Tuesday, 2014-09-02

« Monday, 2014-09-01 Index Wednesday, 2014-09-03 »
*** lsmola has quit IRC00:00
*** lsmola has joined #openstack-keystone00:12
*** dims has joined #openstack-keystone00:47
*** gokrokve_ has joined #openstack-keystone00:50
*** gokrokve has quit IRC00:52
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Create SAML generation route and controller  https://review.openstack.org/11413800:53
*** gokrokve_ has quit IRC00:55
*** gokrokve has joined #openstack-keystone00:56
*** jamielen- has joined #openstack-keystone00:58
*** jamielennox has quit IRC01:00
*** gokrokve has quit IRC01:00
*** jamielen- is now known as jamielennox01:01
*** jamielennox_ has joined #openstack-keystone01:10
*** jamielen- has joined #openstack-keystone01:11
*** jamielen| has joined #openstack-keystone01:12
*** ncoghlan has joined #openstack-keystone01:12
*** jamielennox has quit IRC01:13
*** jamielennox_ has quit IRC01:15
*** jamielen- has quit IRC01:15
*** jamielen| is now known as jamielennox01:18
*** hrybacki has quit IRC01:25
*** gokrokve has joined #openstack-keystone01:26
*** gokrokve has quit IRC01:27
*** ncoghlan_ has joined #openstack-keystone01:27
*** jamielennox_ has joined #openstack-keystone01:28
*** gokrokve has joined #openstack-keystone01:28
*** ncoghlan__ has joined #openstack-keystone01:28
*** dims has quit IRC01:28
*** ncoghlan has quit IRC01:30
*** jamielennox has quit IRC01:31
*** ncoghlan_ has quit IRC01:32
*** gokrokve has quit IRC01:32
*** gokrokve has joined #openstack-keystone01:40
*** jamielennox_ is now known as jamielennox01:40
*** gokrokve has quit IRC01:44
*** packet has joined #openstack-keystone01:45
*** stevemar has joined #openstack-keystone01:53
*** ncoghlan has joined #openstack-keystone02:09
*** ncoghlan_ has joined #openstack-keystone02:10
*** jamielen- has joined #openstack-keystone02:10
*** jamielennox has quit IRC02:13
*** ncoghlan__ has quit IRC02:13
*** ncoghlan has quit IRC02:13
*** amerine has quit IRC02:19
*** diegows has quit IRC02:19
*** miqui has joined #openstack-keystone02:19
openstackgerritwanghong proposed a change to openstack/keystone: trustor_user_id not available in v2 trust token  https://review.openstack.org/10182902:21
*** wanghong has quit IRC02:25
openstackgerritwanghong proposed a change to openstack/keystone: V2 token from trust cannot be generated with user/password  https://review.openstack.org/11223002:30
openstackgerritBrant Knudson proposed a change to openstack/keystone: Return v3 JSON Home for GET / and GET /v2.0  https://review.openstack.org/11824002:35
*** gokrokve has joined #openstack-keystone02:40
*** wanghong has joined #openstack-keystone02:41
*** gokrokve has quit IRC02:45
*** jamielennox has joined #openstack-keystone02:47
*** ncoghlan__ has joined #openstack-keystone02:48
*** jamielennox_ has joined #openstack-keystone02:48
*** alex_xu has joined #openstack-keystone02:49
*** packet has quit IRC02:50
*** sigmavirus24_awa is now known as sigmavirus2402:51
*** packet has joined #openstack-keystone02:51
*** packet has quit IRC02:51
*** ncoghlan_ has quit IRC02:51
*** jamielen- has quit IRC02:52
*** jamielennox has quit IRC02:52
*** KanagarajM has joined #openstack-keystone02:56
stevemardstanek thanks for reviewing today and yesterday!03:00
stevemarbknudson too, but he's not online03:01
*** ncoghlan has joined #openstack-keystone03:01
*** ncoghlan_ has joined #openstack-keystone03:01
*** jamielen- has joined #openstack-keystone03:01
*** ncoghlan__ has quit IRC03:03
*** jamielennox_ has quit IRC03:05
*** ncoghlan has quit IRC03:05
dstanekstevemar: my pleasure03:08
openstackgerritSteve Martinelli proposed a change to openstack/identity-api: Add SAML generation route to OS-FEDERATION  https://review.openstack.org/11399803:08
dstanekstevemar: i only did a few reviews here and there03:08
openstackgerritSteve Martinelli proposed a change to openstack/identity-api: API for metadata generation  https://review.openstack.org/11807403:10
stevemardstanek, i still appreciate it03:11
openstackgerritA change was merged to openstack/keystone: Implement validation on the Catalog V3 API  https://review.openstack.org/9626603:16
*** ncoghlan_ is now known as ncoghlan03:17
*** rkofman has joined #openstack-keystone03:19
*** alex_xu has quit IRC03:28
*** xianghuihui has joined #openstack-keystone03:39
*** alex_xu has joined #openstack-keystone03:39
*** gokrokve has joined #openstack-keystone03:40
*** xianghui has quit IRC03:42
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Create SAML generation route and controller  https://review.openstack.org/11413803:44
*** gokrokve has quit IRC03:45
*** alex_xu has quit IRC03:45
*** ncoghlan is now known as ncoghlan_afk03:46
*** jamielennox has joined #openstack-keystone03:47
*** jamielennox_ has joined #openstack-keystone03:48
*** ncoghlan_ has joined #openstack-keystone03:48
*** jamielen- has quit IRC03:50
*** ncoghlan_afk has quit IRC03:51
*** jamielennox has quit IRC03:52
*** sigmavirus24 is now known as sigmavirus24_awa03:53
*** ncoghlan_ is now known as ncoghlan_afk03:55
*** alex_xu has joined #openstack-keystone03:58
*** rkofman has left #openstack-keystone04:03
*** rkofman has joined #openstack-keystone04:03
stevemardstanek, if you're still there... what did you mean by your first comment here: https://review.openstack.org/#/c/114850/19/keystone/tests/test_v3_federation.py04:07
*** chandankumar has joined #openstack-keystone04:11
*** ncoghlan_afk is now known as ncoghlan_04:11
*** jamielennox has joined #openstack-keystone04:14
*** ncoghlan__ has joined #openstack-keystone04:14
*** ncoghlan has joined #openstack-keystone04:15
*** jamielen- has joined #openstack-keystone04:15
*** jamielennox_ has quit IRC04:18
*** ncoghlan_ has quit IRC04:18
*** xianghuihui has quit IRC04:19
*** ncoghlan__ has quit IRC04:19
*** jamielennox has quit IRC04:19
*** xianghui has joined #openstack-keystone04:20
*** amirosh has joined #openstack-keystone04:21
*** chandankumar has quit IRC04:38
*** gokrokve has joined #openstack-keystone04:48
*** ncoghlan is now known as ncoghlan_afk04:50
*** chandankumar has joined #openstack-keystone04:51
*** gokrokve has quit IRC04:52
*** amirosh has quit IRC04:59
*** amerine has joined #openstack-keystone05:00
openstackgerritA change was merged to openstack/keystone: controller for the endpoint policy extension  https://review.openstack.org/11574605:02
*** ncoghlan_afk is now known as ncoghlan05:03
*** alex_xu has quit IRC05:04
*** rushiagr_away is now known as rushiagr05:05
dstanekstevemar: there is a config fixture that i think we got from oslo.config - http://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/test_versions.py#n36205:08
stevemarah05:08
*** gokrokve has joined #openstack-keystone05:13
*** ajayaa has joined #openstack-keystone05:16
*** gokrokve has quit IRC05:18
*** alex_xu has joined #openstack-keystone05:23
*** gokrokve has joined #openstack-keystone05:40
*** gokrokve has quit IRC05:46
*** ncoghlan_ has joined #openstack-keystone05:50
*** ncoghlan__ has joined #openstack-keystone05:51
*** jamielennox has joined #openstack-keystone05:52
*** ncoghlan has quit IRC05:54
*** jamielen- has quit IRC05:54
*** ncoghlan_ has quit IRC05:55
*** alex_xu has quit IRC06:04
*** k4n0 has joined #openstack-keystone06:06
openstackgerritSteve Martinelli proposed a change to openstack/identity-api: API for metadata generation  https://review.openstack.org/11807406:06
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/11192006:07
openstackgerritSteve Martinelli proposed a change to openstack/identity-api: Add SAML generation route to OS-FEDERATION  https://review.openstack.org/11399806:08
*** ukalifon has joined #openstack-keystone06:10
*** ncoghlan__ is now known as ncoghlan_afk06:10
*** henrynash has joined #openstack-keystone06:11
openstackgerritSteve Martinelli proposed a change to openstack/identity-api: API for metadata generation  https://review.openstack.org/11807406:12
*** KanagarajM has quit IRC06:13
*** Clabbe has quit IRC06:23
*** alex_xu has joined #openstack-keystone06:24
jamielennoxstevemar: why can't you just take the token information from X-Auth-Token when generating a SAML assertion?06:24
jamielennoxwhy do you need to submit an auth request?06:25
stevemarjamielennox, ... i don't have a good reason06:26
stevemaryeah that seems like a good fit06:26
stevemarbah06:26
jamielennoxare you ever going to need to get a saml assertion for a token that you aren't currently using06:26
jamielennox(also because scope['region']['id'] is not a real thing)06:27
stevemarjamielennox, i think i was just trying to base if off the current rescoping model06:27
jamielennoxit's not really a rescoping IMO (and i'm coming to a lot of this late)06:28
jamielennoxwhy not just do it at GET /auth/OS-FEDERATION/saml2/assertion06:28
*** jimhoagland has joined #openstack-keystone06:28
jamielennoxstevemar: what happens to region?  is it going into the assertion somewhere? (can't see it)06:30
jamielennoxregion is not something we traditionally deal with as part of auth06:31
*** jimhoagland has quit IRC06:32
*** rm_work|away is now known as rm_work06:32
*** ncoghlan_afk is now known as ncoghlan__06:33
*** alex_xu has quit IRC06:34
stevemarjamielennox, the region is part of the assertion too06:37
stevemarwe get a URL from region06:37
stevemarjamielennox, https://review.openstack.org/#/c/114138/32/keystone/contrib/federation/controllers.py line 26806:38
stevemarthe thinking was that each SP would have a region, and within the URL field, it could specify some data it would want to include in the assertion06:38
stevemarthis way the catalog makes a bit more sense, since it'll have endpoints for a different region06:39
jamielennoxI don't object to making the catalog make more sense - but it's not how the rest of it works06:39
jamielennoxespecially to make it a required argument06:40
