Wednesday, 2015-06-03

« Tuesday, 2015-06-02 Index Thursday, 2015-06-04 »
*** hemna is now known as hemnafk00:01
*** lhcheng has joined #openstack-keystone00:02
*** ChanServ sets mode: +v lhcheng00:02
*** browne has joined #openstack-keystone00:03
*** dsirrine has quit IRC00:07
openstackgerritAlan Pevec proposed openstack/keystone: Run WSGI with group=keystone  https://review.openstack.org/18780000:21
*** dsirrine has joined #openstack-keystone00:22
*** Sayaji has quit IRC00:22
*** ncoghlan has joined #openstack-keystone00:24
openstackgerritAlan Pevec proposed openstack/keystone: disable admin_token by default  https://review.openstack.org/18546400:31
openstackgerritAlan Pevec proposed openstack/keystone: disable admin_token by default  https://review.openstack.org/18546400:33
*** gokrokve has quit IRC00:54
*** gokrokve has joined #openstack-keystone00:55
*** csoukup has joined #openstack-keystone00:55
*** gokrokve has quit IRC00:59
*** Raildo_ has joined #openstack-keystone01:02
*** Raildo has quit IRC01:04
*** _cjones_ has quit IRC01:06
*** samueldmq has joined #openstack-keystone01:08
dstanekgyee: did you get your answer?01:12
*** spandhe has quit IRC01:13
gyeedstanek, no, need your Python expertise01:14
dstanekgyee: what are you having trouble with?01:14
*** gokrokve has joined #openstack-keystone01:14
gyeedstanek, trying to lookup the package version from the code01:14
gyeedstanek, https://review.openstack.org/#/c/180769/10/keystonemiddleware/auth_token/__init__.py01:15
gyeeI was trying to help out Roxana01:15
*** ayoung has joined #openstack-keystone01:15
*** ChanServ sets mode: +v ayoung01:15
gyeebut I have no idea how to construct this string "{project}/{project_version} ksv.auth_token/{ksm_version}"01:15
gyeedstanek, I was thinking popen('pip freeze ...') but I thought better of it :)01:16
dstanekgyee: ah, ok. looking01:16
*** Raildo_ has quit IRC01:18
dstanekgyee: i was hoping that pbr had a new magic way to do it01:23
gyeedstanek, that would be awesome if it can01:23
dstanekwe can use the old standby of pkg_resources01:24
gyeeyou mean open the file and parse the content?01:24
dstaneksomething like pkg_resources.get_distribution('python-keystoneclient').version01:24
dstaneknot sure how you can get the distribution for the module you are currently in though01:25
gyeeyeah, if the package is not installed by pip, it won't help either01:27
gyeedstanek, ya think we have rpm for python-keystoneclient?01:28
gyeeor debian01:28
gyeemaybe we'll just make user-agent string configurable and let the config tools fill in the blank?01:29
*** alanf-mc has quit IRC01:31
*** browne has quit IRC01:31
*** tobe has joined #openstack-keystone01:33
dstanekgyee: not sure yet01:34
dstanekmorganfainberg: you commented about passing in the project name somehow. any ideas on how to do that?01:51
morganfainbergdstanek: hmm?01:55
morganfainbergoh.01:55
morganfainberguhhhhhhhhhh01:55
morganfainberghow do we pass the options for swift and other non-oslo-conforming projects?01:56
dstanekmorganfainberg: ah, yeah, sorry - no context for you01:56
morganfainbergthere was a review up about that01:56
dstanekapart from the useragent one?01:56
morganfainberglooking01:59
morganfainbergdstanek: what https://review.openstack.org/#/c/143063/ is trying to do02:00
morganfainbergdstanek: not rely on the global conf02:00
*** fangzhou has quit IRC02:00
dstanekoslo.config == make things hard/let's not worry about software design!02:01
dstanekmorganfainberg: that's just getting about the lack of registration - i need to find a way for the called to pass in some additional args02:02
dstanekmaybe just in the constructor of the middleware02:02
morganfainbergyeah02:02
morganfainbergthat is probably how it needs to work02:02
morganfainbergte whole "conf.project" thing seems specious02:03
*** dsirrine has quit IRC02:04
lifelessmorganfainberg: review 167194 might terrify you02:06
morganfainbergreally...02:07
morganfainbergwhy would you do that to me:P02:07
morganfainberglifeless: that is really frightening02:08
lifelessbecause you deserve it :)02:08
morganfainberglifeless: hah.02:09
morganfainbergthere are reasons i like my little world of identity02:09
morganfainberg*shiftyeyes*02:09
*** rushiagr_away is now known as rushiagr02:09
dstaneklifeless: very nice; that's pretty bad because it shows function arguments and those case can all kinds of secret data02:22
lifelessdstanek: yes :)02:23
lifelessdstanek: thus my -2 banhammer02:23
*** Kennan2 has joined #openstack-keystone02:37
*** davechen_afk is now known as davechen02:37
*** Kennan has quit IRC02:38
*** rushiagr is now known as rushiagr_away02:40
*** lhcheng_ has joined #openstack-keystone02:47
*** lhcheng has quit IRC02:47
*** Kennan2 is now known as Kennan02:49
*** dims__ has quit IRC02:56
openstackgerritguang-yee proposed openstack/keystone: Unable to list role assignments in Project  https://review.openstack.org/18084602:57
*** richm has quit IRC02:58
*** gyee is now known as operator9903:00
*** samueldmq has quit IRC03:03
*** nkinder_ has joined #openstack-keystone03:09
*** gokrokve_ has joined #openstack-keystone03:17
*** alanf-mc has joined #openstack-keystone03:21
*** gokrokve has quit IRC03:21
*** gokrokve_ has quit IRC03:21
*** alanf-mc has quit IRC03:25
*** spandhe has joined #openstack-keystone03:36
*** kiran-r has joined #openstack-keystone03:38
*** spandhe_ has joined #openstack-keystone03:42
*** spandhe has quit IRC03:43
*** spandhe_ is now known as spandhe03:43
*** markvoelker has quit IRC03:44
*** iamjarvo has joined #openstack-keystone03:49
openstackgerritDave Chen proposed openstack/keystone: Add testcases to test DefaultDomain  https://review.openstack.org/18585503:53
*** browne has joined #openstack-keystone03:55
openstackgerritDivya K Konoor proposed openstack/pycadf: Add api_audit_map.conf for Ceilometer project  https://review.openstack.org/18759304:11
*** topol has joined #openstack-keystone04:29
*** ChanServ sets mode: +v topol04:29
*** spandhe has quit IRC04:41
*** spandhe has joined #openstack-keystone04:45
*** markvoelker has joined #openstack-keystone04:45
*** _cjones_ has joined #openstack-keystone04:48
*** markvoelker has quit IRC04:50
*** lhcheng_ has quit IRC04:54
*** _cjones_ has quit IRC04:55
*** stevemar has quit IRC04:58
*** kiran-r has quit IRC04:59
*** mabrams has joined #openstack-keystone05:33
*** henrynash has joined #openstack-keystone05:37
*** ChanServ sets mode: +v henrynash05:37
*** henrynash has quit IRC05:37
*** topol has quit IRC05:38
*** lhcheng has joined #openstack-keystone05:46
*** ChanServ sets mode: +v lhcheng05:46
*** dguerri`away has quit IRC05:55
*** dguerri`away has joined #openstack-keystone05:57
*** dguerri`away is now known as dguerri05:57
*** iamjarvo has quit IRC05:58
*** josecastroleon has joined #openstack-keystone05:59
openstackgerritDave Chen proposed openstack/keystone: Fix the wrong order of parameters when using assertEqual  https://review.openstack.org/18786906:00
*** woodster_ has quit IRC06:00
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/18627906:05
*** kiran-r has joined #openstack-keystone06:10
*** csoukup has quit IRC06:17
*** henrynash has joined #openstack-keystone06:20
*** ChanServ sets mode: +v henrynash06:20
*** belmoreira has joined #openstack-keystone06:26
openstackgerritMerged openstack/keystonemiddleware: Don't store expire into memcache  https://review.openstack.org/17419606:33
*** markvoelker has joined #openstack-keystone06:34
*** markvoelker has quit IRC06:38
*** spandhe has quit IRC06:57
*** browne has quit IRC07:02
*** ncoghlan has quit IRC07:02
*** sudorandom has quit IRC07:16
*** Nakato has quit IRC07:16
*** pnavarro has joined #openstack-keystone07:17
openstackgerritguang-yee proposed openstack/keystone: Unable to list role assignments in Project  https://review.openstack.org/18084607:17
*** sudorandom has joined #openstack-keystone07:18
*** Nakato has joined #openstack-keystone07:18
*** bradjones has quit IRC07:20
*** bradjones has joined #openstack-keystone07:22
*** rlt_ has joined #openstack-keystone07:23
bretonmorning07:26
*** henrynash has quit IRC07:27
*** chlong has quit IRC07:37
*** belmoreira has quit IRC07:42
*** belmoreira has joined #openstack-keystone07:46
davechenlhcheng: ping?07:48
davechenlhcheng: Lin, do you know where is policy files used in the horizon?07:49
davechencan we edit or read it directly from the dashboard?07:49
evrardjpgood morning07:50
*** jistr has joined #openstack-keystone07:51
*** tobe has quit IRC07:52
*** henrynash has joined #openstack-keystone07:54
*** ChanServ sets mode: +v henrynash07:54
lhchengdavechen: horizon got a copy of the policy file in https://github.com/openstack/horizon/tree/master/openstack_dashboard/conf07:55
lhchengnot the ideal way,  would have utilized the policy api for this. But other projects didn't populate the policy api, so this is the best we can do so far.07:57
davechenlhcheng: yep, I found these files in the source, do you know where it used?07:57
lhchengdavechen: no, it can't be edited or viewed from the dashboard07:57
lhchengdavechen: it is used for all of the panels.07:57
*** dims_ has joined #openstack-keystone07:58
lhchengfor example: in Identity -> User table, available action displayed are based on the policy file.07:58
davechenlhcheng: okay.  so, when service API called, we need these file for policy enforcement?07:59
davechenlhcheng: got you.07:59
davechenlhcheng: many thanks, l will have a try.07:59
lhchengdavechen: one example: https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/identity/users/tables.py#L5008:00
