Friday, 2016-02-26

*** sdake has quit IRC		00:00
jamielennox	stevemar, morgan: also has to be bootstrap --os-bootstrap-admin-url to match other commands	00:01
jamielennox	morgan: not sure why you added the bootstrap part of that	00:01
morgan	originally it didn't have -os and someone complained	00:01
morgan	iirc	00:01
jamielennox	os is unnecessary in cli!! but ok for consistency, but bootstrap seems redundant	00:01
*** shoutm has quit IRC		00:02
*** chlong_ has quit IRC		00:03
stevemar	jamielennox: we can modify it now and not deprecate :O	00:03
jamielennox	stevemar: it's in use by at least devstack	00:04
*** ayoung has quit IRC		00:04
jamielennox	we could do like a two week deprecation cycle	00:04
jamielennox	but i'm not sure it's worth the effort	00:05
*** jorge_munoz has joined #openstack-keystone		00:05
openstackgerrit	Steve Martinelli proposed openstack/python-keystoneclient: Support `truncated` flag returned by identity service https://review.openstack.org/280162	00:06
*** su_zhang_ has joined #openstack-keystone		00:09
*** su_zhang has quit IRC		00:09
*** jorge_munoz has quit IRC		00:09
stevemar	morgan: why does the LDAP removal code depend on the in-process cache?	00:12
morgan	stevemar: because i'm really lazy and don't want to battle rebases	00:13
openstackgerrit	Steve Martinelli proposed openstack/keystone: Followup for LDAP removal https://review.openstack.org/277196	00:13
morgan	stevemar: and i want to force the issue on cache	00:13
stevemar	morgan: i moved it to master	00:13
morgan	lame	00:13
stevemar	morgan: why lame :)	00:14
morgan	the second part was the important reason	00:14
morgan	you get LDAP things with cache	00:14
morgan	duh	00:14
morgan	at least when i started they conflicted otherwise	00:14
stevemar	morgan: i pushed it through	00:15
morgan	the cache thing or the LDAP thing?	00:15
morgan	cause...	00:15
morgan	:P	00:16
morgan	i might cheer if you pushed the cache thing through	00:16
*** shoutm_ has quit IRC		00:20
*** shoutm has joined #openstack-keystone		00:21
*** sdake has joined #openstack-keystone		00:22
*** mylu has quit IRC		00:35
*** sdake has quit IRC		00:36
*** henrynash has joined #openstack-keystone		00:42
*** ChanServ sets mode: +v henrynash		00:42
*** mylu has joined #openstack-keystone		00:43
*** mylu has quit IRC		00:46
*** daemontool has quit IRC		00:47
dims	stevemar : where is pydev_debug_host config option defined?	00:49
morgan	dims: uhmmmmmmmm	00:50
openstackgerrit	Davanum Srinivas (dims) proposed openstack/keystone: [WIP] Delay using threading.local() - Not ready for Review :) https://review.openstack.org/284965	00:52
*** ayoung has joined #openstack-keystone		00:52
*** ChanServ sets mode: +v ayoung		00:52
dims	ah "pydev-debug-host"	00:54
*** shoutm_ has joined #openstack-keystone		00:56
openstackgerrit	Brad Pokorny proposed openstack/keystonemiddleware: Update documentation for running tests https://review.openstack.org/284997	00:57
*** RichardRaseley has quit IRC		00:57
*** shoutm has quit IRC		00:58
*** mylu has joined #openstack-keystone		00:58
*** vilobhmm11 has quit IRC		00:59
*** fpatwa_ has joined #openstack-keystone		00:59
*** jasonsb has joined #openstack-keystone		01:01
*** mylu has quit IRC		01:03
*** fpatwa_ has quit IRC		01:03
*** mylu has joined #openstack-keystone		01:04
*** mylu has quit IRC		01:06
*** ninag has quit IRC		01:09
*** vilobhmm11 has joined #openstack-keystone		01:10
roxanaghe	hi lhcheng, any strong opinions on the websso regions implementation on this patch https://review.openstack.org/#/c/279355/8 ?	01:13
patchbot	roxanaghe: patch 279355 - horizon - Add a configurable websso keystone url	01:13
roxanaghe	lhcheng, I'm trying to see if we want a separate list like WEBSSO_REGIONS or we want to enhance the existing AVAILABLE_REGIONS list	01:14
morgan	roxanaghe: oh hai	01:14
morgan	roxanaghe: :) /me waves	01:15
roxanaghe	hey morgan :)	01:15
*** mylu has joined #openstack-keystone		01:15
roxanaghe	how's the coffee in Portland?	01:15
*** EinstCrazy has joined #openstack-keystone		01:16
morgan	amazing!	01:16
*** mylu has quit IRC		01:17
*** mylu has joined #openstack-keystone		01:18
jamielennox	morgan, stevemar: should bootstrap update endpoints that are already created but different?	01:21
ayoung	morgan, so, as I rip out various revoke rules, the one that is now tripping me up is the roles. I a user loses a role on a project, and they have no roles at the end, the token should be invalid. If they have two roles, and lose one, when you validate the token, it should show the one role	01:21
ayoung	but...	01:22
*** davechen_afk is now known as grassy		01:22
ayoung	I'm modifying the test, and a role is deleted, but the token still has it at the end of the provider when validate is called	01:22
*** davechen1 has joined #openstack-keystone		01:22
ayoung	it feels like a cache error	01:22
ayoung	shouldn't a delete or a grant invalidate the cache?	01:23
*** mylu has quit IRC		01:23
*** jasonsb has quit IRC		01:25
*** arunkant_ has quit IRC		01:25
openstackgerrit	Dolph Mathews proposed openstack/keystone: Enable LDAP connection pooling by default https://review.openstack.org/285008	01:29
dolphm	i assume LDAP connection pooling was only disabled by default because it was a new feature 3 or 4 releases ago? ^	01:29
davechen1	stevemar: replied to your comments for this bug - https://bugs.launchpad.net/keystone/+bug/1549705.	01:30
openstack	Launchpad bug 1549705 in OpenStack Identity (keystone) "migrate DB failed due to password cannot be null" [Undecided,New] - Assigned to Dave Chen (wei-d-chen)	01:30
*** davechen1 is now known as davechen		01:30
davechen	this might just a sql issue, will dig into this.	01:31
*** roxanaghe has quit IRC		01:34
*** jasonsb has joined #openstack-keystone		01:35
*** lhcheng has quit IRC		01:38
openstackgerrit	Davanum Srinivas (dims) proposed openstack/keystone: [WIP] Delay using threading.local() - Not ready for Review :) https://review.openstack.org/284965	01:39
*** EinstCrazy has quit IRC		01:40
*** mylu has joined #openstack-keystone		01:41
*** su_zhang_ has quit IRC		01:41
*** su_zhang has joined #openstack-keystone		01:41
*** EinstCrazy has joined #openstack-keystone		01:42
*** su_zhang has quit IRC		01:45
*** dims has quit IRC		01:49
*** chlong_ has joined #openstack-keystone		01:49
*** gyee has quit IRC		01:55
*** annasort has joined #openstack-keystone		01:55
*** fangxu has quit IRC		01:59
*** mylu has quit IRC		02:00
*** csoukup has joined #openstack-keystone		02:05
*** mylu has joined #openstack-keystone		02:08
*** csoukup has quit IRC		02:09
*** diazjf has joined #openstack-keystone		02:10
*** diazjf has quit IRC		02:13
*** jasonsb has quit IRC		02:13
*** rk4n has quit IRC		02:14
*** jasonsb has joined #openstack-keystone		02:14
*** shoutm_ has quit IRC		02:14
*** rk4n has joined #openstack-keystone		02:14
ayoung	morgan, lbragstad, with fernet, once a token is passed in to validate, how are the roles on it populated? Could that come out of cache somewhere?	02:14
*** shoutm has joined #openstack-keystone		02:15
*** igornsa has joined #openstack-keystone		02:20
*** knikolla has joined #openstack-keystone		02:21
*** igornsa has quit IRC		02:26
*** henrynash has quit IRC		02:29
*** jasonsb has quit IRC		02:32
*** rk4n has quit IRC		02:32
*** mylu has quit IRC		02:34
*** fangxu has joined #openstack-keystone		02:34
*** mylu has joined #openstack-keystone		02:35
*** fangxu has quit IRC		02:36
*** mylu has quit IRC		02:39
*** browne has quit IRC		02:39
*** dan_nguyen has quit IRC		02:39
ayoung	OK, yeah, it is coming out of persistence...	02:39
*** vilobhmm11 has quit IRC		02:40
*** david-lyle has quit IRC		02:41
*** vilobhmm11 has joined #openstack-keystone		02:42
*** fpatwa_ has joined #openstack-keystone		02:44
*** fawadkhaliq has joined #openstack-keystone		02:48
*** fpatwa_ has quit IRC		02:50
dstanek	i wrote a book chapter as a review comment :-D	02:51
*** vilobhmm11 has quit IRC		02:56
*** pushkaru has quit IRC		03:05
stevemar	dstanek: if you're still up, want to take another whack at the truncated patch? https://review.openstack.org/#/c/280162/	03:06
patchbot	stevemar: patch 280162 - python-keystoneclient - Support `truncated` flag returned by identity service	03:06
stevemar	dstanek: i appreciate your chapter	03:06
*** D4RKS1D3 has quit IRC		03:08
*** dims has joined #openstack-keystone		03:10
*** knikolla has quit IRC		03:15
*** ianw has quit IRC		03:16
*** ianw has joined #openstack-keystone		03:19
dstanek	sure	03:20
*** boris-42 has quit IRC		03:24
dstanek	stevemar: i disagree about the list traversal - it is definitely happening twice	03:24
davechen	dstanek: nice, this chapter wrote on this patch - https://review.openstack.org/231289?	03:24
dstanek	stevemar: ...but it appears that the overhead of the function calls for small lists is slower than doing that	03:25
dstanek	davechen: that's the one	03:25
*** links has joined #openstack-keystone		03:26
stevemar	dstanek: i also want to cut the new release tomorrow :P	03:28
stevemar	dstanek: if that is an incentive :)	03:28
*** fpatwa_ has joined #openstack-keystone		03:29
dstanek	stevemar: +2+A the truncated review	03:31
dstanek	stevemar: do you have any thoughts on the domain issue i brought up?	03:31
stevemar	dstanek: i think they are legitimate issues	03:31
stevemar	i don't think there is a rush to put that into M	03:31
stevemar	it should be an internal only change, ideally	03:31
stevemar	so i don't get why it needs to be in M	03:32
*** fawadkhaliq has quit IRC		03:32
dstanek	i don't know either since it's not really interesting until the other patches merge too	03:32
stevemar	yeah, and i'm not eager about those either	03:33
dstanek	not keen on un-refactoring	03:34
*** csoukup has joined #openstack-keystone		03:35
stevemar	dstanek: btw, did you have an opinion on the number of fishbowls/workrooms/meetups we should have in austin?	03:35
stevemar	dstanek: last summit we have 7 / 3 / 2	03:35
stevemar	dstanek: dolphm seems to want fewer fishbowls	03:36
stevemar	which have the most amount of folks	03:36
stevemar	i'm inclined to agree	03:36
dstanek	i would definitely agree. fishbowls are much less productive	03:37
stevemar	i think fishbowls are great for introducing new features, but i think we have enough "features" to pick from at this point	03:37
stevemar	we really just need workrooms to argue	03:38
stevemar	:)	03:38
stevemar	i'll propose 3 / 8 / 2	03:38
stevemar	i think the fishbowls are handy to hear real feedback from ops	03:39
stevemar	both nova and neutron had 0 workrooms, interesting	03:41
dstanek	that sounds good to me. we should have some pretty broad topics for the fishbowls	03:41
dstanek	lots of fishbowls?	03:41
stevemar	dstanek: yep, 14 for nova and 10 for neutron	03:41
stevemar	err, 12	03:41
openstackgerrit	Davanum Srinivas (dims) proposed openstack/keystone: Delay using threading.local() to fix check job failure https://review.openstack.org/284965	03:41
dstanek	holy crap. i wonder why they are doing that. feels like the exact opposite of the reason that they are thinking about splitting off the dev summit	03:42
