Friday, 2015-04-24

*** zzzeek has quit IRC [00:11]
*** _cjones_ has quit IRC [00:27]
*** gyee has quit IRC [00:29]
*** tqtran_ has quit IRC [00:34]
*** _cjones_ has joined #openstack-keystone [00:37]
*** _cjones_ has quit IRC [00:39]
*** bknudson has joined #openstack-keystone [01:21]
*** ChanServ sets mode: +v bknudson [01:21]
*** alexsyip has quit IRC [01:22]
*** erkules_ has joined #openstack-keystone [01:36]
*** erkules has quit IRC [01:38]
*** _cjones_ has joined #openstack-keystone [01:39]
*** harlowja is now known as harlowja_away [02:02]
*** xianghuihui has joined #openstack-keystone [02:02]
*** xianghuihui has quit IRC [02:09]
*** tqtran has joined #openstack-keystone [02:19]
*** TommyTheKid has quit IRC [02:20]
*** tqtran has quit IRC [02:24]
*** _cjones_ has quit IRC [02:24]
*** ayoung has quit IRC [02:56]
*** lhcheng has quit IRC [03:04]
*** richm has quit IRC [03:07]
*** spandhe has quit IRC [03:13]
*** samueldmq has quit IRC [03:20]
*** lhcheng has joined #openstack-keystone [03:39]
*** ChanServ sets mode: +v lhcheng [03:39]
*** rushiagr_away is now known as rushiagr [03:40]
openstackgerrit: Merged openstack/keystone-specs: New attributes for SAML assertion https://review.openstack.org/174462 [03:40]
*** xianghuihui has joined #openstack-keystone [03:40]
*** xianghuihui has quit IRC [03:40]
*** xianghuihui has joined #openstack-keystone [03:41]
*** xianghuihui has quit IRC [03:41]
*** lhcheng_ has joined #openstack-keystone [03:42]
*** lhcheng has quit IRC [03:42]
*** spandhe has joined #openstack-keystone [03:51]
*** spandhe_ has joined #openstack-keystone [03:54]
*** spandhe has quit IRC [03:56]
*** spandhe_ is now known as spandhe [03:56]
*** rushiagr is now known as rushiagr_away [04:00]
*** rushiagr_away is now known as rushiagr [04:02]
*** _cjones_ has joined #openstack-keystone [04:08]
*** _cjones_ has quit IRC [04:13]
*** lhcheng_ has quit IRC [04:49]
*** lhcheng has joined #openstack-keystone [04:49]
*** ChanServ sets mode: +v lhcheng [04:49]
*** markvoelker_ has quit IRC [04:51]
*** tqtran has joined #openstack-keystone [04:53]
morganfainberg: jamielennox|away: wanted to discuss ayoung's access info when you have time. I'd like to move on that initiative but get it in the right place(es). [05:00]
*** browne has joined #openstack-keystone [05:03]
*** rushiagr is now known as rushiagr_away [05:06]
*** kiran-r has joined #openstack-keystone [05:15]
*** lhcheng has quit IRC [05:29]
*** afazekas has quit IRC [05:31]
openstackgerrit: Steve Martinelli proposed openstack/keystone: Update openid connect docs to include other distros https://review.openstack.org/173043 [05:35]
*** e0ne has joined #openstack-keystone [05:43]
*** e0ne is now known as e0ne_ [05:43]
*** e0ne_ is now known as e0ne [05:43]
*** e0ne has quit IRC [05:45]
*** afazekas has joined #openstack-keystone [05:49]
*** ajayaa has joined #openstack-keystone [05:50]
*** _cjones_ has joined #openstack-keystone [05:57]
*** rushiagr_away is now known as rushiagr [06:01]
*** david-ly_ has joined #openstack-keystone [06:01]
*** _cjones_ has quit IRC [06:02]
*** david-lyle has quit IRC [06:03]
*** josecastroleon has joined #openstack-keystone [06:03]
*** tqtran has quit IRC [06:14]
*** stevemar has quit IRC [06:32]
*** chlong has quit IRC [06:39]
*** krykowski has joined #openstack-keystone [07:11]
openstackgerrit: Marek Denis proposed openstack/python-keystoneclient: Move federated auth plugins to separate repo. https://review.openstack.org/176727 [07:18]
openstackgerrit: Marek Denis proposed openstack/python-keystoneclient: Standardize federated auth token scoping https://review.openstack.org/176759 [07:18]
*** tqtran has joined #openstack-keystone [07:23]
*** tqtran has quit IRC [07:27]
*** browne has quit IRC [07:42]
*** jistr has joined #openstack-keystone [07:44]
*** e0ne has joined #openstack-keystone [07:47]
*** e0ne has quit IRC [07:49]
*** lhcheng has joined #openstack-keystone [07:51]
*** ChanServ sets mode: +v lhcheng [07:51]
*** e0ne has joined #openstack-keystone [07:53]
*** e0ne has quit IRC [08:05]
*** e0ne has joined #openstack-keystone [08:09]
*** jistr is now known as jistr|mtg [08:09]
*** e0ne has quit IRC [08:11]
*** lhcheng has quit IRC [08:13]
*** fhubik has joined #openstack-keystone [08:14]
*** pnavarro has joined #openstack-keystone [08:14]
*** lhcheng has joined #openstack-keystone [08:20]
*** ChanServ sets mode: +v lhcheng [08:20]
*** aix has joined #openstack-keystone [08:40]
*** lhcheng has quit IRC [08:58]
*** fhubik is now known as fhubik_afk [09:07]
*** e0ne has joined #openstack-keystone [09:10]
*** ncoghlan has quit IRC [09:12]
*** e0ne is now known as e0ne_ [09:16]
*** e0ne_ has quit IRC [09:21]
*** bdossant has joined #openstack-keystone [09:25]
*** jistr|mtg is now known as jistr [09:32]
*** _cjones_ has joined #openstack-keystone [09:34]
*** e0ne has joined #openstack-keystone [09:35]
*** henrynash has quit IRC [09:35]
*** fhubik_afk is now known as fhubik [09:38]
*** _cjones_ has quit IRC [09:39]
*** henrynash has joined #openstack-keystone [09:44]
*** ChanServ sets mode: +v henrynash [09:44]
*** jaosorior has joined #openstack-keystone [09:46]
*** henrynash has quit IRC [09:50]
*** henrynash has joined #openstack-keystone [09:53]
*** ChanServ sets mode: +v henrynash [09:53]
*** henrynash has quit IRC [09:53]
*** markvoelker has joined #openstack-keystone [10:06]
*** jdennis has quit IRC [10:07]
*** fhubik has quit IRC [10:11]
*** markvoelker has quit IRC [10:11]
*** fhubik has joined #openstack-keystone [10:11]
*** fhubik has quit IRC [10:16]
*** fhubik_afk has joined #openstack-keystone [10:16]
*** fhubik_afk is now known as fhubik [10:16]
*** Bsony has joined #openstack-keystone [10:20]
*** samueldmq has joined #openstack-keystone [10:24]
samueldmq: morning [10:25]
*** spandhe has quit IRC [10:26]
marekd: morganfainberg: re: Indeed we haven't released ksc-saml2 repo yet, but ksc already has support for federated plugins so I feel we should support some backwards compatibility. Until now we didn't expect users to provide 'protocol' value, now I feel we should. For some time (two releases of ksc?) we should probably warn that soon this parameter will be required, and later complain painfully when they don't provide it. [10:26]
marekd: morganfainberg: https://review.openstack.org/#/c/176727/3/keystoneclient/contrib/auth/v3/federation.py [10:26]
openstackgerrit: Merged openstack/keystone-specs: Tokenless authz with X.509 SSL client cert https://review.openstack.org/177019 [10:27]
*** fhubik_afk has joined #openstack-keystone [10:37]
*** fhubik has quit IRC [10:41]
*** dguerri is now known as _dguerri [10:59]
*** _dguerri is now known as dguerri [11:00]
*** markvoelker has joined #openstack-keystone [11:07]
*** markvoelker has quit IRC [11:12]
*** e0ne is now known as e0ne_ [11:13]
samueldmq: hi, do we have a liaison for API consistency around services? iirc dolphm was it, am I right? [11:19]
*** dguerri is now known as _dguerri [11:20]
*** e0ne_ has quit IRC [11:23]
*** _cjones_ has joined #openstack-keystone [11:23]
*** _cjones_ has quit IRC [11:27]
marekd: All, is there any reason why versionutils.deprecated were not implemented in keystoneclient? [11:29]
*** _dguerri is now known as dguerri [11:37]
*** amakarov_away is now known as amakarov [11:38]
*** e0ne has joined #openstack-keystone [11:43]
breton: marekd: there is a spec about that from bknudson afair [11:48]
openstackgerrit: Merged openstack/keystone: Update openid connect docs to include other distros https://review.openstack.org/173043 [11:49]
*** fhubik_afk has quit IRC [11:50]
marekd: breton: https://blueprints.launchpad.net/python-keystoneclient?searchtext=deprecate that's all I could find. [11:50]
marekd: and the closest is that one https://blueprints.launchpad.net/python-keystoneclient/+spec/deprecations [11:50]
marekd: https://review.openstack.org/#/c/147026/ [11:51]
*** markvoelker has joined #openstack-keystone [11:54]
*** diegows has joined #openstack-keystone [11:57]
*** EmilienM has quit IRC [12:01]
*** EmilienM has joined #openstack-keystone [12:01]
*** erkules_ is now known as erkules [12:11]
*** erkules has joined #openstack-keystone [12:11]
breton: marekd: https://review.openstack.org/#/c/153881/ [12:21]
marekd: breton: i wonder how does this spec correspond to https://blueprints.launchpad.net/python-keystoneclient/+spec/deprecations [12:24]
*** ashishjain has joined #openstack-keystone [12:33]
*** raildo has joined #openstack-keystone [12:39]
marekd: bknudson: Hi. Do you predict any progress regarding https://review.openstack.org/#/c/153881/ ? [12:39]
bknudson: marekd: y, I need to look into debtcollector. [12:42]
*** bknudson has quit IRC [12:42]
openstackgerrit: Boris Bobrov proposed openstack/keystone-specs: Do not add new 'db' command and subcommands for it https://review.openstack.org/177219 [12:44]
openstackgerrit: Boris Bobrov proposed openstack/keystone-specs: Target Alembic for Liberty https://review.openstack.org/177220 [12:44]
openstackgerrit: Boris Bobrov proposed openstack/keystone: alembic initial support https://review.openstack.org/150057 [12:46]
openstackgerrit: Boris Bobrov proposed openstack/keystone: Use migration_cli for db migrations https://review.openstack.org/147548 [12:46]
*** diegows has quit IRC [12:46]
*** ajayaa has quit IRC [12:51]
openstackgerrit: Marek Denis proposed openstack/python-keystoneclient-saml2: Standardize federated auth token scoping https://review.openstack.org/177227 [12:51]
*** e0ne is now known as e0ne_ [12:53]
*** e0ne_ is now known as e0ne [12:55]
*** afazekas has quit IRC [12:55]
*** henrynash has joined #openstack-keystone [12:56]
*** ChanServ sets mode: +v henrynash [12:56]
openstackgerrit: OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/177232 [12:58]
raildo: henrynash, ping, can you see the ericksonsantos's comment in the patch set 13, here: https://review.openstack.org/#/c/158720/ ? [13:01]