stevemarregion?06:40
jamielennoxyea06:40
stevemaryou need to determine who the SAML assertion is for06:40
jamielennoxwhy wouldn't that be done via GET /OS-FEDERATION/idp/{id}/  or similar06:41
jamielennox(this is the first i've seen of using regions in federation - so i might be behind on the logic)06:42
*** rkofman has quit IRC06:43
*** alex_xu has joined #openstack-keystone06:47
*** bvandenh has joined #openstack-keystone06:50
stevemarjamielennox, well it would be an sp, not an idp06:50
stevemarso rather than building an entire /OS-FEDERATION/sp/{sp} framework, we opted to just leverage regions06:50
stevemarjamielennox, before i forget - log your comments in the API spec: https://review.openstack.org/#/c/113998/06:51
*** jamielennox_ has joined #openstack-keystone06:52
*** ncoghlan has joined #openstack-keystone06:52
*** ncoghlan_ has joined #openstack-keystone06:53
*** jamielen- has joined #openstack-keystone06:53
jamielen-stevemar: this seems to imply we have SPs listed in the service catalog?06:54
jamielen-bah - network has been flaky all day06:55
*** jamielennox has quit IRC06:56
jamielen-I would think that SPs that require a SAML assertion are rare - essentially only when you want to talk to a new keystone06:56
*** ncoghlan__ has quit IRC06:56
jamielen-that seems like a good thing to have controlled via an admin in some sort of /sp/{id} framework06:56
*** jamielennox_ has quit IRC06:57
*** ncoghlan has quit IRC06:57
jamielen-stevelle:  would an external keystone have the same public/private/admin endpoints that a catalog endpoint does?06:58
jamielen-stevemar: ^06:58
stevemarjamielen-, so we already have keystone as an SP being able to talk SAML (icehouse impl.)06:59
jamielen-right - that's token issuing07:00
stevemarjamielen-, re: sp/{sp} framework, i thought so too, but apparently too much overhead for just a url07:00
*** chandankumar has quit IRC07:01
stevemarjamielen-, so if i connect to my keystone, i get back a catalog (regionIBM is my local keystone), regionRH is the other service provider07:01
stevemarthen I can get an SAML assertion by giving a token ID and regionRH07:01
jamielen-so the SP url is just in the regular catalog?07:01
jamielen-under some bogus service_type?07:02
*** openstackgerrit has quit IRC07:02
stevemarjamielen-, i was working w/ the assumption that different regions were in the catalog07:04
jamielen-stevemar: oh god - when did we add a url to a region07:04
stevemari guess it depends on the endpoint07:04
jamielen-how is that more lightweight than having an SP url?07:05
stevemarfew weeks back07:05
jamielen-aww, this is such a bad idea....07:05
stevemarjamielen-, it was a whole discussion about adding less code07:06
jamielen-stevemar: by overloading concepts07:06
jamielen-what does a URL on a region mean if we aren't using federtaion?07:06
stevemarjamielen-, ugh07:07
jamielen-cause at the moment a region is pretty much just a label07:07
jamielen-something that you can filter the catalog by07:07
stevemarjamielen-, blah, we had the impl: https://review.openstack.org/#/c/104623/07:08
jamielen-even hierarchically it's just a way to filter07:08
stevemarjamielen-, talk it over with dolphm and marekd ... maybe i'm forgetting something fundamental here07:09
stevemarit is > 3am for me07:09
stevemari don't want to add to the fear machine that we f*ed things up07:09
jamielen-stevemar: yea, i figured it was late as it's end of day for me07:09
stevemarby giving you bad info07:09
stevemarkeystone meeting in <12 hrs07:10
stevemaryou might be able to catch marekd, he's starting soon07:10
jamielen-i'll add it to the agenda - feature freeze is in 2 days, maybe we can revert at least the regions bit for now because it won't be ready for juno anyway07:10
morganfainberg...07:11
stevemarjamielen-, thanks for looking at the API, add your concern about the region in scope there too07:11
* morganfainberg reads the scrollback07:11
stevemarah crap07:11
stevemaryou're awake07:11
*** KanagarajM has joined #openstack-keystone07:11
jamielen-morganfainberg: better late than never - but only just07:11
stevemarjamielen-, fwiw: http://specs.openstack.org/openstack/keystone-specs/specs/juno/keystone-to-keystone-federation.html07:11
morganfainbergstevemar, i've been awaek, ijust been ignoreing irc :P07:11
stevemarmorganfainberg, good idea07:11
*** jamielen- is now known as jamielennox07:11
* jamielennox is whole again 07:12
morganfainbergissue with k2k stuff?07:12
stevemaryeah07:12
stevemarwell maybe07:12
stevemarmorganfainberg, you were at the hackathon07:12
jamielennoxnot k2k specifically - just it's overloading core concepts that i think is a bad idea07:12
morganfainbergyes07:12
jamielennoxdamnit i was wondering where all this was discussed and i missed it07:12
morganfainbergi was at the hackathon07:12
stevemarwhat was the argument for using URL in regions vs adding OS-FED/sp/{sp} instead?07:12
morganfainbergthere was an argument for urls in regions?07:13
jamielennoxlol07:13
morganfainbergoh the auth url07:13
stevemari swear i'm not making this up07:13
morganfainbergyes, the auth url so you know where to send the SAML to07:13
stevemaryes07:13
morganfainbergit's IDP originated SAML assertions (vs. the normal SP originated[requested])07:14
morganfainbergsince you need a token from the remote IDP, the thought was (adn this might have been token, pre-saml) you then know who to re-auth with (exchange tokens)07:15
stevemarmorganfainberg, i recall someone mentioning that it wasn't worth adding OS-FEDERATION/sp/{sp} because of all the new code it would introduce (routers, controller, core, tests), when we could just add a field to regions (maybe dolphm?)07:15
morganfainbergi think that was the argument when usng keystone tokens as a transport07:15
stevemarah yes07:15
stevemari think it was the argument for either? (keystone tokens or saml assertions)07:16
morganfainbergnow you need to exchange for SAML anyway, so that isn't as relevant07:16
morganfainbergand i *think* it needed to be signed for the specific destination?07:16
morganfainberghonestly07:16
stevemarthat sounds right07:16
morganfainbergi don't remember all of it.07:17
morganfainbergi know that the auth url bit was *really* for the token transport07:17
morganfainbergif you're using mod_shib i think most of those concerns go out the window.07:17
morganfainbergor maybe not07:18
morganfainbergmaybe it still works out "get me a saml assertion, then use the auth_url for whatever region you're going to?"07:18
stevemarmorganfainberg, i think that sums up the intention07:19
stevemarmorganfainberg, now i'm worried about how the user is going to know the region ID?07:19
stevemarmorganfainberg, it's not exactly in the catalog07:20
stevemarbecause it's not an endpoint07:20
morganfainbergisn't region id supposed to be region name?07:20
stevemarmorganfainberg, it can be07:20
morganfainbergiirc that was the original intent, not opaque uuid07:20
morganfainbergunless you *really* want uuid regions (i dunno, maybe some govt install?)07:21
morganfainbergget_region_by_name?07:21
morganfainbergmethod07:21
stevemarmorganfainberg, so it's OK to assume that the client can figure that part out? (the region user defined name / id) ?07:21
morganfainbergmight need to add an api foe it07:22
morganfainbergregion names are unique right?07:22
morganfainbergif so obly use region namses not ids07:23
ajayaamorganfainberg, can you please do a review of https://review.openstack.org/#/c/110575/07:24
morganfainberganyway i need to sleep07:24
morganfainbergstevemar, talk tomorrow07:24
stevemarmorganfainberg, region's do not have names, they have user defined id's07:24
stevemaryeah07:24
stevemarsee ya07:24
morganfainbergajayaa, it's unfortunately past midnight, code reviewing is not in the books right now07:25
ajayaamorganfainberg, tommorw then07:25
ajayaa:)07:25
morganfainbergajayaa ++07:25
jamielennoxmorganfainberg: sorry missed that part of the conversation07:27
jamielennoxmorganfainberg: so what does a url on a region mean if you aren't using federation?07:27
jamielennoxhow does the concept of a federated region affect just using regions for the exsiting purposed07:28
jamielennoxpurposes07:28
morganfainbergan auth url you can use? i think it also is used for unscoped tokens (concept, where you have auth endpoints)07:28
*** afazekas has joined #openstack-keystone07:28
jamielennoxhow do i get a list of other SPs that i can send an assertion to?07:28
morganfainbergi think...07:28
morganfainbergi or maybe regions with urls are federated and otherwise don07:29
morganfainbergt have urls07:29
morganfainbergi think that *is* what we talked about07:29
morganfainbergonly federated regions would have url07:29
jamielennoxmorganfainberg: you're mixing core and extension concepts07:29
morganfainbergsorry it's late :(07:29
*** stevemar has quit IRC07:29
morganfainbergi absolutely dislike the extensions mechanism we have in keystone07:29
jamielennoxare we expecting k2k to be a part of juno?07:30
morganfainbergideally.07:30
jamielennoxmorganfainberg: what is a federated region?07:30
jamielennoxa region is just a region07:30
morganfainberga remote keystone you can send an asserttion to and get a token07:30
jamielennoxshit, so it's too late for me to propose backing this out07:30
jamielennoxmorganfainberg: why would we mix that with the existing concepts of regions07:30
morganfainbergbecause something something extension concepts are awful and segregate things in weird ways07:31
jamielennoxmorganfainberg: but we have that already07:31
jamielennoxmorganfainberg: my problem is that if you aren't using federation then this whole thing is wrong07:31
jamielennoxa URL is completely ignore07:32
jamielennoxd07:32
morganfainbergit is likely because instead of asking for OS-FEDERATION for a list of k2k endpoints, just use the current service catalog07:32
