Wednesday, 2015-08-05

<samueldmq> dstanek: you still around? [00:35]
<samueldmq> dstanek: how far are you on getting CacheControl on ksclient? [00:36]
<openstackgerrit> Brant Knudson proposed openstack/python-keystoneclient: oslo-incubator apiclient.exceptions to keystoneclient.exceptions https://review.openstack.org/209302 [01:06]
<openstackgerrit> Jamie Lennox proposed openstack/keystoneauth: Split plugin loading https://review.openstack.org/190594 [01:20]
<openstackgerrit> Jamie Lennox proposed openstack/keystoneauth: Remove auth/ directory https://review.openstack.org/209304 [01:20]
<ajayaggarwal_> I am new to openstack. I have been reading about federation support in keystone. But it's not clear to me how the openstack command line clients make use of federated ids. [01:23]
<morganfainberg> dstanek: dude... http://uwsgi-docs.readthedocs.org/en/latest/Embed.html#step-3-embedding-flask-itself /impressed [01:25]
<openstackgerrit> Merged openstack/keystone-specs: Include groups in federated scoped tokens https://review.openstack.org/207159 [01:40]
<dstanek> morganfainberg: uwsgi is pretty awesome [01:44]
<morganfainberg> dstanek: i just proposed it to g-r [01:44]
<morganfainberg> dstanek: and thinking devstack using emperor mode [01:44]
<morganfainberg> kind of win [01:44]
<openstackgerrit> Jamie Lennox proposed openstack/keystoneauth: Move AccessInfo objects into own module https://review.openstack.org/209311 [01:47]
<openstackgerrit> Jamie Lennox proposed openstack/keystoneauth: Split plugin loading https://review.openstack.org/190594 [01:47]
<openstackgerrit> Jamie Lennox proposed openstack/keystoneauth: Move AccessInfo objects into own module https://review.openstack.org/209311 [01:52]
<openstackgerrit> Jamie Lennox proposed openstack/keystoneauth: Make missingproperty private https://review.openstack.org/209317 [01:58]
<openstackgerrit> Dave Chen proposed openstack/keystone: Cleanup tearDown in unit tests https://review.openstack.org/207753 [02:19]
<openstackgerrit> Dan Nguyen proposed openstack/keystone: Allow Domain Admin to get domain details https://review.openstack.org/208082 [03:13]
<openstackgerrit> Henrique Truta proposed openstack/keystone: Limit subtree and parents queries https://review.openstack.org/209132 [03:37]
<openstackgerrit> Henrique Truta proposed openstack/keystone: Honor domain operations in project table https://review.openstack.org/143763 [03:37]
<openstackgerrit> Henrique Truta proposed openstack/keystone: Restrict inherited role assignments to subdomains https://review.openstack.org/164180 [03:37]
<openstackgerrit> Henrique Truta proposed openstack/keystone: Change project name constraints https://review.openstack.org/158372 [03:37]
<kafka_> curl -s -X GET 127.0.0.1:35357/v3/users?inotexist=dd842 -H 'Content-Type: application/json' -H 'Accept: application/json' -H 'X-Auth-Token: 229cf704ae0e4ad2b55e1ee07aa2bc6c' | python -mjson.tool [04:08]
<kafka_> query parameter is a not exist property, and GET return all, is that valid? [04:09]
<morganfainberg> marekd, stevemar, dstanek: https://github.com/nginx-shib/nginx-http-shibboleth [05:12]
<stevemar> morganfainberg: ola [05:12]
<morganfainberg> trying to start the work to document other webserver and wsgi implementation options [05:13]
<morganfainberg> stevemar: isn't it crazy late there and a holiday or something [05:13]
<stevemar> morganfainberg: yes and yes [05:13]
<stevemar> morganfainberg: i'm back on the clock tomorrow [05:14]
* morganfainberg nods [05:14]
<morganfainberg> tomorrow i'll be camped in the coffee shop again [05:14]
<morganfainberg> then on a plane [05:14]
<morganfainberg> and then jetlagged. [05:14]
<stevemar> morganfainberg: coming or going? [05:15]
<openstackgerrit> Merged openstack/keystone-specs: List credentials by type https://review.openstack.org/209228 [05:22]
<morganfainberg> Headed home. [05:24]
<openstackgerrit> Jamie Lennox proposed openstack/keystoneauth: Remove auth/ directory https://review.openstack.org/209304 [05:32]
<openstackgerrit> Jamie Lennox proposed openstack/keystoneauth: Split plugin loading https://review.openstack.org/190594 [05:32]
<openstackgerrit> Jamie Lennox proposed openstack/keystoneauth: Remove oslo_config from auth plugin loading https://review.openstack.org/209348 [05:32]
<openstackgerrit> Jamie Lennox proposed openstack/keystoneauth: Move session loading into loading module https://review.openstack.org/209349 [05:32]
<openstackgerrit> Raildo Mascena de Sousa Filho proposed openstack/keystone: List credentials by type https://review.openstack.org/208620 [05:48]
<openstackgerrit> Raildo Mascena de Sousa Filho proposed openstack/keystone: List credentials by type https://review.openstack.org/208620 [06:01]
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex https://review.openstack.org/208823 [06:07]
<stevemar> jamielennox: weird trust issue on the ML [06:26]
<jamielennox> stevemar: everyone fighting like that - trust is bound to become an issue [06:27]
<stevemar> jamielennox: hardeeharhar [06:28]
<stevemar> http://openstack.markmail.org/search/?q=trust#query:trust%20order%3Adate-backward+page:1+mid:xp44mfkgwflaes3u+state:results [06:28]
<stevemar> the reader is seeing a KSC exception [06:29]
<jamielennox> yea, that was terrible [06:30]
<jamielennox> ah - damn, i saw this one land in the inbox but i was at conference [06:31]
<jamielennox> i thought i marked it somehow [06:31]
<stevemar> is it the common session? [06:32]
<jamielennox> stevemar: bah - turns out marking something as todo on my phone moves it to a completely app specific folder and so i never see it again [06:32]
<stevemar> \o/ [06:32]
<stevemar> productivity++ [06:32]
* stevemar thinks it's the common session [06:33]
<jamielennox> stevemar: hmm, it looks ok [06:34]
<stevemar> replied with that anyway [06:35]
<stevemar> i only have 1 meeting tomorrow! oh joy! [06:35]
<stevemar> jamielennox: poke around it if you can, otherwise no biggie [06:36]
<stevemar> i'm out for now, see ya! [06:36]
<jamielennox> stevemar: seeya [06:36]
<breton> kafka_: yes afaik [07:00]
<breton> morning, keystone [07:00]
<marekd> hey [07:00]
<marekd> morganfainberg: wow [07:32]
<morganfainberg> marekd: :) [07:33]
<marekd> morganfainberg: it was ofc re: nginx-shib thing :-) [07:33]
<morganfainberg> Yep [07:33]
<jiaxi> Hi, davechen [07:43]
<jiaxi> davechen: Hi [07:43]
<jiaxi> There are many places in unittest that use 'self.resource_api.create_domain' [07:44]
<jiaxi> Where is the domain created with 'self.resource_api.create_domain' stored? [07:45]
<davechen> jiaxi: hi jiaxi, [07:58]
<davechen> jiaxi: I just replied to your email, pls check it. [07:58]
