Monday, 2016-06-06

*** clayton has joined #openstack-keystone00:00
*** amakarov has quit IRC00:33
*** shoutm_ has joined #openstack-keystone00:34
*** shoutm has quit IRC00:35
*** amakarov has joined #openstack-keystone00:39
*** shoutm_ has quit IRC00:48
*** shoutm has joined #openstack-keystone00:49
*** edtubill has quit IRC00:58
*** edtubill has joined #openstack-keystone00:59
*** edtubill has quit IRC01:03
*** iurygregory has quit IRC01:20
*** EinstCrazy has joined #openstack-keystone01:25
*** EinstCrazy has quit IRC01:29
*** EinstCrazy has joined #openstack-keystone01:30
openstackgerritAlex Xu proposed openstack/oslo.policy: Add note about not all APIs support policy enforcement by user_id  https://review.openstack.org/32564501:39
*** shoutm has quit IRC01:58
*** chlong has joined #openstack-keystone02:04
*** shoutm has joined #openstack-keystone02:04
*** tqtran has joined #openstack-keystone02:16
*** tqtran has quit IRC02:21
*** shoutm has quit IRC02:31
*** ozialien10 has quit IRC02:42
*** shoutm has joined #openstack-keystone02:53
*** sheel has joined #openstack-keystone03:09
*** jrist has quit IRC03:16
*** jrist has joined #openstack-keystone03:30
*** chlong has quit IRC03:34
*** dave-mccowan has quit IRC03:41
*** chlong has joined #openstack-keystone03:51
*** achatterjee has joined #openstack-keystone04:07
*** amit213 has quit IRC04:08
*** vint_bra has joined #openstack-keystone04:23
*** chlong has quit IRC04:26
*** chlong has joined #openstack-keystone04:38
*** nisha has joined #openstack-keystone04:41
*** jaosorior has joined #openstack-keystone04:41
*** vint_bra has quit IRC04:41
nishahey all!04:41
*** vint_bra has joined #openstack-keystone04:45
*** vint_bra has quit IRC04:56
*** nisha has quit IRC05:03
*** nisha has joined #openstack-keystone05:03
*** chlong has quit IRC05:05
openstackgerritSteve Martinelli proposed openstack/keystone: clean up test_resource_uuid  https://review.openstack.org/28154605:05
notmorganstevemar: i expect to have python-memcached soon05:06
stevemaro/05:06
stevemarpython-memcached soon?05:06
notmorganwill be coordinating with sean this week05:06
notmorganthe current maintainer to import into our infra05:07
notmorganand then we have a chunk of options :)05:07
*** pcaruana has quit IRC05:13
*** chlong has joined #openstack-keystone05:18
*** chlong has quit IRC05:37
*** GB21 has joined #openstack-keystone05:49
*** TxGVNN has joined #openstack-keystone05:55
*** josecastroleon has joined #openstack-keystone05:57
jamielennoxdo we want to have python-memcached?06:02
*** openstackgerrit has quit IRC06:02
*** openstackgerrit has joined #openstack-keystone06:03
notmorganjamielennox: easier to own it and fix it than convert to oymemcshce etc06:05
notmorganjamielennox: pymemcache* as the interfaces are very different06:05
openstackgerritRyosuke Mizuno proposed openstack/keystone: Add validation rules for create token using a JSON schema  https://review.openstack.org/32508606:12
*** tqtran has joined #openstack-keystone06:18
*** tqtran has quit IRC06:22
*** GB21 has quit IRC06:25
*** chlong has joined #openstack-keystone06:31
*** henrynash_ has joined #openstack-keystone06:35
*** ChanServ sets mode: +v henrynash_06:35
achatterjeeHi, I am working on liberty, and I observed the following: in a 4CPU environment, if I set admin_workers=4 in keystone.conf, the number of processes does not increase. multiple requests sent to keystone are thus handled sequentially, whereas for 4core setup there could be parallel processing.06:46
achatterjeeis this a known phenomenon ? or am i missing something here?06:46
*** tesseract has joined #openstack-keystone06:53
*** nisha_ has joined #openstack-keystone07:04
*** nisha has quit IRC07:05
*** frontrunner has quit IRC07:06
*** frontrunner has joined #openstack-keystone07:07
*** yolanda has quit IRC07:09
jamielennoxachatterjee: it's likely to do with how you're deploying, that option works for eventlet deploys (using bin/keystone-all) but if you're on apache or other it won't do anything07:11
jamielennoxthose servers all have their own ways of controlling the number of processes that get spawned07:12
*** yolanda has joined #openstack-keystone07:13
openstackgerritJamie Lennox proposed openstack/keystone: Pass a request to controllers instead of a context  https://review.openstack.org/31865807:14
*** pcaruana has joined #openstack-keystone07:14
*** jed56 has joined #openstack-keystone07:22
openstackgerritJamie Lennox proposed openstack/keystoneauth: Use SAML2 requests plugin  https://review.openstack.org/25505607:27
*** daemontool has joined #openstack-keystone07:31
*** tesseract has quit IRC07:32
*** tesseract has joined #openstack-keystone07:33
achatterjee@jamielennox - i'm on apache. In kilo however there was multi threaded processing. I noticed this in liberty only.07:35
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Use oslo_cache in auth_token middleware  https://review.openstack.org/26866407:43
*** tesseract has quit IRC07:46
*** tesseract has joined #openstack-keystone07:46
jamielennoxachatterjee: so i'm guessing that's when you changed from the keystone-all runner to apache (which might have been done by your distro if you didn't notice)07:52
jamielennoxachatterjee: http://modwsgi.readthedocs.io/en/develop/user-guides/processes-and-threading.html#the-mod-wsgi-daemon-processes07:53
jamielennoxso in mod_wsgi you should be using daemon mode and then you set process=X threads=Y in your apache conf07:53
jamielennoxsimilarly if it's uwsgi there's another method07:54
jamielennoxjust that those values are only read by the old eventlet process started07:54
jamielennoxstarter07:54
*** al_loew has joined #openstack-keystone07:56
*** chlong has quit IRC07:56
*** zzzeek has quit IRC08:00
*** zzzeek has joined #openstack-keystone08:00
*** mancdaz has quit IRC08:04
*** mancdaz has joined #openstack-keystone08:11
openstackgerritRyosuke Mizuno proposed openstack/keystone: Add validation rules for create token using a JSON schema  https://review.openstack.org/32508608:13
*** nisha__ has joined #openstack-keystone08:14
*** nisha_ has quit IRC08:17
*** dimonv has joined #openstack-keystone08:18
*** nisha__ has quit IRC08:20
*** TxGVNN has quit IRC08:22
*** jaosorior has quit IRC08:23
*** jaosorior has joined #openstack-keystone08:23
*** EinstCra_ has joined #openstack-keystone08:33
*** EinstCrazy has quit IRC08:33
*** shoutm has quit IRC08:35
*** _amrith_ is now known as amrith08:37
*** aloga has quit IRC08:40
*** jaosorior is now known as jaosorior_lunch08:48
*** nisha has joined #openstack-keystone08:52
*** aloga has joined #openstack-keystone08:52
*** mvk has joined #openstack-keystone08:54
*** permalac has joined #openstack-keystone09:22
*** nisha has quit IRC09:23
*** nisha has joined #openstack-keystone09:23
*** pnavarro has joined #openstack-keystone09:23
nishahey samueldmq09:24
*** pnavarro has quit IRC09:34
*** amrith is now known as _amrith_09:41
samueldmqnisha: hi09:42
nishasamueldmq, how was the conference? :)09:42
samueldmqnisha: it was good, thanks09:50
samueldmqnisha: hope you had a nice weekend too09:50
nishayeah, my summer vacations started, so I travelled and came home09:51
nishasamueldmq, I was going through the user functional tests you worked on, https://review.openstack.org/#/c/289306/09:52
patchbotnisha: patch 289306 - python-keystoneclient - Add users functional tests09:52
*** jaosorior_lunch is now known as jaosorior09:52
samueldmqnisha: so, from there you can basically know what the tests would look like for other entities too09:53
samueldmqnisha: tests are simple, create and check the entity, retrieve and check, etc09:54
nishasamueldmq, alright09:55
*** daemontool has quit IRC09:59
*** pnavarro has joined #openstack-keystone10:26
openstackgerritMerged openstack/keystone: Adding role assignment lists unit tests  https://review.openstack.org/25443610:32
*** al_loew has quit IRC10:35
nishasamueldmq, Sir I was looking at keystoneclient/tests/functional/v3/test_users.py to see the tests. You told me once that they test this https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/v3/users.py10:40
nishasamueldmq, I am not able to understand the functions, written in test_user.py e.g. check_user10:42
nishaHow are these functions used and what for, assertIsNotNone or assertIn ?10:43
*** chlong has joined #openstack-keystone10:44
nishaCan you please explain a bit or point a documentation that I can go through?10:44
*** daemontool has joined #openstack-keystone10:47
samueldmqnisha: those functions are used for testing .. see https://docs.python.org/2.7/library/unittest.html10:55
samueldmqnisha: assertIsNotNone asserts an object is not None type in python, otherwise it fails10:55
samueldmqnisha: assertIn asserts an object is included in a list, failing otherwise10:55
*** nisha_ has joined #openstack-keystone11:01
*** nisha has quit IRC11:01
*** nisha_ has quit IRC11:03
*** nisha_ has joined #openstack-keystone11:08
*** nisha_ is now known as nisha11:10
nishasamueldmq, thank you, reading the doc11:12
*** henrynash_ has quit IRC11:16
samueldmqnisha: it may be useful for you to create a few tests using that library's method11:23
samueldmqmethods/functions11:24
samueldmqnisha: just to get familiar with it11:24
