Monday, 2015-10-05

*** _hrou_ has joined #openstack-keystone00:00
*** dsirrine has joined #openstack-keystone00:02
*** lhcheng has joined #openstack-keystone00:02
*** ChanServ sets mode: +v lhcheng00:02
*** hrou has quit IRC00:03
*** mylu has quit IRC00:07
*** woodster_ has quit IRC00:09
*** dims_ has quit IRC00:17
*** shadower has quit IRC00:23
*** shadower has joined #openstack-keystone00:23
*** jsavak has joined #openstack-keystone00:34
*** btully has joined #openstack-keystone00:36
*** jsavak has quit IRC00:38
*** btully has quit IRC00:40
*** jsavak has joined #openstack-keystone00:43
*** mylu has joined #openstack-keystone00:58
*** david-lyle has quit IRC01:13
*** dsirrine has quit IRC01:23
*** jsavak has quit IRC01:25
*** geoffarnold has joined #openstack-keystone01:35
*** mylu has quit IRC01:35
*** geoffarn_ has joined #openstack-keystone01:36
*** mylu has joined #openstack-keystone01:36
*** geoffarnold has quit IRC01:40
*** david-lyle has joined #openstack-keystone01:44
*** geoffarn_ is now known as geoffarnoldX01:46
*** geoffarnoldX has quit IRC01:56
*** geoffarnold has joined #openstack-keystone01:57
*** geoffarnold has quit IRC02:04
*** geoffarnold has joined #openstack-keystone02:04
*** mylu has quit IRC02:08
*** mylu has joined #openstack-keystone02:10
*** geoffarnold has quit IRC02:18
*** geoffarnold has joined #openstack-keystone02:18
*** dimsum__ has joined #openstack-keystone02:21
*** geoffarnold has quit IRC02:25
*** geoffarnold has joined #openstack-keystone02:26
*** akanksha_ has quit IRC02:28
*** mestery has quit IRC02:37
*** mestery has joined #openstack-keystone02:38
*** dimsum__ has quit IRC02:40
*** ayoung has quit IRC02:41
*** mylu has quit IRC02:41
*** su_zhang_ has joined #openstack-keystone02:48
*** topol has joined #openstack-keystone02:52
*** ChanServ sets mode: +v topol02:52
*** mylu has joined #openstack-keystone02:56
*** geoffarn_ has joined #openstack-keystone03:01
*** geoffarnold has quit IRC03:01
*** geoffarn_ is now known as geoffarnoldX03:21
*** geoffarnold has joined #openstack-keystone03:22
*** su_zhang_ has quit IRC03:27
*** david-lyle has quit IRC03:32
*** hrou has joined #openstack-keystone03:41
*** geoffarnold has quit IRC03:43
*** geoffarnold has joined #openstack-keystone03:43
*** david-lyle has joined #openstack-keystone03:44
*** _hrou_ has quit IRC03:44
*** topol has quit IRC03:47
*** david-lyle has quit IRC03:48
*** david-lyle has joined #openstack-keystone03:53
*** david-lyle has quit IRC04:02
openstackgerritMerged openstack/keystonemiddleware: Make __all__ immutable  https://review.openstack.org/230025 04:02
*** geoffarnold has quit IRC04:04
*** geoffarnold has joined #openstack-keystone04:05
*** david-lyle has joined #openstack-keystone04:06
*** david-lyle has quit IRC04:12
openstackgerritSteve Martinelli proposed openstack/keystoneauth: Update the project description  https://review.openstack.org/230866 04:19
*** jaosorior has joined #openstack-keystone04:19
*** dimsum__ has joined #openstack-keystone04:21
*** mylu has quit IRC04:22
*** david-lyle has joined #openstack-keystone04:22
*** geoffarn_ has joined #openstack-keystone04:26
*** geoffarnold has quit IRC04:27
*** amit213 has quit IRC04:28
*** amit213 has joined #openstack-keystone04:28
*** david-lyle has quit IRC04:29
*** _hrou_ has joined #openstack-keystone04:40
*** hrou has quit IRC04:43
*** fifieldt has joined #openstack-keystone04:46
*** geoffarn_ has quit IRC04:47
*** geoffarnold has joined #openstack-keystone04:47
*** _hrou_ has quit IRC04:47
*** btully has joined #openstack-keystone04:51
*** topol has joined #openstack-keystone04:51
*** ChanServ sets mode: +v topol04:51
*** topol has quit IRC04:55
*** topol has joined #openstack-keystone05:00
*** ChanServ sets mode: +v topol05:00
*** topol has quit IRC05:01
*** geoffarnold has quit IRC05:08
*** geoffarnold has joined #openstack-keystone05:09
*** stevemar_ has quit IRC05:20
*** geoffarnold has quit IRC05:30
*** geoffarnold has joined #openstack-keystone05:30
*** btully has quit IRC05:34
*** btully has joined #openstack-keystone05:38
*** lhcheng has quit IRC05:51
*** geoffarnold has quit IRC05:51
*** geoffarnold has joined #openstack-keystone05:52
*** sdake has joined #openstack-keystone06:06
*** sdake has quit IRC06:10
*** sdake has joined #openstack-keystone06:11
*** lsmola has joined #openstack-keystone06:13
*** mflobo has left #openstack-keystone06:16
*** mflobo has joined #openstack-keystone06:19
*** mflobo has left #openstack-keystone06:19
*** sdake has quit IRC06:27
*** sdake has joined #openstack-keystone06:31
*** sdake has quit IRC06:31
*** geoffarnold has quit IRC06:33
*** geoffarnold has joined #openstack-keystone06:34
*** su_zhang_ has joined #openstack-keystone06:35
*** links has joined #openstack-keystone06:35
*** Nirupama has joined #openstack-keystone06:59
*** henrynash has joined #openstack-keystone07:10
*** ChanServ sets mode: +v henrynash07:10
*** su_zhang_ has quit IRC07:11
*** geoffarnold has quit IRC07:16
*** geoffarnold has joined #openstack-keystone07:17
*** mancdaz has joined #openstack-keystone07:24
*** fifieldt has quit IRC07:28
*** ParsectiX has joined #openstack-keystone07:35
*** geoffarnold has quit IRC07:37
*** geoffarnold has joined #openstack-keystone07:38
*** Guest38007 is now known as d0ugal07:41
*** d0ugal has quit IRC07:41
*** d0ugal has joined #openstack-keystone07:41
*** aix has quit IRC07:45
*** aix has joined #openstack-keystone07:45
*** wwwjfy_ has quit IRC07:50
*** fhubik has joined #openstack-keystone07:54
*** fhubik is now known as fhubik_brb07:55
*** pnavarro has joined #openstack-keystone07:55
*** fhubik_brb is now known as fhubik07:58
*** geoffarnold has quit IRC07:59
*** geoffarnold has joined #openstack-keystone08:00
*** topol has joined #openstack-keystone08:02
*** ChanServ sets mode: +v topol08:02
*** arif-ali has quit IRC08:05
*** wwwjfy_ has joined #openstack-keystone08:06
*** topol has quit IRC08:06
*** arif-ali has joined #openstack-keystone08:09
*** e0ne has joined #openstack-keystone08:10
*** jvarlamova has joined #openstack-keystone08:15
*** fhubik is now known as fhubik_brb08:15
*** arif-ali has quit IRC08:16
*** kodokuu has joined #openstack-keystone08:18
*** arif-ali has joined #openstack-keystone08:19
*** geoffarnold has quit IRC08:20
*** geoffarnold has joined #openstack-keystone08:20
kodokuuHi. Sometimes I have a trace in nova with "NeutronClientException: Authentication required" because neutron has an error ==> "Failed to validate token", "code": 404, "title": "Not Found"  AND I can see in keystone WARNING keystone.common.wsgi [-] Failed to validate token08:21
kodokuuanyone know why I have this error ?08:22
*** btully has quit IRC08:25
*** david-lyle has joined #openstack-keystone08:28
*** arif-ali has quit IRC08:34
*** fhubik_brb is now known as fhubik08:35
*** wwwjfy_ has quit IRC08:36
*** jistr has joined #openstack-keystone08:38
*** arif-ali has joined #openstack-keystone08:39
*** wwwjfy_ has joined #openstack-keystone08:41
*** geoffarnold has quit IRC08:41
*** geoffarnold has joined #openstack-keystone08:42
marekdkodokuu: keystone cannot validate token, but it probably looks more like neutron problem.08:46
*** arif-ali has quit IRC08:47
*** david-lyle has quit IRC08:51
*** arif-ali has joined #openstack-keystone08:51
openstackgerritEric Brown proposed openstack/keystone: Handle 16-char non-uuid user IDs in payload  https://review.openstack.org/226121 08:53
*** jistr has quit IRC09:00
*** david-lyle has joined #openstack-keystone09:00
*** jistr has joined #openstack-keystone09:01
*** fhubik is now known as fhubik_brb09:02
*** geoffarnold has quit IRC09:03
*** geoffarnold has joined #openstack-keystone09:03
kodokuumarekd Why? Maybe after keystone expires the token, neutron still tries to use the old token?09:04
*** markvoelker has joined #openstack-keystone09:05
*** markvoelker_ has joined #openstack-keystone09:06
*** david-lyle has quit IRC09:07
*** jmccrory has quit IRC09:07
*** jmccrory has joined #openstack-keystone09:08
*** markvoelker has quit IRC09:09
*** marzif has joined #openstack-keystone09:18
*** fhubik_brb is now known as fhubik09:19
*** markvoelker_ has quit IRC09:20
*** david-lyle has joined #openstack-keystone09:23
*** geoffarnold has quit IRC09:24
*** geoffarnold has joined #openstack-keystone09:24
*** david-lyle has quit IRC09:27
marekdkodokuu: so i'd still say this is not keystone working wrongly09:30
*** david-lyle has joined #openstack-keystone09:30
marekdeither play with expiration time09:30
marekdor neutron is doing something wrong and using old tokens09:30
*** marzif has quit IRC09:37
*** geoffarnold has quit IRC09:45
*** geoffarnold has joined #openstack-keystone09:46
openstackgerritMarek Denis proposed openstack/keystone: Adds a base class for functional tests  https://review.openstack.org/203142 09:53
*** david-lyle has quit IRC09:54
*** katkapilatova has joined #openstack-keystone10:00
*** katkapilatova has left #openstack-keystone10:01
*** david-lyle has joined #openstack-keystone10:01
*** wwwjfy_ has quit IRC10:02
*** geoffarnold has quit IRC10:07
*** geoffarnold has joined #openstack-keystone10:07
*** wwwjfy_ has joined #openstack-keystone10:07
*** e0ne has quit IRC10:10
*** e0ne has joined #openstack-keystone10:14
*** kodokuu has quit IRC10:15
*** david-lyle has quit IRC10:16
*** david-lyle has joined #openstack-keystone10:19
*** fhubik is now known as fhubik_brb10:22
*** geoffarnold has quit IRC10:28
*** marzif has joined #openstack-keystone10:28
*** pnavarro is now known as pnavarro|mtg10:28
*** geoffarnold has joined #openstack-keystone10:28
*** david-lyle has quit IRC10:29
*** david-lyle has joined #openstack-keystone10:32
*** Burgosz has joined #openstack-keystone10:41
*** david-lyle has quit IRC10:42
*** yottatsa has joined #openstack-keystone10:46
*** itlinux has joined #openstack-keystone10:46
*** david-lyle has joined #openstack-keystone10:49
*** geoffarnold has quit IRC10:49
*** geoffarnold has joined #openstack-keystone10:50
*** david-lyle has quit IRC10:53
*** david-lyle has joined #openstack-keystone10:56
*** aix has quit IRC11:03
*** marzif has quit IRC11:05
*** marzif has joined #openstack-keystone11:05
*** david-lyle has quit IRC11:07
*** david-lyle has joined #openstack-keystone11:08
*** marzif has quit IRC11:10
*** geoffarnold has quit IRC11:11
*** marzif has joined #openstack-keystone11:11
*** geoffarnold has joined #openstack-keystone11:11
*** david-lyle has quit IRC11:18
*** david-lyle has joined #openstack-keystone11:25
*** pnavarro|mtg is now known as pnavarro|lunch11:25
*** fhubik_brb is now known as fhubik11:26
*** iurygregory has joined #openstack-keystone11:30
*** geoffarnold has quit IRC11:32
samueldmqmorning11:32
*** geoffarnold has joined #openstack-keystone11:33
samueldmqquick question, when we propose a backport, it is against origin/stable/* and not against gerrit/stable/*, right?11:33
*** aix has joined #openstack-keystone11:35
*** Madkiss has joined #openstack-keystone11:38
Madkisshey folks11:38
Madkissmorgan: are you there by chance? :)11:38
*** jaosorior has quit IRC11:45
*** jaosorior has joined #openstack-keystone11:45
*** Burgosz has quit IRC11:46
samueldmqMadkiss: hi11:50
*** jaosorior_ has joined #openstack-keystone11:53
*** geoffarnold has quit IRC11:54
*** geoffarnold has joined #openstack-keystone11:54
MadkissWe're seeing a strange effect here: Horizon is terribly slow, and we suspect Keystone to be the root cause for it11:54
