Monday, 2015-04-20

« Sunday, 2015-04-19 Index Tuesday, 2015-04-21 »
*** darrenc is now known as darrenc_afk00:12
*** darrenc_afk is now known as darrenc00:22
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Add flag to append project_id to catalog URL  https://review.openstack.org/14816600:33
*** browne has joined #openstack-keystone00:45
*** richm has joined #openstack-keystone00:57
*** lhcheng has joined #openstack-keystone00:57
*** ChanServ sets mode: +v lhcheng00:57
*** richm has quit IRC01:08
*** alex_xu has quit IRC01:18
*** alex_xu has joined #openstack-keystone01:23
*** erkules has joined #openstack-keystone01:40
*** richm has joined #openstack-keystone01:41
*** erkules_ has quit IRC01:43
*** jimbaker has quit IRC01:47
*** richm has quit IRC01:49
*** lhcheng has quit IRC01:50
*** lhcheng has joined #openstack-keystone01:51
*** ChanServ sets mode: +v lhcheng01:51
*** jimbaker has joined #openstack-keystone01:51
*** jimbaker has quit IRC01:51
*** jimbaker has joined #openstack-keystone01:51
openstackgerritDave Chen proposed openstack/keystone: Remove project association before removing endpoint group  https://review.openstack.org/17319202:07
*** stevemar has joined #openstack-keystone02:14
*** ChanServ sets mode: +v stevemar02:14
*** ayoung has quit IRC02:20
*** davechen has joined #openstack-keystone02:38
*** davechen1 has joined #openstack-keystone02:44
*** davechen2 has joined #openstack-keystone02:46
*** davechen has quit IRC02:46
*** davechen1 has quit IRC02:48
*** david-lyle has quit IRC02:55
*** jamielennox is now known as jamielennox|away02:58
*** jamielennox|away is now known as jamielennox03:03
*** lhcheng has quit IRC03:09
*** topol has joined #openstack-keystone03:12
*** ChanServ sets mode: +v topol03:12
*** topol has quit IRC03:13
*** lhcheng has joined #openstack-keystone03:34
*** ChanServ sets mode: +v lhcheng03:34
*** iamjarvo has joined #openstack-keystone03:49
*** ishant has joined #openstack-keystone04:04
*** rushiagr_away is now known as rushiagr04:20
*** boris-42 has quit IRC04:58
*** ishant has quit IRC05:13
*** _kiran_ has joined #openstack-keystone05:15
*** ishant has joined #openstack-keystone05:38
*** iamjarvo has quit IRC05:55
*** lhcheng has quit IRC06:03
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/17262406:05
*** afazekas_ has joined #openstack-keystone06:10
*** stevemar has quit IRC06:40
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Add flag to append project_id to catalog URL  https://review.openstack.org/14816606:51
*** jamielennox is now known as jamielennox|away06:52
*** browne has quit IRC06:52
*** stevemar has joined #openstack-keystone06:54
*** ChanServ sets mode: +v stevemar06:54
*** jaosorior has joined #openstack-keystone06:58
*** tsufiev has joined #openstack-keystone07:04
*** browne has joined #openstack-keystone07:05
*** amakarov has joined #openstack-keystone07:07
*** browne has quit IRC07:21
*** unixlike has joined #openstack-keystone07:27
unixlikeHi there !07:27
unixlikesorry for my english in advance07:28
unixlikeis there an possible way to configure mongodb as database backend of keystone ?  :)07:28
*** chlong has quit IRC07:29
unixlikei mean using mongo instead of mysql07:31
*** pnavarro has joined #openstack-keystone07:31
*** kiranr has joined #openstack-keystone07:38
*** _kiran_ has quit IRC07:39
*** jistr has joined #openstack-keystone07:47
openstackgerrithuanghao proposed openstack/keystone: Add unique constraint to Service.type field.  https://review.openstack.org/17529007:48
stevemarunixlike, i don't think keystone supports mongodb07:55
stevemarunixlike, but ask on the mailing list to be certain07:55
*** _kiran_ has joined #openstack-keystone07:57
*** kiranr has quit IRC07:57
*** fhubik has joined #openstack-keystone08:06
*** stevemar has quit IRC08:06
*** ajayaa has joined #openstack-keystone08:11
*** erkules has quit IRC08:13
*** erkules has joined #openstack-keystone08:13
*** fhubik is now known as fhubik_afk08:25
openstackgerrithuanghao proposed openstack/keystone: Add unique constraint to Service.type field.  https://review.openstack.org/17529008:34
*** fhubik_afk is now known as fhubik08:41
*** f13o has joined #openstack-keystone08:47
*** chlong has joined #openstack-keystone08:50
davechen2dstanek: hi David,09:08
davechen2dstanek: I just reply your question regarding to this bug (https://bugs.launchpad.net/keystone/+bug/1369388), pls kindly check it at your convenience.09:10
openstackLaunchpad bug 1369388 in Keystone "local configuration is not allowed in "keystone-paste.ini"" [Low,In progress] - Assigned to Dave Chen (wei-d-chen)09:10
*** chlong has quit IRC09:20
*** pcaruana has quit IRC09:27
*** henrynash has quit IRC09:27
*** ishant has quit IRC09:28
*** pcaruana has joined #openstack-keystone09:30
*** chlong has joined #openstack-keystone09:32
*** fhubik is now known as fhubik_afk09:33
*** fhubik_afk is now known as fhubik09:37
*** davechen2 has left #openstack-keystone09:50
*** fhubik is now known as fhubik_afk09:51
*** boris-42 has joined #openstack-keystone09:51
*** fhubik_afk is now known as fhubik09:54
*** aix has joined #openstack-keystone10:01
openstackgerritMatthieu Huin proposed openstack/keystone: Get method's class name in a python3-compatible way  https://review.openstack.org/15877710:10
*** rushiagr is now known as rushiagr_away10:38
*** fhubik is now known as fhubik_afk10:47
*** fhubik_afk is now known as fhubik11:02
*** afaranha has quit IRC11:02
*** afaranha_ has quit IRC11:03
*** fhubik is now known as fhubik_afk11:04
*** afazekas_ has quit IRC11:24
*** afazekas_ has joined #openstack-keystone11:28
*** fhubik_afk is now known as fhubik11:33
dstanekunixlike: there is a mongodb backend for caching, but not any of the actual subsystem data11:37
*** fhubik_afk has joined #openstack-keystone11:45
*** fhubik_afk has quit IRC11:46
*** fhubik_afk has joined #openstack-keystone11:46
*** fhubik_afk is now known as fhubik_meeting11:46
*** fhubik has quit IRC11:46
*** fhubik_meeting has quit IRC11:50
*** jistr has quit IRC11:57
*** chlong has quit IRC11:58
*** afazekas_ has quit IRC11:58
*** fhubik has joined #openstack-keystone11:59
*** fhubik is now known as fhubik_meeting12:00
*** jistr has joined #openstack-keystone12:03
*** henrynash has joined #openstack-keystone12:17
*** ChanServ sets mode: +v henrynash12:17
*** bknudson has quit IRC12:26
*** jamielennox|away is now known as jamielennox12:31
*** pnavarro has quit IRC12:31
*** jamielennox is now known as jamielennox|away12:32
*** pnavarro has joined #openstack-keystone12:37
*** gordc has joined #openstack-keystone12:37
*** joesavak has joined #openstack-keystone12:47
*** henrynash has quit IRC12:49
*** bknudson has joined #openstack-keystone12:55
*** ChanServ sets mode: +v bknudson12:55
*** lifeless has quit IRC13:05
*** f13o has quit IRC13:07
*** fhubik_ has joined #openstack-keystone13:08
*** richm has joined #openstack-keystone13:09
*** fhubik_meeting has quit IRC13:12
*** f13o has joined #openstack-keystone13:12
openstackgerritDavid Stanek proposed openstack/keystone: Adds proper isolation to templated catalog tests  https://review.openstack.org/17455613:13
openstackgerritVictor Sergeyev proposed openstack/keystone: Comparision of database models and migrations.  https://review.openstack.org/8063013:15
*** fhubik_ is now known as fhubik13:18
*** iamjarvo has joined #openstack-keystone13:30
*** krykowski has joined #openstack-keystone13:32
*** iamjarvo has quit IRC13:33
*** jistr_ has joined #openstack-keystone13:35
*** jistr has quit IRC13:38
*** sigmavirus24_awa is now known as sigmavirus2413:42
*** jistr_ has quit IRC13:44
*** jistr has joined #openstack-keystone13:44
*** davechen has joined #openstack-keystone13:44
openstackgerritDavid Stanek proposed openstack/keystone: Removes KVS catalog backend  https://review.openstack.org/15844213:44
*** mattfarina has joined #openstack-keystone13:45
*** henrynash has joined #openstack-keystone13:47
*** ChanServ sets mode: +v henrynash13:47
openstackgerritDavid Stanek proposed openstack/keystone: WIP: Force SQLite to properly deal with foreign keys  https://review.openstack.org/12603013:47
