Tuesday, 2016-08-30

*** woodster_ has quit IRC00:09
mordredjamielennox, notmorgan: I marked them WIP for now ... digging in to respond to jamielennox makes me think now isn't the right time to poke at this00:14
*** sdake has joined #openstack-keystone00:14
notmorganok00:14
notmorgani'll circle back on them then. didn't see much that stood out as "Wrong" beyond agreeing with some of jamielennox's comments00:14
*** spzala has quit IRC00:25
*** spzala has joined #openstack-keystone00:25
*** spzala has quit IRC00:30
*** browne has quit IRC00:30
openstackgerritRon De Rose proposed openstack/keystone: Fixes migration where password created_at is nullable  https://review.openstack.org/36250100:37
*** su_zhang has quit IRC00:48
*** su_zhang has joined #openstack-keystone00:48
*** su_zhang has quit IRC00:49
*** su_zhang has joined #openstack-keystone00:53
*** edtubill has joined #openstack-keystone00:57
*** su_zhang has quit IRC00:57
*** adu has quit IRC01:06
openstackgerritRon De Rose proposed openstack/keystone: Fixes migration issue where password created_at is nullable before fix  https://review.openstack.org/36251001:07
openstackgerritRon De Rose proposed openstack/keystone: Fixes migration where password created_at is nullable  https://review.openstack.org/36250101:11
openstackgerritRon De Rose proposed openstack/keystone: Fixes migration where password created_at is nullable before 105 fix  https://review.openstack.org/36251001:12
*** gyee has quit IRC01:14
*** sdake has quit IRC01:14
*** edtubill has quit IRC01:17
*** sdake has joined #openstack-keystone01:21
*** davechen has joined #openstack-keystone01:27
*** wangqun has joined #openstack-keystone01:32
*** EinstCrazy has joined #openstack-keystone01:38
*** code-R has joined #openstack-keystone01:40
*** code-R has quit IRC01:57
*** spzala has joined #openstack-keystone02:01
*** EinstCra_ has joined #openstack-keystone02:03
*** EinstCrazy has quit IRC02:06
*** spzala has quit IRC02:12
*** tqtran has quit IRC02:15
*** namnh has joined #openstack-keystone02:24
davechenrderose: Is it possible for password_expires_days or minimum_password_age be a negative value?02:25
rderosedavechen: no02:25
davechenrderose: when I read the 'If' block I think about the 'else' as well.02:26
rderosedavechen: well, else simply returns False02:26
davechenrderose: what does return false mean?02:27
davechenrderose: no symptom or warning message, right?02:27
rderoseexactly02:27
*** code-R has joined #openstack-keystone02:27
rderoseif true, return check else return False02:28
davechenrderose: so why check the condition that always true?02:28
*** EinstCrazy has joined #openstack-keystone02:28
*** code-R_ has joined #openstack-keystone02:30
rderose(min_age > 0 and expires > 0) is always true?02:30
davechenrderose: I think only the else could happen, it's necessary to be 'If' there.02:30
davechenhow it could be false?02:31
rderoseif min_age is 0 it could be false02:31
davechenwhat we do it's false?02:31
rderoseif the condition is False, such as min age is zero, then we return False02:31
rderoseit's essentially do this:02:32
rderoseif (both are enabled) return the symptom check02:32
*** EinstCra_ has quit IRC02:32
rderoseelse return false02:32
davechenwhy not just check if it is zero instead02:32
*** magic has joined #openstack-keystone02:32
*** magic is now known as Guest3343102:32
rderosebecause if I check if zero, then that means min_age is disabled and I only want to return the symptom check if both are enabled02:33
rderosedavechen: tell me what you would return02:33
*** code-R has quit IRC02:33
rderosejust code it up really quick02:33
rderoseI mean give me the return02:34
*** xiaoyang has quit IRC02:35
davechenyep, the min_age could be zero and this is also check the do that check, right?02:36
davechensorry, also need to do the check.02:36
davechenrderose: no need to toss up a review.02:37
rderosedavechen: sorry, not following... to check if enabled, I need to check that min_age and expires are both greater than zero02:37
rderosedavechen: it's okay, I'm just not getting what your concern is.  and I'm probably not explaining it very well.  anyway, let me know if you have an alternative or a suggestion on how to improve it02:39
*** jefrite has quit IRC02:39
rderosedavechen: I appreciate you reviewing it02:39
davechenThe only value that condition could be false is min_age is zero, I think.02:39
rderosebecause password_expires_days min is 1?02:40
davechenpassword_expires_days  always >= 1 and min_age is always >002:42
davechenthat is what you defined.02:42
rderosedavechen: actually password_expires_days could be None, which wouldn't be greater than zero02:42
davechenmin_age >=002:42
davechenI mean if they are enabled.02:43
rderoseand minimum_password_age default is 002:43
rderoseoh02:43
*** jefrite has joined #openstack-keystone02:43
rderosedavechen: correct! if enabled, both would be > 002:44
rderosedavechen: and if enabled, now check if min_age > password_expires02:44
rderose:)02:45
rderoseright?02:45
*** code-R_ has quit IRC02:46
davechenrderose: you beat me :)02:46
*** code-R has joined #openstack-keystone02:46
rderosedavechen: hahaha02:46
rderoseI think we are just going around in circles02:46
rderoseit's probably my fault ;)02:47
davechenrderose: so  i still think min_age > 0 and expires > 1 would be better.02:48
openstackgerritMerged openstack/keystone: Adds check that minimum password age is less than password expires days  https://review.openstack.org/36073702:48
davechenmin_age >= 0 and expires >= 102:50
rderosedavechen: true02:50
rderoseI was thinking that the password_expires_days default was zero (and probably should be)02:51
rderosedavechen: but it still will work02:51
davechenyes, i think so, just need think more about margin value.02:52
openstackgerritMerged openstack/keystone: Adds password regular expression checks to doctor  https://review.openstack.org/36075702:55
*** daemontool has quit IRC03:07
openstackgerritNam Nguyen Hoai proposed openstack/keystone: Fix formatting strings when using multiple variables  https://review.openstack.org/36188203:08
openstackgerritLance Bragstad proposed openstack/keystone: Implement encryption of credentials at rest  https://review.openstack.org/35561803:08
*** roxanagh_ has joined #openstack-keystone03:09
openstackgerritLance Bragstad proposed openstack/keystone: Document credential encryption  https://review.openstack.org/35449703:10
*** daemontool has joined #openstack-keystone03:11
*** tqtran has joined #openstack-keystone03:13
*** tqtran has quit IRC03:18
*** tonytan_brb has quit IRC03:21
*** code-R has quit IRC03:44
*** code-R_ has joined #openstack-keystone03:44
*** links has joined #openstack-keystone03:51
openstackgerritNam Nguyen Hoai proposed openstack/keystone: Fix formatting strings in LOG.debug  https://review.openstack.org/36189503:56
openstackgerritNam Nguyen Hoai proposed openstack/keystone: Fix formatting strings in LOG.warning  https://review.openstack.org/36188204:03
*** akrzos_ has quit IRC04:07
*** roxanag__ has joined #openstack-keystone04:08
*** roxanagh_ has quit IRC04:09
*** akrzos has joined #openstack-keystone04:09
*** code-R_ has quit IRC04:10
*** tonytan4ever has joined #openstack-keystone04:22
*** tonytan4ever has quit IRC04:26
*** code-R has joined #openstack-keystone04:30
*** jrist has quit IRC04:33
*** jrist has joined #openstack-keystone04:34
*** ntpttr- has quit IRC04:36
*** code-R_ has joined #openstack-keystone04:38
*** ntpttr- has joined #openstack-keystone04:40
*** code-R has quit IRC04:41
*** ntpttr- is now known as ntpttr04:41
*** ntpttr has quit IRC04:44
*** ayoung has quit IRC04:58
*** code-R_ has quit IRC05:03
*** code-R has joined #openstack-keystone05:03
*** jaosorior has joined #openstack-keystone05:10
openstackgerritUkesh Kumar proposed openstack/keystone: check for user existence, for role add to user  https://review.openstack.org/36260605:13
*** lifeless_ is now known as lifeless05:15
*** agrebennikov has joined #openstack-keystone05:32
*** code-R_ has joined #openstack-keystone05:34
*** code-R has quit IRC05:38
*** richm has quit IRC05:38
*** code-R_ has quit IRC05:40
*** code-R has joined #openstack-keystone05:41
*** sdake has quit IRC05:47
*** sdake has joined #openstack-keystone05:50
*** agrebennikov has quit IRC05:53
*** su_zhang has joined #openstack-keystone05:56
*** su_zhang has quit IRC06:13
*** akrzos has quit IRC06:13
*** su_zhang has joined #openstack-keystone06:14
*** akrzos has joined #openstack-keystone06:15
*** su_zhang has quit IRC06:18
*** rcernin has joined #openstack-keystone06:19
*** pcaruana has joined #openstack-keystone06:26
*** akanksha_ has joined #openstack-keystone06:27
*** akanksha_ has left #openstack-keystone06:28
*** sdake has quit IRC06:44
*** roxanag__ has quit IRC06:50
*** roxanagh_ has joined #openstack-keystone06:51
*** roxanagh_ has quit IRC06:56
*** tesseract- has joined #openstack-keystone07:07
*** sheel has joined #openstack-keystone07:08
*** jpena|off is now known as jpena07:12
*** tqtran has joined #openstack-keystone07:16
*** code-R has quit IRC07:18
*** tqtran has quit IRC07:20
*** rkrum has quit IRC07:21
*** roxanagh_ has joined #openstack-keystone07:52
*** code-R has joined #openstack-keystone07:55
*** roxanagh_ has quit IRC07:56
*** zzzeek has quit IRC08:00
*** lhinds_ has joined #openstack-keystone08:02
*** zzzeek has joined #openstack-keystone08:02
*** lhinds_ has left #openstack-keystone08:04
openstackgerritDavanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c  https://review.openstack.org/31843508:10