<jiaxi> davechen: Thanks, I will [08:01]
<breton> jiaxi: in the in-memory database [08:18]
<jiaxi> breton: I want to understand the whole structure and design of keystone unittest. Can you recommend some docs to me? [08:19]
<jiaxi> breton: Before I read code of keystone, I will read docs. That will make the code easy to read. [08:21]
<jiaxi> breton: Are there any good docs about the unittest of keystone? [08:21]
<charz> Hi [08:25]
<charz> Can anyone help to review this patch https://review.openstack.org/#/c/179777/ [08:25]
<breton> jiaxi: I don't know any. Try looking at setUp of the test case you are interested in and check what it calls [08:25]
<jiaxi> breton: Good suggestion. Thanks. [08:26]
<vince_> on my attempt to federate keystone to google, I am using the new OidcPassword plugin and following this https://developer.ibm.com/opentech/2015/06/17/use-websphere-liberty-as-an-openid-connect-provider-for-openstack/ [08:49]
<vince_> here is my request and response, done by the plugin [08:49]
<vince_> http://pastebin.com/MQaCcNr8 [08:49]
<vince_> the problem is that I get this "Invalid OAuth 2 grant type: PASSWORD" error [08:49]
<vince_> (request method is post) [08:50]
<marekd> vince_: i suggest bugging stevemar later on [09:01]
<vince_> marekd: ok [09:07]
<vince_> on a related note, I was wondering why we would need to use the client id and secret at this level [09:07]
<vince_> as if apache is configured with the oidc module, that information is known to it [09:07]
<vince_> and one just needs to hit the federation auth uri on keystone and then apache does the redirect to the IdP [09:08]
<marekd> isn't client id a user specific thing? [09:08]
<vince_> it's app specific [09:08]
<marekd> vince_: what happens with >1 IdPs? [09:08]
<vince_> (afaik, and I don't know much :D) [09:08]
<vince_> marekd: in case of multiple IdPs, I don't know how and if the oidc apache mod can handle that, but I could imagine that you have different auth URIs, each one set up with its different OIDC settings [09:10]
<vince_> but my point is that it should be possible from the end-user pov to just provide the auth uri of keystone and its credentials for the IdP to authenticate [09:11]
<marekd> vince_: aha, i suggest talking with stevemar then : [09:11]
<vince_> marekd: ok, I will :), is he in canasa? [09:12]
<vince_> *canada [09:12]
<marekd> vince_: yes [09:12]
<marekd> toronto time. [09:12]
<vince_> still in its deep sleep probably :) [09:12]
<marekd> vince_: yes [09:14]
<marekd> vince_: he should be here in 5-6 hours. [09:14]
<openstackgerrit> Dave Chen proposed openstack/keystone: Remove the redundant code https://review.openstack.org/209414 [09:27]
<breton> davechen: https://review.openstack.org/#/c/201648/ [09:33]
<openstackgerrit> Boris Bobrov proposed openstack/keystone: Remove excessive transformation to list https://review.openstack.org/201648 [09:40]
<davechen> breton: ha, you have done that. [09:45]
<davechen> breton: I will drop it when I'm back home. :) [09:46]
<breton> I wonder, why do we populate token dates as isotime? [09:46]
<breton> why not timestamp or some datetime-like object that is converted to isotime before returning it to the user [09:47]
<davechen> breton: done. [09:50]
<morganfainberg> breton: wire format. Must be serialized to a primitive so string. In that case isotime is the clear winner [09:57]
<morganfainberg> We also historically stored the timestamps in a db serialized. [09:58]
<breton> morganfainberg: we store dates in db as isotime? [10:14]
<morganfainberg> When it is in a serialized form such as the token body [10:14]
<morganfainberg> Not when it is a top level column. We duplicate some of these data points for sql query purposes. Also remember we support storing serialized form in non-sql backends [10:16]
<openstackgerrit> Andrey Pavlov proposed openstack/keystonemiddleware: Adding parse of protocol v4 of AWS auth to ec2_token https://review.openstack.org/205440 [10:29]
<breton> morganfainberg: do we? http://paste.openstack.org/show/408223/ [10:52]
<breton> that's from kvs.py, create_token [10:53]
<breton> right after self._set_key(ptk, data_copy) [10:53]
<morganfainberg> See issued_at [10:53]
<morganfainberg> Different values different forms [10:54]
<breton> oh, ok, see it [10:54]
<morganfainberg> :) [10:54]
<morganfainberg> It all depends on a number of things [10:54]
<morganfainberg> But largely, legacy/compat/historical now [10:55]
<morganfainberg> Not really worth changing at this point. Drive towards fernet and then fix things like that as needed [10:55]
<breton> because of that we have to do something like https://review.openstack.org/#/c/208021/3/keystone/token/providers/fernet/core.py [10:56]
<amakarov> ayoung, hi! Should the driver for unified delegation be unified too, or it's better to implement separate driver for every component (assignment, trust, request token) [12:01]
<amakarov> ayoung, ? [12:01]
<openstackgerrit> henry-nash proposed openstack/keystone: Improve List Role Assignments Filters Performance https://review.openstack.org/137202 [12:04]
<openstackgerrit> henry-nash proposed openstack/keystone: Add support for data-driven backend assignment testing https://review.openstack.org/149178 [12:06]
<openstackgerrit> henry-nash proposed openstack/keystone: Add support for effective & inherited mode in data driven tests https://review.openstack.org/151623 [12:07]
<openstackgerrit> henry-nash proposed openstack/keystone: Add support for group membership to data driven assignment tests https://review.openstack.org/151962 [12:08]
<openstackgerrit> henry-nash proposed openstack/keystone: Broaden domain-group testing of list_role_assignments https://review.openstack.org/154302 [12:08]
<openstackgerrit> henry-nash proposed openstack/keystone: Test list_role_assignment in standard inheritance tests https://review.openstack.org/153897 [12:09]
<openstackgerrit> henry-nash proposed openstack/keystone: Add support for data-driven backend assignment testing https://review.openstack.org/149178 [12:12]
<openstackgerrit> henry-nash proposed openstack/keystone: Add support for effective & inherited mode in data driven tests https://review.openstack.org/151623 [12:15]
<openstackgerrit> henry-nash proposed openstack/keystone: Add support for effective & inherited mode in data driven tests https://review.openstack.org/151623 [12:16]
<breton> fg [12:22]
<openstackgerrit> henry-nash proposed openstack/keystone: Add support for group membership to data driven assignment tests https://review.openstack.org/151962 [12:23]
<openstackgerrit> henry-nash proposed openstack/keystone: Broaden domain-group testing of list_role_assignments https://review.openstack.org/154302 [12:24]
