Thursday, 2015-09-03

« Wednesday, 2015-09-02 Index Friday, 2015-09-04 »
openstackgerritMerged openstack/keystoneauth: Add session and auth loading to loading.__init__  https://review.openstack.org/21946300:11
*** wwwjfy_ has joined #openstack-keystone00:11
*** wwwjfy has quit IRC00:11
*** hockeynut has quit IRC00:13
*** charz has quit IRC00:14
*** jasonsb_ has quit IRC00:14
*** tobasco_ has quit IRC00:15
*** notmyname has quit IRC00:15
*** tobasco has joined #openstack-keystone00:16
*** charz has joined #openstack-keystone00:16
*** hockeynut has joined #openstack-keystone00:17
*** notmyname has joined #openstack-keystone00:17
*** btully has joined #openstack-keystone00:19
*** goodygum has quit IRC00:19
openstackgerritMerged openstack/keystoneauth: Use auth_type instead of auth_plugin by default  https://review.openstack.org/21952000:20
openstackgerritMatt Riedemann proposed openstack/python-keystoneclient: Update path to subunit2html in post_test_hook  https://review.openstack.org/21993100:20
*** goodygum has joined #openstack-keystone00:21
*** shadower has quit IRC00:23
*** hockeynut has quit IRC00:23
*** shadower has joined #openstack-keystone00:23
*** hockeynut has joined #openstack-keystone00:23
*** btully has quit IRC00:23
*** wwwjfy_ has quit IRC00:29
*** wwwjfy has joined #openstack-keystone00:30
*** bknudson has quit IRC00:44
openstackgerritMerged openstack/keystoneauth: Raise exception for v2 with domain scope  https://review.openstack.org/21688300:45
*** btully has joined #openstack-keystone00:46
*** browne has quit IRC00:46
*** btully has quit IRC00:51
*** wwwjfy has quit IRC00:53
*** wwwjfy has joined #openstack-keystone00:53
*** shoutm_ has joined #openstack-keystone00:56
*** shoutm has quit IRC00:56
*** browne has joined #openstack-keystone00:58
*** zzzeek has joined #openstack-keystone01:03
morgangyee: whoa, 62 patchsets?!01:04
*** wwwjfy has quit IRC01:07
*** dsirrine has quit IRC01:12
*** jdandrea has quit IRC01:13
openstackgerritTerry Howe proposed openstack/keystoneauth: Move around the tests so they can be found easier  https://review.openstack.org/21994701:22
*** roxanaghe has quit IRC01:22
*** nigelb has left #openstack-keystone01:23
openstackgerritTerry Howe proposed openstack/keystoneauth: Move around the tests so they can be found easier  https://review.openstack.org/21994701:24
mordredjamielennox: so - I'm fine with using the private ... _except_ the functionality is already exposed in prod in ansible modules01:33
mordredwhich I understand is not necessarily ksa's problem01:33
mordredjamielennox: but it means that to provide that, I'll need to be relying on a private thing across library boundaries01:34
mordredand that means I'm opening myself to being screwed, because changing a private impl thing is totally fair game01:35
mordredalso - printing out the catalog is a thing I do A LOT in interacting with clouds, fwiw01:35
mordredit's basically my first step in figuring out what's going on01:35
*** sdake has quit IRC01:36
*** jasonsb has joined #openstack-keystone01:46
*** boris-42 has quit IRC01:50
jamielennoxmordred: ok, i'm fine to expose it01:51
jamielennoxmordred: the same thing applies with the AccessInfo object, and there was a problem there whether it should have a private object which is a dict or if the whole thing should just be the dict01:52
jamielennoxto which i boldly said - meh01:53
mordredit's the right bold statement01:53
*** geoffarnold is now known as geoffarnoldX01:55
ayoungmorgan, https://review.openstack.org/#/c/156870/61..62/doc/source/configure_tokenless_x509.rst,cm  sufficient?  If so, I'll pull the trigger01:56
*** fangzhou has quit IRC01:57
jamielennoxmordred: either way would prefer it as a property though, but if you're busy i can fix that quick01:57
jamielennoxi don't know if morgan is still hoping to release today01:57
mordredjamielennox: I can do it - but also _totaly_ don't mind you do it if that works for your brain01:57
morganjamielennox: was planning on waiting if needed we are at the last "make sure we arent broken phase" an extra day doesnt hurt things.02:01
jamielennoxmorgan: there's things still merging02:01
morganYes. We woild have to wait for that too02:02
jamielennoxi don't have anything else - but i didn't think i did yesterday either02:02
morganayoung: yeah its good enough02:03
ayounggyee, Fire in the hole!02:04
*** zzzeek has quit IRC02:09
gyeeayoung, thanks!02:12
*** mylu has joined #openstack-keystone02:13
*** mylu has quit IRC02:17
*** spandhe has quit IRC02:17
*** samleon has quit IRC02:17
*** mylu has joined #openstack-keystone02:17
*** woodster_ has quit IRC02:19
*** csoukup has joined #openstack-keystone02:24
*** mylu has quit IRC02:25
openstackgerritJamie Lennox proposed openstack/keystoneauth: Add accessor method for raw catalog content  https://review.openstack.org/21986202:27
*** sdake has joined #openstack-keystone02:28
*** Kennan has quit IRC02:29
*** Kennan has joined #openstack-keystone02:30
*** sdake_ has joined #openstack-keystone02:31
*** mylu has joined #openstack-keystone02:31
*** mylu has quit IRC02:34
*** sdake has quit IRC02:34
*** lhcheng_ has quit IRC02:41
*** kiran-r has joined #openstack-keystone02:43
openstackgerritSteve Martinelli proposed openstack/keystone: List credentials by type  https://review.openstack.org/20862002:52
*** hakimo_ has quit IRC02:54
*** hakimo has joined #openstack-keystone02:57
*** kiran-r has quit IRC02:58
*** wwwjfy has joined #openstack-keystone03:04
*** richm has quit IRC03:04
*** mylu has joined #openstack-keystone03:05
*** lhcheng has joined #openstack-keystone03:06
*** ChanServ sets mode: +v lhcheng03:06
*** mylu has quit IRC03:09
*** djc_ has joined #openstack-keystone03:10
*** mylu has joined #openstack-keystone03:10
djc_I'm setting up keystone domains. I have one domain called 'LDAP' which has users in AD. I have another domain called 'default' which has service accounts like glance, nova, etc in mysql. I can't login to the dashboard with an admin account that is in mysql. Any ideas what I'm doing wrong?03:13
*** csoukup has quit IRC03:16
openstackgerritHenrique Truta proposed openstack/keystone: Tests for projects acting as domains  https://review.openstack.org/21121903:18
openstackgerritHenrique Truta proposed openstack/keystone: Manager support for projects acting as domains  https://review.openstack.org/21344803:18
openstackgerritHenrique Truta proposed openstack/keystone: Replicate domain info in projects table  https://review.openstack.org/21117003:18
openstackgerritHenrique Truta proposed openstack/keystone: Change project name constraints  https://review.openstack.org/15837203:18
openstackgerritHenrique Truta proposed openstack/keystone: Add is_domain parameter to get_project_by_name  https://review.openstack.org/21060003:18
*** shoutm_ has quit IRC03:20
*** mylu has quit IRC03:26
*** eglute has quit IRC03:27
*** dolphm has quit IRC03:29
*** erhudy1 has quit IRC03:29
*** sigmavirus24 has quit IRC03:30
*** dguerri` has quit IRC03:30
*** d34dh0r53 has quit IRC03:30
*** dikonoor has joined #openstack-keystone03:31
*** d34dh0r53 has joined #openstack-keystone03:31
*** dolphm has joined #openstack-keystone03:32
*** eglute has joined #openstack-keystone03:32
*** dguerri` has joined #openstack-keystone03:32
*** dguerri` is now known as dguerri03:32
*** dguerri has joined #openstack-keystone03:32
openstackgerritHenrique Truta proposed openstack/keystone: Honor domain operations in project table  https://review.openstack.org/14376303:33
openstackgerritHenrique Truta proposed openstack/keystone: List projects filtering by is_domain flag  https://review.openstack.org/15839803:34
openstackgerritHenrique Truta proposed openstack/keystone: Restricting domain_id update  https://review.openstack.org/20721803:34
openstackgerritHenrique Truta proposed openstack/keystone: Limit subtree and parents queries  https://review.openstack.org/20913203:34
