Tuesday, 2015-04-21

[00:00] <jamielennox> morganfainberg: infra patch is supposed to have a Depends-On: the governance patch
[00:00] <morganfainberg> jamielennox, feel free to add it if you want, i'll circle back on it tonight
[00:00] <morganfainberg> laptop is about to die and i need food.
[00:01] <jamielennox> morganfainberg: ok, i just did a few infra ones recently
[00:02] <jamielennox> this is really simple: https://review.openstack.org/#/c/174195/ - can we +a it so maybe gerrit will let me rebase the rest of the chain
[00:03] <jamielennox> gerrit freaked out by reorganizing a patch set
[00:05] *** bknudson has joined #openstack-keystone
[00:05] *** ChanServ sets mode: +v bknudson
[00:07] *** alexsyip has quit IRC
[00:22] *** openstackgerrit has quit IRC
[00:22] *** openstackgerrit has joined #openstack-keystone
[00:26] *** _cjones_ has quit IRC
[00:28] *** _cjones_ has joined #openstack-keystone
[00:33] *** arif-ali has joined #openstack-keystone
[00:34] *** _cjones_ has quit IRC
[00:35] *** openstack has joined #openstack-keystone
[00:43] *** spandhe has quit IRC
[00:46] *** gyee has quit IRC
[00:53] *** tqtran has quit IRC
[00:59] *** browne has quit IRC
[01:01] *** zzzeek has quit IRC
[01:29] *** wangh has joined #openstack-keystone
[01:29] *** _cjones_ has joined #openstack-keystone
[01:34] *** _cjones_ has quit IRC
[01:39] *** erkules_ has joined #openstack-keystone
[01:41] *** erkules has quit IRC
[01:42] *** browne has joined #openstack-keystone
[01:53] *** thedodd has quit IRC
[02:31] *** _cjones_ has joined #openstack-keystone
[02:35] *** _cjones_ has quit IRC
[02:35] *** harlowja is now known as harlowja_away
[02:37] *** harlowja_away is now known as harlowja
[02:39] *** stevemar has joined #openstack-keystone
[02:39] *** ChanServ sets mode: +v stevemar
[02:54] *** lhcheng has quit IRC
[03:19] <stevemar> morganfainberg, o
[03:19] <stevemar> morganfainberg, o/
[03:20] <morganfainberg> stevemar, o/
[03:20] <stevemar> morganfainberg, want to review a slide deck? :P
[03:20] <morganfainberg> i'd love to >.>
[03:22] *** lhcheng has joined #openstack-keystone
[03:22] *** ChanServ sets mode: +v lhcheng
[03:37] *** _cjones_ has joined #openstack-keystone
[03:42] *** _cjones_ has quit IRC
[03:54] *** ajayaa has joined #openstack-keystone
[03:56] *** harlowja is now known as harlowja_away
[03:57] <openstackgerrit> Merged openstack/keystonemiddleware: Remove retry parameter https://review.openstack.org/174195
[04:08] *** ajayaa has quit IRC
[04:10] *** ayoung_ has quit IRC
[04:14] *** iamjarvo has joined #openstack-keystone
[04:21] *** lhcheng has quit IRC
[04:26] *** ishant has joined #openstack-keystone
[04:27] *** spandhe has joined #openstack-keystone
[04:29] <openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Fetch user token from request rather than env https://review.openstack.org/174202
[04:29] <openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Remove the _msg_format function https://review.openstack.org/174201
[04:29] <openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Base use webob https://review.openstack.org/174200
[04:29] <openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Don't rely on token_info for header building https://review.openstack.org/174199
[04:29] <openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Move project included validation https://review.openstack.org/174198
[04:29] <openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Depend on keystoneclient for expiration checking https://review.openstack.org/174197
[04:29] <openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Don't store expire into memcache https://review.openstack.org/174196
[04:29] <openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Cleanup token hashes generated by cache https://review.openstack.org/174194
[04:38] *** _cjones_ has joined #openstack-keystone
[04:38] *** richm has quit IRC
[04:44] *** _cjones_ has quit IRC
[04:55] *** spandhe has quit IRC
[04:59] *** rm_work|away is now known as rm_work
[05:07] *** lhcheng has joined #openstack-keystone
[05:07] *** ChanServ sets mode: +v lhcheng
[05:25] *** ajayaa has joined #openstack-keystone
[05:26] *** lhcheng_ has joined #openstack-keystone
[05:29] *** lhcheng has quit IRC
[05:30] *** wangh has quit IRC
[05:31] *** wangh has joined #openstack-keystone
[05:31] *** iamjarvo has quit IRC
[05:31] *** afazekas has quit IRC
[05:33] *** wangh has quit IRC
[05:37] *** iamjarvo has joined #openstack-keystone
[05:41] *** _cjones_ has joined #openstack-keystone
[05:52] *** lhcheng_ has quit IRC
[05:54] *** iamjarvo has quit IRC
[06:05] *** ishant has quit IRC
[06:18] *** lhcheng has joined #openstack-keystone
[06:18] *** ChanServ sets mode: +v lhcheng
[06:19] *** _cjones_ has quit IRC
[06:21] *** afazekas_ has joined #openstack-keystone
[06:29] *** krykowski has joined #openstack-keystone
[06:34] *** jamielennox is now known as jamielennox|away
[06:41] *** mabrams has joined #openstack-keystone
[06:51] *** lhcheng has quit IRC
[07:03] *** mestery has quit IRC
[07:06] *** browne has quit IRC
[07:11] *** pcaruana has quit IRC
[07:20] *** arif-ali has quit IRC
[07:21] *** arif-ali has joined #openstack-keystone
[07:22] *** jaosorior has joined #openstack-keystone
[07:23] *** amerine has joined #openstack-keystone
[07:27] *** unixlike has quit IRC
[07:27] *** unixlike has joined #openstack-keystone
[07:32] *** afazekas_ has quit IRC
[07:34] *** henrynash has joined #openstack-keystone
[07:34] *** ChanServ sets mode: +v henrynash
[07:36] *** afazekas_ has joined #openstack-keystone
[07:38] *** henrynash has quit IRC
[07:43] *** jamielennox|away is now known as jamielennox
[07:45] *** henrynash has joined #openstack-keystone
[07:45] *** ChanServ sets mode: +v henrynash
[07:46] *** mestery has joined #openstack-keystone
[07:47] *** jistr has joined #openstack-keystone
[07:49] *** stevemar has quit IRC
[07:53] *** erkules_ is now known as erkules
[07:53] *** erkules has joined #openstack-keystone
[07:58] *** amerine has quit IRC
[08:24] <breton> hello, keystoneers
[08:29] *** marekd has joined #openstack-keystone
[08:29] *** ChanServ sets mode: +v marekd
[08:29] <marekd> Good morning!
