Tuesday, 2015-03-31

*** sigmavirus24 is now known as sigmavirus24_awa00:09
*** iamjarvo has quit IRC00:10
jamielennoxbknudson: right, i only figured it out when i tried to restrict an operation on the client side if there wasn't a sufficient api version00:16
bknudsonyou can do that?00:16
jamielennoxbknudson: yep, implemented that a while ago for exactly this reason - doesn't help if the server doesn't advertise it though :(00:19
jamielennox.get('/auth/projects', endpoint_filter={'service_type': 'identity', 'interface': 'public', 'version': (3, 3)})00:19
jamielennoxwill raise EndpointNotFound or something similar00:20
bknudsonso we can put that in the auth manager, too?00:20
jamielennoxif keystone wasn't advertising 3.0 for the last 2 years00:21
*** ncoghlan has joined #openstack-keystone00:21
bknudsonwe've also got JSON Home, but there's no client support for it yet.00:21
jamielennoxyea, i think we can do that with like get(resource='jsonhomeid', ...) instead of url, just haven't implemented it yet00:22
bknudsonwhere does the JSON Home document live?00:24
bknudsonclient, session?00:24
jamielennoxi expect we'd treat it like we do with discovery now, cache it on both the client and the session00:25
jamielennoxit's a fairly static page00:25
*** dims has joined #openstack-keystone00:27
*** Tahmina has quit IRC00:27
*** iamjarvo has joined #openstack-keystone00:30
*** iamjarvo has quit IRC00:30
*** iamjarvo has joined #openstack-keystone00:30
openstackgerritMerged openstack/keystone: Bump advertised API version to 3.4  https://review.openstack.org/16877100:41
*** zzzeek has quit IRC00:44
*** lhcheng has quit IRC00:57
*** spandhe has quit IRC01:18
*** henrynash has quit IRC01:21
*** henrynash has joined #openstack-keystone01:21
*** ChanServ sets mode: +v henrynash01:21
*** mitz has quit IRC01:26
*** nkinder has joined #openstack-keystone01:30
*** mitz has joined #openstack-keystone01:36
*** stevemar has joined #openstack-keystone01:39
*** ChanServ sets mode: +v stevemar01:39
*** tqtran has quit IRC01:45
*** erkules has quit IRC01:49
*** erkules_ has joined #openstack-keystone01:49
*** edmondsw has quit IRC01:55
*** samueldmq has quit IRC01:56
*** jacer_huawei has quit IRC01:59
openstackgerritLance Bragstad proposed openstack/keystonemiddleware: Pull echo service out of auth_token.  https://review.openstack.org/16517102:02
*** dims has quit IRC02:07
*** dims has joined #openstack-keystone02:08
ayoungjamielennox, we're getting close: https://review.openstack.org/#/c/151842/3502:11
ayoungNeed Lin to push that one in02:11
ayoungOr Mattias02:12
jamielennoxyep, the DOA part we can handle seperately, just need the horizon forms02:13
jamielennoxthe breakup is kinda dumb here, why the assets are handled by horizon and the routes by DOA - but whatever02:13
*** dims has quit IRC02:14
ayoungjamielennox, I was all ready to start hacking on the sssd thing we were talking about yesterday, but then I showed the devstack one working to nkinder and he said "don't touch it, I need it for a demo."02:18
*** _cjones_ has joined #openstack-keystone02:30
*** ccard_ has joined #openstack-keystone02:32
*** _cjones_ has quit IRC02:33
*** _cjones_ has joined #openstack-keystone02:33
*** ccard__ has quit IRC02:35
*** lhcheng has joined #openstack-keystone02:41
*** jacer_huawei has joined #openstack-keystone02:46
*** iamjarvo has quit IRC02:58
stevemarayoung, hehe03:05
stevemarthat would be a funny convo03:05
stevemarjamielennox, btw, i tossed up new versions of the saml/ecp patches03:06
jamielennoxstevemar: ok03:06
*** harlowja_ is now known as harlowja_away03:07
ayoungstevemar, DOA patche?03:07
*** henrynash has quit IRC03:07
stevemarayoung, naw, client03:09
stevemarhttps://review.openstack.org/#/c/159022/ and https://review.openstack.org/#/c/168678/ if you're interested03:09
ayoungstevemar, I realized that as I parsed ECP03:09
ayoungI am...looks good03:09
*** henrynash has joined #openstack-keystone03:09
*** ChanServ sets mode: +v henrynash03:09
stevemarayoung, think it's worth adding support in the client for getting saml metadata?03:10
ayoungI've looked at it before,  but the real issue is that I won't really be able to evaluate it with out a functioning ECP setup.03:10
ayoungstevemar,  no idea03:10
ayoungwhat is it needed for?03:10
ayoungI was looking at the one on my Ipsilon box, and that was where I noticed the hostname != the IPadress03:11
ayoungbut beyond that...  why would we not have support for the metadata?  Isn't it kindof required to know where to go to get the assertion?03:11
*** bknudson has quit IRC03:16
*** iamjarvo has joined #openstack-keystone03:41
*** ayoung has quit IRC03:48
*** iamjarvo has quit IRC03:51
*** topol has joined #openstack-keystone03:52
*** ChanServ sets mode: +v topol03:53
*** ajayaa has joined #openstack-keystone03:56
*** krtaylor has quit IRC04:11
*** jasondotstar has quit IRC04:12
*** krtaylor has joined #openstack-keystone04:14
*** jasondotstar has joined #openstack-keystone04:14
*** _cjones_ has quit IRC04:15
*** _cjones_ has joined #openstack-keystone04:15
*** drjones has joined #openstack-keystone04:16
*** ajayaa has quit IRC04:19
*** _cjones_ has quit IRC04:20
*** drjones has quit IRC04:21
*** spandhe has joined #openstack-keystone04:21
*** spandhe_ has joined #openstack-keystone04:24
*** spandhe has quit IRC04:26
*** spandhe_ is now known as spandhe04:26
*** lhcheng_ has joined #openstack-keystone04:39
*** _cjones_ has joined #openstack-keystone04:41
*** lhcheng has quit IRC04:42
*** _cjones_ has quit IRC04:44
bretonmorning, keystoneers05:19
openstackgerrithenry-nash proposed openstack/keystone: Refactor identity driver internal clean-up method names  https://review.openstack.org/16916905:26
*** topol has quit IRC05:47
*** markvoelker has quit IRC05:48
stevemarjamielennox, if you have a minute, could you look at: https://review.openstack.org/#/c/159022/6/keystoneclient/v3/contrib/federation/saml.py06:01
jamielennoxstevemar: what headers would you be wanting from that?06:03
jamielennoxcause i agree, i would expect to just get a string06:03
stevemarjamielennox, http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-federation-ext.html#generate-a-saml-assertion06:04
stevemarin the response, there are also 2 headers that are useful06:04
jamielennoxstevemar: and you expect to use those?06:05
stevemarjamielennox, well, they are accessible via the service_provider manager06:05
stevemarso i guess they aren't super necessary06:05
jamielennoxi just assumed that you would have provided those06:06
stevemaryeah, when the service provider is created06:06
jamielennoxmaybe provide both06:07
jamielennoxdo get_saml_assertion_details or something return a  named tuple with all the elements, provide another method which just returns the body06:07
