Monday, 2016-02-08

*** henrynash has joined #openstack-keystone		00:05
*** ChanServ sets mode: +v henrynash		00:05
*** henrynash has quit IRC		00:06
*** clenimar has quit IRC		00:07
*** darrenc_afk is now known as darrenc		00:13
*** erlarese has joined #openstack-keystone		00:13
*** gildub has joined #openstack-keystone		00:19
*** jsavak has joined #openstack-keystone		00:23
*** chlong has joined #openstack-keystone		00:26
*** mylu has quit IRC		00:31
*** gildub has quit IRC		00:33
*** jsavak has quit IRC		00:50
*** jsavak has joined #openstack-keystone		00:50
*** gildub has joined #openstack-keystone		00:50
*** gildub has quit IRC		00:58
*** dims has quit IRC		01:01
*** chlong has quit IRC		01:03
*** mylu has joined #openstack-keystone		01:05
*** su_zhang has joined #openstack-keystone		01:11
*** jsavak has quit IRC		01:15
*** gildub has joined #openstack-keystone		01:15
*** shoutm_ has joined #openstack-keystone		01:15
*** jsavak has joined #openstack-keystone		01:17
*** shoutm has quit IRC		01:17
*** shoutm has joined #openstack-keystone		01:18
*** shoutm_ has quit IRC		01:20
*** dims has joined #openstack-keystone		01:24
*** dims has quit IRC		01:46
*** EinstCrazy has joined #openstack-keystone		01:50
*** shoutm has quit IRC		01:53
*** shoutm has joined #openstack-keystone		01:54
notmorgan	zzzeek: is there an easy way to pile tests on top of a PR on bitbucket? [I really might be spoiled by gerrit]	01:54
*** EinstCrazy has quit IRC		01:54
*** mylu has quit IRC		01:57
*** mylu has joined #openstack-keystone		01:58
*** jsavak has quit IRC		02:02
*** chlong has joined #openstack-keystone		02:06
*** su_zhang has quit IRC		02:07
*** daemontool has quit IRC		02:12
*** daemontool has joined #openstack-keystone		02:13
*** su_zhang has joined #openstack-keystone		02:23
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/277231	02:39
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystoneauth: Updated from global requirements https://review.openstack.org/277232	02:39
*** oomichi has quit IRC		02:43
openstackgerrit	OpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/272825	02:43
*** daemontool has quit IRC		02:47
*** samueldm1 has quit IRC		02:47
*** erlarese has quit IRC		02:49
*** roxanagh_ has joined #openstack-keystone		02:52
*** roxanagh_ has quit IRC		02:56
*** roxanagh_ has joined #openstack-keystone		02:58
*** roxanagh_ has quit IRC		03:09
*** dims has joined #openstack-keystone		03:13
*** mylu has quit IRC		03:17
*** mylu has joined #openstack-keystone		03:17
*** roxanagh_ has joined #openstack-keystone		03:20
*** roxanagh_ has quit IRC		03:20
*** roxanagh_ has joined #openstack-keystone		03:20
*** gildub has quit IRC		03:25
*** mylu has quit IRC		03:27
*** mylu has joined #openstack-keystone		03:28
*** mylu has quit IRC		03:29
*** mylu has joined #openstack-keystone		03:31
*** mylu has quit IRC		03:32
*** mylu has joined #openstack-keystone		03:34
*** mylu has quit IRC		03:35
*** dims has quit IRC		03:35
*** mylu has joined #openstack-keystone		03:36
*** daemontool has joined #openstack-keystone		03:38
ayoung	jamielennox, do you have code I could build on to do the client part of implied roles?	03:41
jamielennox	ayoung: i was away all last week so i haven't had a chance to re-test the patch with the new routes	03:41
jamielennox	ayoung: though i saw it got merged	03:41
ayoung	jamielennox, can I have your test code? I assume it is the core of what the client needs.	03:42
jamielennox	ayoung: i can give you the script i was using, but i don't think it will help any more that just copying similar code from the other managers	03:42
*** dims has joined #openstack-keystone		03:42
ayoung	OK	03:42
ayoung	just wanted to make sure I wasn't duplicating.	03:42
ayoung	I tested a live server with curl.	03:42
ayoung	Oh, by the way, I used Kolla to set it up. Its the future	03:42
ayoung	ansible and docker	03:42
ayoung	Kept me from having to reproduce the setup myself	03:43
ayoung	imaginge devstack, but each service running in a container instead of a screen window. Keeps you from polluting your system	03:44
jamielennox	ayoung: i had a go at kolla - for whatever reason something got in the way of me using it properly	03:44
jamielennox	i'm guessing it wsa something transient and i tried it at a bad time	03:44
ayoung	jamielennox, I spent some time in #kolla with the devs and there were certainly gotchas	03:44
ayoung	I had them walk me through it, and there is at least one bug in flight	03:45
ayoung	plus I had to briefly disable selinux, and I am not certain I accept their rationale for it, but I'll look deeper into that this week	03:45
ayoung	I shut off everything but keystone and mysql, so I didn;t trip over the nova issues, but those will be a show stopper on Fedora	03:46
*** EinstCrazy has joined #openstack-keystone		03:46
jamielennox	ayoung: oh? i would have thought selinux support would be one of the best parts about kolla	03:47
jamielennox	cause you just label the whole container and be done	03:47
ayoung	I was able to reenable it once the container was running, but they do something as a non-root user out of paranoia	03:48
ayoung	and its just backwards afaict	03:48
ayoung	but it was only when launching the container, once it was up and running I reenabled enforcing and it ran fine	03:48
jamielennox	http://paste.openstack.org/show/484619/ is what i had - or the last copy i can find	03:48
jamielennox	i can't find it on disk, but first hit in my history	03:49
ayoung	jamielennox, Cool, I'll give that a run.	03:50
ayoung	I think I can hack out the client side tomorrow,	03:50
ayoung	although ,we have snow coming, and thie kids will be home...maybe later than tomorrow.	03:51
*** shoutm_ has joined #openstack-keystone		03:51
*** EinstCrazy has quit IRC		03:51
*** shoutm has quit IRC		03:53
*** shoutm has joined #openstack-keystone		03:54
*** shoutm_ has quit IRC		03:57
*** gildub has joined #openstack-keystone		03:58
*** esp has joined #openstack-keystone		04:03
notmorgan	ayoung: have fun snow-wise	04:07
notmorgan	stevemar: https://review.openstack.org/#/c/275327/	04:07
ayoung	notmorgan, I'm hoping to get out on the X-country skis.	04:07
notmorgan	ayoung: nice	04:07
notmorgan	ayoung: i am hoping to swing out to NH later this month for snowboarding w/ friends	04:07
ayoung	Excellent!	04:08
ayoung	Whereabouts?	04:08
*** dims has quit IRC		04:08
notmorgan	no idea. have to check w/ friends are living, they move down from Bangor maine	04:08
notmorgan	so, not sure where they are now	04:08
ayoung	notmorgan, If the snow hits like it is suppose to tomorrow, there should be a pretty good base.	04:09
ayoung	Its been warm	04:09
notmorgan	yeah	04:09
ayoung	we hd a bunch on Friday (no school) and more tomorrow (no school again)	04:09
notmorgan	ayoung: should be a quick review: https://review.openstack.org/#/c/276079/ - just needs a second pair of eyes (basically do a migrate before and after and compare schema)	04:10
notmorgan	(clean migrate that is)	04:10
notmorgan	each time.	04:11
ayoung	notmorgan, ugh...not a quick one	04:11
notmorgan	jamielennox: so, session deprecation, if we make it warn once - [e.g. on import] that will work (in KSC) but we can warn on each-and-every instantiation	04:12
notmorgan	ayoung: i did the migrate to 2 different DBs	04:12
notmorgan	then mysqldump --skip-opt <db> > file	04:12
ayoung	notmorgan, and all the tests run...	04:12
ayoung	ah....	04:12
notmorgan	then diff -u <file1 from pre-squash> then <file2_post_squash>	04:12
notmorgan	no testing needed, just keystone-manage- db_sync	04:13
notmorgan	we know the tests pass, gate has said so :)	04:13
ayoung	notmorgan, OK... I can accept that	04:13
ayoung	let me look at the final migration for a visual to not be a rubber stamp...	04:14
notmorgan	yep.	04:14
*** links has joined #openstack-keystone		04:14
*** mylu has quit IRC		04:15
ayoung	OK...so now git thinkgs 67 is a renamed 44, but with some changes...that is heartening	04:15
notmorgan	yeah. :)	04:15
*** mylu has joined #openstack-keystone		04:16
ayoung	+ can get behind that one	04:16
notmorgan	i already made sure steve covered the issues with the squash before +2ing it	04:17
ayoung	notmorgan, I want to build functional test based on Kolla. I think it is better approach than devstack for LDAP and alternative live databases and the like	04:17
notmorgan	whatever is the functional base, it should be something zuul knows how to do	04:18
notmorgan	not something encoded in our unit tests	04:18
notmorgan	or whatever.	04:18
notmorgan	you can have a helper script, but zuul should be leveraged not "tox -e<thing>"	04:18
notmorgan	if i am not mis-reading what you're proposing	04:19
ayoung	notmorgan, so, I think that will work. I'm still learning Kolla, but it is setting up everything using ansible, and there are a handful of scripts for kicking things off that part part of kolla	04:19
ayoung	pretty sure tox is only used for Kolla testing.	04:19
ayoung	er, unit testing	04:20
notmorgan	right	04:20
notmorgan	as it should be	04:20
notmorgan	we should be moving restfultestcase -> something like you're describing, not conintuing with the pattern.	04:20
notmorgan	it'll mean we have to hang onto eventlet for a bit longer until dstanek finishes the other thing or you get this new thing working	04:21
ayoung	We should talk with the Kolla team at the summit, and see if we can make some headway on this. I think that we could get tests for SAML and LDAP	04:21
notmorgan	but not eventlet in production-y things.	04:21
ayoung	Nope.	04:21
ayoung	this was all Keystione Apache HTTPD	04:21
ayoung	Kolla is docker. You Run keystone in its own container	04:21
notmorgan	right, once we get this thing or dstanek's thing working to eliminate the in-process eventlet server for testing, we'll be in better shape	04:22
ayoung	ah...I didn't know he was working on that, but not surprised.	04:22
notmorgan	he is working on the test-case spinning up an isolated keystone instance when needed not "on every testcase"	04:22
notmorgan	and in it's own process, so it doesn't need to be eventlet	04:23
* notmorgan tries to figure out how to roll authcontext, url_normalize, and json_body into the main service_objects now		04:24
notmorgan	that'll make our pipeline basically <oslo_things> <keystone>	04:24
notmorgan	and we get to define things in code instead of paste-ini awfulness	04:25
