Friday, 2015-10-09

[00:01] <dstanek> morgan: just pushed up my zone files
[00:02] <dstanek> hmm....i should have probably checked them for profanity
[00:02] <morgan> dstanek: LOL
[00:02] <dstanek> nah, looks like i'm all good
[00:03] <morgan> jamielennox: +2
[00:03] <morgan> jamielennox: looks good to me
[00:04] <dstanek> jamielennox: with all the kwargs i can't tell where the endpoint_type is coming from
[00:04] *** david-ly_ has joined #openstack-keystone
[00:04] <jamielennox> dstanek: yea, i never wanted to define all the options because they are going to be plugin specific
[00:05] *** EinstCrazy has quit IRC
[00:05] <jamielennox> dstanek: it's passed as endpoint_filter to request()
[00:05] <jamielennox> or get() or anything else
[00:05] *** david-lyle has quit IRC
[00:06] <dstanek> so the endpoint_filter kwarg seems to have the v2 interface name, but i'm not sure why it's using that
[00:06] <jamielennox> v2 interface name?
[00:06] <dstanek> publicURL
[00:07] <jamielennox> it just passes that through to the plugin, it's the service catalog that's accepting those arguments
[00:07] <jamielennox> 'public' will work just fine there on v2 and v3 plugins
[00:09] *** tull has quit IRC
[00:09] <dstanek> jamielennox: because you have a compat function :-)
[00:09] <dstanek> _normalize_endpoint_type)_
[00:10] <jamielennox> yea, layers on layers of horrible
[00:10] *** su_zhang has quit IRC
[00:11] <dstanek> jamielennox: i couldn't figure out the auth plugin thing so for now i'm just going to tidy up the ServiceCatalog
[00:11] <openstackgerrit> Brant Knudson proposed openstack/keystone: AuthContextMiddleware admin token handling  https://review.openstack.org/198931
[00:12] <stevemar_> so many reviews to look at
[00:12] <stevemar_> mordred: it's a wonder you ever did a single patch
[00:13] <stevemar_> s/did/committed
[00:13] *** topol has joined #openstack-keystone
[00:13] *** ChanServ sets mode: +v topol
[00:13] *** devkulkarni has quit IRC
[00:15] <mordred> stevemar_: I think you wanted morgan
[00:15] <stevemar_> mordred: yep
[00:15] <morgan> stevemar_: welcome to the craziness.
[00:15] <stevemar_> mordred: why do you guys need to share the first three characters
[00:16] *** morgan is now known as mordgan
[00:16] <mordgan> stevemar_: better?
[00:16] <mordgan> *shiftyeyes*
[00:16] *** mordgan is now known as morgan
[00:16] *** mordred is now known as morgred
[00:16] * morgred can play that game too
[00:16] *** zzzeek has quit IRC
[00:16] *** morgan is now known as mordan
[00:16] <mordan> oh this wont confuse anyone
[00:16] *** mordan is now known as mordgan
[00:17] <mordgan> at all
[00:17] <mordgan> morgred: :P
[00:17] <morgred> mordgan: \o/
[00:18] *** topol has quit IRC
[00:18] <dims> dear god!
[00:18] <dstanek> stevemar_: jamielennox: is there a way to force osc not to get the catalog?
[00:18] <dstanek> dims: sounds like the start of a very personal letter
[00:18] <stevemar_> dstanek: nope, we always call /auth/tokens (no &no_catalog option)
[00:19] <jamielennox> dstanek: not really
[00:19] <jamielennox> it doesn't really make sense for OSC
[00:19] <stevemar_> morgred mordgan i have no idea who is who (i disable renames from showing up in irc client)
[00:19] <jamielennox> though you can make an auth plugin that does whatever you like :)
[00:19] <stevemar_> jamielennox: true
[00:19] <mordgan> stevemar_: the last characters of the name are most significant in this case
[00:19] <morgred> dstanek: what are you trying to do
[00:19] <dims> dstanek: i was just getting used to nova's friday nicks!
[00:20] <dstanek> morgred: i just don't want the catalog returned ever
[00:20] <dstanek> i'll just leave my hack in for now
[00:20] <morgred> dstanek: yah - but why? mostly want to grok all the various ways in which people get unhappy
[00:20] <stevemar_> dstanek: any plans on our surprise event tomorrow? :)
[00:21] <openstackgerrit> David Stanek proposed openstack/python-keystoneclient: WIP: DNS-SD proof of concept  https://review.openstack.org/232822
[00:22] <dstanek> i'm proud to say that ^ may be the crappiest code i've ever written
[00:23] *** shadower has joined #openstack-keystone
[00:23] *** gildub has joined #openstack-keystone
[00:27] <dstanek> stevemar_: ugg.... let me finish my email - i've been distracted all day
[00:28] <mordgan> stevemar_ uses distract on dstanek! It is highly effective
[00:28] <stevemar_> dstanek: no pressure dude, send it over to me in IRC and i'll polish it off
[00:28] <stevemar_> mordgan: hehe
[00:28] <stevemar_> mordgan: i wasn't the one distracting him!
[00:29] <dstanek> it was ayoung.... he mentioned the DNS stuff the other day i wanted to finish while the code was fresh in my head
[00:29] *** markvoelker has quit IRC
[00:31] <openstackgerrit> Brant Knudson proposed openstack/keystone: Common arguments for fernet payloads assembly  https://review.openstack.org/230165
[00:31] <openstackgerrit> Brant Knudson proposed openstack/keystone: Normalize fernet payload disassembly  https://review.openstack.org/230181
[00:31] <openstackgerrit> Brant Knudson proposed openstack/keystone: De-duplicate fernet payload tests  https://review.openstack.org/230193
[01:56] <openstackgerrit> Merged openstack/oslo.policy: Custom fixture to avoid external call in HttpCheck  https://review.openstack.org/232725
[02:13] <stevemar_> jamielennox|away: you are in serious janitor mode with the cache bits for keystonemiddleware
[02:37] <stevemar_> mordgan: morgred whichever one morgan is: https://review.openstack.org/#/c/232764/
[03:03] <openstackgerrit> Merged openstack/keystonemiddleware: Create Environment cache pool  https://review.openstack.org/212342
[03:07] <openstackgerrit> Merged openstack/keystonemiddleware: Import _memcache_pool normally  https://review.openstack.org/212343
[03:59] <hidekazu> rodrigods is in?
[04:00] *** chlong has joined #openstack-keystone
[04:00] <hidekazu> I have a question about spec: Add is_domain to the token for projects acting as a domain
[04:05] *** chlong has quit IRC
[04:06] *** roxanagh_ has joined #openstack-keystone
[04:08] *** dims has joined #openstack-keystone
[04:08] <hidekazu> He seems to be not here now..
[04:13] *** mylu has joined #openstack-keystone
[04:16] *** mylu_ has quit IRC
[04:16] *** yasu has joined #openstack-keystone
[04:18] *** chlong has joined #openstack-keystone
[04:19] *** hidekazu has quit IRC
[04:21] <gildub> stevemar_, how to make bug/1475091 evolve?
[04:28] *** fawadkhaliq has joined #openstack-keystone
[04:30] <stevemar_> gildub: evolve?
