Thursday, 2014-06-05

*** sbfox has quit IRC00:07
*** praneshp_ has joined #openstack-keystone00:10
*** praneshp has quit IRC00:11
*** praneshp_ is now known as praneshp00:11
*** dims__ has joined #openstack-keystone00:12
*** dims_ has quit IRC00:14
*** dims__ is now known as dims00:15
*** nkinder has joined #openstack-keystone00:20
* morganfainberg feels brainfriend from doing bug triag00:22
morganfainbergtriage even00:22
morganfainbergor well... bug cleanup00:22
*** rushiagr has quit IRC00:25
*** browne has quit IRC00:26
*** zhiyan_ is now known as zhiyan00:27
*** browne has joined #openstack-keystone00:30
*** rushiagr has joined #openstack-keystone00:32
*** rodrigods_ has joined #openstack-keystone00:48
gyeemorganfainberg, its mountain bike time here :)00:50
*** rwsu has quit IRC00:51
ayoungmorganfainberg, python question.  I need to do some DJango work, spcifically on django_openstack_auth, which is in a separate repo.  I want the HTTPD process to pull my code out of my git repo.  I did a build ;sudo python install  but that seems to put the code under /usr/lib.  Is there some way I can get it to read the code from my git repo, and have the egg just link to it?00:51
morganfainbergayoung, pip -e .00:51
morganfainbergayoung, or setup develop00:51
*** pheadron has quit IRC00:52
ayoungmorganfainberg, thanks...was googling for it, but came across too much noise in the signa;00:53
morganfainbergayoung, np!00:53
*** pheadron has joined #openstack-keystone00:54
*** gokrokve has joined #openstack-keystone00:54
*** rodrigods_ has quit IRC00:55
ayoungmorganfainberg, I'm getting some public space on Dreamhost beta, and I'm going to install a publically accessable FreeIPA instance00:57
*** pheadron has quit IRC01:01
*** amcrn has quit IRC01:07
*** pheadron has joined #openstack-keystone01:08
openstackgerritA change was merged to openstack/keystone: remove out of date docs for Fedora 15
*** pheadron has quit IRC01:14
*** pheadron has joined #openstack-keystone01:15
*** dstanek_zzz has quit IRC01:32
*** sbfox has joined #openstack-keystone01:37
*** gokrokve has quit IRC01:38
*** dstanek_zzz has joined #openstack-keystone01:39
*** dstanek_zzz is now known as dstanek01:39
*** dstanek has quit IRC01:44
*** dstanek_zzz has joined #openstack-keystone01:45
*** dstanek_zzz is now known as dstanek01:45
*** ncoghlan has joined #openstack-keystone01:59
*** pheadron has quit IRC02:02
*** sbfox has quit IRC02:04
*** marcoemorais has quit IRC02:10
*** richm has quit IRC02:17
*** browne has quit IRC02:27
*** xianghui has joined #openstack-keystone02:33
*** mberlin has joined #openstack-keystone02:51
*** mberlin1 has quit IRC02:52
*** dims has quit IRC02:53
*** dims has joined #openstack-keystone02:55
*** Abhijeet has joined #openstack-keystone02:56
*** gokrokve has joined #openstack-keystone03:02
*** browne has joined #openstack-keystone03:13
*** ayoung has quit IRC03:16
*** dims_ has joined #openstack-keystone03:39
*** dims has quit IRC03:39
*** stevemar has joined #openstack-keystone04:01
*** harlowja is now known as harlowja_away04:07
*** browne has quit IRC04:16
*** gokrokve has quit IRC04:17
*** dims_ has quit IRC04:20
openstackgerritVladimir Eremin proposed a change to openstack/python-keystoneclient: Keystone compact PKI token
*** dstanek is now known as dstanek_zzz04:32
*** dstanek_zzz is now known as dstanek04:34
*** ncoghlan is now known as ncoghlan_afk04:43
*** sbfox has joined #openstack-keystone04:54
*** stevemar has quit IRC04:59
*** Abhijeet has quit IRC05:13
*** Abhijeet has joined #openstack-keystone05:13
*** ajayaa has joined #openstack-keystone05:14
*** marcoemorais has joined #openstack-keystone05:17
*** marcoemorais1 has joined #openstack-keystone05:19
*** marcoemorais has quit IRC05:21
*** dstanek is now known as dstanek_zzz05:23
openstackgerritChristian Berendt proposed a change to openstack/python-keystoneclient: Overwrite HelpFormatter constructur to extend argument column
*** topol has quit IRC05:27
*** ncoghlan_afk is now known as ncoghlan05:27
morganfainbergbah missed topol by a couple minutes05:31
openstackgerritAndre Naehring proposed a change to openstack/keystone: Add information regarding HTTPS for SSL enabled endpoints
*** topol has joined #openstack-keystone05:59
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex
*** gyee has quit IRC06:04
*** jraim has quit IRC06:05
*** jraim has joined #openstack-keystone06:06
*** ncoghlan is now known as ncoghlan_afk06:12
*** topol has quit IRC06:23
*** ajayaa has quit IRC06:26
*** ukalifon1 has joined #openstack-keystone06:28
*** sbfox has quit IRC06:42
*** ajayaa has joined #openstack-keystone06:43
*** sbfox has joined #openstack-keystone06:44
*** BAKfr has joined #openstack-keystone07:15
*** ncoghlan_afk is now known as ncoghlan07:20
*** ncoghlan has quit IRC07:21
*** bvandenh has joined #openstack-keystone07:43
*** xianghui has quit IRC07:43
*** xianghui has joined #openstack-keystone07:46
*** andreaf has joined #openstack-keystone07:50
*** toddnni_ has joined #openstack-keystone08:14
openstackgerritChristian Berendt proposed a change to openstack/keystone: remove unneeded definitions of Python Source Code Encoding
*** toddnni has quit IRC08:16
openstackgerritChristian Berendt proposed a change to openstack/keystone: remove unneeded definitions of Python Source Code Encoding
*** toddnni_ has quit IRC08:21
*** marekd|away is now known as marekd08:22
*** toddnni has joined #openstack-keystone08:24
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Implement SAML2 ECP authentication
*** marcoemorais1 has quit IRC09:05
*** nsquare has quit IRC09:14
*** jaosorior has joined #openstack-keystone09:15
*** zhiyan is now known as zhiyan_09:18
*** sbfox has quit IRC09:25
*** Abhijeet has quit IRC09:53
openstackgerritAjaya Agrawal proposed a change to openstack/keystone: TestAuthInfo class in test_v3_auth made more efficient.
