Monday, 2015-06-29

bknudsonwith service users in the default domain in sql there's no need to use v3 there.00:00
bknudsonI don't know when the multi-domain support went into horizon...00:01
kfox1111I want to say I tried that a few times and couldn't make it work because of the nova -> neutron code not working.00:01
kfox1111its in juno. I got it all working except vm launching.00:01
bknudsonwho cares about launching vms.00:02
kfox1111heh. our users unfortunatly. ;)00:03
*** stevemar has quit IRC00:10
*** stevemar has joined #openstack-keystone00:10
*** trey has quit IRC00:10
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: Update README.rst and remove ancient reference
stevemarbknudson: jamielennox ^00:12
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: Remove keystoneclient CLI references in README
Kennanbknudson: there?00:16
*** trey has joined #openstack-keystone00:16
*** stevemar has quit IRC00:19
jamielennoxstevemar: i'm slowly getting through my auth_token changes, want to have a look at
*** stevemar has joined #openstack-keystone00:20
*** miguelgrinberg has quit IRC00:26
*** darrenc is now known as darrenc_afk00:26
*** jamielennox is now known as jamielennox|away00:26
*** jamielennox|away is now known as jamielennox00:30
morganfainbergstevemar: how many bloody ways do we need to represent "roles" in a token?!00:30
stevemarat least 4?00:30
morganfainbergi think i'm up to needing to copy roles into 3 distinct places in a v2 token00:30
morganfainbergthis is stupid00:30
morganfainberg"lets just stick this crap here, and here, and here, and here"00:30
jamielennoxwhy did the fernet provider need stuff so different?00:31
stevemarsize issues i guess00:31
jamielennoxsize is just the initial info, like the user_id and project_id00:31
jamielennoxroles etc come out of the db and it should share that code with initial token creation00:32
*** trey has quit IRC00:36
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements
morganfainbergjamielennox: because instead of trying to make the generic provider work in a way that would support fernet, fernet was developed on the side00:43
morganfainbergjamielennox: so i'm now chasing down a bunch of this trying to fix that we have ... totally different code paths *again* for token types00:44
jamielennoxmorganfainberg: there's a lot of refactoring needed, i was hoping it would come as we pushed things onto flask/pecan00:44
morganfainbergthis is below where flask will help00:44
jamielennoxthere would be like the old code and new folders so you start moving across only the sane stuff00:44
morganfainbergbut when i'm done with this chain, all v2 tokens will be issued as v3 tokens and then converted00:45
morganfainberglike fernet tokens are00:45
morganfainbergthat way you really only have 1 way to issue tokens.00:45
jamielennoxmorganfainberg: yes and no, the way controllers and such are laid out it'd be difficult to get a model based flow in there00:45
morganfainbergit also collapses the token data helpers00:45
jamielennoxhaving "v3 tokens" at that level is wrong already00:45
morganfainbergthe stuff with flask - like i said this is below the controllers00:45
morganfainbergwhat it does provide is a simple way to life the model up00:46
morganfainbergsince you need a consistent issue token method anywa00:46
morganfainbergjamielennox: aaaannnnd a bunch of this has to be backported to kilo00:46
morganfainbergjamielennox: because fernet tokens are broken in kilo in not-so-uncommon edge cases00:47
jamielennoxoslo.cache? does that mean it's available and we can use it for auth_token and ditch the memcache dependency?00:47
morganfainbergjamielennox: well sortof.00:47
jamielennoxmorganfainberg: hmm, need to be careful of what's a patch then and what's a refactor or backporting will be painful00:47
morganfainbergjamielennox: you're going to run into memory bloat issues if you use the in-memory one w/o a custom backend00:47
* jamielennox is not sure why he's stating the obvious00:47
morganfainbergjamielennox: thats why i'm doing the refactoring into common pipeline pre-flask00:48
morganfainbergat least the code structure is the same this way and i can resolve the conflicts00:48
morganfainbergthe worst of the bugs is the first in my chain ^^00:48
openstackgerritMerged openstack/python-keystoneclient: Remove unused images from docs
morganfainbergjamielennox: also interestingly it looks like we can't test "TestAuthWithTrust" in isolation, it can't load policy.json00:49
morganfainbergand i have no clue why00:49
morganfainbergstevemar: ^ cc00:49
morganfainbergwell crap00:56
morganfainbergit's actually a lot of our tests are failing for me in isolation00:56
morganfainbergunable to load policy.json00:56
morganfainbergi don't get it00:56
morganfainbergsomeone screwed something up in a weird way00:57
morganfainbergtox -epy27 keystone.tests.unit.test_auth00:58
