Tuesday, 2017-01-03

openstackgerrit	Merged openstack/keystone: Updated from global requirements https://review.openstack.org/415965	00:04
*** chris_hultin\|AWA is now known as chris_hultin		00:10
samueldmq	jamielennox: hey, you around ?	00:19
jamielennox	samueldmq: yea	00:19
samueldmq	jamielennox: I was looking at bug 1616105	00:19
openstack	bug 1616105 in python-keystoneclient "Request of large files raises a MemoryError due to logging" [High,In progress] https://launchpad.net/bugs/1616105 - Assigned to Tobias Diaz (int-0)	00:19
samueldmq	jamielennox: I agree with you that, ideally, we should avoid getting MemoryError to figure out the response body is too big	00:19
samueldmq	jamielennox: however I can't see a way to do it, as content-length is not always provided :(	00:20
jamielennox	samueldmq: i know there is a patch up for this but i haven't seen it, also i think this got fixed in keystoneauth, but maybe not in ksc	00:20
jamielennox	ksc obvoiusly being less important now, and this is a harsh but effective way to get people to transfer over :)	00:21
jamielennox	so yea, by the time MemoryError is actually thrown you've exhausted your RAM, so it's kinda late to be handling it]	00:21
samueldmq	jamielennox: agreed, but comment 9 says the issue persists in ksa https://bugs.launchpad.net/python-keystoneclient/+bug/1616105/comments/9	00:21
openstack	Launchpad bug 1616105 in python-keystoneclient "Request of large files raises a MemoryError due to logging" [High,In progress] - Assigned to Tobias Diaz (int-0)	00:21
jamielennox	ah, ok	00:21
jamielennox	a related review (but not exactly) is https://review.openstack.org/#/c/392442/	00:22
jamielennox	which i've been avoiding because it seems like overkill - but apparently has been half accepted by other libs	00:23
jamielennox	samueldmq: so i'd happy path it	00:23
jamielennox	samueldmq: i would only print the response.text if response.content_type in ('application/json', 'application/text') and response.content_length < 300: or something	00:24
samueldmq	jamielennox: yes, I was looking at that one too. it's been there for ages	00:24
jamielennox	i'm not sure what the exact combination of content_types and length would be, but i think you'd be safe to only debug print a response that you know is good	00:24
jamielennox	and avoid anything else	00:24
jamielennox	i think debug prints the request body as well	00:25
samueldmq	jamielennox: that makes sense to me. if there is not enough information abotu the content, do not try to log, as it can be dangerous (MemoryError)	00:25
jamielennox	right, and if the request/response is ambiguous then it's find to print *body omitted* or something	00:25
jamielennox	samueldmq: this is part of a larger thing of mine in that i don't think we should be debug printing CURL statements anymore	00:26
jamielennox	they used to be useful, but now the tokens and other bits are obsfucated so you can't actually use the line any more	00:26
jamielennox	and you can't really parse them	00:26
samueldmq	jamielennox: hmm. so perhaps just logging what call is being made is enough	00:27
jamielennox	so i'd like to just change them to something meaningful you could read in a log file, but i'm not sure how many people that would break	00:27
samueldmq	as the details can't really be understood	00:27
jamielennox	samueldmq: i think you need the detaisl for actually debugging	00:27
jamielennox	like in json req/resp i sometimes want to know what was sent	00:27
jamielennox	but just do it in key: val form	00:28
samueldmq	jamielennox: just the headers ? or the body too ?	00:28
jamielennox	url: http://service.openstakc.com/v3	00:28
jamielennox	Content-Type: application/json	00:28
jamielennox	body: {...}	00:28
samueldmq	++	00:28
samueldmq	I'll put a patch up to get ride of that MemoryError	00:29
jamielennox	samueldmq: i think the headers, i'm not sure if we whitelist or blacklist there	00:29
samueldmq	the other part looks to be part of a larger discussion	00:29
jamielennox	probably blacklist because i don't know what headers the different services rely on, swifts are crazy	00:29
samueldmq	:)	00:29
jamielennox	yea, bigger discussion	00:30
jamielennox	samueldmq: which you're welcome to drive if you would like :)	00:30
samueldmq	jamielennox: well, why not, but I'd need to understand it better first	00:31
samueldmq	jamielennox: I don't have all that knowledge about clients yet (as you do) :)	00:31
jamielennox	maybe i can put up an email to the lists today and we can work on it from there, i think it'd be valuable	00:32
*** guoshan has joined #openstack-keystone		00:38
*** chris_hultin is now known as chris_hultin\|AWA		00:39
samueldmq	jamielennox: ++	00:39
*** hoangcx has joined #openstack-keystone		00:45
samueldmq	jamielennox: does CONTENT_LENGTH_THRESHOLD = 4096 make sense to you ?	00:50
*** david-lyle has joined #openstack-keystone		00:51
samueldmq	jamielennox: I don't have a good number in mind, so I thought the max length of browser cookie may make sense	00:51
jamielennox	samueldmq: probably? i don't know either	00:51
