Thursday, 2014-09-18

« Wednesday, 2014-09-17 Index Friday, 2014-09-19 »
*** marcoemorais has quit IRC00:00
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Add a pool of memcached clients  https://review.openstack.org/11945200:03
morganfainbergdstanek, ^00:03
morganfainbergdstanek, added the max-timeout (10s default)00:04
morganfainbergdstanek, this now requires a string freeze exception00:04
*** dims has joined #openstack-keystone00:10
*** radez is now known as radez_g0n300:11
*** gyee has quit IRC00:12
*** jasonsb has quit IRC00:13
*** ayoung has quit IRC00:22
*** wanghong has joined #openstack-keystone00:26
openstackgerritBrant Knudson proposed a change to openstack/keystonemiddleware: Delete unused examples/pki/certs/middleware.pem  https://review.openstack.org/12227700:32
*** amcrn has quit IRC00:32
openstackgerritBrant Knudson proposed a change to openstack/keystonemiddleware: Remove unused iso8601  https://review.openstack.org/12227800:33
*** Tahmina has quit IRC00:34
*** amcrn has joined #openstack-keystone00:34
openstackgerritBrant Knudson proposed a change to openstack/keystonemiddleware: BaseAuthTokenMiddlewareTest.setUp call super normally  https://review.openstack.org/12227900:34
openstackgerritBrant Knudson proposed a change to openstack/keystonemiddleware: Auth token tests create temp cert directory  https://review.openstack.org/12228000:36
*** ayoung has joined #openstack-keystone00:36
cyeohcan anyone tell me if there is a fixed format for tenant ids? I know that by default its uidv4 with the dashes removed and that historically there have been integers as tenant ids. But is it also now dependent on backends?00:37
cyeohlooking to see if we can do any cheap input validation in the nova api on tenant ids - eg without having to query keystone00:38
morganfainbergcyeoh, project_ids should be uuid4().hex (we auto generate them) -- BUT (big but) someone could do wonky things.00:40
morganfainbergcyeoh, i think officially we are 64byte varchar is our limit00:40
cyeohmorganfainberg: ok, thanks - sounds like it wouldn't be safe for us to do any input validation on them then00:41
morganfainbergcyeoh, i would hope all projects are 32bytes hex, but i honestly can't guarantee old old old sysrtems that have been migrated forward (essex, diablo) continously wouldn't have something odd in them00:41
morganfainbergi think it depends on where we draw that line.00:41
cyeohyea I had a patch that checked for uidv4 and someone pointed out that they have old entries in the db that have integers as their tenant_ids00:42
*** oomichi has joined #openstack-keystone00:42
openstackgerritBrant Knudson proposed a change to openstack/keystonemiddleware: Refactor extract class for signing directory  https://review.openstack.org/12228100:43
cyeohthe original basic problem was people sending say tenant names instead of tenant ids to the api and API would quietly accept them but do nothing00:43
*** bknudson has joined #openstack-keystone00:43
morganfainbergah yeah. :(00:43
morganfainbergwe do have the "get_project_by_name" but you'd need to know the domain_id too00:43
morganfainberg(most cases up until recently that would be "default")00:44
cyeohyea and I think its too expensive to query keystone just for tenant id validation00:45
morganfainbergcyeoh, and then there'd be the people who would do something weird like use a UUID hex for the name of the project too.00:45
cyeohhahaha yea00:45
*** alex_xu has quit IRC00:45
oomichihi bknudson00:45
bknudsonoomichi: hi00:46
morganfainbergcyeoh, ok actually what's the use case? because most of the time people are only ever spinning up instances in their own project, right?00:46
oomichibknudson: can you take a look at https://review.openstack.org/#/c/121575/ again ?00:46
morganfainbergcyeoh, their own = currently scoped00:46
morganfainbergcyeoh, or is this more for introspection type stuff?00:46
oomichibknudson: I'd like to know current status of the problem.00:46
cyeohthis specific example was 'nova quota-delete' <tenant_id> I think00:46
morganfainbergcyeoh, ah00:47
*** jasonsb has joined #openstack-keystone00:47
morganfainbergthat is a tough one00:47
cyeohmorganfainberg: if you pass an invalid tenant id, nova quite happily goes through its db, doesn't delete anything because it doesn't match any entries and says success!00:47
bknudsonoomichi: this was a month ago so I don't remember all of the details... but the test needed to be disabled in before the change to fix it could go in.00:47
morganfainbergcyeoh, maybe it should say "found no project by id XXX" ?00:48
bknudsonoomichi: https://review.openstack.org/#/c/109389/ was the change in keystone00:48
morganfainbergcyeoh, but short of that yeah i'd say the only sane option is validate with keystone.00:48
morganfainbergcyeoh, or keep current behavior00:48
*** jasonsb has quit IRC00:48
morganfainbergbut that sounds a little less sane from a usability standpoint00:48
oomichibknudson: yeah, I saw it. and now can we change keystone status to "Fix Released" on https://bugs.launchpad.net/tempest/+bug/135102600:49
uvirtbotLaunchpad bug 1351026 in keystone "IdentityError in TokensV3TestJSON.test_rescope_token" [Undecided,Fix committed]00:49
cyeohmorganfainberg: yep, have thought about checking how many records have been deleted and complain if none are. Unfortunately its a bit of non trivial db work so that would be deferred to kilo00:49
morganfainbergcyeoh, yeah it is a bit late in the cycle.00:49
cyeohmorganfainberg: yep. anyway thanks for you help!00:50
bknudsonoomichi: I'm not working on the bug anymore since it's taken care of.  If the revert in tempest passes the gate then should be fine.00:50
morganfainbergcyeoh, np anytime!00:50
bknudsoncyeoh: keystone has notifications for tenants00:50
bknudsonso if you want to keep a cache of valid tenants should be possible00:50
morganfainbergyeah you could but we know how often things ... uh ... disappear on the message bus00:51
bknudsoncyeoh: we have a bug open to have nova clean up when a tenant is deleted00:51
bknudsonor, make it so you can't delete the tenant if nova has vms on it00:51
*** cjellick has quit IRC00:52
cyeohbknudson: oh interesting00:52
morganfainbergbknudson, that latter one i think is very interesting00:52
cyeohbknudson, morganfainberg: yea we'd need reliable delivery updates if we're going to do input validation on it.00:52
*** cjellick has joined #openstack-keystone00:53
cyeohactually IIRC there is also another nova bug where we really should be doing tenant id validation so it might be generally useful00:53
oomichibknudson: thanks,  I got it. let's enable the test again.00:53
bknudsonpart of the problem is... you ask keystone if the tenant is there and it says yes, but then at the same time someone's doing the delete and now it's gone00:53
cyeohI think it was adding flavor access where we don't do an checking of the tenant id passed00:54
bknudsonso it didn't do any good to check if the project exists.00:54
*** rodrigods_ has joined #openstack-keystone00:54
cyeohbknudson: i think in these cases we could probably live with the race, but we'd have to be careful in others00:55
*** cjellick has quit IRC00:57
ayoungjamielennox|away, you around? If you are ,  Question:  does it make sense to fix httpclient so that authenticate is aware of sessions? I think it does.01:01
*** bjornar has quit IRC01:10
*** amcrn has quit IRC01:13
*** dims has quit IRC01:17
*** dims has joined #openstack-keystone01:17
*** dims has quit IRC01:21
*** dims has joined #openstack-keystone01:22
*** meker12 has quit IRC01:31
*** meker12 has joined #openstack-keystone01:32
dstanekayoung: i think he's on vacation for a few weeks01:34
ayoungdstanek, HE WENT TO THE CHURCH TO GET MARRIED!01:34
* ayoung making reference to old, racist movies01:35
*** amcrn has joined #openstack-keystone01:36
*** meker12 has quit IRC01:37
*** _cjones_ has quit IRC01:38
*** _cjones_ has joined #openstack-keystone01:38
*** _cjones_ has quit IRC01:43
*** zzzeek has quit IRC01:45
*** amcrn has quit IRC01:47
*** oomichi has quit IRC01:56
*** vdreamarkitex has quit IRC02:00
*** openstackgerrit has quit IRC02:01
*** wanghong has quit IRC02:06
*** stevemar has joined #openstack-keystone02:08
*** meker12 has joined #openstack-keystone02:09
*** dims has quit IRC02:15
*** david-lyle has joined #openstack-keystone02:16
*** dims has joined #openstack-keystone02:16
*** openstackgerrit has joined #openstack-keystone02:20
*** dims has quit IRC02:21
*** rodrigods_ has quit IRC02:24
*** meker12 has quit IRC02:24
*** meker12 has joined #openstack-keystone02:24
*** meker12_ has joined #openstack-keystone02:27
*** meker12_ has quit IRC02:27
*** meker12_ has joined #openstack-keystone02:28
*** vdreamarkitex has joined #openstack-keystone02:28
*** meker12 has quit IRC02:29
*** junhongl has joined #openstack-keystone02:30
*** junhongl has quit IRC02:33
*** junhongl has joined #openstack-keystone02:33
YorikSarmorganfainberg: morning/evening02:43
morganfainbergYorikSar, hi02:44
YorikSarmorganfainberg: Oh, you're still around, cool.02:44
YorikSarmorganfainberg: It looks like everybody's happy with queue version :)02:44
YorikSarmorganfainberg: The only change I'm not sure about is help strings for config options :)02:45
morganfainbergYorikSar, those are actually needed, i've had dstanek and one other person confused about the very similar options02:45
morganfainbergand those ones are clearly for KVS02:45
YorikSarmorganfainberg: The whole section is for KVS02:45
*** alex_xu has joined #openstack-keystone02:46
YorikSarmorganfainberg: But actually it's not a big deal.02:46
YorikSarmorganfainberg: I guess we can port this to middleware now, right?02:46
morganfainbergYorikSar, we need some way to make it clear. i just would rather have too much info in help strings vs not enough. we can cut it back next cycle come.02:46
morganfainbergYorikSar, i think we can.02:47
YorikSarmorganfainberg: Yes, agree.02:47
YorikSarmorganfainberg: Ok, I'll put up new patchset to middleware once I reach work02:47
dstanekYorikSar: great!02:49
YorikSarmorganfainberg: I hate waking up before dawn :)02:49
*** _cjones_ has joined #openstack-keystone02:49
*** wwriverrat has joined #openstack-keystone02:50
*** meker12_ has quit IRC02:50
*** meker12 has joined #openstack-keystone02:51
dstanekYorikSar: yeah, my issue was that there was nothing that says the memcache section is only for kvs; and now with the change there is duplicate memcache settings with no guidance about where they are used02:51
