Friday, 2015-03-06

*** timcline has quit IRC		00:01
*** iamjarvo has quit IRC		00:02
*** ayoung has quit IRC		00:04
*** Akshik has joined #openstack-keystone		00:06
Akshik	im getting Target WSGI script '/var/www/cgi-bin/keystone/main' cannot be loaded as Python module. im using icehouse in centos	00:08
Akshik	http://pastebin.com/KU90rPkW	00:08
Akshik	pls. help	00:08
*** markvoelker has quit IRC		00:11
*** zzzeek has joined #openstack-keystone		00:20
*** stevemar has quit IRC		00:27
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Allow loading auth plugins via overrides https://review.openstack.org/161962	00:32
jamielennox	bknudson, gyee: a fix to loading plugins from swift ^	00:32
gyee	looking	00:33
jamielennox	Akshik: it would seem you have a file out of date somewhere, is this an old copy of the main file with a newer keystone?	00:34
bknudson	if it's got functools you know it's good.	00:35
*** rdo has quit IRC		00:35
gyee	nice!	00:36
jamielennox	bknudson: that's what qualifies you as a pythonista	00:36
mtreinish	bknudson: heh, I think I've got a good counter example: http://git.openstack.org/cgit/openstack-infra/subunit2sql/tree/subunit2sql/write_subunit.py and http://git.openstack.org/cgit/openstack-infra/subunit2sql/tree/subunit2sql/read_subunit.py	00:39
mtreinish	that's the recommended interface for the subunit stuff	00:39
bknudson	mtreinish: you can overdo the functools.partial.	00:40
bknudson	might consider using a kwargs = {} at somepoint.	00:40
mtreinish	bknudson: yeah I've been meaning to refactor it. It was just copy and pasted from the subunit lib's example for doing that	00:40
*** jaosorior has quit IRC		00:42
bknudson	http://git.openstack.org/cgit/openstack-infra/subunit2sql/tree/subunit2sql/read_subunit.py#n40 -- that's just identity function	00:43
*** rdo has joined #openstack-keystone		00:43
*** dims has quit IRC		00:44
samueldmq_	morganfainberg, No More Downward SQL Schema Migrations - you around?	00:46
mtreinish	bknudson: yeah it is. (more copy and paste) I was just using it as an example of something I woudlnt consider good that had functools :)	00:47
morganfainberg	samueldmq_, hi	00:51
samueldmq_	morganfainberg, ok, so in few words ... the motivation is: upgrades sometimes mess up the database and create inconsistent states	00:52
samueldmq_	morganfainberg, trying to downgrade what is inconsistent would still make it worst, so let's restore to a 'safe point'	00:53
morganfainberg	samueldmq_, more to the point, regardless of upgrade results, downgrades are rarely tested [never?] in real environments, and with a bunch of the data mangling that happens in upgrades, downgrades could do a bad job of "restoring" to a previous schema consistently	00:54
morganfainberg	samueldmq_, also a number of downgrade paths are very hard to do without keeping extra data that would only ever be used in a downgrade case. in short - since no one really ever does downgrades outside of our tests, why are we supporting them? a downgrade in production would be done by restoring [or every deployer that i've ever talked to has communicated that to me]	00:55
samueldmq_	morganfainberg, yes, sure ... so one best practice would be to create a 'restore point' in the database before upgrading?	00:55
morganfainberg	samueldmq_, correct	00:55
samueldmq_	morganfainberg, and it takes our time developing them :)	00:56
morganfainberg	samueldmq_, and maintaining them	00:56
samueldmq_	morganfainberg, yes, and time from our team is expensive!!	00:56
bknudson	dstanek: any reason you didn't +W this? https://review.openstack.org/#/c/161702/	00:57
morganfainberg	samueldmq_, from everyone's team it is expensive	00:57
samueldmq_	morganfainberg, our = openstack :)	00:57
samueldmq_	morganfainberg, great! I really support this idea, thanks for pointing this out	00:58
morganfainberg	:)	00:58
samueldmq_	morganfainberg, what is the operator meetup ?	00:58
samueldmq_	morganfainberg, something at the summit?	00:58
samueldmq_	morganfainberg, to take like a survey from operators?	00:59
morganfainberg	samueldmq_, it's an event happening next week in Boston i think	00:59
morganfainberg	or new york	00:59
morganfainberg	or one of those east coast cities	00:59
bknudson	philadelphia	00:59
morganfainberg	bknudson, so.. luckily you reviewed the previous patches for https://review.openstack.org/#/c/161718/4 ... that still doesn't change my complete lack of understanding "what is this trying to fix"?	01:00
morganfainberg	the bug i'd incomplete based on the information in it, the commit message communicates nothing about what is really wrong, and the code is doing something-ish that relates to it, but it's unclear why this is an issue.	01:01
bknudson	morganfainberg: ok, if the only change is the commit message then I'm still fine with it.	01:01
morganfainberg	bknudson, my question is... what is it fixing?	01:01
morganfainberg	bknudson, can you explain it to me? seriously, i am missing some context to know what is going on here	01:01
samueldmq_	morganfainberg, ack, thanks .. please consider my help on keystone side if you need when it start happening	01:02
bknudson	morganfainberg: first, realize that a large commit was split up...	01:02
morganfainberg	bknudson, sure.	01:02
bknudson	so there was a patch for just the backend.	01:02
bknudson	unfortunately, the manager is complicated...	01:02
bknudson	the complication actually comes from the controller	01:03
*** mikedillion has joined #openstack-keystone		01:03
morganfainberg	sure.	01:03
bknudson	which you have to imagine is going to be taking requests that might or might not have groups and options ... e.g., {domain}/config/{group}/{option} -> fn(domain, group=None,option=None)	01:04
bknudson	so you could do -- PATCH domain1/config/group1/option1	01:04
bknudson	that should actually be a 404 Not Found if there's no group1 or group1/option1 already	01:04
morganfainberg	so this is saying if it's not defined in the common.config options it should raise an exception?	01:04
morganfainberg	or is it more subtle than that	01:05
bknudson	it's saying if you never created domain1/config/group1/option1 and try to update domain1/config/group1/option1 then you should get a 404 Not Found	01:05
*** mikedillion has quit IRC		01:05
morganfainberg	but only if you're doing an update	01:05
morganfainberg	got it	01:05
bknudson	right, the only change is in update.	01:06
*** mikedillion has joined #openstack-keystone		01:06
bknudson	I think I complained about this in a previous commit and didn't -1 since there would be a follow-on patch...	01:06
morganfainberg	sure. this is one of those where without the context of the whole chain the bug, commit message, and code are really hard to go "aha that is X problem and fixing it by doing Y"	01:07
morganfainberg	like i said, i'd incomplete the bug even with the code without your explination - but figured i'd ask since it appeared to be important in some way	01:08
morganfainberg	This could have been about options in common.config, what you described where options needed to be defined before an update, could have been about some other config object that wasn't clear here.	01:09
morganfainberg	bknudson, thanks for the description i think i can review this now :P	01:10
*** tqtran has quit IRC		01:10
*** markvoelker has joined #openstack-keystone		01:15
bknudson	really the complication should have been cleaned up in the controller so that the manager could be simple.	01:16
*** aix has joined #openstack-keystone		01:16
morganfainberg	++	01:16
morganfainberg	that probably would have been a bit more straight forward	01:16
*** rwsu is now known as rwsu-afk		01:17
openstackgerrit	Merged openstack/keystone: rename cls in get_auth_context to self https://review.openstack.org/150251	01:18
*** markvoelker has quit IRC		01:20
*** zzzeek has quit IRC		01:23
*** crinkle has quit IRC		01:23
openstackgerrit	Merged openstack/keystone: Add parent_id to test_project_model https://review.openstack.org/159294	01:29
openstackgerrit	Merged openstack/keystone: Fixed skip msg in templated catalog test https://review.openstack.org/158088	01:30
openstackgerrit	Merged openstack/keystone: Fix nits from 157495 https://review.openstack.org/160925	01:30
*** r-daneel has quit IRC		01:31
openstackgerrit	Brant Knudson proposed openstack/python-keystoneclient: Add OS-SIMPLE-CERT support for v3. https://review.openstack.org/142200	01:34
*** crinkle has joined #openstack-keystone		01:34
dstanek	morganfainberg: i didn't +w because i didn't see henry's vote	01:38
morganfainberg	bknudson, ^	01:39
bknudson	dstanek: oh, I wound up -1 that one.	01:40
dstanek	bknudson: yeah i saw :-)	01:42
samueldmq_	>>> import this	01:45
samueldmq_	it prints a text: The Zen of Python	01:46
samueldmq_	o/ didnt know this	01:46
morganfainberg	samueldmq_, do >>> from __future__ import braces	01:46
samueldmq_	SyntaxError: not a chance	01:47
samueldmq_	lol	01:47
samueldmq_	morganfainberg, that's funny :p	01:48
openstackgerrit	Brant Knudson proposed openstack/keystone: Update testing docs https://review.openstack.org/161553	01:50
dstanek	run 'import antigravity' on your local machine	01:51
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Fixes bug in SQL/LDAP when honoring driver_hints https://review.openstack.org/161702	01:54
samueldmq_	bknudson, ^	01:54
samueldmq_	dstanek, well, I'm afraid on running this	01:54
dstanek	samueldmq_: haha, it won't hurt	01:54
samueldmq_	dstanek, at least not me .. ok, if I disconnect it was your fault :p	01:55
morganfainberg	thats fantastic	01:56
*** richm has joined #openstack-keystone		01:56
*** _cjones_ has quit IRC		01:56
samueldmq_	dstanek, ahaha ! thats amazing	01:57
*** mikedillion has quit IRC		02:02
*** erkules_ has joined #openstack-keystone		02:07
*** stevemar has joined #openstack-keystone		02:08
*** ChanServ sets mode: +v stevemar		02:08
*** erkules has quit IRC		02:10
openstackgerrit	Sam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate https://review.openstack.org/156870	02:15
*** markvoelker has joined #openstack-keystone		02:17
openstackgerrit	Merged openstack/keystone: Add checking for existing group/option to update domain config https://review.openstack.org/161718	02:19
*** markvoelker has quit IRC		02:21
*** davechen has joined #openstack-keystone		02:26
*** zzzeek has joined #openstack-keystone		02:37
*** richm has quit IRC		02:40
*** zzzeek_ has joined #openstack-keystone		02:42
*** zzzeek has quit IRC		02:42
*** zzzeek_ is now known as zzzeek		02:42
*** zzzeek has quit IRC		02:47
*** zzzeek has joined #openstack-keystone		02:48
*** zzzeek has quit IRC		02:48
openstackgerrit	Dolph Mathews proposed openstack/keystone: Refactor: remove Fernet formatter's dep on trust_api / v3 token helper https://review.openstack.org/161876	02:49
openstackgerrit	Dolph Mathews proposed openstack/keystone: Remove redundant creation timestamp from fernet tokens https://review.openstack.org/161897	02:49
openstackgerrit	Dolph Mathews proposed openstack/keystone: Remove the expiration timestamp from Fernet tokens https://review.openstack.org/161774	02:49
stevemar	gyee, whats sam leong's irc handle?	02:56
openstackgerrit	Merged openstack/keystone: Fixes minor whitespace issues https://review.openstack.org/161828	02:59
*** browne has quit IRC		03:04
openstackgerrit	Dolph Mathews proposed openstack/keystone: refactor: scoped tokens are always scoped https://review.openstack.org/161921	03:04
*** radez is now known as radez_g0n3		03:05
*** richm has joined #openstack-keystone		03:14
*** markvoelker has joined #openstack-keystone		03:18
*** ayoung has joined #openstack-keystone		03:19
*** ChanServ sets mode: +v ayoung		03:19
*** markvoelker has quit IRC		03:22
*** richm has quit IRC		03:22
*** spandhe has quit IRC		03:37
*** samueldmq_ has quit IRC		03:42
*** browne has joined #openstack-keystone		03:42
*** david-lyle is now known as david-lyle_afk		03:44
*** ayoung has quit IRC		03:49
*** chrisshattuck has quit IRC		03:49
openstackgerrit	Steve Martinelli proposed openstack/keystone: Spelling and grammar cleanup https://review.openstack.org/161826	03:51
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Allow loading auth plugins via overrides https://review.openstack.org/161962	03:52
*** harlowja is now known as harlowja_away		03:57
gyee	stevemar, chioleong I think	04:05
stevemar	gyee, tell him to go online more :)	04:09
gyee	yeah I know	04:09
gyee	he left for the day I think	04:10
gyee	is this about the tokenless patch?	04:10
stevemar	gyee, you let people leave?	04:10
*** telemonster has quit IRC		04:10
gyee	heh, I am not a manager man	04:10
*** telemonster has joined #openstack-keystone		04:10
stevemar	gyee, sort of, just wanted to say thanks for putting up with my reviews :)	04:10
gyee	no thank you! he love your suggestions, especially the multistring opt	04:11
gyee	I spoke to him about an hour ago	04:11
gyee	thank you!	04:11
stevemar	yay!	04:11
gyee	I can push a patch for him later tonight if I can't find him	04:11
gyee	its dinner time for ppl at the left coast right now	04:12
stevemar	reviewing and -1's seem harsh, but it's all love	04:12
gyee	that's why I told the ppl I am mentoring, embracing the -1s	04:12
gyee	you'll always learns something new from them	04:12
gyee	embrace	04:13
gyee	Sam came from a Java background so you may still see some Javaness in his code	04:15
*** markvoelker has joined #openstack-keystone		04:19
*** gyee has quit IRC		04:23
*** markvoelker has quit IRC		04:25
*** nonameentername has quit IRC		04:27
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Allow loading auth plugins via overrides https://review.openstack.org/161962	04:29
jamielennox	if i want to bump the global keystonemiddleware requirement - do we think it's better to do that before kilo freeze or after?	04:40