jamielennox	samueldmq: maybe just content-length is defined so you don't get anything streaming	00:52
samueldmq	jamielennox: that makes sense	00:52
jamielennox	samueldmq: it's a bit of a guess, but we're logging everything now so maybe noone cares	00:52
samueldmq	jamielennox: also, if we check content-type, I guess a stream would not be 'application/json' or 'application/text'	00:53
samueldmq	so just checking on content-type could be enough too	00:54
*** david-lyle has quit IRC		00:55
jamielennox	samueldmq: i'd be ok with that as a start	00:56
jamielennox	i thought i remembered requests doing some encoding checking or something based on content-length but i can't find it now	00:56
jamielennox	i think you can stream json, but i'm not aware of anyone who does	00:57
samueldmq	jamielennox: and I don't think openstack produces any json large enough to produce a MemoryError	00:58
jamielennox	samueldmq: yea, that probably is definitely that it tries to debug log an image	00:59
samueldmq	jamielennox: ++	00:59
jamielennox	samueldmq: i'm going to go down to the gym and try and redeem myself a little from christmas, and run the fedora upgrade while i'm gone	01:02
jamielennox	if i'm not back in an hour or so the upgrade has gone badly, or i've died	01:03
samueldmq	jamielennox: sure, enjoy. ttyl	01:03
samueldmq	jamielennox: you won't, lol	01:03
*** markvoelker has joined #openstack-keystone		01:05
*** jamielennox is now known as jamielennox\|away		01:05
*** oomichi has quit IRC		01:05
*** oomichi has joined #openstack-keystone		01:07
*** guoshan has quit IRC		01:08
*** markvoelker has quit IRC		01:09
*** oomichi has quit IRC		01:13
*** oomichi has joined #openstack-keystone		01:16
*** liujiong has joined #openstack-keystone		01:31
*** guoshan has joined #openstack-keystone		01:34
openstackgerrit	Merged openstack/oslo.policy: Remove dead code and use default value of argparse. https://review.openstack.org/411986	01:37
stevemar	jamielennox\|away: best of luck on the upgrade and not dying	01:43
*** markvoelker has joined #openstack-keystone		02:05
*** clayton has quit IRC		02:06
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/python-keystoneclient: Prevent MemoryError when logging responses https://review.openstack.org/359292	02:08
samueldmq	jamielennox\|away: stevemar ^ I will wait some feedback on ^ before proposing the fix against keystoneauth	02:08
*** markvoelker has quit IRC		02:10
*** chris_hultin\|AWA is now known as chris_hultin		02:18
*** jamielennox\|away is now known as jamielennox		02:19
jamielennox	samueldmq: i'd say keystoneauth is the priority and backport to ksc	02:20
samueldmq	jamielennox: agreed, just wanted you to take a glance and see if that solution is fine as I coded	02:21
*** clayton has joined #openstack-keystone		02:25
jamielennox	samueldmq: i added some comments but they're minor	02:27
samueldmq	jamielennox: kk thanks, I will apply them to my ksa patch first	02:29
*** chris_hultin is now known as chris_hultin\|AWA		02:29
jamielennox	upgrade seems to have gone fine, however fitness has suffered over the holidays	02:30
samueldmq	jamielennox: well, tomorrow, I need to sleep and 53 tests failed in ksa	02:30
samueldmq	jamielennox: need to provide content-type to the stub urls thing in tests :p	02:30
jamielennox	samueldmq: urg, i'd be happy to rip out the stub_url thing and just use requests_mock directly	02:30
jamielennox	it was a hangover from a much harder mocking setup which we probably don't need any more	02:31
jamielennox	(if that helps)	02:31
samueldmq	jamielennox: hmm, I'll take a look. but that will probably require changing much more code (because it includes almost all the tests)	02:31
jamielennox	yep, just if it helps	02:32
samueldmq	jamielennox: I'll take a look at it tomorrow	02:33
* samueldmq hits the sack		02:33
samueldmq	see you tomorrow keystoners o/	02:33
openstackgerrit	Merged openstack/keystone: Fix import ordering in tempest plugins https://review.openstack.org/413244	02:35
*** guoshan has quit IRC		02:45
*** david-lyle has joined #openstack-keystone		02:52
*** david-lyle has quit IRC		02:57
*** markvoelker has joined #openstack-keystone		03:06
*** markvoelker has quit IRC		03:10
*** dave-mccowan has joined #openstack-keystone		03:23
*** links has joined #openstack-keystone		03:28
*** links has quit IRC		03:34
*** clayton has quit IRC		03:34
*** hoangcx has quit IRC		03:34
*** links has joined #openstack-keystone		03:35
*** clayton has joined #openstack-keystone		03:35
*** hoangcx has joined #openstack-keystone		03:35
*** trananhkma has joined #openstack-keystone		03:58
*** udesale has joined #openstack-keystone		04:10
*** sheel has joined #openstack-keystone		04:20
*** dave-mccowan has quit IRC		04:22
* stevemar waves to jamielennox		04:36
jamielennox	stevemar: happy new year	04:36
stevemar	jamielennox: likewise sir	04:36
stevemar	i'm glad no one went overboard on keystone during the holidays :)	04:36
jamielennox	heh, i checked my laptop on like boxing day and saw somebody trying to pose a question	04:37
jamielennox	no response	04:37