<openstackgerrit> henry-nash proposed openstack/keystone: Test list_role_assignment in standard inheritance tests https://review.openstack.org/153897 [12:26]
<openstackgerrit> henry-nash proposed openstack/keystone: Support project hierarchies in data driver tests https://review.openstack.org/154485 [12:27]
<openstackgerrit> henry-nash proposed openstack/keystone: Remove manager-driver assignment metadata construct https://review.openstack.org/148995 [12:30]
<breton> what's the reason to store reference to user and tenant in both token_data and in the root of the stored dict? [12:34]
<morganfainberg> Serialized token body vs indexed data. [13:27]
<morganfainberg> Searching for user in a json blob is expensive. [13:28]
<morganfainberg> Esp. Over many many many many many rows [13:28]
<bknudson> or searching for the tenant ID in the json blob [13:30]
<bknudson> morganfainberg: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/persistence/backends/sql.py#n141 [13:31]
<morganfainberg> bknudson: ++ [13:31]
<bknudson> btw - changing apiclient.exceptions seems to have worked, see https://review.openstack.org/#/c/209306/ (auth_integration branch passes) [13:32]
<bknudson> and https://review.openstack.org/#/c/209302/ is the change in master [13:33]
<breton> I am talking about kvs [13:54]
<breton> we currently store the whole dict in memcache [13:56]
<dstanek> morganfainberg: do you not sleep anymore? [14:05]
<dstanek> breton: kvs should die! [14:05]
<morganfainberg> I'm in australia until friday [14:05]
<openstackgerrit> Merged openstack/keystone-specs: Remove KDS from the list of api extensions https://review.openstack.org/208383 [14:06]
<morganfainberg> dstanek: it is 0:05 now [14:06]
<dstanek> morganfainberg: ah, that makes more sense [14:06]
<morganfainberg> dstanek: and I am trying to shift my schedule enough that I can avoid too much jet lag on the 17hr time change back home [14:06]
<dstanek> i thought this was part of your training :-) [14:06]
<morganfainberg> Lol [14:06]
<morganfainberg> Tomorrow night, no sleep. Sleep on the plane, 14hr flight. I leave at 10:30a Friday and land at 06:30a Friday in la [14:07]
<morganfainberg> Won't start really training until post PTL. [14:08]
<openstackgerrit> Vivek Dhayaal proposed openstack/keystone: Stable Keystone Driver Interfaces https://review.openstack.org/209524 [14:09]
<breton> dstanek: not yet [14:21]
<breton> it beats sql by performance [14:22]
<morganfainberg> breton: not really. [14:51]
<morganfainberg> breton: kvs beats sql in a limited cross section of performance [14:51]
<morganfainberg> Similarly sql really sucks if you don't flush the token table [14:52]
<vince_> stevemar: hello! I am using your OidcPassword plugin to federate with google and get auth from the CLI, I followed your blog post here (some parts, as the IdP here is google) https://developer.ibm.com/opentech/2015/06/17/use-websphere-liberty-as-an-openid-connect-provider-for-openstack/ [14:52]
<morganfainberg> The house keeping code in kvs is very expensive [14:52]
<vince_> stevemar: problem is that I am getting this "Invalid OAuth 2 grant type: PASSWORD" error, you can see the request and response here: http://pastebin.com/MQaCcNr8 [14:53]
<stevemar> vince_: hey there, uh... gimmie a sec, glad you are going through that, but i'm a bit busy at the moment, can you send me an email? [14:55]
<vince_> stevemar: sure! [14:56]
<vince_> I don't have your address though :D [14:56]
<iurygregory> hello stevemar, i have some questions about Federation, can you help me? [14:58]
<openstackgerrit> Brant Knudson proposed openstack/python-keystoneclient: oslo-incubator apiclient.exceptions to keystoneclient.exceptions https://review.openstack.org/209302 [14:59]
<bknudson> morganfainberg: I just added a bug to ^ so that if it breaks something we'll have more info. [15:00]
<samueldmq> ayoung: I was about to send out the email to the operators list, but just saw you did it [15:00]
<ayoung> samueldmq, heh [15:00]
<ayoung> I've been thinking about that one for a long time. We needed to get the ideas as clear as possible. [15:00]
<ayoung> I realized that focusing on the problems was not going to get buy in. Need to show the additional value [15:01]
<ayoung> samueldmq, either we will get crazy-too-much feedback or crickets. Let's see which. [15:02]
<iurygregory> stevemar, When using (OpenID Connector and SAML - shib/mellon) can I use other webserver instead of apache? [15:02]
<samueldmq> ayoung: ++ sounds good [15:03]
<ayoung> samueldmq, are you keeping up with the design discussion by Iorem and David? [15:03]
<samueldmq> ayoung: the horizon part of dynamic policy, [15:03]
<samueldmq> ayoung: not responded to that thread yet [15:04]
<ayoung> samueldmq, let them discuss, just keep abreast of the conversation [15:04]
<samueldmq> ayoung: ++ [15:04]
<ayoung> samueldmq, I kind of want to build support by letting as many voices be heard as possible. I think we have a good understanding of the approach and the tools needed...still details to clear up, of course. [15:05]
<samueldmq> ayoung: yeah [15:05]
<samueldmq> ayoung: the most we hear, more people get involved, and we won't face the issue we have today (lack of stakeholders) [15:06]
<ayoung> ++ [15:06]
<samueldmq> ayoung: btw, sharing a thought I had .. [15:06]
<samueldmq> ayoung: another thing .. what about a sort of Congress for access control policy checks? [15:06]
<samueldmq> ayoung: UFCG team started a similar project last year [15:07]
<ayoung> do you mean offload policy checks to a remote server? A remote PDP/PEP? [15:07]
<samueldmq> ayoung: basically you had a class per role, and you defined the checks like: list_users_any_domain = False, list_users_own_domain = True [15:07]
<samueldmq> ayoung: and that'd be ran against the cloud [15:07]
<samueldmq> I'd say PVP [15:08]
<samueldmq> Policy Validation Point [15:08]
<samueldmq> hehe [15:08]
<ayoung> samueldmq, that means Player-Versus-Player to me [15:08]
<ayoung> so validation before upload? [15:08]
<samueldmq> ayoung: not in this context, but we can play with it ofc [15:08]
<samueldmq> ayoung: you can run validation whenever you want [15:09]
*** diazjf has quit IRC15:09
samueldmqayoung: you define what you mean in a very very simple language15:09
samueldmqayoung: like list_users_any_domain = False, etc15:09
ayoungsamueldmq, so...I think that is what I was getting at with splitting up the role assignment from the scope check15:09
samueldmqayoung: so less susceptible to errors15:09
ayoungimagine if policy were just15:09
henrynashstevemar, dstanek, lbragstad: a plea for some eyes on https://review.openstack.org/#/c/137202/ there’s a lot piling up behind this one….15:09
