Thursday, 2014-08-28

[00:07] *** dims has quit IRC
[00:08] *** rm_work|away is now known as rm_work
[00:10] <openstackgerrit> Bob Thyne proposed a change to openstack/keystone: Implementation of Endpoint Grouping https://review.openstack.org/111949
[00:12] *** cjellick has quit IRC
[00:12] <openstackgerrit> Bob Thyne proposed a change to openstack/keystone: Implementation of Endpoint Grouping https://review.openstack.org/111949
[00:12] *** cjellick has joined #openstack-keystone
[00:14] *** bobt_ has quit IRC
[00:17] *** cjellick has quit IRC
[00:17] *** r-daneel has quit IRC
[00:19] *** amcrn has quit IRC
[00:19] <openstackgerrit> Morgan Fainberg proposed a change to openstack/keystone: Do not load auth plugins by class in tests https://review.openstack.org/117062
[00:21] <morganfainberg> jamielennox, do you *really* need a deleter?
[00:21] <morganfainberg> jamielennox, for auth_token in Access?
[00:22] <gyee> morganfainberg, jamielennox, I have a question on that patch as well
[00:22] <morganfainberg> gyee, see your comment, hadn't gotten that far yet :P
[00:22] <jamielennox> morganfainberg: probably not in terms of will it be used, however it's not good enough to set auth_token = None it needs to be done
[00:22] <gyee> seem kinda dangerous to allow both auth_token and token ID
[00:23] *** amerine has quit IRC
[00:24] <jamielennox> gyee: i hadn't seen your comment
[00:24] <gyee> jamielennox, refresh button :)
[00:25] <jamielennox> gyee: so take the PKI token case - what is token['token']['id'] ?
[00:25] <jamielennox> from memory it says 'stubbed' or something similar
[00:26] *** jimhoagland has joined #openstack-keystone
[00:26] <gyee> no, for v2, its a token hash I think
[00:27] <jamielennox> gyee: i should have double checked maybe there is a hack for this somewhere, but you can't put the hash of a token within a PKI token
[00:30] <gyee> jamielennox, https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L407
[00:31] *** amerine has joined #openstack-keystone
[00:31] <morganfainberg> jamielennox, it says placeholder
[00:32] <morganfainberg> jamielennox, if you cms decode a v2 PKI token
[00:32] <morganfainberg> gyee, ^
[00:32] <morganfainberg> gyee, keystone replaces the value in the validate step / store to persistence
[00:32] <jamielennox> just logged into 3 devstacks and i've got them all running UUIDs
[00:32] <morganfainberg> jamielennox, there is an active bug on it, but it's not "fixable"
[00:32] <morganfainberg> jamielennox, i mean... i could fix it and remove the id from the token data, but i think that is backwards incompatible
[00:32] <jamielennox> morganfainberg: right there's nothing we can do about it
[00:33] <gyee> jamielennox, oh, you mean local verify
[00:33] <morganfainberg> ['access']['token']['id'] = 'Sorry, we screwed up, don't use this value'
[00:34] <gyee> k, well can we at least check for 'placeholder'?
[00:34] <jamielennox> gyee: why?
[00:34] <jamielennox> it's available if not given otherwise use the override
[00:34] <jamielennox> because the place i want to use this most is in auth_token middleware
[00:34] <gyee> because we open it up for abuse
[00:34] <jamielennox> where i have the token already, it came via header
[00:34] <gyee> what if auth_token is not the same as token id and token id is not the special 'placeholder'?
[00:34] <morganfainberg> jamielennox, reminds me, we need to figure out how we're going to align KeystoneToken model and accessinfo
[00:34] <jamielennox> i don't want to rely on the value that came from verify the token i want to force set it
[00:35] <jamielennox> morganfainberg: i think we keep them separate
[00:35] <jamielennox> gyee: then something very wrong has happened in your verification
[00:36] <jamielennox> also we never document 'placeholder' it's just something that ends up in code
[00:36] <morganfainberg> jamielennox, i think we could extract the "go get stuff" logic out and get the two aligned using the same code
[00:36] <gyee> sheeeeit
[00:36] <morganfainberg> jamielennox, and then just layer the "go get stuff" logic in for use in keystoneclient / session
[00:37] <jamielennox> morganfainberg: so the AccessInfo in keystoneclient is not right
[00:37] <morganfainberg> jamielennox, that was the main reason i didn't use AccessInfo, i didn't want to get bound up trying to remove "go get stuff" logic and then waiting for a release to work on keystone
[00:37] <jamielennox> my concern is that we end up with keystone having issues and having to wait for the whole cycle of requirements to get fixes in
[00:37] <jamielennox> there are going to be very different requirements of the server side model
[00:37] <jamielennox> (to the point i'd love to have token.save())
[00:38] <morganfainberg> jamielennox, we already have some of that issue with cms
[00:38] <gyee> so what are we saying, allow override now and improve it later?
[00:39] <jamielennox> i see CMS as a view on the model, it doesn't impact AccessInfo and shouldn't on the server side
[00:39] <morganfainberg> gyee, allow override, when v2 tokens die (v2 api) we let that go away
[00:39] <jamielennox> morganfainberg: i think go independent for now and lets have a look at summit or so
[00:39] <morganfainberg> jamielennox, we use cms to sign
[00:39] <morganfainberg> jamielennox, and validate in the server
[00:39] * gyee puts a stick into the heart of v2
[00:39] <morganfainberg> jamielennox, in k1 we should look at extracting some of that stuff to a separate lib, then we can make ksc depend on it, and avoid circular deps in keystonemiddleware....
[00:39] <morganfainberg> or something
[00:40] <morganfainberg> though we might get shot by packagers
[00:40] <jamielennox> gyee: so the other side of this is that the Identity Plugins in auth use auth_ref.token_id as the value that they are going to put into the X-Auth-Token field
[00:40] <morganfainberg> for doing that again
[00:40] <jamielennox> gyee: that gets correctly set if 1) you load it directly from a response object (which we do in the plugins - but can't in auth_token) 2) you are using UUID
[00:41] <jamielennox> gyee: I want to pass a 'ready-to-go' plugin out of auth_token so the services can use it, but if i do it now then the services are going to end up with a 'placeholder' token value
[00:42] <jamielennox> gyee: so i need a way to override it and at least this way it's standard across UUID/CMS and v2/v3
[00:43] <gyee> jamielennox, k, lets do this
[00:43] <gyee> I don't see any good alternative right now
[00:43] <jamielennox> gyee: i don't know if it's any more open to abuse than it was before
[00:44] <jamielennox> gyee: the whole object is built on top of a dictionary so i could always have done something nasty like auth_ref['token']['id'] = 'whatever i want'
[00:44] <jamielennox> AccessInfo is one of those good ideas badly implemented, candidate for fixing in ksc2
[00:46] *** nkinder has joined #openstack-keystone
[00:47] <gyee> I think originally it was born out of convenience, then it morph into a standard interface for token
[00:48] <jamielennox> gyee: that could be the tagline for the whole keystoneclient
[00:50] <gyee> we just need to make it a rock solid standard
[00:59] * jamielennox just got completely surprised by someone asking about keystone and worker processes - completely missed that review
[01:00] <morganfainberg> jamielennox, yeah it's there
[01:00] <morganfainberg> jamielennox, but seriously: apache + mod_wsgi
[01:00] <jamielennox> i thought we were saying no to that and use apache
[01:00] <morganfainberg> that is my answer
[01:00] <morganfainberg> we don't gate on multi-eventlet workers
[01:01] <morganfainberg> there was some demand for it.
[01:01] <morganfainberg> it snuck in
[01:01] <morganfainberg> it's mostly harmless
[01:01] <morganfainberg> but i wouldn't recommend using it
[01:04] *** marcoemorais has quit IRC
[01:04] <gyee> jamielennox, +2 on the token override patch, will let morganfainberg do the honor :)
[01:04] <morganfainberg> gyee, oh go ahead if it has a +2
[01:04] <gyee> dinner bell is ringing for me
[01:04] <morganfainberg> gyee, i've not looked at it too in depth.