[08:47] <openstackgerrit> Dhriti Shikhar proposed openstack/python-keystoneclient: Fixes example code in Using Sessions page https://review.openstack.org/175135
[08:48] <openstackgerrit> Dhriti Shikhar proposed openstack/python-keystoneclient: Fixes example code in Using Sessions page https://review.openstack.org/175135
[08:50] *** fhubik has joined #openstack-keystone
[08:50] <openstackgerrit> Dhriti Shikhar proposed openstack/python-keystoneclient: Fixes example code in Using Sessions page https://review.openstack.org/175135
[08:52] *** unixlike has quit IRC
[08:52] *** unixlike has joined #openstack-keystone
[08:54] *** f13o has joined #openstack-keystone
[08:55] *** pnavarro has joined #openstack-keystone
[09:03] <openstackgerrit> David Charles Kennedy proposed openstack/keystone: Move endpoint catalog filtering to default driver https://review.openstack.org/167675
[09:06] *** fhubik is now known as fhubik_afk
[09:09] *** krykowski has quit IRC
[09:30] *** fhubik_afk is now known as fhubik
[09:41] *** pnavarro has quit IRC
[09:51] *** _cjones_ has joined #openstack-keystone
[09:55] *** _cjones_ has quit IRC
[10:05] *** boris-42 has quit IRC
[10:08] *** boris-42 has joined #openstack-keystone
[10:08] *** unixlike has quit IRC
[10:30] *** davidckennedy has joined #openstack-keystone
[10:37] *** krykowski has joined #openstack-keystone
[10:40] *** fhubik is now known as fhubik_afk
[10:40] <marekd> mhu: re: https://review.openstack.org/#/c/157821/ Hi. Do you think you want to finish this patch and address bknudson's comments?
[10:57] <mhu> marekd, right ! I'll get to it today, sorry for letting this go unattended for so long
[10:58] *** baffle has joined #openstack-keystone
[11:02] *** jistr has quit IRC
[11:04] *** jistr has joined #openstack-keystone
[11:10] *** f13o has quit IRC
[11:16] *** jdennis has quit IRC
[11:19] *** jdennis has joined #openstack-keystone
[11:36] <baffle> I'm looking at the policy.json/policy.v3cloudsample.json in git, and I can't understand why identity:create_credential and similar are admin only? Shouldn't they match identity:ec2_list_credentials ? Because this is basically the same functionality, right?
[11:40] *** _cjones_ has joined #openstack-keystone
[11:47] *** _cjones_ has quit IRC
[11:50] *** jsheeren has quit IRC
[11:53] *** fhubik_afk is now known as fhubik
[12:02] *** markvoelker has joined #openstack-keystone
[12:03] *** markvoelker_ has joined #openstack-keystone
[12:04] *** markvoelker_ has quit IRC
[12:05] *** markvoelker_ has joined #openstack-keystone
[12:06] *** raildo has joined #openstack-keystone
[12:07] *** markvoelker has quit IRC
[12:10] *** richm has joined #openstack-keystone
[12:21] *** aix has joined #openstack-keystone
[12:23] *** pnavarro has joined #openstack-keystone
[12:34] *** gordc has joined #openstack-keystone
[12:42] *** henrynash has quit IRC
[12:42] *** jistr has quit IRC
[12:43] *** jistr has joined #openstack-keystone
[12:52] *** ajayaa has quit IRC
[12:53] *** bknudson has quit IRC
[13:00] *** pnavarro has quit IRC
[13:01] *** jistr is now known as jistr|mtg
[13:04] *** joesavak has joined #openstack-keystone
[13:08] *** henrynash has joined #openstack-keystone
[13:08] *** ChanServ sets mode: +v henrynash
[13:11] *** kiran-r has joined #openstack-keystone
[13:12] <marekd> mhu: ok, thanks
[13:12] *** richm has quit IRC
[13:13] *** henrynash has quit IRC
[13:16] *** bknudson has joined #openstack-keystone
[13:16] *** ChanServ sets mode: +v bknudson
[13:19] *** ayoung_ has joined #openstack-keystone
[13:23] *** richm has joined #openstack-keystone
[13:27] <openstackgerrit> Rodrigo Duarte proposed openstack/keystone-specs: New attributes for SAML assertion https://review.openstack.org/174462
[13:30] <openstackgerrit> Julien Danjou proposed openstack/keystone: Revert "Optimization of waiting subprocesses in ProcessLauncher""" https://review.openstack.org/175857
[13:37] *** kiran-r has quit IRC
[13:39] <openstackgerrit> Rodrigo Duarte proposed openstack/keystone-specs: New attributes for SAML assertion https://review.openstack.org/174462
[13:39] *** zzzeek has joined #openstack-keystone
[13:40] *** EmilienM has quit IRC
[13:41] *** EmilienM has joined #openstack-keystone
[13:44] *** mabrams has quit IRC
[13:53] *** lhcheng has joined #openstack-keystone
[13:53] *** ChanServ sets mode: +v lhcheng
[14:04] *** sigmavirus24_awa is now known as sigmavirus24
[14:08] *** afazekas_ has quit IRC
[14:15] <raildo> dstanek, We still having a problem here: https://review.openstack.org/#/c/158720/12 :P because the get_project have the @controller.protected(), so even we raise a ValidationError in the controller, this decorator will raise a 404 before the our validation
[14:16] *** carlosmarin has joined #openstack-keystone
[14:18] *** iamjarvo has joined #openstack-keystone
[14:18] <raildo> dstanek, so I think that we can put a validation(to don't accept None) in the get_project in the manager and raise a ProjectNotFound, and we can think in other solution to raise a ValidationError in the controller
[14:18] *** iamjarvo has quit IRC
[14:19] *** iamjarvo has joined #openstack-keystone
[14:19] *** iamjarvo has quit IRC
[14:20] *** iamjarvo has joined #openstack-keystone
[14:26] *** jistr|mtg is now known as jistr
[14:30] *** browne has joined #openstack-keystone
[14:31] *** rushil has joined #openstack-keystone
[14:36] *** iamjarvo has quit IRC
[14:38] *** iamjarvo has joined #openstack-keystone
[14:41] <openstackgerrit> Henrique Truta proposed openstack/python-keystoneclient: Inhrerit roles project calls on keystoneclient v3 https://review.openstack.org/167613
[14:45] <dstanek> raildo: really? i guess i need to look into the protected decorator a little bit. that seems off
[14:46] *** _cjones_ has joined #openstack-keystone
[14:48] *** iamjarvo has quit IRC
[14:48] <raildo> dstanek, the protected decorator call this: https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L124
[14:48] <raildo> dstanek, and then here: https://github.com/openstack/keystone/blob/master/keystone/resource/controllers.py#L197
[14:49] <raildo> dstanek, and this will raise a 404
[14:50] *** mattfarina has joined #openstack-keystone
[14:51] *** _cjones_ has quit IRC
[14:55] <openstackgerrit> Doug Hellmann proposed openstack/keystonemiddleware: Update README to work with release tools https://review.openstack.org/175913
[14:55] *** iamjarvo has joined #openstack-keystone
[14:58] *** stevemar has joined #openstack-keystone
[14:58] *** ChanServ sets mode: +v stevemar
[15:01] *** pnavarro has joined #openstack-keystone
[15:03] <openstackgerrit> Alexander Makarov proposed openstack/keystone-specs: Materialized path for project hierarchy https://review.openstack.org/173424
[15:09] <dstanek> raildo: I'm confused now. it's OK if get_project returns a 404 for a project that doesn't exist, right?
