Friday, 2014-06-27

« Thursday, 2014-06-26 Index Saturday, 2014-06-28 »
*** richm has left #openstack-keystone00:06
jamielennoxmorganfainberg: do you know where to address the problems here: http://lists.openstack.org/pipermail/openstack-stable-maint/2014-June/002337.html ?00:09
*** praneshp has quit IRC00:14
hrybackijamielennox: I met with the glance folks today about keystoneclient integration -- they seemed very open to input from our team00:17
hrybackispecifically they asked if you/me/ayoung would look over https://review.openstack.org/#/c/82126/ -- see if everything seems to be in order, if they are missing things, etc..00:17
jamielennoxhrybacki: excellent,00:18
jamielennoxoh, someones had a go at it already00:18
hrybackiyep :)00:18
hrybackithe power of weekly meetings00:19
jamielennoxwhat have they done there? they don't seem to be going for a session00:19
hrybackiI haven't had a chance to look over it myself00:20
hrybackibut that's the kind of feedback they need00:20
jamielennoxoh00:20
jamielennoxthey are using the session in shell to get a token and endpoint and then using the existing client from then on00:20
jamielennoxdamn, i need to get some reviews pushed through - everyone needs the same stuff00:21
hrybackilet me know when you do, I want to be on the same page as you00:21
jamielennoxhrybacki: so what they've done is not what i was suggesting you look at00:21
hrybacki?00:22
jamielennoxi have a review to push through a standard set of CLI params, it's waiting for people00:22
jamielennoxso as i was saying the other day there are multiple parts to a python-*client, there's the CLI part and the library part00:22
hrybackinods00:22
jamielennoxwhen i was talking about using the session i was suggesting we replace the core of the libraries, what they've done is to use the session to get out the token they need in the shell00:23
jamielennoxshell = CLI00:23
ayoung_afkhrybacki, sorry to leave you hanging today00:23
ayoung_afkI was knocked out00:23
hrybackiayoung_afk: no worries00:23
jamielennoxand then pass that token value through to all there existing http code00:23
hrybackiayoung_afk: I saw your late night pushes00:23
ayoung_afksome sort of bug....00:23
hrybacki--00:23
ayoung_afkI think I'm through it now00:24
ayoung_afkhrybacki, anything come out of the glance meeting?00:24
hrybacki++00:24
hrybackijust what I was telling jamie00:24
*** otwieracz has quit IRC00:24
hrybackithey are open to collaboration and want our help in integrating keystoneclient00:25
*** otwieracz has joined #openstack-keystone00:25
hrybackihttps://review.openstack.org/#/c/82126/00:25
hrybackibut jamie was saying they are not on track yet -- I haven't looked over it myself yet00:25
ayoung_afkjamielennox, which reviews00:25
ayoung_afklooks like they just went for V3 API supportwithout going full session, kindof like Neutron did00:26
hrybackihttps://review.openstack.org/#/c/82126/00:26
jamielennoxayoung_afk: theres or which of mine need mergine?00:26
*** ayoung_afk is now known as ayoung00:26
ayoungjamielennox  "damn, i need to get some reviews pushed through - everyone needs the same stuff"00:26
jamielennoxayoung: yea, they used the session to get a token, but didn't convert the existing library00:26
ayoungits  astart00:26
jamielennoxhttps://review.openstack.org/#/c/95015/00:26
jamielennoxand then the dependencies of that00:26
jamielennoxthat one and the follow on are ready to go00:26
jamielennoxthe two after that need a little more work00:27
*** hrybacki is now known as hrybacki_afkish00:27
jamielennoxdamn, the second one needs a rebase00:28
jamielennoxayoung: when's the meetup?00:29
*** yfujioka has joined #openstack-keystone00:30
ayoungnext week, wed-fri00:30
ayounger00:30
ayoungtwo weeks00:30
ayoungnext week is a Holiday00:30
dstanekjamielennox: why would oslo.config fail to import? https://review.openstack.org/#/c/95015/9/keystoneclient/session.py00:31
jamielennoxdstanek: because oslo.config shouldn't be a dependency of keystoneclient00:32
jamielennoxit currently is, but if middleware comes out it won't be00:32
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Session loading from CLI options  https://review.openstack.org/9567800:36
dstanekjamielennox: odd, so there will be functionality available to people that do have it installed?00:37
jamielennoxdstanek: it's not really useful unless you have it installed00:37
jamielennoxyou get back a list of oslo.conf options which you then need to register with a CONF object00:38
jamielennoxso the consumer is going to have that available00:38
morganfainbergjamielennox, not sure who to bug about stable maint00:38
jamielennoxmorganfainberg: i had a quick chat in -infra, they gave me some pointers but i've got no idea what to do with it00:39
hrybacki_afkishi'm heading out, have a good day/night all!00:40
morganfainbergjamielennox, i can try and help some once i get back from the gym and openstack meetup00:40
morganfainbergjamielennox, i don't have a ton of time to spend at the moment though00:40
morganfainbergneed to get going00:40
jamielennoxmorganfainberg: they said to look at the ironic setup and look at that00:40
morganfainbergjamielennox, ok i'[ll look at the scroll back and if i can help i will00:40
morganfainbergit's probably not too bad to fix00:41
*** hrybacki_afkish has quit IRC00:47
*** xianghui has quit IRC00:50
openstackgerritMichael McCune proposed a change to openstack/python-keystoneclient: Correcting using-api-v2.rst  https://review.openstack.org/10298600:51
dstanekjamielennox: is depending on oslo.config a bad thing?00:53
jamielennoxdstanek: it's not horrible i guess - it just generally doesn't make sense from a client perspective00:53
jamielennoxwe do it now anyway, so if it's an issue i can take out the check for now00:54
dstanekjamielennox: i'm just looking throught that series or reviews now and i noticed that dhellmann was also wondering the same thing00:55
jamielennoxdstanek: that's a little different, he's looking at the auth plugins00:56
jamielennoxand i created my own intermediate format rather than use oslo options00:57
*** oomichi is now known as oomichi_away00:57
jamielennoxoslo.config is good for config files, there is some CLI support there but it isn't used by any of the clients - it's only parsed for CLI options when starting the servers00:57
dstanekjamielennox: is there any reason that it's not?00:58
jamielennoxit also doesn't support cliff00:58
jamielennoxdstanek: honestly i don't know00:58
jamielennoxi tried to figure out how it worked and got my brain tied in knots00:58
dstanekhaha, me too00:58
dstaneki think that code needs a lot of love00:59
dstanekjamielennox: there are things like this https://review.openstack.org/#/c/99831 that i think may have just worked on accident01:02
jamielennoxdstanek: i expect to have the oslo.config debate for those parameters which is why i haven't updated those reviews01:05
jamielennoxi might bring it up at the next meeting01:05
