Monday, 2016-05-02

<openstackgerrit> Merged openstack/keystoneauth: Updated from global requirements  https://review.openstack.org/311536 [02:13]
*** morgan is now known as notmorgan [02:17]
<openstackgerrit> ayoung proposed openstack/keystone: WIP replace revoke tree with linear search  https://review.openstack.org/311652 [02:25]
<openstackgerrit> Ron De Rose proposed openstack/keystone: Move the resource abstract base class out of core  https://review.openstack.org/302826 [13:30]
<stevemar> mornin! o/ [13:53]
<dims> hey stevemar [13:54]
<bknudson> stevemar: dims: almost time to remove keystone cli. [13:58]
<dims> bknudson : the pypi mirroring is broke we'll need to wait for it [13:59]
<stevemar> bknudson: true that [13:59]
<openstackgerrit> Ron De Rose proposed openstack/keystone: Move the catalog abstract base class and common code out of core  https://review.openstack.org/309238 [14:06]
<notmorgan> stevemar, bknudson: yay [14:28]
<notmorgan> dims: boo :( [14:28]
<lbragstad> o/ [14:35]
<dims> notmorgan : LOL [15:56]
<openstackgerrit> Navid Pustchi proposed openstack/python-keystoneclient: Fixing D301 PEP257 violation.  https://review.openstack.org/311783 [16:31]
<openstackgerrit> Navid Pustchi proposed openstack/python-keystoneclient: Fixing D211 PEP257 violation.  https://review.openstack.org/311785 [16:37]
<openstackgerrit> Navid Pustchi proposed openstack/python-keystoneclient: Fixing D208 PEP257 violation.  https://review.openstack.org/311787 [16:48]
<stevemar> looks like KSC is failing functional tests [17:58]
<stevemar> doh! [17:58]
<openstackgerrit> Brant Knudson proposed openstack/keystone: Remove test_invalid_policy_raises_error  https://review.openstack.org/311804 [18:14]
<ayoung> stevemar, no, not DOH!  This is a good thing [18:16]
<bknudson> we get to figure out how easy / hard it is to debug ksc functional tests [18:17]
<notmorgan> bknudson: hehe [18:17]
<notmorgan> bknudson: always looking at the bright side of things I see [18:17]
<ayoung> that and we catch problems early.  Function tests will break a lot. [18:18]
<ayoung> stevemar, BTW, post a link when you raise an alarm like this, so we are all looking at the same thing, please. [18:18]
<stevemar> ayoung: i usually do, i just noticed it before lunch and then left [18:23]
<stevemar> anyway, easy enough to find: https://review.openstack.org/#/c/311548/ [18:23]
<notmorgan> stevemar: commit it and quit! i mean.. wait no not that. [18:24]
<stevemar> no wait, that one doesn't work [18:24]
<patchbot> stevemar: patch 311548 - python-keystoneclient - Updated from global requirements [18:24]
<bknudson> https://review.openstack.org/#/c/311548/ has bigger problems. [18:27]
<patchbot> bknudson: patch 311548 - python-keystoneclient - Updated from global requirements [18:27]
*** notmorgan is now known as morgan [18:28]
<stevemar> bknudson: whats the bigger problem, aside from the functional test job failing (in 2 minutes, some timeout) [18:28]
<bknudson> think it's the change to fernet that caused the functional tests to fail? [18:30]
<bknudson> I assumed it was one of the new tests but this is really old. [18:30]
<bknudson> the test is showing that the audit ID chain isn't consistent. [18:31]
<bknudson> I'd prefer not to revert the change to make fernet the default. [18:32]
<bknudson> lbragstad dolphm: do you know if this is expected ^ ? [18:34]
<lbragstad> bknudson what link? [18:35]
<lbragstad> or which link? [18:35]
<bknudson> lbragstad: that the audit ID chain isn't consistent with fernet and v2 tokens [18:37]
<lbragstad> hmm - that's strange [18:40]
<lbragstad> bknudson which tests are you seeing this in? [18:40]
<bknudson> lbragstad: http://logs.openstack.org/87/311787/1/check/gate-keystoneclient-dsvm-functional/5ba3799/console.html#_2016-05-02_17_08_55_602 [18:41]
<bknudson> lbragstad: here's the line http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/tests/functional/test_access.py#n47 [18:41]
<bknudson> pretty simple test [18:41]
<bknudson> looks like it just rescopes a token and validates the chain. [18:42]
<kfox1111> is there a simple api to validate if a scoped token is valid, and get the user_id and project_id? [18:46]
<kfox1111> need to do that from some go code. [18:47]
<bknudson> V2 fernet doesn't preserve the audit IDs according to my test. [18:47]
<lbragstad> bknudson ah ha - digging in the fernet code now [18:47]
<kfox1111> looks like /v3/auth/tokens? [18:48]
<kfox1111> hmm.... do you need to have an admin token to use it? [18:48]
<bknudson> lbragstad: it's strange because the child token has 2 audit_ids, it's just the audit_ids in the child are unrelated to the parent. [18:51]
<lbragstad> bknudson ok - going to push something that I'm working on and I'll see if I can recreate [18:53]
<lbragstad> bknudson we don't have a test in keystone somewhere that tests this? [18:53]
<lbragstad> I feel like that should have been caught by the server [18:53]
<openstackgerrit> Lance Bragstad proposed openstack/keystone: Make keystone exit when fernet keys don't exist  https://review.openstack.org/311811 [18:58]
