Friday, 2015-05-01

*** emagana has quit IRC00:08
*** Rockyg has quit IRC00:14
morganfainbergjamielennox: did a +2/+A run on a bunch of ksa stuff00:23
morganfainbergjamielennox: all the chopping block things is what i'm looking at atm00:23
jamielennoxmorganfainberg: excellent, thanks00:23
jamielennoxyea, accessinfo and service catalog are really the only really old parts that are getting copied across and also the worst interfaces00:23
jamielennoxat the moment i'm kind of trying for a reset00:24
jamielennoxat the end of that review chain i remove the dict subclass - and i expect we may want it back at some point00:24
morganfainbergyeah i'm at that one00:24
morganfainberggoing to let the others land before i +2/A that one00:24
morganfainbergbut eh00:24
morganfainbergthat one is just a bit more to look at00:24
morganfainbergbut it looks sane00:24
morganfainbergat a glance00:24
*** samueldmq has quit IRC00:25
*** samueldmq has joined #openstack-keystone00:25
jamielennoxmorganfainberg: i've been trying to keep them small but at some point you need to make a big change00:26
morganfainbergthe exceptions one is particularly big :P00:26
morganfainbergok just pushed through all but dict subclass and exceptions00:27
jamielennoxthe exceptions one i'm particularly keen on though00:27
morganfainbergyeah i just need to look more closely at it00:27
jamielennoxhaving that out of oslo is going to be great00:27
morganfainbergit's not a rubber-stamp thing00:27
morganfainbergmost of the others were super easy to +2/A because it was removing interfaces that we didn't need anymore00:28
jamielennoxmorganfainberg: want me to break up exceptions into smaller pieces?00:29
morganfainbergtbh: we probably could stop the neutron ds-gate for KSA until we do a release.00:29
morganfainbergjamielennox: nah00:29
morganfainbergjamielennox: i just need to spend more time looking at it than "oh yeah easy"00:29
jamielennoxit's mostly just moving stuff around00:29
jamielennoxbut i did add like some new base classes - they won't make much difference to the API just organization change00:30
morganfainbergso i'd like to revisit ayoung's accessinfo change for KSA00:30
morganfainbergif we're changing things... lets do it right.00:30
ayoungKonfederate States of Amerika!00:30
morganfainbergayoung: told you i'd circle back on that changeset ;)00:31
ayoungmorganfainberg, paciencia y fey00:31
morganfainbergayoung: we might just include it as the KSA cut over.00:31
morganfainbergayoung: since we're ripping things out of ksc changing over to KSA00:31
ayoungmorganfainberg, sounds good to me00:31
ayoungneed me to port it?00:31
morganfainbergayoung: well we have jamielennox here. what any concerns with this change jamielennox ? anything we need to address with it00:32
morganfainbergbefore work is expended on moving it to the new repo00:32
ayoungmorganfainberg, I think he needed to grok the follow on changes to AccessInfo and figure out if the approach would work for existing uses00:32
morganfainbergayoung: right.00:32
jamielennoxayoung: and i have been fighting it out - i still think it's mostly unnecessary00:32
ayoungone moment, I need to report a bug,'ll never belive what RDO packaging does with config....00:32
morganfainberglhcheng: is going to need some love for sure [from lots of people]00:33
ayoungmorganfainberg, you sell jamielennox on the concept.  I'm gonna go bugzilla something00:33
morganfainbergjamielennox: so lets go over where you sit and what I see as needed afterwards.00:33
morganfainbergjamielennox: then we can find out where things should move towards (Target wise)00:33
jamielennoxalright, so i understand the need for an interface but i have a number of concerns00:34
morganfainberglhcheng: re - priorities that don't have clear owners yet00:34
jamielennox1. i see no need to include ways to marshal data in the client, AccessInfo already provides this for v2 and v3 tokens. I don't want to give people the functionality to build tokens from client and i'm not sure the new format buys us anything over accessinfo00:35
jamielennox2. I understand the strict Immutable etc stuff from a server side perspective, but it doesn't apply on client. If we get stuff we don't understand then we should make the best of it - it's really bad python form to start enforcing all this type checking, and again i don't want to be able to build a token00:35
morganfainbergjamielennox: see i disagree from the token standpoint here. we really should not be allowing random crap in tokens - strictly control what is there and available for anyone/thing to use00:36
jamielennox3. There is nothing additionally exposed that i see we want, and there is a whole heap of stuff like turning dictionaries into arrays by iterating over __dict__ that i just don't see the advantage of from client00:37
morganfainbergjamielennox: the "well you can just kindofgrab whatever" aspect has led to "Well we'll put it in the token" and knowing what part of the token things live in and what people expect/see is icky00:37
jamielennoxmorganfainberg: right, but that's a server side problem - i specifically don't want the ability to build a token from client (except the test fixture we have)00:37
morganfainbergjamielennox: sortof. it should be controlled on both sides.00:37
morganfainbergjamielennox: if someone gets something magical into the token body, it shouldn't "appear" from the client side just as much as it shouldn't happen server side00:38
lhchengmorganfainberg: cool, I can work on that.  Will review the spec when I get home.00:38
jamielennoxmorganfainberg: AccessInfo is a completely read only interface, and now you merged that patch the user doesn't even have access to the underlying dictionary00:38
morganfainbergjamielennox: I also am concerned about having code duplicated (effectively)00:39
morganfainbergjamielennox: i'd like the same interface to be in server as it is in client, in server we also access/deal with data from the token00:39
morganfainberglhcheng: awesome00:39
jamielennoxmorganfainberg: great i'd love that - i propsed when arguing with adam00:40
morganfainbergjamielennox: i also expect us to eventually decouple auth from CRUD APIs in keystone.00:40
morganfainbergjamielennox: so we may not be V2/V3 tokens we might be v2/v3/v4/v5/v1000:40
jamielennoxmorganfainberg: right, i think bringing in domain and project etc objects hurts that more than helps00:40
morganfainbergbut that *could* be underlying implementation that changes... my concern is that the interface would *again* need to be changed to support that00:41
ayoungmorganfainberg, jamielennox bug 1217663 in openstack-keystone "Overridden default for TOken Provider points to non-existent class" [Unspecified,New] - Assigned to nkinder00:41
ayoungle sigh00:41
morganfainbergsince we didn't start from having that in mind.00:41
morganfainbergjamielennox: so - there are my reasons for wanting it to be all the same.00:41
morganfainbergayoung: really?! really?? :(00:42
morganfainbergayoung: i do like that we can see RH bugzilla in irc like that though :P00:42
ayoungmorganfainberg, I think it might be the IRC default for Bugzilla to go to RH00:42
morganfainbergayoung: nope mozilla works too00:42
ayoungyeah...the big ones are all registered00:42
morganfainbergayoung: among others. it knows the RH bugzilla's url and grabs it.00:43
jamielennoxmorganfainberg: i agree with wanting it the same, all i want in the client though is the read only portions of this code and i think it's easier to work with the interface i proposed in that review than the object one00:43
ayoungjamielennox, only for client00:43
morganfainbergjamielennox: so where does the marshalling code go? in server?00:43
ayoungfor other code, no, it is not easier to work with, and even on the client, I'd argue we should be using straight python and not the dictionary interface00:43
jamielennoxayoung: ksc is not a dumping ground for keystone problems in the same way it's not a dumping ground for other services00:43
morganfainbergjamielennox: and now do we have some weird hybrid of locations to change things if we update?00:43
jamielennoxthat's what got us so screwed up last time00:44
jamielennoxmorganfainberg: yep, marshalling all goes on server side00:44
morganfainbergjamielennox: i'm fine with things being in logical places, as long as we are smart about it so we're not painting ourselves into a corner00:44
ayoungjamielennox, the KC code should be changed regardless.  I take back that it is easier in the is never more correct to use a dictionary when you have a true class model.00:44
jamielennoxayoung: ksa does not have a dictionary00:45
ayoungjamielennox, it has a thin wrapper aroujnd the parsed json an is used in most placed via the dictionary interface00:45
jamielennoxit backs onto a given dictionary because we have to because that's what we get from a request00:45
ayoungthis is not a dumping ground. All of our code is wrong.  Havintg a strong domain model for marshalling on both sides of the wire just implies that it needs to be defined once and only once00:46
ayoungsince KC is importated into Server, it needs to be at least in KC..and now we are splitting that, it needs to be in a place available to both client and server00:46
morganfainbergjamielennox: i'm still of the opinion a strongly defined class model is better.00:47
ayoungjamielennox, what if we change the marshalling format?  What if we go to SAML everywhere?00:47
ayoungOr JWT00:47
morganfainbergjamielennox: mostly because it eliminates some magic of "well whats in the JSON"00:47 name it00:47
morganfainbergayoung: that was my point of decoupling auth.00:47
ayoungyou don't tie your business logic to uyou marshalling format00:47
jamielennoxayoung: right i realize ksa is the logical place - however i'm not arguing the backing format, that's a big reason i wanted to remove the dict accessors from accessinfo00:48
ayoungmorganfainberg, I am with you.00:48
morganfainbergayoung: but w/o calling out changing the serialization format. forgot it.00:48
ayoungjamielennox, ah...can we get away with removing them?00:48
morganfainbergayoung: yep.00:48
morganfainbergayoung: we just did.00:48
ayoungthat would be cool00:48
morganfainbergayoung: for KSA00:48
morganfainbergayoung: it *is* part of the conversion to KSA from KSC00:49
jamielennoxwhat i'm arguing is the interface and i'm quite happy to have that flat rather than do a bunch of marshalling around00:49
ayoungmorganfainberg, I thought the other projects might depend on that format00:49
morganfainbergayoung: when we move to usign KSA, we fix that if they are00:49
morganfainbergbecause that is wrong.00:49
morganfainbergand we're now providing a good interface for them to use00:49
morganfainbergthat can even be statically analyzed00:49
jamielennoxi'm stuck with the majority of the AccessInfo structure - that's just how it is, but in general it's not bad once you remove the dict00:49
morganfainbergvs. "uhh things in a dict"00:49
jamielennoxlooking at