jamielennoxi don't think it affects the first two reviews about the session for now though01:05
*** openstackgerrit has quit IRC01:06
jamielennoxdstanek: mmm, that's fun01:06
jamielennoxi had this problem with a review just the other day, you can't stub a deprecated argument in oslo.config because it doesn't actually get registered01:07
jamielennoxit seems like such an easy problem....01:07
*** xianghui has joined #openstack-keystone01:07
*** openstackgerrit has joined #openstack-keystone01:08
dstanekjamielennox: ah yes, i ran into something similar during my oslo.config travels01:10
*** topol has joined #openstack-keystone01:11
*** marcoemorais has quit IRC01:13
*** zzzeek has quit IRC01:15
*** hrybacki_afkish has joined #openstack-keystone01:18
*** zhiyan_ is now known as zhiyan01:18
*** zzzeek has joined #openstack-keystone01:33
*** jamielennox is now known as jamielennox_afk01:33
*** praneshp has joined #openstack-keystone01:37
*** mberlin has joined #openstack-keystone01:39
*** mberlin1 has quit IRC01:40
openstackgerritDavid Stanek proposed a change to openstack/keystone: Adds hacking check for debug logging translations  https://review.openstack.org/10163601:56
*** dims_ has quit IRC02:02
*** praneshp_ has joined #openstack-keystone02:06
*** praneshp has quit IRC02:09
*** praneshp_ is now known as praneshp02:09
openstackgerritA change was merged to openstack/keystone: Adds oslo.db support for Python 3 tests  https://review.openstack.org/10262402:12
*** zzzeek has quit IRC02:24
*** nsquare has quit IRC02:38
*** rodrigods_ has quit IRC02:41
*** harlowja is now known as harlowja_away02:53
*** dstanek is now known as dstanek_zzz02:54
*** zhiyan is now known as zhiyan_03:05
*** stevemar2 has joined #openstack-keystone03:05
*** otwieracz has quit IRC03:05
*** zhiyan_ is now known as zhiyan03:06
*** stevemar has quit IRC03:07
*** otwieracz has joined #openstack-keystone03:12
*** dstanek_zzz is now known as dstanek03:15
*** dstanek is now known as dstanek_zzz03:25
*** jamielennox_afk is now known as jamielennox04:01
*** hrybacki_afkish has quit IRC04:11
*** dstanek_zzz is now known as dstanek04:16
*** dstanek is now known as dstanek_zzz04:26
*** stevemar2 has quit IRC04:27
*** stevemar2 has joined #openstack-keystone04:30
*** stevemar2 is now known as stevemar04:30
*** Chicago has joined #openstack-keystone04:55
*** yfujioka has left #openstack-keystone05:04
*** packet has quit IRC05:06
*** oomichi_away is now known as oomichi05:07
*** stevemar has quit IRC05:09
*** ajc_ has joined #openstack-keystone05:15
*** dstanek_zzz is now known as dstanek05:17
*** chandan_kumar has joined #openstack-keystone05:22
*** dstanek is now known as dstanek_zzz05:27
*** chandan_kumar has quit IRC05:35
*** henrynash has joined #openstack-keystone05:41
*** chandan_kumar has joined #openstack-keystone05:42
*** tkelsey_ has joined #openstack-keystone05:45
*** topol has quit IRC05:48
*** henrynash has quit IRC05:53
openstackgerritSteve Martinelli proposed a change to openstack/keystone-specs: Federating multiple Keystones  https://review.openstack.org/10002305:55
*** stevemar has joined #openstack-keystone05:58
*** stevemar2 has joined #openstack-keystone06:13
*** praneshp_ has joined #openstack-keystone06:13
*** praneshp has quit IRC06:14
*** stevemar has quit IRC06:15
*** praneshp_ has quit IRC06:18
*** dstanek_zzz is now known as dstanek06:18
*** ukalifon1 has joined #openstack-keystone06:20
*** praneshp has joined #openstack-keystone06:21
*** tomoiaga has joined #openstack-keystone06:21
*** dstanek is now known as dstanek_zzz06:28
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements  https://review.openstack.org/10180006:32
*** ncoghlan has joined #openstack-keystone06:34
openstackgerritOpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/10140406:37
*** stevemar2 has quit IRC06:38
*** afazekas_ has quit IRC06:46
*** afazekas has quit IRC06:52
*** jamielennox is now known as jamielennox|away06:52
*** rwsu has quit IRC06:53
*** praneshp_ has joined #openstack-keystone06:53
*** praneshp has quit IRC06:55
*** praneshp_ is now known as praneshp06:55
*** ukalifon1 has quit IRC06:55
*** henrynash has joined #openstack-keystone07:00
*** praneshp has quit IRC07:04
*** mrda is now known as mrda-weekend07:06
*** BAKfr has joined #openstack-keystone07:06
*** dstanek_zzz is now known as dstanek07:18
*** dstanek is now known as dstanek_zzz07:28
*** ukalifon has joined #openstack-keystone07:48
*** ukalifon has quit IRC07:55
*** nkinder has quit IRC08:06
*** nkinder has joined #openstack-keystone08:06
*** rwsu has joined #openstack-keystone08:08
*** rwsu has quit IRC08:08
*** dstanek_zzz is now known as dstanek08:19
*** dstanek is now known as dstanek_zzz08:29
*** dstanek_zzz is now known as dstanek09:20
*** marekd|away is now known as marekd09:26
*** oomichi has quit IRC09:27
*** dstanek is now known as dstanek_zzz09:30
baffleHi, I have a problem using the identity:list_projects policy in Keystone. My current rule is: "identity:list_projects": "rule:cloud_admin or (rule:admin_required and domain_id:%(domain_id)s)" but when I try to list projects in Horizon, I see the following in the log: enforce identity:list_projects: {'is_delegated_auth': False, 'group_ids': [], 'user_id': u'58acf68ca8a84ce596cb65d3823088c3', 'roles': [u'admin'], 'trustee_id': None, 'trustor_id':09:44
baffleAnd then I get "You are not authorized to perform the requested action, identity:list_projects.". Do this mean that the auth context does not have a domain id, so my "rule:cloud_admin" rule will fail?09:45
*** ncoghlan has quit IRC09:48
*** zhiyan is now known as zhiyan_09:57
*** dstanek_zzz is now known as dstanek10:21
*** dstanek is now known as dstanek_zzz10:31
*** rodrigods_ has joined #openstack-keystone11:00
openstackgerritA change was merged to openstack/keystone: Regenerate sample config file  https://review.openstack.org/10229411:15
*** rodrigods_ has quit IRC11:16
*** dstanek_zzz is now known as dstanek11:22
openstackgerritMarek Denis proposed a change to openstack/keystone-specs: Federating multiple Keystones  https://review.openstack.org/10002311:25
*** dstanek is now known as dstanek_zzz11:32
*** topol has joined #openstack-keystone11:39
*** topol has quit IRC11:47
*** ajc_ has quit IRC12:03
*** zhiyan_ is now known as zhiyan12:08
*** bknudson has joined #openstack-keystone12:14
*** joesavak has joined #openstack-keystone12:20
*** erecio has joined #openstack-keystone12:21
*** dstanek_zzz is now known as dstanek12:22
*** dstanek is now known as dstanek_zzz12:32
*** dstanek_zzz is now known as dstanek12:33
*** richm has joined #openstack-keystone12:35
*** nsquare has joined #openstack-keystone12:37
openstackgerritJuan Manuel OllĂ© proposed a change to openstack/keystone: Adding Role for an unexisting user should fail  https://review.openstack.org/9398212:42
