Monday, 2014-10-20

*** jogo has left #openstack-keystone 00:00
*** henrynash has quit IRC 00:12
*** mitz_ has joined #openstack-keystone 00:33
openstackgerrit Rodrigo Duarte proposed a change to openstack/keystone: Add xmlsec1 dependency comments https://review.openstack.org/129338 00:38
*** topol has joined #openstack-keystone 00:40
rodrigods bknudson, just replied in the tiny doc patch ^ 00:46
*** jacer_huawei has quit IRC 00:47
*** sudorandom has quit IRC 00:51
*** sudorandom has joined #openstack-keystone 00:51
openstackgerrit A change was merged to openstack/python-keystoneclient: Fix mappings.Mapping docstring https://review.openstack.org/128615 00:51
*** apex has joined #openstack-keystone 00:58
*** jacer_huawei has joined #openstack-keystone 00:59
*** apex is now known as k-kosaka 01:00
openstackgerrit ayoung proposed a change to openstack/keystone-specs: rescope tokens unscoped to scoped only https://review.openstack.org/123760 01:05
*** stevemar has quit IRC 01:06
*** stevemar has joined #openstack-keystone 01:06
*** amcrn has joined #openstack-keystone 01:08
*** alex_xu has joined #openstack-keystone 01:12
openstackgerrit A change was merged to openstack/keystone: Remove check_password() in identity.backend.ldap https://review.openstack.org/129103 01:19
openstackgerrit ayoung proposed a change to openstack/keystone-specs: hierarchical roles https://review.openstack.org/125704 01:47
openstackgerrit Rodrigo Duarte proposed a change to openstack/keystone-specs: hierarchical roles https://review.openstack.org/125704 01:56
*** dimsum_ has quit IRC 02:01
*** dimsum_ has joined #openstack-keystone 02:02
*** dimsum_ has quit IRC 02:06
openstackgerrit ayoung proposed a change to openstack/keystone: Basic-Auth middleware https://review.openstack.org/92137 02:34
*** diegows has quit IRC 02:52
openstackgerrit ayoung proposed a change to openstack/keystone-specs: Session Tokens https://review.openstack.org/96648 03:11
openstackgerrit Nathan Kinder proposed a change to openstack/keystone: Use newer python-ldap paging control API https://review.openstack.org/128782 03:14
*** topol has quit IRC 03:36
*** HenryG has quit IRC 03:49
*** ayoung is now known as ayoung-ZZZzzz 03:57
*** topol has joined #openstack-keystone 04:00
*** topol has quit IRC 04:24
*** fifieldt has joined #openstack-keystone 04:48
*** swartulv has quit IRC 04:58
*** swartulv has joined #openstack-keystone 04:59
*** amcrn has quit IRC 05:34
*** stevemar has quit IRC 05:42
*** k4n0 has joined #openstack-keystone 06:11
*** aix has joined #openstack-keystone 06:33
*** r1chardj0n3s is now known as r1chardj0n3s_afk 06:37
*** dimsum_ has joined #openstack-keystone 06:40
*** aix has quit IRC 06:42
*** dimsum_ has quit IRC 06:45
openstackgerrit Dave Chen proposed a change to openstack/keystone: Correct the code path of implementation for the abstract method https://review.openstack.org/129530 06:54
*** vb has quit IRC 07:37
*** nellysmitt has joined #openstack-keystone 07:49
*** jamielennox has joined #openstack-keystone 07:49
* jamielennox the triumphant return 07:51
*** henrynash has joined #openstack-keystone 08:04
*** jistr has joined #openstack-keystone 08:12
* marekd o/ 08:13
*** afazekas has joined #openstack-keystone 08:19
openstackgerrit Jamie Lennox proposed a change to openstack/keystonemiddleware: Convert authentication into a plugin https://review.openstack.org/115857 08:59
openstackgerrit Jamie Lennox proposed a change to openstack/keystonemiddleware: Revert "Support service user and project in non-default domain" https://review.openstack.org/129551 08:59
openstackgerrit Jamie Lennox proposed a change to openstack/keystonemiddleware: Allow loading other auth methods in auth_token https://review.openstack.org/129552 08:59
*** henrynash has quit IRC 09:19
*** k4n0 has quit IRC 09:32
*** k4n0 has joined #openstack-keystone 09:35
*** amakarov_away is now known as amakarov 09:41
*** k-kosaka has quit IRC 09:55
*** htruta has quit IRC 10:18
*** KanagarajM has joined #openstack-keystone 10:18
*** yasu_ has joined #openstack-keystone 10:33
*** aix has joined #openstack-keystone 10:43
*** KanagarajM has quit IRC 10:51
openstackgerrit Alexander Makarov proposed a change to openstack/keystone: Trust redelegation https://review.openstack.org/126897 10:51
*** dimsum_ has joined #openstack-keystone 10:57
*** samuelms has joined #openstack-keystone 11:18
*** shikui_ has joined #openstack-keystone 11:25
*** diegows has joined #openstack-keystone 11:35
*** HenryG has joined #openstack-keystone 11:39
*** vb has joined #openstack-keystone 11:52
samuelms dolphm, ping 12:08
openstackgerrit Masahito Muroi proposed a change to openstack/keystonemiddleware: Changing the value type of http_connect_timeout https://review.openstack.org/126543 12:11
*** shikui_ has quit IRC 12:19
*** htruta has joined #openstack-keystone 12:19
*** dimsum_ has quit IRC 12:28
*** dimsum_ has joined #openstack-keystone 12:28
*** nellysmitt has quit IRC 12:40
*** yasu_ has quit IRC 12:45
*** henrynash has joined #openstack-keystone 12:48
openstackgerrit Xu Chen proposed a change to openstack/python-keystoneclient: set close_fds=True in Popen https://review.openstack.org/129456 12:49
*** saipandi has joined #openstack-keystone 12:49
*** radez_g0n3 is now known as radez 12:55
openstackgerrit Alexander Makarov proposed a change to openstack/keystone: LDAP additional attribute mappings description https://review.openstack.org/118590 12:56
*** pc-m has joined #openstack-keystone 12:57
*** henrynash has quit IRC 13:02
*** gordc has joined #openstack-keystone 13:09
*** bknudson has quit IRC 13:12
openstackgerrit A change was merged to openstack/keystone: Use newer python-ldap paging control API https://review.openstack.org/128782 13:36
*** bknudson has joined #openstack-keystone 13:39
amakarov bknudson, greetings! A question on https://review.openstack.org/#/c/120043/5/keystone/common/utils.py 13:42
bknudson amakarov: ok 13:43
amakarov bknudson, SmarterEncoder is used to encode all outcoming json responses 13:43
amakarov So if I make special encoder for PKI tokens I have to replace SmarterEncoder Everywhere ) 13:44
*** stevemar has joined #openstack-keystone 13:44
bknudson amakarov: the commit message doesn't make it clear that the goal is to change the encoding of all outgoing json responses... 13:44
bknudson the commit message only mentions PKI tokens. 13:44
amakarov bknudson, I see. So nothing wrong to encode all responses in a new way, just to mention it in commit message? 13:45
bknudson amakarov: I think it is wrong to encode all responses in a new way 13:46
amakarov bknudson, well, what's your idea about it? 13:47
bknudson amakarov: have a specific encoder just for the PKI token. 13:50
bknudson create a new class and use that to encode the PKI token. 13:50
jamielennox wow, we have a huge problem when we're concerned with gains like that 13:50
bknudson PKI tokens are broken 13:51
*** bdossant_ has quit IRC 13:51
jamielennox it's not that the patch is bad - just a huge problem 13:51
*** bdossant has joined #openstack-keystone 13:51
jamielennox bknudson: so I proposed https://review.openstack.org/#/c/129551/ 13:53
amakarov bknudson, good, I'll look how to bypass common json middleware 13:53
openstackgerrit ayoung proposed a change to openstack/keystone-specs: Hierarchical Roles https://review.openstack.org/125704 13:54
bknudson jamielennox: looks like I was already +2 on https://review.openstack.org/#/c/115857/ 13:55
*** k4n0 has quit IRC 13:55
jamielennox bknudson: do you understand where i was trying to go with it? 13:55
jamielennox I'm pretty sure that the WIP i posted as a follow up will work, i'm just spinning up some new environments to do a proper test 13:55
