Wednesday, 2017-02-08

[00:00] <morgan> and i know how that goes
[00:00] <morgan> i also know what a 10MM row keystone token table does to a cloud
[00:00] <morgan> first hand
[00:00] <adriant> not pretty :P
[00:00] <morgan> (~10MM/week) sorry
[00:01] <adriant> We haven't yet, but switching to Fernet is next.
[00:01] <morgan> fernet is much much better
[00:01] <adriant> Actually, that's a thought. Is anyone doing Multi-Master keystone?
[00:01] <adriant> Is it possible?
[00:01] <morgan> adriant: it is possible.
[00:01] <morgan> adriant: i've done it, i've seen it, i would still do a corosync/pacemaker master/passive/passive deployment
[00:02] <morgan> and for multi-DC/high-latency (read: WAN) setups, I would mostly be ok with a replication of keystone data with fernet, since it doesn't change much
[00:02] <morgan> high-latency is anything > 5ms imo
[00:02] *** ngupta has joined #openstack-keystone
[00:03] <stevemar> lbragstad: congrats!
[00:04] <adriant> morgan: We're looking at doing better DR for our keystone, and with fernet we were wondering if M-M was doable since it would also serve as a sort of load balancing to the nearest region.
[00:04] <stevemar> wow, some close election results this time around
[00:08] *** thorst_ has joined #openstack-keystone
[00:11] *** stradling has quit IRC
[00:11] *** mvk has joined #openstack-keystone
[00:14] <gagehugo> congrats lbragstad!
[00:18] <morgan> adriant: doable, some folks have done it
[00:18] <morgan> i just don't have enough solid data for modern deployments to know the success rate
[00:19] <morgan> adriant: the biggest concern is revocation events (probably can just turn them off) and fernet key replication/distribution
[00:23] *** stradling has joined #openstack-keystone
[00:31] <openstackgerrit> Steve Martinelli proposed openstack/keystone master: Readability/Typo Fixes in Release Notes https://review.openstack.org/429894
[00:31] *** ngupta has quit IRC
[00:36] *** stradling has quit IRC
[00:38] *** adrian_otto has joined #openstack-keystone
[00:39] <adrian_otto> tx morgan
[00:42] *** david-lyle has quit IRC
[00:42] *** ngupta has joined #openstack-keystone
[00:45] *** thorst_ has quit IRC
[00:49] *** tovin07 has joined #openstack-keystone
[00:50] <adriant> morgan: fernet keys I was intended to generate outside of the keystone nodes, and then sync them to all node. That was the process always keeps them in sync and throws warning and refuses to sync unless all nodes can be done.
[00:50] <adriant> intending*
[00:50] *** zhurong has joined #openstack-keystone
[00:51] <adriant> wow I can't type tonight
[00:51] *** tqtran has quit IRC
[00:52] <morgan> adriant: and you're doing it right then
[00:53] <adriant> morgan: I'll be doing a test multi-region deployment at some stage with multi-master and seeing how we can handle duplicate events, and replication honoring. Probably just sticking with 'newest wins'.
[00:53] <lbragstad> gagehugo thanks!
[00:53] <morgan> hmm.
[00:57] *** hoangcx has joined #openstack-keystone
[00:57] <morgan> hmm dolphm, lbragstad any recommendations on a cast iron griddle? i need one that doesn't have cut-out handles - and it doesn't have to be reversible (I don't need it for grilling, I expect to get a different pan just for that)
[00:57] <morgan> or carbon steel.
[00:58] *** ngupta has quit IRC
[01:01] *** browne has quit IRC
[01:04] *** david-lyle has joined #openstack-keystone
[01:06] *** ngupta has joined #openstack-keystone
[01:10] *** ravelar has quit IRC
[01:10] *** yarkot has quit IRC
[01:18] <adriant> morgan: sql to change parent seems to work in devstack without breaking anything
[01:19] *** thorst_ has joined #openstack-keystone
[01:19] <adriant> I feel so dirty using raw sql though :P
[01:19] *** adu has joined #openstack-keystone
[01:21] *** adu has quit IRC
[01:25] *** liujiong has joined #openstack-keystone
[01:30] <openstackgerrit> Gage Hugo proposed openstack/keystone master: Fix multiple uuid warnings with pycadf https://review.openstack.org/426411
[01:31] <openstackgerrit> vegezcj proposed openstack/keystone master: Keystone ldap tree_dn does not support Chinese https://review.openstack.org/430495
[01:44] <openstackgerrit> Steve Martinelli proposed openstack/keystone master: Fix multiple uuid warnings with pycadf https://review.openstack.org/426411
[01:51] *** guoshan has joined #openstack-keystone
[01:52] *** guoshan_ has joined #openstack-keystone
[01:52] *** guoshan has quit IRC
[01:52] *** ngupta has quit IRC
[01:57] *** MasterOfBugs has quit IRC
[02:04] *** adrian_otto has quit IRC
[02:19] *** thorst_ has joined #openstack-keystone
[02:24] *** thorst_ has quit IRC
[02:27] *** adrian_otto has joined #openstack-keystone
[02:30] <lbragstad> morgan cast iron griddle?
[02:30] <lbragstad> morgan hmm
[02:30] *** adu has joined #openstack-keystone
[02:34] *** lucas_ has joined #openstack-keystone
[02:36] <morgan> lbragstad: yeah
[02:36] <morgan> lbragstad: lodge one is not sufficient for what i want
[02:36] <morgan> lbragstad: trying to find a good one, pref a double burner one.
[02:36] <morgan> i might need to find someone who'll do custom old-school cast iron in sand
[02:37] <lbragstad> morgan that'd be sweet
[02:51] *** zhurong has quit IRC
[02:55] *** dikonoor has joined #openstack-keystone
[02:55] *** thorst_ has joined #openstack-keystone
[02:55] *** thorst_ has quit IRC
[03:04] <openstackgerrit> Steve Martinelli proposed openstack/keystone master: Deprecate (and emit message) AdminTokenAuthMiddleware https://review.openstack.org/427878
[03:07] <ayoung> lbragstad, congrats
[03:09] <ayoung> morgan, I don't think there is anything magic to cast iron frying pans.  Just make sure you get handle covers, as they scald quickly
[03:09] <lbragstad> ayoung yes - exactly
[03:09] <lbragstad> ayoung morgan i typically sand mine down to give them an ultra smooth finish before seasoning them
[03:10] <ayoung> ziad, joe heck, dolphm, morgan, stevemar .... lbragstad you are in pretty good company.
[03:13] <lbragstad> ayoung ++ i have some good examples to learn from
[03:33] *** zhurong has joined #openstack-keystone
[03:37] *** lucas_ has quit IRC
[03:41] *** adu has quit IRC
[03:49] *** ngupta has joined #openstack-keystone
[03:50] *** links has joined #openstack-keystone
[03:51] *** prashkre has joined #openstack-keystone
[03:54] <morgan> ayoung: it is about getting a good griddle.
[03:54] <morgan> ayoung: beyond that.. its shape/construction/QA etc. not anything else.
