Wednesday, 2016-11-02

*** guoshan has joined #openstack-keystone		00:03
*** jperry has joined #openstack-keystone		00:06
*** browne has quit IRC		00:09
*** iurygregory_ has joined #openstack-keystone		00:11
openstackgerrit	Merged openstack/keystoneauth: Add a service token wrapper https://review.openstack.org/384805	00:14
*** jerrygb has joined #openstack-keystone		00:17
*** adrian_otto has joined #openstack-keystone		00:17
openstackgerrit	Steve Martinelli proposed openstack/keystone: cache_on_issue default to true https://review.openstack.org/383333	00:18
openstackgerrit	Steve Martinelli proposed openstack/keystone: Allow running expand & migrate at the same time https://review.openstack.org/392320	00:19
*** jerrygb_ has joined #openstack-keystone		00:20
*** richm has joined #openstack-keystone		00:20
*** LamT__ has quit IRC		00:22
*** jerrygb has quit IRC		00:23
*** adrian_otto has quit IRC		00:28
*** agrebennikov has quit IRC		00:30
*** lamt has joined #openstack-keystone		00:30
openstackgerrit	Steve Martinelli proposed openstack/keystone: Switch fernet to be the default token provider. https://review.openstack.org/345688	00:31
openstackgerrit	Steve Martinelli proposed openstack/keystone: Switch fernet to be the default token provider. https://review.openstack.org/345688	00:33
*** kiran-r has quit IRC		00:43
*** kiran-r has joined #openstack-keystone		00:48
openstackgerrit	Tin Lam proposed openstack/keystone-specs: PCI-DSS Expired Password Users https://review.openstack.org/383832	00:50
*** jerrygb_ has quit IRC		00:52
openstackgerrit	Gage Hugo proposed openstack/keystone-specs: PCI-DSS Expired Password Users https://review.openstack.org/383832	00:57
*** hoangcx has joined #openstack-keystone		01:01
*** guoshan has quit IRC		01:05
*** Zer0Byte__ has quit IRC		01:10
openstackgerrit	Tin Lam proposed openstack/keystone-specs: PCI-DSS Expired Password Users https://review.openstack.org/383832	01:20
*** guoshan has joined #openstack-keystone		01:24
*** guoshan has quit IRC		01:31
*** guoshan has joined #openstack-keystone		01:32
ayoung	jamielennox, as I recall, termie -2ed that out of termieness	01:35
*** adrian_otto has joined #openstack-keystone		01:36
*** adrian_otto has quit IRC		01:38
jamielennox	ayoung: it was a giant patch from a fairly new contributor, i'm not bitter about it, but it was a good change	01:42
*** richm has quit IRC		02:00
*** jerrygb has joined #openstack-keystone		02:05
openstackgerrit	ChangBo Guo(gcb) proposed openstack/oslo.policy: Add missing parameter description in module _cache_handler https://review.openstack.org/387917	02:39
stevemar	ayoung: jamielennox what did he -2?	02:44
jamielennox	stevemar: oh, a test refactor i did years ago	02:45
stevemar	ah	02:45
ayoung	stevemar, and it was out of spite, too. Just nasty	02:46
ayoung	He was concerned about things getting overly complicated, and didn't want the tests moved out of the top level directory (they were not under keystone/keystone back then) either	02:47
ayoung	then he disappeared	02:47
stevemar	:)	02:47
stevemar	good times	02:47
ayoung	jamielennox, did you catch my whole spiel during the meeting today?	02:48
jamielennox	ayoung: no i haven't looked at the meeting this morning	02:48
ayoung	I think I have a solution to most of the remaining issues with RBAC split from the rest of policy	02:48
jamielennox	ayoung: have been distracted	02:48
ayoung	You;ll either love it or hate it	02:48
ayoung	but it does remove the need to return the role with the failed attempt.	02:49
ayoung	https://review.openstack.org/#/c/391624/	02:49
jamielennox	if it's what i think it is, it was something i had involved in reservations and has a huge caching problem	02:49
ayoung	I know you want to Nuke Policy from Orbit, and this does not do that	02:49
ayoung	no. no caching	02:49
ayoung	the role check is in Keystone	02:49
ayoung	you pass the URL to Keystone to do the role check	02:50
ayoung	I added 2 params to the token validate call	02:50
ayoung	service=compute and then the URL itself	02:50
stevemar	nuke policy from orbit, thats pretty much what i want to do	02:50
ayoung	then use routes.Mapping style matching to figure out what rule to apply	02:51
openstackgerrit	Steve Martinelli proposed openstack/keystone: cache_on_issue default to true https://review.openstack.org/383333	02:51
jamielennox	this is kind of what alexander wanted right? actually do the policy check in keytsone	02:52
ayoung	jamielennox, Oh and I added verb=PUT too	02:52
ayoung	jamielennox, yeah, I think so	02:52
ayoung	I have trouble understanding his writing. Let me go look at his again,	02:52
jamielennox	so at least with reservations i combined that step with token validate, because there's no reason to ask keystone for the token info and then ask it again to validate the roles in the tokne	02:53
ayoung	I think he was going further than I was	02:53
ayoung	jamielennox, that was why I put it all into the validate_token call	02:54
ayoung	curl	02:54
ayoung	-H "X-Auth-Token: 3d0b48b7bcdd" \	02:54
ayoung	-H "X-Subject-Token: adb5c708a55f" \	02:54
ayoung	-H "Content-type: application/json" \	02:54
ayoung	-H "X-Request-URL: https://nova1:8774/v2.1/2497f6/servers/83cbdc \	02:54
ayoung	GET \	02:54
ayoung	https://keystone1:35357/v3/auth/tokens?service=compute&verb=PUT&nocatalog=True	02:54
ayoung	I put the request URL in a header for security reasons	02:55
openstackgerrit	Adrian Turjak proposed openstack/keystone-specs: User self management of TOTP credentials https://review.openstack.org/345705	02:55
ayoung	the others go as Request Params	02:55
ayoung	doing it as a POST would probably be better, but I didn't want to add a new API	02:56
