Wednesday, 2015-11-18

« Tuesday, 2015-11-17 Index Thursday, 2015-11-19 »
gyeedoes it work with emojis?00:00
gyeejust kidding :)00:00
shalehgyee: there is a probably a way. But I am over 30 :-)00:01
*** aginwal__ has quit IRC00:02
shalehayoung: flyspell-prog-mode runs spell check in comments. Very handy.00:05
notmorgangyee: oh hai00:06
*** pushkaru has quit IRC00:07
*** adelia has quit IRC00:07
*** adelia has joined #openstack-keystone00:08
*** spandhe has quit IRC00:09
gyeenotmorgan, yes sir00:09
notmorganjust forgot what i was going to ask00:10
notmorganugh00:10
*** adelia has quit IRC00:10
*** adelia has joined #openstack-keystone00:10
notmorgangyee: oh right. want to get any performance information you're currently running across in deployments (not public cloud obv.) when you have time of course00:10
notmorganno rush00:10
*** aginwala has joined #openstack-keystone00:10
notmorgangyee: as in... bottlenecks you've seen [email is fine]00:10
gyeenotmorgan, yes, let me gather the information and email you00:11
notmorgansounds good00:11
gyeerole caching is one issue off the top of my head00:11
gyeewe don't cache roles00:11
stevemar_notmorgan: morgan!!!!!!00:11
notmorganstevemar_: hi there.00:11
notmorganstevemar_: what can i do fer you?00:11
gyeebut I can send you the numbers from our perf clusters00:11
stevemar_notmorgan: nothing, just saying hi00:12
stevemar_:)00:12
notmorganah but i'm "notmorgan"00:12
notmorgan:P00:12
*** jbell8 has quit IRC00:12
ayoungshaleh, yeah, that was actually what I meant...I didn't know about flyspell, either00:13
*** josecastroleon has quit IRC00:14
kfox1111do you need memcached with keystone if your using fernet tokens?00:14
*** adelia has quit IRC00:14
notmorgankfox1111: you don't need memcached with keystone00:14
*** aginwala has quit IRC00:14
notmorgankfox1111: no matter what you are using for tokens00:15
*** aginwala_ has joined #openstack-keystone00:15
kfox1111s/keystone/horizon00:15
notmorgankfox1111: shouldn't need it with horizon in either case.00:15
kfox1111pki + keystone = horizon + memcached...00:15
*** jbell8 has joined #openstack-keystone00:15
kfox1111the cookies ended up being too big without memcached.00:15
*** aginwala_ has quit IRC00:15
notmorganyou can use the db backing00:15
notmorganin either case00:15
notmorganbut memcache works better00:16
ayounggyee, shaleh thanks for the review.  I will actually make the changes you suggest in the next review, when I post it over to Mitaka as well00:16
gyeeayoung, no problem, will wait for your next patch then00:16
kfox1111yeah, but by the look of it,fernet tokens are small, so you don't need to persist it at all, and can just use cookies?00:16
notmorgankfox1111: i would move away from PKI if you can and to fernet, fernet tokens shouldn't blow out the cookie sizes00:16
shalehayoung: np. Good to see this going somewhere00:16
notmorgankfox1111: yeah00:16
ayounggyee, its workflow +1.  I'm going to let that go in00:16
kfox1111k. was planning on it. just double checking if I can safely get rid of memcached when I do.00:17
gyeeayoung, that's fine00:17
notmorgankfox1111: yeah you should be able to00:17
ayoungshaleh, not only is there no d in priveledged  there is an i in privileged00:17
shalehayoung: :-)00:17
gyeedamn spellcheck00:18
*** aginwala has joined #openstack-keystone00:18
shalehayoung: I still have scars from English teachers past. I am a pretty decent red ink wielder.00:18
ayoungshaleh, as I said, I wish this was end user documentation00:19
ayoungthis degree of dilligence is awesome, its just that the spec effort is a dead end.00:19
shalehayoung: the next step is having docs people digest the specs00:20
shalehayoung: we devels are good at writing for each other. Real users needs a different level and approach.00:21
*** jbell8 has quit IRC00:21
shalehayoung: I beat up on grammar because it makes it easier for ESL folk to read and follow along. Hard enough dealing with proper English :-)00:21
*** sthillma has joined #openstack-keystone00:27
gyeeshaleh, I was in ESL00:28
openstackgerritayoung proposed openstack/keystone-specs: Implied  Roles  https://review.openstack.org/12570400:28
ayoungallright you pedants...I did clean it up00:29
ayoungshaleh, there is nothing proper about English00:29
shalehayoung: hey, you know you like the attention00:29
shalehayoung: that is way, way, true00:29
shalehor is that weight, way, whey true?00:29
*** aginwala has quit IRC00:29
ayoungsthillma, mind if I discuss it here?00:29
sthillmaayoung, sure we can00:30
ayoungsthillma, why is your service catalog empty?00:30
ayoungYoui can certainly repopulate, but...it indicates larger problems00:30
sthillmaseems like that might be more an issue on the installer/OSP-D side, unfortunately we were adding nodes and hitting other issues so inital deployment was a week+ ago00:31
sthillmaif there’s anything in particular I should check for in the logs I can (this also isn’t my setup so I’m not 100% every step that was done), otherwise if it makes sense to repopulate, I’m open to giving it a shot00:34
kfox1111it looks like embeding keystone in apache is prefered these days?00:36
kfox1111what about https support? Is that best put in apache as well, or in haproxy?00:36
*** akanksha_ has quit IRC00:38
*** jasonsb_ has quit IRC00:42
ayoungsthillma, so...I would still wonder wjhy the service catalog was gone.  Was it deleted?  Was it never populated?  I would think that your install was seriously cmpromised00:42
ayoungIts easy enough to create the catalog entries, but I wouldn't trust the rest of the stack00:42
*** jasonsb has joined #openstack-keystone00:42
ayoungkfox1111, https can be done either way.00:42
ayoungkfox1111, if you are using HA Proxy for other things, and you want to include Keystone in there, then HTTPS can be done to the proxy.00:43
ayoungIf you are doing client cert auth, you want to go right to the HTTPD server, and do HTTPS out of there. You have options00:43
kfox1111k. thx.00:46
sthillmaayoung- yeah, agreed, so the likely explaination I was given was that the OSP-D post-deployment config didn’t run for some reason (if the initial deploy was more recent I’d try and find out). Right now though, I’m thinking we try restoring the catalog, then if we hit any other issues at all, call it borked and start over00:46
*** jasonsb has quit IRC00:47
*** RichardRaseley has quit IRC00:53
ayoungsthillma, if you didn't get a catalog, why would you think that anything else worked?  I'd reinstall.00:54
*** jerrygb has quit IRC00:55
*** hrou has joined #openstack-keystone00:55
sthillmaayoung, sure, will do that then, thanks!00:56
*** mylu has quit IRC00:56
*** aginwala has joined #openstack-keystone00:56
*** mylu has joined #openstack-keystone00:56
*** spandhe has joined #openstack-keystone00:57
*** gyee has quit IRC00:57
*** spandhe_ has joined #openstack-keystone01:00
*** spandhe has quit IRC01:01
*** spandhe_ is now known as spandhe01:01
*** mylu has quit IRC01:01
*** hrou has quit IRC01:04
*** EinstCrazy has joined #openstack-keystone01:07
*** jamielennox is now known as jamielennox|away01:10
*** shaleh has quit IRC01:21
*** aginwala has quit IRC01:23
*** stevemar_ has quit IRC01:23
*** aginwala has joined #openstack-keystone01:27
*** aginwala has quit IRC01:27
*** topol has joined #openstack-keystone01:29
*** ChanServ sets mode: +v topol01:29
ayounghenrynash, https://review.openstack.org/#/c/125704/20  still OK to +2?01:33
openstackgerritMerged openstack/keystone: Fix the wrong method name  https://review.openstack.org/24395101:33
*** topol has quit IRC01:33
*** mylu has joined #openstack-keystone01:41
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/24619701:45
openstackgerritayoung proposed openstack/keystone: set `is_admin` on tokens for admin project  https://review.openstack.org/24071901:46
*** spandhe has quit IRC01:49
openstackgerritSean Perry proposed openstack/keystone: Clean up new_credential_ref usage and surrounding code  https://review.openstack.org/24671301:49
*** spandhe has joined #openstack-keystone01:50
*** boris-42 has joined #openstack-keystone01:50
*** sthillma has quit IRC02:01
openstackgerritMerged openstack/keystone: Use unit.new_user_ref consistently  https://review.openstack.org/24387702:05
ayoungbknudson_, can you give this a once over?  I think it would help if you  look it over as early as possible.  WOuld be wonderful to have it in for M1  https://review.openstack.org/#/c/240719/02:07
*** tqtran has quit IRC02:08
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/24619702:10
*** stevemar_ has joined #openstack-keystone02:14
*** ChanServ sets mode: +o stevemar_02:14
*** jasonsb has joined #openstack-keystone02:20
openstackgerritSteve Martinelli proposed openstack/keystone: Move federation extension into keystone core  https://review.openstack.org/21477502:26
openstackgerritSteve Martinelli proposed openstack/keystone: Move federation sql migrations to common  https://review.openstack.org/23453702:26
*** aginwala has joined #openstack-keystone02:28
*** jerrygb has joined #openstack-keystone02:29
openstackgerritSteve Martinelli proposed openstack/keystone: Move oauth1 extension into core  https://review.openstack.org/23459802:30
openstackgerritSteve Martinelli proposed openstack/keystone: Move oauth1 sql migrations to common  https://review.openstack.org/23512102:30
*** dims_ has quit IRC02:30
openstackgerritSteve Martinelli proposed openstack/keystone: Move revoke extension into core  https://review.openstack.org/23570402:30
openstackgerritSteve Martinelli proposed openstack/keystone: Move revoke sql migrations to common  https://review.openstack.org/23571202:30
*** LZ has joined #openstack-keystone02:32
*** aginwala has quit IRC02:32
*** stevemar_ has quit IRC02:42
*** fawadkhaliq has joined #openstack-keystone02:42
*** stevemar_ has joined #openstack-keystone02:42
*** ChanServ sets mode: +o stevemar_02:42
notmorganstevemar_: busy eh?02:48
*** lhcheng has quit IRC02:49
*** lhcheng has joined #openstack-keystone02:50
*** ChanServ sets mode: +v lhcheng02:50
*** lhcheng has quit IRC02:50
*** spandhe has quit IRC02:53
*** mylu has quit IRC02:59
stevemar_notmorgan: just a pinch :)03:00
notmorganstevemar_: i'm approving a spec unless you want more than 2x cores looking at it03:01
notmorganstevemar_: but it's been through a bunch of iterations and looks solid now.03:01
notmorganstevemar_: https://review.openstack.org/#/c/125704/2103:01
notmorganstevemar_: implied roles thing03:01
stevemar_notmorgan: leave your +203:02
stevemar_i was going to take one last look at it tonight03:02
notmorganstevemar_: ah ok will hold on +A then03:02
stevemar_and possibly issue a follow on to clean things up03:02
notmorganyeah. that's the view I have on it, anything outstanding really should be a followup03:02
notmorganits close enough that it wont be materially different03:03
