Thursday, 2015-04-02

*** obedmr has quit IRC [00:14]
<lhcheng> lbragstad: how does keystonemiddleware validate the fernet token? Looking for the commit where that is added. [00:21]
<jamielennox> lhcheng: fernet tokens are validated just the same as a UUID token [00:21]
<bknudson> there's nothing in auth_token middleware for fernet tokens... [00:23]
<bknudson> luckily they don't start with MII [00:23]
<morganfainberg> there shouldn't be anything specific in auth_token for fernet (except if we add revocation event support) [00:24]
<bknudson> how would auth_token even know it was a fernet token? [00:24]
<lhcheng> jamielennox: UUID token is looked up in the DB while fernet should not, wondering how would middleware validate the fernet token [00:24]
<morganfainberg> bknudson, wouldn't matter, revocation event support is universal benegit [00:24]
<morganfainberg> benefit* [00:24]
<bknudson> lhcheng: auth_token doesn't do lookup in the DB. [00:25]
<morganfainberg> that could be considered something for fernet tokens that we finished for them. [00:25]
<jamielennox> lhcheng: that's a server side problem, as far as auth_token is concerned it can't validate it locally and it just asks keystone to do it [00:25]
<morganfainberg> lhcheng, keystone rebuilds the token when it validates a fernet token [00:25]
<morganfainberg> lhcheng, vs. where uuid does the lookup [00:25]
<morganfainberg> lhcheng, to the DB. middleware doesn't care if it's uuid or fernet or anything (except PKI) [00:26]
<lhcheng> bknudson: oops I mean middleware have to make a keystone call to validate if the UUID is in the DB [00:26]
<bknudson> middleware make a keystone call to validate fernet tokens, too. [00:26]
<lhcheng> bknudson: ah! [00:27]
<lhcheng> that's what I am missing [00:27]
<bknudson> there's no new code in auth_token since that's the default behavior. [00:28]
<bknudson> any token that doesn't start with MII gets sent to the server. [00:28]
<lhcheng> bknudson: cool, I get the big picture now [00:28]
<lhcheng> during the initial fernet spec, I thought the non-persistent token validation would be done in middleware [00:30]
<lhcheng> but I guess the user info still needs to be fetched from the db [00:30]
*** htruta has joined #openstack-keystone [00:31]
<bknudson> I thought there might be something that could be done in middleware, too. [00:31]
<jamielennox> fernet tokens are essentially the same as a signed cookie in the web world, still need to get back to the server for unpacking [00:32]
<bknudson> y, but if you can tell it's wrong just by looking at it then no need to bother the server. [00:33]
<lhcheng> can't it be unpacked/validated on the middleware? that would reduce the load on keystone [00:34]
<morganfainberg> lhcheng, there isn't enough data in the token to know all the token body info [00:34]
<morganfainberg> lhcheng, PKI can, but PKI tokens are HUGE [00:34]
<bknudson> you could validate something if you had the key. [00:34]
<jamielennox> that would be signed & hashed, but you would get into key distribution [00:35]
<lhcheng> jamielennox: so it is more of key distribution the reason why we don't want to validate in the middleware? [00:35]
<jamielennox> lhcheng: what you're asking for with middleware validation is PKI tokens, even if we unpacked a fernet token on the middleware all we could validate would be the expiry time [00:36]
<jamielennox> you would still need to ask keystone for everything else [00:36]
<lhcheng> morganfainberg: yeah, I understand that after unpacking it still needs to fetch some data in the backend. we really can't get away not going back to keystone. but just thinking the middleware can do some pre-filtering of valid tokens [00:37]
<morganfainberg> lhcheng, well you can't know if the token is valid unless you validate the HMAC signature [00:38]
<morganfainberg> lhcheng, we don't trust an endpoint with the fernet key (this is symmetrical crypto) [00:38]
<morganfainberg> lhcheng, because then the endpoint could issue tokens. keystone doesn't want that to happen [00:39]
<morganfainberg> lhcheng, so the only option is: ask keystone if it's valid [00:39]
<jamielennox> lhcheng: the security issues that come with validating enough to read the expiry issue don't make it worth it to only check expiry, the cache will remember expiry for future so it'll only be one call [00:39]
<jamielennox> morganfainberg: i haven't actually looked at the implementation is it GCM or some sort of hmac as well? [00:39]
<morganfainberg> jamielennox, HMAC(Creation_time, AES(Payload)) [00:39]
<morganfainberg> jamielennox, afaik [00:40]
<morganfainberg> and the fernet-key is 2 keys, one for signing, one for AES [00:40]
<lhcheng> morganfainberg: good point. yeah, we don't want the keys on the endpoint. security won't be happy. [00:40]
<lhcheng> jamielennox: I see, we don't really get much improvement then. [00:41]
<morganfainberg> lhcheng, not storing the token in SQL/Memcache/Redis > performance of end-point validation [00:41]
<morganfainberg> lhcheng, we can crank caches up to avoid issues with heavy DB calls. we can't really deal with ~1MM-100MM tokens in active storage. [00:42]
<morganfainberg> lhcheng, or more. [00:42]
<lhcheng> morganfainberg: when I generated the fernet key in fernet-keys directory, there is a 0 and 1 file [00:42]
<lhcheng> which one is used for signing and encrypting? [00:42]
<morganfainberg> lhcheng, i think 0 is staging and 1 is active. 2 would be rotated but not removed [00:43]
<morganfainberg> lhcheng, i *think* [00:43]
<morganfainberg> lhcheng, i'd need to go re-look at the implementation for that [00:43]
<bknudson> the key is split into 2 parts. [00:43]
<lhcheng> bknudson: so one file actually contains two keys? [00:43]
<morganfainberg> lhcheng, yes. [00:44]
<morganfainberg> lhcheng, one for the HMAC signing, one for the AES encryption of the payload [00:44]
<bknudson> it's 1 long string that's 2 parts. [00:44]
*** diegows has joined #openstack-keystone [00:44]
<bknudson> this is documented in the fernet spec. [00:44]
<lhcheng> ah, have to re-read the spec again [00:46]
<lhcheng> bknudson: thanks [00:46]
<lhcheng> I think I got all my questions answered. thanks morganfainberg bknudson jamielennox ! [00:48]
<lhcheng> will test it out more in a bit [00:50]
*** devlaps has joined #openstack-keystone [00:50]
*** lhcheng is now known as lhcheng_afk [00:50]
<dstanek> bknudson: is it possible to get an attribute error on https://review.openstack.org/#/c/163322/10/keystone/identity/core.py ? [00:54]
<bknudson> dstanek: could get a KeyError since it's a dict. [00:55]
<bknudson> that codepath isn't tested. [00:56]
<dstanek> yeah, that's what i put in a review comment [00:57]
<dstanek> not about the testing, but about the exception type [00:57]
<dstanek> i'm assuming that we want to fix that before merging [00:58]
<bknudson> might as well [00:58]
<bknudson> this approach seems to have bigger problems. [00:58]
<dstanek> bknudson: like what? [01:02]
<dstanek> i haven't thought through all of the boolean logic yet [01:03]
<morganfainberg> dstanek, cached configs + reload across processes for 1 [01:03]
<bknudson> dstanek: if there's an update in 1 thread and a read in another thread they'll pick up random values [01:03]
<bknudson> each config option is written in a separate transaction [01:03]
<morganfainberg> bknudson, we should be able to figure a way to bundle config updates together. [01:04]
<bknudson> y, it would actually be easier. [01:04]
<bknudson> for some reason the code was written to be as complicated as possible. [01:04]
<dstanek> job security [01:07]
<bknudson> dstanek: don't even joke about that ... I've seen it work [01:08]
<dstanek> would differences across processes be a big deal? seem no different than multiple keystone instance [01:08]
<morganfainberg> dstanek, it could [01:08]
<morganfainberg> esp. if values such as "password" and "connect string" changed independently [01:08]
<bknudson> I just don't like random behavior [01:09]
<morganfainberg> dstanek, it should be possible to bundle the update into a single transaction that guarantees atomicity for a bigger update than a single element [01:09]
<dstanek> if we got inconsistent reads within greenlets because only half the data is loaded...well there would be some unreproducible and undebuggable bug reports [01:09]
<morganfainberg> dstanek, yes. [01:09]
<bknudson> I like unreproducible. [01:09]
<bknudson> close it. [01:09]
<morganfainberg> bknudson, lol [01:09]
<dstanek> lol [01:09]
<morganfainberg> dstanek, i think the right answer is also to force a cache reload on a fixed window for this type of stuff. Aka "cache for X seconds on a mod 30" or something like that, so any/all processes would pickup the change at the same time [01:10]
<morganfainberg> dstanek, rather than typical "Cache for X seconds" where X starts at "whenever" x was first read [01:10]
<dstanek> one problem i ran into at my previous employer was when we have config values and depended on each other. we would reload a config and if you hit the wrong time you would get inconsistent results. [01:12]
<morganfainberg> dstanek, yeah. that's exactly this problem [01:12]
<dstanek> that was not fun to figure out [01:12]
<bknudson> dstanek: how did you fix it? [01:12]
<morganfainberg> i think we can solve it by allowing the config to be uploaded and/or all options to be updated in a single transaction. [01:13]
<openstackgerrit> Merged openstack/oslo.policy: Avoid reloading policy files in policy.d for every call  https://review.openstack.org/169535 [01:13]
