Monday, 2015-11-30

*** openstack has joined #openstack-keystone		14:13
*** openstack has quit IRC		14:13
*** openstack has joined #openstack-keystone		14:16
*** openstack has quit IRC		14:16
*** openstack has joined #openstack-keystone		14:21
*** openstack has quit IRC		14:22
*** openstack has joined #openstack-keystone		14:23
*** openstack has joined #openstack-keystone		14:26
*** openstack has quit IRC		14:26
*** openstack has joined #openstack-keystone		14:35
-wolfe.freenode.net- [freenode-info] channel flooding and no channel staff around to help? Please check with freenode support: http://freenode.net/faq.shtml#gettinghelp		14:35
*** tjcocozz has quit IRC		14:36
*** openstack has joined #openstack-keystone		15:43
*** flaper87 has joined #openstack-keystone		15:46
*** ayoung has quit IRC		15:47
*** e0ne has joined #openstack-keystone		15:48
*** topol has joined #openstack-keystone		15:49
*** ChanServ sets mode: +v topol		15:49
*** dims has joined #openstack-keystone		15:49
*** roxanaghe has joined #openstack-keystone		15:50
*** martinus__ has quit IRC		15:50
openstackgerrit	Alexander Makarov proposed openstack/keystone: SQLAlchemy column type for materialized path https://review.openstack.org/251445	15:53
*** agireud has joined #openstack-keystone		15:53
*** martinus__ has joined #openstack-keystone		15:53
*** roxanaghe has quit IRC		15:54
*** jistr has quit IRC		15:57
*** jdennis has joined #openstack-keystone		15:58
*** jasondotstar has joined #openstack-keystone		15:58
*** richm has joined #openstack-keystone		15:58
*** slberger has joined #openstack-keystone		16:00
*** e0ne has quit IRC		16:02
*** ayoung has joined #openstack-keystone		16:03
*** ChanServ sets mode: +v ayoung		16:03
*** gordc has joined #openstack-keystone		16:05
*** btully has quit IRC		16:05
*** btully has joined #openstack-keystone		16:07
*** pnavarro has joined #openstack-keystone		16:09
*** slberger has quit IRC		16:09
*** EinstCrazy has quit IRC		16:13
*** slberger has joined #openstack-keystone		16:15
*** arif-ali_ has joined #openstack-keystone		16:15
openstackgerrit	Alexander Makarov proposed openstack/keystone: Materialized path convenience wrapper https://review.openstack.org/251455	16:15
*** davechen has joined #openstack-keystone		16:15
*** arif-ali has quit IRC		16:15
*** openstackstatus has joined #openstack-keystone		16:15
*** ChanServ sets mode: +v openstackstatus		16:15
*** arif-ali_ is now known as arif-ali		16:15
notmorgan	stevemar, jamielennox, ping re https://review.openstack.org/#/c/245304/ would like to get that landed before we do a release (which we should do this week)	16:28
notmorgan	stevemar: also https://review.openstack.org/#/c/250476/	16:28
notmorgan	ayoung, dstanek, bknudson, would be also good to get eyes on https://review.openstack.org/#/c/249794/ so we can work with cleaning up the icky "mock things out" stuff projects like ceilometer is doing	16:29
*** chlong has joined #openstack-keystone		16:40
ayoung	notmorgan, I like easy ones like that	16:44
notmorgan	ayoung: :)	16:44
openstackgerrit	Fernando Diaz proposed openstack/keystone: Strengthen Mapping Validation in Federation Mappings https://review.openstack.org/250162	16:45
ayoung	notmorgan, why is fixture not in the test directory there?	16:45
* ayoung thought there was a reason		16:45
*** LukeHinds has quit IRC		16:46
notmorgan	ayoung: this isn't for tests in ksm	16:47
notmorgan	ayoung: this is for other services to consume	16:47
ayoung	notmorgan, notmorgan and it needs to be in the stable interface for that?	16:47
notmorgan	ayoung: yes it does	16:47
notmorgan	imo	16:47
notmorgan	because changes to that fixture will break anyone who is using it	16:47
notmorgan	so if we changed the interface we could break all tests for everyone that is using it in their tests.	16:48
ayoung	notmorgan, ++	16:48
ayoung	I thought I remembered something along those lines	16:48
notmorgan	the reason for that fixture is that ceilometer (and others) were mocking out the memcache interface (internal) for auth_token, and we changed it and broke them	16:48
ayoung	notmorgan, do my specs need to be in /mitaka before Friday, or just approved?	16:49
notmorgan	ayoung: uhhh	16:49
notmorgan	stevemar: ^ what ayoung asked	16:49
ayoung	notmorgan, I'm going with "backlog is good enough"	16:49
ayoung	I fugure approved means approved to implement, in mitaka means "we're committed"	16:49
ayoung	and wiggle room always better	16:50
notmorgan	ayoung: i dunno :P I am only doing keystone-related work right now because either a) it's the unglamorous stuff that people need fixed or b) this is so much better than the way we were/are doing it and is affecting my PoC for sub-url mounted services	16:50
ayoung	notmorgan, I was looking at HAProxy due to your post. I am not certain what it means for security. And by that, I mea strict two way, authentication	16:51
ayoung	I somehow suspect that using HAProxy is breaking TLS, and we only get away with it because we blindly trust something we shouldn't	16:51
notmorgan	nope	16:51
notmorgan	it doesn't really break TLS	16:52