jamielennoxif we are using federation how do we know which regions are 'federated' and not07:32
morganfainbergorigoinally we were going to use tokens as the transport, not saml07:32
jamielennoxmorganfainberg: what if i want to use my token to get access to an endpoint in a different region to my saml provider07:33
morganfainbergand therefore didn't need to ask the local keystone to do a transform07:33
morganfainbergyou must *always* get a token from the authoritative keystone for a federated region07:33
jamielennoxthe only way this works is if we suddenly enforce that region is part of authentication - currently it's not, it's just a filter07:33
morganfainbergkeystone for region X cannot issue a token that works in region Y, you must ask region y for a token07:34
jamielennoxso what happens with our existing regions that are just kind of floating?07:34
morganfainbergyou pass the assertion to region Y and it gives a token07:34
morganfainbergrgions w/o that are authed normally.07:34
morganfainberge.g. standard auth endpoint07:34
morganfainbergexisting regions wouldn't have a url iirc07:35
morganfainbergbecause the token from any of those regions would work07:35
morganfainberghonestly, you need to ask marekd at this point. it's too late and i don't remember07:35
morganfainbergi'm making things up and giving bad info i'm sure07:36
morganfainbergalso, if this can't land in Juno it can't land. broken = worse than waiting for K07:36
morganfainbergtoo late = omg past midnight here and i'm tired07:36
jamielennoxmorganfainberg: right, does this falls under feature freeze?07:36
morganfainbergafaik yes07:37
morganfainbergi also think we can revert post FF if it's not viable07:37
morganfainbergwe could easily get it on a feature branch and get it right there, then in K move it to master07:38
morganfainberg(same as the heirarchyg stuff)07:38
jamielennoxi tagged it for tomorrows meeting07:38
jamielennoxand next time i think i need to push to go to the midcycles07:38
*** gokrokve has joined #openstack-keystone07:40
*** gokrokve has quit IRC07:42
*** gokrokve has joined #openstack-keystone07:42
*** henrynash has quit IRC07:42
*** gokrokve has quit IRC07:46
*** dims has joined #openstack-keystone07:56
*** dims has quit IRC08:00
*** afazekas has quit IRC08:05
*** afazekas has joined #openstack-keystone08:06
*** wanghong has quit IRC08:08
*** jamielennox is now known as jamielennox|away08:09
*** morganfainberg is now known as morganfainberg_Z08:12
*** amirosh has joined #openstack-keystone08:18
*** KanagarajM has quit IRC08:19
*** jaosorior has joined #openstack-keystone08:25
*** wanghong has joined #openstack-keystone08:27
*** gokrokve has joined #openstack-keystone08:40
*** gokrokve has quit IRC08:46
*** andreaf has joined #openstack-keystone08:47
*** mflobo_ has joined #openstack-keystone08:58
*** mflobo has quit IRC09:01
*** ncoghlan_ has quit IRC09:09
*** i159 has joined #openstack-keystone09:20
*** mflobo has joined #openstack-keystone09:22
*** mflobo_ has quit IRC09:25
*** alex_xu has quit IRC09:25
*** mflobo_ has joined #openstack-keystone09:26
*** mflobo has quit IRC09:29
*** aix has joined #openstack-keystone09:29
*** mflobo has joined #openstack-keystone09:32
*** mflobo_ has quit IRC09:36
*** rm_work is now known as rm_work|away09:37
*** gokrokve has joined #openstack-keystone09:40
*** gokrokve has quit IRC09:45
*** rm_work|away is now known as rm_work09:59
*** rm_work is now known as rm_work|away10:13
*** ajayaa has quit IRC10:32
*** KanagarajM has joined #openstack-keystone10:33
*** ajayaa has joined #openstack-keystone10:33
*** gokrokve has joined #openstack-keystone10:40
*** gokrokve has quit IRC10:44
*** dims has joined #openstack-keystone10:46
*** dims has quit IRC10:50
*** gokrokve has joined #openstack-keystone11:40
*** dims has joined #openstack-keystone11:42
*** gokrokve has quit IRC11:45
*** k4n0 has quit IRC11:46
*** alex_xu has joined #openstack-keystone11:48
*** jaosorior has quit IRC12:02
*** dims has quit IRC12:08
*** dims has joined #openstack-keystone12:08
*** AJaeger has joined #openstack-keystone12:16
*** KanagarajM has quit IRC12:17
*** jasondotstar has quit IRC12:19
*** rushiagr is now known as rushiagr_away12:22
*** diegows has joined #openstack-keystone12:22
*** htruta has joined #openstack-keystone12:24
*** htruta has quit IRC12:27
*** alex_xu has quit IRC12:29
*** gordc has joined #openstack-keystone12:58
*** samuelmz has joined #openstack-keystone13:09
*** AJaeger has left #openstack-keystone13:12
*** ayoung has joined #openstack-keystone13:14
*** htruta has joined #openstack-keystone13:16
*** jaosorior has joined #openstack-keystone13:17
*** bknudson has joined #openstack-keystone13:23
*** joesavak has joined #openstack-keystone13:24
*** rushiagr_away is now known as rushiagr13:27
*** gokrokve has joined #openstack-keystone13:40
*** jasondotstar has joined #openstack-keystone13:41
*** gokrokve has quit IRC13:45
*** BAKfr has joined #openstack-keystone13:47
*** openstackgerrit has joined #openstack-keystone13:50
*** openstackgerrit has joined #openstack-keystone13:51
*** lnxnut has joined #openstack-keystone13:51
*** r-daneel has joined #openstack-keystone13:54
*** gokrokve has joined #openstack-keystone13:56
*** zzzeek has joined #openstack-keystone13:59
*** openstackgerrit has joined #openstack-keystone14:01
*** stevemar has joined #openstack-keystone14:04
*** _d34dh0r53_ is now known as d34dh0r5314:04
*** openstackgerrit has joined #openstack-keystone14:05
*** topol has joined #openstack-keystone14:07
*** montanvi is now known as bambam114:14
marekdstevemar: ping.14:14
stevemarmarekd, pong14:14
stevemarim awake now14:14
marekdstevemar: erm, token2saml is merged, but my metadata generator still depends on the previous commit. Any quick advice how to push the commit fast? Simply type 'yes' when gerrit asks if I really want to push two commits (like you always do in case depending patches)?14:15
stevemarmarekd, i'll do something quick14:16
marekdstevemar: ok.14:16
marekdwell, actually my question can be answered by anybody :-)14:16
stevemarmarekd, i'll rebase it, and upload a new version, thats ok?14:16
marekdtoken2saml?14:16
marekdor metadata gen?14:17
stevemarmarekd, the rebase button in gerrit doesn't work?14:19
stevemarmetadata gen14:19
stevemarmarekd, when it asks you to upload 2 versions, what's the change id?14:19
openstackgerritMarek Denis proposed a change to openstack/keystone: IdP SAML Metadata generator  https://review.openstack.org/11485014:20
*** amirosh has quit IRC14:21
marekdstevemar: IdP Metadata Generator: I9e4b2f068a8190215749b95f31d634eb09c1e3f114:21
marekdso the same as on the review.openstack.org14:21
*** amirosh has joined #openstack-keystone14:21
*** david-lyle has joined #openstack-keystone14:22
stevemarnah, the other one... when you type in git review14:22
i159bknudson: Hi! I'm sorry for disturbing you... I have couple of KS patches, which you had reviewed. Can you please pay a little more attention to it? https://review.openstack.org/#/c/80630/ https://review.openstack.org/#/c/93558/ Thanks!14:24
*** bvandenh has quit IRC14:25
marekdstevemar: http://pasteraw.com/jya2kalpz9tjhk7br7z20d2n0vudgtx14:25
*** amirosh has quit IRC14:26
bknudsoni159: I've been reviewing changes for the feature freeze deadline lately14:26
stevemarmarekd, looks like you posted something14:27
marekdrebase14:27
marekdso generator is not depending on the token2saml14:28
*** nkinder has joined #openstack-keystone14:28
stevemarmarekd, cool14:28
marekdstevemar: but it doesn't reflect my changes14:28
marekdthat address your comments.14:29
marekdw814:29
stevemarsure14:29
*** andreaf has quit IRC14:31
*** alex_xu has joined #openstack-keystone14:32
dstaneklbragstad: where you still working on trust validation?14:33
*** rkofman has joined #openstack-keystone14:33
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Fix minor nits for token2saml generation.  https://review.openstack.org/11827214:34
openstackgerritMarcos FermĂ­n Lobo proposed a change to openstack/keystone: Initial kerberos plugin implementation.  https://review.openstack.org/7431714:35
i159bknudson: yep, ok. So, if you will have several minutes, I'll be very grateful!14:36
dstanekstevemar: ping14:41
stevemardstanek, pong14:42
dstanekstevemar: quick question about https://review.openstack.org/#/c/113998/ - the token id in the body - is it the id of the token in the header?14:42
openstackgerritMarek Denis proposed a change to openstack/keystone: IdP SAML Metadata generator  https://review.openstack.org/11485014:42
*** sigmavirus24_awa is now known as sigmavirus2414:43
stevemardstanek, yeah, i guess it should be ... someone should only be able to swap their own token for a SAML assertion14:44
dstanekstevemar: if that's the case do you need it in the body?14:45
dstanekstevemar: i'm assuming the thought there was that i could specify the id for an of my valid tokens, but i'm not sure what that buys yo14:46
dstaneku14:46
stevemardstanek, that's true14:46
stevemarbut tokens only last for so long before they expire, do people really have a bunch of token ids they can use?14:47
*** shakamunyi has joined #openstack-keystone14:48
dstanekstevemar: i doubt it which is why i think taking the token from the header would be enough14:49
stevemarmarekd, hit that rebase button on your other patches!14:49
marekdstevemar: yeah14:49
openstackgerritMarek Denis proposed a change to openstack/keystone: Generate IdP Metadata with keystone-manage.  https://review.openstack.org/11556414:50
stevemardstanek, alright, you and jamielennox|away think it's better that way, i'll start working on new patches, hoping dolphm can weigh in14:50
stevemardstanek, it's all going to be hidden from the user anyway, by using keystoneclient14:50
lbragstaddstanek: yeah, hitting an issue with it14:51
marekdstevemar: you are talking returning saml assertion in a header now?14:52