<stevemar> ayoung: theres the failure! http://logs.openstack.org/48/311548/1/check/gate-keystoneclient-dsvm-functional/e8920ef/console.html#_2016-05-02_18_47_52_811 [19:01]
<ayoung> test_access_audit_id [19:02]
<ayoung> V2 [19:02]
<stevemar> ayoung: fails here: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/tests/functional/test_access.py#L46-L47 [19:03]
<ayoung> stevemar, so two hypotheses [19:04]
<ayoung> 1.  Keystone server is not honoring the Audit chain from the unscoped token [19:05]
<morgan> ayoung: uhm. wait what? /me looks at the link [19:05]
<ayoung> 2.  this test is not properly using the unscoped token to get the scoped token [19:05]
<ayoung> morgan, IIUC the test gets an unscoped, grabs the audit ID, then uses the unscoped to get a scoped, and confirms that the audit ID from unscoped is in the scoped as well [19:05]
<morgan> when did this magically break? [19:05]
<ayoung> morgan, https://review.openstack.org/#/c/311548/ [19:06]
<patchbot> ayoung: patch 311548 - python-keystoneclient - Updated from global requirements [19:06]
<morgan> *blink* [19:06]
<morgan> oh [19:06]
<morgan> uhm [19:06]
<ayoung> what is iso8601?  Is that from Les Mis? [19:06]
<morgan> i think this is session weirdness [19:07]
<ayoung> Oh, that was 24601 [19:07]
<morgan> so, if you used a new session vs self.session, i bet this would succeed [19:07]
<morgan> leading me to see an issue with ksc.Session or KSA.session [19:07]
<ayoung> and thus we see the value of functional tests! [19:08]
<morgan> but i almost guarantee you're going to see this is related to that and not that the server is doing something wrong [19:08]
<morgan> it is almost 100% assuredly not (since we test that explicitly in the server) [19:08]
<ayoung> morgan, that sounds like a good working hypothesis.  How do we test? [19:09]
<morgan> ayoung: fix the test (synthetically) to use a new session with no credentials in it [19:09]
<morgan> and re-run [19:10]
<morgan> that way you cannot run through the normal auth path. [19:11]
<lbragstad> bknudson ok - I think I can recreate what you're seeing [19:11]
<lbragstad> bknudson I add a test to test_auth.py [19:11]
<morgan> since the new session has never seen unscoped_plugin [19:11]
<lbragstad> which should be specific to v2 [19:11]
<lbragstad> auth [19:11]
<ayoung> morgan, so...no [19:12]
<ayoung> I think that what this does is a legitimate use case, and would not be done in a session [19:13]
<ayoung> unscoped in one session, but grab the auth plugin and create a second [19:13]
<ayoung> the audit ID should be generated by the server, and should match that of the original, but I would think that, in the scoped token, it would be a list, not a single value? [19:14]
* ayoung does not quite understand our audit approach here [19:14]
<lbragstad> ayoung yeah - you're right [19:14]
<ayoung> audit_chain_id  can only be a single value? [19:14]
<openstackgerrit> Lance Bragstad proposed openstack/keystone: Expose bug in Fernet v2 audit ids  https://review.openstack.org/311816 [19:16]
<edtubill> Hi, I had a quick question - currently, there's no way to use the k2k federation auth plugin when using the CLI right? [19:17]
<lbragstad> ayoung I'm not sure about audit_chain_id but I know that when you get an unscoped token you should have one audit_id in the list of audit_ids of the response [19:18]
<lbragstad> if you use that unscoped token to get a project scoped token the audit_id from the unscoped token should be one of the two audit ids in the project scoped token response [19:18]
<morgan> ayoung: no i was saying how we confirm the issue [19:19]
<morgan> ayoung: not that is how you fix it [19:19]
<ayoung> morgan, so you think that there are two sessions in play here, and the second one is doing...what? [19:21]
<edtubill> ping rodrigods [19:25]
<ayoung> morgan, ok, I think I had what you said exactly backwards. [19:28]
<morgan> ayoung: yep. [19:29]
<morgan> ayoung: 1 session in play, and a bug associated to that [19:29]
<ayoung> so instead of self.session  create a new session on line 41 and it should pass.  But that is just a workaround, and the use case as shown by this test failure is still legit.  Do I read that right? [19:30]
<roxanaghe> morgan, ayoung: we now have a mock strategy in ldap3: https://github.com/cannatag/ldap3/blob/dev/ldap3/strategy/mockSync.py [19:31]
<roxanaghe> or at least in a branch that will be released soon :) [19:31]
<roxanaghe> knikolla: ^^ [19:31]
<ayoung> roxanaghe, so....we had a discussion at the summit about python3 [19:32]
<roxanaghe> ayoung, ok.. [19:32]
<ayoung> roxanaghe, one thing we have IDed is that the pyldap port of python-ldap to python3 is the better approach [19:32]
<ayoung> roxanaghe, but, that is all the old, crappy code [19:32]
<ayoung> and I like what we have with ldap3.  So, I think we need to figure out what we are going to do with the current code. [19:33]
<ayoung> But, we really should not be using ldap3, as it does a lot of stuff in Python that is hard to get right, and the openldap libraries have worked long and hard to nail that down [19:33]