notmorgan	we can proxy the SSL through if we really want to	16:52
notmorgan	but let me be clear, if HAProxy is talking TLS to the backends, and that is secure independant of user->service	16:52
notmorgan	that is also good.	16:52
notmorgan	the services requiring strict client certs isn't buying us a lot of security at the moment as long as the only ingress ot the services is via the HAProxy Balancer	16:53
ayoung	notmorgan, yeah, and that is something that no-one does, but we should require. Otherwise, datacenters become like unclorinated public swimming pools	16:53
notmorgan	and that is a fine restriction imo	16:53
notmorgan	require TLS, don't require pass-through TLS	16:53
ayoung	notmorgan, well, if HAProxy validates cerst (to include OCSP or CRL, which I'm guessing it does not) it would be fine....the more I learn about this stuff, the more I feel it is hopeless	16:53
notmorgan	if you saw i am also looking at ways to do the token validate at the edge in HAProxy	16:53
notmorgan	ayoung: yes it can	16:54
ayoung	notmorgan, don't focus on token validation	16:54
notmorgan	ayoung: you need to configure it to do so.	16:54
ayoung	its a mistake to pour more water into that boot	16:54
ayoung	we need to authenticate on each call	16:54
notmorgan	ayoung: i 100% disagree	16:54
ayoung	with a single HAProxy...	16:54
ayoung	we can make it cheap	16:54
ayoung	you just need to authenticate to HAProxy	16:54
ayoung	and that is only on the first call	16:54
notmorgan	ayoung: i still thing service-to-service is to be trusted	16:55
notmorgan	ayoung: oh yes, that is the goal.	16:55
notmorgan	i'm providing a way to make HAProxy handle that seemlessly, so we can go to a simple OAuth method long term	16:55
ayoung	notmorgan, Svc2Svc should be trusted for standard workflows.	16:55
ayoung	notmorgan, so the issue I had was that HAProxy didn't seem to handle crypto-auth	16:55
notmorgan	token auth just happens to be the PoC part, and if HAProxy can do the logic of KSM in the process, win	16:55
ayoung	either Client Certs or Kerb	16:55
notmorgan	ayoung: yeah it can. :)	16:55
*** lhcheng has joined #openstack-keystone		16:56
*** ChanServ sets mode: +v lhcheng		16:56
notmorgan	some requires some embedded lua to do it.	16:56
notmorgan	but it can totally do it	16:56
notmorgan	the client cert is baseline	16:56
notmorgan	unless you need to ask keystone questions	16:56
*** swebb has quit IRC		16:56
notmorgan	krb5 is going to be some embeded code, but also doable	16:56
ayoung	notmorgan, so, that is what I meant by "forget the tokens" I think we need to push the "ask keystone questions" off from token vlaidation...something like this:	16:57
ayoung	1. call to HA proxy gets authenticated	16:57
ayoung	2. HA proxy adds the "I know who the user is , it is blah validated by foo"	16:57
ayoung	to the call to the service	16:57
ayoung	service then calls keystone, like a token validation "foo/blah came in, looking for project X. give me the access_info"	16:57
notmorgan	negative	16:59
notmorgan	i would like the services to never need to ask keystone	16:59
ayoung	notmorgan think about that statement	16:59
notmorgan	the services should not need to ask keystone anything	16:59
ayoung	asking keystone is the only way to not get stale info	16:59
notmorgan	period.	16:59
ayoung	\yeah...disagree	16:59
notmorgan	what case are you trying to lock out of?	17:00
notmorgan	long running jobs with changing permissions middle of the task?	17:00
ayoung	user asks for a long running operation, should check at time of access "is this still valid"	17:00
notmorgan	heat, for example, would not be explicitly trusted	17:00
notmorgan	only at the time of issuance.	17:00
ayoung	notmorgan, glance snapshot	17:00
notmorgan	i say "make a snapshot"	17:00
notmorgan	that was trusted when requested, it should complete	17:00
notmorgan	not be checked every single step of the way	17:00
*** lhcheng has quit IRC		17:00
notmorgan	it was authorized when you started	17:00
notmorgan	if you ask for another snapshot, ask again	17:01
ayoung	yeah, but you don't know at time of request that it is going to be requested	17:01
notmorgan	check authorization	17:01
ayoung	you don't find out until auth would have timed out	17:01
notmorgan	no, that is the heat case.	17:01
ayoung	no	17:01
notmorgan	if i say make a snapshot, that is now	17:01
ayoung	this is standard VM running stuff	17:01
notmorgan	and it checked at request time	17:01
notmorgan	if you're saying "make a snapshot in 20 mins" you're asking in 20 mins.	17:01
ayoung	yo uare saying that all operations need to be pre-authed?	17:02
ayoung	that means you need to know a-=priori all possible code paths	17:02
ayoung	I'm fine with that, except that the other serives all make like whingy bsabies when I suggested it	17:02
notmorgan	so, see here is where i am coming from	17:02
notmorgan	i don't care if they whine	17:02
notmorgan	i'm writing code for this to prove it out	17:02
ayoung	its more like "do a long upload, and then do something, and the long upload is to glance, and the do something is to swift."	17:02
notmorgan	if it goes nowhere i still can gather operator support	17:03