lbragstaddstanek: I think it boils down to how far we want to take validating the expires_at field14:52
stevemarmarekd, no, it would still be returned in the body14:53
stevemarjust the keystone token, does it go in header vs in body14:53
lbragstaddstanek: this is already in the controller, https://github.com/openstack/keystone/blob/master/keystone/trust/controllers.py#L18314:53
lbragstaddstanek: we could try and leverage the format checking provided in jsonschema, but that depends on strict-rfc3999, which is GNU licensed I believe.14:56
dstaneklbragstad: i just commented on the review14:59
dstaneki think that the date needs to be nullable14:59
lbragstaddstanek: yeah, I worked that in, here is what it looks like now: http://paste.openstack.org/show/104783/15:01
*** ukalifon has quit IRC15:01
marekdstevemar: thanks for the +2!:-)15:01
openstackgerritMarek Denis proposed a change to openstack/keystone: Routes for Keystone-IdP metadata endpoint  https://review.openstack.org/11588315:01
marekdstevemar: however, please take a look here https://review.openstack.org/#/c/114850/19..21/keystone/contrib/federation/idp.py, especially my comment about sigver.read_cert_from_file() in patch version 19.15:03
*** diegows has quit IRC15:03
stevemarmarekd, yeah, i read it this morning, i think it's fine to make our own function15:03
marekdstevemar: ok.15:03
marekdstevemar: thanks.15:03
stevemari used sigver.read_cert_from_file in a test, but i guess thats OK15:03
marekdstevemar: test is not a real code :-)15:04
stevemaryep15:04
marekdstevemar: and i think the function is not correct15:04
marekd(no close() on a file handler)15:04
stevemaryeah15:04
*** marekd is now known as marekd|away15:04
*** shakamunyi has quit IRC15:07
*** alex_xu has quit IRC15:08
stevemardstanek, ping15:10
dstanekstevemar: poing15:10
stevemardstanek, so if i go towards x-auth-token in the header for that call15:10
stevemarhow should i change the request body? i don't think i can use /auth at the beginning either15:11
dstanekstevemar: with the API as written you'd already be expecting the token right?15:11
*** shakamunyi has joined #openstack-keystone15:11
dstanekstevemar: or i guess you probably wouldn't15:12
stevemarcorrect15:13
stevemardstanek,15:13
dstanekstevemar: what does the api for exchanging a token for another token look like? i'm not at all opposed to what you have - i just wanted to understand the discussion15:13
stevemarhttps://etherpad.openstack.org/p/token2saml15:13
stevemardstanek, it looks exactly like what I initially had15:14
dstanekstevemar: then i'm fine with leaving it as is - makes sense to be the same15:14
*** gokrokve has quit IRC15:15
stevemardstanek, it looks like http://docs.openstack.org/developer/keystone/api_curl_examples.html#getting-a-token-from-a-token15:16
dstanekstevemar: brb - picking up my son from his first day at preschool15:17
stevemardefinitely more important15:17
*** gokrokve has joined #openstack-keystone15:19
raildo1dstanek: dolphm, We have a question about our branch of hierarchical multitenancy.15:23
raildo1What better way to keep it updated with the master?15:23
raildo1We want to commit our code, but it shows that will commit all the other changes together. (as you can see here: http://paste.openstack.org/show/104791/)15:24
raildo1What we should do to keep our branch updated and commit only our change?15:24
*** ukalifon has joined #openstack-keystone15:35
dstanekstevemar: back15:41
stevemardstanek, that was quick15:41
dstanekraildo1: did you checkout that branch locally and put your changes on top?15:42
*** cjellick has joined #openstack-keystone15:43
dstanekraildo1: it looks like you are pushing all master commit to it - i think you would normally do that with a single merge commit15:43
openstackgerritSergey Kraynev proposed a change to openstack/python-keystoneclient: Using correct keyword for region in v3  https://review.openstack.org/11838315:44
stevemarbknudson, whats the option for enumerating values for an oslo config option?15:45
bknudsonstevemar: I don't know if there is one.15:45
bknudsonseems like there should be.15:45
*** gyee has joined #openstack-keystone15:45
bknudsonI don't see one... we'd have to roll our own.15:46
*** shakamunyi has quit IRC15:46
*** mflobo has quit IRC15:46
stevemarbknudson, https://github.com/openstack/oslo.config/blob/master/oslo/config/cfg.py#L579-L63215:46
stevemari don't see one either15:46
stevemarbknudson, regarding the defaults and such15:47
bknudsonok, let's just stick with a StrOpt and validate it ourselves.15:48
*** sigmavirus24 is now known as sigmavirus24_awa15:48
*** mflobo has joined #openstack-keystone15:48
stevemarbknudson, idp_entity_id and idp_sso_endpoint are the only ones that are really required15:48
dstanekstevemar: he was right down the street15:48
stevemarwe can generate a valid metadata without contact person info, some SPs might require it, but we don't need to enforce it15:48
bknudsonstevemar: ok... then the command should fail with a useful error message if they're not present.15:49
stevemarbknudson, so bail out / error out if the 2 required ones are not present15:49
stevemarand if the contact related ones are present, then we should build the contact info, otherwise, don't15:49
*** radez_g0` is now known as radez15:49
stevemarbknudson, so for the two required ones, do we want to put some default value in there?15:50
stevemaror because it'll be meaningless, we shouldn't default, but rather error out... ?15:50
openstackgerritLance Bragstad proposed a change to openstack/keystone: Implement validation on Trust V3 API  https://review.openstack.org/10406615:50
dstanekstevemar, bknudson: i thought there was an easy way to iterate over the config15:51
bknudsonstevemar: if there's no meaningful default then don't put one there and fail if it wasn't set15:52
*** richm has joined #openstack-keystone15:56
*** rkofman has quit IRC15:56
*** andreaf has joined #openstack-keystone15:57
*** rkofman has joined #openstack-keystone15:58
*** wwriverrat has joined #openstack-keystone15:59
*** afazekas has quit IRC15:59
*** i159 has quit IRC16:03
*** andreaf has quit IRC16:04
*** shakamunyi has joined #openstack-keystone16:04
stevemarbknudson, if the options are not there, error out on 400?16:05
bknudsonstevemar: I'm going to get a 400 response from keystone-manage ?16:06
*** dhu_super_super has quit IRC16:08
stevemarbknudson, OK that doesn't fit? any suggestions?16:08
bknudsonstevemar: raise an exception16:08
*** morganfainberg_Z is now known as morganfainberg16:11
*** andreaf has joined #openstack-keystone16:17
morganfainbergmornin16:18
*** andreaf has quit IRC16:18
*** andreaf has joined #openstack-keystone16:18
morganfainberglbragstad, ping16:19
*** shakamunyi has quit IRC16:20
*** hrybacki has joined #openstack-keystone16:23
dstanekraildo1: looks like you got it working OK now16:23
dstaneklbragstad: running those tests locally now16:23
*** BAKfr has quit IRC16:24
dstanekmorganfainberg: that date validation is a little tricky16:30
morganfainbergdstanek, i'd just use a custom formatchecker that overrides datetime to parse_isotime()16:30
morganfainbergdstanek, it's really what we expect internally for the most part16:31
*** marcoemorais has joined #openstack-keystone16:31
dstanekyep, i totally agree16:31
*** rushiagr is now known as rushiagr_away16:32
morganfainbergshould be an easy addon, but doesn't need to go in that patchset16:32
morganfainbergthat can be done as a bug fix / followup16:32
lbragstadmorganfainberg: dstanek back16:33
lbragstadneeded a reboot16:33
lbragstadwell, the computer needed a reboot16:33
lbragstadmorganfainberg: dstanek do you want a FIXME added to the schema for trusts?16:36
morganfainberglbragstad, nah, just do it as a followup patch :)16:36
lbragstadmorganfainberg: ok, sounds good16:36
morganfainberglbragstad, we are going to want the timevalidation for other things.16:36
lbragstadmorganfainberg: like tokens16:36
lbragstad?16:36
morganfainberglbragstad, in K i'm going to convert the token model to use it16:36
morganfainberglbragstad, ++ yep16:37
lbragstadmorganfainberg: cool16:37
lbragstadmorganfainberg: what formats do we want to validate for timestamps?16:39
morganfainberglbragstad, funnel it through parse_isotime16:39
morganfainbergit's how we validate strings, ISO8601 format16:39
dstaneklbragstad: morganfainberg: look at the very bottom of https://python-jsonschema.readthedocs.org/en/latest/validate/#validating-formats16:40
morganfainbergdstanek, that is what i was looking at16:41
lbragstadFor backwards compatibility, isodate is also supported, but it will allow any ISO 8601 date-time, not just RFC 3339 as mandated by the JSON Schema specification.16:41
dstaneklbragstad: yep, unfortunately that's what we accept16:43
dolphmjamielennox|away: when you're up, can you follow up on https://review.openstack.org/#/c/113998/16:44
*** bklei has joined #openstack-keystone16:44
dolphmdstanek: you're probably already looking at this, but this implements the API you just reviewed https://review.openstack.org/#/c/114138/16:45
dolphmdstanek: if jamie is +1, then i'd like to be ready to +A that one16:45
dstanekdolphm: k, i'll look again now. since it's WF-1 it doesn't show up in my searches16:46
dolphmdstanek: =D https://review.openstack.org/#/q/starredby:dolph+is:open,n,z16:46
*** wwriverrat has left #openstack-keystone16:46
*** bobt has joined #openstack-keystone16:46
dolphmdstanek: thanks!16:46
dstanekdolphm: yeah, i went through all of those once so now I'm back to my original patterns...16:47
*** gokrokve has quit IRC16:47
morganfainberglbragstad, +2, a couple more comments16:47
morganfainberglbragstad, once jenkins weighs in, anyone can +A16:48
lbragstadawesome16:48
lbragstadmorganfainberg: just to double check16:48