*** iurygregory has joined #openstack-keystone11:29
*** TxGVNN has joined #openstack-keystone11:33
*** dave-mccowan has joined #openstack-keystone11:46
*** pauloewerton has joined #openstack-keystone11:47
*** _amrith_ is now known as amrith12:01
*** markvoelker has joined #openstack-keystone12:01
*** julim has joined #openstack-keystone12:37
*** rodrigods has quit IRC12:38
*** rodrigods has joined #openstack-keystone12:38
*** afred312 has quit IRC12:41
*** afred312 has joined #openstack-keystone12:42
*** afred312 has quit IRC12:42
*** rcernin has joined #openstack-keystone12:58
*** rcernin has quit IRC12:59
*** EinstCra_ has quit IRC13:02
*** nisha has quit IRC13:04
*** nisha has joined #openstack-keystone13:05
*** ayoung has joined #openstack-keystone13:07
*** ChanServ sets mode: +v ayoung13:07
*** TxGVNN has quit IRC13:07
*** setuid has joined #openstack-keystone13:16
*** afred312 has joined #openstack-keystone13:18
*** edmondsw has joined #openstack-keystone13:26
*** henrynash_ has joined #openstack-keystone13:27
*** ChanServ sets mode: +v henrynash_13:27
*** roxanaghe has joined #openstack-keystone13:32
*** roxanaghe has quit IRC13:32
*** agrebennikov has joined #openstack-keystone13:36
*** anteaya has joined #openstack-keystone13:38
*** agrebennikov has quit IRC13:41
*** aurelien__ has joined #openstack-keystone13:42
*** dmk0202 has joined #openstack-keystone13:44
*** aurelien__ has quit IRC13:49
openstackgerritRon De Rose proposed openstack/keystone: Add password table columns to meet PCI-DSS change password requirements  https://review.openstack.org/31428413:50
*** sdake has joined #openstack-keystone13:51
*** permalac has quit IRC13:54
*** julim has quit IRC13:55
*** sdake_ has joined #openstack-keystone13:56
*** julim has joined #openstack-keystone13:57
*** ametts has joined #openstack-keystone13:57
samueldmqkeystone cores, the rest of migrating from migrating api-ref to our own repo is up to review13:58
samueldmqhttps://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:migrate-identity-api-ref13:58
*** sdake has quit IRC13:58
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Change password requirements  https://review.openstack.org/32015614:00
*** BjoernT has joined #openstack-keystone14:01
*** sigmavirus24_awa is now known as sigmavirus2414:01
*** gordc has joined #openstack-keystone14:01
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password strength requirements  https://review.openstack.org/32058614:02
*** fundcor has left #openstack-keystone14:03
*** fawadkhaliq has joined #openstack-keystone14:05
*** rderose has joined #openstack-keystone14:07
*** yolanda has quit IRC14:10
*** yolanda has joined #openstack-keystone14:10
openstackgerritAndrew Laski proposed openstack/oslo.policy: Add equality operator to policy.RuleDefault  https://review.openstack.org/32124214:13
openstackgerritAndrew Laski proposed openstack/oslo.policy: Add helper scripts for generating policy info  https://review.openstack.org/32124314:13
openstackgerritAndrew Laski proposed openstack/oslo.policy: Add sample file generation script and helper methods  https://review.openstack.org/31424414:13
openstackgerritMatthew Edmonds proposed openstack/keystone: Honor ldap_filter on filtered group list  https://review.openstack.org/32593914:17
*** dan_nguyen has joined #openstack-keystone14:18
*** richm has joined #openstack-keystone14:29
*** raddaoui has joined #openstack-keystone14:30
*** permalac has joined #openstack-keystone14:33
henrynashayoung, lbragstad: hi14:35
*** rk4n has joined #openstack-keystone14:35
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Change password requirements  https://review.openstack.org/32015614:36
ayounghenrynash, so...I think you have enough feedback from monty and notmorgan to go with, right?14:38
henrynash_ayoung: yep, agreed14:39
henrynash_ayoung: separate subject14:39
ayoungI couldn't quite parse the final steps of the conversation, but it sounded like they were firm on one of the approaches...can you summarize which?14:39
ayoungAh..OK, go on14:39
*** edtubill has joined #openstack-keystone14:40
henrynash_ayoung: do you think there is mileage on having an option to (effectively) have a cache on whether a fernet token has been revoked….i.e. so if a deployer was OK with fernet tokens taking, say 300s to expire after revocation, then we could improve performance?14:40
ayounghenrynash_, I suspect that we are going to have that with Galera and multisite anyway14:41
*** GB21 has joined #openstack-keystone14:41
henrynash_ayoung: do you mean that we will need it…or that somehow we get that for free?14:41
ayounghenrynash_, I mean that somehow we will get bug reports on it working that way when people don't realize that revocations are DB replicated14:42
henrynash_ayoung: ah, I’m with you!14:42
ayounghenrynash_, revocations are dumb14:42
ayoungI really don't want to spend my adult years this way14:43
henrynash_ayoung: trying to see how we can shave down the cost of a fernet validation14:43
ayoungI'd rather be14:43
ayounga lumberjack14:43
henrynash_ayoung: (now, we’re talking)14:43
henrynash_(or singing)14:43
*** josecastroleon has quit IRC14:44
ayoungLeaping from tree to tree as they float down the mighty rivers of British Columbia14:44
*** d0ugal has quit IRC14:44
ayoungThe giant redwood, the larch, the fir, the mighty scots pine.14:44
henrynash_ayoung: :-)14:44
ayounganyway14:44
*** sdake_ has quit IRC14:45
openstackgerritAlexander Makarov proposed openstack/keystone: Add failed auth attempts logic to meet PCI-DSS  https://review.openstack.org/32402914:46
*** dan_nguyen has quit IRC14:47
*** vint_bra has joined #openstack-keystone14:48
lbragstaddolphm chain starts here - https://review.openstack.org/#/c/325514/14:48
patchbotlbragstad: patch 325514 - keystone - Add caching config for federation14:48
*** fawadkhaliq has quit IRC14:49
*** permalac has quit IRC14:52
openstackgerritKristi Nikolla proposed openstack/keystone: Devstack plugin for Federation  https://review.openstack.org/32062314:54
*** timcline has joined #openstack-keystone14:54
*** TxGVNN has joined #openstack-keystone14:54
knikollabreton: ^^14:55
*** gagehugo has joined #openstack-keystone14:58
*** mvk has quit IRC14:59
*** josecastroleon has joined #openstack-keystone15:04
*** dmk0202 has quit IRC15:05
*** nisha_ has joined #openstack-keystone15:06
bretonknikolla: thank you15:06
bretonknikolla: $mapping_file=$KEYSTONE_PLUGIN_FILES/mapping-k2k.json15:06
bretonknikolla: does it work? :) i think the $ in the beginning should not be there.15:06
knikollabreton: oops, you are right!15:07
openstackgerritKristi Nikolla proposed openstack/keystone: Devstack plugin for Federation  https://review.openstack.org/32062315:08
knikollabreton: fixed. i haven't tried it yet though.15:09
knikollabreton: will try now.15:09
*** nisha has quit IRC15:09
*** KevinE has joined #openstack-keystone15:11
*** nisha_ is now known as nisha15:15
*** dgonzalez has quit IRC15:17
*** dgonzalez has joined #openstack-keystone15:19
*** diazjf has joined #openstack-keystone15:19
*** tonytan4ever has joined #openstack-keystone15:19
henrynash_lbragstad: hi15:22
lbragstadhenrynash_ hey15:22
henrynash_lbragstad: so I’m also looking at token validation performance...15:23
henrynash_lbragstad: what’s your view on where the time is going, that makes us so much slower than UUID to validate….15:23
lbragstadhenrynash_ I think it's because we rebuild everything on the fly with Fernet tokens (because things aren't persisted anywhere)15:24
lbragstadwhereas with UUID tokens, it's just a database read15:24
lbragstadand we regurgitate whatever is stored in the database back to the user15:24
henrynash_lbragstad: agreed….do you have a feeling on whether it’s just reading the data (which by now I’d hope most is cached)….or the revocation check?15:25
lbragstadhenrynash_ as of last release - we have been adding a lot of patches for caching15:25
lbragstadlike role assignments, catalog, etc...15:25
henrynash_lbragstad: yep, noticed that15:26
lbragstadwhich should be making everything faster15:26
lbragstadso I think the next logical thing to start investigating would be the revocation events15:26
lbragstadsince that gets rebuilt and compared to every Fernet token that is validated15:26
henrynash_lbragstad: I wondered about the idea of just caching the token response, and giving the option for a deployer to say whether it’s Ok to have invalidated tokens only expire after the cache times out15:27
*** spzala has joined #openstack-keystone15:27
henrynash_lbragstad: for many cases, maybe that’s ok?15:27
lbragstadhenrynash_ don't we already do that with token caching?15:27
henrynash_lbragstad: I couldn’t see that we do that for fernet15:27
henrynash_lbragstad: we do, I think, for UUID15:28
lbragstadhttps://github.com/openstack/keystone/blob/master/keystone/token/provider.py#L31515:28
henrynash_lbragstad: but does that actually get called for fernet?15:28
lbragstadhenrynash_ _validate_token() does for sure - https://github.com/openstack/keystone/blob/master/keystone/token/provider.py#L29015:29
lbragstadhttps://github.com/openstack/keystone/blob/master/keystone/token/provider.py#L295-L29815:29
*** rk4n_ has joined #openstack-keystone15:30
henrynash_…exactly, so doesn’t that mean we DON’T call validate_v3_token15:31
lbragstadhenrynash_ only if we've already cached a fernet token, right?15:32
henrynash_lbragstad: ah, right15:32
henrynash_lbragstad…but isn’t the sequence: Controller calls validate_v3_token, which calls validate_non_persistent_token?15:33
*** rk4n has quit IRC15:33
*** josecastroleon has quit IRC15:34
henrynash_lbragstad: ..and we never get to _validate_token()15:35