stevemar	dstanek: swift OTOH went 2 fishbowls, 12 workrooms	03:42
stevemar	yeah	03:42
stevemar	weird	03:42
*** browne has joined #openstack-keystone		03:42
dstanek	i have to find that article again so that i can look at the chart on a real screen.	03:43
ayoung	Can we own the unified policy session?	03:44
stevemar	ayoung: we can have a general "let's fix authorization / policy session"	03:44
ayoung	stevemar, that should be fishbowl	03:44
stevemar	ayoung: yep	03:44
openstackgerrit	Dave Chen proposed openstack/keystone: Remove the table attributes which have been dropped https://review.openstack.org/285095	03:45
ayoung	stevemar I think it needs to look something like this:	03:45
stevemar	ayoung: we probably need a PCI/DSS fishbowl and a "what the hell are we doing with reseller" fishbowl	03:45
ayoung	we are going to propose the top level roles, and the idea of implied roles	03:46
ayoung	each of the services then need to come up with "workflows" and the lowest level roles	03:46
ayoung	and then...when you create a service during install, the services upload their roles, including the inference rules	03:46
ayoung	should be a decent split of responsibilities	03:47
stevemar	ayoung: sure, i think a lot of that needs to be hashed up with other projects	03:50
stevemar	cause AFAICT, other projects will just do what we recommend	03:50
stevemar	we have a lot more "todos" than "discussions" IMO	03:50
*** markvoelker has quit IRC		03:51
ayoung	stevemar, the thing that the services need is an agreement on the set of roles that Keystone will provide. Then they can say "THis API will expect the Auditor role" in their policy files and use inference rules to make that work	03:52
stevemar	ayoung: yep, we also have a ton of technical debt we need to start paying down in both client and server	03:57
stevemar	which is why i'm leaning toward more work rooms	03:57
ayoung	stevemar, I'm paying some of that now	03:58
stevemar	ayoung: we have a loooot, everywhere.	03:58
*** shoutm_ has joined #openstack-keystone		03:59
stevemar	but we more or less have a plan on those, just some details need ironing out	03:59
stevemar	i'll propose 4 / 8 /2	03:59
ayoung	Oh...unified delegation	03:59
ayoung	that is internal: workroom	03:59
*** shoutm has quit IRC		04:01
ayoung	stevemar, if I delete a role assignemt (Grant) and then self.assignment_api.get_roles_for_user_and_project and that roles shows up, it sounds like a caching problem. Right?	04:06
*** jasonsb has joined #openstack-keystone		04:08
*** richm has quit IRC		04:10
openstackgerrit	Eric Brown proposed openstack/keystone: Minor community doc edits https://review.openstack.org/285099	04:13
*** spandhe has quit IRC		04:14
*** woodster_ has quit IRC		04:16
*** brad[] has quit IRC		04:17
openstackgerrit	Merged openstack/python-keystoneclient: Support `truncated` flag returned by identity service https://review.openstack.org/280162	04:18
stevemar	ayoung: could just still be cached, but yeah, it should be removed	04:18
ayoung	stevemar, still debugging. I think I was looking at the admin token, not the one being validated. The auth code is too complex. I want to refactor it.	04:19
ayoung	Ah...yep...validating token is using all cached data...	04:19
ayoung	ok	04:19
openstackgerrit	Merged openstack/keystonemiddleware: Update documentation for running tests https://review.openstack.org/284997	04:20
*** vilobhmm11 has joined #openstack-keystone		04:25
*** Nirupama has joined #openstack-keystone		04:28
openstackgerrit	Jamie Lennox proposed openstack/keystone: Add identity endpoint creation to bootstrap https://review.openstack.org/285102	04:30
jamielennox	morgan, stevemar: ^	04:31
* jamielennox server patch dance		04:31
*** shoutm_ has quit IRC		04:36
*** shoutm has joined #openstack-keystone		04:36
openstackgerrit	Jamie Lennox proposed openstack/keystone: Add identity endpoint creation to bootstrap https://review.openstack.org/285102	04:38
*** vilobhmm11 has quit IRC		04:39
*** vilobhmm11 has joined #openstack-keystone		04:39
stevemar	davechen: commented on https://review.openstack.org/#/c/285095/1	04:40
patchbot	stevemar: patch 285095 - keystone - Remove the table attributes which have been dropped	04:40
*** mylu has joined #openstack-keystone		04:41
openstackgerrit	Eric Brown proposed openstack/keystone: Minor edits to the configuration doc https://review.openstack.org/285105	04:46
morgan	jamielennox: sorry drink ing. Might not be in the right place to review.	04:50
*** markvoelker has joined #openstack-keystone		04:51
jamielennox	morgan: was just a heads up when you have a minute	04:55
ayoung	morgan, I'm having caching problems. I've rewritten the token validation so that it rebuilds the token every time. But when it validates after a grant delete, I still see the grant coming from	04:56
ayoung	roles = self.assignment_api.get_roles_for_user_and_project(	04:56
ayoung	user_id, project_id)	04:56
*** markvoelker has quit IRC		04:56
ayoung	jamielennox, you need that, don't you? You can't add the endpoint until there is an identity endpoint.	04:58
*** fawadkhaliq has joined #openstack-keystone		04:58
*** shoutm_ has joined #openstack-keystone		04:59
*** shoutm has quit IRC		05:01
morgan	ayoung: sure will look	05:03
jamielennox	ayoung: what context?	05:03
jamielennox	ayoung: from a client pespective i can't do that - but the terms are off	05:03
morgan	Sigh	05:03
morgan	So much beer	05:03
ayoung	jamielennox, I was looking at your patch	05:04
jamielennox	i need to have an identity endpoint in the catalog before i can make most of the ansible work with the user/password that bootstrap created	05:04
ayoung	you need an id endpoint in bootstrap don't you	05:04
jamielennox	because create user, create role etc all need an identity endpoint in catalog	05:04
morgan	ayoung: you're approaching it right. Honestku	05:04
ayoung	morgan, i've commented out a couple Memoize calls and still see the data...	05:04
*** shoutm has joined #openstack-keystone		05:04
ayoung	I'm wondering if the user had the role assignemnt via two different means: direct and group ... or something	05:05
morgan	Yeah	05:05
ayoung	morgan, which makes this interesting. if a user had the same role two ways before, and they lost one, the token would be revoked. Now it won't be any different than it was before	05:07
*** shoutm_ has quit IRC		05:07
ayoung	YEP...from group!@	05:07
openstackgerrit	Merged openstack/keystonemiddleware: Updated from global requirements https://review.openstack.org/285027	05:12
*** sdake has joined #openstack-keystone		05:13
*** sdake has quit IRC		05:23
openstackgerrit	Merged openstack/oslo.policy: Updated from global requirements https://review.openstack.org/285057	05:23
*** shoutm has quit IRC		05:25
*** mylu has quit IRC		05:25
openstackgerrit	Dave Chen proposed openstack/keystone: Remove the table attributes which have been dropped https://review.openstack.org/285095	05:29
davechen	stevemar: ;-)	05:29
*** shoutm has joined #openstack-keystone		05:30
*** fangxu has joined #openstack-keystone		05:32
*** fangxu has quit IRC		05:32
*** fangxu has joined #openstack-keystone		05:33
*** mylu has joined #openstack-keystone		05:35
openstackgerrit	Merged openstack/pycadf: Updated from global requirements https://review.openstack.org/285064	05:36
*** vilobhmm11 has quit IRC		05:39
*** su_zhang has joined #openstack-keystone		05:43
*** diazjf has joined #openstack-keystone		05:58
*** spandhe has joined #openstack-keystone		05:59
openstackgerrit	Merged openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/285065	06:02
openstackgerrit	Eric Brown proposed openstack/keystone: Minor edits to the developing doc https://review.openstack.org/285120	06:07
*** vilobhmm11 has joined #openstack-keystone		06:09
openstackgerrit	Merged openstack/keystone: Followup for LDAP removal https://review.openstack.org/277196	06:19
openstackgerrit	Eric Brown proposed openstack/keystone: Remove reference to legacy Ubuntu Precise https://review.openstack.org/285123	06:20
stevemar	davechen: thanks! :)	06:22
*** links has quit IRC		06:26
*** fpatwa_ has quit IRC		06:26
openstackgerrit	Eric Brown proposed openstack/keystone: Minor edits to the installation doc https://review.openstack.org/285123	06:27
openstackgerrit	Eric Brown proposed openstack/keystone: Minor edits to the installation doc https://review.openstack.org/285123	06:30
openstackgerrit	Eric Brown proposed openstack/keystone: Minor edits to the installation doc https://review.openstack.org/285123	06:30
*** su_zhang has quit IRC		06:34
*** su_zhang has joined #openstack-keystone		06:35
*** dims has quit IRC		06:37
*** lhcheng has joined #openstack-keystone		06:38
*** ChanServ sets mode: +v lhcheng		06:38
*** su_zhang has quit IRC		06:39
openstackgerrit	ayoung proposed openstack/keystone: Remove unneeded revocation events rebuild token on validation https://review.openstack.org/285134	06:40
*** josecastroleon has joined #openstack-keystone		06:48
jamielennox	ayoung: if you're still here, i don't think i need the get_roles_for_user_and_project	06:49
*** markvoelker has joined #openstack-keystone		06:53
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/284804	06:55
openstackgerrit	Jamie Lennox proposed openstack/keystone: Add identity endpoint creation to bootstrap https://review.openstack.org/285102	06:55
*** markvoelker has quit IRC		06:57
*** shoutm_ has joined #openstack-keystone		06:59
*** jasonsb has quit IRC		07:00
*** shoutm has quit IRC		07:01
*** lhcheng_ has joined #openstack-keystone		07:05
*** rcernin has joined #openstack-keystone		07:05
*** lhcheng has quit IRC		07:08
*** chlong_ has quit IRC		07:26
*** daemontool has joined #openstack-keystone		07:31
*** shoutm_ has quit IRC		07:31
*** diazjf has quit IRC		07:33
*** tomoiaga has joined #openstack-keystone		07:39
*** tomoiaga has quit IRC		07:43
stevemar	davechen: did you get a chance to look at https://bugs.launchpad.net/keystone/+bug/1549705 ?	07:47
openstack	Launchpad bug 1549705 in OpenStack Identity (keystone) "migrate DB failed due to password cannot be null" [Undecided,New] - Assigned to Dave Chen (wei-d-chen)	07:47
*** spandhe has quit IRC		07:50
*** tomoiaga has joined #openstack-keystone		07:51
*** mylu has quit IRC		07:56
davechen	stevemar: yes, i am still work on it.	07:59
davechen	stevemar: baically it works, and no major changes but i am struggled to write a testcase.	08:00
stevemar	davechen: you have a patch? post the code, lets take a look	08:00
davechen	stevemar: debug into the testcase, sigh...	08:00
davechen	just add a new line there. :)	08:01
stevemar	davechen: ah, just made the password column nullable :)	08:01
davechen	stevemar: not that change.	08:02
*** sdake has joined #openstack-keystone		08:02
openstackgerrit	Dave Chen proposed openstack/keystone: WIP - Fix the migration issue for the user with null password https://review.openstack.org/285152	08:02
davechen	stevemar: since password was designed to be not allow to be null.	08:03
davechen	just align with this patch - https://review.openstack.org/#/c/283746	08:03