*** jaosorior has quit IRC11:57
*** nicodemos has joined #openstack-keystone12:00
*** e0ne has quit IRC12:01
*** baffle_ is now known as baffle12:01
*** yottatsa has quit IRC12:02
*** Nirupama has quit IRC12:03
*** jaosorior_ has quit IRC12:04
*** jaosorior has joined #openstack-keystone12:04
*** marzif has quit IRC12:12
*** marzif has joined #openstack-keystone12:12
*** e0ne has joined #openstack-keystone12:13
*** geoffarn_ has joined #openstack-keystone12:15
*** raildo-afk is now known as raildo12:16
*** jecarey_ has quit IRC12:17
*** nisha has joined #openstack-keystone12:18
*** geoffarnold has quit IRC12:20
*** marzif has quit IRC12:21
*** jaosorior has quit IRC12:27
*** jaosorior has joined #openstack-keystone12:28
marekddstanek: hello.12:31
dstanekmarekd: hi12:31
*** doug-fish has joined #openstack-keystone12:31
marekddstanek: running a functional testsuite should work as with: tox -efunctional federation (for this patch https://review.openstack.org/#/c/203258/) ?12:31
marekdor what is the right way to specify file/class/test to run?12:32
*** ayoung has joined #openstack-keystone12:33
*** ChanServ sets mode: +v ayoung12:33
dstanekmarekd: you can specify the class just like you do for unit tests12:35
marekddstanek: ok, i found the error , there was no __init__.py in the tests/functional/federation12:35
*** geoffarn_ has quit IRC12:36
*** geoffarnold has joined #openstack-keystone12:36
*** doug-fish has quit IRC12:37
*** edmondsw has joined #openstack-keystone12:37
*** doug-fish has joined #openstack-keystone12:37
openstackgerritMarek Denis proposed openstack/keystone: Federation Identity Provider functional tests  https://review.openstack.org/203258 12:40
*** doug-fish has quit IRC12:42
*** doug-fish has joined #openstack-keystone12:42
*** agireud has quit IRC12:47
*** yottatsa has joined #openstack-keystone12:48
*** amakarov_away is now known as amakarov12:50
marekddstanek: https://review.openstack.org/#/c/203142/8/keystone/tests/functional/core.py looks like fetching values from the environment doesn't really work. Any quick ideas on how to fix it?12:54
*** geoffarnold has quit IRC12:57
*** geoffarnold has joined #openstack-keystone12:58
*** pauloewerton has joined #openstack-keystone12:59
dstanekmarekd: not sure, but in about 30 minutes i can take a look12:59
*** jecarey has joined #openstack-keystone13:00
marekddstanek: would be helpful, thanks13:01
*** jsavak has joined #openstack-keystone13:03
*** hrou has joined #openstack-keystone13:03
*** pnavarro|lunch is now known as pnavarro13:06
*** dimsum__ is now known as dims13:08
*** fhubik is now known as fhubik_brb13:09
*** geoffarnold has quit IRC13:19
*** geoffarnold has joined #openstack-keystone13:19
*** gordc has joined #openstack-keystone13:21
*** zzzeek has joined #openstack-keystone13:21
*** links has quit IRC13:22
*** fhubik_brb is now known as fhubik13:24
*** chlong has joined #openstack-keystone13:26
*** btully has joined #openstack-keystone13:30
openstackgerritMarek Denis proposed openstack/keystone: Federation Identity Provider functional tests  https://review.openstack.org/203258 13:31
marekddstanek: this ^^ basically works when i hardcode my devstack's urls/passwords/project ids13:32
marekddstanek: i will try to focus more on functional tests now13:32
marekddstanek: so i will probably also bug you a little bit more :-)13:32
*** erhudy has joined #openstack-keystone13:32
*** jasondotstar|afk is now known as jasondotstar13:32
*** nisha_ has joined #openstack-keystone13:36
*** nisha_ has quit IRC13:36
*** nisha_ has joined #openstack-keystone13:38
*** nisha has quit IRC13:39
*** geoffarnold has quit IRC13:40
*** nisha_ is now known as nisha13:40
dstanekmarekd: bug me as often as you need13:40
*** geoffarnold has joined #openstack-keystone13:40
*** zz_john5223 is now known as john522313:47
*** csoukup has joined #openstack-keystone13:51
*** dsirrine has joined #openstack-keystone13:51
*** ParsectiX has quit IRC13:53
*** diazjf has joined #openstack-keystone13:54
*** openstackstatus has joined #openstack-keystone13:57
*** ChanServ sets mode: +v openstackstatus13:57
*** yottatsa has quit IRC13:57
*** su_zhang_ has joined #openstack-keystone14:01
*** stevemar_ has joined #openstack-keystone14:01
*** ChanServ sets mode: +o stevemar_14:01
*** topol has joined #openstack-keystone14:01
*** ChanServ sets mode: +v topol14:01
*** geoffarn_ has joined #openstack-keystone14:02
*** geoffarnold has quit IRC14:02
*** links has joined #openstack-keystone14:05
openstackgerritLance Bragstad proposed openstack/keystone: Expose method list inconsistency in federation api  https://review.openstack.org/229125 14:08
*** sigmavirus24_awa is now known as sigmavirus2414:09
*** ngupta has joined #openstack-keystone14:10
*** yottatsa has joined #openstack-keystone14:13
samueldmqlbragstad: ping - https://review.openstack.org/#/c/229125 14:13
samueldmqlbragstad: thanks for adding the @wip annotation, but you forgot to remove a comment there :)14:13
lbragstadi'll push another revision14:14
*** richm has joined #openstack-keystone14:14
*** Guest38101 is now known as zeus14:14
stevemar_dolphm lbragstad dstanek morgan bknudson henrynash marekd jamielennox|away any last minute stuff going into liberty RC2??14:14
*** zeus has quit IRC14:14
*** zeus has joined #openstack-keystone14:14
lbragstadstevemar_: not that I can think of14:14
bknudsonstevemar_: keystone seems to be working in the gate.14:15
henrynashstevemar_: nothing from me14:15
stevemar_bknudson: in the gate, SHIP IT!14:15
samueldmqstevemar_: wait .. there is a patch from lbragstad that may be worth including14:15
samueldmqlet me find the link again14:15
stevemar_let's hope we don't have an RC314:15
stevemar_samueldmq: uh oh14:15
samueldmqstevemar_: lbragstad see https://review.openstack.org/#/c/221786/ 14:15
*** raildo is now known as raildo-afk14:16
stevemar_lbragstad: is that one rc worthy? ^14:16
marekdstevemar_: nope.14:16
lbragstadstevemar_: that protects against the upgrade case14:16
*** vivekd has joined #openstack-keystone14:17
*** thiagop has joined #openstack-keystone14:17
*** diazjf has quit IRC14:18
stevemar_lbragstad: explain that more?14:18
lbragstadstevemar_: that patch only makes sense to have in liberty14:18
lbragstadstevemar_: when fernet was first implemented, we padded the tokens before giving them back to the user14:19
lbragstadstevemar_: that changed, in keystone we now remove all the padding from the token before returning it to the user14:19
stevemar_lbragstad: well, we are cutting liberty14:19
lbragstadand then we re-inflate that padding on the way back in, when we validate the token14:19
lbragstadstevemar_: yeah, for some reason i thought that patch merged14:19
stevemar_lbragstad: so we definitely need it in liberty?14:20
lbragstadstevemar_: that patch makes it so that, in liberty, we can validate tokens that have padding, and tokens that don't have padding, it should be removed in Mitaka because liberty only issues tokens that don't have padding...14:20
lbragstadstevemar_: yes14:20
lbragstadstevemar_: it has been up for a while, i lost track of it14:21
samueldmqlbragstad: ++ it will give stability (tokens will still be valid through upgrade), we don't know what timeout they give to tokens14:21
lbragstadstevemar_: I can address those last couple comments,14:21
stevemar_lbragstad: it's all good, the bug wasn't tagged14:21
stevemar_lbragstad: so i lost track of it too, yeah, fix them up and we'll look at it again14:22
lbragstadstevemar_: ok, i'll get a new patch up this morning14:22
stevemar_lbragstad: cool14:22
stevemar_cc dolphm ^14:22
*** geoffarn_ has quit IRC14:22
openstackgerritLance Bragstad proposed openstack/keystone: Add caching to get_catalog  https://review.openstack.org/215212 14:23
lbragstadclear14:23
*** geoffarnold has joined #openstack-keystone14:23
* lbragstad moves to an *actual* terminal... 14:23
stevemar_lbragstad: actually, it should be done on in stable/liberty14:23
stevemar_since it's going to be removed in mitaka14:23
stevemar_and master is mitaka right now14:24
lbragstadstevemar_: ok, i'm wondering what the process should be for that though...14:24
samueldmqstevemar_: ++14:24
samueldmqlbragstad: just proposing the change against origin/stable/liberty ?14:25
lbragstadstevemar_: because we'd be merging something to a stable branch without it in master?14:25
stevemar_that's a good point14:25
*** raildo-afk is now known as raildo14:25
stevemar_it makes sense to me to only propose to stable/liberty since it's going to be reverted in M14:26
*** roxanagh_ has joined #openstack-keystone14:26
bknudsonif the fix isn't needed in master put it to stable/liberty14:26
samueldmqstevemar_: yeah and it will be all done14:26
bknudsonwe only expect it in master first because we don't want a regression14:26
stevemar_but you can propose to master, we can get it in, backport it, then propose a revert to master14:27
bknudsonthat's more confusing14:27
stevemar_bknudson: \o/14:27
stevemar_bknudson: you're more familiar with stable than i am, can we propose directly to stable? or does it have to be a backport?14:28
bknudsonstevemar_: you can do anything you want.14:28
stevemar_yay14:29
bknudsonthere's nothing that forces change in stable to be backports14:29
stevemar_lbragstad: that's your answer14:29
bknudsonas long as you have a good reason to do it.14:29
*** nisha has quit IRC14:29
*** tonytan4ever has joined #openstack-keystone14:31
stevemar_bknudson: "only applicable to liberty" is a good reason14:32
lbragstadstevemar_: https://review.openstack.org/#/c/231022/ 14:32
*** jsavak has quit IRC14:32
stevemar_everyone ^14:33
* marekd shall reconfig irc client to highlight 'everyone'14:34
stevemar_everyone should do that ^ :)14:34
stevemar_dolphm: would appreciate your eyes on ^14:35
dstanekstevemar_: not that i know of14:36
bknudsonok, I'm confused... why does this only need to be in liberty and not in M?14:37
*** chlong has quit IRC14:38
*** tonytan4ever has quit IRC14:40
lbragstadbknudson: we don't issue fernet tokens with padding on them in liberty14:40
*** jsavak has joined #openstack-keystone14:40
lbragstadbknudson: so the upgrade only affects kilo to liberty14:40
bknudsonlbragstad: what if I upgrade from kilo to M?14:41
lbragstadbknudson: is that an upgrade we support?14:41
lbragstadbknudson: https://github.com/openstack/keystone/commit/f3e3a653f9c9ce0f9a7ba842eff118e5887eb388 14:41
bknudsonlbragstad: sure, you can upgrade from k to m.14:42
bknudsonas long as you follow the upgrade notes for each release14:42
lbragstadhmm, ok, I can propose that to master then too14:42
*** alextricity has joined #openstack-keystone14:43
*** tonytan4ever has joined #openstack-keystone14:43
*** phalmos has joined #openstack-keystone14:44
*** geoffarn_ has joined #openstack-keystone14:44
*** geoffarnold has quit IRC14:45
bknudsonI'm sure we can remove it sometime... usually it's N+2.14:47
*** ngupta has quit IRC14:47
bknudsonmaybe add a note that the backwards-compatibility can be removed in N, and then we can add it to the release notes.14:48
bknudsonor we could just say in the release notes that fernet tokens aren't compatible between releases.14:48
*** slberger has joined #openstack-keystone14:50
bknudsonthere should be tests that have the old format of fernet tokens working with the latest code so that we know we can upgrade.14:50