ayoungmorganfainberg, we need this:
*** _cjones_ has quit IRC00:50
morganfainbergayoung: we probably need to put the marshalling code at least in server00:50
morganfainbergayoung: what i don't like is assuming json was the transport. but honestly we own KSA00:50
jamielennoxi've already got for example auth_ref.project_domain_id this feels like i'm going to get and i see no benefit in that over the original00:50
ayoungmorganfainberg, that is not marshalling code.  The patch I linked to is the adapter for using the AccessInfo model in the dictionary form00:50
morganfainbergwe could change the underlying impl as needed.00:50
jamielennoxand i need to maintain the old interface so i'm going to be maintaining all those links00:51
morganfainbergayoung: oh uh we will move to the KSA one00:51
morganfainbergayoung: so check w/ jamielennox  on if we need that code00:51
ayoungmorganfainberg, hold on...let me clarify what I did00:51
ayoung1  I wrote the model a stand alone patch .  2  I modified the tests so that they would pass with both the old and new access info.  3 I modifeidthe esxisting access info useage to be based on the model00:52
ayoungthat is the safeest way to go, and I'd like to keep something like that00:52
ayoungthe existing access info is our contract00:52
ayoungas jamielennox points out, we can't break that due to backwards compat issues, at least not yet00:53
morganfainbergayoung: oh i see what you're doing00:53
morganfainbergyeah we likely will still need that00:53
morganfainbergor somthing similar00:53
ayoungso, if we move the model to ksa,  we should probably m ove this too, otherwise we have a libraray sync issue00:53
ayoungI'd rather get it in to KC before we split00:53
ayoungeven if it never gets released00:53
ayoungbut so we can test the hell out of it00:54
morganfainbergjamielennox: we might not land a single one of these changes..00:54
morganfainbergjamielennox: tempest might be borked00:54
jamielennoxyea, i saw the first one failed on tempest00:54
jamielennoxwhich we're not in :p00:54
ayoungjamielennox, this needs to happen.  While domain is slightly annoying to have as an object, we have two domains per token, and we could conceivably have more.  IAs an extensible model, it is the right approach.  same thing with project.  If we were ever forcved to support mutliple projects on one token, my approach would support that.  And it onluy changes implementation, not interface.00:56
jamielennoxso let's step back a little bit, i agree with "it would be nice to have a unified model" but the current reason we _need_ a unified model is because of the revocation events that defines its own models00:56
ayoungjamielennox, and policy00:57
jamielennoxayoung: the model would have exactly the same problem, you'd need to add a list in there somehow00:57
ayoungKeystone server has code that is worse for enforcing policyh00:57
jamielennoxadding a new accessor for a new object is no harder than adding new properties for the same thing00:57
jamielennoxright and policy that was going to be my next question - what else00:58
jamielennoxdo we need a model for?00:58
ayoungtokenless operations00:58
morganfainberghonestly most objects we have will need one00:58
morganfainbergbecause we eventually are going to decouple backends from the in-memory representations00:58
jamielennoxalso remember this is only because we don't have a way for keysotne to consume auth_token middleware yet00:59
morganfainbergit's the only way to support rolling upgrades w/ a single datastor00:59
ayoungpolicy is the big one, though.  I plan on using policy for endpoint bindings and token constraints00:59
ayoungjamielennox, this is a prereq to server consume keystonemiddleware00:59
ayounghaving a unified accss info, it, I mean.00:59
jamielennoxayoung: that assumption could also be satisfied by keystone using the new AccessInfo object01:00
jamielennoxie the one in ksa01:00
jamielennoxor the existing AccessInfo object and just ignoring the dict bit01:00
ayoungjamielennox, yes, any format could be made to work.01:01
jamielennoxayoung: so can we use the one we already have please?01:01
ayoungjamielennox, the one we have on the client is not good code.  It is the wrong abstraction to start from01:01
ayoungthere is a reason I made an object modle and a builder01:02
ayoungbecause that pattern is the most useful and extensible for all implementations01:02
ayoungthe server side is much more complex01:02
ayoungfor example, we did not have a good means to convert a v2 token to b34 format or the reverse01:02
ayoungwiuth a cannonical format we can do that01:03
ayoungv2->cannonical ->v301:03
morganfainbergjamielennox: ^^ that is the other point / reason for the object model01:03
ayoungv3->v2 is doabble assuming the token fits constraints01:03
morganfainbergv3->v2 has bitten us quite a few times01:03
morganfainbergand vice-versa01:03
morganfainbergextra data leaking into the token01:03
jamielennoxayoung: i completely get that, but you could implement all that on the server side, satisfy interface and i don't need to maintain two implementations of the same thing on client01:04
jamielennoxpolicy, revoke functions are just written against that interface01:04
jamielennoxi have no reason to do v3->v2 or vice-versa functionality in client01:05
morganfainbergjamielennox: don't we already do some of that for SC parsing?01:05
morganfainbergor has that code all disappeared01:06
jamielennoxi agree with all your points on this stuff - right up to the point where i want to give all this to every consumer of ksc01:06
morganfainbergjamielennox: i don't see why someone who is consuming KSA wouldn't want to do data marshalling for v2->v301:07
jamielennoxmorganfainberg: in auth_token i have to convert a v3 catalog to a v2 catalog because not doing so breaks compatibility, that's just a porely defined interface01:07
morganfainbergwhat if their app needs v3?01:07
morganfainbergthis is meant to be used outside of ksm too01:07
jamielennoxwhy would a user need to change token formats?01:07
morganfainbergwe tell them to go ask keystone for the v3 version of the data01:07
morganfainbergjamielennox: because their app understands one version of data01:07
morganfainbergso why not give them the cannonical version?01:07
jamielennoxthis is the point of AccessInfo, it abstracts the differences01:08
*** browne has quit IRC01:08
ayoungjamielennox, and you will not have two implementations. I ported access info to use the model. One implementation01:08
ayoungthat is what  is all about01:08
morganfainbergjamielennox: the issue i see is you're asking us to support 2 versions01:08
morganfainbergjamielennox: whats in ksa and what is in server01:08
jamielennoxmorganfainberg: the alternative is client supporting 2 versions - and more people get pissed off when we change that interface01:09
*** alexsyip has quit IRC01:09
jamielennoxlooking at for example: all the way down there are things like:01:10
morganfainbergjamielennox: or we shim layer it, convert the clients over and put a deprecated message in saying "this isn't used by openstack proper, use new interface" like many libs do01:10
morganfainbergand document the "old way" as deprecated at the get-go [just no warning messages until we have people / clients /etc converted]01:10
jamielennox    @property01:10
jamielennox    def expires(self):01:10
jamielennox        return self.token.expires_at.value01:10
ayoungmorganfainberg, there might be a problem with that patch.  I thought the neutron error was spurous, but it is sticking around in rechecks.  I wonder if neutron modifies the dictionanry01:11
morganfainbergayoung: there is also a potential issue with pbr and tempestlib01:11
ayoungmorganfainberg, yep01:11
jamielennoxthat could just as easily exist on the server side and have things written against the AccessInfo properties01:11
jamielennoxif anything self.token.expires_at is much more bound to the v3 format than auth_ref.expires is01:13
morganfainbergjamielennox: so let me distil my 3 reasons for this (in order of priority as i see it): 1) V2/V3 is making broad assumptions on incoming data. I want to see us support more than this-very-specific-format-of-json-data, 2) I don't want 2 implementations of a model that we need to work with, 3) The object model is much better for static analysis/introspection than scrping things out of json (and less likely to be carrying cruft01:14
morganfainberg around because it slipped through).01:14
morganfainbergthe well defined interfaces, etc seem to be a non-contentious part01:14
morganfainbergso i left that out.01:14
morganfainbergand part 1 is because looking forward, we will have new types of auth that wont be tied to V3-crud-interface [so to speak]01:15
jamielennoxI agree with all this, but you seem to be under the assumption that AccessInfo is a token model01:16
jamielennoxit's not it's an interface with multiple implementations01:16
morganfainbergjamielennox: if it looks like a duck... quacks like a duck... it's clearly a platypus01:16
ayoungjamielennox, AccessInfo is the good name.  A token is a pointer to AccessInfo01:17
jamielennoxi agree the implementations sucked but we've just got rid of the dict accessors - so it's purely an interface01:17
ayoungjamielennox, you don'01:17
morganfainbergor would a dropbear be more correct? *shiftyeyes*01:17
*** bknudson has joined #openstack-keystone01:17
*** ChanServ sets mode: +v bknudson01:17
ayoungjamielennox, you don't want to make an interface around a domain model01:17
ayoungthe domain model is the contract, not an abstraction01:17
jamielennoxdropbear was the name of first redhat openstack deployment01:17
jamielennoxalways hated they changed that01:17
ayoungI thought it just died under its own weight?  It was a good name.01:18
morganfainbergtoo bad we long since passed the 'D' release of OpenStack and it wasn't in Aus.01:18
morganfainbergdiablo is fine... dropbear would have been better01:18
ayoungOr B.  I'd want to call that Bunyip01:18
ayoungMaybe S in Sidney?01:18
jamielennoxayoung: that's when 3 or 4 other internal clouds got brought up with better funding01:18
jamielennoxnext asia is 2 years, so that might be about right01:19
*** richm has quit IRC01:19
jamielennoxnah - i can't count01:19
ayoungmorganfainberg, have you seen
morganfainbergjamielennox: anyway so my view is that this is really a model - even if we are in denial about it01:19
jamielennoxmorganfainberg: what is a model?01:20
ayoungt is the 20th letter of the alphabet. J is 10.   I have that much memorized.  I think.01:20
jamielennoxAccessInfo is not a model01:20
morganfainbergjamielennox: what is being provided via KSA01:20
ayoungyes it is01:20
ayoungit is the primary reason for keystone to exist01:20
*** richm has joined #openstack-keystone01:20
ayoungUsers and Domains and ROles and all that crap exists so we can make access control decisions01:20
morganfainbergwhat is on the wire just happens to be the dehydrated form of the object - this is no different than the nova RPC.01:21