[01:05] <gyee> k, no turning back now
[01:05] <morganfainberg> if it's really solving an issue sounds reasonable to me.
[01:05] <gyee> till the next round of refactoring anyway :D
[01:05] <morganfainberg> gyee, phsaw, we have 10hrs before it'll get through gate... and we can always revert it :P
[01:05] *** dims has joined #openstack-keystone
[01:06] <jamielennox> yea, i was going to hold off til the gate cleared but i'm not going to get anything passed with that strategy
[01:06] <gyee> damn, missed topol's ping early
[01:06] * gyee hope he didn't get accuse of anything
[01:07] <jamielennox> gyee: version independent plugins have now made it to the top of the review queue
[01:08] <gyee> jamielennox, yeah, I am way behind on reviews, still working on internal user stories
[01:08] <gyee> I really really really fucking hate agile
[01:09] <jamielennox> that's fine, i'm behind on reviews as well
[01:09] *** dims_ has joined #openstack-keystone
[01:11] *** dims__ has joined #openstack-keystone
[01:11] *** dims has quit IRC
[01:12] *** zzzeek has quit IRC
[01:14] *** dims_ has quit IRC
[01:15] <morganfainberg> bknudson, ping would a NamedTuple solve your namespace request, i think that is *really* what we're looking for (both what I was aiming for and what you were suggesting with a namespace)
[01:15] <morganfainberg> bknudson, also buys us __iter__ for free, etc
[01:15] *** amerine has quit IRC
[01:16] <morganfainberg> except.... namedtuple isn't in py26 collections *grumble*
[01:17] <morganfainberg> or is it
[01:18] <morganfainberg> oh it is
[01:18] <morganfainberg> yay
[01:24] *** jimhoagland has quit IRC
[01:32] *** zzzeek has joined #openstack-keystone
[01:32] *** gyee has quit IRC
[01:35] *** zzzeek has quit IRC
[01:43] <openstackgerrit> Morgan Fainberg proposed a change to openstack/keystone: Notification cleanup: namespace actions https://review.openstack.org/117330
[01:49] <openstackgerrit> Morgan Fainberg proposed a change to openstack/keystone: Notification cleanup: namespace actions https://review.openstack.org/117330
[01:50] <openstackgerrit> Morgan Fainberg proposed a change to openstack/keystone: Comments to docstrings for notification emit methods https://review.openstack.org/117331
[01:50] <openstackgerrit> Morgan Fainberg proposed a change to openstack/keystone: Add commas for ease of maintenance https://review.openstack.org/117332
[01:59] <openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Allow providing an endpoint_override to requests https://review.openstack.org/117399
[02:00] *** yasukun has joined #openstack-keystone
[02:02] *** openstackgerrit has quit IRC
[02:02] *** openstackgerrit has joined #openstack-keystone
[02:03] <openstackgerrit> A change was merged to openstack/keystone: Update sample config https://review.openstack.org/117087
[02:13] *** dims__ has quit IRC
[02:14] *** dims has joined #openstack-keystone
[02:22] <openstackgerrit> OpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements https://review.openstack.org/111620
[02:45] *** stevemar has joined #openstack-keystone
[02:47] *** KanagarajM has joined #openstack-keystone
[02:52] *** zzzeek has joined #openstack-keystone
[02:53] *** yasukun has quit IRC
[02:54] *** yasukun has joined #openstack-keystone
[03:20] *** rm_work is now known as rm_work|away
[03:43] *** alex_xu has quit IRC
[03:45] *** zzzeek has quit IRC
[03:59] *** mitz_ has quit IRC
[03:59] *** mitz has joined #openstack-keystone
[04:17] *** dims has quit IRC
[04:20] *** amerine has joined #openstack-keystone
[04:29] *** bobt_ has joined #openstack-keystone
[04:31] *** ncoghlan has joined #openstack-keystone
[04:41] *** stevelle has quit IRC
[04:48] *** stevemar has quit IRC
[04:59] *** ncoghlan is now known as ncoghlan_afk
[05:03] *** bobt_ has quit IRC
[05:11] *** stevelle_ has joined #openstack-keystone
[05:18] *** dims has joined #openstack-keystone
[05:22] *** dims has quit IRC
[05:23] *** stevelle_ is now known as stevelle
[05:42] *** oomichi has quit IRC
[05:49] *** alex_xu has joined #openstack-keystone
[05:58] <openstackgerrit> Bob Thyne proposed a change to openstack/keystone: Implementation of Endpoint Grouping https://review.openstack.org/111949
[05:59] *** ukalifon1 has joined #openstack-keystone
[06:03] *** k4n0 has joined #openstack-keystone
[06:06] <openstackgerrit> OpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex https://review.openstack.org/111920
[06:09] *** amirosh has joined #openstack-keystone
[06:09] *** ncoghlan_afk is now known as ncoghlan
[06:16] *** wanghong has joined #openstack-keystone
[06:17] *** toddnni has quit IRC
[06:22] *** toddnni has joined #openstack-keystone
[06:38] <openstackgerrit> Kanagaraj Manickam proposed a change to openstack/keystone: Endpoint table is missing reference to region table https://review.openstack.org/113183
[06:41] *** afazekas has joined #openstack-keystone
[06:43] <ByteSore> hi people, got a question.. i've been testing a lot today with glance authentication.. i can't get it to work. when i run a glance index i'm getting an error in the api.log: NotAuthenticated: Authentication required i have the OS_USERNAME and all set to the right info. if i check it with swift the credentials do work.
[06:48] <openstackgerrit> Bob Thyne proposed a change to openstack/keystone: Implementation of Endpoint Grouping https://review.openstack.org/111949
[07:07] *** ncoghlan has quit IRC
[07:11] *** jaosorior has joined #openstack-keystone
[07:14] *** harlowja_ is now known as harlowja_away
[07:26] *** bvandenh has joined #openstack-keystone
[07:37] *** mflobo_ has joined #openstack-keystone
[07:41] *** mflobo has quit IRC
[07:58] *** ukalifon3 has joined #openstack-keystone
[07:59] *** ukalifon1 has quit IRC
[08:00] *** yasukun has quit IRC
[08:08] *** rushiagr_away is now known as rushiagr
[08:09] *** ajayaa has joined #openstack-keystone
[08:12] *** rushiagr is now known as rushiagr_away
[08:19] *** henrynash has joined #openstack-keystone
[08:21] *** boris-42 has quit IRC
[08:30] *** boris-42 has joined #openstack-keystone
[08:36] *** ukalifon3 has quit IRC
[08:36] *** jamielennox is now known as jamielennox|away
[08:37] *** ukalifon has joined #openstack-keystone
[08:50] *** mflobo_ has quit IRC
[08:50] *** mflobo has joined #openstack-keystone
[09:03] *** timmer has joined #openstack-keystone
[09:15] *** henrynash has quit IRC
[09:37] *** henrynash has joined #openstack-keystone
[09:47] *** oomichi has joined #openstack-keystone
[09:52] *** henrynash has quit IRC
[09:54] <openstackgerrit> Marcos Fermín Lobo proposed a change to openstack/python-keystoneclient: Attributes required using token for auth https://review.openstack.org/115228
[10:04] *** henrynash has joined #openstack-keystone
[10:13] *** henrynash has quit IRC
[10:20] *** alex_xu has quit IRC
[10:22] *** henrynash has joined #openstack-keystone
[10:25] *** diegows has joined #openstack-keystone
[10:28] *** alex_xu has joined #openstack-keystone
[10:31] *** roock has joined #openstack-keystone
[10:35] <roock> hello. I'm trying to get the keystone munin plugin running, but i'm getting an error https://gist.github.com/roock/4312b1d04ebe35e72e73 anyone who can help? thank you in advance!
[10:43] *** HenryG has quit IRC
[10:52] *** aix has joined #openstack-keystone
[11:01] *** KanagarajM has quit IRC
[11:35] *** f13o has joined #openstack-keystone
[11:36] <openstackgerrit> Razumovsky Peter proposed a change to openstack/keystone: Add a simple module to work with filters and DNs to LDAP backend https://review.openstack.org/117484
[11:39] *** henrynash has quit IRC
[11:52] *** HenryG has joined #openstack-keystone
[12:04] *** richm has joined #openstack-keystone
[12:06] *** afazekas has quit IRC
[12:14] <f13o> hi
[12:18] *** erecio has joined #openstack-keystone
[12:19] <mflobo> f13o, Hi!
