Wednesday, 2014-10-22

*** NM has quit IRC		00:00
*** gokrokve has quit IRC		00:00
*** meker12 has quit IRC		00:20
*** huats_ has quit IRC		00:20
*** alee has quit IRC		00:20
*** afaranha has quit IRC		00:20
*** jamielennox has quit IRC		00:20
*** jacer_huawei has quit IRC		00:20
*** packet has quit IRC		00:20
*** lhcheng has quit IRC		00:20
*** navid_ has quit IRC		00:20
*** arunkant has quit IRC		00:20
*** amakarov_away has quit IRC		00:20
*** vishy has quit IRC		00:20
*** adam_g has quit IRC		00:20
*** ctracey has quit IRC		00:20
*** jraim has quit IRC		00:20
*** arif-ali has quit IRC		00:20
*** zigo has quit IRC		00:20
*** r-daneel has quit IRC		00:20
*** diegows has quit IRC		00:20
*** rm_work has quit IRC		00:20
*** hockeynut has quit IRC		00:20
*** HenryG has quit IRC		00:20
*** dtroyer has quit IRC		00:20
*** comstud has quit IRC		00:20
*** zhiyan has quit IRC		00:20
*** marekd has quit IRC		00:20
*** boris-42 has quit IRC		00:20
*** cjellick has quit IRC		00:20
*** rwsu has quit IRC		00:20
*** larsks has quit IRC		00:20
*** raildo has quit IRC		00:20
*** harlowja has quit IRC		00:20
*** f13o has quit IRC		00:20
*** vsilva has quit IRC		00:20
*** DavidHu__ has quit IRC		00:20
*** jorge_munoz has quit IRC		00:20
*** anteaya has quit IRC		00:20
*** dhellmann has quit IRC		00:20
*** mitz_ has quit IRC		00:20
*** Guest28430 has quit IRC		00:20
*** morganfainberg has quit IRC		00:20
*** d0ugal has quit IRC		00:20
*** nkinder has quit IRC		00:20
*** samuelms has quit IRC		00:20
*** xianghui has quit IRC		00:20
*** jamiec has quit IRC		00:20
*** csd has quit IRC		00:20
*** ekarlso has quit IRC		00:20
*** rharwood has quit IRC		00:20
*** rodrigods has quit IRC		00:20
*** palendae has quit IRC		00:20
*** dims_ has quit IRC		00:20
*** gyee has quit IRC		00:20
*** richm has quit IRC		00:20
*** openstackgerrit has quit IRC		00:20
*** htruta has quit IRC		00:20
*** wpf has quit IRC		00:20
*** gsilvis has quit IRC		00:20
*** _cjones_ has quit IRC		00:20
*** amcrn has quit IRC		00:20
*** breton has quit IRC		00:20
*** kevinbenton has quit IRC		00:20
*** marcoemorais has quit IRC		00:20
*** stevemar has quit IRC		00:20
*** mitz has quit IRC		00:20
*** swartulv has quit IRC		00:20
*** sudorandom has quit IRC		00:20
*** spligak has quit IRC		00:20
*** mgagne has quit IRC		00:20
*** lbragstad has quit IRC		00:20
*** mhu has quit IRC		00:20
*** d34dh0r53 has quit IRC		00:20
*** sigmavirus24_awa has quit IRC		00:20
*** serverascode__ has quit IRC		00:20
*** ByteSore has quit IRC		00:20
*** redrobot has quit IRC		00:20
*** EmilienM has quit IRC		00:20
*** jdennis has quit IRC		00:20
*** jimbaker has quit IRC		00:20
*** gothicmindfood has quit IRC		00:20
*** gus has quit IRC		00:20
*** Ephur has quit IRC		00:20
*** cyeoh has quit IRC		00:20
*** dolphm has quit IRC		00:20
*** russellb has quit IRC		00:20
*** nonameentername has quit IRC		00:20
*** mfisch has quit IRC		00:20
*** lvh has quit IRC		00:20
*** BAKfr has quit IRC		00:20
*** kragniz has quit IRC		00:20
*** uvirtbot has quit IRC		00:20
*** Kieleth has quit IRC		00:20
*** soren has quit IRC		00:20
*** notmyname has quit IRC		00:20
*** dobson has quit IRC		00:20
*** r1chardj0n3s has quit IRC		00:20
*** therve has quit IRC		00:20
*** boltR has quit IRC		00:20
*** gmurphy has quit IRC		00:20
*** vhoward has quit IRC		00:20
*** charz has quit IRC		00:20
*** bjornar has quit IRC		00:20
*** grantbow has quit IRC		00:20
*** chmouel has quit IRC		00:20
*** hugokuo has quit IRC		00:20
*** esmute has quit IRC		00:20
*** radez_g0n3 has quit IRC		00:20
*** wolsen has quit IRC		00:20
*** dguerri has quit IRC		00:20
*** ChanServ has quit IRC		00:20
*** thiagop has quit IRC		00:20
*** dvorak has quit IRC		00:20
*** tristanC has quit IRC		00:20
*** jedix has quit IRC		00:20
*** dstanek has quit IRC		00:20
*** achudnovets has quit IRC		00:20
*** kevinbenton has joined #openstack-keystone		00:27
*** breton has joined #openstack-keystone		00:27
*** _cjones_ has joined #openstack-keystone		00:27
*** jogo has joined #openstack-keystone		00:27
*** jamielennox has joined #openstack-keystone		00:27
*** huats_ has joined #openstack-keystone		00:27
*** alee has joined #openstack-keystone		00:27
*** soren has joined #openstack-keystone		00:27
*** dims_ has joined #openstack-keystone		00:27
*** packet has joined #openstack-keystone		00:27
*** gyee has joined #openstack-keystone		00:27
*** boris-42 has joined #openstack-keystone		00:27
*** meker12 has joined #openstack-keystone		00:27
*** afaranha has joined #openstack-keystone		00:27
*** marcoemorais has joined #openstack-keystone		00:27
*** zigo has joined #openstack-keystone		00:27
*** lhcheng has joined #openstack-keystone		00:27
*** cjellick has joined #openstack-keystone		00:27
*** Kieleth has joined #openstack-keystone		00:27
*** nonameentername has joined #openstack-keystone		00:27
*** stevemar has joined #openstack-keystone		00:27
*** r-daneel has joined #openstack-keystone		00:27
*** richm has joined #openstack-keystone		00:27
*** diegows has joined #openstack-keystone		00:27
*** htruta has joined #openstack-keystone		00:27
*** rwsu has joined #openstack-keystone		00:27
*** larsks has joined #openstack-keystone		00:27
*** openstackgerrit has joined #openstack-keystone		00:27
*** mitz has joined #openstack-keystone		00:27
*** rm_work has joined #openstack-keystone		00:27
*** hockeynut has joined #openstack-keystone		00:27
*** navid_ has joined #openstack-keystone		00:27
*** jacer_huawei has joined #openstack-keystone		00:27
*** HenryG has joined #openstack-keystone		00:27
*** nkinder has joined #openstack-keystone		00:27
*** raildo has joined #openstack-keystone		00:27
*** samuelms has joined #openstack-keystone		00:27
*** arunkant has joined #openstack-keystone		00:27
*** jorge_munoz has joined #openstack-keystone		00:27
*** dtroyer has joined #openstack-keystone		00:27
*** swartulv has joined #openstack-keystone		00:27
*** sudorandom has joined #openstack-keystone		00:27
*** mitz_ has joined #openstack-keystone		00:27
*** spligak has joined #openstack-keystone		00:27
*** mfisch has joined #openstack-keystone		00:27
*** amakarov_away has joined #openstack-keystone		00:27
*** mgagne has joined #openstack-keystone		00:27
*** comstud has joined #openstack-keystone		00:27
*** Guest28430 has joined #openstack-keystone		00:27
*** wpf has joined #openstack-keystone		00:27
*** harlowja has joined #openstack-keystone		00:27
*** gsilvis has joined #openstack-keystone		00:27
*** morganfainberg has joined #openstack-keystone		00:27
*** thiagop has joined #openstack-keystone		00:27
*** f13o has joined #openstack-keystone		00:27
*** lvh has joined #openstack-keystone		00:27
*** sigmavirus24_awa has joined #openstack-keystone		00:27
*** vhoward has joined #openstack-keystone		00:27
*** xianghui has joined #openstack-keystone		00:27
*** jamiec has joined #openstack-keystone		00:27
*** dvorak has joined #openstack-keystone		00:27
*** anteaya has joined #openstack-keystone		00:27
*** csd has joined #openstack-keystone		00:27
*** vishy has joined #openstack-keystone		00:27
*** zhiyan has joined #openstack-keystone		00:27
*** d0ugal has joined #openstack-keystone		00:27
*** DavidHu__ has joined #openstack-keystone		00:27
*** vsilva has joined #openstack-keystone		00:27
*** lbragstad has joined #openstack-keystone		00:27
*** mhu has joined #openstack-keystone		00:27
*** d34dh0r53 has joined #openstack-keystone		00:27
*** adam_g has joined #openstack-keystone		00:27
*** serverascode__ has joined #openstack-keystone		00:27
*** ctracey has joined #openstack-keystone		00:27
*** jraim has joined #openstack-keystone		00:27
*** arif-ali has joined #openstack-keystone		00:27
*** ByteSore has joined #openstack-keystone		00:27
*** redrobot has joined #openstack-keystone		00:27
*** BAKfr has joined #openstack-keystone		00:27
*** dhellmann has joined #openstack-keystone		00:27
*** charz has joined #openstack-keystone		00:27
*** EmilienM has joined #openstack-keystone		00:27
*** jdennis has joined #openstack-keystone		00:27
*** kragniz has joined #openstack-keystone		00:27
*** ekarlso has joined #openstack-keystone		00:27
*** bjornar has joined #openstack-keystone		00:27
*** tristanC has joined #openstack-keystone		00:27
*** jimbaker has joined #openstack-keystone		00:27
*** grantbow has joined #openstack-keystone		00:27
*** jedix has joined #openstack-keystone		00:27
*** rharwood has joined #openstack-keystone		00:27
*** gothicmindfood has joined #openstack-keystone		00:27
*** gus has joined #openstack-keystone		00:27
*** Ephur has joined #openstack-keystone		00:27
*** cyeoh has joined #openstack-keystone		00:27
*** rodrigods has joined #openstack-keystone		00:27
*** dstanek has joined #openstack-keystone		00:27
*** palendae has joined #openstack-keystone		00:27
*** dolphm has joined #openstack-keystone		00:27
*** russellb has joined #openstack-keystone		00:27
*** wolsen has joined #openstack-keystone		00:27
*** radez_g0n3 has joined #openstack-keystone		00:27
*** esmute has joined #openstack-keystone		00:27
*** chmouel has joined #openstack-keystone		00:27
*** dguerri has joined #openstack-keystone		00:27
*** hugokuo has joined #openstack-keystone		00:27
*** uvirtbot has joined #openstack-keystone		00:27
*** boltR has joined #openstack-keystone		00:27
*** achudnovets has joined #openstack-keystone		00:27
*** marekd has joined #openstack-keystone		00:27
*** r1chardj0n3s has joined #openstack-keystone		00:27
*** notmyname has joined #openstack-keystone		00:27
*** dobson has joined #openstack-keystone		00:27
*** therve has joined #openstack-keystone		00:27
*** gmurphy has joined #openstack-keystone		00:27
*** ChanServ has joined #openstack-keystone		00:27
*** wolfe.freenode.net sets mode: +oo dolphm ChanServ		00:27
rodrigods	jogo, nope	00:27
rodrigods	=)	00:27
morganfainberg	jogo, it wont me marked as expirmental because we can really test it. the keystone-to-keystone federation was very hard to test cleanly and we merged stuff to "fix" it last minute so we marked that as expirimental for juno	00:27
morganfainberg	jogo, multitenancy was delayed so we didn't need to mark it expirimental	00:28
gyee	interesting, doesn't appear oslo config set_override consider the deprecated options	00:28
morganfainberg	and give it a little more time for code review.	00:28
morganfainberg	gyee, nope. it wont.	00:28
morganfainberg	gyee, don't override the deprecated option	00:28
gyee	morganfainberg, should I file a bug?	00:28
morganfainberg	gyee, worth asking dhellmann about it	00:28
morganfainberg	wouldn't hurt to file a bug	00:28
jogo	morganfainberg: thanks, w.r.t. https://review.openstack.org/#/c/129420/ I think that spec can be split into two phases	00:28
morganfainberg	but largely i didn't see a need to "set_override" on them	00:28
gyee	morganfainberg, k, will do	00:28
jogo	morganfainberg: thanks for the clarification	00:29
morganfainberg	jogo, asolutely!	00:29
morganfainberg	jogo, anytime :)	00:29
gyee	morganfainberg, nova tests use set_override	00:29
morganfainberg	jogo, and i'm still working on the novaclient stuff.	00:29
gyee	self.flags() calls set_override	00:29
morganfainberg	jogo, spent about 1/2 of today re-learning novaclient code ;)	00:29
gyee	I am working on Jamie's patch and trying to figure why the tests failed	00:29
morganfainberg	gyee, ah	00:29
gyee	he deprecated url_timout in favor of just timeout	00:30
gyee	but the tests are still calling self.flags('url_timeout'...)	00:30
gyee	let me just change them to timeout	00:30
morganfainberg	jogo, just commented on that spec	00:31
morganfainberg	jogo, and yeah laying the foundation first is a good plan.	00:31
morganfainberg	gyee, ah	00:31
morganfainberg	gyee, yeah just chang eit to use the new flags	00:32
morganfainberg	gyee, but doesn't hurt to file a bug w/ oslo on it. might be low low prio though	00:32
gyee	understood	00:32
*** dims_ has quit IRC		00:36
*** dims has joined #openstack-keystone		00:36
jogo	morganfainberg: cool beans	00:36
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystonemiddleware: Updated from global requirements https://review.openstack.org/126631	00:38