morganfainbergwe just happened to use json01:21
jamielennoxit's an interface with a bunch of implementaions and if saml or some other format comes along then there is no reason we wouldn't write another implementation of it01:21
morganfainbergvs. the object model they used.01:21
ayoungno  saml is marshalling01:21
ayoungwe would parse saml to Accessinfo01:21
ayoungjust another builder01:21
morganfainbergok anyway i need to go to the gym01:22
morganfainbergback in a couple hours01:22
ayoungjust the fact that we had / have test code that checks the Version  of the AccessInfo shows we have a leaky abstraction01:22
openstackgerritMerged openstack/keystonemiddleware: Deprecate auth_token authentication
jamielennoxif when creating AccessInfo i extracted everything out of the dictionary, and stored them as attributes rather than did it at @property time would that make a difference?01:23
jamielennoxother than being a bunch of additional work01:23
*** darrenc is now known as darrenc_afk01:23
morganfainbergjamielennox: all chopping-block looks like it'll merge01:24
ayoungjamielennox, if you started down that path, eventually you would end up with the model I coded01:24
morganfainbergwe might just have been unlucky w/ the utils change01:24
morganfainbergjamielennox: and re: accessinfo - i've voiced my stance and i'll chat more when back from the gym01:24
morganfainbergif you're still around01:24
ayoungjamielennox, your flat format would work until we need to enumerate something.  The service catalog is already not flat01:24
ayoungmy code allows us to share logic between the domain object for the user and the one for the project...maybe that means very little01:25
ayoungbut if you think how it is composed on the server side, first you fgo to the id backend and get the user, then you go get the roles, then the makes sense to have them as separate objects01:25
ayoungand, from a parsing perspective, it is easier as well01:26
ayoungeach of the objects is a contract. Only morph the objects themselves through their methods...usually the objects will be treateed as  immutable01:26
jamielennoxthe service catalog is already an object for exactly this reason and the same could apply to any additional properties01:32
*** darrenc_afk is now known as darrenc01:34
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Change auth_token to use keystoneclient
ayoungjamielennox, OK...lets assume two changes hit us.  One, a token can have multiple users.  Two, a token can have multiple projects.  THere are still a default fro each, but also an array.  The default user would be a pointer to token.users[0]  and the default project would be  pointer to tokens.projects[0].  Nothing else would have to change.  If it is flat, we need to rearchitect it.  And that will break code that is assumin01:41
ayoungg things will be flat, or make it that you work with the default objects in a different way from the non default01:41
jamielennoxayoung: it would require we made a new auth_ref.users that returned a list, i agree - but the same defaults apply for the flat as does the nested accessors01:43
jamielennoxand, it does not mean that i can actually get rid of the existing property either way01:43
jamielennoxbesides if we want to play that game what happens if we allow multiple scopes - then we're all screwed01:48
ayoungjamielennox, so...I have to admit, I am kind of surprised by your resistance.  We have a goal of using the same code to represent the object on both sides of the wire.  To you disagree with that goal?01:56
samueldmqmorganfainberg, finally I am testing the keystone v3 only against tempest01:57
samueldmqmorganfainberg, I was having issues in my vs due to nested virt01:57
samueldmqmorganfainberg, I solved this by setting LIBVIRT_TYPE=qemu in my devstack01:58
samueldmqmorganfainberg, tomorrow I will update you with the results of tempest execution01:58
samueldmqjamielennox, cc ^01:58
jamielennoxsamueldmq: nice, what's that involve? running the tempest keystone v3 tests only or having v2 disabled for the whole devstack?01:59
samueldmqjamielennox, the second one, v2 disabled for the whole openstack02:00
samueldmqclarkb helped me today to figure out what was wrong with my env :)02:01
jamielennoxawesome! is this to allow us to test what still relies on v2 by seeing what fails? i'll be very surprised if tempest passes02:01
samueldmqjamielennox, yeah, it is02:02
samueldmqjamielennox, I will set tempest to use v3 auth tokens to make calls to services02:02
samueldmqjamielennox, and disable v202:03
samueldmqjamielennox, actually tempest is OK by just setting tempest to use v3 auth tokens (without disabling v2)02:03
samueldmqjamielennox, but I think some services may be validating v3 tokens in the v2 api (I think it is possible, if we're using the default domain)02:04
samueldmqjamielennox, I will let you know as soon as I have some results02:04
jamielennoxsamueldmq: it is and they doe02:04
samueldmqnice, so disabling v2 will actually tell us if there is something missing02:05
samueldmqjamielennox, great I will let you know02:05
jamielennoxsamueldmq: can you see
*** topol has quit IRC02:06
samueldmqjamielennox, looking02:06
samueldmqjamielennox, how did you get those known issues ? testing manually ?02:07
jamielennoxsamueldmq: yep02:07
jamielennoxi've done a few tempest patches as well02:07
jamielennoxand devstack to disable v3 and start running commands02:07
jamielennoxit's by no means exhaustive like tempest will give02:07
ayoungsamueldmq, good work02:08
samueldmqayoung, thanks, but actually I am just testing the great work jamielennox has been doing around v3 support02:08
* jamielennox blushes02:09
samueldmqjamielennox, ++ agree02:09
samueldmqhehe !:)02:09
jamielennoxsamueldmq: anyway if you find specific things that are v2 only add them to that board and feel free to take on anything you want02:10
jamielennoxbut that's my current list for doing v3 everywhere02:10
samueldmqjamielennox, nice, I will also try to help you by doing the remaining work02:11
samueldmqjamielennox, I was hoping we could have them working by the summit02:11
jamielennoxthe biggest blocker i know at the moment is glanceclient and swiftclient, i've got patches up for glanceclient and i've got WIP patches for nova etc to use updated glanceclient02:11
samueldmqjamielennox, it would be amazing02:11
samueldmqjamielennox, hmm, so tempest should fail .. after failing, we could apply your patches and re-run it02:12
jamielennoxsamueldmq: i'll be honest i'm hoping for liberty and that will still be hard02:12
samueldmqjamielennox, hmmm ... iirc, I ran smoke tests and they passed02:12
samueldmqjamielennox, I need to recheck02:12
samueldmqjamielennox, smoke tests is a smaller set of 'basic' tests for each service  ..02:13
samueldmqjamielennox, let's just not speculate, tomorrow we'll know :)02:13
samueldmqjamielennox, after testing it manually, I am planning to submit the experimental gate jobs02:14
jamielennoxsamueldmq: that would be useful02:14
openstackgerritguang-yee proposed openstack/keystonemiddleware: enforce endpoint constraint
*** gyee has quit IRC02:15
openstackgerritguang-yee proposed openstack/keystonemiddleware: enforce endpoint constraint
*** lhcheng has quit IRC02:26
openstackgerritMerged openstack/keystoneauth: Rename _discover module
ayoungjamielennox, ok, so let's start there.  I need a unified way to enforce policy02:31
ayoungthat has to be the same everywhere02:31
jamielennoxayoung: that does not require a mode, that requires a standard interface - which are related but different concepts02:32
ayoungjamielennox, I need three things to match02:32
ayoung1.  the data from token in all the remote services02:33
ayoung2.  a token in keystone02:33
ayoung3.  tokenless operations02:33
ayoungI don't want to have to work to keep them in sync02:33
ayoungI want to work with a single set of objects.02:33
ayounganything that varies from that is going to introduce complexity and instability02:35
ayoungand this code has been held up for a long time.  A lot is backlogged behind it.02:35
ayoung revocation events need a unified access info.  I've been trying to get that code into a single place, clean, for about a year now02:36
jamielennoxayoung: i'm playing around with how i would write a model and i find myself coming back to having the AccessInfo as the driver02:50
jamielennoxignoring catalog - which is not handled very well in either approach02:50
jamielennoxi could easily create a model from an AccessInfo02:52
jamielennoxI could easily write a new AccessInfo called like ModelAccessInfo that bridges the gap02:52
ayoungjamielennox, what do you define AccessInfo to be?02:53
jamielennoxSo i need AccessInfo to be about 10 @properties otherwise the whole auth plugin system fails, and i don't see any way i can get around that compatibility02:54
jamielennoxthat's what i was showing in the other review02:55
openstackgerritDave Chen proposed openstack/keystone: Refactor: Join multiple criteria together
ayoungjamielennox, so...we need to maintain that.  But I see that as the historical.  Why do you think that should drive the design02:56
jamielennoxAccessInfo is a set of properties you are supposed to define in subclasses, we currently have AccessInfoV2 and AccessInfoV3 - but you are never supposed to query the difference  between those two objects02:56
ayoungI'd split that statement:02:56
ayoungAccessInfo is a set of properties.02:57
ayoungTHe fact that we subclass is an implementation detail.02:57
jamielennoxthat's far02:57
ayoungSo long as we are consistent in providing those properties, we should be compatible.02:58
ayoungOK.  So  our requirements so far:  don't change the accessinfo contract.  Make the data look the same wherever policy or revocation events are enforced.  So far so good?02:59
ayoungOK.   Now, here are some other requirements.  We need to be able to convert from V2 to V3 tokens.  Hopefully that is a short term issue.03:00
ayoungOn the server side, we need to be able to reconsitute the access info for a user either from a token or from an X509 cert03:01
ayoungand then this needs to pass policy03:01
jamielennoxayoung: no we don't need to convert03:01
ayoungjamielennox, in the token provider we do03:01
*** wwwjfy has joined #openstack-keystone03:01
jamielennoxayoung: not a client problem03:02
ayoungif we pass in a v2 token to the v3 api, we should be passing back a v3 format03:02
ayoungI didn;'t say on client03:02
ayoungI meant project wide03:02
ayoungwe have the long standing blueprint for cleaning up the token creation process.03:03
jamielennoxon the server side it is ridiculous that you need to convert between - i completely agree with that, this should be a model and v2/v3 are views on the model03:03
jamielennoxas are saml etc03:03
ayoungjamielennox, ok.  So now you understand where I was coming from when I started this effort.03:03
jamielennoxthis was the driving force behind all that pecan stuff i did before atlanta03:04