*** darrenc_afk is now known as darrenc00:58
*** piyanai has quit IRC01:03
*** davechen has joined #openstack-keystone01:09
*** davechen1 has joined #openstack-keystone01:12
*** davechen has quit IRC01:15
*** miguelgrinberg has joined #openstack-keystone01:28
*** ankita_wagh has joined #openstack-keystone01:29
*** markvoelker has joined #openstack-keystone01:30
*** markvoelker has quit IRC01:35
*** vilobhmm has quit IRC01:35
*** jasondotstar has joined #openstack-keystone01:40
*** vilobhmm has joined #openstack-keystone01:49
*** iamjarvo_ has joined #openstack-keystone02:01
*** stevemar has quit IRC02:07
*** stevemar has joined #openstack-keystone02:08
*** piyanai has joined #openstack-keystone02:12
*** stevemar has quit IRC02:30
*** stevemar has joined #openstack-keystone02:31
*** iamjarvo_ has quit IRC02:43
*** iamjarvo has joined #openstack-keystone02:44
*** juvenn has joined #openstack-keystone03:09
*** tobe has joined #openstack-keystone03:12
juvennHi all, I'm working on keystoneclient bug 1433306, which will support domain config ext in keystoneclient, and later in openstackclient:
openstackLaunchpad bug 1433306 in python-keystoneclient "support domain config ext in keystoneclient" [Undecided,In progress] - Assigned to Juvenn Woo (juvenn)03:12
jamielennoxjuvenn: have you seen
*** sigmavirus24_awa is now known as sigmavirus2403:15
juvennjamielennox: no, I didn't find that, I'll look at it!03:16
juvennthank you03:17
*** markvoelker has joined #openstack-keystone03:19
*** markvoelker has quit IRC03:23
*** piyanai has quit IRC03:25
juvennhenrynash: glad to see you're doing it in client as well, I'll see what could I help03:29
*** jasondotstar has quit IRC03:32
*** jasondotstar has joined #openstack-keystone03:33
*** vilobhmm has quit IRC03:34
*** sigmavirus24 is now known as sigmavirus24_awa03:38
*** sigmavirus24_awa is now known as sigmavirus2403:39
*** liusheng has joined #openstack-keystone03:40
juvennjamielennox: shall I re-assign bug 1433306 to henrynash instead?03:42
openstackbug 1433306 in python-keystoneclient "support domain config ext in keystoneclient" [Undecided,In progress] - Assigned to Juvenn Woo (juvenn)03:42
*** sigmavirus24 is now known as sigmavirus24_awa03:49
*** tobe has quit IRC03:55
*** tobe has joined #openstack-keystone03:56
*** tobe has quit IRC03:56
*** rushiagr_away is now known as rushiagr03:57
*** tobe has joined #openstack-keystone03:59
*** rushiagr is now known as rushiagr_away04:03
*** stevemar has quit IRC04:03
*** stevemar has joined #openstack-keystone04:04
*** tobe has quit IRC04:13
*** browne has joined #openstack-keystone04:22
*** kiran-r has joined #openstack-keystone04:23
*** ankita_wagh has quit IRC04:26
*** rm_work|away is now known as rm_work04:36
*** juvenn has quit IRC04:40
*** ankita_wagh has joined #openstack-keystone05:03
*** kiran-r has quit IRC05:03
*** markvoelker has joined #openstack-keystone05:08
*** markvoelker has quit IRC05:12
*** dramakri has joined #openstack-keystone05:13
*** spandhe has joined #openstack-keystone05:36
*** mabrams has joined #openstack-keystone05:38
*** iamjarvo has quit IRC05:39
*** jasondotstar has quit IRC05:53
*** iamjarvo has joined #openstack-keystone05:54
*** tobe has joined #openstack-keystone05:56
*** tobe has quit IRC05:58
*** tobe_ has joined #openstack-keystone05:58
*** iamjarvo has quit IRC06:02
*** juvenn has joined #openstack-keystone06:05
*** arunkant_ has joined #openstack-keystone06:06
*** arunkant__ has quit IRC06:10
*** spandhe has quit IRC06:13
openstackgerritMorgan Fainberg proposed openstack/keystone: Convert issue_v2_token to always issue a v3_token and convert
*** stevemar has quit IRC06:16
*** stevemar has joined #openstack-keystone06:16
marekdmorganfainberg: hi. I saw there were some problems with fernet code. IS there already any bug reported so I can get familiar what's wrong?06:23
morganfainbergmarekd: mostly it's minor things06:24
marekd this?06:24
openstackLaunchpad bug 1469563 in Keystone liberty "Fernet tokens do not maintain expires time across rescope (V2 tokens)" [High,In progress] - Assigned to Morgan Fainberg (mdrnstm)06:24
morganfainbergmarekd: yeah06:24
marekdthat's all or there is more?06:24
stevemarmorganfainberg: marekd hello and goodnight06:24
marekdstevemar: hello and goodnight :-)06:24
morganfainbergmarekd: but there is a real mess i'm running into because fernet code is totally separate from the rest of the token code06:24
morganfainbergmarekd: so if you look i'm working on unifyin the issue_token paths - this will eliminate these bugs.06:25
stevemarmarekd: any last minute patch review requests?06:25
marekdstevemar: no at the moment.06:25
marekdmorganfainberg: the chaing starts here , right?06:26
marekdstevemar: or..06:26
marekdyou may actually want to take a look at this
morganfainbergthats the start06:26
marekdstevemar: and see if you spot sth suspicius in requirements.txt06:26
marekdstevemar: i basically copied the line from jamielennox's patch and it worked for him :(06:27
stevemarmorganfainberg: i know you've had a super long day but...
