Friday, 2017-05-26

*** r-daneel has quit IRC		00:02
*** markvoelker has joined #openstack-keystone		00:04
*** thorst has joined #openstack-keystone		00:06
*** stingaci has joined #openstack-keystone		00:10
*** markvoelker has quit IRC		00:16
*** Shunli has joined #openstack-keystone		00:18
*** adriant has joined #openstack-keystone		00:21
*** markvoelker has joined #openstack-keystone		00:21
*** thorst has quit IRC		00:22
*** thorst has joined #openstack-keystone		00:22
*** markvoelker has quit IRC		00:27
*** thorst has quit IRC		00:27
*** markvoelker has joined #openstack-keystone		00:30
*** markvoelker has quit IRC		00:31
*** lamt has quit IRC		00:36
openstackgerrit	Colleen Murphy proposed openstack/keystone master: WIP - start adding foundation for unified limits https://review.openstack.org/468223	00:39
*** lamt has joined #openstack-keystone		00:43
*** markvoelker has joined #openstack-keystone		00:54
*** markvoelker has quit IRC		00:58
*** markvoelker has joined #openstack-keystone		00:58
*** john5223_ has quit IRC		00:59
openstackgerrit	Merged openstack/keystone master: Basic overview of tempest and devstack plugins https://review.openstack.org/457768	01:01
*** lamt has quit IRC		01:02
*** lamt has joined #openstack-keystone		01:04
*** lamt has quit IRC		01:05
*** dikonoor has joined #openstack-keystone		01:08
openstackgerrit	yangweiwei proposed openstack/keystone master: update keystone federation auth https://review.openstack.org/467571	01:12
*** stingaci has quit IRC		01:12
*** dikonoor has quit IRC		01:15
*** gmann has joined #openstack-keystone		01:17
*** dave-mccowan has joined #openstack-keystone		01:21
*** edmondsw has joined #openstack-keystone		01:23
*** ducttape_ has joined #openstack-keystone		01:24
*** edmondsw has quit IRC		01:27
*** thorst has joined #openstack-keystone		01:27
*** lamt has joined #openstack-keystone		01:29
*** thorst has quit IRC		01:32
openstackgerrit	rocky proposed openstack/keystone master: Migrate render_token_data_response to keystone.common.controller https://review.openstack.org/464956	01:36
*** dave-mccowan has quit IRC		01:36
*** ducttape_ has quit IRC		01:41
*** markvoelker has quit IRC		01:41
*** thorst has joined #openstack-keystone		01:48
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone master: Updated from global requirements https://review.openstack.org/468242	01:48
*** thorst has quit IRC		01:48
*** ducttape_ has joined #openstack-keystone		01:50
*** zhurong has joined #openstack-keystone		01:51
*** ducttape_ has quit IRC		01:53
*** ducttape_ has joined #openstack-keystone		01:56
*** ducttape_ has quit IRC		02:01
*** ducttape_ has joined #openstack-keystone		02:03
*** ducttape_ has quit IRC		02:03
*** ducttape_ has joined #openstack-keystone		02:06
*** ducttape_ has quit IRC		02:17
openstackgerrit	ZhangHongtao proposed openstack/keystone master: Addition of "type" optional attribute to list credentials. https://review.openstack.org/468254	02:19
*** ducttape_ has joined #openstack-keystone		02:20
*** ducttape_ has quit IRC		02:26
*** ducttape_ has joined #openstack-keystone		02:32
*** ducttape_ has quit IRC		02:40
*** ducttape_ has joined #openstack-keystone		02:44
*** ducttape_ has quit IRC		02:47
*** ducttape_ has joined #openstack-keystone		02:47
*** thorst has joined #openstack-keystone		02:49
*** ducttape_ has quit IRC		02:53
*** thorst has quit IRC		02:54
*** ducttape_ has joined #openstack-keystone		02:55
*** ducttape_ has quit IRC		03:08
*** edmondsw has joined #openstack-keystone		03:11
*** edmondsw has quit IRC		03:15
*** prashkre has joined #openstack-keystone		03:23
*** stingaci has joined #openstack-keystone		03:38
*** thorst has joined #openstack-keystone		03:50
*** stingaci has quit IRC		03:53
*** thorst has quit IRC		03:54
*** lamt has quit IRC		03:59
*** aojea has joined #openstack-keystone		04:00
*** aselius has quit IRC		04:00
*** aojea has quit IRC		04:04
*** zhurong has quit IRC		04:07
*** aojea has joined #openstack-keystone		04:15
*** markvoelker has joined #openstack-keystone		04:19
*** zhurong has joined #openstack-keystone		04:45
*** lamt has joined #openstack-keystone		04:48
*** thorst has joined #openstack-keystone		04:51
*** thorst has quit IRC		04:55
*** edmondsw has joined #openstack-keystone		04:59
*** edmondsw has quit IRC		05:03
*** gyee has quit IRC		05:26
*** aojea has quit IRC		05:35
*** aojea has joined #openstack-keystone		05:42
*** stingaci has joined #openstack-keystone		05:42
*** pcaruana has joined #openstack-keystone		05:43
*** stingaci has quit IRC		05:47
*** adriant has quit IRC		05:49
*** thorst has joined #openstack-keystone		05:52
*** aojea has quit IRC		05:55
*** aojea has joined #openstack-keystone		05:57
*** aojea has quit IRC		06:00
*** AlexOughton has quit IRC		06:03
*** AlexOughton has joined #openstack-keystone		06:03
*** thorst has quit IRC		06:10
*** belmoreira has joined #openstack-keystone		06:10
*** rcernin has joined #openstack-keystone		06:10
*** markvoelker has quit IRC		06:12
*** toabctl has joined #openstack-keystone		06:15
toabctl	could some core approve https://review.openstack.org/#/c/467836 to fix the gate for keystonemiddleware please?	06:17