*** magic has joined #openstack-keystone08:18
*** magic is now known as Guest9997308:19
*** Guest33431 has quit IRC08:22
*** tonytan4ever has joined #openstack-keystone08:23
*** tonytan4ever has quit IRC08:28
*** markd_ has joined #openstack-keystone08:40
*** asettle has joined #openstack-keystone08:46
*** daemontool has quit IRC08:46
*** daemontool has joined #openstack-keystone08:49
*** code-R_ has joined #openstack-keystone09:00
*** links has quit IRC09:00
*** code-R has quit IRC09:03
*** jaosorior is now known as jaosorior_lunch09:08
*** links has joined #openstack-keystone09:16
*** joerch has joined #openstack-keystone09:29
*** roxanagh_ has joined #openstack-keystone09:40
*** jaosorior_lunch is now known as jaosorior09:42
*** roxanagh_ has quit IRC09:45
*** GB21 has joined #openstack-keystone10:03
samueldmqmorning10:04
*** wangqun has quit IRC10:08
*** daemontool has quit IRC10:09
*** daemontool has joined #openstack-keystone10:09
*** richm has joined #openstack-keystone10:12
bretono/10:22
*** tonytan4ever has joined #openstack-keystone10:24
*** tonytan4ever has quit IRC10:28
*** EinstCrazy has quit IRC10:31
*** EinstCrazy has joined #openstack-keystone10:31
*** EinstCrazy has quit IRC10:36
*** GB21 has quit IRC10:49
*** itisha has joined #openstack-keystone10:49
*** namnh has quit IRC10:49
*** GB21 has joined #openstack-keystone10:50
*** namnh has joined #openstack-keystone10:50
*** amakarov_away is now known as amakarov11:05
*** mdurrant_ has joined #openstack-keystone11:10
*** mdurrant has quit IRC11:13
*** tqtran has joined #openstack-keystone11:17
openstackgerritBoris Bobrov proposed openstack/keystone: Do not check that fernet keys exist on startup  https://review.openstack.org/36278511:19
*** tqtran has quit IRC11:22
marekda question: With Identity API V2 being deprecated, do we assume that services should use port 5000 while talking with keystone?11:22
marekdsamueldmq: breton ^^ any ideas?11:24
bretonmarekd: that's a long discussion and afaik there is no opinion we agreed on11:27
*** roxanagh_ has joined #openstack-keystone11:29
bretonmarekd: also stevemar was for 5000 some time ago. Also, in devstack keystone runs on 80.11:30
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation model  https://review.openstack.org/20848811:33
*** roxanagh_ has quit IRC11:33
*** asettle has quit IRC11:35
*** asettle has joined #openstack-keystone11:36
*** asettle has quit IRC11:51
*** namnh has quit IRC11:51
*** jpena is now known as jpena|lunch12:00
*** jaosorior has quit IRC12:04
*** namnh has joined #openstack-keystone12:04
*** jaosorior has joined #openstack-keystone12:04
*** namnh has quit IRC12:05
*** jaosorior has quit IRC12:11
*** jaosorior has joined #openstack-keystone12:12
*** afred312_ has joined #openstack-keystone12:12
*** tonytan4ever has joined #openstack-keystone12:13
openstackgerrithenry-nash proposed openstack/keystone: Update developer docs for new rolling upgrade repos  https://review.openstack.org/35938312:13
*** afred312 has quit IRC12:14
*** iurygregory has quit IRC12:15
*** clenimar has quit IRC12:15
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation assignment driver  https://review.openstack.org/29131812:24
openstackgerritAlexander Makarov proposed openstack/keystone: Move dependency-related trust logic to manager  https://review.openstack.org/36073512:24
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation trust driver  https://review.openstack.org/29187112:25
dstanekmarekd: breton: 443 using SSL would be ideal imo12:25
dstanekit looks like i just don't understand the cloud policy example12:26
dstanekwhat is admin_domain_id?12:27
dstanekjust whatever you want right?12:27
marekddstanek: breton even on mitaka?12:29
dstanekmarekd: i don't see why not12:30
marekddstanek: ok, thanks!12:31
bretondstanek: yes, you need to type it there manually12:31
*** su_zhang has joined #openstack-keystone12:31
bretondstanek: uuid of a domain12:31
dstanekbreton: yeah, that's what i thought. i must have something else wrong12:32
dstanekbreton: thanks for the confirmation12:32
*** adu has joined #openstack-keystone12:38
*** EinstCrazy has joined #openstack-keystone12:44
*** davechen has left #openstack-keystone12:47
henrynashdstanek: yes, so that was provided prior to us having the is_admin_project thing.....which in theory should be able to usurp the admin_domain_id requirement....although not sure if all the dots are joined up for is_admin_project (I think they are)12:49
bretonhenrynash: they are12:50
henrynashbreton: yep, excellent12:51
bretonhenrynash: could you please review https://review.openstack.org/#/c/339294/ ?12:52
henrynashbreton: sure12:52
bretonhenrynash: "Faster id mapping lookup"12:52
*** markvoelker has joined #openstack-keystone12:52
*** jpena|lunch is now known as jpena12:59
*** clenimar has joined #openstack-keystone13:00
*** iurygregory has joined #openstack-keystone13:00
*** guoshan has joined #openstack-keystone13:02
*** guoshan has quit IRC13:02
*** guoshan has joined #openstack-keystone13:03
*** guoshan has quit IRC13:03
*** GB21 has quit IRC13:04
*** guoshan has joined #openstack-keystone13:04
henrynashbreton: added a question on testing...but otherwise looks good.13:04
*** agrebennikov has joined #openstack-keystone13:05
*** agrebennikov has quit IRC13:06
*** su_zhang has quit IRC13:07
*** asettle has joined #openstack-keystone13:07
*** su_zhang has joined #openstack-keystone13:07
*** rodrigods has quit IRC13:09
*** rodrigods has joined #openstack-keystone13:09
*** david-lyle has quit IRC13:10
*** pauloewerton has joined #openstack-keystone13:10
*** su_zhang has quit IRC13:11
*** sfilatov has joined #openstack-keystone13:13
*** roxanagh_ has joined #openstack-keystone13:14
*** sheel has quit IRC13:16
*** markvoelker has quit IRC13:17
*** david-lyle has joined #openstack-keystone13:18
*** roxanagh_ has quit IRC13:19
*** sfilatov has quit IRC13:20
*** adu has quit IRC13:21
*** afaranha has joined #openstack-keystone13:21
*** GB21 has joined #openstack-keystone13:23
*** daemontool has quit IRC13:25
*** daemontool has joined #openstack-keystone13:27
*** raildo has joined #openstack-keystone13:28
*** EinstCrazy has quit IRC13:31
*** su_zhang has joined #openstack-keystone13:31
openstackgerritMikhail Nikolaenko proposed openstack/python-keystoneclient: Fix missing service_catalog parameter in Client object  https://review.openstack.org/33915013:37
rodrigodshenrynash, available time to revisit https://review.openstack.org/#/c/358770/ ?13:39
*** markvoelker has joined #openstack-keystone13:40
*** markvoelker has quit IRC13:45
*** woodburn has left #openstack-keystone13:46
*** afaranha has quit IRC13:47
*** daemontool has quit IRC13:49
*** daemontool has joined #openstack-keystone13:50
*** ayoung has joined #openstack-keystone13:52
*** ChanServ sets mode: +v ayoung13:52
henrynashrodigods: sure, will take a look shortly13:57
*** zzzeek has quit IRC14:00
rodrigodsthanks henrynash14:01
*** esp has quit IRC14:01
*** su_zhang has quit IRC14:03
*** zzzeek has joined #openstack-keystone14:03
*** hockeynut has joined #openstack-keystone14:03
*** su_zhang has joined #openstack-keystone14:04
*** zzzeek has quit IRC14:04
*** zzzeek has joined #openstack-keystone14:05
*** browne has joined #openstack-keystone14:07
*** sdake has joined #openstack-keystone14:08
*** su_zhang has quit IRC14:08
openstackgerritRon De Rose proposed openstack/keystone: Fixes migration where password created_at is nullable  https://review.openstack.org/36250114:11
*** woodburn has joined #openstack-keystone14:11
*** sdake_ has joined #openstack-keystone14:12
*** sdake has quit IRC14:13
openstackgerritRon De Rose proposed openstack/keystone: Fixes migration where password created_at is nullable before 105 fix  https://review.openstack.org/36251014:13
lbragstaddstanek dolphm did we ever figure out what we wanted to do about notification payloads? I remember we were talking about adding more stuff to them for a while there14:16
lbragstadimplementing soft deletes was another option14:16
lbragstadfor solving the same problem14:17
dolphmlbragstad: are you blocked by that issue / do you need a solution right now?14:17
lbragstaddolphm no not at all... I was just looking at one of my stale reviews14:17
dolphmhenrynash: breton: does that mean we should be able to more easily switch to the new default policy file soon?14:18
openstackgerritRon De Rose proposed openstack/keystone: Fixes migration where password created_at is nullable before 105 fix  https://review.openstack.org/36251014:18
dolphmhenrynash: i just noticed the Partial-Bug on this one - what's missing? https://review.openstack.org/#/c/358723/14:19
henrynashdolphm: don't support (checking for) update, indexes or trigger14:20
dolphmhenrynash: ah, triggers will be particularly hard (if not impossible) to test for14:20
dolphmhenrynash: indexes might be doable? and we can't add update without dropping support for sqlite, right?14:20
henrynashdolphm: yeah, agreed, not sure how to do that14:21
dolphmhenrynash: sounds like i should be filing 3 more bugs then :)14:21
henrynashdolphm: I think update is an issue across all DBs, since when they change the migration version, you get an update!14:21
dolphmhenrynash: is that detected by those tests?14:22
henrynashdolphm: so the migration version update would trigger the banned check (which is why we don't check for update right now)14:22
dolphmhenrynash: ooh14:22
dolphmhenrynash: is there a complication with indexes?14:23
henrynashdolphm: really need to do something like "inspect the table being updated and if its the migration version then let it go through"....but not sure we can really do that with the current monkeypatching approach14:23
henrynashdolphm: I have not checked for indexes yet14:24
henrynashdolphm: so don't know how easy/hard that is14:24
dolphmhmm, k14:24
dolphmhenrynash: aaand last question i wanted to pester you with - did you see my comment on https://review.openstack.org/#/c/357789/ ?14:25