marekdif it takes more than 60 secs, just leave it and go to bed.06:28
marekdstevemar: ^^06:28
jamielennoxmarekd: hey, i was ignoring your PM as i was on leave and i've lost it06:28
marekdjamielennox: no worries.06:28
jamielennoxmarekd: did you get it figured out06:29
marekdjamielennox: THB I cannot remember what was it about :(06:29
marekdjamielennox: was it this maybe?06:29
*** stevemar has quit IRC06:30
jamielennoxmarekd: so it didn't just work for me06:30
marekdhow come?06:30
marekdhah ...06:30
marekdi didn't see that patch, now it makes sense.06:31
marekdjamielennox: so you are going to unwind this change after ksa is released?06:31
jamielennoxwe would need to get keystoneauth into requirements before we could merge it back into keystoneclient06:31
marekdjamielennox: i am going to push similar change for ksa-saml206:33
*** ankita_wagh has quit IRC06:35
*** ankita_wagh has joined #openstack-keystone06:35
juvennhi all, I'm looking at, where henrynash implemented domain config for keystoneclient. But it seems stuck at Jenkins "Patch in Merge Conflict". Shall I work on it and move forward from there?06:36
*** lufix has joined #openstack-keystone06:37
*** ankita_wagh has quit IRC06:40
*** browne has quit IRC06:43
*** liusheng has left #openstack-keystone06:53
*** markvoelker has joined #openstack-keystone06:56
henrynashjuvenn: Hi, so I’ll be picking that up again and moving it forward in the next few days….although I still have a question on whether i should be using raw mode for the config structure being returned….be happy for you and others to comment on this if you have a view06:57
juvennhenrynash: hi, great to see all your work about domain config along the way from blueprints! Regarding config structure response, I may look into it.07:00
*** rlt_ has joined #openstack-keystone07:01
*** markvoelker has quit IRC07:01
juvennhenrynash: I have a question though about REST API, that why isn't there a LIST operation available?07:01
henrynashjuvenn: at first glance you think there should be, but I’m not sure it would be very useful…I can’t really imagine a UI that would make use of such a call07:03
*** spandhe has joined #openstack-keystone07:06
openstackgerrithenry-nash proposed openstack/python-keystoneclient: Support domain-specific configuration management
*** ccard_ has quit IRC07:09
juvennhenrynash: hmm, I'll think about it harder :)07:11
*** dramakri has quit IRC07:14
*** fhubik has joined #openstack-keystone07:14
*** dramakri has joined #openstack-keystone07:17
*** spandhe has quit IRC07:22
*** lsmola has joined #openstack-keystone07:26
*** juvenn has quit IRC07:28
*** stevemar has joined #openstack-keystone07:30
*** jistr has joined #openstack-keystone07:32
*** arunkant__ has joined #openstack-keystone07:32
*** stevemar has quit IRC07:33
*** juvenn has joined #openstack-keystone07:34
*** arunkant_ has quit IRC07:36
openstackgerritMerged openstack/keystone: Relax the formats of accepted mapping rules for keystone-manage
*** kfox1111 has quit IRC07:40
*** kiran-r has joined #openstack-keystone07:42
*** juvenn has quit IRC07:48
*** pnavarro|off has joined #openstack-keystone07:50
*** dramakri has quit IRC07:50
*** pnavarro|off has quit IRC07:51
*** pnavarro has joined #openstack-keystone07:52
*** fhubik has quit IRC08:07
*** fhubik has joined #openstack-keystone08:08
*** fhubik_afk has joined #openstack-keystone08:09
*** juvenn has joined #openstack-keystone08:14
*** arunkant__ has quit IRC08:20
*** dguerri` is now known as dguerri08:23
jamielennoxhenrynash: i've meant to ask you about that in the past08:24
jamielennoxi don't so much mind the domain specific config but it seems weird you need the raw mode stuff08:24
jamielennoxmaybe i need to have a better look at the APIs and see what you're doing08:25
*** juvenn has quit IRC08:30
*** markvoelker has joined #openstack-keystone08:45
*** markvoelker has quit IRC08:50
*** afazekas_ has joined #openstack-keystone08:56
*** juvenn has joined #openstack-keystone08:57
Kennanhi any keystone cores here online ?08:57
henrynashjamielennox: so I don’t like that either08:58
henrynashKennan: hi08:58
Kennanhi henrynash:08:58
KennanI hit one question about keystone_authtoken08:58
KennanI think keystone guys know much about it08:58
Kennanin some projects08:58
henrynashjamielennox: looking for some advice on that….the reason I did it that way was since the stucture being returned is not fixed….i.e. the attributes vary depending on what has been set08:59
Kennanlike nova. glance. neutron [keystone_authtoken]08:59
Kennanhave username and password08:59
henrynashKennan: ok08:59
Kennanbut in some other projects08:59
Kennanit is admin_username and admin_password08:59
KennanI am confused by that08:59
Kennanwhat's the difference ?08:59
Kennanheanrynash: could you help explain that to me?09:00
Kennanhere is devstack09:00
Kennan iniset $conf_file $section username $admin_user09:01
Kennan iniset $conf_file $section password $SERVICE_PASSWORD09:01
henrynashKennan: this is in waht the conf file?09:01
Kennanit is /etc/nova/nova.conf09:01
Kennanor glance-api.conf09:01
Kennanor neutron.conf09:02
henrynashwell $admin_user is a env variable that has been set I assume?09:03
henrynashsorry, I’m a bit unsure about which bit you are confused about09:04
KennanI remembered, in keystone_authtoken section09:05
Kennanwe usually use admin_user09:05
jamielennoxKennan: so some of those are deprecated and some services do the wrong things and use those variables09:06