*** sdake has quit IRC		08:04
davechen	stevemar: so if the password is empty, don't try to insert to an entry into password table.	08:04
*** josecastroleon has quit IRC		08:05
*** csoukup has quit IRC		08:06
*** belmoreira has joined #openstack-keystone		08:08
*** josecastroleon has joined #openstack-keystone		08:08
openstackgerrit	Merged openstack/keystone: Remove get_session and get_engine https://review.openstack.org/284521	08:10
*** browne has quit IRC		08:11
openstackgerrit	Merged openstack/keystoneauth: Updated from global requirements https://review.openstack.org/285026	08:11
*** henrynash has joined #openstack-keystone		08:11
*** ChanServ sets mode: +v henrynash		08:11
davechen	stevemar: what do you think? is that okay?	08:11
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/284804	08:13
stevemar	davechen: looking	08:14
davechen	stevemar: get some sleep, i will fix the testcase and you can take a look when you wake up.	08:15
stevemar	davechen: this fails? self.assertTableCountsMatch(USER_TABLE_NAME, LOCAL_USER_TABLE_NAME)	08:16
*** shoutm has joined #openstack-keystone		08:18
davechen	stevemar: yep, i have no idea why it failed.	08:21
davechen	stevemar: no such column: user.name [SQL: u'SELECT count(id) AS tbl_row_count \nFROM (SELECT user.id AS id, user.name AS name, user.extra AS extra, user.password AS password, user.enabled AS enabled, user.domain_id AS domain_id, user.default_project_id AS default_project_id \nFROM user)'].	08:22
stevemar	davechen: weird...	08:24
davechen	yep, it's still looking for the columns that have been dropped.	08:26
*** fpatwa_ has joined #openstack-keystone		08:27
*** shoutm has quit IRC		08:29
*** shoutm_ has joined #openstack-keystone		08:29
*** shoutm_ has quit IRC		08:31
*** fpatwa_ has quit IRC		08:31
*** daemontool has quit IRC		08:35
*** daemontool has joined #openstack-keystone		08:36
openstackgerrit	henry-nash proposed openstack/keystone: Projects acting as domains https://review.openstack.org/231289	08:44
*** pnavarro has joined #openstack-keystone		08:52
*** markvoelker has joined #openstack-keystone		08:53
*** vilobhmm11 has quit IRC		08:54
* stevemar pokes henrynash to comment on the project cascade patch		08:55
*** fhubik has joined #openstack-keystone		08:57
*** markvoelker has quit IRC		08:57
marekd	stevemar:	09:06
marekd	a quick question	09:06
marekd	stevemar: jsut wanted to confirm that we cannot remove non private methods without any deprecations/warnings etc	09:06
marekd	stevemar: https://review.openstack.org/#/c/279162/52/keystone/auth/plugins/mapped.py -> line 212	09:07
patchbot	marekd: patch 279162 - keystone - Shadow users - Shadow federated users	09:07
marekd	henrynash: ^^	09:08
stevemar	marekd: i think that differs from case to case, in this instance i don't see a harm in it...	09:09
marekd	aha	09:09
marekd	i thought bknudson was super strict about that.	09:09
stevemar	marekd: no openstack project is using it: http://codesearch.openstack.org/?q=.keystone.auth.plugins.mapped&i=nope&files=&repos=	09:10
marekd	i know thath	09:10
stevemar	marekd: well, within reason. this method seems like it should have been private in the first place	09:10
marekd	stevemar: another thing - https://review.openstack.org/#/c/279162/54/keystone/identity/shadow_backends/sql.py line 47	09:11
patchbot	marekd: patch 279162 - keystone - Shadow users - Shadow federated users	09:11
stevemar	marekd: BUT, theres no reason for the renaming that ron is doing :)	09:11
marekd	i am not going to repeat that by raising UserNotFound with unique_id only is not a best thing	09:11
stevemar	so i'd be OK to revert the change on principle that it is not necessary	09:11
marekd	but i am not going to repeat it for the 3rd time.	09:11
marekd	so i will leave it to you as a PTL	09:12
stevemar	marekd: the unique id in this case is the url safe version taht we guess?	09:12
marekd	no	09:13
marekd	it's some parameter from the assertion	09:13
marekd	can be email	09:13
marekd	and whole federated user is identified by (proto, idp, unique_id) tuple	09:13
marekd	so my opinion on that is that you are loosing information about which user didn't really exist	09:14
*** rcernin has quit IRC		09:14
stevemar	marekd: commented	09:18
henrynash	stevemar: will look shortly	09:18
stevemar	marekd: right, it's normally the id from the assertion, or if we don't find one, we set it to the URL safe version of the name	09:19
marekd	stevemar: in fact i'd rather create another type of exception, sth like FederatedUserNotFound where one would put all 3 parameters (proto,idp,unique_id) and those would be included in the warning log message.	09:19
marekd	then the operator will know that something went wrong for user logging from idp=A, protocol=B	09:20
stevemar	makes sense	09:21
stevemar	marekd: sigh, i go to bed	09:21
marekd	sure sure	09:21
marekd	sorry for bothering you so late	09:21
stevemar	marekd: i am stuck configuring my google idp and keystone	09:21
marekd	thought you already did it in the past	09:21
stevemar	marekd: for some reason the query parameter 'origin' is missing	09:21
marekd	:(	09:21
stevemar	i did, i like to double check it before we ship m3	09:22
stevemar	i'm probably doing something silly	09:22
stevemar	meeting in 6 hrs :\	09:22
stevemar	gnite	09:22
marekd	what meeting?	09:22
stevemar	itnernal stuff and things	09:22
marekd	ah,ok	09:22
marekd	see ya then!	09:22
* stevemar salutes marekd		09:23
* marekd SIR, YES SIR!		09:23
*** lhcheng has joined #openstack-keystone		09:23
*** ChanServ sets mode: +v lhcheng		09:23
*** lhcheng has quit IRC		09:27
*** lhcheng_ has quit IRC		09:27
*** jistr has joined #openstack-keystone		09:27
*** rcernin has joined #openstack-keystone		09:28
openstackgerrit	Dave Chen proposed openstack/keystone: Fix migration issue for the user with null password https://review.openstack.org/285152	09:32
*** pnavarro has quit IRC		09:35
*** pnavarro has joined #openstack-keystone		09:35
*** fawadkhaliq has quit IRC		09:37
*** fangxu has quit IRC		09:41
*** fangxu has joined #openstack-keystone		09:41
*** EinstCrazy has quit IRC		09:55
*** davechen has left #openstack-keystone		09:55
*** grassy is now known as davechen_afk		09:56
*** rk4n has joined #openstack-keystone		10:16
*** daemontool has quit IRC		10:16
*** fpatwa_ has joined #openstack-keystone		10:28
openstackgerrit	Merged openstack/keystone: Updated from global requirements https://review.openstack.org/285025	10:32
*** fpatwa_ has quit IRC		10:32
openstackgerrit	Merged openstack/keystone: Move admin_token_auth before build_auth_context in sample paste.ini https://review.openstack.org/281372	10:32
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/284804	10:34
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/284804	10:35
*** markvoelker has joined #openstack-keystone		10:54
*** markvoelker has quit IRC		10:58
*** csoukup has joined #openstack-keystone		11:02
*** rk4n has quit IRC		11:06
*** henrynash has quit IRC		11:06
*** rk4n has joined #openstack-keystone		11:07
bjornar	What is the type of the compute endpoint supposed to be? According to default_catalog.templates it is computev21, but "openstack compute service list" is not able to find this endpoint with status: publicURL endpoint for compute service not found	11:10
*** rk4n has quit IRC		11:12
*** rk4n has joined #openstack-keystone		11:13
*** fhubik has quit IRC		11:19
*** davechen has joined #openstack-keystone		11:26
*** davechen1 has joined #openstack-keystone		11:31
*** EinstCrazy has joined #openstack-keystone		11:32
*** davechen has quit IRC		11:33
*** rk4n has quit IRC		11:36
*** rk4n has joined #openstack-keystone		11:36
openstackgerrit	Dave Chen proposed openstack/keystone: Fix the migration issue for the user with null password https://review.openstack.org/285152	11:38
samueldmq	stevemar: hi, I am working on 243585 right now	11:50
*** davechen1 has quit IRC		11:53
openstackgerrit	Merged openstack/keystone: Minor community doc edits https://review.openstack.org/285099	12:03
*** rk4n has quit IRC		12:04
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/284804	12:04
*** fangxu has quit IRC		12:09
*** fangxu has joined #openstack-keystone		12:11
*** krotscheck_dcm is now known as krotscheck		12:13
*** daemontool has joined #openstack-keystone		12:14
samueldmq	dstanek: hi, sorry I had gone afk yesterday	12:17
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: API support for project cascade update https://review.openstack.org/243585	12:18
samueldmq	dstanek: stevemar: I have updated the proposal for policy cascade enforcement in the docstring here	12:19
samueldmq	https://review.openstack.org/#/c/243585/25/keystone/common/controller.py	12:19
patchbot	samueldmq: patch 243585 - keystone - API support for project cascade update	12:19
samueldmq	dstanek: stevemar: please let me know what you think about it, so I can update the code accordingly	12:19
samueldmq	ayoung or anyone else willing to look at it too :) ^	12:20
*** sdake has joined #openstack-keystone		12:29
*** raildo-afk is now known as raildo		12:32
*** rk4n has joined #openstack-keystone		12:34
samueldmq	raildo: htruta: you may also want to take a look at https://review.openstack.org/#/c/243585/25/keystone/common/controller.py	12:39
patchbot	samueldmq: patch 243585 - keystone - API support for project cascade update	12:39
samueldmq	raildo: htruta: the proposal in the comment	12:39
*** markvoelker has joined #openstack-keystone		12:40
*** markvoelker has quit IRC		12:44
*** rk4n has quit IRC		12:47
raildo	samueldmq: I'll, thanks	12:48
*** rk4n has joined #openstack-keystone		12:51
*** pauloewerton has joined #openstack-keystone		12:53
raildo	samueldmq: wow... this is getting a way to be more complex that I thought =/ Would not it be simpler to follow the second suggestion from henrynash?	12:53
samueldmq	raildo: yes, the other option is way less complex, the question is whether that's what we want or not	12:54
*** gordc has joined #openstack-keystone		13:00
raildo	samueldmq: we have the project context and we want to rescope the token for every subproject in the subtree. Follow this docstring, we need get the project token type, and then follow the same workflow for every subproject, right?	13:03
samueldmq	raildo: yes, exactly	13:04
raildo	on domain scoped token case, we can't perform this action, since the subprojects are not domains	13:04
raildo	samueldmq: doesn't make sense just get a project scoped token?	13:05
samueldmq	raildo: and if it fails, just try with the original token, that would pass in the case the policy was simply: "project_update": ""	13:05
samueldmq	raildo: ah, that you said above is only valid for project scoped tokens	13:05
samueldmq	raildo: domain scoped tokens do not change at all, we use the same token for all projects	13:05
samueldmq	raildo: this is point 1) in the docstring, point 2 is for project scope tokens	13:06
raildo	samueldmq: got it	13:06
raildo	samueldmq: yeap... I agree with this behaviour	13:06