notmorgan	but i'm done "talking about" the plans and doing the "code talks" method	17:03
ayoung	notmorgan, I trust you will get it right...so long as it supports existing use cases	17:03
notmorgan	:)	17:03
notmorgan	ayoung: the major change is that i am planning to make anything that is core-service to another core service just pass through the auth-headers	17:03
ayoung	notmorgan, good luck. I gave up on that approach once I got to a full page of abandoinded code reviews	17:03
*** jaosorior has quit IRC		17:03
*** rdo_ has quit IRC		17:03
notmorgan	ayoung: the exception is like heat or something that works on staged tasks	17:04
notmorgan	it always asks before performing an action as that may have changed (they are discreet actions)	17:04
ayoung	notmorgan, heh, solve the Nova to other core services case first and I'll be happy	17:04
notmorgan	ayoung: that is part of what this is aiming towards.	17:04
notmorgan	:)	17:04
notmorgan	but the 1st step is correcting the bug [yes like 1] in nova so glance can be sub-url mounted	17:05
ayoung	notmorgan, this is all going to be via keystoneauth, right?	17:05
notmorgan	ayoung: anything the clients use	17:05
ayoung	um...was that a yes or a no?	17:05
notmorgan	well auth in the edge [for my purposes] can't be KSA	17:05
notmorgan	because we don't run python at the edge	17:06
notmorgan	but inside the services yes.	17:06
notmorgan	it will be KSA and/or a patch to ksc.session when this mode is enabled [prob. out-of-tree]	17:06
notmorgan	s/patch/monkeypatch/	17:06
notmorgan	but ksa will receive first tier support for handling this in the right way(s)	17:07
ayoung	notmorgan, define "at the edge" if can, please?	17:08
notmorgan	ayoung: at the edge: the ingress point before the services.	17:09
notmorgan	so, HAProxy in my example	17:09
ayoung	notmorgan, HAProxy coming in, then....and going out?	17:09
notmorgan	ayoung: correct. HAProxy is the gateway to the services here	17:09
ayoung	notmorgan, so, HAProxy has to work with whatever you do, but the calling out from the other services will still be via keystoneauth.	17:10
notmorgan	ayoung: long term, i want to use "internal" interface for svc->svc	17:10
notmorgan	ayoung: yes, it would just route though a similar balancer [maybe without the heavier handed auth checking]	17:10
ayoung	notmorgan, agreed, although x509 clientless works fine there, too	17:10
notmorgan	ayoung: ksa would just be smart enough to bundle the auth stuff up that is needed to do svc->svc	17:11
ayoung	notmorgan, I think we're on the same page	17:11
notmorgan	and the x509 or whatever covers the "are you really a trusted service"	17:11
notmorgan	but haproxy can do all the stuff we are talking about and then some.	17:12
notmorgan	ayoung: but it isn't the only thing that can do it.	17:12
notmorgan	ayoung: just very convienent way to. and it addresses the "eventlet" problem [mostly]	17:12
ayoung	notmorgan, its part of the RDO solution, so an HAProxy approach works for me	17:12
ayoung	++	17:12
*** pnavarro has quit IRC		17:13
*** mfedosin has quit IRC		17:13
notmorgan	i have a working devstack with everything [except novnc] sub-url mounted (cause i just didn't care]	17:13
*** EinstCrazy has joined #openstack-keystone		17:14
ayoung	notmorgan, heh...websockets is its own kind of crazy	17:14
*** pnavarro has joined #openstack-keystone		17:15
*** lhcheng has joined #openstack-keystone		17:15
*** ChanServ sets mode: +v lhcheng		17:15
*** boris-42_ has quit IRC		17:15
notmorgan	ayoung: it is, but it still will work :)	17:16
notmorgan	ayoung: but it's more digging into things than i am willing to do for the first few steps	17:16
notmorgan	i'm almost to the point where I legitimately need a lab of nodes [not enough space to use VMs] to proove this out	17:17
ayoung	notmorgan, did you stray from https://wiki.openstack.org/wiki/URLs ? Cuz if you did, please update with the rationale, when you have a chance.	17:17
notmorgan	ayoung: i am	17:17
notmorgan	ayoung: i disagree with some of those choices	17:17
notmorgan	notably /identity/main	17:18
notmorgan	and identity/admin	17:18
ayoung	notmorgan, look at when I wrote that....	17:18
notmorgan	yah	17:18
notmorgan	but i think the rest are all in line	17:18
notmorgan	basically, i am doing /identity/(v2.0\|v3)	17:18
notmorgan	no distinction	17:18
notmorgan	and that is the only real change to what you wrote	17:18
ayoung	cool. And, FWIW, I am totally cool with ditching /main and /admin, as well you might guess	17:18
notmorgan	yah	17:18
notmorgan	and i am going to make the auth_url in my POC actually 100% separate	17:19
ayoung	notmorgan, this is why we should not allow productive coders to be PTL	17:19
ayoung	look at how much more wea re getting out of you now.	17:19
notmorgan	uh. i am doing very little work in keystone :P	17:19
notmorgan	and don't expect to be coming back actually.	17:19
ayoung	so long as the overall story gets better, I am OK with that	17:19
* stevemar is wondering how to take that		17:19
notmorgan	i'll stick on the KSA stuff but i'm seriously considering stepping down as keystone-core but staying on as ksa-core	17:20