*** dan_nguyen has joined #openstack-keystone15:35
openstackgerritMerged openstack/keystonemiddleware: Improve documentation for auth_uri  https://review.openstack.org/31029015:35
zigoHas keystone removed its capability to run as a standalone server?15:35
zigoDoes it require Apache now?15:35
lbragstadwe call _validate_non_persistent_token with validate_v3_token, validate_v2_token and _validate_token15:35
zigo(ie: in Newton b1)15:35
lbragstadhenrynash_ i think part of that problem is that we have different parts of keystone that enter into the token provider at different places15:36
henrynash_lbragstad: agreed…It’s hellishly confusing!15:37
lbragstadyes - it is15:37
dstanekzigo: it doesn't technically require Apache, just a WSGI server - Apache is the recommended one15:37
lbragstadhenrynash i think one good step forward that would help with understanding/consolidating the problem would be to make a single entry point into the token provider module15:37
zigodstanek: Ok, well just wanted to know, as I'm packaging Newton b1.15:38
henrynash_lbragstad: but it does appear to me that the /auth/tokens validation DOESN’T call _validate_token for non-persistent token formats…hence no caching15:38
lbragstadright now the token_provider_api has validate_v2_token, validate_v3_token (which are pretty straight-forward), but we also have a validate_token() method15:38
lbragstadhenrynash auth/tokens/ ?15:39
*** d0ugal has joined #openstack-keystone15:39
lbragstadhenrynash do you mean from the auth controller?15:39
henrynash_lbragstad: the auth controller calls token_provider_api.validate_v3_token to validate a v3 token15:40
lbragstadhenrynash https://github.com/openstack/keystone/blob/master/keystone/auth/controllers.py#L56015:40
lbragstadyep15:40
lbragstadhenrynash which calls - https://github.com/openstack/keystone/blob/master/keystone/token/provider.py#L26715:40
bknudsonzigo: you can use uwsgi or gunicorn to run keystone standalone15:40
zigobknudson: Yeah, that's what I'm about to do.15:40
zigobknudson: I hate using a web server, that's IMO a very bad way to do things.15:41
henrynash_yep…which for non-persistent tokens bypasses _validate_token15:41
zigobknudson: Simply because then, when adding / removing / reconfigure an unrelated service, then you got to restart them all.15:41
bknudsonzigo: for devstack we'll likely switch to apache forwarding to uwsgi15:41
henrynash_line 27715:41
lbragstadhenrynash yes15:41
lbragstadhenrynash i see what you mean15:41
zigobknudson: The only issue is that uwsgi is *very* badly maintained in Debian. :(15:42
bknudsonzigo: actually, we already have a devstack setup that does apache forwarding to uwsgi, just tuning it now.15:42
lbragstadhenrynash we should change /auth/controllers.py to call - https://github.com/openstack/keystone/blob/master/keystone/token/provider.py#L20415:42
notmorganbknudson: gunicorn does not work atm15:42
bknudsonto get rid of the port.15:42
zigoCool.15:42
bknudsonnotmorgan: what's wrong with gunicorn?15:42
bknudsoneventlet?15:43
notmorganoslo config conflicts with its options15:43
bknudsonthat's weird.15:43
notmorganpython argparse15:44
henrynash_lbragstad: I don’t think so, first list is to generate an ID !15:44
henrynash_lbragstad: actually, not sure what that does15:44
notmorganwe need to remove cli options for keystone or somehow fix oslo.config15:44
notmorganbut gunicorn gets real cranky15:45
*** pnavarro has quit IRC15:45
lbragstadhenrynash_15:46
lbragstadhttps://github.com/openstack/keystone/blob/master/keystone/token/utils.py#L1715:46
henrynash_lbragstad: which seems irrelevant for fernet!15:46
notmorganit was the main reason i pushed for uwsgi instead of gunicorn15:46
*** gyee has joined #openstack-keystone15:46
*** ChanServ sets mode: +v gyee15:46
*** TxGVNN has quit IRC15:47
notmorgansince we had to maintain eventlet support and cli options15:47
*** TxGVNN has joined #openstack-keystone15:47
bknudsonI don't know how you pass CLI options to uwsgi.15:47
*** KevinE has quit IRC15:47
bknudsonI didn't think you could15:47
henrynash_lbragstad: ok, so at least we agree there is a problem here….I’ll investigate further….15:48
lbragstadhenrynash_ yeah - that seems like it's PKI specific15:48
bknudsonyou can do it running keystone-admin / public scripts now.15:48
lbragstadhenrynash_ one thing we do know is that token caching doesn't seem to be working for Fernet + v315:48
lbragstadhenrynash_ right?15:48
henrynash_lbragstad: yep15:49
lbragstadhenrynash_ can we open a bug against that?15:49
bknudsonwe're not caching fernet tokens, though?15:49
*** josecastroleon has joined #openstack-keystone15:49
bknudsonjust the data that fernet uses (like role assignments)15:49
henrynash_lbragstad, bknudson: correct15:49
bknudsonor did you want to actually cache token_id -> data?15:49
lbragstadwell we have @MEMOIZE wrapping a bunch of the validate token methods in the token_provider_api15:50
bknudsondid we cache uuid tokens like this?15:50
henrynash_bknudson: but it occurred to me that if we did actually cached of the ID (like we do for other token types), then we wouldn't do all the revocation checking, etc.15:50
zigoWhat's the launchpad package for os-api-ref ?15:50
henrynash_bknudson: I think so, yes...15:50
zigoKeystone needs it, but it contains a compressed/minified javascript of bootstrap 3.2.0 ...15:51
zigo(ie: that's non-free in debian's world...)15:51
lbragstadhenrynash_ the revocation checking is unrelated to the actual caching of the token - right?15:51
henrynash_bknudson: I walked through the code today, and it appears we DO cache tokens that are persistent, but not those that are non-persistent !!15:51
bknudsonwe'd still need to check for revocations, although should be easy to invalidate the cache for a token that's revoked.15:51
*** KevinE has joined #openstack-keystone15:52
lbragstadbknudson yeah15:52
bknudsonseems like you wouldn't want to cache tokens just due to the size... memcache line is only so long.15:52
henrynash_lbragstad: except I was wondering if we provided an option to allow a deployer to say that it was OK for revoked tokens to live for no more than the cache lifetime, we could (effectively) cache that answer too15:52
lbragstadbknudson but we cache a bunch of other things - like role assignments, catalogs, etc... and we invalidate those15:52
henrynash_bknudson: and if that’s true, then even what I suggest isn’t required15:53
lbragstadthe revocation event problem isn't related to caching stuff I don't think .15:53
dstanekzigo: why does keystone need that?15:54
lbragstadthe reason being is because the revocation event is the only way we can tell if a token has been revoked in certain cases.15:54
henrynash_lbragstad: but we search for revocation events as part of validation, no15:54
henrynash_?15:54
lbragstadsince we have no persistent record of the token15:54
lbragstadhenrynash_ right15:54
lbragstadhenrynash_ so if someone is caching fernet tokens, they wouldn't be validating against the revocation events (I'd have to double check that code path though)15:55
henrynash_lbragstad: so what if we cached the (boolean) answer to that15:55
bknudsonI think the default is 1MB for the item size -- "Override the default size of each slab page. Default is 1mb."15:55
bknudsonso that should be big enough for a token15:55
*** sdake has joined #openstack-keystone15:56
zigodstanek: For its sphinx doc.15:56
henrynash_lbragstad: basically that’s what I’m trying to get us to….If I have a fernet token and use it 1000 times, then most of the time I don’t the to hit the DB15:56
KevinEboris-42: Hello! Has agrebennikov had a chance to speak to you about the Rally/keystone bug we have been trying to figure out?15:57
bknudsonhenrynash_: since all the data to rebuild the fernet token is cached then it won't hit the db15:57
lbragstadhenrynash_ after the first validation you shouldn't hit the db15:57
bknudsonit'll hit the cache a few times.15:57
dstanekzigo: to generate the docs? i'm not familiar with that as a dependency15:57
henrynash_bknudson: if that were true, agreed…15:57
zigodstanek: $ grep os-api-ref test-requirements.txt15:58
zigoos-api-ref>=0.1.0 # Apache-2.015:58
zigodstanek: Or maybe I can just skip it?15:58
*** dmk0202 has joined #openstack-keystone15:58
henrynash_bknudson, lbragstad: as an aside, I also noticed that we don’t pass down whether to include the catalog from the controller for validation…we also return it then strip it out at the controller15:59
henrynash_…if it is not required15:59
bknudsonI'm not sure if anyone is even using the option to include catalog anywhere.15:59
lbragstadhenrynash_ i go back and forth on that15:59
dstanekzigo: do you need to package all the test requirements when you package keystone?16:00
henrynash_bknudson: you mean the option to not include it?16:00
bknudsonwhen checking x-auth-token there's no need to get the catalog since keystone doesn't care.16:00
*** dimonv has quit IRC16:00
dolphmnonameentername: is this a transient failure? http://logs.openstack.org/periodic-stable/periodic-keystone-python27-db-mitaka/a445f52/console.html#_2016-06-02_06_15_19_20516:00
zigodstanek: Everything that is used in unit tests, yes, so I can run unit tests at build time, and everything which is used to run sphinx-build, so I can package the doc.16:00
bknudsonhenrynash_: yes, I wonder if anyone is setting that option on the validate request.16:00
zigodstanek: It's like that for *all* packages I do.16:00
bknudsonyou can configure it in auth_token middleware... not sure if you can set it on the session even?16:01