Kennandid you notice this before?09:06
jamielennoxso the way devstack mostly does this is auth_plugin=password09:06
henrynashKennan: So not sure how nova is using that, but I assume that sets the credentias to be used when trying to talek to keystone as admin09:06
jamielennoxand then username= password= auth_url= and others09:06
jamielennoxthis is the newest way because you can use a different auth_plugin in future to do things like kerberos or SSL auth from auth_token09:06
jamielennoxthe older way only supports keystone v2 api09:07
jamielennoxand involves admin_user admin_password etc09:07
jamielennoxif you specify auth_plugin they'll be ignored09:07
Kennanjamielennox: you means09:07
Kennanadmin_user  and username can both exist in [keystone_authtoken] ?09:08
jamielennoxthe reason a few services still user the old admin_user etc is  because that service is reading those values (they shouldn't) and so we've been unable to move them to the newer options09:08
*** jaosorior has joined #openstack-keystone09:08
jamielennoxKennan: if auth_plugin is set yes it will ignore admin_user09:08
Kennanwhere is auth_plugin?09:09
Kennanjamielennox: could you give me a link about that change? like git commit code?09:10
Kennanfor change from admin_user to username09:10
*** belmoreira has joined #openstack-keystone09:10
Kennansome projects worried about that, because they auth user should have admin role09:11
Kennanso they think admin_user is better09:11
Kennanjamielennox: like heat did or ironic09:11
KennanI think09:11
jamielennoxright - this is because those projects use admin_user for there own purposes09:12
jamielennoxthey shouldn't - that's a bug09:12
Kennanjamielennox: what do you think the proper change for that ?  just rename admin_user to username ?09:13
Kennanor some other fix?09:13
Kennanfor those projects09:13
*** stevemar has joined #openstack-keystone09:20
*** stevemar has quit IRC09:22
*** fhubik has quit IRC09:24
*** fhubik_afk has quit IRC09:24
*** fhubik_afk has joined #openstack-keystone09:24
*** fhubik has joined #openstack-keystone09:24
*** fhubik_afk has quit IRC09:24
*** fhubik has quit IRC09:24
*** fhubik has joined #openstack-keystone09:25
openstackgerrityangxurong proposed openstack/keystone-specs: enable cross-sites KeyStone HA
*** henrynash has quit IRC09:30
*** juvenn has quit IRC09:39
jamielennoxKennan: no, for those projects if they need their own username and password, firstly - why, and then they manage their own credentials09:45
jamielennoxotherwise whenever we go and change options in auth_token people get broken09:45
*** aix has joined #openstack-keystone09:53
*** openstackgerrit has quit IRC09:53
*** davechen1 has left #openstack-keystone09:53
*** openstackgerrit has joined #openstack-keystone09:54
*** uschreiber_ has joined #openstack-keystone10:03
*** uschreiber_ has quit IRC10:05
*** henrynash has joined #openstack-keystone10:26
*** ChanServ sets mode: +v henrynash10:26
henrynashjamielennox: ping10:32
*** juvenn has joined #openstack-keystone10:33
*** mabrams has quit IRC10:34
*** markvoelker has joined #openstack-keystone10:34
*** lufix has quit IRC10:35
jamielennoxhenrynash: yup10:36
*** mabrams has joined #openstack-keystone10:37
henrynashjamielennox: so wanted to pick up on your (valid) question about the raw mode stuff10:37
*** dims has joined #openstack-keystone10:37
*** lufix has joined #openstack-keystone10:37
jamielennoxhenrynash: right - so let me have a look at the API10:38
jamielennoxi'm just wondering why this is so different a situation10:38
jamielennoxthe resource thing is fairly flawed anyway10:38
henrynashjamielennox: the config structure you return is not fixed…i.e. it only contains those attributes that have been set...hence I did the raw mode thing….although would10:38
*** juvenn has quit IRC10:39
jamielennoxhenrynash: this is the API:
*** markvoelker has quit IRC10:40
jamielennoxhmm, yea that's tough when you can ask for specific option values10:40
*** henrynash has quit IRC10:42
*** fhubik is now known as fhubik_afk10:45
*** henrynash has joined #openstack-keystone10:47
*** ChanServ sets mode: +v henrynash10:47
*** jistr_ has joined #openstack-keystone10:49
*** afazekas__ has joined #openstack-keystone10:49
*** fhubik_lunch has joined #openstack-keystone10:49
*** jistr has quit IRC10:51
*** fhubik_afk has quit IRC10:52
*** afazekas_ has quit IRC10:53
jamielennoxhenrynash: god i hate that resource class10:53
jamielennoxis there a known list of things that may be returned there?10:53
henrynashjamielennix: :-)10:53
*** freerunner has joined #openstack-keystone10:53
*** fhubik_meeting has joined #openstack-keystone10:54
*** fhubik_meeting is now known as fhubik_afk10:54
*** jistr_ has quit IRC10:54
*** fhubik_lunch has quit IRC10:54
henrynashjamielennox: so yes, there is a known set, this is controlled by code in the server (for security reasons, so someone doesn’t exposes somethig without being deliberate)10:54
*** afazekas__ has quit IRC10:54
henrynashjamielennox: it’s a big set (like 55 items)10:55
jamielennoxhenrynash: at top level?10:55
jamielennoxhenrynash: like "identity" and "ldap"10:55
jamielennoxi assume sql is also valid10:55
henrynashjamielennox: of which I would say 95% of the time will never be included, while maybe 3 or 4 of the options will be the ones taht will be set10:55
henrynashjamielennox: identity and ldap are the only two top levels we support right now10:56