lhchengIt checks the rule "identity:update_user" to determin if Edit User button should be available to the user.08:01
*** rushiagr_away is now known as rushiagr08:02
*** dims_ has quit IRC08:03
davechenlhcheng: yep, this is similar with the actions in the other services.08:03
davechenlhcheng: I am clear, just trying to understand why we need these files in the horizon and a copy of each service.08:04
*** fhubik has joined #openstack-keystone08:06
lhchengdavechen: when we get the rest of the projects to move to the centralized policy file, we can remove the copy here. somewhere down the long road. :)08:06
davechenlhcheng: hope so, the centralized policy is a attractive stuff.08:07
lhchengdavechen: yes, it will solve a lot of problem.08:09
lhchengdavechen: hitting the bed, have a good day!08:10
davechenlhcheng: some guys from nova is also watching at this, let's hope this could be happened in the 'L'08:10
davechenlhcheng: good night08:10
openstackgerritChenhong Liu proposed openstack/keystone: WIP: Add testcases of list_role_assignments of v3 domains  https://review.openstack.org/18789908:10
davechenlhcheng: have a sweet dream. :)08:10
*** Kennan2 has joined #openstack-keystone08:11
*** sudorandom has quit IRC08:11
lhchengdavechen: maybe I'll dream of the dynamic policy already used. hah08:11
*** Kennan has quit IRC08:11
lhchengbye!08:11
*** bdossant has joined #openstack-keystone08:12
davechenlhcheng: bye. :)08:12
*** Nakato has quit IRC08:13
*** henrynash has quit IRC08:13
*** tobe has joined #openstack-keystone08:14
*** Nakato has joined #openstack-keystone08:14
*** sudorandom has joined #openstack-keystone08:19
*** henrynash has joined #openstack-keystone08:19
*** ChanServ sets mode: +v henrynash08:19
*** henrynash has quit IRC08:21
*** markvoelker has joined #openstack-keystone08:22
*** henrynash has joined #openstack-keystone08:23
*** ChanServ sets mode: +v henrynash08:23
*** markvoelker has quit IRC08:27
*** henrynash has quit IRC08:28
*** henrynash has joined #openstack-keystone08:30
*** ChanServ sets mode: +v henrynash08:30
*** henrynash has quit IRC08:31
*** spandhe has joined #openstack-keystone08:31
*** henrynash has joined #openstack-keystone08:39
*** ChanServ sets mode: +v henrynash08:39
*** henrynash has quit IRC08:41
*** henrynash has joined #openstack-keystone08:42
*** ChanServ sets mode: +v henrynash08:42
*** e0ne has joined #openstack-keystone08:46
*** henrynash has quit IRC08:47
*** henrynash has joined #openstack-keystone08:48
*** ChanServ sets mode: +v henrynash08:48
*** henrynash has quit IRC08:52
*** e0ne is now known as e0ne_09:01
*** e0ne_ is now known as e0ne09:01
*** tellesnobrega has quit IRC09:07
*** fhubik is now known as fhubik_afk09:15
*** afazekas has joined #openstack-keystone09:22
*** fhubik_afk is now known as fhubik09:39
*** davechen is now known as davechen_afk09:43
*** e0ne is now known as e0ne_09:55
*** e0ne_ is now known as e0ne09:57
*** davidckennedy has joined #openstack-keystone09:59
*** tellesnobrega has joined #openstack-keystone10:02
*** dims_ has joined #openstack-keystone10:06
*** lhcheng has quit IRC10:07
*** markvoelker has joined #openstack-keystone10:11
*** fhubik is now known as fhubik_afk10:15
*** markvoelker has quit IRC10:15
*** mabrams has quit IRC10:23
*** spandhe has quit IRC10:23
*** samueldmq has joined #openstack-keystone10:23
samueldmqmorning10:32
openstackgerritDavid Charles Kennedy proposed openstack/keystonemiddleware: Enforce endpoint constraint  https://review.openstack.org/17766110:32
samueldmqayoung, hi, dynamic policies look to be shaking people up10:41
samueldmqayoung, and it's said there is a lot of interest on it o/10:42
samueldmqayoung, that's a lot of motivation :)10:42
*** Dave has joined #openstack-keystone10:44
*** fhubik_afk is now known as fhubik10:53
*** fhubik is now known as fhubik_afk11:15
*** aix has quit IRC11:25
*** rushiagr is now known as rushiagr_away11:25
*** e0ne is now known as e0ne_11:32
*** markvoelker has joined #openstack-keystone11:42
*** e0ne_ has quit IRC11:42
*** woodster_ has joined #openstack-keystone11:44
*** markvoelker has quit IRC11:46
*** tobe has quit IRC11:56
*** Raildo has joined #openstack-keystone11:56
*** mabrams has joined #openstack-keystone11:56
*** tobe has joined #openstack-keystone11:57
*** e0ne has joined #openstack-keystone11:58
*** aix has joined #openstack-keystone12:00
*** fhubik_afk is now known as fhubik12:01
*** markvoelker has joined #openstack-keystone12:01
*** tobe has quit IRC12:02
openstackgerritMarek Denis proposed openstack/keystoneauth: Add default domain to fixture.v3.V3FederationToken  https://review.openstack.org/18751612:07
*** avozza is now known as zz_avozza12:16
*** zz_avozza is now known as avozza12:17
*** iurygregory has joined #openstack-keystone12:22
*** avozza has left #openstack-keystone12:25
*** kiranr has joined #openstack-keystone12:34
*** kiran-r has quit IRC12:34
*** gordc has joined #openstack-keystone12:38
*** henrynash has joined #openstack-keystone12:38
*** ChanServ sets mode: +v henrynash12:38
*** kiranr has quit IRC12:39
*** iurygregory has quit IRC12:40
*** iamjarvo has joined #openstack-keystone12:41
*** iurygregory has joined #openstack-keystone12:45
*** rwsu has joined #openstack-keystone12:54
*** bknudson has joined #openstack-keystone12:56
*** ChanServ sets mode: +v bknudson12:56
*** jistr is now known as jistr|mtg12:57
*** mattfarina has joined #openstack-keystone13:04
*** Raildo_ has joined #openstack-keystone13:04
*** dsirrine has joined #openstack-keystone13:05
dolphmbknudson: i'm happy to +A this now, but wanted to find out if you intended to make another patchset first https://review.openstack.org/#/c/187751/ cc- morganfainberg13:07
*** Raildo has quit IRC13:07
bknudsondolphm: I can try to come up with some comments... not sure what the comment is but I'll try to come up with something13:09
bknudsonI don't think we can switch to isoformat() in any number of steps13:09
dolphmbknudson: agree, unless timeutils is changed first13:10
dolphmi was thinking about adding oslo to bug 1461251 for unacceptable impact13:10
openstackbug 1461251 in Keystone "Stop using deprecated oslo_utils.timeutils.isotime" [Critical,In progress] https://launchpad.net/bugs/1461251 - Assigned to Brant Knudson (blk-u)13:10
*** henrynash has quit IRC13:11
dims_dolphm: i am tending to agree, yes, please13:12
bknudsondolphm: considering the effect of the deprecating it, I agree it would be better for oslo to not deprecated13:12
*** Raildo__ has joined #openstack-keystone13:12
*** pnavarro has quit IRC13:12
dolphmdims_: working on it now13:12
bknudsonIf oslo un-deprecates then we can just abandon my fixes13:12
bknudsonif oslo really wants this function gone then we'll have to figure out something.13:13
dims_bknudson: ack. at least it started the conversation that there are issues with the timeutils and at some point folks have to move up somehow. let's talk to jd__ and un-deprecate it13:13
*** richm has joined #openstack-keystone13:14
dims_bknudson: we rolled back one change in oslo.serialization related to this isotime13:14
*** pnavarro has joined #openstack-keystone13:15
bknudson" YYYY-MM-DDTHH:MM:SS.mmmmmm or, if microsecond is 0, YYYY-MM-DDTHH:MM:SS" -- this is going to be an issue with isoformat -- sometimes it has microseconds and sometimes it doesn't13:15
*** Raildo_ has quit IRC13:15
*** stevemar has joined #openstack-keystone13:17
*** ChanServ sets mode: +v stevemar13:17
dolphmbknudson: it's actually based on non-zero microseconds?13:17
dolphmas in, blatant transient issue...?13:17
bknudsondolphm: yes, whether it includes the microseconds or not13:17
* dolphm *facepalm*13:18
bknudsonright, it's usually going to include the microseconds13:18
bknudsonthe chances are slim of getting 0, but if it happens to you you're going to be confused13:18
dolphmand tempest is going to balk13:19
dolphmthere's probably already a bug report floating around somewhere13:20
dolphmor at least some failed gate jobs that someone blindly rechecked13:20
*** Raildo__ has quit IRC13:21
*** zzzeek has joined #openstack-keystone13:23
bknudsondims_: what was the reason for rolling back the oslo.serialization change? is there a bug?13:26
dims_bknudson: we changed the wireformat and nova cells did not like it13:28
dims_bknudson: not an api change13:28
bknudsonthat's pretty much the same issue we'd have with changing the timestamp format in a token13:28
*** jsavak has joined #openstack-keystone13:32
openstackgerritBrant Knudson proposed openstack/keystone: Switch from deprecated isotime  https://review.openstack.org/18775113:32
bknudsonthat's interesting that isotime has subsecond=False... you'd think we'd usually want subsecond resolution13:34
bknudsoncomputers can do a lot in a second13:34
*** fhubik is now known as fhubik_afk13:34
*** fhubik_afk is now known as fhubik13:35
*** fhubik is now known as fhubik_afk13:35
dims_bknudson: this is the one i mentioned - https://review.openstack.org/#/c/187306/13:35
*** henrynash has joined #openstack-keystone13:36
*** ChanServ sets mode: +v henrynash13:36
bknudsonthe change in the test makes it pretty obvious that it's breaking backwards-compat13:37
bknudsonhttps://review.openstack.org/#/c/187306/2/oslo_serialization/jsonutils.py changed a use of isoformat() to strtime() ... but I thought we were supposed to switch to isoformat13:38
*** iamjarvo has quit IRC13:38
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone-specs: Listing policies filtered by service endpoint URL  https://review.openstack.org/18676513:39
samueldmqayoung, dolphm ^13:39
ayoungsamueldmq, um...13:40
