Friday, 2015-09-18

*** zzzeek has quit IRC [00:11]
*** mylu has quit IRC [00:13]
*** mylu has joined #openstack-keystone [00:14]
*** btully has quit IRC [00:14]
*** hrou has joined #openstack-keystone [00:15]
*** shoutm has quit IRC [00:17]
*** stevemar has joined #openstack-keystone [00:18]
*** ChanServ sets mode: +v stevemar [00:18]
*** shoutm has joined #openstack-keystone [00:20]
*** shadower has quit IRC [00:23]
*** shadower has joined #openstack-keystone [00:23]
*** topol has joined #openstack-keystone [00:26]
*** ChanServ sets mode: +v topol [00:26]
*** shoutm_ has joined #openstack-keystone [00:29]
*** shoutm has quit IRC [00:32]
*** darrenc is now known as darrenc_afk [00:37]
*** markvoelker has joined #openstack-keystone [00:37]
*** dims_ has joined #openstack-keystone [00:38]
*** lhcheng has quit IRC [00:39]
*** david-lyle has quit IRC [00:40]
*** zzzeek has joined #openstack-keystone [00:41]
*** markvoelker has quit IRC [00:42]
*** zzzeek has quit IRC [00:42]
*** dims_ has quit IRC [00:43]
*** dims_ has joined #openstack-keystone [00:43]
*** david-lyle has joined #openstack-keystone [00:44]
*** martinus__ has quit IRC [00:45]
*** ankita_wagh has quit IRC [00:46]
*** markvoelker has joined #openstack-keystone [00:51]
*** stevemar has quit IRC [00:55]
*** stevemar has joined #openstack-keystone [00:55]
*** ChanServ sets mode: +v stevemar [00:55]
*** stevemar has quit IRC [00:58]
<dstanek> jamielennox: ok, thx. my openstack-ansible cluster is misbehaving because the openstack client is loading plugins with keyauth1 [00:58]
*** Guest60900 is now known as tsymanczyk [00:58]
<dstanek> jamielennox: osc registers auth plugins using the ksc namespace, but for whatever reason ksa1 is being invoked and it expects plugins to be registered with its namespace [00:59]
*** darrenc_afk is now known as darrenc [01:00]
*** su_zhang has quit IRC [01:00]
<dstanek> hmmm.....the version of os_client_config i have installed is using ksa1 directly [01:00]
<jamielennox> dstanek: oh, yea os_client_config updated itself for ksa [01:01]
<jamielennox> i haven't heard the conclusion on this, mordred, dtroyer, stevemar were debating it last night [01:01]
<jamielennox> IMO we don't release anything with a ksa dependency for liberty [01:02]
<jamielennox> that at least gives us some time to work through the transition early next cycle [01:02]
<jamielennox> so if you can i'd pin os_client_config below what the last release was [01:02]
<jamielennox> i'm surprised this isn't having more effect on the gate [01:02]
<dstanek> the only problem i've run into so far is that osc can't load the correct plugin. i've not tried other clients [01:03]
*** martinus__ has joined #openstack-keystone [01:04]
*** _cjones_ has quit IRC [01:12]
*** dims_ has quit IRC [01:27]
*** ankita_wagh has joined #openstack-keystone [01:27]
*** dims_ has joined #openstack-keystone [01:29]
*** davechen has joined #openstack-keystone [01:30]
<openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Make a new AuthToken object  https://review.openstack.org/224954 [01:30]
*** dims_ has quit IRC [01:37]
*** tonytan4ever has joined #openstack-keystone [01:39]
*** stevemar has joined #openstack-keystone [01:42]
*** ChanServ sets mode: +v stevemar [01:42]
*** erhudy1 has quit IRC [01:51]
*** topol has quit IRC [01:57]
*** topol has joined #openstack-keystone [01:58]
*** ChanServ sets mode: +v topol [01:58]
*** mylu has quit IRC [02:05]
*** csoukup has joined #openstack-keystone [02:06]
*** geoffarnold is now known as geoffarnoldX [02:07]
*** sdake_ has joined #openstack-keystone [02:10]
*** dyasny has quit IRC [02:11]
*** sdake has quit IRC [02:13]
*** diazjf has joined #openstack-keystone [02:16]
*** mylu has joined #openstack-keystone [02:16]
<openstackgerrit> Merged openstack/keystone: Issue deprecation warning if domain_id not specified in create call  https://review.openstack.org/209848 [02:21]
*** gyee has quit IRC [02:30]
*** ankita_wagh has quit IRC [02:37]
*** shoutm_ has quit IRC [02:38]
*** erhudy1 has joined #openstack-keystone [02:39]
*** lhcheng has joined #openstack-keystone [02:40]
*** ChanServ sets mode: +v lhcheng [02:40]
<stevemar> jamielennox: poke for when you're around [02:40]
<jamielennox> stevemar: maybe [02:40]
<stevemar> jamielennox: hi hi - i noticed in the keystoneauth repo that the oidc plugin didn't make it [02:41]
<stevemar> was that intentional? [02:41]
<jamielennox> the oidc plugin is there i think, just not the launcher [02:41]
<stevemar> hmm https://github.com/openstack/keystoneauth/tree/master/keystoneauth1 [02:41]
<stevemar> i'm looking here: https://github.com/openstack/keystoneauth/tree/master/keystoneauth1/identity/v3 [02:41]
<jamielennox> oh - maybe its not [02:41]
<stevemar> i see the basic federation one [02:41]
<jamielennox> no, no reason [02:42]
<stevemar> jamielennox: alright, i'll propose a move [02:42]
<stevemar> jamielennox: someone started a patch that implements a new flow to oidc, but did it against ksc, i wanted to suggest doing it against ksa but then... [02:42]
<jamielennox> stevemar: anything that needs to be improved now's your chance [02:43]
<stevemar> jamielennox: yep, i'm going to propose a move then a refactor... then the new flow [02:44]
*** lhcheng has quit IRC [02:45]
*** lhcheng has joined #openstack-keystone [02:45]
*** ChanServ sets mode: +v lhcheng [02:45]
*** richm has quit IRC [02:46]
*** mylu has quit IRC [02:48]
*** shoutm has joined #openstack-keystone [02:49]
*** su_zhang has joined #openstack-keystone [02:50]
*** mylu has joined #openstack-keystone [02:51]
*** lhcheng_ has joined #openstack-keystone [02:54]
*** lhcheng has quit IRC [02:54]
<openstackgerrit> Matthew Edmonds proposed openstack/keystonemiddleware: only make token invalid when it really is  https://review.openstack.org/217373 [02:57]
<stevemar> jamielennox: we got rid of all the conf/cfg stuff that ksc handled? [02:57]
*** ankita_wagh has joined #openstack-keystone [02:57]
*** markvoelker has quit IRC [03:01]
<openstackgerrit> Matthew Edmonds proposed openstack/keystonemiddleware: Cleanup a few auth_token comments  https://review.openstack.org/224970 [03:02]
*** humble_ has joined #openstack-keystone [03:02]
<jamielennox> stevemar: it's there, just done differently [03:03]
<jamielennox> stevemar: it got moved under the loading/ directory [03:03]
*** edmondsw has quit IRC [03:04]
*** mylu has quit IRC [03:05]
<stevemar> jamielennox: the federation options are not there? [03:06]
<jamielennox> stevemar: they may not have come over :( [03:06]
<stevemar> oh wait - they are [03:06]
<stevemar> oofff, this is not an easy copy/paste [03:07]
<jamielennox> nope [03:10]
<jamielennox> probably why it got left behind [03:10]
<jamielennox> it's not _that_ different though [03:10]
<jamielennox> it just makes you think about what's the auth plugin and what is a loading option which i don't think people did in ksc [03:11]
<humble_> jamielennox: I find that auth_plugin is not generated by oslo-config-generator. [03:12]
<jamielennox> humble_: regarding auth_token middleware? [03:12]
<humble_> jamielennox: yes [03:13]
<jamielennox> hmmm [03:13]
<humble_> jamielennox: I think it is a bug [03:13]
<stevemar> jamielennox: no tests for those options? [03:17]
<openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Ensure auth_plugin options are in generated CONF  https://review.openstack.org/224975 [03:18]
<jamielennox> humble_: does that fix it for you ^ [03:18]
<jamielennox> stevemar: which opts? [03:18]
<stevemar> FederatedBase options [03:18]
<humble_> jamielennox: Thank you [03:18]
<jamielennox> stevemar: no idea - they don't work? [03:18]
*** tonytan4ever has quit IRC [03:19]
<stevemar> jamielennox: no idea, haven't tried yet [03:19]
<jamielennox> that one probably needs a bug filed... [03:19]
*** jecarey has joined #openstack-keystone [03:20]
*** mylu has joined #openstack-keystone [03:22]
*** dims_ has joined #openstack-keystone [03:22]
<openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Ensure auth_plugin options are in generated CONF  https://review.openstack.org/224975 [03:24]
*** geoffarnoldX is now known as geoffarnold [03:27]
*** dims_ has quit IRC [03:28]
*** EinstCrazy has joined #openstack-keystone [03:29]
*** sdake has joined #openstack-keystone [03:29]
*** sdake_ has quit IRC [03:32]
*** cloud_zhanglei has joined #openstack-keystone [03:36]
*** cloud_zhanglei has quit IRC [03:38]
*** sdake_ has joined #openstack-keystone [03:38]
*** sdake_ has quit IRC [03:39]
*** sdake_ has joined #openstack-keystone [03:40]
*** sdake has quit IRC [03:41]
*** erhudy1 has quit IRC [03:42]
*** ankita_wagh has quit IRC [03:45]
*** sdake_ is now known as sdake [03:48]
*** jecarey has quit IRC [03:52]
*** ankita_wagh has joined #openstack-keystone [03:55]
*** lhcheng_ has quit IRC [03:59]
*** shoutm_ has joined #openstack-keystone [04:00]
*** markvoelker has joined #openstack-keystone [04:02]
*** shoutm has quit IRC [04:02]
*** markvoelker has quit IRC [04:06]
*** mylu has quit IRC [04:18]
<openstackgerrit> Steve Martinelli proposed openstack/keystoneauth: add openid connect plugins  https://review.openstack.org/224993 [04:19]