ayoung	stevemar, we give you one rotation, then we need you back on real stuff	17:20
stevemar	lol	17:20
ayoung	stevemar, I say next time we make topol take it.	17:20
stevemar	i'm make a mess of things no matter where i am	17:20
*** jorge_munoz has quit IRC		17:21
*** EinstCrazy has quit IRC		17:21
*** ChanServ sets mode: +o dolphm		17:22
*** davechen1 has joined #openstack-keystone		17:24
*** davechen has quit IRC		17:26
*** Guest23729 is now known as zeus		17:27
*** lhcheng_ has joined #openstack-keystone		17:27
*** zeus has quit IRC		17:27
*** zeus has joined #openstack-keystone		17:27
*** gyee has joined #openstack-keystone		17:28
*** ChanServ sets mode: +v gyee		17:28
topol	ayoung, notmorgan you actually trust me enough to want to hand me something???	17:28
topol	stevebot	17:28
ayoung	stevemar, topol ever heard of the Peter principle?	17:29
ayoung	topol, Or did you ever read the part in the Hitchhiker's trilogy explaining why Zaphod Bebblebrox was made Predident of the Galaxy?	17:29
topol	ayoung I live it :-)	17:29
notmorgan	topol: HEY don't loop me into this :P I stayed out of that comment for a reason.	17:29
*** rdo has joined #openstack-keystone		17:29
topol	notmorgan :-)	17:29
*** swebb has joined #openstack-keystone		17:30
*** lhcheng has quit IRC		17:30
openstackgerrit	Lance Bragstad proposed openstack/keystone: Use assertDictEqual instead of assertEqualPolicies https://review.openstack.org/251482	17:32
notmorgan	ayoung: feedback on https://review.openstack.org/#/c/250476/ is of course welcome	17:36
ayoung	notmorgan, betamax? Someone was feeling retro	17:36
ayoung	notmorgan, WTF is a BetaMax interface?	17:37
notmorgan	ayoung: betamax is basically record requests session	17:38
notmorgan	and then you can use that exact recording in a replay for testing	17:38
notmorgan	it is based on requests-mock	17:38
ayoung	notmorgan, vcr " Record your test suite's HTTP interactions and replay them during future test runs for fast, deterministic, accurate tests.	17:39
ayoung	"	17:39
notmorgan	yep.	17:39
ayoung	we need that in the review somewhere, either in the commit, or in the doc, or a bug link or something	17:39
notmorgan	so the plan here is to use this and record interactions with "real" clouds.	17:39
notmorgan	and then OCC can replay that and make sure there isn't regression when things are added to OCC's feature set	17:39
notmorgan	:)	17:39
ayoung	jst throwing a new technology in there to someone like me that is not paying too much attention to the discussion makes it hard to review	17:39
notmorgan	ayoung: but we're pushing the fixture/interface down to ksa level since it belongs at the low level rather than in the consuming projects [the basic support that is]	17:40
ayoung	notmorgan, that approach to testing can be fragile.	17:40
ayoung	"record/replay" that is	17:40
notmorgan	it is only one set of functional tests	17:40
ayoung	its agood "get started" approach,	17:40
notmorgan	but it is needed for things like OCC	17:41
notmorgan	because occ and then shade have cloud-specific code paths	17:41
*** tjcocozz has quit IRC		17:41
ayoung	are go going to hold up a checking if it breaks a Betamax based test?	17:41
notmorgan	so we need to be sure that they don't break when we make a change. if it breaks because the cloud changes, we can re-record and go from there.	17:41
notmorgan	ayoung: in OCC and Shade? probably	17:42
notmorgan	for the specified code paths	17:42
notmorgan	because they are there to support cloud-specific deployment configs	17:42
*** tjcocozz has joined #openstack-keystone		17:43
notmorgan	will KSA ever be held up because betamax? no.. unless you break the betamax interface in ksa (itself)	17:43
notmorgan	but not because we have pre-recorded anything	17:43
*** edmondsw has joined #openstack-keystone		17:44
ayoung	We are getting fucking code review commens on the numer of spaces after a period. Berke Brehed was right	17:44
notmorgan	we are?	17:45
ayoung	I am	17:45
ayoung	in the help sttrings for config	17:45
htruta	hey stevemar, should I mark this https://review.openstack.org/#/c/207218/ as deprecated-of-mitaka ?	17:45
notmorgan	ayoung: if there was no other reason for the -1 i'd call it out, but i'd classify those as nits, and could be ignored if there were no other issues with the patch	17:47
*** davechen has joined #openstack-keystone		17:48
ayoung	notmorgan, its just noise	17:48
ayoung	notmorgan, but I've had three people jump on that	17:48
ayoung	whippersnappers	17:48
notmorgan	if that is the only reason they are -1, i'd call it out as "great but this isn't worth the re-spin re-review time"	17:49
notmorgan	(politely)	17:49
notmorgan	if they have other concerns, i'm fine with those comments	17:49
* notmorgan shrugs		17:49
*** spandhe has joined #openstack-keystone		17:50
*** davechen1 has quit IRC		17:50
raildo	stevemar: ping, quickly question (ML email about deprecating features) you said that the code will keep for at least four releases, on this part, are you talk about the hole v2.0 API or only the authentication routes?	17:51
