Tuesday, 2015-02-17

*** afazekas has quit IRC00:01
*** markvoelker has joined #openstack-keystone00:04
*** lhcheng has quit IRC00:05
*** carlosmarin has quit IRC00:08
*** markvoelker has quit IRC00:09
dstanekhenrynash: sorry...catching up00:17
henrynashdstanek: np…I think I got it worked out...00:18
dstanekhenrynash: is this related to that blueprint?00:18
henrynashdstanek: the one on splitting up the tests for resource/assignment etc….yes00:18
henrynashdstanek: I’m particularly interested in splitting up our 6000 line backend.py file!!!!00:19
dstanekthat would be a good thing00:19
dstanekthis was pitched at the last meeting https://blueprints.launchpad.net/keystone/+spec/backends-tests-restructuration00:19
henrynashdstanek: yep, was there….I’m just about ready to propose a first patch that shows a structure for doing this…I’ll do that and let you and others review00:20
henrynashdstanek: if we all hate it, np, we’ll try something else :-)00:20
dstanekthat sounds good to me00:21
*** dims_ has quit IRC00:27
*** dims__ has joined #openstack-keystone00:30
openstackgerrithenry-nash proposed openstack/keystone: Move backend role tests into their own module  https://review.openstack.org/15642300:33
atiwarimorganfainberg, yt?00:36
stevemarcould i get a non-ibm to +A this patch: https://review.openstack.org/#/c/152699/22 (before i have to rebase things :) )00:36
openstackgerritSteve Martinelli proposed openstack/oslo.policy: Use single quotes consistently  https://review.openstack.org/15640400:37
*** nellysmitt has joined #openstack-keystone00:38
*** nellysmitt has quit IRC00:43
*** bknudson has joined #openstack-keystone00:48
*** ChanServ sets mode: +v bknudson00:48
*** jaosorior has quit IRC00:51
atiwaristevemar, how did you add ascii flow in the spec?01:05
*** markvoelker has joined #openstack-keystone01:05
stevemaratiwari, you just prefix it with a double-colon (::), then indent everything with 4 spaces, you can see the raw source here: http://specs.openstack.org/openstack/keystone-specs/_sources/specs/juno/keystone-to-keystone-federation.txt01:10
atiwarilet me see01:10
atiwarithanks01:11
stevemaror here: http://specs.openstack.org/openstack/keystone-specs/_sources/specs/kilo/websso-portal.txt01:11
stevemarnp01:11
*** markvoelker has quit IRC01:11
atiwariso this flow was hand drafted?01:11
atiwarihttp://asciiflow.com/#0B4HXCa0rdYenSlRYYXJNY0VjMk001:11
atiwariI am trying to add above in my spec01:12
atiwarithere is no way to cut it and paste01:12
*** jamielennox is now known as jamielennox|away01:16
*** zzzeek has quit IRC01:21
*** zzzeek has joined #openstack-keystone01:23
*** henrynash has quit IRC01:29
*** jamielennox|away is now known as jamielennox01:31
wanghongMorning and Happy Spring Festival! :)01:34
*** samueldmq has joined #openstack-keystone01:36
*** amerine has joined #openstack-keystone01:37
*** zzzeek has quit IRC01:39
stevemaratiwari yeah it was hand-drafted, didn't even know asciiflow.com existed01:40
stevemaratiwari, there is a button on the top-right, it's the second one from the left, it allows for copy/paste01:41
*** jamielennox is now known as jamielennox|away01:41
atiwarihmm01:41
openstackgerritIan Cordasco proposed openstack/oslo.policy: Fix minor spelling issues in oslo.policy  https://review.openstack.org/15640501:41
stevemarwanghong, good morning and happy spring festival :)01:42
wanghongstevemar, aha, from tomorrow I will have a seven-day holiday. So, see you 7 days later:)01:43
*** ncoghlan has joined #openstack-keystone01:45
mfischI just toyed around with LDAP connection pools in my virtual env and it's 3x faster when authing against AD01:51
stevemarmfisch, sounds like a good blog post :D01:51
mfischI need this to land first01:51
mfischhttps://review.openstack.org/#/c/156402/01:51
mfischpuppet ^01:51
stevemarwanghong, sounds great! i hope not to see you online :D01:52
mfischI'm puppet-openstack core now but it's not good form to approve yourself01:52
stevemarmfisch, for sure01:52
mgagnemfisch: +2 your change, lgtm01:54
mfischoh yay01:54
*** avozza is now known as zz_avozza01:56
*** amerine has quit IRC02:01
atiwaristevemar, seems I don't have those buttons. which browser are you using?02:03
stevemaratiwari, one sec, i'll share02:04
stevemaratiwari, http://imgur.com/WENrFJT02:06
*** markvoelker has joined #openstack-keystone02:08
*** _cjones_ has quit IRC02:09
*** jamielennox|away is now known as jamielennox02:09
*** richm has quit IRC02:12
*** markvoelker has quit IRC02:13
*** lhcheng has joined #openstack-keystone02:20
*** DaveChen has joined #openstack-keystone02:23
*** lhcheng has quit IRC02:25
*** erkules_ has joined #openstack-keystone02:29
*** erkules has quit IRC02:31
*** bknudson has quit IRC02:37
*** nellysmitt has joined #openstack-keystone02:39
*** dims__ has quit IRC02:40
*** nellysmitt has quit IRC02:44
*** darrenc is now known as darrenc_afk02:56
*** amerine has joined #openstack-keystone03:01
*** tqtran has quit IRC03:02
morganfainbergstevemar, for "Federated" domain it's going to need to be a config option03:02
mfischstevemar: with curls I see a 5x speedup, wow03:03
morganfainbergmfisch, 5x speedup with what?03:03
mfischldap connection pools03:03
morganfainbergyeah they're good03:03
mfischjust pulling 500 tokens03:03
morganfainbergnow if we could only get our LDAP backend to be less chatty, even better03:04
stevemarmorganfainberg, yeah, i figured that was the case, dammit03:04
mfischstevemar made me do a blog post so I'm about to post it03:04
stevemarmfisch, i didn't realize i had the power to make you do things :P03:04
morganfainbergstevemar, *core powers*03:04
morganfainbergstevemar, ;P03:04
morganfainbergstevemar, jk03:04
stevemargood point03:05
stevemarnow to wield them inappropriately03:05
morganfainbergit's like wonder twins...03:05
morganfainbergbut less weird03:05
stevemarlike a green lantern wearing a power ring?03:05
morganfainbergthere you go, i just ruined it didn't i?03:05
morganfainbergnope. def. wonder twins03:05
morganfainbergor aquaman03:05
morganfainbergstevemar, so ayoung ran across an issue w/ per-domain backends03:06
morganfainbergchicken-egg03:06
morganfainbergstevemar, how do you grant a role to someone who hasn't logged in yet... or a group that hasn't been referenced yet?03:06
morganfainbergstevemar, we need to bake a way into the API to solve that03:07
mfischstevemar: http://www.mattfischer.com/blog/?p=62403:07
mfischperhaps you guys could explain why I never had more than 4 connections03:07
morganfainbergmfisch, behind apache?03:07
openstackgerritwanghong proposed openstack/keystone: add timestamp to project and role  https://review.openstack.org/15437003:07
morganfainbergor in eventlet?03:07
mfischmorganfainberg: unsure what my virtual dev node has lemme look03:08
mfischeventlet I think03:08
mfischI just run it with keystone-all03:08
morganfainbergyeah. so, under apache i'd expect way less benefit03:08
morganfainbergkeystone-all == eventlet03:09
mfischfeel free to add that comment on my blog ;)03:09
mfischyep03:09
morganfainbergso, you're probably running into limitations of the workers + eventlet yielding03:09
mfischapache is a debbie downer03:09
*** markvoelker has joined #openstack-keystone03:09
morganfainberghow many workers do you have configured under eventlet?03:09
mfischthat's it03:09
mfischthis is a vbox, probably 403:09
mfischI have 4 yep03:10
mfisch64 on real h/w03:10
mfischso duh03:10
morganfainbergyep. and python-ldap is c-bindings so it doesn't yield03:10
morganfainbergif it was pure python it would be able to yield03:10
morganfainbergso you're less bound up, because the workers are a bit smarter03:10
morganfainbergyou don't need to spin up/spin down connections03:11
mfischdefault must be 2x cpu03:11
morganfainbergbut you're still limited per worker things03:11
stevemarmfisch, solid blog write up +103:11
morganfainbergif we isolated LDAP/SQL to a conductor03:11
mfischpuppet won't let you change worker count yet, dorman is working on it03:11
morganfainbergwe could in theory handle more connections based upon scaling the conductor out03:11
morganfainbergsince the majority of the time is in blocking calls that really aren't an issue for the CPU to context switch out of03:12
morganfainbergbut python and especially eventlet python cannot optimise out of03:12
morganfainbergso the 3-5x improvement is purely not needing to spinup/down the sockets/connections to LDAP03:12
mfischmorganfainberg: as PTL what really makes this a great feature is that someone took the time to document the config03:13
openstackgerritMerged openstack/keystone-specs: Deprecate keystone CLI  https://review.openstack.org/15515903:13
morganfainbergmfisch, we try to make sure config options/mechanisms are documented03:13
morganfainbergreally we do03:13
*** samueldmq has quit IRC03:13
morganfainbergwe miss the mark sometimes though03:13
morganfainberg*cough* middleware *cough*03:13
mfischmorganfainberg: I think it's improved03:13
mfischwhen I first did LDAP I documented part of it while doing the work03:14
morganfainbergthat reminds me...03:14
morganfainbergi need to send an email to your blog to a buddy now03:14
mfischbig opers who have 10 guys doing keystone may not need it but small and mid-size do03:14
*** markvoelker has quit IRC03:14
morganfainbergbig opers still need the docs03:14
morganfainbergtrust me ;)03:14
mfischsure, but it's easier when you have full time focused guys03:15
mfischafter this I'm back to working on ovs and heat tomorrow03:15
*** darrenc_afk is now known as darrenc03:17
morganfainbergmfisch, hehe03:20
morganfainbergoh crap i need to do laundry...03:20
mfischmorganfainberg: I updated to note your comment on apache, thx03:20
morganfainbergit'll still benefit apache, just at a lesser level03:20
morganfainbergyou still avoid the need to spin up/down the LDAP connections for each request03:20
mfischwell I quoted you, shall I change it?03:21
mfisch According to the Keystone PTL, Morgan Fainberg, “under apache I’d expect way less benefit”03:22
morganfainbergno03:22
morganfainbergdon't quote me like that :P03:22
morganfainberg"less benefit"03:22
mfischok03:22
morganfainbergnot "way less" ;)03:22
mfischdone03:22
stevemarmfisch always with the libel and slander03:23
