Thursday, 2015-04-16

*** mattamizer has quit IRC		00:01
*** markvoelker_ has quit IRC		00:02
*** carlosmarin has quit IRC		00:04
*** drjones has quit IRC		00:21
*** _cjones_ has joined #openstack-keystone		00:21
*** _cjones_ has quit IRC		00:25
*** ozialien has joined #openstack-keystone		00:35
*** topol has joined #openstack-keystone		00:36
*** ChanServ sets mode: +v topol		00:36
*** r-daneel has quit IRC		00:37
*** dims_ has quit IRC		00:40
mfisch	can someone point out where the database migrations live in the source tree?	00:46
mfisch	aha under versions/	00:47
*** lhcheng has quit IRC		00:48
openstackgerrit	Merged openstack/keystone: Use correct LOG translation indicator for warnings https://review.openstack.org/167124	00:54
dstanek	mfisch: got it?	00:55
dstanek	so our catalog unit tests are all sorts of bad - no isolation and the templated tests don't actually run	00:56
*** ozialien has quit IRC		01:06
*** jeffDeville has joined #openstack-keystone		01:07
*** tqtran has quit IRC		01:07
*** markvoelker has joined #openstack-keystone		01:07
*** jeffDevi_ has joined #openstack-keystone		01:09
*** jeffDeville has quit IRC		01:09
*** sigmavirus24 is now known as sigmavirus24_awa		01:11
*** browne has quit IRC		01:12
*** jeffDevi_ has quit IRC		01:18
*** alexsyip has quit IRC		01:22
dstanek	ayoung: when you are not busy https://review.openstack.org/#/c/169169/2/keystone/assignment/core.py	01:26
*** markvoelker has quit IRC		01:30
*** jeffDeville has joined #openstack-keystone		01:30
*** jeffDeville has quit IRC		01:31
*** _cjones_ has joined #openstack-keystone		01:33
*** dims has joined #openstack-keystone		01:40
ayoung	dstanek, you mean, what should that method raise?	01:42
*** trey has quit IRC		01:42
*** erkules_ has joined #openstack-keystone		01:45
*** trey has joined #openstack-keystone		01:46
*** dims has quit IRC		01:47
*** erkules has quit IRC		01:47
*** jeffDeville has joined #openstack-keystone		01:47
*** harlowja is now known as harlowja_away		02:05
*** browne has joined #openstack-keystone		02:13
*** sdake_ has joined #openstack-keystone		02:16
*** sdake__ has joined #openstack-keystone		02:19
*** sdake has quit IRC		02:19
*** sdake_ has quit IRC		02:22
*** jeffDeville has quit IRC		02:29
*** Ephur has quit IRC		02:30
*** davechen has joined #openstack-keystone		02:30
*** Ephur has joined #openstack-keystone		02:31
*** Ephur has quit IRC		02:33
*** _cjones_ has quit IRC		02:33
*** davechen1 has joined #openstack-keystone		02:36
*** davechen has quit IRC		02:37
*** davechen has joined #openstack-keystone		02:44
*** davechen1 has quit IRC		02:45
*** tqtran has joined #openstack-keystone		02:46
*** dims has joined #openstack-keystone		02:48
*** tqtran has quit IRC		02:50
*** dims has quit IRC		02:53
*** richm has quit IRC		03:07
*** lhcheng has joined #openstack-keystone		03:25
*** ChanServ sets mode: +v lhcheng		03:25
*** _kiran_ has joined #openstack-keystone		03:47
*** _kiran_ has quit IRC		03:53
*** _cjones_ has joined #openstack-keystone		04:00
*** rushiagr_away is now known as rushiagr		04:10
*** vilobhmm1 has joined #openstack-keystone		04:39
*** _cjones_ has quit IRC		04:43
*** afazekas has quit IRC		04:51
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Cleanup token hashes generated by cache https://review.openstack.org/174194	04:56
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Remove retry parameter https://review.openstack.org/174195	04:56
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Don't store expire into memcache https://review.openstack.org/174196	04:56
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Depend on keystoneclient for expiration checking https://review.openstack.org/174197	04:56
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Move project included validation https://review.openstack.org/174198	04:56
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Don't rely on token_info for header building https://review.openstack.org/174199	04:56
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Base use webob https://review.openstack.org/174200	04:56
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Remove the _msg_format function https://review.openstack.org/174201	04:56
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Fetch user token from request rather than env https://review.openstack.org/174202	04:56
*** stevemar has joined #openstack-keystone		05:02
*** ChanServ sets mode: +v stevemar		05:02
*** rushiagr is now known as rushiagr_away		05:02
*** vilobhmm1 has quit IRC		05:02
*** vilobhmm1 has joined #openstack-keystone		05:05
*** telemonster has quit IRC		05:12
*** telemonster has joined #openstack-keystone		05:13
*** topol has quit IRC		05:16
*** vilobhmm1 has quit IRC		05:29
*** ajayaa has joined #openstack-keystone		05:33
openstackgerrit	Jamie Lennox proposed openstack/python-keystoneclient: Add get_communication_params interface to plugins https://review.openstack.org/141267	05:40
*** stevemar has quit IRC		05:40
*** stevemar has joined #openstack-keystone		05:40
*** ChanServ sets mode: +v stevemar		05:40
*** dims has joined #openstack-keystone		05:45
*** kiran_ has joined #openstack-keystone		05:47
*** kiran_ is now known as kiranr		05:50
*** dims has quit IRC		05:50
*** kiranr is now known as kiran-r		05:50
*** rushiagr_away is now known as rushiagr		05:51
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex https://review.openstack.org/172624	06:06
*** ajayaa has quit IRC		06:16
*** browne has quit IRC		06:18
*** _cjones_ has joined #openstack-keystone		06:21
*** lhcheng has quit IRC		06:22
*** lhcheng has joined #openstack-keystone		06:22
*** ChanServ sets mode: +v lhcheng		06:22
*** stevemar has quit IRC		06:25
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Remove retry parameter https://review.openstack.org/174195	06:32
*** ParsectiX has joined #openstack-keystone		06:35
*** ajayaa has joined #openstack-keystone		06:38
*** henrynash has joined #openstack-keystone		06:46
*** ChanServ sets mode: +v henrynash		06:46
*** viktors\|afk is now known as viktors		06:53
viktors	ayoung: thanks!	06:53
viktors	dstanek: still around?	06:53
*** ParsectiX has quit IRC		06:53
*** stevemar has joined #openstack-keystone		06:54
*** ChanServ sets mode: +v stevemar		06:54
*** ParsectiX has joined #openstack-keystone		06:56
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Fetch user token from request rather than env https://review.openstack.org/174202	06:57
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Remove the _msg_format function https://review.openstack.org/174201	06:57
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Base use webob https://review.openstack.org/174200	06:57