jamielennoxprefer you didn't return a raw response06:07
jamielennoxi've no idea how you expect them to be used as to what information you need from the request - maybe you only want to provide the method that returns the object06:10
stevemarjamielennox, let me mull it over06:11
jamielennoxmost managers return a resource, i don't think you want a resource here, but some form of object is normal06:12
stevemarjamielennox, the more i think about, i don't think it's necessary to return the headers (saml details as you put it)06:18
jamielennoxstevemar: whatever you think06:18
stevemaryeah, if someone wants it, we can revisit it06:19
*** markvoelker has joined #openstack-keystone06:19
stevemarso you would be against returning `resp.content`, you want it in some sort of an object?06:19
openstackgerrithenry-nash proposed openstack/keystone: Remove unnecessary .driver. references in assignment manager  https://review.openstack.org/16918606:20
openstackgerrithenry-nash proposed openstack/keystone: Refactor assignment driver internal clean-up method names  https://review.openstack.org/16916906:23
*** markvoelker has quit IRC06:26
*** spandhe has quit IRC06:36
*** ParsectiX has joined #openstack-keystone06:38
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: Add support to create SAML assertion based on a token  https://review.openstack.org/15902206:43
jamielennoxstevemar: not against resp.content if it makes sense06:46
stevemarjamielennox, cool - i think it does, latest PS should be good06:47
jamielennoxresp.text probably what you want06:47
*** lhcheng_ has quit IRC06:48
stevemarjust rebasing the later one, i'll go back and fix up the earlier one in 2 seconds06:48
*** jamielennox is now known as jamielennox|away06:49
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: Add support to create ECP assertion based on a token  https://review.openstack.org/16867806:49
*** erkules_ is now known as erkules06:49
*** erkules has quit IRC06:49
*** erkules has joined #openstack-keystone06:49
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: Add support to create SAML assertion based on a token  https://review.openstack.org/15902206:56
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: Add support to create ECP assertion based on a token  https://review.openstack.org/16867807:00
*** stevemar has quit IRC07:16
*** markvoelker has joined #openstack-keystone07:22
*** markvoelker has quit IRC07:27
*** jaosorior has joined #openstack-keystone07:28
*** rushiagr_away is now known as rushiagr07:30
*** jistr has joined #openstack-keystone07:43
*** rushiagr is now known as rushiagr_away07:47
*** Ephur has quit IRC08:01
*** ncoghlan has quit IRC08:11
*** pnavarro|off has quit IRC08:22
*** markvoelker has joined #openstack-keystone08:23
*** lhcheng has joined #openstack-keystone08:24
*** markvoelker has quit IRC08:27
*** rushiagr_away is now known as rushiagr08:34
-openstackstatus- NOTICE: CI Check/Gate pipelines currently stuck due to a bad dependency creeping in the system. No need to recheck your patches at the moment.08:53
*** ChanServ changes topic to "CI Check/Gate pipelines currently stuck due to a bad dependency creeping in the system. No need to recheck your patches at the moment."08:53
*** viktors has joined #openstack-keystone08:56
*** rushiagr is now known as rushiagr_away08:57
*** rushiagr_away is now known as rushiagr08:58
*** krykowski has joined #openstack-keystone09:05
*** afazekas has joined #openstack-keystone09:11
openstackgerritVictor Sergeyev proposed openstack/keystone: Migrate_repo init version helper  https://review.openstack.org/13764009:11
openstackgerritVictor Sergeyev proposed openstack/keystone: Share engine between migration helpers.  https://review.openstack.org/13777809:11
openstackgerritVictor Sergeyev proposed openstack/keystone: Add index to the revocation_event.revoked_at.  https://review.openstack.org/13763909:11
openstackgerritVictor Sergeyev proposed openstack/keystone: Fix index name the assignment.actor_id table.  https://review.openstack.org/13763709:11
*** markvoelker has joined #openstack-keystone09:23
*** markvoelker has quit IRC09:28
*** lhcheng has quit IRC09:36
*** jamielennox|away is now known as jamielennox09:41
*** jamielennox is now known as jamielennox|away09:47
*** dims has joined #openstack-keystone10:03
*** topol has joined #openstack-keystone10:20
*** ChanServ sets mode: +v topol10:20
*** pnavarro|off has joined #openstack-keystone10:21
*** markvoelker has joined #openstack-keystone10:24
*** henrynash has quit IRC10:27
*** markvoelker has quit IRC10:29
*** samueldmq has joined #openstack-keystone10:35
*** lhcheng has joined #openstack-keystone10:37
*** lhcheng has quit IRC10:41
boris-42jamielennox|away: ping10:59
boris-42anybody knows how to check is current user admin or not?10:59
boris-42just checking is it in admin project with admin role doesn't sound good=)10:59
samueldmqboris-42, well, what gives the user the ability to do something is the *role* he has and how this role is used across the services' policies :)11:05
boris-42samueldmq: ya that creates issues =)11:06
boris-42samueldmq: if you don't want allow admin user to run some code11:06
samueldmqboris-42, so basically you may have the admin role assigned to a user on a project/domain, and what makes him able to do anything is how you configure your policy11:06
boris-42samueldmq: ya I know11:06
samueldmqboris-42, k, what's the problem you're trying to solve?11:07
boris-42samueldmq: I am working on Rally cleanup mechanism11:07
boris-42samueldmq: that works in next way list() resources -> delete all listed11:07
boris-42samueldmq: the issue is that we would like to support benchmarking from existing users (that passed end user, and not created by Rally)11:08
samueldmqboris-42, so list any created projects, users, etc ...11:08
boris-42samueldmq: if user pass admin instead of non-admin it will list everything=)11:08
boris-42samueldmq: and will clean whole cloud=)11:08
samueldmqboris-42, yes so you need to make sure what operations you required for your benchmarking11:08
samueldmqboris-42, lets say for an specific one you need to CRUD users, ok?11:08
samueldmqboris-42, before starting your benchmarking, make sure the user being used can do every operation you need11:09
boris-42samueldmq: so in such case we just use special names11:09
boris-42samueldmq: the most important thing that I would like to cover is cleanup step11:09
boris-42samueldmq: if some becnhamrk doesn't work because of policies it's not a big deal11:10
boris-42samueldmq: if I delete whole cloud that's the issue=)11:10
samueldmqboris-42, ah, you get everything inside a domain when you list projects, users, etc ...11:10