*** hrybacki_afkish has joined #openstack-keystone12:51
*** erecio has quit IRC12:54
*** erecio has joined #openstack-keystone12:55
*** hrybacki_afkish is now known as hrybacki12:56
*** csd has joined #openstack-keystone13:10
*** bobt has joined #openstack-keystone13:11
csdhi, let me pull a question I asked on openstack-dev over as this might be a better place:13:13
csdhi, I'm looking for CORS support for keystone. I see an abandoned code review here:  https://review.openstack.org/13:13
csd#/c/21958/13:13
csdand an article on how to install it here: http://blog.yunak.eu/2013/07/24/keystone_cors/13:14
csdthat seems to be the current state. Just checking if anyone is aware or any further work that I might have missed before dwelving into those more13:14
csdas they are all >1 year solutions13:14
*** radez_g0n3 is now known as radez13:16
bknudsonDo you expect that openstack would work if I set the identity endpoint to /v3 ?13:19
bknudsonIs that something that should work?13:20
bknudsonOr do we only support /v2.0?13:20
bknudsonOr are we saying we also support an unversioned endpoint? (Although I'm pretty sure that doesn't work)13:20
openstackgerrithenry-nash proposed a change to openstack/keystone: Add identity mapping capability  https://review.openstack.org/10243013:30
openstackgerrithenry-nash proposed a change to openstack/keystone: multi-backend support for identity  https://review.openstack.org/7421413:30
*** vhoward has left #openstack-keystone13:33
dstanekcsd: this is the first i have heard about tha13:38
dstanekcsd: your link appears to just be middleware so if you need that support you should be able to use it without it being included in openstack projects13:39
csddstanek, what about ? CORS ?13:39
csdI heard of CORS recently from a co-worker who's writing some ajax code to talk to keystone+nova and ran into this problem13:41
openstackgerrithenry-nash proposed a change to openstack/keystone: multi-backend support for identity  https://review.openstack.org/7421413:41
csddstanek, are you saying that you don't think CORS should be in openstack project ? I think it would be good for keystone to (configurably) support CORS13:42
csdas it would permit web clients to talk REST to openstack components directly (horizon doesn't suffer this because django middleware takes care of it is my understanding)13:43
raildoayoung: I was reading the keystone on-spec Endpoint Policy Assignment, I know it is still very early, but I'm with a doubt. What is the difference between this proposal and the API policy existing at Keystone?13:44
dstanekcsd: i'm not saying it shouldn't be there. just that i believe you can use it anyway.13:49
csddstanek, understood. the instructions seem to be okay for the most part. I was just wondering if anyone knew of more recent attempts at making it part of keystone13:50
csdas that would be a better place to go if it existed13:50
tomoiagabknudson: nova may not work. If you plan on using two endpoints for v3 and v2 that may be ok. Otherwise stick with v2. You can use keystone v3 directly (by setting the url). Just keep in mind that nova looks at the service catalog and will work with keystone v2 only13:51
*** stevemar has joined #openstack-keystone13:51
dstanekcsd: the review you linked to wasn't for keystone it was for oslo13:51
bknudsontomoiaga: ok, we've got some work to do then13:52
dstanekcsd: i just browsed the comments and i think there was still a bit or work to do to properly support it; maybe the original author's case worked and didn't feel the need to continue?13:52
*** stevemar has quit IRC13:52
tomoiagabknudson: for example, I am using keystone v3 and pass a token to nova directly. Nova won't need to authenticate anymore (I've done some work to overwrite the authentication method in nova to work things out, no big deal)13:53
dstanekcsd: looks like there were no objections to it so you can probably pick up the patch and start fixing the issues13:53
*** stevemar has joined #openstack-keystone13:53
csddstanek, okay. thanks.13:54
*** kwss has joined #openstack-keystone14:06
marekdstevemar: looks like SPs will be required no matter what way we choose in k2k bp. Let me start playing with that on Monday.14:12
stevemarmarekd, you sure? I can probably pick that up, you are busy with client stuff?14:15
hrybackidolphm: in regards to http://dolphm.com/openstack-juno-design-summit-outcomes-for-keystone/ -- how much progress has been made in the doc improvement speak underneath the Identity API v3 everywhere header?14:15
openstackgerritMarek Denis proposed a change to openstack/keystone-specs: Federating multiple Keystones  https://review.openstack.org/10002314:15
marekdstevemar: client is stalled as I'm waiting for some reviewers' input :/14:15
stevemarmarekd, alright, and then mapping engine improvements ...14:18
marekdstevemar: with that i would wait for geneal spec approval :-)14:18
openstackgerritKristy Siu proposed a change to openstack/keystone-specs: Simplified Mapping for Federated Authentication  https://review.openstack.org/10028014:18
marekdgeneral14:18
marekdstevemar:  instead of coding, you can make a good use of your power by looking here: https://review.openstack.org/#/c/83829/14:25
stevemarmarekd, i have the powerrrr14:25
marekdstevemar: you do14:26
*** rwsu has joined #openstack-keystone14:27
*** daneyon has joined #openstack-keystone14:27
*** dstanek is now known as dstanek_zzz14:30
*** zhiyan is now known as zhiyan_14:32
marekdstevemar: actually, if you want to help with the client stuff, you can try it out with TFIM...unless I can get some access (which is not possible I am guessing). THere is some email with useful code inside.14:32
ayoungraildo, right now, if an endpoint wanted to fetch policy from Keystone, it would need to know the policy id14:33
ayounghow is it going to find that out?14:33
*** tomoiaga has quit IRC14:33
stevemarmarekd, your assumption was correct14:34
stevemarmarekd, since the k2k spec seems to be on the right path, i'll spend time reviewing client and testing it out14:35
openstackgerritKristy Siu proposed a change to openstack/keystone-specs: Simplified Mapping for Federated Authentication  https://review.openstack.org/10028014:35
*** dstanek_zzz is now known as dstanek14:35
marekdstevemar: thanks a lot, appreciate it!14:35
stevemarmarekd, i wanted to make sure k2k was on the right path first..14:35
marekdstevemar: reasonable goal14:35
dstanekstevemar, marekd: who is responsible for the "bursting" requirements?14:37
marekddstanek: for federating clouds?14:37
marekddstanek: or you are saying about tech step?14:37
marekdstevemar: i am about to start merging SAML ECP  auth plugin with this https://review.openstack.org/#/c/79542/914:38
dstanekmarekd: the k2k mentions it a few times and i'd like to see if i can get clarification14:38
marekddstanek: i think it is not going to happen automatically - keystoneclient will probably not automatically change endpoints...at least not at the very beginning I am guessing. Right stevemar ?14:39
*** comstud is now known as bearhands14:40
dstanekmarekd: when i think automatic i think on the nova side14:40