*** aginwala has joined #openstack-keystone03:04
stevemar_notmorgan: review 'domain specific roles' now? :)03:04
notmorganstevemar_: uh.03:05
*** roxanaghe has quit IRC03:05
notmorganstevemar_: <whine>but i already reviewed one spec</whine>03:05
*** richm has quit IRC03:05
stevemar_notmorgan: hehe03:07
stevemar_ayoung: oh adam :)03:08
stevemar_if only you read 10 lines of scroll up :)03:08
*** aginwala_ has joined #openstack-keystone03:09
*** browne has joined #openstack-keystone03:09
*** aginwala_ has quit IRC03:10
openstackgerritMerged openstack/keystone-specs: Implied  Roles  https://review.openstack.org/12570403:11
*** aginwala has quit IRC03:12
*** aginwala has joined #openstack-keystone03:12
notmorganstevemar_: shhhhh ayoung is doing family things i'm sure03:15
*** aginwala has quit IRC03:16
notmorganstevemar_: oh i can't review domain specific roles, merge conflict </cop out reason>03:16
ayoungnotmorgan, I can rebase....03:17
notmorganayoung: don't make it easy :P it means i'll need to review more things03:17
notmorganactually... technically i'm still trying to un-burnout for another couple week03:17
notmorgans03:17
ayoungnotmorgan, glad you will be there to help keep Portland weird.03:18
notmorganayoung: portland is kindof awesome03:18
notmorganayoung: like... seriously so.03:18
notmorganayoung: i know it isn't east coast (timezone offset still)03:19
ayoungnotmorgan, while I don't disagree, I suspect you are in the Honeymoon period there...03:19
ayoungAlways fun to have a fresh start03:19
notmorganayoung: i've kindof spent a lot of time up here though. more than east coast.03:20
ayoungwhen it is assumed willingly, that is03:20
notmorganayoung: i've found LA to suck a lot. escaping LA has been a "must do" for like the last 5 years03:20
*** spandhe has joined #openstack-keystone03:20
notmorganayoung: so almost anywhere that isn't LA is a good change (real city wise)03:20
ayoungstevemar_, if it makes you feel better, the recent set of changes to the API doc means I have a serious bit of rewriting to do on the Implied Roles implementation03:20
ayoung"I've spent four lonely days in a a brown LA haze..."03:21
notmorganooh i found another CFL in my apartment i need to replace with an LED lightbulb03:21
* notmorgan finds CFLs still flicker too much03:21
*** lhcheng has joined #openstack-keystone03:23
*** ChanServ sets mode: +v lhcheng03:23
*** spandhe_ has joined #openstack-keystone03:23
ayoungand they have mercury03:24
ayoungGAH...Did something chqange that would make unit tests fail reading policy files?  DO I need to recreate the tox venv?03:24
*** spandhe has quit IRC03:25
*** spandhe_ is now known as spandhe03:25
openstackgerritDave Chen proposed openstack/keystone: Move revoke sql migrations to common  https://review.openstack.org/23571203:27
ayoungstevemar_, somfing broken http://paste.openstack.org/show/479199/03:28
ayoungI can try a git bisect to figure out what...03:28
openstackgerritDave Chen proposed openstack/keystone: Move endpoint_filter migrations into keystone core  https://review.openstack.org/18698803:29
openstackgerritDave Chen proposed openstack/keystone: Move endpoint filter into keystone core  https://review.openstack.org/18337703:29
openstackgerritayoung proposed openstack/keystone: Implied Roles  https://review.openstack.org/24261403:31
*** jasonsb has quit IRC03:33
*** aj2 has joined #openstack-keystone03:33
stevemar_ayoung: that on master?03:46
ayoungstevemar_, yep03:46
stevemar_ayoung: rm -rf .tox; tox -e py2703:47
ayoungstevemar_, I just submitted an updated patch that should pass unit tests.  Lets see if it is my machine or the code base.03:47
ayoungstevemar_, I did tox -r03:47
ayoungbut... let me be certain and sure...03:47
ayoungstevemar_, yep./..still happens...03:50
ayoungah..but that was not master....let me try master...03:50
ayoungstevemar_, yep, consistent.03:52
*** aj2 has quit IRC03:54
*** mylu has joined #openstack-keystone03:56
*** mylu_ has joined #openstack-keystone03:57
*** mylu has quit IRC04:00
*** jasonsb has joined #openstack-keystone04:04
*** mylu_ has quit IRC04:04
*** fawadkhaliq has quit IRC04:06
*** jasonsb has quit IRC04:09
stevemar_ayoung: you commit to master or something?04:10
ayoungstevemar_, noope04:10
ayounggit log shows commit 051aeffc164bff5b0267f8cc6ccd14fe8b7b5d7604:10
ayoungMerge: fb0e603 578428504:10
ayoungAuthor: Jenkins <jenkins@review.openstack.org>04:10
ayoungDate:   Wed Nov 18 02:05:25 2015 +000004:10
ayoung    Merge "Use unit.new_user_ref consistently"04:10
*** mylu has joined #openstack-keystone04:12
*** spandhe has quit IRC04:12
stevemar_weird04:15
ayoungstevemar_, gotta head to bed...if it is just my machine, not a big deal.  If it is a real breakage, others will see it.04:16
stevemar_yep04:17
stevemar_n04:17
stevemar_gn04:17
*** spandhe has joined #openstack-keystone04:17
openstackgerritMerged openstack/keystone-specs: Clarify is_domain project attribute in API version 3.5  https://review.openstack.org/22846904:24
*** fawadkhaliq has joined #openstack-keystone04:27
openstackgerritMerged openstack/keystone: Add testcases to check cache invalidation in endpoint filter extension  https://review.openstack.org/24563304:33
*** markvoelker_ has quit IRC04:40
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/24619704:40
openstackgerrithenry-nash proposed openstack/keystone-specs: Domain Specific Roles  https://review.openstack.org/22666104:43
*** hrou has joined #openstack-keystone04:43
*** aj2 has joined #openstack-keystone04:44
*** jasonsb has joined #openstack-keystone04:52
*** spandhe_ has joined #openstack-keystone04:53
*** jamielennox|away is now known as jamielennox04:54
*** spandhe has quit IRC04:55
*** spandhe_ is now known as spandhe04:55
*** sthillma has joined #openstack-keystone05:01
*** sthillma_ has joined #openstack-keystone05:03
*** sthillma has quit IRC05:06
*** sthillma_ is now known as sthillma05:06
*** LZ has quit IRC05:13
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/24619705:15
spandhelhcheng: Hi Lin05:18
lhchengspandhe: hey!05:18
spandhelhcheng: hey, have a qn.. what should we set KSCTEST_PATH value for tests? should be the repo or keystoneclient directory?05:20
spandhelhcheng: our unittests started failing since https://github.com/openstack/python-keystoneclient/commit/d9031c252848d89270a543b67109a46f9c505c8605:20
spandheand we realized that keystone was using master for keystoneclient05:21
openstackgerritSteve Martinelli proposed openstack/keystone: Add release notes for mitaka thus far  https://review.openstack.org/24674905:23
lhchengspandhe: where is KSCTEST_PATH set? Is that on our jenkins job?05:23
*** jerrygb has quit IRC05:25
stevemar_lhcheng: hey can you do me a simple favor05:27
stevemar_lhcheng: i'm heading to bed, but in ~5 minutes, can you recheck this patch: https://review.openstack.org/#/c/246145/ i looked at zuul and it's going to fail :(05:27
stevemar_see you all tmrw!05:27
*** stevemar_ has quit IRC05:27
lhchengstevemar_: sure, I'll baby sit the patch :)05:27
lhchenggood night!05:28
*** stevemar_ has joined #openstack-keystone05:28
*** ChanServ sets mode: +o stevemar_05:28
openstackgerritDave Chen proposed openstack/keystone: Move endpoint_filter migrations into keystone core  https://review.openstack.org/18698805:28
openstackgerritDave Chen proposed openstack/keystone: Move endpoint filter into keystone core  https://review.openstack.org/18337705:28
*** lhcheng_ has joined #openstack-keystone05:29
*** topol has joined #openstack-keystone05:29
*** ChanServ sets mode: +v topol05:29
*** stevemar_ has quit IRC05:30
*** akanksha_ has joined #openstack-keystone05:31
openstackgerrithenry-nash proposed openstack/keystone-specs: Move inherited assignments to core, and support new inheritance rules  https://review.openstack.org/20043405:32
*** lhcheng has quit IRC05:32
*** roxanaghe has joined #openstack-keystone05:40
*** topol has quit IRC05:50
*** gildub_ has quit IRC05:53
*** sthillma has quit IRC05:54
*** yangyapeng has joined #openstack-keystone05:57
*** hrou has quit IRC06:00
*** mylu has quit IRC06:08
*** mylu has joined #openstack-keystone06:09
*** mylu has quit IRC06:13
openstackgerritAjaya Agrawal proposed openstack/keystone: remove assignments when deleting a domain  https://review.openstack.org/12743306:20
*** clayton has quit IRC06:22
*** clayton has joined #openstack-keystone06:23
*** tyagiprince has joined #openstack-keystone06:28
*** spandhe has quit IRC06:30
*** chirag has joined #openstack-keystone06:32
*** rcernin has joined #openstack-keystone06:37
*** lhcheng has joined #openstack-keystone06:39
*** ChanServ sets mode: +v lhcheng06:39
*** markvoelker has joined #openstack-keystone06:40
*** lhcheng_ has quit IRC06:42
*** roxanaghe has quit IRC06:43
*** markvoelker has quit IRC06:45
*** gildub_ has joined #openstack-keystone07:03
chiragHello Keystone team, can anyone help me with"Not Implemented (HTTP 501)" error received during execution of keystone user-role-add. its a bit urgent any leads would be greats07:07
*** josecastroleon has joined #openstack-keystone07:10
*** jaosorior has joined #openstack-keystone07:12
*** sthillma has joined #openstack-keystone07:12
*** jaosorior has quit IRC07:13
*** jaosorior has joined #openstack-keystone07:14
*** sthillma has quit IRC07:17
chiragHello Keystone team, can anyone help me with"Not Implemented (HTTP 501)" error received during execution of keystone user-role-add. its a bit urgent any leads would be great.07:21
*** gildub_ has quit IRC07:24
*** jerrygb has joined #openstack-keystone07:25
*** jerrygb has quit IRC07:30
*** LZ has joined #openstack-keystone07:32
lhchengchirag: more details on the error?07:38
lhchenglogs?07:38
*** Nirupama has joined #openstack-keystone07:39
chiragthanks lhcheng for reply07:40
*** gildub_ has joined #openstack-keystone07:41
*** markvoelker has joined #openstack-keystone07:41
chiragthere are no error logs being recieved07:41
chiragDEBUG:urllib3.connectionpool:"PUT http://***:35357/v2.0/tenants/db041652bebb474b9a2100525bc04c41/users/b7d03ef364294c6193265d79dd06c294/roles/OS-KSADM/fee42af040fb465c9f01476a86c9d464 HTTP/1.1" 501 None DEBUG:keystoneclient.session:RESP: DEBUG:keystoneclient.session:Request returned failure status: 501 Not Implemented (HTTP 501)07:42
chiragthis is the output of the debug mode07:42
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/24619707:43
lhchengwhat version of keystone are you running?07:44
*** markvoelker has quit IRC07:46
chiragits is 1.2.0    (keystone --version 1.2.0)07:46
lhchengI tried the same command, the REST endpoint you're hitting looks right07:46
chiragI am really blank why only this command is failing. Rest all command are running fine.07:47
lhchengso user-list works fine on port 35357 ?07:48
chiragYes07:48
*** jmccrory has quit IRC07:49
chiragI am getting proper output for  user-list07:49
lhchengare you using sql role assignment driver?07:49