morganfainberg	jamielennox, before.	05:04
morganfainberg	jamielennox, the earlier we bump that requirement the better	05:05
jamielennox	morganfainberg: ok - we missed the march release do we want to do that first?	05:05
morganfainberg	give distros more time to be aware of it	05:05
morganfainberg	jamielennox, uh was going to see about doing a release early next week if we had stuff to release	05:05
morganfainberg	only cause i wont do a release on friday [i don't want to work over the weekend if i can avoid it]	05:06
morganfainberg	basically wednesday is my cutoff for a ksc or ksm release	05:06
jamielennox	morganfainberg: https://review.openstack.org/#/c/161962/ is important - even though i just wrote it	05:06
morganfainberg	jamielennox, ayew	05:07
morganfainberg	aye*	05:07
jamielennox	i see no reason: https://review.openstack.org/#/c/153247/ shouldn't be in - but not urgent	05:07
jamielennox	actually if we consider this the last release for kilo it might be	05:07
morganfainberg	i would make the DO NOT COPY THIS more pronounced	05:07
morganfainberg	possibly a separate NOTE() that says UNDER NO CIRCUMSTANCES SHOULD YOU COPY THIS [this isn't a reason i'd reject the patch]	05:08
jamielennox	then this https://review.openstack.org/#/c/153296/ i haven't reviewed much - i don't know	05:08
jamielennox	ok - leave as a note and if i need to respin i will	05:09
morganfainberg	yeah .. the delay denial	05:09
jamielennox	i thought caps was pretty good	05:09
jamielennox	the delay denial is fairly simple	05:09
morganfainberg	really someone wants "i gave a bogus token, please let me through anyway"?	05:09
* morganfainberg smh		05:09
morganfainberg	oh	05:10
morganfainberg	wait thats service token	05:10
jamielennox	morganfainberg: unfortunately we do that anyway	05:10
jamielennox	he just wants the same thing for service token	05:11
morganfainberg	yeah	05:11
morganfainberg	that last one yeah we need to get in, but that can go in post freeze	05:12
morganfainberg	we don't require it for kilo, but it'll land before we cut the release that goes out w/ the named release	05:13
morganfainberg	jamielennox, i think your first one and the service-token one are the two i'd like to land... if not the service token one at least yours	05:13
jamielennox	morganfainberg: right - if it wasn't friday i'd be tempted to get that merged and release	05:16
morganfainberg	well we can merge it... release wont happen till next week though	05:16
jamielennox	morganfainberg: well - it's 4:15 friday here, so prime release time	05:16
morganfainberg	;)	05:16
*** ChristyF has quit IRC		05:16
jamielennox	if you can bug people to review those two tomorrow then it'll be ready to go on monday	05:16
morganfainberg	you know.. if you want to put your phone # on the commit and say "if this is broken call me, any time of the day/night and i'll fix it for you", then i think we can release it now :P	05:17
jamielennox	morganfainberg: i think that's RHEL	05:17
morganfainberg	anyway... i need to go get food.	05:18
morganfainberg	it's late.	05:18
morganfainberg	jamielennox, oh.. we have a nasty icky thing that could be happening in ksm. i think i want to drop memorycache completely asap	05:18
jamielennox	morganfainberg: when i'm allowed to do a v2 we can drop many things	05:19
morganfainberg	basically, you could cause significant bloat and slowdown on any service using ksm if lots of tokens are validated w/o memcache servers being setup	05:19
morganfainberg	ok replace memorycache.	05:19
morganfainberg	is what i meant	05:19
jamielennox	morganfainberg: it goes to that fake cache in production?	05:20
morganfainberg	if you don't set memcache servers and you leave the default cache time, yep	05:20
morganfainberg	so.. the default behavior is "use bad fake cache"	05:20
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Delay denial when service token is invalid https://review.openstack.org/153247	05:20
morganfainberg	we could use a backend like: https://bitbucket.org/morgan_fainberg/dogpile.cache/commits/166f1773b1dd6ba64b3c2730f1d71d7083a3a9ad	05:21
*** markvoelker has joined #openstack-keystone		05:21
morganfainberg	that at least buckets up the deletions.	05:21
morganfainberg	thankfully only 300s of token validates, but that still could get icky. and per-process.	05:22
morganfainberg	since it initializes a cache each process. memorycache is just awful	05:22
jamielennox	morganfainberg: i'm happy to offload as much of that stuff as possible to other libraries	05:22
morganfainberg	i might roll up a "flip over to dogpile" w/ that driver i just linked patch tonight/tomorrow.	05:23
morganfainberg	if we can drop the only think in oslo-incubator for ksm, i'd be super happy	05:23
jamielennox	right - me to	05:24
jamielennox	afaik we are the only people using memorycache as well - so it can die after that	05:24
morganfainberg	nope, some other projects are :(	05:25
morganfainberg	makes me sad.	05:25
jamielennox	ergh - why	05:25
jamielennox	it's fairly specifc	05:25
morganfainberg	because it's there.	05:25
*** markvoelker has quit IRC		05:26
morganfainberg	anyway. it would be pretty easy to dump memorycache. i'll look into it	05:26
*** lhcheng has quit IRC		05:37
*** lhcheng has joined #openstack-keystone		05:38
*** chrisshattuck has joined #openstack-keystone		05:44
*** browne has quit IRC		06:02
*** browne has joined #openstack-keystone		06:02
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex https://review.openstack.org/161606	06:04
*** chrisshattuck has quit IRC		06:04
*** chrisshattuck has joined #openstack-keystone		06:10
davechen	stevemar: hi,	06:11
davechen	stevemar: are you around?	06:11
stevemar	davechen, maaaaybe	06:11
stevemar	depends on the question :)	06:11
davechen	stevemar: haha,	06:11
davechen	stevemar: just want to confirm with you, do you have a patch intends to fix the DB ondelete issue?	06:12
davechen	stevemar: If no, I am trying to fix it recently.	06:12
davechen	stevemar: to follow your comment here, https://review.openstack.org/#/c/151931/4/keystone/contrib/endpoint_filter/migrate_repo/versions/002_add_endpoint_groups.py	06:13
*** Bsony has joined #openstack-keystone		06:13
stevemar	davechen, i do not have any patch intended to fix that	06:15
stevemar	davechen, i know henrynash had some questions about it	06:16
davechen	stevemar: I am thinking I lost you, get it I will try to do it and add you as the co-author if you don't object to it.	06:16
davechen	stevemar: yeah, it's indeed a issue.	06:17
*** Bsony has quit IRC		06:17
stevemar	davechen, oh, don't worry about co-author, no need. but sure, post a patch and we'll review it	06:20
stevemar	lhcheng, you are a funny guy	06:21
stevemar	"good luck on fixing the gate"	06:21
lhcheng	stevemar: :D	06:21
*** markvoelker has joined #openstack-keystone		06:22
lhcheng	stevemar: I just posted that, are you monitoring patches in real time and responding to IRC at the same time?	06:22
stevemar	lhcheng, i don't really have a method/system of reviewing	06:23
davechen	lhcheng, what's your first name? lin or hua cheng? I am curious about that :-)	06:23
lhcheng	stevemar: how can you do that? specially at this time :)	06:23
* stevemar shrugs at lhcheng		06:23
lhcheng	stevemar: lol both wrong	06:24
lhcheng	want to take another guess	06:24
stevemar	lhcheng, i'm mostly looking at bugs	06:24
lhcheng	stevemar: lin hua	06:24
davechen	lhcheng: lin hua?	06:25
davechen	lhcheng, copy that.	06:25
lhcheng	davechen: yeah, but if I translate that to chinese. the chinese character for cheng should start first	06:25
morganfainberg	aha, was wondering why timestamp looked wiered in IRC...	06:26
morganfainberg	24h clock > 12h	06:26
openstackgerrit	Dolph Mathews proposed openstack/keystone: Drop Fernet token prefixes & add domain-scoped Fernet tokens https://review.openstack.org/162031	06:26
lhcheng	davechen: hello!	06:26
davechen	lhcheng, basically, the same with chen in English.	06:26
lhcheng	davechen: yeap	06:27
davechen	lhcheng: hi, there is a meeting up in next week	06:27
*** markvoelker has quit IRC		06:27
lhcheng	stevemar was probably assuming my name was in chinese format.	06:27
lhcheng	davechen: you going to the operators meetup?	06:28
davechen	lhcheng: in Minhang, Shanghai, if you are interesting in you can join us.	06:28
davechen	lhcheng: not just operators, but a lot of toipic about operators obviously.	06:29
lhcheng	morganfainberg: thought the timestamp has always been 24h, did it recently changed?	06:29
morganfainberg	lhcheng, in my client	06:29
morganfainberg	lhcheng, somehow got switched to %I from %H	06:29
lhcheng	morganfainberg: or you could be in sweden and it still dark at 10am :)	06:30
davechen	lhcheng: It's held in our company, not sure where is your base.	06:30
lhcheng	davechen: oh.. I am in california	06:30
lhcheng	davechen: thanks for the invite though	06:30
* morganfainberg thinks it's time to go to sleep...		06:30
stevemar	lhcheng, i didn't ask about your name :) but good to know i said it incorrectly the entire time in SA	06:31
davechen	lhcheng: I am wrong again. :-)	06:31
lhcheng	stevemar: oh that's actually right, people just call me "lin" :)	06:32
stevemar	phew	06:32
stevemar	glad i didn't look like a jerk	06:32
lhcheng	stevemar: I realized that works better, whenever I get a call and they mentioned my full first name, it usually get butchered :)	06:34
lhcheng	davechen: hey, got a quick question for you on https://bugs.launchpad.net/keystone/+bug/1416615	06:35
openstack	Launchpad bug 1416615 in Keystone "add schema for some extension entities" [Wishlist,Confirmed] - Assigned to Lin Hua Cheng (lin-hua-cheng)	06:35
lhcheng	davechen: is the bug supposed to cover all extension entities?	06:36
stevemar	lhcheng, i definitely don't expect it to cover all extensions	06:36
davechen	lhcheng, I suppose not.	06:36
davechen	lhcheng, I file the bug after review your patch.	06:36
stevemar	one at a time, no rush :) we can't run out of bugs to file	06:37
lhcheng	davechen: I guess for this one, I can just add the PolicyAssociation schema?	06:37
lhcheng	stevemar: haha	06:37
davechen	lhcheng, split the bug is sound good.	06:38
lhcheng	stevemar: more bugs more fun	06:39
lhcheng	davechen: which company do you work for?	06:39
davechen	lhcheng, as stevemar said, one by one, no rush, but this need their approval :)	06:40
davechen	you can see my contact mail address.	06:40
davechen	lhcheng: I work with David Lyle, you should know him.	06:41
lhcheng	davechen: oh.. is there an r&d office you guys have in shanghai?	06:41
davechen	lhcheng: yeah, not only in Shanghai, BJ as well.	06:42
lhcheng	davechen: nice, it's like HP. They're everywhere :)	06:46
*** Akshik has quit IRC		06:47
*** ChanServ changes topic to "High Priority Reviews: https://gist.github.com/dolph/651c6a1748f69637abd0 \| Middleware Release Planned for Next Week"		06:56
*** Akshik has joined #openstack-keystone		06:56
*** Bsony has joined #openstack-keystone		06:57
*** chrisshattuck has quit IRC		07:00
stevemar	jamielennox, can you confirm that this bug is invalid now? https://bugs.launchpad.net/keystone/+bug/1421616	07:15
openstack	Launchpad bug 1421616 in Keystone "Cannot create project using Horizon - Could not find default role "_member_"" [Undecided,New]	07:15
*** jamielennox is now known as jamielennox\|away		07:16
stevemar	jamielennox, i'm going to mark it as such, if you disagree then re-open it	07:16
openstackgerrit	Dave Chen proposed openstack/keystone: Fix the wrong order of parameters when using assertEqual https://review.openstack.org/162041	07:18
*** markvoelker has joined #openstack-keystone		07:24
*** markvoelker has quit IRC		07:29
*** Bsony has quit IRC		07:36
*** Akshik has quit IRC		07:46
*** Akshik has joined #openstack-keystone		07:48
openstackgerrit	Merged openstack/keystone: Imported Translations from Transifex https://review.openstack.org/161606	07:58
*** chlong has quit IRC		08:11
*** browne has quit IRC		08:12
*** henrynash has joined #openstack-keystone		08:18
*** ChanServ sets mode: +v henrynash		08:18
*** krtaylor has quit IRC		08:22
*** henrynash has quit IRC		08:24
*** markvoelker has joined #openstack-keystone		08:25
*** notmyname has quit IRC		08:30
*** markvoelker has quit IRC		08:31
*** karimb has joined #openstack-keystone		08:35
*** krtaylor has joined #openstack-keystone		08:35
*** henrynash has joined #openstack-keystone		08:37
*** ChanServ sets mode: +v henrynash		08:37
*** afazekas has joined #openstack-keystone		08:39
*** stevemar has quit IRC		08:42
openstackgerrit	Marek Denis proposed openstack/keystone: Fix the wrong order of parameters when using assertEqual https://review.openstack.org/162041	08:49
*** krtaylor has quit IRC		08:54
*** jistr has joined #openstack-keystone		09:02
*** erkules_ is now known as erkules		09:04
*** Akshik has quit IRC		09:08
*** krtaylor has joined #openstack-keystone		09:10
*** markvoelker has joined #openstack-keystone		09:27
*** markvoelker has quit IRC		09:33
*** jistr is now known as jistr\|biab		09:36
*** henrynash has quit IRC		09:38
*** haneef has quit IRC		09:46
openstackgerrit	Dave Chen proposed openstack/keystone: Fix the wrong order of parameters when using assertEqual https://review.openstack.org/162041	09:47
*** haneef has joined #openstack-keystone		09:47
*** davechen has quit IRC		09:54
*** samueldmq_ has joined #openstack-keystone		09:55
*** samueldmq_ has quit IRC		10:07
openstackgerrit	Merged openstack/keystone: Spelling and grammar cleanup https://review.openstack.org/161826	10:22
*** markvoelker has joined #openstack-keystone		10:29
*** markvoelker has quit IRC		10:35
openstackgerrit	Matthieu Huin proposed openstack/keystone: add oauth and federation authentication to config file https://review.openstack.org/161317	10:37