[12:37] *** gordc has joined #openstack-keystone
[12:58] *** alex_xu has quit IRC
[13:00] *** jasondotstar has joined #openstack-keystone
[13:09] *** nkinder has quit IRC
[13:10] *** k4n0 has quit IRC
[13:11] *** ajayaa has quit IRC
[13:16] *** afazekas has joined #openstack-keystone
[13:20] *** oomichi has quit IRC
[13:22] <openstackgerrit> A change was merged to openstack/keystone: Remove assignment_api dependency on token_api https://review.openstack.org/115338
[13:23] <openstackgerrit> A change was merged to openstack/python-keystoneclient: Standardize AccessInfo token setting https://review.openstack.org/113415
[13:24] *** radez_g0` is now known as radez
[13:30] *** diegows has quit IRC
[13:32] <f13o> I am running keystone on icehouse, and client version 0.7.1
[13:32] <f13o> I source admin rc file
[13:32] <f13o> with OS_SERVICE_TOKEN and OS_SERVICE_ENDPOINT
[13:33] <f13o> keystone catalog
[13:33] <f13o> fails with: "'NoneType' object has no attribute 'has_service_catalog'"
[13:33] <f13o> If I unset OS_SERVICE_TOKEN and OS_SERVICE_ENDPOINT, keystone catalog succeeds, but...
[13:34] <f13o> keystone tenant-list then hangs... as my installation (Fuel based) has adminURL on internal non-accessible network (I am running from public network, remote host)
[13:35] <f13o> I've been browsing docs and google, but is the only solution to use different credentials (token and non-token) for different calls?
[13:42] *** joesavak has joined #openstack-keystone
[13:44] *** jsavak has joined #openstack-keystone
[13:46] *** afazekas has quit IRC
[13:48] *** joesavak has quit IRC
[13:50] *** zzzeek has joined #openstack-keystone
[13:54] *** bklei has joined #openstack-keystone
[13:56] *** ukalifon3 has joined #openstack-keystone
[13:56] *** ukalifon has quit IRC
[13:56] *** stevemar has joined #openstack-keystone
[14:00] *** gokrokve has joined #openstack-keystone
[14:03] *** andreaf has joined #openstack-keystone
[14:04] *** nkinder has joined #openstack-keystone
[14:04] *** diegows has joined #openstack-keystone
[14:05] <dstanek> f13o: sounds like a bug. can you file it on launchpad? be sure to say what version of the client you are using
[14:05] *** r-daneel has joined #openstack-keystone
[14:10] <f13o> done: https://bugs.launchpad.net/keystone/+bug/1362630
[14:10] <uvirtbot`> Launchpad bug 1362630 in keystone "keystone catalog command line fails with  "'NoneType' object has no attribute 'has_service_catalog'"" [Undecided,New]
[14:11] <lbragstad> nonameentername: I reviewed your change here and had one very minor comment https://review.openstack.org/#/c/116374/
[14:14] *** andreaf has quit IRC
[14:19] *** amerine has quit IRC
[14:19] *** david-lyle has joined #openstack-keystone
[14:20] *** topol has joined #openstack-keystone
[14:22] *** henrynash has joined #openstack-keystone
[14:23] *** Lordanat1 has joined #openstack-keystone
[14:28] *** andreaf has joined #openstack-keystone
[14:30] *** david-lyle has quit IRC
[14:30] *** david-lyle has joined #openstack-keystone
[14:33] <openstackgerrit> A change was merged to openstack/keystone: Add libxmlsec1 as external package dependency on OS X https://review.openstack.org/116907
[14:33] *** amerine has joined #openstack-keystone
[14:41] <openstackgerrit> Alexey Miroshkin proposed a change to openstack/keystone: Notify a consumer that all dependenices injected https://review.openstack.org/117523
[14:42] *** amirosh has quit IRC
[14:42] *** amirosh has joined #openstack-keystone
[14:43] *** andreaf has quit IRC
[14:43] *** andreaf has joined #openstack-keystone
[14:46] *** bklei has quit IRC
[14:47] *** bklei has joined #openstack-keystone
[14:47] *** amirosh has quit IRC
[14:48] *** bobt_ has joined #openstack-keystone
[14:48] *** bklei has quit IRC
[14:49] *** bklei has joined #openstack-keystone
[14:52] *** cjellick has joined #openstack-keystone
[14:54] *** andreaf has quit IRC
[14:54] *** andreaf has joined #openstack-keystone
[14:58] *** diegows has quit IRC
[14:59] *** jorge_munoz has joined #openstack-keystone
[14:59] *** ukalifon3 has quit IRC
[14:59] *** cjellick has quit IRC
[15:00] *** cjellick has joined #openstack-keystone
[15:07] *** jsavak has quit IRC
[15:07] *** joesavak has joined #openstack-keystone
[15:10] *** joesavak has joined #openstack-keystone
[15:13] *** jsavak has joined #openstack-keystone
[15:17] *** joesavak has quit IRC
[15:28] *** HenryG has quit IRC
[15:36] *** cjellick has quit IRC
[15:37] *** cjellick has joined #openstack-keystone
[15:37] <morganfainberg> dolphm, oops, the join(str(a) for a in Actions) is superfluous
[15:37] <morganfainberg> dolphm, join(Actions) should be sufficient as those are all strings anyway
[15:38] *** gokrokve_ has joined #openstack-keystone
[15:41] *** cjellick has quit IRC
[15:41] *** gokrokve has quit IRC
[15:43] *** jimhoagland has joined #openstack-keystone
[15:47] *** gyee has joined #openstack-keystone
[15:48] *** david-ly_ has joined #openstack-keystone
[15:49] <openstackgerrit> henry-nash proposed a change to openstack/keystone: Add index for actor_id in assignments table. https://review.openstack.org/117541
[15:51] *** david-lyle has quit IRC
[15:51] *** wwriverrat has joined #openstack-keystone
[15:52] *** wwriverrat has left #openstack-keystone
[15:54] <openstackgerrit> werner mendizabal proposed a change to openstack/keystone: Set revoke_api attribute to None on provider object https://review.openstack.org/116374
[15:54] <openstackgerrit> Bob Thyne proposed a change to openstack/keystone: Implementation of Endpoint Grouping https://review.openstack.org/111949
[16:03] <XEye> Hi, all! I'm a newbie here and i'd like to have one my very own bug to start contributing. How about https://bugs.launchpad.net/keystone/+bug/1336769? May I have it please? :)
[16:03] <uvirtbot`> Launchpad bug 1336769 in keystone "LDAP additional attribute mappings do not care about model attribute" [Low,New]
[16:06] *** jraim__ has quit IRC
[16:06] *** erecio has quit IRC
[16:06] *** jraim_ has joined #openstack-keystone
[16:08] <openstackgerrit> Bob Thyne proposed a change to openstack/keystone: Implementation of Endpoint Grouping https://review.openstack.org/111949
[16:09] <morganfainberg> XEye, Feel free to grab the bug and start working on it. :) make sure you've read the wiki on how to contribute https://wiki.openstack.org/wiki/How_To_Contribute
[16:09] <morganfainberg> XEye, we're always happy to have people jump in and help us out!
[16:10] <morganfainberg> XEye, and welcome!
[16:11] *** xianghui has quit IRC
[16:11] <openstackgerrit> Morgan Fainberg proposed a change to openstack/keystone: Cleanup superfluous string comprehension and coersion https://review.openstack.org/117552
[16:11] *** diegows has joined #openstack-keystone
[16:13] *** erecio has joined #openstack-keystone
[16:19] <XEye> <morganfainberg>, thank you :)
[16:19] *** rm_work|away is now known as rm_work
[16:21] <dstanek> XEye: welcome!
[16:23] <morganfainberg> dstanek, i feel silly
[16:23] <dstanek> morganfainberg: why is that?
