Monday, 2016-08-29

00:10 <openstackgerrit> Adrian Turjak proposed openstack/keystone-specs: New TOTP contrib plugin for non-admin access to TOTP credentials  https://review.openstack.org/345705
00:12 <openstackgerrit> Adrian Turjak proposed openstack/keystone-specs: New TOTP contrib plugin for non-admin access to TOTP credentials  https://review.openstack.org/345705
00:12 *** chrisshattuck has quit IRC
00:24 *** ravelar has joined #openstack-keystone
00:47 *** adrian_otto has joined #openstack-keystone
00:50 *** adrian_otto has quit IRC
00:57 *** code-R has joined #openstack-keystone
01:10 *** serverascode has quit IRC
01:10 *** jraim has quit IRC
01:11 *** xenogear has quit IRC
01:11 *** ctracey has quit IRC
01:11 *** zhiyan has quit IRC
01:13 *** gagehugo has joined #openstack-keystone
01:19 *** ctracey has joined #openstack-keystone
01:20 *** davechen has joined #openstack-keystone
01:23 *** xiaoyang has joined #openstack-keystone
01:24 *** magic has joined #openstack-keystone
01:25 *** magic is now known as Guest47074
01:25 *** sdake_ has quit IRC
01:27 *** serverascode has joined #openstack-keystone
01:27 *** zhiyan has joined #openstack-keystone
01:28 *** xiaoyang has quit IRC
01:28 *** jraim has joined #openstack-keystone
01:28 *** Guest47074 has quit IRC
01:30 *** jamielennox is now known as jamielennox|away
01:30 *** sdake has joined #openstack-keystone
01:41 *** EinstCrazy has joined #openstack-keystone
01:42 *** EinstCrazy has quit IRC
01:42 *** EinstCrazy has joined #openstack-keystone
01:43 *** jamielennox|away is now known as jamielennox
01:47 *** wangqun has joined #openstack-keystone
01:57 *** chrisshattuck has joined #openstack-keystone
02:00 *** EinstCrazy has quit IRC
02:01 *** EinstCrazy has joined #openstack-keystone
02:02 *** su_zhang has joined #openstack-keystone
02:16 <stevemar> davechen: for the mapping schema update... what about linking to http://git.openstack.org/cgit/openstack/keystone/tree/keystone/federation/utils.py ?
02:17 *** EinstCrazy has quit IRC
02:18 *** EinstCrazy has joined #openstack-keystone
02:20 <davechen> stevemar: that's what I thought it should be, link to the file should be safer although that could be updated too.
02:20 <stevemar> true...
02:21 <stevemar> we could just remove the reference
02:21 <davechen> stevemar: agreed.
02:21 <stevemar> davechen: i'll make the change
02:21 <stevemar> i'll remove the sentence
02:21 <davechen> stevemar: thank you sir!
02:22 <openstackgerrit> Steve Martinelli proposed openstack/keystone: Update mapping schema in the docs.  https://review.openstack.org/361252
02:24 *** adrian_otto has joined #openstack-keystone
02:28 *** adrian_otto has quit IRC
02:29 <stevemar> davechen: ty!
02:30 <openstackgerrit> Dave Chen proposed openstack/keystone: The mapping schema is now super long and complex, and anyone interested in it can go to our code base and read about it, no need to track in the doc.  https://review.openstack.org/361252
02:31 <openstackgerrit> Dave Chen proposed openstack/keystone: Remove mapping schema from the doc  https://review.openstack.org/361252
02:32 <davechen> stevemar: just copy and paste your comments
02:32 <davechen> :)
02:32 *** ravelar has quit IRC
02:33 <openstackgerrit> Dave Chen proposed openstack/keystone: Remove mapping schema from the doc  https://review.openstack.org/361252
02:33 <davechen> dammnnn...
02:49 *** haplo37__ has quit IRC
02:51 <stevemar> :)
02:51 <stevemar> thanks davechen
02:58 *** code-R has quit IRC
03:11 *** rkrum has joined #openstack-keystone
03:20 *** su_zhang has quit IRC
03:20 *** su_zhang has joined #openstack-keystone
03:21 *** jamielennox is now known as jamielennox|away
03:24 *** su_zhang has quit IRC
03:27 *** markvoelker has joined #openstack-keystone
03:29 *** markvoelker_ has joined #openstack-keystone
03:33 *** markvoelker has quit IRC
03:38 *** adrian_otto has joined #openstack-keystone
03:38 *** code-R has joined #openstack-keystone
03:39 *** adrian_otto has quit IRC
03:41 *** chrisshattuck has quit IRC
03:45 *** code-R has quit IRC
03:45 *** aswadr_ has joined #openstack-keystone
03:46 *** code-R has joined #openstack-keystone
03:46 *** adrian_otto has joined #openstack-keystone
03:50 *** code-R has quit IRC
03:51 *** adrian_otto has quit IRC
03:52 <openstackgerrit> Merged openstack/keystone: [api] add relationship links to v3-ext  https://review.openstack.org/356485
03:52 *** adrian_otto has joined #openstack-keystone
03:53 *** markvoelker_ has quit IRC
03:54 *** markvoelker has joined #openstack-keystone
03:56 *** adrian_otto has quit IRC
03:56 *** jamielennox|away is now known as jamielennox
03:57 <openstackgerrit> Nam Nguyen Hoai proposed openstack/keystone: Fix formatting strings when using nultiple variables  https://review.openstack.org/361822
03:57 *** roxanaghe has joined #openstack-keystone
04:06 *** roxanaghe has quit IRC
04:12 *** chlong has quit IRC
04:13 *** tonytan4ever has quit IRC
04:19 *** roxanaghe has joined #openstack-keystone
04:25 *** chlong has joined #openstack-keystone
04:28 *** namnh has joined #openstack-keystone
04:33 *** sheel has joined #openstack-keystone
04:33 *** links has joined #openstack-keystone
04:38 <openstackgerrit> Nam Nguyen Hoai proposed openstack/keystone: Fix formatting strings when using nultiple variables  https://review.openstack.org/361822
04:44 *** code-R has joined #openstack-keystone
04:46 <openstackgerrit> Merged openstack/keystone: Remove mapping schema from the doc  https://review.openstack.org/361252
04:52 *** jaosorior has joined #openstack-keystone
04:52 *** xiaoyang has joined #openstack-keystone
04:53 <openstackgerrit> Nam Nguyen Hoai proposed openstack/keystone: Fix formatting strings when using multiple variables  https://review.openstack.org/361822
04:58 *** magic has joined #openstack-keystone
04:59 *** magic is now known as Guest98474
05:02 *** xiaoyang has quit IRC
05:10 *** sdake_ has joined #openstack-keystone
05:11 <breton> morning keystone
05:12 <dstanek> breton: ha, morning. just getting ready to go to sleep
05:13 *** sdake_ is now known as dake
05:13 *** sdake has quit IRC
05:13 *** dake is now known as sdake
05:13 *** tonytan4ever has joined #openstack-keystone
05:16 <openstackgerrit> Nam Nguyen Hoai proposed openstack/keystone: Fix formatting strings when using multiple variables  https://review.openstack.org/361822
05:17 <openstackgerrit> Merged openstack/keystone: Modify sql banned operations for each of the new repos  https://review.openstack.org/358723
05:17 *** code-R_ has joined #openstack-keystone
05:17 *** chrisshattuck has joined #openstack-keystone
05:17 *** adriant has quit IRC
05:18 *** tonytan4ever has quit IRC
05:20 *** code-R has quit IRC
05:25 *** chrisshattuck has quit IRC
05:26 *** sdake has quit IRC
05:31 *** chrisshattuck has joined #openstack-keystone
05:35 *** chrisshattuck has quit IRC
05:36 *** markvoelker has quit IRC
05:38 *** richm has quit IRC
05:39 *** roxanaghe has quit IRC
05:39 *** code-R_ has quit IRC
05:39 *** code-R has joined #openstack-keystone
05:56 *** adrian_otto has joined #openstack-keystone
06:04 *** adrian_otto has quit IRC
06:07 *** markvoelker has joined #openstack-keystone
06:11 *** markvoelker has quit IRC
06:12 *** code-R has quit IRC
06:13 *** code-R has joined #openstack-keystone
06:17 *** code-R has quit IRC
06:34 <openstackgerrit> Nam Nguyen Hoai proposed openstack/keystone: Fix formatting strings when using multiple variables  https://review.openstack.org/361882
06:36 *** roxanaghe has joined #openstack-keystone
06:36 *** markvoelker has joined #openstack-keystone
06:40 *** roxanaghe has quit IRC
06:41 *** markvoelker has quit IRC
06:47 *** rcernin has joined #openstack-keystone
07:00 *** pcaruana has joined #openstack-keystone
07:01 <openstackgerrit> Tuan Luong-Anh proposed openstack/keystone: Remove import unused  https://review.openstack.org/361890
07:01 *** tesseract- has joined #openstack-keystone
07:01 *** aswadr_ has quit IRC
07:06 *** markvoelker has joined #openstack-keystone
07:06 <openstackgerrit> Nam Nguyen Hoai proposed openstack/keystone: Fix formatting strings when using multiple variables  https://review.openstack.org/361895
07:12 *** markvoelker has quit IRC
07:13 *** jpena|off is now known as jpena
07:29 *** code-R has joined #openstack-keystone