openstackgerrit	yangweiwei proposed openstack/keystone master: fix bugs in mapping rules with blacklist https://review.openstack.org/468278	06:31
*** markvoelker has joined #openstack-keystone		06:44
*** jamielennox is now known as jamielennox\|away		06:48
*** markvoelker has quit IRC		06:49
*** zhurong has quit IRC		06:54
*** markvoelker has joined #openstack-keystone		06:56
*** zhurong has joined #openstack-keystone		07:00
*** markvoelker has quit IRC		07:02
*** jaosorior has joined #openstack-keystone		07:06
*** thorst has joined #openstack-keystone		07:07
*** Dinesh_Bhor has quit IRC		07:07
*** markvoelker has joined #openstack-keystone		07:11
*** thorst has quit IRC		07:11
*** tobberydberg has joined #openstack-keystone		07:13
*** Dinesh_Bhor has joined #openstack-keystone		07:13
*** markvoelker has quit IRC		07:15
*** pnavarro has joined #openstack-keystone		07:16
*** aojea has joined #openstack-keystone		07:18
*** stingaci has joined #openstack-keystone		07:20
*** markvoelker has joined #openstack-keystone		07:25
*** markvoelker has quit IRC		07:30
openstackgerrit	yangweiwei proposed openstack/keystone master: Fix bugs to list domains or projects to federated user https://review.openstack.org/468290	07:33
*** stingaci has quit IRC		07:35
*** openstackgerrit has quit IRC		07:48
*** zzzeek has quit IRC		08:00
*** zzzeek has joined #openstack-keystone		08:00
*** thorst has joined #openstack-keystone		08:07
*** Shunli has quit IRC		08:10
*** Shunli has joined #openstack-keystone		08:11
*** thorst has quit IRC		08:13
*** openstackgerrit has joined #openstack-keystone		08:19
openstackgerrit	rocky proposed openstack/keystonemiddleware master: add a log when the option in conf can't be identitied https://review.openstack.org/467908	08:19
*** markvoelker has joined #openstack-keystone		08:19
*** markvoelker has quit IRC		08:28
pooja_jadhav	Hi all, I want to discuss about the keystone credential API, If user passes invalid query parameter while list of credentials, then what should be the output.. whether i should give all list of credentials or should give bad request for invalid query parameter?	08:35
*** edmondsw has joined #openstack-keystone		08:35
*** edmondsw has quit IRC		08:39
openstackgerrit	yangweiwei proposed openstack/keystone master: fix bug in keystone federation auth https://review.openstack.org/467571	09:02
*** thorst has joined #openstack-keystone		09:08
*** thorst has quit IRC		09:13
*** markvoelker has joined #openstack-keystone		09:13
*** markvoelker has quit IRC		09:18
*** zhurong has quit IRC		09:19
*** Shunli has quit IRC		09:27
*** markvoelker has joined #openstack-keystone		09:47
*** pnavarro has quit IRC		09:49
*** markvoelker has quit IRC		09:52
openstackgerrit	Merged openstack/keystonemiddleware master: Fix oslo.messaging deprecation of get_transport https://review.openstack.org/467836	10:07
*** lucasxu has joined #openstack-keystone		10:09
*** thorst has joined #openstack-keystone		10:09
*** thorst has quit IRC		10:13
*** markvoelker has joined #openstack-keystone		10:15
*** markvoelker has quit IRC		10:19
*** markvoelker has joined #openstack-keystone		10:34
*** markvoelker has quit IRC		10:39
*** lucasxu has quit IRC		10:40
*** markvoelker has joined #openstack-keystone		10:43
openstackgerrit	rocky proposed openstack/keystonemiddleware master: add a log when the option in conf can't be identitied https://review.openstack.org/467908	10:44
openstackgerrit	rocky proposed openstack/keystonemiddleware master: add a log when the option in conf can't be identitied https://review.openstack.org/467908	10:45
*** markvoelker has quit IRC		10:48
*** pnavarro has joined #openstack-keystone		10:53
*** raildo has joined #openstack-keystone		11:01
*** thorst has joined #openstack-keystone		11:10
*** thorst has quit IRC		11:14
*** stingaci has joined #openstack-keystone		11:16
*** markvoelker has joined #openstack-keystone		11:29
*** stingaci has quit IRC		11:32
*** markvoelker has quit IRC		11:34
*** thorst has joined #openstack-keystone		11:42
*** edmondsw has joined #openstack-keystone		11:56
*** masber has quit IRC		12:00
*** markvoelker has joined #openstack-keystone		12:00
*** d0ugal has quit IRC		12:02
*** markvoelker has quit IRC		12:05
*** markvoelker has joined #openstack-keystone		12:08
openstackgerrit	Michal Dulko proposed openstack/keystone master: Update doctor warning about caching https://review.openstack.org/468394	12:11