*** urulama has joined #openstack-keystone07:50
chiragI am not sure of that how can I verify it?07:51
lhchengfrom keystone.conf07:51
chiragwhich variable are you taking about [assignment]  # # From keystone #  # Assignment backend driver. (string value) #driver = <None>07:52
*** browne has quit IRC07:52
chiragsnippet of keystone.conf   =====[assignment]  # # From keystone #  # Assignment backend driver. (string value) #driver = <None>=====07:53
*** jmccrory has joined #openstack-keystone07:54
lhchengthat looks right, should default to sql07:57
*** belmoreira has joined #openstack-keystone07:57
lhchengwhat does your keystone logs show?07:57
*** breitz has quit IRC07:58
*** breitz1 has joined #openstack-keystone07:58
chirag==INFO eventlet.wsgi.server [-] 10.128.101.11 - - [18/Nov/2015 17:43:08] "GET /v2.0/users/b7d03ef364294c6193265d79dd06c294 HTTP/1.1" 200 411 0.013134==08:01
chirag==eventlet.wsgi.server [-] 10.128.101.11 - - [18/Nov/2015 17:43:08] "GET /v2.0/OS-KSADM/roles/fee42af040fb465c9f01476a86c9d464 HTTP/1.1" 200 311 0.011922==08:01
chirag==ventlet.wsgi.server [-] 10.128.101.11 - - [18/Nov/2015 17:43:08] "GET /v2.0/tenants/db041652bebb474b9a2100525bc04c41 HTTP/1.1" 200 351 0.006384==08:01
chiragAll logs for req08:03
chiragventlet.wsgi.server [-] 10.128.101.11 - - [18/Nov/2015 17:43:08] "GET /v2.0/tenants/db041652bebb474b9a2100525bc04c41 HTTP/1.1" 200 351 0.00638408:03
chirag@lhcheng could you please help ?? any idea?08:04
lhchengwhat openstack version are you running?08:05
lhchengthe keystone version you gave is the version of keystoneclient08:05
lhchengcan you also put in paste the config (cleanup the credentials before posting)08:06
chiragI am using openstack Kilo release08:06
openstackgerrithenry-nash proposed openstack/keystone: Create new version of assignment driver interface  https://review.openstack.org/24285308:09
*** jaosorior has quit IRC08:10
lhchengso I noticed that if you didn't pass the --tenant it returns a 501 error :(08:10
lhchengcould that be the case08:10
lhcheng?08:10
chiragYes I have seen that08:11
chiragI passed tenantid with the same but no help08:11
chiragit returned same error08:11
chiragadmin_token = *** debug = true verbose = True log_dir = /var/log/keystone connection = mysql://keystone:***@controller/keystone servers = localhost:11211 driver = keystone.contrib.revoke.backends.sql.Revoke provider = keystone.token.providers.uuid.Provider driver = keystone.token.persistence.backends.memcache.Token Distribution = Ubuntu08:12
*** stevemar_ has joined #openstack-keystone08:12
*** ChanServ sets mode: +o stevemar_08:12
chiragabove are the params defined in keystone.conf file08:13
*** jvarlamova has joined #openstack-keystone08:13
*** mkoderer has quit IRC08:15
chirag?08:15
*** stevemar_ has quit IRC08:16
*** mkoderer has joined #openstack-keystone08:17
lhchengdo other commands user-create works?08:18
lhchengthe conf seems ok..08:18
chiragYes other commands work fine08:18
chiragI have created few tenants,users,roles08:19
*** pnavarro has joined #openstack-keystone08:19
lhchengthe only reason I could think of is you used a custom assignment driver and have missing implementation08:20
lhchengbut looks like you just used the default driver08:20
lhchenghow about explicitly setting the driver value?08:20
henrynashlncheng, chirag: are we using domain specific identity backends08:21
lhchengno idea, chirag ^08:22
chiragSorry no idea08:22
lhchengchirag: can you try setting the driver explicitly for assignment08:22
lhcheng[assignment]08:22
lhchengdriver = sql08:22
henrynashchirag: try (for an experiment) specifying a domain filter in your use list command08:22
chiragOk wait I would try driver = sql, please lemme know in which filter should I define it?08:23
henrynashfirst, I may be jumping back into a problem I saw you raise earlier…and it may ahvemoved on….is your problem still that user list doesn’t wokrk?08:24
chiragNo, except role-add every other command is working08:25
henrynashok, sorry, my mistake….things have moved on!!!!08:25
*** shardy has joined #openstack-keystone08:26
chirag@lhcheng  I tried but failed error recieved is ===Unable to establish connection to http://*****:35357/v2.0/users/b7d03ef364294c6193265d79dd06c294===08:28
lhchengerror during keystone startup?08:29
chiragNo08:30
chiragit was restarted succesfully08:30
chiragkeystone logs ====CRITICAL keystone [-] ValueError: Empty module name====08:31
*** tyagiprince has quit IRC08:31
chiragreverted back to default config08:32
*** tyagiprince has joined #openstack-keystone08:33
lhchengoops try this driver = keystone.assignment.backends.sql.Assignment08:33
chirag:) ok would try again08:33
*** ygk has joined #openstack-keystone08:34
ygkHi All08:34
lhchengygk: hello!08:34
ygki am facing an issue with keystone commands on openstack kilo version08:34
ygkHI lhcheng08:34
ygkcan anyone help me with this08:35
lhchenguh oh another kilo customer :P08:35
ygkyes08:35
lhchengygk: what's up?08:35
ygki have kilo on centos 708:35
ygkwhen I setup a server wide proxy env variable for reaching internet, keystone related commands are failing08:36
ygkbut when I remove the proxy , it is working fine08:36
ygkwats the relation between keystone and proxy server ?08:36
lhchengyou running keystone as eventlet or in apache server?08:37
ygkin apache server08:37
ygkthis is the error08:37
ygkERROR: openstack Could not determine a suitable URL for the plugin08:37
lhchengthat's an error on the openstackclient?08:37
ygkyes08:38
ygki am using this command08:39
ygkopenstack --os-auth-url http://controller:35357 --os-project-name admin --os-username admin --os-auth-type password  user list08:39
ygkit is working fine if I remove the proxy env variable08:39
chiragYESSSSS it worked thansk a lot @lhcheng08:39
ygkbut doesnt work when I set it08:39
lhchengchirag: awesome!08:39
ygkwhat could be the issue with proxy server and keystone08:40
lhchengchirag: I thought the driver would set some smart default value.08:40
chirag@ygk try setting no_proxy  export no_proxy="local, localhost, 127.0.0.1, IP of your system"08:40
lhchengchirag: glad it worked08:40
ygkwhere should I set it ?08:40
chiragYes, it should have worked by default. But anyhow glad you suggested08:41
lhchengtry on the terminal where you run the openstack command08:41
*** fawadkhaliq has quit IRC08:41
chiragOn your console itself define it in evn variables08:41
*** jaosorior has joined #openstack-keystone08:41
ygkwhat exactly should I export and how ?08:42
*** fawadkhaliq has joined #openstack-keystone08:42
chiragjust type   export no_proxy="local, localhost, 127.0.0.1, IP address of your system"08:42
ygkshould I export it while retaining the proxy server env variable or without it ?08:43
chiragYes please retain your proxy server env variable08:45
lhchengygk: its almost 1am here, I'm logging out.  chirag can help you out :)08:45
lhchengnight everyone08:45
chirag THanks  . .Tc08:45
chiragWould try my best to help08:45
*** lhcheng has quit IRC08:45
ygkthanks lhcheng08:46
ygkgood night08:46
ygk@chirag. its not working when i setup noproxy08:46
ygkits throwing this error08:46
ygkERROR: openstack Could not determine a suitable URL for the plugin08:46
chiragsame error?08:46
ygkyes08:47
ygkthis is what i setup08:47
ygkno_proxy=local, localhost, 127.0.0.1, 20.20.20.12008:47
chiragplease define them in "" as "local, localhost, 127.0.0.1, 20.20.20.120"08:48
ygki did that08:48
chiragalso have you defined your controller IP in /etc/hosts ?08:48
*** akanksha_ has quit IRC08:48
ygkyes08:49
*** fhubik has joined #openstack-keystone08:50
ygkso any idea08:50
chiragany logs?08:51
ygkno logs08:51
ygkits not populating log files either08:51
chiragplease provide output of the command08:52
ygkok08:52
ygk[root@controller ~]# openstack --os-auth-url http://controller:35357 --os-project-name admin --os-username admin --os-auth-type password  user list WARNING: keystoneclient.auth.identity.generic.base Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL. WARNING: keystoneclient.auth.identity.generic.base Discovering versions from the identity service f08:52
ygkthats the output08:52
ygkERROR: openstack Could not determine a suitable URL for the plugin08:53
*** fhubik is now known as fhubik_brb08:56
*** fawadkhaliq has quit IRC08:57
ygk@chirag: any idea09:00
chiragtry url http://controller35357/v2.0/09:00
ygkoops it did not work either09:01
ygki tried it09:01
*** fhubik_brb is now known as fhubik09:01
ygkbut it is working once I remove the proxy settings09:01
chiragI am also using the same environemnt09:01
chiragMine is working great09:02
openstackgerritMarian Horban proposed openstack/python-keystoneclient: Remove lock object from BaseIdentityPlugin  https://review.openstack.org/24652109:03
chiragYou must have defined  OS_SERVICE_TOKEN  & OS_SERVICE_ENDPOINT09:03
*** tyagiprince has quit IRC09:04
*** stevemar_ has joined #openstack-keystone09:13
*** ChanServ sets mode: +o stevemar_09:13
*** stevemar_ has quit IRC09:17
*** fhubik is now known as fhubik_brb09:31
*** e0ne has joined #openstack-keystone09:32
*** xek has joined #openstack-keystone09:37
*** markvoelker has joined #openstack-keystone09:42
*** jistr has joined #openstack-keystone09:42
*** markvoelker has quit IRC09:46
*** topol has joined #openstack-keystone09:47
*** ChanServ sets mode: +v topol09:47
*** fhubik_brb is now known as fhubik09:51
*** topol has quit IRC09:51
*** tyagiprince has joined #openstack-keystone09:57
*** topol has joined #openstack-keystone10:01
*** ChanServ sets mode: +v topol10:01
*** chirag has quit IRC10:05
*** topol has quit IRC10:06
marekdayoung: looks like you don't need my help anymore ;-)10:08
*** aix has joined #openstack-keystone10:08
openstackgerritAndrey Pavlov proposed openstack/keystone: Fix string conversion in s3 handler for python 2  https://review.openstack.org/24684410:25
*** jerrygb has joined #openstack-keystone10:26
*** daemontool has joined #openstack-keystone10:28
*** ygk has left #openstack-keystone10:30
*** daemontool has quit IRC10:30
*** daemontool has joined #openstack-keystone10:30
*** jerrygb has quit IRC10:31
*** daemontool has quit IRC10:31
*** fawadkhaliq has joined #openstack-keystone10:36
*** e0ne has quit IRC10:43
*** LZ has quit IRC10:52
*** fhubik is now known as fhubik_brb10:53
tyagiprincehey i was working with keystone service.. now when i send a command to get the project list.. the logs are as follows..10:57
tyagiprincehey i was working with keystone service.. now when i send a command to get the project list.. the logs are as follows..10:57
tyagiprincehey i was working with keystone service.. now when i send a command to get the project list.. the logs are as follows..10:57
tyagiprince10.41.0.121 - - [18/Nov/2015:16:23:19 +0530] "GET / HTTP/1.1" 300 845 "-" "python-keystoneclient"10:57
tyagiprince10.41.0.121 - - [18/Nov/2015:16:23:19 +0530] "POST /v2.0/tokens HTTP/1.1" 200 1125 "-" "python-keystoneclient"10:57