ayoung	jamielennox, the actual enforcement would be based on the role inference rules.	02:56
openstackgerrit	Adrian Turjak proposed openstack/keystone-specs: User self management of TOTP credentials https://review.openstack.org/345705	02:56
*** dave-mccowan has quit IRC		02:57
jamielennox	so middleware is only passing url and standard http things	02:57
jamielennox	so still a owner problem, but not a big deal	02:57
ayoung	so what we would have to set up would be rules like: Member implies "COMPUTE PUT /v2.1/{id}/servers/{id}"	02:57
ayoung	owner (scoping) is still done by existing policy mechanism	02:58
jamielennox	yep	02:58
ayoung	and we work to move that into code like Nova did	02:58
jamielennox	so reservations used something like this extensively	02:58
jamielennox	and the killer for reservations (after being unnecessary) was it was uncacheable	02:58
ayoung	If horizon wants to query operations for a role, they can use the Keystone API now to do it, or what roles are needed for an operation	02:58
jamielennox	also horizon needs a bulk query - not a one off	02:59
ayoung	not as restful as what we discussed this summit, but should make the security-concerns go away	02:59
ayoung	yep	02:59
ayoung	so nova would have a single config file that gets uploaded with a bunch of rules in it	03:00
ayoung	and then the admins can modify those as they see fit	03:00
jamielennox	so my version of this always maintained an out of band policy check for this rather that do it via keystone	03:01
*** iurygregory_ has quit IRC		03:02
jamielennox	mostly cause i don't mind if keysotne controls this and i didn't want to figure out the policy API :)	03:02
ayoung	You OK with this approach, then?	03:02
ayoung	We can axe the policy API	03:02
ayoung	I am not going to use it	03:02
ayoung	this is going to be an extension of the roles API	03:02
jamielennox	so i mean the high level concept is always what we've been moving towards, auth_token=PEP, something else=PDP	03:04
jamielennox	and we should be calling that from either auth_token middleware or another middleware	03:04
jamielennox	i'm not sure that something else should be keystone or something a bit faster	03:04
ayoung	But faster is getting it down to one remote call, no?	03:05
jamielennox	mostly i've been trying to encourage things to move in that direction, split role enforcement from owner enforcement and hopefully move people to url based policy enforcement	03:05
jamielennox	depends	03:05
ayoung	this does all that	03:05
jamielennox	depends how heavily your deployment utilizes token caching	03:06
jamielennox	and my understanding is most do it a lot	03:06
ayoung	yeah, we'd have to deal with that	03:06
jamielennox	so you can cache tokens and then do the call independantly if you can speed up the policy	03:07
jamielennox	or you can do it all in one step	03:07
ayoung	the case that would hurt is where the same token is used for multiple, different calls	03:07
jamielennox	yep	03:07
ayoung	for the same call, we could cache. We could also optimize the cache on keystone for rapid subsequent calls of the same token but different URLs	03:08
jamielennox	i think the exact same call is unlikely when you starting putting object ids in the url	03:09
ayoung	hmmm....we could do the URL to pattern parsing in middleware, to strip out the object IDs	03:10
*** adrian_otto has joined #openstack-keystone		03:10
jamielennox	did i have this conversation with you at summit or someone else?	03:10
ayoung	someone else	03:10
jamielennox	the problem with regexp in middleware is there's no way to make it a key lookup	03:10
jamielennox	so you have to scan big lists of urls to do policy match via url	03:10
ayoung	right...I say punt on caching for the first approximation	03:11
ayoung	actually, the same problem exists in Keystone. And, since the services need to do it a second time for the actual logic, we pay twice for it	03:11
ayoung	I don;'t know how to work around that, though	03:11
ayoung	I mean, in Keystone we could optimize...	03:12
ayoung	but that is cheating	03:12
jamielennox	right, but if you intermingle that regexp policy list with token validation and remove caching i don't know if we can handle the performance hit	03:12
jamielennox	hence my last proposal was token caching and small localized policy enforce checks	03:12
jamielennox	but we have no data for any of this	03:13
jamielennox	i'll admit i was hoping in like 6 months or so i'd have a nice big platform to test this sort of thing out on, and i won't anymore	03:14
ayoung	yeah	03:16
ayoung	well, distributed Keystone should be a reality for this	03:16
*** jperry has quit IRC		03:16
jamielennox	ayoung: my point is - i don't disagree and i think something like this is the right way to do dynamic policy there are just some big performance issues here that we haven't had to deal with yet	03:17
jamielennox	i'm not sure keystone today can handle it	03:17
ayoung	Do you really think that many tokens hit cache? I guess they probably do in Horizon driven workloads	03:18
jamielennox	but i think everything we're doing is working towards this, splitting role & url enforcement from ownership enforcement	03:18
jamielennox	i think they do	03:19
ayoung	So we are going to hammer Keystone in the token validation pipeline	03:19
jamielennox	everyone complains about CLI not reusing tokens (being fixed), but most communication is done service to service and they should be fairly good at token reuse	03:19
ayoung	knowing that two URLs would hit the same policy rule would go a long way to mitigate the hammer	03:20
