Friday, 2014-11-14

*** dgonzalez has joined #openstack-keystone00:01
*** alex_xu has joined #openstack-keystone00:02
*** soulxu_ has joined #openstack-keystone00:04
*** alex_xu has quit IRC00:07
*** soulxu_ is now known as alex_xu00:08
*** chrisshattuck has quit IRC00:09
*** dgonzalez has quit IRC00:12
*** packet has quit IRC00:12
*** RichardRaseley has joined #openstack-keystone00:29
*** david-lyle is now known as david-lyle_afk00:31
*** tellesnobrega_ has quit IRC00:31
*** patrickeast has quit IRC00:34
RichardRaseleyI'm having a strange issue after installing Keystone 2014.1.2.1-1.el7 (RDO) via Puppet (stackforge/puppet-keystone module). I am seeing an 'invalid option' error when trying to act against the API. Output from /var/log/keystone.log is https://gist.github.com/richardraseley/ce83920227cdb012f4d5.00:36
RichardRaseleyLooks like there is an 'i3' opt being passed somewhere, but I am unable to locate it. Where should I be looking based on this output?00:37
*** alex_xu has quit IRC00:49
*** RichardRaseley has quit IRC00:58
jamielennoxekarlso: still here? (public holiday here but looking in anyway)01:06
*** david-lyle_afk has quit IRC01:08
*** Viswanath has joined #openstack-keystone01:09
*** Viswanath has quit IRC01:12
*** jacorob has joined #openstack-keystone01:14
*** dims_ has joined #openstack-keystone01:14
*** tellesnobrega_ has joined #openstack-keystone01:14
*** dims has quit IRC01:17
*** rwsu has quit IRC01:18
telemonsterDoes anyone have icehouse working with Active Directory authentication?01:19
*** tellesnobrega_ has quit IRC01:19
*** zzzeek has quit IRC01:19
*** dims_ has quit IRC01:21
*** RichardRaseley has joined #openstack-keystone01:21
*** dims has joined #openstack-keystone01:22
*** tellesnobrega_ has joined #openstack-keystone01:28
*** lhcheng_ has quit IRC01:33
*** marcoemorais has quit IRC01:37
*** marcoemorais has joined #openstack-keystone01:37
*** gyee has quit IRC01:43
*** stevemar has joined #openstack-keystone01:50
morganfainbergjamielennox, oooh i see you!01:50
* morganfainberg goes back to typing up summit summary01:51
morganfainberg*phe*01:51
jamielennoxmorganfainberg: no you don't01:51
morganfainbergjamielennox, lies!01:51
jamielennoxmorganfainberg: these are not the jamielennox's you are looking for01:51
morganfainbergThese are not the jamielennox you are loo..Hey wait a minute!01:51
jamielennoxmorganfainberg: we are spending too much time together01:52
morganfainberghaha01:52
jamielennoxalright, going to enjoy the sunshine01:53
morganfainbergoh right... spring / summer there01:53
morganfainberg:P01:54
jamielennoxyea, and after a few weeks of europe it feels hot01:55
*** amcrn has quit IRC02:08
*** tellesnobrega_ has quit IRC02:13
*** tellesnobrega_ has joined #openstack-keystone02:16
*** marcoemorais has quit IRC02:16
*** _cjones_ has quit IRC02:23
*** alex_xu has joined #openstack-keystone02:23
*** RichardRaseley has quit IRC02:26
*** tellesnobrega_ has quit IRC02:28
*** chrisshattuck has joined #openstack-keystone02:37
ayoungtelemonster, was that you that posted to the list about the AD issues?03:06
*** david-lyle has joined #openstack-keystone03:07
morganfainbergayoung, when did Dolph become PTL?03:09
morganfainbergessex?03:09
morganfainbergfolsom?03:10
ayoungIt wasn't essex03:10
david-lylemorganfainberg: havana03:10
david-lyleIIRC03:10
david-lyleportland03:10
*** dims has quit IRC03:11
morganfainbergdavid-lyle, thanks.03:11
ayoungLet's see.  I joined 3 years ago, Joe Heck became PTL...was it for about a year...gave it up in December 2 years ago03:11
david-lyledolph was 3 cycles I believe03:11
*** dims has joined #openstack-keystone03:11
david-lyleH, I, J03:11
ayoungSounds right03:12
*** RichardRaseley has joined #openstack-keystone03:12
morganfainbergkk03:12
*** edmondsw has quit IRC03:18
*** david-lyle is now known as david-lyle_afk03:18
*** wwriverrat has joined #openstack-keystone03:21
*** kobtea has joined #openstack-keystone03:23
*** kobtea has quit IRC03:28
*** wwriverrat has quit IRC03:29
*** chrisshattuck has quit IRC03:31
*** tellesnobrega_ has joined #openstack-keystone03:34
*** richm has quit IRC03:42
*** wwriverrat has joined #openstack-keystone03:45
*** d0ugal has quit IRC03:45
*** anteaya has quit IRC03:46
*** dvorak has quit IRC03:46
*** cyeoh has quit IRC03:47
*** dvorak has joined #openstack-keystone03:47
*** cyeoh has joined #openstack-keystone03:48
*** d0ugal has joined #openstack-keystone03:48
*** d0ugal is now known as Guest3255603:48
*** anteaya has joined #openstack-keystone03:50
openstackgerritMerged openstack/keystone: Fix project federation tokens for inherited roles.  https://review.openstack.org/13329903:58
*** tellesnobrega_ has quit IRC04:02
openstackgerritMerged openstack/keystone: Improve testing of exclusion of inherited roles.  https://review.openstack.org/13333204:05
openstackgerritMerged openstack/keystone: Exclude domains with inherited roles from user domain list.  https://review.openstack.org/13333304:07
telemonsterayoung - yes, thanks for the reply :-)04:09
ayoungtelemonster, so, I'm guessing that the service user was the same.  OK, ready for the big guns?04:18
ayoungrpdb04:19
ayoungI'm headed to bed now, but the rough steps are:04:19
ayoungpip install rpdb04:19
ayounggo to the point in the code where the authentication happens:  the password plugin under  keystone/auth/plugins for V3, or the controller in keystone/token/controllers for v204:20
ayounginsert04:20
ayoungimport rpdb; rpdb.set_trace()04:20
ayounghit the keystone server with a token request04:20
ayoungtelnet to port 4444 and you are in a debugger session04:21
telemonstersweet04:23
telemonsterThere was some discussion/questioning whether there was something else that was supposed to be happening with tokens that isn't, but I assume the token is granted upon successful authentication similar to web sessions04:24
telemonsterI'll try to get that working tomorrow. I tried strace including threads against the root but it didn't yield much. My coworkers went to redhat training for this stuff it's not my main thing but I'm helping due to the severity04:26
telemonstermuch thanks for your help!04:26
openstackgerritSteve Martinelli proposed openstack/keystone: Add WSGIPassAuthorization to OAuth docs  https://review.openstack.org/13438804:57
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: OAuth headers are missing  https://review.openstack.org/13436404:58
*** jacorob has quit IRC05:03
*** gokrokve has joined #openstack-keystone05:09
*** kobtea has joined #openstack-keystone05:09
*** RichardRaseley has quit IRC05:10
*** zzzeek has joined #openstack-keystone05:11
*** zzzeek has quit IRC05:12
stevemarmorganfainberg, your blog post needs more federation mentions :)05:13
stevemarerr nvm, just read "SSO, Web Portals, and Federation Next Steps will be covered in my next post"05:13
