Monday, 2014-10-27

« Sunday, 2014-10-26 Index Tuesday, 2014-10-28 »
openstackgerritBrant Knudson proposed a change to openstack/keystone: Remove endpoint_substitution_whitelist config option  https://review.openstack.org/13100700:03
*** david-lyle has joined #openstack-keystone00:03
*** lhcheng has joined #openstack-keystone00:04
*** lhcheng_ has joined #openstack-keystone00:05
*** david-lyle has quit IRC00:08
*** arif-ali has quit IRC00:09
openstackgerritA change was merged to openstack/python-keystoneclient: Prevent AttributeError if no authorization  https://review.openstack.org/10071400:20
*** mitz_ has joined #openstack-keystone00:40
*** HenryG has quit IRC00:41
*** jacer_huawei has quit IRC00:45
*** cjellick has joined #openstack-keystone00:45
*** HenryG has joined #openstack-keystone00:46
*** cjellick has quit IRC00:50
openstackgerritBrant Knudson proposed a change to openstack/keystone: Move eventlet server options to a config section  https://review.openstack.org/13096200:51
*** jacer_huawei has joined #openstack-keystone00:57
*** diegows has quit IRC01:05
*** diegows has joined #openstack-keystone01:10
*** shikui_ has joined #openstack-keystone01:12
*** Kui has quit IRC01:15
openstackgerritwanghong proposed a change to openstack/keystone: remove implemented TODO in catalog/backends/sql.py  https://review.openstack.org/12983001:18
*** BAKfr has quit IRC01:18
*** HenryG has quit IRC01:24
*** BAKfr has joined #openstack-keystone01:27
*** HenryG has joined #openstack-keystone01:32
*** ncoghlan is now known as ncoghlan_afk01:39
*** lihkin has joined #openstack-keystone01:41
*** ncoghlan_afk is now known as ncoghlan01:44
*** cjellick has joined #openstack-keystone01:46
*** cjellick has quit IRC01:51
*** tellesnobrega_ has joined #openstack-keystone02:16
*** david-lyle has joined #openstack-keystone02:19
*** ncoghlan is now known as ncoghlan_afk02:20
*** david-lyle has quit IRC02:24
*** dimsum_ has quit IRC02:31
*** dimsum_ has joined #openstack-keystone02:33
*** dimsum_ has quit IRC02:33
*** chrisshattuck has joined #openstack-keystone02:37
*** dimsum_ has joined #openstack-keystone02:41
*** cjellick has joined #openstack-keystone02:47
*** alex_xu has joined #openstack-keystone02:49
*** dimsum_ has quit IRC02:51
*** cjellick has quit IRC02:52
*** KanagarajM has joined #openstack-keystone02:58
*** KanagarajM has quit IRC03:03
*** KanagarajM has joined #openstack-keystone03:05
*** ncoghlan_afk is now known as ncoghlan03:10
*** tellesnobrega_ has quit IRC03:14
*** lihkin has quit IRC03:15
*** alex_xu has quit IRC03:18
*** alex_xu has joined #openstack-keystone03:19
*** david-lyle has joined #openstack-keystone03:21
*** david-lyle has quit IRC03:25
*** jeffrey4l has joined #openstack-keystone03:30
*** cjellick has joined #openstack-keystone03:48
*** dimsum_ has joined #openstack-keystone03:51
*** cjellick has quit IRC03:53
*** dimsum_ has quit IRC03:57
*** lhcheng has quit IRC04:01
*** lhcheng_ is now known as lhcheng04:01
*** ncoghlan is now known as ncoghlan_afk04:01
*** lhcheng_ has joined #openstack-keystone04:02
*** david-lyle has joined #openstack-keystone04:19
*** david-lyle has quit IRC04:24
*** lhcheng_ has quit IRC04:27
*** ncoghlan_afk is now known as ncoghlan04:37
*** ncoghlan is now known as ncoghlan_afk04:48
*** cjellick has joined #openstack-keystone04:49
*** cjellick has quit IRC04:53
*** lhcheng has quit IRC05:01
*** bknudson has quit IRC05:13
*** david-lyle has joined #openstack-keystone05:20
*** chrisshattuck has quit IRC05:23
*** david-lyle has quit IRC05:25
*** diegows has quit IRC05:35
*** cjellick has joined #openstack-keystone05:49
*** bknudson has joined #openstack-keystone05:53
*** cjellick has quit IRC05:54
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/13092906:06
*** arif-ali has joined #openstack-keystone06:14
*** k4n0 has joined #openstack-keystone06:18
*** afazekas is now known as _afazekas06:20
*** arif-ali has quit IRC06:31
*** arif-ali has joined #openstack-keystone06:36
*** dimsum_ has joined #openstack-keystone06:44
*** dimsum_ has quit IRC06:49
*** cjellick has joined #openstack-keystone06:50
*** cjellick has quit IRC06:55
*** KanagarajM has quit IRC06:59
*** ukalifon1 has joined #openstack-keystone07:01
*** bknudson has quit IRC07:12
*** bknudson has joined #openstack-keystone07:18
openstackgerritwanghong proposed a change to openstack/keystonemiddleware: fallback to online validation if offline validation fails  https://review.openstack.org/13103607:19
*** cjellick has joined #openstack-keystone07:51
*** cjellick has quit IRC07:56
*** marekd|away is now known as marekd08:00
*** jeffrey4l has left #openstack-keystone08:07
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Use new ksc features in User Token Plugin  https://review.openstack.org/13104808:35
*** ncoghlan_afk is now known as ncoghlan08:38
*** jistr has joined #openstack-keystone08:49
*** cjellick has joined #openstack-keystone08:52
*** cjellick has quit IRC08:56
*** bknudson has quit IRC08:56
*** bknudson has joined #openstack-keystone09:05
*** ncoghlan has quit IRC09:07
*** alex_xu has quit IRC09:24
*** andreaf has joined #openstack-keystone09:44
*** cjellick has joined #openstack-keystone09:53
*** cjellick has quit IRC09:58
*** jaosorior has joined #openstack-keystone10:04
*** tellesnobrega_ has joined #openstack-keystone10:16
*** dimsum_ has joined #openstack-keystone10:19
*** dimsum_ has quit IRC10:23
*** jacer_huawei has quit IRC10:30
*** Guest31651 is now known as amakarov10:37
*** tellesnobrega_ has quit IRC10:41
*** jacer_huawei has joined #openstack-keystone10:45
*** tellesnobrega_ has joined #openstack-keystone10:51
*** cjellick has joined #openstack-keystone10:54
*** tellesnobrega_ has quit IRC10:57
*** cjellick has quit IRC10:59
*** dimsum_ has joined #openstack-keystone10:59
*** afaranha has quit IRC11:04
*** diegows has joined #openstack-keystone11:36
*** topol has joined #openstack-keystone11:45
*** afazekas has joined #openstack-keystone11:51
*** cjellick has joined #openstack-keystone11:55
*** cjellick has quit IRC12:00
*** pc-m has joined #openstack-keystone12:00
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements  https://review.openstack.org/13089712:16
*** openstackgerrit has quit IRC12:19
*** openstackgerrit has joined #openstack-keystone12:19
openstackgerritOpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/13112212:21
*** shikui_ has quit IRC12:25
*** vhoward has joined #openstack-keystone12:32
*** miqui has joined #openstack-keystone12:34
*** openstackgerrit has quit IRC12:34
*** openstackgerrit has joined #openstack-keystone12:34
*** vejdmn has joined #openstack-keystone12:41
*** aix has joined #openstack-keystone12:50
*** topol has quit IRC12:51
*** diegows has quit IRC12:54
*** radez_g0n3 is now known as radez12:55
*** cjellick has joined #openstack-keystone12:56
*** cjellick has quit IRC13:00
*** bknudson has quit IRC13:02
*** gordc has joined #openstack-keystone13:03
openstackgerrithenry-nash proposed a change to openstack/keystone-specs: Split up assignments, making role-assignments pluggable.  https://review.openstack.org/12939713:04
openstackgerrithenry-nash proposed a change to openstack/keystone: Split up assignments and make the assignments piece pluggable  https://review.openstack.org/13095413:06
*** raildo has joined #openstack-keystone13:07
*** sigmavirus24_awa is now known as sigmavirus2413:09
jamielennoxanyone home? I'm just looking at https://review.openstack.org/#/c/102958 which is to bring audit over to keystonemiddleware repo. Change looks fine - but was there a decision that we wanted to do this rather than keep it's own repo?13:11
*** nkinder has quit IRC13:11
*** thiagop has joined #openstack-keystone13:16
*** ayoung has joined #openstack-keystone13:18
openstackgerrithenry-nash proposed a change to openstack/keystone: Split up assignments and make the assignments piece pluggable  https://review.openstack.org/13095413:19
*** bknudson has joined #openstack-keystone13:23
*** dimsum_ has quit IRC13:25
*** dimsum_ has joined #openstack-keystone13:26
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Use correct name of oslo debugger script  https://review.openstack.org/13004613:27
*** joesavak has joined #openstack-keystone13:38
gordcjamielennox: i added this spec a few months back: http://specs.openstack.org/openstack/keystone-specs/specs/keystonemiddleware/audit-middleware.html13:41
gordcjamielennox: i can't speak for whether or not the plan has changed since... just working on it since no one has told me otherwise13:42
*** k4n0 has quit IRC13:51
*** cjellick has joined #openstack-keystone13:56
*** richm has joined #openstack-keystone13:57
lbragstadmorganfainberg: that snippet looks good14:00
*** afaranha has joined #openstack-keystone14:01
*** radez is now known as radez_g0n314:01
*** cjellick has quit IRC14:01
openstackgerritA change was merged to openstack/python-keystoneclient: Use oslo_debug_helper and remove our own version  https://review.openstack.org/12010414:01
*** lihkin has joined #openstack-keystone14:05
*** joesavak has quit IRC14:06
jamielennoxgordc: ok - i don't see why things would have changed i was just wondering14:06
*** nkinder has joined #openstack-keystone14:09
openstackgerritSamuel de Medeiros Queiroz proposed a change to openstack/keystone: Improve list role assignments filters performance  https://review.openstack.org/11668214:10