henrynashjammielennox: since you can’t (yet) have more than one sql driver, we don’t support settings its detailed params yet via this API10:56
henrynashjammielennox: the “identity” top level item will only ever have one attribute within it, the “ldap” has 5 or so items thet *could* be set10:57
jamielennoxok, so we can do a resource fairly easily that way and just {'identity': {}, 'ldap': {}}.merge(resp.json()) because the attributes will only be top level10:57
jamielennoxbut that doesn't help us do the inner levels10:58
*** hogepodge has quit IRC10:58
henrynashjammelennox: agreed10:58
henrynashjamielennox: correction to my earlier statement: the “identity” top level item will only ever have one attribute within it, the “ldap” has 55 or so items thet *could* be set10:59
*** hogepodge has joined #openstack-keystone11:00
jamielennoxhenrynash: yea, i was thinking of it from like top level, not being able to drill down to individual values11:00
jamielennoxhenrynash: is there any way we could end up with a depth of more than two?11:00
jamielennoxgroup=None, option=None11:00
jamielennoxthat *args might be useful11:00
henrynashjamielennox: so I don’t think we support multiple group levels do we in oslo.config?11:01
jamielennoxhenrynash: screw it - keep it with dictionaries, skip the return_raw path and go direct to the self.client11:01
jamielennoxif you're not building resource_class objects then the helpers don't do anything useful11:02
henrynashjamielennox: ok, that will mean I kill the patch that enable raw mode for the other http methods11:03
jamielennoxhenrynash: yea - i think that's just kinda messy and you don't really use any of the helper parts of the functions11:04
henrynashjamielennox: will mull on it for a day or so more, before implementing in case we change our minds…but it felt like I was pushing a square peg into the infamous round hole11:04
jamielennoxi *guess* you could have a resource_class for if option and group are None - but i don't mind either way11:04
jamielennoxhenrynash: no worries - let me know11:05
jamielennoxi'm out for the night11:05
henrynashjamielennox: will do, thanks….go!11:05
*** samueldmq has joined #openstack-keystone11:05
*** jistr_ has joined #openstack-keystone11:06
samueldmqgood morning! :)11:07
*** afazekas__ has joined #openstack-keystone11:07
samueldmqmorganfainberg: samueldmq: there are 2 hard things in computer science, cache coherency and naming things.11:18
*** henrynash has quit IRC11:18
samueldmqI am trying to find a good name for the oslo.policy spec/blueprint for policy overlay :)11:18
*** dguerri is now known as dguerri`11:28
*** Kiall has quit IRC11:35
*** Kiall has joined #openstack-keystone11:35
*** markvoelker has joined #openstack-keystone11:35
samueldmqI think dynamic-policy-overlay sounds good11:36
samueldmqmordred: ^11:36
samueldmqmordred: oh, I meant morganfainberg, sorry :)11:36
samueldmqmordred: morning11:37
*** markvoelker has quit IRC11:40
*** iamjarvo has joined #openstack-keystone11:40
*** fhubik_afk is now known as fhubik_meeting11:41
*** dguerri` is now known as dguerri11:48
*** tobe_ has quit IRC11:49
*** markvoelker has joined #openstack-keystone11:55
*** hogepodge has quit IRC11:56
*** fhubik_meeting is now known as fhubik_afk12:00
*** hogepodge has joined #openstack-keystone12:02
*** iurygregory has joined #openstack-keystone12:07
*** iurygregory has quit IRC12:13
*** iurygregory has joined #openstack-keystone12:15
*** bknudson has quit IRC12:16
*** g2` has quit IRC12:17
*** raildo has joined #openstack-keystone12:25
*** edmondsw has joined #openstack-keystone12:27
*** dguerri is now known as dguerri`12:28
openstackgerritHenrique Truta proposed openstack/keystone-specs: API changes for Reseller
*** tellesnobrega has joined #openstack-keystone12:30
*** dguerri` is now known as dguerri12:32
*** csoukup has joined #openstack-keystone12:34
*** bknudson has joined #openstack-keystone12:36
*** ChanServ sets mode: +v bknudson12:36
*** mtreinish has quit IRC12:40
*** mtreinish has joined #openstack-keystone12:40
*** kiran-r has quit IRC12:44
*** iamjarvo has quit IRC12:52
*** piyanai has joined #openstack-keystone12:52
*** jsavak has joined #openstack-keystone12:53
*** ajayaa has joined #openstack-keystone12:56
*** henrynash has joined #openstack-keystone12:56
*** ChanServ sets mode: +v henrynash12:56
*** stevemar has joined #openstack-keystone12:57
ajayaaHi guys. What does this rule mean? "domain_admin_for_grants": "role:admin and (domain_id:%(domain_id)s or domain_id:%(target.project.domain_id)s)",12:57
*** radez_g0n3 is now known as radez12:57
*** josecastroleon has quit IRC12:57
ajayaa"domain_admin_for_grants": "role:admin and (domain_id:%(domain_id)s or domain_id:%(target.project.domain_id)s)",12:57
ajayaaDoes this mean I should be able to use a domain scoped token to list role assignments in a project owned by that domain?12:58
*** blewis has joined #openstack-keystone12:59
*** jasondotstar has joined #openstack-keystone13:00
*** hogepodge has quit IRC13:00
*** stevemar has quit IRC13:00
*** iamjarvo has joined #openstack-keystone13:00
*** iamjarvo has quit IRC13:01
*** hogepodge has joined #openstack-keystone13:02
*** dsirrine has joined #openstack-keystone13:02
*** fhubik_afk is now known as fhubik_meeting13:05
*** fifieldt has joined #openstack-keystone13:06
*** hogepodge has quit IRC13:11
*** hogepodge has joined #openstack-keystone13:12
*** gordc_ is now known as gordc13:14
*** jasondotstar has quit IRC13:20
*** henrynash has quit IRC13:21
*** jasondotstar has joined #openstack-keystone13:27
*** josecastroleon has joined #openstack-keystone13:28
*** richm has joined #openstack-keystone13:29
samueldmqajayaa: hello, this is a rule defined into the v3 cloud sample policy, right ?13:29