[16:23] <morganfainberg> i missed a useless use of list comprehension when cleaning up a patch: https://review.openstack.org/#/c/117552/
[16:24] * morganfainberg hangs head in shame.
[16:24] <morganfainberg> :P
[16:25] <dstanek> morganfainberg: :-) happens to the best of us
[16:25] <morganfainberg> dstanek, though i'm digging named tuples
[16:26] *** elmiko has joined #openstack-keystone
[16:26] <elmiko> hey folks, has there been any backport of the domain or trust scoping into the v2 rest api? (e.g. could i supply a domain for a user in a v2 call?)
[16:27] *** bklei_ has joined #openstack-keystone
[16:29] *** bklei has quit IRC
[16:29] <morganfainberg> elmiko, domains are a v3 concept, so you can't scope to a domain in v2.
[16:30] *** david-ly_ is now known as david-lyle
[16:30] <morganfainberg> elmiko, and v2 is effectively a frozen API we're trying to get everyone to move towards v3, so i don't expect porting extra functionality back to it.
[16:31] <morganfainberg> dstanek, so domain scoped token request to nova, looks sane to me: http://paste.openstack.org/show/101486/ probably should document it though
[16:31] *** diegows has quit IRC
[16:31] <elmiko> morganfainberg: thanks, i really want to use v3 but i'm working with some old code. looks like it's time to pull out the upgrade hammer ;)
[16:31] <morganfainberg> dstanek, unless that much data poses a security risk?
[16:31] <morganfainberg> elmiko, :) sure thing! happy to help
[16:32] <morganfainberg> nkinder, ^ what i posed to dstanek. using a domain scoped token to nova.
[16:32] *** joesavak has joined #openstack-keystone
[16:32] *** jsavak has quit IRC
[16:32] <dstanek> morganfainberg: your worried about the contents of that message?
[16:32] <morganfainberg> dstanek, not worried just 2x checking
[16:32] <dstanek> wow...my grammer sucks
[16:33] <morganfainberg> i don't see any reason it would be an issue
[16:33] <morganfainberg> but... no coffee and need to run off to an appointment
[16:33] *** gokrokve has joined #openstack-keystone
[16:33] <dstanek> morganfainberg: i don't see any issue with having the project_id since it's now any kind of pii
[16:33] <morganfainberg> so i'm not trusting my gut check on security related
[16:33] <morganfainberg> thats kindof my thought
[16:34] <morganfainberg> but that seems *quite* reasonable and requires no changes on our part
[16:34] <morganfainberg> that is an out-of-the-box devstack
[16:35] *** marcoemorais has joined #openstack-keystone
[16:36] *** gokrokve_ has quit IRC
[16:37] <morganfainberg> dstanek, so yay all my patches are (all the important ones) are in gate
[16:37] <morganfainberg> dstanek, time to get the reviews up so we can get the rest of everything in before FF
[16:37] *** gokrokve has quit IRC
[16:38] <morganfainberg> dstanek, though, be back in a bit, need to head off to an appointment
[16:38] *** gokrokve has joined #openstack-keystone
[16:40] *** aix has quit IRC
[16:42] *** jsavak has joined #openstack-keystone
[16:43] *** bvandenh has quit IRC
[16:43] *** gokrokve has quit IRC
[16:43] *** andreaf_ has joined #openstack-keystone
[16:44] *** bobt_ has quit IRC
[16:44] *** andreaf has quit IRC
[16:45] <dolphm> lbragstad: dstanek: can one of ya'll confirm that the patches listed for v3 api validation on https://gist.github.com/dolph/651c6a1748f69637abd0 are the only ones that need to merge?
[16:45] *** joesavak has quit IRC
[16:47] <dstanek> dolphm: that looks correct to me
[16:48] *** xianghui has joined #openstack-keystone
[16:50] <dolphm> dstanek: do they need to merge in that order? or can they be parallelized any further?
[16:51] <dolphm> dstanek: it seems reasonable, i just wanted to check
[16:51] *** gyee has quit IRC
[16:51] *** jsavak has quit IRC
[16:52] <dstanek> I think they need to merge in that order - they add depend on the same import being added
[16:52] <dstanek> oh, and they all basically append more tests to the same file
[16:54] <dolphm> dstanek: oh yeah, that'd be a pain
[16:54] <raildo> dolphm: Could you create a branch for hierarchical projects? I do not have permission to do this. https://wiki.openstack.org/wiki/GerritJenkinsGit#Create_proposed.2F.2A_Branch
[16:54] <dolphm> raildo: YES! thanks for reminding me
[16:55] <raildo> dolphm: :D
[16:55] *** joesavak has joined #openstack-keystone
[16:55] <morganfainberg> raildo, ack! sorry i meant to check on that yesterday afternoon for you!
[16:55] <morganfainberg> raildo, sorry!!
[16:55] <raildo> morganfainberg: no problem
[16:56] *** lsmola has quit IRC
[16:58] <dolphm> raildo: it looks like i don't have permission to do so either :( i'll ping ttx and ensure it gets created
[16:58] <dolphm> raildo: there should be a field for a new branch on https://review.openstack.org/#/admin/projects/openstack/keystone,branches
[16:59] <raildo> dolphm: sounds good to me, thank you!
[17:01] *** gokrokve has joined #openstack-keystone
[17:01] <morganfainberg> dolphm, i need to take off (appt to run to) but, https://bugs.launchpad.net/python-keystoneclient/+bug/1360892 this bug looks correct, i didn't get a chance to dig into it yesterday, i *think* we'll want to get this in for the next ksc release. but it is one of those ones i want to doubly be sure we don't accidentally break something in the process.
[17:01] <uvirtbot`> Launchpad bug 1360892 in python-keystoneclient "EC2 v4 signature calculation is wrong, in case of request is POST" [Undecided,In progress]
[17:02] <dolphm> morganfainberg: ack
[17:03] *** harlowja_away is now known as harlowja_
[17:04] *** harlowja_ is now known as harlowja_away
[17:09] *** harlowja_away is now known as harlowja_
[17:09] *** andreaf_ has quit IRC
[17:10] *** andreaf_ has joined #openstack-keystone
[17:14] *** edmondsw_ has joined #openstack-keystone
[17:15] <dstanek> is http://git.openstack.org/cgit/openstack/identity-api/tree/v3/src/markdown/identity-api-v3.md officially published somewhere?
[17:16] <bknudson> dstanek: yes, at http://git.openstack.org/cgit/openstack/identity-api/tree/v3/src/markdown/identity-api-v3.md
[17:16] <dstanek> i just found this: http://docs.openstack.org/api/openstack-identity-service/3/content/openstack-identity-api-v3.html
[17:17] *** RicoLin has quit IRC
[17:17] <dstanek> so what is this? http://developer.openstack.org/api-ref-identity-v3.html
[17:17] <bknudson> dstanek: WADLs
[17:17] *** erecio has quit IRC
[17:17] <bknudson> and it's also out of date
[17:18] <dstanek> ah, that's why it's practically useless. thanks!