[03:56] *** thorst_ has joined #openstack-keystone
[04:00] *** guoshan_ has quit IRC
[04:01] *** prashkre has quit IRC
[04:01] *** thorst_ has quit IRC
[04:01] <lbragstad> morgan what about https://goo.gl/oSWjLW
[04:04] *** zhurong has quit IRC
[04:12] *** nicolasbock has quit IRC
[04:20] *** martinlopes has quit IRC
[04:20] *** lucas_ has joined #openstack-keystone
[04:21] *** martinlopes has joined #openstack-keystone
[04:28] *** martinlopes has quit IRC
[04:48] *** ngupta has quit IRC
[04:49] *** ngupta has joined #openstack-keystone
[04:53] *** ngupta has quit IRC
[04:57] *** thorst_ has joined #openstack-keystone
[05:01] *** guoshan has joined #openstack-keystone
[05:02] *** thorst_ has quit IRC
[05:03] *** martinlopes has joined #openstack-keystone
[05:10] <openstackgerrit> Merged openstack/keystone master: Remove unused api parameters https://review.openstack.org/429790
[05:10] <openstackgerrit> Merged openstack/keystone master: Readability/Typo Fixes in Release Notes https://review.openstack.org/429894
[05:15] *** guoshan has quit IRC
[05:29] <openstackgerrit> Steve Martinelli proposed openstack/keystone master: use the correct bp link for shadow-mapping rel note https://review.openstack.org/430569
[05:31] *** lucas_ has quit IRC
[05:40] *** lucas_ has joined #openstack-keystone
[05:40] *** lucas_ has quit IRC
[05:58] *** thorst_ has joined #openstack-keystone
[06:03] *** thorst_ has quit IRC
[06:08] *** guoshan_ has joined #openstack-keystone
[06:13] *** adrian_otto has quit IRC
[06:14] *** prashkre has joined #openstack-keystone
[06:17] *** edmondsw has joined #openstack-keystone
[06:21] *** edmondsw has quit IRC
[06:22] *** zhurong has joined #openstack-keystone
[06:42] *** richm has quit IRC
[06:42] *** adrian_otto has joined #openstack-keystone
[06:43] *** zhurong has quit IRC
[06:49] *** zhurong has joined #openstack-keystone
[06:50] *** tqtran has joined #openstack-keystone
[06:54] *** tqtran has quit IRC
[06:57] *** abqkawi1000 has quit IRC
[06:59] *** rcernin has joined #openstack-keystone
[06:59] *** martinlopes has quit IRC
[07:05] *** zhurong has quit IRC
[07:07] <openstackgerrit> gengchc2 proposed openstack/keystoneauth master: Remove support for py34 https://review.openstack.org/430595
[07:29] *** pcaruana has joined #openstack-keystone
[07:32] *** adriant has quit IRC
[07:32] <openstackgerrit> gengchc2 proposed openstack/oslo.policy master: Remove support for py34 https://review.openstack.org/430611
[07:33] *** adrian_otto has quit IRC
[07:35] *** tesseract has joined #openstack-keystone
[07:37] *** david-lyle_ has joined #openstack-keystone
[07:59] *** thorst_ has joined #openstack-keystone
[08:04] *** thorst_ has quit IRC
[08:05] *** prashkre has quit IRC
[08:13] *** liujiong_66 has joined #openstack-keystone
[08:13] *** liujiong has quit IRC
[08:28] *** david-lyle_ has quit IRC
[08:30] *** chlong has quit IRC
[08:31] *** chlong has joined #openstack-keystone
[08:33] *** stevemar has quit IRC
[08:35] *** stevemar has joined #openstack-keystone
[08:36] *** prashkre has joined #openstack-keystone
[08:46] *** liujiong_66 is now known as liujiong
[08:51] *** ngupta has joined #openstack-keystone
[08:52] *** tqtran has joined #openstack-keystone
[08:56] *** ngupta has quit IRC
[08:56] <openstackgerrit> Richard Avelar proposed openstack/keystone master: Add --check to keystone-manage db_sync command https://review.openstack.org/416383
[08:56] *** tqtran has quit IRC
[09:00] *** zzzeek has quit IRC
[09:02] *** zzzeek has joined #openstack-keystone
[09:06] *** ChanServ sets mode: +o stevemar
[09:30] *** slunkad has quit IRC
[09:33] *** slunkad has joined #openstack-keystone
[09:34] *** openstackgerrit has quit IRC
[09:35] *** links has quit IRC
[09:39] *** kukacz_ has joined #openstack-keystone
[09:40] *** nishaYadav has joined #openstack-keystone
[09:40] <nishaYadav> o/
[09:40] *** rdo_ has joined #openstack-keystone
[09:41] *** Guest66676 has joined #openstack-keystone
[09:41] *** hoangcx_ has joined #openstack-keystone
[09:43] *** med_` has joined #openstack-keystone
[09:43] *** lbragstad_ has joined #openstack-keystone
[09:44] *** topol_ has joined #openstack-keystone
[09:44] *** dolphm_ has joined #openstack-keystone
[09:44] *** ChanServ sets mode: +o dolphm_
[09:44] *** nonameentername has joined #openstack-keystone
[09:44] *** dims_ has joined #openstack-keystone
[09:45] *** hugokuo_ has joined #openstack-keystone
[09:45] *** Krenair_ has joined #openstack-keystone
[09:45] *** hoangcx has quit IRC
[09:45] *** masterjcool has quit IRC
[09:45] *** dims has quit IRC
[09:45] *** topol has quit IRC
[09:45] *** hoonetorg has quit IRC
[09:45] *** timss has quit IRC
[09:45] *** aloga has quit IRC
[09:45] *** rdo has quit IRC
[09:45] *** kukacz has quit IRC
[09:45] *** dolphm has quit IRC
[09:45] *** med_ has quit IRC
[09:45] *** Krenair has quit IRC
[09:45] *** lbragstad has quit IRC
[09:45] *** hugokuo has quit IRC
[09:45] *** _nonameentername has quit IRC
[09:45] *** Guest66666 has quit IRC
[09:45] *** dolphm_ is now known as dolphm
[09:45] *** hugokuo_ is now known as hugokuo
[09:46] *** Krenair_ is now known as Krenair
[09:46] *** Krenair has quit IRC
[09:46] *** Krenair has joined #openstack-keystone
[09:47] *** aloga_ has joined #openstack-keystone
[09:51] *** links has joined #openstack-keystone
[09:52] *** masterjcool has joined #openstack-keystone
[09:52] *** timss has joined #openstack-keystone
[09:53] *** aloga has joined #openstack-keystone
[09:54] *** hoonetorg has joined #openstack-keystone
[09:57] *** hoangcx_ has quit IRC
[10:00] *** thorst_ has joined #openstack-keystone
[10:02] *** nishaYadav has quit IRC
[10:04] *** thorst_ has quit IRC
[10:05] *** nishaYadav has joined #openstack-keystone
[10:08] *** liujiong has quit IRC
[10:19] *** aloga_ has quit IRC
[10:26] *** guoshan_ has quit IRC
[10:29] <nishaYadav> dolphm, hey, you around?
[10:41] *** aloga_ has joined #openstack-keystone
[10:41] <Adobeman> ummm I'm looking at this blog
[10:41] <Adobeman> https://keithtenzer.com/2016/03/08/openstack-keystone-integrating-ldap-with-ipa/
[10:42] <Adobeman> so at the keystone section, export... openstack-config => openstack config
[10:43] <Adobeman> not entirely sure about the v2 with the url
[10:43] <Adobeman> I think morgan sort of mentioned I should be doing with additional following lines..
[10:44] <Adobeman> I am assuming "keystone user-role-add --user-id ospadmin --role admin --tenant admin"  ==(in newton)===>  openstack role add -user ospadmin --role admin --tenant admin
[10:45] <Adobeman> but appears to be wrong
[10:45] <Adobeman> if I recall correctly, --tenant is v2, but does it work differently in newton ?
[10:46] <Adobeman> then there is the "keystone user-role-add --user-id ospuser --role _member_ --tenant Project1"
[10:46] <Adobeman> there is no Project1 yet
[10:50] *** links has quit IRC
[10:53] *** ngupta has joined #openstack-keystone
[10:57] *** ngupta has quit IRC
[11:05] *** nicolasbock has joined #openstack-keystone
[11:06] *** links has joined #openstack-keystone
[11:12] *** richm has joined #openstack-keystone
[11:16] <Adobeman> agh.. re-IP is not very fun in openstack..
[11:20] <Adobeman> ok, I think I updated all the configuration file.  Something somewhere still thinks I'm on the old IP..
[11:27] *** aloga_ has quit IRC
[11:34] *** openstackgerrit has joined #openstack-keystone
[11:34] <openstackgerrit> Boris Bobrov proposed openstack/keystone master: Enable trusts for federated users https://review.openstack.org/415545
[11:40] <Adobeman> does openstack put IP address in database somewhere..?
[11:44] <nishaYadav> stevemar, o/
[11:46] <nishaYadav> I tried setting up LDAP back end with DevStack and got an error, in particular this line no. 140 here https://github.com/openstack-dev/devstack/blob/master/lib/ldap
[11:48] *** aloga_ has joined #openstack-keystone
[11:49] <nishaYadav> I am getting no such object error, as one can't modify the hdb database because there isn't one already present. I asked for help on #openladap and they said adapt the manager.ldif to work with your existing setup. Can anyone please help me, any idea how to go about this?
