Wednesday, 2014-10-22

rodrigodsjogo, nope00:27
rodrigods=)00:27
morganfainbergjogo, it won't be marked as experimental because we can really test it. the keystone-to-keystone federation was very hard to test cleanly and we merged stuff to "fix" it last minute so we marked that as experimental for juno00:27
morganfainbergjogo, multitenancy was delayed so we didn't need to mark it experimental00:28
gyeeinteresting, doesn't appear oslo config set_override considers the deprecated options00:28
morganfainbergand give it a little more time for code review.00:28
morganfainberggyee, nope. it won't.00:28
morganfainberggyee, don't override the deprecated option00:28
gyeemorganfainberg, should I file a bug?00:28
morganfainberggyee, worth asking dhellmann about it00:28
morganfainbergwouldn't hurt to file a bug00:28
jogomorganfainberg: thanks, w.r.t. https://review.openstack.org/#/c/129420/ I think that spec can be split into two phases00:28
morganfainbergbut largely i didn't see a need to "set_override" on them00:28
gyeemorganfainberg, k, will do00:28
jogomorganfainberg: thanks for the clarification00:29
morganfainbergjogo, absolutely!00:29
morganfainbergjogo, anytime :)00:29
gyeemorganfainberg, nova tests use set_override00:29
morganfainbergjogo, and i'm still working on the novaclient stuff.00:29
gyeeself.flags() calls set_override00:29
morganfainbergjogo, spent about 1/2 of today re-learning novaclient code ;)00:29
gyeeI am working on Jamie's patch and trying to figure why the tests failed00:29
morganfainberggyee, ah00:29
gyeehe deprecated url_timeout in favor of just timeout00:30
gyeebut the tests are still calling self.flags('url_timeout'...)00:30
gyeelet me just change them to timeout00:30
morganfainbergjogo, just commented on that spec00:31
morganfainbergjogo, and yeah laying the foundation first is a good plan.00:31
morganfainberggyee, ah00:31
morganfainberggyee, yeah just change it to use the new flags00:32
morganfainberggyee, but doesn't hurt to file a bug w/ oslo on it. might be low low prio though00:32
gyeeunderstood00:32
*** dims_ has quit IRC00:36
*** dims has joined #openstack-keystone00:36
jogomorganfainberg: cool beans00:36
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/12663100:38
*** dims has quit IRC00:40
openstackgerritRodrigo Duarte proposed a change to openstack/keystone: Change /POST to /ECP at federation config  https://review.openstack.org/13008100:41
rodrigodsmorganfainberg, http://stackalytics.com/?release=kilo&metric=commits&module=keystone-group our university in 4th place! hehe00:42
morganfainbergrodrigods, woot00:42
rodrigodsmorganfainberg, lots of off hours commits, though00:42
morganfainbergstevemar, if you don't mind taking a look at the non-persistent token spec00:43
morganfainberglet's get the "how do we pull a spec forward" concept hammered out00:44
stevemarlink me dude!00:44
morganfainberghttps://review.openstack.org/#/c/129736/00:44
morganfainbergbasically it's the ..NOTE:: at the top, then the work items00:44
stevemarrodrigods, i am so happy it worked for you :D00:45
rodrigodsstevemar, had the same feeling when I was finally able to make ECP stuff work00:46
rodrigodsstevemar, webs is the next step, right? was chatting with marekd about it00:46
rodrigodswebsso*00:46
stevemarrodrigods, 100% correct00:47
*** gyee has quit IRC00:48
rodrigodsstevemar, great, already have this task in my queue00:48
rodrigodsmaintain HM stuff and figure out webs internals00:48
rodrigods=)00:48
*** bknudson has joined #openstack-keystone00:48
stevemarrodrigods, so what are you counting as a success wrt k2k :)00:51
stevemarjust getting back a token? or were you able to use client stuff?00:51
rodrigodsstevemar, just getting back a token00:51
rodrigodsam i too far to create an instance, for example? =(00:52
stevemarrodrigods, nice00:52
stevemari suppose the client stuff should still work with what we have today00:52
stevemarbut either way, that's a big win00:52
rodrigodsstevemar, ++00:52
rodrigodsonce I saw the token in the response00:52
rodrigodsI just stopped everything and almost took a beer =)00:53
*** bknudson has quit IRC00:53
rodrigodsstevemar, tomorrow will finish the final bits and complete the tutorial00:53
stevemarrodrigods, i would have had 6 beers00:53
rodrigodsand then move to websso*00:53
rodrigodsstevemar, btw, just changed the /POST to /ECP in the configure_federation doc, if it makes sense00:54
stevemaryep, i see the change, just double checking with the shib docs, but i think you are right00:54
*** cjellick has quit IRC00:55
vsilvadon't be shy, tell them what you really did rodrigods00:56
vsilvahe called me and was quite hysteric on the phone, stevemar00:56
vsilvaI had been overseeing him bump his head against the monitor for a few hours00:57
vsilvastill don't quite understand how you got it to work, rodrigods00:57
stevemarvsilva, haha, that is hilarious! (in a good way!)00:57
rodrigodsvsilva, I had to disable the security policy stuff, guess that we were not properly using SSL00:58
rodrigodsstevemar, ^00:58
stevemarrodrigods, next time i see you, i owe you many drinks of your choice00:58
vsilvasee rodrigods, I told you two places where the problem could be00:58
rodrigodsstevemar, #openstack-keystone has a log! remember! hehe00:59
vsilvaI'm glad you didn't consider them because it wasn't any of those00:59
vsilvalol00:59
stevemarhehe00:59
*** amaurymedeiros has joined #openstack-keystone01:03
*** bknudson has joined #openstack-keystone01:06
*** packet has quit IRC01:08
*** gokrokve has joined #openstack-keystone01:10
*** david-lyle has joined #openstack-keystone01:11
*** packet has joined #openstack-keystone01:12
*** marcoemorais has quit IRC01:13
*** gokrokve has quit IRC01:16
*** meker12 has quit IRC01:16
*** r1chardj0n3s is now known as r1chardj0n3s_afk01:17
*** _cjones_ has quit IRC01:20
*** _cjones_ has joined #openstack-keystone01:21
*** packet has quit IRC01:23
*** _cjones_ has quit IRC01:25
*** NM has joined #openstack-keystone01:27
*** gokrokve has joined #openstack-keystone01:27
morganfainbergstevemar, ping01:36
morganfainbergstevemar, https://bugs.launchpad.net/keystone/+bug/138392401:36
uvirtbotLaunchpad bug 1383924 in keystone "keystone notification should use different topic for CADF and  normal notificaiton" [Undecided,New]01:36
morganfainbergstevemar, i can't argue with that.01:37
morganfainbergstevemar, am i crazy?01:37
morganfainbergstevemar, unless we don't care with the old notification system going away in favor of 100% pycadf01:37
*** r1chardj0n3s_afk is now known as r1chardj0n3s01:38
stevemartopic?01:39
morganfainbergstevemar, topic on the bus01:39
*** david-lyle has quit IRC01:39
morganfainberge.g. "KEystone" or "Keystone CADF"01:40
morganfainbergor  "audit"01:40
morganfainbergetc01:40
*** r-daneel has quit IRC01:40
stevemaroh that thing01:40
stevemarwe could change topics01:40
stevemarfor cadf01:40
morganfainbergor make it configurable01:40
stevemarhttps://github.com/openstack/keystone/blob/master/etc/keystone.conf.sample#L31501:41
stevemaryou mean this one?01:41
stevemarthat'll be tricky01:41
morganfainbergis that for CADF or normal notifications?01:41
stevemarboth01:42
morganfainbergi think the comment is split them into separate configs, but i'm happy to squash it since we're doing cadf only01:42
morganfainbergi'll defer to your thoughts and brad's on that topic01:42
*** gokrokve_ has joined #openstack-keystone01:43
morganfainbergwhich reminds me... need to go poke at pycadf01:43
morganfainbergsee if we have new bugs.01:43
stevemarmorganfainberg, https://github.com/openstack/keystone/blob/0e9aefe73baf06997067e06f2485b883a1c29e6c/keystone/common/config.py#L933 -> https://github.com/openstack/keystone/blob/0e9aefe73baf06997067e06f2485b883a1c29e6c/keystone/notifications.py#L22001:44
morganfainbergright01:44
stevemari just don't know how to set up 2 different topics01:44
morganfainbergoh01:45
morganfainbergthe option is from oslo.messaging01:45
morganfainbergoh hah01:45
morganfainbergi see now01:45
stevemaris there a reason why the author wants it split up?01:45
stevemaraside from cleanliness01:45
morganfainbergi think it's because people don't view some things as audit events01:45
morganfainbergin this case all notifications from keystone really are audit events - we just determined that by approving the cadf everywhere spec01:45
morganfainbergso I am guessing we say "nope, everything is auditable"01:46
*** gokrokve has quit IRC01:46
stevemari'm still not seeing the issue01:48
morganfainbergit's a "i don't want to suss out if this is a cadf event or something else"01:48
morganfainbergi think01:48
morganfainbergit's pure cleanliness, but moving to cadf everywhere and adding a toggle to turn off old events should be more than sufficient01:49
*** stevemar has quit IRC01:49
morganfainbergstevemar, let's just say no, we're going cadf everywhere and adding an option to turn off old notifications and deprecating.01:49
morganfainberghah, and he logs out01:50
morganfainbergor drops01:50
*** stevemar has joined #openstack-keystone01:50
morganfainbergstevemar, welcome back01:50
morganfainbergit's pure cleanliness, but moving to cadf everywhere and adding a toggle to turn off old events should be more than sufficient01:50
morganfainbergstevemar, let's just say no, we're going cadf everywhere and adding an option to turn off old notifications and deprecating.01:50
stevemarrandom isp drop01:51
*** ks-untriaged-bot has joined #openstack-keystone01:56
ks-untriaged-botUntriaged bugs for project keystone:01:56
ks-untriaged-bothttps://bugs.launchpad.net/keystone/+bug/138367601:56
uvirtbotLaunchpad bug 1383676 in keystone "endless loop when deleting region" [High,New]01:56
ks-untriaged-bothttps://bugs.launchpad.net/keystone/+bug/138392401:56
uvirtbotLaunchpad bug 1383924 in keystone "keystone notification should use different topic for CADF and  normal notificaiton" [Undecided,New]01:56
ks-untriaged-botUntriaged bugs for project python-keystoneclient:01:56
ks-untriaged-bothttps://bugs.launchpad.net/python-keystoneclient/+bug/137708001:56
ks-untriaged-bothttps://bugs.launchpad.net/python-keystoneclient/+bug/137271001:56
uvirtbotLaunchpad bug 1377080 in python-keystoneclient "Stale endpoint selection logic in keystone client" [Undecided,In progress]01:56
ks-untriaged-bothttps://bugs.launchpad.net/python-keystoneclient/+bug/135756701:56
uvirtbotLaunchpad bug 1372710 in python-keystoneclient "cfn-push-stats fails to authenticate" [Undecided,Incomplete]01:56