*** xianghui has quit IRC09:59
*** xianghui has joined #openstack-keystone10:05
openstackgerrithenry-nash proposed a change to openstack/keystone-specs: Cross Backend Unique Idenifiers for User and Group Entities
*** Chicago has joined #openstack-keystone10:25
*** Chicago has joined #openstack-keystone10:25
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Implement SAML2 ECP authentication
*** xianghui has quit IRC10:26
ajayaajaosorior, ping! Can you please point out some problem with
jaosoriorI wrote it as a comment in the commit message10:29
jaosoriorplease change the commit message to be in accordance to this: :)10:33
ajayaajaosorior, it could be less than 80 characters per line, right?10:35
*** leseb has joined #openstack-keystone10:36
openstackgerritAjaya Agrawal proposed a change to openstack/keystone: TestAuthInfo class in test_v3_auth made more efficient.
jaosoriorAnd the title preferable 50 characters or less, as stated in the Gerrit Workflow link "Git commit messages should start with a short 50 character or less summary in a single paragraph."10:38
jaosoriorbut that's no biggie10:38
jaosoriorother than that it seems like good stuff :) Gotta wait for Jenkins to pass though10:38
*** leseb has quit IRC10:40
ajayaajaosorior, thanks10:40
*** praneshp has quit IRC10:42
*** xianghui has joined #openstack-keystone10:43
*** praneshp has joined #openstack-keystone10:44
jaosoriorDoes anybody know what's up with the openstack/common folder? I've seen that in a couple of projects with very similar files. Thing is, I have a simple patch for one of the files there, but would like to know if this is some openstack-wide folder (perhaps it should be a submodule? or something) or how should patches for files in that folder be handled?10:44
*** praneshp has quit IRC10:45
boris-42jaosorior it's openstack oslo code10:51
boris-42jaosorior take a look here
boris-42jaosorior for more details10:51
*** leseb has joined #openstack-keystone11:11
ajayaaIs it a good idea to write unit tests/ functional tests for custom roles?11:17
*** Chicago has quit IRC11:36
*** lbragstad has quit IRC11:38
*** afazekas has joined #openstack-keystone11:48
*** juanmo has joined #openstack-keystone12:03
openstackgerritKristy Siu proposed a change to openstack/identity-api: Adding support for self registration to Virtual Organisations
openstackgerritKristy Siu proposed a change to openstack/identity-api: Adding support for self registration to Virtual Organisations
openstackgerritKristy Siu proposed a change to openstack/identity-api: Adding support for self registration to Virtual Organisations
*** ajayaa has quit IRC12:39
openstackgerritMarek Denis proposed a change to openstack/keystone: Enforce ``saml2`` protocol in Apache config
*** lbragstad has joined #openstack-keystone12:47
*** gordc has joined #openstack-keystone12:51
*** radez_g0n3 is now known as radez12:53
openstackgerritKristy Siu proposed a change to openstack/identity-api: Adding support for self registration to Virtual Organisations
*** nkinder has quit IRC13:10
*** ayoung has joined #openstack-keystone13:21
*** samuelmz has quit IRC13:24
*** bknudson has joined #openstack-keystone13:27
*** jdennis has quit IRC13:39
*** jdennis has joined #openstack-keystone13:40
*** stevemar has joined #openstack-keystone13:43
*** hrybacki has joined #openstack-keystone13:51
*** xianghui has quit IRC13:53
*** amuller has joined #openstack-keystone13:56
amullerlbragstad: Heya, I wanted to talk about Keystone events about user/tenant create/update/delete13:56
lbragstadamuller: sure, what's up13:56
amullerI filed a Neutron spec:
amullerSo that when Neutron receives a Keystone tenant delete, it deletes all of that tenant's Neutron resources13:57
amullerHowever, Keystone doesn't send these notifications by default13:57
amullerFirst off, is that something you find reasonable? Emitting these notifications by default?13:57
openstackgerritRodrigo Duarte Sousa proposed a change to openstack/python-keystoneclient: Add example script for role_assignments module
amullerIt would be great in my mind if Keystone did. It would ease the deployment, make Tempest testing easier14:00
*** nkinder has joined #openstack-keystone14:01
*** gokrokve has joined #openstack-keystone14:01
lbragstadwhen we originally looked into notifications for Keystone, it was sort of an opt in feature14:04
*** nkinder has quit IRC14:05
*** joesavak has joined #openstack-keystone14:07
amullerAs far as I could tell, all of the defaults are correct for sending out messages by default, apart from notification_driver, which defaults to the empty list14:08
amullerIf I change that to ['messaging']14:08
amullerKeystone starts sending out notifications14:08
amullerlbragstad: ^14:09
*** jsavak has joined #openstack-keystone14:09
amullerThe default is in oslo messaging though, not in Keystone14:09
lbragstadthe notification driver kind of depends on what platform you're running on though14:10
lbragstadi.e. Ubuntu vs RHEL14:10
amullerlbragstad: I think you mean qpid vs rabbit?14:11
lbragstadamuller: right...14:11
amullerThe notification_driver value is for log vs noop vs messaging (RPC)14:11
amullernot for qpid vs rabbit14:11
lbragstadamuller: but you have to specify an 'rpc' driver don't you?14:11
amullerSure but that's already taken care of by the deployment tools14:12
*** joesavak has quit IRC14:12
amullerI'm talking about changing the upstream default to 'messaging' so that the deployment tools don't have to touch that14:12
amullerIt's a matter of least surprise, imo... I'd guess that if an admin deletes a tenant he'd expect all of its resources gone from all of the projects14:13
amullerSo I think that making Keystone emit the tenant delete notifications by default is a strong step towards that14:13
amullerrelying on the deployment tools to do that would be a pain14:13
lbragstadamuller: I can see your point, I'd like to hear what some of the other Keystone people think about it though...14:14
lbragstadmorganfainberg: bknudson ^14:14
lbragstadsubject: enabling messaging (rpc) as the default notification delivery mechanism for Keystone14:15
amullerlbragstad: Can Keystone work without RPC configured? IE: Without the deployment tool setting the RPC driver?14:15
amullerAssuming you don't care about notifications to other projects14:15
amullerI guess one issue with setting messaging to the default is what happens if the rpc driver / etc weren't set, but I'm asking if Keystone works at all in that case14:16
*** andreaf has quit IRC14:16
bknudsondoesn't make any difference to me if notifications are enabled by default or not.14:16
