Wednesday, 2016-04-06

« Tuesday, 2016-04-05 Index Thursday, 2016-04-07 »
*** marg7175 has joined #openstack-keystone00:10
*** tqtran has quit IRC00:13
*** stingaci has quit IRC00:19
*** roxanaghe has quit IRC00:28
*** sdake has joined #openstack-keystone00:32
*** sdake_ has quit IRC00:34
*** lhcheng has quit IRC00:42
openstackgerritRon De Rose proposed openstack/keystone: Fixes bug where the updated federated display_name is not getting returned  https://review.openstack.org/30198700:43
openstackgerritRon De Rose proposed openstack/keystone: Fixes bug where the updated federated display_name is not returned  https://review.openstack.org/30198700:45
*** dflorea has quit IRC00:46
*** dave-mcc_ has joined #openstack-keystone00:50
*** sdake_ has joined #openstack-keystone00:51
*** sdake has quit IRC00:51
*** dave-mccowan has quit IRC00:51
rderose_stevemar dolphm breton: fixed bug where updated display_name wasn't being returned: https://review.openstack.org/#/c/301987/00:52
patchbotrderose_: patch 301987 - keystone - Fixes bug where the updated federated display_name...00:52
rderose_breton: thanks for catching these 2 bugs; can't believe I missed that first one00:52
*** rderose_ has quit IRC00:54
*** knikolla has quit IRC00:56
*** mylu has quit IRC01:03
*** roxanaghe has joined #openstack-keystone01:07
*** zzzeek_ has quit IRC01:10
*** roxanaghe has quit IRC01:12
*** zzzeek has joined #openstack-keystone01:13
*** wxy has joined #openstack-keystone01:20
*** lhcheng has joined #openstack-keystone01:23
*** ChanServ sets mode: +v lhcheng01:23
*** lhcheng_ has joined #openstack-keystone01:24
*** lhcheng has quit IRC01:24
*** spandhe has quit IRC01:26
*** EinstCrazy has joined #openstack-keystone01:34
*** mylu has joined #openstack-keystone01:38
*** jamielennox is now known as jamielennox|away01:43
*** marg7175 has quit IRC01:47
*** woodster_ has quit IRC01:47
*** jamielennox|away is now known as jamielennox01:53
*** sdake has joined #openstack-keystone01:55
*** sdake_ has quit IRC01:56
*** EinstCra_ has joined #openstack-keystone02:01
*** lhcheng_ has quit IRC02:01
*** EinstCrazy has quit IRC02:04
*** mylu has quit IRC02:16
*** mylu has joined #openstack-keystone02:18
*** spandhe has joined #openstack-keystone02:19
stevemarmfisch: dolphm normally the CVE / OSSN has references to the commits/ changes no?02:19
*** zzzeek has quit IRC02:21
*** zzzeek has joined #openstack-keystone02:23
*** stingaci has joined #openstack-keystone02:28
*** marg7175 has joined #openstack-keystone02:29
*** edmondsw has quit IRC02:29
*** lhcheng has joined #openstack-keystone02:30
*** ChanServ sets mode: +v lhcheng02:30
*** lhcheng has quit IRC02:30
*** lhcheng has joined #openstack-keystone02:30
*** ChanServ sets mode: +v lhcheng02:30
*** spandhe_ has joined #openstack-keystone02:38
*** spandhe has quit IRC02:40
*** spandhe_ is now known as spandhe02:40
*** tobe has joined #openstack-keystone02:42
*** tobe has quit IRC02:42
*** richm has quit IRC02:43
*** mylu has quit IRC02:44
*** mylu has joined #openstack-keystone02:49
mfischlbragstad: you here?02:52
*** zqfan has joined #openstack-keystone02:53
lbragstadmfisch yo02:54
mfischlbragstad: so sometime between our old code and stable/L the token format changed02:54
mfischyou remember that discussion we had on the old token02:54
mfisch"old" tokens had a %3D at the end02:54
mfischand if you pass that into Stable/L it throws an exception and returns 50002:54
mfischit seems that for some reason some of my services dont like that02:55
lbragstadmfisch ah - we made it so that there is no padding returned on tokens02:55
mfischpadded tokens not throwing 500 would be nice, throwing 401 would be better02:55
lbragstadin mitaka02:55
mfischits in stable/liberty02:55
mfischalso02:55
lbragstada token from mitaka doesn't get validated on liberty02:56
lbragstadright?02:56
lbragstadcc dolphm ^02:56
lbragstadI thought we had fixes for taht02:56
mfischsorry you're off by 102:56
mfischkilo fernet on stable/L02:56
mfisch== 50002:56
lbragstadoh02:56
lbragstadwhat about mitaka and l?02:56
lbragstadliberty*?02:56
mfischI just deployed stable/lib tonight like 5 min ago dont get ahead of me ;)02:57
lbragstad:)02:57
lbragstadok - I'm pretty sure we made sure that tokens would be compatible between liberty and mitaka02:57
mfischyeah I hope so02:58
mfischI'm about to promise no token format changes anymore in an email to my whole team02:58
ayoungmfisch, fernet is it.  I will not support another token change.02:58
lbragstadhah02:58
lbragstad*iff* we do another change - it has to be one named after a better booze02:59
ayounglbragstad, nope.  If we do anything, we go tokenless02:59
ayoungFernet is the last token format.02:59
lbragstadayoung I'd be in favor of that03:00
mfischcan we call it bourbon03:00
mfischdont change fernet either by messing with padding03:00
ayoungmfisch, tokens are dumb.03:00
mfischoh mean I need booze for this03:00
ayoungmfisch, MacAllans waiting for me upstairs03:01
mfischI have GlenMorangie03:01
ayoungNIce03:01
*** sdake_ has joined #openstack-keystone03:01
lbragstadI have some listerine?03:01
mfischwhatever gets you though that Minnesota winter03:02
ayoungActually,, I lied.  I killed the MacAllans...think what I actually have is Glenfiddich?03:02
*** dan_nguyen has quit IRC03:02
ayoungTwas Glenlivet. And now it is sitting next to me in a glass as I try to learn more Rust03:03
mfischps4 for me03:03
mfischno more work03:03
*** sdake has quit IRC03:04
ayoungmfisch, this is Rust...this is not work03:04
mfischRust game or Rust programming language?03:04
ayoungProgramming language.  I'm writing a tftp server to learn the network API03:04
ayoungactually, learning the syntax is the hard part03:05
mfischintersting so far?03:06
ayoungyep...file transfer over UDP keeps you guessing...03:06
ayoungBut I want a PXE server03:06
ayoungso once I get this, it is DHCP03:06
*** diazjf has joined #openstack-keystone03:07
* lbragstad gets ready to go watch some Longmire03:07
mfischbattlefront03:07
lbragstadmfisch ah - good game03:07
*** marg7175 has quit IRC03:08
mfischhmu: Foco_mfisch on there03:08
ayoungI'm also growing two gardens on XKCD today03:09
*** diazjf has quit IRC03:09
*** mylu has quit IRC03:10
lbragstadayoung do you like westerns?03:10
lbragstadmfisch ^03:10
ayoungMovies?  Yeah, sortof.03:11
ayoungI like John Wayne.03:11
lbragstadayoung I bet you'd like Longmire - my father-in-law introduced it to me over easter03:11
mfischI like longmire03:11
mfischI like 45 miles from Wyoming03:11
mfischayoung would like longmire03:12
lbragstadi think so too...03:12
ayoungProbably.  But I don't watch much TV these days03:12
mfischits okay if you dont support me03:12
lbragstadnothin' can stop Walt Longmire and his 191103:12
ayoung"SHANE!"03:13
*** mylu has joined #openstack-keystone03:13
mfischneed to see Hateful 803:13
lbragstadmfisch yeah - that one's awesome03:13
mfischmovies cost 2x b/c I need a sitter so DVD/stream is easier03:14
ayoungTo be honest, violence in movies is not my idea of fantasy anymore.  I mean, I liked Deadpool, but more for the quips03:14
mfischneed to see that too03:14
ayoungI got date night credit for Deadpool03:14
lbragstadyeah - there we some good lines in that one03:14
*** mylu has quit IRC03:14
ayoungI talked her out of Zoolander 2.  Knew it was not going to stand up to 1.03:15
*** mylu has joined #openstack-keystone03:15
lbragstadi never saw that one03:15
lbragstadZoolander dos that is03:15
ayoung2 got panned03:15
*** roxanaghe has joined #openstack-keystone03:16
mfischthe one with Leo lost in Wyoming... it was good03:17
mfischcannot recall name03:17
lbragstadRevenant?03:17
mfischyep03:17
*** dan_nguyen has joined #openstack-keystone03:17
lbragstad13 hours was intense - my wife actually liked that one as much as i did03:17
*** dflorea has joined #openstack-keystone03:19
*** dflorea has quit IRC03:20
lbragstadalright - i'm clockin' out, catch you all tomorrow03:21
crinklemfisch: battlefront!03:21
mfischcrinkle: ok!03:21
mfischshe found me lol03:21
crinkle:P03:21
*** markvoelker has quit IRC03:26
*** roxanaghe has quit IRC03:29
*** stingaci has quit IRC03:32
*** dflorea has joined #openstack-keystone03:34
*** stingaci has joined #openstack-keystone03:37
morganoh my03:38
*** mylu has quit IRC03:41
*** mylu has joined #openstack-keystone03:41
*** mylu has quit IRC03:42
*** mylu has joined #openstack-keystone03:42
*** dflorea has quit IRC03:43
*** dflorea has joined #openstack-keystone03:43
*** roxanaghe has joined #openstack-keystone03:44
*** anush_ has joined #openstack-keystone03:49
*** tqtran has joined #openstack-keystone03:49
*** links has joined #openstack-keystone03:52
*** dflorea has quit IRC03:52
*** agrebennikov has quit IRC04:00
*** dan_nguyen has quit IRC04:01
*** tqtran has quit IRC04:02
*** jamielennox is now known as jamielennox|away04:21
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/30062604:25
*** markvoelker has joined #openstack-keystone04:26
stevemarthere was chit chat going on and i didn't partake, darn!04:28
openstackgerritJamie Lennox proposed openstack/keystone: Make AuthContext depend on auth_token middleware  https://review.openstack.org/25568604:29
*** jamielennox|away is now known as jamielennox04:29
*** jasonsb has joined #openstack-keystone04:30
*** markvoelker has quit IRC04:32
*** Nirupama has joined #openstack-keystone04:41
*** woodster_ has joined #openstack-keystone04:44
*** furface has quit IRC04:51
*** browne has joined #openstack-keystone04:51
*** mylu has quit IRC04:51
*** stingaci has quit IRC04:55
*** stingaci has joined #openstack-keystone04:55
*** jaosorior has joined #openstack-keystone04:55
*** anush_ has quit IRC05:01
*** jamielennox is now known as jamielennox|away05:01
*** browne has quit IRC05:07
*** mylu has joined #openstack-keystone05:08
*** furface has joined #openstack-keystone05:09
*** jamielennox|away is now known as jamielennox05:11
*** mylu has quit IRC05:12
*** GB21 has joined #openstack-keystone05:14
*** browne has joined #openstack-keystone05:14
*** furface has quit IRC05:16
*** browne has quit IRC05:18
*** jamielennox is now known as jamielennox|away05:22
*** jamielennox|away is now known as jamielennox05:30
*** sekrit has quit IRC05:30
*** stingaci has quit IRC05:36
*** sdake has joined #openstack-keystone05:40
*** stingaci has joined #openstack-keystone05:40
*** roxanaghe has quit IRC05:41
*** roxanaghe has joined #openstack-keystone05:42
*** sdake_ has quit IRC05:42
*** stingaci has quit IRC05:43
*** sdake_ has joined #openstack-keystone05:49
openstackgerritJamie Lennox proposed openstack/keystone: Make AuthContext depend on auth_token middleware  https://review.openstack.org/25568605:49
*** sdake has quit IRC05:52
*** stingaci has joined #openstack-keystone05:54
*** stingaci has quit IRC05:55
*** dave-mcc_ has quit IRC05:56
*** stingaci has joined #openstack-keystone05:56
*** rcernin has joined #openstack-keystone05:59
*** stingaci has quit IRC06:01
*** fawadkhaliq has joined #openstack-keystone06:02
*** roxanaghe has quit IRC06:07
*** lhcheng has quit IRC06:13
*** aswadr_ has joined #openstack-keystone06:14
*** fawadkhaliq has quit IRC06:20
*** josecastroleon has joined #openstack-keystone06:21
*** sekrit has joined #openstack-keystone06:23
*** markvoelker has joined #openstack-keystone06:29
*** rk4n has joined #openstack-keystone06:29
*** belmoreira has joined #openstack-keystone06:30
*** dave-mcc_ has joined #openstack-keystone06:33
*** markvoelker has quit IRC06:35
*** furface has joined #openstack-keystone06:35
*** jamielennox is now known as jamielennox|away06:38
*** woodster_ has quit IRC06:47
*** dave-mccowan has joined #openstack-keystone06:49
*** dave-mcc_ has quit IRC06:54
*** ankur has joined #openstack-keystone06:54
*** lhcheng has joined #openstack-keystone07:00
*** ChanServ sets mode: +v lhcheng07:00
*** jaosorior has quit IRC07:00
*** openstackgerrit has quit IRC07:02
*** openstackgerrit has joined #openstack-keystone07:02
*** sheel has joined #openstack-keystone07:05
*** pcaruana has joined #openstack-keystone07:06
*** spandhe has quit IRC07:06
*** jaosorior has joined #openstack-keystone07:07
*** roxanaghe has joined #openstack-keystone07:08
*** rcernin has quit IRC07:08
*** rcernin has joined #openstack-keystone07:09
*** spandhe has joined #openstack-keystone07:10
*** roxanaghe has quit IRC07:13
*** stingaci has joined #openstack-keystone07:13
*** stingaci has quit IRC07:18
*** jaosorior has quit IRC07:22
*** jaosorior has joined #openstack-keystone07:22
*** jaosorior has quit IRC07:47
*** jaosorior has joined #openstack-keystone07:47
*** rdo has quit IRC07:47
*** spandhe has quit IRC07:58
*** GB21 has quit IRC07:58
*** daemontool has joined #openstack-keystone08:04
*** roxanaghe has joined #openstack-keystone08:14
*** rdo has joined #openstack-keystone08:15
*** roxanaghe has quit IRC08:18
*** jistr has joined #openstack-keystone08:22
*** brad[] has quit IRC08:26
*** brad[] has joined #openstack-keystone08:27
bretono/08:27