*** mabrams has left #openstack-keystone13:40
ayoungwe probably need to merge that to a single policy.  Is that how it  works now?  returns multiple?13:40
*** gokrokve has joined #openstack-keystone13:41
samueldmqayoung, the return of /policies is a list13:41
*** e0ne is now known as e0ne_13:41
*** e0ne_ is now known as e0ne13:41
samueldmqayoung, although a call closer to /policy?endpoint_url=<...> would make more sense13:41
samueldmqayoung, since (at least for now) we have only a policy per endpoint13:42
*** fhubik_afk is now known as fhubik13:42
ayoungsamueldmq, yeah.  that was my intention here13:42
ayoungoh, well, this is probably right....I need to think about it.13:43
*** dan_ has joined #openstack-keystone13:43
*** dan_ is now known as Guest8367913:43
samueldmqayoung, ok13:45
*** henrynash has quit IRC13:46
samueldmqayoung, also I need to talk to you regarding the unified policy thing, although I need to go in a bit13:46
*** geoffarnold_ is now known as geoffarnold13:47
samueldmqayoung, did you see sdague's comment in the ML ?13:47
ayoungsamueldmq, yeah, unified is going to take some work.  But it will be worth it in the long run.13:47
openstackgerritMerged openstack/keystonemiddleware: Depend on keystoneclient for expiration checking  https://review.openstack.org/17419713:48
samueldmqayoung, basically, policies change in different timings for different projects, unifying them may be a trap when services changes its their APIs13:48
samueldmqayoung, services versions would be very dependent on the new policy management service version13:49
samueldmqayoung, people shoudl be free from having to do lock step upgrades of everything all at once, not make them have to do more of that13:49
samueldmqayoung, I think this point is fair, and we really need to consider it13:49
ayoungsamueldmq, let me catch up...they are all good points.13:49
samueldmqayoung, yes, I had a conversation earlier with sdague in the nova channel, you can take a look there later if you want13:50
*** dsirrine has quit IRC13:50
*** fhubik is now known as fhubik_afk13:53
samueldmqayoung, I need to go afk for a bit, back soon (time to you to catch up) :)13:53
*** henrynash has joined #openstack-keystone13:54
*** ChanServ sets mode: +v henrynash13:54
*** sigmavirus24_awa is now known as sigmavirus2413:54
*** gokrokve has quit IRC13:57
*** gokrokve has joined #openstack-keystone13:58
*** jistr|mtg is now known as jistr13:59
*** topol has joined #openstack-keystone13:59
*** ChanServ sets mode: +v topol13:59
*** dsirrine has joined #openstack-keystone14:02
*** csoukup has joined #openstack-keystone14:02
*** Kennan2 has quit IRC14:02
*** Kennan has joined #openstack-keystone14:03
lbragstadhenrynash: around? wondering if this has something to do with the sql domain stuff -- https://bugs.launchpad.net/keystone/+bug/146129914:04
openstackLaunchpad bug 1461299 in Keystone "Failure on list users when using ldap domain configuration from database" [Undecided,New] - Assigned to Roxana Gherle (roxana-gherle)14:04
henrynashlbragstad: looking14:05
rodrigodsmarekd, stevemar what was the conclusion regarding the mapping lib?14:07
rodrigodscouldn't attend the meeting yesterday14:07
marekdrodrigods: stays in keystone14:07
rodrigodshmm14:07
henrynashlbragstad: I’ve asked for a debug log….sicne can’t really tell from the initial info where the problem lies14:09
openstackgerritDivya K Konoor proposed openstack/pycadf: Add api_audit_map.conf for Ceilometer project  https://review.openstack.org/18759314:09
*** blewis has joined #openstack-keystone14:09
lbragstadhenrynash: yeah, it seemed a little vague, but want to check with you if it seemed like it was on that path14:09
henrynashlbragstad: sounds lile some error we are throwing that is badly formatted….coul dbe in teh domain config stuff, yes14:11
dstaneklbragstad: henrynash: looks like someone is using str() on one of the object returned by the i18n helpers14:12
*** samuel-dmq has joined #openstack-keystone14:12
lbragstaddstanek: ++14:12
*** fhubik_afk is now known as fhubik14:12
*** triggerz is now known as tobasco14:14
*** blewis has quit IRC14:18
bknudsonour team in china has the DB2 CI running again -- http://dal05.objectstorage.softlayer.net/v1/AUTH_58396f85-2c60-47b9-aaf8-e03bc24a1a6f/cilog/51/187751/1/only-comments/ibm-db2-ci-keystone/c58ba2b/14:18
bknudsonthey're wondering if they can get approval to start posting results for all change sets14:18
bknudsonI'll add it to the meeting agenda, but would be nice to not have to wait a week14:19
*** blewis has joined #openstack-keystone14:19
dstanekbknudson: why was the time function deprecated in oslo?14:20
samuel-dmqbknudson, it runs keystone tests against DB2, right ?14:20
*** blewis` has joined #openstack-keystone14:20
samuel-dmqbknudson, I remember to already have seen this in the past14:20
bknudsondstanek: here's the review that deprecated it: https://review.openstack.org/#/c/182602/14:22
bknudsonsamuel-dmq: the DB2 CI sets up a system with DB2 and runs some tempest tests... so it goes through the migration and exercises some functions14:23
bknudsonsamuel-dmq: it was turned off after it started posting failures for no reason. The team in china has been working to fix the problems and they say it's working now.14:23
*** henrynash has quit IRC14:24
*** blewis has quit IRC14:24
samuel-dmqbknudson, nice, I think it would be great to have it back14:24
samuel-dmqbknudson, although I think it would be non-voting so them we can ensure it is working well again14:24
*** david-lyle has quit IRC14:25
bknudsonsamuel-dmq: y... I don't think it's possible to make external CI jobs voting.14:25
samuel-dmqbknudson, nice, makes sense14:26
*** timcline has joined #openstack-keystone14:27
*** rwsu has quit IRC14:31
*** henrynash has joined #openstack-keystone14:31
*** ChanServ sets mode: +v henrynash14:31
*** henrynash has quit IRC14:32
*** iamjarvo has joined #openstack-keystone14:32
*** iamjarvo has quit IRC14:32
*** iamjarvo has joined #openstack-keystone14:33
*** pnavarro has quit IRC14:34
*** raildo has joined #openstack-keystone14:39
*** afazekas has quit IRC14:43
*** henrynash has joined #openstack-keystone14:44
*** ChanServ sets mode: +v henrynash14:44
*** henrynash has quit IRC14:44
*** henrynash has joined #openstack-keystone14:45
*** ChanServ sets mode: +v henrynash14:45
davidckennedyHad me worried there for a second ayoung until I realised I'd already pushed https://review.openstack.org/#/c/153296/ into the canal.14:48
*** fhubik is now known as fhubik_afk14:49
ayoungdavidckennedy, heh15:01
ayoungdavidckennedy, you happy with the direction we are headed with endpoint binding?15:01
ayoungdavidckennedy, btw, gyee is wrong in his comment15:02
ayoung"It should use the "default" rule if global target is not defined in policy.json."  no it should not.  That rule will be enforced later on.15:03
*** kiran-r has joined #openstack-keystone15:05
*** henrynash has quit IRC15:08
*** henrynash has joined #openstack-keystone15:09
*** ChanServ sets mode: +v henrynash15:09
*** HT_sergio has joined #openstack-keystone15:10
*** iamjarvo has quit IRC15:10
*** bdossant has quit IRC15:11
*** kiran-r has quit IRC15:13
*** iamjarvo has joined #openstack-keystone15:14
*** mestery_ has joined #openstack-keystone15:17
*** rwsu has joined #openstack-keystone15:19
*** mestery has quit IRC15:20
marekdgyee, stevemar: please look at it https://review.openstack.org/#/c/187516/315:24
*** fhubik_afk is now known as fhubik15:25
openstackgerritMarek Denis proposed openstack/keystoneauth: Add protocol docstring in FederationBaseAuthPlugin  https://review.openstack.org/18761015:28
*** fhubik has quit IRC15:30
*** mestery_ is now known as mestery15:30
*** henrynash has quit IRC15:32
*** e0ne is now known as e0ne_15:32
*** kiran-r has joined #openstack-keystone15:35
*** e0ne_ is now known as e0ne15:35
*** david-lyle has joined #openstack-keystone15:39
*** hemnafk is now known as hemna15:41
*** david-lyle has quit IRC15:47
*** david-lyle has joined #openstack-keystone15:53
*** radez_g0n3 is now known as radez16:01
*** davidchep has joined #openstack-keystone16:03
*** rushiagr_away is now known as rushiagr16:03
*** samuel-dmq has quit IRC16:05
*** belmoreira has quit IRC16:07
*** _cjones_ has joined #openstack-keystone16:07
*** jistr has quit IRC16:11
*** gokrokve_ has joined #openstack-keystone16:12
*** afazekas has joined #openstack-keystone16:12
*** kiranr has joined #openstack-keystone16:14
*** kiran-r has quit IRC16:14
*** gokrokve has quit IRC16:14
*** dims_ has quit IRC16:18
*** dims_ has joined #openstack-keystone16:18
*** SaintAardvark has joined #openstack-keystone16:19
*** gordc is now known as gordc_afk16:19
*** dims__ has joined #openstack-keystone16:20
*** jamielennox is now known as jamielennox|away16:21
*** david-lyle has quit IRC16:22
*** spandhe has joined #openstack-keystone16:22
*** gyee has joined #openstack-keystone16:23
*** ChanServ sets mode: +v gyee16:23
*** alanf-mc has joined #openstack-keystone16:24
*** dims_ has quit IRC16:24
*** spandhe has quit IRC16:27
*** lhcheng has joined #openstack-keystone16:32
*** ChanServ sets mode: +v lhcheng16:32
ayoungdavid8hu, davidckennedy samueldmq, davechen_afk I'm going to push for having policy based discussions on openstack-dev for now, to make it more of a Cross project  effort.  Can you guys check in there, please, if you are not already16:33
*** kiranr has quit IRC16:36
*** _kiran_ has joined #openstack-keystone16:36
david8huayoung, yes, I do subscribe to openstack-dev mailing list.  I think it is a good idea since it gets a lot more exposure.16:36