*** ayoung has quit IRC		17:57
openstackgerrit	Merged openstack/keystoneauth: Add argparse registration from Adapter objects https://review.openstack.org/245304	18:01
notmorgan	stevemar: https://review.openstack.org/251493	18:05
stevemar	notmorgan: https://review.openstack.org/#/c/250523/	18:06
stevemar	raildo: reply to the ML with that and i'll reply ;)	18:07
raildo	stevemar: sure :)	18:07
notmorgan	stevemar: i am also against calling it 2.0 of ksa	18:07
notmorgan	stevemar: like... massively against it	18:07
stevemar	raildo: the answer is: we'll keep the whole of v2.0 CRUD routes around for 4 releases, and the authentication routes for longer (indefinitely) cc dolphm notmorgan	18:07
stevemar	notmorgan: py26 support dropped, so we have to do a major bump	18:08
notmorgan	stevemar: ugh	18:08
notmorgan	stevemar: i am not happy about that at all	18:08
notmorgan	stevemar: btw	18:08
notmorgan	at all.	18:08
raildo	stevemar: that was I thought, thanks	18:09
notmorgan	stevemar: but -1 on your release request until we get at least updated hashes to the most recent merge (preferably)	18:09
notmorgan	stevemar: the major version bump for droppy py26 is really crappy still.	18:09
stevemar	dhellmann: ^ thoughts?	18:10
*** harlowja has joined #openstack-keystone		18:10
openstackgerrit	Merged openstack/keystonemiddleware: Add a mock-fixture for keystonemiddleware auth_protocol https://review.openstack.org/249794	18:10
notmorgan	but i'm fine if we have to	18:10
stevemar	notmorgan: yeah, let me know what hash you want and i'll update it	18:10
stevemar	or you update it, whatevsss	18:10
notmorgan	stevemar: commented in the review and also ^ the ksm one	18:10
notmorgan	that just landed	18:10
*** chlong has quit IRC		18:10
dhellmann	stevemar , notmorgan : yeah, dropping support for a whole deployment platform is a major version change	18:11
*** edmondsw has quit IRC		18:11
dhellmann	you're declaring a backwards-incompatible change	18:11
notmorgan	still super crappy for KSA since i don't think we had any 26 specific code.	18:11
notmorgan	and no one who used ksa was 26 dependant afaik	18:11
notmorgan	but meh.	18:11
stevemar	dhellmann: that's true, we didn't have py26 specific code	18:12
notmorgan	i wont make too much of a stink. just very displeased with that part of the change.	18:12
dhellmann	it's not about your code, it's about the declaration of support	18:12
stevemar	notmorgan: you're saying to not release ksm?	18:12
stevemar	dhellmann: true true	18:12
notmorgan	stevemar: just include the new fixture in the release (that just merged)	18:12
notmorgan	stevemar: thats all.	18:12
stevemar	roger roger	18:13
stevemar	gotcha, the auth token fixture	18:13
notmorgan	stevemar: yah.	18:13
stevemar	notmorgan: cool beans	18:13
notmorgan	seems like it's silly not to drop that in cause it landed :)	18:13
notmorgan	stevemar: but the ksa from_argparse is the more important thing to incliude in the release	18:14
notmorgan	stevemar: that is holding up client fixes	18:14
notmorgan	and OCC fixes	18:14
notmorgan	i kinda want to see https://review.openstack.org/#/c/235090/ land... but...	18:16
notmorgan	it can wait until m2	18:16
*** zeus has quit IRC		18:17
*** rm_work has quit IRC		18:17
*** odyssey4me has quit IRC		18:19
*** swebb has quit IRC		18:19
*** EinstCrazy has joined #openstack-keystone		18:21
*** zeus has joined #openstack-keystone		18:22
*** zeus is now known as Guest21588		18:22
*** rm_work has joined #openstack-keystone		18:22
*** Guest21588 is now known as zeus`		18:23
*** Guest83268 has quit IRC		18:23
*** reed has quit IRC		18:24
*** EinstCrazy has quit IRC		18:25
*** odyssey4me has joined #openstack-keystone		18:25
*** chlong has joined #openstack-keystone		18:26
stevemar	notmorgan: i want it to land too :(	18:27
*** crinkle has quit IRC		18:27
stevemar	theres no reason the two of us can't review it now?!	18:27
*** petertr7 is now known as petertr7_away		18:27
*** mgagne has joined #openstack-keystone		18:28
*** mgagne is now known as Guest63453		18:28
*** doug-fish has quit IRC		18:28
*** reed has joined #openstack-keystone		18:28
notmorgan	stevemar: I can rubber stamp it now. But real review on a couple hours?	18:29
*** crinkle has joined #openstack-keystone		18:29
stevemar	we don't have to force it	18:29
*** swebb has joined #openstack-keystone		18:30
openstackgerrit	Priti Desai proposed openstack/keystone: Fix for listing role assignments by project admin https://review.openstack.org/248892	18:30
*** aginwala has joined #openstack-keystone		18:31
*** lhcheng_ has quit IRC		18:32
stevemar	notmorgan: bump for review: https://review.openstack.org/#/c/240474/	18:35
*** shaleh has joined #openstack-keystone		18:36
*** hogepodge has joined #openstack-keystone		18:37
*** jistr has joined #openstack-keystone		18:37
*** Guest63453 has quit IRC		18:38
*** Guest63453 has joined #openstack-keystone		18:38
*** Guest63453 is now known as mgagne		18:39
*** davechen1 has joined #openstack-keystone		18:40
*** davechen has quit IRC		18:41
*** mfedosin has joined #openstack-keystone		18:44
stevemar	bknudson: notmorgan dolphm if i could get reviews on these before M1: https://review.openstack.org/#/c/251160/ https://review.openstack.org/#/c/251161/ << adding release notes for keystone libs	18:44