henrynash: will do…will check a bit later… [13:02]
*** henrynash has quit IRC [13:02]
*** gordc has joined #openstack-keystone [13:04]
*** ajayaa has joined #openstack-keystone [13:07]
*** jbonjean has left #openstack-keystone [13:10]
*** richm has joined #openstack-keystone [13:11]
openstackgerrit: Marek Denis proposed openstack/python-keystoneclient-saml2: Refactor SAML2 auth plugins https://review.openstack.org/176746 [13:12]
*** jdennis has joined #openstack-keystone [13:13]
openstackgerrit: Marek Denis proposed openstack/python-keystoneclient-saml2: Standardize federated auth token scoping https://review.openstack.org/177227 [13:13]
*** afazekas has joined #openstack-keystone [13:13]
*** davechen has joined #openstack-keystone [13:15]
*** kiran-r has quit IRC [13:18]
*** rushil has joined #openstack-keystone [13:19]
openstackgerrit: Marek Denis proposed openstack/python-keystoneclient-saml2: Standardize federated auth token scoping https://review.openstack.org/177227 [13:20]
*** rushil has quit IRC [13:20]
*** rushil has joined #openstack-keystone [13:21]
openstackgerrit: Cyril Roelandt proposed openstack/python-keystoneclient: Print an error message when no tenant is specified https://review.openstack.org/148305 [13:23]
*** mattfarina has joined #openstack-keystone [13:27]
openstackgerrit: Marek Denis proposed openstack/keystone: Correctly handle direct mapping with keywords https://review.openstack.org/175980 [13:31]
*** diegows has joined #openstack-keystone [13:32]
*** ayoung_ has joined #openstack-keystone [13:34]
*** ajayaa has quit IRC [13:42]
*** ajayaa has joined #openstack-keystone [13:43]
*** bknudson has joined #openstack-keystone [13:44]
*** ChanServ sets mode: +v bknudson [13:44]
*** rushiagr is now known as rushiagr_away [13:44]
*** ayoung_ is now known as ayoung [13:46]
dolphm: samueldmq: i think there are several of us that would fit that description, but what's up? [13:48]
*** ashishjain has quit IRC [13:49]
samueldmq: dolphm, hi, some services (I know nova and cinder) throw 400 when use try to use an unscoped or domain scoped token [13:54]
samueldmq: dolphm, I think that should be 401, shouldn't ? [13:54]
*** diegows has quit IRC [13:54]
samueldmq: dolphm, I was wondering if it would be useful to have this consistent on all services, then improving UX [13:54]
htruta: dstanek, bknudson: feeling like doing some review? https://review.openstack.org/#/c/167613/ [13:56]
dolphm: samueldmq: oh that's an interesting question [13:56]
*** stevemar has joined #openstack-keystone [13:57]
*** ChanServ sets mode: +v stevemar [13:57]
dolphm: samueldmq: yeah, that should be a 401. you have at least identified yourself, but you don't carry the correct authorization for the requested action, so 401. [13:57]
samueldmq: dolphm, great, I will submit bugs for those I am seeing this [13:58]
dolphm: samueldmq: if there's an interesting argument to be had, it would be between 401 and 403, not 400 [13:58]
samueldmq: dolphm, thanks [13:58]
samueldmq: dolphm, ++ I agree [13:58]
dstanek: htruta: sure - i just need a few minutes to finish up what i'm working on [13:58]
samueldmq: dolphm, Malformed request URL: URL's project_id 'abbe4eac077b42efa5f7872925f10d93' doesn't match Context's project_id 'None' [13:58]
samueldmq: dolphm, bad ux [13:59]
htruta: dstanek: cool. [13:59]
*** dguerri is now known as _dguerri [14:01]
dolphm: samueldmq: agree, but how on earth are you getting that error message? why do you have a tenant-specific URL with an unscoped token? [14:01]
*** tqtran has joined #openstack-keystone [14:01]
dolphm: (or a domain scoped token) [14:01]
samueldmq: dolphm, I am checking all the services compatibility with v3 auth [14:01]
samueldmq: dolphm, I've tested nova, cinder, glance last night [14:02]
samueldmq: dolphm, rest api (with curl) works fine, clients with a keystone session too [14:02]
*** sigmavirus24_awa is now known as sigmavirus24 [14:03]
samueldmq: dolphm, the final goal is to have devstack using v3 auth to deploy the env (create what it needs) *and* deploying all services to use v3 auth as well [14:03]
samueldmq: dolphm, this is on morganfainberg list for L [14:03]
dolphm: samueldmq: it's on mine as well :D [14:03]
*** alex_xu has quit IRC [14:03]
samueldmq: dolphm, and then have gate jobs all working with v3 auth [14:03]
samueldmq: dolphm, o/ [14:03]
dolphm: samueldmq: i *really* want to see a gate job running asap, even if it's failing and non-voting [14:03]
*** pnavarro has quit IRC [14:04]
samueldmq: dolphm, I am still at the beginning, checking services->clients->osclient [14:04]
samueldmq: dolphm, then will modify devstack, and after the gate jobs [14:05]
*** _dguerri is now known as dguerri [14:05]
samueldmq: dolphm, I think this flow makes sense ... what you think about it ? [14:05]
dolphm: samueldmq: i saw a paste you had the other day with about 7 steps? it made sense to me [14:06]
samueldmq: dolphm, great! hmm .. you're always there ... silently :p [14:06]
dolphm: samueldmq: i'd personally modify devstack to not deploy v2 first, and then approach it from a break-fix perspective [14:06]
dolphm: samueldmq: ;) [14:07]
samueldmq: dolphm, to see things exploding [14:07]
bknudson: what step is making amends? [14:07]
samueldmq: bknudson, dolphm http://paste.openstack.org/show/205246/ [14:07]
bknudson: I don't think any cloud provider wants to use devstack. [14:08]
bknudson: seems like step 1 is to have devstack deploy keystone without v2. [14:09]
bknudson: and maybe step 0 is to change keystone so that it's easy to disable v2. [14:09]
*** afazekas has quit IRC [14:09]
samueldmq: bknudson, me neither, I dont think any of them use devstack [14:10]
samueldmq: bknudson, hmm yeah, the final goal is to get jobs running v3 auth only [14:10]
samueldmq: bknudson, how should I proceed to disable v2 ? modifying the paste config ? [14:10]
bknudson: v3 auth or v3? [14:10]
samueldmq: bknudson, both [14:11]
bknudson: the way we say to do it now is to modify the paste config [14:11]
samueldmq: bknudson, I meant running exclusively v3 [14:11]
bknudson: I don't think this is easy enough. [14:11]
bknudson: it would be easier to have a config option. [14:11]
*** vhoward has left #openstack-keystone [14:11]
samueldmq: bknudson, yeah, and devstack does it right ? (the paste config .. ) [14:11]
*** vhoward has joined #openstack-keystone [14:11]
samueldmq: I am trying to realize how to disable it on devstack [14:12]
bknudson: I don't think devstack is modifying the paste config? [14:12]
dolphm: bknudson: it's already trivial to disable v2 in keystone? [14:12]
bknudson: you have to modify the paste config now. [14:12]
dolphm: for the love of god, paste is not hard [14:13]
bknudson: he he [14:13]
dolphm: adding bullshit complexity on top of paste is not a damned solution to anything [14:13]
dolphm: i really hope you're joking [14:13]
bknudson: a lot of people don't like modifying the paste config [14:13]
bknudson: and scripting changes in the paste config isn't always easy either. [14:14]
dolphm: that's because they've never read the docs on paste and have zero understanding of wsgi [14:14]
*** alex_xu has joined #openstack-keystone [14:14]
bknudson: you also have to know where to stick the middleware in the pipeline if it's got special requirements [14:14]
bknudson: although for changing v2 it's probably just deleting lines. [14:15]
bknudson: for disabling v2 [14:15]
marekd: stevemar: Just noticed a bug (with a bug fix): https://bugs.launchpad.net/keystone/+bug/1440958 [14:16]
openstack: Launchpad bug 1440958 in Keystone "loosen validation on matching trusted dashboard" [Medium,Fix committed] - Assigned to Lin Hua Cheng (lin-hua-cheng) [14:16]
marekd: i am not sure if it's good that http://paste.openstack.org/show/205705/ would work... [14:16]
dolphm: bknudson: yep, it looks just like this https://github.com/dolph/keystone-deploy/commit/6c64ff78277101cee71d190178e496cc33c461ab#diff-667a3f5039a453b764e5e6fafc91668a [14:16]
openstackgerrit: Dave Chen proposed openstack/keystone: Fix the misuse of `versionutils.deprecated` https://review.openstack.org/176646 [14:16]
marekd: stevemar: did anybody complain about it? [14:16]
samueldmq: dolphm, btw thanks, will use it :) [14:18]
stevemar: marekd, on the phone... why is /evil_marek a bad thing? [14:18]
dolphm: bknudson: and at minimum it's a one-line delete to drop v2 for testing purposes. my diff just thoroughly removes the remaining cruft [14:18]
*** ajayaa has quit IRC [14:19]
*** lhcheng has joined #openstack-keystone [14:19]
*** ChanServ sets mode: +v lhcheng [14:19]
dolphm: two* line delete [14:19]
dolphm: samueldmq: all you *have* to do is delete the /v2.0 lines from [composite:main] and [composite:admin] https://github.com/openstack/keystone/blob/master/etc/keystone-paste.ini#L98 [14:19]
marekd: stevemar: evil_marek will intercept all the calls, he may steal the token. [14:20]
samueldmq: dolphm, nice ... btw, I could have a patch on keystone to remove it from our sample paste file [14:20]
bknudson: maybe devstack could have a config for what versions are enabled [14:20]
samueldmq: dolphm, and point to my patch on devstack local.conf [14:20]
dolphm: (but then v2 might still be advertised in the multiple choice response? i'm not sure if the v2 app factories will still be initialized or not) [14:20]
dolphm: bknudson: yeah, that toggle belongs in devstack (or whatever the deployment tooling is) [14:22]
*** davechen has left #openstack-keystone [14:23]
*** csoukup has joined #openstack-keystone [14:23]
openstackgerrit: Ioram Schechtman Sette proposed openstack/keystone-specs: Policy rules mangaged from a database https://review.openstack.org/133814 [14:23]
*** tqtran has quit IRC [14:26]
*** henrynash has joined #openstack-keystone [14:27]
*** ChanServ sets mode: +v henrynash [14:27]
samueldmq: dolphm, well, osclient looks to be working pretty well with v3 auth already [14:27]
