Wednesday, 2015-07-01

« Tuesday, 2015-06-30 Index Thursday, 2015-07-02 »
openstackgerritVladimir Eremin proposed openstack/keystone-specs: Keystone slaveification spec  https://review.openstack.org/19737900:04
*** spandhe has joined #openstack-keystone00:06
yottatsadstanek morganfainberg: done with proposal00:06
*** lhcheng_ has quit IRC00:09
yottatsaCan you please please look on it? Is everything correct?00:11
*** dsirrine_ has joined #openstack-keystone00:14
*** yottatsa has quit IRC00:21
*** chlong has joined #openstack-keystone00:21
*** csd has quit IRC00:26
*** sirushti has quit IRC00:28
*** diazjf has joined #openstack-keystone00:29
*** dims has joined #openstack-keystone00:32
*** sirushti has joined #openstack-keystone00:33
*** kfox1111 is now known as kfox1111_away00:33
*** csd has joined #openstack-keystone00:33
*** dims_ has joined #openstack-keystone00:35
*** dims has quit IRC00:39
*** geoffarnold has quit IRC00:40
*** ankita_w_ has quit IRC00:46
*** BrAsS_mOnKeY has quit IRC00:49
*** _cjones_ has quit IRC00:49
*** _cjones_ has joined #openstack-keystone00:50
*** _cjones_ has quit IRC00:55
*** crc32 has quit IRC00:55
*** sigmavirus24 is now known as sigmavirus24_awa00:58
*** boris-42 has quit IRC01:02
*** stevemar has joined #openstack-keystone01:02
*** Rockyg has joined #openstack-keystone01:03
*** BrAsS_mOnKeY has joined #openstack-keystone01:04
*** tellesnobrega_ has joined #openstack-keystone01:05
*** kiran-r has joined #openstack-keystone01:10
*** piyanai has joined #openstack-keystone01:11
*** r-daneel has quit IRC01:11
*** ncoghlan has joined #openstack-keystone01:19
*** davechen has joined #openstack-keystone01:20
*** ncoghlan has quit IRC01:20
*** ncoghlan has joined #openstack-keystone01:20
*** ncoghlan has quit IRC01:20
*** zzzeek has quit IRC01:23
*** Rockyg has quit IRC01:28
*** tellesnobrega_ has quit IRC01:38
*** diazjf has quit IRC01:47
*** ankita_wagh has joined #openstack-keystone01:54
*** kiran-r has quit IRC02:14
*** piyanai has quit IRC02:15
*** ankita_wagh has quit IRC02:18
*** ankita_wagh has joined #openstack-keystone02:19
*** Ephur_ has quit IRC02:19
jamielennoxstevemar, morganfainberg: want to have a look at two simple ones for me https://review.openstack.org/#/c/193422/ and follow up02:28
*** tqtran has quit IRC02:28
*** tobe has joined #openstack-keystone02:29
stevemaroh thats neat02:30
morganfainbergjamielennox: slick02:32
jamielennoxgodamn it - that's not what i wanted to show you02:32
*** juvenn has joined #openstack-keystone02:32
morganfainberglol02:33
jamielennoxhttps://review.openstack.org/#/c/196949/202:33
morganfainbergahaha02:33
jamielennoxthat and follow up is simple02:33
morganfainbergthat is a bit different yah02:33
jamielennoxthe glane one is about as good as it can be without a lot of refactoring02:34
jamielennox(that i don't want to do)02:34
*** Kennan has quit IRC02:38
*** Kennan has joined #openstack-keystone02:38
*** spandhe has quit IRC02:41
*** gyee has quit IRC02:52
*** fangzhou has quit IRC02:54
*** piyanai has joined #openstack-keystone02:59
openstackgerritMerged openstack/keystonemiddleware: Create a simple base class from AuthProtocol  https://review.openstack.org/18081602:59
*** ankita_wagh has quit IRC03:01
*** richm has quit IRC03:20
*** zzzeek has joined #openstack-keystone03:26
*** zzzeek has quit IRC03:26
*** htruta_ has quit IRC03:28
*** jecarey has joined #openstack-keystone03:43
*** mabrams has joined #openstack-keystone03:45
*** diazjf has joined #openstack-keystone03:45
openstackgerritSteve Martinelli proposed openstack/keystone: switch to oslo.cache  https://review.openstack.org/19587303:55
openstackgerritSteve Martinelli proposed openstack/keystone: Generate new config options for oslo.cache  https://review.openstack.org/19670003:55
*** stevemar has quit IRC04:00
*** stevemar has joined #openstack-keystone04:01
*** ankita_wagh has joined #openstack-keystone04:02
*** dims_ has quit IRC04:03
*** lhcheng has joined #openstack-keystone04:03
*** ChanServ sets mode: +v lhcheng04:03
*** juvenn has quit IRC04:06
*** juvenn has joined #openstack-keystone04:06
*** davechen has quit IRC04:07
*** davechen has joined #openstack-keystone04:08
openstackgerritMerged openstack/keystonemiddleware: Add user_token and service_token to request  https://review.openstack.org/19694904:17
*** davechen1 has joined #openstack-keystone04:17
*** davechen has quit IRC04:18
*** davechen has joined #openstack-keystone04:20
*** jecarey has quit IRC04:21
*** davechen1 has quit IRC04:22
*** morganfainberg is now known as caerbannograbbit04:24
*** caerbannograbbit is now known as CaerbannogRabbit04:24
*** tobe has quit IRC04:26
CaerbannogRabbitjamielennox: +a on that one btw.04:27
jamielennoxCaerbannogRabbit: oh, seet04:28
jamielennoxsweet04:28
jamielennoxCaerbannogRabbit: https://review.openstack.org/#/c/196950/ is almost exactly the same if you have a minute04:28
CaerbannogRabbitmaaaaybe04:29
*** piyanai has quit IRC04:31
*** henrynash has joined #openstack-keystone04:36
*** ChanServ sets mode: +v henrynash04:36
*** browne1 has joined #openstack-keystone04:40
*** browne has quit IRC04:40
*** kiran-r has joined #openstack-keystone04:41
*** hrou has quit IRC04:45
*** ajayaa_ has joined #openstack-keystone04:45
*** juvenn has quit IRC04:50
*** kiran-r has quit IRC04:56
*** kiran-r has joined #openstack-keystone04:56
*** ajayaa_ has quit IRC05:01
*** chlong has quit IRC05:03
*** dims has joined #openstack-keystone05:07
*** dims has quit IRC05:12
*** diazjf has left #openstack-keystone05:18
*** chlong has joined #openstack-keystone05:21
*** tobe has joined #openstack-keystone05:26
openstackgerritSteve Martinelli proposed openstack/oslo.policy: Move fileutils functions to oslo.policy  https://review.openstack.org/19742005:27
*** yottatsa has joined #openstack-keystone05:45
openstackgerritVladimir Eremin proposed openstack/keystone-specs: Keystone slaveification spec  https://review.openstack.org/19737905:57
*** tobe has quit IRC05:59
*** e0ne has joined #openstack-keystone05:59
*** chlong has quit IRC06:01
openstackgerritSteve Martinelli proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/19742806:01
*** chlong has joined #openstack-keystone06:01
*** chenhong has joined #openstack-keystone06:06
*** e0ne has quit IRC06:11
yottatsastevemar, why do you need it? )06:13
yottatsaI mean, config point rename06:13
stevemaryottatsa: ?06:13
stevemaroh, i'm just screwing around, testing something06:13
yottatsa:)06:13
stevemarignore that please :)06:13
yottatsaBTW, can you please re-review Keystone slaveification spec  https://review.openstack.org/19737906:14
stevemaryottatsa: yeah, probably tomorrow, looks like a good improvement though06:14
stevemari dont see any red flags06:14
stevemarred flags/warnings06:15
*** gokrokve has joined #openstack-keystone06:16
yottatsaActually I've got a code patch already. Can I propose it before spec will be Merged?06:16
stevemaryottatsa: sure06:16
openstackgerritSteve Martinelli proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/19742806:17
*** gokrokve has quit IRC06:18
*** ajayaa_ has joined #openstack-keystone06:19
*** chlong has quit IRC06:19
*** browne1 has quit IRC06:21
stevemaryottatsa: i'm done screwing around now :)06:23
yottatsaAre you writing some kind of automation?06:23
stevemaryeah, trying to anyway... https://review.openstack.org/#/c/177620/06:23
stevemarbed time for me! see ya06:28
*** stevemar has quit IRC06:28
*** stevemar has joined #openstack-keystone06:28
*** stevemar has quit IRC06:31
*** chlong has joined #openstack-keystone06:33
*** ianbrown has quit IRC06:35
*** arunkant__ has joined #openstack-keystone06:35
*** arunkant_ has quit IRC06:38
yottatsastevemar see ya!06:39
*** arunkant_ has joined #openstack-keystone06:43
*** lhcheng has quit IRC06:44
*** arunkant__ has quit IRC06:47
*** juvenn has joined #openstack-keystone06:48
*** ankita_wagh has quit IRC06:49
*** henrynash has quit IRC06:53
*** tobe has joined #openstack-keystone06:53
*** belmoreira has joined #openstack-keystone06:54
*** juvenn has quit IRC06:55
*** chenhong has quit IRC06:56
*** chenhong has joined #openstack-keystone06:57
*** lufix has joined #openstack-keystone06:57
*** pawel_ has joined #openstack-keystone07:09
*** abhishekk has joined #openstack-keystone07:12
*** chlong has quit IRC07:24
yottatsaJust found out thah "EngineFacade is deprecated.  Please use oslo.db.sqlalchemy.enginefacade for new development". Does anybody plan to rewrite keystone/common/sql/core.py onto new API?07:31
openstackgerritVladimir Eremin proposed openstack/keystone: Keystone slaveification spec  https://review.openstack.org/19745507:43
openstackgerritVladimir Eremin proposed openstack/keystone: Keystone slaveification  https://review.openstack.org/19745507:44
*** jistr has joined #openstack-keystone07:45
*** yottatsa has quit IRC07:49
*** kiran-r has quit IRC07:52
*** amaretskiy has joined #openstack-keystone07:54
*** e0ne has joined #openstack-keystone07:56
*** chenhong has quit IRC07:57
*** chenhong has joined #openstack-keystone07:57
*** afazekas is now known as __afazekas07:59
*** arunkant__ has joined #openstack-keystone08:07
*** fhubik has joined #openstack-keystone08:11
*** arunkant_ has quit IRC08:11
*** yottatsa has joined #openstack-keystone08:11
*** chenhong has quit IRC08:12
*** chenhong has joined #openstack-keystone08:12
bretonfolks, I would highly appreciate if you review https://review.openstack.org/#/c/190863/08:19
*** __afazekas is now known as afazekas08:20
*** chenhong has quit IRC08:23
*** chenhong has joined #openstack-keystone08:23
davechenbreton: seems no cores is still online and the author Deepti is not here too.08:26
davechenIt's a good patch, especially, as to the performance improvement.08:28
breton++08:29
*** dguerri` is now known as dguerri08:29
bretonthat's why I really-really want it in and maybe backported to kilo08:29
*** diabloneo has joined #openstack-keystone08:29
*** lsmola has joined #openstack-keystone08:29
*** chenhong has quit IRC08:30
*** stevemar has joined #openstack-keystone08:30
*** lhcheng has joined #openstack-keystone08:33
*** ChanServ sets mode: +v lhcheng08:33
*** stevemar has quit IRC08:34
*** e0ne is now known as e0ne_08:36
openstackgerritMarek Denis proposed openstack/keystone: OS-FEDERATION no longer extension in docs  https://review.openstack.org/19267108:36
*** juvenn has joined #openstack-keystone08:38
*** lhcheng has quit IRC08:38
*** e0ne_ is now known as e0ne08:38
*** rdo has quit IRC08:39
*** dguerri is now known as dguerri`08:41
*** rdo has joined #openstack-keystone08:41
*** e0ne has quit IRC08:41
*** lhcheng has joined #openstack-keystone08:45
*** ChanServ sets mode: +v lhcheng08:45
*** aix has joined #openstack-keystone08:48
*** afazekas is now known as __afazekas08:50
*** dims has joined #openstack-keystone09:08
*** dims has quit IRC09:14
*** BrAsS_mOnKeY has quit IRC09:21
*** BrAsS_mOnKeY has joined #openstack-keystone09:22
*** afazekas has joined #openstack-keystone09:24
*** BrAsS_mOnKeY has quit IRC09:26
*** BrAsS_mOnKeY has joined #openstack-keystone09:27
openstackgerritMarek Denis proposed openstack/keystone: Show friendly message when request body is not provided  https://review.openstack.org/19542909:30
*** aix has quit IRC09:31
davechenmarekd: thanks a lot. ;-)09:31
*** fhubik is now known as fhubik_afk09:32
marekddavechen: for? :-)09:32
davechenmarekd: there are a lot of work around that bugs.09:32
davechenah,  you just help ot rebase my patch, you forgot? too fast.09:32
marekdah, yes.09:32
marekddavechen: i saw few of your patches, so didn't remember which you could mention.09:33
davechenmarekd: haha, they need cores's reviews.09:33
marekddavechen: what's the difference between https://review.openstack.org/#/c/195001/5 and next one? They seem to have exactly the same commit title.09:33
davechenmarekd: this one is trying to close the bug  reported by someone.09:34
davechenbut after looking into that bug, I found a lot of entities in keystone has the same issue.09:34
davechenso, i just registered a blanket bug in LP.09:34
davechenand all of the rest go to that bug instead.09:35
*** e0ne has joined #openstack-keystone09:35
*** fhubik_afk is now known as fhubik09:35
davechenthe commit message is the same but the desc is a little different.09:35
davechenI am going to differentiate a little bit about the commit message in the following patch.09:36
davechenmarekd: seems you are not in US or Europe?09:36
marekdI am in Europe09:37
marekdin Switzerland.09:37
marekdwhy would you think I am not in Europe? It's freaking hot middle of my work day.09:37
davechenwhat's your time, I am a little scared, must be deep in light or early in the morning.09:37
marekd:-)09:37
marekd11.37 AM09:38
davechennot a bad time, :)09:38
marekdnot at all09:38
davechengreat, so I can catch you in this timeslot.09:38
marekdsure!09:38
marekdi feel lonely here09:39
davechenwhy? better than me09:39
marekdwhy?09:39
*** yottatsa has quit IRC09:40
davechenBut time difference.09:40
davechenbad*09:40
davechenhave a good day, I am going to take shuttle and back home.09:41
marekddavechen: thanks, you too.09:41
davechen;-)09:41