*** diegoadolfo__ has joined #openstack-keystone		18:45
shaleh	samueldmq: hey, please look at the comments I made to yours on the project_ref review and consider turning that -1 into a +1.	18:51
*** pnavarro has quit IRC		18:54
*** pnavarro has joined #openstack-keystone		18:58
*** tyagiprince has joined #openstack-keystone		18:58
*** pnavarro has quit IRC		19:02
*** aginwala has quit IRC		19:02
*** sripriya has joined #openstack-keystone		19:03
*** sileht has quit IRC		19:05
*** aginwala has joined #openstack-keystone		19:07
*** jaosorior has joined #openstack-keystone		19:08
*** tyagiprince has quit IRC		19:10
*** tyagiprince has joined #openstack-keystone		19:10
*** btully has quit IRC		19:10
*** btully has joined #openstack-keystone		19:11
*** jaosorior has quit IRC		19:15
*** petertr7_away is now known as petertr7		19:18
*** mancdaz has quit IRC		19:20
*** xek has quit IRC		19:21
*** mancdaz has joined #openstack-keystone		19:22
*** aginwala is now known as aginwala87		19:24
*** aginwala87 is now known as aginwala		19:24
*** mkoderer has quit IRC		19:26
*** davechen has joined #openstack-keystone		19:26
*** tyagiprince has quit IRC		19:27
*** aginwala has quit IRC		19:27
*** c_soukup has joined #openstack-keystone		19:28
*** lhcheng has joined #openstack-keystone		19:29
*** ChanServ sets mode: +v lhcheng		19:29
*** mkoderer has joined #openstack-keystone		19:29
*** davechen1 has quit IRC		19:29
openstackgerrit	Alexander Makarov proposed openstack/keystone: Use path hybrid property in query filtering https://review.openstack.org/251513	19:31
openstackgerrit	Sean Perry proposed openstack/keystone: Use unit.new_project_ref consistently https://review.openstack.org/244523	19:31
*** csoukup has quit IRC		19:32
*** petertr7 is now known as petertr7_away		19:33
*** diazjf has left #openstack-keystone		19:36
*** petertr7_away is now known as petertr7		19:42
*** aginwala has joined #openstack-keystone		19:43
raildo	stevemar: Do you know when will be the next release for keystoneclient?	19:44
stevemar	raildo: soon, before M1 ends	20:06
stevemar	raildo: i've proposed updates here: https://review.openstack.org/#/c/250523/	20:06
*** c_soukup has quit IRC		20:06
raildo	stevemar: great, I'll take a look	20:07
openstackgerrit	Steve Martinelli proposed openstack/python-keystoneclient: Remove hardcoded endpoint filter for update password https://review.openstack.org/231749	20:08
stevemar	raildo: i'm just waiting on this change to merge ^	20:10
bknudson	stevemar: https://review.openstack.org/#/c/251161/ is gating	20:10
stevemar	thanks bknudson, much appreciated	20:10
bknudson	https://review.openstack.org/#/c/251160/ needs another +2	20:10
bknudson	(from non-ibm)	20:11
raildo	stevemar: so it will be really soon :)	20:11
stevemar	notmorgan: dolphm lbragstad dstanek ^ ?	20:11
*** mserngawy_ has joined #openstack-keystone		20:11
stevemar	raildo: yes, the intention is to release ksc/ksm/ksa tomorrow (early in the week)	20:11
stevemar	i wonder if i need to stagger those releases	20:12
shaleh	gyee is back too	20:12
stevemar	meh, shouldn't need to	20:12
stevemar	gyee: finall!	20:12
stevemar	finally!	20:12
dstanek	stevemar: release notes!	20:12
lbragstad	stevemar looking	20:12
stevemar	dstanek: yeah, libraries need them too :(	20:13
stevemar	brb, making tea	20:13
dstanek	stevemar: running tox now and i'll +2 when it completes	20:13
*** doug-fish has joined #openstack-keystone		20:14
*** ayoung has joined #openstack-keystone		20:18
*** ChanServ sets mode: +v ayoung		20:18
*** martinus__ has quit IRC		20:21
stevemar	just a heads up that ksm/ksc/ksa are all going to receive major version bumps this time around because we are removing py26 support	20:22
stevemar	dstanek: lhcheng ayoung gyee lbragstad dolphm: just a heads up that ksm/ksc/ksa are all going to receive major version bumps this time around because we are removing py26 support	20:22
*** martinus__ has joined #openstack-keystone		20:22
dolphm	stevemar: ++	20:22
ayoung	stevemar, good	20:22
lbragstad	sweet	20:22
dstanek	stevemar: it's about time!	20:22
lhcheng	great	20:23
*** NM has quit IRC		20:24
openstackgerrit	Raildo Mascena de Sousa Filho proposed openstack/keystone: Deprecating API v2.0 https://review.openstack.org/251530	20:26
* ayoung ready to remove py27 support, too		20:27
*** jistr has quit IRC		20:27
raildo	ayoung: haha	20:28
shaleh	ayoung: beyond string annoyance, 27 is largely 3x already	20:28
*** shaleh is now known as shaleh\|away		20:29
bknudson	if we didn't have py27 support in keystone you couldn't run it at all.	20:30
*** mfedosin has quit IRC		20:31
*** adelia has joined #openstack-keystone		20:31
gyee	stevemar, awesome!	20:32
stevemar	bknudson: maybe that's ayoung's plan	20:32
ayoung	I'm ready to deprecate Keystone	20:32
gyee	ayoung,whatever you are drinking, I want some :)	20:33
ayoung	gyee, Coffee.	20:33