*** kobtea has quit IRC05:14
*** chrisshattuck has joined #openstack-keystone05:14
morganfainbergstevemar: figured that needed its own post.05:17
morganfainbergAnd the current post was already too much.05:18
morganfainbergA blog post with a table of contents :P05:18
stevemaryeah, it was definitely meaty05:20
openstackgerritSteve Martinelli proposed openstack/keystone: Add WSGIPassAuthorization to OAuth docs  https://review.openstack.org/13438805:23
*** _cjones_ has joined #openstack-keystone05:24
stevemarmorganfainberg, also https://review.openstack.org/#/c/133037/ if you'd be so kind :)05:25
*** _cjones_ has quit IRC05:28
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: OAuth headers are missing  https://review.openstack.org/13436405:31
*** amerine has quit IRC05:41
*** amerine has joined #openstack-keystone05:42
*** gokrokve has quit IRC05:49
*** gokrokve has joined #openstack-keystone05:49
*** gokrokve has quit IRC05:54
*** marcoemorais has joined #openstack-keystone06:04
*** marcoemorais1 has joined #openstack-keystone06:05
*** marcoemorais has quit IRC06:08
*** gokrokve has joined #openstack-keystone06:15
*** gokrokve has quit IRC06:17
*** gokrokve has joined #openstack-keystone06:17
*** gokrokve has quit IRC06:22
*** jacorob has joined #openstack-keystone06:37
stevemarnkinder, still have that setup with users in other domains, for testing osc?06:45
*** amirosh has joined #openstack-keystone07:06
*** k4n0 has joined #openstack-keystone07:08
*** amirosh_ has joined #openstack-keystone07:12
*** amirosh has quit IRC07:12
*** amirosh has joined #openstack-keystone07:13
*** amirosh_ has quit IRC07:13
*** amirosh has quit IRC07:16
openstackgerritrajiv proposed openstack/python-keystoneclient: Does not accept blank password for updation  https://review.openstack.org/13445407:17
*** gokrokve has joined #openstack-keystone07:17
*** amirosh has joined #openstack-keystone07:19
*** gokrokve has quit IRC07:22
*** ajayaa has joined #openstack-keystone07:23
*** wwriverrat has quit IRC07:29
*** wwriverrat has joined #openstack-keystone07:30
*** amirosh has quit IRC07:32
*** amirosh has joined #openstack-keystone07:32
*** ajayaa has quit IRC07:33
*** ajayaa has joined #openstack-keystone07:38
*** wwriverrat has quit IRC08:11
*** amirosh_ has joined #openstack-keystone08:12
*** amirosh has quit IRC08:12
*** amirosh has joined #openstack-keystone08:15
*** amirosh_ has quit IRC08:15
*** gokrokve has joined #openstack-keystone08:17
*** gokrokve has quit IRC08:18
*** gokrokve has joined #openstack-keystone08:19
*** amirosh_ has joined #openstack-keystone08:20
*** amirosh has quit IRC08:20
*** gokrokve has quit IRC08:23
*** ajayaa has quit IRC08:28
*** amirosh_ has quit IRC08:37
*** links has joined #openstack-keystone08:38
*** amirosh has joined #openstack-keystone08:38
*** amirosh has quit IRC08:38
*** amirosh has joined #openstack-keystone08:39
*** amirosh has quit IRC08:39
*** amirosh has joined #openstack-keystone08:40
*** ajayaa has joined #openstack-keystone08:41
*** amirosh_ has joined #openstack-keystone08:42
*** amirosh has quit IRC08:42
marekd|awaywhat is the difference between PKI and PKIZ tokens?08:42
*** marekd|away is now known as marekd08:43
*** amirosh_ has quit IRC08:45
ajayaamarekd, PKIZ is compressed version of PKI tokens, I guess!08:45
*** amirosh has joined #openstack-keystone08:45
stevemarajayaa, you are right08:46
stevemarmarekd, so long!08:46
*** kobtea has joined #openstack-keystone08:47
*** amirosh_ has joined #openstack-keystone08:49
*** amirosh has quit IRC08:49
*** amirosh has joined #openstack-keystone08:50
*** amirosh_ has quit IRC08:50
*** amirosh has quit IRC08:51
*** kobtea has quit IRC08:52
*** stevemar has quit IRC08:52
*** henrynash has joined #openstack-keystone08:52
*** amirosh has joined #openstack-keystone08:53
*** amirosh_ has joined #openstack-keystone08:54
*** amirosh_ has quit IRC08:54
*** amirosh has quit IRC08:55
*** gordc has joined #openstack-keystone08:55
*** amirosh has joined #openstack-keystone08:55
*** amirosh has quit IRC08:56
*** amirosh has joined #openstack-keystone08:56
*** amirosh has quit IRC08:59
*** amirosh has joined #openstack-keystone08:59
*** alex_xu has quit IRC09:00
marekdstevemar what long?09:02
*** lhcheng has joined #openstack-keystone09:04
*** amirosh has quit IRC09:05
*** henrynash_ has joined #openstack-keystone09:06
*** henrynash has quit IRC09:06
*** henrynash_ is now known as henrynash09:06
*** amirosh has joined #openstack-keystone09:07
*** amirosh has quit IRC09:08
*** amirosh has joined #openstack-keystone09:09
*** gokrokve has joined #openstack-keystone09:17
*** jistr has joined #openstack-keystone09:19
*** gokrokve has quit IRC09:22
*** amirosh_ has joined #openstack-keystone09:49
*** amirosh has quit IRC09:49
*** amirosh_ has quit IRC09:52
*** amirosh has joined #openstack-keystone09:53
*** nellysmitt has joined #openstack-keystone09:54
*** aix has joined #openstack-keystone09:56
*** amirosh has quit IRC09:57
*** jacorob has quit IRC09:57
*** amirosh has joined #openstack-keystone09:57
*** nellysmitt has quit IRC09:59
*** diegows has joined #openstack-keystone09:59
*** amirosh_ has joined #openstack-keystone10:01
*** amirosh has quit IRC10:01
*** amirosh has joined #openstack-keystone10:04
*** amirosh_ has quit IRC10:04
*** amirosh_ has joined #openstack-keystone10:07
*** amirosh has quit IRC10:07
*** amirosh_ has quit IRC10:09
*** amirosh has joined #openstack-keystone10:10
*** amirosh has quit IRC10:12
*** amirosh has joined #openstack-keystone10:13
*** amirosh has quit IRC10:13
*** amirosh has joined #openstack-keystone10:13
*** Guest32556 is now known as d0ugal10:14
*** d0ugal is now known as Guest9245510:14
*** amirosh has quit IRC10:14
*** Guest92455 is now known as d0ugal10:16
*** d0ugal has quit IRC10:16
*** d0ugal has joined #openstack-keystone10:16
*** gokrokve has joined #openstack-keystone10:17
*** amirosh has joined #openstack-keystone10:18
*** bjornar has quit IRC10:19
*** amirosh_ has joined #openstack-keystone10:21
*** amirosh has quit IRC10:21
*** gokrokve has quit IRC10:21
*** bjornar has joined #openstack-keystone10:22
*** amirosh_ has quit IRC10:23
*** amirosh has joined #openstack-keystone10:24
*** amirosh has quit IRC10:24
*** amirosh has joined #openstack-keystone10:24
*** amirosh_ has joined #openstack-keystone10:26
*** amirosh has quit IRC10:26
*** amirosh has joined #openstack-keystone10:30
*** amirosh_ has quit IRC10:30
*** diegows has quit IRC10:30
*** amirosh_ has joined #openstack-keystone10:33
*** amirosh has quit IRC10:33
*** amirosh has joined #openstack-keystone10:34
*** amirosh_ has quit IRC10:34
*** amirosh has quit IRC10:34
*** amirosh has joined #openstack-keystone10:35
*** amirosh has quit IRC10:35
*** amirosh