Tuesday, 2015-09-01

« Monday, 2015-08-31 Index Wednesday, 2015-09-02 »
*** dims has quit IRC00:03
jamielennoxmorgan: i'm looking through keystoneauth for any last minute changes00:04
jamielennoxi'm not sure we should include mordred's https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/loading/base.py#L88 in a 1.0 vs having it in OCC for now00:05
jamielennoxeg https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/loading/base.py#L109 'auth_type' is an OSC thing00:06
*** jasonsb has joined #openstack-keystone00:09
*** ankita_wagh has joined #openstack-keystone00:11
*** shadower has quit IRC00:23
*** gyee has quit IRC00:23
*** shadower has joined #openstack-keystone00:23
*** wwwjfy has joined #openstack-keystone00:25
*** vivekd has joined #openstack-keystone00:28
*** hrou has joined #openstack-keystone00:31
morganjamielennox: nod00:42
jamielennoxmorgan: just looking at a patch that does the required value checking and i can discuss with mordred later how to do that00:42
morganok00:43
jamielennoxbut i don't think at the moment that OCC should be in the business of validating those requirements00:43
*** geoffarnold has quit IRC00:46
*** geoffarnold has joined #openstack-keystone00:49
openstackgerritJamie Lennox proposed openstack/keystoneauth: Better isolate loading tests  https://review.openstack.org/21908100:59
openstackgerritJamie Lennox proposed openstack/keystoneauth: Change option requirement testing  https://review.openstack.org/21908200:59
jamielennoxmorgan, mordred: ^00:59
* morgan looks00:59
*** sigmavirus24_awa is now known as sigmavirus2401:00
*** chlong has joined #openstack-keystone01:02
*** vivekd_ has joined #openstack-keystone01:03
*** vivekd has quit IRC01:04
*** vivekd_ is now known as vivekd01:04
*** dave-mccowan has quit IRC01:04
*** samleon has quit IRC01:06
openstackgerritJamie Lennox proposed openstack/keystoneauth: get_available_loaders should return loader object  https://review.openstack.org/21908601:12
*** btully has joined #openstack-keystone01:19
*** dims has joined #openstack-keystone01:20
openstackgerritJamie Lennox proposed openstack/keystoneauth: Remove deprecated options from identity base plugin  https://review.openstack.org/21908701:22
*** mylu has joined #openstack-keystone01:24
*** roxanaghe has quit IRC01:25
*** wwwjfy has quit IRC01:31
openstackgerritJamie Lennox proposed openstack/keystoneauth: Provide has_scope_parameters function on plugins  https://review.openstack.org/21908901:31
*** topol has joined #openstack-keystone01:41
*** ChanServ sets mode: +v topol01:41
*** vivekd has quit IRC01:42
*** vivekd has joined #openstack-keystone01:44
*** geoffarnold is now known as geoffarnoldX01:46
*** fangzhou_ has joined #openstack-keystone01:47
*** fangzhou has quit IRC01:48
*** fangzhou_ is now known as fangzhou01:48
*** ankita_wagh has quit IRC01:50
*** stevemar has joined #openstack-keystone01:50
*** ChanServ sets mode: +v stevemar01:50
*** stevemar has quit IRC01:55
*** spandhe has quit IRC01:58
*** mylu has quit IRC01:59
openstackgerritDave Chen proposed openstack/keystone: Refactor: Don't hard code the error code  https://review.openstack.org/19862302:00
*** davechen has joined #openstack-keystone02:01
*** zzzeek has quit IRC02:04
openstackgerritJamie Lennox proposed openstack/keystoneauth: Raise error if loader is provided name without id  https://review.openstack.org/21909402:08
*** woodster_ has quit IRC02:19
*** geoffarnoldX is now known as geoffarnold02:20
*** bknudson has quit IRC02:24
*** wwwjfy has joined #openstack-keystone02:34
*** ankita_wagh has joined #openstack-keystone02:46
*** hakimo has joined #openstack-keystone02:52
*** hakimo_ has quit IRC02:54
*** csoukup has joined #openstack-keystone03:04
*** csoukup has quit IRC03:04
*** csoukup has joined #openstack-keystone03:05
*** lhcheng has quit IRC03:05
*** annasort has quit IRC03:09
*** diazjf has joined #openstack-keystone03:12
*** chlong has quit IRC03:12
*** Nirupama has joined #openstack-keystone03:14
*** davechen1 has joined #openstack-keystone03:20
*** davechen has quit IRC03:23
openstackgerritJamie Lennox proposed openstack/keystoneauth: Auth-url is required for identity plugins  https://review.openstack.org/21911103:24
openstackgerritMerged openstack/keystone: Unit tests for is_domain field in project's table  https://review.openstack.org/21204503:24
*** darrenc is now known as darrenc_afk03:28
*** annasort has joined #openstack-keystone03:31
*** lhcheng has joined #openstack-keystone03:31
*** ChanServ sets mode: +v lhcheng03:31
*** davechen has joined #openstack-keystone03:33
*** fangzhou has quit IRC03:34
*** davechen1 has quit IRC03:36
*** chlong has joined #openstack-keystone03:38
*** vivekd has quit IRC03:44
*** links has joined #openstack-keystone03:46
*** sigmavirus24 has quit IRC03:48
*** sigmavirus24 has joined #openstack-keystone03:50
*** lhcheng_ has joined #openstack-keystone03:51
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Disable memory caching of tokens  https://review.openstack.org/21234503:53
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Seperate standalone cache tests  https://review.openstack.org/21234403:53
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Handle memcache pool arguments collectively  https://review.openstack.org/21234103:53
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Import _memcache_pool normally  https://review.openstack.org/21234303:53
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Create Environment cache pool  https://review.openstack.org/21234203:53
openstackgerritHenrique Truta proposed openstack/keystone: Manager support for projects acting as domains  https://review.openstack.org/21344803:53
openstackgerritHenrique Truta proposed openstack/keystone: Add is_domain parameter to get_project_by_name  https://review.openstack.org/21060003:53
openstackgerritHenrique Truta proposed openstack/keystone: Change project name constraints  https://review.openstack.org/15837203:53
openstackgerritHenrique Truta proposed openstack/keystone: Replicate domain info in projects table  https://review.openstack.org/21117003:53
openstackgerritHenrique Truta proposed openstack/keystone: Tests for projects acting as domains  https://review.openstack.org/21121903:53
*** lhcheng has quit IRC03:54
*** stevemar has joined #openstack-keystone03:56
*** ChanServ sets mode: +v stevemar03:56
openstackgerritJamie Lennox proposed openstack/keystoneauth: Auth-url is required for identity plugins  https://review.openstack.org/21911103:57
openstackgerritJamie Lennox proposed openstack/keystoneauth: Raise error if loader is provided name without id  https://review.openstack.org/21909403:59
*** sigmavirus24 is now known as sigmavirus24_awa03:59
*** markvoelker has joined #openstack-keystone04:00
*** markvoelker_ has joined #openstack-keystone04:02
*** chlong_ has joined #openstack-keystone04:04
*** chlong has quit IRC04:04
*** markvoelker has quit IRC04:04
*** btully has quit IRC04:05
*** geoffarnold is now known as geoffarnoldX04:07
*** Ephur has quit IRC04:07
*** geoffarnoldX is now known as geoffarnold04:23
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/21450904:24
*** ayoung has quit IRC04:29
*** dims has quit IRC04:30
*** csoukup has quit IRC04:41
*** shaleh_ has quit IRC04:44
*** darrenc_afk is now known as darrenc04:54
*** topol has quit IRC05:00
*** vivekd has joined #openstack-keystone05:05
*** geoffarnold has quit IRC05:11
*** geoffarnold has joined #openstack-keystone05:11
*** wwwjfy has quit IRC05:17
*** spandhe_ has joined #openstack-keystone05:19
*** stevemar has quit IRC05:20
*** henrynash has joined #openstack-keystone05:22
*** ChanServ sets mode: +v henrynash05:22
openstackgerritMerged openstack/keystone: Group tox optional dependencies  https://review.openstack.org/21869305:29
