Wednesday, 2014-04-16

*** ChanServ changes topic to "Open for Juno development; submit design summit session proposals ASAP (deadline: April 20th) http://summit.openstack.org/"		00:02
*** derek_c has quit IRC		00:02
morganfainberg	marekd, you're going to be in ATL right?	00:08
morganfainberg	marekd, cause... it would be terrible if you werent :)	00:08
marekd	morganfainberg: yes, I got the ATL, since some of my patches got merged to the master :-)	00:09
morganfainberg	marekd, yay!	00:09
marekd	btw, ATL stands for...? :P	00:09
marekd	(i mean the full name)	00:09
morganfainberg	marekd, atlanta	00:09
morganfainberg	ATL is the airport code iirc	00:09
marekd	morganfainberg: oh maaaan.	00:10
marekd	ok it's late in here.	00:10
morganfainberg	ATC you mean, ATC is active technical contributor	00:10
marekd	ok, i thought you asked about ATC	00:10
marekd	:P	00:10
morganfainberg	nah.	00:10
marekd	that's why i mentioned the patches.	00:10
marekd	i'd better go to bed now ;/	00:10
morganfainberg	more concerned about people getting to the summit esp. those contributing a lot of time.	00:10
morganfainberg	marekd, never a bad idea.	00:11
morganfainberg	marekd, esp. if it's late	00:11
marekd	2 am	00:11
morganfainberg	have a good night dude. catch ya later	00:11
marekd	morganfainberg: anyways, i have ATC status. I will be in Atlanta too :-)	00:12
morganfainberg	nice.	00:12
marekd	yep, gonna hit the bed now. good night!	00:12
*** marekd is now known as marekd\|away		00:13
*** praneshp has quit IRC		00:22
*** theocean154 has joined #openstack-keystone		00:31
*** derek_c has joined #openstack-keystone		00:34
*** marcoemorais has quit IRC		00:39
*** jagee has quit IRC		00:48
*** jagee has joined #openstack-keystone		00:48
openstackgerrit	guang-yee proposed a change to openstack/python-keystoneclient: Implement endpoint filtering functionality on the client side. https://review.openstack.org/82713	01:01
*** gyee has quit IRC		01:03
*** ilives has joined #openstack-keystone		01:16
*** bknudson has joined #openstack-keystone		01:28
*** dstanek has quit IRC		01:29
*** dstanek has joined #openstack-keystone		01:32
*** daneyon has joined #openstack-keystone		01:32
*** derek_c_ has joined #openstack-keystone		01:35
*** david-lyle has joined #openstack-keystone		01:36
*** amcrn has quit IRC		01:39
*** bknudson has quit IRC		01:39
*** derek_c has quit IRC		01:53
*** derek_c_ has quit IRC		01:53
*** stevemar has joined #openstack-keystone		02:01
*** david-lyle has quit IRC		02:03
*** jzl-ctrip has joined #openstack-keystone		02:07
jzl-ctrip	hi, guys, I just can't get through the test 'test_ipv6.py', is there any solution?	02:08
*** jzl-ctrip has quit IRC		02:09
openstackgerrit	A change was merged to openstack/keystone: Remove unnecessary dict copy https://review.openstack.org/87430	02:10
*** richm has quit IRC		02:10
*** cloud has joined #openstack-keystone		02:16
*** derek_c has joined #openstack-keystone		02:16
*** cloud is now known as jzl-ctrip		02:16
*** ls has joined #openstack-keystone		02:20
*** ls is now known as jzl_ctrip		02:20
*** jzl-ctrip has quit IRC		02:20
jzl_ctrip	sorry for asking again as I just got disconnected, is there any solution for passing the test case test_ipv6.py?	02:21
jzl_ctrip	never mind, I just skipped that testcase	02:29
*** derek_c_ has joined #openstack-keystone		02:33
*** harlowja is now known as harlowja_away		02:35
*** derek_c has quit IRC		02:36
morganfainberg	jzl_ctrip, i don't know what issue you're seeing. is ipv6 not available on the system you're using for testing?	02:40
morganfainberg	jzl_ctrip, if you provide a paste (paste.openstack.org) of the error I can see if I can help you.	02:43
openstackgerrit	David Stanek proposed a change to openstack/keystone: More notification unit tests https://review.openstack.org/81659	02:44
openstackgerrit	David Stanek proposed a change to openstack/keystone: Refactor notifications https://review.openstack.org/81660	02:44
*** derek_c has joined #openstack-keystone		02:51
*** mberlin has quit IRC		02:58
*** zhiyan_ is now known as zhiyan		03:01
*** mberlin has joined #openstack-keystone		03:13
*** jimbaker has quit IRC		03:20
*** jimbaker has joined #openstack-keystone		03:21
*** jimbaker has quit IRC		03:21
*** jimbaker has joined #openstack-keystone		03:21
*** praneshp has joined #openstack-keystone		03:29
openstackgerrit	A change was merged to openstack/keystone: Sync with oslo-incubator 2fd457b https://review.openstack.org/83966	04:11
*** praneshp_ has joined #openstack-keystone		04:15
*** praneshp has quit IRC		04:19
*** praneshp_ is now known as praneshp		04:19
*** theocean154 has quit IRC		04:21
*** saju_m has joined #openstack-keystone		04:27
*** jamielennox is now known as jamielennox\|away		04:27
*** saju_m has quit IRC		04:27
*** saju_m has joined #openstack-keystone		04:28
*** saju_m has quit IRC		04:30
*** marcoemorais has joined #openstack-keystone		04:36
*** dstanek has quit IRC		04:39
*** dstanek has joined #openstack-keystone		04:40
openstackgerrit	Jamie Lennox proposed a change to openstack/keystone: Move mutable parameter checking into federation https://review.openstack.org/87849	04:41
openstackgerrit	Jamie Lennox proposed a change to openstack/keystone: Move hints building/filtering onto object https://review.openstack.org/87850	04:42
*** jagee has quit IRC		04:43
*** jamielennox\|away is now known as jamielennox		04:45
jamielennox	ayoung: you here?	04:46
jamielennox	ayoung, morganfainberg or anyone here, can you have a review of https://review.openstack.org/#/c/83630/ ?	04:47
jamielennox	dolph wants to do a realease soon and that'd be a small nice to have	04:47