*** spedione|AWAY is now known as spedione14:26
henrynashdolphm: so I think rderose was re-writing this patch entirely (at least that was my understanding as of yesterday)....although interested to understand what is "simpler" about master now?14:28
*** daemontool has quit IRC14:28
*** daemontool has joined #openstack-keystone14:28
rderosehenrynash dolphm: yeah, stevemar asked me to do an alternative patch to fix the password created_at issue based on Michael Bayer's comments14:29
dolphmhenrynash: i landed a patch to master that allows the sql upgrade test module to control all 4 repositories at once, which A) means you can write a single test that covers each step of the 3 phase rolling upgrade, and B) means that we can test edge cases, like things running out of order, etc14:29
henrynashdolphm: ah, right, that patch...Ok, understand yes14:30
henrynashdolphm: and a fine patch it was, too14:30
*** jdennis1 has joined #openstack-keystone14:30
rodrigodshenrynash, do we have tests for our Hints() implementation?14:31
*** jdennis has quit IRC14:31
*** michauds has joined #openstack-keystone14:32
*** ravelar has joined #openstack-keystone14:32
dolphmhenrynash: lol. between mike's suggestion and the patch i landed, i hope your patch should be a little easier :)14:32
*** su_zhang has joined #openstack-keystone14:34
*** dikonoor has joined #openstack-keystone14:34
rodrigodshenrynash, hmm test_driver_hints?14:34
*** woodster_ has joined #openstack-keystone14:34
*** su_zhang has quit IRC14:36
*** su_zhang has joined #openstack-keystone14:37
*** tonytan_brb has joined #openstack-keystone14:37
*** tonytan4ever has quit IRC14:40
*** su_zhang has quit IRC14:41
*** tonytan_brb has quit IRC14:42
*** daemontool has quit IRC14:42
*** tonytan4ever has joined #openstack-keystone14:42
*** david-lyle has quit IRC14:43
dolphmrodrigods: the answer to "do we have tests for this?" is always to break the thing and see what tests fail ;)14:43
rodrigodsdolphm, right! :)14:44
rodrigodsdolphm, trying to fix https://bugs.launchpad.net/keystone/+bug/1614154 here14:44
openstackLaunchpad bug 1614154 in OpenStack Identity (keystone) "Hints with values of None seem to be broken" [Medium,Confirmed] - Assigned to Abhishek Kumar Tiwary (aktiwary)14:44
rodrigodsdolphm, not fix, but trying to prove a concept14:44
henrynashrodigods: do test_driver_hints tests the underlying mechanism, but that bug appears to indicate a problem with the processing of hints in sql core14:44
dolphmrodrigods: i was thinking we needed to replace the default values (None) with a NOVALUE constant so we could distinguish between them?14:45
*** jaosorior is now known as jaosorior_away14:45
rodrigodsdolphm, that's an alternative, it would also work for indexes using nullable values14:45
rodrigodsthink that's how we do for the project table when a domain_id is null14:46
*** adrian_otto has joined #openstack-keystone14:46
*** sdake_ has quit IRC14:47
*** guoshan has quit IRC14:47
*** david-lyle has joined #openstack-keystone14:48
*** adrian_otto has quit IRC14:53
dstanekdolphm: rodrigods: ++ NOVALUE = object()14:54
dstanekthat's a common keystone pattern already 'grep -r "= object()" keystone' and you'll find a bunch14:55
*** asettle has quit IRC14:56
*** asettle has joined #openstack-keystone14:57
rodrigodsdstanek, dolphm my idea to fix the bug was to improve the Hints() to handle None values, but I guess the "object()" approach is cleaner15:00
dolphmrodrigods: by changing the defaults to something other than None, you're doing exactly that -- adding the ability to handle incoming None values15:00
rodrigodsdolphm, yes, and with the benefit of using them in indexes if desired15:02
*** david-lyle has quit IRC15:02
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/36292815:02
*** roxanagh_ has joined #openstack-keystone15:04
dstanekrodrigods: using in an index?15:06
*** tonytan_brb has joined #openstack-keystone15:07
*** roxanagh_ has quit IRC15:09
*** sdake has joined #openstack-keystone15:09
*** spedione is now known as spedione|AWAY15:11
*** tonytan4ever has quit IRC15:11
*** Michaellaneous has joined #openstack-keystone15:12
MichaellaneousHey, I got some questions about ldap integrations.15:12
MichaellaneousI wanna use it for my dashboard.15:12
MichaellaneousI am new to LDAP so...it's all a bit confusing.15:12
*** nkinder has quit IRC15:12
openstackgerritMerged openstack/keystone: Add man page info for credential setup command  https://review.openstack.org/36245315:14
openstackgerritMerged openstack/keystone: Remove unnecessary try/except from token provider  https://review.openstack.org/36235215:14
dstanekMichaellaneous: feel free to just ask your questions here and likely someone will eventually be around to help15:14
MichaellaneousWell, I followed this guide15:15
Michaellaneoushttp://docs.openstack.org/admin-guide/keystone-integrate-with-ldap.html15:15
MichaellaneousKinda. I think, the whole backends, multiple ones is confusing.15:15
MichaellaneousI also have my little ldap setup15:15
Michaellaneoushttps://i.imgur.com/pJadq34.png15:15
MichaellaneousIt works I tried it out on a linux machine.15:15
*** spedione|AWAY is now known as spedione15:16
MichaellaneousJust the...configuration is confusing.15:16
dstanekMichaellaneous: did you get it working?15:17
MichaellaneousNo.15:17
MichaellaneousI tried logging into the dashboard and it said nope.15:17
dstanekMichaellaneous: which part is confusing?15:17
MichaellaneousWell there is integrate identity, identify backend and assignment.15:18
MichaellaneousWhat does what?15:18
dstanekMichaellaneous: have you looked in your keystone log to see error messages or maybe even the ldap query run?15:18
dstanekyou really only want to use ldap for identity (where the user info/auth/etc comes from)15:18
dstanekassignment is saying what a user can do15:18
*** tqtran has joined #openstack-keystone15:19
dstanekeverything in keystone is based on backends that can be configured for a particular cloud15:19
*** zzzeek has quit IRC15:19
dstanekfor instance you want your users from ldap, but i like mine from sql15:19
MichaellaneousOkay, hold on.15:20
MichaellaneousWhere is the difference between Identity and Identity backend then?15:21
*** david-lyle has joined #openstack-keystone15:22
dstanekidentity is the system that deals with information for users/groups/etc and the identity backend is the specific storage mechanism for that data (sql, ldap, whatever)15:22
*** ddieterly has joined #openstack-keystone15:23
*** tqtran has quit IRC15:23
dstanekMichaellaneous: does that make sense?15:23
MichaellaneousKinda...I think?15:24
MichaellaneousNot really because both seem the same to me still.15:24
MichaellaneousIf I use ldap for authentication isn't that also my storage mechanism?15:24
dstanekldap is a backend15:24
dstaneksaying identity is really talking about the concept of user/groups/etc. nothing more than that. we have a user, we can auth a user, users are in groups etc.15:25
MichaellaneousOkay.15:25
dstanekthe backend is the implementation of where that data comes from15:25
*** nkinder has joined #openstack-keystone15:25
MichaellaneousWell I want them coming from LDAP.15:26
dstanekthen use the ldap backend :-)15:26
MichaellaneousOkay.15:27
*** links has quit IRC15:28
dstanekMichaellaneous: did you have trouble configuring ldap?15:29
MichaellaneousYeah.15:30
Michaellaneoushttp://pastebin.com/yaQmdyA215:30
MichaellaneousThis is my config.15:30
Michaellaneouskeystone.conf to be exact.15:30
*** sdake has quit IRC15:31
dstanekMichaellaneous: is that just the ldap portion?15:31
dstanekof the whole file?15:31
MichaellaneousJust the ldap portion.15:31
MichaellaneousThe rest of openstack works perfectly.15:32
dstanekso what is the problem you are having?15:32
*** mdurrant_ is now known as mdurrant15:32
MichaellaneousWhen I try to login into dashboard it says user does not exist.15:33
Michaellaneoussyslog doesnt really say anything.15:33
MichaellaneousLemme check the keystone specific logs15:33
Michaellaneous.Wait.15:34
MichaellaneousERROR keystone ImportError: No module named ldap.filter15:34
MichaellaneousThat could certainly be the issue.15:34
dstanekif i were to guess i would say that the ldap python libraries are not installed15:34
MichaellaneousInstalled that and another one that was missing.15:37
MichaellaneousLemme quickly write that down for the docu..15:38
stevemaro/15:38
*** zzzeek has joined #openstack-keystone15:40
rodrigodsdstanek, yeah... nullable columns don't work in indexes15:40
rodrigodsdstanek, http://stackoverflow.com/questions/9175591/index-for-nullable-column15:40
*** david-lyle has quit IRC15:40
*** zzzeek has quit IRC15:41
*** gyee has joined #openstack-keystone15:42
*** akscram has quit IRC15:42
dstanekrodrigods: hmmm... we used to do it with oracle, but i have no idea about mysql15:42
MichaellaneousSo.15:42
MichaellaneousNow keystone says that the address is already in use.15:42
MichaellaneousTrying to bind to.15:42
dstanekhaving <<null>> in columns looks terrible15:42
dstanekMichaellaneous: how are you running keystone?15:42
Michaellaneous3535715:42
Michaellaneousautomatically on startup.15:42
*** zzzeek has joined #openstack-keystone15:43
MichaellaneousApparently apache2 is running on 3535715:44
dstanekMichaellaneous: to restart keystone did you restart apache?15:45
Michaellaneousnope15:45
Michaellaneousservice keystone restart15:45
dstanekif apache is on 35357 then that means you have apache configured to run keystone. try restarting that15:46
MichaellaneousOkay done that.15:47
MichaellaneousNow I can't login at all.15:47
MichaellaneousNeither with original admin nor ldap15:47
*** awayne has quit IRC15:48
*** akscram has joined #openstack-keystone15:49
*** david-lyle has joined #openstack-keystone15:50
dstanekMichaellaneous: bad config? what is in the log files?15:50