openstackgerrit: Ioram Schechtman Sette proposed openstack/keystone-specs: Policy rules mangaged from a database https://review.openstack.org/133814 [14:29]
samueldmq: dolphm, that's great, but I still need to disable v2, since services may still be using v2 api with v3 tokens [14:29]
samueldmq: dolphm, sorry, need to go afk for a bit [14:29]
openstackgerrit: David Charles Kennedy proposed openstack/keystone: Service with no endpoints should not be in catalog https://review.openstack.org/176383 [14:33]
stevemar: marekd, an evil marek from the same host? [14:37]
marekd: stevemar: imagine host webhost provider.... [14:37]
marekd: or... i don't know personal space for cern users. [14:38]
marekd: where netloc is same for everyone, home.web.cern.ch/Name.Surname [14:39]
*** bandwidth has joined #openstack-keystone [14:46]
*** krykowski has quit IRC [14:48]
*** vhoward has quit IRC [14:51]
*** vhoward has joined #openstack-keystone [14:52]
openstackgerrit: Ioram Schechtman Sette proposed openstack/keystone-specs: Policy rules mangaged from a database https://review.openstack.org/133814 [14:52]
*** henrynash has quit IRC [14:58]
*** zzzeek has joined #openstack-keystone [14:58]
*** _cjones_ has joined #openstack-keystone [15:00]
*** Bsony_ has joined #openstack-keystone [15:04]
*** _cjones_ has quit IRC [15:05]
*** browne has joined #openstack-keystone [15:05]
*** Bsony has quit IRC [15:06]
openstackgerrit: Marek Denis proposed openstack/python-keystoneclient: Add docstrings for ``protocol`` parameter https://review.openstack.org/177303 [15:08]
stevemar: marekd, why would horizon send the token to /evil_marek? [15:11]
*** generic_ has joined #openstack-keystone [15:11]
*** e0ne is now known as e0ne_ [15:12]
generic_: exit [15:12]
*** generic_ has quit IRC [15:12]
*** ashishjain has joined #openstack-keystone [15:13]
*** e0ne_ is now known as e0ne [15:13]
*** topol has joined #openstack-keystone [15:14]
*** ChanServ sets mode: +v topol [15:14]
dstanek: stevemar: because evil_marek is more fun than marekd [15:15]
*** Bsony_ has quit IRC [15:17]
*** david-ly_ is now known as david-lyle [15:22]
stevemar: dstanek, but more evil too [15:23]
*** e0ne is now known as e0ne_ [15:29]
*** e0ne_ is now known as e0ne [15:30]
*** rm_work|away is now known as rm_work [15:30]
bandwidth: I'm trying to get the OS-FEDERATION extension work, but I'm facing an issue when asking Nova for the list of my servers. basically, the domain_id is not set: if (token_ref['token_data']['token']['user']['domain']['id'] != KeyError 'domain' [15:31]
stevemar: bandwidth, that should have been fixed in kilo or the latest middleware... [15:35]
ayoung: morganfainberg, crappy line drawing, but...https://twitter.com/admiyoung/status/591595899249385472/photo/1 [15:39]
*** ajayaa has joined #openstack-keystone [15:40]
dstanek: ayoung: what am i looking at? [15:41]
ayoung: dstanek, My attempt to convert a blank black mug into a Keystone Tchotchke [15:41]
ayoung: dstanek, it would help if I could draw a straight line. I was rushing out the door this morning, and wanted to make the mug memorable cuz I was bringing it in to the office. [15:42]
*** lhcheng_ has joined #openstack-keystone [15:42]
*** Bsony has joined #openstack-keystone [15:43]
*** Ephur has joined #openstack-keystone [15:44]
morganfainberg: Haha nice. ;) [15:45]
*** lhcheng has quit IRC [15:45]
*** ajayaa has quit IRC [15:50]
*** spandhe has joined #openstack-keystone [15:50]
*** ajayaa has joined #openstack-keystone [15:50]
*** alexsyip has joined #openstack-keystone [15:51]
stevemar: ayoung, i like it [15:57]
*** _cjones_ has joined #openstack-keystone [16:02]
*** _cjones_ has quit IRC [16:07]
*** e0ne has quit IRC [16:07]
samueldmq: ayoung, ping - I need to talk to you about dynamic policies [16:07]
ayoung: samueldmq, I need to shift gears back to that soon [16:08]
ayoung: samueldmq, dealing with ECP and SAML ATM [16:08]
samueldmq: ayoung, I am trying to get a big picture of what we've done, and what misses, etc [16:08]
samueldmq: ayoung, yeah makes sense [16:08]
ayoung: samueldmq, that is what my presentation is going to be about. I need to write it. [16:08]
samueldmq: ayoung, our team have plans to collaborate with that, so that's why I need a big picture [16:08]
samueldmq: ayoung, do you have an etherpad or something like it ? [16:09]
ayoung: samueldmq, OK, so first off is, I think, to clean up the policy file for Nova, [16:09]
samueldmq: ayoung, I see the blog post and that oslo.policy is graduated [16:09]
ayoung: samueldmq, I really can't shift gears right now [16:09]
*** gyee has joined #openstack-keystone [16:09]
*** ChanServ sets mode: +v gyee [16:09]
samueldmq: ayoung, maybe we can talk later today ? [16:09]
ayoung: we should do this on the BP page for Dynamic policy [16:09]
*** bdossant has quit IRC [16:09]
samueldmq: ayoung, k, but the general plan is still according the blog post [16:10]
ayoung: yep [16:10]
samueldmq: ayoung, I am going to write up a summary and current status, and then I validate with you later [16:11]
ayoung: samueldmq, I want to go incremental for most things, so we show real value at each release [16:11]
samueldmq: ayoung, shouldnt take lot of your time [16:11]
ayoung: but also go in parallel where possible, so multiple people can be productive [16:11]
samueldmq: ayoung, ++ [16:11]
ayoung: samueldmq, we need a sync with the Kent team [16:11]
ayoung: they are doing the DB stuff..look at that BP [16:11]
samueldmq: ayoung, do you have in mind as far as you want to go in L ? [16:11]
samueldmq: ayoung, k got it, will look the spec [16:12]
ayoung: samueldmq, let's schedule some time to talk about it, and see if we can link in Ioram [16:12]
samueldmq: ayoung, the spec you're talking specifically is Dynamic Policy Overview [16:12]
samueldmq: ? [16:12]
ayoung: samueldmq, yeah [16:12]
samueldmq: ayoung, great, yeah let's schedule some time to talk about this [16:13]
samueldmq: ayoung, also, we have the summit [16:13]
*** _cjones_ has joined #openstack-keystone [16:13]
ayoung: samueldmq, OK, so I don't know what happened to the old BP, but: https://blueprints.launchpad.net/keystone/+spec/dynamic-policy [16:16]
ayoung: need to link the other BPs to that, etc [16:17]
ayoung: and now...ECP and lunch [16:17]
*** xgerman has joined #openstack-keystone [16:18]
samueldmq: ayoung, k go, bon appetit [16:18]
xgerman: hi [16:19]
xgerman: I am from Neutron and I have a question about some use case and how other projects handle it [16:19]
*** browne has quit IRC [16:20]
samueldmq: xgerman, hi, just go ahead, ask and someone might the right answers for your questions :-) [16:21]
samueldmq: might have* :) [16:21]
xgerman: so we have some admin functionality where an admin might do stuff on behalf of a user. Currently we only check the admin tenant-id/credentials with keystone but not the if the tenant-id of the user exists the admin is doing stuff for because that would require another keystone roundtrip [16:22]
*** rm_work is now known as rm_work|away [16:22]
xgerman: any ideas how say nova or other deal with that [16:22]
dolphm: morganfainberg: are we still using kilo-rc-potential, or have we switched to kilo-backport-potential? [16:28]
morganfainberg: dolphm: if it would block the rc, aka needing an rc3. Use rc-potential. [16:29]
morganfainberg: Otherwise backport is more correct. [16:29]
dolphm: okay, so backport in this case [16:29]
morganfainberg: ++ [16:29]
dolphm: dstanek: approved https://review.openstack.org/#/c/159521/ but there are outstanding nits that should be addressed, plzkthx! [16:36]
*** jistr has quit IRC [16:36]
dstanek: dolphm: sure. [16:36]
morganfainberg: ... [16:44]
morganfainberg: It is by caffeine alone I set my mind in motion, it is by the beans of Java that thoughts acquire speed, the hands acquire shaking, the shaking becomes a warning; it is by caffeine alone I set my mind in motion. [16:44]
morganfainberg: yesssssss [16:44]
samueldmq: morganfainberg, hehe o/ [16:46]
samueldmq: The Programmer's Mantra [16:47]
xgerman: ok, posted to the ML [16:57]
morganfainberg: xgerman, more eyes on the ML in general. thanks. [16:58]
xgerman: you are welcome [16:58]
ayoung: marekd, OK, I am trying an ECP based workflow. the first thing accessed should be an URL like this, right: http://$HOSTNAME:5000/v3/OS-FEDERATION/identity_providers/ipsilon/protocols/saml2/auth [17:00]
ayoung: stevemar, ^^ [17:01]
*** browne has joined #openstack-keystone [17:02]
*** vhoward has left #openstack-keystone [17:03]
*** samleon has quit IRC [17:03]
*** samleon has joined #openstack-keystone [17:04]
*** _cjones_ has quit IRC [17:08]
*** _cjones_ has joined #openstack-keystone [17:12]
*** rm_work|away is now known as rm_work [17:12]
openstackgerrit: Merged openstack/keystone: Fix the misuse of `versionutils.deprecated` https://review.openstack.org/176646 [17:14]
openstackgerrit: Merged openstack/keystone: Remove pysqlite test-requirement dependency https://review.openstack.org/176557 [17:16]
morganfainberg: yay^ 2 libraries to switch out to be close to py3 / ready for experimental job again. [17:17]
openstackgerrit: Raildo Mascena de Sousa Filho proposed openstack/keystone: Add is_domain field in Project Table https://review.openstack.org/157427 [17:18]
openstackgerrit: Raildo Mascena de Sousa Filho proposed openstack/keystone: List projects filtering by is_domain flag https://review.openstack.org/158398 [17:19]
*** ajayaa has quit IRC [17:20]
*** spandhe has quit IRC [17:24]
*** dguerri is now known as _dguerri [17:24]
openstackgerrit: Merged openstack/keystone: Isolate injection tests https://review.openstack.org/162768 [17:25]
openstackgerrit: Merged openstack/keystone: Remove project association before removing endpoint group https://review.openstack.org/173192 [17:25]
*** _dguerri is now known as dguerri [17:25]
*** ChanServ changes topic to "Liberty Development Open | RC2 For Kilo has been tagged, please look for any new RC blockers | Review Liberty Specs" [17:29]
openstackgerrit: Merged openstack/keystone: Fixes the SQL model tests https://review.openstack.org/159521 [17:29]