dstanekbreton: it's actually going to be gone soon if my reviews get merged15:09
*** diazjf has joined #openstack-keystone15:10
ayoung"dentity:list_users"  : "role:member"\15:10
ayoungthe scope checks really should not be touched15:10
dstanekhenrynash: i'll take a look in a few. just finishing up a commit15:10
samueldmqhenrynash: we gotta have a cake for this review in the summit, like 1-year old15:10
henrynashdstanek: thx15:11
samueldmqayoung: hahahahaha I read that as "dentist:list_users"15:11
henrynashsamueldmq: yep, I’ll buy us all little fairy cakes with cherries on top…15:11
samueldmqhenrynash: +++15:11
bretondstanek: which ones?15:11
henrynashsamueldmq: (and that’s not a euphemism for anything….)15:11
*** HT_sergio has joined #openstack-keystone15:12
samueldmqayoung: even if they aren't, we could check (before splitting the policy)15:12
*** diazjf2 has joined #openstack-keystone15:12
samueldmqayoung: another option would be to have a DSL on the top of it (we didn't touch this part yet)15:12
*** diazjf1 has quit IRC15:12
samueldmqayoung: so you'd specify things like: "as an admin, I must be able to list users",etc15:13
ayoungsamueldmq, splitting the policy has another benefit, in that the dynamic could be based on the URL and the scope could be based on the resource fetched from the database.15:13
ayoungsamueldmq, yeah, I think we want to be able to run checks like that against policy15:13
samueldmqayoung: yes I know, I agree with the split15:13
dstanekbreton: catalog for sure - i'd like to revisit token to see what value is in there15:13
samueldmqayoung: and put the RBAC check in the middleware possibly15:14
ayoungright15:14
samueldmqayoung: btw, first reply to your email15:14
samueldmqayoung: loooking.....15:14
samueldmq:)15:14
bretondstanek: nah, I care only about memcache_pool for tokens.15:14
*** diazjf has quit IRC15:14
dstanekbreton: i think those are the only things that still have a kvs driver15:15
ayoungsamueldmq, good to see people focus on scale.15:15
*** diazjf has joined #openstack-keystone15:15
*** marzif__ has quit IRC15:15
*** afazekas_ has joined #openstack-keystone15:15
dstanekbreton: actually revoke too15:15
*** marzif__ has joined #openstack-keystone15:16
*** yottatsa has quit IRC15:16
samueldmqayoung: yeah15:16
*** Ephur has quit IRC15:16
samueldmqayoung: btw, I am implementing the missing bit of the fetch (the server side)15:16
ayoungsamueldmq, lets see if we get more feedback before answering.  I want this to be an operator driven discussion if possible15:17
*** diazjf2 has quit IRC15:17
samueldmqayoung: and I'll see if I can recover some of the work in the Policy Validation Point we made last year15:17
samueldmqayoung: sure15:17
ayoungsamueldmq, which part>15:17
ayoung?15:17
dstanekhenrynash: do you have any strong opinions on how this would work? https://bugs.launchpad.net/keystone/+bug/1437407/comments/1115:17
openstackLaunchpad bug 1437407 in Keystone "With using V3 cloud admin policy, domain admin unable to list role assignment for projects in his domain" [Medium,In progress] - Assigned to Guang Yee (guang-yee)15:17
ayoungdstanek, I do!15:17
samueldmqayoung: all the implementation of "centralized policy distribution mechanism"15:17
dstanekayoung: let me have it!15:17
ayoungdstanek, we need HMT for that15:17
samueldmqayoung: all the code is gonna be small15:17
ayounga domain admin should not be able to list role assignments for projects without some inheritance set up.15:18
samueldmqayoung: I guess ~1000 lines by summing up middleware + server + oslo15:18
*** diazjf1 has joined #openstack-keystone15:18
ayoungdstanek, so  that is why we were looking at "Domain IS-A project"15:18
ayoungif you get the role on the domain, and the role assignment is inherited, it would work15:19
ayoungbut, without that, we need some way to change a domain scoped role assignment to a project scoped one when inherited15:19
*** diazjf has quit IRC15:20
henrynashdstanek, ayoung: and we are adding some specific APIs to let you do some specific things, e.g. list roles in a project hierarchy (wip in progress at: https://review.openstack.org/#/c/208152/)15:20
*** diazjf has joined #openstack-keystone15:21
henrynashayoung, dstanek: but these apis will have a separate policy entry, rather than rely on domain scoping or any such thing15:21
ayounghenrynash, You do realize that you are lifting up the side of the tent and inviting the Camels on over, right?15:22
henrynashayoung: only the nice smelling ones15:22
henrynash(going off  line for a bit, back later)15:22
*** henrynash has quit IRC15:22
dstanekhenrynash: is there a spec for the api changes already proposed? i'm assuming your change is a replacement for https://review.openstack.org/#/c/180846/615:23
*** diazjf1 has quit IRC15:23
dstanek@filterprotected('non-smelly-camels')15:23
*** diazjf1 has joined #openstack-keystone15:23
bknudsonsome like smelly camels so it needs to use RBAC15:24
*** jack__ has joined #openstack-keystone15:24
*** vince_ has quit IRC15:24
*** diazjf has quit IRC15:25
jack__stevemar: Hi, steve. Would you please spare one minute in reviewing my patch set ? https://review.openstack.org/#/c/203312/15:25
*** vince_ has joined #openstack-keystone15:26
*** vince_ has quit IRC15:26
*** Ephur has joined #openstack-keystone15:26
*** diazjf has joined #openstack-keystone15:27
*** chris_19 has joined #openstack-keystone15:27
*** diazjf1 has quit IRC15:28
*** jack__ has quit IRC15:28
openstackgerritDavid Charles Kennedy proposed openstack/keystone: Move endpoint catalog filtering to default driver  https://review.openstack.org/16767515:28
*** yottatsa has joined #openstack-keystone15:29
*** diazjf1 has joined #openstack-keystone15:31
chris_19Trying to enable federation in keystone, but getting a 404 when I try accessing /OS-FEDERATION/identity_providers. Pretty sure I have this instance configured identically to another instance which works.15:32
*** diazjf has quit IRC15:32
*** afazekas_ has quit IRC15:33
*** bapalm_ has quit IRC15:34
*** diazjf has joined #openstack-keystone15:34
*** josecastroleon has quit IRC15:34
*** petertr7 is now known as petertr7_away15:35
*** diazjf1 has quit IRC15:36
*** gyee has joined #openstack-keystone15:36
*** ChanServ sets mode: +v gyee15:36
*** _cjones_ has joined #openstack-keystone15:36
chris_19but i can't figure out why the endpoint isn't even found15:37
openstackgerritLance Bragstad proposed openstack/keystone: Refactor: rename Fernet's unscoped federated payload  https://review.openstack.org/20219015:38