*** itisha has quit IRC15:50
MichaellaneousKeystone logs are silent.15:51
dstanekin /var/log/apache2/keystone.log?15:51
MichaellaneousHold on.15:51
MichaellaneousCould not find domain: 36d024eae7ea4865b87d1e29bd73cef515:52
*** ddieterly is now known as ddieterly[away]15:53
MichaellaneousINVALID_CREDENTIALS: {'desc': 'Invalid credentials'}15:53
*** chrisshattuck has joined #openstack-keystone15:54
dstanekdo you have debug logging on?15:55
dstanekif so, i'm hoping that you have some ldap stuff in there15:55
MichaellaneousI set it to 015:56
Michaellaneouswhat should I set it to15:56
dstanek'debug = true'15:57
MichaellaneousWait, where?15:57
dstanekyou probably also want debug_level set to a reasonable number15:58
*** ddieterly[away] is now known as ddieterly15:58
dstanek[DEFAULT]/debug and [ldap]/debug_level15:59
dstanekMichaellaneous: also does that domain exist?16:00
MichaellaneousWell no.16:01
MichaellaneousIt's not my domain.16:01
MichaellaneousMy domain is named differently.16:01
dstanekwhere is that id coming from?16:01
MichaellaneousNo idea.16:01
dstanekmaybe that's the if for one of your domains?16:02
Michaellaneousif?16:03
MichaellaneousID16:03
Michaellaneousnot sure how to figure that out tho.16:03
dstaneksince keystone isn't working yet you'd have to look in the database16:04
rderosestevemar: https://review.openstack.org/#/c/362501/ and https://review.openstack.org/#/c/362510/16:04
dstanekonce you set debugging you should get more information to help you16:04
stevemarthanks rderose16:04
rderosestevemar: np16:05
rderosestevemar: that is, if I can get it through the gate16:06
*** adrian_otto has joined #openstack-keystone16:06
*** adrian_otto has quit IRC16:06
rderosestevemar: getting a strange error16:06
*** adrian_otto has joined #openstack-keystone16:06
openstackgerritLance Bragstad proposed openstack/keystone: Implement encryption of credentials at rest  https://review.openstack.org/35561816:07
*** ravelar has quit IRC16:07
*** ravelar1 has joined #openstack-keystone16:07
*** adrian_otto has quit IRC16:09
*** adrian_otto has joined #openstack-keystone16:09
*** tonytan_brb has quit IRC16:17
openstackgerritRon De Rose proposed openstack/keystone: Validate mapping exists when creating/updating a protocol  https://review.openstack.org/36239716:21
*** david-lyle has quit IRC16:21
*** krotscheck has joined #openstack-keystone16:23
*** david-lyle has joined #openstack-keystone16:23
openstackgerritBoris Bobrov proposed openstack/keystone: Do not check that fernet keys exist on startup  https://review.openstack.org/36278516:27
krotscheckHey everyone, devstack question. When reading the service catalog from the clouds.yaml file created for devstack, the initial URL is http://HOST/identity_v2_admin, which eventually ends up pointing at http://HOST/identity/ (if you follow all the various links). However, http://HOST:5000/ is also available. Is there a particular reason that the devstack keystone service is registered as a proxy via port 80, rather than 5000?16:29
*** adrian_otto has quit IRC16:31
bretonkrotscheck: the reason to support 80 is to have everything on a single domain. Also easier to SSL.16:32
*** hockeynut has quit IRC16:33
*** adrian_otto has joined #openstack-keystone16:33
*** code-R_ has quit IRC16:34
dstanekbreton: single domain on ssl is hard16:35
*** joerch has quit IRC16:35
*** david-lyle_ has joined #openstack-keystone16:36
*** tqtran has joined #openstack-keystone16:36
MichaellaneousIf I have ldap and use apache2 as auth provider.16:36
MichaellaneousWhat do I have to config?16:36
Michaellaneouskeystone.conf or something else?16:37
dstanekMichaellaneous: what do you mean by auth provider?16:37
krotscheckbreton: Thanks, I guess I can't change that. I'm trying to brainstorm how to sanely extract the root version endpoint, given that a service in keystone may be registered as the root resource, a specific version resource (like nova), something with a token in it, etc.... http://paste.openstack.org/show/564857/16:38
*** david-lyle has quit IRC16:39
*** roxanaghe has quit IRC16:40
*** roxanaghe has joined #openstack-keystone16:41
MichaellaneousWell, then I restart keystone it says address already in use.16:41
MichaellaneousBecause apache is running on that address.16:41
dstanekMichaellaneous: that's because apache is running keystone16:42
MichaellaneousYeah.16:42
MichaellaneousApparently.16:42
MichaellaneousSo what config do I have to edit?16:42
*** joerch has joined #openstack-keystone16:42
Michaellaneouskeystone.conf still?16:42
dstanekservice keystone start - is the old way that didn't use apache - it's no longer supported in newer releases16:42
dstanekyes, keystone.conf16:43
MichaellaneousOkay.16:43
MichaellaneousThanks.16:43
*** roxanaghe_ has joined #openstack-keystone16:44
*** esp has joined #openstack-keystone16:46
*** ddieterly is now known as ddieterly[away]16:47
*** roxanaghe has quit IRC16:47
*** roxanaghe__ has joined #openstack-keystone16:47
*** roxanaghe_ has quit IRC16:51
*** jaosorior_away has quit IRC16:51
*** ddieterly[away] is now known as ddieterly16:52
*** gyee has quit IRC16:53
*** joerch has quit IRC16:53
MichaellaneousI don't quite get this:16:54
Michaellaneoususer = dc=Manager,dc=example,dc=org16:54
Michaellaneousdc=user16:54
MichaellaneousWhat is a dc=user16:54
MichaellaneousI only have my cn=admin16:54
*** gyee has joined #openstack-keystone16:55
*** jpena is now known as jpena|off16:58
*** su_zhang has joined #openstack-keystone17:01
*** su_zhang has quit IRC17:03
*** su_zhang has joined #openstack-keystone17:04
*** su_zhang has quit IRC17:04
*** su_zhang has joined #openstack-keystone17:05
*** su_zhang has quit IRC17:11
*** su_zhang has joined #openstack-keystone17:11
*** rcernin has quit IRC17:12
*** amakarov is now known as amakarov_away17:12
*** tesseract- has quit IRC17:14
*** su_zhang has quit IRC17:16
*** asettle has quit IRC17:16
*** asettle has joined #openstack-keystone17:17
*** shaleh has joined #openstack-keystone17:17
*** tonytan4ever has joined #openstack-keystone17:18
dstanekwhere are you seeing that?17:22
*** tonytan4ever has quit IRC17:23
*** tesseract- has joined #openstack-keystone17:24
*** pcaruana has quit IRC17:25
*** ddieterly is now known as ddieterly[away]17:27
*** sdake has joined #openstack-keystone17:27
*** tesseract- has quit IRC17:28
*** tonytan4ever has joined #openstack-keystone17:29
MichaellaneousI think I am getting closer to the issue.17:29
MichaellaneousWhen I don't use any ldap config.17:29
MichaellaneousI can see use openstack domain list17:29
MichaellaneousIf i switch to ldap he said "Domain not available".17:29
MichaellaneousI also can't create new domains.17:29
rderosezzzeek: having an issue when trying to add a default datetime value here: https://review.openstack.org/#/c/362501/3/keystone/common/sql/migrate_repo/versions/105_add_password_date_columns.py17:31
zzzeekrderose: did you mean server_default ?17:32
rderosezzzeek: not necessarily17:32
zzzeekrderose: if you are using the python function here, then you'd use default and it doesn't matter if you're on sqlite17:32
zzzeekrderose: also SQLite supports datetime server default17:32
*** su_zhang has joined #openstack-keystone17:32
rderosezzzeek: hmm... well tests fail when trying to run it via sqlite17:33
rderosecurrently, I'm seeing the following error in this log file: http://logs.openstack.org/01/362501/3/check/gate-grenade-dsvm-neutron-ubuntu-trusty/ed5469f/logs/grenade.sh.txt.gz17:33
rderosezzzeek: (pymysql.err.InternalError) (1292, u"Incorrect datetime value: '0000-00-00 00:00:00' for column 'created_at' at row 1") [SQL: u'\nALTER TABLE password ADD created_at DATETIME NOT NULL']17:33
zzzeekrderose: that's a mysql error17:34
rderosezzzeek: when it runs locally using mysql it works17:34
rderosezzzeek: what am I doing wrong?17:34
*** su_zhang has quit IRC17:35
*** adrian_otto has quit IRC17:35
*** su_zhang has joined #openstack-keystone17:36
rderosezzzeek: my understanding of server_default is that it is for table creates17:37
*** asettle has quit IRC17:37
rderosezzzeek: this is an existing table where I'm adding a new column17:38
zzzeekrderose: when you add a column to a table that has lots of rows in it, if you say NOT NULL, you need to give a server default, else the operation makes no sense17:38
zzzeekmysql is nice enough to make a guess but like all guesses, it is tragically wrong17:38
zzzeekit probably works locally because your local table has no data in it17:38
*** NishaYadav has joined #openstack-keystone17:39
rderosezzzeek: ah, okay. so server_default=datetime.datetime.utcnow should work17:39
rderose?17:39
zzzeekrderose: unfortunately no, because utcnow is a Python function17:39
zzzeeka SQL database server default is computed by the database itself17:39
zzzeekso... func.now() in this case17:39
openstackgerritBoris Bobrov proposed openstack/keystone-specs: Target Fernet key store to Ocata  https://review.openstack.org/36306517:39
rderosezzzeek: okay, I think I've tried func.now(), but will try it again here17:40
rderosezzzeek: thanks17:40
zzzeekrderose: good luck17:40
*** hockeynut has joined #openstack-keystone17:42
*** jaugustine_ has joined #openstack-keystone17:43
*** jaugustine has quit IRC17:44
*** jaugustine_ is now known as jaugustine17:44
* NishaYadav waves hello o/17:44
openstackgerritRon De Rose proposed openstack/keystone: Fixes migration where password created_at is nullable  https://review.openstack.org/36250117:45
openstackgerritRon De Rose proposed openstack/keystone: Fixes migration where password created_at is nullable  https://review.openstack.org/36250117:45
