Tuesday, 2016-08-16

« Monday, 2016-08-15 Index Wednesday, 2016-08-17 »
openstackgerritMerged openstack/python-keystoneclient: Add credential functional tests  https://review.openstack.org/34855700:00
*** markvoelker has joined #openstack-keystone00:00
*** ninag has joined #openstack-keystone00:01
*** ninag has quit IRC00:01
*** spzala has joined #openstack-keystone00:03
*** tqtran has quit IRC00:09
*** spzala has quit IRC00:12
*** woodster_ has quit IRC00:29
*** iurygregory_ has joined #openstack-keystone00:32
*** jamielennox is now known as jamielennox|away00:48
*** spzala has joined #openstack-keystone00:49
*** jamielennox|away is now known as jamielennox00:49
*** tonytan4ever has joined #openstack-keystone00:50
*** roxanaghe has quit IRC00:51
*** gyee has quit IRC00:59
*** tqtran has joined #openstack-keystone01:09
*** julim has joined #openstack-keystone01:10
*** adrian_otto has quit IRC01:11
*** tqtran has quit IRC01:13
*** BjoernT has joined #openstack-keystone01:14
*** BjoernT has quit IRC01:18
*** asettle has joined #openstack-keystone01:22
*** haplo37__ has joined #openstack-keystone01:24
*** spzala has quit IRC01:29
*** spzala has joined #openstack-keystone01:30
*** asettle has quit IRC01:32
*** spzala has quit IRC01:34
*** EinstCrazy has joined #openstack-keystone01:34
*** dkehn has quit IRC01:34
*** wangqun has joined #openstack-keystone01:37
*** davechen has joined #openstack-keystone01:43
*** dkehn_ has joined #openstack-keystone01:47
*** adriant_ has joined #openstack-keystone01:50
*** haplo37__ has quit IRC01:53
*** su_zhang has quit IRC01:54
*** EinstCrazy has quit IRC01:59
*** EinstCrazy has joined #openstack-keystone02:03
stevemaradriant_: o/02:06
stevemaradriant_: i'm still playing catch up :(02:06
*** jamielennox is now known as jamielennox|away02:07
adriant_stevemar: yeah, i assumed as much, hence the follow up email :)02:08
adriant_stevemar: am submitting the bug report now. I sadly don't have time to dig into the KeystoneAuth code myself, but hopefully the pastes I've added help show the issue.02:09
stevemaradriant_: yes, i'm hoping so :\02:09
stevemaradriant_: maybe i can sucker jamielennox|away into looking at it :P02:10
adriant_main jist seems to be, token auth isn't fetching a catalog02:10
stevemarsadly i have no carrot, only a stick02:10
adriant_and everything expects it to fetch one02:10
*** EinstCra_ has joined #openstack-keystone02:11
stevemaradriant_: so with a project scoped token -- you should be able to (as far as the API is concerned) either a) get a new token with the same scope, or b) supply it with a new scope and possibly get a new token with that scope02:11
adriant_stevemar: yeah, doing stuff directly with Keystone via curl seems to work fine for me02:12
adriant_but the problem is the client tools all assume token auth returns a catalog02:12
adriant_stevemar: So either they are in the wrong, or KeystoneAuth should when doing token auth fetch a catalog same as it does with password auth02:13
adriant_bug: https://bugs.launchpad.net/keystoneauth/+bug/161349802:14
openstackLaunchpad bug 1613498 in keystoneauth "Token Auth does not work (not fetching catalog)" [Undecided,New]02:14
*** EinstCrazy has quit IRC02:14
stevemaradriant_: danke02:15
adriant_stevemar: welcome :)02:16
*** jamielennox|away is now known as jamielennox02:26
openstackgerritLance Bragstad proposed openstack/keystone: Add key_hash column to credential table  https://review.openstack.org/35561802:27
openstackgerritLance Bragstad proposed openstack/keystone: Add create and update methods to credential Manager  https://review.openstack.org/35505602:27
openstackgerritLance Bragstad proposed openstack/keystone: Create a fernet credential provider  https://review.openstack.org/35449602:27
jamielennoxadriant_: using Token like that is really for rescoping02:28
jamielennoxthere's nothing there that will fetch the current information - i don't know if we even have the ability for that02:29
jamielennoxif you do a project_id= in there it should fetch you a new token based on the old one02:29
jamielennoxand then work02:29
adriant_jamielennox: I thought the Keystone API supported asking for a catalog with token auth?02:31
jamielennoxadriant_: yea, but you need a bit more than that because you need to find like current project id and user id02:32
jamielennoxso you really need the whole token data02:32
adriant_jamielennox: although do look at how heatclient is using it. That isn't rescoping, it expects the token to authenticate and then use the new token/catalog. Unless I'm reading it wrong.02:32
*** asettle has joined #openstack-keystone02:33
jamielennoxadriant_: so it looks like it depends how you're creating the heatclient02:35
jamielennoxif you pass session it doesn't seem to be doing anything too crazy02:35
adriant_sec02:35
adriant_jamielennox: https://github.com/openstack/python-heatclient/blob/master/heatclient/shell.py#L51502:36
adriant_the openstackclient does something similar02:36
jamielennoxadriant_: oh, shell02:36
adriant_if token is present, try and auth with it02:36
jamielennoxgod i hate the shells02:36
adriant_I'm using heatclient as an example as it's easier to dig into than openstackclient02:37
adriant_and the same principle applies02:37
jamielennoxso it can be useful because most services allow --os-endpoint-override or something similar02:37
adriant_But that's painful02:38
jamielennoxyea02:38
*** asettle has quit IRC02:40
adriant_and: http://docs.openstack.org/developer/python-openstackclient/authentication.html02:40
adriant_if you look there, the token authentication as listed there seems to expect token auth to fetch a catalog02:41
adriant_without the need for explicitly setting the endpoint02:41
jamielennoxthe new osc is phasing out token02:41
jamielennoxit was really only used for ADMIN_TOKEN stuff02:41
adriant_But it's actually useful if you want to auth with a token as you can't password auth all the time.02:42
adriant_if that's gone then MFA via the shell is really painful...02:42
adriant_stevemar, jamielennox: So what's the way forward here? Because it seems like what you're saying is "this is expected functionality".02:46
jamielennoxsorry, tuned out briefly02:47
adriant_jamielennox: no problem. I'm just trying to figure out what I can do around all this. :(02:47
jamielennoxso i don't know if there's an MFA aspect here02:48
*** code-R has joined #openstack-keystone02:48
adriant_with the MFA solution I'm trying to get working, you need to append a passcode to your password.02:49
adriant_with CLI, that means entering a passcode EVERY call.02:49
adriant_which is daft02:49
adriant_so what I want to do is this: http://paste.openstack.org/show/553325/02:49
adriant_fetch a token, and for the duration of that token, use the shell tools.02:50
jamielennoxadriant_: so maybe more what you want is caching right?02:50
adriant_maybe? I'd just expect when authenticating with a token it fetches the catalog and uses the scope of the old token.02:51
adriant_that would solve it02:51
jamielennoxthe ideal case would be though from a shell you shouldn't have to fetch a token specifically and then use it02:53
jamielennoxthat case i have a bunch of stuff set up for we're just waiting for osc-lib and osc 3 to be finished02:53
jamielennoxfor token in general - i don't know how we go from what we have today to future02:54
adriant_Does it cache your token and catalog locally?02:54
jamielennoxyes02:54
adriant_ok, then yes that might solve my issue02:54
jamielennoxkeyring would be the default implementation but i've left that up to the implementation02:54
jamielennoxadriant_: see https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/plugin.py#L207-L252 for caching functions02:55
stevemarjamielennox: but we don't cache things today AFAIK02:55
stevemarwhuaa02:55
jamielennoxstevemar: no we don't do it today, i had a POC but it kept getting refactored with OSC302:56
stevemaryeah02:56
stevemarjamielennox: shouldn't this work with our APIs though? we can get a token from a token today02:56
jamielennoxstevemar: we can rescope sure02:57
stevemarbut we can't seem to do that with keystoneauth today02:57
adriant_yeah, I'm not sure why keystoneauth doesn't fetch a catalog with token auth02:57
jamielennoxstevemar: i'm not sure we have the retrieve current token data02:57
jamielennoxadriant_: it just wasn't the use case we had02:58
jamielennoxparticularly from shell02:58
jamielennoxbecause it doesn't implement get_user_id and get_project_id either02:58
adriant_jamielennox: but some shells seem to expect that02:59
adriant_see heat :P02:59
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: Improve docs for v3 ec2  https://review.openstack.org/35017302:59
jamielennoxyea, lots of things in this space are implemented because someone needed something for some side case02:59
adriant_So can we expand token auth in Keystoneauth to fetch the catalog?03:01
openstackgerritMerged openstack/keystone: Move fernet utils into keystone/common/  https://review.openstack.org/35370703:01
*** code-R has quit IRC03:01
adriant_Still not as nice as caching, as we are still asking for a token+catalog every time, but it is no worse than doing so with username+password03:02
jamielennoxdoes https://github.com/openstack/keystone/blob/master/etc/policy.json#L106 mean that you can GET /auth/tokens with the same token data?03:03
*** iurygregory has quit IRC03:05
*** iurygregory has joined #openstack-keystone03:06
jamielennoxi'd be ok with extending token to fetch the data if get_endpoint, get_project_id or get_user_id is called03:07
jamielennoxi don't think a rescoing scenario should trigger that03:07