*** dims has quit IRC		00:40
openstackgerrit	Rodrigo Duarte proposed a change to openstack/keystone: Change /POST to /ECP at federation config https://review.openstack.org/130081	00:41
rodrigods	morganfainberg, http://stackalytics.com/?release=kilo&metric=commits&module=keystone-group our university in 4th place! hehe	00:42
morganfainberg	rodrigods, woot	00:42
rodrigods	morganfainberg, lots of off hours commits, though	00:42
morganfainberg	stevemar, if you don't mind takeing a look at the non-persistent token spec	00:43
morganfainberg	lets get the "how do we pull a spec forward" concept hammered out	00:44
stevemar	link me dude!	00:44
morganfainberg	https://review.openstack.org/#/c/129736/	00:44
morganfainberg	basically it's the ..NOTE:: at the top, then the work items	00:44
stevemar	rodrigods, i am so happy it worked for you :D	00:45
rodrigods	stevemar, had the same feeling when I was finally able to make ECP stuff work	00:46
rodrigods	stevemar, webs is the next step, right? was chatting with marekd about it	00:46
rodrigods	websso*	00:46
stevemar	rodrigods, 100% correct	00:47
*** gyee has quit IRC		00:48
rodrigods	stevemar, great, already have this task in my queue	00:48
rodrigods	maintain HM stuff and figure out webs internals	00:48
rodrigods	=)	00:48
*** bknudson has joined #openstack-keystone		00:48
stevemar	rodrigods, so what are you counting as a success wrt k2k :)	00:51
stevemar	just getting back a token? or were you able to use client stuff?	00:51
rodrigods	stevemar, just getting back a token	00:51
rodrigods	am i too far to create an instance, for example? =(	00:52
stevemar	rodrigods, nice	00:52
stevemar	i suppose the client stuff should still work with what we have today	00:52
stevemar	but either way, thats a big win	00:52
rodrigods	stevemar, ++	00:52
rodrigods	once I saw the token in the response	00:52
rodrigods	I just stopped everything and almost took a beer =)	00:53
*** bknudson has quit IRC		00:53
rodrigods	stevemar, tomorrow will finish the final bits and complete the tutorial	00:53
stevemar	rodrigods, i would have had 6 beers	00:53
rodrigods	and then move to websso*	00:53
rodrigods	stevemar, btw, just changed the /POST to /ECP in the configure_federation doc, if makes sense	00:54
stevemar	yep, i see the change, just double checking with the shib docs, but i think you are right	00:54
*** cjellick has quit IRC		00:55
vsilva	don´t be shy, tell them what you really did rodrigods	00:56
vsilva	he called me and was quite histeric on the phone, stevemar	00:56
vsilva	I had been overseeing him bump his head against the monitor for a few hours	00:57
vsilva	still don´t quite understand how you got it to work, rodrigods	00:57
stevemar	vsilva, haha, that is hilarious! (in a good way!)	00:57
rodrigods	vsilva, I had to disable the security policy stuff, guess that we were not properly using SSL	00:58
rodrigods	stevemar, ^	00:58
stevemar	rodrigods, next time i see you, i owe you many drinks of your choice	00:58
vsilva	see rodrigods, I told you two places where the problem could be	00:58
rodrigods	stevemar, #openstack-keystone has a log! remember! hehe	00:59
vsilva	I´m glad you didn´t consider them because it wasn´t any of those	00:59
vsilva	lol	00:59
stevemar	hehe	00:59
*** amaurymedeiros has joined #openstack-keystone		01:03
*** bknudson has joined #openstack-keystone		01:06
*** packet has quit IRC		01:08
*** gokrokve has joined #openstack-keystone		01:10
*** david-lyle has joined #openstack-keystone		01:11
*** packet has joined #openstack-keystone		01:12
*** marcoemorais has quit IRC		01:13
*** gokrokve has quit IRC		01:16
*** meker12 has quit IRC		01:16
*** r1chardj0n3s is now known as r1chardj0n3s_afk		01:17
*** _cjones_ has quit IRC		01:20
*** _cjones_ has joined #openstack-keystone		01:21
*** packet has quit IRC		01:23
*** _cjones_ has quit IRC		01:25
*** NM has joined #openstack-keystone		01:27
*** gokrokve has joined #openstack-keystone		01:27
morganfainberg	stevemar, ping	01:36
morganfainberg	stevemar, https://bugs.launchpad.net/keystone/+bug/1383924	01:36
uvirtbot	Launchpad bug 1383924 in keystone "keystone notification should use different topic for CADF and normal notificaiton" [Undecided,New]	01:36
morganfainberg	stevemar, i can't argue with that.	01:37
morganfainberg	stevemar, am i crazy?	01:37
morganfainberg	stevemar, unless we don't care with the old notification system going away in favor of 100% pycadf	01:37
*** r1chardj0n3s_afk is now known as r1chardj0n3s		01:38
stevemar	topic?	01:39
morganfainberg	stevemar, topic on the bus	01:39
*** david-lyle has quit IRC		01:39
morganfainberg	e.g. "KEystone" or "Keystone CADF"	01:40
morganfainberg	or "audit"	01:40
morganfainberg	etc	01:40
*** r-daneel has quit IRC		01:40
stevemar	oh that thing	01:40
stevemar	we could change topics	01:40
stevemar	for cadf	01:40
morganfainberg	or make it configurable	01:40
stevemar	https://github.com/openstack/keystone/blob/master/etc/keystone.conf.sample#L315	01:41
stevemar	you mena this one?	01:41
stevemar	that'll be tricky	01:41
morganfainberg	is that for CADF or normal notifications?	01:41
stevemar	both	01:42
morganfainberg	i think the comment is split them into separate configs, but i'm happy to squash it since we're doing cadf only	01:42
morganfainberg	i'll defer to your thoughts and brad's on that topic	01:42
*** gokrokve_ has joined #openstack-keystone		01:43
morganfainberg	which reminds me... need to go poke at pycadf	01:43
morganfainberg	see if we have new bugs.	01:43
stevemar	morganfainberg, https://github.com/openstack/keystone/blob/0e9aefe73baf06997067e06f2485b883a1c29e6c/keystone/common/config.py#L933 -> https://github.com/openstack/keystone/blob/0e9aefe73baf06997067e06f2485b883a1c29e6c/keystone/notifications.py#L220	01:44
morganfainberg	right	01:44
stevemar	i just don't know how to set up 2 different topics	01:44
morganfainberg	oh	01:45
morganfainberg	the option is from oslo.messaging	01:45
morganfainberg	oh hah	01:45
morganfainberg	i see now	01:45
stevemar	is there a reason why the author wants it split up?	01:45
stevemar	aside from cleanliness	01:45
morganfainberg	i think it's because people don't view some things as audit events	01:45
morganfainberg	in this case all notifications from keystone really are audit events - we just determined that by appropving the cadf everywhere spec	01:45
morganfainberg	so I am guessing we say "nope, everything is auditable"	01:46
*** gokrokve has quit IRC		01:46
stevemar	i'm still not seeing the issue	01:48
morganfainberg	it's a "i don't want to suss out if this is a cadf event or something else"	01:48
morganfainberg	i think	01:48
morganfainberg	it's pure cleanliness, but moving to cadf everywhere and adding a toggle to turn off old events should be more than sufficient	01:49
*** stevemar has quit IRC		01:49
morganfainberg	stevemar, lets just say no, we're going cadf everywhere and adding an option to turn off old notifications and deprecating.	01:49
morganfainberg	hah, and he logs out	01:50
morganfainberg	or drops	01:50
*** stevemar has joined #openstack-keystone		01:50
morganfainberg	stevemar, welcome back	01:50
morganfainberg	it's pure cleanliness, but moving to cadf everywhere and adding a toggle to turn off old events should be more than sufficient	01:50
morganfainberg	stevemar, lets just say no, we're going cadf everywhere and adding an option to turn off old notifications and deprecating.	01:50
stevemar	random isp drop	01:51
*** ks-untriaged-bot has joined #openstack-keystone		01:56
ks-untriaged-bot	Untriaged bugs for project keystone:	01:56
ks-untriaged-bot	https://bugs.launchpad.net/keystone/+bug/1383676	01:56
uvirtbot	Launchpad bug 1383676 in keystone "endless loop when deleting region" [High,New]	01:56
ks-untriaged-bot	https://bugs.launchpad.net/keystone/+bug/1383924	01:56
uvirtbot	Launchpad bug 1383924 in keystone "keystone notification should use different topic for CADF and normal notificaiton" [Undecided,New]	01:56
ks-untriaged-bot	Untriaged bugs for project python-keystoneclient:	01:56
ks-untriaged-bot	https://bugs.launchpad.net/python-keystoneclient/+bug/1377080	01:56
ks-untriaged-bot	https://bugs.launchpad.net/python-keystoneclient/+bug/1372710	01:56
uvirtbot	Launchpad bug 1377080 in python-keystoneclient "Stale endpoint selection logic in keystone client" [Undecided,In progress]	01:56
ks-untriaged-bot	https://bugs.launchpad.net/python-keystoneclient/+bug/1357567	01:56
uvirtbot	Launchpad bug 1372710 in python-keystoneclient "cfn-push-stats fails to authenticate" [Undecided,Incomplete]	01:56
*** ks-untriaged-bot has quit IRC		01:56
uvirtbot	Launchpad bug 1357567 in python-keystoneclient "auth_ref caching/retrieving is failing - user needs to provide password for every command" [Undecided,New]	01:56
*** gokrokve_ has quit IRC		02:05
*** topol has joined #openstack-keystone		02:06
*** meker12 has joined #openstack-keystone		02:06
*** meker12_ has joined #openstack-keystone		02:09
morganfainberg	topol, oh hi.	02:09
*** meker12__ has joined #openstack-keystone		02:10
*** meker12__ has quit IRC		02:11
*** meker12 has quit IRC		02:11
*** meker12 has joined #openstack-keystone		02:12
*** meker12_ has quit IRC		02:13
*** lhcheng has quit IRC		02:14
openstackgerrit	A change was merged to openstack/pycadf: Use oslo tests fixture https://review.openstack.org/129643	02:18
openstackgerrit	A change was merged to openstack/keystone-specs: Clean up the comments in CADF everywhere spec https://review.openstack.org/130043	02:28
*** diegows has quit IRC		02:28
morganfainberg	dolphm, stevemar, i'm going to approve the identity v3 stuff in specs repo	02:28
morganfainberg	dolphm, stevemar, unless there is a reason not to	02:28
morganfainberg	bknudson, ayoung, ^	02:28
morganfainberg	lbragstad, ^	02:28
morganfainberg	dstanek, ^ (damn it keep hitting enter too fast)	02:29
stevemar	i figured it was one of those things we would chat about at summit, but if you're OK with it, so am i	02:29
stevemar	it	02:29
morganfainberg	i'm actually very happy to see them published	02:29
stevemar	it's much easier to give ppl API links that DONT go back to github	02:30
morganfainberg	AND in the same repo so we can get spec + api spec at the same time	02:30
morganfainberg	stevemar, exactly	02:30
openstackgerrit	A change was merged to openstack/keystone-specs: add v3 API documentation https://review.openstack.org/128712	02:33
openstackgerrit	A change was merged to openstack/keystone-specs: Publish the Identity v3 API specs https://review.openstack.org/128765	02:33
morganfainberg	rodrigods, sorry to do this to you... but ...	02:33
morganfainberg	rodrigods, ^ you'll need to republish the spec changes over to the keystone-specs repo now	02:34
morganfainberg	rodrigods, let me know if you need any help, happy to assist.	02:34
openstackgerrit	A change was merged to openstack/pycadf: Use correct name of oslo debugger script https://review.openstack.org/130000	02:39
openstackgerrit	A change was merged to openstack/keystone: Correct the code path of implementation for the abstract method https://review.openstack.org/129530	02:41
*** NM has quit IRC		02:42
*** harlowja is now known as harlowja_away		02:43
*** richm has quit IRC		02:56
*** alex_xu has joined #openstack-keystone		03:01
*** jacer_huawei has quit IRC		03:02
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone-specs: Changes regarding the functionality of Hierarchical Multitenancy - Changes in the Keystone API considering projects hierarchy. https://review.openstack.org/130103	03:03
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone-specs: Changes regarding the functionality of Hierarchical Multitenancy https://review.openstack.org/130103	03:03
morganfainberg	rodrigods, ^	03:04
stevemar	morganfainberg, revieweddd	03:35
morganfainberg	stevemar, ty	03:36