openstackgerritRon De Rose proposed openstack/keystone: Fixes migration where password created_at is nullable before 105 fix  https://review.openstack.org/36251017:45
openstackgerritRon De Rose proposed openstack/keystone: Fixes migration where password created_at is nullable before 105 fix  https://review.openstack.org/36251017:48
openstackgerritBoris Bobrov proposed openstack/keystone-specs: Target Fernet key store to Ocata  https://review.openstack.org/36306517:48
*** michauds has quit IRC17:52
*** markvoelker has joined #openstack-keystone17:54
bretonstevemar: how short is ocata?17:55
*** afred312_ has quit IRC17:58
*** roxanaghe_ has joined #openstack-keystone17:59
*** asettle has joined #openstack-keystone17:59
stevemarbreton: https://review.openstack.org/#/c/357214/18:00
*** su_zhang has quit IRC18:00
*** roxanaghe has joined #openstack-keystone18:01
stevemarbreton: there are 12 weeks between the summit and milestone 3, that includes christmas and new years and all that18:01
*** roxanaghe__ has quit IRC18:02
*** roxanaghe_ has quit IRC18:04
*** tesseract- has joined #openstack-keystone18:05
*** tesseract- has quit IRC18:05
*** tesseract- has joined #openstack-keystone18:06
*** nisha_ has joined #openstack-keystone18:07
*** NishaYadav has quit IRC18:07
*** nisha_ is now known as nishaYadav18:07
*** spzala has joined #openstack-keystone18:07
*** tesseract- has quit IRC18:08
*** michauds has joined #openstack-keystone18:09
*** tesseract- has joined #openstack-keystone18:10
*** tonytan4ever has quit IRC18:13
*** tonytan4ever has joined #openstack-keystone18:14
*** dikonoor has quit IRC18:15
*** dikonoor has joined #openstack-keystone18:16
openstackgerritSteve Martinelli proposed openstack/keystone: Filter data when deserializing RevokeEvents  https://review.openstack.org/35887218:18
openstackgerritMerged openstack/keystone: Updated from global requirements  https://review.openstack.org/36292818:21
*** markvoelker has quit IRC18:22
*** tqtran has quit IRC18:24
*** su_zhang has joined #openstack-keystone18:25
*** tqtran has joined #openstack-keystone18:25
*** su_zhang has quit IRC18:26
*** ddieterly[away] has quit IRC18:27
*** asettle has quit IRC18:27
*** tqtran has quit IRC18:28
*** tqtran has joined #openstack-keystone18:28
*** tesseract- has quit IRC18:30
*** tesseract- has joined #openstack-keystone18:30
*** tesseract- has quit IRC18:30
*** tesseract- has joined #openstack-keystone18:31
*** ddieterly has joined #openstack-keystone18:35
*** itisha has joined #openstack-keystone18:35
*** tesseract- has quit IRC18:37
*** tonytan_brb has joined #openstack-keystone18:42
*** GB21 has quit IRC18:43
*** su_zhang has joined #openstack-keystone18:43
*** su_zhang has quit IRC18:45
*** tonytan4ever has quit IRC18:45
*** tqtran has quit IRC18:46
*** tqtran has joined #openstack-keystone18:46
*** tonytan4ever has joined #openstack-keystone18:47
*** NikitaKonovalov has quit IRC18:50
*** topol has quit IRC18:50
*** afred312 has joined #openstack-keystone18:50
*** tonytan_brb has quit IRC18:50
*** bknudson has quit IRC18:51
*** ianw has quit IRC18:51
*** jrist has quit IRC18:52
*** basilAB has quit IRC18:52
*** bknudson has joined #openstack-keystone18:56
*** ChanServ sets mode: +v bknudson18:56
*** NikitaKonovalov has joined #openstack-keystone18:57
*** bknudson has left #openstack-keystone18:57
*** ddieterly is now known as ddieterly[away]18:58
*** topol_ has joined #openstack-keystone18:59
*** bknudson has joined #openstack-keystone18:59
*** ChanServ sets mode: +v bknudson18:59
stevemarhenrynash: lbragstad dolphm o/19:00
dolphmstevemar: o/19:00
rderosezzzeek: now getting (pymysql.err.InternalError) (1067, u"Invalid default value for 'created_at'") [SQL: u'\nALTER TABLE password ADD created_at DATETIME NOT NULL DEFAULT now()']19:00
lbragstadhenrynash yeah - i'm just saying that if we delay the trigger decision it is unlikely that we are going to have R/W upgrades for newton19:00
*** basilAB has joined #openstack-keystone19:01
rderosezzzeek: server_default=sql.func.now()19:01
dolphmdid i miss anything in the keystone meeting?19:01
henrynashrderose: I would think you have to update any rows first that are already null19:01
stevemardolphm: a whole lot19:01
lbragstaddolphm discussing the path for triggers and encrypted credentials19:01
rderosehenrynash: that's the point of server_default19:01
rderoseto automatically update existing rows19:01
dolphmoh noes19:01
stevemardolphm: lbragstad i thought you can do a RW upgrade now? no?19:01
dolphmstevemar: with triggers, yes19:02
lbragstadhenrynash stevemar mentioned holding off on the trigger decision until O19:02
rderosezzzeek: any ideas what I'm doing wrong here: https://review.openstack.org/#/c/362501/5/keystone/common/sql/migrate_repo/versions/105_add_password_date_columns.py19:02
stevemarsince there aren't any table or column deletions / alters up to migration 11019:02
samueldmqwhat is a RW upgrade?19:02
henrynashrderose: I always assumed it didn't work for existing rows...i19:02
samueldmqRW ?19:02
lbragstadhenrynash which would also bump R/W upgrades - since the current implementation leverages triggers19:02
dolphmsamueldmq: read/write19:02
stevemarsamueldmq: read/write19:02
dolphmsamueldmq: rather than downtime or read-only19:02
bknudsonI thought server_default was the value that got set when a row is inserted19:02
henrynashsamueldmq: a no downtime upgrade that lets new and old code versions continue to R and W during the upgrade process19:03
samueldmqdolphm: stevemar: ok, allowing to read and write during the upgrade process19:03
henrynashbknudson: ++19:03
dolphmstevemar: what is the benefit of waiting - and what are we waiting *for*, exactly? what do we expect to learn between now and then?19:03
zzzeekrderose: what mysql is that?19:03
rderosehenrynash: that doesn't seem to be the problem, it's complaining about the default value19:03
samueldmqhenrynash: thx19:03
henrynashrderose: oh19:03
rderosezzzeek: it's pymysql19:03
rderosezzzeek: are you asking which version?19:03
zzzeekrderose: mysql version19:04
*** ddieterly[away] is now known as ddieterly19:04
rderosehenrynash: do you know which version?19:04
stevemardolphm: theres a few things in play here19:04
henrynashlbragstad, stevemar, dolphm: I say put in the mfa changes, with triggers - not a bad thing to use as our guinea pig, anyway19:04
rderosehenrynash zzzeek here is the log: http://logs.openstack.org/01/362501/5/check/gate-grenade-dsvm-neutron-ubuntu-trusty/ab6ce83/logs/grenade.sh.txt.gz19:04
stevemar1 - mfa and totp depends on credential encryption19:05
*** david-lyle_ is now known as david-lyle19:05
stevemar2 - credential encryption depends on triggers19:05
samueldmqstevemar: are they targeted to m3?19:05
stevemar3 - everyone hates triggers19:05
rderoseanyone know the mysql version used by grenade?19:05
stevemarsamueldmq: no - totp was done in M, and MFA is targeted for O19:06
zzzeekrderose: your statement works so far in mysql 5.7, mariadb 10.119:06
zzzeekrderose: will try mysql 5.519:06
samueldmqstevemar: if totp was done in M, how does it depend on cred encryption?19:06
rderosezzzeek: okay, thanks19:06
stevemardolphm: theres also a devstack patch, a grenade patch, both need to land in the next day19:06
lbragstadsamueldmq the current implementation of TOTP puts user secrets in the keystone backend19:06
stevemarsamueldmq: they are currently unencrypted19:06
lbragstadsamueldmq so while it works, it is insecure19:06
samueldmqk gotcha19:07
dolphmstevemar: lbragstad: has there been any traction on the grenade patch today?19:07
samueldmqand we have agreed to support rolling upgrades in M, right ?19:07
lbragstadsamueldmq if keystone accepts supporting TOTP, we should also support secure storage of user secrets19:07
*** jrist has joined #openstack-keystone19:07
lbragstaddolphm I socialized it in -qa19:07
lbragstadno additional reviews yet19:08
dolphmstevemar: credential encryption does not depend on triggers-- triggers only facilitate the *rolling* upgrade19:08
lbragstadthe devstack change has one +219:08
henrynashrderose: I am using: Server version: 5.5.49-0ubuntu0.14.04.1 (Ubuntu)19:08
samueldmqdolphm: how can we do it without triggers ?19:08
lbragstadi already reworked the entire thing to support triggers19:08
rderosehenrynash: do you know which version of mysql we support?19:08
dolphmstevemar: if we have the option to "opt out" of setting triggers, then everyone wins? https://review.openstack.org/#/c/360723/19:09
dolphmsamueldmq: the triggers simply protect a live upgrade process, they don't prevent anyone from doing a boring upgrade19:09
zzzeekrderose: fails in 5.5.4219:10
samueldmqdolphm: exactly, my question is: do we say we support rolling upgrades in M?19:10
rderosezzzeek: :)19:10
henrynashsamueldmq: YES....and we committed to it at the summit and the midcycle19:10
rderosezzzeek: what would you suggest?  change to timestamp maybe?19:10
samueldmqif not, let's just do in the old way, and support rolling upgrades next release19:10
samueldmqhenrynash: ok19:10
zzzeekrderose: on mysql use the datatype TIMESTAMP19:10
dolphmsamueldmq: "here's a new feature, here's how to consume it, here's how to opt out if you don't think they'll work for you (insert instructions for boring upgrade process)"19:10
zzzeekrderose: or, lets get off mysql 5.519:11
*** adrian_otto has joined #openstack-keystone19:11
samueldmqdolphm: the most right to me (since we don't have a decision on triggers yet), if we really want cred encryption in19:11
henrynashdolphm: ...but have no problem with not running things we don't need to do when running the offline (aka boring) upgrade process19:12
samueldmqwould be to get that in without triggers19:12
stevemarhenrynash: dolphm: doesn't a rolling upgrade work now? if we were to cut using current master?19:12