07:34 *** EinstCrazy has quit IRC
07:35 *** EinstCrazy has joined #openstack-keystone
07:35 *** rkrum has quit IRC
07:36 *** markvoelker has joined #openstack-keystone
07:37 *** Guest98474 has quit IRC
07:38 *** xiaoyang has joined #openstack-keystone
07:41 *** markvoelker has quit IRC
07:42 *** xiaoyang has quit IRC
07:42 *** xiaoyang has joined #openstack-keystone
07:45 *** code-R_ has joined #openstack-keystone
07:48 *** code-R has quit IRC
07:50 *** EinstCra_ has joined #openstack-keystone
07:51 <openstackgerrit> Tuan Luong-Anh proposed openstack/keystone: Remove import unused  https://review.openstack.org/361890
07:53 *** EinstCrazy has quit IRC
08:00 *** zzzeek has quit IRC
08:01 *** zzzeek has joined #openstack-keystone
08:02 *** code-R_ has quit IRC
08:02 *** code-R has joined #openstack-keystone
08:05 *** markvoelker has joined #openstack-keystone
08:06 *** links has quit IRC
08:10 <openstackgerrit> Davanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c  https://review.openstack.org/318435
08:10 *** markvoelker has quit IRC
08:14 *** marekd2 has joined #openstack-keystone
08:24 *** roxanaghe has joined #openstack-keystone
08:29 *** roxanaghe has quit IRC
08:33 *** markvoelker has joined #openstack-keystone
08:34 *** code-R has quit IRC
08:38 *** markvoelker has quit IRC
08:40 *** marekd2 has quit IRC
08:44 *** tonytan4ever has joined #openstack-keystone
08:49 *** tonytan4ever has quit IRC
09:03 *** markvoelker has joined #openstack-keystone
09:03 <openstackgerrit> Anh Tran proposed openstack/keystone: Add Response Example for 'Update credential' API  https://review.openstack.org/361954
09:07 *** markvoelker has quit IRC
09:18 <openstackgerrit> Anh Tran proposed openstack/keystone: Add Response Example for 'Passwd auth with unscoped authorization'  https://review.openstack.org/361960
09:21 <openstackgerrit> Anh Tran proposed openstack/keystone: Add Response Example for 'Passwd auth with unscoped authorization'  https://review.openstack.org/361960
09:30 *** guoshan has joined #openstack-keystone
09:31 *** markvoelker has joined #openstack-keystone
09:35 *** flaper87 has quit IRC
09:35 *** markvoelker has quit IRC
09:37 *** code-R has joined #openstack-keystone
09:39 *** code-R_ has joined #openstack-keystone
09:42 *** code-R has quit IRC
09:42 *** rkrum has joined #openstack-keystone
09:45 <openstackgerrit> Anh Tran proposed openstack/keystone: Fix wrong response codes in 'groups' APIs.  https://review.openstack.org/361973
09:47 *** rkrum has quit IRC
09:48 <openstackgerrit> Anh Tran proposed openstack/keystone: Add Response Example for 'Create credential' API  https://review.openstack.org/361954
09:53 *** flaper87 has joined #openstack-keystone
09:54 *** flaper87 has quit IRC
09:54 *** flaper87 has joined #openstack-keystone
09:56 *** zigo_ is now known as zigo
10:00 *** markvoelker has joined #openstack-keystone
10:05 *** markvoelker has quit IRC
10:07 *** namnh has quit IRC
10:12 *** richm has joined #openstack-keystone
10:12 *** roxanaghe has joined #openstack-keystone
10:17 *** roxanaghe has quit IRC
10:26 *** guoshan has quit IRC
10:26 *** guoshan has joined #openstack-keystone
10:28 *** markvoelker has joined #openstack-keystone
10:28 *** amakarov_away is now known as amakarov
10:32 *** markvoelker has quit IRC
10:43 *** code-R_ has quit IRC
10:44 *** guoshan has quit IRC
10:44 *** code-R has joined #openstack-keystone
10:44 *** wangqun has quit IRC
10:45 *** tonytan4ever has joined #openstack-keystone
10:47 *** _sigmavirus24 is now known as sigmavirus
10:47 *** sigmavirus has joined #openstack-keystone
10:49 *** tonytan4ever has quit IRC
10:56 <openstackgerrit> Alexander Makarov proposed openstack/keystone: Move dependency-related trust logic to manager  https://review.openstack.org/360735
10:59 *** markvoelker has joined #openstack-keystone
11:03 *** markvoelker has quit IRC
11:11 *** EinstCra_ has quit IRC
11:13 *** rodrigods has quit IRC
11:13 *** rodrigods has joined #openstack-keystone
11:25 <dstanek> good morning keystone!
11:28 *** markvoelker has joined #openstack-keystone
11:29 <dstanek> breton: one last issue with caching that i need to figure out. i think it's a gate only issue.
11:32 *** markvoelker has quit IRC
11:39 <samueldmq> morning
11:55 *** code-R_ has joined #openstack-keystone
11:56 *** code-R has quit IRC
11:57 *** markvoelker has joined #openstack-keystone
11:58 *** jpena is now known as jpena|lunch
11:58 *** code-R has joined #openstack-keystone
11:58 *** raildo has joined #openstack-keystone
12:01 *** code-R_ has quit IRC
12:01 *** markvoelker has quit IRC
12:02 *** jaosorior has quit IRC
12:03 *** jaosorior has joined #openstack-keystone
12:08 *** aswadr_ has joined #openstack-keystone
12:26 *** markvoelker has joined #openstack-keystone
12:26 *** magic has joined #openstack-keystone
12:26 *** magic is now known as Guest94048
12:28 *** xiaoyang has quit IRC
12:28 *** xiaoyang has joined #openstack-keystone
12:30 *** markvoelker has quit IRC
12:31 *** Guest94048 has quit IRC
12:32 <breton> dstanek: awesome
12:54 *** Ephur has joined #openstack-keystone
12:56 *** markvoelker has joined #openstack-keystone
13:00 *** markvoelker has quit IRC
13:02 *** eandersson__ has quit IRC
13:02 *** pcaruana has quit IRC
13:03 *** sdake has joined #openstack-keystone
13:03 *** roxanaghe has joined #openstack-keystone
13:04 *** jpena|lunch is now known as jpena
13:06 *** tonytan4ever has joined #openstack-keystone
13:06 *** daemontool has joined #openstack-keystone
13:06 *** markvoelker has joined #openstack-keystone
13:07 *** markvoelker_ has joined #openstack-keystone
13:08 *** roxanaghe has quit IRC
13:08 *** raildo has quit IRC
13:10 *** markvoelker_ has quit IRC
13:10 *** markvoelker has quit IRC
13:10 *** markvoelker_ has joined #openstack-keystone
13:11 *** markvoelker has joined #openstack-keystone
13:12 <rderose> rodrigods: left comments for https://review.openstack.org/#/c/360757/ and https://review.openstack.org/#/c/360737/
13:12 <rderose> rodrigods: let me know if it makes sense
13:13 *** markvoelker_ has quit IRC
13:13 <rderose> davechen: left comment for https://review.openstack.org/#/c/360737/, but I'm not sure I'm getting your concern
13:13 <openstackgerrit> Mikhail Nikolaenko proposed openstack/python-keystoneclient: Fix missing service_catalog parameter in Client object  https://review.openstack.org/339150
13:13 <rderose> davechen: take a look at my last comment and let me know
13:17 *** pcaruana has joined #openstack-keystone
13:18 *** EinstCrazy has joined #openstack-keystone
13:20 *** erhudy has joined #openstack-keystone
13:23 *** sdake_ has joined #openstack-keystone
13:25 *** sdake has quit IRC
13:26 *** BjoernT has joined #openstack-keystone
13:29 <openstackgerrit> Alexander Makarov proposed openstack/keystone: Move dependency-related trust logic to manager  https://review.openstack.org/360735
13:30 <openstackgerrit> Dolph Mathews proposed openstack/keystone: Add a feature support matrix for identity sources  https://review.openstack.org/362113
13:30 *** markvoelker has quit IRC
13:33 *** hoonetorg has quit IRC
13:39 <openstackgerrit> Lance Bragstad proposed openstack/keystone: Add credential setup command  https://review.openstack.org/362122
13:40 *** raildo has joined #openstack-keystone
13:44 *** sc68cal_ is now known as sc68cal
13:45 *** su_zhang has joined #openstack-keystone
13:46 <openstackgerrit> Dolph Mathews proposed openstack/keystone: Add a feature support matrix for identity sources  https://review.openstack.org/362113
13:47 *** ayoung has joined #openstack-keystone
13:47 *** ChanServ sets mode: +v ayoung
13:50 *** woodburn has joined #openstack-keystone
13:50 *** sdake_ has quit IRC
13:51 *** sdake has joined #openstack-keystone
13:54 *** woodster_ has joined #openstack-keystone
13:55 <openstackgerrit> Lance Bragstad proposed openstack/keystone: Add credential setup command  https://review.openstack.org/362122
13:55 <openstackgerrit> Lance Bragstad proposed openstack/keystone: Implement encryption of credentials at rest  https://review.openstack.org/355618
13:55 *** pcaruana has quit IRC
13:57 *** markvoelker has joined #openstack-keystone
13:57 *** Ephur has quit IRC
14:01 *** markvoelker has quit IRC
14:06 <stevemar> dstanek: mornin!