ayoung	or that any two APIs hit the same role, for that matter	03:20
ayoung	the validation could pass back a set of matching patterns and say "these all would match, too"	03:21
jamielennox	this is the sort of thing i thought we could control better via a unix socket or something to a local process rather than stick it all on a request	03:24
ayoung	is a remote call to Keystone with a cache that much worse? I guess we hit apache and the whole wsgi pipeline there	03:26
jamielennox	depends	03:26
jamielennox	a) i don't know	03:26
openstackgerrit	ayoung proposed openstack/keystone-specs: Token Verify Role Check https://review.openstack.org/391624	03:26
jamielennox	b) in my mind this was a small dedicated, possibly not python process that did local communications from in-memory policy info	03:27
ayoung	We could still do that. Maybe as a performance tune afterwards	03:27
jamielennox	policy distribution was handling internally in any number of ways	03:27
ayoung	All the info we want is still queryable	03:27
ayoung	the service already has the token's auth data	03:28
ayoung	so the local process queries the rules from Keystone and applies them locally	03:28
ayoung	Phase 2 that as a performance tune	03:28
jamielennox	it's a different model though	03:29
jamielennox	whether you put it as token validation or a seperate step	03:29
ayoung	Well, there is the possiblity that the first token validation would fail due to RBAC but that is not a deal breaker	03:30
ayoung	we could provide sufficient information to the service so it knows the difference, and does not try to re-validate if the token itself is bad	03:30
ayoung	Don't seriously see that as a problem, though	03:31
ayoung	OK...off to bed. THanks for the input.	03:37
*** markvoelker has quit IRC		03:41
*** lifeless has quit IRC		03:41
jamielennox	ayoung: lots more to talk about	03:42
*** lifeless has joined #openstack-keystone		03:42
*** g2[cubs-ATL] is now known as g2		03:48
*** lamt has quit IRC		03:48
*** nicolasbock has quit IRC		03:59
*** guoshan has quit IRC		04:03
morgan_	jamielennox: you're still on the other side of the world eh... I can tell because youre talking at weird times west coast.	04:12
jamielennox	morgan_: i'm in my regular timezone	04:12
jamielennox	so yes, the otherside of the world, but not the otherside of the world i was in last week :)	04:13
jamielennox	morgan_: oh! i'm going to be in portland on sunday/monday - beer?	04:14
*** jerrygb has quit IRC		04:19
*** ravelar has joined #openstack-keystone		04:21
*** jerrygb has joined #openstack-keystone		04:24
*** chlong has quit IRC		04:24
*** ravelar has quit IRC		04:26
*** ravelar has joined #openstack-keystone		04:27
*** ravelar has quit IRC		04:31
*** markvoelker has joined #openstack-keystone		04:42
*** markvoelker has quit IRC		04:48
morgan_	jamielennox: i fly out on Tuesday, but yes. beer in PDX on sunday	04:52
jamielennox	morgan_: great - i'm flying out tuesday too, i'll let you know what's happening, catching up with greg and others for some time too	04:53
morgan_	jamielennox: nice.	04:53
morgan_	yeah def ping me	04:54
*** hoangcx has quit IRC		04:54
jamielennox	morgan_: got a whatsapp or hangouts or something?	04:54
morgan_	yeah hangouts and whatsapp	04:55
jamielennox	morgan_: or i can twitter dm i guess. i need to figure out a better phone IRC than i have	04:55
morgan_	twtter = badd choice too	04:55
morgan_	use sms, whatsapp, or hangouts	04:55
jamielennox	morgan_: msg me a phone number	04:55
morgan_	just did	04:55
jamielennox	morgan_: cool, msg sent, i wasn't planning on having data - didn't expect to need it - but i'll let you know what's happening	04:58
morgan_	greg can also poke at me	04:58
*** jerrygb has quit IRC		05:03
*** guoshan has joined #openstack-keystone		05:03
*** jerrygb has joined #openstack-keystone		05:06
*** guoshan has quit IRC		05:07
*** sheel has joined #openstack-keystone		05:33
*** jerrygb has quit IRC		05:53
*** jerrygb has joined #openstack-keystone		05:57
*** guoshan has joined #openstack-keystone		06:04
*** guoshan has quit IRC		06:09
*** adriant has quit IRC		06:11
*** guoshan has joined #openstack-keystone		06:21
*** jerrygb has quit IRC		06:22
openstackgerrit	NITIN GUPTA proposed openstack/keystone: Added test cases for hints https://review.openstack.org/388541	06:23
*** jerrygb has joined #openstack-keystone		06:27
*** namnh has joined #openstack-keystone		06:27
*** adrian_otto has quit IRC		06:37
*** markvoelker has joined #openstack-keystone		06:44
*** dikonoor has joined #openstack-keystone		06:47
*** dikonoor has quit IRC		06:48
*** markvoelker has quit IRC		06:50
*** rcernin has joined #openstack-keystone		06:50
*** dikonoor has joined #openstack-keystone		06:53
*** tobberydberg has joined #openstack-keystone		07:01
*** LiYuenan has joined #openstack-keystone		07:01
*** jerrygb has quit IRC		07:06
*** belmoreira has joined #openstack-keystone		07:09
*** jerrygb has joined #openstack-keystone		07:10
*** tesseract has joined #openstack-keystone		07:17
*** tesseract is now known as Guest48712		07:17
openstackgerrit	Abhishek Kekane proposed openstack/keystoneauth: Log request-id for each api call https://review.openstack.org/392442	07:30