*** adriat has joined #openstack-keystone03:10
openstackgerritSteve Martinelli proposed openstack/keystone: Make a FernetUtils class  https://review.openstack.org/35376103:10
*** adriat is now known as adriant03:10
openstackgerritSteve Martinelli proposed openstack/keystone: Pass key_repository and max_active_keys to FernetUtils  https://review.openstack.org/35376203:11
openstackgerritSteve Martinelli proposed openstack/keystone: Add credential encryption exception  https://review.openstack.org/35449403:11
openstackgerritSteve Martinelli proposed openstack/keystone: Add conf to support credential encryption  https://review.openstack.org/35449503:11
adriantjamielennox: sorry, network trouble.03:11
openstackgerritSteve Martinelli proposed openstack/keystone: Create a fernet credential provider  https://review.openstack.org/35449603:11
adriantso is the token auth in Keystoneauth explicitly for rescoping?03:11
openstackgerritSteve Martinelli proposed openstack/keystone: Add create and update methods to credential Manager  https://review.openstack.org/35505603:11
openstackgerritSteve Martinelli proposed openstack/keystone: Add key_hash column to credential table  https://review.openstack.org/35561803:11
*** esp has joined #openstack-keystone03:11
*** adriant_ has quit IRC03:12
stevemarlbragstad rebased as far as i could03:12
wangqunping stevemar03:16
jamielennoxadriant: i don't want to say explicitly, you can use it for whatever but it was the intention03:17
adriantjamielennox: the API seems to support what I am expecting keystoneauth to do: http://developer.openstack.org/api-ref/identity/v3/?expanded=token-authentication-with-scoped-authorization-detail#token-authentication-with-scoped-authorization03:18
jamielennoxadriant: POST creates a new token03:18
stevemarwangqun: pong03:19
adriantisn't that what keystoneauth is doing anyway?03:19
wangqunI want to make the keystone member role have the permissions that can access the keystone user list. Do I only modify the /etc/keystone/policy.json?03:19
jamielennoxadriant: it's what you do when you rescope a token03:19
wangqunThanks stevemar to answer me.03:19
jamielennoxadriant: GET is what we use to retrieve the data for a current token03:19
stevemarwangqun: yes, that should be all you need to do. just add " or role:member"03:20
stevemarwangqun: please note that policy is *only evaluated with v3!*03:20
stevemarwangqun: if you are using v2.0 APIs it's a straight "are you admin" call for most APIs03:20
stevemarwangqun: see http://lists.openstack.org/pipermail/openstack-dev/2016-July/099596.html for details03:21
*** haplo37__ has joined #openstack-keystone03:22
wangqunstevemar, I use the v2.0 APIs. Can't it realize?03:22
wangqunI try to modify the policy.json.03:23
wangqungrep list_users policy.json03:23
wangqun"identity:list_users": "",03:23
wangqun"identity:list_users_in_group": "",03:23
wangqunRROR: openstack You are not authorized to perform the requested action: admin_required03:23
adriantjamielennox: Ok, this is where I'm confused. Keystoneauth with a password does a POST to get a token, while token auth is just getting the token to validate it, and not fetching a new one+catalog, correct?03:23
wangqunIt doesn't work indeed .03:24
jamielennoxadriant: it depends, there's different ways you can do stuff03:24
jamielennoxadriant: yes, password does a POSt to get a token03:24
jamielennoxwhen you rescope you are getting a new token with an old token so that's a POST as well03:24
*** su_zhang has joined #openstack-keystone03:24
jamielennoxvalidation like auth_token middleware is just validating an incoming token so thats a GET03:24
adriantyeah, what I'm mainly concerned with is this: https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/identity/generic/token.py03:25
jamielennoxkeystoneauth isn't doing any validation03:25
adriantI assume that is a get?03:25
stevemarwangqun: unfortunately, no, the v2.0 APIs all using a function called "assert_admin" --> https://github.com/openstack/keystone/blob/master/keystone/identity/controllers.py#L42-L52 and https://github.com/openstack/keystone/blob/3f32423241bff496da5ff35616aeafd096f5f951/keystone/common/wsgi.py#L283-L31403:25
stevemarwangqun: it is one of the main reasons we highly recommend everyone use v303:26
jamielennoxadriant: generic is just a wrapper around selecting v2 or v3 depending on what's available03:26
jamielennoxthat involves a GET /03:26
wangqunOk, I got it, and Thanks stevemar.03:26
adriantassume v3 :)03:26
jamielennoxyep, generic is what happens when you do auth_url=https://keystone:5000/ VERSION=3 so it uses the discovery page03:27
jamielennoxbut that has nothing to do with actually validating the token03:27
adriantI'm aware, I was just linking it as an example of the process I was refering to03:28
jamielennoxadriant: https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/identity/v3/token.py#L2703:28
adriantok, so once you are authed like that, asking for a given endpoint fails as you don't have a catalog03:28
jamielennoxadriant: so there is not actual lookup03:28
adriantwould it be possible to, if asked for an endpoint, fetch a catalog?03:29
adriantand yes, I realise this is not a usecase that this was written for03:30
adriantjamielennox: also, i apologise as I haven't dug into the Keystoneauth codebase too much yet.03:31
adriantso expect partially stupid questions.03:31
jamielennoxadriant: i'm just looking how that would work03:31
adriantBasically, I seems silly that you can create an auth with a token, and then asking for an endpoint just throws errors.03:32
jamielennoxhttps://github.com/openstack/keystoneauth/blob/master/keystoneauth1/identity/v3/base.py#L11203:32
jamielennoxget_auth_ref is designed to fetch a new token03:32
adriantthen what is this meant to do?: https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/identity/base.py#L7503:34
jamielennoxso the flow when the plugin needs to know something about its auth will fetch a newtoken rather than evaluate the current one03:34
adriantah03:34
jamielennoxget_token -> get_access -> get_auth_ref03:34
adriantso is there a way to in the service catalog, to if it is empty, to attempt to get a new one, or ask for a new token at the same scope with a catalog?03:36
jamielennoxi'm not sure how you'd make it use the current token instead in a backwards compatible way03:36
adriantusing a new token is fine, my issue is that when trying to use the catalog it falls over03:37
jamielennoxa new token with the same scope will work03:37
jamielennoxbut there's no way to know the current scope, you'd have to provide that as a user03:37
adriantok03:37
jamielennoxyou might be able to fix it to say if there's no scope provided fetch rather than rescope03:37
jamielennoxgoing from scoped->unscoped token shouldn't be allowed (whether it works i can't remember)03:38
adriantyeah, but using a token you can get a catalog03:38
adriantso maybe just use the existing token to fill it. As currently password auth relies on the catalog coming with a token03:38
jamielennoxyea - there's no catalog with an unscoped anyway03:39
jamielennoxso if you provide a --os-token and --os-project-id it should work today03:39
jamielennoxit'll just do a rescope to the same thing03:39
*** iurygregory_ has quit IRC03:40
adriantBut that would mean explicitly using keystoneauth to do that? As the way all the shell stuff works currently is to pass just the token and auth url through.03:42
*** julim has quit IRC03:42
*** roxanaghe has joined #openstack-keystone03:43
*** roxanaghe has quit IRC03:43
adriantjamielennox: Could we stick something in here that fetches a catalog using the current token if one isn't present?: https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/identity/base.py#L15903:47
*** roxanaghe has joined #openstack-keystone03:48
*** code-R has joined #openstack-keystone03:56
*** asettle has joined #openstack-keystone03:56
*** code-R_ has joined #openstack-keystone03:59
*** GB21 has joined #openstack-keystone04:01
*** asettle has quit IRC04:01
stevemarjamielennox: your view BP impl isn't getting much traction04:02
stevemarviews*04:02
*** code-R has quit IRC04:03
stevemarjamielennox: would you be totally miffed if it was bumped? just trying to be realistic about it04:03
jamielennoxadriant: well that's the way some of the heat shell stuff works, ideally we want this to use the keystoneauth stuff as much as possibl e04:08
jamielennoxstevemar: not really - it's not an urgent change04:08
jamielennoxstevemar: and it has the potential to change output at the last minute04:09
*** tqtran has joined #openstack-keystone04:10
stevemarjamielennox: yeah, rather worried about that04:12
*** code-R_ has quit IRC04:12
stevemarall of a sudden a "links" goes missing or some nonsense04:12
*** code-R has joined #openstack-keystone04:12
jamielennoxyep04:12
stevemarjamielennox: OK, i'm going to keep it targeted for N, if it gets reviews then all the power to you and it can go in; otherwise it'll be bumped to O -- cool?04:13
jamielennoxyep04:13
*** tqtran has quit IRC04:14
*** ravelar has quit IRC04:16
*** GB21 has quit IRC04:17
*** links has joined #openstack-keystone04:20
*** code-R has quit IRC04:22
adriantjamielennox: just wrote this to try something out with token auth: http://paste.openstack.org/show/558037/04:27
*** tonytan4ever has quit IRC04:27
adriantI'm assuming if valid password auth,   auth.get_token(session) returns your current token, yes?04:27
jamielennoxyep04:28
jamielennoxif you pass project_name and project_domain_name to v3.Token that should work though04:28
adriantok, let me try04:28
adriantok, that does work. So should the fix be to update the client tools to correctly pass those values along to keystone auth as well?04:30