bknudsonmaybe ask on the operators list?14:16
lbragstadamuller: yeah, that would be a good idea.14:16
amullerbknudson: Do these notifications currently have any clients / uses?14:16
lbragstadamuller: are you thinking from the perspective of "does Keystone require a messaging service to run?"14:16
lbragstadamuller: like Nova does?14:17
amullerto communicate with agents for example14:17
lbragstadamuller: no, it doesn't14:17
amulleruh huh14:17
bknudsonI believe the notifications are required to get the cadf audit records14:17
amullerI know that the Red Hat oriented deployment tools do set the rpc values for keystone.conf14:18
lbragstadcadf notification are dependent on the notifcation framework in Keystone14:18
amullerdunno about other deployment tools14:18
amullerI guess it could be an issue to set the default notifications driver to 'messaging' if Keystone isn't even configured for RPC14:18
lbragstadif you do use a messaging/rpc driver for keystone notifications you need to specify that in your keystone.conf14:18
*** nkinder has joined #openstack-keystone14:18
amullerDevstack sets 'rpc_backend' to rabbit or qpid for example14:19
*** diegows has joined #openstack-keystone14:20
lbragstadamuller: what are you using for deployment tools?14:20
amullerdevstack, packstack, foreman14:21
amullerthey all set the rpc_backend14:21
lbragstadamuller: I think checking with the ops list would be a good start too...14:22
amullerAnd what devs should I CC?14:23
amullerI have a feeling the email to the ops list won't get responses14:23
amullerdunno if anyone cares about this feature at this point14:24
lbragstadyou could send a topic to the -dev list with a link to the ops list message14:26
*** topol has joined #openstack-keystone14:28
amullerI'll type up an email14:28
amullerHopefully we'll get a consensus in a reasonable time frame14:28
amullerlbragstad: Slight technical difficulty on my end, probably due to my lack of expertise with oslo config, but the default for notifications_driver is set in Oslo messaging and not in Keystone14:29
*** gokrokve has quit IRC14:30
amullerChanging the default in Oslo messaging seems unreasonable to me, but I don't exactly know how to override that default in Keystone14:30
amullerRegistering the same option is an error, so I tried unregistering and registering, but then I'd have to read the conf file again14:31
lbragstadcould see if the oslo guys have an opinion?14:34
amullerYeah I'll talk to one of the Oslo config guys at some point in the future14:34
amullerbknudson: May I have your email please so I could CC you as well?14:34
bknudsonamuller: I'm subscribed to the -dev mailing list14:35
lbragstadamuller: same, I'm on the -dev list too14:35
bknudsonIf ops people say it's ok, there's not much to it for us... we just change the default14:36
bknudsonI would assume since everyone's using rpc for nova already it shouldn't be a bid deal.14:36
bknudsonbig deal14:36
amullernotifications were merged to Keystone in Havana right?14:37
marekdmorganfainberg: -> I hope I addressed your suggestions.14:39
amullernm checked the bp14:39
*** gokrokve has joined #openstack-keystone14:39
*** dims_ has joined #openstack-keystone14:44
amullerlbragstad: bknudson: Alright thanks guys, I'll send out the email now.14:45
*** thedodd has joined #openstack-keystone14:47
*** doddstack has joined #openstack-keystone14:49
*** thedodd has quit IRC14:51
*** ukalifon1 has quit IRC14:59
*** ukalifon1 has joined #openstack-keystone15:02
marekdtopol: o/ You mentioned oAuth2.0 security vuln somewhere in a review recently. Did you mean this: ?15:04
topolmarekd, yes15:04
marekdtopol: ups.15:05
*** joesavak has joined #openstack-keystone15:05
marekdtopol: oauth (and later openid connect) seemed to be a robust and reliable solution :-)15:07
*** jsavak has quit IRC15:07
topolmarekd, we use openid a lot here15:09
marekdtopol: everybody does!15:09
topolSo I just pointed it ou because I was wondering if this issue was impacting oAuth2.0 adoption15:10
marekdtopol: I didn't read the bug description, but it looks like a bug in a protocol design? or just implementations?15:10
marekdtopol: well...detailed bug description15:10
topolmarekd, but it sounds like you are saying the answer, hey topol nothings perfect and we need to go forward :-)15:10
topolmarekd, whicvh I am fine with. Honestly I was more concerned about having keystone support a web based login page15:11
topolI have gone back to see the responses to  my questions but will circle back soon15:11
marekdtopol: reading them now.15:12
topolerr I have not yet gone back to see the responses..15:12
topolK, I need to run out for lunch before my next cal15:12
dolphmtopol: i'm totally lost as to what the news is in that article15:12
marekdtopol: cheers,15:12
dolphmtopol: it just sounds like it's describing an oauth flow of a compromised website, in which case, the website is already fucked15:12
*** radez is now known as radez_g0n315:13
*** jsavak has joined #openstack-keystone15:15
*** amuller has quit IRC15:15
*** joesavak has quit IRC15:19
*** ajayaa has joined #openstack-keystone15:24
*** ukalifon1 has quit IRC15:28
*** rodrigods_ has joined #openstack-keystone15:30
*** richm has joined #openstack-keystone15:32
*** ajayaa has quit IRC15:38
*** rodrigods_ has quit IRC15:45
*** afazekas has quit IRC15:47
morganfainbergmarekd, yeah that looks good15:47
marekdmorganfainberg: thanks.15:48
*** gokrokve has quit IRC15:49
topoldolphm, I agree and am okay with what you say.  and we use openid a ton. so that was mostly for awareness. In any case I was more worried about add a web login page to keystone15:51
*** larsks has left #openstack-keystone15:51
*** radez_g0n3 is now known as radez15:51
* topol really wishing I didnt mention the security issue. its like I have a mariachi band following me15:52
morganfainbergayoung, that is still fedora right?15:54
ayoungmorganfainberg, yep15:55
morganfainbergtopol, oooh! I know what to do at your next presentation then, i mean fungi was a good start, but... wonder how much mariachi bands cost to hire :P15:55
ayoungmorganfainberg, I think that tjaalten doesn';t have the time on this, which means it is on tbabej...let me check15:55
morganfainbergayoung, figured as much15:56
*** bboris has joined #openstack-keystone15:56
bborisi want to limit a user to specific service only15:57
bboristhe idea is that i have swift and ceph users and i want each to see different endpoints15:58
bborisi.e swift can only see the swift proxy and ceph can only see rados gateway15:58