stevemardolphm, so is FF going to be extended because jenkins/zuul shutdown?17:22
bknudsonisn't it down for about 30 mins?17:22
dolphmstevemar: shutdown? or just minor downtime17:22
dolphmstevemar: and probably not17:23
henrynashkanagarajM: ping17:23
*** diegows has joined #openstack-keystone17:23
henrynashdolphm: do you think we need to retain the trusts kvs backend?  I didn’t mark that one…wonder if I should?17:24
dolphmhenrynash: yes, deprecate them all except token :)17:25
henrynashdolphm: Ok….the templated catalog depends on catalog kvs17:25
dolphmstevemar: you're just talking about renaming glance?17:26
henrynashdolphm: I wasn’t sure if people wanted to keep the templated catalog17:26
dolphmhenrynash: ooh, that's an interesting one...17:26
dolphmhenrynash: people do use it, but not kvs directly afaik17:26
bknudsonI think jaypipes would complain if it wasn't supported17:26
henrynashdolphm: that’s what I thought17:26
dolphmbknudson: rax private cloud found a use for it as well, last i heard. but it was broken, so they went with sql17:27
bknudsonwell, other than it's broken it's a great choice.17:27
raildohenrynash:  I'm a little worried about the amount of patches about hierarchical projects and the deadline for featureFreeze.17:27
bknudsonit's easy to configure devstack for templated backend so maybe we could have a test run of it.17:28
raildohenrynash: Although the implementation is almost ready, we still need some code reviews :(  Is there anything that I can do to speed up this process?17:28
henrynashraildo: indeed17:28
dolphmraildo: moving to a feature branch means we don't have to worry about feature freeze for the moment17:28
raildodolphm: great :)17:29
lbragstaddolphm: those are the correct api validation patches https://gist.github.com/dolph/651c6a1748f69637abd017:29
dolphmhenrynash: i've always felt that the templated driver should just be the kvs driver with a different __init__ (populate a standard kvs driver from a file)17:29
raildodolphm: i did not know that17:29
lbragstadthe trust one is in rough shape because the validation blows up on the test_v3_auth.py unit tests. I opened a bug for that17:29
dolphmraildo: we don't use feature branches very often - but this is a great use case for one17:29
henrynashdolphm: let me have a look at it17:29
openstackgerritRodrigo Duarte proposed a change to openstack/keystone: Improve list role assignments filters performance  https://review.openstack.org/11668217:30
openstackgerritRodrigo Duarte proposed a change to openstack/keystone: Base methods to handle hierarchical projects  https://review.openstack.org/11184117:30
openstackgerritRodrigo Duarte proposed a change to openstack/keystone: Add parent_project_id field  https://review.openstack.org/11184017:30
openstackgerritRodrigo Duarte proposed a change to openstack/keystone: Inherited roles to projects  https://review.openstack.org/11692117:30
openstackgerritRodrigo Duarte proposed a change to openstack/keystone: Create, update and delete hierarchical projects  https://review.openstack.org/11184217:30
dolphmraildo: emailed ttx btw17:31
raildodolphm: With this I am relieved, thank you17:31
henrynashanyone know how to check if an index exists in sqlalchemy?17:32
dolphmraildo: when it's available on github, you'll be able to `git review feature/hierarhical-multitenancy` to submit patches to the new branch in gerrit. then, just abandon all the ones on master17:32
raildook, we'll do that!17:33
*** cjellick has joined #openstack-keystone17:34
gabriel-bezerrawho has worked with the implementation of the ldap identity backend?17:35
*** cjellick has quit IRC17:35
Haneefdolphm:  keystone identity-api ( domain/user/project) will work only with domain scoped token as per v3 policy file. It can work with either domain scope or project scope with  v2 policy file?  What is the recomended scope going forward?17:35
gabriel-bezerraam I going to have to register the services' accounts on ldap if I use that backend?17:35
*** cjellick has joined #openstack-keystone17:36
openstackgerrithenry-nash proposed a change to openstack/keystone: Add index for actor_id in assignments table.  https://review.openstack.org/11754117:36
*** andreaf_ has quit IRC17:36
*** andreaf has joined #openstack-keystone17:37
*** ukalifon1 has joined #openstack-keystone17:37
*** shakamunyi has joined #openstack-keystone17:41
*** arunkant_work has joined #openstack-keystone17:43
*** bklei_ has quit IRC17:46
*** andreaf has quit IRC17:47
*** andreaf has joined #openstack-keystone17:47
henrynashHaneef: what’s a “v2 policy file”?17:48
david-lylehenrynash: current default17:49
HaneefYes17:50
*** amcrn has joined #openstack-keystone17:51
henrynashdavid_lyle: ah, well that’s not really a v2 policy file (since v2 didn’t have RBAC)…it's a v3 policy file suitable for simple deployments where there is central admin for everything17:51
HaneefThe problem is heat is creating user from the code and it is using project scoped token. Due to this we can't move to v3 policy file which expects domain scoped for create_user17:51
david-lylehenrynash: understood, I just knew what Haneef was referring to17:51
*** andreaf has quit IRC17:51
*** ukalifon1 has quit IRC17:52
david-lylefor HP v3 is really all about domains17:52
david-lylehence v3 policy vs v2 (current)17:52
david-lylenot accurate nomenclature, just what has been used17:52
henrynashHaneef, david-lyle: well, there are two choices….you can change the policy file…or use a domain token…:-)17:53
HaneefI agree I will rephrase it.  -- for create_user operation -- should the token be scoped to domain or project. Assuming I'm creating user using v3 api17:53
david-lyledomain information is not properly added into the credentials used to check policy without a domain scoped token17:53
henrynashHaneef: so remember the policy file is an example to what we anticipate people will do with delegation of admin with multiple domains17:54
*** andreaf has joined #openstack-keystone17:54
david-lyleper comments on a recent review -2, that was by design17:54
henrynashHaneef: but it does indeed seem sensible to me that most people would use a domain scoped token to ensure you had permission to create users in that domain17:54
Haneefhenrynash: I agree but  people can't do that, if one of the core services is not using that way.17:55
henrynashHaneef: which core service17:55
Haneefheat17:55
henrynashHaneef: we need to change Heat then17:55
david-lylehttps://bugs.launchpad.net/keystone/+bug/133855017:56
uvirtbot`Launchpad bug 1338550 in keystone "V3 API project/user/group list  only work with domain scoped token" [Undecided,Invalid]17:56
henrynashHaneef: otherwise we throw multi-domain RBAC out the window17:56
*** morganfainberg is now known as morganfainberg_Z17:57
Haneefhenrynash: I agree with you. I will file a defect against heat referencing this  bug. Let me see what is their response17:57
henrynashdavid-lyle: btw, as to your comment in the bug, a user CAN read THEIR user record17:58
henrynashdavid-lyle: and I think we could tweak it so that they could list the groups they are a member of17:59
david-lylehenrynash: ok, I'll dig in again18:01
*** cjellick has quit IRC18:02
*** cjellick_ has joined #openstack-keystone18:02
gabriel-bezerraHi! Am I going to have to register the services' accounts on my LDAP server if I use it as identity backend?18:02
*** cjellick_ has quit IRC18:06
*** andreaf has quit IRC18:15
*** andreaf has joined #openstack-keystone18:19
*** bklei has joined #openstack-keystone18:21
*** gyee has joined #openstack-keystone18:21
*** andreaf has quit IRC18:29
openstackgerritA change was merged to openstack/keystone: Mark kvs backends as deprecated, for removal in Kilo.  https://review.openstack.org/11728818:35
*** rm_work is now known as rm_work|away18:37
dstanekdolphm, lbragstad : you guys around?18:39
lbragstaddstanek: yep18:40
dstaneki was thinking that it would be nice for all of the ID fields to eventually be string_id instead of just strings - that would mean that we'd have to have some last commit that doesn't exist yet to make that change18:41
dstanekthoughts?18:41
lbragstaddstanek: that would work18:41
dstaneki made a change locally to do that, but i can't do anything with it until things merge18:42