adriantOr can keystoneauth, if the token is valid, just fetch a new catalog on it's own?04:30
adriantwithout needing to pass project (since the old token is already correctly scoped)04:31
*** ravelar has joined #openstack-keystone04:31
jamielennoxso the client tools should be able to do that already04:32
adriantWell, not heat, but heat is special. Not sure yet on openstackclient04:32
jamielennoxyou could fix heatclient, but gah04:32
adriantHow far away is version 3?04:32
jamielennoxopenstackclient should be able to do it04:32
jamielennox--os-auth-type token --os-project-name proj --os-project-domain-name dom04:33
jamielennox--os-token token04:33
adriantopenstackclient 2.6 does not pass along the projectname and such to the token auth I don't think04:33
adriantcan double check, but I think I played with that a couple of weeks back04:33
jamielennoxif you do --os-auth-type this stuff should be dynamic rather than something that OSC has to do04:34
adriantjamielennox: just tried this bash against OS-Client 2.6: http://paste.openstack.org/show/558043/04:39
adrianterror: ":__init__() got an unexpected keyword argument 'user_domain_name'"04:40
adriantjust tried doing a project list04:40
jamielennoxlol - that's notgood04:41
adriantyou can see my frustration :(04:42
adriantWill wait for 3.0 and check again I guess. But if setting the envvar for those works in 3, then yes that also fixes my problem :)04:43
jamielennoxdo you know where user_domain_name is failing?04:44
jamielennoxif you add --debug it prints tracebacks04:44
adriantsorry yeah, should have pasted a debug04:44
adriantjamielennox: http://paste.openstack.org/show/558045/04:45
adrianttoken plugin itself it seem04:45
jamielennoxadriant: oh, so yea you can't have user_domain_name there04:46
jamielennoxyou need project_domain_name not user_domain_name04:46
adriantso the client is being stupid04:46
jamielennoxthere's no user infromation in token plugin04:46
adriantI'm not passing in that value, it's something with how the OSclient is trying to do it04:46
jamielennoxyep, it'd depend if it was osc or keystoneauth at fault, if it's ksa we'd fix it, but i doubt it04:47
jamielennoxOSC has had various attempts at making auth "more intuitive" that fail in some weird edge cases04:47
adriantNah, it looks like OSC is passing in extra parameters.04:47
adriantmaybe because it expects the same parameters needed for token auth as password auth?04:48
adriantwhat is the mechanism that is used to figure out which parameters to pass along dynamically?04:50
adriantbecause it could be that OSC is throwing in a large set of kwargs and expecting keystoneauth to use the ones it needs.04:50
jamielennoxadriant: yea, it makes a number of assumptions, this is part of what the osc-lib and osc 3 is supposed to figure out04:51
jamielennoxthe mechanism is in keystoneuaht and generally called loaders04:52
adriantYeah, I'll wait for osc3 and play with that. Any clue when they'll be done with it?04:53
adriantor at least have a test version we can grab04:53
adriantjamielennox: Also, thanks a hell of a lot for helping me work this out. :)04:55
*** esp has quit IRC04:55
jamielennoxadriant: i think the test version is probably master04:56
jamielennoxdtroyer: in #openstack-sdks is the person leading that04:56
jamielennoxi know he intended to get it done for the newton release - but i'm skeptical that is realistic04:56
adriantso pull master for both OSC and OS-lib and install?04:57
adriantor osc-lib, whatever that second library is called04:57
adriantas I know they needs to be synced up04:57
jamielennoxyea, i'd pull master of both04:59
jamielennoxmaster of OSC should rely on osc-lib today, but i don't know where he is with getting things released04:59
*** tonytan4ever has joined #openstack-keystone05:03
*** GB21 has joined #openstack-keystone05:03
*** code-R has joined #openstack-keystone05:15
*** su_zhang has quit IRC05:16
openstackgerritThomas Bechtold proposed openstack/keystone: Fix tempest.conf generation  https://review.openstack.org/35572305:19
openstackgerritMerged openstack/python-keystoneclient: Improve docs for v3 ec2  https://review.openstack.org/35017305:25
*** jaosorior has joined #openstack-keystone05:30
*** code-R has quit IRC05:39
*** haplo37__ has quit IRC05:41
*** david_cu has joined #openstack-keystone05:43
*** roxanaghe has quit IRC05:45
*** tonytan4ever has quit IRC05:46
*** dkehn_ has quit IRC05:48
*** tonytan4ever has joined #openstack-keystone05:54
*** markvoelker has quit IRC05:58
*** dkehn_ has joined #openstack-keystone06:01
*** jpena|off has quit IRC06:02
*** akrzos has quit IRC06:02
*** akrzos has joined #openstack-keystone06:02
*** jpena|off has joined #openstack-keystone06:04
*** tonytan4ever has quit IRC06:04
*** jpena|off has quit IRC06:10
*** jpena|off has joined #openstack-keystone06:11
*** tqtran has joined #openstack-keystone06:11
*** rcernin has joined #openstack-keystone06:14
*** tqtran has quit IRC06:15
*** wangqun_ has joined #openstack-keystone06:18
*** wangqun has quit IRC06:21
*** adriant has quit IRC06:26
*** ravelar has quit IRC06:26
*** maestropandy has joined #openstack-keystone06:28
*** spzala has joined #openstack-keystone06:31
*** maestropandy has quit IRC06:32
*** maestropandy has joined #openstack-keystone06:32
*** maestropandy has left #openstack-keystone06:33
*** spzala has quit IRC06:35
*** EinstCra_ has quit IRC06:38
*** EinstCrazy has joined #openstack-keystone06:42
*** ravelar has joined #openstack-keystone06:46
*** markvoelker has joined #openstack-keystone06:51
*** maestropandy1 has joined #openstack-keystone07:05
*** jpena|off is now known as jpena07:07
*** maestropandy1 has quit IRC07:17
*** maestropandy has joined #openstack-keystone07:17
*** pnavarro has joined #openstack-keystone07:19
openstackgerrithenry-nash proposed openstack/keystone: POC of data migration using database triggers  https://review.openstack.org/35434307:19
*** tonytan4ever has joined #openstack-keystone07:22
*** maestropandy has left #openstack-keystone07:22
*** tonytan4ever has quit IRC07:26
*** GB21 has quit IRC07:28
*** dkehn_ has quit IRC07:43
*** belmoreira has joined #openstack-keystone07:46
*** chlong has quit IRC07:50
*** GB21 has joined #openstack-keystone07:50
*** code-R has joined #openstack-keystone07:52
*** code-R has quit IRC07:57
*** josecastroleon has joined #openstack-keystone07:58
*** zzzeek has quit IRC08:00
*** zzzeek has joined #openstack-keystone08:00
*** markvoelker has quit IRC08:01
*** dkehn_ has joined #openstack-keystone08:02
*** afred312 has quit IRC08:05
*** afred312 has joined #openstack-keystone08:06
openstackgerritHawh YnL proposed openstack/keystone: a  https://review.openstack.org/35577408:09
openstackgerritDavanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c  https://review.openstack.org/31843508:10
*** asettle has joined #openstack-keystone08:20
*** tonytan4ever has joined #openstack-keystone08:23
*** wangqun_ has quit IRC08:27
*** tonytan4ever has quit IRC08:28
*** mvk has quit IRC08:29
*** dikonoor has joined #openstack-keystone08:35
*** maestropandy has joined #openstack-keystone08:35
*** maestropandy1 has joined #openstack-keystone08:36
*** maestropandy has quit IRC08:40
*** maestropandy1 has left #openstack-keystone08:49
*** dkehn_ has quit IRC08:51
*** davechen has left #openstack-keystone08:55
*** mvk has joined #openstack-keystone08:55
*** markvoelker has joined #openstack-keystone09:02
*** dkehn_ has joined #openstack-keystone09:04
*** markvoelker has quit IRC09:07
*** GB21 has quit IRC09:18
*** ravelar has quit IRC09:33
bretonstevemar: hey. Why doesn't OSC backport bugfixes? I am wondering in context of https://review.openstack.org/#/c/354271/09:37
patchbotbreton: patch 354271 - python-openstackclient (stable/mitaka) - Fix SSL/TLS verification for network commands (ABANDONED)09:37
samueldmqmorning keystone09:43
*** nkinder has quit IRC09:44
*** jpena has quit IRC09:46
*** dmellado has quit IRC09:46
*** amoralej has quit IRC09:46
*** jpena has joined #openstack-keystone09:47
*** GB21 has joined #openstack-keystone09:51
*** code-R has joined #openstack-keystone09:53
*** dmellado has joined #openstack-keystone09:56
*** code-R has quit IRC09:58
*** EinstCrazy has quit IRC10:01
*** markvoelker has joined #openstack-keystone10:03
*** jed56 has joined #openstack-keystone10:03
bretonsamueldmq: o/10:03
*** EinstCrazy has joined #openstack-keystone10:04
*** markvoelker has quit IRC10:08
*** tqtran has joined #openstack-keystone10:12
*** nkinder has joined #openstack-keystone10:13
*** mnikolaenko_ has joined #openstack-keystone10:14
*** tqtran has quit IRC10:17
*** dikonoor has quit IRC10:20
*** asettle has quit IRC10:22
*** tonytan4ever has joined #openstack-keystone10:24
*** mvk has quit IRC10:25
*** mvk has joined #openstack-keystone10:26
*** tonytan4ever has quit IRC10:28
*** ntpttr has quit IRC10:30
*** spzala has joined #openstack-keystone10:31
*** ntpttr has joined #openstack-keystone10:35
*** spzala has quit IRC10:36
*** josecastroleon has quit IRC10:40
*** dikonoor has joined #openstack-keystone10:44
*** EinstCrazy has quit IRC10:44
*** EinstCrazy has joined #openstack-keystone10:45
*** dikonoor has quit IRC10:47
*** dikonoor has joined #openstack-keystone10:47
*** EinstCrazy has quit IRC10:50
*** dikonoor has quit IRC10:50
*** markvoelker has joined #openstack-keystone11:04
openstackgerritBoris Bobrov proposed openstack/keystone: Add prepare_ldap command  https://review.openstack.org/34302811:07
*** markvoelker has quit IRC11:08
*** asettle has joined #openstack-keystone11:09
openstackgerritBoris Bobrov proposed openstack/keystone: Add prepare_ldap command  https://review.openstack.org/34302811:09
