Wednesday, 2014-10-15

*** topol has joined #openstack-keystone00:03
*** dims has joined #openstack-keystone00:10
*** dims has quit IRC00:14
openstackgerritBrant Knudson proposed a change to openstack/keystonemiddleware: Change tenant to project  https://review.openstack.org/12706600:14
*** bknudson has quit IRC00:14
openstackgerritBrant Knudson proposed a change to openstack/keystonemiddleware: Change admin user to service user.  https://review.openstack.org/12707500:14
*** dims has joined #openstack-keystone00:14
*** Kui has quit IRC00:17
*** _cjones_ has quit IRC00:18
*** _cjones_ has joined #openstack-keystone00:19
*** marcoemorais has quit IRC00:20
*** marcoemorais has joined #openstack-keystone00:21
*** _cjones_ has quit IRC00:23
*** NM has joined #openstack-keystone00:38
*** NM has quit IRC00:44
*** shakayumi has quit IRC00:45
morganfainbergwhy is it that when i need a second brain it always ends up being silly late where everyone is :P00:45
*** alex_xu has joined #openstack-keystone00:55
*** marcoemorais has quit IRC00:57
*** amcrn has quit IRC01:00
*** richm has quit IRC01:01
dimsmorganfainberg: i am here for you :)01:16
*** andreaf has quit IRC01:18
*** andreaf has joined #openstack-keystone01:19
nkindermorganfainberg: what are we, chopped liver? ;)01:24
morganfainbergHaha ;)01:25
*** rwsu has quit IRC01:30
*** zhiyan|afk has joined #openstack-keystone01:32
*** andreaf has quit IRC01:32
*** andreaf has joined #openstack-keystone01:32
*** rwsu has joined #openstack-keystone01:32
*** jorge_munoz has joined #openstack-keystone01:33
*** zhiyan has quit IRC01:33
*** vishy has quit IRC01:33
*** vish1 has joined #openstack-keystone01:33
*** vish1 is now known as vishy01:33
*** dims has quit IRC01:34
*** zhiyan|afk is now known as zhiyan01:34
*** dims has joined #openstack-keystone01:35
*** openstack has joined #openstack-keystone01:42
*** r1chardj0n3s is now known as r1chardj0n3s_afk01:42
*** dims has quit IRC01:42
*** jorge_munoz has quit IRC01:42
*** csd_ has joined #openstack-keystone01:42
*** Guest49899 has quit IRC01:42
*** anteaya has quit IRC01:42
*** csd has quit IRC01:42
*** dvorak has quit IRC01:42
*** csd_ is now known as csd01:42
*** larsks|alt has joined #openstack-keystone01:43
*** mfisch` has joined #openstack-keystone01:43
*** fifieldt has joined #openstack-keystone01:43
*** openstackgerrit has joined #openstack-keystone01:43
*** anteaya has joined #openstack-keystone01:52
*** dvorak has joined #openstack-keystone01:52
*** jorge_munoz has joined #openstack-keystone01:52
*** jorge_munoz has quit IRC01:52
*** jorge_munoz has joined #openstack-keystone01:56
*** shakamunyi has joined #openstack-keystone01:58
*** samuelms_home has joined #openstack-keystone02:01
*** jorge_munoz has quit IRC02:01
*** andreaf has quit IRC02:03
*** andreaf has joined #openstack-keystone02:03
*** samuelms__ has joined #openstack-keystone02:08
*** larsks|alt is now known as larsks02:12
*** samuelms_home has quit IRC02:12
*** lhcheng has quit IRC02:16
*** lhcheng has joined #openstack-keystone02:16
*** harlowja is now known as harlowja_away02:21
*** lhcheng has quit IRC02:21
*** shakayumi has joined #openstack-keystone02:24
openstackgerritRodrigo Duarte proposed a change to openstack/keystone: Fixes docstring at eventlet_server  https://review.openstack.org/12849602:25
*** shakamunyi has quit IRC02:27
*** samuelms__ has quit IRC02:31
*** alex_xu has quit IRC02:31
*** dims has joined #openstack-keystone02:36
*** alex_xu has joined #openstack-keystone02:39
*** r1chardj0n3s_afk is now known as r1chardj0n3s02:39
*** dims has quit IRC02:40
*** stevemar has joined #openstack-keystone02:44
openstackgerritRodrigo Duarte proposed a change to openstack/keystone: Fixes docstring at eventlet_server  https://review.openstack.org/12849602:46
*** amcrn has joined #openstack-keystone02:47
*** marcoemorais has joined #openstack-keystone02:53
*** marcoemorais1 has joined #openstack-keystone02:54
*** andreaf has quit IRC02:56
*** andreaf has joined #openstack-keystone02:56
*** marcoemorais has quit IRC02:57
openstackgerrittakehirokaneko proposed a change to openstack/keystone: Adds a validation param "max_username_size".  https://review.openstack.org/12850403:10
*** ayoung has joined #openstack-keystone03:12
*** ayoung has quit IRC03:14
*** ayoung has joined #openstack-keystone03:14
*** lhcheng has joined #openstack-keystone03:17
*** lhcheng has quit IRC03:22
*** lhcheng has joined #openstack-keystone03:26
*** sunrenjie has joined #openstack-keystone03:26
*** radez is now known as radez_g0n303:26
*** ajayaa has joined #openstack-keystone03:30
*** david-lyle has joined #openstack-keystone03:45
*** amcrn has quit IRC03:50
*** wpf has quit IRC03:54
*** andreaf has quit IRC03:54
*** andreaf has joined #openstack-keystone03:55
r1chardj0n3sayoung: I have replaced the rubby parts of angboard with the node.js programming language to appease you :)03:58
*** ajayaa has quit IRC04:04
*** renlt has joined #openstack-keystone04:07
openstackgerritSteve Martinelli proposed a change to openstack/python-keystoneclient: Use oslo.utils and oslo.serialization  https://review.openstack.org/12845404:23
*** dims has joined #openstack-keystone04:25
*** swamireddy has joined #openstack-keystone04:25
openstackgerritSteve Martinelli proposed a change to openstack/python-keystoneclient: Use oslo.utils and oslo.serialization  https://review.openstack.org/12845404:25
openstackgerritSteve Martinelli proposed a change to openstack/python-keystoneclient: Set install_venv_common as a script, not a module  https://review.openstack.org/12845504:28
*** dims has quit IRC04:29
*** andreaf has quit IRC04:30
*** andreaf has joined #openstack-keystone04:30
*** gyee has quit IRC04:34
*** wpf has joined #openstack-keystone04:47
*** ncoghlan has joined #openstack-keystone04:52
*** lhcheng has quit IRC04:58
*** ajayaa has joined #openstack-keystone05:12
*** ukalifon1 has joined #openstack-keystone05:24
*** toddnni has quit IRC05:24
openstackgerrittakehirokaneko proposed a change to openstack/keystone: Adds a validation param "max_username_size".  https://review.openstack.org/12850405:26
*** alex_xu has quit IRC05:31
*** alex_xu has joined #openstack-keystone05:47
*** lhcheng has joined #openstack-keystone05:50
*** lhcheng has quit IRC05:51
*** lhcheng has joined #openstack-keystone05:52
*** lhcheng_ has joined #openstack-keystone05:56
*** lhcheng has quit IRC05:56
*** lhcheng_ has quit IRC05:57
*** lhcheng has joined #openstack-keystone05:57
*** lhcheng has quit IRC05:59
*** lhcheng has joined #openstack-keystone06:00
*** zigo has joined #openstack-keystone06:08
*** stevemar has quit IRC06:12
*** ncoghlan is now known as ncoghlan_afk06:13
*** dims has joined #openstack-keystone06:13
*** david-lyle has quit IRC06:14
*** dims has quit IRC06:18
*** stevemar has joined #openstack-keystone06:27
*** ncoghlan_afk is now known as ncoghlan06:30
*** jacer_huawei has quit IRC06:31
*** stevemar has quit IRC06:31
*** afazekas has joined #openstack-keystone06:36
*** stevemar has joined #openstack-keystone06:37
*** jamiec has quit IRC06:41
*** andreaf has quit IRC06:50
*** Guest86578 is now known as d0ugal07:04
*** jamiec has joined #openstack-keystone07:05
*** d0ugal has quit IRC07:05
*** d0ugal has joined #openstack-keystone07:05
*** jamiec has quit IRC07:20
*** marcoemorais1 has quit IRC07:25
*** jamiec has joined #openstack-keystone07:26
*** topol has quit IRC07:31
*** jamiec has quit IRC07:38
*** lhcheng has quit IRC07:42
*** lhcheng has joined #openstack-keystone07:42
*** jamiec has joined #openstack-keystone07:43
*** lhcheng has quit IRC07:47
*** navid_ has quit IRC07:51
marekd|awaystevemar: thanks, I will take another round before Friday.07:55
marekd|awaystevemar: actually, 90% of that was you :-) I only added 2 slides :-)07:56
stevemarmarekd|away, np, i would have made suggestions but i don't know enough about what you are trying to convey :P07:56
*** marekd|away is now known as marekd07:56
marekdstevemar: appreciate, but I don't want you to waste your time on my part of the job :-)07:57
stevemarmehhhh, it's no issue, i just want our presentation to kick butt07:57
marekdstevemar: it will :-)08:00
marekdwhy are you still not asleep?08:01
stevemarmarekd, drank coffee too late :(08:02
*** jistr has joined #openstack-keystone08:02
marekdstevemar: oh, lol08:03
stevemarmarekd, i'm going to share a google doc with you :)08:05
stevemarplease review it if you can08:05
marekdstevemar: ok08:05
marekdstevemar: it's about k2k ?08:05
marekdstevemar: or sth else08:05
stevemarmarekd, OSC08:06
marekdstevemar: btw is CADF an open standard and IBM just contributes to it or it was created by IBM ?08:06
stevemarmarekd, was open before we started, IIRC08:07
marekdstevemar: one more thing - is OSC also being cut just like keystoneclient is?08:08
stevemarmarekd, not sure what you mean08:08
stevemarmarekd, you mean whenever we want to release, we can?08:08
stevemarbecause yes08:08
marekdstevemar: i meant: do you make versions and official releases :-)08:08
stevemarmarekd, technically we're still 'beta' since we don't have a 1.0 release08:09
stevemarbut keystoneclient is also considered beta too08:09
stevemarbut yeah, whenever we want we can cut a new version08:09
stevemar0.5 should come out soon08:09
stevemarbefore paris08:09
marekdstevemar: ok08:09
stevemardtroyer and i have been doing a lot of stuff the last 2 weeks08:10
marekdstevemar: i could see tha08:10
marekdt08:10
stevemarmarekd, why do you ask? :)08:10
marekdi am curious.08:10
marekdand I would like to tell others that federation is now included in the pip release of the osc.08:11
marekdso they can simply type pip install openstackclient08:11
marekdstevemar: this google doc is for IBM's article?08:12
stevemarmarekd, ah i see, and yes08:13
stevemarmarekd, http://www.dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf lots of authors and contributors from other companies, we have a guy who co-chairs it08:14
stevemar(page 9)08:14
marekdstevemar: ok, thanks.08:14
stevemarmarekd, i'm on the fence for the federation auth plugin in OSC08:15
stevemaradding lxml just scares me08:15
marekdstevemar: hmmm, but why would you add lxml to OSC ?08:16
marekdit should be all covered by keystoneclient.08:16
