Tuesday, 2015-02-10

*** bknudson has joined #openstack-keystone		00:01
*** ChanServ sets mode: +v bknudson		00:01
*** dimssum__ has joined #openstack-keystone		00:04
*** dimssum__ is now known as dimsum__		00:04
*** dimsum__ has quit IRC		00:04
*** atiwari has quit IRC		00:05
*** lnxnut_ has quit IRC		00:06
*** gyee has quit IRC		00:06
*** markvoelker has quit IRC		00:07
*** chlong has joined #openstack-keystone		00:07
*** lnxnut_ has joined #openstack-keystone		00:08
*** josecastroleon has quit IRC		00:09
*** lnxnut_ has quit IRC		00:12
*** r-daneel has quit IRC		00:12
*** dims__ has joined #openstack-keystone		00:14
*** gyee has joined #openstack-keystone		00:14
*** ChanServ sets mode: +v gyee		00:14
*** henrynash has joined #openstack-keystone		00:18
*** ChanServ sets mode: +v henrynash		00:18
henrynash	morganfainberg: hi…	00:18
morganfainberg	henrynash, one moment, writing an email up	00:19
morganfainberg	be with ya in a sec :)	00:19
henrynash	morganfainberg: np	00:19
dstanek	samueldmq: you still around?	00:19
*** ljfisher has quit IRC		00:21
openstackgerrit	Merged openstack/oslo.policy: Updated from global requirements https://review.openstack.org/154275	00:22
openstackgerrit	henry-nash proposed openstack/keystone: Add support for group membership to data driven assignment tests https://review.openstack.org/151962	00:25
openstackgerrit	Brant Knudson proposed openstack/keystone: Change hacking check to verify all oslo imports https://review.openstack.org/151881	00:29
openstackgerrit	Brant Knudson proposed openstack/keystone: Change oslo.i18n to oslo_i18n https://review.openstack.org/151880	00:29
openstackgerrit	Brant Knudson proposed openstack/keystone: Change oslo.config to oslo_config https://review.openstack.org/145250	00:29
openstackgerrit	Brant Knudson proposed openstack/keystone: Change oslo.db to oslo_db https://review.openstack.org/148029	00:29
bknudson	rebased those changes... there weren't any merge conflicts so I'm not sure what that stupid bird was complaining about.	00:29
gyee	twit, twit	00:31
dstanek	bknudson: you may have angered the beast	00:31
*** atiwari has joined #openstack-keystone		00:34
morganfainberg	bknudson, jgit is awful	00:40
morganfainberg	bknudson, that was what the bird was complaining about	00:40
morganfainberg	bknudson, jgit suckes when it does 3-way merges	00:41
bknudson	weird.	00:41
morganfainberg	yeah	00:41
bknudson	I've seen this on our internal gerrit, too.	00:41
morganfainberg	yep	00:42
morganfainberg	it's because gerrit uses jgit instead of the c-based git you use on the CLI	00:42
bknudson	"JGit is a relatively full-featured implementation of Git written natively in Java"	00:42
bknudson	"relatively"	00:42
morganfainberg	haha yep	00:42
morganfainberg	it's like handgrenades and horseshoes	00:42
bknudson	seems easier to just call the cli.	00:42
morganfainberg	except then it would be java equiv to popen	00:43
morganfainberg	can't have that in java	00:43
morganfainberg	nooooooo	00:43
bknudson	we need a pure-python git.	00:43
openstackgerrit	Steve Martinelli proposed openstack/keystone: Fix the syntax issue on creating table `endpoint_group` https://review.openstack.org/151931	00:43
morganfainberg	ahaha	00:43
stevemar	gyee, ^	00:43
morganfainberg	how slow would that be.	00:43
gyee	stevemar, thanks	00:43
bknudson	could just use pickle	00:43
openstackgerrit	henry-nash proposed openstack/keystone: Broaden domain-group testing of list_role_assignments https://review.openstack.org/154302	00:50
openstackgerrit	henry-nash proposed openstack/keystone: Test list_role_assignment in standard inheritance tests https://review.openstack.org/153897	00:51
morganfainberg	bknudson, i'm reapporving those if someone didn't beat me to it.	00:51
gyee	morganfainberg, lbragstad, so we have no non-persistent solution in kilo then?	00:51
morganfainberg	looks like steve beatme to it	00:51
bknudson	stevemar is fast.	00:52
morganfainberg	gyee, one way or another we will get a non-persistent option into kilo	00:52
stevemar	bknudson, i prefer impatient	00:52
morganfainberg	gyee, either AE or non-persistent PKI,	00:52
morganfainberg	gyee, etc	00:52
stevemar	i get annoyed when easy things take long	00:53
gyee	k, AE spec needs a deadline extension I suppose	00:53
bknudson	stevemar: no wonder you're angry all the time.	00:54
morganfainberg	gyee, AE needs to work to address the reasons it still has a -2 then an extension	00:54
gyee	heh, I thought he's a nice guy!	00:54
morganfainberg	stevemar, hold on. i think i can review something next month for you... i know it's a 1 line fix...	00:54
morganfainberg	>.>	00:54
stevemar	bknudson, as the hulk says, that's my secret	00:55
bknudson	I thought the hulk says "you don't want to make me angry"	00:56
bknudson	or "hulk smash!"	00:56
morganfainberg	SMASH	00:56
stevemar	bknudson, https://www.youtube.com/watch?v=msRaooooyds	00:57
morganfainberg	stevemar, what is needed to make OSC happily talk federation?	00:57
morganfainberg	python-keystoneclient-federation being released?	00:57
bknudson	stevemar: that was actually the best part of the movie (other than scarlett johansson)	00:58
stevemar	morganfainberg, it already sort of does, marekd has the details on that one. I think the most part is authN plugins for the different federation protocols	00:58
stevemar	bknudson, incorrect, the whole movie was the best part	00:58
*** amerine has quit IRC		00:59
stevemar	morganfainberg, setup the authN env. vars for OSC, that KSC expects... and I think that's about it	00:59
morganfainberg	oh cool	00:59
morganfainberg	and to make it work nice and seamlessly w/ the new SP stuff in the catalog?	00:59
stevemar	morganfainberg, marekd showed it here: https://www.youtube.com/watch?v=9ojwbnvP92k&index=2&list=FLuZvezYbRB_W6SP-1pMBCqw	00:59
gyee	morganfainberg's doing dark magic https://review.openstack.org/#/c/148354/	00:59
morganfainberg	bursting to a remote SP	00:59
morganfainberg	gyee, voodoo	01:00
* gyee is learning		01:00
stevemar	morganfainberg, that is something i don't think we want to handle, OSC is more of a per-service basis	01:00
morganfainberg	gyee, meta programming with more metaprogramming to test metaprogramming	01:00
bknudson	I heard you like metaprogramming	01:00
morganfainberg	stevemar, i argue you do want to handle that case	01:00
stevemar	if you want to use more than 1, you should use os-client-config or something	01:00
stevemar	the thing dtroyer and mordred has been working on	01:01
morganfainberg	stevemar, what is the difference between using resources here XXX and over there YYY	01:01
morganfainberg	they are both nova compute	01:01
stevemar	morganfainberg, it completely changes the auth_url	01:01
morganfainberg	so? single toolchain is kinda nice dontchathink?	01:01
morganfainberg	;)	01:01
morganfainberg	so how does osc handle using a remote service then?	01:02
stevemar	i agree that it would be awesome	01:02
morganfainberg	or is that just "never going to happen"	01:02
morganfainberg	because that is a bad answer in my book ;)	01:02
morganfainberg	basically i want to consume resources on a remote SP. the stuff mordred and dtroyer are working on is awesome	01:03
morganfainberg	but it leaves a huge gap in the CLI tools	01:03
stevemar	dtroyer, ^ any ideas?	01:03
morganfainberg	i can't access via SAML the remote SP.	01:03
morganfainberg	since the only way I do that is I auth against my local keystone then request saml for the remote one	01:04
stevemar	no, that's the not issue, we could probably get a token from the remote SP, that parts do-able	01:04
*** marg7175_ has quit IRC		01:04
morganfainberg	yoiu can't just "use a different auth url"	01:04
stevemar	its the management / switching of things	01:04
*** marg7175 has joined #openstack-keystone		01:05
stevemar	henrynash, go to sleep, it's crazy late in your TZ	01:05
morganfainberg	stevemar, or it's crazy early	01:05
morganfainberg	>.>	01:05
henrynash	stevemar: yeah, i know I know…but there’s interesting stuff to do….	01:06
openstackgerrit	Steve Martinelli proposed openstack/keystonemiddleware: iso expires should be returned in one place https://review.openstack.org/140984	01:09
stevemar	easy one for middleware ^^^	01:12
stevemar	considering we are releasing today it's a good time to review it :D	01:12
*** henrynash has quit IRC		01:13
gyee	I'll let jenkins do the hard work first	01:14
openstackgerrit	Brant Knudson proposed openstack/keystone: Consistently use oslo_config.cfg.CONF https://review.openstack.org/147367	01:14
*** gokrokve has quit IRC		01:14
stevemar	i think bknudson likes to open as much files as possible and make 2 lines changes :P	01:15
stevemar	that or he really knows awk/sed/grep really well	01:16
bknudson	somebody has to do it.	01:16
stevemar	or or... you get a kick out of making us review all those files	01:16
stevemar	so many things to choose from	01:16
wanghong	stevemar, morning, thanks!	01:17
stevemar	wanghong, np!	01:18
stevemar	bknudson, yo, you are totally undoing your own work, lots of overlap with https://review.openstack.org/#/c/145250/	01:18
bknudson	stevemar: there will be a merge conflict I'll have to resolve.	01:19
stevemar	why didnt you just build on top of that one	01:19
lhcheng	hello! question on the keystone test_sql_upgrade. Is it creating a temp database?	01:19
* stevemar is confused		01:19
bknudson	I don't think it's undoing anything.	01:19
morganfainberg	lhcheng, it creates [iirc] in-memory db, but it is wierd	01:20
bknudson	I have no idea what order people are going to review things in so I try to make it so that it can be reviewed.	01:20
gyee	it clears db in tmp I think	01:20
gyee	creates	01:20
bknudson	for some reason people seem to review new changes rather than the old ones.	01:20
morganfainberg	gyee, i think we went to pure anonymous dbs, no filebacking	01:20
gyee	keystone/tests/tmp?	01:21
morganfainberg	i think that mostly is for files like paste-inis	01:21
bknudson	if I kept all changes in a list then they'd probably never merge... I spend a lot of time resolving merge conflicts.	01:21
lhcheng	morganfainberg: I have a branch where I added migration script 64, and ran the test on that. I later switch to another branch and when I ran the test it , it is complaining about 64 version not found.	01:21
bknudson	also, reviewers seem to not notice that one review depends on another one.	01:22
morganfainberg	lhcheng, remove the .pyc	01:22
lhcheng	arg	01:22
morganfainberg	lhcheng, hehe i do that all the time :P	01:22
lhcheng	morganfainberg: thanks!	01:22
gyee	bknudson, you have a hit list for me? :)	01:22
*** gokrokve has joined #openstack-keystone		01:22
gyee	lhcheng, tox -e clean-my-shit	01:23
bknudson	gyee: I always look here : https://review.openstack.org/#/q/status:open+is:watched+label:Code-Review%253D2+label:Code-Review%253D0%252Cself+branch:master,n,z	01:23
gyee	I do wish we have that command though	01:23
stevemar	bknudson, i know, i always go 'down the rabbit hole' of dependencies in a patch	01:23
lhcheng	morganfainberg: I should have asked sooner..	01:23
lhcheng	gyee: lol	01:24
stevemar	but i noticed a lot of folks don't	01:24
gyee	damn, bknudson have a long dep chain	01:25
stevemar	gyee, review it sooner and it won't be so long :)	01:25
gyee	wth, didn't we just remove the xml stuff? https://review.openstack.org/#/c/138918/4	01:26
gyee	why are we fixing matcher?	01:26
bknudson	gyee: that was proposed back when we still had xml stuff.	01:27
bknudson	I'll remove it... need to rebase the other ones.	01:27
gyee	k man	01:27
openstackgerrit	Brant Knudson proposed openstack/keystone: Remove test PYTHONHASHSEED setting https://review.openstack.org/136593	01:30
openstackgerrit	Brant Knudson proposed openstack/keystone: Correct test_auth_unscoped_token_project for result ordering https://review.openstack.org/138919	01:30
openstackgerrit	Brant Knudson proposed openstack/keystone: Correct test_get_v3_catalog test for result ordering https://review.openstack.org/138920	01:30
openstackgerrit	Brant Knudson proposed openstack/keystone: Correct catalog response checker for result ordering https://review.openstack.org/138921	01:30
openstackgerrit	Brant Knudson proposed openstack/keystone: Correct a v3 auth test for result ordering https://review.openstack.org/138922	01:30
openstackgerrit	Brant Knudson proposed openstack/keystone: Correct version tests for result ordering https://review.openstack.org/138923	01:30
stevemar	bknudson, \o/	01:30
bknudson	rebased	01:30
gyee	wow that's fast	01:30
gyee	bknudson's a bot!	01:31
stevemar	yess my +2s stayed, no need to review	01:31
openstackgerrit	Merged openstack/keystonemiddleware: Use oslo.context instead of incubator code https://review.openstack.org/154166	01:31
bknudson	stevemar: that's why I split it up.	01:31
bknudson	should be easier for reviewers	01:32
gyee	duuuude, you still using matcher	01:32
gyee	https://review.openstack.org/#/c/138919/5/keystone/tests/test_auth.py	01:32
openstackgerrit	Lin Hua Cheng proposed openstack/keystone: Implement validation on the Identity V3 API https://review.openstack.org/132122	01:32
bknudson	I will always use matchers!	01:33
bknudson	it's the wave of the future.	01:33
gyee	wait, was I confused with xml matcher	01:33
morganfainberg	bknudson, is resp.json.keys() guarnateed order?	01:33
morganfainberg	https://review.openstack.org/#/c/138921/6/keystone/tests/test_v3.py	01:33
* morganfainberg admits to not being sure about key order from .keys() suddenly		01:33
bknudson	morganfainberg: it's not... but the sets should compare equal	01:33
morganfainberg	oh derp	01:33