morganfainbergi would expect to still see noticeable improvements though03:23
morganfainbergso 2-3x [no you can't quote me on this] vs 3-5x03:23
mfischI don't think it's libel if it's a quote03:23
morganfainbergwould be the numbers i pull out of thin air03:23
mfischlet me update the blog again03:23
mfisch"I eat moose everyday for breakfast" - Steve Martinelli03:23
morganfainbergno quoting me on that03:23
morganfainbergmfisch, he is canadian03:24
morganfainbergmfisch it might be true03:24
mfischa colleague's parents live on an island in Canada and I now have a legit moose tenderloin in the freezer03:24
morganfainbergi hear Moose-jerky is good03:25
morganfainbergfrom a friend who hunts.03:25
morganfainbergunfortunately they live waaaay far away and shipping moose jerky via mail is... suspect03:26
stevemarmorganfainberg, only if you're not doing it correctly03:30
morganfainbergno the whole shipping meat internationally issue03:31
morganfainbergless the "it'll spoil" issue03:31
*** ccard_ has joined #openstack-keystone03:31
stevemarughhh my lazy day off is ending, back at it tomorrow03:34
*** ccard has quit IRC03:34
*** lhcheng has joined #openstack-keystone03:38
openstackgerritMerged openstack/keystone: Use oslo.log instead of incubator  https://review.openstack.org/15269903:40
*** dims__ has joined #openstack-keystone03:40
stevemar\o/03:40
morganfainbergstevemar, you should fix the federation domain one so we can merge that too03:45
morganfainbergstevemar, >.>03:45
*** dims__ has quit IRC03:45
*** amerine has quit IRC03:46
stevemarmorganfainberg, yesss, doing that now/soon, just added https://review.openstack.org/15645603:47
morganfainberg;)03:47
stevemarmorganfainberg, i have so much to review03:48
stevemari took 2 days off and i'm super behind03:48
morganfainbergstevemar, no weekends for you! :P03:48
morganfainberg>.>03:48
stevemarand those days were 1) a weekend, and 2) a stat holiday03:48
stevemarha03:48
stevemarfeels that way sometimes :)03:48
stevemarmorganfainberg, you want it in a subsequent patch so we can merge the first one?03:49
morganfainberguhm. *shrug*03:49
stevemarthis way you can +3 the first one in the chain03:49
stevemarwith proof that it's fixed03:49
stevemarjust cause Henry already +2ed it03:49
morganfainbergor i can +2 and marekd can +2/+A early tomorrow03:51
*** ccard_ has quit IRC03:53
*** ccard_ has joined #openstack-keystone03:57
*** lhcheng has quit IRC04:00
mfischmorganfainberg: I see that public_workers and admin_workers = CPU count (by default)04:01
mfischI have 2 CPUs, so 4 total workers04:01
mfischwould each thread be doing LDAP?04:01
mfischshould only be public workers right since I'm just getting tokens04:01
morganfainbergwell admin/public are really v2 only constructs04:01
morganfainbergv3 is the same pipeline04:01
mfischI'm using v2 for my test04:02
mfischI'd expect the # connections to max at 204:02
morganfainbergpool might also do a spare?04:02
morganfainbergi'd need to re-look at the code04:02
mfischis there a way to tell which type from ps?04:03
morganfainberguhm04:03
morganfainbergnot really04:03
mfischk04:03
*** markvoelker has joined #openstack-keystone04:10
*** markvoelker has quit IRC04:16
*** ccard_ has quit IRC04:31
openstackgerritSteve Martinelli proposed openstack/keystone: Make federated domain configurable  https://review.openstack.org/15646104:35
stevemarmorganfainberg, ^04:35
*** ccard_ has joined #openstack-keystone04:36
openstackgerritSteve Martinelli proposed openstack/keystone: Make federated domain configurable  https://review.openstack.org/15646104:38
*** nellysmitt has joined #openstack-keystone04:40
*** nellysmitt has quit IRC04:45
morganfainbergstevemar a couple nits on that new patch04:47
*** ccard__ has joined #openstack-keystone04:48
morganfainbergstevemar and you need a followup sample config update04:48
stevemarmorganfainberg, thanks, yeah, we are in need for a regen for sample_config04:49
stevemarespecially since oslo.log landed, need to make sure we didn't lose anything04:49
*** ccard_ has quit IRC04:50
*** radez is now known as radez_g0n305:01
*** _cjones_ has joined #openstack-keystone05:10
*** lhcheng has joined #openstack-keystone05:11
openstackgerritSteve Martinelli proposed openstack/pycadf: Additional doc clean up  https://review.openstack.org/15646305:12
*** markvoelker has joined #openstack-keystone05:12
*** _cjones_ has quit IRC05:14
*** ccard__ has quit IRC05:15
*** devlaps has quit IRC05:16
*** ccard__ has joined #openstack-keystone05:16
*** markvoelker has quit IRC05:17
*** lhcheng has quit IRC05:18
*** rushiagr_away is now known as rushiagr05:23
*** ccard__ has quit IRC05:24
*** ccard__ has joined #openstack-keystone05:24
*** _cjones_ has joined #openstack-keystone05:26
openstackgerritSteve Martinelli proposed openstack/keystone: Make federated domain configurable  https://review.openstack.org/15646105:27
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Provide a means to get all installed plugins  https://review.openstack.org/15646605:29
*** ajayaa has joined #openstack-keystone05:33
openstackgerritMerged openstack/keystone: Add a domain to federated users  https://review.openstack.org/11085805:36
openstackgerritMerged openstack/keystone: Fix nits from patch #110858  https://review.openstack.org/15615805:42
*** pcaruana has quit IRC05:47
openstackgerritMorgan Fainberg proposed openstack/keystone: Make federated domain configurable  https://review.openstack.org/15646105:52
*** _cjones_ has quit IRC05:53
*** henrynash has joined #openstack-keystone06:03
*** ChanServ sets mode: +v henrynash06:03
openstackgerritwanghong proposed openstack/keystone: add timestamp to project and role  https://review.openstack.org/15437006:05
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/15647606:05
openstackgerritrajiv proposed openstack/python-keystoneclient: No keystone Endpoint now gives a valid Error Message  https://review.openstack.org/15526006:06
crinklestevemar: why does `openstack network create` not accept a tenant as a parameter?06:07
stevemarcrinkle, my network knowledge is close to 0 :(06:08
crinkleit's making it hard to replicate `neutron net-create` for a tenant that the admin user doesn't have a role in06:08
crinklehmm06:08
stevemarcrinkle, I think (hope) we say that network support is limited at best06:09
stevemarwe haven't really found anyone proficient enough with networking to add a bunch of commands06:09
*** henrynash has quit IRC06:10
crinkledamn, okay06:10
stevemarcrinkle, how important is it? do you just need net-create parity?06:11
stevemarare there any other network related commands?06:12
stevemar(that you need)06:12
*** ccard_ has joined #openstack-keystone06:13
*** markvoelker has joined #openstack-keystone06:13
*** ccard__ has quit IRC06:14
crinklestevemar: we also need port-create, subnet-create, router-create, and router-interface-add06:16
crinkleafaict06:16
crinkleI've only just started looking at it06:16
morganfainbergstevemar, updated the high priority reviews... i think we're going to be punting a lot of things out of kilo06:16
morganfainberg:(06:16
stevemarmorganfainberg, i figured that was going to happen06:16
morganfainbergcrinkle, Hi! :)06:16
crinklemorganfainberg: o/06:16
* morganfainberg waves like an insane person at crinkle :)06:17
crinkle:D06:17
morganfainbergcrinkle, if you have a moment to throw something at nibalizer, be sure to do it. cause... why not06:17
morganfainberg:)06:17
stevemarcrinkle, what's the timeline on it?06:18
morganfainbergthat is whenever you have a moment to do so.06:18
stevemarif i can deliver it after feature freeze, is that too late?06:18
crinklestevemar: we were hoping before kilo06:18
crinklebut I don't think it's dire06:18
* morganfainberg needs to swing through PDX again to bug people.06:18
*** markvoelker has quit IRC06:19
*** ChanServ changes topic to "High Priority Reviews: https://gist.github.com/dolph/651c6a1748f69637abd0 | Be ready to punt Kilo targeted specs, the "high priority" has been updated and looks scary now."06:20
stevemarcrinkle, file a bug with a list of the commands you need, hopefully me/dean/terry can get it in06:20
crinklestevemar: thanks, will do06:20
stevemarmorganfainberg, did you want to go through them?06:20
morganfainbergstevemar, not yet, but in a week yes06:20
morganfainbergseriously look at the list06:20
stevemarmorganfainberg, technically functional testing can go in past FF06:21
morganfainbergyes06:21
morganfainbergas can a few others06:21
morganfainbergbut not many06:21
stevemarCADF everywhere is done, just needs eyes06:21
morganfainbergstevemar, look at the BP count for k3: https://launchpad.net/keystone/+milestone/kilo-306:21
morganfainbergit's rough06:21
stevemarlooking at it now06:22
morganfainbergmy guess is provider cleanup = punted06:22
morganfainbergx509 auth is likely punted06:23
morganfainbergi don't want to see it punted, but Domain configs in sql hasn't been started afaict06:23
stevemarit has not06:23
morganfainberga bunch of henry's reviews aren't even tagged to the BPs they need to be06:23
morganfainbergfor the assignment split06:24
stevemarkilo approved specs http://specs.openstack.org/openstack/keystone-specs/ is super long06:24
morganfainbergstevemar, i'm going to open specs for L at the k3 milestone06:24
morganfainbergand i think i want all specs approved by L106:24
morganfainbergl2 will be too late and get us in the same boat we're in now06:24
morganfainbergs/all specs/all feature specs06:25
stevemarmorganfainberg, we're not in *that* bad shape06:25
stevemarproposed by L1, approved by end of L2 :D06:25
morganfainbergstevemar, no but we're cramming everything into the 2nd half of milestone306:25
morganfainbergi would rather have all features landed by L206:25
morganfainberggives us a whole milestone to slip06:25
morganfainbergif anything slips in the list now we're pretty much not going to land it06:25
stevemarthere's always that slow start for some reason06:25
morganfainbergL2 is a better place to freeze features06:26
morganfainbergi think we're going to have an unfun release this cycle tbh06:26
morganfainbergi think work towards RC is going to be ugly based upon things being crammed in at the last minute06:26