*** lhcheng has joined #openstack-keystone [04:22]
*** ChanServ sets mode: +v lhcheng [04:22]
*** ankita_wagh has quit IRC [04:30]
<openstackgerrit> Craige McWhirter proposed openstack/python-keystoneclient: Add drivers to the documentation  https://review.openstack.org/218099 [04:36]
<jamielennox> stevemar: reviewed [04:40]
<stevemar> jamielennox: uh... it wasn't quite ready [04:40]
<jamielennox> stevemar: i saw [04:41]
<stevemar> jamielennox: i just wanted to give this guy a heads up: https://review.openstack.org/#/c/223946/ [04:41]
<stevemar> that he should feel free to override my patch [04:41]
<stevemar> instead of proceeding with that one, since i assume that one is a hard -2 with the reason "no more plugins" [04:42]
<jamielennox> not sure about the subclass there [04:42]
<jamielennox> you could have a base OIDC plugin and pass it a method which is either password or authentication code [04:42]
<jamielennox> probably doesn't matter unless we see people wanting to use methods other than what we do upstream [04:44]
*** lhcheng_ has joined #openstack-keystone [04:44]
<stevemar> i'm good with either [04:47]
<stevemar> this is what i thought of at first [04:47]
*** lhcheng has quit IRC [04:47]
*** briancline has joined #openstack-keystone [04:50]
<briancline> sometime in the last few days, fresh openstackclient installs from pypi started complaining about not being able to find keystoneclient's auth plugins... is this a known issue? [04:52]
<openstackgerrit> Craige McWhirter proposed openstack/python-keystoneclient: Add drivers to the documentation  https://review.openstack.org/218099 [04:53]
*** shoutm has joined #openstack-keystone [04:55]
*** shoutm_ has quit IRC [04:59]
*** csoukup has quit IRC [05:01]
*** kiran-r has joined #openstack-keystone [05:01]
*** geoffarnold is now known as geoffarnoldX [05:03]
<openstackgerrit> Dave Chen proposed openstack/keystone: Refactor: Don't hard code the error code  https://review.openstack.org/224545 [05:04]
*** kiran-r has quit IRC [05:07]
<briancline> nevermind, the problem is os-client-config 1.7.x. downgrading to 1.6.x worked... [05:09]
*** urulama__ is now known as urulama [05:11]
<stevemar> jamielennox: i hate the @utils.positions thing [05:13]
<jamielennox> stevemar: i wish it was everywhere [05:13]
<stevemar> briancline: yeah, its an occ thing [05:13]
<stevemar> still working on getting it fixed [05:13]
<stevemar> jamielennox: it becomes hard when subclassing things [05:14]
<jamielennox> why is it different to otherwise using the lib? [05:14]
<openstackgerrit> Steve Martinelli proposed openstack/keystoneauth: add openid connect plugins  https://review.openstack.org/224993 [05:14]
<jamielennox> s/lib/object [05:15]
<briancline> stevemar: thanks, yeah, just found the bug report and subscribed to get email bombed about it [05:15]
*** shoutm_ has joined #openstack-keystone [05:17]
*** shoutm has quit IRC [05:17]
*** shoutm has joined #openstack-keystone [05:20]
*** lost_ing has quit IRC [05:21]
*** shoutm_ has quit IRC [05:22]
*** lost_ing has joined #openstack-keystone [05:22]
<openstackgerrit> Craige McWhirter proposed openstack/python-keystoneclient: Add plugin doco generated with stevedore.sphinxext  https://review.openstack.org/218099 [05:30]
<openstackgerrit> Dave Chen proposed openstack/keystone: Refactor: Don't hard code the error code  https://review.openstack.org/224545 [05:30]
<stevemar> jamielennox: so i don't need the @property stuff any longer? [05:30]
<stevemar> neat [05:30]
<jamielennox> stevemar: not sure why you ever did, they are public attributes [05:31]
<stevemar> nope! [05:31]
*** openstackgerrit has quit IRC [05:31]
<stevemar> it was in the old one, so i moved it over [05:31]
*** openstackgerrit has joined #openstack-keystone [05:32]
<jamielennox> i'm surprised it didn't go into an infinite recursion [05:33]
<jamielennox> or maybe it did and just no one tested it [05:33]
*** tonytan4ever has joined #openstack-keystone [05:37]
*** tonytan4ever has quit IRC [05:41]
<jamielennox> i can still never figure out the project-config repo, every time i get it wrong [05:42]
<openstackgerrit> Steve Martinelli proposed openstack/keystoneauth: add openid connect plugins  https://review.openstack.org/224993 [05:44]
<stevemar> jamielennox: i feel like that with positional args [05:44]
<jamielennox> lol [05:44]
<jamielennox> they're not that bad [05:44]
<jamielennox> stevemar: is this the occ bug we're using [05:46]
<jamielennox> https://bugs.launchpad.net/os-client-config/+bug/1496624 [05:46]
<openstack> Launchpad bug 1496624 in os-client-config "NoMatchingPlugin: The plugin osc_password could not be found" [Undecided,New] [05:46]
<stevemar> i still dont get it [05:46]
<stevemar> jamielennox: yes [05:46]
<stevemar> err [05:46]
<stevemar> no [05:46]
*** lhcheng_ has quit IRC [05:46]
<stevemar> i am using this [05:47]
<stevemar> https://bugs.launchpad.net/python-openstackclient/+bug/1496689 [05:47]
<openstack> Launchpad bug 1496689 in python-openstackclient "osc unit tests fail with newest occ and keystoneauth" [High,New] [05:47]
<stevemar> marked the one you mention as a dupe [05:47]
*** kiran-r has joined #openstack-keystone [05:48]
<jamielennox> any idea what the plan is there, i've got another group asking me what keystoneauth is and how is it breaking everyone [05:49]
*** sdake has quit IRC [05:49]
<stevemar> jamielennox: not really tbh [05:49]
*** ankita_wagh has joined #openstack-keystone [05:49]
<stevemar> aside from 'fix it' [05:50]
<stevemar> monty had a good patch https://review.openstack.org/#/c/224444/4 [05:50]
<stevemar> but its not passing [05:50]
<jamielennox> yea, i don't think it's worth it [05:50]
<jamielennox> i think we release a new os-client-config which reverts the ksa change [05:50]
<jamielennox> and wait till we have the liberty split [05:50]
<jamielennox> otherwise we have to ensure that all the clients that osc depends on are going to play nice with ksa plugins rather than ksc plugins [05:51]
<jamielennox> which should be fine, but not something i want to mess with this close to a release [05:51]
<stevemar> right [05:52]
<stevemar> depending on ksa for occ may have been ambitious [05:52]
<jamielennox> i always forget about the osc/occ thing [05:52]
<jamielennox> i think because i don't like how it's done i block it out [05:52]
<stevemar> we all do that to certain thinsg [05:52]
<stevemar> thigns [05:52]
<stevemar> things**** [05:52]
<stevemar> fack [05:52]
<stevemar> like me and typing? [05:53]
<jamielennox> stevemar: hopefully https://review.openstack.org/#/c/212386/2 will help [05:54]
*** hrou has quit IRC [05:56]
<jamielennox> stevemar: the problem with mordred's patch is that under ksa there is no osc_password plugin so it's all going to fall apart [06:00]
<jamielennox> ksa/occ can't load something it knows nothing about [06:01]
*** shoutm has quit IRC [06:03]
*** markvoelker has joined #openstack-keystone [06:03]
*** shoutm has joined #openstack-keystone [06:06]
*** markvoelker has quit IRC [06:07]
*** topol has quit IRC [06:07]
*** stevemar has quit IRC [06:09]
*** stevemar has joined #openstack-keystone [06:11]
*** ChanServ sets mode: +v stevemar [06:11]
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Zanata  https://review.openstack.org/224242 [06:12]
*** exploreshaifali has joined #openstack-keystone [06:12]
*** ankita_wagh has quit IRC [06:17]
*** urulama has quit IRC [06:24]
*** urulama has joined #openstack-keystone [06:24]
*** dolphm has quit IRC [06:26]
*** dolphm has joined #openstack-keystone [06:27]
*** eglute has quit IRC [06:27]
*** kiran-r has quit IRC [06:32]
*** kiran-r has joined #openstack-keystone [06:33]
*** eglute has joined #openstack-keystone [06:33]
<openstackgerrit> Dave Chen proposed openstack/keystone: Refactor: Don't hard code the error code  https://review.openstack.org/224545 [06:38]
<stevemar> jamielennox: i think reverting occ might be the right thing to do [06:40]
*** shoutm has quit IRC [06:40]
*** e0ne has joined #openstack-keystone [06:42]
*** e0ne has quit IRC [06:45]
*** shoutm has joined #openstack-keystone [06:45]
*** e0ne has joined #openstack-keystone [06:48]
<mordred> wait, why? [06:48]
<mordred> we just set occ to not validate when we create the object, then osc will continue as normal [06:49]
*** lsmola has joined #openstack-keystone [06:50]
<mordred> I'm about to take off ... lemme make a patch that should allow non revert and see what you think [06:50]
<mordred> because the only reason ksa code is being executed is because of occ arg validation. [06:54]
