openstackgerrit | Brant Knudson proposed a change to openstack/keystone: Escape values in LDAP search filters https://review.openstack.org/87142 | 00:12 |
---|---|---|
*** shakamunyi has joined #openstack-keystone | 00:31 | |
morganfainberg | jamielennox, https://review.openstack.org/#/c/84070/1/doc/source/using-sessions.rst i apologize in advance a lot of suggestions to make it more assertive that "this is the way it works | 00:32 |
morganfainberg | " | 00:32 |
morganfainberg | vs "should be" "will be" etc | 00:32 |
jamielennox | morganfainberg: that's ok - i know i do that | 00:32 |
morganfainberg | jamielennox, i didn't point them all out, but in general a more assertive tone is better for documentation | 00:33 |
morganfainberg | jamielennox, i pointed a bunch out and provided some suggestions. | 00:33 |
morganfainberg | jamielennox, the other point is not sure if >>> is RST friendly or if there is a ..code::python or similar construct that should be used | 00:34 |
openstackgerrit | Brant Knudson proposed a change to openstack/keystone: Allow any attributes in mapping https://review.openstack.org/81040 | 00:34 |
openstackgerrit | Brant Knudson proposed a change to openstack/keystone: Include extra attributes in list results https://review.openstack.org/81041 | 00:34 |
openstackgerrit | Brant Knudson proposed a change to openstack/keystone: Enhance tests for user extra attribute mapping https://review.openstack.org/81046 | 00:34 |
*** shakamunyi has quit IRC | 00:37 | |
openstackgerrit | A change was merged to openstack/python-keystoneclient: Ensure JSON headers in Auth Requests https://review.openstack.org/85209 | 00:39 |
openstackgerrit | Brant Knudson proposed a change to openstack/keystone: Stronger assertion for test_user_extra_attribute_mapping https://review.openstack.org/87145 | 00:46 |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Convert auth_token to use session https://review.openstack.org/74908 | 00:55 |
*** wchrisj has joined #openstack-keystone | 00:56 | |
openstackgerrit | Brant Knudson proposed a change to openstack/python-keystoneclient: Deprecate admin_token option in auth_token https://review.openstack.org/87091 | 00:59 |
openstackgerrit | Brant Knudson proposed a change to openstack/python-keystoneclient: Update docs for auth_token middleware config options https://review.openstack.org/73875 | 01:06 |
*** RockKuo_ has joined #openstack-keystone | 01:11 | |
bknudson | http://sphinx-doc.org/domains.html#cross-referencing-python-objects | 01:12 |
bknudson | oops, wrong link... | 01:12 |
openstackgerrit | Brant Knudson proposed a change to openstack/keystone: Fix catalog Driver signatures https://review.openstack.org/77444 | 01:16 |
*** stevemar has joined #openstack-keystone | 01:24 | |
openstackgerrit | Brant Knudson proposed a change to openstack/keystone: Don't re-raise instance https://review.openstack.org/87149 | 01:25 |
*** wchrisj has quit IRC | 01:32 | |
openstackgerrit | Brant Knudson proposed a change to openstack/keystone: More efficient DN list for LDAP role delete https://review.openstack.org/87151 | 01:36 |
*** diegows has quit IRC | 01:38 | |
openstackgerrit | Priti Desai proposed a change to openstack/keystone: Adding one more check on project_id https://review.openstack.org/85199 | 01:40 |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Revamp discovery https://review.openstack.org/81146 | 01:44 |
jamielennox | morganfainberg: re: the token generation stuff - i would prefer that people didn't use the generic kwargs | 01:55 |
jamielennox | but don't we have the case where you can add whatever you like to the service catalog on the server side? | 01:55 |
jamielennox | i'm not sure how else to allow that case | 01:55 |
jamielennox | also i think the v2 does that as well | 01:55 |
openstackgerrit | A change was merged to openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/85833 | 02:05 |
*** dstanek has quit IRC | 02:14 | |
*** dstanek has joined #openstack-keystone | 02:22 | |
morganfainberg | jamielennox, i think we shouldn't support generic crap in the token in v3 at least | 02:31 |
morganfainberg | jamielennox, crap=things we didn't specifically put there | 02:31 |
jamielennox | morganfainberg: yea, i'm changing that | 02:31 |
morganfainberg | jamielennox, cool | 02:32 |
jamielennox | part of the new approach - don't add anything unnecessary until someone complains that it's missing | 02:32 |
morganfainberg | jamielennox, ++++++++++ | 02:32 |
morganfainberg | jamielennox, absolutely | 02:32 |
jamielennox | harder to do than you'd think | 02:32 |
morganfainberg | and even then... i'll argue against extra stuff in tokens | 02:32 |
morganfainberg | :) | 02:32 |
morganfainberg | it's slow going through all the reviews, but getting back to it. | 02:32 |
morganfainberg | i think i'm down to ~12 left in my "will do today" for client | 02:33 |
jamielennox | morganfainberg: it's not the token's fault - it's things that are added on the server side like when catalog endpoints are created | 02:33 |
morganfainberg | jamielennox, thats the next thing i'm going to be working on, unifying token underlying format | 02:33 |
morganfainberg | jamielennox, it's a requirement to move to ephemeral tokens | 02:33 |
morganfainberg | jamielennox, and then allow for a transform to V2 | 02:33 |
jamielennox | morganfainberg: don't do a transform | 02:34 |
jamielennox | create an underlying model which has everything | 02:34 |
morganfainberg | jamielennox, for end consumption needs to transform | 02:34 |
jamielennox | then go from that to v2 or v3 as a view layer | 02:34 |
morganfainberg | jamielennox, yeah it'll be for emitting on a v2 interface not internal | 02:34 |
jamielennox | don't start by assuming we want v3 to be the goal | 02:34 |
morganfainberg | jamielennox, the goal is single type of token data, the rest is all up to emitting at the controller basically | 02:35 |
morganfainberg | jamielennox, didn't say v3 format -> v2, i said unified data to v2 :P | 02:36 |
morganfainberg | sorry wasn't clear that v3 would be the same | 02:36 |
morganfainberg | ;) | 02:36 |
morganfainberg | and.. of course there will need to be the inverse | 02:36 |
morganfainberg | once i'm done with v2/v3 i'm planning on making token format independent of api version | 02:36 |
jamielennox | morganfainberg: i'm not sure - i would like to see a proper model / view separation in keystone and token would just be another in that line | 02:37 |
jamielennox | you should never need to convert from v2->v3 or back | 02:37 |
morganfainberg | jamielennox, we still need to smash down to json at some point | 02:37 |
morganfainberg | jamielennox, it's not v3 -> v2 | 02:38 |
morganfainberg | it's underlying data -> version | 02:38 |
jamielennox | sure - but that doesn't need to look like v3 | 02:38 |
jamielennox | i'd say it shouldn't | 02:38 |
morganfainberg | and the inverse | 02:38 |
morganfainberg | it wont :P | 02:38 |
jamielennox | (eh - last bit debatable) | 02:38 |
morganfainberg | if you _wanted_ to make v2 -> v3 you would do v2 -> unified model -> v3 | 02:38 |
morganfainberg | that has to be allowed, but it wont be v2 json / dict -> v3 | 02:39 |
morganfainberg | and i expect that to only occur until v2 API dies. | 02:39 |
jamielennox | i think we're more or less talking the same thing | 02:39 |
morganfainberg | yep | 02:39 |
morganfainberg | we are | 02:39 |
morganfainberg | it's something that needs to occur though soon if we want ephemeral tokens in Juno | 02:39 |
morganfainberg | along with that will be the "ensure no extra data ends up in the token" test | 02:40 |
jamielennox | morganfainberg: ok, i'm keen | 02:40 |