*** dstanek has quit IRC		04:55
*** Chicago has quit IRC		04:57
*** Chicago has joined #openstack-keystone		04:57
*** Chicago has joined #openstack-keystone		04:57
*** nkinder has joined #openstack-keystone		05:00
morganfainberg	jamielennox, looking now	05:08
morganfainberg	jamielennox, +2/+A	05:10
jamielennox	morganfainberg: cheers	05:10
morganfainberg	now i gotta get moving and get food :P	05:10
morganfainberg	late dinner	05:10
openstackgerrit	Li Ma proposed a change to openstack/keystone: Password trunction makes password insecure https://review.openstack.org/77325	05:18
openstackgerrit	A change was merged to openstack/keystone: Removed unused code https://review.openstack.org/85984	05:20
*** morganfainberg is now known as morganfainberg_Z		05:20
openstackgerrit	Jamie Lennox proposed a change to openstack/keystone: Isolate backend loading https://review.openstack.org/74293	05:24
openstackgerrit	Jamie Lennox proposed a change to openstack/keystone: Make Pecan the root routing framework https://review.openstack.org/65428	05:24
*** chandan_kumar has joined #openstack-keystone		05:31
*** stevemar has quit IRC		05:41
*** florentflament has quit IRC		05:49
jzl_ctrip	the variable 'repository' seems undesired here,	06:14
jzl_ctrip	Jiānróng xìng	06:14
jzl_ctrip	https://github.com/openstack/keystone/blob/master/keystone/tests/test_sql_upgrade.py#L203-L216	06:14
*** dstanek has joined #openstack-keystone		06:22
*** dstanek has quit IRC		06:27
*** jaosorior has joined #openstack-keystone		06:38
openstackgerrit	A change was merged to openstack/python-keystoneclient: Add service name to catalog https://review.openstack.org/78410	06:39
*** tomoiaga has joined #openstack-keystone		06:46
*** chandan_kumar has quit IRC		07:02
*** chandan_kumar has joined #openstack-keystone		07:08
*** ilives has quit IRC		07:11
*** ilives has joined #openstack-keystone		07:11
*** florentflament has joined #openstack-keystone		07:27
*** marcoemorais has quit IRC		07:31
*** leseb has joined #openstack-keystone		07:42
*** marekd\|away is now known as marekd		07:53
*** henrynash has joined #openstack-keystone		08:18
*** derek_c has quit IRC		08:20
*** derek_c_ has quit IRC		08:20
*** dstanek has joined #openstack-keystone		08:24
*** henrynash has quit IRC		08:25
*** andreaf has joined #openstack-keystone		08:28
*** dstanek has quit IRC		08:28
openstackgerrit	Ilya Pekelny proposed a change to openstack/keystone: Sync test_migrations https://review.openstack.org/80618	08:35
openstackgerrit	Ilya Pekelny proposed a change to openstack/keystone: Redundant unique constraint https://review.openstack.org/84447	08:35
openstackgerrit	Ilya Pekelny proposed a change to openstack/keystone: Corresponding `nullable` value. https://review.openstack.org/84446	08:35
openstackgerrit	Ilya Pekelny proposed a change to openstack/keystone: Compatible server default value in the models. https://review.openstack.org/84445	08:35
openstackgerrit	Ilya Pekelny proposed a change to openstack/keystone: Explicit foreign key indexes. https://review.openstack.org/84444	08:35
openstackgerrit	Ilya Pekelny proposed a change to openstack/keystone: Make it possible to use multiprocess file locks https://review.openstack.org/84448	08:35
openstackgerrit	Ilya Pekelny proposed a change to openstack/keystone: Comparision of database models and migrations. https://review.openstack.org/80630	08:35
*** praneshp_ has joined #openstack-keystone		08:46
*** praneshp has quit IRC		08:46
*** praneshp_ is now known as praneshp		08:46
openstackgerrit	wanghong proposed a change to openstack/keystone: delete the tokens when deleting ec2 credential https://review.openstack.org/87450	08:54
*** marcoemorais has joined #openstack-keystone		09:00
*** marcoemorais has quit IRC		09:05
*** praneshp has quit IRC		09:05
*** chandan_kumar has quit IRC		09:06
*** chandan_kumar has joined #openstack-keystone		09:19
*** chandan_kumar has quit IRC		09:26
*** chandan_kumar has joined #openstack-keystone		09:26
openstackgerrit	Jamie Lennox proposed a change to openstack/keystone: Make Pecan the root routing framework https://review.openstack.org/65428	09:34
*** jamielennox is now known as jamielennox\|away		09:40
*** dstanek has joined #openstack-keystone		09:45
*** dstanek has quit IRC		10:00
openstackgerrit	Sergey Nikitin proposed a change to openstack/keystone: Code which gets and deletes elements of tree was moved to one method https://review.openstack.org/86578	10:14
*** florentflament has quit IRC		10:26
*** dstanek has joined #openstack-keystone		10:27
openstackgerrit	Sergey Nikitin proposed a change to openstack/keystone: Some methods in ldap were moved to superclass https://review.openstack.org/86250	10:28
*** dstanek has quit IRC		10:32
*** marekd is now known as marekd\|away		10:32
openstackgerrit	Sergey Nikitin proposed a change to openstack/keystone: Some methods in ldap were moved to superclass https://review.openstack.org/86250	10:52
*** jaosorior has quit IRC		11:21
*** dstanek has joined #openstack-keystone		11:33
*** jaosorior has joined #openstack-keystone		11:49
*** jzl_ctrip has quit IRC		12:00
*** marcoemorais has joined #openstack-keystone		12:02
*** zlji has joined #openstack-keystone		12:02
*** marcoemorais has quit IRC		12:06
*** zlji has quit IRC		12:19
baffle	Role names can contain spaces. Policies uses role names. Does role names with spaces work in Keystone and policies? Should they be escaped? Is space replaced with another character? :)	12:42
*** snikitin has joined #openstack-keystone		12:43
dolphm	jamielennox\|away: https://review.openstack.org/#/c/78878/	12:52