raildo	samueldmq: if we are following the first suggestion, this is the best solution that we ahve	13:06
samueldmq	raildo: nice; I think this is the right way to go	13:07
raildo	have*	13:07
samueldmq	raildo: I will discuss with others before updating the code	13:07
samueldmq	raildo: now I am reviewing reseller	13:07
samueldmq	raildo: we need that in until MOnday	13:07
raildo	samueldmq: sure, no problem, htruta are not here, right now, but I'll talk with him asap	13:07
samueldmq	raildo: otherwise won't land in M3	13:07
raildo	samueldmq: sure, dstanek reviewed this patch a lot yesterday	13:09
raildo	thanks dstanek :P	13:09
*** henrynash has joined #openstack-keystone		13:09
*** ChanServ sets mode: +v henrynash		13:09
samueldmq	henrynash: hi! good morning	13:10
raildo	samueldmq: henrynash is the perfect guy to see your comment on the update cascade patch :D	13:10
henrynash	samuedlmq: hi…just looking the latest patch on cascade	13:10
samueldmq	henrynash: perfect, I submitted it with the proposed approach in the docstring	13:11
samueldmq	henrynash: here: https://review.openstack.org/#/c/243585/25/keystone/common/controller.py	13:11
patchbot	samueldmq: patch 243585 - keystone - API support for project cascade update	13:11
samueldmq	henrynash: meanwhile I am reviewing reseller	13:11
raildo	samueldmq: I'll be working on fernet tokens, but everything that you need about reseller/cascade, just ping me :)	13:12
henrynash	samueldmq: ok (and on reseller- you will see that i have gone ahead an changed the V8 legacy wrapper to map calls back onto drive domain methods for those projects that are actingas domains)	13:12
samueldmq	raildo: perfect, thanks	13:12
samueldmq	henrynash: yes, same reasoning as you did for domain roles, right?	13:13
henrynash	sasamueldmq: yes	13:13
samueldmq	henrynash: perfect	13:13
henrynash	samueldmq: note dstanek’s comment, that maybe (in retorspect, and now that we have only one V9 driver and a rquirement for backward driver comapability) we should have done a lot of this in the driver itself….I’m not yet sure…but mulling that idea	13:14
*** daemontool has quit IRC		13:15
*** daemontool has joined #openstack-keystone		13:16
*** daemontool has quit IRC		13:17
samueldmq	henrynash: ok, will look at that too	13:18
*** daemontool has joined #openstack-keystone		13:18
*** markvoelker has joined #openstack-keystone		13:20
*** tomoiaga has quit IRC		13:23
henrynash	samueldmq: added a comment to update/cascade….	13:23
*** daemontool has quit IRC		13:24
raildo	henrynash: good point	13:25
*** brad[] has joined #openstack-keystone		13:25
samueldmq	henrynash: re-replied :)	13:26
henrynash	samuedlmq: I think you were agreeding….is that right?	13:28
samueldmq	henrynash: no, I don't care about the roles the user has in subprojects	13:28
samueldmq	henrynash: what I want to ensure is that: 'user x also can perform the same operation on every subproject'	13:29
samueldmq	henrynash: let me give you an example	13:29
henrynash	samueldmq: so we agree on that,	13:29
samueldmq	henrynash: "X -> Y" is a parent, child	13:29
henrynash	samuedlmq: ok	13:29
samueldmq	henrynash: user have role r1 on X and r2 on Y	13:29
henrynash	let’s say user has roles r1 and r2 on Y	13:30
samueldmq	henrynash: policy says : 'update_project': '(role:r1 and project_matches) OR (role:r2 and project_matches)'	13:30
samueldmq	henrynash: the user can do cascade update on X	13:30
samueldmq	henrynash: if user has roles r1 and r2 on Y it also works, but if he only has r2 it still works	13:31
henrynash	samueldmq: hmm, I understand why you area saying what you are….I have to say I am uneasy about bascially expanding the token roles for sub projects….it just feels wrong	13:32
samueldmq	henrynash: we are't exapnding the current token	13:33
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Adds parent_id to project model in models.py https://review.openstack.org/285301	13:33
samueldmq	henrynash: we simulate a new token, new creds	13:33
samueldmq	henrynash: as the user had effectivelly a token on the subproject on hands	13:33
henrynash	samuelldmq: yep, agreed…..without a formal authz setp!!!!	13:33
samueldmq	henrynash: exactly, this is like: 'if he had asked for a token in this subproject, he'd have this!'	13:33
samueldmq	henrynash: so let's now check if he'd be authorized	13:34
samueldmq	henrynash: I dont care about the roles/whatever he has in the subprojects, let's get it and try policy enforcement	13:34
samueldmq	henrynash: so are we in agreement ?	13:35
*** fawadkhaliq has joined #openstack-keystone		13:36
henrynash	samuedlmq: I do understand your logic…..I don’t like that we are (effectively) issuing them a new one-time-use token…but without running with the auth/token code that might make other chekcs (e.g. nobody gets role Y during production hours)	13:36
henrynash	samueldmq: so,no, I don;t think we are in ageement - we just hev different POV on this…..I’d liek ayoung to weigh in….he’s an expert in delgation or roels etc.	13:37
samueldmq	henrynash: if token issuance (regardless workflow) uses the roles of a ?effective call to list_role_assignmetns, we're doing it right	13:37
samueldmq	henrynash: if they do logic around the return of a ?effective call, I'd argue they're doing wrongly/bad code?	13:38
samueldmq	henrynash: also considering only a subset of roles from the parent would make the api understanding still harder	13:39
henrynash	samueldmq: I can certaily imagine peopel doing that……..and I wouldn’t call it wrong - I agree nobody does today	13:39
dstanek	samueldmq: sure i'll look	13:40
henrynash	samuedlmq: it’s only a subset of roles form the orgional ones the tokn had….eg.g. a trust might have restricted roels in it (i.e. less than the roles the trstor has on that project)	13:40
samueldmq	henrynash: for now, I'd explain that API as : 'cascade acts like the user asks a token for each project in the tree (with the same workflow) and tries to performe the operation project by project with its corresponding token'	13:40
henrynash	samuedlmq: agreed that is the current proposal….let’s get ayoung’s view on this	13:41
samueldmq	henrynash: for trusts, the user need to have trusts for every project in the subtree	13:41
samueldmq	henrynash: sure	13:41
samueldmq	henrynash: does trust work with inherited role assignments ?	13:42
samueldmq	henrynash: and/or group assingmetns ?	13:42
henrynash	dstanek: see my coments regarding projects as a domain….maybe I am missing some other sublety…but I tink we are now provding backeard comaptibility	13:42
henrynash	samuedlmq: not sure, I’d have to look!	13:43
dstanek	henrynash: how does the thirdparty driver's create_domain get called?	13:43
samueldmq	dstanek: perfect, looking forward to see your view on it	13:43
henrynash	dtsanek: it’s in the v8legacy wrapper	13:44
*** ninag has joined #openstack-keystone		13:44
dstanek	henrynash: but that itself won't get called because manager.create_domain no longer calls driver.create_domain right?	13:45
henrynash	dstanek: but the wrapper project calls check teh call is for a project acting as a domain…and if so, calls the domain driver method	13:45
samueldmq	henrynash: in the way you argued about ?cascade operations, we would be saying that ?cascade calls are designed to work with inherited role assignments	13:46
samueldmq	henrynash: that way we only get subsets ... interesting, if we make that argument of inherited role assignmetns, it makes sense t me	13:47
henrynash	samueldmq: it’s a bit liek we are saing cascade is an inherited trust down the tree	13:48
henrynash	samuedlmq: i”m not 100% for this…just trying to work out hwy I feel uneasy about teh current proposal	13:48
dstanek	henrynash: ok, i'll have to go over this again. this 'is_domain' makes my immediately want to refactor	13:49
samueldmq	henrynash: cool, let's get dstanek and ayoung opinions on it	13:50
dstanek	samueldmq: on something different?	13:50
samueldmq	dstanek: yes, on the ?cascade thing :)	13:50
openstackgerrit	Michael Krotscheck proposed openstack/keystone: Moved CORS middleware configuration into oslo-config-generator https://review.openstack.org/285308	13:50
dstanek	ah, ok	13:50
samueldmq	dstanek: call it is_identity_container	13:50
samueldmq	dstanek: (on the is_dmain thing this time)) ^	13:50
*** edmondsw has joined #openstack-keystone		13:50
henrynash	dstanek: i think we are nowing doing (effectively) what you would achieve by push all this into teh V9 driver….see my comment reply as to at least why we got to where we are!	13:51
krotscheck	morgan: ^^ That seems to work. Can you take a look at it when you get a chance?	13:52
samueldmq	krotscheck: nice, tjcocozz_ may want to test it again, as he had setup an env for that :)	13:53
samueldmq	tjcocozz_: :-)	13:53
*** dims has joined #openstack-keystone		13:54
*** daemontool has joined #openstack-keystone		13:54
krotscheck	No worries.	13:59
krotscheck	Now all I need is for everyone to agree that this is the way we want it to work in Mitaka, and then get enough help to lnd it in the other 22 projects.	14:00
samueldmq	krotscheck: 22 ? simple :)	14:02
samueldmq	krotscheck: have you landed the first proposal on all of them already?	14:02
*** henrynash has quit IRC		14:02
*** richm has joined #openstack-keystone		14:03
openstackgerrit	Stuart McLaren proposed openstack/keystonemiddleware: Add python-memcached to requirements https://review.openstack.org/285315	14:06
* krotscheck slaps samueldmq with a large trout		14:08
samueldmq	hehe	14:09
openstackgerrit	Brant Knudson proposed openstack/keystone: V2 operations create default domain on demand https://review.openstack.org/284778	14:10
*** EinstCrazy has quit IRC		14:14
*** petertr7_away is now known as petertr7		14:15
*** daemontool has quit IRC		14:16
*** therve has left #openstack-keystone		14:16
*** daemontool has joined #openstack-keystone		14:16
openstackgerrit	Davanum Srinivas (dims) proposed openstack/keystone: Delay using threading.local() to fix check job failure https://review.openstack.org/284965	14:16
krotscheck	On a related note, is trusted_dashboards still a thing?	14:17
openstackgerrit	Davanum Srinivas (dims) proposed openstack/keystone: Delay using threading.local() to fix check job failure https://review.openstack.org/284965	14:18
*** daemontool_ has joined #openstack-keystone		14:18
openstackgerrit	Dolph Mathews proposed openstack/keystone: Enable LDAP connection pooling by default https://review.openstack.org/285008	14:19
*** jsavak has joined #openstack-keystone		14:20
*** daemontool has quit IRC		14:22
EmilienM	ayoung, stevemar: I need your science	14:28
EmilienM	have you seen that already ? http://logs.openstack.org/76/284876/4/check/gate-puppet-keystone-puppet-beaker-rspec-dsvm-trusty/161cc03/console.html#_2016-02-26_11_27_31_950	14:28
*** Nirupama has quit IRC		14:29
EmilienM	I think keystone.credential.backends.ldap.Credential does not work anymore, I might need to just use "ldap"	14:32
