Tuesday, 2016-05-03

*** spzala has joined #openstack-keystone00:00
*** shaleh has quit IRC00:01
*** doug-fis_ has joined #openstack-keystone00:02
*** rderose has quit IRC00:02
*** doug-fish has quit IRC00:03
*** spzala has quit IRC00:05
*** doug-fis_ has quit IRC00:07
bknudsonoops, it was the apache config needs to match the keystone setting.00:07
*** markvoelker has joined #openstack-keystone00:09
*** furface has joined #openstack-keystone00:15
*** doug-fish has joined #openstack-keystone00:16
*** edtubill has joined #openstack-keystone00:22
*** mylu has quit IRC00:28
*** lhcheng has quit IRC00:37
*** rbridgeman has quit IRC00:38
openstackgerritZhiQiang Fan proposed openstack/keystone: switch to tempest instead of deprecated tempest-lib  https://review.openstack.org/31190100:43
*** sigmavirus24 is now known as sigmavirus24_awa00:45
*** fawadkhaliq has quit IRC00:50
*** dan_nguyen has quit IRC00:51
*** spzala has joined #openstack-keystone00:58
knikollao/01:01
knikollasorry for missing the discussion, still haven’t recovered from the cold01:01
*** david-lyle has joined #openstack-keystone01:09
stevemarbknudson: try "dos"01:13
*** EinstCrazy has joined #openstack-keystone01:22
*** EinstCra_ has joined #openstack-keystone01:31
*** adu has joined #openstack-keystone01:32
*** EinstCrazy has quit IRC01:35
knikollastevemar: “review at own risk” and firefox crashed :P01:35
*** dan_nguyen has joined #openstack-keystone01:40
*** edmondsw has quit IRC01:42
*** doug-fish has quit IRC01:57
*** doug-fish has joined #openstack-keystone01:57
*** adu has quit IRC01:57
*** jrist has quit IRC01:59
*** doug-fis_ has joined #openstack-keystone02:00
*** doug-fish has quit IRC02:01
*** doug-fis_ has quit IRC02:05
*** doug-fish has joined #openstack-keystone02:07
*** jrist has joined #openstack-keystone02:12
morganknikolla: feel better02:13
*** spzala has quit IRC02:17
*** topol has quit IRC02:18
*** TxGVNN has joined #openstack-keystone02:20
*** sdake has joined #openstack-keystone02:20
stevemarknikolla: clearly firefox is looking out for you :P02:21
stevemarknikolla: get some rest and start fresh tomorrow :)02:21
*** c_soukup has joined #openstack-keystone02:21
*** topol_ has joined #openstack-keystone02:23
knikollamorgan, stevemar: thank you02:23
knikollaand thank you firefox also :P haha02:25
*** hoonetorg has quit IRC02:35
*** ozialien10 has quit IRC02:39
*** hoonetorg has joined #openstack-keystone02:49
*** spzala has joined #openstack-keystone02:50
*** ChanServ sets mode: +v topol_02:55
*** topol_ is now known as topol02:55
*** richm has quit IRC03:01
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/31154803:13
*** fangxu has quit IRC03:17
*** wanghua has joined #openstack-keystone03:21
*** dave-mccowan has quit IRC04:06
*** tqtran has quit IRC04:07
*** spzala has quit IRC04:07
*** spzala has joined #openstack-keystone04:08
*** doug-fish has quit IRC04:09
*** spzala has quit IRC04:12
*** sudorandom has quit IRC04:14
*** pleia2 has quit IRC04:16
*** pleia2 has joined #openstack-keystone04:16
*** links has joined #openstack-keystone04:17
*** markvoelker has quit IRC04:19
*** sudorandom has joined #openstack-keystone04:19
*** c_soukup has quit IRC04:23
*** spzala has joined #openstack-keystone04:24
*** dan_nguyen has quit IRC04:26
*** spzala has quit IRC04:29
*** adu has joined #openstack-keystone04:45
*** adu has quit IRC04:49
*** josecastroleon has joined #openstack-keystone04:52
*** spzala has joined #openstack-keystone05:00
*** lhcheng has joined #openstack-keystone05:02
*** ChanServ sets mode: +v lhcheng05:02
*** spzala has quit IRC05:05
*** lhcheng_ has joined #openstack-keystone05:08
*** lhcheng has quit IRC05:11
*** markvoelker has joined #openstack-keystone05:19
TxGVNNhi everyone, i want to config federation in keystone.05:23
TxGVNNwhen i execute "keystone saml_idp_metadata"05:23
TxGVNNit is an error: http://paste.openstack.org/show/495922/05:24
*** markvoelker has quit IRC05:24
TxGVNNValidationError: Ensure configuration option idp_entity_id is set05:24
TxGVNNsorry, i have found my problem. thanks05:29
*** sdake has quit IRC05:37
*** sdake has joined #openstack-keystone05:39
openstackgerritTin Lam proposed openstack/keystoneauth: Fix ClientException message property not set properly  https://review.openstack.org/28575705:42
*** yolanda has joined #openstack-keystone05:44
*** yolanda has quit IRC05:48
*** yolanda has joined #openstack-keystone05:48
*** edtubill has quit IRC05:53
*** edtubill has joined #openstack-keystone05:55
*** spzala has joined #openstack-keystone06:02
*** spzala has quit IRC06:07
*** edtubill has quit IRC06:12
*** rcernin has joined #openstack-keystone06:15
*** EinstCra_ has quit IRC06:17
*** EinstCrazy has joined #openstack-keystone06:17
*** markvoelker has joined #openstack-keystone06:20
*** markvoelker has quit IRC06:25
*** yolanda has quit IRC06:27
*** yolanda has joined #openstack-keystone06:27
stevemarjamielennox: poke06:28
jamielennoxstevemar: poke06:28
jamielennoxstevemar: poke poke stab stab06:29
stevemarjamielennox: hope you're not sick :)06:29
jamielennoxstevemar: still scratchy but Jayne has gotten immediately sick06:29
stevemarjamielennox: :(06:29
jamielennoxso i have been blamed as a carrier - and i completely threw you under a bus06:29
stevemarjamielennox: topol is also reporting in sick06:29
stevemari blame whoever gave it to me06:29
jamielennoxwithout solid names i have no one else to offer06:30
jamielennoxstevemar: you back to full health?06:31
stevemarjamielennox: just about -- DM'ed ya06:31
stevemarjamielennox: throat is still a bit scratchy06:32
*** yolanda has quit IRC06:34
*** yolanda has joined #openstack-keystone06:40
*** lhcheng_ has quit IRC06:42
*** tesseract has joined #openstack-keystone06:44
*** tesseract is now known as Guest4047906:44
-openstackstatus- NOTICE: Filesystem on logs.openstack.org is broken, we are on the process of repairing it. Please stop checking your jobs until further notice06:44
*** ChanServ changes topic to "Filesystem on logs.openstack.org is broken, we are on the process of repairing it. Please stop checking your jobs until further notice"06:44
*** daemontool_ has quit IRC06:45
*** Guest40479 has quit IRC06:47
*** tesseract- has joined #openstack-keystone06:49
*** fangxu has joined #openstack-keystone06:49
*** fangxu_ has joined #openstack-keystone06:57
*** fangxu has quit IRC06:58
*** fangxu_ is now known as fangxu06:58
*** furface has quit IRC07:02
*** spzala has joined #openstack-keystone07:03
*** rcernin_ has joined #openstack-keystone07:04
*** spzala has quit IRC07:09
*** jed56 has joined #openstack-keystone07:11
*** furface has joined #openstack-keystone07:21
*** markvoelker has joined #openstack-keystone07:21
*** EinstCrazy has quit IRC07:22
*** EinstCrazy has joined #openstack-keystone07:23
*** markvoelker has quit IRC07:26
*** rcernin_ has quit IRC07:33
*** pnavarro has joined #openstack-keystone07:36
*** rcernin has quit IRC07:36
*** chlong has quit IRC07:47
*** henrynash has joined #openstack-keystone07:53
*** ChanServ sets mode: +v henrynash07:53
*** sdake has quit IRC07:56
*** xek__ has joined #openstack-keystone07:57
*** zhiyan_ has joined #openstack-keystone07:58
*** DuncanT has quit IRC07:58
*** boris-42 has quit IRC07:58
*** zhiyan has quit IRC07:58
*** jed56 has quit IRC07:58
*** raddaoui has quit IRC07:58
*** sudorandom has quit IRC07:58
*** woodster_ has quit IRC07:58
*** zzzeek has quit IRC07:58
*** hughsaunders has quit IRC07:58
*** DuncanT_ has joined #openstack-keystone07:58
*** yolanda