Thursday, 2015-02-05

« Wednesday, 2015-02-04 Index Friday, 2015-02-06 »
dolphmthe 433% can be computed from the raw data (linked), but in retrospect i'm not sure it repesents a performance metric anyone cares about, so i excluded it. it sure sounded good though :)00:00
morganfainbergdolphm, yep. i figured it'd be like that00:00
morganfainbergdolphm, toss in smart caching00:00
morganfainbergeven better00:00
morganfainbergi'm sure00:00
morganfainbergdolphm, i actually think you underestimate validate pain00:01
morganfainbergpeople just don't think about it00:01
*** henrynash has quit IRC00:01
morganfainbergit'll be the #2 after token table issues00:01
morganfainbergmaybe #3 post TTL and table size issues00:01
morganfainbergthey don't know they care about it yet.00:01
morganfainberg;)00:01
dolphmmorganfainberg: it's apparently not a pain for public cloud. caching up the wazoo makes it a non-issue00:02
dolphmrax* public cloud00:02
rodrigodsdolphm, that is a impressive result... we are doing some benchmarks ourselves, more related with keystone's horizontal scalability00:02
morganfainbergpublic clouds do stupid stuff to "paper over" the issue00:02
morganfainbergbut it's because we can00:02
morganfainbergHP does other silly things to solve it00:02
morganfainbergwhen you have that much ram sitting around... cache all the things!00:03
morganfainbergbut smaller providers can't do it.00:03
*** henrynash has joined #openstack-keystone00:03
*** ChanServ sets mode: +v henrynash00:03
dolphmrodrigods: with everything setup, i'll likely publish some additional metrics for other scalability concerns00:03
*** henrynash has quit IRC00:04
dolphmmorganfainberg: yeah, i'd like to repeat these benchmarks in a deployment that would represent a much smaller provider00:04
dolphmmorganfainberg: i imagine AE won't have as much of a performance margin there00:05
*** dkingshott has quit IRC00:05
openstackgerritSteve Martinelli proposed openstack/oslo.policy: Add entry-points for option discovery  https://review.openstack.org/15309000:06
openstackgerritLin Hua Cheng proposed openstack/pycadf: Fix oslo.messaging link in docs  https://review.openstack.org/15309400:16
*** raildo_ has quit IRC00:16
lhchengstevemar: what was the keystone setting to output the cadf audit into a log file instead of sending to a queue?00:17
*** dims_ has quit IRC00:17
openstackgerritBrant Knudson proposed openstack/keystone: Change hacking check to verify all oslo imports  https://review.openstack.org/15188100:18
stevemarlhcheng, notification_driver = log00:22
lhchengstevemar: thanks! I'm just about to review and test the cadf patches. :)00:22
*** amerine has quit IRC00:22
*** amerine has joined #openstack-keystone00:23
*** gtt116_ has joined #openstack-keystone00:27
*** stevemar has quit IRC00:27
*** gtt116__ has quit IRC00:30
*** gordc has joined #openstack-keystone00:31
*** gyee has quit IRC00:34
*** diegows has quit IRC00:40
*** zzzeek has quit IRC00:46
*** dims__ has joined #openstack-keystone00:46
*** zzzeek has joined #openstack-keystone00:50
*** _cjones_ has quit IRC00:53
*** nellysmitt has joined #openstack-keystone00:58
*** oomichi has joined #openstack-keystone00:58
*** gordc has quit IRC01:00
*** nellysmitt has quit IRC01:02
*** chlong has joined #openstack-keystone01:05
*** zzzeek has quit IRC01:12
*** zzzeek has joined #openstack-keystone01:15
*** gordc has joined #openstack-keystone01:15
*** david-lyle is now known as david-lyle_afk01:18
openstackgerritBrant Knudson proposed openstack/oslo.policy: General docstring cleanup  https://review.openstack.org/15310001:18
*** jamielennox|away is now known as jamielennox01:19
*** chlong has quit IRC01:22
*** DaveChen has joined #openstack-keystone01:28
*** rwsu is now known as rwsu-afk01:43
*** gordc has quit IRC01:44
openstackgerritMerged openstack/pycadf: Fix oslo.messaging link in docs  https://review.openstack.org/15309401:48
*** markvoelker has joined #openstack-keystone01:54
*** EmilienM is now known as EmilienM|afk01:55
*** sluo_wfh has joined #openstack-keystone02:03
*** tqtran has quit IRC02:10
*** erkules_ has joined #openstack-keystone02:11
openstackgerritwanghong proposed openstack/keystone-specs: implement timestamp for Project, Domain, Role  https://review.openstack.org/15311402:13
*** erkules has quit IRC02:14
*** dims__ has quit IRC02:14
openstackgerritMerged openstack/keystone: Handle SSL termination proxies for version list  https://review.openstack.org/13223502:20
*** chlong has joined #openstack-keystone02:26
*** spandhe has quit IRC02:27
*** tellesnobrega_ has quit IRC02:31
*** thedodd has joined #openstack-keystone02:37
*** thedodd has quit IRC02:37
*** rushiagr_away is now known as rushiagr02:40
*** chlong has quit IRC02:40
*** dims__ has joined #openstack-keystone02:45
*** dims_ has joined #openstack-keystone02:46
*** dims__ has quit IRC02:50
*** tellesnobrega_ has joined #openstack-keystone02:53
*** lhcheng has quit IRC02:57
*** nellysmitt has joined #openstack-keystone02:58
*** tellesnobrega_ has quit IRC02:59
*** nellysmitt has quit IRC03:04
*** tellesnobrega_ has joined #openstack-keystone03:12
*** stevemar has joined #openstack-keystone03:12
*** ChanServ sets mode: +v stevemar03:12
*** dims_ has quit IRC03:12
*** rushiagr is now known as rushiagr_away03:18
*** josecastroleon has quit IRC03:23
*** chlong has joined #openstack-keystone03:30
*** chlong has quit IRC03:37
*** stevemar has quit IRC03:38
*** stevemar has joined #openstack-keystone03:40
*** ChanServ sets mode: +v stevemar03:40
*** rushiagr_away is now known as rushiagr03:43
*** zzzeek has quit IRC03:53
*** harlowja is now known as harlowja_away03:56
*** lhcheng has joined #openstack-keystone04:09
openstackgerritwanghong proposed openstack/python-keystoneclient: use right resource_class to create resource instance  https://review.openstack.org/15283104:10
*** haneef_ has joined #openstack-keystone04:21
*** chlong has joined #openstack-keystone04:35
jamielennoxso there kerberos plugin has no way to specify user domain information?04:50
jamielennoxs/there/the04:50
jamielennoxmarekd: have you come across this?04:50
*** richm has quit IRC04:54
*** chlong has quit IRC04:54
jamielennoxok, i guess handling that on the server side is sufficient04:55
jamielennoxor makes more sense04:55
jamielennoxeveryone ignore the guy thinking though stuff on IRC04:55
*** nellysmitt has joined #openstack-keystone04:59
*** chlong has joined #openstack-keystone05:03
*** nellysmitt has quit IRC05:04
*** abhirc has quit IRC05:40
openstackgerritDave Chen proposed openstack/keystone: Remove local conf information from paste-ini  https://review.openstack.org/13412405:42
*** dguerri has quit IRC05:44
*** lhcheng has quit IRC05:44
*** lhcheng has joined #openstack-keystone05:45
*** dguerri has joined #openstack-keystone05:45
*** tellesnobrega_ has quit IRC05:58
*** dims__ has joined #openstack-keystone06:13
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/15279506:15
*** dims__ has quit IRC06:18
stevemarjamielennox, happens to us all https://badarabbas.files.wordpress.com/2013/07/feyn.jpg06:21
wanghongstevemar, ping. It seams that we will remove ldap next circle, right?06:21
stevemarwanghong, ldap *assignment*06:21
jamielennoxstevemar: in my case think even moderately06:21
wanghongstevemar, yeah, ldap assignment06:22
stevemarwanghong, it'll be targeted for deprecation, so it'll be around for at least 2 cycles06:22
stevemarwanghong, if you have a requirement for it to stay, then let us know06:22
stevemaras far as we know, only one company is using it, and they are moving their assignments to SQL06:23
jamielennoxstevemar: who?06:23
stevemarjamielennox, CERN06:23
wanghongstevemar, thanks, I just confirm.06:23
jamielennoxso when you say one company... :)06:23
stevemarhehe, one BIG consumer06:23
wanghonghaha06:23
stevemarwanghong, we are also thinking about removing the read/write portion of identity ldap, but that's later06:24
stevemarso it's just read-only06:24
stevemarbecause again, no one actually uses it in a read-write manner06:24
stevemarwe will remove *a lot* of code that no one is using, which would be great06:25
wanghongBut, it seams that we only have sql driver in the future06:27
stevemarfor assignment, yes06:27
stevemarfor identity we will still have ldap, just not the ability to write to ldap (like create new users)06:27
wanghongOur company only uses sql. In fact, I know little about ldap :)06:31
stevemarwanghong, so your huawei account is probably on a company ldap, so imagine you wanted to give access to openstack to all users on that ldap06:32
stevemaryou just point it to the right internal url06:32