*** haplo37__ has joined #openstack-keystone11:20
*** dikonoor has joined #openstack-keystone11:23
*** GB21 has quit IRC11:24
*** josecastroleon has joined #openstack-keystone11:28
*** GB21 has joined #openstack-keystone11:29
*** asettle has quit IRC11:30
*** haplo37__ has quit IRC11:31
openstackgerrithenry-nash proposed openstack/keystone: POC of data migration using database triggers  https://review.openstack.org/35434311:33
*** jaosorior has quit IRC11:35
*** jaosorior has joined #openstack-keystone11:35
*** sdake has joined #openstack-keystone11:36
*** GB21 has quit IRC11:37
*** asettle has joined #openstack-keystone11:44
stevemarbreton: we should probably revisit that stance11:47
*** rodrigods has quit IRC11:51
*** asettle has quit IRC11:51
*** rodrigods has joined #openstack-keystone11:51
*** asettle has joined #openstack-keystone11:52
*** tonytan4ever has joined #openstack-keystone11:55
*** jpena is now known as jpena|lunch11:57
*** tonytan4ever has quit IRC11:59
*** markvoelker has joined #openstack-keystone12:05
*** sigmavirus|away is now known as sigmavirus12:05
amakarovzzzeek, hi! Can you please upload dogpile.cache 0.6.2 to pypi?12:06
*** haplo37__ has joined #openstack-keystone12:09
*** markvoelker has quit IRC12:09
*** haplo37__ has quit IRC12:13
*** su_zhang has joined #openstack-keystone12:16
*** mnikolaenko_ has quit IRC12:19
*** manous has joined #openstack-keystone12:21
*** gordc has joined #openstack-keystone12:24
*** markvoelker has joined #openstack-keystone12:26
stevemaro/12:37
*** pauloewerton has joined #openstack-keystone12:44
*** raildo has joined #openstack-keystone12:45
*** itisha has quit IRC12:50
amakarovstevemar, good day!12:54
*** mnikolaenko_ has joined #openstack-keystone12:55
amakarovstevemar, what can we do for https://review.openstack.org/#/c/351260/ ?12:55
patchbotamakarov: patch 351260 - keystone - Trust controller refactoring12:55
*** asettle has quit IRC12:55
amakarovayoung, greetings, can you please review? ^^12:56
*** jpena|lunch is now known as jpena12:56
*** asettle has joined #openstack-keystone12:58
*** julim has joined #openstack-keystone13:00
*** guoshan has joined #openstack-keystone13:00
*** woodster_ has joined #openstack-keystone13:04
*** nishaYadav has joined #openstack-keystone13:05
nishaYadavo/13:06
nishaYadavsamueldmq, good morning13:06
amakarovayoung, thank you13:07
samueldmqnishaYadav: hey13:07
*** edmondsw has joined #openstack-keystone13:11
*** lifeless has quit IRC13:11
*** spzala_ has joined #openstack-keystone13:19
openstackgerritBoris Bobrov proposed openstack/keystone: Add prepare_ldap command  https://review.openstack.org/34302813:24
*** su_zhang has quit IRC13:24
*** su_zhang has joined #openstack-keystone13:25
*** lifeless has joined #openstack-keystone13:29
*** su_zhang has quit IRC13:29
*** ashyoung has joined #openstack-keystone13:32
*** jpena is now known as jpena|brb13:33
lbragstaddolphm I did some thinking about the max_active_keys default for credential encryption - here is what i came up with - https://review.openstack.org/#/c/354495/313:33
patchbotlbragstad: patch 354495 - keystone - Add conf to support credential encryption13:33
lbragstaddolphm i left a comment there explain my thought process, but I would appreciate any holes that could be poked13:34
openstackgerritNisha Yadav proposed openstack/python-keystoneclient: Add ec2 functional tests  https://review.openstack.org/35024513:36
*** catintheroof has joined #openstack-keystone13:36
nishaYadavsamueldmq, rodrigods please have a look, the tests are failing in my VM13:37
openstackgerritDave Chen proposed openstack/keystone: Replace the content type with correct one  https://review.openstack.org/34924913:40
*** ashyoung has quit IRC13:43
*** catintheroof has quit IRC13:43
dstaneklbragstad: i'm going to punt on te uuid vs. fernet behavior for right now13:46
lbragstaddstanek for the 403 versus 401?13:47
*** erhudy has joined #openstack-keystone13:48
dstaneklbragstad: yeah, i can work on that after the cching bug...just going to override the test if i can13:48
lbragstaddstanek I have a patch for that13:48
dstaneklbragstad: oh, nice. what's the gerrit #?13:48
lbragstaddstanek https://review.openstack.org/#/c/350704/2/keystone/tests/unit/test_auth.py13:49
patchbotlbragstad: patch 350704 - keystone - Make all token provider behave the same with trusts13:49
lbragstaddstanek feel free to steal that if you want to13:49
lbragstadI spent a good day trying to figure all that out a couple weeks ago - i left as much of a description in the comments as i could13:49
lbragstaddstanek which is pretty much what we talked about last week13:49
*** ashyoung has joined #openstack-keystone13:50
dstaneklbragstad: once these tests are done running i'll rebase on top of that and see what happens13:51
*** amoralej has joined #openstack-keystone13:51
lbragstaddstanek cool13:51
lbragstaddstanek I'm not sure how much of that patch you'll need but - feel free to incorporate it into your if that's easier13:52
lbragstadyours*13:52
*** tonytan4ever has joined #openstack-keystone13:53
*** permalac has joined #openstack-keystone13:53
*** haplo37__ has joined #openstack-keystone13:55
*** ashyoung has quit IRC13:56
*** jpena|brb is now known as jpena13:58
*** ashyoung has joined #openstack-keystone14:00
*** guoshan has quit IRC14:02
*** jistr is now known as jistr|debug14:03
dstanekyeah, not good http://paste.openstack.org/show/558396/14:05
lbragstadooo - ouch14:05
dstanekthat's what happens when you misplace a comma14:06
openstackgerritLance Bragstad proposed openstack/keystone: Add conf to support credential encryption  https://review.openstack.org/35449514:06
stevemaramakarov: yay it was approved14:11
amakarovstevemar, cool! I can continue with trust using delegation!14:12
*** su_zhang has joined #openstack-keystone14:13
amakarovstevemar, there is a problem there: tons of logic is performed in controller and uses request context. Should I tear it out and move to the manager or leave it be and make delegation changes in the controller?14:14
*** tqtran has joined #openstack-keystone14:14
openstackgerritMerged openstack/keystone: Make a FernetUtils class  https://review.openstack.org/35376114:14
*** BjoernT has joined #openstack-keystone14:14
* amakarov wishes to do the former14:15
*** jaosorior has quit IRC14:17
*** asettle has quit IRC14:18
*** su_zhang has quit IRC14:18
*** tqtran has quit IRC14:18
*** asettle has joined #openstack-keystone14:18
*** edtubill has joined #openstack-keystone14:19
*** asettle has quit IRC14:23
*** edtubill has quit IRC14:23
*** su_zhang has joined #openstack-keystone14:26
stevemaramakarov: it should probably go in the manager, try refactoring it, if it gets ugly... use your best judgement :)14:28
*** mnikolaenko_ has quit IRC14:29
*** ravelar has joined #openstack-keystone14:29
lbragstadstevemar words of wisdom right there14:30
*** ravelar has quit IRC14:30
*** ravelar has joined #openstack-keystone14:30
*** edtubill has joined #openstack-keystone14:31
*** spedione|AWAY is now known as spedione14:31
*** michauds has joined #openstack-keystone14:35
*** jed56 has quit IRC14:35
*** asettle has joined #openstack-keystone14:35
openstackgerritNisha Yadav proposed openstack/python-keystoneclient: Improve docs for v3 auth  https://review.openstack.org/35598014:36
nishaYadavsamueldmq, rodrigods please have a look ^14:37
*** links has quit IRC14:39
robcresswellstevemar: We ran into some oddities with testing in d_o_a and keystoneclient due to requests 2.11.0. It appears to just be an incomplete mock on our side, but I wanted to flag it in case you see any similar issues.14:43
robcresswellhttps://bugs.launchpad.net/django-openstack-auth/+bug/161374014:43
openstackLaunchpad bug 1613740 in django-openstack-auth "All test are broken" [Critical,In progress] - Assigned to Rob Cresswell (robcresswell)14:43
robcresswellAs I said, got a fix up, but just in case anyone finds something strange it might be useful as a reference.14:44
openstackgerritDavid Stanek proposed openstack/keystone: WIP: Removes extra verbose revocation logging  https://review.openstack.org/35598914:44
*** jistr|debug is now known as jistr14:50
*** hatTip has joined #openstack-keystone14:50
*** hatTip has left #openstack-keystone14:51
*** hatTip has joined #openstack-keystone14:51
*** ashyoung has quit IRC14:52
*** woodburn has joined #openstack-keystone14:52
*** LamT_ has joined #openstack-keystone14:53
zzzeekamakarov: looking14:54
*** permalac has quit IRC14:58
*** su_zhang has quit IRC15:03
*** su_zhang has joined #openstack-keystone15:04
*** su_zhang_ has joined #openstack-keystone15:05
*** su_zhang has quit IRC15:06
*** itisha has joined #openstack-keystone15:09
*** hockeynut has joined #openstack-keystone15:10
*** dikonoor has quit IRC15:11
*** michauds has quit IRC15:15
*** josecastroleon has quit IRC15:15
*** hockeynu_ has joined #openstack-keystone15:15
*** mfisch has joined #openstack-keystone15:15
*** mfisch has quit IRC15:15
*** mfisch has joined #openstack-keystone15:15
*** belmoreira has quit IRC15:17
*** hockeynut has quit IRC15:18
*** hatTip has quit IRC15:20
openstackgerritSean Dague proposed openstack/keystone: Revert "Add debug logging to revocation event checking"  https://review.openstack.org/35601015:24
*** michauds has joined #openstack-keystone15:30
stevemarrobcresswell: thanks for sharing!15:32
stevemarrobcresswell: we were hit with one bug with requests 2.11.0, user agent string is now validated against a schema, it broke us15:33