*** Ephur has joined #openstack-keystone13:57
*** fhubik has quit IRC13:59
*** rushil has joined #openstack-keystone13:59
dstanekanyone know if deployers take advantage of the lack of Service.type uniqueness? https://review.openstack.org/#/c/175290/14:00
dstanekdolphm: ^14:00
dolphmdstanek: not that i'm aware of14:01
dolphmdstanek: wait, that's not what i was thinking of. why on earth would you make it unique?14:02
dstanekdolphm: ok. i thought i remembered someone talking about that in the past. but i can't find record of it14:02
dolphmdstanek: i'm going to -214:03
dstanekdolphm: just did that :-(14:05
*** chrisshattuck has quit IRC14:05
*** ajayaa has quit IRC14:06
davechendstanek, dolphm: but at least it's meaningless if there is a lot of redundant entries in the tables.14:08
davechendstanek, dolphm: seems this can also be found with other enties.14:08
dstanekdavechen: what exactly happens if there are redundant entries? a traceback? can both of them have endpoints in the catalog?14:09
davechendstanek: no harm, just looks ugly. :)14:10
dstanekdavechen: about your bug comment. the reason you may have a function arg defined that is not used is that you are adhering to an interface14:11
davechendstanek: so, you think it okay if we pass a argument but we do nothing with it? I think both is okay.14:12
davechendstanek: as long as there is some information print out.14:13
openstackgerritMatthieu Huin proposed openstack/keystone: Get method's class name in a python3-compatible way  https://review.openstack.org/15877714:13
dstanekdavechen: in this case we'd have to if were want to deprecate the behavior - or maybe we could catch it a show a better error message than a traceback14:14
*** chrisshattuck has joined #openstack-keystone14:14
davechendstanek: going to rework on that patch, btw, thanks for your comment and your advice. :-D14:14
dstanekdavechen: i think in the specific case you were talking about we could just change the docs14:14
davechendstanek: hmm, there are already some docs about that.14:15
dstanekdavechen: the problem you were having it that specific filter doesn't take an additional args14:15
davechendstanek: maybe, but one thing is sure, I am going to add it in the docstring.14:17
dstanekdavechen: for example, the apps take extra args14:18
*** afazekas_ has joined #openstack-keystone14:18
davechendstanek: yes,  and dstanek, what do you think about this bug (https://bugs.launchpad.net/keystone/+bug/1403408)?14:19
openstackLaunchpad bug 1403408 in Keystone "Redundant endpoints found in the table "endpoint"" [Medium,Confirmed] - Assigned to Dave Chen (wei-d-chen)14:19
dstanekdavechen: did you see my comment there?14:19
*** henrynash has quit IRC14:20
davechendstanek: thanks, I am going to reference that bug with your comments as well.14:21
davechendstanek: so I can stop working at that :)14:22
dstanekdavechen: it's probably a good idea to put that on the agenda for tomorrow's meeting to get feedback on the backward compat issue i mentioned14:22
davechendstanek: Just notice you have post comments to both bugs. yes, I will add a agenda, but not sure I can wake up on time.14:23
*** iamjarvo has joined #openstack-keystone14:24
dstanekdavechen: add my name next to yours and if you are not around i can ask the question14:24
davechendstanek: I must struggle for several times before get up. :)14:24
davechendstanek: Great! thanks you.14:25
dstanekdavechen: np14:25
dstaneki'll also ask a little later when more people are awake.14:25
davechendstanek: where is your base, I am based in far east, so the time is bad for me.14:26
dstanekI'm in the EST timezone in the US - for me the meeting is 2PM localtime14:26
*** afazekas_ has quit IRC14:26
davechendstanek: 2 am for me. :P14:27
dstanekdavechen: yeah, i can get the answer for you. no need to be up that late for something like this14:28
*** ayoung has joined #openstack-keystone14:28
*** ChanServ sets mode: +v ayoung14:28
davechendstanek: thanks, see you tomorrow.14:29
dstanekdavechen: have a good night14:30
*** afazekas_ has joined #openstack-keystone14:30
davechendstanek: thanks, happy coding.14:31
*** davechen has left #openstack-keystone14:31
*** lifeless has joined #openstack-keystone14:32
*** chrisshattuck has quit IRC14:33
*** chrisshattuck has joined #openstack-keystone14:34
*** thedodd has joined #openstack-keystone14:34
*** afazekas_ has quit IRC14:36
*** stevemar has joined #openstack-keystone14:39
*** ChanServ sets mode: +v stevemar14:39
*** browne has joined #openstack-keystone14:39
*** f13o has quit IRC14:40
*** f13o has joined #openstack-keystone14:40
*** gordc has quit IRC14:44
*** gordc has joined #openstack-keystone14:46
*** afazekas_ has joined #openstack-keystone14:47
*** chrisshattuck has quit IRC14:48
*** chrisshattuck has joined #openstack-keystone14:52
*** chrisshattuck has quit IRC14:52
*** zzzeek has joined #openstack-keystone14:58
*** rwsu has joined #openstack-keystone15:02
*** afazekas_ has quit IRC15:08
*** browne has quit IRC15:08
openstackgerritDavid Peraza proposed openstack/keystone: Testing my keystone dev env  https://review.openstack.org/17544315:10
*** jistr has quit IRC15:14
*** ajayaa has joined #openstack-keystone15:16
*** _kiran_ has quit IRC15:18
openstackgerritDavid Charles Kennedy proposed openstack/keystone: Move endpoint catalog filtering to default driver  https://review.openstack.org/16767515:20
*** afazekas_ has joined #openstack-keystone15:21
*** krykowski has quit IRC15:23
morganfainbergdstanek: service.type can't be unique. We can make a name+type (or similar) unique to prevent duplicates from being made.15:24
morganfainbergdstanek: but unique type would break Rackspace deployment for example (if you were to be using keystone) for those who are using pre-nova compute and nova compute (public cloud)15:25
*** afazekas_ has quit IRC15:26
*** jistr has joined #openstack-keystone15:28
stevemarmorganfainberg, ++15:33
* morganfainberg would have preferred service.type be unique. But that ship has sailed.15:36
*** afazekas_ has joined #openstack-keystone15:37
dstanekmorganfainberg: that's what i thought...although i couldn't remember why15:42
*** gyee has joined #openstack-keystone15:45
*** ChanServ sets mode: +v gyee15:45
*** afazekas_ has quit IRC15:47
bknudsonis there an rc2 for keystone?15:48
*** rm_work is now known as rm_work|away15:52
*** jistr_ has joined #openstack-keystone15:53
*** tqtran has joined #openstack-keystone15:55
*** jistr has quit IRC15:56
*** _cjones_ has joined #openstack-keystone15:57
*** _cjones_ has quit IRC15:59
*** _cjones_ has joined #openstack-keystone15:59
*** henrynash has joined #openstack-keystone16:02
*** ChanServ sets mode: +v henrynash16:02
*** davidckennedy has joined #openstack-keystone16:04
*** jistr_ is now known as jistr16:05
*** davidckennedy has quit IRC16:05
morganfainbergbknudson, we just opened the window16:11
morganfainbergbknudson, like... 30 minutes ago16:11
morganfainbergso yes, now there is an RC2 for keystone we are working on.16:11
morganfainberghere is the list of bugs: https://launchpad.net/keystone/+milestone/kilo-rc216:11
*** iamjarvo has quit IRC16:11
openstackgerritMerged openstack/keystone: Loosen validation on matching trusted dashboard  https://review.openstack.org/17516916:12
*** ChanServ changes topic to "Liberty Development Open | Kilo RC2: https://launchpad.net/keystone/+milestone/kilo-rc2 | Look for RC-critical bugs | Review Liberty Keystone Specs"16:12
*** browne has joined #openstack-keystone16:21
*** iamjarvo has joined #openstack-keystone16:23
*** iamjarvo has quit IRC16:23
*** iamjarvo has joined #openstack-keystone16:24
*** thedodd has quit IRC16:24
*** jistr has quit IRC16:24
*** henrynash has quit IRC16:26
*** alexsyip has joined #openstack-keystone16:27
*** rm_work|away is now known as rm_work16:31
*** iamjarvo has quit IRC16:31
*** arunkant has quit IRC16:34
*** nkinder has quit IRC16:38
dolphmmorganfainberg: i'm assuming we can +A stable/kilo patches then16:42