*** jaosorior has quit IRC18:42
dstaneki merged all of the commit in my local repo to make the change18:42
lbragstaddstanek: cool, and everything worked fine?18:43
dstaneklbragstad: yes, looks good18:51
lbragstaddstanek: sweet18:52
lbragstadthe trust stuff is still broken I think18:52
lbragstadstill digging into that18:52
*** amirosh has joined #openstack-keystone18:53
dstaneklbragstad: why did you have to manually add id here? https://review.openstack.org/#/c/98522/16/keystone/tests/test_v3_identity.py18:56
lbragstaddstanek: checking18:58
*** jimhoagland_ has joined #openstack-keystone19:00
dstanekstevemar: yt?19:09
*** amerine has quit IRC19:09
stevemardstanek, ahoy19:09
Haneefhenrynash:  Do you have any insight on this defect?  https://bugs.launchpad.net/keystone/+bug/1361306. Any reason why  we don't use mapping.19:09
uvirtbot`Launchpad bug 1361306 in keystone "Keystone doesn't handle user_attribute_id mapping" [Undecided,New]19:09
dstanekstevemar: is there an identity-api change to document the region.url?19:09
stevemardstanek, there is19:09
lbragstaddstanek: I'm not entirely sure why that's there/19:09
lbragstadthe new_credentials_ref() doesn't really need to call new_ref() though,19:10
lbragstadsince it doesn't share a lot of the same attributes19:10
henrynashHaneef: no, not sure…seems odd…I’d have to dig in to it…but a bit busy right now19:10
stevemardstanek, URL to region -> https://review.openstack.org/#/c/114118/19:10
stevemardstanek, route for exchanging token for saml -> https://review.openstack.org/#/c/113998/19:11
dstanekstevemar: thx19:11
stevemardstanek, np, thanks for looking at it :)19:11
stevemari'll be here if you have any questions!19:11
henrynashdstanek: quite a few tests for some reason create a random ID and THEN call a xxxx_new_ref() call19:11
stevemardstanek, i'm working on brants comments to the first patch of the k2k chain https://review.openstack.org/#/c/110542/ going to try to make the tests a bit better19:12
henrynashdtsanek: I’ve been trying to remove them wherever I see them19:12
*** amerine has joined #openstack-keystone19:27
dstanekhenrynash: nice. once we get past FF i have a bunch of stuff to push up for review related to fixing our tests19:28
*** openstackgerrit has quit IRC19:31
*** openstackgerrit has joined #openstack-keystone19:32
*** jsavak has joined #openstack-keystone19:33
*** joesavak has quit IRC19:34
lbragstaddstanek: I think it was because of earlier implementations19:34
lbragstadhttps://review.openstack.org/#/c/98522/11/keystone/tests/test_v3.py19:34
marcoemoraishello I am integrating keystone with openldap backend and I am running into the same issue as Yanping https://lists.launchpad.net/openstack/msg16482.html19:36
marcoemoraisI don't want to have to redefine the schema in my deployment so I am trying to extend groupOfNames to add an enabled attribute (and description as well, though that might not be needed), here is the ldif https://gist.github.com/marcoemorais/4ce65a7e12fbb8105d2a19:36
marcoemoraissince I am an LDAP newbie could someone help me to let me know whether what I am trying to do is recommended approach?19:36
marcoemoraisin case it helps here is logging output from keystone which shows the UNDEFINED_TYPE error {'info': 'enabled: attribute type undefined', 'desc': 'Undefined attribute type'}19:37
marcoemoraishttps://gist.github.com/marcoemorais/9ff2ffa41f453a1aaeac19:37
openstackgerritDavid Stanek proposed a change to openstack/identity-api: Updated required attributes for region  https://review.openstack.org/11759919:37
stevemardstanek, lbragstad bknudson could one of you +2/+A this guy: https://review.openstack.org/#/c/117157/ Ajaeger said it was the last one on his list19:38
bknudsonstevemar: this looks like we don't need docutils at all anymore.19:39
dstanekstevemar: bknudson: done - we don't need it. sphinx will bring it in for us19:41
bknudsonah, ok.19:41
openstackgerritA change was merged to openstack/keystone-specs: Remove docutils pin  https://review.openstack.org/11715719:41
dstanekthere was some issue that made us require a specific version19:41
dstanekwow...why can't keystone be that fast19:41
bknudsonit can19:42
dstanekthat would be unreal19:43
*** dims has joined #openstack-keystone19:46
openstackgerritAlexey Miroshkin proposed a change to openstack/keystone: Notify a consumer that all dependenices injected  https://review.openstack.org/11752319:47
*** amirosh has quit IRC19:50
*** amirosh has joined #openstack-keystone19:50
*** dims has quit IRC19:53
*** amirosh has quit IRC19:55
openstackgerritLance Bragstad proposed a change to openstack/keystone: Implement validation on the Catalog V3 API  https://review.openstack.org/9626620:10
dolphmdstanek: +2'd on your -1 https://review.openstack.org/#/c/104065/20:10
openstackgerritLance Bragstad proposed a change to openstack/keystone: Implement validation on Credential V3  https://review.openstack.org/9852220:10
*** joesavak has joined #openstack-keystone20:11
stevemardstanek, we're making description required for regions?20:14
*** jsavak has quit IRC20:14
dstanekstevemar: oops i forgot to leave a comment after i posted that20:14
dstanekstevemar: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/catalog/backends/sql.py#n2920:14
dstanekdolphm: i think that might need to change anyway, but i'd be happy to follow it up with another patch20:16
dolphmstevemar: ? description shouldn't be required20:16
dolphmdstanek: what needs to change?20:16
dstanekstevemar: WIPed it so that i can write a test first20:18
stevemardolphm, referring to this: https://review.openstack.org/#/c/117599/1/v3/src/markdown/identity-api-v3.md20:18
stevemaralrighty20:18
dstanekdolphm: it's based on outdated reviews20:20
dolphmdstanek: so abandon that identity api change ^ ?20:21
dolphmdstanek: before i -1 it? :)20:21
*** Dafna has quit IRC20:23
dstanekdolphm: is it not actually required?20:23
dolphmdstanek: i don't see why it should be20:24
dolphmdstanek: don't we set it to an empty string if it's not provided at the api layer?20:24
dstanekdolphm: not sure looking for that now20:24
dolphmlbragstad: i think you wrote that ^20:25
dolphmdstanek: in the manager layer for create_region20:25
lbragstadyeah20:25
lbragstadthat was when we were fixing a bug that required a migration for the regions table20:26
openstackgerritBrad Topol proposed a change to openstack/keystone: Add audit support to keystone federation  https://review.openstack.org/11433720:26
lbragstadhttps://github.com/openstack/keystone/blob/master/keystone/catalog/core.py#L98-L10120:26
lbragstadif `description` isn't provided in the reference, it gets set to an empty string in the manager20:26
dolphmdstanek: i.e. it's optional in the API definition ^20:27
lbragstadyep20:27
dstaneklbragstad: yes i found it and already abandoned the review20:27
lbragstadit's *not* optional at the backend/db layer, but it should never get that far being null20:27
dolphmdstanek: with jsonschema, what happens if you make it required but have a default value of '' ?20:27
lbragstaddolphm: that should still be valid unless you do something like make it match a pattern20:28
dolphmand validate it as a string, of course20:28
lbragstadthe pattern being a regex or something, or set min and max length20:28
dolphmlbragstad: all descriptions should start with a capital letter and end in a period and make subtle references to can haz memes #regexthat20:29
lbragstad++20:29
dolphmlbragstad: minLength = 0, maxLength = 255?20:29
dolphmbut really it's a backend limitation20:29
dolphmi don't know that the api should care20:29
dolphmexcept in the case of IDs20:30
dolphmcause those are portable across projects and whatnot20:30
openstackgerritDavid Stanek proposed a change to openstack/keystone: Update region with a null description should 400  https://review.openstack.org/11761120:31
dstanekdolphm, lbragstad: see that one ^20:32
dstaneki like using numbers as verbs!20:34
lbragstadthe funny thing is that it's perfectly acceptable in this case :)20:34
dstaneki guess the fix would be as simple as copying the block from create to update20:37
lbragstaddstanek: so `name` isn't here https://review.openstack.org/#/c/96266/31/keystone/catalog/schema.py20:38