*** marcoemorais has joined #openstack-keystone		13:03
*** marcoemorais has quit IRC		13:08
*** erecio has quit IRC		13:08
*** tomoiaga has left #openstack-keystone		13:09
*** erecio has joined #openstack-keystone		13:14
*** dstanek_afk has joined #openstack-keystone		13:21
*** dstanek has quit IRC		13:23
*** dims has quit IRC		13:32
openstackgerrit	David Stanek proposed a change to openstack/keystone: Fixes for in-code documentation https://review.openstack.org/87965	13:32
*** wchrisj has joined #openstack-keystone		13:34
*** dstanek_afk is now known as dstanek		13:35
dstanek	dolphm: https://review.openstack.org/#/c/83630/ just doesn't want to work	13:38
*** bknudson has joined #openstack-keystone		13:40
*** vhoward has left #openstack-keystone		13:43
*** wchrisj has left #openstack-keystone		13:53
*** marcoemorais has joined #openstack-keystone		14:04
*** nkinder has quit IRC		14:07
*** marcoemorais has quit IRC		14:08
*** topol has joined #openstack-keystone		14:09
*** bach has joined #openstack-keystone		14:10
openstackgerrit	Ilya Pekelny proposed a change to openstack/keystone: Sync test_migrations https://review.openstack.org/80618	14:11
openstackgerrit	Ilya Pekelny proposed a change to openstack/keystone: Redundant unique constraint https://review.openstack.org/84447	14:11
openstackgerrit	Ilya Pekelny proposed a change to openstack/keystone: Corresponding `nullable` value. https://review.openstack.org/84446	14:11
openstackgerrit	Ilya Pekelny proposed a change to openstack/keystone: Compatible server default value in the models. https://review.openstack.org/84445	14:11
openstackgerrit	Ilya Pekelny proposed a change to openstack/keystone: Explicit foreign key indexes. https://review.openstack.org/84444	14:11
openstackgerrit	Ilya Pekelny proposed a change to openstack/keystone: Make it possible to use multiprocess file locks https://review.openstack.org/84448	14:11
openstackgerrit	Ilya Pekelny proposed a change to openstack/keystone: Comparision of database models and migrations. https://review.openstack.org/80630	14:11
*** dstanek has quit IRC		14:14
*** dims has joined #openstack-keystone		14:18
*** stevemar has joined #openstack-keystone		14:19
openstackgerrit	Brant Knudson proposed a change to openstack/keystone: Sync with oslo-incubator 462e62d https://review.openstack.org/87980	14:25
*** bach has quit IRC		14:28
*** dstanek has joined #openstack-keystone		14:30
dolphm	dstanek: seriously	14:31
*** marcoemorais has joined #openstack-keystone		14:33
*** daneyon has quit IRC		14:34
*** dims has quit IRC		14:34
*** daneyon has joined #openstack-keystone		14:35
*** marcoemorais has quit IRC		14:38
dolphm	dstanek: https://review.openstack.org/#/c/81659/3/keystone/tests/test_notifications.py	14:41
bknudson	that's one way to resolve a merge conflict	14:43
dstanek	bknudson: yeah, it's the only way!	14:45
*** dims has joined #openstack-keystone		14:47
lbragstad	whoop whoop, gerrit powered meeting agendas for keystone? https://review.openstack.org/#/c/87759/1/meetings/keystone-team-meeting.yml	14:47
openstackgerrit	David Stanek proposed a change to openstack/keystone: More notification unit tests https://review.openstack.org/81659	14:48
bknudson	I doubt that we could get the agenda reviewed in time for the meeting.	14:49
lbragstad	yeah, it's a work in progress.	14:49
dstanek	yeah, the agenda seems like a bad thing to add in there	14:50
*** thedodd has joined #openstack-keystone		14:50
bknudson	-1 I don't want to talk about this	14:50
dstanek	some neutron bug has been failing a ton of reviews recently	14:51
*** jaosorior has quit IRC		14:51
bknudson	http://status.openstack.org/elastic-recheck/	14:52
bknudson	2943 fails in 14 days	14:52
*** ilives has quit IRC		14:54
*** ilives has joined #openstack-keystone		14:58
dstanek	i'm looking to run tests against MySQL in parallel. i'm thinking right now that i should try to create the database before each test and drop it after.	14:58
dstanek	probably named something like keystone_tests_#pid#. any reason that this would be bad?	14:59
stevemar	that is an insane amount of failures in the last 14 days	15:13
*** dstanek has quit IRC		15:22
*** dstanek has joined #openstack-keystone		15:23
*** ilives has quit IRC		15:24
*** ilives has joined #openstack-keystone		15:25
*** jagee has joined #openstack-keystone		15:29
*** andreaf has quit IRC		15:41
*** andreaf has joined #openstack-keystone		15:41
*** vhoward has joined #openstack-keystone		15:43
*** bach has joined #openstack-keystone		15:45
*** chandan_kumar has quit IRC		15:46
*** bach has quit IRC		16:02
*** bach has joined #openstack-keystone		16:02
openstackgerrit	Matthieu Huin proposed a change to openstack/keystone: Add missing import, remove trailing ":" in middleware example https://review.openstack.org/88014	16:03
bknudson	dstanek: whatever you do make it extendable to other dbs...	16:04
openstackgerrit	Ilya Pekelny proposed a change to openstack/keystone: Migration DB_INIT_VERSION in common place https://review.openstack.org/88016	16:04
openstackgerrit	Ilya Pekelny proposed a change to openstack/keystone: Sync test_migrations https://review.openstack.org/80618	16:04
openstackgerrit	Ilya Pekelny proposed a change to openstack/keystone: Redundant unique constraint https://review.openstack.org/84447	16:04
openstackgerrit	Ilya Pekelny proposed a change to openstack/keystone: Corresponding `nullable` value. https://review.openstack.org/84446	16:04
openstackgerrit	Ilya Pekelny proposed a change to openstack/keystone: Compatible server default value in the models. https://review.openstack.org/84445	16:04
openstackgerrit	Ilya Pekelny proposed a change to openstack/keystone: Explicit foreign key indexes. https://review.openstack.org/84444	16:04
bknudson	dstanek: I'll want to add db2 support	16:04
openstackgerrit	Ilya Pekelny proposed a change to openstack/keystone: Make it possible to use multiprocess file locks https://review.openstack.org/84448	16:04
