Friday, 2015-03-20

*** raildo has quit IRC00:20
*** stevemar has joined #openstack-keystone00:23
*** ChanServ sets mode: +v stevemar00:23
*** mhu has quit IRC00:27
*** mhu has joined #openstack-keystone00:28
*** markvoelker has quit IRC00:37
*** _cjones_ has quit IRC00:41
stevemargyee, around?00:46
*** ncoghlan has joined #openstack-keystone00:46
gyeestevemar, yes sir00:47
gyeefound the issue00:47
stevemargyee, yeah, thanks for that, i initially dismissed that prefix00:47
gyeeI think we'll need to make relaystate part of service_provider00:47
stevemardid you try it out?00:47
gyeestevemar, yes00:47
stevemaroh okay, i was going to ask if you wanted me to put up a new patch so you could try it out00:48
gyeeI changed text='ss:mem:' + uuid.uuid4().hex00:48
gyeeand it works fine00:48
stevemargyee, so just another attribute for sp_ref, which can be nullable... new column for sql00:48
gyeeright00:48
gyeeif it's null assuming relaystate is configured as 'cookie' at the SP side00:49
stevemarthen when we do the lookup for token -> ecp, we can fetch the sp_ref00:49
gyeeright00:49
stevemargyee, okay, that shouldn't be hard at all00:50
gyeestevemar, thanks, that's good work!00:50
gyeewe need that ecp patch00:50
gyeemake it much easier on the clients00:50
stevemargyee, i was also wondering.... whats the deal with the samlec:GeneratedKey value in rodrigos stuff00:50
stevemarhttp://paste.openstack.org/show/193677/00:50
gyeestevemar, I don't know, I haven't looked into that one00:50
gyeelooks like your patch works with it00:51
stevemargyee, the pysaml2 library doesn't seem to have much support for that one00:51
stevemari didn't include it in the patch at all00:51
gyeestevemar, don't worry about it for now, I don't think we need it00:51
stevemaryeah00:51
stevemarokay, i'll make a new patch for the new attribute00:51
gyeethanks!00:51
*** bknudson has joined #openstack-keystone00:51
*** ChanServ sets mode: +v bknudson00:51
stevemari was thinking about setting it on the idp keystone side, but that won't make sense00:51
gyeewe can't00:52
gyeebecause we support multiple SPs00:52
gyeeso relaystate could be different from SP to SP00:52
*** edmondsw has quit IRC01:01
*** dims has joined #openstack-keystone01:08
stevemaryah, good point01:10
*** diegows has quit IRC01:11
*** markvoelker has joined #openstack-keystone01:17
*** iamjarvo has quit IRC01:20
*** iamjarvo has joined #openstack-keystone01:21
*** iamjarvo has quit IRC01:22
*** markvoelker has quit IRC01:22
*** iamjarvo has joined #openstack-keystone01:22
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Change auth_token to use keystoneclient  https://review.openstack.org/14424801:26
jamielennoxbknudson: when you get some time i'd appreciate thoughts on this middleware spec: https://review.openstack.org/#/c/164582/01:27
jamielennoxgyee: stevemar, morganfainberg: as well^01:30
bknudsonjamielennox: if we have x509 for service -> keystone then there isn't a service token.01:30
jamielennoxbknudson: right, was talking to gyee about that - and the only answer i've got is "it's not a compulsory field"01:30
jamielennoxif there is no token then you can't have a service token01:30
jamielennoxbut i think long term with policy we'll want that01:31
bknudsony... wonder how we could solve that?01:31
jamielennoxbecause service tokens is how swift, barbican and i think others will eventually handle dual ownership situations01:31
jamielennoxi know other services have this problem, i can't remember the details01:31
bknudsonwe also have to ensure somehow that the service token isn't expired... how do we do that?01:32
jamielennoxbut where a service creates a resource on behalf of a user01:32
jamielennoxbknudson: so that one should be ok, because a plugin will re-authenticate as required, so whether that happens in auth_token or .get_token() doesn't get called until later that's ok01:33
jamielennoxand a service-token should never be forwarded so it's only got to last for this one request01:33
jamielennoxi'm excited that it could make token binding feasible again01:33
openstackgerritMerged openstack/python-keystoneclient: Deprecate keystone CLI  https://review.openstack.org/16566901:34
bknudsonjamielennox: I got a request from dims to put Nova's RequestContext processing into middleware -- https://github.com/openstack/nova/blob/master/nova/api/auth.py#L11101:36
jamielennoxthe point is though that i want the plugin that middleware passes down to services to be consumed, that should be how service->service communication happens - is it reasonable to do all this on behalf of a service?01:36
jamielennoxbknudson: excellent! i'm working towards that01:36
bknudsonis the plugin consumed already?01:36
bknudsonwe don't need to wait for this for the plugin to be used?01:37
* dims waves01:37
jamielennoxi want https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/_user_plugin.py#L109 and context to be synonymous01:37
jamielennoxyou can construct a context directly from the plugin, you can construct a plugin from the context01:37
jamielennoxwhat i'm really missing there is the ability to serialize that plugin01:38
bknudsonthe NovaKeystoneContext ? or something else?01:38
bknudsonI mean the context.RequestContext01:38
bknudsonthis is actually from, oh, it's nova.context...01:39
jamielennoxwell most of context is shuffling around auth information, if we have the plugin available then we don't need to reach for headers or anything we can construct directly from the plugin01:39
bknudsonbut I guess there's an oslo context, too?01:39
jamielennoxthere is, it's thankfully fairly limited01:39
bknudsonit's used for oslo.policy... the request context.01:39
jamielennoxand it's used for oslo.messaging which is why they had to extract a common library01:40
jamielennoxi'm hoping the plugin and oslo.context can deeply integrate01:40
bknudsonin the call to "def enforce(self, rule, target, creds, do_raise=False,"01:41
bknudsonI guess the context would be the creds.01:41
jamielennoxthis is largely why i want the g-r bump for middleware for kilo, so for liberty we can start relying on the plugin being available01:41
jamielennoxbknudson: the plugin can be the creds, probably not the context01:41
bknudsonwell, the creds is going to need more than just the user?01:42
jamielennoxif the plugin is the creds then keystone owns both the inputs and the processing for policy - which is what i want01:42
*** samueldmq has quit IRC01:42
bknudsoninteresting.01:42
bknudsonyou need to blog this stuff.01:42
jamielennoxit has all this:  https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/_user_plugin.py#L16 for both user and the service token if available01:43
jamielennoxyea, i always find it weird blogging ideas - i'm happy to write it all up at the end so people can use it, but the ideas don't always work out then there's bad info people can find01:43
bknudsonso you were planning to update policy to take the plugin, or change the plugin to be a dict so it can be used with policy?01:44
jamielennoxi think for compatibility it will be a case of having helper functions for both01:45
jamielennoxso oslo.policy will have enforce_from_plugin or something01:45
bknudsonthere's nothing weird in nova's RequestContext that isn't in the plugin you pointed to.01:45
jamielennoxand plugin will probably have a .to_policy_dict() function or something01:46
*** harlowja_ is now known as harlowja_away01:46
bknudsonand it's already got the user_auth_plugin.01:46
jamielennoxthat's probably best handled from policy itself actually01:46
jamielennoxbknudson: i've been working towards this for a while :)01:46
bknudsonso what's the point of oslo.context ?01:47
jamielennoxbknudson: i talked to dhellmann about stopping it01:47
bknudsonlol01:47
jamielennoxhowever oslo.messaging relies heavily on a context as does logging01:47
*** browne has quit IRC01:48
jamielennoxa context dict is deeply ingrained in how RPC works01:48
bknudson.to_dict01:48
bknudson... why not just support __item__?01:48
jamielennoxso context will hopefully have a plugin object and i can hook it plugin serialization in to_dict01:48
bknudsonor whatever it is. I'm no expert.01:49
jamielennoxlots of this is historical01:49
bknudsonyou need to work together with dims and others pushing oslo.context.01:50
jamielennoxcontext being an actual dict is a requirement in odd places01:50
bknudsonalthough seems like they're both moving things in the right direction at least.01:50
jamielennoxbknudson: yep, nova, neutron, heat and glance all have some form of context_to_plugin function01:50
jamielennoxjust the context is different in all those places so it's not the same01:51
bknudsonjamielennox: so you don't want keystonemiddleware to provide an oslo.context RequestContext, too?01:51
*** iamjarvo has quit IRC01:52
jamielennoxevery service currently has some form of customization on the standard context object01:52
jamielennoxi think that's too hard a battle initially01:52
bknudsondims will fight that battle with you.01:52
bknudsonactually, it's only dhellmann that has commits to oslo.context.01:52
jamielennoxif we push plugin <-> context interop then we will get most of the way there over the next cycle or two, then look at having a single context01:53