has joined #openstack-keystone10:35
*** amirosh_ has joined #openstack-keystone10:37
*** amirosh has quit IRC10:37
*** amirosh has joined #openstack-keystone10:40
*** amirosh_ has quit IRC10:40
*** amirosh has quit IRC10:40
*** amirosh has joined #openstack-keystone10:41
*** amirosh has quit IRC10:45
*** amirosh has joined #openstack-keystone10:46
*** amirosh has quit IRC10:46
*** amirosh has joined #openstack-keystone10:47
*** amirosh_ has joined #openstack-keystone10:48
*** amirosh has quit IRC10:48
*** marcoemorais1 has quit IRC11:01
*** dims has quit IRC11:06
*** dims has joined #openstack-keystone11:06
*** amirosh_ has quit IRC11:13
*** amirosh has joined #openstack-keystone11:13
*** amirosh_ has joined #openstack-keystone11:16
*** amirosh has quit IRC11:17
*** amirosh_ has quit IRC11:17
*** gokrokve has joined #openstack-keystone11:17
*** amirosh has joined #openstack-keystone11:17
*** amirosh has quit IRC11:21
*** amirosh has joined #openstack-keystone11:21
*** gokrokve has quit IRC11:22
*** dims has quit IRC11:25
*** nellysmitt has joined #openstack-keystone11:26
*** amirosh has quit IRC11:29
*** amirosh has joined #openstack-keystone11:29
*** amirosh has quit IRC11:30
*** amirosh has joined #openstack-keystone11:30
*** nellysmitt has quit IRC11:31
*** ajayaa has quit IRC11:34
*** amirosh_ has joined #openstack-keystone11:37
*** amirosh has quit IRC11:37
*** amirosh_ has quit IRC11:38
*** amirosh has joined #openstack-keystone11:38
*** amirosh_ has joined #openstack-keystone11:41
*** amirosh has quit IRC11:41
rodrigodsmarekd, thanks for adding mapping enhancements to the meeting agenda11:46
*** amirosh_ has quit IRC11:49
*** amirosh has joined #openstack-keystone11:49
rodrigodsayoung, there?11:51
*** ajayaa has joined #openstack-keystone11:52
*** amirosh_ has joined #openstack-keystone12:01
*** amirosh has quit IRC12:01
samuelmshenrynash, just left a couple of comments on the 'Split the assignments manager/driver' patch12:01
henrynashsamuelms: just saw them, thx12:01
samuelmshenrynash, you did nice work up there :-)12:02
henrynashsamuelms: thx12:02
*** amirosh_ has quit IRC12:03
*** raildo has quit IRC12:03
*** amirosh has joined #openstack-keystone12:04
*** amirosh has quit IRC12:04
*** amirosh has joined #openstack-keystone12:05
*** amirosh has quit IRC12:07
*** amirosh has joined #openstack-keystone12:07
*** raildo has joined #openstack-keystone12:09
samuelmshenrynash, replied to your comment on the etherpad I created for assignment backend language (role-assignment-backend-language)12:15
*** gokrokve has joined #openstack-keystone12:17
openstackgerritHenrique Truta proposed openstack/python-keystoneclient: Inherited role domain calls on keystoneclient v3  https://review.openstack.org/11608112:19
*** gokrokve has quit IRC12:21
*** kobtea has joined #openstack-keystone12:24
*** amirosh_ has joined #openstack-keystone12:26
*** amirosh has quit IRC12:26
*** kobtea has quit IRC12:29
*** tellesnobrega_ has joined #openstack-keystone12:39
*** ajayaa has quit IRC12:40
*** amirosh has joined #openstack-keystone12:41
*** amirosh_ has quit IRC12:41
*** raildo has quit IRC12:41
*** raildo has joined #openstack-keystone12:43
*** amirosh has quit IRC12:46
*** amirosh has joined #openstack-keystone12:46
*** amirosh has quit IRC12:47
*** amirosh has joined #openstack-keystone12:48
*** amirosh has quit IRC12:48
openstackgerrithenry-nash proposed openstack/keystone-specs: Replace the concept of extensions in Keystone.  https://review.openstack.org/13380912:48
*** amirosh has joined #openstack-keystone12:49
*** amirosh has quit IRC12:49
*** amirosh has joined #openstack-keystone12:50
*** amirosh_ has joined #openstack-keystone12:51
*** amirosh has quit IRC12:51
*** amirosh_ has quit IRC12:51
*** amirosh has joined #openstack-keystone12:52
*** russellb is now known as rustlebee13:02
*** gokrokve has joined #openstack-keystone13:17
marekdrodrigods: np13:21
*** gokrokve has quit IRC13:22
*** tellesnobrega_ has quit IRC13:28
*** arunkant has joined #openstack-keystone13:28
ayoungrodrigods, I'm here13:37
marekdmorganfainberg: ping ping ping13:41
ayoungmarekd, don't send Naked pings....just post your question and he'll respond when he can.  russellb had a good post on this...13:44
marekdayoung: i know i know i know13:45
ayounghttp://blogs.gnome.org/markmc/2014/02/20/naked-pings/13:45
ayoungmarekd, also, he's in California.  It is not even 6 AM where he lives.  He's dedicated, but even morganfainberg needs to sleep sometimes13:45
ayoungeven if it is in a Coffin...13:45
marekdayoung: you are right.13:48
*** radez_g0n3 is now known as radez13:56
*** sigmavirus24_awa is now known as sigmavirus2414:01
*** amirosh has quit IRC14:08
*** amirosh has joined #openstack-keystone14:08
*** amirosh has quit IRC14:11
*** nkinder has quit IRC14:11
*** amirosh_ has joined #openstack-keystone14:11
*** amirosh has joined #openstack-keystone14:14
*** amirosh has quit IRC14:14
*** amirosh_ has quit IRC14:14
*** amirosh has joined #openstack-keystone14:15
*** amirosh has quit IRC14:15
henrynashayoung: your comment about ‘resource’….have a look at my response on the patch: https://review.openstack.org/#/c/130954/14:15
ayoungYou are accusing me of Bike shedding!14:16
ayoungHeh14:17
ayounghenrynash, yeah, I debated with the -1 on that, just wanted to make sure we had the conversation14:17
henrynashayoung: understand....14:17
*** gokrokve has joined #openstack-keystone14:17
*** amirosh has joined #openstack-keystone14:18
ayounghenrynash, language is important.  If resource is the right name, we should go with it.  I think that you agree it is not the right name, but that maybe there is no right name14:18
*** amirosh has quit IRC14:18
ayoungand....14:18
ayoungI'd probably agree with you14:18
*** amirosh has joined #openstack-keystone14:18
henrynashayoung: resource was the best we could agree on….14:19
ayoungThe thing is ... everything is a resource.  It would be like naming it "objects"14:19
ayoungand...it isn't.  It is the namespace for containers that we provide to other services to put their resources inside14:19
henrynashayoung: well, and roles too14:19
ayoungdirectory?14:20
ayoungI'm not going to hold this up14:20
ayoungjust...hmmm14:20
ayoungI like assignment.  Its clear.14:21
ayoungdomains and projects are the directory...roles are labels14:21
ayoungbut then, all these are labels14:21
*** amirosh has quit IRC14:21
*** gokrokve has quit IRC14:21
*** marg7175 has joined #openstack-keystone14:21
rodrigodsayoung, https://bugs.launchpad.net/keystone/+bug/1392685 related to tying an IdP to a domain, right?14:21
uvirtbotLaunchpad bug 1392685 in keystone "With OS-Federation users can get the wrong mapping" [Undecided,New]14:21