boris-42samueldmq: yep if I list VMs from admin I will get all VMs from all tenants11:10
samueldmqboris-42, so I'd say you crete a new domain to create resources in, and then after that you just delete the whole domain, makes sense?11:10
boris-42samueldmq: hm domain?)11:10
boris-42samueldmq: any how to?)11:11
samueldmqboris-42, yes users/groups/projects are created in a domain11:11
samueldmqboris-42, ah this is for keystone, that means you can list usres/projects/groups for an specific domain11:12
samueldmqboris-42, for other resources (instances, etc) I am not sure, but I think you can list instances per project11:12
samueldmqboris-42, makes sense?11:12
boris-42samueldmq: ya I think this is a good step of protection11:14
samueldmqboris-42, yeah, if you're running in an existing cloud, I think it's better to create a new domain11:14
samueldmqboris-42, to not mess up with the existing cloud11:15
samueldmqboris-42, so if something unexpected occurs, it will be easy to do a manual cleanup11:15
*** tsufiev_ has joined #openstack-keystone11:15
samueldmqboris-42, gotta to go afk for a bit, I hope this helps :)11:15
boris-42samueldmq: thank you11:15
samueldmqboris-42, np11:16
*** markvoelker has joined #openstack-keystone11:25
*** hogepodge has quit IRC11:27
*** markvoelker has quit IRC11:29
*** ccard__ has joined #openstack-keystone11:32
*** jistr is now known as jistr|english11:32
*** jistr|english is now known as jistr|class11:33
*** ccard_ has quit IRC11:35
*** rushiagr is now known as rushiagr_away11:42
*** tsufiev_ is now known as tsufiev11:42
*** ChanServ changes topic to "High Priority Reviews: https://gist.github.com/dolph/651c6a1748f69637abd0 | Review RC Blocking Reviews. | RC Milestone: https://launchpad.net/keystone/+milestone/kilo-rc1"11:49
-openstackstatus- NOTICE: Check/Gate unstuck, feel free to recheck your abusively-failed changes.11:49
*** rushiagr_away is now known as rushiagr11:54
*** pnavarro|off has quit IRC12:01
*** iamjarvo has joined #openstack-keystone12:08
*** iamjarvo has quit IRC12:08
*** raildo|away is now known as raildo12:11
*** pnavarro|off has joined #openstack-keystone12:14
*** markvoelker has joined #openstack-keystone12:17
*** dims has quit IRC12:25
*** dims has joined #openstack-keystone12:25
*** lhcheng has joined #openstack-keystone12:26
*** lhcheng has quit IRC12:30
*** bknudson has joined #openstack-keystone12:42
*** ChanServ sets mode: +v bknudson12:42
*** gordc has joined #openstack-keystone12:50
*** jistr|class is now known as jistr12:58
*** hogepodge has joined #openstack-keystone13:05
samueldmqdolphm, hi - you around?13:08
samueldmqdolphm, I am getting some sentences from http://dolphm.com/hierarchical-multitenancy/, ok?13:08
*** nkinder has quit IRC13:12
*** ayoung has joined #openstack-keystone13:23
*** ChanServ sets mode: +v ayoung13:23
*** blinky_ghost_ has joined #openstack-keystone13:26
blinky_ghost_hi all, I'm trying to run command "keystone-user list" and I get this error: WARNING:keystoneclient.httpclient:Failed to retrieve management_url from token. This happens If I try to use username, password and tenant. If I use token the command will work. What I'm doing wrong? Thanks13:28
*** rushiagr is now known as rushiagr_away13:29
*** Ephur has joined #openstack-keystone13:29
blinky_ghost_it's workking now my mistake :)13:42
samueldmqblinky_ghost_, keystone user-list ?13:43
*** topol has quit IRC13:44
*** topol has joined #openstack-keystone13:45
*** ChanServ sets mode: +v topol13:45
*** zzzeek has joined #openstack-keystone13:57
*** nkinder has joined #openstack-keystone13:58
*** sigmavirus24_awa is now known as sigmavirus2413:59
*** rushiagr_away is now known as rushiagr13:59
openstackgerritCyril Roelandt proposed openstack/python-keystoneclient: Print an error message when no tenant is specified  https://review.openstack.org/14830514:02
*** ayoung has quit IRC14:05
*** gokrokve has joined #openstack-keystone14:06
*** ParsectiX has quit IRC14:16
*** henrynash has joined #openstack-keystone14:18
*** ChanServ sets mode: +v henrynash14:18
*** ayoung has joined #openstack-keystone14:18
*** ChanServ sets mode: +v ayoung14:18
*** timcline has joined #openstack-keystone14:21
*** henrynash has quit IRC14:22
*** timcline has quit IRC14:24
*** timcline has joined #openstack-keystone14:24
*** timcline_ has joined #openstack-keystone14:26
*** viktors has quit IRC14:30
*** timcline has quit IRC14:30
*** carlosmarin has joined #openstack-keystone14:36
*** mattfarina has joined #openstack-keystone14:36
raildomorganfainberg, morning :)14:38
*** jeffDeville has joined #openstack-keystone14:38
raildomorganfainberg, hey, I have a doubt.  I want  to propose a feature to inherited roles assignments below subdomains, I need to create a spec for this or just a blueprint can be enough to explain this?14:40
morganfainbergBased on what you just described, I'd say spec14:46
raildomorganfainberg, ok :)14:47
htrutaoff-topic: hey, american guys... do you know if I need a US visa to make just a stop in the US?14:47
amakarov_awaymorganfainberg, hi! I wonder if something ever use keystone middleware at all: revocation logic there is still rely on revoked token list - it looks... ancient :)14:49
*** amakarov_away is now known as amakarov14:50
*** openstackgerrit_ has joined #openstack-keystone14:50
morganfainberghtruta: as in a layover? Don't take this as legal advice from me on this, but I think you don't need one for a layover/travel through airspace of the U.S.  But let me do a quick search to see if I can help.14:51
*** ayoung has quit IRC14:51
morganfainberghtruta: if you're doing more than a layover and having to switch terminals and/or go through customs to do so, it depends on where you're from on the visa requirement.14:52
htrutamorganfainberg: I think it's not a layover, since I won't change the airplane14:52
morganfainbergOh airplane is landing and you just wait on the plane?14:52
htrutamorganfainberg: yes... that's it14:53
amakarovhtruta, I'm not an american guy, although afaik is you don't leave transit zone you don't cross US border14:54
htrutaI know that if I was going to switch terminals, I'd need at least the transit visa14:54
morganfainberghtruta: http://travel.stackexchange.com/questions/4859/do-i-need-a-us-visa-to-change-planes-in-an-american-airport again don't assume legal advice14:54
htrutaamakarov, morganfainberg: ok. I think I'll contact the US consular to be sure14:56
morganfainbergamakarov: the old code in ksm is for the token revocation list (list of all tokens revoked) and it is used for pki tokens.14:56
htrutathank you guys14:57
*** Ephur has quit IRC14:57
morganfainberghtruta: it'll probably be a silly short convo and they'll say what that link says. But never hurts to ask them :)14:57