*** jerrygb has quit IRC		07:42
*** jerrygb has joined #openstack-keystone		07:46
*** openstackgerrit has quit IRC		07:48
*** openstackgerrit has joined #openstack-keystone		07:48
*** jerrygb_ has joined #openstack-keystone		07:50
*** jerrygb has quit IRC		07:52
*** jerrygb has joined #openstack-keystone		07:56
*** jerrygb_ has quit IRC		07:58
*** zzzeek has quit IRC		08:00
*** zzzeek has joined #openstack-keystone		08:01
*** jerrygb has quit IRC		08:08
*** pcaruana has joined #openstack-keystone		08:09
*** markvoelker has joined #openstack-keystone		08:13
*** jerrygb has joined #openstack-keystone		08:13
*** markvoelker has quit IRC		08:19
*** jerrygb_ has joined #openstack-keystone		08:27
*** xek__ is now known as xek		08:28
*** jerrygb has quit IRC		08:29
*** mdovgal has quit IRC		08:42
*** jaosorior has joined #openstack-keystone		08:45
*** jpich has joined #openstack-keystone		08:47
*** haplo37 has quit IRC		08:51
*** haplo37_ has joined #openstack-keystone		08:54
*** GB21 has joined #openstack-keystone		08:55
*** jerrygb_ has quit IRC		09:08
*** jerrygb has joined #openstack-keystone		09:12
*** jaosorior has quit IRC		09:14
*** jaosorior has joined #openstack-keystone		09:14
*** GB21 has quit IRC		09:15
*** kiran-r has quit IRC		09:23
openstackgerrit	NITIN GUPTA proposed openstack/keystone: Add test cases for passing "None" as a hint https://review.openstack.org/388541	09:38
*** markvoelker has joined #openstack-keystone		09:41
*** markvoelker has quit IRC		09:46
*** jaosorior has quit IRC		09:48
*** guoshan has quit IRC		09:48
*** jaosorior has joined #openstack-keystone		09:49
*** guoshan has joined #openstack-keystone		09:49
*** jerrygb has quit IRC		09:54
*** jerrygb has joined #openstack-keystone		09:58
*** jaosorior is now known as jaosorior_lunch		10:08
*** LiYuenan has quit IRC		10:21
*** guoshan has quit IRC		10:28
openstackgerrit	NITIN GUPTA proposed openstack/keystone: Add test cases for passing "None" as a hint https://review.openstack.org/388541	10:38
*** guoshan has joined #openstack-keystone		10:46
*** namnh has quit IRC		10:48
*** pnavarro has joined #openstack-keystone		11:00
*** GB21 has joined #openstack-keystone		11:15
*** nicolasbock has joined #openstack-keystone		11:15
*** jaosorior_lunch is now known as jaosorior		11:21
*** daemontool has joined #openstack-keystone		11:25
*** GB21 has quit IRC		11:33
*** Administrator__ has quit IRC		11:34
*** Administrator__ has joined #openstack-keystone		11:35
*** dave-mccowan has joined #openstack-keystone		11:35
*** zhugaoxiao has joined #openstack-keystone		11:37
*** Administrator__ has quit IRC		11:40
*** markvoelker has joined #openstack-keystone		11:42
openstackgerrit	NITIN GUPTA proposed openstack/keystone: Add test cases for passing "None" as a hint https://review.openstack.org/388541	11:45
*** jperry has joined #openstack-keystone		11:46
*** markvoelker has quit IRC		11:46
*** guoshan has quit IRC		11:56
*** guoshan has joined #openstack-keystone		12:08
*** jperry has quit IRC		12:10
*** edmondsw has joined #openstack-keystone		12:21
*** jvarlamova has quit IRC		12:34
*** jvarlamova has joined #openstack-keystone		12:34
*** markvoelker has joined #openstack-keystone		12:41
*** jerrygb has quit IRC		12:42
*** jerrygb has joined #openstack-keystone		12:45
*** sheel has quit IRC		13:00
*** haplo37_ has quit IRC		13:07
*** haplo37_ has joined #openstack-keystone		13:09
*** prashkre has joined #openstack-keystone		13:14
*** jperry has joined #openstack-keystone		13:18
*** iurygregory_ has joined #openstack-keystone		13:29
*** ktychkova has joined #openstack-keystone		13:34
*** agrebennikov has joined #openstack-keystone		13:38
*** adrian_otto has joined #openstack-keystone		13:39
openstackgerrit	ayoung proposed openstack/keystone-specs: Token Verify Role Check https://review.openstack.org/391624	13:40
*** adrian_otto1 has joined #openstack-keystone		13:41
*** rodrigods has quit IRC		13:43
*** rodrigods has joined #openstack-keystone		13:43
*** adrian_otto has quit IRC		13:44
jvarlamova	@dolphm Hi Dolph! Could you please tell what are plans of the Keystone community regarding multinode grenade job for upgradability testing? Is anyone already working on it?	13:46
*** adrian_otto1 has quit IRC		13:47
*** adrian_otto has joined #openstack-keystone		13:48
*** edtubill has joined #openstack-keystone		13:49
*** LamT__ has joined #openstack-keystone		13:51
*** jaosorior has quit IRC		13:53
*** guoshan has quit IRC		14:00
*** GB21 has joined #openstack-keystone		14:01
lbragstad	jvarlamova o/	14:05
jvarlamova	lbragstad: hi	14:05
lbragstad	jvarlamova dolphm is out for the rest of the week - but I don't think he has anything laid down yet for the multinode stuff	14:06
lbragstad	jvarlamova (i'm kind of illiterate when it comes to the multi-node grenade approach) did you have any approaches in mind on how you'd start?	14:07
*** guoshan has joined #openstack-keystone		14:09
*** chris_hultin\|AWA is now known as chris_hultin		14:11
*** bjolo_ has joined #openstack-keystone		14:12
openstackgerrit	NITIN GUPTA proposed openstack/keystone: Add test cases for passing "None" as a hint https://review.openstack.org/388541	14:16
lbragstad	stevemar your pki patch merged ;)	14:19
stevemar	lbragstad: i noticed!	14:19
stevemar	lbragstad: i was kinda surprised )	14:19
stevemar	:)	14:19
lbragstad	me too	14:19
lbragstad	in a good way	14:19
lbragstad	I was wondering why all my token refactor patches had merge conflicts	14:20
stevemar	:)	14:20
knikolla	o/	14:21
jvarlamova	lbragstad: This need to be discussed:) We cannot test Keystone in the same way as other projects. Probably we need to deploy multi-controller OpenStack with 2 Keystones and then upgrade one of them. But I saw discussion http://lists.openstack.org/pipermail/openstack-dev/2016-February/085781.html, it was an idea of just testing how Keystone stable works with master DB. Maybe it would be enough? What's your opinion?	14:22
*** guoshan has quit IRC		14:23
openstackgerrit	Lance Bragstad proposed openstack/keystone: Remove format_token method https://review.openstack.org/389364	14:30