ajayaasamueldmq, yes13:29
samueldmqajayaa: where is this rule used ? which API ?13:29
samueldmqajayaa: ok, so ... to list grants, you must have either13:31
samueldmqajayaa: i) "role:admin and domain_id:%(domain_id)s":  admin role in the domain you are listing grants13:32
*** iamjarvo has joined #openstack-keystone13:33
*** edmondsw has quit IRC13:33
samueldmqajayaa: ii) "role:admin and domain_id:%(target.project.domain_id)s": admin role in the domain of the user's project you are trying to list grants for13:33
samueldmqajayaa: I think target there means users...13:33
samueldmqajayaa: however I don't know what project target.project maps to .. since a user may have access to multiple projects ?13:34
ajayaaWhat is an 'user's project'?13:34
samueldmqajayaa: so that's the part I wonder as well :-)13:34
ajayaaCurrently in my setup, I am trying to use a domain scoped token to list the assignments for a project in that domain.13:34
ajayaaBut the above mentioned rule does not work.13:35
samueldmqajayaa: what api are you using to list assignments ?13:35
ajayaaone sec. I had suspended my vm already. I am brining it up.13:35
samueldmqajayaa: you can list assignments with
samueldmqajayaa: that list_grants api will only give you back a list of roles13:36
samueldmqajayaa: list role asssignments api will give you the associations (target, actor, role)13:37
samueldmqajayaa: where target can be (project, domain) and actor can be (user,group) :-)13:37
ajayaaGET /v3/role_assignments?
ajayaamy bad. it's list_role_assignment.13:38
samueldmqajayaa: great so the rule protectign this api is list_role_assignment13:38
ajayaaWARNING keystone.common.wsgi [-] You are not authorized to perform the requested action, identity:list_role_assignments.13:38
*** afazekas__ has quit IRC13:38
samueldmqajayaa: so you were customizing in the wrong place ?13:38
ajayaaIt seems so. :)13:39
ajayaasamueldmq, Thanks.13:39
ajayaaLet me change list_role_assignments and see13:39
*** hogepodge has quit IRC13:39
samueldmqajayaa: np, please come back whenever you have questions13:39
ajayaaI am wondering though, what is list_grants then?13:39
samueldmqajayaa: sure ..13:39
ajayaaThese two are very similar in functionality.13:40
samueldmqajayaa: list_grants will only return the roles, and list_role_assignments will return assignment entities, as I described above13:40
samueldmqajayaa: yes they're very similiar in functionality13:40
ajayaasamueldmq, got it. missed your earlier comments.13:40
ajayaaThanks for your help.13:41
*** hogepodge has joined #openstack-keystone13:41
*** jasondotstar has quit IRC13:41
samueldmqajayaa: we introduced list_role_assignments later as a separate API because we didn't want to break backwards compability13:41
samueldmqajayaa: np, glad to help13:41
*** jasondotstar has joined #openstack-keystone13:42
*** edmondsw has joined #openstack-keystone13:44
openstackgerritMerged openstack/oslo.policy: Add tox target to find missing requirements
ajayaasamueldq, nah, it still does not work.13:51
ajayaasamueldmq, ^^13:51
ajayaaI think domain_id of the project is not available to the policy engine.13:51
ajayaaNeed to debug it and see though.13:51
samueldmqajayaa: what do you want to be able to do ?13:53
ajayaaI want to be able to use a domain scoped token to list assignments for a project that lies in that domain.13:54
ajayaaseems fair?13:54
ajayaasamueldmq ^^13:55
samueldmqajayaa: why not use a project scoped token to list assignments on that specific project ?13:55
samueldmqajayaa: I mean, a token scoped to projects for project-specific worflows13:55
samueldmqajayaa: you should be able to do so with what you have defined there (
ajayaaSince a domain is a customer for us and usually there is a single admin for a domain. I want him to be able to list assignments for projects inside his domain.13:56
samueldmqajayaa: however ... to do what you want, we should be able to define something like : rule:admin_required and domain_id:%(scope.project.domain_id)s13:57
ajayaaOtherwise if he has 100 projects in a domain, he needs to assign himself role on 100 projects.13:57
samueldmqajayaa: hehe do you know inherited role assignments ?13:57
ajayaa 94     "domain_admin_for_grants": "rule:tenant_admin_required and (domain_id:%(domain_id)s or domain_id:%(target.project.domain_id)s or domain_id:%(scope.project.domain_id)s)",13:58
*** sigmavirus24_awa is now known as sigmavirus2413:58
ajayaaThis is how my rule looks like now.13:58
ajayaaBut still no luck.13:58
*** jasondotstar has quit IRC13:58
samueldmqajayaa: if you assign an inherited role assignment in a domain, and that role will be applied to all projects in that domain instead13:58
samueldmqajayaa: what is rule:tenant_admin_required ?13:58
*** boris-42 has joined #openstack-keystone13:59
ajayaasamueldmq, role:admin13:59
ajayaaWe are using Kilo and the api was experimental in Kilo afaik.13:59
samueldmqajayaa: hmm13:59
*** jsavak has quit IRC14:00
ajayaaBut if there is no other option we might be inclined to use it though.14:00