lhcheng	bknudson, lbragstad: finally resolved the config import issue on test - https://review.openstack.org/#/c/132122/	01:34
morganfainberg	yep	01:34
morganfainberg	derpity derp derp	01:34
*** atiwari has quit IRC		01:34
openstackgerrit	Merged openstack/keystone: Deprecate LDAP Assignment Backend https://review.openstack.org/150970	01:34
stevemar	this is the most code to have been dropped in keystone in ages	01:35
stevemar	so much is getting done	01:35
stevemar	\o/	01:35
morganfainberg	so, FYI i'm going to be mostly off the map on thursday	01:35
morganfainberg	need to go visit with some folks about their use of openstack	01:35
morganfainberg	so lets get more stuff in before thursday!	01:36
openstackgerrit	Merged openstack/keystonemiddleware: Sync with oslo-incubator https://review.openstack.org/154168	01:37
morganfainberg	so this one: https://review.openstack.org/#/c/138922/7/keystone/tests/test_v3_auth.py is materially changing what is going on	01:39
morganfainberg	it could change the behavior of the test.	01:39
bknudson	morganfainberg: yes, it is... hopefully it's making it better.	01:39
morganfainberg	but it looks safe?	01:39
bknudson	rather than only checking a single attribute it's now checking all of them.	01:40
morganfainberg	just checking that was intended here	01:40
bknudson	the way it was before it essentiallly checked a random attribute.	01:41
*** lhcheng is now known as lhcheng_afk		01:41
bknudson	just depending on which one turned up first in the lsit.	01:41
bknudson	and sometimes the first one would be 'expires_at'	01:41
morganfainberg	yeah ok, +2 on it	01:41
bknudson	so in some ways it's pretty much the same.	01:41
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Refactor extract class for signing directory https://review.openstack.org/122281	01:42
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Refactor auth_token revocation list members to new class https://review.openstack.org/102403	01:42
morganfainberg	bknudson, once check passes on those w/ 2x+2 feel free to +A them.	01:42
morganfainberg	in the hashseed change list	01:42
bknudson	ok	01:43
bknudson	we'll see if that last one still passes.	01:43
* morganfainberg needs to sitdown and do the revocation event stuff so we can make taht the default instead of the TRL trainwreck		01:46
*** lhcheng_afk has quit IRC		01:47
*** kfox1111 has quit IRC		01:52
*** diegows has quit IRC		01:53
*** gokrokve has quit IRC		01:54
*** amerine has joined #openstack-keystone		01:55
*** amerine has quit IRC		02:00
openstackgerrit	Brant Knudson proposed openstack/python-keystoneclient: Docs for v3 credentials https://review.openstack.org/153875	02:02
*** rwsu is now known as rwsu-afk		02:02
*** erkules_ has joined #openstack-keystone		02:04
*** stevemar has quit IRC		02:06
*** erkules has quit IRC		02:06
*** stevemar has joined #openstack-keystone		02:06
*** ChanServ sets mode: +v stevemar		02:06
openstackgerrit	Merged openstack/python-keystoneclient: Switch from oslo.utils to oslo_utils https://review.openstack.org/145968	02:11
openstackgerrit	Merged openstack/python-keystoneclient: Change oslo.serialization to oslo_serialization https://review.openstack.org/148632	02:14
openstackgerrit	Merged openstack/python-keystoneclient: Change oslo.config to oslo_config https://review.openstack.org/145252	02:14
*** spandhe has quit IRC		02:15
*** dims__ has quit IRC		02:23
*** lnxnut has joined #openstack-keystone		02:26
*** gokrokve has joined #openstack-keystone		02:27
*** samueldmq_ has joined #openstack-keystone		02:31
openstackgerrit	Brant Knudson proposed openstack/python-keystoneclient: Change hacking check to verify all oslo imports https://review.openstack.org/151879	02:35
openstackgerrit	Brant Knudson proposed openstack/python-keystoneclient: Change oslo.i18n to oslo_i18n https://review.openstack.org/151878	02:35
openstackgerrit	Brant Knudson proposed openstack/python-keystoneclient: Docs for v3 credentials https://review.openstack.org/153875	02:37
*** gyee has quit IRC		02:38
*** lnxnut has quit IRC		02:39
*** lnxnut has joined #openstack-keystone		02:40
*** YorikSar has quit IRC		02:45
*** markvoelker has joined #openstack-keystone		02:47
*** gokrokve_ has joined #openstack-keystone		02:49
*** gokrokve_ has quit IRC		02:50
*** gokrokve_ has joined #openstack-keystone		02:51
openstackgerrit	Steve Martinelli proposed openstack/keystone: Fix IDs names for federation router https://review.openstack.org/154321	02:52
openstackgerrit	Merged openstack/python-keystoneclient: Remove 404 link to novaclient in README https://review.openstack.org/153873	02:52
openstackgerrit	Merged openstack/python-keystoneclient: Workflow documentation is now in infra-manual https://review.openstack.org/139375	02:52
stevemar	^^ i could use a quick review - it's super easy	02:52
*** gokrokve has quit IRC		02:52
stevemar	bknudson, i have build up enough karma!	02:53
stevemar	the only reason i review, so others owe me	02:53
*** tqtran has quit IRC		02:54
openstackgerrit	Merged openstack/keystonemiddleware: iso expires should be returned in one place https://review.openstack.org/140984	03:02
*** dims__ has joined #openstack-keystone		03:03
*** dims__ has quit IRC		03:07
*** dims__ has joined #openstack-keystone		03:07
*** tqtran has joined #openstack-keystone		03:11
*** rushiagr_away is now known as rushiagr		03:12
*** lnxnut has quit IRC		03:17
*** boris-42 has quit IRC		03:22
*** gokrokve_ has quit IRC		03:25
*** davechen__ has quit IRC		03:28
*** david-lyle is now known as david-lyle_afk		03:29
*** lnxnut has joined #openstack-keystone		03:29
*** DaveChen has joined #openstack-keystone		03:29
*** samueldmq_ has quit IRC		03:31
ayoung	jamielennox, I'm slogging through the access_info making all the dictionary based code behave using the modle...might be the most annoying code I've had to work with yet on Keystone. You work with this every day? I do not envy you.	03:31
ayoung	down to 43 errors in tests	03:31
*** ayoung is now known as ayoung_sleep		03:34
*** gokrokve has joined #openstack-keystone		03:42
*** dims_ has joined #openstack-keystone		03:47
*** dims__ has quit IRC		03:49
*** tqtran has quit IRC		03:55
openstackgerrit	Merged openstack/python-keystoneclient: Change oslo.i18n to oslo_i18n https://review.openstack.org/151878	03:56
openstackgerrit	Merged openstack/python-keystoneclient: Change hacking check to verify all oslo imports https://review.openstack.org/151879	03:56
openstackgerrit	Merged openstack/python-keystoneclient: Docs for v3 credentials https://review.openstack.org/153875	03:57
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Turn our auth plugin into a token interface https://review.openstack.org/137268	04:15
jamielennox	i think when i add tests in future i'm going to pick a random spot in the class, otherwise you get merge conflicts as everyone is appending tests	04:15
*** richm has quit IRC		04:20
*** zzzeek has quit IRC		04:24
openstackgerrit	Jamie Lennox proposed openstack/python-keystoneclient: Make remove_service_catalog private https://review.openstack.org/154334	04:26
*** amerine has joined #openstack-keystone		04:31
*** dims_ has quit IRC		04:32
*** harlowja is now known as harlowja_away		04:34
openstackgerrit	Lance Bragstad proposed openstack/python-keystoneclient: Remove ability to get global user roles. https://review.openstack.org/154238	04:42
openstackgerrit	Lance Bragstad proposed openstack/python-keystoneclient: Remove ability to get global user roles. https://review.openstack.org/154238	04:42
*** Novtopro has joined #openstack-keystone		04:45
openstackgerrit	Jamie Lennox proposed openstack/python-keystoneclient: Add get_communication_params interface to plugins https://review.openstack.org/141267	04:46
openstackgerrit	Jamie Lennox proposed openstack/python-keystoneclient: Enforce that some plugin options are required https://review.openstack.org/148784	04:49
*** lnxnut has quit IRC		04:50
openstackgerrit	Merged openstack/keystone: Remove XMLEquals from tests https://review.openstack.org/154242	04:50
*** lnxnut has joined #openstack-keystone		04:51
openstackgerrit	Merged openstack/keystone: Remove unused test case https://review.openstack.org/154212	04:51
*** lnxnut has quit IRC		04:56
*** gokrokve_ has joined #openstack-keystone		04:56
jamielennox	stevemar: you mind having a look at https://review.openstack.org/#/c/143339/ as well?	04:56
jamielennox	i'm just going through the leftovers, clean up a few old reviews that didn't move	04:57
openstackgerrit	Abhishek Talwar proposed openstack/python-keystoneclient: User-password-update accepts blank as password https://review.openstack.org/147399	04:58
*** gokrokve has quit IRC		04:59
*** Novtopro has quit IRC		05:00
*** gokrokve_ has quit IRC		05:00
openstackgerrit	Merged openstack/keystone: Fix the syntax issue on creating table `endpoint_group` https://review.openstack.org/151931	05:05
openstackgerrit	Merged openstack/keystone: Change oslo.db to oslo_db https://review.openstack.org/148029	05:05
openstackgerrit	Merged openstack/keystone: Change oslo.config to oslo_config https://review.openstack.org/145250	05:05
openstackgerrit	Merged openstack/keystone: Change oslo.i18n to oslo_i18n https://review.openstack.org/151880	05:05
openstackgerrit	Merged openstack/keystone: Change hacking check to verify all oslo imports https://review.openstack.org/151881	05:06
jamielennox	morganfainberg: you haven't done keystonemiddleware yet?	05:08
morganfainberg	jamielennox, no was waiting for some stuff to land.	05:08
jamielennox	morganfainberg: this is passing if we can get it in: https://review.openstack.org/#/c/137268/	05:08
jamielennox	morganfainberg: also what i was going to prompt about was can you do ksc-kerberos sometime	05:09
jamielennox	i don't think there's anything waiting there...	05:09
morganfainberg	jamielennox, yeah. we need to figure out how to do testing for it	05:09
morganfainberg	but yes i can release that this week too	05:09
jamielennox	morganfainberg: so i've just written up a doc on how to test kerberos login, i just don't know how to work all this into a functional test for gerrit	05:14
*** spandhe has joined #openstack-keystone		05:15
*** lnxnut has joined #openstack-keystone		05:21
*** junhongl has joined #openstack-keystone		05:22
*** abhirc has quit IRC		05:37
*** lnxnut has quit IRC		05:38
*** ajayaa has joined #openstack-keystone		05:39
openstackgerrit	Merged openstack/keystone: Fix downgrade test for migration 61 on non-sqlite https://review.openstack.org/146497	05:42
*** lhcheng_afk has joined #openstack-keystone		05:44
*** oomichi has quit IRC		05:50
*** rushiagr is now known as rushiagr_away		05:53
*** marg7175 has quit IRC		05:53
*** harlowja_away has quit IRC		06:01
openstackgerrit	Merged openstack/keystone: Correct test_auth_unscoped_token_project for result ordering https://review.openstack.org/138919	06:02
openstackgerrit	Merged openstack/keystone: Correct test_get_v3_catalog test for result ordering https://review.openstack.org/138920	06:02
openstackgerrit	Merged openstack/keystone: Correct catalog response checker for result ordering https://review.openstack.org/138921	06:02
openstackgerrit	Merged openstack/keystone: Correct a v3 auth test for result ordering https://review.openstack.org/138922	06:03
openstackgerrit	Merged openstack/keystone: Correct version tests for result ordering https://review.openstack.org/138923	06:03
openstackgerrit	Merged openstack/keystone: Remove test PYTHONHASHSEED setting https://review.openstack.org/136593	06:03
stevemar	\o/	06:04
stevemar	finally clearing up the keystone pipeline (pun intended)	06:04
stevemar	jamiec, sure thing, i'll take a look	06:04
stevemar	jamiec, sorry wrong jamie	06:05
stevemar	jamielennox, ^	06:05
stevemar	jamielennox, sorry i take so long to get back to you, i do random things at night, like laundry	06:08
jamielennox	stevemar: that's ok - you know your getting into the habbit of being the last one around?	06:08
stevemar	jamielennox, yeah, i think i've had that honor for a while now	06:09
openstackgerrit	Abhishek Talwar proposed openstack/python-keystoneclient: User-password-update accepts blank as password https://review.openstack.org/147399	06:12
openstackgerrit	Jamie Lennox proposed openstack/python-keystoneclient-federation: Copy the existing federation plugins over. https://review.openstack.org/150627	06:19
jamielennox	stevemar: added bug to https://review.openstack.org/#/c/150627/ can you +2 again	06:19
stevemar	rgr	06:19
jamielennox	today has been the most code i've seen merged this year i think	06:22
openstackgerrit	Steve Martinelli proposed openstack/keystone: Check consumer and project id before creating request token https://review.openstack.org/145701	06:28
stevemar	jamielennox, wasn't it freaking fantastic	06:29
morganfainberg	stevemar booo	06:29
stevemar	?	06:29
morganfainberg	boooooooooooo on that joke	06:29
stevemar	morganfainberg, why booo?	06:29
stevemar	what joke?	06:30
morganfainberg	keystone pipeline...	06:30
stevemar	hahahaha	06:30
morganfainberg	boooooo	06:30
stevemar	it was funny	06:30
openstackgerrit	Steve Martinelli proposed openstack/keystone: Provide additional detail if OAuth headers are missing https://review.openstack.org/142191	06:31
openstackgerrit	Steve Martinelli proposed openstack/keystone: Add links to extensions that point to api specs https://review.openstack.org/147311	06:32
openstackgerrit	Steve Martinelli proposed openstack/python-keystoneclient: WIP - Add openid connect client support https://review.openstack.org/134700	06:35