<ayoung> the whole LDAP wire protocol is non-trivial, and reimplementing in Python is likely to introduce errors [19:34]
<ayoung> roxanaghe, there was a fork of python-ldap done to just get the code to python3 [19:34]
<ayoung> https://github.com/pyldap/pyldap [19:34]
<roxanaghe> ayoung, hmmm, why do you think ldap3 code is risky? [19:35]
<roxanaghe> it is used by other companies that deal with ldap [19:35]
<gyee> lets just use JNDI :-) [19:36]
<dims> gyee : LOL [19:36]
<stevemar> ayoung: ah the failure is cause we switched devstack to run fernet by default [19:40]
<stevemar> nice [19:40]
<stevemar> ayoung: that's a nice catch, yay func. tests [19:40]
<ayoung> Whoa [19:41]
<ayoung> roxanaghe, so...I'm ok with completing the work on ldap3, but don't be surprised if we end up having to go to pyldap with the old driver [19:41]
<stevemar> roxanaghe: i was wondering about that over the weekend [19:42]
<ayoung> stevemar, and I like the new code and the new approach [19:42]
<roxanaghe> ayoung, sorry I was just surprised so I am glad I opened the convo [19:42]
<ayoung> so it might be OK. [19:43]
<ayoung> stevemar, I kind of want to do this: [19:43]
<ayoung> 1. get the new driver working (complete the task as is) [19:43]
<stevemar> i'm wondering why we don't use pyldap + ldappool (but a py3 friendly version of it) [19:43]
* morgan very much prefers ldap3 [19:43]
<ayoung> 2.  start hammering on it [19:43]
<morgan> very very much [19:43]
<ayoung> 3.  be prepared to rework the existing code to pyldap if required [19:43]
<ayoung> morgan, I am not the right person to judge, as I hate the original LDAP code so so much [19:44]
<morgan> ayoung: not our code [19:44]
<morgan> the library [19:44]
<morgan> having used both, i would NEVER write anything with the old lib/a py3 version of it [19:44]
<morgan> ever [19:44]
<ayoung> morgan, but I do prefer using openldap to using a reimplementation...ldap is a beast [19:44]
<morgan> unless the interfaces massively change [19:45]
<ayoung> morgan, one of my earliest blog posts: http://adam.younglogic.com/2008/08/openldap-api-is-somewhat-hostile/ [19:45]
<kfox1111> if you auth with project_id, you don't need a project domain right? [19:45]
<ayoung> kfox1111, um....no you still need it.  But you shouldn't [19:46]
<ayoung> kfox1111, which should probably be filed as a bug.  IDs are unique, and should not need to be scoped to domains [19:47]
<kfox1111> k. just trying to document some things for the kubernetes folks. [19:47]
<roxanaghe> ayoung, morgan in my opinion I don't think we do any extraordinary things with ldap so that this new ldap3 wouldn't support it [19:48]
<kfox1111> they have most of a keystone plugin written, but it doesn't support tokens. just usernames/passwords, which I think is not what we would want. [19:48]
<roxanaghe> it is both scary and exciting that the library is still in very much development but I guess that's just open source [19:48]
<roxanaghe> morgan, and I very much love the code, since I've been reading ldap3 code more in depth by trying to help on this mock strategy [19:49]
<ayoung> roxanaghe, so one other thing learnt at the summit:  we had a presentation on Active Directory, and the presenter tested all his changes against Samba.  So we can use that for functional/integration tests [19:49]
<ayoung> nkinder, I think we want to pursue the ldap3 approach.  We can treat pyldap as a fallback, but we've put enough work into the new driver, and the code is much, much prettier. Is that a deal breaker? [19:50]
<roxanaghe> ayoung, do you have a link on that? [19:50]
<ayoung> roxanaghe, not sure if the presentations are up yet, but I can find the session link, and it should be off that soonish [19:50]
<roxanaghe> ayoung, cool thanks [19:51]
<nkinder> ayoung: I think we should look at performance under load, and also ensure crypto is working properly [19:51]
<nkinder> ayoung: also see how it performs with LDAPS and/or startTLS [19:51]
<ayoung> nkinder, ++  it was SASL support that I was most worried about. It seems to be an after thought in a lot of libraries [19:51]
<ayoung> roxanaghe, are you comfortable setting up FreeIPA?  With that, we can test both X509 and Kerberos based Auth. I'd be happy to help with the rough points [19:52]
<ayoung> and it will lead to the functional test setup [19:52]
<ayoung> roxanaghe, https://www.openstack.org/summit/austin-2016/summit-schedule/events/7315  was the session. Martin Lopes is a tech writer here at RH, and since he is doing Keystone related things, he's affiliated with our team [19:53]
<ayoung> I can get him here if we need to talk to him [19:54]
<roxanaghe> ayoung, ok, I'm gonna take a look at it [19:55]
<ayoung> roxanaghe, ARGH expired...the schedule app sux [19:55]
<ayoung> Ah...came back...rant retracted but kept near at hand [19:56]
<openstackgerrit> Steve Martinelli proposed openstack/keystone: WIP: review at own risk: switch to pyldap  https://review.openstack.org/311827 [19:56]
<ayoung> stevemar, you are amazing [19:58]