*** roxanaghe has joined #openstack-keystone15:35
*** su_zhang_ has quit IRC15:35
zzzeekamakarov: done15:36
amakarovzzzeek, thanks! That blocks oslo.cache fix )15:36
*** su_zhang has joined #openstack-keystone15:38
*** edtubill has quit IRC15:38
*** slberger has joined #openstack-keystone15:39
*** andreykurilin has quit IRC15:41
robcresswellstevemar:\o/15:45
*** rcernin has quit IRC15:46
*** haplo37__ has quit IRC15:47
dstaneklbragstad: even with your patch keystone.tests.unit.test_auth.FernetAuthWithTrust.test_trust_get_token_fails_if_trustee_disabled seems to fail15:49
dstaneklbragstad: bot not working https://review.openstack.org/#/c/349704/15:51
patchbotdstanek: patch 349704 - keystone - WIP: region namespace POC for cache invalidation15:51
lbragstaddstanek bot not working?15:52
dstaneki updated a change, but didn't see it show up here15:52
lbragstaddstanek oh15:53
crinklefor https://review.openstack.org/#/c/347543/ since this only needs to exist for one release should I propose it only to stable/mitaka or keep it in master and leave a TODO to remove it?15:53
patchbotcrinkle: patch 347543 - keystone - Add dummy domain_id column to cached role15:53
samueldmqcrinkle: fair question, perhaps master+TODO+backport is safer ?15:54
crinklesamueldmq: sounds good to me15:54
samueldmqdolphm: bknudson: stevemar ^15:54
dstanekbreton: https://review.openstack.org/#/c/349704/ has some updates15:54
patchbotdstanek: patch 349704 - keystone - WIP: region namespace POC for cache invalidation15:54
samueldmqcrinkle: nice, just want to get someone else's opinion :)15:55
bknudsonsamueldmq: crinkle: if the bug doesn't exist on master then no need to propose a change there.15:56
bretondstanek: thanks, will have a look15:56
stevemarcrinkle: i was going to get back to you about that tody15:56
stevemarcrinkle: so i'm of bknudson's opinion, if it only needs to belong in mitaka, then let's just fix it there15:57
dolphmcrinkle: can you not solve that issue by restarting memcache as part of the upgrade process?15:57
*** wolsen has joined #openstack-keystone15:57
dstanekbreton: still a failing test that i need to fix15:57
crinkledolphm: you can, i don't think it's desireable to add more upgrade steps though15:57
stevemardolphm: would restarting memcache empty the cache?15:58
crinkleyes it does15:58
bknudsondolphm: memcache isn't the only dogpile backend. what about redis?15:58
wolsenstevemar, re: https://review.openstack.org/#/c/348040/4 - if there is little to no interest in this change, I'm happy to abandon it and free it from review queues15:58
patchbotwolsen: patch 348040 - keystone - Maintain ordered list for KVS token persistence15:58
bknudsonalso, this probably does need to be there for master to fix the problem, since the deployer might quickly go from mitaka to n.15:59
bretonwolsen: the problem with that one is that very few people use kvs for tokens15:59
stevemarwolsen: let's see what dolphm thinks of it ^ i think there may be little to no interest in it (sorry!)15:59
wolsenbreton, completely agreed that few people use it15:59
bretonwolsen: and they generally are happy with it15:59
stevemarwolsen: i hope we don't discourage you from contributing other patches15:59
bretonwolsen: because their load is not that big15:59
wolsenstevemar, oh don't be apologetic - I don't want to waste anyones time15:59
crinklebknudson: the problem is only for liberty -> mitaka and i thought it was resolved yesterday that we only support n -1 -> n15:59
stevemarwolsen: comes with being canadian16:00
bretonlol16:00
wolsenstevemar, bah that'd never discourage me :-) time is precious16:00
bknudsoncrinkle: you can go from n-1 -> n and then n -> n+1 .16:00
stevemarcrinkle: that is correct, only n-1. so it would be going into liberty then16:00
wolsenftr, the environment I was working with originally for that is moving to fernet tokens anyways, so its little and less value for us as well, but I thought someone might benefit16:01
bknudsoncrinkle: that's what deployers do.16:01
crinklebknudson: ah yeah and then the cache would still have the wrong thing in it if you do it quickly16:01
crinklegotcha16:01
bknudsonit's not like you have to stop at m if you were at l.16:01
*** edtubill has joined #openstack-keystone16:04
*** spedione is now known as spedione|AWAY16:06
*** sdake has quit IRC16:09
*** hockeynu_ has quit IRC16:10
*** asettle has quit IRC16:13
stevemarcrinkle: alright, let's get back to your patch16:15
openstackgerritNisha Yadav proposed openstack/python-keystoneclient: Add auth functional tests  https://review.openstack.org/35604116:15
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Minimum password age requirements  https://review.openstack.org/34331416:16
stevemarcrinkle: should we add a note about removing the function in P or some non-sense, or let it live indefinitely16:16
crinkle¯\_(ツ)_/¯16:17
stevemarcrinkle: :)16:17
stevemarcrinkle: have you validated it manually?16:19
stevemarcrinkle: maybe we can get mfisch to give it a ticky mark16:19
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Minimum password age requirements  https://review.openstack.org/34331416:19
mfisch?16:20
stevemarmfisch: https://bugs.launchpad.net/keystone/+bug/159216916:20
openstackLaunchpad bug 1592169 in OpenStack Identity (keystone) "cached tokens break Liberty to Mitaka upgrade" [High,In progress] - Assigned to Colleen Murphy (krinkle)16:20
crinklestevemar: yes it works on my machine but would be great to have someone double check16:20
mfischyes thats annoying16:20
mfischI have to shell into every node and run cache invalidation in a loop over and over during the upgrade16:20
stevemarmfisch: crinkle has a fix https://review.openstack.org/#/c/347543/16:20
patchbotstevemar: patch 347543 - keystone - Add dummy domain_id column to cached role16:20
*** adrian_otto has joined #openstack-keystone16:21
mfischok if the fix works I'm on board16:21
stevemarmfisch: if you could test that out, it would be awesome. this one would be tricky to unit test16:21
mfischI can but it might not be until tomorrow16:22
mfischI'll get an L environment setup today16:22
stevemarmfisch: on a separate note, dstanek is working his butt off to fix the caching issues16:22
mfisch+116:22
mfisch+beer when I see him ;)16:22
stevemarcrinkle: mfisch: the fix would only go into stable/mitaka IIUC16:22
mfischyep16:22
stevemarsince it's the upgrade process16:23
stevemarokay cool16:23
stevemarcrinkle: i'll +2 and -W it so it doesn't get accidentally merged, but as soon as mfisch verifies, i'll pull the trigger16:23
mfischok16:23
crinklecool16:23
mfischI will start on the env now that will take a few hours but I'm out of the office all afternoon16:23
stevemarmfisch: s'all good, we have a good chunk of runway on our side still16:24
mfischok16:25
mfischthx16:25
stevemarmfisch: it was all crinkle16:25
mfischbesides you guys should just trust all the code she writes16:25
crinklelol16:25
stevemarmfisch: oh man, i totally do16:26
stevemari've never seen a crinkle patch that isn't awesome16:26
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Minimum password age requirements  https://review.openstack.org/34331416:26
openstackgerritLance Bragstad proposed openstack/keystone: Create a fernet credential provider  https://review.openstack.org/35449616:27
openstackgerritLance Bragstad proposed openstack/keystone: Make KeyRepository shareable  https://review.openstack.org/35605316:27
openstackgerritLance Bragstad proposed openstack/keystone: Add create and update methods to credential Manager  https://review.openstack.org/35505616:28
openstackgerritLance Bragstad proposed openstack/keystone: Add key_hash column to credential table  https://review.openstack.org/35561816:38
*** nishaYadav has quit IRC16:39
*** nishaYadav has joined #openstack-keystone16:39
*** hockeynut has joined #openstack-keystone16:40
*** thumpba has joined #openstack-keystone16:43
dstaneklbragstad: two different test runs with two different exceptions for the same test. no code changes in between runs. http://paste.ubuntu.com/23062173/16:43
lbragstaddstanek was that with my patch?16:46
lbragstaddstanek sync up after lunch?16:47
*** esp has joined #openstack-keystone16:47
*** su_zhang has quit IRC16:48
*** nishaYadav has quit IRC16:49
*** nishaYadav has joined #openstack-keystone16:49
*** nishaYadav has quit IRC16:50
*** su_zhang has joined #openstack-keystone16:50
henrynashrderose: hi16:55
rderosehenrynash: hi16:55
henrynashrderose: so when you say the expand cycle should have its own repo...do you mean separate from the existing main repo?16:56
openstackgerritThomas Bechtold proposed openstack/keystone: Fix tempest.conf generation  https://review.openstack.org/35572316:57
rderosehenrynash: yes16:57
henrynashrderose: what would go in the main one, as opposed to the otehr ones?16:58
rderosehenrynash: so that expand migrate and contract all start with the same number16:58
rderosehenrynash: main one from this point forward would just be around for a couple releases; then go away16:58
henrynashrderose: what's the advantage (given that most expand changes don't have migrate or contract equivilents)17:00
*** edtubill has quit IRC17:00
*** su_zhang has quit IRC17:00
*** su_zhang has joined #openstack-keystone17:01
stevemardstanek you're looking fancy here: https://www.openstack.org/community/members/profile/1009717:01
rderosehenrynash: hmm... if they do though, then this will keep them together17:02
*** hockeynut has quit IRC17:03
henrynashrderose: ...and except for Newton...since our one contract is already in the main repo17:03
henrynash(the expand for our one contract....)17:03
stevemarhenrynash: thanks for accepting my bikeshed comments :)17:04