*** topol has joined #openstack-keystone14:10
openstackgerritA change was merged to openstack/python-keystoneclient: Doc cleanup, make concepts links  https://review.openstack.org/12769014:10
openstackgerritA change was merged to openstack/python-keystoneclient: Correct typos in using-sessions  https://review.openstack.org/12768614:10
openstackgerritA change was merged to openstack/keystonemiddleware: BaseAuthTokenMiddlewareTest.setUp call super normally  https://review.openstack.org/12227914:10
*** radez_g0n3 is now known as radez14:17
openstackgerritA change was merged to openstack/keystonemiddleware: Improve help strings  https://review.openstack.org/11804814:19
*** russellb is now known as drumkilla14:20
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Correct Session docstring  https://review.openstack.org/12780514:20
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Correct documenting constructor parameters  https://review.openstack.org/12781214:20
*** drumkilla is now known as russellb14:20
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Correct Session docstring  https://review.openstack.org/12780514:25
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Correct documenting constructor parameters  https://review.openstack.org/12781214:25
samuelmsdstanek, ping14:27
dstaneksamuelms: pong14:27
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Correct documenting constructor parameters  https://review.openstack.org/12781214:28
samuelmsdstanek, regardind your comment on review #116682 (Improve list role assignments performance)14:29
samuelmsdstanek, s/regardind/regarding :)14:29
nkinderayoung: I was able to get automation for setting up a few keystone scenarios using 100% freely available bits - https://github.com/nkinder/rdo-vm-factory14:29
samuelmsdstanek, I agree with you on the point of splitting  controller/manager roles ..14:29
nkinderayoung: There's keystone+FreeIPA with it all set up for kerberos14:30
samuelmsdstanek, but I'd prefer to address that in a second patch ..14:30
nkinderayoung: also keystone+AD for LDAP identity14:30
ayoungnkinder, nice14:30
ayoungvery nice14:30
nkinderayoung: I changed the way we configured kerberos a bit14:30
nkinderayoung: I avoided using hte deprecated LegacyDomain plug-in and switched to KerberosDomain14:30
ayoungnkinder, so if I want to do a setup against a pre-existing IPA server, but let it do all the other provisioning, what do I do?14:30
nkinderayoung: that required setting REMOTE_DOMAIN in the httpd config and using the local user mapping14:31
nkinderayoung: look at https://github.com/nkinder/rdo-vm-factory/blob/master/rdo-kerberos-setup/vm-post-cloud-init-rdo.sh14:31
dstaneksamuelms: this would be a good things for others to chime in on because it does add quite a bit of code14:31
*** vejdmn has quit IRC14:31
nkinderayoung: that's all post cloud-init, so it's packstack and everything after for the RDO system14:31
*** chrisshattuck has joined #openstack-keystone14:31
nkinderayoung: that assumes that IPA already exists on another system14:31
*** vejdmn has joined #openstack-keystone14:32
bknudsondstanek: samuelms: this was the point of the search hints, so that the backend can implement the search more efficiently14:33
samuelmsbknudson, in this case, passing hints as arguments to manager, right?14:35
bknudsonlike list_users: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/core.py#n60714:36
samuelmsbknudson, to apply 'effective' option, in this case (cannot be applied by the driver)14:36
dstaneksamuelms: my point was that none of the filtering or helpers should be in the controller14:37
samuelmsdstanek, ++ I agree  .. for me the only thing the controller should do is to check options/filters and the combination of them ..14:38
ayoungnkinder, so it runs on the local machine?14:38
samuelmsdstanek, business logic, like 'effective' should always be applied at manager level14:38
nkinderayoung: if you run setup.sh, it creates two VMs on the local system (one for FreeIPA, one for RDO)14:39
nkinderayoung: the vm-post-cloud-init-* scripts are what get copied to the VMs to do post-installation config14:39
ayoungnkinder, I want to set something up on the dreamhost public demo, which is Openstack14:39
nkinderayoung: so you could take that and run the pieces you want on a local system14:39
ayoungI assume I create the two VMs by hand then?14:39
ayoungOK,  let me give it a try.14:40
ayoungnkinder, did you try Horizon yet?14:40
nkinderayoung: I haven't kerberized horizon yet14:40
ayoungnkinder, lets focus on that now.  I want to make sure we iron out any issues before we fly14:41
ayoungI've been working on the damned thing all release.  Would be a pity not to show it next week.14:42
openstackgerritBrant Knudson proposed a change to openstack/keystonemiddleware: Change tenant to project  https://review.openstack.org/12706614:42
openstackgerritBrant Knudson proposed a change to openstack/keystonemiddleware: Correct tests to use strings in conf  https://review.openstack.org/12865514:42
openstackgerritBrant Knudson proposed a change to openstack/keystonemiddleware: Auth token supports deprecated names for paste conf options  https://review.openstack.org/12865614:42
openstackgerritBrant Knudson proposed a change to openstack/keystonemiddleware: Change admin user to service user.  https://review.openstack.org/12707514:42
openstackgerritBrant Knudson proposed a change to openstack/keystonemiddleware: Change occurrences of keystone to identity server  https://review.openstack.org/12706214:42
*** joesavak has joined #openstack-keystone14:43
jamielennoxayoung: have you tried the changes i made to keystoneclient-kerberos?14:43
ayoungjamielennox, yep.  No problem14:43
jamielennoxayoung: cool, didn't think i changed anything important14:43
ayoungjamielennox, from D-Openstack-auth it is just a slightly different string used to create the plugin14:44
ayoungjamielennox, https://review.openstack.org/#/c/123614/14:45
ayoungjamielennox, that needs much work over time to use the session/auth plugin stuff the way we discussed, but it should work for now14:45
ayoungsorry, wrong link14:46
ayounghttps://review.openstack.org/#/c/115463/14:46
openstackgerritThiago Paiva Brito proposed a change to openstack/python-keystoneclient: Implementing hierarchical calls on keystoneclient v3 (python only)  https://review.openstack.org/11577014:46
jamielennoxayoung: not sure what you're directing me to there14:48
ayoungjamielennox, that was the updated patch. You can diff to the previous version to see14:48
ayoungalthough it did require a rebase14:48
jamielennoxother that why are you using stevedore directly?14:48
*** chrisshattuck has quit IRC14:49
jamielennoxayoung: ^ is there some reason not to use the helpers in ksc?>14:51
*** lihkin has quit IRC14:51
ayoungjamielennox, what helpers?14:51
jamielennoxayoung: actually i guess it's mostly just ksc.auth.get_plugin_class if you're not using the config or CLI stuff14:52
*** radez is now known as radez_g0n314:53
ayoungjamielennox, so the Kerberos plugin might not be installed14:53
jamielennoxget_plugin_class('v3kerberos')14:53
ayoungah14:53
jamielennoxhttps://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/auth/base.py#L4414:53
ayoungjamielennox, so...I'm less concerned with this, than somehow figuring out that the AUTH_URL is supposed to be the Kerberized one.  We really have no way of advertising auth mechanisms14:54
jamielennoxayoung: yep - known issue, will come up at summit i think14:54
jamielennoxhowever when initializing a v3plugin you should give it the correct URL14:55
ayoungthe tie in between DOA and the config object from Horizon is going to make it annoying to do "build auth plugin from conf file"14:55
jamielennoxso '.../v3/kerb/ or whatever14:55
jamielennoxayoung: yea, but that shouldn't matter because that would only work for when your auth is stored in a file somewhere - that's not the case for horizon14:56
jamielennoxhorizon could iterate through the available plugins - but it's going to have to know how to construct the appropriate boxes and stuff so i think it's best that it handles that manually14:56
*** lihkin has joined #openstack-keystone14:57
ayoungtrue.14:57
jamielennoxi don't think just by installing a library on the server you should instantly get horizon auth via that method14:57
ayoungand that is how it is done now.  It looks to see if the Kerberos specific variable is set14:57
ayoungCCACHE14:57
jamielennoxyep, that works for horizon, how it wants to manage all it's auth mechanisms is completely up to horizon and they can just back onto the appropriate keystone plugin14:58
ayoungjamielennox, I was trying to keep from having to modify Horizon as well as everything else...too many moving pieces14:58
ayoungSo if the admin wants to Kerberize horizon, but not run the S4U2Proxy stuff, they could drop the kerber plugin to KC and then it would just do Kerb on top of UserID Password14:58
ayoungdon;t know why you would want to, but it is possible14:59
openstackgerritBrant Knudson proposed a change to openstack/keystonemiddleware: Refactor extract class for signing directory  https://review.openstack.org/12228115:00
openstackgerritBrant Knudson proposed a change to openstack/keystonemiddleware: Auth token tests create temp cert directory  https://review.openstack.org/12228015:00
openstackgerritBrant Knudson proposed a change to openstack/keystonemiddleware: Refactor auth_token revocation list members to new class  https://review.openstack.org/10240315:00