<stevemar> ayoung: i'm also pulling an entire library locally :( [19:59]
<stevemar> ayoung: but the library was one file :\ [19:59]
<ayoung> https://review.openstack.org/#/c/311827/1/keystone/common/ldap/ldappool.py  stevemar ? [20:00]
<patchbot> ayoung: patch 311827 - keystone - WIP: review at own risk: switch to pyldap [20:00]
<stevemar> ayoung: that is basically https://github.com/mozilla-services/ldappool/blob/master/ldappool/__init__.py [20:02]
<stevemar> i'm not sure if we can legally use that... [20:02]
<ayoung> stevemar, Yep.  Yep [20:02]
<ayoung> stevemar, I think that it depends on the license, but we should be able to annotate at the top of the file [20:02]
<stevemar> the library is unmaintained and hasn't accepted a pull request in years [20:02]
<stevemar> ayoung: thats my hope [20:02]
<stevemar> i wonder if the tests will pass [20:02]
<stevemar> prob not [20:02]
<ayoung> stevemar, we can fork, like pyldap, and support.  My guess is that if nkinder thinks we need pyldap, we can do pyldappool [20:02]
<stevemar> ayoung: true, you red hatters are maintaining pyldap right? [20:02]
<ayoung> stevemar, yep [20:04]
<ayoung> stevemar, I think the pyldap maintainer is a FreeIPA dev [20:04]
<morgan> fwiw, the ldappool is less relevant for the same reasons memcachepool is [20:04]
<stevemar> ldappool is nice, it makes all operations we do with ldap much faster [20:05]
<morgan> stevemar: that was mostly the case with greenthreads and per-connection things [20:06]
<stevemar> ooooh [20:06]
<morgan> stevemar: with the no-more-eventlet path, we could simply work around that problem more directly [20:06]
<stevemar> nice [20:07]
<morgan> it is easy to maintain a single ldap connection and just check status of it/etc per active process if we aren't doing threads/etc [20:07]
<ayoung> morgan, I say we pursue both approaches. I know that sounds crazy, but since we have so much done on ldap3, seems a pity to throw it away.  And we can use pyldap as a migration measure.  Run them off against each other, and keep whichever is the better tool. But force the config options to be a strict subset of the original options [20:08]
<morgan> ayoung: as long as if we go pyldap we commit to rolling up all the awful "common" code into the driver [20:09]
<morgan> ayoung: if it wins that is [20:09]
<stevemar> id prefer to not pursue both, but that is sound logic [20:10]
<morgan> stevemar: if pyldap is drop in replacement it's easy [20:10]
<stevemar> yep [20:10]
<roxanaghe> stevemar, agree with you :) [20:10]
<morgan> otherwise... i am pretty anti pyldap unless someone is (like roxanaghe ) committed to really doing the work. [20:10]
<morgan> which case, i can't stop them [20:10]
<morgan> but we have people committed and actively working on ldap3 [20:11]
<roxanaghe> morgan, hah [20:11]
<shaleh> I thought ldap3 was perceived to be a better choice [20:11]
<shaleh> more pythonic, etc. [20:11]
stevemardepends on how good the port of python-ldap to pyldap is :)20:11
stevemarshaleh: it is, but pyldap is supposed to be a drop-in replacement20:11
morganshaleh: it is for some reasons, but some of the folks at red hat are also concerned about the interfaces and crypto bits20:11
roxanagheI thought that too and ldap3 code proved to be very easy to use so far20:11
morganshaleh: which are valid concerns20:11
edtubillHi, I had a quick question: Is the k2k auth plugin available for the CLI? I was looking at the code/CLI options and it doesn't seem to be available.20:11
morganstevemar: ^ bus, you k2k auth :P20:12
morganedtubill: i recommend asking stevemar on that front :)20:12
stevemaredtubill: the code for that is in keystoneauth20:12
ayoungshaleh, so, yes, if Pythonic is the only criteria.  However, it is a wire protocol, old, crufty, and temperamental we have here.  And the openldap code is native and battle tested,20:12
shalehso let the RH folks talk to the ldap3 owner and get it straight. He has seemed reasonable thus far.20:12
stevemaredtubill: but openstackclient needs to migrate to keystoneauth20:12
morganshaleh: basically if we don't have folks doing work to prove out/parallel pyldap, ldap3 wins by default20:13
stevemaredtubill: i think... knikolla has some experience there too20:13
morganshaleh: since we have people doing it.20:13
ayoungshaleh, the issue is that ldap3 is python impl of the LDAP protocol.20:13
morganshaleh: and we can work to fix ldap3 going forward if needed20:13
shalehayoung: ah, I see.20:13
morganif someone wants to run off the two, pyldap needs stakeholders contributing20:13
edtubillmorgan: oops. I also just realized I asked the question twice on accident ><. stevemar: okay thanks, I was just wondering if it was generally available.20:14
morganedtubill: not a problem :)20:14
morganedtubill: i just tossed you over to stevemar cause i knew he knew the answer20:14
ayoungmorgan, if ldap3 does not support SASL that is a deal breaker20:14
shalehayoung: I had not looked that close at it. I was hoping it was just a sane layer on top of the C code.20:14