jamielennox and then add some test cases for it 13:56
bknudson oh, it was WIP 13:56
jamielennox no i added a new one as a follow on to that which is WIP 13:56
*** Guest4574 is now known as mfisch 13:56
*** mfisch has joined #openstack-keystone 13:56
jamielennox https://review.openstack.org/#/c/129552/ is WIP 13:56
bknudson jamielennox: ok, so this reverts support for v3 auth 13:57
jamielennox bknudson: yes, v3 auth can be supported (with whatever domain you like) by using an auth plugin 13:58
bknudson so it reopens the bug 13:58
jamielennox yes 13:59
jamielennox 129552 will close it (or make it invalid) 14:01
*** thedodd has joined #openstack-keystone 14:01
*** sigmavirus24_awa is now known as sigmavirus24 14:02
bknudson jamielennox: ok... add some tests so it's not a WIP 14:02
bknudson then I can try it out 14:02
jamielennox bknudson: yep, and i want to write up a chunk of documentation to be in the same patch 14:02
jamielennox just want to make sure you know why i'm proposing the revert 14:03
openstackgerrit Alexander Makarov proposed a change to openstack/keystone: PKI and PKIZ tokens unnecessary whitespace removed https://review.openstack.org/120043 14:11
stevemar blah, xml support is in the pipeline by default 14:14
stevemar and lxml is in test-req.txt 14:15
bknudson when can we remove xml support? 14:17
*** ayoung-ZZZzzz is now known as ayoung 14:17
stevemar bknudson, lbragstad is doing that now 14:19
ayoung jamielennox, you planning on posting a follow up to https://review.openstack.org/#/c/129551/ that uses a V3 auth plugin? 14:19
stevemar bknudson, quick q about https://review.openstack.org/#/c/126543/ 14:19
lbragstad stevemar: bknudson https://review.openstack.org/#/c/125738/ 14:19
lbragstad bknudson: stevemar links to the tempest and devstack changes are in there as well 14:19
bknudson stevemar: what's the q? 14:19
stevemar bknudson, i saw other patches fail when changing the options in auth_token.py, changing the help text for instance, why did this one work 14:20
jamielennox ayoung: i'm planning on fleshing out https://review.openstack.org/#/c/129552/ and using v3 as a reason to make people change how they configure auth_token 14:20
*** nkinder has joined #openstack-keystone 14:20
stevemar trying to dig up an example 14:20
ayoung jamielennox, will that allow multiple plugins, with different config options? I'd like to make it support the Kerberos one, which means selecting the plugin based on entry point 14:20
stevemar bknudson, like this one https://review.openstack.org/#/c/118048/ 14:21
bknudson stevemar: heat was still using middleware in keystoneclient. 14:21
stevemar bknudson, ah OK 14:21
stevemar that caused some conflict 14:21
stevemar neat 14:22
jamielennox ayoung: that will allow any plugin to be used with auth_token, so kerberos will work and the v3 options will be supported 14:22
bknudson stevemar: https://review.openstack.org/#/c/127100/ 14:22
openstackgerrit ayoung proposed a change to openstack/python-keystoneclient: Honor the inform and outform parameters https://review.openstack.org/127533 14:22
bknudson stevemar: heat is doing some wacky stuff. 14:22
stevemar bknudson, yes i recall looking at some of those patches 14:22
stevemar didn't realize it was so connected to the tempest tests 14:22
openstackgerrit ayoung proposed a change to openstack/python-keystoneclient: Honor the inform and outform parameters https://review.openstack.org/127533 14:23
bknudson they import auth_token middleware and try to grab conf options... which isn't going to work 14:23
bknudson for example jamielennox's change is going to break heat. 14:23
*** dtroyer has joined #openstack-keystone 14:23
stevemar thats not good 14:24
bknudson jamielennox: this should worry you: http://git.openstack.org/cgit/openstack/heat/tree/contrib/heat_keystoneclient_v2/heat_keystoneclient_v2/client.py#n120 14:24
jamielennox bknudson: the revert? 14:24
ayoung jamielennox, I found an issue with entry points that the "name" value in setup.cfg can mess up. python-keystoneclient-kerberos didn't work, but keystoneclient_kerberos did. I'm not certain if the python- is right or wrong, but we do it for Keystone client. 14:25
bknudson jamielennox: no, trying to use auth plugins in auth_token middleware 14:25
jamielennox bknudson: yea, umm - i don't know what we can do about that 14:25
ayoung break it! 14:25
jamielennox however using the username/password from auth_tokens config is wrong 14:25
jamielennox neutron does it too - or did 14:26
ayoung we need to get an X509 auth plugin standard so that service users can avoid having to read passwords out of config files 14:26
jamielennox ayoung: name in setup.cfg? like the plugin name entrypoint? or naming the gem? 14:27
jamielennox ahh gem, module thingy 14:27
ayoung gem is wrong language, but yes 14:27
ayoung https://github.com/openstack/python-keystoneclient/blob/master/setup.cfg#L2 14:27
jamielennox yea, i think i had to do that with requests-mock. pypi can have requests-mock as the name but internally you have to use requests_mock 14:27
ayoung really should not have python- there, as it is redundant 14:27
jamielennox because python would freak out if you did: import requests-mock or import keystoneclient-kerberos because it treats the - as a minus 14:28
ayoung hmmm, Monty Taylor did that. 14:28
stevemar gordc, ping 14:29
ayoung jamielennox, yeah, it messes up the package name, but it also is a PBR issue in registering packages. 14:29
ayoung I suspect that the PBR code is capable of handling one - to _ transform, as otherwise the python-keystoneclient name would fail for our other entrypoints 14:30
*** rwsu has joined #openstack-keystone 14:30
ayoung its strange behavior. If the class has ever been loaded in a unix session, then the naming works fine, but if you come from a fresh log in, the entrypoints are not found, and it is due to PBR searching through the set of site-packages 14:31
jamielennox that sounds .... odd 14:31
ayoung really ugly stuff. Starting to think that the R stands for Revenge, not Reasonableness 14:31
jamielennox so requests-mock is PBR 14:31
jamielennox though there isn't anything about entrypoints in there 14:31
jamielennox do you have a code example of where it fails 14:31
ayoung is the name requests-mock or python-requests-mock in setup.cfg? 14:32
ayoung yeah, previous version of the keystoneclient-kerberos patch failed 14:32
ayoung you don't need kerberos enabled, just load the plugin via stevedore 14:32
jamielennox just requests-mock, the python thing has always been kind of redundant 14:34
jamielennox is it a problem with entrypoints or PBR 14:35
gordc stevemar: whatup 14:36
stevemar gordc, trying to understand all the oslo incubator stuff in pycadf 14:36
gordc sure. 14:36
stevemar there seems to be a ton of it for a little library :) 14:36
gordc stevemar: yes there is. 14:37
stevemar gordc, any way we can lose the dependency on the fixture module? 14:37
gordc and pull in oslotest? 14:37
stevemar seems like the best candidate for shedding some bloat 14:37
stevemar hmm yes 14:37
stevemar i wasn't sure where that one was moved to 14:38
gordc stevemar: yes. i think i'm using it in our tests. 14:38
stevemar yes 14:38
gordc stevemar: want to coordinate on the switching to graduated libs? 14:38
stevemar gordc, i was just going to throw up some patches now 14:39
stevemar did it for keystone, ksc, and middleware already 14:39
*** henrynash has joined #openstack-keystone 14:39
gordc stevemar: what'd you switch? so i don't bother posting dup stuff 14:39
ayoung I think the problem is with PBR, as that is what does the version recognition. I hadn't 100% tracked it down, but found that it was missing the match due to the - to _ thing 14:39