*** markvoelker has joined #openstack-keystone08:30
*** mhickey has joined #openstack-keystone08:33
openstackgerritLi Yingjun proposed openstack/keystone: Fix KeyError when rename to a name is already in use  https://review.openstack.org/30141808:33
*** markvoelker has quit IRC08:35
*** e0ne has joined #openstack-keystone08:35
openstackgerritBoris Bobrov proposed openstack/keystone: Fixes bug where the updated federated display_name is not returned  https://review.openstack.org/30198708:38
*** dave-mccowan has quit IRC08:43
*** lhcheng has quit IRC08:43
*** e0ne has quit IRC09:00
*** pnavarro has joined #openstack-keystone09:00
*** Daviey_ has quit IRC09:10
*** Daviey has joined #openstack-keystone09:12
openstackgerritwangxiyuan proposed openstack/keystone: Update the description of the role driver option  https://review.openstack.org/30211809:16
*** GB21 has joined #openstack-keystone09:18
openstackgerrithenry-nash proposed openstack/keystone: Clean up test case for shadow users  https://review.openstack.org/30212309:24
*** henrynash has joined #openstack-keystone09:24
*** ChanServ sets mode: +v henrynash09:24
openstackgerrithenry-nash proposed openstack/keystone: Clean up test case for shadow users  https://review.openstack.org/30212309:25
*** phalmos has joined #openstack-keystone09:40
*** phalmos has quit IRC09:48
*** EinstCra_ is now known as EinstCrazy10:00
*** sdake_ has quit IRC10:02
openstackgerrithenry-nash proposed openstack/keystone: Fixes bug where the updated federated display_name is not returned  https://review.openstack.org/30198710:04
openstackgerrithenry-nash proposed openstack/keystone: Clean up test case for shadow users  https://review.openstack.org/30212310:04
*** GB21 has quit IRC10:05
*** e0ne has joined #openstack-keystone10:06
*** ekarlso- has quit IRC10:09
*** EinstCrazy has quit IRC10:12
-openstackstatus- NOTICE: npm lint jobs are failing due to a problem with npm registry. The problem is under investigation, and we will update once the issue is solved.10:17
*** ChanServ changes topic to "npm lint jobs are failing due to a problem with npm registry. The problem is under investigation, and we will update once the issue is solved."10:17
*** ekarlso- has joined #openstack-keystone10:21
*** ekarlso- has quit IRC10:22
*** ekarlso has joined #openstack-keystone10:22
*** mvk_ has quit IRC10:23
*** markvoelker has joined #openstack-keystone10:31
*** markvoelker has quit IRC10:36
*** rodrigods has quit IRC10:52
*** rodrigods has joined #openstack-keystone10:53
*** tqtran has joined #openstack-keystone10:56
*** GB21 has joined #openstack-keystone10:57
*** GB21 has quit IRC10:59
*** tqtran has quit IRC11:01
*** tellesnobrega is now known as tellesnobrega_af11:04
*** henrynash has quit IRC11:10
*** stingaci has joined #openstack-keystone11:16
*** marg7175 has joined #openstack-keystone11:17
*** stingaci has quit IRC11:20
*** mvk_ has joined #openstack-keystone11:38
*** gordc has joined #openstack-keystone11:42
*** tellesnobrega_af is now known as tellesnobrega11:48
*** roxanaghe has joined #openstack-keystone11:49
*** doug-fish has joined #openstack-keystone11:50
*** roxanaghe has quit IRC11:54
openstackgerritvenkatamahesh proposed openstack/keystone: Update the Administrator guide link  https://review.openstack.org/30220112:03
morganMornin Keystone's!12:04
morganKeystoners* damn you autocorrect12:04
morgan;)12:04
bretono/12:06
*** e0ne has quit IRC12:13
*** raildo-afk is now known as raildo12:14
*** markvoelker has joined #openstack-keystone12:15
*** hughsaunders has quit IRC12:16
*** e0ne has joined #openstack-keystone12:17
*** hughsaunders has joined #openstack-keystone12:18
*** Nirupama has quit IRC12:21
*** trown|outtypewww is now known as trown12:23
*** mhickey has quit IRC12:26
*** henrynash has joined #openstack-keystone12:29
*** ChanServ sets mode: +v henrynash12:29
dstanekmorgan: morning12:49
samueldmqmorning12:51
morgandstanek: how goes?12:51
morgansamueldmq: allo12:51
samueldmqmorgan: howdy12:52
dstanekmorgan: pretty good. slowly getting back into the swing of things after my vacation last week12:53
morgandstanek: nice12:53
morganVacation ++12:54
dstanekhow about you?12:55
morganNot too bad. Hopping on another plane12:56
morganWill be in the air soon(TM)12:56
*** links has quit IRC12:56
*** tellesnobrega is now known as tellesnobrega_af12:57
dstanekwhere are you off to now?12:58
*** mhickey has joined #openstack-keystone13:00
*** edmondsw has joined #openstack-keystone13:09
samueldmqmorgan: safe travels :)13:11
*** pauloewerton has joined #openstack-keystone13:12
*** sdake has joined #openstack-keystone13:15
*** sdake_ has joined #openstack-keystone13:19
*** sdake has quit IRC13:19
*** jsavak has joined #openstack-keystone13:21
*** sdake_ has quit IRC13:24
*** sdake has joined #openstack-keystone13:27
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Restructure resource backend  https://review.openstack.org/30225713:31
*** alex_xu has quit IRC13:33
*** ametts has joined #openstack-keystone13:35
*** alex_xu has joined #openstack-keystone13:35
morgandstanek: montreal.13:37
morgandstanek: finally in the air and have wifi going :)13:37
*** roxanaghe has joined #openstack-keystone13:37
morganbut man gogo is sllloooowwww WTB viasat13:37
*** tellesnobrega_af is now known as tellesnobrega13:37
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Restructure resource backend  https://review.openstack.org/30225713:38
samueldmqdstanek: bknudson  ^13:38
samueldmqin tests, it would be: test_controllers.py, test_managers.py and test_drivers.py13:39
bknudsonwe seem to have different developers all proposing different alternative layouts for the packages...13:39
bknudsonfor example, https://review.openstack.org/#/c/296140/ moves drivers to backends/base.py13:40
patchbotbknudson: patch 296140 - keystone - Remove backend interface and common code out of id...13:40
samueldmqI am not aware of other proposals13:40
* samueldmq 's looking13:40
bknudsonand now https://review.openstack.org/#/c/302257/ moves drivers to keystone/resource/drivers.py13:40
patchbotbknudson: patch 302257 - keystone - Restructure resource backend13:40
bknudsonI think we need a spec or a dev doc update rather than just moving things around.13:40
samueldmqbknudson: I agree, just would like to get opinions on it13:41
samueldmqbknudson: does it look better that way for you ?13:41
*** roxanaghe has quit IRC13:42
morganbknudson: a spec or at least a developer doc for it13:42
morganbknudson: so we can point to "this is the structure we want"13:42
samueldmqI agree on developer doc, spec isn't necessary imo13:42
morganeither works13:42
bknudsonsamueldmq: putting the driver interfaces in backends/base.py makes sense.13:43
morganbknudson: ++13:43
*** jaosorior has quit IRC13:44
samueldmqbknudson: yes, maybe that even makes more sense in cases like identity, where we have backends/base.py13:45
samueldmqmapping_backends/base.py and shadow_backends/base.py13:45
samueldmqrather than puttin everything inside a single drivers.py file13:45
morganand also "base" is a pretty logical name for that stuff13:46
samueldmqmorgan: ++13:46
morganit's where i'd expect that type of thing to live13:46
samueldmqbknudson: morgan: do you like renaming core.py to managers.py ?13:46
samueldmq"core" says nothing to me13:46
morgan"core" is no different than just what i'd expect in __init__.py13:46
morganjust ... not the magic file13:47
morganif the file only contains managers, a rename to manager.py or managers.py would be fine [again remember deprecation of symbol locations for N cycles etc etc etc]13:47
samueldmqyes, managers is more explicit13:47
samueldmqand we name other things explicitly, like "controllers" and "routers"13:48
morganso i think the steps are "propose developer doc for these things"13:48
morganor a series of edits to the developer docs.13:48
morganthen start making sure everything is aligned with the dev. docs13:49
morganit's a lot of code shuffle but we will have a target to point at.13:49
morganwhich is good.13:49
samueldmqmorgan: completely agree, I will propose a patch updating the docs13:49
samueldmqmorgan: and then work on updating the subsystems (resouce, assignments, etc) with rdrose (identity, and more if he wants)13:50
bknudsonsamueldmq: thanks!13:50
morgansamueldmq: i'd break it up into a couple changes: 1) Tests, 2) changes (like core -> managers, core.<thing> -> Base.py) etc13:50
morganbknudson: ++13:50
*** knikolla has joined #openstack-keystone13:57
*** EinstCrazy has joined #openstack-keystone13:59
*** EinstCrazy has quit IRC13:59
*** csoukup has joined #openstack-keystone13:59
*** EinstCrazy has joined #openstack-keystone13:59
*** rderose has joined #openstack-keystone14:00
knikollamorning!14:01
rderosebknudson -2 on Remove backend interface and common code out of identity.core??14:02
DinaBelovamorgan fyi I filed https://bugs.launchpad.net/keystone/+bug/1566835 and https://bugs.launchpad.net/keystone/+bug/1566857 - this might be my local issue somehow, I'm debugging this with amakarov and breton now14:09
openstackLaunchpad bug 1566835 in OpenStack Identity (keystone) "Keystone oslo_cache.memcache_pool cache seems not to work properly" [Undecided,New]14:09
openstackLaunchpad bug 1566857 in OpenStack Identity (keystone) "Keystone authtoken middleware seems to work wrong with memcached cache" [Undecided,New]14:09
*** EinstCrazy has quit IRC14:09
morganDinaBelova: sounds good14:10
*** EinstCrazy has joined #openstack-keystone14:10
DinaBelovamorgan in fact it sounds bad now :D14:10
DinaBelovaI really hope I'm wrong :)14:10
morganlol14:10
morganDinaBelova: for keystone memcache pool is almost pointless with eventlet going away14:11
morganDinaBelova: if not completely pointless14:11
morganDinaBelova: in middeware it's a little different14:12
*** jaosorior has joined #openstack-keystone14:12
openstackgerritSteve Martinelli proposed openstack/keystone: Update the description of the role driver option  https://review.openstack.org/30211814:12
morganand it likely is still useful/needed/something14:12
morganbut i dislike that it has to touch internal interfaces.14:12
DinaBelovamorgan well, yeah, looking on all this stuff now14:12
morganDinaBelova: so.. do you mind if i mark (not the oslo.cache part) but keystone specific (server) cases as "invalid"?14:13
morganuwsgi/mod_wsgi doesn't make sense to continue with it14:13
DinaBelovaam I wrong in Mitaka oslo_cache.memcache_pool seems to be the default value?14:13
DinaBelovafor keystone?14:14
morganshouldn't be i don't think14:14
bretonno, it's not default14:14
morganagain memcachepool really is pointless for non-eventlet systems14:14
morganfor keystone.14:14
bretonnot really14:14
morganyes really.14:14
bretonno14:15
DinaBelovalol14:15
morganit requires hacking internal interfaces14:15
morganand is generally awful14:15
bretonyes14:15
bretonbut there are still threads14:15
morganwe only use memcache pool to deal with explicit threadlocal issues in memcache14:15
morganthat deal with eventlet14:15
morganthe other ones don't get slammed with the greenthread explosion (threads are strictly controlled)14:15
morganso i'm going to go on a limb and say unless we make memcachepool not terrifyingly bad, it is a bad option for uwsgi/mod_Wsgi14:16
openstackgerritEyal proposed openstack/keystone: Simplify chained comparison  https://review.openstack.org/30227914:16