morganfainbergdolphm, yep. i need to unblock one or two16:42
*** arunkant has joined #openstack-keystone16:48
*** iamjarvo has joined #openstack-keystone16:51
*** iamjarvo has quit IRC16:51
*** iamjarvo has joined #openstack-keystone16:52
*** david8hu has quit IRC16:57
*** f13o has quit IRC16:57
openstackgerritguang-yee proposed openstack/keystone: Move endpoint catalog filtering to default driver  https://review.openstack.org/16767517:03
openstackgerritDolph Mathews proposed openstack/keystonemiddleware: Refactor: extract echo_app from enclosing class  https://review.openstack.org/17548917:05
*** david8hu has joined #openstack-keystone17:06
*** ajayaa has quit IRC17:14
*** Guest36304 is now known as mgagne17:16
*** mgagne has joined #openstack-keystone17:16
*** lhcheng has joined #openstack-keystone17:17
*** ChanServ sets mode: +v lhcheng17:17
*** pnavarro has quit IRC17:29
*** harlowja_away is now known as harlowja17:38
*** edmondsw has joined #openstack-keystone17:39
lhchengdstanek: your Spidey sense tingling on https://bugs.launchpad.net/keystone/+bug/144095817:42
openstackLaunchpad bug 1440958 in Keystone "loosen validation on matching trusted dashboard" [Medium,Fix committed] - Assigned to Lin Hua Cheng (lin-hua-cheng)17:42
lhchengdstanek: the validation would still be performed on the "origin" query parameter, that didn't change.17:43
dstaneklhcheng: right, i was just pointing out that it could be possible to be attacked if the dashboard had an unvalidated redirect17:48
*** david-lyle has joined #openstack-keystone17:50
lhchengdstanek:  hmm you mean something like  http://horizon.com?origin=http://horizon.com?redirect=<bad_url>17:53
dstaneklhcheng: exactly17:54
openstackgerritMerged openstack/keystonemiddleware: Pull echo service out of auth_token.  https://review.openstack.org/16517117:54
dstaneklhcheng: i think it's unlikely since it looks like Horizon is doing the right things and Django does a great job of protecting against this sort of thing;17:56
lhchengdstanek: yeah, it is covered by django: https://github.com/django/django/commit/ec67af0bd609c412b76eaa4cc89968a2a8e5ad6a18:00
*** david-lyle_ has joined #openstack-keystone18:01
*** david-lyle has quit IRC18:01
lhchengdstanek: cool, I wasn't aware of this check until I looked it up.18:02
dstaneklhcheng: the safe URL stuff? django does a great job of protecting you. but if you don't use that then you could be vulnerable18:02
dstanekfor instance, /auth/login?next=xyz; django's auth app takes care of checking this for you, but if you make a different view that accepted a 'next' param you would have to do that yourself18:03
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/17213918:04
*** mattfarina has quit IRC18:04
ayounglhcheng, https://review.openstack.org/#/c/173669/3   finally tested.  Works correctly, and same system does not work without patch.  Any thoughts on how better to test it? AFAICT, the websso patch is not touched by unit tests, or my code would have asploded in past revisions18:04
ayounglhcheng, I'm tempted to say leave  https://bugs.launchpad.net/keystone/+bug/1440958  alone.  It is not a real problem.  What we do need is better error reporting if the match fails18:06
openstackLaunchpad bug 1440958 in Keystone "loosen validation on matching trusted dashboard" [Medium,Fix committed] - Assigned to Lin Hua Cheng (lin-hua-cheng)18:06
*** david-lyle_ is now known as david-lyle18:06
lhchengdstanek: horizon leverages the django login view for the login, which eventually goes to https://github.com/django/django/blob/002425fe39f62faafaa32e400f7531809181a1a0/django/contrib/auth/views.py#L4718:06
lhchengdstanek: so we're good.18:06
ayoungGAH  that got committed already?18:06
ayoungDamnit...I was going to say "don't do it"18:07
stevemarayoung, you approved it :)18:08
stevemarhttps://review.openstack.org/#/c/175169/18:08
ayoungstevemar, I know18:08
stevemarhehe18:08
ayoungI had a change of heart18:08
morganfainbergayoung, REVERT REVERT! Full reverse!18:08
stevemarit's not a huge issue, i like the change18:08
ayoungmorganfainberg, nah18:08
morganfainberg:P18:08
morganfainbergayoung, the change is fine.18:08
ayoungstevemar, the things is, what we really need is a list of of URLS, not just a single one18:08
ayoungright now we have highlander syndrome18:09
stevemaryou can make it a list by defining it multiple times18:09
ayoungdoes that work?18:09
stevemarit's cfg.ListOpt18:09
stevemaryep18:09
morganfainbergayoung, we have a bunch of movies each one claiming there can be only one, and a television series?18:09
stevemartrusted_dashboard = host1.com, trusted_dashboard = host2.com18:09
morganfainbergayoung, but clearly there are more than that18:10
ayoungmorganfainberg, poorly written, and no good soundtracks since Freddie passed on18:10
stevemarnew line instead of comma18:10
morganfainbergayoung, right?!18:10
*** rushil has quit IRC18:10
morganfainbergstevemar, uhm ListOpt would be: trusted_dashboard = host1.com, host2.com18:10
morganfainbergstevemar, right?18:10
morganfainbergMultiStrOpt would be multi-line18:10
ayoungHow does Keystone work?  "Its a kind of magic."18:10
morganfainbergayoung, magnets18:10
stevemarah right MultiStrOpt it what i meant18:10
stevemari was going from memory, bad idea18:11
morganfainbergstevemar, heh18:11
* morganfainberg needs coffee.18:11
* stevemar is drinking some now18:11
ayoungmorganfainberg, so...K2K means we need smarter auth plugins, right?  When performing some operation, the clients are going to need to do the whole token->saml->token thing for the user?18:12
morganfainbergayoung, yes we will need that18:12
morganfainbergayoung, this is something that should get baked into keystoneauth18:12
ayoungmorganfainberg, OK.  I think that finally gives us a way to  fix my origianl concern about Keystone18:12
ayoungwe can make it possible to dothis:18:12
ayounggot to nova and perform "create server" ....18:12
dstanekmorganfainberg: i would rather have more specific URLs than just host matching18:13
ayoungthen when nova goes to glance, client can look at the token data and say "no glance in here, let me get a token for *that*"18:13
morganfainbergdstanek, i was just explaining the opt versions not what they meant.18:13
morganfainbergdstanek, i'm ok if we switch to something better than host (or smarter if more than host is provided)18:13
dstanekmorganfainberg: ah18:13
ayoungits the same general mechanism "look at the token, determine if it will get us the next step, if not, go back to keystone..."18:14
morganfainbergayoung, sure, now if you need to be smart about *what* glance to use [this one or that one], i don't expect us to get crazy about it [let the user decide]18:14
morganfainbergayoung, but yes. - the rough edges we need tow ork out is how do we know that-cloud-over-there has glance...18:14
ayoungmorganfainberg, different issue there.  There is actually a BP for that, separate...let me link18:14
morganfainbergayoung, without having to auth and ask every-single-time.18:15
ayounghttps://review.openstack.org/#/c/132623/218:15
morganfainbergayoung, what is that?18:15
ayoungmorganfainberg, it will indicate on a given resource "which endpoint holds this"18:15
morganfainbergexcept you can't know18:16
*** mattfarina has joined #openstack-keystone18:16
ayoungso,  if the glance image you need is in a specific server, the client will be able to tell from the URL18:16
lhchengayoung: as for the test of https://review.openstack.org/#/c/173669/3 ,  I have already added a test that validates the generated redirect url. So that code path is already covered in here: https://github.com/openstack/django_openstack_auth/blob/master/openstack_auth/tests/tests.py#L860-L87218:16
morganfainbergwhat if that-cloud-over-there changes their endpoints?18:16
ayoungmorganfainberg, then the resource you just pointed to is no longer valid18:16
lhchengayoung: if the test still pass, you're good :)18:16
morganfainbergayoung, the catalog doesn't know what endpoints a remote SP has18:17
ayounglhcheng, good to know18:17
morganfainbergayoung, SPs are a top-level construct in the catalog18:17