*** ks-untriaged-bot has quit IRC01:56
uvirtbotLaunchpad bug 1357567 in python-keystoneclient "auth_ref caching/retrieving is failing - user needs to provide password for every command" [Undecided,New]01:56
*** gokrokve_ has quit IRC02:05
*** topol has joined #openstack-keystone02:06
*** meker12 has joined #openstack-keystone02:06
*** meker12_ has joined #openstack-keystone02:09
morganfainbergtopol, oh hi.02:09
*** meker12__ has joined #openstack-keystone02:10
*** meker12__ has quit IRC02:11
*** meker12 has quit IRC02:11
*** meker12 has joined #openstack-keystone02:12
*** meker12_ has quit IRC02:13
*** lhcheng has quit IRC02:14
openstackgerritA change was merged to openstack/pycadf: Use oslo tests fixture  https://review.openstack.org/12964302:18
openstackgerritA change was merged to openstack/keystone-specs: Clean up the comments in CADF everywhere spec  https://review.openstack.org/13004302:28
*** diegows has quit IRC02:28
morganfainbergdolphm, stevemar, i'm going to approve the identity v3 stuff in specs repo02:28
morganfainbergdolphm, stevemar, unless there is a reason not to02:28
morganfainbergbknudson, ayoung, ^02:28
morganfainberglbragstad, ^02:28
morganfainbergdstanek, ^ (damn it keep hitting enter too fast)02:29
stevemari figured it was one of those things we would chat about at summit, but if you're OK with it, so am i02:29
stevemarit02:29
morganfainbergi'm actually very happy to see them published02:29
stevemarit's much easier to give ppl API links that DONT go back to github02:30
morganfainbergAND in the same repo so we can get spec + api spec at the same time02:30
morganfainbergstevemar, exactly02:30
openstackgerritA change was merged to openstack/keystone-specs: add v3 API documentation  https://review.openstack.org/12871202:33
openstackgerritA change was merged to openstack/keystone-specs: Publish the Identity v3 API specs  https://review.openstack.org/12876502:33
morganfainbergrodrigods, sorry to do this to you... but ...02:33
morganfainbergrodrigods, ^ you'll need to republish the spec changes over to the keystone-specs repo now02:34
morganfainbergrodrigods, let me know if you need any help, happy to assist.02:34
openstackgerritA change was merged to openstack/pycadf: Use correct name of oslo debugger script  https://review.openstack.org/13000002:39
openstackgerritA change was merged to openstack/keystone: Correct the code path of implementation for the abstract method  https://review.openstack.org/12953002:41
*** NM has quit IRC02:42
*** harlowja is now known as harlowja_away02:43
*** richm has quit IRC02:56
*** alex_xu has joined #openstack-keystone03:01
*** jacer_huawei has quit IRC03:02
openstackgerritMorgan Fainberg proposed a change to openstack/keystone-specs: Changes regarding the functionality of Hierarchical Multitenancy - Changes in the Keystone API considering projects hierarchy.  https://review.openstack.org/13010303:03
openstackgerritMorgan Fainberg proposed a change to openstack/keystone-specs: Changes regarding the functionality of Hierarchical Multitenancy  https://review.openstack.org/13010303:03
morganfainbergrodrigods, ^03:04
stevemarmorganfainberg, revieweddd03:35
morganfainbergstevemar, ty03:36
*** lhcheng has joined #openstack-keystone03:38
*** lhcheng has quit IRC04:03
*** _cjones_ has joined #openstack-keystone04:05
*** r1chardj0n3s is now known as r1chardj0n3s_afk04:06
*** fifieldt has joined #openstack-keystone04:08
*** _cjones_ has quit IRC04:17
*** _cjones_ has joined #openstack-keystone04:18
*** alee has quit IRC04:24
*** alee has joined #openstack-keystone04:24
*** lhcheng has joined #openstack-keystone04:40
*** lhcheng has quit IRC04:44
*** lhcheng has joined #openstack-keystone04:45
*** _cjones_ has quit IRC04:47
*** _cjones_ has joined #openstack-keystone04:47
*** _cjones_ has quit IRC04:52
*** KanagarajM has joined #openstack-keystone04:54
*** _cjones_ has joined #openstack-keystone04:57
*** KanagarajM has quit IRC05:01
*** gokrokve has joined #openstack-keystone05:11
*** gokrokve has quit IRC05:21
*** topol has quit IRC05:25
*** alex_xu has quit IRC05:28
*** jacer_huawei has joined #openstack-keystone05:33
*** k4n0 has joined #openstack-keystone05:36
*** r1chardj0n3s_afk is now known as r1chardj0n3s05:47
*** jorge_munoz has quit IRC05:47
*** jorge_munoz has joined #openstack-keystone05:48
*** afazekas has joined #openstack-keystone05:48
*** dvorak has quit IRC05:56
* marekd making dance of victory after reading rodrigod's message05:56
marekdrodrigods: ping me asap05:57
marekdrodrigods: please.05:57
*** dvorak has joined #openstack-keystone06:03
*** alex_xu has joined #openstack-keystone06:10
*** jamielennox has quit IRC06:10
*** gokrokve has joined #openstack-keystone06:11
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/13012606:12
*** gokrokve has quit IRC06:13
morganfainbergmarekd, will send you a follow up email tomorrow re: visiting CERN but, provided no issues the 11th of november is the best day06:13
*** gokrokve has joined #openstack-keystone06:13
morganfainbergmarekd, def. have 2 others joining (chet and his wife)06:13
marekdmorganfainberg: sure.06:14
*** alex_xu has quit IRC06:16
*** gokrokve has quit IRC06:18
openstackgerritMorgan Fainberg proposed a change to openstack/keystone-specs: API documentation for Hierarchical Multitenancy  https://review.openstack.org/13010306:18
morganfainbergmarekd, have a good day it's time for me to sleep ;)06:19
marekdmorganfainberg: have a good night :-)06:24
*** jamielenz has joined #openstack-keystone06:28
*** alex_xu has joined #openstack-keystone06:28
*** jamielenz is now known as jamielennox06:29
*** lhcheng has quit IRC06:30
openstackgerritSergey Kraynev proposed a change to openstack/python-keystoneclient: Using correct keyword for region in v3  https://review.openstack.org/11838306:39
*** r1chardj0n3s is now known as r1chardj0n3s_afk06:43
*** mrmoje has joined #openstack-keystone06:44
openstackgerritAndreas Jaeger proposed a change to openstack/keystonemiddleware: Improve help strings  https://review.openstack.org/11804806:56
marekdmhu: o/ i heard some rumours that k2k was successfully deployed. I need to grab some more details today.07:00
mhumarekd: awesome ! I07:12
*** gokrokve has joined #openstack-keystone07:14
*** gokrokve has quit IRC07:18
marekdstevemar: thanks for the review.07:26
*** ukalifon has joined #openstack-keystone07:26
*** _cjones_ has quit IRC07:28
*** _cjones_ has joined #openstack-keystone07:28
*** _cjones_ has quit IRC07:33
stevemarmarekd, np07:33
stevemarmarekd, bed time for me now :(07:33
stevemarmarekd, mhu yes the rumor is rodrigods was able to set it up, he said docs are coming :)07:34
stevemarmarekd, i need to finish our presentation hehe07:35
mhustevemar, marekd, rodrigods: looking forward to that !07:35
stevemargood night/morning all - have a fun day07:35
*** stevemar has quit IRC07:40
marekdsee you07:41
*** junhongl has joined #openstack-keystone07:45
*** jistr has joined #openstack-keystone08:02
*** gokrokve has joined #openstack-keystone08:12
*** henrynash has joined #openstack-keystone08:14
*** jamielennox has quit IRC08:14
*** gokrokve has quit IRC08:16
*** jamielenz has joined #openstack-keystone08:32
*** jamielennox has joined #openstack-keystone08:33
*** arunkant has quit IRC08:45
openstackgerritEndre Karlson proposed a change to openstack/python-keystoneclient: Allow allow* passthroughs  https://review.openstack.org/13015908:46
jamielennoxekarlso: commented ^08:52
*** arunkant has joined #openstack-keystone08:52
*** jacer_huawei has quit IRC08:59
*** gokrokve has joined #openstack-keystone09:11
*** gokrokve has quit IRC09:12
*** gokrokve has joined #openstack-keystone09:13
*** jacer_huawei has joined #openstack-keystone09:15
*** gokrokve has quit IRC09:17
*** andreaf has joined #openstack-keystone09:22
*** jacer_huawei has quit IRC09:33
*** henrynash has quit IRC09:45
*** nellysmitt has joined #openstack-keystone09:49
*** NM has joined #openstack-keystone09:53
*** alex_xu has quit IRC09:54
openstackgerritA change was merged to openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/12663109:54
*** NM has quit IRC09:59
*** aix has joined #openstack-keystone10:00
openstackgerritwanghong proposed a change to openstack/keystone: cann't update catalog objects when using kvs driver  https://review.openstack.org/13018010:04
*** gokrokve has joined #openstack-keystone10:11
*** gokrokve has quit IRC10:16
marekdmhu: o/10:21
marekdmhu: recently you've been an openstackclient master. Is openstackclient in a shape where a user can step 1) fetch unscoped token from...say ADFS, step 2) scope this token to a project (and get scoped token printed/stored) 3) create/delete a vm ?10:27
marekdmhu: i am concerned about fetching and printing to stdout unscoped token and later scoping it.10:28
*** NM has joined #openstack-keystone10:34
*** dims has joined #openstack-keystone10:36
*** dims has quit IRC10:39
*** dims has joined #openstack-keystone10:39
rodrigodsmarekd, ping10:55
rodrigodsjust woke up =)10:55
marekdrodrigods:10:55
marekdo/10:55
marekdcongrats on k2k10:55
rodrigodsmarekd, \o/10:55
*** meker12 has quit IRC10:55
marekdrodrigods: so, what happened after you transformed the assertion into SOAP with the code i shared with you yesterday?10:56
marekdrodrigods: i saw some convos on ssl-something10:56
marekdand you hitting wall with your head10:56
rodrigodsmarekd, haha10:56
marekd:-)10:56
rodrigodsmarekd, shibboleth was complaining about the IdP certificate10:57
rodrigodsmarekd, I haven't set up a proper keystone ssl deploy10:57
marekdrodrigods: that it couldn't validate a signature?10:57
rodrigodsmarekd, exactly10:57
marekdrodrigods: oh-ho10:57
marekdrodrigods: and what did you do then?10:57
rodrigodsmarekd, used the security policy test mode10:57
rodrigodsdisable everything10:57
rodrigodshehe10:58
marekdrodrigods: what exactly?10:58
marekdwhat did you disable?10:58
*** diegows has joined #openstack-keystone10:58
rodrigodsmarekd, https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPPolicyRule10:59
rodrigodsused the last one10:59
rodrigodsI assumed the issues were due to a not properly set keystone ssl deploy10:59
rodrigods(wasn't using https and so on)10:59
*** NM has quit IRC10:59
marekd<PolicyRule type="NullSecurity"/> ?11:00
marekdthis?11:00
marekdso it basically doesn't validate assertion's signature, right?11:01
rodrigodsmarekd, yeah, that11:01
marekdrodrigods: and did you manage to set up keystone so this policy is no longer needed?11:01