*** stevemar has joined #openstack-keystone05:33
*** ChanServ sets mode: +v stevemar05:33
*** wwwjfy has joined #openstack-keystone05:36
*** stevemar has quit IRC05:38
*** geoffarnold is now known as geoffarnoldX05:51
*** markvoelker_ has quit IRC05:53
*** dims has joined #openstack-keystone05:59
*** ankita_wagh has quit IRC06:02
*** spandhe_ has quit IRC06:02
*** dims has quit IRC06:04
*** spandhe has joined #openstack-keystone06:05
*** roxanaghe has joined #openstack-keystone06:06
*** ankita_wagh has joined #openstack-keystone06:08
*** roxanaghe has quit IRC06:10
*** roxanaghe has joined #openstack-keystone06:11
*** lhcheng has joined #openstack-keystone06:14
*** ChanServ sets mode: +v lhcheng06:14
*** btully has joined #openstack-keystone06:17
*** shoutm has quit IRC06:17
*** lhcheng_ has quit IRC06:17
*** dikonoor has joined #openstack-keystone06:21
*** ParsectiX has joined #openstack-keystone06:22
*** dikonoo has joined #openstack-keystone06:22
*** roxanaghe has quit IRC06:23
*** lhcheng has quit IRC06:33
*** lhcheng has joined #openstack-keystone06:34
*** ChanServ sets mode: +v lhcheng06:34
openstackgerrithenry-nash proposed openstack/keystone: Add support for data-driven backend assignment testing  https://review.openstack.org/14917806:34
openstackgerrithenry-nash proposed openstack/keystone: Add support for effective & inherited mode in data driven tests  https://review.openstack.org/15162306:35
*** topol has joined #openstack-keystone06:35
*** ChanServ sets mode: +v topol06:35
*** afazekas__ has joined #openstack-keystone06:36
*** lhcheng has quit IRC06:38
*** ankita_wagh has quit IRC06:39
*** topol has quit IRC06:40
*** kiran-r has joined #openstack-keystone06:43
openstackgerrithenry-nash proposed openstack/keystone: Add support for group membership to data driven assignment tests  https://review.openstack.org/15196206:43
openstackgerrithenry-nash proposed openstack/keystone: Broaden domain-group testing of list_role_assignments  https://review.openstack.org/15430206:44
openstackgerrithenry-nash proposed openstack/keystone: Test list_role_assignment in standard inheritance tests  https://review.openstack.org/15389706:44
*** fangzhou has joined #openstack-keystone06:45
*** dikonoo has quit IRC06:48
*** spandhe has quit IRC06:50
*** josecastroleon has quit IRC06:50
*** kiran-r has quit IRC06:53
*** hrou has quit IRC06:54
*** fhubik has joined #openstack-keystone07:08
openstackgerritDave Chen proposed openstack/keystonemiddleware: Fix the outdated options  https://review.openstack.org/21916207:09
openstackgerritDave Chen proposed openstack/keystonemiddleware: Fix the outdated options  https://review.openstack.org/21916207:10
*** diazjf has quit IRC07:11
*** sirushti has quit IRC07:15
*** pnavarro has joined #openstack-keystone07:18
*** kodoku has joined #openstack-keystone07:23
*** shoutm has joined #openstack-keystone07:24
*** chlong_ has quit IRC07:24
*** henrynash has quit IRC07:25
kodokuHi, someone can help me ? I don't understand why keystone DELETE my token and causes neutron error ====> http://paste.openstack.org/show/437002/07:25
kodokumaybe because neutron use keystone v3 ?07:27
*** kiran-r has joined #openstack-keystone07:38
*** henrynash has joined #openstack-keystone07:43
*** ChanServ sets mode: +v henrynash07:43
*** vivekd has quit IRC07:46
*** henrynash has quit IRC07:50
*** katkapilatova has joined #openstack-keystone07:52
*** kodoku has quit IRC07:58
*** jistr has joined #openstack-keystone08:08
*** fhubik has quit IRC08:13
*** fhubik has joined #openstack-keystone08:13
*** e0ne has joined #openstack-keystone08:13
openstackgerritChristian Berendt proposed openstack/keystone: Log the user id when using an invalid username or password  https://review.openstack.org/12886008:14
*** lhcheng has joined #openstack-keystone08:22
*** ChanServ sets mode: +v lhcheng08:22
openstackgerritDave Chen proposed openstack/keystonemiddleware: Fix the outdated options  https://review.openstack.org/21916208:25
openstackgerritDave Chen proposed openstack/keystonemiddleware: Fix the outdated options  https://review.openstack.org/21916208:26
*** lhcheng has quit IRC08:27
*** lars1 has quit IRC08:31
*** sirushti has joined #openstack-keystone08:32
*** e0ne has quit IRC08:36
*** dims has joined #openstack-keystone08:42
*** e0ne has joined #openstack-keystone08:48
*** dims has quit IRC08:48
*** aix has quit IRC08:50
*** kiran-r has quit IRC08:57
*** lars1 has joined #openstack-keystone08:59
*** boris-42 has quit IRC09:00
*** jaosorior has joined #openstack-keystone09:00
*** marzif has joined #openstack-keystone09:01
*** kiran-r has joined #openstack-keystone09:04
*** marzif has quit IRC09:04
*** marzif has joined #openstack-keystone09:05
*** sirushti has quit IRC09:08
*** sirushti has joined #openstack-keystone09:11
*** aix has joined #openstack-keystone09:19
*** fhubik has quit IRC09:19
*** fhubik has joined #openstack-keystone09:28
*** katkapilatova has left #openstack-keystone09:32
*** dims has joined #openstack-keystone09:36
*** dims has quit IRC09:41
*** davechen has left #openstack-keystone09:54
*** aix has quit IRC10:05
*** aix has joined #openstack-keystone10:05
*** dave-mccowan has joined #openstack-keystone10:06
*** lhcheng has joined #openstack-keystone10:11
*** ChanServ sets mode: +v lhcheng10:11
*** lhcheng has quit IRC10:16
*** marzif has quit IRC10:24
*** btully has quit IRC10:29
*** fhubik is now known as fhubik_brb10:30
*** dims has joined #openstack-keystone10:30
*** lhcheng has joined #openstack-keystone10:35
*** ChanServ sets mode: +v lhcheng10:35
*** dims has quit IRC10:36
*** fhubik_brb has quit IRC10:40
*** lhcheng has quit IRC10:40
*** h00327910__ has quit IRC10:43
*** topol has joined #openstack-keystone10:44
*** ChanServ sets mode: +v topol10:44
*** marzif has joined #openstack-keystone10:44
*** pnavarro is now known as pnavarro|lunch10:50
*** ParsectiX has quit IRC10:53
*** wwwjfy has quit IRC11:00
*** marzif has quit IRC11:02
*** btully has joined #openstack-keystone11:07
*** btully has quit IRC11:12
*** claudiub has joined #openstack-keystone11:14
*** ParsectiX has joined #openstack-keystone11:17
*** shoutm has quit IRC11:19
*** dims has joined #openstack-keystone11:25
*** dims has quit IRC11:29
*** fhubik has joined #openstack-keystone11:33
openstackgerritAlexander Makarov proposed openstack/keystone: Materialized path mixin for hierarchical models  https://review.openstack.org/19841811:34
*** exploreshaifali has joined #openstack-keystone11:35
*** gordc has joined #openstack-keystone11:36
*** ParsectiX has quit IRC11:41
*** hrou has joined #openstack-keystone11:44
*** e0ne has quit IRC11:46
*** diegows has joined #openstack-keystone11:59
*** eandersson has joined #openstack-keystone11:59
*** Nirupama has quit IRC11:59
*** wwwjfy has joined #openstack-keystone12:02
*** ParsectiX has joined #openstack-keystone12:03
*** petertr7_away is now known as petertr712:06
*** chlong_ has joined #openstack-keystone12:09
*** nicodemos has joined #openstack-keystone12:15
*** e0ne has joined #openstack-keystone12:18
openstackgerritHenrique Truta proposed openstack/keystone: Honor domain operations in project table  https://review.openstack.org/14376312:26
openstackgerritHenrique Truta proposed openstack/keystone: List projects filtering by is_domain flag  https://review.openstack.org/15839812:27
openstackgerritHenrique Truta proposed openstack/keystone: Restricting domain_id update  https://review.openstack.org/20721812:27
openstackgerritHenrique Truta proposed openstack/keystone: Limit subtree and parents queries  https://review.openstack.org/20913212:27
*** Ephur has joined #openstack-keystone12:28
*** dims has joined #openstack-keystone12:33
*** pnavarro|lunch is now known as pnavarro12:33
*** Ephur has quit IRC12:34
*** woodster_ has joined #openstack-keystone12:36
*** fhubik has quit IRC12:39
*** raildo is now known as raildo-afk12:40
*** Ephur has joined #openstack-keystone12:41
*** thiagop has joined #openstack-keystone12:50
*** sigmavirus24_awa is now known as sigmavirus2412:51
*** diegows has quit IRC12:52
*** ninag has joined #openstack-keystone12:53
*** zzzeek has joined #openstack-keystone12:57
*** fhubik has joined #openstack-keystone12:58
*** richm has joined #openstack-keystone13:05
*** gordc has quit IRC13:09
*** topol has quit IRC13:19
*** sigmavirus24 is now known as sigmavirus24_awa13:24
*** geoffarnoldX is now known as geoffarnold13:29
*** petertr7 is now known as petertr7_away13:31
openstackgerritLance Bragstad proposed openstack/keystone: Fix grammar in doc string  https://review.openstack.org/21927713:33