dstaneknova sees that it is nearing capacity and bursts to a different cloud14:40
stevemardstanek, oh thats interesting14:40
marekddstanek: i was not expecting to work it that way...14:41
stevemari thought keystoneclient would do it14:41
marekdstevemar: ++14:41
stevemarkwss, a +1 !14:42
stevemarwoooo14:42
marekdstevemar: saw it.14:42
marekdstevemar: i think it still needs some polishing, but it's definitely a good sign.14:42
dstanekhow would ksc know that nova was at capacity? maybe keystonemiddleware (kmw)14:42
stevemarmy weekend is officially starting off well14:42
kwssstevemar, :)14:43
stevemaroh i like the introduction of the kmw acronym14:43
*** zzzeek has joined #openstack-keystone14:43
dstaneki'm lazy and i hate to type14:43
marekddstanek: i was predicting this would require human step.14:43
marekddstanek: somebody once mentioned nova cannot monitor resource usage and capacity...am I right?14:44
marekdstevemar: did you ever have auto-burst in mind?14:44
dstanekmarekd: the spec to me is ambiguous ... it says a will burst to b and if b if full b will burst to c14:44
marekddstanek: i think it's too much for J release.14:45
dstanekin my view niether a or b will burst anywhere14:45
marekdor i would keep it as optional...14:45
dstanekmarekd: nova really doesn't know how many more VMs it can create?14:46
marekddstanek: i am nova noob, i don't know.14:46
stevemardstanek, would the logic have to be introduced for other services, like cinder or glance?14:47
dstanekstevemar: i would image so if the intent is for them to do the bursting14:48
marekdthey all already use keystoneclient, right?14:49
marekd(to cover all that token fun)14:49
dstanekmarekd: probably14:49
stevemardstanek, then i think it would make sense to make kmw or ksc handle this then, change it in one spot instead of many14:50
dstanekbut you can put the bursting login directly into ksc only14:50
marekddstanek: if you want to burst automatically how do you want services to choose what cloud to choose next?14:50
dstanekmarekd: i'm not saying that we should do this at all - i'm saying the spec language implies to me that we are14:51
dstanekoh, actually there are a few new comments about bursting14:52
marekdi am wondering what are joesavak's opinion on new k2k proposal.14:52
*** bobt has quit IRC14:53
dstaneki have a meeting with him in a few - hopefully we cover it14:53
marekddstanek: first big change - abandoning SAML/OIDC protocols in favor of something custom.14:54
dstanekyeah, i was catching up on the chat14:55
marekddstanek: superb! :-)14:55
dstanekmy only concern there is that we'll be reinventing the wheel14:55
marekddstanek: well..14:57
*** ukalifon1 has joined #openstack-keystone14:59
kwssHi guys, probably a stupid question, but when I use a federated token to list projects, should I be putting it in the X-SUBJECT-TOKEN header?15:03
marekdkwss:  hmmm, not  x-auth-token ?15:06
kwssmarekd, actually I tried in both X-AUTH-TOKEN and X-SUBJECT-TOKEN but I guess I did something wrong because the token is always rejected as invalid :S15:07
marekdkwss: hmm, your policies are ok?15:07
kwssmarekd, I'm using the example policy, do I need to change it?15:08
marekdkwss: let me check15:10
kwssmarekd, thanks! I didn't see anything about it in the docs but it's more than possible I missed it :)15:10
marekdkwss: https://github.com/openstack/keystone/blob/master/etc/policy.json#L140 it's there in default policy file so you should have it too...15:10
kwssmarekd, hmm yes that's definitely in my policy, I must have messed up something else :S15:12
marekdkwss: logs dont say anything?15:13
kwssmarekd, just "RBAC: Invalid token"15:14
marekdkwss: :( When you are getting unscoped token, you are copying X-Subject-Token value from that response  and later put it in X-Auth-Token when listing projects, right?15:16
kwssmarekd, yep15:16
*** thedodd has joined #openstack-keystone15:19
marekdkwss: in both cases api cannot find that token (wow, suprise)15:20
marekdthis warning is logger either here: https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L75 or here: https://github.com/openstack/keystone/blob/master/keystone/middleware/core.py#L27115:21
*** openstackgerrit has quit IRC15:21
kwssmarekd, yea, but I can look in the mysql db and see the token there...15:22
*** hrybacki has quit IRC15:23
marekdkwss: you are using uuid?15:24
kwssmarekd, no, PKI15:24
*** hrybacki has joined #openstack-keystone15:25
marekdkwss: i would just try to debug just before the exception is raised.15:26
marekdlog whatever can be logged...15:26
marekdpdb w/ apache might be difficult i guess15:27
*** david-lyle has joined #openstack-keystone15:29
kwssmarekd, if I put an error in the policy.json file, should the request fail?15:29
stevemarkwss, are you issuing a curl request, can you put it on http://paste.openstack.org/ ?15:29
kwssstevemar, I'm using a rest client, let me just try it with curl fast15:31
stevemarkwss, i was doing: curl -X GET -H "X-Auth-Token: $TOKEN_ID" http://localhost:5000/v3/OS-FEDERATION/projects15:32
stevemarand it was alright15:32
*** ukalifon1 has quit IRC15:35
kwsscurl -X GET -H "X-Auth-Token: $TOKEN_ID" --insecure https://localhost:5000/v3/OS-FEDERATION/projects {"error": {"message": "The request you have made requires authentication. (Disable debug mode to suppress these details.)", "code": 401, "title": "Unauthorized"}}15:40
kwssstevemar, is it because it's https? I wouldn't have thought so though15:40
marekdkwss: i wouldnt say so...15:41
marekd(https)15:41
*** openstackgerrit has joined #openstack-keystone15:45
*** afaranha has joined #openstack-keystone15:45
kwssmarekd, stevemar I got it!! Thanks so much. The rest client was inserting newlines into the token! Sorry to waste your time15:45
marekdkwss: uh, good to know it was not openstack ;-)15:46
kwssmarekd, I was pretty sure it was my fault the whole time.. :D15:46
marekdkwss: not yours15:48
*** hrybacki has quit IRC15:48
kwssmarekd, haha, you're too kind to my newbie mistakes ^^15:49
*** doddstack has joined #openstack-keystone15:52
stevemarkwss, great to hear it was the rest client!15:52
marekdkwss: what rest client are you using (so others dont repeat that mistake)? :-)15:53
kwssIt's a firefox plugin call RESTClient15:54
*** BAKfr has quit IRC15:55
*** thedodd has quit IRC15:55
openstackgerritDolph Mathews proposed a change to openstack/identity-api: Remove duplicate section title  https://review.openstack.org/10317715:55
*** nsquare has quit IRC15:57
*** kwss has quit IRC16:01
*** sbasam has quit IRC16:04
*** erecio has quit IRC16:04
*** dstanek is now known as dstanek_zzz16:05
*** dstanek_zzz is now known as dstanek16:07
*** marekd is now known as marekd|away16:07
*** marekd|away is now known as marekd|weekend16:07
*** jsavak has joined #openstack-keystone16:09
*** joesavak has quit IRC16:11
*** joesavak has joined #openstack-keystone16:12
*** sbasam has joined #openstack-keystone16:13
*** jsavak has quit IRC16:14
*** sbasam has quit IRC16:14
boris-42dolphm morganfainberg Hi guys, if you are interested in getting osprofiler in keystone +1 this patch https://review.openstack.org/#/c/102362/ that adds it to global requieremtns=)16:18
