Thursday, 2015-04-09

« Wednesday, 2015-04-08 Index Friday, 2015-04-10 »
*** sdake_ has quit IRC00:00
openstackgerritLin Hua Cheng proposed openstack/keystone: WebSSO should use remote_id_attribute by protocol  https://review.openstack.org/17188900:03
morganfainbergjamielennox, heh00:04
*** topol has joined #openstack-keystone00:19
*** ChanServ sets mode: +v topol00:19
openstackgerritMerged openstack/python-keystoneclient: pep8 fix for CMS  https://review.openstack.org/16013200:25
*** chlong has joined #openstack-keystone00:25
openstackgerritMerged openstack/python-keystoneclient: Update sample data with audit ids  https://review.openstack.org/17102800:26
jamielennoxmorganfainberg: so import keystoneclient_kerberos gives Exception: Versioning for this project requires either an sdist tarball, or access to an upstream git repository. Are you sure that git is installed? on a new venv00:26
jamielennoxany idea what's happening there?00:26
jamielennoxdamn,00:29
lifelessjamielennox: do you have git installed ?00:29
*** Ephur has joined #openstack-keystone00:29
jamielennoxlifeless: heh, yes, but it's from pip00:29
jamielennoxi think i found it00:30
*** _cjones_ has quit IRC00:33
openstackgerritJamie Lennox proposed openstack/python-keystoneclient-kerberos: Use the package name when looking up version  https://review.openstack.org/17189800:36
jamielennoxmorganfainberg: there are no other reviews for ksc-kerberos, can we do a 0.1.4 with ^ ?00:38
morganfainbergsure00:38
jamielennox(there is a global reqs bump that i don't see any point in doing for a point release)00:38
jamielennoxlet's see if i have the perms...00:39
lifelessjamielennox: its a bit of a bug that that didn't barf locally before you pulled it down from pip00:43
jamielennoxlifeless: yea, i was thinking that - i don't know how it got set that way in the first place00:43
lifelessjamielennox: (the bug would be on pbr)00:43
jamielennoxbut i guess it's doing the right thing by falling back on git and there's no way for it to know if there should be a dist-info or not00:44
lifelesswe can build an egg-info if there isn't one from git00:44
lifelessand cross check the package name00:44
jamielennoxthat sounds like a unit test rather than a PBR runtime thing though?00:45
*** samueldmq has joined #openstack-keystone00:47
*** bknudson has joined #openstack-keystone00:48
*** ChanServ sets mode: +v bknudson00:48
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Increase minimum token life required  https://review.openstack.org/16994700:48
*** angular_mike has joined #openstack-keystone00:51
openstackgerritBrant Knudson proposed openstack/keystone: Update sample config file  https://review.openstack.org/17186000:56
openstackgerritBrant Knudson proposed openstack/keystone: Refactor common function for loading drivers  https://review.openstack.org/16662800:56
openstackgerritBrant Knudson proposed openstack/keystone: Refactor MemcachedBackend to not be a Manager  https://review.openstack.org/16661500:56
openstackgerritBrant Knudson proposed openstack/keystone: Tests don't override default config with default  https://review.openstack.org/16663100:56
openstackgerritBrant Knudson proposed openstack/keystone: Use stevedore  https://review.openstack.org/16654300:56
openstackgerritBrant Knudson proposed openstack/keystone: Use short names for drivers  https://review.openstack.org/16662200:56
*** alexsyip has quit IRC01:16
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Add get_communication_params interface to plugins  https://review.openstack.org/14126701:16
bknudsonwhat do you think about removing this deprecated behavior: https://github.com/openstack/keystone/blob/master/keystone/auth/controllers.py#L6401:23
*** tqtran has quit IRC01:23
bknudson'Loading auth-plugins by class-name is deprecated.'01:23
bknudsonI'm changing this code to use stevedore so was wondering if I can remove this complication.01:24
bknudsonwas deprecated Jul 17, 201401:25
*** davechen has joined #openstack-keystone01:25
bknudsonin Juno01:26
bknudsonso it was deprecated all of kilo... I think that's ok to remove in L.01:26
jamielennoxmorganfainberg: do you want to approve https://review.openstack.org/#/c/171898/ and i'll see if i can push a tag?01:33
jamielennoxbknudson: that seems reasonable to me01:33
jamielennoxbknudson: ideally we'd change those to use stevedore anyway01:34
bknudsonthat's what I'm working on.01:34
jamielennoxmaybe just have don't use the common loader for auth plugins because you'll need to check whether the param exists in the conf file01:34
jamielennoxthat sentence doesn't really work but i think i got the meaning across01:35
bknudsonit didn't01:35
bknudsoncommon loader?01:35
jamielennoxyou might just have to write a custom loading function for auth plugins rather than use the stevedore driver loading that the keystone drivers will use01:36
bknudsonit looks like we want to use this pattern: http://docs.openstack.org/developer/stevedore/patterns_loading.html#extensions-many-names-many-entry-points01:36
bknudsonI'm not quite sure how that's going to happen.01:37
bknudsoncrap, this is all sorts of broken already.01:38
jamielennoxi expect so01:38
jamielennoxi haven't actually done one like that with stevedore, though i would think it's the default arrangement01:38
bknudsonauth_plugins.UserAuthInfo.create(auth_payload, METHOD_NAME) -- why does this take method name?01:39
bknudsonthe method name is supposed to be whatever they picked in the config file, right?01:39
jamielennoxah, maybe not, ExtensionManager looks like it will invoke all of the plugins defined on the system01:39
bknudsoncan you disable some extensions?01:40
bknudsonin a config file or something01:40
bknudsonI was planning to use the regular driver loader, where the namespace is like keystone.auth.password01:40
bknudsonso you'd have keystone.auth.password =01:41
jamielennoxbknudson: yea, there is a list of enabled auth extensions in the config file01:41
jamielennoxmaybe this: http://docs.openstack.org/developer/stevedore/managers.html#namedispatchextensionmanager01:41
bknudson  keystone = keystone.auth.plugins.password01:41
bknudsonand then the config file would have password = keystone01:42
bknudsonhmmm... that looks interesting too.01:42
bknudsonwe want to support different "password" plugins01:42
jamielennoxdo we?01:42
jamielennoxugh01:43
jamielennoxyea, ok01:43
bknudsony, I want to use the default keystone password or my custom password01:43
bknudsonwe could go back to where the extension itself provides its method01:43
bknudsonbut that's the thing that was deprecated and I'm planning to remove.01:44
jamielennoxi don't see why we'd want that, auth plugins have an abc base class, they should follow a pattern01:45
jamielennoxi don't really like the idea of having multiple keystone.auth.password but it would seem to be the best fit01:45
bknudsonwell, you can't have multiple passwords, you can pick one of many implementations01:46
jamielennoxunfortunately then you still need an option though for which password to use01:46
bknudsonright01:46
jamielennoxi guess we have that already now01:46
openstackgerritBrant Knudson proposed openstack/keystone: Remove support for loading auth plugin by class  https://review.openstack.org/17190601:48
bknudson^ this is what I was asking about removing01:48
jamielennoxoh, hmm, and you rely on stevdore to make sure the right thing is loaded?01:50
jamielennoxi mean you could do that now i guess, give it the password plugin for the external01:50
bknudsonlet me implement the stevedore part then you'll see it.01:50
bknudsony, you could give it the password plugin for external.01:51
bknudsonprobably wouldn't be very happy with the result01:51
jamielennoxbut the response would say method == 'password' i think - i don't know if that's better or worse01:51
*** erkules_ has joined #openstack-keystone01:56
*** dims has quit IRC01:56
*** erkules has quit IRC01:58
jamielennoxnevermind, i'm wrong, name is determined from config02:00
openstackgerritBrant Knudson proposed openstack/keystone: Use [] where a value is required  https://review.openstack.org/17190702:01
*** zzzeek_ has quit IRC02:02
*** harlowja is now known as harlowja_away02:03
*** samueldmq has quit IRC02:04
*** browne has quit IRC02:07
*** stevemar has joined #openstack-keystone02:12
*** ChanServ sets mode: +v stevemar02:12
*** iamjarvo has joined #openstack-keystone02:21
openstackgerritLin Hua Cheng proposed openstack/keystone: WebSSO should use remote_id_attribute by protocol  https://review.openstack.org/17188902:27
*** iamjarvo has quit IRC02:29
*** browne has joined #openstack-keystone02:38
openstackgerritMerged openstack/python-keystoneclient-kerberos: Use the package name when looking up version  https://review.openstack.org/17189802:51
*** lhcheng has quit IRC02:51
*** richm has quit IRC02:52
*** alex_xu has quit IRC03:08
openstackgerritJamie Lennox proposed openstack/keystone: Move endpoint_policy migrations into keystone core  https://review.openstack.org/17191603:15
jamielennoxmorganfainberg: so, i actually think that ^ would be sufficient03:17
jamielennoxi can't see a way in which you could have ran the migration once and have it be executed again03:17
morganfainbergjamielennox, and i think we need to drop db control03:18