<morganfainberg> if someone changes each option individually, we can't stop them from breaking things [01:13]
<bknudson> the database provides a distributed lock. [01:13]
<morganfainberg> but we can make it so that the options are sane. [01:13]
*** harlowja is now known as harlowja_away [01:14]
<bknudson> I'm going to use mongodb for my configs. [01:14]
<morganfainberg> and then for caching we just do some math to ensure all options are reloaded on the same window for all processes/threads/greenlets/whatever [01:14]
<bknudson> webscale [01:14]
<dstanek> does this review need to get in for K? [01:14]
<dstanek> bknudson: yup [01:14]
<morganfainberg> bknudson, i... i'll give you a pass cause it's april 1 and you've been dealing with clippy [01:14]
<morganfainberg> bknudson, :) [01:14]
<morganfainberg> dstanek, we can bounce this out. the API is already experimental. [01:14]
<morganfainberg> dstanek, it means a keystone restart is still needed to pickup changes, but that at least is a known quantity [01:15]
<morganfainberg> dstanek, vs. random behavior [01:15]
<bknudson> the whole feature is experimental [01:15]
<morganfainberg> bknudson, yes [01:15]
<bknudson> so I'm not going to get too hung up on it [01:16]
<bknudson> as long as users know what they're getting in to [01:16]
<morganfainberg> this will need some cleanup in L [01:16]
<morganfainberg> actually probably a lot of cleanup. [01:16]
*** stevemar has joined #openstack-keystone [01:16]
*** ChanServ sets mode: +v stevemar [01:16]
<dstanek> we actually decided that controlled restarts were better anyway - we made sure the config could vary across nodes and just bounced them [01:16]
<bknudson> hopefully we can get some functional tests for it. [01:16]
<dstanek> take X at a time out of the LB and restart. easy peasy [01:17]
<dstanek> also yesterday i decided to take thurs and fri off to take the kids on a road trip to NC so i won't be around much during the day [01:19]
<bknudson> spring break! [01:19]
*** mattfarina has joined #openstack-keystone [01:19]
<bknudson> you can see topol [01:20]
*** edmondsw has quit IRC [01:20]
<morganfainberg> dstanek, i think it might be sanest to not do automatic reloads of this feature to start. [01:20]
<morganfainberg> we can poke henrynash about that - it at least keeps behavior consistent vs. wildly inconsistent [01:21]
*** _cjones_ has quit IRC [01:21]
<morganfainberg> but i'm not going to get too crazy since we know it has issues we have said it's experimental and we can fix in L [01:21]
<morganfainberg> or work on fixing in L [01:21]
<morganfainberg> bknudson, actually even now we might end up with weird issues.. since mod_wsgi will startup new workers at random times.. it might mean a worker is broken for its lifespan [01:22]
<morganfainberg> bknudson, ick :( [01:22]
<bknudson> it would have to be a short lifespan... what's the cache timeout? [01:24]
<morganfainberg> looks configurable, but checking [01:25]
<bknudson> I assume caching is turned off by default. [01:26]
<morganfainberg> https://github.com/openstack/keystone/blob/master/keystone/resource/core.py#L1244 [01:26]
<morganfainberg> uses the @memoize decorator mechanism [01:26]
<morganfainberg> so yeah [01:26]
<morganfainberg> it'll be off by default meaning we reload *every* request. [01:27]
<bknudson> needs a big warning. [01:27]
<stevemar> dstanek, and topol hanging out in NC [01:30]
<bknudson> what's NC famous for... basketball? they'll play bball. [01:31]
*** mattfarina has quit IRC [01:31]
<bknudson> and eat bbq [01:31]
<bknudson> we could have the mid-cycle there sometime. [01:32]
<openstackgerrit> Merged openstack/python-keystoneclient: Add support to create SAML assertion based on a token  https://review.openstack.org/159022 [01:32]
<bknudson> I hear they're going to have the nova midcycle here in rochester [01:32]
<bknudson> a little angry bird told me. [01:32]
*** tqtran is now known as tqtran_afk [01:35]
<dstanek> bknudson: that would be a nice little road trip for me. i'd love to see how they do it [01:40]
<openstackgerrit> Merged openstack/python-keystoneclient: Add support to create ECP assertion based on a token  https://review.openstack.org/168678 [01:44]
*** erkules has quit IRC [01:49]
*** erkules_ has joined #openstack-keystone [01:50]
*** dims_ has joined #openstack-keystone [01:52]
<ayoung> https://review.openstack.org/#/c/163322/10/keystone/identity/core.py,cm  morganfainberg shouldn't we say that we only support LDAP, as opposed to saying we don't support LDAP? We really don't want a dogpile based driver there either, do we? [01:56]
<morganfainberg> ayoung, a dogpile based driver should be fine if someone wanted it [01:57]
<morganfainberg> ayoung, the issue with SQL is shared connection strings etc [01:57]
<morganfainberg> ayoung, iirc [01:57]
<ayoung> "should be" is one thing, but shouldn't we minimize scope on this [01:57]
<ayoung> do we need it for anything other than LDAP? [01:57]
<openstackgerrit> Merged openstack/python-keystoneclient: Don't autodoc the test suite  https://review.openstack.org/162525 [01:58]
<morganfainberg> ayoung, i am fine with it being LDAP only to start. [01:59]
<ayoung> I would like to revisit the "externalize SQL configs" at the L summit. [01:59]
<ayoung> Especially since they have passwords in them [01:59]
<morganfainberg> sure [02:03]
*** dims_ has quit IRC [02:03]
*** dims_ has joined #openstack-keystone [02:04]
*** dims_ has quit IRC [02:08]
<ayoung> morganfainberg, I think, though, that I am going to stay out of that review unless there is something seriously wrong. It looks good at a first approx. [02:09]
<ayoung> jamielennox, I wonder if there is a hack to make Apache HTTPD respond on a domain socket? [02:19]
<jamielennox> httpd on a socket? why [02:20]
<ayoung> jamielennox, your proxy idea...for an all in one deployment [02:20]
<ayoung> Nova talks to Keystone via domain socket [02:20]
<jamielennox> why would we put that on apache? [02:20]
<ayoung> Cuz we still need to expose Keystone as an API [02:20]
<jamielennox> wait you want to talk to the PEP or you want to talk to keystone over the socket [02:21]
<ayoung> jamielennox, any of the nova calls that would have to go to Keystone such as local token validations, fetching policy, etc [02:21]
*** lhcheng_afk has quit IRC [02:22]
<ayoung> basically, the degenerate case: all in one, make the code the same as it would be for a remote TCP based call [02:22]
<jamielennox> ayoung: i wasn't thinking of this as a generic proxy object, i was thinking you'd configure auth token with these [02:22]
<jamielennox> i don't think there's much point in putting HTTP between these points [02:23]
<ayoung> jamielennox, you should know by now that you have to be careful when you set me off thinking [02:23]
<jamielennox> there are only some things i think it is worth proxying and i think that the way you query it would be different [02:24]
<openstackgerrit> Merged openstack/keystone: Remove unnecessary .driver. references in assignment manager  https://review.openstack.org/169186 [02:24]
<openstackgerrit> Merged openstack/keystone: Fix for migration 062 on MySQL  https://review.openstack.org/168003 [02:24]
<jamielennox> for example policy, you'd ask a yes or no question [02:24]
<openstackgerrit> Merged openstack/keystone: More content in the guide for core components' migration  https://review.openstack.org/164188 [02:24]
<jamielennox> the advantage of http/httpd in general here is some marshalling and auth, and i don't think you should need to auth to the PEP [02:25]
<openstackgerrit> Merged openstack/keystone: Correcting the name of directory holding dev docs  https://review.openstack.org/169601 [02:26]
<lbragstad> bknudson: dolphm was working on a keyless fernet thing to determine if a fernet token was valid or not without decrypting it [02:35]
<ayoung> jamielennox, I'm not disagreeing...let's take the policy examples. If we set it up to do from an all in one...we'd need the same interface for a non-all in one, HTTP or not. In the Not HTTP case, we can skip all of the auth stages. I suspect that we could talk wsgi direct to the python code, and skip all the HTTPD setup, and probably a good chunk of the middleware [02:41]
*** darrenc is now known as darrenc_afk [02:42]
<jamielennox> ayoung: it sounds like you're talking about starting with the existing keystone code and replacing backends [02:44]
<morganfainberg> ayoung, docker [02:45]
<morganfainberg> ayoung, >.> [02:45]
<morganfainberg> ayoung, isolate keystone and other competing services in the "all-in-one" case. [02:46]
<morganfainberg> make it look like production-like [02:46]
<ayoung> jamielennox, nah, I want to start with the routers [02:46]
<ayoung> morganfainberg, explain? [02:46]
<morganfainberg> ayoung, containers, give ips to the containers, keystone, ipa, etc all talk TCP, single "real" host, but virtualized [02:47]
<morganfainberg> i wouldn't try and make things talk on domain sockets for the all-in-one [02:47]
<ayoung> morganfainberg, kindof the opposite of what I was thinking [02:47]
<morganfainberg> ayoung, i know. [02:48]
<ayoung> for the all in one case, we can put everything in one HTTPD server, just trying to lighten the touch for things that need to be served from Keystone [02:48]
<ayoung> and make the non-all-in-one case just have performance for those calls...and then look at a proxy on the remote server to deal with performance [02:49]