*** markvoelker has quit IRC		12:13
*** d0ugal has joined #openstack-keystone		12:18
*** ducttape_ has joined #openstack-keystone		12:20
*** frontrunner has joined #openstack-keystone		12:23
*** d0ugal has quit IRC		12:24
*** ducttape_ has quit IRC		12:25
*** ducttape_ has joined #openstack-keystone		12:26
openstackgerrit	Merged openstack/keystonemiddleware master: Updated from global requirements https://review.openstack.org/467155	12:37
*** d0ugal has joined #openstack-keystone		12:37
*** ducttape_ has quit IRC		12:40
*** ducttape_ has joined #openstack-keystone		12:40
*** ducttape_ has quit IRC		12:42
*** thorst has quit IRC		12:45
*** markvoelker has joined #openstack-keystone		12:51
*** markvoelker has quit IRC		12:58
*** thorst has joined #openstack-keystone		13:04
*** Dinesh_Bhor has quit IRC		13:05
*** dims has quit IRC		13:07
*** chlong has joined #openstack-keystone		13:07
*** piliman974 has joined #openstack-keystone		13:11
*** markvoelker has joined #openstack-keystone		13:12
*** lucasxu has joined #openstack-keystone		13:14
*** ducttape_ has joined #openstack-keystone		13:28
*** ducttap__ has joined #openstack-keystone		13:30
*** ducttape_ has quit IRC		13:33
*** cristicalin has joined #openstack-keystone		13:37
*** ducttap__ has quit IRC		13:38
*** pooja_jadhav has quit IRC		13:39
*** ducttape_ has joined #openstack-keystone		13:43
*** jerrygb has joined #openstack-keystone		13:45
*** jerrygb has quit IRC		13:45
*** jerrygb has joined #openstack-keystone		13:45
*** __Nautilus__ has joined #openstack-keystone		13:58
openstackgerrit	Lance Bragstad proposed openstack/keystone-specs master: Specification for global roles https://review.openstack.org/464763	13:58
*** dims has joined #openstack-keystone		14:04
*** markvoelker has quit IRC		14:15
*** AlexOughton has quit IRC		14:27
*** AlexOughton has joined #openstack-keystone		14:28
lbragstad	morgan: didn't you have a patch for deprecating the credential API?	14:32
lbragstad	I found this one - https://review.openstack.org/#/c/438096/	14:33
*** tobberydberg has quit IRC		14:33
morgan	lbragstad nope	14:37
morgan	not that I remember	14:37
morgan	policy API, but that was a nightmare to suss out	14:37
morgan	tempest checks it	14:38
morgan	so, I wasn't really willing to drive a deprecation.	14:38
morgan	it was low priority anyway	14:38
*** piliman974 has quit IRC		14:38
lbragstad	yeah	14:39
lbragstad	morgan: https://bugs.launchpad.net/keystone/+bug/1693498 was opened and i don't know if its worth the work given we wanted to deprecate both	14:39
openstack	Launchpad bug 1693498 in OpenStack Identity (keystone) "Credential list API returns list of available credentials when user passes invalid name as query parameter" [Undecided,New] - Assigned to Pooja Jadhav (poojajadhav)	14:39
*** piliman974 has joined #openstack-keystone		14:40
breton	we want to deprecate credentials?	14:43
breton	we just switched them to be encrypted, no?	14:43
lbragstad	breton: we did - but it was something we discussed in ATL during the PTG	14:43
*** markvoelker has joined #openstack-keystone		14:45
*** ducttape_ has quit IRC		14:53
lbragstad	morgan: what was the reasoning for attaching secrets to the user?	14:54
lbragstad	from the etherpad https://etherpad.openstack.org/p/pike-ptg-keystone-deprecations	14:54
lbragstad	"OUTCOME: Make TOTP and EC2 secrets attach to the user and give it a specific API, then we can deprecate the credential API just like we did the policy API"	14:54
lbragstad	morgan: unless keeping the policy API around is useful for future policy work?	14:56
*** masuberu has joined #openstack-keystone		14:58
morgan	because the credential api sucks	15:00
morgan	it basically assumes a relational model and leaks that to the user	15:00
morgan	if it was attached to the user itself, like passwords are, you have less overhead. also we can be more strict about the data involved	15:01
lbragstad	morgan: sure - but what did we mean by "make TOTP and EC2 secrets attach to the user"	15:01
morgan	the credential api was kindof a dumping ground of ick	15:01
*** stingaci has joined #openstack-keystone		15:01
morgan	like passwords	15:01
morgan	an actual loaded data value	15:01
morgan	user.ec2_creds or user.totp_secrets	15:01
lbragstad	ah	15:01
morgan	vs user -> get creds -> look for totp_creds, try, fail, next, nope, error	15:02
lbragstad	so making those things first class attributes	15:02
morgan	yeah	15:02
morgan	i think that was what we said	15:02
morgan	honestly, i am guessing based upon context	15:02
lbragstad	but - they still shouldn't be in keystone	15:02
lbragstad	so - it would be the best case for having something like that in keystone, if i'm understanding this correctly	15:03
lbragstad	option 1) store ec2 and totp secrets in something that's not keystone 2.) store them as first class attributes of the user	15:03
*** jerrygb has quit IRC		15:03
*** rcernin has quit IRC		15:04
*** d0ugal has quit IRC		15:04
morgan	any and all auth creds need to be in keystone or something like vault	15:04