morganfainbergjamielennox, but uhm... haven't tried that03:18
jamielennoxmorganfainberg: i looked at that - i don't think we can03:18
morganfainbergversioning_api has a dropcontrol03:19
morganfainbergit should be safe to use iirc03:19
jamielennoxwhen you do drop it calls: https://github.com/stackforge/sqlalchemy-migrate/blob/master/migrate/versioning/schema.py#L5903:20
morganfainberglame03:20
jamielennoxwhich wipes out the migrate_version table03:20
jamielennoxwhich i learnt the hard way03:20
morganfainbergfor all tables03:20
morganfainbergweird03:20
morganfainbergit's like no one ever thought you'd uncontroll a sub-schema03:21
jamielennoxthinking about it though its kind of a protection03:21
morganfainbergmeaning i think the subschema use-case is well.. not designed03:21
jamielennoxit's a very small thing to leave hanging around in the database03:21
morganfainbergsure03:21
*** rushiagr_away is now known as rushiagr03:22
jamielennoxi'll file a bug against sqlalchemy-migrate but i don't think its worth worrying about03:23
*** gyee has quit IRC03:27
*** lhcheng has joined #openstack-keystone03:33
*** ChanServ sets mode: +v lhcheng03:33
*** _cjones_ has joined #openstack-keystone03:34
*** ozialien has joined #openstack-keystone03:35
*** rushiagr is now known as rushiagr_away03:36
*** _cjones_ has quit IRC03:38
*** topol has quit IRC03:41
*** topol has joined #openstack-keystone03:41
*** ChanServ sets mode: +v topol03:41
*** alexsyip has joined #openstack-keystone03:42
*** angular_mike has quit IRC03:43
*** lhcheng_ has joined #openstack-keystone03:45
*** dims has joined #openstack-keystone03:45
*** lhcheng has quit IRC03:48
*** dims has quit IRC03:50
openstackgerritMerged openstack/keystone: Update openstack-common reference in openstack/common/README  https://review.openstack.org/17170603:52
*** iamjarvo has joined #openstack-keystone03:54
jamielennoxmorganfainberg: it's a thursday, but i don't think anyone uses ksc-kerberos enough to worry if we push a release03:54
morganfainbergYeah that's fine.03:57
morganfainbergStill wed night here.03:57
morganfainberg:)03:57
morganfainbergAnyway.03:57
*** rushiagr_away is now known as rushiagr04:02
openstackgerritJamie Lennox proposed openstack/keystone: Move endpoint_policy migrations into keystone core  https://review.openstack.org/17191604:05
openstackgerritJamie Lennox proposed openstack/keystone: Move endpoint policy into keystone core  https://review.openstack.org/17144804:05
*** rodrigods has quit IRC04:08
*** browne has quit IRC04:10
*** spandhe has quit IRC04:11
*** rodrigods has joined #openstack-keystone04:12
*** rushiagr is now known as rushiagr_away04:12
ayoung-mtgmorganfainberg, how do I tag something as RC potential?04:17
ayoung-mtghttps://bugs.launchpad.net/keystone/+bug/144182704:17
openstackLaunchpad bug 1441827 in Keystone "Cannot set per protocol remote_id_attribute" [High,In progress] - Assigned to Lin Hua Cheng (lin-hua-cheng)04:17
morganfainbergIn the bug "tags" add kilo-rc-potential04:18
stevemarayoung-mtg, it's been tagged i believe04:18
stevemarwe need to backport that one04:18
stevemartopol, quit working so late!04:19
ayoung-mtgstevemar, yep.  I just +2aed and tested on live04:19
morganfainbergRc2 should open next week04:19
morganfainbergThen we do the mad backport dash04:19
stevemarsounds good04:20
lhcheng_ayoung: yup, that's already tagged :)04:20
morganfainbergIf you propose it against the rc branch (doable now) I need to -2 it, but happy to have that happen.04:20
morganfainbergWhatever is easiest for you04:21
*** lhcheng_ is now known as lhcheng04:21
*** ChanServ sets mode: +v lhcheng04:21
morganfainbergBut the bug tag is the really important part.04:21
lhchengokay, I can propose it to rc when the patch gets merged.04:23
ayoung-mtglhcheng, thanks.  I think that one would have been nasty had we not caught it now.  Good fix.04:24
lhchengayoung-mtg: thanks for finding the bug!  we'll have websso, but can only support one protocol.  that's awful  :P04:26
ayoung-mtglhcheng, I'll have a live demo of two side by side...probably tomorrow04:28
lhchengayoung-mtg: awesome, good luck! I hope there won't be any more hickups.04:30
*** ayoung-mtg is now known as ayoung04:30
ayounglhcheng, I've done each separately,  just not the two together04:31
*** topol has quit IRC04:31
*** topol has joined #openstack-keystone04:31
*** iamjarvo has quit IRC04:31
*** ChanServ sets mode: +v topol04:31
*** raginbajin has quit IRC04:32
stevemarjamielennox, does KSC have keyring support?04:34
*** raginbajin has joined #openstack-keystone04:35
stevemarlhcheng, hehe04:35
jamielennoxstevemar: it used to, it won't work with session and i wouldn't trust it anyway04:35
lhchengstevemar: I am remember asking that before04:35
lhcheng:P04:35
stevemarOSC definitely does not have keyring support04:35
jamielennoxstevemar: right - you need that review to land04:35
stevemarjamielennox, what review? the documentation one?04:35
jamielennoxi was going to try and write support on the osc side, haven't yet04:35
lhchengKSC, it doesn't.  remember jamielennox mentioend something about being flaky :P04:36
jamielennoxhttps://review.openstack.org/#/c/149175/04:36
jamielennoxi mean you could always do it manually from OSC, but ^ is better04:36
stevemaroh that guy04:37
stevemari meant this guy: https://review.openstack.org/#/c/163503/204:37
jamielennoxoh, nfi04:37
jamielennoxi haven't tested support from the CLI for a long time04:38
jamielennoxit probably still works, it's just pretty horrible04:38
lhchengjamielennox: oh, we actually use the keyring support!  someone from our team was planning to submit the patch to fix that.04:40
* lhcheng looking for the bug report04:41
jamielennoxlhcheng: fix what?04:41
lhchengjamielennox: keyring in KSC04:41
jamielennoxlhcheng: the problem with keyring support (one of) is that when it was written there was still the assumption that the only point of the library was a backend for a CLI04:41
jamielennoxlhcheng: the keyring support does horrible things like insert keyring entries for everything that keystoneclient does04:42
jamielennoxwell if you set use_keyring=True, so i guess that's not surprising - but still04:43
lhchenghttps://bugs.launchpad.net/python-keystoneclient/+bug/135756704:43
openstackLaunchpad bug 1357567 in python-keystoneclient "auth_ref caching/retrieving is failing - user needs to provide password for every command" [Undecided,In progress] - Assigned to Shraddha Pandhe (shraddha-pandhe)04:43
jamielennoxlhcheng: hmm, i think password every time is normal04:43
jamielennoxbut i can't remember04:43
jamielennoxit's not about preventing you from entering a password, it's to prevent it from having to talk to keystone every time - but again i'd need to look up the exact flow again04:44
lhchengI think the shell have to lookup the keyring first before prompting for password. I can't remember exactly the details of the bug and fix.04:45
jamielennoxno, because the keyring code is in the client part, all the shell does is pass through a use_keyring flag04:45
*** browne has joined #openstack-keystone04:46
*** rushiagr_away is now known as rushiagr04:47
*** iamjarvo has joined #openstack-keystone04:48
lhchengjamielennox:  you're right, the shell checks if clients already have the token: https://review.openstack.org/#/c/151478/2/keystoneclient/shell.py04:48
*** iamjarvo has quit IRC04:48
*** iamjarvo has joined #openstack-keystone04:49
lhchengwe can circle back to it later,  I'll check tomorrow if she's still going to work on it.04:51
*** spandhe has joined #openstack-keystone04:54
*** stevemar has quit IRC04:57
*** spandhe_ has joined #openstack-keystone04:57
jamielennoxlhcheng: sounds good - in general i don't think i'd bother, send it to OSC instead04:57
*** rushiagr is now known as rushiagr_away04:58
*** spandhe has quit IRC04:59
*** spandhe_ is now known as spandhe04:59
lhchengjamielennox: I agree, hopefully I can convince folks here to consume OSC on our next internal upgrade.04:59
*** iamjarvo has quit IRC05:00
*** ozialien has quit IRC05:06
*** spandhe has quit IRC05:09
*** chlong has quit IRC05:09
openstackgerritMerged openstack/keystone: WebSSO should use remote_id_attribute by protocol  https://review.openstack.org/17188905:10