dimsbknudson: i switched nova to fully adopt oslo_context's RequestContext01:53
bknudsondims: where?01:53
jamielennoxdims: oslo_context's context is really basic though01:53
dimssee nova.context01:53
jamielennoxactually it contains a lot of stuff i wish would die, but it doesn't have any auth data01:53
bknudsonhttps://github.com/openstack/nova/blob/master/nova/context.py01:54
dimsy01:54
bknudsongot their own plugin.01:54
bknudsonclass RequestContext(context.RequestContext):01:55
dimsy01:55
jamielennoxnooooo, they added some auth data to oslo.context01:55
jamielennoxwtf do they care about project_domain for ....01:55
bknudsonyou knew it was going to happen!01:55
*** _cjones_ has joined #openstack-keystone01:56
*** _cjones_ has quit IRC01:56
jamielennoxlast i spoke i still didn't have enough pieces in place to really have an alternative though01:56
jamielennoxi'm kind of only just there now01:56
dimsoslo context needs it so that i can store info needed by oslo.log01:56
bknudsonso nova is going to extend context.RequestContext its way and neutron is going to extend context.RequestContext for what it needs.01:57
dimsin the default formats01:57
bknudsonjamielennox: that doesn't sound like it's getting closer to your dream, really.01:57
*** tqtran has quit IRC01:58
bknudsontoo much inheritance.01:58
dimswhat did you have in mind jamielennox?01:58
bknudsonnova sure has a lot of stuff in its context... way more than a user plugin!01:59
jamielennoxbknudson: right01:59
jamielennoxdims: so you have a basic understanding of what we're trying to do with auth plugins?01:59
bknudson'instance_lock_checked' ??01:59
bknudsonI can put that in my policy... instance_lock_checked: true02:00
dimsjamielennox: no, honestly02:00
jamielennoxergh - yea they're throwing all this info at policy as well so i can't override the context there02:00
bknudsonsounds like a summit jamboree.02:00
jamielennoxdims: np, essentially we have too many credential types now, we have a session object which does transport and we have an auth plugin which handles everything auth related02:01
dimsjamielennox: all i want was that nova should not have to figure out which http header etc which ones are deprecated or not etc02:01
jamielennoxso services are transparent to the actual auth being used02:01
dimsok02:01
jamielennoxfor service->service communication we pass down an auth plugin out of auth_token middleware, so same story, all you do when communicating to another service is use that plugin and all the setting of headers is done for you02:02
dimsok02:03
bknudsonif middleware generates a context.RequestContext, how is that going to turn into a nova RequestContext? pull it apart and put it back together?02:03
bknudsonor do you want nova to pass in the factory function to auth_token?02:03
dimsbknudson: i could pass a class which you can pass args, kwargs02:03
bknudsonright.02:03
dimsy02:03
jamielennoxthat plugin we pass down is essentially the total of all the ENV headers that auth_token used to pass and the services would rebuild into a context - so my argument is that essentially they are the same thing, with the addition of whatever service considers unique to their context02:04
bknudsonhow is the service going to add stuff to the plugin?02:04
jamielennoxbknudson: right, which is why i can't see how auth_token could hand down a context, and i'm looking at how to build a context from a plugin and vice versa02:05
jamielennoxplugin and context are going to have to be complementary02:05
bknudsonit's not composition or inheritance? they have to be convertible?02:05
dimsjamielennox: if you can show me how you can build a oslo.RequestContext from it, i can come up with ideas on to build a nova.RequestContext from it :)02:06
dimsover a period of time we can get rid of nova.RequestContext02:06
dimsit's just a crutch right now because of lack of time02:07
bknudsonif the service is passing in a function, then it could create whatever it wants... this is essentially just changing the env vars to function args.02:07
bknudsonauth_token doesn't care what the function generates.02:07
bknudsonand we could handle that by just providing a utility in middleware that takes the env and calls a function.02:08
bknudsonwell, maybe it's easier to handle in middleware anyways.02:08
bknudsonjust doesn't seem to be buying much.02:09
jamielennoxbknudson: you need to implement the right interface for a plugin, i think it's ok for them to be separate options02:09
jamielennoxs/options/objects02:10
bknudsonwe've got to_dict to make the context serializable?02:11
bknudsonit needs to be sent over rpc?02:11
jamielennoxyes02:11
jamielennoxwe don't have plugin .to_dict though is the big stopper at the moment02:11
bknudsonyou don't want your plugin to be sent over rpc? what's the point of that?02:11
jamielennoxi do want02:12
jamielennoxit's just not written yet02:12
bknudsonso someone sends a token to nova-api, they send it to nova-compute or scheduler and it can ... make a request as the user?02:12
jamielennoxi was trying to write it as part of ksc, then the ksm plugin could do something standard - but generic serialization is hard02:12
jamielennoxbknudson: it does now02:12
bknudsonfor what?02:12
jamielennoxtalk to glance, cinder, neutron02:13
jamielennoxn-api tells compute to start a machine, compute asks for volumes and images etc all using the user token02:13
bknudsonwow... I guess that makes sense.02:13
*** sigmavirus24 is now known as sigmavirus24_awa02:14
jamielennoxbknudson: openstack security is.. interesting02:14
bknudsonhow were you going to make an auth plugin serializable? to_dict?02:14
jamielennoxessentially02:14
bknudsonthis means that everything in a plugin needs to be serializable too.02:14
dimsto_dict / from_dict02:14
jamielennoxthe problem is there are competing needs for plugin serialization02:14
dimsRequestContext has both02:14
jamielennoxOSC has been wanting it for ages so that it can cache tokens between requests02:15
bknudsona token plugin is easy enough.02:15
jamielennoxi have some POC stuff up for review02:15
bknudsonI mean serializing a plugin that all it has is a token02:15
bknudsonbut I'm worried that there's some type of plugin where serializing won't make any sense.02:15
jamielennoxkind of, they have here is all the cred data, then generate a unique id from that and if it matches what i have in cache then load up the AccessInfo object02:16
jamielennoxand other plugins i expect you never want to serialize sensitive data02:16
jamielennoxso yes, doing this generically is why it's not done yet02:16
bknudsonis it really only this UserAuthPlugin that needs to be serializable to begin with?02:17
jamielennoxfor where i want to go with policy and context i think i just need UserAuthPlugin, OSC needs general, i just don't want to end up with something incompatible between the two02:17
*** markvoelker has joined #openstack-keystone02:18
bknudsonif it's just to_dict/from_dict that's going to be compatible...02:18
*** erkules_ has joined #openstack-keystone02:19
bknudsonand osc can getattr('to_dict') to find out if it's serializable.02:19
*** erkules has quit IRC02:21
*** browne has joined #openstack-keystone02:21
bknudsonDepends-On worked! https://review.openstack.org/#/c/131435/02:22
*** markvoelker has quit IRC02:22
openstackgerritSteve Martinelli proposed openstack/keystone: Add relay_state_prefix to Service Provider  https://review.openstack.org/16607802:25
*** lhcheng has joined #openstack-keystone02:26
ayoungjamielennox, done02:27
jamielennoxbknudson: i have https://review.openstack.org/#/c/149175/ for OSC and https://review.openstack.org/#/c/113163/ for general - both WIP - i'm just looking for some way to combine the two02:28
jamielennoxand preferably without adding a hundred new methods to plugins (though that's not really a problem)02:28
jamielennoxayoung: cool, thanks02:29
jamielennoxayoung: i've got one review left for DOA... i think it will make kilo02:31
*** jamielennox is now known as jamielennox|lunc02:32
*** jamielennox|lunc is now known as jamielennox|food02:32
morganfainbergWow. Being on central time makes lots of stuff happen while I'm getting food.02:34
stevemarmorganfainberg, where you at now?02:36
morganfainbergAustin02:36
stevemarmorganfainberg, sounds like fun02:37
openstackgerritayoung proposed openstack/oslo.policy: Convert Exceptions to failures.  https://review.openstack.org/16590802:37
morganfainbergstevemar: always02:37
stevemarmorganfainberg, we might need an FFE for the ecp stuff, it involves an API change :(02:38
stevemara minor one... but one nonetheless02:38
morganfainbergstevemar: doh!02:50
morganfainbergstevemar: :(. Did I -2 those? I think I did.02:51
morganfainbergstevemar: anyway. Yeah.02:51
openstackgerritSteve Martinelli proposed openstack/keystone: Add API to create ecp wrapped saml assertion  https://review.openstack.org/16286602:58
*** greghaynes has quit IRC02:58
stevemargyee, ^^02:59
openstackgerritSteve Martinelli proposed openstack/keystone: Add API to create ecp wrapped saml assertion  https://review.openstack.org/16286603:01
*** jamielennox|food is now known as jamielennox03:01
gyeestevemar, jamielennox, ack03:05
gyeecode review night for me03:05
jamielennoxhmm, load up gyee with reviews...03:05
gyees/review/coffee/03:05