morganfainbergwe could move it to KVS section but i think it'd net us the same issue.02:52
YorikSardstanek: I don't oppose them, just... I think I'm too familiar with this corner of Keystone config now :)02:52
dstanekmorganfainberg: but that would mean we'd either make existing configurations invalid or support both right?02:52
dstanekYorikSar: i hear ya :-)02:53
*** wwriverrat has left #openstack-keystone02:53
morganfainbergdstanek, something like that02:53
YorikSardstanek: Let's see what I'll say in couple months when I forget all about this :)02:53
morganfainbergdstanek, oh .. dunno who you need to bug about it... but could we convince RAX to do a 3rd party gate on Jython running keystone... and maybe document how to make it run?02:53
*** _cjones_ has quit IRC02:53
morganfainbergdstanek, it's an interesting deployment model for $reasons_rackspace_deploys_it_llike_that$02:54
dstanekmorganfainberg: probably - where do i find out how to make a third party gate?02:54
YorikSarmorganfainberg: Rackspace deploys OpenStack in Jython?02:54
morganfainbergdstanek, antaeya is the gate keeper of 3rd party ci http://ci.openstack.org/third_party.html02:54
morganfainbergYorikSar, keystone02:55
* YorikSar found a thought to get his eyes open02:55
dstanekYorikSar: not everything, keystone for sure02:55
YorikSarwow02:55
dstanektheir legacy system was java and they wanted to reuse it as a backend (i think) so jython let me do it "easily"02:56
*** meker12 has quit IRC02:56
dstaneks/their/our/02:56
ayoungI've been reading mail slowly all day.  Mailbox was clear this morning, now there are 600+ messages, and it is almost all #openstack*02:56
YorikSardstanek: Oh... And how good does that perform?02:56
morganfainbergYorikSar, based on the convos i've had.. passibly02:56
morganfainbergbetter than eventlet02:56
morganfainberg;)02:56
YorikSarmorganfainberg: Huh... I think I should tell that to our 'scaling' team, let them run some benchmarks :)02:57
morganfainbergayoung, oh you'll like this... i'm definitely bringing up the possiblity of axing eventlet (for keystone). to open discussion on this front soon. (obviously with multiple cycles of deprecation)02:58
ayoungmorganfainberg, so the problem, as I understand it, is the oslo messaging.  THat side of the house likes singlethreaded apps02:58
ayoungoh, just for Keystone02:58
morganfainbergayoung, yep.02:58
ayoungI thought you meant everywhere02:58
morganfainbergayoung, i wish02:58
ayoungcuz of the memcached issue02:59
morganfainbergayoung, no cause eventlet sucks issue ;)02:59
morganfainbergayoung, was talking with infra and we know eventlet deployment is sub-par compared to other options.. we shoudl either figure out how to make eventlet deploy better or focus on making the real methods way better02:59
morganfainbergand.. i agree.02:59
ayoungmorganfainberg, I meant "Make eventlet go away everywhere because eventlet to memcach is broken."03:00
morganfainbergayoung, oh haha i think that is the wrong argument for ridding us of eventlet ;)03:01
ayoungmorganfainberg, I thought you were saying it was a show stopper03:01
morganfainbergbut it's a side benefit03:01
morganfainbergnaaaah03:01
morganfainbergi'm not that insane...03:01
morganfainbergmost days03:01
ayoungmorganfainberg, BTW, congrats.  Between landing willingly at HP and being consumed by Cisco, I know which I would prefer03:01
morganfainberghehe03:02
morganfainbergthe real question will be how much $ do i end up walking away with from the options i had vested/purchased03:02
*** r1chardj0n3s is now known as r1chardj0n3s_afk03:03
morganfainbergthose guys are excited though, and i'm really happy for em.03:03
ayoungmorganfainberg, OK,  remember the mox hell I was in yesterday?  Still there.  Trying to figure out how to get a testable version of D-O-A to work with Keystone.  THought I had it:  was going to make "authenticate"  serssion aware, but I am tripping over the fact that ...you know what, no one cares about this but Jamie. I'll bug him after the honeymoon03:03
morganfainbergayoung, i can try and help you tomorrow on the mox front in the morning.03:03
ayoungmorganfainberg, if I were a founder, sure.  For the average worker bee, does it mean that they are really going to get much out of it.03:03
ayoungmorganfainberg, the problem is not mox per se but rather the fact that to use auth plugins, DOA needs to know too much about keystoneclient03:04
morganfainbergayoung, right.03:04
ayoungand, looking at my "just get it working code"  I should not be allowed to write code03:04
*** stevemar has quit IRC03:04
morganfainbergayoung, i mean.. can we just back it to session like the other clients?03:05
ayoungmorganfainberg, so that is what I am trying to do03:05
ayoungbut...well, let me show you03:05
*** stevemar has joined #openstack-keystone03:05
ayounghttps://review.openstack.org/#/c/121281/1/openstack_auth/backend.py  morganfainberg see the nasty auth_ref stuff03:06
morganfainbergooooh03:06
morganfainbergyeah03:06
ayoungmorganfainberg, the old logic is this:03:06
ayoungfirst, just try to get a token, any token.03:06
ayoungbut the new code makes that difficult03:06
ayounghence my jumping all the way to the auth plugin to do that03:06
ayoungauth_ref, though, is that thing you were looking at before that wraps the token data03:07
ayoungit assumes (IIUC) that there is a service catalog03:07
ayoungnow, the old code talks about an unscoped auth_ref, which seems like a contradiction in terms to me03:08
ayoungassumine auth_ref is an  access.AccessInfo03:08
openstackgerritA change was merged to openstack/python-keystoneclient: Handle federated tokens  https://review.openstack.org/12114603:08
morganfainbergit probably is03:09
morganfainbergor should be03:09
ayoungconsidering that get_auth_ref in the v3 code ends with03:09
ayoung return access.AccessInfoV3(resp.headers['X-Subject-Token'],03:09
ayoung                                   **resp_data)03:09
*** zzzeek has joined #openstack-keystone03:09
ayoungI'm pretty sure it is03:09
*** marcoemorais has joined #openstack-keystone03:09
morganfainbergayoung, my brain is already fried.03:10
morganfainbergayoung, but ick :(03:10
ayoungmorganfainberg, this has been my life for this release.  Poor jamie03:10
ayounghe's been living in this code for a year+ now03:10
morganfainbergayoung, i know.03:10
morganfainberghe's got a few week break though, so.. maybe he'll be a bit refreshed03:11
*** marcoemorais1 has joined #openstack-keystone03:11
morganfainbergwoohoo ksc has no outstanding release blockers!03:12
morganfainbergyay stevemar, ayoung, jamielennox|away, and marekd, for working through those.03:12
morganfainbergand lots of other people too03:12
morganfainberg>.>03:12
ayounghttp://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/service_catalog.py#n32   morganfainberg so this is the root of the problem03:13
*** marcoemorais has quit IRC03:14
morganfainbergoh validate or blow up03:14
ayoungoh...wait.03:14
ayounghttp://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/service_catalog.py#n31303:14
ayoungheh03:14
morganfainbergahh03:14
ayoungI was jumping to conclusions...I think I can just fix that in my test...03:14
ayoungjust add methods to the kwargs03:15
* morganfainberg is happy to be the sounding board.03:15
morganfainberg;)03:15
ayoungmorganfainberg, ok. so I can move ahead03:17
morganfainbergcool03:17
*** jimbaker has quit IRC03:17
stevemarmorganfainberg, yay03:17
ayoungthe issue is that I want to make the DOA code just call authenticate, like it did before, and I think I can do that...all I want to be different is how the client is rreated,  but I might have to change the unscoped->scoped transition to use the same client...that should be OK03:18
*** jimbaker has joined #openstack-keystone03:20
morganfainbergayoung, that sounds reasonable03:20
*** jimbaker has quit IRC03:20
*** jimbaker has joined #openstack-keystone03:20
morganfainbergayoung, it shou;dn't be awful to make that transition at all03:20
ayoungwe'll see...this code has taken pretty much the whole release, and it still not review ready03:20
morganfainbergayoung, do you need/want someone to pickup the enumerate and the tests for the "safer enabled check"?03:22
morganfainbergayoung, those are the two outstanding bits of code you're working on for keystone/ksc/middleware i think that are RC blockers or RC-potential03:22
*** wwriverrat1 has joined #openstack-keystone03:28
ayoungmorganfainberg, I'll knock them out tomorrow.  I will probably need this change as well03:31
morganfainbergayoung, makes sense03:31
ayoungit should be straightforward to review.  Its just making another call that used to to direct token things make use of the session if provided03:32
ayoungrunning the tests now03:32
*** ayoung has quit IRC03:33
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: PERFORMANCE TEST - DNM  https://review.openstack.org/12230803:33
*** zzzeek has quit IRC03:34
*** jasonsb has joined #openstack-keystone03:34
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Make client.authenticate use session if provided  https://review.openstack.org/12230903:35
*** wwriverrat1 has left #openstack-keystone03:37
*** morgan_remote_ has joined #openstack-keystone03:38
*** r1chardj0n3s_afk is now known as r1chardj0n3s03:44
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Make client.authenticate use session if provided  https://review.openstack.org/12230903:44
*** ayoung has joined #openstack-keystone03:50
*** wwriverrat has joined #openstack-keystone03:51
ayoungmorgan_remote_, check me on this:  If I have token, I can request a token.  I don;t need any other data.  So making validate_token a protected call gives no real protection, right?03:51
*** hugokuo has joined #openstack-keystone03:53
*** oomichi has joined #openstack-keystone03:53
openstackgerritKui Shi proposed a change to openstack/keystone: Add memcached_backend configuration  https://review.openstack.org/12203703:54
hugokuomorning03:54
hugokuohi Guys,03:54
hugokuoI'd like to implement Rackspace-style authentication in my Keystone instance. How could I find the resource ?03:55
hugokuoMy Keystone is in Havana03:55
*** ayoung has quit IRC03:57
*** wanghong has joined #openstack-keystone04:07
*** k4n0 has joined #openstack-keystone04:46
*** r1chardj0n3s is now known as r1chardj0n3s_afk04:52
*** wanghong has quit IRC04:54
*** stevemar has quit IRC05:06
*** wanghong has joined #openstack-keystone05:07
*** stevemar has joined #openstack-keystone05:07
*** HenryG has quit IRC05:09
*** achampion has joined #openstack-keystone05:13
*** achampio1 has quit IRC05:15
*** rushiagr_away is now known as rushiagr05:16
*** harlowja is now known as harlowja_away05:20
*** HenryG has joined #openstack-keystone05:22
morganfainberghugokuo, i'm not sure what to recommend as I'm not 100% familiar with the RAX style of auth (compared to say default keystone auth). Your best bet is to ask dstanek, but I can look into this a bit more tomorrow and see what is out there.05:36