stevemarmarekd, cause it's not actually used at all, it's a lot of bloat for a client08:16
stevemari need to figure out if we can get it to pass jenkins without having it in test-req08:17
marekdstevemar: in other words, you don't want to include federation auth plugins by default in OSC?08:18
stevemarmarekd, not at all, i want to, but i just dont want to list lxml as a dependency08:19
marekdstevemar: i suspect people will never read docs, and there will be lots of bugs "when i used federation auth it blew my client"08:20
marekdstevemar: besides, lxml is already a dependency in keystoneclient.08:21
marekdstevemar: so i really don't see any need for putting lxml as osc dependency - > it will simply install keystoneclient as dep and this will include lxml08:21
marekdright?08:21
marekdstevemar: at the osc level we never touch any XML08:23
stevemarmarekd, ahhh thats the things right there08:23
marekd?08:23
stevemarmarekd, see thats why i'm saying there is no need to list it in test-req, since it's installed by KSC.08:24
stevemarBUT it's also listed in test-req in KSC, so it's never actually installed there08:24
stevemarfor some reason, if mhu takes it out of test-req, the tests fail08:24
marekdosc test-req or ksc test-req ?08:24
*** ajayaa has quit IRC08:25
*** alex_xu has quit IRC08:27
stevemarosc test req08:27
stevemari commented08:28
stevemari think i know whats going on08:28
stevemaranyway08:28
stevemarit's late, i'm outta here08:28
marekdstevemar: sure08:28
stevemarmarekd, until next time!08:28
marekdstevemar: until afternoon :-)08:28
*** rwsu has quit IRC08:31
*** stevemar has quit IRC08:32
openstackgerritA change was merged to openstack/keystone: wrong logic in assertValidRoleAssignmentListResponse method  https://review.openstack.org/11930308:41
*** aix has joined #openstack-keystone08:42
*** ncoghlan has quit IRC08:47
*** alex_xu has joined #openstack-keystone08:49
*** rwsu has joined #openstack-keystone08:56
*** jacer_huawei has joined #openstack-keystone09:08
*** alex_xu has quit IRC09:09
*** aix has quit IRC09:19
*** nellysmitt has joined #openstack-keystone09:23
*** lsmola has quit IRC09:26
*** sunrenjie has quit IRC09:31
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: SAML2 wrapper plugin for full federation authN  https://review.openstack.org/10675109:34
*** renlt has quit IRC09:34
*** lsmola has joined #openstack-keystone09:41
*** andreaf has joined #openstack-keystone09:46
*** andreaf has quit IRC09:53
*** Tahmina has joined #openstack-keystone09:54
*** aix has joined #openstack-keystone09:56
*** henrynash has joined #openstack-keystone09:58
*** henrynash has quit IRC10:01
*** amakarov_away is now known as amakarov10:02
*** henrynash has joined #openstack-keystone10:02
*** andreaf has joined #openstack-keystone10:10
*** ajayaa has joined #openstack-keystone10:17
*** dims has joined #openstack-keystone10:18
*** ukalifon2 has joined #openstack-keystone10:28
*** ukalifon1 has quit IRC10:28
*** henrynash has quit IRC10:45
*** andreaf has quit IRC10:47
*** andreaf has joined #openstack-keystone10:47
*** ukalifon2 has quit IRC10:52
*** andreaf has quit IRC11:00
*** henrynash has joined #openstack-keystone11:06
*** henrynash has quit IRC11:17
*** miqui has quit IRC11:24
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Docstrings should have :returns: everywhere.  https://review.openstack.org/12861211:35
*** henrynash has joined #openstack-keystone11:37
*** swamireddy1 has joined #openstack-keystone11:37
*** radez_g0n3 is now known as radez11:37
*** swamireddy has quit IRC11:40
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Fix mappings.Mapping docstring  https://review.openstack.org/12861511:43
*** swamireddy1 has quit IRC11:44
*** henrynash has quit IRC11:46
*** bknudson has joined #openstack-keystone12:06
*** dims has quit IRC12:11
*** dims has joined #openstack-keystone12:12
*** dims_ has joined #openstack-keystone12:14
*** dims has quit IRC12:16
*** bdossant has joined #openstack-keystone12:24
*** Tahmina has quit IRC12:28
amakarovayoung, ping12:31
*** ajayaa has quit IRC12:52
*** andreaf has joined #openstack-keystone12:52
*** afazekas has quit IRC12:58
ayoungamakarov, you are about 3 deep in the queue right now.  got a meeting in 2 minutes...talk to you in about 45?12:58
ayoungr1chardj0n3s, you rock.  Excellent.  It will help the packagers out immensely12:59
*** andreaf has quit IRC13:00
*** alex_xu has joined #openstack-keystone13:00
*** andreaf has joined #openstack-keystone13:03
*** Dafna has quit IRC13:06
*** nkinder has quit IRC13:10
*** gordc has joined #openstack-keystone13:10
*** Dafna has joined #openstack-keystone13:10
amakarovayoung, good13:11
ayoungamakarov, fire away13:12
*** afazekas has joined #openstack-keystone13:14
amakarovayoung,  there is 1-line bugfix hanging about a week for now https://review.openstack.org/#/c/125923/13:14
*** swamireddy has joined #openstack-keystone13:15
amakarovayoung, and about trust chains: I implemented the feature, Steve Hardy is about to review it, but it's Keystone feature after all... So maybe you look at it too: https://review.openstack.org/#/c/126897/13:16
*** richm has joined #openstack-keystone13:17
ayoungamakarov, already have 3 draft review comments13:18
ayoungamakarov, basically looks good.  I'm not a huge fan of how you are using &=13:18
ayoungI think you should do an early exit from the logic instead13:18
ayoungamakarov, I'll hit submit on my review, as there is some work for you there, but I've not completed reviewing it, and I might have more comments.  Fair enough?13:19
amakarovayoung, ok, I did it this way to have more compact code, but it does not allow detailed validation feedback. Thank you for your attention )13:20
ayoungamakarov, yeah, I see what you are doing.  Throwing an exception at the actual point of failure, though, makes it easier to debug13:21
ayoungamakarov, otherwise, all the user finds out is that it failed13:22
ayoungand not whether it was due to  the first line, the second...13:22
amakarovayoung, so may I consider concept approved and just prettify implementation?13:24
ayoungamakarov, yes.  Is there a spec?13:24
amakarovayoung, yes, 1 sec for link search. Loading...13:25
ayoungamakarov, I'm there13:25
ayoungamakarov, just wanted to confirm the spec was approved13:25
ayounghttp://git.openstack.org/cgit/openstack/keystone-specs/tree/specs/kilo/trusts-redelegation.rst13:25
amakarovayoung, yes, Steve himself pointed me there13:25
amakarovyes, here it is13:26
ayoungamakarov, this is really good stuff.13:26
*** andreaf has quit IRC13:26
amakarovayoung, I have a pic for that :) https://docs.google.com/a/mirantis.com/drawings/d/1IZk_JwMJ0uQkSewnAWgzdgo2smORQSTL-v3tK_464PE/edit13:27
*** andreaf has joined #openstack-keystone13:28
ayoungNICE!  Happy little trusts!  Happy little users!13:28
*** saipandi has joined #openstack-keystone13:34
*** Gippa has joined #openstack-keystone13:37
*** afazekas has quit IRC13:37
ayoungamakarov, I need to update my Keystone presentation to explain trusts better13:41
*** andreaf has quit IRC13:42
amakarovayoung, cool, there is a presentation ))) Can you please share a link? I didn't find it on my research13:42
ayoungamakarov, yeah...one sec13:43
ayounghttp://adam.younglogic.com/presentations/KeystoneFolsom/  was from back at Folsome13:43
ayoungFolsom13:43
ayoungand lets see...13:43
ayoungI don't think I published the internal one I did back in April...13:44
ayounghttp://adam.younglogic.com/presentations/SecuringOpenstackFreeIPA/Securing-OpenStack-FreeIPA.html  was the FreeIPA integration, too13:44
openstackgerritBrant Knudson proposed a change to openstack/keystonemiddleware: Change tenant to project  https://review.openstack.org/12706613:44
openstackgerritBrant Knudson proposed a change to openstack/keystonemiddleware: Change admin user to service user.  https://review.openstack.org/12707513:44
openstackgerritBrant Knudson proposed a change to openstack/keystonemiddleware: Correct tests to use strings in conf  https://review.openstack.org/12865513:44
openstackgerritBrant Knudson proposed a change to openstack/keystonemiddleware: Auth token supports deprecated names for paste conf options  https://review.openstack.org/12865613:44
ayoungamakarov, I have one I need to update that is IJK...13:44
ayounger  h-i-j...13:45
ayoungApr 1 2014...13:45
*** sigmavirus24_awa is now known as sigmavirus2413:46
amakarovayoung, thanks, that'll be handy13:46
ayoungamakarov, I have it as a PDF.  Let me see if I can generate it as HTML.13:46
amakarovayoung, pdf is ok13:47
*** andreaf has joined #openstack-keystone13:48
*** afazekas has joined #openstack-keystone13:51
ayoungamakarov, I know, but I want to make it into something I can deep link13:52
*** nkinder has joined #openstack-keystone13:54
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Correct typos in man page  https://review.openstack.org/12768513:58
*** ayoung has quit IRC13:59
*** vhoward has joined #openstack-keystone14:00
*** andreaf has quit IRC14:00
*** Gippa has quit IRC14:03
*** swamireddy has quit IRC14:10
*** shakayumi has quit IRC14:12
*** Gippa has joined #openstack-keystone14:13
*** Gippa has quit IRC14:13
*** Gippa has joined #openstack-keystone14:13
*** Gippa has quit IRC14:13
*** vb has joined #openstack-keystone14:17
vbhello, could anyone please tell me why we have amqp setting in keystone? What functions of keystone need it? Any pointers to blogs or architecture stuff are welcome :)14:19
*** vhoward has left #openstack-keystone14:19
*** jorge_munoz has joined #openstack-keystone14:21
*** aix has quit IRC14:25
*** david-lyle has joined #openstack-keystone14:30
*** sigmavirus24 has left #openstack-keystone14:30
*** alex_xu has quit IRC14:34
*** zzzeek has joined #openstack-keystone14:39
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Docstring cleanup for return type  https://review.openstack.org/12785714:43
*** stevemar has joined #openstack-keystone14:58
*** sigmavirus24 has joined #openstack-keystone15:05
*** thedodd has joined #openstack-keystone15:06
*** henrynash has joined #openstack-keystone15:07
*** afazekas has quit IRC15:11
openstackgerritDolph Mathews proposed a change to openstack/identity-api: convert v3 API docs from markdown to rst  https://review.openstack.org/12867615:17