ayoungmorganfainberg, you are thinking too hard18:17
morganfainbergayoung, today i have to ask an SP for it's catalog18:17
morganfainbergto know what services are even there18:17
* morganfainberg might be a level behind where you are18:17
morganfainbergyou're talking when a resource already exists18:17
morganfainbergi'm talking from a "i want to interact with a cloud... no specific resource *yet*"18:18
ayoungmorganfainberg, right...this is the MOC team,  think "I have a bunch of mini openstack deployments, and I need to start sharing resources between them, but no one is willing to give up control of their own cloud"18:18
morganfainbergayoung, so we still don't know what exists where - which we need to solve18:19
morganfainbergayoung, ultimately, i think we make catalog non-priv.18:19
morganfainbergthe priv version has filtering etc18:19
* ayoung thinking18:20
*** david-lyle has quit IRC18:20
morganfainbergbut the "what services do i have running" isn't unreasonable to just publish18:20
*** david-lyle has joined #openstack-keystone18:20
* ayoung thinking he needs to leave to pick up his kid from camp as it is vacation weeek...yikes18:20
ayoungmorganfainberg, just services, no endpoints?18:21
morganfainbergendpoints might be filtered18:21
morganfainbergbased upon your auth18:21
ayoung"my cloud admits to supporting nova, glance, and cinder..."18:21
morganfainbergand you need a local token anyway to interact with nova/glance/etc18:21
morganfainbergthats my thought18:21
ayounginteresting...I think that is the right level of sharing...I'll chew it over.18:21
* ayoung needs to go18:22
ayoungback online in a few18:22
*** ayoung has quit IRC18:22
dstanekgyee: responded to a few of your comments in rev9 of https://review.openstack.org/#/c/16767518:37
gyeedstanek, thanks, I'll take a look and push a patch for David18:39
*** david-lyle has quit IRC18:41
dstanekgyee: let me know if you have questions. i'm just looking to not slow everything down by default18:42
gyeesure, I'll push a patch for David Kennedy as he's in UK timezone18:47
*** rushil has joined #openstack-keystone18:49
*** iamjarvo has quit IRC18:58
openstackgerritMerged openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/17262419:09
*** iamjarvo has joined #openstack-keystone19:11
*** iamjarvo has quit IRC19:11
*** iamjarvo has joined #openstack-keystone19:12
*** iamjarvo_ has joined #openstack-keystone19:13
*** iamjarvo_ has quit IRC19:13
*** iamjarvo_ has joined #openstack-keystone19:13
*** iamjarvo has quit IRC19:16
lhchengdstanek, morganfainberg: so we'll keep the validation for the trusted_dashboard for now? or revert it back and come up with a smarter way?19:20
morganfainberglhcheng, we can keep it as is now, but we could detect if it's a full URI down the line and be more restrictive19:21
stevemargordc, ping19:23
lhchengmorganfainberg: hmm could simply change the check into: <redirect_url>.startswith (<url in trusted_dashboard>)19:23
lhchengmorganfainberg: that way, the deployer can configure how much restrictive they want it to be..19:24
*** iamjarvo_ has quit IRC19:24
morganfainberglhcheng: since it is early Liberty feel free to propose that change.19:24
gordcstevemar: whatup?19:24
morganfainberglhcheng: ping dstanek on what he'd like to see.19:25
lhchengmorganfainberg: cool, will do!19:25
stevemargordc, whats up with swift and notifications, doesn't look like it uses oslo messaging?19:25
gordcit don't19:25
gordcstevemar: swift hates oslo.19:25
gordcdon't quote me19:26
stevemargordc, sooo pycadf for swift would bomb out?19:26
gordcno... well there's away around it... let me grab you code19:26
gordchttps://github.com/openstack/ceilometermiddleware/blob/master/ceilometermiddleware/swift.py19:26
gordcstevemar: i actually build a pycadf message from api already... but it doesn't really build the same amount of detail as audit middleware19:27
gordcstevemar: i should probably port what i did for ceilometermiddleware to audit middleware tbh19:27
stevemarprobably19:27
gordcFINE! i'll do it!19:28
*** aix has quit IRC19:29
dolphmbknudson: i'm afraid i'm missing something here, so i didn't -1, but: https://review.openstack.org/#/c/127066/12/keystonemiddleware/auth_token/_auth.py19:30
stevemarwhy is swift not forced to use oslo messaging?19:31
dolphmstevemar: swift is very special19:33
stevemardolphm, seems like it19:34
stevemargosh that's annoying19:34
*** iamjarvo has joined #openstack-keystone19:35
gyeedstanek, have time for a quick chat? https://review.openstack.org/#/c/167675/9/keystone/catalog/backends/sql.py19:48
*** ayoung_ has joined #openstack-keystone19:50
*** pnavarro has joined #openstack-keystone19:51
morganfainbergdolphm, so what you're saying is... swift is ... swift?19:53
stevemarmorganfainberg, yep19:55
bknudsonwe're getting swift-boated19:56
morganfainberguh.19:57
morganfainberg......19:57
bknudsondstanek: is there an infra change for tox -e functional already?19:59
dstanekbknudson: yes, well i have it locally - was waiting for our tox target to merge19:59
bknudsondstanek: get ready to push it!19:59
dstanekbknudson: yay!20:00
*** joesavak has quit IRC20:13
*** pnavarro has quit IRC20:15
morganfainbergdstanek, on the topic of functional...20:17
morganfainbergdstanek, i wonder how hard it would be to re-use some of the functional testing for defcore [long term]20:18
morganfainberghogepodge might appreciate it if we find useful ways of doing so.20:18
dstanekmorganfainberg: can you point me to what they are doing?20:18
*** joesavak has joined #openstack-keystone20:18
* morganfainberg summons hogepodge 20:18
dstanekmorganfainberg: i could imagine we have similar goals20:19
morganfainbergdstanek, well they are working on a number of tests that can be done w/o scribbling on a DB.20:19
morganfainbergdstanek, basically a pure API test20:19
morganfainbergsome test *may* do writes, but if it requires cloud admin, it's out20:19
dstanekmorganfainberg: that's exactly what i want to see for functional tests - all black-box tests using the client or requests20:20
morganfainbergdstanek, i figured we'd continue down the functional initiative20:20
morganfainbergand start improving the tests along those lines20:20
morganfainbergbut i figured that was your goal20:21
* hogepodge appears20:21
morganfainbergthat would be "A wild hogepodge appears"20:21
morganfainberghogepodge, ^^ re testing functional20:21
morganfainberghogepodge, sooo might be helpful!20:22
dstanekhogepodge: morganfainberg says there is some kind of testing around defcore - can you point me to it?20:23
bknudsonwe need to be able to pick which functional tests to run20:24
bknudsondoes keystone do that the same way tempest does?20:24
hogepodgehttps://github.com/openstack/defcore20:24
dstanekbknudson: you mean the direction i am heading?20:24
bknudsonwe only have a few tests now, but eventually we'll have to be able to exclude some20:25
bknudsonmaybe you only want to run "smoke" tests, or maybe you only want to run read-only tests.20:25
dstaneki am currently doing things just like unit tests where you can pick using a regex for the test name20:25
dstanekfor something like that we can implement a tagging mechanism, but i don't know if that exists in testtools20:26
dstanekin the past i've done stuff like that with lettuce20:26
bknudsontempest already has a bunch of config switches20:26
dstaneki'll have to look and see how they implement it and see how easy it is to copy20:27
bknudsontempest also has test ids.20:27
*** pnavarro has joined #openstack-keystone20:28
hogepodgedstanek: https://review.openstack.org/#/c/169655/20:28
bknudsonwe should definitely have functional tests for getting a token.20:29
bknudsonand validating tokens and revoking tokens.20:30
*** spandhe has joined #openstack-keystone20:34
hogepodgeI'd like for every api endpoint that doesn't need admin credentials to have tests and added to defcore.20:35
hogepodgeThat review (which I need to update) just gets identity into the defcore capabilities and required20:35
bknudsonhogepodge: looks like you can reference tempest tests, what about keystone functional tests?20:36