hugokuomarcoemorais1: That'd be great to have any clues. THX05:37
morganfainberghugokuo, what timezone are you in? I'll try and circle back when it's not close to midnight here.05:37
morganfainberghugokuo, it's been a long day, and i don't want to send you down the wrong path.05:37
*** alex_xu has quit IRC05:39
hugokuomorganfainberg: I'm located in HK (hongKong timezone05:39
*** alex_xu has joined #openstack-keystone05:39
hugokuoappreciate05:40
morganfainberghugokuo, ok I'll do my best to catch you tomorrow.05:40
morganfainberghugokuo, we'll see what we can track down. but I *think* RAX uses a custom extension to the API05:41
morganfainberghugokuo, i'll defer to the RAX employees that work on Keystone though for a definite answer.05:41
*** openstackgerrit_ has joined #openstack-keystone05:45
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: PERFORMANCE TEST - DNM  https://review.openstack.org/12230805:47
*** david-lyle has quit IRC05:55
*** stevemar has quit IRC05:56
*** morganfainberg has quit IRC05:58
*** r1chardj0n3s_afk is now known as r1chardj0n3s05:58
*** morgan_remote_ has quit IRC06:00
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/12069506:08
*** ukalifon1 has joined #openstack-keystone06:11
*** morganfainberg has joined #openstack-keystone06:13
*** ajayaa has joined #openstack-keystone06:15
*** jaosorior has joined #openstack-keystone06:21
*** afazekas has joined #openstack-keystone06:34
*** jschwarz has joined #openstack-keystone06:35
jschwarzhi guys06:35
jschwarzfor some reason, on my devstack setup, when I try to create a new VM neutron-server goes about an Unauthorized exception in the nova notifier part of code06:36
jschwarzany ideas? :<06:36
*** henrynash has joined #openstack-keystone06:41
*** jamielennox|away has quit IRC07:06
*** andreaf has quit IRC07:08
*** jschwarz is now known as jschwarz|afk07:10
*** marcoemorais1 has quit IRC07:11
*** lufix has joined #openstack-keystone07:13
*** jschwarz|afk has quit IRC07:16
*** garnav has joined #openstack-keystone07:21
*** rodrigods has quit IRC07:22
marekdmorganfainberg: +100 for lack of RC blockers!07:25
*** toddnni has quit IRC07:27
*** BAKfr has joined #openstack-keystone07:30
*** jamielennox|away has joined #openstack-keystone07:31
*** jamielennox|away is now known as jamielennox07:32
*** rodrigods has joined #openstack-keystone07:34
*** morganfainberg has quit IRC07:35
*** alex_xu has quit IRC07:37
*** morganfainberg has joined #openstack-keystone07:39
*** marekd has quit IRC07:39
*** alex_xu has joined #openstack-keystone07:45
*** openstackgerrit_ has joined #openstack-keystone07:49
*** afazekas has quit IRC07:53
*** afazekas has joined #openstack-keystone07:56
*** marekd has joined #openstack-keystone08:00
*** jschwarz|afk has joined #openstack-keystone08:00
*** jamielennox has quit IRC08:02
*** openstackgerrit_ has joined #openstack-keystone08:03
*** meker12 has joined #openstack-keystone08:04
*** jamielennox has joined #openstack-keystone08:13
*** jschwarz|afk is now known as jschwarz08:14
*** jschwarz_ has joined #openstack-keystone08:31
*** jschwarz has quit IRC08:33
*** toddnni has joined #openstack-keystone08:35
openstackgerritjun xie proposed a change to openstack/python-keystoneclient: Fix a doc_string error  https://review.openstack.org/12235608:36
*** k4n0 has quit IRC08:37
*** meker12 has quit IRC08:48
*** meker12 has joined #openstack-keystone08:49
*** aix has joined #openstack-keystone08:51
*** r1chardj0n3s is now known as r1chardj0n3s_afk08:52
*** k4n0 has joined #openstack-keystone08:53
openstackgerrithenry-nash proposed a change to openstack/python-keystoneclient: Add support for endpoint policy.  https://review.openstack.org/12236709:09
openstackgerrithenry-nash proposed a change to openstack/python-keystoneclient: Add support for endpoint policy.  https://review.openstack.org/12236709:11
openstackgerrithenry-nash proposed a change to openstack/keystone: Ensure identity sql driver supports domain-specific configuration.  https://review.openstack.org/12124609:17
*** k4n0 has quit IRC09:22
*** andreaf_ is now known as andreaf09:34
*** k4n0 has joined #openstack-keystone09:35
garnavHi all, quick question09:42
garnavs it possible to use other Content-Type appart from application/json? Its a requirement for a keysonte extension Im working on09:42
garnavthanks in advance09:42
openstackgerritEndre Karlson proposed a change to openstack/python-keystoneclient: Make Keystone use CLI Plugin  https://review.openstack.org/12152309:45
*** jschwarz_ has left #openstack-keystone09:47
andreafukalifon1: ping - I fixed my patch and it's now merged - I verified that your test now works as expected09:52
andreafukalifon1: https://review.openstack.org/12156209:52
andreafukalifon1: and here you can see your test passing: https://review.openstack.org/#/c/115279/09:53
ukalifon1andreaf: yes, I grabbed your fix yesterday and saw that it works. Many thanks !10:19
andreafukalifon1: glad I could help10:21
*** meker12 has quit IRC10:28
*** meker12 has joined #openstack-keystone10:29
*** meker12 has quit IRC10:33
*** oomichi has quit IRC10:37
*** dims has joined #openstack-keystone10:48
*** rodrigods_ has joined #openstack-keystone10:53
*** dims has quit IRC10:55
*** dims has joined #openstack-keystone10:56
*** dims has quit IRC11:00
*** dims has joined #openstack-keystone11:06
*** aix has quit IRC11:08
openstackgerritStuart McLaren proposed a change to openstack/keystonemiddleware: Add composite authentication support  https://review.openstack.org/10838411:13
*** dims has quit IRC11:18
*** dims has joined #openstack-keystone11:18
*** dims_ has joined #openstack-keystone11:19
*** afaranha has left #openstack-keystone11:22
*** dims has quit IRC11:22
*** rodrigods_ has quit IRC11:28
*** soulxu_ has joined #openstack-keystone11:29
*** alex_xu has quit IRC11:32
*** henrynash has quit IRC11:34
*** diegows has joined #openstack-keystone11:35
*** aix has joined #openstack-keystone11:38
*** soulxu__ has joined #openstack-keystone11:43
*** soulxu_ has quit IRC11:47
*** dhellmann is now known as dhellmann_11:52
*** meker12 has joined #openstack-keystone11:53
*** soulxu__ has quit IRC11:53
*** soulxu__ has joined #openstack-keystone11:53
*** meker12 has quit IRC11:53
*** meker12 has joined #openstack-keystone11:54
*** achampion has quit IRC11:55
*** soulxu__ has quit IRC11:58
*** soulxu__ has joined #openstack-keystone11:59
*** k4n0 has quit IRC12:01
*** soulxu_ has joined #openstack-keystone12:05
*** soulxu__ has quit IRC12:08
*** soulxu_ has quit IRC12:10
*** soulxu_ has joined #openstack-keystone12:10
*** meker12 has quit IRC12:12
*** meker12 has joined #openstack-keystone12:12
*** rushiagr is now known as rushiagr_away12:14
*** soulxu__ has joined #openstack-keystone12:16
*** diegows has quit IRC12:17
*** soulxu_ has quit IRC12:20
*** rushiagr_away is now known as rushiagr12:24
*** Tahmina has joined #openstack-keystone12:32
*** wap has joined #openstack-keystone12:37
*** gordc has joined #openstack-keystone12:37
waphi all12:38
wapi try to enable multiple worker in icehouse12:38
wapim following this patch12:38
waphttps://launchpadlibrarian.net/179898469/keystone-multiple-workers.icehouse-backport.inplace.patch12:38
wapand this review: https://review.openstack.org/#/c/42967/12:38
wapbut i still cant run multiple keystone worker12:39
waphttp://ur1.ca/i7lek12:39
wapit says AttributeError: 'module' object has no attribute 'ProcessLauncher'12:40
wapwhats wwrong with proses launcher in icehouse?12:41
*** miqui has joined #openstack-keystone12:41
marekdmorganfainberg: o/ Do you think devstack is ready for IDENTITY API v3 ?12:48
*** dims_ has quit IRC12:51
*** dims has joined #openstack-keystone12:51
*** dims has quit IRC12:51
*** dims has joined #openstack-keystone12:52
*** jasondotstar has joined #openstack-keystone12:57
*** vdreamarkitex has quit IRC13:02
*** richm has joined #openstack-keystone13:04
*** meker12 has quit IRC13:05
*** meker12 has joined #openstack-keystone13:06
*** achampion has joined #openstack-keystone13:06
*** meker12 has quit IRC13:10
*** meker12 has joined #openstack-keystone13:14
wapthanks all, i get it13:14
*** wap has quit IRC13:14
*** vdreamarkitex has joined #openstack-keystone13:17
*** dhellmann_ is now known as dhellmann13:19
*** rodrigods_ has joined #openstack-keystone13:20
*** nkinder has quit IRC13:23
*** radez_g0n3 is now known as radez13:27
*** junhongl_ has joined #openstack-keystone13:27
*** henrynash has joined #openstack-keystone13:31
*** vdreamarkitex has quit IRC13:32
*** henrynash has quit IRC13:33
samuelmzmarekd, when I run devstack and then set OS_IDENTITY_API_VERSION to 3 I'm not able to run python-openstackclient D:13:35
samuelmzmarekd, did you already have something similar?13:35
*** afaranha has joined #openstack-keystone13:35
bknudsonAre we supposed to be doing a client release today?13:35
marekdsamuelmz: i can run it, but for instance a project shipped with devstack (demo) seems to be not usable under v3 as it doesn't have domain.13:36
marekdsamuelmz: what error did you get13:36
bknudsonLooks like keystoneclient has a change to update requirements but it doesn't have oslo updates: https://review.openstack.org/#/c/116255/13:36
samuelmzmarekd, I got ERROR: openstackclient.shell Exception raised: Expecting to find domain in project - the server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error. (HTTP 400)13:37
bknudsonthat change is still going through global requirements: https://review.openstack.org/#/c/122408/13:37
bknudsonso once that merges hopefully we'll get an update in keystoneclient & keystonemiddleware13:37
*** henrynash has joined #openstack-keystone13:37
samuelmzmarekd, with --debug http://paste.openstack.org/show/112858/13:38
marekdsamuelmz: yeah i had the same thing.13:38
marekdsamuelmz: well, i thnk it;s not openstackclient13:39
samuelmzmarekd, cool (or not)13:39
samuelmzmarekd, it s on keystoneclient13:39
marekdbut the fact that project was prepared under v213:39
samuelmzmarekd, I was able to run it yesterday13:39
marekdsamuelmz: and it doesn't have domains there.13:40
marekdand that's the problem.13:40
marekdis my understanding correct ^^ ?13:40