14:07 <dstanek> stevemar: morning... it would be a good one if i could reproduce a gate issue :-)
14:07 *** lmiccini has quit IRC
14:07 <stevemar> :(
14:08 *** davechen has left #openstack-keystone
14:09 *** pcaruana has joined #openstack-keystone
14:12 *** iurygregory has joined #openstack-keystone
14:14 *** lmiccini has joined #openstack-keystone
14:18 *** adrian_otto has joined #openstack-keystone
14:18 <openstackgerrit> Lance Bragstad proposed openstack/keystone: Document credential encryption  https://review.openstack.org/354497
14:18 *** spzala has joined #openstack-keystone
14:25 *** jaosorior is now known as jaosorior_away
14:25 *** ravelar has joined #openstack-keystone
14:25 *** rkrum has joined #openstack-keystone
14:34 *** clenimar has joined #openstack-keystone
14:35 *** Ephur has joined #openstack-keystone
14:35 <openstackgerrit> Alexander Makarov proposed openstack/keystone: Move dependency-related trust logic to manager  https://review.openstack.org/360735
14:35 <rodrigods> rderose, cool
14:36 *** browne has joined #openstack-keystone
14:36 *** sheel has quit IRC
14:38 <rodrigods> rderose, how can I change my password if it gets "old" at the same time it expires?
14:38 <stevemar> lbragstad: so... credential encryption, how you feeling about it?
14:38 <rodrigods> rderose, (i
14:39 <rodrigods> rderose, (i'm not referring to the condition in the middle)
14:39 <rderose> rodrigods: the condition in the middle just checks if the settings are enabled
14:39 <rderose> rodrigods: value_when_true if condition else value_when_false
14:40 <rodrigods> rderose, i'm not talking about it
14:40 <rderose> :)
14:40 <rodrigods> i'm talking about the >=
14:40 <rodrigods> the "=" part
14:41 <rderose> ah, yeah, so min password age is equal to password expires, you'll never be able to change your password before it expires
14:41 <rderose> so doesn't make sense
14:41 *** asettle has joined #openstack-keystone
14:41 <rderose> should be less than password expires
14:42 <rderose> rodrigods: have to run, but will be back online in about an hour
14:42 <lbragstad> stevemar better after yesterday
14:42 <rodrigods> rderose, ahh the check fails if it returns True, right?
14:42 <rodrigods> was thinking the other way around
14:42 <lbragstad> stevemar want the run down?
14:42 *** tonytan_brb has joined #openstack-keystone
14:42 <stevemar> lbragstad: of course
14:43 <lbragstad> stevemar sweet - so you're already familiar with https://review.openstack.org/#/c/360667/5 - which makes testing the entire upgrade much easier
14:43 <lbragstad> then I broke https://review.openstack.org/#/c/362122/2 into its own patch because we need the ability for devstack to be able to setup a key repository
14:43 <stevemar> lbragstad: the gate is in good shape, so i'm no longer worried about that, but rather about general confidence in the code; a lot of eyes have seen it, so that is positive
14:44 <stevemar> ++ keep goin
14:44 <lbragstad> stevemar then we have https://review.openstack.org/#/c/361536/2 which adds that stuff to devstack
14:44 <lbragstad> so - https://review.openstack.org/#/c/361536/2 has a dependency on https://review.openstack.org/#/c/362122/2
14:45 <stevemar> lbragstad: make use of Depends-On in the commit msg
14:45 *** tonytan4ever has quit IRC
14:45 <lbragstad> and the main implementation, https://review.openstack.org/#/c/355618/31 has a dependency on https://review.openstack.org/#/c/361536/2
14:45 <lbragstad> stevemar already did
14:45 *** tonytan_brb is now known as tonytan4ever
14:46 <stevemar> ah, i see it now...
14:46 <lbragstad> stevemar make sense?
14:46 <stevemar> lbragstad: yeah, how do you feel about mike bayer's comments?
14:46 <dstanek> n/b 27
14:46 <stevemar> has anyone from the QA team looked at the devstack patch?
14:46 <lbragstad> stevemar not that I am aware of
14:46 <stevemar> (no)
14:47 <lbragstad> stevemar regarding zzzeek's comments - I completely agree with dropping the sqlite support
14:47 *** code-R has quit IRC
14:47 <lbragstad> just not sure how to get some of the tests to run without it
14:48 *** pauloewerton has joined #openstack-keystone
14:50 <lbragstad> stevemar dolphm had a comment on that here, too https://review.openstack.org/#/c/355618/26/keystone/common/sql/expand_repo/versions/002_add_key_hash_and_encrypted_blob_to_credential.py,unified
14:50 <stevemar> lbragstad: +2 for the split
14:50 <stevemar> lbragstad: and i added mtreinish and dtroyer to the devstack patch, hopefully they can take a peek
14:50 <lbragstad> stevemar thanks!
14:51 <stevemar> lbragstad: okay, you're in decent shape -- if it lands, it lands; but i'm okay with this thing missing the cut off
14:52 <stevemar> i think that was already the expectation that was set
14:52 *** eandersson has joined #openstack-keystone
14:52 <lbragstad> stevemar according to the failures I was seeing yesterday, the current series should pass
14:52 <stevemar> cool
14:52 <stevemar> lbragstad: i've seen the actual encryption part a long time ago, and that looked fine
14:52 <stevemar> just setting up all the other bits
14:53 <lbragstad> stevemar that and the rotation policy that is now enforced
14:53 *** su_zhang has quit IRC
14:53 <lbragstad> stevemar I'd love to have some more eyes on the rotation flow just to be sure
14:54 <stevemar> hmm
14:54 <stevemar> lbragstad: why is it enforced here? iirc it is not enforced with tokens?
14:55 *** asettle has quit IRC
14:55 <lbragstad> stevemar correct - with tokens if we over-rotate we provide a little bit of bad user-experience
14:55 <lbragstad> which is corrected by reauthenticating
14:55 <lbragstad> with encrypted credentials - if we over-rotate we will never be able to recover those credentials
14:56 <lbragstad> and the only way to fix it is to have the user delete the useless one and recreate it
14:56 <lbragstad> so - one way we can prevent that is to store the hash of the key that was used to encrypt the credential
14:57 <lbragstad> then when we go to rotate - we can ask the credential fernet provider for the hash of the current primary key and if any credentials have a key hash that doesn't match - we should abort because if we continue to rotate we are going to rotate out a key that is still needed to decrypt a credential
14:59 <lbragstad> if all credential key hashes match the hash of the current primary key, then we know we are good to do a rotation because there shouldn't be any credentials encrypted with that old key
15:00 *** slberger has joined #openstack-keystone
15:02 *** spedione is now known as chris_hultin
15:03 *** hockeynut has joined #openstack-keystone
15:07 *** daemontool has quit IRC
15:08 <lbragstad> ravelar did you have a review posted for your revocation event + sql work?