*** greghaynes has joined #openstack-keystone03:06
stevemarrichm, the remote_id stuff is in progress https://review.openstack.org/#/c/161302/03:06
stevemarsmacked down your osc bug03:06
*** davechen has joined #openstack-keystone03:12
openstackgerritMerged openstack/keystonemiddleware: Rename requests mock object in testing  https://review.openstack.org/16456503:14
openstackgerritSteve Martinelli proposed openstack/keystone-specs: Add a relay_state_prefix to the service provider resource  https://review.openstack.org/16608603:15
stevemargyee, gotta check the dependent patch !03:18
*** markvoelker has joined #openstack-keystone03:19
gyeestevemar, my bad03:19
gyeestevemar, just one suggestion03:19
gyeethe ending colon should be part of the prefix03:19
gyeeotherwise, looks good!03:19
*** dims has quit IRC03:20
*** jbonjean has quit IRC03:20
*** markvoelker has quit IRC03:23
stevemargyee, i wasn't sure about that, but i guess we'll do that03:25
gyeestevemar, it'll work as it because of the default03:25
gyeeas is03:25
nkinderstevemar: ah, I just submitted a patch for OSC for --remote-id03:26
nkinderstevemar: I see that we're waiting on adding support for a list of remote ids03:26
openstackgerritSteve Martinelli proposed openstack/keystone: Add relay_state_prefix to Service Provider  https://review.openstack.org/16607803:26
openstackgerritSteve Martinelli proposed openstack/keystone: Add API to create ecp wrapped saml assertion  https://review.openstack.org/16286603:26
openstackgerritSteve Martinelli proposed openstack/keystone: Add API to create ecp wrapped saml assertion  https://review.openstack.org/16286603:27
stevemarnkinder, yeppers03:28
nkinderstevemar: ok, so I guess we should wait and see if a FFE is granted...03:28
stevemaryeah, in case we are stuck with just the 103:29
nkindermy patch is just for a single remote_id (the way keystone works now)03:29
stevemaryep03:29
nkinderok, if we get a FFE we can kill mine.  I'll leave it for now03:29
gyeestevemar, I need to be offline for a couple of hours, but I'll do some more reviews later03:29
stevemarnkinder, if you could review the proposed patch that would be good :)03:29
nkinderstevemar: will do now that I know about it ;)03:29
stevemargyee, fair enough, i changed up the colon thingy03:29
*** darrenc is now known as darren_afk03:33
*** omkarjoshi has quit IRC03:34
*** darren_afk is now known as darrenc03:38
*** gyee has quit IRC03:41
morganfainbergstevemar: so tomorrow I will be responding to FFE emails. Hopefully we will have a confirmation of ffe by next meeting on Tuesday.03:42
*** Kennan has joined #openstack-keystone03:46
stevemarmorganfainberg, okie dokie03:58
*** ccard_ has quit IRC03:59
*** ajayaa has joined #openstack-keystone04:01
*** lvh is now known as least_authority_04:02
*** least_authority_ is now known as lvh04:02
*** markvoelker has joined #openstack-keystone04:19
*** markvoelker has quit IRC04:24
*** dims has joined #openstack-keystone04:25
*** omkarjoshi has joined #openstack-keystone04:26
*** dims has quit IRC04:32
*** richm has quit IRC04:38
*** _cjones_ has joined #openstack-keystone04:57
*** _cjones_ has quit IRC05:01
*** sigmavirus24_awa is now known as sigmavirus2405:02
*** chlong has quit IRC05:02
*** rushiagr_away is now known as rushiagr05:07
*** ajayaa has quit IRC05:08
*** ishant has joined #openstack-keystone05:14
*** chlong has joined #openstack-keystone05:19
*** markvoelker has joined #openstack-keystone05:20
*** markvoelker has quit IRC05:25
openstackgerritSteve Martinelli proposed openstack/keystone: Document websso setup  https://review.openstack.org/16401205:35
stevemarlhcheng, ty sir05:36
*** rushiagr is now known as rushiagr_away05:42
*** rushiagr_away is now known as rushiagr05:59
*** chlong has quit IRC06:01
stevemarnkinder, thanks for the review nathaniel06:03
*** ccard_ has joined #openstack-keystone06:12
*** chlong has joined #openstack-keystone06:13
*** dims has joined #openstack-keystone06:18
*** markvoelker has joined #openstack-keystone06:21
*** dims has quit IRC06:24
*** markvoelker has quit IRC06:26
*** ajayaa has joined #openstack-keystone06:27
*** fifieldt has joined #openstack-keystone06:32
*** jamielennox is now known as jamielennox|away06:35
*** ajayaa has quit IRC06:41
*** sigmavirus24 is now known as sigmavirus24_awa06:44
*** ajayaa has joined #openstack-keystone06:53
*** ParsectiX has joined #openstack-keystone06:54
openstackgerritSteve Martinelli proposed openstack/keystone: Document websso setup  https://review.openstack.org/16401206:58
*** Bsony has quit IRC07:01
*** browne has quit IRC07:03
openstackgerritSteve Martinelli proposed openstack/keystone: Add API to create ecp wrapped saml assertion  https://review.openstack.org/16286607:03
Kennan:+stevemar07:08
Kennancould you help one question?07:08
stevemarKennan, o/07:08
stevemari can try07:08
KennanI tried kubectl pod-create with -f , it said07:09
Kennanpod "redis-master" already exists\07:09
Kennandoesn't kubernetes support pods with same name?07:09
Kennanfor example, user1 create one pod, it named pod107:10
Kennanuser2 want to create one pod07:10
Kennanhe want to nameis pod1 too07:10
Kennanis it reasonable ?07:10
Kennan+stevemar I didn't find kubernetes support UUID like07:11
Kennanso is it name  used as ID ?07:11
stevemarKennan, i have no knowledge on kubernetes, sorry :(07:11
Kennanok. sorry, in wrong channel. :(07:12
stevemarKennan, yeah, but you are providing me with reading material ;)07:12
stevemarapparently it's to manage containers, neat07:12
stevemarwell, containerized applications*07:12
*** rushiagr is now known as rushiagr_away07:16
*** omkarjoshi has quit IRC07:18
*** lhcheng has quit IRC07:20
*** ajayaa has quit IRC07:21
*** markvoelker has joined #openstack-keystone07:22
*** henrynash has joined #openstack-keystone07:22
*** ChanServ sets mode: +v henrynash07:22
*** markvoelker has quit IRC07:27
*** Ephur has quit IRC07:37
openstackgerritMerged openstack/python-keystoneclient: Rename requests mock object in testing  https://review.openstack.org/16456807:37
*** ajayaa has joined #openstack-keystone07:40
*** omkarjoshi has joined #openstack-keystone07:42
*** Bsony has joined #openstack-keystone07:43
*** henrynash has quit IRC07:45
*** chlong has quit IRC07:45
*** ncoghlan has quit IRC07:46
*** rushiagr_away is now known as rushiagr07:46
*** henrynash has joined #openstack-keystone07:46
*** ChanServ sets mode: +v henrynash07:46
openstackgerritMasaki Matsushita proposed openstack/keystone: Make max_header_line configurable  https://review.openstack.org/16612507:53
*** jistr has joined #openstack-keystone07:58
*** dims has joined #openstack-keystone08:09
*** dims has quit IRC08:18
*** openstackgerrit has quit IRC08:22
*** openstackgerrit has joined #openstack-keystone08:22
*** jaosorior has joined #openstack-keystone08:22
*** markvoelker has joined #openstack-keystone08:22
*** markvoelker has quit IRC08:27
*** ajayaa has quit IRC08:28
*** lsmola has quit IRC08:28
*** ajayaa has joined #openstack-keystone08:28
*** boris-42 has quit IRC08:32
*** Bsony_ has joined #openstack-keystone08:39
*** Bsony has quit IRC08:40
marekdstevemar: Good stuff with that relay_State_prefix08:43
marekdi didn't know that exists08:43
stevemarmarekd, thank gyee for that08:43
marekdi will08:43
marekdbut i also should thank you for quick implementation of that08:44
*** lsmola has joined #openstack-keystone08:44
marekdit's an api change, so touches everything08:44
marekdi will add ksc patch for that now.08:45
stevemarmarekd, yeah, i put up the spec already, and gave morgan a heads up08:45
*** stevemar has quit IRC08:54
*** omkarjoshi has quit IRC08:59
*** ajayaa has quit IRC09:02
*** krykowski has joined #openstack-keystone09:06
*** jamielennox|away is now known as jamielennox09:14
*** ajayaa has joined #openstack-keystone09:15
*** ishant has quit IRC09:15
*** markvoelker has joined #openstack-keystone09:23
*** ishant has joined #openstack-keystone09:26
*** markvoelker has quit IRC09:28
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Add a FederatedBase v3 plugin  https://review.openstack.org/16327109:29
*** mtreinish has quit IRC09:35
*** mtreinish has joined #openstack-keystone09:36
openstackgerritDave Chen proposed openstack/keystone: Skip endpoints which is not available  https://review.openstack.org/14486009:42
ccardif I create a domain-specific keystone configuration for the openstack service users, for a domain called services say, do all the openstack services have to be configured to use the keystone v3 api?09:45
*** davechen has left #openstack-keystone09:47
*** erkules_ is now known as erkules10:01
*** erkules has joined #openstack-keystone10:01
jamielennoxccard: yes, you have to have v3 configured to use a services domain10:07
jamielennoxccard: also we aren't at the point where all the services _can_ be configured to use a services domain10:07
*** dimsum__ has joined #openstack-keystone10:11
*** markvoelker has joined #openstack-keystone10:24
*** sluo_laptop has quit IRC10:26
*** markvoelker has quit IRC10:29
ccardjamielennox: thanks. Which services can't be configured at the moment (in Juno)?10:41
jamielennoxccard: umm, most things talking to glance or swift10:41
jamielennox:p10:42