*** e0ne has quit IRC [06:55]
<mordred> we certainly don't need to port osc to ksa this instant [06:58]
*** e0ne has joined #openstack-keystone [06:59]
*** su_zhang has quit IRC [07:00]
*** woodster_ has quit IRC [07:09]
*** e0ne has quit IRC [07:10]
*** browne has quit IRC [07:13]
<openstackgerrit> Steve Martinelli proposed openstack/keystone: check if tokenless auth is configured before validating  https://review.openstack.org/225039 [07:15]
*** HenryG has quit IRC [07:21]
*** diazjf has quit IRC [07:27]
*** EinstCrazy has quit IRC [07:33]
*** pnavarro has joined #openstack-keystone [07:36]
*** e0ne has joined #openstack-keystone [07:37]
*** martinus__ is now known as martin-h [07:39]
*** aix has joined #openstack-keystone [07:42]
*** e0ne has quit IRC [07:44]
<jamielennox> mordred: that would work for now, if ksa doesn't find a plugin with the supplied name then no validation is performed, osc will fall back to using the existing loading which is ksc based [07:48]
<jamielennox> this is a possible future compatibility issue in that we'll turn it on one day - but if we're ok with that it'll solve the problem for now [07:49]
*** stevemar has quit IRC [07:49]
<jamielennox> however is it possible to for os-client-config to stable/liberty now so we can keep working on these ksa things without getting in the way of liberty in future [07:49]
*** stevemar has joined #openstack-keystone [07:50]
*** ChanServ sets mode: +v stevemar [07:50]
<jamielennox> i'd be happy to not see ksa get included in the official liberty release at all [07:50]
*** stevemar has quit IRC [07:52]
*** tsymancz2k has quit IRC [07:54]
*** fhubik has joined #openstack-keystone [07:59]
*** markvoelker has joined #openstack-keystone [08:04]
*** jistr has joined #openstack-keystone [08:07]
*** markvoelker has quit IRC [08:08]
*** topol has joined #openstack-keystone [08:08]
*** ChanServ sets mode: +v topol [08:08]
*** HenryG has joined #openstack-keystone [08:12]
*** aix has quit IRC [08:13]
*** topol has quit IRC [08:13]
*** HenryG has quit IRC [08:16]
*** henrynash has quit IRC [08:25]
*** aix has joined #openstack-keystone [08:27]
*** dims_ has joined #openstack-keystone [08:30]
*** HenryG has joined #openstack-keystone [08:30]
*** dims_ has quit IRC [08:34]
*** shoutm has quit IRC [08:36]
*** tsymancz2k has joined #openstack-keystone [08:38]
*** chlong has quit IRC [08:47]
*** stevemar has joined #openstack-keystone [08:51]
*** ChanServ sets mode: +v stevemar [08:51]
*** kiran-r has quit IRC [08:54]
<openstackgerrit> Dave Chen proposed openstack/keystonemiddleware: Deprecate class AuthTokenPlugin properly  https://review.openstack.org/220509 [08:55]
*** kiran-r has joined #openstack-keystone [09:01]
*** henrynash has joined #openstack-keystone [09:05]
*** ChanServ sets mode: +v henrynash [09:05]
*** stevemar has quit IRC [09:05]
*** exploreshaifali has quit IRC [09:15]
*** henrynash has quit IRC [09:17]
<openstackgerrit> Konstantin Maximov proposed openstack/keystone: Add test for domains list filtering and limiting  https://review.openstack.org/207456 [09:20]
*** fhubik is now known as fhubik_afk [09:23]
*** e0ne has joined #openstack-keystone [09:27]
*** fhubik_afk is now known as fhubik [09:28]
*** dims_ has joined #openstack-keystone [09:32]
<openstackgerrit> Dave Chen proposed openstack/keystone: check if tokenless auth is configured before validating  https://review.openstack.org/225039 [09:34]
*** dims_ has quit IRC [09:36]
*** rob_d has joined #openstack-keystone [09:39]
*** davechen has left #openstack-keystone [09:44]
<rob_d> hopefully someone can help an awful sys admin- Is it possible to sync keystone domain specific users (ldap) to the sql database, that is, so their usernames are readable in keystone.users table, the docs state that this command "keystone-manage domain_config_upload --domain-name DOMAINA" can be used to 'migrate' from domain specific to sql, furthermore it states that "Once uploaded, these domain-configuration options will be visible via the Identi [09:49]
*** dims_ has joined #openstack-keystone [09:50]
*** fhubik has quit IRC [09:58]
*** fhubik has joined #openstack-keystone [09:59]
*** markvoelker has joined #openstack-keystone [10:04]
*** markvoelker has quit IRC [10:10]
*** urulama has quit IRC [10:18]
*** urulama has joined #openstack-keystone [10:18]
*** exploreshaifali has joined #openstack-keystone [10:22]
*** fhubik has quit IRC [10:40]
*** exploreshaifali has quit IRC [10:51]
*** flwang has quit IRC [10:53]
*** katkapilatova has joined #openstack-keystone [11:02]
*** e0ne has quit IRC [11:10]
*** flwang has joined #openstack-keystone [11:10]
*** markvoelker has joined #openstack-keystone [11:21]
*** kiran-r has quit IRC [11:22]
*** fhubik has joined #openstack-keystone [11:24]
*** markvoelker has quit IRC [11:26]
*** ChanServ sets mode: +o dolphm [11:31]
*** e0ne has joined #openstack-keystone [11:33]
*** stevemar has joined #openstack-keystone [11:33]
*** ChanServ sets mode: +v stevemar [11:33]
*** stevemar has quit IRC [11:37]
*** urulama has quit IRC [11:38]
*** urulama has joined #openstack-keystone [11:39]
*** gordc has joined #openstack-keystone [11:41]
*** tellesnobrega is now known as tellesnobrega_af [11:45]
*** tellesnobrega_af is now known as tellesnobrega [11:46]
*** exploreshaifali has joined #openstack-keystone [11:47]
*** chlong has joined #openstack-keystone [12:06]
*** chlong has quit IRC [12:07]
*** chlong has joined #openstack-keystone [12:07]
*** topol has joined #openstack-keystone [12:11]
*** ChanServ sets mode: +v topol [12:11]
*** tobasco has quit IRC [12:13]
*** topol has quit IRC [12:16]
*** markvoelker has joined #openstack-keystone [12:20]
*** lsmola has quit IRC [12:22]
*** topol has joined #openstack-keystone [12:22]
*** ChanServ sets mode: +v topol [12:22]
*** raildo-afk is now known as raildo [12:27]
*** edmondsw has joined #openstack-keystone [12:33]
*** lsmola has joined #openstack-keystone [12:35]
*** exploreshaifali has quit IRC [12:43]
*** doug-fish has joined #openstack-keystone [12:49]
*** zzzeek has joined #openstack-keystone [12:59]
*** topol has quit IRC [12:59]
*** su_zhang has joined #openstack-keystone [12:59]
*** fifieldt has quit IRC [13:00]
*** hrou has joined #openstack-keystone [13:09]
*** exploreshaifali has joined #openstack-keystone [13:11]
*** jecarey has joined #openstack-keystone [13:14]
*** amoturi has joined #openstack-keystone [13:15]
*** amakarov_away is now known as amakarov [13:20]
*** dsirrine has joined #openstack-keystone [13:23]
*** jsavak has joined #openstack-keystone [13:30]
*** woodster_ has joined #openstack-keystone [13:32]
*** stevemar has joined #openstack-keystone [13:34]
*** ChanServ sets mode: +v stevemar [13:34]
*** geoffarnoldX is now known as geoffarnold [13:36]
*** stevemar has quit IRC [13:37]
*** openstackgerrit has quit IRC [13:46]
*** grantbow has quit IRC [13:46]
*** openstackgerrit has joined #openstack-keystone [13:47]
<odyssey4me> jamielennox mordred stevemar what're the next steps for https://bugs.launchpad.net/python-openstackclient/+bug/1496689 ? what's the best workaround for us to implement now to unbreak our master gate (which is on Liberty-3) - should we cap the openstackclient version? [13:48]
<openstack> Launchpad bug 1496689 in python-openstackclient "osc broken with newest occ and keystoneauth" [High,Confirmed] [13:48]
*** grantbow has joined #openstack-keystone [13:48]
*** pnavarro has quit IRC [13:56]
*** markvoelker has quit IRC [13:57]
*** jsavak has quit IRC [13:59]
*** markvoelker_ has joined #openstack-keystone [14:00]
*** jsavak has joined #openstack-keystone [14:00]
<openstackgerrit> Gerhard Muntingh proposed openstack/keystone: Fix the referred [app:app_v3] into [pipeline:api_v3]  https://review.openstack.org/225160 [14:02]
*** KarthikB has joined #openstack-keystone [14:03]
*** richm has joined #openstack-keystone [14:03]
*** gabriel-1 is now known as gabriel-bezerra [14:06]
*** gerhardqux has joined #openstack-keystone [14:06]
*** gabriel-bezerra is now known as gabrielbezerra [14:09]
<openstackgerrit> Gerhard Muntingh proposed openstack/keystone: Fix the referred [app:app_v3] into [pipeline:api_v3]  https://review.openstack.org/225160 [14:13]
*** sigmavirus24_awa is now known as sigmavirus24 [14:14]
*** dims_ has quit IRC [14:20]
*** dims_ has joined #openstack-keystone [14:21]
*** phalmos has joined #openstack-keystone [14:21]
*** sdake has joined #openstack-keystone [14:27]
*** raildo is now known as raildo-afk [14:27]
*** roxanaghe has joined #openstack-keystone [14:29]
<openstackgerrit> Dave Chen proposed openstack/keystone: Deprecate local conf in paste-ini  https://review.openstack.org/134124 [14:30]
<openstackgerrit> Dave Chen proposed openstack/keystone: Add the missing parameter  https://review.openstack.org/225177 [14:30]