morganfainberg | so we don't get token creep without knowing it... or by accident | 02:40 |
morganfainberg | :) | 02:40 |
*** zhiyan_ is now known as zhiyan | 02:41 | |
*** stevemar has quit IRC | 02:47 | |
openstackgerrit | Matt Fischer proposed a change to openstack/keystone: Make the LDAP debug option a configurable setting https://review.openstack.org/87068 | 02:54 |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Create a V3 Token Generator https://review.openstack.org/78878 | 02:56 |
*** mberlin has joined #openstack-keystone | 02:59 | |
*** mberlin1 has quit IRC | 03:00 | |
morganfainberg | jamielennox, you still here? | 03:06 |
jamielennox | morganfainberg: yea | 03:06 |
morganfainberg | looking at https://review.openstack.org/#/c/74908/8/keystoneclient/middleware/auth_token.py | 03:06 |
morganfainberg | jamielennox, you removed the retry logic, it looks like we will just fail outright now ? | 03:06 |
morganfainberg | jamielennox, is this something embedded in the new session object (I didn't see it) but figured i'd ask | 03:06 |
jamielennox | i removed retry logic on authentication - everything else should be ok | 03:07 |
morganfainberg | jamielennox, so if the admin_token is expired the session will request a new one? | 03:07 |
morganfainberg | jamielennox, e.g. uuid tokens | 03:07 |
jamielennox | yes | 03:08 |
morganfainberg | hmm. | 03:08 |
jamielennox | or revocation list fetching | 03:08 |
morganfainberg | aye | 03:08 |
morganfainberg | figured those two would be the same | 03:08 |
morganfainberg | hmm. i guess i just don't see the code for it. no accounting for my blindness though | 03:09 |
morganfainberg | jamielennox, oh i see i only chased part way through the session object | 03:09 |
jamielennox | retry logic is handled within the plugins | 03:10 |
jamielennox | when you do a get_token if it's expired it will fetch a new one first | 03:10 |
morganfainberg | so, how does it know your token is expired (sorry, just figured it's quicker to ask) | 03:11 |
morganfainberg | erm, it's token | 03:11 |
morganfainberg | are you storing the whole token? more to the point what occurs if the admin token was revoked. | 03:11 |
morganfainberg | does it know to re-request then? | 03:11 |
jamielennox | the auth plugin knows the token it got when it authenticated | 03:12 |
jamielennox | which includes an expiry | 03:12 |
morganfainberg | the whole data blob | 03:12 |
morganfainberg | ok | 03:12 |
morganfainberg | and if the admin token ends up revoked? | 03:12 |
jamielennox | so it's hanging on to the auth data as well as the header blob | 03:12 |
morganfainberg | lets just assume someone did something dumb. | 03:12 |
morganfainberg | and changed the role or some such of the service user. | 03:13 |
morganfainberg | and the token got revoked. | 03:13 |
morganfainberg | s/revoked/invalidated (whatever you want to call uuid version of this) | 03:13 |
jamielennox | mmm | 03:14 |
morganfainberg | because auth_token does need to be resilient about this (and the retry logic takes care of this) | 03:15 |
jamielennox | that's a hard logic to make generic on the auth plugin side | 03:15 |
morganfainberg | jamielennox, this might be a case where you still need a retry in auth_token | 03:15 |
morganfainberg | sometimes it happens. | 03:15 |
morganfainberg | and i'm ok with us keeping the retry for this case. it's an edge case, but we need to be resilient and not just fail | 03:16 |
jamielennox | it's also not something i know how to clear from outside an auth plugin | 03:16 |
jamielennox | there isn't (currently) a generic reset | 03:17 |
morganfainberg | jamielennox, you see where this could be an issue for auth_token though, right? | 03:18 |
morganfainberg | jamielennox, feel free to tell me i'm the crazy one and over thinking it | 03:18 |
morganfainberg | jamielennox, but i _think_ this is a legitimate issue we need to address. | 03:18 |
jamielennox | morganfainberg: i see it | 03:20 |
jamielennox | my question with this (and in general) is is auth_token a special case? | 03:20 |
jamielennox | why should auth_token have handling logic different to what all the other clients will consume | 03:20 |
morganfainberg | jamielennox, hm... | 03:20 |
morganfainberg | valid point | 03:21 |
morganfainberg | i'd say i think it's something we need to support across the board | 03:21 |
jamielennox | and therefore do i need to allow for the auth plugins to do generic re-authing on auth failure | 03:21 |
morganfainberg | phrased that way | 03:21 |
morganfainberg | i'm going to -1 that review with a comment about this. | 03:21 |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Don't use generic kwargs in v2 Token Generation https://review.openstack.org/87156 | 03:21 |
morganfainberg | how it gets handled can follow up from there. | 03:21 |
jamielennox | ironically this one has already been +Aed it failed the merge job | 03:21 |
morganfainberg | glad i started reviewing it then! | 03:22 |
morganfainberg | :P | 03:22 |
morganfainberg | sorry it's taken me this long to get some time to review client stuffs | 03:22 |
jamielennox | that's alright - i also remember being surprised when i saw it going for merge | 03:22 |
jamielennox | particularly with auth_token we need to be fairly careful and this is a big change | 03:23 |
jamielennox | morganfainberg: the above link is based on not using **kwargs in token generation but for v2 | 03:23 |
morganfainberg | jamielennox, k will look. | 03:23 |
morganfainberg | jamielennox, -1 and brief comment on this convo looking at the above link now. | 03:25 |
jamielennox | the token gen or the auth_token? | 03:25 |
morganfainberg | auth_token one | 03:25 |
jamielennox | yea, not sure how to fix that generally | 03:25 |
jamielennox | it could be just a retry_auth flag to request() | 03:26 |
morganfainberg | i think that is a clean option | 03:26 |
jamielennox | there are a lot of flags on request | 03:26 |
morganfainberg | i mean... as clean as it gets | 03:26 |
jamielennox | :) | 03:26 |
morganfainberg | it lets the caller decide if automatic retry is correct | 03:26 |
jamielennox | yea, for example from CLI that's not something i'd want | 03:27 |
jamielennox | though i'm not sure how you set that up for clients | 03:27 |
morganfainberg | though i almost would say it's up to the implementor to do retries if the token is bad... just have a way to say "ok go retry this w/o your current token" -- but that has bad developer experience / non-dry | 03:27 |
jamielennox | yea, it's a lot of scattered retry logic and the sort of thing i'm trying to get rid of | 03:28 |
jamielennox | i guess it's a session attribute and not a request() flag | 03:28 |
morganfainberg | sadly for security reasons we can't say "oh this token is revoked" | 03:28 |
morganfainberg | if we could this would be easier | 03:28 |
morganfainberg | we could just retry then, but that leaks info that we shouldn't leak - we can only really say 401 | 03:28 |
jamielennox | so that you create a session that just says always retry auth | 03:29 |
jamielennox | then a CLI wouldn't set that on the session, but auth_token would | 03:29 |
morganfainberg | so, here is the real question, is there _ever_ a reason not to retry auth? | 03:29 |
morganfainberg | if you have the info and you get a 401 (assume cli not included) | 03:29 |
morganfainberg | maybe the answer is make it default to true and let people opt out of retry | 03:30 |
morganfainberg | cli can opt out of it explicitly | 03:30 |
jamielennox | i guess it depends on what you are doing | 03:30 |
morganfainberg | which behavior would you expect consuming the library | 03:30 |
jamielennox | and somewhat the type of auth you have | 03:30 |