hogepodgebknudson: We're looking at adding test sources so we can pull from different test suites20:37
hogepodgeThey need to be api only though, without needing admin credentials.20:37
bknudsonthe ones that we've got now don't require any credentials.20:38
hogepodgeKeep in mind that configuration is already tough with Tempest, and we're wary about adding complexity on top of the test procedures.20:38
hogepodgeHaving n test suites for n projects is going to get really difficult to handle.20:38
bknudsonmaybe we should try to make sure we can all use the same config files or something.20:39
hogepodgebknudson: ideally I want to use a minimum config anway, and endpoint, user creds, and maybe some image and network names20:39
bknudsonthere's not much you can do against keystone with just user creds by default.20:41
dstanekhogepodge: that's really interesting. do you envision using the tests from the projects?20:41
bknudsonget a token / delete a token -- get /, get /v2.0, get /v3.20:43
hogepodgedstanek: right now we have compute and storage in tempest, want to expand to identity and networking20:46
dstanekhogepodge: so i'm under the impression that tests that only hit keystone are considered functional test and don't belong in tempest...is that not correct?20:47
*** edmondsw has quit IRC20:47
bknudsonthere already are identity tests in tempest20:48
hogepodgebknudson: I just added non-admin identity tests20:48
bknudsonI provided some for using a v3 token against a v2 service some time ago... might have been removed though20:48
hogepodgedstanek: If a test is used for defcore, it can be kept in tempest as part of interoperability testing20:49
dstanekbknudson: my understanding is that those things are supposed to be moved out20:49
hogepodgethat becomes one of the criteria20:49
bknudsony, I think they're only there because we didn't have functional tests in keystone until this afternoon.20:49
dstanekso now i'm all sorts of confused because a significant number of our functional tests would be applicable to defcore20:50
hogepodgeI can't speak for him, but mtreinish seems to want to make sure defcore is a major consumer of tempest.20:50
bknudsonhttp://git.openstack.org/cgit/openstack/tempest/tree/tempest/api/identity/v3/test_tokens.py -- here they are20:50
bknudsonhere's a bunch: http://git.openstack.org/cgit/openstack/tempest/tree/tempest/api/identity/admin/v320:51
hogepodgedstanek: possibly, yes. swift already has its own major testing tree, and had a request submitted to start using their testing framework. That may become a larger model20:51
hogepodgedstanek: It's all under negotiation right now as we grow the process. We want to meet the needs of the community at large, and it's a big area for discussion.20:51
mtreinishdstanek: the contention is twofold, one if the test is a good interop test it probably also has value in the integrated test suite20:52
mtreinishsome duplication between tests isn't reall a big deal20:52
bknudsonmtreinish: once we've got it in keystone functional we delete from tempest, right?20:52
mtreinishthe second is that tempest is designed to work against any deployed cloud which is a good fit for the defcore work, the functional tests don't necessarily have to have to have that constraint20:53
mtreinishbknudson: no not always20:53
mtreinishbknudson: https://wiki.openstack.org/wiki/QA/Tempest-test-removal20:53
mtreinishonly where it makes sense20:53
* morganfainberg avoids snarky responses while obnoxious git filter tree commands run in the background20:53
dstanekmtreinish: so i've started to rewrite some of the tempest test in keystone; how do i know what should be removed from tempest?20:53
mtreinishdstanek: the parts of doing functional testing in a project tree aren't to duplicate what we've been doing in tempest20:54
mtreinishbut to be more targetted and test lower level interactions to ensure things work20:54
mtreinishdstanek: well the wiki page gives the criteria for removal20:54
bknudsonsounds like we need to consider whether a test should go in keystone or in tempest.20:55
mtreinishbknudson, dstanek: so for an example look at the 1 thing which has gone through this so far20:57
dstanekbknudson: i don't think so. i'd rather just say that our functional tests cover the usecases we care about and if there is overlap then that's OK20:57
mtreinishhttps://review.openstack.org/#/c/158852/ which was replaced with nova's: https://review.openstack.org/#/c/160423/20:57
dstanekbknudson: i like the way we'll be able to point our tests at any keystone instance and run all of the usecases20:58
*** stevemar has quit IRC20:58
bknudsondstanek: you can point tempest at any keystone and run it.20:59
mtreinishdstanek: what I really like about that example is that it checks the db to ensure things didn't get stored when they shouldnt have20:59
mtreinishthat's something functional testing can do and tempest can't20:59
dstanekbknudson: i have always had problems getting it to work on my devstack so i never followed through21:00
morganfainbergmtreinish, i would consider direct examination of the DB an exceptional case vs the norm though21:00
bknudsonso I think one target of functional testing is federation... does that go in tempest?21:00
mtreinishwell, if you constrain yourself to only testing the top level (like what tempest does) there is whole bunch of stuff you're going to miss21:00
bknudsoncatching tempest up with all the missing keystone tests is going to be a lot of work.21:00
dstanekmtreinish: i'd rather not do that if we can help it. makes the tests much more brittle21:00
dstanekmtreinish: for example, i want to run the tests and not care if the backend is LDAP, SQL or MongoDB21:01
bknudsonwe have a mongodb backend now? great! finally webscale.21:01
morganfainbergbknudson, shush :P21:01
mtreinishdstanek: my point is that what functional testing should give you is the ability to test a functional unit of keystone. Just testing through the api is already something we have and we've found we need more testing in between unit and that21:02
mtreinishbknudson: heh, I want to try webscale keystone21:02
dstanekmtreinish: right now i was planning on having functional tests only use the public api; do you know of cases where that isn't enough?21:04
mtreinishdstanek: although to be honest, I haven't really looked to closely at what you've be working on21:04
dolphmjust want to point out that lbragstad has an 18 node keystone deployment running that spans two datacenters using fernet, and for example, you can create fernet tokens in either region and have them useable in the other region immediately. (same goes for user creates and whatnot)21:04
dstanekwe only have web scale caching now :-( somebody was in there recently asking about using MondoDB for other backends21:05
bknudsonfernet is webscale21:05
dolphmkeystone is webscale!21:05
mtreinishdstanek: not with keystone, but there are tons of examples with things like neutron and nova where there are races which would be easily tested and caught21:05
dstanekdolphm: very nice21:05
mtreinishbut we can't test with limiting ourselves to going through the rest api21:05
morganfainbergdolphm, that is actually a part of fernet i was disucssing using within HP recently21:05
morganfainbergdolphm, a big push to get us really looking at fernet cause... fernet.21:05
* lbragstad cracks beers21:05
dolphmmorganfainberg: that's like, the *point* of fernet IMO lol21:05
morganfainbergdolphm, no, the point of fernet is no token persistence21:06
morganfainbergdolphm, the benefit is fernet is much much more21:06
dolphmwhich enables webscale!21:06
morganfainbergdolphm, ;)21:06
* morganfainberg stares harder at awful git filter-tree commands21:06
dolphmlbragstad: that reminds me, i got a Deschutes Saison that isn't approved for sale in TX by the TABC yet21:06
mtreinishmorganfainberg: heh, yeah it's awful21:06
bknudsonso what about federation tests, do they go in tempest for keystone?21:06
dstanekmorganfainberg: the more you look at them the worse they become21:06