*** david-lyle has quit IRC [14:31]
*** slberger has joined #openstack-keystone [14:32]
*** roxanaghe has quit IRC [14:35]
<openstackgerrit> Dave Chen proposed openstack/keystone: Add the missing parameter  https://review.openstack.org/225177 [14:35]
*** agireud has quit IRC [14:35]
*** agireud has joined #openstack-keystone [14:37]
*** stevemar has joined #openstack-keystone [14:39]
*** ChanServ sets mode: +v stevemar [14:39]
*** tonytan4ever has joined #openstack-keystone [14:40]
*** shoutm has joined #openstack-keystone [14:42]
*** btully has joined #openstack-keystone [14:42]
*** richm has quit IRC [14:43]
*** diazjf has joined #openstack-keystone [14:46]
*** richm has joined #openstack-keystone [14:46]
*** csoukup has joined #openstack-keystone [14:48]
<mfisch> stevemar: morning [14:48]
<mfisch> stevemar: wrt CADF on V2/V3, I do see initiator events for some v2 stuff like getting a token (auth) [14:49]
*** browne has joined #openstack-keystone [14:49]
<dolphm> mfisch: but no result? [14:49]
*** jsavak has quit IRC [14:49]
<mfisch> sorry what? [14:50]
<mfisch> steve and were talking about some CADF events are missing some fields [14:50]
<dolphm> mfisch: ah, okay [14:50]
*** exploreshaifali has quit IRC [14:52]
<bknudson> what do you think about having tempest runs for the different token formats? [14:52]
<bknudson> like we have gate-tempest-dsvm-postgres-full for eventlet now [14:53]
<dolphm> bknudson: it'd be nice, is the short term effort worth the long term utility? [14:53]
<bknudson> that one should be switching soon [14:53]
<dolphm> we can't matrix test every feature in tempest, obviously, but tokens are an obvious candidate [14:54]
<bknudson> I'm hoping the effort is minimal [14:54]
<bknudson> since devstack already supports the token format as a config option [14:54]
*** jsavak has joined #openstack-keystone [14:55]
*** geoffarnold is now known as geoffarnoldX [14:55]
*** EinstCrazy has joined #openstack-keystone [14:56]
<dolphm> then it's just a matter of whether infra is willing to give us 3 more jobs per patch lol [14:56]
<dolphm> 3 more *tempest* jobs, no less [14:56]
<openstackgerrit> Lance Bragstad proposed openstack/keystone-specs: Clarify documentation about scope  https://review.openstack.org/224792 [14:56]
<bknudson> I was thinking switch an existing one [14:56]
<bknudson> or, we could pick a random token format for each test [14:56]
<dolphm> transient by design? [14:57]
<lbragstad> I feel like that might be confusing.. [14:57]
<bknudson> since we never break things we should be fine [14:59]
*** henrynash has joined #openstack-keystone [15:01]
*** ChanServ sets mode: +v henrynash [15:01]
*** jistr is now known as jistr|call [15:02]
*** dims_ is now known as dimsum__ [15:03]
*** jsavak has quit IRC [15:04]
*** jsavak has joined #openstack-keystone [15:04]
<henrynash> bknudson: ping [15:05]
<bknudson> henrynash: what's up? [15:06]
<henrynash> bknudson: hi…just wondering if you would have a chance to look at the new patch for https://review.openstack.org/#/c/191976/ hopefully fixed up most of your concerns [15:07]
*** geoffarnoldX is now known as geoffarnold [15:07]
<bknudson> henrynash: I will take a look... maybe I can figure it out this time. [15:07]
<bknudson> (not sure why everything we do needs to be so complicated) [15:08]
<henrynash> bknudson: I know, I know [15:08]
*** topol has joined #openstack-keystone [15:09]
*** ChanServ sets mode: +v topol [15:09]
*** EinstCrazy has quit IRC [15:09]
*** jsavak has quit IRC [15:11]
*** jsavak has joined #openstack-keystone [15:12]
<mfisch> stevemar: as it turns out, auth events are useful to me. its some kind of compliance thing [15:21]
*** mylu has joined #openstack-keystone [15:21]
<stevemar> mfisch: yeah, that was the thought when we created them [15:22]
<stevemar> mfisch: re: initiator, yes, its there on all auth requests - regardless of v2 or v3 [15:22]
<mfisch> its interesting to see who's using up all my tokens [15:23]
<mfisch> its Icinga and Monasca actually [15:23]
*** mylu has quit IRC [15:25]
*** mylu has joined #openstack-keystone [15:25]
<stevemar> could get some nice data / analytics out of that [15:29]
<openstackgerrit> Steve Martinelli proposed openstack/keystone: check if tokenless auth is configured before validating  https://review.openstack.org/225039 [15:33]
*** tsymancz2k has quit IRC [15:34]
*** jsavak has quit IRC [15:34]
<stevemar> dolphm: https://review.openstack.org/#/c/225039/ & anyone else [15:34]
*** jsavak has joined #openstack-keystone [15:34]
*** tsymanczyk has quit IRC [15:35]
*** jsavak has quit IRC [15:39]
*** r-daneel has joined #openstack-keystone [15:39]
<mordred> stevemar: I made a working patch on the plane but had no internet [15:40]
<stevemar> mordred: awesomeo [15:40]
<mordred> stevemar: turns out the problem is a one line silly [15:40]
<stevemar> everything is coming up stevemar today! [15:40]
<mordred> heck yeah [15:41]
<mordred> I'll upload it in about 30 [15:41]
<mordred> stevemar: I also have 80% of a complete conversion of osc done [15:41]
<mordred> stevemar: obvs for next cycle :) [15:41]
*** gyee has joined #openstack-keystone [15:42]
*** ChanServ sets mode: +v gyee [15:42]
*** jsavak has joined #openstack-keystone [15:43]
*** david-lyle has joined #openstack-keystone [15:43]
*** erhudy has joined #openstack-keystone [15:46]
*** phalmos has quit IRC [15:47]
*** jsavak has quit IRC [15:47]
*** jsavak has joined #openstack-keystone [15:49]
*** pece has joined #openstack-keystone [15:49]
*** fhubik has quit IRC [15:50]
<openstackgerrit> Tom Cocozzello proposed openstack/keystone: Deprecate httpd/keystone.py  https://review.openstack.org/221975 [15:50]
<mfisch> stevemar: on a user.authenticate event the target id is odd: "openstack:90ba969b-805a-4ced-94ff-34feef1e70d0" what is that? its not a user [15:51]
<mfisch> is that a token hash? [15:51]
<openstackgerrit> Steve Martinelli proposed openstack/keystone: check if tokenless auth is configured before validating  https://review.openstack.org/225039 [15:52]
*** su_zhang has quit IRC [15:54]
*** katkapilatova has left #openstack-keystone [15:56]
*** phalmos has joined #openstack-keystone [16:01]
<mfisch> stevemar: also I'd like to put initiator into v2, is that doable? I'm happy to do the work [16:02]
<mfisch> so much stuff still uses it [16:02]
*** tsymanczyk has joined #openstack-keystone [16:02]
*** tsymanczyk is now known as Guest26288 [16:03]
<stevemar> mfisch: it should definitely be doable, its just a matter of moving the context around i think [16:03]
<dstanek> everyone seems to be so worried about switching away from apache, but what would we be switching? [16:04]
<bknudson> I thought we wrote the code to work with any wsgi container already? [16:05]
*** e0ne has quit IRC [16:05]
<bknudson> we're not using apache. [16:05]
*** roxanaghe has joined #openstack-keystone [16:06]
<stevemar> mfisch: its basically this patch, but for the v2 routes https://review.openstack.org/#/c/155660/14 [16:06]
<dstanek> bknudson: exactly [16:07]
<mfisch> thanks stevemar I'll look at it [16:07]
*** diazjf has quit IRC [16:08]
stevemarmfisch: its just added an initiator arg to the manager (and then calling notifications.create.x), and the controller has to find the initiator from the context and pass it to the manager16:09
lbragstaddolphm: ping; i'm looking at the revocation stuff + fernet tokens again16:09
mfischstevemar: step 1 for me will be figuring out the v2 vs v3 path in that code16:09
stevemarmfisch: v2 https://github.com/openstack/keystone/blob/master/keystone/identity/controllers.py#L3416:10
stevemarv3 https://github.com/openstack/keystone/blob/master/keystone/identity/controllers.py#L19416:10
lbragstadif i have this straight - if we err on the side of revoking tokens that have been issued in the same second a revocation event was created; we would be re-introducing bug 148423716:10
openstackbug 1484237 in Keystone kilo "token revocations not always respected when using fernet tokens" [Undecided,In progress] https://launchpad.net/bugs/1484237 - Assigned to Dolph Mathews (dolph)16:10
*** fhubik has joined #openstack-keystone16:15
dstaneklbragstad: i only read the description, but from that i wouldn't expect it to be the same16:16
dstaneklbragstad: why were the tokens not being revoked?16:16
lbragstadso, this issue that we were having, is we could get a fernet token16:17
lbragstadimmediately revoke it16:17
*** tsymancz1k has joined #openstack-keystone16:17
lbragstadand then *immediately* validate that token16:17
lbragstadin some cases you'll get a 200 back16:17
lbragstadand in some cases you'd get a 40416:17
lbragstadand you should expect a 404 always; right?16:18
*** raildo-afk is now known as raildo16:19
dstaneklbragstad: yeah16:19
*** david-lyle has quit IRC16:19
dstanekit looks like the fix for that was to revoke the tokens for that second instead of just before16:19