jamielennoxi want to turn keystone into a proper model / view setup03:04
jamielennoxwell model/controller i guess03:04
ayoungah.  I saw that you refreshed those patches.  I took a quick look but hadnt' finished reviewing03:04
ayoungM-V-C?  Yeah.  I'm with you there03:04
jamielennoxpecan's not all that good at what we want to do - but it's the only approved one from TC AFAIK03:05
openstackgerritDave Chen proposed openstack/keystone: Refactor: Join multiple criteria together
jamielennoxand i want to get rid of the home grown one03:05
jamielennoxi agree, i argued that stuff for a long time03:05
jamielennoxstill do03:05
ayoungjamielennox, so your objection is limited to it moving into the client?03:06
jamielennoxyes, essentially03:06
*** richm has quit IRC03:07
ayoungBut if you add up everything we said above, can you see why I would want to have it in the client?03:07
jamielennoxi can absolutely see why you want it in client, but spin your perspective and explain why I would want it in client - what does it buy the client?03:07
jamielennoxrule of thumb - it needs to be reused in at least 3 places to be useful to be in a library03:08
ayoungjamielennox, well, here are the three places03:08
ayoung1.  keystone server03:08
ayoung2.  Remote services like Nova03:08
ayoung3.  Horizon03:09
jamielennoxnova - why?03:09
ayoungpolicy enforcement03:09
ayounghorizon does the reverse...reads a token and figures out what to show based on policy03:09
jamielennoxthose are both things they do today03:09
ayoungjamielennox, but every service has its own view of policy.03:10
ayoungWe want the common policy file..or at least common rules03:10
jamielennoxi agree03:11
ayoungso I don;'t want subtle differences in how they interpret policy due to each having its own model03:11
jamielennoxagain i agree - this is your saviour:
ayoungthat doesn't cover the Serve cases of building the token from the backend.  So I still have two03:12
jamielennoxno - that's 103:13
ayoungno,  to use that, I would need to convert from the Python model to a dictionary03:13
ayoungand...that is an abstract base class, so I can still have differences in how it is implemented.03:13
jamielennoxayoung: so in that user plugin i very explicitly hid access to the AccessInfo because i didn't want people getting confused by the dict methods03:14
jamielennoxthe user plugin has 2 _TokenData objects, one for the X-Auth-Token and one for the X-Service-Token03:15
jamielennox_TokenData is a _very strictly_ read only format that gives you information about the token03:15
ayoungThat is fine.  Not a hard abstraction to cover03:15
ayoungso is mine03:15
jamielennoxmy plan was to have oslo.policy construct a dictionary from those two _TokenData objects03:16
ayoungit is the builder that lets you morph it, but you don't do any reading until it is all done and built03:16
jamielennoxbecause oslo.policy requires a dict03:16
jamielennoxi thought that better that having a .to_policy_dict() on the plugin03:16
jamielennoxthis is what we talked about 6 moths ago when i said i want keystone team to handle both the supply and enforcement of policy03:18
ayoungso..I plan on using these classes in the other parts of Keystone.  Identity will create a User object.  Assignment will create Role objects. And so on03:18
ayoungthere are elements of that in the code already03:18
jamielennoxall the service should ever need to do is pass through the _UserPlugin object and then the object that want to enforce upon03:18
ayoungthen to create a token,  you create a builder, and the directory gets the objects from each of the backends, and when it is done, build, and you get the model version of the AccessInfo03:19
*** davechen has joined #openstack-keystone03:19
ayoungthen a dictionary is a wrapper around that.03:19
ayoungand that operates like your code03:19
ayoungwe're not that far apart, I'm just driving it by the server use cases03:20
ayoungwhich are the more complex03:20
jamielennoxI'm not doubting it's a good model - your justifications are all keystone server cases03:20
ayoungjamielennox, the client can use the same model classes03:20
ayoungwhen you do openstack project list, it should internally be a list of the project objects from the model03:21
ayoungsame with domains, groups, roles, role assignments, and so on03:21
ayoungone set of objects for the core domain model03:21
ayoungensuring consistency03:21
jamielennoxi think you bring in more complexity there than you save03:21
jamielennoxthe requirements are too different03:21
ayoungit means that you alwasy have the same object everywhere.  That was the intention of keystone/common/model in the first opkace03:24
morganfainbergjamielennox: confirmed failures for tempestlib fixed recheckking choppingblock03:24
jamielennoxnote that i want that plugin to replace context as well which is the point of which even though it is in merge conflict is still unreviewed as are the two underlying patches03:24
jamielennoxayoung: that's kind of cool - ok we could use that03:25
*** fifieldt has joined #openstack-keystone03:25
ayoungjamielennox, wuh?03:25
*** lhcheng has joined #openstack-keystone03:25
*** ChanServ sets mode: +v lhcheng03:25
ayoungjamielennox, but we don't.  We do this instead...03:26
jamielennoxayoung: but those are really trivial classes03:26
jamielennoxi mean they're more of a template than a model03:26
ayoungthey are keys03:27
jamielennoxayoung: July 3, 2013: - i'm with you buddy i get the advantages of common models03:28
ayoungjamielennox, yes, but you coded it backwards03:29
ayoungthe model does not depend on the API.  It is the other way around03:29
jamielennoxthat model doesn't depend on the api03:30
jamielennoxthe controller converts from api to model and back03:30
jamielennoxthe model is an abstraction of the self.credential_api to make it object orientated03:31
ayoungjamielennox, ok...we need to have a serious design discussion about this.  We both want the same things.03:31
ayoungJust have different approachees to get there03:31
ayoungthe SQL code is the culprit03:31
ayoungit combines the python object you get from the DB with the code to fetch it03:31
ayoungthese need to be split03:32
*** zzzeek has quit IRC03:32
jamielennoxabsolutely, i would have much prefered to write that so the SQL code depended on the model - you're right that part is backwards, but it was unfeasible at that time, my goal was once everything had a model we could invert it03:32
ayoungand this is why I really did not support the KSL rewrite.   That is when that code was introduced.03:33
ayoungand I've been living with it ever since03:33
ayoungI in I am making a lot of changes I gone!!!!!03:33
jamielennoxi wanted to do the same thing with either pecan or falcon, i was just going to do it slower03:34
jamielennoxand probably not disapear03:34
ayoungso lets start by getting the domain model right.  And the client code is the most dilligent in testing things.03:35
ayoungHeh.  No you have proven your tenacity03:35
jamielennoxcan't believe that code was 2 years ago, if i'd stuck it out then we might have a model based system already03:36
lifelessnow I want a millenium falcon with keystone server built-in03:36
ayoungThis time we will.  We have a consensus03:36
morganfainberglifeless: uhm.03:36
ayounglifeless, we're home.03:36
morganfainberglifeless: ok!03:36
lifelessmorganfainberg: because it would be model based :)03:36
*** josecastroleon has joined #openstack-keystone03:36
lifeless(boom tish, and apologies for the side-track)03:37
morganfainberglifeless: i was going to opt for camelot (but it's a silly place) instead03:37
ayoungThis new learning astounds me sir morganfainberg .03:37
lifelessmy daughter is watching a bubble guppies episode with knights right now...03:38
lifelessmy brain is... melting :)03:38
ayounglifeless, my kids are asleep...thankfully so03:38
*** dims has quit IRC03:38
ayoung20 minutes to midnight, and I squandered my grownup time arguing on IRC03:38
ayoungThough we're tough and able.  Quite in de fa ti gable.03:39
*** stevemar has joined #openstack-keystone03:39
*** ChanServ sets mode: +v stevemar03:39
*** josecastroleon has quit IRC03:39
jamielennoxright - i've got pretty much nothing done today03:39
jamielennoxayoung, morganfainberg: so could this be solved by making keystone consume auth_token somehow?03:41
jamielennoxbecause everything you're asking for i haev a solution for every other service03:41
jamielennoxand i've been pushing it for a while03:42
ayoungjamielennox, if we push this into keystoneauth, then I think we are there03:42
jamielennoxusing auth_token or the common solutions03:43
ayoungjamielennox, so, yes, the whoe goal of this excercize has been to get keystone to consume keystonemiddleware, as that is where we are targetting the policy enforcement as well03:47
ayoungand we are targetting having middleware use the client for its operations, so it should be handing over one of the common objects when validating a token03:48
jamielennoxayoung: it seems like you're fighting backwards then03:48
jamielennoxeverything you're talking about already uses AccessInfo03:49
ayoungand I maintained the access info interface for just that reason03:49
jamielennoxright, but the other solution was for the server to implement the accessinfo interfaces03:49
jamielennoxand we're back to 3 hours ago....03:49
*** _cjones_ has joined #openstack-keystone03:50
ayoungand its bed time03:53
jamielennoxayoung: night03:55
*** _cjones_ has quit IRC03:55
jamielennoxmorganfainberg: have you looked at the reaosn those reviews are failing? is infra on it? is it known?03:56
morganfainbergjamielennox: was an issue with tempestlib03:56
morganfainbergshould be resolved03:56
jamielennoxok - i'll go through and recheck them03:56
morganfainbergjamielennox: already did03:56
jamielennoxo - thanks03:56
stevemarmorganfainberg, when is the hackathon?03:58
morganfainbergstevemar: email will be sent tomorrow but plan is July 15, 16, 1703:58
stevemarjust need to input it in the calendar03:58
morganfainbergand i checked. doesn't look like we have a holiday around then03:59
*** fifieldt has quit IRC03:59
*** samueldmq has quit IRC03:59
*** tqtran has joined #openstack-keystone04:00
*** topol has joined #openstack-keystone04:07
*** ChanServ sets mode: +v topol04:07
*** tqtran has quit IRC04:14
morganfainbergoh look it's a topol04:22
topolmorganfainberg, sorry I have been traveling   :-(04:24
morganfainbergtopol: lies - you're not sorry :)04:24
*** topol has quit IRC04:34
*** dims has joined #openstack-keystone04:39
*** dims has quit IRC04:45
stevemarmorganfainberg, as quickly as he appears, he then disappears04:55
stevemarthe ways of the ninja04:55
*** winggundamth has joined #openstack-keystone04:56
winggundamthhi everybody. I having problem on openstack --insecure COMMAND after follow Kilo install-guide but try to make https self signed instead of normal one05:01
winggundamthSSLError: SSL exception connecting to
winggundamthfull verbose and debug here
winggundamthis it related to this bug?