stevemar gordc, still investigating, apparently 'local' needs 'log' 14:40
*** jacer_huawei has quit IRC 14:40
stevemar err other way around 14:40
stevemar but in keystone we import log, but pretty sure we don't have any local ref 14:40
gordc might be an old ref 14:41
*** jacer_huawei has joined #openstack-keystone 14:41
stevemar yeah, might want to do a sync first, then remove crud 14:41
gordc stevemar: if we can move the middleware to keystone middleware, we can really shrink pycadf 14:41
gordc stevemar: you going to sync oslo now? and then we can figure out how we want to split rest of work 14:42
stevemar gordc, true, but that'll be part 2 14:42
gordc stevemar: (yes, i'm assuming you're doing work) 14:42
stevemar gordc, i just started looking at this all 10 minutes ago :P 14:43
stevemar gordc, i haven't started anything, i planned to do it all, but we can certainly split it up :P 14:43
gordc stevemar: sync it! or i can i do a patch.. i think my oslo is current 14:43
*** thedodd has quit IRC 14:44
*** jorge_munoz has joined #openstack-keystone 14:47
*** htruta has quit IRC 14:47
stevemar gordc, sync'ing first doesn't make sense, we will lose all crap we want to remove 14:49
stevemar we should migrate to jsonutils, importutils, blah, and fixture, then sync and get rid of local (by updating log) 14:50
gordc stevemar: it's actually easier to sync first. some of oslo modules reference graduated libraries... and it makes it easier to switch to new oslo libs since the latest code is closer to what exists in lib 14:51
*** mflobo has quit IRC 14:51
*** jorge_munoz has quit IRC 14:52
stevemar gordc, so do a half-sync? and undo the deletes it causes to jsonutils and such? 14:52
*** jorge_munoz has joined #openstack-keystone 14:52
gordc stevemar: either or... it's probably best to just do a full sync and start pulling stuff out as you switch to the lib 14:52
openstackgerrit Steve Martinelli proposed a change to openstack/pycadf: Sync oslo libraries https://review.openstack.org/129637 14:55
stevemar gordc, ^ i left openstack-common.conf the same for now 14:55
ayoung jamielennox, you left the comment "I've got a few things to do but i'll hopefully come back and fix up my comments soon" on the Kerberos plugin. I assume that is low in your queue, and I'm planning on making those changes myself. 14:55
jamielennox ayoung: sure - i wasn't sure how high on your list that was 14:56
jamielennox i think i left comments for everything i saw 14:56
ayoung Kerberos is the biggest thing. I don't know if a V2 Kerberos plugin is realistic 14:56
ayoung I am guessing it would have to be "external" 14:57
*** aix has quit IRC 14:59
*** jistr has quit IRC 14:59
*** aix has joined #openstack-keystone 14:59
jamielennox ayoung: there's nothing preventing it, i just don't see any point doing it 15:01
*** jistr has joined #openstack-keystone 15:01
ayoung Agreed...just that saying "kerberos" is the cleanest thing from the Django side, but setting it to v3kerberos for now is probably the right call 15:05
*** david-lyle has joined #openstack-keystone 15:05
jamielennox ayoung: you can make an 'unversioned' kerberos plugin that just errors out if v3 isn't available 15:06
ayoung jamielennox, yeah, just that your current unversioned approach does a discovery call that I want to avoid 15:07
jamielennox it's just about doing discovery and keeping the option open for later 15:07
openstackgerrit Steve Martinelli proposed a change to openstack/pycadf: Move to oslo.serialization https://review.openstack.org/129641 15:07
*** saipandi has quit IRC 15:07
ayoung jamielennox, but Horizon shouldn't do discovery on each keystone call 15:07
jamielennox ayoung: discovery is cached by the session and the auth plugin 15:07
jamielennox so if it reuses session then caching is handled for it 15:08
ayoung yes, but sessions are not shared between requests in Horizon 15:08
stevemar gordc, ah i see log isn't in openstack-common.conf :) 15:08
stevemar that can cause issues 15:08
ayoung jamielennox, where we gonna cache the session? We don't have memcache guaranteed 15:08
jamielennox cache it on the process 15:08
jamielennox global var style 15:08
ayoung same session used for multiple users? 15:09
ayoung not sure what the threading model is for Horizon 15:09
jamielennox you can pass the auth plugin per client rather than per session 15:09
jamielennox so use the session for everybody 15:10
jamielennox then when you want to do something user specific do 15:10
morganfainberg jamielennox, welcome back 15:10
jamielennox c = keystoneclient.v3.client.Client(session, user_auth) 15:10
jamielennox morganfainberg: :) 15:10
gordc stevemar: hmm.. it's probably pulled in by something else 15:10
*** alee has joined #openstack-keystone 15:10
alee ayoung, hey 15:10
stevemar gordc, local>log>fileutils>lockutils>fixture 15:11
stevemar damn thats a chain 15:11
morganfainberg jamielennox, please look over the keystoneclient summit session and let me know if we need to make changes to the description. 15:11
jamielennox morganfainberg: glad to be back might be reaching a little too much, but it's good 15:11
ayoung alee, so you want ipa be hooked up to keystone to get a token? 15:11
alee ayoung, yeah - is it possible? 15:11
ayoung not sure what that means, but in general, I don't think IPA should know about Keystone. 15:11
gordc stevemar: you should see the original dependency graph that dhellmann created. 15:11
morganfainberg jamielennox, http://kilodesignsummit.sched.org/event/8df02f751841faa1cee7e4f1de1450f1 15:11
jamielennox morganfainberg: congrats on PTL 15:11
morganfainberg jamielennox, hehe thanks. 15:12
stevemar gordc, jeez, i think by the end of this we will have that directory empty 15:12
alee ayoung, in the case of vault though, ipa is providing more than just identity 15:12
alee ayoung, its providing well - vault - just like barbican 15:12
jamielennox morganfainberg: ok - i don't have a whole lot to say about client, most of what i need is in now and it's mostly getting other clients and services to use it 15:12
ayoung alee, yeah, but you've got your abstractions crossed 15:12
jamielennox don't mind leading it anyway 15:13
alee ayoung, and so it needs to know about projects 15:13
morganfainberg jamielennox, right. 15:13
gordc stevemar: yeah, i'm pretty sure all the dependencies are because of test or middleware. 15:13
morganfainberg jamielennox, cool thanks. 15:13
ayoung I mean, you could do it if you had LDAP assignment 15:13
ayoung and Barbican could enforce the Policy beyond what the vault does 15:13
stevemar what about context, gordc 15:14
alee ayoung, yes - in fact I just wrote a blueprint to do exactly that 15:14
ayoung alee, I guess I would say that Barbican should be able to call to Keystone, but not IPA 15:15
gordc that we may need to keep because we add that to cadf message when we build event 15:15
gordc but i think that's also more related to messaging so it is possible that it could be dropped. 15:15
ayoung its the whole "external authentication" that we never felt comfortable doing in IPA. 15:15
jamielennox why would barbican talk to keystone? i saw a thread on this with neutron wanting to talk to keystone and i dont think it's a good idea 15:15
gordc stevemar: ^ 15:16
ayoung alee, My current thinking is more like this: 15:16
ayoung there is a NIST standard for RBAC in LDAP. We could potentially support that. 15:16
openstackgerrit Steve Martinelli proposed a change to openstack/pycadf: Use oslo tests fixture https://review.openstack.org/129643 15:17
stevemar gordc, ah missed 1 instance, 15:17