stevemarbut your ldap admins would probably never give you permission to *create* users on it06:33
stevemarany SSO application will read from ldap, most ldaps have anonymous read access06:33
marekdmorning.06:34
stevemarmarekd, evening06:34
wanghongafternoon:)06:34
stevemarhehe06:34
marekdstevemar: what do you mean by sso protocol in keystone?06:35
marekdre: ping from ~10h ago?06:35
stevemarmarekd, scrap that, don't worry06:36
marekdmorganfainberg: yeah, i am focusing on that. In fact I might need some Jedi's eyes on that.06:36
marekdstevemar: ok06:37
stevemari convinced our horizon dev that the option should be in horizon, not in keystone06:37
marekdwhich one? Because I didn't fully understand.06:37
*** lhcheng has quit IRC06:37
marekdstevemar: https://review.openstack.org/#/c/152659/ about my patch where py27 tests pass and all the rest fail on some 'unrelated' reasons I am guessing the best channel in -infra?06:38
stevemarmarekd, look at the settings file in this patch: https://review.openstack.org/#/c/151842/06:38
marekdstevemar: ah, so it will redirect to either saml2 or oidc regarding what option is put there?06:39
stevemarmarekd, yes, that is what i was thinking initially06:40
stevemarmarekd, but ayoung and gyee had a good suggestion, why not just have buttons that say 'saml2' and 'oidc'06:41
marekdstevemar: ++06:41
stevemarthey make more sense than "protocol id"06:41
stevemarwhich is kinda vague06:41
marekdyes, we can change it.06:41
stevemarmarekd, you know more about discovery service, what do you need for that to work properly? on the horizon side?06:42
stevemari was telling our dev to just have a setting called discovery_service which takes a url06:42
marekdstevemar: I had a guy who setup once a shibboleth with DS, but Horizon can be completely blind to this.06:43
marekdstevemar: (what's the past form of 'setup' ? )06:44
stevemarmarekd, this is funny: http://logs.openstack.org/59/152659/4/check/check-tempest-dsvm-full/ce97bcd/logs/apache/keystone.txt.gz#_2015-02-04_16_47_33_51106:44
marekdstevemar: it's more like configuring shibboleth where you define: if you have one default IdP always redirect to that IdP, if you have more than one, put something in between (DS) so user can choose.06:44
openstackgerritwanghong proposed openstack/keystone-specs: implement timestamp for Project, Domain, Role  https://review.openstack.org/15311406:45
stevemarmarekd, it would be 'I knew a guy who had setup a shibboleth with DS' the 'had' implies past tense, but 'setup' doesn't have one06:46
marekdOk :-)06:47
stevemarmarekd, it's only when trying to explain english that i realize how confusing it can be06:47
stevemarspecial rules everywhere!06:47
marekdenglish is easy comparing to ...say french06:47
stevemarmarekd, reply to the mailing list if you can, our horizon dev sent out screenshots06:48
marekdstevemar: I will do it.06:49
stevemarmarekd, i think there is something screwy in your code for SPs in SC06:49
stevemarif you see the keystone log it has errors06:49
marekdstevemar: yeah, but for other tests it fails on installing packages, spawning a shell etc.06:49
stevemarProgrammingError: (ProgrammingError) (1146, "Table 'keystone.service_provider' doesn't exist") 'SELECT service_provider.id AS service_provider_id, service_provider.enabled AS service_provider_enabled, service_provider.description AS service_provider_description, service_provider.auth_url AS service_provider_auth_url, service_provider.sp_url AS service_provider_sp_url \\nFROM service_provider \\nWHERE service_provider.enab06:50
stevemarled = 1' ()06:50
stevemaroh... maybe it's running into that dependency problem06:50
marekdooh, apparently i was checking wrong testsuites.06:51
stevemari went here: http://logs.openstack.org/59/152659/4/check/check-tempest-dsvm-full/ce97bcd/logs/apache/keystone.txt.gz06:51
morganfainbergdid keystone break the gate w/ the SP stuff?06:51
morganfainbergor??06:51
stevemarmorganfainberg, no, it's the output of a patch06:51
stevemarmorganfainberg, go back to sleep :P06:51
morganfainbergoh phew06:51
stevemarhaha06:51
stevemarmarekd, so the dsvm suite doesn't do the db_sync for federation tables06:52
marekdstevemar: never happened to me before, how do I make it do db_sync ?06:52
stevemarmarekd, you can't make it do it06:53
marekdwho can make do it?06:53
stevemarwell you can push a patch to infra but they will -2 it06:53
stevemarsince you are then assuming every devstack has to create the federation tables06:54
stevemari think we just have to look at https://review.openstack.org/#/c/152659/4/keystone/catalog/core.py again06:54
marekdhm hm h,06:55
marekdthe worst thing is I think I cannot test it locally.06:57
*** ajayaa has joined #openstack-keystone06:57
marekdbut, i am going to do the test.06:58
stevemarmarekd, sure you can06:58
marekdstevemar: oh,everyday something new!06:59
stevemardo a minimal devstack setup, just keystone/glance/cinder/nova and don't call the federation db_sync06:59
stevemarpull down this patch, try to do anything with the service catalog, watch it blow up06:59
*** josecastroleon has joined #openstack-keystone07:00
marekdstevemar: ah, that way, i thought there is a way where I can actually run tests like jenkis does.07:00
*** nellysmitt has joined #openstack-keystone07:00
stevemarmarekd, that's too much trouble07:00
stevemarand our test suite automatically resolves dependencies for all our extensions07:01
stevemarso it's faking it07:01
openstackgerritSteve Martinelli proposed openstack/oslo.policy: Add entry-points for option discovery  https://review.openstack.org/15309007:01
stevemar^^ finally figured that mess out07:01
marekd++07:02
stevemaroops forgot the changes to setup.cfg07:03
marekdstevemar: ok, i am running devstac.07:04
marekddevstack07:04
openstackgerritSteve Martinelli proposed openstack/oslo.policy: Add entry points for option discovery  https://review.openstack.org/15309007:05
*** nellysmitt has quit IRC07:05
*** markvoelker has quit IRC07:06
jamielennoxwho destroyed django_openstack_auth - but got kerberos login in horizon? #tothetuneofshaft07:09
jamielennoxoooooh yea07:09
openstackgerritSteve Martinelli proposed openstack/oslo.policy: Privatize parsing classes  https://review.openstack.org/15314907:14
stevemarjamielennox, well done :)07:16
*** erkules_ is now known as erkules07:18
*** harlowja_away has quit IRC07:23
*** mzbik has joined #openstack-keystone07:30
*** chlong has quit IRC07:39
*** afazekas has joined #openstack-keystone07:55
*** nkinder has joined #openstack-keystone07:57
*** lsmola has quit IRC08:05
*** stevemar has quit IRC08:12
*** nellysmitt has joined #openstack-keystone08:17
openstackgerritwanghong proposed openstack/keystone: remove the Conf.signing.token_format option support  https://review.openstack.org/14425008:21
*** jaosorior has joined #openstack-keystone08:22
*** lsmola has joined #openstack-keystone08:22
openstackgerritMarek Denis proposed openstack/keystone: Refactor federation SQL backend  https://review.openstack.org/15315908:23
*** zz_avozza is now known as avozza08:28
openstackgerritDave Chen proposed openstack/keystone: Add new "RoleAssignment" exception  https://review.openstack.org/13362808:32
openstackgerritMarek Denis proposed openstack/keystone: Add ``service_providers`` in Service Catalog  https://review.openstack.org/15265908:32
*** lsmola has quit IRC08:36
*** lsmola has joined #openstack-keystone08:38
openstackgerritDave Chen proposed openstack/keystone: Skip endpoints which is not available  https://review.openstack.org/14486008:45
openstackgerritwanghong proposed openstack/keystone: remove assignments for foreign actors when deleting domain  https://review.openstack.org/12743309:06
*** jistr has joined #openstack-keystone09:07
*** ajayaa has quit IRC09:10
*** ajayaa has joined #openstack-keystone09:10
*** ajayaa has quit IRC09:30
*** ajayaa has joined #openstack-keystone09:31
*** gtt116_ has quit IRC09:34
*** pnavarro has joined #openstack-keystone09:37
*** MasterPiece has joined #openstack-keystone09:39
*** obutenko has joined #openstack-keystone09:49
*** nkinder has quit IRC09:53
*** nkinder has joined #openstack-keystone09:59
*** obutenko has quit IRC10:01
*** obutenko_ has joined #openstack-keystone10:01
*** pnavarro has quit IRC10:15
*** pnavarro has joined #openstack-keystone10:17
*** henrynash has joined #openstack-keystone10:20
*** ChanServ sets mode: +v henrynash10:20
*** MasterPiece has quit IRC10:23
*** tellesnobrega_ has joined #openstack-keystone10:28
*** tellesnobrega_ has quit IRC10:43
*** tellesnobrega_ has joined #openstack-keystone10:45
*** chlong has joined #openstack-keystone10:50
*** boris-42 has quit IRC10:52
bretonjamielennox: in Mirantis ldap assignment was used too10:58