[04:30] <gildub> gildub, yeah, as opposed to stay in limbo
[04:31] <gildub> gildub, move maybe?
[04:31] <gildub> stevemar_, ^ ^^
[04:31] <gildub> stevemar_, I've sent an email to ayoung
[04:32] <stevemar_> ahhh that bug
[04:32] <gildub> stevemar_, yep
[04:35] *** flwang has quit IRC
[04:35] <stevemar_> gildub: i'm not really sure how to evolve the bug :(
[04:35] *** roxanagh_ has quit IRC
[04:36] *** su_zhang has joined #openstack-keystone
[04:36] <gildub> stevemar_, create an extra field (or use an already there but hidden), like a name or description. But ayoung was against (not really sure why actually, security?)
[04:36] <gildub> jamielennox|away, ^
[04:38] <gildub> stevemar_, for openstack puppet, no trust means not heat setup
[04:38] *** jlk has joined #openstack-keystone
[04:38] <stevemar_> gildub: gah
[04:40] *** markvoelker_ has joined #openstack-keystone
[04:41] *** sdake_ has joined #openstack-keystone
[04:42] *** wwwjfy has quit IRC
[04:43] *** markvoelker has quit IRC
[04:43] <stevemar_> gildub: i think richm's suggestion is reasonable... a hash of project/trustee/trustor/expiration
[04:43] <stevemar_> i'm trying to recall if expiration has a reasonable default
[04:44] *** sdake has quit IRC
[04:46] <stevemar_> oh it just doesn't expire if there is no expires_at
[04:46] <stevemar_> that's super
[04:47] <stevemar_> actually, i think that'll be OK
[04:47] <stevemar_> commenting ...
[04:47] <gildub> stevemar_, it doesn't guarantee uniqueness of the trust
[04:49] <stevemar_> you are absolutely correct
[04:49] <mordgan> Which bug is this?
[04:49] * mordgan needs to shutup and be better about lurking
[04:49] <gildub> stevemar_, so basically we are going to have to explain to the users, look keystone guys could have provided a field but they don't want to because that's bad then use the timestamp as a side effect and screw the timestamp initial purpose
[04:49] <gildub> mordgan, https://bugs.launchpad.net/keystone/+bug/1475091
[04:49] <openstack> Launchpad bug 1475091 in Keystone "Missing name field for trusts" [Wishlist,Won't fix]
[04:49] *** jaosorior has joined #openstack-keystone
[04:51] *** dims has quit IRC
[04:52] <mordgan> Hmm
[04:52] <mordgan> Name isnt going yo ensure uniqueness either.
[04:52] <mordgan> To*
[04:52] <mordgan> it could, but that gets wonky
[04:52] <stevemar_> gildub: commented, basically ... yes, it doesn't guarantee uniqueness, but it shows duplication
[04:53] <stevemar_> if you create the same trusts (with those fields), then they do the same amount of delegation
[04:53] * mordgan refrains from snarky overengineering remark
[04:53] <stevemar_> so if you find either, then you get the one you want
[04:53] <gildub> stevemar_, mordgan, ok, yes both name or timestamp would show duplication
[04:53] <mordgan> Actually, this is a case where probably description is a better tool.
[04:53] <mordgan> But same net effect
[04:54] <gildub> stevemar_, mordgan, exactly ^, because otherwise what happens when the user needs the timestamp
[04:54] <stevemar_> mordgan: i'm sad that trusts don't have a unique id
[04:54] <mordgan> stevemar_: they do
[04:54] <mordgan> Just it is auto generated
[04:54] <stevemar_> gildub: is there no way to save a returned value?
[04:55] *** hrou has quit IRC
[04:55] <stevemar_> oh right.. of course they do, i remember writing the client code
[04:55] <mordgan> You know we could just unique constrain trustor, trustee, expiry, roles
[04:55] <gildub> mordgan, any way to tap into that autogeneration ? Basically, here is the next primary key to use (if not in use yet)?
[04:55] <mordgan> Auto generate is a uuid
[04:55] <mordgan> Not an autoincrement
[04:55] <gildub> mordgan, sure but a user provided uuid?
[04:55] *** topol has joined #openstack-keystone
[04:55] *** ChanServ sets mode: +v topol
[04:56] <mordgan> No.
[04:56] <stevemar_> gildub: it's returned in the response (it's random)
[04:56] <mordgan> Uuid.uuid4()
[04:56] <stevemar_> it's always in the ID field
[04:56] <stevemar_> gildub: you guys are calling openstackclient for this right?
[04:56] <mordgan> stevemar_: we could just unique the values in the schema
[04:56] <gildub> stevemar_, yes
[04:56] <mordgan> It would raise conflict if the exact same trust was created again
[04:57] <mordgan> Including expiration time that is.
[04:57] <stevemar_> gildub: is there no way to parse the output? and save the uuid that is returned
[04:57] <stevemar_> mordgan: yes, we could do that
[04:57] <mordgan> stevemar_: parsing/storing output is icky
[04:57] <mordgan> CMS can do it but it is a lot of work and prone to break
[04:58] <stevemar_> mordgan: shame
[04:58] *** mylu has quit IRC
[04:58] <mordgan> It is better if the truthyness comes from the cms not from the cms and responses from what the cms does
[04:59] <mordgan> Because then you dont need to guess if the trust was created (for example) if a timeout occurred
[04:59] <mordgan> You could try and just create it again and get an e_already_exists
[05:00] <mordgan> Vs list/iterate through every trust to find out or to duplicate the trust
[05:00] <gildub> mordgan, why an infinite number of the same trusts can be created?
[05:00] <mordgan> I think the easiest is to unique the fields together
[05:00] <mordgan> Then you cannot duplicate the trust
[05:00] <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/232873
[05:00] <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystoneauth: Updated from global requirements  https://review.openstack.org/230464
[05:00] <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/232874
[05:00] *** ngupta has quit IRC
[05:00] <mordgan> It is more of a defensive coding to prevent dos like actions
[05:01] <mordgan> And it probably needs an api to say "find me trusts with values x,y,z"
[05:01] *** sdake_ has quit IRC
[05:02] <mordgan> gildub: it is silly to allow 100% duplicated trusts. It just allows cluttering of the db
[05:02] <mordgan> If we unique constrain trusts - we solve both issues (a name is still superfluous and/or could be added) but the values are the important part
[05:03] <mordgan> stevemar_: ^ any thoughts?
[05:03] *** roxanagh_ has joined #openstack-keystone
[05:03] <gildub> mordgan, so there was not use case for such need, it just happened to be?
[05:03] <openstackgerrit> OpenStack Proposal Bot proposed openstack/oslo.policy: Updated from global requirements  https://review.openstack.org/232885
[05:04] <mordgan> gildub: as far as i can tell, there is no use-case for an exactly duplicated trust
[05:04] <openstackgerrit> OpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/232893
[05:04] <gildub> mordgan, ok
[05:05] <mordgan> Duplicated trust is: trustor, trustee, scope, roles, and expiration
[05:06] <mordgan> If those are identical, the trust already exists. Why add another record for it?