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Don't rely on token_info for header building https://review.openstack.org/174199	06:57
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Move project included validation https://review.openstack.org/174198	06:57
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Depend on keystoneclient for expiration checking https://review.openstack.org/174197	06:57
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Don't store expire into memcache https://review.openstack.org/174196	06:57
*** stevemar has quit IRC		07:00
*** jaosorior has joined #openstack-keystone		07:01
openstackgerrit	Dave Chen proposed openstack/keystone: Remove assigned protocol before removing IdP https://review.openstack.org/173696	07:02
*** henrynash has quit IRC		07:05
*** _cjones_ has quit IRC		07:13
*** krykowski has joined #openstack-keystone		07:15
*** pnavarro has joined #openstack-keystone		07:18
*** chlong has quit IRC		07:40
*** jistr has joined #openstack-keystone		07:43
*** pnavarro has quit IRC		07:50
*** unixlike has joined #openstack-keystone		07:56
unixlike	Hi there !	07:56
unixlike	sorry for my english in advance	07:56
unixlike	Is it possible to use MongoDB as db-backend instead of MySQL ?	07:57
*** pnavarro has joined #openstack-keystone		08:04
*** ParsectiX has quit IRC		08:09
*** ParsectiX has joined #openstack-keystone		08:09
*** lhcheng has quit IRC		08:13
openstackgerrit	Victor Sergeyev proposed openstack/keystone: Run SQL migration tests on PostgreSQL and MySQL https://review.openstack.org/171115	08:19
*** c0m0 has joined #openstack-keystone		08:31
openstackgerrit	Victor Sergeyev proposed openstack/keystone: Run SQL migration tests on PostgreSQL and MySQL https://review.openstack.org/171115	08:34
*** sdake__ has quit IRC		08:36
*** sdake has joined #openstack-keystone		08:39
*** mestery has joined #openstack-keystone		08:40
*** mestery_ has quit IRC		08:43
*** jimbaker has quit IRC		08:53
*** jimbaker has joined #openstack-keystone		08:55
*** jimbaker has quit IRC		08:56
*** jimbaker has joined #openstack-keystone		08:56
*** ParsectiX has quit IRC		09:09
*** rm_work is now known as rm_work\|away		09:13
*** dims has joined #openstack-keystone		09:19
*** dims has quit IRC		09:24
*** aix has joined #openstack-keystone		09:44
*** ishant has joined #openstack-keystone		09:45
*** afazekas has joined #openstack-keystone		09:47
*** davechen has quit IRC		09:52
*** tqtran has joined #openstack-keystone		10:01
*** dims has joined #openstack-keystone		10:06
*** jsheeren has joined #openstack-keystone		10:11
*** tqtran has quit IRC		10:27
*** topol has joined #openstack-keystone		10:30
*** ChanServ sets mode: +v topol		10:30
*** topol has quit IRC		11:01
*** aix has quit IRC		11:17
openstackgerrit	Victor Sergeyev proposed openstack/keystone: Migrate_repo init version helper https://review.openstack.org/137640	11:24
openstackgerrit	Victor Sergeyev proposed openstack/keystone: Comparision of database models and migrations. https://review.openstack.org/80630	11:24
*** henrynash has joined #openstack-keystone		11:25
*** ChanServ sets mode: +v henrynash		11:25
dstanek	ayoung: yeah, that's all i was wondering	11:41
dstanek	viktors: i am now	11:41
*** aix has joined #openstack-keystone		11:45
*** jamielennox is now known as jamielennox\|away		11:47
*** fhubik has joined #openstack-keystone		11:49
viktors	dstanek: hi! I've un-wiped yesterday's patch with migration tests - https://review.openstack.org/#/c/171115/ Feel free to review it.	11:53
dstanek	viktors: great thanks	11:54
openstackgerrit	David Charles Kennedy proposed openstack/keystonemiddleware: Add Endpoint Enforcement to Keystonemiddleware https://review.openstack.org/153296	11:54
*** ishant has quit IRC		11:56
*** joesavak has joined #openstack-keystone		11:56
samueldmq	dstanek, ping - I've got a question regarding tokens and middleware :-)	11:57
samueldmq	ayoung, cc ^	11:57
dstanek	samueldmq: what's the question?	11:58
samueldmq	once keystonemiddleware validates the token and enfoces the policy, it needs to pass the token info to the service (eg nova)	11:58
samueldmq	dstanek, right?	11:58
samueldmq	dstanek, how is that info? is that what we call AccessInfo ?	11:58
samueldmq	dstanek, I am trying to figure out what the hard-coded checks in the services would look like (which make them to not work with v3 properly)	11:59
dstanek	samueldmq: so other services don't work when keystone is using v3 tokens?	12:00
samueldmq	dstanek, I think there are hard-coded checks which do not allow it to work 100%	12:00
dstanek	samueldmq: for all services or do you know of one specifically that is broken?	12:01
samueldmq	dstanek, I am starting to investigate	12:01
samueldmq	dstanek, I was talking to morganfainberg and jogo yesterday	12:01
samueldmq	dstanek, basically I am going to deploy a fresh devstack and remove v2 completely, and see what broken	12:02
samueldmq	dstanek, morgan also agree with me that may exist hard-coded checks into the services	12:02
samueldmq	dstanek, so then I am trying to figure out how the keystonemiddleware passes the token info for the service	12:03
samueldmq	dstanek, to understand how those hard-coded look like	12:03
dstanek	samueldmq: i'm pretty sure it's all environment variables	12:04
dstanek	i don't think it's different between v2 and v3 tokens	12:04
dstanek	samueldmq: http://git.openstack.org/cgit/openstack/keystonemiddleware/tree/keystonemiddleware/auth_token/__init__.py#n67	12:04
samueldmq	dstanek, ah makes sense, that's how dolphm validates different tokens on his keystone-deploy tests	12:06
dstanek	samueldmq: i don't understand the relationship between v2 and v3 tokens as compared to v2 and v3 api	12:06
samueldmq	dstanek, https://github.com/dolph/keystone-deploy/blob/master/test_exercises.py#L219-L226	12:06
samueldmq	dstanek, yeah, I need to have a look at both formats as well	12:06
dstanek	i don't think the format will matter for this because i think the same info gets stuck in the env	12:07
openstackgerrit	Victor Sergeyev proposed openstack/keystone: Add server_default to relay_state_prefix in service_provider model https://review.openstack.org/168947	12:08
samueldmq	dstanek, k so what you mean by "i don't understand the relationship between v2 and v3 tokens as compared to v2 and v3 api"	12:08
dstanek	samueldmq: i think they are orthogonal things, but i'm not sure	12:10
dstanek	i think they just happen to have the same name, which is unfortunate	12:10
samueldmq	dstanek, well, I agree that if the same env vars are loaded independently of the version, everything should work pretty well	12:11