<jamielennox> ayoung: i don't think we want to replicate anything like the full keystone routers space [02:50]
* morganfainberg glares at corporate travel website. [02:50]
<ayoung> jamielennox, but it wouldn't be replicated...I think. What if we could talk WSGI directly to the python code from Keystone client....call it local mode [02:51]
<jamielennox> i was thinking like dbus for communication to the PEP [02:51]
<ayoung> dbus is still text [02:51]
<jamielennox> yep [02:51]
<ayoung> so, put the json on dbus [02:52]
*** rushiagr_away is now known as rushiagr [02:52]
<ayoung> you'd still want to hit the router. [02:52]
<jamielennox> do you have a dependency on glib for dbus? [02:52]
<ayoung> I don't know... [02:53]
<ayoung> It's a socket, so, let's assume we can work around it if we do [02:53]
<ayoung> jamielennox, sssd-dbus does not depend on glib [02:55]
<jamielennox> anyway, doesn't matter, i just mean i don't think for speed reasons you would want to have access control between the pep and auth_token [02:55]
<ayoung> dbus python does require glib [02:55]
<ayoung> jamielennox, these kind of use cases are what we have Message Queueing for [02:56]
<ayoung> so maybe that is the answer? [02:56]
<jamielennox> ayoung: i don't want this stuff on an rpc bus either [02:56]
<jamielennox> also the point is local [02:56]
<ayoung> Any service that needs to query Keystone has to go via AMQP, but that can be a local socket [02:57]
<jamielennox> we could speed things up today if we were able to talk to keystone over rpc [02:57]
<ayoung> I still think policy should be enforced by the process in the webserver, not by asking keystone about it. That is just one case, though. And we'd still need a way to query policy, cache it, and ask for updates, as well as get notified of updates. [02:59]
*** darrenc_afk is now known as darrenc [02:59]
<jamielennox> ayoung: the rejection needs to happen in the web server obviously, it's about somewhere that can be on the bus and store all the state and handle queries [03:04]
<morganfainberg> hmm [03:06]
<morganfainberg> looks like to get to DC i need to fly through MSP [03:06]
*** htruta has quit IRC [03:12]
*** spandhe has quit IRC [03:12]
*** spandhe has joined #openstack-keystone [03:12]
*** spandhe has quit IRC [03:13]
*** rushiagr is now known as rushiagr_away [03:13]
*** htruta has joined #openstack-keystone [03:15]
<morganfainberg> bknudson, how is MSP as a layover airport? [03:15]
*** htruta has quit IRC [03:24]
*** lhcheng_afk has joined #openstack-keystone [03:30]
*** rm_work|away is now known as rm_work [03:31]
*** h_m has quit IRC [03:31]
*** samueldmq has quit IRC [03:36]
<morganfainberg> ayoung, mod_openstack_auth? [03:37]
<ayoung> morganfainberg, well, no. Not the way I was suggesting it. But...as a standalone thing, it has some promise... [03:38]
<ayoung> I could see the argument for taking most of auth_token middleware and doing it in C as a module for performance and deployment reasons, and also that it would work for other languages [03:39]
<ayoung> stack it behind Mod mellon, then have the mod_o_a do all of the local authorization work after that: fetch the mapping, policy check... [03:40]
<ayoung> morganfainberg, if the APIs had the project_id in the request, we could do policy without fetch objects, and then have a later check that just ensured the object's project_id matched the one sent in the request [03:40]
<ayoung> hmmmm [03:41]
<ayoung> maybe we should split that up... [03:41]
*** h_m has joined #openstack-keystone [03:43]
*** jamielennox is now known as jamielennox|away [03:51]
<lhcheng_afk> morganfainberg: fernet tokens have some issue with horizon, the problem is on the django_openstack_auth side [03:52]
*** lhcheng_afk is now known as lhcheng [03:52]
<lhcheng> morganfainberg: due to the token hashing done in : https://github.com/openstack/django_openstack_auth/blob/master/openstack_auth/user.py#L82 [03:52]
<morganfainberg> lhcheng, makes sense [03:52]
<morganfainberg> the hashing is naive [03:52]
<morganfainberg> we need to fix it [03:53]
<lhcheng> morganfainberg: yeah, the hash so happens matches the id in the cache. so it just works by chance :( [03:53]
<morganfainberg> well no [03:53]
<lhcheng> morganfainberg: yeah, I'll look at that in L [03:53]
<morganfainberg> the hash is looking for PKI tokens and knows how to hash those [03:54]
<morganfainberg> to the unique/short_id [03:54]
<morganfainberg> fernet doesn't need that [03:54]
<morganfainberg> DOA just needs to be more specific about PKI(Z) hashing [03:54]
<lhcheng> morganfainberg: I thought it works because the id is in the middleware cache, so it just assumes it's okay? [03:54]
<morganfainberg> nope [03:54]
<morganfainberg> because you can hash pki_id -> short/uuid-looking-id [03:54]
<morganfainberg> and we do that inside keystone for the index [03:54]
<lhcheng> hmm but this works for asn1 too [03:55]
<morganfainberg> and you can reference either pki-id or short-hash-of-pki-id when validating a token [03:55]
<morganfainberg> PKI(Z) is ASN1 [03:55]
<morganfainberg> uuid you don't need to hash [03:55]
<morganfainberg> since it's already a short-token [03:55]
<lhcheng> morganfainberg: horizon can't really tell what token format it is looking at [03:57]
<lhcheng> morganfainberg: what do you think the long term solution would be? [03:57]
<morganfainberg> you can know if it starts with MII or PKI(Z) you should hash it [03:57]
<morganfainberg> else just use the token [03:57]
<morganfainberg> or MIJ or whatever the other *really big* token prefix ends up being [03:57]
<morganfainberg> PKIZ_ and MII is how we do the magic in auth_token middleware [03:57]
<morganfainberg> it's fine to use the same "is this a PKI token" logic [03:58]
<lhcheng> okay, sounds reasonable [03:59]
<lhcheng> perhaps I should include the fix now, release it with the websso stuff [03:59]
<morganfainberg> yes [03:59]
<morganfainberg> we should [03:59]
<lhcheng> cool, will do that. [04:00]
<lhcheng> what's the default token format in devstack now? [04:00]
<lhcheng> iirc it was switched to pki at some point [04:01]
<morganfainberg> uuid [04:02]
<morganfainberg> it was pki last release [04:02]
<morganfainberg> but PKI has issues [04:02]
<lhcheng> we had to put together that ugly hack due to PKI being the default and the horizon cookie backend could not handle it. [04:02]
*** spandhe has joined #openstack-keystone [04:03]
<lhcheng> since it is back to UUI, should be fine to fix DOA then and we won't hit the session overflow. [04:03]
<lhcheng> *UUID [04:03]
<lhcheng> morganfainberg: btw, the websso patches were merged today \o/ [04:04]
<morganfainberg> yay [04:04]
<morganfainberg> lhcheng, you still need to hash if MII/PKIZ [04:04]
<morganfainberg> you can't break that [04:04]
<morganfainberg> you just need to make the choice to hash more specific [04:05]
<lhcheng> morganfainberg: yup, I'll look at the magic check in the middleware [04:05]
<morganfainberg> just use smarter "do i hash" logic :) [04:05]
<lhcheng> to make the check consistent [04:05]
<lhcheng> ayoung: one thing to note about the websso, the user has to explicitly install 1.2.0 version of DOA to use it. That version of DOA won't make the cut in Kilo g-r. [04:07]
<lhcheng> morganfainberg: cool, sounds good. I'll add you as reviewer for that when it's ready, just to make sure there is nothing stupid happening. :) [04:08]
<morganfainberg> please do! [04:08]
*** links has joined #openstack-keystone [04:11]
*** Bsony has joined #openstack-keystone [04:13]
*** devlaps has quit IRC [04:25]
*** devlaps has joined #openstack-keystone [04:26]
*** rm_work is now known as rm_work|away [04:32]
*** rushiagr_away is now known as rushiagr [04:32]
<stevemar> lhcheng, morganfainberg no way we can bump up the DOA version in g-r? [04:36]
<lhcheng> stevemar: g-r is frozen, probably have to get a *super FFE. (shrug) [04:37]
<morganfainberg> lhcheng, fernet tokens are new, we can add a doc saying "make sure you have DOA XXX" [04:45]
<morganfainberg> that is fine [04:45]
<morganfainberg> don't worry about the g-r update [04:46]
<morganfainberg> fernet aren't the default and won't be really used until liberty in the gate [04:46]
<morganfainberg> so we're fine :) [04:46]
*** _cjones_ has joined #openstack-keystone [04:47]
<lhcheng> morganfainberg: stevemar's concern is for the websso , but yeah it is a new feature too :) [04:48]
<lhcheng> morganfainberg: here's the DOA patch to address the token hashing check: https://review.openstack.org/#/c/169994/ [04:49]
*** _cjones_ has quit IRC [04:50]
*** _cjones_ has joined #openstack-keystone [04:50]
*** davechen has joined #openstack-keystone [05:04]
*** Bsony has quit IRC [05:11]
*** lhcheng_ has joined #openstack-keystone [05:23]
*** lhcheng has quit IRC [05:25]
*** lhcheng_ is now known as lhcheng [05:25]
*** _cjones_ has quit IRC [05:29]
<openstackgerrit> Dave Chen proposed openstack/keystone: Fix the typo and problematic logic on ec2 signature  https://review.openstack.org/143772 [05:30]
*** _cjones_ has joined #openstack-keystone [05:56]
*** lhcheng is now known as lhcheng_afk [05:58]
*** dims_ has joined #openstack-keystone [06:00]
*** dims_ has quit IRC [06:06]
*** rushiagr is now known as rushiagr_away [06:07]
*** rushiagr_away is now known as rushiagr [06:10]
*** ishant has joined #openstack-keystone [06:13]
<openstackgerrit> Steve Martinelli proposed openstack/keystone: Document websso setup  https://review.openstack.org/164012 [06:20]