samueldmqajayaa: try : "admin_on_project_filter" : "rule:admin_required and (project_id:%(scope.project.domain_id)s or project_id:%("14:01
*** jsavak has joined #openstack-keystone14:02
samueldmqajayaa: I am assumming you are providing filter in your request14:02
samueldmqajayaa: I defined two possible ways to get the domain id from the project ... scope.project.domain_id and scope.project.domain.id14:02
ajayaasamueldmq, Tried with both, but didn't work.14:03
samueldmqajayaa: so I guess we can't get to the project's domain that way14:04
ajayaasamueldmq, Yes.14:04
samueldmqajayaa: when you provide the filter in the request, we still haven't access to its domain at this level14:05
ajayaasamueldmq, Yes. That seems to be the case.14:05
dimscores, fyi 1.1.1 pythonkeystoneclient on its way from stable/juno based on request from fungi (
openstackLaunchpad bug 1468395 in python-keystoneclient "Versions of oslo.i18n higher than 1.17.0 cause ImportError" [Undecided,Confirmed]14:05
samueldmqajayaa: however consider assigning an inherited role assignment in the domain14:06
samueldmqajayaa: and getting project scoped tokens when listing assignments on that domain14:06
samueldmqajayaa: that's one possiblity, however I think we should provide enough flexibitity to allow you to do the other way14:07
*** blewis` has joined #openstack-keystone14:08
ajayaasamueldmq, Yes. Even I think the same way. We should be able to do this without using work-around. By work-around I mean different feature altogether. I am not trying to undermine the inherited role assignment feature in any way.14:09
ajayaamaybe I will file a bug report in launchpad.14:09
*** nkinder has joined #openstack-keystone14:09
ajayaaWhat do you think, samueldmq?14:10
*** fhubik_meeting is now known as fhubik_afk14:10
samueldmqajayaa: just found this : bug #143740714:10
openstackbug 1437407 in Keystone "With using V3 cloud admin policy, domain admin unable to list role assignment for projects in his domain" [Medium,In progress] - Assigned to Guang Yee (guang-yee)14:10
samueldmqajayaa: looks to be exactly what you want ..14:10
*** blewis has quit IRC14:11
ajayaasamueldmq, Thanks for digging that out.14:14
samueldmqajayaa: np14:14
ajayaaFrom the gerrit patches it seems that this feature will land in L cycle and may not go to Kilo.14:15
ajayaasamueldmq ^^14:16
samueldmqajayaa: yes, if we merge that, it will certainly land in L14:16
*** g2` has joined #openstack-keystone14:16
ajayaaThe graph led me to the above spec.14:16
ajayaasamueldmq ^^14:16
samueldmqajayaa: yes, I agree that spec will be bringing the solution for you requirement :-)14:18
*** stevemar has joined #openstack-keystone14:19
*** r-daneel has joined #openstack-keystone14:19
*** dims has quit IRC14:21
*** henrynash has joined #openstack-keystone14:23
*** ChanServ sets mode: +v henrynash14:23
ajayaasamueldmq, The weird thing is, this discussed rule works while doing create_grant. But not in list_role_assignments.14:24
*** dims has joined #openstack-keystone14:24
*** jasondotstar has joined #openstack-keystone14:24
samueldmqajayaa: the spec talks about list_role_assignemtns14:25
*** fhubik_afk is now known as fhubik_meeting14:25
ajayaasamueldmq, agreed. But from a user's POV this thing is very very weird. There could be hundred reasons for this feature not working.14:26
ajayaaIf you ask someone who doesn't have experience working in Openstack, he will consider it a bug.14:27
samueldmqajayaa: yes we recognize this as being a lack in keystone14:29
*** fhubik_meeting is now known as fhubik_afk14:29
samueldmqajayaa: that's the reason we are addressing that, as a spec, since we are adding a new capability14:29
ajayaabackports? samueldmq14:30
samueldmqajayaa: the way we're addressing that we can't backport14:30
ajayaaI mean, what about people who are not running master?14:30
samueldmqajayaa: they'll get it in the next release14:31
ajayaasamueldmq, :(14:31
samueldmqajayaa: backporting it would be addressed if we allowed to do so with the existing domain_id checks14:31
samueldmqajayaa: (as described in the Alternatives seciton of that spec)14:31
samueldmqs/would be/could be14:32
*** henrynash has quit IRC14:32
samueldmqajayaa: well, you can talk to other people and see what the possibilities are .. to have a backportable solution14:32
samueldmqajayaa: henrynash is the right guy .. I didn't see he was here (just left) :(14:33
samueldmqajayaa: he's the one proposing that spec14:33
ajayaasamueldmq, I will just put it on the next meeting agenda and see what everyone has to say.14:33
samueldmqajayaa: sounds good .. get familiar to that spec to understand what is being proposed though :)14:34
ajayaasamueldmq, agrees. That's the first thing on my todo list.14:34
samueldmqajayaa: nice :)14:35
*** ayoung has joined #openstack-keystone14:38
*** ChanServ sets mode: +v ayoung14:38
*** piyanai has quit IRC14:42
*** jasondotstar has quit IRC14:42
*** amakarov_away is now known as amakarov14:43
*** mabrams has left #openstack-keystone14:46
*** HT_sergio has joined #openstack-keystone14:46
*** piyanai has joined #openstack-keystone14:47
*** piyanai has quit IRC14:47
*** jasondotstar has joined #openstack-keystone14:47
*** piyanai has joined #openstack-keystone14:47
*** jasondotstar has quit IRC14:48
*** ajayaa has quit IRC14:49
*** timsim has left #openstack-keystone14:49
*** piyanai has quit IRC14:52
*** piyanai has joined #openstack-keystone14:52
*** piyanai has quit IRC14:52
dstaneksimple review anyone?
