samueldmq | jamielennox, if you'd like to check a role assignment, we should do a HEAD | 00:00 |
---|---|---|
samueldmq | jamielennox, don't know if we have such call from kc | 00:00 |
jamielennox | samueldmq: yes - but what i mean is that the GET to that same URL should either return some information or a 204. the HEAD shouldn't be a separate path | 00:01 |
jamielennox | separate call | 00:01 |
openstackgerrit | Brant Knudson proposed openstack/keystonemiddleware: Add python-memcached to test-requirements https://review.openstack.org/146332 | 00:02 |
openstackgerrit | Brant Knudson proposed openstack/keystonemiddleware: Add python-memcached to test-requirements https://review.openstack.org/146332 | 00:03 |
openstackgerrit | Brant Knudson proposed openstack/keystonemiddleware: Add python-memcached to test-requirements https://review.openstack.org/146332 | 00:03 |
openstackgerrit | Brant Knudson proposed openstack/keystonemiddleware: Add python-memcached to test-requirements https://review.openstack.org/146332 | 00:04 |
samueldmq | jamielennox, so in this case (https://github.com/openstack/keystone/blob/master/keystone/tests/test_v3_endpoint_policy.py#L48-L50) | 00:04 |
samueldmq | jamielennox, https://github.com/openstack/keystone/blob/master/keystone/tests/test_v3_endpoint_policy.py#L62 | 00:05 |
samueldmq | jamielennox, we should still get 204 from GET (because there is no content) | 00:05 |
samueldmq | jamielennox, and 200 from HEAD | 00:05 |
samueldmq | jamielennox, if so, they're not consistent in this case | 00:05 |
jamielennox | no - i think if GET returns a 204 then HEAD should return a 204 | 00:05 |
jamielennox | the way we discovered this is that apache will handle some of this rewriting for you | 00:05 |
jamielennox | if you put a HEAD request to any url then apache will issue it as a GET and then just discard any body | 00:06 |
jamielennox | we need to be consistent with that behaviour from python | 00:06 |
bknudson | if GET returns a 204 then HEAD must return 204 (and it will if running in apache httpd) | 00:06 |
samueldmq | hmm | 00:06 |
bknudson | apache converts the HEAD request to a GET request, so wsgi doesn't see it. | 00:06 |
*** _cjones_ has quit IRC | 00:06 | |
samueldmq | got the point, HEAD must always 'follow' the behavior of 'GET', whatever it returns | 00:07 |
bknudson | (pretty much what jamielennox said) | 00:07 |
samueldmq | I thought HEAD should always return 200 | 00:07 |
samueldmq | or error | 00:07 |
bknudson | samueldmq: read the spec: http://tools.ietf.org/html/rfc2616#section-9.4 | 00:08 |
jamielennox | wikipedia: Asks for the response identical to the one that would correspond to a GET request, but without the response body. This is useful for retrieving meta-information written in response headers, without having to transport the entire content. | 00:08 |
jamielennox | heh bknudson goes for the way more authoritative source | 00:08 |
samueldmq | bknudson, ++ | 00:12 |
samueldmq | jamielennox, bknudson got it, thx | 00:12 |
samueldmq | will update my patch, and request your review (adding your names there) once I submit it | 00:13 |
*** avozza is now known as zz_avozza | 00:15 | |
openstackgerrit | Brant Knudson proposed openstack/keystonemiddleware: Move to hacking 0.10 https://review.openstack.org/146353 | 00:18 |
jamielennox | samueldmq: np | 00:18 |
samueldmq | bknudson, jamielennox reading that spec made me think that we should then have a HEAD for each GET request | 00:21 |
jamielennox | samueldmq: in the case of apache we do implicitly | 00:21 |
samueldmq | for all GET request, I mean | 00:21 |
bknudson | yes, we must. It's implied. | 00:22 |
bknudson | (i.e., no need to document it since it's implied) | 00:22 |
samueldmq | yes, I am just not sure we have HEAD for every GET | 00:23 |
openstackgerrit | Brant Knudson proposed openstack/keystonemiddleware: Correct failures for check E122 https://review.openstack.org/146355 | 00:23 |
openstackgerrit | Jamie Lennox proposed openstack/python-keystoneclient: Surface the user_id and project_id beyond the plugin https://review.openstack.org/132030 | 00:24 |
samueldmq | bknudson, jamielennox that's what I was talking about: bug #1370335 :) | 00:25 |
uvirtbot | Launchpad bug 1370335 in keystone "Keystone should support HEAD requests for all GET actions" [Wishlist,Triaged] https://launchpad.net/bugs/1370335 | 00:25 |
openstackgerrit | Brant Knudson proposed openstack/keystonemiddleware: Enforce check F821 https://review.openstack.org/146356 | 00:26 |
*** dgonzalez has quit IRC | 00:26 | |
*** dgonzalez has joined #openstack-keystone | 00:26 | |
openstackgerrit | Brant Knudson proposed openstack/keystonemiddleware: Correct failures for check H238 https://review.openstack.org/146357 | 00:28 |
openstackgerrit | Brant Knudson proposed openstack/keystonemiddleware: Enforce check F821 and H304 https://review.openstack.org/146356 | 00:30 |
*** dgonzalez has joined #openstack-keystone | 00:31 | |
openstackgerrit | Jamie Lennox proposed openstack/python-keystoneclient: Extract the Loadable interface from a plugin https://review.openstack.org/138575 | 00:34 |
openstackgerrit | Jamie Lennox proposed openstack/python-keystoneclient: Make session use the Loadable interface https://review.openstack.org/138576 | 00:34 |
openstackgerrit | Brant Knudson proposed openstack/keystonemiddleware: Correct failures for check H703 https://review.openstack.org/146358 | 00:35 |
*** david-lyle has joined #openstack-keystone | 00:35 | |
*** dgonzalez has quit IRC | 00:37 | |
*** dgonzalez has joined #openstack-keystone | 00:37 | |
*** dgonzale_ has joined #openstack-keystone | 00:46 | |
openstackgerrit | Brant Knudson proposed openstack/python-keystoneclient-federation: Move to hacking 0.10 https://review.openstack.org/146359 | 00:50 |
openstackgerrit | Brant Knudson proposed openstack/python-keystoneclient-federation: Correct failures for check W292 https://review.openstack.org/146360 | 00:50 |
openstackgerrit | Brant Knudson proposed openstack/python-keystoneclient-federation: Correct failures for check W292 https://review.openstack.org/146360 | 00:51 |
openstackgerrit | Brant Knudson proposed openstack/python-keystoneclient-kerberos: Move to hacking 0.10 https://review.openstack.org/146362 | 01:00 |
*** david-lyle has quit IRC | 01:18 | |
*** david-lyle has joined #openstack-keystone | 01:25 | |
*** david-lyle has quit IRC | 01:27 | |
*** david-lyle has joined #openstack-keystone | 01:28 | |
openstackgerrit | wanghong proposed openstack/keystone: do parameter check before updating endpoint_group https://review.openstack.org/146040 | 01:31 |
*** diegows has joined #openstack-keystone | 01:32 | |
*** chrisshattuck has joined #openstack-keystone | 01:52 | |
*** david-lyle has quit IRC | 01:59 | |
*** diegows has quit IRC | 02:01 | |
*** abhirc has joined #openstack-keystone | 02:05 | |
samueldmq | can we go 'rescope' a scoped token to an unscoped one? | 02:15 |
openstackgerrit | ChangBo Guo(gcb) proposed openstack/keystone: Use dict comprehensions instead of dict constructor https://review.openstack.org/143842 | 02:18 |
morganfainberg | samueldmq, today? no | 02:18 |
morganfainberg | w/ ayoungs' changes - absolutely not | 02:18 |
samueldmq | morganfainberg, nice | 02:19 |
samueldmq | morganfainberg, I'm reviewing his 'adding allow rescope config' patch | 02:19 |
morganfainberg | yeah | 02:19 |
samueldmq | morganfainberg, and if we could do that, we need to add new tests as well | 02:19 |
*** abhirc_ has joined #openstack-keystone | 02:28 | |
*** abhirc has quit IRC | 02:30 | |
*** r-daneel has joined #openstack-keystone | 02:42 | |
*** erkules has joined #openstack-keystone | 02:44 | |
*** LinstatSDR has quit IRC | 02:46 | |
*** erkules_ has quit IRC | 02:46 | |
*** adriant has joined #openstack-keystone | 02:52 | |
openstackgerrit | ChangBo Guo(gcb) proposed openstack/keystone: Use dict comprehensions instead of dict constructor https://review.openstack.org/143842 | 02:55 |
*** abhirc_ has quit IRC | 03:07 | |
*** chrisshattuck has quit IRC | 03:20 | |
*** r-daneel has quit IRC | 03:22 | |
*** r-daneel has joined #openstack-keystone | 03:23 | |
*** abhirc has joined #openstack-keystone | 03:25 | |
*** LinstatSDR has joined #openstack-keystone | 03:33 | |
openstackgerrit | wanghong proposed openstack/keystone: do parameter check before updating endpoint_group https://review.openstack.org/146040 | 03:34 |
*** david-lyle has joined #openstack-keystone | 03:44 | |
*** chrisshattuck has joined #openstack-keystone | 03:46 | |
*** chrisshattuck has quit IRC | 03:56 | |
*** samueldmq has quit IRC | 04:01 | |
*** chrisshattuck has joined #openstack-keystone | 04:07 | |
*** chrisshattuck has quit IRC | 04:07 | |
*** chrisshattuck has joined #openstack-keystone | 04:08 | |
*** david-lyle has quit IRC | 04:50 | |
*** david-lyle has joined #openstack-keystone | 04:50 | |
*** chrisshattuck has quit IRC | 05:05 | |
*** david-lyle has quit IRC | 05:06 | |
*** adriant has quit IRC | 05:13 | |
*** abhirc has quit IRC | 05:23 | |
openstackgerrit | OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex https://review.openstack.org/145135 | 06:03 |
*** LinstatSDR has quit IRC | 06:04 | |
*** LinstatSDR has joined #openstack-keystone | 06:05 | |
openstackgerrit | wanghong proposed openstack/keystone: remove the Conf.signing.token_format option support https://review.openstack.org/144250 | 06:15 |
*** r-daneel has quit IRC | 06:25 | |
*** LinstatSDR has quit IRC | 06:46 | |
*** ajayaa has joined #openstack-keystone | 06:57 | |
*** rushiagr_away is now known as rushiagr | 06:58 | |
*** zz_avozza is now known as avozza | 07:00 | |
*** henrynash has joined #openstack-keystone | 07:02 | |
*** ChanServ sets mode: +v henrynash | 07:02 | |
*** avozza is now known as zz_avozza | 07:10 | |
openstackgerrit | wanghong proposed openstack/keystone: let endpoint policy delete api return 404 if not found https://review.openstack.org/146388 | 07:43 |
openstackgerrit | Merged openstack/keystonemiddleware: Fix environ keys missing HTTP_ prefix https://review.openstack.org/145505 | 07:55 |
*** jamielennox is now known as jamielennox|away | 07:56 | |
*** zz_avozza is now known as avozza | 08:01 | |
openstackgerrit | Abhishek Kekane proposed openstack/keystone: Eventlet green threads not released back to pool https://review.openstack.org/130824 | 08:09 |
*** chlong has quit IRC | 08:10 | |
*** avozza is now known as zz_avozza | 08:15 | |
*** links has joined #openstack-keystone | 08:35 | |
openstackgerrit | Marek Denis proposed openstack/keystone-specs: Service Provider for K2K https://review.openstack.org/135604 | 08:36 |
*** henrynash has quit IRC | 08:37 | |
*** afazekas has joined #openstack-keystone | 08:39 | |
*** ajayaa has quit IRC | 08:43 | |
*** henrynash has joined #openstack-keystone | 08:47 | |
*** ChanServ sets mode: +v henrynash | 08:47 | |
*** henrynash has quit IRC | 08:49 | |
openstackgerrit | Marek Denis proposed openstack/python-keystoneclient: Standardize token scoping workflow. https://review.openstack.org/142376 | 08:52 |
*** jaosorior has joined #openstack-keystone | 08:58 | |
*** ajayaa has joined #openstack-keystone | 09:09 | |
*** zz_avozza is now known as avozza | 09:18 | |
*** bdossant has joined #openstack-keystone | 09:25 | |
openstackgerrit | Marek Denis proposed openstack/keystone-specs: Specify default values for identity providers. https://review.openstack.org/146405 | 09:49 |