DinaBelovaok, so I'm running keystone under apache mod_wsgi - what should I be looking at? What should be my default external caching solution?14:16
DinaBelovashould it be redis?14:17
morganbreton: also memcache token backend is deprecated/slated for eventual removal14:17
morganbreton: which is the key point in keystone server it was needed14:17
amakarovDinaBelova, you can try regular memcache backend14:18
morganDinaBelova: well 2 things: Fernet Tokens (not using memcache backend for token store), and for caching regular memcache backend14:18
*** slberger has joined #openstack-keystone14:18
amakarovI don't know if it will help14:18
bretonmorgan: i agree14:18
morganor bmemcache or pylibmc.14:18
morgan(dogpile configs)14:18
amakarovmorgan, it isn't about tokens - it's MEMOIZE that malfunctions14:20
morganmoved https://bugs.launchpad.net/oslo.cache/+bug/1566835 to oslo.cache14:20
openstackLaunchpad bug 1566835 in oslo.cache "Keystone oslo_cache.memcache_pool cache seems not to work properly" [Undecided,New]14:20
DinaBelovaack14:20
morganamakarov: right. and it's because memcache_pool is very fragile.14:20
morganat best.14:20
amakarovmorgan, I hope you are right :)14:21
morganamakarov: the standard memcache interface is tested on *Every* gate run14:21
morganenabled in devstack for all gate jobs14:21
amakarovcool14:21
morgan(mod_wsgi)14:21
morganwe'd know if that was broken ^_^14:22
morganand i think uwsgi runs are also enabling it.14:22
morganbknudson: for uwsgi deploy, we just need to restart uwsgi not apache when reconfiguring keystone (we should make sure we're doing that - i assume we are, just wifi on airplane is slow to load code)14:22
DinaBelovamorgan amakarov what should I set in my config to set standard memcache cache?14:23
amakarov[cache]driver=memcache14:23
amakarovsmth like that - there have to ve an example in comments14:23
morganyeah, set the memcache servers (looking for the option) and [cache]enabled=true14:23
DinaBelovahttps://github.com/openstack/keystone/blob/stable/mitaka/etc/keystone.conf.sample#L380-L384 - I just do not see this variant here?14:24
morganso fwiw14:25
morganmemcachepool is the default for us in gate14:25
morganhttp://paste.openstack.org/show/493169/14:25
morgantaken from http://logs.openstack.org/40/296140/13/check/gate-tempest-dsvm-full/6c4f4a5/logs/etc/keystone/keystone.conf.txt.gz14:25
DinaBelovaheh14:25
morganthe <11211> should be <port>14:25
morganso we are gating on memcachepool working14:26
morganand i can clearly point to test runs that show it working :)14:26
DinaBelovawell, I do not say the API is not working :)14:26
DinaBelovait's ok14:26
DinaBelovait just simply goes to the DB every time instead of cache using14:26
DinaBelova:D14:26
amakarovDinaBelova, btw, are there all cache calls are misses?14:27
*** sheel has quit IRC14:27
DinaBelovaamakarov can't get your question, sorry14:27
stevemarmorgan: mtl again? you trying to get citizenship here or something? :P14:27
morgancache misses will always hit the db, he's asking if the requests you're seeing are cache misses14:28
DinaBelovaamakarov can you please rephrase?14:28
morganstevemar: haha14:28
morganDinaBelova: not exactly the same call to a memoized function14:28
DinaBelovamorgan the issue is that it should be value in the cache for this case14:28
amakarovDinaBelova, are there successful cache requests?14:28
DinaBelovaamakarov yes, there are some14:28
morganalso for a given request (http), you will only ever see [except where cache is invalidated] one request to the db *if* the caching is enabled14:29
morganso .get_user('<DinaBelova's user_id') should only make one call to the db for auth if caching is enabled. and possibly never to memcache14:30
morganbecause we cache the data in a threadlocal cache too14:30
morgansubsequent http requests should hit memcache 1 time, at most.14:30
* morgan would try and do a synthetic test of this right now but can't due to low bandwidth14:31
DinaBelovaamakarov morgan - let's take a look on http://dinabelova.github.io/mitaka_user_list.html - if you'll click several keystone cache stuff you'll see that there are the same calls with get_user_by_name(, u'admin', 'default') - if I'll trace the keys generated for the backend it'll be the same one here14:32
DinaBelovamorgan ack14:32
bknudsonmorgan: for uwsgi proxy, apache will return some proxy error if it can't talk to keystone. So you can restart the uwsgi servers independently14:32
morganbknudson: right.14:32
morganDinaBelova: i'll likely have a few minutes to poke at this tomorrow.14:33
DinaBelovamorgan thank you sir14:33
morganDinaBelova: or whaen i get to JFK between flights14:33
DinaBelovaack14:33
amakarovDinaBelova, attach the links to the code please14:33
DinaBelovaamakarov where to attach links and to what code?14:33
amakarovwhere you inserted osprofiler magic14:33
DinaBelovaah14:33
morganDinaBelova: but i do know it works ;) [i'll wedge in some debug output that will show the memcache hits/misses while i'm poking at this]14:34
bknudsonrderose: we need developer docs for how the components will be laid out otherwise it's going to be a mess.14:34
morganDinaBelova: so, i'm good with landing OSProfiler in this cycle like it is. eventualyl i'd like to create clear hook points that anyone can use (not just osprofiler) so we don't need any osprofiler code in keystone itself14:34
DinaBelovamorgan ok, gotcha14:35
morganDinaBelova: if you would like to discuss that at the summit, I'd like to come up with a proposal on how that should look across all openstack projects :)14:35
DinaBelovamorgan that will be super interesting14:35
DinaBelovathank you sir14:35
morganDinaBelova: and you're clearly the right person to discuss that with! ^_^14:36
DinaBelova;)14:36
DinaBelovaamakarov fyi https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:osprofiler-support-in-keystone14:36
morgan(among other people that we should loop in like amakarov )14:36
amakarovmorgan, I'm in touch with the issue anyway along with breton :)14:37
morganamakarov: :)14:38
morganyes breton too14:38
*** richm has joined #openstack-keystone14:39
rderosebknudson finally got 2 +2s and then because Samuel puts up a patch you -2 it14:40
rderosebknudson come on man, it's a good change, let it go thru :)14:40
*** sigmavirus24_awa is now known as sigmavirus2414:40
morganrderose: we need a clear set of targets, so his hold is really "put dev doc up" so we can make sure we're consistent14:41
morganrderose: poke at samueldmq and i am sure we can land that quickly (dev doc) so all the code shuffling becomes consistent14:41
*** spandhe has joined #openstack-keystone14:41
morganrderose: fwiw, i think the -2 is correct for the moment but should be clearable right post summit since the devdoc can land prob while we're there14:41
rderosebknudson morgan: okay, by dev doc, you mean a spec?14:41
*** sdake_ has joined #openstack-keystone14:42
*** sdake has quit IRC14:42
morganrderose: no actually docs in keystone saying "code is structured like X" [updates] and structure of how tests work14:42
morgana "spec" is not likely needed14:42
bknudsonrderose: y, what morgan said14:42
*** sdake_ is now known as sdake14:43
bknudsonand I hope it doesn't take until the summit. It could be done today.14:43
rderosemorgan bknudson cool14:45
morganbknudson: i am overestimating14:45
morganbknudson: and will be happy if it's done today/tomorrow/nextweek14:45
morganbut summit is very close14:45
morgansooooooooo14:45
rderosemorgan bknudson: where in keystone to I put the docs?  sorry, can you point me in the right direction14:46
rderose* do I14:46
*** GB21 has joined #openstack-keystone14:46
bknudsonsamueldmq: were you working on some docs for the component layout now?14:46
bknudsonsomewhere under Developers Documentation ...14:47
bknudsonhttp://docs.openstack.org/developer/keystone/#developers-documentation14:47
rderosebknudson: okay, on it14:47
bknudsonI would think in http://docs.openstack.org/developer/keystone/architecture.html would make the most sense14:47
bknudsonor a separate file is fine14:47
*** sdake_ has joined #openstack-keystone14:48
*** clenimar has quit IRC14:48
morganbknudson: ++14:48
rderosebknudson: perfect, thx14:48
*** ericksonsantos has quit IRC14:48
*** pauloewerton has quit IRC14:48
*** iurygregory has quit IRC14:48
*** raildo is now known as raildo-afk14:49
*** pauloewerton has joined #openstack-keystone14:49
*** rderose has quit IRC14:50
*** sdake has quit IRC14:51
*** raildo-afk is now known as raildo14:51
*** clenimar has joined #openstack-keystone14:51
*** iurygregory has joined #openstack-keystone14:52
*** rderose has joined #openstack-keystone14:52
*** jsavak has quit IRC14:52
*** jsavak has joined #openstack-keystone14:53
DinaBelovaamakarov morgan in case of backend = dogpile.cache.memcached usage the memoize decorator work seems to be the same as I had for memcached_pool - so it's something different14:53
*** jaosorior has quit IRC14:54
samueldmqrderose: are you working on the docs ?14:54
openstackgerritRodrigo Duarte proposed openstack/keystone: Add identity providers integration tests  https://review.openstack.org/30229914:54
rderosesamuelmq yes, now in fact :)14:54
*** diazjf has joined #openstack-keystone14:54
*** david_cu has joined #openstack-keystone14:54
rderose* samueldmq14:55
rodrigodsdstanek, bknudson, ayoung ^14:55
samueldmqrderose: perfect, thanks!14:55
ayoungrodrigods, cool I will look in a moment14:55
rderosesamueldmq: great minds think a like :)14:56
samueldmqrderose: could you also propose renaming core.py to managers.py in you doc change?14:56
dstanekrodrigods: nice14:56
rderosesamueldmq: sure14:56
rderosesamueldmq: will do14:56
samueldmqrderose: that's the only thing mine added when compared to yours, and "core" doesn't really tell anything14:56
samueldmqrderose: perfect, thanks14:56
samueldmq:)14:56
rderosesamueldmq: agree14:56
bknudsonwe've always used core to be essentially what you would put in __init__.py.14:57
bknudsonnot sure why we decided it was bad to put stuff into __init__.py... I guess it's a little harder to find.14:57
*** spandhe_ has joined #openstack-keystone14:57
morganbknudson: mostly because __init__ is magic14:57
rderosebknudson: so do you agree with the core to manager rename change?14:58
morganbknudson:  wecan make __init__ not import core for example, so you can do identity.core or (technically, but not practically) identity.controllers without .core [in practice this is not the case]14:58
bknudsonrderose: I don't know... haven't had a chance to look at samueldmq's patch.14:58
rderosebknudson: okay14:59
*** spandhe has quit IRC14:59
*** spandhe_ is now known as spandhe14:59
bknudsonpersonally, I think if you're writing up a doc just say to move the interfaces out of core.14:59
bknudsonand then samueldmq can make his case for renaming core separately14:59
morganbknudson: ++15:00
*** roxanaghe has joined #openstack-keystone15:00
rderosebknudson morgan samueldmq: okay ^15:00
*** roxanaghe has quit IRC15:01
*** sigmavirus24 is now known as sigmavirus24_awa15:02
*** pushkaru has joined #openstack-keystone15:03
*** sigmavirus24_awa is now known as sigmavirus2415:03
DinaBelovamorgan - quick question - local cache is cleaned for every API call to keystone? or is it shared between several API calls?15:04
morganDinaBelova: the request local cache is a cache *just* for that HTTP request15:05
morganDinaBelova: so it should be cleaned per-request since we reset threadlocal() context15:06
*** roxanaghe has joined #openstack-keystone15:06
*** roxanaghe has quit IRC15:08
morganDinaBelova: https://review.openstack.org/#/c/272007/15:08
patchbotmorgan: patch 272007 - keystone - Use requst local in-process cache per request (MERGED)15:08
DinaBelovamorgan a-ha... do you have any stats on how is this  cache effective? I see that I'm using this local cache on the env and no data is written to the memcached. By cache effectiveness I mean any stats about how many fucntion calls are cached for keystone for various API calls?15:11
morganDinaBelova: not off the top of my head. i profiled a bunch of devstack and it improved gate runtimes by a noticable amount15:12