morganfainbergdstanek, keystonemiddleware.tests.test_auth_token_middleware.v2AuthTokenMiddlewareTest.test_http_error_not_cached_token is the issue (or the first one)15:32
stevemardolphm, is there a difference between wrapping a section with ==== (above and below) and just === (below)15:33
morganfainbergi also greatly dislike the mixin use for tests.15:33
dolphmstevemar: yes15:33
dolphmstevemar: the overall document title is wrapped above and below - everything else is below, and is a section title in that doc15:33
dstanekmorganfainberg: what is the issue?15:33
morganfainbergdstanek, that test hangs on cleanup15:34
morganfainbergdstanek, forever15:34
morganfainbergin py3415:35
dstanekmorganfainberg: really? i only have one error in test_shell.py15:35
morganfainbergdstanek, yep. it doesn't ever exit when run on my system (ubuntu 14.04)15:35
morganfainbergjust spins,15:36
dstanekmorganfainberg: this is my only failure http://paste.openstack.org/show/121291/15:36
morganfainbergthat looks like hashseed issue15:36
morganfainbergoh15:37
morganfainbergnope15:37
morganfainbergbad dict15:37
morganfainbergdstanek, http://paste.openstack.org/show/121293/15:37
*** wwriverrat has joined #openstack-keystone15:37
dstanekwhat version of python are you running? i have 3.4.1 installed using pyenv15:38
morganfainbergbeen sitting like that for ~10 minutes while i'm trying to figure out wtf is going on15:38
morganfainbergall the other tests work15:38
morganfainbergerm all the other tests i've tried15:38
morganfainbergPython 3.4.0 (default, Apr 11 2014, 13:05:11)15:38
morganfainbergit's the trusty default install15:38
morganfainberglet me 2x check.15:39
morganfainbergbut.. that should be the latest for 14.0415:39
dstanekmorganfainberg: oh, wait - i'm looking at client and you are looking at middleware15:39
morganfainbergyes15:40
morganfainbergclient failure is much less severe under py34 afaict15:40
morganfainbergsomething is acting waaaay up with middleware15:40
dstanekbuild a middleware venv now to see if i can replicate15:41
morganfainbergthere are a few tests that look to hang forever. this is just the first one.15:41
morganfainbergit *might* all be around memcache stuff.15:41
*** wwriverrat has left #openstack-keystone15:44
stevemarnkinder, does RDO release a juno version of OS when Juno is announced?15:44
stevemarhow's that work?15:44
dstanekmorganfainberg: the issue is our sleeping token check15:45
dstanekhttp://paste.openstack.org/show/121298/15:45
morganfainbergdstanek, ugh15:46
*** packet has joined #openstack-keystone15:46
dstanekmorganfainberg: i don't use testtools/testr for development because it's super lacking - i always use nose15:46
morganfainbergdstanek, sure. but the question is why does py33 pass?15:47
morganfainbergand py34 not.15:47
morganfainbergi have clear evidence py33 *does* work :P15:47
dstaneknot sure - i haven't looked into it yet15:47
morganfainberghuh, i am not seeing how we're getting dropped into that loop15:51
morganfainbergwe explicitly set retry max.15:52
*** lhcheng has joined #openstack-keystone15:55
*** ayoung has joined #openstack-keystone15:56
*** lhcheng has quit IRC16:02
*** lhcheng has joined #openstack-keystone16:03
*** _cjones_ has joined #openstack-keystone16:03
morganfainbergdstanek, not sure if it's in the retry loop actually, because i get an "OK" the test passes, it hangs on what looks like one of the addcleanups16:04
bknudsonit looks like heat has hard-coded our auth_token config option names so we can never change them.16:04
bknudsonhttp://logs.openstack.org/66/127066/3/check/check-tempest-dsvm-postgres-full/5353623/console.html#_2014-10-15_14_28_49_46416:04
dstanekmorganfainberg: i can only get it to hang there - well i only tried 2 or 3 times - looking at the ksc issue16:05
openstackgerritDolph Mathews proposed a change to openstack/identity-api: split HTTP methods & resources from section titles  https://review.openstack.org/12869016:05
morganfainbergdstanek, yeah it takes a few seconds to clear out of that. i'm digging into this.16:05
morganfainbergit's ... weird16:05
dstanekmorganfainberg: dumb thought - are the conf values type or does that max retry come back as a string?16:06
morganfainberghm.16:06
morganfainbergin this case it's guaranteed to be an int, we set it in the test case16:06
ayoungnkinder, So,   I tried the openstack client with the Kerberos plugin.  Didn't work out the gate, looks like some sort of issue with the entrypoints/Stevedore loading the plugin.  I'm going to debug.16:08
openstackgerritDolph Mathews proposed a change to openstack/identity-api: add doc8 validation to v3/  https://review.openstack.org/12869316:10
*** __TheDodd__ has joined #openstack-keystone16:11
*** thedodd has quit IRC16:12
*** jistr has quit IRC16:14
*** marcoemorais has joined #openstack-keystone16:17
*** sigmavirus24 is now known as sigmavirus24_awa16:19
ayoungbreton, you want to take over the work on the  DB migrations?16:25
bretonayoung: yep16:26
bretonayoung: afaik sqlalchemy-migrations is deprecated and not developed16:26
ayoungbreton, OK,  so we looked briefly into Alembic about two releases ago16:26
ayoungand it seemed at the time that it was going to replace SQL A-Migrate16:27
ayoungbut not certain that is still the case16:27
ayoungwe got an OpenStack developer to take on the maint of SQL-A-M  and we've been able to get it to limp along since then16:27
*** bdossant has quit IRC16:27
ayoungI liked what I saw of Alembic, but not enough to force me over to it...I'm kind of path of least resistance on this16:28
ayoungSo...first thing is to confirm that the changeover to Alembic is still worth while.  morganfainberg dstanek bknudson any input?16:28
morganfainbergzzzeek, ^16:29
zzzeekheh16:29
morganfainberg:)16:29
morganfainbergzzzeek, we <3 you here!16:29
zzzeekconsidering sqlalchemy-migrate is dead.....16:29
ayoungAre we still looking to move to Alembic, then?16:29
morganfainbergayoung, ideally, unless the community is going a different direction (don't think that is the case since zzzeek is here)16:30
zzzeekwe’ve been trying to work out the integration path16:30
bknudsoncan we compact our migrations again for J?16:30
morganfainbergbknudson, yes16:30
zzzeekand it’s not the current thing im working on, so it needs work16:30
morganfainbergbknudson, we should squash H -> I16:30
bretonI also think that we should migrate to Alembic because it's py3-ready16:31
bknudsonsqlalchemy-migrate seems to be getting the work done.16:31
ayoungmorganfainberg, assuming we do that, should all Kilo migrations be in Alembic?16:31
morganfainbergayoung, i think we need to convert completely over to alembic if we're doing that not just "start using alembic after XXX"16:32
morganfainbergayoung, it's more work, but less likelihood of things being weird because we're bridging two things.16:32
morganfainbergesp. with our extensions with their own migrate repos16:32
*** jorge_munoz has quit IRC16:33
ayoungmorganfainberg, right, so we need 2 things:16:33
bknudsonhow do you transition from migrate to alembic?16:34
ayoung1.  a way to convert a system already at SQL-A-M max to alembic16:34
ayoung2.  Initialize a system with the collapsed to I migrations  using Alembic16:34
ayoungI think 2 will be easier.16:34
ayoungbreton, want to start with that?16:34
bretonyep16:35
bretonI'm not sure yet what "collapsed to I" means16:35
ayoungbreton, we take the set of migrations  and collapse them periodically16:36
ayoungI means Icehouse.  so all migrations up through Icehouse get collapsed into one migration that shows the end state16:36
bretongot it16:37
*** marcoemorais has quit IRC16:37
*** marcoemorais has joined #openstack-keystone16:38
*** marcoemorais has quit IRC16:38
*** marcoemorais has joined #openstack-keystone16:39
morganfainbergdolphm, ping, it's possible to re-push sessions to sched.org until the deadline (e.g. update the sessions)16:45
ayoungbreton, so what I was suggesting is that we hold off on any more SQL-A migrations and do any from here on forward in Alembic, but it means we need to get the Alembic stuff done early.  Alternatively, we could do the two tasks in parallel, and just accept that we are going to have to do double work for a while:16:45
dolphmmorganfainberg: see anne's comment on https://review.openstack.org/#/c/128676/16:45
morganfainbergdolphm, right?16:45
dolphmmorganfainberg: yes16:45
morganfainbergdolphm, anne's comment makes sense to me.16:46
dolphmmorganfainberg: there's a long cache expiration delay on sched.org before you'll see changes reflected, but yes16:46
morganfainbergdolphm, cool. going to push the first pass then.16:46
bretonayoung: how early?16:46
morganfainbergdolphm, http://kilodesignsummit.sched.org/type/keystone16:46
ayoungdoing the same migrations in SQL A and in Alembic until we can lock in to only Alembic16:47
morganfainberghenrynash, topol, nkinder, i think we're going to want a couple more questions for the ops session. but it's def a good start16:47
*** henrynash has quit IRC16:48
dolphmmorganfainberg: sweet :)16:48
*** morganfainberg changes topic to "Now open for Kilo development! Blocking reviews: https://gist.github.com/dolph/651c6a1748f69637abd0 | Please review design session schedule and provide feedback: http://kilodesignsummit.sched.org/type/keystone"16:48
bretonayoung: well, ok, but how early does alembic need to be done?16:50
morganfainbergdavid-lyle, pushed the Keystone tentative schedule to sched.org, let me know if I need to shuffle around the SSO one16:53
*** ayoung has quit IRC16:53
morganfainbergdolphm, and let me know if you see any glaring ick on those sessions / recommended changes.16:53
david-lylemorganfainberg, can you PM me the link to push? I missed it somehow16:54
morganfainbergdavid-lyle, sure.16:54
*** henrynash has joined #openstack-keystone16:57
*** browne has joined #openstack-keystone16:59
bretonok, anyway, I'll start working on Alembic integration tomorrow16:59
*** marcoemorais has quit IRC17:00
dstanekmorganfainberg: any luck?17:00
*** marcoemorais has joined #openstack-keystone17:00
morganfainbergdstanek, nope. i haven't been able to figure it out. apparently we're also leaking memory, fungi said he forgot to kill it ran his machine out of memory17:00