*** petertr7_away is now known as petertr713:37
*** fhubik is now known as fhubik_brb13:38
mordredjamielennox: looking13:38
*** rbak has joined #openstack-keystone13:39
*** ayoung has joined #openstack-keystone13:39
*** ChanServ sets mode: +v ayoung13:39
*** sigmavirus24_awa is now known as sigmavirus2413:39
*** kiran-r has quit IRC13:40
*** kiran-r has joined #openstack-keystone13:41
mordredjamielennox, morgan: (or anyone else) - any chance people konw off the top of their head if all the clients support "interface" instead of "endpoint_type" yet?13:41
*** kiran-r has quit IRC13:41
*** fhubik_brb is now known as fhubik13:42
*** jsavak has joined #openstack-keystone13:45
*** raildo has joined #openstack-keystone13:46
*** edmondsw has joined #openstack-keystone13:47
*** gordc has joined #openstack-keystone13:52
*** petertr7 is now known as petertr7_away13:59
*** mpmsimo has joined #openstack-keystone14:00
*** Kennan has joined #openstack-keystone14:03
*** Kennan2 has quit IRC14:03
*** pnavarro is now known as pnavarro|afk14:05
*** phalmos has joined #openstack-keystone14:07
*** dave-mccowan has quit IRC14:13
*** exploreshaifali has quit IRC14:13
*** ParsectiX has quit IRC14:13
*** geoffarnold has quit IRC14:14
*** wwwjfy has quit IRC14:16
*** links has quit IRC14:23
*** alejandrito has joined #openstack-keystone14:26
*** dave-mccowan has joined #openstack-keystone14:28
*** petertr7_away is now known as petertr714:29
*** wwwjfy has joined #openstack-keystone14:32
*** hrou has quit IRC14:34
*** diazjf has joined #openstack-keystone14:35
*** afazekas__ has quit IRC14:41
*** boris-42 has joined #openstack-keystone14:42
*** ninag has quit IRC14:43
*** ninag has joined #openstack-keystone14:43
*** topol has joined #openstack-keystone14:45
*** ChanServ sets mode: +v topol14:45
*** ninag has quit IRC14:48
*** shoutm has joined #openstack-keystone14:49
*** phalmos has quit IRC14:49
*** dave-mccowan has quit IRC14:51
*** csoukup has joined #openstack-keystone14:52
*** geoffarnold has joined #openstack-keystone14:53
*** phalmos has joined #openstack-keystone14:55
*** tonytan4ever has joined #openstack-keystone14:56
*** afaranha has joined #openstack-keystone14:56
*** afaranha has left #openstack-keystone14:56
*** diazjf has quit IRC14:57
*** links has joined #openstack-keystone14:57
*** dave-mccowan has joined #openstack-keystone14:58
*** jistr is now known as jistr|call14:58
*** bknudson has joined #openstack-keystone14:59
*** ChanServ sets mode: +v bknudson14:59
*** daemontool_ has quit IRC15:01
*** fhubik is now known as fhubik_brb15:01
*** ninag has joined #openstack-keystone15:03
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation model  https://review.openstack.org/20848815:08
*** shoutm has quit IRC15:10
*** sdake has joined #openstack-keystone15:11
sdakehey quick question folks15:11
ayoungfire way15:11
sdakewe have 3 keystone services running in active/active/active15:11
*** shardy has joined #openstack-keystone15:12
sdakewe get a token from the first kyestone serice, and then try to use it on the 2nd keystone service15:12
sdakewe get a rbac error about the key not being found15:12
*** vivekd has joined #openstack-keystone15:12
*** diazjf has joined #openstack-keystone15:12
sdakebecaue the first node didn't save it to the database prior to us reading it on the 2nd node15:12
sdakeis there some flush option?15:12
sdakethe obvious "flush" keyword doesn't turn anything up15:12
sdakedatabase setion doesn't have anything on synchronous writes15:12
sdakeany pointers ayoung?15:14
ayoungsdake, what kind of tokens?15:14
sdakewe tried turning caching off15:14
sdakesec15:14
*** SamYaple has joined #openstack-keystone15:14
SamYaple\o15:14
sdakesamyaple ayoung asked whicih type of tokens we are using to which i dont knwo the answer15:15
SamYapleuuid15:15
*** petertr7 is now known as petertr7_away15:15
ayoungsdake, I'm going to assume PKI, actually, since you said Key15:15
ayoungthere are no keys in uuid...15:15
SamYapleayoung: its uuid15:15
SamYapledont worry about key15:16
sdakeapparently we are using uuids :)15:16
*** ninag has quit IRC15:16
ayoungwith UUID, you need a common database backend15:16
sdakeayoung this is for kolla15:16
SamYapleyea we are using mysql15:16
ayoungthe uuids are pointers to recorfs in the database.15:16
*** ninag has joined #openstack-keystone15:16
*** links has quit IRC15:16
ayoungGallera and replication is the usual solution there15:16
ayoungPKI tokens don't have that issue, but have others15:17
sdakewe have galera in master/slave/slave mode15:17
ayoungFernet tokens are coming up as a replacement, but are still considered experimental15:17
*** dims has quit IRC15:17
SamYaplei like fernet tokens. they work well for me15:17
ayoungalthough mfisch has them in production15:17
SamYaplebut this is uuid15:17
sdakeso the problem is ayougn we have uuid tokens and are using a commond b back15:17
sdakebackend15:17
sdakebut the toens are not being flushed on each token creation15:17
ayoungsounds like the sync iof the token table is not set up properly, then15:18
mfischwhat do you mean flushed?15:18
ayoungmfisch, I think he means synced15:18
mfischok15:18
ayoungmfisch, not the token flush, as that is cleanup15:18
mfischthat makes way more sense15:18
sdakemfisch i mean if i get a token from keystone 1, and use it in keystone 2, keystone 2 doesn't see it15:18
mfischthats a pure galera issue15:18
mfischyou need to have all reads and writes going to 1 box or enable wsrep_causal_reads15:19
mfischwhich kills perf15:19
SamYapleits syncing tokens, give me wone moment ill try to explain the problem as i see it15:19
SamYaplewe do have all to one box15:19
sdakewe have all reads and writes going to 1 box15:19
SamYaplethe cluster is active/active but haproxy only sends to one box15:19
mfischif you shutdown keystone2, do you have any issues?15:19
mfischservice keystone stop15:19
sdakewe are running in containers ;)15:20
sdakefor kolla, deploying openstack in containers using ansible15:20
mfischdocker whatever stop kill keystone15:20
mfischif you have 1 container does it work?15:20
sdakeyes that would work because the second keystone wouldn't be accessed15:20
sdakewe have forced access to one keystone service15:20
sdakethat does work15:20
SamYapleim not convinced this is a keystone issue but something auth wierd is going on, building a pastebin15:21
*** ninag has quit IRC15:21
mfischI'm sure this is a galera issue15:21
mfischyour 2nd keystone node is talking to a different box15:21
sdake2nd keystone definately talkign to the same box15:21
mfischtry to get a token on one and validate on another and sleep 3 seconds in between15:21
sdakeall traffic is forced to one active galera service continually15:23
*** jasonsb has quit IRC15:23
mfischyou've checked keystone.conf there?15:23
sdakeotherwise the databae locks up in neutron and nova15:23
sdakewe route to a vip15:23
sdakethe vip routes to haproy15:23
*** jasonsb has joined #openstack-keystone15:23
sdakehaproxy connects to thespecific galera service because it is speified as master15:23
sdakethe other two are backups15:23
SamYaplemfisch: ill satisfy your question by using a single mysql node15:23
sdaketherefore the other two never hit round robyn15:23
mfischyes please15:23
sdakesounds good samyaple15:24
SamYapleill kill hte other two and bring the cluster to 115:24
mfischotherwise you've found a pretty amazing keystone bug that nobody else has found15:24
SamYaplei dont think its that for the record15:24
SamYaplebut im a bit stumped as well15:24
SamYaplethis same stuff works for me just fine15:24
*** ninag has joined #openstack-keystone15:24
sdakeoh ya, so this works on some peoples hardware and not on mine ;)15:24
*** fhubik_brb is now known as fhubik15:24
sdakemfisch as soon as keystone creates the token, its synced it with the database15:25