*** amirosh has joined #openstack-keystone14:22
*** amirosh has quit IRC14:22
ayounghenrynash, OK...I'm sure I'll regret this, but I'll let it go.  I know that, in about a week, I will wake up at 2 AM with the "right" name...or, more likely, a week after code freeze14:22
henrynashayoung: yep, I know….although having already done one massive rename from ‘base ’ (my first, albeit, poor idea)…to ‘resource’ across the 3 dependent patches…now that the spec is agreed with ‘resource’, I’m kind of trying to avoid another crunchthrough renaming unless others really object14:22
ayoungI hear yah14:22
ayoungtoo much churn14:22
henrynashayoung: and if you do…and we all agree….(for a small beer)…I’ll do a rename…14:23
ayoungis that the size of the vessel containing the beer or a beer type?14:23
*** amirosh has joined #openstack-keystone14:23
*** richm has joined #openstack-keystone14:24
henrynashayoung: :-)14:24
*** amirosh has quit IRC14:24
ayounghenrynash, think you probably deserve something better than a small vessel of small beer14:24
*** amirosh has joined #openstack-keystone14:24
ayounghttp://en.wikipedia.org/wiki/Small_beer14:25
henrynashayoung: ha, had not heard of that use to describe low alc beer!14:25
ayoungrodrigods, looking14:26
ayoungrodrigods, I want to say "yes, that is related to tying an IdP to a domain"  but I think it is more problematic than that.  I think that he is actually saying a user can get the wrong mapping, which is regardless of domain.14:30
ayounghenrynash, I know we have "assign policy for an endpoint" but what happens if an endpoint requests its policy file and there is no policy explicitly linked to it?14:32
*** amirosh has quit IRC14:32
ayoungdo we have a way of specifying "return this default policy file"14:32
*** amirosh has joined #openstack-keystone14:33
henrynashayoung: if there’s nothing for that endpoint, we look for the service type14:33
*** amirosh has quit IRC14:34
*** amirosh has joined #openstack-keystone14:34
*** amirosh has quit IRC14:34
ayounghenrynash, and if there is nothing for the service type?14:34
henrynashayoung: and maybe the service type in that region first, I’ll have to check14:34
henrynashayoung: then we return an error14:35
ayoungIts ok, I can look14:35
*** amirosh has joined #openstack-keystone14:35
ayounghenrynash, OK,  so I'm going to add a spec that allows for a single default policy file14:35
henrynashayoung: yep, that sounds good14:36
*** amirosh has quit IRC14:37
openstackgerritIoram Schechtman Sette proposed openstack/keystone-specs: Enable support for IETF ABFAB as a federation protocol.  https://review.openstack.org/13454914:37
*** amirosh has joined #openstack-keystone14:37
*** edmondsw has joined #openstack-keystone14:37
*** amirosh_ has joined #openstack-keystone14:38
*** amirosh has quit IRC14:38
*** amirosh_ has quit IRC14:39
*** amirosh has joined #openstack-keystone14:39
*** zzzeek has joined #openstack-keystone14:42
*** gokrokve has joined #openstack-keystone14:46
openstackgerrithenry-nash proposed openstack/keystone: Split the assignments manager/driver.  https://review.openstack.org/13095414:48
openstackgerrithenry-nash proposed openstack/keystone: Split the assignments controller  https://review.openstack.org/13263414:49
openstackgerrithenry-nash proposed openstack/keystone: Ensure controllers and managers reference new resource manager.  https://review.openstack.org/13352514:50
henrynashayoung: thx for dropping the -1, could also do that on: https://review.openstack.org/#/c/132634/14:51
*** elynn_ has joined #openstack-keystone14:54
telemonsterayoung - coworker noticed that there is no dash database on the new install, while the old install had one. So he is implementing that14:56
openstackgerritayoung proposed openstack/keystone-specs: IETF ABFAB federation protocol.  https://review.openstack.org/13454914:57
telemonsterI pulled both debug dumps (console output) from havana (works) and icehouse (doesn't work) into Apple Opendiff and looked through it all. There is this sequence that happens in the ldap process where it does a get value len, get next attrib in a loop over and over. Failing one fails right after that, working one finishes then moves on to do another ldap query (my guess is to start narrowing down groups and such)14:57
*** richm has quit IRC14:57
telemonsterI bet the loop of get/length is password comparison or something14:57
*** dnalezyt has quit IRC14:58
*** nkinder has joined #openstack-keystone14:58
rodrigodsayoung, hmm... requires stevemar and marekd eyes too, I guess15:07
*** amirosh has quit IRC15:07
*** amirosh has joined #openstack-keystone15:07
ayoungtelemonster, ?15:07
ayoungtelemonster, dash?15:07
*** richm has joined #openstack-keystone15:09
lbragstadhenrynash: nice write up on the extensions blueprint15:09
ayounghenrynash, am I wrong to want to call the new backend the Tenant backend?15:09
henrynashayoung: aahhhhh….where’s that cliff...15:09
ayoungHeh15:10
ayoungDover, I think.15:10
henrynashlbragstad: thx15:10
henrynashayoung: too far, damnit15:10
*** thiagop has joined #openstack-keystone15:10
ayoungMoher, actually15:10
ayounghttp://en.wikipedia.org/wiki/Cliffs_of_Moher15:10
*** thiagop has quit IRC15:10
telemonsterayoung - Dashboard I suppose. Coworker is trying one more thing then I think they're moving to rebuild havana over icehouse15:11
ayoungShouldn't be horizon.15:11
ayoungtelemonster, I wonder if it has to do with a change we made to avoid fetching all of the attributes,15:12
ayoungit was breaking if there were binary attributes being fetched15:12
ayoungI thought that change was in Juno, but maybe it got backported.  Let me check15:12
ayoungtelemonster, https://review.openstack.org/#/c/91883/15:14
telemonsterchecking15:14
ayoungtelemonster, did you see my comment last night about rpdb?15:14
telemonsterHMMMM15:15
telemonsteryea I have it in place, I figured out (c)ontinue to run but past that not sure what to do, I'm pretty sure you can set a point to stop then look at the values of variables but past that?15:15
telemonsteris there a way to make it print tons of debugging real time?15:16
telemonsterthis bug/fix sounds exactly like the thing that could be causing the issue :-)15:17
telemonsterI'm going to figure out how to get the pre-changes version and see if it is easy to sub15:19
ayoungtelemonster, you can do  break  filename:line15:19
ayoungtelemonster, it is basically pdb...let me see if I can find a tutorial link15:20
*** henrynash has quit IRC15:23
morganfainbergMorning.15:23
*** chrisshattuck has quit IRC15:26
*** thedodd has joined #openstack-keystone15:28
*** chrisshattuck has joined #openstack-keystone15:29
*** stevemar has joined #openstack-keystone15:29
marekdrodrigods: what's up?15:29
*** sigmavirus24 has left #openstack-keystone15:31
*** amirosh has quit IRC15:35
*** Lupul has joined #openstack-keystone15:36
*** jacorob has joined #openstack-keystone15:36
morganfainbergmarekd: got your email. Will address shortly.15:38