openstackgerritA change was merged to openstack/python-keystoneclient: Docstrings should have :returns: everywhere.  https://review.openstack.org/12861217:01
dstanekmorganfainberg: i'm going to start poking around too17:01
morganfainbergdstanek, i figured i was going to push the sched.org stuff then come back to it.17:02
morganfainbergdstanek, it is really odd.17:03
stevemarmorganfainberg, should i create specs for these, or are they more bps/untargeted: 1) adding new CI tests for keystone (think federation/notifications), and 2) revamping docs, as i just got slammed for keystone not having enough docs, and them being super scattered.17:04
*** marcoemorais has quit IRC17:05
*** marcoemorais has joined #openstack-keystone17:05
*** marcoemorais has quit IRC17:05
*** marcoemorais has joined #openstack-keystone17:06
*** marcoemorais has quit IRC17:06
morganfainbergthe federation ci testing i could go either way on needing a spec [ BPs are still a mess, slowly working through them ], docs revamp probably doesn't need a spec. we *should* do it.17:06
*** marcoemorais has joined #openstack-keystone17:06
stevemarmorganfainberg, we *should* do the spec or the revamp?17:07
stevemarsorry, it's ambiguous :)17:07
morganfainbergthe revamp17:07
stevemarmorganfainberg, okay17:07
morganfainbergif you *want* to do a spec, feel free to.17:07
stevemarmorganfainberg, i'll start writing it up, if it's actually some meaty content i'll post it17:07
morganfainbergk17:08
stevemarcurrently it's kinda nebulous in my head17:08
morganfainbergdstanek, hmm.17:09
morganfainbergdstanek, socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC, 0) = -1 EMFILE (Too many open files) *interesting*17:09
*** harlowja_away is now known as harlowja17:15
openstackgerritDolph Mathews proposed a change to openstack/keystone-specs: add v3 API documentation  https://review.openstack.org/12871217:15
morganfainbergdstanek, wow, we have like 40billion sockets opened by that test.17:16
dstanekmorganfainberg: i think it's in an infinite loop trying to talk to keystone17:16
morganfainbergdstanek, yeah.17:16
openstackgerritDolph Mathews proposed a change to openstack/keystone-specs: add v3 API documentation  https://review.openstack.org/12871217:17
*** _cjones_ has quit IRC17:17
morganfainbergwondering if HTTPretty is failing in a weird way17:17
*** _cjones_ has joined #openstack-keystone17:17
stevemardolphm, whats the point of ^17:18
stevemarwhy add it to -specs?17:18
stevemarso we can kill identity-api and api-site?!?17:18
dolphmstevemar: annegentle has wanted us to do that for awhile - she commented as such on https://review.openstack.org/#/c/128676/17:18
dolphmstevemar: pretty much, yes17:18
stevemardolphm, <317:19
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Cleanup docs - raises class  https://review.openstack.org/12785817:19
stevemardolphm, you needs to also change project-config too17:21
stevemari assume we are actually going to publish these?17:21
dolphmstevemar: dunno - link me to what i need to change?17:22
* dolphm is headed to lunch17:22
*** amakarov is now known as amakarov_away17:23
bknudsonfood trucks!17:25
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Docstring cleanup for return type  https://review.openstack.org/12785717:26
stevemardolphm, will do, also eating lunch17:29
* morganfainberg goes to get food17:31
*** marcoemorais has quit IRC17:32
*** marcoemorais has joined #openstack-keystone17:32
*** r-daneel has joined #openstack-keystone17:37
*** henrynash has quit IRC17:44
morganfainbergDo we want to do midcycle discussion at the summit or pre-summit since we know the schedule for the release already.17:49
*** henrynash has joined #openstack-keystone17:52
*** sigmavirus24_awa is now known as sigmavirus2417:53
*** vsilva is now known as victsou18:05
*** victsou is now known as vsilva18:05
*** __TheDodd__ has quit IRC18:07
*** thedodd has joined #openstack-keystone18:09
*** thedodd has quit IRC18:23
*** navid_ has joined #openstack-keystone18:29
rodrigodsstevemar, marekd, trying to create a mapping here using keystoneclient, but: http://paste.openstack.org/show/121326/18:32
rodrigodswhat's wrong? =(18:32
nkinderrodrigods: you need an outer "mapping:"18:34
nkinderrodrigods: let me pastebin an example18:34
rodrigodsnkinder, thanks!18:34
nkinderrodrigods: http://paste.openstack.org/show/121327/18:35
*** ayoung has joined #openstack-keystone18:35
rodrigodsnkinder, have you ever tried with keystoneclient?18:36
stevemarrodrigods, get rid of the outer mapping like nkinder says, and don't dump it with jsonutils* http://paste.openstack.org/show/121328/18:36
*** ayoung has quit IRC18:36
*** ayoung has joined #openstack-keystone18:36
nkinderstevemar: ah, create_mapping adds the outer "mapping:" for you?18:37
rodrigodsnkinder, it does18:37
stevemarnkinder, yes18:37
nkinderok, cool18:37
rodrigodsstevemar, thanks, will try here!18:37
stevemarnkinder, i think that is most of the client apis18:37
stevemarwe don't pass in {user: {'name18:37
stevemarin for user, just the name18:38
ayoungnkinder, you messing with mod_lookup_identity?18:38
nkinderayoung: not at the moment18:38
rodrigodsstevemar, nkinder it worked! \o/18:38
nkinderayoung: I need to, but haven't gotten to it just yet18:38
*** gyee has joined #openstack-keystone18:38
nkinderrodrigods: great!18:38
*** topol has joined #openstack-keystone18:38
ayoungnkinder, OK.  One thing I was trying to figure out is if I have something like just the env vars themselves if there is some way we could figure out a-priori which mapping to pick.  I don't think there is.18:39
ayounglike if we had Kerberos with two different realms,  and they had different mappings...18:39
nkinderayoung: the only way to use a mapping is to use the federation stuff, right?18:40
nkinderayoung: ...which requires tying a mapping to an IdP18:40
stevemaryay18:40
ayoungnkinder, yeah.  When I looked, there are two calls for fetching mappings.  One is for the list, and the second is for the individual mapping18:40
ayounghttps://github.com/openstack/identity-api/blob/master/v3/src/markdown/identity-api-v3-os-federation-ext.md#mappings-os-federationmappings18:41
stevemaryou can use a mapping on its own, they are top level18:41
stevemarjust enable OS-FEDERATION18:41
nkinderstevemar: so when does the mapping get evaluated in that case?18:41
ayounghttps://github.com/openstack/identity-api/blob/master/v3/src/markdown/identity-api-v3-os-federation-ext.md#list-all-supported-protocol-and-attribute-mapping-combinations-of-an-identity-provider-get-os-federationidentity_providersidp_idprotocols18:42
stevemarnkinder, we call it when the user authN's, but you can call it any time if you're making a new function18:42
ayoungstevemar, want to use it with the Kerberos approach and the external plugin18:42
nkinderstevemar: we're talking about using it for the normal auth route (not for a federation token request)18:42
ayoungso  you get REMOTE_USER,  and a handful of other env vars set,  and  ...18:43
stevemarnkinder, https://github.com/openstack/keystone/blob/master/keystone/auth/plugins/mapped.py#L139-L14718:43
ayoungits really the same thing gyee needs fro X50918:43
stevemarohh i see the issue, the user should have to know what mapping to use18:43
ayoungfor18:43
ayoungnot have to know...18:43
nkinderayoung: what if there is a mapping assigned to a domain?18:44
ayoungnkinder, how?  It's the other way around, I think, where the mapping can choose the domain...18:44
ayoungI think18:44
nkinderayoung: so we can tie a SSSD domain to a keystone domain and associate a specific mapping18:44
ayoungI think so...18:45
nkinderayoung: richm and I were just chatting about needing to figure this area out earlier18:45
ayoungnkinder, OK,  let me start with my old examples.18:45
ayounghttp://adam.younglogic.com/2014/05/keystone-federation-via-mod_lookup_identity/18:45
nkinderayoung: need to drop for a bit.  Will be back in about an hour18:46
ayoungnkinder, OK...I've had a router failure at home, currently at a cafe with wireless18:46
nkinderoh, fun18:46
ayoungI should still be here  in an hour, need to head out and get another router18:46
ayoungyeah, I was using the cell phone as a wireless hotspot until the battery drained18:46
*** thedodd has joined #openstack-keystone18:47
*** henrynash has quit IRC18:48
ayoungstevemar, where do we specify what is an acceptable mapping for Federation?18:49
stevemardolphm, http://imgur.com/AzdUcZ218:51
stevemari wanted to check with you before over-riding your patch18:51
*** nkinder has quit IRC18:51
*** packet has quit IRC18:55
ayoungstevemar, http://git.openstack.org/cgit/openstack/keystone/tree/keystone/auth/plugins/mapped.py  do we not do anything with domain id?18:55
*** stevemar has quit IRC18:55
*** huats_ has joined #openstack-keystone18:57
*** huats_ has quit IRC18:57
*** huats_ has joined #openstack-keystone18:57
*** packet has joined #openstack-keystone18:57
*** xianghui has quit IRC18:57
*** Guest27566 has quit IRC18:57
*** stevemar has joined #openstack-keystone18:58
ayoungrodrigods, are you interested in using Federation with multiple domains?18:58
rodrigodsayoung, absolutely18:59
rodrigodsneeding extra hands somewhere?18:59
*** xianghui has joined #openstack-keystone18:59
ayoungrodrigods, I'm looking at the code and I don't see anything that handles domains18:59
ayoungit just assumes that REMOTE_USER == user_id18:59
ayoungrodrigods, http://git.openstack.org/cgit/openstack/keystone/tree/keystone/auth/plugins/mapped.py#n13418:59
ayoungand...I'm confused how that could be the case, so I'm investigating, but having someone else with a vested interest in this providing a double check on me would be welcome19:00
rodrigodsayoung, will add to my list19:01
rodrigodsthanks19:01
ayoungand, I'd like to log what I'm seeing, so I'm going to send these notifications to you, so I don't look like some IRC equivalent to a schizophrenic talking to myself19:01
ayoungthe auth plugin gets the post-processed SAML or whatever.19:01
ayoungrodrigods, there is nothing in here about domains http://git.openstack.org/cgit/openstack/keystone/tree/keystone/auth/plugins/mapped.py19:02