openstackgerrit	Steve Martinelli proposed openstack/keystone: Use oslo.policy and delete the sync'ed version https://review.openstack.org/148624	06:36
*** krykowski has joined #openstack-keystone		06:39
stevemar	morganfainberg, do i need a bug for this: https://review.openstack.org/#/c/154321/	06:39
morganfainberg	stevemar, ideally	06:44
openstackgerrit	Steve Martinelli proposed openstack/keystone: Use oslo.policy and delete the sync'ed version https://review.openstack.org/148624	06:46
*** lnxnut has joined #openstack-keystone		06:51
openstackgerrit	Steve Martinelli proposed openstack/keystone: Fix IDs names for federation router https://review.openstack.org/154321	06:53
stevemar	morganfainberg, okay done	06:54
*** jaosorior has joined #openstack-keystone		06:56
*** lnxnut has quit IRC		06:56
openstackgerrit	Merged openstack/python-keystoneclient: Reference identity plugins from __init__.py https://review.openstack.org/143339	06:59
*** lhcheng_afk has quit IRC		07:08
*** mflobo has quit IRC		07:09
*** mflobo has joined #openstack-keystone		07:10
*** spandhe has quit IRC		07:11
*** spandhe has joined #openstack-keystone		07:12
*** avozza is now known as zz_avozza		07:32
*** mzbik has joined #openstack-keystone		07:32
*** dims__ has joined #openstack-keystone		07:33
*** markvoelker has quit IRC		07:33
*** markvoelker has joined #openstack-keystone		07:34
*** dims__ has quit IRC		07:37
*** markvoelker has quit IRC		07:38
*** lnxnut has joined #openstack-keystone		07:52
openstackgerrit	Steve Martinelli proposed openstack/keystone: Add a check to see if a federation token is being used for v2 auth https://review.openstack.org/154368	07:53
stevemar	marekd, ^	07:54
*** chlong has quit IRC		07:54
openstackgerrit	wanghong proposed openstack/keystone: add timestamp to project and role https://review.openstack.org/154370	07:55
*** mflobo has left #openstack-keystone		07:56
*** lnxnut has quit IRC		07:57
*** mflobo has joined #openstack-keystone		07:59
openstackgerrit	Steve Martinelli proposed openstack/keystone: Use _VersionsEqual for a few more version tests https://review.openstack.org/154373	07:59
stevemar	bknudson, ^ for you in the morning	08:00
stevemar	morganfainberg, bknudson this bug could use some attention, causing check failures https://review.openstack.org/#/c/154373/	08:02
*** fifieldt has joined #openstack-keystone		08:03
*** markvoelker has joined #openstack-keystone		08:04
*** aix has joined #openstack-keystone		08:07
*** spandhe has quit IRC		08:08
*** markvoelker has quit IRC		08:09
*** stevemar has quit IRC		08:13
breton	wow, that's a lot of merges	08:14
*** karimb has joined #openstack-keystone		08:15
*** oomichi_ has joined #openstack-keystone		08:23
*** zz_avozza is now known as avozza		08:25
ccard	jamielennox: I found some stuff on using domain-specific drivers. Is it possible to configure keystone so that the internal openstack users are take from SQL and the other users from LDAP? How does keystone know which domain to lookup users in?	08:28
jamielennox	ccard: yes, you can do exactly that	08:29
jamielennox	umm	08:29
jamielennox	ccard: ok, starting here: http://docs.openstack.org/juno/config-reference/content/section_keystone-domain-configs.html	08:29
jamielennox	(and i'm not telling you to RTFM - just no way i can remember it all)	08:30
jamielennox	_enabled turns it on	08:30
jamielennox	the domain_config_dir is a directory with files in it	08:30
jamielennox	keystone.DOMAIN_NAME.conf	08:30
jamielennox	so if you create a domain name my-test-domain you create a file keystone.my-test-domain.conf	08:31
jamielennox	within that you need to put the [identity] driver= field	08:32
jamielennox	and then either the [sql] or [ldap] section - depending on driver	08:32
ccard	jamielennox: yes, I understand the structure of the configuration files (I was looking at http://docs.openstack.org/developer/keystone/configuration.html), but I don't see how keystone knows that a user (e.g. ccard) is in a particular domain	08:32
jamielennox	so that's a fairly fundamental part of the v3 api	08:33
jamielennox	all users and projects belong to a domain	08:33
jamielennox	when you login with v3 API you either give user_id (globally unique) or username and user_domain_name	08:33
jamielennox	(domain names are unique)	08:33
ccard	ok, suppose I give user_id, but the identity data for that user is in some LDAP db, how does keystone know that?	08:34
jamielennox	ccard: hmm - that's a good question...	08:34
jamielennox	i think when you turn this stuff on it makes the user_ids really big	08:35
jamielennox	so from memory the user_id becomes two uuids appended together	08:35
jamielennox	and i think the idea is that it's user_id and domain_id appended	08:35
jamielennox	the idea was something like that but i honestly didn't follow the implementation closely enoguh to be certain	08:36
ccard	jamielennox: when I login to horizon, I just give a username (e.g. admin, or ccard) but it doesn't ask for a domain name	08:36
jamielennox	right - so i know horizon was working on how to expose domains via the dashboard	08:37
jamielennox	i don't know how to set that up	08:37
ccard	that's not in juno then?	08:37
jamielennox	ccard: not sure, i don't have much to do with horizon	08:38
jamielennox	i'd try in #openstack-horizon	08:38
jamielennox	ccard: though google gives me: https://ask.openstack.org/en/question/47220/does-domain-work-for-horizon-and-keystone/	08:39
ccard	jamielennox: if I create a domain-specific configuration file, is the domain name I give it arbitrary, or does it have to match an actual real domain (e.g. the suffix of the LDAP directory)?	08:39
jamielennox	ccard: the name is a required field when creating a domain	08:40
jamielennox	openstack domain create blah	08:40
ccard	jamielennox: ah, right. I'd not noticed that openstack has its own domains - still on the learning curve	08:41
jamielennox	ccard: np, it's a long curve	08:41
ccard	jamielennox: that link looks useful, thanks	08:42
*** gokrokve has joined #openstack-keystone		08:43
*** jistr has joined #openstack-keystone		08:47
*** afazekas has joined #openstack-keystone		08:52
ccard	jamielennox: I can't find cli commands for domains	08:53
jamielennox	ccard: you using keystone or openstack cli	08:53
ccard	jamielennox: keystone, I don't seem to have the openstack cli on my installation	08:54
jamielennox	yea, it's a seperate install	08:54
*** gokrokve has quit IRC		08:54
jamielennox	we deprecated the keystone cli tool, it only supports the v2 api	08:55
jamielennox	to do things with v3 try out openstack	08:55
*** gokrokve has joined #openstack-keystone		08:55
jamielennox	python-openstackclient	08:55
ccard	jamielennox: thanks, I'll try that	08:55
*** spandhe has joined #openstack-keystone		08:56
*** gokrokve has quit IRC		09:00
ccard	jamielennox: I got python-openstackclient-1.0.1-1.el7.centos.noarch installed, but I see no domain commands in openstack --help	09:00
jamielennox	ccard: so openstackclient is a bit odd	09:01
jamielennox	you will need to either --os-identity-api-version 3 or export OS_IDENTITY_API_VERSION=3	09:02
jamielennox	i think if you do a v3 auth then it comes up as well	09:02
ccard	jamielennox: ok, thanks	09:02
*** erkules_ is now known as erkules		09:04
*** markvoelker has joined #openstack-keystone		09:05
*** nellysmitt has joined #openstack-keystone		09:10
*** markvoelker has quit IRC		09:10
ccard	jamielennox: I'm getting this: "openstack --os-identity-api-version 3 domain list	09:11
ccard	ERROR: openstack Authentication failure: The resource could not be found. (HTTP 404)"	09:11
ccard	similarly for domain create	09:11
jamielennox	hmm	09:12
jamielennox	what are you doing for auth?	09:12
ccard	environment variables are set, which work for other commands	09:12
jamielennox	just to test - try adding --os-url=http/keystone/v3	09:12
*** lsmola has quit IRC		09:12
jamielennox	so if you are using v2 auth then i'm prety sure it will fail	09:12
marekd	morganfainberg: so what I showed on the video was Icehouse federation only. As K2K was kinda problematic (and sadly saying incomplete in Kilo) I didn't go ahead with implementing client part for that. But the good news is it should be much easier to implement client part for K2K given the experience we now have and a code we already have.	09:13
ccard	jamielennox: same error	09:13
ccard	what's different for v3 auth?	09:14
jamielennox	if you do username you need to specify user_domain_id	09:14
jamielennox	same with if you're using project_name you need project_domain_id	09:14
ccard	which is "default", yes?	09:14
jamielennox	OSC protects you from some of this - but i don't remember what	09:14
jamielennox	yes	09:14
ccard	jamielennox: if I set OS_USER_DOMAIN_NAME and/or OS_PROJECT_DOMAIN_NAME to default, I get the same error. If I set OS_DOMAIN_NAME I get the error "ERROR: openstack Authentication cannot be scoped to multiple targets. Pick one of: project, domain or trust"	09:22
jamielennox	ccard: yep - so in v3 you can scope the authentication to a domain, not just a project	09:23
jamielennox	by using OS_DOMAIN_NAME you're asking for a domain scoped token, but you're also asking for a project scoped token	09:23
jamielennox	USER_DOMAIN_NAME relates to user, PROJECT_DOMAIN_NAME relates to project	09:23
ccard	but setting OS_PROJECT_DOMAIN_NAME or OS_USER_DOMAIN_NAME give the "openstack Authentication failure: The resource could not be found. (HTTP 404)" error	09:25
jamielennox	does it work if you do openstack token issue	09:27
jamielennox	(i think thats the command)	09:27
ccard	# openstack token issue	09:30
ccard	ERROR: openstack Could not determine a suitable URL for the plugin	09:30
ccard	# openstack --os-identity-api-version 3 token issue	09:30
ccard	ERROR: openstack The resource could not be found. (HTTP 404)	09:30
marekd	ccard: what is the output for # env \| grep OS \| grep -v OS_PASSWORD ?	09:31
ccard	marekd: OS_REGION_NAME=RegionOne	09:33
ccard	OS_AUTH_URL=http://********:5000/v2.0/	09:33
ccard	OS_USERNAME=admin	09:33
ccard	OS_TENANT_NAME=admin	09:33
marekd	ccard: and you want to use v3 or v2?	09:35
ccard	marekd: I'm trying to use v3 (for domain stuff) - do I need to change OS_AUTH_URL as well as supply --os-identity-api-version 3 ?	09:36
marekd	or export OS_IDENTITY_API=3	09:37
marekd	you might also make sure that openstackclient uses v3 auth plugin.	09:37
marekd	ccard: opus, sorry = OS_IDENTITY_API_VERSION=3	09:39
ccard	OS_REGION_NAME=RegionOne	09:41
ccard	OS_IDENTITY_API_VERSION=3	09:41
ccard	OS_AUTH_URL=http://********:5000/v3.0/	09:41
ccard	OS_USERNAME=admin	09:41
ccard	OS_TENANT_NAME=admin	09:41
marekd	ccard: should be OS_AUTH_URL=http://********:5000/v3	09:41
marekd	v3, not v3.0	09:41
marekd	also i'd advise you to do # openstack -h and see vars names to be exported, as I think you might need OS_USERNAME, OS_PROJECT_NAME, OS_PROJECT_DOMAIN_NAME	09:43
jamielennox	sorry, tuned out - OS_TENANT_NAME will work but it's deprecated for v3, you should use OS_PROJECT_NAME	09:44
marekd	++	09:44
marekd	and domain the projects is within.	09:44
jamielennox	you should probably specify OS_PROJECT_DOMAIN_ID however i think OSC defaults to 'default' if you don't specify anything eles	09:44
ccard	thanks, that did it. I set OS_PROJECT_NAME and OS_PROJECT_DOMAIN_NAME and openstack domain list worked	09:45
jamielennox	ccard: it's not a particularly user friendly story - but it does begin to make more sense as you understand the concepts	09:48
ccard	jamielennox: now to see if I can keep the internal users in SQL and use LDAP for other users, and get horizon to work with it ...	09:49
*** lsmola has joined #openstack-keystone		09:59
ccard	jamielennox: changing horizon config to use v3 api, I can see the domains under identity, so horizon seems to be working ok with v3	10:04
jamielennox	can you login to horizon under a non-default domain?	10:05
ccard	I don't know, I haven't created any new domains yet	10:05
*** markvoelker has joined #openstack-keystone		10:06
ccard	horizon doesn't appear to support creating domains, so I'll have to use the cli	10:07
*** lhcheng_afk has joined #openstack-keystone		10:09
*** markvoelker has quit IRC		10:11
*** lhcheng_afk has quit IRC		10:14
*** bjornar has joined #openstack-keystone		10:21
*** boris-42 has joined #openstack-keystone		10:29
ccard	jamielennox: I created a new domain, but I can't see how to add a user to the domain. Horizon doesn't support this, and "openstack user set --domain <domain> <user>" returns "ERROR: openstack Cannot change Domain ID (HTTP 400)"	10:29
jamielennox	no you can't change a domain id	10:30
jamielennox	nothing can be moved between domains like that, if you think about what a domain is trying to do it's segmenting openstack so it doesn't really make sense	10:30
jamielennox	if you want a user in a different domain they have to be created in that domain	10:30
ccard	jamielennox: so I have to create a new user and set the domain as part of the create?	10:31
jamielennox	yes	10:31
*** ajayaa has quit IRC		10:36
openstackgerrit	Boris Bobrov proposed openstack/keystone: Fix invalid super() usage in memcache pool https://review.openstack.org/154095	10:38
