Monday, 2016-03-28

*** spzala has quit IRC [00:04]
*** spzala has joined #openstack-keystone [00:09]
*** bjornar has quit IRC [01:00]
<openstackgerrit> fengzhr proposed openstack/keystone: The name can be just white character except project and user https://review.openstack.org/272358 [01:21]
*** spzala_ has joined #openstack-keystone [01:24]
*** spzala has quit IRC [01:26]
*** EinstCrazy has joined #openstack-keystone [01:29]
*** mylu has quit IRC [01:42]
*** mylu has joined #openstack-keystone [01:43]
*** dan_nguyen has joined #openstack-keystone [01:49]
*** EinstCrazy has quit IRC [02:10]
*** sdake has joined #openstack-keystone [02:11]
*** EinstCrazy has joined #openstack-keystone [02:11]
*** jamielennox is now known as jamielennox|away [02:13]
*** sdake has quit IRC [02:18]
*** dan_nguyen has quit IRC [02:20]
*** ebalduf has joined #openstack-keystone [02:24]
*** david_cu has joined #openstack-keystone [03:12]
*** EinstCra_ has joined #openstack-keystone [03:22]
*** EinstCrazy has quit IRC [03:24]
*** spzala_ has quit IRC [03:26]
*** spzala has joined #openstack-keystone [03:27]
*** spzala has quit IRC [03:31]
*** links has joined #openstack-keystone [03:33]
*** david_cu has quit IRC [03:39]
*** david_cu has joined #openstack-keystone [03:40]
*** dan_nguyen has joined #openstack-keystone [03:41]
*** dan_nguyen has quit IRC [03:49]
*** david_cu has quit IRC [03:57]
*** ebalduf has quit IRC [04:03]
*** david_cu has joined #openstack-keystone [04:14]
<morgan> stevemar: i vote we ignore D400 indefinitely [04:21]
<morgan> stevemar: re: https://bugs.launchpad.net/keystone/+bug/1562250 [04:21]
<openstack> Launchpad bug 1562250 in OpenStack Identity (keystone) "Enforce PEP8 coding convention - D400:First line should end with a period." [Wishlist,In progress] - Assigned to Steve Martinelli (stevemar) [04:21]
<morgan> stevemar: this doesn't really provide a lot of benefit and is firmly in the category of "meh". I'm fine with the newline requirements etc, but this one feels like something we shouldn't bother with even though the code is proposed. [04:22]
<stevemar> morgan: i had the same opinion, but I run a quick codesearch and i think we're in the minority [04:24]
<morgan> stevemar: doesn't mean i still don't think it's worth enforcing [04:25]
<morgan> stevemar: it's silly, trivial, and not worth causing the gate to bounce it out for imho [04:25]
<morgan> i commented on the bug and on the patch (+1, but i won't ever +2 it) [04:25]
<stevemar> morgan: yeah, i get ya. i did it on a whim since someone filed a bug [04:26]
<morgan> if i'd had caught the bug i'd have "wont fixed" the bug ;) [04:26]
<morgan> but since you had written code and all.... [04:26]
<stevemar> morgan: dolph recommended it to a few utsa students as low hanging fruit, i didn't realize it was meant for them :( [04:26]
<morgan> doh! [04:28]
*** pgreg has joined #openstack-keystone [04:48]
*** david_cu has quit IRC [04:52]
*** roxanaghe has joined #openstack-keystone [05:45]
*** roxanaghe has quit IRC [05:47]
<prometheanfire> well [05:50]
<prometheanfire> db_sync fails from liberty -> mitaka [05:50]
<prometheanfire> 2016-03-28 00:50:19.741 6595 ERROR oslo_db.sqlalchemy.exc_filters ProgrammingError: column "domain_id" of relation "role" already exists [05:51]
<prometheanfire> I'm guessing no one tested this on postgres? [05:52]
<prometheanfire> that was 088_domain_specific_roles.py, 091_migrate_data_to_local_user_and_password_tables.py also fails [05:58]
<prometheanfire> fyi, none of the other services failed db_upgrade [05:58]
<prometheanfire> well, this upgrade fucked my install I think [06:03]
<prometheanfire> and to run some stuff manually, not sure if I did it right, but keystone's running again [06:10]
*** harlowja_at_home has quit IRC [06:12]
*** GB21 has joined #openstack-keystone [06:17]
*** rk4n has joined #openstack-keystone [06:17]
*** Nirupama has joined #openstack-keystone [06:18]
*** harlowja_at_home has joined #openstack-keystone [06:23]
*** rk4n has quit IRC [06:24]
*** mylu has quit IRC [06:27]
*** naresht has joined #openstack-keystone [06:28]
*** spzala has joined #openstack-keystone [06:32]
*** spzala has quit IRC [06:36]
<openstackgerrit> Merged openstack/keystone: Update dev docs and sample script for v3/bootstrap https://review.openstack.org/290897 [06:38]
*** roxanaghe has joined #openstack-keystone [06:47]
*** pcaruana has joined #openstack-keystone [06:49]
*** roxanaghe has quit IRC [06:52]
*** gangadhar has joined #openstack-keystone [06:53]
*** sheel has joined #openstack-keystone [06:54]
<gangadhar> Hi everyone. I want to configure keystone to ldap server. [07:10]
<gangadhar> I have installed devstack with default sql driver and installed openldap in another machine [07:11]
<gangadhar> How can I create users in ldap server and configure in keystone.conf? [07:12]
*** e0ne has joined #openstack-keystone [07:15]
*** e0ne has quit IRC [07:18]
<prometheanfire> ya, they seem to be afk now [07:27]
*** spzala has joined #openstack-keystone [07:32]
<prometheanfire> has anyone tested this? for some reason openstack endpoint list is trying to go somewhere it shouldn't, almost like it's removing a slash...... [07:33]
<prometheanfire> https://example.com:35357admin/v3/auth/tokens: [07:33]
*** spzala has quit IRC [07:38]
<prometheanfire> so [07:40]
<prometheanfire> why is the openstack client mangling the url incorrectly [07:40]
<prometheanfire> btw [07:40]
<prometheanfire> this is with the stable/mitaka upper-constraints [07:40]
<prometheanfire> so this breaks shit [07:40]
*** GB21 has quit IRC [07:43]
<prometheanfire> seems to be common, not just the admin url [07:48]
<prometheanfire> db has this for endpoint https://example.com:5000/v3 [07:48]
<prometheanfire> so that seems fine [07:48]
<prometheanfire> first request seems to pass, but returns the wrong url [07:52]
<prometheanfire> returns it without the slash [07:52]
<prometheanfire> RESP BODY: {"version": {"status": "stable", "updated": "2016-04-04T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.6", "links": [{"href": "https://example.com:5000admin/v3/", "rel": "self"}]}} [07:53]
*** spzala has joined #openstack-keystone [07:54]
<prometheanfire> debug log of keystone doesn't show anything other than keystone/middleware/auth.py:71 being called [07:55]
*** tqtran has joined #openstack-keystone [07:58]
*** spzala has quit IRC [07:58]
<prometheanfire> ok, new release seems fucked, rolling back [08:00]
*** henrynash has joined #openstack-keystone [08:01]
*** ChanServ sets mode: +v henrynash [08:01]
<prometheanfire> well, neat, can't because DB upgrades are one way [08:01]
<prometheanfire> so [08:06]
<prometheanfire> not sure where the code keystone uses to build the url returned to clients is, but it fails [08:07]
<prometheanfire> it strips or doesn't include the slash between port and path [08:07]
<prometheanfire> https://example.com:5000admin/v3/ for example [08:07]
<prometheanfire> this causes clients to fail [08:07]
*** e0ne has joined #openstack-keystone [08:14]
*** rk4n has joined #openstack-keystone [08:15]
*** rk4n has quit IRC [08:18]
*** rk4n has joined #openstack-keystone [08:18]
*** roxanaghe has joined #openstack-keystone [08:36]
*** GB21 has joined #openstack-keystone [08:36]
*** roxanaghe has quit IRC [08:40]
*** martinus__ has quit IRC [08:48]
*** spzala has joined #openstack-keystone [08:55]
*** spzala has quit IRC [09:00]
*** GB21 has quit IRC [09:16]
*** agireud has quit IRC [09:27]
*** agireud has joined #openstack-keystone [09:28]
*** gangadhar has quit IRC [09:31]
*** henrynash has quit IRC [09:33]
*** gangadhar has joined #openstack-keystone [09:34]
<gangadhar> Why project admin is unable to grant a role to user? Using this policy: https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json [09:34]
<gangadhar> But changing the line from "identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants" to "identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_list_grants or rule:project_admin_for_list_grants" it started working [09:35]
*** pcaruana has quit IRC [09:42]
*** pcaruana has joined #openstack-keystone [09:55]
*** spzala has joined #openstack-keystone [09:56]
*** GB21 has joined #openstack-keystone [09:59]
*** spzala has quit IRC [10:01]
<openstackgerrit> Boris Bobrov proposed openstack/python-keystoneclient: Support flag `truncated` returned by identity service https://review.openstack.org/293048 [10:01]
<gangadhar> Any help regarding issue "project admin is unable to grant a role to user"? ^^^ [10:11]
*** GB21 has quit IRC [10:14]
*** GB21 has joined #openstack-keystone [10:21]
*** roxanaghe has joined #openstack-keystone [10:24]
*** EinstCra_ has quit IRC [10:25]
*** roxanaghe has quit IRC [10:28]
*** tqtran has quit IRC [10:30]
<gangadhar> Any help on domain things? [10:49]
*** GB21 has quit IRC [10:54]
*** spzala has joined #openstack-keystone [10:57]
*** spzala has quit IRC [11:02]
*** rodrigods has quit IRC [11:03]
*** rodrigods has joined #openstack-keystone [11:03]
*** pcaruana has quit IRC [11:09]
*** GB21 has joined #openstack-keystone [11:11]
*** trown|outtypewww is now known as trown|PTO [11:22]
*** pcaruana has joined #openstack-keystone [11:23]
*** tqtran has joined #openstack-keystone [11:26]
*** doug-fish has joined #openstack-keystone [11:27]
*** GB21 has quit IRC [11:27]
*** tqtran has quit IRC [11:31]
*** gordc has joined #openstack-keystone [11:33]
*** GB21 has joined #openstack-keystone [11:47]
*** flaper87 has quit IRC [11:48]
*** EinstCrazy has joined #openstack-keystone [11:50]
*** flaper87 has joined #openstack-keystone [11:51]
*** pauloewerton has joined #openstack-keystone [11:55]
*** spzala has joined #openstack-keystone [11:58]
*** spzala has quit IRC [12:03]
*** roxanaghe has joined #openstack-keystone [12:12]
*** roxanaghe has quit IRC [12:17]
*** bjornar has joined #openstack-keystone [12:20]
*** spandhe has quit IRC [12:29]
*** edmondsw has joined #openstack-keystone [12:30]
*** GB21 has quit IRC [12:34]
*** pcaruana has quit IRC [12:39]
<raildo> gangadhar: project admin can grant a role to user, "rule:project_admin_for_grants" [12:49]
*** pcaruana has joined #openstack-keystone [12:52]
*** pnavarro has joined #openstack-keystone [12:52]
*** spzala has joined #openstack-keystone [12:59]
*** xenogear has joined #openstack-keystone [13:00]
*** spzala has quit IRC [13:04]
*** ninag has joined #openstack-keystone [13:11]
*** spzala has joined #openstack-keystone [13:12]
*** rcrit_ has quit IRC [13:16]
*** xenogear has quit IRC [13:18]
*** pnavarro has quit IRC [13:21]
*** pnavarro has joined #openstack-keystone [13:21]
*** pnavarro has quit IRC [13:21]
*** ayoung has joined #openstack-keystone [13:22]
*** ChanServ sets mode: +v ayoung [13:22]
*** jsavak has joined #openstack-keystone [13:25]
*** amakarov has quit IRC [13:26]
*** tqtran has joined #openstack-keystone [13:28]
*** tqtran has quit IRC [13:32]
*** amakarov has joined #openstack-keystone [13:32]
*** links has quit IRC [13:36]
*** openstackgerrit has quit IRC [13:48]
*** openstackgerrit has joined #openstack-keystone [13:48]
*** richm has joined #openstack-keystone [13:50]
*** EinstCrazy has quit IRC [13:52]
*** Nirupama has quit IRC [13:52]
<openstackgerrit> Merged openstack/keystone: Fix keystone-manage config file path https://review.openstack.org/296110 [13:57]
*** sigmavirus24_awa is now known as sigmavirus24 [13:59]
*** ametts has joined #openstack-keystone [13:59]
*** roxanaghe has joined #openstack-keystone [14:00]
*** rdo has quit IRC [14:00]
*** ebalduf has joined #openstack-keystone [14:00]
*** hongbin has joined #openstack-keystone [14:01]
*** rdo has joined #openstack-keystone [14:02]
*** knikolla has joined #openstack-keystone [14:04]
*** roxanaghe has quit IRC [14:04]
*** hongbin has left #openstack-keystone [14:07]
*** gangadhar has quit IRC [14:11]
*** tellesnobrega_af is now known as tellesnobrega [14:13]
<lbragstad> o/ mornin' [14:18]