ayoung and then both Keystone and IPA could share a common view of RBAC, but beyond that, I think there is too much variability 15:17
gordc stevemar: yeah, i've noticed sync/switching to graduated lib has random items you'll always miss. 15:19
ayoung jamielennox, so, session never has the auth plugin set? 15:19
jamielennox ayoung: yep, if it's specified to the client then it is used in preference to session - and you can just leave it unset in session 15:20
jamielennox preference to session.auth 15:20
jamielennox (i would leave it unset - it seems dangerous to me to mix having auth on the session and auth on the client, you're going to forget it somewhere) 15:21
ayoung jamielennox, take a look at https://review.openstack.org/#/c/121281/ as I think I am doing it wrong 15:21
ayoung https://review.openstack.org/#/c/121281/6/openstack_auth/utils.py,cm jamielennox has the offending code 15:22
jamielennox yea, looking at that now 15:23
jamielennox i don't like doing force_authenticate 15:24
jamielennox it doesn't protect anything because the session will do it again if required 15:24
*** david-lyle has quit IRC 15:24
jamielennox it looks like you're doing it to set a whole bunch of variables on the client, and you shouldn't be using them 15:25
openstackgerrit Steve Martinelli proposed a change to openstack/pycadf: Use oslo.serialization https://review.openstack.org/129641 15:28
ayoung jamielennox, we need to be able to force authenticate. We can't be guaranteed that a login has worked unless we get a token 15:29
*** mitz has quit IRC 15:29
ayoung and the only time we get a second token is if the first is unscoped 15:29
*** mitz has joined #openstack-keystone 15:29
jamielennox ok just so you're aware that it's not always authing there and it may attempt to reauth later 15:30
jamielennox bah, why does horizon need all that info? 15:32
openstackgerrit Steve Martinelli proposed a change to openstack/pycadf: Use oslo tests fixture https://review.openstack.org/129643 15:32
ayoung jamielennox, what info? 15:33
jamielennox auth_user.Token 15:33
stevemar ugh, just added pycadf-core, and it has like 15 people 15:34
stevemar blah 15:34
morganfainberg stevemar, hah 15:34
*** nellysmitt has joined #openstack-keystone 15:34
morganfainberg stevemar, removed oslo-core so that shouldn't happen again 15:35
stevemar haha, thanks morganfainberg 15:35
ayoung jamielennox, my guess is the auth_user.Token abstraction is due to there not being an alternative in the past 15:38
ayoung Django-OpenStack-Auth needs some scrubbing 15:38
ayoung jamielennox, my plan is to start with always requesting and storing an unscoped token 15:39
ayoung and then using that on the switch code. 15:39
marekd Looks like I am missing something. When I start using any openstack service (say via nova, glance cli) my client only knows OS_AUTH_URL, a url pointing me where I should start with authentication. Then, in a token I will receive service catalog with all the services in that cloud, right? 15:39
ayoung So at log in, it will force two calls to Keystone: 1 to get unscoped, a second to get scoped 15:39
ayoung we do a lot of calls at login time anyway: enumerating projects, etc 15:40
ayoung we could probably lump a bunch of calls together, but I think get it working as separate calls first 15:40
jamielennox marekd: yes 15:40
jamielennox ayoung: i'm still not sure what it's doing with that information though 15:41
ayoung jamielennox, Horizon itself doesn't need the data directly, it can now work through the KC abstraction for things like Service Catalog, but that was not the case when it was originally written 15:42
ayoung DOA is a little behind the times 15:42
ayoung token gets stored in the session 15:42
jamielennox ok, yea that seems relatively common unfortunately 15:42
*** aix has quit IRC 15:42
jamielennox i'm trying to move things forward but people keep wanting things like the current scope from the token 15:43
marekd jamielennox: so if in my SC there is http://keystone:5000/v2.0 configured as identity service keystoneclient will try to access this url and hence use v2 identity api, right? 15:43
ayoung exactly 15:43
ayoung jamielennox, and...that should probably be "current scope from the client" 15:43
ayoung but then, how do you persist the scope? 15:43
*** aix has joined #openstack-keystone 15:44
jamielennox marekd: the hence is too optimistic, it doesn't recognize from the URL that it's a v2 endpoint 15:44
jamielennox it will use whatever client you tell it to regardless of the catalog unfortunately 15:44
jamielennox there is a hack in place to allow it to strip the /v2.0 for v3 client calls - but it's not smart enough to know 15:44
marekd jamielennox: so if i set OS_IDENTITY_API_VERSION=3 15:45
jamielennox ayoung: i consider the clients mostly stateless 15:45
marekd jamielennox: and have /v2.0 identity endpoint in my SC 15:45
jamielennox marekd: what service are we talking about? horizon? 15:45
marekd jamielennox: keystone 15:45
marekd and cli 15:45
ayoung jamielennox, so the state abstraction is the auth plugin only? 15:45
*** jistr has quit IRC 15:45
jamielennox marekd: keystone CLI doesn't support v3 at all 15:45
marekd keystoneclient does, python-openstackclient does. 15:46
jamielennox ayoung: yep 15:46
jamielennox marekd: yes OSC does, in that case you're telling it which API version to use - which happens to equate to which auth version to use 15:46
ayoung jamielennox, let me see if Token has snuck into the Horizon codebase or if it is limited to DOA 15:46
jamielennox and it also does a hack to strip off /v2.0 15:47
*** gyee has joined #openstack-keystone 15:47
jamielennox ayoung: that's the goal, session has some transport state like SSL certs, auth plugin has auth state, clients are stateless 15:47
jamielennox (other than having a session and/or auth plugin) 15:47
ayoung jamielennox, I think there are some references in the Horizon tests, but the rest of Horizon should be agnostic 15:48
marekd jamielennox: yes, so let's say I stick to V3 API. But then In my SC i will receive identity endpoint set to http://keystone:5000/v2.0. Now if osc use this exact url it will try to use v3 api through v2 pipe. Am I right? 15:48
ayoung so all of the cleanup would be in DOA 15:48
ayoung marekd, and there is the pain point 15:48
jamielennox marekd: yep, but OSC and KSC have a hack in place to recognise the mistake and work around it 15:48
marekd jamielennox: ah, so it's already there.... 15:49
jamielennox marekd: we unfortunately can't change the service catalog to be keystone:5000/ yet because we will break all the legacy apps that are expecting a versioned endpoint 15:49
ayoung or, even better: https://hostname/keystone/main/ 15:49
openstackgerrit Steve Martinelli proposed a change to openstack/pycadf: Sync oslo libraries https://review.openstack.org/129637 15:49
stevemar gordc, thanks for the comments 15:50
jamielennox ayoung: if it's coming from the service catalog i couldn't care less what it looks like 15:50
openstackgerrit Steve Martinelli proposed a change to openstack/pycadf: Use oslo.serialization https://review.openstack.org/129641 15:50
openstackgerrit Steve Martinelli proposed a change to openstack/pycadf: Use oslo tests fixture https://review.openstack.org/129643 15:50
marekd jamielennox: understood, i simply have an example of a cloud with endpoints set to /v20 only however I could use osc with v3 api and was wondering why... 15:50
stevemargordc, -2500 lines of code :)15:50
ayoungjamielennox, not sure that the hack worked for Horizon;  I still needed to modify the service catalog to get it to work with V315:50
jamielennoxmarekd: yep, it's a hack and if you change the v2 endpoint to something other than /v2.0 it will fail15:50