[05:06] <stevemar_> mordgan: i agree, that was my thought on why it is safe to use that as a hash
[05:07] <stevemar_> i delegate to you a role on a project, set to expire tomorrow
[05:07] <stevemar_> why would i redo that?
[05:07] <stevemar_> it's still there and valid
[05:07] <openstackgerrit> Dave Chen proposed openstack/keystonemiddleware: Configuration is outdated  https://review.openstack.org/220545
[05:07] *** sdake has joined #openstack-keystone
[05:08] <gildub> mordgan, but then that would mean addressing that one too https://bugs.launchpad.net/keystone/+bug/1473292
[05:08] <openstack> Launchpad bug 1473292 in Keystone "Cannot delete or show a trust with an expired date" [High,Triaged]
[05:08] <gildub> stevemar_, ^^
[05:08] <mordgan> Eh
[05:08] <stevemar_> gildub: nice
[05:08] <mordgan> Sure
[05:08] <mordgan> Easy to add a "find me a trust that looks like x" api
[05:09] <mordgan> And allow that api to show expired trusts
[05:09] <mordgan> I think that bug doesn't matter though. I Would also make it impossible to create a trust that is already expired
[05:10] <mordgan> Because it is already invalid why does deleting it matter? If anything a keystone-manage command can do "cleanup" on the db table
[05:10] <mordgan> Deletion shouldnt need to be an api call to "prune" the db
[05:10] <gildub> mordgan, but I still don't understand why I cannot revoke (destroy/whatever) a trust I created, that has expired, doesn't make sense to me
[05:11] <mordgan> It just doesnt matter. The trust wont issue tokens. It is like an expired keystone token, it no longer exists
[05:12] <gildub> mordgan, but it's there, I can see it
[05:12] <gildub> mordgan, or I can list it but I can't touch it
[05:12] <mordgan> We can hide it. I mean that is fine
[05:12] <mordgan> List should probably omit expired trusts
[05:12] <gildub> mordgan, ok hide it then.
[05:12] <mordgan> That is more likely the bug
[05:12] *** btully has joined #openstack-keystone
[05:12] <stevemar_> gildub: agreed that we should remove expired trusts from the list
[05:14] <gildub> stevemar_, mordgan, ok, I understand the expired are not an issue
[05:14] <stevemar_> i'll see if someone wants to pick this up, seems like a good candidate for a fix
[05:14] <mordgan> Should be low hanging fruit too
[05:15] <mordgan> Just a sql migration and some api docs
[05:15] <mordgan> And a spec
[05:15] <gildub> stevemar_, mordgan, thanks, at least I feel I've achieved something today, because puppet makes me feel to go hide in a cave and develop only with Elixir
[05:15] <stevemar_> mordgan: spec?
[05:15] <stevemar_> gildub: \o/
[05:15] <mordgan> stevemar_: it is an api change
[05:15] <stevemar_> gildub: now we need someone to actually do it
[05:15] <stevemar_> :)
[05:16] <mordgan> Need to change the api spec
[05:16] <stevemar_> mordgan: not an entire new spec though
[05:16] <mordgan> V4!
[05:16] <mordgan> *ducks*
[05:16] <stevemar_> it's pretty much just adding a note here: http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-trust-ext.html#list-trusts
[05:17] <mordgan> the create also needs to indicate conflict is now raised
[05:18] *** wwwjfy has joined #openstack-keystone
[05:18] <mordgan> stevemar_: filgtm? ;)
[05:19] <mordgan> stevemar_: how ya liking PTL job?
[05:20] <stevemar_> mordgan: added that bit to the bug
[05:20] <stevemar_> mordgan: it's constant firefighter duty
[05:20] <mordgan> Make sure you delegate
[05:20] <mordgan> Super important
[05:20] <stevemar_> mordgan: wife and I have been yelling "I'm PTL'ing all the things" to each other
[05:20] <mordgan> You do not scale ;)
[05:21] <stevemar_> the weight scale says otherwise
[05:21] <stevemar_> i've pretty much given up on trying to make a commit
[05:21] <mordgan> I think I lost like 20lbs while being PTL
[05:22] <gildub> Cheaper than a gym subscription ^
[05:22] <mordgan> You'll get some basic commits added because you'll be like "omg just fix it!!!1111"
[05:22] <stevemar_> mordgan: oh i need you here: https://review.openstack.org/#/c/232764/
[05:22] <stevemar_> mordgan: and from tagging releases :)
[05:23] <mordgan> That may not be needed anymore actually
[05:23] <mordgan> Let me check
[05:26] <mordgan> So. I think if we just swap to using https://bitbucket.org/zzzeek/dogpile.cache/src/3a7c719ede4e944f2e73edf5faadde348fa9215d/dogpile/cache/backends/memory.py?at=rel_0_2&fileviewer=file-view-default#memory.py-93 the isolating proxy can be removed
[05:26] <mordgan> The downside is we can't inspect the values directly as easily
[06:13] <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Zanata  https://review.openstack.org/232921
[07:03] <openstackgerrit> Dave Chen proposed openstack/keystone: Using the right format to render the docstring correctly  https://review.openstack.org/226225
[07:18] <openstackgerrit> Dave Chen proposed openstack/keystonemiddleware: Deprecate class AuthTokenPlugin properly  https://review.openstack.org/220509
[08:45] <openstackgerrit> Dave Chen proposed openstack/keystone: test_backend_sql work with python34  https://review.openstack.org/205352
[09:39] *** kodokuu has joined #openstack-keystone
[09:40] <kodokuu> Hi, Is it possible to force the tenant ID when create project ?
[10:06] <jvarlamova> Hello, Keystone team! I have a small question. Is it planned to make a release of keystoneclient stable/kilo branch with fix of https://bugs.launchpad.net/python-keystoneclient/+bug/1480314? I am wondering because we have a related change in manilaclient project - https://review.openstack.org/#/c/207822/
[10:06] <openstack> Launchpad bug 1480314 in python-keystoneclient "Branch "stable/kilo" is broken" [Undecided,In progress] - Assigned to Julia Varlamova (jvarlamova)
[10:25] <openstackgerrit> Boris Bobrov proposed openstack/keystone: Use search_ext_s instead of search_s in ldap  https://review.openstack.org/232995
[10:54] <openstackgerrit> Sonali proposed openstack/keystone: Do not rebuild revoke_tree on each validate-token  https://review.openstack.org/232715
[10:59] <openstackgerrit> Merged openstack/keystone: Fixed missed translatable string inside exception  https://review.openstack.org/232544
[12:04] <openstackgerrit> Boris Bobrov proposed openstack/keystone: Use search_ext_s instead of search_s in ldap  https://review.openstack.org/232995
[12:20] <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/232873
[13:21] <tjcocozz> has anyone while doing a backport ran into merge conflicts within the translations?
[13:22] *** kiran-r has joined #openstack-keystone
[13:22] <tjcocozz> It's saying the only difference is the project-id-version and the timestamp in the header
[13:22] *** exploreshaifali has joined #openstack-keystone
[13:24] *** njohnston is now known as nate_gone
[13:27] <doug-fish> tjcocozz: are you trying to explicitly backport the translations?