*** lhcheng has joined #openstack-keystone		03:38
*** lhcheng has quit IRC		04:03
*** _cjones_ has joined #openstack-keystone		04:05
*** r1chardj0n3s is now known as r1chardj0n3s_afk		04:06
*** fifieldt has joined #openstack-keystone		04:08
*** _cjones_ has quit IRC		04:17
*** _cjones_ has joined #openstack-keystone		04:18
*** alee has quit IRC		04:24
*** alee has joined #openstack-keystone		04:24
*** lhcheng has joined #openstack-keystone		04:40
*** lhcheng has quit IRC		04:44
*** lhcheng has joined #openstack-keystone		04:45
*** _cjones_ has quit IRC		04:47
*** _cjones_ has joined #openstack-keystone		04:47
*** _cjones_ has quit IRC		04:52
*** KanagarajM has joined #openstack-keystone		04:54
*** _cjones_ has joined #openstack-keystone		04:57
*** KanagarajM has quit IRC		05:01
*** gokrokve has joined #openstack-keystone		05:11
*** gokrokve has quit IRC		05:21
*** topol has quit IRC		05:25
*** alex_xu has quit IRC		05:28
*** jacer_huawei has joined #openstack-keystone		05:33
*** k4n0 has joined #openstack-keystone		05:36
*** r1chardj0n3s_afk is now known as r1chardj0n3s		05:47
*** jorge_munoz has quit IRC		05:47
*** jorge_munoz has joined #openstack-keystone		05:48
*** afazekas has joined #openstack-keystone		05:48
*** dvorak has quit IRC		05:56
* marekd making dance of victory after reading rodrigod's message		05:56
marekd	rodrigods: ping me asap	05:57
marekd	rodrigods: please.	05:57
*** dvorak has joined #openstack-keystone		06:03
*** alex_xu has joined #openstack-keystone		06:10
*** jamielennox has quit IRC		06:10
*** gokrokve has joined #openstack-keystone		06:11
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex https://review.openstack.org/130126	06:12
*** gokrokve has quit IRC		06:13
morganfainberg	marekd, will send you a follow up email tomorrow re: visiting CERN but, provided no issues the 11th of november is the best day	06:13
*** gokrokve has joined #openstack-keystone		06:13
morganfainberg	marekd, def. have 2 others joining (chet and his wife)	06:13
marekd	morganfainberg: sure.	06:14
*** alex_xu has quit IRC		06:16
*** gokrokve has quit IRC		06:18
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone-specs: API documentation for Hierarchical Multitenancy https://review.openstack.org/130103	06:18
morganfainberg	marekd, have a good day it's time for me to sleep ;)	06:19
marekd	morganfainberg: have a good night :-)	06:24
*** jamielenz has joined #openstack-keystone		06:28
*** alex_xu has joined #openstack-keystone		06:28
*** jamielenz is now known as jamielennox		06:29
*** lhcheng has quit IRC		06:30
openstackgerrit	Sergey Kraynev proposed a change to openstack/python-keystoneclient: Using correct keyword for region in v3 https://review.openstack.org/118383	06:39
*** r1chardj0n3s is now known as r1chardj0n3s_afk		06:43
*** mrmoje has joined #openstack-keystone		06:44
openstackgerrit	Andreas Jaeger proposed a change to openstack/keystonemiddleware: Improve help strings https://review.openstack.org/118048	06:56
marekd	mhu: o/ i heard some rumours that k2k was successfuly deployed. I need to grab some more details today.	07:00
mhu	marekd: awesome ! I	07:12
*** gokrokve has joined #openstack-keystone		07:14
*** gokrokve has quit IRC		07:18
marekd	stevemar: thanks for the review.	07:26
*** ukalifon has joined #openstack-keystone		07:26
*** _cjones_ has quit IRC		07:28
*** _cjones_ has joined #openstack-keystone		07:28
*** _cjones_ has quit IRC		07:33
stevemar	marekd, np	07:33
stevemar	marekd, bed time for me now :(	07:33
stevemar	marekd, mhu yes the rumor is rodrigods was able to set it up, he said docs are coming :)	07:34
stevemar	marekd, i need to finish our presentation hehe	07:35
mhu	stevemar, marekd, rodrigods: looking forward to that !	07:35
stevemar	good night/morning all - have a fun day	07:35
*** stevemar has quit IRC		07:40
marekd	see you	07:41
*** junhongl has joined #openstack-keystone		07:45
*** jistr has joined #openstack-keystone		08:02
*** gokrokve has joined #openstack-keystone		08:12
*** henrynash has joined #openstack-keystone		08:14
*** jamielennox has quit IRC		08:14
*** gokrokve has quit IRC		08:16
*** jamielenz has joined #openstack-keystone		08:32
*** jamielennox has joined #openstack-keystone		08:33
*** arunkant has quit IRC		08:45
openstackgerrit	Endre Karlson proposed a change to openstack/python-keystoneclient: Allow allow* passthroughs https://review.openstack.org/130159	08:46
jamielennox	ekarlso: commented ^	08:52
*** arunkant has joined #openstack-keystone		08:52
*** jacer_huawei has quit IRC		08:59
*** gokrokve has joined #openstack-keystone		09:11
*** gokrokve has quit IRC		09:12
*** gokrokve has joined #openstack-keystone		09:13
*** jacer_huawei has joined #openstack-keystone		09:15
*** gokrokve has quit IRC		09:17
*** andreaf has joined #openstack-keystone		09:22
*** jacer_huawei has quit IRC		09:33
*** henrynash has quit IRC		09:45
*** nellysmitt has joined #openstack-keystone		09:49
*** NM has joined #openstack-keystone		09:53
*** alex_xu has quit IRC		09:54
openstackgerrit	A change was merged to openstack/keystonemiddleware: Updated from global requirements https://review.openstack.org/126631	09:54
*** NM has quit IRC		09:59
*** aix has joined #openstack-keystone		10:00
openstackgerrit	wanghong proposed a change to openstack/keystone: cann't update catalog objects when using kvs driver https://review.openstack.org/130180	10:04
*** gokrokve has joined #openstack-keystone		10:11
*** gokrokve has quit IRC		10:16
marekd	mhu: o/	10:21
marekd	mhu: recently you've been a openstackclient master. Is openstackclient in a shape where a user can step 1) fetch unscoped token from...say ADFS, step 2) scope this token to a project (and get scopd token printed/stored) 3) create/delete a vm ?	10:27
marekd	mhu: i am concerned about fething and printing to stdout unscoped token and later scoping it.	10:28
*** NM has joined #openstack-keystone		10:34
*** dims has joined #openstack-keystone		10:36
*** dims has quit IRC		10:39
*** dims has joined #openstack-keystone		10:39
rodrigods	marekd, ping	10:55
rodrigods	just woke up =)	10:55
marekd	rodrigods:	10:55
marekd	o/	10:55
marekd	congrats on k2k	10:55
rodrigods	marekd, \o/	10:55
*** meker12 has quit IRC		10:55
marekd	rodrigods: so, what happened after you transformed the assertion into SOAP withthe code i shared with you yesterday?	10:56
marekd	rodrigods: i saw some convos on ssl-something	10:56
marekd	and you hitting wall with your head	10:56
rodrigods	marekd, haha	10:56
marekd	:-)	10:56
rodrigods	marekd, shibboleth was complaining about the IdP certificate	10:57
rodrigods	marekd, I haven't set up a properly keystone ssl deploy	10:57
marekd	rodrigods: that it couldn't validate a signature?	10:57
rodrigods	marekd, exactly	10:57
marekd	rodrigods: oh-ho	10:57
marekd	rodrigods: and what you did then?	10:57
rodrigods	marekd, used the security policy test mode	10:57
rodrigods	disable everything	10:57
rodrigods	hehe	10:58
marekd	rodrigods: what exactly?	10:58
marekd	what did you disable?	10:58
*** diegows has joined #openstack-keystone		10:58
rodrigods	marekd, https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPPolicyRule	10:59
rodrigods	used the last one	10:59
rodrigods	I assumed the issues were due a not properly set keystone ssl deploy	10:59
rodrigods	(wasn't using https and so on)	10:59
*** NM has quit IRC		10:59
marekd	<PolicyRule type="NullSecurity"/> ?	11:00
marekd	this?	11:00
marekd	so it basically doesn't validate assertions's signature, right?	11:01
rodrigods	marekd, yeah, that	11:01
marekd	rodrigods: and did you manage to sestup keystone so this policy is no longer needed?	11:01
*** meker12 has joined #openstack-keystone		11:02
rodrigods	marekd, no, once I got the token back, I just stopped there and took a beer	11:02
marekd	well earned beer :-)	11:02
marekd	rodrigods: are you planning to carry on with that?	11:03
*** meker12_ has joined #openstack-keystone		11:03
rodrigods	marekd, the next step was to test the token itself	11:03
*** meker12_ has quit IRC		11:04
rodrigods	after that, I can try to remove the test security policy	11:04
marekd	rodrigods: well, the token is icehouse federation token so I know it works.	11:04
*** meker12_ has joined #openstack-keystone		11:04
marekd	i mean, i could really do things like booting/deleting machines, listing projects and so on.	11:05
*** meker12 has quit IRC		11:05
marekd	meh, listing images etc	11:05
rodrigods	marekd, ++	11:05
marekd	anyway, i have some code for that	11:05
marekd	so i can give it to you, bu ersonally making it work with proper signature validation is much more crucial part.	11:06
rodrigods	marekd, cool	11:08
marekd	rodrigods: anyway, good that you discovered that shibboleth option.	11:08
marekd	i also left a comment on you patch, so you can follow up laer :-)	11:09
rodrigods	marekd, just replied =)	11:09
rodrigods	thanks	11:09
marekd	and i am super glad that you made it work :-)	11:10
rodrigods	marekd, will have breakfast and go to the lab o/	11:10
*** gokrokve has joined #openstack-keystone		11:11
marekd	rodrigods: sure thing.	11:11
marekd	bon app!	11:11
marekd	i will have lunch soon :-)	11:12
marekd	it's 1:12 pm here	11:12
*** gokrokve has quit IRC		11:16
*** fmarco76 has joined #openstack-keystone		11:22
*** fmarco76 has quit IRC		11:24
ekarlso	jamielennox: where should tests for ^ go ?	11:26
*** NM has joined #openstack-keystone		11:34
mhu	marekd, I have no way to test ADFS, but if it works like your saml plugins, it should be covered with the federation unscoped commands patch once I get back to it (https://review.openstack.org/#/c/124101/)	11:46
marekd	mhu: ok, don't worry about keystoneclient part, i know adfs works (at least for me).	11:47
marekd	mhu: at some point i stopped following up and i am unsuer if i can do everything with commandline and openstackclient.	11:47
mhu	marekd, using this code, here's a way to do a full login: http://paste.openstack.org/show/123098/	11:47
mhu	marekd, as for getting tokens, they are redacted in the debug logs, otherwise you can explicitly get them with the command "token issue" (not tested, but from glancing at the code, it should work) and of course the "federation token issue" for the unscoped token	11:50
marekd	mhu: do you think adding a patch that utilizes that utilizes https://review.openstack.org/#/c/106751/ is hard?	11:50
marekd	jamielennox: BTW: appreciate your eyes on https://review.openstack.org/#/c/106751/ . Even if that's only Python/software design check.	11:52
mhu	marekd, you mean in OSC ? I guess not ... are you implying you're abandoning this change ?	11:52
mhu	it's a pity, though, I think the wrapper has its place in ksc	11:52
marekd	mhu: not at all!	11:52
mhu	ah, good :)	11:52
marekd	mhu: i want osc use it	11:52
marekd	mhu: and i am asking if some new code must be developed for that.	11:53
mhu	marekd, no new code needed - it's the magic of plugins \o/	11:53
marekd	mhu: ah, great!	11:53
marekd	i will try that today then.	11:53
mhu	marekd, I actually got once to test it, but since I've wrecked up my virtualenv	11:53
mhu	but it definitely worked	11:54
marekd	and may bug you if i am stuck.	11:54
marekd	mhu: the wrapper?	11:54
mhu	marekd sure no prob	11:54
mhu	marekd, the wrapper through osc	11:54
* marekd sweeeeeet, everything is going according to the plan		11:54
marekd	mhu: you are obviously attending summit?	11:54
mhu	My main trouble was to get osc to use the right version of ksc, the one from the patch, but once I did it worked	11:55
marekd	mhu: what right version ?	11:55
marekd	=>0.11.1 ?	11:55
marekd	or it's simply because my patch was not merged?	11:56
mhu	marekd, yes, actually I live 10 minutes away by foot from the summit place	11:56
marekd	mhu: great!	11:57
marekd	mhu: i'd be happy to have a beer with in person :-)	11:57
marekd	with you*	11:57
mhu	marekd, when you use "python setup.py install" on an untagged branch, it gets a special version number based on the latest git commit hash, and sometimes it doesn't play well with other version requirements	11:58
marekd	i see	11:59
mhu	marekd, likewise, and not just one ! :)	11:59
marekd	mhu: looking forward to RedHat (and not only) sponsored events :P	11:59
*** gokrokve has joined #openstack-keystone		12:11
*** gokrokve has quit IRC		12:16
jamielennox	marekd: so what would happen with that plugin if i didn't supply --project-id or any scoping information to that plugin	12:31