jamielennoxayoung: if you're using the session the hack only went in in the 0.11 version15:51
ayoungBut then,m Horizon want's to tell Keystone what version of the API it is using on top of the Auth url and the service catalog15:51
marekdjamielennox: so setting endpoints to /v3 and trying to use with /v2.0 will also *NOT* work.15:51
marekderr, setting IDENTITY_API_VERSION=2.015:51
jamielennoxmarekd: yes - the last thing i want to do is encourage people to move to another versioned endpoint15:51
gordcstevemar: now you just need to get rid of that oslo.messaging requirement and it becomes lightweight :)15:51
*** afazekas has quit IRC15:52
jamielennoxmarekd: i've got things in place so a number of clients will work with the unversioned endpoint in the catalog - but i want /v3 to fail so people don't try and do it15:52
marekdjamielennox: thanks, makes sense now :-)15:52
ayoung keystone --version returns 0.11.215:52
stevemaragreed!15:53
jamielennoxsplit pycadf.parsing and pycadf.messaging15:53
ayoungjamielennox, OK,  so please bleed on the Auth Tokens review for DOA, as I think getting that right is essential.  I might need some more hands on help getting that to work, as the "force_reauthenticate" call  was the result of much trial and error15:53
morganfainbergok.. so can anyone point me to the bug/bp that is about where we issue the wrong 404 error on some operations, we should instead issue a bad request (e.g. if you try and create a role with a non-existent project, not a 404 project not found)15:54
jamielennoxayoung: yea, we may not have much choice on DOA because it's a library and so may be used with older versions of horizon - we just need to look at where to from here15:55
*** lhcheng has joined #openstack-keystone15:56
*** lhcheng_ has joined #openstack-keystone15:57
*** _cjones_ has joined #openstack-keystone16:00
*** topol has joined #openstack-keystone16:00
*** fifieldt has quit IRC16:03
bknudsonmorganfainberg: what does it mean to create a role with a non-existent project?16:04
amakarovayoung, good day! I16:04
amakarovayoung, good day! I've done pedigree check in trust chains16:05
ayoungamakarov, not yet you haven't16:05
morganfainbergbknudson, there is a bug where we issue a 404 when you're doing something like creating a user for a non-existent domain. this is because we do/did "get_domain" instead of saying "oh domain doesn't exist, this is a bad request"16:05
amakarovayoung, but I don't know how to test it )16:05
morganfainbergbknudson, might have been fixed.16:05
ayoungah..so not in a submitted review...good16:06
morganfainbergbknudson, just was trying to communicate the concept, but LP is making finding that "fun".16:06
ayoungamakarov, OK, I think the right place to do it is in the get call16:06
ayoungamakarov, wrap this function:  http://git.openstack.org/cgit/openstack/keystone/tree/keystone/trust/core.py#n8316:07
ayoungand check that, if it is a redelegated trust,  do a get on the parent, etc16:07
ayoungand, on get, check that the roles etc are still valid16:07
amakarovayoung, do parents care about redelegated trusts?16:08
ayoungamakarov, probably this logic here needs to move: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/trust/controllers.py#n6916:08
ayoungamakarov, other way around:  if a parent trust is invalid, so is the redelegate one16:09
amakarovayoung, if I move delete logic to controller, notification event won't be fired16:09
ayoungamakarov, controller is the wrong place16:09
amakarovayoung, agreed about descendants invalidation16:09
ayoungcontroller is really for binding to HTTP, but the common logic belongs in the manager16:09
amakarovayoung, pardon, I'm about the manager )16:10
ayoungamakarov, I'm all about the Pentiums myself16:10
amakarovIt's manager's "delete" that is wrapped in notification16:10
*** bdossant has quit IRC16:11
amakarovayoung, I have to create trust delete notification manually if logic moved to manager16:12
ayoungamakarov, it belongs in the manager anyway16:12
ayoungamakarov, here's the thing:  oauth and trusts should use the same code16:12
*** saipandi has joined #openstack-keystone16:12
ayoungthe trusts implementation is really the generic delegation mechanism, and I expect it to be used regardless of the API called16:13
ayoungamakarov, think of the controller as the WEB API implementation, and the manager as the API agnostic logic16:13
amakarovayoung, so all that trust hierarchy stuff goes to manager, got it16:14
ayoungamakarov, yeah.  Common code, regardless of where and how it is called16:14
*** lhcheng has quit IRC16:15
*** lhcheng_ is now known as lhcheng16:15
ayoungamakarov, and with that, I am off to get lunch and walk the dog.  As part of your patch, make sure you have all sorts of tests for intermediate users getting disabled, the parent user losing roles that are in the trusts, and so forth.  Test the living daylights out of this code.16:18
*** ayoung is now known as ayoung-dogwalkin16:18
rodrigodshenrynash, lbragstad, think it's ready for +A =) https://review.openstack.org/#/c/117785/2716:18
*** dimsum_ has quit IRC16:20
*** dimsum_ has joined #openstack-keystone16:21
henrynashrodigods: only one question I have after looking at it again, is the name of the get_project_subtree() method….16:24
henrynashrodigods: it returns a list….so in general we try and name methods that return a list something like “list_xyz”16:25
*** dimsum_ has quit IRC16:25
henrynashrodigods: a “get_xyz” style of naming is meant to return a single entity16:25
*** ks-untriaged-bot has joined #openstack-keystone16:26
ks-untriaged-botUntriaged bugs for project keystone:16:26
ks-untriaged-bothttps://bugs.launchpad.net/keystone/+bug/138196116:26
uvirtbotLaunchpad bug 1381961 in keystone "Keystone API GET 5000/v3 returns wrong endpoint URL in response body" [Undecided,New]16:26
ks-untriaged-bothttps://bugs.launchpad.net/keystone/+bug/137693716:26
uvirtbotLaunchpad bug 1376937 in keystone "No way to prevent duplicates in endpoints" [Undecided,Confirmed]16:26
ks-untriaged-botUntriaged bugs for project python-keystoneclient:16:26
ks-untriaged-bothttps://bugs.launchpad.net/python-keystoneclient/+bug/137708016:26
uvirtbotLaunchpad bug 1377080 in python-keystoneclient "Stale endpoint selection logic in keystone client" [Undecided,In progress]16:26
ks-untriaged-bothttps://bugs.launchpad.net/python-keystoneclient/+bug/137271016:26
uvirtbotLaunchpad bug 1372710 in python-keystoneclient "cfn-push-stats fails to authenticate" [Undecided,Incomplete]16:26
ks-untriaged-bothttps://bugs.launchpad.net/python-keystoneclient/+bug/135756716:26
uvirtbotLaunchpad bug 1357567 in python-keystoneclient "auth_ref caching/retrieving is failing - user needs to provide password for every command" [Undecided,New]16:26
*** ks-untriaged-bot has quit IRC16:26
henrynashrodigods: now there are plenty of places where we break that rule :-)….but we have been trying to keep to it more recently16:27
lhchengrodigods: I just noticed that you’re submitting the patch to feature/hierarchical-multitenancy branch instead of master. What does that mean?16:28
morganfainberglhcheng, it's a feature branch16:28
morganfainberglhcheng, once it's all merged we'll move it over to master16:28
morganfainberglhcheng, this allowed them to work on it w/o needing -2s etc to prevent merging late in Juno16:29
*** zzzeek has joined #openstack-keystone16:31
jamielennoxalright, see everyone tomorrow16:34
*** marcoemorais has joined #openstack-keystone16:36
*** jamielennox has quit IRC16:37
*** wwriverrat has joined #openstack-keystone16:38
openstackgerritA change was merged to openstack/keystone-specs: Enable tests on non-SQLite databases  https://review.openstack.org/12637016:42