*** henrynash has joined #openstack-keystone		10:39
*** ChanServ sets mode: +v henrynash		10:39
*** jistr\|biab is now known as jistr		10:39
*** Akshik has joined #openstack-keystone		10:39
*** Akshik has quit IRC		10:54
*** lhcheng is now known as lhcheng_afk		10:57
*** dims has joined #openstack-keystone		11:00
openstackgerrit	henry-nash proposed openstack/keystone: Enable use of database domain config https://review.openstack.org/159675	11:08
openstackgerrit	henry-nash proposed openstack/keystone: Enable sensitive substitutions into whitelisted domain configs https://review.openstack.org/159928	11:09
*** henrynash has quit IRC		11:10
*** chlong has joined #openstack-keystone		11:22
*** nellysmitt has joined #openstack-keystone		11:25
*** dencaval has joined #openstack-keystone		11:27
openstackgerrit	Marco Fargetta proposed openstack/keystone: Adding utf8 to federations tables https://review.openstack.org/159803	11:29
*** markvoelker has joined #openstack-keystone		11:31
*** fmarco76 has joined #openstack-keystone		11:36
*** markvoelker has quit IRC		11:36
openstackgerrit	Merged openstack/keystone: Fix the wrong order of parameters when using assertEqual https://review.openstack.org/162041	11:50
*** amakarov_away is now known as amakarov		11:54
*** markvoelker has joined #openstack-keystone		12:32
*** markvoelker has quit IRC		12:36
*** aix has quit IRC		12:38
*** raildo_away is now known as raildo		12:48
openstackgerrit	Marco Fargetta proposed openstack/keystone: Adding utf8 to federations tables https://review.openstack.org/159803	12:54
samueldmq	from __future__ import dstanek	13:03
samueldmq	dstanek.ping('Could you please revisit https://review.openstack.org/#/c/161702/ ?')	13:03
dstanek	samueldmq: sure, let me finish what i'm doing and then i'll get right on it	13:04
samueldmq	dstanek, great! it already have your +2, but I needed to address some bknudson's concerns :)	13:04
samueldmq	dstanek, thanks	13:04
*** markvoelker has joined #openstack-keystone		13:06
*** lhcheng_afk has quit IRC		13:09
*** karmatronic has joined #openstack-keystone		13:14
*** karimb has quit IRC		13:17
dstanek	samueldmq: are you going to removed the satisfied.append in the other case too?	13:27
*** aix has joined #openstack-keystone		13:30
openstackgerrit	Telles Mota Vidal Nóbrega proposed openstack/keystone: Add domain_id checking in create_project https://review.openstack.org/159944	13:32
openstackgerrit	Telles Mota Vidal Nóbrega proposed openstack/keystone: List projects filtering by is_domain flag https://review.openstack.org/158398	13:32
openstackgerrit	Telles Mota Vidal Nóbrega proposed openstack/keystone: Add is_domain field in Project Table https://review.openstack.org/157427	13:32
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Change project name constraint https://review.openstack.org/158372	13:39
*** karmatronic has quit IRC		13:41
*** karimb has joined #openstack-keystone		13:42
*** gordc has joined #openstack-keystone		13:43
*** radez_g0n3 is now known as radez		13:46
*** obutenko has quit IRC		13:46
*** sigmavirus24_awa is now known as sigmavirus24		13:54
*** obutenko has joined #openstack-keystone		13:58
*** mattfarina has joined #openstack-keystone		14:00
*** jamiec has quit IRC		14:01
*** jamiec has joined #openstack-keystone		14:01
*** topol has joined #openstack-keystone		14:03
*** ChanServ sets mode: +v topol		14:03
*** fmarco76 has quit IRC		14:04
*** fifieldt_ has quit IRC		14:05
*** jamiec has quit IRC		14:09
*** jamiec has joined #openstack-keystone		14:09
*** samueldmq_ has joined #openstack-keystone		14:09
*** obutenko has quit IRC		14:18
openstackgerrit	Boris Bobrov proposed openstack/keystone: [wip] Migration squashing https://review.openstack.org/162170	14:26
*** obutenko has joined #openstack-keystone		14:34
*** chlong has quit IRC		14:34
*** dims has quit IRC		14:37
*** dims has joined #openstack-keystone		14:38
marekd	morganfainberg: https://review.openstack.org/#/c/159803 i think the fix is getting into shape, but i am not sure if you guys discussed and it's even allowed to modify migration scripts that merged: https://review.openstack.org/#/c/159803/9/keystone/contrib/federation/migrate_repo/versions/001_add_identity_provider_table.py	14:45
openstackgerrit	Merged openstack/keystone: Fix typos in tests/unit/core.py https://review.openstack.org/161547	14:50
*** boris-42 has quit IRC		14:52
openstackgerrit	Boris Bobrov proposed openstack/keystone: Migrations squash https://review.openstack.org/162170	15:02
*** richm has joined #openstack-keystone		15:06
*** dims is now known as dimsum__		15:07
breton	morganfainberg: ^	15:11
*** radez is now known as radez_g0n3		15:12
*** iamjarvo has joined #openstack-keystone		15:13
*** carlosmarin has joined #openstack-keystone		15:17
openstackgerrit	Dolph Mathews proposed openstack/keystone: Drop Fernet token prefixes & add domain-scoped Fernet tokens https://review.openstack.org/162031	15:18
*** r-daneel has joined #openstack-keystone		15:20
*** timcline has joined #openstack-keystone		15:20
*** atiwari has joined #openstack-keystone		15:21
*** timcline_ has joined #openstack-keystone		15:22
*** timcline has quit IRC		15:26
openstackgerrit	Dolph Mathews proposed openstack/keystone: Refactor Fernet: drop timestamps and move payload version into payload https://review.openstack.org/162196	15:26
*** kaisers1 has joined #openstack-keystone		15:30
kaisers1	Hi Keyston'ers!	15:30
kaisers1	Does anybody have a min for keystone newbie question regarding (configuring) extensions for keystone?	15:31
*** kashyap has left #openstack-keystone		15:33
*** jorge_munoz has joined #openstack-keystone		15:33
*** radez_g0n3 is now known as radez		15:34
dolphm	marekd: bknudson: i have a stack of changes on top of https://review.openstack.org/#/c/161379/ which address all of your -1's. i put up a squashed commit so you can see them all at once if you'd like (which i linked to), but they're broken into 6 or so patches in a sequence as well	15:34
bknudson	dolphm: where's the link?	15:35
dolphm	kaisers1: you have to ask your question before someone can try to answer it	15:35
dolphm	bknudson: they're all dep'd on https://review.openstack.org/#/c/161379/	15:35
marekd	dolphm: thanks.	15:35
dolphm	bknudson: this is the squashed change https://review.openstack.org/#/c/162196/	15:36
dolphm	bknudson: it has direct links to all the individual patches as well	15:36
*** samueldmq_ has quit IRC		15:37
kaisers1	dolphm: right, just don't want babble if nobody currently has the time to listen. :)	15:39
marekd	dolphm: so ideally you want to approve whole chain or this squashed patch?	15:39
kaisers1	i'm looking to activate what seems to be very old keystone extensions, namely OS-KSADM and OS-KSS3	15:39
dolphm	marekd: i put up the squashed patch for illustration - morganfainberg would probably prefer the individual patches	15:40
dolphm	marekd: you're welcome to review it however you wish	15:40
*** joesavak has joined #openstack-keystone		15:40
kaisers1	But i can't find a way to "activate" these with a Juno installation	15:40
dolphm	kaisers1: whas is OS-KSS3?	15:40
kaisers1	dolphm: S3 token extensions afaics	15:40
dolphm	kaisers1: OS-KSADM is hardcoded into the v2 implementation	15:40
*** topol has quit IRC		15:41
kaisers1	dolphm: Aaah, ok. that was my impression. This was merged into main keystone at some point, right?	15:41
kaisers1	dolphm: It seems both are listed as "extensions". So far i've only used default-keystone setups. How can i 'activate' these extensions or are they available by default?	15:42
dolphm	kaisers1: S3 is enabled via your paste pipeline, and is included on both :35357/v2.0/ and /v3 by default	15:42
kaisers1	dolphm: sorry, what is the 'paste pipeline'?	15:42
dolphm	kaisers1: most openstack projects use paste deploy to configure their WSGI middleware stacks: http://pythonpaste.org/deploy/	15:42
dolphm	kaisers1: S3 is implemented as middleware that sits on top of keystone	15:43
dolphm	kaisers1: you can add/remove whatever middleware you want in /etc/keystone/keystone-paste.ini	15:43
kaisers1	dolphm: Sidenote - I'm quite busy with OpenStack for months now. But every other day i still hear about completely new things i never previously heard about... :)	15:43
kaisers1	dolphm: /etc/keystone/keystone-paste.ini does not seem to be created on default, right? I'm looking at a Juno RDO OpenSTack intallation right now	15:45
dolphm	kaisers1: the tl;dr is that "filters" stack up on top of "apps" and are glued together into "pipelines" which are deployed as "composite" applications with their own endpoints, and scale independently, etc	15:45
dolphm	kaisers1: well it sounds like you're digging deeper and deeper into configuration :)	15:45
dolphm	kaisers1: RDO probably puts it somewhere else, but i'm not familiar at all with RDO	15:46
dstanek	samueldmq: did you say that there were other things you needed to fix on that review?	15:46
dolphm	kaisers1: /etc/keystone is our default location	15:46
dolphm	kaisers1: it would normally be sitting right next to your keystone.conf at least	15:46
kaisers1	dolphm: what about devstack. I'll check that	15:46
kaisers1	yep, there it is	15:47
dolphm	kaisers1: so, S3 is defined here https://github.com/openstack/keystone/blob/master/etc/keystone-paste.ini#L39-L40	15:48
dolphm	kaisers1: and that middleware is added to these two pipelines by default https://github.com/openstack/keystone/blob/master/etc/keystone-paste.ini#L74-L82	15:48
kaisers1	dolphm: Yeah, currently staring that line into talking and explaining itself to me ;-)	15:48
dolphm	kaisers1: and those two pipelines are deployed here https://github.com/openstack/keystone/blob/master/etc/keystone-paste.ini#L104-L105	15:48
dolphm	kaisers1: and [composite:admin] is deployed as :35357 by default	15:49
kaisers1	dolphm: ok, admin default ist good (less work for me)	15:49
dolphm	kaisers1: read through the paste.deploy documentation if you want to get a grasp of how to configure all openstack projects on this level	15:49
dolphm	kaisers1: also, everything in OS-KSADM is native functionality in /v3/	15:50
kaisers1	dolphm: ok, good	15:50
dolphm	kaisers1: v3 is documented here https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3.rst	15:50
kaisers1	dolphm: Ok, gotta stack of reading material now. :) But one more noob question for quickness: The fact that the s3 filter is present and not commented out, does that mean it should be running?	15:53
amakarov	dolphm, good day! Help me please: how can I propose a change to http://docs.openstack.org/developer/keystone/configuration.html#token-persistence-driver? What project should I use?	15:53
dolphm	kaisers1: the fact that it's in the pipeline means it's deployed	15:53
kaisers1	Oh, stack of reading, devstack, openstack, stacking in my head. Gettin' stacked stupid in me head	15:53
dolphm	amakarov: if you commented out just the [filter] part, keystone would crash on startup because it wouldn't know what you were trying to include in the pipeline	15:54
dolphm	kaisers1: good luck on your adventure :)	15:54
dolphm	amakarov: sorry, that was meant for kaisers1 ^	15:54
kaisers1	dolphm: Ok, I'll read on from here. Thanks a lot!	15:54
dolphm	amakarov: that is in keystone doc/	15:54
dstanek	amakarov: that's in keystone's doc directory	15:54
dolphm	docs/ *	15:54
dolphm	amakarov: https://github.com/openstack/keystone/tree/master/doc/source	15:55
dolphm	dstanek: for the record, there are multiple documents so it should be called docs/ =)	15:55
amakarov	dolphm, dstanek thanks, had no idea it is not a separate project :)	15:55
*** arunkant has joined #openstack-keystone		15:55
dolphm	amakarov: all of http://docs.openstack.org/developer/keystone/ comes out of that directory	15:55
dolphm	amakarov: which is the same as http://keystone.openstack.org / now	15:56
*** ayoung has joined #openstack-keystone		15:57
*** ChanServ sets mode: +v ayoung		15:57
samueldmq	dstanek, hi .. sorry for the late reply ...	15:57
samueldmq	dstanek, not something in the code/logic, basically a doc	15:58
samueldmq	dstanek, but then I needed to send a new patch set, that removed your +2	15:58
samueldmq	dstanek, thanks for your review again :)	15:58
dstanek	ah, ok - if there are no more changes i'll go ahead and approve it too	15:59
*** ogzy has quit IRC		15:59
samueldmq	dstanek, ok so please go for it, no more changes, I already addressed everything :)	16:00
samueldmq	dstanek, thanks !!	16:00
dolphm	there's a bunch of "tokenless authorization" headers in https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3.rst that don't actually apply to keystone ... i'm thinking those should be documented separately?	16:01
*** stevemar has joined #openstack-keystone		16:01
*** ChanServ sets mode: +v stevemar		16:01
dolphm	i assume that's all implemented in keystonemiddleware	16:01
*** mflobo has left #openstack-keystone		16:01
openstackgerrit	Lance Bragstad proposed openstack/keystone: Add Federation mixin for setting up data https://review.openstack.org/161793	16:05
openstackgerrit	Lance Bragstad proposed openstack/keystone: Federated token formatter https://review.openstack.org/161380	16:05
openstackgerrit	Lance Bragstad proposed openstack/keystone: Add unscoped token formatter for Fernet tokens https://review.openstack.org/161379	16:05
bknudson	dolphm: it must be implemented in middleware in keystone, and then the properties go through the normal mapping	16:06
openstackgerrit	Dolph Mathews proposed openstack/keystone: Refactor Fernet: drop timestamps and move payload version into payload https://review.openstack.org/162196	16:06