*** doug-fis_ has joined #openstack-keystone [14:19]
*** slberger has joined #openstack-keystone [14:19]
*** knikolla has quit IRC [14:20]
*** knikolla has joined #openstack-keystone [14:21]
*** doug-fish has quit IRC [14:21]
<knikolla> o/ [14:21]
*** mhickey has joined #openstack-keystone [14:23]
<morgan> Oh hai [14:32]
<ayoung> knikolla, you tracking on the LDAP stuff? [14:34]
*** pauloewerton has quit IRC [14:34]
*** shangxdy has joined #openstack-keystone [14:36]
<knikolla> ayoung, yeah. [14:37]
<knikolla> morgan, thanks for the feedback. [14:37]
<morgan> knikolla: of course. You're also going to want to propose moving the ldap3 spec from back log to Newton [14:37]
<morgan> In the keystone-specs repo [14:38]
*** markvoelker has joined #openstack-keystone [14:38]
<morgan> knikolla: it is looking good. Some general cleanup, and tests and we might have an ldap3 driver early in the cycle ;) [14:39]
*** pushkaru has joined #openstack-keystone [14:39]
<knikolla> morgan, i'll do that. who should i set as assignees and contributors? [14:40]
<morgan> You as assignee and if someone else is contributing significantly, them. [14:40]
*** sdake has joined #openstack-keystone [14:42]
*** mylu has joined #openstack-keystone [14:42]
*** csoukup has joined #openstack-keystone [14:43]
<ayoung> the spec is written knikolla , just git move it and submit as a review [14:43]
<ayoung> feel free to update the contributors, but leave me as the owner [14:44]
<stevemar> ayoung knikolla i'm actually going to clean up the specs today [14:44]
*** mylu has quit IRC [14:44]
<knikolla> stevemar, ongoing = newton? [14:44]
<ayoung> knikolla, you get credit if it succeeds.  I take blame if it fails. [14:44]
*** mylu has joined #openstack-keystone [14:44]
<morgan> knikolla: https://github.com/openstack/keystone-specs/blob/master/specs/backlog/ldap3.rst [14:45]
<stevemar> knikolla: yep [14:45]
<knikolla> morgan, yep, i've already read most of the specs :) [14:45]
<knikolla> ayoung, thanks [14:46]
<morgan> stevemar: so do we have a need for another RC yet? I think I saw some possible major issues with links overnight by prometheanfire [14:46]
<morgan> stevemar: and possibly a postgres migrate fail [14:46]
<stevemar> morgan: yeah... i saw those this morning, not sure what's going on there [14:46]
*** sdake has quit IRC [14:46]
*** sdake has joined #openstack-keystone [14:47]
<morgan> The links thing worries me the most [14:47]
<morgan> Since it could potentially affect a wide range of deploys. [14:48]
*** timcline has joined #openstack-keystone [14:48]
<bknudson> there were changes to the links code -- https://review.openstack.org/#/c/226464/ [14:49]
<patchbot> bknudson: patch 226464 - keystone - wsgi: fix base_url finding (MERGED) [14:49]
<morgan> bknudson: that might be it. Let me take a look [14:49]
<stevemar> morgan: did prometheanfire file a bug? [14:49]
<morgan> stevemar: unknown, I opted to ignore when I was half asleep [14:50]
<stevemar> morgan: maybe it is osc :P [14:50]
<morgan> stevemar: nah, the json from keystone was missing the slash from what I saw in the backlog [14:50]
<morgan> stevemar: let me take a gander at the code - it might be straightforward [14:51]
<morgan> euuw.. we use url = 'http://localhost:%d' % CONF.eventlet_server.public_port ... :P [14:52]
<prometheanfire> I didn't file a bug yey [14:52]
<prometheanfire> I didn't file a bug yet [14:52]
<ayoung> stevemar, morgan for the OpenStack deploys you have worked on, have they been puppet managed?  I'm trying to figure out how to distributed update policy files. [14:52]
<prometheanfire> also, not using eventlet, but wsgi [14:53]
<ayoung> Or have we all just punted on that thus far? [14:53]
<lbragstad> tjcocozz morgan do we (as keystone) publish our test coverage results - or run them through jenkins? [14:53]
<morgan> prometheanfire: oooh. yeah ok i think i know where this is then. [14:53]
<morgan> prometheanfire: this is likely exclusive to eventlet (sorry) also move to mod_wsgi soon ;) [14:53]
<morgan> prometheanfire: or uwsgi (eventlet is going away in Newton) [14:53]
<tjcocozz> lbragstad, we will soon. we were running the coverage test after patch gets merged for some reason https://review.openstack.org/#/c/297351/ [14:54]
<patchbot> tjcocozz: patch 297351 - openstack-infra/project-config - Move `keystone-coverage-db` job to check queue [14:54]
<morgan> ayoung: uhm. i have usually worked with things ansible/puppet/chef based [14:54]
<prometheanfire> uwsgi uses the same code path as eventlet? [14:54]
<morgan> prometheanfire: not exactly [14:54]
<lbragstad> tjcocozz so are test coverage results of a patch going to be viewable when it's up for review? [14:55]
<morgan> prometheanfire: it uses a bit of code that is somewhere more similar to mod_wsgi, but it is run/managed by the uwsgi app instead of keystone's "keystone-all" script and python implementation of coroutines [14:55]
<prometheanfire> I do go through a socket with eventlet [14:55]
<lbragstad> tjcocozz I should be able to click on the job link and see the output of the coverage run, right? [14:55]
<tjcocozz> lbragstad, yes. [14:55]
<lbragstad> tjcocozz sweet [14:55]
<prometheanfire> bah [14:55]
<prometheanfire> I do go through a socket with uwsgi [14:56]
<lbragstad> tjcocozz so do we have a path forward for this? [14:56]
<lbragstad> https://review.openstack.org/#/c/294189/2 [14:56]
<patchbot> lbragstad: patch 294189 - keystone - Add `patch_cover` to keystone [14:56]
*** mylu has quit IRC [14:56]
<morgan> prometheanfire: uwsgi is a standalone process(es) and can use a unix domain socket [14:56]
<prometheanfire> right [14:56]
<lbragstad> tjcocozz or do we need it anymore? [14:56]
<openstackgerrit> Merged openstack/python-keystoneclient: Allow seeing full token response when debug enabled https://review.openstack.org/292414 [14:56]
*** pauloewerton has joined #openstack-keystone [14:56]
*** mylu has joined #openstack-keystone [14:56]
<morgan> prometheanfire: or listen locally with uwsgi protocol, wsgi protocol, or serve HTTP directly [14:56]
<morgan> tjcocozz: my -1 on your cover patch was in agreement with bknudson, but i am also concerned about strict gating. [14:57]
<tjcocozz> lbragstad, i am not sure what you mean by path forward . i think let me find another project that is doing that already to double check. [14:57]
<tjcocozz> morgan, there won't be strict gating [14:57]
<morgan> tjcocozz: then i'm happy with the patch post fix bknudson pointed out [14:57]
<tjcocozz> morgan, it will be non-voting at best. [14:57]
<morgan> tjcocozz: :) [14:57]
<lbragstad> tjcocozz I was wondering if we are still going to have a patch_cover method if we are going to be publishing our testing results on every patch [14:57]
*** fawadkhaliq has joined #openstack-keystone [14:58]
<morgan> lbragstad: it could just be a jenkins job with results. [14:58]
<morgan> prometheanfire: so let me take a look at the eventlet path - i think i have an idea of what is going on. [14:58]
<lbragstad> tjcocozz maybe we just start with publishing results first and then build more advanced coverage comparison once we get used to having coverage published/ [14:58]
<lbragstad> ? [14:58]
* lbragstad shrugs [14:58]
<prometheanfire> k [14:58]
<tjcocozz> lbragstad, with the current patches up we will have both.  Looking at other project they are running just my path_cover change under 'tox -e cover' [14:59]
<morgan> lbragstad: i think it's fair to just start with coverage stuff like tjcocozz proposed especially if it's at most non-vote [14:59]
<morgan> stevemar: ^ cc (re coverage) [14:59]
<prometheanfire> it was confusing for a long time, thought I was doing something wrong, but the DB has the right entries in the endpoint table [14:59]
<morgan> prometheanfire: yeah i was going to ask for a copy of the DB entries once i got deeper if i didn't find anything [15:00]
<prometheanfire> morgan: also, when bypassing auth (using the admin token), it works [15:00]
*** jsavak has quit IRC [15:00]
*** mylu has quit IRC [15:00]
<stevemar> morgan: we have a coverage job that runs in the *post* section of our gate... not sure how useful it is there [15:00]
<lbragstad> tjcocozz is that script copy/pasted from somewhere - or another project? [15:00]
<morgan> prometheanfire: expected w/ admin_token - it doesn't use the catalog [15:00]
<prometheanfire> k [15:00]
<tjcocozz> lbragstad, i added where i found it in the patch. [15:00]
<morgan> stevemar: right, i think this should be (probably) a check non-vote [15:00]
<prometheanfire> well, I'm going afk for 10-15 min, will be back then [15:00]
<morgan> stevemar: (and with a comment that says this should *always* be non-vote) [15:01]
<morgan> prometheanfire: enjoy your AFK :) [15:01]
<tjcocozz> lbragstad, https://review.openstack.org/#/c/294189/2/tools/cover.sh [15:01]
<patchbot> tjcocozz: patch 294189 - keystone - Add `patch_cover` to keystone [15:01]
*** ebalduf has quit IRC [15:01]
<morgan> stevemar: once tjcocozz's patch lands. [15:01]
*** jsavak has joined #openstack-keystone [15:01]
<lbragstad> but we also have https://review.openstack.org/#/c/297351/1 [15:02]
<patchbot> lbragstad: patch 297351 - openstack-infra/project-config - Move `keystone-coverage-db` job to check queue [15:02]
<tjcocozz> lbragstad, right before 'ALLOWED_EXTRA_MISSING'   <- do you think that comment is enough? [15:02]
<morgan> stevemar: dude, 15" screen is sooooooooo massive compared to 14 and 13. [15:02]
*** diazjf has joined #openstack-keystone [15:03]
<stevemar> lbragstad: that's the right place for it :) [15:03]
*** mylu has joined #openstack-keystone [15:03]
<morgan> prometheanfire: ok i have a fix ( stevemar we have a RC blocker, filing the bug now ) [15:03]
<lbragstad> stevemar I agree [15:04]
<ayoung> morgan, I want the policy file IDs to be a hash of the contents of the policy. [15:04]
<morgan> stevemar: url = 'http://localhost:%d' % CONF.eventlet_server.public_port should be url = 'http://localhost:%d/' % CONF.eventlet_server.public_port [15:04]
<stevemar> morgan: ugh! okay, file away [15:04]
<stevemar> .... [15:04]
<ayoung> That gives us a few things [15:04]
<stevemar> damn eventlet [15:04]
<morgan> stevemar: or  the rstrip is doing it [15:04]
<morgan> but basically we used to do url = context['host_url'] [15:04]
<morgan> i am 2x checking before i write the code, but ick [15:05]
<bknudson> curl http://localhost:5000 works fine [15:05]
<ayoung> bah,...too much for an IRC conversation.  I'll write it up in an etherpad [15:05]
<morgan> bknudson: it's an issue with the resulting links in the body [15:05]
<morgan> ... <snip> "links": [{"href": "https://example.com:5000admin/v3/", "rel": "self"}]}} </snip> [15:06]
<morgan> so looking into what we changed/how eventlet is horked specifically in link generation now. [15:06]
<morgan> bknudson: or what could cause it. [15:06]
<bknudson> haven't seen that myself [15:06]
<morgan> bknudson: but from what prometheanfire is saying, upgrade broke his environment because of that ^ and keystone/osc-identity uses that [15:06]
<morgan> bknudson: it's eventlet specific it looks like. [15:07]
* morgan grabs power cord and goes and pokes at this a bit more. [15:07]
*** edmondsw has quit IRC [15:07]
*** rderose has joined #openstack-keystone [15:08]
*** tellesnobrega is now known as tellesnobrega_af [15:09]
<morgan> ayoung: ok. [15:11]
*** shangxdy has quit IRC [15:12]
<prometheanfire> morgan: if you have a patch I can test [15:16]
<morgan> prometheanfire: i'm trying to duplicate now. can you post your keystone.conf (minus sensitive data like sql-connection strings, admin_token value)? [15:17]
<prometheanfire> was converting to v3 at the same time as upgrade [15:17]