openstackLaunchpad bug 1447704 in python-openstackclient "token issue fails for keystone v2 if OS_PROJECT_DOMAIN_NAME or OS_USER_DOMAIN_NAME are set" [Low,Triaged] - Assigned to Dean Troyer (dtroyer)05:04
stevemarwinggundamth, they don't seem related05:06
winggundamthhow about this one?
openstackLaunchpad bug 1447784 in python-openstackclient "--insecure is ignored if OS_CACERT env var is set" [Low,Confirmed]05:07
winggundamthjust wonder SSL error that I got. Is it happens because of self signed?05:08
stevemarwinggundamth, same thing - i don't think that error is related either, that bug is fairly harmless05:10
stevemarwinggundamth, try using keystoneclient? the old CLI.05:10
stevemarkeystone user-list --insecure and see if that works05:10
winggundamthlet me try it05:10
openstackgerritDave Chen proposed openstack/keystone: Refactor: Join multiple criteria together
*** henrynash has quit IRC05:13
*** henrynash has joined #openstack-keystone05:13
*** ChanServ sets mode: +v henrynash05:13
winggundamthstevemar: it shows no error but still don't list the user05:16
winggundamthbut user doesn't list maybe another problem05:17
winggundamthoh. it listed now. I forget to put OS_TENANT_NAME var05:18
winggundamthstevemar: so I think it's the openstack bug that doesn't respect --insecure right?05:19
stevemarwinggundamth, gah05:19
stevemarokay, i guess we really need to fix the osc bug05:20
stevemarcan you comment on the bug? and say it's impacting you05:20
stevemarit helps to remind us to be less lazy05:20
winggundamthnice :)05:20
winggundamthsure I'll do it now05:20
winggundamthwhich bug that you want me to comment. both?05:21
stevemaryeah, mention that you had to resort tot he using the old keystone CLI, that'll raise the priority05:21
stevemarthe one that says it ignores --insecure05:21
winggundamthok sure05:21
openstackgerritMerged openstack/keystoneauth: Remove cli functions from utils
openstackgerritMerged openstack/keystoneauth: Remove management_url from AccessInfo
*** henrynash has quit IRC05:27
winggundamthstevemar: this is done.
openstackLaunchpad bug 1447784 in python-openstackclient "--insecure is ignored if OS_CACERT env var is set" [Low,Confirmed]05:27
*** henrynash has joined #openstack-keystone05:27
*** ChanServ sets mode: +v henrynash05:27
winggundamthnever heard you guys lazy before lol05:27
winggundamthanother question. when the new kilo build that's not rc1 coming on this? will the openstackclient build is 1.1.0 too? because I got nova sth deprecated warning so that I have to manual install with pip05:31
*** emagana has joined #openstack-keystone05:31
stevemarwinggundamth, hmm, that one i'm not sure about05:33
winggundamthok thanks. hope I can write python in some day so could help you guys :)05:38
stevemarwinggundamth, that parts not hard :)05:40
stevemarwinggundamth, docs, bugs, specs, code, translations ... everything helps05:40
winggundamthtrying to hack your code right now so at least override insecure to all case lol05:41
*** markvoelker has quit IRC05:48
*** emagana has quit IRC05:48
*** browne has joined #openstack-keystone05:58
winggundamthsurprise me that openstackclient 1.2.0 just out06:00
winggundamthwhile I see only 1.1.0 in launchpad06:00
*** lhcheng has quit IRC06:01
stevemarwinggundamth, yep, came out today06:01
stevemarwinggundamth, the debian/ubuntu packagers are usually a bit behind06:02
stevemarmaybe if we can fix the insecure bug then we can release a 1.2.1 client for you06:02
*** emagana has joined #openstack-keystone06:03
*** rm_work|away is now known as rm_work06:05
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex
*** emagana has quit IRC06:09
*** emagana has joined #openstack-keystone06:10
*** emagana has quit IRC06:14
*** chlong has quit IRC06:21
*** _cjones_ has joined #openstack-keystone06:25
*** _cjones_ has quit IRC06:25
*** _cjones_ has joined #openstack-keystone06:26
*** chlong has joined #openstack-keystone06:35
*** davechen has left #openstack-keystone06:57
*** chlong has quit IRC07:02
*** _cjones_ has quit IRC07:04
*** lhcheng has joined #openstack-keystone07:08
*** ChanServ sets mode: +v lhcheng07:08
*** lhcheng has quit IRC07:10
*** lhcheng has joined #openstack-keystone07:11
*** ChanServ sets mode: +v lhcheng07:11
*** stevemar has quit IRC07:20
*** chlong has joined #openstack-keystone07:26
*** browne has quit IRC07:34
*** chlong has quit IRC07:37
*** henrynash_ has joined #openstack-keystone07:37
*** ChanServ sets mode: +v henrynash_07:37
*** henrynash has quit IRC07:39
*** henrynash has joined #openstack-keystone07:42
*** ChanServ sets mode: +v henrynash07:42
*** henrynash_ has quit IRC07:42
*** henrynash_ has joined #openstack-keystone07:46
*** ChanServ sets mode: +v henrynash_07:46
*** henrynash has quit IRC07:47
*** henrynash has joined #openstack-keystone07:48
*** ChanServ sets mode: +v henrynash07:48
*** chlong has joined #openstack-keystone07:49
*** henrynash_ has quit IRC07:50
*** ncoghlan has quit IRC07:52
*** henrynash_ has joined #openstack-keystone07:52
*** ChanServ sets mode: +v henrynash_07:52
*** henrynash has quit IRC07:53
*** chlong has quit IRC07:53
*** chlong has joined #openstack-keystone07:55
*** henrynash has joined #openstack-keystone07:55
*** ChanServ sets mode: +v henrynash07:55
*** henrynash_ has quit IRC07:57
openstackgerritMerged openstack/keystoneauth: Remove auth_url property from AccessInfo
openstackgerritMerged openstack/keystoneauth: Remove region_name from catalog
openstackgerritMerged openstack/keystoneauth: Remove the AccessInfo Factory
openstackgerritMerged openstack/keystoneauth: Remove region_name from service catalog
*** chlong has quit IRC08:01
*** henrynash_ has joined #openstack-keystone08:04
*** ChanServ sets mode: +v henrynash_08:04
*** henrynash has quit IRC08:06
*** henrynash has joined #openstack-keystone08:08
*** ChanServ sets mode: +v henrynash08:08
*** henrynash_ has quit IRC08:09
*** henrynash_ has joined #openstack-keystone08:12
*** ChanServ sets mode: +v henrynash_08:12
*** henrynash has quit IRC08:13
*** henrynash_ is now known as henrynash08:13
*** boris-42 has joined #openstack-keystone08:13
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements
*** henrynash_ has joined #openstack-keystone08:16
*** ChanServ sets mode: +v henrynash_08:16
*** henrynash has quit IRC08:18
*** henrynash_ is now known as henrynash08:18
*** chlong has joined #openstack-keystone08:18
*** winggundamth has quit IRC08:38
*** chlong has quit IRC08:40
*** e0ne has joined #openstack-keystone08:55
*** e0ne has quit IRC08:58
*** henrynash_ has joined #openstack-keystone09:07
*** ChanServ sets mode: +v henrynash_09:07
*** henrynash has quit IRC09:08
*** henrynash_ is now known as henrynash09:08
*** henrynash_ has joined #openstack-keystone09:27
*** ChanServ sets mode: +v henrynash_09:27
*** henrynash has quit IRC09:28
*** henrynash_ is now known as henrynash09:28
*** markvoelker has joined #openstack-keystone09:29
*** lhcheng has quit IRC09:41
*** dguerri is now known as _dguerri09:57
*** topol has joined #openstack-keystone09:59
*** ChanServ sets mode: +v topol09:59
*** _dguerri is now known as dguerri10:00
*** mflobo has quit IRC10:00
*** josecastroleon has joined #openstack-keystone10:09
*** topol has quit IRC10:10
*** mflobo has joined #openstack-keystone10:14
*** chlong has joined #openstack-keystone10:14
*** ayoung has quit IRC10:25
*** ayoung has joined #openstack-keystone10:37
*** ChanServ sets mode: +v ayoung10:37
*** josecastroleon has quit IRC10:37
openstackgerritDavid Charles Kennedy proposed openstack/keystone: Move endpoint catalog filtering to default driver
*** chlong has quit IRC11:01
*** chlong has joined #openstack-keystone11:04
*** dguerri is now known as _dguerri11:15
*** chlong has quit IRC11:15
openstackgerritDavid Charles Kennedy proposed openstack/keystone: Service with no endpoints should not be in catalog
*** _dguerri is now known as dguerri11:21
*** markvoelker has quit IRC11:30
openstackgerritDavid Charles Kennedy proposed openstack/keystonemiddleware: Enforce endpoint constraint
*** ctina_ has joined #openstack-keystone11:50
*** markvoelker has joined #openstack-keystone12:01
*** markvoelker has quit IRC12:06
*** markvoelker has joined #openstack-keystone12:12
*** jlbhshluekg has joined #openstack-keystone12:16
jlbhshluekgdid usa intelligence supply isis with weapons like they did with al-qaeda to justify creating wars?12:16
jlbhshluekgdid usa excute the creative mess in the middle east like they said they will, does the creative mess include explosions with uncertain responsibles to create wars?12:16
jlbhshluekgplz, send my qs to help limiting usa & israel aggression against others& may then lessen number of people killed in the middle east.12:16
jlbhshluekg.did usa intelligence supply isis with weapons like they did with al-qaeda to justify creating wars?12:16
*** jlbhshluekg has quit IRC12:16
*** jlbhshluekg has joined #openstack-keystone12:16
*** jlbhshluekg has joined #openstack-keystone12:17
*** jlbhshluekg has left #openstack-keystone12:17
*** henrynash_ has joined #openstack-keystone12:29
*** ChanServ sets mode: +v henrynash_12:29
*** henrynash has quit IRC12:31
*** henrynash_ is now known as henrynash12:31
*** davidckennedy has joined #openstack-keystone12:38
*** richm1 has joined #openstack-keystone12:46
davidckennedyAnybody have any clue why jenkins applies -1 when all tests show SUCCESS?  See -
*** zzzeek has joined #openstack-keystone12:53
lbragstadmarekd: do you want me to create another blueprint for this guy?