jamielennox	the way the current plugins work like Password is if you don't supply a scope you get unscoped, that may not be right, but i think if you don't provide scope to the v3saml2 it will fail right/	12:33
marekd	jamielennox: ValidationError	12:33
jamielennox	marekd: is that what you want?	12:34
jamielennox	i don't necessarily think the unscoped/scoped behaviour of the existing plugins is very good - it was a pattern i inheritted from the old clients, i was just looking at how this one is different	12:35
marekd	i mean, in the saml2Scopedtoken plugin if you don't provide enough information (project_id or domain_id) you get ValidationError. Here, it is simply repeated.	12:35
marekd	jamielennox: what pattern? the fact that unscoped tokens actually exist?	12:36
marekd	I don't say ValidationError is a right thing to do, bu i don't have any better idea.	12:36
jamielennox	marekd: no the pattern that you can't really tell if your plugin contains a scoped token or not, you have to remember what you submitted	12:36
ekarlso	jamielennox: ?	12:37
jamielennox	saml2ScopedToken kind of makes sense to throw ValidationError - you are specifically making an object with a scoped token	12:37
jamielennox	if you didn't provide the scope it would fail anyway	12:37
*** diegows has quit IRC		12:37
marekd	jamielennox: yes.	12:37
jamielennox	i'm wondering for the v3saml2 plugin though if you don't provide a scope should it act like an unscoped token	12:38
jamielennox	so in get_auth_ref if no scoping is provided you'd return the unscoped auth_ref	12:38
marekd	ah...	12:38
marekd	my initial thought was: if you want unscoped token use plugin for that, but i can add this	12:38
ekarlso	jamielennox: where do tests for my change go ?	12:39
jamielennox	i think that people using the specific saml2 format plugins would be rare, particularly from the cmdline you would just teach people how to use this wrapper	12:39
marekd	jamielennox: format - you mean either adfs/shib or scoped/unscoped?	12:40
jamielennox	adfs/shib	12:40
marekd	jamielennox: because at the moment there is no 'discovery'	12:40
jamielennox	ekarlso: am looking	12:40
jamielennox	marekd: yep, would love to add that	12:41
marekd	jamielennox: i can take a look at that, but we might end up with stupid "if method a didn't work, try method b and only then fail with Unauthorized"	12:41
jamielennox	marekd: but from a UX and doc perspective you would tell people to do --os-auth-plugin v3saml2 --unscoped-token-plugin shib --stuff....	12:42
marekd	jamielennox: correct	12:42
jamielennox	rather than to even bother explaining how to use --os-auth-plugin shib	12:42
marekd	jamielennox: ok, i wil check it so it stops without errors if no project_id/domain_id is provided.	12:42
marekd	one more thing...	12:43
marekd	cause everywhere i was adding project_id for project scoping (domain_id for domains). Shouldn't we actually add project_name, project_domain_name also?	12:43
jamielennox	also is there something better we can call --unscoped-token-plugin? like --saml-format or --saml-protocol	12:43
jamielennox	marekd: yea, you will want to pass pretty much all the options of v3.Token through for scoping	12:44
jamielennox	all but --os-token i would think	12:44
marekd	jamielennox: hm, i need to put os-token...	12:45
marekd	as i am scoping unscoped token..	12:45
jamielennox	wouldn't the value of --os-token come from the unscoped plugin?	12:45
*** vejdmn has joined #openstack-keystone		12:47
marekd	jamielennox: ah, you are talking the wrapper now - so yes, --os-token is passed from unscoped token. However, currently if you just want to scope your unscoped token you must provide project_id or domain_id: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/contrib/auth/v3/saml2.py#L877	12:48
marekd	so i think it will not work with human readable names.	12:49
jamielennox	marekd: yep, i mean the wrapper, so the wrapper would want to expose the same scoping options that the other v3 auth plugins expose (looking no v3.Token only add's --os-token everything else is from the base class)	12:50
marekd	jamielennox: agreed.	12:50
jamielennox	so those options are easy to inherit	12:50
marekd	**kwargs i guess.	12:50
marekd	and the rest will be handled in a base class	12:50
marekd	jamielennox: ok, do you think that constraint in Saml2ScopedToken class for either project_id or domain_id should be dropped?	12:52
marekd	jamielennox: ok i think i can answer my own question: yes	12:53
jamielennox	marekd: no :)	12:55
*** diegows has joined #openstack-keystone		12:55
marekd	jamielennox: haha	12:55
marekd	jamielennox: why?	12:55
jamielennox	I mean you could, but the whole class name indicates that you are creating a scoped token - if you don't have scoping information i don't know what it would be used for	12:55
marekd	jamielennox: right, but you have to specify project_id, and cannot user project_name, project_domain_name pair.	12:56
jamielennox	ideally we wouldn't need Saml2ScopedToken at all and the standard unscoped -> scoped would work	12:56
jamielennox	marekd: is that a server requirement or those options just aren't inherited up to that plugin?	12:56
jamielennox	marekd: also left some comments on the review, nothing serious i think	12:57
marekd	jamielennox: server requirement for having project_id only?	12:57
jamielennox	right - why doesn't Saml2ScopedToken accept project_name?	12:58
marekd	when i think about it know i think everybody assumed project_id would be passed.	12:58
marekd	i need to check it.	12:58
marekd	well..passed to the server	12:59
jamielennox	doesn't it inherit from v3.Token?	12:59
*** richm has joined #openstack-keystone		12:59
marekd	it does	12:59
jamielennox	or inherit the same options as the other v3 plugins? wouldn't it get project_name that way?	12:59
*** amakarov_away is now known as amakarov		12:59
marekd	https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/contrib/auth/v3/saml2.py#L884	12:59
marekd	at the moment it will accept project_id	13:00
marekd	not project_name	13:00
jamielennox	oh - right	13:00
openstackgerrit	Alexander Makarov proposed a change to openstack/keystone: PKI and PKIZ tokens unnecessary whitespace removed https://review.openstack.org/120043	13:00
jamielennox	hmm, well at least adding the additional options isn't a compatibility issue	13:00
jamielennox	so no rush on that	13:00
marekd	jamielennox: i think that if clause should be dropped	13:01
*** afazekas has quit IRC		13:01
marekd	all in all so every thing can be resolved at the v3.Token level (if all required options are present)	13:01
*** bknudson has quit IRC		13:01
*** gordc has joined #openstack-keystone		13:01
marekd	and i will check if actually keystone accepts project_name	13:01
marekd	if now -> bug and fix at the keystone side.	13:01
jamielennox	ok,	13:02
jamielennox	if you want to keep it the easy thing to do would be add a property like contains_scoping_data in the v3 base plugin and you can check that	13:03
jamielennox	i was looking because i thought i had a method like that already	13:03
*** stevemar has joined #openstack-keystone		13:03
jamielennox	but i don't mind if you drop ti	13:04
*** tellesnobrega has joined #openstack-keystone		13:04
jamielennox	i don't think it changes the wrapper either way because if there wasn't any scoping data you wouldn't call it	13:04
marekd	https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/auth/identity/v3.py#L89 options presence and their combinations are being resolved somewhere here	13:04
jamielennox	otherwise you'd be making to auth calls and you'd still only end up with an unscoped token	13:04
marekd	jamielennox: no it doesn't	13:04
jamielennox	s/to/two	13:04
marekd	i just wanted to consult since we were talking.	13:05
jamielennox	np, are you guys using it in production yet/	13:06
jamielennox	the auth plugins?	13:06
marekd	we have websso with horizon, and i think auth plugins with cli will be available quite soon for our users.	13:07
marekd	however, locally i think kerberos with cli will be more tempting.	13:08
marekd	so the answer is: not yet :-)	13:08
marekd	plus it took a while o reorganize osc to be able to use all those ksc plugins.	13:08
marekd	and the new version has not yet been cut.	13:08
jamielennox	yea, i haven't looked at OSC since i got back, ayoung was saying there had been some work there to do plugins but it wasn't quite there yet	13:09
marekd	it is now.	13:09
*** dims has quit IRC		13:09
marekd	i think right now you have almost all you need to use fedeferation from cli.	13:10
*** dims has joined #openstack-keystone		13:10
jamielennox	ok, cool. he had a snippet of code showing osc with kerberos but it still needed you to provide a password field or something cause they hadn't quite figured out the options	13:10
jamielennox	ekarlso: sorry, that took longer than i meant - so for the main part you should be ok to add the allows to https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/tests/test_session.py#L599	13:11
*** gokrokve has joined #openstack-keystone		13:11
jamielennox	ekarlso: but i think it would be good to have a more realistic test, maybe in https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/tests/auth/test_identity_v3.py that tested actually using it with a discover object that had an experimental api version	13:13
*** afazekas has joined #openstack-keystone		13:13
jamielennox	marekd: i saw dtroyer complaining about something to do with the plugins the other day, which i consider to be a good sign that they're really trying	13:14
marekd	jamielennox: when exactly?	13:14
marekd	jamielennox: BTW: http://openstack-in-production.blogspot.ch/2014/10/kerberos-and-single-sign-on-with.html	13:15
*** joesavak has joined #openstack-keystone		13:15
*** sigmavirus24_awa is now known as sigmavirus24		13:16
*** gokrokve has quit IRC		13:16
jamielennox	only the other day, something part he wanted he though was missing but i haven't caught up with him yet	13:17
jamielennox	marekd: ah, i saw that and put it in the to read list but haven't yet	13:17
stevemar	marekd, thanks for filling in that slide, i was going to do it today, you just saved me some time :)	13:17
*** nkinder has quit IRC		13:18
marekd	stevemar: sure	13:18
jamielennox	stevemar: you are probably the right person to ask about this - how's OSC going with ksc plugins?	13:18
marekd	jamielennox: https://review.openstack.org/#/c/108325/	13:18
stevemar	jamiec, well, we are using plugins now, and no longer have the 'options' for most in our code	13:19
stevemar	jamielennox, ^	13:19
jamielennox	marekd: hmm, having not looked at the code yet that seems almost right	13:19
marekd	jamielennox: yes.	13:19
jamielennox	i don't like the idea that OSC should guess the plugin from available options	13:20
stevemar	jamielennox, we also noticed a lack of support for a specific flow in KSC, service token + endpoint	13:20
jamielennox	the plan was always that you can write a plugin that is the default and if you don't specify --os-auth-plugin then you get the default plugin	13:20
marekd	jamielennox: and the plugins mechanism is generic enough, so adding new plugin (like my wrapper) will not need any code changes in osc	13:20
jamielennox	stevemar: that exists, what specifically are you missing	13:21
jamielennox	marekd: ++	13:21
*** vejdmn has quit IRC		13:21
*** bknudson has joined #openstack-keystone		13:21
*** vejdmn has joined #openstack-keystone		13:21
jamielennox	stevemar: token/endpoint is keystoneclient.auth.token_endpoint.Token	13:21
stevemar	jamielennox, here's where we added our own, i'll see about getting rid of it in favor or the one you mention above: https://review.openstack.org/#/c/127655/3/openstackclient/api/auth.py	13:24
*** dims has quit IRC		13:25
stevemar	jamielennox, this was the change that started using plugins, https://review.openstack.org/#/c/108325/27 if a plugin is specified then we use that one, otherwise we try to guess it given what we know	13:25
jamielennox	stevemar: yea, that's what marekd linked above and i'm looking through	13:26