stevemarmorganfainberg, anything not started by friday is punted?06:27
stevemari think if you announce that you will see lots of people starting stuff :P06:27
morganfainberganything not in progress by next IRC meeting (the one follows tomorrow) will be punted06:27
morganfainbergin progress with real work shown06:28
* morganfainberg is travelling until saturday and doesn't want to have to play "cleanup" on friday/weekend06:28
stevemarmorganfainberg, yeah tokenless auth with x509 and configs in SQL are definitely on the chopping block06:29
stevemarmaybe even the remove metadata thing06:30
stevemarfunctional testing andreaf enabled non-sqlite dbs can land post FF06:30
morganfainbergyep06:31
*** zz_avozza is now known as avozza06:31
stevemarmorganfainberg, bump reseller and abfab06:31
morganfainbergok added announcement for spec proposals and a notice that if things aren't started by 2/24 we're punting them06:31
morganfainbergto the agenda06:31
morganfainbergi'll send the email to the ML once we cut K3 about spec proposals being opened (doesn't need to be announced until it happens)06:32
stevemarfair enough06:32
stevemari'm going to make a list of bps that haven't been started06:32
morganfainbergty06:32
stevemarso the authors know to either start coding or bump it themselves to L06:32
morganfainbergdo it as a list of BPs not started / in jeopardy due to scope without corresponding code06:32
morganfainbergit's easy to see which ones are in jeopardy06:33
stevemari'll announce the BPs during the meeting06:33
morganfainberg++06:33
stevemaryes, all the links are there06:33
morganfainbergthanks for running this meeting06:33
morganfainbergi'll prob be there shortly into it, but you know how it goes with travel06:33
stevemarmorganfainberg, if you want to review https://review.openstack.org/#/c/125521/ we can close a blueprint :P06:35
morganfainbergstevemar, has a -1 from henry fwiw06:36
morganfainbergand henry is right: https://bugs.launchpad.net/keystone/+bug/1417451 is likely an issue06:37
openstackLaunchpad bug 1417451 in Keystone "SQL User & Group entities still have FK to domain" [Medium,Confirmed] - Assigned to Henry Nash (henry-nash)06:37
stevemarblah06:38
* stevemar is trying to think of the implications of just dropping the FK....06:39
morganfainbergzero afaik06:39
morganfainbergexcept a domain delete *could* orphan users/groups06:39
morganfainbergbut.. that is the risk we've always had06:39
morganfainbergstevemar, also https://blueprints.launchpad.net/keystone/+spec/kilo-sql-squash06:41
*** nellysmitt has joined #openstack-keystone06:41
morganfainbergthat can be done post K306:41
stevemarmorganfainberg, yep, that isn't even targeted to anything06:42
morganfainbergi just registered it06:42
morganfainberg:P06:42
stevemarmorganfainberg, i guess we will have to have a new db migration to remove the FK06:45
morganfainbergyep06:45
*** nellysmitt has quit IRC06:45
openstackgerritDave Chen proposed openstack/keystone: Skip endpoints which is not available  https://review.openstack.org/14486006:56
openstackgerritSteve Martinelli proposed openstack/keystone: Drop foreign key (domain_id) from user and group tables  https://review.openstack.org/15648806:58
stevemarmorganfainberg, ^06:58
morganfainbergstevemar, i see06:58
stevemarjust a first swing at it06:58
* morganfainberg is tempted to say that downward migrations stop being supported in keystone regardless of the x-project spec06:59
morganfainbergbut i'll wait until this meeting and bring up that the people who said they'd add more details on what they want to hear before the spec is approved, have yet to do so06:59
*** MasterPiece has joined #openstack-keystone07:01
openstackgerritMarek Denis proposed openstack/keystone: Make federated domain configurable  https://review.openstack.org/15646107:03
morganfainbergmarekd, aha thanks.07:04
stevemarha07:04
marekdmorganfainberg: stevemar no problem. Just fixed small typo07:05
stevemarmorganfainberg, you caused my patch to go nuclear07:05
*** lhcheng has joined #openstack-keystone07:06
marekdmorganfainberg: stevemar so, how about enforcing "Federated" name in the code?07:07
marekddomain_name = CONF.federation.federated_domain or 'Federated'07:08
stevemarmarekd, what do you mean?07:08
openstackgerritDave Chen proposed openstack/keystone: Check token provider's configuration  https://review.openstack.org/14399007:08
morganfainbergoh if it's a None or ""07:08
morganfainbergyeah07:08
morganfainbergthat would be fine07:08
stevemarmarekd, it already defaults to that07:08
*** lhcheng has quit IRC07:08
stevemaroh07:08
marekdbut deeeeeeeeeeefaults in the CONF07:08
marekdso if you make conf with value ""07:08
stevemar:)07:08
morganfainbergmarekd, yeah good enhancement07:08
marekdit will use "" value07:08
morganfainbergand "" domain would be badddddd07:08
morganfainbergmmmmkay07:08
morganfainberg;)07:08
* marekd drugs are bad, mmmkay07:09
stevemarmarekd, since you already tossed the last patch, mind adding that bit?07:09
marekdstevemar: not at all.07:09
stevemaryou can bring back the constant in federation.core07:09
stevemarty sir07:09
marekdi think i will start coming to work earlier, so nice to meet alive people here :P07:09
marekdstevemar: not a problem at all, boss07:10
stevemarmorganfainberg, how can i give voice to marekd :P07:10
morganfainbergstevemar, only dolph and I can07:10
morganfainbergor the -infra team07:10
stevemarmorganfainberg, give the man some voice07:11
openstackgerritDave Chen proposed openstack/keystone: Remove local conf information from paste-ini  https://review.openstack.org/13412407:11
*** ChanServ sets mode: +v marekd07:11
stevemar\o/07:11
marekd\o/07:11
marekdtanks!07:11
marekdthanks!07:11
stevemari will also take any tanks you have07:11
marekdstevemar: you must have huge condo...or a parking spot.07:12
stevemarmorganfainberg, hey the timestamp spec doesn't have a bp07:13
marekdstevemar: you were off recently, right? Some public holiday or "just because" ?07:13
stevemarmarekd, just for today, public holiday "family day"07:13
stevemarbut since i have no children, i slept in til 1pm07:13
morganfainbergstevemar, if it's approved feel free to add the BP07:13
morganfainbergand target it07:14
morganfainbergbefore targeting be sure to set priority07:14
morganfainbergAND implementation status to whatever is correct07:14
morganfainbergif you try and target a BP w/o priority it'll auto untarget07:14
morganfainbergbecause of an awesome script ttx runs07:14
marekdLOL07:14
morganfainbergsince only cores can set priority07:15
morganfainbergit stops people from tagging BPs to random milestones07:15
stevemarmorganfainberg, done07:15
*** markvoelker has joined #openstack-keystone07:15
morganfainbergmarekd / stevemar, feel free to +A this https://review.openstack.org/#/c/156461/ once jenkins passes it07:16
marekdmorganfainberg: i am adding that enhancement now.07:17
*** dims__ has joined #openstack-keystone07:18
*** henrynash has joined #openstack-keystone07:20
*** ChanServ sets mode: +v henrynash07:20
*** markvoelker has quit IRC07:21
*** mzbik has joined #openstack-keystone07:21
*** dims__ has quit IRC07:23
morganfainbergmarekd, FYI, openstack proposal bot, feel free to single core +2/+A them as long as they aren't broken/breaking things07:23
morganfainbergthat'd be transifex and global req updates from the bot07:23
*** ChanServ changes topic to "High Priority Reviews: https://gist.github.com/dolph/651c6a1748f69637abd0 | Be ready to punt Kilo targeted specs, the "high priority" has been updated and looks scary now. | Reminder: Triage Bugs"07:24
morganfainbergmarekd, and if you need/want to update the channel topic: /msg chanserv topic #openstack-keystone <new topic>07:25
morganfainbergmarekd, all cores have access to do so07:25
marekdmorganfainberg: ok, thanks :-)07:26
morganfainbergstevemar, i've re-ordered the meeting topics a bit07:27
openstackgerritrajiv proposed openstack/python-keystoneclient: No keystone Endpoint now gives a valid Error Message  https://review.openstack.org/15526007:28
morganfainbergstevemar, just so there is the higher likelihood i'll be online by the time the SPFE topics come up07:28
stevemarmorganfainberg, cool07:28
*** stevemar has quit IRC07:38
*** marg7175 has quit IRC07:51
*** ncoghlan has quit IRC07:56
*** rm_work is now known as rm_work|away07:57
*** ajayaa has quit IRC08:06
*** fifieldt has joined #openstack-keystone08:09
*** chlong has quit IRC08:11
*** lhcheng has joined #openstack-keystone08:12
*** pnavarro|afk has joined #openstack-keystone08:16
*** markvoelker has joined #openstack-keystone08:17
*** markvoelker has quit IRC08:22
openstackgerritMarek Denis proposed openstack/keystone: Make federated domain configurable  https://review.openstack.org/15646108:23
*** pnavarro|afk has quit IRC08:25
*** pnavarro has joined #openstack-keystone08:26
openstackgerritMerged openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/15647608:27
*** ajayaa has joined #openstack-keystone08:27
marekdwanghong: thanks for the review08:37
marekdI am going to add new patch08:37
*** nellysmitt has joined #openstack-keystone08:42
*** ajayaa has quit IRC08:44
openstackgerritMarek Denis proposed openstack/keystone: Add ``service_providers`` in Service Catalog  https://review.openstack.org/15265908:44
*** lhcheng has quit IRC08:44
marekdwanghong: ^^08:46
*** nellysmitt has quit IRC08:46
*** nellysmitt has joined #openstack-keystone08:47
*** jistr has joined #openstack-keystone08:51
*** _cjones_ has joined #openstack-keystone08:54
openstackgerritMarek Denis proposed openstack/keystone-specs: Add ``service_catalog`` in /auth/catalog response.  https://review.openstack.org/15650908:55