<prometheanfire> it's very basic [15:17]
<morgan> prometheanfire: just so i am sure i am looking at all the variables. [15:17]
<prometheanfire> k [15:18]
<morgan> prometheanfire: also please use paste.openstack.org to post it if you don't mind. [15:18]
<stevemar> converting endpoints to v3 at the same time is probably something you want to avoid doing at the same time [15:18]
<morgan> will be easier than fishing it out of irc [15:18]
<morgan> and ++ upgrade then convert to v3, or convert to v3 then upgrade [15:18]
<prometheanfire> ah [15:19]
*** woodster_ has joined #openstack-keystone [15:19]
<prometheanfire> just made a gist :P [15:19]
<bknudson> are deployers setting their identity endpoints to have /v3 now? [15:19]
<morgan> gist is good [15:19]
<prometheanfire> http://paste.openstack.org/show/492081/ [15:19]
<morgan> prometheanfire: also, i'd like to know what you had to "fix" the migrations [15:20]
<morgan> after go through this [15:20]
<prometheanfire> bknudson: I know rackspace (private cloud) is [15:20]
*** mhickey has quit IRC [15:20]
<morgan> that is a VERY basic config [15:20]
<prometheanfire> my fix was hackish and bad [15:20]
<prometheanfire> I told you [15:20]
<prometheanfire> I basically use defaults everywhere [15:20]
<morgan> good, eliminates icky config issues [15:20]
<stevemar> prometheanfire: defaults everywhere! [15:21]
<morgan> stevemar: sane defaults! [15:21]
-openstackstatus- NOTICE: Gerrit is restarting on review.openstack.org in an attempt to address an issue reading an object from the ec2-api repository [15:21]
*** rderose has quit IRC [15:22]
<prometheanfire> this was my old one http://paste.openstack.org/show/492082/ [15:22]
*** mhickey has joined #openstack-keystone [15:22]
<prometheanfire> I switch to fernet as well, but did run the script to generate the keys, so that should be fine [15:22]
<prometheanfire> that was from liberty [15:22]
<morgan> prometheanfire: hmm... i can't seem to duplicate this now. [15:24]
<morgan> prometheanfire: it errored once and now it works. [15:24]
*** pgreg_ has joined #openstack-keystone [15:24]
<morgan> yeah that should be fine. [15:25]
<prometheanfire> think I've had this setup around since havana, so some old config stuff stuck around [15:26]
*** david_cu has joined #openstack-keystone [15:27]
*** spzala has quit IRC [15:28]
*** pgreg has quit IRC [15:28]
*** fawadkhaliq has quit IRC [15:28]
*** spzala has joined #openstack-keystone [15:29]
*** rderose has joined #openstack-keystone [15:30]
<morgan> prometheanfire: ok, what command did you type to get the error [15:30]
*** roxanaghe has joined #openstack-keystone [15:31]
<morgan> prometheanfire: because i can't duplicate it now... it's working. [15:31]
<samueldmq> bknudson: stevemar: dstanek: patch 289306 needs some love [15:31]
<patchbot> samueldmq: https://review.openstack.org/#/c/289306/ - python-keystoneclient - Add users functional tests [15:31]
<prometheanfire> morgan: openstack endpoint list --debug [15:31]
<bknudson> lots of reviews need love [15:32]
<samueldmq> stevemar: about those functional tests in the client; there is a student who is willing to get involved in keystone [15:32]
<samueldmq> stevemar: my idea is to get that one in ^ and let her write the others, and then keep contributing in that front [15:33]
<prometheanfire> still getting it too [15:33]
<samueldmq> stevemar: in the context of Outreachy program https://wiki.openstack.org/wiki/Outreachy [15:33]
*** spzala has quit IRC [15:33]
<morgan> prometheanfire: hmm.. what auth URL (you can obscure the hostname) are you using? [15:33]
<prometheanfire> OS_AUTH_URL=https://master.openstack.mthode.org:5000/v3 [15:34]
<prometheanfire> meh [15:34]
<prometheanfire> behind a fw [15:35]
<morgan> prometheanfire: and did you set OS_IDENTITY_API_VERSION ? [15:35]
*** roxanaghe has quit IRC [15:35]
<prometheanfire> yes [15:35]
<prometheanfire> OS_IDENTITY_API_VERSION=3 [15:35]
<prometheanfire> I can't see this as a problem client side [15:35]
<morgan> ok, can you provide me with the records in the db now? -- though i am not seeing why that should be an issue. [15:35]
<morgan> everything is looking correct... [15:36]
<morgan> related: what version of openstack-client do you have installed? [15:36]
<morgan> i'm trying with: (keystone-venv) whitewalker:~ notmorgan$ openstack --version [15:36]
<morgan> openstack 2.2.0 [15:36]
*** diazjf has quit IRC [15:36]
<prometheanfire> http://paste.openstack.org/show/492087/ [15:37]
<prometheanfire> 2.2.0 [15:37]
*** pgreg_ has quit IRC [15:38]
*** spandhe has joined #openstack-keystone [15:38]
<prometheanfire> now, if only we could get it to do it again for you :P [15:38]
*** pgreg has joined #openstack-keystone [15:38]
<ayoung> samueldmq, can you take a look at https://etherpad.openstack.org/p/tripleo-policy-updates and tell me if it passes a sanity check? [15:39]
<prometheanfire> which codepath were you looking at? [15:39]
*** mylu has quit IRC [15:40]
*** spzala has joined #openstack-keystone [15:40]
<morgan> prometheanfire: well i was looking at the stuff in wsgi.py, but now i just need to duplicate it so i can poke at the server w/o the client [15:40]
<ayoung> samueldmq, I know you worked on the Dynamic Policy proof of concept last summer, and I think that you can best understand what I am trying to say. Even if I don't say it very well [15:40]
<morgan> prometheanfire: it's weird that you have "35757admin/v3" [15:40]
<morgan> that is the part that is tripping me up [15:40]
<morgan> or 5000admin/v3 [15:41]
<prometheanfire> ya, the stripping is killing the clients [15:41]
<morgan> well, no [15:41]
<morgan> the "admin" is erroneous [15:41]
<prometheanfire> Unexpected exception for https://master.openstack.mthode.org:5000admin/v3/auth/tokens: Failed to parse: master.openstack.mthode.org:5000admin [15:41]
<morgan> right [15:41]
<ayoung> morgan, so  https://etherpad.openstack.org/p/tripleo-policy-updates  is my first attempt to make the approach coherent. [15:41]
<morgan> that shouldn't be "5000admin/v3" it should be "5000/v3" [15:41]
<morgan> 5000admin isn't something inet can parse as a valid port [15:42]
*** diazjf has joined #openstack-keystone [15:42]
<prometheanfire> could it be related to 088 or 091 migrations? [15:42]
<morgan> i doubt it [15:42]
<prometheanfire> those are the two I had trouble with [15:42]
*** roxanaghe has joined #openstack-keystone [15:42]
<morgan> if the records from the db are what are in your paste... it should be fine [15:43]
<prometheanfire> ok [15:43]
*** ebalduf has joined #openstack-keystone [15:43]
<morgan> i assume you're using an openrc file? [15:43]
<prometheanfire> ya [15:43]
<morgan> can you just take a look to make sure your auth_URL isn't somehow in there twice, once with "admin" wedged next to the port? [15:44]
*** real56 has joined #openstack-keystone [15:44]
<morgan> just 3x checking [15:44]
<prometheanfire> admin isn't in there at all [15:44]
<morgan> cool. [15:44]
<morgan> hmm [15:44]
<samueldmq> ayoung: sure, looking [15:45]
<ayoung> thanks [15:46]
<morgan> ayoung: what if i don't want to look?! what then? :P [15:46]
<morgan> ayoung: will look when i'm done with helping prometheanfire [15:46]
<ayoung> morgan, then you can just come in at the last minute and -2 something like someone else that couldn't be bothered being involved in design decisions [15:46]
<morgan> ayoung: oh, perfect [15:46]
<morgan> ayoung: let me just -2 it now [15:46]
<morgan> ;) [15:47]
<ayoung> morgan, can you -2 an Etherpad? [15:47]
*** mylu has joined #openstack-keystone [15:47]
<morgan> ayoung: there we go. [15:48]
<morgan> i think i just did [15:48]
<prometheanfire> morgan: it could have something to do with my project domain name and user domain name maybe?  though default is the only entry in the domain table [15:48]
<ayoung> Heh [15:48]
<morgan> ayoung: ok ok back to helping prometheanfire [15:48]
<morgan> prometheanfire: unlikely. [15:48]
*** mylu has quit IRC [15:49]
*** mylu has joined #openstack-keystone [15:49]
<prometheanfire> wonder if it's in here https://github.com/openstack/keystone/blob/stable/mitaka/keystone/common/wsgi.py#L371 [15:50]
<morgan> prometheanfire: ok... next step, can you give me a full paste of the openstack endpoint list --debug? [15:50]
<morgan> prometheanfire: that was what i was looking at, but i need to duplicate the issue / have confidence i know where the issue comes from before we change something [15:51]
<morgan> prometheanfire: most of that code only is triggered if you have [eventlet_server] in your config file [15:52]
<prometheanfire> morgan: http://paste.openstack.org/show/492094/ [15:52]
*** jsavak has quit IRC [15:53]
*** mylu has quit IRC [15:53]
*** jsavak has joined #openstack-keystone [15:53]
<morgan> prometheanfire: oooh [15:54]
<morgan> you have your keystone behind nginx? [15:54]
<prometheanfire> yes [15:54]
<morgan> prometheanfire: ok. this might help me a bit more [15:55]
<prometheanfire> you want the location bit from the nginx config? [15:55]
<morgan> one sec. maybe [15:55]
<morgan> yeah [15:56]
<prometheanfire> I can confirm it doesn't hit that base_url method (inserted prings [15:56]
<prometheanfire> I can confirm it doesn't hit that base_url method (inserted prints) [15:56]
*** pgreg has quit IRC [15:56]
<morgan> prometheanfire: cool. thnx for confirming [15:56]
<prometheanfire> http://paste.openstack.org/show/492096/ [15:56]
<morgan> prometheanfire: oh are you using uwsgi or eventlet on a socket? [15:57]
<morgan> prometheanfire: /me is a little confused. [15:57]
<morgan> or is nginx just cool :P [15:58]
<prometheanfire> nginx -> uwsgi [15:58]
<morgan> ahhh ok [15:58]
<morgan> nginx looks sane [15:58]
*** diazjf has quit IRC [15:58]
<morgan> this feels like "admin" somewhere has gotten wedged into the host URL. somehow [15:58]
<morgan> and keystone is just doing magic to append it. [15:59]
<morgan> in a bad way [15:59]
<prometheanfire> I think I figured it out [16:00]
<prometheanfire> testing now [16:00]
<prometheanfire> well, it seems to be getting it from uwsgi_param SCRIPT_NAME [16:01]
<prometheanfire> http://paste.openstack.org/show/492098/ [16:01]
<morgan> oooh [16:01]
<prometheanfire> but removing the param doesn't work [16:01]
<morgan> right [16:02]
*** mylu has joined #openstack-keystone [16:02]
<morgan> but hmmm that shouldn't affect the base links like that [16:03]
<prometheanfire> well, setting it to an empty string seems to get further [16:03]
prometheanfire2016-03-28 11:03:15.329 9855 ERROR keystone.auth.plugins.core DomainNotFound: Could not find domain: default16:03
*** mylu has quit IRC16:03
morganthat one i've seen before16:04
*** lhcheng has joined #openstack-keystone16:04
*** ChanServ sets mode: +v lhcheng16:04
*** tqtran has joined #openstack-keystone16:04
prometheanfireoh?16:05
morganprometheanfire: that is likely you did OS_DOMAIN_NAME=default16:05
morganwhich the name is "Default"16:05
prometheanfireah, right16:05
morganif you used OS_DOMAIN_ID=default it would work16:05
prometheanfireid is default, name is Default16:05
prometheanfirein the db16:05
morganyep16:05
*** jorge_munoz has joined #openstack-keystone16:05
morganOS_DOMAIN_ID=default or OS_DOMAIN_NAME=Default16:06
morganwe... are case sensitive in domain_name (even though I am not sure we should be)16:06
morganor osc does something weird on the name.16:06
prometheanfireya, switch and now it can't access fernet keys, perm issue16:06
*** jorge_munoz_ has joined #openstack-keystone16:06
morganok, that is totally solvable16:07
morganand not a keystone issue :P but a posix permissions issue16:07
lbragstaddolphm yeah - _get_roles_for_user is taking a ton of time16:07
lbragstadhttps://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L279-L28716:07
prometheanfireor that dir went away16:07