*** jorge_munoz has joined #openstack-keystone15:03
jamielennoxoh yes nova tests, i'm sure everything will work just fine if we don't have a service catalog....15:04
*** david-lyle has joined #openstack-keystone15:05
richmIs there a way to add an existing user to a tenant?  Or perhaps that should be the other way around - is there a way to add a tenant to an existing user?  Not sure about the terminology.15:13
richmThis is the problem - I have an existing LDAP server that I want to use with a new keystone deployment15:13
richmpuppet-keystone wants to use user-create to add the user and set the tenant15:14
richmthen, wants to add the new user to a role15:14
richmbut if the user already exists, user-create won't be called, so the tenant operation will be skipped15:14
jamielennoxrichm a user is in a project if it has a role on the project15:15
jamielennoxso you just need to define a role relationship15:15
richmtenant == project?15:15
jamielennoxrichm: yes, we're trying to bring people to use project15:15
richmok - puppet uses tenant everywhere15:15
richmjamielennox: so, user-role-add?15:15
jamielennoxrichm: that sounds right15:16
richmpuppet uses that, but it does that only to add the user to the role - it assumes the user has already been assigned to a project/tenant15:17
richmI could probably do that, but then I would have to rewrite every single puppet module everywhere :-(15:17
richmWhat I'm looking for is a way to "fake out" the puppet keystone_user create call, to just assign the existing user to a project/tenant15:18
morganfainbergmornin15:18
richmbecause that's the point at which I know what project/tenant is associated with the user15:19
jamielennoxrichm: so i think your terminology is kind of wrong there15:19
richmok15:19
*** cjellick has joined #openstack-keystone15:19
richmI'm sure it is15:19
jamielennoxhaving the role is what makes a user part of a tenant15:19
jamielennoxyou have users, you have tenants, roles is the M:M relationship15:19
*** thedodd has joined #openstack-keystone15:20
richmkeystone user-create --name $name --tenant $tenant --pass $pass --email $email --enabled true15:20
jamielennoxyep, it gives the __member__ role or something like that15:20
richmah, so it assigns a default role15:20
*** chrisshattuck has joined #openstack-keystone15:21
jamielennoxyes15:22
morganfainbergjamielennox, i'm going to be sweeping through the keystoneclient blueprints today trying to cleanup/deprioritize ones that have been lingering15:23
morganfainbergmight bug you if i have anyquestions15:23
jamielennoxmorganfainberg: np - there's a lot of crap in there15:23
*** cjellick has quit IRC15:24
jamielennoxrichm: so if i do user-role-list on my devstack i can see the _member_ role15:24
richmso to duplicate what user-create does, without the actual user creation part, I need to do something like keystone user-role-add --user cinder --role $default_role --tenant services15:24
jamielennoxyep15:24
morganfainbergjamielennox, are we going to do i18n stuff in keystoneclient?15:25
morganfainberg(ever)15:25
*** ukalifon1 has quit IRC15:25
jamielennoxrichm: i can't remember but i think _member_ is a devstack defined thing, i don't know if you can always assume it's there - you just need to add some role relationship15:26
jamielennoxmorganfainberg: i don't know how python i18n works in libraries15:26
morganfainbergjamielennox, and i think https://blueprints.launchpad.net/python-keystoneclient/+spec/uber-plugin is the wrong direction.15:26
jamielennoxmorganfainberg: it's fine for servers because you have an obvious entrypoint where it can set things up - but i've not seen any of the other OS libraries do i18n and i haven't really looked into generally how it's done15:27
morganfainbergok i'm going to just leave the i18n bp as is15:27
jamielennoxyea, looked at that one today - i misread his patch thinking  he wanted a plugin for the CLI, but i don't know what the point of that plugin would be15:28
jamielennoxi don't know why you would submit both15:28
jamielennoxi left some comments on the code, otherwise i thought i'd talk to him at summit15:28
richmjamielennox: ok - is the intention with keystone that there should always be some sort of default role that all users have?15:29
richmI see in the default packstack install that there is a _member_ role15:29
*** dimsum_ has quit IRC15:29
*** andreaf has quit IRC15:30
openstackgerritBrant Knudson proposed a change to openstack/keystonemiddleware: Refactor extract class for signing directory  https://review.openstack.org/12228115:30
openstackgerritBrant Knudson proposed a change to openstack/keystonemiddleware: Refactor auth_token revocation list members to new class  https://review.openstack.org/10240315:30
jamielennoxrichm: it's not defined by keystone at all, I expect you will need to have some role like that to link users/tenants but what you call it and what permissions you attach could be deployment specific15:31
*** dimsum_ has joined #openstack-keystone15:31
jamielennoxrichm: more i think i would expect that any deployment mechanism would have a role set up like that, devstack/packstack/ i would expect even the raw puppet modules would have to define something like that15:31
richmjamielennox: ok - I need to figure how where packstack creates the _member_ role - it's not in the puppet-keystone keystone specific puppet modules15:32
richmwill keystone user-role-add --user $user --role _member_ --tenant $tenant ADD the role _member_ if it does not exist?15:36
morganfainbergjamielennox, didnt https://blueprints.launchpad.net/python-keystoneclient/+spec/keystoneclient-from-config merge with the session changes recently?15:37
jamielennoxmorganfainberg: wow, that's a year and i'm still working on almost exactly that :(15:37
jamielennoxyea, it can probably be marked off as part of the auth plugins and session stuff15:37
*** diegows has joined #openstack-keystone15:38
morganfainbergand https://blueprints.launchpad.net/python-keystoneclient/+spec/plugin-params15:38
jamielennoxfrom the ksc side it's done15:38
jamielennoxrichm: no idea, i would think now15:38
jamielennoxmorganfainberg: yep, done15:39
jamielennoxreleased 0.11 maybe 0.1015:39
bknudsonmorganfainberg: I think we can do i18n in keystoneclient and keystonemiddleware now15:40
morganfainbergbknudson, we should then ^_^15:40
morganfainbergjamielennox, https://blueprints.launchpad.net/python-keystoneclient/+spec/session-propagation15:41
morganfainbergjamielennox, and https://blueprints.launchpad.net/python-keystoneclient/+spec/session-retries15:41
morganfainberg(sorry just trying to do the quick cleanup here)15:42
jamielennoxmorganfainberg: wow, that's generic15:42
morganfainbergjamielennox, yeah15:42
jamielennoxretries done, released 0.1115:42
ayoungnkinder  is this for F20 as well:  https://github.com/nkinder/rdo-vm-factory/blob/master/rdo-kerberos-setup/vm-post-cloud-init-rdo.sh15:43
jamielennoxmorganfainberg: you can probably close out propagation. I can mark it as the adapter stuff so 0.1015:43
ayoungnkinder, specifically:  # RDO requires EPEL15:43
ayoungyum install -y http://download.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-2.noarch.rpm15:43
ayoungyum-config-manager --enable epel15:43
ayoungrichm, _member_ was a porting thing when we went from users being owned by tenants to users being assigned roles in projects15:44
*** lihkin has quit IRC15:44
ayoungsince there might have been a Member role already assigned by Horizon, but we could not be certain15:44
morganfainbergjamielennox and https://blueprints.launchpad.net/python-keystoneclient/+spec/version-independant-plugins15:44
nkinderayoung: what are you trying to run on F20?  RDO?15:44
ayoungand we need to make something that worked in upgrade and downgrade15:44
*** lihkin has joined #openstack-keystone15:44
ayoungnkinder, F2015:44
ayoungnkinder, dreamhost doesn't have Centos7 yet,15:45
nkinderayoung: I haven't tried RDO on F2015:45
ayoungI could probably upload an image ,but going to start with F2015:45
jamielennoxmorganfainberg: release 0.1115:45
nkinderayoung: so you can try, but I don't know how it works there.  You can disable the EPEL part since it doesn't apply.15:45
ayoungk15:45
ayoungstarting with yum install -y https://rdo.fedorapeople.org/openstack-juno/rdo-release-juno.rpm15:45
*** gyee has joined #openstack-keystone15:46
morganfainbergjamielennox, https://blueprints.launchpad.net/python-keystoneclient looking better15:48
jamielennoxmorganfainberg: https://blueprints.launchpad.net/python-keystoneclient/+spec/endpoint-version-query pretty much done as well15:49
morganfainbergk will mark as implemented15:49
richmayoung: ok15:50
richmayoung: so where is the _member_ role defined/added?15:51
morganfainbergjamielennox, we have 6 BPs to classify / mark for needing spec in client15:51
ayoungrichm, the _member_ role is no longer needed, and it might not even be something we create in a migration anymore15:51
morganfainbergthat is quite reasonable.15:51
ayoungrichm, we might have dropped it when we collapsed the migrations for.. Icehouse?15:51
richm"create in a migration" - do you mean the database migrations?15:51
richmI'm using the latest juno code from rdo15:51
ayoungrichm, yep15:51
richmand _member_ is just automagically there15:52
ayoungrichm, if keystone-manage db_sync puts it there15:52