*** roxanaghe has joined #openstack-keystone15:12
morganDinaBelova: i have not had a chance to dig into the request-local offload benefits. but in short what happens is we do [check request-local], [check memcache], [get from SQL], and we populate each cache as appropriate15:12
bknudsonfor some reason I wasn't paying attention and it looks like we can switch devstack to do fernet by default ? https://review.openstack.org/#/c/195780/15:13
patchbotbknudson: patch 195780 - openstack-dev/devstack - Switch fernet to be the default token provider15:13
bknudsonany reason we shouldn't do that?15:13
morganbknudson: i want to see that! :)15:13
lbragstadbknudson I want to say that was waiting on the whole trust + fernet + v2 thing15:13
morganlbragstad: prob.15:13
lbragstadbut I'll defer to ayoung15:13
ayoungreading up15:14
bknudsonI think we wanted to have the default changed in keystone rather than in devstack?15:14
stevemarlbragstad: we don't need to wait for the whole `trust + fernet + v2 thing` for a devstack change15:14
lbragstadbknudson yeah - that's what ayoung's patch did15:14
morganbknudson: yeah we do want the default in keystone changed too imo.15:14
lbragstad++15:14
morganbut we could do devstack today.15:14
ayoungok...so some history15:15
stevemarmorgan: definitely, no reason not to15:15
bknudsony, I'll lift my -1. we can cleanup devstack in a separate commit15:15
ayoungwhen "he who must not be named on IRC" rewrote Keystone, there was only a core file15:15
ayoungand everything ended up depending on everything15:15
*** dave-mccowan has joined #openstack-keystone15:15
morganayoung: termie (he's not in this channel)15:15
morgan?15:15
ayoungmorgan, where is the fun in that?15:15
stevemarmorgan: probably15:15
lbragstadlol15:15
stevemarhehe15:15
ayoungNah, he's beeen got for years now15:15
ayounggone15:15
morgani think he's in -dev still15:15
morganhe just never joined us here.15:16
ayoungyep15:16
ayoungand, actually, now that he can no longer -2 and sit on a patch, I would gladly welcome him in to a discussion15:16
* lbragstad just started jamming out to 'since you've been gone'15:16
stevemarhehe15:16
ayoungmorgan, now walk up to a mirror and say "Bloody Mary" three times...15:17
* morgan points people at -dev *shiftyeyes*15:17
*** belmoreira has quit IRC15:17
ayoungN E Ways15:17
morganayoung: north east ways?15:17
* morgan ducks.15:17
DinaBelovamorgan it's interesting.. It looks like now i have the following situation on my env: I have set up memcached cache, that is not (?) used in fact in benefit to local cache as working with local stuff it's just quicker. Although I can see that, for instance for Liberty fernet cache off VS cache on for user list request means 56 DB SELECTs vs 26 DB SELECTs, and for Mitaka it's 95 DB SELECTs VS 80 DB SELECTS - so this local cache logically15:17
DinaBelova increased the load on the DB layer - i just wonder if it was analysed the pros/cons for this step15:17
DinaBelovamorgan sorry for being pain in the a**, I just want to understand15:18
DinaBelovathanks in advance15:18
ayoungI did refactoring back then, and split the controllers off the core files, because we had an "everything depedns on everything" problem15:18
ayoungso the clean up was that the routers needed the controllers, the controllers needed the manager,15:18
morganDinaBelova: no worries. the main point is to offload the caching, it should still cache in memcache where possible15:18
ayoungat the top level, the service definitions needed the routers15:19
morganDinaBelova: requestlocal is on top of normal caching, it shouldn't be increasing the DB load at all. the db selects are more reflective of the changes in the code base15:19
*** rderose_ has joined #openstack-keystone15:20
ayoungIn retrospect, we could have left the routers and controllers together, but from a technology perspective, the controllers were not depending on the rest of the web etup, nor we even "web" at all15:20
morganDinaBelova: requestlocal will still cause memcache to see the data - the difference is that requestlocal limits the re-request of data from memcache. it can also be used without memcache, and just offload duplicted requests from the DB15:20
ayoungI left the manager and driver in core, as the internals of Keystone were "token needs identity"15:20
ayoungremember, none of the split had happened at this point15:20
morganDinaBelova: the concept is don't let keystone request the external data to the backends more than one time per HTTP request.15:20
ayoungidentity had users, tenants, and role assignements15:21
morganDinaBelova: so asking for .get_user_by_name(<name>) will not use socket code paths after the first request (uness the cache is explicitly invalidated in the .update_user()-like cases)15:21
ayoungbut a lot of the code had from keystone import identity and that was getting the manager.  Manager was already in core, and imported into __init__.py. So the origianl split was a termie-ism15:22
morganDinaBelova: if multiple requests for .get_user_by_name() occur across multiple HTTP requests, it would hit memcache if it has been cached or SQL if it's a complete cache miss. Any cache miss that hits sql populates both request_local cacheand / or the memcache depending on configuration15:22
*** rderose has quit IRC15:23
openstackgerritRon De Rose proposed openstack/keystone: Dev doc update for moving abstract base classes out of core  https://review.openstack.org/30231715:23
*** mylu has joined #openstack-keystone15:24
*** roxanaghe has quit IRC15:24
openstackgerritRon De Rose proposed openstack/keystone: Dev doc update for moving abstract base classes out of core  https://review.openstack.org/30231715:24
DinaBelovamorgan a-ha, thank you sir! So let's imagine the situation we have multiple HTTP calls and the first one get_user_by_name was called. Will it be then storeg in memcached? It looks like yes, and the next call should first time grab this value from memcached and use it later across this specific second HTTP call15:25
DinaBelovaam I right that is the idea?15:25
morganyep.15:25
ayoungthe managers used to be just very thin wrappers around the drivers.  Business logic was either in the controller or in the driver itself.  We had a discussion and made a deliberate decision to use the manager as the place for common business logic, the controler was to be web binding only, and the driver was persistence only15:25
morganDinaBelova: and in a single HTTP request you should never see .get_user_by_name() hit either sql or memcache (since it's request-local cache) as long as caching is enabled.15:26
ayoungrderose_, I guess that bit of storytelling was directed at you and your questions.15:26
morganDinaBelova: after the first one that is15:26
*** sheel has joined #openstack-keystone15:26
DinaBelovamorgan - ok, this looks very logical, but the results I'm seeing are telling that second time we still hit none for the same key in the memcached and are going back to the DB :(15:26
rderose_ayoung: ah, okay :)15:27
ayoungbknudson, before we switch devstack to default to fernet, lets get the "default to fernet to pass"15:27
DinaBelovamorgan - I see this working in terms of one HTTP call - so yes, in a single HTTP request you should never see .get_user_by_name() hit either sql or memcache (since it's request-local cache) as long as caching is enabled.15:27
morganDinaBelova: so there are a few reasons that could occur, 1) make sure memcache is infact running on the interface expected and is reachable by keystone.15:27
ayounglbragstad, ^^15:27
*** roxanaghe has joined #openstack-keystone15:27
morganDinaBelova: that is the most likely case, the network stack can't reach (port is blocked/etc, so instant fail)15:27
morganDinaBelova: or memcache isn't running15:27
DinaBelovamorgan I have all in one devstack VM with memcached running15:27
bknudsonayoung: I'm fine with it either way. It's passing tempest now so this will stop tempest adding any tests that don't work with fernet15:28
DinaBelovaI can connect to it and grab stats for instance15:28
morganok, and are you accessing via 127.0.x.x or via public facing interface?15:28
morganfor keystone and/or when you connect to it?15:28
ayoungbknudson, there are still issues with trusts.  THe latest patch ...15:28
ayounghttps://review.openstack.org/#/c/258650/15:28
patchbotayoung: patch 258650 - keystone - [WIP]Make fernet default token provider15:28
morgan[i figure you've gotten that all sussed out but i know sometimes it's just a 2x check to be sure)15:28
bknudsonthere must not be any tempest tests for trusts15:28
DinaBelovamorgan keystone uses public memcache_servers = 10.0.2.15:1121115:28
morganok cool.15:29
DinaBelovalemme try to do the same myself15:29
*** jsavak has quit IRC15:29
morganok :)15:29
ayoungfailures are on test_delete_tokens_for_user_invalidates_tokens_from_trust   fail15:29
ayoungtest_delete_trust_revokes_token  test_token_from_trust_cant_get_another_token  test_trust_get_token_fails_if_trustee_disabled15:29
bknudsonhttps://review.openstack.org/#/c/258650/ shows that fernet is totally broken... it's not just a few minor changes15:29
patchbotbknudson: patch 258650 - keystone - [WIP]Make fernet default token provider15:29
*** sdake has joined #openstack-keystone15:29
*** dave-mcc_ has joined #openstack-keystone15:30
ayoungI thought raildo was driving that one home.  raildo are you working on Fernet-by-default or do you need me to help there?15:30
*** jsavak has joined #openstack-keystone15:30
bknudsonI guess it also includes a bunch of unrelated changes, too.15:30
*** sdake_ has quit IRC15:30
*** EinstCrazy has quit IRC15:31
*** dave-mccowan has quit IRC15:32
DinaBelovamorgan it looks like it was something wrong with the connection from keystone to the memcached - I've restarted keystone and now it seems to connect and use memcached ok15:33
ayoungbknudson, yeah, there are 3 distinct issues15:33
DinaBelovaas you explained15:33
DinaBelovainteresting15:33
ayoung1 trust revocations15:33
ayoung2 group15:33
morganDinaBelova: :)15:33
ayoungand 3 admin_token15:33
morganDinaBelova: Yay, happy it is working for you now.15:34
DinaBelovamorgan me too!15:34
ayoungnone look horrible, I just have not addressed them yet.  Trust ones are, I think, the trickiest to deal. Would love to knock that out before summit15:34
DinaBelovaso we're left with the authtoken middleware thing15:34
morganDinaBelova: that is a bit of a different beast.15:34
DinaBelovamorgan indeed15:34
morganDinaBelova: i know jamielennox|away is trying to move it to oslo.cache15:34
morganDinaBelova: which would be at least a little easier15:35
DinaBelovamorgan ack, thank you sir15:36
*** ametts has quit IRC15:36
ayoungbknudson, ah, one other issue too, now that I look:  test_domain_scoped_token_is_invalid_after_deleting_grant  Which is on the Fernet tests themselves.15:37
ayoungthat one is, I think, OK, IFF the user had a second assignment on the same project.  It means that the token would be valid, but have a smaller set of roles15:37
bknudsony, interesting15:38
bknudsonit's different for fernet vs uuid15:38
morganbknudson: i think we should make uuid store the same data as the fernet payload and just reconstruct the token like we do with fernet15:39
*** stingaci has joined #openstack-keystone15:39
morganbknudson: the difference is that the uuid is the DB key vs the actual payload.15:40
bknudsonmorgan: me too. somebody has to do the work15:40
morganbknudson: i think lbragstad was working on that and got some of it done15:40
*** sdake_ has joined #openstack-keystone15:40
*** sdake has quit IRC15:43
jdandreaOn our cluster, adminurls are only reachable by a private network (10.1.1.1), inaccessible to VMs. Meanwhile, I have a service that is in a VM and needs to make admin requests of Keystone. If the adminurls can't be changed, are there any known workarounds? Using python-keystoneclient.15:45
jdandrea(By which I mean the python modules, not the CLI.)15:45
dstanekbknudson: so competing renaming proposals15:46
bknudsondstanek: there were, now there aren't as far as I know.15:46
bknudsonunless you've got your own ideas for where to put code15:47
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Create unit tests for endpoint policy drivers  https://review.openstack.org/21200615:47