*** davechen has left #openstack-keystone09:42
*** bradjones has quit IRC09:44
*** bradjones has joined #openstack-keystone09:46
*** bradjones has quit IRC09:46
*** bradjones has joined #openstack-keystone09:46
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/19725409:56
*** aix has joined #openstack-keystone09:58
*** dims has joined #openstack-keystone09:59
*** lhcheng has quit IRC10:06
*** stevemar has joined #openstack-keystone10:19
*** stevemar has quit IRC10:22
*** fhubik is now known as fhubik_afk10:34
*** diabloneo has quit IRC10:36
*** e0ne is now known as e0ne_10:39
*** e0ne_ is now known as e0ne10:39
*** mabrams has left #openstack-keystone10:45
*** mabrams has joined #openstack-keystone10:45
*** mabrams has left #openstack-keystone10:46
*** abhishekk has quit IRC11:11
*** abhishekk has joined #openstack-keystone11:12
samueldmqmorning11:14
samueldmqdstanek: hi, you around ?11:14
*** yottatsa has joined #openstack-keystone11:16
*** fhubik_afk is now known as fhubik11:17
*** fhubik is now known as fhubik_afk11:18
*** ajayaa_ has quit IRC11:23
*** e0ne is now known as e0ne_11:24
*** e0ne_ is now known as e0ne11:24
*** yottatsa has quit IRC11:29
*** juvenn has quit IRC11:32
*** yottatsa has joined #openstack-keystone11:35
*** ajayaa_ has joined #openstack-keystone11:39
*** fhubik_afk is now known as fhubik11:41
*** tobe has quit IRC11:46
*** piyanai has joined #openstack-keystone11:47
*** arunkant_ has joined #openstack-keystone11:51
*** arunkant has joined #openstack-keystone11:54
*** arunkant__ has quit IRC11:54
*** jaosorior has joined #openstack-keystone11:56
*** arunkant_ has quit IRC11:57
*** fhubik is now known as fhubik_afk12:11
*** markvoelker has quit IRC12:14
*** markvoelker has joined #openstack-keystone12:14
dstaneksamueldmq: yes12:15
samueldmqdstanek: hey, I was looking at the domain-specific backends feature12:16
samueldmqdstanek: and confirmed that we don't support multiple SQL connections in there12:16
*** yottatsa has quit IRC12:17
samueldmqdstanek: would it be that hard to instantiate multiple Engine objects from sqlalchemy and manage them ?12:17
*** raginbajin has quit IRC12:18
*** yottatsa has joined #openstack-keystone12:18
*** kiran-r has joined #openstack-keystone12:18
*** raginbajin has joined #openstack-keystone12:19
samueldmqdstanek: actually I should've asked first if you're familiar with that code/feature :-)12:20
*** radez_g0n3 is now known as radez12:21
amaretskiyHi all!  Can someone review https://review.openstack.org/#/c/188457/ :)12:23
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/19648512:24
dstaneksamueldmq: there is actually a proposal somewhere for that; i don't think it's terribly hard (but not easy), but does start to get operationally tricky too12:25
samueldmqdstanek: great. I'll search for bps or specs on that12:27
samueldmqdstanek: with reseller that feature becomes still more important12:27
samueldmqdstanek: thanks12:27
*** zigo has quit IRC12:28
*** zigo has joined #openstack-keystone12:29
*** csoukup has joined #openstack-keystone12:32
*** kiran-r has quit IRC12:32
*** edmondsw has joined #openstack-keystone12:32
*** tellesnobrega_ has joined #openstack-keystone12:40
*** e0ne is now known as e0ne_12:41
*** e0ne_ is now known as e0ne12:42
*** bknudson has joined #openstack-keystone12:45
*** ChanServ sets mode: +v bknudson12:45
*** tellesnobrega__ has joined #openstack-keystone12:47
*** tellesnobrega_ has quit IRC12:49
*** jasondotstar has joined #openstack-keystone12:51
*** e0ne is now known as e0ne_12:53
*** tellesnobrega__ has quit IRC12:55
*** Ctina__ has joined #openstack-keystone12:56
*** e0ne_ is now known as e0ne12:57
*** jsavak has joined #openstack-keystone12:57
*** jecarey has joined #openstack-keystone13:00
*** radez is now known as radez_g0n313:06
openstackgerritVladimir Eremin proposed openstack/keystone: Keystone slaveification  https://review.openstack.org/19745513:09
*** woodster_ has joined #openstack-keystone13:11
*** stevemar has joined #openstack-keystone13:12
*** Ephur has joined #openstack-keystone13:13
openstackgerritMarek Denis proposed openstack/keystone: OS-FEDERATION no longer extension in docs  https://review.openstack.org/19267113:14
marekdbknudson: i  fixed you comments, can you re +2 ?13:14
*** trey has joined #openstack-keystone13:14
*** jsavak has quit IRC13:20
*** jsavak has joined #openstack-keystone13:22
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet provider validate_v3_token()  https://review.openstack.org/19687713:26
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet provider issue_v3_token()  https://review.openstack.org/19677413:26
*** topol has joined #openstack-keystone13:27
*** ChanServ sets mode: +v topol13:27
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet provider validate_v3_token()  https://review.openstack.org/19687713:27
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet provider issue_v3_token()  https://review.openstack.org/19677413:27
*** stevemar has quit IRC13:27
*** browne has joined #openstack-keystone13:28
lbragstadbknudson: do you know what happened with the timeutils strtime() issue? http://cdn.pasteraw.com/i3j45fhbtv6i0mgxupxb1xvy6jzkggb13:31
lbragstadbknudson: I remember seeing a commit you had that undeprecated it?13:32
bknudsonlbragstad: the fix is https://review.openstack.org/#/c/196842/13:32
*** richm has joined #openstack-keystone13:33
*** dsirrine_ has quit IRC13:33
jdandreabknudson: Is the Introduction to this out of date as well? It doesn't mention sessions until the second section. http://docs.openstack.org/developer/python-keystoneclient/using-api-v3.html13:34
jdandreaIf so, np - want to make sure I have my v3 ducks in order. :)13:34
bknudsonjdandrea: it is out of date.13:35
jdandreaok, thx13:35
*** jsavak has quit IRC13:36
*** jsavak has joined #openstack-keystone13:36
*** abhishekk has quit IRC13:38
samueldmqdstanek: I am working on the 'policy by url' spec now13:43
samueldmqdstanek: there is an interesting comment from you there13:43
*** trey has quit IRC13:43
samueldmqdstanek: let me know when you have some time to have a quick discussion on that13:43
*** Ctina__ is now known as ctina13:43
samueldmqdstanek: "s the URL just an arbitrary decision? Couldn't a deployer configure the url as 'rax-iad-compute' and then use that as the URL when storing the policy? Also, where is the URL configured?"13:44
*** dsirrine_ has joined #openstack-keystone13:45
openstackgerritLance Bragstad proposed openstack/keystone: Maintain the expiry of v2 fernet tokens  https://review.openstack.org/19647513:49
openstackgerritLance Bragstad proposed openstack/keystone: Do not require the token_id for converting v3 to v2 tokens  https://review.openstack.org/19647613:50
openstackgerritLance Bragstad proposed openstack/keystone: When validating a V3 token as V2, use the v3_to_v2 conversion  https://review.openstack.org/19648313:50
openstackgerritLance Bragstad proposed openstack/keystone: Convert issue_v2_token to always issue a v3_token and convert  https://review.openstack.org/19654813:50
*** arunkant_ has joined #openstack-keystone13:50
*** radez_g0n3 is now known as radez13:50
*** arunkant__ has joined #openstack-keystone13:52
dstaneksamueldmq: yessir, i did write that. even if it is arbitrary we should say that. making it a URL and not saying "it really doesn't matter what it is", I think, will make it difficult for a deployer since services may have multiple URLs pointing to them. which one do they pick?13:53
dstanekif it's arbitrary it doesn't matter which one13:53
*** arunkant has quit IRC13:54
*** arunkant_ has quit IRC13:55
*** gokrokve has joined #openstack-keystone13:56
*** jsavak has quit IRC13:56
*** zzzeek has joined #openstack-keystone13:56
samueldmqdstanek: that should be an URL exisitng in the service catalog13:57
samueldmqdstanek: I think we should be able to do taht somehow13:57
*** fhubik_afk is now known as fhubik13:57
samueldmqdstanek: what I'd like to talk to you was the REST aspects of those APIs, as I see some alternatives13:58
*** kiran-r has joined #openstack-keystone13:58
samueldmqdstanek: the challenge is : how do we associate a policy entity to an endpoint ?13:59
samueldmqdstanek: I see some available options:13:59
*** dims has quit IRC13:59
samueldmqdstanek: i) we could make the policy id a hash of the endpoint_url, so it would be easier to, for example, add a policy per project association, as we allow custom ids14:00
samueldmqbut I don't think it is REST, it may be being too flexible14:00
*** dims has joined #openstack-keystone14:00
*** jsavak has joined #openstack-keystone14:01
samueldmqdstanek: ii) we could create endpoint_url, service_id/type, region_id as attributes of policy entity14:01
*** jsavak has quit IRC14:02
samueldmqdstanek: iii) or simply create an attribute called 'target', that would contain filters, that could be one of the above .. as we have for endpoint group filters14:02
samueldmqi.e a policy is a resource that is owned/applies to a set of targets, identified by the filters defined in its 'target' attribute14:03
samueldmqdstanek: or iv) make associations via REST (kind of what we have today).. /policies/<policy_id>/endpoints/<endpoint_id>14:04
samueldmqthis one is very REST, but not sure how we can fit the url in there14:04
samueldmqthat's all ... sorry I said it was quick :(14:04
*** mylu has joined #openstack-keystone14:05
*** Ephur has quit IRC14:07
*** kiran-r has quit IRC14:07
*** e0ne is now known as e0ne_14:08
*** piyanai has quit IRC14:09
*** raildo has quit IRC14:12
*** sigmavirus24_awa is now known as sigmavirus2414:12
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/19648514:13
*** kiran-r has joined #openstack-keystone14:14
*** piyanai has joined #openstack-keystone14:15
*** piyanai has quit IRC14:15
*** raildo has joined #openstack-keystone14:15
*** mylu has quit IRC14:22
*** dguerri` is now known as dguerri14:22
*** stevemar has joined #openstack-keystone14:28
*** mylu has joined #openstack-keystone14:31
*** stevemar has quit IRC14:32
*** mylu has quit IRC14:35
*** hrou has joined #openstack-keystone14:39
*** darrenc_ has joined #openstack-keystone14:39
*** kiran-r has quit IRC14:40
*** serverascode_ has joined #openstack-keystone14:41
*** breton_ has joined #openstack-keystone14:41
*** devanand1 has joined #openstack-keystone14:41
*** gordc_af1 has joined #openstack-keystone14:41
*** Nakato_ has joined #openstack-keystone14:41
*** radez` has joined #openstack-keystone14:45
*** mtreinish_ has joined #openstack-keystone14:45
*** EmilienM_ has joined #openstack-keystone14:45
*** dguerri_ has joined #openstack-keystone14:45
*** rharwood_ has joined #openstack-keystone14:45
*** mtreinish has quit IRC14:46
*** rushiagr_away has quit IRC14:46
*** gordc_afk has quit IRC14:46
*** mancdaz has quit IRC14:46
*** EmilienM has quit IRC14:46
*** radez has quit IRC14:46
*** rharwood has quit IRC14:46
*** dguerri has quit IRC14:46
*** serverascode has quit IRC14:46
*** devananda has quit IRC14:46
*** Nakato has quit IRC14:46
*** darrenc has quit IRC14:46
*** breton has quit IRC14:46
*** timburke has quit IRC14:46
*** rharwood_ is now known as rharwood14:46
*** EmilienM_ is now known as EmilienM14:46
*** dguerri_ is now known as dguerri14:46
*** dguerri has quit IRC14:46
*** dguerri has joined #openstack-keystone14:46
*** mtreinish_ is now known as mtreinish14:46
*** mylu has joined #openstack-keystone14:46
*** diazjf has joined #openstack-keystone14:47
*** ayoung has joined #openstack-keystone14:47
*** ChanServ sets mode: +v ayoung14:47
*** slberger has joined #openstack-keystone14:48
*** timburke has joined #openstack-keystone14:48
*** fhubik is now known as fhubik_afk14:49
*** kiran-r has joined #openstack-keystone14:51
*** geoffarnold has joined #openstack-keystone14:55
*** serverascode_ is now known as serverascode14:56
*** geoffarnold has quit IRC14:57
*** geoffarnold has joined #openstack-keystone14:58
openstackgerritVladimir Eremin proposed openstack/keystone-specs: Keystone slaveification spec  https://review.openstack.org/19737914:58
yottatsaamakarov_away, buddy are you here?14:59
*** fhubik_afk is now known as fhubik15:01
*** devanand1 is now known as devananda15:01
*** ajayaa_ has quit IRC15:07
*** e0ne_ is now known as e0ne15:07
*** mancdaz has joined #openstack-keystone15:07
amakarov_awayyottatsa, yo!15:09
*** amakarov_away is now known as amakarov15:09
yottatsaCould you please re-review  https://review.openstack.org/19737915:09
yottatsaI've posted an explanation for this pretty usual case into spec.15:10
*** belmoreira has quit IRC15:10
amakarovyottatsa, my concern is about db configuration becoming messy15:10
amakarovyottatsa, I understand what are you proposing and see it's advantages15:12
yottatsaConfiguration option is already exists.15:12
amakarovyottatsa, also I see that cloud deployment will involve more 1 specialist15:12
amakarovs/more 1/1 more/15:13
amakarovand it troubles me15:13
yottatsa1 more for what?15:13
yottatsaslave_connection is not a required option. Leaving it unspecified makes code works like before and it's already done in oslo.db. And it's already implemented in Nova e.g.15:14
amakarovif it was just database admin, not it require a DevOps too15:14
*** piyanai has joined #openstack-keystone15:15
*** piyanai has quit IRC15:16
amakarovyottatsa, ok, the case: I want to deploy keystone in several DC15:16