lbragstad	dolphm: pushed and resolved ^	16:06
lbragstad	cc marekd^	16:06
lbragstad	marekd: ^	16:06
openstackgerrit	Dolph Mathews proposed openstack/keystone: Refactor: rename the "standard" token formatter to "scoped" https://review.openstack.org/161838	16:06
openstackgerrit	Dolph Mathews proposed openstack/keystone: Refactor: remove token formatters dep on 'token_data' on create() https://review.openstack.org/161855	16:06
openstackgerrit	Dolph Mathews proposed openstack/keystone: Refactor: remove Fernet formatter's dep on trust_api / v3 token helper https://review.openstack.org/161876	16:06
bknudson	dolphm: but I agree that documentation doesn't have anything to do with the identity api.	16:06
*** chrisshattuck has joined #openstack-keystone		16:07
bknudson	well, actually it looks like those headers are in the request.	16:07
dolphm	bknudson: right, but to keystonemiddleware, not identity-api specifically?	16:07
samueldmq	bknudson, I think so, and then it should be kept there, no?	16:08
bknudson	no, those are in the request to keystone.	16:08
samueldmq	dolphm, I think keystone	16:08
samueldmq	bknudson, ++	16:08
bknudson	so if auth_token wants to validate a token it sends a request using its client cert and X-Project-Id set.	16:08
dolphm	oh, that's not what i thought that was for at all	16:09
dolphm	i thought this was for clients to skip talking to keystone and just use x509 directly with nova, etc	16:09
bknudson	maybe there's another spec for that?	16:10
dolphm	bknudson: i actually thought that's what gyee and someone at CERN were interested in at some point	16:11
dolphm	which sounds cool to me	16:11
openstackgerrit	Boris Bobrov proposed openstack/keystone: Migrations squash https://review.openstack.org/162170	16:11
bknudson	dolphm: I know he's talked about it... keeping it in-house.	16:12
dolphm	bknudson: yeah, but then IIRC it had some weird upstream impact that didn't make any sense without us having x509 support upstream too	16:13
dolphm	anyway, i thought they were on the road to upstreaming it	16:14
marekd	dolphm: i think jose was hacking something here.	16:16
lbragstad	marekd: I'm going to propose that federated mixin refactor against master without and dependencies,	16:17
lbragstad	marekd: something got messed up in the rebase	16:17
marekd	lbragstad: sure.	16:17
*** krtaylor has quit IRC		16:23
dolphm	marekd: how much longer are you around today?	16:26
marekd	~1h	16:26
marekd	dolphm: wanted to talk about anyhing specific?	16:27
dolphm	marekd: your -1 on https://review.openstack.org/#/c/161379/	16:27
marekd	dolphm: ok, let me look at it now.	16:28
dolphm	marekd: i'm hoping that can land today because we have so much behind it	16:28
marekd	dolphm: sure.	16:28
*** browne has joined #openstack-keystone		16:30
openstackgerrit	Lance Bragstad proposed openstack/keystone: Add Federation mixin for setting up data https://review.openstack.org/162211	16:32
openstackgerrit	Lance Bragstad proposed openstack/keystone: Add Federation mixin for setting up data https://review.openstack.org/162211	16:33
*** topol has joined #openstack-keystone		16:33
*** ChanServ sets mode: +v topol		16:33
openstackgerrit	Dolph Mathews proposed openstack/keystone: Remove the expiration timestamp from Fernet tokens https://review.openstack.org/161774	16:33
*** chlong has joined #openstack-keystone		16:33
stevemar	marekd, still want me to update https://review.openstack.org/#/c/161475/ ?	16:34
openstackgerrit	Dolph Mathews proposed openstack/keystone: Drop Fernet token prefixes & add domain-scoped Fernet tokens https://review.openstack.org/162031	16:35
openstackgerrit	Dolph Mathews proposed openstack/keystone: Remove redundant creation timestamp from fernet tokens https://review.openstack.org/161897	16:35
marekd	stevemar: sorry, didn't notice the comment.	16:35
marekd	no, it's fine	16:35
*** krtaylor has joined #openstack-keystone		16:35
marekd	stevemar: it's approved	16:35
lbragstad	marekd: addressed the comments and I believe I have a clean commit here https://review.openstack.org/#/c/162211/	16:36
lbragstad	cc stevemar ^	16:36
openstackgerrit	Dolph Mathews proposed openstack/keystone: Drop Fernet token prefixes & add domain-scoped Fernet tokens https://review.openstack.org/162031	16:36
openstackgerrit	Dolph Mathews proposed openstack/keystone: Remove redundant creation timestamp from fernet tokens https://review.openstack.org/161897	16:36
openstackgerrit	Dolph Mathews proposed openstack/keystone: Refactor Fernet: drop timestamps and move payload version into payload https://review.openstack.org/162196	16:37
*** joesavak has quit IRC		16:37
dolphm	lbragstad: that just looks like a refactor at first glance?	16:37
lbragstad	dolphm: yep, it is	16:38
dolphm	lbragstad: cool. marekd just +2'd	16:38
marekd	:)	16:38
lbragstad	dolphm: its so we can leverage all that neat setup stuff for fernet tokens	16:38
lbragstad	dolphm: and not duplicate it	16:38
dolphm	lbragstad: ++	16:38
dolphm	marekd: now it's just you and https://review.openstack.org/#/c/161379/ :P	16:38
dolphm	marekd: i replied to most of your comments on patchset 4, but the gist is that everything you mentioned is either addressed or deleted anyway later in the series	16:39
dstanek	dolphm: any reason why https://review.openstack.org/#/c/161855/ has not been approved?	16:40
dolphm	dstanek: only because it's dependent on something that hasn't	16:40
dolphm	dstanek: so, not a real reason	16:41
marekd	dolphm: ok, done.	16:41
dolphm	marekd: sweet! thank you sir	16:41
*** _cjones_ has joined #openstack-keystone		16:43
*** _cjones_ has quit IRC		16:43
*** _cjones_ has joined #openstack-keystone		16:44
dolphm	dstanek: you like reviewing refactors, right?! https://review.openstack.org/#/c/161876/	16:46
lbragstad	dolphm: you have a commit that removes this stuff, right? https://review.openstack.org/#/c/160993/8/keystone/token/providers/fernet/token_formatters.py	16:46
dstanek	dolphm: sure, i can review another one	16:46
dolphm	lbragstad: not that bit, no	16:47
lbragstad	dolphm: https://review.openstack.org/#/c/161855/3/keystone/token/providers/fernet/token_formatters.py	16:47
dolphm	lbragstad: my series will conflict with that patch	16:47
dolphm	lbragstad: and +1 for using map() there	16:47
lbragstad	dolphm: ok, I'll address and push a new revision	16:48
lbragstad	cc bknudson ^	16:48
dolphm	lbragstad: let me find what you should rebase that change on...	16:48
* marekd thought lbragstad used mmap() and was wondering since when we are going that low-level in OpenStack :P		16:48
dolphm	lbragstad: probably just on the last change https://review.openstack.org/#/c/162031/	16:48
dolphm	lbragstad: the only change i made to the handling of audit_ids in my series is that i keep it as a list the whole time	16:49
dolphm	lbragstad: they still need to be converted to bytes	16:49
lbragstad	dolphm: got it, I'll tack that on to the end	16:49
dolphm	lbragstad: i'm also curious what our new token size is after all this	16:49
*** gyee has joined #openstack-keystone		16:49
*** ChanServ sets mode: +v gyee		16:49
lbragstad	dolphm: it's going to be awesome	16:49
lbragstad	because we're getting rid of creation and expiration, right?	16:50
marekd	'awesome' is a new number in maths? next to pi, e and so on	16:50
lbragstad	marekd: yes, it got me through all my math classes	16:50
marekd	hehe	16:51
dolphm	marekd: ++	16:51
dolphm	lbragstad: as of the last patch in my series, it's gone down from 187 chars to 140	16:51
dolphm	so like you can totally tweet your bearer tokens: mission accomplished! product teams everywhere can rejoice	16:51
lbragstad	dolphm: cool, so it should be a little smaller than that with audit_ids in bytes	16:51
*** boris-42 has joined #openstack-keystone		16:53
*** notmyname has joined #openstack-keystone		16:54
dstanek	dolphm: why you remove the expiration from the token are you expecting that only the rotation will expire tokens?	17:04
*** iamjarvo has quit IRC		17:08
openstackgerrit	Alexander Makarov proposed openstack/keystone: Redis token backend https://review.openstack.org/150844	17:13
dolphm	dstanek: that was my original thought	17:30
dolphm	dstanek: which will still work, but my new thought is that everything about these tokes is leaning towards stateless, and we can compute the expiration based on creation + CONF	17:30
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements https://review.openstack.org/162244	17:31
dolphm	dstanek: if you wanted to have a subset of tokens with no expiration, we could still do that, and do it better than before. set CONF token lifespan to 1000 years or whatever, force expire tokens via rotation, and just leave a special key in the rotation for long-lived tokens (you might have to manage your own rotation in that case)	17:32
dstanek	dolphm: ok, i just got finished on that review and you may have just invalidated my complaints if you go that route	17:32
lbragstad	dolphm: that would be a good idea for the long lived tokens	17:33
*** rwsu-afk is now known as rwsu		17:33
dolphm	dstanek: if we go to what route, specifically?	17:33
*** browne has quit IRC		17:34
*** tqtran has joined #openstack-keystone		17:34
*** arif-ali has quit IRC		17:34
dolphm	lbragstad: simplest approach might be to take away keystone's ability to write to a specific key file, and just try/except the delete during rotation :)	17:34
dstanek	dolphm: i have security concerns about having the rotation be the only thing that controls expiration; if you do a created + CONF i would not have that concern	17:34
dolphm	dstanek: then you shouldn't have any concerns with https://review.openstack.org/#/c/161774/4/keystone/token/providers/fernet/core.py	17:35
dolphm	dstanek: right? L180-183 on the right	17:35
dolphm	dstanek: i have an abandoned patch (or old patchset) that is entirely dependent on rotation, but then i remembered that Fernet has the token's creation time as part of the format itself (outside the payload)	17:36
dstanek	dolphm: not if the commit message is incorrect	17:36
openstackgerrit	Boris Bobrov proposed openstack/keystone: Remove deprecated external authentication plugins https://review.openstack.org/162250	17:36
stevemar	ayoung, can you review https://review.openstack.org/#/c/157158/ , https://review.openstack.org/#/c/158561/ and https://review.openstack.org/#/c/158562/	17:37
dolphm	dstanek: touche! that's my old commit message	17:37
dstanek	dolphm: where does the rejection based on an expired token happen?	17:37
dolphm	dstanek: will fix	17:37
*** jistr has quit IRC		17:37
ayoung	stevemar, wilco	17:37
dolphm	dstanek: good question, i don't have a functional test for it - but i believe that happens further up the stack when we pass up an expired token from the provider?	17:37
dolphm	dstanek: we can also pass a ttl to Fernet and it'll barf there	17:37
openstackgerrit	OpenStack Proposal Bot proposed openstack/pycadf: Updated from global requirements https://review.openstack.org/162251	17:38
dstanek	dolphm: if it's now the case where expiration is enforced by Keystone then i think the docstrings just need to be updated	17:39
*** lhcheng__ has joined #openstack-keystone		17:39
openstackgerrit	Dolph Mathews proposed openstack/keystone: Remove the expiration timestamp from Fernet tokens https://review.openstack.org/161774	17:39
ayoung	stevemar, +2 A across the board. THose were designed to make me happy	17:39
stevemar	ayoung, \o/	17:40
morganfainberg	So, based on my digging into ksm and how that works, I'd like to keep the expiration being enforced separate/held until the rest of fernet is done, that makes sense?	17:40
morganfainberg	Expiration only enforced by keystone that is.	17:40
*** iamjarvo has joined #openstack-keystone		17:41
*** iamjarvo has quit IRC		17:41
dolphm	morganfainberg: that sounds like i need to change the dependency order of this, which won't be fun? https://review.openstack.org/#/c/162031/	17:41
morganfainberg	The fact that you're introducing cases where the user gets different behaviors based upon a config in keystone still is making me uncomfortable.	17:41
*** iamjarvo has joined #openstack-keystone		17:42
morganfainberg	Ugh.	17:42
ayoung	morganfainberg, ksm?	17:42
morganfainberg	ayoung: auth_token	17:42
dolphm	morganfainberg: but ... it's an edge case :)	17:42
ayoung	ah	17:42
dolphm	morganfainberg: i'd say it's solvable via documentation	17:43
ayoung	morganfainberg, I'm missing something. Why doesit matter where in the token the value lives?	17:43
*** lhcheng__ is now known as lhcheng		17:43
*** david-lyle_afk is now known as david-lyle		17:43
ayoung	morganfainberg, link to the discussion?	17:43
morganfainberg	ayoung: if expiration is only calculated in keystone by the Ttl, changing the conf means tokens will (if cached, and the default is to cache) cause different behaviors to the end user	17:44
ayoung	morganfainberg, won't all of that data be returned in the token response	17:44
ayoung	and...then the cached value should match what keystomne would say	17:44
morganfainberg	ayoung: so cache the token validity. Then change keystones conf.	17:45
ayoung	Which keystone conf value are you concerned about?	17:45
morganfainberg	Now tokens could result in changing state based on the cache.	17:45
dolphm	ayoung: token lifespan	17:45
* ayoung slow shifting gears here, sorry		17:45
ayoung	shouldn;'t that value be passed in to set the token lifespan/ttl in the fernet token?	17:46
morganfainberg	ayoung: dolphm is pitching to make token expiration calculated based on creation and conf.token.expiration_time	17:46
dolphm	ayoung: the goal is for fernet tokens to only carry a creation timestamp - no fixed expiration date	17:46
morganfainberg	On validate.	17:46
dolphm	++	17:46