openstackgerrit: Merged openstack/pycadf: Add trove conf file to setup.cfg https://review.openstack.org/176988 [17:29]
dstanek: morganfainberg: zzzeek: is there any advice for handling dogpile.cache key mangling in Python3? [17:29]
morganfainberg: dstanek, magic. [17:29]
morganfainberg: dstanek: depends on what aspect. [17:30]
dstanek: from dogpile.cache.util import sha1_mangle_key always expects input to be bytes so the obvious thing for me to always wrap the key mangler [17:30]
dstanek: but was hoping there was a better way [17:30]
openstackgerrit: Merged openstack/keystonemiddleware: Update README to work with release tools https://review.openstack.org/175913 [17:30]
zzzeek: dstanek: there’s a key mangler argument [17:30]
morganfainberg: dstanek: yeah that would be the right thing... OR fix the keymangler upstream to handle non-bytes cases [17:30]
morganfainberg: dstanek: (better solution) [17:30]
zzzeek: morganfainberg: sure [17:30]
morganfainberg: dstanek: since zzzeek is our upstream here, it's easy to bug him about this stuff :) [17:31]
dstanek: it's not obvious what the expected behavior would be? just check for text type and encode? [17:31]
morganfainberg: dstanek: as long as it results in a consistent key [17:32]
*** raildo has quit IRC [17:32]
morganfainberg: yeah [17:32]
zzzeek: dstanek: i wouldnt want to do any isinstance() in there. id want it to know up front what it will be getting [17:32]
zzzeek: dstanek: if this is an always py3k thing then we can look at compat.py3k flag [17:32]
morganfainberg: zzzeek: the issue is keymangler is parsing args [17:32]
morganfainberg: zzzeek: it might be bytes, it might be text [17:32]
morganfainberg: zzzeek: hashing requires bytes. [17:33]
morganfainberg: s/parsing/hashing [17:33]
zzzeek: morganfainberg: when would it be bytes? these are the cache keys being used with get(), put() right. we’re sending bytes-based keys? id think that’s the special case [17:33]
dstanek: exactly and right now it is always expecting bytes [17:33]
dstanek: zzzeek: but the decorator takes the args, whatever they are, and makes a key from them [17:34]
*** spandhe has joined #openstack-keystone [17:34]
zzzeek: morganfainberg dstanek : id say, “if py3k: key = key.encode()” would be the reasonable default no ? [17:34]
morganfainberg: hm. [17:34]
morganfainberg: zzzeek: if an argument is already bytes though, that might explode, no? [17:35]
dstanek: zzzeek: not because i think that will fail it is is bytes [17:35]
zzzeek: or just, “key_mangler = sha1_key_mangler_create(encoding=‘utf8’)” [17:35]
morganfainberg: zzzeek: keymangler acts on the passed argument values [17:35]
zzzeek: morganfainberg: yes, but when does that happen [17:35]
morganfainberg: zzzeek: we have cases in keystone where arguments will be typed bytes [17:35]
morganfainberg: zzzeek: because underlying things are expecting bytes, or it came in as bytes [17:35]
zzzeek: morganfainberg: oh you send one or the other arbitrarily? then use your own mangler :) [17:35]
*** raildo has joined #openstack-keystone [17:36]
morganfainberg: zzzeek: i think that is not a very friendly answer. [17:36]
dstanek: i would imagine that this is a problem for everyone in py3 [17:36]
*** _cjones_ has quit IRC [17:36]
morganfainberg: dstanek: thats my thought [17:36]
*** _cjones_ has joined #openstack-keystone [17:36]
zzzeek: morganfainberg: wasn’t meant to be unfriendly, I think the keys sent to the caching region should be of the same type in the default case [17:36]
morganfainberg: zzzeek: and by not friendly i mean, not friendly to developers. [17:36]
morganfainberg: not you personally. [17:36]
zzzeek: morganfainberg: the isinstance() thing is a hole that everyone falls into too often [17:37]
morganfainberg: zzzeek: in the case of hashing, it's important [17:37]
morganfainberg: because hashing *does* require bytes [17:37]
dstanek: that means that we'd have 2 different regions - a bytes one and a text one [17:37]
morganfainberg: and python (even py3) sucks at bytes vs text_string [17:37]
samueldmqayoung, what do you mean by 'to clean up the policy file for Nova', I dont understand clearly the work that need to be done17:37
morganfainbergdstanek: or a custom keymangler17:37
dstanekfor now i'll keep my hacked up key mangler and we can revisit later17:37
openstackgerritgordon chung proposed openstack/pycadf: drop audit middleware  https://review.openstack.org/17696917:38
ayoungsamueldmq, so...let me show17:38
dstanekmorganfainberg: yeah, that's what i already did17:38
zzzeekmorganfainberg / dstanek : clearly, having a simple function like “sha1_mangle_key” is too simplistic.   Add API to util.py such that we can get a variety of key mangler types17:38
zzzeekone that accepts only strings, one that accepts only bytes, one that checks with isinstance()17:38
morganfainbergzzzeek: sure, or maybe we offer an upstream alternative... yeah17:38
ayoungsamueldmq, basically, each rule has http://git.openstack.org/cgit/openstack/nova/tree/etc/nova/policy.json#n317:38
morganfainbergzzzeek: as long as we provide nice options for developers, we induce less rage.17:39
ayoungsamueldmq, it does not even check if the rule has any role at all, just that the token is scoped to the project17:39
zzzeekmorganfainberg: and i think having it via a factory is best.   key_mangler = util.make_a_key_mangler(here_are_the_things_I_want)17:39
morganfainbergzzzeek: I can see that as a benefit17:39
ayoungsamueldmq, and the rule admin_or_owner  basically checks for the admin role...17:40
morganfainbergzzzeek: i would argue the default should check and do both bytes and text handling, but i'll argue that with you separately from "adding this into the library support wise" even as a config'd option17:40
ayoungone anything, not just that context17:40
zzzeekmorganfainberg: just because, I dont want to bury a concrete isinstance() at the base of all cache operations for everyone17:40
dstanekzzzeek: will using the factory handle the case where is could be either bytes or text?17:40
zzzeekdstanek: yes17:40
samueldmqayoung, looking17:40
zzzeekdstanek: this is the factory that you or morganfainberg is going to write me a PR for17:40
ayoungwhich means that if I have admin on anything, I can use that token against nova and get access to any API17:40
dstanekzzzeek: ah, haha ok17:40
samueldmqayoung, oh! that's the global admin thing as admin=117:40
ayoungright17:41
ayoungso,  what we want is to start there17:41
*** tqtran has joined #openstack-keystone17:41
samueldmqayoung: samueldmq, and the rule admin_or_owner  basically checks for the admin role...17:41
samueldmqshould check, you mean, right?17:41
ayoungsamueldmq, since a  project is created in Keystone, checking that both the project id and that the user has the admin role on that project should be the norm17:42
* morganfainberg wonders if we can convince zzzeek to move dogpile to gerrit >.>17:42
*** r-daneel has joined #openstack-keystone17:42
morganfainbergzzzeek: i have a couple PRs i owe you17:42
morganfainbergzzzeek, and an update of that key one.17:42
morganfainbergzzzeek: hopefully soon.17:42
zzzeekmorganfainberg: not to stackforge but i am curious about having gerrits for bitbucket/github projects17:42
ayoungsamueldmq, the problem is that we do not have a good way to create a global admin that can clean up anything...OTOH, that would probably violate the goals of the reseller spec anyway17:43
samueldmqayoung, what we need to for nova is : 'role:admin and project_id:%(project_id)s', right ?17:43
morganfainbergzzzeek: i find PRs to be wholly distasteful and it usually deters me from contributing to projects unless i really really really care17:43
ayoungsamueldmq, so I want it like this17:43
morganfainbergzzzeek: dogpile i actually care enough about to do PRs, but PRs are a broken work flow when you exceed ~3 devs imo17:43
dstanekzzzeek: http://gerrithub.io/17:44
morganfainbergzzzeek: linux kernel aside because... there is always exceptions17:44
ayoung "compute_extension:admin_actions:pause": "rule:project_matches and role:member",17:44
morganfainbergdstanek, neat17:44
ayoungbut with an enhanced 'role ' that knows member implies admin17:44
ayoungnow, we could do this17:44
zzzeekmorganfainberg: i am ready for gerrits  and not PRs but would need time to get that all working.  plus i prefer bitbucket as home base so it has to integrate with that17:45
ayoung"member" : "role:admin or role:member"17:45
ayoungthen it would be17:45
morganfainbergzzzeek: sure. i totally get time + liking bitbucket17:45
ayoung "compute_extension:admin_actions:pause": "rule:project_matches and rule:member",17:45
morganfainbergzzzeek: we all need clones or more time in a day17:45
dolphmself.scale_up()17:46
dolphmself.scale_horizontally() *17:46
ayoungsamueldmq, rule:project_matches is Nova specific17:46
samueldmqayoung, well ;; "context_is_admin":  "role:admin",17:46
ayoungthe other projects might need to do more complex logic.  I know Keystone does17:47
ayoungsamueldmq, I was thinking more like17:47
*** rm_work is now known as rm_work|away17:47
samueldmqayoung, sorry but I didnt get why we can't just change them to be what we need : 'role:admin and project_id:%(project_id)s'17:47
ayoungsamueldmq, we want people to make the minimal edits17:47
ayoungthe rules get too complex. Look at what Henrynash had to do in cloudsample17:48
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.v3cloudsample.json#n3717:48
ayoungmake that two rules, and you can vary the role on a per APR line by line17:48
ayoungAPR->API17:49
samueldmqayoung, k so what you're looking for is something to simplify the policy definition17:49
samueldmqayoung, not making it more powerful for now17:49
ayoungsamueldmq, first, we need a standard to say something like:  an api should have a scope matching portion and a role portion17:49
ayoungand the role portion comes at the end.17:49