*** david-lyle has quit IRC		04:30
*** dstanek has quit IRC		04:31
*** spandhe has joined #openstack-keystone		04:32
*** dstanek has joined #openstack-keystone		04:33
*** ChanServ sets mode: +v dstanek		04:33
jamielennox	notmorgan, ayoung: sorry wasn't paying attention	04:34
ayoung	jamielennox, NP...I'm really just writing up my notes on running Kolla thing right now. We can discuss later this week.	04:34
jamielennox	why should kolla mean anything about eventlet?	04:34
jamielennox	i'm told it's fairly normal to use httpd within a container	04:35
*** jidar_ has joined #openstack-keystone		04:38
*** jidar has quit IRC		04:38
*** ktychkova has quit IRC		04:38
*** ktychkova_ has joined #openstack-keystone		04:38
*** jidar_ is now known as jidar		04:38
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Mark the ExtensionRouter deprecated https://review.openstack.org/277280	04:44
*** david-lyle has joined #openstack-keystone		04:45
ayoung	jamielennox, I was confused. Kolla does HTTP. It was the functional testing holding us on Eventlet the way it is written now	04:53
*** Nirupama has joined #openstack-keystone		04:57
*** spandhe has quit IRC		05:14
stevemar	ayoung: i need some ldap expertise on this patch: https://review.openstack.org/#/c/228644/	05:26
stevemar	notmorgan: if you're around, this one can be punted through: https://review.openstack.org/#/c/264475/	05:26
notmorgan	stevemar: moment, almost done refactoring things so we have authcontextmiddleware, jsonbody, and url_normalizer built-in	05:27
*** roxanagh_ has quit IRC		05:35
*** roxanagh_ has joined #openstack-keystone		05:36
*** roxanagh_ has quit IRC		05:37
*** roxanagh_ has joined #openstack-keystone		05:37
notmorgan	stevemar: our circular dependencies for imports is awful	05:41
*** Nirupama has quit IRC		05:43
*** roxanagh_ has quit IRC		05:44
*** spandhe has joined #openstack-keystone		05:49
*** su_zhang has quit IRC		05:50
openstackgerrit	Merged openstack/keystoneauth: Updated from global requirements https://review.openstack.org/277232	05:51
*** lhcheng has quit IRC		05:55
*** Nirupama has joined #openstack-keystone		05:56
*** mylu has quit IRC		05:58
stevemar	notmorgan: they are awful	06:21
*** nkinder has joined #openstack-keystone		06:23
*** petertr7_away has quit IRC		06:25
*** petertr7_away has joined #openstack-keystone		06:26
*** petertr7_away is now known as petertr7		06:26
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Zanata https://review.openstack.org/275517	06:30
*** nkinder has quit IRC		06:39
*** su_zhang has joined #openstack-keystone		06:44
*** roxanagh_ has joined #openstack-keystone		06:44
openstackgerrit	Steve Martinelli proposed openstack/keystone: Mark the ExtensionRouter deprecated https://review.openstack.org/277280	06:48
*** roxanagh_ has quit IRC		06:50
*** esp has quit IRC		06:53
*** daemontool has quit IRC		06:53
*** daemontool has joined #openstack-keystone		06:54
*** EinstCrazy has joined #openstack-keystone		06:56
*** gildub has quit IRC		06:56
*** daemontool has quit IRC		06:58
*** lhcheng has joined #openstack-keystone		07:01
*** ChanServ sets mode: +v lhcheng		07:01
*** EinstCrazy has quit IRC		07:02
*** chlong has quit IRC		07:03
*** oomichi has joined #openstack-keystone		07:12
*** belmoreira has joined #openstack-keystone		07:14
*** jbell8 has joined #openstack-keystone		07:15
stevemar	notmorgan: that enginefacade change, oyyyy	07:24
openstackgerrit	Merged openstack/keystone: Set deprecated_reason on deprecated config options https://review.openstack.org/264475	07:28
openstackgerrit	Merged openstack/keystone: squash migrations - kilo https://review.openstack.org/276079	07:28
*** jbell8 has quit IRC		07:29
*** jbell8 has joined #openstack-keystone		07:29
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/269479	07:30
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/269479	07:31
*** jbell8 has quit IRC		07:37
*** jbell8 has joined #openstack-keystone		07:38
*** nkinder has joined #openstack-keystone		07:44
*** roxanagh_ has joined #openstack-keystone		07:47
*** roxanagh_ has quit IRC		07:52
*** Nirupama has quit IRC		07:53
*** jaosorior has joined #openstack-keystone		07:57
*** jbell8 has quit IRC		08:04
*** sinese has joined #openstack-keystone		08:04
*** jbell8 has joined #openstack-keystone		08:05
*** jaosorior has quit IRC		08:05
*** Nirupama has joined #openstack-keystone		08:07
*** rcernin has joined #openstack-keystone		08:09
*** jaosorior has joined #openstack-keystone		08:13
*** shoutm_ has joined #openstack-keystone		08:17
*** shoutm has quit IRC		08:19
*** su_zhang has quit IRC		08:21
odyssey4me	notmorgan ayoung what LDAP/SAML testing are you looking to do? OpenStack-Ansible already has functional testing in place and it's a short step to do either - I'm already working on a functionally tested gate with a DSBE, and we already have configs in place for SAML too so it'll be easy enough to do a gate test there too.	08:24
*** spandhe has quit IRC		08:29
openstackgerrit	Merged openstack/keystone: Imported Translations from Zanata https://review.openstack.org/275517	08:31
*** shoutm_ has quit IRC		08:32
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/269479	08:33
*** jistr has joined #openstack-keystone		08:33
*** jistr is now known as jistr\|sick		08:33
*** shoutm has joined #openstack-keystone		08:33
*** fhubik has joined #openstack-keystone		08:42
*** fhubik is now known as fhubik_brb		08:43
*** chlong has joined #openstack-keystone		08:48
openstackgerrit	Steve Martinelli proposed openstack/keystone: add a test that uses trusts and implies roles https://review.openstack.org/277319	08:48
*** roxanagh_ has joined #openstack-keystone		08:49
*** fhubik_brb is now known as fhubik		08:50
*** shoutm_ has joined #openstack-keystone		08:50
*** shoutm has quit IRC		08:51
*** roxanagh_ has quit IRC		08:54
*** jaosorior has quit IRC		08:57
*** EinstCrazy has joined #openstack-keystone		09:01
*** openstackgerrit has quit IRC		09:02
*** openstackgerrit has joined #openstack-keystone		09:02
*** josecastroleon has quit IRC		09:03
*** jaosorior has joined #openstack-keystone		09:03
*** fhubik is now known as fhubik_brb		09:06
*** EinstCrazy has quit IRC		09:06
*** fhubik_brb is now known as fhubik		09:12
*** tomoiaga has joined #openstack-keystone		09:15
tomoiaga	Before I start to write a simple auth plugin, I can't seem to find any information related to this, maybe someone can help. Is there a way to use an "cloud admin" token to generate a token for a normal user ? (impersonation mainly)	09:18
*** fhubik is now known as fhubik_brb		09:29
*** mhickey has joined #openstack-keystone		09:34
*** shoutm has joined #openstack-keystone		09:43
*** shoutm_ has quit IRC		09:45
marekd	tomoiaga: are you talkin about ADMIN_TOKEN ?	09:45
*** fhubik_brb is now known as fhubik		09:49
*** mvk has joined #openstack-keystone		09:50
*** roxanagh_ has joined #openstack-keystone		09:50
*** roxanagh_ has quit IRC		09:55
*** mariusv has joined #openstack-keystone		09:58
*** henrynash has joined #openstack-keystone		09:59
*** ChanServ sets mode: +v henrynash		09:59
*** jbell8 has quit IRC		10:00
*** josecastroleon has joined #openstack-keystone		10:00
*** jbell8 has joined #openstack-keystone		10:01
tomoiaga	marekd: I am hoping that I may be able, using an admin token (a token for a user with admin privileges over a tenant, trying to avoid the ADMIN_TOKEN) I may be able to issue a token for another user (as if the user were to log in with his credentials). Users login to my system and I want to issue tokens for them (right now I just scope my "admin" token to a project "belonging" to a user).	10:02
breton	there are trusts with redelegation	10:04
tomoiaga	if anyone knows cPanel for example, it allows you to do that. I am sure there are other sistems out there allowing the same thing. This exists to allow someone to easily integrate.	10:04
*** richm has joined #openstack-keystone		10:05
tomoiaga	breton: the way I understand trusts, is that it requires the user to actually login with his openstack credentials before being able issue any actions on behalf of an "admin" or some other user. I may be wrong. I'll try to read more abot redelegation	10:06
marekd	tomoiaga: breton is right	10:08
marekd	tomoiaga: so admin needs to authenticate.	10:09
marekd	tomoiaga: but in general trusts, maybe oauth2 should be what you are looking for.	10:10
marekd	why would you always allow users to impersonate other users?	10:10
tomoiaga	marekd: indeed, oauth2 or finally integrate my system and openstack with ldap for example, should be the "right" thing to do (federation in the end). However, I am trying something simpler. I have my system with users already in place (it's a Django app, and…) and I can store openstack credentials for an "admin" (which may be bad, but let's go with it). Users log in to my system and should be able to issue api calls to openstack with	10:14
tomoiaga	I may be wrong in trying to avoid too much the federation support in openstack	10:18
breton	federation is simple	10:19
breton	especially for your use case	10:20
tomoiaga	breton: I'll dig a little deeper. My problem is that Django doesn't seem to have support for what I need, unless I install third party apps or do federation in a better way (ldap, and all). I guess I am just tired of installing too many daemons and "complicate" the setup.	10:21
tomoiaga	breton, marekd: thank you!	10:24
openstackgerrit	Rudolf Vriend proposed openstack/keystone: Adds user_description_attribute mapping support to the LDAP backend https://review.openstack.org/276873	10:26
*** gildub has joined #openstack-keystone		10:28
marekd	tomoiaga: federation?	10:31
marekd	tomoiaga: it's still not you are looking for as far as I understand your use case	10:31
notmorgan	marekd: oh hai	10:33
marekd	notmorgan: bonjour, monsieur Morgan!	10:34
marekd	what's up?	10:34
notmorgan	odyssey4me: the LDAP/SAML testing needs to be built into the gate jobs. the SAML one should have a SAML2 provider and also check the k2k SAML2 auth. it's not a small amount of work or "easy to just do via ansible"	10:34
notmorgan	marekd: late night work :P	10:34
marekd	notmorgan: :(	10:35
marekd	odyssey4me: he's right	10:35
notmorgan	also happy to have ditched apple... sitting on an apple laptop, and the fact that "24 hour clock is disabled by language/region settings" makes me sad.	10:36