*** aix has joined #openstack-keystone11:04
*** tellesnobrega_ has quit IRC11:10
*** andreaf has joined #openstack-keystone11:12
*** amakarov_away is now known as amakarov11:18
*** lufix has joined #openstack-keystone11:40
*** markvoelker has joined #openstack-keystone11:40
*** josecastroleon has quit IRC11:46
*** markvoelker has quit IRC11:47
*** dims__ has joined #openstack-keystone11:47
*** pnavarro has quit IRC11:55
*** dims__ has quit IRC12:00
*** josecastroleon has joined #openstack-keystone12:00
*** EmilienM|afk is now known as EmilienM12:02
*** dims__ has joined #openstack-keystone12:03
*** nkinder has quit IRC12:12
rodrigodshenrynash, great review in the reseller spec, thx12:14
henrynashrodigods: np12:15
*** nkinder has joined #openstack-keystone12:19
*** pnavarro has joined #openstack-keystone12:19
rodrigodshenrynash, replied your comments :)12:22
henrynashrodigods: so agree with the first bit, but not sure about teh second part….see my comment12:29
*** topol has joined #openstack-keystone12:30
*** ChanServ sets mode: +v topol12:30
rodrigodshenrynash, just saw it12:31
rodrigodshenrynash, my concern is... if we allow to grant a project role in a "domain" we would be giving domain powers anyway12:32
*** chlong has quit IRC12:38
rodrigodshenrynash, or is this not a problem?12:38
*** oomichi has quit IRC12:39
henrynashrodigods:…so probably my unease is that I was assuming this is what we were doing (!)….but what is “a domain” power”? the only power is “do I have a role X on an entity with ID=Y”…hmmm…Iet me think on it few minutes....12:42
*** oomichi has joined #openstack-keystone12:42
henrynashrodigods:…and I’m still uneasy about dual scoped tokens….somehow these issues are connected..but Ican’t quite artiulate my concern....12:43
*** markvoelker has joined #openstack-keystone12:43
*** oomichi has quit IRC12:44
rodrigodshenrynash, yes... our previous proposal was to keep both assignments types (DOMAIN and PROJECT) and have the ability to request a project scoped, domain scoped or dual scoped token depending on the assignments types you have12:45
rodrigodshenrynash, but... thinking a bit more about assigning a project role in a "domain" is ok (doesn't make sense to deny this operation)12:46
*** markvoelker has quit IRC12:47
rodrigodshenrynash, if an operator wants to split responsibilities (project -> handle resources, domain -> handle identity) it is possible by creating two different roles (domain_admin and project_admin) and using them in the policy12:52
henrynashrodigods: yes, that’s right….12:54
rodrigodshenrynash, so I think we are good as it is... just wait for lhcheng to reply12:55
marekdbknudson: Hi. I am fearing I am mising something with loading contrib Modules. For some reason https://review.openstack.org/#/c/152659/ -> keystone-manage db_sync --extension federation is not being run (and that's ok), but for some reason in catalog.Manager federation_api is not None behaving like federation was enabled up and running.12:58
marekdbknudson: my question is how can we control/check whether some extension is enabled or not12:59
*** markvoelker has joined #openstack-keystone13:01
*** oomichi has joined #openstack-keystone13:04
*** afazekas has quit IRC13:06
*** oomichi has quit IRC13:08
*** Ctina has joined #openstack-keystone13:23
bknudsonmarekd: providers enable themselves on import, e.g., see http://git.openstack.org/cgit/openstack/keystone/tree/keystone/contrib/federation/core.py#n4913:27
bknudsonmarekd: so in order for federation to be enabled it has to be imported.13:27
bknudsonand for it to not be enabled, it has to not be imported.13:27
rodrigodsbknudson, good catch about "parent_id" being passed in kwargs: https://review.openstack.org/#/c/115770/27/keystoneclient/v3/projects.py13:28
bknudsonnormally extensions are only imported because the controller is loaded by the paste pipeline13:28
rodrigodsbknudson, should we keep compatibility by preferring always the "parent" param?13:28
bknudsonrodrigods: preferring the parent param makes sense... or I guess it could fail if both are used together.13:29
marekdbknudson: so, if federation_Extension is not loaded in any pipe in keystone-paste.ini it should not be loaded hence, available?13:29
bknudsonmarekd: if it's not in a paste pipeline then it shouldn't be available13:30
marekdbknudson: does it change that we are trying to load it by using @dependeny.optional() in auth/plugins/token.py ?13:30
bretonfellas, I'd really love to see https://review.openstack.org/#/c/131531/ merged before spec freeze today. Could you please review it?13:30
*** gordc has joined #openstack-keystone13:33
bknudsonmarekd: the module has to be imported for the provider to be registered, that's what @dependency.provider('federation_api') does.13:33
bknudsonthere's no magic.13:33
marekdbknudson: so i don't understand how is it possible, that while federation_extension is not added to the paste-ini file, catalog.Manager.federation_api is not None.13:36
*** abhirc has joined #openstack-keystone13:36
bknudsonmarekd: something else might be importing the federation module.13:36
marekdhttps://github.com/openstack/keystone/blob/master/keystone/auth/plugins/token.py#L27 e.g. this? or it must really be "from keystone.contrib import federation"  ?13:38
bknudsondependency.optional doesn't import the federation module.13:39
*** kromanenko has joined #openstack-keystone13:39
marekdbknudson: probably one of those files does the dirty job: http://pasteraw.com/c5hrilm4p9o3xa9pakot9cpybd21m1f13:40
bknudsonthat's a lot of files importing that module...13:41
*** abhirc has quit IRC13:41
marekdbknudson: yes.13:41
marekd:(13:42
bknudson./contrib/federation/routers.py is expected ... that should be what's loaded by the paste pipeline.13:42
marekdyes, should have added "grep -v contrib"13:42
marekdone dirty hack that comes to my head is to handle PRogrammingError and pass it silently, but I am not comfortable with the fact, that an Exception will be raised in probably 90% cases.13:44
marekdpity we don't have any more explicit way of enabling/disabling extensions.13:44
*** dims__ has quit IRC13:49
bknudsonmarekd: there's a spec approved to change extension handling ...13:51
marekdbknudson: oh, right.13:51
marekdforgot about that.13:51
bknudsonhttp://specs.openstack.org/openstack/keystone-specs/specs/kilo/replace_extensions.html13:52
bknudsonso I assume federation wouldn't be an extension when this is implemented.13:52
bknudsonso federation can't be disabled13:53
bknudsonand we don't have to worry about optional dependencies13:53
*** afazekas has joined #openstack-keystone13:55
marekdso the federation backend you be created by default, right?13:57
marekd(for instance)13:57
marekdOK, I am going to leave a comment on my patch so others can weight.13:58
marekdcause it's unclear to me whatto do with service_providers for K2K13:58
*** samueldmq_ has joined #openstack-keystone13:58
marekddepend on the extensions spec, add exception handler and deal with that or change API so client must explicitely ask for service_providers in the Service Catalog.13:59
bknudsonsince federation won't be an extension then the database tables will always be created.13:59
bknudsonI don't know if we're going to remove the --extension parameter to keystone_manage db_sync or what.13:59
bknudsonand migration is going to have to create the federation tables if they didn't exist before.14:01
*** dims_ has joined #openstack-keystone14:02
marekdwell, yeah, federation related db tables would be there by default.14:02
marekdwithout any extra manual step.14:02
*** dims___ has joined #openstack-keystone14:02
marekdlike db_sync --extension federation14:02
*** abhirc has joined #openstack-keystone14:03
*** dims____ has joined #openstack-keystone14:04
*** dims_ has quit IRC14:06
*** dims__ has joined #openstack-keystone14:06
*** dims__ has quit IRC14:06
*** dims___ has quit IRC14:06
*** dims__ has joined #openstack-keystone14:07
*** dims__ has quit IRC14:08
*** dims____ has quit IRC14:09
*** therve has quit IRC14:10
*** therve has joined #openstack-keystone14:10
*** dims_ has joined #openstack-keystone14:11
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: domain as project  https://review.openstack.org/14376314:12
*** mzbik has quit IRC14:16
*** richm has joined #openstack-keystone14:17
marekdmflobo: https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3-os-federation-ext.rst#authenticating14:19