*** edtubill has joined #openstack-keystone		04:38
*** gagehugo has quit IRC		04:39
*** edtubill has quit IRC		04:42
*** gus has joined #openstack-keystone		04:44
stevemar	jamielennox: yah, saw someone ask a question on xmas, that was gonna fail hard	04:53
*** gagehugo has joined #openstack-keystone		04:55
*** nicolasbock has joined #openstack-keystone		05:04
*** gagehugo has quit IRC		05:05
*** g22 is now known as g2		05:11
*** gagehugo has joined #openstack-keystone		05:13
*** liujiong has quit IRC		05:15
*** liujiong has joined #openstack-keystone		05:16
*** jamielennox is now known as jamielennox\|away		05:52
*** jamielennox\|away is now known as jamielennox		06:00
Anticimex	jamielennox: yeah, the true need i have is project_domain_name	06:14
jamielennox	Anticimex: that's an unusual requirement, i assume it's a display thing	06:14
Anticimex	i've found django-openstack-auth things to modify either directly or pick up in our middleware now	06:14
jamielennox	Anticimex: ok, but yea your options are get it from the token or call GET /v3/projects/{project_id} and fetch it from there	06:15
Anticimex	it's a legacy 3rd party app authentication thing.	06:15
jamielennox	if you have a {project_id} scoped token then fetching /v3/projects/{project_id} should be in policy	06:16
Anticimex	i tried the GET and it won't work as users are strictly _members_, but it does exist in the token response apparently	06:16
jamielennox	Anticimex: that will only let you auth via project_domain_name? not project_id?	06:16
Anticimex	jamielennox: indeed. i did say legacy :) plan is to port the auth to keystone auth properly and all this will become a bit moot	06:17
jamielennox	Anticimex: how old is your keystone? default policy should let you fetch it: https://github.com/openstack/keystone/blob/master/etc/policy.json#L37	06:17
Anticimex	liberty	06:17
Anticimex	https://github.com/openstack/keystone/blob/liberty-eol/etc/policy.json#L37	06:18
jamielennox	yea, ok, looks like that rule wasn't there	06:18
jamielennox	if you know your admin it's a safe policy change	06:18
jamielennox	know/are the	06:18
jamielennox	but yea, convert it to keystoneauth and it will be easier	06:19
openstackgerrit	Cao Xuan Hoang proposed openstack/keystone: Fix test function name with two underscores to have only one https://review.openstack.org/416139	06:32
*** JoeStack has joined #openstack-keystone		06:34
*** udesale has quit IRC		06:56
*** guoshan has joined #openstack-keystone		07:05
*** udesale has joined #openstack-keystone		07:11
*** tesseract has joined #openstack-keystone		07:30
*** pcaruana has joined #openstack-keystone		07:41
*** gagehugo has quit IRC		07:42
*** rcernin has joined #openstack-keystone		08:03
*** kaisers has joined #openstack-keystone		08:46
*** kaisers has left #openstack-keystone		08:47
*** david-lyle has joined #openstack-keystone		08:57
*** zzzeek has quit IRC		09:00
*** LZ has joined #openstack-keystone		09:01
*** david-lyle has quit IRC		09:01
*** zzzeek has joined #openstack-keystone		09:02
*** gagehugo has joined #openstack-keystone		09:07
*** mvk has quit IRC		09:16
*** zhugaoxiao has joined #openstack-keystone		09:17
*** nolwenn has quit IRC		09:19
*** nicolasbock has quit IRC		09:20
*** asettle has joined #openstack-keystone		09:27
*** links has quit IRC		09:29
*** LZ has quit IRC		09:33
*** mvk has joined #openstack-keystone		09:51
*** guoshan has quit IRC		09:57
*** guoshan has joined #openstack-keystone		09:57
*** david-lyle has joined #openstack-keystone		09:58
*** liujiong has quit IRC		10:01
*** david-lyle has quit IRC		10:02
*** hoangcx has quit IRC		10:05
*** markvoelker has joined #openstack-keystone		10:10
*** markvoelker has quit IRC		10:15
openstackgerrit	Lucas Alvares Gomes proposed openstack/keystonemiddleware: Auth token, set the correct charset https://review.openstack.org/416198	10:15
*** guoshan has quit IRC		10:34
*** mvk has quit IRC		10:47
*** udesale has quit IRC		10:59
*** mvk has joined #openstack-keystone		11:00
*** ayoung has joined #openstack-keystone		11:10
*** ChanServ sets mode: +v ayoung		11:10
*** markvoelker has joined #openstack-keystone		11:11
*** rdopiera has joined #openstack-keystone		11:13
*** markvoelker has quit IRC		11:16
*** guoshan has joined #openstack-keystone		11:35
*** guoshan has quit IRC		11:39
rdopiera	hi guys, I wonder, what is the minimum requirement to see the "identity/domains" tab in horizon?	11:43
rdopiera	I have enabled keystone v3, multidomain suppport, configured an ldap domain, logged in as an admin -- but I can't see it	11:44
*** david-lyle has joined #openstack-keystone		11:59
*** david-lyle has quit IRC		12:04
*** markvoelker has joined #openstack-keystone		12:12
*** markvoelker has quit IRC		12:16
openstackgerrit	Lucas Alvares Gomes proposed openstack/keystonemiddleware: Auth token, set the correct charset https://review.openstack.org/416198	12:17