has quit IRC07:58
*** xek_ has quit IRC07:58
*** dstanek has quit IRC07:58
*** dtroyer has quit IRC07:58
*** agrebennikov_ has quit IRC07:58
*** ayoung has quit IRC07:58
*** d0ugal has quit IRC07:58
*** gus has quit IRC07:58
*** lbragstad has quit IRC07:58
*** sudorandom has joined #openstack-keystone07:59
*** d0ugal has joined #openstack-keystone07:59
*** jistr has joined #openstack-keystone07:59
*** dstanek has joined #openstack-keystone07:59
*** ChanServ sets mode: +v dstanek07:59
*** raddaoui has joined #openstack-keystone07:59
*** lbragstad has joined #openstack-keystone07:59
*** ayoung has joined #openstack-keystone07:59
*** ChanServ sets mode: +v ayoung07:59
*** agrebennikov_ has joined #openstack-keystone08:00
*** zhiyan_ is now known as zhiyan08:00
*** dtroyer has joined #openstack-keystone08:00
*** hughsaunders has joined #openstack-keystone08:00
*** zzzeek has joined #openstack-keystone08:00
*** chlong has joined #openstack-keystone08:01
*** DuncanT_ is now known as DuncanT08:02
*** gus has joined #openstack-keystone08:02
*** yolanda has joined #openstack-keystone08:03
*** woodster_ has joined #openstack-keystone08:05
*** spzala has joined #openstack-keystone08:05
*** boris-42 has joined #openstack-keystone08:10
*** spzala has quit IRC08:11
*** jed56 has joined #openstack-keystone08:11
*** mvk has joined #openstack-keystone08:18
*** markvoelker has joined #openstack-keystone08:22
*** ChanServ changes topic to "Newton Summit Soon! | Midcycle Planning Thread: http://lists.openstack.org/pipermail/openstack-dev/2016-April/092298.html"08:24
-openstackstatus- NOTICE: Logs filesystem has been successfully restored, please recheck your jobs08:24
*** mdavidson has joined #openstack-keystone08:25
*** henrynash has quit IRC08:26
*** markvoelker has quit IRC08:27
*** josecastroleon has quit IRC08:28
-openstackstatus- NOTICE: Filesystem on docs-draft.openstack.org is broken, we are on the process of repairing it. Please stop checking jobs using this filesystem until further notice08:35
*** dmk0202 has joined #openstack-keystone08:35
*** e0ne has joined #openstack-keystone08:52
*** harbor has joined #openstack-keystone08:57
*** josecastroleon has joined #openstack-keystone09:00
*** sileht has quit IRC09:01
*** sileht has joined #openstack-keystone09:02
*** gangaec has joined #openstack-keystone09:03
*** spzala has joined #openstack-keystone09:07
harborHi, I am trying to get my head round mapping for federation and user groups - Currently i have ephemeral users sharing the Federation domain, and things are working pretty slick - however do you need to manually create a domain?->project->group->mapping for each user to provide isolation? With older versions of keystone I think i could have done this pretty easily by using the ldap assignment backend - but I'm09:08
harbor not sure what the best way to implement this would be? if anyone has any pointers I'd be most appreciative :)09:08
*** fangxu has quit IRC09:10
*** fangxu has joined #openstack-keystone09:10
*** spzala has quit IRC09:12
*** e0ne has quit IRC09:21
-openstackstatus- NOTICE: Docs-draft filesystem has been restored. Please check your affected jobs again09:22
*** belmoreira has joined #openstack-keystone09:23
*** markvoelker has joined #openstack-keystone09:23
*** markvoelker has quit IRC09:28
*** josecastroleon has quit IRC09:47
*** links has quit IRC09:48
*** henrynash has joined #openstack-keystone09:52
*** ChanServ sets mode: +v henrynash09:52
*** fangxu has quit IRC09:53
*** fangxu has joined #openstack-keystone09:54
*** mhickey has joined #openstack-keystone09:58
*** e0ne has joined #openstack-keystone10:02
*** links has joined #openstack-keystone10:04
*** links has quit IRC10:07
*** spzala has joined #openstack-keystone10:07
*** spzala has quit IRC10:13
*** henrynash has quit IRC10:14
*** links has joined #openstack-keystone10:14
*** dave-mccowan has joined #openstack-keystone10:23
*** markvoelker has joined #openstack-keystone10:24
*** markvoelker has quit IRC10:28
*** EinstCrazy has quit IRC10:28
*** TxGVNN has quit IRC11:02
*** spzala has joined #openstack-keystone11:09
*** eandersson has joined #openstack-keystone11:13
*** spzala has quit IRC11:13
*** adu has joined #openstack-keystone11:21
*** yolanda has quit IRC11:22
*** links has quit IRC11:24
*** markvoelker has joined #openstack-keystone11:24
*** josecastroleon has joined #openstack-keystone11:27
*** yolanda has joined #openstack-keystone11:27
*** markvoelker has quit IRC11:29
*** gordc has joined #openstack-keystone11:29
*** henrynash has joined #openstack-keystone11:40
*** ChanServ sets mode: +v henrynash11:40
*** adu has quit IRC11:44
*** naresh_ has joined #openstack-keystone11:58
*** naresh_ is now known as Guest566611:58
*** links has joined #openstack-keystone12:03
*** spzala has joined #openstack-keystone12:10
*** spzala has quit IRC12:15
*** markvoelker has joined #openstack-keystone12:22
*** vgridnev has joined #openstack-keystone12:28
*** julim has joined #openstack-keystone12:36
*** BlackDex has quit IRC12:38
*** richm has joined #openstack-keystone12:39
*** mou has joined #openstack-keystone12:41
openstackgerritBrant Knudson proposed openstack/keystone: Remove test_invalid_policy_raises_error  https://review.openstack.org/31180412:46
*** EinstCrazy has joined #openstack-keystone12:51
*** raildo-afk is now known as raildo12:58
*** csoukup has joined #openstack-keystone13:00
*** wanghua has quit IRC13:04
*** edmondsw has joined #openstack-keystone13:04
*** stingaci has joined #openstack-keystone13:07
samueldmqhowdy keystoners13:07
*** vgridnev has quit IRC13:07
*** spzala has joined #openstack-keystone13:11
*** mylu has joined #openstack-keystone13:11
*** EinstCrazy has quit IRC13:12
*** mylu has quit IRC13:12
raildo:)13:13
*** stingaci has quit IRC13:14
*** josecastroleon has quit IRC13:15
*** spzala has quit IRC13:16
*** fangxu_ has joined #openstack-keystone13:20
*** fangxu has quit IRC13:20
*** fangxu_ is now known as fangxu13:20
hoonetorglbragstad asked me to provide a link in the official docs where token.provider=uuid and keystone-manage pki_setup is mentioned13:22
hoonetorgtataa:13:22
hoonetorghttp://docs.openstack.org/juno/install-guide/install/yum/content/keystone-install.html13:22
hoonetorgas lbragstad said: pki_setup is not required when token.provider=uuid13:23
dstanekhoonetorg: did you get your stuff working?13:24
morganlbragstad, stevemar: re ML topic on fernet, should i dump the uuid payload thing?13:24
hoonetorgi'm still in progress13:26
hoonetorgfirst i needed to create a salt-formula to automatically deploy a HA-apache resource for keystone wsgi13:27
hoonetorgthat is done and works13:27
*** fangxu has quit IRC13:27
*** spzala has joined #openstack-keystone13:28
*** julim has quit IRC13:29
*** fangxu has joined #openstack-keystone13:29
hoonetorgdstanek; currently I'm reworking https://github.com/openstack/salt-formula-keystone, especially https://github.com/openstack/salt-formula-keystone/blob/master/keystone/files/mitaka/keystone.conf.Debian13:30
hoonetorgin a few hours there should be a reworked version on https://github.com/hoonetorg/salt-formula-keystone13:31
*** julim has joined #openstack-keystone13:32
hoonetorgdstanek: I will start up with token provider=uuid and persistence=sql and when that works (after some time) work in a high available compatible fernet key creation and rotation mechanism13:33
hoonetorgdstanek: can I ask u a question13:34
hoonetorgwhen I use memcache as cache backend (i have multiple, but they are not high available) and one of the memcache nodes goes down13:36