morganfainbergayoung, ^ this sounds an awful lot like endpoint enforcement.15:58
ayoungmorganfainberg, well, also service/endpointspecific roles15:59
ayoungmorganfainberg, cuz every other server would have to be hacked to enforce "endpoint only"  right now15:59
ayoungbut...yeah, least privilege is kindof the standard for security16:00
*** sbfox has joined #openstack-keystone16:00
ayoungmorganfainberg, and we really need keystone to act as the policy store if we are going to do any sort of "on the fly policy update"  stuff16:00
*** dolphm changes topic to "Everyone thank morganfainberg for closing 40+ bugs yesterday!"16:00
ayoungthanks morganfainberg16:00
marekdthank you uncle Morgan!16:01
morganfainbergbboris, you can limit based upon policy at the moment (e.g. require a specific role to access the endpoint) but it can't prevent a user from seeing an endpoint. If the user has the role that the endpoint's policy will accept, the user can use that endpoint16:01
*** jaosorior has quit IRC16:02
dolphmbknudson, dstanek, jamielennox, morganfainberg, stevemar, gyee, henrynash, topol, lbragstad, joesavak, shardy, fabiog, fmarco76, nkinder, lloydm, shrekuma, ksavich: see topic ^16:02
*** praneshp has joined #openstack-keystone16:02
*** marcoemorais has joined #openstack-keystone16:02
bknudsonmorganfainberg: thanks for closing 40+ bugs!16:02
lbragstadmorganfainberg: thanks!16:02
*** praneshp has quit IRC16:02
bknudsonwas that all of them?16:02
morganfainbergbknudson, a lot of bug sweeping.16:02
* lbragstad owes morganfainberg a whisky16:02
topolTHANKS Morgan!!!!16:02
morganfainbergbknudson, most were bugs that had been fixed bug statuses were wrong16:03
stevemarlol uncle morgan, nice one marekd16:03
morganfainbergalso, no open bugs targeting folsom, essex, or grizzly16:03
topolI prepaid my whiskey obligation for him in ATL :-)16:03
topolokay a few more in San Anton... fine16:03
marekdstevemar: :-)16:03
*** yottatsa has joined #openstack-keystone16:03
nkindermorganfainberg: woohoo!16:03
morganfainbergprobably one or two of the ones targeting havana are also wedged, but spending that much time interacting with launchpad makes my head hurt16:04
yottatsahi guys!16:05
ayoungmorganfainberg, way to take one for the team.16:05
ayoungdolphm, I think morganfainberg 's bucking for your job.16:06
bborismorganfainberg: okay, so my next question is how to make such policy?16:06
ayoungbboris, I can help16:06
ayounga policy rule needs to enforce:  user has this what do you want to call the role?16:06
yottatsadolphm, I've implemented catalog repopulation in the middleware, wanna check out?16:06
*** BAKfr has quit IRC16:07
ayoungbboris, for exaple, we have the rule  "service_role": [["role:service"]],  in v3cloudsample16:08
*** _afazekas is now known as afazekas16:08
yottatsadolphm, there is it
*** rodrigods_ has joined #openstack-keystone16:08
yottatsaGuys, do you really not affected by large PKI token problem?16:08
ayoungboris-42, wait...when you say endpoints, do you mean endpoints of the same service16:09
ayoungyottatsa, we are all affected16:09
ayoungyottatsa, compression is about to merge...just waiting on Zuul16:09
yottatsaayoung, you've done nice patch16:09
yottatsaayoung, but why don't just remove it?16:09
ayoungyottatsa, I'm a hack, but I hope to at least be hacking in the right direction16:09
ayoungyottatsa, the catalog?16:09
ayoungbecause things will need it.16:10
yottatsayottatsa, yep, from SIGNED payload16:10
bborisayoung: not the same service16:10
ayoungyottatsa, the goal is to pare it down using catalog filtering16:10
ayoungand then to do endpoint binding16:10
bborisayoung: one service is os swift, other is ceph radosgw16:10
morganfainbergyottatsa, there is a bigger effort to reduce the size of the catalog and the tokens as a whole16:10
yottatsaayoung, things needed just catalog, not in the PKI token, am I right?16:10
morganfainbergyottatsa, but we can't remove it at the moment because everything expects it to be there16:10
yottatsaayoung, morganfainberg, so I implemented it's repopulation16:11
ayoungbboris, are the user getting to these two endpoint via the same project?  Or, could you use endpoint filtering and have a "blah_swift" project that doesn't know about Ceph and a "blah_ceph" proejct that doens't know about swift?16:11
ayoungyottatsa, and you are a pretty cool guy for doing so16:11
bborisayoung: they can be completely separated16:12
ayoungyottatsa, I like the idea16:12
morganfainbergayoung, that was my thought on id-only tokens, when you issue the token you send the catalog [filtered] via x-catalog header to the user. - auth_token can do other magic. like that yottatsa is doing there16:12
ayoungbboris, then is it a question of enforcement, or just "don't show it to them and they can ignore it?"16:12
yottatsaayoung, it's totally dolphm idea16:12
* ayoung likes16:13
uvirtbotLaunchpad bug 1228317 in python-keystoneclient "Need to be able to opt-out of X-Service-Catalog header" [Wishlist,Confirmed]16:13
ayoungyottatsa, what is the logic16:13
ayoungdoes it need a config file option to repopulate?16:13
bborisayoung: just dont show it16:13
ayoungbboris, then use endpoint filtering.  Its in Havana and later16:13
yottatsaayoung, no, I repopulate it if catalog is requested and there is no catalog in token16:14
dolphmayoung: we talked about a config option in auth_token like catalog_required, defaulting to true, that would retrieve a catalog if one wasn't available in the token16:14
ayoungyottatsa, does it assume that the service catalog is global?  That is really not what we want long term.  But it might be ok for a short term fix16:14
ayoungdolphm, so the "default" catalog16:14
dolphmayoung: default?16:15
ayoungdolphm, I'm thinking about various requests we 've had, including the endpoint filtering16:15
ayoungbut also the one where certain endpoints were not visible by default16:15
morganfainbergayoung, auth_token middleware probably needs / should have all endpoints16:15
morganfainbergayoung, ok except for explicitly hidden ones?16:16
ayoungmorganfainberg, but then how does it know which nova to talk to for a give user?  We need a smart default16:16
yottatsadolphm, ayoung, I colud implement this option then16:16
ayoungyottatsa, it might not be a client side option16:16
morganfainbergayoung, ah, we're talking two different things16:17
ayoungyottatsa, it might make more sense to have a better set of options for managing the catalog server side,16:17
morganfainbergayoung, i was thinking id-only catalog in the token16:17