morganfainberg | hmm. maybe let the plugin define the default / supportability? | 03:31 |
jamielennox | it *might* be something where the plugin can provide hints, but i'm not sure if the logic can reside there | 03:31 |
morganfainberg | if you have a username/password then reauth is available and expected | 03:31 |
morganfainberg | if you have something else it may not be | 03:31 |
jamielennox | eg token | 03:32 |
morganfainberg | hm. | 03:32 |
morganfainberg | well anyway something to think about before we do this conversion | 03:32 |
morganfainberg | the v2 one looks a lot better w/o kwargs | 03:32 |
jamielennox | currently wondering how to not end up with circular calls to re-auth because the plugins use the session as well | 03:32 |
morganfainberg | session can be smart and only let a single retry ever occur | 03:33 |
morganfainberg | sorry, 1 retry, thats what you get | 03:33 |
jamielennox | no - that excludes really long running sessions | 03:33 |
morganfainberg | 1 retry + window? | 03:33 |
jamielennox | yea, not sure | 03:33 |
morganfainberg | say 1 retry in a 300 second (clock skew window) period | 03:34 |
jamielennox | i can figure that out though, hopefully it becomes more apparent when actually doing code | 03:34 |
* morganfainberg nods. | 03:34 | |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Allow passing a req.Session object to old client https://review.openstack.org/82258 | 03:39 |
jamielennox | alright, going for some food | 03:42 |
*** derek_c has joined #openstack-keystone | 03:43 | |
*** ukalifon has joined #openstack-keystone | 03:52 | |
*** stevemar has joined #openstack-keystone | 03:58 | |
*** stevemar has quit IRC | 04:02 | |
*** zhiyan is now known as zhiyan_ | 04:07 | |
*** derek_c has quit IRC | 04:20 | |
*** ukalifon has quit IRC | 04:29 | |
*** ukalifon has joined #openstack-keystone | 04:46 | |
*** chandan_kumar has joined #openstack-keystone | 04:52 | |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Remove _factory methods from auth plugins https://review.openstack.org/81985 | 04:52 |
*** derek_c has joined #openstack-keystone | 04:57 | |
*** ukalifon has quit IRC | 05:20 | |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Add new error for invalid auth response https://review.openstack.org/85213 | 05:38 |
*** zhiyan_ is now known as zhiyan | 05:43 | |
openstackgerrit | Jenkins proposed a change to openstack/keystone: Imported Translations from Transifex https://review.openstack.org/83955 | 06:01 |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Add new error for invalid auth response https://review.openstack.org/85213 | 06:30 |
*** jaosorior has joined #openstack-keystone | 06:39 | |
openstackgerrit | Sergey Nikitin proposed a change to openstack/keystone: Removed unused code https://review.openstack.org/85984 | 06:56 |
*** marekd|away is now known as marekd | 06:58 | |
*** andreaf has joined #openstack-keystone | 07:08 | |
*** jamielennox is now known as jamielennox|away | 07:18 | |
marekd | morganfainberg: o/, still here? | 07:25 |
openstackgerrit | Marek Denis proposed a change to openstack/python-keystoneclient: Add CRUD operations for Federation Mapping Rules. https://review.openstack.org/83742 | 07:33 |
*** morganfainberg is now known as morganfainberg_Z | 08:00 | |
*** leseb has joined #openstack-keystone | 08:01 | |
*** florentflament has joined #openstack-keystone | 08:44 | |
*** zhiyan is now known as zhiyan_ | 09:30 | |
openstackgerrit | Sergey Nikitin proposed a change to openstack/keystone: Some methods in ldap were moved to superclass https://review.openstack.org/86250 | 10:29 |
*** david-lyle has joined #openstack-keystone | 10:46 | |
*** chandan_kumar has quit IRC | 10:55 | |
openstackgerrit | Sergey Nikitin proposed a change to openstack/keystone: Code which gets elements of tree in ldap moved to a common method https://review.openstack.org/86302 | 10:58 |
*** chandan_kumar has joined #openstack-keystone | 11:08 | |
openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Sync test_migrations https://review.openstack.org/80618 | 11:16 |
openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Redundant unique constraint https://review.openstack.org/84447 | 11:16 |
openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Corresponding `nullable` value. https://review.openstack.org/84446 | 11:16 |
openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Compatible server default value in the models. https://review.openstack.org/84445 | 11:16 |
openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Explicit foreign key indexes. https://review.openstack.org/84444 | 11:16 |
openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Make it possible to use multiprocess file locks https://review.openstack.org/84448 | 11:16 |
openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Comparision of database models and migrations. https://review.openstack.org/80630 | 11:16 |
*** chandan_kumar has quit IRC | 11:16 | |
*** topol has joined #openstack-keystone | 11:22 | |
*** chandan_kumar has joined #openstack-keystone | 11:30 | |
openstackgerrit | Sergey Nikitin proposed a change to openstack/keystone: Code which gets and deletes elements of tree was moved to one method https://review.openstack.org/86578 | 11:34 |
*** david-lyle has quit IRC | 11:41 | |
*** RockKuo_ has quit IRC | 11:46 | |
*** tomoiaga has joined #openstack-keystone | 12:15 | |
*** bada has quit IRC | 12:25 | |
*** zhiyan_ is now known as zhiyan | 12:27 | |
*** tzumainn has joined #openstack-keystone | 12:32 | |
tzumainn | hi guys! quick question if anyone knows - why can you not update the tenantId through the cli user-update command? | 12:32 |
*** zhiyan is now known as zhiyan_ | 12:36 | |
*** zhiyan_ is now known as zhiyan | 12:36 | |
openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Sync test_migrations https://review.openstack.org/80618 | 12:47 |
openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Redundant unique constraint https://review.openstack.org/84447 | 12:47 |
openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Corresponding `nullable` value. https://review.openstack.org/84446 | 12:47 |
openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Make it possible to use multiprocess file locks https://review.openstack.org/84448 | 12:47 |
openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Comparision of database models and migrations. https://review.openstack.org/80630 | 12:48 |
*** erecio has joined #openstack-keystone | 12:51 | |
*** erecio has quit IRC | 12:52 | |
*** erecio has joined #openstack-keystone | 12:53 | |
*** erecio has quit IRC | 12:53 | |
*** bknudson has quit IRC | 13:06 | |
openstackgerrit | Pablo Fernando Cargnelutti proposed a change to openstack/keystone: Extracting get group roles for project logic to drivers. https://review.openstack.org/86025 | 13:10 |
*** diegows has joined #openstack-keystone | 13:12 | |
*** erecio has joined #openstack-keystone | 13:18 | |
openstackgerrit | Sergey Nikitin proposed a change to openstack/keystone: Code which gets and deletes elements of tree was moved to one method https://review.openstack.org/86578 | 13:26 |
*** jagee has joined #openstack-keystone | 13:41 | |
*** diegows has quit IRC | 13:43 | |
*** kun_huang has joined #openstack-keystone | 13:54 | |
*** wchrisj has joined #openstack-keystone | 13:58 | |
*** stevemar has joined #openstack-keystone | 14:00 | |
*** ayoung has joined #openstack-keystone | 14:08 | |
*** rwsu has joined #openstack-keystone | 14:09 | |
openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: oslo.db implementation https://review.openstack.org/77210 | 14:09 |