rodrigods_what about keystone client old CLI? it stopped working here as well =(13:41
samuelmzmarekd, I think keystoneclient is broken13:41
marekdsamuelmz: if you have cycles maybe you could add a project through v313:42
marekdand then see if osc works.13:42
samuelmzmarekd, cycles? I didnt understand what you're proposing ..13:43
marekdsome time :-)13:43
marekd(like CPU cycles :P)13:43
samuelmzmarekd, haha ,makes sensse :)13:43
*** topol has joined #openstack-keystone13:46
*** meker12 has quit IRC13:48
*** meker12 has joined #openstack-keystone13:49
*** meker12 has quit IRC13:49
*** vdreamarkitex has joined #openstack-keystone13:50
*** meker12 has joined #openstack-keystone13:50
openstackgerritMarek Denis proposed a change to openstack/keystone: Update 'Configure Federation' documentation.  https://review.openstack.org/12241513:50
*** meker12 has quit IRC13:51
*** henrynash has quit IRC13:52
*** victsou has joined #openstack-keystone13:53
morganfainbergbknudson, tagged that review (ksc) for a blocker13:53
morganfainbergbknudson, forgot to add itto the list yesterday13:53
bknudsonmorganfainberg: here's for ksm : https://review.openstack.org/#/c/119142/13:54
morganfainbergbknudson, added as well13:54
*** ukalifon2 has joined #openstack-keystone13:56
morganfainbergbknudson, turns out switching to UUID tokens and running eventlet with a single worker slowed the gate down by ~20+ minutesfor the postgres job13:56
bknudsonmorganfainberg: I've got a review out to allow setting multiple eventlet workers.13:57
morganfainbergbknudson, i'm going to open a bug for us to up the default number of workers in keystone (I know you have a CR open for doing so in devstack)13:57
*** andreaf is now known as andreaf_13:57
morganfainbergbknudson, or we could change ds-g to do it to something like n-proc13:57
bknudsonmorganfainberg: the gate wouldn't use the default... they have an option for it13:57
morganfainbergonce yours merges.13:57
*** ukalifon1 has quit IRC13:57
bknudsonmorganfainberg: they didn't want n-proc because it uses too much memory13:57
marekdwho is devstack's gatekeeper, dtroyer?13:58
*** henrynash has joined #openstack-keystone13:58
morganfainbergmarekd, qa- team, dean is core on it though13:58
marekdmorganfainberg: thanks.13:58
morganfainbergbknudson, i did a quick sample with 4 workers default and it made the postgres gate faster than the mod_wsgi one13:58
bknudsonmorganfainberg: how's that possible?13:59
*** vdreamarkitex has quit IRC13:59
morganfainbergone data point, but *shrug*13:59
morganfainbergsecond datapoint shows it closer to the standard 1h mark like the others13:59
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements  https://review.openstack.org/11162013:59
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/11914213:59
morganfainberghttps://review.openstack.org/#/c/122308/13:59
bknudsonmod_wsgi seems to re-initialize the application a few times.13:59
morganfainbergbknudson, thats normal.14:00
bknudsonhttps://review.openstack.org/#/c/111620/ looks good!14:00
morganfainbergcool!14:00
*** ajayaa has quit IRC14:00
henrynashmorganfainberg:…ok, fixed thta issue14:00
morganfainberghenrynash, yay! thanks for working on that :)14:00
bknudsonoh, wait, it doesn't have oslo.config14:00
morganfainbergbknudson, doh!14:01
bknudsonstill waiting for https://review.openstack.org/#/c/122408/ in requirements14:01
morganfainbergbknudson, ok so with your fix to devstack we just need ds-g to set an appropriate number of workers. I think i'm also going to spin off a specific eventlet tempest run for us that is only run under keystone (for now)14:02
*** vdreamarkitex has joined #openstack-keystone14:02
henrynashmorganfainberg” also *trying* to get this in to the cleint: https://review.openstack.org/#/c/122367/14:02
bknudsonmorganfainberg: I think there is a review for d-g or it's merged already to set the option.14:03
morganfainbergbknudson, ah let me check. that would be good14:03
bknudsonmorganfainberg: https://review.openstack.org/#/c/121242/ -- it's WIP14:04
bknudsonmorganfainberg: then they try to set the default in devstack -- https://review.openstack.org/#/c/122269/14:05
bknudsonso it's caught in a review war as they say.14:05
morganfainbergbknudson, ok so the simplest is if we make our default something not *1* and worry about the devstack review war14:05
morganfainberglater14:05
* morganfainberg checks novas default14:05
*** sigmavirus24_awa is now known as sigmavirus2414:10
*** nkinder has joined #openstack-keystone14:10
*** zzzeek has joined #openstack-keystone14:19
*** david-lyle has joined #openstack-keystone14:20
bknudsonthe others default to n-cpu14:21
*** meker12 has joined #openstack-keystone14:26
*** meker12 has joined #openstack-keystone14:26
*** david-lyle has quit IRC14:27
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: PERFORMANCE TEST - DNM  https://review.openstack.org/12230814:30
morganfainbergbknudson, yeah so that is the what we're going to do, based on chat in -qa we may want devstack to have a separate knob for either just 'main_workers' or both 'main' and 'admin' for keystone (not tied to the global API_WORKERS setting14:32
openstackgerritMarek Denis proposed a change to openstack/keystone: Add info about pysaml2 into federation docs.  https://review.openstack.org/12243314:32
morganfainbergbknudson, ^ that review is just testing the change to see roughly where we land. in either case n-cpu should be the default, i'll open a bug on it now and tag to juno-RC14:32
bknudsonmorganfainberg: going to change devstack to set API_WORKERS to n-cpu?14:32
bknudsonmorganfainberg: I think the only reason we didn't have keystone default to n-cpu workers is because the change came late in the prev release.14:33
morganfainbergbknudson, there was discussion in openstack-qa that for keystone we may want that as default in devstack.14:33
morganfainbergbknudson, ++ makes sense to me14:33
*** diegows has joined #openstack-keystone14:33
bknudsonwe've got internal tempest here where we set multiple workers. so it has been tested more now.14:34
morganfainbergbknudson, keystone is a bit special :P which means the other APIs might get set to n-cpu with a min of 2, we might always be n-cpu.14:34
henrynashbknudson, morganfainberg: when you have a momemnet, let’s get https://review.openstack.org/#/c/121246/ back into the queue…14:34
*** david-lyle has joined #openstack-keystone14:35
bknudsonhenrynash: what changed?14:35
morganfainbergbknudson, https://bugs.launchpad.net/keystone/+bug/137115414:36
uvirtbotLaunchpad bug 1371154 in keystone "increase default setting of workers to n-cpu" [Medium,Triaged]14:36
henrynashbknudson: line 112 of identity/core.py  I had missed off the is_sql part (self._any_sql = new_config['driver'].is_sql)14:36
bknudsonwasn't it just treated as a boolean? seems like it would work either way14:37
bknudsonit's either None or an object that will be true-y14:37
henrynashbknudson: so I’d have kind of thought that too….but it definitely makes the difference14:39
henrynashbkundson: what happens is tha if the last driver was ldap….it would still set any_sql to true, even though is_sql was false14:41
morganfainberghenrynash, which is why it ended up being sortof intermittant14:41
morganfainbergand passing check but not gate.14:41
*** packet has joined #openstack-keystone14:42
morganfainbergyeah not failing on a local run for me now.14:42
morganfainberghenrynash, +2 again.14:43
henrynashmorganfainberg: thx14:43
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Enumerate Projects with Unscoped Tokens  https://review.openstack.org/10683814:54
*** jorge_munoz has quit IRC14:55
*** rushiagr is now known as rushiagr_away14:56
*** ukalifon2 has quit IRC14:59
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Enumerate Projects with Unscoped Tokens  https://review.openstack.org/10683815:01
*** rodrigods_ has quit IRC15:02
*** stevemar has joined #openstack-keystone15:04
*** ayoung has joined #openstack-keystone15:04
marekdmorganfainberg: new keystoneclient will be released today or it's just some bugfixing period closing?15:04
morganfainbergmarekd, we need an oslo sync and we're waiting for a patch to make it through requirements first15:04
*** andreaf has joined #openstack-keystone15:06
*** victsou has quit IRC15:07
*** Sharath_ has joined #openstack-keystone15:07
marekdmorganfainberg: aha. Cause there is some problem and I am not sure how to respond to this: https://bugs.launchpad.net/python-keystoneclient/+bug/1371085 . Tests were passing before the release, they are indeed not passing now (when I tox -epy27 version fetched from pypi). On the other hand, the problematic line was removed as a result of some refactoring. So it's not in github anymore. How can we classify this bug?15:08
uvirtbotLaunchpad bug 1371085 in python-keystoneclient "saml2 unit tests are failing with testtools 0.9.39" [Undecided,New]15:08
Sharath_Hi, Am new to openstack, started with keystone , have put some logs to get the control flow , but its not clear to me , can you please tell me the one control flow , with that i can findout other flows and try to contribute to the community15:10
dstanekmorganfainberg: should there just be one call to super() instead of two calls to the parent's setUp?15:11
henrynashmorganfainberg, bknudson: I’d really like to try and get https://review.openstack.org/#/c/122367/ into that keystoneclient release…it’s pretty standalone since it is the class for the new endpoint policy extensions15:11
*** meker12_ has joined #openstack-keystone15:11
morganfainbergdstanek, hm?15:11
morganfainbergdstanek, i think there shouldonly be one..15:11
*** meker12 has quit IRC15:12
dstanekmorganfainberg: yeah, not sure how that code slipped by15:12
morganfainbergok i need to head out for an appt. today15:12
Sharath_can any one please explain me one flow ?15:12
morganfainbergi'll be back online when i get to the coffee shop out that way.15:12
morganfainberghenrynash, i'm happy to review that when i'm back15:13
ayounglbragstad, morganfainberg bknudson https://review.openstack.org/#/c/120592/2/keystone/token/providers/common.py,cm  does not need a test15:13
henrynashmorganfainberg: thx15:13
marekddstanek: you are talking about my code?15:13
dstanekmorganfainberg: ok, don't rush to get back online15:13
ayoungcurrent testing ensures the change doesn;t break15:13
dstanekmarekd: thatbug you mentioned15:13
marekddstanek: i was inheriting from two classes and needed attributes from both parents.15:14