*** gyee has joined #openstack-keystone16:17
ayoungmorganfainberg, he's talking about filling in a missing catalog16:17
ayoungid only needs all endpoints, agreed16:17
morganfainbergayoung, right.16:17
morganfainbergayoung, sorry, cross the streams16:17
ayoungmorganfainberg, so we need two APIs, one that gets the default one that gets everything.16:18
yottatsaayoung, it will be nice if we had some /v3/catalog hander, but it leads to api change16:18
ayoung"everything" might be a privilged action16:18
*** browne has joined #openstack-keystone16:18
morganfainbergayoung, yeah that sounds right.16:18
ayoungyottatsa, yeah16:18
* morganfainberg writes up the token version split from api version spec today16:18
ayoungyottatsa, your change might be Ok for now, and then we work in the ability to define a default set of endpoints from a non-filtered GET /v3/catalog"16:19
ayoungand also16:19
ayoungGET /v3/catalog?all16:19
*** rodrigods_ has quit IRC16:19
ayoungwhich requires a specific role to execure16:19
*** openstackgerrit has quit IRC16:20
dolphmayoung: ?all should be implied by GET /v3/catalog16:20
*** openstackgerrit has joined #openstack-keystone16:20
ayoungdolphm, but policy doesn't know how to filter on that parameter16:21
ayoungdolphm, and no, it should not16:21
* yottatsa is checkking out endpoint_filter_extension16:21
ayoungdolphm, /v3/catalog should show the default catalog16:21
*** ChanServ changes topic to "Everyone thank morganfainberg for closing 40+ bugs yesterday! | | Review Specifications:,n,z"16:21
ayoungor we tailor the output based on roles16:21
*** nkinder has quit IRC16:21
ayoungGET /v3/catalog?default  can be the first hack, though16:22
ayoungwhat if we had named filters...16:22
yottatsaayoung, dolphm, so could you please review for merge ?16:22
ayoungGET /v3/catalog?filter=default16:22
ayoungyottatsa, no.  Get it working first16:23
dolphmyottatsa: talk to gyee about the -2 first16:23
dolphmyottatsa: i'd also suggest proposing something to keystone-specs16:23
yottatsaayoung, dolphm, it's working now and passed all the tests16:23
ayoungyottatsa, you break a heckofa lot of tests there16:23
*** nkinder has joined #openstack-keystone16:23
morganfainbergdolphm, ++16:24
gyeesorry I missed most of the conversation, are we talking about a new catalog api instead of the current hack?16:24
ayoung...ok, was looking at an old review16:24
yottatsagyee, hi16:24
bborisayoung: so... i enabled this filter i think. how do i use it?16:24
ayounggyee, this is a way to populate the catalog if they use :no catalog in token16:24
yottatsagyee, yes, we're talking about new catalog api16:25
yottatsaayoung, I don't like nocatalog patch at all16:25
gyeeayoung, yottatse, but that's still a hack right, using the admin user's catalog instead of the requesting user's catalog16:25
ayoungbboris, create a user, add a role for him in each project, and get a token scoped to each project...the GET token call actually reutrns the whole catalog in the response.  You can see it if16:25
ayoungkeystone token-get --debug16:25
gyeenew catalog api is the right approach16:26
ayounggyee, yes, that is correct, it uses the admins catalog,  which is why I was saying we should have a clear default16:26
yottatsaayoung, I'm not using admin catalog, I'm using catalog from admin token request, which is exactly the same if we don't use filtering16:26
gyeeyottatsa, are you going to abandon the current review and starting fresh with a keystone-specs review?16:27
gyeeI wasn't clear on that16:27
ayounggyee, I think, so long as his feature is trigged by a config option, we should go with his approach16:27
ayoungt abandon the review16:27
openstackgerritMarco Fargetta proposed a change to openstack/keystone-specs: Web Authentication for SAML federated Keystone
yottatsagyee, sorry, I'm kinda newbee, what is keystone-specs?16:27
morganfainbergayoung, ++ don't abandon.16:27
*** bvandenh has quit IRC16:28
*** ayoung is now known as ayoung-lunch16:28
gyeeyottatsa, I can remove the -2 if you make it configurable16:28
morganfainbergyottatsa, it is how we are reviewing/approving blueprints16:28
gyeeat least it won't break endpoint filtering16:28
gyeejust add an option, something like use_admin_catalog or something16:28
yottatsagyee, ok16:30
*** doddstack has quit IRC16:32
gyeeyottatsa, done16:32
*** thedodd has joined #openstack-keystone16:33
gyeedolphm, jammielennox|away, can you guys please review this when you have a chance?
gyeeI am trying to do this once for all the service clients16:34
*** jsavak has quit IRC16:34
*** jsavak has joined #openstack-keystone16:34
yottatsagyee, could you please explain me what is include_service_catalog in keystoneclient/middleware/ option for?16:35
gyeeyottatsa, that option controls whether to ask for service catalog on token validation and to set the X-Service-Catalog header16:37
yottatsagyee, I ran into the bug if it is enabled:
uvirtbotLaunchpad bug 1228317 in python-keystoneclient "Need to be able to opt-out of X-Service-Catalog header" [Wishlist,Confirmed]16:38
yottatsagyee, nova requires X-Service-Catalog to be populated is some cases16:39
*** praneshp has joined #openstack-keystone16:40
gyeeyottatsa, yes, I understand the problem16:41
yottatsagyee, so is there any conditions when we need to prevent X-Service-Catalog population?16:41
gyeeyottatsa, its a deployment option16:42
gyeeif you don't use the nova-cinder extension, for example, you can disable it16:42
gyeeI mean enable it16:42
gyeebut I agree with the others, having a separate API to fetch the service catalog on-demand is a better option for you16:43
*** andreaf has joined #openstack-keystone16:44
yottatsagyee, I've got it16:46
*** praneshp has quit IRC16:48
*** harlowja_away is now known as harlowja16:50
topoldolphm, is jsavak's keystone to keystone blueprint in the spec repo?  Or is it just being done in v3/markdown?16:51
topolI just read one of his emails and realized I was doing out of sight out of mind...16:52
yottatsagyee, I just found out that no option required for admin catalog population16:52
gyeeyottatsa, right, but you are going to add one right?16:53
yottatsagyee, yep16:53
gyeemorganfainberg, could use your blessing here as well
yottatsagyee, populate_admin_service_catalog for example16:54
gyeeyottatsa, yes, that'll work16:54
gyeeyottatsa, perhaps use_admin_service_catalog?16:55
morganfainberggyee, i'll look over it today.16:55
gyeemorganfainberg, thank you sir16:55
*** ayoung-lunch is now known as ayoung16:56
*** radez is now known as radez_g0n316:57
gyeemorganfainberg, dolphm, can you guys please remove the red cross on this one?