hoonetorgwill it cause troubles in keystone13:36
hoonetorg?13:36
dstanekhoonetorg: no, things should just slow down13:37
dstanekas long as you are not using it as a token store13:37
hoonetorg... because it's only a cache13:37
hoonetorgit will re-gather the objects from where they came13:38
dstanekhoonetorg: exactly, but we unfortunately provided a memcached backed token backend - just don't use that13:38
hoonetorgk13:38
openstackgerritVictor Stinner proposed openstack/keystone: Port test_v2 unit test to Python 3  https://review.openstack.org/31206013:39
openstackgerritVictor Stinner proposed openstack/keystone: Port test_v3_auth unit test to Python 3  https://review.openstack.org/31206113:39
eanderssonWhat was the token change that happened in Kilo release 3 that made it backwards incompatible with old tokens?13:39
dstaneki can't remember off the top of my head, but i think we deleted it in newer releases13:39
eandersson*fernet tokens13:40
*** sheel has joined #openstack-keystone13:42
morganeandersson: removed padding13:42
eanderssonah13:42
eanderssonDo you think it would be difficult for me to write a backwards compatible fix for that? So that we can upgrade without having to re-create all the tokens?13:42
eanderssonhttps://github.com/openstack/keystone/commit/bd94a41eefa4a1208f06886c598b75cab833925013:43
eanderssonWas that the one?13:43
*** TxGVNN has joined #openstack-keystone13:45
eanderssonhttp://paste.openstack.org/show/oCQ27VXtbH38AuvU9RQQ/13:45
openstackgerritVictor Stinner proposed openstack/keystone: Port test_v3_auth unit test to Python 3  https://review.openstack.org/31206113:50
*** ametts has joined #openstack-keystone13:52
dstanekeandersson: i'm not sure if that was it or not, but i'm pretty sure over time we make a few backward incompatible changes. i just don't know the timeline.13:55
dstanekeandersson: we had redundant data that was removed and other data was added. i'm not sure how much time was spent on backward compat in the early releases as we hardened the feature13:56
*** sigmavirus24_awa is now known as sigmavirus2413:56
eanderssonYea, I talked to someone earlier about this, and I think it was just an oversight in terms of backwards compat.13:59
eanderssonI understand from one major version to another, but just wasn't expecting it from one Kilo release to another =]14:00
*** tonytan4ever has joined #openstack-keystone14:01
*** josecastroleon has joined #openstack-keystone14:02
*** edtubill has joined #openstack-keystone14:04
*** phalmos has joined #openstack-keystone14:05
lbragstadeandersson there was a padding change on the tokens but that was between l and m I think?14:06
eanderssonHmm, so this is something else, as this happens from k to l, even k to k.3 I think.14:08
eanderssonIt's the traceback I posted above.14:08
*** links has quit IRC14:10
*** rderose has joined #openstack-keystone14:11
lbragstadeandersson oh - yeah that would be https://github.com/openstack/keystone/commit/bd94a41eefa4a1208f06886c598b75cab833925014:15
lbragstadeandersson looks like that went back all the way to kilo https://review.openstack.org/#/q/Ia4a4f760d67d8bbc22759c48fc800aef016b84ed14:15
eanderssonyep, that is the one I was looking at14:16
lbragstadstevemar do you know how we change docs from Juno?14:20
lbragstadstevemar or if we can?14:20
*** stingaci has joined #openstack-keystone14:22
raildolbragstad: ping, this patch https://review.openstack.org/#/c/311811/ is related to this bug https://bugs.launchpad.net/keystone/+bug/1576315, right?14:25
openstackLaunchpad bug 1576315 in OpenStack Identity (keystone) "Critically fail on startup if fernet_setup has not been run" [High,Confirmed]14:25
patchbotraildo: patch 311811 - keystone - Make keystone exit when fernet keys don't exist14:25
lbragstadraildo yep - I actually just saw that bug today14:27
lbragstadraildo I can link that bug in the commit message14:27
raildolbragstad: ++14:27
*** mylu has joined #openstack-keystone14:27
lbragstadraildo I have another patch up for getting v2 + fernet working14:27
lbragstadraildo in case you want to put some eyes on it (if you have time014:27
lbragstad)*14:27
*** BjoernT has joined #openstack-keystone14:27
raildolbragstad: so many new patches related to fernet :P14:28
raildolbragstad: sure, I'll14:28
lbragstadraildo https://review.openstack.org/#/c/311886/14:28
patchbotlbragstad: patch 311886 - keystone - Fix fernet audit ids for v2.014:28
raildolbragstad: thanks14:28
lbragstadraildo I need to fix up the tests on py3414:28
raildolbragstad: If you want,  I can take a look on it14:28
lbragstadraildo were you aware of the audit_ids issue at all?14:29
raildolbragstad: hum... not sure14:29
lbragstadno worries - just curious, I know you found a few things in the process of working on ayoung's patch14:29
ayounglbragstad, raildo I think I have just about gotten the simplified revocating check working14:30
ayoungone test failing.14:30
raildoayoung: awesome14:30
ayoungI'd like to see if that then makes the race condition go-away or at least make it easier to debug14:31
ayoungraildo, https://review.openstack.org/#/c/311652/  WIP still14:32
patchbotayoung: patch 311652 - keystone - WIP replace revoke tree with linear search14:32
ayoungnet reduction of 40 lines, too14:32
ayoungUm...so more than one test failure, though....suspect that the failure I am seeing in test_revoke is the cause of most of those...14:33
ayoungNo serialization handler registered for type 'RevokeEvent'14:34
*** iurygregory has joined #openstack-keystone14:35
*** phalmos has quit IRC14:36
*** richm has quit IRC14:37
*** rderose has quit IRC14:37
hoonetorgfor caching dogpile.cache.memcached is recommended when using keystone with apache/wsgi (not! eventlet)14:37
hoonetorgisn't it???14:37
hoonetorg(mitaka, 3 memcached servers )14:38
*** slberger has joined #openstack-keystone14:39
openstackgerrithenry-nash proposed openstack/keystone: Create V9 driver for identity backend  https://review.openstack.org/30531514:40
*** phalmos has joined #openstack-keystone14:43
*** richm has joined #openstack-keystone14:44
*** e0ne has quit IRC14:47
*** josecastroleon has quit IRC14:47
*** fawadkhaliq has joined #openstack-keystone14:51
*** Guest5666 has quit IRC14:51
*** doug-fish has joined #openstack-keystone14:52
lbragstaddstanek https://review.openstack.org/#/c/311886/14:52
patchbotlbragstad: patch 311886 - keystone - Fix fernet audit ids for v2.014:52
lbragstaddstanek and https://review.openstack.org/#/c/311811/14:53
patchbotlbragstad: patch 311811 - keystone - Make keystone exit when fernet keys don't exist14:53
dstaneklbragstad: that's a strange py34 error. does it fail like that locally?14:56
*** doug-fis_ has joined #openstack-keystone14:58
*** doug-fi__ has joined #openstack-keystone15:00
lbragstaddstanek i need to test it with py34 locally15:00
*** doug-fish has quit IRC15:01
*** doug-fis_ has quit IRC15:02
*** jaugustine has joined #openstack-keystone15:02
openstackgerritNavid Pustchi proposed openstack/python-keystoneclient: Fixing D208 PEP257 violation.  https://review.openstack.org/31178715:03
*** pauloewerton has joined #openstack-keystone15:04
*** doug-fi__ has quit IRC15:05
*** doug-fish has joined #openstack-keystone15:07
*** mylu has quit IRC15:08
*** BlackDex has joined #openstack-keystone15:08
*** BlackDex has quit IRC15:10
morganzzzeek: i am going to merge PR 49 for dogpile.cache, it's the same as PR 47, but now with my added test.15:11
morganzzzeek: (uses the PR47 commit/author)15:11