*** joesavak has quit IRC16:22
*** nsquare has joined #openstack-keystone16:32
morganfainbergboris-42, what was the other patch you wanted me tolook at yesterday? sorry got swamped and am trying to find it in my backlog16:34
*** xianghui has quit IRC16:34
*** joesavak has joined #openstack-keystone16:36
dolphmboris-42: is osprofiler dependent on apache?16:37
dolphmboris-42: oh, that's the license! duh16:38
morganfainbergdolphm, :)16:38
*** chandan_kumar has quit IRC16:46
*** hrybacki has joined #openstack-keystone16:47
*** praneshp has joined #openstack-keystone16:48
openstackgerritA change was merged to openstack/keystone-specs: Propose Specification for non-persistent-tokens  https://review.openstack.org/9597616:49
morganfainbergwoooooo16:49
morganfainberg:)16:49
*** sbasam has joined #openstack-keystone16:53
*** harlowja_away is now known as harlowja16:56
stevemardolphm, i'd appreciate some input on https://review.openstack.org/#/c/100023/14 :)17:03
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Correct the region table to be InnoDB and UTF8  https://review.openstack.org/10296417:14
*** tkelsey_ has quit IRC17:18
*** ukalifon1 has joined #openstack-keystone17:20
boris-42dolphm yep that is license=)17:25
morganfainbergdolphm, stevemar, ayoung, gyee, https://github.com/openstack/keystone/blob/master/keystone/common/config.py#L43 compute_port in keystone's config?17:25
*** daneyon has quit IRC17:25
boris-42dolphm there is only one requirements WebOb17:25
boris-42morganfainberg so I was speaking about this patch https://review.openstack.org/#/c/98836/17:26
boris-42morganfainberg but you already +2 it17:26
morganfainbergboris-42, yep, saw it after a lot of backlog searching17:26
morganfainberg:)17:26
boris-42morganfainberg thx=17:26
stevemarmorganfainberg, according to blame :P https://github.com/openstack/keystone/commit/23a4fe9ec7b9f3c007793e339110dc43e8781d6f17:26
boris-42morganfainberg with plugins & profiler it will be super useful17:26
boris-42morganfainberg finally easy to use=)17:27
*** vhoward has joined #openstack-keystone17:27
morganfainbergstevemar, sure, i might have changed it last there17:27
stevemarmorganfainberg, it seems pointless though17:28
morganfainbergstevemar, https://github.com/openstack/keystone/commit/1ed2046eaa91fa36926d66a5fe1e88ccd65373bb before that17:28
morganfainbergstevemar, https://github.com/openstack/keystone/commit/1ed2046eaa91fa36926d66a5fe1e88ccd65373bb17:30
morganfainbergstevemar, looks like it originates about there17:30
stevemarmorganfainberg, i did a search, i don't think it's used...17:30
*** jsavak has joined #openstack-keystone17:31
*** doddstack has quit IRC17:31
morganfainbergstevemar, running tests will remove if it isn't17:31
stevemarmorganfainberg, we should double check with henrynash17:32
morganfainberg? it was added back in 2012.17:32
morganfainbergby termie17:32
morganfainberglook at the last link17:32
morganfainbergstevemar, it's used for test i think17:34
*** joesavak has quit IRC17:34
stevemarmorganfainberg, having a config option for a test sounds silly17:35
morganfainbergstevemar17:35
morganfainbergye17:35
gyeemorganfainberg, what's compute port doing in there?17:35
stevemargyee, thats what we're trying to figure out :)17:35
morganfainberggyee, it looks like it's used for testing17:35
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Extracting get group roles for project logic to drivers.  https://review.openstack.org/8602517:37
gyeemorganfainberg, stevemar, I don't think it's been used17:38
*** dstanek is now known as dstanek_zzz17:45
*** dstanek_zzz is now known as dstanek17:46
morganfainberggyee, stevemar, it's used17:49
morganfainberghttps://github.com/openstack/keystone/blob/master/keystone/catalog/backends/templated.py#L11017:49
*** joesavak has joined #openstack-keystone17:49
morganfainbergin the templated backend17:49
morganfainbergit _assumes_ it can replace items in our default template with items from the keystone config object17:50
morganfainberghow is that useful...17:51
morganfainberg?!!17:51
morganfainbergi mean the nova part17:51
*** jsavak has quit IRC17:52
henrynashmorganfainberg: hi17:54
morganfainberghenrynash, heyya17:54
henrynashmorganfainberg: was there a question for me?17:56
morganfainberghenrynash, nah,17:56
*** dstanek is now known as dstanek_zzz17:57
henrynashmorganfainberg: oh, ok!17:57
morganfainberghenrynash, was trying to chase down why 'compute_port' was in the keystone config :P17:57
morganfainbergloooong history17:57
henrynashmorganfainberg: yep, somewhere betweem columbus and madonna (the singer that is)17:57
gyeemorganfainberg, I see. Compute port shouldn't be replaceable at catalog creation time17:57
gyeethat's wrong17:57
morganfainberggyee, yep fixing it now17:58
gyeethat's static data17:58
morganfainberguhuh17:58
henrynashmorganfainberg, ayoung, dolphm, dstanek: both remaining multi-backend uuid patches are now posted (https://review.openstack.org/#/c/102430/ and https://review.openstack.org/#/c/74214)17:59
ayounghenrynash, thanks18:00
*** thedodd has joined #openstack-keystone18:02
*** harlowja is now known as harlowja_away18:04
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Do not use keystone's config for nova's port  https://review.openstack.org/10320418:04
bknudsonDoes anyone know if our keystone docs ever said to set the identity endpoint to /v3?18:11
bknudsonhow would that work? applications don't know if identity endpoints supports v2 or v3.18:11
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Do not use keystone's config for nova's port  https://review.openstack.org/10320418:14
*** harlowja_away is now known as harlowja18:15
_elmikobknudson: i was just reading the keystoneclient docs last night, and in the "Using API v3" page it recommends using the discovery mechanism. it looked like this avoided calling out the version and allowed discovery.18:20
*** _elmiko is now known as elmiko18:20
elmikobknudson: http://docs.openstack.org/developer/python-keystoneclient/using-api-v3.html18:21
elmikonot sure if that's what you meant18:21
bknudsonelmiko: I know that we've got the discovery thing, but I don't think that the other services that use keystone auth ever implemented it... especially in icehouse.18:22
elmikobknudson: probably not(re: others implementing)18:22
*** marcoemorais has joined #openstack-keystone18:24
*** bknudson has quit IRC18:38
openstackgerritDolph Mathews proposed a change to openstack/keystone: Consolidate provider calls to token_api.create_token  https://review.openstack.org/7376818:47
morganfainbergdolphm, wow forgot those even exists18:48
openstackgerritDolph Mathews proposed a change to openstack/keystone: Pass token expiry to the .create_token() method  https://review.openstack.org/7376918:50