tyagiprince10.41.0.121 - - [18/Nov/2015:16:23:20 +0530] "POST /v2.0/tokens HTTP/1.1" 200 1125 "-" "python-keystoneclient"10:57
tyagiprince10.41.0.121 - - [18/Nov/2015:16:23:20 +0530] "GET / HTTP/1.1" 300 844 "-" "python-keystoneclient"10:57
tyagiprince10.41.0.121 - - [18/Nov/2015:16:23:20 +0530] "GET /v2.0/tenants HTTP/1.1" 200 671 "-" "python-keystoneclient"10:57
tyagiprincewhy are there 2 POSTs and GETs at the end10:57
tyagiprince?10:57
tyagiprinceI am using uuid currently.. but will be shifting to pki soon..10:58
*** e0ne has joined #openstack-keystone11:04
*** exploreshaifali has joined #openstack-keystone11:05
*** dims has joined #openstack-keystone11:07
*** dims has quit IRC11:12
*** EinstCrazy has quit IRC11:13
*** yangyapeng has quit IRC11:13
*** stevemar_ has joined #openstack-keystone11:14
*** ChanServ sets mode: +o stevemar_11:14
*** fhubik_brb is now known as fhubik11:15
*** daemontool has joined #openstack-keystone11:17
*** stevemar_ has quit IRC11:18
*** dims has joined #openstack-keystone11:18
*** daemontool has quit IRC11:18
*** daemontool has joined #openstack-keystone11:19
*** daemontool has quit IRC11:21
*** daemontool has joined #openstack-keystone11:24
*** pgreg has joined #openstack-keystone11:24
*** pgreg has quit IRC11:24
openstackgerritKseniya Tychkova proposed openstack/oslo.policy: Draft implementation of LDAP RBAC blueprint  https://review.openstack.org/24405911:24
*** fhubik is now known as fhubik_brb11:26
*** aix has quit IRC11:31
*** aswadr has joined #openstack-keystone11:32
*** aix has joined #openstack-keystone11:32
*** urulama has quit IRC11:33
*** urulama has joined #openstack-keystone11:33
*** aj2 has quit IRC11:42
*** markvoelker has joined #openstack-keystone11:43
*** daemontool has quit IRC11:47
*** markvoelker has quit IRC11:47
*** daemontool has joined #openstack-keystone11:47
*** exploreshaifali has quit IRC11:49
*** fhubik_brb is now known as fhubik11:49
*** exploreshaifali has joined #openstack-keystone11:52
*** topol has joined #openstack-keystone11:56
*** ChanServ sets mode: +v topol11:56
*** gildub_ has quit IRC11:59
*** doug-fish has joined #openstack-keystone12:02
*** exploreshaifali has quit IRC12:03
*** gildub_ has joined #openstack-keystone12:03
*** EinstCrazy has joined #openstack-keystone12:06
*** pnavarro is now known as pnavarro|lunch12:07
*** Nirupama has quit IRC12:11
*** aswadr has quit IRC12:15
*** gildub_ has quit IRC12:17
*** wolsen has quit IRC12:20
*** alejandrito has joined #openstack-keystone12:23
*** pauloewerton has joined #openstack-keystone12:27
*** hrou has joined #openstack-keystone12:29
*** jsheeren has joined #openstack-keystone12:29
*** yangyapeng has joined #openstack-keystone12:32
*** hrou has quit IRC12:34
*** fhubik is now known as fhubik_brb12:37
*** aj2 has joined #openstack-keystone12:38
*** fawadkhaliq has quit IRC12:42
*** markvoelker has joined #openstack-keystone12:43
*** fhubik_brb is now known as fhubik12:45
*** markvoelker has quit IRC12:48
*** NM has joined #openstack-keystone12:54
*** e0ne has quit IRC12:57
*** jerrygb has joined #openstack-keystone13:06
raildohenrynash: nice email for ML :)13:07
*** gordc has joined #openstack-keystone13:07
henrynashraildo: thx, gotta spell it out!13:07
*** markvoelker has joined #openstack-keystone13:09
*** gordc_ has joined #openstack-keystone13:09
*** jerrygb has quit IRC13:10
*** e0ne has joined #openstack-keystone13:10
*** aj2 has quit IRC13:12
*** gordc has quit IRC13:13
*** stevemar_ has joined #openstack-keystone13:15
*** ChanServ sets mode: +o stevemar_13:15
*** stevemar_ has quit IRC13:18
*** pnavarro|lunch is now known as pnavarro13:25
*** peter-hamilton has joined #openstack-keystone13:28
*** topol has quit IRC13:30
ayounghenrynash, I know we want the feature for "domain specific roles" but can we perhaps give it a more generic name?  It will have wider application.13:33
* ayoung just saw reseller email13:34
*** peter-hamilton has quit IRC13:34
*** gordc_ has quit IRC13:34
henrynashayoung: suggestions (on the domain specific roles)?13:38
ayounghenrynash, I think I withdraw the comment...everything I've thought of sucks13:39
ayounglets go with domain specific13:39
henrynashayoung: ha!13:40
ayounghenrynash, I've got a couple engineers I'm walking through things...your DSR specs comes right after13:40
henrynashayoung: sure, thx13:40
ayounghenrynash, I might broaden it in the future, but use the same mechanism13:40
ayoungbut future...progres...13:40
henrynashayoung: ok13:40
*** kashyap has joined #openstack-keystone13:45
kashyapWith today's DevStack, I'm hitting this 'Could not determine a suitable URL for the plugin' while DevStack attempts to import a disk image into Glance13:46
kashyapFails here:13:46
kashyap...13:47
kashyap2015-11-18 13:16:57.406 | + openstack --os-cloud=devstack-admin image create cirros-0.3.3-x86_64-disk --public --container-format=bare --disk-format qcow213:47
kashyap2015-11-18 13:16:58.198 | Could not determine a suitable URL for the plugin13:47
kashyap...13:47
kashyapAnyone else see this too?13:47
kashyapSeems like it's coming from here: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/auth/identity/generic/base.py#L17913:47
* kashyap checks w/ Glance folks, too.13:48
*** jsheeren has quit IRC13:51
*** thiagop has joined #openstack-keystone13:52
*** richm has joined #openstack-keystone13:52
*** bill_az has joined #openstack-keystone13:53
samueldmqhenrynash: hi, you around ? :)13:56
*** doug-fish has quit IRC13:58
*** tjcocozz has joined #openstack-keystone13:58
samueldmqhenrynash: re: name clashing13:58
*** hrou has joined #openstack-keystone13:59
*** tjcocozz has quit IRC13:59
*** peter-hamilton has joined #openstack-keystone13:59
henrynashsamuedlmq: hi14:02
henrynashsamueldmq: I’ll be back on in a while…willping you back14:03
*** henrynash has quit IRC14:03
*** ktychkova_ has quit IRC14:03
*** opilotte has joined #openstack-keystone14:04
*** exploreshaifali has joined #openstack-keystone14:04
*** LukeHinds has joined #openstack-keystone14:06
openstackgerritOlivier Pilotte proposed openstack/keystone-specs: Accepts Group IDs from the IdP without domain  https://review.openstack.org/21630814:07
*** bapalm has joined #openstack-keystone14:08
*** boris-42 has quit IRC14:08
*** fhubik is now known as fhubik_brb14:09
*** tjcocozz has joined #openstack-keystone14:14
*** tjcocozz_ has joined #openstack-keystone14:14
*** chirag has joined #openstack-keystone14:15
chiragUrgent help needed : I am trying to authenticate glance with my keystone server but again again receiving authentication errors. logs from keystone says ==keystone.token.controllers [-] User 050ce8abbfe24c82be59778e9155a9c9 is unauthorized for tenant service==14:17
chiragCan anyone help me out with this??14:17
chiragcommand being executed is ==glance member-list The request you have made requires authentication. (HTTP 401) (Request-ID: req-127f74a0-286d-43e9-9337-147bbee95d4c)==14:17
samueldmqchirag: looks like a clear message from a keystone pov14:18
samueldmqchirag: the given user has no role assignnment on that project14:19
chiragYes, but I have added glance user under my service tenant14:19
samueldmqchirag: check the role assignments (grants)14:19
opilottemarekd, dolphm, dstanek: can we proceed with the review of https://review.openstack.org/#/c/210581 and https://review.openstack.org/#/c/216308/ ? thanks14:19
mordrednotmorgan, jamielennox: https://review.openstack.org/#/c/245304/ (or anyone else) I'd love some feedback as to whether this is good, good but needs more work, or a no-go14:20
chiragI have assigned admin role to the same14:20
samueldmqchirag: I need to leave now, I will be back in a bit and help you digging a bit more on this if anyone else doesn't14:20
mordredif it's a no-go, I can work on putting the same sort of thing elsewhere14:20
*** fhubik_brb is now known as fhubik14:20
chiragno issues . . .14:20
*** doug-fish has joined #openstack-keystone14:21
notmorganmordred: I don't have any issues with it, with exception of not seeing tests/in action example14:21
samueldmqmordred: so basically authenticate using the data passed as arguments with --etc14:21
notmorganmordred: I think it is a reasonable addition14:22
samueldmqmordred: I will take a look in a bit :)14:22
mordrednotmorgan: k. so writing tests is worth the effort?14:22
notmorgancheck with jamielennox, but I don't see why this isn't a good idea14:22
mordrednotmorgan: in-action example here: https://review.openstack.org/#/c/245200/ via https://review.openstack.org/#/c/241715/14:23
notmorganlooking14:23
notmorgan this makes sense to me14:25
*** daemontool_ has joined #openstack-keystone14:25
*** daemontool_ has quit IRC14:26
*** lsmola has quit IRC14:26
*** daemontool_ has joined #openstack-keystone14:27
notmorganthe adapter feels like the right place to manage these args14:27
*** daemontool has quit IRC14:27
*** daemontool_ has quit IRC14:28
*** daemontool_ has joined #openstack-keystone14:29
*** lsmola has joined #openstack-keystone14:29
chiragUrgent help needed : I am trying to authenticate glance with my keystone server but again again receiving authentication errors. logs from keystone says ==keystone.token.controllers [-] User 050ce8abbfe24c82be59778e9155a9c9 is unauthorized for tenant service==14:29
*** hrou has left #openstack-keystone14:30
chiragIt would be really helpful if anyone could provide any lead14:30
*** timcline has joined #openstack-keystone14:31
*** lsmola has quit IRC14:31
*** openstackgerrit has quit IRC14:31
*** openstackgerrit has joined #openstack-keystone14:32
notmorganl14:34
*** timcline has quit IRC14:37
openstackgerritayoung proposed openstack/keystone: Implied Roles  https://review.openstack.org/24261414:40
*** bapalm has quit IRC14:43
*** tjcocozz has quit IRC14:43
*** bapalm has joined #openstack-keystone14:43
*** chirag has quit IRC14:44
*** tjcocozz has joined #openstack-keystone14:44
*** fawadkhaliq has joined #openstack-keystone14:44
*** raildo is now known as raildo-afk14:46
*** asd has joined #openstack-keystone14:47
*** asd has left #openstack-keystone14:47
*** opilotte has quit IRC14:50
openstackgerritBrant Knudson proposed openstack/keystone: Refactor test use of new_*_ref  https://review.openstack.org/23720514:50
*** daemontool_ has quit IRC14:51
*** petertr7_away is now known as petertr714:52
*** mhickey has joined #openstack-keystone14:55
openstackgerritBrant Knudson proposed openstack/keystone: Remove keystoneclient tests  https://review.openstack.org/24047414:56
*** tyagiprince has quit IRC15:00
dstanekopilotte-: ?15:00
openstackgerritBoris Bobrov proposed openstack/keystone: Fix exposition of bug about limiting with ldap  https://review.openstack.org/23422615:00
openstackgerritBoris Bobrov proposed openstack/keystone: Simplify LimitTests  https://review.openstack.org/23430015:00
openstackgerritBoris Bobrov proposed openstack/keystone: Enable limiting in ldap for groups  https://review.openstack.org/23484915:00