*** browne1 has joined #openstack-keystone		16:04
openstackgerrit	Ilya Pekelny proposed a change to openstack/keystone: Comparision of database models and migrations. https://review.openstack.org/80630	16:04
*** browne1 has left #openstack-keystone		16:05
*** richm has joined #openstack-keystone		16:05
*** browne has joined #openstack-keystone		16:05
dstanek	bknudson: absolutely	16:06
*** bach has quit IRC		16:07
*** zhiyan is now known as zhiyan_		16:17
*** nkinder has joined #openstack-keystone		16:22
dstanek	should we be nudging people toward matchers?	16:25
*** zhiyan_ is now known as zhiyan		16:34
*** ilives has quit IRC		16:36
*** nkinder has quit IRC		16:40
*** zhiyan is now known as zhiyan_		16:41
*** gokrokve has joined #openstack-keystone		16:47
*** leseb has quit IRC		16:50
*** harlowja_away is now known as harlowja		16:51
*** praneshp has joined #openstack-keystone		16:54
*** praneshp has quit IRC		16:54
*** praneshp has joined #openstack-keystone		16:54
*** amcrn has joined #openstack-keystone		16:57
*** amcrn has quit IRC		17:10
bknudson	dstanek: I'm trying.	17:10
bknudson	dstanek: it's not working well.	17:10
bknudson	maybe we'll get a critical mass of matchers code and then people will stop asking about it	17:11
*** derek_c_ has joined #openstack-keystone		17:15
*** marcoemorais has joined #openstack-keystone		17:16
*** derek_c has joined #openstack-keystone		17:16
*** david-lyle has joined #openstack-keystone		17:20
*** david-lyle has quit IRC		17:35
*** praneshp_ has joined #openstack-keystone		17:36
dims	ayoung, others, is this the latest instructions for keystone + mod_wsgi? is there anything in openstack doc? http://andymc-stack.co.uk/2013/06/apache2-mod_wsgi-openstack-pt1-keystone/	17:37
ayoung	dims, I'm like, the worst person to ask, cuz I'm the one that did it origianlly, and I do it all by trial and error.	17:38
ayoung	I just set on up on Devstack, and I used mod_nss instead of mod_ssl, for example	17:38
ayoung	dims, for example, I hate port 5000 and 35357 with the white hot intensity of a thousand suns (to quote the bard)	17:39
dims	a. ok :)	17:39
ayoung	so I put them both on 334	17:39
ayoung	er	17:39
ayoung	443	17:39
ayoung	I got kerberos working, too, if you actually want something secure?	17:40
*** praneshp has quit IRC		17:40
*** praneshp_ is now known as praneshp		17:40
dims	ayoung, a bit of background, i am seeing a lockup of keystone when heat makes calls and peter's patch (resurrected) seems to help - https://review.openstack.org/#/c/85395/ - i was thinking of other ways to overcome the problem	17:41
ayoung	just realized that both Kerberos and X509 would have been more resistant to Heartbleed. But Kerberos would have been vulnerable to a replay attack,	17:41
ayoung	He lies	17:41
ayoung	" keystone-all's throughput is limited to the	17:41
ayoung	throughput of a single CPU core. "	17:41
ayoung	un troo	17:41
ayoung	Now, I am not one to sing the praises of Greenthreads, but each greenthread can spawn a process, and so the processes execute in parallel, and nothing lockes it to a single core	17:42
dims	haven't dug deep into the problem yet. it could be some custom code that i may have causing trouble as well	17:42
ayoung	the crypto is all done with a popoen	17:42
dims	k	17:43
ayoung	anyway, Apache is still better	17:43
ayoung	so you are on the right path, but I would not split out to ports 5000 and 35357	17:43
ayoung	Instead, run admin on https://hostname/keystone/admin	17:43
ayoung	and main on	17:43
ayoung	Instead, run admin on https://hostname/keystone/main	17:43
dims	makes sense	17:43
ayoung	WSGIDaemonProcess keystone_admin user=keystone group=nogroup	17:43
ayoung	WSGIDaemonProcess keystone_main user=keystone group=nogroup	17:44
ayoung	same user but separate processes	17:44
ayoung	If you don't, you get errors parsing the config file.	17:44
*** amcrn has joined #openstack-keystone		17:44
ayoung	Separate process groups, too	17:44
dims	k. need to read up on Apache2/httpd config first. sounds like we don't have "Keystone under HTTPD" in devstack either	17:47
dims	thanks ayoung let me see what i can find/do	17:48
ayoung	dims, not yet. but you don't want it in devstack, trust me	17:49
* ayoung just got nuked by that		17:49
dims	ah ok	17:49
ayoung	devstack is awesome, but if you make changes to the live config...it gets over written if you need to rerun devstack	17:49
ayoung	and if you need to reboot the VM...you need to rerun devstack	17:49
dims	right	17:50
ayoung	dims, so right now I am waiting on the RDO release of Icehouse RC packages to continue that effort. However	17:51
ayoung	devstack should be good for you. One thing:L	17:51
ayoung	dims, http://adam.younglogic.com/2014/04/teaching-horizon-to-share/	17:52
ayoung	you can make those changes in	17:52
*** thedodd has quit IRC		17:53
ayoung	/opt/stack/horizon/openstack_dashboard/local/local_settings.py	17:53
*** d0ugal has quit IRC		17:56
dims	gotcha. thanks	17:57
*** gokrokve has quit IRC		17:57
*** derek_c has quit IRC		18:02
*** derek_c_ has quit IRC		18:03
openstackgerrit	Andreas Jaeger proposed a change to openstack/keystone: Check that all po/pot files are valid https://review.openstack.org/84211	18:04