ayoung	dolphm, hmm...I thought we made it possible for someone to explicitly request a longer expiration date in a token...if we didn't, we might need to	17:46
morganfainberg	ayoung: no. Tokens are fixed lifespan. You can't override it	17:47
ayoung	https://twitter.com/admiyoung/status/573899072676954112	17:47
ayoung	morganfainberg, I think I just got burned by Glance and a 1 hour token lifespan. In real life, too.	17:47
dolphm	ayoung: it would be safe to have longer token lifespans with fernet if you're also rotating keys	17:47
dolphm	ayoung: like, rotate keys daily or weekly, and keep them for a year	17:48
ayoung	dolphm, yeah...and with that,. we should make plans to re-absorb kite to do Key distribution.	17:48
ayoung	its a perfect match of capabilities for our use pattern: Group token signing	17:48
dolphm	ayoung: yeah, i tried to keep the key persistence simple because i know it's going to get fancier	17:49
dolphm	s/safe/safer/	17:49
morganfainberg	ayoung: kite aside. If expiration is solely calculated in keystone we're going to get some odd bugs. We've already have bugs reported because caching in ksm is inconsistent with in-memory	17:49
ayoung	Well, tehcnicnally, distribution is separate from persistence.	17:49
*** afazekas has quit IRC		17:49
*** stevemar has quit IRC		17:50
dolphm	morganfainberg: not bugs, just fun new behaviors out of a distributed system :)	17:50
morganfainberg	dolphm: bugs reported. They won't be valid. But they will be reported as bugs	17:50
dolphm	ayoung: right - simple expectations on where they come from is all i mean	17:50
*** stevemar has joined #openstack-keystone		17:50
*** ChanServ sets mode: +v stevemar		17:50
ayoung	morganfainberg, so you want the expiry explicitly recorded in the token, and dolphm is proposing just using the value out of the Config file?	17:50
ayoung	dolphm, Ah...I see what you mean.	17:50
dolphm	morganfainberg: i shall write all the many documentations to combat said bugs in advance	17:50
morganfainberg	ayoung: yeah, I'm saying keep tokens Ttl as a int when you issue the token like today.	17:51
morganfainberg	ayoung: at least until the rest of fernet is up and running.	17:51
ayoung	morganfainberg, so you would have a case where, say you changed expiry from one hour to two, certain tokens would have been expired, and then unexpired at config change?	17:51
morganfainberg	ayoung: yep	17:51
dolphm	ayoung: yes	17:51
ayoung	or a valid token might become invalid if the expiry is made shorter.	17:52
dolphm	ayoung: that's the only edge case i'm aware of	17:52
dolphm	ayoung: yes	17:52
dstanek	if the reason we are taking out the expiration date is token size we could just put in smaller offset number to calculate the expiration	17:52
dolphm	how often do people change the token lifespan in a running system? wouldn't they be willing to read a paragraph about the effects?	17:52
morganfainberg	ayoung: and if they are cached at an endpoint behavior of the endpoint changed based on cache. And if using in-memory cache, request could succeed/fail randomly based upon worker you get.	17:52
morganfainberg	dolphm: this also means if you use multiple keystones, the confligs have to be the same.	17:53
ayoung	dolphm, and I think they are ok. We are making it possible for people to read config values out of Keystone via the APIs, which mean that they coukld use the config values to set timeouts, instead of getting it from any ojne token	17:53
ayoung	morganfainberg, oooh.	17:53
dolphm	dstanek: agree, just trying to go even smaller	17:53
morganfainberg	dolphm: or you get different expiry for the same token based on the endpoint you hit.	17:53
morganfainberg	E.g. Load balanced keystones.	17:53
dolphm	we're at 140 chars for fernet tokens with all the proposed patches	17:53
morganfainberg	And load-balanced keystones are a real thing.	17:54
ayoung	morganfainberg, I just envisioned a whole bunch of work on that front...it really should be Puppet keeping configs in sync, but since we are now storing some configs in the database...does puppet have a mechanism to handle that? Chef or Ansible for that mater?	17:54
morganfainberg	This is a protect the deployer from themselves argument.	17:54
morganfainberg	ayoung: sortof, but often you change 1 then the rest of your cluster.	17:54
morganfainberg	For cms that won't kill the system by being different.	17:55
dolphm	the config in a database thing seems silly in the face of zookeeper etc	17:55
lbragstad	dolphm: did you say the domain scoped stuff was fixed?	17:55
dolphm	but i digress	17:55
dolphm	lbragstad: yes, in https://review.openstack.org/#/c/162031/	17:55
*** joesavak has joined #openstack-keystone		17:55
openstackgerrit	Boris Bobrov proposed openstack/keystone: Move external authentication plugins' last release https://review.openstack.org/162256	17:55
dolphm	lbragstad: it adds an explicit domain scope and passes the tests that suddenly started failing when i made them more strict	17:55
morganfainberg	Ooh I know, let's move all of keystones config into a db except the "how to connect	17:56
morganfainberg	To said db" /s	17:56
* ayoung interviewing an intern this afternoon, and just thought up eeeeevil Git based interview question		17:56
dolphm	interns know git now?	17:56
morganfainberg	Even better, we can use etcd for everything.	17:56
morganfainberg	/s	17:56
dolphm	pretty sure systemd supports domain-specific sql configuration	17:57
ayoung	morganfainberg, actually, I have a todo item to be able to store encrypted values in oslo config, but I am holding off filing it until I have chewed it over better	17:57
lbragstad	dolphm: I'm adding the audit_id stuff to the end of that series, and I get the following: http://cdn.pasteraw.com/j3vz2l8k9n7ev8eutruhbuar31vz878	17:57
dolphm	or something along those lines	17:57
dolphm	lbragstad: what's domain_id there?	17:58
morganfainberg	So I am not really absolutely against keystone calculating the expiry only, but it does kind of rub me the wrong way.	17:58
dolphm	lbragstad: is that keystone-deploy?	17:58
lbragstad	dolphm: no, it's the bootstrap.py script	17:58
dolphm	lbragstad: from keystone-deploy?	17:58
morganfainberg	dolphm: I wouldn't -1 or -2 it. But i need tons of docs on this and if we get lots	17:58
lbragstad	domain_name = 'Default'	17:58
ayoung	dolphm, my interns better know git. Here's the question "When the Kernel.org git server was compromised, the community was able to quickly validate that the main branch had not been changed. How were they able to tell?"	17:59
morganfainberg	Of bugs I'm going to revert it.	17:59
dolphm	morganfainberg: ack	17:59
lbragstad	dolphm: yes, the one we use with keystone-deploy	17:59
dolphm	morganfainberg: i can add them to that patch	17:59
morganfainberg	Or just give deployers your phone # :)	17:59
morganfainberg	:P	17:59
dstanek	ouch	18:00
morganfainberg	dolphm: in that patch or dependent on it. Either works	18:00
dolphm	morganfainberg: will do!	18:00
dolphm	lbragstad: what's the value of domain_id ?	18:02
lbragstad	dolphm: checkiung	18:02
lbragstad	dol	18:03
lbragstad	dolphm: 'domain': {'id': u'default', 'name': u'Default'},	18:03
lbragstad	so	18:03
lbragstad	we aren't passing uuid as the domain id ever time	18:04
lbragstad	domain ids can be something user defined...	18:04
lbragstad	which is where we are bombing out I think, since UUID doesn't know how to convert 'domain'	18:04
morganfainberg	Woohoo. https://review.openstack.org/#/c/162170/ -1950 lines. breton thanks for working on that!	18:05
morganfainberg	lbragstad: yeah domain has to be "string"	18:06
dolphm	lbragstad: OH 'default'!	18:06
lbragstad	dolphm: morganfainberg yep	18:06
lbragstad	dolphm: don't fix it yet	18:06
morganfainberg	And... That can explode your token size because a domain Id can be 255 bytes. :(	18:06
lbragstad	dolphm: I'm going to push what I have for the audit_id stuff	18:06
dolphm	morganfainberg: personal problem?	18:07
lbragstad	you can't fix stupid	18:07
dolphm	morganfainberg: actually it's limited to 64 bytes, right?	18:07
*** browne has joined #openstack-keystone		18:07
breton	https://review.openstack.org/#/c/162211/2 -- fellas, could you please avoid +A-ing "+654, -651" patches in 2 minutes after uploads	18:07
morganfainberg	dolphm: is it?	18:07
dolphm	morganfainberg: all / most IDs are 64 bytes IIRC	18:07
morganfainberg	dolphm: hm. That might be schema enforced. I hope?	18:08
dolphm	breton: have a specific issue with that test refactor?	18:08
dolphm	morganfainberg: i'd assume so	18:08
*** spandhe has joined #openstack-keystone		18:08
*** karimb has quit IRC		18:08
lbragstad	morganfainberg: dolphm https://github.com/openstack/keystone/blob/master/keystone/resource/schema.py#L53	18:09
morganfainberg	dolphm: ah sql schema sets it at 54	18:09
dolphm	breton: or you just mean the +A without a jenkins check first?	18:09
lbragstad	we limit to 64 using jsonschema	18:09
morganfainberg	lbragstad: that's name. Not Id	18:09
lbragstad	ah, morganfainberg yep	18:10
dolphm	the only domain ID that is custom is "default" afaik	18:10
dstanek	breton: i though people wanted things getting through quickly :-)	18:10
dstanek	thought*	18:10
breton	dolphm: I don't know. I saw it only by chance, while looking at zuul. I just dislike that such huge patches get accepted with zero discussion	18:10
dolphm	breton: it was briefly discussed here. the two developers that are most familiar with that code (and wrote it), were the ones that +2'd. i'd be happy to give it a third set of eyes if you'd like	18:11
amakarov	breton, wow, didn't even notice...	18:11
dolphm	breton: it's also just a big copy/paste refactor	18:11
lbragstad	breton: it started being reviewed here https://review.openstack.org/#/c/161793/	18:12
morganfainberg	Oh hey. Yeah we don't allow custom ids except default.	18:12
dolphm	lbragstad: should have used the same Change-Id!	18:12
morganfainberg	lbragstad: just saw that it does assign unique Id	18:12
morganfainberg	dolphm: ^^	18:12
dolphm	morganfainberg: special case default domain id maybe?	18:13
morganfainberg	so, ick, have to special case default. :(	18:13
lbragstad	breton: I proposed it to against master because there wasn't anything specific in the chain it was in that required it to be behind the other changes	18:13
lbragstad	dolphm: breton sure, I should have used the same change ID, my fault, but I abandon the old change immediately after and informed the other two developers about the change as soon as i proposed it	18:13
lbragstad	breton: fwiw, they are both linked to each other	18:14
dolphm	lbragstad: Restore -> use same Change-Id next time	18:14
morganfainberg	dolphm: it's in check right?	18:14
morganfainberg	Not gate.	18:14
morganfainberg	We should just do that to maintain the review history.	18:15
dolphm	morganfainberg: yes, it's still queued in check	18:15
morganfainberg	Even this time.	18:15
dolphm	morganfainberg: lbragstad: ++ ^	18:15
morganfainberg	People can re-+2 it.	18:15
openstackgerrit	Lance Bragstad proposed openstack/keystone: Convert audit_ids to bytes https://review.openstack.org/160993	18:16
lbragstad	dolphm: ^ that will fail until the domain_id thing is fixed	18:16
dolphm	breton: morganfainberg: lbragstad: abandoned the approved change- https://review.openstack.org/#/c/162211/	18:16
dolphm	lbragstad: ack	18:17
morganfainberg	dolphm: beat me to it. Was going to -2 it then abandon :P	18:17
dolphm	morganfainberg: i figure abandon alone will kill the job :)	18:17
morganfainberg	dolphm: same net effect.	18:18
morganfainberg	dolphm: wfm!	18:18
breton	great, thank you	18:18
*** morganfainberg is now known as needscoffeebadly		18:19
openstackgerrit	Lance Bragstad proposed openstack/keystone: Add Federation mixin for setting up data https://review.openstack.org/161793	18:19
lbragstad	breton: dolphm needscoffeebadly ^ done,	18:20
needscoffeebadly	dolphm: Friday! Dolphin time? ;)	18:20
*** dolphm is now known as dolphin		18:20
* dolphin whatever squeeky sound dolphins make		18:20
*** dolphin is now known as Guest82734		18:20
* lbragstad finds food		18:21
needscoffeebadly	Guest82734: someone owns dolphin as a nick? :P	18:21
*** needscoffeebadly is now known as CaptainMorgan		18:22
Guest82734	haha	18:23
*** vhoward has left #openstack-keystone		18:25
openstackgerrit	Dolph Mathews proposed openstack/keystone: Refactor: remove dep on trust_api / v3 token helper https://review.openstack.org/161876	18:25
Guest82734	dstanek: fixed the commit message and docstrings ^	18:26
dstanek	Guest82734: what did you guys decide about the config based expiration checking?	18:26
Guest82734	CaptainMorgan: ++	18:26
Guest82734	dstanek: when i was in the shower a couple weeks ago?	18:27
Guest82734	CaptainMorgan: can we kill the IBM "This change depends on a change that failed to merge." bot?	18:27
CaptainMorgan	bknudson: ^	18:27
CaptainMorgan	before we get them disabled or such let's ask nicely.	18:28
CaptainMorgan	Guest82734: but yes.	18:28
bknudson	CaptainMorgan: I have no control over it.	18:28
CaptainMorgan	bknudson: who do I email?	18:28
Guest82734	it's been failing all week, afaik. if no one is going to fix it...	18:28
CaptainMorgan	And say "fix plox or it shall be disabled"	18:28
CaptainMorgan	Or hmm. There is some magic setting I can change somewhere for this I think.	18:29
bknudson	CaptainMorgan: https://wiki.openstack.org/wiki/ThirdPartySystems/IBM_DB2_CI#Issue_Tracker -- it's yanfengxi@cn.ibm.com	18:29
CaptainMorgan	bknudson: ah thanks.	18:29
Guest82734	bknudson: if you have no control over it, then who the hell is supposed to maintain it?! that's crazy	18:29
bknudson	Guest82734: we have a team in china.	18:29
bknudson	it's a big company	18:30
openstackgerrit	Lin Hua Cheng proposed openstack/keystone: Made project_id required for ec2 credential https://review.openstack.org/155974	18:30