*** jsavak has quit IRC14:51
*** woodster_ has joined #openstack-keystone14:52
*** EmilienM has quit IRC14:55
*** EmilienM has joined #openstack-keystone14:55
*** david-ly_ has joined #openstack-keystone14:56
*** david-lyle has quit IRC14:57
*** stevemar_ has quit IRC14:57
*** david-ly_ is now known as david-lyle14:57
*** stevemar_ has joined #openstack-keystone14:57
*** ChanServ sets mode: +o stevemar_14:57
openstackgerritBrant Knudson proposed openstack/keystone: Config option for insecure responses  https://review.openstack.org/207226 14:59
*** fhubik has quit IRC14:59
lbragstadbknudson: dolphm so are we not going to put https://review.openstack.org/#/c/231022/1 in master?15:01
*** nicodemos has quit IRC15:01
dolphmlbragstad: with mitaka open, do we need to?15:02
lbragstadbknudson: I can unabandon https://review.openstack.org/#/c/221786/ 15:02
dolphmlbragstad: if you want to support direct upgrades from kilo->mitaka then it'd be useful15:02
*** stevemar_ has quit IRC15:02
dolphmi don't know if we traditionally support skipping or not15:02
lbragstaddolphm: is that something we are going to bother with?15:02
dolphmi know people try, and there's always a recommendation against15:02
bknudsondoes it cost anything to carry it?15:02
lbragstadbknudson: a test...15:03
lbragstadi think?15:03
*** aix has quit IRC15:03
*** david-ly_ has joined #openstack-keystone15:03
*** david-lyle has quit IRC15:03
bknudsonI think we should put it in master, with a note that we can remove it in n.15:03
lbragstadbknudson: alright, so i'll unabandon https://review.openstack.org/#/c/221786/ fix it up, then use that as the backport15:04
*** david-ly_ is now known as david-lyle15:04
bknudsongreat, thanks15:05
*** geoffarn_ has quit IRC15:05
*** vivekd has quit IRC15:05
*** geoffarnold has joined #openstack-keystone15:06
samueldmqbknudson: lbragstad cool, sounds pretty right :)15:06
*** yottatsa has quit IRC15:06
dolphmlbragstad: that patch should also exist in kilo so that you can upgrade from unpatched kilo to patched kilo15:07
lbragstaddolphm: true, i'll propose that as well15:07
dolphmbknudson: easy enough15:07
*** jecarey has quit IRC15:08
*** su_zhang_ has quit IRC15:12
openstackgerritLance Bragstad proposed openstack/keystone: Ensure token validation works irrespective of padding  https://review.openstack.org/221786 15:12
*** diazjf has joined #openstack-keystone15:15
morgan*yawn* yep need coffee, definitely a monday...15:15
*** stevemar_ has joined #openstack-keystone15:18
*** ChanServ sets mode: +o stevemar_15:18
marekddstanek: did you have a chance to take a look why environment variables are not honoured?15:20
bknudsonit's probably tox not passing the env vars through15:22
stevemar_lbragstad: bknudson looks like this bug might miss liberty rc2 then15:22
*** alejandrito has joined #openstack-keystone15:23
*** jasonsb_ has joined #openstack-keystone15:24
alextricityHey, does anybody know about keystone's "auth_context"15:24
alextricity?15:24
openstackgerritLance Bragstad proposed openstack/keystone: Ensure token validation works irrespective of padding  https://review.openstack.org/221786 15:24
alextricityI'm trying to figure out why my keystone federation isn't working. To me it looks like wsgi.py isn't issuing the right GET request (the request doesn't have the parameters it should have)15:25
dolphmmarekd: ^15:25
alextricityWas wondering if maybe it's this; There is either no auth token in the request or the certificate issuer is not trusted. No auth context will be set. process_request /usr/local/lib/python2.7/dist-packages/keystone/middleware/core.py:30115:25
*** jsavak has joined #openstack-keystone15:25
marekdalextricity: some more context would be useful.15:26
marekdesp what client are you using?15:26
*** ngupta has joined #openstack-keystone15:26
*** geoffarnold has quit IRC15:26
alextricitymarekd: Sure. I'm just doing this through horizon using firefox. I have keystone federation set up with oidc.15:27
alextricityto authenticate with google15:27
*** geoffarnold has joined #openstack-keystone15:27
*** Ephur has joined #openstack-keystone15:27
marekdalextricity: allrighty.15:27
marekdalextricity: and what exactly GET call is failing for you. Can you specify the url ?15:28
marekdalextricity: (there are many calls in that workflow, that's why i am asking)15:28
*** tonytan4ever has quit IRC15:29
alextricitymarekd: Absolutely. The mod_auth_openidc apache module requires a redirect URI to redirect me back to horizon. So it's issuing a  GET https://furiouscat.com:5000/v3/auth/OS-FEDERATION/websso/redirect:15:29
alextricityBut i'm pretty sure this is supposed to have some parameters associated with it.15:30
marekdyou should have ?origin=horizon.website.url15:30
stevemar_alextricity: the random colon at the end is weird: https://furiouscat.com:5000/v3/auth/OS-FEDERATION/websso/redirect:15:31
alextricityIt's not building out the query_string like it should here: https://github.com/openstack/keystone/blob/f15d9f493cf36bdb431412e6bc1d33876dd68fa3/keystone/common/wsgi.py#L202 15:31
alextricityOh..that was a copy/paste typo15:31
alextricityThe logs don't show that colon15:31
alextricitymarekd: Right. I should..but for some reason i'm not.. :/15:32
stevemar_alextricity: hitting furiouscat.com/ works well, looks like you have horizon setup correctly15:32
alextricityWait...are you saying I should have that origin parameter configured in my apache configs?15:32
marekdalextricity: not in apache15:32
*** nisha has joined #openstack-keystone15:32
marekdalextricity: somewhere in apache.15:32
marekdtfu15:32
*** jsavak has quit IRC15:32
marekdin horizon15:32
dstanekmarekd: I'm playing with it now15:33
marekddstanek: thanks!15:33
*** jsavak has joined #openstack-keystone15:33
marekdalextricity: when I try https://furiouscat.com:5000/v3/auth/OS-FEDERATION/websso/redirect i see what i had expected to see: http://cdn.pasteraw.com/gbwrwo1i1ljwwfrfzeaxq4u89ehtnz7# 15:33
lbragstadbknudson: dolphm stevemar_ master - https://review.openstack.org/#/c/221786/ 15:34
lbragstadstable/liberty - https://review.openstack.org/#/c/231051/ 15:34
marekdalextricity: so i'd check whether horizon is configured well.15:34
lbragstadstable/kilo - https://review.openstack.org/#/c/231057/ (had some conflicts here)15:34
alextricitymarekd: Yeah..that's what I'm trying to work through..I've been banging my head over this15:34
alextricityWould it be maybe the KEYSTONE_URL in dashboard configs?15:34
alextricityI'll check15:35
marekdi assume you know what's the purpose of the 'origin' parameter.15:35
marekdalextricity: rather not15:35
alextricitymarekd: I'm still a little hazy with how this all works15:35
alextricitybut I presume that origin parameter is where i'm supposed to be taken15:35
marekdalextricity: don't worry - it's a little bit confusing at the beginning.15:36
*** Guest43458 is now known as med_15:36
*** med_ has quit IRC15:36
*** med_ has joined #openstack-keystone15:36
marekdalextricity: origin is the url where you will be taken once you authenticate with keystone (usually it will be horizon that you hit first)15:36
*** med_ is now known as med15:37
*** med is now known as med_15:38
*** dims has quit IRC15:40
*** ayoung has quit IRC15:41
alextricitymarekd: stevemar_ Where is it supposed to build out that origin parameter?15:42
alextricityIs that information gathered from the apache oidc module?15:42
*** diazjf has quit IRC15:42
*** su_zhang_ has joined #openstack-keystone15:42
marekdhttps://github.com/openstack/django_openstack_auth/blob/master/openstack_auth/utils.py#L189 15:42
marekdit's horizon15:42
alextricitywait. marekd you said that is configured in horizon?15:43
openstackgerritLance Bragstad proposed openstack/keystone: Documentation for other services  https://review.openstack.org/204801 15:44
openstackgerritLance Bragstad proposed openstack/keystone: Additional documentation for services  https://review.openstack.org/211184 15:44
*** diazjf has joined #openstack-keystone15:44
marekdhttps://github.com/openstack/django_openstack_auth/blob/master/openstack_auth/utils.py#L244 15:46
marekdthis should actually be configured by default15:46
marekdalextricity:15:46
*** pnavarro is now known as pnavarro|off15:46
*** su_zhang_ has quit IRC15:47
*** dims has joined #openstack-keystone15:47
*** dims has quit IRC15:47
*** Guest96374 has joined #openstack-keystone15:47
*** Guest96374 has quit IRC15:48
*** david-ly_ has joined #openstack-keystone15:48
*** david-lyle has quit IRC15:48
*** dims_ has joined #openstack-keystone15:48
*** geoffarnold is now known as geoffarnoldX15:49
*** david-ly_ is now known as david-lyle15:49
openstackgerritLance Bragstad proposed openstack/keystone: Expose method list inconsistency in federation api  https://review.openstack.org/229125 15:50
*** jasonsb_ has quit IRC15:50
marekdalextricity: did you setup in horizon WEBSSO_IDP_MAPPING = "saml2" ?15:51
*** nisha has quit IRC15:52
*** diazjf has left #openstack-keystone15:54
*** alejandrito has quit IRC15:55
marekdalextricity: try hitting this url and see what happens: https://furiouscat.com:5000/v3/auth/OS-FEDERATION/websso/saml2/auth?origin=<url encoded horizon url>15:57
marekdsorry15:59
marekdhttps://furiouscat.com:5000/v3/auth/OS-FEDERATION/websso/saml2?origin=<url encoded horizon url>15:59
*** richm has quit IRC15:59
alextricityHey marekd I didn't set that directive in my local_settings.py16:00
marekdalextricity: so maybe that's the reason16:00
alextricityIs that also needed for oidc?16:00
marekdalextricity: for each protocol16:00
alextricityin local_settings.py right?16:00
marekdalextricity: settings.py rather?16:00
marekdwell anyway16:00
marekdwhich protocol did you configure on keystone?16:01
marekdoidc?16:01
alextricityyes16:01
marekdset the same name in WEBSSO_IDP_MAPPING16:01
marekdoidc16:01
alextricitymarekd: Oh..a new error16:06
alextricityI heard that's called progress in openstack16:06
alextricityXD16:06
alextricityjk16:06
marekdalextricity: did you configure keystone ?16:06
marekdalextricity: anyway, which tz are you ?16:06
alextricityCentral16:06
marekdCEST?16:06
alextricityCST16:07
marekduh16:07
alextricityyes. I configured keystone. My identity provider is there, so are my mappings and protocols16:07
*** itlinux has quit IRC16:08
marekdalextricity: which error now ?16:08
*** yottatsa has joined #openstack-keystone16:08
alextricitymarekd: It looks like a django error now16:08
alextricity'str' object has no attribute 'get'16:08
alextricityException Location: sr/local/lib/python2.7/dist-packages/openstack_dashboard/wsgi/../../openstack_auth/utils.py in get_websso_url, line 24616:09
marekdalextricity: so try WEBSSO_IDP_MAPPING = {'oidc'}16:09
*** geoffarnoldX has quit IRC16:09
*** geoffarnold has joined #openstack-keystone16:09
*** raildo is now known as raildo-afk16:10
alextricitySame :/ furiouscat.com16:10
*** raildo-afk is now known as raildo16:12
stevemar_alextricity: you are using django_openstack_auth 2.0.0?16:12
alextricityyes, 2.0.116:13
marekdthis is all because multiple paths to websso16:13
alextricityI am running two horizon boxes16:13
alextricityload balanced by haproxy16:13
*** _cjones_ has joined #openstack-keystone16:14
marekdalextricity: actually, if you remove (sorry) WEBSSO_IDP_MAPPING it should work fine16:16
*** alejandrito has joined #openstack-keystone16:16
*** stevemar_ has quit IRC16:17
*** stevemar_ has joined #openstack-keystone16:18
*** ChanServ sets mode: +o stevemar_16:18
alextricityOh okay. I'll keep digging into openstack_auth to see where my problem is, but to be clear, this wouldn't be a problem with the auth_context not being populated right?16:19
*** tonytan4ever has joined #openstack-keystone16:19
marekdalextricity: no16:19