[11:51] <rodrigods> stevemar, ayoung, if you have a moment to review the implied roles tests in tempest: https://review.openstack.org/#/c/425927/12
[11:51] <ayoung> rodrigods, happy to do so
[11:51] <rodrigods> thanks ayoung
[11:53] *** mvk has quit IRC
[11:56] <samueldmq> morning keystone
[11:58] <stevemar> morning samueldmq ayoung and rodrigods o/
[11:58] <stevemar> oh hi nishaYadav :)
[11:58] <rodrigods> stevemar, samueldmq, morning o/
[11:58] <ayoung> stevemar, feel as if the weight of the world has been lifted from your shoulders?
[11:59] <stevemar> ayoung: not yet, but almost :)
[11:59] <nishaYadav> stevemar, hi
[11:59] <nishaYadav> ayoung, rodrigods samueldmq o/
[11:59] <rodrigods> nishaYadav, o/
[12:00] *** thorst_ has joined #openstack-keystone
[12:01] * samueldmq waves to everyone :)
[12:03] <ayoung> When did Keystone become such an early morning project?
[12:05] *** thorst_ has quit IRC
[12:06] <nishaYadav> stevemar, Regarding the keystonemiddleware: allow_expires docs. The new feature is documented at a high level here, http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ocata/allow-expired.html and you said the new docs should describe how various services can use the new feature. So where can I find more details regarding this? Can you please suggest little more :)
[12:07] <nishaYadav> ayoung, I am glad, had to stay up late otherwise :P
[12:07] *** dave-mccowan has joined #openstack-keystone
[12:12] *** raildo has joined #openstack-keystone
[12:13] *** edmondsw has joined #openstack-keystone
[12:21] *** mvk has joined #openstack-keystone
[12:24] *** david-lyle has quit IRC
[12:41] *** thorst_ has joined #openstack-keystone
[12:48] <dstanek> morning
[12:51] <stevemar> o/ dstanek
[12:59] *** ayoung has quit IRC
[13:00] *** ayoung has joined #openstack-keystone
[13:00] *** ChanServ sets mode: +v ayoung
[13:04] *** mvk has quit IRC
[13:08] *** catintheroof has joined #openstack-keystone
[13:17] *** mvk has joined #openstack-keystone
[13:29] *** lbragstad_ is now known as lbragstad
[13:29] *** ChanServ sets mode: +v lbragstad
[13:29] *** iurygregory has joined #openstack-keystone
[13:35] <lbragstad> o/
[13:38] <jmccarthy> Hiya samueldmq :) You still about ?
[13:39] <jmccarthy> Follow up question re: grant http://docs.openstack.org/developer/python-keystoneclient/api/keystoneclient.v3.html#keystoneclient.v3.roles.RoleManager.grant
[13:39] <samueldmq> jmccarthy: hi
[13:39] *** links has quit IRC
[13:39] <jmccarthy> I have a v3 client working like this at the moment for example:
[13:39] <jmccarthy> keystone type: <class 'keystoneclient.v3.client.Client'>
[13:39] <jmccarthy> keystone.auth_token: 66b2344091b14be7b471f5be70705a79
[13:40] <jmccarthy> I'm not sure how to try grant ?
[13:40] <samueldmq> jmccarthy: to get to that grant operation you should be able to do
[13:40] <samueldmq> keystone.roles.grant(...)
[13:41] <jmccarthy> Ah ok lemme see
[13:41] <samueldmq> and pass the parameters as needed, all the params are specified in that doc
[13:41] <samueldmq> ^
[13:41] <openstackgerrit> Merged openstack/oslo.policy master: Remove support for py34 https://review.openstack.org/430611
[13:42] *** AlexeyAbashkin has joined #openstack-keystone
[13:42] *** AlexeyAbashkin has quit IRC
[13:43] <jmccarthy> Hmm what would be equivalent to this ? openstack role add --user test --project proj _member_
[13:44] *** prashkre has quit IRC
[13:48] <jmccarthy> I guess this is wrong ?
[13:48] <jmccarthy> keystone.roles.grant(_member_, user=test, group=_member_, domain=admin, project=default, os_inherit_extension_inherited=False, **kwargs)
[13:48] <jmccarthy> NameError: name '_member_' is not defined
[13:55] <jmccarthy> samueldmq: Any suggestions on what params I have messed up ? I think role is first but says not defined (openstack role list shows it there)
[13:56] *** zhurong has joined #openstack-keystone
[13:58] *** lucas_ has joined #openstack-keystone
[14:02] *** stradling has joined #openstack-keystone
[14:03] *** prashkre has joined #openstack-keystone
[14:04] <openstackgerrit> David Stanek proposed openstack/keystone master: Removed the deprecated pki_setup command https://review.openstack.org/430938
[14:06] <samueldmq> jmccarthy: that's a python error, try something like  keystone.roles.grant("_member_", user="test")
[14:08] <jmccarthy> Hmm interesting, ok aside from 'Using keystoneclient sessions has been deprecated. Please update your software to use keystoneauth1' it complains: keystoneauth1.exceptions.http.NotFound: Could not find role: _member_
[14:09] <openstackgerrit> Boris Bobrov proposed openstack/keystone master: Enable trusts for federated users https://review.openstack.org/415545
[14:10] <jmccarthy> samueldmq Oh ah ok - it requires role id (not the friendly name)
[14:10] *** nishaYadav_ has joined #openstack-keystone
[14:10] <jmccarthy> Now I get user test not found ;)
[14:10] <jmccarthy> Ok that is great - let me go and try that out some more - thanks again !
[14:12] *** nishaYadav has quit IRC
[14:12] <samueldmq> jmccarthy: yeah, try keystone.users.list() and get a valid one for the role assignment
[14:12] <odyssey4me> congrats lbragstad
[14:12] <odyssey4me> and commiserations :p
[14:12] <samueldmq> jmccarthy: sure, np
[14:13] <lbragstad> odyssey4me thank you!
[14:13] *** AlexeyAbashkin has joined #openstack-keystone
[14:15] <jmccarthy> samueldmq Hmm the users list squawks: UserWarning: Using keystoneclient sessions has been deprecated. Please update your software to use keystoneauth1.
[14:15] <jmccarthy> warnings.warn('Using keystoneclient sessions has been deprecated. ' and no results :/
[14:16] <samueldmq> jmccarthy: that's odd, a warning should not suppress the results
[14:18] *** lucas_ has quit IRC
[14:20] *** nishaYadav_ has quit IRC
[14:22] <jmccarthy> samueldmq it's ok I'm just using openstack client to get other info, seems to be working
[14:22] <jmccarthy> Need to check a bit more
[14:24] <samueldmq> jmccarthy: nice
[14:26] *** lamt has joined #openstack-keystone
[14:33] *** ngupta has joined #openstack-keystone
[14:38] *** spilla has joined #openstack-keystone
[14:42] <jmccarthy> samueldmq Oh hmm looks like I may have added this user previously with openstack client, new ones don't seem to be added :/
[14:42] <samueldmq> jmccarthy: creating new users is not working ?
[14:43] <samueldmq> jmccarthy: the method to create a new user is described at http://docs.openstack.org/developer/python-keystoneclient/api/keystoneclient.v3.html#keystoneclient.v3.users.UserManager.create
[14:43] <jmccarthy> I'm creating them ok using openstack client, I mean assigning role isn't working looks like
[14:44] <samueldmq> jmccarthy: are you getting an error ?
[14:44] <openstackgerrit> David Stanek proposed openstack/keystone master: Deprecate the AdminTokenAuthMiddleware https://review.openstack.org/305287
[14:44] <jmccarthy> No other output aside from same depr warn
[14:44] <samueldmq> jmccarthy: you should also be able to use openstackclient to assign roles too.
[14:44] <samueldmq> jmccarthy: so that means it was successfully added
[14:44] <jmccarthy> Yea, the client works, but the api is wanted for the role bit
[14:45] <samueldmq> jmccarthy: there is no output when a role assignment is successful, because the rest api returns 204 no content
[14:45] <samueldmq> so the client doesn't show anything
[14:45] <jmccarthy> Yes !
[14:45] <jmccarthy> Ok you were right, my bad - typo
[14:45] <jmccarthy> :)
[14:45] <jmccarthy> It is working :)
[14:46] <jmccarthy> Ok I'll stop going on about it now, thank you once again for the help :) !
[14:46] <samueldmq> jmccarthy: anytime
[14:49] <openstackgerrit> Lance Bragstad proposed openstack/keystone-specs master: Move federated attributes spec to Pike https://review.openstack.org/430974
[14:50] <jmccarthy> samueldmq: Out of curiosity, is https://github.com/openstack/python-openstacksdk keeping up with parity of other/older clients do you know ?