sdake?15:25
ayoungsdake, you lie15:25
mfischuuid? yes15:25
*** ninag has quit IRC15:25
ayoungit is supposed to, but you have messed up a configuration somewhere which means it don't15:26
*** ninag has joined #openstack-keystone15:26
sdakei agree our config is dmanaged in some way - we are tyring to figure out which option we need to make er work ;)15:26
ayoungsdake, make sure all three Keystone servers are pointing at the same database to start with15:27
openstackgerritMerged openstack/keystone: Updated from global requirements  https://review.openstack.org/21450915:27
sdakethey should be15:27
ayoungeliminate the simple things15:27
sdakebut samyaple is verifyign that15:27
ayoungyes...the *should* be15:27
mfischconnection = mysql://keystone:pass@haproxy-vip:3307/keystone15:27
ayoungbut could HA proxy be playing games with you?15:27
mfischhatop will show you how many connections you have15:27
mfischyou should have 0 to the other nodes in galera15:28
* ayoung needs to learn ha proxy15:28
*** jasonsb has quit IRC15:28
SamYaplemfisch: it was 015:28
* ayoung decides actually that would be a bad idea15:28
SamYaplei checked via the socket15:28
sdakesamyaple any results in shutting down the other two galera services?15:28
SamYapleyea im rekicking everything, with a single mariadb node15:29
mfischhere is our haproxy gui: http://i.imgur.com/bvAWHHm.png15:29
SamYaplejust exec15:29
SamYapleshould take 5 min15:29
mfischonly talking to node 115:29
SamYaplemfisch: well this wont need to be part of the discussion in a few minutes15:29
SamYaplebut for the record, i did check those stats15:29
mfischwe've used haproxy-galera-keystone UUID since icehouse15:30
mfischnow on fernet though15:30
sdakeansible takes 5 minutes to deploy openstack15:30
sdakemfisch arey ou using the source routing option in haproxy?15:30
*** stevemar has joined #openstack-keystone15:30
*** ChanServ sets mode: +v stevemar15:30
mfischoh I should trade my help for fixing an ansible bug ;)15:30
sdakeif so, that locks traffic to one keystone service15:30
SamYaplemfisch: you name it imve got you covered15:30
SamYaplei also fix bugs for whiskey15:31
*** ninag has quit IRC15:31
SamYaplejust fyi15:31
mfischI've already harassed Robyn ;)15:31
sdakeSamYaple is a ansible rocket surgeon15:31
*** diazjf has quit IRC15:31
SamYapleill be honest I would prefer the whiskey15:32
sdakelol15:32
sdakemfish can you check your haproxy for the source routing option?15:32
mfischsure15:32
*** ninag has joined #openstack-keystone15:32
ayoungWhiskey prices in Tokyo going to exceed my expense account limits I'm sure15:32
mfischfor keystone or galera?15:32
sdakehttps://review.openstack.org/#/c/219261/15:32
sdakefor keystone15:32
*** diazjf has joined #openstack-keystone15:33
SamYaplemfisch: is that fernet in production you are using?15:33
marekdayoung: so  buy your own on a duty free :P15:33
sdakemy expense account at rht was my personal amex ;-)15:33
ayoungmarekd, planning on it15:33
SamYaplei saw ayoung writeup on that. looked good to me. i use that in my lab15:33
mfischhere's the config for galera15:33
mfischhttp://paste.openstack.org/show/438007/15:33
mfischSamYaple: yes fernet in prod15:33
ayoungsdake, I lopve REd Hat, but its pockets are shallow15:33
mfischgalera cluster UUID == pain in my ass15:34
sdake  balance  source15:34
mfischbut look at the server list15:34
sdakeso this will lock all traffic to one keystone service15:34
mfischbackup backup15:34
mfischthats for galera15:34
mfischkeystone is round-robin15:34
SamYaplethere guys. everyone should be happy. mariadb 1 host no multihost same issue15:34
marekdmfisch: is galera making a cluster without a single master? so you can write to every node and it will not be fully commited until all (or majority) of nodes commit ?15:34
sdakedo you have balance source?15:34
SamYaplehow shall we proceed15:34
mfischmarekd: they're all masters technically but we only use one as a hangover from UUID days15:35
ayoung"cluster" is only half the word....15:35
mfischAFAIK galera will return success on a write as soon as its in the transaction log and guaranteed not to conflict with anything pending15:35
marekdmfisch: i know i should probably ask such questions on #galera but since you seem to be an expert in the topic :-)15:35
sdakecharlie foxtrot is the appropriate terminology ayoung :)15:35
mfischlol15:35
mfischthats scary marekd15:35
marekdmfisch: so how does it know nothing is in conflict, some requests,tasks may be on the wire while local node is retuning commit15:36
marekd^^ that's scary :P15:36
mfischSpecial Finnish magic that has been passed down from DBA to DBA since ancient times15:36
SamYapleGTID15:37
mfischtbh I've never asked that question before15:37
mfischSamYaple: if you can repro with 1 host my assistance here is done ;)15:37
SamYaplemfisch: i cannot15:37
SamYaplesame issue15:37
SamYapletwas my point15:37
sdakeso we are down to one galera server, and problem persists15:37
mfischright, its broken with 1 host thats your point15:38
SamYaplecorrect15:38
mfischso its not a galera clustering/haproxy issue15:38
SamYapleah i follow15:38
morganayoung: ping15:38
mfischits out of my realm of where I can help ;)15:38
sdake1 galera 3 keystone15:38
morganayoung: need to point you at something15:38
SamYapleyea i didnt think it was but glad we could rule it out mfisch :)15:38
ayoungmorgan, that is only marginally better than a naked ping.15:38
morganayoung: there is a reason15:38
ayoungat least it wasn't a PM15:38
*** arunkant_ has joined #openstack-keystone15:40
sdakeso 1 galera server, 3 keystone servers, is there a way to ensure via a config option that the key has been flushed to the db?15:40
sdakethe upstream docs say to use that source routing stuff15:41
sdakebut that forces all traffic to one keystone server15:41
sdakerather then spreading the load15:41
mfischwsrep_causal_reads15:41
mfischthat forces every transcation to sync before reads15:41
mfischbut its slower15:42
*** HT_sergio has joined #openstack-keystone15:42
SamYapleawesome. so here is the deal curl command, some hosts it returns 200 others it 401's15:43
SamYaplepastebin incoming15:43
sdakesamyaple what are your thoughts on this wsrep_casual_reads idea15:43
mfischtbh I dont know anyone doing it15:43
sdakei think that is worse then source routing15:43
*** roxanaghe has joined #openstack-keystone15:44
mfischdoes your galera cliuster include neutron/nova etc or is it just keystone?15:44
SamYaplehost 1 fails, the other two succed15:44
SamYaplehttp://paste.fedoraproject.org/262042/12226814/15:44
SamYaplerepeatable15:44
sdakeits got the whole deployment in it15:44
mfischok15:44
mfischours is separate15:44
sdakesamyaple is it minime-one that fails?15:45
mfischyou can see similar "not found" issues with neutron too15:45
mfischif you dont do something like primary/backups15:45
SamYaplesdake: yea but it varies, its not consistent15:45
SamYapleim going to disable some servers in haproxy to see if it works with _any_ keystone server as long as its one o there are some busted ones15:46
*** diazjf has quit IRC15:46
sdakesamyaple your pastebin is why i wanted to try out 2 node baremetal in my environment15:47
mfischsimplify this15:47
mfischmodify keystone.conf by hand to point direct to a node not haproxy and try to repro15:47
openstackgerritMonty Taylor proposed openstack/keystoneauth: Mark tenant-name and tenant-id deprecated  https://review.openstack.org/21347515:48
sdakethat will force reads to one keystone service, we have already verified that works15:48
mfischThere are N keystones and M mysqls right?15:48
sdakether  is 1 mysql 3 keystones15:48
openstackgerritMonty Taylor proposed openstack/keystoneauth: Mark tenant-name and tenant-id deprecated  https://review.openstack.org/21347515:49
mfischare you using caching of any sort?15:49
sdakememcache? nope15:49
*** diazjf has joined #openstack-keystone15:49
sdakeall the caching options ar set to false in keystone.conf15:49
openstackgerritMarek Denis proposed openstack/keystone: IdP deletion triggers token revocation  https://review.openstack.org/21045615:49