*** jistr has joined #openstack-keystone | 09:58 | |
*** amakarov_away is now known as amakarov | 10:07 | |
*** nellysmitt has joined #openstack-keystone | 10:49 | |
*** henrynash has joined #openstack-keystone | 10:52 | |
*** ChanServ sets mode: +v henrynash | 10:52 | |
*** pcaruana has joined #openstack-keystone | 10:59 | |
*** avozza is now known as zz_avozza | 11:20 | |
*** andreaf has joined #openstack-keystone | 11:24 | |
*** samuelms has quit IRC | 11:31 | |
*** david-lyle has joined #openstack-keystone | 11:32 | |
*** lsmola_ has quit IRC | 11:32 | |
openstackgerrit | Marek Denis proposed openstack/keystone: Identify groups by name/domain in mapping rules. https://review.openstack.org/139013 | 11:35 |
*** zz_avozza is now known as avozza | 11:37 | |
*** chlong has joined #openstack-keystone | 11:41 | |
*** chlong has quit IRC | 11:47 | |
*** chlong has joined #openstack-keystone | 11:47 | |
*** andreaf has quit IRC | 11:56 | |
*** avozza is now known as zz_avozza | 11:59 | |
*** samueldmq has joined #openstack-keystone | 12:04 | |
samueldmq | morning :) | 12:04 |
samueldmq | henrynash, ping - need to talk about inherited roles api | 12:04 |
henrynash | samueldmq: ok... | 12:05 |
samueldmq | henrynash, hi :) | 12:07 |
samueldmq | henrynash, it should be a quick discussion | 12:07 |
henrynash | famous last words | 12:07 |
samueldmq | ahha | 12:07 |
samueldmq | so the api tell us inheritance info should be : "OS-INHERIT:inherited_to": ["projects"] | 12:08 |
samueldmq | as a list, but we don't have this implemented | 12:08 |
samueldmq | so the api is inconsistent, technically the code is wrong (because it should follow the api) | 12:08 |
samueldmq | http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-inherit-ext.html#list-effective-role-assignments | 12:09 |
samueldmq | I propose to fix the api | 12:09 |
henrynash | I’m trying to remember whether it is a mistake that the api has it as a list… | 12:10 |
*** EmilienM|afk is now known as EmilienM | 12:10 | |
henrynash | or whether there was a reason :-) | 12:10 |
samueldmq | haha, yep | 12:10 |
henrynash | I *think* it was to keep some people happy…there was at least one person who wanted to be able to direct inheritance..i.e.: | 12:12 |
samueldmq | also applied to the domain itself : | 12:12 |
samueldmq | ? | 12:12 |
*** andreaf has joined #openstack-keystone | 12:12 | |
henrynash | "OS-INHERIT:inherited_to": ["project_id”: ABC, “project_id”: XYZ] | 12:12 |
henrynash | and “projects” was shorthand for “all the projects in the domain” | 12:13 |
henrynash | I think that’s pretty scary….and if people really did use that kind of “directed” inheritance, you’d pretty soon lose track of what was inherited to what | 12:14 |
samueldmq | so it could be inherited to only a branch of the tree (now with hierarchical projs) | 12:15 |
samueldmq | ++ | 12:15 |
samueldmq | so let's remove that, before people get confused | 12:15 |
samueldmq | since the weird person who requested that probably is not here anymore lol | 12:15 |
henrynash | (it’s coming back to me now!)….we had a long argument about whether inheritance by “tree” was the right solution | 12:15 |
samueldmq | kidding, but I think we have good reasons to not keep that | 12:15 |
samueldmq | should we add a point to tomorrow's meeting and then agree this all together? | 12:16 |
henrynash | this is also the reason why it isn’t just a boolean (which is what my original spec said)…i.e. “inherited_to_projects”: Ture | 12:17 |
henrynash | (True, even) | 12:17 |
samueldmq | hmm, so you thought it should be as actually I think it should | 12:17 |
samueldmq | inherited = True | 12:17 |
henrynash | yes, that’s how I originally had planned it…but the debate was quite heated :-) | 12:18 |
*** zz_avozza is now known as avozza | 12:18 | |
samueldmq | not even inherited_to_projects, because it cannot be inherited by other thing than projects | 12:18 |
henrynash | well…but let’s think about this….now that we have a tree of projects…and maybe “projects with domain-ness”, might we want more than a boolean? | 12:19 |
henrynash | might you want to say (I’m making this up for now): | 12:19 |
henrynash | "OS-INHERIT:inherited_to": ["projects_but_don’t_cross_a_domain_boundary” | 12:20 |
henrynash | I think, actually, we don’t want this to be defined by the assignment, but by the domain boundary itself….I think... | 12:21 |
henrynash | so that’s probably a red herring | 12:21 |
samueldmq | ++ | 12:21 |
henrynash | I guess maybe, possibly: "OS-INHERIT:inherited_to": "projects_but_only_immediate_descendants” | 12:22 |
samueldmq | and it should be the most used option, crossing domain boundaries should be only allowed to cloud_admin I think | 12:22 |
samueldmq | if not immediate descendants, put the rule in the child projects, and not in the parent | 12:22 |
henrynash | but if we really wanted that flexibility….maybe that should be defined by the projects | 12:22 |
henrynash | yep, agreed | 12:23 |
henrynash | so I think we're really saying that we think we just want to effectively have: “inherited”: True/False | 12:23 |
samueldmq | ++ | 12:24 |
samueldmq | instead of making possible to define any type of inheritance config | 12:24 |
samueldmq | maybe we could add a mechanism to stop inheritance at some project level | 12:24 |
henrynash | or if we wanted to be pedantic, we might say: “assign_to_descendants”: True/False | 12:24 |
samueldmq | suppose you have a private 'project', and you don't want inherited roles to be applied there | 12:25 |
henrynash | but it may be too late to drop the inheritance word | 12:25 |
samueldmq | yep, I agree ... inherited may hurt UX I think | 12:25 |
samueldmq | I had a discussion with dstanek about that a day | 12:25 |
samueldmq | inherited normally is something that is applied to the parent and children .. | 12:26 |
henrynash | yeah, I think we might want that blocking power…but would that mean the “inheritance” stops at that point…or can it hop over that project and go on down to the descendants…(that sounds too complicated) | 12:26 |
samueldmq | the first I think | 12:27 |
henrynash | agreed | 12:27 |
samueldmq | we should have private trees I think | 12:27 |
samueldmq | that's what I meant | 12:27 |
samueldmq | you're the manager everywhere (but that room there you can't enter) shh | 12:27 |
henrynash | yep, agreed | 12:28 |
samueldmq | I think we can change almost everything (having care on this, sure) on inheritance api | 12:28 |
samueldmq | since it's still (not for long time) experimental | 12:28 |
samueldmq | it's an extension | 12:28 |
samueldmq | and will probably become stable with the new classification (in-tree, etc) | 12:28 |
samueldmq | also, there shouldn't be a lot of people using it so far | 12:29 |
*** esmute has quit IRC | 12:29 | |
*** esmute has joined #openstack-keystone | 12:32 | |
henrynash | agreed | 12:33 |
henrynash | let’s discuss at the meeting tomorrow | 12:34 |
henrynash | speak to you later | 12:34 |
samueldmq | k, thanks | 12:34 |
*** dims has joined #openstack-keystone | 12:35 | |
*** diegows has joined #openstack-keystone | 12:39 | |
*** esmute has quit IRC | 12:45 | |
*** lsmola has joined #openstack-keystone | 12:46 | |
*** esmute has joined #openstack-keystone | 12:48 | |
*** chlong has quit IRC | 12:55 | |
*** rushiagr is now known as rushiagr_away | 12:56 | |
*** radez_g0n3 is now known as radez | 13:03 | |
*** dims has quit IRC | 13:14 | |
samueldmq | someone up there? would like to talk about token revocation :) | 13:17 |
*** dims__ has joined #openstack-keystone | 13:18 | |
samueldmq | dstanek, ping ^ | 13:18 |
dstanek | samueldmq: howdy | 13:18 |
samueldmq | dstanek, had to translate that, had never received this greeting :-) | 13:19 |
marekd | rodrigods: vsilva: https://review.openstack.org/#/c/142573 hi. are you planning to touch this in the nearest future? Otherwise I'd be happy to do it. | 13:19 |
samueldmq | dstanek, howdy ! | 13:19 |
marekd | samueldmq: TX style | 13:19 |
dstanek | samueldmq: :-) | 13:19 |
samueldmq | marekd, yep (: | 13:19 |
*** abhirc has joined #openstack-keystone | 13:20 | |
samueldmq | dstanek, so what's needed to issue tokens? role assignments, right? | 13:20 |
samueldmq | dstanek, so I think token revocations should always be triggered by role assignments removal | 13:22 |
samueldmq | dstanek, then we could have a better control over that | 13:22 |
samueldmq | dstanek, I mean, when you delete a domain, it triggers role assignments deletion (associated to that domain, and then there (role assignments deletion) we should revoke tokens | 13:23 |
dstanek | samueldmq: i think i would agree - but that could also be over reaching | 13:23 |
openstackgerrit | Alexander Makarov proposed openstack/keystone: Trust redelegation https://review.openstack.org/126897 | 13:23 |
dstanek | samueldmq: do we not revoke tokens in that specific case? | 13:23 |
samueldmq | dstanek, I think so, was just an example | 13:23 |
samueldmq | dstanek, I'm talking about new way to organize code, would be clearer IMO | 13:24 |
samueldmq | dstanek, the feature is ok as it is, I think | 13:24 |
dstanek | samueldmq: ok, just getting back into the swing of things | 13:32 |
*** rushiagr_away is now known as rushiagr | 13:33 | |
openstackgerrit | Alexander Makarov proposed openstack/keystone: Assignment sql backend create_grant refactoring https://review.openstack.org/141352 | 13:35 |
marekd | dstanek: hi. | 13:35 |
marekd | dstanek: what's the current status on that: https://review.openstack.org/#/c/139137/ ready for review? | 13:35 |
marekd | dstanek: need some help on that? | 13:35 |
samueldmq | dstanek, k, thanks | 13:40 |
*** avozza is now known as zz_avozza | 13:41 | |
dstanek | marekd: yeah, can probably start reviewing - have you tried it out? | 13:43 |
marekd | dstanek: not yet. | 13:43 |
*** gordc has joined #openstack-keystone | 13:45 | |
*** jjulien has quit IRC | 13:46 | |
dstanek | marekd: i have to see if it still works :-) | 13:47 |
marekd | :-) | 13:47 |
*** bknudson has quit IRC | 13:51 | |
amakarov | samueldmq, hi! I need an advice about https://review.openstack.org/#/c/141854/ | 13:54 |
samueldmq | amakarov, sure, will be glad if I can help | 13:55 |
amakarov | samueldmq, there are actually 2 bugs fixed by this patch | 13:56 |
amakarov | so gerrit didn't pick it up as a fix for 1 of those | 13:57 |
samueldmq | amakarov, yep | 13:57 |
samueldmq | amakarov, and I saw lbragstad created a test to expose one of these bugs, didnt he? | 13:57 |
amakarov | it led to that patch of lbragstad that confused you as I noticed | 13:57 |
amakarov | samueldmq, exactly | 13:58 |
amakarov | I'm not sure what to do in such cases | 13:58 |
*** KnightLord has joined #openstack-keystone | 13:58 | |
samueldmq | amakarov, what I proposed was: lbragstad could keep his patch as it was creating a test to expose the bug | 13:58 |
amakarov | Ask Lance about abandoning his patch or just ignore it | 13:58 |
samueldmq | amakarov, he could also add another test to expose the second bug | 13:59 |
samueldmq | amakarov, let's say they're for ensure the bugs do occur, right? | 13:59 |
amakarov | samueldmq, I agree, but there is a test exposing this bug already :) | 13:59 |