samueldmq	dstanek, yes, was re-reading the logs from yesterday ... everything should work, but we may expect minor errors in the services due to hard-coded	12:14
samueldmq	dstanek, so the approach is to try and see what breaks :-)	12:14
*** dims has quit IRC		12:14
dstanek	samueldmq: the last time i tried (quite a while ago) some services had trouble talking to the v3 api	12:15
*** dims__ has joined #openstack-keystone		12:17
samueldmq	dstanek, nice, I will dig on it a bit more.. I will keep you updated if you want :)	12:19
*** stevemar has joined #openstack-keystone		12:21
*** ChanServ sets mode: +v stevemar		12:21
*** henrynash has quit IRC		12:24
openstackgerrit	Alexander Makarov proposed openstack/keystone-specs: Materialized path for project hierarchy https://review.openstack.org/173424	12:25
dstanek	samueldmq: sure	12:27
*** gordc has joined #openstack-keystone		12:28
*** fhubik is now known as fhubik_afk		12:29
*** gordc has quit IRC		12:31
*** raildo has joined #openstack-keystone		12:32
*** gordc has joined #openstack-keystone		12:38
*** jsavak has joined #openstack-keystone		12:43
*** joesavak has quit IRC		12:46
*** mattamizer has joined #openstack-keystone		12:50
*** bknudson has joined #openstack-keystone		12:52
*** ChanServ sets mode: +v bknudson		12:52
*** fhubik_afk is now known as fhubik		13:02
*** nkinder has quit IRC		13:09
*** richm has joined #openstack-keystone		13:14
*** fhubik is now known as fhubik_afk		13:19
*** fhubik_afk is now known as fhubik		13:20
*** davidckennedy has joined #openstack-keystone		13:25
*** sdake_ has joined #openstack-keystone		13:26
*** davidckennedy has quit IRC		13:27
*** jamie_h has joined #openstack-keystone		13:29
*** sdake has quit IRC		13:29
*** markvoelker has joined #openstack-keystone		13:30
*** davidckennedy has joined #openstack-keystone		13:33
*** unixlike has quit IRC		13:33
*** unixlike has joined #openstack-keystone		13:33
*** afaranha has joined #openstack-keystone		13:37
*** rushil has joined #openstack-keystone		13:42
openstackgerrit	Victor Sergeyev proposed openstack/keystone: Fix mysql_engine and FK in project_endpoint_group table https://review.openstack.org/174388	13:44
*** mattfarina has joined #openstack-keystone		13:47
*** fhubik is now known as fhubik_afk		13:47
*** topol has joined #openstack-keystone		13:56
*** ChanServ sets mode: +v topol		13:56
*** sigmavirus24_awa is now known as sigmavirus24		13:56
*** zzzeek has joined #openstack-keystone		13:56
*** fhubik_afk is now known as fhubik		14:02
openstackgerrit	Rodrigo Duarte proposed openstack/keystone-specs: Recursive deletion https://review.openstack.org/148730	14:05
*** nkinder has joined #openstack-keystone		14:06
*** ayoung has quit IRC		14:09
*** HenryG_ is now known as HenryG		14:11
*** markvoelker_ has joined #openstack-keystone		14:16
*** davechen1 has joined #openstack-keystone		14:19
*** markvoelker has quit IRC		14:19
openstackgerrit	Dave Chen proposed openstack/keystone: Update Get API version Curl example https://review.openstack.org/174404	14:19
*** markvoelker has joined #openstack-keystone		14:23
*** unixlike has quit IRC		14:23
*** ajayaa has quit IRC		14:24
*** markvoelker_ has quit IRC		14:26
*** kiran-r has quit IRC		14:27
*** sdake has joined #openstack-keystone		14:29
*** sdake_ has quit IRC		14:33
*** markvoelker has quit IRC		14:34
*** davechen1 has left #openstack-keystone		14:36
openstackgerrit	Alexander Makarov proposed openstack/keystone: Make memcache client reusable across threads https://review.openstack.org/170835	14:37
openstackgerrit	Merged openstack/keystone: Refactor sql filter code for clarity https://review.openstack.org/164362	14:39
*** jsheeren has quit IRC		14:41
*** ajayaa has joined #openstack-keystone		14:41
openstackgerrit	Merged openstack/keystone: Don't provide backends from __all__ in persistence https://review.openstack.org/172783	14:41
openstackgerrit	Alexander Makarov proposed openstack/keystone-specs: Materialized path for project hierarchy https://review.openstack.org/173424	14:42
mfisch	stevemar: you around this morning?	14:50
stevemar	mfisch, yessir	14:55
mfisch	stevemar: I was looking more into the CADF stuff this morning. Is there a simple path to have something on my keystone node consume audit events and dump them into a log file? Without using rabbit and ceilometer	14:56
morganfainberg	stevemar: that shady fellow stevemar2 isn't though.	14:56
*** fhubik is now known as fhubik_afk		14:56
stevemar	mfisch, change the notification_driver option to 'log'	14:57
mfisch	thats it?	14:57
stevemar	yep	14:57
mfisch	is so thats all I need then	14:57
stevemar	and set notification_format = cadf	14:57
stevemar	if you want fancy cadf events	14:57
mfisch	do I need to enable the audit middleware?	14:57
stevemar	not on keystone, no	14:57
mfisch	good	14:57
stevemar	the audit middleware can only be used in the same spot as the keystonemiddleware	14:58
mfisch	I think basic is all I need	14:58
mfisch	CADF is way too standardsy	14:58
mfisch	which means more info than I need	14:58
stevemar	mfisch, sure. give it a shot if you can :D it has some good info	14:59
mfisch	will so	14:59
mfisch	do	14:59
stevemar	like who actually did the request	14:59
stevemar	and what project they did it under	14:59
mfisch	the main request was stemmed from "when was project X deleted?" a question from someone here and we had no way to find out	14:59
stevemar	yeah, basic would suffice for that	15:00
*** fhubik_afk is now known as fhubik		15:00
mfisch	I'll reply to my own -dev posting once I try this	15:00
stevemar	eventually that question will turn into, "when project X was deleted, who did it?"	15:00
mfisch	who can we fire!	15:00
stevemar	gah, my filters must have missed that post	15:00
stevemar	i didn't see a post from you in the last few days	15:00
mfisch	can I make notifications get set to warnings?	15:01
stevemar	mfisch, nope, just info	15:01
stevemar	that's hardcoded somewhere in keystone/notifications.py	15:01
mfisch	oh I sent this one to operators	15:01
stevemar	ah	15:01
mfisch	try to start there first	15:01
mfisch	http://lists.openstack.org/pipermail/openstack-operators/2015-April/006755.html	15:01
mfisch	so with INFO i just need to find out how to get my LB checks to stop logging in the eventlet	15:02
stevemar	good luck with that :\	15:03
mfisch	after looking at teh code for 5 mins I have no idea where it comes from	15:03
*** pnavarro is now known as pnavarro\|mtg		15:04
*** markvoelker has joined #openstack-keystone		15:04
*** jsheeren has joined #openstack-keystone		15:05
*** ajayaa has quit IRC		15:09
mfisch	stevemar: looks like notification_format is a Kiloism?	15:10