15:09 *** daemontool has joined #openstack-keystone
15:10 *** jaosorior_away is now known as jaosorior
15:15 *** michauds has joined #openstack-keystone
15:15 *** agrebennikov has joined #openstack-keystone
15:16 *** hoonetorg has joined #openstack-keystone
15:17 *** markvoelker has joined #openstack-keystone
15:17 <openstackgerrit> Dolph Mathews proposed openstack/keystone: Add a feature support matrix for identity sources  https://review.openstack.org/362113
15:18 *** sdake_ has joined #openstack-keystone
15:20 *** sdake has quit IRC
15:21 <openstackgerrit> Mikhail Nikolaenko proposed openstack/keystone: [WIP] Move fernet utils to backend  https://review.openstack.org/356499
15:21 <openstackgerrit> David Stanek proposed openstack/keystone: Distributed cache namespace to invalidate regions  https://review.openstack.org/349704
15:22 <openstackgerrit> Merged openstack/keystone: Add Response Example for 'Create credential' API  https://review.openstack.org/361954
15:23 *** rkrum has quit IRC
15:23 <openstackgerrit> Merged openstack/keystone: Fix formatting strings when using multiple variables  https://review.openstack.org/361822
15:24 *** sdake has joined #openstack-keystone
15:25 <stevemar> lbragstad: that sounds a little fragile
15:26 *** sdake_ has quit IRC
15:26 <stevemar> lbragstad: if a deployer sets things up incorrectly, it could all go to shit, no?
15:26 <lbragstad> stevemar which part?
15:26 <stevemar> lbragstad: "if we over-rotate we will never be able to recover those credentials"
15:27 <ravelar> lbragstad yes, since then though I have updated and haven't merged it yet.
15:28 <lbragstad> stevemar yeah - that's the tricky part
15:28 <dstanek> stevemar: yeah if they over rotate they will have to recover credentials from backup
15:28 <lbragstad> stevemar that's why we store a hash of the key that was used to encrypt the credential
15:28 <dstanek> stevemar: ideally they are using something to manage their keys
15:29 <lbragstad> stevemar but - that's also why we build a safeguard into keystone-manage credential-rotate
15:29 <openstackgerrit> Merged openstack/keystone: Add Response Example for 'Passwd auth with unscoped authorization'  https://review.openstack.org/361960
15:29 <openstackgerrit> Merged openstack/keystone: api-ref: Splitting status lines in API v3.  https://review.openstack.org/360264
15:29 *** browne has quit IRC
15:29 *** adrian_otto has quit IRC
15:32 <lbragstad> stevemar keystone-manage will abort if a credential key hash doesn't match the primary key hash - https://review.openstack.org/#/c/355618/31/keystone/cmd/cli.py
15:32 *** adrian_otto has joined #openstack-keystone
15:32 *** markvoelker has quit IRC
15:33 *** hockeynut has quit IRC
15:34 *** gyee has joined #openstack-keystone
15:35 *** adrian_otto has quit IRC
15:38 *** Ephur has quit IRC
15:39 <stevemar> lbragstad: i'll need to refamiliarise myself with the flow
15:39 <stevemar> lbragstad: haven't looked at it since the introduction of the key_hash
15:40 <lbragstad> stevemar ah - cool
15:40 <lbragstad> stevemar let me know if you want to walk through it on google + or something, if that makes it easier
15:40 <stevemar> dstanek: and yourself, just chasing down one last gate issue?
15:40 *** EinstCrazy has quit IRC
15:40 *** browne has joined #openstack-keystone
15:40 <openstackgerrit> Merged openstack/keystone: api-ref: Splitting status lines in API v3-ext.  https://review.openstack.org/360267
15:41 <stevemar> (wrt caching bug)
15:41 <lbragstad> dstanek i'm looking at your caching fix again
15:41 <stevemar> henrynash: o/
15:42 *** tesseract- has quit IRC
15:43 *** opilotte| has quit IRC
15:43 *** pcaruana has quit IRC
15:44 *** rcernin has quit IRC
15:46 *** ruoyu has joined #openstack-keystone
15:52 *** slberger has quit IRC
15:57 *** edtubill has joined #openstack-keystone
lbragstaddolphm here is an easy review for you based on a comment you had on a previous patch of mine - https://review.openstack.org/#/c/362220/115:57
dolphmlbragstad: why was it not passed in during validation before?15:59
*** su_zhang has joined #openstack-keystone15:59
lbragstaddolphm it looks like it was always injected later15:59
lbragstad(?)15:59
lbragstaddolphm almost like the entire token response was formatted - then the token id was populated as it went out the door15:59
lbragstadbut - the spot that wasn't passing it in has it in the token_ref - so I'm pulling it from there and passing it to v3_to_v2_token16:00
dolphmlbragstad: is that to support PKI or something, which doesn't have a token ID until everything else is ready?16:01
lbragstaddolphm i could see that being a possibility16:01
*** david-lyle_ is now known as david-lyle16:01
openstackgerritLance Bragstad proposed openstack/keystone: Implement encryption of credentials at rest  https://review.openstack.org/35561816:03
*** browne has quit IRC16:04
dstaneklbragstad: i just left some comments on your older review for credential encryption16:05
openstackgerritRichard Avelar proposed openstack/keystone: POC sql query revoked tokens  https://review.openstack.org/35937116:06
openstackgerritLance Bragstad proposed openstack/keystone: Document credential encryption  https://review.openstack.org/35449716:07
lbragstaddstanek sweet - thanks16:08
*** Ephur has joined #openstack-keystone16:08
dstaneklbragstad: it's easy to critized when your not doing the work16:09
lbragstaddstanek :)16:09
*** browne has joined #openstack-keystone16:09
dstaneklbragstad: have you seen this and its spec? https://review.openstack.org/#/c/356499/16:10
lbragstadbrowne thanks for the review on the credential encryption docs - comments have been addressed16:10
lbragstaddstanek just barely16:10
brownelbragstad: no problemo16:10
lbragstaddstanek it is forsure on my plate of things to review once the credential encryption work is done16:10
*** su_zhang has quit IRC16:11
lbragstaddstanek I believe I was the one who created the spec for that16:11
*** su_zhang has joined #openstack-keystone16:11
dstaneklol16:11
lbragstaddstanek https://github.com/openstack/keystone-specs/commit/82fde50122ae0ab3b5c795140f95ec2468a2f77716:12
*** mdurrant_ has quit IRC16:12
lbragstaddstanek that was something a few people talked to us about after the austin fernet talk16:12
lbragstaddstanek dolphm and I wanted to capture it in a backlogged spec so that we wouldn't lose it16:13
samueldmqlbragstad: cred encryption is also in my list to review16:14
lbragstadsamueldmq cool16:14
samueldmqlbragstad: I have been looking at the cache reviews16:14
samueldmqlbragstad: for credential, I was just not sure it was worth it to review as it is now16:14
lbragstadsamueldmq we have a few people keeping tabs on the credential encryption work16:14
samueldmqlbragstad: before tomorrow's discussion about triggers vs versionedobjects16:14
*** mdurrant has joined #openstack-keystone16:15
*** su_zhang has quit IRC16:15
stevemarsamueldmq: dolphm: dstanek lbragstad if you have a minute, i'd like to still get opinions on https://review.openstack.org/#/c/309146/16:16
samueldmqstevemar: I looked at that at the beggining, but I saw some concerns about it changing the behavior16:17
dstanekstevemar: sure16:17
samueldmqI didn't really get it, I will take another look16:17
samueldmq"The patch uses dogpile.cache internal functionality so some calls may look strange" :-)16:17
*** sdake has quit IRC16:19
lbragstadstevemar sorry - just saw your comment about the performance bot16:19
lbragstadstevemar i rekicked it16:19
lbragstadit should be running some new tests16:19
*** browne has quit IRC16:21
dstanekstevemar: lots of new invalidations there16:21
samueldmqstevemar: reviewed16:24
dstanekstevemar: performance bot seems to disagree with amakarov's timings16:29
samueldmqit's just improving for the first call16:29
samueldmqafter that it'd be cached anyways16:29
amakarovsamueldmq, ++16:29
amakarovand single validation right after issue is a very common use case16:30
*** sdake has joined #openstack-keystone16:30
samueldmqmy point (and I guess haneef's too) is about if it is worth it to add more logic there just for that16:30
samueldmqif we want to do that, I am okay if we don't try to cache v2 validation when issuing v3 tokens (and vice-versa) to not make the code very confusing16:31
samueldmqamakarov: I left a review there16:31