*** tesseract- has quit IRC15:12
*** dan_nguyen has joined #openstack-keystone15:15
*** links has joined #openstack-keystone15:19
*** sdake has joined #openstack-keystone15:23
*** pushkaru has joined #openstack-keystone15:25
*** sdake_ has joined #openstack-keystone15:26
*** belmoreira has quit IRC15:26
*** tonytan_brb has joined #openstack-keystone15:27
stevemarmorgan: the ops in the room thought the fernet+uuid modified token was not cool15:28
stevemarlbragstad: you mean dev docs from juno?15:28
*** sdake has quit IRC15:28
*** vgridnev has joined #openstack-keystone15:29
morganstevemar: ookay15:29
morganstevemar: will just kill it15:30
morganstevemar: dead15:30
*** tonytan4ever has quit IRC15:31
stevemarmorgan: ty sir15:31
*** julim has quit IRC15:32
*** julim has joined #openstack-keystone15:33
*** timcline has joined #openstack-keystone15:35
dstaneklbragstad: sounds good15:35
*** mou has quit IRC15:35
hoonetorgdstanek: the [memcache] section in keystone conf is only required if memcached is used for persistence (which you didn't recommend)15:38
hoonetorgwhere all memcached settings for [cache] dogpile.cache.memcached are done in section [cache] (memcache_servers at minimum) , right?15:40
openstackgerritMatthew Edmonds proposed openstack/keystone: Honor ldap_filter on filtered user list  https://review.openstack.org/31212615:40
*** pgbridge has joined #openstack-keystone15:40
*** mylu has joined #openstack-keystone15:41
kfox1111is there a reason validate token needs an admin account?15:43
kfox1111you already have the token to validate against.15:43
kfox1111I'm looking at how to hook in kubernetes so that the users can authenticate with a keystone token, but it requires kubernetes to have an admin cred, which seems like more power than it might need?15:44
*** mylu has quit IRC15:45
*** tonytan_brb has quit IRC15:49
*** haplo37 has joined #openstack-keystone15:49
*** stingaci has quit IRC15:50
morgankfox1111: with V2, yes15:51
morgankfox1111: because v2 is very limited15:51
*** doug-fish has quit IRC15:52
*** doug-fish has joined #openstack-keystone15:52
morgankfox1111: but with v3 you should be able to grant that to a non-admin role15:52
*** tonytan4ever has joined #openstack-keystone15:52
morgankfox1111: also keep in mind that v2 the token validate puts the token_id on the URI vs in the header15:52
*** tonytan4ever has quit IRC15:53
*** doug-fish has quit IRC15:53
*** stingaci has joined #openstack-keystone15:56
*** TxGVNN has quit IRC16:00
kfox1111nice.16:02
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/31154816:02
*** fangxu has quit IRC16:02
*** dmk0202 has quit IRC16:03
kfox1111so, if I recommend we stick to v3, then add a new role type for "validateOnly" or something, and change the policy on that one service, we should be good making service accounts that use only that role?16:03
*** stingaci has quit IRC16:03
*** phalmos has quit IRC16:04
morgankfox1111: yeah,16:04
morgankfox1111: you'll need to update the keystone policy.json too16:05
*** BjoernT has quit IRC16:05
*** doug-fish has joined #openstack-keystone16:05
*** doug-fish has quit IRC16:05
morgankfox1111: make sure the new role can do the validate16:05
*** gordc has quit IRC16:05
*** doug-fish has joined #openstack-keystone16:06
*** phalmos has joined #openstack-keystone16:06
*** doug-fish has quit IRC16:08
kfox1111I wonder how many other openstack service accounts could remove their admin bit if they had this role.16:08
*** doug-fish has joined #openstack-keystone16:08
kfox1111should I submit a patch to keystone to add the validate role to the policy file by default? I'd think many clouds would benefit.16:09
lbragstadstevemar yeah - for juno16:10
*** mylu has joined #openstack-keystone16:11
stevemarlbragstad: i don't think you can: https://github.com/openstack/keystone/tree/juno-eol16:11
stevemaryou'd have to edit the docs there16:11
lbragstadstevemar gotcha -16:11
lbragstadjust curious16:11
*** e0ne has joined #openstack-keystone16:11
lbragstadbecause we apparently say to use uuid and run pki_setup http://docs.openstack.org/juno/install-guide/install/yum/content/keystone-install.html16:11
lbragstadwhich doesn't make sense to me?16:11
*** mylu has quit IRC16:13
*** roxanaghe has joined #openstack-keystone16:15
*** mylu has joined #openstack-keystone16:16
stevemarlbragstad: ah, thats the install guide16:16
lbragstadstevemar hoonetorg was referencing it and it was causing some confusion16:17
*** mylu has quit IRC16:18
*** roxanaghe has quit IRC16:19
stevemarlbragstad: i think you may have to edit it here: https://github.com/openstack/openstack-manuals/blob/juno-eol/doc/install-guide/section_keystone-install.xml16:19
stevemarbut it's also EOL16:19
lbragstadstevemar gotcha16:21
lbragstaddstanek for running py34 tests locally - have you ever gotten this? http://cdn.pasteraw.com/d4r3ojmxd2uoj0n37i9qigv49npqmt916:21
*** fawadkhaliq has quit IRC16:22
dstaneklbragstad: you don't have the python dev libs installed so it can't compile the C extensions16:22
lbragstaddstanek ah - i'm missing python3-dev16:22
*** stingaci has joined #openstack-keystone16:25
edmondswbknudson, if you could take a look at https://review.openstack.org/#/c/307335 I would appreciate it16:26
edmondswdims as well16:27
*** gyee has joined #openstack-keystone16:27
*** ChanServ sets mode: +v gyee16:27
lbragstaddstanek looks like i can recreate that py34 failure locally16:30
dimsedmondsw : lgtm16:30
edmondswtx16:30
*** doug-fish has quit IRC16:36
edtubillstevemar: I was going to start working on PCI-DSS mentioned in https://etherpad.openstack.org/p/newton-keystone-work-session -Who is ron again?16:37
*** doug-fish has joined #openstack-keystone16:37
*** doug-fish has quit IRC16:37
lbragstaddstanek looks like that test is failing because the project.id is bytes instead of a string16:39
*** roxanaghe has joined #openstack-keystone16:43
*** gordc has joined #openstack-keystone16:46
dstaneklbragstad: not fun16:49
*** navidp has joined #openstack-keystone16:50
*** rbridgeman has joined #openstack-keystone16:52
*** doug-fish has joined #openstack-keystone16:57
*** rderose has joined #openstack-keystone16:58
openstackgerritLance Bragstad proposed openstack/keystone: Fix fernet audit ids for v2.0  https://review.openstack.org/31188616:59
lbragstaddstanek fixed - https://review.openstack.org/#/c/311886/17:00
patchbotlbragstad: patch 311886 - keystone - Fix fernet audit ids for v2.017:00
lbragstaddstanek that works for me locally and I added a comment. but i'll defer to you if you have a better way to do that17:00
*** doug-fish has quit IRC17:00
*** fangxu has joined #openstack-keystone17:00
*** tonytan4ever has joined #openstack-keystone17:01
*** jistr has quit IRC17:04
*** doug-fish has joined #openstack-keystone17:06
*** ericksonsantos has joined #openstack-keystone17:06
openstackgerritGyorgy Szombathelyi proposed openstack/keystone: Allow 'domain' property for local.group  https://review.openstack.org/31014717:08
*** mvk has quit IRC17:08
*** doug-fish has quit IRC17:12
zzzeekmorgan: thanks17:16
zzzeekmorgan: not too much time to look closely this week / next as we are moving but will try to catch up17:16
*** doug-fish has joined #openstack-keystone17:16
*** pushkaru has quit IRC17:17
*** phalmos has quit IRC17:21
*** tellesnobrega_af is now known as tellesnobrega17:21
*** roxanaghe has quit IRC17:23
*** roxanaghe has joined #openstack-keystone17:24
stevemaredtubill: ron is rderose :)17:25
stevemaredtubill: glad you can start working on it, let me or rderose know if you need help :)17:26