*** meker12 has joined #openstack-keystone11:02
rodrigodsmarekd, no, once I got the token back, I just stopped there and took a beer11:02
marekdwell earned beer :-)11:02
marekdrodrigods: are  you planning to carry on with that?11:03
*** meker12_ has joined #openstack-keystone11:03
rodrigodsmarekd, the next step was to test the token itself11:03
*** meker12_ has quit IRC11:04
rodrigodsafter that, I can try to remove the test security policy11:04
marekdrodrigods: well, the token is icehouse federation token so I know it works.11:04
*** meker12_ has joined #openstack-keystone11:04
marekdi mean, i could really do things like booting/deleting machines, listing projects and so on.11:05
*** meker12 has quit IRC11:05
marekdmeh, listing images etc11:05
rodrigodsmarekd, ++11:05
marekdanyway, i have some code for that11:05
marekdso i can give it to you, but personally making it work with proper signature validation is much more crucial part.11:06
rodrigodsmarekd, cool11:08
marekdrodrigods: anyway, good that you discovered that shibboleth option.11:08
marekdi also left a comment on your patch, so you can follow up later :-)11:09
rodrigodsmarekd, just replied =)11:09
rodrigodsthanks11:09
marekdand i am super glad that you made it work :-)11:10
rodrigodsmarekd, will have breakfast and go to the lab o/11:10
*** gokrokve has joined #openstack-keystone11:11
marekdrodrigods: sure thing.11:11
marekdbon app!11:11
marekdi will have lunch soon :-)11:12
marekdit's 1:12 pm here11:12
*** gokrokve has quit IRC11:16
*** fmarco76 has joined #openstack-keystone11:22
*** fmarco76 has quit IRC11:24
ekarlsojamielennox: where should tests for ^ go ?11:26
*** NM has joined #openstack-keystone11:34
mhumarekd, I have no way to test ADFS, but if it works like your saml plugins, it should be covered with the federation unscoped commands patch once I get back to it (https://review.openstack.org/#/c/124101/)11:46
marekdmhu: ok, don't worry about keystoneclient part, i know adfs works (at least for me).11:47
marekdmhu: at some point i stopped following up and i am unsure if i can do everything with commandline and openstackclient.11:47
mhumarekd, using this code, here's a way to do a full login: http://paste.openstack.org/show/123098/11:47
mhumarekd, as for getting tokens, they are redacted in the debug logs, otherwise you can explicitly get them with the command "token issue" (not tested, but from glancing at the code, it should work) and of course the "federation token issue" for the unscoped token11:50
marekdmhu: do you think adding a patch that utilizes https://review.openstack.org/#/c/106751/ is hard?11:50
marekdjamielennox: BTW: appreciate your eyes on https://review.openstack.org/#/c/106751/ . Even if that's only Python/software design check.11:52
mhumarekd, you mean in OSC ? I guess not ... are you implying you're abandoning this change ?11:52
mhuit's a pity, though, I think the wrapper has its place in ksc11:52
marekdmhu: not at all!11:52
mhuah, good :)11:52
marekdmhu: i want osc use it11:52
marekdmhu: and i am asking if some new code must be developed for that.11:53
mhumarekd, no new code needed - it's the magic of plugins \o/11:53
marekdmhu: ah, great!11:53
marekdi will try that today then.11:53
mhumarekd, I actually got once to test it, but since I've wrecked up my virtualenv11:53
mhubut it definitely worked11:54
marekdand may bug you if i am stuck.11:54
marekdmhu: the wrapper?11:54
mhumarekd sure no prob11:54
mhumarekd, the wrapper through osc11:54
* marekd sweeeeeet, everything is going according to the plan11:54
marekdmhu: you are obviously attending summit?11:54
mhuMy main trouble was to get osc to use the right version of ksc, the one from the patch, but once I did it worked11:55
marekdmhu: what right version ?11:55
marekd=>0.11.1 ?11:55
marekdor it's simply because my patch was not merged?11:56
mhumarekd, yes, actually I live 10 minutes away by foot from the summit place11:56
marekdmhu: great!11:57
marekdmhu: i'd be happy to have a beer with in person :-)11:57
marekdwith you*11:57
mhumarekd, when you use "python setup.py install" on an untagged branch, it gets a special version number based on the latest git commit hash, and sometimes it doesn't play well with other version requirements11:58
marekdi see11:59
mhumarekd, likewise, and not just one ! :)11:59
marekdmhu: looking forward to RedHat (and not only) sponsored events :P11:59
*** gokrokve has joined #openstack-keystone12:11
*** gokrokve has quit IRC12:16
jamielennoxmarekd: so what would happen with that plugin if i didn't supply --project-id or any scoping information to that plugin12:31
jamielennoxthe way the current plugins work like Password is if you don't supply a scope you get unscoped, that may not be right, but i think if you don't provide scope to the v3saml2 it will fail right?12:33
marekdjamielennox: ValidationError12:33
jamielennoxmarekd: is that what you want?12:34
jamielennoxi don't necessarily think the unscoped/scoped behaviour of the existing plugins is very good - it was a pattern i inherited from the old clients, i was just looking at how this one is different12:35
marekdi mean, in the saml2Scopedtoken plugin if you don't provide enough information (project_id or domain_id) you get ValidationError. Here, it is simply repeated.12:35
marekdjamielennox: what pattern? the fact that unscoped tokens actually exist?12:36
marekdI don't say ValidationError is a right thing to do, but i don't have any better idea.12:36
jamielennoxmarekd: no the pattern that you can't really tell if your plugin contains a scoped token or not, you have to remember what you submitted12:36
ekarlsojamielennox: ?12:37
jamielennoxsaml2ScopedToken kind of makes sense to throw ValidationError - you are specifically making an object with a scoped token12:37
jamielennoxif you didn't provide the scope it would fail anyway12:37
*** diegows has quit IRC12:37
marekdjamielennox: yes.12:37
jamielennoxi'm wondering for the v3saml2 plugin though if you don't provide a scope should it act like an unscoped token12:38
jamielennoxso in get_auth_ref if no scoping is provided you'd return the unscoped auth_ref12:38
marekdah...12:38
marekdmy initial thought was: if you want unscoped token use plugin for that, but i can add this12:38
ekarlsojamielennox: where do tests for my change go ?12:39
jamielennoxi think that people using the specific saml2 format plugins would be rare, particularly from the cmdline you would just teach people how to use this wrapper12:39
marekdjamielennox: format - you mean either adfs/shib or scoped/unscoped?12:40
jamielennoxadfs/shib12:40
marekdjamielennox: because at the moment there is no 'discovery'12:40
jamielennoxekarlso: am looking12:40
jamielennoxmarekd: yep, would love to add that12:41
marekdjamielennox: i can take a look at that, but we might end up with stupid "if method a didn't work, try method b and only then fail with Unauthorized"12:41
jamielennoxmarekd: but from a UX and doc perspective you would tell people to do --os-auth-plugin v3saml2 --unscoped-token-plugin shib --stuff....12:42
marekdjamielennox: correct12:42
jamielennoxrather than to even bother explaining how to use --os-auth-plugin shib12:42
marekdjamielennox: ok, i will check it so it stops without errors if no project_id/domain_id is provided.12:42
marekdone more thing...12:43
marekdcause everywhere i was adding project_id for project scoping (domain_id for domains). Shouldn't we actually add project_name, project_domain_name also?12:43
jamielennoxalso is there something better we can call --unscoped-token-plugin? like --saml-format or --saml-protocol12:43
jamielennoxmarekd: yea, you will want to pass pretty much all the options of v3.Token through for scoping12:44
jamielennoxall but --os-token i would think12:44
marekdjamielennox: hm, i need to put os-token...12:45
marekdas i am scoping unscoped token..12:45
jamielennoxwouldn't the value of --os-token come from the unscoped plugin?12:45
*** vejdmn has joined #openstack-keystone12:47
marekdjamielennox: ah, you are talking the wrapper now - so yes, --os-token is passed from unscoped token. However, currently if you just want to scope your unscoped token you must provide project_id or domain_id: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/contrib/auth/v3/saml2.py#L87712:48
marekdso i think it will not work with human readable names.12:49
jamielennoxmarekd: yep, i mean the wrapper, so the wrapper would want to expose the same scoping options that the other v3 auth plugins expose (looking no v3.Token only adds --os-token everything else is from the base class)12:50
marekdjamielennox: agreed.12:50
jamielennoxso those options are easy to inherit12:50
marekd**kwargs i guess.12:50
marekdand the rest will be handled in a base class12:50
marekdjamielennox: ok, do you think that constraint in Saml2ScopedToken class for either project_id or domain_id should be dropped?12:52
marekdjamielennox: ok i think i can answer my own question: yes12:53
jamielennoxmarekd: no :)12:55
*** diegows has joined #openstack-keystone12:55
marekdjamielennox: haha12:55
marekdjamielennox: why?12:55
jamielennoxI mean you could, but the whole class name indicates that you are creating a scoped token - if you don't have scoping information i don't know what it would be used for12:55
marekdjamielennox: right, but you have to specify project_id, and cannot use project_name, project_domain_name pair.12:56
jamielennoxideally we wouldn't need Saml2ScopedToken at all and the standard unscoped -> scoped would work12:56
jamielennoxmarekd: is that a server requirement or those options just aren't inherited up to that plugin?12:56
jamielennoxmarekd: also left some comments on the review, nothing serious i think12:57
marekdjamielennox: server requirement for having project_id only?12:57
jamielennoxright - why doesn't Saml2ScopedToken accept project_name?12:58
marekdwhen i think about it now i think everybody assumed project_id would be passed.12:58
marekdi need to check it.12:58
marekdwell..passed to the server12:59
jamielennoxdoesn't it inherit from v3.Token?12:59
*** richm has joined #openstack-keystone12:59
marekdit does12:59
jamielennoxor inherit the same options as the other v3 plugins? wouldn't it get project_name that way?12:59
*** amakarov_away is now known as amakarov12:59
marekdhttps://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/contrib/auth/v3/saml2.py#L88412:59
marekdat the moment it will accept project_id13:00
marekdnot project_name13:00
jamielennoxoh - right13:00