*** DaveChen has quit IRC08:56
*** fifieldt has quit IRC08:56
*** ajayaa has joined #openstack-keystone08:57
*** _cjones_ has quit IRC08:58
*** karimb has joined #openstack-keystone09:00
*** markvoelker has joined #openstack-keystone09:18
*** aix has quit IRC09:21
*** ajayaa has quit IRC09:21
*** markvoelker has quit IRC09:23
*** avozza is now known as zz_avozza09:26
*** henrynash has quit IRC09:34
*** ajayaa has joined #openstack-keystone09:36
*** ajayaa has quit IRC09:43
*** karimb has quit IRC09:45
*** aix has joined #openstack-keystone09:48
*** marg7175 has joined #openstack-keystone09:51
*** zz_avozza is now known as avozza09:55
*** marg7175 has quit IRC09:56
*** arif-ali has joined #openstack-keystone10:00
*** aix has quit IRC10:05
*** avozza is now known as zz_avozza10:06
*** amakarov_away is now known as amakarov10:14
*** aix has joined #openstack-keystone10:17
*** henrynash has joined #openstack-keystone10:18
*** ChanServ sets mode: +v henrynash10:18
*** markvoelker has joined #openstack-keystone10:19
*** afazekas has joined #openstack-keystone10:23
*** markvoelker has quit IRC10:24
*** zz_avozza is now known as avozza10:26
*** wanghong has quit IRC10:30
*** krykowski has joined #openstack-keystone10:38
*** ajayaa has joined #openstack-keystone10:39
*** pnavarro has quit IRC10:41
*** henrynash has quit IRC10:56
*** pnavarro has joined #openstack-keystone11:09
*** ajayaa has quit IRC11:12
*** markvoelker has joined #openstack-keystone11:20
*** markvoelker has quit IRC11:25
*** ajayaa has joined #openstack-keystone11:30
*** dims__ has joined #openstack-keystone11:32
*** marg7175 has joined #openstack-keystone11:52
*** marg7175 has quit IRC11:58
*** krykowski has quit IRC11:58
*** krykowski has joined #openstack-keystone11:58
*** avozza is now known as zz_avozza12:14
*** marg7175 has joined #openstack-keystone12:17
*** markvoelker has joined #openstack-keystone12:21
*** markvoelker has quit IRC12:26
*** mzbik_ has joined #openstack-keystone12:31
*** mzbik has quit IRC12:33
*** MasterPiece has quit IRC12:36
*** pnavarro has quit IRC12:39
*** rushiagr is now known as rushiagr_away12:41
*** marg7175 has quit IRC12:44
*** marg7175 has joined #openstack-keystone12:44
*** markvoelker has joined #openstack-keystone12:52
openstackgerritMerged openstack/pycadf: cleanup documentation  https://review.openstack.org/15633312:54
*** henrynash has joined #openstack-keystone13:02
*** ChanServ sets mode: +v henrynash13:02
*** zz_avozza is now known as avozza13:05
*** avozza is now known as zz_avozza13:07
*** zz_avozza is now known as avozza13:15
*** gordc has joined #openstack-keystone13:34
*** bjornar has quit IRC13:36
*** ajayaa has quit IRC13:37
*** samueldmq has joined #openstack-keystone13:38
*** afazekas has quit IRC13:40
*** HenryG has left #openstack-keystone13:47
*** marg7175 has quit IRC13:48
*** radez_g0n3 is now known as radez13:56
samueldmqhenrynash, ping - I left some comments on the data-driven tests chain ...14:02
samueldmqhenrynash, nothing related to the approach itself, just minor corrections14:03
samueldmqhenrynash, I didn't know that approach but I did like it :)14:03
samueldmqhenrynash, complex test cases become really easy to understand14:03
henrynashsamueldmq: yep, thanks…have seen the comments - agree with them and will be uploading new patches14:04
*** avozza is now known as zz_avozza14:04
samueldmqhenrynash, great thanks14:05
openstackgerritKonstantin Maximov proposed openstack/keystone: Improved policy setting in the 'v3 filter' tests  https://review.openstack.org/15659714:05
*** ayoung has joined #openstack-keystone14:12
*** ChanServ sets mode: +v ayoung14:12
*** bknudson has joined #openstack-keystone14:20
*** ChanServ sets mode: +v bknudson14:20
*** joesavak has joined #openstack-keystone14:23
*** richm has joined #openstack-keystone14:24
*** pnavarro has joined #openstack-keystone14:29
*** rushiagr_away is now known as rushiagr14:37
*** ajayaa has joined #openstack-keystone14:38
*** mzbik_ has quit IRC14:40
*** zz_avozza is now known as avozza14:56
*** jaosorior has joined #openstack-keystone15:00
*** dims__ has quit IRC15:03
*** dims__ has joined #openstack-keystone15:04
*** dims__ has quit IRC15:04
*** dims__ has joined #openstack-keystone15:05
*** joesavak has quit IRC15:09
openstackgerritMatthew Treinish proposed openstack/keystone: Add oslo request id middleware to keystone paste pipeline  https://review.openstack.org/15590115:11
*** marg7175 has joined #openstack-keystone15:13
*** pnavarro has quit IRC15:15
*** marg7175 has quit IRC15:16
*** marg7175 has joined #openstack-keystone15:17
*** rm_work|away is now known as rm_work15:18
*** timcline has joined #openstack-keystone15:24
*** joesavak has joined #openstack-keystone15:25
*** carlosmarin has joined #openstack-keystone15:26
*** stevemar has joined #openstack-keystone15:28
*** ChanServ sets mode: +v stevemar15:28
*** pnavarro has joined #openstack-keystone15:38
morganfainbergmorganfainberg:15:40
ayoungmorganfainberg, did you just ping yourself?  Not in public, please...15:46
ayoungdolphm, does this not support what you want to do with AE tokens  https://cryptography.io/en/latest/fernet/  ?15:47
ayounghttps://cryptography.io/en/latest/hazmat/primitives/mac/hmac/  lbragstad   same question15:48
morganfainbergayoung:15:49
morganfainbergHah15:49
ayoungmorganfainberg, do you know why the KLWT impl was looking to use keyczar instead of cryptography.py?15:50
*** zzzeek has joined #openstack-keystone15:51
dolphmayoung: it's probably been since atlanta since i looked at that API, but yes i think so. albeit, lbragstad was seeing less overhead using signatures rather than encryption, so i was tempted to pursue signatures further15:51
*** rdo has quit IRC15:51
morganfainbergayoung: I thought cryptography would meet their needs.15:51
dolphmayoung: we'd also have to implement our own key persistence in that case15:51
dolphmmorganfainberg: lbragstad talked to redrobot about the use case; i imagine he would have pointed him to cryptography if it was a better alternative?15:52
morganfainbergBut I figure that question is part of the spfe bit for the meeting today15:52
morganfainbergdolphm: sure.15:52
ayoungdolphm, let's talk to the cryptography.py team.  I'm almost willing to carry the code in Keystone kind of like we would do with an Oslo approach:  make sure it works and don't hold up our development, then move it to the real library.15:52
dolphmmorganfainberg: ayoung: i'm certainly interested in trying an implementation using cryptography15:53
*** rdo has joined #openstack-keystone15:53
morganfainbergayoung: I think lbragstad did talk to them. I just wasn't paying attention to the convo. So I was planning to ask at the meeting today.15:53
morganfainbergdolphm: ^^15:53
dolphmmorganfainberg: they might have talked in meatspace, they sit right next to each other15:53
morganfainbergyeah. Some irc chatter happened too.15:54
morganfainbergBut like I said, wasn't really looking at it.15:54
*** r-daneel has joined #openstack-keystone15:54
dolphmmorganfainberg: ayoung: i have a few little things to knock out this morning, and i'll try to get a PoC going with cryptography before the meeting15:54
openstackgerritMarek Denis proposed openstack/keystone: Make user an object in mapping engine  https://review.openstack.org/15493415:55
openstackgerritMarek Denis proposed openstack/keystone: Authenticate local users via federated workflow.  https://review.openstack.org/15630815:55
*** marg7175 has quit IRC15:55
morganfainbergdolphm: sure. Even if not I told lbragstad to have a backup because key czar might not make the cut for global reqs. So spec amend might be needed anyway.15:55
ayoungdolphm, that is fine.  Also,  We should make the impl such that we can swap the signing mechanism.  I can see arguments for both symmetric and asym, and I'd like to be able to use either.  If the symmetric stuff gets held up, we can still support asym with the existing, and  move to symmetric as soon as we have a good solution.15:56
ayoungI think that symmetric will likely be the default most people want15:56
ayoungbut I think that will require us getting Kite up to speed for key sharing.15:57
dolphmmorganfainberg: i'm not a fan of keyczar's docs. i also opened a security-related bug with patch and it has sat for 4 days so far15:57
dolphmayoung: i don't see a reason to block a kilo implementation on flexibility we're not going to use in kilo though15:58
morganfainbergdolphm: it is lightly maintained at best. It also locks us into sha115:58
ayoungdolphm, yeah,  no reason to block...I'm  more concerned with making sure we have something that we can use15:58
morganfainbergdolphm: since it doesn't do more secure digests.15:58
ayoungI'm sorry if I came off as unsupportive15:58
ayoungI really like the idea.15:59
morganfainbergSo likely we need to either get fixes in *or* use something better long term.15:59
ayoungWe do have to be aware the adding crypto libraries is more of a burden to the distros than adding regular libraries.15:59
morganfainbergThe only big concern with keyczar is if we use it, and decide to change we have to potentially migrate the "repo".16:00
*** marg7175 has joined #openstack-keystone16:01
ayoungIf we need to drive work in a separate library, I'd rather focus efforts on cryptography.py16:01
morganfainbergAside from potential security / major bugs and lack of clear maintenance.16:01
morganfainbergayoung: I agree for sure on that front.16:01
*** marg7175 has quit IRC16:01
*** marg7175 has joined #openstack-keystone16:02
amakarovif we have crypto system pluggable why not use any or even all of them?16:02
ayoungmorganfainberg, let's see if nkinder is up (he's recovering from Pewmonia)  as this kind of key management is what the rest of his (my) team does.  We might be able to throw some weight behind getting a long term solution  ready16:03
ayoungamakarov, the issue, I think, is symmetric key storage16:03
ayoungamakarov, in SSL, the symmetric keys are kept in memory only.  If you are going to store a symmetric key for archival, there is a whole heavyweight handshake16:03
morganfainbergayoung: pyasn1 is interesting.16:04
ayoungamakarov, I'm not an expert on this, so I am not sure what the right answer is for persisting a symmetric key for sharing between Apache/WSGI  worker threads16:04
morganfainbergayoung: slightly related to crypto stuff.16:04
ayoungmorganfainberg, you mean as a message digest format?  Yeah.  It's more of a standard, but would be slightly more overhead than the message pack approach16:05
*** pnavarro has quit IRC16:05
morganfainbergNo the lib16:05
morganfainbergPyasn1 is a python lib.16:05
ayoungmorganfainberg, pyasn1  is for handling the asn1 format16:05
ayoungI can't claim to know it well, but I have worked with it in the CMS code16:05