*** joesavak has joined #openstack-keystone14:23
*** boris-42 has joined #openstack-keystone14:25
*** ajayaa has quit IRC14:28
*** ajayaa has joined #openstack-keystone14:29
*** abhirc_ has joined #openstack-keystone14:38
*** abhirc has quit IRC14:40
*** henrynash has quit IRC14:44
*** diegows has joined #openstack-keystone14:45
*** krykowski has joined #openstack-keystone14:45
*** topol has quit IRC14:45
*** josecastroleon has quit IRC15:00
*** karimb has joined #openstack-keystone15:03
*** pnavarro has quit IRC15:08
lbragstaddolphm: nice write up15:08
openstackgerritAlistair Coles proposed openstack/keystonemiddleware: Delay denial when service token is invalid  https://review.openstack.org/15324715:15
*** rm_work|away is now known as rm_work15:18
*** ajayaa has quit IRC15:19
*** topol has joined #openstack-keystone15:20
*** ChanServ sets mode: +v topol15:20
*** timcline has joined #openstack-keystone15:22
*** david-lyle_afk is now known as david-lyle15:23
*** josecastroleon has joined #openstack-keystone15:30
*** blinky_ghost has joined #openstack-keystone15:39
blinky_ghosthi can anybody tell me what this error means in keystone: DEBUG urllib3.connectionpool [-] "POST /v3/auth/tokens HTTP/1.1" 401 140 _make_request /usr/lib/python2.7/site-packages/urllib3/connectionpool.py:357  DEBUG keystoneclient.session [-] Request returned failure status: 401 request /usr/lib/python2.7/site-packages/keystoneclient/session.py:345 DEBUG keystoneclient.v3.client [-] Authorization failed. get_raw_token_from_identity_service15:40
blinky_ghost /usr/lib/python2.7/site-packages/keystoneclient/v3/client.py:26715:40
blinky_ghostthanks15:40
*** dnalezyt has joined #openstack-keystone15:46
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient: Hierarchical multitenancy basic calls  https://review.openstack.org/11577015:47
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient: Implements subtree_as_ids and parents_as_ids  https://review.openstack.org/15007815:47
rodrigodsbknudson, ^ think addressed your comments in the first one, thanks for the review15:47
*** Ctina_ has joined #openstack-keystone15:48
bknudsonrodrigods: the decorator is necessary, it's the optional argument to the decorator.15:48
*** dnalezyt has quit IRC15:49
*** dnalezyt has joined #openstack-keystone15:50
*** stevemar has joined #openstack-keystone15:50
*** ChanServ sets mode: +v stevemar15:50
*** dnalezyt has quit IRC15:50
*** Ctina has quit IRC15:50
*** dnalezyt has joined #openstack-keystone15:50
rodrigodsbknudson, didn't I add it back?15:54
rodrigodslet me check15:54
*** rm_work is now known as rm_work|away15:54
rodrigodsbknudson, it's back :)15:54
bknudsonok, thanks15:54
openstackgerritDoug Hellmann proposed openstack/oslo.policy: Add pep8 import exception for oslo_policy._i18n  https://review.openstack.org/15327116:05
*** avozza is now known as zz_avozza16:07
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient: Hierarchical multitenancy basic calls  https://review.openstack.org/11577016:08
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient: Implements subtree_as_ids and parents_as_ids  https://review.openstack.org/15007816:08
rodrigodsbknudson, removed the unnecessary parameter from utils.positional decorator ^16:08
bknudsonok... I'm fine with it either way. I took a quick look through it and didn't notice anything... I should have time later today to go through it.16:09
rodrigodsbknudson, thanks!16:09
*** raildo has left #openstack-keystone16:10
*** raildo has joined #openstack-keystone16:10
*** vishy has quit IRC16:11
*** vishy has joined #openstack-keystone16:12
*** nkinder has quit IRC16:17
*** zzzeek has joined #openstack-keystone16:18
*** thedodd has joined #openstack-keystone16:19
*** rushiagr is now known as rushiagr_away16:21
*** htruta has quit IRC16:22
*** rm_work|away is now known as rm_work16:22
*** nkinder has joined #openstack-keystone16:23
*** nellysmitt has quit IRC16:27
*** ajayaa has joined #openstack-keystone16:27
*** rwsu-afk is now known as rwsu16:28
openstackgerritDavid J Hu proposed openstack/keystone: Version independent token issuance pipeline  https://review.openstack.org/15062916:30
*** dnalezyt2 has joined #openstack-keystone16:31
*** dnalezyt2 has quit IRC16:31
*** dnalezyt2 has joined #openstack-keystone16:32
*** dkingshott has joined #openstack-keystone16:35
*** sld has joined #openstack-keystone16:35
*** dnalezyt has quit IRC16:43
*** kromanenko has quit IRC16:44
*** htruta has joined #openstack-keystone16:48
*** rushiagr_away is now known as rushiagr16:49
*** ayoung has quit IRC16:49
*** obutenko_ has quit IRC16:54
*** ljfisher has joined #openstack-keystone16:57
*** samueldmq_ has quit IRC16:59
*** nkinder has quit IRC16:59
*** mattfarina has joined #openstack-keystone17:01
*** abhirc_ has quit IRC17:02
*** dnalezyt2 has quit IRC17:02
*** pnavarro has joined #openstack-keystone17:03
openstackgerritBob Thyne proposed openstack/keystonemiddleware: Add Endpoint Enforcement to Keystonemiddleware  https://review.openstack.org/15329617:06
*** tqtran has joined #openstack-keystone17:06
*** karimb has quit IRC17:09
openstackgerritSteve Martinelli proposed openstack/oslo.policy: Add entry points for option discovery  https://review.openstack.org/15309017:10
openstackgerritSteve Martinelli proposed openstack/oslo.policy: Add entry points for option discovery  https://review.openstack.org/15309017:10
*** josecastroleon has quit IRC17:11
openstackgerritDavid Stanek proposed openstack/keystone-specs: environment setup for functional tests  https://review.openstack.org/15330017:14
*** aix has quit IRC17:14
bretondstanek: ping17:17
bretondstanek: on line 105 of https://review.openstack.org/#/c/147608/7/specs/kilo/functional-testing.rst it is said "To run all of the shared tests" and on line 111 "To run all of the shared config tests". What's the difference?17:20
openstackgerritTom Cameron proposed openstack/keystone: Add docstrings to remaining functions  https://review.openstack.org/14731317:23
*** abhirc has joined #openstack-keystone17:26
*** ayoung has joined #openstack-keystone17:26
*** ChanServ sets mode: +v ayoung17:26
dstanekbreton: that's probably a bad example - no different in that case17:27
*** lhcheng has joined #openstack-keystone17:27
dstanekbreton: actually the functional example below it makes my point - i may submit a revision making that more sane - thanks for the detailed look17:27
*** timcline has quit IRC17:28
*** timcline has joined #openstack-keystone17:29
*** abhirc has quit IRC17:33
*** timcline has quit IRC17:33
bretondstanek: that'd clarify things, yes, thank you17:35
*** abhirc has joined #openstack-keystone17:36
*** abhirc has quit IRC17:36
openstackgerritAlexander Makarov proposed openstack/keystone: Fix for KVS cache backend incompatible with redis-py  https://review.openstack.org/15330717:38
openstackgerritAlexander Makarov proposed openstack/keystone: Redis token backend  https://review.openstack.org/15084417:39
*** pnavarro has quit IRC17:43
*** tsufiev is now known as tsufiev_17:44
openstackgerritIan Cordasco proposed openstack/oslo.policy: [WIP] Make use of private modules  https://review.openstack.org/15331017:46
morganfainbergSo looks like we have a k2 milestone :)17:47
samueldmqmorganfainberg, hey17:48
morganfainbergMornin.17:49
samueldmqmorning17:49
samueldmqmorganfainberg, since we've defined to push domain-roles a little bit and put more efforts in dynamic policies for now ...17:49
samueldmqshouldnt we workflow -1 this ? https://review.openstack.org/#/c/133855/17:49
samueldmqwe didn't make clear to reviewers our decision, and it's even getting +217:50
morganfainbergsamueldmq: I will be doing -2s on specs today.17:53
morganfainbergWell. Tonight.17:54
morganfainbergTo cover ones that are not approved for this cycle.17:54
samueldmqmorganfainberg, great! thanks17:54
bretonmorganfainberg: will there be +2s among -2s?17:54
amakarovmorganfainberg, greetings! May it be a "smart" solution as you asked https://review.openstack.org/#/c/153307/ ? :)17:54
morganfainbergbreton: the -2s will be only for specs that will not be approved +2s for specs that will be.17:55
*** pnavarro has joined #openstack-keystone17:55
raildolhcheng, Hi Lin, I answered your comment in the reseller spec :)17:55
morganfainbergamakarov: just looked it over, at a glance exactly what I was looking for. There is a weird edge case we introduce but honestly we shouldn't be relying on the mutex then (and in practice we won't ever hit it because it requires a custom mutex to be defined)17:56
morganfainbergamakarov: I need to do a more in-depth review but yes, spot on. :)17:56
openstackgerritJeremy Stanley proposed openstack/python-keystoneclient: Workflow documentation is now in infra-manual  https://review.openstack.org/13937517:56