lhchengmorganfainberg, ah that makes sense.  Is there already a target milestone for this feature? :)16:42
morganfainberglhcheng, I would hope by the summit.16:42
morganfainbergor at least to have it completely merged to the topic branch.16:42
openstackgerritAlexander Makarov proposed a change to openstack/python-keystoneclient: Endpoint selection logic fix  https://review.openstack.org/12592316:43
lhchengmorganfainberg, cool looking forward to it!16:44
* lhcheng mind blown about hierarchical project + inherited roles 16:45
*** thedodd has joined #openstack-keystone16:47
openstackgerritAlexander Makarov proposed a change to openstack/keystone: PKI and PKIZ tokens unnecessary whitespace removed  https://review.openstack.org/12004316:49
rodrigodslhcheng, we have this feature branch, to get everything from HM in place16:56
rodrigodsonce all patches are approved, we are going to get it merged to master16:56
*** marcoemorais has quit IRC17:00
*** jsavak has joined #openstack-keystone17:02
*** gyee has quit IRC17:03
*** marcoemorais has joined #openstack-keystone17:03
*** radez is now known as radez_g0n317:04
rodrigodshenrynash, just replied at your comment in the HM patch17:10
*** thedodd has quit IRC17:11
*** topol has quit IRC17:14
*** harlowja_away is now known as harlowja17:14
*** aix has quit IRC17:18
*** richm has joined #openstack-keystone17:22
*** ayoung-dogwalkin is now known as ayoung17:26
ayoungrodrigods, I'm not going to make you rework it, but I really don't like how you split up that patch and the follow on.   Yes, smaller patches are good, but there has to be some logical consistency to the patches.  Always think "if this one gets in, but the follow on one doesn't, does the first patch make sense?"17:28
*** wwriverrat has left #openstack-keystone17:29
rodrigodsayoung, ++ that was a difficult decision to make, I was aware about this issue17:29
ayoungrodrigods, I've been guilty of some hugh-mong-us patches in my time17:29
rodrigodsayoung, actually, it fitted better our internal tasks and was how it would be better split17:30
rodrigodsbut... yeah17:30
ayoungfair enough17:30
*** marcoemorais has quit IRC17:32
*** jacer_huawei has quit IRC17:32
openstackgerritA change was merged to openstack/keystone: Remove unused ec2 driver option  https://review.openstack.org/12481017:34
openstackgerritA change was merged to openstack/keystonemiddleware: Changing the value type of http_connect_timeout  https://review.openstack.org/12654317:34
openstackgerritSteve Martinelli proposed a change to openstack/pycadf: Sync oslo libraries  https://review.openstack.org/12963717:34
*** marcoemorais has joined #openstack-keystone17:38
*** topol has joined #openstack-keystone17:42
*** afazekas has joined #openstack-keystone17:43
*** amcrn has joined #openstack-keystone17:43
*** jacer_huawei has joined #openstack-keystone17:48
lbragstadif anyone is itching to take on a review, I'd appreciate any feedback on the XML removal stuff https://review.openstack.org/#/c/125738/17:52
*** sigmavirus24 is now known as sigmavirus24_awa17:52
lbragstadfailing tests because the proposed changes to Tempest/Devstack haven't been merged yet, they want to see a couple +2s on the Keystone patch first.17:53
*** toddnni has quit IRC18:01
*** toddnni has joined #openstack-keystone18:02
*** toddnni has quit IRC18:06
*** afazekas has quit IRC18:08
*** thedodd has joined #openstack-keystone18:10
*** dimsum_ has joined #openstack-keystone18:11
*** afazekas has joined #openstack-keystone18:15
*** arunkant has joined #openstack-keystone18:20
*** sigmavirus24_awa is now known as sigmavirus2418:21
openstackgerritA change was merged to openstack/keystone: Add max-complexity to pep8 for Keystone  https://review.openstack.org/12914318:22
*** thedodd has quit IRC18:27
*** amakarov is now known as amakarov_away18:35
*** afazekas has quit IRC18:38
*** Guest52830 is now known as mgagne18:42
*** mgagne has joined #openstack-keystone18:42
*** zzzeek has quit IRC18:48
*** zzzeek has joined #openstack-keystone18:49
openstackgerritSteve Martinelli proposed a change to openstack/pycadf: Use oslo.serialization  https://review.openstack.org/12964118:53
openstackgerritSteve Martinelli proposed a change to openstack/pycadf: Use oslo tests fixture  https://review.openstack.org/12964318:53
morganfainbergayoung, do you have a token constraints BP registered yet? or just the spec proposed?18:55
*** nkinder has quit IRC18:56
ayoungBP?   No18:56
ayoungjust the spec18:56
morganfainbergayoung, ok cool18:56
morganfainbergayoung, thanks :)18:56
ayoungmorganfainberg, I was trying to get all of my specs up to date, then was going to get the BPs in sync, but people keep reviewing my specs (good) and -1ing them (dagnabit)18:56
morganfainbergayoung, works for me18:56
morganfainbergayoung, no rush.18:56
morganfainbergfor the BPs that is18:57
*** afaranha has quit IRC18:59
*** navid_ has joined #openstack-keystone18:59
*** raildo has quit IRC19:00
*** samuelms has quit IRC19:01
bretonsomething was happening to Alembic bp19:01
morganfainbergbreton, i was just classifying it19:01
morganfainbergi'm doing BP cleanup19:01
morganfainbergand wanted to make sure it wasn't punted because it *is* something we want.19:02
bretonoh, ok. I'm still on it, btw. I was reading docs and doing some experiments19:02
morganfainberg++19:02
morganfainbergyep, keep working on it. :)19:02
morganfainbergdstanek, is https://blueprints.launchpad.net/keystone/+spec/failing-tests still something you're working on?19:04
morganfainbergdstanek, or something i should deprioritize for now.19:04
morganfainbergayoung, is ^ that BP something we even still need/want? (I can still see value there)19:05
*** samuelms has joined #openstack-keystone19:05
*** raildo has joined #openstack-keystone19:05
ayoungmorganfainberg, that was registered as the result of a discussion about how to deal with bugs and test failures19:06
*** afaranha has joined #openstack-keystone19:06
morganfainbergayoung, right. it's reasonable, i'm happy to see something like that19:06
ayoungso, yeah, I think it should be done, but not certain about priority19:06
morganfainbergk i'll just set it to "not" for now19:07
morganfainberghenrynash, ping did: https://blueprints.launchpad.net/keystone/+spec/fetch-policy-by-endpoint get implemented?19:08
dstanekmorganfainberg: I actually implemented it last week, but didn't have a chance to push the commit19:08
morganfainbergdstanek, oh cool will prio it as low and tag to kilo-1 then. awesome19:09
morganfainbergso interestingly, new OS X seems to have increased my battery life on my laptop from ~4hrs to ~6h with normal web use + IRC19:10
morganfainbergdolphm, ^ same question i asked henrynash. I want to say it was implemented...19:12
dstanekI found the same thing after an update.19:12
morganfainbergbut.. honestly, i can't find the code.19:12
morganfainbergdstanek, don't get me wrong, I'm not complaining at all! :)19:12
dolphmmorganfainberg: i don't think so19:13
morganfainbergdolphm, ok i'll tag it as something we need to pull forward to kilo19:13
morganfainbergthanks19:13
dolphmmorganfainberg: just a heads up, i'm working on unwinding the hard dep that our functional tests have on XML translation19:17
morganfainbergdolphm, ++ awesome.19:17
dolphmmorganfainberg: per the confused email on the thread. hoping to respond with a patch19:17
dolphmon the list*19:17
morganfainbergyeah saw the mail, thanks for jumpin on that one19:17
*** stevemar has quit IRC19:19
morganfainbergwoot, blueprint list is starting to look a lot more manageable19:22
*** andreaf has joined #openstack-keystone19:28
*** radez_g0n3 is now known as radez19:30
ayoungwhat is our approach to XML going to be?19:34