morganfainbergbknudson, functional for now21:06
morganfainbergbknudson, since we have more control on the scenarios and has next to no impact on other services.21:07
bknudsonthat makes sense.21:07
morganfainbergbknudson, long term i'd like a federated IdP used for some tests in tempest21:07
bknudsonshouldn't need a whole tempest run for every possible keystone config.21:07
morganfainbergmake sure we don't miss some critical bit that makes nova/neutron break with a federated token21:07
morganfainbergbut lets start small21:07
morganfainbergand actually just test it ;)21:08
bknudsonwe should bikeshed it for a long time first.21:08
morganfainbergfor k2k we wont ever run full tempest.21:08
morganfainbergbknudson, totally21:08
morganfainbergbknudson, can we have a whole session at the summon on bikeshedding the bikeshedding?21:08
mtreinishbknudson: that's our normal path to getting everything done21:08
morganfainbergmtreinish, dstanek, working on splitting keystoneauth bits from python-keystoneclient21:09
morganfainbergis not fun21:09
dolphmmorganfainberg: last summit we stopped a sessions to define bikeshedding21:09
dolphma session*21:09
* mtreinish likes his dimly lit corner where he doesn't have to talk to anyone21:09
* morganfainberg is trying to avoid "fork keystoneclient" and then rip stuff out21:09
* morganfainberg shines a spot light on mtreinish's corner21:09
dolphmmorganfainberg: because someone asked, and then we argued over the definition of bikeshedding for a moment21:09
morganfainbergdolphm, that..21:09
morganfainbergdolphm, is so sad it's epic21:09
morganfainbergok so..21:10
morganfainbergi am about >.< close to saying "screw this" and just forking keystoneclient and ripping crap out of it21:10
morganfainberginstead of trying to filter relevant files.21:10
mtreinishmorganfainberg: are you working on something like this: http://git.openstack.org/cgit/openstack/tempest-lib/diff/tools/migrate_from_tempest.sh?id=5372a58a79ff6675756499e8fe3d00caa294d55921:10
morganfainbergmtreinish, similar21:10
morganfainbergmtreinish, but more oslo-graduation style21:10
mtreinishwhich is what I used for the original tempest-lib split21:10
morganfainbergless tempest-y21:11
mtreinishheh, that's where I stole most of it from :)21:11
morganfainberg;)21:11
morganfainbergyeah it's not fun. cause things are all inter-twined21:11
morganfainbergi don't know if i care if we carry all of keystoneclient's history in this split or not.21:11
morganfainbergi'm rapidly approaching don't get a crap.21:11
morganfainbergvs. isolated history that is.21:12
morganfainbergdolphm, dstanek, bknudson, gyee, any of you care if i just do a keystoneclient fork instead of isolating history out?21:12
dstanekmorganfainberg: nope21:13
morganfainbergmtreinish, my issue is things are pretty inter-mixed.21:13
mtreinishmorganfainberg: so we moved to just copying the file and using a list of change-ids in the commit msg21:13
bknudsonmorganfainberg: I like the history... but I've never had to deal with splitting a repo so I have no idea how hard it is to get it.21:13
mtreinishthat way if people cared they could look things up21:13
mtreinishbut we didn't have to worry about the history mess21:13
morganfainbergmtreinish, the issue here is i'd like to keep session history in repo. it's kindof a lot of things to care about to see how things changed21:14
mtreinishmorganfainberg: yeah we had that inter-mixed issue (luckily not on the initial import) which is why we gave up using the git filter-tree in the script21:14
morganfainbergbknudson, it's doable but it's less fun each time i do it. at least with middleware it was *really* just 1 small directory21:14
morganfainbergthis is not even remotely isolated.21:15
morganfainbergbknudson, this is my current filter-list: http://paste.openstack.org/show/204920/21:15
morganfainbergbknudson, i can import session21:16
morganfainbergbknudson, i could just run with that and we can just copy things back in if needed.21:16
morganfainberg i *think* that is most of the auth things.21:16
mtreinishmorganfainberg: my favorite was for whatever reason the script kept trying to pull in: http://git.openstack.org/cgit/openstack/tempest/commit/?id=ec3f7090203671f76f8886c26b36d8460858b02321:16
morganfainbergHAHA21:17
mtreinishwhich doesn't have anything to do with the current tempest tree and all of those files no longer exist21:17
bknudsonugh, not again, stable/juno global requirements update is failing: https://review.openstack.org/#/c/173123/21:18
morganfainbergbknudson, oslo.messaging21:18
morganfainbergbknudson, yay lets make stable branches of projects that never understood stable. /comfort21:18
mtreinishmorganfainberg: heh, what part of the name "stable branch" makes you think they'll be stable :)21:23
morganfainbergbknudson, https://github.com/morganfainberg/keystoneauth that is my first pass21:28
morganfainbergstill looking at tests and such21:29
morganfainbergmy goal is to make it so i can replace the stuff in ksc and it works.21:29
morganfainbergfor unit tests21:29
bknudsonneat!21:29
gyeemorganfainberg, does that history will not be preserved for the fork?21:31
gyeedoes that mean21:31
*** mattfarina has quit IRC21:37
morganfainbergbknudson, ok so passes pep8, did a couple force-pushes to my repo21:40
morganfainbergbknudson, checking unit tests and if these pass, will check coverage then see if i can make keystoneclient work through it's unit tests21:41
morganfainbergbknudson, if that all works will push the infra changes up21:41
morganfainbergthen we start hacking it up to a real release21:41
morganfainberggyee, i'm trying to hang onto the history w/o needing all of keystoneclient's history21:42
morganfainberggyee, it will either be "only keystoneauth file history" or "all of keystoneclient history"21:42
morganfainbergnot "no history"21:42
gyeethat should be fine then21:44
*** iamjarvo has quit IRC21:59
*** pnavarro has quit IRC22:04
*** david-lyle has joined #openstack-keystone22:04
*** joesavak has quit IRC22:07
*** alexsyip has quit IRC22:16
morganfainbergjamielennox|away, ping: https://github.com/morganfainberg/keystoneauth22:20
morganfainbergjamielennox|away, is there anything missing?22:20
morganfainbergjamielennox|away, i can merge in any other required files pretty easily now.22:21
openstackgerritMerged openstack/keystone: Move common checks into base testcase  https://review.openstack.org/16785222:25
openstackgerritguang-yee proposed openstack/keystone: Move endpoint catalog filtering to default driver  https://review.openstack.org/16767522:25
*** rushil has quit IRC22:25
gyeedstanek: take 12 ^^^22:26
*** bknudson has quit IRC22:26
openstackgerritSam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate  https://review.openstack.org/15687022:26
*** gordc has quit IRC22:26
*** blogan has joined #openstack-keystone22:31
dstanekgyee: sweet ill take a look after dinner22:31
blogangot a question about the keystone client authentication22:33
openstackgerritMerged openstack/keystone: Update developer doc to reference Ubuntu 14  https://review.openstack.org/17456322:33
bloganis instantiated the keystoneclient.v2_0.v2_client.Client deprecated?22:33
openstackgerritMerged openstack/keystone: Adds an initial functional test  https://review.openstack.org/15846622:33
openstackgerritMerged openstack/keystone: adds a tox target for functional tests  https://review.openstack.org/15052822:33
bigjoolshi - can someone help me please, I'm looking for the handler that deals with the websso url at /v3/auth/OS-FEDERATION/websso/kerberos?origin=foo22:33
bloganand v3 version of that22:33
openstackgerritMerged openstack/keystone: Updated from global requirements  https://review.openstack.org/17213922:33
gyeedstanek, Cavs don't play tonight :)22:39
*** _cjones_ has quit IRC22:46
*** _cjones_ has joined #openstack-keystone22:49
morganfainbergblogan, no. the client v2 object is not deprecated22:50
morganfainbergblogan, the CLI is deprecated22:50
morganfainbergblogan, from keystoneclient22:50