openstackgerritHenrique Truta proposed openstack/keystone: Restrict inherited role assignments to subdomains  https://review.openstack.org/16418003:34
*** sigmavirus24_awa has joined #openstack-keystone03:35
*** dikonoor has quit IRC03:35
*** dims has joined #openstack-keystone03:35
openstackgerritMerged openstack/keystone: Add support for effective & inherited mode in data driven tests  https://review.openstack.org/15162303:36
*** geoffarnoldX is now known as geoffarnold03:39
*** gyee has quit IRC03:40
*** shoutm has joined #openstack-keystone03:41
*** sdake_ is now known as sdake03:42
*** jecarey has quit IRC03:46
*** boris-42 has joined #openstack-keystone03:59
*** dims has quit IRC04:00
*** links has joined #openstack-keystone04:02
*** Nirupama has joined #openstack-keystone04:13
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/21949304:14
*** btully has joined #openstack-keystone04:15
*** stevemar has joined #openstack-keystone04:23
*** ChanServ sets mode: +v stevemar04:23
*** djc_ has quit IRC04:26
*** shoutm has quit IRC04:38
*** lhcheng_ has joined #openstack-keystone04:39
*** lhcheng has quit IRC04:39
*** geoffarnold is now known as geoffarnoldX04:40
*** stevemar has quit IRC04:43
*** ayoung has quit IRC04:44
*** shoutm has joined #openstack-keystone04:47
*** fangzhou has joined #openstack-keystone04:52
*** fangzhou has quit IRC04:57
*** dims has joined #openstack-keystone04:59
*** afazekas has joined #openstack-keystone05:04
morganjamielennox: you ok with https://review.openstack.org/#/c/219862/ ?05:04
jamielennoxmorgan: yep05:04
jamielennoxi uploaded the second review05:05
morganok cool05:05
openstackgerritMerged openstack/keystone: Initial support for versioned driver classes  https://review.openstack.org/21848105:05
*** vivekd has joined #openstack-keystone05:05
morganand https://review.openstack.org/#/c/219947/05:05
morgan?05:05
morgansince i'm doing ksa 1.x prepare stuff05:06
*** dims has quit IRC05:06
morgani have no issues with it05:06
morganbut.. worth 2x checking your view05:06
*** sdake_ has joined #openstack-keystone05:13
*** kiran-r has joined #openstack-keystone05:14
*** sdake has quit IRC05:17
*** hrou has quit IRC05:18
*** Kennan2 has joined #openstack-keystone05:24
*** Kennan has quit IRC05:25
*** mylu has joined #openstack-keystone05:26
*** stevemar has joined #openstack-keystone05:28
*** ChanServ sets mode: +v stevemar05:28
*** mylu has quit IRC05:31
*** shoutm has quit IRC05:36
*** shoutm has joined #openstack-keystone05:37
jamielennoxwhoa, hand't seen that05:39
jamielennoxmorgan: sure, i don't mind05:40
jamielennoxsame number of tests are running, i don't care where they live05:40
*** kiran-r has quit IRC05:44
stevemarmarekd: i promise to look at the idp revocation token stuff in ~ 8hrs05:44
*** stevemar has quit IRC05:44
*** sdake has joined #openstack-keystone05:48
*** sdake_ has quit IRC05:52
*** sdake_ has joined #openstack-keystone05:54
*** sdake has quit IRC05:57
*** shoutm has quit IRC05:58
*** shoutm has joined #openstack-keystone05:58
*** vivekd has quit IRC06:12
*** stevemar has joined #openstack-keystone06:14
*** ChanServ sets mode: +v stevemar06:14
openstackgerritMerged openstack/keystoneauth: Change auth plugin help text to auth type  https://review.openstack.org/21983806:16
*** stevemar has quit IRC06:19
*** shoutm_ has joined #openstack-keystone06:25
*** chmouel has quit IRC06:26
*** shoutm has quit IRC06:26
*** chmouel has joined #openstack-keystone06:27
*** mylu has joined #openstack-keystone06:28
*** ParsectiX has joined #openstack-keystone06:29
*** mylu has quit IRC06:32
openstackgerritCraige McWhirter proposed openstack/python-keystoneclient: Add drivers to the documentation  https://review.openstack.org/21809906:39
openstackgerritCraige McWhirter proposed openstack/python-keystoneclient: Add drivers to the documentation  https://review.openstack.org/21809906:42
*** kiran-r has joined #openstack-keystone06:44
*** henrynash has joined #openstack-keystone06:45
*** ChanServ sets mode: +v henrynash06:45
*** vivekd has joined #openstack-keystone06:50
*** btully has quit IRC06:51
*** ParsectiX has quit IRC06:55
*** kiran-r has quit IRC06:59
openstackgerritMorgan Fainberg proposed openstack/keystone: Added CORS support to Keystone  https://review.openstack.org/21638707:05
*** browne has quit IRC07:07
*** martinus__ has joined #openstack-keystone07:09
*** browne has joined #openstack-keystone07:09
*** browne has quit IRC07:09
*** lhcheng_ has quit IRC07:10
openstackgerritMorgan Fainberg proposed openstack/keystoneauth: Change the README to remove the warning for 1.0.0 release  https://review.openstack.org/22001907:12
morganjamielennox: ^^07:12
morganjamielennox: that could use a quick +207:12
jamielennoxmorgan: done07:12
morganthnx07:13
* jamielennox finds copy and paste haproxy config error after 3.5 hours07:13
morganwe can bug someone else to +2/+A that one and we should be ready to cut 1.007:13
morganunless you ran into something else last minute?07:13
* jamielennox not sure if he's a genius or an idiot07:13
jamielennoxah, i just +Aed07:13
morganoh all good07:13
morgan:)07:13
morganwfm07:14
jamielennoxwe probably need to get back to 2 +207:14
morganpost 1.0 we will be back to 2x+2 before +A07:14
jamielennox:)07:14
morganwe also need to get a project to be consuming it in the neutron gate test07:15
morganso we can be sure we have it exercised outside of our unit tests07:15
morgani figure the test renames can happen post 1.007:15
jamielennoxso did the g-r patch go in?07:15
morganno07:16
morganit was held for 1.007:16
morganhttps://review.openstack.org/#/c/219521/ can wait eh?07:16
jamielennoxi'm wondering how we can test it in gate and not crash everything07:16
jamielennoxmorgan: oh yea07:16
morganwe will release 1.007:17
morganget g-r landed07:17
morganand start converting things over to use it07:17
morganif there was a "oh #$%^" moment where something is horribly broken we can fix that07:17
morganbut i think we've done a good job here tbh07:17
*** jorge_munoz has quit IRC07:20
*** ParsectiX has joined #openstack-keystone07:20
*** jorge_munoz_ has joined #openstack-keystone07:21
*** ftco has quit IRC07:21
jamielennoxmorgan: i'm happy07:21
jamielennoxit took longer than expected07:21
jamielennoxbut whatever07:21
jamielennoxi don't expect to put it as a dep in anything in kilo but we can then try and get ksc 2 ready to go07:22
jamielennoxi wonder if i can like "borrow" a docs writer to sit down with me for a day07:22
morgans/kilo/liberty07:22
jamielennoxi'll just have gotten used to that and have to switch to the next one07:23
*** ParsectiX has quit IRC07:24
morganSDK folks will be happy with KSA being released07:24
*** ParsectiX has joined #openstack-keystone07:24
morganjamielennox: also that CORS patch ^^ should be super easy to review07:24
morganit should be safe to +2/+A if you're inclined since I did just a change of the commit message to not reference ironic07:25
*** ccard has quit IRC07:26
jamielennoxhmm, CORS, i went to that talk, what do i remember...07:29
jamielennoxmorgan: why wouldn't CORS be configured via paste?07:29
morgan2 reasons07:30
morgan1: don't configure things via paste07:30
morgan2: we're ripping apart tons of that stuff atm07:30
morganand it was easier to place it in our WSGI code07:30
jamielennoxmmm - this seems like an _actually optional_ middleware. ie perfect for paste07:30
morganexcept it wont be optional once horizon makes a shift to angular07:30
morganit'll be "optional" like keystonemiddleware is "optional" only if you want everything to not work07:31
jamielennoxhmm07:31
jamielennoxalright07:31
morganbut i disagree with configuring anything via paste at this point07:31
jamielennoxnot bothering with keystone-all07:31
jamielennoxoh - speaking of which did sileht speak to you about wanting a middleware release?07:32
morgani grudgingly give it a pass for swift etc07:32
morganjamielennox: no, but i just did a flush of the easy approvals in KSM07:32
morganso i figure we'll do a release tomorrow07:32
morganjust like we'll do a keystoneclient release07:32