*** _cjones_ has quit IRC19:02
*** _cjones_ has joined #openstack-keystone19:03
*** amcrn has joined #openstack-keystone19:03
rodrigodsayoung, can't I map different federated users to different groups in different domains?19:04
rodrigodsI thought it was a possible case19:05
ayoungrodrigods, I don't see how19:05
rodrigodsayoung, hmm19:05
ayoungrodrigods, and, in general, no, user and groups must all come from the same domain19:05
ayoungrodrigods, groups are part of identity, not assignment19:05
rodrigodsayoung, why is that? where the "unique" domain link is made?19:06
ayoungrodrigods, lets punt on groups for the moment19:06
*** drjones has joined #openstack-keystone19:06
*** _cjones_ has quit IRC19:06
ayoungcuz with mapping, we could do all sorts of wacky things, so we can probably make whatever use case you need to happen,  but right now, I'm concerned that federation is one domain only19:06
ayoungor, worse, that we blindly accept the domain out of the request  alongside the users ID.19:07
ayoungI don't think that is the case, as the user domain should be in the AuthContext object19:07
rodrigodsayoung, hmm... yeah, we don't attach a domain to an IdP19:08
ayoungrodrigods, I was kindof insisting on it back about a year ago and ...well...what happened to it?19:08
rodrigodsayoung, yeah, only 6 months of openstack19:09
rodrigods=(19:09
ayoungrodrigods, I think I'm coming up on a Half Century of OpenStack..feels like it anyway19:09
ayoungrodrigods, OK, check my logic here:19:10
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/auth/plugins/mapped.py#n89  calls extract_assertion_data19:11
ayoungdown in that function, we assume user_id = REMOTE_USER19:11
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/auth/plugins/mapped.py#n13619:11
ayoungso if there is REMOTE_USER, we ignore any additional mapping:19:11
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/auth/plugins/mapped.py#n105  we would only set user_id if it were not already set19:12
ayoungso if REMOTE_USER was  ayoung@REDHAT.COM for me and rodrigods@RODRIGODS.COM for you,  we couldn't map those to different domains.19:12
ayoungI think that we would want to pull in the code that we use for multiple backends here:19:13
ayoungsplit the REMOTE_USER on the @ sign and then the user_id would be19:14
ayoungthe sha256 of the left portion of the REMOTE_USER field and the domain_id19:14
rodrigodsthat makes sense if the user has a left/right portion19:15
rodrigodsis that true for k2k, for example?19:15
rodrigodsanyway19:16
rodrigodsayoung, we would need a "valid federation" domains somewhere19:16
rodrigodsright?19:16
ayoungrodrigods, K2K is using SAML19:16
ayoungand so when the SAML assertion comes in, the user_id will be the value in the REMOTE_USER field,  no matter where it came from19:17
rodrigodsayoung, yes, my doubt is if REMOTE_USER is always like you said19:17
ayoungpretty sure REMOTE_USER will be set to USER_ID,  but haven't looked at the token->saml code recently enough to remember19:17
rodrigodsayoung, trying to generate one here19:17
rodrigods1 sec19:18
ayoungrodrigods, where is the SAML code for that anyway?19:18
ayoungfederation/idp.py19:19
rodrigodsayoung, https://review.openstack.org/#/c/114850/24/keystone/contrib/federation/idp.py19:20
rodrigodsyeah19:20
rodrigodswas looking for the review19:20
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/contrib/federation/idp.py#n24419:20
ayoungcreate_assertion19:20
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/contrib/federation/idp.py#n153  that is the binding19:21
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/contrib/federation/controllers.py#n273  user name....not even the id19:23
*** jogo has joined #openstack-keystone19:23
jogohave a fun nova spec that is all about keystone19:24
jogohttps://review.openstack.org/#/c/92507/13/specs/kilo/approved/validate-tenant-user-with-keystone.rst19:24
morganfainbergohboy!19:24
jogowould like to get the opinion of keystone on it19:24
ayoungjogo, hmmm19:25
ayoungjogo, what's a tenant?19:25
jogojust added keystone-core to the review19:25
morganfainbergayoung, hah.19:25
ayoung-1 for 'tenant' alone19:26
jogothis seems to be a fairly common use case19:26
morganfainbergayoung, in nova i think it's still called tenants19:26
ayoungso what19:27
jogoI as an admin of sorts wants to set the quota for !notme19:27
jogo!me19:27
openstackjogo: Error: "me" is not a valid command.19:27
ayoung!yesitis19:27
openstackayoung: Error: "yesitis" is not a valid command.19:27
jogogah, go away openstack19:27
ayoung!a valid command19:27
openstackayoung: Error: "a" is not a valid command.19:27
ayoungmeh19:27
morganfainberg!help19:27
openstackmorganfainberg: (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.19:27
ayoung!list19:28
openstackayoung: Admin, Channel, ChannelLogger, Config, MeetBot, Misc, Owner, Services, and User19:28
ayounganyway19:28
morganfainbergi'm surprised this hasn't been a bigger issue until now.19:28
jogome too19:28
morganfainbergi think it's reasonable to validate projects - users might be harder since federated users don't "exist"19:29
ayoungmorganfainberg, so everyone in Federation is going to live in one, big, happy domain.  And their user_ids are going to be whatever REMOTE_USER is set to be19:29
morganfainbergbut we can verify the user has authenticated i guess w/ henry's mapping thing19:29
ayoungmorganfainberg, henry's mapping thing is, I think, out of the flow19:30
*** ChanServ sets mode: -o morganfainberg19:30
morganfainbergayoung, i mean we can say "this id has been used / came from keystone"19:31
ayoungthat is done by the identity plugin19:31
morganfainbergvs. a totally unknown id.19:31
ayoungand Federation mapping is going to be in the auth pipeline...19:31
morganfainbergbut we don't have that support yet19:31
ayoungah, wait, so  once the mapping is applied (auth plugin) we then turn over to the token provider to make the token....somewhere in between we hit identity19:32
ayoungI think we still need to add domain to the mapping plugin, but...19:32
morganfainbergayoung, probably.19:33
morganfainbergjogo, so in short, validating projects makes sense, users might be a bit harder if they are federated.19:33
ayoungmorganfainberg, I still think we want to limit what domains a given mapping can map to,  or a given IdP really19:33
ayoungah bugger19:34
ayoungwe create the auth context, then run authenticate19:34
ayoungthere is no correlation between the data19:34
ayoungwhich means federation is broken19:34
ayoungmorganfainberg, check me on this19:34
jogomorganfainberg: what about the existing REST call19:34
jogowhere someone can set the quota for someone else19:35
jogoor something else19:35
morganfainbergayoung, lets backup and talk about jogo's request before we dive into federation oddities19:35
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/auth/controllers.py#n37019:35
ayoungmorganfainberg, this is more important19:35
ayoungand I was talking first anyway19:35
ayoungheh19:35
ayoungwhat you can't carry on five conversations at once?19:35
ayoungGive you another month at PTL and you'll be able to do 1019:36
morganfainbergayoung, you're missing the convos in other IRC channels and via email.19:36
ayoungtrue19:36
morganfainbergayoung, so. i might be at 10+ already :P19:36
morganfainbergjogo, so i'm not super familiar with nova's quotas anymore (been since grizzly since i spent a lot of time on nova)19:37
jogomorganfainberg: so I think the first gotcha is19:37
jogothe only data we have from keystone now is what we get from the keystone middleware19:37
rodrigodsayoung, I was with only two and was completely lost, will take a look in the domains + fed stuff tonight, ok?19:38
jogowhich tells us what project the person is in, and data that we pass into the policy engine19:38
ayoungjogo, the token gets expanded19:38
ayoungand that project ID will be avalid19:38
ayoungvalid19:38
jogoto figure out what commands they can call19:38
ayoungso I don't think you need to validate a second time19:38
morganfainbergayoung, this would be for user X setting a quota on "not-his-project" Y19:39
morganfainbergi think19:39
morganfainbergif i'm understanding this correctly19:39
jogoAFAIK quota commands today have no validation beyond checking the policy file19:39
ayoungmorganfainberg, then the token should be for the....ah19:39
jogomorganfainberg: yup19:39
ayoungyeah, you don't want to have the role to set quota for the project internal to the project19:39
ayoungcuz then the admin can change the quota19:39
morganfainbergjogo, i think this is absolutely related to the authorization and policy topics i've started the conversation on19:40
ayoungset_quota should be a separate role from admin19:40
jogothis is all we have for quota update http://git.openstack.org/cgit/openstack/nova/tree/etc/nova/policy.json#n22219:40
jogomorganfainberg: too bad I didn't pay attention to those19:40
morganfainbergjogo, there are plans for a summit design session... but unfortunately nova has sessions at all the same times we do (keystone)19:40
jogomorganfainberg: [openstack-dev] [all][policy][keystone] Better Policy Model and Representing Capabilites ?19:41
morganfainbergjogo, yes19:41
morganfainbergjogo, i think this is something that hasn't been addressed *yet* in that thread, but is valid, policy decisions beyond the limited enforcement we have now.19:41
ayoungmorganfainberg, OK,  so this came up in a different context.  If a project is owned by  a domain, and a user has some role that implies  "can set quota"  should the token be for the domain or for the project?19:41
jogomorganfainberg: cool19:41
morganfainbergayoung, i'd say domain in that case.19:42
morganfainbergayoung, but afaik nova doesn't work with domain tokens.19:42
* ayoung votes we call the role "quoter"19:42
jogoso want to comment on the spec, it sounds like there are some big issues to sort out before we can even review this spec19:42
ayoungwell, that would also be a more important feature than "validate project with keystone" then19:42
morganfainbergyeah. there are some sizable issues around this that stretch beyond the basics of "validating the project"19:42
jogomorganfainberg: yeah that is my understanding too, nova has no concept of domains, and as of now doesn't want to know about them.19:43