marekd	notmorgan: why would it make you sad?	10:36
notmorgan	marekd: thanks apple for disabling an opt-in option because "users are too dumb to read 24 hour clock"	10:36
marekd	notmorgan: i mean, it's sad when machine tries to be smarter thei its users but..did it really bother you? I thought you have 12h (and am/pm) clocks in the US...	10:37
notmorgan	marekd: it's idiotic to disable an option based on regional settings like currency notation/language	10:37
notmorgan	marekd: i use 24 hr clocks for everything, have for years	10:37
marekd	notmorgan: and how are you feeling with ubuntu vs MacOSX?	10:37
marekd	notmorgan: in fact i starter to think about getting MacBook	10:38
marekd	i've never had any	10:38
notmorgan	marekd: ubuntu is actually, imo, more usable except when it comes to some minor things	10:38
notmorgan	x1-carbon w/ 15.10 on it is damn nice	10:38
notmorgan	:)	10:38
notmorgan	though next install might be debian vs ubuntu	10:38
marekd	uh, why debian	10:38
notmorgan	for $opensource$ reasons	10:38
marekd	what's ubuntu doing wrong?	10:39
notmorgan	and depending on how unity 8 ends up	10:39
marekd	i have debian and ubuntu on desktop and laptops	10:39
marekd	actually ended up with some problems with debian	10:39
marekd	but i was using testing branch	10:39
notmorgan	like i said, might change	10:39
marekd	because....no for kernel 2.6 or something :P	10:39
notmorgan	marekd: so.. doyou have a little code review bandwidth?	10:39
marekd	i do	10:40
notmorgan	woo	10:40
odyssey4me	notmorgan I don't expect that would would be easy to do, necessarily... I'm just saying that we already have a multi-node keystone testing job setup - it may be relatively simple to setup a specific gate test for it	10:40
marekd	odyssey4me: oh, that's interesting	10:40
odyssey4me	we're splitting out our keystone role anyway, so we'll be able to setup keystone-specific gate tests on the role - and perhaps keystone could make use of the role repo for testing purposes too	10:41
notmorgan	https://review.openstack.org/#/c/272007/ https://review.openstack.org/#/c/274489/ (<--- and if you're brave the rest of the chain), and https://review.openstack.org/#/c/274085/	10:41
odyssey4me	I'd like the role test to implement tempest tests as far as possible, so some help to make that happen would be great.	10:41
notmorgan	odyssey4me: right. we have multinode but we need an LDAP server populated with sane things [we don't have that and don't do write-ldap via keystone anymore], and the SAML2 providers are either highly synthetic or hard to automate setup, see populated interesting info	10:42
marekd	notmorgan: starred them, let me just finish patch i am working on and i will get straight to your patches	10:42
odyssey4me	I'll check with cloudnull when he's online how far he is with the role repo split, as that will make work like this far simpler.	10:42
notmorgan	marekd: the deprecation whole chain is a bit dense.	10:42
notmorgan	marekd: the user/admin_crud move should also be non-controversial	10:42
marekd	notmorgan: okay	10:42
notmorgan	odyssey4me: aye.	10:43
notmorgan	marekd: i almost have a patchset ready for merging authcontextmiddleware, token_auth, json_body, and url_normalizer into the __call__ function of the router class, so we reduce the things in our paste pipleline significantly	10:44
notmorgan	like... 3 items per pipeline: sizelimit request_id [api_admin\|api_public\|service_v3]	10:45
notmorgan	it's MUCH cleaner	10:45
marekd	notmorgan: oh, nice	10:45
marekd	i am going to finish filters for service providers soon (i hope so)	10:45
marekd	it's a pain in the back....	10:45
notmorgan	our filtering code is brain-breaking complex	10:45
notmorgan	next fix will be to break out @protected and @filterprotected decorators	10:46
notmorgan	so we stop trying to do magic	10:46
marekd	yeah, there is definitely too much of magic	10:46
notmorgan	and just call .enforce where we should be callint it	10:46
notmorgan	calling it*	10:46
*** shoutm_ has joined #openstack-keystone		10:46
notmorgan	that should ease some of the next steps in newton	10:47
marekd	notmorgan: hm, ever wondered on how to make DB calls across managers within a db transaction?	10:47
notmorgan	marekd: don't.	10:47
marekd	notmorgan: why, it's just..."you don do this that way"	10:47
notmorgan	marekd: validate once, if it is valid assume it is valid, if you're across managers the backends are not the same.	10:47
notmorgan	so you can't enforce transactionality, you can ensure only atomicity within a single manager/backend	10:48
marekd	notmorgan: ah, multi backend stuff	10:48
notmorgan	yep	10:48
*** shoutm has quit IRC		10:48
notmorgan	so if i need to get a user, i check the user exists and then if i need to act in assignment, i have to assume the user data is valid, it can race	10:49
marekd	well, i can see it's resolved in the manager/controller level	10:49
marekd	which clearly exposes us to data races.	10:49
notmorgan	only sortof	10:49
marekd	why sortof?	10:49
notmorgan	right	10:49
notmorgan	sortof resolved	10:49
notmorgan	because of races	10:49
notmorgan	:)	10:49
notmorgan	data races are fine, if we have some orphaned data because of it, really we can write something to do cleanup	10:50
notmorgan	the worst thing we get is either an erroneous failure because data wasn't yet populated [rare], or orphaned data that is useless because we use auto-gen ids mostly	10:51
notmorgan	both are safe.	10:51
notmorgan	in most cases.	10:51
*** roxanagh_ has joined #openstack-keystone		10:51
notmorgan	and if they aren't we should make sure they are	10:51
marekd	sure	10:51
*** e0ne has joined #openstack-keystone		10:53
marekd	notmorgan: what's actually json home for?	10:55
notmorgan	allows for discoverability	10:55
*** roxanagh_ has quit IRC		10:55
notmorgan	better than random thing we built outselves	10:55
notmorgan	it's one of those "standards we can use"	10:56
marekd	yeah	10:56
marekd	but where do i see it?	10:56
notmorgan	on like /	10:56
marekd	or how to use that discoverability	10:56
notmorgan	it's all of our "what is here" things	10:56
notmorgan	we used to have a home-grown-ish-thing	10:56
*** lhcheng has quit IRC		10:59
*** fhubik is now known as fhubik_brb		11:00
*** pnavarro has joined #openstack-keystone		11:06
marekd	notmorgan: hm, i thought V2 is gonna be deprecated except for authentication.	11:07
notmorgan	marekd: it will be	11:07
notmorgan	marekd: this is moving the extensions into the core so we have a cleaner pipeline	11:07
notmorgan	s/willbe/is?	11:08
notmorgan	it will make code removal better since we'll just drop the code.	11:08
marekd	notmorgan: hm, ok, makes sense.	11:08
marekd	had some dissonance in my head..	11:09
notmorgan	yeah, it's one of those odd things	11:09
marekd	why bother about the code that's gonna dissapear soon	11:09
notmorgan	but basically we'd need to maintain the paste entries	11:09
openstackgerrit	henry-nash proposed openstack/keystone: Projects acting as domains https://review.openstack.org/231289	11:09
notmorgan	and i'm trying to consolidate us down to bascially 1 entry in paste for all of keystone	11:10
notmorgan	so it's impossible to "break	11:10
notmorgan	" things by accident	11:10
notmorgan	or by removing the wrong things/reordering	11:10
notmorgan	if it's part of keystone, it's in the main api entry	11:10
notmorgan	the only exception is S3/EC2 for "legal" reasons	11:10
notmorgan	which you'll see how i addressed	11:11
notmorgan	as you go down that chain...	11:11
*** pnavarro has quit IRC		11:17
*** pnavarro has joined #openstack-keystone		11:18
*** rcernin has quit IRC		11:19
openstackgerrit	Rudolf Vriend proposed openstack/keystone: Adds user_description_attribute mapping support to the LDAP backend https://review.openstack.org/276873	11:20
marekd	notmorgan: ok, goona go for lunch	11:21
marekd	gonna	11:21
notmorgan	marekd: enjoy!	11:21
*** rcernin has joined #openstack-keystone		11:22
*** pnavarro has quit IRC		11:22
marekd	thanks!	11:23
*** rcernin has quit IRC		11:25
breton	notmorgan: what have you decided at midcycle on https://bugs.launchpad.net/bugs/1513541 ? Do we fix the issue in tempest with sleep()?	11:25
openstack	Launchpad bug 1513541 in OpenStack Identity (keystone) "Support sub-second accuracy in Fernet's creation timestamp" [Medium,Won't fix]	11:25
breton	*have we decided	11:25
breton	(ok, you, I was not there)	11:25
notmorgan	breton: we are keeping the sleep and dropping subsecond everywhere	11:25
notmorgan	https://review.openstack.org/#/c/275497/	11:25
*** rcernin has joined #openstack-keystone		11:26
breton	notmorgan: should we drop https://review.openstack.org/#/c/243742/ then?	11:30
notmorgan	i think lbragstad is planning to drop that	11:30
*** jistr\|sick has quit IRC		11:37
*** fhubik_brb is now known as fhubik		11:40
*** jaosorior has quit IRC		11:41
*** jaosorior has joined #openstack-keystone		11:43
*** jbell8 has quit IRC		11:48
*** jbell8 has joined #openstack-keystone		11:51
*** roxanagh_ has joined #openstack-keystone		11:52
*** vgridnev has joined #openstack-keystone		11:55
*** roxanagh_ has quit IRC		11:56
*** GB21 has joined #openstack-keystone		11:58
henrynash	notmorgan: I know you feel the need to reimplent the protected/filterprotect decorator approach - fyi, further to our previous conversation, I don’t think any of the callbacks actually check policy in code…they just marshal data to be passed back into oslo.policy	11:59
notmorgan	henrynash: not reimplement, breakit so we stop the callback madness	12:00
notmorgan	henrynash: basically go back to the old-style where we just call .enforce where we need it	12:00
henrynash	notmorhan: why is it maddness	12:00
notmorgan	henrynash: impossible to follow/understand.	12:00
*** mvk has quit IRC		12:00
henrynash	notmorgan: you mean like pythn in general?	12:00
notmorgan	henrynash: there is maybe you who can debug anything in it if it occurs	12:00
notmorgan	henrynash: so the callback thing was added because we didn't have enough insight into the scope check	12:01
notmorgan	henrynash: right?	12:01
notmorgan	do you own X	12:01
henrynash	notmorgan: so not opposed to an alternative implemtantion…infact my orgional one didn’t use decorators, but the PTL of the moment (no, not you!) felt decorators where a better approach	12:01
notmorgan	the original @protected was fine, but when we went down the path of the callback and re-implmenting the check wholesale makes understanding very hard	12:02