openstackgerrithenry-nash proposed openstack/keystone: Reload drivers when their domain config is updated  https://review.openstack.org/16332210:42
jamielennoxccard: https://trello.com/b/5qivasNp/keystone-v3 is my list, i'd love you to try and configure v3 everywhere and add whatever you find is missing10:42
jamielennoxit's not complete, just what i'm vaguely working on10:42
*** samueldmq has joined #openstack-keystone10:51
*** henrynash has quit IRC10:53
*** diegows has joined #openstack-keystone10:53
*** Ephur has joined #openstack-keystone10:55
ccardjamielennox: thanks for that. It looks like putting the service users in a non-default domain is probably too risky for us at the moment. But I want to have a separate domain for end users so that we can use an LDAP backend for them. If I create a domain (called users say) for the end users, with a domain-specific configuration pointing at LDAP, should that work ok with Juno? I can see that horizon would need to be configured for the keystone v310:57
ccardapi, so that end users can login, but would any other services need to be configured for v3?10:57
jamielennoxccard: AFAIK, if you have the service users in the default domain then you can put your actual users in another domain and it will all work10:58
ccardjamielennox: thanks10:58
*** rushiagr is now known as rushiagr_away10:58
jamielennoxccard: please tell me if you find this isn't the case10:58
jamielennoxas that was my target for kilo10:59
*** samueldmq has quit IRC11:07
ccardjamielennox: will do11:13
*** krykowski has quit IRC11:28
*** mestery is now known as mestery_afk11:45
*** fifieldt_ has joined #openstack-keystone11:54
*** fifieldt has quit IRC11:54
*** fifieldt__ has joined #openstack-keystone11:58
*** fifieldt_ has quit IRC12:00
*** markvoelker has joined #openstack-keystone12:03
*** krykowski has joined #openstack-keystone12:07
*** richm has joined #openstack-keystone12:14
*** gordc has joined #openstack-keystone12:27
*** bknudson has quit IRC12:29
*** henrynash has joined #openstack-keystone12:36
*** ChanServ sets mode: +v henrynash12:36
*** edmondsw has joined #openstack-keystone12:39
*** samueldmq has joined #openstack-keystone12:40
*** bknudson has joined #openstack-keystone12:54
*** ChanServ sets mode: +v bknudson12:54
*** henrynash has quit IRC12:58
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient: Improve feedback message in SSL error  https://review.openstack.org/12976913:01
*** angular_mike has quit IRC13:03
*** krykowski has quit IRC13:06
*** davechen has joined #openstack-keystone13:07
*** mattfarina has joined #openstack-keystone13:10
*** samueldmq has quit IRC13:18
*** ishant has quit IRC13:19
*** ishant has joined #openstack-keystone13:20
*** ishant has quit IRC13:25
*** dimsum__ has quit IRC13:27
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Change auth_token to use keystoneclient  https://review.openstack.org/14424813:30
*** jamielennox is now known as jamielennox|away13:36
*** cucxabong has joined #openstack-keystone13:38
*** ljfisher has joined #openstack-keystone13:38
*** cucxabong has quit IRC13:46
*** jonxml has joined #openstack-keystone13:46
*** jonxml has quit IRC13:48
*** dimsum__ has joined #openstack-keystone13:51
*** raginbajin has joined #openstack-keystone13:55
*** tqtran has joined #openstack-keystone14:00
*** krykowski has joined #openstack-keystone14:00
*** tqtran has quit IRC14:01
*** csoukup has joined #openstack-keystone14:12
*** iamjarvo has joined #openstack-keystone14:14
*** ParsectiX has quit IRC14:18
*** mestery_afk has quit IRC14:19
*** tqtran has joined #openstack-keystone14:24
*** timcline has joined #openstack-keystone14:25
lbragstadmorganfainberg: when do you want to start adding release blocking reviews to dolphm's gist?14:29
morganfainberglbragstad: can do it now.14:30
morganfainbergK3 is cut.14:30
lbragstadmorganfainberg: ok, I'll go through and start starring rc-1 triaged stuff14:30
morganfainbergSounds good. I'll be tagging things similarly, and going through your bug list.14:31
lbragstadmorganfainberg: I tagged things as 'revisit' if I wasn't sure what to do with them14:32
*** raildo|away has quit IRC14:39
*** gabrielbezerra has quit IRC14:40
ccardjamielennox: I've configured a 'users' domain with an LDAP backend, and configured horizon for the v3 api and multi-domain support.14:41
ccardjamielennox: I can create a user and a project in the domain, and make the user a member of the project, but when I login as this user I get various Unauthorized errors when clicking on the project Compute menu items.14:43
ccarde.g. "Error: Unauthorized: Unable to retrieve instances" when I click on Project->Compute->Instances14:43
*** krykowski has quit IRC14:43
ccardany idea what other configuration I've missed?14:44
*** browne has joined #openstack-keystone14:50
*** gabrielbezerra has joined #openstack-keystone14:52
*** ajayaa has quit IRC14:57
*** raildo has joined #openstack-keystone14:59
*** dimsum__ has quit IRC15:01
*** henrynash has joined #openstack-keystone15:01
*** ChanServ sets mode: +v henrynash15:01
lbragstadmorganfainberg: alright, I have most of what's targeted for rc1 on the gist, if it's in progress.15:01
*** stevemar has joined #openstack-keystone15:02
*** ChanServ sets mode: +v stevemar15:02
lbragstadmorganfainberg: we'll just need to add the "revisited" bugs in launchpad to the gist if they are in progress when triaging15:03
*** jeffDeville has joined #openstack-keystone15:03
*** zzzeek has joined #openstack-keystone15:08
*** _cjones_ has joined #openstack-keystone15:12
*** dimsum__ has joined #openstack-keystone15:14
*** mestery has joined #openstack-keystone15:15
*** dimsum__ has quit IRC15:16
jeffDevilleI'm just getting started with Keystone dev, and it looks like a lot of the specs are failing for me (~166) in both master and stable/juno. Is there something aside from git clone and ./run_tests.sh -V that I should know about?15:16
*** openstackgerrit has quit IRC15:21
*** openstackgerrit has joined #openstack-keystone15:22
*** sigmavirus24_awa is now known as sigmavirus2415:22
openstackgerritDave Chen proposed openstack/keystone: Fix the typo and problematic logic on ec2 signature  https://review.openstack.org/14377215:24
stevemarjeffDeville, i hope you mean tests - not specs :)15:25
marekdjeffDeville: try tox -epy2715:25
stevemarjeffDeville, ^^ yeah, try using tox, avoid run_tests.sh, we're trying to kill it with fire15:26
openstackgerritDave Chen proposed openstack/keystone: Fix the typo and problematic logic on ec2 signature  https://review.openstack.org/14377215:26
jeffDevilleThanks stevemar:, marekd.  Trying that now.15:28
marekdjeffDeville: you have a couple of switches you may want to use (all of them with -e option): py27, pep8, docs, cover15:28
marekdstevemar: should all responses for Service Providers be formatted that there is column "Auth URL" instead of "auth_url" ?15:29
*** ayoung has quit IRC15:30
stevemari'd be cool with that, in the columns header you can put ("Auth URL")15:31
openstackgerritDave Chen proposed openstack/keystone: Fix the typo and problematic logic on ec2 signature  https://review.openstack.org/14377215:31
stevemarmarekd, OSC is smart enough to ignore case and underscores15:31
marekdstevemar: uh15:31
marekdso i am not going to complicate life then.15:32
marekdstevemar: re: https://review.openstack.org/#/c/166078 if the shib has prefix set to '' then it looks like this is non-default setting and idp admins should reflect this change.15:33
marekdanyway, i am not sure who is actually in charge of this parameter : idp or sp15:33
marekdmaybe it should be us (IdP) who say: hey, world, our assertion use this relay_state prefix15:33
marekdpity Guang is not here.15:34
stevemarmarekd, we write it here: http://docs.openstack.org/developer/keystone/extensions/shibboleth.html15:34
*** nellysmitt has joined #openstack-keystone15:35
*** davechen has left #openstack-keystone15:36
*** dimsum__ has joined #openstack-keystone15:37
marekdbut this is a config for Service Provider setup.15:37
marekdand it's per IdP15:37
marekdso my question is who should dictate the value, idp or sp ?15:37
*** thedodd has joined #openstack-keystone15:37
*** lsmola has quit IRC15:38
marekdstevemar: this would ease the change very much (one extra parameter in the CONF.saml2/CONF.federation)15:39
stevemari thought that too15:39
stevemari am not sure15:40
marekdwhat/who made you think the other way round? :-)15:40
stevemarmarekd, gyee made me do it!15:40
stevemarwe figured it was set on a per-sp basis15:40
stevemarand one idp can have many SPs15:40
marekdstevemar: i recall a convo with morganfainberg and topol where they I was arguing that "I implemented it because gyee said he liked that feature" :D15:41
stevemargyee - subtly convincing us to do things15:41
marekdhehe15:41
*** mflobo has left #openstack-keystone15:44
*** browne has quit IRC15:46
*** lsmola has joined #openstack-keystone15:48
marekdstevemar: yeah, one idp can have multiple SPs but each SP can configure relay_State per trusted IdP.15:48
marekdand I think it's the idp who builds the assertion15:49
jeffDevilleIssuing SSL Certificate ...15:49
jeffDevilleUsing configuration from signing.conf15:49
jeffDevilledefault is an unsupported message digest type15:49