morganfainbergjogo, but i mean, it's not unreasonable to include a "make sure the project exists" api call.19:43
jogomorganfainberg: sure, but the quota-update call is still wide open to all 'admins'19:43
jogoits not per project etc19:43
morganfainbergjogo, exactly19:43
jogoits a global admin thing19:43
jogoyeah adding a sanity check make sure project exists should be an easy first step19:44
ayoungmorganfainberg, ok,  I think we are actually cool WRT Federation.  auth_info vs auth_context is horrible naming19:44
morganfainbergjogo, we also have a topic on hierarchical multitenancy and role management, policy management19:44
jogobut the whole quota thing is funny in this sense19:44
jogoso random tangent19:44
morganfainbergjogo, it's all interrelated. i think kilo is going to be "OMG POLICY" and working towards fixing the "admin scope" issue we've had ... forever19:44
jogothoughts on keystone owning a quotas library19:45
morganfainbergayoung, yes it is awful naming.19:45
ayoungmorganfainberg, in mapped its called auth_payload, which is a little better19:45
jogoas policy, quotas and keystone are all related somewhat19:45
morganfainbergjogo, yeah, we've had some conversations on that19:45
jogooh nice19:45
morganfainbergthe general consensus is at least initial quota state should be stored in keystone (Centrally)19:46
morganfainbergor something *like* keystone19:46
jogoI am not sure I agree actually19:46
morganfainbergbut enforcement has to be other projects19:46
jogoI think we can hide the distributed nature of things via openstackclient19:46
ayoungmorganfainberg, I think in Keystone makes sense so long as Keystone does not try to understand the quota data19:46
jogoso openstack quotas list19:46
morganfainbergayoung, ++19:46
jogowould show all things19:46
ayoungits like posting the shipping manifest on the outside of the shipping container19:47
morganfainbergjogo, hm.19:47
ayoungAll the container knows is that there is a piece of paper stuck to its front19:47
ayoungand it doesn't care...it's just a big metal box19:47
morganfainbergjogo, perhaps..19:47
jogoayoung: your containers are conscious. scary19:48
ayoungjogo, most of my things are scary19:48
morganfainbergjogo, i do agree we need a quota "library" to make handling quota better, but I'm unsure if keystone as a project needs to own it19:48
ayoungyou should see my desk19:48
jogomorganfainberg: sure, maybe not own it19:48
morganfainbergjogo, wrt policy lib, i plan on adopting that one - i'm not sure how far apart policy and quota actually ends up19:48
ayoungmorganfainberg, OK,  so quota is probably not best stored in Keystone...here's why19:48
ayounglet's assume you have a shared project19:48
jogoit can live in oslo or where ever too, I was just trying to sign keystone up for more work ;)19:48
morganfainbergjogo, haha19:49
ayoungusually nova1 is paired with cinder1 and nova2 with cinder2,  but in this case, its nova1 with cinder219:49
morganfainbergjogo, i don't know if we want Identity to own quota. i think i need to noodle on that one some.19:49
ayoungall of the 1 resources are owned by, say Harvard and all of the 2 resources by BostonU19:49
jogoso maybe not own, but maybe just be involved in a bit19:50
ayoungso  in the case of  Nova1 to BU2 you don't want BU admins overriding the quotas set by Nova19:50
ayounger By Harvard19:50
morganfainbergjogo, oh absolutely, likely with the hierarchical stuff we need to add quota support.19:50
ayoungNow..lets make it even more complex19:50
morganfainbergjogo, so we'll have a vested interest [e.g. max numbers of projects under a domain that can be created, etc]19:50
ayoungwhere this project has VMs in both nova1 and nova219:50
ayoungand the quotas should be kept separate19:50
* ayoung has been fielding some wacky use cases lately19:51
morganfainbergjogo, though we do sortof own audit, which is somewhat closely aligned with quota so we may be the best place for it when it comes down to it19:51
lhchengqq, is it possible to setup keystone with ldap backend for user and using db-backend for projects/roles?19:51
morganfainberglhcheng, yep19:51
openstackgerritSteve Martinelli proposed a change to openstack/keystone-specs: Add a specification for revamping the documentation  https://review.openstack.org/12874719:52
ayounglhcheng, its the normal LDAP approach.  Even better, with the new multiple backends, you can put service users in SQL, and use LDAP for the real users19:52
stevemardolphm, ^19:52
ayounglhcheng, http://adam.younglogic.com/2014/08/getting-service-users-out-of-ldap/19:52
jogomorganfainberg: so to double back to your email thread19:53
jogomorganfainberg: I have a use case I have been wanting to address for a while now19:53
jogomorganfainberg: have a smart 'nova help' that only shows me things I can do19:53
morganfainbergjogo, my email doesn't cover that use case, but it should be added to the pile19:53
ayoungmorganfainberg, so extending mapping to handle domains:  bug or new spec?19:53
morganfainbergonce the schedule for the summit is more or less solidified i plan on replying with "hey come talk about this, keystone has volunteered a design slot so we can *really* work on this"19:54
morganfainbergayoung, i'd say it's not a bug so much as a feature add19:54
jogomorganfainberg: I think there are two aspects to this use case: 1) discovering what extensions  are running (I think this can be done today)19:54
jogodiscovering what the policy will allow19:54
morganfainbergjogo, ++19:54
lhchengmorganfainberg: how do I configure project/role to continue using db-backend?  if I don't have an ldap mapping to projects, does keystone assume it is db-backend?19:55
*** ayoung has quit IRC19:56
morganfainberglhcheng, you will set the driver in [assignment] to use the sql driver keystone.assignment.backends.sql.Assignment (i think), and [identity] driver option to be keystone.identity.backends.ldap.Identity19:56
lhchengayoung: thanks for the link, the back-end by domain sounds great.19:56
jogomorganfainberg: added my use case to the thread for posterity19:57
morganfainbergjogo, thanks!19:57
lhchengayoung: I'll keep that in mind, one more reason to move to v3! :)19:57
morganfainbergjogo, http://kilodesignsummit.sched.org/event/061876b56285e8a46443bc3bf730031b19:57
jogomorganfainberg: I wonder how many other sessions that will conflict with heh19:57
morganfainbergjogo, that is the tentative slot we (keystone) have ponied up for this policy conversation. I19:57
morganfainbergjogo, likely a few :(. but i think it's a bit late to get a cross-project slot and a *lot* of it has to do with Keystone in either case.19:58
jogoyeah makes sense20:01
jogoanyway thanks, glad this is on the roadmap20:02
lhchengmorganfainberg: sweet! it works!20:03
lhchengmorganfainberg: I thought the assignment-driver only applies to role assignments20:03
morganfainberglhcheng, nah, assignment is projects, domains, roles, etc20:04
lhchengmorganfainberg: so if I don't have a project ldap mapping, keystone defaults the back-end to the assignment driver?20:04
morganfainberglhcheng, the LDAP driver for assignment is separate, you *could* use ldap assignment20:04
morganfainbergbut i don't recommend it20:04
morganfainbergthose options are for using that LDAP driver20:04
lhchengmorganfainberg: I see, and identity backend just applies only to "users"20:06
morganfainberglhcheng, yep20:07
morganfainberglhcheng, there is some code to line them up if you only set the [identity] driver for operator experience / compatibility20:07
r1chardj0n3sayoung: I got rid of the ruby for you :)20:08
lhchengmorganfainberg: what do you mean by lining them up? organizing the config setting?20:09
morganfainberglhcheng, in previous releases (havana and before) there was no "assignment" split. so you would only set [identity]20:10
morganfainberglhcheng, so we needed a way to make sure [identity] and [assignment] drivers were the same *if* only identity was set20:11
morganfainberglhcheng, otherwise the operators/deployers would come after us for making upgrades awful20:11
*** nkinder has joined #openstack-keystone20:11
lhchengmorganfainberg, ++ on that. Glad this is already in keystone! :)20:13
lhchengmorganfainberg, dolphm: on another note, question on v3 domain scoped token. It's probably asked too many times, but I'll ask anyway.20:14
lhchengWhich identity operations should we use domain-scoped token?20:14
morganfainberglhcheng, that depends on what your policy.json ends up looking like20:16
lhchengI've read the response somewhere, but I couldn't find it again :(20:16
morganfainbergright now, with the default policy, i don't think we've got much that is domain scoped compatible20:16
nkinderstevemar: this is just the normal call to get a scoped token, not something OS-FEDERATION specific, right? http://docs.openstack.org/api/openstack-identity-service/3/content/request-a-scoped-os-federation-token-post-authtokens.html20:17
lhchengmorganfainberg: assuming the cloud_admin policy file20:17
lhchengmorganfainberg, https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json20:17
morganfainberglhcheng, then the stuff that looks for "domain admin" [i don't remember all of them off the top of my head] are domain scoped actions20:17
morganfainbergiirc20:17
nkinderlhcheng: domain scoped token should be used to create projects within the domain and to assign roles to user within the domain20:17
morganfainbergnkinder, ++20:18
nkinderlhcheng: also user/group CRUD operations within the domain20:18
nkinderlhcheng: the "cloud admin" would be responsible for defining roles, CRUD operations for the domain objects, and assigning an admin to each domain20:19
lhchengnkinder: seems like almost all identity operations :P20:19
nkinderlhcheng: think of the domain owning users/groups/projects for that domain20:19
nkinderlhcheng: so the domain admin manages those things (and assignment of roles to their users/groups)20:20
nkinderthe cloud admin really just needs to set the domains up and can then delegate the administration within those domains down to the domain admin20:20
lhchengnkinder: thanks for the explanation!  That makes sense, that all domain admin related task would be using the domain scoped token.20:23