morganfainbergRight was looking at it possibly for simplifying the OpenSSL call outs.16:05
morganfainbergSince PKI tokens aren't going away anytime soon.16:06
ayoungit's not so much crypto as it is a wire format for binary data16:06
lbragstadredrobot: seemed to suggest that as long as we are using digital signatures and a digest attached to the token, we should be fine16:06
ayoungmorganfainberg, so...yeah,  here is what I was originally thinking16:06
lbragstadcc dolphm ^16:06
ayoungwe get a pki token, undo the base64, then use pyasn1 to pull out the signing info.  With that, we could select which key to use for validation16:07
dolphmlbragstad: well then the only issue is that cryptography probably has better support behind it as a library than keyczar16:07
lbragstaddolphm: probably, but I wouldn't be able to say for sure16:07
dolphmlbragstad: do you have any changes you'd like to make that aren't already in review? i was going to take the latest patchset and convert it to use cryptography in the next couple hours16:07
lbragstadboth signing and encrypting seem to work well for what we're using it for16:08
lbragstaddolphm: tons16:08
lbragstadI'm working on the trust stuff right now...16:08
dolphmlbragstad: o16:08
lbragstadI had to do a refactor for the naming16:08
lbragstadso that touched everything16:08
morganfainbergayoung: so shared keys for Apache. There are three (good) ways you can do it - but it's a headache in all cases. We used one or two of them when I worked on CDN stuff. But in short the wsgi processes need to have access to the keys and so they either need to source them each time or the keys need to be file system accessible.16:08
dolphmlbragstad: i'll just make minimal changes in a separate review then16:08
*** marg7175 has quit IRC16:08
ayoungIdeally, I would like to be able to make all those same mechanisms work with the data inside the AE approach.  The only thing missing in the current KLWT spec is some way of identifying the signer, but I think I don't want to add that yet.  That would be a good add on for a later token format16:09
morganfainbergayoung: direct nss integration is one of them.16:09
lbragstaddolphm: I just need to add some tests for the trust case,16:09
ayoungSo use an nss database for the key?  Yeah, I figured that was one use case.  I'm guessing then that openssl has something comparable.16:09
morganfainbergayoung: afaik, not easily. But this was years ago.16:10
ayounghttp://stackoverflow.com/questions/10472697/how-can-i-save-a-encryption-key-securely-on-a-system-openssl-c16:11
ayounglet's see16:11
morganfainbergWe ended up using an ids run, tripwire, and stored keys in a selinux wrapped ram disk location that had triggers to dump the ram if the ids triggered, the cage was opened, the chassis was opened, etc16:11
morganfainbergayoung: ^^ because the alternatives got really icky. And we reran ids stuff a lot to ensure integrity.16:11
morganfainbergBut again, years ago.16:11
ayoungmorganfainberg, the ideal is a hardware security device, but NSS makes that abstraction fairly easy to work with.  I'm guessing that  openssl has had to do the same thing16:13
*** marg7175 has joined #openstack-keystone16:13
morganfainbergayoung: not really feasible for keystone since keystone doesn't control the OS. Though we could do the same thing Apache does - support a couple (basic) ways of getting keys and let the deployer solve it (even if the way most people deploy it is use root/limited access file system). Add in a simple way for someone to use say Barbican etc (plug point)16:14
dolphmlbragstad: i'm going to carry a patch on top of yours; no worries16:14
lbragstaddolphm: thanks!16:14
ayoungmorganfainberg, doesn't have to be the out-of-box solution, just has to be possible.  pkcs1116:14
ayounglooks like there are 3rd party libs for openssl pkcs11 support16:14
ayounghttp://blog.go-lan.net/openssl-hsm-integration/16:15
morganfainbergSure.16:15
* morganfainberg feels so dumb today.16:16
morganfainbergHad to change my flight because I left my prescription at home. Found out as I was getting my boarding pass to go through security.16:17
morganfainberg2hr drive home and a flight at 9pm tonight instead.16:17
amakarovmorganfainberg, please suggest me, what can I do to https://review.openstack.org/#/c/153307/ ? Am I to wait with this patch till we have functional testing or try to figure something out myself?16:23
morganfainbergamakarov: I was waiting to talk to you about that actually.16:24
*** my_rudzha_userna has joined #openstack-keystone16:24
my_rudzha_usernahello?16:24
my_rudzha_usernaif keystone.roles.grant doesn't add roles to users, then what does?16:24
morganfainbergThe patch looks good. Maybe we just need to mock a redis thing to make sure we aren't breaking the lock with changes in the future.16:25
morganfainbergamakarov: ^^. Any thoughts?16:25
amakarovmorganfainberg, I thought almost the same, the idea is to mock redis (or whatever is used as a backend) and make sure that nothing unexpected is called from it16:27
morganfainbergYeah. That is my only real concern. That we know if we broke what we're fixing win your fix for the lock.16:27
morganfainbergI don't expect to actually test redis until functional testing is in place.16:28
*** abhirc has quit IRC16:28
amakarovmorganfainberg, thanks, I'll proceed with it16:28
morganfainbergamakarov: sounds good. Like I said everything looks good there. Just want to make sure we don't regress. But wasn't sure of the best approach (which was why no negative score)16:29
*** marg7175 has quit IRC16:29
*** marg7175 has joined #openstack-keystone16:30
my_rudzha_usernahello?16:31
*** amerine has joined #openstack-keystone16:31
ayoungmy_rudzha_userna, it does add roles to users16:33
my_rudzha_usernano, it didn't for me16:33
ayoungmy_rudzha_userna, specifically, it assigns a role to a user in a project or in a domain16:33
ayoungmy_rudzha_userna, I would need more information to debug16:33
*** rudzha has joined #openstack-keystone16:38
rudzhahello?16:38
rudzhakeystone.roles.grant(role=role_id, user=user_id, project=proj_id)16:38
rudzhais how I pass it the parameters16:38
*** my_rudzha_userna is now known as my_openstack_use16:39
dolphmlbragstad: both TestStandardTokenFormatterWithEncryption and TestStandardTokenFormatterWithSigning use purpose='sign' !!16:39
my_openstack_usebitch16:40
lbragstaddolphm: I already fixed16:40
dolphmlbragstad: k16:40
dolphmlbragstad: you should, you know, push those changes back to gerrit ;)16:41
rudzhasorry, ignore that, colleague saw my pc unattended16:41
lbragstaddolphm: just wrapping up some tests16:41
dolphmrudzha: +1 for being security-minded16:41
dolphmlbragstad: also, i get 188 chars in test_encrypted_token_is_under_255_characters16:41
dolphmlbragstad: using cryptographer.fernet16:41
dolphmlbragstad: how does that compare to sign / encrypt with keyczar?16:42
lbragstaddolphm: checking16:42
lbragstaddolphm: http://pasteraw.com/lunvuh82rkaxrx722oooyf164jicwyr16:43
lbragstadthe first token prefixed with KLWT0016:43
lbragstadis an unscoped token16:44
lbragstadthe second, prefixed with KLWT01, is a token scoped with a trust16:44
ayoungmy_openstack_use, I'll give you benefit of the doubt that "bitch" was directed at your IRC client or something....16:45
ayoungah...heh16:45
*** Ephur has quit IRC16:46
*** blinky_ghost has joined #openstack-keystone16:46
rudzhaso about that user role granting, does it matter if the ids are unicode strings16:46
*** nellysmitt has quit IRC16:47
openstackgerritDolph Mathews proposed openstack/keystone: Use cryptography.fernet instead of python-keyczar  https://review.openstack.org/15665716:48
blinky_ghosthi all, can anybody explain me how "policy back-end" works in Keystone? Does it use SQL as backend to create rules of access or uses policy.json type files? Or am I confused? :) Thanks16:48
dolphmlbragstad: ayoung: morganfainberg: no persistence or key rotation is implemented, but there you go ^16:48
dolphmblinky_ghost: it's just a db-backed storage mechanism for policy.json-like policy blobs16:49
blinky_ghostdolphm: so I can save the policies on database or in the file, right?16:50
dolphmblinky_ghost: there's no business logic whatsoever, it's just write blob to database, read blob from database. it's designed to support policy.json or XACML or whatever your policy engine wants to read from a central store16:50
*** bknudson has quit IRC16:50
dolphmblinky_ghost: if you want to revise the oslo policy engine to pull policies from it, yes :) no one has upstreamed such a change AFAIK, but that's what it's intended to handle16:51
blinky_ghostdolphm: OK, cool thanks16:52
*** rwsu has joined #openstack-keystone16:52
samueldmqmorganfainberg, ping - would like to talk about keystone gsoc16:55
*** lhcheng has joined #openstack-keystone16:57
*** krykowski has quit IRC17:00
*** Guest31726 is now known as dank_17:01
redrobotlbragstad dolphm morganfainberg sorry I can't really jump into the conversation right now.  We're in the middle of our mid-cycle meetup right now.17:03
*** marg7175 has quit IRC17:04
dolphmredrobot: no worries, already have an implementation running with cryptography :)17:04
lbragstadredrobot: hope you're getting a lot done!17:04
openstackgerritMerged openstack/keystone: add missing API in docstring of EndpointFilterExtension  https://review.openstack.org/14918017:05
*** _cjones_ has joined #openstack-keystone17:10
openstackgerritLance Bragstad proposed openstack/keystone: Keystone Lightweight Tokens (KLWT)  https://review.openstack.org/14531717:13
lbragstaddolphm: tested and pep8'd ^17:13
*** amakarov is now known as amakarov_away17:17
*** marg7175 has joined #openstack-keystone17:19
*** ajayaa has quit IRC17:23
morganfainberglbragstad, i see a lot of code restructure that is needed for the KLWT from your POC17:24
*** jistr has quit IRC17:24
morganfainbergsamueldmq, sure let's talk post meeting17:24
lbragstadmorganfainberg: yeah, I agree with that17:24
ayoungdolphm, that looks about right.  Very cool17:24
stevemarjamielennox, ping for when you are up: this bp isn't targeted to anything: https://blueprints.launchpad.net/keystone/+spec/unscoped-catalog can you verify if it's complete and mark it as such, and associate it with k3 milestone17:25