jeffDeville8999:error:02001002:system library:fopen:No such file or directory:/SourceCache/OpenSSL098/OpenSSL098-52.10.1/src/crypto/bio/bss_file.c:126:fopen('./index.txt.attr','rb')15:49
jeffDeville8999:error:2006D080:BIO routines:BIO_new_file:no such file:/SourceCache/OpenSSL098/OpenSSL098-52.10.1/src/crypto/bio/bss_file.c:129:15:49
jeffDeville8999:error:0E078072:configuration file routines:DEF_LOAD:no such file:/SourceCache/OpenSSL098/OpenSSL098-52.10.1/src/crypto/conf/conf_def.c:197:15:49
stevemarmarekd, it would also make my life easier15:49
jeffDevilleFailed! rc=115:49
jeffDevilleBailing ...15:49
jeffDevillemarekd: & stevemar: I got a similar number of errors with tox. Dug a bit deeper and it looks like it might be pki related. So I ran gen_pki.sh, which died here ^15:49
marekdjeffDeville: which os ?15:50
jeffDevilleosx yosemite15:50
*** _cjones_ has quit IRC15:52
*** _cjones_ has joined #openstack-keystone15:52
marekdjeffDeville: heard rumours that keystone doesn't work on osx.15:54
stevemarmarekd, jeffDeville osx is definitely not supported :) it'll work for *most* things15:56
jeffDevilleMmmm...  that's a shame.  :-)  Ok, what dev os would you recommend?15:56
marekdubuntu15:56
stevemarjeffDeville, ubuntu!15:56
marekdjeffDeville: i have it running on Debian too15:56
stevemarjeffDeville, maybe dolphm or lbragstad can help you?15:56
marekdsome RedHat folks will have Fedora up and running.15:56
stevemarthey are our resident OSXers15:56
* marekd wants to have Mact too15:57
bknudsonwhatever system I was using I'd just set up an ubuntu vm.15:57
stevemarmarekd, i'll keep my brick15:57
* marekd has grown up and doesn't have more time to play with his configuration15:57
jeffDevilleAight.  Thanks guys.  I guess I'll head that direction after I try recompiling openssl w/ cms support15:57
dolphmjeffDeville: the version of openssl bundled with OS X is far too old15:57
lbragstadjeffDeville: I'm currently doing most of my things on debian or ubuntu with vagrant or a cloud server.15:58
marekddolphm: do they patch it?15:58
bknudsonI hope they patch it!!15:58
dolphmjeffDeville: brew install openssl ( http://brew.sh/ )15:58
dolphmmarekd: bknudson: when they feel like it?15:58
lbragstadlol15:58
jeffDevilledolphm: that's what I'm using.  But apparently cms is not enabled by default anymore15:58
bknudsonconsidering the security problems in openssl they better be patching it frequently.15:59
marekddolphm: you are using tox on  OSS or using some VM ?15:59
marekdOSX15:59
dolphmmarekd: debian wheezy15:59
lbragstadmarekd: I tried tox on OSX once... it blew up and I wasn't feeling ambitious enough to figure out why,16:00
marekddolphm: why OSX btw? prefer it for daily tasks?16:00
lbragstadmarekd: but it blows up on the python2.7 environment, not pep816:00
bknudsonmarekd: he's also got the watch.16:01
marekdlbragstad: it must be sad to spend whole days working on a VM :P so much of CPU is wasted locally :P16:01
bknudsoniwatch16:01
marekdbknudson: dolph?16:01
bknudsonwears a black turtleneck everywhere.16:01
*** iamjarvo has quit IRC16:01
marekdi am far beyond all those tech toys :(16:02
dolphmmarekd: it's the most reliable and least fussy OS i've tried for desktop use16:02
lbragstadmarekd: ++, expect when you hose your dev environment and your thankful it wasn't hosted locally ;)16:02
*** dimsum__ has quit IRC16:02
lbragstads/expect/except/16:02
lbragstad*cough* dolphm *cough*16:03
marekdhose?16:03
dolphmmarekd: break16:03
marekddolphm: thanks16:03
lbragstadhose == screw up beyond repair16:03
dolphmmarekd: i ran dist-upgrade on my dev box to downgrade from debian testing to debian stable, and it didn't go so well.16:04
dolphmmarekd: quickest solution from there was to delete the vm and build a new one16:04
marekdi sometimes need to run dist-upgrade on my laptop, imagine my fear then.16:04
lbragstadhaha16:04
marekdas much as i like (and i am used to) tiling managers, i think i will try osx one day.16:05
bknudsoncan a region's ID be changed through modify?16:05
*** lsmola has quit IRC16:05
lbragstadmarekd: what do you use?16:05
marekddebian testing.16:05
marekdwell, i have 3 machines. one is ubuntu lts, and two are debian testing.16:06
dolphmbknudson: i don't think so16:06
marekdmy VMs are usually ubuntus, as they are purely for devstack and stuff thing.16:06
lbragstadmarekd: gotcha16:06
bknudsonI'll give it a shot but doesn't seem like it since it's the id.16:06
lbragstadbknudson: and that's specified on the URL, right?16:06
lbragstadbknudson: or it can be16:07
bknudsonhttp://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3.html#update-region16:07
bknudsony, it's in the URL.16:07
*** _cjones_ has quit IRC16:09
*** _cjones_ has joined #openstack-keystone16:10
bknudsonwhen you create a region using POST /regions, it's given a random region name?16:13
bknudsonthat seems weird.16:13
morganfainbergsooooo hi all!16:14
*** ayoung has joined #openstack-keystone16:15
*** ChanServ sets mode: +v ayoung16:15
*** sigmavirus24 is now known as sigmavirus24_awa16:17
*** sigmavirus24_awa is now known as sigmavirus2416:20
stevemarbknudson, i regions have names?16:21
bknudsonstevemar: the ID is displayed everywhere.16:22
bknudsonas the name.16:22
bknudsonsince you need to call it something.16:22
*** dimsum__ has joined #openstack-keystone16:23
*** jeffDeville has quit IRC16:23
openstackgerritMark T. Voelker proposed openstack/keystone: Specify time units for default_lock_timeout  https://review.openstack.org/16630416:23
openstackgerritMark T. Voelker proposed openstack/keystone: Specify time units for default_lock_timeout  https://review.openstack.org/16630416:25
ayoungstevemar, you sure we don't need a chat room specific to oslo policy?  Heh16:31
stevemarayoung, we could use -oslo :)16:31
ayoungstevemar, anyway, I think I'm good.16:31
stevemarglad to hear16:31
openstackgerritMark T. Voelker proposed openstack/keystone: Specify time units for default_lock_timeout  https://review.openstack.org/16630416:32
ayoungThe check I'm working on will make sure that if the domain id matches, it is the same for any of the fields that potentially can match16:32
*** browne has joined #openstack-keystone16:35
*** ayoung has quit IRC16:37
*** ljfisher has quit IRC16:37
*** jeffDeville has joined #openstack-keystone16:40
*** EmilienM is now known as EmilienM|afk16:41
openstackgerritDavid Stanek proposed openstack/keystone: Refactor: extract and rename unique_id method  https://review.openstack.org/16276616:42
openstackgerritDavid Stanek proposed openstack/keystone: Simplify injection testcase setup  https://review.openstack.org/16276716:42
openstackgerritDavid Stanek proposed openstack/keystone: Isolate injection tests  https://review.openstack.org/16276816:42
*** lhcheng has joined #openstack-keystone16:45
*** iamjarvo has joined #openstack-keystone16:48
morganfainbergstevemar, bleh. phone... bleh16:49
*** david-lyle_ has joined #openstack-keystone16:50
*** david-lyle_ has quit IRC16:51
*** harlowja_away is now known as harlowja_16:51
stevemarmorganfainberg, :(16:52
*** sigmavirus24 is now known as sigmavirus24_awa16:53
morganfainbergstevemar, uhh16:57
morganfainbergstevemar, sorry https://review.openstack.org/#/c/166010/ -216:57
morganfainbergstevemar, i missed that one.16:57
morganfainbergstevemar, oh this was proposed post FF16:59
rodrigodshenrynash, replied your comment in https://review.openstack.org/#/c/159944/17:01
*** _cjones_ has quit IRC17:06
stevemarmorganfainberg, oops17:08
*** _cjones_ has joined #openstack-keystone17:13
morganfainbergstevemar, all good. i caught it with the -217:13
morganfainbergit wont merge17:13
*** jistr has quit IRC17:19
*** openstackgerrit has quit IRC17:21
*** openstackgerrit has joined #openstack-keystone17:21
*** jeffDeville has quit IRC17:25
*** Bsony_ has quit IRC17:25
*** jeffDeville has joined #openstack-keystone17:25
*** ljfisher has joined #openstack-keystone17:27
*** gyee has joined #openstack-keystone17:27
*** ChanServ sets mode: +v gyee17:27
morganfainberglbragstad, https://bugs.launchpad.net/keystone/+bug/1433311 this is not wishlist17:33
openstackLaunchpad bug 1433311 in Keystone "Fernet tokens current don't support token bind" [Medium,Triaged]17:33
morganfainberglbragstad, this is much higher priority as token binding is a current feature of other tokens.17:33
morganfainberglbragstad, and is an RC bug17:33
*** nellysmitt has quit IRC17:37
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: Add parent_id to GET /projects  https://review.openstack.org/16632617:39
rodrigodsmorganfainberg, noticed an API bug ^17:39
rodrigodsmorganfainberg, it was also missing the tests: https://review.openstack.org/#/c/158314/17:40
*** jbonjean has joined #openstack-keystone17:42
marekdgyee: you here?17:46
gyeemarekd, yes sir17:47
marekdgyee: wanted to ask about https://review.openstack.org/#/c/166078/217:47
marekdand my last comment there17:47
stevemargordc, is there a reason why the audit events are 'audit.http.request' now instead of 'http.request' cc edmondsw17:47
stevemarlooks like they were renamed here: https://review.openstack.org/#/c/102958/21/keystonemiddleware/audit.py17:48
gyeemarekd, service_providers is utilized by IdP keystone only17:48
gyeeIdP Keystone needs to know how to generate the ECP wrap17:49