ayoungand that is the tricky part20:14
ayounglet me look20:14
morganayoung: if it doesn't support SASL, we look at how hard it is to fix it20:15
stevemar:)20:15
roxanagheayoung, it does support SASL20:15
ayoungroxanaghe, don't be so quick to say that20:15
morganayoung: i would rather see ldap3 win - pure python > c libs20:15
roxanagheayoung, hah20:15
morganin this case.20:15
morganin most cases.20:15
ayoungroxanaghe, I've seen libraries (like Rabbit) that say they do SASL, but then only implement a small subset20:15
roxanagheayoung, I see I guess testing it is the ultimate answer20:15
ayoungmorgan, python !> native for security sensitive and performant stuff20:16
roxanaghebut do we support that in the current code?20:16
ayounghttp://ldap3.readthedocs.io/bind.html#sasl20:16
shalehayoung: you are showing up pretty late to be complaining about ldap3. We have been talking about it for at least the year I have been here.20:16
morganayoung: you throw all of that out in 99% of the cases cause you use python on top of the c-libs20:16
morganayoung: i can totally buy if we weren't layering python on top.20:16
ayoungthat looks good...20:16
morgani've been *VERY* impressed with ldap320:17
ayoungshaleh, um...I've been participating. You missed the start of this discussion.20:17
ayoungIt came up at the summit.  I personally like ldap320:17
bknudsonwe wanted ldap3 because python-ldap + ldappool doesn't support python3.20:18
bknudsonI don't think we wanted ldap3 just because we wanted to rewrite everything20:18
rderosebknudson ++20:18
morganbknudson: ldap3 being more pythonic/easier to use/understand *and* python3 support20:19
morganbknudson: both pieces sold us.20:19
ayoungshaleh, so this was my concern when we first discussed it.  At that time, I did not know about pyldap, and thought we were stuck with ldap3.  And I do like the ldap3 code better, but then, I hate the existing LDAP code anyway20:19
*** mylu has joined #openstack-keystone20:19
shalehayoung: fair points20:19
bknudsonldap3 isn't going to be a drop-in switch for deployers either. The config options are going to be different20:19
shalehbknudson: we can't mask that?20:20
lbragstadbknudson do we have a bug open for the audit_id + fernet + v2 issues?20:20
*** pnavarro has joined #openstack-keystone20:20
ayoungmorgan, shaleh it looks like the ldap3 SASL support is == to python-ldap as far as supported mechanisms.20:20
bknudsonshaleh: I don't think it's worth it to try to mask it. the config options are essentially python-ldap symbols20:20
stevemarlbragstad: no20:20
lbragstadstevemar ok - i'm going to open one since I'm working on it now20:21
stevemarlbragstad: ++20:21
ayoungWell, except that ldap3 doesn't have to support some legacy ones like kerberos4, which we don't want to deal with anyway20:21
ayoungso...no, that is not true20:21
ayoungthe config options are a case of bad coding that I cut and pasted20:21
*** mylu has quit IRC20:21
ayoungand I hated them then, and hate them more now20:22
roxanagheayoung, do we use SASL in the current keystone code?20:22
ayoungbut we can't change those.20:22
ayoungroxanaghe, it is a possibility20:22
ayoungroxanaghe, I've tested it in the past, and it is an essential feature in some places. But the baseline does not do anything other than simple bind anywhere20:22
ayoungwhich is, TBH, a horrible Security hole20:22
roxanagheayoung, I see20:23
ayoungI thought LDAP could do X509 client auth somehow...let me see what the path is to that.  I thought it was SASL20:23
roxanagheayoung, also no reason to have simple bind without TLS if we talk about security :)20:23
*** notmorgan has joined #openstack-keystone20:24
ayoungroxanaghe, so, right.  I think X509 does not need sasl20:24
ayounghttp://www.openldap.org/doc/admin24/tls.html20:24
*** morgan has quit IRC20:24
*** notmorgan is now known as morgan20:24
*** maxabidi has quit IRC20:24
lbragstadstevemar bknudson20:24
lbragstadhttps://bugs.launchpad.net/keystone/+bug/157755820:24
openstackLaunchpad bug 1577558 in OpenStack Identity (keystone) "v2.0 fernet tokens audit ids are inconsistent" [Undecided,New]20:24
lbragstadcc dolphm ^20:24
ayoung"The DN of a client certificate can be used directly as an authentication DN."20:24
ayoungroxanaghe, so, we do enable TLS, and we can specify the auth DN.  But I have not tested that with X509...That would be a good one to knock out20:25
roxanagheayoung, sounds reasonable20:25
*** sheel has quit IRC20:25
stevemarlbragstad: should backport the fix20:25
bknudsondo we have a way to specify the client cert in the ldap config?20:25
ayoungmorgan, so, I think I want to do this:20:25
ayoung1.  Pursue ldap3 as the long term rewrite20:25
ayoung2. hack the existing driver to use pyldap. That should support python2 and 320:26
morganayoung: i can't stop you.20:26
ayoungdeprecate pyldap if the ldap3 driver stands up to testing20:26
lbragstadstevemar tagged it with mitaka-backport-potential20:26
*** serverascode_ has joined #openstack-keystone20:26
morgani'd rather not move to pyldap unless you *really* need it.20:26