marekdi already told you16:19
marekdtry the url by hand16:19
marekdi posted it earlier16:19
openstackgerritHenrique Truta proposed openstack/keystone: Change project name constraints  https://review.openstack.org/15837216:20
*** marzif has joined #openstack-keystone16:20
alextricitymarekd: ah..sorry. So much text16:21
marekdalextricity:16:21
marekdi gotta go for now16:21
alextricitymarekd: For sure. Thanks for your time :)16:21
marekdtry it and ping me tomorrow if you have problems16:21
alextricityAlright. thank you16:21
marekdalextricity: it's more like misconfiguration rather than actual bug in the code.16:21
alextricitymarekd: Yeah probably. I tried hitting that URL by hand but I get the same message. I'll keep working on it! Thanks again16:22
*** yottatsa has quit IRC16:24
*** hrou has quit IRC16:24
*** hrou has joined #openstack-keystone16:24
openstackgerritSteve Martinelli proposed openstack/keystone: Sample Identity endpoints changed to unversioned  https://review.openstack.org/13066916:24
*** hrou has quit IRC16:24
*** ngupta has quit IRC16:25
*** ngupta has joined #openstack-keystone16:25
*** yottatsa has joined #openstack-keystone16:26
*** jistr has quit IRC16:26
dolphmanyone know of a git shortcut to effectively "delete the current branch"16:26
*** e0ne has quit IRC16:28
openstackgerritSteve Martinelli proposed openstack/keystoneauth: Update the project description  https://review.openstack.org/23086616:28
stevemar_dolphm: ^16:29
*** geoffarnold has quit IRC16:30
*** geoffarnold has joined #openstack-keystone16:31
*** lhcheng has joined #openstack-keystone16:32
*** ChanServ sets mode: +v lhcheng16:32
*** bknudson has left #openstack-keystone16:34
*** bknudson has joined #openstack-keystone16:35
*** ChanServ sets mode: +v bknudson16:35
*** bknudson has left #openstack-keystone16:35
*** bknudson has joined #openstack-keystone16:35
*** ChanServ sets mode: +v bknudson16:35
*** jaosorior has quit IRC16:36
*** jaosorior_ has joined #openstack-keystone16:36
*** alejandrito has quit IRC16:37
*** ayoung has joined #openstack-keystone16:37
*** ChanServ sets mode: +v ayoung16:37
stevemar_dolphm: oh right, one more thing16:38
*** raildo is now known as raildo-afk16:38
stevemar_dolphm: https://review.openstack.org/#/c/230231/16:38
stevemar_or bknudson16:38
bknudsonstevemar_: I can take a look.16:40
bknudsonstevemar_: we don't have the fix released in master yet.16:40
stevemar_bknudson: yes we do16:40
stevemar_https://review.openstack.org/#/c/230151/16:41
bknudsonstevemar_: according to this there is no tag with that commit -- http://git.openstack.org/cgit/openstack/python-keystoneclient/log/16:41
*** raildo-afk is now known as raildo16:41
stevemar_bknudson: its the first one on the list16:42
bknudsonstevemar_: there's no tag for it16:42
bknudsonit hasn't been released16:42
bknudsonthe last release was 1.7.116:43
stevemar_bknudson: its gotta be released as a refresh in master before refreshed in liberty? that seems odd16:47
bknudsonI guess since we don't have a master release yet it should be fine.16:48
bknudsonit'll be strange to have master say it's at 1.7.1 while stable is at 1.7.2.16:49
*** ngupta has quit IRC16:50
*** richm has joined #openstack-keystone16:50
stevemar_bknudson: asking dhellmann in -relmgr-office16:50
*** jasonsb_ has joined #openstack-keystone16:51
stevemar_bknudson: master will be bumped up to 1.8.0 as soon as we need to release something16:51
*** geoffarnold has quit IRC16:52
*** geoffarnold has joined #openstack-keystone16:52
bknudsonstevemar_: don't we need to release this bug fix?16:53
*** kiran-r has joined #openstack-keystone16:53
stevemar_bknudson: you have successfully confused me and everything i thought i knew about stable16:54
openstackgerritDavid Stanek proposed openstack/keystone: Adds a base class for functional tests  https://review.openstack.org/20314216:55
dstanekmarekd: ^ that will do it16:55
*** jasonsb_ has quit IRC16:56
dstanekmarekd: i also moved the test_v3 stuff you were importing to a more common place16:56
*** atiwari has joined #openstack-keystone16:56
*** jaosorior_ has quit IRC16:58
*** jaosorior has joined #openstack-keystone16:59
openstackgerritDolph Mathews proposed openstack/keystoneauth: Update the project description  https://review.openstack.org/23086617:00
*** su_zhang_ has joined #openstack-keystone17:00
openstackgerritDolph Mathews proposed openstack/keystoneauth: Remove "Features" section from README  https://review.openstack.org/23109417:02
openstackgerritDolph Mathews proposed openstack/keystoneauth: Make RST section delineation length match title  https://review.openstack.org/23109617:04
*** roxanagh_ has quit IRC17:04
dolphmstevemar_: morgan: dhellmann: why aren't our package releases getting to pypi? problem or missed step with the new release tooling? https://bugs.launchpad.net/keystoneauth/+bug/150250117:06
openstackLaunchpad bug 1502501 in keystoneauth "releases not published to pypi" [Undecided,New]17:06
*** roxanagh_ has joined #openstack-keystone17:06
amakarovbknudson, o/17:07
*** ngupta has joined #openstack-keystone17:08
*** marzif has quit IRC17:09
*** thiagop has quit IRC17:09
amakarovbknudson, in https://review.openstack.org/#/c/229865/ you are fixing 1-liners and also doing many edits, can these edits be considered related to this CR?17:09
*** iurygregory has quit IRC17:09
lbragstaddolphm: random thought on the fernet + tempest issues17:09
*** pauloewerton has quit IRC17:10
amakarovbknudson, you are changing documentation after all...17:10
lbragstaddolphm: mysql truncates subsecond precision, but how does it do that? Does it ever round up? Does it always round down? I'm trying to test manually now17:10
dolphmlbragstad: i believe the docs say it simply truncates unsupport precesion17:11
dolphmunsupported* precision*17:11
*** aix has joined #openstack-keystone17:11
lbragstaddolphm: this is what i'm testing manually - http://cdn.pasteraw.com/etjprig71cmtj4vjh2hc1dufpzha01g17:12
*** geoffarn_ has joined #openstack-keystone17:13
*** geoffarnold has quit IRC17:14
dolphmlbragstad: weird, what version is that?17:14
lbragstaddolphm: Server version: 5.5.44-0ubuntu0.14.04.1 (Ubuntu)17:14
lbragstaddolphm: this was on my tempest box17:14
*** pnavarro|off has quit IRC17:15
dolphm"However, when MySQL stores a value into a column of any temporal data type, it discards any fractional part and does not store it."17:16
dolphmlbragstad: what does "SELECT NOW(6);" return?17:16
*** e0ne has joined #openstack-keystone17:17
lbragstaddolphm: interesting, the truncation works as you describe it in maria17:17
dolphmlbragstad: maria 5.5?17:17
lbragstaddolphm: 10.0.21-MariaDB-1~trusty-wsrep-log17:18
*** raildo is now known as raildo-afk17:18
lbragstaddolphm: select now(6) returns - 2015-10-05 17:07:01.41960817:19
dolphmlbragstad: in mysql 5.5 or maria 10.0.21?17:19
*** thiagop has joined #openstack-keystone17:20
lbragstaddolphm: in maria 10.0.21 it returns subsecond precision17:21
*** tellesnobrega is now known as tellesnobrega_af17:21
*** stevemar_ has quit IRC17:21
*** richm has quit IRC17:26
*** raildo-afk is now known as raildo17:30
*** openstackgerrit has quit IRC17:31
*** openstackgerrit has joined #openstack-keystone17:32
*** samleon has joined #openstack-keystone17:32
*** itlinux has joined #openstack-keystone17:33
*** jsavak has quit IRC17:33
lhchengquestion on KSM, when there's no memcache_servers defined on the config, it uses a _CachePool() in the code.  Does that mean it is still performing some caching?17:34
*** alejandrito has joined #openstack-keystone17:34
lhchenghttps://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/_cache.py#L14917:34
*** jsavak has joined #openstack-keystone17:34
*** geoffarn_ has quit IRC17:34
*** geoffarnold has joined #openstack-keystone17:35
*** stevemar_ has joined #openstack-keystone17:36
*** ChanServ sets mode: +o stevemar_17:36
*** alejandrito has quit IRC17:38
*** jsavak has quit IRC17:47
*** jsavak has joined #openstack-keystone17:47
*** raildo is now known as raildo-afk17:48
morganlhcheng: by default keystonemiddleware does in-memory caching. I've long wanted to make that not the case and require caching to be opt in only17:49
morgandolphm lbragstad: mysql/maria started supporting subsecond precision at some point. But we dont have a hard mysql version requirement for openstack, we cannot assume it will be the case.17:50
*** iurygregory has joined #openstack-keystone17:50
*** diazjf has joined #openstack-keystone17:52
*** tellesnobrega_af is now known as tellesnobrega17:53
*** yottatsa has quit IRC17:54
*** yottatsa has joined #openstack-keystone17:54
*** itlinux has quit IRC17:54
*** geoffarnold has quit IRC17:56
samueldmqlbragstad: the backport to kilo is actually failing in our tests17:56
*** doug-fis_ has joined #openstack-keystone17:56
*** geoffarnold has joined #openstack-keystone17:56
*** doug-fish has quit IRC17:56
*** tellesnobrega is now known as tellesnobrega_af17:59
htrutahey henrynash, are you around?17:59
lbragstadsamueldmq: thanks for the heads up... looking17:59
htrutahenrynash: I'm just a little bit concerned about your first comment here: https://review.openstack.org/#/c/213448/18/keystone/resource/core.py17:59
*** tellesnobrega_af is now known as tellesnobrega18:01
*** openstackgerrit has quit IRC18:01
*** openstackgerrit has joined #openstack-keystone18:02
lhchengmorgan: in-memory caching, that means just per process caching?18:04
openstackgerritSteve Martinelli proposed openstack/keystone: add initiator to v2 calls for additional auditing  https://review.openstack.org/23112318:05
*** jasonsb has joined #openstack-keystone18:06
morganYes18:06
bknudsonamakarov: I don't think I have any docstring changes in flight.18:07
bknudsonor the ones that I do have are fixing rst issues rather than pep25718:07
amakarovbknudson, for ex.: https://review.openstack.org/#/c/229865/1/keystone/contrib/federation/utils.py,cm18:08
bknudsonamakarov: what about it?18:08
lhchengmorgan: I see..  does KSM also cache the token it presents to keystone for token validation?18:09
amakarovbknudson, you are changing not only PEP257, but also the contents of a docstring18:10
bknudsonamakarov: I didn't change that, it was dolphm18:10
*** jasonsb has quit IRC18:10
amakarovbknudson, oh, sorry  - I've reviewed the set of changes and didn't notice that not only you are among the authors :)18:12
morganlhcheng: not sure what you're asking?18:12
amakarovdolphm, in https://review.openstack.org/#/c/229865/ you are fixing 1-liners and also doing many edits, can these edits be considered related to this CR?18:13
*** kiran-r has quit IRC18:13
*** aix has quit IRC18:14
*** raildo-afk is now known as raildo18:14
*** mylu has joined #openstack-keystone18:14
*** geoffarn_ has joined #openstack-keystone18:17
*** roxanagh_ has quit IRC18:18
*** geoffarnold has quit IRC18:18
dolphmbknudson: amakarov: many of pep257's requirements will require rewriting docstrings to be compliant. that's the goal. our docstrings suck.18:18
bknudsondoes the pep257 or some other checker validate correct use of :raises: and :param: and stuff?18:19
bknudsonthat would also be handy18:19
openstackgerritHenrique Truta proposed openstack/keystone: Manager support for projects acting as domains  https://review.openstack.org/21344818:19
openstackgerritHenrique Truta proposed openstack/keystone: Change project name constraints  https://review.openstack.org/15837218:19