*** sdake has quit IRC		14:35
*** su_zhang has joined #openstack-keystone		14:36
*** dansmith is now known as superdan		14:36
*** lmiccini has joined #openstack-keystone		14:39
*** knikolla has joined #openstack-keystone		14:43
raildo	lbragstad: ayoung about a failed test on make fernet default provider... there is a failed test "test_belongs_to_no_tenant" that was impacted with this change https://review.openstack.org/#/c/258650/26/keystone/token/provider.py	14:48
patchbot	raildo: patch 258650 - keystone - [WIP]Make fernet default token provider	14:48
raildo	lbragstad: on token_belongs_to	14:48
raildo	lbragstad: I want to know what is the expected behavior for fernet token on v2 api? This should work properly?	14:49
lbragstad	raildo checking	14:52
*** woodster_ has joined #openstack-keystone		14:54
*** fawadkhaliq has quit IRC		14:55
*** slberger has joined #openstack-keystone		14:56
*** daemontool_ has quit IRC		15:01
*** jsavak has quit IRC		15:01
*** jsavak has joined #openstack-keystone		15:02
*** daemontool has joined #openstack-keystone		15:05
*** sdake has joined #openstack-keystone		15:05
*** jsavak has quit IRC		15:06
*** jsavak has joined #openstack-keystone		15:07
*** sigmavirus24_awa is now known as sigmavirus24		15:07
openstackgerrit	Michael Krotscheck proposed openstack/keystone: Moved CORS middleware configuration into oslo-config-generator https://review.openstack.org/285308	15:08
krotscheck	blah blah pep8 grumble grumble	15:08
*** jsavak has quit IRC		15:08
*** jsavak has joined #openstack-keystone		15:09
*** jorge_munoz has joined #openstack-keystone		15:32
*** henrynash has joined #openstack-keystone		15:34
*** ChanServ sets mode: +v henrynash		15:34
*** jsavak has quit IRC		15:34
openstackgerrit	Stuart McLaren proposed openstack/keystonemiddleware: Add python-memcached to requirements https://review.openstack.org/285315	15:34
*** timcline has quit IRC		15:35
*** jsavak has joined #openstack-keystone		15:37
*** roxanaghe has joined #openstack-keystone		15:40
*** jsavak has quit IRC		15:41
*** jsavak has joined #openstack-keystone		15:42
*** belmoreira has quit IRC		15:43
openstackgerrit	Ron De Rose proposed openstack/keystone: Shadow users - Shadow federated users https://review.openstack.org/279162	15:47
*** sdake has quit IRC		15:47
*** timcline has joined #openstack-keystone		15:47
*** rderose has joined #openstack-keystone		15:48
*** diazjf has joined #openstack-keystone		15:49
*** spandhe has joined #openstack-keystone		15:49
*** roxanaghe has quit IRC		15:49
stevemar	EmilienM: i don't think "keystone.credential.backends.ldap.Credential" ever existed..	15:50
EmilienM	yeah	15:50
EmilienM	stevemar: can you review https://review.openstack.org/#/c/285345/ please?	15:51
patchbot	EmilienM: patch 285345 - puppet-keystone - use stevedore names for driver / backends	15:51
EmilienM	it's puppet but you can easily see what I'm doing	15:51
rderose	stevemar dolphm can we talk about the unique_id and display_name fields for federated users	15:51
*** josecastroleon has quit IRC		15:51
stevemar	EmilienM: yes sir	15:51
EmilienM	stevemar++	15:51
stevemar	rderose: sure, whats up	15:51
rderose	stevemar saw your comment regarding how the id is used (ID is a URL safe representation)	15:52
rderose	stevemar was planning on mapping the id to unique_id and name to display_name	15:52
rderose	stevemar can we change the meaning of id to be unique id?	15:52
rderose	stevemar or, what would you suggest?	15:53
stevemar	rderose: what's the user_id column for federated_users represent?	15:53
*** spandhe has quit IRC		15:54
dolphm	stevemar: o/	15:54
dolphm	rderose: o/	15:54
rderose	stevemar: the foreign key to the id in the user table	15:54
dolphm	stevemar: the actual user ID presented to openstack	15:54
*** diazjf has quit IRC		15:55
stevemar	dolphm: rderose right -- the name coming ffrom the mapping backend is gonna be something like stevemar@ibm.com, and my ID will be some ibm id (123456)	15:55
*** diazjf has joined #openstack-keystone		15:55
stevemar	dolphm: rderose that ID doesn't really gel with openstack. i can't assign it roles and it's guaranteed to be unique (domains could assign the same numbers), and if i don't set up that mapping rule, we default the ID to be a url safe version of the name	15:56
stevemar	cause we something to stick in the token	15:56
EmilienM	dumb question: where is patchbot code? I want to use it	15:58
dolphm	stevemar: ++ so the user_id column can basically be a UUID, just like SQL users	15:58
dolphm	whereas unique_id = 123456 and display_name=stevemar@ibm.com	15:59
rderose	stevemar: which it is, user_id is UUID	15:59
rderose	dolphm ++	15:59
dolphm	so your display name coming from the IdP could change, but that unique ID coming from that IdP via that protocol should always map to the same user_id	16:00
openstackgerrit	Trevor McCasland proposed openstack/keystone: Add validation parameter "max_name_size" https://review.openstack.org/285393	16:01
dolphm	EmilienM: just went looking for patchbot ... and i have no idea	16:02
dolphm	EmilienM: ask in -infra maybe?	16:02
*** browne has joined #openstack-keystone		16:02
*** jsavak has quit IRC		16:03
*** jsavak has joined #openstack-keystone		16:03
SamYaple	ayoung morgan wont the "no default domaon created with db_sync" cause alot of the same drama as the admin token thing did?	16:04
morgan	EmilienM: notmyname's repo on github	16:04
morgan	SamYaple: not with bknudson's second fix	16:05
bknudson	no drama!!!!	16:05
morgan	dolphm: ^ patchbot	16:05
EmilienM	morgan: ok thx	16:06
morgan	Called "patches"	16:06
SamYaple	what was the second fix?	16:06
SamYaple	i may have missed that	16:06
morgan	It's a supybot plugin	16:06
EmilienM	https://github.com/notmyname/Patches	16:06
morgan	EmilienM: yep	16:06
rderose	stevemar dolphm: so are we good with mapping the "id" to "unique_id" and "name" to "display_name"?	16:07
rderose	stevemar dolphm: and do we want to keep the same logic:	16:07
rderose	setting the id to a url safe representation of the name	16:07
dolphm	rderose: the ID and name coming out of the mapping?	16:07
rderose	dolphm: yes	16:07
*** daemontool has quit IRC		16:07
dolphm	rderose: link me to code before i say yes :)	16:08
rderose	https://review.openstack.org/#/c/279162/54/keystone/auth/plugins/mapped.py	16:08
patchbot	rderose: patch 279162 - keystone - Shadow users - Shadow federated users	16:08
rderose	stevemar dolphm: and do we want to keep this for setting the name:	16:09
rderose	user.get('name') or context['environment'].get('REMOTE_USER')	16:09
rderose	* display_name = user.get('name') or context['environment'].get('REMOTE_USER')	16:10
*** ChanServ sets mode: +v topol_		16:15
*** topol_ is now known as topol		16:15
dolphm	rderose: i don't understand all the conditional stuff going on in that method... stevemar, why would the mapping not return an ID?	16:16
*** henrynash has quit IRC		16:17
dolphm	stevemar: marekd: left questions for you in https://review.openstack.org/#/c/279162/54/keystone/auth/plugins/mapped.py	16:19
patchbot	dolphm: patch 279162 - keystone - Shadow users - Shadow federated users	16:19
dolphm	stevemar: marekd: also, can one of y'all help write the test in https://review.openstack.org/#/c/284943/ -- i'm really hesitant to merge the "shadow federated users" patch without seeing support for local role assignments working	16:20
patchbot	dolphm: patch 284943 - keystone - Shadow users - Concrete role assignments for feder...	16:20
openstackgerrit	Ron De Rose proposed openstack/keystone: Shadow users - Concrete role assignments for federated users https://review.openstack.org/284943	16:22
*** dims has quit IRC		16:22
*** pnavarro has quit IRC		16:22
*** roxanaghe has joined #openstack-keystone		16:23
marekd	dolphm: let me look	16:24
rderose	dolphm: regarding the conditional stuff, there are 2 conditions:	16:27
rderose	1. if "name" is not supplied, set it to "context['environment'].get('REMOTE_USER')" or "id"	16:27
rderose	2. if "id" is not supplied, then set it to the "name"	16:27
ayoung	SamYaple, so bknudson has a patch out that will create the default domain on demand. I think it is a cool idea	16:28
marekd	dolphm: in https://review.openstack.org/#/c/279162/54/keystone/auth/plugins/mapped.py i don't actually have any problem (and never had) with changing the names of local variables in setup_username()	16:28
patchbot	marekd: patch 279162 - keystone - Shadow users - Shadow federated users	16:28
bknudson	ayoung: SamYaple: https://review.openstack.org/#/c/284778/	16:29
patchbot	bknudson: patch 284778 - keystone - V2 operations create default domain on demand	16:29
*** rk4n has quit IRC		16:29
marekd	dolphm: if you are asking on why this logic was implemented in the first place (deriving user_id from user_name) the reason was that if the user_id was not specified in the mapping we had to come up with something. It was more like mimicing of 'classic' users creation where you may specify the name, but will not specify id as it was random generated user.	16:30
ayoung	EmilienM, ImportError: No module named ldap could be an RPM problem. Did the python-ldap RPM dependency get dropped?	16:30
EmilienM	ayoung: I ran Ubuntu	16:30
ayoung	EmilienM, shhh	16:30
EmilienM	and yes, the DEB is installed	16:30
ayoung	don't ever admit that	16:30
EmilienM	ayoung: it's upstream CI :-P	16:30
ayoung	ha	16:30
ayoung	I didn't know we had an LDAP credential back end	16:31
EmilienM	but yeah, don't tell my manager	16:31
ayoung	I don't think we do.	16:31
*** rcernin has quit IRC		16:31
*** jsavak has quit IRC		16:32
*** jsavak has joined #openstack-keystone		16:33
marekd	dolphm: rderose i am actually unsure how role assignments for fed users would work - after the first login an entry is created in the backend and until operator assigns some roles the user is powerless and can access literally nothing?	16:33
marekd	rderose: for the display_name - are you using it anywhere?	16:33
rderose	marekd no, I'm not using display_name, I imagine it would be used in a UI or part of an API call	16:35
ayoung	EmilienM, I'm really puzzled. I wrote all the LDAP backends m with the exception of the Role one that Henry wrote by splitting the assignment one. I never wrote an LDAP backend. How is that even getting into the mix?	16:35
marekd	because from a short discussion with dolphm it looks that the rest of the keystone will always execute operation on backend.sql.User object and everybody would call User.name property	16:35
ayoung	I never wrote and LDAP credential backend that is	16:35
marekd	rderose: ^^	16:35
marekd	rderose: and AFAIR it can return proper name if the user is actually LocalUser and None otherwise.	16:36
marekd	which does not make sense to me since you wanted to unify all types of users.	16:36
*** csoukup has quit IRC		16:37
*** spandhe has joined #openstack-keystone		16:38
rderose	marekd: regarding assigning roles, once the fed user is mapped to a user and has a user id, an admin can then assign roles to that user	16:38
stevemar	dolphm: while looking at https://review.openstack.org/#/c/284943/ ... what about fixing the mapping engine to not blow up if there's no "group" found?	16:38
patchbot	stevemar: patch 284943 - keystone - Shadow users - Concrete role assignments for feder...	16:38