dstanekbknudson: ah i see that rderose_'s won. i'm not a fan of base.py, but i'll get over it15:51
bknudsondstanek: now is a good time to pick a better name.15:51
rderose_dstanek: I'm open, what do you have in mind?15:51
bknudsonit was renamed to interface in a different part15:51
bknudsonand I think interface is descriptive15:52
samueldmqbknudson: ++15:52
bknudsonalthough it contains stuff other than the interface now like common functions15:52
rderose_bknudson: yeah, I went back and forth from interface to base15:52
dstaneki was thinking some along interface since that's what it is.15:52
dstanekit really shouldn't be a base implememtation right?15:52
rderose_dstanek: yeah15:53
bknudsonit should be an interface, unfortunately the identity interface contains other junk.15:53
dstanekbknudson: delete it!15:53
bknudsonI'll add it to my list of things to do... should get to it around 2020.15:54
rderose_dstanek bknudson: technically, it is an abstract base class, so I was finally comfortable with base.py15:54
rderose_dstanek bknudson: but if you guys feel strongly about it, I'm willing to change to interface15:54
* morgan nitpicks.15:55
bknudsonI don't feel strongly about it.15:55
jdandreaHow do I do an endpoint_override when authenticating in keystoneclient.v2_0.tokens? (Which kwargs and what values?)15:55
morgani'm good with whichever15:55
morganpersonally15:55
* jdandrea is currently tracing through keystoneauth1/session.py ...15:55
rderose_bknudson: cool15:55
bknudsonI feel strongly about being consistent among the different components15:55
morganbknudson: +∞15:56
samueldmqmorgan: does '?' equals to 1, 2 or A ?15:56
samueldmq:)15:56
dstanekmaybe we need a spec or something to define what the names should be and what they should hold15:56
rderose_bknudson: re: docs, are you saying reference the current location keystone.assignment.core.AssignmentDriverV815:57
rderose_instead of: keystone.assignment.core.backends.base.AssignmentDriverV815:57
morgansamueldmq: infinity15:57
dstanekdoing a rename without a path isn't useful because it'll be renamed next cycle15:57
samueldmqdstanek: maybe, or just update developer docs15:57
rderose_bknudson: or, are you talking about the version?15:57
bknudsonrderose_: yes, the docs need to reference where the files are now.15:57
samueldmqdstanek: which is what rderose_ is doing15:57
rderose_bknudson: ah, okay15:57
dstaneksamueldmq: a spec?15:57
rderose_thx15:57
bknudsonrderose_: :class: needs to reference a class that exists, so that it's a link that I can click on.15:57
morgansamueldmq: your client/terminal doesn't see the utf-8 char15:57
dstanekoh, developer docs15:58
samueldmqmorgan: weechat :(15:58
samueldmqmorgan: maybe I need to configure it, if possible15:58
samueldmqdstanek: yep15:58
samueldmqdstanek: rderose_'s on it, so we can agree on the docs first, and then propagate the cahnges to all subsystems15:59
morgansamueldmq: depends on your terminal/etc.16:00
morgansamueldmq: i'm on OS X atm, so it's there.16:00
morgansamueldmq: and i use weechat as well16:00
samueldmqmorgan: I use terminator16:01
*** jsavak has quit IRC16:03
DinaBelovamorgan I've decided to rerun all measurements for Mitaka just in case I was affected by the same stuff for authtoken middleware16:03
DinaBelovamorgan just in case16:03
DinaBelovawill ping you back tomorrow16:04
samueldmqmorgan: looks like it's my weechat, locally my terminal can print infinity symbol16:05
samueldmqmorgan: or maybe it's the locale settings in the vm I'm connected on16:05
*** jsavak has joined #openstack-keystone16:05
*** dan_nguyen has joined #openstack-keystone16:09
morganDinaBelova: sounds good16:09
raildoayoung: I'm still working on that, but I appreciate any help on it.16:09
*** jistr has quit IRC16:10
*** anush_ has joined #openstack-keystone16:13
ayoungraildo, OK...I'll give it a hack in abit16:14
raildoayoung: thank you16:14
*** mylu has quit IRC16:14
*** henrynash has quit IRC16:15
*** real56 has joined #openstack-keystone16:15
*** dflorea has joined #openstack-keystone16:17
*** anush_ has quit IRC16:17
dimsDinaBelova : so...what's the summary? is there a show stopper for Mitaka?16:18
*** dflorea has quit IRC16:18
DinaBelovadims for internal keystone cache - nope16:19
DinaBelovafor authtoken middleware I need to rerun measurement16:19
DinaBelovameasurements*16:19
DinaBelovawill keep you guys tuned - and I'll update you tomorrow16:19
dimsDinaBelova : i see 2 bugs opened, is one of them invalid?16:19
DinaBelovayes, I'll mark it as invalid now16:20
dimsthanks Dina!16:20
*** mylu has joined #openstack-keystone16:20
dimsamakarov : DinaBelova : "authtoken middleware" is that devstack only issue? or both devstack and MOS?16:21
DinaBelovadims I'll install MOS tomorrow with the freshest ISO with the latest sync with stable/,itaka16:21
DinaBelova*mitaka16:21
DinaBelovaso dunno yet16:21
DinaBelovaI wanted to get todays sync in place16:21
dimsack thanks DinaBelova16:22
*** dflorea has joined #openstack-keystone16:24
*** woodster_ has joined #openstack-keystone16:25
bretoni am checking the issue with cache in ksm16:27
*** roxanaghe has quit IRC16:28
*** daemontool has quit IRC16:28
*** mhickey has quit IRC16:28
*** jistr has joined #openstack-keystone16:28
*** browne has joined #openstack-keystone16:28
*** diazjf has quit IRC16:30
*** trown is now known as trown|lunch16:30
bretonmorgan: it seems that memcache as cache backend in ksm doesn't work.16:32
bretonmorgan: because cache set is not performed16:32
bretonmorgan: and we don't check return value of set()16:32
*** pushkaru has quit IRC16:32
morganbreton: yeah i haven't looked at the KSM bits in a while - it also is a different config from what we use (it's super super basic).16:33
*** diazjf has joined #openstack-keystone16:33
morganin keystone server (it doesn't use dogpile). we should move it to handling things via memoization16:33
bretonoh no, wait a minute16:34
*** jistr is now known as jistr|off16:34
bretonit's a different bug16:34
morganbreton: it should work. but the config is very very different/weird.16:34
morgancomparitively16:34
morganhence the move to dogpile and oslo.cache would be good.16:34
*** roxanaghe has joined #openstack-keystone16:34
bretonmorgan: we already moved to oslo_cache in ksm afaik16:35
morganbreton: no i think we haven't fully. we do some wonky interface things.16:39
morganso it's not *really* using oslo_cache the way you should.16:39
morganand we should move to @memoize imo16:39
bretonwhen HOST_IP is set, devstack sets this ip to memcache_service and memcache doesn't listen to on this ip16:39
*** doug-fish has quit IRC16:40
breton*memcache_server16:40
*** stingaci has quit IRC16:40
*** doug-fish has joined #openstack-keystone16:40
*** jasonsb has quit IRC16:42
morganbreton: so lets look at fixing devstack :)16:43
*** lhcheng has joined #openstack-keystone16:44
*** ChanServ sets mode: +v lhcheng16:44
*** roxanaghe has quit IRC16:44
*** doug-fish has quit IRC16:45
*** c_soukup has joined #openstack-keystone16:46
*** roxanaghe has joined #openstack-keystone16:46
*** csoukup has quit IRC16:49
*** c_soukup has quit IRC16:50
*** david_cu_ has joined #openstack-keystone16:54
*** mylu has quit IRC16:54
*** dflorea has quit IRC16:54
*** david_cu has quit IRC16:55
*** ayoung has quit IRC16:59
*** dflorea has joined #openstack-keystone17:00
*** spandhe has quit IRC17:03
*** diazjf has quit IRC17:03
*** jsavak has quit IRC17:04
*** stingaci has joined #openstack-keystone17:06
*** sigmavirus24 is now known as sigmavirus24_awa17:14
*** jsavak has joined #openstack-keystone17:15
*** real56 has quit IRC17:16
*** e0ne has quit IRC17:17
*** real56 has joined #openstack-keystone17:17
*** marg7175 has quit IRC17:20
*** marg7175 has joined #openstack-keystone17:20
*** dflorea has quit IRC17:20
*** sdake_ is now known as sdake17:21
*** doug-fish has joined #openstack-keystone17:24
*** dflorea has joined #openstack-keystone17:25
*** jsavak has quit IRC17:26
*** jsavak has joined #openstack-keystone17:26
*** sdake_ has joined #openstack-keystone17:29
*** sdake has quit IRC17:29
*** spandhe has joined #openstack-keystone17:30
*** tqtran has joined #openstack-keystone17:32
*** mylu has joined #openstack-keystone17:32
*** ayoung has joined #openstack-keystone17:33
*** ChanServ sets mode: +v ayoung17:33
openstackgerritCristian Sava proposed openstack/keystone: Customize config file location when run as wsgi app.  https://review.openstack.org/28821617:37
*** ayoung has quit IRC17:38
*** ayoung has joined #openstack-keystone17:39
*** ChanServ sets mode: +v ayoung17:39
*** pnavarro has quit IRC17:42
*** sdake has joined #openstack-keystone17:42
*** david-lyle has quit IRC17:44
*** sdake_ has quit IRC17:44
*** marg7175 has quit IRC17:48
*** sigmavirus24_awa is now known as sigmavirus2417:52
*** ayoung has quit IRC17:52
*** trown|lunch is now known as trown17:53
*** vgridnev has joined #openstack-keystone17:53
*** dflorea has quit IRC17:55
*** rcernin has quit IRC17:56
openstackgerritMerged openstack/keystone: Remove backend interface and common code out of identity.core  https://review.openstack.org/29614017:56
*** dflorea has joined #openstack-keystone17:58
*** timcline has joined #openstack-keystone18:02
*** david-lyle has joined #openstack-keystone18:02
*** timcline has quit IRC18:03
*** jsavak has quit IRC18:03
*** timcline has joined #openstack-keystone18:04
*** e0ne has joined #openstack-keystone18:04
*** stingaci has quit IRC18:05
*** sshen has quit IRC18:06
*** sshen has joined #openstack-keystone18:07
*** doug-fis_ has joined #openstack-keystone18:11
*** stingaci has joined #openstack-keystone18:12
*** doug-fi__ has joined #openstack-keystone18:12
*** e0ne has quit IRC18:14
*** doug-fish has quit IRC18:14
openstackgerritRon De Rose proposed openstack/keystone: Dev doc update for moving abstract base classes out of core  https://review.openstack.org/30231718:14
*** doug-fish has joined #openstack-keystone18:15
*** doug-fis_ has quit IRC18:15
*** doug-fi__ has quit IRC18:17
*** zqfan has quit IRC18:22
*** e0ne has joined #openstack-keystone18:24
*** dflorea has quit IRC18:27
*** ayoung has joined #openstack-keystone18:29
*** ChanServ sets mode: +v ayoung18:29
openstackgerritMerged openstack/keystone: Update the description of the role driver option  https://review.openstack.org/30211818:30
*** real56 has quit IRC18:30
*** dflorea has joined #openstack-keystone18:30
*** jsavak has joined #openstack-keystone18:31
*** GB21 has quit IRC18:32
*** pushkaru has joined #openstack-keystone18:33
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/30239818:33
*** rderose_ has quit IRC18:34
stevemarthanks bot ^18:34
morganhehe18:34
*** dflorea has quit IRC18:35
*** dflorea has joined #openstack-keystone18:35
*** mvk_ has quit IRC18:35
openstackgerritMerged openstack/keystone: Update the Administrator guide link  https://review.openstack.org/30220118:38
stevemarbknudson: you are almost done all your deployment changes18:39
stevemarjust 2 left18:39
*** jsavak has quit IRC18:39
bknudsonstevemar: then the real fun begins18:39
*** jsavak has joined #openstack-keystone18:40
bknudsone.g., no ports18:40
bknudsonand figuring out the tls_proxy deploy18:40
*** timcline has quit IRC18:45
*** e0ne has quit IRC18:46
dstanekbknudson: is that request id wrapping what other projects are doing?18:48
stevemarbknudson: and the project-config changes18:48
bknudsondstanek: there's a cross-project spec... I'll see if I can find it.18:48
bknudsondstanek: http://specs.openstack.org/openstack/openstack-specs/specs/return-request-id.html18:48
dstanekthx18:49
bknudsonI still think we need an opt-in for keystoneclient, since everything kept breaking whenever we changed the return type.18:50
dstanekthis seems so fragile and wrong18:50
*** tellesnobrega is now known as tellesnobrega_af18:50
*** tellesnobrega_af is now known as tellesnobrega18:51
openstackgerritwerner mendizabal proposed openstack/keystone-specs: Credential Encryption  https://review.openstack.org/28495018:51
morgani kindof wish that could have just been baked into session18:52
*** rderose has joined #openstack-keystone18:52
morganrather than the way it is being implemented.18:52
bknudsonI offered up a few different ways to do it but this is what was agreed to.18:53