*** andreaf_ has quit IRC		10:47
*** wpf has quit IRC		10:47
*** wpf has joined #openstack-keystone		10:48
*** ajayaa has joined #openstack-keystone		10:56
*** spandhe has quit IRC		11:01
*** oomichi_ has left #openstack-keystone		11:07
*** markvoelker has joined #openstack-keystone		11:07
*** markvoelker has quit IRC		11:12
*** EmilienM\|afk is now known as EmilienM		11:21
*** MasterPiece has joined #openstack-keystone		11:23
*** dims__ has joined #openstack-keystone		11:23
*** aix has quit IRC		11:26
*** diegows has joined #openstack-keystone		11:26
*** jaosorior has quit IRC		11:31
*** diegows has quit IRC		11:32
*** henrynash has joined #openstack-keystone		11:50
*** ChanServ sets mode: +v henrynash		11:50
*** rushiagr_away is now known as rushiagr		11:56
*** chlong has joined #openstack-keystone		11:59
*** markvoelker has joined #openstack-keystone		12:08
*** avozza is now known as zz_avozza		12:10
*** aix has joined #openstack-keystone		12:11
*** markvoelker has quit IRC		12:13
*** henrynash has quit IRC		12:17
*** aix has quit IRC		12:20
*** karimb is now known as karimb\|lunch		12:32
*** bjornar has quit IRC		12:34
*** bjornar has joined #openstack-keystone		12:36
*** henrynash has joined #openstack-keystone		12:49
*** ChanServ sets mode: +v henrynash		12:49
*** jasondotstar has quit IRC		12:49
*** jasondotstar has joined #openstack-keystone		12:50
*** lnxnut has joined #openstack-keystone		12:53
*** radez_g0n3 is now known as radez		12:55
*** lnxnut has quit IRC		12:58
*** zz_avozza is now known as avozza		13:05
*** markvoelker has joined #openstack-keystone		13:05
*** raildo has quit IRC		13:21
*** raildo has joined #openstack-keystone		13:22
breton	someone broke the gate, right?	13:23
*** raildo has quit IRC		13:27
openstackgerrit	henry-nash proposed openstack/keystone: Add support for group membership to data driven assignment tests https://review.openstack.org/151962	13:27
*** gordc has joined #openstack-keystone		13:30
openstackgerrit	henry-nash proposed openstack/keystone: Broaden domain-group testing of list_role_assignments https://review.openstack.org/154302	13:30
*** raildo has joined #openstack-keystone		13:31
openstackgerrit	henry-nash proposed openstack/keystone: Test list_role_assignment in standard inheritance tests https://review.openstack.org/153897	13:34
*** karimb\|lunch is now known as karim		13:39
*** karim is now known as Guest24809		13:39
*** bknudson has quit IRC		13:41
*** amakarov_away is now known as amakarov		13:42
*** rushiagr is now known as rushiagr_away		13:54
*** radez is now known as radez_g0n3		13:58
*** nicodemos has joined #openstack-keystone		13:59
*** bknudson has joined #openstack-keystone		14:00
*** ChanServ sets mode: +v bknudson		14:00
*** fifieldt has quit IRC		14:02
*** avozza is now known as zz_avozza		14:05
david-lyle_afk	ccard: Horizon does support domains, you have to set the OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True in the openstack_dashboard/local/local_settings.py file https://github.com/openstack/horizon/blob/master/openstack_dashboard/local/local_settings.py.example#L43	14:06
*** david-lyle_afk is now known as david-lyle		14:07
openstackgerrit	henry-nash proposed openstack/keystone: Support project hierarchies in data driver tests https://review.openstack.org/154485	14:08
openstackgerrit	Brant Knudson proposed openstack/keystone: Use _VersionsEqual for a few more version tests https://review.openstack.org/154373	14:08
*** zz_avozza is now known as avozza		14:08
*** richm has joined #openstack-keystone		14:09
henrynash	samueldmq: fyi, last piece of the data driven tests is now in place - supporting project hierarchies (seems to pass :-) ) - see https://review.openstack.org/#/c/154485/1	14:09
*** ajayaa has quit IRC		14:10
*** jaosorior has joined #openstack-keystone		14:10
bknudson	looks like apevec is seeing a problem in keystoneclient icehouse tests... I'm going to try it out myself.	14:12
*** ctina has joined #openstack-keystone		14:14
*** jasondot_ has joined #openstack-keystone		14:14
bknudson	I got a bunch of "ImportError: No module named oslo_utils" on the first run...	14:14
*** lnxnut has joined #openstack-keystone		14:17
bknudson	still getting "ImportError: No module named oslo_utils" after rebuilding tox.	14:20
*** lnxnut has quit IRC		14:22
bknudson	also got a "FAIL: keystone.tests.test_token_provider.TestPKIProviderWithStdlib.test_get_token_id_error_handling" -- "ImportError: cannot import name access"	14:22
*** radez_g0n3 is now known as radez		14:23
bknudson	it's because oslo.config is capped in stable... so I think we need to also cap python-keystoneclient.	14:32
bknudson	alternatively, we could have keystoneclient support old oslo.config	14:33
openstackgerrit	henry-nash proposed openstack/keystone: Split the assignments controller https://review.openstack.org/132634	14:36
*** abhirc has joined #openstack-keystone		14:36
*** MasterPiece has quit IRC		14:36
*** rushiagr_away is now known as rushiagr		14:40
*** dims__ has quit IRC		14:43
*** dims__ has joined #openstack-keystone		14:43
*** dims__ has quit IRC		14:43
*** joesavak has joined #openstack-keystone		14:44
*** dims__ has joined #openstack-keystone		14:44
*** esmute has quit IRC		14:45
*** radez is now known as radez_g0n3		14:45
*** esmute has joined #openstack-keystone		14:47
*** aix has joined #openstack-keystone		14:48
*** r-daneel has joined #openstack-keystone		15:00
ccard	david-lyle_afk: yes, I found that, and horizon is now allowing me to create domains etc. But I'm hitting another problem now.	15:01
ccard	I've created a domain and and project and user within the domain, but when I login to horizon as this domain+user I get an error "Error: Unauthorised: Unable to retrieve usage information."	15:02
*** topol has joined #openstack-keystone		15:03
ccard	I've turned on debug logging and I can see that this request is failing: "http://*********:8774/v2/c9d2aa14dff040d49fffa115697895fc/extensions"	15:03
*** ChanServ sets mode: +v topol		15:03
*** esmute has quit IRC		15:04
ccard	I suspect that this ought to be going to v3 rather than v2, and I've changed all the configuration I can find which was pointing at v2, and restarted everything, but I can't get past this error	15:04
*** radez_g0n3 is now known as radez		15:05
david-lyle	ccard, indeed that's that part about projects in other domains that fails to work and why domains aren't the default in Horizon	15:05
david-lyle	my understanding was that the keystone team had fixed this, but I haven't had time to verify	15:05
*** radez is now known as radez_g0n3		15:05
david-lyle	ccard: are you installing from master, or an older release?	15:06
*** esmute has joined #openstack-keystone		15:06
ccard	david-lyle: good question. I installed this openstack a couple of months ago, using packstack. It is juno, so not master I guess.	15:07
*** zzzeek has joined #openstack-keystone		15:07
david-lyle	that may have something to with it. I will verify locally	15:07
ccard	david-lyle: is there a bug report somewhere for this?	15:07
*** thedodd has joined #openstack-keystone		15:11
david-lyle	ccard: it actually works on trunk now	15:15
david-lyle	just verfied	15:15
david-lyle	\o/	15:15
david-lyle	I'm not sure if there is backport potential for whatever the fix was	15:15
david-lyle	there was a bug, but I am unsure of the id right now	15:15
*** gokrokve has joined #openstack-keystone		15:21
*** esmute has quit IRC		15:23
*** mzbik has quit IRC		15:25
*** ctina has quit IRC		15:25
*** esmute has joined #openstack-keystone		15:25
*** jdennis has joined #openstack-keystone		15:27
ccard	david-lyle: thanks. Will trunk make it into kilo?	15:27
*** lnxnut has joined #openstack-keystone		15:29
*** lnxnut has quit IRC		15:29
*** marg7175 has joined #openstack-keystone		15:30
*** timcline has joined #openstack-keystone		15:30
*** lnxnut has joined #openstack-keystone		15:30
*** marg7175 has quit IRC		15:31
*** marg7175 has joined #openstack-keystone		15:31
david-lyle	ccard: it already is :)	15:32
*** marg7175_ has joined #openstack-keystone		15:33
*** marg7175 has quit IRC		15:36
*** ctina has joined #openstack-keystone		15:39
*** henrynash has quit IRC		15:39
*** stevemar has joined #openstack-keystone		15:48
*** ChanServ sets mode: +v stevemar		15:48
*** rwsu-afk is now known as rwsu		15:52
stevemar	gordc, i just changed the commit msg!	15:54
gordc	stevemar: i don't understand.	15:56
gordc	stevemar: is this related to my 'bro' review?	15:56
stevemar	gordc, haha yes	15:56
stevemar	gordc, the only diff between the new patches was the commit msg	15:56
stevemar	i just changed it in the gerrit editor	15:57
gordc	stevemar: are you telling me i shouldn't have reviewed it?	15:57
gordc	stevemar: i won't lie, my brain is not on. you need to spell this out for me.	15:57
stevemar	gordc, i guess it wouldn't have been obvious it was just the commit msg, but yes i'll get to the whatever things you are talking about soon, mom	15:58
gordc	stevemar: good! and clean up your da** room.	15:58
*** esmute has quit IRC		16:04
*** esmute has joined #openstack-keystone		16:07
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Improve List Role Assignments Filters Performance https://review.openstack.org/137202	16:12
bknudson	this one fixes random py27 failures: https://review.openstack.org/154373	16:19
*** esmute has quit IRC		16:23
*** abhirc_ has joined #openstack-keystone		16:24
*** esmute has joined #openstack-keystone		16:26
*** abhirc has quit IRC		16:27
stevemar	any takers? ^	16:29
*** chlong has quit IRC		16:30
*** esmute has quit IRC		16:43
*** ayoung_sleep is now known as ayoung		16:43
*** esmute has joined #openstack-keystone		16:45
*** gyee has joined #openstack-keystone		16:51
*** ChanServ sets mode: +v gyee		16:51
*** tqtran has joined #openstack-keystone		16:51
*** Guest24809 has quit IRC		16:52
*** atiwari has joined #openstack-keystone		16:55
*** afazekas has quit IRC		16:56
*** marg7175_ has quit IRC		17:05
*** spandhe has joined #openstack-keystone		17:06
*** jistr has quit IRC		17:07
*** krykowski has quit IRC		17:07
*** gokrokve_ has joined #openstack-keystone		17:09
*** gokrokve has quit IRC		17:12
openstackgerrit	Dolph Mathews proposed openstack/keystone: AE Tokens https://review.openstack.org/145317	17:13
*** spandhe_ has joined #openstack-keystone		17:14
*** jodah has joined #openstack-keystone		17:16
*** jodah has left #openstack-keystone		17:16
*** spandhe has quit IRC		17:17
*** spandhe_ is now known as spandhe		17:17
*** marg7175 has joined #openstack-keystone		17:18
*** lhcheng_afk has joined #openstack-keystone		17:19
*** ljfisher has joined #openstack-keystone		17:23
*** atiwari has quit IRC		17:24
*** esmute has quit IRC		17:25
*** esmute has joined #openstack-keystone		17:25
openstackgerrit	Merged openstack/keystone: Use _VersionsEqual for a few more version tests https://review.openstack.org/154373	17:28
*** jasondot_ has quit IRC		17:31
openstackgerrit	Lin Hua Cheng proposed openstack/keystone: On creation default service name to empty string https://review.openstack.org/146962	17:36
*** lsmola has quit IRC		17:36
marekd	morganfainberg: re: direct users mapping. Had a chat with Steve and (as he replied) new keyword seems the best idea. Do you think I can carry on with that?	17:37
morganfainberg	marekd, yeah. that works for me	17:37
marekd	morganfainberg: thanks.	17:37
morganfainberg	:)	17:37
openstackgerrit	Merged openstack/keystone-specs: Correct rst in federation https://review.openstack.org/153874	17:38
*** lnxnut_ has joined #openstack-keystone		17:41
*** esmute has quit IRC		17:42
*** esmute has joined #openstack-keystone		17:44
*** lnxnut has quit IRC		17:44
*** aix has quit IRC		17:47
*** marg7175 has quit IRC		17:48
morganfainberg	marekd, http://lists.openstack.org/pipermail/openstack-dev/2015-February/056478.html	17:51
gyee	marekd, congrats! :)	17:52
*** avozza is now known as zz_avozza		17:54
rodrigods	congrats marekd!	17:54
raildo	marekd, congrats!	17:55
marekd	thanks guys :-)	17:56
marekd	but, i'd better wait for Feb 13th :P	17:57
gyee	Friday the 13th? I don't know	17:58
samueldmq	marekd, hey, I'll be glad to have you as a core :)	18:00
*** lhcheng_afk is now known as lhcheng		18:00
samueldmq	marekd, congrats for the work you did so far, you deserved this :)	18:00
marekd	samueldmq: thanks, i will try to help as much as possible :-)	18:00
*** henrynash has joined #openstack-keystone		18:01
*** ChanServ sets mode: +v henrynash		18:01
henrynash	test	18:01
*** henrynash has quit IRC		18:02
*** henrynash has joined #openstack-keystone		18:02
*** ChanServ sets mode: +v henrynash		18:02
*** openstac_ has joined #openstack-keystone		18:02
*** openstac_ is now known as amolock		18:03
dstanek	henrynash: ....E.... 8 passing, 1 error	18:05
henrynash	dstanek: ?	18:06
dstanek	henrynash: you said test...so i did	18:06
henrynash	dstanek: which patch…the data driven test stuff?	18:07
*** gokrokve_ has quit IRC		18:07
*** nellysmitt has quit IRC		18:09
*** harlowja has joined #openstack-keystone		18:10
*** arunkant has quit IRC		18:10
dolphm	morganfainberg: i want to see https://review.openstack.org/#/c/129736/ target k3, but i'm confused about your message: "This one will have an exception proposed next week with related updates (or AE Token will need to receive an exception)" is there already an exception being made?	18:11
*** thedodd has quit IRC		18:13
*** abhirc_ has quit IRC		18:14
*** abhirc has joined #openstack-keystone		18:14
*** diegows has joined #openstack-keystone		18:16
*** diegows has quit IRC		18:18
*** thedodd has joined #openstack-keystone		18:19
morganfainberg	dolphm, after meeting	18:22
*** openstackgerrit has quit IRC		18:22
*** openstackgerrit has joined #openstack-keystone		18:22
*** esmute has quit IRC		18:23
*** thedodd has quit IRC		18:24
gyee	is stable juno gate broken or just my imagination?	18:24