yottatsaamakarov, okay, which DB you're using for it?15:16
amakarovyottatsa, I've configured Galera15:16
amakarovyottatsa, let it be mysal15:16
amakarovmysql15:16
amakarovwhat db architecture should I use?15:17
yottatsaamakarov, what do you prefer without this proposal?15:17
yottatsaamakarov, let's pretent there is no proposal15:18
yottatsaso you could connect keystone to local Galera replica (connection=sql://.....@localhost), but it have some implications15:19
*** e0ne is now known as e0ne_15:19
amakarovyottatsa, for now it's Galera in a weird mode when mysql is a master-slave cluster in the cloud and multi-master architecture across them15:20
*** e0ne_ is now known as e0ne15:20
amakarovyottatsa, agree - at least I have to wait for replications to complete15:20
amakarovSo do I having master-slave15:21
yottatsaamakarov, so you could select a designated Galera node and call it master and connect to it15:22
amakarovThe point is to have query routing configured somewhere outside of keystone15:22
amakarovyottatsa, +115:22
yottatsaso if you have noticeable RTT between keystone and this master, it push down the performance15:24
yottatsaI mean if you have no "query routing configured somewhere outside of keystone"15:24
yottatsaMy point (and proposal) it to use already exists slave_connection to fine grained routing, because it costs us few lines of code.15:26
*** afazekas has quit IRC15:26
yottatsa*is to use15:26
*** piyanai has joined #openstack-keystone15:26
CaerbannogRabbitbknudson: I want to point out it feels liked we are going backwards with the timeutils depreciations.15:26
* CaerbannogRabbit shrugs.15:26
*** jsavak has joined #openstack-keystone15:26
openstackgerritMerged openstack/keystone: OS-FEDERATION no longer extension in docs  https://review.openstack.org/19267115:27
bknudsonCaerbannogRabbit: oslo is deprecating it, not us15:28
*** mylu has quit IRC15:28
CaerbannogRabbitbknudson: I know. I just mean we are again carrying the time code *shrug* :(15:29
*** mylu has joined #openstack-keystone15:30
*** CaerbannogRabbit is now known as morganfainberg15:30
*** anhhuynx has joined #openstack-keystone15:30
amakarovyottatsa, ok, speaking in terms of use cases: I deploy a distributed cloud with synchronized assignment storage (live example). I've cpecified master/slave connections in the keystone config. I've placed use_slave everywhere I see fit (here will be problems). And then I discover I need to direct some additional query to the slave. What should I do?15:30
amakarovs/cpecified/specified/15:30
yottatsawhat do you mean "then I discover I need to direct some additional query to the slave"?15:32
amakarovyottatsa, I've found a bottleneck for example15:32
amakarovI see, that select query is executed on a master many times per action15:33
yottatsaspeaking of code, let's see an example https://review.openstack.org/#/c/197455/3/keystone/assignment/backends/sql.py15:33
*** jkomg has joined #openstack-keystone15:33
yottatsaI re-route read requests on slave with use_slave=True15:34
amakarovyottatsa, you've done it in the code15:35
yottatsaIt's because (I quote you) " I discover I need to direct some additional query to the slave//I've found a bottleneck " on a token issuing15:35
yottatsaamakarov, yep. What's wrong doing it in code?15:35
*** kfox1111_away is now known as kfox111115:35
amakarovyottatsa, I don't want to touch the code on a production environment15:36
*** chenhong has joined #openstack-keystone15:36
*** Lactem has joined #openstack-keystone15:36
amakarovIt was tested, checked, reviewed, approved and carved in stone15:36
amakarovyottatsa, I want to be able to do it in the same place I configured my database infrastructure15:37
morganfainbergraildo: ping15:37
*** hrou_ has joined #openstack-keystone15:37
*** hrou has quit IRC15:37
*** lufix has quit IRC15:38
yottatsaamakarov, you could use your existing infra in Fuel I guess )15:38
amakarovyottatsa, routing over routing? )15:38
yottatsaBTW, this code helps people who still didn't manage to make "query routing configured somewhere outside of keystone"15:38
yottatsaI prefer to have routing in application if application is designed to make it.15:39
*** jasondotstar has quit IRC15:39
amakarovyottatsa, let's postpone it a bit - I have a meetings scheduled15:40
amakarovs/meetings/meeting/15:40
yottatsacya15:40
yottatsaI'm off to lunch15:40
yottatsaamakarov, could you please mail yottatsa@yandex-team.ru (Russian maybe)15:41
openstackgerritTheodore Ilie proposed openstack/keystone: Add test case for deleting endpoint with space in url  https://review.openstack.org/19688315:43
Lactem: )15:43
*** yottatsa has quit IRC15:43
*** piyanai has quit IRC15:45
*** yottatsa has joined #openstack-keystone15:46
*** Lactem has quit IRC15:48
*** ajayaa_ has joined #openstack-keystone15:48
*** kiran-r has quit IRC15:48
gsilvisI'm working on some K2K federation stuff, and I'm a little confused.  I was under the impression that I could map projects in the IdP to new projects in the SP---is this doable?15:49
lbragstadcc marekd ^15:49
*** piyanai has joined #openstack-keystone15:49
*** mylu has quit IRC15:50
*** slberger1 has joined #openstack-keystone15:50
*** jasondotstar has joined #openstack-keystone15:50
*** slberger has quit IRC15:51
jdandreaFor Keystone v3 I'm getting an odd error. Not finding an explanation in the docs, which I'm striving to follow (for Sessions). Thoughts appreciated! http://paste.openstack.org/show/332395/15:56
*** henrynash has joined #openstack-keystone15:57
*** ChanServ sets mode: +v henrynash15:57
richmjdandrea: You need to specify a domain for your user15:59
*** BrAsS_mOnKeY has quit IRC16:00
richmjdandrea: you also need to specify either a project or a domain - not both16:00
jdandrearichm: domain_name='domain' doesn't do it then?16:00
richmjdandrea: That requests a domain scoped token16:00
jdandreaOk. Is there an example in the docs that shows this? I'm getting confused by the different terminology.16:00
richmjdandrea: Is there a user_domain_name parameter?16:00
richmIf so, that's what you use to specify the domain for the user16:00
jdandrearichm: There is. What's domain_name for then, hmm ...16:01
richmIt is to request a domain scoped token16:01
jdandrearichm: Ok. I'm confused then. I probably need to find a primer on all the different params and how they're used.16:01
richmBasically, when you request a token, you are requesting a token in order to use that token to do something16:01
jdandreaI can specify user_domain_id='domain' though.16:02
*** BrAsS_mOnKeY has joined #openstack-keystone16:02
richmyes, you can specify either the user_domain_name or user_domain_id16:02
*** BrAsS_mOnKeY has quit IRC16:02
richmAre you going to use that token to do something to an entire domain, or use that token to do something with a project inside a domain?16:02
jdandreaCould be one or the other, depending ...16:03
raildomorganfainberg, hi :)16:03
*** mylu has joined #openstack-keystone16:04
*** BrAsS_mOnKeY has joined #openstack-keystone16:04
morganfainbergraildo: https://review.openstack.org/#/c/153007/32/api/v3/identity-api-v3.rst what is "user is not available to projects above it"16:04
*** BrAsS_mOnKeY has quit IRC16:04
morganfainbergraildo: it's not super clear in the spec.16:05
richmjdandrea: Then you'll have to specify either the project_id (or project_name + project_domain_name), or the domain_name or domain_id, depending on what you are going to use the token for16:06
jdandrearichm: Thanks! That helps.16:07
*** jsavak has quit IRC16:07
jdandreaI think the notion of domain names in general is new to me and I'm confusing it with region names and such.16:08
*** jistr has quit IRC16:08
jdandreaI see domain name and think of a FQDN.16:08
*** shaleh has joined #openstack-keystone16:09
raildoI didn't find this in the link, but what I remember during the reseller discussion is, by default,  a user in a high level domain is not visible in the hierarchy. we need to grant a role for then in the subprojects16:10
raildomorganfainberg, ^16:10
*** yottatsa has quit IRC16:10
raildomorganfainberg, "not available" is very strong, I don't think that is the best way to describe the behaviour, maybe I can add some about it in the API spec16:12
*** BrAsS_mOnKeY has joined #openstack-keystone16:12
morganfainbergThat would be good.16:12
raildomorganfainberg, sure16:12
morganfainbergIt's uhmm. Add16:13
*** jsavak has joined #openstack-keystone16:13
morganfainbergSec*16:13
jdandrearichm: Tried it. I'm told the request requires AuthN but I gave it creds. Hmm. I followed http://docs.openstack.org/developer/python-keystoneclient/using-sessions.html (Sessions for Users) but did *not* set verify (not sure where the ca.cert would be).16:13
jdandreaWill keep hacking.16:13
morganfainbergraildo: not accessible16:13
morganfainbergRail do around line 86116:14
morganfainbergraildo: ^^16:14
*** jsavak has quit IRC16:14
*** dima__ has joined #openstack-keystone16:14
*** Lactem has joined #openstack-keystone16:15
ayoungmorganfainberg, I've been thinking about specs, and how to fix the process.  What I really thin we need is an online editor, where people can propose changes, the owner accepts or rejects changes, and then we vote  on accepting them at the weekly meeting16:18
raildomorganfainberg, I founded. ah, it's other argument. We think that a user created in a sub project.is_domain=true, can't have a role assignment in a parent project16:18
raildomorganfainberg, makes sense?16:18
ayoungSeems only Google docs has come up as tool that supports that.  I'll keep looking16:18
*** mylu has quit IRC16:18
bknudsonMicrosoft Word and email16:19
bknudsonhe he16:19
morganfainbergayoung: I'm about to just say we use bugs in LP. Having a separate tool is going to run into the same issues really.16:19
*** kiran-r has joined #openstack-keystone16:19
ayoungmorganfainberg, I would support you wholheartedly.16:19
*** _kiran_ has joined #openstack-keystone16:19
*** _kiran_ has quit IRC16:19
morganfainbergayoung: there is only one concern and I think we can solve it. The notion of "approved"16:19
morganfainbergTrying to figure that detail out.16:20
*** mylu has joined #openstack-keystone16:20
ayoungmorganfainberg, wouldn't that be "Triaged"16:21
morganfainbergWon't change API spec changes. But that is fine.16:21
morganfainbergayoung: soft of. That field is shared with "in progress" so you need to look at the history or guess about approval.16:21
*** spandhe has joined #openstack-keystone16:21
morganfainbergEspecially if there is POC code proposed.16:22
*** ajayaa_ has quit IRC16:22
*** ajayaa has joined #openstack-keystone16:22
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet provider validate_v3_token()  https://review.openstack.org/19687716:22
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet provider issue_v3_token()  https://review.openstack.org/19677416:22
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet provider issue_v2_token()  https://review.openstack.org/19764716:22
morganfainbergAnd we need to go back through all bugs and mark specs as wishlist / add "rfe" in the title. Finally anything that isn't a feature moves to low prio. The "approved" part is the only thing that has me stumped.16:23
morganfainbergAnd not sure how important that is.16:23
*** gyee has joined #openstack-keystone16:24
*** ChanServ sets mode: +v gyee16:24
*** chenhong has quit IRC16:26
*** rushiagr_away has joined #openstack-keystone16:26
ayoungmorganfainberg, I think collaborative editing is still important for big features, but I would prefer it if we put that energy into something that had a lifespan after the feature was released16:26
morganfainbergMaybe there is another LP setting I can tweak for this. I'll go poke at it today.16:26
openstackgerritLance Bragstad proposed openstack/keystone: Add unit test for fernet provider  https://review.openstack.org/19764916:26
ayoungand that was more of a living document16:26
morganfainbergThe API spec is still that.16:27
morganfainbergAnd anything broader wiki (like the dynamic policy)16:27
gsilvisIs there a guide somewhere for what exactly mapping rules can look like?  The API docs I've found don't really explain it16:28
morganfainbergayoung: and the docs.16:28
*** jk|osx has joined #openstack-keystone16:28
openstackgerritHans Feldt proposed openstack/keystone: Fix LDAP group filter  https://review.openstack.org/19765016:28
ayoungmorganfainberg, I want Wiki-with-approval16:29
*** jkomg has quit IRC16:31
morganfainbergayoung: ask -infra and the foundation about that. I don't know about our wiki tools but some wikis can support that.16:31
*** amaretskiy has quit IRC16:32
*** tqtran has joined #openstack-keystone16:33
ayoungmorganfainberg, actually, what I really want is Etherpad+approval16:33
ayoungbut wiki would probably work16:34
morganfainbergLet's not try and wedge that into the awful node app :P16:34
ayoungHeh16:34
ayoungNah, I'll look around and see if there is something that makes  sense.  Won't happen today16:34
*** vilobhmm has joined #openstack-keystone16:35
ayoungI like the git aspect of specs, just wish it were more of a collaborative effort16:35
*** geoffarnold has quit IRC16:35
ayoungIt would almost make sense for it to continue to be a git repo, but with a pull request approach, so you can conitnue to work in your home editor, but you can't make "comments" instead you offer your interpretation16:36