marekdmorganfainberg: sure.15:39
Lupulhello, how long should a POST to /v2.0/tokens take ? (idle, baremetal node)15:42
rodrigodsmarekd, this bug https://bugs.launchpad.net/keystone/+bug/139268515:43
uvirtbotLaunchpad bug 1392685 in keystone "With OS-Federation users can get the wrong mapping" [Undecided,New]15:43
*** kobtea has joined #openstack-keystone15:44
*** gokrokve has quit IRC15:45
*** gokrokve has joined #openstack-keystone15:45
Lupulis 200ms - 400ms  a normal response time ?15:46
*** kobtea has quit IRC15:48
gordcstevemar: how do i fix this: http://lists.openstack.org/pipermail/openstack-dev/2014-November/050350.html15:49
stevemargordc, i've been looking at that since it was announced, but i'm confused since openstack CI works15:50
stevemargordc, i think it might be installing from pypi instead of pulling master branch?15:51
stevemargordc, like this post says: http://lists.openstack.org/pipermail/openstack-dev/2014-November/050357.html15:51
gordcstevemar: no idea. first time i've been running stuff since before summit.15:51
gordci just did a git pull of everything and now it's all broke.15:51
stevemargordc, reclone15:51
stevemarhmm15:51
gordcstevemar: does it work for you locally?15:52
stevemaryep15:52
stevemarit's what the openstack CI uses15:52
gordcstevemar: did you pull in all the latest?15:52
gordcpython-openstackclient==0.4.1.78.gfa9cdef15:54
telemonsterayoung - I think I got past the auth issue by cramming in a core.py that is much older15:56
ayoungtelemonster, that is horrible15:56
stevemargordc, sec, let me check15:57
*** lhcheng_ has joined #openstack-keystone15:58
*** nkinder is now known as nkinder_afk16:01
*** lhcheng has quit IRC16:01
lbragstadmorganfainberg: when we were talking about the ae-token stuff at the summit, you'd mentioned some clean up for the token api. Did you want that proposed as a spec?16:01
morganfainberglbragstad: I proposed it.16:02
*** chrisshattuck has quit IRC16:02
lbragstadmorganfainberg: ah, gotcha16:02
lbragstadthis guy?16:02
lbragstadhttps://review.openstack.org/#/c/134314/16:02
morganfainbergYep16:03
lbragstadmorganfainberg: awesome, thanks!16:03
lbragstadI'll review16:03
*** packet has joined #openstack-keystone16:03
stevemargordc, what is your localrc?16:04
telemonsterayoung - is juno the same keystone code as this icehouse version?16:04
gordcstevemar: i think it works now. i just pip uninstalled all the clients16:04
telemonsteror same functionality (I'm trying to think if Juno would also have issues with our AD servers)16:04
gordcstevemar: still want to see my localrc16:04
stevemargordc, okay, reply back to the thread if you can, i'll dig into this a bit more16:05
*** marg7175 has quit IRC16:05
*** marg7175 has joined #openstack-keystone16:06
ayoungtelemonster, so, if you ran Juno, yes, your Icehouse servers could work with it...if that is what you are asking16:07
gordcsudo pip freeze16:07
gordcf16:07
ayoungcan we not do ae tokens.  Please?16:07
telemonsterayoung - no, if we were using juno would the codebase for keystone be similar to icehouse current and thus not work with our AD server16:07
ayoungtelemonster, I suspect we could make this work with your AD server in Juno or Icehouse16:08
ayoungwe don't know yet what the problem is.  It might be something new, or something already fixed16:08
*** chrisshattuck has joined #openstack-keystone16:08
telemonsterdo you think it's a utf-8 issue or something? we're running 0.9.0 keystone16:08
*** jacorob has quit IRC16:08
telemonsterI think16:08
telemonsterlet me diff the zero day keystone core.py ldap module against our latest16:09
telemonsterooo16:11
stevemargordc, wrong window dude!16:11
telemonsterooo latest works16:12
telemonsternow it's issues of users being authorized for projects (cloudadmin not authorized for any projects).16:13
marekd survey: the best way to cache my tokens between cli calls? some super simplified memcache-like mechanism?16:14
marekdkeyring seems to keep asking for a password every time I try to get data from it.16:15
*** henrynash has joined #openstack-keystone16:16
gordcstevemar: someone needs to implement proper eyetracking window switching ASAP.16:16
gordcstevemar: the tech has existed for years.16:16
stevemarmarekd, export my_password=blahblah - done, totally secure16:18
marekdstevemar: ??16:18
stevemarmarekd, (was a bad joke, sorry)16:18
marekdaaaaa, you are referring to my question, right?16:18
stevemaryes16:18
marekdsorry, didn't get it at first16:19
marekd:-)16:19
marekdi can store it in files16:21
marekdbut that's well...prehistoric?16:21
ayoungtelemonster, "latest works" meaning Juno?  Master?16:24
ayoungmarekd, well, not always16:24
ayoungmarekd, for example, passing passwords on command lines means that passwords are recoverable from /proc16:24
ayoungputting it in a file and passing the file name might be better.16:25
telemonstersorry, I used this: https://github.com/openstack/keystone/blob/9c15b73f8361ce8606a531b5765c94b3927d99c4/keystone/common/ldap/core.py16:25
*** agireud has joined #openstack-keystone16:25
telemonsterNow battling this:  User OpenStack Admin is unauthorized for tenant c559b2ddf24d4ebc816:25
openstackgerritSteve Martinelli proposed openstack/keystone: Update federation docs to point to specs.o.org  https://review.openstack.org/13459016:26
henrynashstevemar, lbragstad: looking for two brave souls to push the button and get the split rolling: https://review.openstack.org/#/c/130954/16:26
henrynashstevemar: only change from last patch is doc change and removal of one out of date copyright notice16:27
stevemarhenrynash, ohhhh boy16:28
lbragstad:)16:28
rodrigodshenrynash, just gave my +1 =)16:29
henrynashrodigods: thank ya kindly16:29
stevemarhenrynash, i'll give it another once over16:30
*** dtturner has quit IRC16:30
stevemarthis is a huge amount of code, but mostly moving things around16:30
stevemars/mostly/completely16:30
marekdayoung: storing them in env means the same.16:30
henrynashstevemar: just about….with a bit more pulled up to the manager where you need to speak to both types of backend16:31
*** wwriverrat has joined #openstack-keystone16:31
*** wwriverrat has left #openstack-keystone16:31
ayoungmarekd, yes16:32
ayoungmarekd, there are really no failsafe options16:32
henrynashlbragstad: just making sure I get the right one….your comment is about the tenant name being cleared, yes?16:33
lbragstadyeah, just the validation step that we have there.16:34
lbragstadI think that validation stuff from keystone/clean.py was from V2.0 stuff?16:34
henrynashlbragstad: ok, I’ll add a comment for that…..yeah, that was all copied unmodified16:34