[15:11] <rodrigods> dstanek, ++ and also if we do get_project(None), it needs to validate the None case and raise a ProjectNotFound as well
[15:11] *** mestery has quit IRC
[15:12] <rodrigods> so for list_projects* we would add just the get_project()
[15:12] *** mestery has joined #openstack-keystone
[15:12] <dstanek> rodrigods: isn't that what the patch is already doing?
[15:13] <rodrigods> dstanek, almost, in patchset 10 there is an assert method the first validates the None and raises a ValidationError for this case, and then does the get_project()
[15:13] *** fhubik has quit IRC
[15:14] *** krykowski has quit IRC
[15:14] <dstanek> The thing I don't like about doing the get_project is that it does yet another query, but if that's the best we can do I don't know another way.
[15:15] <dstanek> i think i found a bug in that code
[15:17] *** amerine has joined #openstack-keystone
[15:26] *** jsavak has joined #openstack-keystone
[15:28] <openstackgerrit> Rodrigo Duarte proposed openstack/keystone-specs: Recursive deletion https://review.openstack.org/148730
[15:29] *** joesavak has quit IRC
[15:33] *** edmondsw has joined #openstack-keystone
[15:34] *** pnavarro has quit IRC
[15:35] *** browne has quit IRC
[15:36] *** david-lyle has quit IRC
[15:50] *** gyee has joined #openstack-keystone
[15:50] *** ChanServ sets mode: +v gyee
[16:02] *** david-lyle has joined #openstack-keystone
[16:03] *** haneef has quit IRC
[16:04] <davidckennedy> gyee Many thanks. You're going to love my comment on the spec.
[16:06] <gyee> it's *love* Tuesday
[16:08] <davidckennedy> Well, it's been *stay awake* Tuesday for me. But I've succeeded and it's home time now. Ta ra.
[16:08] *** davidckennedy has quit IRC
[16:09] *** _cjones_ has joined #openstack-keystone
[16:09] *** haneef has joined #openstack-keystone
[16:13] *** tqtran has joined #openstack-keystone
[16:20] *** iamjarvo has quit IRC
[16:21] *** jistr has quit IRC
[16:27] <openstackgerrit> Rodrigo Duarte proposed openstack/keystone-specs: Recursive deletion https://review.openstack.org/148730
[16:34] *** joesavak has joined #openstack-keystone
[16:37] *** jsavak has quit IRC
[16:37] *** iamjarvo has joined #openstack-keystone
[16:39] <openstackgerrit> Marek Denis proposed openstack/keystone: Correctly handle direct mapping with keywords https://review.openstack.org/175980
[16:43] *** browne has joined #openstack-keystone
[16:47] <openstackgerrit> Morgan Fainberg proposed openstack/keystone-specs: Add spec for decoupling auth from API versions to backlog https://review.openstack.org/175983
[16:47] <raildo> Can anyone +A on this bug? there is already 2 +2 on that. :) https://review.openstack.org/#/c/159944/
[16:48] *** tqtran has quit IRC
[16:57] *** harlowja_away is now known as harlowja
[16:58] <gyee> raildo, done
[16:58] <raildo> gyee, thanks :D
[17:01] *** joesavak has quit IRC
[17:04] *** _cjones_ has quit IRC
[17:07] *** _cjones_ has joined #openstack-keystone
[17:08] *** david-lyle has quit IRC
[17:14] *** ayoung_ is now known as ayoung_admiyo
[17:15] *** ayoung_admiyo is now known as ayoung
[17:28] *** sdake has joined #openstack-keystone
[17:28] <gordc> bknudson: just an fyi, i can't actually create a stable/juno branch for pycadf but i can make a release. might need dhellmann et al to create branch.
[17:29] *** ajayaa has joined #openstack-keystone
[17:30] <bknudson> gordc: I assume you need infra to create it for you.
[17:31] <baffle> I'm looking at the policy.json/policy.v3cloudsample.json in git, and I can't understand why identity:create_credential and similar are admin only? Shouldn't they match identity:ec2_list_credentials ? Because this is basically the same functionality, right? Just v2.0 vs v3?
[17:34] <gordc> bknudson: yeah. i know there's a group which allows you to create branches via gerrit... i don't know what it is though. 'a group that Doug is part of' is all i know.
[17:35] <bknudson> that guy loves hoarding power.
[17:36] <dhellmann> gordc, bknudson : do you need a stable/juno branch of pycadf?
[17:36] *** rdo has quit IRC
[17:37] *** tpatil has joined #openstack-keystone
[17:37] <bknudson> dhellmann: gordc was thinking that we could modify stable/juno version of pycadf to not have oslo.messaging in requirements.
[17:37] *** aix has quit IRC
[17:37] <bknudson> or even just have the stable/juno cap of oslo.messaging should work, too.
[17:38] <bknudson> this is so that stable/juno keystonemiddleware will work.
[17:38] <gordc> dhellmann: http://lists.openstack.org/pipermail/openstack-dev/2015-April/062115.html
[17:38] <dhellmann> bknudson: what's failing right now?
[17:38] <dhellmann> gordc: ah, I haven't opened that thread yet, reading now
[17:38] <bknudson> dhellmann: https://review.openstack.org/#/c/173123/
[17:38] *** rdo has joined #openstack-keystone
[17:39] <gordc> dhellmann: it's not the only option (as bknudson mentions) but i assume we'll need a stable/juno for pycadf eventually.
[17:40] <dhellmann> gordc, bknudson : ok I think you don't want to move that dependency, because it makes what is a test requirement a runtime requirement
[17:41] <dhellmann> gordc, bknudson : let me finish with the library release stuff, and then I'll see if I can help you sort this out.
[17:41] <bknudson> dhellmann: since pycadf is a runtime requirement already and pycadf has oslo.messaging as a runtime requirement then it's already a run-time requirement.
[17:41] <bknudson> but i'm also fine with a change to pycadf.
[17:41] <dhellmann> bknudson: yes, true, but it makes a change to the *package* metadata that we should try to avoid if we can
[17:42] <dhellmann> because adding it as a runtime dependency will mess with our packager's existing workflows, and should technically trigger a version # change that would move the package out of the juno series
[17:43] <bknudson> another option is to move pycadf from requirements.txt to test-requirements... but that would also be lying.
[17:43] *** spandhe has joined #openstack-keystone
[17:43] <bknudson> maybe this repo should be split up
[17:43] <gordc> bknudson: pycadf?
[17:44] *** iamjarvo has quit IRC
[17:44] <gordc> ah i see... if the oslo.messaging req is the concern i should give a headsup. that functionality is deprecated and i was going to drop it as of 1.0 (assuming everyone is ok with that)
[17:45] <bknudson> it's not oslo.messaging, it's just that the different middleware in keystonemiddleware is really different.
[17:45] <bknudson> auth_token is obviously different than ec2_token and s3_token and audit... they're all going to have different required packages.
[17:46] <bknudson> it's only audit that needs pycadf.