silehtjamielennox, thx for the reminder07:33
jamielennoxoh, hi07:33
*** afazekas__ has joined #openstack-keystone07:33
silehta keystonemiddleware release would be great for aodh project07:33
jamielennoxbah, all those middleware patches of mine are still unreviewed07:33
morganjamielennox: sorry =/07:34
morgani'll be sweeping through your cache ones once FF is done07:35
*** ftco has joined #openstack-keystone07:35
jamielennoxmeh, mostly cleanups, the other chain is the one that would let me put auth_token in front of keystone but i wouldn't do that for this cycle anyway07:35
jamielennoxalright - i'm out for a few hours07:36
morganjamielennox: thnx07:38
morgancheers07:38
*** browne has joined #openstack-keystone07:53
openstackgerritMerged openstack/keystoneauth: Add accessor method for raw catalog content  https://review.openstack.org/21986208:00
*** vikram has joined #openstack-keystone08:02
vikramHi there08:02
vikramI am facing errors while starting devstack08:02
*** links has quit IRC08:02
vikram openstack role add: error: argument --user: expected one argument08:03
vikram2015-09-03 08:01:29.756 | + user_role_id=08:03
vikram2015-09-03 08:01:29.756 | + echo08:03
vikram2015-09-03 08:01:29.756 |08:03
vikram2015-09-03 08:01:29.756 | + get_or_create_project service default08:03
vikram2015-09-03 08:01:29.756 | + local project_id08:03
vikram2015-09-03 08:01:29.757 | ++ openstack --os-url=http://192.168.1.101:5000/v3 --os-identity-api-version=3 project create service --domain=default --or-show -f value -c id08:03
vikram2015-09-03 08:01:30.326 | ERROR: openstack Internal Server Error (HTTP 500)08:03
vikramCan someone please help me ?08:03
*** vivekd has quit IRC08:07
openstackgerritMerged openstack/keystonemiddleware: Allow specifying a region name to auth_token  https://review.openstack.org/21657908:08
*** pnavarro has joined #openstack-keystone08:09
openstackgerritMerged openstack/keystone: Stable Keystone Driver Interfaces  https://review.openstack.org/20952408:12
*** ParsectiX has quit IRC08:22
*** yottatsa has joined #openstack-keystone08:25
*** vikram has quit IRC08:25
*** stevemar has joined #openstack-keystone08:26
*** ChanServ sets mode: +v stevemar08:26
*** mylu has joined #openstack-keystone08:29
*** stevemar has quit IRC08:31
*** vivekd has joined #openstack-keystone08:33
*** mylu has quit IRC08:33
openstackgerrithenry-nash proposed openstack/keystone: Remove manager-driver assignment metadata construct  https://review.openstack.org/14899508:34
*** browne has quit IRC08:35
*** jistr has joined #openstack-keystone08:37
*** katkapilatova has joined #openstack-keystone08:43
*** btully has joined #openstack-keystone08:43
*** btully has quit IRC08:47
*** vivekd has quit IRC08:47
*** ftco1 has joined #openstack-keystone08:49
*** ftco has quit IRC08:51
*** vivekd has joined #openstack-keystone08:55
*** lhcheng has joined #openstack-keystone08:59
*** ChanServ sets mode: +v lhcheng08:59
*** yottatsa has quit IRC09:01
*** lhcheng has quit IRC09:04
openstackgerritMerged openstack/keystoneauth: Change the README to remove the warning for 1.0.0 release  https://review.openstack.org/22001909:06
*** ParsectiX has joined #openstack-keystone09:07
openstackgerrithenry-nash proposed openstack/keystone: Enable listing of role assignments in a project hierarchy  https://review.openstack.org/20815209:17
*** yottatsa has joined #openstack-keystone09:18
*** yottatsa has quit IRC09:20
*** yottatsa has joined #openstack-keystone09:25
*** belmoreira has joined #openstack-keystone09:26
openstackgerritMerged openstack/keystone: Add support for group membership to data driven assignment tests  https://review.openstack.org/15196209:28
openstackgerritMerged openstack/keystone: Broaden domain-group testing of list_role_assignments  https://review.openstack.org/15430209:28
*** e0ne has joined #openstack-keystone09:32
*** marzif has joined #openstack-keystone09:42
*** e0ne has quit IRC10:04
*** e0ne has joined #openstack-keystone10:08
*** marzif has quit IRC10:08
*** vivekd has quit IRC10:19
*** yottatsa has quit IRC10:24
*** links has joined #openstack-keystone10:31
*** Kennan2 is now known as Kennan_on_vacati10:44
*** Kennan_on_vacati is now known as Kennan_Vacation10:45
*** vivekd has joined #openstack-keystone10:45
*** aix has quit IRC10:46
*** marzif has joined #openstack-keystone10:47
*** lhcheng has joined #openstack-keystone10:48
*** ChanServ sets mode: +v lhcheng10:48
openstackgerritMerged openstack/keystone: Add federated auth for idp specific websso  https://review.openstack.org/21476610:48
*** henrynash has quit IRC10:52
*** lhcheng has quit IRC10:52
*** henrynash has joined #openstack-keystone10:53
*** ChanServ sets mode: +v henrynash10:53
*** stevemar has joined #openstack-keystone10:56
*** ChanServ sets mode: +v stevemar10:56
*** henrynash has quit IRC10:57
*** claudiub has joined #openstack-keystone10:59
*** stevemar has quit IRC11:01
*** lhcheng has joined #openstack-keystone11:12
*** ChanServ sets mode: +v lhcheng11:12
*** vivekd has quit IRC11:14
*** aix has joined #openstack-keystone11:15
*** lhcheng has quit IRC11:16
*** shoutm has joined #openstack-keystone11:17
*** vivekd has joined #openstack-keystone11:18
*** shoutm_ has quit IRC11:18
*** pnavarro is now known as pnavarro|lunch11:34
*** martinus__ has quit IRC11:37
*** amakarov_away is now known as amakarov11:45
*** mylu has joined #openstack-keystone12:00
*** wwwjfy_ has joined #openstack-keystone12:04
*** mylu has quit IRC12:04
*** wwwjfy has quit IRC12:07
*** wwwjfy_ has quit IRC12:12
*** wwwjfy_ has joined #openstack-keystone12:13
*** marzif has quit IRC12:14
*** marzif has joined #openstack-keystone12:15
*** gordc has joined #openstack-keystone12:17
*** raildo-afk is now known as raildo12:18
*** petertr7_away is now known as petertr712:22
*** Nirupama has quit IRC12:24
*** pnavarro|lunch is now known as pnavarro12:24
openstackgerritRalf Haferkamp proposed openstack/keystone: Add new eventlet config option 'url_length_limit'  https://review.openstack.org/22011612:34
*** yottatsa has joined #openstack-keystone12:35
*** richm has joined #openstack-keystone12:40
*** dims has joined #openstack-keystone12:41
*** shoutm_ has joined #openstack-keystone12:47
*** shoutm has quit IRC12:48
openstackgerritMerged openstack/keystone: Tokenless authz with X.509 SSL client certificate  https://review.openstack.org/15687012:53
*** chutwig has joined #openstack-keystone12:55
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/22012412:55
*** hrou has joined #openstack-keystone13:01
*** geoffarnoldX is now known as geoffarnold13:08
*** petertr7 is now known as petertr7_away13:09
*** dsirrine has joined #openstack-keystone13:09
openstackgerritTerry Howe proposed openstack/keystoneauth: Convert project to os-testr  https://review.openstack.org/22013113:09
*** edmondsw has joined #openstack-keystone13:13
*** petertr7_away is now known as petertr713:15
*** jsavak has joined #openstack-keystone13:16
*** lhcheng has joined #openstack-keystone13:19
*** ChanServ sets mode: +v lhcheng13:19
lbragstaddolphm: quick question on the fernet length. Currently, fernet tokens end with percent encoded '=' signs (http://cdn.pasteraw.com/6tl69nuqrj56l3bl9nnlbotsqbqw4j7). What if we were to truncate the '=' and '%3D' and re-inflate them on validate?13:21
lbragstadit would result in project and domain scoped token length being a little smaller13:22
*** stevemar has joined #openstack-keystone13:23
*** ChanServ sets mode: +v stevemar13:23
*** btully has joined #openstack-keystone13:27
*** stevemar has quit IRC13:28
openstackgerritLin Hua Cheng proposed openstack/keystone: Deprecate LDAP Resource Backend  https://review.openstack.org/20374813:31
*** afaranha has joined #openstack-keystone13:34
*** jecarey has joined #openstack-keystone13:34
*** afaranha has left #openstack-keystone13:35
*** afaranha has joined #openstack-keystone13:36
*** afaranha has left #openstack-keystone13:36
*** links has quit IRC13:40
openstackgerritNAVEEN KUNAREDDY proposed openstack/keystone: Fixed typos in 'developing_drivers' doc  https://review.openstack.org/22014413:45