lbragstad	gyee: there a ml thread on it	18:24
gyee	sheeeeit	18:25
morganfainberg	gyee, did you read the ML?	18:25
lbragstad	http://lists.openstack.org/pipermail/openstack-dev/2015-February/056353.html	18:25
lbragstad	gyee: ^^	18:25
gyee	I'll stop rechecking it to infinity then	18:25
*** thedodd has joined #openstack-keystone		18:25
gyee	grasseyass amigo!	18:26
*** esmute has joined #openstack-keystone		18:26
*** atiwari has joined #openstack-keystone		18:29
ayoung	jamielennox, meeting time?	18:29
openstackgerrit	ayoung proposed openstack/keystone-specs: Default Policy https://review.openstack.org/134657	18:30
*** atiwari has quit IRC		18:34
openstackgerrit	ayoung proposed openstack/keystone-specs: Token Constraints https://review.openstack.org/123726	18:34
openstackgerrit	ayoung proposed openstack/keystone-specs: certmonger https://review.openstack.org/134099	18:35
openstackgerrit	ayoung proposed openstack/keystone-specs: Hierarchical Roles https://review.openstack.org/125704	18:37
openstackgerrit	ayoung proposed openstack/keystone-specs: Fetch policy.json from server https://review.openstack.org/134655	18:37
openstackgerrit	ayoung proposed openstack/keystone-specs: Policy rules mangaged from a database https://review.openstack.org/133814	18:37
openstackgerrit	ayoung proposed openstack/keystone-specs: unified policy file https://review.openstack.org/134656	18:37
openstackgerrit	ayoung proposed openstack/keystone-specs: Enforce policy from keystoneclient https://review.openstack.org/133480	18:37
openstackgerrit	ayoung proposed openstack/keystone-specs: Default Policy https://review.openstack.org/134657	18:37
ayoung	GAH I said no REBASE dagnabit	18:37
samueldmq	gyee, ping - would like to talk about your review on 'Refactor check of targets and actors on RoleV3'	18:41
dolphm	morganfainberg: it's after meeting	18:41
gyee	samueldmq, that code is hard to read	18:41
samueldmq	gyee, https://review.openstack.org/#/c/144702/16/keystone/common/controller.py	18:41
morganfainberg	dolphm, in short either i need to send the exception email or AE tokens needs it	18:42
morganfainberg	i think i'd rather have AE token get the exception	18:42
samueldmq	gyee, the message should be, for example: 'Specify one of domain or project'	18:42
gyee	AE token!	18:42
samueldmq	gyee, doesn't that make sense?	18:42
gyee	morganfainberg, pleeeeeease	18:42
morganfainberg	dolphm, as long as you guys can get the -2 from ayoung off that spec	18:42
bknudson	there's a lot of work going on around token handling so it would be great if the common parts were in their own spec.	18:42
gyee	bribe him!	18:43
dolphm	morganfainberg: alrighty, that's pretty old	18:43
dolphm	morganfainberg: do i have a deadline?	18:43
morganfainberg	dolphm, asap :)	18:43
dolphm	ayoung: what's the nearest brewery to your house that delivers?	18:43
morganfainberg	dolphm, but asking for the exception on the ML should be done this week.	18:43
bknudson	send a snowblower.	18:43
morganfainberg	dolphm, even if you're still working on removing the -2	18:43
dolphm	morganfainberg: ack	18:43
samueldmq	gyee, .. :/	18:44
gyee	samueldmq, "if not provided_args:" means there's nothing there right?	18:44
*** esmute has quit IRC		18:44
gyee	so you'll get "Specify one of "	18:44
morganfainberg	oh and please look at rodrigods's request for a SPF exception (cc dolphm, bknudson, henrynash, gyee, topol, stevemar, jamielennox, dstanek, lbragstad, ayoung)	18:44
morganfainberg	sent to the ML already	18:44
dolphm	ayoung: i assume you went away to review code :) i'm going to grab food and i'll poke you later this afternoon	18:45
samueldmq	gyee, yes, the code is wrong, that should be the keys from kwargs	18:45
*** esmute has joined #openstack-keystone		18:45
henrynash	morganfainberg: ok	18:45
henrynash	(as in, ok, will look)	18:45
ayoung	dolphm, about AE? Have you made a breakthrough?	18:45
samueldmq	gyee, that's why I think we should assert error messages on tests	18:45
morganfainberg	http://lists.openstack.org/pipermail/openstack-dev/2015-February/056295.html	18:45
gyee	ayoung, the perf stat look awesome for AE	18:45
samueldmq	gyee, great catch!	18:45
ayoung	gyee, do we have a plan to support the issues we discussed at the midcycle?	18:46
gyee	samueldmq, happy coding :)	18:46
gyee	ayoung, yeah, there'll be at most one group per federated token right now	18:46
gyee	so its pretty static	18:46
samueldmq	gyee, thanks, will ping you in a few minutes to get your +1 (probably +2) there :=_	18:46
samueldmq	:-)	18:46
ayoung	gyee, that sounds good	18:46
ayoung	and what about roles?	18:47
lhcheng	bknudson: I have a follow-up question on https://review.openstack.org/#/c/132122/	18:47
*** gokrokve has joined #openstack-keystone		18:47
ayoung	er...delegations..trusts and oauth?	18:47
dolphm	ayoung: there's an implementation in review that seems to work, and in our nightmare deployment scenario, it runs 85% faster than UUID tokens	18:47
ayoung	nice	18:47
ayoung	link?	18:47
dolphm	ayoung: no solution for federation though, afaik	18:47
*** htruta has quit IRC		18:47
morganfainberg	dolphm, nightmare scenario, what is the token size?	18:47
lhcheng	bknudson: I was able to pass the test and pep8, with this change: https://review.openstack.org/#/c/132122/9/keystone/tests/core.py	18:47
dolphm	ayoung: https://review.openstack.org/#/c/145317/2	18:47
morganfainberg	dolphm, and we'd need to solve federation issues.	18:47
ayoung	no solution for federation is a show stopper	18:47
ayoung	why not?	18:47
morganfainberg	ayoung, maybe they hadn't gotten to that yet. but i agree federation is a show stopper here.	18:48
gyee	dolphm, federation shouldn't be a problem, IdP section is fixed length	18:48
*** htruta has joined #openstack-keystone		18:48
dolphm	ayoung: it's dependent on https://review.openstack.org/#/c/154590/ though	18:48
lhcheng	bknudson: but the docs and devstack are failing now. :(	18:48
dolphm	morganfainberg: nightmare scenario multiple globally distributed regions that need to validate each other's tokens	18:48
marekd	gyee: but groups list is not.	18:48
morganfainberg	dolphm, nice	18:48
bknudson	lhcheng: did you check the logs?	18:48
gyee	marekd, but we only have one group right now	18:49
*** amolock has quit IRC		18:49
*** arunkant has joined #openstack-keystone		18:49
gyee	that won't expend anytime soon	18:49
dolphm	marekd: i have an idea on that, but it'd take a bit of work that i don't want to land in kilo	18:49
lhcheng	bknudson: yeah, it is still related to CONF being read when imports is triggered.	18:49
*** amakarov is now known as amakarov_away		18:49
marekd	dolphm: i know you do.	18:49
dolphm	marekd: unless someone has a super elegant solution to federation in kilo, i'd like to make it as viable as we can, and simply document the limits on number of groups we can support in a token	18:50
dolphm	marekd: lol	18:50
*** henrique_ has joined #openstack-keystone		18:50
bknudson	lhcheng: the CONF work doesn't happen until the server starts, so CONF can't be read at import time.	18:50
lhcheng	bknudson: I got another option, that seems to pass the tests and docs in my local. http://paste.openstack.org/show/170875/	18:50
dolphm	marekd: i have a list of tricks i'd like to try to make AE tokens as efficient as possible	18:50
gyee	hierarchical groups! :D	18:50
morganfainberg	if we limit the number of groups someone is mapped to... OR ^^	18:50
morganfainberg	what gyee said.	18:50
dolphm	morganfainberg: yeah that would help too	18:50
morganfainberg	but we do need a story to support federated identity in AE Tokens if we're landing it in K	18:51
samueldmq	henrynash, ping - Check for invalid filtering on v3/role_assignments	18:51
bknudson	lhcheng: why would http://paste.openstack.org/show/170875/ work?	18:51
dolphm	morganfainberg: i have a crazy idea that would let us support an unbounded group list though	18:51
morganfainberg	dolphm, ok what is the crazy idea?	18:51
dolphm	morganfainberg: but again, it's not viable for kilo	18:51
henrynash	samueldmq: yes....	18:51
dolphm	morganfainberg: i'll save it :)	18:51
marekd	dolphm: 1) i was responding to gyee, 2) i said long time ago, we can make AE tokens as-is (or with some limitations) and assume it's not fully working with federation now.	18:51
lhcheng	bknudson: the schema needs to read the CONF though to get the max_password_length	18:51
samueldmq	henrynash, non-effective, domain and inherited would return inherited assignments on that domain (directly), wouldnt?	18:51
morganfainberg	marekd, "not fully working with federation" is bad :(	18:51
bknudson	lhcheng: ok, so _user_properties can't be created at import time... create it after CONF() is done.	18:52
lhcheng	bknudson: I doesn't throw an error if the CONF hasn't been loaded	18:52
gyee	s/not fully working/half-ass/	18:52
henrynash	samueldmq: yes	18:52
marekd	morganfainberg: dolph is going to kill me now :(	18:52
morganfainberg	that precludes working with a number of deployments that are wanting to support federated identity	18:52
henrynash	samueldmq: non expanded	18:52
samueldmq	henrynash, the meaning would be assignments that will be inherited by someone, and not that were inherited from someone (for this ask for effective)	18:52
morganfainberg	and AE Token would be a huge win for them	18:52
henrynash	sameuldmq: yes	18:52
samueldmq	henrynash, exactly	18:52
samueldmq	henrynash, so the answer for your question on https://review.openstack.org/#/c/144703/19/keystone/assignment/controllers.py is n	18:53
samueldmq	henrynash, no	18:53
marekd	morganfainberg: let's make basic AE tokens and later add extra layer that fixes federation.	18:53
dolphm	marekd: oh no, i'm fine with that, i'd just like to do the best we can in kilo and document the limitations	18:53
gyee	samueldmq, I need to step out for an hour or so, just amend the patch and I'll do the needful	18:53
marekd	dolphm: ++	18:53
dolphm	marekd: single region unfederated deployments are far more prevelant right now in the real world, so i'd like to cater to them first	18:53
lhcheng	bknudson: how do I create that after CONF() is done? is there a method I can plugin it to?	18:53
samueldmq	gyee, great! thanks	18:53
morganfainberg	so what will be broken with federation using the AETokens	18:54
henrynash	sameuldmq: by jove….I think you may be right!	18:54
morganfainberg	as it stands	18:54
samueldmq	henrynash, so that comes to that problem I said other day	18:54
marekd	morganfainberg: you need to keep list of your groups in a token.	18:54
bknudson	lhcheng: CONF() happens here: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/server/common.py#n30	18:54
dolphm	lbragstad: ^	18:54
morganfainberg	give me the 3-5 bullet points	18:54
ayoung	I'm willing to sign off on an AE implementation that does not reduce the functionality of tokens. It rteally is that simple. If we are there, I'd be thrilled. I need a confirmation of that from others that do not have a vested interest in the AE implementation before removingmy -2.	18:54
samueldmq	henrynash, from the entity, you can't distinguish if an assignment was inherited or is to be inherited	18:54
openstackgerrit	David Stanek proposed openstack/keystone: exclude functional tests from unit test runs https://review.openstack.org/150527	18:54
openstackgerrit	David Stanek proposed openstack/keystone: Support for running functional federation tests https://review.openstack.org/139137	18:54
openstackgerrit	David Stanek proposed openstack/keystone: enables bashate checking on upcoming dsvm code https://review.openstack.org/151309	18:54
openstackgerrit	David Stanek proposed openstack/keystone: adds a devstack plugin for running a pysaml2 IdP https://review.openstack.org/151310	18:54
openstackgerrit	David Stanek proposed openstack/keystone: adds a devstack plugin for setting up federation https://review.openstack.org/151311	18:54
openstackgerrit	David Stanek proposed openstack/keystone: adds a tox target for functional tests https://review.openstack.org/150528	18:54
dolphm	ahh	18:54
samueldmq	henrynash, just from the call, but anyway, I just said to put this on your mind, and you can think about	18:55
morganfainberg	is it really just the tokens could be huge w/ federated identity?	18:55
morganfainberg	is that the only really broken bit?	18:55
marekd	morganfainberg: yes.	18:55
*** nellysmitt has joined #openstack-keystone		18:55
dolphm	morganfainberg: i really don't want them to go over 255 chars, ever	18:55
morganfainberg	dolphm, so if we let them over 255 characters [i agree] in the cases that are needed for federation to make sure it works 100% of the time	18:55
henrynash	samueldmq: I still think you can…can you give me a concrete example of the entity structure retunred by a given API (internal or public) where we can’t determine the difference?	18:56
morganfainberg	and we fix it / improve it to never go over 255 in L	18:56
morganfainberg	is that good in your book?	18:56
morganfainberg	i just don't want a token format that excludes federation.	18:56
dolphm	morganfainberg: i never want to cross that line :(	18:56
dolphm	morganfainberg: let me spend the next day or two breaking the AE implementation and i'll get back to you	18:56
morganfainberg	ok	18:56
dolphm	ayoung: you too ^	18:57
dolphm	morganfainberg: i'll answer with unit tests :)	18:57
samueldmq	henrynash, ok, you can, but the way we do is not so intuitive or with a good ux	18:57
morganfainberg	explciitly saying "this doesn't work with federation" is really an awful approach. i'd rather delay AE unti L if we can't support it and push PKI to the non-persistent.	18:57