*** lhcheng_afk has quit IRC [06:23]
*** henrynash has joined #openstack-keystone [06:28]
*** ChanServ sets mode: +v henrynash [06:28]
<openstackgerrit> henry-nash proposed openstack/keystone: Reload drivers when their domain config is updated  https://review.openstack.org/163322 [06:29]
*** rm_work|away is now known as rm_work [06:51]
<openstackgerrit> henry-nash proposed openstack/keystone: Expose multiple SQL backend usage validation error  https://review.openstack.org/138113 [06:51]
*** afazekas has joined #openstack-keystone [06:54]
<openstackgerrit> henry-nash proposed openstack/keystone: Fix multiple SQL backend usage validation error  https://review.openstack.org/170022 [06:55]
*** chlong has quit IRC [06:55]
*** mhu has quit IRC [06:58]
*** ParsectiX has joined #openstack-keystone [07:00]
*** ParsectiX has quit IRC [07:06]
*** ParsectiX has joined #openstack-keystone [07:07]
*** Bsony has joined #openstack-keystone [07:10]
*** jistr has joined #openstack-keystone [07:13]
*** boris-42 has quit IRC [07:18]
*** stevemar has quit IRC [07:30]
*** mhu has joined #openstack-keystone [07:35]
*** _cjones_ has quit IRC [07:37]
*** _cjones_ has joined #openstack-keystone [07:37]
*** tqtran_afk has quit IRC [07:46]
*** Bsony has quit IRC [07:58]
*** henrynash has quit IRC [08:08]
*** krykowski has joined #openstack-keystone [08:11]
*** erkules_ is now known as erkules [08:12]
*** erkules has quit IRC [08:12]
*** erkules has joined #openstack-keystone [08:12]
*** bdossant has joined #openstack-keystone [08:14]
*** devlaps has quit IRC [08:15]
*** markvoelker has quit IRC [08:18]
*** ParsectiX has quit IRC [08:24]
*** krykowski has quit IRC [08:36]
*** davidckennedy has joined #openstack-keystone [08:36]
*** krykowski has joined #openstack-keystone [08:39]
*** mhu has quit IRC [08:40]
*** markvoelker has joined #openstack-keystone [08:49]
*** dims_ has joined #openstack-keystone [08:50]
*** jacer_huawei has quit IRC [08:51]
*** henrynash has joined #openstack-keystone [08:52]
*** ChanServ sets mode: +v henrynash [08:52]
*** markvoelker has quit IRC [08:55]
*** dims_ has quit IRC [08:55]
*** davechen has left #openstack-keystone [08:57]
*** Bsony has joined #openstack-keystone [08:58]
*** mhu has joined #openstack-keystone [09:00]
*** Bsony has quit IRC [09:03]
*** _cjones_ has quit IRC [09:04]
*** krykowski has quit IRC [09:12]
*** krykowski has joined #openstack-keystone [09:13]
*** jistr has quit IRC [09:26]
*** jistr has joined #openstack-keystone [09:44]
*** dims_ has joined #openstack-keystone [09:52]
*** dims_ has quit IRC [09:52]
*** dims__ has joined #openstack-keystone [09:56]
*** dims__ has quit IRC [10:03]
*** ptoohill has quit IRC [10:03]
*** ptoohill has joined #openstack-keystone [10:04]
viktorshi folks! Con somebody +2A a simple patch https://review.openstack.org/#/c/137637 (Fix index name the assignment.actor_id table) ? This blocked already approved patch in chain. Thanks!10:07
*** dims has joined #openstack-keystone10:09
*** jaosorior has joined #openstack-keystone10:19
*** ishant has quit IRC10:28
*** ishant has joined #openstack-keystone10:29
*** markvoelker has joined #openstack-keystone10:52
*** davidckennedy has quit IRC10:55
*** samueldmq has joined #openstack-keystone10:56
*** henrynash has quit IRC10:56
*** markvoelker has quit IRC10:57
samueldmqmorning10:59
*** henrynash has joined #openstack-keystone10:59
*** ChanServ sets mode: +v henrynash10:59
*** henrynash has quit IRC11:13
*** ParsectiX has joined #openstack-keystone11:37
*** markvoelker has joined #openstack-keystone11:53
mfloboquestion about keystoneclient11:56
mflobowe already have implemented endpoint_filter https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/v3/contrib/endpoint_filter.py11:56
mflobobut, is it available in the CLI?11:56
*** markvoelker has quit IRC11:58
*** boris-42 has joined #openstack-keystone12:00
*** _cjones_ has joined #openstack-keystone12:05
*** _cjones_ has quit IRC12:09
*** ParsectiX has quit IRC12:10
*** dims has quit IRC12:25
*** dims has joined #openstack-keystone12:26
*** markvoelker has joined #openstack-keystone12:29
*** spandhe has quit IRC12:31
*** bknudson has quit IRC12:32
*** gordc has joined #openstack-keystone12:33
ayoungmflobo, you know how to find out?12:36
ayoungThe CLI is the common cli now, not keystone...so look in python-openstackclient12:37
mflobook, i'll take a look to the common CLI12:39
openstackgerritDavid Charles Kennedy proposed openstack/keystone: Add subjectAltName to generated ssl cert  https://review.openstack.org/15407412:41
viktorsayoung: hi! Con you please look at patch https://review.openstack.org/#/c/137637 (Fix index name the assignment.actor_id table) ? Thanks!12:52
ayoungviktors, sure12:52
*** ParsectiX has joined #openstack-keystone13:00
*** amakarov_away is now known as amakarov13:00
*** chlong has joined #openstack-keystone13:01
ayoungviktors, what is the basic problem with the name in https://review.openstack.org/#/c/137637/15  ?13:03
ayoungWhere does it mess things up?13:03
* viktors trying to remember13:04
*** ParsectiX has quit IRC13:04
*** rushiagr is now known as rushiagr_away13:11
*** bknudson has joined #openstack-keystone13:13
*** ChanServ sets mode: +v bknudson13:13
viktorsayoung: it seems to be, that I forget something, because my answer is  `fixes bug`. Let me run some tests for this to get more details13:13
ayoungviktors, add the real problem to the bug report, please.13:13
ayoungThe patch looks good, just don't want to approve without understanding13:13
*** joesavak has joined #openstack-keystone13:15
viktorsayoung: firstly this patch was uploaded in November by Ilya Pekelny so I can miss original issue. Or maybe this issue was gone since that time :)13:15
ayoungviktors, can you find out?  I'd hate to drop it if we had a real problem13:16
viktorsayoung: ok, I'll try13:16
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Add domain_id checking in create_project  https://review.openstack.org/15994413:23
*** davechen has joined #openstack-keystone13:31
openstackgerritDave Chen proposed openstack/keystone: Don't add unformatted project-specific endpoints to catalog  https://review.openstack.org/14486013:31
*** mattfarina has joined #openstack-keystone13:34
*** henrynash has joined #openstack-keystone13:35
*** ChanServ sets mode: +v henrynash13:35
ayounghenrynash, I suspect this is where we should be headed.  Or at least thinking about it.     https://securityblog.redhat.com/2015/04/01/jose-json-object-signing-and-encryption/13:35
henrynashayoung: looking13:36
ayoungStandard for the messages we send around;  use the JWT format for Keystone tokens, use the signing mechanism for messages on the Bus13:37
*** zigo has quit IRC13:38
henrynashayoung: yes, makes sense to me13:40
*** zigo_ is now known as zigo13:41
ayounghenrynash, I thought he laid it out pretty clearly13:41
ayoungseems to fit in with the rest of the OpenStack approach13:41
henrynashayoung: agreed, good article13:41
*** chlong has quit IRC13:47
*** gordc has quit IRC13:48
*** diegows has quit IRC13:52
*** rushiagr_away is now known as rushiagr13:56
henrynashbknudson, dstanek: if you have time, I think https://review.openstack.org/#/c/163322/ is ready to go in (bknudson, you +2’d the previous version)…only change was to trap KeyError, rather than AttributeError14:00
*** sigmavirus24_awa is now known as sigmavirus2414:01
*** Bsony has joined #openstack-keystone14:04
*** gordc has joined #openstack-keystone14:04
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Add domain_id checking in create_project  https://review.openstack.org/15994414:05
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Add is_domain field in Project Table  https://review.openstack.org/15742714:05
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Change domain_id FK in project table  https://review.openstack.org/16635414:05
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Bye Bye Domain Table  https://review.openstack.org/16185414:05
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Honor domain operations in project table  https://review.openstack.org/14376314:05
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Stop calling domain drivers  https://review.openstack.org/16593614:05
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Change project name constraint  https://review.openstack.org/15837214:05
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: List projects filtering by is_domain flag  https://review.openstack.org/15839814:06
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Creating domain and filtering by parent_id  https://review.openstack.org/16137814:06
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Restrict inherited role assignments to subdomains  https://review.openstack.org/16418014:06
viktorsayoung: it seems to be, that this was made to sync DB state of table assignment to its SQLA model - see a difference without this patch - http://paste.openstack.org/show/197916/14:07
ayoungPostgreSQL14:08
ayoungviktors, was that test skipped?14:08
davechenhenrynash, hi14:09
henrynashdavechen: hi14:09
viktorsayoung: no, this test is only going to be implemented in https://review.openstack.org/#/c/80630/14:09
ayoungah14:09
davechenhenrynash: how about say it "ignore the URL which intends to replace 'tenant_id' with None" in the comments?14:10
*** iamjarvo has joined #openstack-keystone14:10
*** iamjarvo has quit IRC14:10
*** iamjarvo has joined #openstack-keystone14:11
*** iamjarvo has quit IRC14:11
*** Bsony has quit IRC14:11
ayounghenrynash, what happens if someone specifies that the domain-specific-driver is memcached?14:11