edtubillstevemar: thanks, I'm gonna look at dstanek's old patches and take a look around the mysql drivers in keystone.17:26
rderoseedtubill: is this for the PCI stuff?17:27
edtubillrderose: yup17:27
rderoseedtubill: cool17:27
stevemaredtubill: rderose feel free to start an etherpad that outlines some of the work17:29
rderosestevemar edtubill: will do.  I'm out today, dealing with the after-summit-sickness.17:31
rderoseI blame stevemar17:31
*** e0ne has quit IRC17:31
rderoseedtubill: go ahead and start; I'll catch up in the next day or 217:31
edtubillrderose: lol, sure17:32
*** sheel has quit IRC17:34
*** serverascode has quit IRC17:34
*** woodster_ has quit IRC17:35
*** zhiyan has quit IRC17:35
*** zhiyan has joined #openstack-keystone17:37
*** sheel has joined #openstack-keystone17:37
*** woodster_ has joined #openstack-keystone17:37
*** serverascode has joined #openstack-keystone17:38
bknudsonedmondsw: the commit message says it adds babel but it doesn't.17:39
*** tonytan4ever has quit IRC17:39
*** rbridgeman has quit IRC17:41
ayoungmorgan, need help serializing the revocation events17:42
*** sileht has quit IRC17:42
ayoungthe RevokeTree (which I will rename later) gets serialized, and needs to serialize all of the events it has inside.  And these each need to be serialized to bytes.17:42
ayoungI can use dictionaries as the basis, as the Events are created by dicts with a kwargs param and can create a dict with obj.to_dict() call17:44
*** pnavarro has quit IRC17:44
ayoungI can't just put them in a python list, as that is not "bytes"17:44
*** gagehugo has joined #openstack-keystone17:45
*** lhcheng has joined #openstack-keystone17:46
*** ChanServ sets mode: +v lhcheng17:46
*** sileht has joined #openstack-keystone17:48
stevemarrderose: i took out you, topol, jamielennox's wife, and i think knikolla17:49
stevemarbknudson: it didn't need babel17:51
raildowill we have meeting today?17:51
lbragstadanyone hitting this locally when running unittests (against py27 and py34)? http://cdn.pasteraw.com/j69h9lhyqsbikglma7fgx7hkaiqja1j17:51
stevemarbknudson: the same change is also on liberty and mitaka17:51
edmondswbknudson, yeah, stevemar removed that and I guess forgot to update the commit17:52
stevemaredmondsw: yep17:52
morganayoung: this is why i did a bit of magic in the msgpack thing17:53
morganayoung: in all seriousness don't overload list17:53
lbragstadlooks like it was added here - https://review.openstack.org/#/c/300131/17:53
patchbotlbragstad: patch 300131 - keystone - Add logging to cli if keystone.conf is not found (MERGED)17:53
morganayoung: make it something else17:53
ayoungmorgan, I was not going to overload list17:53
ayoungit needs to be bytes, so msgpack makes some sense17:53
morganayoung: wait are you serializing w/ msgpack still or with json?17:53
morganayoung: and why does it need to be bytes?17:54
ayoungmorgan, that was the error message I got17:54
morganoh17:54
ayoungI tried returning a list of the msgpacked values (yeah dumb but whatev)17:54
stevemarthere's nothing on the agenda for the meeting17:55
morganstevemar: so lets skip! :)17:55
ayoungis there a better way to serialize?  The Events should be converted to-from dicts pretty easy17:55
stevemaranyone have anything they want to discuss?17:55
stevemarmorgan: :)17:55
stevemari think the midcycle is the only thing i wanted to talk about17:55
morgani told the folks i needed an answer by tomorrow.17:55
morganon space17:55
morgan... i haven't heard anything17:55
stevemari need to get deadlines in order17:55
stevemarso i can't announce that yet17:56
lbragstadstevemar I want to get https://review.openstack.org/#/c/311886/3 in to fix the ksc functional tests17:56
patchbotlbragstad: patch 311886 - keystone - Fix fernet audit ids for v2.017:56
stevemarlbragstad: yeah, that will go in even if we don't have a meeting17:56
topolI'm requesting that hazmat suits be provided to all attendees... #typhoidsteve17:56
stevemarwe can skip this meeting17:56
stevemarno agenda topics, just immediate stuff that needs eyes (lances patch) and meds (topol)17:57
morganayoung: so, if you aren't building a strange tree object you can probably move to json17:57
morganayoung: and it'll serialize better17:58
morgan / easier17:58
ayoungok serialize to-from JSON.  And then JSON to bytes?17:58
stevemarmeeting is canceled17:59
*** pushkaru has joined #openstack-keystone17:59
*** rbridgeman has joined #openstack-keystone18:00
morganayoung: don't use msgpack18:00
morganayoung: change the request_local thing to just use json18:01
ayoungmorgan, looking...18:01
morganthe only reason we used msgpack was because the revoke tree was a very complex object18:01
samueldmqstevemar: ++18:01
* samueldmq nods18:01
jamielennoxkeystone meeting?18:03
rderose++18:03
morganjamielennox: cancelled18:03
morganjamielennox: no agenda18:03
rderosecool18:03
stevemarjamielennox: rderose canned it18:03
henrynashwe always have an agenda….just not one for the meeting18:03
*** lhcheng has quit IRC18:04
dolphmi'm sure we could come up with an agenda real quick18:04
*** markvoelker has quit IRC18:04
dstanekyay!18:04
dolphmmy summit notes, if anyone is interested http://dolphm.com/openstack-newton-design-summit-outcomes-for-keystone/18:04
jamielennoxalright back to bed then18:04
stevemardolphm: nice!18:05
jamielennoxoh - dolphm, stevemar18:05
jamielennoxi watched the keystone panel18:05
dolphmjamielennox o/18:05
stevemardolphm: i need to do one too18:05
stevemarjamielennox: uh oh18:05
jamielennoxmy sub-users/credential thing nailed that case18:05
*** markvoelker has joined #openstack-keystone18:05
dolphmjamielennox: what was the question?18:05
stevemarjamielennox: which case?18:05
*** BlackDex has joined #openstack-keystone18:05
dstaneki was surprised that there were no hard questions for the panel. almost like you guys set up a bunch of softballs :-P18:05
*** frontrunner has quit IRC18:05
dolphmjamielennox: instance users?18:06
jamielennoxumm, a way to set up a user with less roles that you could give off to other services18:06
jamielennoxbut then expand that for like 5 minutes18:06
dolphmdstanek: the questions brad has were relatively soft, but catered to different panel members. a couple of them came up as organic questions anyway18:06
jamielennoxalso - AFAICT you can add/remove/modify shibboleth IDPs without restarting keystone18:07
dolphmjamielennox: and it's not oauth delegation which we already support? :P18:07
jamielennoxshibd runs as a separate process and configuration to apache which can be reloaded independently18:07
*** markvoelker_ has joined #openstack-keystone18:07
dolphmjamielennox: .. you can swap certs and everything?18:07
*** markvoelker has quit IRC18:08
jamielennoxdolphm: almost :) i sent a few people from magnum or something looking at oauth because they were trying to replicate heat's setup18:08
jamielennoxhaven't looked again myself18:08
stevemardolphm: your blog overlaps so much with what i want to write -_-18:08
dolphmjamielennox: cool, i'm hoping that API gets some use this cycle. it seems to solve a bunch of problems that people are looking for18:08
dstanekjamielennox: dolphm: i can give it a try and see, but from what i'm told you can't18:08
dolphmstevemar: that just means we talked a lot :P18:09
dolphmstevemar: i also want to watch & recap a few of the main conference sessions that i missed, but i'll do that over the next couple weeks18:09
stevemarcopy/paste and remove osic and fernet talk18:09