zigoI don't *have* to, but like this, we find lots and lots of issues before actually trying the software.16:01
lbragstadhenrynash_ I think that the controller layer or core layer should be handling the "should this data look like v2 or v3?" question and the token provider should just provide that data. Its interface should be issue_token(), validate_token() and revoke_token()16:01
bknudsonlbragstad: the tricky part is the catalog is so different from v2 to v3.16:01
lbragstadbknudson right16:02
lbragstadright now all of the logic that figures out how the catalog looks lives in the token provider16:02
lbragstadand it's kind of confusing because there are edge cases everywhere16:02
bknudsonsolvable but it'll take some time.16:03
lbragstadright - it's a huge refactor16:03
lbragstadone that would probably be easier with only one token providers supported16:03
lbragstadprovider*16:03
bknudsonshould be able to change the controller to only request v3 tokens16:04
bknudsonthen do the translation16:04
bknudsonthen can remove the v2 code from the providers16:04
bknudsonbut I think that the v3 response is missing data that v2 needs so that would have to be changed, too.16:05
lbragstadthe auth controllers should be in charge of making the token data look a certain way16:05
henrynash_lbragstad: agreed16:05
lbragstadif the v3 auth controller gets a token ID, then i should be able to pass that to the token_provider_api, which just passes back a token object... then the auth controller should just format its response in a way that makes sense for v316:06
*** dmk0202 has quit IRC16:06
lbragstadthat would remove all the v3 and v2 logic and edge cases from the token provider paths16:06
lbragstadand keep them in the controllers, where they are explicit16:07
*** ddieterly has joined #openstack-keystone16:08
lbragstadand as an added benefit - when a particular token version goes away, all the logic for it goes with it16:08
*** jaugustine has joined #openstack-keystone16:10
*** lamt_ has joined #openstack-keystone16:12
lbragstadhenrynash_ bknudson so - where do we want to start? ;)16:12
henrynash_lbragstad: so I think the need is pressing for us to at least achieve the “validate a fernet token should have all its DB accesses cached”16:13
henrynash_lbragstad: and many are now covered16:14
henrynash_lbragstad: (e.g. role assignments)16:14
lbragstadhenrynash_ I have two patches that need to land to help with that16:14
lbragstadhenrynash_ https://review.openstack.org/#/c/325514/116:14
patchbotlbragstad: patch 325514 - keystone - Add caching config for federation16:14
henrynash_lbragstad: if we can achieve that (which might be worth back porting to Mitaka, ideally), then we can think about refactoring16:15
henrynash_lbragstad: you added a catalog cache already, right?16:16
lbragstadhenrynash_ yeah - and a role assignment cache16:16
lbragstadwe merged both of those at the last keystone midcycle16:16
henrynash_lbragstad: cool16:16
henrynash_lbragstad: are you able to get performance numbers on these changes…I saw you did post some with a few of these patche16:17
henrynash_patches16:17
lbragstadhenrynash_ I need to recollect numbers16:17
lbragstadhenrynash_ i also asked for some input on the mailing list last week16:18
lbragstadhttp://lists.openstack.org/pipermail/openstack-dev/2016-June/096593.html16:18
henrynash_lbragstad: I remember that UUID validations were around 5ms….I dont see why we shouldn’t be able to get to the same thing…16:18
lbragstadhenrynash_ i would like to try and find a way performance test patches before we merge them16:18
henrynash_lbragsatd: agreed….I fully support that16:19
lbragstadbut we need to have a performance test environment that isn't susceptible to noisy neighbors16:19
*** TxGVNN has quit IRC16:19
lbragstadand it needs to be recreatable16:19
lbragstadso - last friday I started working on using openstack/ansible to deploy stand-alone keystone16:19
lbragstadand start writing a basic set of performance tests (token create and token validate)16:20
*** josecastroleon has quit IRC16:20
lbragstadrun the tests against master - then run the tests against keystone built with the patch under review16:20
lbragstadthen publish the results to gerrit as a comment on the patch16:20
bknudsonopenstack/ansible doesn't support standalone keystone?16:20
henrynash_lbragstad: cool16:21
lbragstadbknudson openstack/ansible has an os_keystone role that is isolated from the rest of the ansible bits for standing up the rest of the openstack services16:21
*** tqtran has joined #openstack-keystone16:21
lbragstadbut you have to provide it a certain set of variables in order to get it to stand up by itself16:21
lbragstadhttps://github.com/openstack/openstack-ansible-os_keystone16:22
*** ddieterly is now known as ddieterly[away]16:22
*** josecastroleon has joined #openstack-keystone16:23
*** jaosorior has quit IRC16:23
*** ddieterly[away] is now known as ddieterly16:23
*** ddieterly is now known as ddieterly[away]16:23
*** jaosorior has joined #openstack-keystone16:24
bknudsonopenstack/ansible should switch to uwsgi.16:24
*** ddieterly[away] is now known as ddieterly16:25
*** tqtran has quit IRC16:25
*** rk4n has joined #openstack-keystone16:26
bknudsonwhy have keystone_pip_packages config option? keystone has requirements.txt.16:26
*** woodster_ has joined #openstack-keystone16:26
*** rk4n_ has quit IRC16:28
openstackgerritRon De Rose proposed openstack/keystone: Add password table columns to meet PCI-DSS change password requirements  https://review.openstack.org/31428416:29
*** tesseract has quit IRC16:33
*** pcaruana has quit IRC16:34
openstackgerritRon De Rose proposed openstack/keystone: Drop EPHEMERAL user type  https://review.openstack.org/29663916:37
*** tonytan4ever has quit IRC16:49
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password strength requirements  https://review.openstack.org/32058616:52
notmorganbknudson: dunno16:52
*** josecastroleon has quit IRC16:52
*** diazjf has quit IRC16:57
*** GB21 has quit IRC17:03
*** nisha_ has joined #openstack-keystone17:05
openstackgerritRon De Rose proposed openstack/keystone: Shadow LDAP and custom driver users  https://review.openstack.org/32360217:06
*** nisha_ has quit IRC17:07
*** nisha has quit IRC17:09
*** josecastroleon has joined #openstack-keystone17:12
*** nisha has joined #openstack-keystone17:14
*** ddieterly is now known as ddieterly[away]17:19
*** jaosorior has quit IRC17:20
*** setuid has left #openstack-keystone17:21
*** catintheroof has joined #openstack-keystone17:25
*** roxanaghe has joined #openstack-keystone17:26
*** rderose has quit IRC17:28
*** josecastroleon has quit IRC17:42
*** tqtran has joined #openstack-keystone17:43
*** browne has joined #openstack-keystone17:43
*** daemontool has quit IRC17:44
KevinEwhat is lxml? I see that keystone uses it. I'm trying to add scenarios in rally and I try to import lxml but it says it can't find the module17:46
*** harlowja has joined #openstack-keystone17:48
*** daemontool has joined #openstack-keystone17:48
bknudsonKevinE: https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=lxml17:49
*** sdake_ has joined #openstack-keystone17:49
*** sdake has quit IRC17:49
*** rderose has joined #openstack-keystone17:51
*** lhcheng has joined #openstack-keystone17:52
*** ChanServ sets mode: +v lhcheng17:52
KevinEwow17:52
*** tqtran has quit IRC17:52
*** josecastroleon has joined #openstack-keystone17:53
samueldmqKevinE: hi, are you trying to add code to rally repo ?17:53
KevinEsamueldmq: yes I am. I realized that the repo I pulled from for testing doesn't include lxml in test-requirements for some reason17:54
*** daemontool has quit IRC17:54
*** daemontool has joined #openstack-keystone17:55
samueldmqKevinE: so you should add it to rally test-requirements.txt17:55
dstanekKevinE: likely rally doesn't need to parse XML17:55
KevinEdstanek: The plugin I file I have here associated with the scenarios I'm to move up import it17:56
*** nisha has quit IRC17:56
KevinEsamueldmq: will do! I just need to figure out how to do it locally until I make an upstream commit17:57
samueldmqKevinE: if you really need lxml in your plugin and you're trying to put it upstream17:58
samueldmqKevinE: yes you will need to add lxml to rally/test-requirements.txt17:58
samueldmqKevinE: https://github.com/openstack/rally/blob/master/test-requirements.txt17:58
samueldmqKevinE: after adding, you can recreate your env using -r option to tox command17:59
samueldmqdstanek: ^ makes sense ?17:59
*** rderose_ has joined #openstack-keystone18:00
KevinEsamueldmq: awesome thanks, I'll see where this takes me18:01
*** sdake_ has quit IRC18:01
samueldmqKevinE: yw18:01
*** rderose has quit IRC18:03
*** julim has quit IRC18:04
*** julim has joined #openstack-keystone18:07
dstaneksamueldmq: yes, you are correct18:07
dstanekKevinE: i assume you need lxml for saml stuff?18:07
*** nisha_ has joined #openstack-keystone18:08
*** afred312 has quit IRC18:09
*** diazjf has joined #openstack-keystone18:10
KevinEdstanek: Description of the file using it says it's a "Module for parsing statistical output from Ganglia *gmond) server. The module opens a socket connection to collect statistical data. It parses the raw data in xml format."18:11
nisha_samueldmq, what's an Assertion error Exception? I read that the unit test outcome is fail if it doesn't pass it and error, if there was an exception other than this.18:13