morganfainbergraildo: so one other comment. Domains should (separate work) eventually support inheriting from a parent domain.17:57
*** ayoung has quit IRC17:57
raildomorganfainberg, sure, we have this in mind :)17:57
morganfainbergraildo: second. Project roles and domain roles should be the same.17:58
morganfainbergNot depending on which api you call.17:58
morganfainbergI commented on the spec. But am ready to approve it if that all is in line.17:58
rodrigodsmorganfainberg, raildo yes :)17:58
amakarovmorganfainberg, well, thank you on that! As for me it's WIP now - it must yet pass scale testing, so I'll inform you when I done17:59
*** Ctina_ has quit IRC17:59
raildomorganfainberg, absolutely. We will do this.17:59
morganfainbergThe fix for lua that is amakarov the redis part is I understand more WIP18:00
lhchengraildo: thanks for responding to my comments! :)18:00
*** amakarov is now known as amakarov_away18:02
raildolhcheng, np :)18:02
*** spandhe has joined #openstack-keystone18:04
openstackgerritIan Cordasco proposed openstack/oslo.policy: [WIP] Make use of private modules  https://review.openstack.org/15331018:06
*** krykowski has quit IRC18:07
*** jistr has quit IRC18:09
*** lufix has quit IRC18:09
*** jistr has joined #openstack-keystone18:10
openstackgerritMerged openstack/keystone-specs: Reseller  https://review.openstack.org/13982418:13
openstackgerritIan Cordasco proposed openstack/oslo.policy: [WIP] Make use of private modules  https://review.openstack.org/15331018:14
*** ndonegan has left #openstack-keystone18:17
openstackgerritIan Cordasco proposed openstack/oslo.policy: Make use of private modules  https://review.openstack.org/15331018:17
openstackgerritDoug Hellmann proposed openstack/oslo.policy: Do not use global enforcer for tests  https://review.openstack.org/15332118:18
openstackgerritDoug Hellmann proposed openstack/oslo.policy: Stop shouting test attribute names  https://review.openstack.org/15332218:18
openstackgerritIan Cordasco proposed openstack/oslo.policy: Make use of private modules  https://review.openstack.org/15331018:18
morganfainbergdhellmann, ping - i see you're online quick question18:18
morganfainbergactually18:19
morganfainbergwill ask in oslo channel [the right place]18:19
*** mattfarina has quit IRC18:19
*** abhirc has joined #openstack-keystone18:19
*** jistr has quit IRC18:22
*** timcline has joined #openstack-keystone18:23
*** abhirc has quit IRC18:23
*** radez_g0n3 is now known as radez18:23
morganfainbergrodrigods, stevemar, added to oslo.policy core18:26
morganfainbergyou two were missing18:26
*** timcline has quit IRC18:27
openstackgerritIan Cordasco proposed openstack/oslo.policy: Do not use global enforcer for tests  https://review.openstack.org/15332118:27
*** mattfarina has joined #openstack-keystone18:28
*** nellysmitt has joined #openstack-keystone18:28
* samueldmq is wondering if list/get grants api endpoints are not conceptually wrong, since they return roles instead of grants18:29
*** ljfisher has quit IRC18:30
*** harlowja has joined #openstack-keystone18:30
openstackgerritIan Cordasco proposed openstack/oslo.policy: Stop shouting test attribute names  https://review.openstack.org/15332218:31
*** abhirc has joined #openstack-keystone18:32
*** abhirc has quit IRC18:32
*** nellysmitt has quit IRC18:33
*** rushiagr is now known as rushiagr_away18:36
*** ajayaa has quit IRC18:39
*** afazekas has quit IRC18:40
marekdmorganfainberg: Hi. Need your advice on https://review.openstack.org/#/c/152659/ (see the last comment)18:46
*** jaosorior has quit IRC18:46
morganfainbergmarekd, we should just migrate them always18:46
morganfainbergfederation should be moved to default on (based on "no more extensions" spec) as it's 'stable'18:47
*** dkingshott has quit IRC18:47
morganfainbergmarekd, you can do the work for the no-more-extensions to make federation stable18:47
morganfainbergit's mostly we have do to each item as we have a chance18:47
marekdmorganfainberg: what exactly does it mean?18:47
morganfainbergno reason it can't be done as part of this.18:47
morganfainbergmarekd, 1) make federation tables always migrate18:47
morganfainberg2) put it in the default pipeline [API]18:48
marekdthat's it?18:48
morganfainbergconvert the "dependency.optional" to "dependency.required", ensure docs are indicating it's always there18:48
morganfainbergand how to disable it [re: policy.json?, etc]18:48
morganfainbergyeah it's mostly doc work and minor massaging of stuff inside keystone18:48
marekdmorganfainberg: roger that.18:49
marekdonce I do it and it's reviewed I will carry on with the K2K stuff.18:49
morganfainbergack18:49
marekdmorganfainberg: thanks, that was quick :-)18:49
*** thedodd has quit IRC18:50
*** dan_ has joined #openstack-keystone18:51
*** zz_avozza is now known as avozza18:52
*** mattfarina has quit IRC18:57
*** thedodd has joined #openstack-keystone18:58
notmynameauthtoken has a config option called delay_auth_decision. it defaults to False, and that breaks a ton of functionality in Swift. therefore it means that every deployer using Swift + keystone has to explicitly change that config. is there any way to either change the default or remove the default so it must be explicitly configured?18:59
openstackgerritLance Bragstad proposed openstack/keystone-specs: Authenticated Encryption Tokens  https://review.openstack.org/13005019:00
*** mattfarina has joined #openstack-keystone19:01
morganfainbergnotmyname: there are some issues around changing that behavior but, in short, iirc we want to change that default. But other services need to be smarter before we can.19:02
morganfainbergMaking it need to be explicitly configured would be more broken though / worse experience.19:03
*** avozza is now known as zz_avozza19:03
notmynameit seems that there isn't a common correct default? so either default you pick is wrong. so making it explicitly configured means that you can't choose one that works. that makes sense to me19:04
openstackgerritLance Bragstad proposed openstack/keystone: Switch the token provider to use strict_abc  https://review.openstack.org/14941119:04
bknudsonrather than have a config we could provide 2 auth_tokens, one that does delay_auth_decision and on that doesn't19:07
bknudsonthen swift uses the one it wants and other projects use the one they want, no extra config option reqd.19:07
bknudsonor we could somehow allow the application to pass the default to auth_token middleware19:08
notmynamebknudson: that seems pretty heavyweight19:08
morganfainbergbknudson: actually yes. And we can work to convert people over to the new one once we fix everything to be smarter (not need to reject due to lack of token)?19:08
notmynamewhat do other projects require?19:08
bknudsonit's not heavyweight, it's just a different name that can be referenced in paste.ini19:08
morganfainbergnotmyname: it would be the same code just a very light if/check wrapper. Delay auth decision is just not rejecting based on lack of token.19:08
*** thedodd has quit IRC19:09
notmynamebut that means deployers will have to choose the right config name right? instead of the right config variable value. IOW you'll have deployers running multiple services with keystone and having to use different middleware for each19:09
morganfainbergnotmyname: I really dislike that middleware rejects because of a lack of token. The issue is that doesn't let us expose any apis cleanly that don't need auth.19:11
notmynameare there other services that require that functionality to be there?19:11
morganfainbergnotmyname: require, no. Would like in some cases: yes19:11
notmynameas in, require it but also don't respect the config value?19:11
notmynameI'm curious about the barriers to changing the default19:12
morganfainbergAll services but swift assume the pep is only enforcing RBAC not does token exist19:12
notmynameI didn't parse that19:13
morganfainbergIt's a slog to make the enforcement points not assume we validated token existence. Or at least a way to say urls xyz are open to be hit w/o a token (enforcement is done on data from token not assuming a token was provided because a request hit the service)19:13
bknudsonany service that's not checking the X-Identity-Status is going to have a problem.19:14
morganfainbergbknudson: that is the issue isn't it. Services don't check that. We "enforce it for them"19:14
*** blinky_ghost has quit IRC19:14
notmynameI'm not familiar with x-identity-status19:15
morganfainberg"Is the token valid / existing"19:15
bknudsonauth_token middleware sets X-Identity-Status to "Confirmed" if the token was valid.19:15