samueldmq | amakarov, so in a follow on patch (depending on that one that propose the new tests) you fix the bug and tests | 14:00 |
amakarov | actually, it's a test posted by me, then by Lance, then modified by me )) | 14:00 |
samueldmq | amakarov, is there? you have a link? | 14:00 |
amakarov | samueldmq, 1 sec, doublechecking... | 14:00 |
samueldmq | amakarov, k | 14:01 |
amakarov | samueldmq, https://review.openstack.org/#/c/141854/6/keystone/tests/test_v3_auth.py,cm | 14:01 |
amakarov | it's a positive variant of https://review.openstack.org/#/c/142099/2/keystone/tests/test_v3_auth.py,cm | 14:01 |
amakarov | samueldmq, so I say that test in Lance's patch is a prior version of test in my fix ) | 14:03 |
samueldmq | amakarov, checking | 14:03 |
samueldmq | amakarov, yep, that's why I would suggest you to rebase on his patch | 14:05 |
samueldmq | amakarov, his patch A introduces a test to show what's wrong | 14:05 |
samueldmq | amakarov, your patch B get his code, fix the bug and fix his test to show with that test the system is working properly | 14:05 |
samueldmq | amakarov, is that clear? have you already submitted any patches with dependency? | 14:06 |
amakarov | samueldmq, not exactly: I can't propose a test that fails | 14:08 |
samueldmq | amakarov, exactly, so the test proposed is the one lbragstad is proposing | 14:08 |
samueldmq | amakarov, the test passes, but the behavior is wrong | 14:08 |
amakarov | samueldmq, test in my patch is an inversion of its initial version | 14:08 |
samueldmq | amakarov, you then get his code (as depending on his patch), fix the code and the test, because the test as it is won't pass anymore | 14:09 |
samueldmq | amakarov, because you've fixed that | 14:09 |
samueldmq | amakarov, need to go afk for a bit, will be back soon | 14:10 |
amakarov | samueldmq, I don't see a purpose of this process: I have a fix, a test for it, what else? | 14:10 |
*** Kazazi has joined #openstack-keystone | 14:14 | |
*** nkinder has quit IRC | 14:15 | |
amakarov | samueldmq, in fact all you described is already done, I really can't understand what you want me to do :) Do you want to see intact test provided with the bug (Lance's patch)? It will duplicate provided one... | 14:16 |
openstackgerrit | Marcos Fermín Lobo proposed openstack/python-keystoneclient: Attributes required using token for auth https://review.openstack.org/115228 | 14:16 |
openstackgerrit | David Stanek proposed openstack/keystone: Fixes a type check to make it work in Python 3 https://review.openstack.org/125410 | 14:20 |
openstackgerrit | David Stanek proposed openstack/keystone: Updates Python3 requirements https://review.openstack.org/130579 | 14:20 |
openstackgerrit | David Stanek proposed openstack/keystone: Mocks out the memcache library for tests https://review.openstack.org/125409 | 14:20 |
openstackgerrit | David Stanek proposed openstack/keystone: Adds a fork of python-ldap for Py3 testing https://review.openstack.org/95827 | 14:20 |
dstanek | samueldmq: all rebased! and thanks for the reviews | 14:22 |
samueldmq | amakarov, it was just a way to not discard lbragstad's patch, we could then keep both in a valid way | 14:25 |
samueldmq | dstanek, you're welcome :) | 14:26 |
samueldmq | dstanek, will review again | 14:26 |
amakarov | samueldmq, I see your point, but are you sure we do need them both? | 14:31 |
samueldmq | henrynash, added a point to the meeting's main agenda | 14:33 |
samueldmq | henrynash, https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting#Main_Agenda | 14:33 |
samueldmq | amakarov, we can do it or not, I just think you and lbragstad should agree on that | 14:34 |
samueldmq | amakarov, if we keep just your patch, his one needs to be abandoned | 14:34 |
samueldmq | amakarov, keeping both makes reviewing process worse, makes sense? | 14:35 |
*** bdossant_ has joined #openstack-keystone | 14:35 | |
*** bdossant_ has quit IRC | 14:35 | |
*** bdossant has quit IRC | 14:35 | |
henrynash | ayoung: if you are around, are you OK with re-adding your +2 to https://review.openstack.org/#/c/144239/15 | 14:35 |
*** joesavak has joined #openstack-keystone | 14:39 | |
*** samueldmq is now known as samueldmq-away | 14:41 | |
*** bknudson has joined #openstack-keystone | 14:45 | |
*** ChanServ sets mode: +v bknudson | 14:45 | |
rodrigods | marekd, we are... but not sure when (coming back from vacation today), still going through the pendent reviews list | 14:49 |
rodrigods | marekd, but if you could help with it, we'd appreciate that | 14:50 |
marekd | rodrigods: OK! | 14:50 |
*** mattfarina has joined #openstack-keystone | 14:51 | |
*** MasterPiece has joined #openstack-keystone | 14:53 | |
*** mattfarina has quit IRC | 14:54 | |
openstackgerrit | David Stanek proposed openstack/keystone: Make the default cache time more explicit in code https://review.openstack.org/113586 | 14:54 |
*** mattfarina has joined #openstack-keystone | 14:56 | |
dstanek | morganfainberg: i just rebased https://review.openstack.org/#/c/113586 ; I forgot that is the one i started, but that you had taken over | 14:56 |
*** fifieldt__ has joined #openstack-keystone | 15:00 | |
marekd | morganfainberg: https://review.openstack.org/#/c/135604/ addressed your concerns (and added two sub questions). | 15:01 |
MasterPiece | Kazazi, What is exactly your problem with its definition ? use some paste service like paste.ubuntu.com in order to paste multiple lines :) | 15:02 |
*** fifieldt_ has quit IRC | 15:02 | |
*** abhirc has quit IRC | 15:03 | |
*** nkinder has joined #openstack-keystone | 15:05 | |
*** jsavak has joined #openstack-keystone | 15:06 | |
Kazazi | MasterPiece, Thanks for the reply, when i insert the command of (# keystone tenant-create --name=admin --description="Admin Tenant") at keystone installation, it gives me the error of : keystone unable to establish connection to http://locahost:127.0.0.1:35357/v2.0/tenants, im using the official manual and my controller node is on a virtual machine ubuntu 14.04 | 15:07 |
MasterPiece | Kazazi, Please use paste.ubuntu.com when you wanna tell the commands and output in IRC and to others :) | 15:08 |
*** joesavak has quit IRC | 15:10 | |
*** ajayaa has quit IRC | 15:10 | |
Kazazi | MasterPiece, http://paste.ubuntu.com/9718890/ | 15:10 |
MasterPiece | Kazazi, ok, did you check your keystone configurations again? Seems you have some problem in "locahost" word , this word should be "localhost" | 15:12 |
Kazazi | the commands i insert and the error i get is http://paste.ubuntu.com/9718897/ | 15:12 |
MasterPiece | Kazazi, Please paste the entire process of the following command : | 15:12 |
MasterPiece | $ nc localhost 35357 -vz | 15:12 |
MasterPiece | and | 15:13 |
MasterPiece | $ netstat -antlp | 15:13 |
Kazazi | MasterPiece, sorry its localhost | 15:13 |
*** mflobo has quit IRC | 15:14 | |
*** richm has joined #openstack-keystone | 15:15 | |
MasterPiece | ok, give me your keystone.conf file ( use ubuntu paste services ) | 15:16 |
*** mflobo has joined #openstack-keystone | 15:16 | |
openstackgerrit | David Stanek proposed openstack/keystone: WiP: Script to sync oslo https://review.openstack.org/114305 | 15:17 |
*** Kazazi has quit IRC | 15:20 | |
KnightLord | MasterPiece, http://paste.ubuntu.com/9718933/ (i event tried controller, instead of localhost which refers to controller node and i can ping it from other nodes) | 15:25 |
KnightLord | even* | 15:25 |
openstackgerrit | Alexander Makarov proposed openstack/keystone: LDAP additional attribute mappings description https://review.openstack.org/118590 | 15:26 |
*** KnightLord has quit IRC | 15:29 | |
*** MasterPiece has quit IRC | 15:29 | |
openstackgerrit | Boris Bobrov proposed openstack/keystone: Fix incorrect session usage in tests https://review.openstack.org/144460 | 15:31 |
openstackgerrit | Boris Bobrov proposed openstack/keystone: Fix migration 42 downgrade https://review.openstack.org/144331 | 15:31 |
openstackgerrit | Boris Bobrov proposed openstack/keystone: Fix transaction issue in migration 44 downgrade https://review.openstack.org/144321 | 15:31 |
openstackgerrit | henry-nash proposed openstack/keystone-specs: Enable the storing of domain specific configuration in SQL. https://review.openstack.org/123238 | 15:36 |
amakarov | lbragstad, hi! Can we discuss what to do with this duplication: https://review.openstack.org/#/c/141854/ and https://review.openstack.org/#/c/142099/ ? | 15:37 |
lbragstad | amakarov: o/ | 15:37 |
lbragstad | sure | 15:37 |
openstackgerrit | Boris Bobrov proposed openstack/keystone: Fix downgrade test for migration 61 on non-sqlite https://review.openstack.org/146497 | 15:37 |
amakarov | lbragstad, am I to rebase my patch somehow, or you just abandon yours? | 15:38 |
amakarov | lbragstad, there is a confusion already among our reviewers :) | 15:38 |
lbragstad | amakarov: let me look through yours quick. My patch is pretty trivial, and could be rolled in somewhere else if needed. | 15:39 |
amakarov | lbragstad, it's a copy of test case provided along with the bug: https://bugs.launchpad.net/keystone/+bug/1401926 | 15:41 |
uvirtbot | Launchpad bug 1401926 in keystone "Role revocation invalidates tokens on all user projects" [Medium,In progress] | 15:41 |
openstackgerrit | henry-nash proposed openstack/keystone-specs: Enable the storing of domain specific configuration in SQL. https://review.openstack.org/123238 | 15:41 |
amakarov | lbragstad, it's included in my patch in positive form | 15:41 |
openstackgerrit | henry-nash proposed openstack/keystone-specs: Enable the storing of domain specific configuration in SQL. https://review.openstack.org/123238 | 15:43 |
breton | fg | 15:45 |
breton | sorry | 15:45 |
*** abhirc has joined #openstack-keystone | 15:46 | |
*** bernardo-silva has joined #openstack-keystone | 15:47 | |
henrynash | stevemar, ayoung, morganfainberg: looking to try and kick in the first of the assignment split patches: https://review.openstack.org/#/c/144239/15 | 15:47 |
*** zzzeek has joined #openstack-keystone | 15:58 | |
*** LinstatSDR has joined #openstack-keystone | 16:05 | |
henrynash | samueldmq: ping | 16:11 |
*** chrisshattuck has joined #openstack-keystone | 16:11 | |
marekd | morganfainberg: henrynash can you take a look at: https://review.openstack.org/#/c/142743/11/keystone/contrib/federation/utils.py and line ~136ish (and my comment) ? Thanks, | 16:13 |
henrynash | ok..looking | 16:13 |
*** ajayaa has joined #openstack-keystone | 16:14 | |
marekd | henrynash: thanks. | 16:14 |
*** stevemar has joined #openstack-keystone | 16:15 | |
*** ChanServ sets mode: +v stevemar | 16:15 | |
openstackgerrit | Marco Fargetta proposed openstack/keystone: Multiple IdP authentication URL https://review.openstack.org/142743 | 16:16 |
*** samueldmq-away is now known as samueldmq | 16:17 | |
samueldmq | lbragstad, amakarov ping | 16:19 |
amakarov | samueldmq, pong | 16:19 |
samueldmq | amakarov, is lbragstad somewhere? :) | 16:20 |
samueldmq | amakarov, just saw you were talking about those patches | 16:20 |
openstackgerrit | henry-nash proposed openstack/keystone-specs: Remove old-style role metadata structures from assignment. https://review.openstack.org/146546 | 16:20 |
samueldmq | henrynash, pong | 16:20 |
amakarov | samueldmq, last time he said he'll look into | 16:20 |
samueldmq | amakarov, k | 16:20 |