lbragstadjust wanting to make sure we don't lose the fix for that later on since it has been determined to do the validation stuff in the manager/controllers16:35
*** _cjones_ has joined #openstack-keystone16:36
lbragstadhenrynash: thanks for adding that16:36
henrynashlbragstad: I’ll add it to the ldap driver as well16:36
lbragstadhenrynash: perfect16:37
ayounghenrynash, lbragstad works for me16:38
openstackgerritSteve Martinelli proposed openstack/keystone: Update keystone readme to point to specs.o.org  https://review.openstack.org/13459516:39
stevemarnooo ayoung - i wanted to +A it :(16:39
ayoungstevemar, Heh16:39
stevemarhenrynash, i was too slow16:39
stevemarapologies sir16:39
ayoungstevemar, the +A rush is mine16:39
marekdayoung: are you aware of some super simple key value store that could be used for the keystoneclient ?16:40
ayoungmarekd, heh...so if you look at the direction Kerberos went, the credentials ended up in the Kernel keyring16:40
ayoungmarekd, one reason to move toward Kerberos and/or X509 certificate authentication is to avoid these issues16:41
openstackgerrithenry-nash proposed openstack/keystone: Split the assignments manager/driver.  https://review.openstack.org/13095416:41
ayoungif someone cares enough about security to worry about these, they will have more secure mechanisms in place.  We just need to support them16:41
ayoungwe need an X509 story16:41
openstackgerrithenry-nash proposed openstack/keystone: Split the assignments controller  https://review.openstack.org/13263416:42
openstackgerrithenry-nash proposed openstack/keystone: Ensure controllers and managers reference new resource manager.  https://review.openstack.org/13352516:42
*** gyee has joined #openstack-keystone16:42
henrynashlbragstad: done16:44
*** dims has joined #openstack-keystone16:47
*** dims has quit IRC16:49
*** ayoung_ has joined #openstack-keystone16:50
marekdayoung: kernel keyring has some affiliation with gnome-keyring (and hence python-keyring) ?16:51
ayoung_ah, henrynash are we going to break people using the LDAP assignments by splitting the resource backend off of it?  The default needs to match the assignment backend16:51
ayoung_marekd, I think all three are separate16:51
ayoung_but probably the devs know about each other16:51
marekdok16:52
marekdi will google16:52
henrynashayoung: so I did speak to Joe Savek about this….and I pointed him at the change…he seemed not too concerned….but it IS a change16:53
*** ayoung_ has quit IRC16:54
*** ayoung_ has joined #openstack-keystone16:54
*** marcoemorais has joined #openstack-keystone16:55
ayoung_henrynash, it is cern that I would be concerned about. ... marekd ?16:57
henrynashayoung: ah, ok….16:57
henrynashmarekd: see: https://review.openstack.org/#/c/13095416:59
*** comstud is now known as bearhands16:59
ayoung_henrynash, so to avoid breaking things last time around, we had a nasty hack:17:00
ayoung_if the driver for the identity backend was LDAP, and no assignment driver was set, assume assignment should use LDAP17:01
ayoung_need the same logic here17:01
henrynashayoung_: I have included that!17:01
ayoung_ah...that is what you mean by the identity driver chooses17:02
ayoung_but it should be the assignment driver now17:02
henrynashayoung_: …so if you just have identity set to LDAP, both resource and assignment will pick that up17:02
ayoung_I thought we dropped the hack in recent versions17:02
ayoung_henrynash, it is unfortunate we have no analogue for the sql migrations in the LDAP case.17:03
henrynashayoung_: …no, it’s still there, if resource has no backend set, it calls identity…and if assignment has no backend set, it calls resource17:03
ayoung_ah, ok...17:03
*** gokrokve has quit IRC17:06
ayoung_henrynash, OK,  I think that covers my concern17:07
*** david-lyle_afk is now known as david-lyle17:07
ayoung_ conCERN.  Ugh.17:07
henrynashayoung_: ha ha17:08
ayoung_henrynash, I keep seeing that termie suggestion:  # TODO(termie): turn this into a data object and move logic to driver17:10
ayoung_I wanna do that, too17:11
henrynashayoung_: does he mean driver or manager?17:11
ayoung_driver...it is LDAP specific17:11
*** elynn_ has quit IRC17:12
openstackgerritMerged openstack/keystone: Move test_pemutils.py to unit test directory  https://review.openstack.org/13423317:27
openstackgerritIoram Schechtman Sette proposed openstack/keystone-specs: IETF ABFAB federation protocol.  https://review.openstack.org/13454917:28
*** _cjones_ has quit IRC17:29
*** _cjones_ has joined #openstack-keystone17:29
openstackgerritMarek Denis proposed openstack/python-keystoneclient: Cache unscoped SAML tokens locally  https://review.openstack.org/13460617:32
*** harlowja has joined #openstack-keystone17:35
*** henrynash has quit IRC17:35
*** harlowja has quit IRC17:37
*** harlowja has joined #openstack-keystone17:37
*** links has quit IRC17:37
*** rharwood has quit IRC17:38
*** rwsu has joined #openstack-keystone17:38
*** gokrokve has joined #openstack-keystone17:45
*** thedodd has quit IRC17:45
*** dims has joined #openstack-keystone17:47
*** _cjones_ has quit IRC17:52
*** dims is now known as dimsum__17:52
*** _cjones_ has joined #openstack-keystone17:55
*** patrickeast has joined #openstack-keystone18:02
rodrigodsmorganfainberg, addressed your concerns at https://review.openstack.org/#/c/117786/18:04
*** marcoemorais has quit IRC18:04
morganfainbergrodrigods: thanks! Will look it over post coffee.18:04
*** marcoemorais has joined #openstack-keystone18:05
rodrigodsmorganfainberg, regarding parents/subtree visibility we will need to discuss the correct approach to it =)18:05
morganfainbergRight.18:05
openstackgerritIoram Schechtman Sette proposed openstack/keystone-specs: IETF ABFAB federation protocol.  https://review.openstack.org/13461218:05
*** marcoemorais has quit IRC18:05
*** marcoemorais has joined #openstack-keystone18:06
*** jistr has quit IRC18:07
*** dimsum__ has quit IRC18:12
*** marcoemorais has quit IRC18:14
*** marg7175 has quit IRC18:21
*** dimsum__ has joined #openstack-keystone18:22
*** dimsum__ has quit IRC18:31
openstackgerritIoram Schechtman Sette proposed openstack/keystone-specs: Enable support for IETF ABFAB as a federation protocol.  https://review.openstack.org/13454918:33
*** gordc has quit IRC18:34
*** Lupul has quit IRC18:34
*** marcoemorais has joined #openstack-keystone18:35
openstackgerritIoram Schechtman Sette proposed openstack/keystone-specs: IETF ABFAB federation protocol.  https://review.openstack.org/13454918:39
*** topol has joined #openstack-keystone18:40
openstackgerritIoram Schechtman Sette proposed openstack/keystone-specs: IETF ABFAB federation protocol.  https://review.openstack.org/13454918:40