dstanekdolphm: we have a pattern of returning 404s when we should probably be returning 400s16:48
morganfainbergdstanek,++16:48
lbragstadwe are going to use a regex to validate timestamps very similar to how we do url validation,16:48
lbragstadwhich means we won't rely on the format checker built in jsonschema/16:49
dstaneklbragstad: a regex instead of using the python lib?16:49
dstaneki would rather leave it as string/null - i think it would be too hard to make a regex and be sure it's backward compatible16:49
morganfainbergalso, if it doesn't pass parse_isotime, it would fail anyway16:50
dolphmstevemar: marekd|away: is it really text/xml instead of application/xml on https://review.openstack.org/#/c/118074/4/v3/src/markdown/identity-api-v3-os-federation-ext.md16:50
lbragstadso we are going to use isodate?16:50
morganfainbergdon't do a regex if there is a method that we use to validate/handle it that would work in the same manner16:50
dstanekmorganfainberg: but we may fail valid dates before the get there16:50
lbragstador strict-rfc3999?16:50
dstanekwe can't use rfc399916:51
lbragstadthat's what i thought16:51
morganfainbergdstanek, with parse_isotime? how weould we fail valid dates since we already use that and would have weird results otherwise16:51
dstanekit's GPL (a no, no right?) and we actually accept iso dates not 3999 dates16:51
lbragstadok16:51
dstanekmorganfainberg: if we use a regex in the jsonschema we can fail before it ever gets to our code16:52
morganfainbergdstanek, ++ yeah i mean we should use a formatchecker that runs it through parse_isotime16:52
morganfainbergdstanek, doable, but more work than just a regex16:52
morganfainbergafaict16:52
stevemardolphm, i think so16:53
morganfainbergthough i *guess* that isn't needed16:53
morganfainbergif we're already running it through parse_isotime in our code16:53
dstanekmorganfainberg: i think a formatter would be pretty quick, but i don't think we need to rush to get it in today16:53
dstanekmorganfainberg: exactly16:53
morganfainbergit feels weird to validate one thing at the validator level and something else in the code16:53
morganfainbergdstanek, ++ yeah some followup patch not a rush, i still +2'd that validator :)16:54
rodrigodsdstanek, raildo1 so we created this review https://review.openstack.org/#/c/118405/ to keep track from the changes from master. All the other HM patches will depend on it. Seems correct?16:55
openstackgerritLance Bragstad proposed a change to openstack/keystone: Fix type in common/controller.py  https://review.openstack.org/11840616:55
openstackgerritLance Bragstad proposed a change to openstack/keystone: Fix typo in common/controller.py  https://review.openstack.org/11840616:55
morganfainbergdolphm, https://review.openstack.org/#/c/111949/16:56
morganfainbergdolphm, i think we approved a spec for that.16:56
morganfainbergdolphm, for Juno, might want to get eyes on it today. (adding to the meeting)16:56
*** rkofman1 has joined #openstack-keystone16:57
*** amcrn has joined #openstack-keystone16:58
morganfainberglbragstad, psst16:58
morganfainbergcan we get DNS name on 50.56.175.133 :P16:59
morganfainberghttp://50.56.175.133/weekly-bug-reports/keystone-weekly-bug-report.html ;)16:59
lbragstadmorganfainberg: lol, it's on my todo list16:59
morganfainberglbragstad, i can point a subdomain of my personal domains over to it if it's deep on your todo list16:59
morganfainbergkeystone-weekly-bugs.<somedomain>17:00
lbragstadsure17:00
morganfainbergso..17:00
dstanekit would be nice to be able to search gerrit and eliminate reviews i've already reviewed17:00
dolphmmorganfainberg: i'm happy to see it land if it's ready, but i'm probably not going to commit too many brain cells to it17:00
morganfainbergdolphm, i added to the meeting, if it can't land it can't land17:01
dolphmdstanek: that's one reason i wrote next-review17:01
*** harlowja has joined #openstack-keystone17:04
openstackgerritLance Bragstad proposed a change to openstack/keystone: Fix typos in common/base64utils.py  https://review.openstack.org/11840717:04
*** rushiagr_away is now known as rushiagr17:07
*** hrybacki_ has joined #openstack-keystone17:11
*** hrybacki has quit IRC17:13
*** diegows has joined #openstack-keystone17:15
*** portante_ is now known as portante17:18
*** marcoemorais has quit IRC17:24
*** marcoemorais has joined #openstack-keystone17:24
*** hrybacki_ has quit IRC17:25
*** jimbaker` is now known as jimbaker17:32
bknudsondstanek: if you go to https://review.openstack.org/#/ the incoming reviews are bold if you haven't reviewed it17:34
dstanekbknudson: yeah, but that doesn't happen on a search17:35
*** aix has quit IRC17:35
bknudsondstanek: search what?17:36
*** bklei has quit IRC17:37
dstanekbknudson: here is a simple example http://bit.ly/1pERPbg17:37
bknudsonfancy17:38
bknudsondstanek: other projects have dashboards in gerrit17:38
dstaneki also would love to see the current votes in the emails17:39
bknudsonhttps://review.openstack.org/#/projects/openstack/nova,dashboards/important-changes:review-inbox-dashboard17:41
bknudsonhere's an example17:41
bknudsonhttps://review.openstack.org/#/projects/openstack/keystone,dashboards/important-changes:review-inbox-dashboard17:41
bknudsonkeystone works, too17:41
*** dencaval has joined #openstack-keystone17:43
*** nkinder has quit IRC17:43
dstanekbknudson: that's pretty neat17:43
*** amcrn has quit IRC17:51
*** arborism has joined #openstack-keystone17:52
*** arborism is now known as amcrn17:52
*** hrybacki has joined #openstack-keystone17:58
*** hrybacki has quit IRC17:59
*** bobt has quit IRC17:59
dolphmstevemar: marekd|away: sent https://review.openstack.org/#/c/114138/ off to the gate, but holding on the API review until jamielennox|away speaks up (who's probably still asleep)17:59
*** miqui has quit IRC18:00
stevemarthanks dolphm18:00
*** rodrigods has quit IRC18:01
*** rodrigods has joined #openstack-keystone18:02
*** rodrigods has quit IRC18:02
*** rodrigods has joined #openstack-keystone18:02
*** gothicmindfood has quit IRC18:03
*** gothicmindfood has joined #openstack-keystone18:04
*** rm_work|away is now known as rm_work18:04
*** nkinder has joined #openstack-keystone18:06
*** bklei has joined #openstack-keystone18:07
*** marcoemorais has quit IRC18:08
*** marcoemorais has joined #openstack-keystone18:08
openstackgerritLance Bragstad proposed a change to openstack/keystone: Implement validation on Trust V3 API  https://review.openstack.org/10406618:09
lbragstaddstanek: dolphm fixed ^18:09
*** jamielennox|away is now known as jamielennox_18:09
*** bklei has quit IRC18:12
*** harlowja has quit IRC18:12
*** harlowja has joined #openstack-keystone18:13
*** rm_work is now known as rm_work|away18:14
dolphmdstanek: morganfainberg: one of ya'll want to rubberstamp the pep8 fix ^? https://review.openstack.org/#/c/104066/18:15
morganfainbergdolphm, done18:16
dstanekmorganfainberg: damn, you beat me to it :-)18:16
dstanekraildo1: you should only have your new commits on that branch and nothing else from master18:17
openstackgerritLance Bragstad proposed a change to openstack/keystone: Fix typoes in keytone/common/config.py  https://review.openstack.org/11842718:17
openstackgerritLance Bragstad proposed a change to openstack/keystone: Fix typos in keystone/common/config.py  https://review.openstack.org/11842718:18
openstackgerritSteve Martinelli proposed a change to openstack/keystone: IdP SAML Metadata generator  https://review.openstack.org/11485018:19
stevemarbknudson, https://review.openstack.org/#/c/114850/ not sure if i'm handling the exceptions exactly the way you want, but it's better than before18:20
*** sigmavirus24_awa is now known as sigmavirus2418:22
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Generate IdP Metadata with keystone-manage.  https://review.openstack.org/11556418:25
raildo1dstanek: So we will not do git rebase with master? just keep our code in this branch18:26
raildo1dstanek: Sounds good to me. Thanks!18:26
dstanekraildo1: yes, i think you just want to work on your branch18:26
openstackgerritA change was merged to openstack/identity-api: Add SAML generation route to OS-FEDERATION  https://review.openstack.org/11399818:27
*** richm has quit IRC18:28
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Routes for Keystone-IdP metadata endpoint  https://review.openstack.org/11588318:29
*** rushiagr is now known as rushiagr_away18:33
openstackgerritBrent Roskos proposed a change to openstack/keystone: Error trapping for ldap2py  https://review.openstack.org/11843018:34
*** marcoemorais1 has joined #openstack-keystone18:35
*** marcoemorais has quit IRC18:36
*** ajayaa has quit IRC18:38
*** rkofman has quit IRC18:39
*** afazekas has joined #openstack-keystone18:40
*** richm has joined #openstack-keystone18:42
*** gokrokve has joined #openstack-keystone18:44
*** adam_g` is now known as adaM_g18:44
*** adaM_g is now known as adam_g18:44
*** bklei has joined #openstack-keystone18:46
*** amirosh has joined #openstack-keystone18:52
dolphmjamielennox_: will you start an etherpad stating your concern? then we can enumerate alternatives and compare them?18:53
dolphmstevemar: ^18:53
*** jimbaker has quit IRC18:54
stevemardolphm, jamielennox_ https://etherpad.openstack.org/p/token2saml18:56
*** jimbaker has joined #openstack-keystone18:58
*** jimbaker has quit IRC18:58
*** jimbaker has joined #openstack-keystone18:58
topolhere19:00
jamielennox_dolphm, bknudson: so we have an existing discovery object that is queried to determine the available versions19:01
dolphmi'm being poked IRL, brb19:01
jamielennox_the way i thought of supporting json home would be to ask that discovery object for the URL to use for a resource - with a fallback19:01
bknudsonthat sounds like a good way to go.19:02
jamielennox_so like disc.resource_url(service_type='identity', version=3, resource_type='users', default='/users')19:02