openstackgerritHenrique Truta proposed openstack/keystone: Add is_domain parameter to get_project_by_name  https://review.openstack.org/21060018:19
amakarovdolphm, so these are not just unrelated changes, they are to satisfy pep 257 requirements?18:19
*** diazjf has quit IRC18:20
dolphmamakarov: unless you have an idea about how to rewrite the docstring's one line summary to fit in a single line...18:20
bknudsonamakarov: try it out. check out the change and revert the line and see if it still passes.18:21
*** itlinux has joined #openstack-keystone18:21
dolphmamakarov: if you have an alternative solution, i'd be happy to revise18:21
* amakarov trying it out18:22
bknudsonI wouldn't get too hung up on unrelated doc changes. It's really unlikely this is going to be reverted.18:22
*** jasonsb has joined #openstack-keystone18:24
amakarovbknudson, do these 1-liners have some considerable impact on resulting (generated) documentation?18:25
amakarovbknudson, tox -r -e pep8 succeeded on HEAD^ for that change...18:26
bknudsonamakarov: the docstrings for keystone are so useless I don't think it will have a considerable impact. The goal is to not have to spend time commenting on pep257 violations in reviews.18:27
bknudsonamakarov: it was the change in tox.ini that caused the docstrings to fail18:27
*** dims_ has quit IRC18:27
*** thiagop has quit IRC18:28
amakarovbknudson, well, let's consider that changes related to the change18:28
*** jasonsb has quit IRC18:29
*** browne has joined #openstack-keystone18:30
amakarovdolphm, https://review.openstack.org/#/c/229855/1/keystone/common/base64utils.py,cm18:30
amakarovif r""" is used, what will '\\' yield as a result in the doc?18:31
amakarovdolphm, I fear some magic is here too :)18:32
*** thiagop has joined #openstack-keystone18:32
*** Guest14841 is now known as tsymanczyk18:32
*** yottatsa has quit IRC18:33
*** su_zhang_ has quit IRC18:34
*** atiwari has quit IRC18:37
*** geoffarnold has joined #openstack-keystone18:39
*** geoffarn_ has quit IRC18:39
*** hrou has joined #openstack-keystone18:41
dolphmamakarov: i believe you're correct, the escape should be removed18:41
*** mylu has quit IRC18:41
*** jsavak has quit IRC18:42
dolphmamakarov: otherwise the escape is rendered in the output because it's treated as a raw string18:42
dolphmamakarov: to demo, http://cdn.pasteraw.com/63b2fod4jvwgkmic99p5cy7zjc6ae8718:44
*** links has quit IRC18:44
*** mylu has joined #openstack-keystone18:45
*** raildo is now known as raildo-afk18:45
*** raildo-afk is now known as raildo18:45
amakarovdolphm, yes, I've tried this out in the Python console, but wasn't sure if it is handled by sphinx(python) only18:45
*** marzif has joined #openstack-keystone18:46
dolphmamakarov: sphinx parses docstrings per pep257 as far as i'm aware. i'm not sure if you've read the pep, but it goes as far as including parsing algorithms.18:46
dolphmamakarov: if you want to play with pep257, i have a sample file that A) passes pep257, and B) illustrates every major assertion of pep257 http://dolphm.com/pep257-good-python-docstrings-by-example/18:47
*** akanksha_ has joined #openstack-keystone18:47
*** jsavak has joined #openstack-keystone18:47
amakarovdolphm, you are right: I'm used to check using pep8 only18:48
amakarovand read it of course :)18:48
*** diegows has joined #openstack-keystone18:48
openstackgerritDolph Mathews proposed openstack/keystone: Fix D301: Use r”“” if any backslashes in your docstring (PEP257)  https://review.openstack.org/22985518:48
openstackgerritDolph Mathews proposed openstack/keystone: Fix D210: No whitespaces allowed surrounding docstring text (PEP257)  https://review.openstack.org/22985718:49
openstackgerritDolph Mathews proposed openstack/keystone: Fix D200: 1 line docstrings should fit with quotes (PEP257)  https://review.openstack.org/22986518:49
openstackgerritDolph Mathews proposed openstack/keystone: Fix D202: No blank lines after function docstring (PEP257)  https://review.openstack.org/22988718:49
openstackgerritDolph Mathews proposed openstack/keystone: Fix D204: blank line required after class docstring (PEP257)  https://review.openstack.org/22989818:49
openstackgerritDolph Mathews proposed openstack/keystone: Promote an arbitrary string to be a docstring  https://review.openstack.org/22991618:49
*** stevemar_ has quit IRC18:50
*** stevemar_ has joined #openstack-keystone18:50
*** ChanServ sets mode: +o stevemar_18:50
*** amakarov is now known as amakarov_away18:51
*** roxanagh_ has joined #openstack-keystone18:52
*** marzif has quit IRC18:54
*** marzif has joined #openstack-keystone18:55
*** stevemar_ has quit IRC18:55
*** dims_ has joined #openstack-keystone18:58
*** dims_ has quit IRC18:58
*** dims_ has joined #openstack-keystone18:59
*** jaosorior has quit IRC18:59
*** geoffarnold has quit IRC19:00
*** geoffarnold has joined #openstack-keystone19:00
openstackgerritHenrique Truta proposed openstack/keystone: Tests for projects acting as domains  https://review.openstack.org/21121919:01
*** gyee has joined #openstack-keystone19:03
*** ChanServ sets mode: +v gyee19:03
*** dims_ has quit IRC19:03
dolphmcode reviews have come a long way https://review.openstack.org/#/c/28519:05
*** SpamapS has joined #openstack-keystone19:06
SpamapSHey keystoners..19:06
SpamapSWas there ever resolution on "how to do key revocation without deleting an unpredictably large number of keys at any given time" ?19:06
*** e0ne has quit IRC19:06
SpamapSerr19:06
SpamapSs/key/token/19:06
openstackgerritDolph Mathews proposed openstack/keystone: Add docstring validation  https://review.openstack.org/22968919:07
openstackgerritDolph Mathews proposed openstack/keystone: Fix D210: No whitespaces allowed surrounding docstring text (PEP257)  https://review.openstack.org/22985719:07
openstackgerritDolph Mathews proposed openstack/keystone: Fix D202: No blank lines after function docstring (PEP257)  https://review.openstack.org/22988719:07
openstackgerritDolph Mathews proposed openstack/keystone: Fix D300: Use """triple double quotes""" (PEP257)  https://review.openstack.org/22985319:07
openstackgerritDolph Mathews proposed openstack/keystone: Fix D208: Docstring over indented. (PEP257)  https://review.openstack.org/22983719:07
openstackgerritDolph Mathews proposed openstack/keystone: Fix D301: Use r”“” if any backslashes in your docstring (PEP257)  https://review.openstack.org/22985519:07
openstackgerritDolph Mathews proposed openstack/keystone: Fix D402: First line should not be the function's "signature" (PEP257)  https://review.openstack.org/22983919:07
openstackgerritDolph Mathews proposed openstack/keystone: Fix D200: 1 line docstrings should fit with quotes (PEP257)  https://review.openstack.org/22986519:07
openstackgerritDolph Mathews proposed openstack/keystone: Fix D204: blank line required after class docstring (PEP257)  https://review.openstack.org/22989819:08
openstackgerritDolph Mathews proposed openstack/keystone: Promote an arbitrary string to be a docstring  https://review.openstack.org/22991619:08
morganSpamapS: you mean with fernet?19:08
morganSpamapS: or.. Uh19:08
morganWait with the s// i dont know what you're asking19:08
dolphmSpamapS: ^^ i was just about to ask if you have a bug or something??19:09
dolphmSpamapS: also not sure if you're referring to the old revocation list, mass-deleting UUID/PKI tokens in sql, or token revocation events19:10
SpamapSrevocation events19:10
SpamapSwith fernet tokens19:10
dolphmSpamapS: what was unpredictable about them?19:11
SpamapSdolphm: it would delete any expired events on any new revocation19:11
SpamapSso sometimes, 100ms responsetime, sometimes 10s19:11
dolphmSpamapS: ah, that's morgan's patch19:11
morgandolphm: ?19:12
dolphmSpamapS: the old behavior was to delete old revocation events on every token validation. the new behavior is to delete old revocation events each time a new revocation event is issued19:12
morganOh.19:12
morganYeah19:12
morganOld events dont really matter if they linger19:13
*** wolsen_ is now known as wolsen19:13
dolphmwell, they do :-/19:13
morganAs long as they are cleaned up?19:13
dolphmif you have a whole lot, token validations are slow. if you have a lot of events in a short time, and then never have any again, then validations will be slow forever19:13
SpamapSSo there's never been thought given to just clearing them out in batches or as an asynchronous background process?19:14
morganWe can fix the "load events" query to ignore expired19:14
morganThat would be easy19:14
*** jsavak has quit IRC19:15
*** jsavak has joined #openstack-keystone19:15
dolphmmorgan: how often are they reloaded from DB? i assume we're caching them, although i haven't seen that code19:15
SpamapSignoring expired would add a range filter, meaning different index usage profile19:15
morganSpamapS: and i think that is a fine compromise.19:16
morgandolphm: we sortof cache them19:16
morganBut it would be easy to curate in memory.19:16
*** stevemar_ has joined #openstack-keystone19:16
*** ChanServ sets mode: +o stevemar_19:16
SpamapSIt's kind of a medium priority btw. The reality is that token invalidation should not be super common in a cloud that isn't just being tested for keystone functionality. ;)19:17
morganSpamapS: it is possible to add a flush mechanism.19:17
dolphmSpamapS: most of the bugs we've seen with fernet are a result of aggressive testing, not real world issues19:17
SpamapSdolphm: right, thats what I see here too.19:17
SpamapSRally sets up 100 users and then deletes them all.19:18
SpamapSAnd goes "HEY THAT TOOK A LONG TIME"19:18
dolphm:)19:18
SpamapSThe other bit that our testers had was that token validation was _SUPER_ CPU hungry19:19
SpamapSon account of having to rebuild the catalog over and over and over19:19
SpamapSThey've set that as medium as well, since they can just throw cores at that problem.19:20
morganSpamapS: i've always seen rally scenarios for keystone to be very non-representative of real world uses. Highly contrived and not super useful unless you look at the avg over time responses19:20
morganSpamapS: i think we have caching for the catalog now which helps19:20
SpamapSyeah, one problem is these testers are pointed at Kilo.19:20
*** geoffarn_ has joined #openstack-keystone19:21
*** geoffarnold has quit IRC19:22
boris-42SpamapS: you can use existing users19:23
boris-42morgan: so very disagree on this19:23
morganboris-42: rally scenarios are absolutely not real work representative for keystone. Never have been. The data is not very useful unless you are comparing it across runs.19:24
boris-42morgan: for example authentication one is very representative19:24
morganboris-42: only sortof. It is so highly contrived in setup i still disagree19:25
dolphmlbragstad: where's your catalog caching patch? ^19:25
morganboris-42: but then again I have (as you know) not been a huge fan of rally. So take my view with a grain of salt19:25
SpamapSboris-42: I may recommend that to my testers. Right now we're just filtering the user delete as low priority.19:26
SpamapSmorgan: until I see an alternative that does what it does, I'm a fan of Rally. Contrived performance tests trump no performance tests.19:26
dolphmSpamapS: what does it do that you don't get from other performance testing tools?19:27
SpamapSI'd rather look at a bad result and go "yeah, that test needs work" than try to grok what will happen by reading code and docs. ;)19:27
morganSpamapS: and i dont disagree with value. I disagree with using it in isolation of subsequent tests. Compare runs of rally avgs. Dont use it once and use that data19:27