[14:51] <samueldmq> jmccarthy: sorry I don't know the current status of that effort. stevemar lbragstad may have a better idea ? ^
[14:52] <lbragstad> jmccarthy that'd be something stevemar can probably answer better than I can
[14:54] <jmccarthy> Ok just curious, no probs
[14:55] *** chris_hultin|AWA is now known as chris_hultin
[14:58] <stevemar> jmccarthy: the SDK is a best-effort project, ideally there is parity with all projects and API versions, but unless someone puts up the patches for a specific item, you may be waiting
[14:58] <stevemar> jmccarthy: drop by #openstack-sdks and ping briancurtin (oh actually he's here)
[15:00] <briancurtin> we don’t care about other clients. the goal is always to have 100% parity with what the REST APIs provide, but as steve says, it sometimes depends on someone to just write the support for certain APIs. when we kicked off some of the libraries, it was just a matter of writing code for parts of a service we understood, rather than trying to get 100% coverage
[15:01] *** lamt has quit IRC
[15:01] <briancurtin> we’re working back through the services to complete them, and can add new services relatively easily, but there’s no consideration for how other python-*client libs have done things
[15:02] <samueldmq> briancurtin: doesn't that make adoption harder? in the case people already use the python-*client libs?
[15:05] *** AlexeyAbashkin has quit IRC
[15:05] <briancurtin> samueldmq: yep, and that’s fine. there’s no possible way to make a new library that caters to the vast differences each of those libraries has. if you look at the original three: novaclient, glanceclient, and swiftclient, they use (or at least used) three naming formats, three return formats, three ways to get started, etc. this is one view to openstack,
[15:05] <briancurtin> not a continuation of ‘everything is different just because'
[15:05] *** adrian_otto1 has joined #openstack-keystone
[15:07] <samueldmq> briancurtin: interesting, and that's challenging to get to a point to say: "okay you can migrate to -sdk, we support x% of APIs and we'll prioritize it as a team, openstack team"
[15:07] <samueldmq> the openstack cross-project community will need to have that in mind if we want that to be the main client someday
[15:07] <samueldmq> imh
[15:07] <samueldmq> imho
[15:09] *** prashkre has quit IRC
[15:12] *** lamt has joined #openstack-keystone
[15:12] *** stradling has quit IRC
[15:12] *** jmccarthy has quit IRC
[15:13] *** jose-phillips has joined #openstack-keystone
[15:14] *** mvk has quit IRC
[15:15] *** jdennis1 has joined #openstack-keystone
[15:16] *** lucas_ has joined #openstack-keystone
[15:16] *** jdennis has quit IRC
[15:18] *** dikonoor has quit IRC
[15:20] *** dave-mccowan has quit IRC
[15:21] *** adrian_otto1 is now known as adrian_otto
[15:22] *** jose-phillips has quit IRC
[15:25] <knikolla> o/ moning
[15:25] <knikolla> morning*
[15:29] *** jmccarthy has joined #openstack-keystone
[15:33] <knikolla> lbragstad: congrats!
[15:33] <openstackgerrit> Richard Avelar proposed openstack/keystone master: Add --check to keystone-manage db_sync command https://review.openstack.org/416383
[15:38] *** dave-mccowan has joined #openstack-keystone
[15:39] *** stradling has joined #openstack-keystone
[15:42] *** mvk has joined #openstack-keystone
[15:51] *** ravelar has joined #openstack-keystone
[15:57] *** adrian_otto has quit IRC
[16:01] <lbragstad> friendly reminder that we have the policy meeting starting in #openstack-meeting-cp!
[16:07] <odyssey4me> stevemar ravelar lbragstad I added some comments to https://review.openstack.org/#/c/416383/ in both the latest and previous PS
[16:08] <odyssey4me> I'm happy to discuss further and will do daily reviews of the patch from here on.
[16:09] <ravelar> lbragstad, odyssey4me, stevemar sure, I would like to discuss the use of return codes for the purpose of checking up to date versions in the db_sync commands after the meeting
[16:09] <odyssey4me> ravelar ping me when you're ready
[16:10] *** jaugustine has joined #openstack-keystone
[16:14] <openstackgerrit> Richard Avelar proposed openstack/keystone master: Add --check to keystone-manage db_sync command https://review.openstack.org/416383
[16:16] *** adrian_otto has joined #openstack-keystone
[16:23] *** david-lyle has joined #openstack-keystone
[16:25] *** zhurong has quit IRC
[16:39] *** rcernin has quit IRC
[16:52] *** david-lyle has quit IRC
[16:53] *** Guest66676 is now known as Guest6666
[16:55] *** stradling has quit IRC
[16:57] *** prashkre has joined #openstack-keystone
[16:57] *** oomichi has left #openstack-keystone
[16:59] *** stradling has joined #openstack-keystone
[17:01] <lbragstad> johnthetubaguy sorry - totally didn't mean to cut you off
[17:05] *** stradling has quit IRC
[17:05] *** tesseract has quit IRC
[17:05] *** dikonoor has joined #openstack-keystone
[17:06] *** tqtran has joined #openstack-keystone
[17:08] *** jdennis1 is now known as jdennis
[17:10] <lbragstad> ravelar odyssey4me stevemar still available to discuss https://review.openstack.org/#/c/416383/ ?
[17:10] *** tqtran has quit IRC
[17:11] <odyssey4me> o/
[17:11] <ravelar> lbragstad o/
[17:11] <lbragstad> odyssey4me o/
[17:12] *** david-lyle has joined #openstack-keystone
[17:12] <lbragstad> do we want this check to perform the check against the migration scripts or the various versions of the migration repos stored in the db?
[17:12] <openstackgerrit> Ron De Rose proposed openstack/keystone master: Ensure migration file names are unique to avoid caching errors https://review.openstack.org/429912
[17:13] <lbragstad> i.e. these migration numbers https://github.com/openstack/keystone/tree/master/keystone/common/sql/expand_repo/versions or the actual repository version stored in the database?
[17:14] <odyssey4me> hmm, I'm not sure I understand the difference in approach
[17:14] <lbragstad> odyssey4me you expect to use the tool in automated fashion with osa, right?
[17:14] <lbragstad> odyssey4me you'd run the check during the upgrade process?
[17:14] <odyssey4me> yes
[17:15] <odyssey4me> the check would run during both a greenfield deployment and an upgrade (both minor and major)
[17:16] <lbragstad> ok
[17:16] <lbragstad> sqlalchemy keeps track of the repository state in the database - http://cdn.pasteraw.com/l47gkky5df2awt8g9y9yl29ux6dk7sq
[17:16] <lbragstad> and the current approach is checking those values
[17:17] <lbragstad> (there could be another approach to check the available migrations installed)
[17:18] <odyssey4me> which is the best source of truth?
[17:18] <lbragstad> where keystone-manage db_sync --check could check the version of the repositories from the database, but also check to see if there were any migrations installed that haven't run
[17:18] <lbragstad> personally, i think the state in the database would be better
[17:18] <lbragstad> installations can be rolled back
[17:18] <lbragstad> or swapped out with virtualenvs
[17:19] <lbragstad> so - you could get different check results depending on the code you have installed
[17:20] <ravelar> lbragstad odyssey4me you mean checking for up-to-date versions by checking what the version is in the database against what is installed/available in the repos right?
[17:21] <odyssey4me> ravelar yes, that's pretty much part of what I hope to achieve
[17:21] <odyssey4me> one part is to check whether all available migrations have run
[17:21] *** jaosorior has joined #openstack-keystone
[17:22] <lbragstad> odyssey4me so after you install a new venv on a keystone node that has new migration scripts available, you'd expect keystone-manage db_sync --check to say something like "hey, you have migrations you need to run!"
[17:22] <odyssey4me> another is to identify at what stage of migration an upgrade may be at
[17:22] <odyssey4me> lbragstad yes
[17:22] <lbragstad> odyssey4me aha
[17:22] <lbragstad> ravelar so i was wrong
[17:22] <lbragstad> ravelar sorry about that
[17:23] <odyssey4me> you have migrations to run would be one state
[17:23] <lbragstad> I was under the assumption that all the decisions about db state would be driven by the versions in the db
[17:24] <lbragstad> odyssey4me another state would be that your expand repository is up to date but the others aren't
[17:24] <odyssey4me> yep
[17:24] <lbragstad> and you'd expect each of these states to emit a different return code
[17:24] <odyssey4me> yes, ideally
[17:24] <lbragstad> and each return code should be documented
[17:25] <odyssey4me> yes
[17:25] <lbragstad> (preferably in the upgrade docs?)
