Wednesday, 2016-05-11

*** pumarani__ has quit IRC [00:00]
morgan: bknudson: are we running bandit on keystoneauth because i noticed patch 311133 set a mutable default argument [00:00]
patchbot: morgan: https://review.openstack.org/#/c/311133/ - keystoneauth - Use betamax hooks to mask fixture results [00:00]
ayoung: jamielennox, erm, maybe language to that effect.  I was setting up Keycloak using that, but the older commits should still be working [00:00]
jamielennox: ayoung: yea, i was just browsing to see if i could remember how to pull it apart because i don't need packstack just ipa, ipsilon and keystone [00:01]
ayoung: jamielennox, I really want to think about moving the kerberos enable to the session and then use a generic federation auth plugin [00:01]
jamielennox: i don't want to figure out keycloak [00:01]
ayoung: keycloak is...meh. [00:01]
jamielennox: ayoung: i don't know how we indicate that from CLI without overloading the session params [00:01]
ayoung: john is still working on the installer.  It's a clone of the ipsilon one [00:02]
jamielennox: i agree i would like to deprecate the straight kerberos plugin [00:02]
*** julim has joined #openstack-keystone [00:02]
jamielennox: https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/extras/kerberos.py#L51-L67 [00:02]
jamielennox: i think you should always be using the MappedKerberos one [00:02]
jamielennox: i haven't tested using kerberos as an actual token method for ages [00:03]
ayoung: jamielennox, what if it is a flag on the auth plugin that, when set, does a lazy load of python-gssapi for the associated session? [00:03]
jamielennox: ayoung: the auth plugin is in extras so requires you to have additional stuff installed anyway [00:03]
jamielennox: so it's more explicitly lazy [00:04]
jamielennox: what i would like is to revive https://review.openstack.org/#/c/255056/ and contribute the requests part up as requests-saml [00:05]
patchbot: jamielennox: patch 255056 - keystoneauth - Use SAML2 requests plugin [00:05]
jamielennox: because there is then a really simple base class which does federation but assumes the requests plugin will do all the hard work [00:05]
jamielennox: so kerberos, saml etc would all just be the base "do keystone federation with this requests plugin" [00:05]
jamielennox: but i need to get a saml provider running again for proper testing, and find some people capable of reviewing it [00:06]
*** spzala has quit IRC [00:07]
*** spandhe has quit IRC [00:07]
*** pgbridge has quit IRC [00:11]
openstackgerrit: Jamie Lennox proposed openstack/keystonemiddleware: Return default value for pkg_version if missing  https://review.openstack.org/222042 [00:15]
jamielennox: morgan: that ^ just fixed the merge conflict, can you re +A (when jenkins passes) [00:16]
morgan: jamielennox: feel free to re+a for me. [00:17]
morgan: If it was just a conflict resolve. [00:17]
morgan: jamielennox: done. [00:19]
jamielennox: morgan: i'm looking at the betamax review [00:20]
jamielennox: (and i don't know yolanda's nick) [00:20]
morgan: jamielennox: yolanda she might not be in this channel ATM. [00:21]
*** chlong_ has joined #openstack-keystone [00:22]
*** chlong_ has quit IRC [00:22]
jamielennox: i'm trying to figure out what is happening with this prerecord, i'm not a fan of the guessing at creds [00:23]
jamielennox: the find_credentials defaults are v2 terms [00:23]
morgan: Yeah. It's a little odd [00:24]
jamielennox: my feeling is we should know exactly what to add as placeholders [00:24]
jamielennox: for auth we just take out everything in the auth blocks [00:24]
jamielennox: so methods:['password'] remain, but the 'password' section goes entirely [00:25]
jamielennox: safer than guessing for plugins [00:25]
jamielennox: but taking out like project name etc seems dodgy to me, shouldn't you want to keep that? [00:26]
jamielennox: it's going to affect how all subsequent requests are handled [00:26]
*** chlong_ has joined #openstack-keystone [00:27]
*** chlong_ has quit IRC [00:28]
jamielennox: oh, well, commented - just i'm not sure where it's going [00:30]
jamielennox: ayoung or stevemar: can you add https://review.openstack.org/#/c/268662/ to your review list for today? will let me move onto the next bit which is always in merge conflict [00:32]
patchbot: jamielennox: patch 268662 - keystonemiddleware - Handle cache invalidate outside cache object [00:32]
*** stingaci has quit IRC [00:37]
*** lhcheng has quit IRC [00:49]
*** Ephur has joined #openstack-keystone [00:53]
*** Ephur has joined #openstack-keystone [00:53]
*** Ephur has quit IRC [00:54]
*** ozialien10 has quit IRC [00:59]
openstackgerrit: Merged openstack/keystoneauth: Refactor variables for fixture and service  https://review.openstack.org/311216 [00:59]
*** crinkle has joined #openstack-keystone [01:03]
*** spzala has joined #openstack-keystone [01:08]
*** lhcheng has joined #openstack-keystone [01:08]
*** ChanServ sets mode: +v lhcheng [01:08]
openstackgerrit: Merged openstack/keystonemiddleware: s3token config with auth URI  https://review.openstack.org/312260 [01:09]
*** tqtran has quit IRC [01:12]
*** spzala has quit IRC [01:13]
*** Raildo_ has quit IRC [01:14]
*** EinstCrazy has joined #openstack-keystone [01:18]
*** edtubill has joined #openstack-keystone [01:26]
ayoung: jamielennox, looks fine, but I don't understand the need for it. [01:27]
ayoung: Is it roughly that you are making things more like oslo.cache? [01:27]
jamielennox: ayoung: it mimics the oslo.cache interface so we can swap that in later [01:27]
ayoung: jamielennox, and that includes having the invalidation external? [01:28]
jamielennox: ayoung: yea, auth_token's cache was always too opinionated. it told you things like tokeninvalid rather than just being a set/get layer [01:28]
jamielennox: like most other caches [01:28]
ayoung: jamielennox, looks good, +2a [01:29]
jamielennox: ayoung: making that cache a pure get/set layer makes it easier to do the follow on oslo.cache change [01:29]
* jamielennox is getting heaps of +A today [01:29]
ayoung: jamielennox, I was just noticing that. [01:31]
jamielennox: and they seem to be things that have been open for months [01:31]
ayoung: jamielennox, this is just moving from client to ksa right https://review.openstack.org/#/c/314401/2 [01:33]
patchbot: ayoung: patch 314401 - keystoneauth - Add oauth plugin to keystoneauth [01:33]
jamielennox: ayoung: yea, the base of that was supported in ksc though there was no loading section there [01:33]
jamielennox: ayoung: there's a test script there if you want to play with it [01:34]
ayoung: jamielennox, no desire whatsoever [01:34]
jamielennox: lol, yep [01:34]
ayoung: it makes sense, and if it is not new code, I'm ok with it moving over [01:34]
ayoung: we won't really know if it is broken until someone deploys it in anger, which really means it needs tempest tests [01:35]
jamielennox: there was discussion at summit from dolphm and others how oauth should be used to do self delegation with lesser roles [01:35]
ayoung: or something [01:35]
jamielennox: based on https://gist.github.com/jamielennox/013bbc9e32cfc886fd7b211d191a8909#file-create-oauth-py i'm not sure it's a good fit [01:35]
ayoung: jamielennox, https://review.openstack.org/#/c/314409/  should probably have reused my change id [01:35]
patchbot: ayoung: patch 314409 - keystoneauth - Expose is_admin_project in AccessInfo [01:35]
jamielennox: ayoung: right, if it didn't transfer properly then someone will file a bug which is better than having no implementation at all [01:35]
stevemar: jamielennox: why the sudden use of oauth these days? :) [01:36]
jamielennox: ayoung: which change-id? i didn't know of another implementation [01:36]
ayoung: https://review.openstack.org/#/c/295870/ [01:36]
patchbot: ayoung: patch 295870 - oslo.context - Add is_admin_project check [01:36]
jamielennox: stevemar: because my sub-credential idea was shut down because of it [01:36]
ayoung: ah, different one [01:36]
ayoung: that is ksa [01:36]
ayoung: jamielennox, you have one for context too, though [01:36]
jamielennox: and i might have mentioned to murano (or someone) that they existed and could be used instead of trusts for long running auth [01:37]
*** raddaoui has quit IRC [01:37]
stevemar: jamielennox: makes sense [01:37]
*** lhcheng has quit IRC [01:37]
stevemar: jamielennox: i was thinking something at ibm needed it *shrugs* [01:37]
jamielennox: stevemar: no, but i do need to do some more learning on oidc [01:38]
jamielennox: ayoung: oh - that's going to be needed and can probably go in as is, but i would like to have the corresponding X_IS_ADMIN_PROJECT bit in from_environ which requires auth_token which requires keystoneauth [01:39]
ayoung: jamielennox, I thought context was what was passed to policy [01:39]
stevemar: jamielennox: learning oauth1 won't help with oidc :P [01:39]
ayoung: so we need changes in everything [01:39]
jamielennox: stevemar: yea, that was me going through ksa bugs and seeing it removed from docs [01:39]
jamielennox: ayoung: :) [01:39]
jamielennox: ayoung: i think i can fudge the auth_token one so we don't have to wait for a ksa version bump [01:40]
jamielennox: possibly the oslo.context one as well [01:40]
ayoung: jamielennox, does not really matter.  let's get all the changes to land, then we can start tackling policies [01:40]
stevemar: man, how am i behind on so many reviews! [01:40]
jamielennox: i'm guessing it'd be kwargs.setdefault('X_IS_ADMIN_PROJECT', True) in from_environ [01:40]
jamielennox: but i'd at least like to get the X_IS_ADMIN_PROJECT bit committed in auth_token in case someone tries to change the name [01:41]
jamielennox: stevemar: also you and i are still not friends for this f*g cold that will not die [01:42]
*** haplo37 has joined #openstack-keystone [01:44]
morgan: jamielennox: so I made the right choice not hanging out in keystone ;) [01:44]
morgan: jamielennox: infra saved me the Martinelli plague. [01:44]
*** agrebennikov has quit IRC [01:44]
*** pdardeau has left #openstack-keystone [01:45]
*** edtubill has quit IRC [01:45]
jamielennox: morgan: gah, seriously, that thing should go on the border protection watchlist [01:45]
jamielennox: morgan: want to handle https://review.openstack.org/#/c/314409/ - then i can do the auth_token bit [01:46]
patchbot: jamielennox: patch 314409 - keystoneauth - Expose is_admin_project in AccessInfo [01:46]
stevemar: jamielennox: LOL! [01:47]
stevemar: jamielennox: i think topol is just getting over the 'martinellifluenza' [01:48]
stevemar: i kept telling you guys that *i* don't get sick easy, and if something takes *me* out, it's bad times [01:48]
jamielennox: stevemar: i don't get sick easily either, i actually think i managed to carry it, give it to jayne, then that prolonged exposure got me - but that still makes it your fault [01:51]
*** haplo37 has quit IRC [01:55]
*** haplo37 has joined #openstack-keystone [01:56]
*** spzala has joined #openstack-keystone [01:57]
*** phalmos has joined #openstack-keystone [02:02]
*** TxGVNN has joined #openstack-keystone [02:02]
openstackgerrit: Ryosuke Mizuno proposed openstack/keystone: Disable user lists without a filter  https://review.openstack.org/314829 [02:02]