*** erecio has joined #openstack-keystone18:52
*** bknudson has joined #openstack-keystone18:53
dolphmmorganfainberg: this one looks hopeless, abandon? https://review.openstack.org/#/c/73477/18:53
dolphm(re-abandon?)18:53
morganfainberghmmm18:53
morganfainbergthat one needs a lot more love18:54
morganfainbergi can probably fix it though18:54
morganfainbergi mean... we need to do that anyway18:55
openstackgerritSteve Martinelli proposed a change to openstack/identity-api: Add ``user`` object to the mapping rules examples.  https://review.openstack.org/9012118:55
dolphmmorganfainberg: ack18:55
hrybackidolphm: I think https://review.openstack.org/#/c/102602 is ready18:55
dolphmhrybacki: a test exercising the new defaults would be appreciated, but otherwise lgtm18:56
*** bknudson has quit IRC18:57
hrybacki++18:57
morganfainberghrybacki, second the adding tests would be great18:58
morganfainberghrybacki, but that can be done as a follow-up18:58
morganfainberghrybacki, (please do it as a followup :)18:59
hrybackimorganfainberg: dumb new guy questions -- how does one do a followup? Is there a special procedure for that? There seems to be a lot of procedures for things around OS :P18:59
morganfainberghrybacki, if you make a new commit on top of your current one, when you use git-review it'll ask if you want to submit both19:00
hrybackinods, versus just an amend19:00
morganfainberghrybacki, yep19:01
openstackgerrityuriy brodskiy proposed a change to openstack/python-keystoneclient: fixing minor grammatical issue  https://review.openstack.org/10321819:01
hrybackimorganfainberg: thanks!19:01
morganfainberghrybacki, and dont hesitate to ask questions, even if they seem dumb - we've all had to ask them at one point, happy to answer any i can19:02
morganfainberg(and it wasn't a dumb question)19:02
hrybackihah, thank you. Working with such a large project has been quite the learning experience19:03
morganfainberghrybacki, and (I hope) it's been fun too19:03
hrybackimorganfainberg: it gets more fun as I understand more -- as it stands nothing is simple to me. Even making two parameters optional has a wide range of side effects I can't fully grasp just yet19:04
*** marcoemorais has quit IRC19:05
morganfainberghrybacki, yep.19:05
*** marcoemorais has joined #openstack-keystone19:05
*** marcoemorais has quit IRC19:05
*** marcoemorais has joined #openstack-keystone19:06
*** marcoemorais has quit IRC19:06
*** marcoemorais has joined #openstack-keystone19:06
*** bknudson has joined #openstack-keystone19:11
*** achampion has joined #openstack-keystone19:18
*** praneshp has quit IRC19:20
*** openstackgerrit has quit IRC19:20
*** marcoemorais has quit IRC19:22
*** openstackgerrit has joined #openstack-keystone19:22
*** marcoemorais has joined #openstack-keystone19:22
*** marcoemorais has quit IRC19:22
*** dstanek_zzz is now known as dstanek19:23
*** marcoemorais has joined #openstack-keystone19:23
openstackgerritSteve Martinelli proposed a change to openstack/identity-api: Add initial service provider API for OS-FEDERATION  https://review.openstack.org/10322319:25
morganfainbergjdennis, ping if you have some time to look at LDAP stuff, https://review.openstack.org/#/c/95300/ it would be appreciated19:25
*** marcoemorais has quit IRC19:25
*** marcoemorais has joined #openstack-keystone19:26
morganfainbergjdennis, i'm doing a review of it now, but i'm happier when I have smarter and more knowledgeable follks input on this kind of stuff :)19:26
jdennismorganfainberg: ok, I'll try to take a peek19:27
morganfainbergjdennis, thanks. its not overly complex, but i feel like it could use more eyes, make sure I don't miss some subtlety in the LDAP front when using the pooling lib19:28
jdennismorganfainberg: rcrit is probably a good person as well to take a look, Rob is excellent at this stuff19:29
ayoungmorganfainberg, is there any good reason to avoid putting the keystone endpoint id into the auth_token config?  It will let us fetch policy by endpoint (if we want) and do endpoint binding of the tokens.  We could do the first based on the service user, but not the second.  I'm thinking we just bite the bullet and say "emdpoints need to know their own id"19:37
nkindermorganfainberg: I'm taking a look now too...19:37
ayoungme too19:38
ayoungthat seems...invasive19:38
nkindermorganfainberg: have you done any benchmarking with/without the pool enabled?19:39
*** vhoward- has joined #openstack-keystone19:41
ayoungnkinder, morganfainberg doesn't it seems like that code should be a decorator on the  PythonLDAPHandler(?19:41
*** toddnni_ has joined #openstack-keystone19:41
*** raildo1 has joined #openstack-keystone19:41
*** gmurphy_ has joined #openstack-keystone19:42
*** jraim_ has joined #openstack-keystone19:42
*** raildo has quit IRC19:43
*** vhoward has quit IRC19:43
*** gmurphy has quit IRC19:43
*** jraim has quit IRC19:43
*** toddnni has quit IRC19:43
*** otwieracz has quit IRC19:43
*** huats has quit IRC19:43
*** toddnni_ is now known as toddnni19:43
ayoungBut I think that the changes look "right"19:43
*** jraim_ is now known as jraim19:43
*** huats has joined #openstack-keystone19:43
*** huats has quit IRC19:43
*** huats has joined #openstack-keystone19:43
ayoungnkinder, do you have any idea how we could test it?  Is it just a case of having a replicated LDAP server?19:44
nkinderayoung: you only need one LDAP server19:44
nkinderayoung: it just reuses connections (and has multiple that it keeps open)19:44
hrybackimorganfainberg, dolphm: in regards to those tests -- it looks like I would only need to create one additional test in v2_0/test_endpoints as v2_0/test_shell already covers the use case, yeah?19:44
*** otwieracz has joined #openstack-keystone19:44
ayoungnkinder, to ensure it doesn't crash, yeah.  But to test the pooling, you'd need two and kill one, no?19:44
nkinderayoung: no, this is not for failover (though reconnect should be tested)19:45
dolphmhrybacki: i didn't look, but that sounds correct - copy/paste an existing test for that function, rename the new test, change the input to take advantage of the new defaults, and make sure the output is correct19:45
hrybackidolphm++19:45
ayoungnkinder, then what is means by "pool" if it is not "select one from a set of servers?"19:45
nkinderayoung: a pool of connections (not necessarily servers)19:46
ayoungnkinder, ah...just reuse...OK,  so this should be the default I'd expect?19:46
nkinderayoung: it allows reuse, but also comes in handy when you have async LDAP operations19:46
nkinder...but keystone can't/doesn't do that, right?19:47
nkindermorganfainberg: will keystone even try to perform multiple LDAP operations at the same time?19:49
openstackgerritHarry Rybacki proposed a change to openstack/python-keystoneclient: Add tests for optional create endpoint params  https://review.openstack.org/10322919:49
*** vhoward- has left #openstack-keystone19:50
jdennisright off I see a few issues, shouldn't there be a min and max pool size?19:50