*** thedodd has joined #openstack-keystone		18:15
*** praneshp is now known as praneshp_afk		18:16
*** gokrokve has joined #openstack-keystone		18:18
*** praneshp_afk has quit IRC		18:26
*** morganfainberg_Z is now known as morganfainberg		18:27
*** dstanek has quit IRC		18:28
*** leseb has joined #openstack-keystone		18:31
*** dstanek has joined #openstack-keystone		18:42
*** praneshp has joined #openstack-keystone		18:44
*** jimbaker has quit IRC		18:44
*** jimbaker has joined #openstack-keystone		18:45
*** jimbaker has quit IRC		18:45
*** jimbaker has joined #openstack-keystone		18:45
*** chandan_kumar has joined #openstack-keystone		18:49
*** andreaf has quit IRC		18:59
*** dstanek has quit IRC		19:21
*** dstanek has joined #openstack-keystone		19:22
*** derek_c has joined #openstack-keystone		19:24
*** derek_c_ has joined #openstack-keystone		19:24
*** bknudson has quit IRC		19:28
*** derek_c has quit IRC		19:28
*** derek_c_ has quit IRC		19:28
*** derek_c has joined #openstack-keystone		19:28
*** bknudson has joined #openstack-keystone		19:29
*** chandan_kumar has quit IRC		19:30
*** samuelmz has quit IRC		19:31
openstackgerrit	Andreas Jaeger proposed a change to openstack/keystone: Check that all po/pot files are valid https://review.openstack.org/84211	19:38
*** marcoemorais has quit IRC		19:39
*** leseb has quit IRC		19:41
*** amcrn_ has joined #openstack-keystone		19:46
*** amcrn has quit IRC		19:47
*** amcrn_ is now known as amcrn		19:48
*** dstanek has quit IRC		19:53
*** Krsna has joined #openstack-keystone		19:54
Krsna	morganfainberg: hope you got my message I sent to you when you were offline	19:55
morganfainberg	Krsna, i did	19:55
morganfainberg	Krsna, also let marekd\|away know i pointed you at him as a resource for federation work	19:55
morganfainberg	Krsna, glad to have you working on this!	19:55
*** chandan_kumar has joined #openstack-keystone		19:56
Krsna	morganfainberg: well I have to clear a few tickets before then, but yes will be fun. I am looking forward to meeting you at the sumit	19:57
*** browne has quit IRC		19:57
*** leseb has joined #openstack-keystone		19:57
morganfainberg	Krsna, glad you'll be there! i know last summit was great for keystone, this next one should be awesome as well	19:57
Krsna	I am excited!	19:58
*** thedodd has quit IRC		19:59
*** browne has joined #openstack-keystone		20:00
Krsna	morganfainberg: Also, I am trying to get the code we have for multi-backends upstreamed. Hopefully soonish	20:00
morganfainberg	Krsna, very cool.	20:00
*** thedodd has joined #openstack-keystone		20:05
*** derek_c has quit IRC		20:14
*** david-lyle has joined #openstack-keystone		20:16
*** dstanek has joined #openstack-keystone		20:19
*** gyee has joined #openstack-keystone		20:21
*** topol has quit IRC		20:24
*** marcoemorais has joined #openstack-keystone		20:32
*** marcoemorais1 has joined #openstack-keystone		20:35
*** marcoemorais has quit IRC		20:37
*** gokrokve has quit IRC		20:42
*** jamielennox\|away is now known as jamielennox		20:52
*** bach has joined #openstack-keystone		20:59
*** gokrokve has joined #openstack-keystone		21:02
*** Krsna has quit IRC		21:10
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Create a V3 Token Generator https://review.openstack.org/78878	21:12
jamielennox	dolphm, bknudson: ^^	21:12
openstackgerrit	A change was merged to openstack/keystone: Add missing import, remove trailing ":" in middleware example https://review.openstack.org/88014	21:12
morganfainberg	jamielennox, ooh cool.	21:17
morganfainberg	jamielennox, looked like the v2 one was merged, right?	21:18
jamielennox	ayoung: https://review.openstack.org/#/c/86727/ - why shouldn't kerberos be in requirements seperate from requests-kerberos?	21:18
jamielennox	morganfainberg: yep	21:18
jamielennox	morganfainberg: and there is a client release imminent so it's good to have the matched set	21:18
morganfainberg	jamielennox, ++ yeah	21:18
morganfainberg	jamielennox, i was opening this review to look at right now	21:18
jamielennox	morganfainberg: it's one of those client releases that will be immediately adopted by all the projects as well, so it's a good one to get things in to	21:19
morganfainberg	jamielennox, yep	21:19
jamielennox	aww, my cross-project summit session on standardizing clients was rejected - thought that was a sure thing	21:21
morganfainberg	=/	21:21
jamielennox	they must be swamped	21:21
bknudson	jamielennox: is there another session on openstack-sdk?	21:21
jamielennox	they had some proposed - i don't know if it was accepted or anything	21:22
jamielennox	http://summit.openstack.org/cfp/details/334	21:22
bknudson	this cross-project workshop is super popular	21:22
jamielennox	so there is a 2-parter on SDK and project libraries in general so i guess thats essentially the same	21:23
bknudson	jamielennox: there's 2 not to be missed!	21:23
bknudson	they're going to need big rooms for the cross-project sessions	21:24
morganfainberg	jamielennox, there is no way we can make the v3 and v2 fixtures have less... duplicated code? or is that for future refactoring?	21:24
morganfainberg	jamielennox, or we don't care that much since v2 can probably die eventually.	21:24
jamielennox	yea, so there is enough there to keep it interesting - and largely i think it's useful just to indentify who is interested	21:24
jamielennox	morganfainberg: it doesn't really work	21:25
morganfainberg	jamielennox, ok	21:25
jamielennox	theree are a lot of similar things but its all based on the token format	21:25
morganfainberg	jamielennox, i was thinking maybe there would be some way to align them... but tbh, i didn't see it off the bat	21:25
morganfainberg	figured asking was the best bet	21:26
morganfainberg	i would love to get a .md that explicitly shows the token format(s)	21:26
jamielennox	it's annoying with a few things where an endpoint in v2 is 1 for all 3 interfaces vs 3 endoints in v3	21:26
morganfainberg	would be useful to compare formats against... anyway	21:27
jamielennox	but it's testing infrastructure so i think people are ok to have to know a little baout what they are doing	21:27
morganfainberg	yeah	21:27
*** jagee has quit IRC		21:27
*** dstanek has quit IRC		21:27
bknudson	here's some code I had for converting v2 to v3 catalog: https://review.openstack.org/#/c/70630/5/keystone/catalog/backends/templated.py	21:27