openstackgerritAlexander Makarov proposed a change to openstack/keystone: PKI and PKIZ tokens unnecessary whitespace removed  https://review.openstack.org/12004313:00
jamielennoxhmm, well at least adding the additional options isn't a compatibility issue13:00
jamielennoxso no rush on that13:00
marekdjamielennox: i think that if clause should be dropped13:01
*** afazekas has quit IRC13:01
marekdall in all so every thing can be resolved at the v3.Token level (if all required options are present)13:01
*** bknudson has quit IRC13:01
*** gordc has joined #openstack-keystone13:01
marekdand i will check if actually keystone accepts project_name13:01
marekdif not -> bug and fix at the keystone side.13:01
jamielennoxok,13:02
jamielennoxif you want to keep it the easy thing to do would be add a property like contains_scoping_data in the v3 base plugin and you can check that13:03
jamielennoxi was looking because i thought i had a method like that already13:03
*** stevemar has joined #openstack-keystone13:03
jamielennoxbut i don't mind if you drop it13:04
*** tellesnobrega has joined #openstack-keystone13:04
jamielennoxi don't think it changes the wrapper either way because if there wasn't any scoping data you wouldn't call it13:04
marekdhttps://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/auth/identity/v3.py#L89 options presence and their combinations are being resolved somewhere here13:04
jamielennoxotherwise you'd be making to auth calls and you'd still only end up with an unscoped token13:04
marekdjamielennox: no it doesn't13:04
jamielennoxs/to/two13:04
marekdi just wanted to consult since we were talking.13:05
jamielennoxnp, are you guys using it in production yet?13:06
jamielennoxthe auth plugins?13:06
marekdwe have websso with horizon, and i think auth plugins with cli will be available quite soon for our users.13:07
marekdhowever, locally i think kerberos with cli will be more tempting.13:08
marekdso the answer is: not yet :-)13:08
marekdplus it took a while to reorganize osc to be able to use all those ksc plugins.13:08
marekdand the new version has not yet been cut.13:08
jamielennoxyea, i haven't looked at OSC since i got back, ayoung was saying there had been some work there to do plugins but it wasn't quite there yet13:09
marekdit is now.13:09
*** dims has quit IRC13:09
marekdi think right now you have almost all you need to use federation from cli.13:10
*** dims has joined #openstack-keystone13:10
jamielennoxok, cool. he had a snippet of code showing osc with kerberos but it still needed you to provide a password field or something cause they hadn't quite figured out the options13:10
jamielennoxekarlso: sorry, that took longer than i meant - so for the main part you should be ok to add the allows to https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/tests/test_session.py#L59913:11
*** gokrokve has joined #openstack-keystone13:11
jamielennoxekarlso: but i think it would be good to have a more realistic test, maybe in https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/tests/auth/test_identity_v3.py that tested actually using it with a discover object that had an experimental api version13:13
*** afazekas has joined #openstack-keystone13:13
jamielennoxmarekd: i saw dtroyer complaining about something to do with the plugins the other day, which i consider to be a good sign that they're really trying13:14
marekdjamielennox: when exactly?13:14
marekdjamielennox: BTW: http://openstack-in-production.blogspot.ch/2014/10/kerberos-and-single-sign-on-with.html13:15
*** joesavak has joined #openstack-keystone13:15
*** sigmavirus24_awa is now known as sigmavirus2413:16
*** gokrokve has quit IRC13:16
jamielennoxonly the other day, something part he wanted he thought was missing but i haven't caught up with him yet13:17
jamielennoxmarekd: ah, i saw that and put it in the to read list but haven't yet13:17
stevemarmarekd, thanks for filling in that slide, i was going to do it today, you just saved me some time :)13:17
*** nkinder has quit IRC13:18
marekdstevemar: sure13:18
jamielennoxstevemar: you are probably the right person to ask about this - how's OSC going with ksc plugins?13:18
marekdjamielennox: https://review.openstack.org/#/c/108325/13:18
stevemarjamiec, well, we are using plugins now, and no longer have the 'options' for most in our code13:19
stevemarjamielennox, ^13:19
jamielennoxmarekd: hmm, having not looked at the code yet that seems almost right13:19
marekdjamielennox: yes.13:19
jamielennoxi don't like the idea that OSC should guess the plugin from available options13:20
stevemarjamielennox, we also noticed a lack of support for a specific flow in KSC, service token + endpoint13:20
jamielennoxthe plan was always that you can write a plugin that is the default and if you don't specify --os-auth-plugin then you get the default plugin13:20
marekdjamielennox: and the plugins mechanism is generic enough, so adding new plugin (like my wrapper) will not need any code changes in osc13:20
jamielennoxstevemar: that exists, what specifically are you missing13:21
jamielennoxmarekd: ++13:21
*** vejdmn has quit IRC13:21
*** bknudson has joined #openstack-keystone13:21
*** vejdmn has joined #openstack-keystone13:21
jamielennoxstevemar: token/endpoint is keystoneclient.auth.token_endpoint.Token13:21
stevemarjamielennox, here's where we added our own, i'll see about getting rid of it in favor or the one you mention above: https://review.openstack.org/#/c/127655/3/openstackclient/api/auth.py13:24
*** dims has quit IRC13:25
stevemarjamielennox, this was the change that started using plugins, https://review.openstack.org/#/c/108325/27 if a plugin is specified then we use that one, otherwise we try to guess it given what we know13:25
jamielennoxstevemar: yea, that's what marekd linked above and i'm looking through13:26
*** dims has joined #openstack-keystone13:26
*** dims has quit IRC13:26
stevemarjamielennox, hold your comments for a bit or ask dtroyer, i'm about to drive to work13:26
stevemarbbl13:26
jamielennoxstevemar: ok13:27
*** dims has joined #openstack-keystone13:27
*** dims has quit IRC13:27
*** dims has joined #openstack-keystone13:29
*** dims has quit IRC13:29
vsilvaping stevemar - I heard you were wishing for real federation tests. I'd love to take a good look into that13:31
*** stevemar has quit IRC13:31
marekdvsilva: i was wishing for that too13:31
marekdand was thinking about it as a next cycle task.13:31
marekdvsilva: o/13:31
marekdvsilva: have you started working on that yet?13:32
vsilvasweet marekd. I was hoping to have a plan on how to tackle that in the next couple of days13:32
marekdvsilva: well, first of all: make sure people like dolphm or morganfainberg will accept that :P13:33
marekdpersonally - i think it's super useful13:33
vsilvamarekd, yep, that's right13:33
marekdvsilva: secondly i'd figure out what's the procedure for adding tests to the gate13:33
marekdprobably morganfainberg can help as well13:34
marekdor point to right people13:34
marekdthird: the infrastructure, i can help you with that if you want.13:34
marekdpysaml2 might be a good idea13:34
marekdas a real idp.13:34
marekdmod_shib w/ apache for the sp side as a starter13:35
rodrigodsmarekd, there is also ipsilon (https://fedorahosted.org/ipsilon/), nkinder pointed to that in a previous discussion13:36
marekdor ipsilon, whatever13:36
*** dims has joined #openstack-keystone13:36
marekdgood that you reminded me that...13:39
marekdhm, nkinder is not here.13:39
rodrigodsmarekd, vsilva, figure out how to gate the SP would be a good start13:42
rodrigods( vsilva is in the same physical room that I am =P )13:42
*** afazekas has quit IRC13:42
dstanekthe use of kwargs in keystoneclient is driving me crazy :-(13:44
jamielennoxdstanek: yea13:45
marekddstanek: ++++++++++++++13:45
rodrigods+100013:45
jamielennoxanywhere in particular? (new code or old code?)13:45
marekdrodrigods: isn't keystone running apache in gate?13:46
marekddstanek: ^^ ?13:47
rodrigodsmarekd, not sure, heard that it was running eventlet13:47
marekdmorganfainberg: can answer that13:47
dstanekmarekd: i don't think so - i'm pretty sure it's eventlet13:47
marekddstanek: :(((((13:47
marekdvsilva: so you have step 013:47
marekdvsilva: rodrigods any of you coming to Paris?13:50
vsilvanope marekd13:50
jamielennoxso is there a compatibility issue if i fix auth_token middleware to do real discovery?13:51
jamielennoxat the moment it does some discovery, like it checks to see if v2 and v3 are listed in the discover page and if so force appends /v2.0/ or /v3/13:51
jamielennoxhow many people do you think it would break if i actually made it object the URLs found on the discovery page?13:52
jamielennoxs/object/respect13:52
*** bknudson has quit IRC13:52
*** nellysmi_ has joined #openstack-keystone13:53
bretonayoung: morganfainberg: regarding Alembic blueprint. What's the issue with approach?13:53
marekdvsilva:  :(13:55
vsilvaI'm new here, marekd - rodrigods should, though13:55
*** nellysmitt has quit IRC13:56
rodrigodsmarekd, didn't get sponsored13:56
rodrigods=/13:57
marekd:(13:57
*** thedodd has joined #openstack-keystone13:57
*** radez_g0n3 is now known as radez13:57
*** bknudson has joined #openstack-keystone14:06
morganfainbergWe test both eventlet and Apache in gate. Most tempest runs are Apache though.14:06
*** nkinder has joined #openstack-keystone14:07
marekdmorganfainberg: so adding mod_shib and predefined config shouldn't be a big thing ?14:07
morganfainbergNot if it is something devstack can configure.14:07
*** NM has quit IRC14:08
morganfainbergBut it will need a toggle / flag.14:08
marekdmorganfainberg: what flag?14:08
morganfainbergIn tempest if tempest is testing it.14:09
*** henrynash has joined #openstack-keystone14:09
morganfainbergIt can't be tested in the unit tests, unit tests don't use Apache14:09
marekdmorganfainberg: i don't want any unit tests, any mocking and so on.14:10
marekdi want to talk with real IdP14:10
marekdget real assertion14:10
marekdetc etc14:10
morganfainbergYeah, this is either tempest or the new functional testing (will be discussed at the summit)14:11
*** gokrokve has joined #openstack-keystone14:11
marekdmorganfainberg: ok14:11
marekdi was once thinking about adding federation tests to the gate, and now vsilva mentions the same.14:12
*** gokrokve has quit IRC14:16
vsilvamarekd, I have no strong preference for either approach - maybe just a slight one for tempest14:16