ayoungthen people can know that to change the role assigned to an api they just edit that one part of the line17:50
samueldmqayoung, and we need to make it easy, by using this pattern17:50
ayoungso say you split member into reader and writer17:50
ayoungyou would add rules at the top to indicate that, and modify the appropriate api lines accordingly17:50
ayoungthis is the stuff I am going to do for my talk17:51
*** harlowja_away is now known as harlowja17:51
ayoungshow how to do sets-of-roles (hate the term inheritance there) using the existing mechs17:51
ayounga role is a set of permissions,  so we can talk in terms of subsets17:51
ayoungmember can be a set which is composed of role:member role:reader role:writer17:52
samueldmqayoung, ah I think I got it17:52
ayoungand then the individual rules would be17:52
samueldmqayoung, so basically all we talked so far we can do with the current mechanisms17:52
ayoungrule:role_member  or rule:role_writer17:52
ayoungright17:52
ayoungbut start by getting the file into the right format17:52
*** Ctina has joined #openstack-keystone17:52
ayoungnow..lets talk admin for a moment17:52
samueldmqnice, you want to reorganize and define a pattern to define rules across apis17:52
ayoungright now, If I am admin anywhere, I am admin everywhere17:53
ayoungwhat we want, instead, is the inherited roles you guys did being enforced17:53
*** rushil_ has joined #openstack-keystone17:53
ayoungbut that means that a user now needs to get a token scoped to a particular something as opposed to a god token17:53
ayounggot tokens bad17:53
ayounggod tokens bad I mean17:53
*** rushil has quit IRC17:54
ayoungso...we create a new role...call it ALL17:54
samueldmqwe need to enforce admin role + project scope, right ?17:54
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Add is_domain field in Project Table  https://review.openstack.org/15742717:54
ayoungit means all Roles, not all roles everywhere17:54
samueldmqk go ahead17:54
ayoungand stop using the term Admin17:54
ayoungsamueldmq, you are right:  "we need to enforce admin role + project scope"  only lets call it ALL to avoid clashes17:54
samueldmqk17:55
ayoungcertain things need role "ALL"  and certain things need role "Member"  but always on the appropriate scope17:55
samueldmqall doesnt care about scope, right ?17:56
ayoung"service_or_admin": "rule:admin_required or rule:service_role",  is another way of saying the service role set should include role:service or role:admin, as I don't think we have any calls that won't let admin operate17:56
ayoungnow, the service_role APIs don't have a matching scope17:57
ayoungidentity:validate_token"  or identity:revocation_list  etc17:57
ayoungand that is OK. those rules will be explicitly unscoped, but then maybe we drop the "service implies admin" for them17:57
bandwidthstevemar: so that means, no federation with Juno, right?17:57
ayoungseems to me we should have some scoping for everything...but that takes us off in a tangent17:58
stevemarbandwidth, it'll have some issues that were ironed out in kilo17:58
ayoungI wonder when anyone would use an admin token to validate a token instead of a token scoped to a service user.17:58
samueldmqayoung, from what you said the ALL thing, I was thinking like:17:59
morganfainbergayoung, more often than you'd like. less often than we know17:59
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Add is_domain field in Project Table  https://review.openstack.org/15742718:00
samueldmqayoung, "compute:create": "ALL or (match_scope and match_role)"18:00
samueldmqayoung, ^ at least the logic of it18:00
ayoungmorganfainberg, what would be the right scope for an admin user to be able to validate a token?  I am admin on <what?>18:00
ayoungsamueldmq, no18:00
ayounglet me take one that has a non-empty rule18:00
ayoung "compute_extension:admin_actions:pause": "rule:admin_or_owner",  right now would become18:01
morganfainbergayoung, dunno18:01
morganfainbergayoung, i'd rather enforce a service scoped user to keystone18:01
ayoung "compute_extension:admin_actions:pause": "rule:project_matches and    rule:role_member"18:01
ayoungmorganfainberg, so would I18:01
morganfainbergayoung, but today can we differentiate between admin on X and Y w/o breaking everyone?18:01
ayoungmorganfainberg, no we can't at least not in default policy...let me see cloudsample18:02
ayoungmorganfainberg, in cloudsample, we have no calls that use just service token, but those do not check scope at all, either18:02
ayoungmorganfainberg, http://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.v3cloudsample.json#n10418:02
ayoungthat rule is defined http://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.v3cloudsample.json#n518:03
samueldmqayoung, you want to have 'enforce scope + role' everywhere, but at the same time allowing (for compatibility) the old admin anywhere can do everywhere18:03
samueldmqayoung, right ?18:03
morganfainbergsamueldmq: that should be a function of the policy file18:03
morganfainbergsamueldmq: or policy rules18:03
ayoungmorganfainberg, we are saying that service users should go in the service domain anyway...what if I present on a rule that enforces them having the service rule on the service domain, and then they request a tick for that...I guess they would need a default project to work today, and we don't specify that in the auth_token section consumed by middleware18:04
morganfainbergayoung: yeah18:04
ayoungso...we would create a service project in the service domain, and they get a token with the service role scoped on it by default?18:04
ayoungthat would work today18:04
morganfainbergayoung: we could adjust that project requirement *if* we supported a service scope... but i ..18:04
morganfainbergthat sounds like it's getting ugly/scary18:05
ayoungmorganfainberg,this is for "how an operator can do it today" not for changing what we ship by default18:05
morganfainbergayoung, ahh18:05
ayoungone of my guidelines, I think, will be "scope all the things"18:05
morganfainberglol18:06
ayoungmorganfainberg, actually, the service role has to be assigned on some scope today anyway18:08
samueldmqayoung, is there a need to write a spec for anything in dynamic policies ? or are they all defined a t https://review.openstack.org/#/q/project:openstack/keystone-specs+branch:master+topic:dynamic-policy,n,z18:08
morganfainbergayoung: do we need to revisit service scope?18:08
morganfainbergayoung: as a real thing18:08
morganfainberg?18:08
ayoungmorganfainberg, one sec..let me see what is going on in a running instance18:08
dstanekis this test valuable? http://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/unit/tests/test_core.py#n5018:08
*** dguerri is now known as _dguerri18:09
morganfainbergdstanek: possibly?18:09
morganfainbergdstanek: oh uh..18:09
ayoungok, rdo deployment has no Service role18:09
dstanekit's testing to make sure our tests get an exception if there is a deprecation warning18:10
morganfainbergdstanek: that looks like it's testing "does python work"18:10
ayoungI think it was testing "do our tests work"18:10
dstanekmorganfainberg: right18:10
morganfainbergdstanek: i see no value in testing base python interpreter stuff18:10
morganfainberghonestly18:10
dstanekayoung: more precisely "do our tests configure Python correctly"18:10
ayoungwho wrote that...git blame?18:11
dstanekayoung: i'm betting bknudson18:11
dolphmgordc: it looks like you opened 3 bugs for the audit middleware somehow - i closed 1448237 and 1448238 in favor of 1448239 (the one stevemar triaged): https://bugs.launchpad.net/pycadf/+bug/144823918:11
openstackLaunchpad bug 1448239 in pycadf "drop audit middleware" [Medium,In progress] - Assigned to gordon chung (chungg)18:11
stevemardolphm, launchpad win!18:12
dolphmyeah..18:12
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: List projects filtering by is_domain flag  https://review.openstack.org/15839818:13
ayoungmorganfainberg, so RDO set up we give service users the admin role on the service project18:13
ayoungsamueldmq, this is under the unified policy file, I think18:13
bknudsontest_deprecations verifies that the code in the test setup to catch if there are any use of deprecations works. otherwise we don't have any idea or not if it's actually protecting anything.18:13
gordcdolphm: hmmmm.. i guess i spazzed out.18:13
gordcthanks for cleaning up18:14
bknudsonusing a deprecated function typically doesn't raise an exception.18:14
bknudsonthe test itself is kind of goofy... not sure why it doesn't just call warnings module.18:15
ayoungsamueldmq, the other thing we need to do is rework the spec on fetching policy from Keystone before enforcing it.  dolphm wanted it under middleware...which is probably where it belongs, but it is a library call, not a middleware call.18:15
bandwidthstevemar: did you try keystone from kilo with the services with juno?18:15
samueldmqayoung, yeah I also think middleware is the right place18:15
ayoungwe need to clarify how nova talks to library talks to keystone, with caching of the policy file in the middle there somewhere18:15
samueldmqayoung, hm ..18:16
dstanekbknudson: it does now :-)18:16
ayoungI don't think so...I think middleware is part of it, but I would say that anyone should be able to fetch policy and operate on it.  Horizon does not use middleware, but needs to figure out things from policy18:16
samueldmqayoung, so collaboration points would be the unified policy (implementing it and helping to maintain the spec)18:16
samueldmqayoung, and the fetching policy spec18:16
ayoungI would prefer to have a KC interface, and then have middleware provide a cache layer in front of it18:16
ayoungsamueldmq, yes18:17
ayoungsamueldmq, as well as the default spec18:17
ayoungonce we have a unified policy file, default makes more sense18:17
samueldmqayoung, great, I will propose these 3 collaboration points, thanks18:17
samueldmqayoung, btw, just to check ... 'Add to the policy library the essential code to enforce policy based on a keystone token' is already done, right?18:17