lbragstadcc morganfainberg ^12:56
lbragstadand register it to
openstackgerritLance Bragstad proposed openstack/keystone: Switch the token provider to use strict_abc
openstackgerritLance Bragstad proposed openstack/keystone: StrictABC Implementation
*** afaranha has quit IRC13:06
*** iamjarvo_ has joined #openstack-keystone13:07
*** mattfarina has joined #openstack-keystone13:10
*** iamjarvo_ has quit IRC13:11
*** richm1 is now known as richm13:16
*** sigmavirus24_awa is now known as sigmavirus2413:28
*** dims has joined #openstack-keystone13:30
*** joesavak has joined #openstack-keystone13:33
*** wwwjfy_ has joined #openstack-keystone13:38
*** wwwjfy has quit IRC13:38
*** packet has joined #openstack-keystone13:39
*** zzzeek has quit IRC13:42
*** henrynash has quit IRC13:43
*** henrynash has joined #openstack-keystone13:44
*** ChanServ sets mode: +v henrynash13:44
davidckennedybknudson I got it.13:44
davidckennedyIt's the oslo.config version specified in the requirements, but why that causes, er, nothing to go wrong I don't know.13:46
*** packet has quit IRC13:48
*** henrynash has quit IRC13:49
*** packet has joined #openstack-keystone13:49
*** henrynash has joined #openstack-keystone13:49
*** ChanServ sets mode: +v henrynash13:49
openstackgerritDavid Charles Kennedy proposed openstack/keystonemiddleware: Enforce endpoint constraint
*** openstackgerrit has quit IRC13:51
*** wwwjfy_ has quit IRC13:51
*** wwwjfy has joined #openstack-keystone13:51
*** openstackgerrit has joined #openstack-keystone13:52
marekdlbragstad: i think morganfainberg and bknudson are better to ask here. Code submits without existing and active bps were always subject to -1 so i think this situation is somehow similar.13:57
bknudsonlbragstad: nobody's going to stop you from creating a blueprint.13:57
lbragstadbknudson: marekd ok, I'll create one for it13:58
marekdlbragstad: sure, and then i will be happy to positively vote on the code patch!13:58
marekdor rather +A13:59
marekdlbragstad: let me know when it's ready13:59
lbragstadmarekd: ++ will do13:59
marekdlbragstad: thanks13:59
*** gordc has joined #openstack-keystone14:01
openstackgerritLance Bragstad proposed openstack/keystone: Implement validation on the Identity V3 API
lbragstadmarekd: bknudson ^14:03
*** samueldmq has joined #openstack-keystone14:03
*** iamjarvo has joined #openstack-keystone14:04
*** iamjarvo has quit IRC14:05
*** iamjarvo has joined #openstack-keystone14:05
bknudsonlbragstad: marekd: morganfainberg: I approved the blueprint.. I'm assuming this is ok since there are 4 cores involved already.14:09
lbragstadbknudson: works for me14:09
lbragstadmarekd: thanks!14:10
bknudsonis there other validation work going on this release?14:10
lbragstadbknudson: not that I am aware of14:10
*** markvoelker has quit IRC14:10
lbragstadbknudson: to the best of my knowledge, the identity api was the only validation that didn't make it into Juno.14:10
bknudsonlbragstad: you can finally report that this is completed in your pbc results14:10
lbragstadbknudson: \o/14:10
lbragstadbknudson: finally!14:11
morganfainbergbknudson: ++14:11
*** markvoelker_ has joined #openstack-keystone14:14
*** samueldmq has quit IRC14:15
*** markvoel_ has joined #openstack-keystone14:15
*** henrynash_ has joined #openstack-keystone14:16
*** ChanServ sets mode: +v henrynash_14:16
*** samueldmq has joined #openstack-keystone14:16
*** henrynash has quit IRC14:16
*** henrynash_ is now known as henrynash14:16
*** markvoelker_ has quit IRC14:19
samueldmqbknudson, lbragstad are you talking about the schema validations ?14:29
samueldmq I 've added an idea to that brainstorming etherpad14:29
samueldmq<samueldmq> basically we could enforce FKs by adding them at keystone/common/ an then would enforce them at manager level with annotations14:29
lbragstadsamueldmq: around schema validation?14:29
samueldmq(looks like I am having connection issues)14:29
bknudsonthis is validation of inputs using JSONSchema14:29
samueldmqlbragstad, this one I described ? ^ (fks validation)14:30
bknudsonwe have a security-related initiative here and one of the requirements is input validation.14:30
samueldmqlbragstad, could be done using schemas ?14:30
ayoungsamueldmq, don't count on keystone/common/models.py14:31
ayoungthat is going to get replaced by unified accessinfo14:31
ayoungjdennis, you live!14:31
ayounghow are the new digs?14:31
ayoungjdennis, I realize you are digging out from under rought 3.5Ge  (that is Giga-emails)14:32
*** stevemar has joined #openstack-keystone14:47
*** ChanServ sets mode: +v stevemar14:47
ayounglifeless, someone was taking pictures of your bedroom:
*** dims is now known as dimsum__14:58
jdennisayoung: yes, I'm alive, exhausted, and connected. Trying to catch up, 5,000 emails to wade through, if there is something important to draw my attention to please do, especially interested in where we stand with the ECP work15:03
*** emagana has joined #openstack-keystone15:05
samueldmqayoung, maybe approve this ( ?15:06
bknudsonsamueldmq: approving doesn't do much good since it depends on another review that isn't approved15:07
samueldmqbknudson, oh sure, didnt pay attention on the chain , thx15:07
*** emagana has quit IRC15:09
*** dimsum__ has quit IRC15:31
*** henrynash_ has joined #openstack-keystone15:31
*** ChanServ sets mode: +v henrynash_15:31
*** dimsum__ has joined #openstack-keystone15:31
*** henrynash has quit IRC15:33
*** henrynash_ is now known as henrynash15:33
*** iamjarvo has quit IRC15:38
*** gyee has joined #openstack-keystone15:42
*** ChanServ sets mode: +v gyee15:42
openstackgerritArvind Tiwari proposed openstack/keystone-specs: spec for cloud namespaces
*** iamjarvo has joined #openstack-keystone15:48
*** lhcheng has joined #openstack-keystone15:51
*** ChanServ sets mode: +v lhcheng15:51
*** henrynash has quit IRC15:52
openstackgerritMerged openstack/keystone-specs: Deprecations
*** zzzeek has joined #openstack-keystone15:58
*** henrynash has joined #openstack-keystone16:01
*** ChanServ sets mode: +v henrynash16:01
*** browne has joined #openstack-keystone16:04
openstackgerritMerged openstack/keystone-specs: Add spec for 'stable keystone driver interfaces'
*** henrynash_ has joined #openstack-keystone16:11
*** ChanServ sets mode: +v henrynash_16:11
*** henrynash has quit IRC16:12
*** henrynash_ is now known as henrynash16:12
stevemarlbragstad, yesssss laance16:12
stevemarthis patch has bit-rotted
stevemarthis guy and his downgrades16:12
lbragstadstevemar: yeah, doesn't look like its been touched in a while16:13
*** davidckennedy has quit IRC16:13
ayoungjdennis, ok, so here is where we stand.  Your last message implied we were doing IdP initiated only.  marked (in Europe so home for the weekend I assume) disagreed.  We ened to figure out what to do too get the keystone client talking ECP to get a token16:16
bknudson -- easy one has +216:17
*** wwwjfy has quit IRC16:18
bknudsonayoung: -- the auth_token to use keystoneclient change you +2d earlier. I made a change based on jamielennox's feedback.16:20
ayoungbknudson, looking16:20
ayoungbknudson, just this, right,cm16:20
*** wwwjfy has joined #openstack-keystone16:20
bknudsonayoung: yes, he asked to use the discover API16:21
ayoungI think that is the better approach, yes16:21
bknudsonayoung: thanks! progress! liberty!16:22
ayoungequality! fraternity!16:22
*** iamjarvo has quit IRC16:23
*** gokrokve has joined #openstack-keystone16:25
*** gokrokve has quit IRC16:26
*** gokrokve has joined #openstack-keystone16:27
*** alexsyip has joined #openstack-keystone16:33
*** iamjarvo has joined #openstack-keystone16:47
*** henrynash has quit IRC16:47
*** gokrokve has quit IRC16:51
*** HenryG is now known as floccinaucinihil16:54
*** floccinaucinihil is now known as HenryThe8th16:55
*** emagana has joined #openstack-keystone16:59
*** markvoel_ has quit IRC16:59
*** markvoelker has joined #openstack-keystone17:00
*** _cjones_ has joined #openstack-keystone17:00
*** _cjones_ has quit IRC17:00
*** _cjones_ has joined #openstack-keystone17:00
*** josecastroleon has joined #openstack-keystone17:06
samueldmqjamielennox, morganfainberg I have good news on the keystone v3 only tempest run17:10
morganfainbergsamueldmq: it mostly just works?17:10
samueldmq - Passed: 88117:11
samueldmq - Skipped: 15817:11
samueldmq - Expected Fail: 017:11
samueldmq - Unexpected Success: 017:11
samueldmq - Failed: 917:11
stevemarsamueldmq, you didn't get injured when it blew up?17:11
morganfainbergnot bad17:11
samueldmqstevemar, no hehe17:11
stevemarnot bad at all17:11
samueldmqmorganfainberg, and this time v2.0 is disabled, for sure :)17:12
samueldmqmy current env is:17:12
morganfainbergsamueldmq: i'll push up a WIP review to devstack for the changes to get v3-only setup going17:12
morganfainbergsamueldmq: today17:12