*** stevemar has quit IRC | 14:10 | |
*** wchrisj has quit IRC | 14:31 | |
*** tzumainn has quit IRC | 14:32 | |
*** wchrisj has joined #openstack-keystone | 14:32 | |
*** tzumainn has joined #openstack-keystone | 14:32 | |
*** dims has quit IRC | 14:35 | |
*** bknudson has joined #openstack-keystone | 14:41 | |
*** dims has joined #openstack-keystone | 14:42 | |
*** erecio has quit IRC | 14:44 | |
*** stevemar has joined #openstack-keystone | 14:50 | |
*** zhiyan is now known as zhiyan_ | 14:54 | |
*** thedodd has joined #openstack-keystone | 14:59 | |
openstackgerrit | Pablo Fernando Cargnelutti proposed a change to openstack/keystone: Extracting get group roles for project logic to drivers. https://review.openstack.org/86025 | 14:59 |
ayoung | bknudson, is the change to always use sha256 going to break someone passing the MD5 hash as the token ID? | 14:59 |
*** diegows has joined #openstack-keystone | 15:00 | |
bknudson | ayoung: if clients don't know that the server is configured for sha256 and it uses md5 to hash the token then it's not going to validate. | 15:01 |
bknudson | so I think the answer is yes. | 15:01 |
ayoung | bknudson, I think that breaks Horizon | 15:01 |
ayoung | ask in #openstack-horizon before that gets committed, please | 15:01 |
bknudson | horizon will have to be enhanced to support sha256 | 15:01 |
bknudson | or other token hashing algorithms | 15:01 |
ayoung | bknudson, make sure they are aware | 15:02 |
ayoung | the other clients I am less worried about, but if we are going to go and break everyone, we need to shout loud and clear that we are doing so | 15:03 |
bknudson | ayoung: makes sense... I asked on -horizon. | 15:04 |
ayoung | ++ | 15:04 |
bknudson | I'll probably wind up opening a wishlist bug or just associate the one we've got with horizon | 15:04 |
*** doddstack has joined #openstack-keystone | 15:06 | |
*** richm has joined #openstack-keystone | 15:07 | |
*** thedodd has quit IRC | 15:08 | |
*** stevemar has quit IRC | 15:09 | |
*** chandan_kumar has quit IRC | 15:11 | |
*** dims has quit IRC | 15:13 | |
*** gyee has joined #openstack-keystone | 15:32 | |
mfisch | does anyone know why user-role-add is pulling a full user-list under some conditions before trying to add the role? | 15:33 |
mfisch | When I add someone who is in my local DB, it does a user-lookup .../users/<ID> | 15:33 |
mfisch | But when I try to add a role to someone who's authenticated from AD (with a stacked driver) it pulls the full user-list .../users | 15:34 |
mfisch | And from my AD that takes a long long long time | 15:34 |
mfisch | I can't figure out how it's deciding which way to make the call | 15:36 |
*** stevemar has joined #openstack-keystone | 15:38 | |
*** joesavak has joined #openstack-keystone | 15:38 | |
*** dims has joined #openstack-keystone | 15:39 | |
*** gokrokve has joined #openstack-keystone | 15:40 | |
mfisch | I think the client is trying to do an ID lookup (getID), which fails, and then leaves the call with no argument past "users" | 15:43 |
*** jsavak has joined #openstack-keystone | 15:46 | |
*** joesavak has quit IRC | 15:49 | |
*** marekd is now known as marekd|away | 15:51 | |
*** dims has quit IRC | 15:52 | |
*** diegows has quit IRC | 15:53 | |
*** browne has joined #openstack-keystone | 15:56 | |
*** marcoemorais has joined #openstack-keystone | 15:59 | |
openstackgerrit | David Stanek proposed a change to openstack/keystone: Moves test database setup/teardown into a fixture https://review.openstack.org/85651 | 16:00 |
openstackgerrit | David Stanek proposed a change to openstack/keystone: Adds table and model for storing rotated passwords https://review.openstack.org/73368 | 16:00 |
openstackgerrit | David Stanek proposed a change to openstack/keystone: password rotation extension WIP https://review.openstack.org/74623 | 16:00 |
*** dims has joined #openstack-keystone | 16:05 | |
*** joesavak has joined #openstack-keystone | 16:05 | |
*** jsavak has quit IRC | 16:05 | |
*** thiagop has joined #openstack-keystone | 16:11 | |
*** dims has quit IRC | 16:13 | |
*** dims has joined #openstack-keystone | 16:27 | |
*** tomoiaga has quit IRC | 16:31 | |
mfisch | if anyone cares it appears that my issue is that if the user-id is not a UUID, which it's not in LDAP, then the python-keystone client does a search instead of a direct lookup | 16:31 |
*** chandan_kumar has joined #openstack-keystone | 16:33 | |
dolphm | ayoung: this was the same crypto talk that was in SA https://www.youtube.com/watch?v=r_Pj__qjBvA | 16:33 |
dolphm | mfisch: with the latest client? | 16:34 |
dolphm | mfisch: there was a fix for an issue that sounds a lot like that a few months ago | 16:34 |
mfisch | dolphm: I'm in Havana | 16:34 |
mfisch | dolphm: I was about to file a bug, let me check Icehouse | 16:35 |
mfisch | my one line hack fixed it though | 16:35 |
openstackgerrit | David Stanek proposed a change to openstack/keystone: Ingore broken endpoints in get_catalog https://review.openstack.org/81528 | 16:35 |
openstackgerrit | David Stanek proposed a change to openstack/keystone: Ignore broken endpoints in get_v3_catalog https://review.openstack.org/81527 | 16:35 |
mfisch | dolphm: from a brief glance it looks to be fixed in I, the assumption that UIDs had to be UUIDs was taken out | 16:36 |
*** tzumainn has left #openstack-keystone | 16:36 | |
dolphm | mfisch: ++ | 16:38 |
mfisch | https://bugs.launchpad.net/python-keystoneclient/+bug/1189933 | 16:38 |
uvirtbot | Launchpad bug 1189933 in python-keystoneclient "user-get fails when using IDs which are not UUIDs" [High,Fix released] | 16:38 |
mfisch | thanks dolphm | 16:38 |
mfisch | and thanks ayoung for fixing this | 16:38 |
mfisch | I spent all Friday afternoon working around this by making local copies in SQL of LDAP users which was kinda fun | 16:39 |
openstackgerrit | guang-yee proposed a change to openstack/keystone: Make sure all the auth plugins agree on the shared identity attributes. https://review.openstack.org/84945 | 16:39 |
mfisch | bknudson: will the DocImpact bug on my review be assigned to me? | 16:40 |
mfisch | dolphm: is there a ML specific to keystone? I didn't see one in the wiki | 16:43 |
*** htruta has joined #openstack-keystone | 16:43 | |
ayoung | dolphm, thanks. I'll watch it here shortly...around a troubleshooting session for Neutron managed networks... | 16:45 |
htruta | dolphm, ayoung https://bugs.launchpad.net/keystone/+bug/1081221 can you see the comment I've made on this bug? i think it was already solved in another bug or BP | 16:46 |
uvirtbot | Launchpad bug 1081221 in keystone "Keystone POST /tokens response does not contain all endpoints" [Medium,Triaged] | 16:46 |
ayoung | htruta, probably solved. That was an old report | 16:46 |
htruta | ayoung: can you update the bug status? | 16:47 |
*** leseb has quit IRC | 16:47 | |
*** leseb has joined #openstack-keystone | 16:48 | |
dolphm | htruta: done, thanks! | 16:51 |
*** leseb has quit IRC | 16:52 | |
htruta | ayoung: thanks! | 16:52 |
*** harlowja_away is now known as harlowja | 16:54 | |
dolphm | marekd|away: stevemar: we need those federation docs on at least keystone.openstack.org! | 16:55 |
stevemar | dolphm, which docs you thinking of, specifically? | 16:56 |
dolphm | stevemar: marekd|away's mailing list response should just be docs | 16:56 |
dolphm | stevemar: marekd|away: there have been a *lot* of requests for docs to setup mod_shib etc | 16:56 |
stevemar | dolphm, i was worried you would want those ones specifically | 16:57 |
dolphm | stevemar: why is that a worry? | 16:58 |
stevemar | dolphm, cause work? | 16:58 |
stevemar | dolphm, i'll start something | 16:58 |