dolphmi apparently need to go read the meeting logs - i don't understand what decision we're lacking19:12
henrynashstevema: yes19:12
henrynashstevemar: yes19:12
*** gyee has quit IRC19:12
rderosezzzeek: so is it func.current_timestamp()?19:12
zzzeekrderose: no.   replace sqlalchemy.DateTime with sqlalchemy.TIMESTAMP19:13
lbragstaddolphm the question at hand is whether or not to include encrypted credentials in this release19:13
zzzeekrderose: TIMESTAMP is a magic datatype in MySQL that allows for server defaults19:13
dolphmlbragstad: is that a question related to trigger or a question regarding encrypted credentials?19:13
samueldmqstevemar: have we got to a decision on use vs do not use triggers ?19:13
rderosezzzeek: will it automatically set the current timestamp?19:13
zzzeekrderose: they've improved this stupid design but if we are stuck supporting 5.5 (can we really check on that?  ) then we can't use it19:13
lbragstaddolphm maybe both, but i'll let stevemar clarify19:13
rderosezzzeek stevemar dolphm: how hard would it be to stop supporting mysql 5.519:14
rderosehenrynahs: ^19:14
zzzeekrderose: I would advise specifying server_default=func.current_timestamp(), it is kind of magical on their end but it accepts it. but also note, there can only be one such column in 5.5:  Incorrect table definition; there can be only one TIMESTAMP column with CURRENT_TIMESTAMP in DEFAULT or ON UPDATE clause19:15
henrynashrderose: not really sure.......more worried about customer base, rather than dev environments19:15
rderosezzzeek: would this work with postgresql?19:16
zzzeekrderose: the other way to do this is:19:16
samueldmqlbragstad: what is the alternative with versioned objects ?19:16
zzzeek1. add new DateTime column, make it NULL19:16
samueldmqlbragstad: anywhere I can read from ?19:16
lbragstadsamueldmq i have no idea19:16
samueldmqlbragstad: I didn't see anything about that in the meeting19:16
zzzeek2. populate the column with date values19:16
zzzeek3. alter again, set NOT NULL19:16
lbragstadsamueldmq we would have to start incorporating versioned objects from scratch19:16
rderosezzzeek: problem with that approach is rolling upgrades19:16
rderose:)19:16
zzzeekrderose: yeah then you have to leave it NULL19:16
zzzeekrderose: if it were me, I'd just do the UPDATE right there19:17
zzzeekrderose: because it will run in a blink.19:17
rderosehenrynash: ^ what do you think?19:17
samueldmqlbragstad: how would we do it without triggers ? (and without versioned objects either)19:17
zzzeekrderose: but I'm not in charge of any decisions here.    all the things to be afraid of w/ migrations, and things to be not afraid of, are determined by other people who know more than me19:17
samueldmqlbragstad: I guess it is what we had at the first patchsets?19:18
rderosezzzeek: :)19:18
lbragstadsamueldmq well - that didn't support rolling upgrades either19:18
rderosezzzeek: let me try the timestamp approach19:18
lbragstadsamueldmq that was a much different implementation as far as the migration goes19:18
zzzeekrderose: for PostgreSQL, sqlite, others you need to stick with the DateTime + server_default=func.now()19:18
lbragstadsamueldmq credentials would be migrated manually and orchestrated through configuration changes19:18
henrynashrderose: is it 100% safe, no, is it 99.9% safe, probably....but you could surely write a pathological test that would show the issue19:18
rderosezzzeek: okay, I can do that19:19
rderosehenrynash: I knew you were going to say that ;)19:19
zzzeekrderose: I might check for MySQL version here too19:19
zzzeekrderose: for 5.6 and up do the better thing19:19
henrynashrderose: ..and I didn't want to disappoint you....19:19
zzzeekrderose: though need to see where 5.6 is at19:19
samueldmqhenrynash: are you going to remove triggers from that created_at review you posted?19:20
samueldmqI read somewhere it was not needed19:20
rderosezzzeek: okay, this could be tricky19:20
zzzeekrderose: how does it even make sense to put "NOW" into existing timestamp columns?19:20
henrynashsamueldmq: so we are waiting to see if rderose and zzzeek come up with a "more traditional" solution using server defaults (i.e. correct the original issue)....if not, then triggers it is19:21
zzzeekrderose: if this is expand/contract, you'd make the column NULL and then in contract make it NOT NULL19:21
samueldmqhenrynash: kk thanks19:21
*** adrian_otto has quit IRC19:21
samueldmqhenrynash: let me know and I can review it (given we want it for tomorrow)19:21
zzzeekhenrynash: why not leave it as NULL.   also known as, please give me an example for clint on the mailing list :)19:21
rderosezzzeek: I'm not using the new expand/contract repos19:21
rderosezzzeek: I'm using our existing repo19:21
zzzeekrderose: if you aren't doing expand/contract then this is not an "online" upgrade, do the UPDATE :)19:22
* stevemar needs coffee19:22
rderosezzzeek: hmm...19:23
zzzeekrderose: how many rows in this table for a huge customer ?19:23
openstackgerritLance Bragstad proposed openstack/keystone: Document credential encryption  https://review.openstack.org/35449719:23
henrynashrderose: so you should really put this in the expand phase, with null data migration and contracts19:24
rderosehenrynash: well, was just trying to fix the existing 105 migration19:24
henrynashzzzeek: ...although where rderose is putting it right now will still be run automatically in the expand phase, since we run any legacy migrations first19:24
rderosehenrynash: how many rows for a huge customer would you estimate?  thousands?19:25
henrynashrderose: so this will be only local users, or will it be populated for any federated user that authenticates19:26
rderosehenrynash: currently only local users19:26
zzzeekpeople, here is the thing:   if you add a NULL column to a table, that has like 10K rows, then do "UPDATE table SET new_column=now()", then set it up as NOT NULL.  this is a *very* fast operation.  nobody is going to see their clusters go down waiting for that19:26
zzzeekall of these migration horror stories apply to:  facebook19:27
henrynashrderose: have to still assume 1000s....that was the drive to add things like mfa because people ARE using local sql users19:27
zzzeekwith ten kabillion rows19:27
zzzeekopenstack doesn't have that19:27
rderosezzzeek: true19:27
*** ianw_ has joined #openstack-keystone19:28
*** ccneill has joined #openstack-keystone19:28
bknudsonI hope our cloud winds up having more than thousands of users.19:28
bknudsonalthough if that was the case I expect we'd have a different solution than the sql backend.19:28
ccneillhi, all. can anyone here tell me about typical use cases for keystone's "credentials" endpoints? I'm specifically curious what kinds of things typically get used as "access" keys in EC2 credential creation requests19:29
ccneilli.e. http://developer.openstack.org/api-ref/identity/v3/?expanded=assign-role-to-user-on-projects-owned-by-domain-detail,create-policy-detail,show-credential-details-detail,list-credentials-detail,create-credential-detail#list-credentials19:29
ccneillthis documentation seems to show MD5s and tenant IDs(?), but then AWS seems to use a different format for access/secret: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html19:29
openstackgerritDolph Mathews proposed openstack/keystone: Only create triggers during a rolling upgrade  https://review.openstack.org/36072319:31
dolphmstevemar: rderose: henrynash: ^ this skips lbragstad's trigger create / drops when you do a plain ol' db_sync19:32
dolphmstevemar: so, if you opt into the rolling upgrade process, you get triggers. if you don't, you don't get triggers. the same upgrade code applies, otherwise.19:32
henrynashzzzeek: the problem with just doing the update and setting it to not NULL is that since we still have old code running, we need the server default to be working...or any inserts from old code will fail19:33
samueldmqdolphm: what is the effect if triggers are not used ?19:33
dolphmsamueldmq: there's no effect... you just can't write to the database during the upgrade process19:34
dolphmsamueldmq: which means, you're not doing a rolling upgrade19:34
openstackgerritDolph Mathews proposed openstack/keystone: Only create triggers during a rolling upgrade  https://review.openstack.org/36072319:34
samueldmqdolphm: got it19:35
henrynashdolphm: not so easy if we have written the 3 separate raw sql scripts...would need to pull the trigger code into the .py file (which I don't see any real reason against)19:35
breton> [24;2~WARNING: document isn't included in any toctree19:35
bretonwhat does it want from me?19:35
dolphmhenrynash: oh yeah, i guess this wouldn't cover your approach :-/19:35
zzzeekhenrynash: yeah, so, mailing list wisdom == new code just deals with it :)19:36
dolphm(which i think is better when you've got more complicated triggers to write)19:36
dstanekbreton: it's in linked from anywhere19:36
henrynashdolphm: agreed, but needs must19:36
dstanekbreton: i think that's what happens when you add a new file, but don't link to it19:36
samueldmqdolphm: lbragstad if we made the code write to both columns, then writes would be possible too19:36
dolphmsamueldmq: welcome to the rabbit hole of versionedobjects19:37
bretondstanek: yeah, looks like it. Thanks!19:37
zzzeekhenrynash: if you'd like to clarify your case here on the mailing list discussion that would be very helpful.19:37
samueldmqdolphm: ah now I know what versioned objects are19:37
samueldmqdolphm: but what is the issue with that?19:38
henrynashzzzeek: so when you run --expand, there is still old code running. This old code knows nothing about the new column....so that column is NOT NULL, it had better have a server default19:38
henrynash(....so IF that column is NOT NULL...)19:39