*** samueldmq has quit IRC		12:19
*** serverascode has quit IRC		12:19
*** rm_work has quit IRC		12:19
*** BlackDex has quit IRC		12:19
*** BlackDex has joined #openstack-keystone		12:19
*** rm_work has joined #openstack-keystone		12:20
*** samueldmq has joined #openstack-keystone		12:22
*** ChanServ sets mode: +v samueldmq		12:22
*** serverascode has joined #openstack-keystone		12:25
*** trananhkma has quit IRC		12:33
*** wolsen has quit IRC		12:38
*** wolsen has joined #openstack-keystone		12:41
*** itisha has joined #openstack-keystone		12:44
stevemar	welcome back keystoners!	12:54
samueldmq	stevemar: hey! happy new year	12:58
rdopiera	stoners?	12:58
openstackgerrit	Steve Martinelli proposed openstack/keystonemiddleware: Add Constraints support https://review.openstack.org/413288	13:00
rodrigods	stevemar, o/	13:00
stevemar	happy new year rodrigods / samueldmq	13:07
rodrigods	happy new year!	13:07
stevemar	rdopiera: it's the best name we came up with at the time	13:07
stevemar	rdopiera: i saw you had a question in -horizon	13:07
rdopiera	stevemar: how about keystonists?	13:07
stevemar	keystonistas	13:08
stevemar	i like neutronios	13:08
rodrigods	stevemar, ^ sounds portuguese	13:08
rdopiera	stevemar: yes, basically people want to test the domains tab, but they can't figure out how to get it to appear, they ask me, and I have no idea either	13:09
rdopiera	I tries to follow this, https://wiki.openstack.org/wiki/Horizon/DomainWorkFlow	13:10
rdopiera	but it seems to be outdated	13:10
rdopiera	the datatabse columns mentioned there don't exist, for example	13:11
*** markvoelker has joined #openstack-keystone		13:12
*** markvoelker has quit IRC		13:17
openstackgerrit	Merged openstack/keystone: Fix test function name with two underscores to have only one https://review.openstack.org/416139	13:21
dstanek	morning stevemar	13:24
*** jdennis has joined #openstack-keystone		13:26
stevemar	morning dstanek	13:26
stevemar	rdopiera: you have all the proper settings set to v3 in the horizon config?	13:26
rdopiera	stevemar: yes, all that is mentioned on that wiki page, at least	13:28
rdopiera	except for the policy file, I think	13:29
*** lamt has joined #openstack-keystone		13:30
*** dave-mccowan has joined #openstack-keystone		13:30
rdopiera	I can try that	13:30
rdopiera	ah, no, even the policy file is the cloudsample one	13:36
dstanek	having a different keystone policy file for keystone and horizon has tripped me up so many times :-(	13:37
rdopiera	it's the same	13:38
rdopiera	diff /etc/keystone/policy.json /opt/stack/horizon/openstack_dashboard/conf/keystone_policy.json	13:38
*** akrzos has quit IRC		13:46
*** akrzos has joined #openstack-keystone		13:46
*** dancn` has quit IRC		13:47
*** jidar has quit IRC		13:47
*** toddnni has quit IRC		13:47
*** toddnni has joined #openstack-keystone		13:47
*** dancn has joined #openstack-keystone		13:47
openstackgerrit	Merged openstack/ldappool: Add Constraints support https://review.openstack.org/413295	13:47
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Cascade delete federated_user fk https://review.openstack.org/415906	13:47
*** jidar has joined #openstack-keystone		13:48
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Cascade delete federated_user fk https://review.openstack.org/415906	13:48
rodrigods	stevemar, ^ ... regarding your comment in the review. We can not use the clean up approach since the fk already exists, we could delete the fk and use it, but don't see a reason why	13:49
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Cascade delete federated_user fk https://review.openstack.org/415906	13:52
rdopiera	ok, found the problem	13:54
rdopiera	I was missing this:	13:54
rdopiera	SESSION_ENGINE = 'django.contrib.sessions.backends.cache'	13:54
*** zhugaoxiao has quit IRC		14:00
*** david-lyle has joined #openstack-keystone		14:01
*** zhugaoxiao has joined #openstack-keystone		14:01
*** david-lyle has quit IRC		14:05
stevemar	rodrigods: i thought ayoung was against it since some DBs supported cascade and others don't	14:08
stevemar	i thought we were, in general, avoiding the use of cascade	14:08
ayoung	stevemar, I am against using DBs that don't support basic functionality like Cascade	14:09
ayoung	I personnally am a PostgreSQL bigot, but have accepted MySQL as the default for Keystone functionality	14:09
ayoung	if MySQL supports cascades, lets use it	14:09
openstackgerrit	Lucas Alvares Gomes proposed openstack/keystonemiddleware: Switch tox unit test command to use ostestr https://review.openstack.org/416248	14:10
stevemar	ayoung: isn't that against what you siad here: https://review.openstack.org/#/c/368422/	14:10
ayoung	stevemar, that is a different question	14:10
ayoung	cascades across backends is not something we can support	14:11
ayoung	stevemar, different hair to split there :)	14:11
ayoung	stevemar, within the identity backend, it is OK to use cascades	14:11
ayoung	but not from, say identity to trust, or policy to assignment	14:12
stevemar	ayoung: but federation to federation is ok	14:12
ayoung	stevemar, correct	14:13
openstackgerrit	Steve Martinelli proposed openstack/keystonemiddleware: Add Constraints support https://review.openstack.org/413288	14:13