henrynashayoung: hold on14:12
ayounghenrynash, no rush14:12
*** iamjarvo has joined #openstack-keystone14:12
*** davidckennedy has joined #openstack-keystone14:12
*** iamjarvo has quit IRC14:12
henrynashdavechen: how about simply:  "ignore the URL when there is no 'tenant_id' to substitute”?14:12
*** iamjarvo has joined #openstack-keystone14:13
*** iamjarvo has quit IRC14:13
henrynashayoung: we don’t have a memcached identity backend, do we?14:13
ayoungI thought we did.  We used to14:13
davechenhenrynash: I am not native english speaker, I think both is okay, but I decide to adopt your proposal, just mins :)14:13
ayounghenrynash, I +2aed it anyway14:14
*** iamjarvo has joined #openstack-keystone14:14
henrynashayoung: you mean a kvs one?14:14
*** iamjarvo has quit IRC14:14
henrynashayoung: I think we nixed them all14:14
henrynashayoung: (thanks)14:14
ayoungAh,...its gone14:14
ayoungonly sql and ldap now14:14
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/backends14:14
henrynashayoung: yeo14:14
*** iamjarvo has joined #openstack-keystone14:14
henrynashayoung: yep14:14
henrynashdavechen: ok, sounds good, no worries14:15
henrynashdavechen: can be difficult I know, you’re doing great14:15
*** aix has joined #openstack-keystone14:18
*** edmondsw has joined #openstack-keystone14:18
*** aix has quit IRC14:19
*** aix has joined #openstack-keystone14:20
*** jorge_munoz has quit IRC14:23
openstackgerritDave Chen proposed openstack/keystone: Don't add unformatted project-specific endpoints to catalog  https://review.openstack.org/14486014:24
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Add domain_id checking in create_project  https://review.openstack.org/15994414:25
*** links has quit IRC14:26
*** stevemar has joined #openstack-keystone14:26
*** ChanServ sets mode: +v stevemar14:26
*** krykowski has left #openstack-keystone14:26
raildohenrynash, ^ last rebase removed the last change, I fixed in the version :)14:27
davechenhenrynash: Done, your help is really matter, pls check it at your convenience.14:27
henrynashok, will look14:27
henrynashdavechen: will do14:27
*** Bsony has joined #openstack-keystone14:30
*** topol has joined #openstack-keystone14:32
*** ChanServ sets mode: +v topol14:32
viktorsstevemar: around?14:34
stevemarviktors, sort of?14:35
stevemarviktors, doing a few things at once14:36
viktorsstevemar: I want to ask you about the patch https://review.openstack.org/#/c/168947/ (Add server_default to relay_state_prefix in service_provider model). Please ping me, when you'll have a time14:37
openstackgerritDave Chen proposed openstack/keystone: Don't add unformatted project-specific endpoints to catalog  https://review.openstack.org/14486014:41
*** ishant has quit IRC14:43
*** raildo has quit IRC14:45
*** zzzeek has joined #openstack-keystone14:48
*** devlaps has joined #openstack-keystone14:49
stevemarviktors, k, why did you write you hate oslo.config :)14:53
openstackgerritDave Chen proposed openstack/keystone: Fix errors in ec2 signature logic checking  https://review.openstack.org/14377214:54
*** Bsony has quit IRC14:55
*** Bsony has joined #openstack-keystone14:57
viktorsstevemar: it always brings issues. At that patch it causes `docs` test failure (14:59
rhagarty_hello - I'm new to keystone. Was wondering if there is a way to simply store and retrieve a user/pwd from the keystone service?15:00
*** obedmr has joined #openstack-keystone15:01
*** bdossant has quit IRC15:02
*** davechen has left #openstack-keystone15:03
*** davechen has joined #openstack-keystone15:05
*** davechen has left #openstack-keystone15:05
stevemarviktors, maybe try setting CONF = cfg.CONF after the imports15:06
stevemarand call CONF when trying to get the default15:06
boris-42ayoung: ping15:06
openstackgerritMerged openstack/keystone: Reload drivers when their domain config is updated  https://review.openstack.org/16332215:06
viktorsstevemar: I have a doubts, that this will work, but I'll try15:06
ayoungboris-42, fire away15:07
boris-42ayoung: so recently I made one more tool for making python apps/libs better15:07
boris-42ayoung: https://github.com/boris-42/profimp15:08
boris-42ayoung: it allows you to trace imports and optimize them15:08
ayounginteresting15:08
boris-42ayoung: so we can tune "import keystoneclient" with it15:08
ayoungOK15:08
boris-42ayoung: it doesn't require any changes in keystoneclient (like osprofiler) so it can be easily used15:08
viktorsstevemar: still the same error (15:09
ayoungbut this is just for imports, right, not an overall profiler?15:09
stevemarviktors, :(15:09
boris-42ayoung: yep15:09
boris-42ayoung: it measures how long it takes to run "import .." and where time is consumed15:09
ayoungneat15:10
ayoungboris-42, any insights?15:10
boris-42ayoung: so what I think is that I will finish HTML report that will simplify work with long long traces15:11
boris-42ayoung: after that we can think about tuning imports of keystoneclient15:11
boris-42ayoung: so put some of them into lazy mode15:11
ayoungsounds good boris-4215:12
*** Bsony has quit IRC15:13
openstackgerritSteve Martinelli proposed openstack/keystone: Update sample config file  https://review.openstack.org/17016515:17
lbragstadquick python 3 question for the channel, what seems like a realistic date for keystone to be running on python 3?15:22
stevemarlbragstad, HAHAHA15:22
*** thedodd has joined #openstack-keystone15:24
bknudsonlbragstad: dropping eventlet should help.15:26
lbragstadjust curious15:26
viktorsbknudson: eventlet already announced py3 support15:27
bknudsonok... then I don't know what's stopping us.15:27
bknudsonpython-ldap?15:28
viktorsbknudson: by the way, can you please make a quick look at https://review.openstack.org/#/c/168987/1/keystone/contrib/federation/migrate_repo/versions/007_add_remote_id_table.py - I've answered to your note there15:32
bknudsonviktors: it's on my list.15:32
viktorsbknudson: got it, thanks15:33
*** h_m has quit IRC15:34
*** henrynash has quit IRC15:38
*** arunkant_ has joined #openstack-keystone15:42
openstackgerritDavid Charles Kennedy proposed openstack/keystone: Add subjectAltName to generated ssl cert  https://review.openstack.org/15407415:47
*** packet has joined #openstack-keystone15:52
davidckennedylbragstad henrynash bug/1410543 is it really a blocker for kilo-rc1? - I have no idea.  I'm just trying to fix it :D15:54
*** iamjarvo has quit IRC15:59
*** davidckennedy has quit IRC16:00
*** _cjones_ has joined #openstack-keystone16:03
*** aix has quit IRC16:07
openstackgerritVictor Sergeyev proposed openstack/keystone: Add server_default to relay_state_prefix in service_provider model  https://review.openstack.org/16894716:07
*** afazekas has quit IRC16:16
*** iamjarvo has joined #openstack-keystone16:16
*** Bsony has joined #openstack-keystone16:19
*** jistr has quit IRC16:23
*** Bsony has quit IRC16:24
*** spandhe has joined #openstack-keystone16:32
*** lhcheng_afk has joined #openstack-keystone16:34
*** lhcheng_afk is now known as lhcheng16:34
*** Bsony has joined #openstack-keystone16:41
*** harlowja_away is now known as harlowja16:42
*** tqtran_afk has joined #openstack-keystone16:56
*** EmilienM is now known as EmilienM|afk17:01
*** devlaps1 has joined #openstack-keystone17:02
*** devlaps has quit IRC17:03
*** iamjarvo has quit IRC17:10
*** tqtran_afk is now known as tqtran17:11
*** iamjarvo has joined #openstack-keystone17:11
*** iamjarvo has quit IRC17:11
*** iamjarvo has joined #openstack-keystone17:12
openstackgerritAlexander Makarov proposed openstack/keystonemiddleware: Validate tokens against revocation events  https://review.openstack.org/16943817:18
openstackgerritAlexander Makarov proposed openstack/keystonemiddleware: Validate tokens against revocation events  https://review.openstack.org/16943817:20
*** obedmr has quit IRC17:22
*** obedmr has joined #openstack-keystone17:24
*** iamjarvo has quit IRC17:29
*** spandhe has quit IRC17:30
*** spandhe has joined #openstack-keystone17:32
*** henrynash has joined #openstack-keystone17:36
*** ChanServ sets mode: +v henrynash17:36
openstackgerritRodrigo Duarte proposed openstack/keystone: Prohibit invalid ids in subtree and parents list  https://review.openstack.org/15872017:42
openstackgerritRodrigo Duarte proposed openstack/keystone: Prohibit invalid ids in subtree and parents list  https://review.openstack.org/15872017:50
*** jaosorior has quit IRC17:52
morganfainbergayoung: https://bugs.launchpad.net/keystone/+bug/140192617:54
openstackLaunchpad bug 1401926 in Keystone "Role revocation invalidates tokens on all user projects" [Medium,In progress] - Assigned to Adam Young (ayoung)17:54
morganfainbergayoung: https://bugs.launchpad.net/keystone/+bug/143095117:55
openstackLaunchpad bug 1430951 in Keystone "Revocation causes duplicate (and overly broad?) events in revocation table" [High,Triaged] - Assigned to Adam Young (ayoung)17:55
morganfainbergAre these kilo targets or liberty now?17:55
*** obedmr has quit IRC17:55
ayoungmorganfainberg, second one is liberty17:55
morganfainbergOk17:55
ayoungmorganfainberg, get feedback from the people consuming revocation events if we need to up the priority17:56
ayoungI think the fix is going to be invasive17:56
morganfainbergBooted it to l117:56
*** obedmr has joined #openstack-keystone17:56
ayoungcheck with dolphm if that is cool17:57
ayoungI can up the priority if they really need it17:57
morganfainbergdolphm: is out.17:57
ayounguntil when?17:57