ayounglike fixing nits and the like16:36
*** diazjf has quit IRC16:36
ayoungI think that the gerrit approval is not what we want16:36
ayoungit should be a core vote instead16:36
ayoungthat way,  you don't have the case of "I can't approve this, because I wrote it"16:37
ayoungand it puts the onus on the cores to actually understand the specs....16:37
*** diazjf has joined #openstack-keystone16:40
morganfainbergayoung: Git (strictly as a versioning) is fine. It's all the other tooling around got that makes it bad for specs.16:43
morganfainbergAnd merging / conflict resolution tips it away from good.16:43
*** piyanai has quit IRC16:43
*** piyanai has joined #openstack-keystone16:43
ayoungmorganfainberg, exactly.16:44
*** geoffarnold has joined #openstack-keystone16:44
*** piyanai has quit IRC16:44
morganfainbergHonestly... Most bug trackers get this right.16:44
ayoungmorganfainberg, although I think that doing merging by hand for these kinds of docs would be trivial upon conflict.16:44
morganfainbergJust LP has a few glaring gaps and we can't fix that.16:44
ayoungmorganfainberg, I do like the idea that we track everything with the bug tracker16:45
ayoungBugzilla is a PITA too16:45
*** csoukup has quit IRC16:45
ayoungmorganfainberg, but, take https://review.openstack.org/#/c/192422/2/specs/backlog/policy-by-url.rst,cm16:45
morganfainbergSure. But one tool does what we need. Then. It is tracking work.16:46
ayoungmost of dstanek 's comments are just capitalization etc, and those should just be made in the doc.  Contrast that with david8hu 's request that we make it per project, which is "out of scope"16:46
ayoungI would be fine with dropping the Blueprint app.16:47
*** piyanai has joined #openstack-keystone16:48
morganfainbergI like the bugs because conversation can be preserved. Examples uploaded.16:49
morganfainbergAnd the description title can be edited.16:49
*** lhcheng has joined #openstack-keystone16:51
*** ChanServ sets mode: +v lhcheng16:51
*** roxanaghe has joined #openstack-keystone16:52
openstackgerritayoung proposed openstack/keystone-specs: Policy by URL  https://review.openstack.org/19242216:53
ayoungmorganfainberg, we are planning on merging identity-api-v3-os-endpoint-policy.rst into the core API, or leave it in an extension?  I need to know where to add the API for ^^16:54
*** aix has quit IRC16:55
*** belmoreira has joined #openstack-keystone16:55
*** mylu has quit IRC16:58
*** mylu has joined #openstack-keystone16:59
*** piyanai has quit IRC16:59
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Add is_domain in token response  https://review.openstack.org/19733117:00
*** hrou_ has quit IRC17:01
*** browne has quit IRC17:02
*** piyanai has joined #openstack-keystone17:03
*** sigmavirus24 is now known as sigmavirus24_awa17:04
morganfainbergayoung: no extensions.17:04
morganfainbergPlease don't bring them back ;)17:04
*** breton_ is now known as breton17:04
ayoungmorganfainberg, so what are we doing about the API docs?17:04
openstackgerritRoxana Gherle proposed openstack/python-keystoneclient: Change default endpoint type for Keystone v3 to 'public'  https://review.openstack.org/18520017:04
morganfainbergSlowly updating things.17:04
*** mylu has quit IRC17:05
morganfainbergThings are being made core. But we can't change the urls17:05
morganfainbergWe can say this is holdover from the past.17:05
ayounghttp://git.openstack.org/cgit/openstack/keystone-specs/tree/api/v3/identity-api-v3-os-endpoint-policy.rst  has the term "Extension" in there.  Should we at least modify the API specs17:05
morganfainbergAnd it's on/there by default17:05
morganfainbergYes. It's a slow migrate to remove it. It's happened elsewhere (federation)17:05
ayoungmorganfainberg, cuz there is no version in there for the extension17:05
bknudsonwe should provide the new url along with the old url17:06
*** mylu has joined #openstack-keystone17:06
morganfainbergbknudson: yes. We should.17:06
ayoungand this would be a rev of identity-api-v3-os-endpoint-policy.rst17:06
morganfainbergayoung: backlog moving the extension to core17:06
ayoungthis is starting to get microversioning17:06
*** lhcheng has quit IRC17:06
morganfainbergLeave it where it is.17:06
*** kiran-r has quit IRC17:07
morganfainbergWe can't micoversion until flask17:07
ayoungmorganfainberg, what about the API changes for policy_by_url17:07
*** lhcheng has joined #openstack-keystone17:07
*** ChanServ sets mode: +v lhcheng17:07
*** henrynash has quit IRC17:07
morganfainbergIf it makes sense leaving it in the same place as other things do that17:08
*** mylu has quit IRC17:08
morganfainbergWe will eventually get everything moved to core.17:08
morganfainbergIt was always planned to be a slow migrate because t is a lot of work.17:08
*** mylu has joined #openstack-keystone17:08
ayoungmorganfainberg, dream on here;  what would be the "right" solution for updating something that is today an extension17:09
ayoungis it "merge extension into core first"17:10
*** vilobhmm has quit IRC17:10
ayoungand then rev the API17:10
morganfainbergI'd prefer to merge it to core first17:10
morganfainbergBut if I can't have that I'll take the inverse17:10
ayoungmorganfainberg, can it stay in its own document17:10
*** vilobhmm has joined #openstack-keystone17:10
*** mylu has quit IRC17:10
*** mylu has joined #openstack-keystone17:10
ayoungand we just update the main document to point to the current extension doc?17:11
morganfainbergIt can stay as its own document. We could make each subsystem its own document if we wanted.17:11
morganfainbergI think that is fine17:11
*** dguerri is now known as dguerri`17:11
morganfainbergPoint the main doc at the separate doc. We might want to split documents out a bit anyway to make it easier to read / manage long term.17:11
samueldmqbtw I have something to discuss on the policy by endpoint URL thing ... ayoung17:12
*** geoffarnold has quit IRC17:13
samueldmqayoung: see http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2015-07-01.log.html#t2015-07-01T13:59:1717:13
amakarovmorganfainberg, ayoung: greetings! I see you have different opinion on resolving group role revocation issue: https://review.openstack.org/#/c/141854/ Can we reach a consensus somehow? :)17:14
*** geoffarnold has joined #openstack-keystone17:14
morganfainbergamakarov: my opinion is api behavior/contract break is there17:14
morganfainbergamakarov: I like your proposal much more than what we have personally.17:14
morganfainbergamakarov: really I am only -1 because of the behavior change. Which is against the contract.17:15
david8huayoung, samueldmg, I think we have enough resource to get per project done for Liberty.  We need to nail down a good design, and see how to divide it up among those that can help implement this thing.17:15
morganfainbergNot sure what to point you at to solve that.17:15
morganfainbergOr if this would be an "ok" break (my view is it really isn't ok to break the behavior... But I might be wrong / overruled here)17:16
samueldmqdavid8hu: you mean policy per project ?17:16
david8husamueldmq, yes policy per project at an url17:17
amakarovmorganfainberg, I agree, but there is a trade-off: if we revoke by user_id we'll end up with revocation event list as big as TRL we trying to get away from.17:17
morganfainbergbknudson: want to weigh in on ^ the behavior change (just look at my comment and the test case, doesn't need a whole review atm, just a second pair of "is this a real break")17:17
morganfainbergEyes17:17
*** piyanai has quit IRC17:18
*** ankita_wagh has joined #openstack-keystone17:18
amakarovmorganfainberg, so ayoung suggested to revoke by scope disregarding possible splash17:18
morganfainbergamakarov: let's get bknudson's view. I'll ok this if he says it's a reasonable break.17:18
morganfainbergOr not a real concern17:18
morganfainbergI want a second pair of eyes. Like I said, your solution is way better than today's17:19
bknudsonwhat API is breaking?17:19
david8husamueldmg, ayoung, roxanaghe noticed that nova is still using an incubator copy of oslo.policy.  I think roxanaghe is going to help migrate it to oslo.policy library :)17:19
*** diazjf has quit IRC17:19
*** e0ne is now known as e0ne_17:19
amakarovbknudson, hi! Here it is: https://review.openstack.org/#/c/141854/17:19
morganfainbergbknudson: revocation of a group assignment will cause all role-project tokens to be revoked17:19
morganfainbergNot just for those who are part of the group17:19
bknudsonwhy does the API have to change?17:20
*** e0ne_ is now known as e0ne17:20
morganfainbergSo it's change to role-project vs user-project.if(user is part of group)17:20
*** mylu has quit IRC17:20
morganfainbergbknudson: to minimize the number of events issues for revocation17:20
amakarovbknudson, several patches ago (on the summit actually) I offered fine-grained revocation by user-role-project for all users in the group17:20
* morganfainberg will17:21
morganfainbergLet amakarov explain17:21
* morganfainberg is on mobile.17:21
bknudsonbut the test is showing that there's more tokens being revoked than before17:21
samueldmqdavid8hu: I don't think we can have per project policy in L17:21
amakarovayoung suggested to revoke by role-project impacting some innocents17:22
amakarovbknudson, yes17:22
bknudsonI don't think which tokens are revoked on any operation is API breaking anyways17:22
*** mylu has joined #openstack-keystone17:22
amakarovand there is a reason for it17:22
david8husamueldmq,  why not?17:22
samueldmqdavid8hu: that requires another caching mechanism from what we have in place17:22
bknudsonwe could randomly revoke tokens17:22
amakarovif we revoke something for OUR users - it's ok to identify them17:22
samueldmqdavid8hu: that's a huge change and have to be very well discussed17:23
samueldmqdavid8hu: I prefer to put all the dynamic policies changes in place17:23
amakarovbknudson, but if users are from some external provider identifying them can be tricky17:23
samueldmqdavid8hu: have better default policies, better delegation17:23
morganfainbergbknudson: if you don't see revocations as an api break (in a case like this) I'm good with it.17:23
amakarovthat's how I understand ayoung's consern17:23
samueldmqdavid8hu: solve 968696 and then we can go for per project policy17:23
bknudsonI don't see revocations as an API break17:23
samueldmqdavid8hu: if that makes sense ..17:23
david8husamueldmq, we don't have a cache mechanism.  Let's get it right from the beginnning, so we do not need to band-aid it it later.17:24
morganfainbergbknudson: thanks that works for me.17:24
samueldmqdavid8hu: the cache mechanism is the way we store the policy into files, that will be read from the service17:24
morganfainbergbknudson: thanks.17:24
morganfainbergamakarov: let me do one more review. And I'll reverse the -117:24
samueldmqdavid8hu: that would require a per-project policy.json ?17:24
samueldmqdavid8hu: in the endpoints ?17:25
bknudsonhttps://review.openstack.org/#/c/141854/26/keystone/tests/unit/test_v3_auth.py -- should be using entrypoints rather than module paths17:25
*** jsavak has joined #openstack-keystone17:25
*** gokrokve_ has joined #openstack-keystone17:26
amakarovmorganfainberg, you're welcome. Actually I don't like the imperfect solutions, but this is a trade-off, I don't know how to make it more granular17:26
*** trey has joined #openstack-keystone17:26
morganfainbergamakarov: yeah. And I tend to err on conservative with api / behavior breaks17:26
morganfainbergSo... That s why I wanted another set of eyes.17:27
*** gokrokve has quit IRC17:27
amakarovmorganfainberg, hope to discuss a concept of short-term tokens on mid-cycle17:27
david8husamueldmg, something like PUT /policies/{policy_id}/OS-ENDPOINT-POLICY/{endpoint}/project/{project_id}17:29
*** e0ne is now known as e0ne_17:29
*** fangzhou has joined #openstack-keystone17:32
*** e0ne_ is now known as e0ne17:32
*** arunkant_ has joined #openstack-keystone17:32
*** mylu has quit IRC17:32
roxanaghesamueldmq, david8hu, what I noticed yesterday during some policy code reading is that there is a lot of code duplication in nova/neutron/etc for policy enforcement, do we want to move that to using a consolidated version of policy enforcement from oslo.policy?17:32
*** piyanai has joined #openstack-keystone17:33
*** mylu has joined #openstack-keystone17:34
samueldmqmorganfainberg: amakarov looking at that change, if a group role grant is deleted, *any* other token containing the same role and scope would be revoked as well17:34
amakarovsamueldmq, yes17:34
morganfainbergamakarov: I have a goal to kill bearer tokens.17:34
morganfainbergamakarov: and we have a path to do it.17:34
samueldmqmorganfainberg: amakarov I think the best solution would be a single notification telling the revoke API the exact assignment that was deleted17:34
morganfainbergMaybe 1-2 cycles from having all the prices in play17:34
morganfainbergPeices*17:34
samueldmqmorganfainberg: amakarov and then revoke api knows, if it was a group assignment, that it needs to ask identity_api to list users and then revoke the individual tokens17:35
amakarovsamueldmq, there is a problem: token doesn't have a group )17:35