openstackgerrit | A change was merged to openstack/keystone: Collapse SQL Migrations https://review.openstack.org/78169 | 16:59 |
dolphm | stevemar: hrm, marekd|away actually replied off-list with instructions (gmail is just showing it to me as part of the same thread) | 17:02 |
dolphm | not sure why it's not on list, but i'll forward it to you | 17:03 |
stevemar | dolphm, please do | 17:03 |
dolphm | stevemar: it sounds like marekd|away is working on docs already too | 17:03 |
stevemar | dolphm, even better | 17:03 |
stevemar | dolphm, he's the one actually consuming/trying it out | 17:03 |
stevemar | dolphm, can you fwd to my ibm email, if you have it on record | 17:04 |
*** afaranha has joined #openstack-keystone | 17:06 | |
nkinder | dolphm: yeah, I've had folks asking about how to set things up for federation lately too | 17:07 |
dolphm | stevemar: i did | 17:07 |
stevemar | nkinder, fwding to you | 17:10 |
*** amcrn has joined #openstack-keystone | 17:11 | |
nkinder | stevemar: thanks | 17:13 |
*** gokrokve_ has joined #openstack-keystone | 17:16 | |
*** gokrokve has quit IRC | 17:19 | |
*** htruta has quit IRC | 17:33 | |
*** marekd|away is now known as marekd | 17:37 | |
*** gokrokve_ has quit IRC | 17:37 | |
marekd | dolphm: i wanted to reply to the list with some more 'ready to share' document... | 17:37 |
openstackgerrit | A change was merged to openstack/python-keystoneclient: Don't use generic kwargs in v2 Token Generation https://review.openstack.org/87156 | 17:41 |
bknudson | dolphm: keystone switching to 'cryptography' lib? | 17:42 |
dstanek | bknudson: is there a review for that? | 17:55 |
bknudson | dstanek: I haven't seen a patch. I just heard of the lib. | 17:55 |
bknudson | I assume barbican is planning to use it. | 17:56 |
dstanek | bknudson: ah, ok; i think it was ayoung and nkinder that were looking for what we should be doing cryptographically | 17:56 |
ayoung | dstanek, reading up | 17:57 |
ayoung | ah...not yet | 17:57 |
ayoung | not sure if the cryptography library even has the primitives for CMS, never mind the "recipe" | 17:57 |
ayoung | dstanek, bknudson I'd like to drive toward that, though, as I think it would be great to have a really mature, full featured Crypto story in Python | 17:58 |
*** afaranha has left #openstack-keystone | 17:59 | |
*** afaranha has joined #openstack-keystone | 17:59 | |
nkinder | The barbican guys are involved with that whole effort | 17:59 |
nkinder | https://github.com/pyca/cryptography | 17:59 |
ayoung | nkinder, we should evaluate the feasibility of NSS as a cryptography.py backend | 18:00 |
nkinder | ayoung: fairly certain they are already looking at it | 18:01 |
ayoung | and whether something that uses that could get common criteria certification....or if it would suffer from the same restriction that JCCE has with multi-backends | 18:01 |
* ayoung never understood that | 18:01 | |
afaranha | dstanek: Hello, you asked me the link of my review, here it is https://review.openstack.org/#/c/85480/ (About testing keystoneclient in nova API) | 18:02 |
afaranha | dstanek: The problem is: I don't know how to automatic test it, because it needs to change some data in the currently openstack instance | 18:03 |
afaranha | in line 75 I instantiate keystoneclient (https://review.openstack.org/#/c/85480/3/nova/api/openstack/compute/contrib/change_instance_ownership.py), and use it in line 133 | 18:05 |
dstanek | afaranha: maybe that's a job for the tempest tests? i took a look when you first posted, but i don't have any constructive comments because I don't know how nova tests work | 18:05 |
dstanek | afaranha: i thought you were making keystoneclient changes | 18:05 |
afaranha | no, no, I just use it to list projects. Do you know how does the tempest works? I only know how to run it, but what difference does it make? | 18:06 |
dstanek | afaranha: in keystone unit test we spin up a new database for each test so we are able to mess with it as much as we want and it won't impact other tests | 18:06 |
afaranha | dstanek: I'm still new to openstack and don't know how to do it, could you, please, explain how to spin up a new database? | 18:08 |
dstanek | afaranha: i think you need to talk to the nova team about what you want to do for some guidance | 18:09 |
dstanek | afaranha: that is just built into the way our tests run | 18:09 |
dstanek | afaranha: as far as i understand, tempest is more for testing larger scenarios across projects - different than project unit testing | 18:10 |
afaranha | dstanek: I think for this functionality I could create a database and create users and projects to test it | 18:10 |
dstanek | afaranha: is this for a unit test? | 18:10 |
*** leseb has joined #openstack-keystone | 18:10 | |
openstackgerrit | Pablo Fernando Cargnelutti proposed a change to openstack/keystone: Extracting get group roles for project logic to drivers. https://review.openstack.org/86025 | 18:10 |
dstanek | afaranha: if it is you should find out how they handle this kind of testing | 18:11 |
afaranha | I think I cannot do an unit test for it, since it depends on keystone and mock it won't work | 18:11 |
*** morganfainberg_Z is now known as morganfainberg | 18:15 | |
morganfainberg | marekd, sorry missed ya last night | 18:16 |
afaranha | dstanek: Thank you, I'll ask more details with nova team :) | 18:17 |
openstackgerrit | David Stanek proposed a change to openstack/keystone: Moves test database setup/teardown into a fixture https://review.openstack.org/85651 | 18:18 |
openstackgerrit | David Stanek proposed a change to openstack/keystone: Adds table and model for storing rotated passwords https://review.openstack.org/73368 | 18:18 |
openstackgerrit | David Stanek proposed a change to openstack/keystone: password rotation extension WIP https://review.openstack.org/74623 | 18:18 |
dstanek | afaranha: good luck! | 18:18 |
*** doddstack has quit IRC | 18:19 | |
*** doddstack has joined #openstack-keystone | 18:19 | |
*** leseb has quit IRC | 18:20 | |
*** andreaf has quit IRC | 18:20 | |
morganfainberg | dolphm, yay! sql collapse went in! | 18:22 |
*** Guest_ has joined #openstack-keystone | 18:29 | |
*** gokrokve has joined #openstack-keystone | 18:39 | |
*** derek_c has quit IRC | 18:43 | |
dstanek | morganfainberg: nice | 18:44 |
morganfainberg | dstanek, now i need to get on the refactor to move to the migration testing like nova does (more programmatic) | 18:44 |
marekd | morganfainberg: no problem, and thanks for the review. | 18:49 |
morganfainberg | marekd, +2 by the way, thanks for fixing the RST issues, looks way better now | 18:49 |
marekd | morganfainberg: yay! | 18:49 |
morganfainberg | also not masking id is good, but broken docs are super bad :P | 18:50 |
* morganfainberg gets back to catching up on email | 18:51 | |
marekd | understood. | 18:53 |
*** kun_huang has quit IRC | 18:54 | |
*** tomoiaga has joined #openstack-keystone | 18:55 | |
*** Guest_ has quit IRC | 18:55 | |
*** Guest_ has joined #openstack-keystone | 18:55 | |
tomoiaga | I can't find a way to get a token on behalf of another user, having admin credentials. I believe this is not possible right now right ? (I can re-scope by domain/project, but user has a default domain ID, not sure if it's the right way) | 18:58 |
*** dstanek has quit IRC | 18:59 | |
*** doddstack has quit IRC | 19:10 | |
*** thedodd has joined #openstack-keystone | 19:10 | |
*** thedodd has quit IRC | 19:19 | |
*** thedodd has joined #openstack-keystone | 19:20 | |
*** thedodd has quit IRC | 19:22 | |
dolphm | tomoiaga: correct - even as "admin" you can't just impersonate another identity | 19:22 |