*** RichardRaseley has joined #openstack-keystone		20:34
openstackgerrit	Raildo Mascena de Sousa Filho proposed openstack/keystone: Deprecating API v2.0 https://review.openstack.org/251530	20:35
*** aginwala has quit IRC		20:39
*** navid_ has quit IRC		20:39
*** aginwala has joined #openstack-keystone		20:42
*** EinstCrazy has joined #openstack-keystone		20:42
*** c_soukup has joined #openstack-keystone		20:45
stevemar	mfisch`: poke	20:46
*** EinstCrazy has quit IRC		20:47
*** doug-fish has quit IRC		20:51
*** belmoreira has joined #openstack-keystone		20:53
*** raildo is now known as raildo-afk		20:53
*** dims_ has joined #openstack-keystone		20:53
*** doug-fish has joined #openstack-keystone		20:54
*** doug-fis_ has joined #openstack-keystone		20:55
*** dims has quit IRC		20:56
*** mfisch` has quit IRC		20:56
*** mfisch has joined #openstack-keystone		20:57
notmorgan	~.	20:57
*** mfisch is now known as Guest7150		20:57
*** doug-fi__ has joined #openstack-keystone		20:57
*** pauloewerton has quit IRC		20:57
*** doug-fish has quit IRC		20:58
openstackgerrit	Dave Chen proposed openstack/keystonemiddleware: Configuration is outdated https://review.openstack.org/220545	20:58
*** doug-fis_ has quit IRC		21:00
*** Guest7150 has quit IRC		21:01
*** doug-fi__ has quit IRC		21:02
breton	stevemar: I will work on memcache_pool patches tomorrow	21:02
*** aginwala has quit IRC		21:02
breton	stevemar: althought that patch really can be abandoned, memcache_pool still doesn't work	21:02
*** dims_ has quit IRC		21:03
stevemar	breton: :(	21:03
*** lhcheng has quit IRC		21:03
*** doug-fish has joined #openstack-keystone		21:04
*** doug-fish has quit IRC		21:09
*** aginwala has joined #openstack-keystone		21:13
*** diazjf has joined #openstack-keystone		21:14
*** dims has joined #openstack-keystone		21:14
*** rdo has quit IRC		21:18
*** raildo-afk is now known as raildo		21:19
*** aginwala has quit IRC		21:19
davechen	breton: I don't know how to contradict you, acutally, I agree with you at some points.	21:23
openstackgerrit	Merged openstack/keystonemiddleware: Add release notes for keystonemiddleware https://review.openstack.org/251161	21:23
davechen	breton: let's just wait to see if there is any comments from jamielennox or marekd who filed the bug.	21:24
*** rdo has joined #openstack-keystone		21:26
*** topol has quit IRC		21:26
*** doug-fish has joined #openstack-keystone		21:32
breton	davechen: ok, I agree. I am not strictly against the change, just have some concerns.	21:33
*** doug-fis_ has joined #openstack-keystone		21:35
*** doug-fis_ has quit IRC		21:35
*** doug-fis_ has joined #openstack-keystone		21:35
*** doug-fish has quit IRC		21:37
*** aginwala has joined #openstack-keystone		21:37
*** opilotte has quit IRC		21:38
*** opilotte has joined #openstack-keystone		21:38
davechen	breton: your comments is great! so I checked bunches of websites and didn't find any exceptions that can assist the change. :)	21:41
*** navid_ has joined #openstack-keystone		21:42
*** dims_ has joined #openstack-keystone		21:42
openstackgerrit	Merged openstack/keystoneauth: Add release notes for keystoneauth https://review.openstack.org/251163	21:43
*** dims has quit IRC		21:43
*** mfisch has joined #openstack-keystone		21:48
*** mfisch has quit IRC		21:48
*** mfisch has joined #openstack-keystone		21:48
*** jasonsb has quit IRC		21:48
*** aginwala has quit IRC		21:49
*** petertr7 is now known as petertr7_away		21:55
*** andrewbogott has quit IRC		21:56
*** andrewbogott has joined #openstack-keystone		21:56
ayoung	OK....what is the rationale for not being able to deprecate V2 Auth?	21:58
shaleh\|away	1) non python users 2) lots of existing users 3) ease of upgrade	21:59
*** aginwala has joined #openstack-keystone		21:59
shaleh\|away	not exactly in that order	21:59
*** shaleh\|away is now known as shaleh		21:59
shaleh	as I recall from the summit	21:59
shaleh	(not my list)	22:00
ayoung	shaleh, I'm looking at the Etherpad and ... well, I just don't get it	22:00
*** navid_ has quit IRC		22:00
ayoung	I think we are wrong. I see no reason V2 Auth needs to stick around	22:00
ayoung	shaleh, https://etherpad.openstack.org/p/keystone-mitaka-summit-deprecations	22:00
*** navid_ has joined #openstack-keystone		22:00
shaleh	ayoung: as usual, talk to morded. He is a major proponent.	22:01
shaleh	other people felt that breaking v2 style auth would cause lots of strife with existing users/customers	22:02
shaleh	I seem to recall bknudson or lbragstad being in that crowd	22:03
bknudson	I'm fine with deprecating v2 auth	22:03
shaleh	stevemar would suggest dropping v2, be reminded by somebody of xyz and then agree that at least v2 auth needed to live on	22:03
shaleh	bknudson: sorry if I am not remembering correctly	22:04
*** csoukup_ has joined #openstack-keystone		22:04
shaleh	bknudson: I was still learning names and voices during some of these conversations	22:04
bknudson	I think it was dolphm that had an issue with deprecating v2 auth	22:04
shaleh	bknudson: yeah, that sounds plausible	22:04
shaleh	bknudson: I was getting you and him mixed up the first day	22:04