samueldmq	henrynash, let me give an example	18:57
lhcheng	bknudson: so I have to defer setting the _user_properties at all instance after config.configure() is called?	18:57
morganfainberg	but at this point AE would be my preference in all cases for non-persistent core provider	18:58
bknudson	lhcheng: yes.	18:58
morganfainberg	even if none of the rest of the token provider cleanup lands until next cycle	18:58
dolphm	morganfainberg: agree, ttiab	18:58
* dolphm buries head in sand.		18:58
bknudson	lhcheng: or the _user_properties could be modified after CONF() ? That might work, too.	18:58
samueldmq	henrynash, {user:{id:123},scope:{project:x,inherited_to:projects},role:{id:k},links:{assignment:/users/123/projects/y/roles/k}}	18:59
samueldmq	henrynash, how do you know it was inherited from a parent of project x or if it was assigned on project x to be inherited by its subprojects?	18:59
lhcheng	bknudson: is there a central method that is called after CONF()?	19:00
henrynash	samueldmq: becuase if you asked for effective mode then it is the former, non-effective mode the later?	19:00
*** gyee has quit IRC		19:00
bknudson	lhcheng: I don't think we've needed one yet since we've only got one thing to do after CONF(), which is the logging setup.	19:01
*** esmute has quit IRC		19:01
samueldmq	henrynash, and without knowing the way you asked ? (effective or not)	19:01
lhcheng	bknudson: the code you pasted was on just server start, have to make it work on tests/doc/keystone-manage too	19:01
henrynash	samueldmq: ah, no…that’s much harder…but is that a requirement?	19:01
lhcheng	bknudson: oh.. lucky me :)	19:01
samueldmq	henrynash, no, what we have today works	19:01
samueldmq	henrynash, but we have a way to do so	19:01
samueldmq	henrynash, the only way to do that is comparing the project id in [links][assignment] with the project id in [scope]	19:01
bknudson	lhcheng: maybe the tests can be changed to call that function?	19:02
samueldmq	henrynash, if they are different, that assignment was inherited	19:02
henrynash	samueldmq: usre…I get it…but we shouldn’t publish that as a way to tell teh difference….we should say that you interpret the results dependant on whetehr you asked for effective assignments or now	19:02
henrynash	not	19:02
*** dims__ has quit IRC		19:02
*** dims__ has joined #openstack-keystone		19:03
samueldmq	henrynash, I was not arguing the way we do it doesnt work, but the way we define the entity could make it clearer	19:03
henrynash	stevemar: ping	19:03
samueldmq	henrynash, yes makes sense, but it could be:	19:03
*** esmute has joined #openstack-keystone		19:03
samueldmq	henrynash, {user:{id:123},scope:{project:x,INHERITED_FROM:y},role:{id:k},links:{assignment:/users/123/projects/y/roles/k}}	19:03
*** atiwari has joined #openstack-keystone		19:03
morganfainberg	ayoung, i'll clear -2s off reproposed specs today/tonight	19:04
morganfainberg	ayoung, the ones against backlog that is.	19:04
*** dims_ has joined #openstack-keystone		19:04
samueldmq	henrynash, I don't know if it's worth it to change this, I'm just proposing something that would make our model easier to understand	19:04
bknudson	anybody have concerns with backporting https://review.openstack.org/#/c/136636/ to stable/juno and /icehouse? This is "Keystoneclient tests from venv-installed client"	19:04
morganfainberg	bknudson, no concerns	19:04
morganfainberg	bknudson, in fact. where can i +2 that change	19:04
samueldmq	henrynash, worth it in terms of api change, since it was already published on a stable version	19:04
morganfainberg	;)	19:04
bknudson	stable/icehouse keystone is broken without something like this.	19:04
samueldmq	henrynash, and this is not a bu	19:05
samueldmq	henrynash, bug*	19:05
morganfainberg	bknudson, please backport it :)	19:05
bknudson	I'll work on backporting it.	19:05
morganfainberg	bknudson, tyvm	19:05
henrynash	samueldmq: agree that we could do that…..I guess without the need, I’m less incluine d to change…and certainly not for K (unless you feel strongly enough about it to ask for special approval post-freeze)	19:05
morganfainberg	cburgess, ^^ re venv keystoneclient	19:05
morganfainberg	cburgess, because i know you hit this	19:05
morganfainberg	in icehouse	19:05
cburgess	This is the whole tests needing to do a git clone thing?	19:05
morganfainberg	yep	19:05
cburgess	So its gone in K right?	19:06
cburgess	At least as far as I can tell from the most recent commits.	19:06
*** rushiagr is now known as rushiagr_away		19:06
morganfainberg	yes.	19:06
bknudson	cburgess: git clone is gone in k	19:06
samueldmq	henrynash, we should at least put that on the backlog ...	19:06
morganfainberg	and bknudson is backporting to to j and i	19:06
cburgess	Backport would be nice, but at least the way we work not required.	19:07
*** dims__ has quit IRC		19:07
henrynash	samueldmq: if you feel it is important, sure...	19:08
*** tonny has joined #openstack-keystone		19:08
morganfainberg	topol, i need you to review something	19:08
morganfainberg	topol, thismorning if possible	19:08
morganfainberg	topol, https://review.openstack.org/#/c/149405/7/keystonemiddleware/audit.py	19:09
morganfainberg	topol, i want a second pair of pycadf eyes [i trust steve but you are also pycadf] on it	19:09
topol	morganfainber, sure can do it rightnow	19:09
stevemar	topol, get ready, it's a big one	19:09
morganfainberg	yeah	19:09
samueldmq	henrynash, I dont see it as a requirement ... if you dont feel it's important, I don't want to struggle with you (really) :-)	19:09
morganfainberg	i've looke dthrough it and it looks ok	19:09
morganfainberg	but... ugh.	19:09
tonny	hi, im installing openstack identity service, how can i prompt dpkg to create tenant and endpoint? it didnt come automaticaly, "im using debian 7 and did dpkg-reconfigure keystone but didnt help"	19:09
lhcheng	bknudson: so I probably have to add a new function like setup_schema() in keystone.config that will update the _user_properties to set the max_password_lenght	19:10
morganfainberg	tonny, i am unsure how dpkg does that or if it does	19:10
morganfainberg	tonny, you'd need to ask zigo about the packaging	19:10
*** atiwari has quit IRC		19:10
henrynash	samueldmq: :-)	19:10
tonny	morganfainberg, alright thanks	19:10
topol	morganfainberg, stevemar. Its a gig-Nash-tic :-)	19:11
henrynash	samueldmq: but as I said, I could be wrong (frequently am)…so if you do feel it is important, put it in the backlog	19:11
morganfainberg	tonny, there are docs on how to bootstrap the basic info into keystone [devstack does this]	19:11
*** EmilienM is now known as EmilienM\|afk		19:11
morganfainberg	tonny, and there is this document that might help some: http://docs.openstack.org/developer/keystone/configuringservices.html	19:11
morganfainberg	tonny, and http://docs.openstack.org/developer/keystone/configuration.html	19:12
*** marg7175 has joined #openstack-keystone		19:12
henrynash	topol: topol has clearly been listening to 70’s hit radio agin	19:12
henrynash	again	19:12
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Refactor check of targets and actors on RoleV3 https://review.openstack.org/144702	19:12
morganfainberg	tonny, but afaik dpkg doesn't do a much setup by design - since it's highly deployment specific on what you'd run in keystone	19:12
topol	henrynash, I love the 70's music!	19:13
stevemar	henrynash, all his presets are 70s stations	19:13
henrynash	topol: salt of the earth, salt of the earth	19:13
tonny	<morganfainberg, thanks alot for the helps and greate suggestions, i have done installing openstack with ubuntu, i can do it with keystone commands, just was wondering why no prompts	19:13
topol	henrynash, Im guessing you made it to Studio 54 once or twice	19:13
morganfainberg	tonny, probably because it's highly deployment specific. the pkg doesn't really have the capability to know what you'd expect it to do	19:13
*** marg7175 has quit IRC		19:13
henrynash	topol: confession time: my first two albums I bought were….Emerson, Lake and Palmer….and The Wombles…	19:14
morganfainberg	henrynash, https://review.openstack.org/#/c/137268/11 did you have any real material concerns on the patch?	19:14
henrynash	topol: I have forever sinned….	19:14
morganfainberg	henrynash, or just the nits?	19:14
morganfainberg	henrynash, also really? ELP? REALL?!	19:14
tonny	<morganfainberg>, yeah but how it worked for alot others :D? i have set the priority even on low, to prompt every little detail but no luck	19:14
henrynash	morganfainberg: they’re nits..can be cleaned up later	19:15
*** marg7175 has joined #openstack-keystone		19:15
henrynash	morganfainberg: Tarkus, my friend, Tarkus	19:15
morganfainberg	tonny, well packaging is outside of the scope of what keystone would do. - zigo packaages things, we don't maintain (nor do we want to) the packaging info in keystone	19:15
topol	henrynash, how about when KISS went through its disco phase? I have seen them in concert twice in raleigh the past two years	19:15
openstackgerrit	Merged openstack/pycadf: Do not depend on endpoint id existing in the service catalog https://review.openstack.org/109060	19:16
morganfainberg	topol, if that patch looks good i'll wait for it to merge then release middleware	19:16
morganfainberg	with it	19:16
morganfainberg	topol, if there are any concerns, that'll land next release of middleware	19:16
tonny	<morganfainberg>, oh ok, ty :-)	19:16
henrynash	topol: Robbie Williams: “Every morning when I wake up, I feel like KISS but without the makeup…”	19:16
tonny	<morganfainberg> sorry for the trouble	19:16
morganfainberg	topol, it's no trouble at all :)	19:16
morganfainberg	tonny, i mean you, it's no trouble at all	19:16
tonny	<morganfainberg> ;)	19:17
morganfainberg	topol, disregard that message that was meant for tonny	19:17
*** tonny has quit IRC		19:17
*** dims__ has joined #openstack-keystone		19:18
henrynash	stevemar: if you get a chance could you relook at: https://review.openstack.org/#/c/132634/ - I answered your comments (a few patches ago)…let me know if you have more questins	19:18
stevemar	henrynash, i'll keep it open in a tab, in the middle of other things atm	19:19
topol	morganfainberg, give me 5 mins	19:20
*** ljfisher has quit IRC		19:20
morganfainberg	topol, no worries. take your time. i wont release middleware till 1500pacific anyway	19:21
morganfainberg	topol, at the earliest	19:21
*** dims_ has quit IRC		19:21
henrynash	stevemar: np	19:21
*** esmute has quit IRC		19:23
*** esmute has joined #openstack-keystone		19:26
*** atiwari has joined #openstack-keystone		19:28
samueldmq	lbragstad, found your comments on json schema interesting, will ping you later to talk about	19:32
lbragstad	samueldmq: ok	19:32
samueldmq	lbragstad, I have a meeting now ... but overall I think if we have adopted that on keystone (we 're effectively using it) I should change how I am doing that	19:33
samueldmq	lbragstad, otherwise, we could merge and then address every validation together	19:33
samueldmq	lbragstad, I'd be able to help with that	19:33
*** samueldmq is now known as samueldmq-away		19:34
samueldmq-away	lbragstad, sorry gotta to go	19:34
lbragstad	samueldmq-away: no worries, https://github.com/openstack/keystone/blob/15fb5d68cd871a9d05f3bc332139e808d47af2a8/keystone/assignment/controllers.py#L489 is already being used in the assignment controller, so some of the ground work is already done	19:35
*** atiwari has quit IRC		19:43
openstackgerrit	ayoung proposed openstack/keystone-specs: Hierarchical Roles https://review.openstack.org/125704	19:43
openstackgerrit	ayoung proposed openstack/keystone-specs: Fetch policy.json from server https://review.openstack.org/134655	19:43
openstackgerrit	ayoung proposed openstack/keystone-specs: Policy rules mangaged from a database https://review.openstack.org/133814	19:43
openstackgerrit	ayoung proposed openstack/keystone-specs: unified policy file https://review.openstack.org/134656	19:43
openstackgerrit	ayoung proposed openstack/keystone-specs: Enforce policy from keystoneclient https://review.openstack.org/133480	19:43
openstackgerrit	ayoung proposed openstack/keystone-specs: Default Policy https://review.openstack.org/134657	19:43
lhcheng	bknudson: http://paste.openstack.org/show/170908/ <- this fixes the issue by avoiding reading CONF when it is not ready yet. what do you think?	19:43
bknudson	we seem to have a lot of people posting WIPs to stable keystone branches today.	19:46
*** atiwari has joined #openstack-keystone		19:46
*** atiwari has quit IRC		19:47
stevemar	WIP it, WIP it good	19:47
*** atiwari has joined #openstack-keystone		19:48
morganfainberg	stevemar.....	19:50
openstackgerrit	Steve Martinelli proposed openstack/oslo.policy: Use standard logging in oslo.policy https://review.openstack.org/154635	19:50
stevemar	morganfainberg, yessum...	19:50
morganfainberg	stevemar, no Devo for you	19:50
stevemar	WHY ARE MY PUNS NOT LOVED	19:50
stevemar	screw you all, i'm going home	19:50
morganfainberg	unless you are posting pics of you wearing an energy dome hat as well.	19:50
morganfainberg	while saying WIP it WIP it good	19:50
* morganfainberg had a college buddy with the official devo energy dome hat		19:51
stevemar	official, thats fancy	19:51
morganfainberg	yeah... came off a box of cerial iirc.. you know mail-in style from the 80s	19:51
*** jaosorior has quit IRC		19:51
morganfainberg	stevemar, so.. http://www.swag-inc.com/shop/devo/devo-energy-dome-red.html next summit	19:52
morganfainberg	iexpect you to be wearing that	19:52