[17:25] <odyssey4me> in the upgrade docs would make sense
[17:25] <lbragstad> ++
[17:25] <lbragstad> ravelar does that make sense?
[17:25] <odyssey4me> it's ideal to refer to a single point where explanations are, instead of scattering them all over the place
[17:26] <ravelar> odyssey4me so basically "identify at what stage of migration an upgrade may be at" (currently done by notifying the user of the next step that is needed to be taken)
[17:26] <openstackgerrit> Gage Hugo proposed openstack/keystone master: Fixed warning when building keystone docs https://review.openstack.org/431077
[17:26] <odyssey4me> ravelar yes
[17:26] <ravelar> odyssey4me as for the error code, I see how this is commented to be added under some of the if statements. What I don't understand is what additional information you wanted to add that isn't there in the log?
[17:26] <odyssey4me> the information about the next step is for humans though - machines just want an error code
[17:27] <ravelar> odyssey4me ah, so just add a corresponding error code
[17:27] <lbragstad> ravelar so original output you had would be nice
[17:27] <lbragstad> where you just listed the various versions of each repo
[17:27] <ravelar> lbragstad yes, I have added this back on at the end
[17:27] <ravelar> :)
[17:28] <odyssey4me> the info output as it is now is fine, I haven't checked back very far
[17:28] <lbragstad> but the return code would be different
[17:28] <lbragstad> ok
[17:28] <odyssey4me> ravelar the error code is a return code, not a number in the output
[17:28] <lbragstad> ravelar aha - line 479 here https://review.openstack.org/#/c/416383/20/keystone/cmd/cli.py
[17:29] <ravelar> odyssey4me right returned as a systemexit
[17:29] <odyssey4me> ravelar yep
edmondswstevemar lbragstad isn't https://bugs.launchpad.net/keystone/+bug/1662911 just working as designed?17:29
openstackLaunchpad bug 1662911 in OpenStack Identity (keystone) "v3 API create_user does not use default_project_id" [Undecided,New]17:29
ravelarodyssey4me sweet, will get on that. Just needed clarification :)17:29
edmondswI don't think we want to use default_project_id with v317:29
ravelarlbragstad yse :)17:29
ravelaryes*17:29
odyssey4methanks all - love your work :)17:30
lbragstadravelar odyssey4me so a very basic idea would be http://cdn.pasteraw.com/aks00vy015d29jshc4n3f38n0f4l21o17:30
odyssey4melbragstad RC one is reserved for a failure17:30
odyssey4meRC = 117:30
ravelarright so use 2 & 3 instead17:31
odyssey4mebut yes, that's the general idea17:31
lbragstadupdated - http://cdn.pasteraw.com/230kik24j4adzna20e162jjhw2y19kg17:32
odyssey4meyeah, that's better17:32
odyssey4meit may be good to get mfisch's thoughts too?17:32
odyssey4meor EmilienM ?17:32
lbragstadodyssey4me ++17:33
*** ChanServ sets mode: +v topol_17:33
*** topol_ is now known as topol17:33
andrewbogottHello, all!  I'm running keystone/liberty with uwsgi, and I'm getting periodic 'Connection reset by peer' issues.17:36
andrewbogottI've been assuming that this was some screwup in my uwsgi config, but having googled a bit it looks like maybe a known issue with keystone itself… is this a familiar issue to others?17:36
andrewbogott(The failure is intermittent, and transient, and I can't find anything in the logs to acknowledge that it's happening.)17:37
EmilienModyssey4me: what's up?17:37
odyssey4meEmilienM we're discussing an addition to keystone-manage which allows the migration state to be checked, with unique return codes based on the state17:38
odyssey4methe general idea is that automation tooling (puppet, ansible, etc) can react based on the RC instead of having to guess17:38
odyssey4meand instead of having to parse output meant for humans17:38
odyssey4mefor example: http://cdn.pasteraw.com/230kik24j4adzna20e162jjhw2y19kg17:39
*** adrian_otto1 has joined #openstack-keystone17:39
odyssey4methe patch state is currently https://review.openstack.org/416383 but does not yet include return codes17:39
lbragstadravelar I added that paste to the bug reoprt17:40
lbragstadreport*17:40
ravelarlbragstad sweet, thanks!17:40
odyssey4meEmilienM based on that very brief conceptual overview, are there any issues/concerns/comments?17:40
odyssey4melbragstad ravelar Are you hoping to squeeze this one into Ocata?17:41
lbragstadodyssey4me not that I am aware of17:42
odyssey4meok, so this is for pike17:42
odyssey4me'tis all good - that gives us some time to try it out :)17:42
lbragstadodyssey4me but I'm totally willing to be convinced17:42
*** adrian_otto has quit IRC17:42
openstackgerritRichard Avelar proposed openstack/keystone master: Add --check to keystone-manage db_sync command  https://review.openstack.org/41638317:42
odyssey4melbragstad my concern would be that the RCs are essentially an interface - like an API17:43
EmilienModyssey4me: oh I see. Yeah in Puppet we can tell "don't fail if RC is 1", etc17:43
lbragstadodyssey4me yeah - true17:43
ravelarlbragstad, odyssey4me let me know if that is what you are looking for :)17:43
EmilienMwe can even tell "fail if code is XX"17:43
odyssey4meso it'd be better to try and get the automation projects to consume the tooling and give feedback17:43
lbragstadodyssey4me ++17:43
odyssey4meEmilienM same here, but we ideally don't want RC 1 as that's typically the 'fail' code which everyone knows17:44
odyssey4meso basically here you'd be able to say 'if RC 2, then run migrate'17:44
odyssey4meif RC 2, then run contract17:44
odyssey4meoops17:44
odyssey4meif RC 0, everything is good17:45
odyssey4meif RC 1, something is broken17:45
odyssey4meif RC 2, execute the expand17:45
odyssey4meif RC 3, execute the migrate17:45
odyssey4meif RC 4, execute the contract17:45
odyssey4meno guessing17:45
odyssey4meand major upgrades can be effectively orchestrated17:46
lbragstadright17:46
EmilienMoh wow, that's complex17:46
lbragstadRC = 0 would mean the latest migration script version would match all the repository versions in the database17:46
EmilienMwe'll have to write a provider to do that17:46
odyssey4meEmilienM upgrades are complex, and the idea here is to provide the right information in a machine-readable way to be able to orchestrate them17:47
ravelarlbragstad what do you mean "available by inspecting the return code" are you talking about in main?17:49
lbragstadthe return code can be checked using `echo $?` for example17:50
ravelarlbragstad ah17:50
ravelarlbragstad and back to comparing max repo version as well?17:51
ravelarlbragstad just to clarify17:51
lbragstadravelar correct17:51
ravelarlbragstad alrighty!17:51
*** adrian_otto1 has quit IRC17:51
lbragstadravelar make sense?17:51
*** lucas_ has quit IRC17:52
ravelarlbragstad yes perfect sense now, thanks all17:52
lbragstadravelar example - http://cdn.pasteraw.com/uukzhx01zsntq4rppucmxqd4f82lqw17:53
*** adrian_otto has joined #openstack-keystone17:53
ravelarlbragstad ah, so manually checked return codes17:54
lbragstadravelar yeah - that was just an example... but you can tell automation tooling, like ansible, to do things based on return codes of a command17:55
lbragstadravelar like this - http://stackoverflow.com/questions/34340562/evaluating-return-code-in-ansible-conditional17:56
lbragstadravelar http://docs.ansible.com/ansible/common_return_values.html#rc17:56
*** jamielennox is now known as jamielennox|away18:00
*** tqtran has joined #openstack-keystone18:04
EmilienModyssey4me, lbragstad: is this migration thing designed somewhere in a spec or documented somewhere?18:18
EmilienMlbragstad: I want to start planning puppet work18:18
EmilienMlbragstad: though in the case of tripleo, we use ansible to do upgrades18:19
lbragstadEmilienM we have a bug? https://bugs.launchpad.net/keystone/+bug/164221218:19
openstackLaunchpad bug 1642212 in OpenStack Identity (keystone) "RFE: keystone-manage db_sync --check" [Wishlist,In progress] - Assigned to Richard (csravelar)18:19
*** aloga_ has quit IRC18:25
*** dikonoor has quit IRC18:30
*** stradling has joined #openstack-keystone18:35
*** portdirect has quit IRC18:35
*** robcresswell has quit IRC18:35
*** waj334 has quit IRC18:35
*** pkoraca has quit IRC18:35
*** erlon has quit IRC18:35
*** wolsen has quit IRC18:35
*** nikhil has quit IRC18:35
*** DuncanT has quit IRC18:37
*** cargonza has quit IRC18:37
*** AndyWojo has quit IRC18:37
*** kamal___ has quit IRC18:37
*** raddaoui has quit IRC18:37
*** morgan has quit IRC18:45
*** jraim has quit IRC18:45
*** ctracey has quit IRC18:45
*** serverascode has quit IRC18:45
*** lucas_ has joined #openstack-keystone18:50
antwashHas anyone ever had this traceback error with sqlalchemy? http://paste.openstack.org/show/598127/ -- I'm updating a column value for (one or more) rows depending on number returned from query. For the changes to execute I have 'session.commit()', but it's giving me the traceback error.18:50