openstackgerritBoris Bobrov proposed openstack/keystone: Make @truncated common for all backends  https://review.openstack.org/23306915:00
openstackgerritBoris Bobrov proposed openstack/keystone: Use @truncated in ldap for users  https://review.openstack.org/23307015:00
*** daemontool has joined #openstack-keystone15:01
*** topol has joined #openstack-keystone15:04
*** ChanServ sets mode: +v topol15:04
*** akanksha_ has joined #openstack-keystone15:06
openstackgerritBoris Bobrov proposed openstack/keystone: Enable limiting in ldap for groups  https://review.openstack.org/23484915:11
openstackgerritBoris Bobrov proposed openstack/keystone: Use @truncated in ldap for users  https://review.openstack.org/23307015:11
openstackgerritDave Chen proposed openstack/keystone: Move federation extension into keystone core  https://review.openstack.org/21477515:11
*** exploreshaifali has quit IRC15:12
*** jaosorior has quit IRC15:13
*** jaosorior has joined #openstack-keystone15:13
openstackgerritDave Chen proposed openstack/keystone: Move federation sql migrations to common  https://review.openstack.org/23453715:13
openstackgerritDave Chen proposed openstack/keystone: Move oauth1 extension into core  https://review.openstack.org/23459815:13
openstackgerritDave Chen proposed openstack/keystone: Move oauth1 sql migrations to common  https://review.openstack.org/23512115:13
openstackgerritDave Chen proposed openstack/keystone: Move revoke extension into core  https://review.openstack.org/23570415:14
openstackgerritDave Chen proposed openstack/keystone: Move revoke sql migrations to common  https://review.openstack.org/23571215:14
*** davechen has joined #openstack-keystone15:15
*** henrynash has joined #openstack-keystone15:16
*** ChanServ sets mode: +v henrynash15:16
*** stevemar_ has joined #openstack-keystone15:16
*** ChanServ sets mode: +o stevemar_15:16
*** sborkows has joined #openstack-keystone15:16
*** andrewbogott has quit IRC15:16
henrynashsamueldmq: hi15:16
*** d34dh0r53 has quit IRC15:17
*** Nakato has quit IRC15:17
*** d34dh0r53 has joined #openstack-keystone15:17
openstackgerritayoung proposed openstack/keystone: Implied Roles  https://review.openstack.org/24261415:17
*** andrewbogott has joined #openstack-keystone15:18
*** jaosorior has quit IRC15:18
*** Nakato has joined #openstack-keystone15:18
*** pumaranikar has joined #openstack-keystone15:18
*** jaosorior has joined #openstack-keystone15:18
*** stevemar_ has quit IRC15:18
samueldmqhenrynash: hey15:20
henrynashsamueldmq: I think you had a question/comment on project names....15:20
*** tonytan4ever has joined #openstack-keystone15:21
*** timcline has joined #openstack-keystone15:21
*** timcline has quit IRC15:22
*** kashyap has left #openstack-keystone15:22
*** timcline has joined #openstack-keystone15:23
*** aj2 has joined #openstack-keystone15:23
*** andrewbogott has quit IRC15:23
*** andrewbogott has joined #openstack-keystone15:23
samueldmqhenrynash: ah yes, name clashing15:24
samueldmqhenrynash: so, the issue is when we have a project and a domain with the same name15:24
samueldmqhenrynash: and we want to get a project scoped token in the is-domain project, so that becomes confusing15:24
samueldmqhenrynash: is that right ?15:24
*** slberger has joined #openstack-keystone15:24
*** urulama has quit IRC15:25
henrynashsamueldmq: well, yes, that’s the thing we would not support if we allow name clashing projects15:25
*** raildo-afk is now known as raildo15:25
*** urulama has joined #openstack-keystone15:25
henrynashsamueldmq: you can use projectID of course, but not project name15:26
henrynashsamueldmq: although I’m alos suggesting that we might just want to avoid the confusion for now by making it illegal (as per my mail)15:26
samueldmqhenrynash: what if we don't allow pure project scoped tokens in is-domain projects ?15:26
samueldmqhenrynash: and just is-domain project scoped tokens on them ?15:27
henrynashsamuedmq: what’s an is-domain project scoped token?15:27
samueldmqhenrynash: a domain scoped token15:27
samueldmqhenrynash: but in the project format15:27
samueldmqhenrynash: containing the is_domain=true in it15:27
*** csoukup has joined #openstack-keystone15:27
samueldmqhenrynash: that we keep our current behavior, but just adding the alternative representation, that brings the advantage of easier adoption by other projects (and policies)15:28
henrynashsamueldmq: so I suggested that way back…and some people really did not like it (and Im still not sure why)15:28
samueldmqhenrynash: at the worst we arent' removing something; we are just not adding it15:28
ayounghenrynash, I think we need to solve hierarchical naming before we can nest domains, or we will get ourselves stuck15:29
samueldmqhenrynash: at the end, that means you won't be able to create openstack resources (like instances) on domains, which is the current behavior15:29
ayoungcan we tackle that first?15:29
ayoungSay we have a domain "customers"15:29
ayoungand we want "customers"."pepsi"  and "customers"."coke" as subdomains15:29
henrynashayoung: I really don’t want to solve that problem now…and for many cloud providers we don’t need to solve that problem now…we debated this at length during Liberty and agreed we didn’t need to (yet)15:30
ayounghenrynash, nested domains but a flat namespace will be a mistake we can't reverse15:30
ayounghenrynash, I know, but without it, I am kindo fixed on domains have to be flat15:31
ayounghenrynash, the solution might be some horrible naming approach now, with maybe more constraints:15:31
henrynashayoung: why, it’s more restrictive than we need when we solve hierarchical naming, so not sure what we are blocking off for teh future15:31
ayoungdomain names must be limited to a-zA-Z15:31
ayounghenrynash, so if the dom,ains are hierarchical but the names are not, we can never move to hierarchical names.15:32
ayoungit blocks us15:32
openstackgerritDave Chen proposed openstack/keystone: Move endpoint_filter migrations into keystone core  https://review.openstack.org/18698815:32
openstackgerritDave Chen proposed openstack/keystone: Move endpoint filter into keystone core  https://review.openstack.org/18337715:32
henrynashayoung: maybe I’m being dumb, but how?15:32
ayoungand a local change having  globally side effects will lead to security issues15:32
ayoungit effectively breaks the encapsulation of our scoped RBAC15:32
ayoungand I want to get you where you need to be on this...so I am not blocking, I am activekly tyring to solve15:33
samueldmqhenrynash: please let me know what you think about my proposal above, I think we need to consider it as a strong option :)15:33
samueldmqhenrynash: my proposal/the idea you had too :)15:33
ayounghenrynash, lets define the burning problem you are trying to solve here.  Is it "let a customer add and manage their own users?"15:34
ayounghenrynash, here is a really dumb idea...tell me if you like it15:35
ayounglets assume we scewed the pooch on domain names15:35
henrynashsamueldmq: so the only issue I do have with that is that you must now explictely ask for a domain token..mayeb that’s ok, but wonder ow long to get support for it15:35
ayoungwe should have limited the charachters, but we didn't15:35
ayoungso...15:35
ayounglets add a new value...domain URL15:35
ayoungdomain URLS must be nestable15:35
ayoungnames are only usable for top level domains.15:36
samueldmqhenrynash: that way you'd have to explicitly ask for an is-domain project scoped token (domain token); but thta's what we do today already15:36
samueldmqhenrynash: + the facility of handling it on other projects + policies15:36
*** jaosorior has quit IRC15:36
ayoungin order to get a token for a subdomain, you set OS_USER_DOMAIN_URL=http://keystone:443/v3/doms/parent/child1/child215:36
*** jaosorior has joined #openstack-keystone15:36
samueldmqhenrynash: and is a smaller step for now; making it less confusing15:37
henrynashsamueldmq: understand what you are suggesting, let me mull on it15:37
*** tjcocozz_ has quit IRC15:37
ayounghenrynash, alternatively...we can add a config option the restricts domain names to the safe segment of a URL, and then in order to have nested domains..URL again....15:38
samueldmqhenrynash: glad you got it, yes please mull on it a bit more; as it definitely makes sense to me :)15:38
ayoungbut using the exisiting env vars15:39
samueldmqhenrynash: thanks15:39
henrynashayoung: and where is this URL specified…in the auth call?15:39
ayounghenrynash, yes15:40
mhickeyHey. Does anyone know what modulw I need to include to get config items :'auth_section' and 'auth_plugin'?15:40
ayounghenrynash, if we can make domain naming hierarchical, all my objects melt away15:40
mhickey*module*15:40
*** stevemar_ has joined #openstack-keystone15:40
*** ChanServ sets mode: +o stevemar_15:40
ayoungas that allows names to stay global, without bleed over15:40
openstackgerritAjaya Agrawal proposed openstack/keystone: remove assignments when deleting a domain  https://review.openstack.org/12743315:40
ayoungmhickey, keystonemiddleware.auth15:41
*** adelia has joined #openstack-keystone15:41
henrynashayoung: (just making sure I understand the scope of the change you are suggesting) - so we would add an alternate scope option to auth which allowed domain_url rather than domain_name (and ID)15:42
mhickeyayoung: thanks. :)15:42
ayounghenrynash, I would suggest that, but it would cause serious retooling.  I tjhink that we need to make domkain names fit into a URL scheme15:42
ayounghenrynash, so, let me find the right term...15:43
*** adelia has quit IRC15:43
*** tjcocozz_ has joined #openstack-keystone15:44
sborkowsHi, I have a problem with accessing keystone through python client. The listing: http://paste.openstack.org/show/479266/ . The token was generated by 'keystone token-get' from admin account. However, when I typed 'keystone user-list' in terminal I got normal response with 5 users. What am I doing wrong?15:45
*** annasort_ has quit IRC15:54
*** jerrygb has joined #openstack-keystone15:57
*** hrou has joined #openstack-keystone15:58
*** fhubik has quit IRC15:58
*** daemontool has quit IRC15:58
*** daemontool has joined #openstack-keystone15:59
openstackgerrithenry-nash proposed openstack/keystone-specs: Enable retrieval of default values of domain config options  https://review.openstack.org/18565015:59
samueldmqwould a documentation on keystone dev docs to list our current gate jobs16:02
henrynashsamuedlmq: so just trying to (re-understand) what you are suggesting….we already saying we will add is_domain to the token, so that part (and whether policy files let callers create VMs in projects acting as a domain) is already covered16:02
samueldmqand to show what each one is supposed to test16:02
samueldmqwould that be useful ?16:02
samueldmqbknudson_: dstanek ? ^16:02