ayoung	raildo, OK...let's look	16:39
marekd	rderose: so, in the time before me logging for the first time and operators action i can do nothing	16:39
*** daemontool has joined #openstack-keystone		16:40
rderose	marekd correct, until you get your first unscoped token, the operator would not be able to assign you roles	16:40
marekd	unless some groups were assigned to myself as part of mapping process (mapping engine)	16:41
rderose	marekd you still wouldn't be able to make local role assignments without an entry in the user table	16:42
marekd	rderose: i know	16:42
marekd	i just want to make sure you are not blocking it, or not going to for now at least.	16:42
marekd	:-)	16:42
rderose	marekd :)	16:42
marekd	ok, what about display_name?	16:43
rderose	marekd yes, currently only LocalUser.name is used	16:44
rderose	marekd, so you are right, name would return None for federated users	16:44
SamYaple	ayoung: bknudson cool. thannks for the info	16:44
*** gyee has joined #openstack-keystone		16:44
*** ChanServ sets mode: +v gyee		16:44
bknudson	SamYaple: can you try it out with your deployer?	16:44
*** jasonsb has joined #openstack-keystone		16:44
SamYaple	bknudson: sure thing!	16:44
marekd	rderose: ok, but why can't we return display_name then?	16:45
marekd	(and why it's called display_name for federated users)	16:45
rderose	marekd we can, we could just change the hybrid property to check for this	16:45
marekd	rderose: unless there is some logical reason for not doing this i'd simply do this.	16:46
rderose	marekd but I was thought of display_name having a different meanting than username	16:46
marekd	like?	16:46
rderose	marekd display_name being more "Ron De Rose" and username being more "rderose"	16:46
rderose	dolphm: ^^ is that your understanding as well?	16:47
rderose	marekd I think of display_name as the display-name in an identity store; which isn't typically the username	16:51
marekd	rderose: dolphm: I will leave this decision to Dolph, but my opinion is that you are already writing logic that will make others (Horizon etc) do if/else clauses and handle some strange corner cases with names. Either you unify all types of users and they all at least pretend to have similar set of attributes or you keep them separate and then it's ok to split attribute sets...	16:51
* dolphm is reading back		16:52
rderose	marekd I think it would make sense to have a display name attribute for localusers	16:52
dolphm	(the goal is fewer edge cases for other projects...)	16:52
*** csoukup has joined #openstack-keystone		16:53
marekd	my unserstanding of shadow users is that we must have >1 types of users but for all the other services thy don't really care and always see a user with an id.	16:53
dolphm	rderose: ah, can the expression for User.name basically be "local_user.name or federated_user.display_name" ?	16:53
rderose	dolphm: yes	16:53
dolphm	sort of left join a local user name, and then left join a federated display name otherwise	16:53
dolphm	rderose: that would be a good balance between existing behavior and not doing anything funky in the API (null names in the API are surely going to break something)	16:54
dolphm	marekd: does that make sense?	16:54
marekd	dolphm: yes, i didn get why it's not like that and what was the reason splitting localuser.name and feduser.display_name. Ron is explaining it right now.	16:54
marekd	dolphm: i think so.	16:54
rderose	dolphm: okay	16:55
dolphm	rderose: we might also want to update the display_name we store on each authentication, in case it changes	16:55
dolphm	it should be reflected in horizon on next auth	16:55
rderose	dolphm: good point	16:55
marekd	dolphm: ++	16:55
ayoung	jorge_munoz, dolphm, I'm not done yet but : https://review.openstack.org/#/c/285134/ removes most of the revocation events. The cost is that we can no longer cache token validations, but since those work with all cached data anyway, it should not be too expensive.	16:56
patchbot	ayoung: patch 285134 - keystone - Remove unneeded revocation events rebuild token on...	16:56
ayoung	I'm going to split that up into two patches once I get it working	16:56
marekd	ok i need to logout now, i shall look into that later on.	16:57
dolphm	ayoung: interesting tradeoff	16:57
ayoung	and it should make your lives and lbragstad 's work on Fernet easier	16:57
ayoung	dolphm, yeah; you need to do a liveness check on each field	16:57
dolphm	dstanek would also be interested ^	16:57
ayoung	if we always reassemble the token, we get that in place	16:57
dolphm	ayoung: "need" :P	16:57
ayoung	I'm workiong on it. I was up til 2 trying to get the tests to run, but then paid for it this morning	16:58
lbragstad	nonameentername ping - you around? I have a spec for MFA that was dependent on your TOTP implementation. I was curious if you've seen it? I just remember you saying that you were working on specs.	16:58
dstanek	dolphm: indeed, thanks for the heads up	16:58
dolphm	ayoung: what if i'm totally willing to return stale tokens for 60 seconds, or something?	16:58
dolphm	even after a domain has been disabled or whatever	16:58
dolphm	lbragstad: he's got a credential encryption spec up as an intermediary step	16:59
ayoung	dolphm, I think that would still require an additional change. THe current just memoized the token validation resposne, not sure how long that is cached for	16:59
dolphm	lbragstad: i think it's WIP, last i looked	16:59
ayoung	it would also mess with a lot of tests	16:59
ayoung	I'd make it optional, and off by default to start,	16:59
lbragstad	dolphm nonameentername this is the one that i drafted a while back - https://review.openstack.org/#/c/272287/	17:00
patchbot	lbragstad: patch 272287 - keystone-specs - Add spec for multifactor authentication	17:00
ayoung	+101, -718that is how I like my patches....	17:02
ayoung	DIE LAVACODE DIE!	17:02
ayoung	Just think of the reduction when we finally remove PKI....	17:02
*** jsavak has quit IRC		17:02
jorge_munoz	ayoung: So, those changes only check for operation in V3, are we not interested in reducing the revocation events in v2?	17:02
ayoung	jorge_munoz, its WIP	17:03
ayoung	I'll get V2	17:03
*** jsavak has joined #openstack-keystone		17:03
ayoung	I think that is what I'm hitting next	17:03
*** henrynash has joined #openstack-keystone		17:04
*** ChanServ sets mode: +v henrynash		17:04
ayoung	def test_v3_trust_token_get_token_fails(self):	17:05
ayoung	OK, so I guess I am still debugging V3 failures...what is the rule there: I can't do a token-for-token exchange with a trust token, I need to re-execute the trust?	17:05
jorge_munoz	ayoung: FYI I was testing this type of change using the tempest test and their run times. Checking if project and domain are enabled doesn’t really help too much with performance, maybe the reduction of deletegrates helps more.	17:06
*** vilobhmm11 has joined #openstack-keystone		17:07
stevemar	dolphm: rderose back	17:07
rderose	stevemar :)	17:07
rderose	stevemar: does the user_id make sense now? you were saying that it doesn't gel with openstack...	17:08
ayoung	jorge_munoz, I think a lot will depend on useage patterns, but it should use all cached data, and not hit the backends. But this will greatly simplify revocations, and we can further optimize afterwards, too	17:09
*** dims has joined #openstack-keystone		17:09
*** browne has quit IRC		17:09
*** dims has quit IRC		17:10
rderose	stevemar I just want to kind of agree on 2 things:	17:11
rderose	1. we can map "id" and "name" from the mapped properties to "unique_id" and "display_name"	17:11
rderose	And 2, do we want to keep this logic:	17:12
rderose	dolphm: regarding the conditional stuff, there are 2 conditions:	17:12
rderose	*. if "name" is not supplied, set it to "context['environment'].get('REMOTE_USER')" or "id"	17:12
rderose	*. if "id" is not supplied, then set it to the "name"	17:12
rderose	stevemar ^^ what do think?	17:12
*** jasonsb_ has joined #openstack-keystone		17:12
*** bknudson_ has joined #openstack-keystone		17:12
*** ChanServ sets mode: +v bknudson_		17:12
*** xek__ has joined #openstack-keystone		17:13
*** spandhe has quit IRC		17:13
stevemar	EmilienM: finally commented	17:14
*** rk4n has joined #openstack-keystone		17:14
rderose	stevemar: and just to clarify, unique_id is unique within the scope of the IdP	17:15
*** pleia2_ has joined #openstack-keystone		17:15
stevemar	rderose: okay, i agree that it's unique to the idp, just sounds weird	17:15
*** Trident has joined #openstack-keystone		17:15
*** baffle___ has joined #openstack-keystone		17:15
stevemar	rderose: say i want to create a role assignment, do i create the role assignment with the unique_id or the user_id (a uuid)	17:16
rderose	stevemar yeah, I can see that. we could change it	17:16
rderose	with the user_id (uuid)	17:16
*** spring_ has joined #openstack-keystone		17:16
*** kfox1111_ has joined #openstack-keystone		17:16
*** sshen_ has joined #openstack-keystone		17:16
*** Nakato_ has joined #openstack-keystone		17:17
rderose	stevemar the unique_id is only used for identifying the federated user. user_id would be the id used throughout keystone	17:17
stevemar	rderose: i think that's why marekd was mentioning to use a uuid instead of the unique id when raising the exception, someone can do a user lookup against that ID and see what it represents	17:17
rderose	but if the user is not found, there wouldn't be a user_id	17:18
*** rodrigod` has joined #openstack-keystone		17:18
rderose	stevemar ^	17:18
rderose	stevemar similar to get_user_by_user_name()	17:18
*** jorge_munoz_ has joined #openstack-keystone		17:19
rderose	stevemar user is not found, exception is thrown with user_id=user_name	17:19
*** BrAsS_mO- has joined #openstack-keystone		17:19
stevemar	rderose: if the user id is not found, we should return back the id that the user supplied?	17:20
*** jasonsb has quit IRC		17:20
*** timcline has quit IRC		17:20
*** jorge_munoz has quit IRC		17:20
*** edmondsw has quit IRC		17:20
*** xek_ has quit IRC		17:20
*** rodrigods has quit IRC		17:20
*** miguelgrinberg has quit IRC		17:20
*** ekarlso- has quit IRC		17:20
*** jdennis has quit IRC		17:20
*** Nakato has quit IRC		17:20
*** anteaya has quit IRC		17:20
*** krotscheck has quit IRC		17:20
*** bknudson has quit IRC		17:20
*** davechen_afk has quit IRC		17:20
*** _fortis has quit IRC		17:20
*** fpatwa has quit IRC		17:20
*** iurygregory has quit IRC		17:20
*** blogan has quit IRC		17:20
*** sshen has quit IRC		17:20
*** mkoderer__ has quit IRC		17:20
*** arunkant has quit IRC		17:20
*** BAKfr has quit IRC		17:20
*** BrAsS_mOnKeY has quit IRC		17:20
*** hughsaunders has quit IRC		17:20
*** dolphm has quit IRC		17:20
*** afazekas has quit IRC		17:20
*** smurke has quit IRC		17:20
*** pleia2 has quit IRC		17:20
*** timburke has quit IRC		17:20
*** bapalm has quit IRC		17:20
*** Tridde has quit IRC		17:20
*** lmiccini has quit IRC		17:20
*** baffle has quit IRC		17:20
*** kfox1111 has quit IRC		17:20
rderose	stevemar which is the unique_id	17:20