*** jaugustine has joined #openstack-keystone17:04
henrynashrderose: I'm not sure it's worth trying to align them...in the latest patch I renamed the main repo to be the expand repo17:04
henrynashstevemar: just painting it red now, sir17:04
rderosehenrynash: yeah, I saw that17:04
openstackgerritSteve Martinelli proposed openstack/keystone: Password expires ignore user list  https://review.openstack.org/35174917:05
rderosehenrynash: I just think for debugging purpose, we'd want to keep the 3 changes in lock step17:05
rderosehenrynash: don't you think?17:06
rderosehenrynash: if you are making a change that requires expand, migrate, and contract, wouldn't you want them to all be the same version number?17:06
stevemardolphm: abandon https://review.openstack.org/#/c/355095/ and look at the last 2 pci patches in https://review.openstack.org/#/q/topic:bp/pci-dss ?17:08
patchbotstevemar: patch 355095 - keystone - Fix nits in PCI-DSS Minimum password age requirements17:08
henrynashrderose: while that might be nice, it just seems like (given the history of changes) end up with lots of null migrations. Further, after experimenting with triggers, I suspect we'll have 2 migration numbers for an expand change that needs them (one to do the change and one to add the triggers)17:09
*** david-lyle_ has joined #openstack-keystone17:09
*** tonytan4ever has quit IRC17:11
henrynash..since the triggers probably need to be written in raw sql, while the table changes can stay in a python migrate file...further complicating it17:11
rderosehenrynash: good point17:11
henrynash(which you could of course also have null migrations for in the other repos)17:12
henrynashI was also trying to not change the migration version number of the main/expand repo for continuity, simplicity and backporting ease17:12
*** david-lyle has quit IRC17:13
rderosehenrynash: still do it in one file though, if 'mysql': stmt = 'create trigger...' session.execute(stmt)17:13
rderosehenrynash: but I see your point17:13
stevemarbreton: still around?17:13
*** david-lyle_ is now known as david-lyle17:13
henrynashrderose: you can, although multiple (sql) statement lines can get tricky...17:14
rderose:)17:14
henrynashrderose: I started out that way, and had to revert to raw sql17:14
*** amoralej is now known as amoralej|off17:15
rderosehenrynash: I see, yeah I imagine the triggers are going to be tricky. haven't got into postgres triggers yet.17:16
henrynashrderose: see: https://review.openstack.org/#/c/354343/ ...and the postgresql ones are still not working yet17:17
patchbothenrynash: patch 354343 - keystone - POC of data migration using database triggers17:17
rderosehenrynash: okay17:17
*** spedione|AWAY is now known as spedione17:19
*** tqtran has joined #openstack-keystone17:19
bretonstevemar: yes17:21
stevemarbreton: added comments to your prep-ldap patch, it's looking close17:21
bretonstevemar: thanks, will address after the meeting17:22
*** esp has quit IRC17:23
*** tonytan4ever has joined #openstack-keystone17:26
dolphmstevemar: abandoned - i meant to abandon it earlier17:26
*** gyee has joined #openstack-keystone17:30
*** ChanServ sets mode: +v gyee17:30
*** Gorian|work has joined #openstack-keystone17:32
bretondstanek: your patch works!17:34
dolphmhenrynash: what is your concern with having empty migration scripts?17:35
bretondstanek: i even understood how it works17:35
bretondstanek: could you please add some comments?17:35
dolphmhenrynash: we have them today, and we have empty downgrades today -- i see above you pointed out that they could cause confusion, but the ones we have today don't seem to cause any confusion.17:36
dolphmhenrynash: furthermore, having expand, migrate, and contract repos that have related (usually equal) version numbers should actually eliminate more confusion for deployers than empty migrations would ever cause17:37
henrynashdolphm: nothing in particular (other than we'll have a lot of them)...I also didn't really want to change the migrate version of the main/expand repo17:37
bretondstanek: also, my biggest concern is that it overrides all the stuff related to "invalidation strategies" pushed by amakarov to dogpile. But it will work for us for master and should be safe to backport to mitaka17:37
dolphmhenrynash: you shouldn't have to touch the legacy repository for any of this work17:37
bretondstanek: nice work, i will comment on the review in a couple of hours17:37
dolphmhenrynash: why would you have to change the migration version there?17:37
dolphmhenrynash: keeping the 3 new repos essentially in lock step with each other allows us to trivially prevent deployers from shooting themselves in the foot, by accidentally running repositories out of order17:38
henrynashdolphm: what I mean is that "version" is the Newton DB?17:38
dolphmhenrynash: ?17:38
henrynashdolphm: it would have a main_repo version and an expand repo version (which would be 0), since all teh "expand" changes  for Newton are in the main repo17:39
*** pnavarro has quit IRC17:40
dolphmhenrynash: so, the legacy repository would stop at whatever version we last landed a migration at, and the expand, migrate, and contract repos would start at 0 (or 1, with the first migration there)17:40
bretonstevemar: https://bugs.launchpad.net/oslo.cache/+bug/1590779 is fixed by patch https://review.openstack.org/#/c/349704/.17:40
openstackLaunchpad bug 1590779 in oslo.cache "Cache region invalidation works for local CacheRegion object only" [Undecided,In progress] - Assigned to Alexander Makarov (amakarov)17:40
patchbotbreton: patch 349704 - keystone - WIP: region namespace POC for cache invalidation17:40
bretoni like how the bots work together17:41
henrynashdolphm: I was trying to be cautious for Newton and basically treat the main repo as the expand repo17:42
henrynash(since that's what it is_17:42
dolphmhenrynash: how is that cautious?17:42
henrynash)17:42
dolphmhenrynash: i must not understand the issue you're trying to prevent?17:42
henrynashIt's just less change (well it would have been if a certain someone didn't want me to change the name of it!17:43
dolphmhenrynash: why did you need to rename it?17:44
*** esp has joined #openstack-keystone17:44
henrynashdolphm: I didn't *have* to rename it....but assuming we were treating it as the expand repo, then there is an arguemnt to call to something tahat describes that17:45
henrynashdolphm: which I do undestand is not something you want to do anywya17:46
dolphmhenrynash: okay, so why do we have to repurpose the repo at all? there are substantial benefits to creating 3 new repos to replace the existing one, and it's more complicated to try to repurpose the old repo17:46
dolphmhenrynash: i'm skimming back through the last day of review comments on https://review.openstack.org/#/c/349939/ -- is there one i missed that has some reasoning?17:48
patchbotdolphm: patch 349939 - keystone - Add data migration and contract schema logic to ke...17:48
henrynashdolphm: was just trying to change as little conceptually as possible...especially as Newton is almost entirely additive17:48
*** ravelar has quit IRC17:48
henrynashdolphm: I certainly considered doing exactly what you (and rderose) is suggesting....and am OK with doing it, if people would prefer that balance of changes17:49
dolphmhenrynash: so, to avoid change, you've changed the purpose of the legacy repo? :P17:49
henrynashdolpm: since we only allow additive changes in it....it is indeed the expand repo!17:50
henrynashdolphm: remember that for Newton, we have restricted the changes we allow in it17:51
dolphmhenrynash: but that's only true by coincidence, we can't rewrite our migration history, and we can introduce a changeover to the new repositories at literally any moment - we don't have to wait for a major release to cut over17:52
*** gagehugo has joined #openstack-keystone17:52
henrynashdolphm: (agree to all that).....and so having said all this, if people feel strongly that they would prefer the the 3 (new) repo approach, I'm OK with that...the change are not that hard17:53
dolphmhenrynash: does anyone feel strongly otherwise? if so, what is the reasoning?17:53
*** sdake has joined #openstack-keystone17:55
*** tqtran has quit IRC17:55
henrynashstevemar, dstanek: you're probably both the closest to this (I know rderose's view already) ^17:56
*** ravelar has joined #openstack-keystone17:56
* breton will miss the meeting unfortunatelly, but will catch up17:56
henrynashstevemar, dstanek: the question being do we close the main repo and restart with new expand repo17:57
*** shaleh has joined #openstack-keystone17:57
stevemarbreton: thanks for the heads up17:57
*** tqtran has joined #openstack-keystone17:58
*** tonytan4ever has quit IRC17:59
stevemarhenrynash: sorry, was on a call, i will weigh-in in the code review17:59
henrynashstevemar:ok17:59
stevemarajayaa, amakarov, ayoung, breton, browne, crinkle, claudiub, davechen, david8hu, dolphm, dstanek, edmondsw, gagehugo, gyee, henrynash, hogepodge, htruta, jamielennox, jaugustine, joesavak, jorge_munoz, knikolla, lbragstad, MaxPC, morgan, nkinder, notmorgan, raildo, rodrigods, rderose, roxanaghe, samleon, samueldmq, shaleh, stevemar, tsymanczyk, topol, vivekd, wanghong, xek  goto meeting!17:59
rderosestevemar should be a politician17:59
stevemarrderose: oh?18:00
stevemarrderose: you calling me a liar?! (or a spy :) )18:00
rderosestevemar: both!18:00
rderosejk18:00
stevemarrderose: zing!18:00
*** ravelar has quit IRC18:01
*** ravelar has joined #openstack-keystone18:01
*** rcernin has joined #openstack-keystone18:01
*** tqtran has quit IRC18:03
dolphmhenrynash: if you're interested, i put together a demo of a real 3-phase migration using sqlite, and two application scripts that read and write to two completely different schemas during the migration phase https://gist.github.com/dolph/72dae9391ec4e13444498f977bc92ad918:03