morganfainberglbragstad, notably checking for the provider string to skip persistence stuff17:25
lbragstadyeah, still working it out17:25
morganfainberglbragstad, all of that needs to be shuffled so the provider can decide if it should call persistence, the manager shouldn't really care. but this is a good POC showing how it works17:25
*** rushiagr is now known as rushiagr_away17:29
ayoungso the baseline would be to store the sym key in a secure file, the way that we do with PKI.  The difference is that PKI we generate the key using a different user, and make sure that the key is readable by the keystone OS user, but probably not writable.  That scheme might work for lightweight,  but it depends on how often we need to or want to regenerate the key17:30
samueldmqmorganfainberg, great!17:30
morganfainbergayoung, something like that17:31
*** ljfisher has joined #openstack-keystone17:31
*** ajayaa has joined #openstack-keystone17:37
openstackgerritMarek Denis proposed openstack/keystone: Add ``service_providers`` in Service Catalog  https://review.openstack.org/15265917:37
marekdbreton: ^^17:37
*** rushiagr_away is now known as rushiagr17:37
*** tqtran has joined #openstack-keystone17:46
*** thedodd has joined #openstack-keystone17:46
bretonthank you, looking17:51
*** gyee has joined #openstack-keystone17:52
*** ChanServ sets mode: +v gyee17:52
*** topol has joined #openstack-keystone17:57
*** ChanServ sets mode: +v topol17:57
*** raildo has joined #openstack-keystone17:58
samueldmqhenrynash, ping - can you take a look at https://blueprints.launchpad.net/keystone/+spec/assignment-manager-cleanup17:58
samueldmqhenrynash, and then I will put it for non-spec status in the meetin17:59
samueldmqg17:59
*** bknudson has joined #openstack-keystone18:01
*** ChanServ sets mode: +v bknudson18:01
*** bernardo-silva has joined #openstack-keystone18:01
openstackgerritArvind Tiwari proposed openstack/keystone-specs: HMAC signature based token  https://review.openstack.org/15380318:04
*** abhirc has joined #openstack-keystone18:05
*** nellysmitt has joined #openstack-keystone18:06
openstackgerritArvind Tiwari proposed openstack/keystone-specs: HMAC signature based token  https://review.openstack.org/15380318:08
*** harlowja_away is now known as harlowja_18:10
*** bknudson has quit IRC18:14
*** bknudson has joined #openstack-keystone18:16
*** ChanServ sets mode: +v bknudson18:16
*** jbonjean has quit IRC18:16
*** jbonjean has joined #openstack-keystone18:17
*** thedodd has quit IRC18:18
*** jbonjean has quit IRC18:21
*** jbonjean has joined #openstack-keystone18:27
*** ajayaa has quit IRC18:30
*** topol has quit IRC18:36
*** pnavarro has joined #openstack-keystone18:37
openstackgerritDolph Mathews proposed openstack/keystone: Use cryptography.fernet instead of python-keyczar  https://review.openstack.org/15665718:39
*** spandhe has joined #openstack-keystone18:40
*** topol has joined #openstack-keystone18:40
*** ChanServ sets mode: +v topol18:40
*** devlaps has joined #openstack-keystone18:40
*** my_openstack_use has quit IRC18:43
*** jasondotstar has joined #openstack-keystone18:45
*** ljfisher has quit IRC18:46
*** devlaps has quit IRC18:49
*** tqtran has quit IRC18:55
anteayaI was passing by and couldn't pass up the opportunity to troll18:58
*** ljfisher has joined #openstack-keystone18:58
morganfainberganteaya, and troll you should!19:00
marekdjamielennox: this patch was eventually just a pure copy from ksc, right?19:01
stevemaranteaya, it was good19:01
stevemarbknudson, don't worry about your config option moving! i'm on that one19:01
ayoungmorganfainberg, ok,  here's the plan with access_info19:02
* morganfainberg moves config options when stevemar and bknudson aren't looking19:02
*** rushiagr is now known as rushiagr_away19:02
ayoungI'm going to submit the model code as a standalone patch, the tests and tie if for the client as a second one19:02
anteaya:)19:03
morganfainbergayoung, ++19:03
ayoungonly the first is needed for the keystone server side, and we can mark the client side model code as experimental19:03
morganfainbergayoung, perfect.19:03
morganfainbergayoung, should make it easier to review that way.19:03
jamielennoxmarekd: yes19:03
ayounggetting it to work with the tests relatively unscathed is, I think going to be necessary for  any sort of compatibility, so at least one more pass there before I split the patch19:03
ayoungmorganfainberg, do we need to still support diablo tokens in the client?19:04
morganfainbergayoung, uh. i want to say no, but... cc dolphm ^ thoughts?19:04
marekdjamielennox: and this can be treated as bug not bp ?19:05
jamielennoxmarekd: honestly i don't think it needs either - we are establishing the new repo with existing code, bug was on request19:06
marekdjamielennox: ok, i am +A19:06
ayoungmorganfainberg, one potential approach is that I can hack out V2 and earlier support in my code.  It means leaving around a larger portion of the existing code.  So only V3 tokens would make use of the unified access info19:06
morganfainbergi really wish we could only issue v3 tokens and have middleware do conversions19:07
morganfainbergbut... i don't think we can do that.19:07
ayoungmorganfainberg, I do have code that converts a V2.0 token to the unified access info, but we don't need to use it.19:08
ayoungI don't have something that will go access_info to V219:08
morganfainbergthat's the part we'd need19:09
*** ljfisher has quit IRC19:09
morganfainbergand only in 1 place really.19:09
ayoungand that might break things dependent on deep knowledge of the token response structure19:09
morganfainbergPOST to /v2.0/tokens19:09
ayoungthat can, I think, be a separate patch19:09
morganfainbergor GET on v2.0/tokens19:09
ayoungmorganfainberg, nah,  on the client side, it is more important19:09
morganfainbergno i meant in the case of having less cruft.19:10
ayoungright...that would need to be written anyway19:10
ayoungso....19:10
morganfainbergi'm ok with staging it19:10
morganfainbergv3 tokens first19:10
morganfainbergthen v219:10
ayoungthis patch will start with model.  On the client side, a second patch will use unified for V3tokens only19:10
ayoungthen we work on v2 token generation19:10
ayoungand we could unify based on that19:10
morganfainbergok i need to go get some coffee.19:12
morganfainbergsince i had to change my flight... things have been wonky19:13
marekdbon app19:13
*** samueldmq has quit IRC19:16
raildoayoung: So, we think in broke the reseller implementation in some patches, but the flow is something like: create the constraints ( block the creation of projects and domains whose name contain '/', block the creation of projects and domains whose parent name contain '/')19:16
raildoayoung: this is a ease work...19:16
ayoungsounds about right19:16
ayoungok...let me see if I can remember my thinking on domain is a project....19:16
ayoungfor reseller, it makes sense to have domain be an org boundary19:16
ayoungand a domain under a project that is not a domain was problematic19:17
*** abhirc has quit IRC19:17
raildoayoung: after that I'm working now to allow create a project with is_domain flag using the Project API... (I'm finishing this patch) and I'll send this tomorrow19:17
raildoayoung: right19:18
ayoungthe choices were, as recall, keeping domain in its own table of is_domain flag19:18
ayoungthe issue was the potential, and likely, conflict over naming19:18
ayoungright now the "RAILDO" domain can contain the "RAILDO" project19:18
raildoayoung: right...19:19
ayoungeven if we make an exception, the users will get confused19:19
raildoayoung: we just can't have both in the same level...19:19
ayoungI would argue that the intention above is for them to be the same thing, but we've already set the identifiers19:19
ayoungand I think changing the domain_id is probably a no-go19:20
*** openstackgerrit has quit IRC19:20
*** openstackgerrit has joined #openstack-keystone19:20
ayoungof all the things to modify, that is probably the safest, though....19:20
ayoungNow, are we saying that project name is unique throughout the domain, or just in one nesting level?19:21
*** abhirc has joined #openstack-keystone19:21
ayoungcuz if it is not unique, then we need to be able to refer to a project by its relative name:  in this case RAILDO/RAILDO19:21
*** ajayaa has joined #openstack-keystone19:22
raildoayoung: we can distinguish a project and a domain with the same name, in different levels..19:23
raildoayoung: but if in the same level, we can't distinguish to get a project scoped token using the Name...19:23
ayoungraildo, right19:24
raildoayoung: so, yes we can have something like RAILDO/RAILDO but not other brother RAILDO :P19:24
ayoungwhich will break people that are currently referring to their project as just RAILDO19:25
openstackgerritLance Bragstad proposed openstack/keystone-specs: Keystone Lightweight Tokens (KLWT)  https://review.openstack.org/13005019:25
*** jimbaker has quit IRC19:25
raildoayoung: yes... if you want to get a scoped token using the name, you need to pass the whole hierarchy name.19:26
raildoayoung: so after migrate the domains (your patch)  to the project table, we will change the domains operations in the drive, to referencing the project table...19:28
raildoayoung: and to finish this, we will create some API calls https://review.openstack.org/#/c/153007/19:29
ayoungraildo, so either we break things, or we do the domainid migration.19:29
ayoungwhich also breaks things19:29
raildoayoung: we will just remove the domain table, after the migration and with the domains calls working in the project table.... so we will not break things19:30
ayoungwhat if the domain name matches the project name?19:30
*** ljfisher has joined #openstack-keystone19:31
openstackgerritSteve Martinelli proposed openstack/keystone: Drop foreign key (domain_id) from user and group tables  https://review.openstack.org/15648819:32
openstackgerritMerged openstack/keystone: Make federated domain configurable  https://review.openstack.org/15646119:32
stevemar\o/19:33
raildoin the migration we don't have this problem because they are not in the same level, so after that we can't have a subdomain and a project in the same level.19:33