*** chandan_kumar has quit IRC | 19:22 | |
dolphm | tomoiaga: we support explicit impersonation through trust delegation, but it sounds like that's not actually what you need | 19:23 |
dolphm | tomoiaga: if you just need to perform operations on a specific project/tenant, as admin you can assign yourself whatever roles you want on that tenant/project, and just scope to it | 19:23 |
dolphm | tomoiaga: i.e. you don't have to impersonate anyone | 19:23 |
*** thedodd has joined #openstack-keystone | 19:24 | |
*** cynosure_ has joined #openstack-keystone | 19:24 | |
*** vhoward has left #openstack-keystone | 19:27 | |
*** amcrn is now known as notamrith | 19:28 | |
*** notamrith is now known as amcrn | 19:32 | |
*** nkinder has quit IRC | 19:40 | |
morganfainberg | wow there are a lot of proposed sessions for keystone @ ATL | 19:51 |
tomoiaga | dolphm: yes, that is what I am thinking. I need to integrate keystone with an existing user base and I would have wanted to only perform tasks using the users credentials not the admin ones, but I guess I just have to scope to roles I need in a specific domain/project. | 19:52 |
openstackgerrit | Marek Denis proposed a change to openstack/python-keystoneclient: Add CRUD operations for Federated Protocols. https://review.openstack.org/83829 | 19:58 |
openstackgerrit | A change was merged to openstack/identity-api: Fix bad formatting in v3 federation markdown https://review.openstack.org/85617 | 20:00 |
*** boris-42 has joined #openstack-keystone | 20:01 | |
boris-42 | dolphm hi | 20:01 |
*** gokrokve has quit IRC | 20:21 | |
*** tomoiaga has quit IRC | 20:22 | |
*** stevemar has quit IRC | 20:22 | |
*** derek_c has joined #openstack-keystone | 20:23 | |
gyee | morganfainberg, yeah, I am adding one more proposal | 20:24 |
morganfainberg | gyee, wheeeee! | 20:25 |
morganfainberg | gyee, sooooo many proposals | 20:25 |
gyee | time to write more code! :D | 20:25 |
boris-42 | morganfainberg hi | 20:26 |
morganfainberg | boris-42, hi there! | 20:26 |
boris-42 | morganfainberg just looking for people who cares about performance of openstack=) | 20:26 |
boris-42 | morganfainberg do you know somebody here in keystone?) | 20:26 |
morganfainberg | boris-42, ++ i care a lot about it | 20:26 |
boris-42 | morganfainberg so nice=) | 20:27 |
boris-42 | morganfainberg and I am working on tool for benchmarking openstack projects | 20:27 |
morganfainberg | boris-42, but i'm not the only one, i know ayoung, bknudson, dolphm, and the rest of the core team do as well. | 20:27 |
morganfainberg | (sorry for those not explicitly named :P) | 20:27 |
morganfainberg | boris-42, awesome! | 20:27 |
bknudson | boris-42: our group cares about keystone performance | 20:28 |
boris-42 | so we have already some base benchmarks | 20:28 |
boris-42 | for keystone | 20:28 |
bknudson | boris-42: getting some baseline numbers is the first step | 20:28 |
boris-42 | how about running on every patch? | 20:28 |
boris-42 | in gates?) | 20:28 |
boris-42 | benchmarks | 20:28 |
bknudson | boris-42: that's what we need. | 20:28 |
boris-42 | so why not just run Rally ? | 20:29 |
boris-42 | it has already benchmarks + processing and graphics=) | 20:29 |
boris-42 | http://pavlovic.me/rally/glance_list.html output for glance lol | 20:29 |
boris-42 | bknudson I mean for 1 hrs that takes tempest (we are able to run a lot of benchmarks) | 20:30 |
bknudson | boris-42: I can't get to that site. | 20:31 |
boris-42 | hmm | 20:31 |
boris-42 | bknudson it takes a bit to load that page | 20:31 |
boris-42 | bknudson that page is huge .. | 20:31 |
boris-42 | bknudson morganfainberg so guys if you are interested I can make live demo of benchmarking keystone | 20:32 |
boris-42 | bknudson morganfainberg + share ideas about voting gate performance tests | 20:32 |
boris-42 | in case of nodes with different performance | 20:33 |
morganfainberg | boris-42, i would love to see performance per-commit (even if it doesn't block gate), but show trends. | 20:33 |
morganfainberg | so we can see which direction we're moving and get averages etc. | 20:33 |
boris-42 | morganfainberg so it's actually quite simple to do | 20:33 |
boris-42 | morganfainberg we will have gate inside rally that will run all scenarios | 20:34 |
bknudson | I think we especially want to see if some change done for performance reasons actually improves performance | 20:34 |
boris-42 | morganfainberg but in case of keystone we can make task that exercise only keystone | 20:34 |
bknudson | but I also like the idea of gating on a change that really causes a perf problem. | 20:34 |
boris-42 | bknudson morganfainberg actually that is why started Rally 8 months ago | 20:34 |
boris-42 | bknudson morganfainberg to make it possible to see how changes affect performance | 20:34 |
morganfainberg | boris-42, nice. | 20:35 |
bknudson | boris-42: glance is using this laready? | 20:35 |
bknudson | already | 20:35 |
*** marcoemorais has quit IRC | 20:35 | |
boris-42 | bknudson nope we just started work on gates recently | 20:35 |
*** gokrokve has joined #openstack-keystone | 20:35 | |
boris-42 | bknudson cause we were more concentrate on Rally not on integrations=) | 20:35 |
boris-42 | bknudson but seems like "cinder" will add rally gate soon | 20:36 |
*** marcoemorais has joined #openstack-keystone | 20:36 | |
bknudson | boris-42: I think cinder also has different backends / drivers -- do they test with different drivers? | 20:36 |
boris-42 | bknudson seems like first gate will be on top of fake driver | 20:37 |
boris-42 | bknudson to check infrastructure issues | 20:37 |
boris-42 | bknudson not performance of hdd=) | 20:37 |
boris-42 | bknudson performance/scale testing could be done with relative small amount of hardware | 20:38 |
*** leseb has joined #openstack-keystone | 20:38 | |
boris-42 | bknudson you can split benchmarking driver from benchmarking whole project infrastructure | 20:38 |
bknudson | boris-42: it would be interesting to have some numbers for how keystone performs with concurrent requests. | 20:38 |
boris-42 | bknudson just run rally=) | 20:39 |
boris-42 | bknudson we already have benchmarks for authenticate (create users and tenants) | 20:39 |
morganfainberg | boris-42, bknudson, concurrency is a bit part of what i plan to focus on this cycle, i'm thinking i need to poke at rally to make sure i'm moving us in the right direction | 20:39 |
bknudson | boris-42: I think the keystone performance we want is authenticating (getting and validating a token) | 20:39 |
boris-42 | morganfainberg bknudson so guys maybe just shot live demo? | 20:39 |
boris-42 | short* | 20:40 |
boris-42 | https://wiki.openstack.org/wiki/Rally/HowTo <- or you can read this manual =) | 20:40 |
bknudson | boris-42: is there code with the keystone tests? | 20:40 |
boris-42 | bknudson in tutorial we are running nova benchmark | 20:40 |
boris-42 | bknudson but https://github.com/stackforge/rally/tree/master/doc/samples/tasks/keystone | 20:41 |
boris-42 | ^ samples of benchmarks tasks for keystone | 20:41 |
boris-42 | and one for authenticate | 20:41 |
boris-42 | https://github.com/stackforge/rally/tree/master/doc/samples/tasks/authenticate | 20:41 |
boris-42 | so you can just run with rally this tasks and that's all | 20:41 |
boris-42 | btw installation of rally is quite simple task | 20:42 |
bknudson | the tests are in json? | 20:42 |
boris-42 | git clone https://github.com/stackforge/rally.git | 20:42 |
boris-42 | bknudson you are able to use json or yaml | 20:42 |
boris-42 | bknudson as an input format | 20:42 |
boris-42 | bknudson it was holy war in rally | 20:42 |
bknudson | looks like they both won | 20:42 |
boris-42 | bknudson cause half of Rally team preferred json half yaml | 20:42 |