morganfainbergayoung, i think the right answer is what we discussed last week, middleware/pluggable system (Pecan?) that we can just write a renderer for19:35
*** g4rg4m3|_ has quit IRC19:36
ayoungmorganfainberg, that was HTML.  Pecan already does XML, but I am guessing it will differ (subtly?  substantially) from the XML Keystone produced in the past19:36
morganfainbergayoung, we've deprecated the old XML19:36
morganfainbergit's done, it's being removed in Juno19:36
morganfainbergerm19:37
morganfainbergKilo19:37
rodrigodslhcheng, there?19:37
morganfainbergso if we're supporting something *new* like Pecan version of XML, that'll need to be communicated (release notes? documentation? etc?). but i think the answer is the same as HTML19:37
ayoungmorganfainberg, I think we found that moving to Pecan/WSME rendering was going to affect our JSON processing.19:37
lhchengrodrigods: hey!19:38
morganfainbergayoung, pecan/wsme isn't the only option (Falcon?). but our approach should be the same.19:38
*** miqui has joined #openstack-keystone19:38
morganfainbergsomething pluggable not what we had.19:38
ayoungFalcon?  Is it  Blue?19:38
morganfainberglol19:38
rodrigodslhcheng, regarding your comment about the ABOVE part in the api19:39
rodrigodsdo you have suggestions to improve it? It's indeed only the parents, the children will not appear19:39
ayoungmorganfainberg, is there any demand for XML?  If so, from whom, and will changing the rendering render the point moot?19:40
morganfainbergayoung, afaik, no.19:41
morganfainbergwe've deprecated it and if they really need XML they could use the JSONx *duck*19:41
morganfainbergmechanism.19:41
morganfainbergi mean...19:41
openstackgerritA change was merged to openstack/keystonemiddleware: Fix reference to middleware architecture doc  https://review.openstack.org/12707819:44
openstackgerritA change was merged to openstack/keystonemiddleware: Remove HTTP_X_STORAGE_TOKEN doc  https://review.openstack.org/12708319:44
lhchengrodrigods: If I request for the  the current project selected to GET is a 3rd level child, should it show the parent going up Level 2 and Level 1 in a list or ju?19:44
lhcheng** If I request for the “parents” of the current project (a 3rd level child), should it show the parent going up Level 2 and Level 1 in a list or just the direct parents?19:45
lhchengrodrigods: not sure which one is better, just throwing some thoughts to think about in the API design.19:46
morganfainbergayoung, https://blueprints.launchpad.net/keystone/+spec/kerberos-authentication this BP is effectively implemented right?19:47
rodrigodslhcheng, each project has only one parent. And the regular project object already has the direct parent_id.19:48
ayoungnot yet19:51
ayoungmorganfainberg, still need to get the client side going,  but I guess that is only server side19:52
morganfainbergyeah19:52
morganfainbergthat was my thought19:52
ayoungmorganfainberg, but...19:52
ayoungmorganfainberg, the way I am handling it now is hackish, and not the good kind19:52
ayoungbasically, just a separate AUTH_URL19:52
ayoungand no way to advertise19:52
ayoungbut...yeah,  that one as written is covered19:53
morganfainbergmarked as implemented19:53
*** navid_ has quit IRC19:53
lhchengrodrigods: understood.  for example: If you have a hierarchy of Project A -> Project B -> Project C, then call GET /projects/<project C>?parents.  Should we return [Project B, Project A] or just the direct parent of Project C?   I think typical hierarchical API would just return the direct parent. And if the user wants to traverse up, they need to make another call.19:54
morganfainbergayoung, is this users authenticating against an endpoint with a cert? an endpoint authenticating against keystone with a cert? something else? https://blueprints.launchpad.net/keystone/+spec/endpoint-cert19:55
morganfainbergpart of token binding?19:55
ayoungmorganfainberg, that was going to be the endpoints service user validating with a cert back to keystone19:55
ayounghere's what is going to happen19:56
ayoungwe are going to get the X509 plugin from gyee and jamielennox is working on making middleware use an auth plugin19:56
rodrigodslhcheng, if you call GET /projects/<project C> it will return the project object, which will contain a parent_id field with <Project B>. If you want the whole list of parents, you call with the ?parents query, which will return an extra field called parents, that will contain a list with [Project B, Project A]19:56
morganfainbergthe description just wasn't super useful. so just trying to update that before setting a prio on it19:56
ayoungthat should support both kerberos and x509 auth from the endpoints19:56
ayoungwilco19:56
*** nkinder has joined #openstack-keystone19:57
ayoungmorganfainberg, I've basically been using the Blueprints as a record of backlog items.19:58
ayoungSome of them have lingered for a while. but most are still valid concepts19:58
morganfainbergayoung, thats fine, most of them i'm just pushing to the bottom of the pile, but if i can't figure out what they're meant to convey, it means likely only the person registering has a clue what they're meant to say20:00
ayoung++20:00
morganfainbergayoung, and that makes them less than useful for anyone picking them up later20:00
ayoungmorganfainberg, absolutely.20:00
morganfainbergi've also found a few you registered twice20:00
morganfainbergjust slightly different name20:00
morganfainberglike 2 or 3 duplicates20:00
morganfainbergthose i picked the one with more info and closed the other one.20:01
morganfainbergbut like i said, most of yours i was going to leave alone since it's fine as a backlog for now (until we have something better)20:01
* morganfainberg needs to find a new coffee shop. the music is so bad here today I can't even drown it out with headphones.20:02
rodrigodsmorganfainberg, lol20:02
morganfainbergi've learned I *really* don't like "architecture in helsinki" as an artist20:02
ayoungmorganfainberg, I'm at home, switching between Stan Getz and Gato Barbieri20:03
morganfainberghehe20:03
rodrigodsI did home office once, I miss those days =(20:03
morganfainbergrodrigods, i like it right until I want to *not* be at home.20:04
*** stevemar has joined #openstack-keystone20:04
rodrigodsmorganfainberg, that's why I'm member from a hackerspace in my city =D20:04
morganfainbergLA doesn't have good hackerspaces.20:04
rodrigodsI like the one here (it's the only one), really small and friendly people20:05
rodrigodsalso with a lot of toys20:05
lhchengrodrigods: missed the part about the GET /projects/<project_id> already includes the parent_id there.  You can ignore my comment :P20:05
rodrigodslhcheng, np =P20:05
rodrigodslhcheng, suggestions about how to write the phrase that explains the ?parent param?20:06
*** _cjones_ has quit IRC20:06
*** _cjones_ has joined #openstack-keystone20:06
*** harlowja is now known as harlowja_away20:10
lhchengrodrigods:  Instead of “ABOVE its hierarchy”, perhaps something like “walking/traversing up its hierarchy.”20:13
rodrigodslhcheng, ++20:14
*** jsavak has quit IRC20:16
openstackgerritRodrigo Duarte proposed a change to openstack/identity-api: API documentation for Hierarchical Multitenancy  https://review.openstack.org/11135520:17
openstackgerritRodrigo Duarte proposed a change to openstack/identity-api: API documentation for Inherited Roles to Projects  https://review.openstack.org/12944520:17
*** joesavak has joined #openstack-keystone20:17
openstackgerritRodrigo Duarte proposed a change to openstack/identity-api: API documentation for Hierarchical Multitenancy  https://review.openstack.org/11135520:18