raildo(with the same name)...19:33
marekdjamielennox: re https://review.openstack.org/#/c/150627/6 , http://logs.openstack.org/27/150627/6/gate/gate-python-keystoneclient-federation-requirements/6bb7baf/console.html are we happy with changing requirements python-keystoneclient > 1.0.0. to 1.1.0 ?19:37
*** browne has joined #openstack-keystone19:37
*** blinky_ghost has quit IRC19:37
jamielennoxmarekd: oh - yea, that's not an issue19:37
jamielennoxmarekd: can fix that quickly19:37
marekdjamielennox: OK19:37
raildoayoung: so, for 2/24 I intend to have this implementation ready, we just have to create later the API calls, to list domains and projects using the parent_id... list projects using the "is_domain" flag, and now the recursive deletion19:38
raildoayoung: what do you think?19:38
openstackgerritJamie Lennox proposed openstack/python-keystoneclient-federation: Copy the existing federation plugins over.  https://review.openstack.org/15062719:39
jamielennoxmarekd: ^19:39
marekdjamielennox: yep, thanks.19:39
stevemarjamielennox, marekd +2d it19:40
stevemarthanks a lot jamielennox19:40
ayoungraildo, so if a domain has the same name as a project, and we do an operation by project name, we get the non-domain one?19:40
marekdstevemar: let's wait for jenkins and then +A19:42
stevemarmarekd, you can +A now, jenkins won't merge it19:43
marekdstevemar: ah, ok.19:43
raildoayoung: we are join the assignments type, right? so, you can get a token for project or domain scoped, for a project with the domain flag enabled, we are just not allow to have a sub-domain and a project in the same level with the same name to have a way to distinguish both.19:44
ayoungraildo, I'm aware that we can make it work mechanically.  I'm not certain that we can do it without confusing the hell out of end users19:45
marekdgyee, ayoung,stevemar: morganfainberg is there even a use case where ephemeral user is a member of non-federated domain?19:45
ayoungmorganfainberg, does this make sense:  if a domain has a project, and the project has the same name, assume that they are supposed to be the same thing, and migrate the domain ID to match the project ID?19:45
marekdi think not19:46
ayoungmarekd, I'd say yes19:46
ayoungmember means "assign a role in" and yes, that is a primary use case19:46
dstanekbknudson: when tests fail is there a way i can see the traceback if the output is larger than my scrollback buffer?19:46
raildoayoung: I think that we need to make this clear in the documentation. something like we put here: https://review.openstack.org/#/c/153007/2/api/v3/identity-api-v3.rst line 179119:46
bknudsondstanek: I don't know ... you can run failing tests again with --failing19:47
bknudsonI bet the output is in the .testrepository db somewhere19:47
ayoungstevemar, bknudson, same question I just asked  morganfainberg , does this make sense:  if a domain has a project, and the project has the same name, assume that they are supposed to be the same thing, and migrate the domain ID to match the project ID?19:47
dstanekbknudson: this change may have made it harder to run the tests - does nova actually use this?19:48
*** ljfisher has quit IRC19:49
bknudsondstanek: I copied it from nova -- http://git.openstack.org/cgit/openstack/nova/tree/tox.ini#n2119:49
*** ajayaa has quit IRC19:49
bknudsonalthough it's possible they make all sorts of changes.19:49
stevemarayoung, i dunno about that one... this is for making all domains a project?19:52
openstackgerritMarek Denis proposed openstack/keystone: Make user an object in mapping engine  https://review.openstack.org/15493419:58
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/15673819:59
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/15673919:59
raildostevemar: this is about migrating the domains to the project table... Imagine that now, we have a domain "sales" and inside this domain exists a project with the name "sales". In the spec we say that we will migrate this domain sales, creating a new project. So we will have Sales/Sales.19:59
raildoI don't see a huge problem with that, since the user knows (before that migration) that it exists...20:00
raildoThe user creates this, not us :P20:00
*** marg7175 has quit IRC20:00
bknudsondstanek: if the pretty_tox isn't working for us then we can revert the change... or work with nova to see if they're seeing the same problems20:00
stevemarraildo, but what if there were role assignments different between domain and project20:01
openstackgerritMerged openstack/python-keystoneclient-federation: Copy the existing federation plugins over.  https://review.openstack.org/15062720:03
raildostevemar: in the role assignment we don't differentiate between both. Since we have domain_admin and project_admin... you can use these roles to distinguish both in the policy. We can distinguish a domain and a project when the user requests a token.20:03
*** marg7175 has joined #openstack-keystone20:03
dstanekbknudson: is anyone else complaining for keystone? i usually don't use testr anyway so i'd be ok with leaving it as is if nobody else cares20:04
*** bernardo-silva has quit IRC20:06
bknudsondstanek: I haven't heard any other complaints... I haven't run into the issue you did... I just have a huge scrollback buffer.20:06
*** nellysmitt has quit IRC20:09
openstackgerritSteve Martinelli proposed openstack/keystone: Add CADF notifications for most resources  https://review.openstack.org/15113720:09
*** nellysmitt has joined #openstack-keystone20:12
stevemarhttps://review.openstack.org/#/c/155982/ << needs a +A from non-ibmer20:13
openstackgerritSteve Martinelli proposed openstack/keystone: Authenticate local users via federated workflow.  https://review.openstack.org/15630820:13
openstackgerritSteve Martinelli proposed openstack/keystone: Publicize region/endpoint/policy/service events  https://review.openstack.org/15177420:14
openstackgerritSteve Martinelli proposed openstack/keystone: Add CADF notification handling for policy/region/service/endpoint  https://review.openstack.org/15178620:14
openstackgerritSteve Martinelli proposed openstack/keystone: Add a test for create_domain in notifications  https://review.openstack.org/15179120:14
openstackgerritSteve Martinelli proposed openstack/keystone: Revamp the documentation surrounding notifications  https://review.openstack.org/12618020:15
*** _cjones_ has quit IRC20:16
*** _cjones_ has joined #openstack-keystone20:16
openstackgerritArvind Tiwari proposed openstack/keystone-specs: HMAC signature based token  https://review.openstack.org/15380320:23
openstackgerritDolph Mathews proposed openstack/keystone: Use cryptography.fernet instead of python-keyczar  https://review.openstack.org/15665720:26
*** ljfisher has joined #openstack-keystone20:35
openstackgerritLin Hua Cheng proposed openstack/keystone: Made project_id required for ec2 credential  https://review.openstack.org/15597420:40
*** haneef has joined #openstack-keystone20:40
*** ljfisher has quit IRC20:41
ayoungraildo, stevemar sorry...real world interrupt there.20:42
*** _cjones_ has quit IRC20:42
ayoungI'm wondering if we really need it, then.  Could we punt on domain is a project, if we are going to have to go through convolutions to make things clear to the end users anyway?20:43
ayoungThe reason for domain-is-a-project was to have a cut point in the hierarchy20:43
ayoungbut...if projects must be under domains, and domains can only be nested under domains, maybe the problem goes away20:44
ayoungI think that is probably the sanest approach:20:44
ayoungdomain can have a parent domain, user can only be in a domain, and domains contain projects. Doesn't that still meet all the requirements of the reseller case?20:45
openstackgerritLin Hua Cheng proposed openstack/keystone: Remove check_role_for_trust from sample policies  https://review.openstack.org/15676320:47
ayounglhcheng, should we maybe leave the public method there, and just have it call the private method?20:48
lhchengayoung, thought of not exposing more than what we need to. more flexibility for us if we need to change the signature later.20:51
ayounglhcheng, that is usually the case for new code, but in this case the function is already public...not that I would expect anything to call that, but...who knows20:51
lhchengayoung, you have a point...20:52
lhchengso change it to something like:20:52
lhchengdef check_role_for_trust(self, context, trust_id, role_id):20:52
lhcheng    return self._check_role_for_trust(context, trust_id, role_id)20:52
lhchengayoung, that works for you?20:52
ayoungyeah20:53
ayoungneeds to still have the policy wrapper too20:53
lhchengayoung, cool. Thanks for the review!20:53
lhchenggotcha20:53
ayoungraildo, let me review the requirements for reseller again, but I think we have a solution, at least partially.  There might be an issue with Quotas on the Nova side, if Nova doesn't have Domain level quotas, but I suspect they are going to want them anyway20:58
*** marg7175 has quit IRC20:59
raildoayoung: Nova folks are implementing nested quotas to cover our implementation...21:01
raildoayoung: I'm helping the guys with this implementation21:01
ayoungraildo, please join #openstack-nova21:02
raildook21:02
ayoungI'm discussing there...21:02
openstackgerritLin Hua Cheng proposed openstack/keystone: Remove check_role_for_trust from sample policies  https://review.openstack.org/15676321:02
*** ljfisher has joined #openstack-keystone21:05
*** _cjones_ has joined #openstack-keystone21:11
*** ljfisher has quit IRC21:13
raildoayoung: a project and a subproject (or a domain and a project) with the same name is ugly, I know it, but imo this is not a huge problem for now, we discussed this a lot during the spec, we found a lot of options and we decided to keep having a domain and a project with the same name.21:15
ayoungraildo, ok...I'm cautiously optimistic then.21:16
*** drjones has joined #openstack-keystone21:16
*** _cjones_ has quit IRC21:16
ayoungI think for the Quota sake we need to unify, so let's drive on.  But can you point me to a link where the conversation is summarized, or put it in an etherpad or something21:16
raildoayoung: hahaha you will be more optimistic, I believe in that!21:16