jamielennox_of something like that19:02
bknudsonI figured there'd be a fake JSON Home document if the server didn't provide one.19:02
jamielennox_so that if jsonhome is available we could use that and if not we had a default to fall back to to enable the current behaviour19:03
*** marekd|away is now known as marekd19:03
openstackgerritBob Thyne proposed a change to openstack/keystone: Implementation of Endpoint Grouping  https://review.openstack.org/11194919:03
*** ChanServ sets mode: +o morganfainberg19:03
openstackgerritSergey Kraynev proposed a change to openstack/python-keystoneclient: Using correct keyword for region in v3  https://review.openstack.org/11838319:03
bknudsonjamielennox_: having the discovery do resource lookup looks like the right way to do it to me.19:04
jamielennox_if we have /v2.0 linking to /v3 resources then if i make the above call for a v2 resource then i'll get back a v3 url and my requests won't make sense19:04
jamielennox_i don't want to support it for v2 - it's more that this is happening at a version independant point19:04
bknudsonjamielennox_: the v3 resources have a rel like http://identity/3/users19:04
bknudsona v2 resource would have http://identity/2/users19:04
bknudsonso there's no confusion19:05
* dolphm is catching up.19:05
jamielennox_bknudson: ok - that's fine and how i assumed it would work, i was just thrown by the suggestion of returning v3 resource URLs for everything19:05
bknudsonI could also make a JSON Home document for v2.019:06
bknudsonthat might take more than a day19:06
jamielennox_bknudson: i don't think we need it, there will need to be fallback URLs anyway - just don't return something that's not real19:06
dolphmbknudson: but as a client, i shouldn't have to introspect the URLs i'm given19:07
jamielennox_bknudson: do you have a sample output from the jsonhome we are using for keystone?19:07
bknudsonyou won't have to introspect the urls, the href or href-template for http://identity/3/users will tell you where to go whether you do / /v3 or /v2.019:08
bknudsonjamielennox_: curl -H "Accept: application/json-home" http://localhost:5000/v319:08
jamielennox_oh, merged - i've been really bad on keeping up on server side this cycle19:08
bknudsonif you GET / , the href for users is /v3/users , if you GET /v3 the href for users is /users19:09
bknudsonif you GET /v2.0 , the href for users is ../v3/users19:09
bknudsonthe client doesn't introspect is just takes the href given back and uses it.19:09
jamielennox_bknudson: ah - that will be a problem because i will want to do discovery with v2 and get a v2 url19:10
bknudsonthen we'd need a JSON Home document for /v2.019:10
jamielennox_bknudson: or just ignore the accept header on /v2.019:10
dolphmjamielennox_: which i'm in favor of for juno, i think19:11
bknudsonok, it should be quick to finish up the GET / work.19:11
bknudsonI assume you all realize how crazy the version controller is.19:11
dolphmbknudson: it has grown quite crazy lol19:12
jamielennox_bknudson: very well19:12
openstackgerritLance Bragstad proposed a change to openstack/keystone: Fix Policy backend driver documentation  https://review.openstack.org/11844319:13
dolphmraildo1: so there's some instructions for keeping a feature branch up to date here https://wiki.openstack.org/wiki/GerritJenkinsGit#Merge_Commits19:13
dolphmraildo1: but i think you need to be in the keystone-milestone group to follow them, because infra doesn't want A) anyone uploading merge commits, which are dangerous, or B) people to upload hundreds/thousands of changes to feature branches gerrit at once to keep the branch up to date19:15
jamielennox_bknudson: is there any way for me to tell in one go what the version number is19:15
bknudsonjamielennox_: all the v3 resources have a rel like http://docs.openstack.org/api/openstack-identity/3/rel/user_groups19:15
jamielennox_the thing i rely most on in the current discovery is the id field19:16
bknudsonso they all have  http://docs.openstack.org/api/openstack-identity/319:16
bknudsonan extension is like http://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trust_role19:17
jamielennox_bknudson: is there any thing else we can do to be able to distinguish between api versions?19:17
bknudsonjamielennox_: this is all we have now... we could add a "hint" to all the relationships with a version?19:18
bknudsonI'm not sure why this would be necessary19:18
bknudsonIf I want the v3 users resource then I use http://docs.openstack.org/api/openstack-identity/3/rel/user19:18
bknudsonif I want the v2 users resource then I'd use http://docs.openstack.org/api/openstack-identity/2/rel/user19:18
dolphmraildo1: so updating the feature branch looks funky, but this is a merge commit produced by those instructions https://review.openstack.org/#/c/118445/19:18
bknudson(that should have been http://docs.openstack.org/api/openstack-identity/3/rel/users)19:19
jamielennox_bknudson: so i guess i'm trying to retrofit it to current behaviour where i expect a version parameter19:19
morganfainbergdolphm, merge commits are weird19:20
bknudsonjamielennox_: your example before was like discovery.get_url(version=3, rel='users')19:20
jamielennox_if i get a json home document rather than the old style but i don't know the resource name i have the fallback where do i source the url/v3 from19:20
bknudsonso this would turn into looking up the http://docs.openstack.org/api/openstack-identity/3/rel/users rel and following that link19:21
bknudsonjamielennox_: you wouldn't get a json home document rather than the old style, you need to do Accept: application/json-home19:21
jamielennox_bknudson: but i only ever want to do one of these version discoveries and then cache it for as long as possible19:22
jamielennox_that means it can serve multiple cases19:22
bknudsonjamielennox_: you'd have to store the original request URL, because all the URLs in the JSON Home document are relative to it.19:22
jamielennox_bknudson: ugh19:23
bknudsonif you get the JSON Home document and it doesn't have the relationship that you want then the server doesn't support it.19:23
jamielennox_bknudson: ugh - not because this way isn't better but because i did a lot to support the existing way of doing it19:23
jamielennox_bknudson: so i guess what i want then is a fallback kind of root relationship19:23
bknudsonjamielennox_: as dolphm mentioned, we'll still have to support the old way for old servers.19:24
jamielennox_bknudson: yea - i guess i just have to fetch both19:24
*** bobt has joined #openstack-keystone19:24
bknudsonif you ask for JSON Home and the server doesn't support it then you get the old version doc19:24
bknudsonwhich is probably incorrect behavior since the server should return 406 Not Acceptable but that's how it works19:25
jamielennox_yep, so what i was thinking of was the case where i get a json-home document and store that in my discovery, but the requests the client is giving me are not jsonhome aware19:26
bknudsonjamielennox_: like what?19:26
jamielennox_because all of this stuff is global now - so we're not just thinking of keystoneclient19:26
bknudsonmaybe I can work on JSON Home for the other projects in K19:27
jamielennox_bknudson: it should be alright. i haven't tried to implement any of this stuff i'm just trying to reason through issues19:28
bknudsondolphm: 0 files changed, 0 insertions(+), 0 deletions(-)19:29
dolphmbknudson: yeah, it's weird19:29
bknudsondolphm: are you the only one with permissions to push a merge?19:30
dolphmbknudson: that wiki says you need to be in the keystone-milestone group... not sure who's in that19:31
morganfainbergdolphm, you19:31
morganfainbergdolphm, and the rest of us19:32
morganfainberg:P19:32
morganfainberghttps://review.openstack.org/#/admin/groups/57,members19:32
morganfainbergactually... we probably should clean that list up :P19:32
dolphmha termie is in there19:32
morganfainbergmaybe just make it inherit keystone-core ?19:32
dolphmmorganfainberg: fixed19:32
morganfainberg++19:33
*** amirosh has quit IRC19:33
jamielennox_bknudson: i managed to get nova and neutronclient working with sessions19:33
topoldolphm well thats awkward :-)19:33
jamielennox_bknudson: https://github.com/jamielennox/nova/blob/session-test/nova/network/neutronv2/__init__.py19:33
dolphmmorganfainberg: bknudson: raildo1: nothing special, but i also just scripted the merge process. https://github.com/dolph/dotfiles/blob/master/bin/git-update19:34
morganfainbergdolphm, ++19:34
jamielennox_bknudson: requires fixes to keystoneclient and neutronclient that i've pushed up19:34
dolphmmorganfainberg: don't want to screw that up and owe infra a case of beer :)19:34
topoldolphm, do they accept domestic?19:34
morganfainbergscrewing that one up might owe them a keg of something really nice not just a case19:34
bknudsonjamielennox_: working with sessions, and also supporting v3?19:35
topoldolphm, we could buy them a case of Keystone!!!!19:35
jamielennox_bknudson: yes19:35
bknudsonjamielennox_: ah, the conf options19:35
topoldolphm witht he specially lined aluminum can19:36
jamielennox_bknudson: if you put auth_plugin=v3password in the config file it will pick it up in priority to the existing19:36
bknudsonthat is easier.19:36
morganfainbergtopol, ... keystone ... light?19:36
morganfainbergerm lite19:36
topolmorganfainberg, +++ even better. so smooth19:36
*** marcoemorais1 has quit IRC19:37
*** marcoemorais has joined #openstack-keystone19:38
*** marcoemorais has quit IRC19:38
*** bambam1 has quit IRC19:38
*** marcoemorais has joined #openstack-keystone19:39
*** bambam1 has joined #openstack-keystone19:40
*** miqui has joined #openstack-keystone19:40
*** rushiagr_away is now known as rushiagr19:43
lbragstaddstanek: just curious if you have a follow up here? https://review.openstack.org/#/c/116374/19:49