notmorgan	so my view is stop with the decorator madness.	12:02
henrynash	notmorgan: basically yes, some scope checks need more info than others, which may not be simply teh entities passed into teh API	12:02
notmorgan	call .enforce when you need to.	12:02
notmorgan	don't pass callbacks in, don't make complext decorators that behave differently [massively so] depending on incantations	12:03
henrynash	notmorgan: are you suggesting we won’t call enfoce somethimes?	12:03
notmorgan	we already don't	12:03
notmorgan	where we don't decorate	12:03
notmorgan	i'm looking at it from the perspective of we want to ensure we call enforce. that is fine	12:04
notmorgan	we should have a decorator that says "did we enforce"	12:04
notmorgan	but we shouldn't have to guess when/how/why enforcement was call with what values by chasing into "was this a filter thing, was this a callback, what does the callback reimplment different than normal enforce"	12:04
notmorgan	etc	12:04
notmorgan	basically: when you have the data you need to enforce, call .enforce	12:05
henrynash	notmorgan: so my concern is that if we ahve a mixture of enforce in our code vs enforce in policy, it will be an even bigger mess	12:05
notmorgan	we simply will call .enforce like today against policy	12:05
notmorgan	instead of a decorator caling it	12:05
notmorgan	then we have clear code paths to work on the next level of changes with policy as we define them	12:06
notmorgan	but frankly, i've spend hours looking at the decorators and it is never clear what the enfrocement should be doing.	12:06
henrynash	notmorgan: OK, so I’m fine with if we want to move away from decoaration, as long as that doesn’t implictely make the deiscison as to whether we shold be adding checks in our code vs poicy	12:06
notmorgan	meaning, i don't trust this to be maintainable in the long term	12:06
notmorgan	henrynash: one code path for enforcement, one for filtering	12:06
notmorgan	don't reimplement enforcement code in callbacks	12:07
notmorgan	that is my only goal here	12:07
*** vgridnev has quit IRC		12:07
notmorgan	no change in functionality	12:07
notmorgan	changes in functionality [i still am not sold on external checks but i'm waiting for the spec before we change that]	12:07
notmorgan	will be based on the spec samuel and ayoung are working on [with your input]	12:07
*** dims has joined #openstack-keystone		12:07
henrynash	notmorgan: ok, got it…and remember that we do actually todau sye callbacks in both filterproetcted and protected	12:08
henrynash	(today use callbacks…	12:08
notmorgan	the callbacks are the core of the issue imnsho	12:08
notmorgan	and it isn't your fault, you hit the request perfectly	12:08
notmorgan	it's just stupidly hard to follow/write code for/enhance/maintain	12:08
henrynash	notmorgan: ok, understand your goal, I’m fine with that	12:08
* notmorgan is doing all the 'this is bad in keystone, lets fix it' code.		12:09
notmorgan	at the moment	12:09
notmorgan	since it seems like everyone else is busy with "Features"	12:09
henrynash	cool	12:09
notmorgan	also, look at the fix for EC2 / S3	12:10
notmorgan	it should solve your needs. but without EC2 auth, heat cfn is broken	12:10
notmorgan	ftw	12:10
notmorgan	ftr*	12:10
notmorgan	or was it brant's needs.	12:10
henrynash	notmorgan: I think brant/brad, but there is an issue there, yes	12:11
* notmorgan is awake far too late to know what anyone is complaining about atm :P		12:11
henrynash	was gonna say, what the hell is the time there…..up celebrating teh superbowl?	12:11
notmorgan	henrynash: no. just insomnia	12:12
notmorgan	it's 0412	12:12
notmorgan	almost time i'd wake up anyway	12:12
henrynash	ouch	12:12
notmorgan	i'm also going to move the enforcement strictly out to keystone.common.policy_enforce	12:13
notmorgan	so it's not lumped into keystone.policy.<backend> oddly	12:13
*** vgridnev has joined #openstack-keystone		12:13
henrynash	soudns fine	12:13
notmorgan	and i almost have a patch to roll authcontext, jsonbody, url normalizer, and token_auth into one entry in the pipeline	12:14
notmorgan	the main keystone entry	12:14
notmorgan	so someone can't "break" keystone by accident by reordering things / omitting them	12:14
notmorgan	our pipelines will be size_limit(oslo), request_id(oslo), [pblic_api\|admin_api\|service_v3]	12:15
notmorgan	doesn't prevent new middleware, just prevents breaking.	12:15
*** jaosorior has quit IRC		12:17
*** dims has quit IRC		12:20
*** gildub has quit IRC		12:21
*** dims has joined #openstack-keystone		12:22
openstackgerrit	Rudolf Vriend proposed openstack/keystone: Adds user_description_attribute mapping support to the LDAP backend https://review.openstack.org/276873	12:27
*** gordc has joined #openstack-keystone		12:30
openstackgerrit	Merged openstack/keystone: Add in TRACE logging for the manager https://review.openstack.org/274085	12:32
*** mvk has joined #openstack-keystone		12:33
*** GB21 has quit IRC		12:33
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/269479	12:35
*** krotscheck_dcm is now known as krotscheck		12:39
*** erlarese has joined #openstack-keystone		12:43
*** mdavidson has joined #openstack-keystone		12:43
*** jed56 has joined #openstack-keystone		12:44
*** jaosorior has joined #openstack-keystone		12:46
*** shoutm_ has quit IRC		12:46
*** shoutm has joined #openstack-keystone		12:49
*** jaosorior has quit IRC		12:51
*** roxanagh_ has joined #openstack-keystone		12:53
*** roxanagh_ has quit IRC		12:58
*** shoutm has quit IRC		12:58
*** daemontool has joined #openstack-keystone		13:01
*** pnavarro has joined #openstack-keystone		13:02
*** dikonoor has joined #openstack-keystone		13:04
*** EinstCrazy has joined #openstack-keystone		13:05
*** jbell8 has quit IRC		13:05
*** jbell8 has joined #openstack-keystone		13:06
*** krotscheck has quit IRC		13:06
*** EinstCrazy has quit IRC		13:09
openstackgerrit	Merged openstack/keystone: Move user and admin crud to core https://review.openstack.org/274489	13:10
*** rudolfvriend has joined #openstack-keystone		13:10
*** jbell8 has quit IRC		13:12
*** jbell8 has joined #openstack-keystone		13:13
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Move v3->v2 compat static methods https://review.openstack.org/277379	13:13
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Move v3->v2 compat static methods https://review.openstack.org/277379	13:15
*** krotscheck has joined #openstack-keystone		13:18
*** links has quit IRC		13:20
*** jbell8 has quit IRC		13:27
*** edmondsw has joined #openstack-keystone		13:32
openstackgerrit	javeme proposed openstack/python-keystoneclient: Encode the url parameters for base.CrudManager https://review.openstack.org/254154	13:34
*** ninag has joined #openstack-keystone		13:41
*** permalac has joined #openstack-keystone		13:44
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/269479	13:48
*** su_zhang has joined #openstack-keystone		13:56
*** jsavak has joined #openstack-keystone		14:01
*** jsavak has quit IRC		14:07
*** Nirupama has quit IRC		14:09
*** jsavak has joined #openstack-keystone		14:10
*** jaosorior has joined #openstack-keystone		14:11
*** jsavak has quit IRC		14:14
*** jsavak has joined #openstack-keystone		14:14
*** jaosorior has quit IRC		14:21
*** jaosorior has joined #openstack-keystone		14:21
*** bdossant has joined #openstack-keystone		14:22
*** tomoiaga has left #openstack-keystone		14:26
*** su_zhang has quit IRC		14:28
*** GB21 has joined #openstack-keystone		14:28
*** peter-hamilton has joined #openstack-keystone		14:34
*** jsavak has quit IRC		14:35
*** jsavak has joined #openstack-keystone		14:36
*** jbell8 has joined #openstack-keystone		14:39
*** jbell8 has quit IRC		14:41
*** jbell8 has joined #openstack-keystone		14:43
*** superdan is now known as dansmith		14:45
*** henrynash has quit IRC		14:48
lbragstad	stevemar do you know where in the keystone api docs it says that we have to return a 404 when validating a token that doesn't have roles?	14:53
*** EinstCrazy has joined #openstack-keystone		14:57
*** henrynash has joined #openstack-keystone		14:58
*** ChanServ sets mode: +v henrynash		14:58
*** bdossant has quit IRC		14:59
*** vgridnev has quit IRC		14:59
*** sigmavirus24_awa is now known as sigmavirus24		15:01
openstackgerrit	Lance Bragstad proposed openstack/keystone: Return 404 instead of 401 for tokens w/o roles https://review.openstack.org/277436	15:01
openstackgerrit	Lance Bragstad proposed openstack/keystone: Return 404 instead of 401 for tokens w/o roles https://review.openstack.org/277436	15:02
*** EinstCrazy has quit IRC		15:04
*** slberger has joined #openstack-keystone		15:05
lbragstad	stevemar have you confirmed this one? https://bugs.launchpad.net/keystone/+bug/1541657	15:08
openstack	Launchpad bug 1541657 in OpenStack Identity (keystone) "Scoped OS-FEDERATION token not working" [Undecided,New]	15:08
*** nkinder has quit IRC		15:09
lbragstad	stevemar it's targeted to mitaka-3 but it doesn't have any priority or importance set	15:09
*** nkinder has joined #openstack-keystone		15:10
*** Nirupama has joined #openstack-keystone		15:16
*** timcline has joined #openstack-keystone		15:21
*** vgridnev has joined #openstack-keystone		15:23
*** Nirupama has quit IRC		15:23
*** spandhe has joined #openstack-keystone		15:37
*** clenimar has joined #openstack-keystone		15:37
*** GB21 has quit IRC		15:38
*** jsavak has quit IRC		15:40
stevemar	lbragstad: i haven't confirmed it yet, it's on my list, but haven't had a chance yet	15:41
*** phalmos has joined #openstack-keystone		15:41
stevemar	lbragstad: if it's real, it's a regression, so that's why i have it marked to m3	15:41
lbragstad	stevemar gotcha	15:41
*** rcernin has quit IRC		15:42
*** doug-fish has joined #openstack-keystone		15:42
notmorgan	lbragstad: i don't think we say a token can't have roles	15:44
notmorgan	lbragstad: anywhere. i just know horizone/nothing else works with no roles	15:44
*** jbell8 has quit IRC		15:44
*** spandhe has quit IRC		15:45
*** jsavak has joined #openstack-keystone		15:48
*** links has joined #openstack-keystone		15:49
*** jsavak has quit IRC		15:54
openstackgerrit	Merged openstack/keystone: Updated from global requirements https://review.openstack.org/277231	15:55
*** links has quit IRC		15:57
*** jsavak has joined #openstack-keystone		15:58
*** vgridnev has quit IRC		15:59
stevemar	notmorgan: lbragstad fernet still behave the same as UUID, even if it's not documented anywhere	16:00