openstackgerritBrant Knudson proposed openstack/keystone: Add user domain info to federated fernet tokens  https://review.openstack.org/21374215:49
openstackgerritBrant Knudson proposed openstack/keystone: Add user_domain_id, project_domain_id to auth context  https://review.openstack.org/21379215:49
openstackgerritBrant Knudson proposed openstack/keystone: Correct docstring for common.authorization  https://review.openstack.org/21375215:50
openstackgerritBrant Knudson proposed openstack/keystone: Add unit tests for token_to_auth_context  https://review.openstack.org/21379715:50
openstackgerritBrant Knudson proposed openstack/keystone: Build oslo.context RequestContext  https://review.openstack.org/21851115:50
openstackgerritBrant Knudson proposed openstack/keystone: More info in RequestContext  https://review.openstack.org/21359515:50
SamYaplesame random 401 beahviour with single keystone server, since mariadb backend15:50
mfischsdake: you have 3x Keystone --> 1 haproxy --> 1 mysql right now right?15:50
mfischok15:50
SamYaplemfisch: no right now its 1x1x115:50
SamYaplesame random 401 digging in logs now15:50
sdakeright but the haproxy goess back to the 3x keystones15:50
mfischif you can get that to break, then next do 1->1 and skip haproxy15:50
mfischah so you have this15:50
mfischyou -> 1 haproxy -> 3 keystone -> 1 haproxy -> 1 mysql15:50
*** bknudson has quit IRC15:50
*** j_king has left #openstack-keystone15:50
sdakeright but its actually just 1 haproxy process servering the whole thing15:51
mfischsure but its in the middle of everything15:51
mfischremove it from the chain15:51
mfischconfiggure keystoe to talk direct to maria15:51
mfischand you curl direct to keystone15:51
sdakeif we do that it works15:51
sdakewe have already verified that15:51
mfischok15:52
SamYapleyea definetely not keystone being the problem here15:52
SamYaplethe 401 comes but glance never talked to keystone15:52
SamYaple(according ot the logs)15:52
mfischmaybe we should move to #openstack-operators?15:52
*** roxanaghe has quit IRC15:53
SamYapleyea it shouldnt be here15:53
mfischbefore ayoung tells us we're doing it all wrong and we shouldnt be using dbs or something15:53
SamYaplepad and pencil is my go to15:53
*** fhubik has quit IRC15:53
mfischone time pads15:53
ayoungmfisch, Keystone is wrong.  THe rest is commentary. Go and study15:53
mfischsee you guys in #openstack-operators15:53
mfischlo15:53
mfischlol15:53
ayounglo lo lo lo LOOOOOO!15:54
*** roxanaghe has joined #openstack-keystone15:58
openstackgerritDavid Stanek proposed openstack/keystone: Adds caching to paste deploy's egg lookup  https://review.openstack.org/21932315:59
*** ninag has quit IRC15:59
*** ninag has joined #openstack-keystone16:00
*** ankita_wagh has joined #openstack-keystone16:02
*** richm has quit IRC16:02
*** roxanaghe has quit IRC16:03
*** ninag has quit IRC16:05
*** dims has joined #openstack-keystone16:05
*** sdake_ has joined #openstack-keystone16:05
*** e0ne has quit IRC16:05
*** bknudson has joined #openstack-keystone16:06
*** ChanServ sets mode: +v bknudson16:06
*** browne has joined #openstack-keystone16:06
*** sdake has quit IRC16:09
*** spandhe has joined #openstack-keystone16:09
*** raildo has quit IRC16:10
*** phalmos has quit IRC16:11
*** fhubik has joined #openstack-keystone16:11
*** ninag has joined #openstack-keystone16:11
*** fhubik has quit IRC16:11
*** spandhe_ has joined #openstack-keystone16:12
*** jasonsb has joined #openstack-keystone16:13
*** spandhe has quit IRC16:13
*** spandhe_ is now known as spandhe16:13
*** phalmos has joined #openstack-keystone16:14
*** richm has joined #openstack-keystone16:17
*** sdake_ is now known as sdake16:21
*** spandhe has quit IRC16:22
dstanekbknudson: i think the tests now take 2 days to run :-(16:23
*** ninag has quit IRC16:24
*** ninag has joined #openstack-keystone16:24
bknudsondstanek: it runs in the gate in 15 mins or so, although it's not consistent16:26
*** ninag has quit IRC16:27
*** ninag has joined #openstack-keystone16:27
*** jistr|call has quit IRC16:28
*** tonytan4ever has quit IRC16:28
morgandstanek: I approve of putting the eggs in one basket16:29
dstaneki'm going to try to be in the meeting today, but i'm in SAT and i'll be in a meeting there too - so i may be a little sluggish on the keyboard16:30
*** ninag has quit IRC16:32
openstackgerritDavid Stanek proposed openstack/keystone: Adds caching to paste deploy's egg lookup  https://review.openstack.org/21932316:35
*** ankita_wagh has quit IRC16:35
openstackgerritDavid Stanek proposed openstack/keystone: Initial support for versioned driver classes  https://review.openstack.org/21848116:36
*** thedodd has joined #openstack-keystone16:41
*** jasonsb has quit IRC16:42
*** jasonsb has joined #openstack-keystone16:43
*** aix has quit IRC16:45
*** exploreshaifali has joined #openstack-keystone16:46
*** jasonsb has quit IRC16:47
*** david-ly_ has joined #openstack-keystone16:49
*** david-lyle has quit IRC16:49
*** tonytan4ever has joined #openstack-keystone16:50
*** geoffarnold has quit IRC16:50
*** lhcheng has joined #openstack-keystone16:51
*** ChanServ sets mode: +v lhcheng16:51
*** fangzhou has quit IRC16:52
*** geoffarnold has joined #openstack-keystone16:54
*** eandersson has quit IRC16:55
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation model  https://review.openstack.org/20848816:56
*** roxanaghe has joined #openstack-keystone17:03
*** sdake_ has joined #openstack-keystone17:06
*** sdake has quit IRC17:06
*** sdake has joined #openstack-keystone17:07
*** david-ly_ has quit IRC17:07
*** wwwjfy has quit IRC17:07
*** jasonsb has joined #openstack-keystone17:08
*** vivekd_ has joined #openstack-keystone17:10
*** sdake_ has quit IRC17:10
*** vivekd has quit IRC17:11
*** vivekd_ is now known as vivekd17:11
*** jasonsb has quit IRC17:12
*** petertr7_away is now known as petertr717:13
*** roxanaghe_ has joined #openstack-keystone17:13
*** samleon has joined #openstack-keystone17:15
*** roxanaghe has quit IRC17:16
openstackgerritDavid Stanek proposed openstack/keystone: Initial support for versioned driver classes  https://review.openstack.org/21848117:17
*** tonytan4ever has quit IRC17:18
*** jasonsb has joined #openstack-keystone17:19
*** jasonsb has quit IRC17:21
*** aix has joined #openstack-keystone17:25
*** spandhe has joined #openstack-keystone17:26
*** tonytan4ever has joined #openstack-keystone17:27
*** fangzhou has joined #openstack-keystone17:36
*** stevemar has quit IRC17:42
*** exploreshaifali has quit IRC17:46
*** afazekas__ has joined #openstack-keystone17:46
openstackgerritLin Hua Cheng proposed openstack/keystone: Add federated auth for idp specific websso  https://review.openstack.org/21476617:50
*** afazekas__ has quit IRC17:51
*** vivekd_ has joined #openstack-keystone17:52
lhchenglbragstad: made a small fix on the routing ^17:52
*** jasonsb has joined #openstack-keystone17:53
*** vivekd has quit IRC17:53
*** vivekd_ is now known as vivekd17:53
lbragstadlhcheng: awesome, thanks!17:53
*** david-lyle has joined #openstack-keystone17:54
*** sigmavirus24 is now known as sigmavirus24_awa17:54
*** afazekas__ has joined #openstack-keystone17:54
lbragstadlhcheng: i'm going to push another patch, i think there might be an indentation nit?17:55
lhchenglbragstad: np. I am still trying to setup my env, for some reason I can't re-use the env I setup last release for testing websso, getting a lot of package conflict with oslo.17:55
morgandstanek: mind running the meeting today? (Cc lbragstad ?)17:55
lbragstadmorgan: i think dstanek is at a lunch meeting?17:56
lhchenglbragstad: sure go ahead, but this is the best I got where pep8p is still happy.17:56
lbragstadmorgan: I can give it a shot17:56
morganlbragstad: thnx17:56
openstackgerritLance Bragstad proposed openstack/keystone: Add federated auth for idp specific websso  https://review.openstack.org/21476617:57
lbragstadlhcheng: ^ done17:57
lhchenglbragstad: cool, pep8 is still happy with that :)17:58