[17:46] <gordc> bknudson: i see. yeah, i'll let you guys decide that. :)
[17:47] <bknudson> ec2_token and s3_token are actually lightweight for requirements, so maybe not worth it to move those out.
[17:50] *** Alexander has joined #openstack-keystone
[17:51] <morganfainberg> bknudson: splitting it up isn't a bad idea
[17:51] *** Alexander is now known as Guest40160
[17:51] <morganfainberg> bknudson: with the move to middleware releasing with the servers, it is easier to do.
[17:51] <morganfainberg> stevemar: ping
[17:52] *** Guest40160 has quit IRC
[17:52] *** amakarov_ has joined #openstack-keystone
[17:53] *** samueldmq has quit IRC
[17:53] <stevemar> morganfainberg, pong
[17:53] *** samueldmq_ has joined #openstack-keystone
[17:53] <morganfainberg> Mind chairing the meeting?
[17:53] *** samueldmq_ is now known as samueldmq
[17:53] <morganfainberg> Trying to cram food in before.
[17:53] <morganfainberg> I'll be there just hard to type while mobile and run the meeting.
[17:54] <stevemar> while mobile and eating
[17:54] <morganfainberg> I can do it if it's an issue.
[17:54] <morganfainberg> I've done it before. Just food was really slow today.
[17:57] *** lhcheng_ has joined #openstack-keystone
[17:57] <stevemar> its cool
[17:58] *** davechen has joined #openstack-keystone
[17:59] *** joesavak has joined #openstack-keystone
[17:59] <dstanek> is it possible to create a circular reference of projects?
[18:00] <morganfainberg> dstanek: should not be possible.
[18:00] *** lhcheng has quit IRC
[18:00] <dstanek> morganfainberg: that's what i thought. couldn't update the parent_id :-(
[18:01] <dstanek> then i guess it's not a big deal that there is a bug in how to do subtree listings
[18:01] *** lhcheng_ is now known as lhcheng
[18:01] *** ChanServ sets mode: +v lhcheng
[18:02] <rodrigods> dstanek, it is not possible
[18:02] <rodrigods> where is the bug?
[18:03] <dstanek> rodrigods: there is two. jas...
[18:04] *** Ephur_ has joined #openstack-keystone
[18:04] <dstanek> bug1: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/resource/backends/sql.py#n97
[18:04] *** jamesllondon has joined #openstack-keystone
[18:04] <dstanek> bug2: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/resource/backends/sql.py#n109
[18:05] <rodrigods> dstanek, hmm
[18:05] *** Ephur has quit IRC
[18:05] <rodrigods> dstanek, can you explain?
[18:06] <dstanek> set('ab') will create set(['a', 'b'])
[18:06] <dstanek> should be set([project_id])
[18:06] <dstanek> and set.union returns a new set; should be set.update()
[18:08] <dstanek> rodrigods: we're just Pythoning wrong :-(
[18:08] <rodrigods> dstanek, wow
[18:08] <rodrigods> thanks for that
[18:09] <rodrigods> will add to my "learning python" doc
[18:09] <rodrigods> did you submit a fix?
[18:09] *** Ephur_ has quit IRC
[18:09] *** sdake_ has joined #openstack-keystone
[18:09] <dstanek> not yet because i wasn't sure if we could just delete it
[18:10] <dstanek> i created the fix, but i couldn't test because you can't create cycles
[18:10] <bknudson> jamielennox: have you seen this stuff in neutron: http://git.openstack.org/cgit/openstack/neutron/tree/etc/neutron.conf#n340 ?
[18:11] <dstanek> davechen: we talked about the unique constraint yesterday. can't be added
[18:11] <rodrigods> dstanek, the very reason why the bug was merged :(
[18:11] <dstanek> should that code just be deleted then?
[18:11] <jamielennox> bknudson: maybe it needs to regenerate the conf file (though that looks hand crafted) because i'm sure neutron->nova got finished
[18:12] <rodrigods> dstanek, henrynash had a strong preference to have this checks
[18:12] <rodrigods> in the first patchsets we didn't add
[18:12] <rodrigods> I added after henrynash comments
[18:13] *** sdake has quit IRC
[18:14] *** jeffDeville has joined #openstack-keystone
[18:16] *** notmyname has quit IRC
[18:17] *** notmyname has joined #openstack-keystone
[18:31] *** jeffDeville has quit IRC
[18:31] *** jeffDeville has joined #openstack-keystone
[18:32] *** tqtran has joined #openstack-keystone
[18:32] *** alexsyip has joined #openstack-keystone
[18:37] *** openstackgerrit has quit IRC
[18:37] *** openstackgerrit has joined #openstack-keystone
[18:38] *** joesavak has quit IRC
[18:39] *** david-lyle has joined #openstack-keystone
[18:42] *** pnavarro has joined #openstack-keystone
[18:42] *** bandwidth has joined #openstack-keystone
[18:42] *** joesavak has joined #openstack-keystone
[18:43] <bandwidth> quick question: I have the OS-FEDERATION extension activated
[18:43] <bandwidth> i get an unscoped token, from which i get a scoped token
[18:43] <bandwidth> when I hit nova, nova is trying to validate the token using v2 api
[18:44] <bandwidth> which leads to: if (token_ref['token_data']['token']['user']['domain']['id'] !=
[18:44] <bandwidth> KeyError: 'domain'
[18:45] <bandwidth> I've configured nova to use keystone v3 api, but still, it ends up in: validate_v2_token
[18:45] <bandwidth> I also removed all the v2 endpoints, but I still have the same issue
[18:46] *** david-ly_ has joined #openstack-keystone
[18:46] *** david-lyle has quit IRC
[18:46] *** akerr has joined #openstack-keystone
[18:47] <bandwidth> is there anything i'm missing?
[18:48] <bandwidth> all the documentation I can find talks about configuring keystone with an IdP
[18:48] <bandwidth> but nothing about the other services that needs keystone to validate tokens
[18:48] <stevemar> bandwidth, most keystone folks are in the keystone meeting
[18:48] <stevemar> just chill for a bit longer, it's done in 10 minutes :)
[18:49] <akerr> Is anyone else seeing conflicting requirements in stable/juno devstack builds? If i'm reading devstack's log right, keystone wants stevedore <=1.2.0 but keystone_middleware wants stevedore >=1.3.0
[18:51] <akerr> here's a link to my logs, the devstacklog.txt.gz file has the interesting bits: http://dcf901611175aa43f968-c54047c910227e27e1d6f03bb1796fd7.r95.cf5.rackcdn.com/09/175909/1/check/cDOT-iSCSI-tempest-openstack/54711c1/
[18:51] *** jeffDevi_ has joined #openstack-keystone
[18:52] *** jeffDeville has quit IRC
[18:53] *** jeffDeville has joined #openstack-keystone
[18:56] *** jeffDevi_ has quit IRC
[18:56] *** tqtran has quit IRC
[18:57] *** bandwidth has quit IRC
[18:58] <anteaya> marekd: let's ensure language is inclusive, I'm personally not a fan of swearing
[18:58] <marekd> anteaya: sure, sorry.