*** atod has joined #openstack-keystone16:32
dstanekalso what is the probabiltity that any of the events that now need to clear the cache will happen?16:32
samueldmqdstanek: amakarov: performance bot talks about the mean, so that specific review won't show up as something significant in those tests16:32
amakarovsamueldmq, the result depends on scenario: if performance bot validates the same token N times, then mean will be the same16:34
amakarovMy script does 1 validation per 1 issue16:34
dstanekoh man, i suck at life16:34
amakarovso the difference can be seen16:35
samueldmqamakarov: where are your results ?16:35
amakarovsamueldmq, it the patch comments a bit above yours16:36
amakarovsamueldmq, dstanek: https://gist.github.com/x-eye/8d2fc75f027b7e222284112787c8b13f16:37
amakarovthat's the scenario16:37
amakarovrun it as root on devstack16:37
samueldmqamakarov: I don't have a devstack up right now16:37
samueldmqamakarov: do you have some results ?16:38
*** ruoyu has quit IRC16:38
amakarovsamueldmq, yes - in the patch comment @25. Aug 22:2316:38
*** Guest35918 is now known as mgagne16:39
*** mgagne has quit IRC16:39
*** mgagne has joined #openstack-keystone16:39
*** ddieterly has joined #openstack-keystone16:39
samueldmqamakarov: what the time unit there ?16:40
amakarova second16:40
samueldmqamakarov: seconds ?16:40
samueldmqok16:40
samueldmqamakarov: so it is, on average, 27 milliseconds faster in the first validation?16:42
samueldmqbut now it is also 11 milliseconds slower for token generation16:42
amakarovsamueldmq, yes. In idle environment.16:43
samueldmqso at the end, on average, we gain 16 milliseconds per issue/1st validate16:43
samueldmqamakarov: is that really worth it ?16:43
*** chrisshattuck has joined #openstack-keystone16:44
samueldmqthe callbacks there will also have milliseconds added, because of the invalidation calls16:44
samueldmqand in terms of code, it's harder to maintain?16:45
samueldmqoh way, we are talking about a dozen milliseconds ...16:45
amakarovsamueldmq, on our scale lab when we modelled peak loads token validation was the bottleneck, so I think it's needed.16:45
samueldmqamakarov: so I think we need the numbers, it seems like most of the reviewers are not convinced it is worth it16:46
samueldmqat least with the numbers you provided so far16:46
amakarovsamueldmq, ok, got it16:46
samueldmqalso, if your scale lab is doing the same test as you are (1 issue for 1 validation), does that represent the real world ?16:46
lbragstaddstanek responded to your comments on the credential encryption patch16:48
*** slberger has joined #openstack-keystone16:48
amakarovsamueldmq, that's most common use in real-life envs (from our guys working with customers)16:49
samueldmqamakarov: 1 token for a single request ?16:50
samueldmqok16:50
amakarovsamueldmq, usually it looks like an equal number of issues/validations in the logs :)16:51
amakarovnot precisely equal of course16:51
samueldmqthat seems odd to me, I am not sure assuming 1 token is almost all the times used a single time is a good thing16:52
samueldmqand if that is really happening, maybe there is something else wrong with how tokens are used16:52
samueldmqamakarov: I am not very experienced in production, I am just sharing my thoughts on how I would expected things to work16:53
*** ddieterly is now known as ddieterly[away]16:55
amakarovsamueldmq, you may be interested in how keystone client authN/Z using token: iirc it issues a new one - does not reuse the old16:55
samueldmqamakarov: with sessions ?16:57
amakarovsamueldmq, so when a service needs to work with another one, is re-auth even having a token16:57
*** tonytan4ever has quit IRC16:57
amakarovs/is/it/16:57
samueldmqok, if we have designed our official clients to use 1 token per request16:57
samueldmqI don't know why we talk about revocation timeout, etc16:58
*** tonytan4ever has joined #openstack-keystone16:58
amakarovsamueldmq, to prevent that re-auth :)16:58
samueldmqok, so if it is what our client does (re-auth for every request) and that is the real case in production16:59
samueldmqI am quite impressed16:59
*** jaosorior has quit IRC17:00
dstanekthat seems like a problem worth fixing17:00
amakarovsamueldmq, the logic is simple: service gets called for some action - it needs some other service to do something - it auth using given token, gets a new one from keystone and uses it to call the next service in chain17:00
*** atod has quit IRC17:00
amakarovmaybe now it's different, but I was approached several times with the issue that a trust token doesn't work, and that re-auth was the reason17:01
*** tonytan4ever has quit IRC17:01
amakarovdstanek, it's expected: re-auth cannot exchange trust scoped token for a regular one17:02
openstackgerritLance Bragstad proposed openstack/keystone: Implement encryption of credentials at rest  https://review.openstack.org/35561817:02
amakarovdstanek, the fix for that is unified delegation I'm working on17:02
dstanekamakarov: the client should be able to cache tokens locally17:02
amakarovdstanek, no problem - let him cache it17:03
samueldmqdstanek: and re-use them17:03
openstackgerritLance Bragstad proposed openstack/keystone: Document credential encryption  https://review.openstack.org/35449717:03
openstackgerritMikhail Nikolaenko proposed openstack/keystone: Add manager and base interface for fernet key store  https://review.openstack.org/36228317:03
samueldmqhaving 1 token per request seems insane17:03
*** chrisshattuck has quit IRC17:03
amakarovsamueldmq, funny thing is that the common re-usage pattern is re-auth using this token )17:03
*** chrisshattuck has joined #openstack-keystone17:03
*** ddieterly[away] is now known as ddieterly17:04
samueldmqamakarov: so it is not re-usage17:04
*** chrisshattuck has quit IRC17:04
samueldmqamakarov: so I have a keystone client17:05
amakarovsamueldmq, why? the token is re-used as auth credential17:05
samueldmqI have passed my creds and auth'ed in a session17:05
samueldmqamakarov: called user.list() and user.get() ; that used 1 new token for each17:05
*** browne has joined #openstack-keystone17:05
amakarovsamueldmq, the session itself can of course be re-used17:05
samueldmqsession is a client side object17:06
amakarovI'm talking about passing tokens around between services17:06
samueldmqthe important bit is requesting tokens excessively17:06
*** tonytan4ever has joined #openstack-keystone17:08
*** jpena is now known as jpena|off17:09
*** ddieterly is now known as ddieterly[away]17:11
samueldmqdstanek: only pep8 is failing now17:12
samueldmqdstanek: \o/17:12
samueldmqhttps://review.openstack.org/#/c/349704/17:13
*** slberger has quit IRC17:13
*** esp has joined #openstack-keystone17:16
lbragstadsamueldmq do we want to rebase https://review.openstack.org/#/c/345688/9 on ^^17:16
lbragstad?17:16
lbragstadsamueldmq that should fix some of the issues with the fernet default patch - right?17:16
*** slberger has joined #openstack-keystone17:16
samueldmqlbragstad: I did it already :-)17:17
lbragstadsamueldmq nice17:17
dstaneksamueldmq: oops, i thought i pushed that up already17:17
samueldmqlbragstad: just left a recheck17:17
samueldmqdstanek: ++17:17
openstackgerritDavid Stanek proposed openstack/keystone: Distributed cache namespace to invalidate regions  https://review.openstack.org/34970417:18
openstackgerritLance Bragstad proposed openstack/keystone: Make token_id a required parameter in v3_to_v2_token  https://review.openstack.org/36222017:18
amakarovsamueldmq, I've replied your comments17:19
dstaneksamueldmq: lbragstad: for that one i want to get confirmation from amakarov or breton that their issues are indeed fixed17:21
*** su_zhang has joined #openstack-keystone17:21
lbragstadsamueldmq did you rebase it or just recheck?17:24
samueldmqlbragstad: I just rechecked, I had rebased already17:26
samueldmqlbragstad: last week17:26
samueldmqamakarov: kk will look17:26
lbragstadsamueldmq it looks like it is still dependent on patch set 1117:26
samueldmqdstanek: yeah makes sense17:26
lbragstadof the cache fix17:26
openstackgerritLance Bragstad proposed openstack/keystone: Switch fernet to be the default token provider.  https://review.openstack.org/34568817:26
samueldmqlbragstad: Patch Set 9: Patch Set 8 was rebased17:26
openstackgerritAlexander Makarov proposed openstack/keystone: Move dependency-related trust logic to manager  https://review.openstack.org/36073517:27