*** e0ne has quit IRC17:35
samueldmqamakarov: sure, that's why you need to iterate over group's users17:35
*** arunkant has joined #openstack-keystone17:35
amakarovsamueldmq, so such revocation event can't be effectively used to validate tokens17:36
*** arunkant__ has quit IRC17:36
samueldmqamakarov: but iterating on gorup's users doesn't have to be done in the assignment_api, it should happen in the revoke_api17:36
samueldmqamakarov: that receive the event from asisngment deletion , and iterate over the users, revoking their individual tokens17:37
david8huroxanaghe, samueldmg, I think we need to go into each of the service to make those changes.  Otherwise, services won't be able to pickup the proposed customized policy overlay feature in the future.17:37
*** trey has quit IRC17:37
samueldmqdavid8hu: customized policy is just a dict on keystone server17:37
amakarovsamueldmq, I've done exactly this a couple of CR's before17:37
samueldmqdavid8hu: we download that and overlay the existing policy17:38
*** belmoreira has quit IRC17:38
*** fhubik has quit IRC17:38
samueldmqamakarov: I remember you iterated over the group's users in the assignment_api and raised a notification for each user17:38
*** arunkant_ has quit IRC17:38
david8husamueldmq, I am confused.  Aren't you plan to change oslo.policy?17:39
samueldmqamakarov: I am saying to raise a single notification on the exact assignment that was deleted, revoke_api will know what ot do and revoke properly17:39
amakarovsamueldmq, but 1: revocation list grows as big as TLR, 2: no way to validate tokens for external users17:39
*** trey has joined #openstack-keystone17:39
samueldmqamakarov: so we can't list users from a remote group ?17:40
amakarovsamueldmq, do you propose to fire a revocation event with group-role-resource?17:40
morganfainbergsamueldmq: you can only revoke on values in the token.17:40
morganfainbergamakarov: we could revoke user-role-project? It's less than token-id17:41
morganfainbergamakarov: but more than role-project17:41
samueldmqroxanaghe: we have the base policy.py that was imported to services through oslo-incubator17:41
samueldmqroxanaghe: that's now in oslo-policy, imported from individual services17:41
*** jsavak has quit IRC17:42
samueldmqroxanaghe: if there is some code that can still be shared, sure we can put that in the common oslo.policy library17:42
amakarovmorganfainberg, we can't revoke by federated users17:42
samueldmqmorganfainberg: that's exactly what I was saying17:42
morganfainbergBut federated users *do* have groups in the token, right?17:42
amakarovmorganfainberg, exactly17:43
samueldmqmorganfainberg: the revoke_api receives a notification saying (group,role,target) was delete17:43
amakarovmorganfainberg, I thought to complicate revocation logic a bit17:43
morganfainbergSo... We could do group-project-role and any non-federated users are user-project-role?17:43
samueldmqmorganfainberg: revoke_api decides what to do, iterate over the group's users (if it can do), etc17:43
morganfainbergit is a lot more complex that way.17:43
samueldmqmorganfainberg: +++17:43
amakarovmorganfainberg, and, by the way, after my last refactoring I think I can try this out...17:43
*** piyanai has quit IRC17:44
morganfainbergamakarov: I really am not opposed to your current solution.17:44
openstackgerritJason Obrien proposed openstack/keystone: Updated docs for Keystone startup  https://review.openstack.org/19722517:44
morganfainbergamakarov: we can make it more refined as an arson?17:44
morganfainbergAhdhhdhdhuxuudhh17:44
david8husamueldmq,  nova does not import oslo.policy.  It does "from nova.openstack.common import policy"17:44
morganfainbergStupid autocorrect17:44
morganfainbergIt turned itself back on post update17:45
samueldmqdavid8hu: it still doesnt, but will17:45
morganfainbergAs an addon*17:45
*** browne has joined #openstack-keystone17:45
samueldmqhehe17:45
*** mestery_ has joined #openstack-keystone17:46
*** richm has quit IRC17:46
david8husamueldmg, it?17:46
*** piyanai has joined #openstack-keystone17:46
samueldmqdavid8hu: yes all the services will import policy.py from oslo.policy (that's the same as defined on oslo-incubator)17:46
samueldmqdavid8hu: taht comes to services as openstack.common.. etc17:47
*** vilobhmm has quit IRC17:47
amakarovmorganfainberg, maybe stop as we are for now and postpone by-group revocation until after mid-cycle if we understand that revocations will last long enough?17:47
morganfainbergSure.17:48
roxanaghesamueldmq, david8hu - yup samueldmq is right I see now that the code is updated/synced from oslo_policy17:49
*** mestery has quit IRC17:49
roxanaghesamueldmq, david8u - that's a nice automated code duplication mechanism in my opinion. do we ever want to change that to import oslo_policy directly?17:50
samueldmqamakarov: morganfainberg I see somehting like this http://paste.openstack.org/show/332728/17:50
*** richm has joined #openstack-keystone17:50
*** rwsu has quit IRC17:50
samueldmqroxanaghe: yes the idea is to have every project improting from oslo_policy17:50
samueldmqroxanaghe: david8hu well... this is how things happen:17:50
samueldmqroxanaghe: david8hu common code first enters the incubation process, so it lives in the oslo-incubator process17:51
david8husamueldmq, roxanaghe,  Sounds like no-op, then.  Then what's the point of graduating oslo.policy ealier this year :)17:51
samueldmqroxanaghe: david8hu after they graduate to its own library (such as oslo-policy), services don't need to synchronize that code manually anymore17:51
amakarovsamueldmq, if we'll can revoke by group we won't need group iteration on revoke at all17:51
samueldmqroxanaghe: david8hu they just import it from the library instead17:52
samueldmqamakarov: only for federated users we can find group in the tokne17:52
*** jdennis has quit IRC17:52
samueldmqamakarov: for normal users we only have the user_id, so we'll need to iterate over them if they're not federated17:52
*** piyanai has quit IRC17:52
amakarovsamueldmq, for normal user we can request it's groups17:53
samueldmqdavid8hu: did I answer your question ? ^ that's the incubation proces17:53
roxanaghesamueldmq, ok - so services will take care of making this easy switch to oslo_policy direct impoirt somewhere in the near future..17:53
roxanaghe*import17:53
samueldmqroxanaghe: it's already happening, most of them already did, let me find the bug I've opened .. jsut a sec17:53
samueldmqroxanaghe: david8hu see https://bugs.launchpad.net/nova/+bug/145894517:54
openstackLaunchpad bug 1458945 in Cinder "Use graduated oslo.policy instead of oslo-incubator code" [Medium,In progress] - Assigned to Ivan Kolodyazhny (e0ne)17:54
*** rwsu has joined #openstack-keystone17:54
samueldmqamakarov: I think token revokation list is supposed to contain the exact information needed to decide whether a token is invalid, without needign to get back to keystone and looking at group's users or whatever17:55
roxanaghesamueldmq - cool!! that expains a lot of my doubts. thanks for the info17:55
samueldmqamakarov: so for each token coming form a user, you request his/her groups to check if there is a revokaiton to one of those groups in that target/role17:56
amakarovsamueldmq, TRL is supported17:56
samueldmqamakarov: that's terrible I think17:56
*** csoukup has joined #openstack-keystone17:56
samueldmqroxanaghe: np feel free to share any question/thought you have :)17:56
amakarovsamueldmq, agree17:57
amakarovsamueldmq, so current solution looks like a compromise17:58
amakarovsamueldmq, it creates TRL if needed, and a revocation event which impact a bit more than supposed17:59
*** browne has quit IRC18:01
samueldmqamakarov: yes and I appreciate you wanting to improve our current solution18:01
samueldmqamakarov: I'll take a better look at your patch later today and leave comments, though I think you got what I am saying :)18:01
samueldmqayoung: morganfainberg so ... I have listed the alternatives we have to associate a policy with an endpoint_url18:02
*** browne has joined #openstack-keystone18:02
samueldmqayoung: morganfainberg http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2015-07-01.log.html#t2015-07-01T13:59:1718:02
samueldmqayoung: morganfainberg I'd like to get a couple of eyes on that and then discuss it quickly, as I am working on the spec right now :)18:03
amakarovsamueldmq, do you know what is the entry point? bknudson is offline and I'm a bit lost what was he about in the patch comment...18:03
samueldmqayoung: morganfainberg well... whenever you're available, of course18:03
amakaroventrypoint18:03
*** mestery_ is now known as mestery18:04
*** Kennan has quit IRC18:04
samueldmqamakarov: I think he's talking about ... wait18:04
*** Kennan has joined #openstack-keystone18:05
samueldmqamakarov: I think that's somehting that allows you to only specify driver='kvs'18:06
*** sigmavirus24_awa is now known as sigmavirus2418:06
amakarovsamueldmq, blood magic 0_o18:06
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/19648518:06
lbragstadmorganfainberg: fyi, got these passing https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:consolidate-fernet-provider,n,z18:08
lbragstadworking on the consolidating the v2 validate token logic from Fernet into the BaseProvider, but it's pretty messy18:08
morganfainberglbragstad: nice18:09
morganfainberglbragstad: hope my patches help some on that front18:09
*** yottatsa has joined #openstack-keystone18:09
lbragstadmorganfainberg: yeah, they do, I think we'll probably have a merge conflict but.. that's fine18:10
samueldmqamakarov: well, it's in the 'revoke' group of the config, if you talk about 'kvs' there we can map it to keystone.contrib.revoke.backends.kvs.Revoke18:10
lbragstadmorganfainberg: I rebased your chain this morning18:10
morganfainberglbragstad: sounds good18:10
samueldmqamakarov: but you better confirm with bknudson , or just test it :)18:10
morganfainberglbragstad: yeah that was an unfun set of patches.18:10
amakarovsamueldmq, thank you - just run the tests using it - it works :)18:11
morganfainberglbragstad: and i've run into a series of just "odd" side effects because i was digging into the depths of the token providers18:11
lbragstadmorganfainberg: collapsing the v2 stuff into the base provider is going to be ugly :(18:11
openstackgerritAlexander Makarov proposed openstack/keystone: Group role revocation invalidates all user tokens  https://review.openstack.org/14185418:11
morganfainberglbragstad: thats why i did the work to make v2 issue like fernet first18:11
lbragstadmorganfainberg: at least with the issue path we have the _get_token_id() method that we can abstract things out to18:11
amakarovmorganfainberg, ayoung, bknudson, samueldmq  ^^18:12
morganfainberglbragstad: so we do v3 token -> convert -> get_id18:12
lbragstadmorganfainberg: the validate_v2_token might have to wait until your patches land?18:12
morganfainbergyeah probably18:12
lbragstadmorganfainberg: ok, I'm good with that...18:12
morganfainbergwell validate was easier than issue v218:12
morganfainbergfwiw18:12
morganfainbergvalidate was already passing18:12
morganfainberg(mostly)18:12
morganfainbergissue v2 is icky18:12
lbragstadyeah, i have issue v2, issue v3, and validate v3 passing now18:13
morganfainberglbragstad: https://review.openstack.org/#/c/196483/ validate18:13
lbragstadbut validate v2 is the rough one18:13
morganfainbergfor v218:13
morganfainbergthen collapsing fernet over really isn't crazy18:13
lbragstadawesome,18:13
morganfainbergjust a extract "sane values" in get_id18:13
lbragstadthat works18:13
morganfainbergbut first step is make the non-fernet look like fernet workflow18:13
lbragstadI'm going to wait to tackle collapsing the validate_v2_token() until that lands18:14
*** mylu has quit IRC18:14
morganfainbergok sounds good18:14
morganfainberglet me poke at your stuff here and see what i can +2.18:14
lbragstadmorganfainberg: awesome18:14
*** mylu has joined #openstack-keystone18:16
morganfainberglbragstad: and the nice thing is with this collapse, we test all of the code paths without needing to treat fernet as too insanely special18:16
morganfainberglbragstad: we should *probably* life most of the common provider code up into the manager18:16
morganfainberglbragstad: long term18:16
lbragstadmorganfainberg: yeah, that's going be awesome, then I can start the purge18:16
morganfainberglbragstad: that way we can really limit what the underlying provider needs to do18:16
morganfainbergif it really is just "get_id" or "extract_token_body"18:17
lbragstadthe purge of a million different types of test modules that describe different types of provider behaviors18:17
morganfainbergthat might make lives much easier18:17
lbragstad++18:17
*** kiran-r has joined #openstack-keystone18:18
samueldmqmorganfainberg: lbragstad so that the providers only contain the really essential code that differs between them, avoiding code duplication (and bugs) and tests as well18:18
samueldmqif I am understanding it well18:18
lbragstadsamueldmq: yeah18:18
*** diazjf has joined #openstack-keystone18:19
samueldmqlbragstad: hmm, looks something great :)18:19
lbragstadsamueldmq: everything with a provider should only be specific to that providers token implementation18:19