nisha_samueldmq, If I get an Assertion error then, does it mean, tests were written wrongly ?18:14
*** ddieterly[away] is now known as ddieterly18:14
samueldmqnisha_: either the test is wrong, or there's something going wrong with the code under test18:15
samueldmqnisha_: if you test self.assertEqual(4, multiply(2, 2))18:16
samueldmqnisha_: and that raises an exception, it's likely the function multiply is wrong, someone may have added an error to it (we call that a regression)18:17
samueldmqnisha_: if you were testing self.assertEqual(5, multiply(2, 2)) your test is likely the one wrong there :)18:17
nisha_samueldmq, so, the former will give an error as output and latter will give fail because of assertion error exception18:19
*** daemontool has quit IRC18:19
*** sdake has joined #openstack-keystone18:20
samueldmqnisha_: yes18:21
samueldmqnisha_: that's what tests are for, you try to break the program :)18:21
nisha_samueldmq, that was a really nice example. Thanks18:21
samueldmqnisha_: and they will emit an error if someone's bronken it18:21
samueldmqbroken18:21
samueldmqnisha_: yw18:21
samueldmqnisha_: keep asking whenever you have questions18:22
nisha_samueldmq, sure :)18:22
*** sdake_ has joined #openstack-keystone18:23
*** josecastroleon has quit IRC18:23
*** sdake has quit IRC18:24
*** rderose_ has quit IRC18:26
*** daemontool has joined #openstack-keystone18:27
*** pcaruana has joined #openstack-keystone18:29
*** josecastroleon has joined #openstack-keystone18:38
*** woodburn has joined #openstack-keystone18:42
*** krotscheck has quit IRC18:42
*** krotscheck_ has joined #openstack-keystone18:42
*** diazjf has quit IRC18:43
*** krotscheck_ is now known as krotscheck18:44
*** diazjf has joined #openstack-keystone18:44
*** jed56 has quit IRC18:45
*** rderose has joined #openstack-keystone18:45
*** afred312 has joined #openstack-keystone18:47
*** BrAsS_mO- is now known as BrAsS_mOnKeY18:48
*** SamYaple has quit IRC18:51
ayoungrodrigods, I think the issue with federation is this18:53
*** frontrunner has quit IRC18:53
ayoungclass Saml2ScopedToken(v3.Token):18:53
ayoung def __init__(self, auth_url, token, **kwargs):18:53
ayoungsee the token param?18:53
ayoungunscoped does not have that problem, as it does not take in a token18:54
ayoungthe kerb one ...18:54
ayoungv3fedkerb = keystoneclient_kerberos.v3:FederatedKerberos18:55
ayoungclass FederatedKerberos(v3.FederatedBaseAuth):18:57
ayoungand pretty sure the FederatedBaseAuth handles unscoped to scoped18:57
ayoungall it implements is18:57
ayoungdef get_unscoped_auth_ref(self, session, **kwargs):18:57
openstackgerritSean Perry proposed openstack/keystoneauth: Show deprecation when a user_agent is not set  https://review.openstack.org/28964518:58
*** sdake has joined #openstack-keystone18:58
*** ddieterly is now known as ddieterly[away]18:59
lbragstadbknudson i stood up keystone using the os_keystone openstack/ansible role and i ran an authenticate against it 1000 times18:59
lbragstadhttp://cdn.pasteraw.com/nmvcz06yjcguxsvf30ta7nqjzkd5jc819:00
*** sdake_ has quit IRC19:00
lbragstadusing all the defaults from os_keystone19:00
lbragstadthey use fernet by default19:00
bknudsongAAAAABXVcb !19:00
lbragstadtimes are printed at the end of the paste19:00
bknudson0.0842203118801117 seconds per authentication request -- that's pretty good.19:00
bknudsonyou've got a fast computer19:01
lbragstadjust a beefed up vm i'm using to test the performance criteria19:01
bknudsonthis is master?19:01
bknudson  P50/P90: 0.0556974411011/0.0588443040848 min/max: 0.0523588657379/0.11437106132519:01
bknudsonI guess my laptop is faster.19:01
nisha_samueldmq, I finished up reading this doc, https://pymotw.com/2/unittest/19:02
lbragstadbknudson yes - this should be master19:02
nisha_samueldmq, I have one small doubt though19:02
bknudsonlbragstad: memcache is on? Also, I assume this includes your patch since that was on master?19:02
bknudsonor was there something wrong with the caching fix that it didn't do anything?19:03
nisha_samueldmq, the doc uses failUnlessRaises()for testing Exceptions.19:03
bknudsonlbragstad: also, try it with uuid.19:03
notmorganayoung: checking in on krb5 plugin test?19:04
nisha_samueldmq, def raises_error(*args, **kwds):   print args, kwds   raise ValueError('Invalid value: ' + str(args) + str(kwds))19:04
lbragstadbknudson uuid - http://cdn.pasteraw.com/pso3psw2w3miyirqktvfxiqiygw4wm919:04
ayoungnotmorgan, not yet19:04
bknudsonlbragstad: uuid is slower in your case.19:04
notmorganayoung: any idea on general timeline?19:04
ayoungnotmorgan, I'm still trying to get SAML2 Federation to work with the CLI19:04
ayoungafter19:04
nisha_samueldmq, def testFailUnlessRaises(self):19:04
nisha_        self.failUnlessRaises(ValueError, raises_error, 'a', b='c')19:04
lbragstadbknudson is it, which is strange19:04
ayoung<miyagi>after after</miyagi>19:04
notmorganayoung: so we should look for someone else to validate it loads if they can?19:04
ayoungnotmorgan, is there someone else?19:05
notmorganayoung: i only ask because i'd like to get general fixes like that landed sooner vs later. not trying to pre-empt your workload, just if we have someone else who can validate19:05
bknudsonlbragstad: I wonder why I get such different results... for me it was 0.0128 for uuid and 0.0556 for fernet19:05
notmorganbknudson: for what?19:06
notmorganbknudson: uuid vs fernet? easy19:06
nisha_samueldmq, I understood, why it's used and all. What type of argument does this (*args, **kwds) suggest ? I saw them in the v3 keystoneclient api too19:06
notmorganbknudson: SQL vs SQL+SQL+SQL+SQL+SQL+SQL19:06
lbragstadbknudson second run http://cdn.pasteraw.com/m5xeyswe42gl0h1nqpty069vr4jmh6o19:06
notmorganbknudson: we do most of the loading from the body in the db table instead of having to reconstruct, we only ensure things are "valid" still. (lower cost)19:06
ayoungnotmorgan, I should be able to test that against an OSP8 (Liberty) install, right?19:06
bknudsonnotmorgan: lbragstad ran tests and in his case fernet is faster.19:07
notmorganayoung: i would hope you can.19:07
notmorganayoung: if you can't we did something very very wrong19:07
notmorganbknudson: what was the test?19:07
lbragstadnotmorgan bknudson let me push what i have19:07
notmorganbknudson, lbragstad: because i can think of two reasons for it to be faster, depending on what the test scenario is19:07
ayoungnotmorgan, OK...I have a setup I can test against...what is the simplest test?19:07
lbragstadit's mostly ansible to set things up19:07
bknudsonnotmorgan: My test just validates a single token over and over again.19:07
notmorganayoung: does the plugin load/auth19:07
notmorganayoung: thats really what we're looking for. :)19:07
lbragstadmy test is authenticate repeatedly19:07
notmorganayoung: that is 100 times better than "can't load the plugin"19:08
notmorganayoung: or a million times ;)19:08
bknudsonlbragstad: that's totally different. We were only asked to look at validation perf for now.19:08
nisha_samueldmq, https://pymotw.com/2/unittest/#testing-for-exceptions19:08
ayoungnotmorgan, so I have venv with keystoneauth tests run19:08
notmorganayoung: edge cases/other bugs can be addressed after but fundamentally working is the important part :)19:08
bknudsonlbragstad: that would explain why you're printing out so many tokens.19:08
lbragstadbknudson right19:08
notmorganlbragstad: and caching enabled?19:08
lbragstadbknudson let me write a new test19:08
bknudsonlbragstad: https://github.com/brantlk/keystone_performance/blob/master/keystone_performance/test1.py19:09
lbragstadbknudson it is known that token creation with fernet is faster than uuid19:09
ayoungGAH...something at my office messes up DNS entries for gerrit19:09
ayounggit fetch19:09
ayoungssh_exchange_identification: Connection closed by remote host19:09
notmorganlbragstad: because you're basically hitting cache a TON -- and with local_request cache.19:09
ayoungonly inside the VPN...19:09
notmorganayoung: weird. so the auth plugin test should be "from the CLI or from a synthetic script, auth against a KRB enabled openstack"19:09
notmorganayoung: and if that loads/works we're good. :)19:10
nisha_samueldmq, Also why is invalid value not printed along with the arguments, in the output?19:10
notmorganayoung: but like i said, just was getting a timeline from you. happy to poke elsewhere if you really are swamped :)19:10
ayoungnotmorgan, I'll try to hit it today/tonight19:10
ayoungnah, just want to close out on this bug19:10
notmorganayoung: perfect. or just give me a "will plan to do it by X" and hit it by then :)19:11
*** josecastroleon has quit IRC19:11
notmorganayoung: that way i wont be asking consistently :)19:11
ayoungnotmorgan, we need a Federated SAML plugin, that works like the Kerberos one:  requests an unscoped via federation, then uses that token via normal means to get a scoped token.  we have each of the pieces, but not the end to end.  THUS ECP does not work19:11
ayoungI'd test right now, but I can't pull the patch from Gerrit19:12
ayoungis it merged yet?19:12
notmorganayoung: no. it's waiting for your ack19:12
ayoungah ,wait, I think I have it anyway19:12
notmorgansince you said you would test it locally.19:12
ayoungommit 33133581aea946c82f629128d079d031bacc6b6419:12
ayoungAuthor: Colleen Murphy <colleen@gazlene.net>19:12
ayoungDate:   Thu May 26 12:01:59 2016 -070019:12
ayoung    Make the kerberos plugin loadable19:12
ayoungthat one?19:12
notmorganyes let me check the sha19:12