*** markvoelker has joined #openstack-keystone		14:13
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystoneauth: Prevent MemoryError when logging response bodies https://review.openstack.org/416249	14:14
samueldmq	jamielennox: stevemar ^	14:14
dstanek	stevemar: i've always disliked cascades because it's so easy to allow users to make mistakes that they can't recover from	14:14
dstanek	samueldmq: what causes the memory error. just the response being too large?	14:15
stevemar	dstanek: yep	14:16
stevemar	dstanek: like trying to log an image :P	14:16
samueldmq	dstanek: yes, as stevemar said	14:16
samueldmq	yeah, which does not make sense at all	14:16
dstanek	that's kinda funny	14:18
*** markvoelker has quit IRC		14:18
openstackgerrit	Davanum Srinivas (dims) proposed openstack/keystone: [WIP] Just a test with python3.5 https://review.openstack.org/412500	14:20
lbragstad	jamielennox did you happen to see the pings in a conversation I was having with dtroyer and a user regarding keystoneauth auth types and documentation?	14:21
openstackgerrit	Lucas Alvares Gomes proposed openstack/keystonemiddleware: Switch tox unit test command to use ostestr https://review.openstack.org/416248	14:30
lbragstad	stevemar are we sure https://bugs.launchpad.net/neutron/+bug/1652929 is fixed?	14:32
openstack	Launchpad bug 1652929 in neutron "keystone token warning flood" [Low,Confirmed] - Assigned to Kevin Benton (kevinbenton)	14:32
lbragstad	stevemar i was thinking that the warning should only be emitted if the token being used by auth_token wasn't a service token.	14:32
*** edmondsw has joined #openstack-keystone		14:32
*** erhudy has joined #openstack-keystone		14:34
lbragstad	stevemar I was thinking the fix would have included something to make sure the neutron service user has the proper service role (so that the check is forward compatible)?	14:35
*** jperry has joined #openstack-keystone		14:36
*** edmondsw_ has joined #openstack-keystone		14:38
*** markvoelker has joined #openstack-keystone		14:38
*** edmondsw_ has quit IRC		14:38
*** oomichi has quit IRC		14:42
*** oomichi has joined #openstack-keystone		14:43
stevemar	samueldmq: briancurtin has a nice suggestion for the log	14:46
stevemar	lbragstad: umm, tbh it worked for the neutron folks so i was happy	14:46
stevemar	lbragstad: if you want to swtich things up you can	14:46
*** udesale has joined #openstack-keystone		14:47
lbragstad	stevemar I'll leave a comment on the bug and see what they say	14:47
stevemar	samueldmq: just an FYI, we also do not log requests already for KSA -- https://github.com/openstack/keystoneauth/commit/9b994205a896fe69c7e9a9bfe1c393f820ffa6ae	14:50
samueldmq	stevemar: I saw that patch, however in the bug report someone said they were htting the issue even after migrating ksc -> ksa	14:52
samueldmq	stevemar: brb will be back soon	14:52
samueldmq	yeah, I saw the suggestion from briancurtin, I'll apply it as soon as I'm back	14:53
*** chlong has joined #openstack-keystone		14:55
openstackgerrit	Steve Martinelli proposed openstack/python-keystoneclient: Do not log binary data during debug https://review.openstack.org/416260	14:56
stevemar	jamielennox: samueldmq while we're making the logging code in session not silly ^	14:57
stevemar	(that one is for the request)	14:57
openstackgerrit	Steve Martinelli proposed openstack/python-keystoneclient: Do not log binary data during request https://review.openstack.org/416260	14:58
*** spzala has joined #openstack-keystone		14:59
stevemar	jvarlamova_: o/	15:01
stevemar	jvarlamova_: do you know why https://review.openstack.org/#/c/414438/ is not passing the grenade test?	15:01
openstackgerrit	Merged openstack/keystonemiddleware: Auth token, set the correct charset https://review.openstack.org/416198	15:01
*** david-lyle has joined #openstack-keystone		15:01
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Cascade delete federated_user fk https://review.openstack.org/415906	15:04
*** udesale has quit IRC		15:05
*** edtubill has joined #openstack-keystone		15:05
*** david-lyle has quit IRC		15:06
*** chris_hultin\|AWA is now known as chris_hultin		15:07
*** udesale has joined #openstack-keystone		15:10
openstackgerrit	Lance Bragstad proposed openstack/keystone: Remove CONF.domain_id_immutable https://review.openstack.org/416267	15:14
*** udesale has quit IRC		15:17
*** ravelar has joined #openstack-keystone		15:17
*** jaugustine has joined #openstack-keystone		15:27
*** med_` is now known as medberry		15:28
*** medberry is now known as med_		15:28
*** med_ is now known as Guest46232		15:29
*** Guest46232 is now known as medberry		15:29
*** medberry has joined #openstack-keystone		15:29
*** andrewbogott has quit IRC		15:33
*** andrewbogott has joined #openstack-keystone		15:33
stevemar	lbragstad: thanks for picking up the bug	15:41
*** chlong has quit IRC		15:41
stevemar	jamielennox: can we just include pyhton-memcached in keystonemiddleware already?	15:41
lbragstad	stevemar no problem - looked like an easy one	15:42
*** mvk has quit IRC		15:43
*** edtubill has quit IRC		15:49
stevemar	lbragstad: easy review: https://review.openstack.org/#/c/416260/	15:50