marekdgyee: yes, but what does it change?17:49
gyeemarekd, yes, each SP could configure relaystate differently17:49
marekdgyee: the question is whether they should conform, or us (IdP)17:49
*** ayoung has joined #openstack-keystone17:49
*** ChanServ sets mode: +v ayoung17:49
morganfainberggyee, i also need to ask if this could break a websso workflow with a browser?17:49
morganfainberggyee, if the SAML is *always* ECP wrapped17:50
marekdmorganfainberg: nt always17:50
marekdnot always17:50
gyeemorganfainberg, no, afaik ecp is for non web browsers17:50
marekdmorganfainberg: and it's k2k case here.17:50
morganfainbergmarekd, but that is what gyee is proposing, k2k always issues ecp wrapped saml17:50
morganfainbergis there ever a desire to use a web browser17:50
gyeemorganfainberg, not always, it's a new API17:50
morganfainbergwould there ever be17:50
marekdmorganfainberg: yes, not always.17:50
morganfainberggyee, oh separate from the current API?17:51
gyeeexisting client can still do the wrapping themselves17:51
marekdmorganfainberg: /auth/OS-FEDERATION/saml2 and /auth/OS-FEDERATION/saml2/ecp17:51
morganfainbergoh17:51
morganfainbergmarekd, ahh17:51
gyeewhat he said17:51
marekdmorganfainberg: but still, it's k2k so we are not breaking ourselves wrt websso17:51
morganfainbergright17:51
dstanekfyi. i started working on this yesterday: https://github.com/dstanek/vim-gertty17:52
gyeemarekd, we should not constrain what SP can or can't do17:52
gyeewe should offer flexibility17:52
marekdgyee: ok, let's make it flexible but be hard in negotiations (actually this is a part for admins who will be configuring it :P)17:53
marekdstevemar: ^^17:53
gyeemarekd, right, but its a one time setup17:53
edmondswgordc, ceilometer/middleware.py is hardcoding "http.request" but keystonemiddleware/audit.py is hardcoding "audit.http.request"... mismatch17:53
marekdstevemar: ok, so i think we should resolve whether relay_state_prefix should be nullable or not. I think not.17:54
marekdgyee: ^^17:54
stevemarprobably not17:54
gyeemarekd, I would agree, but its really a data migration trade-off17:55
marekdgyee: so lets add a default version17:55
gyeesince stevemar have a default there, I am fine with it being nullable17:55
marekdin the backend not in the controller.17:55
gyeemarekd, right, default means data migration17:55
gyeeor adding new data or oppose to just schema17:55
gyeeso its a design tradeoff17:56
gyeeI am fine either way17:56
gordcedmondsw: i know. the payloads are actually different ie. it's full CADF in audit.http* and it's embedded (and possibly non-existent) in http.*17:58
*** Bsony has joined #openstack-keystone17:58
gyeememo to stevemar, if by making it not nullable make marekd a happier man, I would do it in a heartbeat :)17:59
stevemargordc, but it was full CADF before, and on http.* (when a part of pycadf.audit)18:03
*** c_soukup has joined #openstack-keystone18:03
stevemargyee, sure, i'll make the change, just busy atm18:05
gordcno. the payload was a random mismatch of environment variables...and then it might or might not have contained CADF (depending if you were using oslo.messaging notifier middleware or pycadfs audit middleware.18:05
gyeestevemar, thanks18:06
*** csoukup has quit IRC18:06
gyeelets figure out how to get shibd into one of them gates18:06
marekdgyee: what do you mean?18:07
*** spandhe has joined #openstack-keystone18:09
gyeemarekd, I mean is shibboleth part of some jenkins gate?18:10
dstanekgyee: i started down a path to setup shib stuff for functional tests18:12
gyeedstanek, nice!18:12
gyeewe can add ecp tests once we get it working18:12
dstanekgyee: that's what all of that devstack script junk is about18:12
dstanekgyee: are you planning on writing ecp tests? or are you saying that someone should?18:13
gyeesomeone would18:13
dstanekgyee: i was going to say that you didn't have to wait :-)18:14
gyeeI'll have one of guys here do it if I don't have time to get to it18:14
gyeeoh18:14
gyeedstanek, you added to devstack already?18:14
dstanekgyee: no, but if you have a federated installation you could run tests against it18:15
dstanekall of the devstack stuff is still in review and i think still has a few problems18:15
gyeeyes, I have a devstack installation with shibd configured18:15
dstanekgyee: if you have someone to write the tests just let me know and i'll help them with where/how18:16
dstanekit'd be nice to get that stuff moving and get coverage18:17
gyeedstanek, sure, I'll have my cousin get in touch with your cousin18:17
dstaneksounds like a plan :-P18:17
openstackgerritMarek Denis proposed openstack/keystone: Distinguish between unset and empty black and white lists  https://review.openstack.org/16479818:19
dstanekgyee: once we get a little further with a couple of things we should be able to get our devstack scripts running in a gate. i ran it by some QA folks and they seemed to think that it was a good idea.18:19
bknudsonwhat's not moving?18:19
gyeeexcellent!18:19
openstackgerritMarek Denis proposed openstack/keystone: Distinguish between unset and empty black and white lists  https://review.openstack.org/16479818:19
gyeedstanek, how's your bracket btw, 2 #3s went down on the first day, unreal!18:20
dstanekgyee: i'm too busy for that!18:21
marekddstanek: actually, your functional tests are still WIP, aren't they ?18:21
dstanekmarekd: the devstack configuration is for sure18:21
marekddstanek: federation/saml ?18:21
dstanekmarekd: i was thinking that since all the federation people will be in the same place at the summit that i can use your collective help to fix some configuration issues18:22
marekdi wanted to review some of those patches but they seemed to be slightly put aside.18:22
marekddstanek: sure18:22
stevemardstanek, we can create a brain trust18:22
dstanekthere is one at the beginning of the chain that i need to fix a -1 on and then a few will be ready to merge.18:23
dstaneki have not revisited the devstack scripts in probably a month18:24
edmondswgordc, so is ceilometer/middleware.py meant to be deprecated now? Since that is hardcoded to go with http.request, which comes from pycadf's audit middleware, which is deprecated...18:24
*** omkarjoshi has joined #openstack-keystone18:27
*** iurygregory has joined #openstack-keystone18:27
dstanekanyone have an opinion on the import comments from bknudson on https://review.openstack.org/#/c/158466/2/keystone/tests/functional/shared/test_running.py ?18:27
dstaneki left it in there in case people were not familiar with what Python does when you 'import x.y.z'18:28
*** omkarjoshi has quit IRC18:28
bknudsondstanek: stevemar changed a similar extra import somewhere.18:28
dstanekbknudson: removed it?18:28
dstaneki'm totally fine doing that18:29
marekddstanek: "My mind is broken. This should be renamed because it isn't broken anymore."18:29
dstaneki'll fix up the patch18:29
bknudsondstanek: yes, removed the extra import.18:29
gyeeheh18:29
gyeenothing broken18:29
*** omkarjoshi has joined #openstack-keystone18:29
marekdgyee: ++18:29
stevemarbknudson, dstanek i remove them because i don't like the warning that eclipse shows :P18:29
gordcedmondsw: that will probably be deprecated in Liberty. we're starting to force events to be stored as events rather than meters/samples.18:29
bknudsony, eclipse shows a warning.18:29
dstanekmarekd: that too18:29
stevemargyee, marekd did we agree that the prefix stays in SPs as a property, or as a config option for idp?18:29
bknudsonstevemar: there's some ldap ones you could clean up if you felt like it.18:29
stevemarbknudson, where at?18:30
marekdstevemar: service_provider attribute18:30
bknudsonstevemar: ldap parts.18:30
edmondswgordc, why not go ahead and deprecate it if it only works with something that is already deprecated?18:30
gyeestevemar, if you make it not nullable and fill it with the default18:30
edmondswgordc, and is there any documentation you can point me to on how all this has changed to use events, audit.http.request, etc.?18:31
gordcedmondsw: that was part of what i mentioned above, the http.* 'meters' weren't only coming from audit middleware but also notifier middleware in oslo.messaging...18:31
gordcthe original audit middleware was piggybacking off something else because of resistance to CADF adoption18:31
edmondswgordc, guess I don't follow that part18:32
iurygregorydtroyer, Hello Dean, can you please take a look in this patch https://review.openstack.org/132083 ?18:35
*** dougwig has quit IRC18:39
gordcedmondsw: sorry, had a call. basically when i made the middleware a year+ ago, i couldn't get support for it as a standalone, but i was able to embed the CADF audit data into another middleware.18:44
gordcwhich is why you'll notice a bunch of junk associated with the http.* 'meter'18:44
gordcyou can look at how to use events here: http://docs.openstack.org/admin-guide-cloud/content/section_telemetry-events.html18:45
edmondswgordc, so why are those pieces getting deprecated piecemeal instead of together?18:45
edmondswgordc, tx for the link18:46
gordcwe added a bit more features in kilo, but basic support is available in juno (icehouse if using sql)18:46
gordcedmondsw: tbh, i'm not sure who uses the oslo.messaging version of middleware (which also outputs http.* meters)... i think it was a requirement from another company.18:47