ayoungdoes not matter...will be close enough19:12
notmorganc600c81db5bf269f0abd464869d24d3046c3add7 is the latest19:12
notmorganit had a rebase and a minor test fix i think19:13
notmorganayoung: 'git fetch https://git.openstack.org/openstack/keystoneauth refs/changes/14/321814/7 && git cherry-pick FETCH_HEAD' should work19:13
notmorganif ssh is broken19:13
notmorganlbragstad: ok so caching or no caching?19:14
lbragstadnotmorgan yes - keystone is setup using the defaults that osa deploys keystone with19:15
lbragstadthe only caching they don't use by default is catalog caching19:15
*** gyee has quit IRC19:15
ayoungnotmorgan, export OS_AUTH_TYPE=v3fedkerb19:15
ayoung?19:15
notmorganlbragstad: also i think a better benchmark to use is: "get base 'validation' token, get new_token, validate new_token with validator token"19:15
notmorganayoung: looking..19:15
notmorganayoung: v3kerberos19:15
notmorganayoung: this is the basic krb5 auth not even federated19:16
ayoungah...19:16
ayounghmmm, not sure if I am set to test that...one sec19:16
KevinEIn scenario files under context, I have "user_role" and it's not happy about that. is that depreciated or something? sorry if this doesn't make sense lol19:16
lbragstadnotmorgan https://github.com/openstack/openstack-ansible-os_keystone/blob/master/templates/keystone.conf.j2#L101-L10719:16
notmorganlbragstad: uhm.. we fixed that didn't we?19:16
ayoungnotmorgan, I think I need something else...19:16
lbragstadnotmorgan there was a follow on patch you had that never landed19:17
notmorganayoung: no worries then. circle back on it later on.19:17
notmorganayoung: lets plan that i'll ask you again on wednesday if you haven't had a chance.19:17
notmorganayoung: go back to your federation on the cli stuff :)19:17
* notmorgan tries to keep this under 15min context switch thing19:17
*** yolanda has quit IRC19:17
ayoungtoo late, you forced a context shif19:18
ayoungt19:18
notmorgan15 mins is where you can context switch back usually pretty easily19:18
notmorgantypically19:18
notmorgan:)19:18
notmorganafter that...19:18
ayoungSo Keystone on this machine is running on 35357...19:18
notmorganlbragstad: i think this patch is no longer needed19:19
openstackgerritSean Perry proposed openstack/keystoneauth: Show deprecation when a user_agent is not set  https://review.openstack.org/28964519:19
notmorganlbragstad: we fixed the main patchset.19:19
lbragstadnotmorgan i proposed a patch to osa to enable catalog caching again but i think we need to test it a bit more https://review.openstack.org/#/c/314854/19:20
patchbotlbragstad: patch 314854 - openstack-ansible-os_keystone - Remove catalog section19:20
notmorganlbragstad: ++19:20
samueldmqnisha_: **kwargs accept any additional argument passed in19:21
dolphmnonameentername: is this a transient failure that you're aware of? http://logs.openstack.org/periodic-stable/periodic-keystone-python27-db-mitaka/a445f52/console.html#_2016-06-02_06_15_19_20519:21
*** frontrunner has joined #openstack-keystone19:22
ayoungnotmorgan, too much to do now.  Needs a hacked Keystone set up to test.  Will do that after this plugin19:22
*** roxanaghe has quit IRC19:22
KevinEsamueldmq: Could you take a look at this? It's mad that I have user_role in there but I just don't know what consequences there will be if I remove it http://pastebin.com/fmss8GbV19:22
notmorganayoung: wfm19:22
notmorganayoung: i'll bug you again wednesday afternoon if i haven't heard.19:23
ayoungnotmorgan, ++19:23
samueldmqKevinE: I am not familiar with rally, maybe it's better to ask in #openstack-rally ?19:23
*** tqtran has joined #openstack-keystone19:23
KevinEsamueldmq: I did, this channel is so much more helpful lol. I figured you may know just because the config is the same for keystone too from what I saw :)19:24
nisha_samueldmq, **kwargs are optional right?19:25
*** sheel has quit IRC19:25
samueldmqnisha_: yes19:26
lbragstadbknudson uuid token validation - http://cdn.pasteraw.com/hfjbhc29v4ihpmnp7tgola58y8a9a7719:26
lbragstadbknudson rerunning with fernet now19:27
*** ddieterly[away] is now known as ddieterly19:27
bknudsonlbragstad: that's right in line with what I get.19:27
lbragstadbknudson cool - at least i'm on the right track with what you're seeing19:28
lbragstadbknudson fernet results http://cdn.pasteraw.com/tj389xab8yablnzyrhxarmbr4k3qptb19:28
bknudsonlbragstad: that's slower than my system but in line.19:28
bknudsonlbragstad: I'm not too worried about uuid vs fernet. I think we're going to be using fernet to support local database in datacenter.19:29
bknudsondistributed database is too slow.19:30
lbragstadbknudson yeah - fernet's lack of speed seems to be the lesser of two evils when compared to backend replication19:30
bknudsonalthough we're running liberty so maybe caching improvements would cover that up.19:30
bknudsonwe still have to figure out how to replicate things like users and projects.19:31
lbragstadbknudson what do you mean?19:31
bknudsonto share tokens between data centers we need to have users with the same user ID19:31
bknudsonprojects with the same project ID, etc.19:32
lbragstadbknudson ah - right19:32
bknudsonnot sure how we're going to do that... will probably have to write a tool19:32
bknudsonthe data centers will have keystones at different code levels so even sync at db level isn't going to work.19:33
*** nisha_ has quit IRC19:34
*** woodburn has quit IRC19:45
*** woodburn has joined #openstack-keystone19:46
*** openstackstatus has quit IRC19:55
*** openstackstatus has joined #openstack-keystone19:57
*** ChanServ sets mode: +v openstackstatus19:57
*** josecastroleon has joined #openstack-keystone19:57
*** browne1 has joined #openstack-keystone20:00
*** browne has quit IRC20:00
*** rderose has quit IRC20:02
*** amrith is now known as _amrith_20:05
*** rderose has joined #openstack-keystone20:07
lbragstadbknudson here are my ansible bits for setting up my performance host20:10
lbragstadhttps://github.com/lbragstad/keystone-performance20:10
bknudsonlbragstad: that was too easy.20:11
bknudsonlbragstad: what does this do? https://github.com/lbragstad/keystone-performance/blob/master/setup_perf_host.yml#L3020:12
lbragstadbknudson those are pre_tasks pulled from osa's testing setup20:13
lbragstadi can't remember what the % character does in sql-land20:13
lbragstadbut that task is for granting the keystone user privileges20:13
bknudsonlbragstad: "You can specify wildcards in the host name. For example, user_name@'%.example.com' applies to user_name for any host in the example.com domain"20:14
bknudsonhttp://dev.mysql.com/doc/refman/5.7/en/grant.html20:15
lbragstadah20:15
lbragstadbknudson i'm going to test this out from top-to-bottom on a bare metal node20:15
bknudsongalera_root_password: password20:15
bknudsonNow I know your password20:15
lbragstadbknudson you can auth as many times as you want - and you can steal all my super secrete performance data20:16
bknudsonhttps://lkml.org/lkml/2012/6/5/356 -- git bisect works backwards when the "good" thing is newer (e.g., when performance is newer in mitaka vs liberty)20:17
*** gyee has joined #openstack-keystone20:20
*** ChanServ sets mode: +v gyee20:20
*** protoz has joined #openstack-keystone20:23
lbragstaddstanek notmorgan dolphm fyi - https://github.com/lbragstad/keystone-performance20:26
lbragstadPR's welcome :)20:26
protozHello, I can't seem to find anything on an issue I'm having with keystone and LDAP.  A user's password expired in ldap and was changed but keystone is still expecting the old password.20:26
lbragstadcc henrynash ^20:27
dstanekprotoz: are you using an ldap backend?20:27
protozyes20:27
*** josecastroleon has quit IRC20:27
protozThe user did not exist in keystone until the user logged in with ldap creds20:27
dstanekprotoz: i don't think we are caching anything. it should go back to your ldap server to authenticate20:27
henrynash_protoz: you are using the LDAP Identity driver I assume20:28
dstanekprotoz: using the ldap backend we don't store the password20:28
protozYes, driver = keystone.identity.backends.ldap.Identity20:28
*** BjoernT has quit IRC20:28
protozI didn't think Keystone would which is probably why I couldn't find anything20:28
zigoWhen building Keystone, I get this: http://paste.openstack.org/show/508448/20:28
zigoWhat's going on?20:28
zigo(FYI: that's Newton b1...)20:29
dstanekprotoz: can you auth directly against ldap using the new creds?20:29
bknudsonzigo: a newer version of oslo.log is required20:29
zigoOh...20:29
zigobknudson: This should be addressed in requirements.txt then !20:29
protozYes I've confirmed it with my account and another users account20:29
bknudsonzigo: you're right... we need better testing for min versions20:29
*** ayoung has quit IRC20:30
dstanekprotoz: are you able to see in keystone's log that it is hitting the ldap server?20:30
zigobknudson: Much much better now, thanks! :)20:31
bknudsonzigo: no problem.20:31
zigoI've made a (build-)depends on oslo.log 3.8.0 ... :P20:31
zigobknudson: Do you know if keystone *really* needs mock >= 2.0 ?20:32
zigoIt's annoying that the maintainer of mock in Debian isn't responsive, and hasn't packaged it yet.20:32
bknudsonzigo: Nope, probably something else needs it.20:32
zigo(I filed a bug, of course...)20:32
*** dave-mccowan has quit IRC20:32
zigoOk, cheers.20:32
zigoAgain, again and again, the same dependency management type of issues ... :)20:33
*** dave-mccowan has joined #openstack-keystone20:33
bknudsonI don't think anybody's got time to work on fixing the issues.20:33