*** belmoreira has quit IRC15:39
*** bdossant has quit IRC15:39
*** diazjf1 has joined #openstack-keystone15:39
*** diazjf has quit IRC15:40
*** drjones has joined #openstack-keystone15:40
*** yottatsa has quit IRC15:41
*** drjones has quit IRC15:41
*** drjones has joined #openstack-keystone15:43
*** yottatsa has joined #openstack-keystone15:43
*** _cjones_ has quit IRC15:44
*** drjones has quit IRC15:47
*** piyanai has quit IRC15:49
*** geoffarnold has quit IRC15:52
*** bapalm_ has joined #openstack-keystone15:57
*** vivekd has quit IRC15:58
stevemarchris_19: any replies yet?15:59
*** dims_ has joined #openstack-keystone16:00
*** diazjf has joined #openstack-keystone16:01
*** ayoung is now known as ayoung-lunch16:01
*** dims__ has joined #openstack-keystone16:02
*** dims has quit IRC16:02
*** fhubik has quit IRC16:03
*** diazjf1 has quit IRC16:03
*** dims_ has quit IRC16:04
*** vivekd has joined #openstack-keystone16:05
*** jsavak has quit IRC16:08
*** jsavak has joined #openstack-keystone16:08
*** stevemar has quit IRC16:10
*** dims has joined #openstack-keystone16:11
*** stevemar has joined #openstack-keystone16:11
*** ChanServ sets mode: +v stevemar16:11
*** dims__ has quit IRC16:13
*** drjones has joined #openstack-keystone16:17
*** mylu has quit IRC16:17
*** raildo has joined #openstack-keystone16:18
*** mylu has joined #openstack-keystone16:20
*** phalmos has quit IRC16:20
*** jistr has quit IRC16:23
*** browne has quit IRC16:23
*** jistr has joined #openstack-keystone16:23
*** jistr has quit IRC16:24
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Move apiclient.base.Resource into keystoneclient  https://review.openstack.org/20959216:25
*** mylu has quit IRC16:25
*** mylu has joined #openstack-keystone16:25
*** pcaruana has quit IRC16:26
lbragstadmorganfainberg: dolphm looks like we have two patches that attempt to solve the same thing (https://review.openstack.org/#/c/208021/3, https://review.openstack.org/#/c/196475/3) which one should we move forward with?16:26
*** diazjf1 has joined #openstack-keystone16:26
lbragstadeach patch has a line of dependent patches behind it that could be consolidated into a single series16:27
lbragstador possibly worked in parallel16:27
bknudsonlbragstad: and there's duplicate bug reports16:28
*** diazjf has quit IRC16:28
lbragstadbknudson: ah, good point16:28
*** geoffarnold has joined #openstack-keystone16:29
lbragstadwell, bug 1459790 was opened a month earlier16:29
openstackbug 1459790 in Keystone "With fernet tokens, validate token loses the ms on 'expires' value " [Low,In progress] https://launchpad.net/bugs/1459790 - Assigned to Dolph Mathews (dolph)16:29
*** petertr7_away is now known as petertr716:29
*** diazjf has joined #openstack-keystone16:29
*** yottatsa has quit IRC16:30
lbragstadbut bug 1469563 has the reference to kilo16:30
openstackbug 1469563 in Keystone liberty "Fernet tokens do not maintain expires time across rescope (V2 tokens)" [High,In progress] https://launchpad.net/bugs/1469563 - Assigned to Lance Bragstad (lbragstad)16:30
*** openstackgerrit_ has joined #openstack-keystone16:30
*** diazjf1 has quit IRC16:31
*** diazjf1 has joined #openstack-keystone16:33
*** drjones has quit IRC16:33
*** diazjf has quit IRC16:34
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: List credentials by type  https://review.openstack.org/20862016:34
*** lhcheng has joined #openstack-keystone16:34
*** ChanServ sets mode: +v lhcheng16:34
*** piyanai has joined #openstack-keystone16:35
*** vivekd has quit IRC16:36
*** jsavak has quit IRC16:36
*** diazjf has joined #openstack-keystone16:37
*** yottatsa has joined #openstack-keystone16:37
*** diazjf1 has quit IRC16:38
*** yottatsa has quit IRC16:39
*** yottatsa has joined #openstack-keystone16:44
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation driver  https://review.openstack.org/20960016:45
*** _cjones_ has joined #openstack-keystone16:47
*** diazjf1 has joined #openstack-keystone16:48
*** ayoung-lunch is now known as ayoung16:49
*** spandhe has joined #openstack-keystone16:49
*** _cjones_ has quit IRC16:49
*** diazjf has quit IRC16:50
*** vivekd has joined #openstack-keystone16:56
*** mylu has quit IRC16:56
*** piyanai has quit IRC16:58
*** bapalm_ has quit IRC17:00
*** piyanai has joined #openstack-keystone17:01
*** _cjones_ has joined #openstack-keystone17:01
*** mylu has joined #openstack-keystone17:02
*** raildo has quit IRC17:03
*** openstackgerrit_ has quit IRC17:05
*** vivekd has quit IRC17:07
*** jasonsb has quit IRC17:10
openstackgerritLin Hua Cheng proposed openstack/keystone: List credentials by type  https://review.openstack.org/20862017:11
*** tsymancz1k is now known as tsymanczyk17:11
*** dims has quit IRC17:11
*** dims has joined #openstack-keystone17:12
*** e0ne has quit IRC17:13
*** diazjf has joined #openstack-keystone17:13
*** browne has joined #openstack-keystone17:14
*** diazjf1 has quit IRC17:15
*** mylu has quit IRC17:17
*** mylu has joined #openstack-keystone17:23
*** openstackgerrit_ has joined #openstack-keystone17:24
stevemarnkinder ayoung hey question for you guys17:29
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Deprecate openstack.common.apiclient  https://review.openstack.org/20960917:29
stevemarayoung: ever hear of a problem with RDO where the user is 404'ed on certain routes/paths?17:29
stevemarchris_19 can hit /OS-OAUTH1/consumers, but not /OS-FEDERATION/identity_providers17:30
*** diazjf1 has joined #openstack-keystone17:30
stevemargets a 401 on the prior, and on the latter he just gets 40417:31
stevemarlisting users/groups is all fine17:31
stevemarthe paste file seems fine too17:31
ayoungstevemar, V2 vs V3?17:31
stevemarv317:31
*** mylu has quit IRC17:31
ayoungthat might be intentional stevemar17:31
ayoungthe 404 might be what we return if the request is denied.  We do that a lot to not leak info17:32
stevemarthought, we edited paste.ini and removed oauth1 and federation, and reset httpd - the behaviour didn't change17:32
*** iamjarvo has joined #openstack-keystone17:32
*** iamjarvo has quit IRC17:32
stevemarayoung: hmm17:32
ayounglook at the API calls themselves17:32
stevemarever hear of that sort of weirdness around restarting httpd?17:32
*** iamjarvo has joined #openstack-keystone17:32
*** iamjarvo has quit IRC17:32
*** diazjf2 has joined #openstack-keystone17:33
*** diazjf has quit IRC17:33
*** iamjarvo has joined #openstack-keystone17:33
iurygregoryHey people, when using (OpenID Connector or SAML - shibboleth/mellon) can I use other web server instead of apache?17:33
*** iamjarvo has quit IRC17:33
*** marzif__ has quit IRC17:34
*** iamjarvo has joined #openstack-keystone17:34
ayoungiurygregory, so long as the web server supports SAML17:34