lbragstaddstanek: that wasn't recreateable with uuid tokens because they included subsecond precision and so did the revocation model16:19
dstanekpreviously if a token was created and revoked in the same second it wouldn't be revoked16:20
lbragstadright, because the comparison was done at the subsecond level of precision16:20
*** mylu has quit IRC16:20
mordredstevemar: https://review.openstack.org/225217 fwiw16:20
*** ankita_wagh has joined #openstack-keystone16:20
*** mylu has joined #openstack-keystone16:21
dstaneklbragstad: that missing equal sign was still a bug with sub-seconds precision. just a much harder one to recreate16:21
lbragstadso, if we do decide to revoke tokens that were issued in the same second as the creation of the revocation event, we'd need to document that behavior16:21
lbragstadbut we would also need to add something to our tests that would make sure we don't hit that failure when we have tests that run in less than a second16:22
dstaneklbragstad: yep, we should document it anyway since that's an important part of Keystone16:22
*** mylu has quit IRC16:25
*** david-lyle has joined #openstack-keystone16:26
dstaneklbragstad: i'm surprised that we didn't start running into that at all when we started to run tests in parallel16:27
lbragstaddstanek: so, when the code was just `return revoke_map['issued_before'] > token_data['issued_at']` mfisch was hitting bug 148423716:28
openstackbug 1484237 in Keystone kilo "token revocations not always respected when using fernet tokens" [Undecided,In progress] https://launchpad.net/bugs/1484237 - Assigned to Dolph Mathews (dolph)16:28
*** jistr|call is now known as jistr16:28
mfischyes under certain test circumstances16:29
*** lhcheng has joined #openstack-keystone16:30
*** ChanServ sets mode: +v lhcheng16:30
*** jistr has quit IRC16:30
dstaneklbragstad: sure16:30
*** lhcheng has quit IRC16:30
*** lhcheng has joined #openstack-keystone16:30
*** ChanServ sets mode: +v lhcheng16:30
*** david-lyle has quit IRC16:31
lbragstadahhh...16:31
lbragstadbecause the sub-second level precision of the revoke_map['issued_before'] is in fact greater than the token_data['issued_at'] time of the fernet token...16:32
* lbragstad lightbulb... 16:32
*** lsmola has quit IRC16:32
lbragstadso, the true fix for this (as it was discussed before) is the following:16:33
lbragstad- remove subsecond level precision from keystone revocation events16:33
lbragstad- and switch `return revoke_map['issued_before'] >= token_data['issued_at']` back to `return revoke_map['issued_before'] > token_data['issued_at']`16:34
*** mylu has joined #openstack-keystone16:37
dstaneklbragstad: you'd have to make sure that both sides of the operation don't have sub-seconds16:37
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/22522216:38
openstackgerritOpenStack Proposal Bot proposed openstack/keystoneauth: Updated from global requirements  https://review.openstack.org/22522416:38
dolphmdstanek: ++16:40
*** tsymancz1k is now known as tsymanczyk16:42
*** hrou has quit IRC16:42
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/22523216:42
dolphmand it's still possible for the revocation event to cause tokens in the immediate future to be invalidated, but you *could* also avoid that by introducing an artificial sleep when revocation events are created. so if the revocation event is created, delay the operation from returning successfully for a full second. things that follow that operation will never have the same timestamp as the revocation event16:42
lbragstaddstanek: so, the first step in fixing this is removing sub-second precision from the revocation model16:42
*** hrou has joined #openstack-keystone16:42
*** tonytan4ever has quit IRC16:42
*** ankita_wagh has quit IRC16:43
lbragstadso, to clarify, tokens created at times are rounded up?16:48
lbragstadthey have to be in order for this all to be true?16:48
lbragstadso if a token is created at .374657 seconds the time of the creation as Fernet knows about it is actually 1.00000016:49
dolphmlbragstad: 0.0 in that example :)16:51
lbragstadyes16:51
dolphmlbragstad: they should be truncated by mysql16:51
dolphmerr, not fernet create timestamps. mysql truncates revocation event times16:52
dolphmfernet timestamps are probably truncated as well, but by pypi/cryptography16:52
lbragstadah, right16:52
lbragstadugh, I keep forgetting about the subsecond precision thing with SQL!16:53
dolphmthis is a complicated issue16:54
*** su_zhang has joined #openstack-keystone16:54
*** tonytan4ever has joined #openstack-keystone16:54
dolphmare all the tempest failures hinging on this?16:54
*** mylu has quit IRC16:54
lbragstaddolphm: yes16:54
dolphm100% sure?16:54
lbragstadto the best of my knowledge16:54
dolphmk16:54
dolphmat castle?16:54
lbragstaddolphm: let me grab the bug16:54
lbragstaddolphm: nope16:55
dolphmi think my afternoon project got delayed. i'll help you tackle this after food16:55
lbragstadok16:55
lbragstaddolphm: i'll be back on in thirty minutes16:56
*** tsymanczyk has quit IRC16:56
*** Guest26288 has quit IRC16:56
*** lhcheng has quit IRC16:57
*** lhcheng has joined #openstack-keystone16:57
*** ChanServ sets mode: +v lhcheng16:57
*** david-lyle has joined #openstack-keystone16:57
*** mylu has joined #openstack-keystone16:59
*** ankita_wagh has joined #openstack-keystone17:01
*** _cjones_ has joined #openstack-keystone17:03
*** mylu has quit IRC17:03
*** mylu has joined #openstack-keystone17:04
*** roxanaghe has quit IRC17:04
*** su_zhang has quit IRC17:06
*** roxanaghe has joined #openstack-keystone17:06
dstanekgyee: rip apache out of what?17:06
gyeedstanek, out of Keystone17:06
dstanekgyee: it's not in Keystone17:07
dstanekwe don't use it or need it17:07
gyeefederation?17:07
gyeeexternal auth?17:07
dstanekoptional features that "may" require apache. keystone itself doesn't require it17:08
gyeeif we are moving away from identity management, we need a backup17:08
dstanekalso uwsgi doesn't replace apache17:08
*** mylu has quit IRC17:08
gyeeI understand17:08
gyeemy point is federation and external will play a major role, especially since Keystone's identity management capability is unawesome right now17:09
gyeeexternal auth17:09
dstanekgyee: sure there is nothing in keystone that actually requires Apache except our example config. i'm not sure how that thread got so out of whack17:10
gyeethen how do we gate federation, websso, etc?17:11
gyeewe don't at the moment, but eventually17:11
dstanekgyee: devstack uses Apache17:11
dstanekif i said today that "Keystone would no longer use Apache" - there would be nothing in the project that would change17:12
gyeeunless you have no intention to support federation and external auth17:13
gyeeunless the default user management capability is good enough for you in production17:13
dstanekgyee: you as a deployer can use Apache17:13
dstanekbut that doesn't change the fact that Keystone doesn't actually use Apache at all even with federation. it gets environment variables that do stuff. technically this could be done using IIS and its set of federation capabilities (as long as the standards match)17:15
gyeeif you can make it work, please do share :)17:15
dstanekhttps://wiki.shibboleth.net/confluence/display/SHIB2/Integrating+Nginx+and+a+Shibboleth+SP+with+FastCGI17:16
dstanekdone17:16
openstackgerrithenry-nash proposed openstack/keystone: Relax newly imposed sql driver restriction for domain config  https://review.openstack.org/19197617:16
gyeehave you done it?17:16
dstanekgyee: i haven't but someone has :-)17:17
gyeek, will have to give it a try then17:17
dstaneki guess i just don't understand what people think will be changing17:18
henrynashbknudson: thx for your comments on https://review.openstack.org/#/c/191976/ see new patch17:18
henrynashmorgan: Working with bknudson to get https://review.openstack.org/#/c/191976/ in for RC1 - think this is important since without it you can’t create a non-default service domain with the API-based domain config method17:19
henrynashmorgan: new patch posted that hopefully addresses his concerns17:19
gyeedstanek, my concern is with the uncertainty in web servers handling external auth17:19
gyeeand how to gate them17:19
henrynashlbragstad: since you +2d a previous version, if you could give your view as well that would be great17:20
*** phalmos has quit IRC17:20
dstanekgyee: you simply do what we do now. test the recommended configuration.17:20
gyeelike what, mock the env vars?17:21
dstanekdevstack uses apache right now17:22
*** browne has quit IRC17:22
dstanekif nginx had modules that adhere to the standards (like it does now for shib) then saying the recommended setup is nginx would be a change to devstack and not keystone. that's all i'm saying. you as a deployer should be free to deploy on the web server and application server of your choice.17:24
gyeeso keystone requires devstack in order to fully test certain features17:25