lbragstadbut it also doesn't have a dedicated column here http://git.openstack.org/cgit/openstack/keystone/tree/keystone/catalog/backends/sql.py#n5520:38
lbragstadso, we will add it to the services properties because the docs specify it20:39
dstaneklbragstad: but i think we should still validate it to some extent20:39
lbragstaddstanek: I agree20:39
dstaneklbragstad: the nice thing about having jsonschema is that it could act as machine readable documentation20:39
lbragstadyeah20:40
lbragstaddstanek: i'll add `name` to the service_properties and use the name parameter type, so that should take care of the second comment20:41
dstaneklbragstad: i was just comparing the schema to the docs and the sql backends20:41
lbragstadthat's good, because I missed a couple things20:42
*** fifieldt_ has quit IRC20:42
dstanekit wasn't fun :-(  very tedious20:42
lbragstaddstanek: should we just use parameter_type.name for service.type?20:43
lbragstada service['type'] shouldn't be 0 or greater than 25520:43
lbragstadand it's of type string, so...20:44
dstaneklbragstad: no i'd rather add a new name - otherwise it's confusing20:44
dstanekor you can do it inline until there is a reason to add a new name20:44
lbragstadok20:44
bknudsonthere must be some weird thing happens when the tests run... seems like it uses the keystoneclient from .tox/py27 for  some and then switches to the installed one.20:44
bknudsonprobably something with loading / unloading keystoneclient for the client tests.20:45
dstaneki suspect that's part of the issue with name in general. name has different sizes in different models20:45
dolphmbknudson: uh oh20:45
dstanekbknudson: likely something wonky in the magic20:45
dolphmbknudson: the unit test jobs in the gate won't have one pre-installed though, right?20:46
dolphmbknudson: (you're just seeing a local behavior?)20:46
bknudsonthat's possible... not sure how the unit tests jobs are set up.20:46
bknudsonshould be easy enough to uninstall local keystoneclient and see.20:47
dstaneklbragstad: did you forget to 'git add' the schema?20:48
dstanekor is that in a future push?20:49
lbragstaddstanek: ... for which commit?20:49
dstanekthe catalog one i think20:49
dstanekyes, that one20:49
lbragstaddstanek: I pushed a change to the credential patch before seeing your comments on the catalog schema20:50
lbragstadso this https://review.openstack.org/#/c/96266/32/keystone/catalog/schema.py20:50
lbragstadit's the latest version,20:50
lbragstadadding some tests to the catalog schema patch right now and I'll push20:51
lbragstaddstanek: should we have a list of invalid and valid url types for testing?20:51
bknudsondolphm: btw, you weren't kidding about needing some docstrings in keystoneclient.common.cms.20:52
*** rm_work|away is now known as rm_work20:52
dolphmbknudson: i started writing a patch that just adding a bunch of FIXME's where documentation was necessary and mixing, but it got to be ridiculous20:53
dolphmand missing*20:53
*** radez is now known as radez_g0n320:54
bknudsonkeystone calls half of the functions in there20:54
bknudsonI did `sudo rm -r /usr/local/lib/python2.7/dist-packages/python-keystoneclient.egg-link` and now the tests pass with my patched .tox/py27/keystoneclient20:56
dstaneklbragstad: cool, i may not be here to review it until late tonight - got a 'meet the teach' and then a Browns game20:56
bknudsonso I think there is something happening when the tests run.20:56
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: token signing support alternative message digest  https://review.openstack.org/11737220:56
lbragstaddstanek: no worries, I'll have a new patch up within the hour20:57
lbragstadreview it whenever you're free to do so20:57
openstackgerritBrant Knudson proposed a change to openstack/keystone: Configurable PKI token signature digest  https://review.openstack.org/11738020:57
*** fifieldt_ has joined #openstack-keystone20:59
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: token signing support alternative message digest  https://review.openstack.org/11737221:01
*** amerine_ has joined #openstack-keystone21:02
*** amerine has quit IRC21:02
*** andreaf has joined #openstack-keystone21:06
*** cjellick has joined #openstack-keystone21:06
*** jsavak has joined #openstack-keystone21:13
*** cjellick_ has joined #openstack-keystone21:14
*** cjellick has quit IRC21:14
*** topol has quit IRC21:16
*** joesavak has quit IRC21:16
*** dhellmann is now known as dhellmann_21:17
openstackgerritSteve Martinelli proposed a change to openstack/identity-api: Update region entries to include URLs  https://review.openstack.org/11411821:17
stevemardolphm, dstanek ^21:18
*** bklei has quit IRC21:22
*** jsavak has quit IRC21:23
openstackgerritLance Bragstad proposed a change to openstack/keystone: Implement validation on the Catalog V3 API  https://review.openstack.org/9626621:26
*** sagara has joined #openstack-keystone21:34
*** andreaf has quit IRC21:37
*** andreaf has joined #openstack-keystone21:37
*** nkinder has quit IRC21:39
*** andreaf has quit IRC21:43
*** wwriverrat has joined #openstack-keystone21:44
*** erecio has quit IRC21:57
*** amcrn has quit IRC22:08
*** amcrn has joined #openstack-keystone22:14
*** amcrn has quit IRC22:17
*** henrynash has quit IRC22:20
*** gordc has quit IRC22:26
*** jimhoagland has quit IRC22:27
*** jimhoagland_ is now known as jimhoagland22:27
*** stevemar has quit IRC22:27
*** bobt has joined #openstack-keystone22:27
*** sagara has quit IRC22:33
*** morganfainberg_Z is now known as morganfainberg22:34
*** henrynash has joined #openstack-keystone22:36
gyeebknudson, can you wait in on this one? https://bugs.launchpad.net/keystone/+bug/136130622:39
uvirtbot`Launchpad bug 1361306 in keystone "Keystone doesn't handle user_attribute_id mapping" [High,Confirmed]22:39
openstackgerritBob Thyne proposed a change to openstack/keystone: Implementation of Endpoint Grouping  https://review.openstack.org/11194922:40
gyeejust to make sure I wasn't smoking somethin22:40
*** wwriverrat has left #openstack-keystone22:40
gyees/wait/weight/22:40
bknudsongyee: I was already waiting.22:40
gyeeha22:41
bknudsonthe bug just points to some code but doesn't say what issue is that it causes.22:42
gyeeproblem is we are ignoring the user_id_attribute map22:42
gyeewe always take the leftmost RDN as the id22:42
gyeethat's dangerous assumption22:43
bknudsonso we've got an option and it doesn't do anything?22:43
gyeethat lead to ID conflict22:43
*** henrynash has quit IRC22:43
gyeesay I have uid=gyee,ou=marketing,dc=acme,dc=com and uid=gyee,ou=dev,dc=acme,dc=com22:43
gyeetwo different person, same ID22:44
openstackgerritBob Thyne proposed a change to openstack/keystone: Implementation of Endpoint Grouping  https://review.openstack.org/11194922:44
bknudsongyee: you're asking for it if you do that! We already say IDs have to be unique.22:44
gyeewe've got to be flexible to allow user_id_attribute map to something that is globally unique22:44
bknudsonoh, so you're trying to make it unique by picking a different attributes22:44
bknudsonattribute22:44
gyeebknudson, say my email is globally unique22:45
bknudsonput the email in the DN22:45
gyeeif I set user_id_attribute = emial22:45
gyeebut we are dealing with read-only LDAPs22:45
gyeecustomers ain't going to remodel their garage in order to buy our car :)22:45
bknudsongyee: we do actually use user_id_attr...22:46
bknudsonhttps://github.com/openstack/keystone/blob/master/keystone/common/ldap/core.py#L124722:47
gyeebknudson, only in search filter22:47
bknudsonit's self.id_attr22:47
gyeebut not when it create the model22:47
*** jorge_munoz has quit IRC22:47
bknudsonthat would be on create I guess? or a base search?22:47
gyeein get()22:47
bknudsongyee: what's the proposed fix?22:49
gyeebknudson, https://github.com/openstack/keystone/blob/master/keystone/common/ldap/core.py#L127822:49
gyeebknudson, I think we need to use the id map just like the rest22:49
gyeeshould be trivial I think22:49
bknudsongyee: dn_to_id can't work the same.22:49
bknudsonit doesn't even make sense anymore... you'd need entry_to_id22:50
morganfainberghmm.22:50
gyeebknudson, exactly22:50
gyeeI don't know why it was that way22:50
bknudsonthat's not going to be trivial22:50
bknudsongyee: https://github.com/openstack/keystone/blob/master/keystone/common/ldap/core.py#L137022:50