openstackgerrit	Lance Bragstad proposed openstack/keystone: Remove issue_v2_token https://review.openstack.org/386762	14:30
openstackgerrit	Lance Bragstad proposed openstack/keystone: Remove metadata from token provider https://review.openstack.org/389365	14:30
openstackgerrit	Lance Bragstad proposed openstack/keystone: Remove issue_v3_token in favor of issue_token https://review.openstack.org/386837	14:30
openstackgerrit	Lance Bragstad proposed openstack/keystone: Clarify the v2.0 validation path https://review.openstack.org/389366	14:30
openstackgerrit	Lance Bragstad proposed openstack/keystone: Use issue_v3_token instead of issue_v2_token https://review.openstack.org/386665	14:30
openstackgerrit	Lance Bragstad proposed openstack/keystone: refactor the token controller https://review.openstack.org/386726	14:30
openstackgerrit	Lance Bragstad proposed openstack/keystone: Remove the v2.0 validate path from validate_token https://review.openstack.org/389371	14:30
lbragstad	jvarlamova that sounds like it would work	14:31
lbragstad	jvarlamova the multi-node testing it only testing master -1 and upgrading to master, right?	14:31
*** daemontool has quit IRC		14:31
*** daemontool has joined #openstack-keystone		14:32
lbragstad	er.. latest stable branch and upgrading it to master	14:33
openstackgerrit	Lance Bragstad proposed openstack/keystone: Move V2TokenDataHelper to the v2.0 controller https://review.openstack.org/389383	14:34
jvarlamova	lbragstad: <the multi-node testing it only testing master -1 and upgrading to master, right> yes, master-1, and master	14:35
jvarlamova	lbragstad: <that sounds like it would work> do you mean multi-node testing?	14:36
*** narasimha_SV has joined #openstack-keystone		14:37
lbragstad	jvarlamova right - from an infrastructure perspective I think all we would need would be a controller node (with all default services enabled - assuming keystone is in that list) and another devstack node (that really only just needs keystone, mysql, etc enabled)	14:38
lbragstad	then the bits to tie the two together	14:38
*** dikonoor has quit IRC		14:40
dstanek	jvarlamova: I think that's a good start	14:40
*** prashkre has quit IRC		14:41
*** jaosorior has joined #openstack-keystone		14:41
*** dmellado is now known as dmellado\|lunch		14:42
lbragstad	luckily - keystone doesn't require other services in order to run... so standing up the second node shouldn't be too bad	14:43
morgan_	lbragstad: heh.	14:43
morgan_	lbragstad: famous last words	14:43
lbragstad	morgan_ i know, right?	14:43
lbragstad	"they said it would be easy" - http://www.memecreator.org/static/images/templates/1321291.jpg	14:45
*** guoshan has joined #openstack-keystone		14:48
jvarlamova	lbragstad: <a controller node (with all default services enabled - assuming keystone is in that list) and another devstack node (that really only just needs keystone, mysql, etc enabled)> agree	14:49
lbragstad	jvarlamova do you know if the multi-node deployments are orchestrated with something?	14:49
lbragstad	like ansible?	14:49
dstanek	morgan_: you're a debbie downer	14:53
morgan_	dstanek: shhhhhhhhh	14:53
jvarlamova	lbragstad: actually I don't know. But I could create a BP related to multinode job and start doing investigation in this direction.	14:53
lbragstad	jvarlamova that would be awesome	14:56
jvarlamova	lbragstad: ok	14:56
lbragstad	jvarlamova thanks for taking the initiative on this :)	14:56
lbragstad	jvarlamova dolphm has an interest in this work, too.. but he'll be back on Monday I think	14:56
jvarlamova	lbragstad: no problem	14:57
*** daemontool has quit IRC		14:58
*** guoshan has quit IRC		14:59
jvarlamova	lbragstad: I'll get in touch with him on Monday	15:01
lbragstad	jvarlamova great!	15:01
*** Zer0Byte__ has joined #openstack-keystone		15:03
*** sdoherty has joined #openstack-keystone		15:11
*** sdoherty has left #openstack-keystone		15:12
*** browne has joined #openstack-keystone		15:13
*** guoshan has joined #openstack-keystone		15:13
*** ravelar has joined #openstack-keystone		15:13
*** woodster_ has joined #openstack-keystone		15:21
*** guoshan has quit IRC		15:23
openstackgerrit	OpenStack Proposal Bot proposed openstack/oslo.policy: Updated from global requirements https://review.openstack.org/392810	15:39
openstackgerrit	OpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/392821	15:40
*** woodburn has joined #openstack-keystone		15:46
*** dmellado\|lunch is now known as dmellado		15:47
*** Zer0Byte__ has quit IRC		15:48
*** adrian_otto has quit IRC		15:53
*** adrian_otto has joined #openstack-keystone		16:01
*** narasimha_SV has quit IRC		16:01
*** tobbery__ has joined #openstack-keystone		16:02
*** adrian_otto has quit IRC		16:02
*** anushkrishnamurt has joined #openstack-keystone		16:02
*** tobberydberg has quit IRC		16:06
*** pcaruana has quit IRC		16:06
*** tobbery__ has quit IRC		16:06
openstackgerrit	Richard Avelar proposed openstack/keystone: Remove unused statements in matches https://review.openstack.org/387548	16:09
*** rcernin has quit IRC		16:09
*** spilla has joined #openstack-keystone		16:13
*** adrian_otto has joined #openstack-keystone		16:22
*** jaosorior has quit IRC		16:28
*** bjolo_ has quit IRC		16:31
openstackgerrit	David Stanek proposed openstack/keystone: Add test cases for passing "None" as a hint https://review.openstack.org/388541	16:33
*** Guest48712 has quit IRC		16:34
lbragstad	breton are you still working https://bugs.launchpad.net/python-keystoneclient/+bug/1520244 ?	16:35