*** dand has joined #openstack-keystone16:38
*** dand has left #openstack-keystone16:38
dstanekmorganfainberg, bknudson, gyee: this is what i was thinking for the useragent fix - http://paste.openstack.org/show/259856/16:38
gyeeayoung, I am confused by your policy fetch interval email16:38
dstaneki just don't like how we get project, but i don't know what would be the right way16:38
*** dand has joined #openstack-keystone16:38
gyeethought we only fetch on the needed basis16:39
gyeedstanek, looking16:39
ayounggyee, fetch and cache, hold for 1 minute (or 5)16:39
ayoungif the cache is invalid, refetch16:39
gyeeayoung,  no, I thought we are going with burning the policy hash in the token16:39
*** marzif_ has joined #openstack-keystone16:39
ayounggyee, not this go-round16:39
gyeeand fetch only if the policy version is not found in the cache16:39
bknudsondstanek: that's neat.16:39
ayounggyee, maybe long term...but I was not proposing that yet16:40
gyeeayoung, why not?16:40
gyeelets do this right16:40
bknudsondstanek: seems like anything is better than what we've got16:40
dstanekbknudson: there isn't any tests on the original review so i have to get a few of those before i resubmit16:40
ayounggyee, write up the spec.  I have no problem with it....that I can think of off the top of my head.16:40
gyeeas sean mentioned, we want to avoid roundtrips to keystone as much as possible16:40
bknudsontests? what for?16:40
bknudsonthat just slows us down16:41
gyeeayoung, sure16:41
dstanekcan i quote you on that?16:41
ayounggyee, it will increas token payload, but only a little bit...woud not need to be in the signed portion of the fernet tokens...I think?16:41
stevemarmorganfainberg, are we doing a point release of ksc to release jamielennox's? ec2 stuff?16:41
*** _kiran_ has quit IRC16:41
ayoungin fact...we would not want it in the signed portion16:42
gyeeayoung, exactly16:42
gyeebecause fernet tokens are constructed on validation16:42
gyeedstanek, that works only if the package is installed via pip right?16:43
ayounggyee, what would we do about PKI?  Just leave the old policy in place?16:43
gyeeayoung, sure, default policy is a fallback16:43
gyeebut it should be configurable16:43
gyeethat's how it works today I think16:44
dstanekgyee: pip or distutils16:44
ayoungrevoke by policyid?16:45
ayoungheh16:45
gyeedstanek, I am afraid if the package is installed via rpm, debian, etc, this won't work16:45
dstanekgyee: i'll test, but it should16:45
gyeeayoung, actually, revoke by policy ain't bad16:46
gyeedstanek, that would be awesome if its package agnostic16:46
*** gokrokve has joined #openstack-keystone16:46
stevemarmorganfainberg, can someone else release keystoneclient? cc dou.. dh.. dammit16:46
dstanekgyee: checking on debian now16:48
ayounggyee, so...getting the policy ID into the token would be, I think, after a fetch and cache strategy.  We need to go incremental here, but we can certainly get that spec written and prioritized.16:48
*** gokrokve_ has quit IRC16:49
*** gokrokve has quit IRC16:51
morganfainbergstevemar: jamielennox|away can. I just didn't push the tag. Will be done this morning.16:53
gyeeayoung, agree, baby steps I suppose16:55
gyeedstanek, thanks!16:55
*** afazekas has quit IRC16:55
*** belmoreira has joined #openstack-keystone16:58
dstanekgyee: success16:59
dstanekgyee: on a virgin debian 7 boxen http://paste.openstack.org/show/259868/16:59
gyeedstanek, nice! U DA MAN!17:00
dstanekgyee: i may test fedora just for fun17:01
*** dand has quit IRC17:03
*** spandhe has joined #openstack-keystone17:03
gyeelet me get an HP monkey to test hLinux17:03
gyeestevemar, bknudson, you guys buying bluebox :)17:04
*** roxanaghe has joined #openstack-keystone17:05
gyeeroxanaghe, say hi to dstanek17:08
stevemargyee, not me personally, but apparently yes17:09
*** afazekas has joined #openstack-keystone17:09
roxanaghehaha17:09
roxanaghehi dstanek, looking forward for your patch :)17:09
gyeeroxanaghe, dstanek like his thanks in the form of beer17:10
gyeeI think17:10
dstanekhi roxanaghe17:10
dstanekgyee: who wouldn't?17:10
roxanaghethat can be arranged of course17:10
roxanagheanything for an expert patch17:11
*** jsavak has quit IRC17:11
*** radez is now known as radez_g0n317:11
*** david-lyle has joined #openstack-keystone17:13
*** david-lyle has quit IRC17:13
*** josecastroleon has quit IRC17:14
*** dand has joined #openstack-keystone17:14
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/18693217:15
*** david-lyle has joined #openstack-keystone17:15
*** dguerri is now known as dguerri`away17:15
*** rushiagr is now known as rushiagr_away17:15
openstackgerritMerged openstack/pycadf: Add api_audit_map.conf for Ceilometer project  https://review.openstack.org/18759317:16
dstanekgyee: centos is a pain, but it works17:16
*** e0ne has quit IRC17:17
gyeedstanek, centos using apt-get right?17:18
dstanek?17:18
gyeewhat's centos's package management? apt-get?17:19
dstanekyum, it's based on RHEL17:19
*** spandhe has quit IRC17:22
roxanaghedstanek, for the user-agent patch - do you think we also need a code change in swift - in order to pass a project='swift' type of value ?17:23
roxanagheI've been looking to see if there is any good configuration value set for swift that we can use in keystonemiddleware.auth_token..17:24
roxanaghebut I didin't find one yet17:24
*** iamjarvo has quit IRC17:24
*** iamjarvo has joined #openstack-keystone17:26
dstanekroxanaghe: the way i have it coded make it unnecessary, but it would be nice to somehow know it's switf17:27
dstanekroxanaghe: did you see the paste i created?17:28
*** david-lyle has quit IRC17:28
roxanagheyup, gyee forwarded it to me17:28
roxanaghebut with that code you still won't have a user-agent for swift17:29
roxanaghedstanek ^^17:29
*** lihkin has joined #openstack-keystone17:30
openstackgerritMerged openstack/keystoneauth: Add default domain to fixture.v3.V3FederationToken  https://review.openstack.org/18751617:32
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/18693217:33
*** geoffarnold has quit IRC17:35
dstanekroxanaghe: not the correct user-agent at leaset17:35
*** samleon has joined #openstack-keystone17:38
*** henrynash has joined #openstack-keystone17:38
*** ChanServ sets mode: +v henrynash17:38
*** gordc_afk is now known as gordc17:39
*** iamjarvo has quit IRC17:39
*** kiran-r has joined #openstack-keystone17:41
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/18693217:44
*** radez_g0n3 is now known as radez17:46
*** iamjarvo has joined #openstack-keystone17:52
gyeehenrynash, for the list role assignment for subtree spec, I have a mockup impl here https://review.openstack.org/#/c/180846/17:53
*** dguerri`away is now known as dguerri17:59
*** RichardRaseley has joined #openstack-keystone18:00
*** lihkin has quit IRC18:01
RichardRaseleyPardon the possibly incorrect terminology, but is the Keystone v3 API a requirement for us to use a 'split identity' configuration? For example, I want my OpenStack services accounts (and role assignments) in the SQL backend, but integrate with LDAP for user identities.18:01
*** kiran-r has quit IRC18:02
*** belmoreira has quit IRC18:02
*** lihkin has joined #openstack-keystone18:02
*** tqtran has joined #openstack-keystone18:04
gyeeRichardRaseley, yes, domain-specific backend is a V3 feature only18:05
openstackgerritAlexander Makarov proposed openstack/keystone: Revocation engine refactoring  https://review.openstack.org/18813118:06
RichardRaseleygyee: Thank you, that helps tremendously.18:06
bknudsonv2 doesn't support domains, it only works with "default" domain18:06
*** afazekas has quit IRC18:07
*** spandhe has joined #openstack-keystone18:07
bretonmemcache_pool is terrible.18:09
*** amakarov_away is now known as amakarov18:09
*** rlt_ has quit IRC18:10
amakarovbreton, it gets all it can out of the horrible python-memcached :)18:10
dstanekbreton: in  other apps i've worked on i've never had a need for anything like it18:11
bretonyeah, python-memcached is terrible too.18:12
bretonwe rewrite more and more portions of it to make it scalable and HA18:13
dstanekpython-memcached will probably be replaced by one of the alternatives soon - there is already a plan for it18:17
*** amakarov is now known as amakarov_away18:18
*** marzif_ has quit IRC18:19
*** marzif_ has joined #openstack-keystone18:19
zzzeekhey keystone, is “DeprecationWarning: Using function/method 'oslo_utils.timeutils.isotime()' is deprecated in version '1.6' and will be removed in a future version: use datetime.datetime.isoformat()” something you are all dealing with or is my specific test environment (I run a subset of Keystone tests against SQLAlchemy master) needing changes ?18:21
dstanekzzzeek: yes, bknudson has a fix to disable the error18:21
bknudsonzzzeek: the fix is working it's way through the gate -- https://review.openstack.org/#/c/187751/18:21
zzzeekdstanek: ok great :)18:21
zzzeekbknudson: thanks18:21
*** elmiko has joined #openstack-keystone18:31
elmikodolphm: hey, do you have a minute to talk about the api-wg ?18:31
dolphmelmiko: what's up?18:31
elmikonot much, i'm just doing some outreach to the listed liaisons to raise some awareness of a few docs that currently in the works18:31
dolphmelmiko: hit me!18:32
elmikoone is a set of proposed merge guidelines for the wg process; https://review.openstack.org/#/c/186836/18:32
elmikothe other is some liaison responsibilities that the nova folks have put together to experiment with; https://wiki.openstack.org/wiki/Nova/APIWGLiaisons18:32
elmikoi think in the next few weeks we will start to ramp up our messaging on the ml about upcoming guidelines18:33