*** e0ne has joined #openstack-keystone17:26
dstanekgyee: yes, it always has and i don't see that changing at all17:26
*** henrynash has quit IRC17:27
gyeeis it fair to say Keystone depends on devstack then?17:28
dstanekgyee: when was the last time you deployed devstack to production?17:30
dstanekgyee: it's just our testing infrastructure17:30
dstaneki think it's fair to say our process depends on devstack17:31
*** tsymancz1k has joined #openstack-keystone17:31
dstanekgyee: i think of this like ldap. keystone can use ldap, but doesn't depend on it17:32
*** mylu has joined #openstack-keystone17:33
*** tsymancz2k has joined #openstack-keystone17:33
bknudsontime to vote... who do I vote for?17:34
dstanekpedro?17:34
bknudsonwrite-in17:34
*** diazjf has joined #openstack-keystone17:35
*** tsymancz2k has quit IRC17:38
*** tsymancz1k has quit IRC17:38
gyeedstanek, k, fair enough, I don't care its nginx or apache, we just need to have test coverage on that stuff, especially if we are moving away from identity management17:38
gyeebknudson, no hanging chad OK17:39
bknudsonshould just get the votes from here: http://russellbryant.net/openstack-stats/keystone-reviewers-90.txt17:39
*** c_soukup has joined #openstack-keystone17:41
*** e0ne has quit IRC17:41
* gyee cast a vote for henrynash17:41
*** lhcheng has quit IRC17:43
*** lhcheng has joined #openstack-keystone17:43
*** ChanServ sets mode: +v lhcheng17:43
dstanekbknudson: if i would have known that i would have done more reviews these last 2 weeks :-)17:43
gyeedstanek, just have to bots do that for you :)17:44
*** csoukup has quit IRC17:44
*** david-lyle has quit IRC17:44
gyeesince reviews does not require captcha17:45
dstanekgyee: i'll automate "-1 getting close" on everything17:45
gyeehah17:45
*** e0ne has joined #openstack-keystone17:49
*** boris-42 has quit IRC17:50
ayounggyee, http://adam.younglogic.com/2015/09/using-the-ipa-cli-from-an-unenrolled-workstation/17:56
gyeeayoung, cool, I'll take a look17:58
*** ankita_wagh has quit IRC17:58
*** harlowja has quit IRC17:58
*** harlowja has joined #openstack-keystone17:58
*** amakarov has quit IRC17:58
*** ankita_wagh has joined #openstack-keystone17:58
*** amakarov has joined #openstack-keystone17:59
*** tsymancz2k has joined #openstack-keystone18:01
*** tsymancz2k has quit IRC18:02
*** browne has joined #openstack-keystone18:02
*** su_zhang has joined #openstack-keystone18:06
*** su_zhang_ has joined #openstack-keystone18:09
openstackgerritLin Hua Cheng proposed openstack/keystone: Add documentation for configuring IdP WebSSO  https://review.openstack.org/21835318:10
*** su_zhang has quit IRC18:12
*** david-lyle has joined #openstack-keystone18:17
*** tsymancz2k has joined #openstack-keystone18:21
*** phalmos has joined #openstack-keystone18:23
*** tsymanczyk has joined #openstack-keystone18:27
*** tsymanczyk is now known as Guest4106618:27
*** roxanaghe has quit IRC18:28
*** jsavak has quit IRC18:30
dolphmsample* configuration18:31
*** jsavak has joined #openstack-keystone18:31
* dolphm 's client refuses to autoscroll, dammit.18:31
*** e0ne has quit IRC18:39
*** manjeet has joined #openstack-keystone18:42
* dolphm returns from ranting on the mailing list18:43
dolphmlbragstad: how goes that bug?18:43
manjeethow can i manually upgrade my client from v2 to v3 ?18:43
manjeetany documentation link, comments or suggestions ?18:43
dolphmmanjeet: which client? it probably supports v3 already, and you just need to tell it to use the v3 API18:43
lbragstaddolphm: tinkering with it now18:45
*** singh has joined #openstack-keystone18:45
lbragstaddolphm: i guess the fix depends on what we target it to18:45
dolphmlbragstad: how can i help?18:45
singhdolphm: sorry I lost connection this is manjeet18:46
singhwhich conf file I can specify client ?18:46
singhversion18:46
*** manjeet has quit IRC18:48
lbragstaddolphm: I started messing around with the revocation code, and i tried recreating mfisch's bug but I added a sleep(1) here - https://github.com/openstack/keystone/blob/master/keystone/contrib/revoke/core.py#L23118:48
dolphmsingh: which client are you referring to?18:48
mfischI thought that bug was closed?18:48
dolphmlbragstad: after that line?18:48
lbragstaddolphm: before it18:49
lbragstaddolphm: http://cdn.pasteraw.com/luqxfajqjhotlkf6944vopxfqammzte18:49
dolphmmfisch: technically, it is. but tempest is still failing us on a tightly related edge case18:49
*** singh_ has joined #openstack-keystone18:49
singh_dolphm: keystone ?18:49
dolphmmfisch: before, we were erring on the side of insecure. now we're erring on the side of secure. tempest basically fails us either way ;)18:49
lbragstadthose edge cases being; tempest runs tests in less than a second18:49
dolphmsingh_: python-keystoneclient?18:49
mfischwell then sleep(1) is my go-to fix for anything ;)18:49
singh_yes18:50
dolphmsingh_: are you using it as a python library? as a CLI? via middleware?18:50
singh_cli18:50
dolphmsingh_: switch to python-openstackclient then18:51
*** singh has quit IRC18:51
dolphmsingh_: per the deprecation warnings you see in --help18:51
lbragstaddolphm: mfisch so, ensuring a revocation event doesn't have the same issue_before time as a token's issue_at time will get us around the problem with tempest18:52
singh_thank you so much dolphm18:52
lbragstadthen, after that, we should start removing all the subsecond precision in keystone, right?18:52
dolphmlbragstad: do you have a unit test for this condition in keystone?18:52
lbragstadno; not yet18:53
dolphmlbragstad: like set the clock to 1.0 seconds, generate a token, set the clock to 1.1 seconds, issue a revoke, set the clock to 1.2 seconds, generate a token?18:53
dolphmwe can do what tempest can't in that regard, but we can't run mysql18:53
*** amakarov has quit IRC18:53
lbragstaddolphm: right, where should that live, in the test_v3_os_revoke.py module or the test_v3_auth.py module?18:54
lbragstadit seems revocation event specific18:54
dolphmlbragstad: i'm looking to see if i wrote a similar test already we can modify or copy pasta18:54
lbragstaddolphm: you had a few lines of an existing test commented out.. I remember that18:54
dolphmi don't18:55
lbragstaddolphm: https://review.openstack.org/#/c/216236/4/keystone/tests/unit/test_auth.py18:55
*** phalmos has quit IRC18:55
dolphmlbragstad: this is not familiar18:56
dolphmdespite being < 1 month old18:56
lbragstaddolphm: that was the commit that relaxed the revocation logic to err on the side of insecure18:56
lbragstadand since it's fresh18:56
dolphmlbragstad: secure*, right?18:56
lbragstadwe didn't see the failures that we are seeing now with tempest18:57
lbragstadthe failures we are seeing with tempest now are things like -- 1.) get a token 2.) do some operation that requires a revocation event 3.) confirm an operation fails - but keystone does return the a token18:58
*** e0ne has joined #openstack-keystone18:58
*** phalmos has joined #openstack-keystone18:58
dolphmlbragstad: https://review.openstack.org/#/c/216367/3/keystone/tests/unit/test_auth.py,unified18:59
*** r-daneel has quit IRC18:59
*** jsavak has quit IRC18:59
dolphmlbragstad: so, similar to before, those tests *could* be fixed by either sleeping in the test, or sleeping in keystone, right?18:59
dolphmjust as a hacky solution to illustrate the problem?18:59
lbragstaddolphm: here is one of the tempest tests that are currently failing - https://github.com/openstack/tempest/blob/master/tempest/api/identity/v3/test_users.py#L3719:00
*** jsavak has joined #openstack-keystone19:00
dolphmlbragstad: but all those failures in tempest are transient, right?19:01
lbragstaddolphm: transient because they are occurring on sql?19:01
lbragstads/sql/mysql/19:01
dolphmlbragstad: transient.... because they're transiently based on the current clock19:02
lbragstaddolphm: then they should be transient in our tests too, right?19:03
dolphmlbragstad: i don't think any of our tests are transient19:04
dolphmlbragstad: oh, that's what you meant by mysql. yes: we don't have transients because we're running with sqlite19:04
lbragstaddolphm: because the subsecond precision generated is actually stored19:04
lbragstad++19:04
* dolphm shakes fist at sqlite19:04
lbragstadso, if you're looking at the tempest failures19:05
* dolphm shakes fist at mysql19:05
dolphmlbragstad: have you run tempest against your sleep patch on https://github.com/openstack/keystone/blob/master/keystone/contrib/revoke/core.py#L23119:05
lbragstadit seems we, as in Keystone, are erring on the side of insecurity19:05
lbragstaddolphm: no, but i can push it as wip and add depends on to the devstack patch19:05
*** Guest41066 has quit IRC19:06
*** tsymancz2k has quit IRC19:06
openstackgerritBrant Knudson proposed openstack/keystone: Document token provider support  https://review.openstack.org/22488819:07