ayoungand all of the testing in the world will not prevent someone else from doing an end run around the public API like this one was doing15:14
morganfainbergdstanek, nah not rushing :) got a 60mi drive. gonna relax the way out there and enjoy coffee when i arrive.15:14
Sharath_Hi Morgan ,15:14
marekddstanek: anyway, we can say the fix is already in the master branch.  So it should be treated as invalid, I don't think so. Fixed?15:15
morganfainbergSharath_, hi, i'm sorry i need to get on the road, i'll be back a bit later and can discuss and/or help you out if someone else here is unable to do so before i'm back.15:15
bknudsonmarekd: I was able to recreate with 0.10.1 but not with master... so I assume we fixed it at some point15:15
Sharath_Sure Morgan , i will wait for you , Thank you:)15:15
marekdbknudson: i had the same situation. as i write, the problematic line was removed actually as a part of some refactoring or something like that.15:16
*** Tahmina has quit IRC15:16
morganfainbergSharath_, but i'm pretty sure you can get some further help here in the channel  before i'm back, just be patient and don't hesitate to directly ask the questions you have. we're pretty good about responding overall.15:16
ayoungSharath_, start with keystone/auth/controller15:16
morganfainbergayoung, ++ thanks :)15:16
bknudsonmarekd: if there was a bug for the change that fixed it then could mark as a dup or just indicate it was fixed already with that change.15:16
marekdbknudson: there was no bug for that.15:17
Sharath_Hi ayong15:17
Sharath_when i install keystone , i started executed some commands in console like ,. keystone --debug token-get15:18
ayoungSharath_, yep15:18
ayoungso you see that calls the keystone server on the AUTH_URL15:18
ayoungSharath_, assuming you got rid of OS_SERVER_TOKEN etc15:19
ayoungthe username, password, and auth_url all become the URL and POST payload to the token creation process15:19
Sharath_when i see in the log screen , its hitting to the keystone/common/wsgi.py15:19
ayoungSharath_, there is a middleware pipeline defined in /etc/keystone/keystone-paste.ini15:20
Sharath_here i expect how call is going from one class to other ,15:20
ayoungin the case of what you are doing, it is  V2 token creation,  which will go down the [main] public_api pipeline:15:21
ayoung[pipeline:public_api]15:21
ayoungpipeline = sizelimit url_normalize build_auth_context token_auth admin_token_aut15:21
ayoungh xml_body_v2 json_body ec2_extension user_crud_extension public_service15:21
Sharath_ok ayong , can it possible to explain this flow to me ?15:21
ayoungSharath_, each of those are defined as python classes earlier in the paste file15:21
*** junhongl_ has quit IRC15:21
ayoungthe last one in the list is the one that performs the real logic15:22
henrynashdtsanek, lbragstad: if you have any cycles, trying to get this in for teh client today: https://review.openstack.org/#/c/122367/ (it is pretty standalone…since it covers the class for the endpoint policy extensio)15:22
marekddstanek: as a future reference, what is the good way if my test class for some reason inherits from >1 classes and I need both parents call setUp() ?15:22
ayoungpublic_service will take the URL and map it to a python class.  the public service is a composite, and you kindof need to know where to look to find the piece you want15:22
ayoungSharath_, but the start point is http://git.openstack.org/cgit/openstack/keystone/tree/keystone/service.py#n6715:23
ayoungsee token.routers.Router(),  in there?  That is the router for the /token  code.  You can find that in15:24
*** cjellick has joined #openstack-keystone15:24
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/routers.py#n1815:24
*** Sharath__ has joined #openstack-keystone15:24
ayoungand a POST to /v2.0/tokens will be mapped here: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/routers.py#n2115:25
*** Sharath_ has quit IRC15:25
ayoungthat is:  the authenticate methdo of the token_controller, defined a line higher  token_controller = controllers.Auth()15:25
ayoungSharath__, no Private messages please15:25
Sharath__ok sorry ayong15:25
ayoungNP, just that we can point people to this log in the future.15:26
Sharath__can u please repeat it once again , due to disconnection i lost conversation15:26
ayoungSharath__, I can do better15:26
ayoungSharath__, http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2014-09-18.log15:26
Sharath__Ok thanks ayong15:27
ayoungHeh,  there is a 'u' in my nick15:27
ayoungyou won't get my attention in mu IRC client if you miss that15:27
ayoungmu->my15:27
Sharath__ok ayoung15:27
ayoungSharath__, I really don't mind explainin this.15:28
ayoungOK,  so I'll keep going, read at your own pace15:28
Sharath__Ok kevin15:28
ayoungso look at the implorts to see what   controllers.Auth()  means:  in this case, it is keystone.token.controllers. The Auth Class' authenticate method  is defined http://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/controllers.py#n6215:29
ayoungSharath__, that logic is hard to follow, but the concise description is this:  look up the user in the identity backend. Get their groups.  Look up the role assignments in the assignment backend for  (user, project) request, and create a token.  Persist the token to the backend and return the data to the user15:31
ayoungTHat method is the heart of Keystone, and pretty much everything else feeds in to it15:31
ayoungThere is a comparable method for the v3 API in keystone/auth/controllers.15:32
*** jaosorior has quit IRC15:32
Sharath__Oh ok Kevin15:32
*** openstackgerrit has quit IRC15:33
ayoungWe've taken most of the logic for creating the token and put it into  keystone/tokens/provider.py,  with some plugins in the providers sub directory.15:33
ayoungSharath__, the rest is commentary, go and study:)15:33
*** wwriverrat has quit IRC15:34
Sharath__So flow will go like this Service , /keystone/service.py -> keystone/token/routers.py -> controllers ->15:34
*** packet has quit IRC15:34
Sharath__finally response will get from wsgi.py ?15:34
Sharath__is am rt Kevin ?15:35
*** joesavak has joined #openstack-keystone15:40
dstanekmarekd: calling super() will call both parents15:41
dstanekmarekd: that is if all classes are super() friendly15:42
marekddstanek: ok, thanks!15:42
*** _cjones_ has joined #openstack-keystone15:49
dstanekis there anything else that we *need* in before we release a client?15:50
*** Sharath__ has quit IRC15:55
*** _cjones_ has quit IRC15:57
*** _cjones_ has joined #openstack-keystone15:57
*** jasonsb has quit IRC15:58
*** _cjones_ has quit IRC15:59
bknudsondstanek: we need the requirements versions for oslo libs updated to not be alpha15:59
*** _cjones_ has joined #openstack-keystone15:59
*** vdreamarkitex has quit IRC15:59
*** nkinder has quit IRC16:00
*** openstackgerrit has joined #openstack-keystone16:01
henrynashdtsanek: as I said, I’d like to get https://review.openstack.org/#/c/122367/ in16:02
*** lufix has quit IRC16:03
*** Sharath_ has joined #openstack-keystone16:06
*** wwriverrat has joined #openstack-keystone16:06
*** afazekas has quit IRC16:08
*** rodrigods has quit IRC16:08
*** henrynash has quit IRC16:08
*** rodrigods has joined #openstack-keystone16:11
*** rodrigods has quit IRC16:11
*** rodrigods has joined #openstack-keystone16:11
*** marcoemorais has joined #openstack-keystone16:12
*** nkinder has joined #openstack-keystone16:13
*** BAKfr has quit IRC16:18
*** garnav has quit IRC16:22
*** Sharath_ has quit IRC16:34
dstanekbknudson, stevemar, lbragstad: another +2+A on https://review.openstack.org/#/c/119142/16:35
nkinderdstanek: there were some client things that jamielennox wanted to get in.  Let me get his list.16:39
nkinderdstanek: looks like everything he wanted has merged16:40
ayoungnkinder, I have another client change for the Kerberos work.  Its basically a refactoring from some of the logic I ewas doing in D-O-A that doesn't belong there:  https://review.openstack.org/#/c/122309/16:40
*** packet has joined #openstack-keystone16:40
ayoungnkinder, I'm working on cleaning it up, but there is possibly going to be more changes like that.16:41
nkindermorganfainberg: does it make sense to bug someone from infra to get another +2 on this before tomorrow? https://review.openstack.org/#/c/12026116:41
*** wwriverrat has left #openstack-keystone16:41
ayoungnkinder, he might be travelling at the moment....16:42
nkinderayoung: ok, I can look at bugging someone16:42
nkinderayoung: how goes the kerberos auth plugin work?16:42
ayoungnkinder, yes, please do16:42
openstackgerritA change was merged to openstack/keystone: Ensure identity sql driver supports domain-specific configuration.  https://review.openstack.org/12124616:42
ayoungnkinder, I'm hacking through the tests for the DOA-use-session code to make them pass16:43
ayoungwhat I have works, and switches nicely between password and Kerberos based authentication, but I have a way to go to make it pass tests16:44
ayoungnkinder, since the DOA code is going to require a series of client  fixes, I've been prioritizing getting them in clean16:44
ayoungotherwise, any DOA change will be, well, DOA16:44
ayoungarrival in gerrit that is16:45
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Catch AttributeError if no service catalog  https://review.openstack.org/10071416:46
*** packet has quit IRC16:49
ayoungnkinder, looking at the client code, and keeping tests from breaking is insanity inducing work. I fear for jamielennox 's sanity.16:50
ayoungHe deserves hazardous duty pay or something16:51
*** gyee has joined #openstack-keystone16:53
bknudsonthere's nothing that stops us from doing another keystoneclient release tomorrow if we want16:59
dstanekbknudson: i was actually just about to get someone from -infra to help with tagging since nobody spoke up17:00
*** packet has joined #openstack-keystone17:00
bknudsondstanek: we should get the requirements updated first17:01
*** jasonsb has joined #openstack-keystone17:01
dstanekbknudson: is there a review for that already?17:01
stevemardstanek, probably17:02
dstanekyup - https://review.openstack.org/#/c/116255/17:02
stevemarshould we do a middleware release too?17:02
bknudsondstanek: https://review.openstack.org/#/c/122408/ should be gating now17:02
bknudsondstanek: then it will have to be proposed to keystoneclient and keystonemiddleware17:02
*** harlowja_away is now known as harlowja17:02
dstanekah, ok17:02
dstanekbknudson: will the bot automatically propose the changes or should i do it by hand to make it faster?17:05
bknudsondstanek: the bot will do it automatically17:05