samueldmqlbragstad: ah, so it rebases in a specific patch set17:27
samueldmqlbragstad: vs rebasing on the change17:27
samueldmqlbragstad: got it17:27
lbragstadsamueldmq yeah - i think patch set 9 was still pointing to patch set 11 from dstanek's patch17:27
samueldmqlbragstad: ++17:27
lbragstadsamueldmq so patch set 10 should be dependent on 14 now17:28
*** chrisshattuck has joined #openstack-keystone17:29
samueldmqlbragstad: 14 or 15 ? dstanek just uploaded 1517:29
lbragstadsamueldmq oops 1517:30
*** Gorian|work has joined #openstack-keystone17:32
*** Gorian|work has quit IRC17:32
*** maestropandy has joined #openstack-keystone17:39
*** maestropandy has left #openstack-keystone17:40
*** chrisshattuck has quit IRC17:42
*** tonytan4ever has quit IRC17:42
openstackgerritLance Bragstad proposed openstack/keystone: Make token_id a required parameter in v3_to_v2_token  https://review.openstack.org/36222017:44
*** chrisshattuck has joined #openstack-keystone17:45
*** markvoelker has joined #openstack-keystone17:53
*** chrisshattuck has quit IRC17:56
*** chrisshattuck has joined #openstack-keystone17:58
*** asettle has joined #openstack-keystone17:58
*** adrian_otto has joined #openstack-keystone18:01
*** tqtran has joined #openstack-keystone18:01
*** asettle has quit IRC18:03
*** mugsie_ is now known as mugsie18:05
*** markvoelker has quit IRC18:09
*** amakarov is now known as amakarov_away18:12
openstackgerritSteve Martinelli proposed openstack/keystone: Fix wrong response codes in 'groups' APIs.  https://review.openstack.org/36197318:19
*** ddieterly[away] is now known as ddieterly18:19
*** su_zhang has quit IRC18:23
*** su_zhang has joined #openstack-keystone18:25
*** esp has quit IRC18:26
*** chrisshattuck has quit IRC18:28
samueldmqlbragstad: I have a comment in https://review.openstack.org/#/c/36222018:29
*** tonytan4ever has joined #openstack-keystone18:38
dstanekthanks for the love jenkins....you can go back to hating all the others now18:39
samueldmqdstanek: lol hehehe18:40
*** hockeynut has joined #openstack-keystone18:40
samueldmqdstanek: +2ed18:42
samueldmqdstanek: let's wait to check with breton and amakarov_away that works for them18:43
stevemardstanek: so how many different bugs does that fix? :)18:43
*** ddieterly is now known as ddieterly[away]18:46
*** esp has joined #openstack-keystone18:46
*** su_zhang has quit IRC18:46
samueldmqstevemar: well, the ones we are aware of .....18:47
samueldmq> a very large number18:47
samueldmq:-)18:47
*** ddieterly[away] is now known as ddieterly18:50
openstackgerritDolph Mathews proposed openstack/keystone: Add a feature support matrix for identity sources  https://review.openstack.org/36211318:56
*** edtubill has quit IRC19:01
lbragstadsamueldmq responded - https://review.openstack.org/#/c/349704/1519:15
*** zhugaoxiao has quit IRC19:16
samueldmqlbragstad: wrong link ?19:16
lbragstadsamueldmq yep - https://review.openstack.org/#/c/362220/319:16
lbragstad^ that one19:16
*** zhugaoxiao has joined #openstack-keystone19:16
samueldmqlbragstad: so you agree on keeping that as it was?19:17
lbragstadsamueldmq nope - i updated again19:17
samueldmqlbragstad: and changing to token_ref['id'] in a separate patch,17:17
lbragstadsamueldmq the original token_id that was in the log message was wrong and actually a bug19:17
samueldmqlbragstad: ok, you confused me !19:17
lbragstadbecause token_ref isn't a token reference formatted in the way of v219:18
samueldmqlbragstad: so the previous one was wrong ?19:18
lbragstadinstead it's a token reference from the token_model19:18
lbragstadsamueldmq yep19:18
samueldmqlbragstad: no tests for that then :/19:18
lbragstadthrew me for a loop too when I tried to pull it from the 'access' dictionary of token_ref originally19:18
samueldmqlbragstad: a followup could add a test then19:18
lbragstadsamueldmq that would have been an issue with logging19:19
lbragstadyeah19:19
samueldmqlbragstad: commented and approved19:21
lbragstadsamueldmq thanks19:23
lbragstadsamueldmq I was just looking at that method in the `except exception.ValidationError` part, and I don't actually see where that exception can possibly get raised within the calls of that method19:24
lbragstadsamueldmq which might explain why there were no tests for it!19:24
*** su_zhang has joined #openstack-keystone19:25
samueldmqlbragstad: so propose to remove the try:except clause19:26
lbragstadyep doing that now19:26
*** Ephur has quit IRC19:26
*** jdennis1 has quit IRC19:30
*** su_zhang has quit IRC19:31
*** ddieterly has quit IRC19:31
*** adrian_otto has quit IRC19:33
*** jdennis has joined #openstack-keystone19:33
*** slberger has quit IRC19:34
*** edtubill has joined #openstack-keystone19:45
*** sdake has quit IRC19:48
dolphmlbragstad: stevemar: are we going to be able to land this to devstack before we hit feature freeze? https://review.openstack.org/#/c/361536/19:48
lbragstaddolphm I'm hoping so - right now the only thing encrypted credentials trips on is something strange in grenade19:49
lbragstadi'm still investigating it19:49
dolphmlbragstad: define strong?19:49
dolphmstrange*19:49
lbragstaddolphm the patch to devstack configures keystone to point '[credential] key_repository` to /etc/keystone/credential-keys/19:50
*** slberger has joined #openstack-keystone19:50
dolphmlbragstad: is that not keystone's default anyway?19:50
lbragstaddolphm it is - but we do the same thing with fernet tokens19:50
lbragstadso I figured we'd be consistent/explicit?19:51
dolphmlbragstad: sure, that's to let people override it in devstack through devstack's config19:51
dolphmlbragstad: is that causing problems?19:51
*** aswadr_ has quit IRC19:51
* lbragstad dolphm I don't think so - but this is the problem http://logs.openstack.org/18/355618/33/check/gate-grenade-dsvm-neutron-ubuntu-trusty/b3446e3/logs/apache/keystone.txt.gz?level=ERROR19:51
bretonwow19:52
bretonyou merged it already!19:52
* breton is happy that https://review.openstack.org/349704 is merged19:52
lbragstaddolphm which causes http://logs.openstack.org/18/355618/33/check/gate-grenade-dsvm-neutron-ubuntu-trusty/b3446e3/console.html#_2016-08-29_17_43_31_65381519:52
*** markvoelker has joined #openstack-keystone19:52
dstanekbreton: well, it will soon. can you verify in your environment?19:53
lbragstaddolphm so I have a feeling figuring out why that error message happens will fix that test19:53
stevemarbreton: you and me both19:53
dolphmlbragstad: maybe you should put some more detail into that error message to make it easier to debug?19:53
bretondstanek: i will, but tomorrow, sorry19:54
lbragstaddolphm yeah - I can do that19:54
stevemardolphm: i am also concerned about landing the devstack patch for cred enc.19:54
openstackgerritDavid Stanek proposed openstack/keystone: Fixes small grammar mistake in docstring  https://review.openstack.org/36234819:54
lbragstaddolphm do you happen to know off the top of your head if devstack creates the fernet repository? Or does it just initialize it using `keystone-manage fernet_setup`?19:55
stevemardolphm: lbragstad my gut is saying to bump credential encryption to O, there are still too many parts to land :\19:55
lbragstadstevemar 4 patches - 3 in keystone and 1 in devstack19:56
stevemarlbragstad: yeah, the doc one can land during rc19:57
stevemarso 3 patches, 2 of which are OK by my eyes19:57
openstackgerritLance Bragstad proposed openstack/keystone: Remove unnecessary try/except from token provider  https://review.openstack.org/36235220:00
*** Ephur has joined #openstack-keystone20:01
dolphmlbragstad: it should create the directory20:01
lbragstaddolphm so this is grenade right...20:01
dolphmlbragstad: oh wait, fernet_setup will create the dir20:02
lbragstaddolphm i just thought of this - but i wonder if it is because grenade might not have the required tooling in place for our new migration process!20:02
dolphmlbragstad: what tooling?20:03
lbragstadwhich would mean that the credentials aren't migrated when the `keystone-manage db_sync --migrate` command is run20:03
lbragstadmm20:04
lbragstadactually - that might not be the case20:04
dolphmlbragstad: would grenade be specifying a specific version number to upgrade to?20:05
*** gus has quit IRC20:05
*** darrenc has quit IRC20:05
*** jhesketh has quit IRC20:05
lbragstaddolphm a specific version number for `keystone-manage db_sync`?20:05