morganfainbergNext week? Week after?17:57
ayoungah...17:57
morganfainbergWe can backport to kilo if it is needed17:57
ayoungI was thinking that, but if the change is as invasive as I suspect, we won't want to17:58
ayoungbut...17:58
morganfainbergWe may also cherry-pick the best parts to soften the impact.17:58
morganfainbergAnyway, L1. It has been broken for a while now.17:58
ayoungproblem is that we deliberate call the notifications twice17:58
ayoungone of them has to go17:58
ayoungso, if we leave the old call, we have to make it look like the new one.17:59
ayoungor carry the same information17:59
morganfainbergYep.17:59
ayoungI'll take another look later on today, after I finish up some federation things18:00
ayoungif I can yabnk the explicit revoke_api calls, and move everything into the origianl notify, it should be OK18:00
ayoungyank18:00
morganfainbergIt can be moved back to rc1 if you change your mind. Remember though we are cutting rc next week18:00
ayoung"origianl"  meaning the one you added after everythign else, of course18:00
morganfainbergSo we need to get the last of these bugs closed out quickly here.18:01
morganfainbergI have a couple more bugs I can boot to l1, but would rather have the better ux they bring to the table.18:01
*** rdo has quit IRC18:03
henrynashmorganfainberg: could you make sure https://review.openstack.org/#/c/170022/ is “starred” for rc1, it’s the fix for https://review.openstack.org/#/c/138113/8 (which is already starred)18:04
*** rdo has joined #openstack-keystone18:04
*** henrynash has quit IRC18:05
*** thedodd has quit IRC18:15
*** iamjarvo has joined #openstack-keystone18:16
*** joesavak has quit IRC18:17
*** iamjarvo has quit IRC18:17
*** iamjarvo has joined #openstack-keystone18:18
iamjarvoso it seems that when i find a user using the keystone client it has an id but it is not the public_id from the id_mapping table18:22
iamjarvothis is causing things to be mismatched when doing role_assignments18:22
ayoungiamjarvo, Federated user?18:24
ayoungor multidomain backend18:25
iamjarvoldap with multidomain18:25
iamjarvousing the patch18:26
ayoungand the userid is the value out of LDAP instead of the mapped value?18:26
iamjarvoso to my understanding when you use ldap the user is stored in an id_mapping table and the column public_id is a sha of somethings from ldap18:27
ayoungyes...18:27
*** joesavak has joined #openstack-keystone18:27
iamjarvoso the public_id and user.id is not matching18:27
iamjarvo keystone.users.find(domain_id="default", name=user_name)18:27
ayoungare you getting the value from ldap instead18:27
iamjarvolet me open the ldap manager18:28
ayoungyou can;'t tell/18:28
ayoungI use the uid as the user_id field18:28
ayoungyou can't tell just by looking?18:28
*** larsks has left #openstack-keystone18:28
ayoungit should be a human readable string instead of a sha25618:28
ayoungwhat value comes through for user_id18:29
iamjarvo"id=afb8f9e54352898fad14199fffffd2991aa38c9b25449c68a78a00c0e3d82133"18:29
iamjarvoso a sha and i can see the uid in ldap18:30
*** EmilienM|afk is now known as EmilienM18:30
ayoungiamjarvo, OK, that looks like a sha256, but it doesn't match what you get in the mapping table?18:31
ayoungthe value in id_mapping is the sha256 of the value from ldap and the domain id:18:31
iamjarvoayoung i think i know what's wrong. there are two entries for this user in id_mapping and it's scoping to the wrong one :(18:37
ayounginteresting18:37
iamjarvodue to the code always scoping to default18:38
*** alexsyip has joined #openstack-keystone18:51
alexsyipHi all, I have a question about using keystone client.18:51
ayoungstevemar,  when I do a mapping with REMOTE_USER_GROUPS set to multiple values, I end up with18:56
ayoung(Pdb) print group18:56
ayoung{u'domain': {u'name': u'Default'}, u'name': u"['admins', 'ipausers', 'wheel']"}18:56
ayoungwhich is  not right18:57
ayoungI suspect I am doing something wrong in the mapping18:57
*** amakarov is now known as amakarov_away18:57
ayounghere is my mapping18:57
ayounghttp://paste.openstack.org/show/197972/18:57
stevemarwhat are you expecting it to be?18:58
stevemarupdating sample config (for what should be the last time) needs another core https://review.openstack.org/#/c/170165/119:00
ayoungah I found it19:00
ayounggroups not goup19:00
ayounggroup19:01
stevemar++19:01
stevemarayoung, that would have taken me a while to find, glad you found it instead19:01
ayoungstevemar, I was actually comparing to the known good one in the test19:02
stevemarayoung, yeah, i need to create a bunch of example and put them up on docs.o.org/keystone19:03
ayoungstevemar, I'll have something pretty cool to show here shortly, I think.19:05
ayoungstevemar, um19:06
ayoung{"error": {"message": "An unexpected error prevented the server from fulfilling your request: (ProgrammingError) (1064, 'You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near \\': \"\\'[\\\\\\\\\\'admins\\\\\\\\\\', \\\\\\\\\\'ipausers\\\\\\\\\\', \\\\\\\\\\'wheel\\\\\\\\\\']\\'\"} AND `group`.domain_id = \\'defa\\' at line 3') 'SELECT `group`.19:06
ayoungid AS group_id, `group`.name AS group_name, `group`.domain_id AS group_domain_id, `group`.description AS group_description, `group`.extra AS group_extra \\nFROM `group` \\nWHERE `group`.name = %s AND `group`.domain_id = %s' ({u'name': u\"['admins', 'ipausers', 'wheel']\"}, 'default') (Disable debug mode to suppress these details.)", "code": 500, "title": "Internal Server Error"}}19:06
ayoungsomething didn't split the group names properly19:06
ayoungprint assertion['REMOTE_USER_GROUPS']19:09
ayoungadmins;ipausers;wheel19:09
ayoungstevemar, is there something I can set in the mapping to tell  it to split on ;  instead of whatever else it splits on?19:10
*** kr4zy has joined #openstack-keystone19:11
stevemarayoung, there is a setting in most apache plugins to pick a delimiter19:11
ayoungstevemar, yeah, yeah19:11
kr4zyI am currently using keystone icehouse on CentOS with assignment using mysql and ldap for user and password. I want to know if it is possible to enable caching for ldap.19:11
ayoungkr4zy, no19:12
ayoungthere is no LDAP caching in any of Keystone19:12
kr4zyayoung: any future plans?19:12
ayoungkr4zy, yes.  get rid of LDAP, use SSSD, and let that cache for you19:12
ayounghttp://adam.younglogic.com/2015/03/key-fed-lookup-redux/19:13
ayoungstevemar, what do we expect the separator to be?  a colon :  ?19:13
stevemarayoung, i thought it was a semi-colon19:15
kr4zyayoung: thanks for the pointers. but when you said "yes", you mean there are plans for caching ldaps in future keystone release or people will be using SSSD?19:15
ayoungstevemar, that is what I had the first time, and : gave a different error.  hmmm19:15
morganfainbergkr4zy, we cache certain things in keystone, but it is unlikely we will do anything that is specific to ldap19:15
morganfainbergkr4zy, if it is caching for the generic case, it would affect LDAP as well.19:16
morganfainbergkr4zy, just like we don't do specific SQL caching19:16
*** thedodd has joined #openstack-keystone19:16
ayoungstevemar, checkit!19:19
ayoung$ curl   --negotiate -u:   horizon.cloudlab.freeipa.org:5000/v3/OS-FEDERATION/identity_providers/sssd/protocols/kerberos/auth19:19
ayoung{"token": {"methods": ["kerberos"], "expires_at": "2015-04-02T20:19:20.223906Z", "extras": {}, "user": {"OS-FEDERATION": {"identity_provider": {"id": "sssd"}, "protocol": {"id": "kerberos"}, "groups": [{"id": "482eb4e6a0c64348845773b506d1db77"}, {"id": "6da803796a4540d48a0aff3b3185edad"}, {"id": "f0bf681ae2e84d1580a7ff54ea49bf27"}]}, "domain": {"id": "Federated", "name": "Federated"}, "id": "ayoung", "name": "ayoung"}, "audi19:19
ayoungt_ids": ["eFvsNvBRQPO3L51nhYlLdw"], "issued_at": "2015-04-02T19:19:20.223941Z"}}[cloud-user@horizon keystone]$19:19
*** __TheDodd__ has joined #openstack-keystone19:19
stevemarayoung, thats actually pretty neat19:20
stevemarwhat did you have to change?19:20
morganfainbergstevemar, ping19:20
stevemarmorganfainberg, pong, in -meeting19:20
morganfainbergstevemar, i want to confirm, the new domain-sql thing, the default behavior is to use file-backed configs right?19:20
stevemarmorganfainberg, henry's stuff?19:21
morganfainbergstevemar, yeah19:21
*** thedodd has quit IRC19:21
stevemari thought the default is to use the REST apis now?19:21
morganfainbergwhelp we now have a new RC bug19:21
morganfainbergwe can't do that19:21
stevemarah no19:21
stevemari am wrong19:21
morganfainbergwe will break anyone currently using per-domain configs.19:21
stevemardomain_configurations_from_database = false19:21
morganfainbergah phew19:21
*** joesavak has quit IRC19:22
morganfainbergstevemar, i was digging but wanted to be sure.19:22
morganfainbergfigured you read it more recently than I did19:22
ayoungstevemar, once I got the mapping right?   Nothing19:22
stevemaroh, what was the deal with the mapping?19:22
stevemarpaste your final mapping :P19:22
ayoungstevemar, I'm working on a write up, but I think I can use the Federation code to get a Kerberized token without SAML19:22
ayoungstevemar, http://paste.openstack.org/show/197976/19:23
ayoungstevemar, OK, we have a Federated domain now, right?  And, without explicit mapping, users should go in there?  I wonder how that is going to work for Groups.  The admin can't create that domain etc...19:25
stevemarayoung, yeah, admins create create or update a domain named 'federated'19:26
kr4zymorganfainberg: my ldap query is very slow that's why I asked whether it is possible to cache it to speed it up.19:26