dstaneklbragstad: it's probably fine, i think the existence of the optional decorator is the real bug :-)19:50
*** jasondotstar has quit IRC19:54
*** morganfainberg is now known as needs19:57
*** needs is now known as needscoffee19:57
*** jsavak has joined #openstack-keystone19:59
*** jasondotstar has joined #openstack-keystone19:59
*** joesavak has quit IRC20:01
*** marcoemorais has quit IRC20:02
*** bobt has quit IRC20:03
*** marcoemorais has joined #openstack-keystone20:04
stevemardolphm, bknudson, dstanek can y'all review: https://review.openstack.org/#/c/118074/20:05
stevemarit's the API for mareks patch20:05
stevemari'm hoping to get all his stuff landed today too20:05
*** afazekas has quit IRC20:09
jamielennox_ayoung: as a member of the defence, you have anything you want to add to https://etherpad.openstack.org/p/token2saml20:10
bknudsonstevemar: why is it text/xml and not application/xml?20:10
ayoungjamielennox_, uhm...probably20:10
*** Lordanat3 has joined #openstack-keystone20:11
stevemarbknudson, afaik, the only difference is if it's easy to read ?20:11
bknudsonstevemar: does the spec say to use one or the other?20:12
bknudsonsaml?20:12
*** rushiagr is now known as rushiagr_away20:12
*** Lordanat1 has quit IRC20:12
stevemarbknudson, last time i looked it up, i couldn't find anything about that.20:13
gyeestevemar, did you ever tested saml2 stuff against Microsoft IdP?20:25
gyeejust curious20:25
openstackgerritSteve Martinelli proposed a change to openstack/identity-api: API for metadata retrieval  https://review.openstack.org/11807420:25
stevemarbknudson, responded to a few nits ^20:26
stevemargyee, i believe marekd has20:26
gyeehttp://en.wikipedia.org/wiki/Active_Directory_Federation_Services20:26
stevemargyee, shameless self promotion: https://www.ibm.com/developerworks/cloud/library/cl-keystone-tfim/index.html20:26
stevemargyee, also marek was working on it: https://review.openstack.org/#/c/111771/20:27
bknudsonstevemar: hopefully it will show up in the openstack weekly newsletter20:27
gyeeoh I am a fan of Tivoli20:27
stevemargyee, yeah so marek also had ADFS on his radar too, and he's got patches for it20:28
gyeenice!20:28
stevemarit's all here:  https://review.openstack.org/#/c/111771/20:28
stevemargyee, i'm betting he has it working in-house, and he's just contributing it back20:29
gyeestevemar, I am setting up ADFS to try it out20:29
raildo1bknudson: sorry but i don't understand your comment, what did you say with "Home relationship information"? https://review.openstack.org/#/c/111355/9/v3/src/markdown/identity-api-v3-os-inherit-ext.md20:30
stevemargyee, you will probably need his patch to full use keystone client20:30
gyeedo I need an eval license for Tivoli?20:30
gyeeI may ended up trying both20:30
bknudsonraildo1: Look at all the other existing operations, they have Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/<whatever`20:30
*** marcoemorais has quit IRC20:31
bknudsonraildo1: this is so that applications can discover if the resource is available.20:31
*** marcoemorais has joined #openstack-keystone20:32
raildo1bknudson: OK, i get it, thanks :)20:32
raildo1bknudson: I will abandon that patch and create a new patch in the hierarchical multitenancy branch and I will correct with your comments.20:45
bknudsonraildo1: there's a HMT branch in identity-api?20:46
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Enumerate Projects with Unscoped Tokens  https://review.openstack.org/10683820:47
raildo1Good thinking, the branch was just for keystone. :-(20:47
raildo1bknudson: so, i will not abandon this patch hahaha20:47
openstackgerritBrent Roskos proposed a change to openstack/keystone: Error trapping for ldap2py  https://review.openstack.org/11843020:52
marekdgyee: I have.20:52
marekdgyee: ADFS20:52
gyeemarekd, excellent! I probably will some questions for you later :)20:53
*** andreaf has quit IRC20:54
openstackgerritguang-yee proposed a change to openstack/keystone: Use id attribute map for read-only LDAP  https://review.openstack.org/11765820:54
marekdgyee: i am on a work training this week so i am little bit quiet there days :-) If you don't find me here, it's better to shoot me an email marek.denis@cern.ch :-)20:54
marekdthese*20:54
gyeemarekd, will do, thanks!20:54
marekdgyee: but basically stevemar is right. I have a patch proposed for keystoneclient and it just waits for a review a hopefully one day a merge :-)20:55
gyeemarekd, sorry I am a bit behind on the saml2 stuff, but catching up20:56
*** needscoffee is now known as morganfainberg20:56
*** henrynash has joined #openstack-keystone20:56
*** rushiagr_away is now known as rushiagr20:56
samuelmzhey, KvsInheritanceTests does not use backend KVS as identity driver, could you take a look at bug #136461820:56
uvirtbotLaunchpad bug 1364618 in keystone "KvsInheritanceTests does not use backend KVS" [Undecided,New] https://launchpad.net/bugs/136461820:56
morganfainbergsamuelmz, are you using KVS identity as a real backend?20:57
morganfainbergsamuelmz, i only ask because that is a little scary :) even in testing it's an odd backend20:57
samuelmzmorganfainberg, no20:57
morganfainbergsamuelmz, *phew* :)20:57
samuelmzmorganfainberg, :)20:57
morganfainbergsamuelmz, that backend is slated for removal in K btw.20:58
*** marcoemorais has quit IRC20:58
samuelmzmorganfainberg, yes .. do you think it's worth to fix it?20:58
*** marcoemorais has joined #openstack-keystone20:59
samuelmzmorganfainberg, as they are today, we are testing with backend SQL (again)20:59
morganfainbergsamuelmz, eh. not sure.20:59
*** marcoemorais has quit IRC20:59
morganfainbergsamuelmz, if it's an easy fix i mean i wont block it, but i wouldn't put a ton of effort into the fix20:59
*** marcoemorais has joined #openstack-keystone20:59
samuelmzmorganfainberg, I just created the config_overrides method and ran the tests21:00
samuelmzmorganfainberg, everything is working21:00
morganfainbergsamuelmz, sure! submit the fix :)21:00
samuelmzmorganfainberg, can you confirm the bug?21:00
samuelmzmorganfainberg, :)21:00
morganfainbergsamuelmz, looks legitimate.21:01
*** marcoemorais has quit IRC21:01
*** marcoemorais has joined #openstack-keystone21:02
henrynashdolphm: a) sorry I missed the call, and b) would be good to get this small kvs deprecated item in: https://review.openstack.org/#/c/118067/21:04
lbragstaddolphm: thanks for the recheck21:05
lbragstadjust about retriggered21:05
*** jsavak has quit IRC21:07
openstackgerritSamuel de Medeiros Queiroz proposed a change to openstack/keystone: Making KvsInheritanceTests use backend KVS  https://review.openstack.org/11846621:07
samuelmzmorganfainberg, ^21:07
morganfainbergsamuelmz, cool!21:07
*** crinkle has joined #openstack-keystone21:14
*** rushiagr is now known as rushiagr_away21:14
dolphmhenrynash: eek, i crossed that off my list as if it had landed!21:15
dolphmhenrynash: i'll make sure it gets in21:15
dolphmhenrynash: thank you!21:15
*** rkofman has joined #openstack-keystone21:16
henrynashdolphm: np21:18
henrynashdolphm: other kvs ones got in…this was an extra request form morganfainberg to mark the revoke kvs as well21:18
bknudsonadding support for JSON Home for GET / is proving to be more complicated than expected... the v3 service gets instantiated twice and doesn't know if it's public or admin.21:19
morganfainbergdolphm, yeah saw an extra kvs backend we missed21:19
bknudsonas I told you the version controllers are freaky21:19
openstackgerritBrent Roskos proposed a change to openstack/keystone: Error trapping for ldap2py  https://review.openstack.org/11843021:19
*** jasondotstar has quit IRC21:20
dolphmmorganfainberg: henrynash: ooh wow totally glossed over that21:21
morganfainbergdolphm, it doesn't use the old KVS backend, but it is very limited and suffers from the same drawbacks as the other kvs drivers21:21
dolphmmarekd: stevemar: is /metadata intended to be a no-auth API?21:22
dolphmmorganfainberg: ++21:23
stevemardolphm, yes, it should be publicly available21:23
dolphmstevemar: why does the controller not extend V3Controller?21:23
dolphmstevemar: oh the other federation specific controllers do the same, nvm.21:24
stevemarit does21:24
dolphmstevemar: commented on some nits https://review.openstack.org/#/c/115883/21:25
bknudsonwe should regenerate the man page21:27
openstackgerritSteve Martinelli proposed a change to openstack/keystone: IdP SAML Metadata generator  https://review.openstack.org/11485021:28
dolphmstevelle: while you're rebasing stuff, i posted a suggested diff on/for 11588321:30
dolphmstevemar: ^ (sorry stevelle)21:30
* stevelle hides21:31
*** stevelle has left #openstack-keystone21:31
stevemardolphm, thanks, i'm addressing brants nits on the other one21:31
stevemarthe rebase blew away from votes :(21:31
dolphmnew rule: you're not allowed to share the same first two characters of your nick with anyone else because i autocomplete fail21:31
dolphmstevemar: i know21:31
*** morganfainberg is now known as steve_notmorgan21:32
steve_notmorgan>.>21:32
*** amerine_ has joined #openstack-keystone21:32
*** steve_notmorgan is now known as morganfainberg21:32
stevemardolphm, so for pep8, does _ come before _LE ?21:35
dolphmstevemar: do not understand question21:35
bknudsonput them on the same line21:35
bknudson_, _LE21:36
stevemarthanks brant21:36
stevemardolphm, take notes21:36
dolphmsteve_notmorgan: will do21:36
dolphmdammit21:36
*** amerine has quit IRC21:36
dolphmstevemar: was the potential merge conflict just in tests?21:37
stevemaryes21:38
*** henrynash has quit IRC21:38
dolphmstevemar: you made pep8 sad https://review.openstack.org/#/c/114850/21:38
stevemardolphm, sommmmmm B21:39
stevemarnew one coming in two shakes21:39
dolphmstevemar: two shakes of whitespace might be too much21:40
openstackgerritSteve Martinelli proposed a change to openstack/keystone: IdP SAML Metadata generator  https://review.openstack.org/11485021:40