lbragstadthat I'm not sure20:05
dolphmlbragstad: yes20:05
dolphmlbragstad: that would cause migrate not to run20:05
*** darrenc has joined #openstack-keystone20:07
openstackgerritDoug Hellmann proposed openstack/oslo.policy: Update reno for stable/newton  https://review.openstack.org/36237520:07
*** markvoelker has quit IRC20:08
*** slberger has quit IRC20:10
lbragstaddolphm so it fails creating a credential when it gets into the validate_key_repository method of keystone/common/fernet_utils.py20:11
*** roxanaghe has joined #openstack-keystone20:11
stevemari wonder where henrynash is, he didn't update any of his patches20:11
dolphmlbragstad: with a value or type error??20:11
dolphmstevemar: since when?20:11
*** jhesketh has joined #openstack-keystone20:12
dolphmstevemar: he's got revisions within the last business day :P20:12
stevemardolphm: really?20:13
stevemardolphm: he didn't update https://review.openstack.org/#/c/357789/20:13
stevemarsince 26th20:13
dolphmstevemar: that was friday20:13
lbragstaddolphm it doesn't look like validate_key_repository will raise a ValueError or a TypeError, instead it just logs the warning saying that the repository isn't valid... I think the TypeError/ValueError is coming from the usage of self.crypto.encrypt() because load_keys will just return an empty list (signifying that there are no keys in the repository)20:13
stevemardolphm: his monday was over 5 hours ago :P20:13
lbragstadso - even though the repository isn't valid, we will still attempt to use it to encrypt and decrypt things20:14
stevemarputting it out there, in case someone wants to post an alternate to https://review.openstack.org/#/c/357789/ -- rderose samueldmq ? :P20:14
dolphmhenrynash: you forgot to punch your time card for steve20:14
stevemardolphm: hehe20:15
*** gus has joined #openstack-keystone20:15
stevemardolphm: he set my expectation too high!20:15
dolphmlbragstad: does that method raise an exception or anything when things are invalid?20:15
dolphmlbragstad: otherwise, what's the point of running it?20:15
lbragstaddolphm validate_key_repository?20:15
dolphmlbragstad: yes20:15
lbragstaddolphm no - it doesn't20:15
lbragstadjust logs a warning20:15
dolphmlbragstad: what's it for20:16
dolphmlbragstad: sounds like it should be moved to doctor if it behaves that way20:16
lbragstaddolphm ++20:16
lbragstaddolphm well - it logs this Either [fernet_tokens] key_repository does not exist or Keystone does not have sufficient permission to access it: /etc/keystone/credential-keys/20:16
openstackgerritRon De Rose proposed openstack/keystone: Validate mapping exists when creating/updating a protocol  https://review.openstack.org/36239720:16
lbragstadbut it is checking to make sure the key repository is there and readable20:17
*** markvoelker has joined #openstack-keystone20:17
rderosestevemar: I can take this on20:18
rderosestevemar: but don't want to step on henrynash's toes (as the bug is assigned to him)20:18
*** tonytan_brb has joined #openstack-keystone20:18
*** su_zhang has joined #openstack-keystone20:19
stevemarrderose: post an alternate patch, you have my blessing :P20:19
rderose:)20:20
rderosestevemar: okay, I'm on it20:20
lbragstaddolphm bah!20:21
*** tonytan4ever has quit IRC20:21
dstanek#success I posted a review where the commit message was 40 times larger than the code diff!20:22
openstackstatusdstanek: Added success to Success page20:22
stevemardstanek: lol20:22
dstanek#winning20:22
*** slberger has joined #openstack-keystone20:23
lbragstaddolphm line 621 here should create the key repository https://review.openstack.org/#/c/362122/2/keystone/cmd/cli.py20:25
lbragstadlike you were saying20:25
openstackgerritDoug Hellmann proposed openstack/keystoneauth: Update reno for stable/newton  https://review.openstack.org/36241220:27
openstackgerritDoug Hellmann proposed openstack/keystonemiddleware: Update reno for stable/newton  https://review.openstack.org/36241420:27
henrynashstevemar: and today is a public holiday in the UK (and I'm not really here)20:35
*** spzala has quit IRC20:37
*** spzala has joined #openstack-keystone20:38
bknudsonWhat do you celebrate on "August Bank Holiday"?20:39
henrynashbknudson: the end of summer, the passing of sunshine into rain, the fading of the forbidden sun.....and the last holiday we get for (basically) the rest of the year!!20:40
*** spzala has quit IRC20:42
stevemarah20:42
*** spzala has joined #openstack-keystone20:44
* lbragstad leaves to go celebrate with henrynash 20:45
samueldmqstevemar: what would an alternative to that look like?20:45
stevemarlbragstad: good move20:46
lbragstadstevemar ;)20:46
henrynashlbragstad: I'll mix up the egg-nog right away20:46
stevemarsamueldmq: wait and see what rderose proposes20:46
samueldmqstevemar: ah OK, didnt know he was on it20:46
lbragstadhenrynash ++20:46
* stevemar leaves for a while20:46
stevemarsee you all in the evening20:46
lbragstadstevemar o/20:46
samueldmqrderose: is the alternative using versionedobjects?20:47
*** markvoelker has quit IRC20:48
*** sdake has joined #openstack-keystone20:52
rderosesamueldmq: no20:55
rderosesamueldmq: I just think it's creating another migration script that sets the default and runs an update script if sqlite20:55
lbragstaddolphm yeah - so here is the upgrade script for keystone in grenade20:56
lbragstadhttps://github.com/openstack-dev/grenade/blob/master/projects/10_keystone/upgrade.sh20:56
lbragstadi don't think we're running `keystone-manage credential_setup`20:57
lbragstadwe are on fresh devstack runs - but not the upgrade case with grenade20:57
*** su_zhang has quit IRC20:59
*** su_zhang has joined #openstack-keystone20:59
*** ravelar has quit IRC20:59
*** raildo has quit IRC20:59
openstackgerritMerged openstack/keystone: Make token_id a required parameter in v3_to_v2_token  https://review.openstack.org/36222021:02
openstackgerritMerged openstack/keystone: Fix wrong response codes in 'groups' APIs.  https://review.openstack.org/36197321:03
openstackgerritMerged openstack/keystone: Distributed cache namespace to invalidate regions  https://review.openstack.org/34970421:03
openstackgerritMerged openstack/keystone: Let upgrade tests control all 4 repositories at once  https://review.openstack.org/36066721:03
openstackgerritMerged openstack/keystone: Add credential setup command  https://review.openstack.org/36212221:04
*** hockeynut has quit IRC21:04
lbragstaddolphm actually - i think it is because grenade will *install* new services, but it won't re-init them, which is where our code is to create the credential key repository21:05
dolphmlbragstad: isn't there an exception process in grenade? "run this script to do extra work that is required"21:06
lbragstaddolphm yep - patching it now21:07
lbragstador, adding one for this release21:07
*** chris_hultin is now known as spedione|AWAY21:08
*** pauloewerton has quit IRC21:08
*** su_zhang has quit IRC21:10
*** su_zhang has joined #openstack-keystone21:10
*** daemontool has quit IRC21:11
*** daemontool has joined #openstack-keystone21:13
openstackgerritEric Brown proposed openstack/keystone: Add man page info for credential setup command  https://review.openstack.org/36245321:21
openstackgerritLance Bragstad proposed openstack/keystone: Document credential encryption  https://review.openstack.org/35449721:23
lbragstaddolphm stevemar so now https://review.openstack.org/#/c/355618/ is dependent on https://review.openstack.org/#/c/361536/ and https://review.openstack.org/#/c/362450/21:25
dolphmlbragstad: your implementation patch should have a release note documenting the same (or add it in a follow up, but get it into review)21:27
dolphmlbragstad: would be good to link to that release note (in review) in the devstack and grenade patches (which will make it easier for those projects to review things)21:28
*** Ephur has quit IRC21:29
openstackgerritEric Brown proposed openstack/keystone: Add man page info for credential setup command  https://review.openstack.org/36245321:29
dolphmlbragstad: let me know if you're posting any more revisions on 355618 today - i want to take one last review pass for the day21:29
lbragstaddolphm working on the release note now - I had one before but it got lost somewhere (nice catch!)21:30