morgani'm totally ok with current ldap code in keystone dying20:26
morganin a deprecation cycle20:26
morganif it's the only code we don't test py3, i'm content20:27
*** andreykurilin___ has joined #openstack-keystone20:27
bknudsonhttp://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone.conf.sample#n1079 -- why would keystone have incoming TLS for ldap??20:27
*** annasort has joined #openstack-keystone20:27
bknudsonI don't see a config option for the ldap client cert.20:28
*** afazekas_ has joined #openstack-keystone20:28
*** bapalm_ has joined #openstack-keystone20:28
*** bapalm has quit IRC20:29
*** odyssey4me has quit IRC20:29
*** afazekas has quit IRC20:29
*** dstanek has quit IRC20:29
*** serverascode has quit IRC20:29
*** fungi has quit IRC20:29
*** dtroyer has quit IRC20:29
*** andreykurilin__ has quit IRC20:29
bknudsonbtw - dhellmann said that if there's any config of keystone that supports python3 we should say we support it in the trove classifiers.20:29
morganbknudson: today, no.20:29
bknudsonI tried running keystone under py3 but it failed in a memcache. Maybe I could disable memcache20:29
morganbknudson: we have some generic code still that is not 100% python 3...but it's hard to suss out because the way our tests work.20:30
*** dtroyer has joined #openstack-keystone20:30
*** andreykurilin___ is now known as andreykurilin__20:30
bknudsonhttps://review.openstack.org/#/c/311804/ (or something like it) is needed for oslo.policy release.20:31
patchbotbknudson: patch 311804 - keystone - Remove test_invalid_policy_raises_error20:31
*** dstanek has joined #openstack-keystone20:31
*** ChanServ sets mode: +v dstanek20:31
ayoungmorgan, so, I'll get back to you on that.  For Tripleo and downstream, I don't know when we are going to force A Python3 only approach.  I think that, from a RH perspective, we are going to need to get another package in to Fedora, EPEL, RDO whatever, and one package is better than two.  So, if we go ldap3, I need to figure out where and when.  Does ldap3 support python2?  I was under the impression that it does, probably via 6?20:31
morganayoung: it afaict works with py2 and py320:32
morganayoung: just fine20:32
*** ngupta has joined #openstack-keystone20:32
*** fungi has joined #openstack-keystone20:34
*** serverascode_ is now known as serverascode20:34
*** odyssey4me has joined #openstack-keystone20:35
ayoungmorgan, ldap3  might be a case where my team would prefer pyldap, but I can honestly go back and say I was overruled.  I see both sides.  From the platform perspective, it is better to have only one python library to support, and FreeIPA is A) not going to rewrite and B) already dependent on openldap Native libraries anyway.  So there pyldap is certainly the better choice20:35
*** adu has joined #openstack-keystone20:35
ayoungFor Keystone, the fact that the work is done coupled with the improved code quality is a big seller20:35
*** rderose has quit IRC20:35
bknudsonCan you even have both python-ldap and python-ldap3 installed at the same time?20:35
ayoungbknudson, yes20:35
ayoungbknudson, I don't think ldap3 sits on any of the ldap namespace20:35
bknudsonok, I thought maybe they both used ldap20:36
ayounghttps://review.openstack.org/#/c/296090/20:36
patchbotayoung: patch 296090 - keystone - WIP - ldap3 Identity Driver20:36
ayoungimport ldap320:36
*** annasort has quit IRC20:37
bknudsonright, that's ldap3, not the python3 python-ldap20:37
*** rderose has joined #openstack-keystone20:37
dstaneki actually like the idea of RH maintaining a port of python-ldap20:37
bknudsonpyldap is the python3 python-ldap20:38
bknudsonand that must use the ldap namespace20:38
dstanekas much as i like the cleaner interface of ldap3, it is nice to rely on the C libs20:38
bknudsonthe python C libs are also crappy. I used to maintain them for ibm's ldap.20:39
*** sileht has quit IRC20:39
ayoungdstanek, right.  I'd like to keep the interface (the config) the same between the two drivers, and really give the ldap3 one a test drive, but be able to maintain the python-ldap based code for a release, using pyldap instead20:39
bknudsonayoung: so is redhat planning to ship pyldap rather than python-ldap?20:40
ayoungbknudson, yes.  We need it for our IdM20:40
ayoungbknudson, I don't know when, though.  I can find out20:40
bknudsonthen all you need is ldappool320:40
bknudson(or whatever a python3-enabled ldappool is)20:40
*** henrynash has quit IRC20:40
*** sileht has joined #openstack-keystone20:41
*** fangxu has quit IRC20:41
dstanekayoung: it sucks that the python-ldap maintainers don't want to maintain it20:44
ayoungdstanek, forking is fine for a case like this20:44
dstanekayoung: it has to be :-) as long as the new thing is maintained then i'm happy20:45
*** jaosorior has quit IRC20:45
*** stingaci has joined #openstack-keystone20:46
bknudsonexcept when pyldap maintainers don't want to maintain it and we get another fork20:46
*** mylu has joined #openstack-keystone20:48
openstackgerritayoung proposed openstack/keystone: WIP - ldap3 Identity Driver  https://review.openstack.org/29609020:49