morganfainbergamakarov: you should sync with jamielennox|away on the revocation event code that needs to go in ksm14:58
amakarovmorganfainberg, does this change need a spec?14:58
morganfainbergamakarov: I think we have an approved spec for it already.14:58
htrutamorganfainberg: I'm just trying to convince myself that I don't need one. hehe. But I think I got nowhere to run.14:58
amakarovmorganfainberg, good, thanks for direction14:59
amakarovjamielennox|away, hi! :) ^^ Can you please point me to the spec?14:59
morganfainbergamakarov: I'm looking for the spec now ;)15:00
amakarovmorganfainberg,  me too :)15:00
bknudsonspec for using revocation events in auth_token?15:00
morganfainbergamakarov: I thought we had one. I think I am wrong15:01
morganfainbergbknudson: yeah15:01
bknudsonrevocation events in keystone were done before we were even using specs.15:01
morganfainbergAh right.15:02
morganfainbergamakarov: yep a spec is going to be needed if one hasn't been lingering in gerrit.15:02
*** joesavak has joined #openstack-keystone15:03
*** ayoung has joined #openstack-keystone15:04
*** ChanServ sets mode: +v ayoung15:04
*** dims has quit IRC15:05
morganfainbergbknudson: for the domain configs in sql, we should probably just enforce that the sql driver can't be used in per-domain setups. I don't see a real benefit to it. Since then your default is not domain aware. You could just override the default domains' config to be ldap instead of default everything to ldap except domain X15:05
*** Ephur has joined #openstack-keystone15:05
*** dims_ has joined #openstack-keystone15:08
bknudsonmorganfainberg: seems like if you want to use sql at all you'd want it for your "base" domains and not the per-domains...15:08
bknudsonsince ldap doesn't support multiple domains and sql does15:08
morganfainbergbknudson: exactly.15:09
morganfainbergbknudson: that would solve the per-domain issue you highlighted in Henry's review.15:09
bknudsonmorganfainberg: yes, mostly.15:10
bknudsonstill think you could get parts of an update in a different thread.15:10
morganfainbergNot the reload issue itself. But at least the weird explode-y issues n15:10
bknudsonjust won't allow having 2 sql15:10
morganfainbergOh you totally could get updates in different threads. You need to use optimistic db locking (same thing we do for the decrement of trust consumptions)15:11
morganfainbergbknudson: but subqueries with optimistic locking won't work afaik15:12
*** jsavak has joined #openstack-keystone15:18
openstackgerritayoung proposed openstack/keystone-specs: certmonger  https://review.openstack.org/13409915:19
*** joesavak has quit IRC15:21
*** zigo__ is now known as zigo15:23
lbragstadayoung: have you done anything with dolphm's keystone-deploy stuff on Centos/Fedora/RH?15:25
ayounglbragstad, no15:25
ayounglbragstad, What I tend to do, beyond Devstack, is RDO related15:26
ayoungusually packstack15:26
lbragstadayoung: ok, well in case you want to test it out, I attempted to add support for it https://github.com/dolph/keystone-deploy/pull/715:26
ayounglbragstad, I have worked through deploying using Puppet in a manual (non installer driven approach)15:26
ayoungvery cool15:26
lbragstadayoung: it seems to work on Centos 715:27
ayounglbragstad, what does it use as the base?  Git checkout from tag?15:27
lbragstadayoung: but it will need some work still if dolphm wants to incorporate the "daily" build into the README.md results15:27
lbragstadayoung: yes, it deploys from source15:27
lbragstadayoung: straight up vanilla/default15:28
ayoungplaybooks...is that Ansble?15:28
lbragstadayoung: yep15:28
ayounglbragstad, I might just have to mess around with that myself...15:28
ayoungit will be much more stable than  devstack15:29
lbragstadayoung: please do an feel free to leave comments15:29
*** krykowski has quit IRC15:29
ayounghow does this align with the Ansible OpenStack efforts?15:29
*** stevemar has joined #openstack-keystone15:29
*** ChanServ sets mode: +v stevemar15:29
*** spandhe has joined #openstack-keystone15:30
lbragstadayoung: the os-ansible-deployment https://github.com/stackforge/os-ansible-deployment ?15:31
ayounglbragstad, TBH, I would love to be able to replace devsatck with ansible....15:31
lbragstadayoung: not real sure, I know we have a bunch of people here at Rax that work with it15:31
lbragstadayoung: they all hangout in #openstack-ansible15:32
*** spandhe_ has joined #openstack-keystone15:33
*** spandhe has quit IRC15:34
*** spandhe_ is now known as spandhe15:34
openstackgerritMorgan Fainberg proposed openstack/keystone: Add in further token validation in v3_auth tests  https://review.openstack.org/16402615:34
*** atiwari has joined #openstack-keystone15:35
morganfainbergayoung: added comments to your policy check.15:37
ayoungmorganfainberg, thanks.  I was just reading them.  I'll try to make the code as clear as possible.15:38
morganfainbergayoung: I think it is good but I'd like one more test to clearly show an expected behavior.15:38
morganfainbergSome comments I think would clear the rest of the stuff up.15:38
morganfainbergIt wasn't too bad. And I think gerrit is rendering indent issues that aren't there :(15:39
*** jeffDeville has quit IRC15:40
*** thedodd has joined #openstack-keystone15:40
*** henrynash has joined #openstack-keystone15:44
*** ChanServ sets mode: +v henrynash15:44
*** mestery has quit IRC15:45
*** jeffDeville has joined #openstack-keystone15:46
dstanekayoung: lbragstad: my new dev environment used their ansible playbooks instead of devstack15:55
lbragstaddstanek: ++15:56
lbragstaddstanek: I'm using dolphm's keystone-deploy stuff exclusively if I don't need any other services.15:56
bknudsonwhy would anybody need anything other than keystone?15:57
raildohenrynash, hey, I answered your question in the reseller patches :)15:57
raildodstanek, for you too https://review.openstack.org/#/c/158720/ :)15:57
*** bdossant has joined #openstack-keystone15:58
dstanekraildo: responded inline15:59
*** samueldmq_ has joined #openstack-keystone16:03
*** mestery has joined #openstack-keystone16:03
*** lhcheng has joined #openstack-keystone16:03
*** _cjones_ has joined #openstack-keystone16:05
raildodstanek, thanks :)16:06
openstackgerritAlexander Makarov proposed openstack/keystone-specs: Revocation events for keystonemiddleware  https://review.openstack.org/16939916:07
*** lhcheng has quit IRC16:08
*** jistr has quit IRC16:09
amakarovmorganfainberg, ^^. What if spec is to implement completed blueprint? https://blueprints.launchpad.net/keystone/+spec/revocation-events16:09
amakarovIs blueprint needs to be reopened somehow?16:10
*** bdossant has quit IRC16:18
*** jeffDeville has quit IRC16:29
samueldmqmorganfainberg, updated the keystone meeting page with a topic for hierarchical projects on horizon16:30