lhchengnkinder: how about managing regions and endpoints? the policy file uses "rule:admin_or_cloud_admin"20:24
nkinderlhcheng: it's a cloud admin task20:24
lhchengnkinder: does that mean I could a domain scoped token from cloud_admin domain and project scoped token with admin role20:25
lhchengs/could/could use20:25
nkinderlhcheng: let me bring up the policy and check20:25
stevemarnkinder, it's pretty much the same, except the methods is different20:26
nkinderstevemar: yeah, the way it's processed is different.  It just looked like the route is the same20:27
nkinderlhcheng: so the region policies seem odd to me...20:27
nkinderlhcheng: create, update, and delete all just use admin_or_cloud_admin20:28
nkinderlhcheng: I'm not sure that's ideal.  That means anyone with the "admin" role on anything can do those operations20:28
nkindermorganfainberg: do you know why those policies were set up that way? ^^^20:29
morganfainbergnkinder, uhm20:29
nkinderservices and endpoints look like what I would expect - https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json20:29
nkinderbut why wouldn't regions be the same?20:29
morganfainbergnkinder, you need to ask henrynash specifically why those were setup that way20:30
morganfainbergi'm honestly not 100% sure at this point it's been a while20:30
nkindermorganfainberg: cool, was wondering who to ask... :)20:30
nkinderthe current policy seems like it would allow a project "admin" to delete a region that the "cloud admin" created20:30
nkinderlhcheng: endpoint policies look correct.  The cloud admin manages them, but any admin can read them20:33
morganfainbergyeah might need some adjustments20:33
nkindermorganfainberg: there could be hard-coded restrictions (like trusts have)20:33
nkinderI'll bug henry about it when he's around20:33
lhchengnkinder: thanks for looking that up20:34
lhchengnkinder, I guess for now that policy file is just a reference20:34
lhchengand operator still needs to tweak it20:34
nkinderlhcheng: sure!  That policy file actually works, but it might need some tweaks20:35
morganfainberglhcheng, i think that's all policy files.20:35
*** amerine_ has joined #openstack-keystone20:35
lhchengmorganfainberg: true20:35
nkinderlhcheng: At a minimum, you need to set the id of your admin domain to use it.20:35
lhchengnkinder: right20:36
nkinderlhcheng: here's a snippet of a script that I've been using to switch over to using the domain aware policy - http://paste.openstack.org/show/121352/20:36
nkinderlhcheng: you should be able to get the basic idea from that20:37
*** nellysmitt has quit IRC20:37
lhchengwhen horizon start using the domain-scoped token for KS V# operation, we'll be able to verify the correctness of the policy.20:37
*** nellysmitt has joined #openstack-keystone20:38
*** amerine has quit IRC20:38
lhchengnkinder, nice20:38
nkinderlhcheng: I started to switch my horizon config over to use a domain on my test setup, but got side-tracked on other things20:38
nkinderlhcheng: horizon does have domain specific config20:39
lhchengyeah, I worked on that :)   It can work with V3, however it is using project-scoped token for all identity operations.20:41
lhchengnkinder, as long as keystone uses the default policy file, it works.20:42
*** nellysmitt has quit IRC20:42
nkinderlhcheng: ok, so horizon isn't getting a domain scoped token for anything now then?20:42
nkinderlhcheng: this seems like it would fit in with the stuff ayoung has been looking at (having horizon get an unscoped token and using that to switch between projects)20:43
lhchengnkinder: nope. it doesn't get the domain scoped token at all.   I think ayoung have started looking at that, or at least refactoring openstack_auth to make the transition easier.20:44
nkinderlhcheng: I suppose horizon would need a way for the user to select a domain to perform domain operations (as opposed to just projects)20:44
nkinderlhcheng: yeah, he and I have talked about it quite a bit.20:44
nkinderlhcheng: are you going to be at the summit?20:44
lhchengnkinder: the flow in the ui still needs to be figured out20:44
lhchengnkinder, yes20:44
nkinderlhcheng: great, we should all sit down and figure out the flow and what needs to be done.20:45
lhchengnkinder, agree!20:45
nkinderlhcheng: I'd really like to get domains and federation working well in horizon20:45
lhchengnkinder: ++20:45
lhchengnkinder, time to get lunch, brb20:45
lhchengthank you all for the help20:46
*** Kui has joined #openstack-keystone20:47
*** saipandi has quit IRC20:47
*** vsilva is now known as victsou20:53
*** saipandi has joined #openstack-keystone20:55
*** fifieldt has quit IRC21:00
*** fifieldt has joined #openstack-keystone21:00
*** amerine has joined #openstack-keystone21:05
*** amerine_ has quit IRC21:07
openstackgerritSteve Martinelli proposed a change to openstack/keystone-specs: Publish the Identity v3 API specs  https://review.openstack.org/12876521:09
*** dims_ has quit IRC21:14
morganfainbergdstanek, pretty straight forward fix to get *most* things fixed for the httpretty patch21:14
morganfainbergdstanek, erm, requests-mock21:14
morganfainberggetting some spurious 401s instead of expected responses atm21:14
morganfainbergthough21:14
rodrigodscan anyone have a quick look at https://review.openstack.org/#/c/111355/ . I'm most concerned with the parameters names choices (they have a considerable impact in the code we are shipping)21:14
*** dims_ has joined #openstack-keystone21:15
dstanekmorganfainberg: i started fixing some things on that patch and ran into issues21:15
morganfainbergdstanek, so i'm down to:21:15
morganfainbergdstanek, http://paste.openstack.org/show/121355/21:15
bknudsonwhat do you think about having a tests/public directory that has tests of the public API, such that you'd know if you changed something in public/ then you're changing a public API21:15
morganfainberglooks like spurious 401s where they aren't expected.21:16
morganfainbergbknudson, that would be a nice distinction, but isn't that equivalent of all of our RESTFUL atm?21:16
morganfainbergbknudson, slash functional changes.21:17
morganfainbergerm s/changes/tests21:17
dstanekmorganfainberg: i was getting this crap again http://paste.openstack.org/show/121356/21:17
morganfainbergoh that.21:17
morganfainbergFFS21:17
bknudsonmorganfainberg: I'm thinking about this for the auth_token middleware... since somehow the CONF options are part of the public API now.21:17
morganfainbergdstanek, that was an "old version of requests" issue iirc21:18
morganfainbergbknudson, ah, sure21:18
dstanekmorganfainberg: it was, but i upgrade to 0.5.121:18
bknudsonwhich nobody would realize otherwise.21:18
morganfainbergdstanek, oh so did it regress?21:18
dstanekmorganfainberg: not sure, i stopped so that i can watch a live stream for work21:18
morganfainbergi'm (at the very least) not seeing that issue with the 2.7 test run i'm doing21:19
* morganfainberg keeps hacking on these changes to try and figure out the last of these tests.21:19
mfischanyone seen this with the juno version of K + LDAP?  'module' object has no attribute 'LDAP_CONTROL_PAGE_OID'21:19
morganfainbergsomething is weird converting from httpretty...like we had a side effect of using it21:19
nkindermfisch: yes, someone mentioned that to me today21:20
mfischwithout paging I get too many results21:20
nkindermfisch: I just tried to repro with RC2 and it worked for me21:20
mfischI'm on RC221:20
nkindermfisch: so the report I received said that they downgraded python-ldap to 2.3 and it worked21:20
*** Kui has quit IRC21:20
nkindermfisch: but that doesn't make much sense21:20
mfischyeah I've read that, but frankly that's dumb21:20
nkindermfisch: glad we arrived at the same conclusion :)21:21
nkindermfisch: So I've seen error like this before, and it was related to some mismatch between python-ldap and openldap libs on the system21:21
mfischlet me look21:21
nkindermfisch: on your system, can you start an interactive python session and 'import ldap'?21:21
mfischsure21:21
bknudsonwe can always code LDAP_CONTROL_PAGE_OID ourselves in keystone21:22
mfisch(someone remind me to build a time machine and go back to last December when I volunteered to work on AD integration and call in sick)21:22
bknudsonit's a known value21:22
mfischnkinder: what do you want me to do?21:22
mfischldap.LDAP_CONTROL_PAGE_OID is of course undef21:23
nkindermfisch: ok, so you got that same error?21:23
mfisch>>> ldap.LDAP_CONTROL_PAGE_OID21:23
mfischAttributeError: 'module' object has no attribute 'LDAP_CONTROL_PAGE_OID'21:23
bknudsonldap.__version__21:24
mfisch>>> ldap.__version__21:24
mfisch'2.4.10'21:24
bknudsonI've got '2.3.13'21:24
mfischimport bknudson; bknudson.set_trace()21:24
mfischthat's what the internet says, to downgrade but that's dirty21:25
mfischlet me look for an upstream bug21:25
nkinderso did they drop this from the module?21:25
*** radez is now known as radez_g0n321:25
mfischI see references to this back to 2007 even21:26
nkindermfisch: yeah - https://mail.python.org/pipermail//python-ldap/2012q1/003105.html21:26
*** Kui has joined #openstack-keystone21:26
mfischhttps://mail.python.org/pipermail//python-ldap/2012q1/003105.html21:26
mfischjinx21:26
nkinderMichael is the python-ldap maintainer/developer21:27
mfischso should the keystone packages require 2.3 then?21:27
mfischI think 2.3 is in for P, but not later in Ubuntu21:27
mfischand confirmed21:27
nkinderyeah, so this is a bug21:27
nkinder2.4 is in RHEL7 too21:27
*** __TheDodd__ has joined #openstack-keystone21:28
bknudsonfrom ldap.controls import SimplePagedResultsControl -- it's totally different21:28
nkinderkeystone needs to be able to work with 2.421:28
mfischagree21:28
*** amcrn has quit IRC21:28
nkindermfisch: mind filing a keystone bug?21:28
*** r-daneel has quit IRC21:28
mfischwas about to ask21:28
mfischI love filing bugs21:28
nkindermfisch: I can see what needs to be done to fix it (unless bknudson has a burning interest)21:29
*** thedodd has quit IRC21:29
mfischlet me know if you need more details21:30
mfischhttps://bugs.launchpad.net/keystone/+bug/138176821:30
uvirtbotLaunchpad bug 1381768 in keystone "AttributeError: 'module' object has no attribute 'LDAP_CONTROL_PAGE_OID' with python-ldap 2.4" [Undecided,New]21:30
nkindermfisch: thanks21:30