*** david-lyle has joined #openstack-keystone20:18
openstackgerritRodrigo Duarte proposed a change to openstack/identity-api: API documentation for Inherited Roles to Projects  https://review.openstack.org/12944520:19
*** r1chardj0n3s_afk is now known as r1chardj0n3s20:22
*** HenryG has quit IRC20:23
morganfainbergdolphm, i think https://blueprints.launchpad.net/keystone/+spec/external-auth-plugins this has been implemented?20:31
openstackgerritSteve Martinelli proposed a change to openstack/pycadf: Use oslo tests fixture  https://review.openstack.org/12964320:34
*** drjones has joined #openstack-keystone20:35
*** dimsum_ has quit IRC20:37
morganfainbergstevemar, topol, which one: https://blueprints.launchpad.net/keystone/+spec/cadf-notifications-everywhere or https://blueprints.launchpad.net/keystone/+spec/cadf-project-operations20:38
*** dimsum_ has joined #openstack-keystone20:38
morganfainbergstevemar, topol, i'm leaning towards the "everywhere" one20:38
stevemarerrrrwhere20:38
topolI'm having a deja vu20:38
*** _cjones_ has quit IRC20:39
topoldidn't you ask this last week :-)20:39
morganfainbergtopol, stevemar, yes... and no one fixed it20:39
topoleverywhere. if you're gonna be a bear, be a grizzly20:39
topoldoh!20:39
morganfainbergtopol, stevemar, so this was the "ok i'm fixing it"20:39
topolhow do we fix?20:39
morganfainbergstevemar, go take a look at the Keystone bp page ;)20:39
morganfainbergtopol, i marked the project one as superseded by the everywhere one20:39
*** dimsum_ has quit IRC20:42
*** gyee has joined #openstack-keystone20:45
*** radez is now known as radez_g0n320:52
*** david-lyle has quit IRC20:56
*** radez_g0n3 is now known as radez20:57
*** david-lyle has joined #openstack-keystone20:57
openstackgerritA change was merged to openstack/keystone-specs: Create specification for CADF everywhere  https://review.openstack.org/12878021:00
*** jsavak has joined #openstack-keystone21:03
*** saipandi has quit IRC21:05
*** joesavak has quit IRC21:06
*** jsavak has quit IRC21:15
*** alex_xu has quit IRC21:19
-openstackstatus- NOTICE: Zuul erroneously marked some changes as having merge conflicts. Those changes have been added to the check queue to be rechecked and will be automatically updated when complete.21:21
mfischanyone seen this before?   "cms_hash_token() got an unexpected keyword argument 'mode'"21:23
mfischmy server is spewing that (am trying the latest keystone)21:23
*** jacer_huawei has quit IRC21:24
*** jacer_huawei has joined #openstack-keystone21:25
gyeemfisch, which version of python-keystoneclient you have?21:26
mfischI just upgraded it to the latest from UCA21:27
mfisch0.10.121:27
mfischokay it works fine if I go back a few days21:29
mfischto the 16th21:29
openstackgerritMorgan Fainberg proposed a change to openstack/keystone-specs: Kilo version of non-persistent token specification  https://review.openstack.org/12973621:29
gyeemfisch, maybe bknudson's md5 hash patch has landed a few days back?21:30
morganfainbergmfisch, that latest keystone might require 11.x of ksc21:30
mfischhmm21:31
morganfainberghm.21:31
morganfainbergnot according to requirements.txt21:31
gyeebug? :)21:31
morganfainbergmfisch, can you use paste.openstack.org and paste the traceback?21:32
morganfainbergmfisch, i think you have a very old keystoneclient.21:33
mfischI just upgraded to the latest in juno21:34
mfischtrying to see the patch set21:34
morganfainbergThe mode kwarg was added back in like April. Been in place since 0.8.0 of keystone client for that method21:35
mfischa package from last week works... that's why I'm looking at the diff21:36
mfischhow old is 0.8.0?21:36
morganfainbergmfisch, https://github.com/openstack/python-keystoneclient/commit/82359492dc14e679d48e6801da304027e508533c21:37
mfischso just checked and 0.7.1 is default in trusty.. thought it was newer than that21:37
morganfainbergyeah 0.8 would be the minimum21:38
morganfainberg0.8.021:38
morganfainbergjuno should require 0.10.0 to work for trusty21:38
morganfainbergif not, it's a packaging error on the debian/ubuntu side21:38
morganfainbergs/trusty/any distro21:38
mfischwell keystone itself doesn't require the client21:39
mfischas a package dep21:39
mfischso it's more like my fault21:39
morganfainbergmfisch, if you use pki it does.21:39
morganfainbergit is in the requirements.txt21:39
morganfainbergthis likely *is* a packaging failure on the deb/ubuntu side.21:40
morganfainbergand potentially a long running one21:40
*** gokrokve has joined #openstack-keystone21:40
mfischlet me look21:40
*** openstackgerrit has quit IRC21:40
morganfainbergHavana, Icehouse, and Juno (or whenever we started depending on keystoneclient.cms in keystone)21:40
*** packet has joined #openstack-keystone21:43
*** packet is now known as Guest2921221:43
*** Guest29212 has quit IRC21:44
*** dimsum_ has joined #openstack-keystone21:45
mfischthe latest from UCA requires 0.9.021:47
mfischas a build-dep21:47
mfischI'll let chuck know21:48
*** radez is now known as radez_g0n321:48
*** marcoemorais has quit IRC21:48
*** marcoemorais has joined #openstack-keystone21:49
*** dims_ has joined #openstack-keystone21:49
*** dims_ has quit IRC21:51
*** dims_ has joined #openstack-keystone21:51
*** dimsum_ has quit IRC21:52
morganfainbergmfisch, ok good not horribly broken.21:57
morganfainbergmfisch, bug juno should require https://github.com/openstack/keystone/blob/stable/juno/requirements.txt#L19 0.10.021:58
*** marcoemorais has quit IRC21:58
*** marcoemorais has joined #openstack-keystone21:59
*** marcoemorais has quit IRC21:59
*** marcoemorais has joined #openstack-keystone21:59
*** sigmavirus24 is now known as sigmavirus24_awa22:04
*** topol has quit IRC22:06
*** marcoemorais has quit IRC22:10
*** HenryG has joined #openstack-keystone22:16
mfischhey morganfainberg what about this confusing statement I see now?22:17
mfisch/usr/lib/python2.7/dist-packages/sqlalchemy/sql/default_comparator.py:35: SAWarning: The IN-predicate on "assignment.actor_id" was invoked with an empty sequence. This results in a contradiction, which nonetheless can be expensive to evaluate.  Consider alternative strategies for improved performance.22:18
*** wwriverrat has joined #openstack-keystone22:18
mfisch  return o[0](self, self.expr, op, *(other + o[1:]), **kwargs)22:18
*** wwriverrat has left #openstack-keystone22:18
*** wwriverrat1 has joined #openstack-keystone22:20
*** nellysmitt has quit IRC22:24
*** gordc has quit IRC22:25
*** david-lyle_ has joined #openstack-keystone22:26
*** david-lyle has quit IRC22:27
morganfainbergmfisch: that is an awesome error22:29
morganfainbergOr warning.22:29
mfischno stack on it though22:29
morganfainbergNah. It's a warn.22:29
morganfainbergIt is a "hey you're doing this wrong" message to us.22:30
*** wwriverrat1 has left #openstack-keystone22:30
mfischEGETYOURSTUFFTOGETHER22:30
*** david-lyle_ is now known as david-lyle22:35
*** openstackgerrit has joined #openstack-keystone22:42
openstackgerritA change was merged to openstack/pycadf: Sync oslo libraries  https://review.openstack.org/12963722:43
*** marcoemorais has joined #openstack-keystone22:43
*** harlowja_away is now known as harlowja22:48
*** marcoemorais has quit IRC22:55
*** gokrokve_ has joined #openstack-keystone23:03
*** gokrokve has quit IRC23:03
*** marcoemorais has joined #openstack-keystone23:05
*** bknudson has quit IRC23:09
*** dims_ has quit IRC23:12
*** dimsum_ has joined #openstack-keystone23:13
*** dimsum_ has quit IRC23:17
openstackgerritA change was merged to openstack/pycadf: Use oslo.serialization  https://review.openstack.org/12964123:47
*** gyee has quit IRC23:51
*** r1chardj0n3s is now known as r1chardj0n3s_afk23:55
*** henrynash has quit IRC23:59