*** yottatsa has quit IRC13:50
*** zzzeek has joined #openstack-keystone13:51
*** vivekd has quit IRC13:57
*** sigmavirus24_awa is now known as sigmavirus2413:59
*** petertr7 is now known as petertr7_away14:00
*** lhcheng has quit IRC14:04
*** KarthikB has joined #openstack-keystone14:04
*** geoffarnold is now known as geoffarnoldX14:08
*** rbak has joined #openstack-keystone14:09
*** jsavak has quit IRC14:12
*** geoffarnoldX is now known as geoffarnold14:13
*** ParsectiX has quit IRC14:14
gordcthere's no 'super-admin' role is there? something like an admin for domain rather than admin for project?14:14
*** stevemar has joined #openstack-keystone14:15
*** ChanServ sets mode: +v stevemar14:15
*** shoutm_ has quit IRC14:18
*** dave-mccowan has quit IRC14:18
*** roxanaghe has joined #openstack-keystone14:19
*** stevemar has quit IRC14:19
*** jsavak has joined #openstack-keystone14:19
*** topol has joined #openstack-keystone14:22
*** ChanServ sets mode: +v topol14:22
openstackgerritMerged openstack/python-keystoneclient: Update path to subunit2html in post_test_hook  https://review.openstack.org/21993114:23
*** ayoung has joined #openstack-keystone14:24
*** ChanServ sets mode: +v ayoung14:24
openstackgerritMarek Denis proposed openstack/keystone: Add methods for checking scoped tokens  https://review.openstack.org/20888514:24
openstackgerritBrant Knudson proposed openstack/keystone: Add user domain info to federated fernet tokens  https://review.openstack.org/21374214:25
openstackgerritBrant Knudson proposed openstack/keystone: Add user_domain_id, project_domain_id to auth context  https://review.openstack.org/21379214:25
openstackgerritBrant Knudson proposed openstack/keystone: Correct docstring for common.authorization  https://review.openstack.org/21375214:25
openstackgerritBrant Knudson proposed openstack/keystone: Add unit tests for token_to_auth_context  https://review.openstack.org/21379714:25
openstackgerritBrant Knudson proposed openstack/keystone: Build oslo.context RequestContext  https://review.openstack.org/21851114:25
openstackgerritBrant Knudson proposed openstack/keystone: More info in RequestContext  https://review.openstack.org/21359514:25
*** mhickey_ has joined #openstack-keystone14:27
*** tonytan4ever has joined #openstack-keystone14:28
*** browne has joined #openstack-keystone14:31
*** dave-mccowan has joined #openstack-keystone14:31
*** yottatsa has joined #openstack-keystone14:32
*** devlaps has quit IRC14:33
*** mpmsimo has joined #openstack-keystone14:33
*** chutwig has quit IRC14:36
*** KarthikB has quit IRC14:37
openstackgerritBrant Knudson proposed openstack/keystone: Move TestClient to test_versions  https://review.openstack.org/21858414:39
*** mpmsimo has quit IRC14:39
*** bknudson has joined #openstack-keystone14:41
*** ChanServ sets mode: +v bknudson14:41
*** HT_sergio has joined #openstack-keystone14:42
*** Ephur has quit IRC14:45
openstackgerritAlexander Makarov proposed openstack/keystone: Protect initialization with critical sections  https://review.openstack.org/21000114:46
*** stevemar has joined #openstack-keystone14:46
*** ChanServ sets mode: +v stevemar14:46
*** stevemar has quit IRC14:51
*** roxanaghe has quit IRC14:54
*** KarthikB has joined #openstack-keystone14:55
*** stevemar has joined #openstack-keystone14:56
*** ChanServ sets mode: +v stevemar14:56
*** petertr7_away is now known as petertr714:56
*** jsavak has quit IRC14:58
*** erhudy has joined #openstack-keystone14:59
*** jsavak has joined #openstack-keystone14:59
*** stevemar has quit IRC15:00
*** jorge_munoz_ has quit IRC15:00
dolphmdstanek: you're not in one of the breakout rooms, are you?15:01
*** Ephur has joined #openstack-keystone15:02
*** jistr is now known as jistr|call15:02
openstackgerritHenrique Truta proposed openstack/keystone: Add is_domain in token response  https://review.openstack.org/19733115:05
openstackgerritHenrique Truta proposed openstack/keystone: Bye Bye Domain Table  https://review.openstack.org/16185415:05
openstackgerritHenrique Truta proposed openstack/keystone: Change policy to comply with is_domain in token  https://review.openstack.org/20606315:05
openstackgerritHenrique Truta proposed openstack/keystone: Remove domain table references  https://review.openstack.org/16593615:05
*** Ephur has quit IRC15:06
morganmordred, jamielennox: https://review.openstack.org/22018615:06
*** csoukup has joined #openstack-keystone15:07
*** markvoelker has joined #openstack-keystone15:08
mordredmorgan: yay!15:09
*** yottatsa has quit IRC15:10
*** sigmavirus24 is now known as sigmavirus24_awa15:12
*** sigmavirus24_awa is now known as sigmavirus2415:13
*** phalmos has joined #openstack-keystone15:13
*** stevemar has joined #openstack-keystone15:13
*** ChanServ sets mode: +v stevemar15:13
*** geoffarnold is now known as geoffarnoldX15:14
*** chutwig has joined #openstack-keystone15:14
*** yottatsa has joined #openstack-keystone15:15
*** yottatsa has quit IRC15:15
*** Ephur has joined #openstack-keystone15:16
*** stevemar_ has joined #openstack-keystone15:17
*** ChanServ sets mode: +v stevemar_15:17
*** stevemar has quit IRC15:18
*** jorge_munoz has joined #openstack-keystone15:18
openstackgerritMerged openstack/keystoneauth-saml2: Fix Accept header in SAML2 requests  https://review.openstack.org/21692915:18
*** yottatsa has joined #openstack-keystone15:20
openstackgerritDavid Stanek proposed openstack/keystone: Removes py3 test import hacks  https://review.openstack.org/22019915:24
*** dims has quit IRC15:26
*** geoffarnoldX is now known as geoffarnold15:26
*** yottatsa has quit IRC15:28
*** pnavarro is now known as pnavarro|off15:29
*** KarthikB has quit IRC15:30
stevemar_dstanek: ldappool is now py3 friendly?15:30
openstackgerritDavid Stanek proposed openstack/keystone: Adds warning when no domain configs were uploaded  https://review.openstack.org/21428715:31
*** yottatsa has joined #openstack-keystone15:33
dstanekstevemar_: it at least isn't completely unfriendly15:33
stevemar_dstanek: ah i see what you mean, none of the things we "depend" on, so the 'extras' might still be py27 only15:33
dstanekstevemar_: i haven't tried running any of the tests yet, but the existing tests no longer fail on import15:33
*** pnavarro|off has quit IRC15:34
dstanekstevemar_: we initially had some import issues because of transitive imports an those hacks basically stopped the madness15:34
stevemar_seems like a half measure15:34
stevemar_but meh15:34
stevemar_well, i mean, it seems like we'll just run into this problem again15:34
stevemar_but we'll cross that bridge when it comes15:35
dstanekstevemar_: only as we add more tests that get covered in py34 - i really want to get them all covered sooner rather than later15:35
stevemar_makes sense15:36
*** dims has joined #openstack-keystone15:36
morganlbragstad: https://review.openstack.org/#/c/218353/ needs rebase it's the only thing that hasn't been implemented for the BP15:36
morganlbragstad: i'm ok with that becoming a folloup bug as it's docs15:36
morganlbragstad:  please open the bug and rebase/retarget the change to rc15:36
morganactually..15:37
*** yottatsa has quit IRC15:38
*** yottatsa has joined #openstack-keystone15:39
openstackgerritMorgan Fainberg proposed openstack/keystone: Add documentation for configuring IdP WebSSO  https://review.openstack.org/21835315:39
*** yottatsa has quit IRC15:39
stevemar_morgan: yay doc patch15:40
stevemar_guys guys guys, i actually have time to review and do stuff today!!15:41
morganstevemar_: i just fixed the commit15:41
stevemar_look, i'm on IRC!15:41
morganstevemar_: so it's a RC-targeted patch15:41
lbragstadmorgan: awesome, thanks.. I was just in the middle of rebasing15:41
lbragstadmorgan: but you beat me to it15:41
lbragstadstevemar_: o/15:41
openstackgerritSteve Martinelli proposed openstack/keystone: Add documentation for configuring IdP WebSSO  https://review.openstack.org/21835315:41