*** crinkle has quit IRC05:24
*** crinkle has joined #openstack-keystone05:25
*** spandhe has joined #openstack-keystone05:37
*** ajayaa has joined #openstack-keystone05:38
*** tobberydberg has joined #openstack-keystone05:57
*** browne has quit IRC06:00
*** mflobo1 has joined #openstack-keystone06:15
*** mflobo1 has quit IRC06:16
*** mflobo has quit IRC06:17
*** mflobo has joined #openstack-keystone06:18
*** topol has quit IRC06:31
*** topol has joined #openstack-keystone06:32
*** ChanServ sets mode: +v topol06:32
*** sdake_ has joined #openstack-keystone06:32
*** topol has quit IRC06:37
*** lhcheng has quit IRC06:38
*** alex_xu has joined #openstack-keystone06:40
*** rushiagr_away is now known as rushiagr06:43
*** lhcheng has joined #openstack-keystone06:44
*** ChanServ sets mode: +v lhcheng06:44
*** alex_xu has quit IRC06:47
*** krykowski has joined #openstack-keystone06:51
*** alex_xu has joined #openstack-keystone06:51
*** trey has quit IRC06:53
*** lhcheng has quit IRC06:56
*** trey has joined #openstack-keystone06:58
*** pnavarro has joined #openstack-keystone07:02
*** sdake_ has quit IRC07:05
*** alexsyip has quit IRC07:08
*** alexsyip has joined #openstack-keystone07:11
*** afazekas has joined #openstack-keystone07:13
*** trey has quit IRC07:14
*** jistr has joined #openstack-keystone07:15
*** sdake has joined #openstack-keystone07:18
*** angular_mike has joined #openstack-keystone07:20
*** trey has joined #openstack-keystone07:20
*** alexsyip_ has joined #openstack-keystone07:23
*** sdake_ has joined #openstack-keystone07:25
*** alexsyip has quit IRC07:26
*** alexsyip_ is now known as alexsyip07:26
*** sdake has quit IRC07:26
*** pnavarro has quit IRC07:26
*** fhubik_afk has joined #openstack-keystone07:29
*** sdake_ has quit IRC07:30
*** alexsyip has quit IRC07:41
*** sdake has joined #openstack-keystone07:52
*** jamielennox is now known as jamielennox|away08:01
*** spandhe has quit IRC08:06
*** erkules_ is now known as erkules08:14
*** erkules has joined #openstack-keystone08:14
*** jasondotstar has quit IRC08:20
*** davechen has quit IRC08:41
*** davechen has joined #openstack-keystone08:41
*** rwsu has quit IRC08:41
*** boris-42 has joined #openstack-keystone09:16
*** pcaruana has joined #openstack-keystone09:17
*** angular_mike has quit IRC09:43
*** sdake_ has joined #openstack-keystone09:46
*** sdake_ has quit IRC09:49
*** sdake has quit IRC09:50
*** davechen has left #openstack-keystone09:54
*** f13o has quit IRC09:54
*** pnavarro has joined #openstack-keystone09:59
*** pnavarro has quit IRC10:05
*** krykowski_ has joined #openstack-keystone10:06
*** krykowski has quit IRC10:09
*** dims_ has joined #openstack-keystone10:23
*** jaosorior has joined #openstack-keystone10:31
*** jamielennox|away is now known as jamielennox10:42
*** aix has joined #openstack-keystone10:51
*** topol has joined #openstack-keystone11:33
*** ChanServ sets mode: +v topol11:33
*** fhubik_afk has quit IRC11:34
*** fhubik has quit IRC11:35
*** fhubik has joined #openstack-keystone11:35
*** fhubik is now known as fhubik_afk11:35
*** stevemar has joined #openstack-keystone11:43
*** ChanServ sets mode: +v stevemar11:43
*** hogepodge has quit IRC11:47
*** jamielennox is now known as jamielennox|away11:53
*** stevemar has quit IRC12:02
*** fhubik_afk is now known as fhubik12:03
*** hogepodge has joined #openstack-keystone12:04
*** rodrigods has quit IRC12:06
*** rodrigods has joined #openstack-keystone12:06
*** dims_ has quit IRC12:10
*** dims_ has joined #openstack-keystone12:13
*** bknudson has quit IRC12:20
*** dims__ has joined #openstack-keystone12:23
*** raildo|away is now known as raildo12:25
*** dims_ has quit IRC12:27
*** gordc has joined #openstack-keystone12:37
*** browne has joined #openstack-keystone12:40
*** angular_mike has joined #openstack-keystone12:40
*** bknudson has joined #openstack-keystone12:42
*** ChanServ sets mode: +v bknudson12:42
*** bknudson has left #openstack-keystone12:43
*** bknudson has joined #openstack-keystone12:43
*** ChanServ sets mode: +v bknudson12:43
*** ozialien has joined #openstack-keystone12:43
*** aix has quit IRC12:53
*** aix has joined #openstack-keystone13:03
*** fhubik is now known as fhubik_afk13:04
*** lifeless has quit IRC13:07
*** fhubik_afk is now known as fhubik13:08
*** richm has joined #openstack-keystone13:23
*** dims__ has quit IRC13:28
*** dims_ has joined #openstack-keystone13:28
*** iamjarvo has joined #openstack-keystone13:33
*** dims__ has joined #openstack-keystone13:36
*** iamjarvo has quit IRC13:37
*** dims_ has quit IRC13:37
*** rushiagr is now known as rushiagr_away13:39
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone-specs: Crating Liberty repository for specs  https://review.openstack.org/17173313:41
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone-specs: Creating Liberty repository for specs  https://review.openstack.org/17173313:41
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone-specs: Move reseller spec for Liberty release  https://review.openstack.org/17092613:41
*** davidckennedy has joined #openstack-keystone13:43
davidckennedyI'm trying to run tox in keystonemiddleware but getting complaints "oslo_config.cfg.NoSuchOptError: no such option in group keystone_authtoken: endpoint_id".  Once I've set up the venv shouldn't I just be able to execute tox?13:44
*** stevemar has joined #openstack-keystone13:46
*** ChanServ sets mode: +v stevemar13:46
rodrigodsstevemar, have a moment to discuss https://review.openstack.org/#/c/161751/ ?13:48
*** edmondsw has joined #openstack-keystone13:50
*** openstackgerrit has quit IRC13:53
*** openstackgerrit has joined #openstack-keystone13:53
davidckennedyOK, to answer my own question, yes I should.  It appears that the patch set I've picked up was incomplete so I've more work to do than just babysitting.13:53
stevemarrodrigods, sure13:54
*** jorge_munoz has quit IRC13:54
stevemarrodrigods, i don't know how i want that patch to end up looking13:54
rodrigodsstevemar, yeah :(13:54
rodrigodsstevemar, the thing is... jamielennox|away said the -federation repo is going to change to -saml13:55
rodrigodsuntil than it won't have a release13:55
rodrigodsand the base class should be https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/auth/identity/v3/federated.py#L2513:56
rodrigodsso he suggested to implement in ksc itself13:56
*** _cjones_ has joined #openstack-keystone13:56
rodrigodsbut this FederatedBaseAuth class is for a completely different use case if compared to k2k13:57
stevemarrodrigods, yeah, it's getting a bit tangled13:57
stevemarrodrigods, KSC has some of the saml stuff in it right?13:58
stevemarmaybe propose this to regular KSC13:58
*** markvoelker has quit IRC13:58
stevemari think jamielennox|away just wants to make sure we don't pull in lxml13:59
*** _cjones_ has quit IRC13:59
*** markvoelker has joined #openstack-keystone13:59
rodrigodsstevemar, think the saml2 file was removed13:59
rodrigodsstevemar, but we can always add it back :)13:59
stevemarnaw, not without an alternative13:59
*** krykowski has joined #openstack-keystone14:01
rodrigodsstevemar, so I'll resubmit the patch, but to ksc14:02
*** krykowski_ has quit IRC14:04
*** browne has quit IRC14:05
*** zzzeek has joined #openstack-keystone14:08
*** sdake has joined #openstack-keystone14:10
stevemarrodrigods, ++14:17
*** pcaruana has quit IRC14:17
*** lifeless has joined #openstack-keystone14:18
*** iamjarvo has joined #openstack-keystone14:24
*** iamjarvo has quit IRC14:24
*** iamjarvo has joined #openstack-keystone14:25
*** iamjarvo has quit IRC14:25
*** samueldmq has joined #openstack-keystone14:26
*** iamjarvo has joined #openstack-keystone14:26
*** fhubik has quit IRC14:27
*** afazekas has quit IRC14:29
*** rushiagr_away is now known as rushiagr14:30
gsilvisayoung: In response to one of our conversations yesterday...  It seems that you can list the projects for a user, but only with the v3 API---does this sound right?14:30
ayounggsilvis, as I said, it depends on policy...let me show you14:31
gsilvisI can't even see an appropriate API call in v214:31
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.json#n3814:32
ayoungSo we would want a policy rule that would let a user see their own projectys14:32
gsilvisWhat API call does that correspond to?  See also https://bugs.launchpad.net/keystone/+bug/141519014:32
openstackLaunchpad bug 1415190 in Keystone "list_user_projects method at assignment manager needs to be removed" [Low,Fix released] - Assigned to Samuel de Medeiros Queiroz (samueldmq)14:32
*** topol has quit IRC14:32
ayoungbut...yeah, we would want V3 anyway, so if you can make it work with V3, yiou should be better off anyway14:33
ayounggsilvis, hmmm14:33
ayounglet's start at the router14:33
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/assignment/routers.py#n3814:34
*** rushiagr is now known as rushiagr_away14:34
ayoungThat is the only formally supported V2 API from the Public assignment api.14:34
ayoungso  that should be on14:34
*** csoukup has joined #openstack-keystone14:35
ayounghttp://keystone:5000/v2.0/tenants14:35
ayounglet's see what I get on my server...14:35
gsilvisOkay, that API call certainly exists, but I'm not authorized to do it yet.  let's check the policy...14:35
*** browne has joined #openstack-keystone14:36
ayoung$ curl http://$HOSTNAME:5000/v2.0/tenants14:36
ayoung{"error": {"message": "Could not find token:  (Disable debug mode to suppress these details.)", "code": 401, "title": "Unauthorized"}}-sh-4.2$14:36
bknudsonthere's no policy for v2 api except for a couple of calls14:36
*** krykowski has quit IRC14:36
samueldmqgsilvis, ayoung that call was not used anymore14:37
bknudsoncan see https://review.openstack.org/#/c/168521/14:37
*** krykowski has joined #openstack-keystone14:37
ayoungsamueldmq, the call is the V2 supported call,  it has to be there while deprecated and untyil removed14:37
gsilvisbknudson: ooh, I like that mapping file a lot14:37
ayoungget_projects_for_token does not do a policy check14:37
samueldmqayoung, the call at the router/controller exists14:37
samueldmqayoung, but that method in the manager was not being used14:38
openstackgerritAlexander Makarov proposed openstack/keystone: Add redelegation columns to Trust SQL model  https://review.openstack.org/17209014:38