*** phalmos has quit IRC [02:07]
jamielennox: stevemar: i think morgan's gone, can you have a look at https://review.openstack.org/#/c/314409/ i don't want to submit the auth_token patch until i know that's going through with those parameter names [02:13]
patchbot: jamielennox: patch 314409 - keystoneauth - Expose is_admin_project in AccessInfo [02:13]
morgan: Oh hi [02:13]
morgan: What's up? [02:13]
jamielennox: morgan: ksa review [02:14]
morgan: Ah [02:14]
jamielennox: morgan: generally not urgent, but it fits in the keystone -> ksa -> auth_token -> oslo.context chain [02:14]
morgan: Right. [02:14]
*** haplo37 has quit IRC [02:14]
morgan: I will review post dinner for sure. [02:14]
morgan: Chatting with thingee and cburgess over drinks ATM. [02:15]
jamielennox: morgan: oh, then really don't worry about it [02:15]
jamielennox: priorities [02:15]
morgan: Haha. Will def review tonight though. [02:15]
morgan: Kind of on a review kick today. [02:15]
*** phalmos has joined #openstack-keystone [02:16]
*** spandhe has joined #openstack-keystone [02:19]
*** gyee has quit IRC [02:20]
ayoung: jamielennox, still chewing this is_admin_project approach over.  What is your rationale that the defaulting logic should be in the ksa instead of keystone server? [02:22]
jamielennox: ayoung: well the logic is that ksa has to handle tokens that are not from a completely up to date keystone, so it has to handle the case where is_admin_project is unset anyway [02:23]
jamielennox: ayoung: so if clients are handling the default in the same way as the server then it doesn't really matter [02:24]
jamielennox: and from the other service perspective the only thing they should ever care about is what auth_token middleware tells them [02:25]
ayoung: jamielennox, so, here's my concern: the default "unset means True" is useful now, but is not a good security default.  When we want to move away from that assumption, to tighten things up, it means a change in a library code as opposed to the server defaults.  And people might be dependent on that default, and stick with old version of the library [02:26]
ayoung: it's not huge, just a sense that Keystone server should really be driving this [02:27]
jamielennox: agreed it's a bad default [02:27]
jamielennox: and i would completely agree that we at some point want to transition people to always setting an admin project [02:28]
jamielennox: but it doesn't change the fact that today ksa _must_ default to True [02:28]
lbragstad: morgan feel like doing another stable/liberty review? https://review.openstack.org/#/c/314728/1 [02:28]
patchbot: lbragstad: patch 314728 - keystone (stable/liberty) - Remove test_invalid_policy_raises_error [02:29]
jamielennox: regardless of what we want to do in future [02:29]
morgan: lbragstad: in a few. [02:29]
lbragstad: morgan thanks [02:29]
jamielennox: so it's then just that we need to deprecate keystone running without admin project defined and start putting False in the token [02:29]
jamielennox: but that would still be reflected correctly by KSA [02:30]
*** EinstCrazy has quit IRC [02:30]
*** EinstCrazy has joined #openstack-keystone [02:31]
*** fangxu has quit IRC [02:31]
*** EinstCrazy has quit IRC [02:40]
*** EinstCrazy has joined #openstack-keystone [02:48]
*** richm has quit IRC [02:52]
*** sheel has joined #openstack-keystone [02:53]
*** jorge_munoz has quit IRC [02:53]
openstackgerrit: Merged openstack/keystoneauth: Add oauth plugin to keystoneauth  https://review.openstack.org/314401 [02:54]
*** jorge_munoz has joined #openstack-keystone [02:57]
*** EinstCrazy has quit IRC [02:59]
*** EinstCrazy has joined #openstack-keystone [03:07]
*** spzala has quit IRC [03:12]
*** spzala has joined #openstack-keystone [03:12]
*** spzala has quit IRC [03:17]
*** erhudy has quit IRC [03:21]
*** links has joined #openstack-keystone [03:21]
*** EinstCra_ has joined #openstack-keystone [03:24]
*** ankur has joined #openstack-keystone [03:27]
*** EinstCrazy has quit IRC [03:28]
*** haplo37 has joined #openstack-keystone [03:34]
*** phalmos has quit IRC [03:41]
lbragstad: morgan why did we abandon this change again? https://review.openstack.org/#/c/271536/ [03:58]
patchbot: lbragstad: patch 271536 - keystone - Apply invalidation proxy to the catalog cache region (ABANDONED) [03:58]
lbragstad: morgan looks like the osa folks were waiting on that for a fix (https://github.com/openstack/openstack-ansible-os_keystone/blob/master/templates/keystone.conf.j2#L102-L108) [03:58]
lbragstad: morgan I thought I remember us addressing that shortly after the mid-cycle though [03:59]
*** pcaruana has joined #openstack-keystone [04:02]
*** edtubill has joined #openstack-keystone [04:06]
*** spzala has joined #openstack-keystone [04:13]
*** spzala has quit IRC [04:18]
morgan: lbragstad: maybe? [04:19]
morgan: lbragstad:  no. [04:20]
*** markvoelker_ has joined #openstack-keystone [04:50]
stevemar: morgan: want to punt https://review.openstack.org/#/c/314728/1 through? [04:51]
patchbot: stevemar: patch 314728 - keystone (stable/liberty) - Remove test_invalid_policy_raises_error [04:51]
morgan: Sec. [04:52]
morgan: Done [04:53]
*** rcernin has joined #openstack-keystone [04:58]
*** spzala has joined #openstack-keystone [05:02]
*** jaosorior has joined #openstack-keystone [05:04]
*** fawadkhaliq has joined #openstack-keystone [05:05]
*** spzala has quit IRC [05:07]
*** sdake has quit IRC [05:08]
*** raddaoui has joined #openstack-keystone [05:17]
*** furface has quit IRC [05:18]
*** furface has joined #openstack-keystone [05:19]
*** roxanaghe has joined #openstack-keystone [05:25]
*** roxanaghe has quit IRC [05:39]
*** roxanaghe has joined #openstack-keystone [05:48]
openstackgerrit: Ryosuke Mizuno proposed openstack/keystone: Disable user lists without a filter  https://review.openstack.org/314829 [05:51]
openstackgerrit: ChangBo Guo(gcb) proposed openstack/python-keystoneclient: Trivial: ignore openstack/common in flake8 exclude list  https://review.openstack.org/314871 [05:53]
*** edtubill has quit IRC [05:56]
*** roxanaghe has quit IRC [05:57]
*** roxanaghe has joined #openstack-keystone [05:57]
*** roxanaghe has quit IRC [06:01]
*** spandhe has quit IRC [06:03]
*** spzala has joined #openstack-keystone [06:03]
*** ankur has quit IRC [06:07]
*** spzala has quit IRC [06:09]
*** itlinux has joined #openstack-keystone [06:18]
*** david-lyle has quit IRC [06:23]
*** david-lyle has joined #openstack-keystone [06:26]
openstackgerrit: Steve Martinelli proposed openstack/python-keystoneclient: Improve docs for v3 users  https://review.openstack.org/305796 [06:28]
openstackgerrit: Steve Martinelli proposed openstack/keystone: Federation Identity Provider functional tests  https://review.openstack.org/203258 [06:33]
stevemar: morgan: punted a few others through, and set a few others to be ready-to-merge once the gate is fixed [06:35]
*** naresh_ has joined #openstack-keystone [06:38]
*** woodster_ has quit IRC [06:38]
*** naresh_ is now known as Guest77591 [06:39]
*** haplo37 has quit IRC [06:39]
*** fawadkhaliq has quit IRC [06:44]
*** fawadkhaliq has joined #openstack-keystone [06:44]
*** Guest77591 has quit IRC [06:48]
*** henrynash has joined #openstack-keystone [06:48]
*** ChanServ sets mode: +v henrynash [06:48]
*** naresht has joined #openstack-keystone [06:49]
naresht: Hi Keystoners [06:49]
naresht: I am trying to do Keystone2Keystone authentication. One Keystone acting as an Identity Provider(Ks-IdP) and  the another one acting as a Service Provider(Ks-SP) [06:50]
naresht: I am getting an error while ks-sp asking for user attributes here is the log file http://paste.openstack.org/show/496650/ [06:53]
naresht: This log file from keystone sp [06:53]
*** vgridnev has quit IRC [06:54]
*** vgridnev has joined #openstack-keystone [06:56]
naresht: ooopss ...This log file from keystone IdP here is keystone Idp http://paste.openstack.org/show/496653/ [06:57]
naresht: Anyone has experienced such kind of configuration with  Keystone/shibboleth/Apache? [06:57]
naresht: Any help will be very appreciated [06:57]
naresht: This is error from Horizon http://paste.openstack.org/show/496654/ [06:59]
*** lhcheng has joined #openstack-keystone [07:02]
*** ChanServ sets mode: +v lhcheng [07:02]
*** spzala has joined #openstack-keystone [07:04]
-openstackstatus- NOTICE: pip 8.1.2 broke our local python mirror, some jobs will fail with "No matching distribution found". We're investigating. Do not "recheck" until the issue is solved [07:06]
*** ChanServ changes topic to "pip 8.1.2 broke our local python mirror, some jobs will fail with "No matching distribution found". We're investigating. Do not "recheck" until the issue is solved" [07:06]
*** rcernin has quit IRC [07:09]
*** furface has quit IRC [07:09]
*** spzala has quit IRC [07:09]
*** rcernin has joined #openstack-keystone [07:10]
*** belmoreira has joined #openstack-keystone [07:11]
openstackgerrit: Merged openstack/keystoneauth: Expose is_admin_project in AccessInfo  https://review.openstack.org/314409 [07:13]
*** fhubik has joined #openstack-keystone [07:24]
*** daemontool_ has joined #openstack-keystone [07:26]
*** lhcheng has quit IRC [07:28]
*** markvoelker_ has quit IRC [07:30]
*** yolanda has joined #openstack-keystone [07:37]
*** chlong has quit IRC [07:49]
*** zzzeek has quit IRC [08:00]
*** zzzeek has joined #openstack-keystone [08:00]
*** fhubik has quit IRC [08:02]
*** fhubik has joined #openstack-keystone [08:03]
*** fhubik has quit IRC [08:04]
*** fhubik has joined #openstack-keystone [08:05]
*** spzala has joined #openstack-keystone [08:05]
*** dmk0202 has joined #openstack-keystone [08:08]
*** spzala has quit IRC [08:10]
*** fawadkhaliq has quit IRC [08:14]
*** fawadkhaliq has joined #openstack-keystone [08:15]
*** daemontool_ has quit IRC [08:18]
*** daemontool_ has joined #openstack-keystone [08:20]
*** vgridnev has quit IRC [08:22]
*** vgridnev has joined #openstack-keystone [08:24]
*** fawadkhaliq has quit IRC [08:25]
*** fawadkhaliq has joined #openstack-keystone [08:25]
openstackgerrit: Merged openstack/python-keystoneclient: Improve docs for v3 users  https://review.openstack.org/305796 [08:32]
*** mhickey has joined #openstack-keystone [08:32]
naresht: Hi Keystoners  I am trying to do Keystone2Keystone authentication. One Keystone acting as an Identity Provider(Ks-IdP) and  the another one acting as a Service Provider(Ks-SP) [08:37]
naresht: Hi Keystoners  I am trying to do Keystone2Keystone authentication. One Keystone acting as an Identity Provider(Ks-IdP) and  the another one acting as a Service Provider(Ks-SP) [08:37]
naresht: I am getting an error while ks-sp asking for user attributes here is the log file  http://paste.openstack.org/show/496653/ [08:37]
naresht: This is error from Horizon http://paste.openstack.org/show/496654/ [08:37]