samueldmqayoung, as we've already graduated oslo.policy18:18
ayoungsamueldmq, we also want to make the other projects replace oslo incubator with the policy library18:18
ayoungwhich means that some work needs to be done for Neutron, see the mailing list on that one18:18
samueldmqayoung, nice18:18
ayoungthat will require a new release of policy lib with symbols made public18:18
ayoungnice thing about that is we will pick up the fix needed for endpoint binding18:19
morganfainbergstevemar: ping18:19
ayoungso..question of priorities...lets make highest priority anything that can be used on  its own with no other dependencies18:19
stevemarmorganfainberg, pong18:19
morganfainbergstevemar: can you help me get the -specs repo to move kilo specs to "previous"?18:20
morganfainbergstevemar: if you don't mind18:20
samueldmqayoung, ++18:20
samueldmqayoung, I got it, I understand a big part of the things, will become more familiar as we get into collaboration18:21
stevemarmorganfainberg, oh yeah, i was thinking about doing that18:21
ayoungsamueldmq, that give you enough to work on?18:21
samueldmqayoung, thanks18:21
morganfainbergstevemar: :)18:21
stevemarmorganfainberg, have like 10 things to do before 5pm :P18:21
samueldmqayoung, well ... yes, I will propose all those points to my manager, thanks18:21
ayoung++18:21
morganfainbergstevemar: not needed *today* just a "can you toss this on your stack" for "soon"18:21
*** jaosorior has quit IRC18:22
ayoungsamueldmq, we should still set up a time for a group of us to discuss dynamic policy prior to the summit18:25
dstaneki'm going the spam this room in a few minutes with Python3 commits....18:25
openstackgerritMerged openstack/keystone: Tests don't override default config with default  https://review.openstack.org/16663118:25
morganfainbergdstanek, sounds good18:25
samueldmqayoung, k, once we decide what we can grab from those points for now (before summit)18:26
morganfainbergdstanek, btw: i am putting a spec up for handing ldap3 and pymemcache updates18:26
dstanekhmmm....looks like maybe only half of them are ready18:26
morganfainbergdstanek, so we can tag this work to a specific initiative18:26
samueldmqayoung, I will tell you and we schedule a meeting to talk about the policy stuff18:26
samueldmqayoung, in general18:26
samueldmqayoung, works for you ?18:26
marekdayoung: yes18:27
openstackgerritSteve Martinelli proposed openstack/keystone-specs: Move kilo specs to 'implemented' section  https://review.openstack.org/17737718:28
stevemarmorganfainberg, ^18:28
ayoungmarekd, I've been debugging since then.  That part works, and it is fouling up on the IdP side...It might be (probably is) a config set up problem cuz I'm not getting a transaction ID allocated, but also cuz the IdP is redirecting where it should just be answering the request for an assertion.18:29
marekdayoung: transaction at the SP or IdP side?18:30
ayoungmarekd, who should be allocating the transaction id? Maybe that is the problem.  Does the SP allocate it?18:33
ayoungmarekd, the problem was on the IdP side, but if it was getting the transaction id from the request, then it is a provider problem, isn't it18:33
*** rm_work|away is now known as rm_work18:34
marekdayoung: there might be some transaction-id like string/number but i don't think it's required. It helps and probably works more like session-id18:36
*** jdennis has quit IRC18:36
openstackgerritMorgan Fainberg proposed openstack/keystone-specs: Add spec for python-3 compatibility  https://review.openstack.org/17738018:36
*** jdennis has joined #openstack-keystone18:37
ayoungmarekd, I'm working with a pretty new setup..quite likely both bugs and config errors.  I need to get down to fewer moving parts before I can solve this, but I think I am close to getting ECP testing working.  I need to head out now, but I'll keep hacking on it over the weekend18:37
*** ayoung is now known as ayoung-bye18:37
morganfainbergdstanek, ^18:37
*** ayoung-bye has quit IRC18:37
dstanekmorganfainberg: do you want to link that back to the existing blueprint?18:40
morganfainbergdstanek, we have an existing BP?18:40
morganfainbergoh. didn't know18:40
morganfainbergwe can do that18:41
morganfainbergand mark the new one superseded18:41
morganfainbergcause.. i don't care as long as we're tracking :)18:41
morganfainbergdstanek: also https://review.openstack.org/#/c/177375/18:41
morganfainbergdstanek: x-project spec about py3 stuffs18:42
dstanekall my commits are 'bp python3', but i can change that18:42
morganfainbergdstanek: your call i'm happy to quickly update the new spec18:42
*** panbalag has joined #openstack-keystone18:42
morganfainbergdstanek: you're down as leading this charge btw [and i'm committing to help with the ldap3 stuff and/or pymemcache]18:42
*** lhcheng_ has quit IRC18:44
dstanekmorganfainberg: sounds good to me18:45
morganfainbergdstanek: so should i update the bp link in the spec or you changing your targets in commits?18:47
dstanekmorganfainberg: depends. we already have a base of work under 'bp python3' i'm assuming that we'd want all of the work to be under the same bp. so i say update the bp link18:48
morganfainbergupdating now18:48
openstackgerritMorgan Fainberg proposed openstack/keystone-specs: Add spec for python-3 compatibility  https://review.openstack.org/17738018:49
morganfainbergdstanek, ^^18:49
panbalagHi.. I have configured keystone to use SSL and its certificates are not signed by a trusted authority (I setup my own CA using openssl). When i try to issue keystone endpoint-list, I get "Authorization Failed: SSL exception connecting to https://10.8.0.50:35357/v2.0/tokens"...I tried using --insecure option (along with --debug) ..I see "Starting new HTTPS connection ..." but the curl command in the debug lists http connectio18:49
morganfainbergpanbalag: are the endpoints in the catalog HTTPS or HTTP for keystone?18:50
*** rm_work is now known as rm_work|away18:50
panbalagmorganfainberg, did you mean the "keystone_admin" file I sourced?18:50
morganfainbergpanbalag: so the service catalog might be telling the client to use http even though you are originally authenticating with https.18:52
panbalagmorganfainberg, how do I change the service catalog?18:52
morganfainbergpanbalag: can you use curl to get a token and/or interact with keystone directly instead of via the python cli?18:52
morganfainbergpanbalag: depends on if you're using the templated catalog of the catalog in the SQL backend18:52
panbalagmorganfainberg, ok let me try the curl command directly18:52
morganfainbergpanbalag: note curl command scrubs the token18:53
*** alextrcitiy has quit IRC18:53
morganfainbergpanbalag: in --debug18:53
morganfainbergpanbalag: so you'll need to get a valid token first [copy/paste doesn't work directly]18:53
morganfainbergif you see {SHA1}<hexstring> for the token, that is obfuscated18:53
morganfainbergor similar18:53
morganfainbergif it's a 32-byte uuid hex string *or* PKI string [really really long] then it's a real token.18:54
*** rm_work|away is now known as rm_work18:56
panbalagmorganfainberg, curl command works fine with https.18:58
morganfainbergpanbalag: ok so this tells me that the client is being confused. if it's using http instead of https18:58
morganfainbergpanbalag: after the token is received18:59
morganfainbergpanbalag: are you using the templated catalog or the SQL based catalog (this will be in the keystone config under [catalog])18:59
morganfainbergand the option will be driver18:59
morganfainbergthis might also be related to the 'admin_endpoint' and 'public_endpoints' in the keystone config19:00
morganfainbergpanbalag, ^19:00
morganfainbergpanbalag: https://github.com/openstack/keystone/blob/master/etc/keystone.conf.sample#L21-L3519:00
panbalagmorganfainberg, it is SQL based - "keystone.catalog.backends.sql.Catalog"...the public_endpoint and admin_point have been commented out19:04
morganfainbergpanbalag: so the default is http with those commented out iirc19:04
morganfainbergpanbalag you may need to change and specify https://<host of keystone>:<port>/.... like shown in the comment of that config file19:04
morganfainbergpanbalag: alternatively you may also need to look at the endpoints in the catalog and update the keystone ones to reference https19:05
morganfainbergpanbalag: i unfortunately am a bit context switched to another topic so can't tell you which one of those / if both will be needed off the top of my head19:05
panbalagmorganfainberg, ok.I'll change the admin/public endpoint first and see if that helps...19:06
panbalagmorganfainberg, that didnt help..looks like I need to change the endpoint in the catalog..any idea how to change it?19:09
*** lhcheng has joined #openstack-keystone19:14
*** ChanServ sets mode: +v lhcheng19:14
*** rm_work is now known as rm_work|away19:22
openstackgerritAlexander Makarov proposed openstack/keystone: Group role revocation invalidates all user tokens  https://review.openstack.org/14185419:23
amakarovmorganfainberg, hi! Looks like I've figured out how to support TRL ^^19:24
*** jdennis has quit IRC19:25
*** _dguerri is now known as dguerri19:30
*** amakarov is now known as amakarov_away19:33
bknudsongordc: any progress on a pycadf stable/juno branch (so we can get keystonemiddleware going again)19:42
openstackgerritMerged openstack/keystone: Cleanup test keeping unnecessary fixture references  https://review.openstack.org/16154419:43
*** rm_work|away is now known as rm_work19:43
gordcbknudson: ah right. i was going to ping you about that yesterday.19:44
bknudsongordc: good news, I assume.19:44
gordcbknudson: errr.. more like i forgot.lol19:44
gordc dhellmann: ^ any chance you free and able to create a stable/juno branch for pycadf.19:44
bknudsonlooks like the pycadf branch would be 0.6.019:45
openstackgerritMerged openstack/keystone: Entrypoints for commands  https://review.openstack.org/13143519:45