[13:28] <tjcocozz> doug-fish: no the backport has nothing to do with the translations
[13:28] <doug-fish> I'm surprised an unrelated backport is picking up translations
[13:28] <doug-fish> I'd expect them to be pretty independent
[13:29] <tjcocozz> yeah i am confused how it is doing it since i am checking out the branch, cherry picking my code on top then doing a git-review.
[13:29] <tjcocozz> Within all this I never touch these files
[13:29] <doug-fish> which patch are you cherry-picking?
[13:29] <tjcocozz> https://review.openstack.org/#/c/213742/
[13:29] <tjcocozz> https://review.openstack.org/#/c/226557/
[13:30] <tjcocozz> this bug has two separate commits for it: https://bugs.launchpad.net/keystone/+bug/1500459
[13:30] <openstack> Launchpad bug 1500459 in Keystone "Validating federated fernet token loses user domain info" [Medium,Fix committed] - Assigned to Brant Knudson (blk-u)
[13:30] *** kiran-r has quit IRC
[13:31] <doug-fish> tjcocozz: this isn't really a direct answer, but have you tried just using the "cherry pick to" button in gerrit?
[13:31] <doug-fish> if there are no conflicts that should work
[13:33] *** Ephur has joined #openstack-keystone
[13:33] *** Ephur has quit IRC
[13:34] *** Ephur has joined #openstack-keystone
[13:35] * tjcocozz is trying it now
[13:40] *** exploreshaifali has quit IRC
[13:43] *** devkulkarni1 has joined #openstack-keystone
[13:46] *** devkulkarni has quit IRC
[13:52] *** jaosorior_ has joined #openstack-keystone
[13:52] *** jaosorior_ has quit IRC
[13:53] *** jaosorior_ has joined #openstack-keystone
[13:54] *** jaosorior has quit IRC
[13:57] *** nate_gone is now known as njohnston
[13:57] <openstackgerrit> Boris Bobrov proposed openstack/keystone: Make @truncated common for all backends  https://review.openstack.org/233069
[13:57] <openstackgerrit> Boris Bobrov proposed openstack/keystone: Use @truncated in ldap  https://review.openstack.org/233070
[13:58] <krotscheck> Hey everyone.
[13:59] <doug-fish> hi Mr NodeJS!
[13:59] <doug-fish> (wait - wrong community)
[13:59] * krotscheck slaps doug-fish
krotscheckSo, a question on middleware.14:00
*** jtomasek has joined #openstack-keystone14:00
*** jaosorior_ has quit IRC14:00
*** jaosorior has joined #openstack-keystone14:01
krotscheckWe've got an order-of-operations situation where a client is trying to make an API OPTIONS request to check for valid CORS headers.14:01
krotscheckHowever the middleware chain appears to be first keystone, then cors. And keystone rejects the options request because it doesn't have a valid auth header.14:01
*** fawadkhaliq has joined #openstack-keystone14:02
*** sigmavirus24_awa is now known as sigmavirus2414:05
*** jrist has joined #openstack-keystone14:05
*** fawadkhaliq has quit IRC14:06
*** devkulkarni1 has quit IRC14:07
*** florianf has joined #openstack-keystone14:07
*** devkulkarni has joined #openstack-keystone14:07
florianfkrotscheck, jtomasek: hi14:08
bknudsonputting cors header ahead of auth_token makes sense.14:08
bknudsoncors middleware ahead of auth_token14:08
krotscheckbknudson: It does, however one is configured at the app level, while keystone is configured at the middleware level.14:08
krotscheckCORS is baked into ironic (and a few other services)14:08
florianfbknudson: I agree. Even if authentication fails, it's still a valid request (from an http/cors perspective)14:09
krotscheck(Like swift)14:09
bknudsonkeystone can be at the app level too14:09
krotscheckbknudson: Not all services are explicitly dependent on keystone.14:10
krotscheckbknudson: or want to be.14:10
*** browne has joined #openstack-keystone14:10
bknudsonthey're all explicitly dependent on cors?14:10
lbragstadbknudson question about https://review.openstack.org/#/c/227004/3/keystone/tests/unit/token/test_fernet_provider.py14:11
*** ParsectiX has quit IRC14:11
krotscheckbknudson: In the case of ironic, it's a documented feature, yes.14:11
*** slberger has joined #openstack-keystone14:11
lbragstadbknudson you don't recall a patch to change all the method names to not have 404 in them, do you?14:11
bknudsonhttps://review.openstack.org/#/q/file:keystone/tests/unit/token/test_fernet_provider.py,n,z14:12
bknudsonkrotscheck: the auth_token middleware has an option where it won't reject requests but instead set an env var to indicate whether the request had a valid token or not14:14
bknudsonso you could take advantage of that14:14
krotscheckjtomasek: ^^ Will that work for you?14:15
bknudsonhttp://git.openstack.org/cgit/openstack/keystonemiddleware/tree/keystonemiddleware/auth_token/__init__.py#n25714:16
*** tonytan4ever has joined #openstack-keystone14:16
bknudsonlbragstad: I didn't check all those reviews but I don't see one that changes the method names14:17
jtomasekkrotscheck: not sure, does it mean that if we subsequently do an ordinary request such as GET /v1/nodes, without auth token, it will pass?14:18
krotscheckjtomasek: You'd want to add bknudson the question, I'm not that familiar with the middleware.14:19
bknudsonjtomasek: your application will have to check the HTTP_X_IDENTITY_STATUS and HTTP_X_SERVICE_IDENTITY_STATUS values in the env, see http://git.openstack.org/cgit/openstack/keystonemiddleware/tree/keystonemiddleware/auth_token/__init__.py#n6414:20
*** timcline has joined #openstack-keystone14:20
lbragstadbknudson cool, thanks... working on a patch to change those, too14:21
*** btully has joined #openstack-keystone14:21
lbragstadbknudson i mean, i think they should be changed, right?14:22
jtomasekbknudson, krotscheck I am not sure that clientside js app will be able to access those env variables14:22
*** EinstCrazy has quit IRC14:23
bknudsonlbragstad: "TokenNotFound" would be easier to understand than "404" is.14:23
bknudsonjtomasek: the client will get a 401 error if it didn't provide a valid auth token.14:24
bknudsonor, the application can do whatever it wants if it bypasses auth_token responses using delay_auth_decision14:25
jtomasekbknudson: ok, I am going to test it, so to make it work I need to add delay_auth_decision=true to keystone.conf?14:25
bknudsonjtomasek: no, that goes in the server's configs in the keystoneauth section.14:26
krotscheckbknudson: why is keystone middleware intercepting the OPTIONS request? I'm looking at the HTTP spec and can't really figure out why it should be ACL-gated14:26
bknudsonkrotscheck: that's a good question... it intercepts all requests.14:26
*** r-daneel has joined #openstack-keystone14:27
krotscheckbknudson: I suppose some people care about even exposing OPTIONS things to the outside world?14:27
*** devkulkarni has quit IRC14:27
bknudsonsome applications might want to hide the existence of a resource14:28
bknudsonso that only authenticated users can tell if it exists14:28
*** david_cu has joined #openstack-keystone14:28
*** markvoelker has quit IRC14:29
*** stevemar_ has joined #openstack-keystone14:29
*** ChanServ sets mode: +o stevemar_14:29
john5223in openstack_auth for horizon it calls python-keystoneclient like this:   unscoped_auth = plugin.get_plugin(auth_url=auth_url, **kwargs)   , which is the Password plugin in auth/v3/identity/password.py14:31