dstaneki actually see the step #1 as good enough18:53
morganbknudson: yeah it just feels ... odd.18:53
samueldmqdstanek: hi, re: https://review.openstack.org/#/c/212957/7/keystone/tests/unit/backend/policy/test_sql.py18:53
patchbotsamueldmq: patch 212957 - keystone - Create unit tests for the policy drivers18:53
dstanekif we wanted a response-style object that's what we should be returning. this is just a hack18:53
morgani'd totally like to just have it be something they get as a side effect of using ksa.session18:53
samueldmqdstanek: are you refering to the comment? or to the test?18:53
morganwhich the response object could have it then.18:54
*** dflorea has quit IRC18:54
*** diazjf has joined #openstack-keystone18:54
dstanekmorgan: yep. resp.value, resp.request_id, etc.... a request_id isn't an attribute of a list18:54
morgandstanek: since this was "agreed" to.. i am staying out of it.18:55
morgani frankly refused to review it.18:55
morganbecause this is so hacky.18:55
morganreview = score in this case.18:55
morganbut i also missed the comment time where it was agreed upon18:56
morganso i would feel bad blocking it.18:56
dstanekmorgan: i've been comfortable giving -1s :-)18:56
*** jsavak has quit IRC18:56
morganhehe18:56
morganlets metaclass up the low level objects.18:56
morgan#nope18:56
*** jsavak has joined #openstack-keystone18:57
*** rderose has quit IRC18:57
dstaneksamueldmq: i think i was just poking fun at our need to test the table structure :-) that's why i didn't actually score it18:58
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Create unit tests for endpoint policy drivers  https://review.openstack.org/21200618:58
*** mylu has quit IRC18:59
*** dflorea_ has joined #openstack-keystone18:59
*** vgridnev has quit IRC19:00
*** mylu has joined #openstack-keystone19:01
*** vgridnev has joined #openstack-keystone19:01
*** vgridnev has quit IRC19:02
*** diazjf has quit IRC19:04
*** diazjf has joined #openstack-keystone19:04
*** agrebennikov has joined #openstack-keystone19:05
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Create unit tests for the policy drivers  https://review.openstack.org/21295719:07
openstackgerritRon De Rose proposed openstack/keystone: Move identity.backends.sql model code to sql_model.py  https://review.openstack.org/29261119:10
mnaserhi everyone, is there a possible way operating under the v2 model to allow a user to create other users for the same tenant?19:10
mnaserex: mnaser is part of tenantA with role tenant_admin, mnaser can create a user which has access to tenantA only (and that user does not have tenant_admin role for example)19:11
morganmnaser: create a user? not really in V2 since V2 only has "admin" and "member" roles, not the richer RBAC capability fo v319:16
*** ayoung has quit IRC19:16
morganit's really mostly a v3 semantic you're describing19:16
*** ayoung has joined #openstack-keystone19:16
*** ChanServ sets mode: +v ayoung19:16
morganwith domains.19:16
mnaseri figured :( it's just a bit difficult to switch this particular customer to domains19:16
*** klindgren has left #openstack-keystone19:17
openstackgerritRon De Rose proposed openstack/keystone: Move identity.backends.sql model code to sql_model.py  https://review.openstack.org/29261119:17
morganyeah. =/19:17
*** sheel has quit IRC19:17
mnaserbasically right now subaccounts in our billing system use the same credentials as main user19:17
mnaserso larger customers with multiple users would rather have credentials broken down to small sectors (domain per user would be the ideal, but we're not there yet)19:18
mnaserfederated auth to access tenant would be ideal19:19
* mnaser goes to read more blueprints19:19
samueldmqdstanek: cool :-)19:19
*** rderose has joined #openstack-keystone19:19
*** e0ne has joined #openstack-keystone19:20
openstackgerritBrant Knudson proposed openstack/keystone: Define identity interface - easy cases  https://review.openstack.org/29195019:20
*** stingaci has quit IRC19:20
openstackgerritBrant Knudson proposed openstack/keystone: Opportunistic LDAP testing  https://review.openstack.org/30023719:22
*** dflorea_ has quit IRC19:24
mnaseris there a (supported or possible) way of moving a tenant into their own domain?19:24
*** dflorea has joined #openstack-keystone19:25
*** stingaci has joined #openstack-keystone19:25
openstackgerritRon De Rose proposed openstack/keystone: Move identity.backends.sql model code to sql_model.py  https://review.openstack.org/29261119:28
*** dflorea_ has joined #openstack-keystone19:29
*** dflorea has quit IRC19:29
*** dancn has quit IRC19:31
*** ametts has joined #openstack-keystone19:31
*** mvk_ has joined #openstack-keystone19:31
*** tellesnobrega is now known as tellesnobrega_af19:35
*** tellesnobrega_af is now known as tellesnobrega19:35
raildomnaser: what you want to say with moving a tenant into their own domain? a tenant (in v2) only know about the domain default. we don't have the domain concept in v219:35
mnaserraildo: well, assuming that the tenant would drop v2 to v3, but we want to get them into their own domain in v319:36
mnaserinstead of being on the default domain19:36
*** mylu has quit IRC19:36
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Create unit tests for the policy drivers  https://review.openstack.org/21295719:36
samueldmqdstanek: ^19:36
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Create unit tests for endpoint policy drivers  https://review.openstack.org/21200619:38
samueldmqdstanek: ^ this is a similar thing, but to the endpoint_policy subsystem19:38
samueldmqdstanek: thanks for the reviews :)19:38
*** dflorea_ has quit IRC19:40
raildomnaser:got it, in fact, we deprecated the update the domain_id in liberty, so yes, you can update domain_id for now19:40
raildomnaser: https://github.com/openstack/keystone/blob/master/keystone/resource/core.py#L373-L37719:40
raildomnaser: ops not liberty, it was deprecated in mitaka19:41
mnaserraildo: so a simple PUT request will let you change domain_id if i understand correctly19:41
raildomnaser: yes19:41
mnaserinteresting, the only thing is that this would break the API for the customer19:42
mnaserbecause they have to update everything to v319:42
*** rk4n_ has joined #openstack-keystone19:42
raildomnaser: http://developer.openstack.org/api-ref-identity-v3.html#updateProject19:42
*** pushkaru has quit IRC19:42
*** pumarani__ has joined #openstack-keystone19:42
mnaserthats ideal, i think i'll get the customers to move all their endpoints to v319:43
raildomnaser: update to v3 it's something that the customers needs to do, since API v2.0 was deprecated in mitaka too19:43
mnaserand once that's all done, then we can update their domain and they'll just move off the default domain19:43
raildomnaser: sounds a good plan :)19:44
*** rk4n has quit IRC19:44
mnaserraildo: unfortunately the UX isn't great (or i've struggled) to have a config that worked for the openstack client as well as the other clients (nova/glance/etc)19:44
mnaserit's kinda been one-or-the-other19:44
*** mylu has joined #openstack-keystone19:45
raildomnaser: can you be more specific about this UX issue? it's something related to domains, or v3?19:45
raildomnaser: you just need a few changes to get v3 working on openstackclient19:46
mnaserfor example, right now i have a file that exports OS_AUTH_URL, OS_USERNAME, OS_PASSWORD and OS_TENANT_NAME .. when i try to have OS_AUTH_URL with no suffix (v2 or v3), `openstack server list` works fine, `nova list` gives a 40419:46
*** timcline has joined #openstack-keystone19:46
mnaseras it looks like it tries to do a GET on / with X-Auth-{Key,Project-Id,User} headers19:47
mnaserwhere the openstack client hits the /, then decides to contact /v3/auth/tokens19:47
mnaserEven when I upgrade to latest novaclient now, it's happening19:48
raildoto get openstack client with v3, you just need set the OS_IDENDITY_API_VERSION=3 and OS_AUTH_URL with v3 sufix, maybe novaclient have some internal v2 reference and you're having this problem19:50
*** aswadr_ has quit IRC19:50
*** e0ne has quit IRC19:50
samueldmqbknudson: about patch 28930619:50
patchbotsamueldmq: https://review.openstack.org/#/c/289306/ - python-keystoneclient - Add users functional tests19:50
raildomnaser: but there is a couple of v3 switch tutorials on internet, which can be useful for you19:50
bknudsonif you're using openstackclient then you should create a clouds.yaml and use that19:51
samueldmqbknudson: I find it bad to have 2 separate test classes: 1 that uses fixtures and other that doesn't19:51
*** timcline has quit IRC19:51
bknudsonsamueldmq: don't you think it's bad to have a test creating a bunch of stuff it doesn't need?19:51
samueldmqbknudson: I think too, then I propose we step back19:52
bknudsonthis is why the keystone unit tests take so long to run. They create all sorts of junk they don't use.19:52
samueldmqbknudson: and make the tests create what they need19:52
mnaseri tried to do my fair share of checking, couldn't find a reference for using python-{nova,glance,*}client with the v3.  using OS_IDENTITY_API_VERSION=3 + OS_AUTH_URL=http://..../v3 gives  a 404 as it's not trying to auth19:52
bknudsonsamueldmq: works for me... didn't I suggest that?19:52
samueldmqbknudson: without using fixtures19:52
bknudsonsamueldmq: individual tests can create fixtures.19:52
samueldmqbknudson: tests are too simple anyways19:52
bknudsonI mean can use fixtures to create things19:52
bknudsontests are supposed to be simple!!!!19:53
samueldmqbknudson: using the 'fixtures' thing ?19:53
bknudsonthe fixture makes the test simpler since then the test doesn't have to specify the teardown19:53
samueldmqbknudson: if I call19:55
bknudsonfunctional tests can get complicated if we want them to... it would be handy to have a sample that performs a lot of operations19:55
samueldmq        fixture = test_fixtures.UserGroupFixture(self.client,19:55
samueldmq                                                 self.project_domain_id)19:55
samueldmq        self.useFixture(fixture)19:55
samueldmqbknudson: in the test itself, it can't work, because setUp has already been run19:55
bknudsonsamueldmq: it does work. The fixture gets created and the cleanup is registered19:55
samueldmqbknudson: oh that's magic then, will update it19:56
bknudsonit would be magic if useFixture only worked in setUp.19:56
mnasershould the OS_AUTH_URL be http://.../v3 or http://.../v3/auth ... because python-keystoneclient is making the request to /v3/tokens (or is it thinking it's using a v2 api?)19:57
samueldmqbknudson: I thought all setUp's were called at the beggining19:57
mnaserOS_IDENTITY_API_VERSION=3 as well19:57
samueldmqbknudson: but in fact fixtures' setUp may be called when we call useFixture19:57
samueldmq:)19:57
bknudsony, useFixture calls the fixture's setUp()19:58
*** mylu has quit IRC19:59
*** roxanaghe has quit IRC20:00
*** rk4n has joined #openstack-keystone20:02
*** mkrcmari__ has joined #openstack-keystone20:03
*** mgagne_ is now known as mgagne20:04
*** rk4n_ has quit IRC20:05
*** mvk_ has quit IRC20:06
*** rcernin has joined #openstack-keystone20:09
*** pcaruana has quit IRC20:14
zigoI got a big issue with the Debian packages and the keystone_authtoken. I hope someone in here can help me.20:18
zigomorgan: You maybe?20:18
zigoThere's no admin_password and such in all the packages, so I'm guessing there's an issue in keystonemiddleware.auth_token and/or oslo.config20:19
stevemarzigo: admin_password and admin_user are old news20:21
stevemarwe use the same arguments now as keystoneauth plugins20:22
zigostevemar: Where have they gone then?20:22
*** e0ne has joined #openstack-keystone20:22
zigostevemar: This broke all of my packages... :(20:22
zigostevemar: Surprisingly, now glance-api.conf has admin_password in the [DEFAULT] section instead of [keystone_authtoken].20:23
zigostevemar: This changed over the last versions of keystonemiddleware or something?20:26
zigostevemar: Like between 4.0.0 and 4.4.0 ?20:26
stevemarzigo: let me take a look, i'm positive we deprecated things, didn't think we removed it yet20:27