bknudsonthat was 2014-08-21... the next release 0.7.0 was 2015-01-1919:45
gordcbknudson: yep. (i thought there was a 0.6.1 but guess not)19:45
bknudsonand juno was 2014-10-16.19:45
gordcmorganfainberg: i don't know if you have abilities to create branches on pycadf.19:46
morganfainberggordc, i cannot create branches, but it is easy to ask infra to19:46
gordcbknudson: yeah that seems sane to me. looks like we need to branch on https://github.com/openstack/pycadf/releases/tag/0.6.019:46
morganfainberggordc, or at least i don't think i can19:46
* morganfainberg checks19:47
morganfainberggordc, get the branch name and sha of the commit the branch should be based on19:47
morganfainbergi do not have "create branch" superpowers.19:47
gordcmorganfainberg: https://github.com/openstack/pycadf/commit/52727bcea3a98e72331e748ce5f9e3a111a64cd119:47
morganfainbergbut we just need to ask -infra.19:47
morganfainbergwhat do you want this branch called?19:48
gordcstable/juno? bknudson?19:48
bknudsonstable/juno19:48
morganfainbergah ok19:48
bknudsonthere's a stable/kilo branch already19:48
*** _cjones_ has quit IRC19:49
*** iurygregory has quit IRC19:51
*** Bsony has quit IRC19:54
*** Ctina_ has joined #openstack-keystone19:55
openstackgerritDavid Stanek proposed openstack/keystone: pep8 whitespace changes  https://review.openstack.org/17740219:56
openstackgerritDavid Stanek proposed openstack/keystone: Fixes order of imports for pep8  https://review.openstack.org/17740319:56
openstackgerritDavid Stanek proposed openstack/keystone: Ignore multiple imports per line for six.moves  https://review.openstack.org/17740419:56
openstackgerritDavid Stanek proposed openstack/keystone: Replaced filter with a list comprehension  https://review.openstack.org/17740519:56
openstackgerritDavid Stanek proposed openstack/keystone: eventlet now supports Python3  https://review.openstack.org/17740619:56
openstackgerritDavid Stanek proposed openstack/keystone: pycadf now supports Python3  https://review.openstack.org/17740719:56
openstackgerritDavid Stanek proposed openstack/keystone: Fixes mocking of oslo messaging for Python3  https://review.openstack.org/17740819:56
openstackgerritDavid Stanek proposed openstack/keystone: Updates the *py3 requirements files  https://review.openstack.org/17740919:56
openstackgerritDavid Stanek proposed openstack/keystone: Fixes use of dict methods for Python3  https://review.openstack.org/17741019:56
openstackgerritDavid Stanek proposed openstack/keystone: Handles Python3 builtin changes  https://review.openstack.org/17741119:56
openstackgerritDavid Stanek proposed openstack/keystone: Handles modules that moved in Python3  https://review.openstack.org/17741219:56
openstackgerritDavid Stanek proposed openstack/keystone: Fixes a whitespace issue  https://review.openstack.org/17741319:56
openstackgerritDavid Stanek proposed openstack/keystone: Add mocking for ldappool for Python3 tests  https://review.openstack.org/17741419:56
openstackgerritDavid Stanek proposed openstack/keystone: Fixes deprecations test for Python3  https://review.openstack.org/17741519:56
openstackgerritDavid Stanek proposed openstack/keystone: Refactor deprecations tests  https://review.openstack.org/17741619:57
openstackgerritDavid Stanek proposed openstack/keystone: Add mocking for memcache for Python3 tests  https://review.openstack.org/17741719:57
openstackgerritDavid Stanek proposed openstack/keystone: basestring no longer exists in Python3  https://review.openstack.org/17741819:57
* stevemar stabs dstanek 19:57
* dstanek deflect the stab with a banana and used a roll of duct tape to subdue his attackers19:57
raildohaha19:58
dstanekstevemar: on the plus side most of those should be easy reviews19:58
stevemarbananas! my only weakness19:58
*** Ctina has quit IRC19:58
stevemari'm wondering about https://github.com/openstack/keystone/blob/master/etc/policy.json#L6719:59
*** Ctina_ has quit IRC19:59
stevemarwhats up with "target.credential.user_id"... the v2 ec2 specific controller doesn't use 'credential'19:59
bknudsonpolicy on v2?20:00
stevemarah wait it does20:00
stevemarhttps://github.com/openstack/keystone/blob/862cbb427a4b4d3fb6969541521b67c92a823a69/keystone/contrib/ec2/controllers.py#L191-L20320:00
stevemarusing 'target' in the rule is tripping me up20:02
panbalagmorganfainberg, I switched back to http and deleted the old endpoint using "keystone endpoint-delete"..then created a new endpoint with https. But creating a new endpoint gave an error..so to create I exported "OS_SERVICE_ENDPOINT=" and then the new https endpoint for keystone was created..But now when I look at "keystone --debug endpoint-list", I can see https, but this time the token is wrong..so the final output is "The r20:03
morganfainbergpanbalag: give me a few minutes (or we can see if someone else can help here) and i'll try and duplicate20:04
morganfainbergpanbalag: but my laptop is running low on battery20:04
panbalagmorganfainberg, sure no problem. please take your time.20:04
morganfainbergpanbalag: so it might be a good bit later20:04
panbalagmorganfainberg, ok20:05
dstanekpanbalag: what is the error you are getting?20:05
panbalagdstanek, "The resource could not be found. (HTTP 404)""..that is because the token is wrong..20:06
panbalagdstanek, not sure why the token got changed20:06
dstanekpanbalag: can you auth and get a new token?20:06
panbalagdstanek, what is the command to get a new token?20:07
*** ericksonsantos has quit IRC20:08
openstackgerritDolph Mathews proposed openstack/keystone: Allow wsgiref to reconstruct URIs per the WSGI spec  https://review.openstack.org/17742720:08
*** _cjones_ has joined #openstack-keystone20:09
openstackgerritMorgan Fainberg proposed openstack/keystone-specs: Add spec for 'stable driver abis'  https://review.openstack.org/17742820:10
morganfainberggyee, bknudson, dstanek, ^20:10
morganfainbergstable driver ABIs20:10
dolphmApplication Blocking Interfaces?20:10
morganfainbergdstanek, Application Binary Interface20:11
morganfainbergdolphm, ^20:11
bknudsonthis really affect gyee or anyone else who wants to write their own drivers... this isn't something I want to do.20:11
morganfainbergdolphm, since the communication to the driver is in-python and/or another protocol vs say HTTP rest interface20:11
morganfainbergbknudson, input on this is what i'm looking for20:12
morganfainbergbknudson, more than anything - including dissent on the whole idea20:12
dolphmpanbalag: keystone token-get ... or openstack token <something> (?)20:12
morganfainberghence proposal to the backlog vs. liberty20:12
bknudsonI think it's good practice to essentially treat every subsystem as an API anyways.20:12
morganfainbergbknudson, i would agree.20:12
morganfainbergbknudson: since we discussed it, i am putting it up for review20:13
bknudsondo http URLs allow unicode?20:15
openstackgerritMorgan Fainberg proposed openstack/keystone-specs: Add spec for 'stable driver abis'  https://review.openstack.org/17742820:15
morganfainbergbknudson, uhmm...20:15
bknudsonI didn't think that was allowed.20:15
morganfainbergbknudson, i think that gets url-encoded20:15
morganfainbergbknudson, what spawned that question?20:16
bknudsonhttps://bugs.launchpad.net/bugs/144828620:17
openstackLaunchpad bug 1448286 in Keystone "unicode query string raises UnicodeEncodeError" [Medium,In progress] - Assigned to Dolph Mathews (dolph)20:17
morganfainbergoh huh20:17
*** rm_work is now known as rm_work|away20:17
*** Bsony has joined #openstack-keystone20:17
bknudsonobviously keystone shouldn't 500 given a URL20:18
morganfainbergbknudson, it would need to be URL encoded.20:18
dolphmbknudson: it's allowed as of not too long ago, relatively speaking. think filtering lists for unicode values in keystone for that bug20:18
morganfainbergdolphm, if someone passes non-encoded utf-8 it likely would break in apache layer20:19
*** rm_work|away is now known as rm_work20:19
morganfainbergdolphm, but we should do a url-decode on these params20:19
bknudsonit's scary that the error is coming out of python lib -- python2.7/urllib20:20
morganfainbergdolphm, but afaict filtering should be urlencoded when hitting the http layer20:20
bknudsonwe could monkey-patch urllib.20:20
dstaneki'm pretty sure unicode needs to be % encoded20:20
morganfainbergthat error we can make better20:20
morganfainbergbut it should be a 400 series20:20
morganfainbergnot a 50020:20
morganfainbergit is, in-fact, a bad request20:21
dolphmmaybe curl is encoding them but hiding that fact, not sure20:22
dolphmwith -v it still renders unicode20:22
dolphm> GET /?Ϡ HTTP/1.120:23
morganfainbergdolphm, use telnet20:23
*** Bsony has quit IRC20:23
morganfainbergdolphm, i don't trust curl in this case - it does magic sometimes20:23
dstanekthat's super funny - it dies logging the querystring20:23
gyeemorganfainberg, ++ for ABI20:23
gyeethat'll make it easier for people to contribute the drivers out of tree as well20:24
*** jdennis has joined #openstack-keystone20:24
bknudsongordc: https://review.openstack.org/#/q/status:open+project:openstack/pycadf+branch:stable/juno,n,z ?20:24
morganfainberggyee, so comment on the spec :)20:24
gyeeyes, reviewing20:24
gordcbknudson: is there another item to approve?20:24
panbalagdstanek, dolphm, morganfainberg.. figured out the issue.. I made a typo in the port in the adminURL while creating a new endpoint... after creating a new endpoint, https works fine...20:24
dstanekgoogle doesn't like the unicode - http://paste.openstack.org/show/205795/20:25
morganfainbergpanbalag: aha ouch20:25
bknudsongordc: did you want me to post the review to move the requirement?20:25
dolphmmorganfainberg: telnet works fine20:25
morganfainbergdolphm, no wsgi errors?20:25
gordcoh! that's what you meant. sure.20:25
dolphmmorganfainberg: not after my patch20:25
gordcor if you don't have pycadf loaded i can do it20:25
morganfainbergdolphm: without?20:25
bknudsongordc: I don't have pycadf, so go ahead.20:25