bknudsonI assume it runs quickly and not like once a day?17:06
stevemarbknudson, it does it pretty quickly17:08
dstanekasking in infra now. it may be turned off17:09
dstanekstevemar: i'd like to do a middleware release today, but there are a few outstanding reviews. not sure if they are required before the release or if we should release as is and do a minor release later17:10
stevemardstanek, if we first we release KSC, does middleware need to change its version in requirements.txt17:11
stevemar?17:11
stevemarmight not need to.. but probably should17:11
dstaneki'm assuming that we need to17:12
dstaneki want to the the client release out the door pretty quickly so that i can concentrate on some of the other stuff17:12
dstanekstevemar: also it's not technically necessary since we >= the client version, but i think it's the right thing to do17:13
rodrigodscan someone help me to check what's going in the gate failures here https://review.openstack.org/#/c/117784/ ?17:14
rodrigodscheck*17:14
dstanekhas anyone started looking at the memcache pool reviews?17:17
stevemardstanek, morgan's been on top of that, its... a bit complex17:18
dstanekstevemar: yep, i've been reviewing it over-and-over, but i think it's probably ready now - since Morgan was doing some of the work i think having another core look at it would be good17:20
ayoungnkinder, so now I am tripping over this:  http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/httpclient.py#n7017:20
ayoungnkinder, which looks like it went in mid July.17:21
ayoungI can hack around it, but it is a Hack17:21
*** dhellmann is now known as dhellmann_17:22
*** thiagop has joined #openstack-keystone17:23
*** packet has quit IRC17:25
*** packet has joined #openstack-keystone17:28
dstanekayoung, bknudson: have you guys had a chance to look at https://review.openstack.org/#/c/108384/ recently?17:29
bknudsondstanek: I haven't looked at it again recently.17:30
*** openstackgerrit has quit IRC17:31
*** openstackgerrit has joined #openstack-keystone17:31
ayoungdstanek, last I looked it was good...I thought it was on its way17:34
dstanekayoung: nope not yet :-(17:37
ayoungdstanek, its important17:37
*** nkinder has quit IRC17:38
*** bjornar_ has joined #openstack-keystone17:38
*** henrynash has joined #openstack-keystone17:38
dstanekayoung: yes, i agree. that's why i'm trying to get some focus on it :-)17:38
ayoungdstanek, let me deal with the session mishmash I'm on and I'll give it another look17:38
dstanekayoung: great thanks!17:39
*** _cjones_ has quit IRC17:46
*** rushiagr_away is now known as rushiagr17:46
*** _cjones_ has joined #openstack-keystone17:46
*** amcrn has joined #openstack-keystone17:47
*** _cjones_ has quit IRC17:51
*** nkinder has joined #openstack-keystone17:54
*** jasonsb has quit IRC17:55
*** packet has quit IRC17:56
*** _cjones_ has joined #openstack-keystone17:57
*** packet has joined #openstack-keystone17:58
*** afazekas has joined #openstack-keystone18:02
*** rushiagr is now known as rushiagr_away18:03
*** jasonsb has joined #openstack-keystone18:03
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Add the processutils from oslo-incubator.  https://review.openstack.org/12248418:04
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Set the default number of workers when running under eventlet  https://review.openstack.org/12248518:04
*** rushiagr_away is now known as rushiagr18:15
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Make client.authenticate use session if provided  https://review.openstack.org/12230918:16
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Set the default number of workers when running under eventlet  https://review.openstack.org/12248518:17
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Add the processutils from oslo-incubator.  https://review.openstack.org/12248418:17
*** rushiagr is now known as rushiagr_away18:20
*** rushiagr_away is now known as rushiagr18:20
*** jasonsb_ has joined #openstack-keystone18:21
*** marcoemorais has quit IRC18:24
*** jasonsb has quit IRC18:24
*** marcoemorais has joined #openstack-keystone18:24
*** jasonsb has joined #openstack-keystone18:27
*** ukalifon has joined #openstack-keystone18:28
*** jasonsb_ has quit IRC18:29
morganfainbergbknudson, will address your comments in the worker patch, makes sense. posting in a couple of mins18:36
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Set the default number of workers when running under eventlet  https://review.openstack.org/12248518:37
ayoungdstanek, the composite patch required alot of test changes.  More than I would expect18:37
*** rushiagr is now known as rushiagr_away18:40
*** diegows has quit IRC18:41
ayoungbknudson, on https://review.openstack.org/#/c/120592/2  needs new tests.18:41
ayoungBut it does not18:41
ayounglook at it this way:  say someone got code in there that was going direct to SQL  and doing a select?  Changing that would not require a tests18:42
bknudsonif it was related to a bug where the server wasn't working as expected then there should be a test.18:42
bknudsonif the test existed already then there wouldn't be a bug18:43
*** afazekas has quit IRC18:45
*** jasonsb_ has joined #openstack-keystone18:45
ayoungbknudson, no18:45
*** victsou has joined #openstack-keystone18:45
ayoungbknudson, this is nitpicking18:46
ayoungwe used the wrong call.  Yeah, I found a case where it was broken, but that does not mean it needs a new test to be correct18:46
bknudsonayoung: it's not asking for a spelling change, it's asking for testing coverage to make sure we don't reintroduce a bug.18:47
bknudsonayoung: it doesn't need a new test... an existing test could be changed to cover it.18:47
ayoungbknudson, there is no way to ensure we don't reintroduce the real problem18:47
ayoungwhich is the end run around the enabled check18:47
ayoungand I'm not rewriting the backend to defend against that18:47
ayoungthis is just pedantry18:47
ayounghmmm18:48
*** jasonsb has quit IRC18:48
ayoungI don';t think an existng test could cover it18:48
*** dims has quit IRC18:48
*** rushiagr_away is now known as rushiagr18:49
*** dims has joined #openstack-keystone18:49
ayoungbknudson, but even if there was no bug, this change would still be correct.18:49
ayoungIts a one liner clean up...do we really feel the need to make that much work for ourselves?18:50
bknudsonthe reason the fix had to be put there and the reason that it failed for you is because there wasn't a test.18:51
ayoungbknudson, its LDAP.  THere are so many corner and edge cases as to be ludicris18:52
ayoungand by that, I mean the Wrapper from the mid nineties18:52
morganfainbergayoung, i think the test is "was identity_api.assert_user_enabled" called18:52
morganfainbergayoung, simple mock + test?18:52
bknudsonthe bug is that the LDAP entry doesn't have an enabled attribute. That should be the test.18:53
ayoungmorganfainberg, can we quite this?  The real thing we need is proper live LDAP test coverage, not this bandaid crap18:53
ayoungbknudson, "some"18:53
ayoungnot every LDAP has that attribute18:53
ayounginfact, AD does enabled in a radically different way...not sure what that would look like18:53
*** dims has quit IRC18:54
bknudsoneven a proper live ldap test wouldn't catch this if all the entries had the enabled attribute.18:54
morganfainbergayoung, LDAP coverage is not happening in Juno. it's a sizable change in devstack and/or use the new thing functional tests will use to run.18:54
*** diegows has joined #openstack-keystone18:54
ayoungSO please just accept this change, and lets all commit to geting proper ldap testing and stop wasting time triying to put a bandaid one a sucking chest wound18:54
*** dims has joined #openstack-keystone18:54
morganfainbergayoung, but i agree with bknudson, we should just run a check where 'enabled' isn't there. should be fine.18:54
bknudsonI can work on a test.18:55
morganfainbergor at the very least that the assert_enabled was called not just did the ref['enabled'] check18:55
ayoungbknudson, I know you can.  But we all have better things to do with our time18:55
ayounglet me see if there is an existing test we can add that check to18:56
*** packet has quit IRC18:56
*** jasonsb_ has quit IRC18:56
openstackgerritBob Thyne proposed a change to openstack/keystone: Update Endpoint Filter API  https://review.openstack.org/12204618:56
ayoungOK,  far more concerning is that I cannot see where the test "test_execute_trust_disabled_trustor"  lives18:58
ayoungif anywhere...18:58
*** rushiagr is now known as rushiagr_away18:58
ayoungbknudson, morganfainberg am I missing something? I am fairly certain that was one of dolphm 's tests way back when, but I'm not seeing it19:00
morganfainbergayoung, i don't see it in our master tree either19:01
ayoungshudder19:01
ayoungOK...I'll write the test19:01
*** dhellmann_ is now known as dhellmann19:01
*** dhellmann is now known as dhellmann_19:01
morganfainbergayoung, not in icehouse either.19:01
morganfainbergthis may be the testing gap19:02
ayoungmorganfainberg, nah, it would have been from Grizzly if ever19:02
*** dhellmann_ has quit IRC19:02
ayoungI'll write a v2 and v3 specific version, I think...19:02
morganfainbergayoung, not even in grizzly19:02
*** dhellmann has joined #openstack-keystone19:02
morganfainbergafaict19:02
ayoungmorganfainberg, yeah, that is what I am seeing too19:03
ayoungspooky19:03
*** packet has joined #openstack-keystone19:04
*** marcoemorais has quit IRC19:04
ayoungmorganfainberg, the thing is, trusts span multiple backends.  Test_v3_auth  assumes a sql backend.  THere is no LDAP specific test for trusts.  Not sure where to put the test that would check the attribute.  Not even sure I can check that the proper API is called without mocking the API...19:04
ayoungtell me if this would make sense:19:04
*** marcoemorais has joined #openstack-keystone19:05
morganfainbergdstanek, i think the ksc changes are all through?19:05
ayoungin the test, monkeypatch the call to  self.identity_api.assert_user_enabled  to set a boolean before calling the underlying function, and test for that boolean aftewards?19:05
ayoungugh19:05
morganfainbergah global reqs.19:05
*** aix has quit IRC19:05
morganfainbergayoung, mock should be fine for that19:05
morganfainbergayoung, then you can check to make sure the magicmock object was called with the right args19:06
ayoungmorganfainberg, I'm not mocking out the entire identity backend19:06
ayoungthe entire token pipeline needs to be called to test this.19:06
morganfainbergayoung, so in your test with mock.patch.object(identity_api, <method you're checking was called>, return_value=True)19:06