henrynashsamueldmq: I assume the new bit youare suggetsing is that teh auth request must have is_domain in it?16:02
samueldmqhenrynash: so with a project scoped token with is_domain=true, is one expected to execute only domain actions or domain+project actions16:05
henrynashsameuldmq: that’s up to how people write their policy rule16:05
henrynashsameuldmq: this is already what we are proposing16:05
samueldmqhenrynash: I agree, so let's add is_domain in the token request16:06
samueldmqhenrynash: what I propose is to NOT be able to get a project scoped token (without is_domain in the token request) for an is-domain project16:06
henrynashsamueldmq: and is your suggestion taht you MUST provide is_domain=True in order to get a project toke on a project acting as a domain?16:06
samueldmqhenrynash: yes that's it16:06
henrynashright!16:06
samueldmqhenrynash: that way there is NO confusion at all16:07
samueldmqhenrynash: this is a new special type of project, and there is a new special type of request for tokens on it16:07
henrynashsamuedlmq: my anuease that we have a special type of tolen requst/response today (its called a domain request) and it’s taken us yeards to get anyone to use it!16:08
*** rcernin has quit IRC16:09
samueldmqhenrynash: domains are different than projects, so we need a difference in the token request16:09
openstackgerritAjaya Agrawal proposed openstack/keystone: remove assignments when deleting a domain  https://review.openstack.org/12743316:09
samueldmqhenrynash: we have been having this since we introduced domain16:09
samueldmqhenrynash: but now, we are making the token request and the token response much closer to a project one (which people already support)16:10
samueldmqhenrynash: so it will be much easier for adoption imo16:10
henrynashsamuedlmq: I know, and I guess conceptaiully I want to remove this difference unless you NEED to know….and if you ahve a role on a project acting as a domain, you should just ask for a project scoped token on it16:10
openstackgerrithenry-nash proposed openstack/keystone: Use list_role_assignments to get projects/domains for user  https://review.openstack.org/24251316:11
*** wuhg has quit IRC16:11
ayounghenrynash, lets add a config option that limits domain names to path segments.  Any domain name that does not meet that criteria will be conisdered invalid16:12
openstackgerrithenry-nash proposed openstack/keystone: Show defect in list_user_ids that only lists direct user assignments  https://review.openstack.org/24256416:12
ayoungthen we can make domain names into URLs16:12
*** sthillma has joined #openstack-keystone16:13
henrynashayoung: meaning you can’t have ‘/‘ in a domain name, I assume16:13
ayounghenrynash, at least that, yes16:13
ayounghenrynash, plus any other non-url safe characters16:13
ayoungno @16:13
ayoungno ?16:13
samueldmqhenrynash: does that make sense to completely remove that difference ? I mean, projects and domains have different entities and responsabilities16:13
samueldmqhenrynash: I still think keeping domains for identity and projects for other openstack resources is a good thing, but making the auth requests/responses close is a great step torwards adoption16:14
henrynashayoung: and on migration, if we find a bad character we…….? change it?16:14
ayounghenrynash, no migration.  It is a config option.  If it is set, and a domain does not match it, treat the domain as disabled16:15
ayounghenrynash, we could do that for all names...call it "strict_url_checking" ...16:15
ayounghenrynash, so, in order to get hierarchical domains, you need to have that option set16:16
henrynashayoung: ouch! I see what this might be a good thing in the longer run…would this config switch by on or off by default!!?!?!?16:16
*** david8hu has quit IRC16:16
ayoungoff by default16:17
henrynashok, get that16:17
*** yangyapeng has quit IRC16:17
ayounghenrynash, it means that people who want hierarchical domains have to opt in, and do the due dilligence prior to enabling16:17
henrynashand how do you acually speciify the url…just in the domain name attribute in the scope of he auth request?16:17
ayounghenrynash, and...with that option, domain names are globally unique without breaking RBAC16:18
ayounghenrynash, the domain name value would then be either the full URL or the relative URL from http://hostname:port/v3/domains  I would thing16:18
ayoungthink16:18
henrynashayoung: Oh! You’re saying we actually store the url-style name in the entity16:19
*** wolsen has joined #openstack-keystone16:19
henrynashayoung: or maybe not?16:19
ayounghenrynash, right, we restrict domain.name to be a proper url-fgragment, and then the name is the full path16:19
*** edmondsw has quit IRC16:19
ayoungwe can use DOMAIN_URL if we want to do it as a proper URL in the future...name should be the relative URL I think, from  http://hostname:port/v3/domains16:20
*** Ephur has joined #openstack-keystone16:20
*** fawadkhaliq has quit IRC16:20
henrynashayoung: just to be clear, in the domain entity we store the just the fragment of the url (i.e. a simple name), and then the requeust uses a “url”?16:20
ayounghenrynash, not quite16:21
henrynashayoung: or the entity name is the “url from the root"16:21
ayounghenrynash, "in the domain entity we store the just the fragment of the url"  yes16:21
ayoungand then the domain name is the fully composed name from parent to node16:21
ayoungso if the top level domain is "customers"16:21
ayoungand the subdomain is "pepsi"16:21
ayoungthe domain name is "customers/pepsi"16:22
henrynashayoung: “customers/pepsi “is what is stored ias the project name n the project acting as a domain that is pepsi16:22
*** dims_ has joined #openstack-keystone16:22
ayounghenrynash, so in the SQL entry domain_name="pepsi"16:23
*** urulama has quit IRC16:23
*** urulama has joined #openstack-keystone16:23
henrynashayoung: Ok16:23
*** dims has quit IRC16:24
*** belmoreira has quit IRC16:24
*** exploreshaifali has joined #openstack-keystone16:25
henrynashayoung: so I get what you are suggesting, and so just let me go back to understand why you think the current proposal (e.e. without hierarchical naming) kills our future16:27
openstackgerritAjaya Agrawal proposed openstack/keystone: removed conflict wrapper on delete_project  https://review.openstack.org/24701716:27
*** jbell8 has joined #openstack-keystone16:27
openstackgerritHenrique Truta proposed openstack/keystone: Bye Bye Domain Table  https://review.openstack.org/16185416:28
openstackgerritHenrique Truta proposed openstack/keystone: Remove domain table references  https://review.openstack.org/16593616:28
henrynashayoung: is that that you think we couldn’t migrate to a more restrictive scheme (like you are suggetsing), or that it is that once people get used to being able to just speciify a simple name (and it will find the doamin whatever level it is), then we’ll never be able to wean them off it>16:28
henrynash?16:28
*** edmondsw has joined #openstack-keystone16:28
ayounghenrynash, ok...so the first is closer.  The issue is that if we allow people to make changes that can have global effects based on a project or domain scoped token, we are breaking the RBAC side of things.  It means that we can't let a user ever have admin on a project, as they could then allocate a domain name we don;t want them to have16:30
ayoungif admin means "you can assign all roles to a user on this project"16:30
ayoungand one of those roles is "you can create a subdomain"16:30
ayoungthen any admin user can create any domain name, and we are back in the land of 96869616:31
henrynash(thinking)16:31
henrynash(it’s a slow process)16:32
*** sthillma has quit IRC16:32
henrynashayoung: Ok, i get your specific concern…let me think on it for an hour or two16:33
ayounghenrynash, I really like the idea of URLs as our primary tool for naming.  Making it an opt-in is a powerful incentive16:34
henrynashayoung: I do agree with that…i16:34
ayoungI bet that most things domain names will work fine.  So, we should have a plan to help those few that don't16:35
*** roxanaghe has joined #openstack-keystone16:36
aj2Hi henrynash. Regarding 127433, If we put the method delete_domain_assignments in V9 driver, then how do we backport it to Kilo?16:39
ayounghenrynash, it still means only domaiuns under domains16:39
slbergerI am doing testing trying to upgrade keystone from kilo to liberty, and everything is going good but I get an error with verifying the certificate when using the keystone client, which is an updated version of what was being previously used: was 1.3 now 1.6.  I don't get this error with the openstack client or if I use --insecure or define the path to the certificate in the keystone client call.16:39
slbergerIs this just new functionality from the keystone client or is there something that must be set in keystone now that it is at liberty?16:39
aj2I apologize if I am interrupting.16:39
henrynashaj2: hmm…I think you’d have to manually port it into the (non versioned ) driver in Kilo16:40
henrynashaj2: sorry, have to drop off, be back on line later16:41
*** henrynash has quit IRC16:41
sborkowsHi, I have a problem with accessing keystone through python client. The listing: http://paste.openstack.org/show/479266/ . The token was generated by 'keystone token-get' from admin account. However, when I typed 'keystone user-list' in terminal I got normal response with 5 users. What am I doing wrong?16:42
notmorganaj2: what henrynash said is correct. for backporting to non-versioned driver(s), it's just manual.16:44
*** EinstCrazy has quit IRC16:46
*** slberger1 has joined #openstack-keystone16:46
*** jbell8 has quit IRC16:47
*** slberger has quit IRC16:48
aj2notmorgan, Do you think it is a good candidate for backporting to Kilo and Liberty?16:49
notmorganaj2: i hve not looked at the code16:49
notmorganaj2: so not sure.16:49
aj2https://review.openstack.org/#/c/12743316:49
aj2Please have a look if you have some time.16:49
*** pumaranikar has quit IRC16:50
openstackgerritAjaya Agrawal proposed openstack/keystone: Removed conflict wrapper on delete_project  https://review.openstack.org/24701716:50
*** pumaranikar has joined #openstack-keystone16:50
*** petertr7 is now known as petertr7_away16:52
*** fawadkhaliq has joined #openstack-keystone16:54
*** fawadkhaliq has quit IRC16:55
*** fawadkhaliq has joined #openstack-keystone16:55
openstackgerritAjaya Agrawal proposed openstack/keystone: remove assignments when deleting a domain  https://review.openstack.org/12743316:56
*** belmoreira has joined #openstack-keystone16:58
*** tjcocozz_ has quit IRC16:58
*** stevemar_ has quit IRC16:59
*** sborkows has quit IRC16:59
*** e0ne has quit IRC17:01
*** lhcheng has joined #openstack-keystone17:01
*** ChanServ sets mode: +v lhcheng17:01
*** lhcheng_ has joined #openstack-keystone17:02
*** lhcheng has quit IRC17:02
*** mylu has joined #openstack-keystone17:03
*** mylu has quit IRC17:05
*** lhcheng_ is now known as lhcheng17:05
*** ChanServ sets mode: +v lhcheng17:05
*** mylu has joined #openstack-keystone17:05
kfox1111any idea why I might see this: http://pastebin.com/q46evsZU17:06