zigoRight, not even me...20:33
bknudsonI might be able to get it on my things to do.20:33
zigoDoug clearly expressed the fact it's taking too much time.20:34
knikollarodrigods: can you point me to where i can find information on how to run the tempest tests in keystone_tempest_plugin? we're having some trouble20:34
dstanekbknudson: how do you fix it if potentially every project needs different versions in g-r?20:34
knikollarodrigods: i'm gonna head off now but will check back in a few hours. thanks20:34
zigoThough the main issue I'm seeing when packaging all of OpenStack is that some *rules* are wrong. Like bumping a requirement to everyone when only a single package needs it ...20:34
bknudsonMy goal will be to make it so that keystone doesn't need to update the min version unless keystone uses the feature.20:34
zigoThen we get to this type of situation: "well I don't know, maybe someone else needs it..." just like you stated.20:35
bknudsonzigo: yes, I don't agree with that one either20:35
zigoAnyway, the only solution is to get us to gate with lower bounds, that's no news! :)20:35
bknudsondstanek: the way to do that is to not cap so that the latest version works with everything.20:35
zigoIt's been only 2 years we're talking about it.20:36
zigo:)20:36
bknudsonzigo: yes, it's too hard to expect projects to maintain their own min level correctly. Needs min testing in place.20:36
*** itisha has joined #openstack-keystone20:36
bknudsonzigo: apparently swift maintains their own mins... is that working for you?20:37
bknudsonswift does this by just not accepting the reviews from the proposal bot.20:37
protozdstanek: Authorization failed. KS-58299FC The request you have made requires authentication.20:38
*** julim has quit IRC20:39
notmorganbknudson, zigo: iirc there has been talk about min testing as well in some projects20:40
notmorganbut part of the issue is pip/dep-solver doesn't know how to do minimums well20:40
notmorganso a separate requirements thing is/might be needed?20:40
zigonotmorgan: Robert Collins said we should therefore patch pip ! :)20:41
notmorganzigo: yes. someone needs to do that work20:41
zigo(which I agree...)20:41
notmorgan:)20:41
*** roxanaghe has joined #openstack-keystone20:42
KevinEPython question: is this line the same with or without the single quotes around those variables? val = str(self.get_metric_value(parsed_node, host['NAME'], host['metrics'][count]['NAME']))20:43
dstanekKevinE: nope. using single quotes means you want a string20:43
notmorgandstanek: said better than what i was typing20:44
KevinEdstanek: ok, so why is pep saying to remove the single quotes?20:44
dstanekKevinE: you'd have to show the error message20:44
KevinEdstanek: it's just "N350 Remove Single quotes" and points to all of the single quotes in this file20:45
notmorganuhm.20:45
* notmorgan looks up N35020:45
bknudsonhttp://git.openstack.org/cgit/openstack/rally/tree/tests/hacking/checks.py#n31920:45
dstanekKevinE: never heard of that :-( maybe they want double quotes?20:45
KevinEnotmorgan: I don't know where to look that up lol20:46
notmorgani would explicitly disable that check personally20:46
notmorganthat seems exceedingly silly20:46
bknudsonlooks like rally likes " rather than '20:46
* notmorgan prefers single quotes.20:46
notmorganyeah20:46
notmorganwow.20:46
KevinEdstanek: will it be exactly the same function-wise?20:46
bknudson(which is actually against pep8)20:46
dstanekKevinE: yes single == double20:46
KevinEbknudson: wait, double quotes are against pep8?20:46
notmorganKevinE: well.. pep8 is a guideline document20:46
notmorganand says "feel free to be inconsistent"20:47
dstaneksingle quotes are preferred by openstack projects20:47
notmorganforcing a style of quotes is against pep8 explicitly20:47
bknudsonoh, I was wrong, it's openstack style guide that says '20:47
notmorganwe tend to prefer '' in openstack over ""20:47
dstaneki don't think pep8 cares about single vs. double20:47
notmorganbut it is 100% reasonable to be inconsistent to avoid needing to do 'can\'t'20:47
bknudsonalthough we maybe got rid of that?20:48
notmorganbasically, "tend to use the same quotes" is the best option.20:48
notmorganthe fact that rally enforces "" seems silly to me. but i'm not a rally dev...20:48
notmorgansooooooooooo20:48
notmorgani have little to say in it20:48
bknudsonI like a rule of " for human strings and ' for constants.20:48
dstanekor 'for strings less than 10 characters and " for everything else20:49
notmorganbknudson: except when it requires \' :)20:49
notmorganbknudson: but that is about knowing when to be inconsistent :)20:49
bknudsony, it's unlikely that a special value is going to have ' in it.20:49
KevinEsorry guys, so should I make them "" and make the pep tests happy before merging or go against pep? lol20:49
bknudsonwhereas it's a lot more likely in english20:50
bknudsonKevinE: you should ask the rally guys about their style guidelines.20:50
bknudsonoops, they're not all guys20:50
dstanekKevinE: they likely won't accept your code if it goes against their standard20:50
KevinEokie thanks for the help y'all20:50
*** josecastroleon has joined #openstack-keystone20:51
lbragstadfernet authentication performance on a bare metal node with 20 cores and 128 GB of RAM - http://cdn.pasteraw.com/nfxjkt9tp8w2nb09zg39axn2tz91vj320:59
bknudsonlbragstad: if you're not doing 20 concurrently then more cores isn't going to help20:59
*** gagehugo has quit IRC20:59
lbragstadbknudson you're right - but I'm doing it on bare metal which is the closest thing to a "consistent" environment I can find21:00
*** daemontool_ has joined #openstack-keystone21:00
lbragstadfernet validation on the same node - http://cdn.pasteraw.com/2plinbed539cb8r9rpekemqm2bb5xhz21:00
*** jaugustine has quit IRC21:01
bknudsonlbragstad: how to make it faster? I guess the point of comparing fernet to UUID is more to show that it could be faster.21:02
lbragstadbknudson i guess the reason i'm comparing is that uuid performance is more of a known quantity for our uses21:02
lbragstadusers*21:02
*** daemontool has quit IRC21:03
*** daemontool_ has quit IRC21:03
*** mvk has joined #openstack-keystone21:05
bknudsonunfortunately, the story today is that fernet validation performance is worse than uuid.21:06
lbragstadbknudson i'm hoping we can aim to make them the same - then that argument goes away21:07
*** ddieterly is now known as ddieterly[away]21:08
*** pcaruana has quit IRC21:08
*** pauloewerton has quit IRC21:09
lbragstaduuid authentication performance - http://cdn.pasteraw.com/rjrt9nwtn7sblfs90ihahh59591ikxm . uuid validation performance - http://cdn.pasteraw.com/9yyyllwrpxglmqu0pde6ggaoxng1sle21:09
rodrigodsknikolla, of course... "tox -e all-plugin -- keystone" in tempest21:11
henrynash_lbragstad: good initial data….and I agree, I don’t see why we can’t make these perform approximately the same...21:14
zigodh_install: usr/etc/keystone/keystone.conf/keystone.conf.sample exists in debian/tmp but is not installed to anywhere21:14
zigodh_install: usr/etc/keystone/default_catalog.templates/default_catalog.templates exists in debian/tmp but is not installed to anywhere21:14
zigodh_install: usr/etc/keystone/policy.json/policy.json exists in debian/tmp but is not installed to anywhere21:14
zigodh_install: usr/etc/keystone/sso_callback_template.html/sso_callback_template.html exists in debian/tmp but is not installed to anywhere21:14
zigodh_install: usr/etc/keystone/keystone-paste.ini/keystone-paste.ini exists in debian/tmp but is not installed to anywhere21:14
henrynash_lbragstad:…which of your caching patches were in the code that ran those tests?21:15
zigoGuys, we're *NOT* supposed to install stuff in /etc through setup.cfg.21:15
zigoThis is a *bug*.21:15
zigoGrrr...21:15
lbragstadhenrynash_ all of them?21:15
zigoJulien Danjou ...21:15
lbragstadexcept the catalog caching patch21:15
lbragstadcatalog caching isn't enabled21:15
bknudsonlbragstad: I think we're going to want these tests to have high concurrency. It's not realistic otherwise. Nobody running a cloud is only going to be doing 1 verify at a time.21:16
henrynash_lbragstad: ok, that’s what I would have thought from the results….it used to be around 80-90ms before any of your patches21:16
bknudsonlbragstad: it would be interesting to see if you get better results with the patch to enable catalog caching.21:16
henrynash_(validation of fernet, that is)21:17
lbragstadbknudson henrynash_ we need to track down and figure out how to fix - https://github.com/openstack/openstack-ansible-os_keystone/blob/master/templates/keystone.conf.j2#L101-L10721:17
lbragstadi can enable it but upstream osa turns it off by default because they had some issues with it21:17
bknudsonlbragstad: devstack has that same exception21:18
lbragstadwe should sync up with both the osa group and the devstack people and see if we can get that enabled again21:19
*** _amrith_ is now known as amrith21:20
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Change password requirements  https://review.openstack.org/32015621:20
*** josecastroleon has quit IRC21:20
openstackgerritDolph Mathews proposed openstack/keystone: Scaffolding for keystone.conf package  https://review.openstack.org/32560421:22
dolphmnonameentername: ping21:24
lbragstadbknudson henrynash_ https://github.com/lbragstad/keystone-performance/tree/master/results21:26
lbragstadbknudson henrynash_ let me turn on catalog caching and re-run those21:27