*** jistr has joined #openstack-keystone [08:38]
*** vgridnev has quit IRC [08:39]
*** rha has quit IRC [08:44]
*** markvoelker has joined #openstack-keystone [08:48]
*** markvoelker has quit IRC [08:55]
*** spzala has joined #openstack-keystone [09:07]
*** spzala has quit IRC [09:11]
*** tesseract has joined #openstack-keystone [09:20]
*** daemontool_ has quit IRC [09:21]
*** daemontool_ has joined #openstack-keystone [09:22]
*** raddaoui has quit IRC [09:27]
*** fawadkhaliq has quit IRC [09:32]
*** fawadkhaliq has joined #openstack-keystone [09:32]
*** daemontool_ has quit IRC [09:40]
*** daemontool_ has joined #openstack-keystone [09:40]
*** daemontool_ has quit IRC [09:40]
*** daemontool_ has joined #openstack-keystone [09:40]
*** dolphm has quit IRC [09:50]
*** dolphm has joined #openstack-keystone [09:51]
*** ChanServ sets mode: +o dolphm [09:51]
*** naresht has quit IRC [09:58]
*** spzala has joined #openstack-keystone [10:08]
*** daemontool_ has quit IRC [10:08]
*** daemontool_ has joined #openstack-keystone [10:08]
*** markvoelker has joined #openstack-keystone [10:10]
*** stevemar has quit IRC [10:13]
*** spzala has quit IRC [10:13]
*** tsufiev has joined #openstack-keystone [10:14]
*** markvoelker has quit IRC [10:15]
*** stevemar has joined #openstack-keystone [10:15]
tsufiev: morning, folks! [10:16]
tsufiev: recently the failure rate for Horizon integration tests has increased significantly, after reading the logs I got an impression that Keystone may be involved [10:16]
tsufiev: the specific part that looks suspicious to me is http://logs.openstack.org/42/236042/62/check/gate-horizon-dsvm-integration/d8d590e/logs/apache/keystone.txt.gz#_2016-05-10_18_10_43_036 [10:17]
tsufiev: which was traced back from http://logs.openstack.org/42/236042/62/check/gate-horizon-dsvm-integration/d8d590e/logs/apache/horizon_error.txt.gz#_2016-05-10_18_10_43_932655 which in turn traced back from http://logs.openstack.org/42/236042/62/check/gate-horizon-dsvm-integration/d8d590e/console.html#_2016-05-10_18_26_13_342 [10:17]
*** daemontool_ has quit IRC [10:17]
*** daemontool has joined #openstack-keystone [10:18]
*** chaithu has joined #openstack-keystone [10:18]
tsufiev: could someone advise if the first ^^^ fragment in Keystone logs is an expected behavior, or something that should be dug into? [10:19]
*** jed56 has quit IRC [10:44]
*** EinstCra_ has quit IRC [10:46]
*** daemontool has quit IRC [10:48]
*** jistr is now known as jistr|mtg [11:00]
openstackgerrit: Merged openstack/python-keystoneclient: Trivial: ignore openstack/common in flake8 exclude list  https://review.openstack.org/314871 [11:03]
*** markvoelker has joined #openstack-keystone [11:04]
*** ChanServ sets mode: +o stevemar [11:04]
*** tellesnobrega is now known as tellesnobrega_af [11:08]
*** spzala has joined #openstack-keystone [11:09]
*** markvoelker has quit IRC [11:09]
samueldmq: morning keystone [11:12]
*** spzala has quit IRC [11:14]
*** rodrigods has quit IRC [11:20]
*** rodrigods has joined #openstack-keystone [11:20]
*** jaosorior has quit IRC [11:22]
*** jaosorior has joined #openstack-keystone [11:22]
samueldmq: tsufiev: hi, good morning [11:26]
tsufiev: hi! [11:26]
samueldmq: tsufiev: looking at the logs, there was a call to change that user's password just above [11:27]
samueldmq: tsufiev: http://logs.openstack.org/42/236042/62/check/gate-horizon-dsvm-integration/d8d590e/logs/apache/keystone.txt.gz#_2016-05-10_18_10_42_995 [11:27]
tsufiev: yes, that's true - we're testing that change password works [11:27]
tsufiev: the problem is that we cannot login back with the password we changed [11:27]
tsufiev: with the _new_ password [11:27]
samueldmq: tsufiev: are you sure the new password is the one used ? [11:28]
tsufiev: samueldmq, yes, because if it weren't that way, the test would fail permanently [11:29]
samueldmq: tsufiev: is this always failing ? or does it pass sometimes ? [11:29]
tsufiev: but it is intermittent [11:29]
* samueldmq nods [11:29]
samueldmq: tsufiev: this is on master branch right? [11:30]
tsufiev: yep [11:30]
tsufiev: I got an impression that we may have hit https://bugs.launchpad.net/keystone/+bug/1473567 [11:30]
openstack: Launchpad bug 1473567 in tempest "Fernet tokens fail tempest runs" [Undecided,Fix released] - Assigned to Lance Bragstad (lbragstad) [11:30]
*** yiorgos_272 has joined #openstack-keystone [11:30]
*** belmoreira has quit IRC [11:31]
samueldmq: tsufiev: there was a tempest test failing recently [11:32]
samueldmq: tsufiev: it was related to token invalidation [11:32]
samueldmq: tsufiev: in your case you are not able to use the new credentials, which is odd [11:32]
tsufiev: samueldmq, so you think that it's not related to above bug? [11:33]
samueldmq: tsufiev: maybe it is [11:34]
samueldmq: tsufiev: are you able to reproduce the error locally? [11:34]
tsufiev: samueldmq, not yet [11:36]
samueldmq: how can I run that test in a devstack? [11:41]
chaithu: Hi All [11:42]
chaithu: We are trying to do keystone to keystone federation. We are following this blog http://rodrigods.com/it-is-time-to-play-with-keystone-to-keystone-federation-in-kilo/ [11:42]
samueldmq: tsufiev: do I need to add openstack_dashboard to LIBS_FROM_GIT in devstack? [11:43]
chaithu: We got unscoped token. When we are trying to get the list of federated projects using unscoped token. We got an error http://paste.openstack.org/show/496702/ [11:43]
chaithu: This is how we are trying to get the list of federated projects http://paste.openstack.org/show/496701/ [11:44]
tsufiev: samueldmq, that's more complicated [11:44]
tsufiev: samueldmq, you would need to run https://github.com/openstack/horizon/blob/master/openstack_dashboard/test/integration_tests/tests/test_user_settings.py#L64 [11:46]
*** fawadkhaliq has quit IRC [11:46]
*** jamie_h has quit IRC [11:46]
*** fawadkhaliq has joined #openstack-keystone [11:47]
tsufiev: samueldmq, https://github.com/openstack/horizon/blob/master/tox.ini#L105 - here is tox command for running integration tests [11:48]
chaithu: Any help will be highly appreciated. [11:48]
tsufiev: 1. clone horizon repo. 2. tox -epy27integration -- openstack_dashboard.test.integration_tests.tests.test_user_settings:TestPasswordChange.test_show_message_after_logout [11:49]
* samueldmq nods [11:50]
*** ChanServ changes topic to "Keystone Midcycle Update: http://lists.openstack.org/pipermail/openstack-dev/2016-May/094574.html | Hosted By Cisco, July 20-22, 170 W Tasman Dr, San Jose, CA 95134" [11:57]
-openstackstatus- NOTICE: We have a workaround for our mirrors to attempt to translate package names if a match isn't immediately obvious. A more complete fix is yet to come. It is now safe to 'recheck' any jobs that failed due to "No matching distribution found". Please join #openstack-infra if you discover more problems. [11:57]
*** markvoelker has joined #openstack-keystone [11:58]
*** markvoelker has quit IRC [12:03]
*** EinstCrazy has joined #openstack-keystone [12:04]
*** EinstCrazy has quit IRC [12:05]
*** raildo-afk is now known as raildo [12:08]
*** spzala has joined #openstack-keystone [12:10]
*** jistr|mtg is now known as jistr [12:11]
*** amrith has joined #openstack-keystone [12:11]
amrith: stevemar, yt? [12:12]
*** spzala has quit IRC [12:15]
*** richm has joined #openstack-keystone [12:30]
rodrigods: stevemar, there? or morgan [12:31]
*** EinstCrazy has joined #openstack-keystone [12:32]
*** openstackgerrit has quit IRC [12:33]
*** openstackgerrit has joined #openstack-keystone [12:33]
*** EinstCrazy has quit IRC [12:35]
*** ayoung has quit IRC [12:36]
*** EinstCrazy has joined #openstack-keystone [12:40]
*** jamielennox is now known as jamielennox|away [12:45]
*** belmoreira has joined #openstack-keystone [12:46]
rodrigods: chaithu, can you paste the code you are using? seems you haven't configured an IdP [12:48]
*** daemontool has joined #openstack-keystone [12:51]
*** edtubill has joined #openstack-keystone [12:51]
*** links has quit IRC [12:52]
*** markvoelker has joined #openstack-keystone [12:52]
*** daemontool has quit IRC [12:53]
*** jamielennox|away is now known as jamielennox [12:53]
*** daemontool has joined #openstack-keystone [12:53]
*** erhudy has joined #openstack-keystone [12:54]
*** sdake has joined #openstack-keystone [12:55]
*** gagehugo has joined #openstack-keystone [12:55]
*** jamie_h has joined #openstack-keystone [12:56]
*** markvoelker has quit IRC [12:57]
*** pauloewerton has joined #openstack-keystone [12:58]
*** sdake_ has joined #openstack-keystone [12:58]
chaithu: rodrigods: We got unscoped token. When we are trying to get the list of federated projects using unscoped token. We got an error http://paste.openstack.org/show/496702/ [12:59]
rodrigods: chaithu, did you add role assignments for the group/user in the mapping? [13:00]
chaithu: rodrigods: This is how we are trying to get the list of federated projects http://paste.openstack.org/show/496701/ [13:00]
*** jaugustine has joined #openstack-keystone [13:00]
chaithu: rodrigods: http://paste.openstack.org/show/496720/ [13:01]
*** sdake has quit IRC [13:02]
*** zqfan has quit IRC [13:03]
*** mou has joined #openstack-keystone [13:03]
*** edmondsw has joined #openstack-keystone [13:04]
chaithu: rodrigods: I think No. This is the mapping file http://paste.openstack.org/show/496720/ . [13:05]
chaithu: rodrigods: could you review the mapping once ? [13:06]
*** Nakato has quit IRC [13:08]
*** Nakato has joined #openstack-keystone [13:08]
*** dave-mccowan has quit IRC [13:09]
rodrigods: chaithu, did you create the group and user? [13:10]
*** spzala has joined #openstack-keystone [13:11]
chaithu: rodrigods:  Yes created in SP http://paste.openstack.org/show/496723/ [13:12]
*** gordc has joined #openstack-keystone [13:13]
rodrigods: chaithu, and added mapped_user to federated group [13:13]
rodrigods: and added a role assignment for federated group in a project? [13:14]
*** jsavak has joined #openstack-keystone [13:14]
*** spzala has quit IRC [13:16]
chaithu: rodrigods: Yes we added [13:19]
*** spzala has joined #openstack-keystone [13:20]
rodrigods: chaithu, need to investigate the logs and etc, it might be a bug, not sure [13:21]
*** edtubill has quit IRC [13:25]
chaithu: rodrigods: Here is the keystone.log in IdP http://paste.openstack.org/show/496727/ might be helpful [13:25]
chaithu: sorry here is the link http://paste.openstack.org/show/496725/ [13:26]
rodrigods: chaithu, you need to check the keystone SP log, since is the one who is denying the call [13:26]
*** BAKfr has quit IRC [13:26]
chaithu: rodrigods: It seems good in log file. This is the SP log shibd.log  http://paste.openstack.org/show/496727/ [13:27]
rodrigods: chaithu, keystone SP, i meant, sorry :) [13:27]
*** dave-mccowan has joined #openstack-keystone [13:28]
*** BAKfr has joined #openstack-keystone [13:28]
chaithu: Here is the Keystone SP log http://paste.openstack.org/show/496728/ [13:29]
lbragstadmorgan do you remember why we didn't merge/continue with that? (re: https://review.openstack.org/#/c/271536/)13:30
patchbotlbragstad: patch 271536 - keystone - Apply invalidation proxy to the catalog cache region (ABANDONED)13:30
rodrigodschaithu, invalid token? that's odd13:31
rodrigodschaithu, need to dig in the code to understand what's going on13:32
morganlbragstad: nope13:32
rodrigodscan you print the token? i can check later13:33
chaithuUnscoped token id: f6e8ba81393841a7953566e2d28ec4bf13:33
rodrigodsmorgan, there you are... i don't think we want to add more stuff in this folder: https://review.openstack.org/#/c/203258/13:33
patchbotrodrigods: patch 203258 - keystone - Federation Identity Provider functional tests13:33
rodrigodschaithu, not the ID, the content13:33
rodrigodsmorgan, see my comment13:34
*** daemontool has quit IRC13:34
chaithurodrigods: http://paste.openstack.org/show/496731/ Is that what you are asking13:35