stevemar	it's become what people expect	16:01
dolphm	lbragstad: unscoped tokens don't have roles -- unscoped tokens should not raise 404	16:01
*** pushkaru has joined #openstack-keystone		16:02
*** vgridnev has joined #openstack-keystone		16:03
*** topol_ is now known as topol		16:06
*** BAKfr has quit IRC		16:07
*** sinese has quit IRC		16:12
*** belmoreira has quit IRC		16:12
stevemar	dolphm: good morning sir!	16:12
dolphm	stevemar: /salute	16:13
stevemar	few more weeks til feature freeze!	16:14
stevemar	~21 more days til feature freeze!	16:16
*** stevemar changes topic to "21 more days til feature freeze! \| Mitaka-3: https://launchpad.net/keystone/+milestone/mitaka-3 \| See you at the midcycle!"		16:16
dstanek	lbragstad: is this something you are currently working on? https://bugs.launchpad.net/keystone/+bug/1268751	16:17
openstack	Launchpad bug 1268751 in OpenStack Identity (keystone) "Potential token revocation abuse via group membership" [High,Triaged] - Assigned to Lance Bragstad (lbragstad)	16:17
*** stevemar changes topic to "21 more days til mitaka-3 feature freeze - please prioritize reviews accordingly! \| Mitaka-3: https://launchpad.net/keystone/+milestone/mitaka-3"		16:17
dstanek	henrynash: are you still working on this? https://bugs.launchpad.net/keystone/+bug/1517038	16:18
openstack	Launchpad bug 1517038 in OpenStack Identity (keystone) "API-based Domain config method could temporarily show partial update" [High,Triaged] - Assigned to Henry Nash (henry-nash)	16:18
*** clenimar has quit IRC		16:19
dstanek	dolphm: is there anything on the keystone side that needs to be done for https://bugs.launchpad.net/keystone/+bug/1473567 ?	16:20
openstack	Launchpad bug 1473567 in OpenStack Identity (keystone) "Fernet tokens fail tempest runs" [High,In progress] - Assigned to Dolph Mathews (dolph)	16:20
dolphm	lbragstad: ^	16:20
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Move s3 Extension to core https://review.openstack.org/274973	16:21
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Move EC2 extension to core https://review.openstack.org/275280	16:21
*** Ephur has joined #openstack-keystone		16:21
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Deprecate admin_token_auth https://review.openstack.org/275443	16:21
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Followup for LDAP removal https://review.openstack.org/277196	16:21
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Mark the ExtensionRouter deprecated https://review.openstack.org/277280	16:22
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Move v3->v2 compat static methods https://review.openstack.org/277379	16:22
notmorgan	dolphm: any remaining outstanding concerns here: https://review.openstack.org/#/c/272007/ ?	16:25
dolphm	notmorgan: nope, i just have not run the code	16:26
stevemar	notmorgan: why does v3->v2 compat depend on the other patches	16:26
notmorgan	stevemar: because it's deep in the chain of this squash the pipeline	16:26
stevemar	oh, i guess there is one related change keystone/compat/aws/ec2/_ec2_core.py	16:26
notmorgan	stevemar: all of the *contrib->core has to happen before the next step which is roll the "required middleware" into the base router	16:27
dstanek	stevemar: we may be down to only medium and lower bugs by m3	16:29
notmorgan	stevemar: i am ~2-3 patches from having this whole chain done.	16:30
*** esp has joined #openstack-keystone		16:30
notmorgan	stevemar: and our pipeline will look like "size_limit request_id service_v3"	16:30
*** vgridnev has quit IRC		16:31
notmorgan	dstanek: ^	16:31
*** browne has joined #openstack-keystone		16:31
*** vgridnev has joined #openstack-keystone		16:31
*** vgridnev has quit IRC		16:31
dstanek	notmorgan: ?	16:32
*** pnavarro has quit IRC		16:32
stevemar	dstanek: notmorgan figures you like small pipelines	16:32
notmorgan	dstanek: what we discussed before	16:32
notmorgan	dstanek: rolling everything up into a single entry in paste	16:32
dstanek	stevemar: notmorgan: ah, yes	16:32
notmorgan	dstanek: hopefully it makes it easier to restructure things going forward for flask/etc/whatever	16:33
*** spzala has joined #openstack-keystone		16:34
*** esp has quit IRC		16:37
*** diazjf has joined #openstack-keystone		16:39
permalac	hello guys.	16:41
*** clenimar has joined #openstack-keystone		16:41
permalac	the HA config from the documentation looks like is missing something. http://docs.openstack.org/ha-guide/controller-ha-keystone.html	16:41
permalac	am I missing something?	16:42
*** spandhe has joined #openstack-keystone		16:43
*** bill_az has joined #openstack-keystone		16:43
*** nkinder has quit IRC		16:44
*** jgriffith_away is now known as jgriffith		16:45
dstanek	permalac: what's missing?	16:46
permalac	it's like I have to install the keystone again, I don't see how to move the working one to the HA without touching to many config files.	16:48
*** gyee has joined #openstack-keystone		16:48
*** ChanServ sets mode: +v gyee		16:48
*** vivekd has joined #openstack-keystone		16:48
dstanek	permalac: i imagine you just add your existing keystone to pacemaker, but i have no idea. i don't know who maintains that document from the docs group	16:50
*** mhickey has quit IRC		16:50
*** rudolfvriend has quit IRC		16:50
*** fhubik is now known as fhubik_brb		16:51
dstanek	permalac: i think the thing to take away there is to make sure you update the endpoint urls	16:51
*** su_zhang has joined #openstack-keystone		16:52
permalac	I will read more, and check it out.	16:52
*** pnavarro has joined #openstack-keystone		16:53
dstanek	permalac: you would change those 'creates' to 'updates'	16:54
*** sinese has joined #openstack-keystone		16:54
permalac	Understood	16:57
permalac	I was not seeing it.	16:57
permalac	dstanek, thanks.	16:57
*** fhubik_brb is now known as fhubik		16:59
*** jgriffith is now known as jgriffith_away		17:00
*** jsavak has quit IRC		17:01
*** permalac has quit IRC		17:02
*** jgriffith_away is now known as jgriffith		17:04
*** jsavak has joined #openstack-keystone		17:05
*** dikonoor has quit IRC		17:05
*** su_zhang has quit IRC		17:05
openstackgerrit	David Stanek proposed openstack/keystone: Fixes a language issue in a release note https://review.openstack.org/277496	17:09
*** jsavak has quit IRC		17:09
*** jsavak has joined #openstack-keystone		17:10
*** esp has joined #openstack-keystone		17:10
*** fhubik has quit IRC		17:13
*** dims has quit IRC		17:14
*** lhcheng has joined #openstack-keystone		17:17
*** ChanServ sets mode: +v lhcheng		17:17
*** richm has quit IRC		17:18
*** browne has quit IRC		17:19
*** cgalan has joined #openstack-keystone		17:20
stevemar	dstanek: dolphm notmorgan poke to close a bug: https://review.openstack.org/#/c/228644/	17:21
*** lhcheng_ has joined #openstack-keystone		17:21
*** cgalan has quit IRC		17:21
henrynash	dstanek: so I still have https://bugs.launchpad.net/keystone/+bug/1517038 on my list, haven’t implemneted yet, but have a plan!	17:22
openstack	Launchpad bug 1517038 in OpenStack Identity (keystone) "API-based Domain config method could temporarily show partial update" [High,Triaged] - Assigned to Henry Nash (henry-nash)	17:22
stevemar	gyee: you know by opening bugs in osc, you agree to fix them, right? ^_^	17:22
*** lhcheng has quit IRC		17:23
*** sinese has quit IRC		17:24
stevemar	henrynash: whats the deal with https://blueprints.launchpad.net/keystone/+spec/assignment-inherit-rule	17:24
dstanek	stevemar: looking now	17:25
dstanek	henrynash: sounds good. if you need help i can help on bug day this friday	17:25
henrynash	stevemar: so I’m not sure we should do this _ I’m not convinced that the gain of introucing a more standard inheritance model will outweigh the potential confusion of having two models!	17:26
*** timcline has quit IRC		17:26
stevemar	henrynash: yeah, definitely want to avoid confusion	17:26
henrynash	stevemar: we already moved the inheriatnce to core	17:27
stevemar	henrynash: it's enabled by default right	17:27
gyee	stevemar, yes sir, patches coming today :)	17:27
stevemar	gyee: \o/	17:27
henrynash	stevemar: have to check that….I think that was changed, yes	17:27
henrynash	stevemar: yep, enabled by default	17:28
stevemar	henrynash: so then what's left to do? :)	17:28
henrynash	stevemar: nothing really for movingto core	17:28
*** jsavak has quit IRC		17:28
stevemar	henrynash: it's already moved to core	17:28
henrynash	stevemar: yes, sorry, that’s what I meant	17:29
stevemar	henrynash: so... done?	17:29
henrynash	stevemar: I think we’ll just close this one..I’ll add a note about the alternate inheriatnce model and potential confusio	17:29
stevemar	henrynash: sounds great - add as much info as possible, i think its very muddled	17:30
*** sinese has joined #openstack-keystone		17:30
*** mylu has joined #openstack-keystone		17:30
henrynash	stevemar: actually, I think this spec gets abandoned, since we did the move to core as part of the blanket bp	17:31
stevemar	henrynash: even better, we can mark it as obsolete	17:31
*** dims has joined #openstack-keystone		17:32
*** vgridnev has joined #openstack-keystone		17:35
*** mvk has quit IRC		17:39
notmorgan	stevemar: i vote we make keystone API v4 tomorrow	17:40
notmorgan	stevemar: so we can fix everything we did wrong in v3	17:40
notmorgan	since clearly no one is using v3	17:40
dstanek	stevemar: had to back track the openldap code into its module and finally into openldap calls	17:43
*** boris-42 has quit IRC		17:43
*** e0ne has quit IRC		17:46
openstackgerrit	Tom Cocozzello proposed openstack/keystone: Test list project hierarchy is correct for a large tree https://review.openstack.org/277512	17:50
henrynash	ayoung: I fixed up most of your concerns with https://review.openstack.org/#/c/261870/ if you’ve got time to check you’re happy, that would be great	17:50
openstackgerrit	Tom Cocozzello proposed openstack/keystone: Test list project hierarchy is correct for a large tree https://review.openstack.org/277512	17:51