vsilvamorganfainberg, I'm eager to hear what you guys decide, then, and I'd love to help14:17
*** k4n0 has quit IRC14:17
morganfainberg:)14:17
marekdvsilva: morganfainberg does tempest allow for real tests? not unittests with mocking etc?14:18
marekdso real HTTP calls are sent/received14:18
morganfainbergYes, tempest is doing full integration. It actually runs against a full devstack14:19
vsilvawhat's stopping us from using it then, morganfainberg? Or how could functional testing be better for this?14:20
morganfainbergFunctional tests will be similar, but be keystone only (think like the "restful test cases" we have now in unit but against any keystone).14:20
morganfainbergThere is a lot of work to set this all up in either case. Devstack, actual test writing, etc.14:21
vsilvais the second approach less than you want, marekd?14:22
morganfainbergSo, I just would wait until the summit (it's very soon) to figure out the best place to do this work14:22
morganfainbergIf the qa team doesn't want this in tempest, no reason to put it there14:23
vsilvasure morganfainberg, that makes sense14:23
samuelmsmorganfainberg, so if we stop calling assignment_api directly inside API tests (for simplicity on setting up scenarios) and do only api calls, they'd become functional tests .. :)14:23
samuelmsmorganfainberg, and we could receive keystone url from a config14:23
morganfainbergIf we're moving lots to functional out of tempest, this might be a prime candidate for new testing. Or to lead in with.14:24
morganfainbergsamuelms: partly14:24
morganfainbergIt also needs a way to be told how to run against an active keystone vs a very contrived setup.14:25
samuelmsmorganfainberg, ++14:26
*** radez is now known as radez_g0n314:29
morganfainbergunrelated, good morning14:29
morganfainberg:)14:29
breton18:29 < morganfainberg> unrelated, good morning14:30
bretonmorning :014:30
breton* :)14:30
morganfainbergit's 0730 here14:30
marekd16:29 < morganfainb>| unrelated, good morning14:30
*** gokrokve has joined #openstack-keystone14:30
*** henrynash has quit IRC14:32
vsilva[11:29]  <morganfainberg> unrelated, good morning14:33
vsilvastill applies, I guess14:33
*** henrynash has joined #openstack-keystone14:34
morganfainbergvsilva, hey it's morning there! no mocking me if it isn't past noon ;)14:34
morganfainberghehe14:34
* morganfainberg hasn't even had coffee yet14:34
vsilvaall right, all right!14:34
*** stevemar has joined #openstack-keystone14:36
openstackgerritA change was merged to openstack/pycadf: Remove unused dependencies from pycadf  https://review.openstack.org/12976514:39
*** henrynash has quit IRC14:44
marekdvsilva: sorry, missed your msg.14:44
*** henrynash has joined #openstack-keystone14:44
marekdvsilva: i don't have any preferences14:44
*** radez_g0n3 is now known as radez14:46
*** ukalifon has quit IRC14:51
*** andreaf has quit IRC14:52
openstackgerritAlexander Makarov proposed a change to openstack/keystone: Trust redelegation  https://review.openstack.org/12689714:57
*** tellesnobrega has quit IRC14:59
*** thedodd has quit IRC15:00
*** vhoward has left #openstack-keystone15:02
*** gokrokve_ has joined #openstack-keystone15:09
*** dims_ has joined #openstack-keystone15:11
*** gokrokve_ has quit IRC15:12
*** gokrokve_ has joined #openstack-keystone15:12
amakarovayoung, Hi! I've done trust chain users validation in a token provider. Do I correctly understand that trust chain validation is spread across several api?15:13
*** gokrokve has quit IRC15:13
*** dims__ has joined #openstack-keystone15:14
*** david-lyle has joined #openstack-keystone15:14
*** dims has quit IRC15:15
rodrigodsmarekd, seems like I don't have the token yet. Shibboleth is redirecting me to http://keystone:5000/ instead to http://keystone:5000/v3/OS-FEDERATION/identity_providers/.../auth. Problem with attribute mappings?15:15
*** dims_ has quit IRC15:16
*** gokrokve_ has quit IRC15:17
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Use Discovery fixtures for auth token tests  https://review.openstack.org/13024715:18
*** david-lyle has quit IRC15:19
*** zzzeek has joined #openstack-keystone15:20
*** _cjones_ has joined #openstack-keystone15:22
*** _cjones_ has quit IRC15:23
*** _cjones_ has joined #openstack-keystone15:23
rodrigodsmarekd, I need to manually go to the correct url =( (but I succeed to get back the token)15:24
marekdrodrigods: at what point?15:25
marekdrodrigods: are you talking about unscoped token still?15:25
openstackgerritLance Bragstad proposed a change to openstack/keystone-specs: Authenticated Encryption Tokens  https://review.openstack.org/13005015:29
*** vejdmn has quit IRC15:30
*** vejdmn has joined #openstack-keystone15:31
rodrigodsmarekd, yep, once we send the SAML assertion, the response is a 302 to another URL15:34
marekdrodrigods: correct15:34
rodrigodswhich should be /OS-FEDERATION/...15:34
rodrigodsbut, here is redirecting me to http://keystone:5000/15:34
rodrigodsif I manually put the /OS-FEDERATION/ url, the unscoped token is returned15:34
*** cjellick has joined #openstack-keystone15:35
marekdrodrigods: what do you have configured in your region?15:35
*** ayoung is now known as ayoung-afk15:40
*** david-lyle has joined #openstack-keystone15:43
rodrigodsmarekd, /Shib.../SAML2/ECP15:53
marekdrodrigods: can you by any chance paste me the assertion Keystone-Idp is returning to you?15:53
marekdrodrigods: i am afraid client library will have to handle this.15:54
rodrigodsmarekd, just a sec =)15:57
rodrigodsmarekd, but how the IdP will generate the correct URL to be redirected, if it depends on the idp id at the SP?15:59
*** lhcheng has joined #openstack-keystone16:00
*** jsavak has joined #openstack-keystone16:00
*** marcoemorais has joined #openstack-keystone16:01
*** joesavak has quit IRC16:01
*** larsks has quit IRC16:03
*** larsks has joined #openstack-keystone16:03
*** joesavak has joined #openstack-keystone16:04
*** jsavak has quit IRC16:05
*** NM has joined #openstack-keystone16:13
*** jistr has quit IRC16:18
*** mrmoje has quit IRC16:19
*** gokrokve has joined #openstack-keystone16:20
marekdrodrigods: well, user will need to specify that16:23
marekdor cloud admin.16:23
rodrigodsmarekd, where?16:25
*** radez is now known as radez_g0n316:28
marekdrodrigods: this would need code change.16:30
marekdor simply keystoneclient would need to take care of that.16:31
rodrigodsmarekd, ++16:35
marekdrodrigods: i will take a look at it later, i need to go for now.16:35
rodrigodsmarekd, will take a look too. Thanks for the help16:36
marekdrodrigods: sure16:36
marekdo/16:36
rodrigodso/16:36
marekdo\16:36
*** thedodd has joined #openstack-keystone16:36
*** vejdmn has quit IRC16:36
*** packet has joined #openstack-keystone16:38
*** vejdmn has joined #openstack-keystone16:38
*** r-daneel has joined #openstack-keystone16:39
*** marcoemorais has quit IRC16:47
*** marcoemorais has joined #openstack-keystone16:47
*** marcoemorais has quit IRC16:47
*** wwriverrat has joined #openstack-keystone16:48
*** marcoemorais has joined #openstack-keystone16:48
*** marcoemorais has quit IRC16:48
*** vejdmn has quit IRC16:51
*** vejdmn has joined #openstack-keystone16:51
openstackgerritRodrigo Duarte proposed a change to openstack/keystone-specs: API documentation for Inherited Roles to Projects  https://review.openstack.org/13027716:53
morganfainbergrodrigods: sorry I didn't get to reproposing the second api change there.16:56
morganfainbergI was just too tired when everything merged to do both last night.16:56
*** jistr has joined #openstack-keystone16:56
rodrigodsmorganfainberg, no problem, not a big deal changing it. Thanks for reproposing the other one16:56
morganfainbergYeah, markdown is easier to write, rst is a better format.16:57
openstackgerritRodrigo Duarte proposed a change to openstack/keystone-specs: API documentation for Inherited Roles to Projects  https://review.openstack.org/13027716:59
*** gyee has joined #openstack-keystone17:01
*** marcoemorais has joined #openstack-keystone17:02
rodrigodslbragstad, henrynash, guess the second HM patch is ready to +A? https://review.openstack.org/#/c/117785/17:02
rodrigodsmorganfainberg, if you want to take a look in it as well ^17:02
lbragstadrodrigods: I'll add it to the queue17:03
rodrigodslbragstad, ++17:03
rodrigodslbragstad, not big changes since your +2, just a method renaming17:03
*** vejdmn has quit IRC17:04
*** vejdmn has joined #openstack-keystone17:04
lbragstadrodrigods: cool17:04
*** jsavak has joined #openstack-keystone17:04
*** browne has joined #openstack-keystone17:05
*** joesavak has quit IRC17:08
*** harlowja_away is now known as harlowja17:16
*** mrmoje has joined #openstack-keystone17:16
morganfainbergrodrigods: def will look.17:17
morganfainbergUnless it's merged before I get a I my desk. :)17:18
rodrigodsmorganfainberg, hehe thanks17:18
*** browne has quit IRC17:21
openstackgerritAlexander Makarov proposed a change to openstack/keystone: Trust redelegation  https://review.openstack.org/12689717:31
*** zzzeek has quit IRC17:33
*** radez_g0n3 is now known as radez17:36
*** marcoemorais has quit IRC17:37
*** wwriverrat has left #openstack-keystone17:41
*** vejdmn has quit IRC17:42
*** marcoemorais has joined #openstack-keystone17:43
*** dims__ has quit IRC17:45
*** dims has joined #openstack-keystone17:45
*** dims has quit IRC17:46
*** dims has joined #openstack-keystone17:46
nkindermorganfainberg: how acceptable would it be to allow the domain_id to accept names or ids for calls like 'list users'?17:47
morganfainbergnkinder, in what context?17:47
morganfainbergnkinder, from the REST API or in the client or???17:47
nkindermorganfainberg: It would need to be API.  Here's the scenario...17:47
nkinderWhen I use OSC with domains and the v3 policy, my domain admin needs to manage users, groups, and projects within their domain17:48
nkinderA domain admin is not able to look up the domain objects themselves17:48
nkinderIf I have an 'ipa' domain, I can't do 'openstack user list --domain ipa', as names aren't accepted17:48
*** vejdmn has joined #openstack-keystone17:49
nkinderI need to know my domain id and remember/write it down17:49
nkinderI also can't look up my domain id17:50
nkinderThat's only allowed by the cloud admin (not domain admin)17:50
nkindermorganfainberg: So this is really a usability issue with domains, and it would be much nicer if we had a way to just specify the domain by name in the REST API17:51
morganfainbergnkinder, can't you do a get domain by name already?17:51