*** dims has joined #openstack-keystone		13:26
*** dims has quit IRC		13:26
stevemar	jamielennox, hold your comments for a bit or ask dtroyer, i'm about to drive to work	13:26
stevemar	bbl	13:26
jamielennox	stevemar: ok	13:27
*** dims has joined #openstack-keystone		13:27
*** dims has quit IRC		13:27
*** dims has joined #openstack-keystone		13:29
*** dims has quit IRC		13:29
vsilva	ping stevemar - I heard you were wishing for real federation tests. I'd love to take a good look into that	13:31
*** stevemar has quit IRC		13:31
marekd	vsilva: i was wishing for that too	13:31
marekd	and was thinking about it as a next cycle task.	13:31
marekd	vsilva: o/	13:31
marekd	vsilva: have you start working on that yet?	13:32
vsilva	sweet marekd. I was hoping to have a plan on how to tackle that in the next couple of days	13:32
marekd	vsilva: well, first of all: make sure people like dolphm or morganfainberg will accept that :P	13:33
marekd	personally - i think it's super useful	13:33
vsilva	marekd, yep, that's right	13:33
marekd	vsilva: secondly i'd figure out what's the procedure for adding tests to the gate	13:33
marekd	probably morganfainberg can help as well	13:34
marekd	or point to right people	13:34
marekd	third: the infrastructure, i can help you wth that if you want.	13:34
marekd	pysaml2 might be a good idea	13:34
marekd	as a real idp.	13:34
marekd	mod_shib w/ apache for the sp side as a starter	13:35
rodrigods	marekd, there is also ipsilon (https://fedorahosted.org/ipsilon/), nkinder pointed to that in a previous discussion	13:36
marekd	or ipsilon, whatever	13:36
*** dims has joined #openstack-keystone		13:36
marekd	good that you reminded me that...	13:39
marekd	hm, nkinder is not here.	13:39
rodrigods	marekd, vsilva, figure out how to gate the SP would be a good start	13:42
rodrigods	( vsilva is in the same physical room that I am =P )	13:42
*** afazekas has quit IRC		13:42
dstanek	the use of kwargs in keystoneclient is driving me crazy :-(	13:44
jamielennox	dstanek: yea	13:45
marekd	dstanek: ++++++++++++++	13:45
rodrigods	+1000	13:45
jamielennox	anywhere in partiular? (new code or old code?)	13:45
marekd	rodrigods: isn't keystone running apache in gate?	13:46
marekd	dstanek: ^^ ?	13:47
rodrigods	marekd, not sure, heard that it was running eventlet	13:47
marekd	morganfainberg: can answer that	13:47
dstanek	marekd: i don't think so - i'm pretty sure it's eventlet	13:47
marekd	dstanek: :(((((	13:47
marekd	vsilva: so you have step 0	13:47
marekd	vsilva: rodrigods any of you comming to Paris?	13:50
vsilva	nope marekd	13:50
jamielennox	so is there a compatibility issue if i fix auth_token middleware to do real discovery?	13:51
jamielennox	at the moment it does some discovery, like it checks to see if v2 and v3 are listed in the discover page and if so force appends /v2.0/ or /v3/	13:51
jamielennox	how many people do you think it would break if i actually made it object the URLs found on the discovery page?	13:52
jamielennox	s/object/respect	13:52
*** bknudson has quit IRC		13:52
*** nellysmi_ has joined #openstack-keystone		13:53
breton	ayoung: morganfainberg: regarding Alembic blueprint. What's the issue with approach?	13:53
marekd	vsilva: :(	13:55
vsilva	I'm new here, marekd - rodrigods should, though	13:55
*** nellysmitt has quit IRC		13:56
rodrigods	marekd, didn't get sponsored	13:56
rodrigods	=/	13:57
marekd	:(	13:57
*** thedodd has joined #openstack-keystone		13:57
*** radez_g0n3 is now known as radez		13:57
*** bknudson has joined #openstack-keystone		14:06
morganfainberg	We test both event let and Apache in gate. Most tempest runs are Apache though.	14:06
*** nkinder has joined #openstack-keystone		14:07
marekd	morganfainberg: so adding mod_shib and predefined config shouldn't be a big thing ?	14:07
morganfainberg	Not if it is something devstack can configure.	14:07
*** NM has quit IRC		14:08
morganfainberg	But it will need a toggle / flag.	14:08
marekd	morganfainberg: what flag?	14:08
morganfainberg	In tempest if tempest is testing it.	14:09
*** henrynash has joined #openstack-keystone		14:09
morganfainberg	It can't be tested in the unit tests, unit tests don't use Apache	14:09
marekd	morganfainberg: i don't want any unit tests, any mocking and so on.	14:10
marekd	i want to talk with real IdP	14:10
marekd	get real assertion	14:10
marekd	etc etc	14:10
morganfainberg	Yeah, this is either tempest or the new functional testing (will be discussed at the summit)	14:11
*** gokrokve has joined #openstack-keystone		14:11
marekd	morganfainberg: ok	14:11
marekd	i was once thinking about adding federation tests to the gate, and now vsilva mentiones the same.	14:12
*** gokrokve has quit IRC		14:16
vsilva	marekd, I have no strong preference for either approach - maybe just a slight one for tempest	14:16
vsilva	morganfainberg, I'm eager to hear what you guys decide, then, and I'd love to help	14:17
*** k4n0 has quit IRC		14:17
morganfainberg	:)	14:17
marekd	vsilva: morganfainberg does tempest allow for real tests? not unittests with mocking etc?	14:18
marekd	so real HTTP calls are send/received	14:18
morganfainberg	Yes, tempest is doing full integration. It actually runs against a full devstack	14:19
vsilva	what's stopping us from using it then, morganfainberg? Or how could functional testing be better for this?	14:20
morganfainberg	Functional tests wil be similar, but be keystone only (think like the "restful test cases" we have now in unit but against any keystone).	14:20
morganfainberg	There is a lot of work to set this all up in either case. Devstack, actual test writing, etc.	14:21
vsilva	is the second approach less than you want, marekd?	14:22
morganfainberg	So, I just would wait until the summit (it's very soon) to figure out the best place to do this work b	14:22
morganfainberg	If the qa team doesn't want this in tempest, no reason to put it there	14:23
vsilva	sure morganfainberg, that makes sense	14:23
samuelms	morganfainberg, so if we stop calling assignment_api directly inside API tests (for simplicity on seting up scenarios) and do only api calls, they'd become functional tests .. :)	14:23
samuelms	morganfainberg, and we could receive keystone url from a config	14:23
morganfainberg	If we're moving lots to functional out of tempest, thus might be a prime candidate for new testing. Or to lead in with.	14:24
morganfainberg	samuelms: partly	14:24
morganfainberg	It also needs a way to be told how to run against an active keystone vs a very contrived setup.	14:25
samuelms	morganfainberg, ++	14:26
*** radez is now known as radez_g0n3		14:29
morganfainberg	unrelated, good morning	14:29
morganfainberg	:)	14:29
breton	18:29 < morganfainberg> unrelated, good morning	14:30
breton	morning :0	14:30
breton	* :)	14:30
morganfainberg	it's 0730 here	14:30
marekd	16:29 < morganfainb>\| unrelated, good morning	14:30
*** gokrokve has joined #openstack-keystone		14:30
*** henrynash has quit IRC		14:32
vsilva	[11:29] <morganfainberg> unrelated, good morning	14:33
vsilva	still applies, I guess	14:33
*** henrynash has joined #openstack-keystone		14:34
morganfainberg	vsilva, hey it's morning there! no mocking me if it isn't past noon ;)	14:34
morganfainberg	hehe	14:34
* morganfainberg hasn't even had coffee yet		14:34
vsilva	all right, all right!	14:34
*** stevemar has joined #openstack-keystone		14:36
openstackgerrit	A change was merged to openstack/pycadf: Remove unused dependencies from pycadf https://review.openstack.org/129765	14:39
*** henrynash has quit IRC		14:44
marekd	vsilva: sorry, missed your msg.	14:44
*** henrynash has joined #openstack-keystone		14:44
marekd	vsilva: i don't have any preferrences	14:44
*** radez_g0n3 is now known as radez		14:46
*** ukalifon has quit IRC		14:51
*** andreaf has quit IRC		14:52
openstackgerrit	Alexander Makarov proposed a change to openstack/keystone: Trust redelegation https://review.openstack.org/126897	14:57
*** tellesnobrega has quit IRC		14:59
*** thedodd has quit IRC		15:00
*** vhoward has left #openstack-keystone		15:02
*** gokrokve_ has joined #openstack-keystone		15:09
*** dims_ has joined #openstack-keystone		15:11
*** gokrokve_ has quit IRC		15:12
*** gokrokve_ has joined #openstack-keystone		15:12
amakarov	ayoung, Hi! I've done trust chain users validation in a token provider. Do I correctly understand that trust chain validation is spread across several api?	15:13
*** gokrokve has quit IRC		15:13
*** dims__ has joined #openstack-keystone		15:14
*** david-lyle has joined #openstack-keystone		15:14
*** dims has quit IRC		15:15
rodrigods	marekd, seems like I don't have the token yet. Shibboleth is redirecting me to http://keystone:5000/ instead to http://keystone:5000/v3/OS-FEDERATION/identity_providers/.../auth. Problem with attribute mappings?	15:15
*** dims_ has quit IRC		15:16
*** gokrokve_ has quit IRC		15:17
openstackgerrit	Jamie Lennox proposed a change to openstack/keystonemiddleware: Use Discovery fixtures for auth token tests https://review.openstack.org/130247	15:18
*** david-lyle has quit IRC		15:19
*** zzzeek has joined #openstack-keystone		15:20
*** _cjones_ has joined #openstack-keystone		15:22
*** _cjones_ has quit IRC		15:23
*** _cjones_ has joined #openstack-keystone		15:23
rodrigods	marekd, I need to manually go to the correct url =( (but I succeed to get back the token)	15:24
marekd	rodrigods: at what point?	15:25
marekd	rodrigods: are you talking about unscoped token still?	15:25
openstackgerrit	Lance Bragstad proposed a change to openstack/keystone-specs: Authenticated Encryption Tokens https://review.openstack.org/130050	15:29
*** vejdmn has quit IRC		15:30
*** vejdmn has joined #openstack-keystone		15:31
rodrigods	marekd, yep, once we send the SAML assertion, the response is a 302 to another URL	15:34
marekd	rodrigods: correct	15:34
rodrigods	which should be /OS-FEDERATION/...	15:34
rodrigods	but, here is redirecting me to http://keystone:5000/	15:34
rodrigods	if I manually put the /OS-FEDERATION/ url, the unscoped token is returned	15:34
*** cjellick has joined #openstack-keystone		15:35
marekd	rodrigods: what do you have configured in your region?	15:35
*** ayoung is now known as ayoung-afk		15:40
*** david-lyle has joined #openstack-keystone		15:43
rodrigods	marekd, /Shib.../SAML2/ECP	15:53
marekd	rodrigods: can you by any chance paste me the assertion Keystone-Idp is returning yo you?	15:53
marekd	rodrigods: i am afraid client library will have to handle this.	15:54
rodrigods	marekd, just a sec =)	15:57
rodrigods	marekd, but how the IdP will generate the correct URL to be redirected, if it depends on the idp id at the SP?	15:59
*** lhcheng has joined #openstack-keystone		16:00
*** jsavak has joined #openstack-keystone		16:00
*** marcoemorais has joined #openstack-keystone		16:01
*** joesavak has quit IRC		16:01
*** larsks has quit IRC		16:03
*** larsks has joined #openstack-keystone		16:03
*** joesavak has joined #openstack-keystone		16:04
*** jsavak has quit IRC		16:05
*** NM has joined #openstack-keystone		16:13
*** jistr has quit IRC		16:18
*** mrmoje has quit IRC		16:19
*** gokrokve has joined #openstack-keystone		16:20
marekd	rodrigods: well, user will need to specify that	16:23
marekd	or cloud admin.	16:23
rodrigods	marekd, where?	16:25
*** radez is now known as radez_g0n3		16:28
marekd	rodrigods: this would need code change.	16:30
marekd	or simply keystoneclient would need to take care of that.	16:31
rodrigods	marekd, ++	16:35
marekd	rodrigods: i will take a look a ut later, i need to go for now.	16:35
rodrigods	marekd, will take a look too. Thanks for the help	16:36
marekd	rodrigods: sure	16:36
marekd	o/	16:36
rodrigods	o/	16:36
marekd	o\	16:36
*** thedodd has joined #openstack-keystone		16:36
*** vejdmn has quit IRC		16:36
*** packet has joined #openstack-keystone		16:38
*** vejdmn has joined #openstack-keystone		16:38
*** r-daneel has joined #openstack-keystone		16:39
*** marcoemorais has quit IRC		16:47
*** marcoemorais has joined #openstack-keystone		16:47
*** marcoemorais has quit IRC		16:47
*** wwriverrat has joined #openstack-keystone		16:48
*** marcoemorais has joined #openstack-keystone		16:48
*** marcoemorais has quit IRC		16:48
*** vejdmn has quit IRC		16:51
*** vejdmn has joined #openstack-keystone		16:51
openstackgerrit	Rodrigo Duarte proposed a change to openstack/keystone-specs: API documentation for Inherited Roles to Projects https://review.openstack.org/130277	16:53