samueldmq	CaptainMorgan I saw a discussion in the mailing list on horizon + pkiz	18:30
CaptainMorgan	bknudson: will email them today. Since hours are all wonky I'll say it needs to get fixed first thing next week.	18:30
bknudson	and I'm not their manager or team leader in any way.	18:30
samueldmq	CaptainMorgan, do you know if horizon supports pkiz right now?	18:30
Guest82734	bknudson: my point is that if we cause it to fail, we should be able to help fix it. if it's a rubberstamping black box, then it should die	18:31
CaptainMorgan	bknudson: and let them know they need to keep track of it. Because us having to email after a week of failures is not ok.	18:31
Guest82734	bknudson: and if you, a keystone-core IBMer can't help fix it, it's totally a black box	18:31
CaptainMorgan	anteaya: ^cc might be bugging you next week about a CI account. (Just a heads up)	18:31
*** obutenko has quit IRC		18:33
Guest82734	samueldmq: if horizon doesn't break with PKI, it should support PKIz just fine	18:33
stevemar	i love how bknudson is associated with the db2 testing ci - i emailed him yesterday about	18:34
*** haneef has quit IRC		18:34
stevemar	fix a bug or two related to db2 and you're forever associated with it bknudson	18:34
anteaya	CaptainMorgan: who will?	18:34
bknudson	if it's identifying a problem I'd be happy to look into it... that's my job.	18:35
bknudson	but I have no knowledge of how it's set up and administered.	18:35
anteaya	CaptainMorgan: and you can save time and give them this: http://ci.openstack.org/third_party.html#creating-a-service-account	18:35
anteaya	since they need to set up the account themselves	18:35
bknudson	I doubt the company would give me time to work on that.	18:35
samueldmq	Guest82734, yes, it works .. I just checked it	18:35
bknudson	I could ask.	18:35
bknudson	Guest82734 isn't nearly as funny as dolphin.	18:36
*** Guest82734 is now known as dolphinator		18:36
*** joesavak has quit IRC		18:36
bknudson	unless I'm missing the joke ... is it a prime #?	18:36
samueldmq	dolphinator, the issue before was that we had 'pki' hardcoded in django_openstack_auth, but it looks to be ok now	18:36
samueldmq	dolphinator, thx	18:36
lhcheng	samueldmq: horizon can accept pki token from keystone, but it uses the hashed pki for making later calls.	18:37
lhcheng	samueldmq: https://github.com/openstack/django_openstack_auth/blob/master/openstack_auth/user.py#L79-L84	18:37
openstackgerrit	Boris Bobrov proposed openstack/keystone: Remove fix for migration 37 https://review.openstack.org/162266	18:39
*** markvoelker has quit IRC		18:39
*** markvoelker has joined #openstack-keystone		18:40
dolphinator	lhcheng: oh good point	18:40
samueldmq	lhcheng, as it was a uuid or other token? requesting the whole token info (service catalog, etc) when it needs?	18:40
stevemar	yess dolphinator	18:40
dstanek	hmmmm...anyone else get the greenthread errors when running the test suite?	18:40
breton	dstanek: the waitall() ones?	18:41
samueldmq	dstanek, yes	18:41
lhcheng	samueldmq: it fetches the catalog on login, and store the service catalog + token in the session.	18:41
dstanek	breton: yes, so it's not just me	18:41
samueldmq	lhcheng, hm.. ok	18:42
samueldmq	lhcheng, I'm facing this (https://bugs.launchpad.net/horizon/+bug/1382079)	18:42
openstack	Launchpad bug 1382079 in OpenStack Dashboard (Horizon) "Project selector not working" [High,In progress] - Assigned to Thiago Paiva Brito (thiagop)	18:42
*** amakarov is now known as amakarov_away		18:42
samueldmq	lhcheng, I can't use horizon + v3	18:42
lhcheng	dolphinator: I think it works due to a logic somewhere in the keystone middleware where it is caching a hashed pki token. Not the best way to handle long tokens, but works for now.	18:44
* lhcheng looking at bug		18:44
*** ccrouch has left #openstack-keystone		18:44
*** markvoelker has quit IRC		18:44
dolphinator	dstanek: breton: yes, i "fixed" it by downgrading greenthreads i think	18:44
*** chrisshattuck has quit IRC		18:45
lhcheng	samueldmq: are you using devstack?	18:45
dolphinator	dstanek: as far as i looked into it, it seemed innocuous	18:45
lhcheng	samueldmq: and have you switch the session backend?	18:45
samueldmq	lhcheng, yes I am using devstack	18:46
dstanek	dolphinator: i'll give that a try	18:47
samueldmq	lhcheng, session bakcend?	18:47
* stevemar needs a fun friday nick		18:47
dolphinator	stevemar: stevebot?	18:47
stevemar	i suppose	18:47
samueldmq	lhcheng, to use memcached ?	18:47
lbragstad	++ stevebot	18:47
stevemar	stevebot :Nickname is already in use.	18:48
stevemar	that jerk	18:48
lhcheng	samueldmq: yeah, anything other than using cookie based	18:49
dolphinator	stevemar: steve_in_march	18:49
*** joesavak has joined #openstack-keystone		18:49
samueldmq	lhcheng, nice I'll give a try and come back to say what happened :)	18:50
dolphinator	stevemar: steven_march	18:50
*** arif-ali has joined #openstack-keystone		18:50
lbragstad	stevemar: stevedore	18:50
CaptainMorgan	lbragstad, LOL	18:50
*** stevemar is now known as stevedore		18:50
stevedore	i lift things!	18:50
lbragstad	\o/	18:50
dolphinator	stevedore: ++	18:50
stevedore	lbragstad, dolphinator whats up with rax trial accounts? how long are they good for?	18:50
* dolphinator hands stevedore a box		18:51
dolphinator	stevedore: via https://developer.rackspace.com/ ?	18:51
stevedore	looking at that now	18:51
stevedore	dolphinator, pm'ing you	18:51
CaptainMorgan	dolphinator, sadly the "free" level you get wasn't enough to get me more than the smallest vm ever w/o paying	18:51
lhcheng	samueldmq: cached session is probably easiest to configure: https://docs.djangoproject.com/en/1.7/topics/http/sessions/#using-cached-sessions	18:52
CaptainMorgan	dolphinator, and i was told the free tier was only good for a few months.	18:52
dolphinator	CaptainMorgan: was it $50/month for 12 months then?	18:52
CaptainMorgan	when i set it up	18:52
CaptainMorgan	dolphinator, i was told $30 for 6	18:52
CaptainMorgan	when i talked to someone on the phone [needed to for activation]	18:52
lbragstad	stevedore: are you building another iteration of http://opensax.com/ ?	18:52
bknudson	hey, no support fees.	18:53
CaptainMorgan	dolphinator, or something	18:53
bknudson	I'll call in for help and tell them to get dolphinator to do reviews.	18:53
* CaptainMorgan needs to figure out how to setup HP Cloud account for himself.		18:54
lhcheng	samueldmq: here you go: http://docs.openstack.org/developer/horizon/topics/deployment.html#local-memory-cache	18:54
CaptainMorgan	or maybe i should just go stick a rack mounted server in some colo for dev work.	18:54
*** arif-ali has quit IRC		18:59
* dstanek needs lunch and coffee		18:59
CaptainMorgan	dolphinator, bknudson, ayoung, dstanek, https://review.openstack.org/#/c/159803 this is a high-ish priority review - we have another "could be wedged" case for deplpoyers	19:00
CaptainMorgan	we're going to need to back port it as well	19:00
CaptainMorgan	:(	19:00
lbragstad	dolphinator: how do you think we should go about the domain id fix?	19:00
*** arif-ali has joined #openstack-keystone		19:00
ayoung	CaptainMorgan, Aye Aye	19:00
lbragstad	we have to try and detect if we're dealing with a user defined string or now	19:00
lbragstad	now*	19:00
lbragstad	not*	19:00
ayoung	CaptainMorgan, I'm going to clean up the commit message on that	19:00
openstackgerrit	ayoung proposed openstack/keystone: Adding utf8 to federation tables https://review.openstack.org/159803	19:01
*** markvoelker has joined #openstack-keystone		19:03
ayoung	CaptainMorgan, https://review.openstack.org/#/c/159803/10/keystone/contrib/federation/migrate_repo/versions/001_add_identity_provider_table.py those cahnges...tehy seem like they woudn't work for other backends.	19:03
CaptainMorgan	ayoung, they are mysql-specific arguments	19:03
CaptainMorgan	we use it elsewhere	19:03
ayoung	they ignored by non mysql backends?	19:03
CaptainMorgan	ayoung, for example: https://github.com/openstack/keystone/blob/master/keystone/common/sql/migrate_repo/versions/034_havana.py#L79-L80	19:03
CaptainMorgan	ayoung, yeah they aren't passed to non-mysql backends	19:04
*** Akshik has joined #openstack-keystone		19:05
ayoung	CaptainMorgan, OK. looks right for Federation	19:05
dolphinator	lbragstad: if only the default domain is an exception, we can just treat it exceptionally :-/	19:07
samueldmq	lhcheng, well.. followed this (http://docs.openstack.org/developer/horizon/topics/deployment.html#memcached)	19:07
ayoung	CaptainMorgan, I don't like the Federation fix being in the main migration code	19:07
lbragstad	dolphinator: yeah, we could,	19:07
ayoung	https://review.openstack.org/#/c/159803/10/keystone/common/sql/migration_helpers.py	19:07
samueldmq	lhcheng, and I can log sometimes, and then get back to the login page... sometimes I stay in the login page with no error :/	19:07
ayoung	CaptainMorgan, Posta review. PLease tell me if it makes sense.	19:10
lbragstad	dolphinator: I left a comment on the review	19:11
dolphinator	lbragstad: which one?	19:11
lbragstad	dolphinator: https://review.openstack.org/#/c/162031/4/keystone/token/providers/fernet/token_formatters.py	19:11
dolphinator	lbragstad: ah okay	19:11
samueldmq	lhcheng, yes! got it :) (I was changing the config on settings.py instead of on local_settings.py)	19:12
samueldmq	lhcheng, thank you!!	19:12
dolphinator	lbragstad: review this one first :) https://review.openstack.org/#/c/161876/	19:12
lhcheng	samueldmq: heh	19:12
lbragstad	dolphinator: I think the only place were we would need to have a special case like this would be the domain formatter, so i find it appropriate for it to live only there?	19:12
lhcheng	samueldmq: great!	19:12
dolphinator	lbragstad: ++	19:12
lhcheng	samueldmq: anytime	19:13
*** Akshik_ has joined #openstack-keystone		19:14
*** Akshik has quit IRC		19:15
*** marekd-mobile has joined #openstack-keystone		19:15
anteaya	CaptainMorgan: http://lists.openstack.org/pipermail/third-party-announce/2015-March/000166.html	19:16
CaptainMorgan	anteaya, thanks.	19:16
anteaya	CaptainMorgan: I've sent them to you	19:16
CaptainMorgan	anteaya, ack	19:16
anteaya	my preference is for me to teach keystone team all the third party things	19:16
CaptainMorgan	anteaya, happy to have them sent here	19:17
anteaya	and then you can teach the operators that want to comment/verify keystone patches	19:17
anteaya	sure	19:17
CaptainMorgan	anteaya, that fix needs to go there	19:17
anteaya	so when they show up, ping me and we can address the conveyance of communication and expectations together	19:17
*** joesavak has quit IRC		19:17
CaptainMorgan	s/antaeya/ayoung	19:17
lbragstad	dolphinator: reviewed, one question inline https://review.openstack.org/#/c/161876/	19:18
anteaya	I'm ruining your tab complete	19:18
CaptainMorgan	ayoung, the fix can't be in the migration code, because sanit-check from oslo.db will fail	19:18
CaptainMorgan	anteaya, nah, i was crossing brain-wires, trying to type ayo<tab> while looking at your last message	19:18
*** _cjones_ has quit IRC		19:18
anteaya	ah	19:18
*** Akshik_ has quit IRC		19:19
CaptainMorgan	ayoung, so we're in a catch-22, you need a sane DB table to run migrations, but you can't run migrations because the table isn't sane	19:19
CaptainMorgan	ayoung, its the same issue as above for migration _37	19:19
dolphinator	lbragstad: responded	19:20
CaptainMorgan	ayoung, responded to your comment	19:21
CaptainMorgan	ayoung, but in short we already went rounds on this one and there is only so much we can do when oslo.db says "no your DB doesn't have innodb/utf8"	19:21
ayoung	CaptainMorgan, but doesn't the migration error out in the middle?	19:22
CaptainMorgan	ayoung, nope, oslo.db errors before it runs any migrations	19:22
ayoung	ah	19:22
ayoung	CaptainMorgan, ok...so...	19:22
CaptainMorgan	there is a bug against oslo.db	19:22
ayoung	for table in tables:	19:22
CaptainMorgan	but we still need to fix our broken deployers	19:22
ayoung	just blindly convert all tables?	19:22
CaptainMorgan	ayoung, trying to avoid potentially breaking anything by mucking with that	19:23
CaptainMorgan	i'd rather keep these fixes really limited and specific	19:23
ayoung	CaptainMorgan, this one is bleeding all over the place	19:23
ayoung	and it does not solve the long term problem...	19:23
CaptainMorgan	the bug against oslo should	19:23
CaptainMorgan	changing charset and engine potentially on a live db is scary	19:24
ayoung	We know the names of the tables due to the versions table.	19:24
CaptainMorgan	lets not do it unless we really need to. i don't want to muck with db data if there is no reason to	19:24
ayoung	I'm not letting this change in as is	19:24
*** aix has quit IRC		19:24
CaptainMorgan	this is about being as surgical as we can.	19:24
ayoung	CaptainMorgan, this is close, though	19:24
ayoung	lets do it right	19:24
CaptainMorgan	blinding changing tables is not doing it right	19:24
CaptainMorgan	this is only making the change if it is needed and 2nd all sorts of FK issues when yous tart doing this	19:25
ayoung	Nah, not blind...we now the list of table names from the versions table	19:25
ayoung	or do wee....	19:25
CaptainMorgan	uh...	19:25
CaptainMorgan	we can probably be more surgical even	19:25
CaptainMorgan	yes	19:25
CaptainMorgan	and catch just federation names since we know what table versions we're at	19:26
CaptainMorgan	ayoung, oh	19:26
CaptainMorgan	look at lines 198-207	19:27
CaptainMorgan	_fix_federation_tables	19:27
CaptainMorgan	we can check we're in the federation extension though when migrating	19:27
CaptainMorgan	vs. any extension value error triggering the fix	19:27
ayoung	looking	19:28
CaptainMorgan	ayoung, package_name = '.'.join((contrib.__name__, extension)) can be checked	19:28