openstack	Launchpad bug 1520244 in python-keystoneclient "flag "truncated" in responses to list operations is not supported" [Medium,Triaged] - Assigned to Boris Bobrov (bbobrov)	16:35
lbragstad	breton or can I unassign in case someone else has bandwidth to pick it up?	16:36
*** dikonoor has joined #openstack-keystone		16:36
dstanek	^ that one should be a relatively easy one	16:36
breton	lbragstad: yes, i do. But we decided that i will wait for https://review.openstack.org/#/c/267456/	16:37
*** pnavarro has quit IRC		16:38
lbragstad	breton got it - was that something that was decided at the summit?	16:39
lbragstad	or was that in a meeting?	16:39
*** ayoung has quit IRC		16:40
breton	lbragstad: we decided it... a year ago in a meeting	16:40
*** anushkrishnamurt has quit IRC		16:40
lbragstad	breton ah - cool	16:41
lbragstad	so https://review.openstack.org/#/c/267456/ will have to be a prerequisite for fixing that bug?	16:41
breton	lbragstad: kinda. I'll take the same approach as there.	16:41
lbragstad	will https://review.openstack.org/#/c/267456/ close that bug?	16:42
breton	lbragstad: no.	16:43
*** LamT__ has quit IRC		16:52
*** belmoreira has quit IRC		16:53
openstackgerrit	David Stanek proposed openstack/keystone: Add test cases for passing "None" as a hint https://review.openstack.org/388541	16:56
openstackgerrit	Richard Avelar proposed openstack/keystone: Fix test_revoke to run all tests after pki removal https://review.openstack.org/392883	16:56
openstackgerrit	Richard Avelar proposed openstack/keystone: Fix test_revoke to run all tests after pki removal https://review.openstack.org/392883	16:58
*** xarses has joined #openstack-keystone		17:01
*** LamT__ has joined #openstack-keystone		17:02
openstackgerrit	Steve Martinelli proposed openstack/python-keystoneclient: Support domain-specific configuration management https://review.openstack.org/358770	17:03
stevemar	lbragstad: thanks for updating the domain config bug	17:04
*** ravelar has quit IRC		17:04
stevemar	rodrigods: fyi -- https://review.openstack.org/#/c/358770/ needs an update to functional tests	17:04
xarses	I'm having some problems with the openstack client and auth under a v3 policy highly similar to https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json. I can auth the user with --os-user-domain and it can do admin operations, but the compute endpoint is missing from catalog, where if I include --os-project-name it is, but then I can't do admin things with out building another auth context.	17:09
*** adrian_otto has quit IRC		17:11
knikolla	stevemar: about removing ldap write support, any ideas on the approach to take about unit tests? i've been slowly poking at it for a while now but layer upon layer of the unit tests assumes write access to the identity_api.	17:11
xarses	Just to be extra annoying, the openstack client --debug between me and a co-worker, on the same host, with the same creds and evn (ostensibly) theirs will print the body of the token response, and mine will not	17:11
*** jaosorior has joined #openstack-keystone		17:13
knikolla	going all the way down to core.py https://github.com/openstack/keystone/blob/master/keystone/tests/unit/core.py#L747	17:14
openstackgerrit	Merged openstack/oslo.policy: Updated from global requirements https://review.openstack.org/392810	17:15
openstackgerrit	David Stanek proposed openstack/keystone: Add test cases for passing "None" as a hint https://review.openstack.org/388541	17:18
openstackgerrit	Merged openstack/keystoneauth: Updated from global requirements https://review.openstack.org/392733	17:19
*** harlowja has quit IRC		17:21
*** Marcellin__ has joined #openstack-keystone		17:30
dstanek	knikolla: you will probably have to fake the write access in the setup	17:32
knikolla	dstanek: subclass a writeable driver, or monkeypatch?	17:35
openstackgerrit	Kam Nasim proposed openstack/keystone: Network conn timeout on Identity LDAP backend https://review.openstack.org/390948	17:37
morgan_	dstanek: i'd argue the answer is break out the ldap write tests	17:37
morgan_	dstanek: and only run them on SQL/non-ldap	17:37
morgan_	dstanek: rather than "mocking" write capability	17:37
morgan_	knikolla: ^ cc	17:37
morgan_	erm the identiy write tests	17:38
morgan_	also lining things into setUp instead of calling identity_api	17:38
morgan_	so it does direct writes in the case of LDAP setup	17:39
knikolla	morgan_: that was my approach too, but even load_fixtures expects to be able to call create_users	17:39
morgan_	knikolla: work around it. if you need to install data in fixtures, directly populate the data.	17:40
dstanek	morgan_: you'll still need to write data somehow in order to read it	17:42
morgan_	i am not sure the best plan though. you could mock it out but... i think that we should work to provide a way to directly populate	17:42
morgan_	not assuming you have write access via identity_api	17:42
openstackgerrit	Kam Nasim proposed openstack/keystone: Network conn timeout on Identity LDAP backend https://review.openstack.org/390948	17:43
dstanek	my though is that the tests would create a "fake" implementation of the API that would populate the data store	17:43
dstanek	we already have an api for adding the data - we just don't have a way to do it in this particular case	17:43
lbragstad	stevemar no problemo	17:44
*** harlowja has joined #openstack-keystone		17:44
openstackgerrit	Merged openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/392821	17:45
*** jpich has quit IRC		17:47
knikolla	dstanek: will see what i can do. i'll poke at it longer and then maybe add it to next weeks agenda.	17:48
dstanek	knikolla: which review is it?	17:49