openstackgerrit	Merged openstack/keystonemiddleware: Refactor auth_uri handling https://review.openstack.org/153880	19:55
tqtran	stevemar: is it safe to assume that token authentication is currently only use for websso? or should that check not be there?	19:56
*** nellysmitt has quit IRC		19:56
tqtran	if 'token' in request.POST: or if websso_enabled and 'token' in request.POST:	19:56
topol	morganfainberg, Looks good to me. Merge it!!!	19:56
topol	morganfainberg, stevemar I saw on the grammys one of the devo guys dies this year.. No reunion tour :-(	19:58
stevemar	tqtran, hmmm, theoretically token auth could be used for other non-websso operations	19:59
stevemar	but i don't see how a user would know that	19:59
stevemar	i think if 'token' in request.POST is good enough	20:00
tqtran	stevemar: ok, sounds good	20:00
*** marg7175 has quit IRC		20:00
*** esmute has quit IRC		20:02
*** atiwari has quit IRC		20:02
lbragstad	dstanek: do you happen to know when the kvs driver will be pulled out?	20:03
lbragstad	dstanek: looking for the official deprecation statement	20:03
*** esmute has joined #openstack-keystone		20:03
*** marg7175 has joined #openstack-keystone		20:04
lbragstad	dstanek: nevermind, found it	20:04
*** marg7175_ has joined #openstack-keystone		20:05
*** marg7175_ has quit IRC		20:05
*** marg7175_ has joined #openstack-keystone		20:05
*** atiwari has joined #openstack-keystone		20:06
openstackgerrit	Lin Hua Cheng proposed openstack/keystone: Implement validation on the Identity V3 API https://review.openstack.org/132122	20:07
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Refactor extract class for signing directory https://review.openstack.org/122281	20:07
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Refactor auth_token revocation list members to new class https://review.openstack.org/102403	20:07
*** marg7175 has quit IRC		20:08
*** atiwari has quit IRC		20:11
*** marg7175 has joined #openstack-keystone		20:12
openstackgerrit	Lin Hua Cheng proposed openstack/keystone: Implement validation on the Identity V3 API https://review.openstack.org/132122	20:12
openstackgerrit	Merged openstack/keystonemiddleware: Turn our auth plugin into a token interface https://review.openstack.org/137268	20:13
*** marg7175_ has quit IRC		20:14
dstanek	lbragstad: which kvs driver? i have a patch to remove the catalog one almost ready to post	20:15
lbragstad	dstanek: yeah I was curious about the catalog one	20:15
lbragstad	I already found it and linked it a review you'd commented on e	20:16
lbragstad	s/on e/on/	20:16
*** atiwari has joined #openstack-keystone		20:16
*** atiwari has quit IRC		20:16
*** esmute has quit IRC		20:19
*** zz_avozza is now known as avozza		20:23
*** esmute has joined #openstack-keystone		20:23
*** guimaluf has joined #openstack-keystone		20:24
guimaluf	Hey guys, I've setup HAProxy ssl passtrhough to keystone. Using curl I can access keystone api with -k and passing --cacert. but with keystone client, even with OS_CACERT, I can't run any command without the --insecure flag...	20:25
guimaluf	my keystone endpoints points to https://haproxy:5000/v2.0, https://haproxy:35357/v2.0	20:25
guimaluf	I don't know if this is an issue of my setup or keystoneclient...	20:25
guimaluf	I've got this error: Authorization Failed: <attribute 'message' of 'exceptions.BaseException' objects> (HTTP Unable to establish connection to https:	20:25
*** EmilienM\|afk is now known as EmilienM		20:35
*** nellysmitt has joined #openstack-keystone		20:42
openstackgerrit	Lin Hua Cheng proposed openstack/keystone: Add schema for endpoint group https://review.openstack.org/150292	20:43
*** ctina has quit IRC		20:46
*** gokrokve has quit IRC		20:46
*** gokrokve has joined #openstack-keystone		20:46
*** gokrokve has quit IRC		20:51
*** g2` has quit IRC		20:51
dims__	hey all, do any of the check/gate jobs use keystone-all?	20:53
morganfainberg	"L" = OpenStack Liberty	20:54
morganfainberg	dims__, postgres one	20:54
dims__	"check-tempest-dsvm-postgres-full"?	20:54
morganfainberg	yep	20:54
dims__	thanks!	20:54
morganfainberg	dims__, though i want to drop eventlet support eventually :P	20:54
*** nicodemos has quit IRC		20:54
dims__	morganfainberg: yep, working towards it	20:55
*** marg7175 has quit IRC		20:57
*** esmute has quit IRC		20:59
*** marg7175 has joined #openstack-keystone		21:02
morganfainberg	x-project meeting in #openstack-meeting	21:03
morganfainberg	if anyone is planning on joining	21:03
morganfainberg	CPLs specifically	21:03
*** esmute has joined #openstack-keystone		21:08
*** esmute has quit IRC		21:12
*** esmute has joined #openstack-keystone		21:14
*** stevemar has quit IRC		21:14
*** marg7175 has quit IRC		21:15
*** radez_g0n3 is now known as radez		21:20
*** marg7175 has joined #openstack-keystone		21:22
*** atiwari has joined #openstack-keystone		21:23
*** atiwari has quit IRC		21:25
*** pnavarro has quit IRC		21:25
*** atiwari has joined #openstack-keystone		21:26
*** jsavak has joined #openstack-keystone		21:35
openstackgerrit	Lance Bragstad proposed openstack/keystone-specs: Authenticated Encryption Tokens https://review.openstack.org/130050	21:35
*** joesavak has quit IRC		21:38
*** atiwari has quit IRC		21:38
*** atiwari has joined #openstack-keystone		21:40
dolphm	morganfainberg: at lance's suggestion, added keystone-specs to https://gist.github.com/dolph/651c6a1748f69637abd0	21:40
morganfainberg	ah ty	21:40
*** atiwari has quit IRC		21:41
*** atiwari has joined #openstack-keystone		21:42
openstackgerrit	ayoung proposed openstack/keystone-specs: Alembic for SQL migrations https://review.openstack.org/131531	21:44
*** gyee has joined #openstack-keystone		21:51
*** ChanServ sets mode: +v gyee		21:51
lbragstad	morganfainberg: do we have a list of specs we know we want to get in still, or have ffs exceptions for?	21:51
lbragstad	I'm trying to go through and star some of them	21:51
*** samueldmq_ has joined #openstack-keystone		21:59
*** topol has quit IRC		22:00
morganfainberg	lbragstad, only 1, rodrigos	22:01
morganfainberg	for the SPFE	22:01
*** spandhe has quit IRC		22:02
*** nellysmitt has quit IRC		22:03
morganfainberg	lbragstad, and AE if someone sends an email requesting it >.>	22:05
*** joesavak has joined #openstack-keystone		22:09
guimaluf	hey guy, I really need help... my production environment is down for two days and I can't fixit. I had 3 keystone+swiftproxy nodes, balanced with DNS-RR and endpoints pointing to DNS; keystone running on 5000/35357 and swift on 443, both with self-signed certificate and native ssl; Then I've changed the swiftproxy to run on port 8080, disable the native SSL, set up HAProxy(real LB with healthcheck and SSL passthrough)	22:11
guimaluf	redirecting tcp connections to keystone/swiftproxy nodes and changed keystone endpoints pointing to HAProxy hostname with specific ports. What is happening now: Using curl I can access keystone api with -k and passing --cacert. but with keystoneclient, even with OS_CACERT, I can't run any command without the --insecure flag; swift just don't work, through API or swiftclient. Someone could help me please?	22:11
*** jsavak has quit IRC		22:12
gyee	guimaluf, can you tell you have the right cert?	22:13
gyee	openssl s_client --debug <host>:<port>	22:13
gyee	that should tell you which cert you are dealing with	22:14
guimaluf	gyee, what should I expectec to see? accessing keystone ports I can see the diferent nodes certificates...	22:16
*** thedodd has quit IRC		22:17
guimaluf	gyee, hmmm verify error:num=20:unable to get local issuer certificate; verify error:num=21:unable to verify the first certificate; Verify return code: 21 (unable to verify the first certificate)	22:17
guimaluf	i think this is an error right?	22:17
guimaluf	:/	22:17
lhcheng	morganfainberg: Should this bug cover all extension entities? https://bugs.launchpad.net/keystone/+bug/1416615	22:18
openstack	Launchpad bug 1416615 in Keystone "add schema for some extension entities" [Wishlist,Confirmed] - Assigned to Lin Hua Cheng (lin-hua-cheng)	22:18
*** atiwari has quit IRC		22:18
morganfainberg	zigo, ping	22:18
gyee	guimaluf, right, what do you have in OS_CACERT?	22:18
zigo	morganfainberg: Hi.	22:18
gyee	I mean what's in that file?	22:18
gyee	openssl x509 -in <cacert_file> -text -noout	22:19
morganfainberg	zigo, someone was asking me why this https://gist.github.com/cburgess/34945e855e504c3fb199 was in the ubuntu package for keystone, any idea if this is something they do commonly?	22:19
gyee	does it match the self-signed cert?	22:19
morganfainberg	zigo, in icehouse i think	22:19
*** atiwari has joined #openstack-keystone		22:19
guimaluf	gyee, the intermediate.pem certificate....	22:19
gyee	k, do this	22:19
guimaluf	gyee, when I pass this to curl it works, but to keystoneclient no	22:19
morganfainberg	zigo, it's nothing major, just... surprised me. figured you'd be the best person to ask if you knew if this was commonplace	22:20
gyee	openssl s_client -CAfile <cacert> -connect <host:port>	22:20
gyee	see if you see any errors	22:20
guimaluf	verify error:num=2:unable to get issuer certificate; Verify return code: 2 (unable to get issuer certificate)	22:21
gyee	there ya go :)	22:21
zigo	morganfainberg: What is this commit about?	22:21
morganfainberg	it's not a commit	22:21
morganfainberg	it's a patch aparantly carried in the ubuntu package for keystone (icehouse release)	22:21
zigo	Oh, a patch...	22:21
zigo	morganfainberg: Well, I don't maintain stuff in Ubuntu, I do in Debian.	22:21
zigo	morganfainberg: You'll have to ask people from Canonical.	22:22
morganfainberg	right, just wondering if you'd seen this type of stuff before	22:22
zigo	I don't have such a patch in Debian.	22:22
zigo	Never.	22:22
guimaluf	gyee, what I should do next? I really don't know....	22:22
*** darrenc is now known as darrenc_afk		22:22
morganfainberg	zigo, cool - it seems wierd to add an x-distribution header to every bloody request	22:22
guimaluf	gyee, why it works with curl?!	22:23
gyee	guimaluf, did you use 'curl -k'?	22:23
morganfainberg	zigo, i mean i can't stop them from doing it but... kind of w.t.f.	22:23
zigo	morganfainberg: It's kind of "please, I'm distribution X, with Y security hole, please hack me..."	22:24
morganfainberg	zigo, right?!	22:24
zigo	And yeah, it's also a w.t.f thing ... :)	22:24
zigo	morganfainberg: This reminds me the Horizon theme from Ubuntu which was completely broken ! :)	22:25
zigo	hint: switch to Debian... :)	22:25
ayoung	morganfainberg, let me state right now that we are having a session at the Vancouver summit called Death to Tokens.	22:25
morganfainberg	ayoung, LOL	22:26
ayoung	maybe an Ops summit session called Death By Tokens as well.	22:26
zigo	ayoung: Will you have a session called "death to python-memcache" ?	22:26
morganfainberg	zigo, actually..	22:26
guimaluf	gyee, with curl -k and with curl --cacert intermediate.pem	22:26
ayoung	zigo, Nah. Memcache isnot the problem, eventlet is the problem	22:26
*** stevemar has joined #openstack-keystone		22:26
*** ChanServ sets mode: +v stevemar		22:26
zigo	ayoung: Or do I need to annoy everyone about it for 3 more cycles before someone does something! :)	22:26
morganfainberg	reminds me we should get the other one in global reqs and move over to it	22:26
morganfainberg	zigo, what is your complaint about python-memcache?	22:27
morganfainberg	zigo, specifically.	22:27
morganfainberg	zigo, because either i'll make you happy or very sad	22:27
zigo	ayoung: Do you remember what Sean Dague told me when I asked "what's the process for removing a bad module from our dependencies" ?	22:27
ayoung	zigo, get people off Eventlet and the hackiness it does with threading. Or someone needs to bite the bullet and make an Eventlet specific hack to python-memcache that deals with greenthreads	22:27
gyee	guimaluf, means curl is ignoring signer errors most likely	22:27
morganfainberg	ayoung, there is another memcache lib that solves the issues... but it's not drop-in replacement.	22:28
zigo	morganfainberg: Specifically, it's SHIT (look at the code, seriously...), and it is the major blocker for having the possibility for me to support Python 3.	22:28
guimaluf	gyee, probably keystoneclient is not, right?!	22:28
guimaluf	gyee, what else do I need to make this cert work....?	22:28
ayoung	morganfainberg, does it work with Apache, or are we forced into an "either or" situation?	22:28
morganfainberg	zigo, ok good then the answer is we need the pintrest? the otherone in global reqs	22:28
morganfainberg	ayoung, it removes thread.local issues but otherwise would work with apache	22:29
morganfainberg	ayoung, it's actually well written	22:29
ayoung	and py3 compat?	22:29
zigo	morganfainberg: pymemcache is not bad, actually.	22:29
morganfainberg	yep	22:29
zigo	(used by Ceilometer)	22:29
morganfainberg	zigo, thats the one	22:29
zigo	Clean code, clean classes.	22:29
openstackgerrit	Lance Bragstad proposed openstack/keystone: Allow for periods in id_strings on validation https://review.openstack.org/145024	22:29
morganfainberg	if it's in global reqs then that is the one we should be moving to	22:29
* ayoung happy to let others lead on that		22:29
morganfainberg	also dogpile maintainer said he wanted to move to that as well	22:29
morganfainberg	zigo, so you really don't have arguments from people here ;)	22:29
morganfainberg	zigo, i almost forked python-memcache to do a rewrite before seeing pymemcache around the end of juno cycle	22:30
morganfainberg	zigo, because python-memcache is so bad	22:30