morganfainbergand why is get domain by name only available to cloud admin?17:51
nkindermorganfainberg: there may be a client bug there (it uses list domains to look it up instead of just doing a get)17:51
morganfainbergah17:51
nkindermorganfainberg: confirming that in the policy now...17:52
morganfainbergi think keystoneclient has some of this logic already17:52
nkinderThe client should be fixed to not use 'list_domain'17:52
jamielennoxhmm?17:52
morganfainbergbut honestly haven't loo... oh hi jamielennox !17:52
nkinderI fixed a bunch of those issues in OSC last week, but not for domain show17:52
jamielennoxi have an irc alert for keystoneclient - i sometimes think i should turn it off17:52
morganfainbergjamielennox, kindof like i have one for "keystone" ;)17:53
nkindermorganfainberg: still, wouldn't it be a better experience to allow just specifying the name instead of making two calls?17:53
jamielennoxmorganfainberg: ah, that would get annoying17:53
morganfainbergnkinder, it should be a separate call17:53
morganfainbergnkinder, what if I have a domain called asdfasdf123417:53
morganfainbergand somehow the uuid ended up looking the same17:53
morganfainbergooor i used uuid.uuid4().hex to generate a name for the domain17:54
nkindermorganfainberg: there's nothing wrong with that17:54
morganfainberghow do you know if it's an id or a name then?17:54
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Convert authentication into a plugin  https://review.openstack.org/11585717:54
morganfainbergif the REST api has to guess17:54
nkindermorganfainberg: so you're worried about collisions between name and id?17:54
morganfainbergnkinder, basically i don't want the API to have to guess which one you mean17:54
jamielennoxanything i can help with- otherwise i'm out17:54
nkindermorganfainberg: to avoid collisions, we would need a separate parameter in the REST calls (domain_id and domain_name)17:55
morganfainbergjamielennox, nah we're good.17:55
morganfainbergnkinder, that would be fine.17:55
jamielennoxalright17:55
*** jamielennox has quit IRC17:55
morganfainbergnkinder, unless there is already a way to accomplish this. (i'd need to look)17:55
*** jamielenz is now known as jamielennox17:55
morganfainbergnkinder, while the end user experience is not as simple, the overall design and consistency is better if you know what you're asking for17:56
morganfainbergif you know your domain name, ask for the information via the name, don't ask via the ID field and hope you get something useful back17:56
*** aix has quit IRC17:56
morganfainbergsimilar thoughts on the inverse17:56
nkindermorganfainberg: makes sense17:57
nkindermorganfainberg: the corner case to watch out for is when someone specifies both id and name.  We would want to reject that17:57
morganfainbergnkinder, likely this needs to be a separate API call.17:57
morganfainbergGET domain/{domain_id} is for ids17:57
morganfainbergnot sure what the by-name version looks like17:58
*** amcrn has joined #openstack-keystone17:58
morganfainbergget domain/{domain_id_but_really_a_name}?query_by_name  is equally bad imo17:58
nkindermorganfainberg: I'm thinking more GET v3/users17:58
nkindermorganfainberg: that has a 'domain_id' param17:58
morganfainbergnkinder, ah sure.17:59
morganfainbergdomain names are unique17:59
morganfainbergthat is a fine place to have either/or17:59
nkinderwe would just need to add a 'domain_name' optional param17:59
morganfainbergand if both are specified yeah, 40017:59
nkindermorganfainberg: ok, cool.  I'm assuming this needs a spec?17:59
morganfainbergnkinder, yes, if it changes the API it absolutely needs a spec17:59
nkindermorganfainberg: cool, I'll work on writing one up17:59
nkindermorganfainberg: I'll also fix OSC to not do a 'list domains' when you try to show a domain18:00
morganfainberggood plan18:01
morganfainbergif that doesn't have an option, we might need to add a way to get domain by name18:01
morganfainbergdomain is a special case since both name and id are unique (compared to say projects, or users)18:01
*** jamielennox has quit IRC18:01
nkindermorganfainberg: though we have this - "identity:get_domain": "rule:cloud_admin"18:01
afaranhaDid anyone notice this bug in the policy rules? In the v3 policy I replaced this rule: "admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner" for this "admin_or_owner": "(role:admin and domain_id:%(target.token.user.domain.id)s) or rule:owner" and then got an error running keystone.tests.test_v3_auth.TestTokenRevokeSelfAndAdmin.test_user_revokes_own_token18:02
nkindermorganfainberg: so I guess it's pointless to avoid the 'list domains' unless we change policy18:02
afaranhabefore this I didn't get this error18:02
morganfainbergnkinder, ugh. we *HAVE* to get to a smarter policy18:02
nkindermorganfainberg: I think show domain should be allowed for an 'admin' of the matching domain18:03
*** afaranha has left #openstack-keystone18:03
nkindermorganfainberg: yet another fix I can propose...18:03
*** afaranha has joined #openstack-keystone18:03
stevemaraf<tab> left the channel before i could answer :(18:03
nkindermorganfainberg: I better shut up before my to-do list gets any longer... :)18:03
nkinderstevemar: you have a second chance.... :)18:04
stevemarafaranha, there you are18:06
stevemarafaranha, you changed it from rule:admin_required to role:admin18:07
notmynameis the keystone v3 API new in juno, or did it exist in icehouse? (in a prod-ready sense, not a preview)18:07
*** dims has quit IRC18:07
notmynamemorganfainberg: ^18:07
morganfainbergnotmyname, Keystone V3 has been available and workable since i think Grizzly or Havana18:08
stevemarthe testTokenRevokeSelfAndAdmin sounds like it uses the Admin token to revoke tokens, but the admin token carries no role data with it18:08
notmynamemorganfainberg: ah, ok. thanks18:08
*** dims has joined #openstack-keystone18:08
stevemarso it would fail that policy check, afaranha ^18:08
morganfainbergnotmyname, juno has been the big push to get everyone moved over to using it18:08
*** afaranha has quit IRC18:08
morganfainbergnotmyname, and similar for Kilo, we want to deprecate V2.0 keystone api18:08
notmynameah, interesting18:08
morganfainbergnotmyname, the v3 api solves a lot of issues the v2 api couldn't solve w/o breaking the contract18:09
morganfainbergnotmyname, if all goes well, we'll have full v3 support across the board in Kilo, and we can mark V2 api as deprecated, with planned obsolescence around 2 cycles out. removal pending "when we think we can without riots"18:10
notmynamegood luck with that ;-)18:11
*** jogo has left #openstack-keystone18:11
notmynamethanks for the info :-)18:12
morganfainbergnotmyname, if everything is using V3 say in K, and we deprecate, by M we should likely be able to say "guys... stop using this, no really we mean it... we aren't maintaining it - you should have moved to v3 2 cycles ago"18:12
*** thedodd has quit IRC18:12
*** gokrokve has quit IRC18:12
*** _cjones_ has quit IRC18:15
*** _cjones_ has joined #openstack-keystone18:15
*** afaranha has joined #openstack-keystone18:17
*** radez is now known as radez_g0n318:18
afaranhastevemar: but the rule:admin_required is defined as "role:admin", so it's the same, isn't it?18:18
openstackgerritNathan Kinder proposed a change to openstack/keystone: Allow domain admin to show their own domain  https://review.openstack.org/13029818:19
stevemarafaranha, nah, "admin_required": is "role:admin or is_admin:1",18:19
stevemarusing the ADMIN_TOKEN from your config file sets is_admin to true :)18:19
afaranhastevemar: not in v3cloudsample https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L218:19
stevemari don't think that is used in the tests18:20
*** _cjones_ has quit IRC18:20
afaranhaIn this test it uses it, because I'm replacing the v3cloudsample to a new one, and I'm changing the v3 policy to pass the tests18:21
vsilvahey stevemar, we were discussing (real) federation tests and I remember you were wishing for those. What's your take on how it should be done? Functional along with a new testing "framework" or integrated with tempest?18:22
*** nellysmitt has joined #openstack-keystone18:22
vsilvaThere should be a discussion about that on the summit, I'm just gathering some info beforehand18:23
stevemarafaranha, then we need to evaluate if we want ADMIN_TOKEN to be able to revoke stuff18:23
afaranhastevemar, I got this error when I was changing the policy sample, but I just adjust the rule to: "admin_or_owner": "rule:owner or (role:admin and domain_id:%(target.token.user.domain.id)s)" and it works, just replacing the orders of the rules18:23
stevemarvsilva, i was going to put up a keystone-spec for that, it might be a bit general18:23
*** nellysmi_ has quit IRC18:24
stevemarvsilva, so i don't know too much about how the 3rd party CI tests run18:25
stevemarand i'm not convinced that tempest is the right spot18:25
stevemarmaybe it is18:25
stevemarbut we might want to just make a functional test suite that is fired off against a devstack cloud, the only problem is the idp setup18:26
stevemarin short, i don't know :(18:26
vsilvastevemar, I was going to work on that but since we still don't have that decision I figured I could at least put up a doc comparing the two approaches. Any other pros/cons you see in any?18:27
vsilvamorganfainberg, marekd ^18:27
*** thedodd has joined #openstack-keystone18:28
stevemari like the functional test idea, simply because i've already done that with openstackclient18:28
morganfainbergstevemar, i'm thinking that functional is where it's going to need to go18:28
morganfainbergbut... i am willing to discuss more at the summit since we need to address how all of our testing is done.18:28
morganfainberg3rd party CI is also acceptable, but i think there are other cases 3rd party ci will make more sense. k2k and federation (in general) should be something that we have tests showing it works in-tree (or at least in the functional grouping)18:29
nkindermorganfainberg: ok, turns out OSC is doing the correct thing with 'domain show' - https://bugs.launchpad.net/python-openstackclient/+bug/138437118:29
uvirtbotnkinder: Error: Could not parse data returned by Launchpad: _ssl.c:489: The handshake operation timed out18:29
morganfainbergnkinder, so maybe we should provide an interface to get domain by name18:29
nkindermorganfainberg: so there's just the policy change I proposed a patch for, and then the other API changes I need to write a spec for18:30
nkindermorganfainberg++18:30