morganfainberggyee, but red is totally it's color! (removing -2 now)16:58
*** sbfox has quit IRC17:00
yottatsagyee, f*ck, test suite is not working on my mac (17:01
yottatsagonna use linux box17:01
yottatsagyee, Ran 758 tests and passed!17:02
*** praneshp has joined #openstack-keystone17:02
*** sbfox has joined #openstack-keystone17:03
*** nkinder has quit IRC17:04
yottatsagyee, should I leave it enabled by default. It is not broke things.17:05
yottatsagyee, ?17:05
gyeeyottatsa, yes17:06
gyeeyottatsa, default is fine17:06
gyeeyottatsa, are you using homebrew on mac?17:07 works fine on my mac, tox is a bit problematic for some reason17:08
openstackgerritVladimir Eremin proposed a change to openstack/python-keystoneclient: Keystone compact PKI token
gyeestill troubleshooting17:08
morganfainberggyee, what issues are you running into with TOX?17:08
gyeemorganfainberg, its failing py3317:08
gyeebut no error logs17:08
yottatsagyee, I've got 38 errors on mac17:09
morganfainberggyee, hm. did you install py33?17:09
morganfainberggyee, os x doesn't have py33 by default17:09
gyeemorganfainberg, I installed python317:09
yottatsagyee, homebrew for gcc17:09
*** nsquare has joined #openstack-keystone17:12
yottatsagyee, oh I fixed my mac17:12
yottatsagyee, ln -s /usr/local/Cellar/openssl/1.0.1g/bin/openssl /Users/yottatsa/Documents/Python/bin/17:13
*** sbfox has quit IRC17:13
yottatsaguys, what IDE do you use? vim?17:15
gyeeI use vim17:15
yottatsabye guys17:19
* yottatsa is going to cook a steak!17:19
*** yottatsa has quit IRC17:19
*** nkinder has joined #openstack-keystone17:20
*** leseb has quit IRC17:21
*** gokrokve has joined #openstack-keystone17:27
morganfainbergayoung, cool.17:28
ayoungso employee  and admin are both user names you can connect with17:29
morganfainbergvery cool17:29
ayounghelpdesk and maanger as well17:29
openstackgerritHarry Rybacki proposed a change to openstack/python-keystoneclient: Revocation event API
morganfainbergmaybe we should setup a longer running infra box (fedora) that lets us do a full SAML workflow in a unit test17:30
morganfainberguntil we get something that runs on ubuntu17:30
morganfainbergif we had fedora tempest gate jobs i'd just set that all up there.17:31
* morganfainberg ponders17:31
morganfainbergmaybe... we should just push for ubuntu freeipa...17:31
ayoungmorganfainberg,  is going to be needed for Ephemeral17:31
ayounghrybacki is going to work on the auth_token middleware integration17:32
morganfainbergayoung, yes it will.17:32
*** marcoemorais has quit IRC17:32
morganfainbergayoung, cool17:32
ayoungmorganfainberg, I'm just concerned about how long a stable Ubuntu FreeIPA is going to take.17:32
*** bboris has quit IRC17:32
*** marcoemorais has joined #openstack-keystone17:32
*** marcoemorais has quit IRC17:33
*** marcoemorais has joined #openstack-keystone17:33
*** leseb has joined #openstack-keystone17:33
*** sbfox has joined #openstack-keystone17:33
morganfainbergayoung, yeah but i feel like the only way we'll see real adoption is if we can get it running under ubuntu17:34
morganfainbergayoung, real adoption = "recommended deployment method"17:35
richmdo we have any fedora tempest gate jobs for any project?17:36
morganfainbergrichm, no, we have RHEL for py2.617:38
morganfainbergrichm, afaik17:39
*** thedodd has quit IRC17:42
*** leseb has quit IRC17:47
*** ctracey has quit IRC17:51
*** ctracey has joined #openstack-keystone17:51
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Convert explicit session get/begin to transaction context
*** sbfox has quit IRC17:57
gyeemorganfainberg, how did you manage to get tox working with py33 on mac?18:00
gyeeI have python3 installed but tox can't see it18:00
*** browne has quit IRC18:00
*** leseb has joined #openstack-keystone18:01
*** sbfox has joined #openstack-keystone18:02
*** amcrn has joined #openstack-keystone18:03
*** leseb has quit IRC18:05
*** vhoward has left #openstack-keystone18:08
openstackgerritLance Bragstad proposed a change to openstack/keystone-specs: Propose api-validation blueprint
*** browne has joined #openstack-keystone18:25
jsavakyo topol!18:25
jsavak will be in the spec repo - just haven't drafted spec yet. In the works. : )18:26
topoljsavak, awesome. cause I have already programmed myself to only look for these things in the spec repo  :-)18:27
topolits a one way door for me. ain't goin back :-)18:28
jsavakI've gotten myself used to conditionals. ;)18:28
jsavaktopol - i have listed workitems in the BP - i've got the first one but they aren't necessarily all dependent. Maybe stevemar can pick up #2?18:29
*** andreaf has quit IRC18:30
topoljsavak, most of the BPs in launchpad are now just one liners and the guts go into the spec repo18:30
jsavakah gotcha. My guts are all over the place. Lots of guts.18:31
topoljsavak but yes, stevemar will definetly be working on this topic18:31
marekdtopol: yay!18:32
topolwe are drinking the fed identity kool aid18:32
topolhenrynash is gonna do some as well.18:32
jsavakit's refreshing. : )18:32
topolstevemar is gonna set all of us up a meeting soon18:33
marekdstevemar: topol can we do this early next week, please?18:33
marekdjsavak: so you are rewriting bp into keystone-specs format, right?18:34
marekdjsavak: great.18:34
topoljsavak, Hopefiully he can avoid June 10 and 11 cause I am going to NY for an analyst thing.  stevemar Imhoping we can land this on June 9th18:34
marekdtopol: meeting?18:35
marekdmeeting on june 9th?18:35
topolmarekd, yes, have a meeting on June 9th. Im hoping18:35
marekdtopol: ok, i'd like to take part as well if you let me :-)18:36
topoldoes june 9th work for marekd and jsavak18:36
topolmarekd, OF COURSE18:36
marekdtopol: june 9th works for me.18:36