*** fawadkhaliq has joined #openstack-keystone		17:56
*** jasonsb has quit IRC		17:58
*** daemontool has quit IRC		17:58
*** daemontool has joined #openstack-keystone		17:58
*** sigmavirus24 is now known as sigmavirus24_awa		17:59
*** agireud has quit IRC		18:00
*** su_zhang has joined #openstack-keystone		18:00
*** su_zhang has quit IRC		18:01
*** agireud has joined #openstack-keystone		18:02
*** vivekd_ has joined #openstack-keystone		18:03
*** petertr7 is now known as petertr7_away		18:03
*** vivekd has quit IRC		18:05
*** timcline has joined #openstack-keystone		18:05
*** vivekd_ is now known as vivekd		18:05
*** browne has joined #openstack-keystone		18:05
*** petertr7_away is now known as petertr7		18:08
*** doug-fish has quit IRC		18:08
*** doug-fish has joined #openstack-keystone		18:09
*** daemontool has quit IRC		18:09
*** daemontool_ has joined #openstack-keystone		18:09
*** jsavak has joined #openstack-keystone		18:12
*** doug-fish has quit IRC		18:13
*** jsavak has quit IRC		18:16
lbragstad	dstanek ah - I'm don't think I've seen that bug before?	18:17
lbragstad	dstanek it was assigned to me though	18:17
*** petertr7 is now known as petertr7_away		18:17
*** su_zhang has joined #openstack-keystone		18:17
*** mylu has quit IRC		18:24
krotscheck	Need some advice from cores on the headers listed here. https://review.openstack.org/#/c/241317/9/etc/keystone-paste.ini	18:28
krotscheck	A review comment was made that the various X-509 headers ar enot actually needed, and don't really exit the middleware layer. Is that true?	18:29
notmorgan	krotscheck: right now most of the headers are stripped out by keystonemiddleware	18:31
notmorgan	krotscheck: X-Subject-Token, X-Auth-Token, X-OpenStack-Request-Id i think are the ones you need.	18:31
lbragstad	ayoung ping	18:31
*** mylu has joined #openstack-keystone		18:32
lbragstad	ayoung does my last comment here make sense with what you detailed in comment #28 - https://bugs.launchpad.net/keystone/+bug/1268751	18:32
openstack	Launchpad bug 1268751 in OpenStack Identity (keystone) "Potential token revocation abuse via group membership" [High,Triaged] - Assigned to Lance Bragstad (lbragstad)	18:32
*** jsavak has joined #openstack-keystone		18:33
krotscheck	notmorgan: Coolio, thanks	18:33
notmorgan	np	18:33
*** mylu has quit IRC		18:33
*** pnavarro has quit IRC		18:33
openstackgerrit	Michael Krotscheck proposed openstack/keystone: Added CORS support to Keystone https://review.openstack.org/241317	18:34
krotscheck	Let's see if that works....	18:34
notmorgan	edmondsw: answered your question. in short yes, v2 only now, will have a fix to create a proper v3 router class a bit further down the chain.	18:37
notmorgan	edmondsw: but it's the same as what we do today fwiw.	18:37
notmorgan	just as a separate paste entry	18:37
edmondsw	yeah	18:38
notmorgan	edmondsw: i've been trying to "replicate today logic" then "fix to better logic"	18:38
notmorgan	when doing these changes	18:38
edmondsw	makes sense	18:38
edmondsw	might through a TODO in there, though?	18:38
notmorgan	i was planning on rolling a fix in a couple hours ;)	18:39
edmondsw	ok then :)	18:39
notmorgan	felt like a TODO would be meaningless if it just is replaced 5 patches down the chain later ;)	18:39
lbragstad	notmorgan reviewed - https://review.openstack.org/#/c/275497/1	18:39
edmondsw	well, the meaning would have been to avoid this discussion :)	18:39
edmondsw	:p	18:40
notmorgan	edmondsw: heh	18:40
notmorgan	lbragstad: can you do the edit? happy to if you can't.	18:40
henrynash	davchen, samueldmq: fancy sharpening those new core-teeth on domain-specific roles? Patch chain starts here: https://review.openstack.org/#/c/261870/	18:40
lbragstad	notmorgan sure	18:41
notmorgan	lbragstad: cool.	18:41
openstackgerrit	Jorge Munoz proposed openstack/keystone: Fix trust redelegation tests https://review.openstack.org/273232	18:41
openstackgerrit	Jorge Munoz proposed openstack/keystone: Add tests for trust using impersonation https://review.openstack.org/273279	18:41
henrynash	davechen: see above	18:41
*** spandhe has quit IRC		18:42
lbragstad	stevemar i need your expert opinion on https://bugs.launchpad.net/keystone/+bug/1506653	18:44
openstack	Launchpad bug 1506653 in OpenStack Identity (keystone) "Retrieving either a project's parents or subtree as_list does not work" [Medium,Confirmed] - Assigned to Lance Bragstad (lbragstad)	18:44
lbragstad	htruta and raildo-afk can also weigh in on that, too ^	18:44
*** e0ne has joined #openstack-keystone		18:44
lbragstad	jorge_munoz you have a patch to fix https://bugs.launchpad.net/keystone/+bug/1532280 right?	18:45
openstack	Launchpad bug 1532280 in OpenStack Identity (keystone) "Fernet trust token is still valid when trustee's domain is disabled." [Medium,In progress] - Assigned to Lance Bragstad (lbragstad)	18:45
*** clenimar has quit IRC		18:46
*** mylu has joined #openstack-keystone		18:48
jorge_munoz	lbragstad: Yes, but its only fix if we move forward with doing explicit enable checks for disabled domains. Currently done throu revocation records.	18:48
*** spandhe has joined #openstack-keystone		18:49
*** jsavak has quit IRC		18:52
stevemar	notmorgan: lets just abandon v3 and add domains to v2	18:53
*** jsavak has joined #openstack-keystone		18:53
notmorgan	stevemar: lets go with V1!	18:53
david-lyle	\o/	18:53
stevemar	notmorgan: see, david-lyle agrees	18:53
david-lyle	:P	18:53
edmondsw	lbragstad, I would argue that the API needs to change, not just the docs... there needs to be some way for the caller to distinguish between 1) no parents and 2) lack access to that information	18:53
david-lyle	the lesson to learn is openstack can't support increasing API versions, period	18:54
edmondsw	e.g., we could return the project ids and just not the other info they don't have access to.	18:54
edmondsw	really it's pretty odd that we have these two parents query params	18:55
*** su_zhang has quit IRC		18:55
david-lyle	our governance model is not equipped to handle such things as moving forward	18:55
lbragstad	htruta raildo-afk thoughts on what edmondsw said?	18:56
*** su_zhang has joined #openstack-keystone		18:56
david-lyle	free for all === mess for all	18:56
edmondsw	it would be a lot better API design to return the parents_as_list format all the time, but then when you don't have access to information beyond the id just return the id field alone... in the same format, not in the parents_as_ids format	18:56
* david-lyle sits back down		18:56
*** su_zhang has quit IRC		18:58
*** peter-hamilton has quit IRC		18:58
*** jsavak has quit IRC		18:59
*** jsavak has joined #openstack-keystone		19:00
*** sigmavirus24_awa is now known as sigmavirus24		19:02
*** EinstCrazy has joined #openstack-keystone		19:04
*** petertr7_away is now known as petertr7		19:08
*** EinstCrazy has quit IRC		19:09
*** spandhe has quit IRC		19:13
*** doug-fish has joined #openstack-keystone		19:16
*** jgriffith is now known as jgriffith_away		19:16
*** su_zhang has joined #openstack-keystone		19:18
*** doug-fish has quit IRC		19:21
*** mylu has quit IRC		19:22
*** doug-fish has joined #openstack-keystone		19:22
*** esp has left #openstack-keystone		19:22
*** spandhe has joined #openstack-keystone		19:24
*** dan_nguyen has joined #openstack-keystone		19:26
*** BAKfr has joined #openstack-keystone		19:30
stevemar	david-lyle: you're not exactly far off dude	19:33
*** BAKfr has quit IRC		19:37
*** mylu has joined #openstack-keystone		19:39
*** fawadkhaliq has quit IRC		19:40
*** jbell8 has joined #openstack-keystone		19:41
*** mylu_ has joined #openstack-keystone		19:41
*** mylu has quit IRC		19:42
*** BAKfr has joined #openstack-keystone		19:44
*** jbell8 has quit IRC		19:45
*** jbell8 has joined #openstack-keystone		19:46
*** jsavak has quit IRC		19:50
*** jsavak has joined #openstack-keystone		19:51
*** sinese has quit IRC		19:53
*** sinese_ has joined #openstack-keystone		19:53
*** daemontool_ has quit IRC		19:56
*** jsavak has quit IRC		19:57
*** jsavak has joined #openstack-keystone		19:58
*** ninag has quit IRC		20:00
*** ninag has joined #openstack-keystone		20:02
*** woodster_ has joined #openstack-keystone		20:02
*** mylu_ has quit IRC		20:02
*** maxabidi has joined #openstack-keystone		20:03
*** vgridnev has quit IRC		20:05
*** ninag has quit IRC		20:06
*** daemontool has joined #openstack-keystone		20:10
*** jgriffith_away is now known as jgriffith		20:13
*** gildub has joined #openstack-keystone		20:14
*** esp has joined #openstack-keystone		20:14
stevemar	ayoung: token created from trust... that should include all the roles of a 'prior role'?	20:17
openstackgerrit	Steve Martinelli proposed openstack/keystone: add a test that uses trusts and implies roles https://review.openstack.org/277319	20:18
stevemar	ayoung: ^	20:18
*** mylu has joined #openstack-keystone		20:20
*** su_zhang has quit IRC		20:21
*** esp has quit IRC		20:21
*** mhickey has joined #openstack-keystone		20:23
*** pgbridge has joined #openstack-keystone		20:24
*** henrynash has quit IRC		20:25
*** mylu has quit IRC		20:26
*** su_zhang has joined #openstack-keystone		20:28
*** mylu has joined #openstack-keystone		20:28
*** ajayaa has joined #openstack-keystone		20:29
*** henrynash has joined #openstack-keystone		20:29
*** ChanServ sets mode: +v henrynash		20:29
*** su_zhang has quit IRC		20:33
*** su_zhang has joined #openstack-keystone		20:33
*** vivekd_ has joined #openstack-keystone		20:37
*** mylu has quit IRC		20:38
ajayaa	Hi guys. Is there an opposite of l in pdb?	20:39
ajayaa	I want to go up in the file while debugging.	20:39
*** vivekd has quit IRC		20:40
*** vivekd_ is now known as vivekd		20:40
*** ninag has joined #openstack-keystone		20:44
*** ninag_ has joined #openstack-keystone		20:46
*** jbell8 has quit IRC		20:48
*** ninag has quit IRC		20:48
*** roxanaghe has quit IRC		20:50
*** jbell8 has joined #openstack-keystone		20:50
*** su_zhang has quit IRC		20:50
*** dims_ has joined #openstack-keystone		20:51
*** ninag_ has quit IRC		20:51
ayoung	stevemar, good question. I think it should.	20:51
*** ninag has joined #openstack-keystone		20:52
*** dims has quit IRC		20:52
ayoung	stevemar, I could actually see that one going either way, but all implied roles from a prior role is the most sensible	20:52
openstackgerrit	Merged openstack/keystone: Support multiple URLs for LDAP server https://review.openstack.org/228644	20:55
*** mylu has joined #openstack-keystone		21:03
*** mylu has quit IRC		21:03
openstackgerrit	Steve Martinelli proposed openstack/keystone: add a test that uses trusts and implies roles https://review.openstack.org/277319	21:03