morganright. the keys are... not available to the app, regardless of the reason16:07
lbragstaddolphm both calls to the assignment_api are cached and the role_api.get_role() is also cached16:07
*** mylu has joined #openstack-keystone16:08
morganso can you summarize exactly what tripped you up in the upgrade? So we can either fix developer docs and/or provide a fix in code? [just so i am not chasing through a ton of IRC locks to find it]16:08
prometheanfireand there, it works16:09
dolphmlbragstad: _list_effective_role_assignments = _get_group_ids_for_user_id + list_role_assignments_for_actor16:09
dolphmboth of which are dog slow16:09
prometheanfiredolphm: hi16:09
dolphmprometheanfire: o/16:10
prometheanfiremorgan: the issue was in my nginx config16:10
*** jorge_munoz has quit IRC16:10
*** jorge_munoz_ is now known as jorge_munoz16:10
prometheanfirethe before and after16:10
prometheanfire#        uwsgi_param SCRIPT_NAME admin; uwsgi_param SCRIPT_NAME '';16:10
prometheanfirewell, not all in one line...16:10
morganprometheanfire: great. thnx- can you now let me know what was wrong with the migrations?16:10
ayoungdolphm, nested queries the problem?16:10
lbragstaddolphm but get_roles_for_user_and_domain and get_roles_for_user_and_project should cache on argument, right?16:10
prometheanfiresure16:10
morganprometheanfire: those [if needed] are likely going to be another RC.16:11
dolphmayoung: not sure yet16:11
prometheanfiremorgan: those variables do seem to be needed16:11
morganah.16:11
prometheanfirewithout it I get the error here http://paste.openstack.org/show/492098/16:12
*** dan_nguyen has joined #openstack-keystone16:12
morganprometheanfire: ahh, so we are doing weird things with the links.16:13
prometheanfireya, somewhere16:13
dolphmayoung: we're digging through a profiling run of fernet token validation w/ caching enabled http://cdn.pasteraw.com/q3frata9qgad1g0nx971nj9p4le9kek16:13
dolphmlbragstad: caching *is* enabled here, right?16:13
prometheanfiremorgan: I had to comment out this https://github.com/openstack/keystone/blob/stable/mitaka/keystone/common/sql/migrate_repo/versions/088_domain_specific_roles.py#L32-L3316:13
lbragstaddolphm CONF.cache.enabled = True16:14
morganprometheanfire: oooh16:14
lbragstadcatalog caching defaults to true16:14
morganprometheanfire: so we need to figure out how to do that same thing in pgsql16:14
prometheanfireI had to comment out a thing here too, but forget which :( https://github.com/openstack/keystone/blob/stable/mitaka/keystone/common/sql/migrate_repo/versions/091_migrate_data_to_local_user_and_password_tables.py16:14
morganprometheanfire: can you restore an isolated DB from a backup and just try to do a migration and see where it fails (and file a couple bugs on the specifics)16:15
lbragstaddolphm I can set CONF.resource.caching = true and CONF.catalog.caching = true and rerun?16:15
lbragstadeven though they default to true anyway16:15
*** e0ne has quit IRC16:16
ayoungdolphm, the cache looks like it is slow16:16
prometheanfireno, I was stupid, forgot to do a snap16:16
morganprometheanfire: and ping me with the IDs and (or i can) tag the bugs for the rc-potential16:16
ayoung/opt/stack/keystone/keystone/common/cache/_context_cache.py:93(get)                                             ->   1038816:16
morganprometheanfire: since i think if it's an issue we are legitimately going to need another RC.16:16
prometheanfireI'll make a bug for 088 and mention 09116:17
dolphmlbragstad: ideally, we would just have caching on list_role_assignments() and be done -- but ... morgan: can we cache on kwargs in mitaka?16:17
prometheanfireboth should fail with psql16:17
morgandolphm: no, but i have a fix that could make it work16:17
ayoungdolphm, that is one of the largest numbers in there.  Is it caching to memcache?  Maybe the IPC is the bottleneck.16:18
lbragstaddolphm list_role_assignments()? where do we call that in get_token_data?16:18
lbragstadhere - https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L41516:19
dolphmayoung: i think we're just doing a bunch of repetitive work in keystone that we were not doing in liberty16:19
ayoungdolphm, during token validation?16:19
morgandolphm: https://bitbucket.org/zzzeek/dogpile.cache/pull-requests/46/add-a-key-word-arg-aware-cache-key/diff this is the kwarg aware key-generator16:20
dolphmlbragstad: list_role_assignments() is called by /opt/stack/keystone/keystone/common/manager.py:115(wrapped)16:20
dolphmlbragstad: which is called by /opt/stack/keystone/keystone/middleware/auth.py:77(_build_token_auth_context)16:20
morgandolphm: if we apply that to oslo.cache (it would need to be oslo.cache at this point i think -- might be something we can apply to mitaka in our code)16:21
lbragstadoh - it looks related to implied roles16:21
lbragstadhttps://github.com/openstack/keystone/commit/a270766eb9c3f2074af550a72661a6a825e9975b16:21
prometheanfiremorgan: https://bugs.launchpad.net/keystone/+bug/156293416:21
openstackLaunchpad bug 1562934 in OpenStack Identity (keystone) "liberty -> mitaka db migrate fails on postgresql" [Undecided,New]16:21
morganprometheanfire: thanks.16:21
dolphmlbragstad: so, morgan's solution sounds like a possible solution. otherwise, we should look further down the stack16:22
dolphm(in keystone, for places to add caching)16:22
roxanagheayoung: knikolla: so I've started looking at unit tests for the new ldap3 driver and it seems like there is no completely implemented mock lib for ldap3 yet16:22
roxanagheayoung: knikolla: see https://github.com/cannatag/ldap3/issues/11516:23
ayoungroxanaghe, looking16:23
morganprometheanfire: can you try and duplicate the 91  issue?16:23
ayoungroxanaghe, I don't think we were using those in Keystone.  We built our own...IIRC16:24
prometheanfiremorgan: the SCRIPT_NAME thing, that a doc issue?16:24
roxanagheayoung: yes, I saw we have the fakeldap module which is basically our own mock16:25
*** fawadkhaliq has joined #openstack-keystone16:25
ayoungyep http://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/unit/fakeldap.py16:25
*** diazjf has joined #openstack-keystone16:25
morganprometheanfire: the db_sync one (91 migration)16:25
morganprometheanfire: maybe in an isolated restore from a previous db snapshot?16:25
roxanagheayoung: but that fakeldap won't be good for ldap3 because it uses python-ldap16:25
prometheanfiremorgan: not sure I can reproduce :(16:25
ayoungroxanaghe, and, yes, I don't love it and would rather use the upstream16:25
prometheanfireI don't have a snapshot16:25
morganprometheanfire: ah no worries then16:25
morganah, next time for upgrade i recommend taking a dump/snapshot (for restore purposes) and also so we can try fixing it if you run across things like this again.16:26
prometheanfiremorgan: if I could get translations into sql syntax (for both 88 and 91) then I might be able to give more info16:26
prometheanfireyour stuff isn't as easy to read as neutron's db_upgrade stuff16:26
morganprometheanfire: sure. let me know, i'll see what i can do (I admit I'm way way way less familiar with pgsql)16:26
*** spzala_ has joined #openstack-keystone16:26
prometheanfiremorgan: mysql syntax is fine16:27
prometheanfireI'll translate16:27
morganstevemar: https://bugs.launchpad.net/keystone/+bug/1562934 RC-Potential16:27
openstackLaunchpad bug 1562934 in OpenStack Identity (keystone) "liberty -> mitaka db migrate fails on postgresql" [High,New]16:27
lbragstaddolphm what would be our other option? We could try and make list_role_assignments() not take kwargs and make it explicit, then we could add caching like we do to everything else in keystone16:27
prometheanfirestevemar: I'm around on irc to help with that too16:27
*** madhuri has joined #openstack-keystone16:27
morganstevemar: going to work with prometheanfire to try and address it.16:27
ayoungsamueldmq, so, what do you think?  Do we drive on with Puppet and Heat, or do we try to make it work with the Dynamic approach?16:27
*** gyee has joined #openstack-keystone16:28
*** ChanServ sets mode: +v gyee16:28
morganprometheanfire: i, unfortunately have a job interview today and a flight and a ton of things to do when I get home, so it might be tomorrow.16:28
madhuriHi keystone team! I am facing this error "Could not determine a suitable URL for the plugin" with devstack setup16:28
roxanagheayoung: so should we try help the development of the mock lib for ldap3 upstream in the open source repo?16:28
morganprometheanfire: yay for being unemployed :(16:28
prometheanfiremorgan: ok16:28
prometheanfiremorgan: good luck16:28
madhuriCould you please help?16:28
ayoungroxanaghe, well, that would be the more generally useful approach.16:28
morganroxanaghe: /wave - that would be a nice approach16:28
prometheanfiremorgan: stevemar: if you know a way to re-run a particular migration that would work16:29
morganprometheanfire: usually - I use a DB restore16:29
roxanagheayoung: yeah, not sure if it's the fastest :)16:29
morganprometheanfire: then run it, try a fix, restore DB, run it, etc16:29
prometheanfireya16:29
morganprometheanfire: it's really the only sure-fire way to guarantee reproduction of migration issues16:29
roxanagheayoung: morgan: but I would like to take a look at how big the work is there16:29
morganroxanaghe: ++16:29
ayoungroxanaghe, but it is probably the most long-term maintainable. We could carry a local copy of the mock until it got merged upstream.  It looks like someone has started16:30
prometheanfireI'll see if I can decode your sql statements :P16:30
*** spzala has quit IRC16:30
morganprometheanfire: thanks.16:30
ayoungroxanaghe, ah...no it looks like he went his own way16:30
morganprometheanfire: i am guessing the uniqueconstraint error is just an issue with "what the heck pgsql does with unique constraints"16:31
ayoungroxanaghe, https://github.com/tjcsl/ion/issues/369  ?16:31
prometheanfireprobably16:31
ayoungclosed?16:31
prometheanfirethe second one worked though16:31
prometheanfireit's how it interacts with the drop most likely16:31
morganprometheanfire: right.16:31
*** jsavak has quit IRC16:31
ayoungah, that is an external project16:31
prometheanfirewhat does that do anyway, I'm not familiar with UniqueConstraint16:32
roxanagheayoung: https://github.com/cannatag/ldap3/blob/master/ldap3/strategy/mockSync.py this is the start of it16:32
*** mylu has quit IRC16:32
*** jsavak has joined #openstack-keystone16:32
*** browne has quit IRC16:32
roxanagheayoung: I saw that - that seems to be another project which I didn't quite understand what it really does :)16:32
ayoungyeah16:32
morganit would be nice if ldap3 had a "betamax" like interface16:33
*** jsavak has quit IRC16:33
morganwhere we could just record responses from a real ldap server and replay them.16:33
ayoungmorgan, better than the normal one but doomed to obscurity?16:33
prometheanfiremorgan: I'll tell sigmavirus24, iirc he wrote it16:33
*** jsavak has joined #openstack-keystone16:33
sigmavirus24prometheanfire: you realize I am right here, right?16:33
morganprometheanfire: the way betamax works is hooks into requests - a very different interface/style than ldap316:33
sigmavirus24That said, I don't have a need for that, so I'm not about to write it :P16:34
prometheanfiresigmavirus24: of course :P16:34
sigmavirus24morgan: is also correct16:34
*** rderose has quit IRC16:34
roxanagheayoung: morgan: what these guys are trying to do is implement a pure python ldap server http://sldap3.readthedocs.org/en/latest/ and use that to do mocking16:34
morganroxanaghe: i've seen that... i'm suspect on a "pure python ldap" server16:34
roxanaghemorgan: aha16:35
prometheanfiremorgan: if you have a mitaka server, can you 'select * from role;' and tell me what's in the domain_id column16:35
*** mylu has joined #openstack-keystone16:35
prometheanfirealso, 'ixu_role_name' isn't mentioned at all anywhere in that table16:36