bknudsonor set it to "Invalid"19:15
notmynameah19:16
bknudsonif delay_auth_decision is False then the application will never see "Invalid"19:16
bknudsonbut if delay_auth_decision is True and you're not checking X-Identity-Status now you're letting everything through.19:18
morganfainbergThe policy enforcement point should check that, not middleware. But that has not been the case in general.19:18
morganfainbergHence why the default is "false"19:18
bknudsonoh, yeah, we could have a policy rule for it... would need that in the context.19:18
*** ayoung has joined #openstack-keystone19:18
bknudsonthere might be work going on in this area already19:18
morganfainbergSwift being the notable exception.19:18
*** ChanServ sets mode: +v ayoung19:18
notmynameinteresting. I don't think we're checking x-identity-status, but we do have a callback to the auth system to authroize requests (way after the middleware has control of the reuqest)19:20
samueldmqayoung, ping - do you know how horizon gets user' projects?19:23
*** timcline has joined #openstack-keystone19:24
ayoungsamueldmq, look at the code in django openstack auth / backend.py19:24
*** pnavarro has quit IRC19:24
*** abhirc has joined #openstack-keystone19:25
*** nellysmitt has joined #openstack-keystone19:26
openstackgerritSteve Martinelli proposed openstack/oslo.policy: Privatize parsing classes  https://review.openstack.org/15314919:27
*** timcline has quit IRC19:28
*** timcline has joined #openstack-keystone19:34
samueldmqayoung, k thanks will take a look19:36
samueldmqayoung, I'm looking for the specific endpoint they call on keysotne19:36
david-lylesamueldmq: https://github.com/openstack/django_openstack_auth/blob/master/openstack_auth/utils.py#L24219:42
samueldmqdavid-lyle, great! thanks19:43
david-lylenp19:43
*** dims__ has joined #openstack-keystone19:44
*** r-daneel has joined #openstack-keystone19:44
*** dims_ has quit IRC19:47
samueldmqayoung, it will be using list_user_projects (https://github.com/openstack/keystone/blob/master/keystone/assignment/controllers.py#L412-L416) :-)19:48
*** dims__ has quit IRC19:48
ayoungsamueldmq, yes, I think19:48
*** abhirc has quit IRC19:48
ayoungsamueldmq, you should know by now better than to trust me19:49
*** dims__ has joined #openstack-keystone19:50
samueldmqayoung, in fact I checked ... I'm just saying that to let you know/confirm if you already knew :-)19:50
*** dims__ has quit IRC19:50
*** dims_ has joined #openstack-keystone19:54
*** dims___ has joined #openstack-keystone19:54
*** dims_ has quit IRC19:58
openstackgerritMerged openstack/oslo.policy: Drop usage of namespaced packages  https://review.openstack.org/15183620:00
*** abhirc has joined #openstack-keystone20:00
*** dims__ has joined #openstack-keystone20:01
*** spandhe has quit IRC20:01
openstackgerritMerged openstack/oslo.policy: Update .gitignore  https://review.openstack.org/14867120:02
*** dims___ has quit IRC20:03
*** spandhe has joined #openstack-keystone20:04
*** thedodd has joined #openstack-keystone20:08
*** spandhe has quit IRC20:08
*** dims_ has joined #openstack-keystone20:09
*** dims__ has quit IRC20:12
*** henrynash has joined #openstack-keystone20:14
*** ChanServ sets mode: +v henrynash20:14
*** dims__ has joined #openstack-keystone20:15
*** dims_ has quit IRC20:17
openstackgerritayoung proposed openstack/keystone: Unscoped to Scoped only  https://review.openstack.org/14259120:19
*** spandhe has joined #openstack-keystone20:21
stevemarayoung, sounds like this bug is up your alley rodrigods, ay20:26
stevemarcopy paste fail20:27
stevemarbug is here https://bugs.launchpad.net/keystone/+bug/141870220:27
TempLPBugBotLaunchpad bug 1418702 in Keystone "Project admin fails to list role assignments for his project with Project Scoped Token" (affected: 1, heat: 6) [Undecided,New] - Assigned to Priti Desai (priti-desai)20:27
openstackgerritMerged openstack/oslo.policy: General docstring cleanup  https://review.openstack.org/15310020:28
*** dims_ has joined #openstack-keystone20:30
amerineHey folks, is there a way to load a keystone extension that only contains callbacks in the Manager class?20:30
amerineI'm trying to avoid paste modifications and a fake router20:31
amerineBut it's unclear how I might do that20:31
*** dims__ has quit IRC20:31
*** zz_avozza is now known as avozza20:33
morganfainbergamerine, explain what you're trying to solve - i might be able to help with a bit more infor20:34
morganfainberginfo*20:34
*** dims__ has joined #openstack-keystone20:35
*** dims_ has quit IRC20:37
openstackgerritDavid Stanek proposed openstack/keystone-specs: Removes confusing functional test tox example  https://review.openstack.org/15336620:37
amerine@morganfainberg: I have an extension that only binds to project.created events.20:37
amerineI'm going to do something with those events.20:38
*** avozza is now known as zz_avozza20:38
amerineThe only way I've "classically"(lol) does Keystone extensions usually involves a router and endpoint additions/changes.20:38
openstackgerritSteve Martinelli proposed openstack/oslo.policy: Perform an oslo-sync  https://review.openstack.org/15336720:38
amerineI was hoping there was an easy way to just load the extension and have the callabck registered.20:39
openstackgerritSteve Martinelli proposed openstack/oslo.policy: Perform an oslo-sync  https://review.openstack.org/15336720:40
amerine@morganfainberg: Does that make sense?20:41
morganfainbergamerine, it does make sense tying to think about how to do that easily20:42
morganfainbergalso balancing between being in a meeting :P20:42
morganfainbergso, i'll be really slow to come up with an answer [in ~1h or so should be free]20:42
openstackgerritSteve Martinelli proposed openstack/oslo.policy: Use oslo_i18n  https://review.openstack.org/15280620:43
openstackgerritSteve Martinelli proposed openstack/oslo.policy: Use oslo_i18n  https://review.openstack.org/15280620:44
openstackgerritSteve Martinelli proposed openstack/oslo.policy: Add pep8 import exception for oslo_policy._i18n  https://review.openstack.org/15327120:44
amerine@morganfainberg: Heh, understood. Thanks!20:44
*** pnavarro has joined #openstack-keystone20:46
*** dims_ has joined #openstack-keystone20:49
*** dims__ has quit IRC20:50
*** dims__ has joined #openstack-keystone20:52
*** dims_ has quit IRC20:54
*** abhirc has quit IRC20:54
*** diegows has quit IRC20:55
*** dims__ has quit IRC20:55
*** dims__ has joined #openstack-keystone20:56
*** dims__ has quit IRC20:56
*** henrynash has quit IRC20:57
*** spandhe has quit IRC21:03
*** dims_ has joined #openstack-keystone21:05
*** _cjones_ has joined #openstack-keystone21:05
*** spandhe has joined #openstack-keystone21:05
*** zz_avozza is now known as avozza21:06
*** _cjones_ has quit IRC21:11
*** _cjones_ has joined #openstack-keystone21:12
*** _cjones_ has quit IRC21:13
*** _cjones_ has joined #openstack-keystone21:13
openstackgerritMerged openstack/keystone: Refactor federation SQL backend  https://review.openstack.org/15315921:14
*** _cjones_ has quit IRC21:18
*** topol has quit IRC21:20
*** _cjones_ has joined #openstack-keystone21:23
*** kfox1111 has joined #openstack-keystone21:28
kfox1111Whats the status of the v3 api? If I switch all openstack services to use the v3 api, do things work?21:28
morganfainbergre: token backends with redis https://review.openstack.org/#/c/153307/21:32
sldthx21:32
dan_Thanks!21:32
*** amerine has quit IRC21:32
kfox1111anyone using them in production?21:32
*** amerine has joined #openstack-keystone21:33
openstackgerritMerged openstack/oslo.policy: Drop use of oslo namespace for oslo libraries  https://review.openstack.org/15280821:35
marekdkfox1111: to some extent CERN users v3: http://openstack-in-production.blogspot.ch/2014/10/kerberos-and-single-sign-on-with.html21:36
*** henrynash has joined #openstack-keystone21:36
*** ChanServ sets mode: +v henrynash21:36
*** krtaylor has quit IRC21:40
kfox1111marekd: Cool. thanks. :)21:41
*** henrynash has quit IRC21:44
*** lhcheng has quit IRC21:44
*** lhcheng has joined #openstack-keystone21:45
*** atiwari has quit IRC21:48
*** atiwari has joined #openstack-keystone21:50
*** dhellmann_ has joined #openstack-keystone21:51
kfox1111is there a document that tells how to switch nova to keystone v3?21:52
morganfainbergkfox1111, for the most part nova doesn't need to know ahything specific about v2 or v321:52
morganfainbergi think the only case where it currently is a bit problematic is nova -> neutron21:52
morganfainbergwhich has [iirc] an outstanding patch to fix the issue21:53