*** jerrygb has joined #openstack-keystone		15:04
morgan	it can't be in barbican or something that relies on keystone	15:04
lbragstad	right	15:04
morgan	they're likely going to have to be 1st class (even in remote backend) from a keystone perspective	15:05
morgan	all auth data should be	15:05
*** gyee has joined #openstack-keystone		15:06
lbragstad	ok - so our totp implementation will have to consider that	15:07
lbragstad	and change as well	15:07
morgan	yeah	15:07
lbragstad	morgan: ok - cool, that helps clear that up	15:08
lbragstad	morgan: with policy and the discussion we've been having, could the existing implementation be repurposed in the future?	15:08
morgan	unlikely	15:09
morgan	you want something very service specific	15:09
morgan	not lumped into a poor key-value-store of blobs	15:09
lbragstad	morgan: imo it looks like the policy api was an initial attempt at copying AWS IAM	15:10
morgan	the policy api should be deprecated, and default turned off (policy.json/incode) but that is a big hurdle because now tempest (not in-tree plugin) tests it's existence	15:10
lbragstad	and how it does policy	15:10
morgan	it sortof was	15:10
lbragstad	ok	15:10
morgan	it was "shove a policy.json into keystone and give an id to retrieve it"	15:10
morgan	the problem is this poses a lot of caching issues, deployment issues, and "store by uuid" issues	15:10
lbragstad	so let's say we actually get the a better place with policy across openstack and we end up needing additional policy in keystone	15:11
morgan	it's really a generic "store blob in a db and call it policy"	15:11
lbragstad	but the policy api namespace is taken	15:11
lbragstad	for v3 anyway	15:11
morgan	make v4	15:11
morgan	and i am being serious	15:11
* lbragstad blinks		15:11
morgan	split auth/catalog to /auth and /catalog	15:11
morgan	/v4 becomes v3 without cruft	15:12
lbragstad	so reuse the policy namespace but break everything about it and do it right	15:12
morgan	if needed	15:12
morgan	though i also think policy is a bad name	15:12
morgan	you could call it /RBAC	15:12
morgan	or something like that	15:12
lbragstad	sure	15:12
lbragstad	if we still wanted to do it in v3	15:12
morgan	i am an advocate of v4 being a thing w/o auth, without catalog (rendering, get for token, it can still be constructed)	15:13
morgan	and dumping other cruft	15:13
morgan	v3 becomes deprecated / maintained.	15:13
morgan	and we work on /auth and /catalog	15:13
morgan	and then move ksa to that	15:13
morgan	... anyway ...	15:14
lbragstad	ah	15:14
*** pnavarro has quit IRC		15:14
lbragstad	so making auth and catalog versionless	15:15
lbragstad	well - no	15:15
lbragstad	just not having to roll it into v4	15:15
*** stingaci has quit IRC		15:16
*** d0ugal has joined #openstack-keystone		15:18
morgan	yes	15:18
*** cristicalin has quit IRC		15:25
*** belmoreira has quit IRC		15:39
*** aojea has quit IRC		15:43
*** aojea has joined #openstack-keystone		15:44
knikolla	ayoung: stumbled upon a very old article of yours https://adam.younglogic.com/2013/07/a-vision-for-keystone/	15:46
ayoung	knikolla, ah to be young and naive again	15:48
ayoung	knikolla, I just noticed that I posted that on my birthday.	15:48
ayoung	I really need to straighten out my priorities	15:48
*** aojea has quit IRC		15:49
knikolla	ayoung: writing visions of the future is not a good way to spend birthdays	15:50
knikolla	ayoung: it was one of the top results on google for keystone jwt somehow	15:51
ayoung	knikolla, I did an updated one a few years later	15:51
*** aselius has joined #openstack-keystone		16:06
openstackgerrit	Kristi Nikolla proposed openstack/python-keystoneclient master: Moved release no to the correct path https://review.openstack.org/468458	16:12
openstackgerrit	Kristi Nikolla proposed openstack/python-keystoneclient master: Moved release note to the correct path https://review.openstack.org/468458	16:12
openstackgerrit	Kristi Nikolla proposed openstack/keystone master: Route based RBAC Management Interface https://review.openstack.org/401808	16:28
*** david-lyle has joined #openstack-keystone		16:30
*** markvoelker has quit IRC		16:30
openstackgerrit	Kristi Nikolla proposed openstack/keystonemiddleware master: WIP - Role check in middleware https://review.openstack.org/458931	16:32
gyee	ayoung, knikolla, about RBAC, in the talk, one of you mentioned to you a magic script to get an inventory of all the service APIs or was I hearing it wrong	16:33
ayoung	gyee, I was projecting. I scraped mine from the API docs:	16:38
ayoung	https://developer.openstack.org/api-ref/compute/	16:38
*** piliman974 has quit IRC		16:38
ayoung	If you view source on it, you should be able to see how straight forward it would be to convert that to a JSON doc	16:38
gyee	ayoung, I was thinking you have something like pulling the catalog from Keystone, then following the refs to collect all the APIs our there	16:39