nkinderthe other thing I don't like it that a connection stays bound as the last user who was authenticated19:51
nkinder...and unbind is a no-op19:51
jdennisisn't the _common_ldap_initialization function stomping on global attributes?19:52
jdenniserr, rather I mean global ldap config values19:52
*** jsavak has joined #openstack-keystone20:02
*** david-lyle has quit IRC20:03
*** david-ly_ has joined #openstack-keystone20:04
*** thedodd has quit IRC20:05
*** joesavak has quit IRC20:06
jdennisthe code is setting and resetting every option on every call20:07
openstackgerritDolph Mathews proposed a change to openstack/keystone: Add information regarding HTTPS for SSL enabled endpoints  https://review.openstack.org/9927820:08
bknudsonif you unbind an ldap connection then it's disconnected20:08
bknudsonso unbinding in a connection pool would essentially not be a pool20:08
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Revocation event API  https://review.openstack.org/8116620:08
bknudsonmaybe unbind would bind as a different user?20:08
richmin LDAPv3 you are supposed to be able to issue multiple bind requests on a connection to switch identities20:09
*** erecio has quit IRC20:09
richmone technique I have seen used is that the connection pool does a bind as a proxy user20:10
richmto authenticate as a "real" user, the connection pool issues a proxy authentication request using the identity and credentials of the "real" user20:10
nkinderbknudson: it can bind as anonymous or a proxy user20:10
richmthis avoids bind overhead20:10
bknudsonI like those options20:11
richmthe 389 "ldap" backend (aka chaining/database link) uses this technique20:11
jdenniswhere is ConnectionManager defined? I don't see it20:12
*** ukalifon1 has quit IRC20:13
morganfainbergback20:15
morganfainbergnkinder, yeah i wasn't sure about the bind/unbind20:15
morganfainbergnkinder, i wanted to see what people thought first20:16
ayoungmorganfainberg, you get the feeling we've upped our game on LDAP?20:16
bknudsonjdennis: it's in ConnectionPool20:16
morganfainbergayoung, maybe a little :P20:16
bknudsonjdennis: it's in ldappool20:16
jdennisbknudson: I must be silly, but I don't see an ldappool in the changeset nor in master20:17
nkinderjdennis: it's an external lib20:18
bknudsonjdennis: https://pypi.python.org/pypi/ldappool/20:18
morganfainbergjdennis, it just cleared global reqs not too long ago20:18
*** fifieldt has quit IRC20:19
morganfainbergnkinder it sounds like we need a 'go bind as this user' type connection that is only ever used for that purpose20:20
morganfainbergnkinder, and the general use-case do things as keystone connection (or pool)20:20
morganfainbergnkinder so we don't perform things as a random user.20:20
jdennisI don't see how you differentiate connections with different options sharing the same URL20:21
*** jraim has quit IRC20:21
*** jraim has joined #openstack-keystone20:21
nkindermorganfainberg: yes, you could have an authentication pool and a regular lookup/other stuff pool20:21
morganfainbergnkinder, and the pool wouldn't get re-used across eventlet workers (keystone can be configured with multiple workers now), because if it could you could end up with weird pool stuffs20:23
openstackgerritayoung proposed a change to openstack/keystone: Migrate default extensions  https://review.openstack.org/9632620:23
morganfainbergjdennis, with what i'm describing, we'd just use a separate pool and only ever 'bind as user for auth purposes' from that pool, the other pool of connections would be used for the keystone ldap operations20:24
jdennisI guess that's why every ldap call resets every option :-(20:24
morganfainbergjdennis, =/20:24
ayoung doing an authenticate should reset to connection at the end20:25
ayoungdoing any other call should ensure that the connection is set as the admin user20:25
ayoungit can be one pool, or authenticate doesn't need to use a pool.20:25
morganfainbergayoung, yes20:27
nkinderayoung: ideally we would still use a pool for auth20:27
nkinder...but, I'd prefer to have sssd handle all of this for us instead20:27
ayoungnkinder, oh, yes20:28
ayoungnkinder, but I suspect that the LDAP code will live on for a long while.  Not everyone is going to be onboard with SSSD20:28
*** rodrigods has quit IRC20:29
morganfainbergrichm's point with the prxy user is good too20:30
morganfainbergif we can do that in our ldap stuff it would solve the same issue20:30
*** fifieldt has joined #openstack-keystone20:31
*** jsavak has quit IRC20:33
*** joesavak has joined #openstack-keystone20:42
*** navid has joined #openstack-keystone20:42
*** thedodd has joined #openstack-keystone20:45
*** otwierac1 has joined #openstack-keystone20:48
*** thedodd has quit IRC20:50
dstanekmorganfainberg: you ever see this http://logs.openstack.org/26/95826/6/gate/gate-keystone-python26/fa13f3c/console.html ?20:50
morganfainbergdstanek, looks like the wrong node was trying to run py2620:51
morganfainbergor... cent6 node doesn't have py26 anymore?20:51
dstanekodd right?20:52
*** otwieracz has quit IRC20:52
*** otwierac1 is now known as otwieracz20:52
morganfainbergi'd raise that up w/ infra20:58
morganfainbergthey might want to know.20:58
dstanekmorganfainberg: there was a bug already for it21:00
morganfainbergah21:00
morganfainbergcool21:00
*** navid has quit IRC21:03
*** clayg has joined #openstack-keystone21:04
claygis this where the keystone devs hang out!?21:04
morganfainbergclayg, yep yep21:05
claygI'm trying to review a swift patch for the keystone auth middleware that deals with domains, but my devstack setup only comes with users in the default domain21:05
jdennisclayg: ducks and runs, these are not the devs you're looking for :-)21:05
clayghttps://review.openstack.org/#/c/86430/21:05
claygI hear that the keystone client is gunna support domains in the future, but I was wondering how you guys test out domains while that's all getting fleshed out21:06
* clayg hopes for use_domains = true option in local.conf21:06
openstackgerritBrant Knudson proposed a change to openstack/keystone: Remove backend_entities from backend_ldap.conf  https://review.openstack.org/10324121:06
clayg... but you know a blog post or gist or even a crappy opinonated curl script would probably get me back on track21:08
claygI found http://www.mirantis.com/blog/manage-openstack-projects-using-domains-havana/ but it's all like - but it starts with "install this custom policy file" and I'm hoping it's gotten easier in the past 4 montsh?21:09
*** jsavak has joined #openstack-keystone21:10
clayghrmmm...21:10
* clayg lurks in case anyone wants to bust out some knowledge for me21:11
morganfainbergclayg, ok sorry was in another convo at the moment you popped up21:11
morganfainbergclayg, if you're using V2 api for keystone, you will only ever get things back from v2.21:12
claygmorganfainberg: oh no worries brother, didn't mean to sound impatient :)21:12