lbragstaddolphm: //cdn.pasteraw.com/t4dqexhvvw3qgss1vukqviyjp00w05t running against tempest should give us an idea of what will happen when we remove *all* subsecond support in keystone and run on sql19:08
lbragstads/sql/mysql/19:08
lbragstadproper link - http://cdn.pasteraw.com/t4dqexhvvw3qgss1vukqviyjp00w05t19:08
*** david-lyle has quit IRC19:11
*** david-lyle has joined #openstack-keystone19:11
openstackgerritLance Bragstad proposed openstack/keystone: WIP: implement wait on revocation events  https://review.openstack.org/22528319:14
*** e0ne has quit IRC19:17
*** erhudy has quit IRC19:19
*** david-lyle has quit IRC19:19
lbragstaddolphm: if your patch (comparing revoke_map['issue_before'] >= token_data['issued_at']) has landed; how is tempest failing on tests that happen within the same second?19:20
dstaneklbragstad: tempest is still failing?19:25
lbragstaddstanek: as of the last run I checked on bknudson's patch (https://review.openstack.org/#/c/195780/)19:25
*** roxanaghe has joined #openstack-keystone19:25
lbragstadI just retriggered it and I have it dependent on https://review.openstack.org/22528319:25
dstaneklbragstad: is it possible that tests from different processes are interfering with each other?19:26
lbragstaddstanek: I haven't thought about that case much..19:27
dstanekif two tests run in the same second and one happens to be revoking tokens there may be an issue19:27
lbragstaddstanek: would that only be an issue if both tests were using the same token?19:28
dstaneki think, unlike our unit tests, the tempest tests share a DB instance with all processes19:28
dstaneklbragstad: is it only revoking a specific token? or tokens for a user, etc?19:28
lbragstadoh, i guess that would be dependent on the tests19:29
lbragstadso, a test that exercises a user changing their password would fall under that case...19:29
*** urulama has quit IRC19:33
morganSo there are two options19:34
morgan1 revocation events are matched with < event time. Giving a 1 second gap19:34
openstackgerritSteve Martinelli proposed openstack/keystoneauth: add openid connect plugins  https://review.openstack.org/22499319:34
morganOr tokens can be issued 1 second ahead19:34
morganSame gap19:34
morganI think a 1 second gap is far from the end of the world19:35
morganThis prevents the case of a token being issued and already being revoked19:35
morganlbragstad: ^19:35
dolphmlbragstad: it's failing, it's just failing on the other half of the second, so to speak19:36
dolphmlbragstad: we were erring *insecurely* before my patch, and now we're *erring* securely.19:36
dolphmlbragstad: to make tempest happy, we must not err19:36
morgandolphm: yes19:37
morgandolphm: which is a compromise in either case. But minimally impactful19:37
lbragstadhmmm19:37
lbragstadhow does not erring make tempest happy?19:37
lbragstadthe part i can't figure out is19:38
dolphmlbragstad: we traded an error condition in one edge case for a similar error condition in a different edge case19:38
dolphmlbragstad: tempest catches it and fails either way19:39
dstanekso i'm thinking that g-r needs to be updated to restrict os-client-config versions /cc stevemar (i heard you were talking about this the other day)19:40
lbragstad1.) tempest asks for a token at 2.000001, and that token ends up with a creation time of 2.000000 2.) tempest changes the password at 2.000002 and the revocation event has an issued_before time of 2.000000 3.) we go to validate the token and that *should* return a 404 since the logic is >=...19:40
bknudsonDo we have a fix for http://logs.openstack.org/57/221157/10/check/gate-tempest-dsvm-full/18eb440/logs/devstacklog.txt.gz#_2015-09-18_13_51_46_902 already?19:40
bknudsonit's mentioned on the mailing list.19:40
bknudsonkeystoneauth?19:41
dstanekbknudson: on -dev?19:41
dolphmlbragstad: 3 is <=19:41
bknudsondstanek: y, -dev mailing list19:41
lbragstaddolphm: yes, thanks19:41
lbragstaddolphm: so that would mean the token would be revoked right? (i'm not seeing that in the current results from tempest)19:41
*** su_zhang_ has quit IRC19:42
dstanekbknudson: i think that's caused by what i was just talking about - os-client-config can't be unbounded on the top19:42
bknudsonlooks related to http://git.openstack.org/cgit/openstack/keystoneauth/commit/?id=835dfb8528088a6fb6c223c0e0c4f905854dd7c019:42
dstanekbknudson: they added a dep on ksa and that breaks osc19:42
dstaneklooking for the thread....19:42
dolphmlbragstad: but then you issue a token after the revocation event?19:43
bknudsonlook like mordred is all over it.19:43
lbragstadbecause revoke_map['issued_before'] is greater than token_data['issued_at'] (2.000000 >= 2.000000)19:43
dstanekbknudson: cool. then that will fix my issue too19:43
lbragstadgiven ^ that logic, the tokens in tempest should be revoked if they are generated within the same second after the revocation event is stored19:44
*** sdake has quit IRC19:46
openstackgerritMerged openstack/keystone: Updated from global requirements  https://review.openstack.org/22522219:46
dstanekdolphm: lbragstad: it's entirely possible. maybe the tempest revocation tests should use a different user and be pinned to the same process.19:47
*** tsymanczyk has joined #openstack-keystone19:47
*** tsymanczyk is now known as Guest1269119:48
lbragstaddstanek: we should find out after the current jobs finish https://review.openstack.org/#/c/195780/19:48
dolphmlbragstad: ++ this is making my head hurt without more test failures to look at19:48
lbragstaddolphm: agreed...19:49
* lbragstad is -> <- close to switching to i-beer-prophen19:49
openstackgerritMerged openstack/keystoneauth: Updated from global requirements  https://review.openstack.org/22522419:51
dstaneklbragstad: what's different in that test run?19:51
openstackgerritMerged openstack/keystone: check if tokenless auth is configured before validating  https://review.openstack.org/22503919:52
lbragstaddstanek: i made it dependent on https://review.openstack.org/#/c/225283/19:52
*** sdake has joined #openstack-keystone19:53
dstaneklbragstad: i would still expect transient failures with that change19:53
lbragstaddstanek: with the revocations happening in another tempest test thread, right19:54
dstaneklbragstad: yes, i'm assuming that tempest has tests that revoke by something more coarse grained than a single token19:54
lbragstaddstanek: yeah, i know they revoke by user and timestamp because they revoke on password events19:55
dstanekit just depends on test ordering and timing :-(19:55
lbragstaddstanek: fun!19:55
*** jsavak has quit IRC19:55
lbragstaddolphm: dstanek morgan - so, if we implement revocation events 1 second in the future, then we should still remove all the subsecond precision, no?19:59
morganErm no19:59
morganDo a < vs <=19:59
morganor always issues tokens 1 second ahead19:59
lbragstadi'm not completely convinced we can issue tokens on second early because in Fernet, we don't control the token creation time20:00
lbragstads/on/one/20:00
morganThen we do < on revocation events20:00
morganIt is a one line change20:00
morganWell and some of our tests20:00
morganI think*20:00
lbragstadok, so at this point, we'll still support subsecond precision and that's what we will test against20:01
lbragstadif we go with the fix above20:01
morganwe may have an issue where tempest is assuming tokens and events have greater than 1 second precision20:01
morganWhich is a larger issue that isn't always true20:01
lbragstadhmmm, we don't hit that with fernet because we populate subsecond accuracy, it's always at .000000 though20:02
openstackgerritTom Cocozzello proposed openstack/keystone: Deprecate httpd/keystone.py  https://review.openstack.org/22197520:02
*** doug-fish has quit IRC20:03
morganWell we do hit that20:03
dstanekmorgan: re: mail thread20:03
dstanekit's osc loading its own plugins20:04
morganAh20:04
morganOk20:04
*** su_zhang has joined #openstack-keystone20:04
morganFantastic.20:04
*** tonytan4ever has quit IRC20:04
morganmordred: ^ cc20:04
dstanekosc just needs to use the correct entrypoints now that ksa is being used to load the plugins20:05
*** lhcheng has quit IRC20:05
mordreddstanek: but it's not20:05
*** lhcheng has joined #openstack-keystone20:05
*** ChanServ sets mode: +v lhcheng20:05
dstanekmordred: what else is it?20:05
mordreddstanek: because that's using occ 1.6.320:05
dstanekmordred: hmm....that's odd. i had to downgrade to that to fix my problem20:06
*** tonytan4ever has joined #openstack-keystone20:06
mordreddstanek: grep for os-client-config in that devstack output... it's VERY weird20:06
mordreddstanek: because the thing you described is what I expect that error to look like20:06
dstanekmordred: in the devstack.log it's showing 1,7.120:07
mordredreally?20:07
*** tsymancz2k has joined #openstack-keystone20:08
mordreddstanek: http://logs.openstack.org/51/224451/3/check/gate-tempest-dsvm-neutron-src-python-openstackclient/3da6cb0/logs/devstacklog.txt.gz#_2015-09-18_19_28_06_61020:08