[19:00] <morganfainberg> anteaya, hi!! :)
[19:00] <anteaya> hey there
[19:00] <morganfainberg> keystone-core members:
[19:00] <marekd> stevemar: morganfainberg so you want to push this MFA still ?
[19:00] <morganfainberg> does this need a spec? i'm ok with it as is.
[19:01] *** jeffDevi_ has joined #openstack-keystone
[19:01] <morganfainberg> no spec needed imo
[19:01] <marekd> morganfainberg: ++
[19:01] *** jeffDeville has quit IRC
[19:02] <morganfainberg> anyone have complaints about that bp going spec-less?
[19:02] <jamielennox> morganfainberg: yep, no-spec
[19:02] <gyee> MFA is a concept
[19:03] <morganfainberg> gyee, dstanek, ayoung, dolphm, lhcheng, stevemar, ^
[19:03] <lhcheng> morganfainberg: fine with me, it doesn't impact end user directly
[19:03] <stevemar> oh heck no
[19:03] <gyee> what we talking about MFA support, it needs to be more specific
[19:03] <stevemar> i mean 'oh heck no complaints'
[19:03] <morganfainberg> stevemar, hehe
[19:03] <ayoung> Museum of Fine Arts?
[19:03] <morganfainberg> ayoung, Master of Fine Arts
[19:04] <stevemar> if someone wants to use a new library to make our code better, then no spec needed
[19:04] *** leonchio_ has joined #openstack-keystone
[19:04] <dolphm> morganfainberg: this change needs to be communicated super well though https://review.openstack.org/#/c/166622/11/keystone/common/config.py
[19:04] <dolphm> morganfainberg: release notes, documentation, etc
[19:04] <morganfainberg> dolphm, yes.
[19:04] <dolphm> morganfainberg: the rest of it doesn't matter to end users
[19:04] <morganfainberg> dolphm, it does however support the old-style loading as a fallback
[19:04] <ayoung> MFA needs a spec
[19:05] <morganfainberg> ayoung, this was re-stevedore loading, MFA does need a spec
[19:05] <ayoung> if it is doing something keystone specific
[19:05] <stevemar> dolphm, morganfainberg is there a way to still support the old values?
[19:05] <gyee> password + blood test
[19:05] <morganfainberg> stevemar, the code already does.
[19:05] <stevemar> then we're good
[19:05] <ayoung> stevedore is ok, I think
[19:05] <morganfainberg> stevemar, it tries loading stevedore and fails back to loading old style import
[19:05] <morganfainberg> stevemar, which is deprecated and will warn
[19:05] *** amakarov_ has quit IRC
[19:05] <morganfainberg> stevemar, in M we can remove that old code path
[19:05] <morganfainberg> no more fallback
[19:06] *** davechen has left #openstack-keystone
[19:06] <morganfainberg> bknudson, ^ I think we're good then. please update the BP and reference this eavesdrop.
[19:06] <morganfainberg> bknudson, move forward w/o a spec.
[19:06] <bknudson> morganfainberg: ok, thanks.
morganfainberg2 more no-spec items:19:06
openstackLaunchpad bug 1442343 in Keystone "Mapping openstack_project attribute in k2k assertions with different domains" [Wishlist,In progress] - Assigned to Rodrigo Duarte (rodrigodsousa)19:06
morganfainbergand https://bugs.launchpad.net/keystone/+bug/144278719:06
openstackLaunchpad bug 1442787 in Keystone "Mapping openstack_user attribute in k2k assertions with different domains" [Wishlist,In progress] - Assigned to Rodrigo Duarte (rodrigodsousa)19:06
morganfainbergif one needs a spec, so does the other19:07
*** sdake has joined #openstack-keystone19:07
*** ajayaa has quit IRC19:07
morganfainbergoh ha19:07
morganfainbergwe have a spec: https://review.openstack.org/#/c/174462/19:07
morganfainbergok going to drop these from the list.19:07
morganfainbergplease review that spec^19:08
stevemarwill review19:08
*** _cjones_ has quit IRC19:09
*** jeffDevi_ has quit IRC19:10
marekdmorganfainberg: so i think the change is not that hard, spec can help the visibility19:10
*** iamjarvo has joined #openstack-keystone19:10
*** iamjarvo has quit IRC19:10
morganfainbergmarekd, right19:10
morganfainbergmarekd, since the spec was proposed we'll run with it.19:11
marekdmorganfainberg: ok19:11
*** iamjarvo has joined #openstack-keystone19:11
*** sdake_ has quit IRC19:11
*** jeffDeville has joined #openstack-keystone19:11
*** jeffDevi_ has joined #openstack-keystone19:15
stevemarayoung, is nkinder afk this week?19:16
ayoungstevemar, conference I think19:16
*** jeffDeville has quit IRC19:16
david8huayoung, I like to contribute to dynamic policy, and started to review other specs that dynamic policy dependeds on.19:17
ayoungdavid8hu, awesome19:17
jamielennoxmarekd: https://github.com/openstack/python-keystoneclient-saml2 is open for business (even though the governance review hasn't passed), i'll look at cleaning it up to use the base class in ksc19:17
ayoungdavid8hu, biggest impact is, I think on figuring out how to cache and fetch policy files19:17
*** david-ly_ has quit IRC19:18
david8huayoung,  my thoughts exact, and how we can make it robust.19:18
marekdjamielennox: so the repo is python-keystoneclient-saml2 but the headline in README says it's python-keystoneclient-federation (which is imho more accurate name)19:19
ayoungdavid8hu, there is a general caching issues, and if we get it right here, it can have broader impacts19:19
jamielennoxmarekd: we need to change it over for the rename19:19
ayoungit means that we can cache naythiung we weould go back to keystone to query.  There is some prior art in the PKI certs and revocation lists19:19
marekdjamielennox: so, what's the proper name eventually? I remember there was a p-k-federation repo already.19:20
jamielennoxmarekd: the point is to limit the repo to just the saml plugins, federation is too broad as it's becoming a catch all term for anything that auths via /OS-FEDERATION19:20
jamielennoxmarekd: this is a rename, -federation -> -saml219:20
david8huayoung, any pointers to this general caching issue?19:20
marekdjamielennox: roger that.19:20
marekdjamielennox: i personally would squeeze all the plugins there, however there some votes that 'whatever doesnt need lxml can go directly to ksc'. What's your opinion on that?19:21
ayoungdavid8hu, nope.19:21
ayoungunless you want to look inside my head\19:21
ayoungdavid8hu, actaully..yes19:21
ayoungdavid8hu, http://adam.younglogic.com/2014/10/who-can-sign-for-what/19:21
ayoungdavid8hu, but...there is a twist19:21
david8huayoung,  please dump your brain, and forward the dump to me in an email :)19:21
marekdjamielennox: also, if somebody comesup with oidc plugin are we going to squeeze it in the ksc? or create p-k-oidc repo?19:21
ayoungso ^^ talks about doing in the middleware a lot of what is done in Keystone. Any one of those queries could be cached19:22
jamielennoxmarekd: i don't want a repo for everything, but if it has new dependencies i don't want to put them in ksc19:22
ayoungit was based on PKI tokens, but we could do something even with Fernet19:22
jamielennoxmarekd: with stevedore it really makes no difference where it's coming from, so if we end up with 10 ksc-plugin repos i don't care19:22