*** mylu has joined #openstack-keystone20:27
*** e0ne has quit IRC20:28
*** dflorea has joined #openstack-keystone20:28
zigostevemar: I'm re-building Neutron with the older keystonemiddleware 4.0.0, to see if that fixes the issue.20:28
*** pnavarro has joined #openstack-keystone20:30
zigostevemar: I'm seriously believing that this is my issue, as it matches the time where I did rebuild everything...20:30
zigostevemar: BINGO !!!20:31
zigostevemar: Version 4.0.0 generates the [keystone_authtoken] section correctly.20:31
*** roxanaghe has joined #openstack-keystone20:32
*** dflorea has quit IRC20:33
zigostevemar: What would keystone people advise now? :/20:34
*** jsavak has quit IRC20:35
*** jsavak has joined #openstack-keystone20:36
*** sdake_ has joined #openstack-keystone20:37
stevemarzigo: hmm, i wonder if this is related to the migration to keystoneauth20:37
stevemarzigo: both nova and neutron moved to keystoneauth in mitaka20:37
*** timcline has joined #openstack-keystone20:37
zigostevemar: And Glance?20:37
zigostevemar: It broke Glance too.20:37
stevemarnot sure if others did20:37
zigostevemar: And Ceilometer ?20:38
stevemarzigo: actually, as long as they are using keystonemiddleware it shouldn't matter20:38
zigostevemar: What would you advise me to do then?20:39
zigo*all* is broken right now in Debian... :(20:39
*** sdake has quit IRC20:39
zigoJust the day before the release.20:39
zigoI'm tempted to go back to version 4.0.0 of keystonemiddleware.20:39
stevemarzigo: use the newer options, the ones not prefixed with "admin_"20:39
zigostevemar: How do you define credentials then?20:40
stevemarlet me pull up a working example20:40
zigostevemar: Here's an example generated [keystone_authtoken] section which I currently have: http://paste.debian.net/425268/20:41
stevemarzigo: http://paste.openstack.org/show/493233/20:41
dimszigo : so when you run "tox -e genconfig"?20:41
zigodims: That's a FAQ which I should somehow print on a t-shirt: we cannot and will never use tox in packaging.20:41
dimszigo : just asking what you use :)20:42
zigostevemar: Here, you have a "username" directive. The thing is, it's *not* generated for glance, cinder, ceilometer, neutron, etc.20:42
*** sdake has joined #openstack-keystone20:42
zigoWhich is the problem...20:42
dimszigo : there's a [keystone_authtoken] section but username is not there?20:43
dimshow are you generating the config?20:43
zigodims: I'm just manually calling oslo-config-generator with the correct options, and the PYTHONPATH=$(CURDIR)/debian/tmp/usr/lib/python2.7/dist-packages set correctly...20:43
openstackgerritSamuel de Medeiros Queiroz proposed openstack/python-keystoneclient: Add users functional tests  https://review.openstack.org/28930620:43
stevemarzigo: mmm, it should be, provided they are using the recommended keystonemiddleware version20:44
*** sdake_ has quit IRC20:44
zigoLet me fetch an example...20:44
*** trown is now known as trown|outtypewww20:44
*** spandhe has quit IRC20:44
samueldmqbknudson:  ^ updated20:44
zigodims: stevemar: Here's an example of what I do to generate the config files of Glance: http://anonscm.debian.org/cgit/openstack/glance.git/tree/debian/rules20:45
samueldmqbknudson: I am not feeling too comfrtable with that fixture thing, and that's because I am thinking in terms of # of lines of code20:45
zigoI of course pickup the correct oslo-config-generator parameters from what I can see in tox.ini in the egenconfig section...20:45
samueldmqbknudson: rather than making the test code much simpler (because it doesnt' deal with tearDown things)20:45
samueldmqbknudson: and it does make sense :)20:45
bknudsonsamueldmq: don't think in terms of lines of code, think in terms of clarity and maintenance20:45
zigostevemar: So, you agree we have an issue here, no?20:46
zigostevemar: There should be at least "username" or something ...20:46
samueldmqbknudson: yes, I agree, just looking different from what I've done so far20:46
samueldmqbknudson: but I do agree it's a good thing20:46
zigodims: Do you think you can help me fixing that issue? :)20:48
*** bknudson has left #openstack-keystone20:49
*** bknudson has joined #openstack-keystone20:49
*** ChanServ sets mode: +v bknudson20:49
zigoWhen I do:20:49
zigooslo-config-generator --output-file test.conf --namespace keystonemiddleware.auth_token20:49
zigoHere's the result:20:49
zigohttp://paste.openstack.org/show/493236/20:49
zigoie: no username, tenant-name/project-name, or password ...20:49
zigoIMO, there's a serious issue.20:49
*** mvk has joined #openstack-keystone20:50
*** stingaci has quit IRC20:50
stevemarzigo: related: https://github.com/openstack/keystonemiddleware/commit/f0965c955dba16afaf350e65de2db68dc2c35c5020:51
stevemarzigo: that went into 4.4.0 and 4.3.020:51
*** mkrcmari__ has quit IRC20:52
zigostevemar: Thanks. I may revert that commit in Debian for now then.20:52
*** rderose_ has joined #openstack-keystone20:52
zigostevemar: That's super helpful, and may save my release !!! :)20:52
stevemarzigo: i would still like to dig in and see why you are seeing what you're seeing20:52
zigostevemar: What should be the correct behavior?20:53
zigostevemar: Should I expect to see, for example, a [keystone_authtoken]username ?20:53
stevemarzigo: basically keystonemiddleware had the old admin_ options, but we want people to be able to use any keystone plugin (from keystoneauth)20:53
stevemarzigo: yes, that should be the correct way20:54
zigoWell, it's not there ... :(20:54
stevemarfor some reason, in your last paste, none of the auth options are there20:54
stevemarzigo: what are the keystoneauth, keystonemiddleware and oslo.config versions you are using?20:54
stevemarjamielennox could probably figure this out in 2 minutes, but $timezones, you're stuck with me20:55
*** rderose has quit IRC20:55
*** rk4n has quit IRC20:56
zigopython-keystoneauth1 2.4.0, keystonemiddleware 4.4.0, oslo.config 3.9.020:56
*** dflorea has joined #openstack-keystone20:56
*** knikolla has quit IRC20:57
stevemarzigo: yep... those are all good20:57
zigostevemar: That's the latest from upper-constraints.txt from last week-end.20:57
*** diazjf1 has joined #openstack-keystone20:58
*** spandhe has joined #openstack-keystone20:58
stevemaryep, just looked at that exact file :)20:58
zigostevemar: I'm trying to revert the patch you sent URL to, and see what's the behavior, if I get things working again.20:59
stevemarzigo: and your parameters to oslo config generator match that of here: https://github.com/openstack/glance/blob/master/etc/oslo-config-generator/glance-api.conf20:59
zigostevemar: It sure does !20:59
*** diazjf has quit IRC20:59
stevemarlooking at http://paste.openstack.org/show/493236/ it seems like the keystoneauth options are not listed there21:00
zigoRight.21:01
*** stingaci has joined #openstack-keystone21:02
*** raildo is now known as raildo-afk21:02
*** tlbr has joined #openstack-keystone21:02
*** dancn has joined #openstack-keystone21:02
*** diazjf1 has quit IRC21:03
*** jistr|off has quit IRC21:04
*** pauloewerton has quit IRC21:05
dimszigo : i bet the actual configuration just works fine, you just don't see it in the generated sample21:05
dimsright?21:05
*** diazjf has joined #openstack-keystone21:05
zigodims: It doesn't work at all, as it doesn't included the needed parameters.21:05
dims"doesn't work at all".... i am trying to nail it down to specifics. if you use the params like you used to, does it fail?21:07
dimsat runtime21:07
dimsnot config sample generation21:07
*** mvk_ has joined #openstack-keystone21:08
*** jsavak has quit IRC21:09
zigodims: Because of the wrong config, the packages aren't deployed correctly on my Tempest CI, and it completely fails.21:09
zigodims: ie, services can't auth against keystone.21:10
dimszigo : what's the error in tempest?21:10
*** mvk has quit IRC21:10
*** jmlowe has quit IRC21:10
rodrigodsbknudson, thanks for the review :)21:10
rodrigodsvery thorough review21:11
zigodims: It declares itself when I try to do a "neutron net-list" in my CI, though all of my packages have the issue since I upgrading keystonemiddleware last Monday, before rebuilding all service packages.21:12
zigodims: https://mitaka-jessie.pkgs.mirantis.com/job/openstack-tempest-ci/65/consoleFull21:12
*** pnavarro has quit IRC21:12
zigoNeutron doing an error 500 ...21:12
*** knikolla has joined #openstack-keystone21:13
*** doug-fish has quit IRC21:13
zigostevemar: Reverting that patch isn't enough to get back on my feets...21:13
*** doug-fish has joined #openstack-keystone21:13
*** doug-fish has quit IRC21:14
*** doug-fish has joined #openstack-keystone21:14
dimszigo : what's in the neutron api log?21:15
zigodims: That it doesn't know the protocol.21:15
zigodims: ie: auth_protocol is missing.21:15
zigoIt should be currently set to None, or even be undefined, I guess.21:15
zigoie: the default of https isn't even there...21:16
dimszigo : paste please?21:16
zigodims: http://paste.openstack.org/show/493240/21:17
zigoSame type of error when I do "glance image-list"21:18
openstackgerritMerged openstack/keystone: Add py3 debugging  https://review.openstack.org/29424521:18
*** doug-fish has quit IRC21:18
openstackgerritMerged openstack/keystone: Updating sample configuration file  https://review.openstack.org/30239821:19
*** stingaci has quit IRC21:19
*** vkmc has joined #openstack-keystone21:19
zigostevemar: Reverting the commit doesn't help, do you have any suggestion?21:20
*** stingaci has joined #openstack-keystone21:20
*** doug-fish has joined #openstack-keystone21:21
*** stingaci has quit IRC21:21
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/30244421:21
*** stingaci has joined #openstack-keystone21:22
openstackgerritSteve Martinelli proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/30244421:23
*** mkrcmari__ has joined #openstack-keystone21:25
*** doug-fish has quit IRC21:25
stevemardolphm ayoung pile on the mailing list!21:25
stevemardolphm: i'm too slow at writing emails apparently21:26
*** rcernin has quit IRC21:27
*** knikolla has quit IRC21:28
*** mvk_ has quit IRC21:28
dimszigo : looking at http://logs.openstack.org/38/302338/3/check/gate-neutron-dsvm-api/22ab9d3/logs/etc/neutron/neutron.conf.txt.gz the section of interest is http://paste.openstack.org/show/493241/21:29
*** knikolla has joined #openstack-keystone21:29
dimszigo : what's in the same section in your neutron.conf?21:29
*** david_cu_ has quit IRC21:29
zigodims: Devstack doesn't use the oslo.config generated config files.21:29
zigodims: Again, I'm the only person in the whole OpenStack community to do so.21:30
*** david_cu has joined #openstack-keystone21:30
zigodims: It's been a very long time issue that there's no gate for it.21:30
dimszigo : so, can you please paste me what you have :)21:30
zigodims: In neutron.conf for [keystone_authtoken] ? Sure, I did many times already, but I can do once more! :)21:31
zigodims: Something like this: http://paste.openstack.org/show/493236/21:31
dimszigo : you mean you want to use all the defaults?21:32
dimsas-is21:32
zigodims: I mean that I insist that my Debian package have working, good, configuration files by default, yes.21:32
zigodims: You should be able to just edit it, change a password here and there, then it should work.21:32
zigodims: That's IMO the least we can do for our users.21:32
dimszigo : if that's the case, are you using SSL in your apache configuration for 35357?21:34
dimszigo : http://git.openstack.org/cgit/openstack/keystonemiddleware/tree/keystonemiddleware/auth_token/_auth.py#n16221:34
zigodims: I'm normally not.21:34
zigodims: I'm setting http as default auth_protocol.21:34
openstackgerritMerged openstack/keystone: Run federation tests under Python 3  https://review.openstack.org/29479721:34
*** david_cu has quit IRC21:34
dimszigo : i don't see that in your paste21:34
dimshttp://paste.openstack.org/show/493236/ this one21:34
zigodims: Sure, as auth_protocol isn't even present when you call oslo-config-generator !!!21:35
zigoIT SHOULD...21:35
dimsthat's an entirely different problem21:35
dimslet's deal with this one first21:35
zigoWell, let me define the issue then.21:35
zigokeystonemiddleware used to have a working list_opts() function that was listing needed config options.21:35