lbragstadsamueldmq: so if we can start pulling all the duplicate code out of differnet providers and consolidate it into the inherited methods of the BaseProvider, then we make testing each provider more sane because it's all the same code path18:20
morganfainberglbragstad: https://review.openstack.org/#/c/196774/ +2 ,but you could make the @property better18:20
morganfainberglbragstad: if you are spinning another patchset18:20
samueldmqlbragstad: ++ and a common test class for the baseprovide which is much more consistent18:20
lbragstadmorganfainberg: https://review.openstack.org/#/c/196774/8/keystone/token/providers/common.py18:21
samueldmqlbragstad: that looks sane18:21
lbragstadmorganfainberg: then we have to pass the auth_context to the property method?18:21
morganfainbergno18:21
lbragstadthen it wouldn't be a property method I don't think18:21
lbragstadoh18:21
morganfainbergif the @property raised NotImplemented18:21
morganfainbergjust check .supports_bind18:22
lbragstadoh18:22
morganfainbergif <provider>.supports_bind18:22
morganfainbergif you wanted to18:22
morganfainberg*shrug*18:22
morganfainberglike i said, i'm fine with it as is18:22
lbragstadand uuids .supprts_bind just passes18:22
lbragstadsamueldmq: ++ we should have a single test cases that we can read like a book that describes how tokens behave18:23
*** e0ne has joined #openstack-keystone18:23
*** e0ne is now known as e0ne_18:23
*** e0ne_ is now known as e0ne18:23
*** piyanai has joined #openstack-keystone18:23
*** e0ne has quit IRC18:23
lbragstadmorganfainberg: I like that better, I can respin another patch (or just change it in a different patchset since that already passed Jenkins?)18:23
morganfainbergadd it as a followup18:24
lbragstadmorganfainberg: will do18:24
morganfainbergif no one -1s18:24
morganfainbergor whatever18:24
morganfainberggyee: ^ could use some eyes on some nice cleanup patches18:24
morganfainberggyee: around fernet18:24
*** e0ne has joined #openstack-keystone18:24
morganfainberggyee: cause we all want fernet to be awesome18:24
morganfainberglbragstad: i'm surprised your issue_v2 token one was "just working"18:24
openstackgerritjanonymous proposed openstack/keystone: Python 3: Replace unicode with six.text_type  https://review.openstack.org/19386618:25
lbragstadmorganfainberg: yeah me too...18:25
lbragstadit was a "well, this *should* work", then run tox18:25
*** jdennis has joined #openstack-keystone18:25
morganfainbergi'd like to hold on that one until we get validate and expiry fixed18:25
morganfainberggyee: so https://review.openstack.org/#/c/196774/8 https://review.openstack.org/#/c/196877/ https://review.openstack.org/#/c/196475/18:26
morganfainbergthen we get to play some rebase fun18:26
*** jsavak has joined #openstack-keystone18:27
*** packet has joined #openstack-keystone18:29
*** slberger1 has quit IRC18:31
gyeemorganfainberg, yes, looking18:31
*** e0ne is now known as e0ne_18:34
*** piyanai has quit IRC18:34
*** piyanai has joined #openstack-keystone18:35
*** jaosorior has quit IRC18:36
*** e0ne_ is now known as e0ne18:37
*** kiran-r has quit IRC18:38
*** kiran-r has joined #openstack-keystone18:39
*** piyanai has quit IRC18:39
*** Rockyg has joined #openstack-keystone18:41
*** kiran-r has quit IRC18:44
jdandrearichm (or anyone who can help shed light): Continuing to run into AuthN problems using keystone v3. Steps to reproduce here: http://paste.openstack.org/show/332891/18:44
*** slberger has joined #openstack-keystone18:47
morganfainberggyee: i'm going to take a look at the user-agent patch from roxanaghe in a second here. I'd like to see that get merged so i'll de conflict and see if we cna address the comments quickly18:49
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet provider issue_v2_token()  https://review.openstack.org/19764718:49
openstackgerritLance Bragstad proposed openstack/keystone: Refactor _supports_bind_authentication method  https://review.openstack.org/19769918:49
lbragstadmorganfainberg: gyee moar token provider code!18:50
gyeemorganfainberg, sure, thanks18:50
*** gokrokve_ has quit IRC18:50
gyeejdandrea, I am guessing user don't have role assigned for the given project18:50
*** fangzhou has quit IRC18:50
gyeelbragstad, mo reviews18:51
roxanaghemorganfainberg, https://review.openstack.org/#/c/180769/12 this one? I am rebasing right now ..18:51
morganfainbergroxanaghe: oh okie :)18:51
*** bradjones has quit IRC18:51
morganfainbergroxanaghe: cool18:51
morganfainbergroxanaghe: i'll not rebase it for you then :)18:51
morganfainbergroxanaghe: yay!18:51
roxanaghemorganfainberg - you'll have something to review in 5 minutes :)18:52
morganfainbergwoot18:52
morganfainbergroxanaghe: yeah i didn't want that to get lost it is a useful thing to have18:52
*** bradjones has joined #openstack-keystone18:52
*** bradjones has quit IRC18:52
*** bradjones has joined #openstack-keystone18:52
gyeeroxanaghe, clock has started :)18:52
roxanaghehmm..18:53
lbragstadgyee:  responded https://review.openstack.org/#/c/196774/18:53
gyeelbragstad, please respin, if user id is missing we are in soup anyway18:54
lbragstadgyee: ok18:54
*** yottatsa has quit IRC18:54
*** lufix has joined #openstack-keystone18:54
*** yottatsa has joined #openstack-keystone18:57
*** yottatsa has quit IRC18:58
*** fangzhou has joined #openstack-keystone18:58
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet provider issue_v2_token()  https://review.openstack.org/19764718:58
openstackgerritLance Bragstad proposed openstack/keystone: Refactor _supports_bind_authentication method  https://review.openstack.org/19769918:58
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet provider validate_v3_token()  https://review.openstack.org/19687718:58
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet provider issue_v3_token()  https://review.openstack.org/19677418:58
*** Lactem has quit IRC19:00
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet provider validate_v2_token()  https://review.openstack.org/19770619:01
*** jsavak has quit IRC19:07
*** shaleh has quit IRC19:07
*** crc32 has joined #openstack-keystone19:08
*** crc32 has quit IRC19:10
*** crc32 has joined #openstack-keystone19:10
*** gokrokve has joined #openstack-keystone19:10
*** arunkant_ has joined #openstack-keystone19:10
*** boris-42 has joined #openstack-keystone19:13
*** arunkant has quit IRC19:14
odyssey4memarekd are you around, or perhaps anyone else who can help with a federation related question19:15
odyssey4me?19:15
richmjdandrea: I don't see anything obviously wrong19:21
jdandrearichm: Yep, me neither. *scratches head*19:22
*** ankita_wagh has quit IRC19:23
* morganfainberg will write code again sometime.19:23
* morganfainberg dreams.19:23
raildohaha19:24
gyeehe's in MLK I have a dream mode :D19:24
jdandrealol19:25
*** piyanai has joined #openstack-keystone19:25
raildomorganfainberg,  I have some patches in reseller, if you want to help :P19:25
*** kiran-r has joined #openstack-keystone19:26
gyeeodyssey4me, what's the issue?19:27
*** Lactem has joined #openstack-keystone19:28
odyssey4methanks gyee it would appear that the keystone SP is giving out it's IP address in the SAML data, whereas the metadata and external reference from the IDP only refers to the DNS name19:28
*** Lactem has quit IRC19:28
openstackgerritFernando Diaz proposed openstack/keystone: Adding Documentation for Mapping Combinations  https://review.openstack.org/19285019:28
odyssey4meso what's happening is the IDP is not authorising, saying that it doesn't know anything about resources on the IP address based URL19:29
*** anhhuynx has quit IRC19:29
gyeecan you do nslookup on IdP to see if those IP resolve to anything?19:31
odyssey4meI'm wondering whether there's a way to tell keystone/shibboleth that it needs to send the DNS name instead of the IP. The Shibboleth metadata only shows the DNS name, the Keystone Apache config has the DNS name, and the keystone public endpoint is DNS name based.19:31
odyssey4megyee that IP is the same as the DNS name - it's the right IP - but the IDP doesn't have any information about the IP - only the DNS name19:31
*** fangzhou has quit IRC19:32
gyeecan you paste the error log to pastebin somewhere?19:32
odyssey4megyee it's an ADFS IDP, FYI - will pastebin shortly19:33
bknudsonhttps://bugs.launchpad.net/python-keystoneclient/+bug/147062619:34
openstackLaunchpad bug 1470626 in python-keystoneclient "gate-tempest-dsvm failing when referencing keystoneauth1" [Undecided,New]19:34
bknudsonhow is that possible?19:34
*** dguerri` is now known as dguerri19:34
jdandreagyee, the user is admin and member for the project in question, and CLI works.19:34
bknudsonsomebody's using keystoneauth already?19:34
odyssey4megyee the event log error shown: http://pastebin.com/z8W3JNuj19:34
*** piyanai has quit IRC19:34
*** Rockyg has quit IRC19:35
*** gokrokve has quit IRC19:36
*** BrAsS_mOnKeY has quit IRC19:36
jdandreagyee, richm: The plot thickens. I wonder if *this* has anything to do with it. http://paste.openstack.org/raw/333048/19:36
jdandrea(In that example, I've edited it. "controller" is really a FQDN. The 10.1.1.1 IPs, however, actually exist as-is in keystone.19:36
*** jasondotstar has quit IRC19:37
*** Lactem has joined #openstack-keystone19:38
*** e0ne has quit IRC19:38
gyeejdandrea, you got a 401, not a 404 or unable to connect, so the endpoint is definitely servicing the request19:38
jdandreagyee: This is true.19:38
jdandreaI'm at a loss then. CLI works. python library returns a 401. Hmm.19:39
gyeejdandrea, most likely your user password is wrong, or you don't have any role for the given project19:39
jdandreaSame credentials (ostensibly).19:39
*** jsavak has joined #openstack-keystone19:39
jdandreaThe same credentials work using the CLI. The user is assigned as admin and member to the project in question.19:40
richmjdandrea: if the cli works, try enabling --debug to see the arguments passed to and from - unfortunately this will not show you the auth args (the data POSTed to the /v3/auth/tokens url)19:40
jdandrearichm: Trying ...19:40
odyssey4megyee rookie error - the resource I was accessing (Horizon) was where the IP address came from... sorry to waste your time :/19:41
gyeeodyssey4me, no problem, glad you got it working19:41
*** kiran-r has quit IRC19:42
jdandreagyee, richm: Boom. It's using the authurl endpoint under the hood. http://paste.openstack.org/show/333049/19:43
jdandreaEven though I gave it the publicurl one (?).19:43
Lactemhttps://review.openstack.org/#/c/196883/6 Can anyone take a look at my newest patch set?19:44
*** dguerri is now known as dguerri`19:44
jdandreaIf the python lib does the same thing, I imagine it won't work remotely (though it's also odd that it doesn't work *locally* either). Separately: Is there a good rationale I can give the cluster admin as to why adminurl endpoints should be publicly reachable?19:44
openstackgerritRoxana Gherle proposed openstack/keystonemiddleware: Send the correct user-agent to Keystone  https://review.openstack.org/18076919:44
jdandreaOh! It's also using v2.19:45
jdandreaRetrying and forcing v3.19:45
*** yottatsa has joined #openstack-keystone19:45
openstackgerritRoxana Gherle proposed openstack/keystonemiddleware: Send the correct user-agent to Keystone  https://review.openstack.org/18076919:45
*** yottatsa has quit IRC19:46
*** jsavak has quit IRC19:47
jdandreav3 refused. It falls back to v2, but the v3 endpoint is listed (this is kilo). Gaaah. :)19:47
*** jsavak has joined #openstack-keystone19:47
gyeejdandrea, you are using openstack CLI right?19:47
jdandreagyee: Yes.19:47
gyeeit should support v319:48
jdandreaTrying keystone --os-identity-api-version 3 --debug user-list (and v3, and 3.0).19:48
*** fangzhou has joined #openstack-keystone19:48
*** ctina_ has joined #openstack-keystone19:48
jdandreaNone of those work. It always falls back to 2. (WARNING: unsupported identity-api-version 3, falling back to 2.0)19:49
gyeeopenstack --os-identity-api-verison 3 --os-auth-type v3password --os-username username --os-user-domain-id domain_id --os-project-id project_id projects list19:49
roxanaghemorganfainberg - sorry that was way longer than 5 minutes, I got into some git squashing fights...19:49
jdandreaThe openstack command isn't on this cluster.19:49
gyeekeystone CLI does not support v319:50
jdandreapython-keystoneclient (keystone) won't work with v3?19:50
jdandreagyee: even though there's --os-identity-api-version? heh. ok.19:50
*** yottatsa has joined #openstack-keystone19:51
samueldmqgyee: --os-url $KEYSTONE_SERVICE_URI/v3 ?19:51
gyeeI hope we have a big fat warning in keystone CLI to indicate the fact that v3 is not supported19:52
*** yottatsa has quit IRC19:52
*** yottatsa has joined #openstack-keystone19:52
samueldmqgyee: I think we have to provide --os-url as well in osclient19:52
*** ctina has quit IRC19:52
bknudsongyee: tjere19:52
samueldmqgyee: based on this jamielennox's patch https://review.openstack.org/#/c/186682/9/functions-common19:52
*** Rockyg has joined #openstack-keystone19:52
bknudsonthere's no --os-api-version argument to keystone CLI19:52
jdandreagyee: What I see is "WARNING: unsupported identity-api-version 3, falling back to 2.0)" but I saw that and thought it didn't make sense because I see the endpoints in keystone plus they're advertised by the REST API.19:53