*** openstackgerrit_ has quit IRC17:34
ayoungiurygregory, from a Keystone perspective, the SAML has to get turned into REMOTE_USER and REMOTE_GROUPS or some other mappable env var17:34
*** diazjf1 has quit IRC17:35
*** piyanai has quit IRC17:35
iurygregorythanks ayoung17:35
*** diazjf has joined #openstack-keystone17:35
*** piyanai has joined #openstack-keystone17:37
*** diazjf2 has quit IRC17:37
*** piyanai has quit IRC17:38
*** piyanai has joined #openstack-keystone17:39
*** piyanai has quit IRC17:39
*** lsmola has quit IRC17:42
*** mylu has joined #openstack-keystone17:44
*** iamjarvo has quit IRC17:45
*** piyanai has joined #openstack-keystone17:45
*** petertr7 is now known as petertr7_away17:46
*** piyanai has quit IRC17:47
*** piyanai has joined #openstack-keystone17:50
openstackgerritHenrique Truta proposed openstack/keystone: List projects filtering by is_domain flag  https://review.openstack.org/15839817:51
*** piyanai has quit IRC17:52
*** diazjf1 has joined #openstack-keystone17:52
*** e0ne has joined #openstack-keystone17:53
*** piyanai has joined #openstack-keystone17:54
*** mylu has quit IRC17:55
*** diazjf has quit IRC17:56
*** petertr7_away is now known as petertr717:56
*** mylu has joined #openstack-keystone17:57
openstackgerritHenrique Truta proposed openstack/keystone: Restricting domain_id update  https://review.openstack.org/20721817:58
*** diazjf has joined #openstack-keystone17:59
stevemarayoung: well that was super weird17:59
ayoungthat's what...oh forget it18:00
stevemarwe needed to specify the full path to the paste file in keystone.conf, it wasn't picking it up by default18:00
*** bapalm_ has joined #openstack-keystone18:00
*** diazjf1 has quit IRC18:01
*** mylu has quit IRC18:01
*** mylu has joined #openstack-keystone18:01
*** diazjf1 has joined #openstack-keystone18:02
*** diazjf has quit IRC18:04
*** bapalm_ has quit IRC18:06
*** yottatsa has quit IRC18:06
*** phalmos has joined #openstack-keystone18:07
*** urulama has quit IRC18:15
*** urulama has joined #openstack-keystone18:15
*** jasonsb has joined #openstack-keystone18:17
*** tsymanczyk has quit IRC18:19
*** yottatsa has joined #openstack-keystone18:25
*** mylu has quit IRC18:26
*** mylu has joined #openstack-keystone18:26
*** diazjf1 has left #openstack-keystone18:28
*** josecastroleon has joined #openstack-keystone18:29
*** yottatsa has quit IRC18:29
*** yottatsa has joined #openstack-keystone18:31
*** mylu has quit IRC18:33
*** tsymanczyk has joined #openstack-keystone18:35
*** mylu has joined #openstack-keystone18:35
*** tsymanczyk is now known as Guest3544618:35
openstackgerritAlexander Makarov proposed openstack/keystone: Assignment driver cleaning  https://review.openstack.org/20962418:35
*** ayoung has quit IRC18:38
*** openstackgerrit has quit IRC18:46
*** mylu has quit IRC18:46
*** openstackgerrit has joined #openstack-keystone18:47
*** mylu has joined #openstack-keystone18:49
*** mylu has quit IRC18:50
*** mylu has joined #openstack-keystone18:50
*** geoffarnold has quit IRC18:55
*** josecastroleon has quit IRC18:58
*** geoffarnold has joined #openstack-keystone19:01
*** thedodd has quit IRC19:04
morganfainberglbragstad: lose ms is different than losing consistent expiry19:07
lbragstadso keep them separate?19:08
morganfainbergSeparate bugs. May be fixed by the same patch19:08
morganfainbergHaven't looked at the code for either19:08
* morganfainberg just woke up19:09
lbragstadthe code seems to be close19:09
morganfainbergBut short version is: maintain expiry properly is more important than microseconds19:09
morganfainbergPoke dolphin and see if they can be merged into a patch / set a co-authored19:10
morganfainbergLol dolphm not dolphin19:10
morganfainberg:)19:11
openstackgerritHenrique Truta proposed openstack/keystone: Remove domain table references  https://review.openstack.org/16593619:12
openstackgerritHenrique Truta proposed openstack/keystone: Bye Bye Domain Table  https://review.openstack.org/16185419:12
openstackgerritHenrique Truta proposed openstack/keystone: Add is_domain in token response  https://review.openstack.org/19733119:12
*** yottatsa has quit IRC19:12
openstackgerritHenrique Truta proposed openstack/keystone: Change policy to comply with is_domain in token  https://review.openstack.org/20606319:13
*** yottatsa has joined #openstack-keystone19:14
*** Guest35446 has quit IRC19:15
*** iamjarvo has joined #openstack-keystone19:17
*** TheIntern has quit IRC19:17
*** tsymancz1k has joined #openstack-keystone19:17
*** r-daneel has joined #openstack-keystone19:20
*** narengan has joined #openstack-keystone19:23
stevemarnarengan: hi19:23
stevemardolphm: bknudson dstanek gyee morganfainberg marekd lhcheng hey everyone, i'm working with narengan - bringing her up to speed, any suggestions for small work items? :)19:24
*** sigmavirus24 is now known as sigmavirus24_awa19:24
morganfainbergUhmmmmmmm19:24
*** sigmavirus24_awa is now known as sigmavirus2419:24
dstanekstevemar: nothing specific - i think we still have bugs marked as low hanging fruit19:25
morganfainbergMaybe... Ask me again on Monday ;)19:25
stevemardstanek: i think most are committed, let me take another look19:25
*** yottatsa has quit IRC19:27
gyeestevemar, I usually have a new guy start with documentation update and adding new test cases19:28
gyeeadding mo func tests for dstanek?19:31
openstackgerritJoshua Harlow proposed openstack/oslo.policy: Ensure checking/setting the 'reducers' attribute is atomic  https://review.openstack.org/20964419:31
*** mylu has quit IRC19:33
dstanekwhy do we load domain configs lazily?19:33
*** roxanaghe has joined #openstack-keystone19:33
gyeewhy not? :)19:33
dstanekwhy wait until runtime to notice a configuration problem? you would think service start time is the best place for it19:34
gyeedstanek, we have per-domain config store in SQL feature19:34
gyeeso essentially, the configs are dynamic19:35
gyeefor LDAP backend anyway19:35
dstanekbut those are loaded once and not re-read so not really dynamic19:35
dstanekwe should load them once early19:36
gyeeno, they are reloaded from cache19:36
dstanekwhat reloads them?19:36
gyeethe managers I think19:36
dstaneknot that i can see. once it's configured it's configured19:37
*** e0ne has quit IRC19:38
dstanekoh, wait. i may have found it19:38
gyeehttps://github.com/openstack/keystone/blob/master/keystone/identity/core.py#L27019:38
dstaneki may have to get out my red pen and start refactoring19:39
gyeedo it amigo!19:41
dstaneksoon, my friend, soon19:41
gyeeearn you mo karma and mojo19:41
dstaneki got caught up rewriting some ldap tests because things were breaking in weird ways while i was testing some flask changes19:41