morganfainbergor erm. you can't mock/monkey patch if this is a restful testcase19:06
ayoungyeah19:07
ayoungyou just realized the scope, didn't you?19:07
morganfainbergbut you could do it as a non-restful, just as a identity_api unit/functional19:07
morganfainbergwe load identity_api. if identity_api calls assert_user_enabled, that is what we're looking for19:07
ayoungmorganfainberg, its the token pipeline.  Which is monolithic19:07
morganfainbergsince the manager controlls that vs. the driver19:07
ayoungif we could break it into components, then, sure19:07
*** victsou has quit IRC19:08
*** victsou_ has joined #openstack-keystone19:08
ayoungLook at test_token_provider.py and you realize we are not testing at that level19:08
ayoungthe real tests are in test_auth and the v3 restful equivalent19:09
morganfainbergok so we're only caring about testing _populate_uder19:09
*** victsou_ has quit IRC19:09
ayoungwell, for the real test gap, its about "a user created a trust, and then got disabled, and then athe trustee tried to use that trust to create a token"19:09
openstackgerritgordon chung proposed a change to openstack/keystonemiddleware: Adding audit middleware to keystonemiddleware  https://review.openstack.org/10295819:11
*** victsou_ has joined #openstack-keystone19:11
dstanekmorganfainberg: i was waiting until we have the dep update19:13
morganfainbergdstanek, yeah just saw that19:13
morganfainbergdstanek, need requirements update19:13
morganfainbergit's ~hr back atm.19:13
dstanekmorganfainberg: ugg - it just got pushed back in the queue19:13
morganfainbergyep19:13
*** _cjones_ has quit IRC19:13
dstanekit was just at 13 mins!19:14
morganfainbergi expect KSC release will go in tonight19:14
*** _cjones_ has joined #openstack-keystone19:14
morganfainbergdstanek, are there any other ksc changes we want to push into the gate while we're waiting? or are we happy with the state of things19:14
*** ukalifon has quit IRC19:14
ayoungis nose.util in a separate package from nose?19:14
morganfainbergmaybe https://review.openstack.org/#/c/122367/19:15
morganfainbergayoung, i dunno, i don't use nose most of the time19:15
ayoungmorganfainberg, yeah, but without nose how can I run an individual test in the debugger....19:15
morganfainbergayoung, i use a different test runner unit test?19:16
ayoungmorganfainberg, what do you use?19:16
morganfainbergayoung, there are a lot of ways of doing it. i dislike nose, so i don't use it19:16
ayoungmorganfainberg, I'm super flexible here, but I'm spread across Horizon, DOA, KC and Keystone right now, and the rules are differnet in each, and I can't keep track19:17
dstanekmorganfainberg: i'm happy as is19:17
morganfainbergayoung, i just use a different toolchain, i have to look which one it is.19:17
ayoungso...how do I run a single test ?  testr?  something else?19:17
morganfainbergayoung, not saying nose is the wrong one.19:18
ayoungdstanek, what do you do?  I know you claimed that testr was wrong for other reasons19:18
ayoungPucking Fython19:18
richmI've used python -m testtools.run keystone.tests.test_ldap_backend.etc19:18
dstanekayoung: you can run a single test with nose or testr, but i just nose if i need to drop to pdb19:18
*** _cjones_ has quit IRC19:18
ayoungdstanek, so when I did that I got "could not find nose.util"19:18
dstanekactually i almost alway use nose anyway19:18
richmand for pdb, I use python -mpdb /path/to/testtools/run.py keystone.tests.test_ldap_backend.etc19:19
dstaneki've never seen that - can you share the traceback?19:19
ayoungdstanek, sure...19:20
ayoungdstanek, looks like it is a conflict between the venv and the pycharm view of things19:21
ayounghttp://paste.openstack.org/show/112961/19:22
dstanekayoung: it looks like their noserunning need nose_utils installed i've never heard of that before19:23
dstanekayoung: i think you just need to the python from their venv or pip install nose_utils into yours19:23
ayoungdstanek, nose_utils...dagnabit I did nose_util19:23
ayoungnope19:23
ayoungNo distributions at all found for nose-utils19:23
*** vhoward has left #openstack-keystone19:24
ayoungdstanek, its running in my own venv19:24
ayoungpy2719:24
dstanekayoung: maybe you need to add something to your pythonpath - it looks like that module is installed by pycharm19:25
ayoungdstanek, what do you get from pip freeze | grep nose19:25
ayoungI have nose==1.3.3 nosehtmloutput==0.0.5 nosexcover==1.0.1019:25
dstanekjust nose==1.3.419:25
ayounghmmm19:26
ayoungso running in a venv messes it up.19:26
dstanekayoung: in your traceback it's pycharm that is importing nose_util19:26
morganfainbergayoung, nose.tools maybe?19:26
morganfainbergnot nose.utils19:26
dstanektry running: /opt/stack/keystone/.tox/venv/bin/nosetests  /opt/stack/keystone/keystone/tests/test_auth.py:AuthWithTrust.test_trust_get_token_fails_if_trustor_disabled19:26
ayoungmorganfainberg, you run pycharm, right?  How do you run unit tests?19:27
morganfainbergayoung, mostly, tox when i need to debug i use . uh one of the test runners, i set it up each time and haven't done it today19:27
morganfainbergayoung, i think i was using unittest not nose though19:27
*** victsou_ has quit IRC19:27
ayoungmorganfainberg, this is the default with pycharm.19:28
ayoungdstanek, I get19:28
ayoungERROR: Failure: ImportError (No module named oslotest.base)19:28
dstanekhmm is your venv out of date?19:29
*** packet has quit IRC19:29
ayoungshouldn't be...sigh...time to rebuild....19:31
morganfainbergayoung, yes i use unittests19:31
morganfainbergayoung, but i could change to nosetests easily19:31
morganfainbergayoung, ah out of date venv19:31
morganfainberg?19:32
*** victsou_ has joined #openstack-keystone19:32
ayoungmorganfainberg, I think its more insidious than that.  IIRC its something like getting the venv to run from pycharm breaks its ability to run the tests from the command line or something.19:32
*** rodrigods_ has joined #openstack-keystone19:32
ayoungIf you install nose by hand, it messes with the tests,19:32
ayoungbeen long enough I forget the details19:33
ayoungrunning tox -r right now and we'll see where we are19:33
morganfainbergayoung, i've not experienced that myself.19:33
morganfainbergayoung, i do tend to create a specific pycharm venv though not the tox ones so they're a bit more isolated19:33
ayoungmorganfainberg, I also have keytstone/.venv19:34
ayoungminus the typo19:34
morganfainbergayoung, right19:34
ayoungrunning in that gives me ImportError: cannot import name i18n19:35
ayoungwhat is the shortcut to updating all the requirements.txt and test-requirements.txt for a venv by hand?19:35
* ayoung also having weird network problems, like Cannot fetch index base URL https://pypi.python.org/simple/19:36
morganfainbergayoung, uhm.. activate venv pip install -U -r <requirements file> -r <test-requirements file>19:37
*** _cjones_ has joined #openstack-keystone19:38
*** andreaf has quit IRC19:38
*** andreaf has joined #openstack-keystone19:39
*** openstackgerrit has quit IRC19:45
dstanekmorganfainberg: it got bumped again!19:47
ayoungindexing....19:47
*** rodrigods_ has quit IRC19:56
*** rodrigods_ has joined #openstack-keystone19:57
ayoungdstanek, this is wrong, no?  http://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/controllers.py#n20720:05
ayoungwe have a bunch of lines like this20:08
ayoung raise exception.Forbidden()()20:08
ayoungMaybe it should be20:08
ayoung raise exception.Forbidden()20:09
ayoungno?20:09
*** david-lyle has quit IRC20:10
bknudsonayoung: raise Exception()() -- TypeError: 'exceptions.Exception' object is not callable20:13
bknudsonayoung: it should be () only20:13
ayoungbknudson, I wonder how that error slipped in...let me see20:13
*** harlowja has quit IRC20:13
*** harlowja has joined #openstack-keystone20:13
ayoungit was me...initial commit, too20:14
ayoung601eeb50 (Adam Young      2013-02-26 14:54:32 -0500 207)                 raise exception.Forbidden()()20:14
ayoungok, that means we are noit testing trustee disabled either20:15
ayoungthat is less of a risk ,because the trustee wouldn't be able to even get a token, but still..20:16
*** bobt has joined #openstack-keystone20:17
*** serverascode has quit IRC20:23
*** serverascode has joined #openstack-keystone20:26
*** jasonsb has joined #openstack-keystone20:27
*** jasonsb_ has joined #openstack-keystone20:29
*** jasonsb__ has joined #openstack-keystone20:30
*** fifieldt__ has joined #openstack-keystone20:32
*** jasonsb has quit IRC20:32
*** jasonsb__ has quit IRC20:32
dstanekayoung, bknudson: wow, how'd that get through - must not be tested at all20:33
*** jasonsb_ has quit IRC20:33
ayoungdstanek, I'm writing tests for it now20:34
ayoungdstanek, there is a test for expired, which is one of the broken cases20:34
ayoungI'm guessing the error gets swallowed, but the test runs20:35
*** victsou_ has quit IRC20:35
*** fifieldt_ has quit IRC20:35
ayoungI think the create_token code path is so paranoid that any failure shows up as an unauthorized of some sort,20:35
*** jasonsb has joined #openstack-keystone20:36
*** rodrigods_ has quit IRC20:38
*** marcoemorais has quit IRC20:41
*** achampion has quit IRC20:41
*** marcoemorais has joined #openstack-keystone20:43
*** david-lyle has joined #openstack-keystone20:47
*** samuelmz has quit IRC20:48
ayoungmorganfainberg, bknudson https://review.openstack.org/#/c/120592/  adds tests. They don't really check for regressions of the bug fix, but they are at least exercising the code...my statement that "existing tests are sufficient" assumed these tests were in place.20:48
*** vdreamarkitex has joined #openstack-keystone20:49
*** morgan_remote_ has joined #openstack-keystone20:49
*** jdennis has joined #openstack-keystone20:54
*** nkinder has quit IRC20:54
henrynashbknudson: really good catch on the policy-endpoint get() return..I ust have had a senior moment….have uploaded new patch to fix20:56
bknudsonhenrynash: that's the problem with faking out the server responses.20:57
bknudsonwe need live tests20:57
ayoungmorganfainberg, https://review.openstack.org/#/c/106838/  looks significantly different.  This is one of those odd times where it was easier to do things right than to copy code.20:58
henrynashbknudson: yeah, I really don;’t liek the way we are doing all this….I was just going with what we do in other places….but it feels poor20:58
*** r1chardj0n3s_afk is now known as r1chardj0n3s20:58
ekarlsobknudson: https://review.openstack.org/#/c/97681/33/keystoneclient/httpclient.py < what you mean with you rcomment on duck typing ?20:59