*** rderose has joined #openstack-keystone13:35
rodrigodschaithu, what happens if you try to list the domains? OS-FEDERATION/domains13:36
samueldmqtsufiev: you still around ?13:36
samueldmqtsufiev: when have those failures started appearing ?13:37
tsufievsamueldmq, yes. I'm going to apply the same fix as tempest folks did13:37
tsufievI think a week or two ago13:37
samueldmqtsufiev: what was the fix ?13:37
chaithurodrigods: The same error http://paste.openstack.org/show/496732/13:37
morganrodrigods: yeah that was why I did +2 not +A before, didn't know where/if it ran.13:37
tsufievbut that may be simply a result of faster hardware13:37
morganrodrigods: we can bug stevemar about this today.13:37
tsufievsamueldmq, time.sleep(1) after logout13:38
rodrigodsmorgan, ok13:38
*** jed56 has joined #openstack-keystone13:38
*** chlong has joined #openstack-keystone13:38
samueldmqtsufiev: ok, not sure about this approach, better to check with lbragstad and dolphm13:38
tsufievwell, it wouldn't hurt anyways13:38
*** tonytan4ever has joined #openstack-keystone13:38
samueldmqtsufiev: it shouldn't be related to the token type (uuid, fernet, whatever)13:39
rodrigodschaithu, hmm try /v3/auth/projects13:39
samueldmqtsufiev: since it's the passwd that has changed, and the auth workflow should just work :(13:39
rodrigodsinstead of OS-FEDERATION/projects13:40
tsufievsamueldmq, then why did tempest test fail in the first place?13:40
tsufievI'm talking about https://bugs.launchpad.net/horizon/+bug/147356713:41
openstackLaunchpad bug 1473567 in OpenStack Dashboard (Horizon) "Fernet tokens fail tempest runs" [High,New] - Assigned to Timur Sufiev (tsufiev-x)13:41
rodrigodschaithu, btw, which version are you using? the token has "saml2" method, which is kind of "old"13:41
samueldmqtsufiev: I don't know about that one13:43
samueldmqtsufiev: there was another recent failure that started appearing when fernet were made the default13:44
chaithurodrigods: with /v3/auth/projects same error13:45
tsufievsamueldmq, I'm all ears13:46
*** markvoelker has joined #openstack-keystone13:46
bknudsonwe're going to have to revert the change to switch to fernet as the devstack if we can't figure out these bugs quickly.13:47
samueldmqtsufiev: I need to check with lbragstad13:47
samueldmqbknudson: I agree with you, we need to solve that somehow, and putting sleep() everywhere shouldn't be the solution13:47
lbragstadbknudson I'm rechecking patches that have more logging proposed to tempest - hoping to get more information since I'm unable to recreate it locally13:48
samueldmqlbragstad: you have links for such tests ? I am also unable to reproduce locally13:48
bknudsonok, as long as someone's working on it. I don't have time lately.13:48
lbragstadhttps://review.openstack.org/#/c/314330/13:48
patchbotlbragstad: patch 314330 - tempest - Do not merge - add logging for bug 157886613:48
openstackbug 1578866 in OpenStack Identity (keystone) "test_user_update_own_password failing intermittently" [High,Confirmed] https://launchpad.net/bugs/157886613:48
samueldmqlbragstad: such tests/such patches13:48
lbragstadand jordanP has one up too https://review.openstack.org/#/c/314121/13:49
patchbotlbragstad: patch 314121 - tempest - WIP : also log Auth-Token13:49
chaithurodrigods: We are using "saml2"13:49
samueldmqtsufiev: this is the other error I was talking about ^(see bug aboce)13:49
samueldmqabove*13:49
rodrigodschaithu, openstack version i meant13:49
chaithurodrigods: Both are liberty13:50
*** fawadkhaliq has quit IRC13:50
*** fawadkhaliq has joined #openstack-keystone13:50
tsufievsamueldmq, thanks! added the bug reference to my patch https://review.openstack.org/#/c/315050/13:55
patchbottsufiev: patch 315050 - horizon - In integration tests wait 1 second after changing ...13:55
*** markvoelker has quit IRC13:55
*** kfox1111 has joined #openstack-keystone13:56
kfox1111v3 validate token question....13:56
kfox1111the is_admin bit. is that returned in the json doc somewhere too?13:56
*** ametts has joined #openstack-keystone13:56
*** spzala has quit IRC13:57
samueldmqtsufiev: hmm nice description in the commit13:57
*** spzala has joined #openstack-keystone13:57
samueldmqlbragstad: maybe all these errors are related to the fact fernet doesn't support subsecond precision?13:57
*** daemontool has joined #openstack-keystone13:58
kfox1111I see is_admin referenced in the V2TokenDataHelper, but nothing in v3.13:59
tsufievI did my best :D14:00
*** ayoung has joined #openstack-keystone14:01
*** ChanServ sets mode: +v ayoung14:01
*** links has joined #openstack-keystone14:01
*** sigmavirus24_awa is now known as sigmavirus2414:01
openstackgerritAndrew Laski proposed openstack/oslo.policy: Add helper methods for generating policy info  https://review.openstack.org/31477414:01
*** spzala has quit IRC14:02
*** jed56 has quit IRC14:04
*** jed56 has joined #openstack-keystone14:05
*** rderose has quit IRC14:06
*** jed56 has quit IRC14:07
*** jed56 has joined #openstack-keystone14:07
ayounghenrynash, what if, as a precursor to https://review.openstack.org/#/c/310048/7 we create a mechanism (config option) that says the name of a project is the full path of that project, from domain, through all parents.  So if I have Domain D and create a project with name=P, the name as reported will be D/P  and if I add a child Q I get D/P/Q as the project name?  Or, if the / is going to mess people up, we could do it Python style D.P.Q14:07
patchbotayoung: patch 310048 - keystone-specs - Relax the project name uniqueness constraints14:07
*** rderose has joined #openstack-keystone14:07
openstackgerritRodrigo Duarte proposed openstack/keystone: Add identity providers integration tests  https://review.openstack.org/30229914:07
ayoungHeh...we could have P, add D, then add Q, then add Bach and get P.D.Q.Bach14:08
*** jed56 has quit IRC14:08
*** jed56 has joined #openstack-keystone14:09
chaithurodrigods: You are referring to liberty or openstack 2.0.0 ?14:09
openstackgerritRon De Rose proposed openstack/keystone: Add password table columns to meet PCI-DSS change password requirements  https://review.openstack.org/31428414:09
*** fawadkhaliq has quit IRC14:10
*** fawadkhaliq has joined #openstack-keystone14:10
*** daemontool has quit IRC14:13
*** jed56 has quit IRC14:15
*** jed56 has joined #openstack-keystone14:15
*** fawadkhaliq has quit IRC14:15
*** woodburn has quit IRC14:15
*** jaosorior has quit IRC14:16
*** jed56 has quit IRC14:18
*** jed56 has joined #openstack-keystone14:18
*** TxGVNN has quit IRC14:22
openstackgerritAndrew Laski proposed openstack/oslo.policy: Add policy registration  https://review.openstack.org/31314114:27
*** sdake_ has quit IRC14:28
*** sdake has joined #openstack-keystone14:29
*** spzala has joined #openstack-keystone14:29
*** woodburn has joined #openstack-keystone14:30
*** jsavak has quit IRC14:30
*** jsavak has joined #openstack-keystone14:30
*** daemontool has joined #openstack-keystone14:31
*** jed56 has quit IRC14:31
*** jed56 has joined #openstack-keystone14:32
*** rderose has quit IRC14:32
*** sdake has quit IRC14:35
*** gagehugo has quit IRC14:36
*** TxGVNN has joined #openstack-keystone14:41
*** gagehugo has joined #openstack-keystone14:42
*** navidp has joined #openstack-keystone14:42
*** jaosorior has joined #openstack-keystone14:43
*** slberger has joined #openstack-keystone14:44
*** edtubill has joined #openstack-keystone14:44
*** daemontool has quit IRC14:45
*** jed56 has quit IRC14:47
*** jed56 has joined #openstack-keystone14:47
*** pgbridge has joined #openstack-keystone14:49
*** woodster_ has joined #openstack-keystone14:50
*** timcline has joined #openstack-keystone14:51
*** raddaoui has joined #openstack-keystone14:52
*** spzala has quit IRC14:53
*** spzala has joined #openstack-keystone14:53
*** links has quit IRC14:54
*** fhubik has quit IRC14:55
*** daemontool has joined #openstack-keystone14:55
ayoungmorgan, as I work to reduce the number of revocation events, I'm starting to bump into the detailed caching we have on the token.  For example, right now, I have broken the TokenCacheInvalidation set, as now checking a token validation needs to check that the project is not disabled in the backend14:56
*** jaosorior has quit IRC14:57
ayoungShould I treat the whole thing as cached, and put the project and user ids into the caches, somehow, or create real project and user objects in the backends?14:58
morganayoung: hmm14:58
morganDon't validate project enabled in the token creation/validation. Assert its enabled from above the token system maybe and pass the ID down. We already (if caching is enabled at all) never check the back end more than once for users or projects.15:00
dstanekbknudson: what do you think we should do merge identity and shadow users?15:01
morganMaybe?15:01
bknudsonwe've done this in the past when we split assignment from identity15:01
*** pgbridge has quit IRC15:01
bknudsondstanek: rather than using foreign keys notifications were used to tell the other managers/drivers that things were deleted (for example)15:02
*** sdake has joined #openstack-keystone15:03
dstanekbknudson: iirc, i asked why we just didn't update the identity driver and that was to save other driver implementation (like LDAP) from having to implement shadow users. and i think the compromise was that we wanted to reuse the existing user table to prevent unnecessary churn15:03
*** navidp has quit IRC15:04
dstaneklbragstad: is ron in the office? it would be useful to have time in here15:05
*** haplo37 has joined #openstack-keystone15:05
*** slberger1 has joined #openstack-keystone15:05
lbragstaddstanek he is15:05
lbragstaddstanek i manually pinged him15:05
lbragstaddstanek he's on his way15:06
*** rderose has joined #openstack-keystone15:06
*** slberger has quit IRC15:07
lbragstadfyi - this is the patch in question https://review.openstack.org/#/c/292611/15:07
patchbotlbragstad: patch 292611 - keystone - Move identity.backends.sql model code to sql_model.py15:07
rderosedstanek, bknudson: just getting on, any new thoughts on this?15:07
dstanekrderose: i'll repeat my last statement so that you can comment on its accuracy15:08
bknudsonI'm in a meeting for a while so won't be able to have a conversation here.15:08
*** spandhe has joined #openstack-keystone15:08
dstanekiirc, i asked why we just didn't update the identity driver and that was to save other driver implementation (like LDAP) from having to implement shadow users. and i think the compromise was that we wanted to reuse the existing user table to prevent unnecessary churn15:08
openstackgerritAndrew Laski proposed openstack/oslo.policy: Add authorize method to Enforcer  https://review.openstack.org/31314215:08
dstanekbknudson: np, we can discuss a little and you can chime in when you have time15:09
rderosedstanek: agree and to me it just made sense to reuse the user table.  Essentially, wanted to create a model that unified all identities.15:10
fricklerare there plans to release keystoneauth1 for stable/[lm]*?15:10
* frickler would like to finally get rid of the username deprecation messages everywhere15:11
rderosedstanek: and I don't see an issue with having shadow users and the identity sql backends both depending on the same sql model15:11
rderosedstanek bknudson: anyway, I posted a comment, I'm open to suggestions.15:12