mfischis this more than just defining that value? seems like it21:31
nkindermfisch: yes, though defining it could work around it21:32
mfischokay I may try that21:32
mfischjust for fun21:32
nkindermfisch: gotta love when APIs change21:32
morganfainbergdstanek, found the issue. lack of passing "status_code" properly21:36
morganfainbergdstanek, we have *broken* tests21:36
morganfainbergdstanek, requests-mock highlights this21:37
dstanekmorganfainberg: no surprise there :-P21:37
openstackgerritJeremy Stanley proposed a change to openstack/python-keystoneclient: Actually test interactive password prompt  https://review.openstack.org/12877021:37
mfischnkinder: the downgrade made my code work21:37
mfischI see you guys have improved ldap performance, it's about 3 minutes to list every user in my company21:38
morganfainbergdstanek, http://paste.openstack.org/show/121363/21:38
morganfainbergdstanek, status_code isn't httpretty21:38
nkindermfisch: it looks like keystone could just set the OID value to make this work with 2.3 and 2.4 (for now)21:38
morganfainbergvalid21:38
nkindermfisch: how long did it used to be?21:38
nkindermfisch: and how many users?21:38
mfischnkinder: 5 mins ;) I forgot to change my driver to not list ldap21:38
mfischnkinder: 50k+21:38
morganfainbergso that has been failing forever, fixing it, breaks the composite tests i'm seeing (with requests-mock). with requests-mock, not supplying "status_code" nets us the FP error you're seeing21:39
mfischan unreasonable amount21:39
nkindermfisch: still seems a bit ridiculous...21:39
nkindermfisch: AD, or something else?21:39
mfischa normal place would use an AD group to isolate people...21:39
mfischthat involves paperwork unfortunately21:39
morganfainbergdstanek, weird *now* i am only getting the FP error21:39
morganfainbergwtf.21:39
dstanekhaha21:40
nkindermfisch: still, I bet keystone is doing multiple operations per user when it really doesn't need to21:40
morganfainbergi think we're going to need to push the fix through that jamie didn't want in requests mock21:40
nkindermfisch: I did packet traces of LDAP early in the cycle and counted the number of LDAP operations for various CRUD operations in keystone.  It wasn't pretty...21:40
mfischnkinder: I'm happy to volunteer some of my time to help you track that stuff down as long as I can scrub the data21:40
morganfainberghttps://review.openstack.org/#/c/117890/ or https://review.openstack.org/#/c/118032/21:41
*** gordc has quit IRC21:41
nkindermfisch: I can mimic your setup with some basic details (numbers of entries, how you use groups, and what your keystone config looks like)21:42
mfischnkinder: happy to get you that21:42
morganfainbergdstanek, i can push that one jamie has through.21:42
mfischnkinder: will email you offline21:42
morganfainbergdstanek, but honestly his comment about breaking people worries me21:42
morganfainberghttps://review.openstack.org/#/c/118032/21:42
nkindermfisch: cool.  Let me try some things on the paging control.  I think a quick fix would be OK for now on this issue.21:43
morganfainbergdstanek, oh *doh*21:43
mfischnkinder: check your pms21:43
morganfainbergdstanek, body != text21:43
morganfainberg*grumble*21:43
openstackgerritJeremy Stanley proposed a change to openstack/python-keystoneclient: Actually test interactive password prompt  https://review.openstack.org/12877021:44
*** drjones has quit IRC21:48
*** _cjones_ has joined #openstack-keystone21:49
*** victsou is now known as vsilva21:50
*** _cjones_ has quit IRC21:53
*** mflobo has quit IRC21:56
*** packet has quit IRC21:58
morganfainbergoooh22:00
*** _cjones_ has joined #openstack-keystone22:01
openstackgerritMorgan Fainberg proposed a change to openstack/keystonemiddleware: Replace httpretty with requests-mock  https://review.openstack.org/11277722:05
morganfainbergdstanek, ^22:05
morganfainbergdstanek, it at least passes py27, checking py34 now.22:07
morganfainbergand pep822:08
morganfainbergyep, passes py34, omg spammy output we need to "fix"22:09
*** bknudson has quit IRC22:09
*** topol has quit IRC22:14
*** sigmavirus24 is now known as sigmavirus24_awa22:19
nkindermfisch: I have a patch I'm running through the unit tests now.  If all goes well, I'll propose it for review.  It would be great if you could try it out.22:20
*** praneshp has joined #openstack-keystone22:20
praneshpHi dolphm22:20
praneshpkeystone.user table has a column called ‘extra'22:21
praneshpis there a way to see the contents of that from the CLI / python client?22:21
praneshpmorganfainberg: ^^22:21
mfischnkinder: sure can you add me as a reviewer?22:23
nkindermfisch: will do22:23
*** david-lyle has quit IRC22:27
morganfainbergpraneshp, i don't think so.22:30
praneshpmorganfainberg: ok. I was hoping we could update that field without sql22:31
praneshpthanks morganfainberg22:31
lhchengmorganfainberg: if python-client is used as library, we should be able to update the "extra" attribute with this code: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/v2_0/users.py#L45 ?22:33
*** __TheDodd__ has quit IRC22:33
morganfainberglhcheng, but not from the CLI22:33
lhchengmorganfainberg: yup22:33
lhchengbut praneshp could use python client directly and write a python script to update the "extra" attribute instead of sql22:34
openstackgerritSteve Martinelli proposed a change to openstack/keystone-specs: Create specification for CADF everywhere  https://review.openstack.org/12878022:35
praneshplhcheng: can you also see (get) the extra attribute somehow?22:35
lhchengmorganfainberg: I haven't tested the update() though :P   But from the code, looks like it should work :)22:36
lhchengpraneshp: I think it should also work for get.  Have to boot my devstack to try it out..22:37
praneshplhcheng: let me walk over so you can use my cluster22:38
openstackgerritMorgan Fainberg proposed a change to openstack/keystonemiddleware: Replace httpretty with requests-mock  https://review.openstack.org/11277722:45
openstackgerritNathan Kinder proposed a change to openstack/keystone: Use newer python-ldap paging control API  https://review.openstack.org/12878222:46
morganfainbergnkinder, that is reverse compatible with older versions of the python-ldap lib?22:46
morganfainbergah nvm22:46
morganfainbergi see what you did22:46
nkindermorganfainberg: yeah22:46
morganfainbergeuuw22:46
morganfainbergreally.. they did that on a minor point release?22:46
openstackgerritSteve Martinelli proposed a change to openstack/keystone-specs: Create specification for CADF everywhere  https://review.openstack.org/12878022:46
* morganfainberg shakes head.22:47
nkindermorganfainberg: yeah...22:47
morganfainbergwtf people22:47
morganfainberg:P22:47
*** henrynash has joined #openstack-keystone22:49
*** browne has quit IRC22:49
nkinderhenrynash: hey Henry22:51
henrynashnkinder: hi22:51
nkinderhenrynash: I have a policy question for you22:51
henrynashnkinder: shoot22:51
nkinderhenrynash: I'm not sure I understand the region policy here - https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json22:52
nkinderhenrynash: should create, update, delete be allowed for any admin users, or only cloud admin?22:52
nkinderhenrynash: it looks like anyone with "admin" at any scope would be allowed to delete regions that the cloud admin defined22:52
henrynashnkinder: yes, I don’t agree with the region policy here…22:53
nkinderhenrynash: Ok.  It seems like it should be the same as the service and endpoint API22:53
henrynashnkinder: in fact, I don’t think that just having the role admin for non-project/domain related APIs should get you anything at all22:53
nkinderhenrynash: +122:54
nkinderhenrynash: I'll propose a fix22:54
henrynashnkinder: excellent!22:54
nkinderlhcheng: ^^^ that answers the policy thing we were talking about earlier22:54
henrynashnkinder: someone else has a proposed set of changes for this as well…which I think might fix this too…have to find the patch22:55
nkinderhenrynash: oh, I'll look for it too.  Let me know if you find it first.22:55
henrynashnkinder: https://review.openstack.org/#/c/123509/22:56
lhchengnkinder: thanks!22:57
nkinderhenrynash: looks like a pretty big overhaul22:58
henrynashnkinder: yes…(maybe too big?)…but one nice idea is to combine the two policy files so we only have one22:58
nkinderhenrynash: I agree that this is worth more discussion for Kilo.23:00
henrynashnkinder: yes23:00
nkinderhenrynash: I'll provide a more surgical update to the current policy in the meantime23:00
*** marcoemorais has quit IRC23:05
*** marcoemorais has joined #openstack-keystone23:05
*** marcoemorais has quit IRC23:05
*** marcoemorais has joined #openstack-keystone23:06
*** marcoemorais has quit IRC23:06
*** marcoemorais has joined #openstack-keystone23:06
*** henrynash has quit IRC23:06
*** marcoemorais has quit IRC23:07
*** marcoemorais has joined #openstack-keystone23:07
*** henrynash has joined #openstack-keystone23:13
*** praneshp has quit IRC23:20
*** praneshp has joined #openstack-keystone23:22
lhchenghenrynash, nkinder: haneef already started some work to combine the two policy files to work with v2 and v3: https://review.openstack.org/#/c/126217/23:22
*** _cjones_ has quit IRC23:24
lhchengoops I'm assigned to the ticket (https://bugs.launchpad.net/keystone/+bug/1378036) that unblocks it. I'll un-assign myself for now, in case someone wants to work on it.23:24
uvirtbotLaunchpad bug 1378036 in keystone "Keystone unit tests should use domain scoped token" [Low,Triaged]23:24
*** _cjones_ has joined #openstack-keystone23:24
*** marcoemorais has quit IRC23:26
*** drjones has joined #openstack-keystone23:26
*** marcoemorais has joined #openstack-keystone23:26
openstackgerritNathan Kinder proposed a change to openstack/keystone: Restrict certain APIs to cloud admin in domain-aware policy  https://review.openstack.org/12878823:28
*** _cjones_ has quit IRC23:29
*** stevemar has quit IRC23:32
*** praneshp has left #openstack-keystone23:32
*** henrynash has quit IRC23:37
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements  https://review.openstack.org/12776523:41
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/12663123:41
openstackgerritOpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/12667923:46