*** gyee has quit IRC19:23
david8huayoung, my question is how does cache now that it data is dirty if it is caching http fetch.19:23
bknudsonjamielennox: is that because of session? that's moving to its own repo.19:23
marekdjamielennox: ok, i understand.19:23
ayoungdavid8hu, certs are nevere "dirty"  and revocation list is fetched on time based interval19:23
*** jeffDevi_ has quit IRC19:24
ayoungpolicy.json is not fetched, but rather handled by puppet etc19:24
jamielennoxbknudson: the session repo keystoneauth (ksa) is going to be really light, as few deps as possible19:24
marekdjamielennox: so, https://review.openstack.org/#/c/172155/ should rather go to p-k-saml2 repo, right?19:24
*** jeffDeville has joined #openstack-keystone19:24
jamielennox... crap should ksc-saml2 have been ksa-saml2?19:24
bknudsonwhat's in it?19:25
bknudsonan auth plugin?19:25
jamielennoxbknudson: yep19:25
bknudsonksa makes more sense then19:25
jamielennoxwe started the rename before ksa was ready to go - even now i don't know if it's got a repo yet19:25
david8huayoung, interesting.19:25
marekdksa - keystone authentication?19:26
*** jamesllondon has quit IRC19:26
marekdjamielennox: ^^19:26
jamielennoxmarekd: keystoneauth specifically but yes19:26
marekdso, this would be essentially what today is keystoneclient/auth directory?19:26
jamielennoxmarekd, bknudson: https://review.openstack.org/#/c/175596/19:27
david8huayoung, I am going to read http://adam.younglogic.com/2014/10/who-can-sign-for-what/ over lunch.19:27
marekdjamielennox: just out of curiosity, what's the goal in splitting everything?19:27
jamielennoxmarekd: it will contain session auth/ and whatever discover is needed for that19:27
dstanekis there a list somewhere of the preferred software for the different categories (like pecan from web framework)?19:27
bknudsonI think we can assume there's going to be a keystoneauth so keystoneauth-saml2 makes more sense.19:27
morganfainbergyou know...19:27
morganfainbergwe could make all BPs for keystone wishlist bugs...19:28
morganfainbergat it would be less sucky of a UI to deal with19:28
jamielennoxmarekd: it's so that the other clients can depend on ksa without having the full dependencies of ksc19:28
jamielennoxestablish like a base client library19:28
morganfainberghttps://review.openstack.org/#/c/175610/ https://review.openstack.org/#/c/175596/19:29
morganfainbergKSA ^ stuff19:29
morganfainbergto get us into gerrit19:29
ayoungdavid8hu, so, don't get bogged down in the details.  We need to solve policy first and foremost19:30
jamielennoxmorganfainberg: i'm still not sure about ksa not having python- but whatever19:30
ayoungdavid8hu, What I would really love to see is if we could do the git type approach19:30
morganfainbergjamielennox, i am against naming things python-XXXX19:30
ayoungthe hash of the file is the local name, and we could fetch via the hash19:31
jamielennoxmorganfainberg: agreed, but looks funny against the rest19:31
*** _cjones_ has joined #openstack-keystone19:31
morganfainbergjamielennox, so i exercise my "I'm the PTL" rights here ;)19:31
morganfainbergjamielennox, well not so much19:31
morganfainbergjamielennox, think of it more like oslo19:31
morganfainbergor keystonemiddleware19:31
ayoungdavid8hu, but really, the question is "where should it live"19:31
ayoungit's not really middleware, as it needs to be a library call...sort of19:31
jamielennoxmorganfainberg: excellent - i'll just quote that if ever asked19:32
bknudsonthere might be other client libs in other languages so putting keystone- in front makes sense.19:32
morganfainbergjamielennox, seriously. you can. you can say PTL said this is the way it goes19:32
ayoungjamielennox, btw,  we are going to have to make the auth plugins much smarter for K2K19:32
bknudsonwhat about c#-keystoneclient?19:32
*** iamjarvo has quit IRC19:32
bknudson.net-keystoneclient? (it would be invisible)19:32
morganfainbergbknudson, i actually see keystoneauth doing some morphing long term and holding more than python in the repo19:32
morganfainbergbknudson, but shhh don't tell anyone, it might scare them.19:32
*** akerr has left #openstack-keystone19:33
morganfainbergbknudson, there is no reason we can't do more than one language in the repo in a sane way... especially if you change 1 you should change the others19:33
morganfainbergeasier to review all at the same time19:33
morganfainbergrather than having to change it in 15 places.19:33
jamielennoxayoung: the plugin that's up for review is probably smart enough - i just don't like the UX of using it, i want to know if there's a plan that can create the plugin for a user given you need to call ~3 ksc functions to get all the params19:33
ayoungjamielennox, that is exactly what I am talking about19:34
ayoungI have no idea.19:34
jamielennoxmorganfainberg: i came across something in ruby yesterday based on fog, it's still purely v2 auth and hasn't seen an update in a while19:34
morganfainbergjamielennox, yeah i've seen that before19:35
morganfainbergi'd like to actually see keystoneauth house more than python tbh19:35
morganfainbergbut i want to start w/ having a solid python impl people can use19:35
morganfainbergthen we can branch from there.19:35
ayoungI want the whole damn thing to go away!19:36
ayoungOh, wait/19:36
jamielennoxthat would be cool - and i have no idea how that packaging would work or whether people would accept it19:36
morganfainbergjamielennox, lets fight that battle once keystoneauth is good.19:36
morganfainbergjamielennox, :)19:36
ayoungif we could get the base functionality into libcurl...19:36
morganfainbergjamielennox, at least other p-langs might be easy19:36
morganfainbergjamielennox, java... well easy to test.. not so easy to do "right"19:37
ayoungmorganfainberg, probably want to tie the Java one  in with something like RESTEasy19:37
morganfainbergayoung, again a battle to be fought once we have keystoneauth being a "real boy"^wthing"19:38
marekdmorganfainberg: >> i actually see keystoneauth doing some morphing long term and holding more than python in the repo<< - it'd be like 'language bindings' ?19:38
morganfainbergmarekd, OMG right?!19:38
morganfainbergmarekd, novel concept.19:38
morganfainbergmarekd, hehe19:38
ayoungI'd rather we supported SAML and punted on the rest19:39
*** jeffDevi_ has joined #openstack-keystone19:39
marekdmorganfainberg: i wasn't trying to give any hints, rather was unsure if that was the point.19:39
morganfainbergmarekd, ah19:39
jamielennoxmarekd: so just do it in c and ffi everywhere?19:39
morganfainbergmarekd, the point would be to have language bindings19:39
morganfainbergjamielennox, swig!19:39
morganfainbergjamielennox, use swig! i mean.. no don't19:40