ayounglook in keystone/common/sql....15:52
morganfainbergjamielennox, and middleware https://blueprints.launchpad.net/keystonemiddleware15:52
ayoungsomething version something15:52
*** cjellick has joined #openstack-keystone15:54
jamielennoxmorganfainberg: pluggable-auth strongly under way15:54
jamielennoxi looked at gordc review to include audit15:55
morganfainbergjamielennox, right.15:55
richmayoung: grep _member_ /usr/lib/python2.7/site-packages/keystone/common/sql/migrate_repo/versions/*.py15:55
jamielennoxthat's still a go as far as i know?15:55
richmayoung: that gives nothing - no matches15:55
ayoungrichm, probably read out of the config file15:55
richmayoung: /etc/keystone/keystone.conf?15:56
ayoungrichm, _member_ is defaulted in common/config.py15:56
*** david-lyle has quit IRC15:56
richmok15:56
ayoungrichm, yes you should see the defualt in that, commented out15:56
ayoungnkinder, $mv /usr/lib/python2.7/site-packages/packstack/puppet/modules/packstack/manifests/apache_common.pp /usr/share/openstack-puppet/modules/packstack/manifests15:58
ayoungmv: cannot stat ‘/usr/lib/python2.7/site-packages/packstack/puppet/modules/packstack/manifests/apache_common.pp’: No such file or directory15:58
ayoungis the apache_common supposed to be part of openstack_packstack15:58
richmayoung: not yet15:58
richmayoung: the change was just merged15:58
richmso I doubt it has made it into a rpm yet15:58
nkinderayoung: the patch file included in my repo would add it15:59
ayoungnkinder, I applied that...15:59
ayoungoh, wait,15:59
nkinderayoung: it should have created that file15:59
ayoungheh, patch binary wasn't installed15:59
nkinderayoung: look in rdo.conf to see what packages are expected on the system15:59
ayoungOK  got it15:59
ayoungnkinder, yum groupinstall "Development Tools" seems to work for me16:00
ayoungI already enrolled the machine as an IPA client, though16:00
ayounglemme see if I have the ldap cli16:01
ayoungnkinder, can we please change the RH package name to FreeIPA?  This is annoying16:02
morganfainbergwhoa. that is a weird one: http://specs.openstack.org/openstack/keystone-specs/specs/keystonemiddleware/audit-middleware.html16:02
morganfainbergwem16:04
morganfainbergerm16:04
jamielennoxmorganfainberg: yea, that's the one i meant - are we doing that?16:04
jamielennoxmust have been discussed whilst i was away16:04
morganfainberghttps://bugs.launchpad.net/keystone/+bug/138437716:04
uvirtbotLaunchpad bug 1384377 in keystone "Policy rule position errors" [Undecided,New]16:04
morganfainbergthat one16:04
morganfainbergthat is what i meant.16:04
morganfainbergcopy/paste error16:04
ayoungnkinder, packstack away!  Runs much better once I realized I needed to set RDO_PASSWORD before running sed -i "s/CONFIG_\(.*\)_PW=.*/CONFIG_\1_PW=$RDO_PASSWORD/g" /root/answerfile.txt16:06
*** marcoemorais has joined #openstack-keystone16:06
nkinderayoung: yeah, that would help... :)16:06
*** jimbaker has joined #openstack-keystone16:08
*** marcoemorais has quit IRC16:09
ayoungERROR : Failed to run remote script, stdout: Device em2 does not exist16:09
ayoungnkinder, eth0.  how quaint16:09
*** radez_g0n3 is now known as radez16:11
*** dimsum_ is now known as dims16:13
*** diegows has quit IRC16:13
*** dims is now known as Guest979816:14
*** diegows has joined #openstack-keystone16:15
morganfainbergjamielennox, https://bugs.launchpad.net/keystone/+bug/1377080 so..16:16
uvirtbotLaunchpad bug 1377080 in python-keystoneclient "Stale endpoint selection logic in keystone client" [Wishlist,Opinion]16:16
morganfainbergthis looks like a duplicate of vish's request.16:16
jamielennoxmorganfainberg: i'd like to close it out as opinion - i think it's an error to have multiple values of the same service_type in a catalog16:16
jamielennoxideally we'd enforce that uniqueness in keystone16:17
morganfainbergthis is similar to https://bugs.launchpad.net/keystone/+bug/137693716:17
uvirtbotLaunchpad bug 1376937 in keystone "No way to prevent duplicates in endpoints" [Medium,Confirmed]16:17
morganfainbergbut it's service vs. endpoint16:18
jamielennoxhowever given that it's currently and always has been broken it's a feature request and not something that i think we should do in client16:18
*** david-lyle has joined #openstack-keystone16:18
morganfainbergand yes the keystoneclient one can be closed out as "wont fix"/"invalid" not even opinion16:18
morganfainbergit's not something the client should care abouty16:18
jamielennoxsure16:19
jamielennoxso i don't know from service, you could have service_types distinguished by service_ name i guess16:19
jamielennoxwhich i assume is why the uniqueness constraint isn't there already16:19
morganfainberghm.16:19
*** afazekas has quit IRC16:19
morganfainbergthis *sounds* like abug16:19
morganfainberghonestly16:20
morganfainbergkinda smells like one too16:20
jamielennoxi can tell you that you'd have a rough time trying to do that in practice16:20
morganfainberglets mark this as a real bug then.16:20
morganfainbergthere is some research that needs to be done to see if anyone is doing this in practice16:21
morganfainbergi highly doubt it16:21
morganfainbergi think this is just the other side of the coin for the but ^ that vishy opened16:21
*** marcoemorais has joined #openstack-keystone16:22
*** marcoemorais has left #openstack-keystone16:22
*** lhcheng has joined #openstack-keystone16:22
*** marcoemorais has joined #openstack-keystone16:22
jamielennoxmorganfainberg: i don't think openstack/us has ever properly defined what constraints we put on the service catalog/how we expect it to be populated so there's just a lot of cruft there16:23
morganfainbergjamielennox, yeah :(16:23
morganfainbergjamielennox, and we need to fix that from a UX perspective16:23
morganfainbergthis one is just wierd16:24
morganfainberghttps://bugs.launchpad.net/keystone/+bug/138437716:24
uvirtbotLaunchpad bug 1384377 in keystone "Policy rule position errors" [Undecided,New]16:24
jamielennoxmorganfainberg: that and for sanity16:24
morganfainberganyone have an active keystone running we can validate that rule order is... wonky?16:24
morganfainbergcause that sounds like a bug in oslo-policy16:24
jamielennoxmorganfainberg: and particularly for region handling, the MOC and others are doing some crazy stuff with regions that we don't support in any way i think16:24
morganfainbergjamielennox, https://bugs.launchpad.net/python-keystoneclient/+bug/135756716:25
uvirtbotLaunchpad bug 1357567 in python-keystoneclient "auth_ref caching/retrieving is failing - user needs to provide password for every command" [Undecided,New]16:25
jamielennoxmorganfainberg: ugh - keyring16:25
morganfainbergcan we make it die16:25
morganfainbergplease16:25
morganfainberg:(16:25
morganfainberg"go use openstackclient" :P16:25
jamielennoxit's in completely the wrong spot so i've just ignored it as much as possible16:26
morganfainbergwell i think it's time to make a call16:26
jamielennoxoo, generic shell as well - this guy's way out on a limb16:26
morganfainberg^ based on that bug16:26
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: I18n  https://review.openstack.org/13119916:28
jamielennoxoo, generic shell as well - this guy's way out on a limb16:28
jamielennoxdamnit, alt+tab up+enter16:29
*** _cjones_ has joined #openstack-keystone16:30
openstackgerritRodrigo Duarte proposed a change to openstack/python-keystoneclient: Improves feedback message in SSL error  https://review.openstack.org/12976916:31
*** diegows has quit IRC16:35
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Use connection retrying from keystoneclient  https://review.openstack.org/12986816:41
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Add versions to requests  https://review.openstack.org/13053116:41
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Use an adapter in IdentityServer  https://review.openstack.org/13053016:41
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Allow loading other auth methods in auth_token  https://review.openstack.org/12955216:41
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Use Discovery fixtures for auth token tests  https://review.openstack.org/13024716:41
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Convert authentication into a plugin  https://review.openstack.org/11585716:41
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Split identity server into v2 and v3  https://review.openstack.org/13053416:41
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Additional discovery changes  https://review.openstack.org/13053316:41
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Use real discovery object in auth_token middleware.  https://review.openstack.org/13053216:41
morganfainbergjamielennox, OMG! ;)16:41
*** mikedillion has joined #openstack-keystone16:41
*** mikedillion has quit IRC16:41
jamielennoxmorganfainberg: that's been up for a few days - i just had to rebase it for a full stop added to a doc string beneath the first one16:41
jamielennoxmorganfainberg: i had bknudson +2 on the first 3 if you want to chime in16:42
morganfainbergjamielennox, i am going to go get breakfast here shortly16:43
morganfainbergbut today i plan on doing a bunch of code review / spec reviews16:43
jamielennoxno problem - it's not even that old, however if you pass all those you get devstack with any auth plugin you like16:43