elmikothe biggest change is our effort to get more inclusion of the liaisons in the final guideline merge process18:33
*** david-lyle has joined #openstack-keystone18:33
elmikoso, i'm just making the rounds and saying hi to everyone, passing the links on =)18:33
dolphmelmiko: cool, i'll review/read both18:34
elmikoand of course, if you have any questions or concerns we're usually hanging out in openstack-api, and i'm mostly pingable18:34
elmikodolphm: cool, thanks for your time =)18:34
*** spandhe has left #openstack-keystone18:35
dolphmelmiko: ooh, another channel to join!18:35
elmikohehe18:35
*** gokrokve has joined #openstack-keystone18:39
morganfainbergstevemar, jamielennox|away: python-keystoneclient 1.6.0 released18:39
bknudsonon to 2.0!18:39
morganfainbergstevemar, jamielennox|away: cna one of you send the release notes to the ML for me?18:39
morganfainbergi need to duck into another meeting18:39
*** aix has quit IRC18:39
morganfainbergbknudson: ^ cc18:39
* morganfainberg forgot to push the tag last night or it would have already been sent18:40
*** elmiko has left #openstack-keystone18:48
*** spandhe has joined #openstack-keystone18:49
lifelessbknudson: hai18:50
bknudsonlifeless: hi18:50
lifelessbknudson: if you have time to talk about the multiple requirements file thing, I'd like that18:50
lifelessbknudson: as in, why are there multiple test requirements files for keystone18:50
bknudsonlifeless: sure.18:50
lifelesswhat triggers adding new ones18:51
bknudsonthere's one for py26, one for py3318:51
bknudsonone for -bandit18:51
bknudsonone for functional tests18:51
bknudsonI think that's it18:51
lifelessthe py26 and 33 ones will go away entirely with environment markers, which should be usable with the next image that infra successfully build18:51
openstackgerritMerged openstack/keystone: Switch from deprecated isotime  https://review.openstack.org/18775118:52
lifelesswhats in the bandit and functional ones ? what drove creating dedicated files?18:52
bknudsony, and once we get all our deps working with py34 then we'll only need the one18:52
lifelesscould you expand on that? With marks you should be able to have just one right now18:52
lifeless'markers'18:53
bknudsonlifeless: for the functional tests, we had the requirements in tox.ini18:53
bknudsonlifeless: do you have docs on using markers? <-- dstanek18:53
bknudsonlifeless: since the reqs were in tox.ini, they weren't updated automatically by the tool so they were out of date18:53
lifelesshttp://docs.openstack.org/developer/pbr/#environment-markers18:54
dstanekoh, neat18:54
lifelessI'm doing the work to make update.py update setup.cfg atm18:54
dstanekusing that for functional tests is a good idea18:54
lifelessso I don't see anything problematic in test-requirements-functional18:54
lifelesscan't it just be in test-requirements?18:55
*** mordred has quit IRC18:55
*** mordred has joined #openstack-keystone18:55
lifelesshuh, keystone still uses nose18:55
lifelessI thought everyone had migrated18:56
lifelessanyhow no matter, ignore my squirrel there :)18:56
dstaneklifeless: nose is for py3 tests18:56
lifelessdstanek: why?18:56
dstaneklifeless: so we can list the files to be tested - this may have already changed, but not everything was importable in Py318:57
*** marzif_ has quit IRC18:57
lifelessdstanek: I mean, I'm confused. You can do the same with testtools (and by extension testr) - you don't have to use discovery18:58
lifelessif its not straight forward we can certainly add a thing to do what you need without switching runner18:58
* lifeless focuses back on the first thing18:58
dstaneklifeless: i was told that it was not possible and followed the lead of a few other projects18:58
lifelessdstanek: noone spoke to upstream about it at all :(18:59
bknudsonI don't have a problem with putting test-requirements-functional in test-requirements.19:00
bknudsonas I said they were in tox.ini before so that wasn't going to work19:01
*** RichardRaseley has quit IRC19:01
bknudsonI can propose that, or if dstanek has a minute?19:01
lifelessbandit too seems unobjectionable19:01
bknudsonthe annoying thing with mixing bandit with all the other test reqs is that it will slow down the bandit run19:02
dstanekbknudson: propose a change to use markers? i can do it if you don't have the time right now19:02
bknudsonall bandit requires is bandit19:02
lifelessbknudson: really?19:02
lifelessbknudson: let me do a couple timing runs19:03
bknudsonkeystone test-requirements has lxml19:03
*** alanf-mc has quit IRC19:03
bknudsondstanek: y, if you want to try using markers that would be neat, otherwise just merge test-requirements-functional into test-requirements19:04
lifelessbknudson: yes but that caches now19:05
lifelessbknudson: just setting up a throwaway container19:05
*** timcline has quit IRC19:05
*** alanf-mc has joined #openstack-keystone19:07
bknudsonreal    0m32.121s vs real    0m24.196s19:07
bknudsonthat's on my dev system.19:07
bknudsonso having a separate test-requirements-bandit is probably not worth it.19:08
bknudsonconsidering how often I plan on running it.19:08
lifelesshmm, I think we want wheel in virtualenv these days. I'll chase dstufft on that :)19:09
lifelessahha already there19:10
lifelessfirst run, seeding stuff - 1m38 to create-and-run19:12
lifelesssecond run 26s to create-and-run19:13
lifelesscached wheels FTW19:13
lifelessbknudson: ^19:13
*** e0ne has joined #openstack-keystone19:13
bknudsonwhen the tox env was already primed it real    0m15.590s19:14
openstackgerritBrant Knudson proposed openstack/keystone: Move bandit requirements into test-requirements.txt  https://review.openstack.org/18815219:17
openstackgerritlifeless proposed openstack/keystone: Consolidate test-requirements files.  https://review.openstack.org/18815419:17
lifelesshah19:18
lifelessbknudson: sorry for overlapping19:18
lifelessbknudson: I did both in my patch FWIW, but happy to abandon or rebase on yours or wahtever19:18
bknudsonlifeless: is there some trick with env markers that can be used here?19:18
bknudsonI think dstanek was looking into that.19:19
bknudsonl already abandoned mine.19:19
lifelessbknudson: there's a couple things we could do if it it matters. We can in principle[not tested] specify a custom variable to test against and use that to filter19:19
bknudsonbandit probably should have a fixture that can be loaded for unit tests.19:19
lifelessbknudson: but since the deps in the split out files were so uninteresting, I don't think there's any point19:19
bknudsonlet's keep it simple.19:22
dstaneklifeless: bknudson: i think that looks good19:29
openstackgerritDolph Mathews proposed openstack/keystone: Run WSGI with group=keystone  https://review.openstack.org/18780019:29
lifeless42s to create-and-run with cached wheels19:31
lifeless10s to run with a cached venv19:31
lifelessso it seems entirely feasible any which way to me; the build of the install time is in keystone itself19:31
*** iamjarvo has quit IRC19:39
htrutamorganfainberg, henrynash, ayoung: did you see David's suggestion on how to solve the delimiter problem in reseller?19:48
raildo^ http://www.mail-archive.com/openstack-dev@lists.openstack.org/msg54582.html19:49
*** timcline has joined #openstack-keystone19:51
*** timcline has quit IRC19:52
*** alanf-mc has quit IRC19:55
dstanekhtruta: question about your delimiter email19:59
dstanekhtruta: what domain_id does the 'is_domain' project have?20:00
htrutait has its id20:00
*** geoffarnold has joined #openstack-keystone20:00
*** iamjarvo has joined #openstack-keystone20:00
htrutadstanek: is_domain project with id A has domain_id A20:00
*** geoffarnold has quit IRC20:01
dstanekso that is_domain project can't have the same name as its children right?20:01
raildodstanek, a is_domain project can have the same name then a not is_domain project that its your children,20:02
*** tqtran has quit IRC20:02
*** tqtran has joined #openstack-keystone20:03
raildoin other way, I can have a project with the same name then a domain (project with is domain flag enabled)20:03
dstanekso the domain_id of the child is a real domain and not the is_domain project20:03
dstanek?20:03
*** alanf-mc has joined #openstack-keystone20:03
htrutadstanek: there won't be any "real domains"20:03
raildodomain is the is_domain project.20:04
htrutathe is_domain projects will be the domains, and the domain_id of the child will be that one20:04
raildoin the htruta example, we have A (is_domain=true)-> B -> A (is_domain=false)20:04
htruta^these three projects have the same domain_id, which is A's id20:05
dstanekin each of those projects what is the domain_id set to?20:05
dstanekbut don't we have a unique constraint on domain_id/name?20:05
htrutadstanek: we've changed the constraint20:06
htrutait now is domain_id, name, is_domain20:06
raildodstanek, https://review.openstack.org/#/c/158372/20:06
*** topol has quit IRC20:06
htrutaI guess that's because we won't break some v3 contract the allows creating a project inside a domain with the domain name20:06
dstanekah, that review is what i was missing20:08
dstanekhtruta: do we actually need to use a delimiter instead of just specifying a list?20:08
*** lihkin has quit IRC20:09
*** e0ne is now known as e0ne_20:09
htrutathat's what morganfainberg has been saying...20:10
dstanekunless we need it in a url i don't see the need20:10
*** geoffarnold has joined #openstack-keystone20:10
htrutahe said that we've already caused too much headache to ourselves, by allowing the user to user any character20:10
*** lihkin has joined #openstack-keystone20:10
htrutaas a remember, since the beginning of HMT, we've been postponing this hierarchy representation20:11