stevemar_morgan: you based it on an ancient patch15:41
morganstevemar_: it needs a rebase15:41
stevemar_oh there we go15:41
stevemar_the button works15:41
morganstevemar_:  seriously i just updated the commit msg for the doc bug15:42
*** markvoelker_ has joined #openstack-keystone15:42
morganstevemar_: https://review.openstack.org/#/c/153897/28 start reviewing here15:42
*** woodster_ has joined #openstack-keystone15:44
stevemar_morgan: its all good15:44
stevemar_+2ed that one!15:44
*** jistr|call is now known as jistr15:44
stevemar_eww inheritance testing15:45
stevemar_+73, -0, i can dig it15:45
*** markvoelker has quit IRC15:45
*** phalmos has quit IRC15:47
lbragstadmorgan: https://bugs.launchpad.net/keystone/+bug/1491916 does that work?15:49
openstackLaunchpad bug 1491916 in Keystone "Improve IdP Specific WebSSO docs" [Undecided,New]15:49
*** KarthikB has joined #openstack-keystone15:49
*** btully has quit IRC15:50
lbragstaddolphm: http://cdn.pasteraw.com/es3j52dpfgem4nom62e7vktk7g5u2j115:50
tdurakovjamielennox, ping15:51
morganlbragstad: i already did it... there is now a duplicate bug :P15:51
morganlbragstad: feel free to mark mine as a dupe15:51
morganlbragstad: bug 149191015:52
openstackbug 1491910 in Keystone "document configuring websso idp" [Medium,In progress] https://launchpad.net/bugs/1491910 - Assigned to Steve Martinelli (stevemar)15:52
morganlbragstad: one of the two should be duplicate15:52
morganfor what it's worth our cut off for L3 tag looks to be https://review.openstack.org/216387 if it can land in the next couple hours15:53
morgan(in gate ~6-7 from the top)15:54
morgananything beyond that is unlikely to merge in L315:54
morgantoday is FF / Liberty315:54
*** browne has quit IRC15:54
lbragstadmorgan: done, i marked yours as a dupe15:54
morganlbragstad: be sure to update commit message and tag that bug to rc115:55
*** bknudson has quit IRC15:55
openstackgerritLance Bragstad proposed openstack/keystone: Add documentation for configuring IdP WebSSO  https://review.openstack.org/21835315:55
lbragstadmorgan: done15:56
*** phalmos has joined #openstack-keystone15:56
morganlbragstad: cool15:57
*** afazekas__ has quit IRC15:59
*** diazjf has joined #openstack-keystone16:01
*** phalmos has quit IRC16:01
*** phalmos has joined #openstack-keystone16:01
*** stevemar_ has quit IRC16:01
*** yottatsa has joined #openstack-keystone16:02
lbragstaddolphm: new bug open - https://bugs.launchpad.net/keystone/+bug/149192616:02
openstackLaunchpad bug 1491926 in Keystone "Remove padding from Fernet tokens" [Undecided,New]16:02
*** marzif has quit IRC16:04
*** yottatsa has quit IRC16:05
*** browne has joined #openstack-keystone16:06
*** jistr has quit IRC16:06
*** wwwjfy_ has quit IRC16:08
openstackgerritRalf Haferkamp proposed openstack/keystone: Add new eventlet config option 'url_length_limit'  https://review.openstack.org/22011616:09
*** aix has quit IRC16:12
*** yottatsa has joined #openstack-keystone16:13
*** roxanaghe has joined #openstack-keystone16:17
openstackgerritOlivier Pilotte proposed openstack/keystone: Accepts Group IDs from the IdP without domain  https://review.openstack.org/21058116:21
*** chutwig has quit IRC16:25
openstackgerritAlexander Makarov proposed openstack/keystone: Protect initialization with critical sections  https://review.openstack.org/21000116:27
*** katkapilatova has left #openstack-keystone16:27
*** stevemar has joined #openstack-keystone16:28
*** ChanServ sets mode: +v stevemar16:28
*** petertr7 is now known as petertr7_away16:29
*** chutwig has joined #openstack-keystone16:29
stevemarmorgan: dstanek i just presented ldap stuff to a bunch of folks that are customer facing16:29
stevemarthey lol'ed hard when i brought up horizon/paging/ldap issue16:30
*** tsymanczyk has quit IRC16:30
stevemar"if i can't manage the users, why do i need to see them"16:30
openstackgerritMerged openstack/keystone: Stop reading local config for domain-specific SQL config driver  https://review.openstack.org/21734816:31
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/22012416:32
morgan~35 mins (hopefully) from L316:33
morganand then a lot of things are getting smacked with Feature Freeze -2s :(16:34
*** e0ne has quit IRC16:34
*** bknudson has joined #openstack-keystone16:37
*** ChanServ sets mode: +v bknudson16:37
*** jsavak has quit IRC16:37
*** jsavak has joined #openstack-keystone16:38
*** phalmos has quit IRC16:38
stevemarmorgan: :(16:38
dolphmmorgan: Won't Fix? PKI + eventlet woes https://bugs.launchpad.net/keystone/+bug/149181716:38
raildo:(16:38
openstackLaunchpad bug 1491817 in Keystone "Revoking large token fails with "Request-URI Too Long (HTTP 414)"" [Undecided,In progress] - Assigned to Ralf Haferkamp (rhafer)16:38
morganwont fix16:38
dolphmcc dstanek ^16:39
stevemardolphm: they are both going away16:39
morganwe're ... 1 month from rm -rf eventlet16:39
amakarovHi, all! I've run into missing (intentionally?) feature: neither keystone nor openstack CLI does support groups16:39
morganok ok.. 40 days16:39
morganbut... close enough16:39
stevemaramakarov: groups should work :O16:39
stevemarhttp://docs.openstack.org/developer/python-openstackclient/command-objects/group.html16:40
stevemarset OS_IDENTITY_API_VERSION to 316:40
stevemarmorgan: got some great feedback about room for ldap improvements16:40
amakarovstevemar, openstack --help seems to know nothing about it :)16:40
stevemarlook for new blueprints in the future16:40
*** yottatsa has quit IRC16:40
*** afazekas__ has joined #openstack-keystone16:40
* amakarov doublechecking cli version...16:41
stevemaramakarov: `export OS_IDENTITY_API_VERSION=3` is your friend16:41
stevemarwe should default it to 3 :\16:41
amakarovstevemar, MAGIC!16:41
stevemarsome people say i'm a magician16:41
bknudsonuse clouds.yaml16:42
stevemarbknudson: truth16:43
amakarovstevemar, thanks, now I know kung-fu too :)16:44
*** btully has joined #openstack-keystone16:45
openstackgerritBrant Knudson proposed openstack/keystone: Change tests to use common name for keystone.tests.unit  https://review.openstack.org/21866516:47
*** tsymanczyk has joined #openstack-keystone16:47
*** tsymanczyk is now known as Guest2941216:48
*** btully has quit IRC16:49
stevemarbknudson: gonna propose to remove the ones in test_v3?16:50
bknudsonstevemar: I'm thinking about it.16:50
bknudsonjust to keep anybody from writing new code that uses the functions16:51
stevemarbknudson, yap16:51
bknudsonor, someone else could propose the change...16:51
bknudsonotherwise it may be part of the unit test hackathon16:52
*** Guest29412 is now known as tsymanczyk16:52
*** mpmsimo has joined #openstack-keystone16:57
*** mpmsimo has left #openstack-keystone16:59
*** Reulan1 has joined #openstack-keystone17:00
*** Reulan1 has quit IRC17:00
*** Reulan1 has joined #openstack-keystone17:01
*** Reulan1 has quit IRC17:01
*** lhcheng has joined #openstack-keystone17:04
*** ChanServ sets mode: +v lhcheng17:04
morgansileht:17:05
morgansileht: https://review.openstack.org/22024017:05
*** stevemar has quit IRC17:06
*** ChanServ sets mode: +o morgan17:06
*** mhickey_ has quit IRC17:06
openstackgerritLance Bragstad proposed openstack/keystone: Remove padding from Fernet tokens  https://review.openstack.org/22024217:07
*** morgan changes topic to "Liberty-3 Today, this means Feature Freeze is in effect! | KeystoneAuth 1.0 Released (pending g-r inclusion) | Submit FFE requests to the ML as needed"17:07
*** belmoreira has quit IRC17:07
morganalso keystonemiddleware release plan for today: https://review.openstack.org/#/c/220240/17:08
*** afazekas__ has quit IRC17:08
*** ChanServ sets mode: -o morgan17:08
*** amakarov is now known as amakarov_away17:11
*** afazekas__ has joined #openstack-keystone17:12
openstackgerritDolph Mathews proposed openstack/keystone: Fixes confusing deprecation message  https://review.openstack.org/21990617:13