gyee	similar to version discovery	16:40
*** piliman974 has joined #openstack-keystone		16:41
lbragstad	stevemar: want to kick this through stable? https://review.openstack.org/#/c/466873/1	16:46
lbragstad	stevemar: it closes a bug for us	16:46
openstackgerrit	Matthew Edmonds proposed openstack/keystone master: Handle group NotFound in effective assignment list https://review.openstack.org/468103	16:48
*** jaosorior has quit IRC		16:49
*** ducttape_ has joined #openstack-keystone		16:54
*** david-lyle has quit IRC		16:58
edmondsw	knikolla would appreciate your review on https://review.openstack.org/#/c/468103	17:05
edmondsw	knikolla the original test_list_role_assignments_group_not_found you'd written wasn't actually working properly. It was skipping some of what you were trying to test because there were no group assignments entering that method. I believe I've fixed it	17:06
samueldmq	edmondsw: there was a similar issue for that but for user rather than group	17:13
samueldmq	edmondsw: I remember reviewing something like that lately	17:14
edmondsw	samueldmq the user test shouldn't have the same issue since there are users entering that method	17:14
edmondsw	but then again, it should still be fixed to check that, or not rely on that being the case	17:14
samueldmq	edmondsw: ++	17:14
samueldmq	I have reviewed something similar to that	17:15
edmondsw	samueldmq I only addressed the group issue, since the defect I was working under was group-specific	17:15
samueldmq	I will see if I can find it, sanity check	17:15
samueldmq	edmondsw: https://review.openstack.org/#/c/465395/	17:15
edmondsw	samueldmq that's where the test was added	17:16
edmondsw	samueldmq I'd be surprised if there was a review up to fix the tests, other than the one I linked above (which only addresses groups)	17:17
samueldmq	edmondsw: ok, and the issue is that the tests added there were wrong	17:17
edmondsw	samueldmq right	17:18
samueldmq	and cause another bug?	17:18
samueldmq	the one referenced in the patch you mentioned?	17:18
edmondsw	samueldmq no... just don't check everything they intend to check	17:18
*** sjain has joined #openstack-keystone		17:18
edmondsw	samueldmq the bug I mentioned is separate, but related, so the same test needed to be updated to account for it... and in doing so I noticed the original test wasn't really working as designed	17:19
samueldmq	edmondsw: hmm would you mind to walk me through why it was not working properly	17:20
samueldmq	I dont see why we need to clean up all the role assignments in the test setup	17:20
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone master: Updated from global requirements https://review.openstack.org/468242	17:20
samueldmq	since we're creating a brand new group	17:20
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystonemiddleware master: Updated from global requirements https://review.openstack.org/468485	17:20
sjain	Hi, can someone please review this patch, https://review.openstack.org/#/c/466066/ Thanks!	17:20
edmondsw	samueldmq those are separate questions :) but I can answer them both	17:21
edmondsw	first, why it wasn't working properly...	17:21
edmondsw	the `if 'group_name' in assignment` check was always false, so that block was never entered	17:21
samueldmq	ok :)	17:21
edmondsw	because there were no group assignments	17:22
edmondsw	to make sure that never happens again, I added the stuff about includes_group_assignments	17:22
samueldmq	no group assigs	17:22
samueldmq	++	17:22
edmondsw	but it also got me thinking that this shouldn't have been possible if we were good about not leaving things behind from previous tests	17:23
edmondsw	each test should be self-contained unless specifically noted otherwise	17:23
samueldmq	I think I am the one who pushed that patch through :p	17:23
edmondsw	I don't have bandwidth to go cleanup all the tests to be self-contained (cleaning up what they create before they exit) but I did that for this one	17:23
samueldmq	edmondsw: yeah that's a recurrent question on where we should or not include things in the global setup things (for the whole test class)	17:24
samueldmq	edmondsw: oh I think what exists if coming from the setUp	17:24
edmondsw	samueldmq I think some global setup is fine if it's going to be needed globally, or at least doesn't hurt globally	17:24
samueldmq	but it's possible things are coming from other tests too	17:24
samueldmq	++	17:24
edmondsw	samueldmq but when you get into individual tests (not global setup), they shouldn't be leaving things behind	17:25
samueldmq	I like the addCleanup calls to make sure things get properly cleaned up	17:25
samueldmq	edmondsw: completely agree	17:25
edmondsw	samueldmq I guess you could argue that I should cleanup more than the grant at the end...	17:26
edmondsw	samueldmq yeah, let me go do that and push up another revision	17:26