*** mylu has quit IRC20:49
ayoung bknudson morgan dstanek so ^^ is just a Pep 8 fix.  I'm going to consider that not a sufficient change to void me from +2ing in the future20:50
*** stingaci has quit IRC20:51
*** rderose has quit IRC20:58
*** rderose has joined #openstack-keystone20:59
*** dmk0202 has joined #openstack-keystone21:00
*** adu has quit IRC21:01
*** sdake_ has quit IRC21:03
*** sdake has joined #openstack-keystone21:03
morganayoung: pep8 correction is fine imo21:04
*** fangxu has joined #openstack-keystone21:05
*** xek_ has joined #openstack-keystone21:10
*** rodrigods has quit IRC21:10
*** rodrigods has joined #openstack-keystone21:10
*** xek has quit IRC21:11
*** dmk0202 has quit IRC21:12
*** jlvillal has quit IRC21:12
*** jlvillal has joined #openstack-keystone21:12
dstanekayoung: i'll take a look after dinner21:16
*** haplo37 has quit IRC21:19
*** adu has joined #openstack-keystone21:21
*** julim has quit IRC21:26
*** pnavarro has quit IRC21:28
lbragstadbknudson I noticed something else with our token model21:32
lbragstadbknudson this will fail when run with fernet - for the same reason you pointed out before https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_auth.py#L52321:33
lbragstadwhen we go to get the scoped token with the unscoped token, the token_model thinks we're using a v3 model21:34
*** roxanaghe has quit IRC21:35
ayounglbragstad, fernet does not say token version, does it?21:37
lbragstadayoung as in can you tell what type of token it is from looking at a fernet token?21:38
ayounglbragstad, right. We always need to assume V3, and then convert to V2, i thought21:38
lbragstadayoung yeah - i think that is true... i'm just trying to figure out why the audit ids are generated/passed different for v2 uuid versus v2 fernet21:39
lbragstadthe fernet provider code is doing the right thing with the audit ids it gets in the provider21:39
lbragstadbut it's passed bogus audit ids from the keystone/token/controller.py:authenticate method21:40
bknudsonthe token code is way too complicated.21:44
lbragstad++21:44
bknudsonso why does https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_auth.py#L523 pass?21:44
lbragstadI can't wait for the day where we have one provider21:45
bknudsonit's only run on uuid?21:45
bknudsonor it's v3?21:45
lbragstadyeah - so that passes on uuid21:45
lbragstadok - I think I figured it out...21:54
*** roxanaghe has joined #openstack-keystone21:54
openstackgerritSteve Martinelli proposed openstack/keystone: WIP: review at own risk: switch to pyldap  https://review.openstack.org/31182721:55
lbragstadayoung bknudson when we execute this test https://github.com/openstack/keystone/blob/61a135cf7d76f0bf4322d44aed18312c711c1eea/keystone/tests/unit/test_auth.py#L52321:56
lbragstadwe get an unscoped token and then use that to get another unscoped token21:56
ayounglbragstad, in the test or in the provider?21:56
lbragstadwhich means we are going to hit https://github.com/openstack/keystone/blob/61a135cf7d76f0bf4322d44aed18312c711c1eea/keystone/token/controllers.py#L183 in the v2 token controller21:57
lbragstadayoung that is what the test is doing21:57
lbragstadbut when we pass the first unscoped token to get a new unscoped token21:57
lbragstadwe call token_data=self.token_provider_api.validate_token(old_token)21:57
ayoungas we should21:57
*** ninag has quit IRC21:57
*** ametts has quit IRC21:57
lbragstadwhich gets into this - https://github.com/openstack/keystone/blob/61a135cf7d76f0bf4322d44aed18312c711c1eea/keystone/token/provider.py#L20421:58
lbragstadeverything looks good, right?21:58
ayoungso far it looks right to me21:58
lbragstadayoung but...21:58
lbragstadthis happens21:58
lbragstadhttps://github.com/openstack/keystone/blob/61a135cf7d76f0bf4322d44aed18312c711c1eea/keystone/token/provider.py#L295-L29821:58
lbragstadwe call _validate_token(token_id) from within validate_token21:59
bknudsonwhat's validation have to do with it?21:59
bknudsonvalidating the original token?21:59
lbragstad_validate_token() validates the token as if it were a v3 token21:59
lbragstadand returns that v3 token reference to the TokenModel21:59
lbragstadwhat we should be doing is converting that v3 response to be a v2 response22:00
bknudsonwe seem to use TokenModel sometimes and a dict other times.22:00
lbragstadlike this22:00
*** tonytan4ever has joined #openstack-keystone22:00
lbragstadhttps://github.com/openstack/keystone/blob/61a135cf7d76f0bf4322d44aed18312c711c1eea/keystone/token/provider.py#L233-L24422:00
bknudsonwhy convert to a v2 response there? that token isn't being returned it's just being used to fill in the new token.22:00
lbragstadbknudson I would guess that is because the keystone/token/controller.py stuff is expecting things to come back as v2.022:01
lbragstadsince that is the v2.0 controller22:01
lbragstadfor tokens22:01
bknudsonI never tried using a v3 token as the original token22:03
bknudsonI mean v3 unscoped -> v2 scoped22:03
lbragstadbknudson well - the test is v2 unscoped -> v2 unscoped22:05