stevemardolphm: yeah, i wanted to write up a "my top summit presentations"18:09
dolphmdstanek: i've never tried it myself, but that's how marek did it18:09
jamielennoxdstanek: it's been a while since i tried, but i'm sure i was able to add a provider then restart only shibd18:09
dolphmjamielennox: so, at least federation stops working for a moment?18:10
stevemardolphm: maybe i'll recap the work sessions and fishbowls instead, and outline goals for newton18:10
dolphmjamielennox: if so, that's not terrible, but it still doesn't allow domain admins to manage their own federations18:10
dolphmstevemar: i'm sure you can disagree or add to some of the things i wrote about as well18:11
openstackgerritNavid Pustchi proposed openstack/python-keystoneclient: Fixing D204, D205, and D207 PEP257 violation.  https://review.openstack.org/31219218:11
jamielennoxdolphm: so there is an automatic reload if you touch the config file, but there are some things excluded from that and so depending on how apache buffers you'd probably get a temporary federation outage18:12
jamielennoxbut yea - it doesn't support the domain admin case18:12
dolphmjamielennox: that was the original goal, but we catered to operators first and foremost since our domain admin story was weak anyway. it's much more well defined today!18:12
dolphmjamielennox: that'd be good to document! i swear we have the opposite documented somewhere -- i.e. bounce everything if you add an IdP to shib, etc18:13
jamielennoxdolphm: it's been a while since i set it up, but i assume i'll have to again soon and will make sure to doc it18:14
*** lhcheng has joined #openstack-keystone18:15
*** ChanServ sets mode: +v lhcheng18:15
*** tonytan4ever has joined #openstack-keystone18:19
*** lhcheng has quit IRC18:23
stevemardolphm: yeah, for sure :)18:24
*** vgridnev has quit IRC18:25
*** edmondsw has quit IRC18:32
ayoungmorgan, think we were double caching events18:37
morganayoung: uhm. we *are* double caching a lot of things.18:38
ayoungmorgan, going to kill one layer of cacher here18:38
morgando not.18:38
morganwait which layer?18:38
ayoungmorgan, the sql queries from the backend are already cached18:38
ayoungso no need to cache the tree, as that is now just a list18:39
morganayoung: if you're touching the request_local layer thing, don't18:39
ayoungmorgan, Oh yes I will! And you can't stop me....18:39
ayoungheh18:39
morganayoung: you have a spare @memoize somewhere?18:39
ayoungmorgan, nah, I just mean that I can drop caching the tree, and hold on to the events from the sql layer18:39
ayoungI was getting circular references.18:39
morganayoung: fix the circular references18:40
morgancache the tree, cache higher up in the business logic where possible.18:40
ayoungmorgan, nah, no reason to18:40
ayoungthe logic is much simpler now18:40
ayoungmorgan, let me get the tests to pass, and you can take a look18:40
ayoungand I think I am there now....18:41
*** fangxu has quit IRC18:41
*** d34dh0r53 is now known as m1r4nt15_b0y18:42
ayoungmorgan, the new logic is an iteration through the events.  The events are an ordered list returned by sql, and cached by the dogtag layer.  The tree is no longer built.  I think I can even remove the RevokeTree as an abstraction18:42
morganayoung: ok cool then cache the list_events() call18:43
morganand if revoketree goes away18:43
morganrequest_local cache can move to .json18:44
morganwhich is way faster than msgpack18:44
ayoungyeah, this should be good18:44
*** phalmos has joined #openstack-keystone18:46
morganayoung: and using json to serialize will mean it also prevents the complex data structure like the revoke tree again18:46
ayoungmorgan, I wish I had done this before tackling the "remove spurious revocation events" patch.  It's going to be so much simpler18:48
ayoungOK, tests pass now18:49
morganayoung: i actually tried to say you should have done it this order then ;)18:49
morganayoung: glad it's working out though18:49
ayoungmorgan, yeah, I didn't realize how easy it would be to pull the code out of the revoke_test, thought I was going to be reimplementing it18:49
stevemarhow are folks feeling about newton-1 milestone as the spec freeze deadline?18:49
ayoungstevemar, what is that June 1?18:50
morganstevemar: i vote the week after18:50
morganstevemar: tbh18:50
ayounghttp://releases.openstack.org/newton/schedule.html18:50
*** roxanaghe has quit IRC18:50
morganstevemar: since our midcycle will be post M2 this time around18:50
stevemartrue18:51
ayoungwhat are we saying is the norm now?  Spec freeze M1, Feature Freeze M2?18:51
stevemarayoung: feature *proposal* freeze is M218:51
stevemarmeaning - get your code up in a patch that is passing jenkins and not WIP!18:52
ayoungWhat is the diff between  feature *proposals* and specs?18:52
ayoungAh18:52
ayoungOK18:52
*** roxanaghe has joined #openstack-keystone18:52
ayoungSo...lets stick with that, and then be forgiving on spec freeze extensions this time around?18:52
ayoungLike, M1 is spec proposal freeze, and it has to be close.18:53
stevemari don't think we have too many specs proposed this time around18:54
ayoungSo, spec proposal freeze at Newton 1, feature proposal at Newton 2.  If a spec is not approved by Newton 2, the feature gets rejected.18:56
openstackgerritNavid Pustchi proposed openstack/python-keystoneclient: Fixing D202 and D203 PEP257 violation.  https://review.openstack.org/31220718:56
stevemarayoung: i can dig it18:56
*** yolanda has quit IRC18:56
stevemari'll whip up an email and blast it to ML18:56
ayoungstevemar, I think add in there a guideline to be actively reviewing specs.  Don't come in at the last second and -2 something that has been under active development, and the spec is just going back for spelling editing18:57
*** fangxu has joined #openstack-keystone18:57
*** links has quit IRC18:58
*** doug-fis_ has joined #openstack-keystone18:58
gyeestevemar, if we are not doing anything with MFA/TOTP, I'll abandon my client side patches, please let me know18:59
gyeeayoung, where I can find more doc on certmonger plugin?18:59
stevemargyee: the TOTP auth plugin should still land18:59
ayounggyee, ask me that again in #freeipa18:59
gyeestevemar, k, I'll make sure they are up-to-date18:59
*** clenimar has joined #openstack-keystone18:59
ayounggyee, ah one sec18:59
*** doug-fi__ has joined #openstack-keystone19:00
gyeeayoung, http://www.freeipa.org/page/Certmonger, that the latest?19:00
knikollawhere’s the url which details the dates for the various milestones?19:00
openstackgerritLance Bragstad proposed openstack/keystone: Make keystone exit when fernet keys don't exist  https://review.openstack.org/31181119:00
ayounggyee, there are more docs...hold on19:00
stevemarknikolla: http://releases.openstack.org/newton/schedule.html19:01
dstanekgyee: is there docs on how to do the tokenless auth?19:01
stevemarayoung: i'm going to move the spec deadline a bit earlier, just so we are not swamped that one week19:01
ayoungWFM19:02
gyeedstanek, yes, https://github.com/openstack/keystone/blob/master/doc/source/configure_tokenless_x509.rst19:02
openstackgerritNavid Pustchi proposed openstack/python-keystoneclient: Fixing D200 PEP257 violation.  https://review.openstack.org/31220819:02
*** doug-fish has quit IRC19:02
gyeedstanek, I have a script to generate self-signed PKI, let me know if you want it19:03
dstanekgyee: sure, thanks!19:03
knikollastevemar: thanks!19:03
gyeeayoung, looking at Anchor doc, I think we may have a bootstrapping problem19:03
ayounggyee, https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/helpers.txt19:03