stevemardolphm, there ya go ^21:41
stevemarit's rebased on top of the one thats gating21:41
stevemarand it has fixes for brants nits21:41
stevemarbknudson, ^21:41
* stevemar is hoping to get that one approved, hint hint21:41
dolphmstevemar: comments from patchset 22?21:41
stevemaryes21:42
dolphmstevemar: does oslo not support enum options?21:43
dolphmoslo.config21:43
morganfainbergdolphm, afaik no21:45
dolphmoh.21:45
dolphmboo.21:45
*** lnxnut has quit IRC21:46
*** rodrigods has quit IRC21:46
stevemardolphm, nope, bknudson and i both took a peek at it, nada21:48
bknudsonDo we know why we have both these VersionV3 routers? http://git.openstack.org/cgit/openstack/keystone/tree/keystone/service.py#n10421:48
dolphmlast 7 days of gate depth. the gate is loading up again! http://graphite.openstack.org/render/?from=-7days&width=1920&height=160&margin=0&hideLegend=true&hideAxes=false&hideGrid=true&target=color(stats.gauges.zuul.pipeline.gate.current_changes,%20%27000000%27)&bgcolor=ffffff21:48
*** nkinder has quit IRC21:48
dolphmbknudson: for v3, i do not recall21:49
bknudsonseems like it wouldn't work... it maps / twice.21:49
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Generate IdP Metadata with keystone-manage.  https://review.openstack.org/11556421:50
morganfainbergbknudson, we have both routers because it's in both pipelines?21:50
bknudsonmorganfainberg: that makes sense... only I don't think it works that way.21:51
stevemardolphm, alright one more rebase21:51
morganfainbergbknudson, it shouldn't matter though, they are the same for V3 as long as both pipelines respond who cares.21:51
bknudsonI'm going to check.21:51
morganfainbergbknudson, try removing one?21:51
morganfainbergbknudson, i'm guessing it's doing it wrong :P21:51
bknudsonit would actually return the wrong link...21:52
morganfainbergoh. huh21:52
dolphmstevemar: you mean, one left to go?21:53
bknudsonyep, it does: curl http://localhost:5000/v3 -- http://192.168.122.176:35357/v3/21:53
bknudsonshould hvae been 5000/v321:53
stevemardolphm, yep, the one that creates the controller/routers for metadata generation21:53
dolphmstevemar: don't forget my nits ;)21:53
dolphmstevemar: curl http://pasteraw.com/uhnf0obeqhd9ilk2dmxfu6fypea1s0 | git apply21:53
*** ayoung has quit IRC21:54
*** bklei has quit IRC21:54
stevemaroh ok21:54
*** bklei has joined #openstack-keystone21:54
stevemardolphm, just saw them now, adding them now...21:55
dolphmstevemar: readying +221:55
stevemardolphm, what do you want the help text to be?21:56
dolphmstevemar: just remove the --21:56
stevemaralright21:56
dolphmstevemar: i just won't want it to be *wrong*21:56
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Routes for Keystone-IdP metadata endpoint  https://review.openstack.org/11588321:58
stevemardolphm, ^21:58
*** bklei has quit IRC21:59
dolphmstevemar: changes look good. and it passes flake821:59
stevemaryahoo21:59
dolphmstevemar: +2! i'm going to keep an eye on them, but as soon as they pass jenkins, +A22:00
stevemardolphm, re: +A'ing and timeliness, are you fine with me +A'ing, after the first patch in the chain merges22:00
dolphmstevemar: yes22:00
stevemardolphm, get out of my brain!22:00
dolphmstevemar: the sooner the +A the better the +A22:01
bknudsonwhat do you think about changing api-paste.ini to have 2 v3_api pipelines, a public and an admin?22:01
stevemardolphm, OK, thats cool, i think i'm only co-author on the first one of marek's patches, but you and brant have +2'ed22:01
stevemarso I don't break any rules there22:01
stevemarbknudson, i thought we wanted to not do that for as long as possible22:02
bknudsonand then I'd probably have to have a PublicVersionV3 and AdminVersionV322:02
dolphmbknudson: why? we chose to only have one pipeline because no one understood or took advantage of the multi-port thing, and it just caused bugs22:02
dolphmand RBAC was a better solution, really.22:02
bknudsondolphm: I'll have to look into this more but there is something seriously fishy going on.22:03
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Fix minor nits for token2saml generation.  https://review.openstack.org/11827222:04
bknudsonI didn't notice this before but the JSON Home response is different for :5000 and :35357.22:05
bknudsonI have to run to bowling league22:05
*** bknudson has quit IRC22:05
dolphm:D22:07
openstackgerritA change was merged to openstack/identity-api: API for metadata retrieval  https://review.openstack.org/11807422:07
*** dims has quit IRC22:07
*** dims has joined #openstack-keystone22:08
stevemaryay something merged22:08
dolphmYAY API22:09
stevemari wonder how well bknudson bowls22:09
stevemarprobably well22:09
dolphmstevemar: i imagine he has the patience to not throw bowling balls into the other lanes22:09
*** sigmavirus24 is now known as sigmavirus24_awa22:09
openstackgerritSarvesh Ranjan proposed a change to openstack/keystone: Spelling Correction in comments  https://review.openstack.org/11791922:09
stevemardolphm, he has the patience to put up with me and my 1000 patches22:09
dolphmWHY CAN'T YOU BOWL BETTER HERE LET ME HELP YOU WITH THOSE LAST TEN PINS22:09
stevemarso yeah, balls in other lanes should be easy22:09
stevemarsee, ibmers do fun things22:10
stevemarbrant goes to bowling on tuesday, i go to softball on wednesday, henry goes to .... on thursday22:10
stevemarcricket?22:11
dolphmride planes22:11
stevemaroh that too22:11
dolphmhenry rides airplanes22:11
stevemarhe does that very often22:11
stevemarhe must enjoy it22:11
dolphmprofessional hobbyist22:11
stevemartopol rides a lot of planes too22:11
dolphmi eat pizza so i'm going to go do that TTYL HAPPY FEATURE FREEZE EVERYONE22:11
jamielennox_dolphm, stevemar: if i rant a lot on this etherpad about regions - is there some sort of goal?22:11
dolphm\o/22:12
jamielennox_:( - and that's my concern - FF22:12
dolphmjamielennox_: oh crap i didn't follow up on that22:12
*** dims has quit IRC22:12
stevemardolphm, https://etherpad.openstack.org/p/token2saml22:13
dolphmstevemar: already pinned the tab in my browser for later / tomorrow. i'll follow up jamielennox_22:13
dolphmgtg!22:13
stevemarsee ya dolphm22:13
jamielennox_later22:13
stevemarjamielennox_, i'm equally tired of keystone/openstack for today, i'm out22:13
stevemarjamielennox_, tomorrow as well for me, but honestly thanks for looking at it22:14
openstackgerritSarvesh Ranjan proposed a change to openstack/keystone: Spelling corrections in comments  https://review.openstack.org/11791922:14
jamielennox_stevemar: no worries - you were doing it late last night22:14
jamielennox_stevemar: tomorrow i'm going to make people do client reviews22:14
jamielennox_well i'm going to try that today but it looks like everyone's gone22:14
*** amerine_ has quit IRC22:14
stevemarwe'll figure out the region malarky, it shouldn't be that much work (compared to what we've done to support it)22:15
stevemarjamielennox_, if i get a second wind, i'll take a look at client22:15
stevemarsee ya tmrw22:15
jamielennox_stevemar: bye22:15
*** stevemar has quit IRC22:21
*** jaosorior has quit IRC22:22
openstackgerritSamuel de Medeiros Queiroz proposed a change to openstack/keystone: Fix return from list role assignments on KVS  https://review.openstack.org/11848222:25
samuelmzmorganfainberg, ping22:26
*** marcoemorais has quit IRC22:26
morganfainbergsamuelmz, pong22:26
samuelmzmorganfainberg, ^ another simple patch :)22:26
*** marcoemorais has joined #openstack-keystone22:27
morganfainbergsamuelmz, ty for contributing, expect we'll circle back on most of this opnce the milestone lands in a couple days (things are really impacted right now)22:27
morganfainbergsamuelmz, but def. fixes to get in prior to RC22:27
samuelmzmorganfainberg, ok thanks22:28
*** gordc has quit IRC22:28
*** amerine has joined #openstack-keystone22:33
*** bobt has joined #openstack-keystone22:33
*** henrynash has joined #openstack-keystone22:42
*** stevemar has joined #openstack-keystone22:54
openstackgerritBob Thyne proposed a change to openstack/keystone: Implementation of Endpoint Grouping  https://review.openstack.org/11194922:56
*** david-lyle has quit IRC23:02
*** bklei has joined #openstack-keystone23:05
*** zzzeek has quit IRC23:05
*** bklei has quit IRC23:06
*** marcoemorais has quit IRC23:07
*** marcoemorais has joined #openstack-keystone23:08
*** marcoemorais has quit IRC23:09
*** marcoemorais has joined #openstack-keystone23:09
*** zzzeek has joined #openstack-keystone23:12
*** rm_work|away is now known as rm_work23:16
*** jamielen^ has joined #openstack-keystone23:18
*** jamielennox_ has quit IRC23:20
*** gokrokve has quit IRC23:23
*** gokrokve has joined #openstack-keystone23:23
*** topol has quit IRC23:24
*** jamielennox has joined #openstack-keystone23:27
*** jamielen^ has left #openstack-keystone23:28
*** marcoemorais has quit IRC23:33
*** marcoemorais has joined #openstack-keystone23:33
*** alex_xu has joined #openstack-keystone23:33
*** marcoemorais has quit IRC23:34
*** marcoemorais has joined #openstack-keystone23:34
*** stevemar has quit IRC23:35
*** oomichi has quit IRC23:35
*** jamielennox|home has joined #openstack-keystone23:35
*** bklei has joined #openstack-keystone23:37
*** jamielennox|home has quit IRC23:38
*** bklei has quit IRC23:42
*** jamielennox|home has joined #openstack-keystone23:44
*** gokrokve has quit IRC23:44
*** jamielennox|home has quit IRC23:44
*** oomichi has joined #openstack-keystone23:45
*** gokrokve has joined #openstack-keystone23:45
*** zzzeek has quit IRC23:48
*** gokrokve has quit IRC23:49
morganfainbergbobt, +2 on that review (following stevemar's review)23:53
morganfainbergbobt, +A can come once jenkins weighs in23:53
*** alex_xu has quit IRC23:56
« Monday, 2014-09-01 Index Wednesday, 2014-09-03 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!