morganfainberg	rodrigods: sorry I didn't get to reproposing the second api change there.	16:56
morganfainberg	I was just too tired when everything merged to do both last night.	16:56
*** jistr has joined #openstack-keystone		16:56
rodrigods	morganfainberg, no problem, not a big deal changing it. Thanks for reproposing the other one	16:56
morganfainberg	Yeah, markdown is easier to write, rst is a better format.	16:57
openstackgerrit	Rodrigo Duarte proposed a change to openstack/keystone-specs: API documentation for Inherited Roles to Projects https://review.openstack.org/130277	16:59
*** gyee has joined #openstack-keystone		17:01
*** marcoemorais has joined #openstack-keystone		17:02
rodrigods	lbragstad, henrynash, guess the second HM patch is ready to +A? https://review.openstack.org/#/c/117785/	17:02
rodrigods	morganfainberg, if you want to take a look in it as well ^	17:02
lbragstad	rodrigods: I'll add it to the queue	17:03
rodrigods	lbragstad, ++	17:03
rodrigods	lbragstad, not big changes since your +2, just a method renaming	17:03
*** vejdmn has quit IRC		17:04
*** vejdmn has joined #openstack-keystone		17:04
lbragstad	rodrigods: cool	17:04
*** jsavak has joined #openstack-keystone		17:04
*** browne has joined #openstack-keystone		17:05
*** joesavak has quit IRC		17:08
*** harlowja_away is now known as harlowja		17:16
*** mrmoje has joined #openstack-keystone		17:16
morganfainberg	rodrigods: def will look.	17:17
morganfainberg	Unless it's merged before I get a I my desk. :)	17:18
rodrigods	morganfainberg, hehe thanks	17:18
*** browne has quit IRC		17:21
openstackgerrit	Alexander Makarov proposed a change to openstack/keystone: Trust redelegation https://review.openstack.org/126897	17:31
*** zzzeek has quit IRC		17:33
*** radez_g0n3 is now known as radez		17:36
*** marcoemorais has quit IRC		17:37
*** wwriverrat has left #openstack-keystone		17:41
*** vejdmn has quit IRC		17:42
*** marcoemorais has joined #openstack-keystone		17:43
*** dims__ has quit IRC		17:45
*** dims has joined #openstack-keystone		17:45
*** dims has quit IRC		17:46
*** dims has joined #openstack-keystone		17:46
nkinder	morganfainberg: how acceptable would it be to allow the domain_id to accept names or ids for calls like 'list users'?	17:47
morganfainberg	nkinder, in what context?	17:47
morganfainberg	nkinder, from the REST API or in the client or???	17:47
nkinder	morganfainberg: It would need to be API. Here's the scenario...	17:47
nkinder	When I use OSC with domains and the v3 policy, my domain admin needs to manage users, groups, and projects within their domain	17:48
nkinder	A domain admin is not able to look up the domain objects themselves	17:48
nkinder	If I have an 'ipa' domain, I can't do 'openstack user list --domain ipa', as names aren't accepted	17:48
*** vejdmn has joined #openstack-keystone		17:49
nkinder	I need to know my domain id and remember/write it down	17:49
nkinder	I also can't look up my domain id	17:50
nkinder	That's only allowed by the cloud admin (not domain admin)	17:50
nkinder	morganfainberg: So this is really a usability issue with domains, and it would be much nicer if we had a way to just specify the domain by name in the REST API	17:51
morganfainberg	nkinder, can't you do a get domain by name already?	17:51
morganfainberg	and why is get domain by name only available to cloud admin?	17:51
nkinder	morganfainberg: there may be a client bug there (it uses list domains to look it up instead of just doing a get)	17:51
morganfainberg	ah	17:51
nkinder	morganfainberg: confirming that in the policy now...	17:52
morganfainberg	i think keystoneclient has some of this logic already	17:52
nkinder	The client should be fixed to not use 'list_domain'	17:52
jamielennox	hmm?	17:52
morganfainberg	but honestly haven'tl loo... oh hi jamielennox !	17:52
nkinder	I fixed a bunch of those issues in OSC last week, but not for domain show	17:52
jamielennox	i have an irc alert for keystoneclient - i sometimes think i should turn it off	17:52
morganfainberg	jamielennox, kindof like i have one for "keystone" ;)	17:53
nkinder	morganfainberg: still, wouldn't it be a better experience to allow just specifying the name instead of making two calls?	17:53
jamielennox	morganfainberg: ah, that would get annoying	17:53
morganfainberg	nkinder, it should be a separate call	17:53
morganfainberg	nkinder, what if I have a domain called asdfasdf1234	17:53
morganfainberg	and somehow the uuid ended up looking the same	17:53
morganfainberg	ooor i used uuid.uuid4().hex to generate a name for the domain	17:54
nkinder	morganfainberg: there's nothing wrong with that	17:54
morganfainberg	how do you know if it's an id or a name then?	17:54
openstackgerrit	Jamie Lennox proposed a change to openstack/keystonemiddleware: Convert authentication into a plugin https://review.openstack.org/115857	17:54
morganfainberg	if the REST api has to guess	17:54
nkinder	morganfainberg: so you're worried about collisions between name and id?	17:54
morganfainberg	nkinder, basically i don't want the API to have to guess which one you mean	17:54
jamielennox	anything i can help with- otherwise i'm out	17:54
nkinder	morganfainberg: to avoid collisions, we would need a separate parameter in the REST calls (domain_id and domain_name)	17:55
morganfainberg	jamielennox, nah we're good.	17:55
morganfainberg	nkinder, that would be fine.	17:55
jamielennox	alright	17:55
*** jamielennox has quit IRC		17:55
morganfainberg	nkinder, unless there is already a way to accomplish this. (i'd need to look)	17:55
*** jamielenz is now known as jamielennox		17:55
morganfainberg	nkinder, while the end user expeirence is not as simple, the overall design and consistency is better if you know what you're asking for	17:56
morganfainberg	if you know your domain name, ask for the information via the name, don't ask via the ID feild and hope you get something useful back	17:56
*** aix has quit IRC		17:56
morganfainberg	simlilar thoughts on the inverse	17:56
nkinder	morganfainberg: makes sense	17:57
nkinder	morganfainberg: the corner case to watch out for is when someone specifies both id and name. We would want to reject that	17:57
morganfainberg	nkinder, likely this needs to be a separate API call.	17:57
morganfainberg	GET domain/{domain_id} is for ids	17:57
morganfainberg	not sure what the by-name version looks like	17:58
*** amcrn has joined #openstack-keystone		17:58
morganfainberg	get domain/{domain_id_but_really_a_name}?query_by_name is equally bad imo	17:58
nkinder	morganfainberg: I'm thinking more GET v3/users	17:58
nkinder	morganfainberg: that has a 'domain_id' param	17:58
morganfainberg	nkinder, ah sure.	17:59
morganfainberg	domain anmes are unique	17:59
morganfainberg	that is a fine place to have either/or	17:59
nkinder	we would just need to add a 'domain_name' optional param	17:59
morganfainberg	and if both are specified yeah, 400	17:59
nkinder	morganfainberg: ok, cool. I'm assuming this needs a spec?	17:59
morganfainberg	nkinder, yes, if it changes the API it absolutely needs a spec	17:59
nkinder	morganfainberg: cool, I'll work on writing one up	17:59
nkinder	morganfainberg: I'll also fix OSC to not do a 'list domains' when you try to show a domain	18:00
morganfainberg	good plan	18:01
morganfainberg	if that doesn't have an option, we might need to add a way to get domain by name	18:01
morganfainberg	domain is a special case since both name and id are unique (comared to say projects, or users)	18:01
*** jamielennox has quit IRC		18:01
nkinder	morganfainberg: though we have this - "identity:get_domain": "rule:cloud_admin"	18:01
afaranha	Did anyone notice this bug in the policy rules? In the v3 policy I replaced this rule: "admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner" for this "admin_or_owner": "(role:admin and domain_id:%(target.token.user.domain.id)s) or rule:owner" and then got an error running keystone.tests.test_v3_auth.TestTokenRevokeSelfAndAdmin.test_user_revokes_own_token	18:02
nkinder	morganfainberg: so I guess it's pointless to avoid the 'list domains' unless we change policy	18:02
afaranha	before this I didn't get this error	18:02
morganfainberg	nkinder, ugh. we HAVE to get to a smarter policy	18:02
nkinder	morganfainberg: I think show domain should be allowed for an 'admin' of the matching domain	18:03
*** afaranha has left #openstack-keystone		18:03
nkinder	morganfainberg: yet another fix I can propose...	18:03
*** afaranha has joined #openstack-keystone		18:03
stevemar	af<tab> left the channel before i could answer :(	18:03
nkinder	morganfainberg: I better shut up before my to-do list gets any longer... :)	18:03
nkinder	stevemar: you have a second chance.... :)	18:04
stevemar	afaranha, there you are	18:06
stevemar	afaranha, you changed it from rule:admin_required to role:admin	18:07
notmyname	the the keystone v3 API new in juno, or did it exist in icehouse? (in a prod-ready sense, not a preview)	18:07
*** dims has quit IRC		18:07
notmyname	morganfainberg: ^	18:07
morganfainberg	notmyname, Keystone V3 has been available and workable since i think Grizzly or Havana	18:08
stevemar	the testTokenRevokeSelfAndAdmin sounds like it uses the Admin token to revoke tokens, but the admin token carries no role data with it	18:08
notmyname	morganfainberg: ah, ok. thanks	18:08
*** dims has joined #openstack-keystone		18:08
stevemar	so it would fail that policy check, afaranha ^	18:08
morganfainberg	notmyname, juno has been the big push to get everyone moved over to using it	18:08
*** afaranha has quit IRC		18:08
morganfainberg	notmyname, and similar for Kilo, we want to deprecate V2.0 keystone api	18:08
notmyname	ah, interesting	18:08
morganfainberg	notmyname, the v3 api solves a lot of issues the v2 api couldn't solve w/o breaking the contract	18:09
morganfainberg	notmyname, if all goes well, we'll have full v3 support across the board in Kilo, and we can mark V2 api as deprecated, with planed obsolescence around 2 cycles out. removal pending "when we think we can without riots"	18:10
notmyname	good luck with that ;-)	18:11
*** jogo has left #openstack-keystone		18:11
notmyname	thanks for the info :-)	18:12
morganfainberg	notmyname, if everything is using V3 say in K, and we deprecate, by M we should likely be able to say "guys... stop using this, no really we mean it... we aren't maintaining it - you should have moved to v3 2 cycles ago"	18:12
*** thedodd has quit IRC		18:12
*** gokrokve has quit IRC		18:12
*** _cjones_ has quit IRC		18:15
*** _cjones_ has joined #openstack-keystone		18:15
*** afaranha has joined #openstack-keystone		18:17
*** radez is now known as radez_g0n3		18:18
afaranha	stevemar: but the rule:admin_required is defined as "role:admin", so its the same, isn't it?	18:18
openstackgerrit	Nathan Kinder proposed a change to openstack/keystone: Allow domain admin to show their own domain https://review.openstack.org/130298	18:19
stevemar	afaranha, nah, "admin_required": is "role:admin or is_admin:1",	18:19
stevemar	using the ADMIN_TOKEN from your config file sets is_admin to true :)	18:19
afaranha	stevemar: not in v3cloudsample https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L2	18:19
stevemar	i don't think that is used in the tests	18:20
*** _cjones_ has quit IRC		18:20
afaranha	In this test it uses it, because I'm replacing the v3cloudsample to a new one, and I'm changing the v3 policy to pass the tests	18:21
vsilva	hey stevemar, we were discussing (real) federation tests and I remember you were wishing for those. What's your take on how it should be done? Functional along with a new testing "framework" or integrated with tempest?	18:22