openstackgerritEric Brown proposed openstack/keystone: Add man page info for credential setup command  https://review.openstack.org/36245321:32
*** sdake has quit IRC21:33
notmorganlbragstad: -1 on the encrypt credentials. please do not truncate the hash of the key without a solid comment on why 7 bits is sufficient/what prompted that pick21:33
notmorganlbragstad: there is no reason afaict to truncate the hash besides making it easier to collide.21:33
dolphmnotmorgan: renaming the column is necessary to maintain consistency during the rolling upgrade21:37
lbragstadnotmorgan updated with a comment21:37
dolphmnotmorgan: both columns are read independently by different releases at the same time21:37
notmorganoh right21:37
notmorganthat's fine then, was a nit-pick.21:37
notmorganthe hash length though...21:37
notmorgandon't truncate cryptographic data if you're using it as an identifier.21:38
dolphmnotmorgan: also, there's only 3 keys in play at once, so odds of 2 out of 3 random 7 bit strings colliding is much lower than 2 out of billions in play at once21:38
notmorgandolphm: i am still a strong -1 on that, because you could have more keys21:39
dolphmnotmorgan: it's hardcoded to max at 321:39
notmorgandolphm: and the cost of a few more bytes (really) is worth futureproofing.21:39
notmorganstill don't do that. it is bad practice to get into.21:40
*** edtubill has quit IRC21:40
dolphmnotmorgan: agree on practice21:40
notmorganwe shouldn't be encouraging saving a few bytes needlessly considering how much (even with 3 keys) it opens the door for colliding hashes. i will almost guarantee future looking more than 3 keys will be used.21:42
*** spzala has quit IRC21:45
openstackgerritMorgan Fainberg proposed openstack/keystone: WIP: Switch fernet to be the default token provider.  https://review.openstack.org/34568821:46
notmorganlbragstad: ^ added WIP to that because the commit message needs work before it can land.21:47
notmorganand clearly it's still not working "right" :P21:48
openstackgerritLance Bragstad proposed openstack/keystone: Document credential encryption  https://review.openstack.org/35449721:51
lbragstaddolphm release note^ '21:51
lbragstadnotmorgan cool - thanks21:52
*** BjoernT has quit IRC21:52
openstackgerritMerged openstack/keystone: Add a feature support matrix for identity sources  https://review.openstack.org/36211321:53
*** gagehugo has quit IRC21:57
*** gagehugo has joined #openstack-keystone21:57
*** hockeynut has joined #openstack-keystone21:59
*** gagehugo_ has joined #openstack-keystone22:01
*** ayoung has quit IRC22:07
openstackgerritLance Bragstad proposed openstack/keystone: Implement encryption of credentials at rest  https://review.openstack.org/35561822:08
openstackgerritLance Bragstad proposed openstack/keystone: Document credential encryption  https://review.openstack.org/35449722:08
lbragstaddolphm notmorgan ^22:09
notmorganlbragstad: my concerns look addressed; you may still want to index the hash column22:09
notmorganif you ever look up anything by that22:10
lbragstadnotmorgan sounds good - I gotta run but I'll tinker with that when I get back on tonight22:14
openstackgerritMonty Taylor proposed openstack/keystoneauth: Import TaskManager from shade/nodepool  https://review.openstack.org/36247322:17
openstackgerritMonty Taylor proposed openstack/keystoneauth: Use TaskManager for all request interactions  https://review.openstack.org/36247422:17
mordrednotmorgan: ^^22:17
mordrednotmorgan: merry christmas22:17
*** slberger has left #openstack-keystone22:17
*** chrichip has joined #openstack-keystone22:18
*** michauds has quit IRC22:23
*** chrichip has quit IRC22:25
bknudsonbrowne: are you using keystone with uwsgi?22:26
brownenope.  eventlet22:26
bknudsonbrowne: custom kernel?22:26
bknudsonwhat distro are you using?22:27
bknudsonthis issue with caching is not making any sense.22:27
brownenope, unmodified ubuntu stable/mitaka22:27
brownebknudson: it does seem concurrency related.  but i couldn't figure out how22:28
bknudsonI haven't been able to recreate with a single client.22:28
brownei actually assumed at first it was because we still used eventlet and not wsgi22:28
bknudsonHappens all the time when I have multiple clients.22:28
browneby clients, do you mean keystone instances?22:29
bknudsonno, test programs running concurrently22:29
brownecause we do have 2 keystones behind haproxy22:29
browneah22:29
brownewe immediately saw an issue with role caching in our ansible deployment playbooks22:30
browneso we turned off role caching.  but then under high load we saw caching problems everywhere (tokens, etc.)22:31
openstackgerritMonty Taylor proposed openstack/keystoneauth: Use TaskManager for all request interactions  https://review.openstack.org/36247422:34
bknudsonfor some reason I can't recreate this with devstack whereas it's easy with this arrrsula dev deploy in vagrant22:35
mordredbknudson: I blame vagrant22:35
bknudsoncould be!22:35
bknudsonvirtualbox22:35
bknudsonshould switch to docker!22:36
browneswitch to fusion ;)22:36
bknudsonif it solves this memcache issue I'd be willing to try just about anything22:37
brownebknudson: can you recreate with redis?22:38
bknudsongood question. Haven't tried that.22:39
bknudsondevstack doesn't use redis22:39
*** browne has quit IRC22:43
*** spzala has joined #openstack-keystone22:46
*** daemontool has quit IRC22:49
*** daemontool has joined #openstack-keystone22:50
*** spzala has quit IRC22:53
*** markvoelker has joined #openstack-keystone23:02
notmorganmordred: yay23:05
notmorganit's like christmas in august!23:05
notmorganmordred: also... ramen place was closed today (*sigh*) so no awesome ramen for lunch23:05
mordrednotmorgan: booo23:07
mordrednotmorgan: I chatted with jamielennox a smidge about it in #openstack-sdks23:08
jamielennoxnotmorgan, mordred: i put up some basic comments, i just need to figure out how it fits in to the non-nodepool cases23:10
notmorganjamielennox: fair enough.23:10
jamielennoxi'm a little concerned about the wait() in the standard case, but it looks ok23:10
*** agrebennikov has quit IRC23:10
mordredjamielennox: yah - in the non-nodepool case that doesn't actually wait23:10
jamielennoxand as per comment if we were going to make this generic i would like to remove the self._client from taskmanager and just make that a *args, **kwargs kind of deal23:11
mordredjamielennox: ansible modules use the passthrough there23:11
jamielennoxi don't know if they're Task() or run() parameters though23:11
mordredrun takes the client as the argument, which gets passed to self.main23:13
mordredit allows us to have one copy of a client and pass it to each thing ... shade/_tasks.py might give a better sense of how that's used ...23:13
mordredhttp://git.openstack.org/cgit/openstack-infra/shade/tree/shade/_tasks.py#n25 for instance23:13
jamielennoxyep, it's just weird to me that client is a run() argument and everything else is in self._args23:14
jamielennoxwhy is client different there?23:14
jamielennoxparticularly because client in this (all?) case is just session23:14
jamielennoxwhy not make it a part of self._args and remove the limitation of needing to pass only client to task23:15
mordredclient isn't session in the non-ksa case, it allows specifying the client once at TaskManager instantiation23:15
mordredrather than in every invocation of a Task23:15
mordredit's _totally_ unneeded for the case inside of ksa Session23:16
mordredbecause of the reason you mention :)23:16
mordredbut in, for instance, shade, where we have 183 different pre-defined Task objects, it's noise23:17
mordredalso - in nodepool, we use TaskManager to manage not-OpenStack API things23:17
mordredfor instance: http://git.openstack.org/cgit/openstack-infra/nodepool/tree/nodepool/jenkins_manager.py#n2723:18
*** ayoung has joined #openstack-keystone23:20
*** ChanServ sets mode: +v ayoung23:20
*** adu has joined #openstack-keystone23:23
*** rkrum has joined #openstack-keystone23:24
*** spzala has joined #openstack-keystone23:24
*** spzala has quit IRC23:25
*** spzala has joined #openstack-keystone23:25
*** martinus__ has quit IRC23:30
*** browne has joined #openstack-keystone23:31
*** gagehugo has quit IRC23:32
*** martinus__ has joined #openstack-keystone23:33
*** hockeynut has quit IRC23:39
*** martinus__ has quit IRC23:49
*** martinus__ has joined #openstack-keystone23:55
*** markvoelker has quit IRC23:58