lbragstadantwash yeah - i was getting that same error yesterday when I was playing with your patch locally18:52
*** stradling has quit IRC18:52
lbragstadantwash these are the changes I was making locally - http://cdn.pasteraw.com/ins0fam7p8i86khn4zda2dhftuf2w0l18:53
*** stradling has joined #openstack-keystone18:53
antwashlbradstad : yeah I was reading some docs, and I seen that was another approach to update the values, instead of the way I'm currently doing18:55
lbragstadantwash also - most of the session_for_write() stuff just uses the attributes defined in the model18:55
lbragstadhttps://github.com/openstack/keystone/blob/029476272fb869c6413aa4e70f4cae6f890e598f/keystone/common/sql/core.py#L22018:56
lbragstadthe session_for_write() method is wrapped so I assume it handles the context manager accordingly18:56
knikollasorry for not being much around this week, i'm not feeling well.19:06
openstackgerritRichard Avelar proposed openstack/keystone master: Add --check to keystone-manage db_sync command  https://review.openstack.org/41638319:07
lbragstadknikolla no worries - hopefully you start feeling better19:12
*** MasterOfBugs has joined #openstack-keystone19:22
*** jraim has joined #openstack-keystone19:23
dstanekantwash: are you not in a session19:24
dstanek?19:24
*** erlon has joined #openstack-keystone19:25
antwashdstanek: yeah I am, that's why it's weird19:26
*** ctracey has joined #openstack-keystone19:28
*** DuncanT has joined #openstack-keystone19:31
*** serverascode has joined #openstack-keystone19:31
*** DuncanT has quit IRC19:35
dstanekantwash: are you in a writable session?19:38
lbragstaddstanek i think it was because we wanted to update any default_project_ids to None19:39
dstaneklbragstad: that's a weird message.19:41
lbragstaddstanek it is19:41
lbragstaddstanek antwash it might be worth asking zzzeek, too19:42
dstaneklbragstad: i've only seen messages like that when i didn't actually have a connection or session. i don't remember that specific message though19:43
lbragstaddstanek yeah - that sounds about right19:43
dstaneklbragstad: antwash: is this a unit test that's failing?19:43
lbragstaddstanek but most of the time (at least from what i can tell) we use the session_for_read and session_for_write context managers to handle all that stuff for us19:44
antwashdstanek: awe, yep it's a unit test that's failing19:44
dstanekantwash: do you have the latest in gerrit?19:44
antwashdstanek : not yet I could push it up if needed -- didn't change much, but this 'with sql.session_for_write() as session:'19:45
antwashI've been reading docs and stackoverflow for hours19:45
*** haplo37 has quit IRC19:46
dstanekantwash: push up the latest and i can give it a try19:46
antwashdstanek : give me a minute or two19:46
dstanekantwash: np. i have to run and get my kids from school. i'll be back in 2019:47
*** lucas_ has quit IRC19:49
*** browne has joined #openstack-keystone19:49
*** DuncanT has joined #openstack-keystone19:51
*** pkoraca has joined #openstack-keystone19:53
*** waj334 has joined #openstack-keystone19:53
*** robcresswell has joined #openstack-keystone19:55
*** portdirect has joined #openstack-keystone19:57
*** haplo37_ has joined #openstack-keystone19:57
*** david-lyle has quit IRC19:57
*** spzala has joined #openstack-keystone19:59
*** spzala has quit IRC19:59
*** jaosorior has quit IRC20:02
*** nikhil has joined #openstack-keystone20:03
openstackgerritAnthony Washington proposed openstack/keystone master: Clear the project ID from user information  https://review.openstack.org/42904720:03
openstackgerritAnthony Washington proposed openstack/keystone master: Clear the project ID from user information  https://review.openstack.org/42904720:05
*** edtubill has joined #openstack-keystone20:05
antwashdstanek : cool, I just pushed it up for you https://review.openstack.org/#/c/429047/20:06
*** stradling has quit IRC20:07
*** wolsen has joined #openstack-keystone20:08
openstackgerritAnthony Washington proposed openstack/keystone master: Clear the project ID from user information  https://review.openstack.org/42904720:10
*** cargonza has joined #openstack-keystone20:10
dstanekantwash: sweet. back now.20:11
*** raddaoui has joined #openstack-keystone20:11
*** morgan has joined #openstack-keystone20:12
*** AndyWojo has joined #openstack-keystone20:13
*** david-lyle has joined #openstack-keystone20:15
morganwow... openstack is so unusable20:16
*** kamal___ has joined #openstack-keystone20:16
morgansorry openstackclient -- i can't get it even to work with basic examples20:16
* morgan goes and hunts down mordred20:16
lbragstadmorgan hey - we've had some discussions about default_project_id and options, right?20:17
lbragstadmorgan is there anything we could do to make this easier using your route? https://bugs.launchpad.net/keystone/+bug/166291120:18
openstackLaunchpad bug 1662911 in OpenStack Identity (keystone) "v3 API create_user does not use default_project_id" [Undecided,New]20:18
morgannot really20:18
zzzeekantwash: the error means you are calling session.commit() on a Session that has autocommit=True and the begin() method has not been called20:19
antwashzzzeek, awe so the it's no need to even call session.commit() since autocommit is true.20:20
*** david-lyle has quit IRC20:20
zzzeekantwash: i wouldn't say that.  if using the session w/ autocommit, begin() should always be called.  autocommit is a legacy mode of operation.    keystone should move to enginefacade in any case which takes care of the correct patterns20:20
morgananyone here able to look at a clouds.yaml and tell me what i'm doing wrong?20:21
*** spzala has joined #openstack-keystone20:21
*** spzala has quit IRC20:21
morgan... this is ... wow.20:21
morganhttps://www.irccloud.com/pastebin/939qFOcZ/20:21
morgan^This does not work, with auth-url, without, with api-version, without, looks like os-client-config also cannot work with user_id and project_id. basically i don't know how anyone uses this successfully atm20:22
*** lucas_ has joined #openstack-keystone20:23
morganstevemar, mordred, lbragstad, ^20:24
* morgan is trying to get back to work and needs to get access via API to vexxhost and doing it via curl is just... well no.20:25
morganjust no20:25
lbragstadmorgan I know dstanek uses it a lot20:25
morganlbragstad: the bad part is there is zero usable documentation on this crap20:26
morganlbragstad: i've now spent an hour trying to figure out what i did wrong here.20:26
dstanekantwash: left you some comments on the review20:26
morganand nothing is making sense, curl to the keystone API works, but occ and openstackclient... afaict just don't work20:26
morganat all20:27
dstanekmorgan: do you have an auth url specified somewhere else?20:27
morgandstanek: it should be part of the vexxhost profile20:27
morganit is talking to auth.vexxhost.net20:27
morganwhich is correct20:28
morganUsing auth plugin: password20:28
morganUsing parameters {'username': 'aecf76e9-15ea-46e0-b982-446f32d1e150', 'project_name': 'aecf76e9-15ea-46e0-b982-446f32d1e150', 'user_domain_name': 'Default', 'auth_url': u'https://auth.vexxhost.net', 'password': '***', 'project_domain_name': 'Default'}20:28
dstanekhmmm... i don't use user_id and project_id together. just username and project_id20:28
morgandstanek: when i try and use user_id I get errors like must supply username with --os-username20:29
dstanekmorgan: your paste looks correct to me20:29
morganafaict occ and osc are broken.20:29
morganand just don't work20:29
dstanekdoes occ support user_id?20:29
morgansure doesn't seem like it20:30
*** martinlopes has joined #openstack-keystone20:31
dstanekmorgan: not sure if it actually works, but the code appears to be doing something with it20:31
morganyeah i tried to use user_id or "id" or variations20:31
morgani ended up being told i have to supply a username on the cli20:31
* morgan tries again without using clouds.yaml20:32
morganbut ... i think osc just doesn't work atm20:32