*** __TheDodd__ has joined #openstack-keystone18:30
nkindermorganfainberg: might be a bit tricky for RBAC18:30
*** jamielennox has joined #openstack-keystone18:30
nkindermorganfainberg: we'd need to look up the id by name, then compare it to the domain id in the token before returning anything18:31
morganfainbergnkinder, we have a lot of that capability already18:31
morganfainbergthe @protected decorator (or is it filterprotected) is pretty smart18:31
nkindermorganfainberg: I thought someone recently mentioned that we don't look up the target from the database before RBAC18:32
nkindermorganfainberg: I was under the impression we did from reading the code a little while back though18:32
morganfainbergwe *can* do that with callbacks18:32
nkindermorganfainberg: I'll investigate when I write the spec18:32
morganfainbergit's possible to say match <thing> from context against <returned ref>18:33
*** thedodd has quit IRC18:33
rodrigodsis there a reason for keystonemiddleware to try  parsing everything to json?18:34
morganfainbergrodrigods, what other format would middleware use?18:34
morganfainbergsince mostly it's only caring about the token, which is JSON serialized18:34
rodrigodsmorganfainberg, hmm GET OS-FEDERATION/saml2/metadata for example18:35
rodrigodsit has a XML body18:35
morganfainbergbut keystonemiddleware doesn't interact with that18:35
morganfainbergkeystonemiddleware only sits in front of non-keystone endpoints.18:35
morganfainberg(this is auth_token)18:36
rodrigodsmorganfainberg, not keystonemiddleware, sorry. Middleware core from keystone =)18:36
morganfainbergif you're talking about keystone.middleware.core, the auth_context middleware (keystone server specific)18:36
morganfainbergah18:36
morganfainbergbecause we don't support XML directly (except in some limited special usecases). with Federation/SAML2 we rely on mod_shib to do most of the heavy lifting in decoding/handling the xml, for issuing the XML body there is a special case18:37
rodrigodsmorganfainberg, this seems one of those limited special usecases18:38
rodrigodscan you give an example? So I can figure out how to fix it.... The issue is causing the SP to never receive the Keystone IdP metadata, unless we copy it manually18:39
morganfainbergrodrigods, we might need to exempt that call specifically if it doesn't work.18:39
morganfainbergspecial case as in, we make it a special case if needed ;)18:40
rodrigodsmorganfainberg, should I start by reporting a bug?18:40
morganfainbergrodrigods, if it's a legitimate bug, yes.18:41
rodrigodsmorganfainberg, looks like one to me18:41
morganfainbergthen yep, report a bug :)18:41
rodrigodscool18:41
afaranhastevemar, I reported a bug detailing the problem, could you check?18:45
afaranhahttps://bugs.launchpad.net/keystone/+bug/138437718:45
uvirtbotLaunchpad bug 1384377 in keystone "Policy rule position errors" [Undecided,New]18:45
*** amakarov is now known as amakarov_away18:45
stevemarafaranha, sure dude, morganfainberg cc ^18:45
gordcstevemar: in https://review.openstack.org/#/c/102958/, which docs are you referring to?18:48
afaranhastevemar, thanks :)18:48
*** gabriel-bezerra has joined #openstack-keystone18:48
rodrigodsmorganfainberg, stevemar https://bugs.launchpad.net/keystone/+bug/138438218:49
uvirtbotLaunchpad bug 1384382 in keystone "GET /OS-FEDERATION/saml2/metadata does not work" [Undecided,New]18:49
stevemargordc, these: http://docs.openstack.org/developer/pycadf/middleware.html18:50
gordcstevemar: cool cool. will do18:50
gordcstevemar: in a separate patch?18:53
stevemargordc, sure18:53
gordcstevemar: also, i added a question18:53
stevemargordc, 4218:53
*** _cjones_ has joined #openstack-keystone18:53
gordcstevemar: i've never seen that movie... or book... or whatever it comes from.lol18:54
gordcjackie robinson?18:54
stevemarhitchhikers guide18:54
gordche broke the colour barrier. :)18:54
stevemaryou're out in left field, pun intended18:54
gordclol18:55
stevemargordc, http://en.wikipedia.org/wiki/Phrases_from_The_Hitchhiker's_Guide_to_the_Galaxy#Answer_to_the_Ultimate_Question_of_Life.2C_the_Universe.2C_and_Everything_.2842.2918:55
gordcstevemar: http://en.wikipedia.org/wiki/Jackie_Robinson18:56
stevemargordc, yes i'm aware of that lol18:56
gordci don't know how to link in wikipedia but you get the point18:56
openstackgerritgordon chung proposed a change to openstack/keystonemiddleware: add context to keystonemiddleware  https://review.openstack.org/13031219:01
*** amcrn has quit IRC19:01
*** joesavak has joined #openstack-keystone19:07
*** david-lyle_ has joined #openstack-keystone19:07
*** jsavak has quit IRC19:08
*** david-lyle has quit IRC19:09
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements  https://review.openstack.org/12776519:11
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/13032019:11
*** _cjones_ has quit IRC19:12
*** _cjones_ has joined #openstack-keystone19:13
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Use correct name of oslo debugger script  https://review.openstack.org/13004519:15
openstackgerritOpenStack Proposal Bot proposed a change to openstack/pycadf: Updated from global requirements  https://review.openstack.org/13032919:16
*** _cjones_ has quit IRC19:17
*** david-lyle_ is now known as david-lyle19:18
openstackgerritSteve Martinelli proposed a change to openstack/keystonemiddleware: Use correct name of oslo debugger script  https://review.openstack.org/13004619:19
*** tellesnobrega has joined #openstack-keystone19:19
*** _cjones_ has joined #openstack-keystone19:22
openstackgerritSteve Martinelli proposed a change to openstack/python-keystoneclient: Use oslo_debug_helper and remove our own version  https://review.openstack.org/12010419:22
*** dims has quit IRC19:29
*** dims has joined #openstack-keystone19:30
*** dims has quit IRC19:34
*** jamielennox has quit IRC19:36
*** pc-m has quit IRC19:39
openstackgerritgordon chung proposed a change to openstack/keystonemiddleware: Adding audit middleware to keystonemiddleware  https://review.openstack.org/10295819:49
*** dims has joined #openstack-keystone19:57
openstackgerritgordon chung proposed a change to openstack/keystonemiddleware: documentation for audit middleware  https://review.openstack.org/13034420:07
openstackgerritgordon chung proposed a change to openstack/keystonemiddleware: add context to keystonemiddleware  https://review.openstack.org/13031220:09
openstackgerritgordon chung proposed a change to openstack/keystonemiddleware: documentation for audit middleware  https://review.openstack.org/13034420:12
openstackgerritgordon chung proposed a change to openstack/keystonemiddleware: Adding audit middleware to keystonemiddleware  https://review.openstack.org/10295820:12
*** meker12_ has quit IRC20:12
openstackgerritgordon chung proposed a change to openstack/keystonemiddleware: documentation for audit middleware  https://review.openstack.org/13034420:12
gordcstevemar: i just realised i never created a bp even though spec got merged: https://blueprints.launchpad.net/keystonemiddleware/+spec/audit-middleware20:13
stevemargordc, shit, i'ma -2 everything of yours now20:17
stevemarget that paper work done!20:17
gordclol20:21
gordcwell the spec is in20:21
gordcstevemar: it just didn't autocreate a bp i guess20:21
gordcuse your approve powers20:22
gordchttps://github.com/openstack/keystone-specs/blob/master/specs/keystonemiddleware/audit-middleware.rst20:22
*** r1chardj0n3s_afk is now known as r1chardj0n3s20:24
bknudsondo we actually need 2 +2 for OpenStack Proposal Bot's Updated from global requirements ?20:25
*** amcrn has joined #openstack-keystone20:26
*** amcrn has quit IRC20:26
gordcbknudson: give it a try and see if someone starts yelling. :)20:32
morganfainbergbknudson, no20:32
morganfainbergbknudson, 1x+2 is enough20:32
morganfainbergsame for translations20:32
*** amcrn has joined #openstack-keystone20:33
*** gokrokve has joined #openstack-keystone20:35
bretonmorganfainberg: hey20:38
morganfainbergbreton, pong20:38
bretonmorganfainberg: what about approach on https://blueprints.launchpad.net/keystone/+spec/alembic ?20:38
morganfainbergbreton, you're working on it :), it is just a "how do we get from here to there"20:39
morganfainbergmy comment was because i was sweeping up the BPs, making sure i knew i had looked at/addressed that one20:39
bretonoh, ok. I also wondered whether someone could assign the bp to me20:40
*** meker12 has joined #openstack-keystone20:40
morganfainbergi think you can assign the bp to yourself.20:40
morganfainbergi *think*20:41
bretonI can't20:41
morganfainbergare you logged into LP?20:41
morganfainbergand more importantly, what is your LP account [i'm happy to assign it over]20:41
bretonI am. It's bbobrov20:42
morganfainbergassigned20:42
bretoncool, thanks20:42
*** NM has quit IRC20:43
*** meker12 has quit IRC20:43
*** nellysmitt has quit IRC20:44
*** meker12 has joined #openstack-keystone20:44
*** jistr has quit IRC20:46
*** NM has joined #openstack-keystone20:47
*** NM has quit IRC20:48
morganfainbergstevemar, is it possible to make http://specs.openstack.org/openstack/keystone-specs/ have the sections collapsible, (e.g. so we can make the "implemented" and/or "past" releases all collapsed.20:51
stevemarthats a good question20:52
morganfainbergor even maybe move to "past" specs where we have the past specifications listed etc20:52
morganfainbergyou know, make the UX better (no rush on it, but just was thinking)20:52
morganfainbergespecially with the API specs now being in there20:53
*** vejdmn has quit IRC20:53
stevemarmorganfainberg, lemme dig into it20:53
morganfainbergstevemar, my thought is we probably want to make implemented specs a separate page which would contain links for each past release and the list for middleware/client. the collapse a section would be a nice add, but not as important if done like that20:54
*** zzzeek has joined #openstack-keystone20:54
bknudsonnkinder: I heard back from our product team. They're using user_additional_attribute_mapping , and only using it for description.20:58
nkinderbknudson: ok, thanks for checking.  I haven't looked, but did you add an explicit option for mapping description?20:58
nkinderbknudson: it would be nice to use that instead of an additional mapping20:59
bknudsonnkinder: no, why add an explicit option when there's additional_attribute_mapping?20:59
*** boris-42 has quit IRC21:00
*** tellesnobrega has quit IRC21:04
*** meker12 has quit IRC21:06
*** boris-42 has joined #openstack-keystone21:06
nkinderbknudson: why have explicit mappings for any of the other items either then?21:08