samueldmqayoung, I am talking specifically about that bug ^14:38
ayoungsamueldmq, right14:38
*** amakarov_away is now known as amakarov14:38
ayounggsilvis, so,  you don't need to be admin to get you set of projects14:38
ayounggsilvis, OK,  so the keystone  CLI calls port 35357.14:40
ayoungso, yeah, that won't work,  as that is the addmin interface14:40
gsilvisoh!!14:40
*** mattfarina has joined #openstack-keystone14:40
samueldmqayoung, https://github.com/openstack/keystone/blob/master/etc/policy.json#L3814:40
gsilviscurl http://localhost:5000/v2.0/tenants -H"X-Auth-Token: <etc>" works, yeah14:41
ayounghttp://docs.openstack.org/developer/keystone/api_curl_examples.html#get-tenants14:41
gsilvisI had been trying 35357 the whole time14:41
ayounggsilvis, and now you know why we are trying to kill the v2 API.14:41
gsilvis:P14:41
samueldmq++14:41
ayounggsilvis, you guys should be targetting v3 only for new dev14:42
*** tobberydberg has quit IRC14:45
ayoungstevemar, {"error": {"message": "Could not find Identity Provider: https://ipa.younglogic.net/idp/saml2/metadata", "code": 404, "title": "Not Found"}}14:50
stevemarayoung, don't scare me now, whats up14:51
ayoungis that mapping from the remote_id_attribute?14:51
ayoungstevemar, I'm setting up SAML with Ipsilong.  REdirect to Ipsilon works,  but coming back the Keystone page errors out ^^14:51
ayounghttp://keystone.younglogic.net:5000/v3/auth/OS-FEDERATION/websso/saml2?origin=http://keystone.younglogic.net/auth/websso/14:52
ayoungnkinder, just suggested I was not matching the remote id14:52
ayounglet's see...14:52
ayoungselect * from idp_remote_ids;14:52
ayoungyep, not in there....14:53
ayoungnkinder, OK,  I think I jknow where it messed uop14:53
ayoungnkinder, https://github.com/nkinder/rdo-vm-factory/blob/master/rdo-federation-setup/vm-post-cloud-init-rdo.sh#L24214:54
ayoungI'm using devstack, so I should not need to do the curl, no?14:54
ayoungstevemar, do we have OSC support for setting the remote_id?14:55
stevemarayoung, you betcha14:56
samueldmq<stevemar> ayoung, don't scare me now, whats up14:56
samueldmqhaha14:56
ayoungstevemar, ah, maybe I have an older client14:56
ayoungnope14:56
stevemarayoung, it's in the master branch, not released yet14:57
ayoungstevemar, I'm working from master14:57
stevemargit pull origin master && python setup.py install14:57
stevemarit shouuuuuld be there14:57
stevemaron identity provider create / set14:57
ayoung$ cat /usr/lib/python2.7/site-packages/python-openstackclient.egg-link14:58
ayoung/opt/stack/python-openstackclient14:58
ayoungstevemar, its not in the help list14:58
*** mflobo has quit IRC14:58
ayoung$ openstack --help 2>&1 | grep remote14:58
ayoung  console url show  Show server's remote console URL14:58
stevemarit wouldn't be in the generic help output14:59
stevemartry $ openstack help identity provider create14:59
ayoungGroup ipausers returned by mapping ipsilon_mapping was not found in the backend.15:03
ayoungOK...good, new error15:03
ayoungGuessing that is a Federated domain issue.  I want to map to the default domain15:04
ayoungmaybe update my mapping?15:05
*** rhagarty_ has quit IRC15:07
*** rhagarty has joined #openstack-keystone15:07
stevemarayoung, thought it wasn't supposed to barf on groups that aren't found?15:08
ayoungstevemar, yep...but I created that group...sort of15:08
ayoungstevemar, I think I'm good...I just needed to get over the remote_id thing15:09
stevemarayoung, okie dokie15:09
*** krykowski has quit IRC15:10
*** topol has joined #openstack-keystone15:11
*** ChanServ sets mode: +v topol15:11
ayoungGAH15:13
ayoung select * from 'group';15:13
ayoungERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''group'' at line 115:13
*** jistr is now known as jistr|mtg15:15
ayoungstevemar, OK,   got it15:16
ayoungI was mapping group id, should have been name15:16
stevemarah15:16
stevemaryeah, we're going for name now!15:16
stevemarscrew those ids15:16
*** samueldmq has quit IRC15:18
ayoungnkinder, what should mod_mellon be producing for the list of groups?  I know there was some issue there with ;  vs :15:22
ayoungwhat is the env var, though?15:22
*** ajayaa has quit IRC15:26
*** jistr|mtg is now known as jistr15:27
morganfainbergstevemar, can i point out that --help not being on stdout is weird?15:30
morganfainbergif 2>&1 is needed to grep15:30
openstackgerritAlexander Makarov proposed openstack/keystone: Add redelegation columns to Trust SQL model  https://review.openstack.org/17209015:32
stevemarmorganfainberg, it does go to stdout, and grep works15:35
morganfainbergok15:35
stevemaropenstack --help | grep 'user'15:35
openstackgerritDavid Charles Kennedy proposed openstack/keystonemiddleware: Add Endpoint Enforcement to Keystonemiddleware  https://review.openstack.org/15329615:38
*** jistr has quit IRC15:40
ayoungstevemar, OK,  I got SAML to wrok along side Kerberos for Horizon websso.15:44
stevemar\o/15:46
ayounghttp://keystone.younglogic.net  should work with SAML.  If you don't have a Kerberos TGT, it will default to Userid and password15:48
ayoungyou  have an account15:48
stevemaryou are right, i do15:49
*** angular_mike has quit IRC15:53
stevemarayoung, i'm on a train, so my connect is pretty awful :)15:54
ayoungheh15:54
ayoungstevemar, OK...when you get settled.15:54
stevemaryour horizon is taking a while to load15:54
morganfainbergFYI we now have stable branches for middleware and keystoneclient15:56
morganfainbergwe will need to do backports for15:56
morganfainbergmiddleware is stable/juno15:56
morganfainbergclient is stable/juno and stable/icehouse15:56
stevemarnice15:56
stevemari am le in15:56
morganfainbergwe will be doing semver backports for security reasons to the version number.Z++ as needed15:56
stevemari see the projects, that's goood15:57
bknudsonI just hope there's no security vulnerabilities in middleware or client!15:57
morganfainbergbknudson, there already is.15:58
bknudsonwe can test the process15:58
morganfainbergbknudson, and we have to go through all advisories and prioritise these fixes and then do a g-r update for the .Z update for juno/icehouse15:58
*** gyee has joined #openstack-keystone15:59
*** ChanServ sets mode: +v gyee15:59
bknudsonmorganfainberg: seems like the cap should have included .Z++?15:59
morganfainbergthe g-r was already there15:59
morganfainbergso we need to propose that fix to g-r for the stables16:00
*** rwsu has joined #openstack-keystone16:02
*** bdossant has joined #openstack-keystone16:04
*** jdennis1 has joined #openstack-keystone16:05
* morganfainberg issued the recheck on the g-r update for ksm16:06
morganfainbergstevemar, bknudson, jamielennox|away, please make sure we get anything we want in the client/ksm for kilo capped version in gate today.16:06
*** jdennis has quit IRC16:06
bknudsonis jenkins still failing everything?16:08
lbragstadbknudson: looks to be that way16:09
morganfainbergfor ksc and ksm the failures should now stop16:09
morganfainberguse https://review.openstack.org/#/c/166438/ as the baseline16:10
morganfainbergwe also have an issue where keystone cannot upgrade in grenade with mod_wsgi deployment16:10
morganfainberg[04/09/2015 -:- 08:48:16]  <sdague>the error you get is that keystone.openstack.common.log doesn't exist16:10
morganfainbergthe fix needs to go into devstack so devstack is smart about tearing down keystone under mod_wsgi16:11
morganfainbergcould someone jump on that grenade right away? if not i'll be looking at it when i get back from my errands across town16:11
morganfainbergbut, i'd rather not have this wait 3-4 hours before someone starts poking at it16:12
morganfainbergsdague in -qa brought this to my attention16:12
morganfainbergstevemar, dstanek, gyee, bknudson, ayoung, lbragstad, dolphm, ^ [or anyone else who loves devstack work]16:12
nkinderayoung: mellon uses a ';', and you need to enable MellonMergeEnvVars for it to create a list16:14
nkinderayoung: that option is only in 0.1016:14
ayoungnkinder, yeah, I think I'm getting one group using MELLO_groups16:15
dolphmmorganfainberg: have a link to the grenade failure?16:15
morganfainbergsec16:15
morganfainbergnope16:16
morganfainbergconfig isn't running anywhere yet16:16
dolphmmorganfainberg: i'm guessing the upgrade process isn't using the newer https://github.com/openstack/keystone/blob/master/httpd/keystone.py16:16
morganfainberggrenade has only been eventlet16:16
*** davidckennedy has quit IRC16:16
morganfainbergdolphm, sdague was tryng to get the uprade testing to work from what i gather16:16
morganfainbergdolphm, it likely copies the file in, then upgrades and fails to copy the new file in16:17
* morganfainberg has to run. errand on the other side of town.16:17
dolphmmorganfainberg: right, that's what i'm thinking16:17
nkinderayoung: the detailf behavior for multiple values is tpo have separate env. vars. with an index number (MELLON_GROUP_0, MELLON_GROUP_1, ...)16:17
nkindererr.... default16:17
morganfainbergdolphm, if no one can jump on it while i'm out, i'll jump on it when back :)16:17
nkinderdamn muscle memory16:18
dolphmmorganfainberg: i'm poking sdague in -dev now16:18
morganfainbergdolphm, thanks.16:18
morganfainbergdolphm, and -qa is good.16:18
morganfainbergif he's less focused in -dev16:18
morganfainbergdolphm, thanks!!16:18