openstackgerritMorgan Fainberg proposed a change to openstack/keystone-specs: Kilo version of non-persistent token specification  https://review.openstack.org/12973616:44
morganfainbergjamielennox, also need to start my next blog post ;) got a 3-parter to write up.16:44
jamielennoxi have one i want to do and it's just not quite there16:45
jamielennoxso close16:45
* morganfainberg still needs to fix the favicon and add a banner at the top of the blog.16:45
morganfainbergjamielennox, i moved to octostrap3 from whitespace16:45
morganfainbergi it felt a bit cleaner (though i miss using the css mask-trick I was using for the twitter icons)16:45
jamielennoxmorganfainberg: i spent about 10 minutes on that decision - it looked ok so i grabbed it16:45
rodrigodsmorganfainberg, we need reviews in the HM API patch =(16:46
jamielennoxi hate css16:46
morganfainbergrodrigods, yes we need the spec reviews16:46
jamielennoxalso i haven't linked it to any of the social stuff i'm supposed to16:46
morganfainbergjamielennox, bootstrap is nice cause it makes that decision silly easy16:46
morganfainberghttps://www.morganfainberg.com16:46
rodrigodsmorganfainberg, was hoping to have it merged until the summit... seems the case?16:46
morganfainbergjamielennox, also - cloudflare = free SSL16:46
morganfainbergrodrigods, i still hope so, it's not far off really16:46
morganfainbergrodrigods, if not we can get it done either @ summit or just post.16:47
jamielennoxhmm - i considered going for SSL, but it's a static site with source on github, there really isn't anything to protect16:47
rodrigodsmorganfainberg, could be the case to add a topic to tomorrow's meeting?16:47
morganfainbergrodrigods, please add it to the agenda!16:47
openstackgerritA change was merged to openstack/keystonemiddleware: Remove netaddr package requirement  https://review.openstack.org/13066416:47
rodrigodsmorganfainberg, ++16:47
morganfainbergjamielennox, i figure it's sane to just be nice to people who like SSL-ing everything16:47
*** edmondsw has joined #openstack-keystone16:48
jamielennoxyea, but part of my rationale for using github pages was never having to worry about things like load balancing, then put cloudflare in front16:48
morganfainbergjamielennox, i now need to make the in-line anchors have a little link-y icon.16:48
morganfainbergjamielennox, cloudflare also handles my google analytics, helps with caching (github's pages can be bad) among a few other things16:49
morganfainbergjamielennox, i turn off all the "site protection" stuff.16:49
jamielennoxfair enough, i figure the people who read my stuff see it via planet anyway16:49
jamielennoxalthough i wrote like 5 lines on what some error meant in auth_token and how to fix it, apparently that drives about half my traffic16:50
morganfainberglol16:52
*** Guest9798 is now known as dims__16:55
*** jistr has quit IRC16:55
*** toddnni has joined #openstack-keystone16:56
*** marcoemorais has quit IRC16:58
*** marcoemorais has joined #openstack-keystone16:59
*** marcoemorais has quit IRC16:59
*** marcoemorais has joined #openstack-keystone17:00
jamielennoxbknudson: https://review.openstack.org/131098 - nova->cinder via session17:02
*** marcoemorais has quit IRC17:02
jamielennoxgyee: ^^17:02
jamielennoxwill have a look at neutron tomorrow17:02
*** marcoemorais has joined #openstack-keystone17:02
ayoungmorganfainberg, https://blueprints.launchpad.net/ubuntu/+spec/foundations-t-freeipa17:04
*** _cjones_ has quit IRC17:04
*** toddnni has quit IRC17:10
jamielennoxayoung: so packaged?17:11
*** _cjones_ has joined #openstack-keystone17:11
gyeejamielennox, thanks! I am looking at nova-neutron too17:11
gyeeseem like we need quite a bit of request-mock17:11
ayoungjamielennox, ?17:11
jamielennoxayoung: FreeIPA on debian17:11
ayoungjamielennox, looks like it17:11
jamielennoxgyee: bugger - i was hoping not to stub at that level in nova17:11
jamielennoxgyee: i know you have the review up and that you copied some stuff out of that github branch of mine so i won't start from scratch17:12
jamielennoxjust need to give it a proper try out and see what's holding us up17:12
gyeejamielennox, I am trying to fix the tests right now, hopefully I have a new patch for you to look at sometime today17:12
gyeeI think I've pulled in all your changes, but can you please double check?17:13
morganfainbergayoung, did you ping me?17:14
jamielennoxgyee: yea, i'll spin up a devstack with it all tomorrow17:14
ayoungmorganfainberg, maybe like hours ago17:15
jamielennoxdone for today but17:15
morganfainbergayoung, ok.17:15
ayoungmorganfainberg, ah, the FreeIPA debian thing17:15
jamielennoxgyee: if you start https://review.openstack.org/115857 and work your way through, there are a couple of +2 already. The end of that chain is auth plugins in auth_token middleware17:15
ayoungmorganfainberg, its now in Debian Unstable17:15
morganfainbergayoung, yeah we talked abgout that one :)17:15
* morganfainberg is very happy about that17:16
ayoungmorganfainberg, Timo is doing good work17:16
ayounghttp://anonscm.debian.org/cgit/?q=pkg-freeipa17:16
gyeejamielennox, yes, code review, code review, and code review :)17:16
jamielennoxgyee: np - i think i'm going to have to rebase it again against some of those doc changes17:17
jamielennoxalthough, ayoung rampage on the middleware +2 s17:18
ayoungjamielennox, looked at all of those before17:18
ayoungIts a bulk rebase...17:18
ayoungwith a bunch of +2s from others17:19
*** harlowja has joined #openstack-keystone17:19
*** wolsen|away is now known as wolsen17:20
jamielennoxayoung: do you know how you'd go about doing kerberos in auth_token?17:20
ayoungjamielennox, hmmm17:20
ayoungjamielennox, well, we'd start with your plugin patch17:20
jamielennoxi think all the pieces should be there if you want to give it a shot, but i'm not sure how the user mapping would work17:20
ayoungthe server would have to have a keytab17:20
ayoungand...for an eventlet based one, we'd have to be comfortable using requests-kerberos17:20
ayoungbut that should be OK17:21
jamielennoxhmm, ok17:21
gyeekerberoize it!17:21
ayoungjamielennox, the Kerberos Principal from the Keytab would be identified as the user17:21
jamielennoxwell once all that auth_token stuff merges i want to do a blog post with a mathcing server side and client side auth plugin and using it via auth_token, then we can do an SSL or something post17:21
jamielennoxayoung: yea, but how do you deploy that on devstack when everythings on one machine?17:22
ayoungjamielennox, why should it make a difference?17:22
ayoungIPA would need a service user17:22
ayoungso you create Nova, and then do ipa-getkeytab17:23
jamielennoxayoung: well there are no parameters to the kerberos plugin, it pulls everything from the environment17:23
jamielennoxso you would need like a wrapper around every service that sets up the env before loading the service17:23
ayoungjamielennox, in Horizon I pass the credentials cache from HTTPD17:23
ayoung but we can get away with that there because of the S4U2...17:23
ayoungjamielennox, with GSSAPI, there is a directory that, if you put the Keytab in there, the service is able to get a service ticket on demand17:24
ayoungnkinder, ^^17:24
jamielennoxi think you mentioned this once before like an F21 feature being able to have a service refresh a ticket17:25
ayoungjamielennox, http://k5wiki.kerberos.org/wiki/Projects/Keytab_initiation17:25
ayoungI think that is it17:25
jamielennoxi don't think requests-kerberos or the python kerberos stuff is good enough that we could give it a keytab/ticket anyway17:26
ayoung FILE:${localstatedir}/krb5/user/%{euid}/client.keytab.17:26
ayoungjamielennox, we could always cron a kinit -k  bt yuck17:26
jamielennoxayoung: is it implemented?17:26
ayoungyes, has been for a while17:26
jamielennoxwill it work with python-kerberos ?17:27
amakarovayoung, greetings! I've done with tests for https://review.openstack.org/#/c/126897/ Do you have any suggestions who else can provide valuable feedback on this issue?17:27
*** amcrn has joined #openstack-keystone17:27
ayoungamakarov, you are in the right vicinity17:27
ayoungdolphm, morganfainberg bknudson care to review a fairly significant change the trust api?  nkinder you too?17:28
ayounggyee,17:28
jamielennoxalright - i'm out, cya everyone17:28
ayoungamakarov, just added keystone-core to that review17:28
amakarovayoung, cool )17:29
ayoungamakarov, BTW, talked with shardy in #openstack-dev.  He's OK with disabled by default for now, so long as he gets it enabled by default at release17:29
amakarovayoung, I agree this feature may end as a default behavior but now now17:30
amakarovs/now/not/17:30
gyeeayoung, which review, the django one?17:34
ayounggyee, trust re-delegation17:34
ayounggyee, https://review.openstack.org/#/c/126897/17:35
morganfainbergayoung, yes i care to review it :)17:35
gyeeoh k, code review day today17:35
gyeemorganfainberg, course you do :)17:35
morganfainbergayoung, hehe17:35
morganfainbergerm gyee , hehe17:35
gyeemorganfainberg, ya right, keystone test are not happy after Yosemite upgrade17:36
morganfainberggyee, "brew install python"17:36
gyeeah17:36
morganfainbergand you'll need openssl too17:36
morganfainbergi just solved it [but it was some work because i had to make sure python was only installed for *my* user, not globally]17:37
morganfainbergbrew gets wonky when you do that17:37
gyeeI have both python and openssl installed17:37
amakarovayoung, I recall you said about redelegating oauth - direct me please: should I start it with a blueprint?17:37