samueldmq | amakarov, nice | 16:21 |
*** ajayaa has quit IRC | 16:21 | |
henrynash | samueldmq: is there a blueprint/spec for the filter performance improvements to list role assignments? | 16:21 |
samueldmq | henrynash, not yet | 16:21 |
samueldmq | henrynash, oh, I need to go back to this and send a 'final' version this week | 16:22 |
samueldmq | henrynash, it's already taking too long | 16:22 |
henrynash | samueldmq: I think we need one…I’m happy to write it up if needs be….I need that code for this too: https://review.openstack.org/146546 | 16:22 |
*** ayoung has joined #openstack-keystone | 16:23 | |
*** ChanServ sets mode: +v ayoung | 16:23 | |
samueldmq | henrynash, I can write it right now if you haven't started yet :) | 16:24 |
henrynash | https://review.openstack.org/146546 | 16:24 |
henrynash | oops, sorry | 16:24 |
*** LinstatSDR has quit IRC | 16:24 | |
henrynash | samueldmq: no, haven’t started it | 16:24 |
samueldmq | henrynash, nice, can I? never wrote a bp/spec (just an api change) | 16:25 |
samueldmq | henrynash, I'll do it right now, and add you as reviewer | 16:25 |
samueldmq | henrynash, works for you? | 16:25 |
henrynash | samueldmq: sure. I think we have to improve that performance…so let’s get that one on the table so we can get it approved before m2 (feel free to copy the format of https://review.openstack.org/146546 since they are pretty similar scope of change) | 16:26 |
samueldmq | henrynash, yep sure | 16:26 |
samueldmq | henrynash, I'm putting that patch in my first priority, after bp/spec | 16:27 |
henrynash | samueldmq: great | 16:27 |
samueldmq | henrynash, I think it took so long because of the role split/hierarchical multitenancy stuff, etc | 16:28 |
samueldmq | henrynash, and that changed each time, sorry for delaying | 16:28 |
henrynash | samueldmq: no worries | 16:28 |
* samueldmq is busy now, working on serious stuff :-) | 16:28 | |
*** rushiagr is now known as rushiagr_away | 16:29 | |
amakarov | bknudson, greetings! Would you please review https://review.openstack.org/#/c/126897/ ? I've made suggested corrections there | 16:32 |
samueldmq | henrynash, https://blueprints.launchpad.net/barbican/+spec/list-role-assignments-performance | 16:33 |
*** blinky_ghost has joined #openstack-keystone | 16:33 | |
bknudson | ayoung: you around? discussion of olso.policy graduation during oslo meeting. | 16:34 |
blinky_ghost | hi all, can anybody explain me this error: DEBUG keystone.middleware.core [-] Auth token not in the request header. Will not build auth context. ?? | 16:34 |
ayoung | bknudson, I'm here. Where's the discussion? | 16:34 |
ayoung | #openstack-meeting? | 16:34 |
bknudson | meeting-alt | 16:34 |
henrynash | samueldmq: I think you slipped that into your barbican mindset :-) | 16:34 |
bknudson | #openstack-meeting-alt is the oslo meeting. | 16:35 |
ayoung | samueldmq, that is #openstack-meeting-alt | 16:35 |
henrynash | samueldmq: …and let’s put that on the list for tomorrow’s meeting as a candidate for “blueprint that doesn’t need a spec”... | 16:35 |
samueldmq | ayoung, shh :-) | 16:35 |
samueldmq | henrynash, done | 16:39 |
lbragstad | amakarov: I have a couple comments here https://review.openstack.org/#/c/141854/ | 16:39 |
*** samueldmq has quit IRC | 16:39 | |
*** samueldmq has joined #openstack-keystone | 16:39 | |
lbragstad | but I'd be fine with abandoning my patch that exposes the bug since you're covering that case | 16:39 |
henrynash | samueldmq: …you still need to put the blueprint in the keystone bucket, not the barbican bucket, however :-) | 16:40 |
samueldmq | henrynash, oh .. sure, just a sec | 16:40 |
*** ajayaa has joined #openstack-keystone | 16:41 | |
lbragstad | amakarov: samueldmq had a comment here about including a test (and logic?) for users as well https://review.openstack.org/#/c/142099/2 | 16:41 |
amakarov | lbragstad, looking | 16:41 |
*** nkinder has quit IRC | 16:41 | |
*** dhellmann has quit IRC | 16:42 | |
*** dhellmann has joined #openstack-keystone | 16:42 | |
ayoung | bknudson, what does it mean that dhellman has quit the Oslo meeting? He doesn't like me any more? | 16:42 |
bknudson | lol | 16:43 |
amakarov | lbragstad, understood. I need a pair of minutes | 16:43 |
lbragstad | amakarov: I'm good with abandoning my review. I'll abandon with a link to yours and we'll continue iterating over what you have | 16:44 |
lbragstad | cc samueldmq ^ | 16:44 |
samueldmq | henrynash, https://blueprints.launchpad.net/keystone/+spec/list-role-assignments-performance | 16:44 |
amakarov | lbragstad, ++ | 16:44 |
samueldmq | lbragstad, ack, I had proposed that he could add his patch as dependency of yours | 16:45 |
samueldmq | lbragstad, but both approaches work for me | 16:45 |
samueldmq | lbragstad, just needed to make sure we synchronize things, to clear review process :) | 16:45 |
samueldmq | lbragstad, thx | 16:45 |
lbragstad | samueldmq: amakarov no problem, let's continue iterating over amakarov's change | 16:46 |
samueldmq | lbragstad, ++ | 16:46 |
samueldmq | henrynash, I updated KeystoneMeeting as well | 16:47 |
samueldmq | henrynash, wait, first you said I could base my spec on yours ( https://review.openstack.org/146546 ) | 16:48 |
samueldmq | henrynash, and after that we needed to add it to the “blueprint that doesn’t need a spec” section | 16:48 |
henrynash | brb | 16:48 |
samueldmq | k | 16:48 |
morganfainberg | marekd: looking at the comment you referenced. | 16:51 |
morganfainberg | henrynash: looking at the review soon. | 16:51 |
*** r-daneel has joined #openstack-keystone | 16:52 | |
*** _cjones_ has joined #openstack-keystone | 16:53 | |
openstackgerrit | Alexander Makarov proposed openstack/keystone: Group role revocation invalidates all user tokens https://review.openstack.org/141854 | 16:54 |
*** nkinder has joined #openstack-keystone | 16:55 | |
*** ajayaa has quit IRC | 16:55 | |
*** ajayaa has joined #openstack-keystone | 16:56 | |
amakarov | lbragstad, I'm done with the patch | 16:58 |
lbragstad | amakarov: cool, I'll add it back to my queue | 16:58 |
*** vozcelik has joined #openstack-keystone | 16:58 | |
samueldmq | amakarov, lbragstad ++ :) | 16:58 |
*** LinstatSDR has joined #openstack-keystone | 17:01 | |
*** mikedillion has joined #openstack-keystone | 17:02 | |
*** zz_avozza is now known as avozza | 17:02 | |
*** mikedillion has quit IRC | 17:06 | |
*** rwsu has joined #openstack-keystone | 17:09 | |
*** rwsu has quit IRC | 17:09 | |
*** esp has joined #openstack-keystone | 17:09 | |
*** vozcelik has left #openstack-keystone | 17:10 | |
*** esp has left #openstack-keystone | 17:10 | |
openstackgerrit | henry-nash proposed openstack/keystone-specs: Remove old-style role metadata structures from assignment. https://review.openstack.org/146546 | 17:11 |
*** esp has joined #openstack-keystone | 17:11 | |
morganfainberg | henrynash, +++++++++ on that ^^ | 17:13 |
henrynash | morganfainberg: :-) | 17:14 |
*** nkinder has quit IRC | 17:14 | |
morganfainberg | henrynash, i expect ldap assignment to die next week | 17:14 |
morganfainberg | henrynash, btw | 17:14 |
*** tellesnobrega has quit IRC | 17:15 | |
henrynash | morganfainberg: oh, I’ll do a special anti-ldap voodoo dance to help it on its way…. | 17:16 |
morganfainberg | henrynash, right?! :) | 17:16 |
samueldmq | henrynash, morganfainberg lol | 17:18 |
samueldmq | just fell off my chair laughing | 17:18 |
morganfainberg | henrynash, success | 17:18 |
morganfainberg | ^^ | 17:18 |
samueldmq | ++ | 17:19 |
morganfainberg | ayoung, we need to create an LP project for oslo.policy (or have oslo guys do so) | 17:19 |
ayoung | morganfainberg, done | 17:19 |
morganfainberg | ayoung, hm. | 17:19 |
morganfainberg | oh haha | 17:19 |
morganfainberg | i see it | 17:19 |
ayoung | https://launchpad.net/oslo/oslo.policy | 17:19 |
morganfainberg | i was on the wrong page | 17:19 |
morganfainberg | was on the bug tracker :P | 17:19 |
ayoung | morganfainberg, I created a group, was just seeding it | 17:20 |
morganfainberg | cool | 17:20 |
morganfainberg | punting the oslo rule thing from keystone over to oslo.policy bugs | 17:20 |
morganfainberg | the bug i've left open until we had a real place for it | 17:20 |
samueldmq | morganfainberg, that bug regarding rules order evaluation ? | 17:20 |
*** ajayaa has quit IRC | 17:20 | |
morganfainberg | yep | 17:21 |
samueldmq | nice | 17:21 |
ayoung | Added Flavio since he's currently policy maintainer | 17:21 |
ayoung | morganfainberg, who else? | 17:21 |
ayoung | https://launchpad.net/~oslo-policy-core | 17:22 |
morganfainberg | bknudson, if he wants. | 17:22 |
morganfainberg | uhm. | 17:22 |
ayoung | Not giving him a choice | 17:22 |
ayoung | :) | 17:22 |
morganfainberg | probably stevemar (ping) and possibly dstanek (ping) | 17:22 |
henrynash | ayoung: any chance….you could re-apply your +2 to: https://review.openstack.org/#/c/144239/15 (a few minor cleanups from review comments on last version) | 17:23 |
ayoung | henrynash, looking. | 17:23 |
bknudson | ayoung: I've looked through the code before and am somewhat familiar with it, so I don't mind being core reviewer there. | 17:23 |
dstanek | morganfainberg: pong | 17:24 |
ayoung | henrynash, done | 17:25 |
ayoung | dstanek, want to be a reviewer on oslo.policy? | 17:25 |
henrynash | ayoung: thx, sir | 17:25 |
stevemar | morganfainberg, pong | 17:25 |
morganfainberg | ayoung, added 1.x.x series for oslo.policy | 17:25 |
samueldmq | ayoung, should rodrigods be core or even added as part of other group? | 17:26 |
morganfainberg | stevemar, ^ are you interested in oslo.policy core? | 17:26 |
dstanek | ayoung: shore - i don't mind | 17:26 |
* stevemar checks to make sure there are only 5 new reviews per month... | 17:26 | |
*** pcaruana is now known as pcaruana|off| | 17:27 | |
stevemar | morganfainberg, ayoung same answer as dstanek "shore" | 17:27 |
samueldmq | haha | 17:27 |
samueldmq | dstanek, is that part of your tx vocabulary? (as howdy) | 17:27 |
ayoung | samueldmq, Not yet. Want to populate with current cores. | 17:27 |
*** rwsu has joined #openstack-keystone | 17:27 | |
samueldmq | ayoung, ++ | 17:28 |
dstanek | samueldmq: no, i'm not from tx :-) | 17:28 |
ayoung | Was expecting it to be specifically a Keystone/Oslo joint venture. Want to know who is willing to opt in first | 17:28 |
samueldmq | dstanek, lol but speak as them ? :p | 17:28 |
morganfainberg | ayoung, also seeded the milestone for 1.0.0 for the first release when we're ready | 17:28 |
dstanek | samueldmq: i've been doing my best | 17:29 |
dstanek | samueldmq: if i start calling y'all partner then we're all in trouble | 17:29 |
*** nkinder has joined #openstack-keystone | 17:29 | |
samueldmq | dstanek, haha o/ | 17:30 |
*** afazekas has quit IRC | 17:35 | |
morganfainberg | marekd, stevemar, ping - Federation - lets move it from extension -> stable as per http://specs.openstack.org/openstack/keystone-specs/specs/kilo/replace_extensions.html | 17:37 |
stevemar | i'm down with that | 17:37 |
openstackgerrit | henry-nash proposed openstack/keystone-specs: Remove old-style role metadata structures from assignment. https://review.openstack.org/146546 | 17:38 |
morganfainberg | ayoung, lets plan to get revoke from extension to stable (same as above)^ | 17:38 |
ayoung | Yes! | 17:38 |