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/17213916:18
*** alexsyip has joined #openstack-keystone16:20
openstackgerritAlexander Makarov proposed openstack/keystone: Add redelegation columns to Trust SQL model  https://review.openstack.org/17209016:20
gyeemorganfainberg, k, since dolphm volunteered16:21
*** ajayaa has joined #openstack-keystone16:21
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient-kerberos: Updated from global requirements  https://review.openstack.org/15558416:25
*** bdossant has quit IRC16:25
*** ozialien has quit IRC16:26
*** arunkant_ has joined #openstack-keystone16:32
stevemarayoung, you should do a volume list on the demo project <.<    >.>16:34
*** harlowja_away is now known as harlowja16:35
ayoungSCHAWING!16:35
ayoungstevemar, so, I was messing around with IPAs Host Based Access Control, cuz I don't want web-only users to be able to ssh in to the machine, and I had broken it, and fixed it while you wer playing16:36
ayoungOK...lunch!16:36
*** ayoung is now known as ayoung-lunch16:36
openstackgerritAlexander Makarov proposed openstack/keystone: Add redelegation columns to Trust SQL model  https://review.openstack.org/17209016:39
*** lhcheng has joined #openstack-keystone16:39
*** ChanServ sets mode: +v lhcheng16:39
*** csoukup has quit IRC16:42
*** jdennis1 has quit IRC16:43
*** david8hu has quit IRC16:54
openstackgerritAlexander Makarov proposed openstack/keystone: Add redelegation columns to Trust SQL model  https://review.openstack.org/17209016:57
*** angular_mike has joined #openstack-keystone16:57
*** viktors is now known as viktors|afk17:02
amakarovmorganfainberg, hi! I remember it was discussion about removing 'extra' field from models: is there any blueprint to use?17:13
*** _cjones_ has joined #openstack-keystone17:13
*** _cjones_ has quit IRC17:13
*** _cjones_ has joined #openstack-keystone17:13
*** openstack has quit IRC17:13
*** openstack has joined #openstack-keystone17:13
*** jdennis has joined #openstack-keystone17:16
openstackgerritguang-yee proposed openstack/keystone: make sure we properly initialize the backends before using the drivers  https://review.openstack.org/17186417:20
ayoung-lunchstevemar, we are now at the pint where I am thinking things like:  OK, if the authentication fails via Federation, we need a better error page...we need to know what page in Horizon to redirect the user back to, or how to talk to the Django login mechanism17:25
ayoung-lunchBut I am not really here...I still didn;t make it to lunch17:25
*** ozialien has joined #openstack-keystone17:25
stevemarayoung-lunch, go eat lunch!17:26
stevemarayoung-lunch, we can provide a fail template like we do with the callback template17:27
ayoung-lunchstevemar, nah, we need a redirect to Horizon and let them handle the UI17:27
*** boris-42 has quit IRC17:28
*** zzzeek has quit IRC17:29
*** amakarov is now known as amakarov_away17:29
lhchengmorganfainberg:  for rc-2 backport, I should be proposing the patch to proposed/kilo branch?17:35
*** aix has quit IRC17:37
morganfainberglhcheng: yeah but anything proposed there needs to be -2 unless rc2 window is open and bug appropriately targeted.17:38
morganfainberglhcheng: you might want to wait on the back port to when we open rc2 window.17:38
*** zzzeek has joined #openstack-keystone17:38
* morganfainberg is afk for a couple hours. Bbiab17:38
lhchengmorganfainberg: gotcha, I'll wait for rc2 window then17:39
lhchengayoung-lunch: for websso federation, how about if keystone posting back three fields instead?   token, status_code and message17:39
stevemarlhcheng, now you're cooking with fire!17:40
*** gyee has quit IRC17:40
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient: Add Keystone2KeystoneAuthPlugin for K2K federation  https://review.openstack.org/17215517:40
rodrigodsstevemar, ^17:40
lhchengstevemar: first time I heard the expression. :P  is it the other end of the expression  "cooking with gas"?17:44
stevemarlhcheng, sure, or maybe my expression is wrong :P17:44
lhchengcanadian version ? :)17:45
rodrigodslhcheng, raildo available to discuss https://review.openstack.org/#/c/158720/ ?17:45
*** david8hu has joined #openstack-keystone17:45
lhchengbknudson might have some thoughts about error response too ^17:46
bknudsonI like henrynash's suggestion, from a purity point of view.17:47
rodrigodsbknudson, lhcheng ++17:48
rodrigodsme too17:48
bknudsonbut we've already got a mess of managers returning HTTP exceptions, so this isn't something strange.17:48
bknudsonmight as well try it out and then maybe henrynash will +2 it.17:48
bknudsonis that all there was to discuss?17:49
lhchengaside from the controller vs manager17:49
lhchengthere is another question about what to raise for ProjectNotFound, DomainNotFound error17:50
lhchengFor example: when we create a project with parent_id17:50
lhchengwe validate that the parent_id exists17:50
lhchengShould we be translating the ProjectNotFound exception to ValidationError too17:51
lhchengbecause really, we are performing a validation17:51
rodrigodsthe HTTP code makes sense17:51
rodrigodsto be 40017:51
rodrigodsnot 40417:52
raildolhcheng, Do you have see the henrynash's comment here: https://review.openstack.org/#/c/159944/17:53
lhchengraildo: yeah. Seems like going forward, the handling of the error code should be handled in the controller.  I am fine with that too, as long as we'll do it consistently.17:56
rodrigodsright now, we do not convert *NotFound to ValidationError17:59
rodrigods(in other cases, as for creating a user for example)17:59
rodrigodsso I think we need to be consistent here17:59
rodrigodsif the 404 should be turned into a 400, that is a separate discussion, I think17:59
bknudsonPOST /v3/projects should never return a 40418:00
bknudsonbecause the /v3/projects resource exists.18:00
rodrigodsbknudson, sagreeo we have a bug in POST /v3/users18:01
rodrigodsagreed and we have a bug in*18:01
lhchengbknudson: agree, that's kinda weird response18:01
bknudsonI don't think we can fix that... let's try to not mess it up elsewhere.18:01
lhchengrodrigods: yeah, that could be tackled separately to make it consistent18:01
lhchengbknudson: so we keep thing as is? and just make the new API return the correct response?18:02
bknudsonlhcheng: yes.18:02
lhchengbknudson: I am fine with that, I can imagine some consumer that may already relying on that 404 error since we already have it out.18:03
lhcheng++ for not breaking backward compatibility18:04
raildolhcheng, ok, we have to explain this for henrynash later, just to keep everyone updated about this :)18:04
bknudsonraildo: explain what?18:05
bknudsonI thought you were going to do what he suggested.18:05
rodrigodslhcheng, the behavior is not documented https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3.rst#create-user and the consumer may be testing for 40*18:05
raildobknudson, about waht he said in this comment: https://review.openstack.org/#/c/158720/10/keystone/resource/core.py18:05
*** sdake_ has joined #openstack-keystone18:05
rodrigodslhcheng, so I believe we can create the bug, update the API spec and fix the return code18:06
bknudsonoh, his suggestion was something different.18:06
raildobknudson, yeap18:06
bknudsonmaybe he just wants a different exception.18:07
*** mestery has quit IRC18:07
*** sdake has quit IRC18:09
rodrigodsbknudson, I think he is concerned about the POST /v3/users behavior, which returns the *NotFound18:09
bknudsonI don't think the API stability requirements allow that change.18:10
rodrigodsbknudson, from 404 to 400? just for the create_user case, right?18:10
*** mestery has joined #openstack-keystone18:10
bknudsonyes, just for the POST /v3/users case, if that's what it did before.18:11
rodrigodsbknudson, even if it is not documented in our API spec?18:11
bknudsonespecially if it's not documented in the API spec.18:11
rodrigodslol18:11
rodrigodsok18:11
bknudsonthe spec should be updated.18:12
rodrigodsit's really strange one call return 400 and another return 404 for the same error :(18:13
bknudsonI agree... someone should have been reviewing these changes and making sure that didn't happen.18:13
*** tqtran has joined #openstack-keystone18:14
rodrigodsbknudson, this is an example of a trade off where I don't know yet what to choose: the correct return breaking the consistency between different calls or the wrong return keeping the consistency18:16
rodrigodsbut seems the first option is the one to go, right?18:16
bknudsonthe first option is the one to choose.18:16
lhchengit is what it is, we have to commit to API stability.18:18
lhchengbknudson: thanks for you inputs, very helpful18:18
rodrigodslhcheng, bknudson ++18:22
*** sdake has joined #openstack-keystone18:25
*** sdake_ has quit IRC18:29
*** ajayaa has quit IRC18:30
*** BAKfr has quit IRC18:40
*** pnavarro has joined #openstack-keystone18:41
*** ozialien has quit IRC18:42
*** BAKfr has joined #openstack-keystone18:44
*** ozialien has joined #openstack-keystone18:44
*** zzzeek has quit IRC18:46
*** aix has joined #openstack-keystone18:55
*** Farhan has quit IRC19:01
gordcis there some unique setting that needs to be set to get pki tokens working in devstack?19:20
*** iamjarvo has quit IRC19:26
*** kr4zy has joined #openstack-keystone19:28
kr4zyCan anyone confirm that caching is available for the identity component using ldap?19:29