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password history requirements  https://review.openstack.org/32558921:27
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password history requirements  https://review.openstack.org/32558921:27
*** diazjf has quit IRC21:29
*** ddieterly[away] is now known as ddieterly21:31
*** josecastroleon has joined #openstack-keystone21:32
openstackgerritDolph Mathews proposed openstack/keystone: Scaffolding for keystone.conf package  https://review.openstack.org/32560421:32
lbragstadbknudson henrynash_ I see no performance increase with fernet authentication when catalog caching is enabled - running the validation tests now21:33
*** rk4n has quit IRC21:34
lbragstadbknudson i think i see an 8% performance improvement on fernet token validation with catalog caching enabled21:35
lbragstadwithout caching: Validated token 1000 times in 56.432976961135864 seconds21:36
lbragstadwith caching: Validated token 1000 times in 51.833451986312866 seconds21:36
bknudsonnot bad, but still not sure how we're going to get to uuid speeds21:37
lbragstadbknudson yeah - we're going to have to look for speeds in other areas21:37
bknudsonother than, the idea of caching the tokens instead of caching the parts.21:37
*** spzala has quit IRC21:39
*** spzala has joined #openstack-keystone21:40
*** frontrunner has quit IRC21:43
bknudsonbecause then we'd bypass all that logic given the same token and the performance should be the same as uuid21:43
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password history requirements  https://review.openstack.org/32558921:44
*** spzala has quit IRC21:44
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password strength requirements  https://review.openstack.org/32058621:45
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Change password requirements  https://review.openstack.org/32015621:45
openstackgerritRon De Rose proposed openstack/keystone: Add password table columns to meet PCI-DSS change password requirements  https://review.openstack.org/31428421:46
*** catintheroof has quit IRC21:46
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Change password requirements  https://review.openstack.org/32015621:46
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password strength requirements  https://review.openstack.org/32058621:46
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password history requirements  https://review.openstack.org/32558921:46
*** tqtran has quit IRC21:47
dimsbknudson : lbragstad : am i reading this right (how/why we need pykerberos) https://review.openstack.org/#/c/325658/ (please see my last 2 comments)21:47
patchbotdims: patch 325658 - openstack-infra/system-config - krb5 dependencies for pykerberos21:47
bknudsondims: keystoneauth uses requests-kerberos21:50
bknudsonso maybe that's bringing in pykerberos...21:50
*** rderose has quit IRC21:51
dimsbknudson : ack thanks21:51
bknudsondims: https://github.com/requests/requests-kerberos/blob/master/requirements.txt#L321:52
dimsyep, that should do it21:52
bknudsonoh, that's what you said already21:52
*** sdake_ has joined #openstack-keystone21:52
*** julim has joined #openstack-keystone21:53
openstackgerritThomas Goirand proposed openstack/keystone: Revert "Install necessary files in etc/"  https://review.openstack.org/32615221:54
*** sdake has quit IRC21:54
*** jdennis1 has quit IRC21:58
*** edmondsw has quit IRC21:58
*** jdennis has joined #openstack-keystone21:59
*** rk4n has joined #openstack-keystone21:59
*** gyee has quit IRC22:00
*** julim has quit IRC22:00
*** markvoelker has quit IRC22:00
*** markvoelker has joined #openstack-keystone22:00
*** josecastroleon has quit IRC22:02
*** ayoung has joined #openstack-keystone22:04
*** ChanServ sets mode: +v ayoung22:04
openstackgerritRoxana Gherle proposed openstack/keystone: Return 404 instead of 401 for tokens w/o roles  https://review.openstack.org/32228022:05
*** spzala has joined #openstack-keystone22:06
*** r-daneel has joined #openstack-keystone22:11
KevinEI'm failing pep8 with an error that says "import only modules" when trying to import OptionParser. Anyone know what that is?22:12
*** gyee has joined #openstack-keystone22:12
*** ChanServ sets mode: +v gyee22:12
lbragstadKevinE OptionParser looks like a class22:13
lbragstadKevinE instead it probably wants you to do something like `from module import submodule`22:13
lbragstadthen reference OptionParser like:22:13
*** edtubill has quit IRC22:13
lbragstad`op = submodule.OptionParser()`22:13
KevinElbragstad: currently I have ' from optparse import OptionParser '22:14
lbragstadKevinE try just using `import optparse`22:14
lbragstadthen reference it like `optparse.OptionParser`22:14
*** henrynash_ has quit IRC22:15
*** sdake has joined #openstack-keystone22:15
*** sdake_ has quit IRC22:18
KevinElbragstad: worked, thanks :) Any reason why that happened? Or is that just a styling thing22:19
lbragstadKevinE i'm pretty sure it's just a styling thing22:19
lbragstadmost of the openstack projects (from what i can tell) don't allow the import of classes22:20
lbragstadinstead, you have to import the module and use that to reference the class22:20
*** protoz has quit IRC22:24
*** ametts has quit IRC22:25
*** gordc has quit IRC22:29
*** ddieterly is now known as ddieterly[away]22:35
*** sdake has quit IRC22:36
*** vint_bra has quit IRC22:36
*** dan_nguyen has quit IRC22:39
*** spzala has quit IRC22:41
*** timcline has quit IRC22:43
*** KevinE has quit IRC22:55
*** roxanaghe has quit IRC22:56
*** ddieterly[away] is now known as ddieterly22:59
*** sdake has joined #openstack-keystone23:00
*** harlowja has quit IRC23:01
*** sdake_ has joined #openstack-keystone23:03
*** sdake has quit IRC23:05
*** ddieterly has quit IRC23:09
*** raddaoui has quit IRC23:17
*** markvoelker has quit IRC23:19
ayoungjamielennox, I was able to get an ECP plugin that works for scoped calls, not just unscoped.  The Scoped SAML plugin in keystoneclient (this is OSP8 work)  looks like it is unusable as is.  It expects a token in its parameter list, but then the entry point fails23:36
*** dan_nguyen has joined #openstack-keystone23:38
*** rk4n has quit IRC23:38
*** tqtran has joined #openstack-keystone23:39
jamielennoxayoung: expects a token?23:47
jamielennoxi was really hoping to do a setup that would let me test the saml token in ksa23:47
jamielennoxjust not sure when yet23:47
jamielennoxayoung: oh wtf, why is v3scopedsaml pointing to that plugin?23:50
ayoungjamielennox, no idea, but it is borked right?23:50
ayoungjamielennox, I was able to cobble together a simple one that works extending the federation one23:51
ayounghttps://paste.fedoraproject.org/375517/44872146/  (line 13 on)23:51
jamielennoxayoung: in ksc? did you look at the ksa one?23:51
openstackgerritMerged openstack/keystonemiddleware: Determine project name from oslo_config or local config  https://review.openstack.org/32012323:51
ayoungjamielennox, had not looked yet, as I needed this for OSP823:51
ayoungand that seems to be using KC still23:52
jamielennoxayoung: i'm sure we had this working23:52
jamielennoxbut the plugins available via entrypoint23:52
ayoungjamielennox, rippowam was generating an RC file with unscoped23:52
jamielennoxyou would need to do openstack --os-auth-plugin v3unscopedsaml ... token get23:52
jamielennoxthen use v3scopedsaml to scope it23:52
jamielennoxwhich is ridiculous23:52
ayoungjamielennox, so the Federation plugin is the way to go23:53
ayoungJust wrapped the unscoped plugin, worked fine23:53
ayoungtrickiest part was figuring out how to get the params listed23:54
jamielennoxyep, there is a base federation plugin that will take another plugin and handle the scoping for you23:54
ayoungjamielennox, ah...did I now even need to explicitly wrap it?23:54
jamielennoxayoung: it might be a subclass, i can't remember23:54
ayoungjamielennox, maybe in KSA?23:55
jamielennoxayoung: so i rebased https://review.openstack.org/#/c/255056/ yesterday and i'm looking for somewhere to test it23:55
patchbotjamielennox: patch 255056 - keystoneauth - Use SAML2 requests plugin23:55
openstackgerritMerged openstack/keystonemiddleware: Make sure audit can handle API requests which does not require a token  https://review.openstack.org/32072523:55
jamielennoxi was going to rewrite some ansible (copy most from rippowam) to set up an environment i could use23:55
ayoungjamielennox, rippowam should work for you using keycloak now instead of Ipsilon23:56
ayounghave not tested against Centos, but the rest should be ok.23:56
ayoungYou could probably even re-introduce Ipsilon if you wanted23:56
jamielennoxayoung: there were a few problems, like i don't have access to the repos it was pointed at, and i'm not setting this up on an openstack cloud so the ossipee integration won't work23:57
jamielennoxand there are some assumptions from rippowam that you set things up that way23:57
ayoungjamielennox, I was starting to break things into smaller roles.23:57
ayounglook at the last few commits23:57
ayoungrhsso aside, I pulled out roles for23:57
jamielennoxoh, i didn't really want packstack either23:57
ayoungjamielennox, right, you just need an ossipee compatible inventory file23:58
ayoungkeycloak is running in an ipa client merely for HTTPS set up23:58
jamielennoxisn't the 'identity-provider' opt provided by the base class?23:59
ayoungjamielennox, yeah.  The missing one was protocol23:59
jamielennoxoh?23:59