morganfainbergmarekd, the point is we can maintain proper language bindings in a nice way. if we can do it all in gerrit it would be better. and we should control this lib.19:40
morganfainbergin whatever form it takes19:41
*** jeffDeville has quit IRC19:41
dstanekjamielennox: morganfainberg: barbican was forced out of falcon?19:41
jamielennoxdstanek: was just going to bring that convo here19:41
morganfainbergdstanek, i thought that was celery19:41
morganfainbergbut i didn't pay attention19:41
marekdmorganfainberg: right19:41
jamielennoxmorganfainberg: i think it was falcon, i ended up packaging it for fedora and then they went and switched19:42
morganfainbergjamielennox, then we use pecan19:42
dstanekjamielennox: i was planning on doing a falcon poc after talking about it at pycon19:42
morganfainberghonestly, if we merge all this stuff together like you were working on, changing the routing framework is easier anyway19:42
morganfainbergsome of this work has to be done in either case.19:42
*** bandwidth has joined #openstack-keystone19:43
dstanekyes, there is much refactoring to be done19:43
morganfainbergdstanek, since pecan is a known "good" for openstack19:43
morganfainberglets use it19:43
morganfainbergwe can move to falcon / something else later as needed19:43
ayoungmarekd, what generates the metadata for samle at, for example, http://hostname:5000/v3/OS-FEDERATION/identity_providers/ipsilon/protocols/saml2/auth/mellon/metadata19:44
ayoungis that mellon?  we don't handle that via a controller, right?19:44
*** henrynash has joined #openstack-keystone19:44
*** ChanServ sets mode: +v henrynash19:44
jamielennoxmorganfainberg, dstanek: right, i think there is a lot of overlap to moving towards any other framework in terms of cleanup19:44
morganfainbergoh we also have to do grenade upgrade from eventlet -> mod_wsgi19:44
morganfainbergthis cycle19:44
morganfainbergit is a requirement19:45
jamielennoxdstanek: if you can get falcon approved by tc i'd be happy to go that way instead19:45
morganfainbergwe can't punt it/skip it/etc.19:45
marekdayoung: metadata for an IdP ?19:45
ayoungmarekd, yeah19:45
ayoungmarekd, I'm debugging an ipsilon setup for ECP testing and not sure which code base to look at19:45
marekdayoung: in keystone-sp case the link is usually specific for a module, in mod_shib that typically be https://host:5000/Shibboleth.sso/Metadata so nothing Keystone specific.19:46
ayoungmarekd, OK19:47
*** jeffDevi_ has quit IRC19:49
dstanekrodrigods: i'm going to make a bug for that thing i mentioned earlier19:50
rodrigodsdstanek, ++19:50
rodrigodsdstanek, would be nice if the fix lands still in kilo19:51
bknudsonmorganfainberg: can we assume grenade starts with mod_wsgi?19:51
bknudsonwhy do we have to transition?19:51
morganfainbergbknudson: we need to do the transition19:51
dstanekrodrigods: i can land it once i know if i need to fake out the tests19:51
morganfainbergbknudson: it's to test the upgrade path for deployments.19:51
*** jeffDeville has joined #openstack-keystone19:51
bknudsonnone of our customers are using grenade to do the upgrade.19:52
morganfainbergbknudson, no, grenade is meant to simulate the upgrade19:52
morganfainbergbknudson, and catch errors / prevent errors. i don't expect a deployer to actually use it.19:52
marekdjamielennox: re p-k-saml2 repository. Can I simply there "from keystoneclient import ...." and assume it will be automatically resolved?19:52
bknudsonI guess I don't see what the errors are it's going to help with.19:53
jamielennoxmarekd: can you import ksc from ksa?19:53
bknudsonyou can run keystone in eventlet or in httpd, and we're running both of those.19:53
morganfainbergbknudson, if we can't describe what the upgrade from eventlet to mod_wsgi works like, how can we expect people to do it19:53
jamielennoxmarekd: or do you mean can you import the ksa plugins from ksc?19:53
morganfainbergbknudson: it really is about ensuring the expected upgrade path to work.19:53
marekdjamielennox: i meant i might need to import few bits from ksc for example in the tests.19:54
bknudsonok. should be easy enough.19:54
morganfainbergbknudson: yeah it shouldn't be hard.19:54
bknudsonI've run both on one system.19:54
*** tqtran has joined #openstack-keystone19:54
bknudsonusing devstack19:54
morganfainbergbknudson: so have I.19:54
jamielennoxmarekd: sure, there will be a dependency on ksc - don't import directly from ksc/tests though19:54
morganfainbergbknudson: it's because all cases of liberty will run mod_wsgi by default [is the hope]19:55
*** jeffDeville has quit IRC19:55
morganfainbergbecause in M release eventlet goes away19:55
marekdjamielennox: ok, looks like i can.19:55
morganfainbergbknudson the only case eventlet should run in liberty is if we have a gate job (pgsql today) that does it.19:55
dstanekrodrigods: https://bugs.launchpad.net/keystone/+bug/144683419:55
openstackLaunchpad bug 1446834 in Keystone "Project tree cycle checking logic is broken" [Undecided,New]19:55
morganfainbergor k -> L in grenade19:55
jamielennoxmarekd: yea, that's fine - there will have to be a dependency there19:56
dstanekanyone have thoughts on that one?19:56
rodrigodsdstanek, nice!19:56
dstanekjust updated the details there too19:57
*** jeffDeville has joined #openstack-keystone19:59
marekdjamielennox: hm, one more question - p-k-saml2 would land in keystoneclient's g-r ?20:01
morganfainbergmarekd, no.20:02
jamielennoxmarekd: the reverse20:02
morganfainbergjamielennox, ++20:02
*** jeffDeville has quit IRC20:08
ayoungstevemar, marekd, OK...I unf)(*&ed my SAML setup...how do I test with ECP?20:09
*** jeffDeville has joined #openstack-keystone20:12
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone-specs: API changes for Reseller  https://review.openstack.org/15300720:12
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone-specs: Recursive deletion  https://review.openstack.org/14873020:12
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone-specs: Dual Scoped Token  https://review.openstack.org/17605420:12
*** jeffDeville has quit IRC20:15
*** jamesllondon has joined #openstack-keystone20:16
*** jamesllondon has quit IRC20:16
*** jeffDeville has joined #openstack-keystone20:18
*** david-lyle has joined #openstack-keystone20:21
*** jamesllondon has joined #openstack-keystone20:23
*** jamesllondon has quit IRC20:23
*** jeffDeville has quit IRC20:27
*** jeffDeville has joined #openstack-keystone20:27
openstackgerritErickson Filipe Guedes dos Santos proposed openstack/keystone: Prohibit invalid ids in subtree and parents list  https://review.openstack.org/15872020:33
*** iamjarvo has joined #openstack-keystone20:33
*** jeffDeville has quit IRC20:34
openstackgerritDolph Mathews proposed openstack/keystone: Explicitly close non-transactional SQL sessions  https://review.openstack.org/17606320:35