panbalagmorganfainberg, dolphm, dstanek..Thanks for the help.20:25
morganfainbergdolphm: because again, this should be a 400 if it's not urlencoded20:25
bknudsongordc: I don't need to pad my stats.20:25
gordcbknudson: lol kk20:26
dolphmmorganfainberg: crashes with unicodedecodeerror... on logging20:26
morganfainbergdolphm: the ietf says afaict it should be urlencoded.20:26
bknudsonalthough if I have a commit in pycadf then I can run for PTL...20:26
morganfainbergdolphm: hm.. wonder if apache is doing $magic$ for us too20:26
morganfainbergthis all looks suspect20:26
dolphmmorganfainberg: either way, a logging call shouldn't have anything to do with returning a 40020:26
gordcbknudson: it's a highly contested seat20:26
*** Bsony has joined #openstack-keystone20:27
morganfainberg dolphm: true20:27
dolphmGET /v3/projects/Ϡ HTTP/1.1 returns...20:27
dolphm{"error": {"message": "Could not find project: \u03e0", "code": 404, "title": "Not Found"}}20:27
dstanekmorganfainberg: i took the same request i made against google and did it against apache.org (which ignored it and gave me a page)20:28
bknudsonGET /v3/users/(ノಠ益ಠ)ノ ┻━┻20:28
dolphm(i.e. it's handling the path correctly, but not the query string)20:28
openstackgerritMerged openstack/keystone: Correct request logging query parameters separator  https://review.openstack.org/16600220:28
morganfainbergbknudson: Best test ever20:28
dolphmbknudson: that returns a 400 because you have spaces in the path :P20:29
bknudsonoh, I meant to flip the table straight up, not forward.20:29
gordcbknudson: you have a bug i can attach to?20:31
bknudsongordc: no, I didn't open any bugs.20:31
gordcbknudson: kk20:31
*** Bsony has quit IRC20:32
bknudsonSwitched to a new branch '(ノಠ益ಠ)ノ┻━┻'20:33
stevemarbknudson, you always pad your stats20:34
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient-saml2: Remove unused private classes on tests  https://review.openstack.org/17126320:34
*** lhcheng has quit IRC20:35
stevemargordc, bknudson we should ask the TC to make pycadf its own project20:35
morganfainbergstevemar, it really is20:37
morganfainbergstevemar, already20:37
morganfainbergthe only difference is that i'm the "PTL"20:37
morganfainbergbut it has a core team that is separate from everything else20:37
morganfainbergetc20:37
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient-saml2: Update "federation" to "saml2" in README  https://review.openstack.org/17744220:37
openstackgerritDolph Mathews proposed openstack/keystone: Refactor: client_socket_timeout has a default value  https://review.openstack.org/17744320:37
stevemarmorganfainberg, exactly, we're tired of living under your tyrannical rule20:37
morganfainbergstevemar, lol20:38
gyeewhat does the TC do anyway?20:39
openstackgerritDolph Mathews proposed openstack/keystone: Remove randomness from test_client_socket_timeout  https://review.openstack.org/17744420:41
bknudsonthey eat fancy lunches.20:41
gyeehah20:41
bknudsonI assume there's a TC party that's even fancier than the core pary.20:41
bknudsonparty20:41
gyeeyou may be right20:42
dolphmbknudson: probably just a dinner20:43
*** ashishjain has quit IRC20:44
*** ashishjain has joined #openstack-keystone20:44
*** ashishjain has left #openstack-keystone20:45
openstackgerritMerged openstack/keystone: Correct path in request logging  https://review.openstack.org/16601220:45
*** mattfarina has quit IRC20:45
bknudsongordc: you want me to just post the change?20:46
*** rm_work is now known as rm_work|away20:47
*** rm_work|away is now known as rm_work20:47
bknudsongordc: too late, here it is: https://review.openstack.org/#/c/177446/20:48
* bknudson pads stats20:48
gordcbknudson: ... how the hell. i kept getting stupid rebase madness... oh well good enough20:49
*** pnavarro has joined #openstack-keystone20:49
gordcbknudson: want to connect it to this: https://bugs.launchpad.net/pycadf/+bug/144829720:49
openstackLaunchpad bug 1448297 in pycadf "oslo.messaging should be a optional req" [Medium,Triaged] - Assigned to gordon chung (chungg)20:49
bknudsongordc: updated commit message: https://review.openstack.org/#/c/177446/20:51
*** rushil_ has quit IRC20:51
gordccool cool.20:51
gordchmm. i think this is going to fail req check20:52
bknudsongordc: different g-r in stable?20:53
bknudsonmaybe we need proposal bot to update the new branch reqs.20:53
gordcbknudson: yeah... i guess we'll wait for that. or maybe this will pass with no issues.20:54
bknudsonI don't think it's going to happen automatically.20:55
*** lhcheng has joined #openstack-keystone20:55
*** ChanServ sets mode: +v lhcheng20:55
gordcbknudson: it should (at least it did for clients)20:55
bknudsongordc: according to http://status.openstack.org/zuul/ it passed -requirements.20:55
bknudsonhttps://jenkins05.openstack.org/job/gate-pycadf-requirements/26/20:56
*** rm_work is now known as rm_work|away20:57
*** dguerri is now known as _dguerri20:57
gordcbknudson: :( py34 test failed20:58
bknudsongordc: can't blame me for that.20:59
*** csoukup has quit IRC20:59
* gordc looks around for someone else.20:59
bknudsondisable the test?20:59
bknudsonwe can just disable it for that branch21:00
gordcbknudson: yeah... i guess that's a quick fix.21:01
gordci can't remember fixing py3 stuff personally21:01
*** htruta has quit IRC21:01
*** gyee has quit IRC21:02
*** gyee has joined #openstack-keystone21:02
*** ChanServ sets mode: +v gyee21:02
bknudsongordc: did it the old fashioned way. https://review.openstack.org/#/c/177452/21:03
*** ayoung has joined #openstack-keystone21:04
*** ChanServ sets mode: +v ayoung21:04
bknudsongordc: do you want the reqs update in 0.6.1 ? I think we do.21:04
bknudsonI guess none of these is going to pass without the py3 fix.21:04
gordcbknudson: cool cool. this grew in scope. :( i'll keep an eye on it. will check with doug on that before release21:04
*** raildo has quit IRC21:05
bknudsongordc: are you making the py3 fix or did you want to skip the test?21:05
gordcbknudson: skipping might be better.21:06
bknudsongordc: ok, I'll propose the change to -infra.21:06
gordcbknudson: seems like the py3 stuff came with oslo-incubator to oslo lib switch21:06
bknudsonlooks like the error is https://jenkins07.openstack.org/job/gate-pycadf-python34/12/console21:07
bknudsonNo module named mox321:07
bknudsonso maybe it's just missing mox3 from test-requirements.txt?21:08
gordcpossibly? we can add it in if you'd like21:08
bknudsonactually, it looks like that error is coming from six.py... so maybe something with the level of six?21:08
bknudsonLet me just post a change to add it and see.21:08
gordckk. i'll probably only have time sunday night to confirm everything.21:09
bknudsongordc: https://review.openstack.org/#/c/177456/ -- adds mox321:10
bknudsonall of these reqs changes are going to conflict, so they'll have to be rebased.21:11
gordcright. i'll track the mox3 one for now.21:11
* gordc is not sure oslo.messaging stable/juno was py3 compatible21:12
bknudsonif that doesn't pass then I'll propose the infra change to disable py33 for stable/juno branch21:13
* bknudson really padding my stats now.21:14
*** e0ne has joined #openstack-keystone21:27
*** e0ne has quit IRC21:29
*** e0ne has joined #openstack-keystone21:33
dstanekbknudson: why use mox at all?21:33
sigmavirus24I thought mox was deprecated in favor of mock in openstack21:34
dstaneksigmavirus24: it is21:34
bknudsondstanek: on pycadf stable/juno? wasn't my choice21:34
bknudsonalthough it might still be in pycadf master21:34
openstackgerritMerged openstack/keystone: Tests use Database fixture  https://review.openstack.org/16434021:34
dstanekbknudson: ah, stable branch - i didn't realize that pycadf in juno supported py321:35
bknudsonit's in the tox.ini... although maybe it was never run21:35
bknudsonI should be able to find a review and see if py3 tests were run.21:36
openstackgerritMerged openstack/keystone: Eventlet green threads not released back to pool  https://review.openstack.org/13082421:36
openstackgerritMerged openstack/keystone: Add fernet to test_supported_token_providers  https://review.openstack.org/16706921:36
*** gordc has quit IRC21:44
bknudsonlooks like py33 wasn't run on pycadf 0.6, so should probably disable it rather than try to get it to work:21:49
bknudsonhttps://review.openstack.org/#/c/124878/21:49
*** bknudson has quit IRC21:49
ayoungmorganfainberg, just got a Federated unscoped token using Ipsilon, Kerberos, and SAML.  I think we are going to have to somehow make Kerberos not an auth plugin, or make auth plugins stackable.  But it works.21:51
*** stevemar has quit IRC21:53
*** e0ne has quit IRC22:00
*** pnavarro has quit IRC22:05
*** lhcheng has quit IRC22:09
*** _dguerri is now known as dguerri22:12
*** r-daneel has quit IRC22:15
ayoungdstanek, do you know how to get debugging info out of a client app?22:15
ayoungmorganfainberg, dstanek, I have a really simple app that just fetches an unscoped fed token, and I want to see what url it is sending to.  basically, I want it to dump its guts on the command line22:16
*** jdennis has quit IRC22:21
*** dguerri is now known as _dguerri22:22
*** jdennis has joined #openstack-keystone22:25
*** lhcheng has joined #openstack-keystone22:33
*** ChanServ sets mode: +v lhcheng22:33
*** ayoung is now known as ayoung-noms22:40
*** harlowja_ has joined #openstack-keystone22:41
*** harlowja has quit IRC22:41
*** bandwidth has quit IRC22:42
*** lhcheng has quit IRC22:46
*** lhcheng has joined #openstack-keystone22:48
*** ChanServ sets mode: +v lhcheng22:48
*** lhcheng_ has joined #openstack-keystone22:50
*** lhcheng has quit IRC22:53
lhcheng_samueldmq: on your v3 testing, are you consuming the v3 policy file?23:04
*** lhcheng_ is now known as lhcheng23:04
*** ChanServ sets mode: +v lhcheng23:04
*** alexsyip has quit IRC23:11
*** topol has quit IRC23:25
*** sigmavirus24 is now known as sigmavirus24_awa23:25
*** samleon has quit IRC23:42
*** jdennis has quit IRC23:51