*** ctina_ has quit IRC19:53
openstackgerritRoxana Gherle proposed openstack/keystonemiddleware: Send the correct user-agent to Keystone  https://review.openstack.org/18076919:53
jdandreabknudson: I'm using keystone client 1.2.0 and I see  --os-identity-api-version in the Optional arguments. (?)19:53
*** piyanai has joined #openstack-keystone19:53
bknudsonjdandrea: ugh. we need to drop that19:54
gyeesamueldmq, we shouldn't need os-url19:54
bknudsonbut then the keystone CLI is deprecated already.19:54
*** yottatsa has quit IRC19:54
bknudsonso we'll be dropping the whole thing soon enough19:55
dstanekbknudson: it will be really interesting to see what happens when with the first release of ksc and doesn't include the cli19:55
bknudsonI think we'll be support 1.99 for a long time.19:56
Lactemdstanek: Hello.19:56
dstanekLactem: hi19:56
gyeedstanek, disappear for a week after the release so you won't get harm? :)19:56
LactemI made a new patch set.19:56
jdandreabknudson: So python-openstackclient will be the way to go for keystone going forward. I'll make that case to get it on the cluster. ;)19:56
dstanekgyee: it'll be the PTL at the time that will have to hide19:57
bknudsonjdandrea: python-openstackclient is the recommended replacement19:57
dstanekLactem: for which thing?19:57
Lactemhttps://review.openstack.org/#/c/196883/619:57
jdandreabknudson: Sounds good.19:57
Lactemdeleting endpoint19:57
*** amakarov is now known as amakarov_away19:58
jdandreabknudson: If I switch to python-openstackclient does all that documentation about python-keystoneclient and the libraries no longer apply? (Meaning do I now have to include different libraries to get the same functionality in my python scripts?)19:59
gyeedstanek, not that you care, but Cavs got Love!19:59
*** ajayaa has quit IRC19:59
bknudsonjdandrea: python-openstackclient uses python-keystoneclient20:00
bknudsonLove is a traitor20:00
gyeehah20:01
dstanekgyee: yeah, i saw that. maybe next year Lebron won't give up so easily20:01
*** yottatsa has joined #openstack-keystone20:01
dstanekLactem: i'll try it out now20:03
*** lufix_ has joined #openstack-keystone20:03
jdandreabknudson: Ah, so the CLI part is going away, but python-keystoneclient remains overall. It's just that the python-openstackclient will be the unified CLI way to get to it, and that supports v3.20:03
gyeeyep20:03
*** ankita_wagh has joined #openstack-keystone20:04
jdandreaExcellent.20:04
jdandreaAs for our adminurl endpoints being 10.1.1.1 ... :/20:04
yottatsaGood evening!20:06
yottatsaCan you please review https://blueprints.launchpad.net/keystone/+spec/keystone-slaveification?20:06
richmIf I add an endpoint using openstack --os-identity-api-version 3 endpoint create .... - should I be able to see them with openstack --os-identity-api-version 2 endpoint list?20:06
openstackgerritRoxana Gherle proposed openstack/keystonemiddleware: Send the correct user-agent to Keystone  https://review.openstack.org/18076920:07
gyeerichm, there's a bug :)20:07
richmgyee: link?20:07
gyeenot sure if we have one filed yet20:07
richmarg20:07
gyeebut you add an endpoint using v3, it won't show up in v220:08
richmgyee: yes, that's what I'm seeing20:08
richmgyee: should I go ahead and file it?  This is a major pain for puppet-keystone20:08
gyeethey are not backward compatible20:08
gyeerichm, yes, please file one20:08
gyeerichm, I just made aware yesterday20:09
richmwhat about the opposite?  If I add an endpoint with v2, can I see it with v3?20:09
gyeerichm, yes20:10
gyeeif you add an endpoint in v2, it will show up as 3 separate endpoints in v320:10
richmI guess we'll have to use that as a workaround20:10
*** belmoreira has joined #openstack-keystone20:11
gyeeyes, if you want to support both v2 and v320:11
richmwe have to20:11
*** jsavak has quit IRC20:12
richmwe will break all kinds of existing workflow if "openstack endpoint list" suddenly stops working after upgrading to Keystone v320:12
*** yottatsa has quit IRC20:14
*** belmoreira has quit IRC20:15
*** jsavak has joined #openstack-keystone20:15
richmhttps://bugs.launchpad.net/keystone/+bug/147063520:16
openstackLaunchpad bug 1470635 in Keystone "endpoints added with v3 are not visible with v2" [Undecided,New]20:16
*** e0ne has joined #openstack-keystone20:18
openstackgerritMerged openstack/oslo.policy: Move fileutils functions to oslo.policy  https://review.openstack.org/19742020:18
morganfainbergroxanaghe: no worries ;)20:22
*** cburgess_ has quit IRC20:23
*** cburgess has joined #openstack-keystone20:23
*** fangzhou has quit IRC20:26
samueldmqis there any real difference between different interfaces for the same endpoint ?20:26
htrutahey morganfainberg, do you think we have room for deprecating "/" in project names in liberty?20:27
gyeesamueldmq, yes20:27
samueldmqgyee: what is it? how do we distinguish them?20:27
htrutathat would make it easier for us to pass the project hierarchy in M20:28
morganfainberghtruta: it;s likely going to be an issue in general. you probably need to send to the ML and possibly the OPS ML too to see if people are using '/' much in project names20:28
samueldmqgyee: in the request? because looking at devstack, all three have the same url20:28
samueldmqgyee: http://paste.openstack.org/show/333095/20:28
*** packet has quit IRC20:28
htrutamorganfainberg: fine. I'll do it.20:29
gyeesamueldmq, keystoneclient let you choose which interface to use20:29
morganfainberghtruta: sorry it's just not something i can say "yes we can do this" or " no we can't"20:29
htrutabut form keystone side, we won't have much resistance, I guess. Right?20:29
htrutafrom*20:29
morganfainberghtruta: but i dont see an issue adding it to L - its a very minor if-check if we do deprecate it20:29
samueldmqgyee: how does keystone server know what interface you want to use ? does that go in the request ?20:30
samueldmqgyee: since we don't have different ports for different interfaces (except in keystone) I don't see how that could work20:30
gyeesamueldmq, in production, we do20:30
htrutain case we decide to go this way, will we need a spec for it?20:30
samueldmqgyee: how ? could you please give me an example ?20:31
gyeeinterface is not something controlled by keystone server20:31
gyeeit is used by the clients to talk to the service20:31
samueldmqgyee: so it should not be an information stored there, right ?20:32
htrutamorganfainberg: ^20:32
gyeesameuldmq, interface is a property of an endpoint,20:32
morganfainberghtruta: we will need to update the API spec and likely a lightweight spec saying "why we're doing it"20:32
morganfainbergbut ask the ML question first20:32
morganfainbergshould make the spec easier to justify if we're doing that route20:32
morganfainberg"hey see, no one uses this"20:33
samueldmqgyee: so you can reach an endpoint in different ways ... i.e different ports ?20:33
gyeeclient select endpoint by passing endpoint filter to auth plugin get_endpoint()20:33
htrutamorganfainberg: yes, I will. I was just wondering what the next steps would be, assuming that community will accept it20:33
dstanekLactem: that's getting closer20:33
LactemYay.20:33
gyeesamueldmq, yes20:34
samueldmqgyee: so different interfaces DO NOT make sense if they point to the same URL (hostname + port)20:34
gyeefor example, in deployment, I have a bunch of services running on the same host, they can just use to "internal" endpoints20:34
gyeeexternal endpoints are usually protected with SSL, proxies, rate/bandwidth limiting, etc20:35
gyeeinternal services talking to each other do not need to go through public endpoints20:35
samueldmqgyee: and internal endpoints can use local addresses20:35
samueldmqgyee: so the port can be the same, and addresses different20:36
gyeesure, that's also possible20:36
*** Jason10258 has joined #openstack-keystone20:36
samueldmqgyee: for example, internal keystone endpoint could be localhost:5000, while for public I show 150.165.23.13:500020:36
*** openstackgerrit has quit IRC20:37
*** jasondotstar has joined #openstack-keystone20:37
gyeesamueldmq, yes, that's possible20:37
myluHi guys I have a question about federation, about to mapping rules to be exact, is there anyone can help me with that?20:37
*** jasondotstar has quit IRC20:37
samueldmqgyee: so they make sense if I have different addresses and/or ports20:37
samueldmqgyee: so I could say an URL uniquely identifies and endpoint20:37
*** openstackgerrit has joined #openstack-keystone20:37
samueldmqgyee: is that right ? conceptually20:37
gyeesamueldmq, both20:37
gyeecould be different address and/or different ports20:38
samueldmqgyee: exactly20:38
samueldmqgyee: is my sentence above correct then ?20:38
samueldmqgyee: an URL shoudl uniquely idenitfy an endpoint20:39
gyeesamueldmq, one sec20:39
samueldmqgyee: because if it doesn't, tehre is no reason to use different interfaces :)20:39
samueldmqgyee: sure20:39
dstaneksamueldmq: endpoint is confusing sometimes because a single server can have multiple endpoints that point to the same controller on the same server20:39
*** ayoung has quit IRC20:45
*** arunkant__ has joined #openstack-keystone20:45
*** fangzhou has joined #openstack-keystone20:46
samueldmqdstanek: yeah20:47
samueldmqdstanek: the more I understand them, the more I think policy by URL would be appropriate20:48
samueldmqdstanek: my reasoning is: if you have different URLs, there is difference between different interfaces20:48
*** arunkant_ has quit IRC20:48
samueldmqthen you could have different policies .. otherwise, if there is no difference between different interfaces (even in the network level), there is no reason to have different policies (and they have the same url)20:49
samueldmqif that makes sense ...20:49
dstaneksamueldmq: so do you need to have a policy for each defined interface? if not what happends?20:50
samueldmqdstanek: if I want to have a policy per interface, I should have a URL per interface20:50
samueldmqdstanek: if I haven't different URLs, why do I even have different interfaces?20:51
dstaneksamueldmq: but that doesn't answer my question :-)20:52
dstanekif i have 2 different URLs that point to the same service/endpoint how many policies do i need?20:52
samueldmqdstanek: it depneds on your choic20:53
samueldmqe20:53
gyeeURL can be an endpoint for multiple services20:53
samueldmqgyee: for URL in the SC I understand as ADDRESS + PORT20:54
samueldmqgyee: so a single service20:54
samueldmqright ?20:54
dstaneksamueldmq: what happens if you only provide a policy for one of the URLs?20:54
samueldmqdstanek: and specify the other as being the endpoint_url in ksmiddleware, what does it do ?20:55
gyeepolicy per URL doesn't make sense20:55
gyeeURL can have multiple services20:56
samueldmqdstanek: gyee so I think a policy per endpoint_group makes sense20:56
samueldmqdstanek: gyee so we can group endpoints as we want20:56
dstaneksamueldmq: http://internal.service:3000 goes to a load balancer that eventually hits service-A - https://public.service:3000 goes through public SSL terminators/load balancers etc. and eventually hits service-A20:56
samueldmqneed20:56
dstaneksamueldmq: do i need to specify two different policies?20:57
*** spandhe has quit IRC20:57
gyeesamueldmq, yes, per endpoint group make sense20:57
samueldmqgyee: and the deployer chooses whatever makes sense to him20:57
dstaneksamueldmq: that's why i was down on using URL in that review20:57
samueldmqdstanek: you could allow everything in the internal endpoint20:57
samueldmqdstanek: as that could be supposed to be used by services internally20:58
samueldmqdstanek: so everything allowed policy for internal interface, for example20:58
samueldmqdstanek: if that makes sense20:58
dstaneksamueldmq: so do i need to specify two different policies?20:58
samueldmqdstanek: if you want to make them the same, you would both: i) associate the same policy with the 2 URLs20:59
gyeedstanek, endpoint group is much flexible20:59
dstanekgyee: i totally agree20:59
samueldmqdstanek: ii) define a policy for the service/region (what would be what we could get if you don't find a policy specific to that URL)20:59
*** arunkant__ has quit IRC21:00
gyeesamueldqm, service and region are essentially "endpoint groups"21:00
gyeeservice is a collection of endpoint of the same service_id21:00
samueldmqdstanek: although having to assign the policies for 2 urls doesn't make sense I htink21:00
gyeeregion is a collection of services21:01
dstanekgyee: but i think samueldmq wants to allow different policies for different URLs - not sure if that's useful to a deployer21:01
samueldmqdstanek: hey, however I can't provide 2 different policies for the same endpoint today, even if they have different URLs21:01
dstaneksamueldmq: right21:01
samueldmqdstanek: so we couldn't allow that, and have no way to restrict it on the server21:01
samueldmqdstanek: because it doesn't know anything21:01
samueldmqabout them being the same endpoint at the end21:02
gyeeURL by itself is meaningless21:02
dstanekthat's why URL is conffusing...which one should be used? in reality it doesn't matter because the thing in the config just has to match what's in the DB - the string could be arbitrary21:02
gyeeit is ambiguous21:02