*** TheIntern has joined #openstack-keystone19:42
dstanektoo many rabbit holes19:42
gyeefeeling like Alex in Wonderland huh? :)19:42
dstaneki'm still falling and haven't hit the ground yet19:43
dstaneki'm hoping that once i do it'll be over quickly19:43
gyeedstanek, on a serious note, we may need to start reimplementing our LDAP layer19:43
gyeeI am hoping to get some time on it soon19:43
dstanekmorganfainberg wants to move to the new ldap lib too19:44
*** ayoung has joined #openstack-keystone19:51
*** ChanServ sets mode: +v ayoung19:51
*** diazjf has joined #openstack-keystone19:51
stevemarlbragstad: ping19:51
*** thedodd has joined #openstack-keystone19:52
*** diazjf1 has joined #openstack-keystone19:54
*** diazjf has quit IRC19:55
*** rm_work is now known as rm_work|away19:59
dstanekgyee: i can't figure out how to get the dumb configs pre-loaded for the tests20:00
*** iamjarvo_ has joined #openstack-keystone20:00
gyeedstanek, you can turn off per-domain backend in sql feature if you only care about the static configurations20:01
gyeeunless you intend to test that part as well20:01
*** diazjf has joined #openstack-keystone20:02
dstanekgyee: i'm just trying to make sure that they are loaded by the end of the setUp - i'm working with the existing test_backend_ldap tests20:02
*** narengan_ has joined #openstack-keystone20:03
dstaneki noticed that small changes in the setup ordering mess up the backends so i had the wrong ones running20:03
*** iamjarvo has quit IRC20:03
dstanekunfortunately the tests all still passed :-( so now i am adding a check to make sure the correct backends are loaded20:03
*** diazjf1 has quit IRC20:04
openstackgerritJoshua Harlow proposed openstack/oslo.policy: Have the enforcer have its own file cache  https://review.openstack.org/20965620:04
*** rm_work|away is now known as rm_work20:04
openstackgerritJoshua Harlow proposed openstack/oslo.policy: Have the enforcer have its own file cache  https://review.openstack.org/20965620:05
*** narengan has quit IRC20:06
*** diazjf1 has joined #openstack-keystone20:06
*** diazjf has quit IRC20:07
gyeedstanek, yeah, you should be able to do something like self.domain_configs.setup_domain_drivers()20:07
gyeein the manager20:07
*** jasondot_ has joined #openstack-keystone20:07
dstanekgyee: yeah, i'm doing something like that, but having trouble20:08
*** jasondotstar has quit IRC20:08
dstanekgyee: preview - https://www.dropbox.com/s/o6p50w2korrn38f/Screenshot%202015-08-05%2016.08.50.png?dl=020:09
*** diazjf has joined #openstack-keystone20:09
gyeeCONF.identity.domain_configurations_from_database is set to False right?20:10
*** diazjf1 has quit IRC20:10
marekdstevemar: how about functional tests?20:10
amakarovgyee, hello!20:11
gyeeamakarov, hi!20:11
amakarovI've implemented materialized path - can you give it a push? )20:11
dstanekgyee: nope, at least for the test case i'm working on right now it pulls it from the db20:11
gyeemarekd, I also have the new guy to learn the art of coffee making first as well20:11
amakarovgyee, https://review.openstack.org/#/c/198418/20:11
* gyee add it to his todo list20:12
*** urulama has quit IRC20:12
*** boris-42 has joined #openstack-keystone20:12
*** urulama has joined #openstack-keystone20:12
gyeedstanek, that's strange, if that config is off, it should load from file20:13
dstanekgyee: every time i do that it seems like just another thing i won't have time for :-(20:13
*** diazjf1 has joined #openstack-keystone20:13
*** diazjf has quit IRC20:13
gyeehttps://github.com/openstack/keystone/blob/master/keystone/identity/core.py#L23720:13
gyeeyou sure you have the path setup correctly?20:14
*** bapalm has joined #openstack-keystone20:16
samueldmqhello!                                                                                                                     │ briancurtin20:16
*** diazjf has joined #openstack-keystone20:16
gyeebetter yet, just turn off domain-specific driver altogether CONF.identity.domain_specific_drivers_enabled=False20:16
samueldmqoops20:16
dstanekgyee: then they won't be tested :-)20:17
gyeedstanek, so you are trying to test domain-specific backends, but not the domain config in sql part correct?20:17
*** diazjf1 has quit IRC20:17
*** diazjf1 has joined #openstack-keystone20:18
*** diazjf has quit IRC20:21
dstanekgyee: i think it thinks the domain config is in sql - i have no idea if it's supposed to20:23
*** diazjf has joined #openstack-keystone20:24
*** diazjf1 has quit IRC20:26
gyeeI wonder if the config got overwritten somehow20:26
dstanekyeah, this is all sorts of messed up20:28
dstanekadditionally we load the fixture data 2-3 times per test20:28
gyeewtf?20:28
gyee2-3 times, no wonder the shit is slow :)20:28
*** diazjf has quit IRC20:29
*** diazjf has joined #openstack-keystone20:29
dstanekoh... i found my problem20:30
dstanektoo much subclassing20:32
*** diazjf1 has joined #openstack-keystone20:32
gyeethey are written by former Java coders :)20:33
gyeewere20:33
*** diazjf has quit IRC20:33
openstackgerritAlexander Makarov proposed openstack/keystone: Materialized path mixin for hierarchical models  https://review.openstack.org/19841820:34
*** diazjf has joined #openstack-keystone20:35
*** sigmavirus24 is now known as sigmavirus24_awa20:36
*** diazjf1 has quit IRC20:36
*** sigmavirus24_awa is now known as sigmavirus2420:36
*** marzif__ has joined #openstack-keystone20:38
openstackgerritDoug Fish proposed openstack/python-keystoneclient: Add Keystone2Keystone auth plugin for K2K  https://review.openstack.org/20758520:40
*** diazjf1 has joined #openstack-keystone20:42
*** diazjf has quit IRC20:42
*** stevemar has quit IRC20:46
*** diazjf has joined #openstack-keystone20:47
*** diazjf1 has quit IRC20:49
*** roxanaghe has quit IRC20:51
openstackgerritDan Nguyen proposed openstack/keystone: Allow Domain Admin to get domain details  https://review.openstack.org/20808220:53
*** diazjf1 has joined #openstack-keystone20:56
openstackgerritDoug Fish proposed openstack/python-keystoneclient: Add Keystone2Keystone auth plugin for K2K  https://review.openstack.org/20758520:56
*** iamjarvo has joined #openstack-keystone20:56
*** narengan_ has quit IRC20:57
*** narengan has joined #openstack-keystone20:58
*** thedodd has quit IRC20:58
*** diazjf2 has joined #openstack-keystone20:58
*** diazjf has quit IRC20:58
*** iamjarvo_ has quit IRC20:59
*** gordc has quit IRC20:59
*** diazjf1 has quit IRC21:00
*** tsymancz1k has quit IRC21:00
*** iamjarvo has quit IRC21:00
*** iamjarvo has joined #openstack-keystone21:01
openstackgerritDoug Fish proposed openstack/keystoneauth: Update k2k plugin with related code comments  https://review.openstack.org/20967121:01