*** code-R has joined #openstack-keystone18:06
*** tqtran has joined #openstack-keystone18:12
*** code-R has quit IRC18:14
*** tqtran has quit IRC18:19
*** jaosorior has joined #openstack-keystone18:21
openstackgerritMerged openstack/keystone: Revert "Add debug logging to revocation event checking"  https://review.openstack.org/35601018:24
openstackgerritMerged openstack/keystone: api-ref: Document implied roles API  https://review.openstack.org/35521918:24
*** jaosorior has quit IRC18:25
*** tqtran has joined #openstack-keystone18:32
*** michauds has quit IRC18:34
*** mvk has quit IRC18:38
*** michauds has joined #openstack-keystone18:46
*** su_zhang has quit IRC18:49
stevemaramakarov: ping18:50
amakarovstevemar, o/18:50
stevemaramakarov: i'm not sure why the peformance bot is showing an improvement for precaching tokens18:51
stevemaramakarov: do you have another way of showing that caching improves perf?18:51
stevemarrather, pre-caching ...18:51
stevemaramakarov: just want to set the expectation that unless we can get some metrics, i may bump this to ocata. are you okay with that?18:52
amakarovstevemar, I have only manual tests18:52
stevemaramakarov: :(18:52
stevemaramakarov: the code is fine, i just don't want to merge things that are on critical paths so late in the cycle18:53
stevemarwithout firm results saying that things are improved18:53
stevemari hope you understand :)18:53
amakarovstevemar, I understand18:53
amakarovstevemar, Just how firm results may look like? )18:54
stevemaramakarov: anything, a script folks can run, the perf bot, i assumed you would use rally or something *shrugs*18:54
amakarovstevemar, the only difference is in first validation18:54
knikollaso maybe a script that gets a token, and then calls validate on it, repeat 1000 times?18:55
amakarovbtw, a script...18:55
knikollaand time it18:55
amakarovknikolla, that I can do18:55
stevemarsomething repeatable18:55
amakarovstevemar, are you ok if I prepare a gist with a script tomorrow?18:55
stevemaramakarov: of course!18:56
amakarovstevemar, it's 10PM for me now ))18:56
stevemaramakarov: go to bed ! :)18:56
henrynashdolphm: cool...my POC used different tables, and there are some additional issues (like not creating an infinite loop), but all seem solveable18:56
* amakarov goes to bed :)18:56
*** amakarov is now known as amakarov_away18:56
henrynashdolphm: postgresql trigger syntax is a bit non-standard as well, so we will probably end up with writing separate .sql files for each db type18:57
*** tonytan4ever has joined #openstack-keystone18:58
*** gagehugo has quit IRC19:00
*** edtubill has joined #openstack-keystone19:02
*** ezpz has joined #openstack-keystone19:02
*** edtubill has quit IRC19:04
*** fifieldt has quit IRC19:06
knikollain a multitenant application, if i want to cache keystone tokens received from a service provider (k2k) to avoid doing saml exchange again within a short period of time, what would be the most sensible way? barbican?19:09
stevemarknikolla: leave that up to the application, osc should use keyring and local cache, horizon does what it does19:10
stevemarrderose: oh btw, you owe me a ton of release notes and docs for PCI19:12
stevemarlike a metric ton19:12
knikollastevemar: does the keystoneauth library do any kind of caching?19:12
stevemarknikolla: it provides abstraction layers for others to implement19:12
stevemarknikolla: i just spoke with jamielennox about this last night19:13
rderosestevemar: docs, okay19:13
rderosestevemar: and release notes19:13
*** edtubill has joined #openstack-keystone19:13
stevemarrderose: ya damn straight19:13
rderosestevemar: dam19:13
*** sdake_ has joined #openstack-keystone19:14
*** asettle has joined #openstack-keystone19:14
*** sdake has quit IRC19:14
rderosestevemar: yes sir19:14
knikollastevemar: cool. can you point me to any kind of documentation? the service i'm writing is basically a proxy which sits in front of the cinder/glance endpoints and may forward the requests to cinder/glance in service providers federated through k2k (swapping the token in the header)19:15
*** sdake_ has quit IRC19:15
ayoungdoes run_test.sh have any reason to continue to exist?19:16
*** sdake has joined #openstack-keystone19:16
stevemarayoung: *you* were the one that wanted it around! :)19:17
stevemarayoung: but no19:17
stevemarit can die19:17
ayoungstevemar, I wanted it to continue to document how to run the tests19:17
ayoungbut it does not seem to work anymore19:17
stevemarknikolla: whatever happened to your k2k patch for osc19:17
stevemarayoung: rip er our19:17
stevemarout19:17
knikollastevemar: i was waiting for the osc_libs patches to merge19:18
*** edtubill has quit IRC19:18
ayoungstevemar, ah...must be just in older code.  Looks like it is gone in master19:18
stevemarknikolla: thats mostly done19:18
knikollastevemar: this is to get nova to attach remote volumes. as the nova guys didn't really like our changes to be in nova. so we made a proxy.19:18
*** fifieldt has joined #openstack-keystone19:18
knikollastevemar: cool. then i'll also update the patch for osc.19:20
stevemarknikolla: you could add caching support to osc :P19:20
openstackgerritMerged openstack/keystone: Pass key_repository and max_active_keys to FernetUtils  https://review.openstack.org/35376219:20
openstackgerritMerged openstack/keystone: Add credential encryption exception  https://review.openstack.org/35449419:20
*** asettle has quit IRC19:21
ayoungdstanek what uis the least overhead, bestest way to run unit tests agaisnt our Keystone repo.  Specifically, I want to run only one test keystone.tests.test_v3_identity.IdentityTestCase.test_delete_user_and_check_role_assignment_fails19:21
knikollastevemar: for the k2k tokens? sure19:21
ayoungI have the py27 venv activated19:21
ayoungtestr?  some other tool?19:21
stevemarknikolla: osc lacks caching in general19:22
stevemar:(19:22
ayoungpython -m unittest  ?19:22
knikollastevemar: hmmmm ok. any pointers on the abstraction keystoneauth provides for caching?19:24
*** roxanaghe has quit IRC19:25
ayoungAh... old oslo-utils19:25
ayoungknikolla, Um I think caching is not done in auth19:26
ayoungit is done in the client19:26
ayounglook in the code repo, though19:26
*** edtubill has joined #openstack-keystone19:27
knikollaayoung: from the keystoneauth docs19:28
ayoungknikolla, read the code, not the docs19:28
knikolla~keystoneauth1.plugin.BaseAuthPlugin.get_token` is called to retrieve the string token from a plugin. It is intended that a plugin will cache a received token and so if the token is still valid then it should be re-used rather than fetching a new one.19:28
ayoungbut you should have learned by now that I lie19:28
*** edtubill has quit IRC19:28
ayoungknikolla, in that case, the auth plugin just maintains a pointer to the python object19:28
ayoungthat is what is meant by caching there, not something like memcache19:29
knikollaayoung: well, it didn't say it does cache. it said the plugin should. i assume it doesn't.19:29
*** gagehugo has joined #openstack-keystone19:29
ayoungknikolla, start here http://git.openstack.org/cgit/openstack/keystoneauth/tree/keystoneauth1/identity/base.py#n8919:30
*** edtubill has joined #openstack-keystone19:30
*** code-R has joined #openstack-keystone19:30
*** gagehugo has quit IRC19:30
ayoungknikolla, and know that it won't be called a :token: it will be an auth_ref19:31
ayoungor access_info19:31
knikollaayoung: thanks. i'll have a look.19:31
ayoungor whatever you want to call the wrapper around the data returned from the token...the token will be there, as a blob, somewhere ,too19:31
*** code-R_ has joined #openstack-keystone19:32
ayoungknikolla, for example, from the session19:32
ayounghttp://git.openstack.org/cgit/openstack/keystoneauth/tree/keystoneauth1/session.py#n74919:32
stevemarknikolla: honestly i'd bug jamielennox and dtroyer i think both of them have planned out the whole thing in their head, they just need time (or someone else) to implement it19:33
stevemarknikolla: want me to reach out to them for ya?19:33
*** tqtran has quit IRC19:34
knikollastevemar: sure. if they want to spec out something i can go ahead and implement it. and that would solve the osc case.19:34
knikollaayoung: thanks, i'll do a deep dive into keystonauth and see.19:34
ayoungUse the source!19:34
knikollaayoung: my main concern was securely caching tokens to service providers in a multitenant proxy.19:35
*** code-R has quit IRC19:35
ayoungstevemar, BTW, I am probably going to be pushing a Fernet key sync strategy using a technology called Custodia.  It is something our team has been developing for dealing with shared secrets.  At some level, I suspect it will look a lot like Barbican, but Barbican needs Keystone...chicken/egg19:36
ayoungknikolla, the more I parse that statement, the more scared I get.19:36
knikollaayoung: i kind of agree. but nova makes 4 successive calls to cinder to attach a volume. it would be preferable to not do SAML exchange to the remote service provider and token scoping 4 times to do a call to the remote cinder.19:38
*** manous has quit IRC19:40
dtroyerknikolla: are those nova calls from a long-running service or from a client that re-loads, like a CLI might?19:40
knikolladtroyer: the calls are from nova itself, but they go through a proxy. the proxy figures out in which service provider the volume/image is, gets a SAML assertion and a token for the remote cinder/glance and forwards the original request and the response back to the callee.19:42