*** stradling has joined #openstack-keystone20:36
morganftr: this is the latest "pip install python-openstackclient"20:39
*** jaosorior has joined #openstack-keystone20:42
*** pcaruana has quit IRC20:43
mordredmorgan: occ supports user-id and username and if you provide both it should just pass both to keystoneauth20:43
mordredmorgan: so - I just reinstalled osc with pip install -U python-openstackclient20:47
mordredmorgan: and it's working for me ... can you paste your most recent (redacted) clouds.yaml again (and I'm sorry this is breaking for you)20:47
dstanekmordred: it is broken for me too20:50
*** aastha has joined #openstack-keystone20:50
dstanekmordred: this check fails http://git.openstack.org/cgit/openstack/osc-lib/tree/osc_lib/api/auth.py#n10920:50
dstanekopenstack --os-cloud devstack-admin user list -- works fine, but replace username: admin with user_id: XXXX and it starts to fail20:52
mordreddstanek: ah- that's one of those places where osc and occ do things different ... so I agree, it seems osc does not support user_id20:54
dstanekmordred: i'm planning on filing a bug and patch after this meeting unless someone gets to it first20:54
mordreddstanek: woot! I'm 12 things deep in my stack, so you'll certainly get to it before me20:55
openstackgerritRichard Avelar proposed openstack/keystone master: Add --check to keystone-manage db_sync command  https://review.openstack.org/41638320:56
openstackgerritRichard Avelar proposed openstack/keystone master: Add --check to keystone-manage db_sync command  https://review.openstack.org/41638320:57
*** lucas_ has quit IRC21:00
dstanekmordred: lol21:02
*** stradling has quit IRC21:02
*** jamielennox|away is now known as jamielennox21:03
*** stradling has joined #openstack-keystone21:05
*** lucas_ has joined #openstack-keystone21:09
*** lucas_ has quit IRC21:16
*** lucas_ has joined #openstack-keystone21:16
*** adriant has joined #openstack-keystone21:20
*** lucas_ has quit IRC21:20
*** lucas_ has joined #openstack-keystone21:20
*** prashkre has quit IRC21:21
openstackgerritRon De Rose proposed openstack/keystone master: Add 'token' to the methods in the federated scoped token response  https://review.openstack.org/43118121:24
morganrderose: ^ is that intended?21:26
*** dave-mccowan has quit IRC21:26
morganrderose: you're adding "token" in all cases?21:26
morganrderose: in theory you should only use token if you're explicitly using a token for rescoping21:26
morganhence the "token" plugin21:27
morganthis feels like it should still not be "token"21:27
rderosemorgan: hmm... for federation you use token to authenticate to get a scoped token21:27
morganrderose: then you should be hitting the Token plugin21:28
morgansince you're already using a keystone token21:28
morganadding it in the federated plugin doesn't make sense21:28
rderosemorgan: this is federation, has its own path21:28
* morgan facepalms.21:28
rderosemorgan: I agree though, totally needs to be refactored21:28
rderosemorgan: federation has its own API for tokens21:29
morganadd "federated_scoped" then or some such21:29
morgancall it something not "token" if it doesn't explicitly hit the auth method named "token"21:29
rderosemorgan: http://developer.openstack.org/api-ref/identity/v3-ext/#os-federation-api21:29
*** adrian_otto has quit IRC21:29
rderosemorgan: /v3/auth/tokens21:30
morganso you *have* to use the os-federation path to rescope to a scoped token?21:30
* morgan is confused.21:30
rderoseme too21:30
rderoseyes21:30
openstackgerritGage Hugo proposed openstack/keystoneauth master: Fixed multiple target Auth warning in docstring  https://review.openstack.org/43118421:30
morganstill not correct to use mapped in that case.21:31
morganferm21:31
morganerm*21:31
morgantoken21:31
jamielennoxyou shouldn't21:31
jamielennoxwe deprecated that21:31
morganok so, you *can* use the standard token auth path?21:31
jamielennoxyou should be able to use the standard /auth/tokens role and if it's a federated token it just goes down a slightly different code path21:31
jamielennoxs/role/route21:31
morganok, yeah then don't muck with adding "token" auth to mapped like that21:31
morganthat is incorrect21:31
morganin the auth methods that is21:32
*** lucas_ has quit IRC21:32
openstackgerritRon De Rose proposed openstack/keystone master: Include 'token' in the method list for federated scoped tokens  https://review.openstack.org/43118121:32
jamielennoxregarding the federated token there shouldn't be anything left that doesn't treat it just like a normal token21:32
rderosemorgan: https://bugs.launchpad.net/keystone/+bug/150103221:32
openstackLaunchpad bug 1501032 in OpenStack Identity (keystone) "incorrect method list is returned when scoping tokens with federation" [Low,Triaged] - Assigned to Ron De Rose (ronald-de-rose)21:32
*** lucas_ has joined #openstack-keystone21:32
morganarguably we should redirect that into the token plugin in that case21:33
morganmapped should *not* ever add "token" as a method itself21:33
openstackgerritRon De Rose proposed openstack/keystone master: Include 'token' in the method list for federated scoped tokens  https://review.openstack.org/43118121:33
rderosemorgan: let see where I can add that then21:33
*** lucas_ has quit IRC21:34
morganrderose: it means we're calling that incorrectly if the token plugin isn't doing the lifting21:34
morganthats all.21:34
rderosemorgan: yeah, just so hard to trace this freakin code21:35
rderose:)21:35
morganwell it's worth doing it right in this case21:35
morgani'm guessing we need to make the Token method handler smarter21:35
morganso it can handle the mapped magic21:35
lbragstadravelar reviewed - https://review.openstack.org/#/c/416383/2421:36
jamielennoxlbragstad: congrats on the job!21:36
lbragstadjamielennox thanks!21:36
morganlbragstad: https://review.openstack.org/#/c/428472/ should be quick/easy and should prevent future ick from sneaking into the sql models21:37
morganlbragstad: and https://review.openstack.org/#/c/427878/ just so it's early on and we can prevent weirdness down the line.21:37
lbragstadravelar also - i just responded to the comments you had on patch set 22 - https://review.openstack.org/#/c/416383/2221:41
lbragstadmorgan checking21:41
lbragstadmorgan was https://review.openstack.org/#/c/428472/ fixing a developer problem?21:42
*** lucas_ has joined #openstack-keystone21:42
morganlbragstad: it is fixing a "people keep using the "extras"-included base even when they shouldnt and when they don't include an extras column"21:43
morganwe should not ever add "Extras" going forward21:43
morganand we shouldn't expect it to magically work if someone added the column21:44
lbragstadmorgan ah21:44
*** dave-mccowan has joined #openstack-keystone21:46
*** adrian_otto has joined #openstack-keystone21:47
lbragstadmorgan so what happens if someone is already using extras in any of these models?21:48
lbragstadmorgan nevermind that last question21:48
morganhehe21:49
morganno model that supplied extras was changed21:49
morgananything that didn't use it was21:49
lbragstadmorgan so just to double check - extras had to be defined in the model attributes in order to be used in the table21:49
morganyep21:50
morganit didn't break because *magic* we checked some extra stuff21:50
morganbut reality, we were lucky21:50
lbragstadso if the model doesn't have extras in its attributes, we should be able to switch it to ModelDictBase cleanly21:50
morganyep.21:50
morganas shown by that patch, which does that21:50
morganif it has extras defined, it is assumed that we need the "extras" processing and do the weird mapping of things into a json blob21:51
*** raildo has quit IRC21:51
lbragstadso this would have been much worse if people were actually defining the model with extras21:51
lbragstadbecause then we wouldn't be able to remove it21:51
morganyes21:52
morganthis is an effort to make sure someone doesn't go and define "extras" everywhere21:52
morganwe can't get rid of it (atm)21:52
morganbut we sure can not use it going forward21:52
morganfor new things21:52
lbragstadthe User model doesn't have extras in the attributes?21:52
morganyou have to look at how to_dict and from_dict work21:52
morganit's not a column that is directly populated21:53
morganit's... ugh, just icky21:53
*** thorst_ has quit IRC21:53
morganbut basically anything that isn't in the attributes, gets stashed in exteas21:53