john5223and then it calls:   unscoped_auth_ref = unscoped_auth.get_access(session)14:31
john5223what if you wanted to use more than one method?  for example:   "methods": ["password", "otp"]14:31
*** itlinux has quit IRC14:31
john5223b/c i was trying to make a keystoneclient method similar to this:   https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/auth/identity/v3/password.py#L5114:32
john5223but noticed it only has one part of the keystone request, the password part14:32
john5223and my keystone plugin has a separate plugin / method for otp14:33
john5223like so... https://gist.github.com/john5223/5cf071648dedf30c93ba14:33
florianfbknudson: But wouldn't it be better if the application using keystonemiddleware would explicitly hide the resource from non-auth'd users if they want to? as opposed to making it an automatism in keystonemiddleware?14:35
john5223but... looks like openstack uses only one plugin for keystone and then calls .get_access() here: https://github.com/openstack/django_openstack_auth/blob/master/openstack_auth/backend.py#L9614:35
*** EinstCrazy has joined #openstack-keystone14:35
*** ayoung has joined #openstack-keystone14:39
*** ChanServ sets mode: +v ayoung14:39
*** GB21 has quit IRC14:39
*** devkulkarni has joined #openstack-keystone14:40
*** devkulkarni has quit IRC14:40
*** hurgleburgler has joined #openstack-keystone14:40
*** hurgleburgler has left #openstack-keystone14:40
openstackgerritMerged openstack/keystone: Updated from global requirements  https://review.openstack.org/23287314:42
openstackgerritMerged openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/23289314:45
*** petertr7 is now known as petertr7_away14:50
*** petertr7_away is now known as petertr714:52
openstackgerritMonty Taylor proposed openstack/python-keystoneclient: Accept v2 params to v3 service create  https://review.openstack.org/23310214:57
*** markvoelker has joined #openstack-keystone14:57
mordredstevemar_: I actually do not care if that lands ^^ but that's how I would argue stuff like this should be done14:57
mordredstevemar_: breaking users because someone decided to make niggly pedantic wording changes is just mean14:57
mordredstevemar_: I'd ACTUALLY argue that the REST API should do that, but that would take way more work for me to rage-code a quick patch for :)14:59
*** jsavak has quit IRC15:00
*** jsavak has joined #openstack-keystone15:01
*** timcline has quit IRC15:01
*** timcline has joined #openstack-keystone15:02
ayoungmordred, stevemar_ just ran off to a dentist appt15:02
mordredayoung: mmm. dentist15:03
ayoungmordred, but you can argue ^^ with Jamie.  I think that is his doing, and expect him to argue convincingly for his views15:03
mordredayoung: I'm sure his arguments are convincing - he's a very sound and rational person15:03
*** fawadkhaliq has joined #openstack-keystone15:03
mordredayoung: my counter arguments would be that I think the fundamental reality we are operating in might be different than it was assumed to be when that decision was made15:04
mordredwhich is mainly that multi-cloud is a real thing, and that expecting interoperability across clouds is not insane, and that "just use the latest version" or even "be aware of the version of a service your cloud is running" are not tenable15:04
mordredif that was different, then making a nice new clean API would be a completely reasonable thing to do15:05
mordredor if the only market was private clouds, where you'd never expect people to want to use the same consume code on more than one cloud15:05
ayoungmordred, so...two different sessions, one per cloud15:05
mordredayoung: yes. one typically has two different sessions, one per cloud15:06
ayoungah...yeah, service catalog...15:06
mordredayoung: for context, I just had to write this: https://review.openstack.org/#/c/232530/15:06
ayoungmordred, that is probably the most significant difference between the two APIs.  for most of the other entities, it is just taking domain into account15:06
mordredayoung: yah - and having domain or not having domain is actually not terrible and keystone auth does a great job of making it not terrible15:07
mordredthe way ksa discovery works is a shining example of it being done really well for the end user15:07
*** fawadkhaliq has quit IRC15:08
*** csoukup has joined #openstack-keystone15:08
*** GB21 has joined #openstack-keystone15:08
ayoungmordred, so, if jamie can be convinced, the rest of us will roll over.15:08
mordred\o/15:08
ayoungIn his absence, bknudson is probably your best point of contact15:08
openstackgerritMerged openstack/keystone: Imported Translations from Zanata  https://review.openstack.org/23292115:09
mordredI can wait for jamie - it's not urgent15:09
mordredthis is more "I encountered pain as a consumer, I should communicate the pain back and also make a suggestion as to how I might not experience that pain"15:09
mordredI've already worked around it :)15:09
*** sdake has joined #openstack-keystone15:13
*** mordgan is now known as morgan15:14
*** fawadkhaliq has joined #openstack-keystone15:14
*** davidsha has joined #openstack-keystone15:16
davidshaHey, quick question! are there any bugs in keystone master related to the database atm15:16
*** lastops has joined #openstack-keystone15:17
morganmordred: do you have a good doc for znc setup these days?15:17
*** ozialien has joined #openstack-keystone15:18
morganmordred: stevemar_ needs it15:18
mordredmorgan: I stopped doing znc a while ago - I think sdague and dhellmann have some good docs on it15:18
*** topol has quit IRC15:18
hogepodgemordred: fwiw, on the defcore/interop side we're starting to push clouds to upgrade to v215:18
mordredmorgan: I just run weechat in a tmux session15:18
morganWill send stevemar_ their way15:18
mordredhogepodge: v2 of?15:18
*** browne has quit IRC15:18
hogepodgemordred: these api transitions that take years to happen gets a bit old, and creates many more special snowflakes15:19
morganmordred: glance?15:19
hogepodgemordred: v3 on15:19
hogepodgemordred: keystone, glance, cinder15:19
hogepodgemordred: none have really completely transitioned, to be fair, it's a really difficult problem15:19
mordredhogepodge: nod. awesome. so - the main thing from my point of view is that we cannot have these transitions ever again15:19
mordredhogepodge: like, I don't care whether the API is semver marked - we, as a tech community quite simply cannot agree to breaking API changes15:20
morganmordred: the biggest issue with keystone v3 adoption was the hard tie of auth to the crud api15:20
hogepodgemordred: I don't have any idea how we would handle a new api transition from an interop point of view15:20
mordredbecause they ALWAYS will take years to happen15:20
mordredhogepodge: new API transition can only be incremental adds15:20
mordredhogepodge: we've passed the point where removing something is acceptable15:20
morganBecause otherwise the v2v3 concern would have been narrow15:20