*** josecastroleon has quit IRC17:12
samueldmqi) disabled v2 in keystone17:12
samueldmqii) enabled tempest to use v3 tokens17:12
samueldmqiii) skipped tempest tests on specific keystone tests of v2 api ( the tests on api.idenity. etc, not the tests for other services)17:13
samueldmqiv) enabled horizon to use v3 auth17:13
lbragstadstevemar: devstack shrapnel can be dangerous...17:14
samueldmqmorganfainberg, as I executed several times until get this working, I'll unstack/stack to ensure nothing was left in the databases17:15
stevemarlbragstad, lethal17:15
samueldmqmorganfainberg, and any type of trash left is causing tests to fail17:15
samueldmqmorganfainberg, however I still need to enable swift and neutron, I am just using the default devstack conf so far17:16
samueldmqstevemar, cc ^17:16
stevemari'm not sure if swift will cause you issues17:18
*** gokrokve has joined #openstack-keystone17:18
stevemarneutron might not17:18
morganfainbergheat will17:18
stevemarmorganfainberg, why heat?17:18
samueldmqstevemar, god bless your thoughts, I hope too!17:18
morganfainbergat least i think it will17:18
morganfainbergdoes some v2 things still17:19
*** gokrokve_ has joined #openstack-keystone17:20
samueldmqmorganfainberg, hmm, will test it as well17:20
samueldmqhowever I think if we get it working with the core services by the summit it would be amazing17:21
david-lylemorganfainberg: more complicated than that for horizon17:21
samueldmqI will start working on the gate job (actually I started, but I couldn"t commit a code which I didnt test manually)17:21
*** gokrokve has quit IRC17:22
*** gokrokv__ has joined #openstack-keystone17:22
david-lyleneed a session store other than signed cookies due to token size of k v317:22
david-lylethat's why we haven't moved yet17:22
*** gokrokve_ has quit IRC17:22
david-lylewe've debated memcached and sqlite as options17:22
david-lylein memory cache is also an option17:23
david-lylenot a very good solution in general, but fastest bandaid17:23
*** samleon has joined #openstack-keystone17:25
morganfainbergdavid-lyle: this is because the SC is giant?17:25
morganfainbergdavid-lyle: not because the token data itself is bad - but when you couple the SC in ... icky17:25
morganfainbergmaybe we need horizon to be able to grab a complete view of the SC and cache it for a period17:25
david-lylewhich lhcheng is also looking at independently17:25
morganfainbergindependant of the session?17:25
samueldmqmorganfainberg, cache it on horizon ? and transmit only ids on the token17:26
gyeeuh, endpoint filtering?17:26
morganfainbergthen we can distil down the SC in the token to something usable / small17:26
morganfainbergdavid-lyle: not sure how a state like that in a django app would look though17:26
david-lylehe's looking at storing it on the request not the session17:26
samueldmqyeah, just the service ids in the token's catalog, and horizon cahes the whole list17:26
openstackgerritMerged openstack/keystone: Fixes tests to use the config fixture
david-lylebut would require more keystone API calls to retrieve the catalog17:27
gyeedavid-lyle, ajax it!17:27
samueldmqdavid-lyle, yeah but we can do it, right morganfainberg17:27
david-lyleeventually a more complete solution, but this is middle ground17:28
samueldmqdavid-lyle, ++17:28
*** meera has joined #openstack-keystone17:29
gyeemorganfainberg, see if you like this approach
gyeeendpoint constraint enforcement using oslo policy, like we talked about last week17:29
morganfainbergwill look post coffee17:30
samueldmqdstanek, why ldappool does not work with python 3 ?17:30
morganfainbergsamueldmq: nope17:30
samueldmqbknudson, any thought s ? ^17:30
morganfainbergsamueldmq: python-ldap doesn't either17:30
morganfainbergsamueldmq: we need to move to ldap3 library, and re-implement the pool from ldappool17:30
gyeebut python3 can do both17:30
morganfainbergit's not a lot of work17:30
gyeeI mean python3 ldap17:30
samueldmqmorganfainberg, hmm .. so it's because those incompatibilities with zip(), range() and othess?17:30
morganfainbergsamueldmq: no just python-ldap doesn't do it17:31
morganfainberggyee: ldap3 is the new name of the python3 ldap lib17:31
samueldmqmorganfainberg, k, we have this in our roadmap?17:31
morganfainbergsamueldmq: yep17:31
samueldmqmorganfainberg, brainstorming list, etc17:31
morganfainbergsamueldmq: we have a spec on the backlog for this i think17:31
samueldmqmorganfainberg, nice, just to not forget about it17:31
morganfainbergjust need to move it to liberty17:31
gyeeyeah we need some work to transition over to ldap317:32
samueldmqmorganfainberg, ++ will look17:32
gyeeshouldn't be that bad17:32
* samueldmq is happy to be in review mode again17:32
lhchengmorganfainberg: been tinkering with DOA yesterday, and was able to shrink the size of data stored in horizon session17:33
gyeeI remember we had to dance around unicode in our ldap logic, hopefully ldap3 support them natively17:34
lhchengmorganfainberg: stopped storing service catalog in the session and I got this improvements17:34
lhchengmorganfainberg: Keystone V2: 30% decrease,  Keystone V3: 44% decrease17:34
openstackgerritMerged openstack/keystonemiddleware: Change auth_token to use keystoneclient
morganfainberglhcheng: decrease in performance or size?17:39
samueldmqdo we have an experimental gate-keystone-python3 ?17:39
lhchengmorganfainberg: size17:39
morganfainberglhcheng: not bad17:39
morganfainbergsamueldmq: maybe.17:39
morganfainbergsamueldmq: might need to check we used to.17:39
samueldmqmorganfainberg, looking at a patch chain of python3 from dstanek17:40
morganfainberglhcheng: and the 66% is fairly static data, some environments will have massive SCs and might see 80+% decrease17:40
lhchengmorganfainberg: the downside is just an extra keystone call per page reload, which should not be significant for keystone17:40
samueldmqmorganfainberg, would be great if we could run with 'check experimental'17:40
morganfainberglhcheng: i'd like to see that able to be cached17:40
morganfainberglhcheng: as a config option. if someone uses memcache, let them enable it to be cached17:40
morganfainberglhcheng: if it isn't in memcache, fetch.17:41
morganfainberglhcheng: should be a good middle-ground/easy-ish solution17:41
morganfainberglhcheng: and address the extra call to keystone per page reload concern for real deployments17:41
morganfainbergsince most use / have caching infrastructure17:41
lhchengmorganfainberg: likely some more data can be stripped down from the session, I just removed service catalog as of now.17:42
morganfainberglhcheng: lets just start with that and get the SC cachable.17:42
morganfainberglhcheng: we can look at other data as future optimisations17:43
lhchengmorganfainberg: I am thinking the first pass could be just always get from keystone, then the memcache comes as enhancement.17:43
morganfainberglhcheng: yep, i just would like to see that 2nd pass (caching) bit land in liberty if at all possible17:46
morganfainberglhcheng: knowing the operators, that would be a concern we can head off at the pass. optional, but a nice add on17:46
lhchengyeah, should be easy17:46
morganfainbergand not a huge ask :)17:46
lhchengmorganfainberg: agreed17:46
* morganfainberg submits another talk to PyConAU about Keystone.17:47
openstackgerritBrant Knudson proposed openstack/keystone: Implement validation on the Identity V3 API
morganfainberglhcheng: btw: stable driver interfaces landed in backlog17:49
morganfainberglhcheng: we need to move it to liberty now and flesh out a couple details in the spec17:49
morganfainberglhcheng: if you wouldn't mind taking a look at the spec and we'll figure out who all is going to be on the hook for any specifics at the summit17:50
lhchengmorganfainberg: sure, will do.17:50
*** wwwjfy has quit IRC17:52
lhchengmorganfainberg: brb, have to go to meeting.17:53
lhchengmorganfainberg: will ping you later to follow-up on that.17:53
morganfainberglhcheng: no worries17:53
morganfainbergi'm about to run for a bit today17:53
morganfainbergso, whenever17:53
lhchengmorganfainberg: okay :)17:53
openstackgerritMerged openstack/keystoneauth: Base Documentation changes
*** packet has quit IRC17:59
*** spandhe has joined #openstack-keystone17:59
*** dguerri is now known as _dguerri18:01
*** packet has joined #openstack-keystone18:05
*** samueldmq_ has joined #openstack-keystone18:11
*** samueldmq has quit IRC18:11
*** toddnni has joined #openstack-keystone18:20
*** packet has quit IRC18:23
*** e0ne has joined #openstack-keystone18:27
*** samueldmq_ is now known as samueldmq18:29
gyeepacman in 8!18:31
gyeesheet wrong window18:31
*** _cjones_ has quit IRC18:32
bknudsongyee is up for anything!18:33
gyeebknudson, sorry I was talking to my bookie on a wrong channel18:34
bknudsonyou know it's fixed18:35
lhchenggyee: lol18:35