prometheanfireso maybe I don't have to care or it was removed and still errored16:36
ayoungroxanaghe, I'm tempted to leave our implementation in place to start, maybe clean it up.  A general purpose mock often degenerates into a full, but poor, implementation16:36
morganprometheanfire: ah we might need to do a lookup on the constraint.16:36
morganprometheanfire: instead of fixed name drop16:36
prometheanfirewell, I consider 088 to have completed 'successfully' based off what I can see it trying to do16:37
ayoungroxanaghe, If there were something already available, I might be more tempted to rewrite, but since there isn't, maybe we just look at the nastiness of ours and clean it up16:37
morganprometheanfire: right.16:37
prometheanfirethat column is full of <<null>> for me though16:37
prometheanfirethat seems odd16:37
roxanagheayoung: so you're thinking make a fakeldap for ldap3?16:38
ayoungroxanaghe, yes, but I am easily persuadable either way.  You make the call.16:38
morganprometheanfire: we'll need to just check before dropping/make sure constraints are cleared as expected16:38
morganprometheanfire: i wont have a mitaka db for a bit16:39
prometheanfireok16:39
morganprometheanfire: like i said, this might be tomorrow. or at least later this afternoon16:39
prometheanfirek16:39
prometheanfireif I understood UniqueConstraint better I could translate easier16:40
stevemarmorgan: prometheanfire: what ended up happening with the funky url?16:40
prometheanfirestevemar: the script requires a variable SCRIPT_NAME to be passed16:41
stevemarprometheanfire: ah nice16:41
prometheanfirepreviously it was set to admin, this caused URLs to have that variable prepended to the path16:41
knikollaayoung, roxanaghe: just read the conversation16:41
prometheanfireso http://example.com:5000admin/v316:42
stevemarprometheanfire: yep yep, now for the postgres bug16:42
prometheanfireit still requires that variable to be set, but I set it to ''16:42
prometheanfireok, done with the SCRIPT_NAME bug16:42
stevemarbknudson: are the opportunistic db tests running?16:42
roxanagheayoung: ok, let me research some more. I'm more inclined to contribute to the open source project since our fakeldap is strongly related to our python-ldap implementation16:43
prometheanfirestevemar: if you could translate this to actual sql, I might be able to test some more https://github.com/openstack/keystone/blob/stable/mitaka/keystone/common/sql/migrate_repo/versions/088_domain_specific_roles.py#L32-L3716:43
ayoungroxanaghe, ++16:43
*** ebalduf has quit IRC16:43
knikollaroxanaghe, ++16:43
stevemarprometheanfire: sure, lemme see16:44
*** david-lyle_ has joined #openstack-keystone16:44
knikollaayoung, we're pretty early in the so I think we can afford going the longer term best route.16:44
knikollain the cycle*16:44
*** rderose has joined #openstack-keystone16:44
*** david-lyle has quit IRC16:44
ayoungknikolla, sure, just want to make sure we are realistic about that.16:45
roxanagheknikolla: ldap3 seems so cool in terms of APIs and docs, it just that they are still early implementation in terms of unit testing tools :)16:45
*** real56 has quit IRC16:45
prometheanfireI think that drops the old entries from the domain_id column and repopulates it with ixu_role_name_domain_id statically16:46
*** real56 has joined #openstack-keystone16:46
lbragstadrderose nice clean up here - https://review.openstack.org/#/c/294305/16:46
patchbotlbragstad: patch 294305 - keystone - Moved name formatting (clean) out of the driver16:46
knikollaroxanaghe, agree on the APIs, but I found the docs a bit shallow at places.16:47
rderoselbragstad: thanks man :)16:47
lbragstadrderose thank you16:47
*** real56 has quit IRC16:47
*** david-lyle has joined #openstack-keystone16:48
*** real56 has joined #openstack-keystone16:48
roxanagheknikolla: I see. also, do you know if we will have to do a lot of code customization to work with AD server?16:48
*** david-lyle_ has quit IRC16:49
knikollaroxanaghe, i don't think so. we'll find out.16:50
knikollagotta go now, lunch break.16:50
roxanagheknikolla: cool, have a good one!16:50
openstackgerritRodrigo Duarte proposed openstack/keystone: Base for keystone tempest plugin  https://review.openstack.org/29729216:51
prometheanfirestevemar: morgan I figured out how to manually run a migration script again, just replace migrate_engine with sql.create_engine('connection_string_here')16:54
morganprometheanfire: but that doesn't really "re-run" the migration properly16:54
morganit could also clobber data16:54
morganok so the section you highlighted is changing what column is the unique constraint16:55
prometheanfiremorgan: true16:55
prometheanfireI've been careful about it so far16:55
morganprometheanfire: instead of just unique constraint of "role_name"16:55
morganit now makes the unique constraint (role_name, domain_id)16:55
prometheanfire    "ixu_role_name_domain_id" UNIQUE CONSTRAINT, btree (name, domain_id)16:56
morganyeah similar16:56
prometheanfirethat's what I have in psql16:56
morgannow... i think this is a broken migration16:56
morganlooking at it16:56
morgan*sigh*16:56
prometheanfirelol16:56
morganstevemar: ping16:56
stevemarmorgan: poke16:56
stevemari have been trying to translate that into sql, not easy16:56
morganstevemar: are we doing magic to ensure we aren't duplicating role_name with <<null>> domain_id?16:57
morganstevemar: oh. i see what we're doing16:57
morganoh gah.. that is awful16:57
morganok16:57
prometheanfirelook at my last comment16:57
prometheanfirehttps://bugs.launchpad.net/keystone/+bug/156293416:57
openstackLaunchpad bug 1562934 in OpenStack Identity (keystone) "liberty -> mitaka db migrate fails on postgresql" [High,New]16:57
prometheanfireincludes translations16:57
*** jsavak has quit IRC16:58
prometheanfirethe second error I don't think I got, but am getting now because it was already run16:58
morganprometheanfire: that makes sense since you already ran the migration16:58
morganprometheanfire: since the constraint already exists now16:58
prometheanfirethe first error I was getting though16:58
morganok, it's an issue where the constraint name isn't consistent in pgsql16:58
morganprometheanfire: can you show me the constraints on your role table?16:59
morganprometheanfire: in mysql i'd do something like "show create table <role_table_name>"16:59
morgannot sure what the pgsql equiv is.16:59
morganbut i want to see if you were just missing the constraint before or if it was named differently and is now possibly broken (having both constraints would be bad(tm))17:00
morganboth = unique(role_name), unique(role_name, domain_id)17:00
prometheanfirehttp://paste.openstack.org/show/492114/17:00
morganyep17:00
morganrole_name_key17:00
prometheanfirethat's after the migrate17:01
morganthat is the one that should have been dropped. so we need to do a constraint search17:01
morganand look for the constraint that only affects role_name17:01
stevemaryeah, role names had to be unique before17:01
prometheanfireso I need to drop that?17:01
morganok stevemar this is an RC blocker.17:01
morganprometheanfire: well we need to fix the migration to do the right thing and make a new one to also do it for people like you who are beyond the migration17:01
morganit shouldn't impact you today, but it will def. break things in the future17:02
prometheanfireok17:02
prometheanfireI can test the migration when you have the next one17:02
stevemarmorgan: prometheanfire the initial migration failed because the unique constraint (role names) was never there?17:03
prometheanfirestevemar: yes, that's the section I commented out17:03
prometheanfirethe drop statement17:03
stevemari wonder why it was never there... it should have been created long ago17:03
prometheanfireit sounds like it still isn't correct17:03
stevemaryou upgraded from havana to liberty, then mitaka?17:04
prometheanfireeach release I did db_upgrade17:04
prometheanfireso I didn't skip any17:04
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Cleanup LDAP models  https://review.openstack.org/28530117:04
morganstevemar: yeah he's on the latest mitaka RC17:05
morganstevemar: marked as "critical" and attached to mitaka and newton.17:05
morganstevemar: i'll start working on a fix to search for the constraint instead of blindly using the "name"17:06
morgan(we need a new RC target for mitaka)17:06
morganstevemar: awww.. we already added placeholders =/17:07
stevemarmorgan: yep...17:08
samueldmqayoung: I looked at it17:08
samueldmqayoung: maybe starting by improving the existing tooling makes more sense17:08
samueldmqayoung: what do you propose exactly ? make CMS use the keystone API ?17:09
samueldmq*keystone policy API17:09
stevemarmorgan: time to modify one of the placeholders i guess?!17:10
*** nisha has joined #openstack-keystone17:10
*** henrynash has joined #openstack-keystone17:10
*** ChanServ sets mode: +v henrynash17:10
prometheanfirestevemar: morgan: added reminder for myself to make sure the constraints in the role table are corrected17:10
*** browne has joined #openstack-keystone17:11
samueldmqtjcocozz: hi17:14
samueldmqtjcocozz: did we get to a conclusion on this thing : patch 28186317:14
patchbotsamueldmq: https://review.openstack.org/#/c/281863/ - keystone-specs - Clarify projects subtree as list option docs17:14
samueldmqtjcocozz: I mean, I submitted this patch in complement to something you were submitting17:14
morganstevemar: yeah17:15
samueldmqtjcocozz: iirc it was a test that assumed the ordering17:15
morganprometheanfire: will ping you with a migration to test17:15
morgan:)17:15
prometheanfirek17:15
prometheanfirelooking at 91 now17:15
morganprometheanfire: we might need to split 91 issue into its own bug17:16
morganin fact, we should17:16
*** mylu has quit IRC17:16
nishahi everyone :)17:16
samueldmqnisha: hi!17:17
prometheanfirethat's fine17:17
prometheanfirethis row doesn't exist for me17:17
prometheanfirehttps://github.com/openstack/keystone/blob/stable/mitaka/keystone/common/sql/migrate_repo/versions/091_migrate_data_to_local_user_and_password_tables.py#L5117:17
nishahey samueldmq17:17
*** mylu has joined #openstack-keystone17:18
samueldmqnisha: regarding our proposal for outreachy17:18
samueldmqnisha: we can actually start working on the tests themselves (for keystoneclient)17:18
samueldmqnisha: I started the effort by adding the tests for users, see patch 28930617:18
patchbotsamueldmq: https://review.openstack.org/#/c/289306/ - python-keystoneclient - Add users functional tests17:18
nishasamueldmq, do you mean running the tests ?17:18
*** mylu has quit IRC17:19
prometheanfiremorgan: bug https://bugs.launchpad.net/keystone/+bug/156296517:19
openstackLaunchpad bug 1562965 in OpenStack Identity (keystone) " liberty -> mitaka db migrate fails on postgresql 091 migration" [Undecided,New]17:19
*** jsavak has joined #openstack-keystone17:19
samueldmqnisha: we first need to write them; I just wrote the tests for user (see link above)17:19
samueldmqnisha: you can take a look at that, review and test it17:19
samueldmqnisha: so start writing the other tests is already a great step17:20
samueldmqnisha: and we can keep this in the program, and also work on some other improvements17:20
samueldmqnisha: does this make sense ?17:23
*** edmondsw has joined #openstack-keystone17:23
samueldmqhenrynash: hi, I addressed your comment in patch 28530117:23
patchbotsamueldmq: https://review.openstack.org/#/c/285301/ - keystone - Cleanup LDAP models17:23
samueldmqhenrynash: I didn't know that common/models.py thing was only used by ldap17:23
samueldmqhenrynash: lots of things got removed in the new patchset17:23
henrynashsamuedlmq: ok, thanks, will take a look17:24