edmondswgordc, for a product that was using meters and then upgrades to kilo and switches to events... is there a way to migrate the old data to events?18:49
gordcedmondsw: i was going to do that but i didn't get that far. you'll still be able to get them as meters in L cycles... i believe the plan was to turn them off by default in L and possibly remove the logic which builds meters in M or N.18:52
*** _cjones_ has quit IRC18:52
*** _cjones_ has joined #openstack-keystone18:54
edmondswgordc, you mean I should stick with using the pycadf middleware, even though it's deprecated?18:55
*** jeffDeville has quit IRC18:56
gordcedmondsw: you could. alternatively you can just switch over and let ttl expire away the difference, or wait for my migration tool,18:57
gordcedmondsw: is it just the resource_metadata that you're working with?18:58
edmondswgordc yes18:59
gordcedmondsw: kk.19:02
*** tqtran is now known as tqtran_afk19:04
*** EmilienM|afk is now known as EmilienM19:10
*** _cjones_ has quit IRC19:15
*** omkarjoshi has quit IRC19:17
*** _cjones_ has joined #openstack-keystone19:17
iurygregorydtroyer, in this patch there is a pending question for you19:25
*** omkarjoshi has joined #openstack-keystone19:43
*** _cjones_ has quit IRC19:44
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Change domain_id FK in project table  https://review.openstack.org/16635419:44
openstackgerritJames Page proposed openstack/keystone: Deal with PEP-0476 certificate chaining checking  https://review.openstack.org/14498819:56
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Change domain_id FK in project table  https://review.openstack.org/16635419:56
nkinderstevemar: you around for a websso question?20:01
stevemarnkinder, yessum20:02
stevemarnkinder, what do i know that you don't?!20:02
*** c_soukup has quit IRC20:02
nkinderstevemar: when I hit /v3/OS-FEDERATION/websso/saml2, it does the redirect dance and the assertion comes back...20:02
nkinderstevemar: it's trying to find the IdP by the value in remote_id_attribute from the assertion20:02
nkinder...but it fails20:03
nkinderstevemar: let me get you a pastebin20:03
*** csoukup has joined #openstack-keystone20:04
stevemarnkinder, okie20:04
stevemarthe value for the remote_id_attribute (X-Shib-Name or whatever it is) should return the IdP ID20:05
nkinderstevemar: http://paste.openstack.org/show/194025/20:06
nkinderThe error message that I get back shows that it's pulling the IdP ID out of the assertion properly (MELLON_IDP in my case)20:06
nkinderIs it supposed to be the IdP ID, or the remote ID?20:07
stevemarwhats the value of MELLON_IDP?20:07
nkinderstevemar: https://ipa.rdodom.test/idp/saml2/metadata20:08
stevemar404'ed20:08
stevemarrather, DNS lookup failed for host20:09
stevemari think it's on your intranet?20:09
nkinderstevemar: yeah, it's a totally private VM network20:09
nkinderthat URL is my MELLON_IDP value20:09
nkinderI didn't mean for you to try to follow the link :P20:10
stevemaroh lol20:10
stevemarhaha20:10
*** Bsony has quit IRC20:10
stevemarright, so we need to find the idp ID right20:10
stevemarwhich typically won't be in the env.20:10
stevemarsince it's user defined20:10
stevemarthats why i had that note in the steps i was writing up20:10
nkinderSo I thought we take the value of the remote_id_attribute, then do a lookup in Keystone by "remote_id" for a match20:11
stevemarnkinder, step 4 here: http://docs-draft.openstack.org/12/164012/7/check/gate-keystone-docs/d30fec1//doc/build/html/extensions/websso.html20:11
*** Bsony has joined #openstack-keystone20:11
stevemari was just thinking that maybe we should be doing that...20:11
stevemarbut what if more than 1 idp returns back20:11
stevemarnkinder, the big NOTE thing20:12
nkinderstevemar: yeah, I'm doing that (aren't I?)20:12
stevemarah sh*t, i meant to keep it as the `ID of the IdP` not the `remote ID of the IdP`20:12
nkinderah20:13
*** dougwig has joined #openstack-keystone20:13
stevemarif you change `ipsilon` to `https://ipa.rdodom.test/idp/saml2/metadata` as the IdP id, then i'll work...20:13
nkinderwell, that's going to make for a horrible looking URL20:13
stevemarugh you are right20:13
nkindera url-escaped full URL in the normal federation auth URL20:13
stevemarughhhhhhh20:14
*** timcline has quit IRC20:14
stevemari didn't realize they were url escaped20:14
nkinderthat's why I was hoping it would lookup by remote id20:14
stevemarnkinder, that's a quick fix, thankfully20:14
stevemar*now* i see why marco and marekd wanted to make those unique20:14
nkinderafter all, we are taking the "remote_id_attribute", which logically should be looking up the "remote_id"20:14
nkinderit seems strange to compare the value of "remote_id_attribute" to the "id"20:15
stevemarnkinder, you are right20:15
stevemarwe can do a query on all IdP entries to look for that remote_id_attribute and return the distinct idp id20:15
stevemarnkinder, file a bug? :D20:16
nkinderstevemar: sure, coming right up...20:16
stevemarnkinder, can you work around that part of the code for now? i assume you are testing something out20:16
stevemarjust hardcode 'ipsilon' or something as the idp id?20:17
nkinderstevemar: I'll need to see what's possible on the IdP side there20:17
stevemarnkinder, also, i noticed that your trusted_dashboard value is just the hostname, it should be: trusted_dashboard = http://acme.horizon.com/auth/websso20:17
stevemaror i need to make the check smarter to parse for the hostname20:17
nkinderstevemar: I don't even really have the dashboard set up yet :)20:17
stevemarah okay cool20:18
nkinderthat's the next step20:18
nkinderstevemar: https://bugs.launchpad.net/keystone/+bug/143470120:27
openstackLaunchpad bug 1434701 in Keystone "websso should compare remote_id_attribute to remote_id of IdP" [Undecided,New]20:27
nkinderrichm: ^^^ you're probably interested too20:27
richmYou are subscribed to all notifications for this bug.20:28
richmI am20:28
*** ccard_ has quit IRC20:32
*** ccard_ has joined #openstack-keystone20:33
*** tqtran_afk is now known as tqtran20:33
*** gabrielbezerra has quit IRC20:34
*** tellesnobrega has quit IRC20:34
*** htruta has quit IRC20:34
*** raildo has quit IRC20:35
*** iurygregory has quit IRC20:35
*** ccard__ has joined #openstack-keystone20:41
*** iurygregory has joined #openstack-keystone20:43
*** ccard_ has quit IRC20:44
*** htruta has joined #openstack-keystone20:44
*** gabrielbezerra has joined #openstack-keystone20:44
*** _cjones_ has joined #openstack-keystone20:44
*** raildo has joined #openstack-keystone20:45
*** tellesnobrega has joined #openstack-keystone20:45
*** timcline has joined #openstack-keystone20:46
*** ccard_ has joined #openstack-keystone20:47
*** ccard__ has quit IRC20:48
stevemarayoung is the first talk of the conference :P20:50
rodrigodsstevemar, results already online?20:51
raildohttps://www.openstack.org/summit/vancouver-2015/schedule/20:51
stevemaryep20:51
*** jaosorior has quit IRC20:52
dimsum__yay for ayoung!20:53
raildoI want to see this talk: http://sched.co/2qcc :)20:54
rodrigodsraildo, \o/20:54
raildo1 PTL , 3 keystone cores and rodrigods  \o/20:55
rodrigods¬¬20:55
stevemarraildo, that'll be a great talk ;)20:57
david-lyleMy favorite talk title so far, "The OpenStack Summit talk selection process is broken"20:57
*** ljfisher has quit IRC20:57
raildodavid-lyle, ++ haha20:58
*** csoukup has quit IRC20:58
*** _cjones_ has quit IRC21:02
*** lhcheng_ has joined #openstack-keystone21:03
stevemardavid-lyle, "lets submit 100000000 talks"21:03
*** raildo has quit IRC21:04
*** _cjones_ has joined #openstack-keystone21:05
*** lhcheng has quit IRC21:06
ayoungSo I guess my talk got approved21:07
ayoungnkinder, first talk of the conference.  So it won't conflict with the development track.  That is convenient21:08
bknudsonI think half the talks are on docker.21:08
ayoungDawkah!21:08
ayoungDawkah!Dawkah!Dawkah!Dawkah!Dawkah!Dawkah!Dawkah!Dawkah!Dawkah!Dawkah!Dawkah!Dawkah!Dawkah!Dawkah!Dawkah!Dawkah!Dawkah!Dawkah!21:08
*** lhcheng_ is now known as lhcheng21:11
stevemardock dock dock21:14
ayoungI like the trend, at least in Keystone, of the core presenting to the less technical audiences.21:14
*** mattfarina has quit IRC21:15
stevemarayoung, i don't know how we started that but i'm also happy about it21:15
stevemarit ensures the message is correct, and it lets us branch out a bit21:15
*** timcline has quit IRC21:15
ayoungstevemar, I think it has something to do with Nate Kinder pretty much being the security group21:15
nkinderayoung: I wasn't on the selection board this time around21:16
ayoungAnd these all being somewhat security related21:16
ayoungnkinder, oh no?21:16
ayoungI know bpayne contacted me about the policy one21:16
nkindernope, so you made it in on your own :)21:16
nkinderI think a lot of people want to know more about policy21:16
nkinderstevemar: I cobbled together a patch to search for the IdP by remote_id21:16
ayounghe wants an update on policy for the deployment guide.21:16
stevemarnkinder, you are my hero21:17
nkinderstevemar: I have the keystone side of websso working now with mod_mellon21:17
nkinderstevemar: needs some cleanup, but maybe I'll get a WIP posted so you can let me know if I'm going about it the right way21:17