*** dan_nguyen has joined #openstack-keystone15:13
dstanekrderose: ok, when bknudson is back we should have a little design pow-wow here15:13
rderosedstanek: cool.  I have a 10:30, but should be free afterwards15:13
*** jistr has quit IRC15:13
dstanekit would be nice to get this all figured out to make some progress here15:13
rderosedstanek: yep, for sure15:13
dstanekrderose: are you central today?15:14
rderosedstanek: yes15:14
dstanekcool, thx15:14
*** pgbridge has joined #openstack-keystone15:20
*** fawadkhaliq has joined #openstack-keystone15:22
*** edtubill has quit IRC15:22
*** edtubill has joined #openstack-keystone15:23
*** spandhe has quit IRC15:23
*** EinstCrazy has quit IRC15:23
*** spandhe has joined #openstack-keystone15:24
arunkantdstanek: Can you review this ..https://review.openstack.org/#/c/279828/  ?15:25
patchbotarunkant: patch 279828 - keystonemiddleware - Adding audit middleware specific notification driv...15:25
*** jsavak has quit IRC15:27
*** AJaeger has joined #openstack-keystone15:28
dstanekarunkant: yeah, it's on my list of todos, but i've got lots of todos unfortunately15:28
*** tonytan_brb has joined #openstack-keystone15:28
*** jsavak has joined #openstack-keystone15:28
AJaegerkeystone team, with publishing of the generated config file at http://docs.openstack.org/developer/keystone/sample_config.html do you still need to have the proposal job for the in-tree file? Or can we remove job and file?15:29
*** mou has quit IRC15:29
AJaegerstevemar: I think you set the initial job up ^15:29
*** mou has joined #openstack-keystone15:29
*** jsavak has quit IRC15:30
arunkantdstanek, okay..hopefully you will look into this soon. I have been trying to get it reviewed and approved from keystoners for quite some time.15:30
*** jsavak has joined #openstack-keystone15:30
stevemarfrickler: i'll be releasing a whole bunch of L and M stuff soon15:31
*** amrith is now known as _amrith_15:31
*** tonytan4ever has quit IRC15:31
*** jistr has joined #openstack-keystone15:31
stevemarAJaeger: i think people like the compiled etc/keystone.conf.sample in-tree15:32
AJaegerstevemar: and we prefer not to have these proposal jobs ;)15:32
dstanekstevemar: AJaeger: if our tests don't require it then i'm not tied to it15:32
rodrigodsstevemar, can you take a look in my comment at https://review.openstack.org/#/c/203258/ ? i don't think we want to put things in that folder anymore15:32
patchbotrodrigods: patch 203258 - keystone - Federation Identity Provider functional tests15:32
AJaegerit would free you from approving them ;)15:33
*** _amrith_ is now known as amrith15:33
*** jistr has quit IRC15:33
stevemarAJaeger: looks like i am over-ruled on this one15:33
henrynashayoung: so to your suggestion of having a config switch that would return names as paths...15:33
*** jistr has joined #openstack-keystone15:33
stevemarwe can periodically check in new sample configs i guess15:33
AJaegerstevemar, dstanek feel free to discuss in your next IRC meeting on what to do...15:34
stevemarAJaeger: i guess you can remove the job, seems no one but me likes it15:34
stevemarbknudson: did you have any strong feelings on this one?15:34
*** belmoreira has quit IRC15:34
bknudsonstevemar: no strong feelings15:34
AJaegerstevemar: let me propose something and add you to the change for review, so that you can think a bit more...15:34
AJaegerthanks!15:34
ayounghenrynash, Ideally it would be triggered by the "strict" option we already have, but that might be too much to backport.  It should depend on "strict" though15:35
henrynashayoung: …and so what would this give us?15:35
ayounghenrynash, a step closer to the uniqueness15:36
henrynashayoung: we could also allow the use of paths in auth, but would be optional15:36
ayoungthis way, even if we have two projects that get named "London"  one would be London/England and the other London/Massachusetts15:36
ayounghenrynash, maybe drop the domain name from my suggestion, though, as that would break existing top level15:37
henrynashayoung: yes, agreed.15:37
ayoungand we don't say project names have to be globally unique, just within domains, right?15:37
henrynashayoung: correct15:38
*** spandhe has quit IRC15:38
AJaegerhttps://review.openstack.org/315130 is the change to remove the proposal job, stevemar15:38
ayoungLets call this HMT naming15:38
henrynashayoung: ….and would you be able to use HMT naming in auth?15:39
ayounghenrynash, yes15:39
ayounghenrynash, that is the point.  the project.name would be the HMT naming, even if created with just the segment15:40
ayoungkeeps the letter of the law, gives us the new intent15:40
henrynashayoung: what if auth just has: project name = “test”15:40
henrynashayoung: do we assume it is at the top level…or can be anywhere (this is the rub with the current proposal)15:41
henrynashayoung: (anywhere in the domain)15:41
ayoungif test is at the top level, no change. if test is under nash, then its new name is nash/test15:41
henrynashayoung: which breaks today’s call semantics15:42
ayounghenrynash, it is an explicit change made by a domain admin...maybe we could do this on a per domain basis?15:42
henrynashayoung: eek15:42
ayounghenrynash, have a global default. but with a domain level config you could override15:43
henrynashayoung: we could certainly do that....15:43
*** ramishra has quit IRC15:44
henrynashayoung: One issue I have is that from domain admin point of view, what’s their advantage of them turning this on? Not sure it lets them do anything they can’t do today....15:44
ayounghenrynash, it would have to be opt in to start, or we would break everyone.  why not opt in per domain?15:44
henrynashayoung: (I know why WE like it….but)15:44
ayounghenrynash, clone:15:45
ayoungwe want a template that has:15:45
openstackgerritRodrigo Duarte proposed openstack/keystone: Add identity providers integration tests  https://review.openstack.org/30229915:45
ayoungtop level dev/qa/live  under each we want 3 projects frontend/appserver/database15:45
*** ramishra has joined #openstack-keystone15:46
henrynashayoung: ok, so tree operations15:47
ayoungat each level, the project name is unique, but it forces them to be consistent15:47
*** lhcheng has joined #openstack-keystone15:47
*** ChanServ sets mode: +v lhcheng15:47
ayoungif you do it by naming convention, then you could have wordpress/dev/frontend  under etherpad/stage/database15:47
*** rcernin has quit IRC15:47
henrynashayoung: ah, right (light bulb….I see where you are going with this)15:48
ayounghenrynash, and if you change a project name (we allow that, right?) then all the child project names change, too15:49
ayoungbut we still enforce global uniqueness15:49
henrynashayoung: interesting….15:49
henrynashayoung: off to mull….(thinking….not the Isle Of….)15:51
ayounghenrynash, and not preparing beverages for the colder months, either unfortunately15:52
henrynashayoung: never too early....15:52
ayounghenrynash, play with the idea.  I think it is what you are looking for, maybe with additional tweaking15:53
henrynashayoung: could be indeed, sir….nice thinking15:54
*** jsavak has quit IRC16:01
*** jsavak has joined #openstack-keystone16:02
*** fawadkhaliq has quit IRC16:02
*** roxanaghe has joined #openstack-keystone16:03
*** ninag has joined #openstack-keystone16:05
*** rderose has quit IRC16:06
*** dmk0202 has quit IRC16:07
*** pgbridge has quit IRC16:07
*** ninag has quit IRC16:08
*** lhcheng has quit IRC16:09
*** jaugustine has quit IRC16:09
*** pushkaru has joined #openstack-keystone16:09
*** rderose has joined #openstack-keystone16:10
*** ninag has joined #openstack-keystone16:11
*** gyee has joined #openstack-keystone16:13
*** ChanServ sets mode: +v gyee16:13
*** amrith has left #openstack-keystone16:17
*** agrebennikov has joined #openstack-keystone16:17
morganhenrynash: i am thinking project=test *is* only top level16:18
morganfwiw16:18
morganayoung: the other thing to keep in mind... the name can't exceed 255 characters in total due to the schema we use16:18
henrynashmorgan: in my original proposal………or what adam is suggesting?16:19
morganthis is sounding more and more like HMT needs love and microversions can get us there.16:19
morganbasically we force a microversion that makes subprojects have restricted characters and end up with the X.Y.Z.Q naming16:19
morganor something16:19
morganand you always reference the whole path for the name?16:19
morganthat way name can be consistent.16:19
* morgan has been sleeping on this issue fwiw16:20
henrynashmorgan: on microversioning…..in general, do we want a linear increasing version…or do we want a “capability map” accessible pre-auth?16:21
morganhenrynash: monotonic increasing version16:21
morgannot semver/capabilities.16:21
*** rderose has quit IRC16:21
henrynashmorgan: is that a cross-project decision?16:21
morganand we will need to move auth out from under the <versioned> CRUD api generally for sanity.16:21
morganhenrynash: it's the way nova does it, the way ironic does.16:22
morgani'm inclined to say we should follow in suit16:22
morganit is much much much simpler than needing to make a capabilities graph16:22
henrynashmorgan: do they have any config settings that modify the meaning of APIs?16:23
morganoutside of the versions, not that i am aware of16:23
morganwhich is the right answer16:23
morganafaiac16:23
henrynashmorgan: ok, understand the proposal....16:23
morganusing API version XXX means you get features/responses of XXX16:23
*** chaithu has quit IRC16:24
morganif we work to improve HMT and change the APIs so the real featuresets are based in the new microversion(s) so we can say to do the proper naming, we now reserve characterset [.,/], and you must be using the new version to be able to do the proper nested projects with auth capabilities.16:25
*** ninag has quit IRC16:25
morganit also means some people might need to rename projects long term for support in HMT things16:25
morgane.g. if a project uses a reserved char in the name we don't allow HMT things with it16:26
*** ninag has joined #openstack-keystone16:26
morgansimple changes, microversion based. gets us to where you want to be.16:26
morganif you don't specify the path, it's a top-level "today" project16:26
morganand we can work on improving auth things to be smarter as we version auth (once it's split from CRUD apis)16:26
ayoungmorgan, so one backward compat issue is if a project is nested today, but the name is flat, we will break them if we force name to be the path.  I was trying to avoid that16:27
morganhenrynash: and GET / (or [prefix]/) on keystone can say "we support version X -> Y of the microversions16:27
ayoungmicroversions won't fix that16:27
morganayoung: we basically leave it as is today and don't try and solve that issue. it's semi-broken today16:28
morganayoung: and we document how it is broken make sure it's clear <this is the correct way forward with new microversion thing>16:28
ayoungmorgan, then how do we co-exist with the brokenness in a way that lets us move forward, too?16:28
morganayoung: it is a little sucky for end users, but we're providing a clear path forward that will be better16:28
ayoungmorgan, that is why I like per-domain16:29
morganayoung: i'd flag projects that need "fixing"16:29