SpamapSdolphm: I haven't seen another comprehensive openstack performance testing tool?19:27
dolphmSpamapS: well that's not a compliment of the tool itself, but rather of the established test suite19:28
morganSpamapS: it shows value as a run over run avg/progression. It is close to useless as a one-off test19:28
SpamapSdolphm: +1 to that. :) The tool does have useful outputs as well.19:28
SpamapSmorgan: I'd agree with that assessment. :)19:28
lbragstaddolphm: I have it marked as wip somewhere19:29
morganSpamapS: and as better scenarios are written my view might change.19:29
SpamapSI'd also judge most performance testing tools I've used as such. :)19:29
lbragstaddolphm: https://review.openstack.org/#/c/215212/19:29
dolphmSpamapS: i'd be curious to hear your results after adding that to your performance tests ^ if the current patchset does not break your test suite outright19:29
*** itlinux has quit IRC19:30
dolphmSpamapS: (it doesn't do cache invalidation properly yet)19:30
*** sdake has joined #openstack-keystone19:30
SpamapSdolphm: oh lovely, I was going to have to write that if it didn't already exist. :)19:30
morganThat patch is a recipe for disaster since invalidations can't occur with it easily19:31
*** mylu has quit IRC19:31
morganBut it should show the benefit of caching19:31
*** mylu has joined #openstack-keystone19:32
dolphmaside: what the hell does CatalogDriverV8 mean?19:32
*** mylu has quit IRC19:32
morgandolphm: its to show compatibility with the different driver interfaces19:32
*** mylu has joined #openstack-keystone19:32
morganSo if we add a method / remove / change - it would be v9 next19:32
dolphmoooh, *that* change landed19:33
morganIt is the start of the stable driver interface work19:33
morganYeah19:33
dolphmi must have never noticed19:33
morganThen it landed smoothly ;)19:33
morganThe versions all just started at 8 because this was keystone v8 in liberty19:34
dstanek... and under the radar19:34
morgandolphm: not sure how to invalidate all the caches with user_id etc in there :(19:35
morganUnless... We use some other value as a seed for the cache key in the generator19:35
morganWhen you change the catalog the seed changes?19:36
morganI probably could brew something up to handle it.19:36
dolphmmorgan: does dogpile have an invalidate_all() or something?19:36
morganYes for a whole region19:36
morganBut we share a region across all caches atm19:36
*** marzif has quit IRC19:37
morganWe could spin up a new region or find a way to wedge a "seed" value into the args. Both are reasonably complex efforts with how caching is built in keystone19:38
dolphmmorgan: hmm19:39
dolphmmorgan: the challenge with lance's patch is that certain operations will require invalidating all cached catalogs, so you may as well have a discrete cache region and invalidate the whole thing?19:40
*** jsavak has quit IRC19:41
*** jsavak has joined #openstack-keystone19:42
morganYes. Or a value that is used to calculate the cache keys that changes when you need to invalidate with the current (shared) region19:42
*** geoffarnold has joined #openstack-keystone19:43
*** geoffarn_ has quit IRC19:43
stevemar_lbragstad: gah, your patch is failing cause of the grenade issue19:44
*** henrynash has quit IRC19:44
*** itlinux has joined #openstack-keystone19:45
*** doug-fis_ is now known as doug-fish19:50
lbragstadstevemar_: grenade issue?19:51
stevemar_lbragstad: yes, https://bugs.launchpad.net/oslo-incubator/+bug/144658319:51
openstackLaunchpad bug 1446583 in oslo.service "services no longer reliably stop in stable/liberty / master" [Critical,New]19:52
stevemar_lbragstad: we might have to cut rc2 without your fix, and cut rc3 when it's more stable19:52
*** mylu has quit IRC19:52
lbragstadstevemar_: ok19:52
*** dims_ has joined #openstack-keystone19:53
lbragstadstevemar_: i don't think it's even entered check yet?19:54
stevemar_lbragstad: right, its an intermittent failure19:54
stevemar_so you might get hit by it, you might not19:55
* lbragstad is feeling lucky19:55
dolphmlbragstad: which fix is that?19:57
dolphmstevemar_: ^19:57
lhchengmorgan: sorry, my question is not that clear. let me step back a bit.19:57
lhchengmorgan: so when KSM needs to validate user token, it looks it up in the cache, if not found it would connect to keystone to validate the token, it will authenticate using the credentials  (service user) provided in [keystone_authtoken] to be able to make the validate token call.19:57
*** dims_ has quit IRC19:57
lbragstadhttps://review.openstack.org/#/c/221786/ dolphm19:57
dolphmah okay19:58
lhchengmorgan: the service token used to make the validate token call, is that also placed in memcache ?19:58
*** mylu has joined #openstack-keystone19:59
dolphmlhcheng: can you clarify, is what about the token placed in which memcache instance?19:59
*** sdake has quit IRC19:59
stevemar_dolphm: https://review.openstack.org/#/c/208064/19:59
openstackgerritHenrique Truta proposed openstack/keystone: Add test case passing is_domain flag as False  https://review.openstack.org/22954920:00
*** jsavak has quit IRC20:00
openstackgerritHenrique Truta proposed openstack/keystone: Filters is_domain=True in v2 get_project_by_name  https://review.openstack.org/22484220:00
*** jsavak has joined #openstack-keystone20:01
bknudsonlhcheng: auth_token uses a regular keystoneclient session which doesn't support caching the token in memcache as far as I know.20:01
lhchengdolphm: I understand KSM places the hashed token as key in the cache for all the user token that has been recently validated.20:01
lhchengdolphm: I am just curious if we do any caching of the service token (credentials used for making validation token call)20:02
alextricitymarekd: stevemar_: RE: oidc keystone federation. Turns out I forgot to include the protocol in the redirect URI20:02
lhchengbknudson: ah20:02
alextricitymarekd: stevemar_ Now i'm working through Unauthorized issues after I log into goole20:03
*** itlinux has quit IRC20:03
alextricitygoogle*20:03
lhchengbknudson: so if I have 20 user requests on nova (with different tokens), KSM will do 20 get token call for the service user?20:03
bknudsonlhcheng: the session can work however it wants to, but it typically will reuse its token until shortly before it expires.20:04
*** geoffarnold has quit IRC20:04
*** geoffarnold has joined #openstack-keystone20:04
bknudsonor maybe it just waits for an unauthorized response from the server before it gets a new token20:04
bknudsonthere was a bug recently fixed where auth_token would get multiple tokens because multiple threads try to auth at the same time20:05
*** atiwari has joined #openstack-keystone20:06
lhchengbknudson: excellent, that's what we hit!20:08
lhchengbknudson: we're doing some perf testing, running 200 user requests in parallel.20:08
*** jasonsb has joined #openstack-keystone20:09
bknudsonlhcheng: https://review.openstack.org/#/q/Ib6487de7de638abc69660c851bd048a8ec177109,n,z20:09
lhchengbknudson: and we noticed, that our internal authentication system has been hammered more than what we expected20:09
*** henrynash has joined #openstack-keystone20:09
*** ChanServ sets mode: +v henrynash20:09
bknudsonlhcheng: looks like the fix for that one hasn't been released.20:09
morganlhcheng: no service tokens are not in memcache afaik, they are in process memory20:10
*** su_zhang_ has joined #openstack-keystone20:10
*** maxabidi has joined #openstack-keystone20:11
*** markvoelker has joined #openstack-keystone20:12
*** roxanagh_ has quit IRC20:13
*** mylu has quit IRC20:13
*** raildo is now known as raildo-afk20:13
lhchengmorgan: okay.. so in our rally performance tests, I noticed that rally re-uses the same token for the 200 concurrent requests, and we wondered why using the same user token would be triggering 200 calls to our internal authentication system.20:14
*** jasonsb has quit IRC20:14
morganlhcheng: maybe jamie fixed the caching thing? I honestly don't remember if we got that fix landed20:14
*** e0ne has joined #openstack-keystone20:15
lhchengmorgan: having the service token not cached at least explains the mystery why so many user/password check happening :)20:15
morganlhcheng: no it doesn't really20:15
boris-42lhcheng: rally doesn't reuse token20:16
*** dims_ has joined #openstack-keystone20:16
*** dims_ has quit IRC20:16
morganif rally is not reusing tokens (^^) then yes 200 requests makes sense20:16
*** dims_ has joined #openstack-keystone20:16
*** csoukup has quit IRC20:17
lhchengboris-42: I thought it is caching the tokens here: https://github.com/openstack/rally/blob/master/rally/osclients.py#L29520:18
*** raildo-afk is now known as raildo20:18
*** henrynash has quit IRC20:19
lhchengboris-42: for  concurrent tests, it doesn't re-use the token? think we set the configure in here: https://github.com/openstack/rally/blob/master/rally-jobs/rally-ironic.yaml20:21
*** tqtran_ has joined #openstack-keystone20:21
lhchengmorgan: cool, I'll ping jamie later in the day to check the current state.20:22
*** raildo is now known as raildo-afk20:23
*** geoffarnold has quit IRC20:25
*** geoffarnold has joined #openstack-keystone20:25
*** jbell8 has joined #openstack-keystone20:28
lhchengbknudson: thanks for the link! this will be handy20:29
*** roxanagh_ has joined #openstack-keystone20:29
lhchengdims_: hello, curious why you abandoned this patch: https://review.openstack.org/#/c/229361/ ?20:29
*** agireud has joined #openstack-keystone20:31
dims_lhcheng: do you feel it's useful? restored20:31
*** john5223 is now known as zz_john522320:32
*** jsavak has quit IRC20:32
*** jsavak has joined #openstack-keystone20:33
*** diegows has quit IRC20:35
lhchengdims_: thanks! yeah, seems useful.  will ask jamie later for more info, if he thinks backport worthy.20:36
*** erhudy has quit IRC20:39
openstackgerritEric Brown proposed openstack/keystone: Handle 16-char non-uuid user IDs in payload  https://review.openstack.org/22612120:45
opilottei'm having a problem with tox: DistributionNotFound: No distributions at all found for .[ldap,memcache,mongodb]20:48
opilotteanyone ran into this problem?20:48
*** aix has joined #openstack-keystone20:49
openstackgerritEric Brown proposed openstack/keystone: Handle 16-char non-uuid user IDs in payload  https://review.openstack.org/22612120:53
openstackgerritDolph Mathews proposed openstack/keystone: Add caching to get_catalog  https://review.openstack.org/21521221:01
dolphmSpamapS: mfisch: morgan: lbragstad: dstanek: ^ got this patch passing but had to introduce a second cache region due to the unique requirement for cache invalidation behavior. fixtures and things were affected, but hopefully it's sufficiently clean. it should certainly be worth performance testing as-is.21:03
lbragstaddolphm: awesome, thanks for picking that up21:04
openstackgerritDolph Mathews proposed openstack/keystone: Add caching to get_catalog  https://review.openstack.org/21521221:05
dolphmlbragstad: i've been meaning to for awhile :-/21:05
*** tonytan4ever has quit IRC21:06
openstackgerritDolph Mathews proposed openstack/keystone: Add caching to get_catalog  https://review.openstack.org/21521221:08
*** geoffarn_ has joined #openstack-keystone21:08
openstackgerritDolph Mathews proposed openstack/keystone: Add caching to role assignments  https://review.openstack.org/21571521:08
openstackgerritEric Brown proposed openstack/keystone: Trivial fix of some typos found  https://review.openstack.org/23118921:08