htrutawhich I think is the most logical one20:11
htrutaBTW, we don't even need to pass the whole hierarchy. I'd be fine with something like: "A.A" means the is_domain project, no matter which level it is20:12
htrutasorry, the is_domain=False project20:12
htrutawhile passing only name="A" would mean the is_domain project, when a conflict happens20:13
*** alanf-mc has quit IRC20:13
htrutathat would be good because the is_domain=false project would not need to know the whole hierarchy until the is_domain A20:13
*** e0ne_ is now known as e0ne20:14
*** alanf-mc has joined #openstack-keystone20:14
geoffarnoldWouldn't that mean that Tempest tests would have to be aware of is_domain setting? Sounds like an interoperability nightmare20:14
*** e0ne has quit IRC20:14
geoffarnoldBy the way, this is not the first time this problem (the  "oh bleep, we let people use any character in a name" problem) has occurred20:15
*** alanf-mc has quit IRC20:16
geoffarnoldunder POSIX, filenames could include any character, even slash20:17
geoffarnoldthis made slash-separated paths a bit of a problem, so the "FS1" environment variable was introduced to override slash as the default path separator20:18
*** gokrokve has quit IRC20:18
htrutageoffarnold: I see... wouldn't this be a good time to stop having these problems?20:18
geoffarnoldand the icing on the cake was to allocate a special unicode character which could only be used for that purpose20:18
geoffarnoldyes indeed20:18
htrutageoffarnold: that has some intersections with david chadwick's suggestion of each domain having a local delimiter20:19
geoffarnoldyup20:19
dstanekhtruta: so if the current domain abstraction goes away, what is A exists in 10 different projects (is_domain or not)20:21
geoffarnoldgiven a time machine, i'd go back, ban the use of ".", ".." and "/", and then we could use normal POSIX path syntax (with FS1/FS2/FS3 overrides for crazies20:21
geoffarnoldwhat do you mean by "goes away"? not dynamically?20:22
htrutadstanek: I'm not sure if I get your point...20:22
geoffarnoldif I have an existing HMT tree, duplicate names in different branches are fine20:23
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Adds URL filter for GET /policies  https://review.openstack.org/18687420:25
samueldmqayoung, ^20:25
openstackgerritayoung proposed openstack/keystone-specs: unified policy file  https://review.openstack.org/13465620:26
dstanekhtruta: won't you always have to specify a fully qualified name?20:27
ayoungsamueldmq, +2 from me.  THanks20:27
geoffarnoldhtruta, +dstanek - i apologize for jumping into a long-running conversation without adequate background reading20:27
ayounggeoffarnold, I never apologize for that myself20:28
htrutadstanek: you mean, in the creation of the project? if so, we do not need20:28
dstanekgeoffarnold: no need to apologize20:28
geoffarnoldintuitively, this feels like a very familiar problem that's been solved several times before20:28
dstanekhtruta: get_project_by_name or anything that operates on name instead of Id20:29
htrutaif you're talking about on the token request...we might need it20:29
raildodstanek, you just need to use domain_id (or name) and parent_id20:29
samueldmqayoung, great, thanks :)20:29
ayoungsamueldmq, so...on the "fetch" side, I think I can provide a little more insight20:30
htrutageoffarnold: no need to apologize at all20:31
ayoungsamueldmq, we want the same "Enforcer" object like you see here:  http://git.openstack.org/cgit/openstack/oslo.policy/tree/oslo_policy/policy.py#n31220:31
raildodstanek, sorry, in the get_project_by_name, it's just the domain_id. And now we add the is_domain flag.20:31
ayoungI kind of think that the number of command line params it takes is wrong...it does too much, but so what20:31
htrutabtw, geoffarnold, dstanek, we could definitely use your opinion on the ML thread as well20:31
geoffarnoldI'd like to understand why (if we assume we can solve the separator character issues) this doesn't simply reduce to relative and absolute pathnames with explicit or implicit chroot's when imposing domain scope20:32
*** alanf-mc has joined #openstack-keystone20:33
ayoungsamueldmq, so...I would leave the Enforcer object as the proxy, and allow the user to swap out implementations of it.  Kindof a bridge pattern20:33
dstanekraildo: so the only case where we need to specify a hierarchy is when a parent and child have the same name?20:34
geoffarnoldand the problem of back-mapping from project ID to full path is just like the old Unix puzzle of reconstructing a path from an indoor number - tedious, but tractable (and eminently catchable)20:34
ayoungSo,  we extract out most of the logic of the existing enforcer into "StaticEnforcer"  which is what you get loaded via stevedore by default, but then Keystonemiddleware  registres adifferent enforcer class that does the fetch.20:34
geoffarnoldwhy then, +dstanek?20:35
geoffarnoldor have we overloaded something?20:35
htrutageoffarnold: we won't need absolute pathnames... only the relatives, once, at the worst case, I'd only need to know my subtree until my domain20:35
raildodstanek, hum... for now, this is the only case that I see. because the other requests you can use domain_id (or name) and parent_id, since the project_name is unique in a domain.20:35
htrutadstanek: more specific than that... not a parent and a child. But an is_domain project AND a not is_domain project inside that is_domain project20:36
geoffarnoldUnique in a domain? I can't have two projects, A and B, each with subprojects X and Y?20:36
raildogeoffarnold, nope. today a project name is unique in a domain, and we want to stay with this behavior.20:38
geoffarnoldDoesn't that make blue-green releases tricky? http://martinfowler.com/bliki/BlueGreenDeployment.html20:38
geoffarnoldAh.20:39
*** pnavarro has joined #openstack-keystone20:39
geoffarnoldI foresee a lot of subdomain creation to work around that20:39
*** davidchep has quit IRC20:41
dstanekraildo: i thought you said that domains are going away20:41
raildodstanek, Domain will be a feature of project, we can create a project and add this feature enabling this "is_domain" flag. but we want to keep with the domain concept20:42
dstanekraildo: so keeping the current domain table instead of replacing it with is_domain projects?20:43
geoffarnoldService federation depends on the ability to associate policy (esp. IDM, but also quotas and some RBAC) with a node in the hierarchy, and to be able to effectively "chroot" to that node. I thought that was what you got by tagging a project as a domain20:43
dstanekso today: (X: domain) -> (Y: project)20:45
raildodstanek, when we wrote the reseller spec, we find some problems in keep with two hierarchies, like domain hierarchy in domain table, and the same for project table.20:45
dstanekfuture? (X: project<is_domain=True>) -> (Y: project)20:45
*** timcline has joined #openstack-keystone20:45
htrutadstanek: exactly20:46
raildodstanek, yes20:46
dstanekso in the future why would a project<is_domain=True> ever be returned by get_project_by_name?20:47
htrutageoffarnold: you're right. The subdomains will cover that use case20:47
geoffarnoldso given that, how should I interpret "a project name is unique in a domain"?20:47
htrutadstanek: this is_domain project is an usual project with domain superpowers20:47
geoffarnoldIn my example, do I need to tag A and B as domains, so that X and Y don't clash in the parent?20:47
dstanekhtruta: is there a reason for that?20:48
htrutawe'll be able to create vms in it, for example20:48
geoffarnoldSo here's a reductio ad absurdum...  why wouldn't I simply tag every project as a domain, thus avoiding namespace clashes?20:49
dstanekwas there a rationale for that since it is what seem to be causing the need to specify the hierarchy?20:49
raildodstanek, domain just working in Keystone, it's more easier handle with projects in the other services, and handle with this "domain power" in keystone20:49
raildogeoffarnold, domains and subdomains names, will be unique too.20:50
geoffarnoldin what scope?20:50
raildogeoffarnold, in the cloud20:51
geoffarnoldone reason to introduce hierarchical name spaces is to get away from the uniqueness required by a flat namespace20:51
*** stevemar has quit IRC20:51
dstanekraildo: is there a patch already to get right of Domain and Project.domain_id?20:51
samueldmqayoung, looking, sorry was afk20:52
ayoungsamueldmq, no problem.  You are allowed to be AFK, and, with evesdrop, IRC is forever20:52
samueldmqayoung, o/20:52
raildodstanek, in this patch we add this is_domain flag: https://review.openstack.org/#/c/157427/20:53
ayoungsamueldmq, I think what we want to do is make sure that the services can work with the same contract once we get them all using the oslo.policy library.20:53
dstanekraildo: right, but domains are going away as we know them right?20:53
raildodstanek, and here, we change all the domain operations to the project side: https://review.openstack.org/#/c/143763/20:53
ayoungSo that means we have to identify the limits of the contract, which I would state as being they've called  policy.Enforcer()20:54
raildodstanek, and later, we remove all the domain references: https://review.openstack.org/#/c/165936/20:54
*** davidchep has joined #openstack-keystone20:54
dstanekraildo: so what is the other projects would have to change is we treated Project<is_domain=True> the same as we tread Domain today?20:55
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/18693220:55
raildodstanek, hum... i don't get your question... if we need to change something in the current projects?20:57