samueldmq	edmondsw: what if we fixed the original test in a separate test	17:26
samueldmq	and make a different test for that new case?	17:26
samueldmq	just an idea, not sure would be better, but the test looks a bit big	17:27
edmondsw	samueldmq I thought they made sense to go together	17:27
edmondsw	if we split them, the name will need to change for both to cover the different variations	17:27
edmondsw	but they're extremely related	17:27
edmondsw	samueldmq it's only big now because of the setup/cleanup involved	17:28
samueldmq	edmondsw: yeah, I am fine with that as it is	17:28
*** ducttape_ has quit IRC		17:34
*** piliman974 has quit IRC		17:35
*** ducttape_ has joined #openstack-keystone		17:38
*** sjain has quit IRC		17:39
*** tobberydberg has joined #openstack-keystone		17:48
openstackgerrit	Matthew Edmonds proposed openstack/keystone master: Handle group NotFound in effective assignment list https://review.openstack.org/468103	17:49
*** stingaci has joined #openstack-keystone		17:49
*** stingaci has quit IRC		17:50
*** stingaci has joined #openstack-keystone		17:50
*** raildo has quit IRC		17:51
*** tobberydberg has quit IRC		17:53
openstackgerrit	Matthew Edmonds proposed openstack/keystone master: Handle group NotFound in effective assignment list https://review.openstack.org/468103	17:55
edmondsw	samueldmq couldn't cleanup the users/groups because that raises LDAP read-only issues... surprised it let me create them, but I guess that's probably mocked somewhere and the same just wasn't done for delete	17:56
edmondsw	samueldmq so I just added a TODO about that for now	17:57
*** ducttap__ has joined #openstack-keystone		17:59
knikolla	edmondsw: oh right, assignment_list is for both users and group assignments	18:00
*** rderose has joined #openstack-keystone		18:00
knikolla	but there are only user assignments	18:00
knikolla	edmondsw: thanks for catching that	18:00
*** pcaruana has quit IRC		18:00
*** ducttape_ has quit IRC		18:00
knikolla	edmondsw: unit tests make ldap writable because almost every single unit test depends on creating them	18:02
edmondsw	knikolla makes sense... should also make it writable for deletes :)	18:02
knikolla	edmondsw: no, i deleted the code for ldap delete entirely	18:03
*** raildo has joined #openstack-keystone		18:03
edmondsw	knikolla means we can't really cleanup during UTs :( but I guess we've lived without that this long...	18:04
*** ducttape_ has joined #openstack-keystone		18:04
knikolla	edmondsw: at least in the case of ldap, the ldapdb is completely deleted after each unit test.	18:05
knikolla	edmondsw: https://github.com/openstack/keystone/blob/master/keystone/tests/unit/ksfixtures/ldapdb.py#L33	18:06
knikolla	edmondsw: i believe the same to be the case for sql	18:07
*** ducttap__ has quit IRC		18:07
edmondsw	knikolla must not be every UT, else the assignments that are getting carried over from one test to another would have been pointing to users and groups that no longer existed, and we'd have caught these bugs a long time ago	18:07
edmondsw	knikolla maybe ever UT class?	18:08
knikolla	edmondsw: https://github.com/openstack/keystone/blob/master/keystone/tests/unit/default_fixtures.py	18:08
knikolla	these are recreated for each unit test	18:08
knikolla	https://github.com/openstack/keystone/blob/master/keystone/tests/unit/core.py#L687	18:09
edmondsw	knikolla ah, ic	18:09
edmondsw	knikolla but that only has 1 assignment, and I was seeing 6	18:10
edmondsw	knikolla oh, I guess assignments are in sql, so they wouldn't be cleaned up the same way	18:11
edmondsw	knikolla I didn't check to see if the 6 assignments all used those users	18:11
knikolla	there's a for loop that assigns users to projects	18:11
knikolla	edmondsw: maybe that's that https://github.com/openstack/keystone/blob/master/keystone/tests/unit/core.py#L722-L741	18:12
knikolla	i haven't paid too close attention to assignments as the part i was refactoring for ldap is the identity	18:12
edmondsw	knikolla yeah that would probably do it... 5 users would mean 5 assignments from that, plus the 1 assignment in default_fixtures = 6	18:13
knikolla	edmondsw: yes :)	18:14
knikolla	edmondsw: instead of creating users, try to use the existing ones from setup	18:15
edmondsw	knikolla it's not going to be a problem to add those to a group?	18:15
edmondsw	knikolla I saw a bunch of places in that file creating users, so I just did the same	18:15
knikolla	edmondsw: no, but no groups are created from the default_fixtures, so you'll have to create one	18:15
knikolla	edmondsw: i know, that is wrong.	18:16
edmondsw	knikolla.... eh... I'm not sure why we need the default_fixtures users, honestly	18:16
*** aojea has joined #openstack-keystone		18:17
knikolla	edmondsw: then we have to maintain mocks for create_user for ldap. we shouldn't depend on identity_api having create_user since not all backends are writable. instead we should ask the test to precreate the backend in the state we want it to be.	18:18