*** gyee has joined #openstack-keystone17:59
*** ChanServ sets mode: +v gyee17:59
*** amakarov_away is now known as amakarov18:01
*** david-lyle has quit IRC18:01
*** NM has joined #openstack-keystone18:03
*** zeus- has joined #openstack-keystone18:04
*** spandhe_ has joined #openstack-keystone18:04
*** spandhe has quit IRC18:05
*** spandhe_ is now known as spandhe18:05
*** afazekas__ has quit IRC18:07
*** alex_xu has quit IRC18:08
*** ankita_wagh has joined #openstack-keystone18:09
*** ankita_wagh has quit IRC18:10
*** ankita_wagh has joined #openstack-keystone18:10
HT_sergioHey all. I'm seeing a very strange behaviour from KS: I call keystoneclientv3.tokens.revoke_token() on the token I'm using the make the API request. Every other request fails :S18:11
*** alex_xu has joined #openstack-keystone18:11
HT_sergioNormally I dive into the code to figure stuff out, but I'm lost this time !18:11
HT_sergioI'm using UUID tokens with memcache backend (1 server).18:12
HT_sergiowhere should I look to start narrowing down the cause ?18:13
*** NM has quit IRC18:15
*** samueldmq has joined #openstack-keystone18:17
*** david-lyle has joined #openstack-keystone18:19
*** NM has joined #openstack-keystone18:24
*** boltR has joined #openstack-keystone18:26
boltRis it possible to generate a permanent token?18:27
boltRfor service-to-service calls18:28
*** e0ne has joined #openstack-keystone18:29
*** ankita_w_ has joined #openstack-keystone18:30
*** fangzhou_ has joined #openstack-keystone18:31
*** fangzhou has quit IRC18:33
*** fangzhou_ is now known as fangzhou18:33
*** ankita_wagh has quit IRC18:33
*** exploreshaifali has joined #openstack-keystone18:34
*** pgbridge has joined #openstack-keystone18:38
*** e0ne has quit IRC18:39
*** dims has quit IRC18:40
*** dims has joined #openstack-keystone18:40
*** dikonoor has quit IRC18:41
*** dims has quit IRC18:45
amakarovboltR, use trusts18:52
*** raildo-afk is now known as raildo18:53
amakarovboltR, long-living tokens considered a bad idea as there are problems to revoke them correctly18:53
*** slberger has joined #openstack-keystone18:54
*** e0ne has joined #openstack-keystone18:55
*** zeus- is now known as zeus18:56
*** zeus has quit IRC18:56
*** zeus has joined #openstack-keystone18:56
boltRamakarov: cool i had no idea this existed!18:58
amakarovboltR, welcome )18:58
HT_sergioamakarov: any idea where to start looking for my issue ?18:59
openstackgerritVivek Dhayaal proposed openstack/keystone: Stable Keystone Driver Interfaces  https://review.openstack.org/20952418:59
*** tsymanczyk has quit IRC19:00
amakarovHT_sergio, yes, it was a trade-off:19:00
amakarovrevocation event is created with role+project rather than user+role+project19:01
dstanekmarekd: you still hanging around?19:01
amakarovso any token issued for role+project is considered revoked on group revocation for example19:02
HT_sergioamakarov: OK, that unfortunate for me. But then how come the token correctly gets rejected sometimes, but not always19:02
*** nicodemos has quit IRC19:03
amakarovHT_sergio, the recommended behaviour: if your token rots away - request a new one19:03
*** sigmavirus24_awa is now known as sigmavirus2419:04
HT_sergioamakarov: that's not the issue I'm having. I'm trying to revoke a token, but it's not working consistently19:04
openstackgerritVivek Dhayaal proposed openstack/keystone: Stable Keystone Driver Interfaces  https://review.openstack.org/20952419:04
amakarovHT_sergio, revocation engine is not hardened to flawless state yet and it it already considered a mistake :)19:04
*** afazekas has quit IRC19:04
HT_sergioamakarov: lol ok. Thank you amakarov !19:04
amakarovHT_sergio, the latest silver bullet is 5-minutes tokens living long enough for a single operation19:06
amakarovThey just expire and don't need any revocation/deletion and other annoying stuff )19:06
*** petertr7 is now known as petertr7_away19:06
HT_sergiodo you know who works on token revocation, so I could learn more about it?19:07
*** fangzhou has quit IRC19:07
*** stevemar has joined #openstack-keystone19:07
*** ChanServ sets mode: +v stevemar19:07
*** dims has joined #openstack-keystone19:09
amakarovHT_sergio, iirc revocation engine is ayoung's doing, I've fixed it a bit too so I think I can answer some of your questions19:11
*** ankita_wagh has joined #openstack-keystone19:12
*** sdake_ has joined #openstack-keystone19:12
*** sdake has quit IRC19:13
*** dims has quit IRC19:13
*** sdake has joined #openstack-keystone19:14
*** jaosorior has quit IRC19:15
*** ankita_w_ has quit IRC19:16
*** fangzhou has joined #openstack-keystone19:17
*** sdake_ has quit IRC19:18
*** dims has joined #openstack-keystone19:18
*** samueldmq has quit IRC19:20
*** tsymanczyk has joined #openstack-keystone19:24
*** tsymanczyk is now known as Guest6911119:24
*** dims has quit IRC19:25
openstackgerritDavid Stanek proposed openstack/keystone: Adds caching to paste deploy's egg lookup  https://review.openstack.org/21932319:25
*** geoffarnold has quit IRC19:27
*** roxanaghe_ has quit IRC19:27
marekddstanek: yes19:28
*** pgbridge has quit IRC19:34
*** claudiub has quit IRC19:34
*** hakimo has quit IRC19:34
*** lifeless has quit IRC19:34
*** tobasco_ has quit IRC19:34
*** rmstar has quit IRC19:34
*** mtreinish has quit IRC19:34
*** raginbajin has quit IRC19:34
*** harlowja has quit IRC19:34
*** goodygum has quit IRC19:34
*** dobson has quit IRC19:34
*** jamiec has quit IRC19:34
openstackgerritDavid Stanek proposed openstack/keystone: Adds warning when no domain configs were uploaded  https://review.openstack.org/21428719:34
*** dobson has joined #openstack-keystone19:34
*** jamiec has joined #openstack-keystone19:34
*** pgbridge has joined #openstack-keystone19:35
*** claudiub has joined #openstack-keystone19:35
*** hakimo has joined #openstack-keystone19:35
*** lifeless has joined #openstack-keystone19:35
*** tobasco_ has joined #openstack-keystone19:35
*** rmstar has joined #openstack-keystone19:35
*** mtreinish has joined #openstack-keystone19:35
*** raginbajin has joined #openstack-keystone19:35
*** goodygum has joined #openstack-keystone19:35
*** harlowja has joined #openstack-keystone19:35
*** harlowja has quit IRC19:35
*** harlowja has joined #openstack-keystone19:35
*** dims has joined #openstack-keystone19:35
openstackgerritDavid Stanek proposed openstack/keystone: Adds caching to paste deploy's egg lookup  https://review.openstack.org/21932319:36
dstanekwow, i'm doing too many things at once and getting confused19:38
*** jdennis has joined #openstack-keystone19:39
mordredjamielennox, morgan: what's the new way of doing auth.get_plugin_class?19:40
openstackgerritDavid Stanek proposed openstack/keystone: Adds caching to paste deploy's egg lookup  https://review.openstack.org/21932319:41
*** ankita_w_ has joined #openstack-keystone19:41
*** ankita_w_ has quit IRC19:42
*** ankita_w_ has joined #openstack-keystone19:42
*** ankita_wagh has quit IRC19:43
*** sdake_ has joined #openstack-keystone19:45
*** amakarov is now known as amakarov_away19:45
*** ankita_wagh has joined #openstack-keystone19:47
*** ankita_w_ has quit IRC19:47
*** harlowja has quit IRC19:47
*** pgbridge has quit IRC19:47
*** claudiub has quit IRC19:47
*** hakimo has quit IRC19:47
*** lifeless has quit IRC19:47
*** tobasco_ has quit IRC19:47
*** rmstar has quit IRC19:47
*** mtreinish has quit IRC19:47
*** raginbajin has quit IRC19:47
*** goodygum has quit IRC19:47
mordredmorgan, jamielennox: or, more importantly, how do I create a session now without argparse or oslo.config structures - like, what's the Python API19:48
*** ankita_wagh has quit IRC19:48
*** petertr7_away is now known as petertr719:48
*** sdake has quit IRC19:49
*** fangzhou has quit IRC19:49
*** sdake has joined #openstack-keystone19:49
*** ayoung has quit IRC19:50
jamielennoxmordred: there's auth.get_plugin_loader19:50
*** ankita_wagh has joined #openstack-keystone19:50
*** Guest69111 has quit IRC19:50
mordredah! loading.get_plugin_loader19:51
jamielennoxalso i think most clients now support interface= because i pass **kwargs from Client.__init__ to Adapter.__init__19:51