*** iamjarvo has joined #openstack-keystone19:30
*** iamjarvo has quit IRC19:31
*** iamjarvo has joined #openstack-keystone19:31
*** iamjarvo has quit IRC19:32
*** iamjarvo has joined #openstack-keystone19:32
*** samueldmq has joined #openstack-keystone19:33
stevemargordc, why are you subjecting yourself to that?19:33
gordcstevemar: apparently it don't work for ceilometer. i'm debugging. i think it might be how we configure it in devstack.19:37
rodrigodsstevemar, if I have two projects with the same name (in different domains), we may have a problem in k2k mapping, right?19:38
*** pnavarro has quit IRC19:39
*** iurygregory has joined #openstack-keystone19:40
*** _cjones_ has quit IRC19:48
dolphmnkinder: ayoung-lunch: what's ipsilon?19:49
andreafmorganfainberg: hi - I implemented bp to make tempest capable to work on an identity v3 only cloud - and I have this bp https://blueprints.launchpad.net/tempest/+spec/keystone-v3-jobs about setting up CI for it - however I need a identity v3 only devstack to actually verify my work - do you think it's something feasible right now?19:50
*** dims__ is now known as dims19:50
rodrigodsdolphm, https://fedorahosted.org/ipsilon/19:50
morganfainbergandreaf: devstack can't do that today but it is on the list of what I'm hoping to see this cycle. And get everything else able to work in that mode.19:51
dolphmrodrigods: thanks!19:51
morganfainbergSo we can gate on it.19:51
andreafmorganfainberg: oh, is that a limit of devstack only or is it the services who cannot all talk v3?19:52
bknudsonyou'd need to remove v2 from the paste pipeline.19:53
morganfainbergandreaf: most services don't care v3 or otherwise. We don't have a mode where devstack can deploy v2 keystone disabled atm, so we aren't testing it.19:53
morganfainbergandreaf: devstack is limited, therefore other testing has been "as we find things that don't play nice"19:54
morganfainbergLike I said, target for liberty.19:55
*** zzzeek has joined #openstack-keystone19:55
rodrigodsmorganfainberg, stevemar, ayoung-lunch, can you check bug #1442343?19:55
openstackbug 1442343 in Keystone "Mapping openstack_project attribute in k2k assertions with different domains" [Undecided,New] https://launchpad.net/bugs/144234319:55
andreafmorganfainberg: ok - let me know if you find any issue on tempest side when working on that19:55
*** ayoung-lunch is now known as ayoung19:55
ayoungrodrigods, you need to clean up the language on that bug.   I can't tell what you are saying is wrong/20:00
ayoungdolphm, ipsilon is a project for doing SAML from existing IdPs20:00
ayounghttps://fedorahosted.org/ipsilon/20:00
ayoungdolphm, its basically an attempt to make it easier to add SAML and other SSO techs on to LDAP20:01
nkinderayoung: correction.  Ipsilon is a multi-protocol IdP20:01
nkinderCurrently SAML, OpenID, and Persona20:01
nkinderOpenID Connect is in progress20:01
dolphmayoung: nkinder: cool20:01
bknudsonkeystone can generate saml assertions from LDAP, too.20:02
ayoungdolphm, since it can back to PAM, one potential is to use if for Testing Fedration in devstack with not LDAP or any other external20:02
nkinderbacked by things like FreeIPA, PAM, Kerberos, generic LDAP, or other IdPs20:02
*** angular_mike has quit IRC20:03
*** ozialien has quit IRC20:03
rodrigodsayoung, better?20:05
ayoungrodrigods, yes.  THat is kindof a big limitation....20:06
rodrigodsayoung, is there a problem if we pass the domain in the assertion as well?20:07
ayoungrodrigods, I've been ignoring K2K thus far.  I'm not really the driver for it.20:08
rodrigodsayoung, the problem is even bigger if we introduce the project naming constraints planned in Reseller20:08
rodrigodsayoung, ok :(20:08
rodrigodsayoung, neither stevemar, marekd or gyee here, so...20:08
ayoungrodrigods, I think K2K needs some rethinking anyway20:09
ayoungI think it will end up being split into two distinct things20:09
ayoungone is the Keystione IdP, which20:10
ayoungwill let companies continue to use their existing user databases....20:10
morganfainbergayoung, the main usecase for k2k is many aggregate IDPs and then sub-clouds20:10
morganfainbergayoung, where accepting identity from all the IDPs for every sub-cloud (aka vendor) becomes a real orchestration headache20:11
ayoungmorganfainberg, um...sure20:11
ayoungor we can make it not be a headache20:11
morganfainbergayoung, i have vendors in italy, canada, and california who need access to my swift store(s), they supply their own IDPs. i can then manage their access to my outside cloud vendors aka bluebox20:11
ayoungbut that is leading in to the design of Federation20:12
morganfainbergayoung, how do you make that *not* a headache20:12
ayoungmorganfainberg, first off, we make the FEderation mapping such that you don;'t need to be All powerful to make changes20:12
morganfainbergevery time you add another designated cloud you ask the endpoints to generate saml for them?20:12
morganfainbergno.20:12
ayoungYes20:12
ayoungthat is like, 10120:12
morganfainberggod enterprises are going to kill you20:13
morganfainbergi've already had to fight this battle twice20:13
raildolol20:13
*** _cjones_ has joined #openstack-keystone20:13
ayoungHeh20:13
morganfainbergand asking it every time "oh now do it for X, and then Y and then Z"20:13
morganfainbergthe answer is "yep, we don't want this anymore"20:13
*** Ephur_ has joined #openstack-keystone20:13
ayoungmorganfainberg, I tried to beg off the questions...20:13
*** Ephur has quit IRC20:14
morganfainbergthey want to be able to access the *aaS thing and let that be wherever it needs to be with the central place they've authed20:14
ayoungmorganfainberg, and what doees it mean by " the central place they've authed?"20:14
morganfainbergayoung, the base keystone20:14
morganfainbergthe one *I* as the principle contact controls20:14
morganfainbergauth here, access where needed.20:15
*** jlk has joined #openstack-keystone20:15
morganfainbergassuming the remote sites are not controlled by the same keystone (Cannot be due to different orgs)20:15
*** iamjarvo has quit IRC20:15
morganfainbergand multi-signer doesn't work either. you need a full blown token for the remote side since only that remote side can control it's resources20:15
morganfainbergso you need a way to S4u2proxy but for keystone20:16
ayoungKeystones of Unusual size?  I don't think they exist20:16
morganfainberganyway20:16
morganfainbergwe'll just have to agree to disagree20:16
ayoungNO,  I'll have to agree that I don;'t understand WTF you are talking about20:16
morganfainbergk2k is a real thing20:16
morganfainbergand useful20:16
ayoungYOu blogged this at one point?20:16
jlkmorganfainberg: howdy. When we talked, you had mentioned a couple things I needed to do in haproxy, for SP. Was it session affinity (via SERVERID cookie) and was there one other thing?20:17
morganfainbergjlk, uhmm..... brain distracted20:17
jlkhehe20:17
morganfainbergjlk, guang has that right away... dang where did he go20:17
morganfainbergjlk, i think it was that.20:17
morganfainberguhm.20:17
morganfainbergthe request-uri20:17
jlkand making sure we don't re-write the url20:17
morganfainbergyeah20:17
morganfainbergthat sounds like the two things gyee said.20:18
jlkI don't see any rewrite rules, but I'm not sure if haproxy does that by default.20:18
morganfainbergjlk, yeah not sure.20:18
jlkWe add a header, X-Forwarded_proto:\ https20:18
jlkbut that's about it20:18
morganfainbergshould be ok from my understanding20:19
jlkalright, I'll add the cookie to keep things going to the same session20:19
morganfainberglet me see what i can do to summon a gyee to the convo20:19
morganfainbergjlk, and the meta xml thing, that turned out to be a red herring for what we're working on right?20:19
jlkI think so20:19
morganfainbergjlk, cool.20:20
jlkI was worried about any redirection the SSO stuff might do, but maybe we can worry about that when trying to actually /do/ things20:20
morganfainbergjlk, for the k2k case it's IDP initiated SAML20:20
morganfainbergjlk, so you don't do the normal: SP -> IDP -> SP dance20:21
morganfainbergjlk, you do IDP -> SP20:21
jlknod20:21
morganfainbergredirects should be minimal20:21
morganfainbergif at all20:21
*** ayoung has left #openstack-keystone20:21
morganfainbergayoung, i'm including some of this in the presentation i'm giving on thursday next week20:21
*** ayoung has joined #openstack-keystone20:22
morganfainbergand he left.20:22
morganfainbergayoung, and he's back20:22
*** jaosorior has quit IRC20:22
ayoungmorganfainberg, heh, so I somehow managed to put this chat in its own window20:22
morganfainbergayoung, i'm including some of this stuff in the authn/authz presentation i'm doing next week. hope i can get it a bit more clear then20:22
ayoungI don;'t jknow how to join other than to close the window and reopen in the main one20:22
morganfainbergayoung, xchat?20:22
ayoungmorganfainberg, OK...let's start by defining your terms here.20:22
morganfainbergayoung, cause that was a reason i disliked xchat20:22
ayoungyeah xchat20:23
morganfainbergayoung, so here we go: Company - I use openstack for an application - it's my openstack20:23
ayounghold it right there20:23
morganfainbergnotably i consume swift.20:23