*** markvoelker has quit IRC		15:11
*** rushiagr is now known as rushiagr_away		15:12
*** rushil has quit IRC		15:12
*** rushil has joined #openstack-keystone		15:15
*** rushil has quit IRC		15:16
*** rm_work\|away is now known as rm_work		15:18
*** browne has joined #openstack-keystone		15:21
stevemar	mfisch, yes sir	15:26
lbragstad	quick question regarding the resource API refactor. I have keystone deployed from source and I have fatal_deprecations=true, with with resource driver and assignment drivers set. I try getting domain scoped token and it fails because of a deprecation error. I'm wondering if anyone else has this issue http://cdn.pasteraw.com/gv7h1w61onwklmfota5wna14w82inlp	15:30
lbragstad	nevermind... not sure what I did but I fixed my problem...	15:31
*** ozialien has joined #openstack-keystone		15:32
davidckennedy	I was looking at Jamie's patch for password prompt on CLI and I can't see how to make request to v3 api using keystone client. I presume it's never been implemented and will never because it's now in python-openstackclient. Any hints?	15:36
davidckennedy	(keystone client on CLI that is - which is the only place that we'd expect a password prompt).	15:36
*** ozialien has left #openstack-keystone		15:38
*** fhubik has quit IRC		15:43
dtroyer	davidckennedy: I'm not sure why Jamie wants to do that, IMnsHO he's already putting too much CLI/app layer stuff into the plugins…	15:43
*** ihrachyshka has joined #openstack-keystone		15:47
ihrachyshka	hey all! I'm from neutron, and I'm searching for someone involved into oslo.policy that could assess a new feature and/or exposing some of library internals for projects to consume	15:47
stevemar	ihrachyshka, o/	15:48
stevemar	ihrachyshka, myself or ayoung or dstanek or morganfainberg	15:48
*** pnavarro\|mtg is now known as pnavarro		15:49
davidckennedy	dtroyer maybe. But is it so that v2 is the only v supported for the CLI?	15:50
*** jsheeren has quit IRC		15:50
ihrachyshka	cool! so in neutron, we have some neat policy feature that is implemented in-house that allows to introduce additional policies that are appended to "main" rules. see: http://git.openstack.org/cgit/openstack/neutron/tree/neutron/policy.py#n187 and http://git.openstack.org/cgit/openstack/neutron/tree/etc/policy.json#n37	15:50
ihrachyshka	though the syntax is similar to e.g. nova policy rules, the behaviour is a bit different	15:51
ihrachyshka	syntax is target:attr:sub-attr	15:51
ihrachyshka	which means that if action is checked, and target contains an attr set, then we append a rule-check to main action rule, and if a sub-attr should be validated, then, again, another rule-check is appended for sub-attr	15:52
dtroyer	davidckennedy: yes, and IIRC there has been a notice somewhere that even the v2 CLI in KSC was to be deprecated	15:52
ihrachyshka	so we get a complex rule to check against that has multiple entries - for target, for target:attr, and for target:attr:sub-attr, all joined with AndCheck	15:53
ihrachyshka	so neutron builds a more complex rule than those rules written policy.json, and then validate against those complex rules	15:53
*** bknudson has quit IRC		15:53
stevemar	ihrachyshka, and you want to propose to add that logic to oslo.policy?	15:54
ihrachyshka	there are policies of similar syntax in nova xxx:yyy:zzz, but there semicolons do not mean anything, and action code just uses them to have some kind of namespaces for ease and comfort	15:54
ihrachyshka	stevemar, since the syntax in nova does not mean the same as in neutron, I'm not sure we can introduce the feature	15:55
ihrachyshka	since then it would change behaviour for nova (and maybe other projects that follow their lead)	15:55
*** _cjones_ has joined #openstack-keystone		15:55
ihrachyshka	it seems to me that neutron feature overrides default behaviour in a way that would be hard to introduce as a general mechanism	15:55
ihrachyshka	I first thought that I'll be able to introduce it in oslo.policy, but now I'm not sure	15:56
ihrachyshka	and if we are not able to introduce the feature, then we may want to expose policy checks used by neutron to implement the feature	15:56
ihrachyshka	AndCheck and RuleCheck from oslo_policy/_checks.py	15:57
stevemar	ihrachyshka, i think those are exposed today	15:57
stevemar	the checks	15:57
ihrachyshka	(we also have RoleCheck used in other places of neutron policy code, but it seems we will be able to just kill the usage)	15:57
ihrachyshka	stevemar, no, they are not. they are in _checks, meaning private symbols	15:57
ihrachyshka	I asked to introduce them in Kilo, but I was said that neutron should instead work on introducing the feature in oslo.policy	15:58
ihrachyshka	and I originally agreed	15:58
ihrachyshka	but now I'm not confident it's the best way	15:58
*** bknudson has joined #openstack-keystone		15:58
*** ChanServ sets mode: +v bknudson		15:58
*** henrynash has joined #openstack-keystone		15:59
*** ChanServ sets mode: +v henrynash		15:59
stevemar	ihrachyshka, ah right, we just exposed _check.Check	15:59
ihrachyshka	right, so that we can implement custom checks	15:59
davidckennedy	dtroyer OK. Thank you, I'll stop trying to use v3 via the CLI then ;)	15:59
ihrachyshka	(and neutron does it, but that's for rule part, not target)	15:59
ihrachyshka	target seems to be opaque for oslo.policy	16:00
ihrachyshka	stevemar, what's your take as an Expert? ;)	16:04
rodrigods	henrynash, just to confirm, I need a spec for https://review.openstack.org/#/c/172536/ and https://review.openstack.org/#/c/172562/	16:04
rodrigods	right?	16:04
henrynash	rodigods: I think it might be sensible (one spec to cover both, should be fine)….should be short and sweet	16:05
rodrigods	henrynash, thanks... another question, if fixed, there is the possibility to be backported?	16:06
rodrigods	for kilo, I mean	16:06
*** gyee_ has joined #openstack-keystone		16:06
henrynash	sure, we can always suggest backporting……	16:07
*** markvoelker has joined #openstack-keystone		16:08
*** jistr has quit IRC		16:08
rodrigods	henrynash, nice! thx... when raildo is back we are going to ping you again to discuss dual scoped tokens	16:09
rodrigods	:)	16:09
henrynash	ok!	16:09
*** afazekas has quit IRC		16:11
*** markvoelker has quit IRC		16:13
raildo	i'm here :D	16:15
*** rushiagr_away is now known as rushiagr		16:15
*** davidckennedy has quit IRC		16:17
*** mattamizer has quit IRC		16:22
*** _kiran_ has joined #openstack-keystone		16:24
*** tqtran has joined #openstack-keystone		16:24
*** _kiran_ is now known as kiran-r		16:27
*** c0m0 has quit IRC		16:35
*** EmilienM is now known as EmilienM\|afk		16:39
*** gyee_ has quit IRC		16:43
openstackgerrit	Rodrigo Duarte proposed openstack/keystone-specs: New attributes for SAML assertion https://review.openstack.org/174462	16:44