samueldmqmorganfainberg, I added a new section 3/31, since the agenda from the last meeting has not been cleaned up yet16:31
morganfainbergYeah sounds good.16:31
morganfainbergamakarov: need one for keystone middleware.16:32
morganfainbergShould be straightforward.16:32
amakarovmorganfainberg, I'll file a new blueprint with a link to completed one16:32
*** spandhe has quit IRC16:35
openstackgerritAlexander Makarov proposed openstack/keystone-specs: Revocation events for keystonemiddleware  https://review.openstack.org/16939916:39
*** jeffDeville has joined #openstack-keystone16:41
*** jeffDeville has quit IRC16:42
*** henrynash has quit IRC16:42
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: Add support to create SAML assertion based on a token  https://review.openstack.org/15902216:43
*** harlowja_away is now known as harlowja_16:45
*** jeffDeville has joined #openstack-keystone16:46
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: Add support to create ECP assertion based on a token  https://review.openstack.org/16867816:47
*** lhcheng has joined #openstack-keystone16:51
*** dims_ has quit IRC16:51
*** dims_ has joined #openstack-keystone16:51
openstackgerritMerged openstack/keystone: Update configuration documentation for domain config  https://review.openstack.org/16575417:01
stevemar12 bugs and 1 bp left!17:05
*** tqtran has joined #openstack-keystone17:09
*** haneef has joined #openstack-keystone17:17
openstackgerritayoung proposed openstack/oslo.policy: Lists for Generic Checks  https://review.openstack.org/16904517:20
*** carlosmarin has quit IRC17:24
dstanekstevemar: stupid jenkins!17:25
openstackgerritAlexander Makarov proposed openstack/keystonemiddleware: Validate tokens against revocation events  https://review.openstack.org/16943817:27
*** carlosmarin has joined #openstack-keystone17:29
*** henrynash has joined #openstack-keystone17:29
*** ChanServ sets mode: +v henrynash17:29
rodrigodsayoung, just a couple of nits there ^17:30
openstackgerritayoung proposed openstack/oslo.policy: Lists for Generic Checks  https://review.openstack.org/16904517:36
ayoungmorganfainberg, for dyanmic policy, since there are so many subordinate specs, does it make sense to have one blueprint, and then each of the pieces set as to_do items  on it?  Top level spec is the overview?  Or do you need on BP per spec for tracking reasons?17:41
stevemardstanek, it should be all better now, no?17:42
dstanekstevemar: i'm hopig17:42
*** ayoung is now known as hopig17:43
hopigno I'm hopig@17:43
*** hopig is now known as ayoung17:43
stevemarhue hue17:43
ayoungPretty sure hopig is a pokemon17:44
ayoungI'll ask my son17:45
morganfainbergayoung: I think we need a bp-per spec for release tracking purposes.17:45
ayoungmorganfainberg, OK.  Will do17:45
morganfainbergstevemar: we should be ready to cut rc next week. So we need to crank on the bugs.17:45
rodrigodsayoung, there is another extra space after a dot17:46
ayoungmorganfainberg, since we graduated oslo to a library on an oslo BP, should I repurpose this one for just the "fetch from keystone" part https://blueprints.launchpad.net/keystone/+spec/policy-enforcement-library17:46
ayoungrodrigods, ignore those please for the love of ....17:46
morganfainbergSure. Or create a new one and mark that superseded.17:46
morganfainbergayoung: whatever is easiest for you on that front.17:46
ayoungmorganfainberg, that one was trying to do too much...I repurpose.17:46
rodrigodsayoung, I'll think about it...17:46
raildoayoung, for the love of rodriGODS17:46
morganfainbergayoung: I still see a test I'd like to see with policy. I'll post up the test in a paste and get feedback.17:47
ayoungmorganfainberg, sure.  more testst gooder17:48
morganfainbergayoung: comments make it a lot easier to see what you are doing. I don't like the token fixture being copied in there. We might want to rely on ksc as a test-requires? And use the common fixture (or we need to get the token fixture someplace sane we don't have to remember to updat everywhere)17:49
ayoungmorganfainberg, Nah.  I just wanted a non-trivial fixture.  In KSC, it reads from JSON etc.17:49
morganfainbergBut making olso rely on ksc for a test would be bad.17:49
ayoungReally, we should be working to make policy non-keystone specific.  Just this shows an application of it17:49
ayoungI'd love to get rid of the role check as a specific check, and use the generic in its place17:50
morganfainbergayoung: sure. Just the copy/paste token implies that is the right way to do it.17:50
morganfainbergOh. We could move role check to keystone. Neutron has a custom check they define.17:50
*** iamjarvo has joined #openstack-keystone17:50
ayoungmorganfainberg, link?17:51
ayoungI'll find it...17:51
morganfainbergWill go hunting post meeting.17:51
ayoung OwnerCheck17:52
ayoungThose are good things...and it almost seems like they should go into Oslo17:52
ayoungThere are also some scary things in their policy.py17:53
bknudsonI might have asked neutron folks to try to get these things into oslo.policy.17:53
bknudsoncame up in an oslo meeting17:54
ayoungbknudson, ++17:54
bknudsonlooks like they haven't switched to oslo.policy yet.17:54
bknudsonstill using from neutron.openstack.common import policy17:55
ayoungNot sure I can unsee some of that17:57
bknudsonyou can't un-see it.17:57
bknudsonnever know what you'll see when you look into the abyss.17:57
*** spandhe has joined #openstack-keystone17:59
*** timcline_ has quit IRC18:01
*** timcline has joined #openstack-keystone18:01
*** topol has quit IRC18:04
*** jamielennox|away is now known as jamielennox18:04
morganfainbergbknudson: I *may* have know what I was sending ayoung to go look at *evilgrin*18:08
*** edmondsw has joined #openstack-keystone18:17
sigmavirus24yeah morganfainberg I saw that previously as well18:18
morganfainbergsigmavirus24: :P18:18
*** packet has joined #openstack-keystone18:24
stevemari think they are intending to move to oslo.policy in L right?18:26
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/16643718:32
openstackgerritayoung proposed openstack/keystone: Group role revocation invalidates all user tokens  https://review.openstack.org/14185418:34
*** samueldmq_ has quit IRC18:40
*** afazekas has quit IRC18:43
stevemarayoung, if you're using devstack, DOA isn't cloned from master, it installs the latest release18:50
jamielennoxstevemar: so is the hockey still going to be running in Vancouver by summit time?18:51
ayoungstevemar, I know, I cloned and python setup.py develop18:51
ayoungjamielennox, it is Canada.  The Hocky is everlasting18:51
jamielennoxi *think* he's joking18:52
*** jaosorior has quit IRC18:52
bknudsondon't start calling everyone a canuck.18:52