bknudsonekarlso: duck typing means if it acts like a duck it's a duck. i.e., if it has a property then use it.21:00
bknudsonrather than check the class hierarchy21:00
ayoungekarlso, I had to do something like this:21:00
ayoungif hasattr(session.auth, 'get_auth_ref):21:01
ayoungbefore calling on session.auth.get_auth_ref()21:01
bknudsonsince in dynamic languages like python you can just add properties.21:01
ekarlsobknudson: .. but why ?21:02
bknudsonekarlso: makes the code simpler21:02
ekarlsoshouldn't the access info have user_id anyways ?21:03
bknudsonekarlso: this is what's done already at line 11121:03
bknudsonso it would be more consistent with what the rest of the function is doing21:03
bknudsonit's already doing duck typing21:03
ayoungekarlso, also, someone might have a plugin that does not descend from  base_identity.BaseIdentityPlugin but that would meet your contract21:04
bknudsonekarlso: I'm also fine with it as is. it's a suggestion.21:04
ayoungekarlso, do a try: ... except instead21:04
ekarlsoayoung: fair enough ;P21:04
ekarlsoayoung: what should the except exception be ?21:05
ayoungekarlso, heh, just run it and you'll find out, won't you?21:05
* ayoung has no idea21:05
ayoungekarlso, probably  AttributeError21:06
*** openstackgerrit has joined #openstack-keystone21:07
ekarlsoayoung: hmmms, wonder when that would happen21:07
ayoungekarlso, well, in unit tests, if someone put in a junk auth object.21:08
ayoungekarlso, also, there is some wierdness with Sessions.21:08
ekarlsothen AttributeError ?21:08
ekarlsoayoung: how so ?21:08
ayoungekarlso, in my case it was that session might be  FakeSession  and then session.auth doesn't have get_auth_ref21:09
ekarlsoayoung: in terms of fakesession it has self.session = None or ?21:11
dstanekGoing to be afk for a little while21:12
stevemarayoung in the tests for 120592, what causes the Unauthorized exception to come up?21:13
stevemarafaict, it should always be Forbidden21:13
ayoungstevemar, the user attempting to create the token from the trust has been disabled.  So they can't even authenticate21:14
*** cjellick has quit IRC21:14
ayoungstevemar, that check takes priority, and the code path in the token provider never gets executed21:14
stevemarayoung, right right21:14
ayoungstevemar, what we should do is pull the token provider apart into a series of pipeline components and test them separately21:15
stevemarayoung, so should line 208 be removed? https://review.openstack.org/#/c/120592/3/keystone/token/controllers.py21:15
ayoungbut that is not happening in this round21:15
stevemarerr sorry 21021:15
stevemaryeah21:15
stevemarthats fine21:15
stevemareventually21:15
stevemarbut we agree that it's not ever going to be run there right?21:15
ayoungstevemar, I'd rather leave it in there.21:15
ayoungstevemar, well....hmmm....in the redelegation case, we need a check like this, but I don't think this one would catch it21:16
stevemarayoung, food for thought21:16
stevemarthe change is fine, thanks for reminding me that disabled users can't authN lol21:16
ayoungstevemar, so if A creates a trust for B, and then B redelegates to C.  If B is disabled, C should not be able to execute their trust21:17
* stevemar hangs head in shame21:17
ekarlsoayoung: from what I can see if a session isn't passed into the HTTPClient it uses a FakeRequestSession and puts itself as session.auth = ..21:17
ayoungekarlso, you learned that today too?21:17
ayoungI'm alittle afraid that means our changes are going to conflict21:17
ekarlsoayoung: how so ?21:17
ayoungekarlso, can you look at this one:   https://review.openstack.org/#/c/122309/21:18
ekarlsoayoung: what i'm more curious about is21:18
ekarlsowhy not remove the hacky stuff or at least what feels hacky21:18
ekarlsoand use sessions / auth in overall now that the generic stuff is landed21:18
ayoungekarlso, because this is a public API, and we can't remove things without breaking people.  HEAT and Horizon  especially21:20
*** cjellick has joined #openstack-keystone21:20
ayoungekarlso, I'm working on moving Horizon over to sessions, which is what instigated my change21:20
*** afazekas has joined #openstack-keystone21:20
ekarlsoayoung: I guess sessions wont make it before K ;p21:22
ekarlsobooo21:22
ekarlsoayoung: shouldn't you though be able to hide the stuff from consumers ?21:23
ekarlsoaka like http://paste.ubuntu.com/8375170/21:23
ekarlsoI did there for designate21:23
ekarlsowith the generic stuff it seems pretty easy to keep "legacy" support but still add sessions21:24
bknudsonhenrynash: had one more comment on the doc21:25
*** jasondotstar has quit IRC21:25
henrynashbknudson: thanks, yes, fixing...21:25
ayoungstevemar, , question for you:  if I have service users in the default domain stored in SQL,  how would I specify that a different domain should be Federation only?  I don't want users in SQL for my SAML21:27
openstackgerrithenry-nash proposed a change to openstack/python-keystoneclient: Add support for endpoint policy.  https://review.openstack.org/12236721:27
ayoungI know with LDAP i use a domain specific backend.  But Federation has no backend at all, except that groups are stored in SQL21:27
ayoungand...I need to go pick up the kids21:31
*** ayoung is now known as ayoung-DadMode21:31
*** rodrigods_ has joined #openstack-keystone21:31
*** joesavak has quit IRC21:33
ekarlsoI guess the python-ksclietn is frozen now anyways ;P21:34
stevemarayoung-DadMode, that's a good question. Don't think we've hit that question yet :P21:34
ekarlsojust me or is ksclient a littlebit weird...21:38
stevemarekarlso, it's never really "frozen" we can release a new version whenever it's needed21:38
stevemarbut since keystone dev is winding down, we should play it safe21:39
stevemarand yes, it's a bit weird21:39
ekarlsostevemar: winding down ?21:39
*** gordc has quit IRC21:39
stevemarekarlso, https://wiki.openstack.org/wiki/Juno_Release_Schedule21:39
ekarlsoyeh21:40
ekarlsostevemar: just looking at authenticate() and thinking that could be changed to use a auth object and a adapter21:40
*** bjornar_ has quit IRC21:41
stevemarekarlso, likely - the auth object and adapter are rather new, authenticate() has been there for a while21:41
ekarlsostevemar: it just seems a bit funky21:42
ekarlsokeystoen constructor takes u + p and authenticate takes it too :/21:42
*** marcoemorais has quit IRC21:43
*** marcoemorais has joined #openstack-keystone21:43
*** marcoemorais has quit IRC21:44
*** marcoemorais has joined #openstack-keystone21:44
*** marcoemorais has quit IRC21:44
*** marcoemorais has joined #openstack-keystone21:45
stevemarekarlso, and KSC is actually *much* better now than it was about a year ago21:46
stevemarjamielennox has been cleaning it up and making it awesome21:46
*** marcoemorais has quit IRC21:46
*** marcoemorais has joined #openstack-keystone21:47
*** rkofman has quit IRC21:47
*** marcoemorais has quit IRC21:47
ekarlsoyeah, I love what he's done21:47
*** marcoemorais has joined #openstack-keystone21:47
ekarlsogonna be more awesome to kill ks.authenticate ;P21:47
*** rkofman has joined #openstack-keystone21:47
ekarlsoguess it'll be better in K21:48
*** cjellick has quit IRC21:50
openstackgerritRodrigo Duarte proposed a change to openstack/python-keystoneclient: Add an example script for role_assignments module  https://review.openstack.org/9760021:53
*** radez is now known as radez_g0n321:53
*** Tahmina has joined #openstack-keystone21:55
*** amcrn has quit IRC21:55
*** r1chardj0n3s is now known as r1chardj0n3s_afk21:58
bknudsonkeystoneclient isn't frozen as far as I know... it's only keystone21:59
ekarlsobknudson: in jamielennox's patch i'm trying to run python 3.4 testes22:01
ekarlsobut it's failing on keystoneclient.tests.v2_0.test_shell.ShellTests.test_user_create_password_prompt, it looks like the mock getpass.return_value isn't honoured ?22:02
bknudsonekarlso: I haven't tried running python 3.4... haven't seen that one before.22:02
*** cjellick has joined #openstack-keystone22:02
ekarlsobknudson: i thought 3.4 was required?22:03
*** sigmavirus24 is now known as sigmavirus24_awa22:03
ekarlsoor just 3.3 +22:03
bknudsonekarlso: python 3 support is required... I only test locally with 2.7 and let the gate do the python3 testing.22:04
henrynashdstanek, morganfainberg, ayoung: if any of you get a moment to look at https://review.openstack.org/#/c/122367/ that would be great…trying to seak it into the client before we make the release22:05
*** zzzeek has quit IRC22:09
*** zzzeek has joined #openstack-keystone22:16
*** r1chardj0n3s_afk is now known as r1chardj0n3s22:16
*** rodrigods_ has quit IRC22:18
*** nkinder has joined #openstack-keystone22:19
*** r1chardj0n3s is now known as r1chardj0n3s_afk22:20
*** topol has quit IRC22:20
ekarlsobknudson: think i'll let the cleanup go to jamielennox ;p22:22
*** amcrn has joined #openstack-keystone22:23
ekarlsonot even sure which end I should've started in ;P22:23
*** r1chardj0n3s_afk is now known as r1chardj0n3s22:24
*** _cjones_ has quit IRC22:47
*** _cjones_ has joined #openstack-keystone22:47
*** andreaf has quit IRC22:48
*** dims has quit IRC22:48
*** dims has joined #openstack-keystone22:49
*** dims_ has joined #openstack-keystone22:52
*** dims has quit IRC22:53
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements  https://review.openstack.org/11162022:56
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/11914222:56
*** amcrn has quit IRC23:04
*** arborism has joined #openstack-keystone23:08
*** marcoemorais has quit IRC23:14
*** marcoemorais has joined #openstack-keystone23:14
*** marcoemorais has quit IRC23:14
*** marcoemorais has joined #openstack-keystone23:14
*** zzzeek has quit IRC23:25
*** marcoemorais1 has joined #openstack-keystone23:26
*** marcoemorais has quit IRC23:30
*** richm has quit IRC23:34
*** achampion has joined #openstack-keystone23:38
openstackgerritMonty Taylor proposed a change to openstack/python-keystoneclient: Add session helper functions  https://review.openstack.org/12256923:49
*** dims_ has quit IRC23:52
*** dims has joined #openstack-keystone23:52
*** david-lyle has quit IRC23:55
*** dims has quit IRC23:56
*** Tahmina has quit IRC23:57
*** marcoemorais1 has quit IRC23:58
*** marcoemorais has joined #openstack-keystone23:58
openstackgerritA change was merged to openstack/keystone: Update 'Configure Federation' documentation.  https://review.openstack.org/12241523:59
« Wednesday, 2014-09-17 Index Friday, 2014-09-19 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!