ayoung"it's my openstack"  you mean private, in house cloud...this is just your starting pioint20:23
morganfainbergyes private in-house20:24
jlkDo y'all have pre-written tool to help validate unscoped tokens?20:24
jlkor even before that, for adding IdPs to the SP?20:24
morganfainbergjlk, no pre-canned tool afaik :(20:24
morganfainbergjlk, one of the rough edges.20:24
jlkalright.20:24
jlkI'm reading through http://blog.rodrigods.com/playing-with-keystone-to-keystone-federation/ and cribbing20:24
morganfainbergjlk, sorry! :(20:24
morganfainbergyeah rodrigods blog is fantastic20:25
jlk*shrug* earlyadopterprobs20:25
rodrigodsnot it is not :)20:25
rodrigodsKilo version on its way20:25
ayoungmorganfainberg, ok...so inhouse os instance ,swift... go on20:25
morganfainbergayoung, so my private in-house cloud. with my swift. [lets stick with swift for now, other services make this complex as hell]20:25
morganfainbergayoung, i place data in swift., i use federated identity to manage who [my customers] can access the swift data20:26
morganfainbergi am now out of capacity.20:26
ayoungok, so my OS instance is hosting web services open to my customer, and they use swift API to fetch data,20:26
morganfainberginstead of spinning up more swift locally (not an option for business reasons)20:26
*** ozialien has joined #openstack-keystone20:26
ayounghold on20:26
morganfainbergcorrect20:27
ayoungare we saying that people are using Swift API to be able to write to my cloud?  They don't need it to read20:27
morganfainbergmore read than write20:27
ayoungread is a Web call.20:27
morganfainbergbut it is a secured call.20:27
morganfainbergneeding a token20:27
morganfainbergit's not public read, it's authenticated read20:27
ayoungand we arwe using project assignments to say who can read what?20:27
morganfainbergit somewhat works like that.20:28
morganfainbergproject assignments are used20:28
morganfainbergso, when i run out of capacity20:28
morganfainbergand can't spin up more locally [many many reasons for this]20:29
morganfainbergi contact jlk over at bluebox20:29
morganfainbergand they give me swift20:29
morganfainbergwith federated identity20:29
morganfainbergassume i have many customers [and adding more every day]20:29
morganfainbergevery time i add a customer i need to have bluebox configure *that* swift to allow the new idp?20:30
morganfainbergas well as mine20:30
morganfainbergas well as any other vendor (or alternate bluebox deployment)20:30
morganfainbergjlk, sorry using you as a stawman here20:30
jlktotes fine20:30
ayoungmorganfainberg, ok...swift is wierd, because it really is an *aaS, unlike glance and so forth20:30
ayoungIs it really swift driving this use case?20:31
morganfainbergayoung, no. there are other apps that rely on OpenStack that are *aaS20:31
morganfainbergit just happens that working even with a PaaS layered on openstack it makes this a lot easier20:31
ayoungmorganfainberg, so, what you are saing is we are talking about Keystone being used more by the cloud consuemrs than by the infrastructure here.20:31
morganfainbergayoung, already is a case that occurs20:32
ayoungWe will expect more and more apps to be able to consume Keystone authentication20:32
morganfainbergayoung, because we allowed it - swift was really the first.20:32
morganfainbergayoung, yep.20:32
morganfainbergayoung, and it's not an unreasonable thing to do with keystone for your *aaS stuff related to OpenStack20:32
morganfainbergi initially argued we should have an infrastructure keystone and a XaaS keystone20:33
morganfainbergbetter design20:33
ayoungWe still could....nothing precludes that20:33
morganfainbergbut it *still* doesn't change what we are supporting20:33
morganfainbergXaaS with keystone auth20:33
morganfainbergIaaS is the easy case.20:33
ayoungOK...so If a customer needs to go to bluebox, they have 3 different rediectes?  SAML from their home station, keystone token from me, keystone token from bluebox?20:34
morganfainbergayoung, home -> me -> Bluebox20:34
morganfainbergbluebox never would be back to <local>, they are an external SP in this strawman20:34
ayoungso do we have client code to handle that?20:34
*** ozialien has quit IRC20:34
morganfainbergayoung, we have the server code to. client code is actively being worked on20:35
morganfainbergit's a liberty target to be fair20:35
morganfainbergayoung,but we needed server support to do client work20:35
morganfainbergand 6mo cycles means some things are rough and then get smoother as more support happens20:36
morganfainbergayoung, the way i see it is k2k is orthogonal to the pure federation case.20:36
morganfainbergit's supporting a clear use-case that exists today20:36
morganfainbergit doesn't eliminate what you're trying to do20:36
ayoungSo...for my inhouse cloud,  whenever I burst to another provider...am I going to add that provider to my serivce catalog?20:37
morganfainbergit in-fact just leverages some of the same underpinnings (the SP doesn't know it's a keystone or anything else, it just knows it gets SAML)20:37
morganfainbergayoung, yep.20:37
morganfainbergayoung, and the business relationship/rates/billing etc is all on the remote cloud20:38
ayoungmorganfainberg, but it shows up as a separate region, cuz bluebox nova can't talk to my inhouse neutron20:38
morganfainbergthere is one other rough edge we *should* try and solve long term20:38
morganfainbergayoung, not even a region20:38
morganfainbergayoung, as an SP20:38
morganfainbergSP is a top-level concept in the catalog20:38
morganfainbergayoung, mucking SP and region together was messy.20:38
ayoungregion is lower than SP?20:38
morganfainbergayoung, correct.20:39
morganfainbergayoung, region is a local keystone construct "I own regions"20:39
ayounggsilvis, you catching this?20:39
morganfainbergyou *might* have mirrored regions in the SP.20:39
morganfainbergbut its not guaranteed20:39
ayoungmorganfainberg, ok,  so for the user, the flow is something like:20:40
ayounggot to home keystone list projects,  requrest token for project that has Service catalog in remote clode20:41
ayoungclient is smart enough to take that token to remote Keystone20:41
morganfainbergclient allows you to take it to remote keystone.20:42
morganfainbergyou *might* also have capacity locally.20:42
morganfainbergyou might only have SPs20:42
morganfainbergbut yes20:42
ayoungand get a scoped token in the public cloud.  SInce everything in now done with SC, that is going to be done once.  We need token cacthing to keep this from being painful20:42
morganfainbergayoung, the piece we need to also solve to smooth out the experience is "what can SP provide me"20:42
ayoungand we are saying that a given project can only point at one SC, right?20:42
ayounger SP20:42
morganfainbergayoung, a project could have many SPs20:42
morganfainbergSPs are like endpoints, filterable20:42
*** iamjarvo has joined #openstack-keystone20:43
ayoungthen if I do Nova listm, which do I talk to?20:43
gsilvisayoung: I hadn't been paying attention---how far back should I scroll?20:43
morganfainbergi might have SPs for the project in EU, AUS, and US20:43
morganfainbergayoung, nova list is your current scoped token20:43
morganfainbergayoung, this is where we need to work on the UX and discovering what the remote SPs can provide20:44
morganfainbergtoday we're at "we can support the workflow"20:44
morganfainbergwhich is the raw "can i use my identity here to burst into an SP over there"20:44
morganfainbergthere are 3 cases this is aiming to solve long term: 1) pure burst capacity20:45
morganfainberg2) services i *never will* support in my local cloud, but should be integrated (sahara) for my cloud consumers20:45
morganfainbergaka $SP provides sahara install, but i don't want to run a hadoop thing locally20:46
ayoungmorganfainberg, why do we insist on doing this all in one project?20:46
morganfainbergand least important [but useful] 3) regional deployments (likely short-lived)20:46
ayoungThe rest of it I get20:46
morganfainbergayoung, this can spin out into the ability to tier keystone into multiple things20:47
morganfainbergayoung, which might be the long term solution20:47
morganfainbergayoung, but it starts with what we have.20:48
morganfainbergsmoothing out the "what can cloud X do for me" might be where that splits.20:48
ayoungmorganfainberg, I haven't given this the attention it deserves, but there is something in it that I want to think more about...20:49
morganfainbergayoung, please do.20:49
ayoungI don't want to hold things up, which is why it has been eaiser for me to ignore it20:49
morganfainbergayoung, the k2k bits were also almost free since we had federation already built20:49
morganfainbergthey are very small compared to the lifting we did to consume the data20:50
morganfainbergthe #1 reason we went SAML vs just shipping a keystone token over was a political issue20:50
ayoungbut...I'm just afraid we are once again headed in a direction where we are doing thing s in Keystone that are better handled using other technologies...and that is why I have said nothing...cuz I haven;t done my homework yet20:50
morganfainbergi don't want to explain why the keystone token made sense.20:50
ayoungYeah, the SAML part I get. It actually is using the Protocol for what it is designed to do20:51