*** rcernin has joined #openstack-keystone19:39
dolphmsamueldmq: ask neutron https://review.openstack.org/#/q/topic:bp/adopt-oslo-versioned-objects-for-db19:39
zzzeekhenrynash: preaching to the choir :)19:39
samueldmqdolphm: thanks for the link19:40
*** chianingwang has joined #openstack-keystone19:40
dstanekbreton: thank you for offering to do the backport :-) now i can continue with what i was working on this morngin19:40
henrynashdstanek: don't ya just love morngins,19:43
*** su_zhang has joined #openstack-keystone19:43
bknudsonpython-memcache has a SERVER_MAX_VALUE_LENGTH constant19:44
bknudsonamakarov_away: ^19:45
*** su_zhang has quit IRC19:48
*** hockeynut has quit IRC19:49
stevemardstanek: take a quick look at https://review.openstack.org/#/c/359383/ you had a few comments on it, should only take a minute or two :P19:52
*** tqtran has quit IRC19:54
*** tqtran has joined #openstack-keystone19:56
*** harlowja has quit IRC19:58
*** su_zhang has joined #openstack-keystone19:58
stevemaramakarov_away: ETA on the precache config option?20:01
*** su_zhang has quit IRC20:02
*** afred312 has quit IRC20:04
Michaellaneousyeah I still don't know what's wrong20:07
Michaellaneouswhen LDAP is disabled I can see my default domains20:07
Michaellaneouswhen I enable it it tells me my domains don't exist anymore20:07
Michaellaneousand I can't create a new one20:07
*** tqtran has quit IRC20:08
*** ddieterly is now known as ddieterly[away]20:09
*** tqtran has joined #openstack-keystone20:09
*** dikonoor has quit IRC20:10
*** nishaYadav has quit IRC20:10
*** su_zhang has joined #openstack-keystone20:10
*** sdake has quit IRC20:11
*** tqtran has quit IRC20:12
*** sdake has joined #openstack-keystone20:12
*** ddieterly[away] is now known as ddieterly20:15
*** ddieterly is now known as ddieterly[away]20:19
*** tqtran has joined #openstack-keystone20:21
bknudsondstanek: notmorgan: Adding tracing statements to python-memcached so that it prints out the data read from the server.20:22
bknudsonhttp://paste.openstack.org/show/564886/20:22
notmorganbknudson: *nod*20:22
bknudsonThere's some of the output. So looking for the place where there's a problem (based on the keystone log)20:22
bknudson"VALUE 1921523d6734d44e88ed58dfc76ef681a36b8e9b 1 6020" -- is good20:22
bknudson"VALUE 1921523d6734d44e88ed5" -- is not good20:22
notmorganyep20:22
notmorganw.t.f20:23
bknudsonso note that "VALUE 1921523d6734d44e88ed5" happened to be some of the last value read20:23
notmorganoh is this some magic overflow slab thing?20:23
dstanekthat's strange20:23
notmorganwhere memcache is sending more data back than a packet handles?20:23
notmorganand the memcache library is unable to cope?20:23
bknudsonHere's the code: https://github.com/linsomniac/python-memcached/blob/master/memcache.py20:24
bknudson(without my logging)20:24
notmorganyeah not super interested in that. this looks like something the memcache server is sending20:24
notmorganwondering why VALUE format is different all of a sudden20:24
notmorganalso.. if we were using the binary protocol it might be better.20:25
bknudsony, it probably is the server since the next recv should have gotten the rest of the line.20:25
notmorgan(not possible in python-memcache20:25
*** gyee has joined #openstack-keystone20:25
*** ChanServ sets mode: +v gyee20:25
*** chrisshattuck has quit IRC20:26
bknudsonoh, I did this wrong.20:28
dstanekis it possible that the rest of that line appears later in the output?20:28
bknudsonwill recreate with better data20:28
notmorgan?20:28
bknudsonI wanted to have it log every recv but I missed it.20:28
notmorganah20:28
*** spedione is now known as spedione|AWAY20:29
notmorganbknudson: afaict that response is a violation of the text protocol: https://github.com/memcached/memcached/blob/master/doc/protocol.txt#L228-L24720:30
notmorganat least the spec for the protocol20:30
notmorganafaict it should *always* have flags and bytes20:30
dstaneknotmorgan: I'm wondering if the stream was logged out of order20:32
bknudsonhere's a new one: 2016-08-30 20:32:23.262 5770 ERROR keystone.common.wsgi ValueError: day is out of range for month20:32
notmorgandstanek: well, bknudson has said he's seen this issue mostly with uwsgi and threading.20:33
bknudsonI changed keystone so that there's a single process and thread.20:33
bknudsonit's still uwsgi20:33
notmorganhm20:33
bknudsonso I should not be able to see things out of order20:33
notmorganand not using the memcachepool20:33
*** rcernin has quit IRC20:33
notmorganjust to be sure20:33
notmorganbecause... gross.20:33
*** rcernin has joined #openstack-keystone20:33
bknudsonyes, I remembered to change to dogpile.cache.memcached20:34
notmorgandstanek: i mean the output really does look like it's just flat missing flags/bytes20:34
notmorgannot seeing flags/bytes in some other line erroneously20:34
*** awayne has joined #openstack-keystone20:37
ccneillsorry for the spam, but if anyone has a sec to look over this potential keystone bug and give your thoughts, I'd greatly appreciate it: https://bugs.launchpad.net/keystone/+bug/161861520:38
openstackccneill: Error: malone bug 1618615 not found20:38
ccneill(currently marked as a potential security issue)20:38
notmorganccneill: yep20:38
notmorganccneill: i just saw it /me puts VMT hat on20:38
notmorganccneill: reading it and will get people subscribed20:38
ccneillnotmorgan: thanks!20:39
*** ianw_ is now known as ianw20:39
notmorganccneill: keystone-coresec has been subscribed (etc) and the VMT process has been started20:41
ccneillawesome, ty notmorgan !20:41
notmorganccneill: i'm also reading the bug (hard to read via email because the way LP formats it)20:41
notmorganso, i might also have a comment on it20:41
*** ddieterly[away] is now known as ddieterly20:46
*** asettle has joined #openstack-keystone20:49
*** raildo has quit IRC20:49
bknudsondstanek: notmorgan: http://paste.openstack.org/show/564889/20:50
bknudsonhere you can see it's not working right20:50
bknudsonit does readline which should be "VALUE 3487474327a81e31a4ce383688d6c132f23276dd 1 5801" -- so that's good20:50
bknudsonthen it does "*** recv data:" to get the rest of the data20:51
bknudson(if the data is more than 4096 bytes it's not in the buffer)20:51
bknudsonI'm going to improve my logging to include the # bytes requested for the recv data.20:52
bknudsonbecause it should have done readline, recv ; not readline, recv, recv20:53
notmorganccneill: responded on the bug.20:54
notmorganbknudson: ah20:55
notmorganbknudson: so it is a socket issue it looks like.20:55
*** chrisshattuck has joined #openstack-keystone20:55
notmorganccneill: also thanks for the report.20:58
ccneillnotmorgan: np! sorry I forgot to mention that it was only EC2 creds >_<20:59
lbragstadstevemar https://gist.github.com/lbragstad/ddfb10f9f9048414d1f781ba006e95d1#file-migration-md21:00
bknudsonthis is starting to look a little fishy from the client side. we'll see.21:00
Michaellaneouswait21:00
Michaellaneousdoes the domain name for LDAP need to be openstack.org?21:00
lbragstadstevemar docs on doing a rolling upgrade with limited read-only and no downtime and triggers21:00
lbragstads/docs/documented live example/21:01
lbragstadcc dolphm dstanek rderose henrynash ^ in case you want to review21:01
lbragstadfwiw - the upgrade is actually from stable/mitaka to my patch up for review (so not official master)21:02
dolphmMichaellaneous: no?21:04
Michaellaneousyeah I thought so. I am just trying to debug right now.21:05
dolphmlbragstad: did you write all that?21:05
lbragstaddolphm yeah - that's what i've been working on today21:05
*** jamielennox is now known as jamielennox|away21:06
lbragstaddolphm I wanted to test the rolling upgrade process with multiple nodes anyway21:06
dolphmlbragstad: ++21:06
lbragstadfigured it would serve as a good upgrade document21:06
lbragstadfor folks with existing credentials21:07
*** pauloewerton has quit IRC21:09
*** spzala has quit IRC21:12
*** tqtran has quit IRC21:15
*** tqtran has joined #openstack-keystone21:15
*** harlowja has joined #openstack-keystone21:17
*** hockeynut has joined #openstack-keystone21:17
*** ayoung has quit IRC21:19
openstackgerritRon De Rose proposed openstack/keystone: Fixes migration where password created_at is nullable  https://review.openstack.org/36250121:21
dstaneklbragstad: those instructions look great21:21
lbragstaddstanek thanks21:21
lbragstaddolphm dstanek the only thing I found is the 500 that is issued when running both a mitaka node and newton node is this - http://cdn.pasteraw.com/a8iojjp1a2qxvf3qprd3ogs2unzoo3121:22
lbragstadit's a 500, which blocks the write to the credential table21:22
lbragstadbut it's not because of the trigger21:22
lbragstadit's because the blob attribute is None and it can't be21:22
lbragstad(otherwise i'm assuming the trigger would block that write)21:23
dstanekcan you relax the constraint in the expand?21:23
lbragstadbut I'm not sure how much we can do about it since the blob attribute would be defined as nullable=False already21:23
openstackgerritRon De Rose proposed openstack/keystone: Fixes migration where password created_at is nullable before 105 fix  https://review.openstack.org/36251021:24
openstackgerritRon De Rose proposed openstack/keystone: Fixes migration where password created_at is nullable before 105 fix  https://review.openstack.org/36251021:24
lbragstaddstanek why would we want to relax it?21:24
lbragstaddstanek relax the trigger?21:24
dstanekno, the constraint on blob...don't we remove it anyway when contracting?21:24
lbragstaddstanek is it possible to make blob nullable in the expand when it has data in it?21:25
bknudsondstanek: python-memcached has a constant for the max key length: https://github.com/linsomniac/python-memcached/blob/master/memcache.py#L20521:25