stevemarand yes, any user that doesn't exist in the backend is "assigned" that domain. the domain isn't actually created19:27
kr4zymorganfainberg: I see the openstack guide said caching is only available for token, resource, and role. Is this updated?19:27
ayoungstevemar, what if the Admin creates that domain?  Can we then put groups in there?19:28
ayoungAnd it will map correctly?   Nothing actually stops the admin from creating that domain, right?19:28
kr4zymorganfainberg: I am using the dogpile.cache.memcached module. Looking through the source code. seems like only token import the cache module.19:28
stevemarayoung, the admin is prevented from creating that domain19:28
ayoungEven though the help string in the config implies that they do19:28
ayoungstevemar, so...no groups?19:28
ayoungthat sux19:28
stevemargroups can be in any domain you want19:29
stevemaroh, you wanted users and groups to both be in the same spot19:29
morganfainbergkr4zy, which release are you running?19:29
kr4zyicehouse19:29
stevemarit doesn't really matter though, the users don't exist, they'll inherit roles from the group (in whatever domain the group is in)19:29
morganfainbergkr4zy, i think we don't cache users/group queries in icehouse. i know juno and later we have added more caching19:30
ayoungstevemar, I'm wondering how useful this Federated  really going to be without putting groups in there, but, meh, we can always explicitly map the domain, so no big deal19:30
*** packet has quit IRC19:30
morganfainbergkr4zy, for example in master: https://github.com/openstack/keystone/blob/master/keystone/identity/core.py#L74919:30
morganfainbergkr4zy, assuming you're using LDAP for identity19:31
ayoungOK...so I do I need to hack the KC kerberos plugin to behave like a federated plugin?  I'm thinking no.19:31
*** joesavak has joined #openstack-keystone19:31
*** Bsony has quit IRC19:31
morganfainbergkr4zy, the list_* functions do not memoize because they can have filters applied to them. we can't cache every variation on the filters.19:31
ayoungstevemar, say I was doing ECP.  How would I get a federated token->scoped token from the CLI?19:31
*** topol has quit IRC19:33
*** edmondsw has quit IRC19:33
stevemarthats a matter of using OSC and KSC19:35
stevemargah, where is marek when i need him19:35
morganfainbergdstanek, can we move our hacking from keystone.hacking to keystone.tests.hacking?19:35
stevemarayoung, look at the options for the KSC saml plugin19:35
morganfainbergdstanek, or is there a reason we shouldn't?19:35
*** obedmr has quit IRC19:36
ayoungstevemar, I think I need to do something similar here:  I want to use the Kerberos plugin to get the --negotiate option, but the rest should be the federated work flow19:37
morganfainbergdstanek, and i think we need to shuffle around "policy" to be "the policy backend that serves out json blobs via REST" and "RBAC enforcement"19:37
*** obedmr has joined #openstack-keystone19:38
ayoungmorganfainberg, um..the Keystone policy code actually enforce policy for us, too19:39
ayoungits...weird19:39
morganfainbergayoung, thats why it should be split up19:40
morganfainbergkeystone's "enforcement"19:40
ayoungIN L19:40
morganfainbergand the REST API thing19:41
morganfainbergyes. in L :)19:41
morganfainbergdstanek, could i trouble you to jump on https://bugs.launchpad.net/keystone/+bug/143517419:41
openstackLaunchpad bug 1435174 in Keystone "SSLTestCase errors when building Debian package" [Medium,Triaged]19:41
ayoungmorganfainberg, so, one goal is to get policy enforcement into a library, or better yet, a middleware component.   and...I think we can do it, if we just drop the part where policy checks that project matches19:42
morganfainbergthere might be a weird dep we need to figure out what debian jessie is doing; zigo can probably help19:42
ayoungthe problem is that the policy has to be customized for each object19:42
morganfainbergayoung, it's like the i18n stuff19:42
morganfainbergayoung, provide a framework, let them customize specifics19:42
ayoung?19:42
ayoungso...yeah, sort of19:42
ayoungI was thinking like this:19:43
morganfainbergayoung, oslo.i18n provides basic _(), we wrap it to keystone namespace19:43
morganfainbergjust a rough example19:43
ayoungpolicy checks that the role matches, and then the code itself will check that the project matches...19:43
ayoungeither on the request, or on the object itself19:43
morganfainberganyway something to work on for L19:43
ayoungfor create and list, project is in the request19:43
morganfainbergwe have RC stuff today to deal with :)19:43
ayoungfor delete and change, have to fetch the object out of the database19:44
*** packet has joined #openstack-keystone19:44
ayoungso...if we give a shim that says  "check the project of your object against this value"19:44
ayoungwe can strip policy down to the essentials19:44
*** rushiagr is now known as rushiagr_away19:51
*** rushiagr_away is now known as rushiagr19:53
*** SlickNik has joined #openstack-keystone19:55
openstackgerritMerged openstack/keystone: Deprecate eventlet config options  https://review.openstack.org/16875219:55
SlickNikI had a quick question that someone here might be able to help with.19:56
SlickNikFor keystone v3, how do I specify that the default domain for a user in a tenant is "default", so that I don't have to explicitly specify the domain when authenticating that user / tenant pair?19:56
ayoungstevemar, so...to do websso, I need to set the remote_id right?19:57
stevemarayoung, correct-a-mundo20:00
stevemarayoung, you can review my websso doc patch and follow the steps if you are setting up websso :P20:00
ayoungstevemar, I think nkinder was curling that in before. We have openstack cli support on the way, right?20:00
ayoungah..yes20:00
nkinderayoung: https://review.openstack.org/#/c/161302/20:01
stevemarayoung if you'd be so kind: https://review.openstack.org/#/c/164012/20:01
nkinderthe OSC support merged20:01
ayoungopenstack-config --set /etc/keystone/keystone.conf federation remote_id_attribute MELLON_IDP20:01
stevemaryep, it did20:01
stevemarthe SP support isn't there yet :(20:01
ayoungno longer needed then?20:01
nkinderayoung: you shouldn't need curl20:01
nkinderI need to update my scripts for the remote_ids changes too20:02
ayoungnkinder, we set the value in the config file, and it is global, right?20:02
ayoungand now we can do it using openstack cli20:02
nkinderayoung: you can set it per protocol20:02
ayoungI need an updated openstackcli20:02
nkinderayoung: you are asking about remote_id_attribute, right?20:02
ayoungyeah20:02
stevemarayoung, remote_id_attribute can be per-protocol or global. the remote_ids can be set with OSC (you need to use master)20:03
ayoungstevemar, I'm using devstack, so I have master for all the services20:03
ayoungI need an updated openstack client, as that is pip installed20:03
ayoungI'm guessing..20:03
*** jorge_munoz has joined #openstack-keystone20:03
ayoungand KC?20:03
ayoungcan't hurt to have tip of tree for those, too20:04
nkinderI don't think any KC changes were needed20:04
stevemarayoung, if you're using devstack, be sure to set: LIBS_FROM_GIT=python-keystoneclient,python-openstackclient20:05
stevemarthat ensure you are getting master, and not pip20:05
ayoungah20:05
ayoungnkinder, stevemar I still need to set the value in the conf file?20:10
ayoungI don't see where else the attribute name could get set20:10
stevemarayoung, yep20:11
ayoungstevemar, OK,  limitation we are going to have to move beyond in the future.  Needs to be set at the Protocol level in L20:11
stevemarayoung, still need to set it, either in the [federation] section or [oidc] or [saml2]20:11
stevemarayoung, it's already there! :)20:12
ayoungstevemar, where?20:12
ayoungIt is not in the tables?20:12
stevemarthe trouble is, protocols are user defined ids, so we can't list them all20:12
ayoung]> select * from federation_protocol;20:13
ayoung+---------------+--------+------------------+20:13
ayoung| id            | idp_id | mapping_id       |20:13
ayoung+---------------+--------+------------------+20:13
ayoung| kerberos      | sssd   | kerberos_mapping |20:13
ayoung| sssd_kerberos | sssd   | kerberos_mapping |20:13
ayoung+---------------+--------+------------------+20:13
stevemarif you create a new section [kerberos] and set remote_id_attribute it'll try that first, and default to the one under [federation] as a last resort20:14
ayounginteresting...I'll try that20:14
*** kr4zy has quit IRC20:14
stevemari think we should probably restrict the protocol IDs to a set, so it's just [oidc, saml2, kerberos, ... ]20:15
stevemarbut... meh20:15
ayoungstevemar, ok...so how do I test this out?20:16
ayoungcurl   --negotiate -u:   horizon.cloudlab.freeipa.org:5000/v3/OS-FEDERATION/websso/kerberos20:17
ayoung40420:17
stevemarayoung, almost.20:20
stevemar horizon.cloudlab.freeipa.org:5000/v3/auth/OS-FEDERATION/websso/kerberos20:20
ayoung  /auth...I knew it20:20
stevemarthis is my guess, everything 404's for me :) you and your intranet20:21
ayoungthis is all internal20:21
ayoungjust a hostname I've co-opted20:21
ayoungI'll get it working on dreamhost before the summit20:22
stevemari expect no less20:22
*** rushiagr is now known as rushiagr_away20:23
morganfainbergstevemar, ayoung, annnnn sent: http://lists.openstack.org/pipermail/openstack-dev/2015-April/060537.html20:33
stevemarwhammy20:34