zigoThat's not the case anymore, and that's generating non-useable-by-default config files.21:36
*** knikolla has quit IRC21:36
dimszigo : my objective is to see if there's any problem at runtime first if the correct params are present. that's a show stopper21:36
dimsconfig files, i'll let you negotiate with the teams :)21:37
* dims wearing release hat21:37
*** knikolla has joined #openstack-keystone21:37
zigodims: If I add auth_protocol = http (manually in the config file), then restart the service, it will still not be able to auth, because there's no password set, as there's no such directive by default...21:37
dimszigo : here's the example from neutron/dsvm job21:38
dimszigo : http://paste.openstack.org/show/493241/21:38
dimsauth_type = password and password = secretservice21:38
zigodims: Please stop pasting stuff from devstack, that's not relevant, as it's *not* using oslo-config-generator generated files.21:38
zigodims: Devstack knows that there's a password field supported, and just writes it ...21:38
dimszigo : ok i am going to stop now. this is not helping me or you thanks21:38
zigodims: :)21:39
*** ayoung has quit IRC21:39
zigodims: What I need to find out is how to hack list_opts() to do what I want. I probably will end up just hacking a Debian specific patch to restore sanity.21:40
*** dflorea has quit IRC21:40
dimszigo : it's your call. all of my interest is as mentioned before. does the runtime work given correct params21:40
zigodims: I believe there's no runtime issue indeed.21:41
zigodims: But only a problem with generating the config files as it should.21:41
dimszigo : thanks for confirming! big load of my mind21:41
dimsas stevemar mentioned your right contact is jamielennox|away21:41
zigodims: I can't believe that *ALL* of the services would be broken, and still pass the DVSM gate ... :P21:41
dimszigo : we differ on that definition :)21:42
*** fhubik has joined #openstack-keystone21:45
*** dflorea has joined #openstack-keystone21:45
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Create unit tests for endpoint policy drivers  https://review.openstack.org/21200621:46
*** dflorea has quit IRC21:46
*** dflorea has joined #openstack-keystone21:47
dstanekstevemar: i was going to pile on that the rational used for benefit #2 isn't correct21:53
*** knikolla has quit IRC21:53
stevemardstanek: go ahead sir21:54
*** sdake has quit IRC21:54
*** sigmavirus24 is now known as sigmavirus24_awa21:58
morganI <3 that the keystone team responded exactly how I was going to respond!22:00
morganstevemar: I'll toss my $0.02 in but almost 100% covered.22:00
*** diazjf has quit IRC22:01
morganzigo: deprecated for removal options may not show up in the generated sample configs.22:02
*** rderose_ has quit IRC22:04
*** timcline has quit IRC22:04
*** pumarani__ has quit IRC22:05
*** timcline has joined #openstack-keystone22:05
morgandims: ^ haven't read the full backlog but that is my guess of what isngoing on.22:05
zigomorgan: Sure, but we may at least expect to see some kind of username and password showing up, at least, no?22:06
zigomorgan: Currently, there's none ...22:06
morganUhm. I can't look now. Because e_mobile.22:07
morganNot sure.22:07
zigomorgan: No pb, I think I know how to revert and will do for now, so I have a working release tomorrow.22:07
zigomorgan: Though probably we should talk in Austin! :)22:07
morganSure.22:08
morganLikely something you're doing is slightly different than what we test, so we should get both mechanisms in sync. ;)22:08
morgan(Regardless of being called with tox or not)22:08
morganI'm sure we'll resolve it.22:09
*** timcline has quit IRC22:09
*** dflorea has quit IRC22:12
*** pushkaru has joined #openstack-keystone22:20
*** ametts has quit IRC22:21
zigodims: stevemar: morgan: I'm adding this patch to the Debian package: http://paste.openstack.org/show/493246/22:24
zigoDefinitively, we should talk in Austin.22:24
zigoI'm ok to do whatever you guys will advise, but I have to know what direction we're heading.22:24
zigo(btw, this patch breaks some unit tests which I'll disable)22:25
*** rderose has joined #openstack-keystone22:27
*** rderose_ has joined #openstack-keystone22:31
*** rderose has quit IRC22:32
*** dflorea has joined #openstack-keystone22:35
morganzigo: lets def. sync up in austin22:36
morgan:)22:36
dimszigo : my feeling is unless there's a job that runs default generated configuration directly with very very little modifications we cannot claim that it will be complete or working22:36
dims+1 to sync up in austin zigo22:36
* morgan puts dims and zigo in the room to sync up and runs and hides in another room :P (hehe j/k)22:37
*** dflorea has quit IRC22:37
dimsLOL as long as there's micro brews :)22:38
morgandims: what do you consider "micro" :P22:41
*** rderose_ has quit IRC22:42
*** rderose has joined #openstack-keystone22:47
*** slberger has left #openstack-keystone22:48
*** rderose has quit IRC22:51
*** dflorea has joined #openstack-keystone22:54
*** dflorea has quit IRC22:56
roxanaghemorgan: I think I found a way to mock the ldap3 calls at the socket level22:58
* roxanaghe happy22:58
*** gordc has quit IRC22:59
*** agrebennikov has quit IRC23:01
*** timcline has joined #openstack-keystone23:06
*** ayoung has joined #openstack-keystone23:09
*** ChanServ sets mode: +v ayoung23:09
*** henrynash has joined #openstack-keystone23:10
*** ChanServ sets mode: +v henrynash23:10
*** timcline has quit IRC23:10
*** pushkaru has quit IRC23:14
rodrigodsbknudson, ping.. re: rename form keystone_tempest_plugin to tempest_plugin23:23
*** fhubik has quit IRC23:29
*** jamielennox|away is now known as jamielennox23:34
jamielennoxzigo: i didn't read all that, but did you figure it out?23:37
jamielennoxthe old options should still be there, they will still work, we just removed them from appearing in the generated sample config files because they are deprecated23:37
zigojamielennox: Kind of. I found a way to get back to generating the old type of config files:http://anonscm.debian.org/cgit/openstack/python-keystonemiddleware.git/tree/debian/patches/re-add-missing-auth-options.patch23:38
*** stingaci has quit IRC23:39
zigojamielennox: I do agree with deprecation, but I don't agree with no valid value at all.23:39
zigojamielennox: If we're switching to "username" instead of "admin_user", then "username" should appear, and it doesn't currently.23:39
jamielennoxzigo: ah - your seeing nothing there at all?23:39
zigoRight.23:40
zigoThat's what I've been saying all of tonight.23:40
jamielennoxzigo: there's a lot of backscroll23:40
zigo:)23:40
zigoSure.23:40
zigoI'm happy to repeat.23:40
jamielennoxi'm looking for the nova bit, sec23:40
zigojamielennox: Also, I've raised in the dev list that I would like the auth fragments to not be deprecated.23:41
zigojamielennox: An URL is a pain to parse, having separated fields is a lot easier.23:41
zigoauth_protocol, auth_host and such...23:42
zigoI would prefer to have them stay.23:42
zigojamielennox: Is there a session in Austin where we can talk about it?23:42
zigoI'd be happy to join such session.23:43
jamielennoxnot that i'm aware of23:43
jamielennoxok, so the problem with options is that we don't know ahead of time whats relevant23:43
jamielennoxthe opts that are consumed depend on the value of auth_type23:43
jamielennoxso neutron at least does: https://github.com/openstack/neutron/blob/master/neutron/opts.py#L291-L30223:43
*** sdake has joined #openstack-keystone23:44
jamielennoxso for the sake of config generation it adds all the options for password, v2password, and v3password - which is essentially redundant and should just be password23:44
jamielennoxby doing that you at least get the options showing up in samples23:44
jamielennoxagain whether they are used depends on the value of auth_type, but at least this way people get less confused23:44
zigojamielennox: That's truth for the [neutron] section in nova, not for keystone_authtoken which is also wrong.23:45
zigojamielennox: I'm just vouching for "a config file useable by default", nothing more.23:45
zigoCurrently, that's not the case for keystone_authtoken. :(23:45
jamielennoxi definitely see the point, it's just hard throughout the deprecation process23:46
zigoI can switch the debconf stuff to v3, if that's the thing we want to promote. But in this case, then a v3password auth should be generated by default when using --namespace keystonemiddleware.auth_token23:46
jamielennoxso to add all the options for password to config you have to set auth_type = password23:46
*** sdake_ has joined #openstack-keystone23:46
jamielennoxbut we as upstream can't set the default for auth_type because that would break everyone who hasn't set it23:46
zigoOh...23:47
jamielennoxthat's the idea here to just ship auth_type = password as default23:47
zigoHow about mass bug filling?23:47
zigoThere's only so many server packages...23:47
zigoI package 20-ish myself in Debian, and I think that's more than everyone else.23:47
jamielennoxwell the problem isn't the servers because they aren't really configuring this23:47
jamielennoxit's the puppet and ansible and devstack and packstack and tripleo and ...23:48
jamielennoxall the people who rolled it by hand23:48
zigoWell, I don't agree.23:48
zigoNONE of what you just wrote is using the oslo generated version of the config file.23:48
zigoIn the whole OpenStack community, I'm the only one that does.23:48
zigoEveryone else pretends to "know the world" and just write a config file that they think is correct.23:49
*** sdake has quit IRC23:49
jamielennoxbut to make that work you are changing a default23:49
zigoAs a package maintainer, I strongly believe it's my dutie to provide workable config files, and I insist in doing so, so that's what my CI is actually testing.23:49
jamielennoxthe sample configs that are generated have every single option commented out23:49
zigoYes, but I never add an option which doesn't exist to begin with.23:50
jamielennoxso if we change the default there such that auth_type = password and add everything then we are lying, because the actual default is not password23:50
zigoSo the package will be shipped by default with that option.23:50
*** roxanaghe has quit IRC23:50
*** sdake has joined #openstack-keystone23:50
zigoThe actual default is what?23:50
zigov3password ?23:50
zigoThen do auth_type = v3password, and then correctly generate #username = None23:51
zigoThat's fine to me as well...23:51
jamielennoxthe default is empty, if nothing is specified it falls back to the old admin_user, admin_password etc23:52
*** sdake_ has quit IRC23:52
zigoWhy not just displaying everything, and writing in the help that it's deprecated?23:52
zigoThat's what we've been doing everywhere else.23:53
zigoThis definitively deserves a fishball room discussion ! :)23:54
jamielennoxzigo: it was part of the cleanup from the docs perspective to remove old options23:55
jamielennoxif you're looking for a real simple patch to fix it...23:56
*** spandhe has quit IRC23:56
*** spandhe_ has joined #openstack-keystone23:56
jamielennoxit's the difference between this list: https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/opts.py#L2723:57
jamielennoxand this list: https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/_opts.py#L2023:57
zigoI don't think it's the best idea to have the docs people influence the way we generate config files in a way that they become not useable. :)23:57
jamielennoxthe first one has everything because some servers were using that public function in testing23:57
jamielennoxthe second list is what we put in the sample config23:57
jamielennoxso you can either make those two lists the same23:57
zigoI'm not sure I understand this code... :/23:58
jamielennoxor change https://github.com/openstack/keystonemiddleware/blob/master/setup.cfg#L31 to point to the first list instead of the second23:58
zigoAh, that I get it.23:58
zigojamielennox: So, just changing the entry point will be enough to get *all* options?23:59
jamielennoxzigo: yep23:59
zigoCool, easy enough.23:59
*** pushkaru has joined #openstack-keystone23:59
* zigo tries right away23:59
« Tuesday, 2016-04-05 Index Thursday, 2016-04-07 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!