*** nellysmitt has joined #openstack-keystone		18:22
vsilva	There should be a discussion about that on the summit, I'm just gathering some info beforehand	18:23
stevemar	afaranha, then we need to evaluate if we want ADMIN_TOKEN to be able to revoke stuff	18:23
afaranha	stevemar, I got this error when I was changing the policy sample, but I just adjust the rule to: "admin_or_owner": "rule:owner or (role:admin and domain_id:%(target.token.user.domain.id)s)" and it works, just replacing the orders of the rules	18:23
stevemar	vsilva, i was going to put up a keystone-spec for that, it might be a bit general	18:23
*** nellysmi_ has quit IRC		18:24
stevemar	vsilva, so i don't know too much about how the 3rd party CI tests run	18:25
stevemar	and i'm not convinced that tempest is the right spot	18:25
stevemar	maybe it is	18:25
stevemar	but we might want to just make a functional test suite that is fired off against a devstack cloud, the only problem is the idp setup	18:26
stevemar	in short, i don't know :(	18:26
vsilva	stevemar, I was going to work on that but since we still don't have that decision I figured I could at least put up a doc comparing the two approaches. Any other pros/cons you see in any?	18:27
vsilva	morganfainberg, marekd ^	18:27
*** thedodd has joined #openstack-keystone		18:28
stevemar	i like the functional test idea, simply because i've already done that with openstackclient	18:28
morganfainberg	stevemar, i'm thinking that functional iss where it's going to need to go	18:28
morganfainberg	but... i am willing to discuss more at the summit since we need to address how all of our testing is done.	18:28
morganfainberg	3rd party CI is also acceptable, but i think there are other cases 3rd party ci will make more sense. k2k and federation (in general) should be something that we have tests showing it works in-tree (or at least in the functional grouping)	18:29
nkinder	morganfainberg: ok, turns out OSC is doing the correct thing with 'domain show' - https://bugs.launchpad.net/python-openstackclient/+bug/1384371	18:29
uvirtbot	nkinder: Error: Could not parse data returned by Launchpad: _ssl.c:489: The handshake operation timed out	18:29
morganfainberg	nkinder, so maybe we should provide an interface to get domain by name	18:29
nkinder	morganfainberg: so there's just the policy change I proposed a patch for, and then the other API changes I need to write a spec for	18:30
nkinder	morganfainberg++	18:30
*** __TheDodd__ has joined #openstack-keystone		18:30
nkinder	morganfainberg: might be a bit tricky for RBAC	18:30
*** jamielennox has joined #openstack-keystone		18:30
nkinder	morganfainberg: we'd need to look up the id by name, then compare it to the domain id in the token before returning anything	18:31
morganfainberg	nkinder, we have a lot of that capability already	18:31
morganfainberg	the @protected decorator (or is it filterprotected) is pretty smart	18:31
nkinder	morganfainberg: I thought someone recently mentioned that we don't look up the target from the database before RBAC	18:32
nkinder	morganfainberg: I was under the impression we did from reading the code a little while back though	18:32
morganfainberg	we can do that with callbacks	18:32
nkinder	morganfainberg: I'll investigate when I write the spec	18:32
morganfainberg	it's possible to say match <thing> from context against <returned ref>	18:33
*** thedodd has quit IRC		18:33
rodrigods	is there a reason for keystonemiddleware to try parsing everything to json?	18:34
morganfainberg	rodrigods, what other format would middleware use?	18:34
morganfainberg	since mostly it's only caring about the token, which is JSON serialized	18:34
rodrigods	morganfainberg, hmm GET OS-FEDERATION/saml2/metadata for example	18:35
rodrigods	it has a XML body	18:35
morganfainberg	but keystonemiddleware doesn't interact with that	18:35
morganfainberg	keystonemiddleware only sits in front of non-keystone endpoints.	18:35
morganfainberg	(this is auth_token)	18:36
rodrigods	morganfainberg, not keystonemiddleware, sorry. Middleware core from keystone =)	18:36
morganfainberg	if you're talking about keystone.middleware.core, the auth_context middleware (keystone server specific)	18:36
morganfainberg	ah	18:36
morganfainberg	because we don't support XML directly (except in some limited special usecases). with Federation/SAML2 we rely on mod_shib to do most of the heavy lifting in decoding/handling the xml, for issuing the XML body there is a special case	18:37
rodrigods	morganfainberg, this seems one of those limited special usecases	18:38
rodrigods	can you give an example? So I can figure out how to fix it.... The issue is causing the SP to never receive the Keystone IdP metadata, unless we copy it manually	18:39
morganfainberg	rodrigods, we might need to exempt that call specifically if it doesn't work.	18:39
morganfainberg	special case as in, we make it a special case if needed ;)	18:40
rodrigods	morganfainberg, should I start by reporting a bug?	18:40
morganfainberg	rodrigods, if it's a legitmate bug, yes.	18:41
rodrigods	morganfainberg, looks like one to me	18:41
morganfainberg	then yep, report a bug :)	18:41
rodrigods	cool	18:41
afaranha	stevemar, I reported a bug detailing the problem, could you check?	18:45
afaranha	https://bugs.launchpad.net/keystone/+bug/1384377	18:45
uvirtbot	Launchpad bug 1384377 in keystone "Policy rule position errors" [Undecided,New]	18:45
*** amakarov is now known as amakarov_away		18:45
stevemar	afaranha, sure dude, morganfainberg cc ^	18:45
gordc	stevemar: in https://review.openstack.org/#/c/102958/, which docs are you referring to?	18:48
afaranha	stevemar, thanks :)	18:48
*** gabriel-bezerra has joined #openstack-keystone		18:48
rodrigods	morganfainberg, stevemar https://bugs.launchpad.net/keystone/+bug/1384382	18:49
uvirtbot	Launchpad bug 1384382 in keystone "GET /OS-FEDERATION/saml2/metadata does not work" [Undecided,New]	18:49
stevemar	gordc, these: http://docs.openstack.org/developer/pycadf/middleware.html	18:50
gordc	stevemar: cool cool. will do	18:50
gordc	stevemar: in a separate patch?	18:53
stevemar	gordc, sure	18:53
gordc	stevemar: also, i added a question	18:53
stevemar	gordc, 42	18:53
*** _cjones_ has joined #openstack-keystone		18:53
gordc	stevemar: i've never seen that movie... or book... or whatever it comes from.lol	18:54
gordc	jackie robinson?	18:54
stevemar	hitchhikers guide	18:54
gordc	he broke the colour barrier. :)	18:54
stevemar	you're out in left field, pun intended	18:54
gordc	lol	18:55
stevemar	gordc, http://en.wikipedia.org/wiki/Phrases_from_The_Hitchhiker's_Guide_to_the_Galaxy#Answer_to_the_Ultimate_Question_of_Life.2C_the_Universe.2C_and_Everything_.2842.29	18:55
gordc	stevemar: http://en.wikipedia.org/wiki/Jackie_Robinson	18:56
stevemar	gordc, yes i'm aware of that lol	18:56
gordc	i don't know how to link in wikipedia but you get the point	18:56
openstackgerrit	gordon chung proposed a change to openstack/keystonemiddleware: add context to keystonemiddleware https://review.openstack.org/130312	19:01
*** amcrn has quit IRC		19:01
*** joesavak has joined #openstack-keystone		19:07
*** david-lyle_ has joined #openstack-keystone		19:07
*** jsavak has quit IRC		19:08
*** david-lyle has quit IRC		19:09
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements https://review.openstack.org/127765	19:11
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystonemiddleware: Updated from global requirements https://review.openstack.org/130320	19:11
*** _cjones_ has quit IRC		19:12
*** _cjones_ has joined #openstack-keystone		19:13
openstackgerrit	Steve Martinelli proposed a change to openstack/keystone: Use correct name of oslo debugger script https://review.openstack.org/130045	19:15
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/pycadf: Updated from global requirements https://review.openstack.org/130329	19:16
*** _cjones_ has quit IRC		19:17
*** david-lyle_ is now known as david-lyle		19:18
openstackgerrit	Steve Martinelli proposed a change to openstack/keystonemiddleware: Use correct name of oslo debugger script https://review.openstack.org/130046	19:19
*** tellesnobrega has joined #openstack-keystone		19:19
*** _cjones_ has joined #openstack-keystone		19:22
openstackgerrit	Steve Martinelli proposed a change to openstack/python-keystoneclient: Use oslo_debug_helper and remove our own version https://review.openstack.org/120104	19:22
*** dims has quit IRC		19:29
*** dims has joined #openstack-keystone		19:30
*** dims has quit IRC		19:34
*** jamielennox has quit IRC		19:36
*** pc-m has quit IRC		19:39
openstackgerrit	gordon chung proposed a change to openstack/keystonemiddleware: Adding audit middleware to keystonemiddleware https://review.openstack.org/102958	19:49
*** dims has joined #openstack-keystone		19:57
openstackgerrit	gordon chung proposed a change to openstack/keystonemiddleware: documentation for audit middleware https://review.openstack.org/130344	20:07
openstackgerrit	gordon chung proposed a change to openstack/keystonemiddleware: add context to keystonemiddleware https://review.openstack.org/130312	20:09
openstackgerrit	gordon chung proposed a change to openstack/keystonemiddleware: documentation for audit middleware https://review.openstack.org/130344	20:12
openstackgerrit	gordon chung proposed a change to openstack/keystonemiddleware: Adding audit middleware to keystonemiddleware https://review.openstack.org/102958	20:12
*** meker12_ has quit IRC		20:12
openstackgerrit	gordon chung proposed a change to openstack/keystonemiddleware: documentation for audit middleware https://review.openstack.org/130344	20:12
gordc	stevemar: i just realised i never created a bp even though spec got merged: https://blueprints.launchpad.net/keystonemiddleware/+spec/audit-middleware	20:13
stevemar	gordc, shit, i'ma -2 everything of yours now	20:17
stevemar	get that paper work done!	20:17
gordc	lol	20:21
gordc	well the spec is in	20:21
gordc	stevemar: it just didn't autocreate a bp i guess	20:21
gordc	use your approve powers	20:22
gordc	https://github.com/openstack/keystone-specs/blob/master/specs/keystonemiddleware/audit-middleware.rst	20:22
*** r1chardj0n3s_afk is now known as r1chardj0n3s		20:24
bknudson	do we actually need 2 +2 for OpenStack Proposal Bot's Updated from global requirements ?	20:25
*** amcrn has joined #openstack-keystone		20:26
*** amcrn has quit IRC		20:26
gordc	bknudson: give it a try and see if someone starts yelling. :)	20:32
morganfainberg	bknudson, no	20:32
morganfainberg	bknudson, 1x+2 is enough	20:32
morganfainberg	same for translations	20:32
*** amcrn has joined #openstack-keystone		20:33
*** gokrokve has joined #openstack-keystone		20:35
breton	morganfainberg: hey	20:38
morganfainberg	breton, pong	20:38
breton	morganfainberg: what about approach on https://blueprints.launchpad.net/keystone/+spec/alembic ?	20:38
morganfainberg	breton, you're working on it :), it is just a "how do we get from here to there"	20:39
morganfainberg	my comment was because i was sweeping up the BPs, making sure i knew i had looked at/addressed that one	20:39
breton	oh, ok. I also wondered whether someone could asign the bp to me	20:40
*** meker12 has joined #openstack-keystone		20:40
morganfainberg	i think you can assign the bp to yourself.	20:40
morganfainberg	i think	20:41
breton	I can't	20:41
morganfainberg	are you logged into LP?	20:41
morganfainberg	and more importantly, what is your LP account [i'm happy to assign it over]	20:41
breton	I am. It's bbobrov	20:42
morganfainberg	assigned	20:42
breton	cool, thanks	20:42
*** NM has quit IRC		20:43
*** meker12 has quit IRC		20:43
*** nellysmitt has quit IRC		20:44
*** meker12 has joined #openstack-keystone		20:44
*** jistr has quit IRC		20:46
*** NM has joined #openstack-keystone		20:47
*** NM has quit IRC		20:48
morganfainberg	stevemar, is it possible to make http://specs.openstack.org/openstack/keystone-specs/ have the sections collapsible, (e.g. so we can make the "implemented" and/or "past" releases all collapsed.	20:51
stevemar	thats a good question	20:52
morganfainberg	or even maybe move to "past" specs where we have the past specifications listed etc	20:52