stevemarnkinder, fyi the websso parts are probably not going to land in horizon :(21:17
stevemartheres some push back there21:17
stevemarand it makes me sad21:17
ayoungstevemar, I want to +2 the ecp changes, but it really should get gyee's blessing first21:17
stevemarayoung, i thought we're waiting til after rc1 officially?21:18
stevemarerrr,... til rc1 *starts*21:18
nkinderstevemar: that makes me sad...21:18
ayoungstevemar, that , too21:19
stevemarnkinder, make your case to david-lyle, i made mine (i think he's still mulling it over)21:19
stevemarnkinder, i really don't want CERN using a fork for this, and i really don't want RH to have to manage a fork of it either, or something else21:20
david-lylestevemar: the websso bits are in d-o-a, we can release that as required21:21
ayoungI thought we were there....we really should branch right at the *3 milestone21:21
stevemardavid-lyle, we also have a horizon patch21:21
*** iamjarvo has quit IRC21:21
david-lylethat's unnecessary other than the documentation21:21
stevemardavid-lyle, wha? how is that unnecessary?21:22
david-lylewait, have to look again21:22
*** timcline has joined #openstack-keystone21:22
david-lylea lot of it seemed like scope creep21:22
stevemari thought it was pretty centralized, but i don't know too much about the horizon code base21:23
stevemarhttps://review.openstack.org/#/c/151842/21:23
stevemarthe DOA patch looked good to me too, https://review.openstack.org/#/c/136178/ aside from the bug lin brought up21:25
stevemari would like tests, but the test structure for DOA is damn awful21:25
stevemarsince everything is in 1 file21:26
stevemari mean that in the nicest way possible21:26
david-lyleI didn't write it, I just have to maintain it21:26
stevemar:)21:27
nkinderstevemar: If I add a get_idp_from_remote_id(), do you think it should only return one IdP?21:28
nkinderstevemar: it's possible for two identity providers to have the same remote_id in the database technically...21:28
nkinderso I either make the backend function throw an exception if it gets >1 matches, or it returns a list of IdPs and the caller needs to sort it out.21:29
stevemarnkinder, we can change the remote_id value to be unique21:29
nkinderstevemar: where would that be done?  That would simplify things.21:29
stevemarnkinder, here https://review.openstack.org/#/c/152156/21:30
stevemarnkinder, we can add the sql.unique argument to the backend21:30
nkinderstevemar: ok, in 006_add_remote_id_table.py21:30
stevemaryep21:30
*** iamjarvo has joined #openstack-keystone21:36
morganfainbergdavid-lyle, was going to ping you re: websso21:42
morganfainbergdavid-lyle, looks like you caught up with stevemar already21:43
david-lyleyeah, still looking at it21:43
morganfainbergstevemar, oooh21:43
morganfainbergstevemar, we got a talk accepted21:43
*** EmilienM is now known as EmilienM|PTO21:44
stevemarmorganfainberg, yeah buddy21:45
mfischstevemar: you guys should do a Fernet talk as a brown bag: http://openstack.prov12n.com/vbrownbag-techtalks-in-vancouver/?awesm=awe.sm_p8ZHg21:45
stevemarmfisch, ++ i knew there had to be a way for an impromptu talk21:46
stevemardolphm, lbragstad ^^ do a fernet talk21:46
mfischI'd like one called "Transition to Fernet without pissing off your customers"21:46
*** jamielennox|away is now known as jamielennox21:49
openstackgerritNathan Kinder proposed openstack/keystone: Lookup identity provider by remote_id for websso  https://review.openstack.org/16639121:49
stevemarmfisch, "without pissing off your customers, and deployers"21:50
*** timcline has quit IRC21:50
morganfainbergmfisch, soooooo21:52
morganfainbergmfisch, time to make sure docs on db backups are solid21:52
morganfainbergmfisch, ;)21:52
morganfainbergmfisch, it was all merged.21:52
*** edmondsw has quit IRC21:53
ayoungmorganfainberg, what is the plan for  when we are going to branch?21:53
ayoungtime wise..21:53
morganfainbergayoung, for RC?21:53
morganfainbergor for something else?21:53
ayoungfor RC21:54
morganfainbergRC is slated for April 921:54
ayoungjust wondering if it is long enough to go  put preemptive minuses on reviews that are out,  or if it will be soon enough  to  leave as is21:54
morganfainberghttps://wiki.openstack.org/wiki/Kilo_Release_Schedule21:55
morganfainbergok about to hop on a flight21:55
morganfainbergback on when we hit elevation21:55
ayoungmorganfainberg, I mean when are we going to branch the git repo so we can keep doing approvals, but have to explicitly backport for real fixes21:55
morganfainbergayoung, at RC that usually happens21:55
morganfainbergso around apr 921:55
* morganfainberg lost his phone today and will likely be dark until it is replaced tomorrow after the flight lands.21:56
morganfainbergayoung, we're compressed down to ~3wks till RC21:57
ayoungOK21:57
ayoungmorganfainberg, so anything that is not a bug fix gets a preemptive -2?21:57
*** gordc has quit IRC21:58
ayoungstevemar, so https://review.openstack.org/#/c/166391/1  you said to sync with another fix.  Does that have to happen first, or can this one go in as is?21:58
stevemarayoung, https://review.openstack.org/#/c/152156/ << should go in first22:00
ayoungstevemar, does it have to?  Nate's is a bug fix,22:01
ayoungthe other is a new feature22:01
stevemarayoung, well, if it doesn't then it'll go nathan's fix -> marcos feature -> another fix22:01
ayoungstevemar, I think that is the right sequence22:02
stevemarayoung, malright, i22:02
stevemari'm easy to convince22:02
stevemaras long as work is getting done, i'm happy to re-visit things22:02
stevemarwe'll have to query IdPRemoteIdsModel instead of IdentityProviderModel22:04
*** jamielennox is now known as jamielennox|away22:05
nkinderstevemar: we really need to find out if the remote_idps thing is going to make it in22:05
nkinderI know my patch needs adjusting if that makes it for Kilo22:05
nkinderI wanted to propose something that will work if we don't get the FFE22:06
stevemarnkinder, understandable22:06
stevemarnkinder, marekd has proposed it for FFE and i sponsored it (all on ML)22:06
nkinderyep22:06
stevemarnkinder, morganfainberg hasn't gotten back to us - but it should be a non-issue, i hope22:06
ayoungShould we dogpile on the FFE?22:07
nkinderDOGPILE!!!!22:07
nkinder...sorry, my inner 12 year old couldn't resist22:07
stevemarayoung, naw, give morganfainberg a worry free weekend, we can check this on monday, we have a few weeks of rc122:07
ayounghttp://wac.450f.edgecastcdn.net/80450F/nj1015.com/files/2014/01/Screen-Shot-2014-01-16-at-7.43.19-AM-630x449.png22:07
marekdnkinder: i didn't follow whole convo22:07
nkinderayoung: he said he sent an e-mail yesterday, and he hoped to have an update by next week's meeting22:08
ayoungDOGPILE ON DA RABBIT!22:08
marekdbut remote_id is essentially entityID22:08
marekdstevemar: ^^22:08
nkindermarekd: https://review.openstack.org/#/c/166391/22:08
*** breton has quit IRC22:09
nkinderI need to step away for a bit...22:10
marekdnkinder: o shit...22:10
ayoungmarekd, yep.  ooops.22:12
nkindermarekd: :)  The good news is the rest of websso in keystone is working nicely for me22:12
nkinderok, really stepping away now22:13
*** iamjarvo has quit IRC22:13
*** _cjones_ has quit IRC22:30
*** _cjones_ has joined #openstack-keystone22:34
*** Ephur_ has joined #openstack-keystone22:35
*** Ephur_ has quit IRC22:35
*** Ephur has quit IRC22:36
*** bknudson has quit IRC22:36
marekdstevemar: isn't primary_key assuring uniqueness?22:45
marekdthis is what they taught me long time ago.22:45
marekdstevemar: anyway, commented.22:48
*** lhcheng has quit IRC22:51
*** lhcheng has joined #openstack-keystone22:51
*** lhcheng has quit IRC22:56
*** dimsum__ has quit IRC22:58
*** dimsum__ has joined #openstack-keystone22:59
*** dimsum__ is now known as dims23:00
*** boris-42 has joined #openstack-keystone23:02
morganfainbergstevemar, hi23:02
morganfainbergback23:02
morganfainbergayoung, not bug fixes and not things like test restructure should have a -2 now23:03
morganfainbergayoung, reseller, domain_sql, and uhm... the one from marekd about IDP registration could end up with FFEs23:03
morganfainbergnkinder, stevemar, cc ^23:04
marekdmorganfainberg: come on Morgan, the patch was blocked by a severe bug. Otherwise it would be already in master :-)23:04
*** thedodd has quit IRC23:05
* marekd goes to bed23:07
* marekd bye23:07
morganfainbergmarekd, i expect to have FFE exceptions done by next meeting on tuesday23:12
morganfainbergmarekd, :P23:12
*** Bsony has quit IRC23:18
*** lhcheng has joined #openstack-keystone23:25
morganfainbergstevemar: https://review.openstack.org/#/c/166086/1/api/v3/identity-api-v3-os-federation-ext.rst23:26
morganfainbergstevemar, this looks like something new API wise23:26
morganfainbergright?23:26
*** breton has joined #openstack-keystone23:27
*** _cjones_ has quit IRC23:37
*** samueldmq has joined #openstack-keystone23:39
*** harlowja_ has quit IRC23:41
*** markvoelker has quit IRC23:42
*** harlowja has joined #openstack-keystone23:42
stevemarmorganfainberg, yep, it is23:43
stevemarneeds a FFE23:43
morganfainberg~2hr till home.23:47
*** lhcheng has quit IRC23:54
*** lhcheng has joined #openstack-keystone23:57
*** _cjones_ has joined #openstack-keystone23:57
*** gyee has quit IRC23:59