*** iamjarvo has quit IRC21:02
*** narengan has quit IRC21:02
*** diazjf has joined #openstack-keystone21:03
*** diazjf has left #openstack-keystone21:03
-openstackstatus- NOTICE: Zuul has been restarted to resolve a reconfiguration failure: previously running jobs have been reenqueued but change events between 19:50-20:54 UTC have been lost and will need to be rechecked or their approvals reapplied to trigger testing.21:05
*** diazjf2 has quit IRC21:05
samueldmqdstanek: how far are we on getting CacheControl on ksclient?21:06
*** bapalm has quit IRC21:06
dstaneksamueldmq: i think i have a basic version working... i can publish what i have a little later after i get this ldap stuff out of the way21:07
*** chris_19 has left #openstack-keystone21:07
samueldmqdstanek: oh nice, let me know once you posted the code21:08
samueldmqdstanek: I am planning to have all the necessary code submitted until next Tuesday21:09
samueldmqdstanek: so we can have another demo21:09
samueldmqthanks21:09
-openstackstatus- NOTICE: Correction: change events between 20:50-20:54 UTC (during the restart only) have been lost and will need to be rechecked or their approvals reapplied to trigger testing.21:10
*** petertr7 is now known as petertr7_away21:10
*** tsymanczyk has joined #openstack-keystone21:11
*** narengan has joined #openstack-keystone21:11
*** urulama has quit IRC21:11
*** tsymanczyk is now known as Guest8824021:11
*** urulama has joined #openstack-keystone21:12
*** narengan has quit IRC21:13
*** narengan has joined #openstack-keystone21:14
*** narengan_ has joined #openstack-keystone21:14
*** topol has joined #openstack-keystone21:16
*** ChanServ sets mode: +v topol21:16
*** chlong has quit IRC21:16
*** narengan_ has quit IRC21:18
*** narengan has quit IRC21:18
*** narengan has joined #openstack-keystone21:18
*** narengan_ has joined #openstack-keystone21:20
*** topol has quit IRC21:20
*** narengan has quit IRC21:22
*** chlong has joined #openstack-keystone21:30
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet provider validate_v3_token()  https://review.openstack.org/19687721:32
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet provider issue_v2_token()  https://review.openstack.org/19764721:32
*** marzif__ has quit IRC21:39
*** TheIntern has quit IRC21:43
*** tsymancz1k has joined #openstack-keystone21:45
*** Guest88240 has quit IRC21:45
*** geoffarnold has quit IRC21:48
*** geoffarnold has joined #openstack-keystone21:50
openstackgerritDolph Mathews proposed openstack/keystone: Validate domain ownership for v2 tokens  https://review.openstack.org/20806921:55
openstackgerritDolph Mathews proposed openstack/keystone: Fix the claimed expires_at & created_at timestamps for Fernet  https://review.openstack.org/20802121:55
*** narengan_ has quit IRC21:58
*** narengan has joined #openstack-keystone21:58
*** roxanaghe has joined #openstack-keystone21:59
*** hrou has quit IRC21:59
*** edmondsw has quit IRC22:00
*** tsymancz1k is now known as tsymanczyk22:01
*** narengan has quit IRC22:03
roxanagheanyone here knows if Fernet token expiration date should contain or not milliseconds? (I am trying to fix: https://bugs.launchpad.net/keystone/+bug/1459790)22:04
openstackLaunchpad bug 1459790 in Keystone "With fernet tokens, validate token loses the ms on 'expires' value " [Low,In progress] - Assigned to Dolph Mathews (dolph)22:04
roxanaghedolphm, maybe? ^^22:04
*** phalmos has quit IRC22:11
*** piyanai has quit IRC22:16
*** sigmavirus24 is now known as sigmavirus24_awa22:27
*** bknudson has quit IRC22:33
morganfainbergroxanaghe: assume we should contain microseconds if it was issued as a v3 token22:42
morganfainbergIt doesn't break any compatibility if v2 has microseconds (we have cases where it is possible)22:42
morganfainbergideally we should just make everything have microseconds22:42
*** hrou has joined #openstack-keystone22:45
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: WIP: Centralized Policies Distribution Mechanism  https://review.openstack.org/20969522:48
samueldmqmorganfainberg: dstanek ^ implementation was quite simple, I am already calculating the timeouts, etc .. just need to put them in the appropriate HTTP headers in the response22:49
morganfainbergCool22:49
samueldmqayoung: I see good and motivating responses to that thread in the operators list22:49
samueldmqmorganfainberg: fyi I am planning to have the complete set of patches for the distribution submitted until next meeting22:50
samueldmqmorganfainberg: so they'll all be reviewable :)22:50
roxanaghemorganfainberg: thanks, that sounds good, there are some inconsistencies because uuid v2 token doesn't have ms, uuid v3 has ms, and Fernet has ms for both v2 and v3, so wanted to see if we have a direction22:54
ayoungsamueldmq, yep.22:54
*** mordred has joined #openstack-keystone22:54
morganfainbergroxanaghe: move towards microseconds when in doubt22:54
morganfainbergVs removing them22:55
roxanaghemorganfainberg: understood, thanks22:55
morganfainbergNp22:55
*** iamjarvo has joined #openstack-keystone23:12
*** iamjarvo has quit IRC23:13
*** iamjarvo has joined #openstack-keystone23:14
*** geoffarnold has quit IRC23:15
*** RA_ has joined #openstack-keystone23:17
*** woodster_ has quit IRC23:20
*** jasonsb has quit IRC23:25
*** Guest58084 has quit IRC23:28
RA_Heya I'm having issues with token renewal, services like nova, cinder are giving unauthorized in horizon after their tokens expire and they don't seem to get a new one until they get restarted. Does anyone have any pointers?23:31
*** jecarey has quit IRC23:34
*** Guest58084 has joined #openstack-keystone23:38
morganfainbergdolphm (re breton's link^): lets just go to microseconds everywhere. we already have cases where you can have / not have microseconds in both v2 and v3.23:42
morganfainbergdefcore already specifies both are acceptable23:43
*** zzzeek has quit IRC23:48
dstaneksamueldmq: why do you need to do client side freshness at all?23:54
*** iamjarvo has quit IRC23:55
*** topol has joined #openstack-keystone23:55
*** ChanServ sets mode: +v topol23:55
openstackgerritMerged openstack/keystone: Disable migration sanity check  https://review.openstack.org/19632923:56
*** topol has quit IRC23:57
*** topol has joined #openstack-keystone23:58
*** ChanServ sets mode: +v topol23:58
jamielennoxi would suggest microseconds are fine - but more to the point if you format this properly as iso8601 then microseconds or not should just be parsed correctly23:58
*** henrynash has joined #openstack-keystone23:59
*** ChanServ sets mode: +v henrynash23:59