ayoung	CaptainMorgan, where is the oslo fix? If it ireally is going to fix this, then lets push to get that in	19:29
ayoung	link, please?	19:29
CaptainMorgan	ayoung, the bug is in the comment	19:29
CaptainMorgan	filed against oslo.db	19:29
CaptainMorgan	#1426334	19:29
CaptainMorgan	bug #1426334	19:29
openstack	bug 1426334 in Keystone "DB migration problem with federation extension" [High,In progress] https://launchpad.net/bugs/1426334 - Assigned to Adam Young (ayoung)	19:29
CaptainMorgan	oh no sec	19:30
ayoung	Closes-Bug: 1426334 Only klinks to Keystone. Where is the Oslo fix?	19:30
ayoung	Who assigned it to me?	19:30
CaptainMorgan	no idea	19:30
CaptainMorgan	oh	19:31
CaptainMorgan	automatic	19:31
CaptainMorgan	you changed the commit msg	19:31
ayoung	Heh	19:31
ayoung	CaptainMorgan, heh, I thought you were Marco	19:31
CaptainMorgan	hah	19:31
CaptainMorgan	no	19:31
ayoung	We doing casual nick Friday?	19:32
CaptainMorgan	today, yes	19:32
CaptainMorgan	look at dolphinator	19:32
CaptainMorgan	and stevedore	19:32
*** joesavak has joined #openstack-keystone		19:32
*** ayoung is now known as SugarAddy		19:32
*** SugarAddy is now known as ayoung		19:32
ayoung	Nah	19:32
dolphinator	CaptainMorgan: i don't know what you're talking about	19:33
ayoung	talking with dreamhost guys in a different channel, don't want to lost the thread there	19:33
CaptainMorgan	so i know there is an oslo.db bug	19:33
CaptainMorgan	lets just ask marco to add it in the comments	19:33
ayoung	CaptainMorgan, mmm, so the issue is we run a migration, and it fails due to there being no utf-8 innodb...and yet we don't know the name of the table it failed on?	19:34
CaptainMorgan	ayoung, sanity_check raises an exception	19:34
ayoung	What if we could get the table out of the error message	19:34
ayoung	and then perform this migration on that table	19:34
CaptainMorgan	https://review.openstack.org/#/c/161162/	19:34
ayoung	that seems a little light to be solving the actual problem	19:35
CaptainMorgan	ayoung, https://github.com/openstack/oslo.db/blob/master/oslo_db/sqlalchemy/migration.py#L108-L110	19:36
CaptainMorgan	i don't think i want to trust extracting the names from a generic valueerorr	19:36
ayoung	that is going to do nothing for tables that are already created, though	19:36
* CaptainMorgan thinks this is a SQL-A migrate/alembic option that needs to grow		19:36
ayoung	OK...what if...	19:37
ayoung	1. we modigy migration 1 and 2 for fedration like you;ve done	19:37
CaptainMorgan	i think the sanity check is just broken actually.	19:37
CaptainMorgan	we need a hacking check or something else to force conformity	19:37
ayoung	and then also add a migration 3 that converts the table..why would that trigger the sanity check?	19:37
CaptainMorgan	ayoung, if the tables are already broken, not innodb/utf8 you can't run migration3	19:38
ayoung	GAH that sanity check is breaking things	19:38
ayoung	that needs to die	19:38
CaptainMorgan	sanity_check is causing the issue	19:38
ayoung	revert that	19:38
CaptainMorgan	not something to revert	19:38
* ayoung tempted to f(&^(&uing monkey patch it out of existence		19:38
ayoung	yes it is...	19:38
CaptainMorgan	this is a discussion to be had with oslo team	19:38
CaptainMorgan	not something we can simply revert i meant	19:39
ayoung	Yeah, I know	19:39
ayoung	but...	19:39
ayoung	damn short sighted	19:39
CaptainMorgan	and we can't disable the sanity check easily from the CLI	19:39
CaptainMorgan	if so, i would put some exceptional handling in	19:39
CaptainMorgan	it's burried	19:39
* CaptainMorgan did this chase the last time this happened		19:39
CaptainMorgan	since it is rare - most deployers run with sane defaults (UTF8 and innodb by default) this is an edge case.	19:40
CaptainMorgan	i think the sanity check is inherited from grizzly era fwiw	19:40
ayoung	can we make that an external utility that is run, then	19:41
ayoung	keystone-manage db_unfsck	19:41
CaptainMorgan	hah	19:41
CaptainMorgan	ooh wait a sec... this might have changed some.	19:41
CaptainMorgan	ah we can work around it now i think...	19:41
CaptainMorgan	we can add an explicit sanity_check=False now	19:42
CaptainMorgan	that wasn't doable before	19:42
CaptainMorgan	so we can move that logic to a migration	19:42
CaptainMorgan	but the sanity_check=false has to be in migration_helpers still	19:43
CaptainMorgan	so it just changes the migration method from _fix_federation_tables to migrate_version(xxx)	19:43
CaptainMorgan	with an explicit no sanity_check passed fro that version	19:43
* CaptainMorgan is still not pleased about this.		19:43
*** Akshik has joined #openstack-keystone		19:44
*** CaptainMorgan is now known as morganfainberg		19:50
*** spandhe_ has joined #openstack-keystone		19:51
*** joesavak has quit IRC		19:52
*** spandhe has quit IRC		19:53
*** spandhe_ is now known as spandhe		19:53
dolphinator	morganfainberg: before i put it up for review, http://cdn.pasteraw.com/r00yrj2ide6z9j70wslrnfkdrma6a57	19:58
*** _cjones_ has joined #openstack-keystone		20:01
*** joesavak has joined #openstack-keystone		20:02
lbragstad	dolphinator: http://cdn.pasteraw.com/r00yrj2ide6z9j70wslrnfkdrma6a57 looks good	20:09
ayoung	morganfainberg, so we going to pass "sanity-check=False" and then run the migrations?	20:10
ayoung	or maybe just let --sanioty-check be passed in on the command line?	20:10
morganfainberg	ayoung, sure. we can probably do that now. but i'm worried it'll become the norm to run it that way :P	20:11
breton	wow, wait	20:11
breton	you are planning to run all migrations with sanity_check=False?	20:12
ayoung	morganfainberg, So, I think that we can have gate/devstack run with sanity check enabled, and make it a flag to keystone-manage db_sync	20:12
morganfainberg	breton, no	20:12
ayoung	breton, no, we are planning on making it possible to run that way so we can unwedge people	20:12
morganfainberg	breton, well i think we need to make sanity_check change a lot, because as it stands you can get people wedged.	20:12
morganfainberg	but that aside	20:12
morganfainberg	no, only if its needed to fix a problem where someone is wedges	20:12
morganfainberg	wedged*	20:12
morganfainberg	it's poorly designed in that if you end up with a db w/ tables that don't have innodb/utf8 you cannot run any migrations. but it was totally valid to end up in that state via migrations because it wasn't enforced	20:13
morganfainberg	you can't even run a migration to fix the state of the db.	20:13
breton	so it will be per-migration?	20:13
morganfainberg	breton, it'll be for a specific set of migrations that need it - in the case they need it	20:14
morganfainberg	aka a deployer is wedged	20:14
ayoung	breton, I think we want the sanity check run at the end, not the beginning	20:14
ayoung	running it a-priori just makes it impossible to fix thigns	20:14
ayoung	things	20:14
openstackgerrit	Merged openstack/keystone: Fixes bug in SQL/LDAP when honoring driver_hints https://review.openstack.org/161702	20:14
morganfainberg	ayoung, that doesn't fix thing really either. i think sanity check needs to be something that migrate tools can turn off where needed	20:14
morganfainberg	not something that wraps it	20:14
*** _cjones_ has quit IRC		20:14
morganfainberg	aka alembic / sql-a-migrate	20:14
ayoung	but running it after all migrations, or after each migration even, will at least report the error where it happens	20:15
morganfainberg	ayoung, sure.	20:15
ayoung	but...running it at the end probably is the best short term hack	20:15
dstanek	morganfainberg: for https://review.openstack.org/#/c/159803/10 - existing migrations are being changed. if they have already been run then the tables won't be utf-8 right?	20:15
ayoung	it lets you run, but then reports and error that says "you did something dumb"	20:15
morganfainberg	dstanek, that is correct, which is why the code in migration_helpers exists.	20:15
morganfainberg	dstanek, you can't unwedge easily with a migration.	20:15
*** nellysmitt has quit IRC		20:15
ayoung	morganfainberg, you coukld if there were no sanity check	20:15
morganfainberg	dstanek, because sanity_check prevents you from running any migrations	20:15
ayoung	migration 3 could add the innodb to tables that were imporoerly defined	20:16
ayoung	ok...we are in alignment	20:16
morganfainberg	yeah	20:16
ayoung	morganfainberg, let me know what you plan on doing. I'd rather not have federation speciofic code in the migration helper	20:16
morganfainberg	ayoung, there will be some specific code, i am hesitant to make --no-sanity checka cli option	20:17
morganfainberg	but i think we can be better about it	20:17
* morganfainberg has a thought on how to handle this nicely		20:17
morganfainberg	let me deal with the internal-HP-It issue i'm fighting right now.	20:17
ayoung	morganfainberg, I would be more ok with a keystone-manage db_innodbify approach	20:17
ayoung	if the migratio0n fails, they can run it by hand	20:17
morganfainberg	then i'll post the change i'm thinking	20:17
openstackgerrit	Dolph Mathews proposed openstack/keystone: Drop Fernet token prefixes & add domain-scoped Fernet tokens https://review.openstack.org/162031	20:18
morganfainberg	ayoung, nah, have a better idea ;)	20:18
openstackgerrit	Dolph Mathews proposed openstack/keystone: Remove redundant creation timestamp from fernet tokens https://review.openstack.org/161897	20:18
openstackgerrit	Dolph Mathews proposed openstack/keystone: Remove the expiration timestamp from Fernet tokens https://review.openstack.org/161774	20:18
ayoung	morganfainberg, cool	20:18
morganfainberg	ayoung, way better idea actually ;)	20:18
morganfainberg	i think you'll like it	20:18
dstanek	morganfainberg: for this specific review?	20:18
morganfainberg	dstanek, yes	20:18
morganfainberg	dstanek, and anytime this comes up in the future.	20:18
dstanek	ok, i'll continue onto other things	20:18
ayoung	morganfainberg, I have an intern candidate on the way, and then need to go get the kids...so I'll likely not get to it until later tongith or this weekend. send it via email, please	20:18
morganfainberg	ayoung, it can wait till monday	20:19
morganfainberg	ayoung, s/wait till monday/till this weekend.	20:19
openstackgerrit	Dolph Mathews proposed openstack/keystone: Convert audit_ids to bytes https://review.openstack.org/160993	20:19
morganfainberg	or whatever.	20:19
*** _cjones_ has joined #openstack-keystone		20:21
bknudson	what's a weekend?	20:21
morganfainberg	bknudson, that thing that most people go outside and get burned by the daystar during	20:22
ayoung	bknudson, when parenting duties take priority	20:22
bknudson	sounds terrible.	20:22
morganfainberg	or when people shovel more snow to so the can take kids elsewhere	20:22
ayoung	bknudson, you have no idea	20:22
stevedore	wee-kend?	20:24
stevedore	i am unfamiliar with this word	20:24
*** _cjones_ has quit IRC		20:26
*** _cjones_ has joined #openstack-keystone		20:27
*** dnalezyt has joined #openstack-keystone		20:27
*** dnalezyt has quit IRC		20:28
*** dnalezyt has joined #openstack-keystone		20:28
dstanek	weekend is when you can drink in the early afternoon and not get fired	20:29
*** dnalezyt has quit IRC		20:30
*** dnalezyt has joined #openstack-keystone		20:30
openstackgerrit	Dolph Mathews proposed openstack/keystone: Drop Fernet token prefixes & add domain-scoped Fernet tokens https://review.openstack.org/162031	20:31
openstackgerrit	Dolph Mathews proposed openstack/keystone: Remove redundant creation timestamp from fernet tokens https://review.openstack.org/161897	20:31
openstackgerrit	Dolph Mathews proposed openstack/keystone: Remove the expiration timestamp from Fernet tokens https://review.openstack.org/161774	20:31
openstackgerrit	Dolph Mathews proposed openstack/keystone: Convert audit_ids to bytes https://review.openstack.org/160993	20:31
*** radez is now known as radez_g0n3		20:32
dstanek	oh, no; the split off into keystone.resource has turned our circular dependency into a figure 8	20:33
dolphinator	dstanek: lol	20:33
*** henrynash has joined #openstack-keystone		20:33
*** ChanServ sets mode: +v henrynash		20:33
dstanek	it was identity <- -> assignment and not it's identity <- -> assignment && identity <- -> resource && assignment <- -> resource	20:34
dolphinator	stevedore: weekend is 48 hour period in which canadians celebrate not having to commute across the frozen wasteland for work	20:34
dolphinator	stevedore: but you work remotely so you wouldn't know	20:34
stevedore	dolphinator, the wife says i'm a delicate flower since i don't commute in, and complain that it's cold	20:36
lbragstad	stevedore: lol	20:37
stevedore	meanwhile she walks	20:37
dolphinator	stevedore: /nick delicate_flower please	20:37
lbragstad	++	20:37
stevedore	working remotely has turned me soft, figuratively and literally	20:37
henrynash	bknudson: when you have a moment, perhaps you could see if you are happy with my changes to your comments on: https://review.openstack.org/#/c/158752/27	20:38
stevedore	henrynash, you should know bknudson is never 'happy', he is just less angry with code	20:39
*** dencaval has quit IRC		20:39
dstanek	stevedore: i'll get you the t-shirt	20:39
stevedore	sweet	20:39
bknudson	henrynash: I actually had some comments from last night I forgot to hit the review button on.	20:39
henrynash	bknudson: np :-)	20:40
dstanek	henrynash: oh, no. you'll never get it through ;-)	20:40
henrynash	dstanek: oh ye of little faith :-)	20:41
bknudson	henrynash: it's close... would like to see the spec updated with the other resources.	20:41
henrynash	bknudson: the domain-config-group etc.?	20:42
bknudson	henrynash: yes.	20:42
*** raildo has quit IRC		20:42
bknudson	the previous patch set was correct with the relationship, but the relationship wasn't documented in the spec.	20:43