claygmorganfainberg: i only managed to get as far as changint the auth_verison = 3.0 option in my authtoken middleware config - but I feel like that's a start!21:13
claygmorganfainberg: i'm told that I need to upgrade my swiftclient to get v3 token, but we have an associated patch for that - so I feel like that's getting closer21:13
morganfainbergclayg, sure that should be the starting place21:14
claygmorganfainberg: the last part of my understanding (and the limits of my expierence) are that I need a user that is not in the default domain - which brings me to keystone client support21:14
morganfainbergclayg, hm well from the shell, i don't think you can do it21:14
morganfainbergclayg, the CLI in keystoneclient is rather limited21:14
*** david-ly_ has quit IRC21:14
claygmorganfainberg: i'm guessing curl will let me - but no idea what the syntax might look like21:14
morganfainbergclayg, keystone client as a library has the support for V321:14
claygmorganfainberg: oh... unless maybe I can do it in horizon!?21:14
*** joesavak has quit IRC21:14
morganfainbergclayg, http://docs.openstack.org/developer/keystone/api_curl_examples.html21:15
claygmorganfainberg: ok, some some custom python scripts to make the api calls will probably work out for me?  does anyone have anything lying about or could scr - nice :D21:15
ayoungdstanek, I'm trying to do some horizon auth development.  I Have a packstack installed machine;  all RPMs.  I git cloned the django-openstack-auth repo and did sudo python ./setup.py develop  to overwrite the RPM version of that code with thegit version, but I get21:15
ayoung  File "/usr/lib64/python2.7/distutils/cmd.py", line 59, in __init__21:15
ayoung    raise TypeError, "dist must be a Distribution instance"21:15
ayoungis this a case of me having to pull multiple files in via PIP?21:15
claygmorganfainberg: that's a big ol' pile of win right there - i knew i came to the right place!21:16
morganfainbergayoung, you can use 'pip -e <path>' as well21:16
morganfainbergayoung it would do dependency resolution from pypi21:16
morganfainbergclayg, happy to help!21:16
ayoungmorganfainberg, what pip command would that be?21:17
morganfainbergayoung, oh sorry pip -e install <path>21:17
morganfainbergayoung, erm21:17
morganfainberginstall -e21:17
morganfainbergyeah install -21:17
ayoungmorganfainberg, from a git repo21:17
*** jsavak has quit IRC21:17
morganfainberge21:17
morganfainbergso if you're in the repo directory: pip install -e .21:17
morganfainbergmight need sudo21:17
morganfainbergdepends on your perms, or if you're installing in venv21:18
morganfainbergyou wouldn't need sudo with a venv21:18
ayoungah, I think it was the hacked PBR that messed things up21:18
ayoungmorganfainberg, nah, I wanted somethingthat would survive a reboot no matter how I hacked it, so I start with Packstack (root install)21:20
*** stevemar2 has joined #openstack-keystone21:22
*** bobt has joined #openstack-keystone21:24
*** zigo_ has joined #openstack-keystone21:24
*** shuffleb1t has joined #openstack-keystone21:26
*** jgriffit1 has joined #openstack-keystone21:26
morganfainbergstevemar, careful stevemar2 is here now. i hear he's shady21:27
*** morganfainberg is now known as stevemar321:27
stevemar3oh snap, stevemar321:27
*** david-lyle has joined #openstack-keystone21:27
stevemar3bah it's not fun when he's not paying attention to irc21:27
*** stevemar3 is now known as morganfainberg21:28
stevemar2stevemar3, i hate my isp21:28
morganfainbergstevemar2, :P21:28
stevemar2morganfainberg, i'm thinking i should log off, got folks coming by21:29
stevemar2morganfainberg, and now they are entering ... so i'm outta here, see ya later, likely21:30
*** otwieracz has quit IRC21:31
*** jraim has quit IRC21:31
*** marcoemorais has quit IRC21:31
*** hrybacki has quit IRC21:31
*** stevemar has quit IRC21:31
*** mhu has quit IRC21:31
*** bearhands has quit IRC21:31
*** mrda-weekend has quit IRC21:31
*** mgagne has quit IRC21:31
*** dolphm has quit IRC21:31
*** vishy has quit IRC21:31
*** zigo has quit IRC21:31
*** jgriffith has quit IRC21:31
*** Ephur has quit IRC21:31
*** shufflebot has quit IRC21:31
*** uvirtbot has quit IRC21:31
*** radez is now known as radez_g0n321:32
*** stevemar2 has quit IRC21:35
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Do not support toggling key_manglers in cache layer  https://review.openstack.org/10324721:37
openstackgerritA change was merged to openstack/python-keystoneclient: Session Adapters  https://review.openstack.org/8623721:41
openstackgerritA change was merged to openstack/python-keystoneclient: Make parameters in EndpointManager optional  https://review.openstack.org/10260221:41
*** dstanek is now known as dstanek_zzz21:42
*** rwsu has quit IRC21:49
openstackgerritayoung proposed a change to openstack/keystone-specs: endpoint policy  https://review.openstack.org/9984221:56
*** dstanek_zzz is now known as dstanek22:03
*** henrynash has quit IRC22:04
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Do not support toggling key_manglers in cache layer  https://review.openstack.org/10324722:06
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements  https://review.openstack.org/10180022:08
openstackgerritBrant Knudson proposed a change to openstack/keystone: Remove db, db.sqlalchemy from openstack-common.conf  https://review.openstack.org/10325122:10
openstackgerritBrant Knudson proposed a change to openstack/keystone: Sync with oslo-incubator e9bb0b59  https://review.openstack.org/10325222:10
openstackgerritBrant Knudson proposed a change to openstack/keystone: Update requirements to oslo.config>=1.4.0.0a1  https://review.openstack.org/10325322:10
openstackgerritBrant Knudson proposed a change to openstack/keystone: Use config fixture from oslo.config  https://review.openstack.org/10325422:10
openstackgerritBrant Knudson proposed a change to openstack/keystone: Remove fixture from openstack-common.conf  https://review.openstack.org/10325522:10
*** dstanek is now known as dstanek_zzz22:13
openstackgerritOpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/10140422:13
*** daneyon has joined #openstack-keystone22:38
*** daneyon has quit IRC22:38
*** daneyon has joined #openstack-keystone22:39
*** achampion has quit IRC22:49
*** dstanek_zzz is now known as dstanek22:51
*** elmiko is now known as _elmiko22:57
*** dstanek is now known as dstanek_zzz23:01
*** esp has joined #openstack-keystone23:05
*** david-lyle has quit IRC23:05
*** david-lyle has joined #openstack-keystone23:07
*** david-lyle has quit IRC23:11
*** bobt has quit IRC23:12
*** xianghui has joined #openstack-keystone23:18
*** dstanek_zzz is now known as dstanek23:30
*** openstackgerrit has quit IRC23:37
*** xianghui has quit IRC23:38
*** xianghui has joined #openstack-keystone23:50
*** daneyon has quit IRC23:51
*** rwsu has joined #openstack-keystone23:54
*** daneyon has joined #openstack-keystone23:54
*** zzzeek has quit IRC23:58
« Thursday, 2014-06-26 Index Saturday, 2014-06-28 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!