*** kiran-r has quit IRC		16:45
*** afazekas has joined #openstack-keystone		16:47
*** lhcheng has joined #openstack-keystone		16:47
*** ChanServ sets mode: +v lhcheng		16:47
*** kiran-r has joined #openstack-keystone		16:49
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Add openstack_user_domain to assertion https://review.openstack.org/172562	16:49
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Add openstack_project_domain to assertion https://review.openstack.org/172536	16:50
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Add openstack_user_domain to assertion https://review.openstack.org/172562	16:50
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Refactor _create_attribute_statement IdP method https://review.openstack.org/172647	16:50
*** henrynash has quit IRC		16:56
samueldmq	hi, in our domain-specific documentation we have example ldap urls like : "url": "http://myldap/root"	16:58
samueldmq	but ldap has its own protocol, right ? then it would be something like ldap://	16:58
*** harlowja_away is now known as harlowja		16:58
dstanek	samueldmq: sounds like a patch waiting to happen	17:03
samueldmq	dstanek, nice, will put here on my todo list and submit a patch later today :-)	17:05
samueldmq	thanks	17:05
*** kiran-r has quit IRC		17:10
*** ajayaa has joined #openstack-keystone		17:12
*** markvoelker has joined #openstack-keystone		17:12
*** luminalf1ux has left #openstack-keystone		17:23
*** krykowski has quit IRC		17:26
*** ryanpetrello has joined #openstack-keystone		17:27
*** alexsyip has joined #openstack-keystone		17:27
ryanpetrello	anybody know if there's a way in Keystone to do role assignment with no tenant?	17:30
ryanpetrello	we've been using OpenStack and Keystone for quite some time (since ~Folsom)	17:30
ryanpetrello	and it seems at some point this functionality went away: https://github.com/openstack/keystone/blob/stable/juno/keystone/assignment/controllers.py#L203	17:30
ryanpetrello	is there a sanctioned way to do this sort of thing in present-day Keystone?	17:31
*** j_king_ is now known as j_king		17:31
ryanpetrello	e.g., "User <X> belongs to Role <VIP Customers>"	17:31
samueldmq	ryanpetrello, hi	17:32
samueldmq	ryanpetrello, no, a role assignment is always composed by (actor, target, role)	17:33
amakarov_away	ryanpetrello, aren't groups intended for it?	17:33
samueldmq	ryanpetrello, where actor can be one of (user, group) and target one of (project, domain)	17:33
samueldmq	amakarov_away, no	17:33
samueldmq	amakarov_away, it is not possible to have a role assignments without a target ('tenant' as he described)	17:34
*** amakarov_away is now known as amakarov		17:34
amakarov	samueldmq, but can we mark a user as a group member?	17:35
*** joesavak has joined #openstack-keystone		17:35
amakarov	e.g "User <X> belongs to Group <VIP Customers>"	17:35
samueldmq	amakarov, ryanpetrello well, yeas through grouping we can do something similar	17:35
samueldmq	amakarov, yes, but this is not a role assignment	17:36
samueldmq	amakarov, and we still need to have role assignments for that group on targets	17:36
amakarov	samueldmq, ++	17:36
amakarov	looks like I failed to explain clear )	17:36
samueldmq	ryanpetrello, could you provide more details on how this worked before ? maybe we can find a similar way to get it working today	17:37
samueldmq	amakarov, np :)	17:37
*** jsavak has quit IRC		17:38
*** browne has quit IRC		17:39
*** amerine has joined #openstack-keystone		17:39
*** ihrachyshka has quit IRC		17:40
*** markvoelker has quit IRC		17:43
*** clayton has joined #openstack-keystone		17:43
morganfainberg	ryanpetrello, the answer is no, we don't support global roles at this time	17:43
krotscheck	Is master open yet?	17:43
*** EmilienM\|afk is now known as EmilienM		17:43
ryanpetrello	thanks morganfainberg	17:44
morganfainberg	ryanpetrello, it was a design choice to not so do.	17:44
morganfainberg	krotscheck, yes	17:44
krotscheck	Oh good :)	17:44
morganfainberg	krotscheck, liberty development is open	17:44
ryanpetrello	morganfainberg: any idea when (release-wise) that changed?	17:44
morganfainberg	ryanpetrello, grizzly	17:44
morganfainberg	ish?	17:44
ryanpetrello	okay, thanks	17:44
krotscheck	morganfainberg: I've got a global-requirements patch that's failing on keystone, because stevedore's a couple of versions out of date.	17:44
morganfainberg	krotscheck, fun. sounds like something worth quickly fixing	17:45
morganfainberg	;)	17:45
*** ryanpetrello has left #openstack-keystone		17:45
krotscheck	morganfainberg: Yep, that's why I asked.	17:45
morganfainberg	krotscheck, please file a bug on it for tracking, but feel free to toss a patch up to keystone, and poke at the cores here	17:46
*** amerine has quit IRC		17:46
morganfainberg	krotscheck, should be an easy(no-brainer) thing to get pushed through	17:46
krotscheck	morganfainberg: I	17:46
*** amakarov is now known as amakarov_away		17:46
krotscheck	morganfainberg: Easy for someone familiar with these things I'm sure :)	17:46
morganfainberg	krotscheck: or file the bug and we will circle up on it soon(ish) i hope.	17:46
*** amerine has joined #openstack-keystone		17:46
morganfainberg	krotscheck: things are moving a little slow atm since we're in RC and haven't specc'd work for liberty	17:47
*** jsavak has joined #openstack-keystone		17:47
morganfainberg	krotscheck: bknudson is also working on converting things over to use stevedore in keystone. so he might be a good resource to ask about the bug/fix [he might have fixed it in his patch-series]	17:47
*** jsavak has quit IRC		17:47
krotscheck	morganfainberg: That's good to know :)	17:48
* krotscheck is still trying to figure out how to trace down the _actual_ error in his global-requirement failures.		17:48
*** esp has quit IRC		17:50
*** joesavak has quit IRC		17:51
clayton	for keystone v3, is it required to specify the domain by id in the policy.json cloud_admin rule?	17:53
clayton	or is there a better way to do that?	17:53
openstackgerrit	Doug Hellmann proposed openstack/keystonemiddleware: Uncap library requirements for liberty https://review.openstack.org/174493	17:54
*** EmilienM is now known as EmilienM\|afk		17:55
clayton	having to put the admin domain id in the policy.json file is kind miserable from a deployment standpoint, since I can't anticipate what id will be assigned to a given name	17:57
*** aix has quit IRC		17:57
*** Ephur has joined #openstack-keystone		17:57
*** joesavak has joined #openstack-keystone		17:57
*** sdake_ has joined #openstack-keystone		17:59
*** afazekas has quit IRC		17:59
*** esp has joined #openstack-keystone		17:59
*** sdake has quit IRC		18:02
stevemar	morganfainberg, ^	18:03