bloganmorganfainberg: http://docs.openstack.org/developer/python-keystoneclient/using-api-v3.html#non-session-authentication-deprecated22:51
bloganmorganfainberg: thats abotu the deprecated way to authenticate right?22:51
morganfainbergblogan, correct22:51
morganfainbergblogan, doesn't impact the actual client object, the client object should still work [and be transparent] with the new authentication methods22:51
bloganso is this deprecated then too?22:52
bloganhttps://gist.github.com/the2hill/8b2918679eb876286e6822:52
bloganmorganfainberg: ^^22:52
morganfainbergblogan, it isn't using the session mechanism, so yeah i think so.22:52
morganfainbergoh wait22:52
morganfainberghm22:52
bloganmorganfainberg: or would you suggest using the Password stuff22:52
morganfainbergno that is using session22:52
morganfainbergthat should be fine to use22:52
bloganmorganfainberg: i know, and its throwing me off22:52
morganfainbergit's about session and auth plugins.22:52
bloganmorganfainberg: okay, since it is using the session mechanism, then it should be fine22:53
morganfainbergblogan, so i think that gist is just doing inverse order22:53
morganfainbergit's not passing a session object to the client22:53
bloganmorganfainberg: so that would mean its wrong22:53
bigjoolswhich version of django_openstack_auth should I use with Juno keystone?22:53
morganfainbergit's grabbing it from the client22:53
bloganmorganfainberg: well the session that gets instantiated when then be used in novaclient or neutronclient22:53
morganfainbergblogan, i'd have to dig a bit more i'm off in git split land, but the actual client object should not be deprecated22:54
bloganmorganfainberg: is the typical way to build a session using the Password class?22:54
morganfainbergblogan, this is the reference i'll point you at: http://www.jamielennox.net/blog/2014/02/24/client-session-objects/22:55
morganfainbergblogan, it's the most concise explanation of using session that i've seen [since jamielennox|away wrote session object it helps]22:55
bloganmorganfainberg: thanks, i'll read through it, just wonder if how that gist is doing it is also okay22:57
morganfainbergblogan, the gist is inverting some logic22:57
bloganmorganfainberg: yeah thats what it seems, getting a client to get a session, seems odd22:58
morganfainbergblogan, it's not wrong but if you follow jamielennox|away's example you end up with the session independant of the client22:58
bloganmorganfainberg: yeah but we're trying to support v2 and v3, and v2 accepts tenant_name, while v3 is looking for project_name22:58
morganfainbergblogan, fwiw i expect V2 to officially deprecate in liberty22:59
bloganmorganfainberg: we're just in the testing crap out mode right now, we're probably doing soemthign wrong22:59
lifelessmorganfainberg: I hope my questions about the middleware thing are making sense22:59
morganfainberglifeless, totally did22:59
bloganmorganfainberg: ah good to know22:59
morganfainberglifeless, i tried to address the first round, haven't looked if there was a second round22:59
morganfainberglifeless, i'll respond on the ML, but the long and short is nova's g-r is the issue23:01
morganfainbergmiddleware needs to coordinate it's release with requirements.23:01
morganfainberg1.5 has flat out incompatible requirements with juno nova for example23:02
morganfainberglifeless, the interfaces are all the same23:02
morganfainberglifeless, so in this case because we run *in* the same interpreter as nova, our release needs to be in-line with nova's release.23:03
morganfainbergif we can lighten up middleware's dependencies (we are on the way) this may be less of an issue. thankfully middleware has very limited "new" functionality nova has to rely on. we pass some headers down to the app23:04
morganfainberglifeless, i'll reply to the ML thread as well but it's long-and-short middleware is in a weird place when it comes to how it interfaces with the other apps. it would be better if it stood separate from the app's interpreter, but not sure how we'd accomplish that atm23:05
morganfainberghttps://github.com/pypa/pip/issues/988 is largely at fault. but still if we have incompatible requirements we'd not be able to work with nova.23:06
morganfainbergmiddleware is again wierd. it is somewhere between a "service" and a library23:06
morganfainbergit's just implied dependencies all the way down.23:08
morganfainbergto be fair when we implemented the plugin auth it should have been a 2.x feature23:09
morganfainbergnot a 1.x.x23:09
lifelessmorganfainberg: why are the requirements incompatible?23:10
lifelessmorganfainberg: as in, is nova too tight, or middleware too tight?23:11
morganfainberglifeless, typically nova and the other services are23:11
lifelessmordred: ^ - this is an example of the known-good pathology :)23:11
mordredlifeless: reading - although I'm certain I will still disagree with you :)23:11
morganfainberglifeless, yes and i'd rather go with provided known good than the current headache23:12
lifelessmorganfainberg: right, with known-bad in-repo?23:12
morganfainberglifeless, it is currently a massive headache for me the developer, and a miserable experience for deployers23:12
morganfainberglifeless, known-bad for instance X23:12
morganfainberglifeless, not globally known-bad23:12
morganfainbergor more "discovered bad"23:12
lifelessmorganfainberg: yes.23:12
mordredit sounds like middleware did not participate properly in g-r23:13
morganfainbergmordred, it absolutely does.23:13
mordredthen how does it have a problem?23:13
morganfainbergmordred, the issue is when did we g-r bump23:13
morganfainbergmordred, 1.2, 1.3, 1.5?23:13
morganfainbergmordred, and which version can run in nova23:13
mordredah23:13
morganfainbergthat was run in juno23:13
mordredyou don't have stable release things do you?23:13
morganfainbergmordred, we do now.23:13
mordredyah23:13
mordredbecause you have to with our model currently23:14
morganfainbergbut now the question is which versions get backports?23:14
morganfainbergall of them?23:14
morganfainbergthis is getting silly :P23:14
mordrednope. only the one that's stable/kilo23:14
mordredthe others are meh23:14
morganfainbergso then how does the deployer know this.23:14
morganfainbergor how do the developers deal with it23:14
mordredthe deployer shold be deploying teh kilo release, no?23:14
morganfainbergdo we increment X in the semver model per cycle?23:14
mordredwhy would a deployer or developer care about 1.3 at this point?23:14
morganfainbergmordred, 1.3 is the one that works with juno23:14
*** alexsyip has joined #openstack-keystone23:14
mordredwhy do you think semver communicates anything here?23:15
morganfainbergmordred, 1.5 came with kilo23:15
mordredsemver is not a model that is applicable to server portions of openstack23:15
lifelessmorganfainberg: 1.5 will work with juno too though right? functionally I mean23:15
mordredit's a wasted energy23:15
morganfainbergmordred, it doesn't. that was why i was moving middleware to release with the name-d versions of te servers23:15
mordredmorganfainberg: yes23:15
morganfainberglifeless, correct.23:15
morganfainbergmordred, this discussion spun out of why this change was occuring23:15
mordredgotcha23:15
mordredI did not read far enough back23:15
mordredyeah - basically - because we do that23:16
morganfainberglifeless, in fact, 1.0.0 would work [except some security fixes that are scaaaaary]23:16
morganfainberglifeless, config options aside [some nifty config options don't work with 1.0.0]23:16
morganfainbergbut impact should be exactly zero on nova in that regard23:16
mordredif we want to decouple rather than continue to couple, we will have to change the entire release model and stable branch model, IMHO23:16
mordredand that may be a thing to do23:17
morganfainbergmordred, yeah middleware is a lib that is coupled to server releases, vs. say oslo.XXX which is a lib that is decoupled.23:17
lifelessmordred: I don't think so. There is really only one thing causing friction, and thats the requirements management - AFAICT23:17
mordredlifeless: that may be - but nobody (including you) have suggested a thing that will actually also work23:17