stevemar	well, easy-ish :)	15:50
*** adrian_otto has joined #openstack-keystone		15:51
hugokuo	Can keystone CLI output as JSON format ?	15:52
*** JoeStack has quit IRC		15:53
*** JoeStack1 has joined #openstack-keystone		15:53
stevemar	hugokuo: you can trying running ``openstack user list --format json`` -- some examples here: http://ronaldbradford.com/blog/moving-to-openstackclient-cli-2015-04-20/	15:54
*** chlong has joined #openstack-keystone		15:54
*** edtubill has joined #openstack-keystone		15:54
hugokuo	got it. Seems like keystone doesn't support outout in JSON but openstack client does. hmm... I may need to install extra openstack client in my keystone box.	15:56
hugokuo	thx @stevemar	15:56
lbragstad	hugokuo just FYI - python-keystoneclients CLI has been removed. We recommend using python-openstackclient for all keystone related CLI things	15:57
*** JoeStack1 has quit IRC		15:57
lbragstad	python-openstackclient uses python-keystoneclient for keystone operations though.	15:58
*** nklenke has joined #openstack-keystone		15:59
hugokuo	@lbragstad make sense. I'm doing ansible playbooks for deploying keystone servers from kilo to the latest version. I need to inject sample data like pre-created tenants and users. I must to find out a best way for parsing result from keystone server.	15:59
hugokuo	The keystone CLI is not good enough. I may go openstack CLI or using curl in the playbook. thx	16:00
*** jaugustine has quit IRC		16:00
lbragstad	hugokuo good luck!	16:00
*** edtubill has quit IRC		16:00
*** richm has joined #openstack-keystone		16:01
*** d0ugal has joined #openstack-keystone		16:03
*** zhugaoxiao has quit IRC		16:03
*** zhugaoxiao has joined #openstack-keystone		16:04
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystoneauth: Prevent MemoryError when logging response bodies https://review.openstack.org/416249	16:08
samueldmq	stevemar: briancurtin ^	16:08
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystoneauth: Prevent MemoryError when logging response bodies https://review.openstack.org/416249	16:09
*** chris_hultin is now known as chris_hultin\|AWA		16:09
hugokuo	just FYI... openstack CLI supports csv or table but not json	16:09
hugokuo	```	16:09
hugokuo	openstack project list: error: argument -f/--format: invalid choice: 'json' (choose from 'csv', 'table')	16:09
*** chris_hultin\|AWA is now known as chris_hultin		16:10
*** alex_xu has quit IRC		16:11
*** davechen has quit IRC		16:13
*** davechen has joined #openstack-keystone		16:13
lbragstad	ayoung have you had a chance to look at the comment here - https://review.openstack.org/#/c/391624/21/specs/keystone/ongoing/role-check-from-middleware.rst ?	16:17
*** lamt has quit IRC		16:20
*** jaugustine has joined #openstack-keystone		16:20
samueldmq	lbragstad: that's an interesting point. we don't have different policies today for different ports :(	16:21
samueldmq	lbragstad: perhaps they have 2 entries in the policy file currently ?	16:21
*** lamt has joined #openstack-keystone		16:21
*** alex_xu has joined #openstack-keystone		16:22
*** edtubill has joined #openstack-keystone		16:23
lbragstad	samueldmq i believe it was oomichi that left that comment	16:24
*** rcernin has quit IRC		16:25
openstackgerrit	Merged openstack/keystonemiddleware: Add Constraints support https://review.openstack.org/413288	16:27
stevemar	samueldmq: release note and we're good :)	16:27
*** dmellado_ has joined #openstack-keystone		16:28
morgan	o/	16:31
morgan	mornin	16:31
samueldmq	stevemar: oh, that's true!	16:31
morgan	and happy new years	16:31
samueldmq	morgan: morning, happy new year :)	16:31
*** tesseract has quit IRC		16:31
lbragstad	morgan happy new year	16:31
*** chlong has quit IRC		16:31
dstanek	happy new year morgan	16:33
rodrigods	morgan, happy new year! :)	16:34
*** adrian_otto has quit IRC		16:35
*** adrian_otto has joined #openstack-keystone		16:36
stevemar	morgan: yay you survived	16:39
lbragstad	oomichi I'm interested in discussing https://review.openstack.org/#/c/391624/21/specs/keystone/ongoing/role-check-from-middleware.rst more with you if you have any time available (feel free to ping me whenever!)	16:40
openstackgerrit	Davanum Srinivas (dims) proposed openstack/keystone: [WIP] Just a test with python3.5 https://review.openstack.org/412500	16:41
lbragstad	oomichi we have a policy meeting tomorrow http://eavesdrop.openstack.org/#Keystone_Policy_Meeting but if that's too short notice maybe we can shoot for next week.	16:41
*** adrian_otto has quit IRC		16:45
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Cascade delete federated_user fk https://review.openstack.org/415906	16:46
*** chlong has joined #openstack-keystone		16:47
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Cascade delete federated_user fk https://review.openstack.org/415906	17:01
*** david-lyle has joined #openstack-keystone		17:03
*** nkinder has joined #openstack-keystone		17:05
*** adrian_otto has joined #openstack-keystone		17:06
*** chris_hultin is now known as chris_hultin\|AWA		17:07
*** david-lyle has quit IRC		17:08
*** chris_hultin\|AWA is now known as chris_hultin		17:11
openstackgerrit	Steve Martinelli proposed openstack/keystonemiddleware: Switch tox unit test command to use ostestr https://review.openstack.org/416248	17:13