dstanekmordred: that's odd. from the log mentioned in the thread http://logs.openstack.org/57/221157/10/check/gate-tempest-dsvm-full/18eb440/logs/devstacklog.txt.gz#_2015-09-18_13_50_01_29120:09
mordreddstanek: BWAHAHAHAHAHAHA20:10
morganOoh pinning not working?20:10
mordrednope20:10
mordredhang on - can we move this to infra?20:10
morganYah20:10
*** david-lyle has joined #openstack-keystone20:10
openstackgerritBrant Knudson proposed openstack/keystone: Bring bandit config up-to-date  https://review.openstack.org/19441720:15
openstackgerritBrant Knudson proposed openstack/keystone: Clean up bandit profiles  https://review.openstack.org/22530420:15
*** Guest12691 is now known as tsymanczyk20:20
*** jecarey has quit IRC20:20
lbragstaddolphm: so far so good - http://status.openstack.org/zuul/20:20
dolphmlbragstad: it's in the gate twice?20:21
dstanekin case it fails the first time?20:22
*** iurygregory has quit IRC20:23
*** gordc has quit IRC20:24
*** gabrielbezerra is now known as gbezerra20:25
*** gbezerra is now known as gabriel-bezerra20:25
lbragstaddolphm: I don't think so20:26
lbragstaddolphm:  195780,6 is the one I'm looking at20:26
*** phalmos has quit IRC20:28
*** iurygregory has joined #openstack-keystone20:28
openstackgerritBrant Knudson proposed openstack/keystone: Bring bandit config up-to-date  https://review.openstack.org/19441720:29
*** jsavak has joined #openstack-keystone20:30
*** pece has quit IRC20:34
*** jsavak has quit IRC20:36
*** jsavak has joined #openstack-keystone20:37
dolphmlbragstad: the second time it's in the gate is because a devstack patch Depends-On it20:38
lbragstaddolphm: oh20:38
openstackgerritSteve Martinelli proposed openstack/keystoneauth: add openid connect plugins  https://review.openstack.org/22499320:38
stevemarjamielennox: finally done ^20:38
lbragstaddolphm: it looks like it's going to pass20:38
dolphmlbragstad: minus py2720:40
*** amoturi has left #openstack-keystone20:42
*** ankita_wagh has quit IRC20:43
*** ankita_w_ has joined #openstack-keystone20:43
lbragstaddolphm: strange, I was able to run those tests locally.20:54
openstackgerritBrant Knudson proposed openstack/keystone: Update bandit blacklist_calls config  https://review.openstack.org/22532720:57
mordreddstanek: https://review.openstack.org/225328 <-- this should fix osc without needing any patches for osc20:59
lbragstaddolphm: latest patch - http://cdn.pasteraw.com/icqe31td9i4qzr7pmbs2ili7sk49fcs20:59
dolphmlbragstad: revoke in the future?21:00
*** lhcheng has quit IRC21:00
*** lhcheng has joined #openstack-keystone21:00
*** ChanServ sets mode: +v lhcheng21:00
dolphmlbragstad: that would exacerbate the problem tempest is seeing now, i think21:01
lbragstadoh... that would be issue token in the future?21:05
*** david8hu has quit IRC21:07
lbragstaddolphm: it fails our unit tests, but didn't fail in tempest...21:08
lbragstadtempest passed with time.sleep(1) when storing a revocation event21:08
*** mylu has quit IRC21:09
mordreddstanek: updated https://review.openstack.org/22532821:11
*** tonytan4ever has quit IRC21:12
*** jsavak has quit IRC21:13
*** mylu has joined #openstack-keystone21:14
*** chlong has quit IRC21:14
*** jsavak has joined #openstack-keystone21:14
*** mylu has quit IRC21:15
*** stevemar has quit IRC21:16
*** singh_ has quit IRC21:19
*** raildo is now known as raildo-afk21:22
dstanekmordred: that seems to have taken care of my env issue21:25
dstanekmordred: took me a second to realize that _validate_auth_ksc is the old version of _validate_auth21:27
*** dims_ has joined #openstack-keystone21:29
*** iurygregory has quit IRC21:31
*** jsavak has quit IRC21:31
*** jsavak has joined #openstack-keystone21:31
*** tsymanczyk has quit IRC21:31
*** tsymancz2k has quit IRC21:31
*** dimsum__ has quit IRC21:32
*** stevemar has joined #openstack-keystone21:32
*** ChanServ sets mode: +v stevemar21:32
*** stevemar has quit IRC21:32
*** stevemar has joined #openstack-keystone21:33
*** ChanServ sets mode: +v stevemar21:33
*** edmondsw has quit IRC21:35
*** topol has quit IRC21:37
mordredyea21:38
openstackgerritBrant Knudson proposed openstack/keystone: federation.idp use correct subprocess  https://review.openstack.org/22534021:39
openstackgerritBrant Knudson proposed openstack/keystone: Update bandit blacklist_imports config  https://review.openstack.org/22534121:39
*** BAKfr has quit IRC21:41
*** topol has joined #openstack-keystone21:41
*** ChanServ sets mode: +v topol21:41
*** david8hu has joined #openstack-keystone21:43
*** BAKfr has joined #openstack-keystone21:43
*** topol has quit IRC21:44
*** hrou has quit IRC21:47
openstackgerritBrant Knudson proposed openstack/keystone: Enable Bandit 0.13.2 tests  https://review.openstack.org/22534721:57
*** tsymanczyk has joined #openstack-keystone21:58
*** tsymanczyk is now known as Guest8972621:58
*** c_soukup has quit IRC22:00
*** su_zhang has quit IRC22:02
*** Guest89726 has quit IRC22:03
*** su_zhang has joined #openstack-keystone22:04
*** david-lyle has quit IRC22:06
*** jsavak has quit IRC22:07
brownequestion: in launchpad if a bug isn't completely fixed, should i open a separate bug or change the state of the existing bug?22:08
stevemarbrowne: is the patch to fix it, still in progress or closed/merged?22:09
brownehttps://bugs.launchpad.net/keystone/+bug/145938222:10
openstackLaunchpad bug 1459382 in Keystone kilo "Fernet tokens can fail with LDAP identity backends" [High,Fix committed] - Assigned to Dolph Mathews (dolph)22:10
brownestevemar: one piece is released and one committed22:10
stevemarbrowne: what's not working for you?22:10
browneit still fails for some users22:10
stevemarah22:10
stevemarbrowne: open a new bug then, if it's for a specific case22:11
stevemarutf8 characters in user name?22:11
brownestevemar: ok thanks22:11
brownenope, just "Eric Brown 72620"22:11
brownemore details here: https://bugs.launchpad.net/keystone/+bug/149746122:12
openstackLaunchpad bug 1497461 in Keystone "Fernet tokens fail for some users with LDAP identity backend" [High,New]22:12
stevemarbrowne: add details about what operation you did to trigger that exception22:15
brownestevemar: sure, i just logged into horizon22:16
stevemarugh, brutal22:16
stevemarbrowne: are you using multiple backends? or just the one ldap?22:16
stevemarlike, do you have sql users at all? for admin accounts and such?22:16
*** slberger has left #openstack-keystone22:17
brownestevemar:  just one backend, ldap22:18
browneold school22:18
stevemarbrowne: truly22:18
*** NM has quit IRC22:19
anteayaanyone care to cruise by #openstack-dev?22:22
anteayait looks to me like someone is asking a keystone question22:22
stevemaranteaya: way ahead of you :O22:23
anteaya:)22:25
*** ptoohill is now known as pc-pothole22:29
*** sigmavirus24 is now known as sigmavirus24_awa22:32
*** erhudy1 has joined #openstack-keystone22:32
dolphmbrowne: the code you're tripping on was actually written to solve another, similar issue with LDAP + Fernet. it looks like another edge case :-/22:34
*** markvoelker_ has quit IRC22:36
dolphmbrowne: it should be using these methods somewhere it appears not to be https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/token_formatters.py#L336-L36222:37
*** sdake_ has joined #openstack-keystone22:40
*** tsymancz1k has joined #openstack-keystone22:42
*** sdake has quit IRC22:43
brownedolphm: those methods are used, but because a ValueError is not raised, the user_id is set to a UUID22:45
brownewhich doesn't exist later when looking up the user_id in ldap server22:45
*** geoffarnold has quit IRC22:46
*** openstackgerrit has quit IRC22:46
*** openstackgerrit has joined #openstack-keystone22:47
*** sdake has joined #openstack-keystone22:48
*** sdake_ has quit IRC22:51
*** dims_ has quit IRC22:56
*** tsymancz2k has joined #openstack-keystone22:57
*** hrou has joined #openstack-keystone22:59
*** diazjf has quit IRC23:08
*** dimsum__ has joined #openstack-keystone23:23
*** ankita_w_ has quit IRC23:25
*** stevemar has quit IRC23:26
*** ankita_wagh has joined #openstack-keystone23:27
*** lhcheng has quit IRC23:27
*** KarthikB has quit IRC23:29
*** henrynash has joined #openstack-keystone23:31
*** ChanServ sets mode: +v henrynash23:31
*** ankita_wagh has quit IRC23:34
*** markvoelker has joined #openstack-keystone23:37
*** zzzeek has quit IRC23:38
*** lhcheng has joined #openstack-keystone23:38
*** ChanServ sets mode: +v lhcheng23:38
*** browne has quit IRC23:39
*** henrynash has quit IRC23:39
*** lhcheng has quit IRC23:39
*** lhcheng_ has joined #openstack-keystone23:39
*** markvoelker has quit IRC23:42
*** lhcheng has joined #openstack-keystone23:43
*** ChanServ sets mode: +v lhcheng23:43
*** erhudy1 has quit IRC23:43
*** lhcheng_ has quit IRC23:43
*** btully has quit IRC23:52
*** richm has quit IRC23:54
*** dsirrine has quit IRC23:55