morganfainberg | henrynash, os-inherit http://specs.openstack.org/openstack/keystone-specs/specs/kilo/replace_extensions.html -> stable :) | 17:38 |
morganfainberg | ayoung, trusts -> http://specs.openstack.org/openstack/keystone-specs/specs/kilo/replace_extensions.html stable :) | 17:38 |
* ayoung was saying Yes for Federation, but even more so for events | 17:38 | |
stevemar | it's all downs and such, not actually moving the code base | 17:38 |
stevemar | docs* | 17:38 |
*** abhirc has quit IRC | 17:38 | |
ayoung | sure | 17:38 |
morganfainberg | it's mostly docs and minor adjustments | 17:38 |
stevemar | ... i think | 17:38 |
*** links has quit IRC | 17:38 | |
morganfainberg | ideally we should move things out of contrib as we can, but no rush on that | 17:39 |
stevemar | yeah, agreed | 17:39 |
ayoung | morganfainberg, I would love to have had a "modules" section in the code base, and then each of the top level APIs would go into "modules" | 17:39 |
*** abhirc has joined #openstack-keystone | 17:39 | |
morganfainberg | ayoung, toss that on the meeting for tomorrow? | 17:39 |
morganfainberg | ayoung, thats probably a good concept to go with. | 17:39 |
ayoung | I almost did that back during the restructuring *myumbe;le* years ago | 17:39 |
samueldmq | ayoung, ++ | 17:39 |
*** abhirc has quit IRC | 17:40 | |
henrynash | morganfainberg: only thing on os-inherit might be that for sure the original domain->project inheritance should be stable….one might question the project->project newer stuff…but not sure we can easily distinguish in terms of responding in JSON home etc. | 17:40 |
morganfainberg | henrynash, this is where we need to do work. | 17:40 |
henrynash | (i.e. ideally the newer project->project would be in-tree experimental) | 17:40 |
morganfainberg | henrynash, some things are easy some are not. | 17:40 |
morganfainberg | when doing the conversion to the new classifiers | 17:40 |
morganfainberg | stevemar, oauth1 also i think is "Stable" these days. | 17:41 |
samueldmq | henrynash, ++ agree | 17:41 |
morganfainberg | henrynash, ++ | 17:41 |
*** amakarov is now known as amakarov_away | 17:41 | |
*** henrynash has quit IRC | 17:42 | |
morganfainberg | rodrigods, re: http://specs.openstack.org/openstack/keystone-specs/specs/kilo/replace_extensions.html the way this all works, the reseller bits will be experimental (HMT) for Kilo - so plan for documentation to match. | 17:42 |
morganfainberg | rodrigods, i'd ping raildo as well but he's not here in channel at the moment | 17:42 |
morganfainberg | once we're happy with it, we can make it stable in L cycle. | 17:43 |
morganfainberg | bah henrynash dropped off | 17:43 |
morganfainberg | really need to convince him to get a bouncer | 17:43 |
*** gyee has joined #openstack-keystone | 17:44 | |
*** ChanServ sets mode: +v gyee | 17:44 | |
morganfainberg | gyee, ping | 17:44 |
morganfainberg | gyee, endpoint_filter needs some minor adjustments to be moved from extension -> stable http://specs.openstack.org/openstack/keystone-specs/specs/kilo/replace_extensions.html | 17:44 |
morganfainberg | gyee, notably, it should be defaulted on and the catalog drivers should be merged. | 17:44 |
morganfainberg | gyee, mind taking that on? | 17:44 |
morganfainberg | plus doc changes. | 17:45 |
openstackgerrit | ayoung proposed openstack/keystone-specs: Visual Page for WebSSO https://review.openstack.org/133529 | 17:45 |
openstackgerrit | Samuel de Medeiros Queiroz proposed openstack/keystone: Refactor role assignment assertions https://review.openstack.org/144543 | 17:48 |
morganfainberg | ayoung, the spec name scares me. | 17:48 |
morganfainberg | ayoung, ;) | 17:48 |
ayoung | morganfainberg, Visual? | 17:48 |
openstackgerrit | Samuel de Medeiros Queiroz proposed openstack/keystone: Improve creation of expected role assignments https://review.openstack.org/144544 | 17:48 |
ayoung | That is the biggest aspect of it | 17:48 |
morganfainberg | ayoung, haha yeah. i know what you're going for though | 17:48 |
openstackgerrit | Samuel de Medeiros Queiroz proposed openstack/keystone: Refactor check of targets and actors on RoleV3 https://review.openstack.org/144702 | 17:48 |
openstackgerrit | Samuel de Medeiros Queiroz proposed openstack/keystone: Check for invalid filtering on v3/role_assignments https://review.openstack.org/144703 | 17:48 |
openstackgerrit | Samuel de Medeiros Queiroz proposed openstack/keystone: Improve List Role Assignment Tests https://review.openstack.org/137021 | 17:49 |
morganfainberg | ok i need coffee. | 17:49 |
ayoung | morganfainberg, I'm trying to figure out if we could somehow get Horizon to handle the visuals without compromising security | 17:49 |
morganfainberg | i also would be much better off not being 3-hrs off from most people who work on keystone. | 17:49 |
gyee | morganfainberg, sure I'll work on it | 17:49 |
morganfainberg | ayoung, ++ i would like that a lot | 17:49 |
morganfainberg | ayoung, but i know we weren't sure about it | 17:49 |
ayoung | morganfainberg, and without creating yet another service.... | 17:50 |
morganfainberg | gyee, thanks. | 17:50 |
gyee | morganfainberg, I think Robert is working on endpoint enforcement middleware | 17:50 |
gyee | but I'll double check with him so I don't step on his toe | 17:50 |
morganfainberg | gyee, shouldn't be too much craziness to get the filtering stuff merged together | 17:50 |
gyee | yeah, pretty straight forward | 17:50 |
morganfainberg | i think it's just making sure it's in the pipeline and moving the catalog driver (replace the non-filtering one with the filtering one) and change some docs | 17:51 |
morganfainberg | ayoung, i'm guessing simple-cert should be *cringe* stable | 17:51 |
gyee | easy peasy :) | 17:52 |
*** bernardo-silva has quit IRC | 17:53 | |
ayoung | morganfainberg, yes. | 17:54 |
*** ayoung is now known as ayoung-lunch | 17:54 | |
*** tellesnobrega has joined #openstack-keystone | 18:00 | |
*** jistr has quit IRC | 18:03 | |
stevemar | morganfainberg, your comment here: https://review.openstack.org/#/c/135604/12/api/v3/identity-api-v3-os-federation-ext.rst | 18:07 |
stevemar | can you explain that a bit more? you mean you'd omit 'disabled' SPs or all SPs | 18:07 |
stevemar | from the service catalog | 18:07 |
*** abhirc has joined #openstack-keystone | 18:07 | |
rodrigods | morganfainberg, ok, will take a look | 18:10 |
rodrigods | ayoung-lunch, do we have an official repo? | 18:10 |
morganfainberg | stevemar, just disabled | 18:10 |
openstackgerrit | Dolph Mathews proposed openstack/keystone: Additional test coverage for password changes https://review.openstack.org/146589 | 18:11 |
morganfainberg | stevemar, it also would allow us to omit "enabled" field from the sC | 18:11 |
stevemar | right | 18:11 |
*** abhirc has quit IRC | 18:16 | |
morganfainberg | stevemar, i dont see a benefit to including "disabled" SPs in the catalog | 18:17 |
stevemar | morganfainberg, no no, you have a point | 18:17 |
stevemar | morganfainberg, just wondering what else the spec needs in order to be pushed through | 18:17 |
bknudson | is the S3Token middleware unmaintained? http://git.openstack.org/cgit/openstack/keystonemiddleware/tree/keystonemiddleware/s3_token.py#n100 | 18:17 |
morganfainberg | that plus the other things marekd already fixed i think was all i saw | 18:17 |
morganfainberg | bknudson, we have a bug to add tests but it was unmaintained before | 18:18 |
morganfainberg | bknudson, some people are using it... i think. | 18:18 |
morganfainberg | which scares me a little | 18:18 |
bknudson | the only thing that looks off is use of v2.0-only: requests.post('%s/v2.0/s3tokens' | 18:19 |
bknudson | I thought maybe we had to add auth plugin support but doesn't get a token | 18:20 |
bknudson | at some point we'll want to deprecate / remove v2.0/s3tokens so then we'll have to make a decision. | 18:21 |
morganfainberg | bknudson, well i'd like to make anything v2.0 go away *very* soon | 18:29 |
morganfainberg | stevemar, marekd, ping | 18:30 |
morganfainberg | stevemar, marekd, have a question re: federation | 18:30 |
morganfainberg | stevemar, marekd, specifically around k2k. as in - what is the minimum requirement for a SP to consume the k2k identity? Juno? Icehouse? | 18:30 |
morganfainberg | stevemar, marekd, Kilo? assuming that the IDP is kilo or later, that is. | 18:31 |
morganfainberg | hogepodge, ping - have a question for you, will send pm | 18:31 |
*** henrynash has joined #openstack-keystone | 18:32 | |
*** ChanServ sets mode: +v henrynash | 18:32 | |
stevemar | morganfainberg, icehouse is the minimum to act as an idp, juno is the minimum to act as an sp | 18:33 |
gyee | morganfainberg, stevemar, marekd, I would like to see ECP wrap as part of keystone IdP API instead of external | 18:33 |
stevemar | gyee, agreed | 18:34 |
morganfainberg | stevemar, i'd say Kilo is minimum to act as an SP, juno is minimum to play around with it | 18:34 |
morganfainberg | stevemar, remember juno was experimental | 18:34 |
stevemar | yep | 18:35 |
morganfainberg | stevemar, i'm looking to set clear guidelines on minimum recommended deployments for k2k | 18:35 |
stevemar | ah okay | 18:35 |
stevemar | then yes | 18:35 |
stevemar | i thought you were talking about feasibility | 18:35 |
morganfainberg | stevemar, i feel like juno might be the best "recommended" SP. | 18:35 |
morganfainberg | even though icehouse *could* do it | 18:35 |
stevemar | yeah, bump each by 1 | 18:35 |
stevemar | nkinder, you owe us docs! | 18:39 |
*** harlowja_away is now known as harlowja | 18:39 | |
stevemar | nkinder, i didn't forget (okay i forgot for a while, but i remembered now) | 18:39 |
stevemar | nkinder, if you just point to the general location i can whip em up for ya if you're busy | 18:40 |
*** jraim_ is now known as jraim | 18:50 | |
*** lhcheng has joined #openstack-keystone | 18:53 | |
*** bernardo-silva has joined #openstack-keystone | 18:54 | |
*** bernardo-silva has quit IRC | 18:58 | |
*** harlowja has quit IRC | 19:00 | |
*** harlowja has joined #openstack-keystone | 19:00 | |
*** harlowja has quit IRC | 19:00 | |
*** bernardo-silva has joined #openstack-keystone | 19:00 | |
*** raildo has joined #openstack-keystone | 19:06 | |
*** abhirc has joined #openstack-keystone | 19:10 | |
*** bernardo-silva has quit IRC | 19:10 | |
*** raildo has quit IRC | 19:11 | |
*** abhirc has quit IRC | 19:16 | |
*** hichtakk has joined #openstack-keystone | 19:28 | |
*** raildo has joined #openstack-keystone | 19:35 | |
openstackgerrit | Dolph Mathews proposed openstack/keystone: Additional test coverage for password changes https://review.openstack.org/146589 | 19:37 |
raildo | morganfainberg, hey rodrigods told me that you say that HMT will be experimental for Kilo, right? | 19:42 |
raildo | morganfainberg, but it's the whole implementation, including what's merged to kilo-1, or just the reseller part? | 19:43 |
morganfainberg | raildo, the reseller and enhancement stuff | 19:44 |
morganfainberg | raildo, but the stuff in k-1 will be considered stable | 19:44 |
*** abhirc has joined #openstack-keystone | 19:44 | |
*** _cjones_ has quit IRC | 19:44 | |
morganfainberg | raildo, this is to be in line with http://specs.openstack.org/openstack/keystone-specs/specs/kilo/replace_extensions.html | 19:44 |
*** _cjones_ has joined #openstack-keystone | 19:44 | |
morganfainberg | raildo, specifically any new APIs | 19:44 |