topoldidnt you see my eloquent rant about stakeholder driven design :-)?18:36
jsavak: ) Afternoon central time works and should align with morning for marekD18:36
marekdtopol: I DID, thanks :-)18:36
marekdjsavak: there is some bank holiday here on monday but i will be very likely online, but if possible could we try to do this around 3pm pacific time? it'd already be evening here in Switzerland, so I will be preparing for the work eitherway :P18:38
topolstevemar appears to be away.  but if both of you can get him times that you are avail on monday june 9th that would help.18:38
marekdtopol: sure thing.18:38
marekdtopol: btw, feel free to weig in into internal mail loop about keystone2keystone :-)18:38
topolHe may want to do it as a conf call. we have international tool free callin numbers to use18:38
*** gyee has quit IRC18:42
*** thedodd has joined #openstack-keystone18:51
*** sbfox1 has joined #openstack-keystone18:52
*** sbfox has quit IRC18:54
openstackgerritDolph Mathews proposed a change to openstack/keystone: gitignore etc/keystone/
stevemartopol, you are correct...19:00
topolstevemar, did you catchup can you find a time on monday that works for everyone.   I can bump anything on my cal on monday to accommodate19:02
stevemartopol, i'll find a time, hopefully not too late for marekd19:02
stevemarall caught up19:02
topolgreat thanks19:02
*** jsavak has quit IRC19:05
*** marcoemorais1 has joined #openstack-keystone19:08
*** marcoemorais has quit IRC19:08
stevemarmarekd, 2pm EST on monday work for you?19:10
*** leseb has joined #openstack-keystone19:11
stevemarit's 8pm for you local time :(19:12
*** leseb has quit IRC19:16
raildostevemar: I am also interested participate in a meeting about keystone2keystone, can I participate?19:23
*** sbfox1 has quit IRC19:24
*** gokrokve_ has joined #openstack-keystone19:26
marekdstevemar: should be fine.19:26
dolphmmarekd: did you know there's a Denis M. at mirantis? #confusing19:28
marekddolphm: that's definitely not me!19:29
marekddolphm: how did you find out?19:29
dolphmmarekd: just bug activity19:30
*** gokrokve has quit IRC19:30
uvirtbotLaunchpad bug 1326811 in trove "Client failing with six =>1.6 error" [Undecided,New]19:30
lbragstadmarekd: I noticed there are a few people with your name on twitter too... found that out when I took bknudson's picture next to your superuser.19:31
*** erecio has quit IRC19:32
marekdlbragstad: but Marek or Denis ?19:32
*** erecio has joined #openstack-keystone19:32
marekdheh :-)19:33
jdennisstevemar: I understand you're an oauth2 expert, can I pick your brain for a minute?19:33
marekdMarek is not a very international name...19:33
marekdoh, another Den(n)is here ^^  :P19:34
*** hrybacki has quit IRC19:35
*** afazekas is now known as _afazekas_slp19:37
*** sbfox has joined #openstack-keystone19:38
*** gokrokve_ has quit IRC19:38
*** gokrokve_ has joined #openstack-keystone19:40
*** gyee has joined #openstack-keystone19:46
*** gokrokve_ has quit IRC19:57
*** erecio has quit IRC20:03
*** erecio has joined #openstack-keystone20:09
*** dolphm changes topic to "Keystone hackathon RSVP | Review Specifications:,n,z"20:13
dolphmayoung, bknudson, dstanek, jamielennox, morganfainberg, stevemar, gyee, henrynash, topol, marekd, lbragstad, joesavak, shardy, fabiog, fmarco76, nkinder, lloydm, shrekuma, ksavich: keystone hackathon RSVP
dolphmlooking for an early headcount to make sure we have appropriate space and whatnot20:16
lbragstadnice survey :)20:17
ayoungValencia is the hotel of choice, right?20:17
gyeedolphm, I like the choices :)20:18
lbragstad"I'm choosing this option because I am unable to disambiguate my opinion on the matter and I am generally a useless individual." needs to be on a shit20:18
lbragstadthat was suppose to be shirt... oops20:18
gyeelbragstad, nice going man!20:18
* lbragstad hangs head20:19
ayoungWho is Adam?20:19
* ayoung goes back to looking for plane tickets.20:19
*** joesavak has joined #openstack-keystone20:19
dolphmlbragstad: ++20:20
*** amerine has quit IRC20:20
*** richm1 has joined #openstack-keystone20:21
*** amerine has joined #openstack-keystone20:21
*** richm1 has left #openstack-keystone20:21
*** richm1 has joined #openstack-keystone20:24
stevemarthat is an awesome survey20:24
*** richm1 has left #openstack-keystone20:24
*** andreaf has joined #openstack-keystone20:27
*** gokrokve has joined #openstack-keystone20:29
*** gokrokve has quit IRC20:34
*** jsavak has joined #openstack-keystone20:34
*** gokrokve has joined #openstack-keystone20:36
*** joesavak has quit IRC20:38
*** erecio has quit IRC20:38
*** joesavak has joined #openstack-keystone20:39
*** nkinder has quit IRC20:40
*** jsavak has quit IRC20:41
topoldolphm, I have filled out your survey. Personally I view the who is ayoung question as a test. If you dont know Adam you should not be at the hackathon!!!20:44
ayoungtopol, necessary but not sufficient20:44
ayoungtoo many people know me.20:44
ayoungmany of whom you would not want to associate with20:45
topolayoung, yes, so answering no is a huge red flag20:45
ayoungtopol, might actually be an endorsement20:45
ayoungthose people are untainted20:45
ayoungor liars20:45
*** gokrokve has quit IRC20:47
*** marcoemorais1 has quit IRC20:47
*** marcoemorais has joined #openstack-keystone20:48
*** juanmo has quit IRC21:01
dolphmayoung: which group are you in?21:08
*** joesavak has quit IRC21:10
ayoungdolphm, that is one of those questions that Gödel used to prove his incompleteness theorems21:14
morganfainbergayoung, "Waiting for Gödel?"21:16
ayoung"I'd never be a member of a  club that would have me as a member."21:16
*** andreaf has quit IRC21:17
*** sbfox has quit IRC21:18
dolphmjdennis: did you see apevec's latest comment here?