morganfainbergoh17:37
morganfainbergalso17:37
gyeenow I got some ValueError in ldap17:38
morganfainberggyee, set ARCHFLAGS=-Wno-error=unused-command-line-argument17:38
ayoungamakarov, I think I was suggesting you start with looking at unifying oauth and trusts at the backend17:38
ayoungand there is no spec for that yet amakarov17:38
morganfainberggyee in your env, it mighyt not build python-ldap otherwise17:38
ayoungamakarov, so...oauth has the consumer table17:38
gyeemorganfainberg, that's what I am going to try next17:38
gyeethanks for the tip!17:38
ayoungamakarov, a consumer should be a user17:38
morganfainberggyee, this is my brew list: autoconfautomakegdbmlibgpg-errorlibksbalibtoollibyamlmakedependopensslpkg-configpythonreadlinesqlite17:39
*** marcoemorais has quit IRC17:39
morganfainbergmost comes from python17:39
*** marcoemorais has joined #openstack-keystone17:39
*** marcoemorais has quit IRC17:42
*** marcoemorais has joined #openstack-keystone17:42
amakarovayoung, thank you for the point!17:44
*** henrynash has joined #openstack-keystone17:47
morganfainbergayoung, that change needs an API change before it can merge17:49
morganfainberggyee, ^17:50
morganfainbergayoung, formerly identity-api repo17:50
ayoungmorganfainberg, the trust delegation one?17:50
morganfainbergayoung, yes17:50
gyeedid shardy introduced a spec awhile back?17:50
morganfainbergwe have a spec17:50
morganfainbergjust no API doc change17:51
gyeeahh yes indeed17:51
ayoungamakarov, ^^17:52
ayoungamakarov, so we need an update to http://git.openstack.org/cgit/openstack/identity-api/tree/v3/src/markdown/identity-api-v3-os-trust-ext.md  refelcting the new behavior17:52
morganfainbergayoung, amakarov, http://git.openstack.org/cgit/openstack/keystone-specs/tree/api/identity-api-v3-os-trust-ext.rst17:53
morganfainbergnot identity-api repo anymore17:53
morganfainbergidentity-api repo is no longer used.17:53
morganfainbergayoung, you'll like this, it means you can make 1 change and include the spec *and* the API doc change at once.17:54
morganfainbergayoung, no more needing to do it in two places.17:54
lbragstadmorganfainberg: summit question: do we know what session we want to talk about the Keystone functional tests in? Or is that going to be a Friday (hackathon) thing?17:54
gyeemorganfainberg, wonder if we can automate this like javadoc17:54
morganfainberglbragstad, pod/hallway-track/meetup-day17:55
lbragstadmorganfainberg: cool, thanks17:55
morganfainberggyee, i'd be worried about doing that17:55
morganfainberggyee, 1st off, the code is in a separate repo, 2nd changing the code could = spec change then.17:55
ayoungmorganfainberg, my kneejerk reaction was "not another change" and then...slow realization...this is how it should have been from the get go17:55
morganfainbergi'd rather keep the separattion.17:55
morganfainbergayoung, ++ yes!17:55
amakarovmorganfainberg, understood, I'm off to write docs17:55
morganfainbergayoung, we'll get the v2 spec in there too (i think) not too far off. annegentle is workign on thart17:56
morganfainbergayoung, the other projects are going to be encouraged to do the same17:56
morganfainbergayoung, also...17:56
morganfainbergayoung, http://specs.openstack.org/openstack/keystone-specs/api/identity-api-v3-os-trust-ext.html17:56
morganfainbergayoung, we now also officially publish it - you don't have to link to github!17:56
gyeemorganfainberg, seem like much easier to just generate the spec from the code, 100% accurate :)17:56
ayoungmorganfainberg, does this mean we are bleeding keystoneisms in the purity of the identity-api?17:56
gyeethe truth is in the code, did somebody said that?17:57
*** ukalifon1 has joined #openstack-keystone17:57
morganfainberggyee, sure, i'd rather *new* code be written to the spec vs the spec to the code though17:57
morganfainberggyee, stuff that exists we can't fix.17:57
morganfainbergayoung, bleeding keystoneisms?17:58
gyeehaha17:58
ayoungmorganfainberg, I mean the specs are going to have implementation specific stuff in them17:58
morganfainbergayoung, only API documentation, which was a requirement for REST API changes anyway17:58
ayounghaving the keystone specs in the same repo as the identity api specs...17:58
morganfainbergnah, API docs are in /api17:58
morganfainbergand we *did* use identity-api as a specification... that just wasn't published anywhere really... and people could find but didn't match docs.17:59
openstackgerritA change was merged to openstack/keystone: Remove nonexistant param from docstring  https://review.openstack.org/13066017:59
*** ukalifon1 has quit IRC17:59
morganfainbergbasically we keep the spec + REST change coupled this way, easy to tie them together. but we shouldn't need to get into impl details on the rest docs.18:00
morganfainbergnothing on that front changes.18:00
morganfainbergamakarov, i've also commented on the patch.18:01
*** lihkin has quit IRC18:02
amakarovmorganfainberg, thank you for the feedback!18:03
*** harlowja has quit IRC18:03
henrynashmorganfainberg: so are we again requiring api specs as part of the kilo/specs before they can be approved (I thought we decided against that….but maybe I missed something :-) )18:09
morganfainberghenrynash, largely that was because identity-api was a separate repo18:10
*** marcoemorais has quit IRC18:10
morganfainberghenrynash, now you can bundle the change into a single review18:10
*** marcoemorais has joined #openstack-keystone18:10
ayounghenrynash, are you pursuing the endpoint side of "fetch policy for endpoint" yet?18:10
morganfainberghenrynash, it makes sense to tie REST doc changes with the spec.18:10
henrynashmorganfainberg: …so conceptually like teh singel spec…it was just there was storng desire to get approval of teh overall idea before we get into bikeshedding the api18:11
morganfainberghenrynash, i think that was a limitation of needing to submit 2 separate reviews18:11
henrynashmorganfainberg: …at least I thought that’s what folks wanted...18:11
morganfainberghenrynash, having the -spec block on identity-api review and vice-versa18:11
morganfainberghenrynash we can still defer the API spec, no hard-and-fast rule18:12
ayounghenrynash, I see no problem with having both the spec and the api in the same repo18:12
henrynashayoung: nor do I….18:12
ayoungI think that we should be comfortable with multiple submissions for a given change18:12
ayoung1.  Float the idea18:12
ayoung2.  Flesh it out18:12
ayoung3.  API docs18:12
morganfainberghenrynash, if it's something we want to allow, it's acceptible, but i'd push for getting the API spec in the same review *if* possible.18:12
ayoungiterate18:12
* ayoung would love a backlog section first18:13
henrynashand do people approve 1 (or 2) before 3?18:13
morganfainbergbut it still stands that a spec can be changed even after merged... until it's "completed" that is ;)18:13
ayoungyou shouldn't *have* to do a backlog first, but if the idea is contraversial...start there18:13
ayoungmaybe have a change that goes in to indicate it is completed.18:13
morganfainbergayoung, for middleware/keystoneclient we have that18:14
ayoung++18:14
morganfainbergyou move it to the "implemented" page18:14
henrynashayoung, morganfainberg: and are we saying we put the api change sin that actual current spec doc…or in a searpate doc18:14
morganfainbergfor keystone, it's based on the release cycles.18:14
morganfainberghenrynash, identity-api was moved to keystone-specs/api18:14
morganfainbergso you make changes to the *new* location of the identity-api docs18:14
*** toddnni has joined #openstack-keystone18:15
morganfainbergalso, it was changed from markdown to rst18:15
henrynashmorganfainberg: oh, so all you are saying is put it in there…oh, ok18:15
morganfainberghenrynash, yep :)18:15
henrynashmorganfainberg : ok, phew18:15
morganfainberghenrynash, don't put REST API docs/etc *in* the spec doc, but it in the API reference :)18:15
henrynashmorganfainberg: still a bit concerned that this is a recipe for slowing us down (me, I love specs!…..but I thought lots of peopel complained that their boss needed to see some mark of approval before they really got into the details of APIs & code)18:17
morganfainberghenrynash, like i said i'd push for the API docs to go into the spec.18:17
morganfainbergbut we can defer it.18:17
henrynashmorganfainberg: Ok….18:17
morganfainbergthe API docs tend to be easier to justify - as it's part of the specification18:18
*** carlosmarin has joined #openstack-keystone18:18
morganfainberghenrynash, i think it's going to just depend on the spec, some specs we wont know if we like them w/o the API docs.18:18
morganfainberghenrynash, some of them we'll like / not like regardless18:19
henrynashmorganfainberg: ok, let’s run with it….!18:19
*** diegows has joined #openstack-keystone18:20
*** harlowja has joined #openstack-keystone18:22
*** david-lyle has quit IRC18:22
*** amakarov is now known as amakarov_away18:22
*** jaosorior has quit IRC18:23
morganfainberghenrynash, for https://review.openstack.org/#/c/123238/5/specs/kilo/domain-config-ext.rst i am tempted to see how dstanek's session goes / hallway talks18:23
morganfainbergbefore we approve18:23
henrynashmorganfainbgerg: I’m fine with that18:23
morganfainberghenrynash, it should help answer the "extension" or not.18:23
henrynashmorganfainberg: sounds good18:24