*** krotscheck has joined #openstack-keystone		17:20
*** jorge_munoz_ is now known as jorge_munoz		17:20
*** su_zhang has quit IRC		17:20
raildo	ayoung: sorry, I'm back	17:20
*** afazekas has joined #openstack-keystone		17:21
rderose	stevemar: user doesn't supply a user_id	17:21
*** miguelgrinberg_ has joined #openstack-keystone		17:21
*** bapalm has joined #openstack-keystone		17:21
*** dolphm has joined #openstack-keystone		17:21
*** ChanServ sets mode: +o dolphm		17:21
*** blogan has joined #openstack-keystone		17:21
*** miguelgrinberg_ is now known as miguelgrinberg		17:21
*** su_zhang has joined #openstack-keystone		17:21
*** BAKfr has joined #openstack-keystone		17:21
*** hughsaunders has joined #openstack-keystone		17:21
*** mkoderer___ has joined #openstack-keystone		17:21
*** dims has joined #openstack-keystone		17:22
rderose	stevemar: sorry for the confusion, we get the "id" from the mapped properties, which is actually the unique id within the scope of the IdP	17:22
*** lmiccini has joined #openstack-keystone		17:23
rderose	stevemar: so the unique id is what we used to look up the user; if not found, exception with user_id = unique_id	17:23
*** fpatwa has joined #openstack-keystone		17:23
rderose	stevemar: does that make sense?	17:23
*** timburke has joined #openstack-keystone		17:23
stevemar	rderose: you gotta stop prefixing commits with "shadow users - "	17:23
stevemar	:)	17:23
stevemar	hmm	17:23
stevemar	marekd: good point	17:24
stevemar	rderose: i meant you, not marekd	17:24
stevemar	okay, keep it like that for now then	17:24
raildo	ayoung: lbragstad I added a comment here about it: https://review.openstack.org/#/c/258650/26/keystone/token/provider.py	17:25
patchbot	raildo: patch 258650 - keystone - [WIP]Make fernet default token provider	17:25
rderose	stevemar I stop the prefix, is it causing problems?	17:25
*** su_zhang has quit IRC		17:25
*** iurygregory has joined #openstack-keystone		17:26
*** ekarlso- has joined #openstack-keystone		17:27
*** edmondsw has joined #openstack-keystone		17:27
*** jsavak has quit IRC		17:28
*** arunkant has joined #openstack-keystone		17:28
*** jdennis has joined #openstack-keystone		17:28
*** anteaya has joined #openstack-keystone		17:28
*** jsavak has joined #openstack-keystone		17:28
*** rderose has quit IRC		17:29
*** timcline has joined #openstack-keystone		17:29
*** wasmum has joined #openstack-keystone		17:30
*** _fortis_ has joined #openstack-keystone		17:30
*** rk4n has quit IRC		17:30
samueldmq	henrynash: just left a couple of initial comments on patch 231289	17:31
patchbot	samueldmq: https://review.openstack.org/#/c/231289/ - keystone - Projects acting as domains	17:31
*** rderose has joined #openstack-keystone		17:31
samueldmq	henrynash: will keep reviewing; I posted them so we can start discussing/fixing	17:31
*** sdake has joined #openstack-keystone		17:34
*** _fortis_ is now known as _fortis		17:35
*** vilobhmm11 has quit IRC		17:38
samueldmq	ayoung: hi, I'd like to see your view on patch 243585	17:38
patchbot	samueldmq: https://review.openstack.org/#/c/243585/ - keystone - API support for project cascade update	17:38
samueldmq	ayoung: basically on the docstring at https://review.openstack.org/#/c/243585/25/keystone/common/controller.py	17:38
patchbot	samueldmq: patch 243585 - keystone - API support for project cascade update	17:38
samueldmq	ayoung: and the discussions round it	17:38
samueldmq	around*	17:39
stevemar	rderose: no problems, just friendly banter :)	17:39
rderose	stevemar :)	17:39
stevemar	rderose: same way you don't have to put everything as WIP until it's absotely perfect	17:39
stevemar	brb, gettin foodS!	17:40
ayoung	samueldmq, in a bit...heads down atthe moment	17:40
samueldmq	ayoung: kk	17:40
*** smurke has joined #openstack-keystone		17:41
samueldmq	stevemar: bon apetit	17:42
*** fhubik has joined #openstack-keystone		17:47
*** fhubik has quit IRC		17:48
*** jistr has quit IRC		17:49
*** su_zhang has joined #openstack-keystone		17:53
*** dan_nguyen has joined #openstack-keystone		17:55
*** browne has joined #openstack-keystone		17:56
*** spandhe has joined #openstack-keystone		17:57
*** vilobhmm11 has joined #openstack-keystone		17:59
*** jasonsb_ has quit IRC		18:00
*** jsavak has quit IRC		18:01
*** vilobhmm11 has quit IRC		18:02
henrynash	samueldmq: thx	18:04
*** rodrigod` is now known as rodrigods		18:04
*** su_zhang has quit IRC		18:06
samueldmq	henrynash: np, I still need to review the tests, doing in a bit	18:07
*** dims is now known as dimsum__		18:09
*** petertr7 is now known as petertr7_away		18:11
*** RichardRaseley has joined #openstack-keystone		18:11
EmilienM	stevemar: thanks	18:13
*** su_zhang has joined #openstack-keystone		18:16
kfox1111_	um, was just trying to move services out to its own domain...	18:16
*** clenimar has quit IRC		18:16
kfox1111_	keystone_authtoken doesn't seem to support setting user domain and project domain?	18:16
*** roxanagh_ has joined #openstack-keystone		18:19
kfox1111_	whats the difference between user and admin_user in keystone_authtoken?	18:22
*** roxanaghe has quit IRC		18:23
*** vilobhmm11 has joined #openstack-keystone		18:23
*** vilobhmm11 has quit IRC		18:23
*** vilobhmm11 has joined #openstack-keystone		18:23
kfox1111_	ah. old style vs new style config.	18:23
*** rderose has quit IRC		18:24
*** henrynash has quit IRC		18:26
*** rk4n has joined #openstack-keystone		18:27
*** su_zhang has quit IRC		18:28
*** su_zhang has joined #openstack-keystone		18:29
*** spzala has joined #openstack-keystone		18:30
*** bjornar__ has joined #openstack-keystone		18:30
*** lhcheng has joined #openstack-keystone		18:33
*** ChanServ sets mode: +v lhcheng		18:33
*** pushkaru has joined #openstack-keystone		18:34
*** vilobhmm11 has quit IRC		18:37
*** knikolla has quit IRC		18:40
*** knikolla has joined #openstack-keystone		18:40
*** vilobhmm11 has joined #openstack-keystone		18:41
*** rodrigods has quit IRC		18:49
*** rodrigods has joined #openstack-keystone		18:50
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Show unexpected error that was unexpected :) https://review.openstack.org/285495	18:50
*** fangxu has quit IRC		18:54
*** agireud has quit IRC		18:55
*** agireud has joined #openstack-keystone		18:57
*** rderose has joined #openstack-keystone		18:58
SamYaple	bknudson_: your patch does not seem to be doing what I would expect it to do (when applied my deployer still breaks and needs an explict keystone-bootstrap call to create domain)	18:59
SamYaple	bknudson_: but i havent debuged it yet, it looks like it should	19:00
bknudson_	SamYaple: what operation is it failing on?	19:00
*** vilobhmm11 has quit IRC		19:00
*** rk4n has quit IRC		19:00
*** vilobhmm11 has joined #openstack-keystone		19:01
SamYaple	bknudson_: so initial bootstrap we do in kolla via a python script we have via an admin token	19:02
SamYaple	thats still breaking	19:02
ayoung	stevemar, going to suggest we have one working session with the installers: invite in the Kolla and puppet-keystone folks to work with us on basic setup, install, and configuration issues	19:02
SamYaple	im looking into why	19:02
*** petertr7_away is now known as petertr7		19:02
*** su_zhang has quit IRC		19:03
marekd	stevemar: rderose what i was mentioning to use all three attributes when user was not found.	19:04
*** su_zhang has joined #openstack-keystone		19:04
marekd	stevemar: rderose but since i seem to cause troubles and others dont see it required i am not going to do it anymore.	19:04
rderose	marekd :)	19:05
marekd	my point is just: if you identify fed user by a tuple (idp, proto,unique_id) keep doing this when you raise an exception saying who is missing in the database.	19:05
*** RichardRaseley has quit IRC		19:05
SamYaple	bknudson_: yea i think i see the issue	19:06
SamYaple	even though we are explictly specifying the v2.0 api, the keystone client is still sending it to v3 autodetected api i think	19:07
stevemar	ayoung: good call	19:07
*** su_zhang has quit IRC		19:08
samueldmq	stevemar: hey	19:11
stevemar	samueldmq: hey	19:11
bknudson_	SamYaple: that sounds messed up	19:11
samueldmq	stevemar: so, need your view on cascade & reseller	19:11
*** su_zhang has joined #openstack-keystone		19:11
stevemar	samueldmq: gimmie the recap	19:11
rodrigods	ayoung, stevemar, ++	19:11
SamYaple	bknudson_: might be. im digging into it. ill save you my random musing while doing so ;)	19:12
samueldmq	stevemar: basically to confirm our plan still works	19:12
samueldmq	stevemar: reseller just needs a cople of updates, I am reviewing that	19:13
samueldmq	stevemar: I am also updating cascade thing	19:13
*** jed56 has quit IRC		19:13
samueldmq	stevemar: our plans are still to get them until Monday right ?	19:13
*** su_zhang has quit IRC		19:15
*** wasmum has quit IRC		19:15
*** su_zhang has joined #openstack-keystone		19:15
*** dimsum__ has quit IRC		19:16
*** petertr7 is now known as petertr7_away		19:17
samueldmq	stevemar: and if we don't, what's the plan? get them to rc or N (worst case I don't believe to be necessary)?	19:20
SamYaple	bknudson_: no its hitting v2.0, confirmed	19:20
SamYaple	keystone_client.tenants.create(tenant_name=project_name)	19:20
SamYaple	*** NotFound: Could not find domain: default (HTTP 404) (Request-ID: req-8b01232f-7cf8-4762-91b1-8d6928a1538c)	19:20
SamYaple	perhaps i misunderand the purpose of the patch	19:21
SamYaple	?	19:21
bknudson_	SamYaple: hmm, that should be taken care of with https://review.openstack.org/#/c/284778/3/keystone/resource/controllers.py line 100	19:21
patchbot	bknudson_: patch 284778 - keystone - V2 operations create default domain on demand	19:21
bknudson_	I'll try it out in a few minutes. I just wrote the test!	19:22
SamYaple	bknudson_: let me validate that line has changed in the running keystone deploy	19:22
boltR	j #openstack-horizon	19:24
*** wasmum has joined #openstack-keystone		19:25
openstackgerrit	Brant Knudson proposed openstack/keystone: Fix doc build warnings https://review.openstack.org/285507	19:25
SamYaple	bknudson_: disregard!	19:26
SamYaple	patch didnt properly apply	19:26
SamYaple	all is well	19:26
bknudson_	SamYaple: great, thanks for trying it out	19:26
SamYaple	yea thanks for the patch, now lets get it merged before people notice!	19:26
*** spzala has quit IRC		19:34
*** petertr7_away is now known as petertr7		19:36
*** porunov has joined #openstack-keystone		19:38
stevemar	samueldmq: i'm not inclined to introduce a massive change like reseller into the RC period, it can go into N	19:41
stevemar	samueldmq: i don't understand the rush to squeeze that into M, can you explain why?	19:42
ayoung	self.v3_create_token(scoped_token, expected_status=http_client.INTERNAL_SERVER_ERROR) 500? http://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/unit/test_v3_federation.py#n2039	19:42
ayoung	stevemar, its been malingereing for ove a year now	19:42
ayoung	but I have a feeling a few things will Miss Mitaka	19:43
stevemar	ayoung: the specific last patch doesn't provide any benefit AFAICT, just a restructure of internal data	19:43