geoffarnoldraildo: after you've finished the Project<is_domain=True>, let's get back to the uniqueness issue, because it seems to be an independent topic20:57
raildogeoffarnold, I agree. this is not a final decision, it's just a decision to simplify our implementation in this first release.20:58
htrutageoffarnold: seems right20:58
ayoungraildo, can you make the minor changes I suggested in https://review.openstack.org/#/c/157427 and resubmit?  I'd be happy to move that one along.20:58
*** gordc has quit IRC20:58
dstanekraildo: no, if we said that the will behave just like today's domain (not returned in get_project_by_name, etc) - what would the other projects have to do?20:58
raildoayoung, sure, I'll do this today. sorry about that.20:58
dstanekgeoffarnold: it's very similar, because if Project<is_domain=True> was treated like a domain then it would be unique20:59
ayoungraildo, no problem....your English is a heck of a lot better than my Portuguese20:59
*** mattfarina has quit IRC20:59
*** davidchep has quit IRC21:00
htrutaayoung: lol21:00
samueldmqayoung, I will process your message and take a look in a bit, I am about to go home21:00
samueldmqayoung, :)21:00
ayoung++21:00
raildoayoung, thanks, but I  know that I have to improve it :P21:00
*** timcline has quit IRC21:01
ayoungO meu hovercraft está cheio de enguias21:01
htrutadstanek: other projects won't have to do anything21:01
htrutathey won't need to worry about domains21:01
*** timcline has joined #openstack-keystone21:01
samueldmqayoung, lol .. that doesn't have any sense in portuguese21:02
raildohtruta, ++21:02
samueldmqayoung, haha actually it has, but it is strange, and funny21:03
*** geoffarnold_ has joined #openstack-keystone21:03
*** davidchep has joined #openstack-keystone21:04
*** geoffarnold has quit IRC21:04
raildoI have to go know, but I come back in 2 hours, if someone want to discuss more about this :D thank you dstanek, geoffarnold_ for your time.21:05
*** pauloewerton has quit IRC21:05
htrutame too. we may also continue it in the ML, or tomorrow21:06
*** samueldmq has quit IRC21:06
dstanekraildo, htruta : thanks for the info21:06
geoffarnold_ML would be good - also we need to update the wiki21:06
ayoungEu não vou comprar este disco, ele está arranhado.21:07
*** fangzhou has joined #openstack-keystone21:08
morganfainberggeoffarnold_: the issue is we *cannot* break the current API functionality21:08
*** dsirrine has quit IRC21:08
morganfainberggeoffarnold_: removing the uniqueness contraint(s) breaks our API contract21:08
bknudsonyou could break it if you had a config option21:08
bknudsonso it was opt-in21:08
geoffarnold_I understand.21:08
morganfainbergbknudson: lets not do that21:08
morganfainbergplease21:08
morganfainbergplease don't make it bad UX for the end users because someone did a "i want non-unique domains"21:08
morganfainbergit drives us to "every deployment is non-interoperable and a unique snowflake to use" and lots of code in tools like shade21:09
*** dsirrine has joined #openstack-keystone21:09
morganfainbergif we moved to microversions21:09
morganfainberg... we could break the contract21:09
geoffarnold_Implicit scope on existing APIs doesn't break contract, does it?21:09
morganfainbergbut i think the flask work is needed before we do that.21:09
morganfainberggeoffarnold_: implicit scope?21:10
geoffarnold_Adding a new API that effectively chroot's the hierarchy to the current node21:11
geoffarnold_all existing API calls within that context behave as they do today21:12
morganfainberggeoffarnold_: i'd rather move to microversions21:12
geoffarnold_orthogonal issue21:12
morganfainberggeoffarnold_: that seems like a not-great UX21:12
morganfainberggeoffarnold_: but that is just the surface view/gut feeling21:13
geoffarnold_it's great UX if the user doesn't see the chroot; if it's done as a side-effect of logging in21:13
morganfainberguhm21:13
morganfainbergi disagree.21:13
morganfainbergit makes understanding the uri structures for those *not* using the libraries less wonderful21:14
geoffarnold_all OpenStack service calls are scoped by region today21:14
morganfainbergstrictly form the python-keystoneclient lib (etc), we already provide that21:14
*** iamjarvo has quit IRC21:14
morganfainberggeoffarnold_: so - now i need to make http://<host>:5000/v2.0/<tenant|chroot>/<same api as before>21:15
geoffarnold_how is it different for a user if the scope is to a subdomain within a region?21:15
morganfainbergyou can't just make the URL different.21:15
*** pnavarro has quit IRC21:15
morganfainberga lot o the API calls already do that21:16
morganfainbergsome can't because they are administrative21:16
morganfainbergi don't think we can reconsile this nicely w/o again a microversion21:16
morganfainbergit's going to make using the APIs much harder.21:16
geoffarnold_I'm happy to assume that for the moment21:17
morganfainbergit also doesn't really conform to RESt with the resource location concepts.21:17
geoffarnold_but I'm going to test the idea again21:17
morganfainbergif it's "implicit"21:17
morganfainbergit really needs to be explicit21:17
dstanekmorganfainberg: why are Project<is_domain=True> objects not just treated like Domain object and then we won't have this uniqueness problem21:18
geoffarnold_i'm happy with project UUIDs being unique21:18
morganfainberggeoffarnold_: they already are.21:19
geoffarnold_the problem only arises at the name-to-UUID mappings21:19
morganfainbergdstanek: we could do that.21:19
morganfainbergdstanek: there was a reason not to do that IIRC, but i don't remember the original argument now21:19
dstanekthen things act exactly like they are today - nobody has to know where in the hierarchy they are21:20
morganfainbergdstanek: oh that doesn't solve the uniqueness issue though21:20
dstanekmorganfainberg: why not?21:21
morganfainbergdstanek: in a given hierarchy you don't want to block the name "nova" because somewhere someone else created a domain called "nova"21:21
morganfainbergeven outside of your heirarchy21:21
geoffarnold_we wind up with two issues, (1) name-to-UUID mapping with two flavors: old, flat and new, hierarchical; (2) derived semantics from hierarchical relationships of projects21:21
dstanekmorganfainberg: if the uniqueness is driven off of (name, domain_id) then that's not a problem21:21
morganfainbergdstanek: domains are today considered globally unique name-wise.21:22
morganfainbergwe need the namespace specifier thats all21:22
dstanekdomain_id being Project<is_domain=True>.id21:22
geoffarnold_so this isn't really a hierachy21:22
morganfainbergbut you can have A->A->A->A (all domains)21:22
morganfainberggeoffarnold_: the URLs need to be explicit - it isn't implicit in REST21:23
geoffarnold_I'm pretty confident that if you asked developers what they'd expect from a hierarchical namespace, 99.9% would opt for something that looked like DNS or POSIX paths21:23
morganfainberggeoffarnold_: so you can do /<scope_id>/<API>21:23
dstanekthey wouldn't all have the same domain_ids though - to maybe is should start saying parent_id instead of domain_id21:23
dstanekgeoffarnold_: it's not too far off other than directories are also treated like files in our implementation21:24
geoffarnold_well, that's a good thing21:24
geoffarnold_I always felt Ritchie missed that trick21:25
dstanekreally? that's what i want to get rid of21:25
morganfainbergdstanek: in the current impl, but we *could* just avoid the "can turn on VMs" type stuff in the domains21:25
morganfainbergdstanek: yeah.21:25
*** iamjarvo has joined #openstack-keystone21:25
geoffarnold_The canonical namespace for projects is the flat UUID21:26
geoffarnold_text names are used relatively rarely21:27
morganfainberggeoffarnold_: we need a clear unique way to reference an object globally in a deployment21:27
geoffarnold_and needn't be treated as resource paths - their just tokens21:27
morganfainberggeoffarnold_: so we have said *always* the ID is that ID21:28
morganfainbergsimilar to how posix user ids can't be duplicated (without wonkyness) on a given system21:28
geoffarnold_"object"? example?21:28
morganfainbergusers, groups, projects, domains, etc21:28
morganfainbergin each type, the uuid is the unique identifier21:28
morganfainbergthis is the index / reference point where we can audit from etc.21:29
geoffarnold_so the UUIDs provide that unambiguous reference21:29
morganfainbergyes21:29
morganfainbergand we should have an unambiguous reference21:29
morganfainberguuid.uuid.uuid.uuid might be very very bad.21:29
geoffarnold_agreed21:29
morganfainbergok so we're good on that front21:29
ayoungDNS is the cannonical way of doing namespaces21:30
morganfainbergyes the names should be used more often.21:30
geoffarnold_one purpose (apart from readability) for text names is to provide a strong clue about relationships21:30
ayoungperhjaps something in conjunction with DNSSEC is appropriate21:30
geoffarnold_not a bad idea21:30
morganfainbergayoung: no DNS is *not* the canonical way to do namespaces, it is a way to do namespaces21:30
ayoungShow me another that is even close morganfainberg21:31
geoffarnold_there is no single canonical way, but it would be nice to learn from successful models21:31
ayoungits won21:31
dstaneki think a filesystem is closer to what we are doing than dns21:31
morganfainbergayoung: it is an implementation specific type of namespaces21:31
ayoungall the others are pining for the Fjords21:31
morganfainbergdstanek: ++21:31
morganfainbergayoung: Posix filesystem? ^^21:31
geoffarnold_just no symlinks, please21:31
ayoungdstanek, NFS?21:32