openstackgerrit	Doug Hellmann proposed openstack/oslo.policy: Uncap library requirements for liberty https://review.openstack.org/174515	18:07
clayton	and I'll apologize in advance, I don't know all that much about domains. I'm trying to convince myself that domain_id in this case is actually the name, not a uuid	18:07
mfisch	stevemar: can I tweak whats getting into the notifications?	18:08
stevemar	mfisch, not unless you tweak the code	18:08
stevemar	you also can't tweak which notifications you get	18:08
mfisch	The auth notification is gonna be chatty	18:09
lhcheng	clayton: unfortunately yes, you have to put the domain_id where the cloud admin would be.	18:09
clayton	I'm starting to feel a little ill	18:10
lhcheng	clayton: could update the policy.json on the deployment script, shouldn't be too bad.	18:10
clayton	sure, if I could know what uuid would be assigned ahead of time	18:10
mfisch	stevemar: is there a reason that only IDs are logged and not names? I'm thinking of wanting to review a log 3 months later about a project deletion, a project for which I may no longer have the ID	18:11
openstackgerrit	Doug Hellmann proposed openstack/pycadf: Uncap library requirements for liberty https://review.openstack.org/174525	18:11
stevemar	mfisch, there in lies the deficiencies of the 'basic' format	18:12
mfisch	okay so cadf solves all my problems ;)	18:12
stevemar	the 'basic' format was used for what you're trying to do now, and for triggering events, like a callback function	18:12
stevemar	the thinking was "IDs are unique, so that's all we'll ever need"	18:12
clayton	stevemar: sure, if you keep the logs forever :)	18:13
openstackgerrit	Doug Hellmann proposed openstack/python-keystoneclient: Uncap library requirements for liberty https://review.openstack.org/174534	18:13
mfisch	I'll get the cadf format when we upgrade	18:13
openstackgerrit	Doug Hellmann proposed openstack/python-keystoneclient-federation: Uncap library requirements for liberty https://review.openstack.org/174535	18:13
stevemar	and "ids are enough to know that if a project is deleted, i can delete the tokens that are scoped to the project"	18:13
openstackgerrit	Doug Hellmann proposed openstack/python-keystoneclient-kerberos: Uncap library requirements for liberty https://review.openstack.org/174536	18:13
stevemar	mfisch, yeah, cadf will have the name :)	18:13
mfisch	so it was more to notify other services in this format	18:13
*** sdake has joined #openstack-keystone		18:13
stevemar	yeppers	18:13
mfisch	a user was made, you may want to do something	18:13
stevemar	let me double check that it has the name, i'm 99% sure it does	18:14
stevemar	right	18:14
mfisch	I started to read the CADF slides but it looks like something I could spend the rest of my career on	18:14
lhcheng	clayton: maybe a script (using admin_token) to query all the domain and fetch one that matches the domain name?	18:15
mfisch	thanks for the info stevemar	18:15
stevemar	mfisch, gah, no it doesn't have the name, i lied	18:15
lhcheng	clayton: I know it's painful :(	18:15
mfisch	stevemar: hmm ok	18:15
stevemar	mfisch, it has the user's name (the guy who did the request)	18:16
mfisch	thats not as useful for my case but then at least I'd know who to ask about a deletion	18:16
stevemar	liberty feature/bug? (add the name and domain name/id)	18:16
dstanek	just out of curiosity, what is the added value of having the name?	18:17
stevemar	mfisch, http://docs.openstack.org/developer/keystone/event_notifications.html#example-notification-project-create	18:17
*** sdake_ has quit IRC		18:17
mfisch	so I can look in a log 3 months later and do some correlations	18:17
mfisch	dstanek: "when was project X deleted?"	18:17
mfisch	and by whom	18:17
dstanek	mfisch: if you have the project id and user id, don't you get that?	18:18
mfisch	you do	18:18
mfisch	is that info still avail after the deletion?	18:18
mfisch	I'll admit I didnt check the DB	18:18
dstanek	the actual record?	18:18
mfisch	yeah	18:18
mfisch	where would I still have that info is my question	18:18
dstanek	i doubt it would be in the database	18:19
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/172139	18:19
mfisch	dstanek: so there's my case, unless I have that info saved off somewhere	18:19
bknudson	openstack role list: error: unrecognized arguments: --group 785034808b2740db825218b9cec511f5 -- not sure why I'm getting this when running devstack.	18:19
dstanek	mfisch: so your use case is someone about what happened to a project (by name only) so only logging the id won't help	18:19
mfisch	yes	18:20
bknudson	I've got the latest python-openstackclient.	18:20
stevemar	bknudson, theres a bug in devstack	18:20
bknudson	ah	18:20
stevemar	bknudson, this should fix it: https://review.openstack.org/#/c/171979/	18:20
dstanek	mfisch: but over time you may have multiple ids for the same name	18:20
stevemar	i may have introduced it	18:20
bknudson	must not be a very bad bug if the gate's still passing.	18:20
stevemar	yeah, it's not a set_or_die thing	18:21
mfisch	dstanek: what do you mena?	18:21
mfisch	mean	18:21
dstanek	mfisch: i create a project 'awesome' and then delete it - a while later the same thing happens - how do you answer the question about who deleted 'awesome'?	18:23
stevemar	mfisch, he means you can create project 'x', it has an ID, delete it; then create project 'x', it has another ID, then delete it - repeat	18:23
mfisch	ah ok	18:23
mfisch	so thats in theory, but would not happen in my environment, but I get your point	18:23
*** browne has joined #openstack-keystone		18:23
*** mhu has quit IRC		18:26
dstanek	really for a 'true' audit log you really have to attach the entire record in the case of a delete/add or the before and after records for an update	18:26
mfisch	sure	18:26
mfisch	My basic use case is that "user dstanek was deleted by mfisch on April 16" ends up in a log that I can send to splunk. That's it. I am not doing compliance auditing, I am not going to spend 3 months on some crazy solution. These notifications seemed like a simple path	18:27
*** vilobhmm1 has joined #openstack-keystone		18:27
openstackgerrit	David Stanek proposed openstack/keystone: Removes KVS catalog backend https://review.openstack.org/158442	18:28
openstackgerrit	David Stanek proposed openstack/keystone: Adds proper isolation the templated catalog tests https://review.openstack.org/174556	18:28
*** vilobhmm11 has joined #openstack-keystone		18:29
morganfainberg	stevemar, we should support domain name in the policy file.	18:29