morganfainbergputting this in the SAML spec allowed us to pass the "does the framework pass muster"20:51
morganfainbergayoung, so if k2k morphs into something way better on top of keystone - thats fine20:51
morganfainbergayoung, think about this. it's really about building composite clouds. not nessicarily hybrid clouds20:52
morganfainbergayoung, it's fine for it to morph and change and become better.20:52
morganfainbergayoung, even if it long term becomes it's own thing.20:52
morganfainbergayoung, the basic workflow lets us build that. and we have a clear "prior" art for spinning things out where it makes sense (nova -> cinder|glance|keystone)20:53
ayoungmorganfainberg, but...what I said at the begining is even more true with all you said.  We need to make the mapping code so it can be managed  by the end users, not by an admin.20:53
morganfainbergayoung, 100%20:53
*** iamjarvo has quit IRC20:53
morganfainbergayoung, that was never a question in my mind20:53
ayoungbluebox needs to let the in house Keystone smartiepants manage it.20:53
morganfainbergi think we even looked at that for kilo iirc20:53
*** sdake has quit IRC20:53
morganfainbergbut came to the conclusion it was too big an ask for kilo cycle20:54
morganfainberg(this was at the midcycle afair)20:54
ayoungrodrigods, to get back to your question:  I think that with HMT we need the whole path, not just domain, in the SAML assertion20:54
morganfainbergnow for liberty. esp. if we can have the details (aka formerly what our midcycle was) hammered out at the summit...20:54
ayoungmorganfainberg, you are a dreamer...20:55
morganfainbergayoung, it becomes a more reasonable ask to make the mapping manageable in that way. or at least in a way that allows the remote keystone admin to limit what the local keystone admin can screw up20:55
ayoungmorganfainberg, what we really need to do is schedule the midcycle for the day after RC120:55
morganfainbergayoung, it might be 2 cycles out20:55
rodrigodsayoung, exactly20:55
ayoungSummit is too late20:55
morganfainbergayoung, no, not if the summit is what our mid cycle has been20:56
morganfainbergsummit is enough time to have some thoughts on liberty20:56
ayoungSummit needs to be what our milestone 2 has been, too20:56
morganfainbergplus add in the etherpad and specs proposed as soon as K3 was cut20:56
morganfainbergshould help20:56
morganfainbergwe've rolled back a lot of things.20:57
morganfainbergas soon as RC is cut we should be ready to discuss priorities for L20:57
morganfainbergso L2 is the 1st line of defence for Feature Freeze20:57
morganfainbergthen we have L2->L3 to smooth out the rest of the things20:58
*** ashleighfarnham has joined #openstack-keystone20:58
*** iamjarvo has joined #openstack-keystone20:58
morganfainbergbut L2 really does need to be where most of the work is being pushed through.20:58
*** stevemar has quit IRC20:58
morganfainbergbut this is also why i want to limit us to ~5 "features"20:58
morganfainbergAPI impacting/major initiatives20:58
*** ashleighfarnham has left #openstack-keystone20:59
ayoungOK...forget swift for the moment...lets talk, say,. Sahara or Hadoop, or something with less legacy than swift.  Something at the app lefvel, that ignores the undercloud should not be talking to blueboxes Keystone20:59
morganfainbergayoung, sahara is a lot like swift, but you're right very little legacy20:59
ayoungIf I am using Keystone, or any other thing, to authorize decisions, and I am running that thing in the cloud, then it doesn't matter which cloud provider I talk to20:59
morganfainberglets just call whatever it is "hadoop as a service"20:59
morganfainbergif HaaS exists locally you can use it21:00
morganfainbergif it doesn't you might need to use the remote SP.21:00
morganfainbergright now we don't know which SP has that (you could name it funny things i guess)21:00
morganfainbergbut that is the next step once the auth flow is smoothed out via client imo21:01
ayoungSo, we are talking about anything where the underlying Openstack layer is exposed?21:01
morganfainbergayoung, I would say that is a reasonable assessment for today21:02
morganfainbergayoung, next week who knows, but lets not think too hard on next week21:02
ayoungLets say my customer is talking to my Hadoop service.  They kick off a job, and my cloud lacks capacity.  We want to burst to another location21:02
ayoungSo my hadoop service needs to allocate the capacity.  And ... its like Heat... we want it done in the users account....21:03
ayoungso we need to kick off a handful of vms, storage ,etc...21:03
gsilvisayoung: I'm going to come back and read this later, by the way---too busy now to really pay attention right now21:03
ayounggsilvis, its all in evesdrop21:03
gsilvisayoung: yup :)21:04
ayoungstart with 2015-04-09T20:10:4421:04
morganfainbergayoung, less autoscaling internally - more i have X quota, and i know i need more than X, so SP is available to do the work at X+Y allocation21:05
morganfainbergthe burst is more a pure compute or swift concept i think :(21:05
ayoungmorganfainberg, so since they are running my HaaS, I will bill them, but they are going to need to spin up resources ... and it is my HaaS that will do that, not their clients21:05
morganfainbergright, and the SP would bill me, and i'd bill my customer21:06
morganfainbergthe biusiness relationship is between <me> and <SP> not <customer> and <sp>21:06
morganfainbergif it was customer and sp, we're out of the loop.21:06
morganfainbergand don't care21:06
ayoungmorganfainberg, I have to check out...I'm going to think through the ramifications21:06
morganfainbergayoung, sure.21:07
morganfainbergayoung, there has been a ton of interest in this type of support. mostly where you may have different services in different deployments - or pure compute burst21:08
morganfainbergayoung, we can keep discussing as needed.21:08
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone-specs: Move reseller spec for Liberty release  https://review.openstack.org/17092621:10
*** raildo has quit IRC21:12
*** ayoung has quit IRC21:12
*** topol has quit IRC21:15
morganfainbergjamielennox|away, FYI https://review.openstack.org/#/c/127066/ will land once we cut stable/kilo for KSM21:17
*** edmondsw has quit IRC21:17
morganfainbergjamielennox|away, i want to avoid giving spurious errors to deployers where they can't switch auth methods because something re-used auth token's config options21:17
morganfainbergjamielennox|away, liberty target in otherwords.21:17
samueldmqmorganfainberg: we have the patches for fixing that role inheritance bug21:18
samueldmqmorganfainberg:we need reviews21:18
samueldmqmorganfainberg: https://review.openstack.org/#/c/17159621:18
morganfainbergsamueldmq, thanks21:18
samueldmqmorganfainberg:np21:18
samueldmqmorganfainberg:I split the tests exposing the bug vs the fix21:19
morganfainberggood idea21:19
samueldmqI use to do this when we have bugs, but in this case specifically was a suggestion from henry :)21:20
*** dims_ has joined #openstack-keystone21:21
*** pnavarro has joined #openstack-keystone21:21
*** dims has quit IRC21:24
*** dims_ has quit IRC21:26
*** samueldmq has quit IRC21:28
*** r-daneel has joined #openstack-keystone21:31
*** mancdaz has quit IRC21:35
*** rushiagr_away has quit IRC21:35
*** iamjarvo has quit IRC21:37
*** mancdaz has joined #openstack-keystone21:38
*** gyee has joined #openstack-keystone21:41
*** ChanServ sets mode: +v gyee21:41
*** pnavarro has quit IRC21:52
*** kr4zy has quit IRC21:53
*** raildo has joined #openstack-keystone21:54
*** rushiagr_away has joined #openstack-keystone21:54
*** iamjarvo has joined #openstack-keystone22:03
*** sdake has joined #openstack-keystone22:07
*** sdake_ has joined #openstack-keystone22:10
openstackgerritMerged openstack/python-keystoneclient: Increase minimum token life required  https://review.openstack.org/16994722:10
*** Guest77301 has joined #openstack-keystone22:11
*** Guest77301 is now known as dims_22:12
*** ayoung has joined #openstack-keystone22:13
*** ChanServ sets mode: +v ayoung22:13
*** sdake has quit IRC22:14
*** bknudson has quit IRC22:20
*** Ephur_ has quit IRC22:20
*** sdake_ has quit IRC22:47
*** gyee has quit IRC22:51
openstackgerritMerged openstack/keystone: make sure we properly initialize the backends before using the drivers  https://review.openstack.org/17186422:51
*** dims_ has quit IRC22:52
*** gordc has quit IRC22:55
*** ayoung has quit IRC22:59
*** mattfarina has quit IRC23:05
*** zzzeek has quit IRC23:06
openstackgerritMerged openstack/keystone: Update testing docs  https://review.openstack.org/16155323:07
*** r-daneel has quit IRC23:13
*** arunkant_ has quit IRC23:16
*** gyee has joined #openstack-keystone23:16
*** ChanServ sets mode: +v gyee23:16
*** iamjarvo has quit IRC23:22
*** mattfarina has joined #openstack-keystone23:27
*** zzzeek has joined #openstack-keystone23:32
*** dims_ has joined #openstack-keystone23:38
*** mattfarina has quit IRC23:41
*** bknudson has joined #openstack-keystone23:45
*** ChanServ sets mode: +v bknudson23:45
*** edmondsw has joined #openstack-keystone23:56
*** ayoung has joined #openstack-keystone23:58
*** ChanServ sets mode: +v ayoung23:58
« Wednesday, 2015-04-08 Index Friday, 2015-04-10 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!