morganand anything flagged as such, can't work with the nested bits (even provide a reporting tool so an operator can cleanup/fix) and/or proper responses from the API for end users to indicate what is wrong16:30
ayoungmorgan, I'd rather not have to get things to 100% clean before a deployer can move forward, otherwise, they are never going to move16:30
morganayoung: i also am fine with leaving it "unique names per domain" long term16:30
morganayoung: and you don't get nested name collisions.16:30
*** ninag has quit IRC16:30
ayoungmorgan, so, if the whole path is the name, then, yes, names stay unique16:30
morganayoung: i'm trying to offer a way to unwind this if we're loosening the restrictions16:30
morganayoung: personally, i'd just keep it as is.16:31
ayoungmorgan, yeah, I think there is a path through here that makes use of all the tools16:31
morganayoung: and say "sorry names are unique per domain"16:31
morganlet people deal with that in how they name things16:31
ayoungmorgan, but that way I can't retroactively win an argument I lost 3 years ago.16:31
morganayoung: i'm not here for your retroactive argument winnings.16:31
morgan:P16:32
*** rderose has joined #openstack-keystone16:32
ayoungmorgan, you are not?  I was misled.16:32
ayoungseriously, though, I think we can make this work.  I wanted the full path for the project name for a while anyway16:32
morganayoung: the only concern is we cannnnnnnnot have a name that exceeds 25516:32
morganand right now, you could (with full path) be x*255.Y*255.Z*255.<maxnestdepth>16:33
ayoungmorgan, that was due to the database column16:33
morganayoung: and it's a behavior in our API we can't break... microversion *can* be used here.16:33
ayoungnot due to any other concern.  If we build the name from parent then the restriction should be 255 per segment16:33
morganbut the baseline would not work with those new names.16:33
ayoungmorgan, you mean because of the JSON scheme enforcement>16:34
ayoung?16:34
morganyep.16:34
morgandon't change the behavior of a non-experimental API16:34
morganuntil microversions, then microversions would be a version bump to fix things.16:34
* morgan had a conversation with lifeless that convinced me microversions are not as evil as originally thought.16:35
*** ninag has joined #openstack-keystone16:35
morganand it does back us out of a corner we're in.16:35
*** mhickey has quit IRC16:35
morganbut we need to be *very* strict about not breaking API contracts otherwise. (and i'll continue to be strict on that front here as much as I can)16:36
ayoungmorgan, to be blunt, who cares?  What is making things less restrictive than originally published going to break?  I'm all for supporting end users, but this is pedantry for its own sake.  I mean, I'm not against microversions (at all, I think I want them) , but that is not the standard we should judge this by.  If a change is not going to break backwards compat, the worst that I could see happening is that people would have built tooling that rest16:36
ayoungricts what they can enter to the old rules.16:36
ayoungBut I don't think microversions are a saviour here.  They are, again, pedantically correct, and should be used for these kind of changes, but we've been doing that, just not ultra strcitly16:37
ayoungstrictly.16:37
*** fangxu has joined #openstack-keystone16:38
*** ninag has quit IRC16:38
*** ninag has joined #openstack-keystone16:38
ayoungWe've made lots of behavior changes over time, and only now do we have a rule in place "we can't be less strict than in the past."16:39
ayoungI mean, yeah, I could see it being tricky for WebUI.16:39
ayoungmorgan, how about this16:39
ayoungI think this is a backwards compat change.16:39
ayoungWe create a new field for projects (optional)16:40
ayoungcalled name_segment16:40
ayoungOn a per domain basis, we allow that to be used in place of name for editing.16:40
ayoungIf that value is set, the name becomes the full path....gah, that hits the JSON scheme restriction....16:40
*** tellesnobrega_af is now known as tellesnobrega16:41
ayoungmaybe not, actually.  If you can never set the name IFF it is in segments, then the JSON schema is still valid when accepting a new project or changed project16:42
ayoungWe would overflow the schema only on reads, but  I don't think that is validated16:42
ayoungand, what we are discussing doing here would still require webUI changes in order to take advantage of it anyway16:43
ayoungmorgan, OK,  lets talk microversions for a moment.  What would it take for Keystone to implement microversions?16:43
ayounglets say we want to allow name-segments.  Lets say the API microversion to do that is 3.8, and anything less does not do nested.16:44
*** phalmos has joined #openstack-keystone16:44
morganayoung: sec. doing something need to ask you a question off channel16:44
*** fawadkhaliq has joined #openstack-keystone16:53
openstackgerritMerged openstack/keystone: Make keystone exit when fernet keys don't exist  https://review.openstack.org/31181116:53
*** jorge_munoz_ has joined #openstack-keystone16:57
*** jorge_munoz has quit IRC16:57
*** jorge_munoz_ is now known as jorge_munoz16:57
*** belmoreira has joined #openstack-keystone16:58
openstackgerritMerged openstack/keystoneauth: Updated from global requirements  https://review.openstack.org/31505817:00
ayoungmorgan, back to the microversion thing.  If you do the nested version of a project name (MV>=7.8 = S.P.Q.R  ... something longer than 255 chars.  What would I get if I tried to query it with MV < 7.8?  Error code?17:01
morganayoung: ok.17:01
ayoung7.8  should read 3.8 but you get it17:01
morganbad request17:01
ayoungOK....I can deal with that17:01
ayoungI think....17:01
*** jistr has quit IRC17:02
morganand the error should communicate why17:02
ayoungmorgan, so, I think I would still want it on a per domain basis.  Just thinking like a sysadmin here, they are not going to want to force all of their users  to change.  So  we would need some degree of granularity to say "this is where it is OK to do that"17:03
*** AJaeger has left #openstack-keystone17:03
ayoungmorgan, lets call this Full Path Naming, and what we have now as segment only naming (for this discussion only) and so I would want to say that if a site has 10000 projects, of which say, 30% are nested via HMT, we can't break those 30 to enable Full path naming.17:05
ayoungSo we could say:  ok, this domain is 98% of the way there, we can enable it, and then break those 2 projects that need to be updated17:05
ayounghmmm17:05
*** stingaci has joined #openstack-keystone17:06
ayounglist projects for user is not going to work though, is it?17:06
ayoungAh!17:06
morganyeah17:06
ayoungOK so if MV < 3.8 it gets the safe names.  if MV >= 3.8 it gets the full list, with the names in path format17:06
morganyes17:06
morganexactly17:07
morganyou're starting to get it.17:07
ayoungmorgan, and to start, we say the default mv is < 3.8 so we don't break existing, and people that want to use it request 3.817:08
*** BAKfr has quit IRC17:08
ayoungor "latest"17:08
ayoungdefault ==stable.  "latest" =new hotness17:08
ayoungmorgan, can you drop your -2 to a -1 and I17:09
morganbasically default is "before microversions"17:09
morgancomment on the way forward on the review and i'll drop my -2.17:10
morganjust so we have it recorded there.17:10
*** BjoernT has joined #openstack-keystone17:10
morganvs. just in IRC :)17:10
ayoungactually, lets get a spec for microversions (even a placeholder) up first17:10
ayoungwant me to do that?17:10
*** spzala has quit IRC17:10
morganplease do.17:10
*** roxanaghe has quit IRC17:10
openstackgerritRon De Rose proposed openstack/keystone: Add password table columns to meet PCI-DSS change password requirements  https://review.openstack.org/31428417:10
ayoungOK...I'll get that up17:10
*** BAKfr has joined #openstack-keystone17:10
morganalso ping sdague and maybe nova folks to 2x check the microversion spec.17:10
morganmake sure we're not wildly off-base from their general approach17:11
morganwe want to follow in suit to keep things as common as we can in openstack :)17:11
*** ninag has quit IRC17:11
*** fawadkhaliq has quit IRC17:12
*** ninag has joined #openstack-keystone17:12
openstackgerritRon De Rose proposed openstack/keystone: Move the assignment abstract base class out of core  https://review.openstack.org/29963517:14
*** jed56 has quit IRC17:14
*** spzala has joined #openstack-keystone17:14
*** roxanaghe has joined #openstack-keystone17:15
*** ninag has quit IRC17:16
*** tqtran has joined #openstack-keystone17:18
*** rderose has quit IRC17:18
*** henrynash has quit IRC17:18
*** rderose has joined #openstack-keystone17:19
*** ninag has joined #openstack-keystone17:19
*** spzala has quit IRC17:19
*** ninag has quit IRC17:21
*** simondodsley has joined #openstack-keystone17:23
*** jsavak has quit IRC17:23
*** ninag has joined #openstack-keystone17:23
*** ninag has quit IRC17:24
*** ninag_ has joined #openstack-keystone17:25
*** stingaci has quit IRC17:25
*** stingaci has joined #openstack-keystone17:26
*** ninag__ has joined #openstack-keystone17:27
morgandstanek, stevemar: ping re @wip17:29
dstanekmorgan: pong17:29
morgandstanek, stevemar: we should make @wip take "expected exception" and bugid=<id>17:29
*** ninag_ has quit IRC17:30
dstaneki wouldn't have any issue with that17:30
morganso we can optionally track the exception expected *and* what bug it's blocking on if possible17:30
morganwould generally be better.17:30
* morgan will propose this in a few moments.17:30
morgandstanek: just doing massive code review and realizing @wip needs to be better.17:30
*** openstackgerrit has quit IRC17:33
*** openstackgerrit has joined #openstack-keystone17:33
dstanekmorgan: no argument from me :-)17:34
*** sileht has quit IRC17:37
ayoungmorgan, placeholder spec https://review.openstack.org/315180 Microversions17:38
*** timcline has quit IRC17:41
*** spzala has joined #openstack-keystone17:43
*** sileht has joined #openstack-keystone17:44
dstanekhmm... so what is the difference between Higgins and Magnum?17:45
*** rbridgeman has joined #openstack-keystone17:46
*** TxGVNN has quit IRC17:46
*** henrynash has joined #openstack-keystone17:47
*** ChanServ sets mode: +v henrynash17:47
*** timcline has joined #openstack-keystone17:48
*** rbridgeman has quit IRC17:48
*** rbridgeman has joined #openstack-keystone17:48
rodrigodsdstanek, morgan, http://docs.openstack.org/developer/tempest/HACKING.html#test-skips-because-of-known-bugs17:53
morgandstanek: Higgins is more COE abstraction17:54
dstanekrodrigods: that's not the same as wip17:54
morgan(generalized) i think.17:54
*** belmoreira has quit IRC17:54
rodrigodsdstanek, so i think we need to differ between wip and skip_due_a_bug17:54
dstanekmorgan: looks like i need to look at how openstack does container things17:55
dstanekrodrigods: what do you mean?17:55
rodrigodsdstanek, sometimes we want to skip things to fix the bug in a follow up patch17:55
rodrigodsand sometimes is indeed a wip17:56
rodrigodsright?17:56
dstanekrodrigods: wip has a very specific purpose in that it is test code that you expect to fail. in the case where you fix the code in a follow up patch you would just need to remove the @wip17:57
dstanekin that case wip or skip are both fine17:57
dstanekwip's real value is that it'll fail the test if it accidentally succeeds17:58