dtroyerso the calls are stateless?  ie, you can't keep the Session object around long enough to maintain the auth_ref?19:43
knikolladtroyer: they are different calls from nova (is volume available, set attaching, set attached, etc), so they are stateless. the only thing they have in common is the x-auth-token and therefore user,project,etc.19:44
openstackgerritMerged openstack/keystone: Add support for rolling upgrades to keystone-manage  https://review.openstack.org/34971619:46
dtroyerso ya, you would have to do the caching of Session yourself, but that's really all you need to do, keep the Session around long enough to find it later, and have enough info to validate that you're not using the wrong one or that it has expired, which you'll get the first time19:46
*** tqtran has joined #openstack-keystone19:47
dtroyerthis essentially is what we'll do in OSC to cache auth between CLI invocations.  the hard part for us is securing the bits on disk; you can do it in memory so that should be easier19:47
*** hockeynut has joined #openstack-keystone19:48
knikolladtroyer: true. an in-memory structure would work in my case. as for osc, i'd like to help when you start working on it.19:49
dtroyergreat!  It'll definately be post-3.0, I've been saying Real Soon Now for far too ling, so I'm not going to say that now19:50
*** hockeynut has quit IRC19:53
knikolladtroyer: cool.19:53
*** gagehugo has joined #openstack-keystone19:53
*** hockeynut has joined #openstack-keystone19:54
*** su_zhang has joined #openstack-keystone19:55
bknudsonIs there a reason why "Loaded 2 encryption keys (max_active_keys=3) from: /etc/keystone/fernet-keys/" needs to be info?19:55
*** asettle has joined #openstack-keystone19:59
*** asettle has quit IRC19:59
*** tqtran has quit IRC19:59
openstackgerritLance Bragstad proposed openstack/keystone: Make KeyRepository shareable  https://review.openstack.org/35605320:01
openstackgerritLance Bragstad proposed openstack/keystone: Add conf to support credential encryption  https://review.openstack.org/35449520:01
openstackgerritLance Bragstad proposed openstack/keystone: Add key_hash column to credential table  https://review.openstack.org/35561820:01
openstackgerritLance Bragstad proposed openstack/keystone: Add create and update methods to credential Manager  https://review.openstack.org/35505620:01
openstackgerritLance Bragstad proposed openstack/keystone: Create a fernet credential provider  https://review.openstack.org/35449620:01
*** julim has quit IRC20:03
*** tqtran has joined #openstack-keystone20:05
*** edtubill has quit IRC20:07
*** slberger has quit IRC20:09
*** Trixboxer has quit IRC20:09
*** slberger has joined #openstack-keystone20:14
*** tqtran has quit IRC20:16
lbragstadsamueldmq added an explanation here - https://review.openstack.org/#/c/356053/120:19
patchbotlbragstad: patch 356053 - keystone - Make KeyRepository shareable20:19
lbragstadsamueldmq let me know if that makes sense20:19
openstackgerritLance Bragstad proposed openstack/keystone: Add conf to support credential encryption  https://review.openstack.org/35449520:20
openstackgerritBoris Bobrov proposed openstack/keystone: Add prepare_ldap command  https://review.openstack.org/34302820:22
openstackgerritLance Bragstad proposed openstack/keystone: Make KeyRepository shareable  https://review.openstack.org/35605320:26
openstackgerritLance Bragstad proposed openstack/keystone: Add key_hash column to credential table  https://review.openstack.org/35561820:26
openstackgerritLance Bragstad proposed openstack/keystone: Add create and update methods to credential Manager  https://review.openstack.org/35505620:26
openstackgerritLance Bragstad proposed openstack/keystone: Create a fernet credential provider  https://review.openstack.org/35449620:26
*** Trixboxer has joined #openstack-keystone20:26
stevemardolphm: your -1 in this patch was after it merged :( https://review.openstack.org/#/c/349716/1420:30
patchbotstevemar: patch 349716 - keystone - Add support for rolling upgrades to keystone-manage (MERGED)20:30
*** tqtran has joined #openstack-keystone20:31
*** tqtran has quit IRC20:34
stevemarhenrynash: thanks :)20:35
*** tqtran has joined #openstack-keystone20:42
*** roxanaghe has joined #openstack-keystone20:44
*** tqtran has quit IRC20:48
*** edtubill has joined #openstack-keystone20:52
samueldmqlbragstad: replied. I agree with you20:55
samueldmqlbragstad: but does not max_active_keys need to be put in the config_fixture? In this case at least for the fernet case?20:57
*** tonytan4ever has quit IRC20:59
*** raildo has quit IRC21:01
*** erhudy has quit IRC21:02
*** tqtran has joined #openstack-keystone21:07
*** mdurrant_ has joined #openstack-keystone21:09
*** pauloewerton has quit IRC21:12
*** mdurrant has quit IRC21:12
lbragstadsamueldmq it doesn't need to be in the config fixture - we will just make sure that when we do rotations we always set max_active_keys to 3 when dealing with credentials21:15
*** gyee has quit IRC21:20
*** edtubill has quit IRC21:20
*** gagehugo has quit IRC21:22
*** mvk has joined #openstack-keystone21:23
*** spzala_ has quit IRC21:23
*** spzala has joined #openstack-keystone21:23
*** gyee has joined #openstack-keystone21:23
*** ChanServ sets mode: +v gyee21:23
jamielennoxknikolla: from a keystoneauth perspective the docs are basically https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/plugin.py#L207-L25221:25
jamielennoxknikolla: the first gives you a static ID to use, then there's a get and set state function21:25
jamielennoxso get the ID for the plugin, check if state exists in your store under that plugin ID if so set it21:26
jamielennoxwhen finished get the state and update your store21:26
*** code-R_ has quit IRC21:26
*** rcernin has quit IRC21:27
knikollajamielennox: i see, thanks. that was really helpful.21:27
*** spzala has quit IRC21:28
jamielennoxknikolla: also you should only need this really for CLI, anything else where you use the same session it will do the right thing with reusing tokens21:28
knikollajamielennox: thats what i was planning to do. but eventually this stuff needs to be built for OSC, so it's good to know how it is expected to work.21:30
*** spedione is now known as spedione|AWAY21:37
*** tqtran has quit IRC21:37
*** tqtran has joined #openstack-keystone21:37
*** adriant has joined #openstack-keystone21:37
*** tqtran has quit IRC21:42
*** ravelar has quit IRC21:43
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Minimum password age requirements  https://review.openstack.org/34331421:47
*** roxanaghe has quit IRC21:50
*** tqtran has joined #openstack-keystone21:54
*** edmondsw has quit IRC21:58
*** tqtran has quit IRC21:59
*** spzala has joined #openstack-keystone22:00
*** michauds has quit IRC22:02
*** tqtran has joined #openstack-keystone22:10
*** chrichip has quit IRC22:13
lbragstadhmm - for some reason hints.add_filter('key', None) seems to be broken22:15
lbragstadif you're asking a backend for all entries where a specific key is None, it doesn't seem to work22:16
lbragstadyet - we seem to have places in keystone that use it https://github.com/openstack/keystone/blob/0b4f6ebdcc866388e1c6788f45f270414b45aeef/keystone/assignment/controllers.py#L43722:17
lbragstadand here - https://github.com/openstack/keystone/blob/0b4f6ebdcc866388e1c6788f45f270414b45aeef/keystone/tests/unit/test_backend_sql.py#L50622:18
*** tqtran has quit IRC22:20
*** gordc has quit IRC22:22
bknudsonmaybe it's different on sqlite than other dbs?22:24
*** tqtran has joined #openstack-keystone22:27
*** sdake has quit IRC22:27
*** sdake has joined #openstack-keystone22:28
*** tqtran has quit IRC22:36
*** roxanaghe has joined #openstack-keystone22:37
*** adrian_otto has quit IRC22:38
*** tqtran has joined #openstack-keystone22:39
*** tqtran has quit IRC22:43
*** thumpba has quit IRC22:46
*** thumpba has joined #openstack-keystone22:49
*** thumpba has quit IRC22:49
openstackgerritBoris Bobrov proposed openstack/keystone: Faster id mapping lookup  https://review.openstack.org/33929422:49
*** hockeynut has quit IRC22:55
*** chrichip has joined #openstack-keystone22:58
openstackgerrithenry-nash proposed openstack/keystone: Add expand, data migration and contract logic to keystone-manage  https://review.openstack.org/34993922:59
*** thumpba has joined #openstack-keystone22:59
*** spzala has quit IRC23:01
openstackgerrithenry-nash proposed openstack/keystone: Add expand, data migration and contract logic to keystone-manage  https://review.openstack.org/34993923:01
*** spzala has joined #openstack-keystone23:01
*** LamT_ has quit IRC23:01
*** ezpz has quit IRC23:03
*** asettle has joined #openstack-keystone23:05
*** tqtran has joined #openstack-keystone23:05
*** spzala has quit IRC23:06
*** chrichip has quit IRC23:07
*** asettle has quit IRC23:09
openstackgerrithenry-nash proposed openstack/keystone: Tidy up for late-breaking review comments on keystone-manage  https://review.openstack.org/35615823:10
openstackgerritColleen Murphy proposed openstack/keystone: Set default value for [saml]/idp_contact_surname  https://review.openstack.org/35616023:12
*** tqtran has quit IRC23:19
*** Gorian|work has quit IRC23:27
*** thumpba_ has joined #openstack-keystone23:37
*** thumpba has quit IRC23:39
*** shaleh has quit IRC23:39
*** tqtran has joined #openstack-keystone23:46
*** BjoernT has quit IRC23:47
*** tqtran has quit IRC23:51
*** tqtran has joined #openstack-keystone23:54
*** slberger has left #openstack-keystone23:56
« Monday, 2016-08-15 Index Wednesday, 2016-08-17 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!