*** fangzhou has joined #openstack-keystone19:52
mordredok. cool19:52
*** harlowja has joined #openstack-keystone19:52
*** pgbridge has joined #openstack-keystone19:52
*** claudiub has joined #openstack-keystone19:52
*** hakimo has joined #openstack-keystone19:52
*** lifeless has joined #openstack-keystone19:52
*** tobasco_ has joined #openstack-keystone19:52
*** rmstar has joined #openstack-keystone19:52
*** mtreinish has joined #openstack-keystone19:52
*** raginbajin has joined #openstack-keystone19:52
*** goodygum has joined #openstack-keystone19:52
mordredI'lll go through and check and see if I can just do that in shade directly19:52
*** geoffarnold has joined #openstack-keystone19:52
*** sdake_ has quit IRC19:53
jamielennoxmordred: so i removed the auth-validate function but i added a couple of reviews to keystoneauth yesterday that i think will let you do the same thing19:53
mordredyeah - saw that - I tink that looks fine19:53
jamielennoxok19:54
*** e0ne has quit IRC19:54
*** e0ne has joined #openstack-keystone19:55
*** ayoung has joined #openstack-keystone19:56
*** ChanServ sets mode: +v ayoung19:56
*** ayoung has quit IRC19:58
openstackgerritAndrey Pavlov proposed openstack/keystone: Add S3 signature v4 checking  https://review.openstack.org/21548119:59
*** ayoung has joined #openstack-keystone20:00
*** ChanServ sets mode: +v ayoung20:00
*** boris-42 has quit IRC20:00
dstanekmarekd: i was pinging you about that review you mentioned in the meeting20:03
dstanekmarekd: left some feedback20:03
dstanekmorgan: should our stable drivers actually be v9 since that would be our next keystone release?20:03
*** ayoung has quit IRC20:05
marekddstanek: yeah, you are right. Thanks!20:05
dstanekmarekd: np20:05
*** tsymancz1k has joined #openstack-keystone20:06
*** ayoung has joined #openstack-keystone20:07
*** ChanServ sets mode: +v ayoung20:07
*** djc__ has joined #openstack-keystone20:10
djc__when my identity backend for keystone is using ldap, is it placed in the 'default' domain if no domain is specified?20:10
*** exploreshaifali has quit IRC20:12
*** vivekd has quit IRC20:13
stevemardjc__: yep20:14
djc__stevemar thanks. I now want to place service accounts in mysql and other users in AD using domains. do I need to create a keystone.default.conf file in /etc/keystone/domains directory?20:15
djc__steenmar and also create a domain called 'users' with a file a called 'keystone.users.conf' and place ldap configuration in this file?20:16
*** petertr7 is now known as petertr7_away20:22
*** mpmsimo has quit IRC20:23
*** mpmsimo has joined #openstack-keystone20:24
*** dave-mccowan has quit IRC20:25
slbergerdjc__ I don't think the keystone.default.conf will be necessary if the mysql connection information is overridden in the new keystone."users".conf20:26
djc__slberger In the keystone.users.conf I plan to have ldap information. See link: https://gist.github.com/anonymous/c2a4911f7ad207732b2920:28
*** mpmsimo has quit IRC20:29
djc__slberger: AD will have regular users. I would like service accounts to be in mysql and not in AD.20:29
slbergerdjc__ that should work, we created a similar looking file for our ldap setup20:29
*** vivekd has joined #openstack-keystone20:30
djc__slberger: It doesn't work. when i source admin creds (which is in AD) and try to run a command it fails:  "openstack user list ERROR: openstack The request you have made requires authentication. (HTTP 401) "20:31
slbergerdjc__ it should overwrite values when using the domain specific config. stevemar could you confirm20:31
slbergertry running the openstack command it the --domain <domain_name> option20:32
djc__slberger: same error message20:33
slbergerdjc__  I see this in our environment when we moved to v3 and started using domains20:33
slbergerdjc__ is this when trying to grab users from the users or default domain20:33
djc__slberger: the name of my domain is actually Service not users. I'll send my environment. one sec20:34
djc__slberger: https://gist.github.com/anonymous/ff6f698977facd6f4b2920:35
stevemardjc__: i wrote up something around this20:36
stevemarhttps://developer.ibm.com/opentech/2015/08/14/configuring-keystone-with-ibms-bluepages-ldap/20:36
stevemarbasically slberger is right, you *MUST* make your default domain SQL backed, and any other domains backed by ldp20:37
stevemarldap20:37
*** dave-mccowan has joined #openstack-keystone20:38
djc__stevemar: awesome thanks! so I don't need a keystone.default.conf file in /etc/keystone/domains?20:38
openstackgerritVivek Dhayaal proposed openstack/keystone: Stable Keystone Driver Interfaces  https://review.openstack.org/20952420:38
djc__stevemar: I'm not sure how much you read, but I wan't service accounts in mysql and regular user accounts in ldap.20:39
djc__stevemar: I'm curious if I need to have two files in /etc/keystone/domains directory. One file for ldap (default domain) and one file for mysql (Service domain).20:40
djc__stevemar: Ok..looks like the link you sent covers this exact scenario.20:41
djc__stevemar: thanks.20:41
openstackgerritVivek Dhayaal proposed openstack/keystone: Stable Keystone Driver Interfaces  https://review.openstack.org/20952420:50
stevemardjc__: yeah, no need to create a default conf20:51
stevemarayoung: hey, how can i get in contact with gsilvis oh there he is20:51
stevemargsilvis: around?20:51
ayoungstevemar, he's almost always in #moc too, as is the rest of his team20:52
stevemarty!20:52
*** sdake has quit IRC20:53
*** thedodd has quit IRC20:53
*** thedodd has joined #openstack-keystone20:54
morganjamielennox are we loading in any of the new patches for KSA1 before we want to cut 1.0?20:58
*** thedodd has quit IRC20:59
jamielennoxmorgan: yes, it would be good to get those in, one or two are compat changes21:00
morganok.21:00
morganjamielennox: second question - do you think we can cut 1.0 before g-r freeze?21:01
morganjamielennox: or should we land 0.4.0 or a 0.5.0?21:01
jamielennoxmorgan: those patches i proposed for ksa was me going through it and figuring out what was missing and anything i thought was a problem21:01
morganok21:02
jamielennoxi don't think i have anything else i want for a 1.021:02
morganlets land those and call it good for 1.x21:02
*** raildo is now known as raildo-afk21:02
jamielennoxthere is the get_endpoint returns None but i don't think that's a problem to change later21:02
morganif things aren't horked with shade etc (cc mordred )21:02
*** spandhe has quit IRC21:02
*** spandhe has joined #openstack-keystone21:04
*** spandhe has quit IRC21:04
bknudsonOH: "if you have, say, python-${PROJECT}client updates or features that need to go in liberty, you probably want to get them released ASAP"21:04
bknudsonI don't think we've done a keystoneclient release in a while?21:05
jamielennoxmorgan: oh, the other thing i was thinking was allow auth_plugin as auth_type for compatibility with OSC and try and put that debate away21:05
morganjamielennox: i'm fine with that21:05
openstackgerritLance Bragstad proposed openstack/keystone: Add federated auth for idp specific websso  https://review.openstack.org/21476621:06
jamielennoxthis can be > 1.0 as well21:06
*** spandhe has joined #openstack-keystone21:07
morganjamielennox: +A most of the chain you had going there21:08
openstackgerritMichael Krotscheck proposed openstack/keystone: Added CORS support to Keystone  https://review.openstack.org/21638721:09
morganjamielennox: any issue with https://review.openstack.org/#/c/209671/ ?21:10
*** topol has quit IRC21:10
*** pnavarro|afk has quit IRC21:11
jamielennoxmorgan: nope21:11
morganjamielennox: if that is approved, that will leave 2 outstanding patches against ksa21:11
morganand i'm happy with everything that has been proposed *except* the missing tests from the one terry proposed21:12
morganbut his change is good21:12
morganjamielennox: what about https://review.openstack.org/#/c/218727/ ?21:13
*** ankita_w_ has joined #openstack-keystone21:14
jamielennoxmorgan: minor fix21:14
jamielennoxumm, not sure why it's failing21:14
morgandoes it need to be pre-1.0?21:14
morganand https://review.openstack.org/#/c/216883/21:15