zzzeekmorgan: this is kind of a bad week for me to get around to dogpile reviews since we're moving to a new house next week.  but the reviews are in my inbox for when i get through it17:58
morganzzzeek: wfm17:58
morganzzzeek: also, enjoy the new house!17:59
zzzeekmorgan: oh also my gerrit just passed.   hm.   guess that bug went away.17:59
* zzzeek runs it again17:59
zzzeekerr my jenkins build17:59
zzzeekmorgan: thanks!17:59
rodrigodsdstanek, hmm thought this skip_because would do the same18:00
rodrigodsbut yeah, it needs to fail if passes18:00
rodrigodsnot just "skip"18:00
morgandstanek: i should have this patch posted for review shortly18:01
morgandstanek: this is 1st pass, not added testing, will do testing if you like the new @wip18:02
*** stingaci has quit IRC18:05
amakarovmorgan, can you please comment on this one: https://review.openstack.org/#/c/309146/ ? Why can't we cache that way?18:18
patchbotamakarov: patch 309146 - keystone - Pre-cache new tokens18:18
morganamakarov: yes will do18:20
openstackgerritMorgan Fainberg proposed openstack/keystone: Add new functionality to @wip  https://review.openstack.org/31519818:20
morgandstanek: ^18:20
*** jsavak has joined #openstack-keystone18:22
*** spandhe has joined #openstack-keystone18:25
openstackgerritSteve Martinelli proposed openstack/keystone: Switch to use `new_domain_ref` for testcases  https://review.openstack.org/28451018:25
*** dan_nguyen has quit IRC18:26
stevemarmorgan: ^ ... in about 2 seconds when the next one is uploaded18:28
*** krotscheck_ has joined #openstack-keystone18:30
dstanekmorgan: nice18:31
openstackgerritSteve Martinelli proposed openstack/keystone: Switch to use `new_domain_ref` for testcases  https://review.openstack.org/28451018:31
*** krotscheck has quit IRC18:31
dstanekamakarov: i'm guessing line 281 at least18:32
*** jsavak has quit IRC18:32
*** krotscheck_ is now known as krotscheck18:33
*** jsavak has joined #openstack-keystone18:34
*** belmoreira has joined #openstack-keystone18:34
*** dave-mccowan has quit IRC18:35
*** tonytan_brb has quit IRC18:36
*** spandhe has quit IRC18:36
*** jorge_munoz has quit IRC18:36
*** stingaci has joined #openstack-keystone18:37
amakarovdstanek, were you talking to me? :)18:38
dstanekamakarov: yes, for that cache review18:38
amakarovdstanek, oh, I see...18:39
dstanekamakarov: i'm guessing that there is some login in there that isn't supposed to be cached18:39
*** jorge_munoz has joined #openstack-keystone18:40
*** jorge_munoz has quit IRC18:41
*** jorge_munoz has joined #openstack-keystone18:42
amakarovdstanek, so the logic is to be token type aware, isn't it?18:42
dstanekamakarov: i'd have to really take a look at it to see what logic isn't cachable18:45
*** jorge_munoz_ has joined #openstack-keystone18:46
amakarovdstanek, I wonder why can't we use token_id as a cache key if we pass it around anyway...18:46
amakarovdstanek, OTOH 8Kb cache key in case of PKI is a bit insane18:47
*** jorge_munoz has quit IRC18:47
*** jorge_munoz_ is now known as jorge_munoz18:47
*** sdake has quit IRC18:48
*** tesseract has quit IRC18:51
*** edtubill has quit IRC18:52
*** dave-mccowan has joined #openstack-keystone18:53
*** dan_nguyen has joined #openstack-keystone18:54
*** mou1 has joined #openstack-keystone18:56
*** vgridnev_ has joined #openstack-keystone18:57
*** vgridnev_ has quit IRC18:57
*** mou has quit IRC18:59
*** tonytan4ever has joined #openstack-keystone18:59
*** roxanaghe has quit IRC19:00
*** vgridnev_ has joined #openstack-keystone19:00
morganstevemar: rebase?19:00
stevemarmorgan: yes, but a hell of one, so double check it...19:01
morganstevemar: because it looks pretty much the same?19:01
morganstevemar: yeah 2x reading19:01
morganstevemar: it looks ok to me19:02
morgannothing looks wrong, lets see what jenkins says19:02
stevemarmorgan: alrighty19:02
stevemaryep19:02
morganstevemar: also https://review.openstack.org/315198 eyes would be nice.19:02
stevemarmorgan: rgr19:02
morganjust see if you like the direction19:02
stevemarmorgan: i like it, just one thing for readability19:04
stevemarmorgan: so https://review.openstack.org/#/c/302299/ vs https://review.openstack.org/#/c/203258/19:04
patchbotstevemar: patch 302299 - keystone - Add identity providers integration tests19:04
patchbotstevemar: patch 203258 - keystone - Federation Identity Provider functional tests19:04
stevemarmorgan: i think we should abandon marek's in favor of rodrigods patch19:06
stevemarsince umm, one runs tests in the gate :)19:06
morganstevemar: wfm19:06
stevemarrodrigods: let me know if you need eyes on that patch19:07
morganstevemar: also the lack of space was intentional, look at line 78 on that patch19:07
morganstevemar: it would be readable with the bugid added19:07
stevemarmorgan: yeah, i see that19:07
morganstevemar: trying to avoid variable space/non-space/whatevers19:08
* morgan shrugs.19:08
stevemarmorgan: i get ya19:10
stevemarmorgan: ready for https://review.openstack.org/#/c/279828/  ?19:10
patchbotstevemar: patch 279828 - keystonemiddleware - Adding audit middleware specific notification driv...19:10
stevemari'm on the fence for this one :O19:11
morganstevemar: i don't like the guessing19:11
morgani really don't19:11
gyeeayoung, I think I am just about to give up on certmonger19:14
morganstevemar: but i could see it going either way19:15
*** edtubill has joined #openstack-keystone19:15
stevemarrodrigods: crinkle if you have time: https://review.openstack.org/#/c/279828/ wouldn't mind a few opinions on it19:17
patchbotstevemar: patch 279828 - keystonemiddleware - Adding audit middleware specific notification driv...19:17
gyeeayoung, I'll send you an email on the reasons, but basically, in a nutshell19:17
gyee1) doc does not match reality19:17
gyee2) extremely difficult to troubleshoot19:17
gyee3) certmonger-session is unstable19:18
stevemargyee: sounds like openstack19:18
morgangyee: oooh are you debugging openstack?19:18
gyeestevemar, certmonger is worst, believe me!19:18
morgan:P19:18
gyeemorgan, at least openstack has logs and code is easier to follow19:18
gyeecertmonger have no good logs19:19
*** vgridnev_ has quit IRC19:19
bknudsonwe can put that on the advertising -- openstack: better than certmonger19:19
gyeehellyeah!19:19
gyeebknudson, try to troubleshoot dbus once in your life and see how you feel :-)19:20
crinklestevemar: i don't have a lot to offer on that, i don't know much about auditing19:23
stevemarcrinkle: darn, was trying to get a few opinions on it, i'm not super warm on it, but for no particular reason19:24
*** jsavak has quit IRC19:33
*** jsavak has joined #openstack-keystone19:33
openstackgerritMerged openstack/oslo.policy: Trivial: ignore openstack/common in flake8 exclude list  https://review.openstack.org/31500919:33
*** jaosorior has joined #openstack-keystone19:34
*** dmk0202 has joined #openstack-keystone19:38
*** edtubill has quit IRC19:41
*** jsavak has quit IRC19:46
*** jsavak has joined #openstack-keystone19:46
*** r-daneel has joined #openstack-keystone19:49
*** jaosorior has quit IRC19:51
ayounggyee, did you follow my blog post?20:02
ayounghttps://adam.younglogic.com/2016/05/logging-certmonger/20:02
ayoungyou should not need to look at dbus, if you get enough logging from certmonger itself20:03
*** jsavak has quit IRC20:03
gyeeayoung, my helper got the cert back from Anchor20:04
*** jsavak has joined #openstack-keystone20:04
gyeeI returned it as is, which according to the doc, it should work20:04
*** sdake has joined #openstack-keystone20:05
gyeebut keep getting NEED_GUIDANCE, which means it choke on parsing the output20:05
gyeebut it didn't tell me what does it choke on20:05
rodrigodsstevemar, same as crinkle, but will try to figure out later tonight20:06
gyeecarriage returns, new lines, or what20:06
gyeeayoung, according to the doc, I should be able to return the entire PEM content as output20:06
ayounggyee, yes, and return 020:07
ayoungas the exit code20:07
gyeeright, the script exited with 0 status20:07
ayounghmmm20:07
gyeeNEED_GUIDANCE means it can't parse the PEM content20:07
ayounggyee, did the log give any data?20:08
gyeeis 15 the highest log level?20:08
gyeelet me restart it again20:08
*** nalind has joined #openstack-keystone20:09
nalindayoung: you rang?20:09
gyeecertmonger-session tends to write over my changes on restart20:09
ayoungyou were running nalind we have gyee here trying to build a certmonger helper20:09
gyeeso I had to kill it first, then make changes20:09
ayounghe's getting a pem back, and exit 0, but get NEED_GUIDANCE20:09
nalindwhat's the output?20:09
ayounggyee, right, but you then ran20:09
ayoung/usr/libexec/certmonger/certmonger-session -n -d 1520:09
ayoungright?20:09
*** daemontool has quit IRC20:09
gyeenalind, I keep getting NEED_GUIDANCE20:10
nalindthat'd work. the -n is implied by -d, but it's not an error20:10
gyeeas far as I can tell, I return the entire PEM content20:10
nalinddo you have a captured copy of it?20:10
ayounggyee, if you kill the one that dbus kicks off, then run it as per above, it finds the dbus connection and grabs it20:10
ayounggyee, I had the same thing happening, and when I kicked it off that way, I found out what certmonger was complaining about20:11
gyeeayoung, nalind, I logged it to syslog and here's what the output look like20:12
gyeehttp://paste.openstack.org/show/496814/20:12
*** vgridnev has joined #openstack-keystone20:12
*** vgridnev has quit IRC20:12
ayounggyee, were you skipping right to certmonger, or using session?20:13
stevemarrodrigods: that's all i ask :P20:13
gyeeayoung, I am using getcert -s20:13
nalindare the #012 sequences escaping for the log message, or was it in the data that the daemon got back, too?20:13
ayounggyee, ok, so try this20:13
ayoungkillall certmonger-session20:13
ayoung/usr/libexec/certmonger/certmonger-session -n -d 1520:14
ayoungand from another window20:14
gyeenalind, I logged it as is from http response20:14
ayounggetcert -s list20:14
ayoungyou should then see a slew of logging from the first window, certmonger-session20:14
*** daemontool has joined #openstack-keystone20:14
ayoungthat is the logging you need20:14
ayounggyee, can you paste the output from calling your helper script directly?20:15
gyeeone sec20:16
stevemarmorgan: another backport: https://review.openstack.org/#/c/314727/20:17
patchbotstevemar: patch 314727 - keystone (stable/mitaka) - Remove test_invalid_policy_raises_error20:17
gyeeayoung, how do I make getcert split out the CSR so I can set it in CERTMONGER_CSR?20:19
openstackgerritAndrew Laski proposed openstack/oslo.policy: Add policy registration  https://review.openstack.org/31314120:21
openstackgerritAndrew Laski proposed openstack/oslo.policy: Add authorize method to Enforcer  https://review.openstack.org/31314220:21
ayounggyee, um, you shouldn't need to do that explicitly, it should be set already in the environment when certmonger calls your app20:21
gyeeI know, you asking for running the script directly20:21
ayounggyee, try it out:  in your app, you should be able to dump the value from getenv20:21
gyeenm, I found it in ~/.config/certmonger/requests/2...20:21
nalindfor troubleshooting cases, it's handy to have the helper able to read a CSR on stdin if there isn't one in the environment20:22
stevemarrderose: please create the bp pci-dss :)20:22