dstanekayoung: only it you don't like your data21:32
geoffarnold_you trying to remind me of how I spent the 1980s?21:32
ayoungmorganfainberg, filesystems are not global namespaces, they are local namespaces21:32
geoffarnold_AFS would disagree21:32
ayoungonly DNS is valid across organizational boundaries21:32
dstanekwe don't need global - we need cloud namespaces21:32
morganfainbergayoung: DNS is not a global namespace either21:33
ayoungdstanek, what about bursting21:33
morganfainbergayoung: it has an implementation people consider "global" most of the time.21:33
morganfainbergexcept where they dont21:33
*** jsavak has joined #openstack-keystone21:33
morganfainbergand it can be overridden / mucked with / changed.21:33
geoffarnold_we need relative namespaces plus a variety of root anchoring models21:33
dstanekgeoffarnold_: what would that actually be used for?21:33
ayoungmorganfainberg, anyway, what I was suggesting is that, if we need a "this name has to be valid across two clouds"  mechanism, we ase *that* on DNS, and enforce using DNSSEC:  you have to own the name you are trying to register...21:34
dstanekayoung: i was thinking that ids would be prefixed or qualified with the cloud21:34
geoffarnold_blue-green deployments, for instance? http://martinfowler.com/bliki/BlueGreenDeployment.html21:34
morganfainbergayoung: we aren't talking about that here.21:34
geoffarnold_turtles all the way down21:34
morganfainbergayoung: we're talking about the hierarchy in a single cloud.21:34
ayoungmorganfainberg, we should be21:35
morganfainbergayoung: sure we could use DNS/DNSSEC for across clouds21:35
morganfainbergayoung: no we shouldn't be talking about that for this issue21:35
morganfainbergayoung: this is below what your advocating21:35
ayoungand then we say "domain names that are not DNS blah"  might get bumped by the real owner if it conflicts21:35
geoffarnold_lets stick to "within a region" for the moment21:35
ayoungthen we state "domain names should be DNS names, or we will provide one for you at no extra cost"21:35
morganfainbergayoung: that is layered above what we need to solve - and none of the recommendations change that ability to layer it on top21:35
dstanekgeoffarnold_: this is all within a cloud or at least a keystone instance21:36
morganfainbergayoung: i disagree.21:36
ayoungso my domain name is either redhat.com  or redhat.dreamhost.com21:36
morganfainbergayoung: but that is a different (again) conversation21:36
morganfainbergayoung: and can be layered above this with any of the proposals21:36
morganfainbergabove = still in keystone21:36
ayoungand then we drop the service catalog and put it all in DNS and make termie happy21:36
morganfainbergayoung: making termie happy is about at the bottom of my list of things to consider at the moment.21:37
ayoungHeh21:37
geoffarnold_I'm thinking of a multi-project Heat deployment; I need to be able to deploy it in a test domain and then in prod21:37
geoffarnold_without changing all the project names21:37
morganfainberggeoffarnold_ dstanek: yes this needs to be focused on "within a single deployment" for the moment21:37
*** Nikkau has joined #openstack-keystone21:37
ayoungmorganfainberg, really, what I am suggesting is that we think in terms of global naming. DNS is obviosuly, not going to work in many cases21:37
morganfainbergayoung: and none of the proposals prevents that. lets not talk about that for the moment21:38
ayoungnames are either global or local.  We need to know which we are dealing with in a specific instance21:38
morganfainbergayoung: we have a lower-levle issue to solve21:38
morganfainbergayoung: stick within a single region/deployment for the moment21:38
geoffarnold_I'm going to try to solve one version of the global problem in Mercador; that's why intra-region is fine for me21:38
dstanekayoung: we are talking local21:38
ayoungFirst is the fact that project names are,right now, forced to be unique across all projects in a domain21:38
ayoungso,  we should probably distinguish between the full qualified project name and the local project name21:39
morganfainbergayoung:  these are all parts of things we're already looking at this is not part of the conversation at hand - we are dealing with that.21:39
ayoung" removing the uniqueness contraint(s) breaks our API contract"21:39
*** dontalton has joined #openstack-keystone21:39
ayoungthat is how the conversation started21:39
morganfainbergayoung: the uniqueness contraint for the domains globally21:40
openstackgerritDan Nguyen proposed openstack/python-keystoneclient: Add include_subtree to role_list_assignments call  https://review.openstack.org/18818421:40
morganfainbergayoung: it was a very very specific proposal that broke our API contract21:40
morganfainbergayoung: out of context21:40
ayoungmorganfainberg, our API contract should allow for two types of names:  single values or an array.  It needs to be an arry for HMT and for any type of nesting due to the delimeter issue21:41
morganfainbergso we need *a* uniqueness constraint for domains at one level.21:41
morganfainbergayoung: ok i need to duck out for a meeting21:41
morganfainbergwe will need to revisit this convo21:41
dstaneki'm bailing too for a little bit21:41
geoffarnold_indeed...21:41
geoffarnold_ok21:42
*** geoffarnold_ is now known as geoffarnold21:42
ayoungmorganfainberg, I'll write up what I am thinking for the dev list.  It should be simple enough to at least start the convo.21:42
*** samueldmq has joined #openstack-keystone21:44
*** iamjarvo has quit IRC21:49
*** iamjarvo has joined #openstack-keystone21:49
*** iamjarvo has quit IRC21:50
*** blewis` has quit IRC21:58
*** blewis has joined #openstack-keystone22:01
*** HT_sergio has quit IRC22:16
*** henrynash has quit IRC22:18
*** tqtran has quit IRC22:20
*** jamielennox|away is now known as jamielennox22:20
*** lhcheng has quit IRC22:25
*** lhcheng has joined #openstack-keystone22:26
*** ChanServ sets mode: +v lhcheng22:26
*** dguerri is now known as dguerri`away22:29
*** sigmavirus24 is now known as sigmavirus24_awa22:30
*** bknudson has quit IRC22:31
jamielennoxgyee: in light of reply to https://review.openstack.org/#/c/174198/ can i get you to change your mind on https://review.openstack.org/#/c/174198/22:33
jamielennoxgyee: because then we can merge that and the one dependent on it22:34
openstackgerritMerged openstack/keystone: Consolidate test-requirements files.  https://review.openstack.org/18815422:36
gyeejamielennox, k22:42
jamielennoxgyee: i do fix that up somewhere later on22:42
jamielennoxand thansk22:42
gyeeI am fine with another patch to shave off the _token_is_vx() stuff22:42
jamielennoxgyee: can you do the +a on https://review.openstack.org/#/c/174199/ as well - there's 3 +2s22:44
gyeejamielennox, k22:44
gyeeone sec22:44
*** lihkin has quit IRC22:48
*** htruta_ has joined #openstack-keystone22:49
*** dand has quit IRC22:49
*** csoukup has quit IRC22:49
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Remove custom header handling  https://review.openstack.org/18038522:50
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Fetch user token from request rather than env  https://review.openstack.org/17420222:50
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Remove the _msg_format function  https://review.openstack.org/17420122:50
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Base use webob  https://review.openstack.org/17420022:50
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Create a simple base class from AuthProtocol  https://review.openstack.org/18081622:50
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Refactor request methods onto request object  https://review.openstack.org/18039422:50
openstackgerritMerged openstack/keystone: Updated from global requirements  https://review.openstack.org/18693222:52
*** Raildo_ has joined #openstack-keystone23:03
*** timcline has quit IRC23:05
*** tqtran has joined #openstack-keystone23:07
*** timcline has joined #openstack-keystone23:08
*** jsavak has quit IRC23:11
*** timcline has quit IRC23:12
*** chlong has joined #openstack-keystone23:19
openstackgerritguang-yee proposed openstack/keystone: Unable to list role assignments in Project  https://review.openstack.org/18084623:34
*** dontalton has quit IRC23:37
openstackgerritMerged openstack/keystonemiddleware: Move project included validation  https://review.openstack.org/17419823:38
*** Raildo_ has quit IRC23:39
*** tellesnobrega has quit IRC23:40
*** rwsu has quit IRC23:41
gyeedtroyer, stevemar, is this the latest common cli doc? http://docs.openstack.org/cli-reference/content/23:45
openstackgerritMerged openstack/keystonemiddleware: Don't rely on token_info for header building  https://review.openstack.org/17419923:46
gyeejamielennox, ^^23:46
jamielennoxgyee: i've no idea, running "openstack help" is fairly descriptive23:47
openstackgerritMerged openstack/keystoneauth: Add protocol docstring in FederationBaseAuthPlugin  https://review.openstack.org/18761023:50
dtroyergyee: no, it's at http://docs.openstack.org/developer/python-openstackclient/23:51
*** dims_ has joined #openstack-keystone23:51
gyeedtroyer, ty!23:55
*** dims__ has quit IRC23:55
openstackgerritMerged openstack/keystone: Update access control configuration in httpd config  https://review.openstack.org/16451523:55
openstackgerritMerged openstack/keystone: Replace blacklist_functions with blacklist_calls  https://review.openstack.org/18736023:55
gyeejamielennox, corp ppl want a doc, you know how it goes :)23:55
« Tuesday, 2015-06-02 Index Thursday, 2015-06-04 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!