*** zigo has quit IRC21:09
*** maxabidi has quit IRC21:09
slbergerAre revocation events stored in memcache when enabled for resources?21:09
*** zigo has joined #openstack-keystone21:10
*** geoffarnold has quit IRC21:12
*** zz_john5223 is now known as john522321:12
mfischdolphm: nice!21:13
mfischdolphm: whats the speedup?21:13
openstackgerritBrant Knudson proposed openstack/keystoneauth: auto-generate release history  https://review.openstack.org/22765721:16
dolphmmfisch: have not performance tested myself -- just got the thing passing unit tests :)21:17
dolphmmfisch: there's another patch after it that should have a similar benefit, but it also needs similar work IIRC. haven't looked at it recently21:17
mfischdolphm: I'm still working on getting our K upgraded to L-ish, but that wont be until after Tokyo at this point21:18
mfischI'm happy to help test tho21:18
*** geoffarn_ is now known as geoffarnold21:24
lbragstaddolphm: regarding https://review.openstack.org/#/c/231191/2 i don't think we have a doc patch21:24
*** phalmos has quit IRC21:24
lbragstaddolphm: mfisch https://review.openstack.org/#/c/215715/ should have a similar performance benefit to the first caching patch21:25
lbragstadbut, it needs some work21:25
*** marzif has joined #openstack-keystone21:26
mfischdolphm: the catalog one will only help getting tokens not validating right?21:27
lhchengkeystone history question, did we re-use token for the GET token call before?21:28
lhchengRight now, every time I make a call GET token, it always return a new token.21:28
*** marzif has quit IRC21:29
morganlhcheng: huh?21:29
*** geoffarnold has quit IRC21:29
mfischlhcheng: that was HP special sauce21:29
morganlhcheng: there was an edge case at one point where a PKI token could be re-issued identically21:29
*** marzif has joined #openstack-keystone21:29
bknudsonI hope GET of a token doesn't return a new token.21:29
morganand HP did magic awful re-issue logic21:29
lhchengmorgan: when I make a call to "keystone token-get " I always get a new token.21:29
morganthat re-authenticates21:29
morganso eys21:29
lhchengmfisch: yeah, that could be the HP special sauce :P21:30
morganyes*21:30
mfischyes absolutely21:30
mfischJason has been bugging me to add it here21:30
morganmfisch: don't do it21:30
morganmfisch: it is a trap21:30
*** geoffarnold has joined #openstack-keystone21:30
mfischworking for HP you mean?21:31
mfisch"i'll be here all week thanks you've been a great audience"21:32
* lhcheng understands how mfisch feels when Jason asks for features :P21:32
lbragstadlhcheng: token-get is a POST21:33
lbragstadto /auth/tokens/21:33
lbragstadright/21:33
lbragstad?21:33
lbragstadso you *should* be getting a new token21:33
mfischDEBUG:requests.packages.urllib3.connectionpool:"POST /v2.0/tokens HTTP/1.1" 200 641721:33
lhchenglbragstad: yeah, KSC is still doing a POST to /v2.0/tokens21:33
mfischI interpreted the question as "did keystone ever support token re-issue in the tree"21:34
morganmfisch: PKI tokens could be identically re-issued within a 1 second window21:34
lhchengmfisch: your interpretation is right..  I was wondering if keystone ever  supported that.21:35
morganfor a given user/scope combination21:35
morganthis was pre-... Havana?21:35
*** jsavak has quit IRC21:35
mfischlhcheng is having an HP flashback I believe21:35
morganlhcheng: token-get is a "get me a new token" call from the CLI21:35
morganlhcheng: also, don't use the keystone cli21:35
lhchengmfisch: this is bad, I think I am getting sick..21:36
mfischlol21:36
*** thiagop has quit IRC21:36
morganthe reason for the re-issue was because pki token data didn't have any unique values - until subsecond precision was added21:36
morgantoday audit-ids solve the same issue (and better)21:36
lhchengmorgan: yeah, just used something quick to test. do we have the versionless auth in L (/auth/tokens) ?21:37
morganuh21:37
morganversionless auth?21:37
morganno.21:38
morganthat is on the backlog21:38
morgan"good idea but someone has to engineer it"21:38
lhchengusing /auth/tokens instead of /v2.0/tokens21:38
lhchengokay..21:38
*** topol has quit IRC21:40
lhchengmorgan: good to know for the PKI token re-issue bug21:42
morganlhcheng: but any modern/supported vintage of keystone will not reissue the same token twice21:42
morgani think we fixed that issue in icehouse21:43
lbragstadfor UUID tokens, right?21:43
*** edmondsw has quit IRC21:44
*** jbell8 has quit IRC21:47
*** jbell8 has joined #openstack-keystone21:48
*** jbell8 has quit IRC21:49
bknudsonso even PKI tokens can be switched to use seconds for timestamps.21:51
*** e0ne has quit IRC21:51
openstackgerritDavid Stanek proposed openstack/keystone: Adds a base class for functional tests  https://review.openstack.org/20314221:51
*** e0ne has joined #openstack-keystone21:54
*** jasonsb has joined #openstack-keystone21:57
*** harlowja has quit IRC21:59
*** e0ne has quit IRC22:01
*** jasonsb has quit IRC22:01
*** stevemar_ has quit IRC22:02
*** stevemar_ has joined #openstack-keystone22:02
*** ChanServ sets mode: +o stevemar_22:02
openstackgerritBrant Knudson proposed openstack/keystone: Reclassify get_project_by_name() controller method  https://review.openstack.org/23120722:04
morganbknudson: yes22:04
*** marzif has quit IRC22:04
*** stevemar_ has quit IRC22:05
*** stevemar_ has joined #openstack-keystone22:05
*** ChanServ sets mode: +o stevemar_22:05
*** sigmavirus24 is now known as sigmavirus24_awa22:06
openstackgerritMerged openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/23057822:08
*** chlong has joined #openstack-keystone22:10
*** hrou has quit IRC22:11
*** ngupta has quit IRC22:12
*** geoffarnold has quit IRC22:12
*** geoffarn_ has joined #openstack-keystone22:12
*** openstackgerrit has quit IRC22:16
*** openstackgerrit has joined #openstack-keystone22:17
john5223which part of keystone handles the "methods" when you hit the keystone endpoint? i know it calls into auth/plugins/password.py but who actually calls that based on method=["password"]?22:18
john5223nvm, i think i found it. def load_auth_method22:20
john5223trying to implement something like this:   https://ask.openstack.org/en/question/53047/how-to-implement-2-factor-authentication-in-horizon/22:21
john5223has anyone done that before?22:21
john5223and would i just drop my OTP method inside keystone/auth/plugins then modify keystone.conf to have methods = external,password,token,OTP ?22:24
john5223trying to do it from outside keystone codebase like you can with the external auth plugin architecture but looks like i gotta drop it directly into the keystone project22:24
john5223oh wait:   password = keystone.auth.plugins.password.Password   .. nvm looks like i can have it outside22:25
*** tonytan4ever has joined #openstack-keystone22:31
*** jamielennox|away is now known as jamielennox22:31
dstanekjohn5223: you can definitely have your plugin outside of Keystone22:33
*** geoffarnold has joined #openstack-keystone22:33
john5223awesome. im going to start with that and then maybe contribute back into keystone when i have it all working22:33
*** geoffarn_ has quit IRC22:34
*** jbell8 has joined #openstack-keystone22:36
morganjohn5223: remember that the methods configured in keystone.conf are a logical or (you may use any one of them, or any combination of them), you may need to create a replacement password method that has a hard OTP requirement22:36
*** jbell8 has quit IRC22:38
dstanekmorgan: when you say replacement do you mean a new entrypoint like ot-password?22:40
*** jbell8 has joined #openstack-keystone22:40
morgandstanek: yes. and then in keystone.conf set method password=<new entrypoint>22:40
dstanekmorgan: gotcha, i thought you were saying to register with the same name and tbh i don't know what setuptools does22:41
john5223gotcha. its going to be a little complicated b/c i only have some clients that use otp, some dont so i'll have to dynamically be able to tell.... and then relay that to horizon so i can show the extra OTP form value to fill in22:41
john5223so this will be fun22:41
SpamapSdolphm: hm, the thundering herd would be strong with that cache invalidation.22:41
morganSpamapS: catalog cache invalidation should be infrequent22:42
dstanekSpamapS: for the catalog patch?22:42
*** gordc has quit IRC22:42
SpamapSmorgan: Agree!22:42
SpamapSso I suggest just set a TTL and let it do its work.22:42
dstanekit would be no different than status quo22:42
SpamapS"Endpoint changes will take up to 5 minutes"22:42
morganSpamapS: except we have some enforcement that is dependent on these catalog bits.22:42
SpamapSmorgan: same answer. :)22:42
morganSpamapS: the per-user-per-tenant catalogs are not highly cachable22:43
morganthe global catalog is much more cachable22:43
morganif we cached the global catalog and made the filter efficient22:43
SpamapSmorgan: the patch I'm looking at caches get_catalog22:43
morganit would mean a single hit / invalidate22:43
SpamapSso, per user per project22:43
morganyes. which can be adjusted22:43
morganif the results from the DB are cached, and the filtering etc is cleaned up22:44
morganrather than trying to cache every permutation of user/catalog/scope22:44
morganwe cache the raw results and filter22:44
SpamapSmorgan: the problem right now is the CPU pain of producing the catalog, not so much the DB22:44
morgansingle cache point, single invalidation, minimal thundering herd22:44
morganSpamapS: construct the catalog completely, cache the filter params.22:44
morgane.g. "these endpoints for X user/project" where applicable22:45
morgan(that is easy to invalidate due to the way endpoint filtering works)22:45
morganand do a fast(er) filtering than load, load, compare, build22:45
SpamapSso have a cache key with endpoint in it somehow?22:45
*** raildo-afk is now known as raildo22:45
morganthe two caches are: complete service catalog22:46
morganand "endpoint filter"22:46
morganso you can do a quick apply of the endpoint filter to the complete catalog22:46
morgandict.copy() is less punitive than <create catalog>22:46
morgan(worst case)22:46
morganso worst case scenario: dict.copy().apply_filter22:46
SpamapSso, when I add an endpoint22:47
morganwhich just pops off / dels some keys22:47
SpamapSI have to create a new catalog22:47
SpamapSand then the filtered ones22:47
morganyou'd invalidate the global catalog, next request would be slower but it would cache for everything22:47
morganthe filters are a list of endpoint ids for a project22:47
SpamapSso to make that not thundering-herd, I need a coalesce mechanism22:47
morganif the scope is <project> you apply the filter22:47
SpamapSthe next request would be the next 100 requests22:47
morganif you change the endpoint filter you only invalidate the filter22:47
*** roxanagh_ has quit IRC22:48
*** harlowja has joined #openstack-keystone22:48
morganif you change the global catalog you only invalidate the global catalog22:48
SpamapSunless we use something like gearman and coalesce around a single cache worker22:48
morgandogpile already does this if you don't use in-memory22:48
morganvia a lock in (memcache, or redis)22:48
SpamapSyes, so when I invalidate the global catalog, until it becomes valid again, every worker kicks off the "Make me a new global catalog"22:48
morganyou can even fire off an async runner22:48
SpamapSwhat?22:48
morgandogpile has an async runner concept22:49
SpamapSwat!22:49
* SpamapS reads22:49
morganwhere one worker does a refresh and all others would just use the old value22:49
morganuntil the refresh occurs22:49