kfox1111trying to do a keystone tenant-list on the cli.17:07
kfox1111same happens with an 'openstack project list'17:08
bknudson_samueldmq: I don't think it would be useful to document in keystone what the jobs are. the jobs are defined in infra not in keystone17:08
bknudson_we could have a link in the keystone dev docs to infra docs17:08
*** akanksha_ has quit IRC17:08
kfox1111or just a 'keystone token-get'17:09
*** petertr7_away is now known as petertr717:09
*** mylu has quit IRC17:10
*** sileht has quit IRC17:10
*** sileht has joined #openstack-keystone17:11
*** jistr has quit IRC17:11
*** mylu has joined #openstack-keystone17:12
dstanekkfox1111: that looks like a bug. what version are you using?17:15
*** mylu has quit IRC17:16
kfox1111openstack-keystone-8.0.0-1.el7.noarch17:18
*** henrynash has joined #openstack-keystone17:18
*** ChanServ sets mode: +v henrynash17:18
kfox1111trying it in apache.17:18
*** opilotte has joined #openstack-keystone17:19
*** daemontool has quit IRC17:20
*** browne has joined #openstack-keystone17:20
*** gyee has joined #openstack-keystone17:20
*** ChanServ sets mode: +v gyee17:20
*** mylu has joined #openstack-keystone17:20
*** exploreshaifali has quit IRC17:22
*** exploreshaifali has joined #openstack-keystone17:23
*** tyagiprince has joined #openstack-keystone17:23
*** belmoreira has quit IRC17:25
henrynashaj2: hi17:27
henrynashaj2: just checking if you have any other questions on that driver interface17:27
*** tyagiprince has quit IRC17:27
kfox1111dstanek: any idea what may be wrong?17:29
*** stevemar_ has joined #openstack-keystone17:31
*** ChanServ sets mode: +o stevemar_17:31
*** tyagiprince has joined #openstack-keystone17:32
*** jaosorior has quit IRC17:33
*** david8hu has joined #openstack-keystone17:33
*** gordc has joined #openstack-keystone17:33
*** tonytan4ever has quit IRC17:33
davechenmarekd: you can pick up other two pieces from the chain now, they are in good shape now. :)17:34
dstanekkfox1111: hmm...not really. the comment in oslo.i18n is a little confusing since it talks about 2.617:35
openstackgerrithenry-nash proposed openstack/keystone-specs: Optionally return names in the list assignment API.  https://review.openstack.org/24046617:35
*** mylu has quit IRC17:35
*** mylu has joined #openstack-keystone17:36
*** urulama has quit IRC17:36
*** mylu has quit IRC17:36
tyagiprincechirag: yes chirag.. paste the logs in pastebin..17:36
kfox1111ah.... think I figured it out...17:36
kfox1111strace showed it trying to open the cert file for the ldap server and not finding it.17:36
*** urulama has joined #openstack-keystone17:36
tyagiprincechirag: does glance image-list works??17:37
henrynashdstanek, notmorgan: sorry to bug, but could do with your combined wisdom on https://review.openstack.org/#/c/242853/ since there are a number of changes building up needing a new V9 assignment driver17:39
dstanekkfox1111: it's bad that the error doesn't bubble up17:40
dstanekkfox1111: i tried to quickly reproduce form the command line but couldn't - http://pastebin.com/EXE9VY3P17:40
*** tyagiprince1 has joined #openstack-keystone17:40
*** tyagiprince has quit IRC17:41
*** tyagiprince1 is now known as tyagiprince17:41
dstanekkfox1111: i'll see if i can setup the same case that you had. was the cert not found because it didn't exist or was it a permissions thing?17:41
dstanekhenrynash: sure i can take a look. i think it's already on my list for today anyway17:42
henrynashdtsanek: great, thanks!17:42
henrynashdstanek: great, thanks!17:43
*** jbell8 has joined #openstack-keystone17:44
*** exploreshaifali has quit IRC17:47
openstackgerritayoung proposed openstack/keystone: Implied Roles  https://review.openstack.org/24261417:47
*** exploreshaifali has joined #openstack-keystone17:48
*** aix has quit IRC17:51
*** petertr7 is now known as petertr7_away17:53
*** jerrygb_ has joined #openstack-keystone17:54
*** shaleh has joined #openstack-keystone17:54
*** jerrygb_ has quit IRC17:54
*** jerrygb_ has joined #openstack-keystone17:55
kfox1111dstanek: I have a file: /etc/keystone/domains/keystone.Default.conf17:55
kfox1111in it is an ldap domain, with:17:56
kfox1111use_tls                  = True17:56
kfox1111tls_cacertfile           = /etc/openldap/certs/pnnlca02r3.cer17:56
kfox1111the cacertfile didn't exist.17:56
*** tyagiprince1 has joined #openstack-keystone17:56
*** jerrygb has quit IRC17:57
*** EinstCrazy has joined #openstack-keystone17:58
*** jerrygb_ has quit IRC17:59
*** tyagiprince has quit IRC17:59
*** tyagiprince1 is now known as tyagiprince17:59
*** jerrygb_ has joined #openstack-keystone18:01
*** jerrygb_ has quit IRC18:01
*** itlinux has joined #openstack-keystone18:01
*** jerrygb_ has joined #openstack-keystone18:01
*** mylu has joined #openstack-keystone18:04
*** belmoreira has joined #openstack-keystone18:04
*** EinstCrazy has quit IRC18:05
*** daemontool has joined #openstack-keystone18:05
*** mylu has quit IRC18:05
*** belmoreira has quit IRC18:05
*** mylu has joined #openstack-keystone18:06
*** tyagiprince has quit IRC18:06
*** tyagiprince1 has joined #openstack-keystone18:06
ayounghenrynash, reviewed.18:06
*** tyagiprince1 is now known as tyagiprince18:08
*** mylu has quit IRC18:10
*** mylu has joined #openstack-keystone18:11
*** mylu has quit IRC18:11
*** lhinds has joined #openstack-keystone18:12
*** mylu has joined #openstack-keystone18:12
*** mylu has quit IRC18:13
*** mylu has joined #openstack-keystone18:13
*** lhinds has left #openstack-keystone18:13
*** e0ne has joined #openstack-keystone18:15
*** tonytan4ever has joined #openstack-keystone18:15
*** daemontool has quit IRC18:16
*** jerrygb_ has quit IRC18:17
samueldmqbknudson_: something like : tempest-dsvm-whatever; this job runs on this and that condition and ensures keystone isn't introducing a regression that affects tempest tests, etc18:20
samueldmqbknudson_: I mean, describing what benefit having those jobs bring to keystone18:21
*** fawadkhaliq has quit IRC18:21
*** tyagiprince has quit IRC18:22
*** tyagiprince has joined #openstack-keystone18:23
samueldmqstevemar_: marekd: hey, iurygregory is working on federation scripts for puppet-keystone18:24
samueldmqstevemar_: marekd: puppet folks (cc crinkle ) are looking at the change from a puppet point of view18:25
samueldmqstevemar_: marekd: it'd be nice to have your expertise on federation and evaluate that patch from a federation point of view too18:25
samueldmqstevemar_: marekd: if you don't mind: https://review.openstack.org/#/c/216821/18:25
*** pnavarro has quit IRC18:27
*** ayoung has quit IRC18:27
*** mylu has quit IRC18:28
*** mylu has joined #openstack-keystone18:29
openstackgerritAjaya Agrawal proposed openstack/keystone: Remove assignments when deleting a domain  https://review.openstack.org/12743318:30
*** tyagiprince1 has joined #openstack-keystone18:31
*** tyagiprince has quit IRC18:33
*** tyagiprince1 is now known as tyagiprince18:33
*** timcline has quit IRC18:33
*** mylu has quit IRC18:34
*** timcline has joined #openstack-keystone18:35
*** tonytan4ever has quit IRC18:37
*** jerrygb has joined #openstack-keystone18:44
*** petertr7_away is now known as petertr718:45
mhickeyHey. I tried the following 'namespace = keystonemiddleware.auth; to include 'auth_section' and 'authplugin' config items when generating config file using oslo generation. However, the module inclusion does not generate any config items. Anyone know what might be going wrong?18:52
*** timcline has quit IRC18:53
*** timcline has joined #openstack-keystone18:53
*** tyagiprince1 has joined #openstack-keystone18:54
*** tonytan4ever has joined #openstack-keystone18:55
*** tyagiprince has quit IRC18:57
*** tyagiprince1 is now known as tyagiprince18:57
*** mylu has joined #openstack-keystone18:59
*** petertr7 is now known as petertr7_away19:00
*** doug-fis_ has joined #openstack-keystone19:00
*** mylu has quit IRC19:01
*** mylu has joined #openstack-keystone19:01
*** doug-fi__ has joined #openstack-keystone19:03
*** mylu_ has joined #openstack-keystone19:04
*** doug-fish has quit IRC19:04
mhickeyI have tried 'keystoneclient.auth.conf' as well but no good either even though it is defined in keystoneclient/auth/conf.py19:04
*** doug-fi__ has quit IRC19:04
*** tyagiprince has quit IRC19:04
*** Guest12059 is now known as med_19:04
*** mylu has quit IRC19:04
*** med_ has quit IRC19:04
*** med_ has joined #openstack-keystone19:04
*** tyagiprince1 has joined #openstack-keystone19:04
*** doug-fish has joined #openstack-keystone19:04
*** doug-fish has quit IRC19:04
*** doug-fis_ has quit IRC19:05
*** doug-fish has joined #openstack-keystone19:05
*** harlowja has quit IRC19:05
stevemar_samueldmq: i'll take a peek19:06
*** doug-fish has quit IRC19:06
*** doug-fish has joined #openstack-keystone19:07
*** tyagiprince1 is now known as tyagiprince19:07
stevemar_mhickey: you have a change up for review?19:07
samueldmqstevemar_: thanks! I appreciate your time19:07
*** itlinux_ has joined #openstack-keystone19:07
mhickeystevemar_: yes; trying to close out wip. missing the above config items! :)19:08
*** harlowja has joined #openstack-keystone19:08
*** itlinux has quit IRC19:08
*** ChanServ sets mode: +o dolphm19:10
*** mylu_ has quit IRC19:11
*** mylu has joined #openstack-keystone19:11
stevemar_mhickey: link us!19:11
mhickeystevemar_: sorry but not sure what you mean?19:12
bknudson_samueldmq: we (keystone) don't pick what the jobs are. infra does.19:16
bknudson_and they can change it any time they feel like it19:16
stevemar_mhickey: oh i thought you had an open patch that i could review19:17
*** tyagiprince1 has joined #openstack-keystone19:17
mhickeystevemar_: sorry just looking for info on config items..19:18
*** tyagiprince has quit IRC19:19
*** tyagiprince1 is now known as tyagiprince19:19
samueldmqbknudson_: okay, I thought it was we that proposed o add/remove jobs19:20
stevemar_mhickey: try #openstack-oslo or ping dims_19:20
stevemar_will a wild dims_ appear?19:20
* dims_ says your wish is my command sir!19:21
*** petertr7_away is now known as petertr719:21
*** doug-fish has quit IRC19:22
*** browne has quit IRC19:22
*** doug-fish has joined #openstack-keystone19:23
*** bapalm has quit IRC19:23
*** tjcocozz has quit IRC19:23
mhickeystevemar_: thanks Steve. Just chatting to dims_ on oslo channel19:25
openstackgerritMerged openstack/keystone-specs: Accepts Group IDs from the IdP without domain  https://review.openstack.org/21630819:25
*** bapalm has joined #openstack-keystone19:26
*** tjcocozz has joined #openstack-keystone19:26
*** tyagiprince has quit IRC19:29
openstackgerritSean Perry proposed openstack/keystone: Clean up new_credential_ref usage and surrounding code  https://review.openstack.org/24671319:33