mordredhogepodge: like, I dont mean long deprecation - I mean NEVER15:21
*** geoffarnoldX has quit IRC15:22
morganAnd fwiw I agree that v2 needed to die way earlier and only for one reason - security model15:22
hogepodgeI'm ok if you deprecate like you mean it.15:22
mordredI'm not15:22
morganOtherwise v2 could live on forever as frozen15:22
morganNo new features15:22
mordredthe ones that are in deprecation already - k2, g1, nova-net - the cat is already out of the bag on those transitions and we can't fix it15:23
mordredbut we cannot do any more of these15:23
mordredbecause 'deprecation' is meaningless when there are 100s of clouds out there with different lifecycles15:23
morganBut didnt need to be removed. If auth was separate and the security model wasnt awful v2 keystone could just be "deprecated" or frozen forever never removed15:23
mordredmorgan: yup15:23
morganTo be fair we could probably fix v2 security model and still split auth out. But.. Hard to do right15:24
mordredyah15:25
openstackgerritMerged openstack/oslo.policy: Updated from global requirements  https://review.openstack.org/23288515:26
ayoungmordred, we should have just made projects hierarchical and not introduced domains15:26
*** mylu has joined #openstack-keystone15:26
hogepodge"It's projects all the way down"15:26
ayounghogepodge, It worked for the File system15:28
mordredayoung: I agree. but then, there are many things we should have done15:30
*** roxanagh_ has joined #openstack-keystone15:30
ayoungmordred, In this case, though, I suggested it back then, and I regret not sticking to my guns.15:31
jristkrotscheck: is your name pronounced how it looks? krots  check ?15:31
*** su_zhang has quit IRC15:32
*** BAKfr has quit IRC15:32
krotscheckjrist: emphasis on the first syllable, 'kro'-scheck15:33
*** BAKfr has joined #openstack-keystone15:33
odyssey4meI'm busy working through liberty configs, and as far as I know we're supposed to be configuring 'user_name' under the keystone_authtoken section for all services. Is that correct?15:34
jristkrotscheck: ah cool. neat name15:34
openstackgerritLance Bragstad proposed openstack/keystone: Refactor: change 404 status codes in test names  https://review.openstack.org/23312415:34
openstackgerritLance Bragstad proposed openstack/keystone: Refactor: change 400 status codes in test names  https://review.openstack.org/23312515:34
openstackgerritLance Bragstad proposed openstack/keystone: Refactor: change 410 status codes in test names  https://review.openstack.org/23312615:34
openstackgerritLance Bragstad proposed openstack/keystone: Refactor: change 403 status codes in test names  https://review.openstack.org/23312715:34
openstackgerritLance Bragstad proposed openstack/keystone: Refactor: Don't hard code 409 Conflict error codes  https://review.openstack.org/23312815:34
*** EinstCrazy has quit IRC15:35
*** EinstCrazy has joined #openstack-keystone15:35
*** marzif has quit IRC15:35
*** marzif has joined #openstack-keystone15:36
*** e0ne has quit IRC15:37
*** ozialien has quit IRC15:37
*** e0ne has joined #openstack-keystone15:39
mordredGAH15:40
mordredmorgan, stevemar_: SAD PANDA v2 and v3 endpoint creation is completely different15:41
*** e0ne has quit IRC15:43
odyssey4melbragstad dolphm got a minute? I need to puzzle out the appropriate way to configure keystone middleware for the services15:44
lbragstadodyssey4me sure, what's up?15:45
ayoungmarekd, OK, Federation question for you.  If I have an Ephemeral user identified via a Principal, should I use this field as the username, and then use it to generate the userid, or can I feed this in as the user id, and the whole thing will be hashed to create the actual userid?15:46
odyssey4melbragstad well, I thought that the config needed to switch from https://github.com/openstack/openstack-ansible/blob/master/playbooks/roles/os_glance/templates/glance-api.conf.j2#L61-L71 to use 'user_name' in the configuration15:46
odyssey4melbragstad but that doesn't work - then this tells me a totally different story: https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/_auth.py#L180-L18715:47
odyssey4melbragstad but I've seen hints all over the place that the right way to do it from now on is to use the plugin method, but I can't seem to find a useful reference for how that works15:48
odyssey4melbragstad this perhaps needs to move along, along with the patch behind it: https://review.openstack.org/#/c/219162/15:48
*** fhubik has quit IRC15:50
ayoungmorgan, bknudson lbragstad is there any reason we need to make the local_id of the identity mapping field varchar(64) or can we expand it?  As I recall, we don't take a hit until > 255, right?15:50
lbragstadodyssey4me interesting, according to dave's patch, you still need to have the username in the keystone_authtoken section, right?15:52
*** jbell8 has joined #openstack-keystone15:52
lbragstadayoung for the overall length of the token,  eys15:52
lbragstadyes*15:52
odyssey4melbragstad it's inconsistent - line 250 says admin_user15:53
odyssey4melbragstad but line 261 says this method is deprecated15:53
odyssey4melbragstad then line 316 uses username15:54
lbragstadodyssey4me ah, right... checking the code15:54
odyssey4melbragstad it would appear that the right method is outlined in 308-318 - but other stuff I've read seems to indicate that when you have 'auth_plugin = foo' then the config file needs a section '[foo]15:55
*** dims_ has joined #openstack-keystone15:56
*** dims_ has quit IRC15:56
odyssey4melbragstad eg: http://www.jamielennox.net/blog/2015/02/17/loading-authentication-plugins/15:56
lbragstadodyssey4me this shows that the admin_token option is deprecated  - https://github.com/openstack/keystonemiddleware/blob/647f2ab9c437e2bcd6fd9a12a6f52a39553c9a80/keystonemiddleware/auth_token/_auth.py#L171-L17915:56
odyssey4meyep, that is not where the confusion is :p15:57
odyssey4meit's whether it should be admin_user, username or a whole separate section of options15:57
*** ankurgupta has joined #openstack-keystone15:58
ayounglbragstad, Heh..you are carrying too many conversations.  I mean at the database level for that table. I have some really long REMOTE_USER values coming from Kerberos, and I'd rather not truncate them15:58
*** dimsum__ has quit IRC15:59
*** phalmos has joined #openstack-keystone16:00
lbragstadayoung oh, in that case, i don't know if there was a reason we stuck to varchar(64)16:02
lbragstadayoung stevemar_  might know?16:02
*** _cjones_ has quit IRC16:02
*** phalmos has quit IRC16:02
*** phalmos has joined #openstack-keystone16:03
ayounglbragstad, actually, I think it is the public_id field I need.  I'm going to see if I can chop off the REALM section of that.16:03
ayounglbragstad, he has hands in his mouth at the moment16:03
lbragstadayoung oh, that's right..16:03
lbragstadodyssey4me i'm going to do some digging and see if i can come up with some better information16:05
odyssey4methanks lbragstad :)16:06
*** sdake_ has joined #openstack-keystone16:06
*** sdake has quit IRC16:06
stevemar_lbragstad: ayoung back, no more hands in my mouth16:08