*** krtaylor has joined #openstack-keystone21:53
kfox1111right now, if I pull up the dashboard as a domain user thats not in the default domain, I get stuff like: Error: Unauthorized: Unable to retrieve usage information.21:53
kfox1111it only affects nova though. glance and the other services seem to be ok.21:53
kfox1111hmm... k.21:53
morganfainbergit should work21:53
kfox1111I added a user in domain test to a project in the default domain, then logged in as the user. I can see the project, I can see images and the network and stuff, but any nova related pages fail with permission issues.21:54
*** atiwari has quit IRC21:54
*** atiwari1 has joined #openstack-keystone21:54
*** nellysmitt has quit IRC21:54
*** dhellmann_ has quit IRC21:55
*** dhellmann_ has joined #openstack-keystone21:57
*** henrynash has joined #openstack-keystone21:57
*** ChanServ sets mode: +v henrynash21:57
*** thedodd has quit IRC21:57
*** dhellmann_ has quit IRC21:58
*** andreaf has quit IRC21:59
*** andreaf has joined #openstack-keystone22:00
*** thedodd has joined #openstack-keystone22:00
*** abhirc has joined #openstack-keystone22:00
*** mattfarina has quit IRC22:02
*** dhellmann_ has joined #openstack-keystone22:03
*** topol has joined #openstack-keystone22:04
*** ChanServ sets mode: +v topol22:04
*** avozza is now known as zz_avozza22:05
morganfainbergkfox1111, thats weird.22:06
morganfainbergkfox1111, let me stand up my local devstack (ok a new one) and i'll poke at it.22:06
morganfainbergit *should* work22:06
*** spandhe has quit IRC22:06
*** spandhe has joined #openstack-keystone22:07
morganfainbergyou know...22:07
kfox1111k. thx.22:07
morganfainberghaving a chair that isn't falling apart is a good thing22:07
kfox1111I'm using rdo juno btw.22:07
* morganfainberg just tightened down the bolts22:07
kfox1111hehe. yeah.22:07
*** dhellmann_ has quit IRC22:08
morganfainbergsuddenly the chair doesn't feel like it's going to come apart under me22:08
morganfainberg:P22:08
morganfainbergkfox1111, hm. i should probably try RDO instead then22:08
kfox1111hmm... do I need to update the identity endpoints to v3 before nova will work?22:08
amerineStanding desk FTW.22:08
morganfainbergto mirror the env.22:08
*** henrynash has quit IRC22:08
morganfainbergamerine, i have a counter-height desk and a bar-stool when i don't want to stand anymore22:08
morganfainbergamerine, the bar-stool was about to fall apart22:09
* morganfainberg works from home.22:09
amerineah!22:09
amerineI work from home toO!22:09
amerineI have a NextDesk Terra. I <3 it22:09
morganfainbergi want to try one of the treadmill desks22:09
*** joesavak has quit IRC22:09
*** henrynash has joined #openstack-keystone22:09
*** ChanServ sets mode: +v henrynash22:09
kfox1111I'm still waiting for the hot tub desk. ;)22:09
amerineI don't know that I can type an walk at the same time.22:09
amerines/an/and22:09
openstackgerritMerged openstack/oslo.policy: Perform an oslo-sync  https://review.openstack.org/15336722:11
openstackgerritgordon chung proposed openstack/keystonemiddleware: move add event creation logic to keystonemiddleware  https://review.openstack.org/14940522:13
openstackgerritgordon chung proposed openstack/keystonemiddleware: make audit event scoped to request session and not middleware  https://review.openstack.org/14930022:13
morganfainbergwow22:14
morganfainbergalso noticed my chait was missing 3 screws22:14
* morganfainberg might have just canabalized the "broken" chair to fix this one22:15
morganfainbergkfox1111, CentOS/RHEL 7 or Fedora?22:15
kfox1111centos 7.22:15
openstackgerritMerged openstack/oslo.policy: Use oslo_i18n  https://review.openstack.org/15280622:18
*** dhellmann_ has joined #openstack-keystone22:20
kfox1111morganfainberg: is this the patch you were refering to? : https://review.openstack.org/#/c/113735/22:21
openstackgerritSteve Martinelli proposed openstack/pycadf: Do not depend on endpoint id existing in the service catalog  https://review.openstack.org/10906022:24
*** abhirc has quit IRC22:25
openstackgerritMerged openstack/oslo.policy: Add pep8 import exception for oslo_policy._i18n  https://review.openstack.org/15327122:26
*** andreaf has quit IRC22:26
*** abhirc has joined #openstack-keystone22:27
*** henrynash has quit IRC22:30
*** andreaf has joined #openstack-keystone22:31
ayoungmorganfainberg, +2A this one.  It's just a rebase of one you were willng to +2A in the past  https://review.openstack.org/#/c/142591/22:32
ayoungRDO  Juno should work kfox111122:34
morganfainbergayoung, i think this is a doc bug22:34
ayoungmorganfainberg, I build myself a standing desk.  It rocks22:34
morganfainbergayoung, missing a doc on how to do v322:34
ayoungI can even get a staionary bike undfer it22:34
ayoungah...v322:34
*** nkinder has joined #openstack-keystone22:35
morganfainbergnkinder, in cz huh?22:35
morganfainbergnkinder hows the travel treating you?22:35
dstanekayoung: pics?22:35
*** henrynash has joined #openstack-keystone22:35
*** ChanServ sets mode: +v henrynash22:35
ayoungdstanek, I thought I had posted one...elmme see22:35
ayoungdstanek, I'd fgacebooke posted it..I'll get it up on twitter22:36
*** henrynash has quit IRC22:40
ayoungdstanek, https://twitter.com/admiyoung/status/56346654189604864022:40
dstanekayoung: nice; i've been thinking about doing that for a while; or at least making mods to my existing desk22:41
bknudsonlooks fast!22:41
ayoungHeh22:41
bknudsonyou're really leaning forward when on the saddle22:42
ayoungthe trick was realizing the ingle pole was much simpler, then making sure I got a piece of black steel think enough to minimize the flex22:42
ayoungbknudson, actually, when I'm in bioke mode, I'm almost upright.  THe tray comes right over the lap22:42
bknudsonthat makes more sense.22:42
ayoungbknudson, the best part is how adjustable it is.  I can pretty much tweak it to get it comfortable standing, sitting, riding.  I could probably make it work for laying on the floor22:43
ayoungthe montor and keyboard trays pivot 36022:43
bknudsonthat's a dream setup... just lying on the floor. I could do that.22:44
ayoungI think I'm going to set the bike up across from the bench and just pivot them 180 between the two22:44
ayoungbknudson, He...not so sure about that myself22:44
*** wanghong has quit IRC22:44
ayoungI'm the basement, and the floor is cold.  Nice during the summer, not so much right now22:45
*** radez is now known as radez_g0n322:46
ayoungthe trickiest part is that the verticle is held by friction, and adjusting the tray in-and-out releases that friction, so you have to hold the tray up while adjusting it horizontally22:46
*** wanghong has joined #openstack-keystone22:46
nkindermorganfainberg: yep22:47
nkindermorganfainberg: so far so good22:47
*** timcline has quit IRC22:49
*** thedodd has quit IRC22:53
*** thedodd has joined #openstack-keystone22:53
morganfainbergahahah22:55
morganfainbergcentos 7 doesn't install "ifconfig" thats been a long time coming [considering ifconfig does bad things/wrong things these days]22:55
*** ncoghlan has joined #openstack-keystone22:57
*** dims_ has quit IRC22:58
*** dims__ has joined #openstack-keystone22:59
*** dims__ has quit IRC22:59
*** andreaf has quit IRC23:00
openstackgerritSteve Martinelli proposed openstack/oslo.policy: Add entry points for option discovery  https://review.openstack.org/15309023:01
*** dims__ has joined #openstack-keystone23:03
*** abhirc has quit IRC23:07
*** andreaf has joined #openstack-keystone23:09
*** dims__ has quit IRC23:13
*** dims__ has joined #openstack-keystone23:14
amerinemorganfainberg: Any more thoughts about loading an extension that only wants to register a project.created callback?23:14
morganfainbergamerine, so, you could add it to the paste pipeline with no routes registered i would guess23:14
morganfainbergamerine, so take the example one, create the router (which instantiates the manager/controller/what is listening for the event) but doesn't register any routes itself23:15
*** abhirc has joined #openstack-keystone23:15
morganfainbergamerine, i *think* that will work23:15
morganfainbergthere is probably a better way for us to support this23:16
morganfainberglong term23:16
morganfainbergbut that is how i'd do it23:16
*** Haneef has quit IRC23:17
amerineThat's basically what I have :-(, But I can't seem to get the callbacks properly registered.23:18
amerineI'll keep digging, Thanks for the help morganfainberg.23:18
*** raildo_ has joined #openstack-keystone23:21
*** henrynash has joined #openstack-keystone23:22
*** ChanServ sets mode: +v henrynash23:22
*** topol has quit IRC23:22
kfox1111morganfainberg: Yeah, I was really surprised when ifconfig wasn't there.23:23
kfox1111another big learning curve. :)23:23