ayoungraildo, I  need to be able to point other people at it21:17
raildoayoung: a link with this conversation about having a domain and a project with the same name?21:18
ayoungand how to deal with the clash, or why it doesn't matter, yes21:18
openstackgerrithenry-nash proposed openstack/keystone: Add support for effective & inherited mode in data driven tests  https://review.openstack.org/15162321:18
ayoungraildo, it can be a pointer and time hack for the conversation in IRC.  They are all in eavesdrop21:18
raildoayoung: ok, I'll take a look in the conversation logs21:18
ayoungthanks...I'm in a meeting for the next 40 minutes or so...talk to you after that21:19
raildoayoung: I have to go now, later I'll send this to you.21:20
ayoung++21:20
raildoit's carnival here, I need to stay a little with my family hahaha21:20
*** aix has quit IRC21:20
lhchengfor triaging and setting priority on bugs, does it have to be core to do that?21:22
*** raildo has quit IRC21:22
ayoungstevemar, Domains for federated users....you actively working on that?  I don't remember seeing it in today's meeting, and I'm about to be grilled on it21:22
stevemarayoung, that was merged just before the meeting21:23
ayoungstevemar, you just made me look good.  First beers on me21:23
*** marg7175 has joined #openstack-keystone21:23
*** marg7175 has quit IRC21:24
stevemarayoung, it'll default to "Federated" but we made it a config option just in case21:24
stevemarin case a deployer already has a domain named federated21:24
*** marg7175 has joined #openstack-keystone21:24
*** marg7175 has quit IRC21:24
ayoungand we can map a user to an existing user in a different domain, or that is a different patch and deferred to LizardLoze?21:24
*** marg7175 has joined #openstack-keystone21:25
*** nellysmitt has quit IRC21:25
morganfainbergayoung, that is related to this21:25
morganfainbergayoung, but a separate patch.. i think it should land in kilo iirc21:25
ayoungso what we have now is just that Federated users by default go into the Federated domain21:26
ayoungand the other...outstanding patch on it?21:26
*** drjones has quit IRC21:31
morganfainbergayoung, marekd is working on it. it's part of the same spec21:31
morganfainbergthe one we discussed at the midcycle21:31
*** _cjones_ has joined #openstack-keystone21:31
morganfainbergayoung, iirc. but i'd need to go chase it down to be sure.21:31
* morganfainberg is in meeting atm.21:31
stevemarayoung, yes, you have the right info21:33
stevemarthis is the patch to authenticate local users https://review.openstack.org/#/c/154934/21:33
stevemarand this one... https://review.openstack.org/#/c/156308/21:34
stevemarbut those should be the last pieces to the puzzle21:34
morganfainbergstevemar, thanks.21:34
stevemarnp21:34
openstackgerritSteve Martinelli proposed openstack/keystone: Get initiator from manager and send to controller  https://review.openstack.org/15566021:37
openstackgerritSteve Martinelli proposed openstack/keystone: Add CADF notifications for trusts  https://review.openstack.org/15186721:39
*** rm_work is now known as rm_work|away21:44
openstackgerritSteve Martinelli proposed openstack/keystone: Update sample config file  https://review.openstack.org/15678621:46
stevemareasy peasy ^21:46
stevemaralso easy peasy: https://review.openstack.org/#/c/154783/21:47
*** zzzeek has quit IRC21:51
dstanekstevemar: are we allowed to modify the config file now?21:54
stevemardstanek, it's fine to do it in spurts, just *not* part of a patch21:55
stevemarit should ideally be the only change in a patch21:55
stevemarso it doesn't cause rebase issues21:55
*** gyee has quit IRC21:55
stevemari think it's especially important after adopting an oslo library :) to make sure we don't lose any options21:56
dstanekstevemar: cool, i didn't know that21:56
dstanekhmmm...or maybe i did - it appears to be in my notes, but apparently not in my head21:57
stevemardstanek, reset the router between notes and head21:58
stevemar:)21:58
*** bknudson has quit IRC22:00
ayoungmorganfainberg, please release Kerberos!22:05
ayoungLet slip the dogs of....Hades?22:05
morganfainbergI said it would happen today.22:05
*** joesavak has quit IRC22:07
richmjust drink from the river Lethe . . .22:08
*** henrynash has quit IRC22:13
openstackgerritSteve Martinelli proposed openstack/keystone: Add WebSSO support for federation  https://review.openstack.org/13617722:14
*** henrynash has joined #openstack-keystone22:14
*** ChanServ sets mode: +v henrynash22:14
stevemarmarekd, ^22:14
stevemarrodrigods, ayoung could either take a look at: https://review.openstack.org/#/c/156404 and https://review.openstack.org/#/c/156405 they should be the last 2 patches for policy22:17
morganfainbergayoung, jamielennox, python-keystoneclient-kerberos 0.1.0 has been tagged22:17
morganfainberglet me know if there are any issues22:17
ayoungTYVM!22:17
ayoungstevemar, looking22:18
stevemarayoung, they are super minor, but we're just really ironing out everything before tag/release anything22:18
ayoungElide to skip....oh come on!22:18
stevemarayoung, oh wow, that's a word22:19
ayoungYes it is.  Yes it is.22:19
ayoungjson to JSON22:19
ayoungOK.22:19
ayoungThink I can get behind that one22:19
stevemari did it mostly for the elide one, i thought it was slide haha22:19
ayoung+2A on that22:19
ayoungit is ok.  If you thought that, others would too.  Maybe it is not a word in Canada22:20
openstackgerritMerged openstack/keystone: Updated from global requirements  https://review.openstack.org/15673822:21
stevemarayoung, i'm totally going to start using elide in everyday scenarios22:21
*** ljfisher has joined #openstack-keystone22:21
stevemarjust to see how many people will look at me funny (more so than usual)22:21
ayoung+2 A on the quotes one22:22
ayoungstevemar, ...22:22
*** jimbaker has joined #openstack-keystone22:23
stevemar:D22:23
stevemarayoung, i'm making bknudson proud22:24
stevemarhenrynash, around?22:28
stevemarhenrynash, nopeee, i'll email you22:29
*** utahcon has quit IRC22:36
henrynashstevemar: yes22:37
*** zzzeek has joined #openstack-keystone22:37
henrynashstevemar: even you22:37
stevemarhenrynash, just emailed you :D22:37
henrynashok22:38
openstackgerritDoug Hellmann proposed openstack/oslo.policy: Create the temporary files needed for tests  https://review.openstack.org/15681122:44
openstackgerritDoug Hellmann proposed openstack/oslo.policy: Change default set of tox environments  https://review.openstack.org/15681222:44
openstackgerritDoug Hellmann proposed openstack/oslo.policy: Fix i18n imports  https://review.openstack.org/15681322:44
*** bknudson has joined #openstack-keystone22:48
*** ChanServ sets mode: +v bknudson22:48
*** gyee has joined #openstack-keystone22:49
*** ChanServ sets mode: +v gyee22:49
openstackgerritLance Bragstad proposed openstack/keystone: Keystone Lightweight Tokens (KLWT)  https://review.openstack.org/14531723:01
*** pnavarro has quit IRC23:02
stevemarah %^&*23:03
stevemaroslo.log broke the build :(23:03
stevemarhttp://logs.openstack.org/77/136177/22/check/check-tempest-dsvm-postgres-full/b415cc4/logs/screen-key.txt.gz#_2015-02-17_22_28_58_16723:03
stevemari think merging this will fix it: https://review.openstack.org/#/c/154783/23:03
openstackgerritLin Hua Cheng proposed openstack/keystone: Remove check_role_for_trust from sample policies  https://review.openstack.org/15676323:04
openstackgerritMerged openstack/oslo.policy: Use single quotes consistently  https://review.openstack.org/15640423:04
openstackgerritMerged openstack/oslo.policy: Fix minor spelling issues in oslo.policy  https://review.openstack.org/15640523:04
stevemarfalse alarm :) my patch is calling out "from keystone.openstack.common import log"23:06
stevemarso anyone else's patch now calling "from keystone.openstack.common import log" will fail23:06
bknudsonstevemar: build is not broken?23:06
stevemarbknudson, no, just any patch that called out the incubated log will fail to build23:07
bknudsonstevemar: good.23:07
stevemarbknudson, that's what i said after analyzing it :P23:07
*** thedodd has joined #openstack-keystone23:07
openstackgerritSteve Martinelli proposed openstack/keystone: Add WebSSO support for federation  https://review.openstack.org/13617723:08
*** chlong has joined #openstack-keystone23:08
stevemarbknudson, if you are feeling up to the task: https://review.openstack.org/#/c/154783/23:09
openstackgerrithenry-nash proposed openstack/keystone: Move backend LDAP role testing to the new backend testing module  https://review.openstack.org/15683023:12
openstackgerrithenry-nash proposed openstack/keystone: Move backend LDAP role testing to the new backend testing module  https://review.openstack.org/15683023:16
*** topol has quit IRC23:17
*** timcline has quit IRC23:21
openstackgerrithenry-nash proposed openstack/keystone: Move backend LDAP role testing to the new backend testing module  https://review.openstack.org/15683023:21
*** ljfisher has quit IRC23:22
*** gordc has quit IRC23:26
openstackgerritDoug Hellmann proposed openstack/oslo.policy: Fix i18n imports  https://review.openstack.org/15681323:27
openstackgerritDoug Hellmann proposed openstack/oslo.policy: Change default set of tox environments  https://review.openstack.org/15681223:28
openstackgerritDoug Hellmann proposed openstack/oslo.policy: Create the temporary files needed for tests  https://review.openstack.org/15681123:28
openstackgerritDoug Hellmann proposed openstack/oslo.policy: Update comments about tox configuration  https://review.openstack.org/15683623:28
*** ljfisher has joined #openstack-keystone23:28
*** deep has joined #openstack-keystone23:29
*** deep has quit IRC23:30
openstackgerrithenry-nash proposed openstack/keystone: Remove duplicated test for get_role  https://review.openstack.org/15684023:32
*** marg7175 has quit IRC23:39
*** _cjones_ has quit IRC23:50
openstackgerritArvind Tiwari proposed openstack/keystone-specs: HMAC signature based token  https://review.openstack.org/15380323:52
*** darrenc is now known as darrenc_afk23:52
*** _cjones_ has joined #openstack-keystone23:53
*** abhirc has quit IRC23:53
*** timcline has joined #openstack-keystone23:57
*** darrenc_afk is now known as darrenc23:59