lbragstad-> unscoped22:05
lbragstadso the test just gets 3 unscoped tokens22:06
bknudsonI tried v3 unscoped -> v3 scoped and that worked.22:06
lbragstadyeah - that makes sense22:06
lbragstadbknudson I think the reason why this is broken is because we use v3 to validate v2 tokens and convert the v3 response to be a v2 response22:06
bknudsonwhat doesn't make sense is that the v2 -> v2 puts a completely random parent audit ID. Where's it getting that?22:07
lbragstadwe do that in a few different places but I don't think we do that in all places22:07
bknudsonboth v3 and v2 have audit IDs.22:07
lbragstadbknudson right - but they live in different places in the response22:07
bknudsonso there's no reason for this to be broken22:07
lbragstadv2 uses ['access'] and v3 doesn't22:08
bknudsonthe TokenModel should hide the differences.22:08
lbragstadit should, but it doesn't because we haven't converted the v3 response to be a v2 response before passing it to the token model22:09
lbragstadwhich is why the model thinks it's dealing with a v3 token22:09
bknudsonv3->v2 conversion should happen in the v2 controller.22:10
lbragstadbknudson yeah - or the v2 controller should call part of the token provider that knows how to do the conversion22:10
bknudsontoken provider shouldn't know anything about v2 or v3.22:10
lbragstadyeah, it shouldn't22:11
lbragstadright22:11
*** fawadkhaliq has quit IRC22:11
*** fawadkhaliq has joined #openstack-keystone22:11
*** stingaci has joined #openstack-keystone22:14
*** markvoelker has quit IRC22:15
*** furface has joined #openstack-keystone22:16
*** stingaci has quit IRC22:20
*** ngupta has quit IRC22:20
openstackgerritJulien Danjou proposed openstack/python-keystoneclient: httpclient: remove unused debug kwargs  https://review.openstack.org/23673922:23
*** jamielennox|away is now known as jamielennox22:25
*** adu has quit IRC22:26
*** david-lyle has quit IRC22:28
*** navid_ has quit IRC22:31
*** slberger has left #openstack-keystone22:33
*** pgbridge has quit IRC22:35
*** fawadkhaliq has quit IRC22:38
*** fawadkhaliq has joined #openstack-keystone22:40
*** phalmos has quit IRC22:42
lbragstadbknudson fixed part of it22:49
lbragstadwell - at least the audit ids part22:49
lbragstadlooks like there are still a bunch of issues with v2 tokens + fernet + revocation events22:49
lbragstadcc ayoung22:49
*** edtubill has quit IRC22:49
*** timcline has quit IRC22:50
openstackgerritLance Bragstad proposed openstack/keystone: Fix fernet audit ids for v2.0  https://review.openstack.org/31188622:52
lbragstadbknudson ayoung ^22:53
*** rodrigods has quit IRC22:56
*** rodrigods has joined #openstack-keystone22:56
*** spzala has quit IRC22:59
*** spzala has joined #openstack-keystone23:00
*** lamt has quit IRC23:02
*** edtubill has joined #openstack-keystone23:03
*** doug-fis_ has quit IRC23:04
*** spzala has quit IRC23:04
*** doug-fish has joined #openstack-keystone23:05
*** pumaranikar has quit IRC23:07
*** nkinder has quit IRC23:08
*** furface has quit IRC23:08
*** markvoelker has joined #openstack-keystone23:16
*** nkinder has joined #openstack-keystone23:18
*** jrist has quit IRC23:19
*** c_soukup has joined #openstack-keystone23:20
*** fawadkhaliq has quit IRC23:20
*** markvoelker has quit IRC23:21
*** tonytan4ever has quit IRC23:23
*** mylu has joined #openstack-keystone23:23
*** fawadkhaliq has joined #openstack-keystone23:25
*** roxanaghe has quit IRC23:27
*** mylu has quit IRC23:30
*** mylu has joined #openstack-keystone23:30
bknudsonI thought the fernet provider says it doesn't support token binding23:31
*** gyee has quit IRC23:32
*** c_soukup has quit IRC23:33
*** jrist has joined #openstack-keystone23:34
*** mylu has quit IRC23:36
lbragstadbknudson it doesn't23:36
openstackgerritLance Bragstad proposed openstack/keystone: Fix fernet audit ids for v2.0  https://review.openstack.org/31188623:37
lbragstadayoung ^ that might help with your make fernet default patch23:38
bknudsonopenstack CLI's version checking is crazy -- http://logs.openstack.org/94/193894/23/check/gate-tempest-dsvm-full/1400d33/logs/devstacklog.txt.gz#_2016-05-02_22_08_47_71423:40
*** edtubill has quit IRC23:40
*** sdake_ has joined #openstack-keystone23:41
*** edtubill has joined #openstack-keystone23:43
*** sdake has quit IRC23:43
*** gordc has quit IRC23:43
*** edtubill has quit IRC23:46
*** doug-fish has quit IRC23:46
*** doug-fish has joined #openstack-keystone23:47
*** doug-fis_ has joined #openstack-keystone23:51
bknudsonapparently you can't have a number anywhere in the path23:51
*** mylu has joined #openstack-keystone23:51
*** chlong has joined #openstack-keystone23:52
*** doug-fish has quit IRC23:52
bknudsonhopefully I can use "two" rather than "2"23:52
bknudsonI tried it. It's too smart.23:54
*** doug-fis_ has quit IRC23:55
*** sdake_ has quit IRC23:55
*** sdake has joined #openstack-keystone23:56
*** sdake has quit IRC23:56
*** sdake has joined #openstack-keystone23:57
*** doug-fish has joined #openstack-keystone23:58
*** sdake has quit IRC23:58