*** jistr has quit IRC16:08
*** ozialien has joined #openstack-keystone16:08
stevemar_so there wasn't a good reason to keep it at varchar(64) other than 'that's what user ids in keystone are limited to'16:08
ayoungstevemar_, so its the remote that I care about16:09
ayoungI have service principals that are pretty long16:09
ayoungwe used to have a mechanism for splitting on the @ sign, but I think that does not work with mapping16:09
*** dimsum__ has joined #openstack-keystone16:09
stevemar_ayoung: that remote_user id from a federated source is still be shoved into a token16:09
*** dimsum__ has quit IRC16:09
ayoungregex is just for matching, not for splitting16:09
*** kiran-r has joined #openstack-keystone16:09
*** dimsum__ has joined #openstack-keystone16:10
stevemar_yep16:10
mordredso - in k2, you have one API call to set public/internal/admin ... what happens if you do create_endpoint(service, region, publicurl='foo') and then create_endpoint(service, region, adminurl='foo')16:10
mordred?16:10
mordredis that permissible?16:11
ayoungstevemar_, going to hack my install to let it be 200 chars long, but I suspect we will want to do a mix:16:11
mordredor does that break something?16:11
ayoungwe should be able to select the domain based on REALM, and only use the user specific portion of the  principal as the user name16:11
*** pnavarro is now known as pnavarro|off16:11
*** gyee has joined #openstack-keystone16:12
*** ChanServ sets mode: +v gyee16:12
ayoungmordred, no idea.16:12
stevemar_mordred: that should work16:12
ayoungI think Keystone would be fine, but the other services?16:12
*** kiran-r has quit IRC16:12
stevemar_mordred: in v3 it's 3 calls to create_endpoint to do what was done in 1 call in v216:12
mordredstevemar_: yup. but if I can do it in 3 calls in v2 as well, then it simplifies the consolidation interface in ansible16:13
mordredstevemar_: so I'm going to go with that for now and see what breaks16:13
*** tonytan4ever has quit IRC16:18
*** lsmola_ has quit IRC16:18
stevemar_ayoung: yeah, jamie showed me the error a few days ago16:19
*** phalmos has quit IRC16:19
*** topol has joined #openstack-keystone16:19
*** ChanServ sets mode: +v topol16:19
ayoungstevemar_, did it have this in it:2015-10-09 12:18:04.622 3136 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/contrib/federation/utils.py", line 615, in _update_local_mapping16:19
ayoung2015-10-09 12:18:04.622 3136 TRACE keystone.common.wsgi     new_value = v.format(*direct_maps)16:19
ayoungI'm wondering if this is a different issue.16:19
stevemar_but agreed, we should either fix the mapping to pick up the user name, or change it from varchar64 to something bigger..16:19
stevemar_ayoung: i was only shown the mapping output and generated username (how it's greater than 64 chars)16:20
ayoungstevemar_, there was an option on  mod_auth_kerb to chop out the REALM name, but  I think that only works for very limited cases.16:20
ayoungstevemar_, local_id is  the user_id, post mapping, and public_id is the value from REMOTE_USER, right?16:22
*** topol has quit IRC16:23
*** davidsha has left #openstack-keystone16:24
*** mylu has quit IRC16:24
ayoung#success proton driver running with Kerberos for encryption and authentication16:24
openstackstatusayoung: Added success to Success page16:24
*** mylu has joined #openstack-keystone16:25
ayoungHeh16:25
*** itlinux has joined #openstack-keystone16:25
stevemar_#success unlocked secret success bot16:26
openstackstatusstevemar_: Added success to Success page16:26
stevemar_how am i just learning about this NOW?!?16:26
stevemar_ayoung: that's cool, glad there is an option in kerb16:26
ayoungstevemar_, Yeah, this is very good.  I need to solve this issue with principal names for the long term. I can fake it by keeping my principals short for the demo16:27
ayoungbut...meh16:27
morgan#success Survived PTLing for two cycles and am able to now write code again.17:14
openstackstatusmorgan: Added success to Success page17:14
morgan:P17:14
samueldmqmorgan: ++ :)17:24
openstackgerritMerged openstack/keystone: Enable password_config_option_not_marked_secret Bandit test  https://review.openstack.org/22569118:07
dstanekstevemar_: until recently i didn't know what el capitan was :-)19:30
*** tonytan4ever has quit IRC19:31
*** hrou has quit IRC19:36
*** spandhe has joined #openstack-keystone19:36
samueldmqdstanek: I didn't know until .. now19:36
*** su_zhang has joined #openstack-keystone19:37
samueldmqayoung: henrynash so we will probably have an outreachy student this year19:38
*** ayoung has quit IRC19:38
samueldmqand I am thinking about (with her) potential project proposals19:38
samueldmqI am thinking about something policy related, but we can't have something more concrete pre-summit19:38
samueldmqand I don't want to leave her frustrated by working in a subject in which we haven't 100% agreement19:39
samueldmqhenrynash: dstanek: gyee: stevemar_: anyoneelse: any idea in your mind already ? ^19:40
dstaneksamueldmq: she should start with fixing bugs and getting used to the process19:40
dstanekimo, stability is the most important thing19:41
*** su_zhang has quit IRC19:41
samueldmqdstanek: yes, she started looking at it already, but we need to create a project proposal too, that's why I wonder about the specific subject19:41
samueldmqdstanek: so maybe something about functional tests ?19:42
samueldmq(I don't know how far we are in that front)19:42
*** itlinux has joined #openstack-keystone19:42
*** tonytan4ever has joined #openstack-keystone19:44
stevemar_dstanek: i just learned what it is19:45
*** tsymanczyk has joined #openstack-keystone19:48
*** tsymanczyk is now known as Guest7197919:48
*** itlinux has quit IRC19:48
*** e0ne has joined #openstack-keystone19:49
*** nicodemos has quit IRC19:50
dstaneksamueldmq: so some sort of school requirement?19:55
*** timcline_ has quit IRC19:55
samueldmqstevemar_: for the program it's required to have a project proposal, like what you will do during the program, etc19:55
samueldmqstevemar_: oops, sorry .. dstanek ^19:56
dstanekyeah, no idea then. best advice i have is to stick to the non-controversial topics19:58
*** tsymancz1k has joined #openstack-keystone19:58
*** fawadkhaliq has joined #openstack-keystone19:58
*** timcline has joined #openstack-keystone19:58
*** florianf is now known as florianf|away19:58
samueldmqdstanek: yes I agree with you19:59
dstaneksamueldmq: what about picking a topic that has lots of bugs write a proposal to fix them all :-)19:59
samueldmqdstanek: so that we avoid frustration19:59
samueldmqdstanek: can be a good idea, you have an example in mind ?19:59
dstanekunfortunately with open source there is a lot of frustration20:00
* samueldmq should look at the existing bugs20:00
dstaneknot to pick on federation, but i was just looking at the list of bugs with that tag http://bit.ly/1huJrbO20:02
dstanekthere are 300 bugs so there should be no shortage of bugs to fix20:02
lbragstaddstanek ++ i love the idea20:02