morganextras*21:53
morganit's super ugly21:53
*** thorst_ has joined #openstack-keystone21:53
lbragstadmorgan oh - i thought you were only talking about the attribute list21:54
lbragstadnot extra = sql.Column(sql.JsonBlob(), nullable=False) for example21:54
morganyes. this is the column itself21:54
lbragstadlooking at line 38 here - https://review.openstack.org/#/c/428472/4/keystone/oauth1/backends/sql.py,unified21:54
morganand the mixin does the lifting magic for that serialization21:54
morganok so21:55
morgani also renamed it to ModelDictMixinWithExtras21:55
morgansee that one has extras21:55
lbragstadright21:55
morganwhere requesttoken (below) doesn't have "extras"21:55
morganbut was using dictbase21:55
lbragstadright21:56
morganso someone could define extras on it and we'd be stuf with it21:56
*** jaosorior has quit IRC21:56
morganstuck*21:56
morgannot that the code supported it21:56
morganbut you see.21:56
lbragstadmorgan how come we don't put extras in the attribute list on line 34?21:56
morganbecause we don't support <dict>['extras']21:56
openstackgerritGage Hugo proposed openstack/keystonemiddleware master: Fixed man_pages no value warning when making docs  https://review.openstack.org/43119621:56
morgananything in extras becomes <dict>[<key>]21:56
morganin to_dict21:56
morganand from_dict takes things not in attributes and does self.extras[<key>] = value21:57
lbragstadoh21:57
lbragstad..... oh!@21:57
morgani told you. ugly21:57
lbragstadit's like a nice little anti-pattern21:57
morgan"nice"21:57
morgannot the word i'd use21:58
lbragstadcute?21:58
*** thorst_ has quit IRC21:58
morgan"omg who thought this was a good idea"21:58
morgan;21:58
morgan;)21:58
morgani wish we could kill extras21:58
morganbut we wont ever be able to21:58
morganeven with microversions21:58
morganbut we can eliminate it from future things21:58
morganjust user, project, etc has it forevers21:59
*** stradling has quit IRC21:59
adriantmorgan: metadata table!22:03
adriantthen extras can die and go away22:03
morganadriant: don't even get me started on that22:05
morganadriant: :P22:05
adriantIn my case, i 'need' something like extras :(22:05
adriantbut a proper metadata table for projects/users would solve my problem much better22:05
*** ngupta has quit IRC22:06
adriantcan't be secretly replace 'extra' with a metadata table and write a migration from 'dict' to key=value row? :P22:06
adriantcan't we*22:06
adriantno one has to know!22:07
*** jaugustine has quit IRC22:13
morganadriant: i tried to pitch that22:17
morganbut... i was told no22:17
morganalso, extras itself is terrible22:17
morganmost everything someone is doing with extras should be stored in a CRM tool external to openstack22:17
morganor similar thing22:17
*** gyee has joined #openstack-keystone22:17
morganstoring the data in openstack is 99.9% of the time incorrect22:18
morganaka, billing information per project, add the project_id in your salesforce type thing and correlate there.22:18
morganetc.22:18
morganthe issue with extras is it is not validatable at the API layer22:18
morganand therefore we also can't provide indexing/searching/limiting on it22:19
morganyou have to inspect every single element in the backend to know if an option is set22:19
adriantwe do that, but some basic metadata for projects and such we store in keystone since it's not worth talking to an external system for it.22:19
* morgan has considered a config for vendor data that works like options22:19
morganand i'd argue you're putting it in the wrong place22:19
adriantAlthough! What about user.email :P22:20
morgani mean, i might be wrong, but almost every single case is better served externally22:20
adriantemail is stored in extras!22:20
morganemail shouldn't be stored on the user object22:20
morganperiod22:20
morganwe shouldn't be storing any PII in keystone22:20
morganbut that is a legacy thing we are stuck with... much like "extras" itself22:20
morganideally keystone should be as far out of scope of PII data as possible22:21
morganbecause if keystone is in scope, your entire cloud is in scope22:21
morgansince that data can leak from keystone into other services if you're not careful (someone adds a silly line of code)22:21
morgans/you're/we-the-devs-or-you-the-operator-changing-a-line-of-code/22:22
morganalso ftr, email is used by nothing inside keystone or openstack. it's just random data shoved into the user object.22:23
adriantWe're kind of stuck with it though since we're using an unfederated keystone backed by sql.22:23
morganwe can't even search a user based upon it22:23
morganemail should likewise be outside keystone.22:23
adriantalthough, in our case we are doing username = email22:23
lbragstaddstanek since you proposed https://review.openstack.org/#/c/305287/ would you be interested in reviewing https://review.openstack.org/#/c/427878/ ?22:23
morganif i had won the argument, extras would have gone away w/ no replacement22:23
morgana few cycles ago22:23
morganwhen email == username, the scope is a little different22:24
morganbut that is one of the edge-cases22:24
morganremember usernames are not really considered PII.22:24
morgan(they can't be)22:24
adriantwe don't actually use the email field (extras field), but we set it for legacy purposes22:24
adriantalthough I'm going to stop doing that...22:25
adriantusername==email was our way to avoid namespace conflicts since we are running a single domain public cloud...22:25
adriantI'm trying, trying very hard so we can one day move to giving all new customers their own domain.22:26
adriantbut we will be left with quite a few in the default domain we can't do anything about except tell them to slowly migrate to their own domain.22:26
adriantthis is one usecase where reparenting and moving a project/user to a new domain would be useful :P22:27
*** dave-mccowan has quit IRC22:31
*** ngupta has joined #openstack-keystone22:32
*** spilla has quit IRC22:34
*** erlon has quit IRC22:35
morganadriant: the way i'd probably do it is sunset the product that isn't a per-customer domain and then provide incentives to migrate.22:35
morganadriant: i get it would be useful, but it's just not something we can really support. it was examined and we came up with a huge slew of edge cases and massive security concerns22:36
*** ngupta has quit IRC22:36
*** lucas_ has quit IRC22:36
morgani think we discussed it over multiple cycles (reparenting and domain changes for resources)22:36
morganit's a massive headache.22:37
adriantmorgan: I know, I'm just teasing22:39
adriantI'm hoping to get us offering per customer domains as we upgrade and are happy with the offering, plus I'm working on shoehorning some HMT-lite features into single domain.22:40
*** edmondsw has quit IRC22:41
adriantpartly because I doubt we'll move to using multiple domains any time soon unless something very drastic changes :(22:41
lbragstadmorgan can i trade you a review? https://review.openstack.org/#/c/428543/22:43
*** browne has quit IRC22:48
*** edtubill has quit IRC22:52
*** edtubill has joined #openstack-keystone22:54
*** chris_hultin is now known as chris_hultin|AWA23:03
lbragstadravelar https://review.openstack.org/#/c/429113/1 looks good, just one minor suggestion on the commit message :)23:05
*** edtubill has quit IRC23:05
*** ngupta has joined #openstack-keystone23:06
openstackgerritMerged openstack/keystone master: Fixed warning when building keystone docs  https://review.openstack.org/43107723:09
*** catintheroof has quit IRC23:25
*** zhurong has joined #openstack-keystone23:30
openstackgerritRichard Avelar proposed openstack/keystone master: Add --check to keystone-manage db_sync command  https://review.openstack.org/41638323:33
*** zhurong has quit IRC23:36
*** browne has joined #openstack-keystone23:37
openstackgerritRichard Avelar proposed openstack/keystone master: Add unit test for db_sync run out of order  https://review.openstack.org/42911323:41
openstackgerritOctave Orgeron proposed openstack/keystone master: Closes-bug: 1662624  https://review.openstack.org/43122923:47
openstackbug 1662624 in OpenStack Identity (keystone) "MySQL Cluster support for Keystone" [Wishlist,In progress] https://launchpad.net/bugs/1662624 - Assigned to Octave Orgeron (octave-orgeron)23:47
*** phalmos has joined #openstack-keystone23:48
*** ngupta has quit IRC23:49