samueldmqgyee: dstanek however we have the same issue with policy per endpoint_id21:03
samueldmqwhat does it happen if I have different policies for different endpoint ids that represent the same endpoint but in different interfaces21:03
samueldmqwhich one do I fetch ?21:03
dstaneksamueldmq: i always thought the service would have a single value in it's config policy="my awesome service policy" and that string would match what's in the database21:04
gyeedo we have an use case where policy is different for different interface?21:04
gyeeI would hope not21:04
dstanekis there a need to have a single service protected by different policies?21:05
samueldmqgyee: maybe we haven't but we don't restrict that in the server21:05
samueldmqgyee: so we allow one to do so21:05
gyeedstanek, highly unlikely21:05
gyeedstanek, I can't think of one21:05
dstaneksamueldmq: but you can't do it now by design21:05
dstanekwhy allow it if we don't need to?21:05
samueldmqdstanek: we don't need to allow it21:06
samueldmqdstanek: but how can we restrict it ?21:06
dstanekgyee: it would be easy enough to add that as a feature later - much harder to remove21:06
gyeesure21:06
dstaneksamueldmq: see my comment a few lines up about how i thought it was supposed to work21:06
samueldmqdstanek: we could allow one to define its own policy id21:07
samueldmqdstanek: and one specify the policy id in the middleware21:07
samueldmqdstanek: so you could call your policy stanek's-awesome-policy21:08
*** e0ne has quit IRC21:08
samueldmqdstanek: and set your endpoint to fetch that21:08
dstaneksamueldmq: right, i thought URL was picked arbitrarily as a way to know ahead of time what the value will be without having to wait for keystone to get an endpoint_id21:08
dstaneksamueldmq: exactly, that's why i made the comment about it being arbitrary21:09
samueldmqdstanek: yes, and that can be done by allowing one to define the identifier21:09
*** henrynash has joined #openstack-keystone21:09
*** ChanServ sets mode: +v henrynash21:09
samueldmqdstanek: puppet can set id to be the encoded URL, if the deployer wants it21:09
samueldmqdstanek: and we could advice people to do so, but not being the only thing we allow21:10
samueldmqhmmmm ... that makes sense21:10
dstaneksamueldmq: yep, it could be whatever they want. but as soon as you say it has to be a URL they will wonder which one...21:10
samueldmqdstanek: yeah, it can be whatever21:11
samueldmqdstanek: it can even be the deployer's shopping list that the deployer register on keystone as a policy json21:11
*** lufix_ has quit IRC21:11
samueldmqdstanek: and wants that fetched and applied to an endpoint's policy21:12
samueldmqdstanek: well ... really kidding :-)21:12
samueldmqdstanek: and identify that as /policies/my_shopping_list21:12
samueldmqgyee: you agree on this solution using custom ids (the user defines) and set what policy will be used in the endpoint by configuring that id21:16
samueldmqgyee: the id could be the url if one wants, or whatever :)21:16
samueldmqgyee: vs using the endpoint-group21:16
gyeeabsolutely21:17
gyeeso as long as the custom endpoint ID is globally unique21:17
samueldmqgyee: we don't care about endpoint ids, we don't care about endpoints at all in this solution21:17
samueldmqgyee: you register your policy with gyee-prefered-id21:17
samueldmqgyee: and tell middleware to fetch policy with id gyee-prefered-id21:18
samueldmqgyee: that's all21:18
dstanekyou would be specifying a policy ID rather than an endpoint ID21:18
samueldmqdstanek: exactly21:18
gyeehow's that different from register policy with endpoint group?21:19
gyeejust saying :)21:19
samueldmqgyee: you can have the id a priori21:19
samueldmqgyee: as you can define the policy's id21:19
samueldmqgyee: that's the motivation of using the URL21:19
samueldmqso CMS knows that a priori, if that makes sense21:20
gyeelet me get this straight21:21
gyee1) you can create endpoints with a custom ID so as long as the ID is globally unique21:22
samueldmqgyee: sure go ahead21:22
samueldmqgyee: no21:22
gyee2) then assign a policy for the given endpoint ID21:22
samueldmqgyee: you create policies, and tell middleware to fetch that specific policy21:22
samueldmqgyee: dstanek oh .. that way we don't touch the endpoint constraint solution anymore, that could be using the endpoint ids as opposed to URLs21:23
gyeeoh, policies with a custom ID?21:23
samueldmqgyee: yeah21:23
gyeewfm!21:23
gyeeI like the solution21:24
samueldmqgyee: :-) and for your solution for endpoint constraint you can use the endpoint ids .. as you were planning a few patch sets ago ... (I think)21:24
samueldmqdstanek: gyee great then! I have to go home .. thanks for this conversation :-)21:25
samueldmqmorganfainberg: ayoung cc ~21:25
samueldmq^21:25
gyeesameldmq, super, thanks!21:26
openstackgerritRoxana Gherle proposed openstack/keystonemiddleware: Send the correct user-agent to Keystone  https://review.openstack.org/18076921:26
*** jk|osx has quit IRC21:27
*** edmondsw has quit IRC21:28
*** radez` is now known as radez_g0n321:35
*** yottatsa has joined #openstack-keystone21:41
*** hrou has joined #openstack-keystone21:42
openstackgerritMerged openstack/keystone-specs: Enable listing of role assignments in a project hierarchy  https://review.openstack.org/18704521:42
*** diazjf has left #openstack-keystone21:43
yottatsagyee merge me merge me :)21:44
gyeesay what?21:45
yottatsagyee https://review.openstack.org/197379/21:46
yottatsathis morning there was double CR+221:47
gyeeoh, let me look21:48
gyeesorry I haven't read the whole thing yet21:48
openstackgerritTheodore Ilie proposed openstack/keystone: Add test case for deleting endpoint with space in url  https://review.openstack.org/19688321:48
yottatsasure!21:48
Lactemdstanek: I made the new patch set.21:49
*** ayoung has joined #openstack-keystone21:51
*** ChanServ sets mode: +v ayoung21:51
*** lufix has quit IRC21:51
*** bknudson has quit IRC21:51
*** mylu has quit IRC21:54
*** ianbrown has joined #openstack-keystone21:55
*** Lactem has quit IRC21:57
*** BrAsS_mOnKeY has joined #openstack-keystone21:58
*** jkomg has joined #openstack-keystone21:58
openstackgerritJason Obrien proposed openstack/keystone: Updated docs for Keystone startup  https://review.openstack.org/19722522:02
gyeeyottatsa, I like how you say "Carefully add ..." :D22:03
*** chlong has joined #openstack-keystone22:10
yottatsagyee :)22:15
yottatsaSpeaking about measurements22:16
yottatsagyee, our current Keystone Icehouse setup (pki, galera backend, designated master) experience some problems with offsite dc22:17
*** dims_ has joined #openstack-keystone22:17
yottatsaaverage ping is 7-8ms22:18
dstanekyottatsa: what do you mean by local replica in that spec?22:19
*** 20WABLD1U has joined #openstack-keystone22:19
*** 32NACAI4Z has joined #openstack-keystone22:19
yottatsadstanek: check out https://review.openstack.org/#/c/197379/3/specs/backlog/keystone-slaveification.rst,unified22:19
yottatsadstanek: Proposed Change section22:20
*** 20WABLD1U has left #openstack-keystone22:20
*** dims has quit IRC22:21
yottatsathere is a deployment example illustration, where is Galera node, Keystone and HAProxy installed on one server22:21
*** jk|osx has joined #openstack-keystone22:21
dstanekyottatsa: why callout a local server?22:21
dstanekyottatsa: don't you just want to have a slave connection so that you can spread out the safe reads?22:22
*** jkomg has quit IRC22:22
yottatsagyee, token issue on local MySQL: 110ms, on slow link: 340ms22:22
*** Jason10258 has quit IRC22:23
yottatsadstanek: I just want to have a slave connection for every safe read22:23
32NACAI4Zdstanek: Jenkins is about to +1 me.22:23
yottatsadstanek, and deployer can decide on thier what to use as a slave22:24
*** jsavak has quit IRC22:25
dstanek32NACAI4Z: ?22:25
32NACAI4ZOh I'm not sure why it changed my name.22:26
yottatsaI have 4 DC with RTT between them from 7 to 20 ms, so I prefer deployment I mentioned before22:26
*** jsavak has joined #openstack-keystone22:26
*** 32NACAI4Z is now known as Lactem22:26
dstanekyottatsa: that's why i was asking about the local replication; it sounds like you are suggesting that as a model since it's in the proposed change section22:27
LactemThat's better. dstanek: On Zuul, all the builds are almost done with success (and the two that sometimes fail already passed).22:27
yottatsadstanek: it's just a description I've added on 3rd iteration22:28
yottatsashould I remove it?22:28
LactemWait never mind. That's just check, not gate.   : /22:28
LactemWait but it doesn't have to go through gate until the +2s, so never mind that never mind.22:29
*** chlong has quit IRC22:30
*** chlong has joined #openstack-keystone22:30
dstanekLactem: i won't go into the gate until you get a +A22:30
Lactemdstanek: +A?22:31
gyeeyottatsa, dstanek, yeah, using local replica is a no brainer22:33
gyeeI can live with a little bit of replication lag, this is no different than local caching22:35
yottatsagyee, I've answered on comments22:36
dstanekgyee: yottatsa: what i don't get about the example is why a slave_connection is needed if you are active-active and each keystone has a database instance; can't you always read/write locally?22:36
yottatsadstanek, technically you can, but Galera is not really like it22:37
*** darrenc_ is now known as darrenc22:37
gyeedstanek, if you always write locally, you may run into collisions22:37
*** henrynash has quit IRC22:38
yottatsagyee, dstanek exactly22:38
yottatsadstanek, here is the paper https://www.percona.com/blog/2012/11/20/understanding-multi-node-writing-conflict-metrics-in-percona-xtradb-cluster-and-galera/22:38
dstanekbut in the example you are writing through HAProxy that will distribute writes to any of the three servers right?22:39
gyeethat example is for read I think22:39
yottatsadstanek, no. I've named Galeras as a master and slave. It's done by "backup" option in this http://docs.openstack.org/high-availability-guide/content/ha-aa-haproxy.html config22:40
yottatsaevery ``HAProxy`` connects to all Galera servers and all HAProxy use same Galera server in same time22:41
yottatsaSo slave_connection is going local, and master is going on "Galera 1" via any of HAproxy. And if "Galera 1" went down,  master  is going on "Galera 2"22:42
*** browne has quit IRC22:43
Lactemdstanek: Jenkins gave the +1. :)22:43
yottatsaas you need no write to db in Kilo + fernet, its a perfect solution that gives you 60ms on token issue and 5-40 ms on validation22:44
dstanekyottatsa: i think your example is confusing and hides the use cases (i'm not a deployer, so this configuration may be common)22:47
*** jsavak has quit IRC22:48
dstanekyottatsa: there are two real benefits that should be called out. the possibility of a local replica to speed up reads and the reduction in database load on the write node22:48
bigjoolshey. anyone else using testshib right now?22:49
bigjoolsI'm seeing it complain that my entity is missing, despite it appearing in their own list22:49
*** jsavak has joined #openstack-keystone22:50
yottatsadstanek, I'll make another patchset.22:52
openstackgerritVladimir Eremin proposed openstack/keystone-specs: Keystone slaveification spec  https://review.openstack.org/19737922:53
yottatsadstanek, gyee everything is fixed22:53
yottatsaup all night to send patch, up all night to get lucky ))22:55
openstackgerritRoxana Gherle proposed openstack/python-keystoneclient: Change default endpoint type for Keystone v3 to 'public'  https://review.openstack.org/18520022:56
*** topol has quit IRC22:56
*** jecarey has quit IRC22:57
*** jsavak has quit IRC22:58
yottatsadstanek, thank you, I've mentioned it22:58
*** _hrou_ has joined #openstack-keystone23:06
openstackgerritMerged openstack/pycadf: ensure id is not empty  https://review.openstack.org/19439723:08
*** _hrou_ has quit IRC23:11
yottatsadstanek, gyee: can you please re-vote? ))23:11
*** _hrou_ has joined #openstack-keystone23:11
yottatsajenkins +123:11
LactemSame, same.23:11
*** hrou has quit IRC23:12
*** _hrou_ has quit IRC23:12
*** hrou has joined #openstack-keystone23:12
*** Lactem has quit IRC23:13
yottatsaLactem :)23:16
*** piyanai has quit IRC23:19
*** Nakato_ is now known as Nakato23:19
*** fangzhou has quit IRC23:21
gyeeyottatsa, looks good!23:21
*** fangzhou_ has joined #openstack-keystone23:22
*** ctina_ has joined #openstack-keystone23:22
*** stevemar has joined #openstack-keystone23:32
openstackgerritlifeless proposed openstack/keystone: Update requirements by hand.  https://review.openstack.org/19777323:34
*** stevemar has quit IRC23:35
*** mylu has joined #openstack-keystone23:38
*** yottatsa has quit IRC23:38
*** browne has joined #openstack-keystone23:39
*** dsirrine_ has quit IRC23:40
openstackgerritlifeless proposed openstack/keystone: Update requirements by hand.  https://review.openstack.org/19777323:40
*** gyee has quit IRC23:40
*** ctina_ has quit IRC23:41
openstackgerritMerged openstack/keystone: Consolidate the fernet provider issue_v3_token()  https://review.openstack.org/19677423:44
*** jk|osx has quit IRC23:47
*** mylu has quit IRC23:52
*** dsirrine_ has joined #openstack-keystone23:53
*** trey has quit IRC23:53
*** mylu has joined #openstack-keystone23:55
« Tuesday, 2015-06-30 Index Thursday, 2015-07-02 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!