jamielennoxdamn, finished before summit18:53
*** stevemar has quit IRC18:54
ayoung'Token' object has no attribute 'is_federated'18:54
ayoungjamielennox, that is the NHL.  So, yeah, that will be over18:54
iamjarvoso i am trying to use the authtoken based flow and I am getting an unauthorized error. http://pastie.org/private/lmzsuxopkw1ptxdt8lyw the users find is failing18:54
ayoungiamjarvo, not TOKEN18:55
ayoungyou was Service token18:55
*** henrynash has quit IRC18:55
ayoungThe way you are calling it, it is tryijng to use a keystone token issued from the server, but 'exit' is ADMIN_TOKEN form your conf file, no?18:55
iamjarvoyea exit is the token in the conf18:56
jamielennoxayoung: he's using endpoint= though - i think that would acutally work18:56
jamielennoxbut i can't remember, old options are hard18:56
iamjarvoold options?18:56
morganfainbergayoung: I'm going to make bootstrap a keystone-manage thing here next cycle. Admin-token causes weird side effects.18:56
jamielennoxiamjarvo: not using session/plugin - the equivalent would be18:57
ayoungiamjarvo, https://review.openstack.org/#/c/82687/20/examples/scripts/initialize_keystone.py,cm18:57
jamielennoxfrom keystoneclient.auth import token_endpoint18:57
jamielennoxfrom keystoneclient import session18:57
jamielennoxa = token_endpoint.Token(token=TOKEN, endpoint=ENDPOINT)18:57
ayoungYou are correct:18:57
ayoung endpoint_plugin = token_endpoint.Token(18:57
ayoung        endpoint=OS_SERVICE_ENDPOINT,18:57
ayoung        token=OS_SERVICE_TOKEN)18:57
jamielennoxs  = session.Session(auth=a)18:57
jamielennoxc = client.Client(session=s)18:58
*** amakarov is now known as amakarov_away18:58
ayoungmorganfainberg, ++  agreed, but we can't kill it since so much automation depends on it.18:59
ayoungGetting the EOL papers filed though would be good.18:59
*** _cjones_ has quit IRC19:00
jamielennoxmorganfainberg, bknudson: so i was trying to resurrect the pecan patch, jsonhome makes an absolute mess and i don't know if i can replicate it exactly19:02
bknudsonjamielennox: does pecan support GET /v3 ?19:03
bknudsonwhat's the issue?19:03
iamjarvoayoung jamielennox  tried this and getting  The request you have made requires authentication.19:03
iamjarvohere is the pastie http://pastie.org/private/beraj210768kty2ixn6jw19:03
jamielennoxbknudson: so pecan uses thread locals for everything, i can't make the GET / issue a GET /v3 call because it trashes the local state19:03
ayoungiamjarvo, did you modify keystone-paste.ini?  There is a middleware piece in there that is enabled by default to let in the admin token. If it is removed, it disables ADMIN_TOKEN login19:04
jamielennoxthere is also a test there that says "if the accept type isn't known you should just return json" which i can probably get around but is just a bug IMO19:04
*** stevemar has joined #openstack-keystone19:04
*** ChanServ sets mode: +v stevemar19:04
bknudsonjamielennox: probably don't need to have GET / call GET /v3... the resources all have to be registered, so maybe GET / reads the registry like GET /v3 does.19:04
jamielennoxbknudson: the problem is that middleware is expanding the references19:05
bknudsonif the accept type isn't known the server should respond with 406 Not Acceptable19:05
jamielennoxso the main controller adds the routers it knows about and then each piece of middleware expands them as it goes out19:05
jamielennoxit's ugly - but clever19:05
iamjarvolooks like its there http://cl.ly/image/3k1i151x1d0U19:06
iamjarvoit was working at one point19:06
bknudsonjamielennox: one of the reasons JSON home was written the way it was because of extensions, and if we don't have that anymore we can just hard-code JSON Home doc.19:07
jamielennoxbknudson: yep, i want to fix that test to be a 406 and generally make the server enforce content types better - this is one of the pecan advantages IMO19:07
jamielennoxbknudson: sure, but that involves ripping up a lot of the paste pipeline19:07
jamielennoxwhich i think is a great idea, just not the relatively subtle change i was hoping this first patch to be19:08
*** stevemar has quit IRC19:08
*** stevemar has joined #openstack-keystone19:08
*** ChanServ sets mode: +v stevemar19:08
iamjarvoi am using ldap if that makes a diff19:11
*** diegows has joined #openstack-keystone19:11
bknudsonjamielennox: HTTP doc actually says servers are allowed to sent back a response that doesn't match the accept.19:13
*** spandhe has quit IRC19:13
bknudsonso 406 is not required.19:13
jamielennoxbknudson: that's annoying, i'm sure there must be a way around that part anyway, pecan is actually fairly strict on what it will let you do in terms of http violations19:14
*** rushiagr is now known as rushiagr_away19:14
jamielennoxbknudson: so i would like this to be a start of us moving all those extensions into config rather than paste pipeline, i just need a way around the jsonhome stuff for now19:15
jamielennoxmaybe i just drop it all as a static blob with a FIXME on it for now19:16
*** jsavak has quit IRC19:16
*** blinky_ghost_ has quit IRC19:19
dstanekis anyone working on https://bugs.launchpad.net/keystone/+bug/1435174 ?19:22
openstackLaunchpad bug 1435174 in Keystone "SSLTestCase errors when building Debian package" [Medium,Triaged]19:22
stevemardstanek, i took a look at it, not much else19:23
dstaneki was planning on seeing if i could reproduce, but i didn't want to waste the time if someone was already working on it19:24
*** spandhe has joined #openstack-keystone19:28
jamielennoxhttps://etherpad.openstack.org/p/from-zero-to-atc keystone is on the "Small and lean" project list :p19:29
iamjarvoayoung jamielennox any tips on debugging?19:29
jamielennoxiamjarvo: sorry, i wasn't following i though ayoung had you - where did you get up to19:30
iamjarvoso i tried the pastie http://pastie.org/private/beraj210768kty2ixn6jw and verified the keystone.ni had the auth stuff19:30
jamielennoxiamjarvo: so the picture you posted ealier is just a pointer to where the middleware lives, you need to ensure that admin_token_auth is in the pipeline19:33
jamielennoxbut it is by default so i assume that's ok19:33
jamielennoxiamjarvo: what is the keystone log telling you?19:34
*** spandhe has quit IRC19:35
iamjarvobottom of log "2015-03-31 19:36:50.494388 17431 WARNING keystone.common.controller [-] Invalid token found while getting domain ID for list request19:37
iamjarvo2015-03-31 19:36:50.496410 17431 WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication."19:37
iamjarvoi see this 2015-03-31 19:36:50.437095 17431 WARNING keystone.common.controller [-] RBAC: Bypassing authorization19:37
stevemardstanek, the SSL bug seemed like an issue with an external lib19:38
dstanekstevemar: that's what i was figuring - lot of SSL churn recently19:39