*** ChanServ changes topic to "High Priority Reviews: https://gist.github.com/dolph/651c6a1748f69637abd0 | Review RC Blocking Reviews. | RC Milestone: https://launchpad.net/keystone/+milestone/kilo-rc1 | PTL Election Season - Send candidacy email if you intend to run!"20:35
morganfainbergwow gmail ate the formatting there :(20:35
* morganfainberg is sad.20:35
ayoungmorganfainberg, you sure you wanna do this?20:36
morganfainbergtoo late now ;)20:36
morganfainbergayoung, yeah.20:36
morganfainbergayoung, unless you want to.20:36
ayoungGlutton20:36
morganfainbergayoung, run if you want! :P20:36
mtreinishmorganfainberg: it looks ok on my mail client. Just a lot of white space :)20:36
morganfainbergmtreinish, yeah the extra whitespace is what happened20:36
morganfainbergmtreinish, it didn't look like that when i wrote it.20:36
mtreinishoh and the stupid unicode ' that all the mac people use by default20:37
morganfainbergmtreinish, HAH20:37
mtreinishwhich I still haven't figured out why it isn't rendered correctly on my laptop20:37
morganfainbergmtreinish, i keep disabling that then it keeps getting re-enabled20:37
morganfainbergmtreinish, it's annoying20:37
*** Bsony has joined #openstack-keystone20:37
ayoungmorganfainberg, I started up a campaign speech.  I started something like "Why do I want to be the PTL?  I don't."20:37
morganfainbergayoung, LOL20:37
morganfainbergmtreinish, yeah it doubled all the new-lines somehow20:38
morganfainbergmtreinish, *shrug* oh well20:38
mtreinishayoung: heh, that reminds me when I ran for school treasurer in high school on a platform of "I can count" :)20:39
mtreinishmorganfainberg: yeah I think it's fine, who even reads them :)20:40
morganfainbergmtreinish, depends on if we have more than one person running20:40
morganfainberg:P20:40
morganfainbergayoung, my campaign speech for the M-cycle is likely going to be "I am letting someone else steer this ship"20:44
ayoungWe'll plan accordingly20:44
morganfainbergayoung, yeah i don't want to burn out20:44
morganfainbergi think i can do 2 cycles20:44
morganfainbergbut 3 might be too much20:44
*** atiwari1 has joined #openstack-keystone20:55
*** atiwari2 has quit IRC20:57
*** packet has quit IRC20:58
*** packet has joined #openstack-keystone21:04
ayoungstevemar, "Missing entity ID from environment"21:04
ayoungcalling this way21:04
ayoungcurl   --negotiate -u:   horizon.cloudlab.freeipa.org:5000/v3/auth/OS-FEDERATION/websso/kerberos?origin=http://horizon.cloudlab.freeipa.org/auth/websso/21:05
stevemarayoung, apparently it can't fine your remote_id_attribute in the env21:05
stevemarfind*21:06
ayoungOK,  so it is that21:06
ayoungI have21:06
stevemarjeez i can't type today21:06
ayoungremote_id_attribute = IDP_ID21:06
ayoungand in the httpd conf21:06
ayoung^^ was under federation, although I have the same thing in [kerberos]21:06
*** packet has quit IRC21:07
ayoungAh.21:07
stevemarremote_id_attribute should be something like X-Shib-IdP or MOD_MELLON_IDP one of the env. vars21:07
ayoungstevemar, so, I would need to set that value for the whole Horizon server, not just the kerberized url21:07
stevemaryou're losing me now21:07
openstackgerritBrant Knudson proposed openstack/keystone: Fix for notifications for v2 role grant/delete  https://review.openstack.org/16693421:10
*** joesavak has quit IRC21:10
*** atiwari2 has joined #openstack-keystone21:10
ayoungstevemar, I set the value in the apache conf, but in the wrong place21:10
ayoungI ended up putting it in the :5000 section, but outside the kerberos stanza21:10
ayoung<VirtualHost *:5000>21:11
*** _cjones_ has quit IRC21:11
*** henrynash has joined #openstack-keystone21:11
*** ChanServ sets mode: +v henrynash21:11
ayoung  SetEnv IDP_ID SSSD21:11
*** _cjones_ has joined #openstack-keystone21:11
*** atiwari1 has quit IRC21:13
stevemarayoung, wow, i had no idea you could just do that :(21:13
stevemarTIL...21:13
ayoungstevemar, this blog post should have all the steps in it once I'm done21:13
stevemarayoung, awesome. I was going to do one, maybe i still will /me shrugs21:14
stevemarayoung, have you been using the patch i proposed as a guide?21:14
ayoungstevemar, heh, let me get this one done first, and you can write one that is actually legible21:14
ayoungnah21:14
ayoungI was using nkinder's script21:14
stevemard'oh!21:15
ayoungbut only this little bit overlaps21:15
ayoungmost of it has been the SSSD and Kerberos setup21:15
ayoungwhich is different from what you posted21:15
ayoungonly now am I getting close, but it is still specific to the federation method.21:15
stevemarhehe, that's fair, if you can double check your write up with what's covered in this patch: https://review.openstack.org/#/c/164012/ that would be awesome-o21:15
ayoungstevemar, I knew to set trusted_dashboard21:17
stevemar\o/21:17
ayoungand I will probably use your doc as a checklist once I get to Horizon itself21:18
ayoungright now I get21:18
*** henrynash has quit IRC21:18
ayounghttp://paste.openstack.org/show/197990/  stevemar21:18
ayounglet me make sure the other stuff still works...I bet I need that url under kerberos as well21:19
ayoungand...yuck, I don't think I can do it in one config block in apache21:19
ayoungstevemar, tell me, would the controller at /v3/auth/OS-FEDERATION/websso/kerberos  expect to have the saml assertion?21:20
ayoungif it were saml?21:20
morganfainbergis lance on vacation?21:20
* morganfainberg just noticed he wasn't here.21:20
*** Bsony has quit IRC21:21
ayoungit would, cuz the user would go to that url, and mod_mellon would redirect them, and then ipsilon would direct it back21:21
* morganfainberg goes and gets food and coffee.21:21
*** henrynash has joined #openstack-keystone21:21
*** ChanServ sets mode: +v henrynash21:21
morganfainbergstevemar, going to bug you so we can hammer out the bugs for RC later today/this evening21:21
ayoungstevemar, can we move (or duplicate)  the /auth  to under OS-FEDERATION?21:21
morganfainbergayoung, ^ you too if you're not in dad-mode by then.21:22
ayoungmorganfainberg, get food and coffee? OK I can do that21:22
morganfainbergayoung, haha yes. but the rc-bug dogpile too21:22
ayoungmorganfainberg, I'll try.21:22
morganfainbergayoung, if not anything lingering we can hit tomorrow morning21:23
morganfainbergayoung, if you're around i'll bug ya, if not, no big deal21:23
ayoungnkinder, do you know how to write an apache path expression that will match both /v3/OS-FEDERATION/identity_providers/sssd/protocols/kerberos/auth  and /v3/auth/OS-FEDERATION/websso/kerberos21:23
stevemarayoung, sorry, got up for a sec21:23
stevemarmorganfainberg, yeah, that fine, bug away21:23
stevemarayoung, should be possible to write that21:24
*** SlickNik has left #openstack-keystone21:24
ayoungstevemar, yeah, I'm RTFM ATM21:25
ayoungRegular expressions can also be used, with the addition of the ~ character. For example:21:25
*** SlickNik has joined #openstack-keystone21:25
*** iamjarvo has quit IRC21:26
*** ayoung has quit IRC21:30
*** topol has joined #openstack-keystone21:30
*** ChanServ sets mode: +v topol21:30
*** mgagne has quit IRC21:33
*** adam_g has quit IRC21:34
*** tqtran_ has joined #openstack-keystone21:34
*** g2` has quit IRC21:34
*** dougwig has quit IRC21:35
*** cyeoh has quit IRC21:35
*** hockeynut has quit IRC21:35
*** crinkle_ has joined #openstack-keystone21:36
*** morganfainberg has quit IRC21:37
*** rm_work has quit IRC21:37
*** morganfainberg has joined #openstack-keystone21:37
*** ChanServ sets mode: +v morganfainberg21:37
*** crinkle has quit IRC21:38
*** crinkle_ is now known as crinkle21:38
*** krtaylor has quit IRC21:38
*** lbragstad has quit IRC21:38
*** comstud has quit IRC21:38
*** tqtran has quit IRC21:38
*** jasondotstar has quit IRC21:38
*** amaurymedeiros has quit IRC21:38
*** gus has quit IRC21:38
*** amauryme` has joined #openstack-keystone21:38
*** henrynash has quit IRC21:39
*** gus has joined #openstack-keystone21:39
*** jasondotstar has joined #openstack-keystone21:39
*** comstud has joined #openstack-keystone21:39
*** lbragstad has joined #openstack-keystone21:39
*** g2` has joined #openstack-keystone21:39
*** hockeynut has joined #openstack-keystone21:39
*** adam_g has joined #openstack-keystone21:40
*** adam_g has quit IRC21:40
*** adam_g has joined #openstack-keystone21:40
*** mgagne has joined #openstack-keystone21:40
*** cyeoh has joined #openstack-keystone21:40
*** atiwari1 has joined #openstack-keystone21:40
*** rm_work has joined #openstack-keystone21:41
*** rm_work has quit IRC21:41
*** rm_work has joined #openstack-keystone21:41
*** krtaylor has joined #openstack-keystone21:41
*** atiwari2 has quit IRC21:42
*** atiwari2 has joined #openstack-keystone21:43
*** henrynash has joined #openstack-keystone21:44
*** ChanServ sets mode: +v henrynash21:44
*** dougwig has joined #openstack-keystone21:45
*** atiwari1 has quit IRC21:46
*** spandhe has quit IRC21:51
*** gordc has quit IRC21:53
*** henrynash has quit IRC21:54
*** spandhe has joined #openstack-keystone21:54
*** gordc has joined #openstack-keystone21:54
*** zzzeek has quit IRC21:59
*** gordc has quit IRC22:04
*** packet has joined #openstack-keystone22:12
*** __TheDodd__ has quit IRC22:19
*** bknudson has quit IRC22:22
*** sigmavirus24 is now known as sigmavirus24_awa22:27
*** packet has quit IRC22:33
*** obedmr has quit IRC23:16
*** ayoung has joined #openstack-keystone23:32
*** ChanServ sets mode: +v ayoung23:32
*** _cjones_ has quit IRC23:34
openstackgerritMerged openstack/keystone: Drop sql.transaction() usage in migration  https://review.openstack.org/16898723:43
*** arunkant_ has quit IRC23:58