jdennisdolphm: yes I did and it's on my to-do list21:24
*** topol has quit IRC21:30
openstackgerritLance Bragstad proposed a change to openstack/keystone: Initial implementation of validator
openstackgerritLance Bragstad proposed a change to openstack/keystone: Implement validation on Catalog V3 resources
openstackgerritLance Bragstad proposed a change to openstack/keystone: Implement validation on Assignment V3 resources
*** lbragstad has quit IRC21:34
*** stevemar has quit IRC21:36
*** nkinder has joined #openstack-keystone21:42
*** marekd is now known as marekd|away21:43
*** gokrokve has joined #openstack-keystone21:44
*** sbfox has joined #openstack-keystone21:45
*** hrybacki has joined #openstack-keystone21:46
*** rodrigods_ has joined #openstack-keystone21:48
*** dims__ has joined #openstack-keystone21:51
*** marcoemorais has quit IRC21:52
*** marcoemorais has joined #openstack-keystone21:52
*** dims_ has quit IRC21:53
*** rodrigods_ has quit IRC22:07
*** bknudson has quit IRC22:16
*** hrybacki has quit IRC22:18
*** marcoemorais has quit IRC22:22
*** marcoemorais has joined #openstack-keystone22:23
*** thedodd has quit IRC22:41
*** gordc has quit IRC22:52
*** jamielennox|away is now known as jamielennox22:54
*** amcrn has quit IRC23:03
*** rodrigods_ has joined #openstack-keystone23:04
morganfainbergit's kinda quiet in here...23:05
jamielennoxlove the hackfest survey23:07
jamielennoxthough because i said 'no' (i don't have community spirit or some such) i didn't get to see the rest of the options without checking out the results page23:08
jamielennoxi feel my opinions on steak are still valid23:09
morganfainbergjamielennox, i dunno, did you eat steak whilst in the US or anywhere in the northern hemisphere?23:15
morganfainbergjamielennox, :P23:16
jamielennoxumm, crap maybe i didn't23:16
jamielennoxa whole lot of pizza23:16
morganfainbergjamielennox, maybe you've only ever had upsidedown steak then :P23:17
morganfainberghow do you know if you'd like it flipped the other way23:17
jamielennoxthat's true - it's probably crap23:17
*** rodrigods_ has quit IRC23:17
morganfainbergit's kindof like how the water spins the opposite direction down the drain around you <MORBO>CORIOLIS EFFECT DOES NOT WORK THAT WAY</MORBO>23:18
* morganfainberg stops giving incorrect science lessons in #openstack-keystone23:19
*** rodrigods_ has joined #openstack-keystone23:19
*** praneshp has quit IRC23:20
*** praneshp has joined #openstack-keystone23:22
*** sbfox has quit IRC23:23
*** radez_g0n3 is now known as radez23:24
jamielennoxmorganfainberg: easy one:
jamielennox(not mine)23:28
morganfainbergjamielennox, fwiw, not approving anything with the gate as backed up as it is23:28
morganfainberghappy to review though23:28
jamielennoxi though they fixed that?23:29
morganfainbergi think they did fix it some, but we're still ~120+ deep and a bunch of patches runnin 35+hrs23:29
jamielennoxmorganfainberg: don't worry about it then - it had sat there for a long time unreviewed and it was an easy +A23:29
morganfainbergi was going to opt to give it some time to run the queue before stacking more on.23:29
jamielennoxi wasn't working yesterday but we had that problem tuesday and then it caught up23:30
morganfainbergyeah its not pretty atm.23:30
*** rodrigods_ has quit IRC23:30
jamielennoxi'm guessing it's just because there are so many recheck errors, at least 50% of my patches have been failing for some transient bug23:31
morganfainbergthat is the case23:31
morganfainbergjamielennox, here is the top of the thread about it
*** marcoemorais has quit IRC23:33
*** marcoemorais has joined #openstack-keystone23:33
morganfainbergand yeah it's still racing pretty badly23:35
morganfainbergso, approving new stuffs = no-so-good23:35
jamielennoxso i conclude we are blaming HP cloud23:37
morganfainbergnot really, it was partially because of the move23:38
morganfainbergbut also because we have a lot of race bugs23:38
morganfainbergand they've all stacked up23:38
morganfainbergw/o the race bugs, this wouldn't have exploded23:38
morganfainbergwithout the cloud change... it would have exploded less violently23:38
jamielennoxi always forget a </sarcasm>23:38
morganfainberghah, sarcasm via text is hard to catch sometimes23:39
morganfainbergfor did you want to just verify it was called23:39
morganfainbergor that it was called once23:39
morganfainbergbecause it's possible to verify the number of times it was called23:39
morganfainbergs/you/the design is/23:39
jamielennoxit's not mine, assert_called_once() doesn't exist so it was returning a magicmock and not testing anything23:40
morganfainbergmy question is - do we want to make sure the mocked thing is only called once?23:40
jamielennoxthere's an assert_called_once_with - but there are so many arguments passed that it's not worth checking them all23:40
morganfainbergor just make sure it was called23:40
jamielennoxhis patch #1 just check called - i said a more direct translation from the old was to check once - i don't think it matters23:41
jamielennoxi +2ed the first patch as well with the comment23:41
morganfainbergjamielennox, i was just curious what the intent of the original test was23:42
morganfainbergit's not clear if it really should be called once or...23:42
jamielennoxi don't know - but the original had a _once so i'm assuming the intention was to check it was 123:42
jamielennoxanother chunk of code i'd love to move out23:43
*** ozialien has quit IRC23:51
* morganfainberg needs coffee :(23:51
*** stevemar has joined #openstack-keystone23:52
*** stevemar2 has joined #openstack-keystone23:52
*** stevemar3 has joined #openstack-keystone23:54

Generated by 2.14.0 by Marius Gedminas - find it at!