*** agrebennikov has joined #openstack-keystone17:24
*** mylu has joined #openstack-keystone17:24
*** david-lyle has quit IRC17:24
morganstevemar: this looks "right" http://paste.openstack.org/show/492118/17:25
*** david-lyle has joined #openstack-keystone17:25
morganstevemar: 2x check and i'll roll an update to the placeholder17:25
morganstevemar: also.. lets evaluate low-cost backports since we have RC blocker. (bugs that fixes landed post mitaka rc)17:26
nishayeah, I think that will work :)17:26
nishaHow can I know, which areas need tests and the ones that need improvements?17:27
nishacan we mention that in application or do we plan to work on them as we go?17:27
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient: Add federation related tests  https://review.openstack.org/29304017:28
bknudsonstevemar: the opportunistic tests are running in http://logs.openstack.org/37/295837/8/check/gate-keystone-python27-db/61ba0c1/console.html.gz#_2016-03-23_17_29_27_06117:29
ayoungsamueldmq, I don't know.  I don't think we can make a decision until we have the issues clearly laid out17:29
prometheanfireI'm not sure that this will work for anyone17:29
prometheanfirehttps://github.com/openstack/keystone/blob/9.0.0.0rc1/keystone/common/sql/migrate_repo/versions/091_migrate_data_to_local_user_and_password_tables.py#L5117:29
prometheanfirethe user_password row is never pulled that I can see17:30
ayoungsamueldmq, At this exact moment in time I think that the dynamic is still the better approach.17:30
*** spandhe_ has joined #openstack-keystone17:30
ayoungsamueldmq, to do that, it would take two things:17:30
ayoung1.  Fetch by URL or something capable of doing the lookup17:30
ayoung2. Having Puppet configure the URL17:30
*** spandhe has quit IRC17:31
*** spandhe_ is now known as spandhe17:31
samueldmqayoung: which is basically the same thing we had proposed before17:31
ayoungI guess it would take more than that: we'd also have to prepopulate the config files inside of Keystone.  But I guess the endpoints could fall back to the local copy until that happens17:31
samueldmqayoung: except that ksmiddleware is not the one fetching the policies (but CMS instead)17:31
morganprometheanfire: ah good to know17:31
ayoungsamueldmq, was middleware fetching in your Proof of concept?17:32
samueldmqayoung: yes17:32
morganprometheanfire: i'll take a closer look once i'm done with this change set.17:32
prometheanfirek17:32
*** ebalduf has joined #openstack-keystone17:32
ayoungsamueldmq, but policy was still evaluated at the lower level, after middleware, right?17:33
prometheanfiremorgan: that patch doesn't work17:33
prometheanfirefor 08817:33
morganprometheanfire: what is failing on it?17:33
prometheanfirehttp://paste.openstack.org/show/492119/17:33
morganprometheanfire: i might need to reconstruct the constraint itself.17:33
morganoh.17:34
morganthat is annoying17:34
morganok i'll fix.17:34
morgansec17:34
prometheanfirek17:34
*** BigWillie has joined #openstack-keystone17:36
ayoungsamueldmq, I think there are some other issues with the middleware approach. Namely, the directory management part is tricky to get right.  That was a part of PKI tokens I never felt happy with.17:38
samueldmqayoung: well, if we provide a consistent policy API and people do use it with their CMS17:39
samueldmqayoung: I'd be happy with that too; it's up to deployers if they decide to use the API that way17:39
prometheanfireif role_table.c.name.name in c.columns and len(c.columns) == 1:17:40
prometheanfirethough c.drop doesn't work, it isn't a method17:40
ayoungsamueldmq, OK, I'm going to put this on the Agenda for tomorrow.17:40
samueldmqayoung: sounds good17:41
bknudsonthere's a postgres gate job that runs all the time and db_sync works fine -- http://logs.openstack.org/10/296110/2/check/gate-tempest-dsvm-postgres-full/e9c77d9/logs/devstacklog.txt.gz#_2016-03-28_11_50_13_45217:42
prometheanfirebknudson: might be an edge case17:43
ayoungbknudson, so, I had a downstream request for a "limit" parameter for token flush.  I had brushed it off (since we are headed toward fernet) but...starting to think it would be the right thing to do17:43
ayoungwould that gate job test token flush, too?17:43
*** doug-fis_ has quit IRC17:43
bknudsonayoung: gate jobs don't configure token flushing as far as I know17:44
bknudsonthe token flush job already splits up the deletes into chunks17:44
ayoungbknudson, ok...might be a difference in behavior between RDBMSes.  What is your take?  Should we do a limit?17:44
ayoungwhen did that happen?17:44
bknudsonwhat's the problem that they're trying to solve?17:45
bknudsonit's probably been a year or a year and a half since that was added to token flush17:45
ayoungbknudson, huge initial flush if it was not set up at the start17:45
ayoungbknudson, https://bugzilla.redhat.com/show_bug.cgi?id=112778817:45
openstackbugzilla.redhat.com bug 1127788 in openstack-keystone "[RFE] keystone-manage token_flush fails when there is a huge number of tokens to flush" [Low,Assigned] - Assigned to ayoung17:45
morganprometheanfire: so something more like http://paste.openstack.org/show/492122/17:46
morgansee the difference between my last one and the new one on line 27,28,2917:47
prometheanfireyep17:47
bknudsonayoung: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/persistence/backends/sql.py#n278 -- there's the loop17:47
bknudsonthe code kept changing for some reason17:48
prometheanfiremorgan: fails, but maybe I don't need to run it on my DB17:48
bknudsonayoung: batch_size=100017:48
morganprometheanfire: did it fail on the second one?17:48
morgancreating the constraint or in the drop line?17:49
morganif it failed in the drop line i have a bit more work to do, but it's getting closer17:49
morganif it failed making the constraint, it worked as expected (and i'll need you to check the constraints on your table again)17:49
prometheanfiresec17:49
prometheanfiredoes this need the migration run? http://paste.openstack.org/show/492124/17:50
morganyup17:50
morganok it didn't work17:50
morgan*argh*17:50
prometheanfireProgrammingError: (psycopg2.ProgrammingError) constraint "name" of relation "role" does not exist [SQL: 'ALTER TABLE role DROP CONSTRAINT name']17:50
morgangive me a few, pushing it to gerrit and then will spin up a VM for me to really dig more into it.17:50
prometheanfirethat's the error17:50
prometheanfireok17:51
prometheanfirewhy's the sql you want to run?17:51
prometheanfirealter table role drop constraint role_name_key;17:51
prometheanfiremorgan: ^ I think that's what you want?17:51
prometheanfirein my case17:51
morganprometheanfire: right. but i'm trying to do it as part of the ORM, so i need to figure out the correct syntax to make the ORM return that17:52
prometheanfireright17:52
prometheanfireI'll try to figure it out as well, just wanted to be clear on the goal before I worked toward it17:52
morganyeah, i think i know what it needs to be, i was just trying to be a bit more clever than I should have been17:53
*** tqtran has quit IRC17:53
*** tellesnobrega_af is now known as tellesnobrega17:53
gmmahamorgan: quick Q about the _member_ role. When should we really need it? I have a fresh master install of sources and admin user cannot create new project or user without the _member_ role being added.. Am i missing something w.r.t configs that's causing this?17:54
morganprometheanfire: ok try changing line 39 to: migrate.UniqueConstraint(role_table.c.name, name=c.name).drop()17:54
prometheanfireok17:54
prometheanfirestill the same17:55
morganexact same error?17:55
morganit should be ALTER TABLE role DROP CONSTRAINT role_name_key now... afact17:56
prometheanfirec.name has three values17:56
morganerp... wha?17:56
prometheanfireI replaced the c.drop with print c.name17:56
morganwhat are the values?17:56
prometheanfirehttp://paste.openstack.org/show/492126/17:57
prometheanfireI think it's because I have this already17:57
prometheanfire    "ixu_role_name_domain_id" UNIQUE CONSTRAINT, btree (name, domain_id)17:57
*** e0ne has joined #openstack-keystone17:57
morganhmm.17:57
morganno something else is weird.17:57
morganok well i am a lot closer.17:57
morgani just need to figure out if i can just use the constraint object from the table instead of needing to reconstruct it.17:58
morganhave a phone call in 3 mins... so back when that is done17:58
prometheanfirek, good luch17:59
prometheanfirek, good luck17:59
*** jsavak has quit IRC18:01
openstackgerritTom Cocozzello proposed openstack/keystone: Add `patch_cover` to keystone  https://review.openstack.org/29418918:01
*** jsavak has joined #openstack-keystone18:02
*** doug-fish has joined #openstack-keystone18:04
*** doug-fis_ has joined #openstack-keystone18:05
tjcocozzsamueldmq, hey! about 281863. as far as i know between the push back from both our patches i didn't see a conclusion :p Any idea on how to move forward?18:06
*** ericksonsantos has quit IRC18:07
*** agrebennikov has quit IRC18:08
*** doug-fish has quit IRC18:09
openstackgerritTom Cocozzello proposed openstack/keystone: Add `patch_cover` to keystone  https://review.openstack.org/29418918:10
*** david-lyle_ has joined #openstack-keystone18:12
*** david-lyle has quit IRC18:14
*** pcaruana has quit IRC18:16
samueldmqtjcocozz: looks like we can't make sure the drivers do that18:18
samueldmqtjcocozz: but could order in the manager18:18
samueldmqtjcocozz: if we want to do that18:18
tjcocozzsamueldmq, I think that would be best.18:19
*** henrynash has quit IRC18:20
*** henrynash has joined #openstack-keystone18:20
*** ChanServ sets mode: +v henrynash18:20
*** agrebennikov has joined #openstack-keystone18:21
*** edmondsw has quit IRC18:23
*** nisha_ has joined #openstack-keystone18:25
stevemarprometheanfire: i wonder how many other ppl will hit this issue18:26
prometheanfirestevemar: dunno, I'm guessing people that have had long lived installs18:27
*** nisha has quit IRC18:29
*** rderose has quit IRC18:29
samueldmqtjcocozz: first questions first18:30
prometheanfirestevemar: maybe only long lived with postgres, not sure18:30
*** real56 has quit IRC18:30
samueldmqtjcocozz: do we have a reason to constrain it that way?18:30
samueldmqtjcocozz: i.e the result is ordered?18:30
*** pcaruana has joined #openstack-keystone18:30
*** nisha_ has quit IRC18:30
tjcocozzsamueldmq, i am pretty sure it is required for the hierarchical bp to work18:31
samueldmqtjcocozz: to work or to be optimized ? if it isn't ordered, the hierarchical code could order it18:32
*** real56 has joined #openstack-keystone18:32
samueldmqtjcocozz: or we could simply make the manager order it before returning18:32
tjcocozzsamueldmq, i thought we used it to make sure the projects were deleted in the correct order.18:32
samueldmqtjcocozz: and that's very bad if the hmt code is making that assumption18:32
samueldmqtjcocozz: ah yes, in the case of a delete cascade18:33
samueldmqtjcocozz: ++18:33
samueldmqtjcocozz: I think in that case, the caller should order it; it's a very specific case18:33
*** ebalduf has quit IRC18:33
tjcocozzsamueldmq, okay then that won't be too hard to do.  I one of the patch set of the delete patch had a function to order the projects18:34
*** tqtran has joined #openstack-keystone18:34
*** sdake_ has joined #openstack-keystone18:34
tjcocozzsamueldmq, should just be copy paste :p18:34
*** sdake_ has quit IRC18:35
rodrigodstjcocozz, why do you need specifically the list? can't you use subtree_as_ids?18:35
rodrigods(which returns a dict)18:35
rodrigodsand ensures ordering18:35
* tjcocozz is looking at subtree_as_ids now18:36
*** sdake has quit IRC18:37
tjcocozzrodrigods this is what you are talking about https://github.com/openstack/keystone/blob/ca04d535c8d14d082fb785cf414b30e1405a7360/keystone/resource/core.py#L637?18:38
rodrigodstjcocozz, yes18:38
ayounghow can I find out who has +2 on a project?   oslo.context in this case, but is there a definitive place to look these up?18:39