SpamapSthat's handy22:49
morgankeystone is not well setup for it, but it could be implemented22:49
SpamapSassuming you don't rely on actual memcached TTL's ;)22:49
morganyou do, but you have a fudge window in there22:49
*** dims__ has joined #openstack-keystone22:49
*** hrou has joined #openstack-keystone22:49
*** dims__ has quit IRC22:49
*** geoffarnold has quit IRC22:50
morganbasically if there is X time left on the cache, refresh it22:50
morganbut if no one comes in within the <X window, it falls out of memcache and is refreshed on demand22:50
*** geoffarnold has joined #openstack-keystone22:50
SpamapSYeah, in past-life-memcache-expert role we just took the developer supplied TTL and doubled it to give to memcache, and then stored a json blob with the real TTL, and when that expired, we pushed a new one into the cache with the old value and now+5min as the ttl, and then only one thread would end up doing the cache refresh22:51
morgandogpile stores a dogpile TTL which can be < backend TTL22:51
SpamapSwhich works great as long as memcached never runs out of space22:51
morganby default they are the same though22:51
SpamapSyeah sounds like dogpile has this technique, which is great22:51
morganthe record really is {<dogpile TTL>, <serialized data>}22:51
SpamapSit just falls apart spectacularly when memcached gets full.22:51
morganwhich isn't *really* dogpile's fault22:52
SpamapSsince memcached starts deleting whatever it damn well wants to22:52
morganand also dogpile does a decent job of just refreshing as needed if the data isn't there22:52
SpamapSwell gearman coalescing is a fantastically simple way to prevent the herd22:52
SpamapSmorgan: but if the data isn't there, dogpile has no old value to give out22:52
morgandogpile has most of the same constructs, but the backend is the limiting factor22:53
SpamapSmorgan: so you have to devise a way to synchronise all of the missers22:53
morganbecause we do block waiting for data to be returned22:53
*** dims_ has quit IRC22:53
SpamapSit's a worst case scenario22:53
SpamapSand the gearman answer is not exactly "simple" :)22:53
morganok got disconnected22:54
morganmissed the last 2-3 things you typed22:54
morganso dogpile does a simple "lock the record" on the backend, all gets will block on the lock (keystone does blocking calls, vs. asyncio)22:54
morganso a "refresh" really is atomic.22:54
morganunless you use the async runner concept22:54
morganprovided the backend is shared [vs. say per-process in-memory]22:55
*** geoffarnold has quit IRC22:55
*** zzzeek has quit IRC22:55
*** geoffarnold has joined #openstack-keystone22:55
SpamapSmorgan: the lock is using memcache CAS+poll?22:56
morganSpamapS: no not that clever22:56
morganSpamapS: memcache add (fails if the record already exists)22:56
morganand poll22:56
*** tonytan4ever has quit IRC22:57
raildomorgan, what is the best way to do a keystone v3 API call in other service? like nova or cinder...22:57
morganto create the lock.22:57
morganCAS isn't implemented everywhere the same way so...22:57
morganit had to be worked around22:57
SpamapSmorgan: ugh22:58
morganraildo: with keystoneclient?22:58
morganraildo: (the library)22:58
morganunless it's just auth, then it's keystoneauth22:58
*** flwang has quit IRC22:58
SpamapSmorgan: this is the second thing that would benefit from having long running not-HTTP-serving keystone workers.22:59
raildomorgan, but I have to create a keystoneclient instance with the user credentials or as the service?22:59
*** roxanagh_ has joined #openstack-keystone22:59
morganSpamapS: sortof22:59
SpamapSmorgan: the other being record cleanup22:59
morganSpamapS: I would say not really.22:59
morganSpamapS: the token/whatever cleanup sure23:00
morganSpamapS: a keystone-manage cron > long running worker process.23:00
SpamapSmorgan: I'm thinking more of a trickling deleter than a batch deleter23:01
morganSpamapS: I'd still make it part of keystone-manage23:01
*** slberger has left #openstack-keystone23:01
morganbut eh23:02
SpamapSmorgan: Well I already did that for TripleO .. ;)23:02
morganI think there are other problems before we get to trickling deletes23:02
SpamapSmorgan: and it worked spectacularly for token deleting, but now we don't have to do that anymore.. ;)23:02
morganthat can be addressed in keystone code23:02
morganmanaging more processes for keystone is already ugly23:02
morgani'd rather (personally) see a batch-delete and optimizations to ignore expired records23:03
SpamapSmorgan: but this dogpile thing is.. well I'm worried it will fall over at higher scale when we start having thousands of api threads polling memcached.23:03
morganSpamapS: we already know it does fall over in memcache with eventlet23:04
morganin fact, python-memcache will fallover via keystonemiddleware23:04
SpamapSthats not a thread. ;)23:04
*** david-ly_ has joined #openstack-keystone23:04
morganin *Every* service23:04
morganit's worse than a thread23:04
*** david-lyle has quit IRC23:04
morganeventlet highlights the thread.local issue(s)23:04
SpamapSSo, ignore the threading model. You have _all of the concurrency of an entire openstack region_ that will want to refresh this catalog when it is invalidated.23:05
morganmemcache is a poor choice in really distributed models anyway23:05
morganbecause lack of replication / scaling up23:05
morganyou basically have a big fat single point of failure23:06
SpamapSerr23:06
SpamapSif you use it that way yeah23:06
morganand the bucketing is *really* badly implemented in python23:06
morganor not depending on the library used23:06
morganor not implemented that is23:06
SpamapSWe're not able to use libmemcached right?23:07
morganin dogpile you can23:07
morgani think?23:07
morganno it's pylibmc?23:07
morganthere are three implemented versions in python that dogpile supports23:07
morganand two of them have severe limitations23:07
morganpython-memcache is a trainwreck.23:07
SpamapSwe can't use it for the same reason we can't use libmysqlclient effectively.23:08
morganand it's pure python23:08
*** raildo is now known as raildo-afk23:08
morganpylibmc i think is mostly usable23:08
SpamapSI guess keystone doesn't have that problem anymore?23:08
SpamapSsince it's happily sitting under apache?23:08
morganand bmemcached has a narrow usecase23:08
morganeven with uwsgi or gunicorn23:08
morganthe issue goes away23:08
SpamapSright23:09
morganeventlet was the real issue there afaict23:09
SpamapSthe binary protocol isn't really a corner case.23:09
morganthe python implementation is rarely used23:10
morganbecause of the limitations of the library23:10
SpamapSbut it looks like the SASL part of python-binary-memcached is the thing people like.23:10
morganyep23:10
morganpretty much the only reason that lib is used23:10
morganpylibmc i think is the best of the native dogpile ones but we couldn't use it in general until... Mitaka23:10
morganand until we rip eventlet out of devstack/keystone we still can't rely on it23:10
morganfor the same reasons as libmysqlclient23:11
morgananyway.23:11
SpamapSlooks like python-binary-memcached doesn't do any hash ringing... :(23:11
SpamapSor hashing at all actually23:12
morganyep23:12
SpamapSit just uses them in fallback mode23:12
morganmost python libs don't do hash ringing23:12
morgansome don't even do fallback mode23:12
SpamapSwhich is o_O23:12
morganagreed23:12
*** flwang has joined #openstack-keystone23:12
morgani nearly forked a memcache lib to solve this ~8mo ago23:13
SpamapSwell is pylibmc bad?23:13
morganbecause this is (frankly) a tiresome limitation23:13
morganpylibmc is good as far as i know23:13
morgani just haven't been able to use it ;)23:13
SpamapSlibmemcached is the defacto standard for hash ring access and binary protocol use23:13
morganit is libmemcache23:14
morganso23:14
SpamapSso the only reason to avoid it would be GIL nonsense.23:14
SpamapSlibmemcached23:14
SpamapSlibmemcache is ZOMG WOW RUN AWAY23:14
morgantypo23:14
morgan:P23:14
SpamapS;)23:14
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/23056423:14
*** jbell8 has quit IRC23:16
*** geoffarn_ has joined #openstack-keystone23:17
*** geoffarnold has quit IRC23:17
*** dims_ has joined #openstack-keystone23:17
*** jbell8 has joined #openstack-keystone23:18
boris-42lhcheng: sorry was not here23:24
boris-42lhcheng: that cache works inside single iteration*23:24
*** zhiyan has quit IRC23:24
boris-42lhcheng: so each scenario iteration starts from authentication23:25
*** zhiyan has joined #openstack-keystone23:26
*** jbell8 has quit IRC23:27
lhchengboris-42: does setting concurrency to 20 means 20 scenario iteration (authenticate 20 times)?23:27
*** jbell8 has joined #openstack-keystone23:27
boris-42lhcheng: so times and concurrency are independent parameters23:28
*** akanksha_ has quit IRC23:28
boris-42lhcheng: concurrency means the amount of iterations in parallel (over the time)23:28
boris-42lhcheng: like 20 means (20 iterations will work in parallel)23:28
boris-42lhcheng: times means total amount of iterations23:29
boris-42lhcheng:  so if you specify 20 times it means that rally will start 20 scenarios and just wait until they finish23:29
lhchengboris-42: so for concurrency, for each of the parallel iteration, will have their own cache?23:34
*** geoffarn_ is now known as geoffarnoldX23:34
lhchengand each have its own keystone token.23:35
*** geoffarnoldX has quit IRC23:37
*** geoffarnold has joined #openstack-keystone23:38
boris-42lhcheng: yep23:40
boris-42lhcheng: but you can write scenarios that behaviours in different wy23:40
boris-42lhcheng: way*23:40
lhchengboris-42: okay, got it now.23:40
lhchengboris-42: the way it works is just right :)23:41
boris-42lhcheng: if you need any help just ping me* (you can do it as well in openstack-rally chat)23:41
lhchengboris-42: thanks for the explanation23:41
lhchengboris-42: will do!23:41
*** stevemar_ has quit IRC23:42
*** stevemar_ has joined #openstack-keystone23:45
*** ChanServ sets mode: +o stevemar_23:45
stevemar_jamielennox: poke, since you are mr. KSA https://review.openstack.org/#/c/227657/23:46
jamielennox stevemar_ done23:47
SpamapSboris-42: just a tiny point of precision missing there. concurrency is not parallel. Parallel operations are _things moving toward the same goal_. Concurrent operations are _things happening at the same time_.23:47
*** jbell8 has quit IRC23:47
stevemar_jamielennox: \o/23:48
SpamapSmorgan: hey, I just thought of something. another option for async update of the cache is to fire off a worker in the background that will pre-compute all possible catalogs. ;)23:48
*** jbell8 has joined #openstack-keystone23:48
jamielennoxwhat's the current catalog problem?23:49
*** dims_ has quit IRC23:50
stevemar_jamielennox: aside from the fact that no one uses it?23:56
jamielennoxstevemar_: that makes scaling it trivial23:56
stevemar_heeh23:56
jamielennoxstevemar_, morgan: i need to look at https://review.openstack.org/225516 for stable/kilo23:57
jamielennoxor i need someone else to look at23:57
openstackgerritMerged openstack/keystoneauth: Update the project description  https://review.openstack.org/23086623:58
openstackgerritMerged openstack/keystoneauth: Remove "Features" section from README  https://review.openstack.org/23109423:58
SpamapSdolphm: https://review.openstack.org/#/c/215212/ <-- I -1'd, because I think it can be _way_ simpler. But I may have missed something so feel free to toss me in a trashcan if that's the case. ;)23:59
*** geoffarn_ has joined #openstack-keystone23:59