*** pnavarro has joined #openstack-keystone		17:50
knikolla	dstanek: https://review.openstack.org/#/c/374482/	17:50
dstanek	knikolla: another option is to override load_fixtures to preload the backend	17:50
knikolla	dstanek: steve's orignal attempt removed every single line of ldap code related to writing. most of that will probably have to go back in if we're mocking.	17:50
openstackgerrit	Merged openstack/keystone: Updated from global requirements https://review.openstack.org/392732	17:51
*** ravelar has joined #openstack-keystone		17:52
stevemar	knikolla: yeah, my bad. i went down the rabbit hole way too far	17:54
stevemar	knikolla: sucks that we'll need to leave code around only for setting up data for tests	17:55
knikolla	stevemar: no worries. if we could preload the fixtures we might avoid that. ldapdb is faked in sql right?	17:56
morgan_	knikolla: afaik in memory	17:56
morgan_	not in sql	17:56
morgan_	but... i also might be mis-remembering	17:57
*** dikonoor has quit IRC		17:58
knikolla	morgan_: you're right. it's shelve	17:59
morgan_	knikolla: so, it should be possible to at least maintain part of the fixture (move the write bits into the fixture?)	18:00
*** andreww has joined #openstack-keystone		18:01
knikolla	morgan_: by moving into the fixture you mean load the fixture already written?	18:02
morgan_	knikolla: make the fixture handle the write, if the backend is lddapdb, write via the methods to handle writes	18:03
morgan_	or make the fixture mock ldapdb write interactions	18:03
morgan_	you don't want to globally mock write or keep the write capabilities in the dirver	18:03
morgan_	otherwise you end up with possible continued write in production	18:04
morgan_	or partial wtites	18:04
*** xarses has quit IRC		18:04
dstanek	i don't know that the fixture should mock the write api - that's better done with a fake implementation	18:04
morgan_	ideally we would populate the SQL and shelve data independant of identity_api unless you are explicitly testing write functionality	18:04
dstanek	a fake impl wouldn't have be be at detailed at the code we are deleting	18:04
* morgan_ shrugs		18:05
*** haplo37_ has quit IRC		18:05
*** haplo37_ has joined #openstack-keystone		18:08
* knikolla going for lunch		18:08
knikolla	i have enough info to give it another go after lunch	18:09
*** adriant has joined #openstack-keystone		18:16
*** openstackgerrit has quit IRC		18:18
*** openstackgerrit has joined #openstack-keystone		18:18
*** andreww has quit IRC		18:21
*** GB21 has quit IRC		18:24
*** jperry has quit IRC		18:27
*** pnavarro has quit IRC		18:27
*** jperry has joined #openstack-keystone		18:28
openstackgerrit	Richard Avelar proposed openstack/keystone: Fix test_revoke to run all tests after pki removal https://review.openstack.org/392883	18:33
*** rocketballs has joined #openstack-keystone		18:40
*** rocketballs has left #openstack-keystone		18:45
*** jperry has quit IRC		18:52
*** jperry has joined #openstack-keystone		18:53
*** lamt has joined #openstack-keystone		19:04
*** prometheanfire has joined #openstack-keystone		19:06
*** knikolla has left #openstack-keystone		19:12
*** knikolla has joined #openstack-keystone		19:12
*** knikolla has left #openstack-keystone		19:13
*** andreww has joined #openstack-keystone		19:13
*** knikolla has joined #openstack-keystone		19:13
*** andreww has quit IRC		19:13
prometheanfire	roles are domain wide, admin in domain1 cannot view users in domain2?	19:14
prometheanfire	or if they can view, cannot change?	19:14
*** jerrygb has quit IRC		19:21
*** jerrygb has joined #openstack-keystone		19:22
stevemar	prometheanfire: roles are global actually	19:22
prometheanfire	ya, talking to dstanek about it now	19:23
prometheanfire	seems like I'm SOL	19:23
prometheanfire	dstanek: might as well talk here	19:25
prometheanfire	as far as I can tell roles are domain specific, but the admin role is still admin everywhere	19:26
*** jerrygb has quit IRC		19:26
dstanek	admin is more of a cloud admin	19:26
*** lamt has quit IRC		19:27
dstanek	this is something that i'm hoping our policy discussions will work out	19:27
*** ayoung has joined #openstack-keystone		19:34
*** ChanServ sets mode: +v ayoung		19:34
jamielennox	ergh, god i hate the request-id thing	19:35
jamielennox	having to log every link from request to created requests took an easy debugging idea and screwed it for everyone	19:37
*** jerrygb has joined #openstack-keystone		19:42
jamielennox	stevemar: does https://review.openstack.org/#/c/392442/1 seem reasonable to you? i want to ask someone because we are now going to add another debug log entry for every client request	19:43
jamielennox	"We have made these changes in python-glanceclient, python-cinderclient, python-novaclient and python-neutronclient." - gah, how is fixing keystoneauth so far down this list	19:44
*** rcernin has joined #openstack-keystone		19:45
stevemar	jamielennox: i'm not a huge fan of it	19:46
*** raj_singh has joined #openstack-keystone		19:46
jamielennox	stevemar: neither, but if its correct that they've already got those clients support, and have already put it through the ML	19:47
jamielennox	the only name i recognize from the mail chain is dhellmann who seems skeptical	19:47
*** dave-mcc_ has joined #openstack-keystone		19:47
jamielennox	ignoring the fact i don't like the code, they've done everything right it just seems to me it is a whole lot more logging	19:47
*** dave-mccowan has quit IRC		19:48
jamielennox	and god i hate the request-id linking thing	19:48
stevemar	uep	19:48
stevemar	yep	19:48
raj_singh	jamielennox: I have WIP spec up for Nova to use "Allow expired user token" functionality. https://review.openstack.org/#/c/387711	19:50