*** notmyname has quit IRC		22:05
dolphm	bknudson: ++ deprecation is okay, but it'll need to be supported for a long time	22:05
dolphm	and there are things we can do to reduce the maintenance cost in the mean time	22:06
dolphm	like, implement it as translation middleware on top of the v3 app	22:06
shaleh	dolphm: right, thanks I remember that being suggested	22:06
bknudson	dolphm: that's what I was thinking too, that we deprecate it even if we're not going to remove it. just so that keystone complains about it.	22:06
*** c_soukup has quit IRC		22:06
*** notmyname has joined #openstack-keystone		22:06
dolphm	at startup?	22:07
*** markvoelker has joined #openstack-keystone		22:07
bknudson	(but that's not what I thought we agreed to at the summit)	22:07
bknudson	keystone would log the deprecation warning when it's used.	22:07
shaleh	right, it could not interfere with the user.	22:07
bknudson	when a /v2/auth/tokens request comes in it'll log warning	22:07
openstackgerrit	Merged openstack/keystonemiddleware: Add domain and trust details to user plugin https://review.openstack.org/244987	22:08
shaleh	ayoung: agree, the etherpad is not clear	22:08
lbragstad	shaleh ahh, it this regarding the deprecation session in tokyo?	22:12
dolphm	bknudson: hopefully only on the first call!	22:13
bknudson	dolphm: that's how the deprecated warning is supposed to work.	22:14
dolphm	bknudson: ++ wasn't sure if you were implying otherwise	22:14
*** csoukup_ has quit IRC		22:16
ayoung	so, the issue with automatically translating V2 to V3 is that we have no way of querying the default domain id or name	22:20
ayoung	that was one reason for: https://review.openstack.org/#/c/242852/ "Query Config from Web UI "	22:20
ayoung	probably the main one	22:20
notmorgan	OMG HI dolphm !	22:21
* notmorgan goes back to the corner now		22:21
*** roxanaghe has joined #openstack-keystone		22:24
*** mancdaz has quit IRC		22:26
*** csoukup_ has joined #openstack-keystone		22:27
dolphm	notmorgan: OMG HI	22:27
dolphm	stevemar: why is ksm 2.4.x and 3.0.x not on pypi?	22:27
notmorgan	dolphm: we have ksm 3.0?	22:28
stevemar	notmorgan: we do	22:28
dolphm	there appear to be tags for 2.4.0 2.4.1 and 3.0.0	22:28
*** mancdaz has joined #openstack-keystone		22:28
dolphm	but none are on pypi	22:28
dolphm	and they break stable/liberty	22:28
notmorgan	dolphm: maybe 3.0 was just tagged and delay in pushing to pypi?	22:28
notmorgan	2.4 no clue	22:28
notmorgan	oh no	22:28
notmorgan	wut?	22:28
stevemar	dolphm: i asked dstufft about this in #pypa-dev	22:29
stevemar	dolphm: join me there?	22:29
dolphm	sure	22:29
stevemar	dolphm: but that was all before US turkey day	22:29
*** davechen has left #openstack-keystone		22:31
*** jasonsb has joined #openstack-keystone		22:36
*** jasonsb has quit IRC		22:37
*** fangxu has joined #openstack-keystone		22:37
*** adelia_ has joined #openstack-keystone		22:37
*** jasonsb has joined #openstack-keystone		22:37
*** adelia has quit IRC		22:41
*** btully has quit IRC		22:41
*** tjcocozz has quit IRC		22:41
*** tjcocozz has joined #openstack-keystone		22:42
*** adelia_ has quit IRC		22:42
*** btully has joined #openstack-keystone		22:43
*** doug-fis_ has quit IRC		22:44
*** doug-fish has joined #openstack-keystone		22:44
*** doug-fish has quit IRC		22:49
*** doug-fish has joined #openstack-keystone		22:49
*** doug-fis_ has joined #openstack-keystone		22:50
shaleh	lbragstad: yes, that was what we were talking about	22:52
*** navid_ has quit IRC		22:53
*** doug-fish has quit IRC		22:54
*** diazjf has quit IRC		22:54
*** doug-fis_ has quit IRC		22:55
*** dims has joined #openstack-keystone		23:02
*** doug-fish has joined #openstack-keystone		23:03
*** dims_ has quit IRC		23:03
*** aginwala_ has joined #openstack-keystone		23:06
*** doug-fish has quit IRC		23:07
*** aginwala has quit IRC		23:10
*** breitz has quit IRC		23:15
*** breitz has joined #openstack-keystone		23:15
*** Ephur has quit IRC		23:20
ayoung	bknudson, https://review.openstack.org/#/c/240719/6/keystone/tests/unit/test_v3_auth.py,cm when say "There should also be a test that shows that the authenticate response has is_admin_project=..." do you mean the token validation response?	23:21
bknudson	ayoung: there's already code that checks the token validation (GET /auth/tokens) response	23:21
bknudson	there isn't code that checks the auth response POST /auth/tokens	23:21
ayoung	bknudson, you mean test the response from the initial self.get_requested_token?	23:22
bknudson	ayoung: yes	23:22
ayoung	bknudson, OK...cool;.	23:22
openstackgerrit	Merged openstack/python-keystoneclient: Remove hardcoded endpoint filter for update password https://review.openstack.org/231749	23:35
*** gordc has quit IRC		23:39
*** jerrygb has quit IRC		23:39
*** jerrygb has joined #openstack-keystone		23:39
*** Ephur has joined #openstack-keystone		23:44
*** RichardRaseley has quit IRC		23:54
*** RichardRaseley has joined #openstack-keystone		23:56
*** slberger has left #openstack-keystone		23:56
*** miyagishi_t has joined #openstack-keystone		23:58

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!