*** amcrn has joined #openstack-keystone18:40
*** topol has quit IRC18:43
*** saipandi has joined #openstack-keystone18:44
*** Lupul has joined #openstack-keystone18:54
*** harlowja is now known as harlowja_away18:58
*** gokrokve has quit IRC18:59
*** gokrokve has joined #openstack-keystone18:59
david-lyleif I have a role on a project in a domain, I don't automatically have a role on the domain, correct? That is to say, if I can obtain a project scoped token, does that mean I can also obtain a domain scoped token on that domain just based on that project role?19:02
*** marcoemorais has quit IRC19:02
*** marcoemorais has joined #openstack-keystone19:02
david-lyleor do both have to be explicitly granted19:02
*** marcoemorais has quit IRC19:03
*** marcoemorais has joined #openstack-keystone19:04
*** lhcheng_ has quit IRC19:06
*** marcoemorais has quit IRC19:06
*** marcoemorais has joined #openstack-keystone19:07
ayoung_david-lyle, your initial statement is correct19:07
*** marcoemorais has quit IRC19:07
*** marcoemorais has joined #openstack-keystone19:07
david-lyleayoung_: so I can obtain a project scoped token, but be unable to obtain a domain scoped token on that domain based on whether I have a role on the domain19:07
ayoung_do you mean19:08
ayoung_"I can obtain a project scoped token, but be unable to obtain a domain scoped token on that domain based on whether I have a role on a project in the domain"19:08
ayoung_david-lyle, so, yeah, this is confusing19:08
ayoung_with Hierarchical projects, it is going to get mildly more so, but I think it will eventually shake out19:09
*** amirosh has joined #openstack-keystone19:09
ayoung_so  since project is under domain, getting a role on a project does not give you a role (implicit or explicit) on the domain19:09
david-lyleok that makes sense19:09
ayoung_david-lyle, with hierarchical multi-tenancy, that pattern is going to be expanded19:09
*** nellysmitt has joined #openstack-keystone19:10
ayoung_role assignments will be (possibly) inherited down the tree, but not up19:10
david-lyleso I need a role on any entity that I want to get a scoped token to19:10
raildoayoung, ++19:10
david-lylein both directions19:10
david-lylefor now19:10
ayoung_yes19:10
david-lyleI understand inherited roles could change that19:10
raildodavid-lyle, in hierarchical project, you have to grant an inherited role, to get a token for all the projects in the hierarchy19:11
david-lyletrying to write up the bp to start the horizon work to at least support what's there now19:11
*** harlowja_away is now known as harlowja19:11
david-lylewe'll cover the hierarchical tenants once that's solidified19:11
*** nellysmitt has quit IRC19:14
david-lyleayoung_, raildo: thanks!19:14
raildonp :)19:15
*** thedodd has joined #openstack-keystone19:15
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: Fix enable/disable projects behaviour for HM  https://review.openstack.org/13462919:19
rodrigodsmorganfainberg, ayoung, ^^19:20
rodrigodsnoticed that have described the wrong behavior there19:20
*** kobtea has joined #openstack-keystone19:21
*** marg7175 has joined #openstack-keystone19:22
*** kobtea has quit IRC19:26
*** jacorob has joined #openstack-keystone19:30
*** lhcheng has joined #openstack-keystone19:53
ayoung_+219:57
openstackgerritMorgan Fainberg proposed openstack/keystone-specs: Token Provider Cleanup Spec  https://review.openstack.org/13431420:03
openstackgerritMorgan Fainberg proposed openstack/keystone-specs: Kilo version of non-persistent token specification  https://review.openstack.org/12973620:03
morganfainbergrodrigods, +320:04
*** topol has joined #openstack-keystone20:05
morganfainberglbragstad, https://review.openstack.org/#/c/133783/ I responded to your comment20:05
openstackgerritMerged openstack/keystone-specs: Fix enable/disable projects behaviour for HM  https://review.openstack.org/13462920:05
lbragstadmorganfainberg: awesome, thanks20:06
morganfainberglbragstad, but basically not specified for a reason.20:06
lbragstadmorganfainberg: fair enough20:06
*** packet has quit IRC20:09
openstackgerritMerged openstack/keystone-specs: Add small comment for partially implemented specs in backlog  https://review.openstack.org/13378320:10
*** jacorob has quit IRC20:11
*** nellysmitt has joined #openstack-keystone20:12
*** _cjones_ has quit IRC20:15
*** thedodd has quit IRC20:18
morganfainberglbragstad, any reason i shouldn't +A the changes following that comment (the spec repo comments / project info / etc)20:22
morganfainberglbragstad, i noticed you +2'd some of them, but before I go through and +A just making sure it wasn't a reason you held back20:22
lbragstadmorganfainberg: I just waited for your response to the question I had on the first patch, I'll kick them through20:23
morganfainbergk20:23
morganfainbergthanks20:23
lbragstadmorganfainberg: no problem,20:23
openstackgerritMerged openstack/keystone-specs: Add project documentation links to index  https://review.openstack.org/13381020:25
openstackgerritMerged openstack/keystone-specs: Add warning about milestone 2 deadline  https://review.openstack.org/13381320:26
*** jacorob has joined #openstack-keystone20:29
*** sigmavirus24 has joined #openstack-keystone20:30
*** marcoemorais has quit IRC20:33
*** marcoemorais has joined #openstack-keystone20:33
stevemarmorganfainberg, re: your last comment about the assignment split20:44
morganfainbergi saw it20:44
stevemardo we really support 3rd party code? as in we need a proxy / function for deprecation?20:44
stevemarthat seems ... outside the scope, it's something we only expose internally20:44
morganfainbergwe do.20:45
morganfainbergi've had operators come and say "OMG WHERE DID THIS ALL MOVE TO!?"20:45
stevemarhmph, okay20:45
morganfainbergbecause they wrote an extension that relies on 'identity_api'20:45
stevemari suppose20:45
stevemargood to know for next time i guess20:46
morganfainberghenry did put the scaffolding in for that proxy20:46
morganfainbergnow... he didn't mark them as @deprecated though :P20:46
* morganfainberg is still reading the code. but it's a beastly patch.20:47
morganfainbergthe biggest concern i have is options moving and not doing the same thing they used to20:47
morganfainbergand not having deprecated options.20:47
rodrigodsjust -1d a patch where I'm author, am I crazy? (just waiting for more eyes on it before sending another patch)20:50
morganfainberghehe20:51
morganfainbergyou'll see us do that every now and again20:51
*** henrynash has joined #openstack-keystone20:52
rodrigodsphew... had the feeling that without the -1, I'd forget to fix the issue20:52
raildorodrigods, i work with you, so yes, I think you are a little crazy hahaha20:53
rodrigodsraildo, =(20:53
*** jacorob has quit IRC20:54
ayoung_morganfainberg, I think I want to change the spec.  We should make bullet points for a lot of the stuff in paragraphs:  CI impact, configuration options , upgrade,20:58