raildo | morganfainberg, ok, that was what I was thinking | 19:45 |
morganfainberg | raildo, :) | 19:45 |
morganfainberg | stevemar, i think we should see if we can do cool RST/sphinx things w/ the apis so we can do something like ..EXPERIMENTAL:: | 19:45 |
morganfainberg | stevemar, or something and have the same warning/text included for anything new | 19:45 |
raildo | and i saw the deadline for the specs :) | 19:46 |
morganfainberg | i can bug annegentle about that if you think it's a good idea | 19:46 |
morganfainberg | raildo, yeah plenty of time still. | 19:46 |
stevemar | morganfainberg, i thought of the same thing when you first proposed the idea of fixing the docs | 19:46 |
morganfainberg | stevemar, hehe :) | 19:46 |
raildo | morganfainberg, yeah I think that we can approve the two specs related to HMT in time :) | 19:46 |
* morganfainberg goes back to bug triage | 19:47 | |
morganfainberg | actually... | 19:48 |
morganfainberg | need to send an email first | 19:48 |
*** harlowja has joined #openstack-keystone | 19:52 | |
openstackgerrit | Brant Knudson proposed openstack/keystone: Change oslo.config to oslo_config https://review.openstack.org/145250 | 19:57 |
openstackgerrit | Brant Knudson proposed openstack/python-keystoneclient: Change oslo.config to oslo_config https://review.openstack.org/145252 | 19:58 |
morganfainberg | ayoung-lunch, dolphm, bknudson, stevemar, henrynash, gyee, lbragstad, bknudson, jamielennox|away, https://docs.google.com/forms/d/1xlq0XlFotqxxIw9drvSmkaRH3MPmJH5LnAbidtdbJT0/viewform - | 19:59 |
morganfainberg | dstanek, ^ | 19:59 |
openstackgerrit | Brant Knudson proposed openstack/keystonemiddleware: Change oslo.config to oslo_config https://review.openstack.org/145255 | 19:59 |
morganfainberg | ^^ that is the survey for LDAP Identity, please look it over | 19:59 |
morganfainberg | let me know if any changes need to be made before i send it out | 19:59 |
bknudson | morganfainberg: it would be good to say what the config setting is they need to check. | 20:01 |
morganfainberg | bknudson, ok | 20:01 |
bknudson | you might get more accurate results | 20:01 |
*** david-lyle has quit IRC | 20:02 | |
gyee | morganfainberg, looks fine | 20:03 |
gyee | but I agree with bknudson, on the "specifics" part, it would be nice to know their config | 20:06 |
morganfainberg | gyee, i don't want to force them to put config values in the form. if we want to dig in - i'd rather contact them directly | 20:07 |
morganfainberg | i worry about asking deployment config values as people tend to see those as private (vs. a little bit of prose about why ldap meets their deployment needs) | 20:07 |
gyee | morganfainberg, that's fine as long as we get some intel on the use cases | 20:08 |
morganfainberg | thats what the other pages are for. | 20:08 |
bknudson | ask what their root password is and the hostname then we can just take a look. | 20:08 |
morganfainberg | bknudson, ++ | 20:08 |
gyee | ultimately if this result in some use cases specific documentation that would be awesome | 20:09 |
morganfainberg | bknudson, it's either hunter2 or 12345 | 20:09 |
bknudson | crap, now I need to change my password | 20:09 |
morganfainberg | bknudson, don't worry it's all *'s on my end | 20:09 |
bknudson | ahh, now I need to change it again. | 20:09 |
gyee | best password I ever came across, 1SaysBadM0F0 | 20:10 |
*** chrisshattuck has quit IRC | 20:12 | |
morganfainberg | gyee, my hope is that we're not seeing widespread use of read/write ldap | 20:13 |
morganfainberg | gyee, so it can be deprecated as well as the ldap assignment | 20:13 |
gyee | morganfainberg, yeah, I am kinda curious to see how many out there use r/w ldap | 20:14 |
*** chrisshattuck has joined #openstack-keystone | 20:14 | |
bknudson | morganfainberg: you could also pose the question if they have other tools for updating LDAP... e.g., if they're using AD then they have windows tools. | 20:15 |
gyee | and which IT person they have to shoot in order to touch ldap | 20:16 |
bknudson | so you could get info on why they don't use r/w ldap -- they have other tools, they don't want to give keystone write access. | 20:16 |
morganfainberg | bknudson, sure i'll add it to the read/only page | 20:16 |
morganfainberg | ok updated the 1st question to specify the config option | 20:17 |
morganfainberg | please 2x check / see if i need to rephrase it | 20:17 |
bknudson | and, maybe get info on why they use r/w ldap -- only reason I can think of it's convenient | 20:17 |
morganfainberg | bknudson, that question is already there | 20:18 |
morganfainberg | bknudson, added question to what tools they use on the R/O ldap page | 20:18 |
morganfainberg | if you answer r/w you get sent to a r/w specific page | 20:19 |
morganfainberg | if you answer r/o you go to a r/o specific page | 20:19 |
bknudson | morganfainberg: the r/w setting is a different one -- e.g., user_allow_update = true | 20:19 |
morganfainberg | oh you mean that.. yeah sec. | 20:19 |
bknudson | morganfainberg: I see the tools question ... great. | 20:19 |
dstanek | morganfainberg: I'd also find it interesting to know what ldap server they use; not sure if that helps your goal | 20:21 |
*** mflobo has quit IRC | 20:21 | |
morganfainberg | dstanek, i think that is out of scope for this survey. | 20:21 |
morganfainberg | lets keep it narrow to get clear responses | 20:21 |
*** ayoung-lunch is now known as ayoung | 20:22 | |
*** mflobo has joined #openstack-keystone | 20:23 | |
*** jamielennox|away has quit IRC | 20:23 | |
*** lbragstad has quit IRC | 20:23 | |
*** serverascode has quit IRC | 20:23 | |
ayoung | morganfainberg, heh, I don't know if that will actually do us any good. I just meant to have an Identity section in the original, assignment focused survey to give people a place to answer questions about that, to avoid muddying the water. But the outcome will be interesting to read regardless | 20:23 |
morganfainberg | bknudson, i'm not going to add options to the question answers, because it *could* be that ldap server doesn't allow writes and keystone just errors vs. uses the config options | 20:24 |
morganfainberg | bknudson, i clarified a little on the yes answer selection though | 20:24 |
morganfainberg | ayoung, i was hoping to keep the assignment deprecation information really independent of identity | 20:25 |
*** dims__ has quit IRC | 20:25 | |
*** radez is now known as radez_g0n3 | 20:25 | |
*** jaosorior has quit IRC | 20:25 | |
*** boris-42 has quit IRC | 20:25 | |
*** flwang has quit IRC | 20:25 | |
*** rm_work has quit IRC | 20:25 | |
morganfainberg | ayoung, because identity r/w may not be able to go away if it's really used | 20:25 |
morganfainberg | but assignment in LDAP may completely go away | 20:25 |
*** dims__ has joined #openstack-keystone | 20:26 | |
*** vishy has quit IRC | 20:26 | |
ayoung | morganfainberg, oh, yes. and this is all good data. Just that we had people answering the assignment survey that had no interest in the assignment side of things....so they were making it an identity survey | 20:26 |
morganfainberg | right | 20:26 |
morganfainberg | we'll need to suss out the identity answers from that survey | 20:26 |
*** Guest58319 has quit IRC | 20:27 | |
*** serverascode has joined #openstack-keystone | 20:27 | |
morganfainberg | but i *think* based on answers we can remove it as stands. | 20:27 |
*** jraim has quit IRC | 20:28 | |
*** dims__ has quit IRC | 20:28 | |
*** dims__ has joined #openstack-keystone | 20:29 | |
*** mgagne has joined #openstack-keystone | 20:29 | |
*** lbragstad has joined #openstack-keystone | 20:29 | |
*** jraim has joined #openstack-keystone | 20:29 | |
*** rm_work has joined #openstack-keystone | 20:29 | |
*** LinstatSDR has quit IRC | 20:29 | |
*** rm_work has quit IRC | 20:30 | |
*** rm_work has joined #openstack-keystone | 20:30 | |
*** mgagne is now known as Guest36580 | 20:30 | |
*** boris-42 has joined #openstack-keystone | 20:30 | |
*** flwang has joined #openstack-keystone | 20:30 | |
ayoung | morganfainberg, So, Federation and the WebUI. If Keystone could give Horizon all of the information it needs to generate the request to the Identity provider, including some Nonce, and then Horizon could hand the SAML assertion back to Keystone, Keystone could safely issue a token. | 20:30 |
*** jaosorior has joined #openstack-keystone | 20:30 | |
ayoung | I don't know how practical that is | 20:30 |
ayoung | and it means that the Nonce has to be part of the request that goes to the IdP, get signed, and come back in the SAML assertion | 20:31 |
ayoung | so, I think the short of it is "possible, but not worth the effort" | 20:31 |
*** jamielennox|away has joined #openstack-keystone | 20:32 | |
*** jamielennox|away is now known as jamielennox | 20:32 | |
*** ChanServ sets mode: +v jamielennox | 20:32 | |
morganfainberg | ayoung, sure. | 20:33 |
*** vishy has joined #openstack-keystone | 20:34 | |
*** _cjones_ has quit IRC | 20:35 | |
rodrigods | ayoung, fyi: pypi repo for oslo.policy is registered, but unaccessible since we don't have any packages yet | 20:44 |
morganfainberg | rodrigods, did you set the maintainer as the openstack-infra [or whatever user that is]? | 20:45 |
rodrigods | morganfainberg, yes, openstackci | 20:45 |
morganfainberg | cool | 20:45 |
*** raildo has quit IRC | 20:49 | |
*** nellysmitt has quit IRC | 20:51 | |
*** nellysmitt has joined #openstack-keystone | 20:54 | |
samueldmq | so I'm getting 5 'AssertionError: There is no script for 62 version' errors | 20:57 |
samueldmq | already rebased | 20:57 |
samueldmq | deleted .venv | 20:57 |
samueldmq | any idea? | 20:57 |
*** _cjones_ has joined #openstack-keystone | 20:57 | |
*** david-lyle has joined #openstack-keystone | 20:57 | |
dolphm | samueldmq: clear pyc files: find . -name "*.pyc" -delete | 20:57 |
dolphm | samueldmq: you probably have a pyc for migration 61 from a different branch | 20:58 |
samueldmq | dolphm, and why it says There is no script for 62 version ? | 20:59 |
dolphm | samueldmq: because there's a pyc file, but when it goes to load the py directly, it doesn't exist | 20:59 |
*** radez_g0n3 is now known as radez | 20:59 | |
samueldmq | dolphm, so probably I was in a branch that had 62 migration, and the .pyc was generated | 21:00 |
samueldmq | dolphm, and the branch I'm on doesn't have it (the .py file) | 21:00 |
dolphm | samueldmq: yes, exactly | 21:00 |
samueldmq | dolphm, nice, makes sense | 21:01 |
samueldmq | dolphm, tests are running | 21:01 |
dolphm | samueldmq: i nuke pyc files every time i switch branches, or check anything out of gerrit | 21:01 |
samueldmq | dolphm, how to check anything out of gerrit ? | 21:02 |
dolphm | samueldmq: git-review -d <change-number> | 21:02 |
samueldmq | dolphm, oh, sure :) | 21:03 |
samueldmq | dolphm, tests are ok, thanks :) | 21:03 |
marekd | gyee: regarding ECP - what do you mean? | 21:03 |
dolphm | samueldmq: cool, good to hear | 21:03 |
*** Guest36580 is now known as mgagne | 21:04 | |
*** mgagne has joined #openstack-keystone | 21:04 | |
marekd | morganfainberg: pong. (kind of late) | 21:05 |
samueldmq | dolphm, do .pyc files also affect git versioning (rebases, etc)? | 21:06 |
lbragstad | samueldmq: it shouldn't https://github.com/openstack/keystone/blob/master/.gitignore#L1 | 21:07 |