*** markvoelker_ has quit IRC17:16
*** erhudy has quit IRC17:19
*** tsymanczyk has quit IRC17:20
*** afazekas__ has quit IRC17:21
*** tsymanczyk has joined #openstack-keystone17:25
*** tsymanczyk is now known as Guest2854317:25
*** phalmos has joined #openstack-keystone17:35
*** petertr7_away is now known as petertr717:38
*** e0ne has joined #openstack-keystone17:46
*** tonytan4ever has quit IRC17:47
*** kfox1111 has joined #openstack-keystone17:47
kfox1111so, we just upgraded to kilo... we were able to do an openstack group list before but can't now. we get a permission denied.17:48
kfox1111we're using the ldap backend for groups/users, but not tenants and roles.17:48
kfox1111and the permission denieds seem to follow that pattern. did something change there?17:48
*** Guest28543 is now known as tsymanczyk17:49
kfox1111s/permission denied/401 request requires auth/17:50
*** bradjones has joined #openstack-keystone17:53
*** bradjones has quit IRC17:53
*** bradjones has joined #openstack-keystone17:53
ayoungkfox1111, anything else changed?17:54
openstackgerritwerner mendizabal proposed openstack/keystone: Fix for token revocation not always respected when using fernet tokens  https://review.openstack.org/22025917:54
*** tsymanczyk has quit IRC17:55
*** btully has joined #openstack-keystone17:58
*** diazjf has quit IRC18:00
*** tonytan4ever has joined #openstack-keystone18:00
*** tsymancz1k has joined #openstack-keystone18:04
*** phalmos has quit IRC18:05
*** diazjf has joined #openstack-keystone18:10
*** jasonsb has quit IRC18:14
*** jasonsb has joined #openstack-keystone18:14
kfox1111ayoung. don't think so? just yum upgraded things and followed the upgrade instructions.18:18
kfox1111no config entries changed.18:18
ayoungkfox1111, http://adam.younglogic.com/2015/03/troubleshoot-new-keystone/18:18
*** jasonsb has quit IRC18:19
kfox1111ayoung: looking.18:19
kfox1111another interesting data point...18:19
kfox1111keystone user-list does work with v2.18:20
*** pgbridge has quit IRC18:20
ayoungkfox1111, were you doing LDAP before, too?18:21
lbragstadbknudson: around? looking at your patch to switch the token provider default in devstack to fernet18:21
kfox1111yup.18:21
bknudsonlbragstad: what's up?18:21
kfox1111default domain's ldap, the rest sql.18:21
kfox1111juno didn't support enough of v3 to work with anything but default for nova/neutron.18:21
bknudsonI'm at the security group meetup18:22
kfox1111we have heat using v3 and groups work, so were using those.18:22
lbragstadbknudson: we have three tests (afaik) that are failing - one of which is addressed by - https://review.openstack.org/#/c/220242/18:22
lbragstadbknudson: oh, nevermind, I don't mean to bother you if you're busy18:22
ayoungkfox1111, you doing multi domain or just a singe?18:22
bknudsonlbragstad: I'm not that busy. I don't know what there is to discuss. We've got to get it working.18:22
kfox1111single, except for heat has its own doamin.18:22
kfox1111domain18:22
ayoungkfox1111, um...that is multidomain18:23
kfox1111which is sql.18:23
kfox1111k.18:23
ayoungso sqlbackend with a domain specific Backend for LDAP?18:23
lbragstadbknudson: yeah, i'm just curious if you have an opinion on one of the other tests thats failing18:23
kfox1111yeah. ldap config's in /etc/keystone/domains/keystone.Default.conf18:23
openstackgerritwerner mendizabal proposed openstack/keystone: Fix for token revocation not always respected when using fernet tokens  https://review.openstack.org/22025918:24
ayoungkfox1111, make sure the user attempting to do a user-list or gorup list has a role asignment scoped to the Default domain18:24
ayoung a project scoped token won't work...well, it depends on policy18:24
lbragstadbknudson: this test fails because everything happens within the same second, so the unscoped token and the rescoped tokens have the same issued-at time - https://github.com/openstack/tempest/blob/master/tempest/api/identity/admin/v3/test_tokens.py#L12018:24
ayoungwhat is the policy rule for list_groups and list_users for the policy file you are using?18:24
kfox1111we're using the default policy.18:24
*** gyee has joined #openstack-keystone18:24
*** ChanServ sets mode: +v gyee18:24
kfox1111k. looking.18:24
bknudsonlbragstad: we'll have to figure out if tokens are granular to the second or microsecond or what.18:25
lbragstadbknudson: and it only fails for fernet because the subsecond precision is truncated.18:25
bknudsonlbragstad: because if tokens must be subsecond then fernet is wrong.18:25
bknudsonand if tokens aren't subsecond then uuid is wrong.18:25
lbragstadbknudson: that's out of our control because we rely on the timestamp that fernet is using18:25
kfox1111"identity:list_groups": "rule:admin_required"18:25
kfox1111ayoung: so, I'm using the cli. do I drop out the projectname/domain from the environment then?18:26
lbragstadbknudson: we have subsecond precision, but it's always .000000Z18:27
lbragstadfor fernet tokens18:27
bknudsonlbragstad: if that's the case then tempest needs to be fixed to allow it.18:28
lbragstadbknudson: ok18:28
*** pgbridge has joined #openstack-keystone18:28
*** marzif has joined #openstack-keystone18:28
kfox1111the cli doesn't seem to want to let me authenticate without a project.18:28
ayoungkfox1111, add OS_DOMAIN_ID18:29
ayoungfor domain scoped operations, you want drop OS_PROJECT*18:29
kfox1111k. I'll try that.18:30
kfox1111the user is an admin on the admin tenant.18:30
*** harlowja has quit IRC18:31
*** harlowja has joined #openstack-keystone18:32
*** jsavak has quit IRC18:34
*** phalmos has joined #openstack-keystone18:34
kfox1111ok. when I drop the project and add the domain, all requests are now failing.18:34
kfox1111DEBUG: requests.packages.urllib3.connectionpool "POST /v3/auth/tokens HTTP/1.1" 401 11418:35
kfox1111seems to be failing earlier.18:35
*** stevemar has joined #openstack-keystone18:36
*** ChanServ sets mode: +v stevemar18:36
stevemarclassic dhellmann - spamming my inbox!18:38
*** marzif has quit IRC18:38
lbragstadbknudson: https://review.openstack.org/#/c/220272/18:43
stevemarlbragstad: nice18:44
lbragstadstevemar: do you love my super complex and efficient fix? ;)18:45
stevemardtroyer morgan - how do you guys feel about setting identity api version in OSC to v3?18:45
stevemarsetting *default* identitiy...18:45
stevemarwith devstack running in v3 only mode, i think its okay18:46
odyssey4mestevemar shall I hold your beer? ;)18:46
stevemarodyssey4me: hehe, hold my beer while i push a patch to see if devstack falls on its face18:47
stevemarodyssey4me: then give it back18:47
odyssey4mestevemar I have scotch, so you can have your beer back. :)18:48
odyssey4mestevemar we're still waiting for https://review.openstack.org/186684 to land though :/18:48
kfox1111yeah, the removing project and setting domain_id just causes everythign to fail.18:49
kfox1111do I have to be an admin on the domain?18:50
stevemarodyssey4me: yep, thats my motivation for changing it in OSC18:51
dtroyerstevemar: I may be ready for that.18:51
dtroyerI'm so far behind the curve ATM though I'm not going to commit just yet without playing with it18:51
morganstevemar, dolphm, dstanek, lbragstad, marekd, lhcheng, ayoung, bknudson, jamielennox, gyee, topol, Henrynash, FYI L3 has been tagged for keystone. Feature freeze is in effect. (don't punt things that are currently gating out, they are fine) - just be wary of approving things (i'll be doing the -2 sweep later today)18:53
bknudsonmorgan: ok. bug fixes are ok?18:54
morganbknudson: yep18:54
morganbug fixes are fine18:54
morganthough the gate is hellacious18:54
morganyou may want to give it some time to calm down ;)18:54
bknudsonchanges to translatable strings?18:54
bknudsonthat part was always confusing18:54
morganstring freeze... hm i need to check when that is18:54
topolmorgan, ok thanks!18:55
dstanektopol: howdy; long time no see18:55
stevemarmorgan: damn, i missed the window for my oslo.cache change :(18:55
morganbknudson: lets just go with next week on strings or until we hear otherwise18:56