*** chlong has joined #openstack-keystone23:23
*** abhirc has quit IRC23:24
morganfainbergkfox1111, ok almost all setup23:25
morganfainbergjust doing the last bit of install before trying to configure this v3 stuff23:25
kfox1111cool. thanks for trying it. I really appreciate the help.23:26
amerinemorganfainberg: OH MA GERD, figured it out.23:26
morganfainbergamerine, did my advice help you at all? ;)23:26
amerineThe mangager has to have the dependency decorator!23:26
morganfainbergahhh23:26
amerinemanager*23:26
morganfainbergdoh! sorry!23:26
morganfainbergkfox1111, like i said i *think* this is a doc bug23:26
amerineIt's working. Ghetto but working23:26
morganfainbergand if it's something else.23:27
morganfainbergkfox1111, we have ayoung, jamielennox, and nkinder in here to go "OMG LOOK!"23:27
morganfainbergbut i'm almost positive this *should work*23:27
morganfainbergpackstack is interesting23:27
*** henrynash has quit IRC23:27
amerinemorganfainberg: And yes, your advice helped a ton. Thank you again.23:27
morganfainbergamerine, happy to help23:28
*** nkinder has quit IRC23:28
*** ljfisher has joined #openstack-keystone23:32
*** EmilienM is now known as EmilienM|afk23:33
*** mgarza has joined #openstack-keystone23:35
kfox1111just tried checking to see if the user/project needs to be in the same domain. didn't help. still lacks authorization....23:36
kfox1111there isn't an endpoint update command? ugg.23:37
morganfainbergbug 111123:37
TempLPBugBotbug 1111 in gst-plugins0.8 (Ubuntu) "doesn't extract last track" (affected: 0, heat: 6) [Medium,Fix released] https://launchpad.net/bugs/1111 - Assigned to Ubuntu GNOME (ubuntu-gnome)23:37
rodrigodslol23:37
*** esmute has quit IRC23:39
*** spandhe has quit IRC23:40
kfox1111hmm.. do you need to restart all the services to get v3 working? I'd rather not restart neutron at this point, since it will take things down for a bit. :/23:40
amerineMan, whoever introduced and pushed through that internal callbacks system blueprint many moons ago has made my life so much damn easier.23:40
amerineNo more rabbit, no more API polling, damn I could cry23:40
openstackgerritgordon chung proposed openstack/keystonemiddleware: move add event creation logic to keystonemiddleware  https://review.openstack.org/14940523:41
*** esmute has joined #openstack-keystone23:41
morganfainbergamerine, a few of us did23:41
*** david-lyle is now known as david-lyle_afk23:41
morganfainbergkfox1111, well uh. depends on if you've configured keystonemiddleware to do v3-stuff23:42
* morganfainberg glares at "provision_glance" being slow23:42
*** spandhe has joined #openstack-keystone23:42
amerine^ truth23:42
morganfainbergamerine, though tbh we are likely going to spin up a quick project to let you hook into keystone notifications for $external_projects$, basically something that listens to the bus (we = openstack, maybe not this team, but i can hope) and you can register a callback with23:45
*** gordc has quit IRC23:45
morganfainbergamerine, this will be useful for things like "when projext X is deleted, nova can know to cleanup instances for project X"23:45
amerineDon't you already emit that over the rpc stuff?23:45
morganfainbergwe do23:45
morganfainbergbut it's hard for every project to consume23:46
morganfainbergthey all need listeners etc23:46
morganfainbergwe're thinking of "provide a listener and let the projects register for events they care about"23:46
morganfainbergand then it's on that project to act on these events23:46
amerineJust my 0.02, but supporting something like a webhook system for that would be nice.23:46
amerineOver HTTP23:46
morganfainbergkeystone can't be responsible to call out23:46
morganfainbergit wont scale23:47
amerineUnderstandable.23:47
morganfainbergwhat if i have 200-300 endpoints23:47
morganfainbergkeystone can emit a notification to the bus and the endpoints / services that care can respond23:47
morganfainbergs/respond/act23:47
amerineWe've build something like that at $WORK that multiplexes Keystone state chagnes.23:47
amerinekeystone rabbit bus -> rabbit -> multiplexer -> many endpoints.23:47
*** rm_work is now known as rm_work|away23:47
morganfainbergbut if keystone needed to send notifies via webhook to all endpoints - it doesn't scale.23:47
amerineAgreed.23:47
morganfainbergi'm thinking fanout queues23:48
morganfainbergbut same concept23:48
amerineThe issue I'm solving now is ensuring certain auditing users keep a configured role on a project.23:48
stevemarlhcheng, ping23:49
morganfainbergthis sounds like something that can be solved with the cloud-policy.json23:49
morganfainbergamerine, ^23:49
lhchengstevemar: pong23:49
morganfainbergso the user doesn't need a role on the project.. or inheritence of the role from the domain23:49
stevemarlhcheng, i have a request to ask of you :)23:50
stevemarlhcheng, can you give a preliminary review of https://review.openstack.org/#/c/136178/ and ....23:50
* lhcheng ducks23:50
lhchenglol23:50
morganfainberglhcheng, and i have a bus you can park on stevemar if he gets out of hand >.> [i also have a puddle of quicksand]23:50
openstackgerritMerged openstack/keystone: Unscoped to Scoped only  https://review.openstack.org/14259123:50
stevemarhttps://review.openstack.org/#/c/151842/23:50
stevemarhehe23:50
morganfainberg>.>23:50
lhchengstevemar: sure!23:50
stevemarmorganfainberg, i've earned some karma! i've been cleaning up oslo.policy23:50
stevemarlhcheng, since you are familiar with the keystone change, and horizon you are the obvious choice :P23:51
amerinemorganfainberg: I wish it were that easy.23:51
lhchengmorganfainberg: hah23:51
stevemarlhcheng, ty! i owe you $drink in vancouver23:51
morganfainbergamerine, well the role inherit (os-inherit) *probbably* would work from the domain level23:51
morganfainbergsince it automatically applies the roles to all projects under that domain for the user23:52
kfox1111morganfainberg: is this document correct? anything missing? http://www.cloudkb.net/how-to-change-keystone-api-v2-v3/23:52
lhchengstevemar: no prob. I still haven't got the chance to setup my IdP, but I'll take a look :)23:53
tqtranlhcheng: but don't look too hard, you might find kinks we're trying to hide23:53
stevemarlhcheng, you know what... if i have time i will try and make a doc to use google and openidc23:53
tqtranstevemar: that would really really really help23:54
lhchengtqtran: lol23:54
morganfainbergkfox1111, ok so23:55
morganfainbergkfox1111, i have a cent7 install on RDO23:55
morganfainbergv3 looks to be working right now23:55
kfox1111k. what all did you have to do to it?23:55
*** nellysmitt has joined #openstack-keystone23:55
morganfainbergchange horizon to use v3 identity ;)23:55
morganfainbergin local_settings23:55
kfox1111yeah. did that.23:55
morganfainbergso i might be missing a step you did23:55
kfox1111see the extra bits.23:55
morganfainbergand i restarted apache of course23:55
kfox1111I see domains, projects, etc.23:56
*** openstack has joined #openstack-keystone23:56
lhchengstevemar: so does any of "L" release name makes to you?  my canadian colleague said all those doesn't really have a canadian thing in it. :P23:56
morganfainbergaha23:56
kfox1111no, did not enable the policy yet.don't really care about domain admins vs cloud ones.23:56
morganfainbergok23:57
kfox1111just want to seperate ldap and sql for service accounts.23:57
morganfainbergsure23:57
lhchengtqtran: so.. should I get a drink first before looking at the patch?23:57
* morganfainberg doesn't have LDAP setup atm23:57
kfox1111is the policy update stil required in that case?23:57
morganfainbergnah23:57
tqtranlhcheng: i recommend several23:57
stevemarlhcheng, i think london is the place i'm most familiar with, it's a few hours drive away23:57
morganfainbergjust amking sure it wasn't some kind of policy,json issue23:57
stevemarlhcheng, they gave reasons here https://wiki.openstack.org/wiki/Release_Naming23:58
kfox1111I wouldn't think it would matter... let me see if I can make a non ldap domain quick, add a user, and see if anything's different.23:58
stevemarlangley would have made more sense, langley BC23:58
morganfainbergso, did you grant the user in LDAP a role on the project you're working on?23:58
* morganfainberg is very curious what is causing this issue. what does nova's log say when you're asking for that data?23:59
kfox1111morganfainberg: yes.23:59
lhchengstevemar: ah.. the name is picked as long it is a city, doesn't need to have something uniquely identify/characterize the place.23:59
« Wednesday, 2015-02-04 Index Friday, 2015-02-06 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!