morganfainberghenrynash, i think what we decide around "optional dependencies" will change our general direction on extensions18:25
*** carlosmarin has left #openstack-keystone18:25
henrynashmorganfainberg: yes….getting some clarity here would be good18:25
morganfainbergi'm going to go get a late breakfast now.18:27
openstackgerritA change was merged to openstack/keystone: Fixes aggressive use of translation hints  https://review.openstack.org/12523318:27
*** david-lyle has joined #openstack-keystone18:28
*** thedodd has quit IRC18:28
morganfainberghenrynash, gyee, dolphm, nkinder, lbragstad, anteaya, dstanek, dhellmann, ayoung , stevemar, topol: quick question, do you want me to put links (to the sections of https://www.morganfainberg.com/blog/2014/10/21/openstack-kilo-summit-pre-summit-thoughts/ ) in each sched.org session or just in the etherpads.18:29
morganfainbergi'm trying to give people an opportunity to get up to speed with where we are *before* we walk into the design session18:30
ayoungmorganfainberg, etherpads18:30
ayoungwell...your call18:30
anteayamorganfainberg: did you want my opinion, really?18:30
morganfainbergayoung, i could go either way, thats why i'm asking for opinions :)18:30
morganfainberganteaya, yes18:30
morganfainberganteaya, i trust your view on lots of things :)18:30
gyeemorganfainberg, nice, the policy stuff is intriguing18:30
anteayaI link to the etherpad and the wikipage in http://kilodesignsummit.sched.org/event/9902dac01525691e60ac94bf236569c6# because I know my audience18:31
anteayaI give them no opportunity to tell me they couldn't find the link18:31
ayoungI almost think the etherpads should be linked from the sched.org page, and it all be there18:31
anteayaso it is up to you and your audience18:31
morganfainbergok... how the heck do you get html links in sched.org18:31
anteayathey won't read it anyway18:31
anteayanor with they prepare18:31
anteayabut I did tell them18:31
morganfainberganteaya, ++18:32
morganfainbergi'm *hoping* some people prepare18:32
morganfainbergif it saves us 5 minutes it's a win18:32
anteayaagreed18:32
morganfainbergso, definitely etherpad links.18:32
anteayaand I envy you working with people who actually read documentation and prepare18:33
morganfainbergand post sections definitely in the etherpads.18:33
morganfainbergthe only question is should i double-up and puth the post link in sched.org as well?18:33
morganfainbergexample for the Hierarchical Multitenancy, the link would be https://www.morganfainberg.com/blog/2014/10/21/openstack-kilo-summit-pre-summit-thoughts/#HM18:33
morganfainberg(yay anchors)18:33
morganfainberganteaya, and seriously, how did you get the HTML link in the sched.org description?18:34
anteayaI gave my description to ttx and he did it18:35
anteayattx is magic18:35
morganfainberghaha18:35
anteayasince I only had one to do, he did it for me18:35
anteayaI never asked how and he never told me18:36
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: I18n  https://review.openstack.org/13119918:45
*** toddnni has quit IRC18:49
*** toddnni has joined #openstack-keystone18:53
*** joesavak has quit IRC19:00
openstackgerritDolph Mathews proposed a change to openstack/keystone: revise error message for keystone.token.persistence pkg  https://review.openstack.org/13124419:02
*** marcoemorais has quit IRC19:03
*** vejdmn has quit IRC19:03
*** joesavak has joined #openstack-keystone19:03
*** marcoemorais has joined #openstack-keystone19:03
*** jdennis has quit IRC19:03
*** vejdmn has joined #openstack-keystone19:03
*** afazekas has joined #openstack-keystone19:05
*** thedodd has joined #openstack-keystone19:06
morganfainbergdolphm, you don't happen to know if it's possible to embed HTML in the summit session descriptions, do you?19:08
morganfainbergdolphm, specifically HTML-clicky links19:08
dstanekmorganfainberg: not sure if you went ahead and added the links, but it's always good to reference related material19:10
morganfainbergaha it worked this time *weird*19:11
*** aix has quit IRC19:13
*** afazekas is now known as afazekas_pub19:14
*** nellysmitt has joined #openstack-keystone19:16
morganfainbergdolphm, so19:17
morganfainbergdstanek*19:17
morganfainbergdstanek, so19:17
morganfainbergwhat should i call the link to the blurb I wrote?19:17
morganfainberg"Pre session reading" ?19:17
*** harlowja has quit IRC19:19
lbragstadjamielennox: o/ do you have any input here? https://review.openstack.org/#/c/125738/13/keystone/token/controllers.py19:20
*** harlowja has joined #openstack-keystone19:22
*** amcrn has quit IRC19:23
dstanekmorganfainberg: that sounds fine to me19:23
*** diegows has quit IRC19:32
*** thedodd has quit IRC19:39
openstackgerritDolph Mathews proposed a change to openstack/keystone: improve error message when tenant ID does not exist  https://review.openstack.org/13125519:46
*** lufix has joined #openstack-keystone19:51
*** thedodd has joined #openstack-keystone19:51
*** nellysmitt has quit IRC19:51
*** nkinder has quit IRC19:53
*** toddnni has quit IRC19:54
*** nkinder has joined #openstack-keystone19:56
morganfainbergok I've added links and everything to the schedule.19:58
morganfainbergI'm calling the schedule done19:58
*** ChanServ sets mode: +o morganfainberg19:58
*** morganfainberg changes topic to "Blocking reviews: https://gist.github.com/dolph/651c6a1748f69637abd0 | See everyone at the summit! Schedule: http://kilodesignsummit.sched.org/overview/type/keystone"19:59
*** nellysmitt has joined #openstack-keystone19:59
*** shikui_ has joined #openstack-keystone20:01
*** thiagop has quit IRC20:01
*** htruta has quit IRC20:02
*** afaranha has quit IRC20:02
*** samuelms has quit IRC20:02
*** raildo has quit IRC20:02
*** gabriel-bezerra has quit IRC20:02
*** marcoemorais has quit IRC20:05
morganfainbergdavid-lyle, for the horizon/keystone x-session, we can use the same etherpad: https://etherpad.openstack.org/p/kilo-keystone-horizon-cli-federation-sso20:05
morganfainbergdavid-lyle, so all the info ends up in one place20:06
david-lylemorganfainberg: sounds good. If we have enough time in the horizon session, we may cover more keystone related topics as well20:09
morganfainbergdavid-lyle, works for me.20:10
morganfainbergdavid-lyle, https://etherpad.openstack.org/p/kilo-keystone-horizon-cli-federation-sso added the information to the etherpad, will update the wiki for therpads for horizon as well20:11
dhellmannmorganfainberg: I added links to the etherpads to the oslo sessions, and then filled the etherpads with relevant info and links20:21
morganfainbergdhellmann, nice20:21
morganfainbergdhellmann, i added the "summary" from my post to both the etherpad adn the sched.org entries20:21
dhellmannmorganfainberg: yeah, I had a summary in the sched content, too20:22
*** fifieldt_ has quit IRC20:22
*** fifieldt__ has joined #openstack-keystone20:22
morganfainbergdhellmann, if you use the <a href .... syntax you can make the sched.org items clicky-links20:22
dhellmannmorganfainberg: oh, I wish I had known that20:22
* dhellmann weighs whether or not to go the extra mile on this one20:23
bknudsondavid-lyle: what's the horizon session?20:23
*** topol has quit IRC20:24
morganfainbergbknudson, it's so we have 2 sessions to cover horizon/keystone cross project chatter20:24
morganfainbergbknudson, it's in the same room even, right after eachother so it works out well.20:24
morganfainberghorizon is just the first of the two sessions20:25
dhellmannmorganfainberg: it looks like I'll have to unschedule all of them to edit them, so I'm going to rely on devs' ability to copy and paste this time20:25
*** afazekas_pub has quit IRC20:25
morganfainbergdhellmann, thats what i just did :(20:25
*** jsavak has joined #openstack-keystone20:25
morganfainbergdhellmann, was a real PITA20:25
dhellmannmorganfainberg: yeah, if we're going to use etherpads again for planning next cycle maybe we can help ttx change this other tool so editing the entries is easier20:26
morganfainbergbut i had to do it anyway to add all the etherpad links20:26
morganfainbergdhellmann, ++20:26
*** ctracey has quit IRC20:26
*** joesavak has quit IRC20:26
bknudsonhttp://kilodesignsummit.sched.org/event/634fefa71bd89ef4c999b4a56c404c2d#.VE6qjUSHM8820:26
dhellmannmorganfainberg: last time we also just had a wiki page with the etherpad links20:27
morganfainbergdhellmann, https://wiki.openstack.org/wiki/Summit/Kilo/Etherpads20:27
*** ctracey has joined #openstack-keystone20:27
morganfainbergwe have that too20:27
dhellmannso much for DRY20:27
morganfainbergdhellmann, in the case of the sched.org stuff i think the links are useful20:28
morganfainbergit means if someone is looking at their schedule they don't need to flop back to the wiki too20:28
bknudsonwe need to make sure that our summit topics are esoterically named so we don't get random people coming in thinking it sounds interesting.20:29
morganfainbergmaybe we can get some yaml doc that generates both the wiki and the links in the sched.org20:29
morganfainbergbknudson, i can rename ours. that is easy20:29
bknudsonmorganfainberg: talk to lbragstad... I think he was working on something like that.20:30
morganfainbergi don't think i've added too much naming detail (the policy one being the exception)20:30
morganfainberghttp://kilodesignsummit.sched.org/type/keystone20:30
morganfainbergthe rest are pretty generic20:31
*** andreaf has joined #openstack-keystone20:31
r1chardj0n3smorning20:35