ayoung | rodrigods, good enough | 21:07 |
samueldmq | lbragstad, nice thanks | 21:07 |
lbragstad | we don't track them in the project | 21:07 |
dolphm | samueldmq: pyc files are excluded from version control via .gitignore, so they're not version controlled at all. they'll be left behind by any operation that removes their corresponding py files from disk | 21:07 |
samueldmq | dolphm, got it, nice. thx | 21:08 |
ayoung | git clean is your friend on those types of issues | 21:09 |
ayoung | how do we create the openstack git repo... | 21:15 |
*** toddnni has quit IRC | 21:15 | |
*** david-lyle has quit IRC | 21:16 | |
*** david-ly_ has joined #openstack-keystone | 21:16 | |
gyee | marekd, I mean we should have an api to return ECP content | 21:16 |
*** toddnni has joined #openstack-keystone | 21:16 | |
*** chrisshattuck has quit IRC | 21:18 | |
ayoung | rodrigods, so where are we on the checklist? We've done this: http://docs.openstack.org/infra/manual/creators.html#add-project-to-the-governance-repository right? | 21:19 |
ayoung | but not http://docs.openstack.org/infra/manual/creators.html#adding-the-repository-to-the-ci-system | 21:19 |
*** toddnni has quit IRC | 21:25 | |
marekd | gyee: in Icehouse Federation or K2K ? | 21:28 |
gyee | marekd, K2k | 21:28 |
marekd | gyee: maybe... | 21:28 |
marekd | gyee: are you going to be on a meetup next week? | 21:29 |
gyee | marekd, from usability standpoint, we should provide a complete solution | 21:29 |
gyee | marekd, yes, I'll be there | 21:29 |
gyee | not sure if they let me bring whiskey though :) | 21:29 |
openstackgerrit | Samuel de Medeiros Queiroz proposed openstack/keystone: Improve creation of expected role assignments https://review.openstack.org/144544 | 21:31 |
openstackgerrit | Samuel de Medeiros Queiroz proposed openstack/keystone: Improve List Role Assignment Tests https://review.openstack.org/137021 | 21:31 |
openstackgerrit | Samuel de Medeiros Queiroz proposed openstack/keystone: Refactor check of targets and actors on RoleV3 https://review.openstack.org/144702 | 21:31 |
openstackgerrit | Samuel de Medeiros Queiroz proposed openstack/keystone: Check for invalid filtering on v3/role_assignments https://review.openstack.org/144703 | 21:31 |
openstackgerrit | Samuel de Medeiros Queiroz proposed openstack/keystone: Refactor role assignment assertions https://review.openstack.org/144543 | 21:31 |
openstackgerrit | Samuel de Medeiros Queiroz proposed openstack/keystone: Fixes 'OS-INHERIT:inherited_to' info in tests https://review.openstack.org/144542 | 21:31 |
marekd | gyee: from usability point of view we never said what we expect from the Service Provider point of view. | 21:32 |
marekd | whether we will mimic websso or ecp. | 21:32 |
samueldmq | bknudson, thx for your +2 on "Fixes 'OS-INHERIT:inherited_to' info in tests" | 21:33 |
gyee | marekd, say I want to write an app to utilize K2K, I wouldn't expect to do the ECP treatment right? | 21:34 |
*** toddnni has joined #openstack-keystone | 21:34 | |
gyee | I should be able to just call the keystone APIs | 21:34 |
ayoung | rodrigods, https://review.openstack.org/#/c/146645/ | 21:35 |
samueldmq | DaveChen, ping - could you please revisit https://review.openstack.org/#/c/144542/6 | 21:35 |
marekd | gyee: i am hoping to clarify this next week | 21:35 |
ayoung | morganfainberg, ^^ infra changes for policy. Please review | 21:35 |
gyee | marekd, k, sounds good | 21:36 |
openstackgerrit | Steve Martinelli proposed openstack/python-keystoneclient: Upgrade hacking to 0.10.0 https://review.openstack.org/146647 | 21:39 |
*** _cjones_ has quit IRC | 21:40 | |
*** david-ly_ has quit IRC | 21:40 | |
*** david-lyle has joined #openstack-keystone | 21:41 | |
morganfainberg | ayoung, reviewed, a couple in-line comments before it goes through | 21:42 |
ayoung | morganfainberg, thanks. Figured there would be | 21:42 |
*** chrisshattuck has joined #openstack-keystone | 21:45 | |
marekd | morganfainberg: stevemar: hi. https://review.openstack.org/#/c/135604/12/api/v3/identity-api-v3-os-federation-ext.rst your comments about that (around line 931) - this is an example of response after listing of registered Service Providers, this is not an example of Service Catalog. | 21:48 |
morganfainberg | oh blah i mis-read that then | 21:48 |
morganfainberg | marekd, sorry! | 21:48 |
stevemar | morganfainberg, haha, i thought you might have mis-read it :) | 21:48 |
morganfainberg | this is what happens pre-coffee | 21:48 |
stevemar | marekd, can you mention that anyway? I don't think you mention the catalog listing anywhere | 21:49 |
marekd | stevemar: no, i didn't. | 21:49 |
rodrigods | ayoung, updated the bp with the openstack-infra review | 21:49 |
morganfainberg | marekd, ^^ that is what i think confused me | 21:49 |
*** david-lyle has quit IRC | 21:49 | |
morganfainberg | of course and being sans morning caffeine | 21:49 |
marekd | d'accord | 21:49 |
marekd | stevemar: i will add it. | 21:49 |
stevemar | marekd, awesomeo | 21:49 |
morganfainberg | marekd, otherwise i think this looks pretty good | 21:49 |
*** david-lyle has joined #openstack-keystone | 21:50 | |
marekd | morganfainberg: ok, thanks. | 21:50 |
ayoung | morganfainberg, I want the notifications in #openstack-keystone. Keystone is pretty much going to own this, and it simplifies the discussion. I won't see it in other channels | 21:50 |
ayoung | dropped the 2.6 req | 21:50 |
morganfainberg | ayoung, it may also need to be in oslo | 21:51 |
morganfainberg | i'd ask dhellmann about that | 21:51 |
morganfainberg | i'm not opposed to it being here since a lot of us are on the core team (and it ties to keystone closely) | 21:51 |
blinky_ghost | hi can anybody help me with keystone tokens? | 21:56 |
marekd | morganfainberg: stevemar: if you could take a look at this: https://review.openstack.org/#/c/142743/11..12/keystone/contrib/federation/utils.py , line 136 and add your opinion. | 21:56 |
rodrigods | blinky_ghost, you are in the right place :) | 21:56 |
*** toddnni has quit IRC | 21:56 | |
marekd | i'd like to have this patch review-ready by the end of the week and discuss the follow-up during the meetup. | 21:57 |
morganfainberg | marekd, done. i agree with you and henry btw, list seems better | 21:57 |
marekd | morganfainberg: stevemar: as i actually think we need multiple remote_id values per identity_provider object. | 21:58 |
ayoung | morganfainberg, I thought I put it in both? | 21:58 |
morganfainberg | ayoung, hm i only saw it in merges and keystone when i -1'd it | 21:58 |
ayoung | https://review.openstack.org/#/c/146645/1/gerritbot/channels.yaml,cm | 21:58 |
ayoung | not sure why it is manilla | 21:59 |
ayoung | that looks strange, but it is where the others are | 21:59 |
*** toddnni has joined #openstack-keystone | 21:59 | |
*** adriant has joined #openstack-keystone | 21:59 | |
morganfainberg | right but is there also openstack-oslo for some? | 21:59 |
morganfainberg | merges is fine | 21:59 |
morganfainberg | keystone is fine | 21:59 |
morganfainberg | but i think you're missing -oslo | 21:59 |
marekd | morganfainberg: do you think it deserves a separate set of APIs? Something like POST /v3/OS-FEDERATION/identity_provider/BLAH/remote_id (and remote_id value in a request body), or we should simply be able to modify identity_provider object and edit remote_ids list being a new attribute? | 22:00 |
ayoung | OK..I'll add that. Thanks. | 22:00 |
morganfainberg | marekd, hm. | 22:01 |
morganfainberg | marekd, i think it's all part of the identity provider - if we make it a separate url, my concern is we're assuming SQL-relationalisms based upon the URL structure | 22:02 |
morganfainberg | marekd, it could go either way imo | 22:02 |
ayoung | typically an ID by itself is not enough to have its own API marekd | 22:02 |
morganfainberg | marekd, but i don't want the API to back us into a SQL centric view | 22:02 |
morganfainberg | unless the remote_id has lots of metadata associated with it, which doesn't seem to be the case here | 22:03 |
ayoung | I would keep it as an attribute if it is only a remote_id, make it a full api if there are other attributes associated with the remote_id | 22:03 |
morganfainberg | ayoung, ++ | 22:03 |
openstackgerrit | Samuel de Medeiros Queiroz proposed openstack/keystone: Improve creation of expected role assignments https://review.openstack.org/144544 | 22:04 |
openstackgerrit | Samuel de Medeiros Queiroz proposed openstack/keystone: Improve List Role Assignment Tests https://review.openstack.org/137021 | 22:04 |
openstackgerrit | Samuel de Medeiros Queiroz proposed openstack/keystone: Refactor check of targets and actors on RoleV3 https://review.openstack.org/144702 | 22:04 |
openstackgerrit | Samuel de Medeiros Queiroz proposed openstack/keystone: Check for invalid filtering on v3/role_assignments https://review.openstack.org/144703 | 22:04 |
marekd | morganfainberg: ayoung this makes things much easier - and yes, currently remote_id is just a string, typically a URL. | 22:04 |
marekd | morganfainberg: ayoung at some point we started with a super generic approach (let's make a framework that can handle every protocol) and somehow we must continue this patch I gues. | 22:05 |
marekd | guess* | 22:05 |
marekd | and path :) | 22:05 |
*** toddnni_ has joined #openstack-keystone | 22:05 | |
*** toddnni has quit IRC | 22:07 | |
*** toddnni_ is now known as toddnni | 22:07 | |
blinky_ghost | rodrigods: I'm having a problem about 2 days that's driving me crazy. I have an HA setup based on haproxy/keepalived with 3 keystone nodes that use mysql backend. The problem is that api requests fail randomly, specially in glance and nova. This happens mostly when I reboot one of the servers. This is the error I'm getting: http://paste.openstack.org/show/156543/ | 22:08 |
*** chrisshattuck has quit IRC | 22:08 | |
*** _cjones_ has joined #openstack-keystone | 22:11 | |
marekd | Easy review: https://review.openstack.org/146405 | 22:11 |
marekd | morganfainberg: ayoung ^^ | 22:11 |
ayoung | marekd, +A | 22:12 |
marekd | thanks! | 22:12 |
morganfainberg | by seconds beat me to it ayoung | 22:12 |
openstackgerrit | David Stanek proposed openstack/keystone: Fixes a type check to make it work in Python 3 https://review.openstack.org/125410 | 22:13 |
openstackgerrit | David Stanek proposed openstack/keystone: Updates Python3 requirements https://review.openstack.org/130579 | 22:13 |
openstackgerrit | David Stanek proposed openstack/keystone: Mocks out the memcache library for tests https://review.openstack.org/125409 | 22:13 |
openstackgerrit | David Stanek proposed openstack/keystone: Adds a fork of python-ldap for Py3 testing https://review.openstack.org/95827 | 22:13 |
ayoung | blinky_ghost, 504 Gateway Time-out is not Keystone itself. Keystone does not return that value | 22:13 |
marekd | rodrigods: thanks to you too :-) | 22:14 |
morganfainberg | blinky_ghost, are you doing HAPRoxy to mysql or in-front of keystone? | 22:14 |
blinky_ghost | ayoung: I get that value when in glance and nova, I wonder if it's something related with haproxy? | 22:14 |
ayoung | blinky_ghost, It sure sounds like it | 22:14 |
openstackgerrit | Merged openstack/keystone-specs: Specify default values for identity providers. https://review.openstack.org/146405 | 22:14 |