bknudsonthe user ID attr is used in _ldap_get, isn't that good enough?22:50
morganfainberggyee, isn't that issue (the same uid) the *reason* we went with henry-nash's hashing things to = uid?22:51
bknudsonSo you pass in a user id, it gets the right entry22:51
morganfainberggyee, oh because you're capturing uid from the same tree.22:51
bknudsonof course, the user's ID is the DN ID and not the ID in the entry22:51
gyeemorganfainberg, henrynash's patch only cares about internal IDs22:51
gyeeexternal IDs shouldn't be changing22:51
morganfainberggyee, if that part of the tree (ou=marketing) was a separate domain, it would work, but that isn't it.22:52
gyeemorganfainberg, yes, if in a separate domain, it will work22:52
bknudson_dn_to_id is only used in a couple of places.22:52
gyeebut for a single flat domain, it won't22:52
bknudsonso maybe it is a relatively easy change.22:52
gyeebknudson, yes (with fingers crossed)22:53
bknudsongyee: it's also used in list_users_in_gorup22:53
bknudsonlist_users_in_group22:53
gyeeyeah, that's dangerous22:53
bknudsonso now instead of getting the IDs back from the member attrs you need to fetch each entry22:53
gyeewe could end up with multiple users with the same id22:53
bknudsonwhich will be "a little" slow if you have a large group.22:54
bknudsonoh wait, it already does fetch the users for the group.22:54
gyeebknudson, I think the user group search is also not complete22:55
bknudsonso not a trivial change but it doesn't look like it's ridiculously difficult22:55
gyeeit won't work for reversed lookup22:55
bknudsonis_user_in_group?22:55
bknudsonsee if I can find that.22:55
gyeethe way it is implemented right now, it only works if we search the group objectclass first, then get the membership from the attributes22:56
bknudsonwhere's that code?22:56
gyeeif we have (say) memberOf attribute at the user object, that probably won't work22:56
dolphmbknudson: this file handling is super funky... https://review.openstack.org/#/c/110542/37/keystone/contrib/federation/idp.py22:56
bknudsonlist_group_users ?22:56
gyeeyeah22:57
bknudsondolphm: it is wacky... file handling can't be that hard.22:57
bknudsongyee: that just returns DNs, so that's not going to work.22:58
bknudsonit has to return IDs from all the users.22:58
gyeeyeah, we have more work to do22:58
bknudsonor we have to provide a function that checks if a user is in a group that does the lookups22:58
dolphmbknudson: i played around with it a bit, this seems more sane, but totally untested: http://pasteraw.com/43iidlfh6kooyw0gitm6ia54e3olob622:58
dolphmbknudson: anyway, i'll post that in the review for later22:59
bknudsonoh, delete=False.22:59
bknudsonyou've got the kitchen sink there... try / except / else / finally !23:00
bknudsonyou can't extend the "with tempfile.NamedTemporaryFile" to include the "subprocess.Popen(command_list" ?23:01
bknudsonis that only because subprocess.Popen can also raise IOError?23:01
dolphmbknudson: uhh, you need the file written in order to read it with popen23:01
dolphmbknudson: maybe that's what the flush was for at some point?23:01
dolphmbknudson: and yeah, i didn't want the ioerrors to be confused23:01
bknudsondolphm: I couldn't tell from the docs if something written to the file was supposed to be available.23:02
morganfainbergbknudson, i think the flush guarantees it. but otherwise it's questionable23:02
dolphmmorganfainberg: that's what i'd assume. the questionable bit may be up to a buffer or something, and luck23:03
* dolphm runs to food23:03
dolphmmorganfainberg: cross your fingers on your changes. they're only an hour from failing now!23:03
morganfainbergdolphm, LOL. barring any massive gate resets23:03
dolphmnooooo23:03
morganfainbergdolphm, and ceilometer change has queued things in it23:04
morganfainbergso.. might be even longer :P23:04
*** nkinder has joined #openstack-keystone23:05
gyeenkinder, need your input too, https://bugs.launchpad.net/keystone/+bug/136130623:06
uvirtbot`Launchpad bug 1361306 in keystone "Keystone doesn't handle user_attribute_id mapping" [High,Confirmed]23:06
bknudsongyee: were you planning to work on a fix?23:09
nkindergyee: I'll take a look23:12
gabriel-bezerramorganfainberg: have you worked on saml2 federation?23:15
morganfainbergugh.23:15
gabriel-bezerraon the extension?23:15
morganfainbergdolphm, we have an issue with the endpoint grouping API :( i'm going to post a fix to the spec.23:15
morganfainbergdolphm, we accepted a change where HEAD != GET responses to the API spec23:16
morganfainberggabriel-bezerra, no was looking at something else23:16
morganfainberggabriel-bezerra, i've not used it. marekd|away and stevemar are really the two leading the charge on that front.23:16
gabriel-bezerramorganfainberg: oh, ok. thanks23:17
*** david-lyle has quit IRC23:17
*** arunkant_work has quit IRC23:18
morganfainbergdolphm, or... someone fixed it :)23:18
morganfainbergdolphm, woo23:18
*** Haneef has quit IRC23:19
gyeebknudson, yeah, working on it23:28
nkindergyee: yeah, we shouldn't expect the id attribute to exist in the DN at all23:28
gyeenkinder, thanks for looking, I am working on a fix23:29
nkindergyee: ok, add me to the review when you post it23:29
gyeek, will do23:29
*** shakamunyi has quit IRC23:33
*** edmondsw_ has quit IRC23:34
*** ncoghlan has joined #openstack-keystone23:35
ncoghlanping jamielennox|away23:35
morganfainbergdolphm, annnnnd Boom, fail :(23:35
ncoghlanjamielennox|away: when you get back, had a question about python-ldap, python3-ldap and https://wiki.openstack.org/wiki/Python323:36
bknudsonmorganfainberg: Server 74f5042a-ceaf-45aa-bd31-da7f63517040 failed to build and is in ERROR status ?23:38
morganfainbergbknudson, yeah :(23:38
morganfainbergbknudson, fairly common issue.23:39
morganfainbergbknudson, well fairly common result, underlying problem, haven't had a chance to look at yet23:39
bknudsonmorganfainberg: it's probably the SAML2 plugin dependency on token api.23:40
*** amcrn has joined #openstack-keystone23:40
bknudsonjust get rid of that and no problems :)23:40
morganfainbergbknudson, lol23:40
morganfainbergbknudson, oh hey, wanted to ask directly, is the code removal of filter by email a big UX win?23:40
morganfainbergbknudson, for stable/icehouse?23:41
morganfainbergbknudson, or is doc change sufficient?23:41
morganfainbergbknudson, just thinking from a 'do we need to add code to stable' perspective23:41
bknudsonmorganfainberg: I'm personally embarrassed if the product I support gives out a 500 error.23:41
morganfainbergbknudson, sure. though to be fair a lot of products give out 500s if you ask it undocumented things (we are undocumenting it :P)23:42
bknudsona web application shouldn't 500 ever.23:43
bknudsonand I believe we do document that query parameters that aren't expected are ignored.23:44
morganfainbergbknudson, that makes it worth fixing :)23:44
morganfainbergbknudson, for sure.23:44
bknudsonI don't think anybody is having a real problem with this since I explained it to him.23:44
morganfainbergright.23:44
morganfainbergi'll dig into the docs when i get back from food.23:45
morganfainbergand reference that line with the +2 then.23:45
morganfainbergbknudson, thanks!23:45
bknudsonno problem.23:45
*** openstackgerrit has quit IRC23:46
*** openstackgerrit has joined #openstack-keystone23:46
*** jamielennox|away is now known as jamielennox23:47
morganfainbergbknudson, oh https://review.openstack.org/#/c/102425 - devstack change to "fix" apache logs somewhat23:48
morganfainbergbknudson, so we get proper oslofmt instead of some weird oslo+apache format23:48
morganfainbergbknudson, if you are interested in this change.23:49
*** gokrokve has quit IRC23:51
jamielennoxoops, just rechecked a review because nothing had happened since yesterday, it hadn't got lost after all - just the head of the check queue has been running for >30hrs23:52
jamielennoxjust extended that one by a day23:52
openstackgerritA change was merged to openstack/keystone: Remove oauth controller dependency on token_api  https://review.openstack.org/11534323:53
*** ncoghlan is now known as ncoghlan_afk23:54
openstackgerritBob Thyne proposed a change to openstack/keystone: Implementation of Endpoint Grouping  https://review.openstack.org/11194923:59