dstanek	mfisch: yes, i agree. notifications would be good for you.	18:29
morganfainberg	stevemar, that should be in the context actually	18:30
morganfainberg	stevemar, and domain names are (today) unique	18:30
*** mhu has joined #openstack-keystone		18:30
morganfainberg	stevemar, it might just work today	18:30
morganfainberg	stevemar, today = kilo	18:30
morganfainberg	clayton, ^	18:30
dstanek	i don't know if this is frowned upon, but it may be possible to create your own middleware has callbacks that log to the log. or...it may not be possible	18:30
clayton	morganfainberg: having to specify the domain by uuid in the policy.json makes supporting automation of this with Puppet dramatically more horrible. If it's supported in Kilo that would be great to know	18:31
clayton	I've been trying to dig through the code to figure that out, but I'm just not familiar enough with the codebase to tell for sure	18:31
morganfainberg	clayton, i think domain name would work in the policy file since it would be in the auth context	18:31
*** vilobhmm11 has left #openstack-keystone		18:31
morganfainberg	but i'd need to setup a test environment to figure it out	18:31
clayton	yeah, that's what I was trying to avoid myself :)	18:31
morganfainberg	clayton, unfortunately, that wont be this week [stuck in lots of meetings]	18:31
clayton	I was hoping I could find out where in the code domain_id was populated and see if the name was there also	18:32
morganfainberg	clayton, but i'd like to say we could support either.	18:32
dstanek	morganfainberg: you may need to talk me off a ledge. i'm considering submitting a review to 'git rm keystone/catalog'	18:32
morganfainberg	dstanek, no	18:32
stevemar	do it. do it do it	18:32
morganfainberg	dstanek, step back from the letdge	18:32
morganfainberg	ledge*	18:32
*** vilobhmm1 has quit IRC		18:32
morganfainberg	dstanek, talk us through the issue.	18:32
dstanek	morganfainberg: take a look at https://review.openstack.org/#/c/174556/	18:32
morganfainberg	dstanek, and i might have an answer already	18:32
morganfainberg	dstanek, so i think we really need the templated catalog to go die	18:33
morganfainberg	and not be "based on KVS"	18:33
stevemar	dstanek, i can submit one for `git rm keystone\policy\not rules`	18:33
morganfainberg	at the very least	18:33
stevemar	yes please	18:33
dstanek	morganfainberg: i've fixed that issue (the kvs one)	18:33
morganfainberg	second	18:33
*** EmilienM\|afk is now known as EmilienM		18:33
morganfainberg	i don't see how we can make the templated catalog ever really match the DB schema one clearly unless we totally change how it works	18:34
morganfainberg	and move to a DSL-like construct to define the catalog	18:34
bknudson	yaml	18:34
*** rdo has quit IRC		18:34
bknudson	I guess JSON would make more sense, then could just return it as-is.	18:35
morganfainberg	basically we've given people a very short rope and it's likely they can hang themselves	18:35
morganfainberg	since it reads arbitrary templates from disk	18:35
morganfainberg	bknudson, i'd say yaml or json with validatable structure, and we expand it	18:36
morganfainberg	with the extra stuff	18:36
dstanek	i'm ok with deprecating it and not worrying about the lack of testing - i had to strategies in mind to fix, but if we'll deprecate it then i won't bother wasting my day today	18:36
morganfainberg	dstanek, put that on the list to discuss on tuesday	18:36
morganfainberg	don't worry about it today	18:36
dstanek	otoh, if it's used by more that mfisch maybe it should stay around	18:36
morganfainberg	(the etherpad for "tech debt paydown"_	18:36
morganfainberg	i think we need to keep it, but we can make a better templated catalog	18:36
*** rdo has joined #openstack-keystone		18:36
morganfainberg	so people like mfisch can not hate us.	18:37
dstanek	this is where i removed kvs and implemented the read methods: https://review.openstack.org/#/c/158442/	18:37
*** ayoung has joined #openstack-keystone		18:37
*** ChanServ sets mode: +v ayoung		18:37
* mfisch better catch up		18:37
morganfainberg	dstanek, it might be simple declarative description of the elements vs. the kludge-y current template	18:38
morganfainberg	dstanek, and then we apply the same kind of "transform" we do from the SQL db.	18:38
morganfainberg	just read that data from disk instead.	18:38
dstanek	morganfainberg: cool, we can discuss that in more detail at the summit	18:38
morganfainberg	dstanek, exactly	18:38
morganfainberg	dstanek, but the templated catalog needs love. and people do like it. so lets deprecate the bad version and give it love and make it supportable	18:39
bknudson	Looks like devstack gives nova admin role on the service project rather than service: \| admin \| nova \| \| service \| \|	18:39
dstanek	for testing i wanted to break up the CatalogTests class into CatalogCrud and CatalogReadOnly	18:39
bknudson	\| service \| cinder \| \| service \| \|	18:39
bknudson	most of them have service role on service project	18:39
dstanek	and then have a subclass for each backend - that's easy and logic IMO	18:39
morganfainberg	dstanek, hm. sure.	18:39
morganfainberg	dstanek, makse sense to me	18:40
mfisch	dstanek: we're not using the templated catalog so rm -rf away	18:40
morganfainberg	mfisch: lots of people do use it though	18:40
dstanek	the problem comes with the RO - our typical testing is uuids everywhere so that means i'd have to do magic in the templated subclass to make a fake file to be read	18:40
morganfainberg	mfisch: even if you don't	18:40
mfisch	I was just responding to making me not hate you ;)	18:40
morganfainberg	mfisch, haha	18:41
dstanek	mfisch: nice, i thought you still were	18:41
morganfainberg	dstanek: i'd expect you'll need to do that or put it in the same kind of way we do some legacy conf-file testing	18:41
dstanek	or i keep a hard coded catalog on disk and change use hardcoded 'RegionOne' ids in the test class	18:41
*** markvoelker has joined #openstack-keystone		18:42
*** bernardo-silva has joined #openstack-keystone		18:46
*** rdo has quit IRC		18:49
*** rdo has joined #openstack-keystone		18:51
*** bernardo-silva has quit IRC		18:54
openstackgerrit	Eric Brown proposed openstack/keystone: Update developer doc to reference Ubuntu 14 https://review.openstack.org/174563	18:54
lhcheng	clayton: this is what you're looking for: https://github.com/openstack/keystone/blob/master/keystone/common/authorization.py#L61	18:55
lhcheng	clayton: don't see the domain_name being set	18:55
morganfainberg	lhcheng, so we might need to add it ot the context	18:58
clayton	lhcheng: well, that's unfortunate, but I really appreciate that you dug it up :)	18:58