henrynash	bknudson: sure, we can do that….I know the spec is theoretically frozen, but I would think that whould be a reasonable fix to it	20:43
bknudson	henrynash: well, if this is going to be experimental then these resources shouldn't show up in the JSONHome	20:44
bknudson	especially since ?experimental for JSON Home never got implemented.	20:44
* henrynash bknudson: really? I thought we would show these in Json hoe, but have a hints status of experimental…that’s actually in a follow on patch, see:		20:46
henrynash	https://review.openstack.org/#/c/160032/	20:46
henrynash	bknudson: a reasonable argumetn would be that this experimental setting should be merged with this api patch	20:47
bknudson	henrynash: ok... I don't know when that was decided.	20:47
bknudson	no reason it can't work that way.	20:47
bknudson	but I don't think there's any documentation that says that's the way we do experimental in json-home?	20:48
henrynash	bknudson: so I thought it was a consquence of getting rid of extensions….instead teh API would (ideally show up in JSON HOme, but experiemantal if it was not ready for core	20:48
bknudson	http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3.html#json-home says nothing about it	20:49
*** Ephur_ has quit IRC		20:49
bknudson	ok, I didn't have time to review that one so I guess I have to live with the consequences.	20:49
henrynash	bknudson: ….I guess this will be a trial one...	20:49
stevedore	dolphinator, mosh needs scroll back	20:49
*** henrynash has quit IRC		20:50
bknudson	if we're going to make experimental in hints a thing then should be in the spec.	20:50
lbragstad	dolphinator: curious if we need to add config_fixture for default_domain_id ? https://review.openstack.org/#/c/162031/6/keystone/tests/unit/test_v3_auth.py	20:52
lbragstad	or that shouldn't matter since it's assuming the default?	20:52
*** dimsum__ has quit IRC		21:01
*** samueldmq_ has joined #openstack-keystone		21:12
dolphinator	stevedore: i assume you're in tmux ... ctrl+B and then {	21:17
dolphinator	lbragstad: it's using the default anyway	21:17
dolphinator	lbragstad: and i think those tests pass? i wrote a unit test for the new behavior	21:18
lbragstad	dolphinator: cool	21:18
*** iamjarvo has quit IRC		21:21
dolphinator	lbragstad: after your patch, an unscoped token is 140 chars. a project/domain scoped token is 164 chars, a trust scoped token is 184 chars	21:21
lbragstad	dolphinator: yep, sounds consistent with what I got, I didn't get the numbers for trust scoped though	21:22
lbragstad	dolphinator: http://cdn.pasteraw.com/gqlxmxkgqaenro9n66gonwmghy8p9jm	21:23
dolphinator	lbragstad: did you try bootstrap again?	21:23
lbragstad	dolphinator: I'll repull and try it	21:23
openstackgerrit	Merged openstack/keystone: Update developer docs landing page https://review.openstack.org/161475	21:23
lbragstad	dolphinator: works now! http://cdn.pasteraw.com/ee836ujdvfip72m6g5yb7663jg5l5de	21:25
dolphinator	lbragstad: yay!	21:31
dolphinator	now if only ansible 1.9 would come out i could run playbooks against gerrit	21:32
*** harlowja_away has quit IRC		21:34
openstackgerrit	Lance Bragstad proposed openstack/keystone: Convert audit_ids to bytes https://review.openstack.org/160993	21:34
lbragstad	jorge_munoz: fixed ^	21:35
jorge_munoz	lbragstad: thanks	21:35
*** iamjarvo has joined #openstack-keystone		21:35
*** dimsum__ has joined #openstack-keystone		21:41
sigmavirus24	/goto api	21:43
sigmavirus24	'scuse me	21:44
*** topol has quit IRC		21:45
dolphinator	bknudson: would that DB2 CI job be trying to cherry pick changes onto a custom code base?	21:46
dolphinator	bknudson: i'm just trying to figure out how the error message makes any sense ("This change depends on a change that failed to merge.")	21:47
bknudson	dolphinator: I think there's actually lots of reasons for a "failed to merge error"... e.g., any time there's an issue early on it says it failed to merge.	21:47
dolphinator	bknudson: fair enough	21:47
bknudson	dolphinator: I sent enough angry emails around here that I think we'll see some action on this (or I'll be available)	21:48
dolphinator	bknudson: i came across a job that succeeded from this morning, so it might only be failing intermittently (although I've seen a lot of failures!)	21:49
dolphinator	bknudson: lol thanks	21:49
bknudson	dolphinator: it needs to be more stable otherwise it's not useful... I thought that the keys were revoked already so I'm surprised it's still reporting.	21:50
dolphinator	bknudson: the keys?	21:53
bknudson	dolphinator: infra can disable external CI from reporting or getting notifications...	21:56
dolphinator	bknudson: ah, if that's happened, i'm not aware of it	21:56
bknudson	http://eavesdrop.openstack.org/irclogs/%23openstack-infra/%23openstack-infra.2015-03-06.log -- 2015-03-06T19:07:47 <clarkb> anteaya: CaptainMorgan all done	21:57
*** panbalag has quit IRC		21:58
morganfainberg	dolphinator: they are also not posting useful success/failure logs.	22:01
morganfainberg	dolphinator: so unless they conform to the requirements for 3rd party CI again, it won't be enabled.	22:01
dolphinator	morganfainberg: the successful jobs have logs	22:02
dolphinator	morganfainberg: but i've never looked at them because i've never run into a legit failure	22:02
morganfainberg	Once from 2-3 days ago didn't.	22:02
morganfainberg	They were 404s	22:02
dolphinator	oh fun	22:02
morganfainberg	Yeah link was there, no logs.	22:02
bknudson	how long are we expected to keep logs?	22:02
bknudson	2-3 days ought to be enough for anyone.	22:02
morganfainberg	bknudson: I think 2wks.	22:02
morganfainberg	Might be 30days	22:02
morganfainberg	It's on the 3rd party CI guidelines.	22:03
anteaya	failure should post logs	22:03
anteaya	else how do you know what failed	22:03
anteaya	30 day log retention	22:04
anteaya	it is in the requirements section	22:04
anteaya	http://ci.openstack.org/third_party.html#requirements	22:04
morganfainberg	anteaya: yep was looking at the page for that link as you typed it :)	22:05
anteaya	:)	22:05
anteaya	it is in muscle memory	22:05
morganfainberg	^_^	22:05
bknudson	anteaya: just wondering -- what's the process for getting reenabled?	22:06
anteaya	prove to keystone that you are following all requirements as listed above	22:07
bknudson	it must be ssh keys from reading the gerrit stream that gets disabled: http://ci.openstack.org/third_party.html#reading-the-event-stream	22:07
anteaya	and provide value by commenting on patches	22:07
anteaya	then when keystone says hey anita re-enable them, I will	22:07
anteaya	or can tell infra if I am unavailable	22:08
bknudson	ok... will worry about that when it's fixed.	22:08
anteaya	basically if you are happy (and they have fulfilled listed requirements - I'm counting on folks in here to check) then I'm happy	22:08
anteaya	bknudson: yup	22:08
*** radez_g0n3 is now known as radez		22:08
anteaya	and if you see a requirement you don't know what it means, ping me and we can go over it	22:08
*** mattfarina has quit IRC		22:09
*** timcline_ has quit IRC		22:09
bknudson	anteaya: you also have a meeting for 3rd party ci?	22:09
anteaya	I'd much rather teach y'all what those mean than every.new.ci.account	22:09
anteaya	I have two	22:09
anteaya	mondays at 1500 utc and tuesdays at 0800 utc	22:09
anteaya	all welcome	22:09
bknudson	krtaylor also provides power ci here so maybe we can use him as a consultant.	22:09
anteaya	if you like	22:10
anteaya	the first problem is the system is broken and noone was watching	22:10
anteaya	don't care who fixes taht but that is the first problem that needs to be fixed	22:10
*** joesavak has quit IRC		22:11
*** dnalezyt has quit IRC		22:12
*** dimsum__ has quit IRC		22:16
*** dimsum__ has joined #openstack-keystone		22:17
*** dimsum__ has quit IRC		22:21
*** dimsum__ has joined #openstack-keystone		22:23
*** r-daneel has quit IRC		22:23
*** chlong has quit IRC		22:24
lbragstad	dolphinator: you were using depends-on recently, right?	22:28
lbragstad	jorge_munoz: was curious	22:28
dolphinator	lbragstad: i have not used it yet, but i know mostly how it works	22:29
bknudson	lbragstad: that was stevedore	22:29
lbragstad	gotcha	22:29
lbragstad	dolphinator: is it documented somewhere? searching for it now	22:31
*** radez is now known as radez_g0n3		22:31
dolphinator	lbragstad: not that i've seen, but haven't looked	22:33
lbragstad	dolphinator: http://docs.openstack.org/infra/manual/developers.html#cross-project-dependencies	22:33
stevedore	lbragstad, it was a bit finnicky	22:34
dolphinator	lbragstad: you can also do multiple Depends-On within the same repo ... so you could depend on both patch A and patch B which are not dependent on each other already, without affecting those	22:34
bknudson	stevedore: what happened?	22:35
dolphinator	lbragstad: a bunch of fernet changes are near the front of the gate	22:35
stevedore	the first patch in the chain merged, then the second patch would pass check but never entered gate	22:35
openstackgerrit	Merged openstack/keystone: Add unscoped token formatter for Fernet tokens https://review.openstack.org/161379	22:35
openstackgerrit	Merged openstack/keystone: Refactor: rename the "standard" token formatter to "scoped" https://review.openstack.org/161838	22:35
dolphinator	oh well there we go	22:36
bknudson	stevedore: you had to recheck?	22:36
openstackgerrit	Merged openstack/keystone: Refactor: remove token formatters dep on 'token_data' on create() https://review.openstack.org/161855	22:36
dolphinator	lbragstad: ^	22:36
dolphinator	lbragstad: ^	22:36
stevedore	bknudson, even after a recheck it did nothing	22:36
stevedore	bknudson, i ended up removing depends-on from the commit msg	22:36
stevedore	and then it merged	22:36
bknudson	I'm surprised they didn't get their account disabled #holdsagrudge	22:36
dolphinator	one refactor left to review before we get to fun changes if anyone is interested: https://review.openstack.org/#/c/161876/	22:36
dolphinator	bknudson: who?	22:36
*** Akshik_ has joined #openstack-keystone		22:37
openstackgerrit	Merged openstack/keystone: Add minimum release support notes for federation https://review.openstack.org/146758	22:37
lbragstad	sweet	22:38
lbragstad	jorge_munoz: bunch of stuff just merged there	22:38
*** tqtran is now known as tqtran_afk		22:39
*** Akshik has quit IRC		22:41
*** Akshik_ has quit IRC		22:42
*** dimsum__ has quit IRC		22:43
*** dimsum__ has joined #openstack-keystone		22:43
*** tqtran_afk has quit IRC		22:46
*** jorge_munoz has quit IRC		22:46
*** dimsum__ has quit IRC		22:48
*** carlosmarin has quit IRC		22:56
breton	dolphinator: re 155292: understood, thank you	22:57
*** _cjones_ has quit IRC		22:59
*** iamjarvo has quit IRC		22:59
*** henrynash has joined #openstack-keystone		23:00
*** ChanServ sets mode: +v henrynash		23:00
*** r-daneel has joined #openstack-keystone		23:02
*** henrynash has quit IRC		23:05
*** r-daneel_ has joined #openstack-keystone		23:06
*** r-daneel has quit IRC		23:07
*** _cjones_ has joined #openstack-keystone		23:07
*** r-daneel_ has quit IRC		23:10
*** r-daneel_ has joined #openstack-keystone		23:10
*** gordc has quit IRC		23:10
openstackgerrit	Brant Knudson proposed openstack/keystone: Docstring fixes in fernet.token_formatters https://review.openstack.org/162337	23:16
openstackgerrit	Dolph Mathews proposed openstack/keystone: Refactor: make Fernet token creation/validation API agnostic https://review.openstack.org/162338	23:17
dolphinator	lbragstad: so i think this is what we were discussing earlier in the week: https://review.openstack.org/#/c/162338/	23:17
dolphinator	lbragstad: that should make jorge's patch much simpler	23:18
ayoung	morganfainberg, dolphinator stevedore do we have CLI support for federation commands yet, like creating IDPs and protocols?	23:18
dolphinator	ayoung: in openstackclient?	23:18
morganfainberg	ayoung: I don't think we have direct support yet.	23:18
morganfainberg	Maybe in openstackclient. But I want to say that hasn't landed.	23:19
bknudson	ayoung: https://wiki.openstack.org/wiki/OpenStackClient/Commands#federation_protocol ?	23:19
bknudson	stevedore is all over this stuff.	23:19
bknudson	https://wiki.openstack.org/wiki/OpenStackClient/Commands#identity_provider	23:19
bknudson	they're never going to be in keystone CLI since they're v3	23:21
stevedore	ayoung, you bet it's in OSC	23:21
ayoung	ah...I have an old client. got the RPM version	23:21
stevedore	even mappings	23:21
stevedore	AH!	23:21
stevedore	dangit	23:21
ayoung	openstack 0.3.1	23:21
stevedore	that thing always gets up	23:21
stevedore	ewww	23:21
stevedore	ancient	23:21
ayoung	stevedore, well F21 was released with Icehouse	23:22
ayoung	Juno came out afterwards, so the RPMs are not yet updated, but I can get them from a repo	23:22
stevedore	yep, new ones are around	23:23
ayoung	but updateing is going to pull in all of the dependencies. I'm guessing what I have was from installing packstack, since they are not the pip versions	23:23
bknudson	TypeError: decrypt() got an unexpected keyword argument 'ttl'	23:25
bknudson	it's in the docs...	23:28
bknudson	cryptography==0.7.2	23:28
*** doug-fish has left #openstack-keystone		23:28
bknudson	>>> val2 = fernets.decrypt(val1,ttl=100) -- worked for me.	23:31
*** stevedore has quit IRC		23:31
richm	ayoung: what package version do you need?	23:31
*** mattfarina has joined #openstack-keystone		23:40
openstackgerrit	Sam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate https://review.openstack.org/156870	23:55
*** mattfarina has quit IRC		23:57
*** dimsum__ has joined #openstack-keystone		23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!