stevemarand moving a few of the extensions around (thought we might be able to still do this?)18:56
morganstevemar: this is what happens when everything is crammed into the last minute18:56
morganstevemar: shuffling code internally around should be fine.18:56
morganstevemar: same thing with adding new tests18:56
stevemarmorgan: yeah, but not using oslo.cache right?18:56
stevemari think nova -2'ed that too18:56
morganstevemar: correct moving to oslo.cache is now mitaka unless you want a FFE18:56
morganwhich case... send an email18:57
stevemarnaw18:57
morgan^^ topic18:57
*** jasonsb has joined #openstack-keystone18:57
odyssey4memorgan good news - openstack-ansible be doing a test review for sha updates tomorrow. we seem to test a bit more integration than the devstack tests and will feed back any issues :)18:57
morgancool18:58
stevemarmorgan: probably not https://review.openstack.org/#/c/210456/9 ?18:58
*** alextricity has joined #openstack-keystone18:59
stevemarmeh, it can go into M18:59
morganstevemar: looks like a bug to me...18:59
*** diazjf has quit IRC18:59
stevemari suppose18:59
morganlike i said, i'll sweep through and -2 all the things later today18:59
* morgan needs food and stuff18:59
alextricityDoes anybody know why switching from fernet tokens to UUID tokens might break the keystone v2 api18:59
morganalextricity: you'd need everything to re-auth18:59
stevemarlbragstad: ^19:00
dolphmalextricity: define "break the api?19:00
morganalextricity: but fundamentally it shouldn't "break the api"19:00
alextricitymorgan: How would I do that? 'Keystone user-list' gives me a 401 unautherized19:00
alextricitybut 'openstack user list' runs just fine19:00
*** stevemar has quit IRC19:00
*** topol has quit IRC19:00
morganif keystoneclient is using keyring? are you specifying a token explicitly?19:01
*** stevemar has joined #openstack-keystone19:01
*** ChanServ sets mode: +v stevemar19:01
morganyou have to be sure you are re-authing. OSC is probably doing a reauth for you19:01
alextricitymorgan: I'm not sure if the client is using a keyring to be honest. Can I check in the configs? I'm also not specifying a token explicityly19:02
alextricityI'm using OS_USERNAME/OS_PASSWORD19:02
lhchengmorgan: does the Feature Freeze apply to KSC and middleware too?19:03
alextricitytypical OS variables that I use for the clients19:03
*** stevemar has quit IRC19:03
*** stevemar has joined #openstack-keystone19:03
*** ChanServ sets mode: +v stevemar19:03
morganlhcheng: we will be careful about merging there but it's less tightly controlled. but i don't want to have to bump g-r versions for either unless we have a very good reason after this week19:03
kfox1111keystone still broken. :/19:04
morganlhcheng: also depends on when the stable branches are cut for liberty19:04
* morgan has to go for food.19:04
kfox1111its so odd that it is only affecting user/group listing.19:04
lhchengmorgan: got it19:04
kfox1111hmm... the rules on the working api calls are identicle to the non working ones. so I'm thinking somethings different somehow in the ldap plugin?19:05
bknudsonkeystonemiddleware might be broken by a release of something -- https://review.openstack.org/#/c/208213/19:07
*** jsavak has joined #openstack-keystone19:09
*** diazjf has joined #openstack-keystone19:10
kfox1111oh, weird...19:11
kfox1111ok. so it looks like group list isn't working without specifying --domain default now.19:11
openstackgerritMerged openstack/keystone: Added CORS support to Keystone  https://review.openstack.org/21638719:12
kfox1111yay for CORS! :)19:13
*** jsavak has quit IRC19:15
*** _hrou_ has joined #openstack-keystone19:15
*** jsavak has joined #openstack-keystone19:15
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/22012419:18
*** hrou has quit IRC19:19
*** _cjones_ has joined #openstack-keystone19:29
*** dguerri is now known as dguerri`19:29
*** _cjones_ has quit IRC19:31
*** _cjones_ has joined #openstack-keystone19:32
*** _cjones_ has quit IRC19:36
mordredwoot CORS!19:38
*** _hrou_ has quit IRC19:38
morganYes! CORS!!19:42
*** henrynash has joined #openstack-keystone19:47
*** ChanServ sets mode: +v henrynash19:47
henrynashgyee: (or anyone who knows about stable driver interfaces) - are the driver interfaces frozen on release cycles or are they already froxen?19:48
*** ayoung has quit IRC19:50
*** jsavak has quit IRC19:51
*** jsavak has joined #openstack-keystone19:51
*** phalmos_ has joined #openstack-keystone19:53
*** phalmos_ has quit IRC19:55
gyeehenrynash, yes, they will be treated as API changes going forward19:55
henrynashgyee: as of now…or releae of Liberty?19:56
*** phalmos has quit IRC19:56
gyeeI would think as of now, but morgan may disagree19:56
gyeevivekd's working on 3rd party driver based on the current interface19:57
*** mylu has joined #openstack-keystone19:57
*** phalmos has joined #openstack-keystone19:57
morganFeature Freeze was an hour or so ago19:57
morganDriver interfaces should probably be frozen at the same point?19:58
morganOpen to discussion on it.19:58
henrynashmorgan: I think that probably makes sense19:58
gyeemorgan, like now? because the team in India is working on contributing their 3rd party driver19:58
morganIf so then yes. As of today19:59
gyeeyeah I agree19:59
morganIt is open to change just as ffes can happen19:59
*** mylu has quit IRC19:59
morganBut we should have w damn good reason to change it after feature freeze20:00
*** mylu has joined #openstack-keystone20:00
henrynashgyee, morgan: so jsut trying to work our the implcations of this…e.g. we may have to specify that in the Identity API sepc that certain APIs won’t work unless you have the latest drivers20:00
*** petertr7 is now known as petertr7_away20:01
gyeeor bump the driver version20:01
morganThis is where we try to manage with the naive implementations20:01
henrynashgyee: but isn;t the point that we must support the N-1 driver version?20:01
gyeeanyway, gotta run, be back in an hour20:01
morganhenrynash: that is the idea n-120:02
morganMost cases we can do a naive implementation on the n-1 driver base20:02
morganIn fact i cant think of a case we can't20:02
henrynashmorgan: naive…as in return NotImplemented?20:03
*** pnavarro|off has joined #openstack-keystone20:03
morganNo as in do the work without backend specific interface code20:03
*** jsavak has quit IRC20:03
*** jsavak has joined #openstack-keystone20:03
*** btully has quit IRC20:03
morganExample is find_by_name, naive is list, in-memory search for name, return20:03
*** mylu_ has joined #openstack-keystone20:04
morganVs filter in the backend20:04
*** chutwig is now known as erhud120:04
*** erhud1 is now known as erhudy120:04
*** mylu has quit IRC20:04
morganIn very few cases this wont work20:04
morganAnd those cases we can evaluate what options we have.20:04
*** petertr7_away is now known as petertr720:05
henrynashmorgan: I see more case where this won’t work that when it will to be honest…e.g. we’ll ahve to have bug fixes that are by driver version not by release, APIs that only work in driver versions, not  by release.....20:06
henrynashmorgan: personally, I think this is going to be a train wreck20:06
*** dave-mccowan has quit IRC20:06
morganWe shouldnt be changing our driver interfaces much.20:06
morganIf we are... We really are doing something horribly wrong20:07
morganOr we need to stop supporting "loading arbitrary" drivers20:07
henrynashmorgan: so every thing I am working on needs driver chanegs20:07
morganIt is frankly stupid we cant commit to a contract for our backends20:07
henrynashmoragn: e.g. https://review.openstack.org/#/c/191976/, https://review.openstack.org/#/c/148995/, https://review.openstack.org/#/c/208152/20:08
henrynashmorgan: I’m not saying we can’t do commit to it…just that we will need to revamp how we diven “big fixed in relase” or API supported from release X20:09
henrynashmorgan: that’s the naive bit, we’ll have to speciffy driver versions20:10
morganSo most of what you just linked can eaisly be done with versions.20:10