prometheanfire	it doesn't look like assigning admin to a group helps either	19:53
jamielennox	raj_singh: oh cool,	19:54
jamielennox	raj_singh: did you see https://review.openstack.org/#/c/384805/	19:54
raj_singh	looking	19:54
jamielennox	damn, looks like it just missed being a part of the last release	19:56
*** adrian_otto has joined #openstack-keystone		19:56
*** openstack has joined #openstack-keystone		19:58
raj_singh	jamielennox: Is there any functional test or sample to test the full path? Like creating a service token and passing it along with expired user token?	19:58
jamielennox	raj_singh: not really :)	19:58
jamielennox	raj_singh: do you have a WIP for nova?	19:58
jamielennox	if not i can do a full end-to-end	19:59
raj_singh	not yet, I will try to have something this week or early next week. I might ping you for some details around that.	19:59
jamielennox	raj_singh: ok, i was just thinking if you had something i would look at modifying that, but i can write you a script that will load and send stuff	20:00
raj_singh	jamielennox: that will be nice!	20:00
jamielennox	raj_singh: i'll try and get that done today and put it on a paste somewhere, you have an irc bouncer or want me to email you a link?	20:04
raj_singh	I do have a bouncer	20:04
jamielennox	cool, i'll just link you to it later then	20:05
raj_singh	But do shoot me an email on sarafraj.singh@intel.com if you don't mind	20:05
*** anushkrishnamurt has joined #openstack-keystone		20:05
jamielennox	ok	20:05
*** gagehugo has quit IRC		20:07
*** anushkrishnamurt has quit IRC		20:09
*** knikolla has left #openstack-keystone		20:11
*** knikolla has joined #openstack-keystone		20:11
*** xarses has joined #openstack-keystone		20:14
*** openstackgerrit has quit IRC		20:18
*** openstackgerrit has joined #openstack-keystone		20:18
*** kiran-r has joined #openstack-keystone		20:31
*** richm has joined #openstack-keystone		20:42
*** adrian_otto has quit IRC		20:45
*** adrian_otto has joined #openstack-keystone		20:47
*** adrian_otto has quit IRC		20:49
*** edmondsw has quit IRC		20:50
*** adrian_otto has joined #openstack-keystone		20:54
*** adrian_otto has quit IRC		20:55
*** adrian_otto has joined #openstack-keystone		20:56
openstackgerrit	Merged openstack/python-keystoneclient: Support domain-specific configuration management https://review.openstack.org/358770	20:59
* morgan_ looks around		21:00
* morgan_ eyes the review queue.		21:01
* morgan_ debates doing mass code review today		21:01
*** ravelar has quit IRC		21:09
*** xarses has quit IRC		21:12
andrewbogott	I'm trying to get role inheritance to work… would y'all expect any role set on a domain to be automatically inherited by projects in that domain, or are there other steps?	21:14
*** edtubill has quit IRC		21:16
openstackgerrit	Merged openstack/keystone: Fix test_revoke to run all tests after pki removal https://review.openstack.org/392883	21:16
*** tobberyd_ has joined #openstack-keystone		21:17
*** spilla has quit IRC		21:17
*** dave-mcc_ has quit IRC		21:24
stevemar	morgan_: lol	21:24
stevemar	morgan_: that is something you would do!	21:24
stevemar	anyone want to review a presentation i have to give tomorrow? :P	21:25
*** g2 is now known as g2[CUBS-ATL]		21:32
*** adrian_otto has quit IRC		21:34
knikolla	stevemar: what kind of presentation? lol	21:37
*** browne has quit IRC		21:41
stevemar	knikolla: presenting to university faculty and grad students, research ideas	21:49
stevemar	knikolla: i was given a rather vague set of requirements	21:49
stevemar	knikolla: "present about openstack"	21:49
*** Zer0Byte__ has joined #openstack-keystone		21:49
rodrigods	stevemar, knikolla lol	22:00
*** adrian_otto has joined #openstack-keystone		22:00
rodrigods	the university you've studied?	22:00
morgan_	stevemar: sorry... pass :P	22:01
*** jperry has quit IRC		22:02
*** harlowja has quit IRC		22:02
*** tobberyd_ has quit IRC		22:06
*** chris_hultin is now known as chris_hultin\|AWA		22:09
*** xarses has joined #openstack-keystone		22:09
*** adrian_otto has quit IRC		22:12
*** gyee has joined #openstack-keystone		22:14
*** Marcellin__ has quit IRC		22:18
*** browne has joined #openstack-keystone		22:23
*** flaper87 has quit IRC		22:29
*** LamT__ has quit IRC		22:32
*** adrian_otto has joined #openstack-keystone		22:33
knikolla	stevemar: that's very vague. good luck :P	22:36
knikolla	i still have no idea how to go about presenting openstack	22:37
*** xarses has quit IRC		22:39
*** xarses has joined #openstack-keystone		22:39
jlk	stevemar: I made this to present at a Python meetup, a generic OpenStack primer. http://slides.com/jessekeating/openstack-primer	22:44
jlk	aww, a link got broken	22:45
jlk	huh, hasn't aged well.	22:46
knikolla	jlk: looks pretty cool. though yeah, i can see from the old gerrit interface that it's pretty old.	22:48
*** kiran-r has quit IRC		22:49
*** gagehugo has joined #openstack-keystone		22:55
*** david-lyle has quit IRC		23:04
*** chris_hultin\|AWA is now known as chris_hultin		23:08
*** harlowja has joined #openstack-keystone		23:08
*** jaosorior has quit IRC		23:10
*** chris_hultin is now known as chris_hultin\|AWA		23:15
*** xarses has quit IRC		23:17
*** ravelar has joined #openstack-keystone		23:18
*** ravelar has quit IRC		23:23
*** agrebennikov has quit IRC		23:27
*** david-lyle has joined #openstack-keystone		23:30
*** rcernin has quit IRC		23:31
*** dave-mccowan has joined #openstack-keystone		23:31
*** gyee has quit IRC		23:39
*** gyee has joined #openstack-keystone		23:48

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!