jamielennoxi don't think so because the path is public, can only be accessed by the entrypoint21:15
*** e0ne has quit IRC21:15
jamielennoxmm, not sure about that one21:16
*** e0ne has joined #openstack-keystone21:16
*** geoffarnold has quit IRC21:17
openstackgerritJamie Lennox proposed openstack/keystoneauth: Move admin_token to base _plugins dir  https://review.openstack.org/21872721:17
*** ankita_wagh has quit IRC21:17
*** mpmsimo has joined #openstack-keystone21:17
jamielennoxmorgan: is this you going for a release like today?21:18
jamielennox /now21:18
morganthat is my hope21:18
jamielennoxok, let me just comment one bit out and i can fix post 1.021:18
morganI want to make the 1.0 cut today if possible so we can g-r it21:18
morganalso we want to propose a fix to the readme21:19
morganto stop saying "OMG DONT USE THIS"21:19
morganmordred: ^ cc21:21
mordredmorgan, jamielennox: shade/occ use auth_type at the moment21:24
mordredI'd be happy to put in a rename/backwards-compat-deprecation for auth_plugin21:25
jamielennoxmordred: yea, it was initially --os-auth-plugin but dean prefered --os-auth-type, i care not i just want to have it all handled by ksa21:26
morganjamielennox: lets just support both21:26
jamielennoxmorgan: right - i don't want to break anyone already using AUTH_PLUGIN either21:26
*** geoffarnold has joined #openstack-keystone21:26
mordredk. well, I pass something to loading.get_plugin_loader - and in the other places I can support both21:26
mordredin my stuffs21:26
jamielennoxand like auth_token middleware etc all uses auth_plugin = in CONF21:26
mordredoh wait - which is the one you prefer?21:27
mordredlike, what is the word that ksa _wants_ to call it?21:27
morganauth_type iirc21:27
morganbut some people use auth_plugin21:27
mordredk. that's what I do now. I'm just going to keep it that way for simplicity, since I have no backwards compat people21:27
morganyeah21:27
morganwe just should support both in KSA21:27
morganthats all21:27
mordred++21:28
*** mpmsimo has quit IRC21:28
*** mpmsimo has joined #openstack-keystone21:28
openstackgerritJamie Lennox proposed openstack/keystoneauth: Remove the conf loading methods from loading.__init__  https://review.openstack.org/21946321:28
jamielennoxmordred: initially we had auth_plugin= i'm happy to say that auth_type= can be the default and just have plugin as a fallback21:29
jamielennoxauth-type does feel a bit nicer from a user perspective21:29
jamielennoxmordred, morgan: ^ review just gives us some room later, we could probably fix it now but we seem to be on a release roll21:30
morganjamielennox: ++21:31
jamielennoxoo, actually they could be a problem21:31
jamielennoxdamnit21:32
openstackgerritHenrique Truta proposed openstack/keystone: Tests for projects acting as domains  https://review.openstack.org/21121921:33
openstackgerritHenrique Truta proposed openstack/keystone: Manager support for projects acting as domains  https://review.openstack.org/21344821:33
openstackgerritHenrique Truta proposed openstack/keystone: List projects filtering by is_domain flag  https://review.openstack.org/15839821:33
openstackgerritHenrique Truta proposed openstack/keystone: Honor domain operations in project table  https://review.openstack.org/14376321:33
openstackgerritHenrique Truta proposed openstack/keystone: Replicate domain info in projects table  https://review.openstack.org/21117021:33
openstackgerritHenrique Truta proposed openstack/keystone: Change project name constraints  https://review.openstack.org/15837221:33
openstackgerritHenrique Truta proposed openstack/keystone: Add is_domain parameter to get_project_by_name  https://review.openstack.org/21060021:33
morganjamielennox: ?21:34
jamielennoxmorgan: i might need another day21:35
morganok we can hold until tomorrow.21:35
jamielennoxthanks21:36
jamielennoxgood to find these problems, wish it had been when i was looking yesterday21:36
morganyeah21:39
*** tsymancz1k is now known as tsymanczyk21:42
*** csoukup has quit IRC21:44
*** phalmos has quit IRC21:52
*** spandhe has quit IRC21:55
*** diazjf has quit IRC21:55
*** djc__ has quit IRC21:55
openstackgerritJamie Lennox proposed openstack/keystoneauth: Return oslo.config opts from config loading  https://review.openstack.org/21946721:55
*** spandhe has joined #openstack-keystone21:57
*** stevemar has quit IRC21:59
*** NM has quit IRC21:59
*** shardy has quit IRC22:01
*** csoukup has joined #openstack-keystone22:01
*** stevemar has joined #openstack-keystone22:02
*** ChanServ sets mode: +v stevemar22:02
*** stevemar has quit IRC22:02
openstackgerritgordon chung proposed openstack/keystonemiddleware: use the same context across a request  https://review.openstack.org/21688922:03
*** slberger has left #openstack-keystone22:06
*** jsavak has quit IRC22:08
*** e0ne has quit IRC22:10
*** e0ne has joined #openstack-keystone22:14
*** sigmavirus24 is now known as sigmavirus24_awa22:18
*** ChanServ sets mode: +o morgan22:21
openstackgerritMerged openstack/keystoneauth: Better isolate loading tests  https://review.openstack.org/21908122:21
openstackgerritMerged openstack/keystoneauth: Change option requirement testing  https://review.openstack.org/21908222:21
*** morgan changes topic to "Please review code linked via BPs and Bugs on https://launchpad.net/keystone/+milestone/liberty-3 List"22:21
*** ChanServ sets mode: -o morgan22:22
morgandstanek, dolphm, lbragstad, marekd, lhcheng, ayoung, jamielennox, stevemar, gyee, henrynash: Please review code for bugs/BPs on the L3 list22:23
ayoungNo22:23
morgandstanek, dolphm, lbragstad, marekd, lhcheng, ayoung, jamielennox, stevemar, gyee, henrynash: Anything that isn't gating today is being punted.22:23
morganor will require a FFE to land22:23
ayoungOr a FFT22:23
morgangating = approved.22:23
morganI'll circle back through everything a little later today as well.22:24
*** gordc has quit IRC22:27
*** edmondsw has quit IRC22:28
*** csoukup has quit IRC22:28
openstackgerritMerged openstack/keystoneauth: get_available_loaders should return loader object  https://review.openstack.org/21908622:29
openstackgerritMerged openstack/keystoneauth: Raise error if loader is provided name without id  https://review.openstack.org/21909422:29
openstackgerritMerged openstack/keystoneauth: Mark tenant-name and tenant-id deprecated  https://review.openstack.org/21347522:29
*** thiagop has quit IRC22:30
*** spandhe has quit IRC22:33
*** e0ne has quit IRC22:34
*** zzzeek has quit IRC22:36
*** alejandrito_ has joined #openstack-keystone22:43
*** alejandrito_ has quit IRC22:45
*** alejandrito has quit IRC22:45
*** rbak has quit IRC22:49
*** mpmsimo has quit IRC22:53
*** boris-42 has joined #openstack-keystone22:57
*** Ephur has quit IRC23:00
*** vivekd has quit IRC23:00
*** vivekd has joined #openstack-keystone23:01
*** dims has quit IRC23:03
*** chlong_ is now known as chlong23:18
openstackgerritHenrique Truta proposed openstack/keystone: Limit subtree and parents queries  https://review.openstack.org/20913223:18
openstackgerritHenrique Truta proposed openstack/keystone: Restrict inherited role assignments to subdomains  https://review.openstack.org/16418023:18
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/21949323:21
*** tonytan4ever has quit IRC23:22
*** henrynash has joined #openstack-keystone23:22
*** ChanServ sets mode: +v henrynash23:22
gyeemorgan, yes, sorry too many meetings today23:24
*** dims__ has joined #openstack-keystone23:24
gyeewill be reviewing23:24
gyeemorgan, if we are not going to do the split pipeline solution, can we get this one instead? https://review.openstack.org/#/c/208168/23:26
openstackgerritHenrique Truta proposed openstack/keystone: Restricting domain_id update  https://review.openstack.org/20721823:27
*** diazjf has joined #openstack-keystone23:35
*** geoffarnold has quit IRC23:43
*** ankita_w_ has quit IRC23:44
*** shoutm has joined #openstack-keystone23:48
*** arunkant_ has quit IRC23:58
« Monday, 2015-08-31 Index Wednesday, 2015-09-02 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!