r1chardj0n3sayoung: I looked into the kerberos stuff yesterday, but it looks entirely server-side to me, based on a couple of blog posts I found about setting it up20:36
*** vejdmn has quit IRC20:37
*** vejdmn has joined #openstack-keystone20:38
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Use oslo.concurrency instead of sync'ed version  https://review.openstack.org/13126820:39
*** lufix has quit IRC20:39
ayoungr1chardj0n3s, OK,  so think of it this way:20:47
ayoungI'm a user., and I need to get atoken from keystone20:47
*** edmondsw has quit IRC20:47
ayoungKerberos is a tool that my openstack setup has available20:47
ayoungI use it as a way to authenticate instead of userid and password20:48
ayoungso, CLI  based,  the first thing I do is talk to the kerberos key distro center  (KDC) and get a service ticket for Keystone, then go to Keystone and get a token  using that service ticket20:48
*** _cjones_ has quit IRC20:48
ayoungr1chardj0n3s, that is what we have working today,  and I've been working on extending that to Horizon20:49
r1chardj0n3sayoung: hm, ok20:49
*** _cjones_ has joined #openstack-keystone20:49
r1chardj0n3sayoung: the problem I have is that I can't find any information on how to do that :)20:49
ayoungso in Horizon,  the user goes to horizon with a kerberos service ticket instead of to Keystone20:49
ayoungand they need to proxy20:49
r1chardj0n3sayoung: "keystone kerberos" in google turns up very little information20:49
ayoungr1chardj0n3s, I have some write ups on my setup20:49
ayounghttp://adam.younglogic.com/category/software/kerberos/20:50
ayoungr1chardj0n3s, the cool thing is, for angboard, you have it easy20:50
ayoungassuming angboard can run in Apache HTTPD, you have to do pretty much nothing20:51
ayoungthe biggest change is that you can drop the thing where you ask the user for their password20:51
ayoungthe keystone server will have enough information to request the token20:51
*** drjones has joined #openstack-keystone20:52
ayoungNow, by going through a proxy, we might have to deal with some of the Kerberos issues designed to protect against a man-in-the-middle attack20:52
*** drjones has quit IRC20:52
ayoungr1chardj0n3s, and that is what I've been working on this past release.20:52
*** drjones has joined #openstack-keystone20:52
r1chardj0n3sayoung: I'll have another read through all those posts and see if it makes more sense today :)20:53
ayoungr1chardj0n3s, I can't put it better than Alexander has written here http://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/20:53
*** _cjones_ has quit IRC20:53
ayoungr1chardj0n3s, go to https://ipa.younglogic.net20:53
ayoungPMed you with the password for your account20:54
r1chardj0n3sayoung: that URL is busted :/20:54
ayoung?20:54
*** _cjones_ has joined #openstack-keystone20:54
ayounglet me see20:54
* ayoung was on it earlier today20:55
ayounglet me see20:55
*** radez is now known as radez_g0n320:55
ayoungr1chardj0n3s, nslookup ipa.younglogic.net  gives you what?20:56
r1chardj0n3sayoung: sorry, that works, but http://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/ responds with  "The requested URL /en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/ was not found on this server."20:57
*** _cjones__ has joined #openstack-keystone20:57
ayoungr1chardj0n3s, interesting.  OK,  I'll email you a cached version20:57
*** drjones has quit IRC20:57
*** ttw has joined #openstack-keystone20:59
*** _cjones_ has quit IRC20:59
ayoungr1chardj0n3s, once you log in to ipa.younglogic.net, and have changed your password, I can show you how to set up Kerberos to do the same thing.  If you have Something like Firebug, you can look at the actual traffic20:59
*** _cjones_ has joined #openstack-keystone21:01
r1chardj0n3sayoung: ok, password done. I'm just gonna grab some breakfast and then I'll have a poke :)21:03
ayoungjust make one change to a config file first21:04
ayoungyou should have a file named21:04
ayoung/etc/krb5.conf21:04
ayoungadd the following line at the top21:04
ayoungdns_lookup_realm = true21:04
ayoungIt may be there already and set to false21:05
ayoungonce you have that, try21:05
*** _cjones__ has quit IRC21:05
ayoungkinit rjones@YOUNGLOGIC.NET21:05
ayoungyou can do that when you get back from breakfast, and tell me how it went.21:05
ayoungI need to run and go be Dad for a while21:05
ttwHi, did anybody had database issues when upgrading from icehouse to juno ?21:06
ttw something is making a query from colum endpoint.region_id but the actual name is juste 'region'21:06
ttw*query on21:06
*** jsavak has quit IRC21:07
*** ayoung is now known as ayoung-dadmode21:09
*** nellysmitt has quit IRC21:10
dstanekttw: do you have a tracebace to share?21:10
ttwyep21:10
dstanekttw: it's probably worth creating a bug it definitely sounds like there is something we need to look into21:10
ttwhttps://gist.github.com/anonymous/895feaf05b184413074121:12
*** nkinder has quit IRC21:15
*** _cjones_ has quit IRC21:17
*** _cjones_ has joined #openstack-keystone21:17
*** vejdmn has quit IRC21:18
*** vejdmn has joined #openstack-keystone21:18
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: I18n  https://review.openstack.org/13119921:18
*** drjones has joined #openstack-keystone21:18
*** _cjones_ has quit IRC21:20
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: I18n  https://review.openstack.org/13119921:23
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Correct noqa for exceptions.py  https://review.openstack.org/13127421:23
openstackgerrithenry-nash proposed a change to openstack/keystone: Split up assignments and make the assignments piece pluggable  https://review.openstack.org/13095421:37
*** dims_ has joined #openstack-keystone21:38
*** henrynash has quit IRC21:40
*** dims_ has quit IRC21:41
dstaneklbragstad: yeah, deciding on warn vs. warning is probably a good idea21:41
*** dims_ has joined #openstack-keystone21:41
*** dims__ has quit IRC21:41
*** andreaf has quit IRC21:43
*** andreaf has joined #openstack-keystone21:43
*** toddnni has joined #openstack-keystone21:50
openstackgerritBrant Knudson proposed a change to openstack/keystonemiddleware: I18n  https://review.openstack.org/13128721:51
openstackgerritwerner mendizabal proposed a change to openstack/keystone-specs: Multifactor Authentication  https://review.openstack.org/13037621:55
*** andreaf has quit IRC21:55
*** andreaf has joined #openstack-keystone21:56
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Correct use of noqa  https://review.openstack.org/13127421:56
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: I18n  https://review.openstack.org/13119921:56
*** gordc has quit IRC22:04
*** nkinder has joined #openstack-keystone22:06
openstackgerritBrant Knudson proposed a change to openstack/keystone: Correct use noqa  https://review.openstack.org/13129122:08
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Remove useless log message  https://review.openstack.org/13129422:14
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Cleanup exception logging  https://review.openstack.org/13129522:18
*** andreaf has quit IRC22:20
*** andreaf has joined #openstack-keystone22:21
*** bknudson has quit IRC22:23
*** thedodd has quit IRC22:29
*** gyee has quit IRC22:31
*** amcrn has joined #openstack-keystone22:33
morganfainbergmarekd, email sent w/ all the folks i talked to about CERN CC'd22:42
*** _afazekas is now known as afazekas_drunk22:50
*** lhcheng_ has joined #openstack-keystone22:50
*** lhcheng has quit IRC22:50
*** shikui__ has joined #openstack-keystone22:52
*** chrisshattuck has quit IRC22:52
*** shikui_ has quit IRC22:55
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Remove token persistence proxy  https://review.openstack.org/12480922:56
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Update docs to no longer show XML support  https://review.openstack.org/12575323:01
*** andreaf has quit IRC23:03
morganfainberghm. stevemar is hiding23:05
*** vejdmn has quit IRC23:07
*** topol has joined #openstack-keystone23:09
openstackgerritMorgan Fainberg proposed a change to openstack/keystone-specs: Prep to add Identity API v2.0 files  https://review.openstack.org/13057723:10
*** david-lyle has quit IRC23:14
*** jorge_munoz has quit IRC23:16
openstackgerritA change was merged to openstack/keystone-specs: Prep to add Identity API v2.0 files  https://review.openstack.org/13057723:16
*** topol has quit IRC23:20
*** tellesnobrega has joined #openstack-keystone23:23
*** tellesnobrega has quit IRC23:32
*** r1chardj0n3s is now known as r1chardj0n3s_afk23:35
*** tellesnobrega has joined #openstack-keystone23:38
*** david-lyle has joined #openstack-keystone23:45
*** bknudson has joined #openstack-keystone23:45
openstackgerritRodrigo Duarte proposed a change to openstack/keystone-specs: API documentation for Hierarchical Multitenancy  https://review.openstack.org/13010323:46
openstackgerritRodrigo Duarte proposed a change to openstack/keystone-specs: API documentation for Inherited Roles to Projects  https://review.openstack.org/13027723:47
*** david-lyle has quit IRC23:49
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Cleanup exception logging  https://review.openstack.org/13129523:51
openstackgerritBrant Knudson proposed a change to openstack/keystone: Correct use of noqa  https://review.openstack.org/13129123:54
« Sunday, 2014-10-26 Index Tuesday, 2014-10-28 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!