morganfainberg	you know, make the UX better (no rush on it, but just was thinking)	20:52
morganfainberg	especially with the API specs now being in there	20:53
*** vejdmn has quit IRC		20:53
stevemar	morganfainberg, lemme dig into it	20:53
morganfainberg	stevemar, my thought is we probably want to make implemented specs a separate page which would contain links for each past release and the list for middleware/client. the collapse a section would be a nice add, but not as important if done like that	20:54
*** zzzeek has joined #openstack-keystone		20:54
bknudson	nkinder: I heard back from our product team. They're using user_additional_attribute_mapping , and only using it for description.	20:58
nkinder	bknudson: ok, thanks for checking. I haven't looked, but did you add an explicit option for mapping description?	20:58
nkinder	bknudson: it would be nice to use that instead of an additional mapping	20:59
bknudson	nkinder: no, why add an explicit option when there's additional_attribute_mapping?	20:59
*** boris-42 has quit IRC		21:00
*** tellesnobrega has quit IRC		21:04
*** meker12 has quit IRC		21:06
*** boris-42 has joined #openstack-keystone		21:06
nkinder	bknudson: why have explicit mappings for any of the other items either then?	21:08
bknudson	nkinder: legacy	21:09
bknudson	it was already there	21:09
*** david-lyle_ has joined #openstack-keystone		21:10
*** david-lyle has quit IRC		21:11
*** joesavak has quit IRC		21:14
*** nkinder has quit IRC		21:24
*** mrmoje has quit IRC		21:26
*** packet has quit IRC		21:30
*** david-lyle_ is now known as david-lyle		21:31
openstackgerrit	A change was merged to openstack/pycadf: Updated from global requirements https://review.openstack.org/130329	21:35
*** marcoemorais has quit IRC		21:43
*** marcoemorais1 has joined #openstack-keystone		21:43
*** marcoemorais1 has quit IRC		21:45
*** marcoemorais has joined #openstack-keystone		21:45
openstackgerrit	Dolph Mathews proposed a change to openstack/keystone: remove XML middleware from default paste config https://review.openstack.org/130371	21:53
morganfainberg	dolphm, :( my first world problem is making me sad.	21:56
morganfainberg	dolphm, i'm too used to retina displays now.	21:56
*** thiagop has quit IRC		21:56
dolphm	morganfainberg: what, did you go antique shopping?	21:56
stevemar	he bought a thinkpad	21:57
stevemar	self-burn!	21:57
morganfainberg	dolphm, no the thunderbolt display looks icky compared to the retina display on the MBPr	21:57
dolphm	oh just sit back	21:57
morganfainberg	dolphm, and i was playing with a iMac 5k when i was getting the key caps on my laptop replaced due to chipping.	21:57
dolphm	i still use a thunderbolt at work :P	21:57
dolphm	morganfainberg: oh well then you've been scarred	21:57
dolphm	that's not reversible	21:57
morganfainberg	i just dusted my thunderbolt display off after ... uh... i joined HP ~6mo ago	21:57
dolphm	wha	21:58
morganfainberg	2x thunderbolt displays have been gathering dust since i changed jobs	21:58
morganfainberg	just never set them up when i moved all my stuff back home from the office	21:58
morganfainberg	and i have a 30" dell monitor too in a box somewhere (the photo calibrated one)	21:59
morganfainberg	i should sell off some of this gear :P	21:59
dolphm	ooh which dell	22:00
dolphm	U3011?	22:00
morganfainberg	let me check it's a u30XX something	22:00
morganfainberg	yep a u3011	22:01
morganfainberg	been in a box for... 2yrs now? 2.5 yrs?	22:01
openstackgerrit	A change was merged to openstack/keystone: Updated from global requirements https://review.openstack.org/127765	22:02
morganfainberg	since i moved from santa monica so 2.5years or so just gathering dust.	22:02
dolphm	i wanted one of those forever - i ended up settling for a higher frequency monitor instead of a high res one	22:04
dolphm	we have a ton of ultrasharps at work, i love them	22:04
dolphm	never owned one myself	22:04
morganfainberg	i got it when i was doing photographic stuff (when i worked for blizzard)	22:05
morganfainberg	was super nice to have a calibrated monitor	22:05
morganfainberg	and since all my camera gear was stolen since i haven't really needed to pull the thing out.	22:05
*** marcoemorais has quit IRC		22:07
*** marcoemorais has joined #openstack-keystone		22:08
stevemar	morganfainberg, so i found something	22:11
morganfainberg	?	22:11
stevemar	a sphinx extension: http://scopatz.github.io/hiddencode/	22:11
stevemar	it's one file: https://github.com/scopatz/hiddencode	22:11
openstackgerrit	werner mendizabal proposed a change to openstack/keystone-specs: This blueprint details the work required for Multi-factor Authentication https://review.openstack.org/130376	22:12
stevemar	morganfainberg, thats about as close as we are going to get for collapsible section	22:12
stevemar	s	22:12
openstackgerrit	werner mendizabal proposed a change to openstack/keystone-specs: This blueprint details the work required for Multi-factor Authentication https://review.openstack.org/130376	22:12
*** sigmavirus24 is now known as sigmavirus24_awa		22:13
morganfainberg	stevemar, what about splitting up to "active" and "implemented/past release cycles"?	22:13
stevemar	morganfainberg, thats the other options	22:14
morganfainberg	might be easier / cleaner?	22:14
stevemar	yeah	22:14
stevemar	i just dug into that to make sure i wasn't missing something, and it was kinda interesting :)	22:14
stevemar	albeit, pointless	22:15
*** gordc has quit IRC		22:16
*** __TheDodd__ has quit IRC		22:17
morganfainberg	dolphm, second question, upgrade to Yosemite -> do you have issues with gdbm not being available for testr?	22:19
dolphm	morganfainberg: i can't get past missing sasl headers	22:19
*** adam_g is now known as adam_g_gone		22:19
morganfainberg	doh!	22:20
dolphm	morganfainberg: apparently mavericks included sasl.h, and yosemite doesn't, but i installed openldap with no luck	22:20
morganfainberg	weird	22:20
dolphm	morganfainberg: anyway, i can't install python-ldap	22:20
morganfainberg	i'm not having that issue.	22:20
dolphm	morganfainberg: so haven't gotten as far as tests	22:20
* morganfainberg shrugs.		22:20
*** marcoemorais has quit IRC		22:20
dolphm	morganfainberg: clean install or upgrade?	22:21
*** marcoemorais has joined #openstack-keystone		22:21
morganfainberg	upgrade.	22:21
morganfainberg	couldn't afford a clean install. too time intensive.	22:21
dolphm	pip install python-ldap http://pasteraw.com/ql2o3s5zv5vz3wux8q1w00on8rnjqc	22:21
morganfainberg	but i also did beta -> GM upgrade.	22:21
morganfainberg	and had beta of xcode for a while.	22:21
dolphm	the "defines: HAVE_SASL" suggests that something is already awry because have NO sasl apparently	22:22
morganfainberg	dolphm, http://paste.openstack.org/show/123326/	22:22
morganfainberg	new VENV	22:22
morganfainberg	and my brew list is: autoconfautomakelibgpg-errorlibksbalibtoollibyamlmakedependopensslpkg-configreadline	22:23
morganfainberg	but i don't thnk i have any linked	22:23
gyee	I am about to upgrade to Yosemite, should I hold off?	22:25
morganfainberg	gyee do you use a VM to run tests?	22:25
morganfainberg	if the answer is "yes" no worries.	22:25
openstackgerrit	Steve Martinelli proposed a change to openstack/keystone-specs: Create a seperate page for old specs https://review.openstack.org/130379	22:25
morganfainberg	if the answer is "no" you might want to wairt	22:25
dolphm	morganfainberg: hmm, you're python-ldap is built with cc, mine uses clang	22:26
gyee	morganfainberg, my other options is virtualbox	22:26
stevemar	morganfainberg, dolphm https://review.openstack.org/#/c/130379/ ^	22:26
gyee	I have VB running on Mac as well	22:26
morganfainberg	dolphm, ohh	22:26
morganfainberg	dolphm, ARCHFLAGS=-Wno-error=unused-command-line-argument	22:26
*** marcoemorais has quit IRC		22:26
morganfainberg	dolphm, the "fix" for mavericks changed to that	22:26
stevemar	i think it looks better organized now :)	22:27
*** bknudson has quit IRC		22:27
dolphm	what is that the fix for?	22:27
morganfainberg	cli tools doing stupid things other compilers don't do	22:27
morganfainberg	hm. cc = clang for me	22:28
morganfainberg	(VENV)nullptr:work morgan$ cc	22:28
morganfainberg	clang: error: no input files	22:28
dolphm	oh same here	22:28
stevemar	morganfainberg, is this what you were thinking of: http://docs-draft.openstack.org/79/130379/1/check/gate-keystone-specs-docs/fa3779f/doc/build/html/	22:29
*** david-lyle_ has joined #openstack-keystone		22:30
*** david-lyle has quit IRC		22:30
morganfainberg	dolphm, do you ahve /usr/include/sasl ?	22:31
morganfainberg	dolphm, if you do, then it's that ARCHFLAG thing	22:31
morganfainberg	in mavericks i needed ARCHFLAGS=-Wno-error=unused-command-line-argument-hard-error-in-future	22:31
morganfainberg	stevemar, pretty much spot on	22:32
dolphm	morganfainberg: i have no /usr/include/	22:32
morganfainberg	dolphm, did you reinstall latest xcode and did the whole SDK install?	22:32
morganfainberg	xcode-select --install or whatever it is	22:33
dolphm	i upgraded xcode, i think via app store	22:33
morganfainberg	you need to do some re-install magic on upgrade even from app store	22:33
stevemar	yee haw	22:33
dolphm	morganfainberg: oh alrighty, doing that now	22:33
morganfainberg	dolphm, all sorts of things were somewhat broken when i just upgraded w/o the install	22:34
*** marcoemorais has joined #openstack-keystone		22:35
*** amerine has joined #openstack-keystone		22:37
dolphm	morganfainberg: yay, thanks!	22:39
morganfainberg	dolphm, :)	22:39
*** jorge_munoz has quit IRC		22:40
*** stevemar has quit IRC		22:40
*** jorge_munoz has joined #openstack-keystone		22:41
*** dims_ has joined #openstack-keystone		22:44
*** dims_ has quit IRC		22:45
*** dims_ has joined #openstack-keystone		22:46
*** dims has quit IRC		22:47
*** r-daneel has quit IRC		22:50
*** dims_ has quit IRC		22:50
morganfainberg	dolphm, i'd totally get a iMac 5k, but i don't want to spend 5k on a computer :P	22:51
dolphm	morganfainberg: no worries. they'll make a 5k display soon and then you can spend 4k on a monitor	22:52
morganfainberg	haha	22:53
morganfainberg	i'd need to sell my ~$$$$ in monitors first	22:53
morganfainberg	:(	22:53
dolphm	maybe it'll have a built in last gen apple tv	22:53
morganfainberg	right?!	22:53
morganfainberg	just what i always wanted... an AppleTV in my monitor!	22:53
* morganfainberg should call my buddy who works at Apple... i mean he works on Siri, thats the same thing as AppleTV and Monitors, right?		22:54
openstackgerrit	Dolph Mathews proposed a change to openstack/keystone: remove XML middleware from default paste config https://review.openstack.org/130371	22:54
dolphm	morganfainberg: with siri you don't need a monitor, duh	22:54
morganfainberg	right!	22:54
morganfainberg	it's like having closed c aptions on,... and being read to you... by an au.. i'll just see myself out	22:55
dolphm	morganfainberg: i bet he has a lifesize siri	22:55
*** marcoemorais has quit IRC		23:03
*** marcoemorais has joined #openstack-keystone		23:04
*** marcoemorais has quit IRC		23:04
*** marcoemorais has joined #openstack-keystone		23:04
*** marcoemorais has quit IRC		23:06
*** marcoemorais has joined #openstack-keystone		23:07
*** gokrokve_ has joined #openstack-keystone		23:09
*** gokrokve has quit IRC		23:12
*** diegows has quit IRC		23:13
*** lhcheng has quit IRC		23:18
*** marcoemorais has quit IRC		23:19
*** lhcheng has joined #openstack-keystone		23:19
*** henrynash has quit IRC		23:27
*** gokrokve_ has quit IRC		23:27
*** tellesnobrega has joined #openstack-keystone		23:34
*** marcoemorais has joined #openstack-keystone		23:41
*** gokrokve has joined #openstack-keystone		23:43
*** dims has joined #openstack-keystone		23:44
rodrigods	dolphm, just saw your response at ml, do you have some time to take a look at https://bugs.launchpad.net/keystone/+bug/1384382 ?	23:46
uvirtbot	Launchpad bug 1384382 in keystone "GET /OS-FEDERATION/saml2/metadata does not work" [Undecided,New]	23:46
*** gyee has quit IRC		23:57

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!