*** medberry is now known as med_		17:14
stevemar	easy one to kick through: https://review.openstack.org/#/c/416248/ i think we should be moving to ostestr in our projects	17:16
dstanek	stevemar: infra won't mind the extra output will they?	17:18
stevemar	dstanek: i doubt it's big enough to cause an issue, it loaded in my browser pretty quickly	17:18
stevemar	dstanek: compared to say, a tempest job, where i'm constantly scrolling :P	17:19
dstanek	stevemar: running the tests now	17:22
*** arunkant has joined #openstack-keystone		17:24
stevemar	dstanek: coolio	17:24
*** jaosorior has joined #openstack-keystone		17:26
*** chris_hultin is now known as chris_hultin\|AWA		17:26
*** stingaci has joined #openstack-keystone		17:28
*** jaugustine has quit IRC		17:31
*** chris_hultin\|AWA is now known as chris_hultin		17:32
*** adrian_otto has quit IRC		17:33
*** adrian_otto has joined #openstack-keystone		17:35
*** chris_hultin is now known as chris_hultin\|AWA		17:37
*** chris_hultin\|AWA is now known as chris_hultin		17:37
*** jaosorior has quit IRC		17:43
morgan	stevemar: yay had time to tear down the tree before meeting(s) started	17:54
ayoung	lbragstad, so, the short version is that I knew about that, and chose to ignore it for the moment	17:54
ayoung	lbragstad, the case for a bulk API like that is going to be "common denominator" role. so _member_	17:55
ayoung	If nova wants more granular RBAC, they have to meet us halfway: either better APIs, or they should have backend the dynamic policy stuff from a couple years back	17:56
*** mvk has joined #openstack-keystone		17:56
lbragstad	ayoung so - how would they migrate to using the URL pattern as the operation?	17:56
ayoung	lbragstad, split out separate APIs for the specific actions	17:57
lbragstad	so a new api	17:57
ayoung	add roles that can execute those APIs specifically	17:57
ayoung	and in the bulk one, they check admin versus non-admin, leave it at that,	17:57
ayoung	the top level API would be handled by the catch all rule	17:58
*** pcaruana has quit IRC		17:58
ayoung	he posted non-admin: Reboot a server	17:58
ayoung	admin: Migrate a server	17:58
lbragstad	right - but they are both the same URL and HTTP method	17:58
ayoung	existing policy is still enforced. So they are just missing out on on better enforcement	17:58
*** jaugustine has joined #openstack-keystone		17:58
ayoung	lbragstad, so, say you wanted a read only role, that role should not be able to execute this API at all	17:59
stevemar	meeting soon! ^_^	17:59
ayoung	since there would be no way to distinguish between member and reader	17:59
lbragstad	POST /servers/{server_id}/action for an admin user would be different operation than POST /servers/{server_id}/action for a non-admin user	17:59
ayoung	lbragstad, right, but existing policy already enforces that.	18:00
ayoung	They would have to leave that in place	18:00
stevemar	keystoners! assemble!	18:00
ayoung	just that there would be no way to distinguish roles between the various non-admin operations	18:00
stevemar	meeting time agrebennikov, amakarov, annakoppad, ayoung, bknudson, breton, browne, chrisplo, crinkle, davechen, dolphm, dstanek, edmondsw, edtubill, gagehugo, gyee, henrynash, hrybacki, jamielennox, jaugustine, jgrassler, knikolla, lbragstad, kbaikov, ktychkova, morgan, nisha, nkinder, notmorgan, raildo, ravelar, rderose, rodrigods, roxanaghe, samueldmq, shaleh, spilla, srwilkers, StefanPaetowJisc, stevemar,	18:00
stevemar	topol	18:00
lbragstad	ayoung yeah - i think we need to sit down with oomichi though and talk some of it through	18:00
*** asettle has quit IRC		18:02
*** asettle has joined #openstack-keystone		18:03
*** david-lyle has joined #openstack-keystone		18:03
*** asettle has quit IRC		18:07
*** david-lyle has quit IRC		18:08
*** browne has joined #openstack-keystone		18:09
*** chlong has quit IRC		18:10
*** esp has joined #openstack-keystone		18:17
*** adrian_otto has quit IRC		18:38
*** adrian_otto has joined #openstack-keystone		18:39
*** chlong has joined #openstack-keystone		18:41
*** david-lyle has joined #openstack-keystone		18:42
*** jaugustine has quit IRC		18:46
*** chlong has quit IRC		18:48
*** jose-phillips has joined #openstack-keystone		18:51
*** jaugustine has joined #openstack-keystone		18:54
morgan	:)	18:58
jlvillal	Does anyone know when the keystonemiddleware package will be released?	19:02
*** chlong has joined #openstack-keystone		19:02
jlvillal	The Ironic gate is broken until a new release occurs.	19:03
samueldmq	stevemar: ^	19:05
samueldmq	stevemar: https://review.openstack.org/#/c/416198/ has merged, new release required to unlock ironic gates	19:05
*** dave-mccowan has quit IRC		19:16
stevemar	jlvillal: i'll propose a new release now, was waiting for our meeting to be over	19:17
jlvillal	stevemar: Awesome, thanks :)	19:17