jamielennox	bknudson: ah - that's useful, i'm going to have to do the reverse of that in auth_token	21:28
morganfainberg	bknudson, cool.	21:28
bknudson	the templated backend only does v2	21:28
bknudson	so don't try to get a v3 token using templated backend	21:28
morganfainberg	bknudson, jamielennox, so i'm going to be building a construct for the token (object) that can be shared between v2/v3/vwhatever should this construct/object go in client or server? as in... should i put it in client first?	21:29
jamielennox	the backend there is a bit unusual because it's version specific	21:29
morganfainberg	bknudson, jamielennox, this is so we can make internal use of token non-version specific, take JSON/whatever and make it an object we can consistently work with.	21:29
jamielennox	morganfainberg: no, i don't think so - at least not initially	21:29
morganfainberg	jamielennox, ok so i'll develop it in server - was thinking auth_token could benefit from it as well.	21:29
jamielennox	morganfainberg: we have AccessInfo which is that abstraction in client	21:30
morganfainberg	but we can shuffle it around i guess as needed.	21:30
morganfainberg	jamielennox, ah ok	21:30
bknudson	morganfainberg: use AccessInfo in the server	21:30
jamielennox	but it's an independent interface - not an independant representation	21:30
morganfainberg	bknudson, hm. i'll see if accessinfo does all i need.	21:30
morganfainberg	we might need a largely expanded version of it.	21:30
jamielennox	as in it keeps the orginal token format and provides different property accessors	21:30
bknudson	we might have a version of accessinfo in the server	21:30
morganfainberg	jamielennox, yeah that's not what i'm looking for in this case	21:31
jamielennox	morganfainberg: yep	21:31
morganfainberg	jamielennox, i'm looking for an object representation that we could use at the edge to emit a version of the token.	21:31
jamielennox	morganfainberg: i've been thinking about how to do that for all our models not just tokens	21:31
morganfainberg	but would otherwise simplify accessing parts of the token (expires is the same place, trust is the same place, etc etc)	21:32
morganfainberg	jamielennox, well i'll start with token :) we can build from there. if i can do something more generic i'll build that then token on top of it	21:32
jamielennox	morganfainberg: i've been still looking at the pecan thing on and off, it's a bit harder without WSME so i was thinking about replacing that whole layer with jsonschema and doing models that way	21:32
morganfainberg	jamielennox, hm... well i was looking at possibly using jsonschema for this code anyway	21:33
jamielennox	morganfainberg: have you had a look at WSME and how it works?	21:33
morganfainberg	jamielennox, i'll ping you with the example/review since it's the next thing i'm working on	21:33
jamielennox	morganfainberg: i might have time to do a sketch up today of how i was thinking of doing the models with schema	21:33
morganfainberg	jamielennox, i have, but i thought WSME in general was dead for us because of the lack of arbitrary attrs	21:34
jamielennox	if not i'm going down the coast for easter so it won't be till mid next week	21:34
morganfainberg	jamielennox, that would be useful if you have it - if not, i'll start working on some stuff and worst case we change it before we seriously consider merging it	21:34
jamielennox	morganfainberg: it is - but if you take the general concept of how it builds objects and such i think i can replicate that but do all the actual validation with jsonschema	21:34
stevemar	so many cross project workshop proposals	21:34
jamielennox	stevemar: ++, it's going to be a busy week	21:35
morganfainberg	jamielennox, i'll revisit wsme when i'm working on this in either case.	21:35
morganfainberg	jamielennox, i want to get the code proposed (if not merged) prior to the summit since this is a requirement to move to ephemeral tokens and other such improvements	21:36
jamielennox	morganfainberg: so in general i was thinking one of the big issues with WSME is that it goes around the pecan.expose rather than inside	21:36
jamielennox	as in WSME takes over JSON and XML rendering, i would try and do validation within pecan so that you can still use pecan's views layer	21:37
morganfainberg	jamielennox, the question then becomes the likelyhood of making pecan work with keystone	21:37
jamielennox	morganfainberg: pecan is fine i think	21:37
jamielennox	have you seen my patch on this?	21:37
morganfainberg	jamielennox, not recently	21:37
jamielennox	https://review.openstack.org/#/c/65428/	21:38
morganfainberg	jamielennox, is it ready? as in, no real issues and i should build upon it.	21:38
morganfainberg	jamielennox, ah yeah i've seen these two. i'll base my work on top of them.	21:38
jamielennox	it works for routing, the issue is all the @protected work is really intertwined with the current controller layout	21:38
morganfainberg	jamielennox, thankfully the @protected stuff isn't required for what i'm looking to do here (atm)	21:39
jamielennox	i've been looking at ways of seperating them a little bit but i haven't found anything that's really easy to understand	21:39
morganfainberg	at least to start.	21:39
jamielennox	true - for everything related to auth it won't matter	21:39
morganfainberg	yep	21:39
morganfainberg	makes auth a great place to start	21:40
jamielennox	yea, that would be good to start transitioning that i think	21:40
morganfainberg	cool.	21:40
morganfainberg	thanks.	21:40
jamielennox	i'm looking at how to do common methods between new and old controllers so that there isn't much code change in controllers to start	21:40