*** aojea has quit IRC		18:18
*** aojea has joined #openstack-keystone		18:18
knikolla	during setup	18:18
edmondsw	knikolla makes sense	18:19
edmondsw	knikolla it's the "how to precreate" that I'm stuck on	18:19
edmondsw	knikolla I'd be happy to move all that setup I did into a fixture if I knew how	18:20
edmondsw	knikolla we can't just have everyone using the default fixture if everyone needs a different pre-created state, so there would have to be a lot more fixtures	18:21
edmondsw	knikolla which probably isn't a bad thing... again, back to the how	18:22
knikolla	edmondsw: that's true.	18:22
knikolla	edmondsw: but going through identity_api.create_user is different than creating the user straight in ldap	18:22
knikolla	for example identity mappings	18:22
edmondsw	knikolla sure... I'm sold that using a fixture would be better. Give me the "how" and I'll try to do it	18:23
knikolla	edmondsw: there's a lot of cases which we've discovered by the ldap state changing without keystone's control	18:23
knikolla	edmondsw: working on that https://review.openstack.org/#/c/466406/	18:23
knikolla	it'll be a looooooooooong way though	18:23
*** ducttape_ has quit IRC		18:24
knikolla	i'm mocking create_user with the bare minimums for ldap first.	18:24
knikolla	eventually i want to read the state from a dictionary	18:24
*** rderose has quit IRC		18:24
knikolla	it's painful for ldap. for sql i think we can get by with how it works now. since we assume full control of sql.	18:24
knikolla	just have the fixtures use the api like they do now. so only ldap needs to change.	18:25
edmondsw	knikolla you going to add _create_group as well?	18:25
knikolla	yes. with the bare minimum code for it to pass tests. so that the tests verify my bare minimum implementation. then i'll drop the mocks and use fixtures once i have a clear handle on what ldap directory fixtures are needed.	18:27
knikolla	edmondsw	18:27
knikolla	i want to make this evolutionary rather than revolutionary	18:28
edmondsw	+1	18:28
edmondsw	knikolla I don't really know much about how to use fixtures... can you help me figure out how to replace my setup code with a fixture?	18:29
edmondsw	I'm not finding an example	18:29
edmondsw	or can I just leave it as-is for now?	18:29
knikolla	edmondsw: for example, instead of creating a user and a project https://github.com/openstack/keystone/blob/master/keystone/tests/unit/assignment/test_backends.py#L680-L681	18:30
knikolla	the test gets the users from the fixtures	18:30
knikolla	user foo and tenant bar	18:30
edmondsw	knikolla but that's from the default fixture... how do I make it use a different fixture of my creation?	18:32
edmondsw	and there's this: https://github.com/openstack/keystone/blob/master/keystone/tests/unit/default_fixtures.py#L15-L16	18:32
knikolla	edmondsw: you can't save from adding them to default fixtures. and default fixtures has no groups, so you would still need to create a group.	18:34
knikolla	edmondsw: i would say for now just go ahead and keep it like you're doing it	18:34
knikolla	with create_group	18:34
knikolla	and create_user	18:35
edmondsw	knikolla k, I'll leave it as-is... thanks!	18:35
*** ducttape_ has joined #openstack-keystone		18:35
*** ducttape_ has quit IRC		18:35
*** ducttape_ has joined #openstack-keystone		18:36
knikolla	edmondsw: as for the performance impact, that is because everything in that file is created before each unit tests is run. you saw the double for loops. but having different fixtures for different tests will help with that :)	18:36
edmondsw	++	18:36
*** aojea has quit IRC		18:42
*** aojea has joined #openstack-keystone		18:42
*** aojea has quit IRC		18:47
*** ducttap__ has joined #openstack-keystone		18:49
*** ducttap__ has quit IRC		18:50
*** ducttap__ has joined #openstack-keystone		18:51
*** ducttape_ has quit IRC		18:52
*** Aurelgadjo has quit IRC		18:53
*** lucasxu has quit IRC		18:58
gyee	lbragstad: https://bugs.launchpad.net/keystonemiddleware/+bug/1693907	19:02
openstack	Launchpad bug 1693907 in keystonemiddleware "audit middleware changed the request context causes breakage in HEAT" [Undecided,New]	19:02
gyee	I think this one is pretty serious	19:02
lbragstad	gyee: checking	19:05
gyee	I suspect this one may impact other services which depending on the request context	19:07
*** piliman974 has joined #openstack-keystone		19:08
lbragstad	gyee: the patch in question merged a year ago?	19:11
lbragstad	https://review.openstack.org/#/c/216889/7	19:11
gyee	yes	19:12
lbragstad	gyee: is there trace of this breaking in heat?	19:12
gyee	some people just upgraded to Newton, ya known :-)	19:12
lbragstad	or in the gate somewhere?	19:12
gyee	problem is, I don't think services have any gates with audit middleware deployed	19:13