*** henrynash has quit IRC		21:04
stevemar	ajayaa: no idea, https://docs.python.org/2/library/pdb.html docs?	21:05
stevemar	ayoung: at the midcycle, you mentioned it should have all the implied roles in the token	21:07
stevemar	ayoung: you can re-use this bug (https://bugs.launchpad.net/keystone/+bug/1539240) or create a new one, i don't know how to fix it, but I slapped up a test	21:08
openstack	Launchpad bug 1539240 in OpenStack Identity (keystone) "create tests for trusts and implied roles" [Low,In progress] - Assigned to Steve Martinelli (stevemar)	21:08
*** petertr7 is now known as petertr7_away		21:08
ayoung	stevemar, I saw a comment that said the token only has one role, not three	21:09
stevemar	ayoung: yep	21:09
ayoung	and that shows that the trust expansion for implied roles is not happening, is that how you read it?	21:09
stevemar	yep	21:09
ayoung	OK, not surprised. I can take that	21:09
ayoung	stevemar, I need to work on the client pieces for implied roles, too. I'll stay on the whole effort.	21:10
stevemar	ayoung: OK, i will change the description of that bug and assign it to you, and mark my patch as a partial fix... 1 sec	21:11
ayoung	stevemar, nah, lets split it	21:11
stevemar	ayoung: alright	21:12
ayoung	yours addresses one issue, and we should track that, too	21:12
*** petertr7_away is now known as petertr7		21:12
stevemar	ayoung: okay, review the patch and open a new bug for role expansion for trusts (target it to mitaka-3)	21:14
stevemar	ayoung: on a somewhat related note... just a heads up that you also have https://bugs.launchpad.net/keystone/+bug/1541540 assigned to you	21:14
openstack	Launchpad bug 1541540 in OpenStack Identity (keystone) "Implied role "root_role" config needs to be expanded" [High,Triaged] - Assigned to Adam Young (ayoung)	21:14
*** henrynash has joined #openstack-keystone		21:16
*** ChanServ sets mode: +v henrynash		21:16
openstackgerrit	Merged openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/272825	21:17
*** su_zhang has joined #openstack-keystone		21:21
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Move EC2 extension to core https://review.openstack.org/275280	21:26
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Move v3->v2 compat static methods https://review.openstack.org/277379	21:26
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Deprecate admin_token_auth https://review.openstack.org/275443	21:26
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Move s3 Extension to core https://review.openstack.org/274973	21:26
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Roll up JSON_BODY middleware to always be applied https://review.openstack.org/277570	21:26
*** su_zhang has quit IRC		21:26
*** dims has joined #openstack-keystone		21:26
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Followup for LDAP removal https://review.openstack.org/277196	21:26
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Mark the ExtensionRouter deprecated https://review.openstack.org/277280	21:26
*** dims_ has quit IRC		21:29
*** jsavak has quit IRC		21:30
*** su_zhang has joined #openstack-keystone		21:30
stevemar	henrynash: fyi, adam is taking a look at the bug	21:31
*** jsavak has joined #openstack-keystone		21:31
henrynash	stevemar: ok..I had a cursor look at the code, and it looked ok...	21:32
stevemar	henrynash: were you going to debug the problem or the test?	21:32
henrynash	stevemar: the problem	21:32
*** henrynash has quit IRC		21:33
stevemar	henrynash: up to you, i already talked to ayoung about it	21:33
*** timcline has quit IRC		21:33
openstackgerrit	Merged openstack/pycadf: Adding ironic api specific audit map configuration https://review.openstack.org/275538	21:33
*** henrynash has joined #openstack-keystone		21:34
*** ChanServ sets mode: +v henrynash		21:34
*** henrynash has quit IRC		21:34
*** jsavak has quit IRC		21:36
*** jsavak has joined #openstack-keystone		21:37
ayoung	stevemar, you didn't open the bug for "trust does not expand implied roles" right?	21:37
ayoung	Ah..you checked the trust...I want to confirm that myself,	21:38
*** jaosorior has quit IRC		21:38
openstackgerrit	Steve Martinelli proposed openstack/keystone: include sample config file in docs https://review.openstack.org/277574	21:41
stevemar	bknudson_: ^	21:42
stevemar	ayoung: correct, haven't opened the bug yet	21:42
stevemar	ayoung: yeah, i checked the trust and token, i think i tested things correctly shrugs	21:42
stevemar	dhellmann: ^ if that works, i'll consider removing the config file we have checked into the repo	21:43
dhellmann	stevemar : let me know if you run into trouble with it	21:45
stevemar	roger that	21:45
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Roll up TOKEN_AUTH middleware https://review.openstack.org/277580	21:50
ayoung	stevemar, nah, the trust should show one, the token multple. Just ran your version..about to edit	21:50
ayoung	stevemar, ah, I misread. Yeah. that looks like you tested correctly	21:51
*** sinese_ has quit IRC		21:51
*** dan_nguyen has left #openstack-keystone		21:58
*** boris-42 has joined #openstack-keystone		21:58
*** jsavak has quit IRC		22:01
*** jsavak has joined #openstack-keystone		22:03
*** e0ne has quit IRC		22:03
*** daemontool_ has joined #openstack-keystone		22:03
*** timcline has joined #openstack-keystone		22:04
*** ninag has quit IRC		22:05
*** petertr7 is now known as petertr7_away		22:05
*** daemontool has quit IRC		22:06
*** timcline has quit IRC		22:07
*** timcline has joined #openstack-keystone		22:08
*** jgriffith is now known as jgriffith_away		22:10
*** jsavak has quit IRC		22:10
*** dan_nguyen has joined #openstack-keystone		22:11
*** jaosorior has joined #openstack-keystone		22:12
*** mhickey has quit IRC		22:14
*** jsavak has joined #openstack-keystone		22:16
*** jgriffith_away is now known as jgriffith		22:17
*** mylu has joined #openstack-keystone		22:19
*** jsavak has quit IRC		22:19
*** mylu has quit IRC		22:21
*** phalmos has quit IRC		22:23
*** jsavak has joined #openstack-keystone		22:25
*** esp has joined #openstack-keystone		22:25
*** jsavak has quit IRC		22:26
notmorgan	ayoung: i disagree with the CMS driven root_role thing	22:29
notmorgan	ayoung: pretty strongly, and definely the way it's implemented now	22:29
notmorgan	ayoung: asking people to use the API, change the config, and then restart keystone would have gotten a -1 before it started gating if I had gotten to it.	22:30
ayoung	notmorgan, I hear you, but others feel just as strongly tyhe other way	22:30
notmorgan	ayoung: by ID is incorrect	22:30
ayoung	it was a fail safe	22:30
notmorgan	and it shouldn't be a single role	22:31
ayoung	notmorgan, that we can change	22:31
notmorgan	it needs to be by name and a list if it's in the config.	22:31
ayoung	why did I do by id...	22:31
ayoung	trying to remember...	22:31
notmorgan	but i still disagree with carrying yet-another-bad-config-option-that-most-people-wont-set	22:31
notmorgan	ayoung: easier.	22:31
ayoung	no	22:31
*** dims has quit IRC		22:31
ayoung	name makes sense, there was a reaon	22:32
notmorgan	because lookup by name hits implied roles too?	22:32
*** timcline has quit IRC		22:32
notmorgan	and this can't be an implied role	22:32
*** esp has quit IRC		22:32
*** lhcheng has joined #openstack-keystone		22:32
*** ChanServ sets mode: +v lhcheng		22:32
*** lhcheng_ has quit IRC		22:32
notmorgan	also... what happens if someone changes the value after setting the role as implied?	22:32
ayoung	notmorgan, no, that is name....	22:32
notmorgan	this will need to block this role at runtime from appearing in an implied role.	22:32
ayoung	the config option is by name, and it is set by default	22:32
ayoung	that works now, too	22:33
notmorgan	it must have been id in a previous patch	22:33
notmorgan	ok, so then please make it a listopt	22:33
notmorgan	and i'll grump about it to myself	22:33
ayoung	notmorgan, is that sufficient?	22:33
ayoung	I'm willing to work with you here. This is a security matter, so I need to be dilligent, but I am pragmatic, and openminded	22:34
* notmorgan views most of the opts that are like this as just plain terrible. but this ship has sailed.		22:34
*** mylu has joined #openstack-keystone		22:34
ayoung	notmorgan, its a bit of a bootstrap problem. We might be able to work around this by locking things down in the bootstrap phase	22:35
notmorgan	so, from a security standpoint this doesn't buy you much	22:35
notmorgan	if someone has access to change the role, they can assign it directly	22:35
ayoung	notmorgan, what I was shooting for was "you can't get admin via an inf\erence rule"	22:35
notmorgan	not really a big win.	22:35
notmorgan	but like i said, make it a listopt and i'll grump to myself instead of harping on this	22:36
ayoung	considereing we only have 2 roles today, I think it was important enough to cover	22:36
notmorgan	the single-role isn't really very useable.	22:36
ayoung	I'm fine with that	22:36
notmorgan	there are many deploys that want to protect support roles	22:36
ayoung	so long as that is sufficient	22:36
*** diazjf has quit IRC		22:36
*** lhcheng has quit IRC		22:37
notmorgan	ayoung: like i said, i disagree, but there is only so much i am willing to argue for in depth. i'll take "more functional" over arguing this should be an API thing	22:37
* notmorgan has enough fish to fry		22:37
ayoung	notmorgan, I think I was going to try for MultiStrOpt or whatever it was, and was afraid of getting it wrong. Will that work for you instead of list?	22:38
*** lhcheng has joined #openstack-keystone		22:38
*** ChanServ sets mode: +v lhcheng		22:38
*** cdcasey has joined #openstack-keystone		22:38
notmorgan	ayoung: i'd prefer list tbh	22:38
notmorgan	multistropt sucks from a CMS perspective	22:38
notmorgan	since it's the same key over and over	22:38
ayoung	notmorgan, or, if what you want is for us to enforce it at the API level, I can do that instead, and make it so it works for many, and we can just leave this as is and quietly ignore it until auditors pop in to check	22:39
notmorgan	but i guess we need to use it because roels can have ',' in it	22:39
notmorgan	nah, don't put the extra API thing in.	22:39
ayoung	OK	22:39
notmorgan	so multistropt	22:39
ayoung	ok...can you comment that on the bug so we have record?	22:39
notmorgan	well the original bug sait to make it plural. i didn't update the description	22:40
notmorgan	was more of a done	22:40