jamielennoxiamjarvo: ah, ok so off the top of my head if you list users without specifying a domain then it lists projects in the same domains as the token is in, because you are using an ADMIN token there is no domain19:39
jamielennox(someone confirm thtat ^ ?)19:40
jamielennoxiamjarvo: what happens if you specify domain='default' in your list()19:41
iamjarvoi think you are correct19:41
jamielennox(assuming the default domain because of devstack)19:41
iamjarvoso like this? c.users.list(domain='default')19:41
jamielennoxiamjarvo: if that works (which it may not if you are using ldap) we'll see if it works with find()19:44
iamjarvojamielennox this passes user = c.users.list(domain='default', name='cloud_admin'); but this fails c.users.find(domain='default', name='cloud_admin')19:45
jamielennoxthe CRUD commands are horrible :)19:45
iamjarvofind raises the auth error19:46
jamielennoxif you turn on debug what URL is it actually hitting?19:46
ayoungmorganfainberg, it was your fault19:46
ayoungthe double revoke of the tokens?19:46
iamjarvojamielennox ^19:49
jamielennoxiamjarvo: it should tell you the whole URL19:49
jamielennoxlike /v3/projects?domain=xx19:50
iamjarvojamielennox ahh sorry how does debug get turned on?19:50
jamielennoxoh, um script19:50
jamielennoxtry logging.basicConfig(level=logging.DEBUG)19:50
jamielennoxiamjarvo: is find or list? i'm just wondering why they are different19:53
morganfainbergayoung, actually i think someone also refactored some of that too19:54
iamjarvothe one that works19:54
jamielennoxso what does find do?19:54
ayoungmorganfainberg, so the issue is that we emit "revoke all tokens for this user" all over the place19:54
morganfainbergayoung, yep. we sure do19:54
iamjarvojamielennox comparison of find and list in the pastie19:55
jamielennoxiamjarvo: oh ok19:55
ayoungmorganfainberg, including places where, with the revoke API, we do explicit revokes19:55
jamielennoxiamjarvo: so list() knows how to handle domains: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/v3/users.py#L106 and it converts a domain object into a domain_id for you19:56
morganfainbergayoung, it' is partly because of the compat of token revocation list19:56
ayoung  /opt/stack/keystone/keystone/assignment/controllers.py(187)remove_role_from_user()19:56
jamielennoxiamjarvo: so it will rename the domain='default' to domain_id='default'19:56
jamielennoxiamjarvo: if you use find you would need to specify domain_id='default'19:56
morganfainbergayoung, almost all of those were already cases we did revokes, and therefore we needed to continue to issue them :(19:56
iamjarvojamielennox thanks man19:56
iamjarvoso helpful19:57
morganfainbergayoung, it's all part of digging ourselves out of the TRL19:57
iamjarvoi will have to dig into the source some more19:57
jamielennoxiamjarvo: anytime19:57
ayoungthe logic before was "if revoke_by_id"19:57
*** gokrokve_ has joined #openstack-keystone19:57
morganfainbergayoung, yes. we historically did a revoke *ALL* whenever a role changed19:57
morganfainbergbecause scrubbing through the token table to find any token with a given role is a non-starter19:57
morganfainbergsince it's a text search19:57
morganfainbergthose emits were a lot of consolidation.19:58
ayoungmorganfainberg, yeah, but the logic should be to only call that code if token.revoke_by_id.  Which is, I am pretty sure, how I wrote it origianlly19:58
morganfainbergayoung, except we still need the revocation event. what we need is we need the rev. event to grab the role and the TRL to revoke all19:59
morganfainbergso if you turn off one or the other you get sane behavior19:59
*** gokrokve_ has quit IRC19:59
ayoungIf we are doing revoke_by_id, we generate the TRL.  If not, we don't19:59
ayoungbut...if that is too complex, then we need to close this bug "won't fix"19:59
*** gokrokve_ has joined #openstack-keystone19:59
morganfainbergayoung, we still need to revoke for the role (can rev. events handle a specific role revocation?)20:00
ayoungnah, it has to be that, I think, as there are places where we count on the emit_invalidate_user_token_persistence for revoke by user_id20:00
morganfainbergactually i think the logic is still the same20:00
morganfainbergrevoke all tokens for that scope if the role changes20:00
morganfainbergjust not revoke *all* tokens for the user.20:00
*** gokrokve has quit IRC20:00
*** _cjones_ has joined #openstack-keystone20:01
ayoungcan't have it both ways20:01
ayoungthe code tells us to revoke all tokens for the user20:01
morganfainbergayoung, we could include scope info.20:01
ayoungfor TRL?20:01
morganfainbergif scope info is in the emit, we revoke on scope20:01
morganfainbergTRL *and* rev. events can handle scope20:01
ayoungIt does not take any params20:01
ayoungalthough..it must somehow deduce the userid20:01
morganfainbergayoung, we can fix that :P20:01
ayoungbut it is in the identity_api20:02
morganfainbergayoung, there is a case i overloaded how we emit the information20:02
ayoungroles don't belong there20:02
morganfainbergnot role20:02
ayoungaslo not in the id api20:02
morganfainbergif you change a role, you must revoke all tokens for that scope/user/group20:02
ayoungwe need to think this through...not comfortable doing it as a bug fix.20:02
ayoungDefer until Liberty20:02
morganfainbergyeah. lets plan to restructure the internal-callback thingies20:03
morganfainbergand pass real useful information through them20:03
ayoungmorganfainberg, or, we can make the revoke API central, and have it dispatch the logic how to handle an event20:03
ayoungso if we are doing revoke by grant, it can be smart enough to revoke by userid for persisted tokens20:04
ayoungdrop the "emit" part of it, as the revoke API already operates that way20:04
ayoungmake sense?20:04
ayoungand...let's not do it as decorator. It's abusive.20:05
morganfainbergayoung, notice other notifactions for cadf aren't decorators now?20:07
morganfainbergayoung, yeah20:07
morganfainbergthat is dieing.20:07
morganfainbergayoung, i plan on refactoring it as a context manager so you can get success/failure info too20:07
morganfainbergrather than if/else/try/except/finally everywhere20:07
morganfainbergi also want to rip out our policy enforcement decorators20:08
morganfainbergmove to "call enforcement when we want to enforce"20:08
morganfainberghave a decorator that we use that "ensure enforce was called" or similar20:08
morganfainbergso we can be alerted if a call that is meant to be protected isn't, or we can use it as a tracepoint. but enforcement happens where enforcement should happen. it would simplify a lot of things, no more needing wonky callbacks to make enforcement sane20:09
ayoungAh, wait, I was looking at the grant delete20:09