jamielennox	i'll let you know how that goes but you'll quickly figure out if you're missing things	21:41
morganfainberg	jamielennox, that would be good.	21:41
morganfainberg	jamielennox, hehe yeah i'm sure. anyway i'll point you at the code as i get through it.	21:41
jamielennox	that's what https://review.openstack.org/#/c/87850/ and https://review.openstack.org/#/c/87849/ are for - trying to simplify those controllers	21:41
morganfainberg	jamielennox, i think we also probably need to get to using stevedore for the backends.	21:43
jamielennox	morganfainberg: ++, that's on my list	21:43
*** topol has joined #openstack-keystone		21:48
mgagne	According to my reading, tenant names are not unique. What's the boundary for such non-uniqueness? Can a single domain have 2 tenants with the same name? Or is non-uniqueness only possible with multiple domains?	21:49
*** EmilienM has joined #openstack-keystone		21:51
*** dims has quit IRC		21:52
*** dstanek has joined #openstack-keystone		21:54
*** larsks has joined #openstack-keystone		21:54
*** dstanek has quit IRC		21:59
*** bach has quit IRC		22:02
morganfainberg	mgagne, tenant/project names are unique within a domain	22:03
morganfainberg	mgagne, all tenants in the v2 api are unique names since it uses the "default" domain exclusivly	22:03
mgagne	morganfainberg: cool, that clears things up then	22:03
morganfainberg	mgagne, sure thing	22:03
mgagne	morganfainberg: thanks!	22:04
*** dims has joined #openstack-keystone		22:04
*** leseb has quit IRC		22:09
jamielennox	mgagne: and tenant/project _id is globally unique so if you find yourself trying to use the tenant name for something you probably mean to be using the tenant_id	22:10
openstackgerrit	Brant Knudson proposed a change to openstack/python-keystoneclient: Always configure logging https://review.openstack.org/88097	22:11
mgagne	jamielennox: won't you use tenant name AND the domain when querying for it?	22:12
jamielennox	mgagne: you can, but if you have the tenant id then you dont need the domain - it really depends what you are trying to do	22:13
jamielennox	mgagne: if you are doing CLI and user facing stuff then names are often easier, if you're saving information in another service then you should always use ids	22:13
mgagne	jamielennox: right, I agree.	22:14
jamielennox	mgagne: i only clarify because it came up with swift recently where they were using usernames as unique rather than user_ids and were attempting all sorts of hacks so that they could keep on using a username	22:15
mgagne	jamielennox: will take note of it for when I encounter such design choice =)	22:17
*** bknudson has quit IRC		22:27
*** marcoemorais1 has quit IRC		22:31
*** ilives has joined #openstack-keystone		22:32
*** marcoemorais has joined #openstack-keystone		22:33
morganfainberg	jamielennox, wait what?	22:33
morganfainberg	jamielennox, oh dear.... usernames unique	22:34
*** nkinder has joined #openstack-keystone		22:36
*** huats has quit IRC		22:37
*** ilives has quit IRC		22:38
*** derek_c has joined #openstack-keystone		22:38
*** thedodd has quit IRC		22:41
openstackgerrit	Steve Martinelli proposed a change to openstack/python-keystoneclient: Add request/access token and consumer support for keystoneclient https://review.openstack.org/81980	22:42
*** huats has joined #openstack-keystone		22:51
*** huats has quit IRC		22:51
*** huats has joined #openstack-keystone		22:51
*** lnxnut_ has joined #openstack-keystone		22:51
*** lnxnut has quit IRC		22:51
*** lnxnut_ has quit IRC		22:51
*** lnxnut has joined #openstack-keystone		22:52
morganfainberg	jamielennox, dolphm, stevemar, https://review.openstack.org/#/c/77325/8/keystone/common/utils.py curious on your opinion of my comment there.	23:01
*** david-lyle has quit IRC		23:01
morganfainberg	i think WARNING is the wrong level and this should be downgraded to info... but kinda want other input on that	23:01
morganfainberg	topol. ^ your input would also be welcome	23:03
dolphm	morganfainberg: with configuration, i agree it should be info	23:06
morganfainberg	dolphm, i think previously warning was even a bit loud.	23:07
dolphm	morganfainberg: that's what i meant -- it was already too loud	23:09
morganfainberg	dolphm, ok cool. we're on the same page.	23:09
dolphm	WARNING: The system is behaving exactly as you configured it, nothing to see here!	23:10
morganfainberg	dolphm, WARNING: don't worry, do nothing.	23:10
morganfainberg	we should totally add more warning messages that everything is working as expected	23:11
morganfainberg	especially every time someone logs in	23:11
dolphm	morganfainberg: WARNING: CPU usage suddenly went up a bit.	23:11
morganfainberg	dolphm, WARNING: Someone used HTTP POST method	23:12
dolphm	WARNING: Non-zero load on auth service!	23:12
morganfainberg	dolphm, WARNING: This service runs in python.	23:13
dolphm	lol	23:13
*** stevemar has quit IRC		23:20
*** marcoemorais has quit IRC		23:22
*** gokrokve has quit IRC		23:23
topol	morganfainberg, what was the question?	23:33
morganfainberg	topol, https://review.openstack.org/#/c/77325/8/keystone/common/utils.py the log message warning is a bit loud.	23:34
morganfainberg	topol, was looking for other reviewer input	23:34
morganfainberg	as you can see the IRC channel got a little silly for non-warning log messages :P	23:34
morganfainberg	erm non-warning warnign messages	23:35
topol	warning seems merited to me for truncating a password	23:35
morganfainberg	topol, every time they authenticate?	23:35
topol	hmmm everytime	23:35
dolphm	topol: even though they configured keystone to truncate?	23:35
topol	other choice is info?	23:36
jamielennox	morganfainberg: i'm ok to downgrade that to info	23:36
morganfainberg	topol, i'd advocate info	23:36