zigo	morganfainberg: Rewriting it (and just keeping its API) would be a good way to go as well !	22:31
morganfainberg	zigo, unfortunately that is more work than i want to do, pymemcache would be a better choice.	22:32
zigo	morganfainberg: I can't see pymemcache in the global-reqs for Juno anymore ... :(	22:32
morganfainberg	zigo, look for master ;)	22:32
morganfainberg	zigo, we couldn't backport a change of lib to juno if we wanted to	22:32
zigo	morganfainberg: I don't want to backport that, I would like that someone fixes keystoneclient so that I can get rid of python-memcache from the build-depends, which is the only blocker for Python 3 support.	22:33
zigo	So we can FINALLY move forward.	22:33
morganfainberg	zigo, that is probably a ways out	22:34
morganfainberg	zigo, as auth_token in keystonelcient is frozen until ... well...	22:34
morganfainberg	uhm.	22:34
zigo	Not that I did try to have some kind of compat with Python 3 in python-memcache, but failed to do so (the code is too ugly, and each time I touch something, something else breaks...)	22:34
morganfainberg	i haven't been able to pin people down on how to remove it.	22:34
morganfainberg	and maintain compat.	22:34
morganfainberg	but at least until all projects are using keystonemiddleware	22:34
morganfainberg	and that would be juno. so in the L release maaaaybe we can ditch it	22:35
openstackgerrit	Merged openstack/keystonemiddleware: move add event creation logic to keystonemiddleware https://review.openstack.org/149405	22:35
morganfainberg	ok i'm going to go get food (finally)	22:36
*** marg7175 has quit IRC		22:36
morganfainberg	and then i'm going to release middleware and client	22:36
morganfainberg	erm	22:36
morganfainberg	middleware and write up release emails.	22:36
morganfainberg	god is it only tuesday?	22:36
zigo	morganfainberg: The thing is, python-memcache is blocking keystoneclient support to Python3, then because of that, everything else is blocked (because everything else uses keystoneclient).	22:36
morganfainberg	zigo, i can't remove auth_token from keystoneclient at this point	22:37
morganfainberg	zigo. i would if i could	22:37
zigo	I'd like to have at least some hope to release Python3 packages for OpenStack for Stretch (the Debian release after Jessie...).	22:37
morganfainberg	so remove the tests that require memcache in ksc :P	22:38
zigo	morganfainberg: Well, maybe not, but could you switch it to pymemcache ? :)	22:38
zigo	Hum...	22:38
morganfainberg	i'm trying very hard to avoid touching that code at all.	22:38
morganfainberg	i've been trying to figure out how to drop it	22:38
zigo	ok	22:38
*** ljfisher has joined #openstack-keystone		22:38
morganfainberg	there is one possibility to drop it. and i'm tempted to do it...	22:39
morganfainberg	but it requires splitting some code out of keystoneclient	22:39
zigo	Never mind, I'll just be winning more for 2 or 3 more cycles, as I wrote ! :D	22:39
morganfainberg	if we moved session and cms out of keystoneclient to a keystone.common module	22:39
morganfainberg	i could invert the dependency of ksc and ksm	22:40
morganfainberg	then we could make ksc just hold a ref to the ksm middleware	22:40
morganfainberg	and ksm can easily be updated to pymemcache	22:40
zigo	Actually, it seems it's even in keystoneclient/openstack/common/memorycache.py	22:40
zigo	So is that oslo-incubator?	22:40
morganfainberg	jamielennox, we might want to split the common stuff out of client (revisit)	22:40
morganfainberg	zigo, oh yeah thats incubator stuff no one should be using :P	22:41
stevemar	bknudson, can you take a quick look at https://review.openstack.org/#/c/153877/	22:41
morganfainberg	but people do	22:41
morganfainberg	and that is only there in support of middleware which is deprecated in ksc	22:41
zigo	Well, why is it there if we can't use it? :)	22:41
morganfainberg	zigo, it's pretty bad code	22:41
guimaluf	gyee, no more hints for today? :/	22:41
morganfainberg	zigo, it's there because we haven't (I haven't) had time to make oslo.cache a reality	22:42
morganfainberg	or oslo_cache or whatever you want to call it	22:42
zigo	morganfainberg: We've setteled to call foo as oslo.foo, even if we use oslo_foo. That's silly, but that's our choice ! :)	22:42
*** darrenc_afk is now known as darrenc		22:42
morganfainberg	zigo, right.	22:43
morganfainberg	zigo, so in short - if we can remove auth_token from keystoneclient all these complaints go away	22:43
*** diegows has joined #openstack-keystone		22:43
*** marg7175 has joined #openstack-keystone		22:43
morganfainberg	it's the reason we split auth_token to it's own package	22:43
zigo	It got me pretty dizzy in fact.	22:43
morganfainberg	jamielennox, ping	22:43
bknudson	when can we remove auth_token from keystoneclient?	22:44
morganfainberg	jamielennox, can we revisit the pain of moving common code out of keystoneclient and into keystone.common	22:44
morganfainberg	bknudson, as of today... next release maybe?	22:44
zigo	morganfainberg: Is the auth_token code that you're talking about the thing which all projects use in the [keystone:auth_token] in .conf files?	22:44
morganfainberg	bknudson, or we split session and cms out of ksc into ks.common	22:44
morganfainberg	bknudson, and make it better this cycle	22:44
zigo	(yes, I do not have time to investigate this kind of stuff, sorry for being stupidly ignorant...)	22:44
stevemar	bknudson, that should definitely be removed asap, most services/projects are using ksm	22:44
bknudson	I like "make it better"	22:44
morganfainberg	zigo, yes, as of juno everyone should be using keystonemiddleware	22:45
zigo	morganfainberg: Got ya.	22:45
openstackgerrit	Merged openstack/keystone-specs: Fix up federation rst headers https://review.openstack.org/153877	22:45
morganfainberg	bknudson, it would invert the dependency of ksc, so instead of ksm importing ksc, you'd have ksm import common code and ksc import common and kscm	22:45
morganfainberg	ksm	22:45
morganfainberg	bknudson, and then we'd just do a reference to the ksm midleware in keystoneclient.middleware	22:45
morganfainberg	bknudson, if that made sense.	22:45
bknudson	that's usually a good way to avoid a circular dependency.	22:46
bknudson	why would ksc import keystonemiddleware?	22:46
bknudson	seems like it should always be ksm -> ksc	22:46
morganfainberg	bknudson, because ksc can't reference code in ksm in it's middleware location	22:47
bknudson	oh, I was hoping we'd just delete the copy in ksc and not worry about ref'ing keystonemiddleware.	22:47
morganfainberg	bknudson, we can't	22:47
bknudson	we can never do that?	22:48
morganfainberg	bknudson, well we might be able to	22:49
bknudson	once it's been through the deprecation period we can remove it.	22:49
stevemar	gordc, what's the next version # of pycadf?	22:49
bknudson	Liberty!	22:49
stevemar	we're at 0.7.1, we calling this one .8 or .7.2	22:49
morganfainberg	bknudson, the issue is deprecation for *client is very much undefined	22:50
stevemar	bknudson, never, Love	22:50
bknudson	morganfainberg: we need keystoneclient2	22:50
bknudson	cross-repo dependencies??!!!	22:51
*** esmute has quit IRC		22:52
bknudson	wouldn't help with cross-repo deps on keystoneclient, since we need a release and requirements update.	22:53
*** timcline has quit IRC		22:53
gordc	stevemar: no clue... anything important?	22:53
*** marg7175 has quit IRC		22:54
morganfainberg	bknudson, if keystone.common existed	22:54
morganfainberg	the implied dependency for keystoneclient w/ references to keystone.common code	22:55
stevemar	gordc, just trying to make a patch for deprecation warning for audit api	22:55
morganfainberg	would be sufficient for most projects, but it would be a global req update for keystone.common	22:55
stevemar	gordc, since that merges with ksm, and will be alive today/tomorrow	22:56
stevemar	merged*	22:56
gordc	stevemar: cool cool. i'll check later... heading home for now.	22:56
*** marg7175 has joined #openstack-keystone		22:56
morganfainberg	bknudson, it also could mean that instead of needing all of keystoneclient and our CLI for other tools to work, they could just use the keystone.common package long term	22:57
*** esmute has joined #openstack-keystone		22:58
bknudson	maybe could put a cross-project ref on global-requirements?	22:59
morganfainberg	anyway.	22:59
morganfainberg	is it wrong to want to make auth_token in ksc at least reference the modern auth_token?	23:00
*** henrynash has quit IRC		23:00
morganfainberg	so we can ditch broken/old/bitrotting stuff	23:00
morganfainberg	honestly i don't know if that code is really working :(	23:00
morganfainberg	the deprecated auth_token in ksc	23:01
bknudson	maybe just change it to import and don't even bother adding to requirements.txt	23:01
*** gordc has quit IRC		23:01
*** bknudson has quit IRC		23:01
morganfainberg	jamielennox, how awful would it be to split common objects out of keystoneclient (e.g. session, cms, etc)?	23:03
*** ChanServ changes topic to "High Priority Reviews: https://gist.github.com/dolph/651c6a1748f69637abd0 \| Kilo Spec Proposal Freeze Has Passed \| Review Code!"		23:12
*** joesavak has quit IRC		23:12
morganfainberg	dolphm	23:12
morganfainberg	dolphm, i think your review page is b0rked	23:13
dolphm	morganfainberg: o/	23:13
morganfainberg	it is claiming https://review.openstack.org/132634 is part of keystone-specs	23:13
dolphm	morganfainberg: lol	23:13
morganfainberg	and keystone is missing from there now ;)	23:13
*** esmute has quit IRC		23:14
dolphm	morganfainberg: looks like it's just missing a line break	23:14
dolphm	morganfainberg: all better	23:14
morganfainberg	wheee	23:14
morganfainberg	KSM released. i'm going to go get food before i passout	23:15
morganfainberg	then i'll write the emails up	23:15
*** esmute has joined #openstack-keystone		23:17
*** atiwari has quit IRC		23:20
tqtran	stevemar: thanks for the review steve! its almost ready teddy	23:20
tqtran	i just have to add the discovery stuff, and we should be gtg	23:21
*** atiwari has joined #openstack-keystone		23:26
*** gyee has quit IRC		23:28
*** esmute has quit IRC		23:31
*** atiwari has quit IRC		23:33
lhcheng	Question for someone familiar with the LDAP code.. When converting ldap values to python, does anybody recall why the values is tested against string boolean values?	23:35
lhcheng	Here is the related code: https://github.com/openstack/keystone/blob/master/keystone/common/ldap/core.py#L133-L135	23:35
*** BrAsS_mOnKeY has joined #openstack-keystone		23:36
lhcheng	There is already a separate method enabled2py() that performs the translation from LDAP boolean to python boolean, wondering why the same logic is in ldap2py().	23:36
*** esmute has joined #openstack-keystone		23:37
jamielennox	morganfainberg: mmm, i'm still going to go for a run before i come on here... the basics are easy, session shouldn't be too hard	23:38
jamielennox	there are some complications around exceptions caused primarily by OSC, it's fixed in master but it's a difficult thing to resolve completely	23:39
*** chlong has joined #openstack-keystone		23:39
jamielennox	i don't know why you want CMS to be in there	23:39
morganfainberg	jamielennox, because ksm needs cms	23:39
morganfainberg	as does keystone	23:39
jamielennox	right - but ksm needs ksc, as does keystone	23:40
morganfainberg	my thought is ks.common is where we put that stuff that ksm/keystone needs	23:40
morganfainberg	then keystone doesn't need ksc imported	23:40
jamielennox	morganfainberg: ah - ok that's different then	23:40
morganfainberg	and ksc can import ksm and reference auth_token	23:40
jamielennox	i'm thinking like client common for session	23:40
jamielennox	it's not keystone specific	23:40
morganfainberg	and other clients can reference session etc w/o needing ksc	23:40
morganfainberg	cms is stupid utility code that, being in ksc reaally doesn't win us a lot	23:41
morganfainberg	heck it could move to ksm	23:41
jamielennox	i don't mind doing both	23:42
jamielennox	so it's dumb - but a major reason for not creating client common yet is the lack of a name	23:42
morganfainberg	jamielennox, sure. lets chat about what it would take to make this a reality when i'm back.	23:42
jamielennox	this will be the first package people import for everything to do with clients to create a session	23:42
morganfainberg	and you're done w/ teh run	23:42
jamielennox	from commonclient import session	23:42
morganfainberg	sure.	23:43
*** ncoghlan has joined #openstack-keystone		23:43
morganfainberg	jamielennox, fyi i just registered https://pypi.python.org/pypi/commonclient in case you wanted to use that.	23:44
morganfainberg	jamielennox, happy to transfer it over to you if you decide to	23:44
morganfainberg	and/or infra	23:44
*** spandhe has joined #openstack-keystone		23:45
jamielennox	morganfainberg: lol	23:45
morganfainberg	;)	23:45
*** spandhe_ has joined #openstack-keystone		23:45
jamielennox	was an example...	23:46
*** dims_ has joined #openstack-keystone		23:46
jamielennox	besides it'd have to be python-commonclient	23:46
*** dims__ has quit IRC		23:47
*** marg7175 has quit IRC		23:48
*** spandhe has quit IRC		23:49
*** spandhe_ is now known as spandhe		23:49
*** dims_ has quit IRC		23:50
jamielennox	morganfainberg: looks like i'm not getting to that run for a bit	23:58
ayoung	jamielennox, the client side parsing of the serevice catalog is region aware?	23:59
jamielennox	ayoung: what do you mean by region aware - it knows it's there but it wont act on it till you query the catalog	23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!