*** ozialien has joined #openstack-keystone		18:59
lhcheng	morganfainberg: yup, should be easy since the name is already in the token.	19:01
lhcheng	morganfainberg: I can add that if anyone haven't started	19:01
lhcheng	clayton: yeah. something to look forward to for L :)	19:02
clayton	We'll probably have to solve the problem before then :/	19:04
gyee	what's the problem?	19:06
*** jamie_h has quit IRC		19:08
*** rushiagr is now known as rushiagr_away		19:08
*** markvoelker has quit IRC		19:14
clayton	gyee: in Kilo, configuring cloud_admin requires hard coding the uuid of the admin domain into the policy.json file	19:21
clayton	specifically the issue is that it's a uuid that keystone is going to generate randomly, there isn't any apparent way to specify that you want a specific one	19:26
clayton	puppet does all of it's templating on the server side, and there is no easy way to retrieve that information from keystone once the domain is generated	19:27
dstanek	clayton: i thought you could have a snippet of code call out to keystone to get the info	19:28
clayton	so, custom functions can be used in templates, but they run server side	19:32
clayton	before the domain will have been created	19:32
richm	dstanek: The folks on #puppet-openstack tell me that's not possible to do in this case	19:32
*** nkinder has quit IRC		19:32
dstanek	richm: that's unfortunate.	19:33
*** ajayaa has quit IRC		19:43
-openstackstatus- NOTICE: gerrit has been restarted to clear a problem with its event stream. any gerrit changes updated or approved between 19:14 and 19:46 utc will need to be rechecked or have their approval reapplied for zuul to pick them up		19:47
*** amerine has quit IRC		20:04
*** amerine has joined #openstack-keystone		20:04
ayoung	morganfainberg, "the templated catalog needs love." I think it needs the Lenny treatment from "Of Mice and Men"	20:09
*** markvoelker has joined #openstack-keystone		20:12
breton	noce, sqlalchemy 1.0 released	20:13
breton	*nice	20:13
breton	zzzeek: congrats	20:13
*** topol has quit IRC		20:17
*** pnavarro has quit IRC		20:24
*** joesavak has quit IRC		20:30
*** joesavak has joined #openstack-keystone		20:32
*** jsavak has joined #openstack-keystone		20:34
*** henrynash has joined #openstack-keystone		20:35
*** ChanServ sets mode: +v henrynash		20:35
*** pnavarro has joined #openstack-keystone		20:36
*** joesavak has quit IRC		20:37
*** ozialien has quit IRC		20:38
*** markvoelker has quit IRC		20:44
*** nkinder has joined #openstack-keystone		20:45
*** cburgess_ has quit IRC		20:58
*** cburgess has joined #openstack-keystone		20:58
*** gyee_ has joined #openstack-keystone		21:11
*** harlowja is now known as harlowja_away		21:11
*** EmilienM is now known as EmilienM\|afk		21:13
*** dims__ has quit IRC		21:23
*** pnavarro has quit IRC		21:28
*** mattfarina has quit IRC		21:31
*** jamielennox\|away is now known as jamielennox		21:39
*** stevemar has quit IRC		21:39
*** markvoelker has joined #openstack-keystone		21:42
*** henrynash has quit IRC		21:54
*** EmilienM\|afk is now known as EmilienM		21:55
*** jdennis has quit IRC		21:55
jamielennox	mm, gerrit completely screwed up handling of my ksm patch chain	21:58
*** lhcheng has quit IRC		22:03
*** mattfarina has joined #openstack-keystone		22:03
*** mattfarina has quit IRC		22:05
*** dims__ has joined #openstack-keystone		22:08
*** lhcheng has joined #openstack-keystone		22:10
*** ChanServ sets mode: +v lhcheng		22:10
*** gordc has quit IRC		22:10
*** lhcheng has quit IRC		22:11
*** lhcheng has joined #openstack-keystone		22:11
*** ChanServ sets mode: +v lhcheng		22:11
*** sigmavirus24 is now known as sigmavirus24_awa		22:12
*** harlowja_away is now known as harlowja		22:13
*** markvoelker has quit IRC		22:13
*** Raildo_ has joined #openstack-keystone		22:16
*** Raildo__ has joined #openstack-keystone		22:16
*** Raildo__ has quit IRC		22:17
*** sdake_ has joined #openstack-keystone		22:28
*** jsavak has quit IRC		22:31
*** sdake has quit IRC		22:31
*** sdake_ has quit IRC		22:33
openstackgerrit	Lin Hua Cheng proposed openstack/keystone: Expose domain_name in the context for policy.json https://review.openstack.org/174633	22:39
*** EmilienM is now known as EmilienM\|afk		22:40
*** bknudson has quit IRC		22:43
*** markvoelker has joined #openstack-keystone		22:48
*** markvoelker_ has joined #openstack-keystone		22:49
*** dims__ has quit IRC		22:50
*** markvoel_ has joined #openstack-keystone		22:50
*** markvoe__ has joined #openstack-keystone		22:51
*** markvoelker has quit IRC		22:53
*** gyee_ has quit IRC		22:53
openstackgerrit	David Stanek proposed openstack/keystone: Removes KVS catalog backend https://review.openstack.org/158442	22:53
openstackgerrit	David Stanek proposed openstack/keystone: Adds proper isolation the templated catalog tests https://review.openstack.org/174556	22:53
*** markvoelker_ has quit IRC		22:54
*** markvoel_ has quit IRC		22:55
*** jdennis has joined #openstack-keystone		22:55
*** nkinder has quit IRC		22:59
*** chlong has joined #openstack-keystone		23:02
*** jdennis has quit IRC		23:02
*** Raildo_ has quit IRC		23:04
*** zzzeek has quit IRC		23:07
lhcheng	dstanek: for https://review.openstack.org/#/c/174633/ are you looking for new unit tests token_to_auth_context() ?	23:07
lhcheng	dstanek: tried to look for existing one before submitting, but didn't find any.	23:08
dstanek	lhcheng: i'd be happy with anything that prevents a regression - probably a new one in this case	23:08
dstanek	there are several tests in test_auth.py that exercise that method, but maybe not in the way that we need	23:08
*** gyee_ has joined #openstack-keystone		23:09
lhcheng	hmm maybe it is exercised indirectly.. anyway, I can add unit tests that invoke token_to_auth_context() directly	23:10
dstanek	lhcheng: i'd have to take a look, but i think it's called in the setup of some tests	23:10
dstanek	i don't remember why though	23:10
*** EmilienM\|afk is now known as EmilienM		23:10
lhcheng	dstanek: it's okay. I'll look it up.	23:11
lhcheng	dstanek: thanks for the revie	23:11
lhcheng	*review	23:11
dstanek	ma pleasure	23:11
*** jaosorior has quit IRC		23:12
*** stevemar has joined #openstack-keystone		23:12
*** ChanServ sets mode: +v stevemar		23:12
*** stevemar has quit IRC		23:17
*** rdo has quit IRC		23:20
*** rdo has joined #openstack-keystone		23:22
*** dguerri is now known as _dguerri		23:23
*** _dguerri is now known as dguerri		23:24
*** sdake has joined #openstack-keystone		23:34
*** browne has quit IRC		23:46
*** sdake_ has joined #openstack-keystone		23:55
*** markvoe__ has quit IRC		23:58
*** sdake has quit IRC		23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!