morganfainberg | blinky_ghost, it sounds like haproxy isn't failing the node out correctly | 22:14 |
morganfainberg | blinky_ghost, if it's in-front of keystone | 22:14 |
blinky_ghost | morganfainberg: Yes I use haproxy in front of keystone | 22:15 |
blinky_ghost | morganfainberg: for mysql I use mariadb galera with keepalived | 22:15 |
morganfainberg | yeah sounds like haproxy isn't detecting keystone is failed out - and therefore 504 until it hits a new keystone/fails the dead one out | 22:15 |
blinky_ghost | morganfainberg: can I show you the confs ? | 22:15 |
morganfainberg | blinky_ghost, sure, but i'll be honest i'd need to read up on haproxy again, haven't used it recently so not fresh in my head on what its config should look like | 22:16 |
*** toddnni has quit IRC | 22:17 | |
blinky_ghost | morganfainberg: http://paste.openstack.org/show/156544/ | 22:17 |
*** toddnni has joined #openstack-keystone | 22:18 | |
morganfainberg | it looks sane at a glance | 22:18 |
*** stevemar has quit IRC | 22:18 | |
marekd | ayoung: how can i actually serialize a list to a SQL (using our current code). | 22:19 |
marekd | ayoung: is it handled automatically now? | 22:19 |
ayoung | marekd, please don't | 22:19 |
ayoung | normalize it if it is a list. | 22:19 |
ayoung | just doesn't need its own API | 22:19 |
marekd | ayoung: all right. | 22:19 |
blinky_ghost | morganfainberg: what I see is that it will start working after a while | 22:19 |
morganfainberg | marekd, sql-a can load relationships easily | 22:19 |
morganfainberg | blinky_ghost, what does haproxy say (log wise) when it's failing? | 22:20 |
marekd | morganfainberg: ayoung so you are ok with creating another table, relationships, but don't want to have a separate API for that. | 22:20 |
morganfainberg | marekd, yeah, that makes logical sense. | 22:20 |
marekd | morganfainberg: got it. | 22:20 |
ayoung | ++ | 22:20 |
marekd | i am guessing it needs a spec as it changes how identity_provider objects look like. | 22:20 |
morganfainberg | marekd, make sure that extra table is loaded via SQL-A and the relationship, not by the manager, so that if someone wanted to say use NoSQL, it's on the NoSQL object to contain the list vs. a separate call | 22:21 |
morganfainberg | if that makes sense | 22:21 |
marekd | OK | 22:22 |
morganfainberg | get_identity_provider(id) should be the call not get_identity_provider, get_remote_ids_for_idp(idp_id) | 22:22 |
morganfainberg | :) | 22:22 |
morganfainberg | marekd, yeah probably should be a spec. | 22:23 |
marekd | i don't even think it'd be transactional :-) | 22:23 |
marekd | two separate calls in a memory | 22:23 |
*** r-daneel has quit IRC | 22:23 | |
morganfainberg | SQL-A can just load it directly and/or split the list up automatically | 22:23 |
morganfainberg | so should be really easy to write | 22:24 |
blinky_ghost | morganfainberg: I see this: http://paste.openstack.org/show/156546/ | 22:25 |
morganfainberg | yeah looks like the health check isn't doing what it's supposed to then. | 22:25 |
blinky_ghost | morganfainberg: you mean in 5000 port? | 22:26 |
morganfainberg | yeah. it shouldn't fail 504 is a proxy failure | 22:27 |
marekd | ayoung: WebSSO. So, listing a list of trusted WebUIs is doable (to avoid phishing attacks) ? | 22:27 |
marekd | ayoung: probably in keystone.conf for now. | 22:27 |
morganfainberg | i am guessing here since i am not 100% sure of what is going on there. :( | 22:27 |
*** bknudson has quit IRC | 22:27 | |
morganfainberg | keystone doesn't return a 504 | 22:27 |
blinky_ghost | morganfainberg: do you have some conf I can test? | 22:27 |
morganfainberg | ever | 22:27 |
ayoung | marekd, I'd like it to be a value on the IdP itself: visible or public or something | 22:28 |
morganfainberg | blinky_ghost, i do not have one at the moment. but i do know a lot of people use haproxy | 22:28 |
marekd | ayoung: e.g. admin needs to specify a list of trusted WebUIs where a response redirect to (with a token). | 22:28 |
ayoung | blinky_ghost, maybe one of the 3 keystone servers is misconfigured, and the errors come from asking on the wrong host | 22:28 |
marekd | ayoung: i am not talking about IdP now. | 22:28 |
ayoung | marekd, Ah | 22:28 |
marekd | ayoung: I am talking about list of Horizons where I can actually initiate websso | 22:28 |
*** nellysmitt has quit IRC | 22:28 | |
blinky_ghost | morganfainberg: if you could provide me I would appreciate it :) | 22:29 |
ayoung | marekd, again, let's try to keep in the DB, so we don't need to restart the server if there is a change? | 22:29 |
ayoung | blinky_ghost, the fact that it sometimes works means it is likely something in the rotation that is broken | 22:29 |
morganfainberg | blinky_ghost, unfortunately i don't have an haproxy config for this - or even have an environment that it would be easy to add haproxy into. | 22:29 |
*** mattfarina has quit IRC | 22:29 | |
blinky_ghost | ayoung: you mean one of the servers is not working? | 22:30 |
morganfainberg | blinky_ghost, if it is happening when you reboot a server - that tells me something is wrong with (probably?) the haproxy healthcheck | 22:30 |
ayoung | sounds like it blinky_ghost | 22:30 |
morganfainberg | or it's causing mysql to crap out until the server comes back in | 22:30 |
ayoung | this is all guesswork | 22:30 |
morganfainberg | are you losing quorum / functionality on mysql while the server is rebooting (e.g. is the controller node *also* a mysql server? in the cluster?) | 22:30 |
blinky_ghost | ayoung: ok I'll remove the server from haproxy conf and test again | 22:31 |
morganfainberg | there is a lot of guesswork on what it could be. | 22:31 |
ayoung | blinky_ghost, I know very little about HA proxy. Good luck | 22:31 |
blinky_ghost | morganfainberg: no, I use keepalived, when I reboot the server the VIP goes to the other node, I have a vrrp_script | 22:32 |
morganfainberg | so, mysql is running on the same node as keystone? | 22:32 |
morganfainberg | or is it separate hardware? | 22:33 |
morganfainberg | and if it is, does mysql work on the other node while that rebooting server is down | 22:33 |
morganfainberg | also what version of oslo.db / keystone are you running | 22:33 |
blinky_ghost | morganfainberg: yes, mysql works fine, this only happens with nova and glance services | 22:33 |
morganfainberg | there was a bug in a release of oslo.db where keystone wouldn't drop connections to dead servers correctly | 22:34 |
morganfainberg | oh wait, so keystone continues to work? | 22:34 |
morganfainberg | just glance and nova don | 22:34 |
morganfainberg | 't work? | 22:34 |
* morganfainberg is confused. | 22:34 | |
blinky_ghost | morganfainberg: yes, that's right, I can access everything but nova and glance give me random errors 504 | 22:35 |
morganfainberg | that sounds like an issue with nova or glance then. not keystone | 22:35 |
morganfainberg | or an issue with haproxy + nova/glance | 22:35 |
blinky_ghost | morganfainberg: but I think it's something related with tokens | 22:35 |
blinky_ghost | because when I run the glance command sometimes I get token errors | 22:36 |
morganfainberg | but not always? it sounds to me like something is problematic with your setup. i recommend removing haproxy from glance and nova and seeing what errors you get | 22:36 |
morganfainberg | i'm sorry but i can only guess, the best thing you can do is eliminate the HA parts one at a time until you know what the real errors are | 22:37 |
morganfainberg | not the obscured 504s that haproxy is giving you | 22:37 |
blinky_ghost | morganfainberg: yes I guess I'll try that | 22:37 |
morganfainberg | you can also look at nova/glance logs and see if there is something to add | 22:37 |
morganfainberg | some specific issues but it might also be obscured in weird ways | 22:38 |
blinky_ghost | ok, I'll test that, thanks | 22:39 |
openstackgerrit | Merged openstack/keystonemiddleware: Adds Memcached dependencies doc https://review.openstack.org/134993 | 22:41 |
blinky_ghost | morganfainberg: another question: can I use keystone with memcached in an HA setup? I have 3 memcached services running on my controllers | 22:41 |
*** henrynash has quit IRC | 22:43 | |
morganfainberg | blinky_ghost, so memcached has no good HA story for deployment | 22:44 |
*** mhu has quit IRC | 22:44 | |
*** mhu has joined #openstack-keystone | 22:44 | |
morganfainberg | blinky_ghost, you could use it, but i don't have any recommendations on best practices when it comes to using memcached like that | 22:44 |
blinky_ghost | morganfainberg: ok thanks | 22:46 |
*** raildo has joined #openstack-keystone | 22:48 | |
*** _cjones_ has quit IRC | 22:48 | |
*** _cjones_ has joined #openstack-keystone | 22:48 | |
blinky_ghost | morganfainberg: in fact it seems to be problem with haproxy, because If I restart the haproxy service in all the controllers it will start working. I saw this: https://bugs.launchpad.net/fuel/+bug/1391180 | 22:51 |
uvirtbot | Launchpad bug 1391180 in fuel/5.1.x "Deployment of Ha nova-flat cluster failed with (/Stage[main]/Osnailyfacter::Cluster_ha/Nova_floating_range[10.108.78.128-10.108.78.254]) Could not evaluate: Oops - not sure what happened: 757: unexpected token at '<html><body><h1>504 Gateway Time-out</h1>" [Critical,Fix released] | 22:51 |
morganfainberg | blinky_ghost, ah there ya go | 22:51 |
blinky_ghost | morganfainberg: I don't use fuel, I use RDO centos 7 but that seems the issue | 22:52 |
morganfainberg | it could be related | 22:52 |
*** gordc has quit IRC | 22:52 | |
morganfainberg | it sounds like an haproxy issue | 22:52 |
blinky_ghost | morganfainberg: thanks I'll do some more tests | 22:54 |
*** telemonster has quit IRC | 22:59 | |
*** raildo has quit IRC | 23:01 | |
*** lhcheng has quit IRC | 23:02 | |
*** andreaf has quit IRC | 23:03 | |
*** lhcheng has joined #openstack-keystone | 23:03 | |
*** jsavak has quit IRC | 23:12 | |
*** jaosorior has quit IRC | 23:13 | |
*** blinky_ghost has quit IRC | 23:13 | |
*** telemonster has joined #openstack-keystone | 23:13 | |
*** dims__ has quit IRC | 23:14 | |
*** nkinder has quit IRC | 23:14 | |
*** raildo has joined #openstack-keystone | 23:14 | |
*** dims__ has joined #openstack-keystone | 23:15 | |
*** chrisshattuck has joined #openstack-keystone | 23:15 | |
*** abhirc has quit IRC | 23:16 | |
*** dims__ has quit IRC | 23:19 | |
*** samueldmq_ has joined #openstack-keystone | 23:20 | |
*** david-lyle has quit IRC | 23:20 | |
*** chrisshattuck has quit IRC | 23:21 | |
*** abhirc has joined #openstack-keystone | 23:22 | |
*** dims__ has joined #openstack-keystone | 23:25 | |
*** mattfarina has joined #openstack-keystone | 23:27 | |
*** chlong has joined #openstack-keystone | 23:29 | |
*** dims_ has joined #openstack-keystone | 23:32 | |
*** bknudson has joined #openstack-keystone | 23:34 | |
*** ChanServ sets mode: +v bknudson | 23:34 | |
*** dims__ has quit IRC | 23:35 | |
*** dims_ has quit IRC | 23:36 | |
*** abhirc has quit IRC | 23:41 | |
*** chrisshattuck has joined #openstack-keystone | 23:42 | |
bknudson | oslo.utils has both tests and oslo_utils/tests -- which one should I use? | 23:42 |
*** chrisshattuck has quit IRC | 23:43 | |
*** mattfarina has quit IRC | 23:44 | |
*** abhirc has joined #openstack-keystone | 23:47 | |
*** mattfarina has joined #openstack-keystone | 23:50 |