bknudson | now you have to do both | 20:42 |
boris-42 | yep=) | 20:42 |
boris-42 | changed json.loads to yaml.safe_load lol | 20:43 |
boris-42 | +) | 20:43 |
boris-42 | so to install rally just run | 20:44 |
boris-42 | https://github.com/stackforge/rally/blob/master/install_rally.sh =) | 20:44 |
*** dstanek has joined #openstack-keystone | 20:44 | |
bknudson | is rally integrated into devstack? | 20:44 |
boris-42 | bknudson we are on stack forge =( | 20:45 |
boris-42 | bknudson but you can use rally devstack plugin | 20:45 |
boris-42 | bknudson https://wiki.openstack.org/wiki/Rally/installation#Rally_with_DevStack_all_in_one_installation | 20:45 |
bknudson | ./tests/fakes.py: self._keystone = FakeKeystoneClient() ... interesting | 20:47 |
boris-42 | bknudson hehe=) | 20:47 |
boris-42 | bknudson tests - are real unit tests | 20:47 |
boris-42 | bknudson not benchmarks=) | 20:47 |
boris-42 | all benchmarks are here https://github.com/stackforge/rally/tree/master/rally/benchmark/scenarios | 20:48 |
bknudson | boris-42: how do I link the "Authenticate.keystone" from keystone.json to the function? | 20:49 |
boris-42 | bknudson so first of all there is a base.Scenario class | 20:50 |
boris-42 | all subclasses of it are auto discovered | 20:50 |
boris-42 | bknudson to make a benchmark scenario from just a method of this class | 20:51 |
boris-42 | you should add @base.scenario decorator | 20:51 |
cynosure_ | hi, has anyone tried running keystone in apache2 containers ? | 20:51 |
dstanek | morganfainberg: did you have any thoughts on https://bugs.launchpad.net/keystone/+bug/1300581 | 20:51 |
uvirtbot | Launchpad bug 1300581 in keystone "test_revoke.RevokeTreeTests.test_cleanup fails" [Critical,Triaged] | 20:51 |
dstanek | i can't reproduce it locally | 20:51 |
morganfainberg | dstanek, i was trying to duplicate it. i can't | 20:51 |
cynosure_ | I am following these instructions https://github.com/openstack/keystone/blob/master/doc/source/apache-httpd.rst but facing issues | 20:51 |
boris-42 | bknudson so "Authenticate" - is class name and "keystone" is method in this class | 20:51 |
morganfainberg | dstanek, i've tried many many many ways. | 20:51 |
morganfainberg | dstanek, but we're somehow losing an event (we are expecting more than there are) | 20:52 |
bknudson | dstanek: morganfainberg: https://review.openstack.org/#/c/86472/ -- I tried adding some debug output, but never hit it | 20:52 |
bknudson | maybe merge it and see if it helps | 20:52 |
morganfainberg | dstanek, i'm actually wondering if a sleep(0) would "fix" it. | 20:52 |
morganfainberg | bknudson, thats a good idea. | 20:52 |
morganfainberg | bknudson, needs a rebase but i'm 100% for merging that | 20:54 |
openstackgerrit | Brant Knudson proposed a change to openstack/keystone: More debug output for test https://review.openstack.org/86472 | 20:54 |
bknudson | rebased. | 20:54 |
morganfainberg | bknudson, ++ LGTM. will +2 once jenkins is happy | 20:55 |
boris-42 | bknudson so is it now clear how name from task is bind to scenario method?) | 20:56 |
bknudson | boris-42: https://github.com/stackforge/rally/blob/master/rally/benchmark/scenarios/authenticate/authenticate.py#L24 is Authenticate.keystone ? | 20:58 |
bknudson | it's pretty short | 20:58 |
boris-42 | bknudson yep | 20:58 |
dstanek | bknudson: i like the logging | 20:58 |
bknudson | dstanek: I don't know what else to do other than see what the args are... I was never able to recreate locally | 20:59 |
boris-42 | bknudson and here is the sample https://github.com/stackforge/rally/blob/master/doc/samples/tasks/authenticate/keystone.yaml | 20:59 |
boris-42 | bknudson of task for it | 20:59 |
boris-42 | bknudson not a fan of tempest stuff | 20:59 |
bknudson | boris-42: what does the output look like? took x seconds? | 20:59 |
dstanek | bknudson: yeah, i ran the tests in a loop over night and never got a failure | 21:00 |
boris-42 | bknudson it's a bit more complex | 21:00 |
boris-42 | bknudson =) | 21:00 |
boris-42 | bknudson here is the result schema | 21:00 |
boris-42 | bknudson https://github.com/stackforge/rally/blob/master/rally/benchmark/runners/base.py#L82-L129 | 21:00 |
bknudson | boris-42: so looks like we've got a test for getting a token via username and password (not sure what the backend is)... | 21:01 |
boris-42 | bknudson yep something like that | 21:01 |
boris-42 | bknudson and in this case we are actually using small part of power of rally | 21:02 |
bknudson | boris-42: how about a scenario for validating a token, and one for getting a token given another token? | 21:02 |
boris-42 | bknudson I have always simple answer on that =) | 21:02 |
boris-42 | bknudson it's python and you are able to run any functions from std python client | 21:02 |
*** browne has quit IRC | 21:03 | |
boris-42 | bknudson so it's possible | 21:03 |
boris-42 | =) | 21:03 |
boris-42 | bknudson more then you're able to measure time of every action | 21:03 |
boris-42 | bknudson like here https://github.com/stackforge/rally/blob/master/rally/benchmark/scenarios/keystone/basic.py#L44-L47 | 21:04 |
boris-42 | bknudson you'll get whole duration, duration of user create and duration of list users | 21:04 |
bknudson | boris-42: what does the output look like? I thought I'd find some in cinder but didn't see any | 21:05 |
boris-42 | bknudson let me re-run some keystone benchmark | 21:05 |
*** browne has joined #openstack-keystone | 21:05 | |
bknudson | boris-42: you were planning to integrate this into the gate/check runs? | 21:06 |
boris-42 | bknudson http://paste.openstack.org/show/75713/ | 21:07 |
boris-42 | bknudson this is already aggregated result | 21:07 |
bknudson | keystone.create_tenant | 10 | 1.00275611877 | 21:08 |
bknudson | slow! | 21:08 |
bknudson | running on a commodore 64? | 21:08 |
boris-42 | bknudson this is without aggregation http://paste.openstack.org/show/75714/ | 21:08 |
boris-42 | bknudson so we have information for every call | 21:08 |
boris-42 | bknudson information about exception (if it occurred), information about duration and so on | 21:09 |
bknudson | boris-42: I'd be happy with just a big table of action | count | max (sec) | avg (sec) for each action. | 21:09 |
boris-42 | bknudson it's 5 concurrent requests | 21:09 |
boris-42 | bknudson heh | 21:09 |
boris-42 | bknudson on page that I share | 21:09 |
boris-42 | bknudson you can find pretty graphs | 21:09 |
boris-42 | bknudson let me share just HTML code | 21:10 |
bknudson | boris-42: what's the plan to compare against previous runs or figure out if this commit is a lot slower? | 21:11 |
bknudson | boris-42: we've got a similar problem where we might want to compare tox -e cover results across commits. | 21:11 |
boris-42 | bknudson http://paste.openstack.org/show/75716/ | 21:11 |
boris-42 | bknudson just open in your browser | 21:12 |
boris-42 | bknudson so I have some thoughts | 21:12 |
boris-42 | bknudson first step integration is just use your eyes=) | 21:12 |
boris-42 | bknudson second step integration is use one DB for all rally instances | 21:12 |
boris-42 | bknudson so you'll be able to store all results in one place | 21:13 |
boris-42 | bknudson and access them in every moment | 21:13 |
*** topol has quit IRC | 21:13 | |
boris-42 | bknudson the third step is to make in rally support of task comparison (so it will draw graphs and so on) | 21:13 |
boris-42 | bknudson then we should have "normalization" of absolute values | 21:14 |
boris-42 | bknudson e.g. running some benchmark that measure cpu/io/mem performance | 21:15 |
boris-42 | and having function that calculates normalization_number | 21:15 |