cdcasey	I have a question about logging	22:41
ayoung	GAH! Something overwrote my vpn config	22:41
*** doug-fish has quit IRC		22:41
cdcasey	Is there a simple way, through configuration or otherwise, to add a user name to relevant log entries so it's easy to tell who did what?	22:42
*** mylu has quit IRC		22:42
notmorgan	ayoung: ouch	22:44
ayoung	notmorgan, nah, its something else...	22:44
bknudson_	hackers	22:44
*** doug-fish has joined #openstack-keystone		22:44
ayoung	Warning: password for 'vpn.secrets.Xauth password' not given in 'passwd-file' and nmcli cannot ask without '--ask' option.	22:44
*** mylu has joined #openstack-keystone		22:44
ayoung	I think it is just getting confused; it is supposed to pop up a dialog to let me put in the OTP (which it does) but then loses it.	22:45
*** doug-fis_ has joined #openstack-keystone		22:46
ayoung	The name org.freedesktop.NetworkManager.vpnc was not provided by any .service files	22:47
ayoung	Ah...rpm missing, I bet...	22:47
*** doug-fish has quit IRC		22:48
*** doug-fis_ has quit IRC		22:50
*** dims_ has joined #openstack-keystone		22:51
*** ayoung has quit IRC		22:53
*** clenimar has joined #openstack-keystone		22:54
notmorgan	bknudson_: ++	22:55
*** EinstCrazy has joined #openstack-keystone		22:58
*** doug-fish has joined #openstack-keystone		22:59
*** lhcheng has quit IRC		23:03
*** esp has joined #openstack-keystone		23:03
*** lhcheng has joined #openstack-keystone		23:03
*** ChanServ sets mode: +v lhcheng		23:03
*** doug-fish has quit IRC		23:03
cdcasey	i'm guessing not	23:03
*** doug-fish has joined #openstack-keystone		23:04
*** jsavak has joined #openstack-keystone		23:04
*** sigmavirus24 is now known as sigmavirus24_awa		23:04
notmorgan	cdcasey: not really, sorry	23:04
notmorgan	stevemar: so, almost have the next two of these done.	23:04
cdcasey	notmorgan that's what I figured, thanks.	23:05
*** EinstCrazy has quit IRC		23:05
notmorgan	bknudson_: i think i've addressed the legal concern and clearly documented so someone doesn't roll it back in and break you until/unless the legal stuff is changed	23:05
*** pushkaru has quit IRC		23:05
bknudson_	notmorgan: thanks!	23:05
notmorgan	bknudson_: and ran a few tests so, it looks like it works as expected	23:05
*** pushkaru has joined #openstack-keystone		23:06
*** jaosorior has quit IRC		23:06
openstackgerrit	Merged openstack/keystone: Fixes a language issue in a release note https://review.openstack.org/277496	23:06
notmorgan	bknudson_: also it sets forth a pattern if we have more compat code that can work in a similar way [if needed], but anythin outside of the compat tree, i'll say "no" to	23:06
bknudson_	let's not have more compat code.	23:07
notmorgan	bknudson_: +++++	23:07
notmorgan	bknudson_: but if we do for some strange reason... we have this pattern setup	23:07
*** daemontool_ has quit IRC		23:07
*** esp has quit IRC		23:07
*** ayoung has joined #openstack-keystone		23:09
*** ChanServ sets mode: +v ayoung		23:09
*** spzala has quit IRC		23:09
*** jsavak has quit IRC		23:10
*** pushkaru has quit IRC		23:11
*** vivekd has quit IRC		23:12
*** doug-fish has quit IRC		23:14
*** doug-fish has joined #openstack-keystone		23:14
*** dims_ has quit IRC		23:14
*** doug-fish has quit IRC		23:15
*** doug-fish has joined #openstack-keystone		23:15
*** slberger has left #openstack-keystone		23:16
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Roll up AUTH_CONTEXT_MIDDLEWARE middleware https://review.openstack.org/277607	23:19
notmorgan	stevemar: ^ that was painful.	23:19
*** dims_ has joined #openstack-keystone		23:19
notmorgan	bknudson_: ^ that one should make it easier to start collapsing the logic down between our "required" middlewares	23:20
openstackgerrit	Dina Belova proposed openstack/keystone: Integrate OSprofiler in Keystone https://review.openstack.org/103368	23:23
*** doug-fish has quit IRC		23:23
*** ajayaa has quit IRC		23:24
*** gordc has quit IRC		23:24
openstackgerrit	Clenimar Filemon Sousa proposed openstack/keystone: Avoid wrong deletion of domain assignments https://review.openstack.org/275706	23:24
*** doug-fish has joined #openstack-keystone		23:26
*** doug-fish has quit IRC		23:27
*** cdcasey has quit IRC		23:27
*** doug-fish has joined #openstack-keystone		23:28
openstackgerrit	Brant Knudson proposed openstack/keystone: Text schema https://review.openstack.org/277608	23:28
*** can8dnSix has joined #openstack-keystone		23:36
*** doug-fish has quit IRC		23:38
jamielennox	notmorgan: ideally i would have like to get the auth_token middleware dep in there and base it on that	23:39
notmorgan	jamielennox: either direction is going to be horrific to rebase	23:40
jamielennox	yea, that's fine	23:40
*** doug-fish has joined #openstack-keystone		23:40
jamielennox	they're both working to the same goal more or less	23:40
notmorgan	also, the middleware rollups slow our tests WAY down	23:40
notmorgan	because we actually are testing the stack properly on the restful tests.	23:41
notmorgan	rather than short-circuting things	23:41
notmorgan	or my laptop is cranky	23:41
notmorgan	[also possible]	23:41
notmorgan	jamielennox: if we land the request-cache one, that'll speed it back up	23:41
notmorgan	jamielennox: but also force a rebase	23:41
jamielennox	notmorgan: did you propose that?	23:42
notmorgan	jamielennox: https://review.openstack.org/#/c/272007/	23:42
notmorgan	jamielennox: and https://review.openstack.org/#/c/277198/2 but that one is pending some info from dhellmann	23:42
jamielennox	notmorgan: you've been busy	23:42
notmorgan	jamielennox: and we landed the nova ksc->ksa and novaclient->ksa	23:43
notmorgan	jamielennox: next is novaclient to OCC	23:43
jamielennox	yep, those i saw	23:43
jamielennox	i don't care so much about that one	23:43
notmorgan	jamielennox: and then if we can get cinder, barbican, and glance over to KSA i can do evil things once we land request.local in ksm	23:43
notmorgan	jamielennox: erm thread.local	23:43
jamielennox	prefer to make people switch to osc	23:43
notmorgan	jamielennox: we need to use OCC [this is for lib. use]	23:43
notmorgan	so novaclient is v3 compat	23:44
jamielennox	wait - why do the libs care	23:44
notmorgan	because shade consumes them this way	23:44
notmorgan	for example	23:44
jamielennox	gah, i've really never like the way OCC is done	23:44
notmorgan	and we need ksc to get using ksa.	23:44
jamielennox	it should just be cloud_config.get_session(name=XXX) or similar	23:44
notmorgan	so i can do evil evil things.	23:44
jamielennox	then pass that to client creation	23:44
jamielennox	i don't like that OCC took that over	23:44
notmorgan	well KSA is way way too low level	23:45
notmorgan	and has restrictions that occ doesn't [notably oslo_config, etc]	23:45
notmorgan	something had to fill the mid-ground	23:45
*** doug-fish has quit IRC		23:46
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Rollup URL_NORMALIZER middleware https://review.openstack.org/277615	23:46
notmorgan	jamielennox: ^ boom. all our middleware rolled up and out of the pipeline.	23:47
notmorgan	and then we need to go through and do speed-cleanup again.	23:47
notmorgan	=/	23:47
notmorgan	but it's progress.	23:47
*** can8dnSix has quit IRC		23:48
notmorgan	jamielennox: "pipeline = sizelimit request_id service_v3" <---- soooooo much better	23:49
jamielennox	notmorgan: why does the request cache stuff depend on dogpile?	23:50
notmorgan	jamielennox: because i use dogpile to capture the data.	23:50
*** doug-fish has joined #openstack-keystone		23:50
*** doug-fish has quit IRC		23:50
notmorgan	anywhere we memoize we capture the request	23:50
*** doug-fish has joined #openstack-keystone		23:50
notmorgan	it means it's always acting on anything we already would want to cache.	23:51
notmorgan	and happens behind the scenes	23:51
jamielennox	oh, you've installed like a full cache layer	23:51
notmorgan	yep	23:51
notmorgan	it adds a 2nd tier of cache, closer to the request	23:51
jamielennox	that's ugly, but effective	23:52
notmorgan	at the cost of a little cpu.	23:52
notmorgan	once we trim the revoke code, we can move to json serialize	23:52
notmorgan	and drop msgpack there	23:52
jamielennox	maybe not that ugly, just not at all what i was thinking	23:52
notmorgan	i tried to make it as close to the business logic as i could	23:53
notmorgan	so we got the most benefit of the offload	23:53
jamielennox	yea, it does a good job of not actually changing the way the code works	23:53
jamielennox	but what is the advantage there of a per-request cache as opposed to simply a working big general cache?	23:54
*** doug-fish has quit IRC		23:54
notmorgan	it's guaranteeing we at least get one-off check that X item is what it says it is	23:55
notmorgan	the advantage vs memcache is the lack of socket + tcp + serialization	23:55
notmorgan	it's just serialization/deserialize	23:55
notmorgan	fwiw, i've seen ~5-15min improvements on gate jobs w/ it	23:55
notmorgan	and that is with full memcache caching enabled too	23:56
notmorgan	it artificially limits the number of times a request can ask the backend for a specific bit of data. long term, it should be able to be removed, but we have a long way to go before that.	23:56
jamielennox	ok, so it's cutting out the time to memcache	23:57
notmorgan	and socket overhead	23:57
jamielennox	why msgpack?	23:57
notmorgan	revoketree is a trainwreck	23:57
jamielennox	oh, this was the faster than deepcopy thing?	23:57
jamielennox	agreed	23:57
notmorgan	it's slower than deepcopy in some cases	23:57
notmorgan	it is faster in others	23:57
notmorgan	deepcopy is very very unreliable	23:57
notmorgan	if we make revoke tree go away, then we can json serialize,	23:58
notmorgan	avg time for json was 7usec	23:58
jamielennox	but why serialize?	23:58
notmorgan	you need to buffer between what is handed back to the request	23:58
notmorgan	otherwise errant code could do .get_domain(default)['id'] = 'omg	23:58
notmorgan	'	23:58
jamielennox	right - ok, so it's still just an instead of deepcopy thing	23:59
*** browne has quit IRC		23:59
notmorgan	and now for the rest of that request the cached value is modified and defualt_domain is 'omg'	23:59
notmorgan	yep.	23:59
jamielennox	ok	23:59
notmorgan	deepcopy was 30usec on avg iirc	23:59
notmorgan	msgpack was 60usec	23:59
notmorgan	but... deepcopy was anywhere from 13usec to 150usec	23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!