morganMetadata is trivial. We stop calling/returning it.20:10
morganThe list hierarchy is expensive to do naively but can be done20:11
*** phalmos has quit IRC20:11
morganAnd the sql restriction requires no driver changes, but requires loader changes and/or not calling certain methods20:11
*** e0ne has quit IRC20:12
morganAnd anything experimental is more open to change.20:13
morganBecause it has to be.20:13
henrynashmoragn: (to be exact sql restriction does add driver methods to v8 of DomainConfig so I don’t know how we get round that)….but my point is that even if we do naive implemtations, we’ll have to document performance impacts etc.20:13
morganWhy are we adding driver methods for that?20:13
henrynashmorgan: we are useing an SQL table for a lock20:14
morganI think this is putting the config in the wrong place. But w/e.20:14
morganSql as a lock /me shakes head20:15
*** topol has joined #openstack-keystone20:16
*** ChanServ sets mode: +v topol20:16
morganAnd you dont need to document soecific performance impact. In our driver development guide we have said there will be negative performance impact if you dont update your driver version20:16
*** btully has joined #openstack-keystone20:17
*** dguerri` is now known as dguerri20:18
henrynashmoragn: just think this is a sledge hammer to crack a nut….20:18
morganFeel free to suggest undoing this change next cycle20:18
morganIt's always open to discussion20:19
henrynashmorgan: alrady on my list :-)20:19
morganThis cycle we are locking in an interface.20:19
*** dguerri is now known as dguerri`20:20
morganMy view is simply: every driver is in tree and we never support out of tree drivers or lodes externally20:20
morganOr we need a contract on this interface.20:20
morganWe need to stop doing the "this isnt an api" if we support it being used as one20:21
*** btully has quit IRC20:21
*** phalmos has joined #openstack-keystone20:22
morganEither it is or it isnt. And if it is, we should stop changing it every cycle like crazy. So yes, a sledgehammer but it's not to crack a nut, its to drive a stake in to support the people using the interface in the way we agreed to and keep telling them to do (eg for mongo)20:22
morganOr is it a steak? ...20:23
henrynashmorgan: steaks are always more tasty in my view20:24
morganThis is true20:24
henrynashmorgan: well, I ‘m up for trying anything….so we’ll give this a whirl20:25
*** e0ne has joined #openstack-keystone20:25
*** sdake has joined #openstack-keystone20:25
morganSure. I think this will be a net win.20:25
morganHonestly, i kindof would like see us punt all drivers (including sql and ldap) out of tree. Wont happen20:26
morganBut it would be interesting if we could.20:26
*** e0ne has quit IRC20:26
openstackgerritMerged openstack/python-keystoneclient: Mask passwords when logging the HTTP response  https://review.openstack.org/21900420:29
*** sdake_ has quit IRC20:29
henrynashmorgan: on FFE….we send teh reequest to the dev mailing list with the [keystone] tag?20:30
morganAnd [ffe] tag i think20:31
henrynashmorgan: ok, thx20:32
morganAh just say FFE in the subject20:32
*** dave-mccowan has joined #openstack-keystone20:32
morganLooking at others.20:32
morganhenrynash: ^20:32
HT_sergioHey all. Silly question: how does the middleware know about revoked UUID tokens?20:32
HT_sergioI'm having problems with revoked tokens continuing to work against nova/cinder APIs seemingly forever (even after the default cache time of 300 seconds has passed)20:33
*** pnavarro|off has quit IRC20:36
*** KarthikB has quit IRC20:38
*** ayoung has joined #openstack-keystone20:41
*** ChanServ sets mode: +v ayoung20:41
*** thiagop has joined #openstack-keystone20:42
*** pgbridge has quit IRC20:49
*** pnavarro|off has joined #openstack-keystone20:49
HT_sergiodisregard that last bit, the 5 minute cache time seems to be working as expected now :) I'm still confused about the token revocations list tho. Any tips or pointers to documentation would be appreciated. You guys rock :)20:51
*** jsavak has quit IRC20:55
*** dramakri has joined #openstack-keystone21:03
*** dramakri has left #openstack-keystone21:06
*** gordc has quit IRC21:07
*** tdurakov_ has joined #openstack-keystone21:07
*** raildo is now known as raildo-afk21:08
*** tsymancz1k has quit IRC21:09
*** tdurakov_ has quit IRC21:11
*** stevemar has quit IRC21:11
*** diazjf has quit IRC21:13
*** stevemar has joined #openstack-keystone21:15
*** ChanServ sets mode: +v stevemar21:15
*** tdurakov__ has joined #openstack-keystone21:15
*** tdurakov__ has quit IRC21:15
*** stevemar has quit IRC21:16
*** ayoung has quit IRC21:17
*** djc_ has joined #openstack-keystone21:19
*** mylu_ has quit IRC21:20
djc_In the horizon dashboard, I am unable to switch projects. I don't believe this is a horizon problem.  Here is my keystone error_log. https://gist.github.com/anonymous/e1af043c6ea4c8b04cd121:21
*** mylu has joined #openstack-keystone21:23
*** topol has quit IRC21:29
*** mylu has quit IRC21:31
*** petertr7 is now known as petertr7_away21:31
*** mylu has joined #openstack-keystone21:32
*** pnavarro|off has quit IRC21:33
*** marzif has joined #openstack-keystone21:39
*** mylu has quit IRC21:40
*** djc_ has quit IRC21:41
*** HT_sergio has quit IRC21:44
*** phalmos has quit IRC21:46
*** tsymancz1k has joined #openstack-keystone21:49
openstackgerritLance Bragstad proposed openstack/keystone: Remove padding from Fernet tokens  https://review.openstack.org/22024221:50
*** diazjf has joined #openstack-keystone21:56
*** jorge_munoz has quit IRC21:57
*** diazjf has quit IRC22:02
gyeelbragstad, ^^^, hah nice, you mean I can inject bits to the end of the token anymore? :)22:02
gyees/can/can't/22:02
lbragstadgyee: :P22:03
*** btully has joined #openstack-keystone22:05
*** btully has quit IRC22:09
*** jorge_munoz has joined #openstack-keystone22:10
*** jorge_munoz has quit IRC22:25
*** thiagop has quit IRC22:28
odyssey4me\o/ https://review.openstack.org/186684 :)22:29
openstackgerrithenry-nash proposed openstack/keystone: Rationalize list role assignment routing  https://review.openstack.org/22033522:32
*** henrynash has quit IRC22:33
*** dsirrine has quit IRC22:36
openstackgerritMerged openstack/python-keystoneclient: Deprecate create Discover without session  https://review.openstack.org/20582922:48
*** jorge_munoz has joined #openstack-keystone22:49
*** tonytan4ever has quit IRC22:49
*** rbak has quit IRC22:51
*** ayoung has joined #openstack-keystone22:51
*** ChanServ sets mode: +v ayoung22:51
*** dsirrine has joined #openstack-keystone22:52
*** edmondsw has quit IRC22:53
*** jecarey has quit IRC22:59
*** gyee has quit IRC23:04
*** NM has joined #openstack-keystone23:06
*** _hrou_ has joined #openstack-keystone23:06
*** sdake has quit IRC23:06
*** zzzeek has quit IRC23:10
*** NM has quit IRC23:10
*** markvoelker has joined #openstack-keystone23:13
*** csoukup has quit IRC23:17
*** markvoelker has quit IRC23:17
openstackgerritLance Bragstad proposed openstack/keystone: Remove padding from Fernet tokens  https://review.openstack.org/22024223:18
*** jorge_munoz has quit IRC23:20
*** marzif has quit IRC23:21
*** markvoelker has joined #openstack-keystone23:25
*** bradjones has quit IRC23:31
*** dims has quit IRC23:44
*** shoutm has joined #openstack-keystone23:50
*** petertr7_away is now known as petertr723:51
bknudsonlbragstad: are fixes posted for the failures in the devstack fernet change: https://review.openstack.org/#/c/195780/ ?23:53
*** dims has joined #openstack-keystone23:53
bknudsonif so we can add depends-on23:53
*** dsirrine has quit IRC23:58
*** aix has joined #openstack-keystone23:58
lbragstadbknudson: oh, good point23:58
lbragstadbknudson: afaik, these are the reviews the need to land before 195780 has the ability to pass - https://review.openstack.org/#/c/220272/ and https://review.openstack.org/#/c/220242/23:59
« Wednesday, 2015-09-02 Index Friday, 2015-09-04 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!