lbragstad	devstack?	19:13
gyee	won't be devstack, it would be in each services paste ini file	19:14
*** lucasxu has joined #openstack-keystone		19:14
gyee	not sure if any service enable it by default	19:16
gyee	I kinda doubt it	19:17
lbragstad	we need steps to recreate it	19:17
lbragstad	gyee: can that be included in the bug report?	19:17
gyee	sure	19:17
lbragstad	what needs to be enabled for this to break heat?	19:18
gyee	just enable it here https://github.com/openstack/heat/blob/master/etc/heat/api-paste.ini	19:20
gyee	let me see if I can get the folks to share the deployment configuration	19:20
lbragstad	that would help	19:20
lbragstad	gyee: lets see if we can get stevemar and jamielennox\|away involved	19:22
lbragstad	the original bug was triaged as low initially and never escalated to anything higher	19:23
*** aojea has joined #openstack-keystone		19:27
gyee	lbragstad, yeah	19:27
*** ducttap__ has quit IRC		19:27
gyee	we either back that one out or implement an adapter and properly deprecate it	19:27
gyee	to me, req.context is API	19:27
gyee	I can push a patch once we decided what to do	19:30
*** prashkre has quit IRC		19:30
*** cristicalin has joined #openstack-keystone		19:40
*** ducttape_ has joined #openstack-keystone		19:43
*** frontrunner has quit IRC		19:44
*** stingaci has quit IRC		19:44
*** ducttap__ has joined #openstack-keystone		19:44
*** stingaci has joined #openstack-keystone		19:45
morgan	holy crap, it's a wild gyee	19:46
gyee	morgan: :-)	19:48
*** ducttape_ has quit IRC		19:48
gyee	still need to pay the bills man	19:48
knikolla	ayoung: for matching routes, the routes mapper might not be the best choice. it can only match one, and order matters in the case of the catchall.	19:54
knikolla	ayoung: i'm feeling tempted to hardcode behaviour for a "*" route.	19:55
*** piliman974 has quit IRC		19:58
*** piliman974 has joined #openstack-keystone		20:00
*** aojea has quit IRC		20:02
*** aojea has joined #openstack-keystone		20:03
*** aojea has quit IRC		20:08
lbragstad	gyee: yeah - the original bug didn't seem super high priority	20:08
* lbragstad is headed out for the day		20:09
lbragstad	i hope everyone has a safe and happy memorial weekend!	20:10
gyee	lbragstad, have a great long weekend to you too	20:10
ayoung	knikolla, do it	20:12
ayoung	if none are matched, and there is a catchall, then see if the catchall matches?	20:12
knikolla	ayoung: that was my plan.	20:12
ayoung	works for me.	20:12
ayoung	we can unit test that code thoroughly	20:12
knikolla	ayoung: yes. it's pretty easy to extensively unit test.	20:13
knikolla	ayoung: i also need to add validation in the server side. if any of the the routes has wrong syntax the mapper will fail to build.	20:13
knikolla	ayoung: but on the bright side, i tested it and it worked.	20:14
*** aojea has joined #openstack-keystone		20:24
ayoung	knikolla, ah. adding a route should do a syntax check. Good point	20:29
*** raildo has quit IRC		20:32
*** piliman974 has quit IRC		20:36
*** thorst has quit IRC		20:40
*** cristicalin has quit IRC		20:43
openstackgerrit	Kristi Nikolla proposed openstack/keystonemiddleware master: WIP - Role check in middleware https://review.openstack.org/458931	20:46
*** d0ugal has quit IRC		20:46
*** nkinder has quit IRC		20:46
*** frontrunner has joined #openstack-keystone		20:50
*** aojea has quit IRC		20:53
*** aojea has joined #openstack-keystone		20:53
*** aojea_ has joined #openstack-keystone		20:57
*** aojea has quit IRC		20:59
*** nkinder has joined #openstack-keystone		20:59
*** thorst has joined #openstack-keystone		21:00
*** thorst has quit IRC		21:04
*** masuberu has quit IRC		21:07
*** ducttap__ has quit IRC		21:14
*** gyee has quit IRC		21:19
*** lucasxu has quit IRC		21:26
*** catintheroof has joined #openstack-keystone		21:33
*** catintheroof has quit IRC		21:39
*** ducttape_ has joined #openstack-keystone		21:40
*** ducttape_ has quit IRC		21:55
*** ducttape_ has joined #openstack-keystone		22:06
openstackgerrit	Boris Kudryavtsev proposed openstack/keystone master: Add user_id_attribute support to _dn_to_id https://review.openstack.org/466389	22:07
openstackgerrit	Matthew Edmonds proposed openstack/keystone master: Handle group NotFound in effective assignment list https://review.openstack.org/468103	22:10
*** aojea_ has quit IRC		22:12
*** bkudryavtsev has quit IRC		22:17
*** __Nautilus__ has quit IRC		22:26
*** piliman974 has joined #openstack-keystone		22:46
*** ducttape_ has quit IRC		23:05
*** chlong has quit IRC		23:10
*** piliman974 has quit IRC		23:30
*** david-lyle has joined #openstack-keystone		23:31
*** david-lyle has quit IRC		23:36
*** stingaci has quit IRC		23:40
*** piliman974 has joined #openstack-keystone		23:41
*** stingaci has joined #openstack-keystone		23:46
*** stingaci has quit IRC		23:51

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!