*** iamjarvo has quit IRC18:37
morganfainbergayoung: ping - physics dept at BU right?18:38
ayoungmorganfainberg, sort of18:38
ayoungthe MOC is housed in the Physics dept.  but the meetup will be near there, probably not in that building itself18:38
morganfainbergEh I'll just say BU18:38
morganfainbergThis is just the preliminary email "save the date thing"18:39
ayoungYes,  BU, main Campus is probably the right granularity18:39
morganfainbergMOC is multi <some Things> cloud?18:39
ayoungI don't know if they have any non main campii18:39
ayoungMassachusetts Open Cloud18:39
morganfainbergOk cool.18:39
lifelessayoung: not but wow I wish18:40
ayounglifeless, yours probably looks more like Tatooine18:40
bknudsondoes MOC run openstack?18:40
ayoungbknudson, yes18:41
ayoungbknudson, the guy that kicked it off (this guy  Built vCloud at VMware, and then turned his sights on doing something more open18:42
ayoungopenstack is the basis for what they are pushing, and, in return, they are feeding some interesting ideas in to Keystone et alles.18:42
ayoungbknudson,  he's one of you guys...long time IBMer18:43
bknudsonI see that on the profile... was in research18:44
morganfainbergayoung: email sent. 15, 16, 17.18:45
morganfainbergayoung: I'll start working on hotels and other things like food next week / week after so we have stuff all lined up right after the summit if not before.18:46
*** lhcheng has quit IRC18:46
ayoungmorganfainberg, sounds good.  Let me know when you are ready to plan, won't overload you with details now.18:47
*** lhcheng_ has joined #openstack-keystone18:47
morganfainbergYeah. I want to wait till after next week due to summit planning stuff.18:47
morganfainbergOk off to lunch. Bbiab18:47
*** iamjarvo has joined #openstack-keystone18:50
*** iamjarvo has quit IRC18:50
*** iamjarvo has joined #openstack-keystone18:50
openstackgerritMerged openstack/keystoneauth: Cannot retrieve a token from service catalog
*** omkarjoshi has joined #openstack-keystone18:57
openstackgerritMerged openstack/keystoneauth: Don't save version into the dictionary
*** e0ne has quit IRC19:02
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Refactor certificate fetch functions
*** ankita_wagh has joined #openstack-keystone19:03
*** lhcheng_ is now known as lhcheng19:05
*** ChanServ sets mode: +v lhcheng19:05
openstackgerritMerged openstack/keystoneauth: Remove the factory from service catalog
*** emagana has quit IRC19:10
*** emagana has joined #openstack-keystone19:13
*** _cjones_ has joined #openstack-keystone19:18
*** ankita_wagh has quit IRC19:24
*** ankita_wagh has joined #openstack-keystone19:25
*** ankita_wagh has quit IRC19:29
openstackgerritDoug Hellmann proposed openstack/pycadf: Remove
*** ctina_ has quit IRC19:43
*** samueldmq has quit IRC19:47
*** HenryThe8th has quit IRC19:50
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: validate_token returns AccessInfo
bknudsonayoung: you might find this interesting ^ (WIP)19:52
*** HenryG has joined #openstack-keystone19:54
*** HenryG has quit IRC19:55
*** HenryG has joined #openstack-keystone19:56
*** spandhe has quit IRC20:03
*** HenryG has quit IRC20:16
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements
*** emagana has quit IRC20:21
*** HenryG has joined #openstack-keystone20:21
*** emagana has joined #openstack-keystone20:23
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements
ayoungbknudson, you are right, I find it interesting20:32
*** emagana has quit IRC20:32
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: validate_token returns AccessInfo
*** samleon has quit IRC20:34
*** samleon has joined #openstack-keystone20:34
*** samleon has quit IRC20:35
*** _dguerri is now known as dguerri20:38
openstackgerritMerged openstack/keystoneauth: Make ServiceCatalog take an actual catalog
*** lhcheng has quit IRC20:45
*** lhcheng has joined #openstack-keystone20:46
*** ChanServ sets mode: +v lhcheng20:46
*** lhcheng has quit IRC20:46
*** dguerri is now known as _dguerri20:47
*** lhcheng has joined #openstack-keystone20:49
*** ChanServ sets mode: +v lhcheng20:49
openstackgerritMerged openstack/keystoneauth: AccessInfo is not a dict
*** _dguerri is now known as dguerri20:54
*** spandhe has joined #openstack-keystone20:58
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: validate_token returns AccessInfo
*** emagana has joined #openstack-keystone21:06
*** mattfarina has quit IRC21:07
*** ajayaa has joined #openstack-keystone21:07
*** joesavak has quit IRC21:10
*** sharky1 has joined #openstack-keystone21:10
*** sharky1 has left #openstack-keystone21:12
*** packet has joined #openstack-keystone21:13
*** iamjarvo has quit IRC21:15
*** Ephur has joined #openstack-keystone21:16
*** meera has quit IRC21:16
*** boris-42 has quit IRC21:18
*** browne has quit IRC21:21
*** iamjarvo has joined #openstack-keystone21:21
*** iamjarvo has quit IRC21:21
*** iamjarvo has joined #openstack-keystone21:22
*** packet has quit IRC21:23
sigmavirus24o/ morganfainberg21:28
*** emagana has quit IRC21:28
*** iamjarvo has quit IRC21:28
*** emagana has joined #openstack-keystone21:31
*** stevemar has quit IRC21:49
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: validate_token returns AccessInfo
*** gordc has quit IRC21:53
*** dimsum__ has quit IRC21:56
morganfainbergbknudson: you interested in keystone +2 powers for stable?21:56
morganfainbergbknudson: i'd like to add one more keystone core to stable maint for keystone21:56
*** dimsum__ has joined #openstack-keystone21:56
bknudsonmorganfainberg: sure.21:56
morganfainbergbknudson: mostly because i think you know all the stable policy stuff having dealt with oslo and other things21:57
morganfainbergbknudson: so less explaining :)21:57
morganfainbergbknudson: and well.. python robot!21:57
morganfainbergbknudson: cool i'll add you21:57
bknudsonstable reviews are easy21:57
morganfainbergbknudson: yeah i just feel like a bottleneck with them atm *or* i write them and then need to find other stable folks to +221:58
openstackgerritJamie Lennox proposed openstack/keystoneauth: Don't return default for domain in v2 accessinfo
*** harlowja has joined #openstack-keystone22:17
jamielennoxmorganfainberg: do you have a script you were using for ksa for bringing across files from ksc?22:18
morganfainbergjamielennox: it requires merge commits to do now.22:18
morganfainbergjamielennox: and that gets icky22:19
morganfainbergjamielennox: sort-of.22:19
morganfainbergjamielennox: it was a combination of by-hand and a script to filter-branch22:19
jamielennoxthere's a couple of test files i think you missed, should i just c&p and propose them again?22:19
morganfainbergjamielennox: just c&p22:19
morganfainbergjamielennox: it is a lot less headache, we got most of the history we care about22:19
*** emagana has quit IRC22:21
morganfainbergjamielennox: feel free to +A the default domain change ^^ when jenkins passes22:23
openstackgerritJamie Lennox proposed openstack/keystoneauth: Copy missed test_fixtures from keystoneclient
openstackgerritJamie Lennox proposed openstack/keystoneauth: Add endpoint and service ids to fixtures
*** sigmavirus24 is now known as sigmavirus24_awa22:29
*** ajayaa has quit IRC22:30
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: validate_token returns AccessInfo
morganfainbergbknudson: you are now keystone-stable-maint22:35
morganfainbergbknudson: make sure you've 2x checked stable-maint policies etc. not that they are crazy or not mostly common sense22:36
morganfainbergbknudson: and now i can be less bottle-neck on keystone stable stuff22:36
morganfainbergbknudson: and the whole reason - your +1 here can become a +222:36
morganfainberg(whole reason this topic started)22:37
bknudsonmorganfainberg: y, +222:37
*** emagana has joined #openstack-keystone22:38
mtreinishmorganfainberg: now that he +2'd it do you want me to remove him from the group :)22:38
morganfainberghaha no22:38
bknudsonthat's going to be a lot of mailing list traffic22:39
*** atiwari has joined #openstack-keystone22:43
*** packet has joined #openstack-keystone22:47
*** omkarjoshi has quit IRC22:48
*** markvoelker has quit IRC22:48
*** packet has quit IRC22:56
*** gokrokv__ has quit IRC22:58
*** ankita_wagh has joined #openstack-keystone23:02
*** omkarjoshi has joined #openstack-keystone23:15
*** boris-42 has joined #openstack-keystone23:18
*** lhcheng has quit IRC23:26
*** lhcheng has joined #openstack-keystone23:27
*** ChanServ sets mode: +v lhcheng23:27
*** wwwjfy has joined #openstack-keystone23:27
*** alexsyip has quit IRC23:33
*** browne has joined #openstack-keystone23:34
*** gyee has quit IRC23:35
*** josecastroleon has joined #openstack-keystone23:41
*** josecastroleon has quit IRC23:44
*** emagana has quit IRC23:52

Generated by 2.14.0 by Marius Gedminas - find it at!