bknudsonwhich is 25021:25
dstaneklbragstad: yeah, it just means that new rows don't need a value21:25
lbragstaddstanek ah - i can try that quick21:26
dstanekbknudson: that's why we sha256 our keys21:26
bknudsondstanek: sha121:26
*** sdake has quit IRC21:26
bknudsonor did that change?21:26
dstanekbknudson: oh, maybe sha1. who can remember the details :-P21:27
bknudsonsomebody who's been staring at this for a few weeks21:27
dstaneki think that's the problem21:28
dstanekbknudson: i'm going to build an env based off of those instructions and see what happens21:30
bknudsondstanek: once you21:30
*** hockeynut has quit IRC21:31
bknudsonyou've got it running I've got a test program21:31
*** sdake has joined #openstack-keystone21:32
stevemarrderose: i don't think you want to tinker around with migration 10521:33
stevemarsome folks running on mater have already run it21:34
*** ddieterly is now known as ddieterly[away]21:34
dstanekmater? like the tow truck from Cars?21:35
*** ddieterly[away] is now known as ddieterly21:37
*** adriant has joined #openstack-keystone21:37
lbragstaddstanek ++21:37
Michaellaneousdolphm, when I have LDAP enabled, do I need to change the domain_name in my little export file?21:39
*** spzala has joined #openstack-keystone21:40
dstanekbknudson: post the test script somewhere?21:41
*** jdennis1 has quit IRC21:42
dolphmMichaellaneous: i'm not sure what export file you're referring to :-/ but domain names should be entirely up to you21:43
MichaellaneousThe admin-openrc file21:43
dstanekdolphm: Michaellaneous: likely openrc?21:43
MichaellaneousThe one you source when you wanna do stuff.21:43
MichaellaneousYeah.21:43
bknudsondstanek: https://github.com/brantlk/keystone_samples/blob/master/revocation_event_test.py21:43
MichaellaneousI just don't know why it stops recognizing my domains.21:44
dstanekthat shouldn't change unless you changed the keystone domain data21:44
*** spzala has quit IRC21:44
dstanekbknudson: gracyas21:44
dstanekmy Spanish is a bit rusty21:44
dolphmMichaellaneous: oh, that needs to match whatever domain your user / credentials belong to in keystone21:44
MichaellaneousYeah it does.21:44
Michaellaneousbut I switch to LDAP and it says "Domain does not exist: <ID of default domain>"21:44
MichaellaneousDo I need to...make my own domain for LDAP?21:44
bknudsondstanek: so what I do is go into the vagrant env and change the uwsgi config for keystone to listen on http21:45
bknudsondstanek: then run this on the host: python ./revocation_event_test.py --url http://10.10.0.11:5008/ --insecure --password <whatever>21:45
dolphmMichaellaneous: is LDAP configured to serve your default domain?21:46
MichaellaneousI...I don't know.21:46
MichaellaneousHow do I set that up?21:46
dolphmMichaellaneous: is LDAP configured in keystone.conf or in a domain-specific manner? /etc/keystone/domains/ (i think) or via the API?21:46
MichaellaneousIt is configured in keystone.conf21:47
dstanekMichaellaneous: what is the id of your default domain?21:47
dolphmMichaellaneous: then i believe you need to use the 'default' domain in openrc in order to authenticate via LDAP21:47
Michaellaneous36d024eae7ea4865b87d1e29bd73cef521:48
MichaellaneousYes I have that set up but as soon as I actually activate ldap21:48
MichaellaneousIt says "Domain does not exist: 36d024eae7ea4865b87d1e29bd73cef5"21:48
dolphmthe LDAP backend does not support non-default domains... unless you use domain-specific identity backends, right?21:48
dstanekMichaellaneous: check to make sure that is actually your default domain. it is usually just 'default'21:48
Michaellaneous| 36d024eae7ea4865b87d1e29bd73cef5 | default | True    | Default Domain           |21:49
dolphmMichaellaneous: how do you have a domain ID other than 'default', and what does that domain have to do with LDAP, exactly?21:49
*** chrichip has joined #openstack-keystone21:49
MichaellaneousNah I have only the default domain21:49
MichaellaneousAnd I am not changing my OpenRC.21:49
MichaellaneousBut when I activate it and do an openstack command it tells me that my default domain does not exist.21:49
*** asettle has quit IRC21:51
browneMichaellaneous: you should use keystone-manage bootstrap21:51
browneit'll create the default domain with an id of "default"21:51
*** asettle has joined #openstack-keystone21:51
MichaellaneousOkay hold on.21:52
MichaellaneousGetting some errors.21:52
brownethis works best.  creating the default domain later via api will create a UUID which means you need to add that back into keystone.conf and restart it21:52
MichaellaneousOh I need a password for it?21:53
MichaellaneousBut wait...if I delete the default domain now.21:53
MichaellaneousCan I still bootstrap?21:53
browneyeah, believe it should still bootstrap21:53
*** tonytan4ever has quit IRC21:54
*** jdennis has joined #openstack-keystone21:54
MichaellaneousJust trying to figure out how I can disable the other one21:56
*** asettle has quit IRC21:56
MichaellaneousOh fuck.22:00
MichaellaneousI disabled it.22:00
MichaellaneousNow I can't delete or reenable it.22:01
MichaellaneousOr bootstrap one.22:01
MichaellaneousFuuuuck22:03
*** michauds has quit IRC22:03
*** chrichip has quit IRC22:06
lbragstaddstanek yep - that worked22:07
openstackgerritChris Spencer proposed openstack/keystone: Add documentation on how to set a user's tenant.  https://review.openstack.org/36329222:07
*** ddieterly is now known as ddieterly[away]22:08
*** ddieterly[away] has quit IRC22:08
*** topol_ is now known as topol22:09
*** ChanServ sets mode: +v topol22:09
openstackgerritChris Spencer proposed openstack/keystone: Add documentation on how to set a user's tenant.  https://review.openstack.org/36329222:11
openstackgerritLance Bragstad proposed openstack/keystone: Implement encryption of credentials at rest  https://review.openstack.org/35561822:12
lbragstaddstanek fixed ^22:13
lbragstadstevemar dolphm most recent and correct draft with the implementation that is up for review - https://gist.github.com/lbragstad/ddfb10f9f9048414d1f781ba006e95d1#migrating-credentials-from-mitaka-to-newton22:17
lbragstadwhich updates the example to show that the triggers make keystone read only for both mitaka and newton22:19
*** su_zhang has quit IRC22:22
openstackgerritChris Spencer proposed openstack/keystone: Add documentation on how to set a user's tenant.  https://review.openstack.org/36329222:23
*** spzala has joined #openstack-keystone22:24
*** ravelar1 has quit IRC22:25
*** ianw has quit IRC22:26
*** jrist has quit IRC22:32
*** su_zhang has joined #openstack-keystone22:34
*** chrisshattuck has quit IRC22:35
*** chrisshattuck has joined #openstack-keystone22:35
*** sdake has quit IRC22:36
*** chrisshattuck has quit IRC22:37
*** spzala has quit IRC22:38
*** spzala has joined #openstack-keystone22:38
*** jrist has joined #openstack-keystone22:39
*** spzala has quit IRC22:43
dstaneklbragstad: nice!22:45
lbragstaddstanek :)22:48
lbragstadlet me know if it doesn't make sense - everything is still in review22:48
*** erhudy has quit IRC22:52
*** ianw has joined #openstack-keystone22:57
*** ayoung has joined #openstack-keystone22:59
*** ChanServ sets mode: +v ayoung22:59
bknudsondstanek: notmorgan: check this out : http://paste.openstack.org/show/564910/23:00
*** roxanaghe has quit IRC23:00
bknudsonthe first line is the statement23:00
bknudsonhow is len(data) only 149??23:00
bknudsonthere's definitely more than 149 chars in that str23:00
dolphmlbragstad: awesome!23:02
dolphmbknudson: does data have a __len__ definition?23:02
bknudsondolphm: https://github.com/linsomniac/python-memcached/blob/master/memcache.py#L1459 is the source of data23:05
bknudsonI hope socket.recv just returns a regular str with no special methods23:06
*** chrisshattuck has joined #openstack-keystone23:08
bknudsoncheck out the junk at the bottom -- http://paste.openstack.org/show/564915/23:08
bknudsonthat shouldn't be possible I've only got the 1 thread.23:08
*** tqtran has quit IRC23:09
*** chrisshattuck has quit IRC23:10
*** rkrum has joined #openstack-keystone23:12
bknudsonwondering if someone can provide their python version in devstack or some working system?23:13
bknudsonii  python                                                      2.7.5-5ubuntu3                     amd64                              interactive high-level object-oriented language (default version)23:13
bknudsonthat's probably not good.23:13
*** tqtran has joined #openstack-keystone23:14
bknudsonbrowne: what version of python are you running keystone under?23:14
bknudsonPython 2.7.623:14
bknudsonpython --version says 2.7.623:14
bknudsonii  python2.7                         2.7.6-8ubuntu0.2                 amd64        Interactive high-level object-oriented language (version 2.7)23:15
brownewe use ubuntu 14.04, but with upgraded Python 2.7.1023:15
brownepython 2.7.6 doesn't support TLS 1.1/1.223:15
bknudsonwe've got apache in front of keystone23:16
brownePython 2.7.6 mostly useless for ldap support23:16
browneapache doesn't matter23:16
notmorganbknudson: yeah something odd there23:17
brownemost AD servers nowadays close down TLS 1.0 to comply with PCI-DSS23:17
notmorganbknudson: i'm about to revisit just writing a dogpile driver for pymemcache23:18
notmorganbknudson: it might solve the issue - or i can revisit taking over python-memcache and fixing it23:19
lbragstaddolphm i'm making more edits :(23:23
*** su_zhang has quit IRC23:23
lbragstaddolphm my wife is proof reading23:23
dolphmlbragstad: hopefully not to your patch :P23:32
*** jaugustine has quit IRC23:34
*** rcernin has quit IRC23:35
lbragstaddolphm ok - i'm done23:35
* lbragstad https://gist.github.com/lbragstad/ddfb10f9f9048414d1f781ba006e95d1#file-migration-md23:35
*** tonytan4ever has joined #openstack-keystone23:58