lifelessmordred: which is driven by multiple different audiences concerns23:17
lifelessmordred: I believe I did on that etherpad23:17
morganfainberglifeless, i'm fine with moving back sometime in the future [i'm inclined to use a swift-semver model for middleware] until we can decouple23:18
mordredlifeless: I believe we missed each other some how23:18
morganfainbergvs. the 20XX.Y.Z model23:18
mordredlifeless: because "release a known good thing" is important23:18
morganfainberglifeless, then when/if decouple happens its easy to swing it back to more open.23:18
mordredlifeless: I am not convinced that less restrictive requirements ranges will solve thigns- only produce a different as-yet-unknown set of challenges23:19
mordredthese challenges suck23:19
mordredbut we do fully grok them, bad as they are23:19
mordredso a replacement needs to be pretty fully fleshed out23:19
mordredno?23:19
lifelessmordred: fixing pip is a key part of any solution23:19
mordredwell, yeah23:19
lifelessmordred: I am tired of solutions that presume we don't fix pip. thus doing that.23:19
mordredyes.23:19
mordredif/when pip does different things, I think the conversation becomes very different23:20
lifelessmordred: as a consequence, I now want to work through solutions that presume pip is fixed (to be no worse than e.g. yum or rpm)23:20
morganfainbergmordred, agreed.23:20
mordredgotcha23:20
lifelesswe've spent way too long not fixing the fundamental tech debt23:20
lifeless</rant>23:20
mordredlifeless: I am on board with that - and I now understand the pov that you are speaking from23:20
morganfainberghey mordred: https://github.com/morganfainberg/keystoneauth23:20
mordredmorganfainberg: neat!23:21
morganfainbergit's on it's way. should have confirmation tomorrow if anything is missing. then get it to gerrit and play the "remove everything not needed"23:21
mordredmorganfainberg: this is the thing that gets me keystoneauth and a Session object?23:21
morganfainbergmordred, yep23:21
mordredwoot23:21
morganfainbergmordred, it still has a lot more dependencies than it needs.23:21
morganfainbergmordred, but this was just the split to get it out of client23:21
mordredmorganfainberg: I may have some requests for some API functions :)23:21
morganfainbergmordred, next step is do massive restructure/kill things that suck, internalize the right interfaces23:21
mordred++23:22
morganfainbergi expect to get us to a good point for a 0.xx release, with a 1.0 a little later in the cycle23:22
morganfainbergi am going to go on record both in g-r and in this project, if we do a 2.x, all interfaces are open to be broken23:22
morganfainbergno implied contract across major versions.23:23
morganfainbergi hope we don't need a 2.x, but23:23
morganfainbergif we do...23:23
mordredmorganfainberg: http://paste.openstack.org/show/204930/23:24
mordredthose are the interfaces on session I use right now23:25
mordredmorganfainberg: obviously, some of them are ugly23:25
morganfainbergcool.23:25
morganfainbergyeah23:25
mordredmorganfainberg: other than constructing the session, I never know anything other than the session23:25
mordredso have to ask it for all things23:25
morganfainbergright23:25
morganfainbergit would be nice if some of that was done for you if asked23:26
mordredmorganfainberg: I'd like to be able to query some things about service endpoints and service catalog slightly differently - but I can also just chew on the service catalog for a while23:26
morganfainbergright23:26
mordredmorganfainberg: oh - also ...23:26
morganfainbergsounds good. as soon as we have it in gerrit and stripped of the bits we don't want (oslo.serialization will go away from this thing)23:27
mordredmorganfainberg: the top one on line 1 is the special way I have to get the url for constructing the keystone client23:27
morganfainbergi'll ping ya so we can fix these things.23:27
mordredthe one on line 9 is the way the other services work :)23:27
morganfainbergksc is weird23:27
morganfainbergbecause we've mixed auth *and* interfacing with our API23:27
morganfainbergi also aim to fix that in liberty23:28
*** thedodd has joined #openstack-keystone23:30
*** rm_work is now known as rm_work|away23:31
*** arif-ali has quit IRC23:34
*** chlong has joined #openstack-keystone23:34
*** jaosorior has quit IRC23:42
*** david-ly_ has joined #openstack-keystone23:44
*** jamielennox|away is now known as jamielennox23:45
*** david-lyle has quit IRC23:45
*** sigmavirus24 is now known as sigmavirus24_awa23:46
*** david-ly_ is now known as david-lyle23:46
jamielennoxmorganfainberg: if the tests are passing that looks fine to me23:49
morganfainbergjamielennox, tests are in-fact passing23:50
jamielennoxonly thing i see is a few extra pieces in openstack/common - but no big deal23:50
morganfainbergjamielennox, once it's in gerrit we want to eliminate as much oslo as we can.23:50
jamielennoxmorganfainberg: yep, there's a number of things i want to change there23:50
morganfainbergand restructure anything that needs to be internal api/etc23:50
morganfainbergjamielennox, does cms need to live here?23:50
morganfainbergshould it live here?23:50
morganfainbergsince cms *is* related to auth-y-things23:51
jamielennoxmorganfainberg: no, i don't think so23:52
morganfainbergwell cms needs to move out of client23:52
jamielennoxmorganfainberg: i fully expect to do another keystonecommon library or something else soon, but i want this one fairly lean23:52
morganfainbergas does your positional decorator23:52
jamielennoxhmm, positional....23:52
jamielennoxdebtcollector did offer to take it23:52
jamielennoxi just wasn't sure i wanted the dependency23:52
morganfainbergwell we now have it copied in 2 repos23:53
morganfainbergkeystoneauth shouldn't be required for it23:53
morganfainbergas it's useful on it's own23:53
jamielennoxright23:53
morganfainbergso something we will need to fix23:54
morganfainbergthe plugins got renamed in their entry points23:54
jamielennoxmaybe i just convert everything to **kwargs and make sure to check them all23:54
morganfainbergdo we want to move our namespace to keystoneauth23:54
morganfainbergand just check keystoneclient as a fallback for compat?23:54
jamielennoxergh, probably23:54
jamielennoxi mean there's no requirement, it's just a label23:54
jamielennoxbut it doesn't really make sense to be keystoneclient.X23:55
morganfainbergcorrect23:55
morganfainbergi think keystoneauth makes a ton more sense23:55
jamielennoxok, well that should be ok. i'll need to fix up OSC i think because they do there own thing23:55
morganfainbergjamielennox, the other thing is we will be ok to break anything/everything in the 2.x release of this if we want to go down that path23:56
jamielennoxif we rename the label we can run them side by side - i'm not sure if that's easier or more confusing yet23:56
jamielennoxie password plugin from ksc wont conflict with ksa23:56
morganfainbergjust going on record that this is totally fine to break all the things if we increment X in semver23:56
morganfainbergnot that we have to break all the things23:57
morganfainberganyway23:57
jamielennoxyea, that's going to be a big task - but it shouldn't be required yet23:57
morganfainbergi'll work to get this into gerrit in the next couple days23:57
jamielennoxmorganfainberg: thanks for sorting that out23:57
morganfainbergsince TC meeting is tomorrow... i wanted this up for the vote23:57
morganfainbergbut it might be deferred until new TC convienes23:58
*** openstackgerrit has quit IRC23:58
jamielennoxwill this need a vote? i assumed it would just be an infra patch23:58
*** openstackgerrit has joined #openstack-keystone23:58
morganfainberggovernance patch23:58
morganfainbergsince it adds it to keystone23:58
morganfainbergneed to fix the errors here23:59
morganfainberghttps://review.openstack.org/#/c/175596/23:59
jamielennoxoh, meh - mostly a formality23:59
morganfainbergi keep forgetting '-' precedes "a" in alphabatizing23:59
« Sunday, 2015-04-19 Index Tuesday, 2015-04-21 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!