boris-42 | based on that values=) | 21:15 |
boris-42 | and last step is voting gate | 21:16 |
boris-42 | that normalizes absolute values and compares with latest merged patch | 21:16 |
boris-42 | bknudson ^ | 21:17 |
*** leseb has quit IRC | 21:17 | |
boris-42 | seems like if we get approve from PTL this can take whole Juno cycle.. | 21:17 |
bknudson | boris-42: sounds great. I'd like to see the results generated for every commit. | 21:17 |
boris-42 | bknudson yep it's quite simple to get results | 21:17 |
boris-42 | bknudson but normalization & voting gate & comparing with previous will be interesting a big task=) | 21:18 |
*** nkinder has joined #openstack-keystone | 21:39 | |
*** Guest_ has quit IRC | 21:40 | |
*** nkinder has quit IRC | 21:48 | |
*** marekd is now known as marekd|away | 21:48 | |
*** derek_c has quit IRC | 21:53 | |
*** joesavak has quit IRC | 21:56 | |
*** dims has quit IRC | 21:57 | |
*** jagee has quit IRC | 22:01 | |
*** browne has quit IRC | 22:03 | |
*** amcrn has quit IRC | 22:04 | |
*** browne has joined #openstack-keystone | 22:07 | |
*** dims has joined #openstack-keystone | 22:10 | |
dolphm | dstanek: just came across your comments on bug 1292311 - nice work lol | 22:36 |
uvirtbot | Launchpad bug 1292311 in keystone "5 unicode unit test failures when building Debian package" [Undecided,Invalid] https://launchpad.net/bugs/1292311 | 22:36 |
dstanek | dolphm: that was a bit of a pain to figure out, but i learned a ton about Debian packaging from zigo | 22:37 |
*** gokrokve has quit IRC | 22:38 | |
dolphm | dstanek: i can imagine! zigo == thomas ? | 22:39 |
dstanek | yep | 22:40 |
*** gokrokve has joined #openstack-keystone | 22:46 | |
*** gokrokve has quit IRC | 22:48 | |
*** dims has quit IRC | 22:57 | |
*** doddstack has joined #openstack-keystone | 23:03 | |
*** thedodd has quit IRC | 23:04 | |
morganfainberg | dstanek, yeah i learned a lot talking to zigo last time | 23:05 |
*** jamielennox|away is now known as jamielennox | 23:06 | |
*** doddstack has quit IRC | 23:08 | |
jamielennox | ayoung: from my understanding cryptography will accept an NSS backend but the core team isn't interested in writing it | 23:11 |
jamielennox | i have been watching it for a while now and would be keen to write it, just not sure how to fit it in with other stuff | 23:12 |
jamielennox | CMS is a long way off because they need a full x509 stack for that | 23:12 |
*** bknudson has quit IRC | 23:12 | |
cynosure_ | tried to use keystone with apache2 facing problem "no module named openstack.common" | 23:20 |
cynosure_ | its able to find the keystone paste file but not keystone | 23:20 |
*** gokrokve has joined #openstack-keystone | 23:21 | |
cynosure_ | am i missing something | 23:21 |
cynosure_ | following instructions from here https://github.com/openstack/keystone/blob/master/doc/source/apache-httpd.rst | 23:21 |
*** dims has joined #openstack-keystone | 23:22 | |
jamielennox | cynosure_: openstack.common should be a part of keystone (keystone.openstack.common) so it would appear to be an install issue rather than httpd specific | 23:22 |
jamielennox | can you pastebin the whole error | 23:22 |
dolphm | morganfainberg: +1 for markdown in your email | 23:23 |
dolphm | cynosure_: i'd be curious to see the whole backtrace as well | 23:24 |
cynosure_ | I installed keystone from source ; then followed the instructions here https://github.com/openstack/keystone/blob/master/doc/source/apache-httpd.rst. Installed httpd and mod_wsgi. If I installed keystone from source I can see keystone being part of standard source path /usr/lib/python2.6/site-packages. Still not understanding why seeing "no module named openstack.common" | 23:28 |
cynosure_ | dolphm: pastebin link http://pastebin.com/PnEqjFc7 | 23:30 |
dolphm | jamielennox: ^ | 23:30 |
cynosure_ | jamielennox : ^^ | 23:30 |
*** derek_c has joined #openstack-keystone | 23:31 | |
cynosure_ | what is the normal procedure to use keystone with apache2 ? Are there well documented steps to do the same apart from the link which i pasted above | 23:31 |
jamielennox | cynosure_: i'm guessing that python is not picking up keystone in your path | 23:32 |
jamielennox | looking here: https://github.com/openstack/keystone/blob/master/httpd/keystone.py the gettextutils are the first thing ever imported from keystone | 23:32 |
cynosure_ | jamielennox: true, but why ? | 23:32 |
jamielennox | so i don't think it's related to openstack.common just that your http process can't find the keystone module | 23:32 |
dolphm | cynosure_: this is a very opinionated keystone.conf, but it deploys to apache https://github.com/dolph/keystone-deploy | 23:32 |
cynosure_ | me and my colleague both are seeing this | 23:32 |
dolphm | cynosure_: what version of keystone is this? | 23:32 |
dolphm | jamielennox: i find it really odd that it doesn't say keystone.openstack.common ... | 23:34 |
jamielennox | yea | 23:34 |
dolphm | for example, python -c "from asdfasdf.openstack.common import gettextutils" fails with ImportError: No module named asdfasdf.openstack.common | 23:34 |
jamielennox | cynosure_: can you pastebin the whole apache conf file as well | 23:34 |
cynosure_ | the apache conf file is unmodified | 23:35 |
dolphm | cynosure_: and /usr/local/www/wsgi-scripts/keystone/keystone.py ? | 23:35 |
cynosure_ | i can paste that too | 23:35 |
cynosure_ | dolphm : thats where the keystone wsgi application is residing. | 23:35 |
cynosure_ | which i got from the keystone source | 23:36 |
jamielennox | a good check is normally sudo -u apache python -c "import keystone" | 23:36 |
jamielennox | but it depends on your setup a bit | 23:36 |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Rename HTTPError -> HttpError https://review.openstack.org/87411 | 23:41 |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Add new error for invalid auth response https://review.openstack.org/85213 | 23:41 |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Add new error for invalid response https://review.openstack.org/85213 | 23:43 |
cynosure_ | jamielennox : Am I missing something here ? | 23:44 |
cynosure_ | when I run sudo -u apache python -c "import keystone" it says Sorry, user XYZ is not allowed to execute '/usr/bin/python -c import keystone' as apache on MACHINE | 23:45 |
jamielennox | cynosure_: so what are you seeing now? same thing? did you try that import statement to make sure the apache user can see the keystone module? is there a pastebin with your httpd config? | 23:45 |
jamielennox | hmm, so you have a fairly restrictive environment then | 23:46 |
jamielennox | is apache your www user? | 23:46 |
dolphm | cynosure_: sounds like you just have some permissions issues to work through! | 23:48 |
cynosure_ | yes apache is my www user | 23:48 |
jamielennox | interesting, you can run mod_wsgi because you are getting the exception but the apache user can't run python | 23:49 |
*** arborism has joined #openstack-keystone | 23:49 | |
cynosure_ | apache 20447 0.0 1.2 404568 25144 ? S 22:11 0:00 /usr/sbin/httpd | 23:49 |
*** vhoward has joined #openstack-keystone | 23:51 | |
cynosure_ | jamielennox : i haven't modified the httpd.conf | 23:52 |
cynosure_ | using httpd-2.2.15-30.el6_5.x86_64 | 23:52 |
cynosure_ | and python 2.6.6 | 23:55 |
*** cynosure_ has quit IRC | 23:55 | |
jamielennox | if its a basic rhel/centos install then i can't see any reason that the apache user can't run the python process | 23:57 |
jamielennox | and make sure that you have selinux disabled (not that you should need it in production, but in testing it's a PITA) | 23:57 |
*** arborism is now known as amcrn | 23:58 | |
*** wchrisj has quit IRC | 23:59 |