ayounggyee, also:19:03
*** doug-fis_ has quit IRC19:03
gyeeAnchor can auth via keystone19:03
dstanekany few minutes i can save here and there helps.19:04
gyeewe can start with static accounts19:04
ayoungthere is a python example in the IPA directory19:04
*** julim has quit IRC19:04
*** doug-fi__ has quit IRC19:04
gyeeayoung, k, let me setup Anchor and certmonger locally to see it works19:04
gyeeif not, I'll give Dogtag a go19:04
ayounggyee, let me find alee, as he wrote a helper not long ago19:05
gyeeayoung, helper can be in Python right?19:05
ayounggyee, yes19:06
ayounggyee, I started to write one that was straight bash19:06
ayounglet me see...19:06
gyeecool!19:06
*** nalind has joined #openstack-keystone19:06
nalindayoung: hey, you rang?19:06
*** alee has joined #openstack-keystone19:06
ayounggyee, nalind was one of the certmonger devs for a while19:06
ayounghe knows it better than I do19:06
gyeehi nalind!19:06
nalindhi gyee! what's up?19:07
gyeeI am trying to do some homework on certmonger and Anchor19:07
aleegyee, fun stuff !19:07
gyeeAnchor is all rest API19:07
aleegyee, you trying to write an anchor certmonger plugin?19:07
gyeealee, yes19:07
aleecool beans19:07
*** julim has joined #openstack-keystone19:07
gyeeshould be straight forward once I figure out the administrative stuff19:08
gyees/administrative/boilerplate/19:08
ayoungthere was an ipa helper in python19:08
ayoungI'm trying to find it now nalind19:08
aleegyee, nalind is your guy.  although I'll be super curious to see what you come up with.19:09
gyeek, will ping you guys if I run into anything, off to hacking land now19:09
nalindayoung: i probably pointed you at https://git.fedorahosted.org/cgit/freeipa.git/tree/install/certmonger/dogtag-ipa-ca-renew-agent-submit, right?19:09
ayoungnalind, that was it19:10
ayounggyee, I would start with ^^19:10
ayoungthat does the calls got dogtag, so you want to do essentially the same thing.19:10
ayoungI should use that for my "chained selfsigned" helper, too19:11
ayounggyee, BTW, you can use the session approach, too.19:11
gyeeis ipautil using request underneath?19:12
gyeemaybe I can just do a replacement there19:13
ayounggyee, nah19:13
ayounggyee, its JSON RPC I think19:13
ayoungused to be XML RPC19:13
ayoungBut I think its all JSON RPC now19:13
ayounggyee, just get the original request part working:19:14
ayoungrequest_cert():19:14
gyeeyeah, should be OK19:14
*** navidp has quit IRC19:14
ayoungyou can skip all the ldap stuff19:14
ayoungI should make a toy helper in python that does the selfsigned19:15
gyeeright19:15
gyeeI need to go offline for a few. will update you guys tomorrow19:16
*** gyee has quit IRC19:17
*** csoukup has quit IRC19:17
ayoungnalind, does the certmonger helper have to store the cert, or is that just a vestige of what Jan was using that code to do, to store the cert in LDAP?19:23
ayoungI thought the NSS/OpenSSL storage code was part of certmonger, not the helper19:24
nalindayoung: the daemon normally handles storing keys and certs, and only wants the helper to help it get signing requests to the CA and reading back the results19:25
nalindthe one in ipa is taking advantage of that to, on replicas, instead retrieve from the directory server a copy of a cert that might have been issued to the primary, and uploaded to the directory server from there19:26
nalindwow, that sentence could have been clearer19:26
ayoungnalind, We've been pushing people to write certmonger helpers, but C is not the language of choice for most people.  I think I Need to write a clear, simple example in Python19:27
nalindyeah, i wouldn't expect people to enjoy writing them in C19:28
*** roxanaghe has quit IRC19:28
*** amrith has joined #openstack-keystone19:29
*** ericksonsantos has quit IRC19:39
*** BjoernT has joined #openstack-keystone19:39
ayoungnalind, I tried to do one in shell:19:40
ayounghttps://adam.younglogic.com/2016/04/remote-certmongers-local/19:40
*** trey has quit IRC19:42
*** gordc has quit IRC19:42
*** jrist has quit IRC19:42
*** david-lyle has quit IRC19:42
*** rvba has quit IRC19:42
*** kfox1111 has quit IRC19:42
*** fangxu has quit IRC19:42
*** henrynash has quit IRC19:42
*** eandersson has quit IRC19:42
*** d0ugal has quit IRC19:42
*** xek__ has quit IRC19:42
*** nkinder has quit IRC19:42
*** fungi has quit IRC19:42
*** crinkle has quit IRC19:42
*** rdo has quit IRC19:42
*** kevinbenton has quit IRC19:42
*** hugokuo has quit IRC19:42
*** jgriffith has quit IRC19:42
*** dobson has quit IRC19:42
*** andreaf has quit IRC19:42
nalindayoung: communicating more of the environment variables that the daemon sets for your helper across to the remote invocation would help19:43
ayoungnalind, yeah...ssh makes that difficult to do without writing a wrapper on the remote side19:45
nalindayoung: agreed19:45
ayoungwas trying to avoid that, or setting up the19:45
ayoungssh config to accept all from the remote side19:45
ayoungI might start with a selfsigned one in python19:46
*** ericksonsantos has joined #openstack-keystone19:47
*** yolanda has joined #openstack-keystone19:47
*** dmk0202 has joined #openstack-keystone19:51
*** david-lyle has joined #openstack-keystone19:51
*** fangxu has joined #openstack-keystone19:51
*** henrynash has joined #openstack-keystone19:51
*** eandersson has joined #openstack-keystone19:51
*** d0ugal has joined #openstack-keystone19:51
*** xek__ has joined #openstack-keystone19:51
*** nkinder has joined #openstack-keystone19:51
*** fungi has joined #openstack-keystone19:51
*** crinkle has joined #openstack-keystone19:51
*** rdo has joined #openstack-keystone19:51
*** hugokuo has joined #openstack-keystone19:51
*** kevinbenton has joined #openstack-keystone19:51
*** jgriffith has joined #openstack-keystone19:51
*** dobson has joined #openstack-keystone19:51
*** andreaf has joined #openstack-keystone19:51
*** wilhelm.freenode.net sets mode: +v henrynash19:51
*** fedruantine has quit IRC19:51
*** gordc has joined #openstack-keystone19:51
*** jrist has joined #openstack-keystone19:51
*** rvba has joined #openstack-keystone19:51
*** kfox1111 has joined #openstack-keystone19:51
*** trey has joined #openstack-keystone19:56
*** yolanda has quit IRC19:56
*** fangxu has quit IRC19:57
bknudsonI wonder if this will work : https://review.openstack.org/#/c/312230/ (keystone doesn't listen on :5000 and :35357 anymore)20:07
patchbotbknudson: patch 312230 - openstack-dev/devstack - Keystone httpd stop listening on ports20:07
*** csoukup has joined #openstack-keystone20:07
*** doug-fish has joined #openstack-keystone20:08
*** doug-fish has quit IRC20:08
bigjoolsWe don't seem to have foreign key constraints turned on in unit tests, is this deliberate?20:10
*** amrith is now known as _amrith_20:12
bknudsonbigjools: I don't think sqlite supports fk constraints20:13
bigjoolssqlite 3 does20:13
*** mhickey has quit IRC20:13
bigjoolseither way it seems odd we'd rely on different DB behaviour in unit tests20:14
bknudsonwe're not going to start up mysql or postgresql for unit tests.20:14
bknudsonthe unit tests would take hours to run20:14
bigjoolsdo you want them to be right, or quick? :)20:15
bknudsonit's a balance20:15
stevemarbknudson: oh man, i don't see https://review.openstack.org/#/c/312230/ passing at all :)20:16
patchbotstevemar: patch 312230 - openstack-dev/devstack - Keystone httpd stop listening on ports20:16
bknudsonstevemar: sure, but what if it does?20:16
bigjoolsso are people not all using sqlite3? FK constraints could be turned on there.20:16