morganfainberg	it allows you to still track occurences (you should be tracking things like that)	23:36
morganfainberg	but it's nothing you need to act on as a operator/deployer	23:36
jamielennox	morganfainberg: it's not an operator issue, if you are looking through your keystone logs WARNING should really stand out as you've done something wrong	23:36
morganfainberg	jamielennox, ++	23:36
topol	So the other choice is info, correct? It still gets placed in the logs everytime	23:37
morganfainberg	topol, correct	23:37
topol	they authenticate	23:37
*** chandan_kumar has quit IRC		23:37
morganfainberg	topol, well aslong as keystone is configured to emit info logs (min log level would apply)	23:38
morganfainberg	jamielennox, i think we have a number of logging lines that might need downgrade and probably some that need upgrade	23:38
morganfainberg	perhaps that should also be a target for Juno	23:38
jamielennox	i know this has been in for a while, but it feels like this should be part of a larger 'password rules' component and it fails if you don't meet the rules - silent truncation is bad	23:38
jamielennox	like special chars and numbers required	23:38
topol	as long as they can turn on logging and be informed of the truncation. It doesnt matter to me whether its info or WARNING. As long as they get informed	23:38
morganfainberg	topol, i think it is info, it's relevant for running a cloud, but nothing that needs immidiate action	23:39
jamielennox	i'm hoping there is a library that could do that because i don't want to manage passwrd rules in keystone	23:39
topol	morganfainberg agreed	23:39
topol	WARNING, keystone cores want to make token data binary	23:39
topol	that one was worth a WARNING	23:39
morganfainberg	topol, hehe	23:40
morganfainberg	jamielennox, isn't passlib capable of doing that?	23:40
topol	WARNING keystone cores dont use emoticons on IRC	23:40
jamielennox	morganfainberg: looking at that now	23:40
morganfainberg	topol, HAH	23:40
jamielennox	it's not mentioned on there front page	23:40
topol	WARNING, brad was about to have a stroke thinking about unusable curl examples from binary tokens cause brad is slow at keystone core humor	23:40
topol	so hard being the slow guy	23:40
topol	last one is an info	23:41
jamielennox	morganfainberg: i can't see it	23:41
dolphm	if they really cared deeply about this particular message, they could change the log level for this module	23:42
morganfainberg	dolphm, true	23:43
dolphm	was someone going to tackle binary tokens in juno-1?	23:45
topol	so how did dolphm let the variable "bigboy" get into the test case for the password stuff. He likes the tests cases to have a more professional decorum :-)	23:45
morganfainberg	LOL	23:45
morganfainberg	i was going to let that var name slide	23:46
morganfainberg	i thought twice about it though	23:46
topol	so WARNING did we pick a bar yet to meet up at Sunday night in Atlanta. I want to make sure I show up on time this time	23:46
morganfainberg	but... i was amused	23:46
dolphm	topol: i want to write a utf-8 generating method and take a pass at replacing all the arbitrary crap in tests with that (including uuid generation)	23:46
morganfainberg	dolphm, utf8_character_set[os.random-offset:length] ?	23:47
topol	morganfainberg ++	23:47
morganfainberg	with a little magic to do wrapping	23:47
dolphm	morganfainberg: pretty much -- is utf8_character_set a thing?	23:47
topol	so are folks coming Sunday night?	23:47
dolphm	topol: yes	23:47
morganfainberg	dolphm, probably somewhere	23:48
morganfainberg	Oh hay, i think i'm arriving dinnertime on sunday	23:49
dolphm	pretty sure i'm there around 11	23:50
dims	topol, i'll be there sun night too	23:50
dolphm	am	23:51
* morganfainberg checks flight info		23:51
morganfainberg	i should be arriving 1730ish	23:51
jamielennox	friday afternoon :)	23:51
ayoung	jamielennox, ah...got confused. You are right, I was thinking requests-kerberos. But I don't want us pulling in the Kerberos library for another reason: I want to push for straight HTTPD integation, not Kerberos in Eventlet.	23:52
topol	excellent. I get in around dinner time on Sunday night as well	23:53
jamielennox	ayoung: i thought we decided we were going to support both in the same plugin?	23:53
ayoung	jamielennox, no, I only agreed to half of that	23:53
ayoung	I agreed to put "kerberos" in the "method" field	23:53
topol	dims you going to Vegas?	23:53
ayoung	but...do you really think it makes sense to do in process kerberos?	23:54
dims	topol, nope. just Atlanta	23:54
ayoung	I can see an argument for supporting it in conjunction with Token binding in a different service if getting it to run in HTTPD is too hard, but I would rather push for HTTPD	23:55
jamielennox	ayoung: i see that if we have the 'kerberos' plugin that it's really easy to check for HTTPD headers and authenticate easily and if you don't have them you can do it in process	23:56
jamielennox	if we're getting rid of eventlet i don't see the problem with speed	23:56
ayoung	jamielennox, back in a bit..gotta battle a couple of bed-resistant pre-teens	23:56
jamielennox	all of this crypto is done in C anyway - my understanding is it was mostly the threading issues that we didn't want it before	23:56
topol	morganfainberg I get in at 6:42pm	23:56
topol	jamielennox take their phones. thats what I always do.	23:56
morganfainberg	topol, cool	23:57
morganfainberg	i'm still trying to chase down the best place to do a whiskey night	23:57
morganfainberg	i'll propose something for one of the nights, post dinner likely	23:57
topol	morganfainberg excellent	23:57
topol	is jamielennox correct? Are we getting rid of eventlet? What are we moving to?	23:59
topol	dolphm?	23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!