ayoungnalind, he's got the helper working well enough to see the PEM.  The issue is the handshake between certmonger and the helper that is not clear20:22
ayoungI need to run home here, gyee.  Got a birthday dinner for my 10 year old.20:24
ayounggyee, write up what you have working, and I'll give it a go.  Do you have your helper app in a public repo yet?20:25
stevemarayoung: happy birthday to the little person20:25
ayoungTYVM stevemar20:25
gyeeayoung, nalind, http://paste.openstack.org/show/496819/20:28
gyeethe script works fine by itself20:28
*** jorge_munoz has quit IRC20:29
gyeeayoung, sure, will push my help to my github account, assume the corp lawyers are OK with it :-)20:29
nalindhmm, that looks like expected output, and if the status is 0, i'm not sure what it doesn't like. got the debug log from the session daemon?20:31
gyeenalind, give me a sec, I'll paste the debug logs20:31
arunkantstevemar: I saw you posted message on ldappool repo. Are you using it somewhere? I remember adding it in keystone, not sure if its still used.20:34
gyeenalind, http://paste.openstack.org/show/496820/20:34
nalindexit status was 1?20:35
gyeewth?20:36
ayoungOK, I think you guys are tracking.  Send me an email with the final story, would you gyee ?20:36
gyeeayoung, sure20:37
SpamapSI think bootstrap may have been broken recently20:37
SpamapSIt's failing with this in our CI update path:20:37
SpamapSConflict project: (pymysql.err.IntegrityError) (1062, u\"Duplicate entry 'default-admin' for key 'ixu_project_name_domain_id'\") [SQL: u'INSERT INTO project (id, name, domain_id, description, enabled, extra, parent_id, is_domain) VALUES (%(id)s, %(name)s, %(domain_id)s, %(description)s, %(enabled)s, %(extra)s, %(parent_id)s, %(is_domain)s)'] [parameters: {'is_domain': 0, 'description': 'Bootstrap20:38
SpamapSproject for initializing the cloud.', 'extra': '{}', 'enabled': 1, 'domain_id': 'default', 'parent_id': 'default', 'id':20:38
SpamapSin the past, re-running it just exited cleanly on duplicate key20:38
*** roxanaghe has joined #openstack-keystone20:38
nalindgyee: is it attempting to read anything from stdin? or expecting anything in the environment?20:39
gyeenalind, works now20:40
nalinddid something change?20:40
gyeeI changed to print(pem); exit(0) at the end20:41
gyeenow it works fine20:41
gyeeits now in MONITORING state20:41
nalindwhat was it doing before?20:41
*** fangxu has quit IRC20:41
gyeeit was doing "return pem"20:41
*** ayoung has quit IRC20:41
gyeeI thought I just return it20:41
gyeebut I left out the rest of the code I copied over from IPA20:42
nalindah. no idea what the python interpreter does when you return a string from main20:42
gyeeit interpret as non-zero :-)20:42
nalindlooks like. that's a relief20:42
*** pcaruana has quit IRC20:42
gyeenalind, ok, now lets see if it does auto renewal20:43
gyeeshall find out in an hour20:43
gyeenalind, thanks for the help!20:43
nalindglad to be of help20:43
*** rcernin has joined #openstack-keystone20:44
morganSpamapS: it should just exit on dupe20:45
SpamapSoh!20:47
SpamapSthat's INFO level20:47
*** jorge_munoz has joined #openstack-keystone20:47
SpamapSI think it's the order of our deploy tooling20:47
SpamapSkeystone-manage is exiting because there's no fernet keys20:47
SpamapSwhich seems....20:47
bknudsonthere was a fix just put in that was supposed to shut down keystone if there are no fernet keys20:47
SpamapSright20:48
SpamapSthat's the thing20:48
SpamapSit should shut down _keystone_, not keystone-manage.20:48
lbragstadhttps://github.com/openstack/keystone/commit/61873caef93bbadfc52fe4cedd836cd75df14c1720:48
SpamapSRight, Ok, so I think there's a fix here20:48
SpamapSjust to catch that error in manage20:48
*** jsavak has quit IRC20:49
openstackgerritAndrew Laski proposed openstack/oslo.policy: Add sample file generation script  https://review.openstack.org/31424420:50
openstackgerritAndrew Laski proposed openstack/oslo.policy: Add helper methods for generating policy info  https://review.openstack.org/31477420:50
*** fangxu has joined #openstack-keystone20:52
SpamapShm20:54
SpamapSno this is not that20:54
SpamapSred herring20:54
stevemararunkant: it's still being used, morgan and i are talking to the repo owner about taking over the repo20:55
bknudsonI wonder how this passed the gate? Do the devstack nodes have fernet keys pre-installed?20:55
bknudsonMaybe it's the order that keystone-manage runs in the gate.20:55
stevemararunkant: currently it's unmaintained and forgotten about :)20:55
stevemararunkant: the goal is to make it py3 compatible, release a new version and then change python-ldap to pyldap, and voila... py3 support in keystone \o/20:56
*** fangxu has quit IRC20:56
SpamapSbknudson: no it works fine20:57
arunkantstevemar: yes, that was the situation when I added ldappool in keystone..i have one issue which was better addressed in pool library, than handling it in keystone side, did not get any response20:57
SpamapSbknudson: red herring. Our deploy tooling was not restarting uwsgi20:57
bknudsonSpamapS: oh, got it.20:57
bknudsonthere was just a confusing or useless message printed?20:58
stevemararunkant: when we bring it under the keystone umbrella i was planning on looking at the open PRs for ldappool21:00
*** raildo is now known as raildo-afk21:00
SpamapSbknudson: a lot of logs yeah21:00
*** nalind has quit IRC21:01
*** gagehugo has quit IRC21:01
arunkantstevemar: Okay..I can provide more details on my issue logged on ldappool side.21:01
*** pushkaru has quit IRC21:02
*** pushkaru has joined #openstack-keystone21:02
edmondswstevemar, I made some further changes in https://review.openstack.org/#/c/311206/ , please reiterate your +1 if you're still on board there21:08
patchbotedmondsw: patch 311206 - python-openstackclient - Use resource id when name given for identity show21:08
morganSpamapS: phew.21:08
*** tonytan4ever has quit IRC21:10
*** ekarlso has quit IRC21:11
edmondswis there an IRC channel for openstackclient?21:11
rderosestevemar: okay21:11
stevemaredmondsw: #openstack-sdks21:11
edmondswtx21:11
*** ekarlso has joined #openstack-keystone21:14
openstackgerritClenimar Filemon proposed openstack/keystone: Add is_domain in token response  https://review.openstack.org/19733121:14
*** ayoung has joined #openstack-keystone21:15
*** ChanServ sets mode: +v ayoung21:15
*** pauloewerton has quit IRC21:15
rderosestevemar: #link https://blueprints.launchpad.net/keystone/+spec/pci-dss21:17
edmondswstevemar, I added the mitaka-backport-potential tag on https://bugs.launchpad.net/keystone/+bug/157780421:18
openstackLaunchpad bug 1577804 in OpenStack Identity (keystone) "/v3/users?name=<name> bypasses user_filter for LDAP" [Undecided,In progress] - Assigned to Matthew Edmonds (edmondsw)21:18
edmondswif you're looking for more things to review, the fix for that is at https://review.openstack.org/#/c/312126/21:18
patchbotedmondsw: patch 312126 - keystone - Honor ldap_filter on filtered user list21:18
edmondsw;)21:18
openstackgerritMerged openstack/keystone: Update documentation to remove keystone-all  https://review.openstack.org/31462821:18
*** slberger has joined #openstack-keystone21:19
*** slberger1 has quit IRC21:21
openstackgerritMerged openstack/keystone: Always add is_admin_project if admin project defined  https://review.openstack.org/31232321:21
morganstevemar: i'll start putting together the import ldappool patches.21:23
*** rderose has quit IRC21:24
openstackgerritRon De Rose proposed openstack/keystone: Add password table columns to meet PCI-DSS change password requirements  https://review.openstack.org/31428421:27
*** belmoreira has quit IRC21:30
*** haplo37 has quit IRC21:30
openstackgerritayoung proposed openstack/keystone: Add is_domain in token response  https://review.openstack.org/19733121:32
*** rderose has joined #openstack-keystone21:34
*** edmondsw has quit IRC21:34
rodrigodsstevemar, regarding the idp tests, would be great to have more ppl taking a look on it! :)21:47
*** julim has quit IRC21:47
*** gordc has quit IRC21:47
*** lhcheng has joined #openstack-keystone21:51
*** ChanServ sets mode: +v lhcheng21:51
*** jsavak has joined #openstack-keystone21:55
*** slberger has left #openstack-keystone21:59
*** gagehugo has joined #openstack-keystone22:00
morganstevemar: https://review.openstack.org/31526722:02
rodrigodsstevemar, i guess i understood https://review.openstack.org/#/c/279828/11, but would be good to check it working in a real env with transport_url22:11
patchbotrodrigods: patch 279828 - keystonemiddleware - Adding audit middleware specific notification driv...22:11
*** rderose has quit IRC22:12
*** jsavak has quit IRC22:12
*** gagehugo has quit IRC22:18
*** sigmavirus24 is now known as sigmavirus24_awa22:19
*** ozialien10 has joined #openstack-keystone22:21
openstackgerritMerged openstack/keystonemiddleware: Handle cache invalidate outside cache object  https://review.openstack.org/26866222:24
openstackgerritClenimar Filemon proposed openstack/keystoneauth: Add is_domain to keystoneauth token  https://review.openstack.org/28237722:33
*** fangxu has joined #openstack-keystone22:33
openstackgerritMerged openstack/keystonemiddleware: use the same context across a request  https://review.openstack.org/21688922:34
*** roxanaghe has quit IRC22:34
*** gagehugo has joined #openstack-keystone22:34
*** gagehugo has quit IRC22:35
*** pumarani__ has joined #openstack-keystone22:36
*** pushkaru has quit IRC22:36
*** gagehugo has joined #openstack-keystone22:36
*** roxanaghe has joined #openstack-keystone22:37
*** phalmos has quit IRC22:39
jamielennoxstevemar: has the gate pip issue been fixed?22:44
*** ninag__ has quit IRC22:46
*** xek has quit IRC22:46
*** xek has joined #openstack-keystone22:47
*** dmk0202 has quit IRC22:47
*** gagehugo has quit IRC22:56
*** dan_nguyen has quit IRC22:59
*** gagehugo has joined #openstack-keystone23:00
*** jamielennox is now known as jamielennox|away23:02
*** pumarani__ has quit IRC23:02
*** pushkaru has joined #openstack-keystone23:02
*** agrebennikov has quit IRC23:03
*** ninag has joined #openstack-keystone23:06
*** pushkaru has quit IRC23:08
*** r-daneel has quit IRC23:08
openstackgerritMerged openstack/keystone: Restructure endpoint policy abstract driver  https://review.openstack.org/30737323:08
*** ninag has quit IRC23:11
*** zigo has quit IRC23:14
*** Daviey has quit IRC23:15
*** dan_nguyen has joined #openstack-keystone23:15
*** Daviey has joined #openstack-keystone23:15
*** zigo has joined #openstack-keystone23:15
*** cburgess has quit IRC23:15
*** cburgess has joined #openstack-keystone23:16
*** furface has joined #openstack-keystone23:22
*** pushkaru has joined #openstack-keystone23:23
*** roxanaghe has quit IRC23:24
*** ninag has joined #openstack-keystone23:26
*** timcline has quit IRC23:26
*** ozialien10 has quit IRC23:27
*** pushkaru has quit IRC23:27
*** ozialien10 has joined #openstack-keystone23:28
*** ozialien10 has quit IRC23:37
*** ozialien10 has joined #openstack-keystone23:38
*** gagehugo has left #openstack-keystone23:46
*** ninag has quit IRC23:49
*** BjoernT has quit IRC23:50
*** simondodsley has quit IRC23:50
*** erhudy has quit IRC23:51
*** jamielennox|away is now known as jamielennox23:51
*** timcline has joined #openstack-keystone23:57
*** jsavak has joined #openstack-keystone23:58