*** sdake has joined #openstack-keystone18:39
rodrigodsayoung, groups in gerrit18:39
*** henrynash has quit IRC18:39
stevemarrodrigods: ++18:39
*** rderose has joined #openstack-keystone18:39
rodrigodsayoung, for example https://review.openstack.org/#/admin/groups/106,members18:39
*** pushkaru has quit IRC18:40
ayoungrodrigods, so that is the group itself.  Is there a publicly queryable way to map from repo to group?18:40
*** pushkaru has joined #openstack-keystone18:40
ayoungrodrigods, for example,  I can approve oslo policy changes, but I am not on that list18:40
rodrigodsayoung, is always something like *-core18:41
*** knikolla_ has joined #openstack-keystone18:41
rodrigodsayoung, you can approve because you are here https://review.openstack.org/#/admin/groups/556,members18:41
ayoungrodrigods, I know...but that is a heuristic.  I was wondering where that is enforced, and if it is public18:41
rodrigodsayoung, it appears in launchpad too18:41
stevemarayoung: that may be in project-config18:41
rodrigodsstevemar, ++18:41
morganstevemar: anyone who has long-lived installs could have mis-matched keys18:42
stevemarayoung: https://github.com/openstack-infra/project-config/blob/e028bf1b358b4dde96326fe193ad8193b575ab0f/gerrit/acls/openstack/oslo.policy.config#L318:42
morganstevemar: i also think very few have upgraded to mitaka yet18:42
*** doug-fis_ has quit IRC18:43
*** doug-fish has joined #openstack-keystone18:44
*** sdake has quit IRC18:44
ayoungah so for us it is http://git.openstack.org/cgit/openstack-infra/project-config/tree/gerrit/acls/openstack/keystone.config#n618:44
stevemarayoung: yeah, each repo has its own config18:45
*** henrynash has joined #openstack-keystone18:46
*** ChanServ sets mode: +v henrynash18:46
*** sdake has joined #openstack-keystone18:48
*** madhuri has quit IRC18:48
*** e0ne has quit IRC18:50
dolphmmorgan: i'm running into a circular dependency trying to add caching to the federation backend... is there a better place to put this? https://github.com/openstack/keystone/blob/master/keystone/common/cache/_context_cache.py#L22-L4718:50
dolphmmorgan: circular dependency when /opt/stack/keystone/keystone/federation/core.py tries to "from keystone.common import cache" http://cdn.pasteraw.com/bjy7z0v2jf8efe3651l276jot3we2ns18:51
ayoungdolphm, didn't we use internal notifications for just this reason?  Cache invalidation?18:52
prometheanfiremorgan: stevemar: the 088 issue, I'm not sure how to do this in sqlalchemy https://stackoverflow.com/questions/6843692/how-to-get-the-name-of-a-unique-constraint-in-postgresql18:52
morgandolphm: uhmmmmm.18:53
prometheanfirepostgres makes it harder to find the proper name18:53
dolphmayoung: that handler looks to allow the revoke tree to be cachable18:53
morganprometheanfire: yeah. that is the issue18:53
morgandolphm: yeah we used the internal notification bits for cache invalidation so we could avoid needing to import <<other module>> and circular deps.18:53
ayoungdolphm, If I understand what you are seeing, Federation depends on cache, cached depends on revoke.  And that last...seems wrong18:53
morganayoung: ^ cc18:53
morgandolphm: uhm.18:54
prometheanfirethis might be a problem with sqlalchemy not knowing how to do that18:54
ayoungmorgan, why would the revoke code be in the cache?  Is that just an artifact of "trying anything to make it work?"18:54
morganayoung: that is in the cache because the revoketree is hard to serialize18:55
*** fawadkhaliq has quit IRC18:55
morganayoung: and we're trying to offload multiple requests.18:55
ayoungmorgan, kill the tree.  Make it a linear search18:55
morganayoung: if the revoketree stops being a tree and is more of a "ask the SQL backend directly"18:55
morganayoung: and let the driver suss that out, it becomes way easier.18:55
*** fawadkhaliq has joined #openstack-keystone18:55
morganand a simple memoize18:56
morgan slash invalidate (like everything else)18:56
ayoungI had the simplification patch 2/4rd done and then rebase hell hit...18:56
patchbotayoung: https://review.openstack.org/#/c/2/18:56
ayounglet me see18:56
ayounghttps://review.openstack.org/#/c/285134/18:56
patchbotayoung: patch 285134 - keystone - Remove unneeded revocation events18:56
ayoungit was not pretty18:56
morganprometheanfire: that would be unfortunate. i guess we could do direct DDL manipulation18:56
ayoungbut +240, -83018:56
morganprometheanfire: for PGSQL.18:56
prometheanfiremorgan: ya, for that check/modification18:56
prometheanfiredoes suck though18:57
ayoungit is on the queue of things to rework18:57
morganayoung: i'm wondering if we could just move to direct SQL query first.18:57
morganayoung: and then do the reduction.18:57
morganit might be more straightforward, but would require adding a bunch of indexes to the table18:57
dolphmayoung: that's accurate18:57
ayoungmorgan, and a linear match?  yeah, The code should still be there somewhere18:57
ayoungthe tests used to do that as a check on the logic for the tree18:57
morganayoung: i was thinking .query(<filters for SQL>)18:58
dolphmayoung: i just added the "Federation depends on cache" part though18:58
morganand just ditch the tree completely18:58
morganthen do the reduction of your stuff.18:58
morgans/reduction/simplification of event types18:58
ayoungmorgan, if it is not in the tests, then it is in the original patch series18:58
morganayoung: yeah it's in the original patch series, but i'd go a step further and just make SQL do the heavy lifting18:59
morgandolphm: hmm... how to unwind this18:59
ayoungmorgan, I don't know if you can.  There are a lot of "don18:59
ayoung"don't cares" in the query18:59
morganayoung: we can probably do it with .OR.18:59
morganayoung: this or this or this or this19:00
ayoungselect the whole list, cache, and then do a linear search, with the logic in python is, I think much more correct19:00
ayoungit would be a really nasty sql query19:00
morganayoung: if we had the reduced types, it would be trivial to do it in SQL19:00
ayoungwhy not just cache the whole list? We won't have that many19:00
ayoungtrue19:00
ayoungnot 100 trivial, but much easier19:00
morganand SQL is going to be faster/better with indexes than python will be linearly19:00
morganat the smaller scope that is19:01
*** edmondsw has joined #openstack-keystone19:01
ayoungmorgan, but I think dolphm needs something for this release, and that is too big an effort for Mitaka19:01
ayoungIf this is for Newton, would suggest this order:19:02
ayoung1. Fernet default19:02
ayoung2. Use Fernet mechanism for UUID19:02
ayoung3. Reduce revocation events19:02
ayoung3. Optimize revoke events further19:02
ayoungthat should be 419:02
morgani might be able to convert to SQL ... let me take a look once i've dealt with the pgsql icky that prometheanfire hit19:02
ayoungmorgan, its going to be a lot of throwaway work.  I would not suggest doing that until we reduce the number of revoke events19:03
morganayoung: we'll see how it shakes out. for now the migration issue is a RC blocker :(19:04
*** jorge_munoz has quit IRC19:07
*** jorge_munoz has joined #openstack-keystone19:08
prometheanfiremorgan: friend wants to just do a try except with ixu_role_name or role_name_key19:08
morganprometheanfire: that is ok, but it doesn't solve the root problem :(19:09
morganprometheanfire: i'll bet we have a number of variations on a theme here.19:09
morganprometheanfire: i'd like to solve this programmatically if at all possible.19:09
prometheanfiremorgan: so, we need something unique to key off of to do the drop right?19:11
prometheanfirehttp://paste.openstack.org/show/492143/19:11
prometheanfirethat's our options19:11
prometheanfireit's the second one we want19:11
*** pushkaru has quit IRC19:14
morganprometheanfire: yeah19:15
morganprometheanfire: i'm building a mysql db to test with right now19:15
morganprometheanfire: and then i'll poke at pgsql once i'm sure the logic is sane19:16
morganeven if it's DDL calls19:16
morganooh i think i see what i did wrong19:17
morganblargh.19:17
*** real56 has quit IRC19:17
prometheanfireoh?19:17
morgani don't like the way the constraint ends up looking19:17
morganblech. yeah i'm referencing something in a weird way. this will be easier to suss out once i have my DB in hand19:18
morgan(downloading mysql atm)19:18
prometheanfirek19:18
*** rderose has quit IRC19:18
*** e0ne has joined #openstack-keystone19:19
morgancrinkle: btw: YAY config file being found properly now.19:19
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient: Add federation related tests  https://review.openstack.org/29304019:20
dolphmmorgan: can request local caching be backported to mitaka?19:20
morgandolphm: uhm. it landed in mitaka ;)19:20
ayoungmorgan, migration issue is what?19:20
dolphmmorgan: as soon as i asked, i realized i was getting release names wrong19:21
morganayoung: unrelated.19:21
morganayoung: it's an issue with uniqueconstraints being misnamed19:21
*** e0ne has quit IRC19:21
*** rderose has joined #openstack-keystone19:21
ayoungajh19:21
morgandolphm: :P19:21
morgandolphm: to liberty you mean?19:21
morgandolphm: probably.19:21
morganit's pretty darn isolated code.19:21
dolphmmorgan: yeah, i'd be curious what the effort would be19:22
morgandolphm: it would probably be a pretty clean backport19:22
morganwith just shuffling things around19:22
*** pushkaru has joined #openstack-keystone19:22
*** doug-fis_ has joined #openstack-keystone19:22
*** doug-fish has quit IRC19:25
*** roxanaghe has quit IRC19:25
*** e0ne has joined #openstack-keystone19:26
prometheanfiremorgan: think I have it19:27
prometheanfiremorgan: http://paste.openstack.org/show/492148/19:27
prometheanfirethat seemed to drop my     "role_name_key" UNIQUE CONSTRAINT, btree (name)19:27
morganhmm19:27
morgani thought i had that19:27
*** doug-fis_ has quit IRC19:27
*** doug-fish has joined #openstack-keystone19:28
*** e0ne has quit IRC19:28
prometheanfireit still throws a runtime error19:28
prometheanfirehttp://paste.openstack.org/show/492149/19:28
morganoh19:28
morganthat is easy to fix19:29
morganthat is just me being a bit derpy19:29
morganprometheanfire: http://paste.openstack.org/show/492150/19:30
prometheanfireya, that'd work19:31
prometheanfireyep19:33
openstackgerritMorgan Fainberg proposed openstack/keystone: Correct `role_name` constraint dropping  https://review.openstack.org/29840219:34
morganprometheanfire: ^19:34
*** maxabidi has joined #openstack-keystone19:35
*** roxanaghe has joined #openstack-keystone19:35
*** sdake_ has joined #openstack-keystone19:36
*** mylu has quit IRC19:36
prometheanfirenot sure why it's needed in both 96 and 10119:36
prometheanfireoh19:37
prometheanfireread the commit message19:37
morganprometheanfire: yeah. it's being overly cautious19:37
morganand then 88 and 96 will backport to stable/mitaka19:37
prometheanfireya19:37
prometheanfirenow, 9119:37
prometheanfirelol19:37
*** mylu has joined #openstack-keystone19:38
*** fawadkhaliq has quit IRC19:38
*** sdake has quit IRC19:38
*** fawadkhaliq has joined #openstack-keystone19:38
prometheanfiremorgan: you want to look at 91, I think this one is simpler19:39
prometheanfireand should fail in all cases that I can see, not postgres related19:39
morganprometheanfire: mitaka version: https://review.openstack.org/#/c/298406/19:41
patchbotmorgan: patch 298406 - keystone (stable/mitaka) - Correct `role_name` constraint dropping19:41
morganprometheanfire: ok 91...19:42
morganwhat was the failure you were seeing? [bug id works]19:43
prometheanfirehttps://bugs.launchpad.net/keystone/+bug/156296519:43
openstackLaunchpad bug 1562965 in OpenStack Identity (keystone) " liberty -> mitaka db migrate fails on postgresql 091 migration" [Undecided,New]19:43
morganooh19:45
morganok19:45
*** clenimar has quit IRC19:45
morganhuh19:45