*** catintheroof has quit IRC		19:33
*** catintheroof has joined #openstack-keystone		19:34
jamielennox	stevemar: how does that break the gate?	19:35
*** fungi has quit IRC		19:35
*** itisha has quit IRC		19:35
*** wolsen has quit IRC		19:35
*** serverascode has quit IRC		19:35
*** rm_work has quit IRC		19:35
*** BlackDex has quit IRC		19:35
*** ayoung has quit IRC		19:35
*** gus has quit IRC		19:35
*** sheel has quit IRC		19:35
*** peterstac has quit IRC		19:35
*** ktychkova_ has quit IRC		19:35
*** hyakuhei has quit IRC		19:35
*** Tahvok has quit IRC		19:35
*** BlackDex has joined #openstack-keystone		19:35
*** ktychkova has joined #openstack-keystone		19:36
*** ayoung has joined #openstack-keystone		19:36
*** ChanServ sets mode: +v ayoung		19:36
*** gus has joined #openstack-keystone		19:36
*** fungi has joined #openstack-keystone		19:36
*** peterstac has joined #openstack-keystone		19:36
*** hyakuhei has joined #openstack-keystone		19:36
jamielennox	is that a new webob?	19:36
*** Tahvok has joined #openstack-keystone		19:36
*** rm_work has joined #openstack-keystone		19:36
*** asettle has joined #openstack-keystone		19:37
*** harlowja has joined #openstack-keystone		19:38
*** catintheroof has quit IRC		19:38
*** sheel has joined #openstack-keystone		19:39
*** guoshan has joined #openstack-keystone		19:41
*** jaugustine has quit IRC		19:42
*** itisha has joined #openstack-keystone		19:42
*** wolsen has joined #openstack-keystone		19:43
*** guoshan has quit IRC		19:46
stevemar	jamielennox: yeah, new webob came out over the holidays	19:52
*** serverascode has joined #openstack-keystone		19:52
stevemar	jamielennox: jd had a fix to fix the new version (i think he encountered the error in his dev env), but it broke CI's since they still use the old version	19:52
stevemar	jamielennox: the recent change should work on both old and new versions	19:52
jamielennox	stevemar: the one that was approved looks good	19:53
stevemar	jamielennox: vague comment is vague	19:53
*** dave-mccowan has joined #openstack-keystone		20:03
*** openstackgerrit has quit IRC		20:03
*** jaugustine has joined #openstack-keystone		20:08
*** haplo37_ has quit IRC		20:09
*** jaugustine has quit IRC		20:10
*** adrian_otto has quit IRC		20:11
*** haplo37_ has joined #openstack-keystone		20:12
*** adriant has joined #openstack-keystone		20:16
*** guoshan has joined #openstack-keystone		20:42
*** asettle has quit IRC		20:44
*** guoshan has quit IRC		20:47
*** jaugustine has joined #openstack-keystone		20:49
samueldmq	stevemar: perhaps we could approve https://review.openstack.org/#/c/399472	20:56
samueldmq	stevemar: I left it to you as you wanted to see a successful build.	20:56
*** adrian_otto has joined #openstack-keystone		21:02
stevemar	samueldmq: depends-on stuff	21:03
*** openstackgerrit has joined #openstack-keystone		21:18
openstackgerrit	Merged openstack/keystonemiddleware: Switch tox unit test command to use ostestr https://review.openstack.org/416248	21:18
openstackgerrit	Gage Hugo proposed openstack/keystone: Allow user to change own expired password https://review.openstack.org/404022	21:19
*** dave-mccowan has quit IRC		21:35
openstackgerrit	Gage Hugo proposed openstack/keystone: Clean up exception handling for CADF reason https://review.openstack.org/413822	21:36
openstackgerrit	Gage Hugo proposed openstack/keystone: Allow user to change own expired password https://review.openstack.org/404022	21:38
*** spzala has quit IRC		21:44
openstackgerrit	Lance Bragstad proposed openstack/keystone: Remove CONF.domain_id_immutable https://review.openstack.org/416267	21:47
*** agrebennikov has joined #openstack-keystone		21:58
*** chlong has quit IRC		22:10
*** chris_hultin is now known as chris_hultin\|AWA		22:15
*** jaugustine has quit IRC		22:19
*** edmondsw has quit IRC		22:21
*** edmondsw has joined #openstack-keystone		22:21
*** edmondsw has quit IRC		22:25
*** edtubill has quit IRC		22:28
openstackgerrit	Lance Bragstad proposed openstack/keystone: Remove CONF.domain_id_immutable https://review.openstack.org/416267	22:51
*** adrian_otto has quit IRC		22:52
openstackgerrit	Brant Knudson proposed openstack/keystone: Correct timestamp format in V3 token responses https://review.openstack.org/416372	22:54
stevemar	bknudson: i see you got tired of bad patches :(	22:56
bknudson	stevemar: trying to save time.	22:58
*** phalmos has joined #openstack-keystone		22:58
*** chris_hultin\|AWA is now known as chris_hultin		22:59
*** jperry has quit IRC		23:11
*** openstack has joined #openstack-keystone		23:13
*** jaugustine has joined #openstack-keystone		23:17
*** chris_hultin is now known as chris_hultin\|AWA		23:19
*** lamt has quit IRC		23:27
*** chris_hultin\|AWA is now known as chris_hultin		23:29
*** chris_hultin is now known as chris_hultin\|AWA		23:30
*** spzala has joined #openstack-keystone		23:30
*** guoshan has joined #openstack-keystone		23:45
openstackgerrit	Richard Avelar proposed openstack/keystone: WIP add db_sync check https://review.openstack.org/416383	23:49
*** guoshan has quit IRC		23:49

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!