*** fawadk has quit IRC20:02
dstanekkeystone is getting too feature heavy imo and we need to fix and stabilize what we have20:03
*** timcline has quit IRC20:03
*** tsymancz1k has quit IRC20:04
*** Guest71979 has quit IRC20:04
stevemar_dstanek: agreeeed20:06
*** tsymancz1k has joined #openstack-keystone20:08
*** gordc has quit IRC20:09
samueldmqdstanek: ++20:09
samueldmqlike hardening existing features by testing them more (functional ?), maybe looking at performance too ?20:10
alejandritohi all, how bad a practice is it to have for example an openstack kilo production deployment with admin_token configured on keystone ?20:11
dstanekalejandrito: i'm going to go with super bad20:11
dstanekalejandrito: depends on the risk that you could leak that value20:12
alejandritoso, what would be the BEST PRACTICE knowing that i don't have SSL communication between apis ?20:14
alejandritodstanek, ^^20:14
dstanekalejandrito: why do you have it on? if you don't have SSL it's even worse20:14
*** tsymancz4k has joined #openstack-keystone20:15
dstanekalejandrito: you can also leak regular tokens without SSL20:15
alejandritoso, not having SSL, it's the same having or not admin_token because i can also leak normal tokens right ?20:16
alejandritodstanek, ^^20:16
dstanekalejandrito: the recommendation from the docs is to use it to bootstrap and turn it off after20:16
dstanekwithout SSL everything leaks.20:16
dstanekalejandrito: is there any reason you need admin tokens?20:18
stevemar_lbragstad: i find your test refactoring to be pointless, and i mean that in the nicest way possible20:18
dstanek#fail20:18
stevemar_you went to a lot of effort for it, so i still +2'ed but mehhhh20:19
dstanekalejandrito: also any reason why you don't use SSL in production?20:19
alejandritodstanek, mainly cause the documentation on each project is not clear about how to enable ssl communication between them, or i don't have enough experience20:20
dstanekalejandrito: it's easy at least for Keystone.20:21
stevemar_alejandrito: sounds like it's not quite production yet then20:21
dstanekalejandrito: if nothing else turn off the admin token in production20:21
*** jsavak has quit IRC20:22
alejandritostevemar_, sure ... seems not20:22
stevemar_dstanek: alejandrito yes, definitely turn off admin token in your live environment20:22
*** jsavak has joined #openstack-keystone20:23
*** roxanaghe has joined #openstack-keystone20:24
*** e0ne has quit IRC20:26
*** diazjf has quit IRC20:29
alejandritostevemar_, dstanek thanks so much for the advice20:30
stevemar_np20:31
dstanekalejandrito: np20:32
*** tsymancz4k has quit IRC20:35
*** tsymancz1k has quit IRC20:35
*** roxanaghe has quit IRC20:36
*** roxanaghe has joined #openstack-keystone20:36
*** hrou has joined #openstack-keystone20:36
*** jsavak has quit IRC20:37
*** jsavak has joined #openstack-keystone20:38
*** tsymancz2k has joined #openstack-keystone20:40
*** su_zhang has joined #openstack-keystone20:41
*** mylu_ has quit IRC20:42
*** mylu has joined #openstack-keystone20:42
*** akanksha_ has joined #openstack-keystone20:42
*** jsavak has quit IRC20:42
*** jsavak has joined #openstack-keystone20:43
*** tsymanczyk has joined #openstack-keystone20:46
*** tsymanczyk is now known as Guest9889920:46
*** njohnston is now known as nate_gone20:46
*** su_zhang has quit IRC20:49
*** su_zhang has joined #openstack-keystone20:49
openstackgerritHenrique Truta proposed openstack/keystone: Tests for projects acting as domains  https://review.openstack.org/21121920:50
openstackgerritHenrique Truta proposed openstack/keystone: Projects acting as domains  https://review.openstack.org/23128920:50
openstackgerritHenrique Truta proposed openstack/keystone: Removes project.domain_id FK  https://review.openstack.org/23327420:50
*** roxanaghe has quit IRC20:50
*** roxanaghe has joined #openstack-keystone20:51
*** raildo is now known as raildo-afk20:55
*** petertr7 is now known as petertr7_away21:00
*** marzif has joined #openstack-keystone21:02
openstackgerritHenrique Truta proposed openstack/keystone: Projects acting as domains  https://review.openstack.org/23128921:04
*** sdake_ has joined #openstack-keystone21:04
*** sdake has quit IRC21:06
*** david_cu has quit IRC21:08
*** edmondsw has quit IRC21:12
*** edmondsw has joined #openstack-keystone21:12
*** jsavak has quit IRC21:13
*** sdake_ has quit IRC21:14
*** csoukup has quit IRC21:15
*** edmondsw has quit IRC21:17
*** sdake has joined #openstack-keystone21:19
*** exploreshaifali has quit IRC21:21
*** EinstCrazy has quit IRC21:21
*** EinstCrazy has joined #openstack-keystone21:24
*** phalmos has joined #openstack-keystone21:26
bretonbtw21:28
bretonwhat happened to the previous student who worked with henrynash?21:29
*** fawadkhaliq has quit IRC21:30
*** mylu has quit IRC21:30
*** fawadkhaliq has joined #openstack-keystone21:31
*** jbell8 has quit IRC21:33
*** fawadkhaliq has quit IRC21:34
*** hrou has quit IRC21:38
*** phalmos has quit IRC21:39
*** browne1 has quit IRC21:43
*** sigmavirus24 is now known as sigmavirus24_awa21:58
*** shaleh has joined #openstack-keystone21:58
*** stevemar_ has quit IRC22:06
*** slberger has left #openstack-keystone22:14
harlowjabtw example in http://lists.openstack.org/pipermail/openstack-dev/2015-October/076664.html could also be how keystone discovers services :-P22:21
harlowjawink wink, ha22:21
harlowjarelabel resource watcher in http://paste.openstack.org/show/475938/ ---> 'service watcher' , lol22:22
*** henrynash has quit IRC22:34
*** alejandrito has quit IRC22:34
*** mfisch has quit IRC22:34
*** mfisch has joined #openstack-keystone22:35
*** mfisch is now known as Guest2776422:35
*** Guest27764 is now known as mfisch22:37
*** mfisch has joined #openstack-keystone22:37
*** tonytan4ever has quit IRC22:39
harlowjaor even better, http://paste.openstack.org/show/475941/22:39
*** diazjf has joined #openstack-keystone22:41
samueldmqdstanek: ++ on keystone office hours :)22:42
openstackgerritMerged openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/23287422:46
*** dims_ has joined #openstack-keystone22:50
*** marzif has quit IRC22:51
*** dimsum__ has quit IRC22:53
*** miguelgrinberg has quit IRC22:53
*** miguelgrinberg has joined #openstack-keystone22:53
*** r-daneel has quit IRC23:07
*** dims_ has quit IRC23:07
harlowjainteresting i see why u guys wouldn't mind consul, it pretty much provides the stuff keystone wants, haha23:09
harlowjahttp://python-consul.readthedocs.org/en/latest/#consul-catalog :-P23:09
*** markvoelker_ has joined #openstack-keystone23:10
harlowjaseems like the python client though doesn't have watch apis :(23:11
harlowjahttp://python-consul.readthedocs.org/en/latest/#consul-event seems nice though23:11
*** topol has quit IRC23:25
*** sdake has quit IRC23:26
*** woodster_ has quit IRC23:29
*** btully has quit IRC23:41
*** hrou has joined #openstack-keystone23:54
*** jsavak has joined #openstack-keystone23:56
*** su_zhang has quit IRC23:57
*** mylu has joined #openstack-keystone23:57
*** jsavak has quit IRC23:59