*** _cjones_ has joined #openstack-keystone21:00
ayoung_I want to change the spec *template* that is21:02
*** amirosh has quit IRC21:02
*** rustlebee is now known as russellb21:03
*** amirosh has joined #openstack-keystone21:03
morganfainbergsure21:06
morganfainbergdo it21:06
morganfainberg:)21:06
*** amirosh has quit IRC21:07
*** nkinder_afk is now known as nkinder21:08
stevemarayoung, i'm down for bullet points21:09
ayoung_will do21:09
stevemari struggle to make complete sentences, let alone paragraphs.21:09
ayoung_straightening out all my  policy specs first21:09
*** fifieldt has quit IRC21:10
*** jacorob has joined #openstack-keystone21:10
*** raildo has quit IRC21:11
*** radez is now known as radez_g0n321:22
*** fifieldt has joined #openstack-keystone21:23
*** dimsum__ has joined #openstack-keystone21:32
*** marcoemorais has quit IRC21:34
*** dims_ has joined #openstack-keystone21:35
*** dimsum__ has quit IRC21:37
*** klrmn has joined #openstack-keystone21:41
klrmnafter teaching keystone to run as a service with the --debug flag, i discover that *something* is sending keystone a SIGINT almost right after it starts. is this something it might be doing to itself, or do i need to look for an external cause?21:42
morganfainbergklrmn, i would hope we're not sending keystone a SIGINT internally21:43
morganfainbergklrmn, and you're running keystone as a service under eventlet?21:43
morganfainbergklrmn, i strongly recommend using mod_wsgi instead.21:43
klrmnmorganfainberg: this is for a test server to prove interoperability rather than a production server, so if this is a scalability issue….21:46
*** marcoemorais has joined #openstack-keystone21:46
morganfainbergklrmn, in general mod_wsgi is *always* a better deployment method. but eventlet is fine for very very basic testing21:47
klrmnmorganfainberg: *nod* the person who set this up for me originally is on the other side of the planet, and presumably sleeping. i figured i'd ask rather than put it on a back-burner til monday21:47
*** topol has quit IRC21:52
openstackgerritayoung proposed openstack/keystone-specs: Hierarchical Roles  https://review.openstack.org/12570421:55
openstackgerritayoung proposed openstack/keystone-specs: Policy rules mangaged from a database  https://review.openstack.org/13381421:55
openstackgerritayoung proposed openstack/keystone-specs: Enforce policy from keystoneclient  https://review.openstack.org/13348021:55
openstackgerritayoung proposed openstack/keystone-specs: Fetch policy.json from server  https://review.openstack.org/13465521:55
openstackgerritayoung proposed openstack/keystone-specs: unified policy file  https://review.openstack.org/13465621:55
openstackgerritayoung proposed openstack/keystone-specs: Default Policy  https://review.openstack.org/13465721:55
*** htruta_ has joined #openstack-keystone21:57
stevemarayoung, morganfainberg question for y'all22:02
stevemari think we all agree that we need a publicly available endpoint to list public idps22:03
stevemarshould that be available on the client side? or are we just going to tell someone to do a requests.GET call?22:03
rodrigodsayoung_, already working in the oslo.policy spec (following this template: https://github.com/openstack/oslo-specs/blob/master/specs/graduation-template.rst) plan to send it to review this weekend or monday22:03
morganfainbergstevemar, it likely should be available on client side.22:04
stevemarmorganfainberg, okay the how do we create a client with no credentials :)22:04
ayoung_stevemar, we don't22:04
ayoung_stevemar, its going to be like discovery22:05
morganfainbergayoung_, ++22:05
*** marcoemorais has quit IRC22:05
*** marcoemorais1 has joined #openstack-keystone22:05
ayoung_now that I said that, I have to think what it means22:05
*** marcoemorais1 has quit IRC22:06
*** marcoemorais has joined #openstack-keystone22:06
ayoung_damnit, why won't my alternate nickname time out22:06
stevemarayoung, elaborate?22:07
*** marg7175 has quit IRC22:07
morganfainbergayoung_, ghost it?22:07
morganfainbergayoung_, or is it a you need to issue a ... uh .. release on it?22:08
*** marg7175 has joined #openstack-keystone22:11
ayoung_morganfainberg, I managed to torque up the password on it.  I sent in a reset, and the password should have been reset, but the ghost command is not working22:14
morganfainbergayoung_, use "release"22:14
*** ayoung is now known as Guest3208822:15
ayoung_morganfainberg, ok...so far so good.22:15
*** marg7175_ has joined #openstack-keystone22:21
openstackgerritIoram Schechtman Sette proposed openstack/keystone-specs: IETF ABFAB federation protocol.  https://review.openstack.org/13454922:23
*** ayoung_ is now known as ayoung22:23
*** marg7175 has quit IRC22:24
*** dgonzalez has joined #openstack-keystone22:27
*** Viswanath has joined #openstack-keystone22:42
ayoungmorganfainberg, release followed  by regain....22:44
*** edmondsw has quit IRC22:44
morganfainbergayoung, ah22:44
morganfainbergayoung, there ya go22:45
*** Viswanath has quit IRC22:45
stevemarmorganfainberg, so whats going to happen with uuid tokens when non-persistent goes int22:46
stevemardies in n+2 releases ? (or stays alive by popular demand)22:46
morganfainbergstays alive until we don't want to support it anymore +222:47
morganfainbergi don't expect it to go away unless something like AE-Token takes its spot22:47
*** marcoemorais1 has joined #openstack-keystone22:47
morganfainbergUUID is a nice *easy* to understand provider22:47
stevemarcool22:48
morganfainbergPKI won't need to persist, (will definitely go non-persistent) and other providers ???22:48
*** aix has quit IRC22:48
stevemarmorganfainberg, i'm really happy that we all learned how to create better specs22:49
stevemarremoving the cruft from the template help22:49
stevemarand it seems like the growing pains are over22:49
stevemarIIRC, we were meeting in SAT (mid cycle) to finalize specs last time :( so late to the game22:50
*** klrmn has left #openstack-keystone22:50
*** marcoemorais has quit IRC22:51
*** dgonzalez has quit IRC22:51
*** jacorob has quit IRC22:52
*** kobtea has joined #openstack-keystone22:59
*** sigmavirus24 is now known as sigmavirus24_awa22:59
*** kobtea has quit IRC23:03
*** marg7175_ has quit IRC23:05
*** agireud has quit IRC23:08
*** zzzeek has quit IRC23:09
*** _cjones_ has quit IRC23:09
*** _cjones_ has joined #openstack-keystone23:09
*** saipandi has quit IRC23:10
*** htruta_ has quit IRC23:13
*** stevemar has quit IRC23:16
*** gyee has quit IRC23:36
*** marcoemorais1 has quit IRC23:38
*** marcoemorais has joined #openstack-keystone23:38
*** nkinder has quit IRC23:40
*** lhcheng has quit IRC23:47
*** henrynash has quit IRC23:49
*** marcoemorais has quit IRC23:57
*** marcoemorais has joined #openstack-keystone23:57
*** marg7175 has joined #openstack-keystone23:59