morganhow the heck does that pass gate then...19:45
morganoh .. no rows in user_rows :(19:45
prometheanfiremorgan: I remapped it like this19:46
prometheanfireuser_rows = sel.execute19:46
prometheanfireand for row in user_rows():19:46
prometheanfireso it would fetch it each time19:46
prometheanfirefor debugging purposes19:46
morganright19:46
morganthis one is ... grumble ...19:47
prometheanfireI agree, either I'm doing something wrong or it is passing gate via magic19:47
*** BigWillie has quit IRC19:50
*** jaugustine has joined #openstack-keystone19:51
*** gagehugo has joined #openstack-keystone19:53
prometheanfiremorgan: probably just needs to change to if row.has_key('user_password'):19:54
morganpossibly19:55
morgani'll look at it more in a bit.19:55
morganneed to take a break and #lunch19:55
morgan(and get to the airport)19:55
prometheanfirek19:56
prometheanfireya, think it needs more19:57
*** sheel has quit IRC19:57
*** knikolla_ has quit IRC19:57
*** sdake has joined #openstack-keystone20:03
tjcocozzhas anyone had pip get stuck when installing the requirements.txt file on 'oslo.service'?20:04
*** rderose has quit IRC20:05
*** sdake_ has quit IRC20:06
openstackgerritSteve Martinelli proposed openstack/keystone: Correct `role_name` constraint dropping  https://review.openstack.org/29840220:07
stevemarmorgan: pushed a pep8 friendly patch ^20:07
morganstevemar: thanks20:07
morganstevemar: don't have a VM to run on atm and unfortunately internet is sloooooow20:07
crinklemorgan: yay for my things being merged \o/20:09
morgancrinkle: right?! :)20:10
morgancrinkle: also, we have a new RC, planning to get your config file search added to mitaka20:10
crinklemorgan: neat :)20:10
morganif stevemar doesn't mind that is20:11
*** akscram has quit IRC20:11
stevemarmorgan: may as well20:11
stevemarcrinkle: want to propose the backport?20:11
crinklestevemar: sure20:11
morganyay backport!20:11
*** akscram has joined #openstack-keystone20:11
morganstevemar: gonna look at https://review.openstack.org/#/c/285521/ for a rebase20:14
patchbotmorgan: patch 285521 - keystone - Closure table for HMT20:14
morganstevemar: and also poke at request-local-cache as a backport to liberty on dolphm's request [since it's mostly transparent/encapsulated]20:14
stevemarmorgan: closure table?20:14
morganzzzeek: i should have some idea where i'm landing soon and hopefully will be able to pick back up w/ dogpile :)20:14
morganstevemar: yeah rebase so it can land20:14
morganstevemar: it would be good to have for the HMT stuff.20:14
morganstevemar: but not for liberty, for newton.20:15
stevemarmorgan: oh okay, you confused me there20:15
morganstevemar: step 1: unconfuze the ptl20:15
morganstevemar: step 2: profit?20:15
stevemarmorgan: backported crinkle fix https://review.openstack.org/#/c/298420/120:16
patchbotstevemar: patch 298420 - keystone (stable/mitaka) - Fix keystone-manage config file path20:16
morganstevemar: +320:16
*** BigWillie has joined #openstack-keystone20:17
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient: Add federation related tests  https://review.openstack.org/29304020:24
*** fawadkhaliq has quit IRC20:24
morgantopol: you're too quiet20:24
*** fawadkhaliq has joined #openstack-keystone20:25
*** spzala_ has quit IRC20:34
*** jsavak has quit IRC20:40
*** mhickey has quit IRC20:43
*** sdake_ has joined #openstack-keystone20:43
*** sdake has quit IRC20:43
*** mylu has quit IRC20:51
*** BigWillie has quit IRC20:52
*** jsavak has joined #openstack-keystone20:54
*** fawadkhaliq has quit IRC20:59
*** pauloewerton has quit IRC21:00
*** fawadkhaliq has joined #openstack-keystone21:00
*** ericksonsantos has joined #openstack-keystone21:02
openstackgerritTom Cocozzello proposed openstack/keystone: Test list project hierarchy is correct for a large tree  https://review.openstack.org/27751221:05
tjcocozzsamueldmq, ^^ updated my patch to add a test for get_projects_in_subtree_as_ids() Now the delete code needs to be updated to use get_projects_in_subtree_as_ids()21:08
*** diazjf has quit IRC21:12
*** tqtran has quit IRC21:16
openstackgerritayoung proposed openstack/keystone: default policy  https://review.openstack.org/14011321:18
openstackgerritayoung proposed openstack/keystone-specs: Identify Policy by Hash  https://review.openstack.org/29789721:21
*** prometheanfire has quit IRC21:21
*** prometheanfire has joined #openstack-keystone21:22
*** raildo is now known as raildo-afk21:23
openstackgerritTom Cocozzello proposed openstack/keystone: Add `patch_cover` to keystone  https://review.openstack.org/29418921:26
*** sdake_ is now known as sdake21:27
*** jsavak has quit IRC21:33
zzzeekmorgan: good to hear21:35
*** doug-fish has quit IRC21:36
*** ebalduf_ has joined #openstack-keystone21:37
*** tqtran has joined #openstack-keystone21:39
*** gagehugo has quit IRC21:48
*** david_cu has quit IRC21:48
*** jaugustine has quit IRC21:50
*** doug-fish has joined #openstack-keystone21:57
*** dflorea has joined #openstack-keystone21:58
*** ninag has quit IRC22:09
*** slberger has left #openstack-keystone22:16
*** pushkaru has quit IRC22:25
*** henrynash has quit IRC22:29
*** markvoelker has quit IRC22:29
*** harlowja has joined #openstack-keystone22:32
*** harlowja has quit IRC22:32
*** harlowja has joined #openstack-keystone22:33
dfloreaHi everyone. I hope this is the right forum to ask this question. Is there any plan to deprecate the v2 API? We currently use the jclouds library to talk to Keystone. But jclouds only supports Keystone v2 so I'm wondering if we should move to another library that supports Keystone v3. I know there are technical advantages to v3, but I'm taking a pragmatic look at what customers use today and what they will use in the next 12-24 months. Thanks!22:35
bknudsondflorea: the v2 api is mostly deprecated already22:36
bknudsonand the parts that put stuff in the URL that shouldn't be there22:37
stevemardflorea: yeah what bknudson said... it's completely deprecated and will be removed in the Q release, 18+ months from now22:37
bknudsonshould say "the parts that aren't deprecated"22:37
*** doug-fish has quit IRC22:37
*** ebalduf_ has quit IRC22:37
dfloreabknudson, stevemar: Thanks for the reply. When I look online, the Identity API v2.0 still says "Supported". Are there parts of the API that are nevertheless deprecated?22:40
bknudsondflorea: where are you looking?22:41
dfloreabknudson: http://developer.openstack.org/api-ref-identity-v2.html22:41
bknudsonmaybe I'll find some time to update that site.22:42
*** gordc has quit IRC22:43
dfloreaOk. I'll take your word over the site. :)22:43
morgandflorea: if there is a way to communicate/work with jclouds, we should (the keystone/openstack team) work to help them understand/handle the deprecation of v222:43
morganbknudson, stevemar: ^ cc22:44
dfloreamorgan: Ok. We will try to do that. I worry that we will end up in a bad situation if we continue to use jclouds.22:44
morgandflorea: exactly why we should work with them22:47
morgandflorea: don't hesitate to loop me in (or stevemar [haha see what i did there steve? also cc topol]) to help on that front22:47
morgandflorea: we may not be java-programmers (i can't speak to topol's experience, he's been around forever), but we can def. help with any questions folks have when updating jclouds code22:48
morgandflorea: also communication on the openstack-dev mailing list is a good option as well. :)22:48
*** fawadkhaliq has quit IRC22:48
dfloreamorgan:Great. Thanks. We will reach out to them. Thanks for the support!!22:48
*** csoukup has quit IRC22:49
morgandflorea: absolutely! long term i'd like to find a java programmer to make a keystoneauth library for that language22:49
*** fawadkhaliq has joined #openstack-keystone22:49
morganso people aren't trying to update every lib that does openstack auth.22:49
dfloreamorgan:Makes a ton of sense22:50
morganstevemar: how cranky would -infra get if we tried to wedge in a Rust keystoneAuth lib?22:51
stevemarmorgan: not at all :)22:51
morganstevemar: i really want to use protobuf for ksa22:52
morganstevemar: but i think that is a hard sell.22:52
morganstevemar: i'm going to revisit the "split auth and catalog" routes spec this cycle if i'm writing code22:53
morganstevemar: i think it would be a win to make us able to iterate on auth/tokens/catalog separate from api/crud22:53
*** pushkaru has joined #openstack-keystone22:54
*** harlowja has quit IRC22:54
*** harlowja has joined #openstack-keystone22:54
knikollastevemar, on which keystoneauth1 release will this be included? https://review.openstack.org/#/c/289472/22:55
patchbotknikolla: patch 289472 - keystoneauth - Adding authentication compatibility for OpenStackC... (MERGED)22:55
stevemarknikolla: the next one, but our libraries are frozen right now while we release mitaka22:56
*** david-lyle_ is now known as david-lyle22:57
knikollastevemar, i see. with that, this passes the py27 tests https://review.openstack.org/#/c/276350/22:57
patchbotknikolla: patch 276350 - python-openstackclient - Moving authentication from keystoneclient to keyst...22:57
knikollai manually checked22:57
openstackgerritRon De Rose proposed openstack/keystone: Cleaning up identity.core  https://review.openstack.org/29614022:58
morganstevemar: so, for austin (assuming i'm there) I'd like to talk "non-python ksa" with everyone.22:58
stevemarmorgan: better bring your tomato shield22:58
morgansee what the best approach will be to handle KSA and non-python variants and gating22:59
stevemarknikolla: as soon as we get the OK to release new libraries, i will release a new KSA22:59
morganyeah but it's a real concern.22:59
knikollastevemar, thanks!23:00
knikollathat would really help as getting the openstackclient change upstream is my task for the upcoming sprints. haha23:01
stevemarknikolla: believe me, i want to see OSC move to KSA more than anyone23:01
*** pushkaru has quit IRC23:01
*** timcline has quit IRC23:01
stevemarknikolla: with OSC using KSA, then we'll really have sweet federation support via CLI23:01
knikollastevemar, amen!23:02
topolmorgan, stevemar I will not admit to knowing Java23:08
stevemartopol: 9 people have recommended you on linkedin for your java skill23:10
stevemarmad java skills23:10
topolstevemar, morgan its worse: http://dl.acm.org/citation.cfm?id=126801123:11
stevemarCOOTS'9823:11
openstackgerritMorgan Fainberg proposed openstack/keystone: Correct `role_name` constraint dropping  https://review.openstack.org/29840223:12
morgantopol: it's ok i expect you to write a lot of java23:16
*** arunkant has quit IRC23:17
*** bjornar has quit IRC23:20
*** ametts has quit IRC23:22
*** harlowja has quit IRC23:25
*** harlowja has joined #openstack-keystone23:25
*** rk4n has quit IRC23:28
*** mylu has joined #openstack-keystone23:31
*** furface has joined #openstack-keystone23:43
*** knikolla has quit IRC23:44
morganstevemar: yay osc using KSA23:47
*** fawadkhaliq has quit IRC23:50
*** fawadkhaliq has joined #openstack-keystone23:50
*** mylu has quit IRC23:51
*** fawadkhaliq has quit IRC23:52
*** fawadkhaliq has joined #openstack-keystone23:52
*** furface has quit IRC23:53
prometheanfiremorgan: wooo :D23:55
prometheanfirejust need to update my compute nodes and I'm on mitaka23:56
*** furface has joined #openstack-keystone23:57
*** sigmavirus24 is now known as sigmavirus24_awa23:58
morganprometheanfire: i expect to dig out the migration #91 tomorrow23:59
prometheanfiremorgan: I'll be available23:59
*** fawadkhaliq has quit IRC23:59
morganprometheanfire: i think i can address it. i am pretty sure this one won't require magic migrations to solve (forward ports)23:59
*** fawadkhaliq has joined #openstack-keystone23:59
morganprometheanfire: since it is just a broken migration. we'll see though23:59
morganprometheanfire: also, what TZ are you in?23:59