ayoung	stevemar, I'm just jumping in here...hadn't looked at it.	19:44
stevemar	ayoung: i feel cascade delete/update will make it, we can even shove it what we have now and deal with policy as a bug, meh	19:44
ayoung	cool	19:44
stevemar	ayoung: i'm talking about this one for reseller: https://review.openstack.org/#/c/231289/	19:44
patchbot	stevemar: patch 231289 - keystone - Projects acting as domains	19:44
*** aginwala has joined #openstack-keystone		19:44
ayoung	stevemar, according to nkinder , LDAP doesn't even support tree delete without a special control. It makes you go node by node	19:44
ayoung	stevemar, yeah...nice to have, not need to have I think	19:45
stevemar	ayoung: ldap for resource is nuked anyway, but that's a good reference point	19:45
ayoung	stevemar, nah, I am just using that as a comparison other for the project tree.	19:45
ayoung	I need food	19:46
stevemar	and shadow users i'm testing now, but running into config issues with federation as a whole	19:46
stevemar	ayoung: go eat!	19:46
stevemar	ayoung: understood	19:46
ayoung	stevemar, I just find it funy that we have federation unit tests that expect a 500	19:46
ayoung	see above	19:46
stevemar	=\	19:47
stevemar	ayoung: see last nights technical debt convo, we need better error messages for federation work flow	19:47
*** vilobhmm11 has quit IRC		19:47
*** vilobhmm111 has joined #openstack-keystone		19:48
*** erhudy has joined #openstack-keystone		19:48
openstackgerrit	Trevor McCasland proposed openstack/keystone: Add validation parameter "max_name_size" https://review.openstack.org/285393	19:48
openstackgerrit	Alexander Makarov proposed openstack/keystone: WIP/DNM Closure table for HMT https://review.openstack.org/285521	19:50
*** gordc has quit IRC		19:51
openstackgerrit	Merged openstack/keystone: Delay using threading.local() to fix check job failure https://review.openstack.org/284965	19:51
*** jorge_munoz has quit IRC		19:52
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/284804	19:55
*** rk4n has joined #openstack-keystone		19:58
*** spandhe has quit IRC		19:58
*** spzala has joined #openstack-keystone		20:02
*** aginwala has quit IRC		20:02
openstackgerrit	Steve Martinelli proposed openstack/keystone: Fix the migration issue for the user with null password https://review.openstack.org/285152	20:05
*** aginwala has joined #openstack-keystone		20:06
*** spzala has quit IRC		20:06
*** spzala has joined #openstack-keystone		20:06
stevemar	bknudson_: can you look @ https://review.openstack.org/#/c/285152/4 ?	20:07
patchbot	stevemar: patch 285152 - keystone - Fix the migration issue for the user with null pas...	20:07
openstackgerrit	Merged openstack/keystone: Enable LDAP connection pooling by default https://review.openstack.org/285008	20:07
bknudson_	stevemar: I'll add it to my list	20:08
stevemar	bknudson_: thank you	20:12
*** spandhe has joined #openstack-keystone		20:13
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/284804	20:17
*** alejandrito has joined #openstack-keystone		20:20
*** henrynash has joined #openstack-keystone		20:22
*** ChanServ sets mode: +v henrynash		20:22
*** yarkot_ has joined #openstack-keystone		20:22
*** gordc has joined #openstack-keystone		20:23
openstackgerrit	Jamie Lennox proposed openstack/keystone: Add identity endpoint creation to bootstrap https://review.openstack.org/285102	20:25
*** yarkot_ has quit IRC		20:26
*** spzala has quit IRC		20:27
*** su_zhang has quit IRC		20:27
*** su_zhang has joined #openstack-keystone		20:28
*** spzala has joined #openstack-keystone		20:28
*** spzala has quit IRC		20:28
stevemar	jamielennox: go to sleep	20:28
*** rk4n has quit IRC		20:31
*** su_zhang has quit IRC		20:32
*** pushkaru has quit IRC		20:33
*** aginwala has quit IRC		20:42
*** roxanagh_ has quit IRC		20:42
*** dims has joined #openstack-keystone		20:48
*** annasort has quit IRC		20:54
*** aginwala has joined #openstack-keystone		20:54
*** dave-mccowan has quit IRC		20:56
*** pauloewerton has quit IRC		20:57
*** fesp has joined #openstack-keystone		20:58
*** petertr7 is now known as petertr7_away		21:01
*** petertr7_away is now known as petertr7		21:02
*** su_zhang has joined #openstack-keystone		21:05
openstackgerrit	henry-nash proposed openstack/keystone: Projects acting as domains https://review.openstack.org/231289	21:06
henrynash	samuedlmq, ayoung, dstanek: latest version of projects as a domain patch availlable with all suggested fixes so far….	21:07
ayoung	henrynash, cool	21:07
ayoung	henrynash, I'm busy doing unspeakable things to the token validation process	21:07
*** pgbridge has quit IRC		21:08
samueldmq	henrynash: nice, I will take another look	21:08
henrynash	ayoung: and more power to you, sir	21:08
*** yarkot_ has joined #openstack-keystone		21:13
openstackgerrit	Ron De Rose proposed openstack/keystone: Shadow users - Shadow federated users https://review.openstack.org/279162	21:14
*** admin0 has joined #openstack-keystone		21:15
*** alejandrito has quit IRC		21:16
admin0	guys . i am not a developer, but an operator .. can keystone ( only keystone) be upgraded from say icehouse => liberty, keeping the icehouse cluster/region working .. and opening up the possibility to add region2 in liberty ?	21:16
*** rderose has quit IRC		21:17
samueldmq	henrynash: and we still need someone else's opinion on ?cascade thing :(	21:20
stevemar	why is mod_auth_openidc eating my assertion data? :X	21:21
stevemar	admin0: i think you may be better off asking the question in #openstack-operators	21:21
stevemar	or on the mailing list	21:22
admin0	which specific mailing list ?	21:22
stevemar	i think all the devs will want to say "yes!"	21:22
admin0	the general one ?	21:22
admin0	:D	21:22
stevemar	admin0: there's an operator one	21:22
stevemar	admin0: http://lists.openstack.org/pipermail/openstack-operators/	21:22
*** henrynash has quit IRC		21:23
*** fangxu has joined #openstack-keystone		21:23
* admin0 still could not find the search archives button		21:25
*** rk4n has joined #openstack-keystone		21:27
samueldmq	stevemar: ayoung: would like to get your view on patch 243585	21:28
patchbot	samueldmq: https://review.openstack.org/#/c/243585/ - keystone - API support for project cascade update	21:28
samueldmq	so we can update it to a potential final version :)	21:28
ayoung	samueldmq, and I would like to figure out the Freaking Federation token flow	21:28
ayoung	why do we have test that check that we throw a 500?	21:29
ayoung	GAH	21:29
ayoung	and what did I do to break that	21:29
*** yarkot_ has quit IRC		21:29
stevemar	samueldmq: will do	21:29
samueldmq	ayoung: sound sodd	21:30
stevemar	samueldmq: huh? i thought it was updated :\	21:30
samueldmq	ayoung: odd*	21:30
samueldmq	stevemar: almost, just need a decision until I send a new patchset	21:30
samueldmq	stevemar: you just need to read the doc in https://review.openstack.org/#/c/243585/25/keystone/common/controller.py	21:30
patchbot	samueldmq: patch 243585 - keystone - API support for project cascade update	21:30
stevemar	samueldmq: yeah, reading it now	21:30
samueldmq	stevemar: and the suggestion henry raised tehre	21:31
*** roxanaghe has joined #openstack-keystone		21:31
*** jorge_munoz has joined #openstack-keystone		21:34
*** ninag has quit IRC		21:36
*** aginwala has quit IRC		21:36
*** henrynash has joined #openstack-keystone		21:36
*** ChanServ sets mode: +v henrynash		21:36
*** fesp has quit IRC		21:37
*** henrynash has quit IRC		21:37
*** fesp has joined #openstack-keystone		21:38
openstackgerrit	Monty Taylor proposed openstack/python-keystoneclient: Revert "Support `truncated` flag returned by identity service" https://review.openstack.org/285549	21:39
*** agireud has quit IRC		21:41
*** jamielennox is now known as jamielennox\|away		21:43
*** agireud has joined #openstack-keystone		21:43
stevemar	breton: ^ :(	21:44
*** porunov has quit IRC		21:45
*** browne has quit IRC		21:46
*** pushkaru has joined #openstack-keystone		21:48
*** browne has joined #openstack-keystone		21:49
*** rk4n has quit IRC		22:01
*** petertr7 is now known as petertr7_away		22:03
*** aginwala has joined #openstack-keystone		22:07
openstackgerrit	ayoung proposed openstack/keystone: Remove unneeded revocation events rebuild token on validation https://review.openstack.org/285134	22:10
*** knikolla has quit IRC		22:11
admin0	where can i find good tests of keystone ( without installing all openstack components ) — so that i can be assured it works	22:14
admin0	like install juno,test .. upgrade to kilo .. test again, upgrade to liberty .. test again ..are those tests defined ?	22:15
*** browne has quit IRC		22:17
*** browne has joined #openstack-keystone		22:24
*** su_zhang has quit IRC		22:32
*** su_zhang has joined #openstack-keystone		22:32
*** su_zhang has quit IRC		22:39
*** su_zhang has joined #openstack-keystone		22:39
*** lhcheng has quit IRC		22:43
*** lhcheng has joined #openstack-keystone		22:46
*** ChanServ sets mode: +v lhcheng		22:46
*** aginwala has quit IRC		22:46
*** aginwala has joined #openstack-keystone		22:49
openstackgerrit	Ron De Rose proposed openstack/keystone: Shadow users - Shadow federated users https://review.openstack.org/279162	22:51
openstackgerrit	Ron De Rose proposed openstack/keystone: Shadow users - Concrete role assignments for federated users https://review.openstack.org/284943	22:55
*** gordc has quit IRC		22:56
*** rk4n has joined #openstack-keystone		22:58
*** fesp has quit IRC		22:59
*** lhcheng has quit IRC		23:01
*** aginwala has quit IRC		23:06
*** lhcheng has joined #openstack-keystone		23:06
*** ChanServ sets mode: +v lhcheng		23:06
*** dims has quit IRC		23:07
*** sigmavirus24 is now known as sigmavirus24_awa		23:08
openstackgerrit	Ron De Rose proposed openstack/keystone: Shadow users - Shadow federated users https://review.openstack.org/279162	23:10
*** daemontool_ has joined #openstack-keystone		23:10
openstackgerrit	Ron De Rose proposed openstack/keystone: Shadow users - Concrete role assignments for federated users https://review.openstack.org/284943	23:10
*** aginwala has joined #openstack-keystone		23:13
*** daemontool has quit IRC		23:13
*** rk4n has quit IRC		23:15
*** rk4n has joined #openstack-keystone		23:16
*** ccard_ has joined #openstack-keystone		23:16
*** ccard__ has quit IRC		23:19
openstackgerrit	Sam Leong proposed openstack/keystoneauth: Auth plugin for X.509 tokenless authz https://review.openstack.org/283905	23:19
*** pushkaru has quit IRC		23:21
*** slberger has left #openstack-keystone		23:31
*** dims has joined #openstack-keystone		23:34
*** rk4n has quit IRC		23:34
*** spandhe has quit IRC		23:35
*** jorge_munoz has quit IRC		23:39
*** edmondsw has quit IRC		23:39
*** erhudy has quit IRC		23:40
*** rk4n has joined #openstack-keystone		23:45
*** rk4n has quit IRC		23:47
*** spandhe has joined #openstack-keystone		23:47
*** aginwala has quit IRC		23:52
*** sdake has quit IRC		23:53
*** sdake_ has joined #openstack-keystone		23:53
*** aginwala has joined #openstack-keystone		23:55

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!