*** LukeHinds has quit IRC19:36
shalehstevemar_: I replied to your question about the deletes on my project_ref review. This is more of the unexpected optional values stuff. Since the tests created their refs locally there was quite a bit of inconsistency.19:40
*** aj2 has quit IRC19:40
shalehstevemar_: I can either lop off the values like I was or attempt to fix the tests.19:40
*** mylu has quit IRC19:42
stevemar_shaleh: coolio19:42
stevemar_shaleh: oh, pfft19:43
*** mylu has joined #openstack-keystone19:43
stevemar_shaleh: you can lop them off, just leave a TODO comment saying the test needs to be fixed19:43
shalehstevemar_: long term I am down with bknudson's suggestion of dropping optional values completely19:43
stevemar_shaleh: when i was reviewing i was surprised, so just needed some context there19:44
shalehstevemar_: I appreciate. People kept asking about the deletes in places. All of them were to bypass test issues. LDAP in particular went crazy when 'description' was present.19:45
*** ayoung has joined #openstack-keystone19:45
*** ChanServ sets mode: +v ayoung19:45
shalehstevemar_: I refreshed the credential ref patchset. Should be what you were looking for19:46
*** gildub_ has joined #openstack-keystone19:46
*** jasonsb has quit IRC19:55
*** itlinux_ has quit IRC19:59
*** itlinux has joined #openstack-keystone20:02
*** peter-hamilton has quit IRC20:06
*** NM has quit IRC20:09
*** petertr7 is now known as petertr7_away20:09
*** itlinux has quit IRC20:10
*** itlinux has joined #openstack-keystone20:11
*** e0ne has quit IRC20:13
*** NM has joined #openstack-keystone20:17
*** mylu has quit IRC20:17
*** mylu has joined #openstack-keystone20:18
openstackgerritRon De Rose proposed openstack/keystone-specs: Shadow users: unified identity  https://review.openstack.org/24059520:18
*** ccard has quit IRC20:19
*** mylu_ has joined #openstack-keystone20:20
ayoungsamueldmq, shaleh, bknudson_ https://review.openstack.org/#/c/240719/  please.  That might be the most important review of the release.  Would love to get it beat on early.20:21
ayounglbragstad, you too ^^20:21
*** mylu has quit IRC20:21
openstackgerritMerged openstack/keystone: Fix inaccurate debug mode response  https://review.openstack.org/23863620:21
samueldmqayoung: will look for sure20:21
*** mylu_ has quit IRC20:22
samueldmqlbragstad: looking at your patch now (assignments cache)20:22
shalehayoung: so this is the code to implement the project blessed as the admin project?20:22
*** mylu has joined #openstack-keystone20:22
ayoungshaleh, yep20:22
openstackgerritRon De Rose proposed openstack/keystone-specs: Shadow users: unified identity  https://review.openstack.org/24059520:23
*** petertr7_away is now known as petertr720:24
*** mylu_ has joined #openstack-keystone20:24
lbragstaddolphm stevemar_ @all ZOMG! https://review.openstack.org/#/c/231191/520:24
*** mylu has quit IRC20:25
*** ccard has joined #openstack-keystone20:25
shalehlbragstad: high five!20:25
lbragstadI'm so excited to see that ^ my hands are sweating20:26
* lbragstad wonders if that's normal20:26
*** henrynash has quit IRC20:27
*** henrynash has joined #openstack-keystone20:28
*** ChanServ sets mode: +v henrynash20:28
*** itlinux has quit IRC20:33
samueldmqlbragstad: left a comment on #21571520:34
samueldmqlbragstad: just a few more cases and we're good to go!20:34
samueldmqlbragstad: thanks for working on that20:34
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/24710720:35
*** lhcheng has quit IRC20:35
*** harlowja has quit IRC20:36
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/24711320:39
*** harlowja has joined #openstack-keystone20:41
openstackgerritSean Perry proposed openstack/keystone: Use unit.new_project_ref consistently  https://review.openstack.org/24452320:43
*** tonytan4ever has quit IRC20:45
stevemar_lbragstad: what i miss?!20:45
stevemar_ohhh https://review.openstack.org/#/c/231191/520:45
stevemar_dayuuum20:46
lbragstadstevemar_ we should be able to retrigger bknudson_ 's patch to flip fernet as the default in devstack20:46
lbragstadafter that merges20:46
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/24711320:47
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/24392520:47
stevemar_lbragstad: dolphm i'm gonna start starring things ! https://gist.github.com/stevemart/46d664e486e2edce497220:47
*** jasonsb has joined #openstack-keystone20:50
*** jasonsb has quit IRC20:50
openstackgerritOpenStack Proposal Bot proposed openstack/oslo.policy: Updated from global requirements  https://review.openstack.org/24714020:50
*** itlinux has joined #openstack-keystone20:51
*** jasonsb has joined #openstack-keystone20:51
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/24715420:51
*** EinstCrazy has joined #openstack-keystone20:58
*** mhickey has quit IRC21:00
*** openstack has joined #openstack-keystone21:03
*** EinstCrazy has quit IRC21:03
*** tonytan4ever has joined #openstack-keystone21:03
*** alejandrito has quit IRC21:04
*** itlinux has quit IRC21:05
*** petertr7 is now known as petertr7_away21:08
*** e0ne has joined #openstack-keystone21:09
*** petertr7_away is now known as petertr721:09
*** pumaranikar has quit IRC21:09
*** pumaranikar has joined #openstack-keystone21:10
*** jistr has joined #openstack-keystone21:10
*** jerrygb_ has joined #openstack-keystone21:12
*** NM has quit IRC21:12
*** jerrygb has quit IRC21:15
*** mylu_ has quit IRC21:15
*** raildo is now known as raildo-afk21:15
*** jerrygb_ has quit IRC21:22
*** jerrygb_ has joined #openstack-keystone21:23
*** lhcheng has joined #openstack-keystone21:24
*** ChanServ sets mode: +v lhcheng21:24
*** breitz1 is now known as breitz21:25
*** tonytan4ever has quit IRC21:25
*** jerrygb__ has joined #openstack-keystone21:26
shalehcredential_id = hashlib.sha256(blob['access']).hexdigest() <--- That line of code is failing the py34 gate now. All I did was move it from one file to a different one. The complaint is that you cannot hash a unicode string it needs to be bytes. Why is this triggering now?21:27
*** jerrygb__ has quit IRC21:27
*** pauloewerton has quit IRC21:28
*** tonytan4ever has joined #openstack-keystone21:28
*** jerrygb has joined #openstack-keystone21:28
*** jerrygb_ has quit IRC21:28
dstanekshaleh: was it being tested before? or was blob['access'] bytes in the other file?21:30
*** e0ne has quit IRC21:31
shalehI moved code from test_v3_credential.py to core.py in tests/unit. No fundamental change, just pulled them up to a top level function21:31
*** opilotte_ has joined #openstack-keystone21:33
dstanekmaybe is wasn't being executed before21:34
dstanekdo you have a link to the review?21:34
*** opilotte_ has quit IRC21:35
shalehdstanek: https://review.openstack.org/#/c/246713/21:36
*** urulama has quit IRC21:36
shalehas expected if I call .encode() on the data the test passes. It fails under py27 because a test depends on the order of a dictionary. Sigh.21:36
shalehlooks like the popular '' v. u'' issue21:37
shalehyay21:37
dstanekshaleh: some of the files you are changing are not tested on 3.4 yet because they don't work21:38
shalehdstanek: what controls that?21:39
dstanektox.ini21:39
shalehdstanek: and it looks like i get to make it work now :-)21:39
shalehdstanek: BTW, how goes your speedup branch?21:39
dstaneknot terrible....i'm hacking on it now. some things that merged while i was on vacation are giving me a little trouble21:40
dstanekgonna grab some dinner now, but i'll be back on in a few hours21:40
*** jistr has quit IRC21:41
*** opilotte has quit IRC21:41
*** opilotte has joined #openstack-keystone21:42
*** mylu has joined #openstack-keystone21:42
openstackgerrithenry-nash proposed openstack/keystone-specs: Domain Specific Roles  https://review.openstack.org/22666121:45
*** opilotte has quit IRC21:45
openstackgerritSteve Martinelli proposed openstack/keystone-specs: do not review, test  https://review.openstack.org/24719021:46
*** e0ne has joined #openstack-keystone21:47
*** NM has joined #openstack-keystone21:47
*** e0ne has quit IRC21:50
*** ayoung has quit IRC21:54
*** muralia has joined #openstack-keystone21:58
*** jerrygb has quit IRC22:00
muraliaHi, Can someone tell me how I can generate a trust token using the openstack CLI? I have a trust_id and want to generate the trust token.22:01
*** opilotte has joined #openstack-keystone22:02
*** lhcheng has quit IRC22:04
*** mylu has quit IRC22:06
*** mylu has joined #openstack-keystone22:07
*** doug-fish has quit IRC22:10
*** mylu has quit IRC22:11
*** lhcheng has joined #openstack-keystone22:15
*** ChanServ sets mode: +v lhcheng22:15
openstackgerritSean Perry proposed openstack/keystone: Clean up new_credential_ref usage and surrounding code  https://review.openstack.org/24671322:17
*** davechen has quit IRC22:22
*** mylu has joined #openstack-keystone22:24
*** mylu has quit IRC22:26
*** mylu has joined #openstack-keystone22:27
*** jasonsb has quit IRC22:28
*** jasonsb has joined #openstack-keystone22:30
*** mylu has quit IRC22:31
*** mylu has joined #openstack-keystone22:33
openstackgerritSean Perry proposed openstack/keystone: Use unit.new_project_ref consistently  https://review.openstack.org/24452322:34
*** petertr7 is now known as petertr7_away22:35
*** mylu has quit IRC22:36
*** mylu has joined #openstack-keystone22:36
*** browne has joined #openstack-keystone22:39
*** tonytan4ever has quit IRC22:40
*** browne has quit IRC22:41
*** mylu has quit IRC22:41
*** mylu has joined #openstack-keystone22:42
*** mylu has quit IRC22:45
*** mylu has joined #openstack-keystone22:46
*** henrynash has quit IRC22:46
*** csoukup has quit IRC22:48
*** edmondsw has quit IRC22:49
*** ayoung has joined #openstack-keystone22:50
*** ChanServ sets mode: +v ayoung22:50
*** mylu has quit IRC22:50
*** gordc has quit IRC22:50
*** topol has quit IRC22:57
*** topol has joined #openstack-keystone22:57
*** ChanServ sets mode: +v topol22:57
*** topol has quit IRC23:01
*** jerrygb has joined #openstack-keystone23:05
*** jerrygb has quit IRC23:09
*** mylu has joined #openstack-keystone23:10
*** jerrygb has joined #openstack-keystone23:14
*** pumaranikar has quit IRC23:16
openstackgerritBrant Knudson proposed openstack/keystone: Config option for insecure responses  https://review.openstack.org/20722623:17
*** slberger1 has left #openstack-keystone23:18
*** timcline has quit IRC23:30
*** mylu has quit IRC23:38
*** mylu has joined #openstack-keystone23:40
*** mylu has quit IRC23:42
*** mylu has joined #openstack-keystone23:42
*** mylu has quit IRC23:44
*** mylu has joined #openstack-keystone23:44
openstackgerritSean Perry proposed openstack/keystone: Clean up new_credential_ref usage and surrounding code  https://review.openstack.org/24671323:45
*** gildub_ has quit IRC23:51
« Tuesday, 2015-11-17 Index Thursday, 2015-11-19 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!