*** jeffDeville has joined #openstack-keystone20:35
*** bandwidth has quit IRC20:40
*** raildo has quit IRC20:43
*** pnavarro has quit IRC20:47
*** jeffDeville has quit IRC20:50
*** jamesllondon has joined #openstack-keystone20:51
*** openstackgerrit has quit IRC20:52
*** openstackgerrit has joined #openstack-keystone20:52
*** Ephur has joined #openstack-keystone20:55
*** bandwidth has joined #openstack-keystone20:58
samueldmqhenrynash, hi20:58
*** stevemar2 has joined #openstack-keystone21:01
*** ChanServ sets mode: +v stevemar221:01
*** stevemar has quit IRC21:01
*** stevemar2 has quit IRC21:02
*** iamjarvo has quit IRC21:03
*** stevemar has joined #openstack-keystone21:04
*** ChanServ sets mode: +v stevemar21:04
*** iamjarvo has joined #openstack-keystone21:20
*** e0ne_ has joined #openstack-keystone21:25
*** mattfarina has quit IRC21:26
*** e0ne_ has quit IRC21:31
*** sdake_ has joined #openstack-keystone21:31
*** samueldmq has quit IRC21:33
*** sdake has quit IRC21:34
*** sigmavirus24 is now known as sigmavirus24_awa21:35
*** sigmavirus24_awa is now known as sigmavirus2421:35
*** iamjarvo has quit IRC21:38
*** openstackgerrit_ has joined #openstack-keystone21:48
*** sdake has joined #openstack-keystone21:53
*** sdake_ has quit IRC21:57
*** stevemar has quit IRC22:00
*** harlowja is now known as harlowja_away22:00
*** gyee has joined #openstack-keystone22:01
*** ChanServ sets mode: +v gyee22:01
*** harlowja_away is now known as harlowja22:05
*** jaosorior has quit IRC22:22
*** iamjarvo has joined #openstack-keystone22:22
*** akerr has joined #openstack-keystone22:23
*** gordc has quit IRC22:23
*** akerr_ has joined #openstack-keystone22:25
*** henrynash has quit IRC22:25
openstackgerritSam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate  https://review.openstack.org/15687022:27
*** akerr has quit IRC22:28
bknudsonmorganfainberg: what do you think about https://bugs.launchpad.net/oslo-incubator/+bug/1446583 ? keystone should shut down even when it has active connections?22:29
openstackLaunchpad bug 1446583 in Keystone "services no longer reliably stop in stable/kilo" [Critical,In progress] - Assigned to Julien Danjou (jdanjou)22:29
openstackgerritSam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate  https://review.openstack.org/15687022:29
bknudsonI guess I could see what other servers do.22:30
*** akerr_ has left #openstack-keystone22:30
*** samueldmq has joined #openstack-keystone22:31
*** _cjones_ has quit IRC22:33
*** joesavak has quit IRC22:39
*** bknudson has quit IRC22:41
*** _cjones_ has joined #openstack-keystone22:42
*** sigmavirus24 is now known as sigmavirus24_awa22:46
leonchio_someone ... steve, adam, appreciate if you guys can review it again ;-)22:50
*** tpatil has quit IRC23:01
morganfainbergugh, stevemar disappeared when i needed to bug him23:05
morganfainbergdtroyer, ping: do you know if openstack client can function with the admin token?23:05
bigjoolsI've had problems using it with v323:07
gyeemorganfainberg, it can I think, by using the token_endpoint plugin23:08
morganfainbergit must work23:08
gyeeunless jamielennox disagrees23:08
* morganfainberg is glaring at devstack atm.23:08
gyeethought I used it not long ago23:08
* morganfainberg is unhappily glaring at devstack23:08
morganfainbergthis looks to be about 20% done for v3 keystone23:10
gyeeopenstack --os-auth-type token_endpoint23:11
morganfainberglots of things *never* use v3 versions: https://github.com/openstack-dev/devstack/blob/master/functions-common#L742-L74823:11
lhchengmorganfainberg:  osc should work for admin token23:11
morganfainbergso everything needs to learn to do this via v3 API first23:12
morganfainbergi'm going to make this all stop using v2.23:12
jamielennoxyou can use admin token with OSC23:12
morganfainbergv3 only.23:12
jamielennoxi think it's --os-url and --os-token23:12
morganfainbergand this looks to be littered all over the place.23:13
gyeegotta love reading the code :)23:14
morganfainbergor some env variable is set somewhere to make it maybe use v3.23:14
gyee--os-identity-api-version 323:14
*** ayoung has quit IRC23:14
lhchengexport OS_IDENTITY_API_VERSION=323:15
dtroyermorganfainberg: osc doesn't use token-endpoint as that still tries to get a scoped token, you need to use --os-token for the admin token and --os-url for the direct endpoint you want to talk to23:15
*** markvoelker_ has quit IRC23:16
dtroyerwe probably should see if it is time for OSC to default to v3…23:16
gyeedtroyer, you mean you don't load that plugin?23:17
dtroyermeaning does the downshift for v2 only clouds work in the popular non-keystone places23:17
gyeeI tried specifying all three and it seem to work fine23:17
dtroyergyee: nope, OSC has its own.  ksc's token-endpoint is not the same thing23:17
dtroyerit uses --os-token and --os-auth-url23:18
dtroyerif you use --os-url at all, you're not using a ksc plugin23:18
gyeebut it will ignore token_endpoint?23:18
gyeeit didn't seem to complain23:18
gyeeso if I specify token_endpoint, --os-token, and --os-url it will just ignore the first one23:19
dtroyerthe first thing OSC does in selecting an endpoint (guessing) is check for os-token and os-url, if both are present nothing else is checked23:19
dtroyereven before looking at os-auth-type23:19
gyeei c23:20
gyeethat explains it23:20
dtroyerwe needed to do this to stay compatible with the original behaviour23:20
*** edmondsw has quit IRC23:21
*** bandwidth has quit IRC23:27
jamielennoxactually it does. If you use --os-url and --os-token it does use the token_endpoint plugin, it's the straight token plugin that rescopes23:30
jamielennoxit just doesn't load the plugin from stevedore23:30
jamielennoxso if you don't do --os-auth-type then it looks at what you provided for some sensible defaults23:30
* jamielennox is on PTO till the end of the week after today - just in case people are looking for me 23:32
*** sdake_ has joined #openstack-keystone23:35
gyeejamielennox, I need your opinion on the endpoint enforcement thingy23:36
gyeeI commented on the spec that supporting service_id may not be good enough as services are also organized by region23:37
gyeeand sub region and so on23:37
gyeeI think we should support all the endpoint group filters23:38
gyeewhich are, endpoint_id, region_id, service_id, and service_type23:38
*** sdake has quit IRC23:38
*** iamjarvo has quit IRC23:40
*** sdake_ has quit IRC23:46
*** ericksonsantos has quit IRC23:48
*** ericksonsantos has joined #openstack-keystone23:49
*** bknudson has joined #openstack-keystone23:54
*** ChanServ sets mode: +v bknudson23:54
*** rwsu has quit IRC23:56
morganfainbergthis looks weird.23:59
morganfainbergis this because v2 is just awful?23:59
bknudsonI got that when I tried to boot an instance once....23:59