bknudsonnkinder: legacy21:09
bknudsonit was already there21:09
*** david-lyle_ has joined #openstack-keystone21:10
*** david-lyle has quit IRC21:11
*** joesavak has quit IRC21:14
*** nkinder has quit IRC21:24
*** mrmoje has quit IRC21:26
*** packet has quit IRC21:30
*** david-lyle_ is now known as david-lyle21:31
openstackgerritA change was merged to openstack/pycadf: Updated from global requirements  https://review.openstack.org/13032921:35
*** marcoemorais has quit IRC21:43
*** marcoemorais1 has joined #openstack-keystone21:43
*** marcoemorais1 has quit IRC21:45
*** marcoemorais has joined #openstack-keystone21:45
openstackgerritDolph Mathews proposed a change to openstack/keystone: remove XML middleware from default paste config  https://review.openstack.org/13037121:53
morganfainbergdolphm, :( my first world problem is making me sad.21:56
morganfainbergdolphm, i'm too used to retina displays now.21:56
*** thiagop has quit IRC21:56
dolphmmorganfainberg: what, did you go antique shopping?21:56
stevemarhe bought a thinkpad21:57
stevemarself-burn!21:57
morganfainbergdolphm, no the thunderbolt display looks icky compared to the retina display on the MBPr21:57
dolphmoh just sit back21:57
morganfainbergdolphm, and i was playing with a iMac 5k when i was getting the key caps on my laptop replaced due to chipping.21:57
dolphmi still use a thunderbolt at work :P21:57
dolphmmorganfainberg: oh well then you've been scarred21:57
dolphmthat's not reversible21:57
morganfainbergi just dusted my thunderbolt display off after ... uh... i joined HP ~6mo ago21:57
dolphmwha21:58
morganfainberg2x thunderbolt displays have been gathering dust since i changed jobs21:58
morganfainbergjust never set them up when i moved all my stuff back home from the office21:58
morganfainbergand i have a 30" dell monitor too in a box somewhere (the photo calibrated one)21:59
morganfainbergi should sell off some of this gear :P21:59
dolphmooh which dell22:00
dolphmU3011?22:00
morganfainberglet me check it's a u30XX something22:00
morganfainbergyep a u301122:01
morganfainbergbeen in a box for... 2yrs now? 2.5 yrs?22:01
openstackgerritA change was merged to openstack/keystone: Updated from global requirements  https://review.openstack.org/12776522:02
morganfainbergsince i moved from santa monica so 2.5years or so just gathering dust.22:02
dolphmi wanted one of those forever - i ended up settling for a higher frequency monitor instead of a high res one22:04
dolphmwe have a ton of ultrasharps at work, i love them22:04
dolphmnever owned one myself22:04
morganfainbergi got it when i was doing photographic stuff (when i worked for blizzard)22:05
morganfainbergwas super nice to have a calibrated monitor22:05
morganfainbergand since all my camera gear was stolen since i haven't really needed to pull the thing out.22:05
*** marcoemorais has quit IRC22:07
*** marcoemorais has joined #openstack-keystone22:08
stevemarmorganfainberg, so i found something22:11
morganfainberg?22:11
stevemara sphinx extension: http://scopatz.github.io/hiddencode/22:11
stevemarit's one file: https://github.com/scopatz/hiddencode22:11
openstackgerritwerner mendizabal proposed a change to openstack/keystone-specs: This blueprint details the work required for Multi-factor Authentication  https://review.openstack.org/13037622:12
stevemarmorganfainberg, thats about as close as we are going to get for collapsible section22:12
stevemars22:12
openstackgerritwerner mendizabal proposed a change to openstack/keystone-specs: This blueprint details the work required for Multi-factor Authentication  https://review.openstack.org/13037622:12
*** sigmavirus24 is now known as sigmavirus24_awa22:13
morganfainbergstevemar, what about splitting up to "active" and "implemented/past release cycles"?22:13
stevemarmorganfainberg, thats the other options22:14
morganfainbergmight be easier / cleaner?22:14
stevemaryeah22:14
stevemari just dug into that to make sure i wasn't missing something, and it was kinda interesting :)22:14
stevemaralbeit, pointless22:15
*** gordc has quit IRC22:16
*** __TheDodd__ has quit IRC22:17
morganfainbergdolphm, second question, upgrade to Yosemite -> do you have issues with gdbm not being available for testr?22:19
dolphmmorganfainberg: i can't get past missing sasl headers22:19
*** adam_g is now known as adam_g_gone22:19
morganfainbergdoh!22:20
dolphmmorganfainberg: apparently mavericks included sasl.h, and yosemite doesn't, but i installed openldap with no luck22:20
morganfainbergweird22:20
dolphmmorganfainberg: anyway, i can't install python-ldap22:20
morganfainbergi'm not having that issue.22:20
dolphmmorganfainberg: so haven't gotten as far as tests22:20
* morganfainberg shrugs.22:20
*** marcoemorais has quit IRC22:20
dolphmmorganfainberg: clean install or upgrade?22:21
*** marcoemorais has joined #openstack-keystone22:21
morganfainbergupgrade.22:21
morganfainbergcouldn't afford a clean install. too time intensive.22:21
dolphmpip install python-ldap http://pasteraw.com/ql2o3s5zv5vz3wux8q1w00on8rnjqc22:21
morganfainbergbut i also did beta -> GM upgrade.22:21
morganfainbergand had beta of xcode for a while.22:21
dolphmthe "defines: HAVE_SASL" suggests that something is already awry because have NO sasl apparently22:22
morganfainbergdolphm, http://paste.openstack.org/show/123326/22:22
morganfainbergnew VENV22:22
morganfainbergand my brew list is: autoconf automake libgpg-error libksba libtool libyaml makedepend openssl pkg-config readline22:23
morganfainbergbut i don't think i have any linked22:23
gyeeI am about to upgrade to Yosemite, should I hold off?22:25
morganfainberggyee do you use a VM to run tests?22:25
morganfainbergif the answer is "yes" no worries.22:25
openstackgerritSteve Martinelli proposed a change to openstack/keystone-specs: Create a seperate page for old specs  https://review.openstack.org/13037922:25
morganfainbergif the answer is "no" you might want to wait22:25
dolphmmorganfainberg: hmm, your python-ldap is built with cc, mine uses clang22:26
gyeemorganfainberg, my other options is virtualbox22:26
stevemarmorganfainberg, dolphm https://review.openstack.org/#/c/130379/ ^22:26
gyeeI have VB running on Mac as well22:26
morganfainbergdolphm, ohh22:26
morganfainbergdolphm, ARCHFLAGS=-Wno-error=unused-command-line-argument22:26
*** marcoemorais has quit IRC22:26
morganfainbergdolphm, the "fix" for mavericks changed to that22:26
stevemari think it looks better organized now :)22:27
*** bknudson has quit IRC22:27
dolphmwhat is that the fix for?22:27
morganfainbergcli tools doing stupid things other compilers don't do22:27
morganfainberghm. cc = clang for me22:28
morganfainberg(VENV)nullptr:work morgan$ cc22:28
morganfainbergclang: error: no input files22:28
dolphmoh same here22:28
stevemarmorganfainberg, is this what you were thinking of: http://docs-draft.openstack.org/79/130379/1/check/gate-keystone-specs-docs/fa3779f/doc/build/html/22:29
*** david-lyle_ has joined #openstack-keystone22:30
*** david-lyle has quit IRC22:30
morganfainbergdolphm, do you have /usr/include/sasl ?22:31
morganfainbergdolphm, if you do, then it's that ARCHFLAG thing22:31
morganfainbergin mavericks i needed ARCHFLAGS=-Wno-error=unused-command-line-argument-hard-error-in-future22:31
morganfainbergstevemar, pretty much spot on22:32
dolphmmorganfainberg: i have no /usr/include/22:32
morganfainbergdolphm, did you reinstall latest xcode and did the whole SDK install?22:32
morganfainbergxcode-select --install or whatever it is22:33
dolphmi upgraded xcode, i think via app store22:33
morganfainbergyou need to do some re-install magic on upgrade even from app store22:33
stevemaryee haw22:33
dolphmmorganfainberg: oh alrighty, doing that now22:33
morganfainbergdolphm, all sorts of things were somewhat broken when i just upgraded w/o the install22:34
*** marcoemorais has joined #openstack-keystone22:35
*** amerine has joined #openstack-keystone22:37
dolphmmorganfainberg: yay, thanks!22:39
morganfainbergdolphm, :)22:39
*** jorge_munoz has quit IRC22:40
*** stevemar has quit IRC22:40
*** jorge_munoz has joined #openstack-keystone22:41
*** dims_ has joined #openstack-keystone22:44
*** dims_ has quit IRC22:45
*** dims_ has joined #openstack-keystone22:46
*** dims has quit IRC22:47
*** r-daneel has quit IRC22:50
*** dims_ has quit IRC22:50
morganfainbergdolphm, i'd totally get a iMac 5k, but i don't want to spend 5k on a computer :P22:51
dolphmmorganfainberg: no worries. they'll make a 5k display soon and then you can spend 4k on a monitor22:52
morganfainberghaha22:53
morganfainbergi'd need to sell my ~$$$$ in monitors first22:53
morganfainberg:(22:53
dolphmmaybe it'll have a built in last gen apple tv22:53
morganfainbergright?!22:53
morganfainbergjust what i always wanted... an AppleTV in my monitor!22:53
* morganfainberg should call my buddy who works at Apple... i mean he works on Siri, thats the same thing as AppleTV and Monitors, right?22:54
openstackgerritDolph Mathews proposed a change to openstack/keystone: remove XML middleware from default paste config  https://review.openstack.org/13037122:54
dolphmmorganfainberg: with siri you don't need a monitor, duh22:54
morganfainbergright!22:54
morganfainbergit's like having closed captions on,... and being read to you... by an au.. i'll just see myself out22:55
dolphmmorganfainberg: i bet he has a lifesize siri22:55
*** marcoemorais has quit IRC23:03
*** marcoemorais has joined #openstack-keystone23:04
*** marcoemorais has quit IRC23:04
*** marcoemorais has joined #openstack-keystone23:04
*** marcoemorais has quit IRC23:06
*** marcoemorais has joined #openstack-keystone23:07
*** gokrokve_ has joined #openstack-keystone23:09
*** gokrokve has quit IRC23:12
*** diegows has quit IRC23:13
*** lhcheng has quit IRC23:18
*** marcoemorais has quit IRC23:19
*** lhcheng has joined #openstack-keystone23:19
*** henrynash has quit IRC23:27
*** gokrokve_ has quit IRC23:27
*** tellesnobrega has joined #openstack-keystone23:34
*** marcoemorais has joined #openstack-keystone23:41
*** gokrokve has joined #openstack-keystone23:43
*** dims has joined #openstack-keystone23:44
rodrigodsdolphm, just saw your response at ml, do you have some time to take a look at https://bugs.launchpad.net/keystone/+bug/1384382 ?23:46
uvirtbotLaunchpad bug 1384382 in keystone "GET /OS-FEDERATION/saml2/metadata does not work" [Undecided,New]23:46
*** gyee has quit IRC23:57