ayounghe's revoking a token. I bet the code is the same, though.20:09
ayoungWow the revoke_token code has gotten complicated20:12
*** ayoung has quit IRC20:17
*** henrynash has joined #openstack-keystone20:18
*** ChanServ sets mode: +v henrynash20:18
*** jeffDeville has quit IRC20:22
*** _cjones_ has quit IRC20:22
*** henrynash has quit IRC20:30
*** ayoung has joined #openstack-keystone20:33
*** ChanServ sets mode: +v ayoung20:33
*** _cjones_ has joined #openstack-keystone20:33
*** _cjones_ has quit IRC20:40
*** david-lyle has quit IRC20:40
*** bernardo-silva has joined #openstack-keystone20:41
*** _cjones_ has joined #openstack-keystone20:42
rodrigodsayoung, +2 (hope anyone else complain about the extra space)20:42
rodrigodsayoung, https://review.openstack.org/#/c/169045/20:43
ayoungOh, yeah, its policy.  TYVM!20:43
rodrigodsayoung, heh np :)20:44
*** Ephur has quit IRC20:45
dstanekVancouver sounds exciting - http://thefreethoughtproject.com/vancouver-police-officer-smashes-drivers-window-refusing-driver-arrest/20:52
*** ayoung has quit IRC20:54
openstackgerritMerged openstack/keystone: Rename notification for create/delete grants  https://review.openstack.org/16750120:54
*** nkinder has quit IRC20:57
*** arif-ali has joined #openstack-keystone20:57
*** nkinder has joined #openstack-keystone20:57
stevemardstanek, yep, i heard about that20:58
stevemaranother bug down! yay21:02
dstaneki hate that i have to do to each one to see if i've already reviewed it21:03
morganfainbergoh my, PTL election season is upon us.21:05
morganfainbergit's a magical time of year..21:05
morganfainbergor something21:05
rodrigodsare you starting the campaign, morganfainberg ?21:06
morganfainbergnah. not until the time we have to send emails to the ML.21:06
*** ayoung has joined #openstack-keystone21:07
*** ChanServ sets mode: +v ayoung21:07
*** packet has quit IRC21:08
*** packet has joined #openstack-keystone21:10
stevemarmorganfainberg, 4 more years!21:11
morganfainbergi'd probably die21:11
stevemardie a hero though21:11
morganfainbergi think i'll stick with 6 months more at a shot. tyvm21:11
dstanekhaha. seems like PTL is a sink hole21:12
stevemarits something alright21:13
stevemarall the blame, none of the glory21:13
stevemarand no time for code :P21:13
morganfainbergstevemar, c.. co... code? whjat is this C-oh-duh you speak of?21:14
morganfainbergsince topol isn't here, we should make him the PTL :P21:15
morganfainbergoh it's not April 1st yet >.>21:15
stevemarhe is traveling tomorrow, it'll be a surprise for when he lands21:15
*** raildo is now known as raildo|away21:15
morganfainbergi know21:15
morganfainbergtalked w/ him yesterday21:15
stevemarhehe, i could msg him tomorrow saying he is now PTL. it'll be a great april fools day joke21:16
*** david-lyle_ has joined #openstack-keystone21:19
*** henrynash has joined #openstack-keystone21:21
*** ChanServ sets mode: +v henrynash21:21
*** atiwari has quit IRC21:22
*** atiwari has joined #openstack-keystone21:24
*** atiwari has quit IRC21:30
*** atiwari has joined #openstack-keystone21:31
*** samueldmq_ has joined #openstack-keystone21:32
*** samueldmq_ has quit IRC21:33
*** gordc has quit IRC21:34
*** samueldmq has quit IRC21:34
*** samueldmq has joined #openstack-keystone21:35
*** nkinder has quit IRC21:42
*** david-lyle_ is now known as david-lyle21:43
*** stevemar has quit IRC21:51
openstackgerritMerged openstack/keystone: Updated from global requirements  https://review.openstack.org/16643721:51
*** mattfarina has quit IRC21:58
openstackgerritMerged openstack/python-keystoneclient: Allow requesting an unscoped Token  https://review.openstack.org/16911121:59
*** david-lyle has quit IRC22:02
*** harlowja_ is now known as harlowja_away22:04
*** harlowja_away is now known as harlowja_22:07
openstackgerritDavanum Srinivas (dims) proposed openstack/oslo.policy: Avoid reloading policy files in policy.d for every call  https://review.openstack.org/16953522:18
openstackgerritDavanum Srinivas (dims) proposed openstack/oslo.policy: Avoid reloading policy files in policy.d for every call  https://review.openstack.org/16953522:19
openstackgerritDavanum Srinivas (dims) proposed openstack/oslo.policy: Avoid reloading policy files in policy.d for every call  https://review.openstack.org/16953522:20
*** harlowja_ has quit IRC22:21
*** bernardo-silva has quit IRC22:23
*** bernardo-silva has joined #openstack-keystone22:24
openstackgerritayoung proposed openstack/keystone-specs: Service Catalog Subsets by ID  https://review.openstack.org/16090922:25
*** harlowja has joined #openstack-keystone22:26
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Deprecate auth_token authentication  https://review.openstack.org/12706622:27
*** bernardo-silva has quit IRC22:28
*** ayoung has quit IRC22:29
jamielennoxwtf - there's a clippy on my gerrit review page22:33
morganfainberg"it looks like you are trying to review some code"22:34
morganfainbergjamielennox, let me guess it's April 1st for you...22:34
bknudsonfor april 1st I'm going to +2 every review.22:35
*** timcline has quit IRC22:35
morganfainbergbknudson, hah22:35
jamielennoxthat would be special22:36
*** packet has quit IRC22:36
*** nkinder has joined #openstack-keystone22:38
*** sigmavirus24 is now known as sigmavirus24_awa22:42
*** iamjarvo has quit IRC22:48
*** devlaps has joined #openstack-keystone22:50
*** packet has joined #openstack-keystone22:50
*** henrynash has quit IRC22:51
*** devlaps1 has joined #openstack-keystone22:53
*** devlaps has quit IRC22:54
*** devlaps1 has quit IRC22:54
*** devlaps has joined #openstack-keystone22:55
*** darrenc is now known as darrenc_afk22:59
*** iamjarvo has joined #openstack-keystone23:02
*** thedodd has quit IRC23:07
*** carlosmarin has quit IRC23:11
*** dims_ has quit IRC23:14
morganfainbergnkinder, ping - I'll be in the bay area the 15/16th. presenting at the meetup in sunnyvale, but will be headed out for some drinks afterwards on the 16th.23:14
morganfainbergnkinder, if you're around that is.23:14
*** atiwari1 has joined #openstack-keystone23:16
nkindermorganfainberg: cool!  I'll be around.23:17
*** dims_ has joined #openstack-keystone23:17
nkindermorganfainberg: keep me updated with the plan as it gets closer23:17
morganfainbergsure thing.23:17
*** atiwari has quit IRC23:18
*** darrenc_afk is now known as darrenc23:22
*** edmondsw has quit IRC23:24
*** bigjools has joined #openstack-keystone23:28
*** lhcheng is now known as lhcheng_afk23:31
*** zzzeek has quit IRC23:38
*** raildo has joined #openstack-keystone23:39
*** iamjarvo has quit IRC23:49
*** iamjarvo has joined #openstack-keystone23:51
*** ayoung has joined #openstack-keystone23:57
*** ChanServ sets mode: +v ayoung23:57

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!