bknudsonbigjools: we're probably all using sqlite3 now.20:17
bigjoolsok - would you take a patch to turn it on then?20:17
stevemarbknudson: it'll be a20:17
bknudsonbigjools: yes, if you propose a patch to turn it on and it passes I don't think anyone will complain20:17
bigjoolsbknudson: cool, thank you.20:17
stevemarbknudson: it'll be interesting, it's a yuuuge change, lots of auth_url's will need to be updated20:17
bknudsonstevemar: are you trying to put a picture in there? that only works in slack.20:18
stevemarbknudson: nah, accidentally hit enter20:18
knikollais that what we want in the future? keystone listening on :80 only?20:19
*** chrisplo has joined #openstack-keystone20:19
stevemarknikolla: yep, with proper subroutes20:20
stevemarso... :80/identity :80/compute20:20
stevemaretc20:20
knikollastevemar: that’s totally not going to be as hard as getting anyone on v320:20
knikollaeveryone*20:21
bknudsonI think s3token is going to be a problem, swift is configuring it with port / host20:24
bknudsonno path20:24
dstanekbknudson: bigjools: i have a patch to turn on FK constraints for sqlite, but it only had a luke warm reception20:25
bknudsonwe're luke-warm in general20:26
dstanekif it's still interesting i can rebase and try to get it through again20:26
dstanekbknudson: more like semi-cold20:26
bknudsonice cold20:27
-openstackstatus- NOTICE: restarting apache on review.openstack.org to pick up security patches. Gerrit web ui may disappear for a short time.20:27
bigjoolsdstanek: it seems like a major oversight to me20:31
*** e0ne has joined #openstack-keystone20:34
*** roxanaghe has joined #openstack-keystone20:34
dstanekbigjools: depends on your view. i actually don't like that we use a DB in unit tests at all, but that ship has sailed20:34
bigjoolshow would you avoid it? besides mocking everything, which is pretty nasty20:35
dstaneka different design and some strategic mocking would work wonders20:36
dstaneki wish i had the time to start proposing more test/design patches20:37
*** timcline_ has joined #openstack-keystone20:41
*** timcline has quit IRC20:41
*** doug-fish has joined #openstack-keystone20:42
*** bigjools has quit IRC20:43
openstackgerritNavid Pustchi proposed openstack/keystone: Fixing D105, D203, and D205 PEP257  https://review.openstack.org/30949120:44
*** navidp has joined #openstack-keystone20:44
*** bigjools has joined #openstack-keystone20:45
navidpsimple patch to review !!! https://review.openstack.org/#/c/309491/'20:45
patchbotnavidp: patch 309491 - keystone - Fixing D105, D203, and D205 PEP25720:45
*** doug-fish has quit IRC20:46
*** gyee has joined #openstack-keystone20:47
*** ChanServ sets mode: +v gyee20:47
*** vgridnev has joined #openstack-keystone20:50
*** jaugustine has quit IRC20:53
*** doug-fish has joined #openstack-keystone21:07
*** doug-fis_ has joined #openstack-keystone21:08
*** mylu has joined #openstack-keystone21:09
*** doug-fi__ has joined #openstack-keystone21:09
openstackgerritayoung proposed openstack/keystone: Replace revoke tree with linear search  https://review.openstack.org/31165221:09
*** mvk has joined #openstack-keystone21:09
*** mylu has quit IRC21:10
*** doug-fish has quit IRC21:11
openstackgerritClenimar Filemon proposed openstack/keystoneauth: Add is_domain to keystoneauth token  https://review.openstack.org/28237721:11
*** doug-fis_ has quit IRC21:13
*** e0ne has quit IRC21:13
*** mylu has joined #openstack-keystone21:15
*** raildo is now known as raildo-afk21:15
*** vgridnev has quit IRC21:17
*** fangxu has joined #openstack-keystone21:19
*** gagehugo has quit IRC21:20
*** tonytan4ever has quit IRC21:21
*** haplo37 has quit IRC21:21
*** roxanaghe has quit IRC21:23
*** spzala has quit IRC21:24
*** pauloewerton has quit IRC21:28
*** jsavak has joined #openstack-keystone21:30
*** julim has quit IRC21:30
*** sdake_ is now known as sdake21:33
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: s3token config with auth URI  https://review.openstack.org/31226021:33
*** e0ne has joined #openstack-keystone21:34
*** fedruantine has joined #openstack-keystone21:36
bknudsonstevemar: that devstack patch failed spectacularly.21:37
bknudsonlooks like tempest issues as per usual.21:37
*** e0ne has quit IRC21:38
*** spzala has joined #openstack-keystone21:45
*** spzala has quit IRC21:45
*** henrynash has quit IRC21:48
openstackgerritBrant Knudson proposed openstack/keystone: Make all fixture project_ids into uuids  https://review.openstack.org/30668121:51
*** mylu has quit IRC22:04
*** doug-fi__ has quit IRC22:04
*** mylu has joined #openstack-keystone22:05
*** slberger has left #openstack-keystone22:06
*** csoukup has quit IRC22:08
*** navidp has quit IRC22:08
*** mylu has quit IRC22:09
*** sigmavirus24 is now known as sigmavirus24_awa22:10
*** tlbr has joined #openstack-keystone22:12
*** mylu has joined #openstack-keystone22:12
*** jsavak has quit IRC22:19
*** jsavak has joined #openstack-keystone22:20
*** nalind has quit IRC22:20
*** phalmos has quit IRC22:25
*** alee has quit IRC22:36
*** pushkaru has quit IRC22:38
*** mylu has quit IRC22:38
*** krotscheck is now known as krotscheck_dcm22:44
*** rbridgeman has quit IRC22:45
*** ametts has quit IRC22:45
*** mylu has joined #openstack-keystone22:46
*** mylu has quit IRC22:47
*** _amrith_ is now known as amrith22:49
*** timcline_ has quit IRC22:50
*** edtubill has quit IRC22:50
*** dmk0202 has quit IRC22:54
*** sdake has quit IRC22:55
*** sdake has joined #openstack-keystone22:55
*** stingaci has quit IRC23:02
*** roxanaghe has joined #openstack-keystone23:07
*** pgbridge has quit IRC23:10
*** gordc has quit IRC23:11
*** jsavak has quit IRC23:12
gyeebknudson, topol, not sure if you guys try it lately, but ldap option with devstack doesn't appear to work23:13
gyeeenable_service ldap23:13
gyeeKEYSTONE_IDENTITY_BACKEND=ldap23:13
*** pushkaru has joined #openstack-keystone23:15
*** markvoelker_ has quit IRC23:16
*** rbridgeman has joined #openstack-keystone23:20
*** alee has joined #openstack-keystone23:23
*** BjoernT has quit IRC23:24
bknudsongyee: works for me.23:37
openstackgerritLance Bragstad proposed openstack/keystone: Fix fernet audit ids for v2.0  https://review.openstack.org/31188623:38
lbragstadbknudson fixed ^23:38
lbragstadwe should be able to merge that once ayoung's patch lands23:38
bknudsonok, thanks23:39
*** pushkaru has quit IRC23:39
gyeebknudson, I think I have proxy issue, looking into it now23:39
*** pushkaru has joined #openstack-keystone23:40
bknudsonI don't have a proxy so don't have any advice.23:40
*** pumarani__ has joined #openstack-keystone23:44
*** pushkaru has quit IRC23:44
*** rbridgeman has quit IRC23:45
hoonetorghttps://bugs.launchpad.net/keystone/+bug/1516946/comments/1023:53
openstackLaunchpad bug 1516946 in puppet-keystone "keystone WSGI fail: ArgsAlreadyParsedError: arguments already parsed: cannot register CLI option" [Undecided,Invalid]23:53
hoonetorgwhere are these actual wsgi scripts???23:53
hoonetorgi'm using the ones packaged with centos-cloud-openstack-mitaka23:54
bknudsonhoonetorg: when you install keystone pbr generates wsgi scripts in bin23:54
hoonetorgand get ArgsAlreadyParsedError: arguments already parsed: cannot register CLI option23:54
bknudsonI don't know what centos does23:54
hoonetorgbknudson: how to create???23:55
bknudsoncreate a virtualenv, then pip install -e /path/to/keystone23:55
bknudsonI have no idea how centos would expect you to do it... probably best to ask on a centos channel?23:56
*** pumarani__ has quit IRC23:57