marekddstanek: done.14:55
dstanekmarekd: thx14:55
*** diazjf has joined #openstack-keystone14:58
samueldmqdstanek: just took a look, and learned about %r :_14:59
*** kiran-r has joined #openstack-keystone15:01
*** henrynash has joined #openstack-keystone15:01
*** ChanServ sets mode: +v henrynash15:01
*** jecarey has joined #openstack-keystone15:01
*** jasondotstar has joined #openstack-keystone15:04
*** zzzeek has joined #openstack-keystone15:07
*** fhubik_afk is now known as fhubik_meeting15:09
openstackgerritSteve Martinelli proposed openstack/keystone: Generate new config options for oslo.cache
dstanekstevemar: that oslo.cache unicode error is quite strange15:20
dimsdstanek: without that the py34 tox target fails15:20
ayoungamakarov, do you still need the invitation letter?15:22
*** kiran-r has quit IRC15:22
dstanekdims: is that new behavior in olso.cache?15:23
amakarovayoung, hi! Thanks, I've already received it and even brought to the embassy :)15:23
ayoungamakarov, excellent.  Looking forward to seing you15:23
dimsdstanek: the code was never run with py34 is what i remember15:23
*** e0ne has joined #openstack-keystone15:23
dstanekstevemar: dims: oh, is this what you are currently discussing in #openstack-oslo?15:23
stevemardstanek: yep :)15:24
stevemardstanek: join the club15:24
dimsack :)15:24
amakarovayoung, btw, about unified delegations: it has to include OAuth, right?15:24
*** e0ne is now known as e0ne_15:25
ayoungamakarov, to be clear, it should include the existing OAUTH1 extension, not OAUTH as a federation protocol. But yes.15:25
*** e0ne_ is now known as e0ne15:25
amakarovayoung, is it needed to be convertible to SAML assertion then?15:25
amakarovor it will be done by some other module?15:26
*** kfox1111 has joined #openstack-keystone15:26
*** david-ly_ is now known as david-lyle15:27
ayoungamakarov, I don't think it needs to be convertd to a SAML module.  SAML means two things15:27
ayoungeither Federation or K2K15:27
ayoungunified delegation is more internal15:27
ayoungit is unifying the following:  role assignments, trusts, OAUTH115:28
*** rlt__ has joined #openstack-keystone15:28
*** geoffarnold has quit IRC15:28
ayoungamakarov, So, While Federation would use it, and while K2K would use it, neither are integral to the effort.  Unless I am missing something?15:28
*** rlt_ has quit IRC15:29
*** belmoreira has quit IRC15:29
amakarovayoung, shall we have revocation events?15:31
ayoungamakarov, um...again, orthoganal concern, I think, to unified delegation.15:31
ayoungamakarov, why do you ask that...I hear gears grinding away...15:32
*** jsavak has quit IRC15:32
amakarovayoung, I think delegations will be connected to revocation engine if the latter persist15:32
ayoungamakarov, ah, yes.15:32
*** thedodd has joined #openstack-keystone15:32
amakarovayoung, and it heve to be taken into account15:32
ayoungamakarov, so, yeah, changes in the delegation agreements would trigger revocations15:32
ayoungI don't think it would be radically diffeent from what we have today, but, yeah, any changes in the overall structure could affect new classes of revocations, or at least trigger existing ones in new ways15:33
amakarovayoung, and speaking of revocation engine: what are you planning to do with this:
ayoungdolphm, speaking of were pushing for groups in the tokens, and you were saying you had never seen groups from LDAP.  Do you see a need for User groups as a reusable resource inside of Keystone?15:34
ayoungamakarov, Ha15:35
amakarovayoung, yes? :)15:35
ayoungamakarov, I don't know...I have enough stuff I am juggling, and I kindof feel like other people care more about revocation events than I do.  I don't want to hold people up.15:35
ayoungamakarov, for the moment, I think there is little reason to push revocatin events into the middleware check15:36
*** ajayaa has joined #openstack-keystone15:36
ayoungif we did, it would mean that people could keep using PKI tokens, but I suspect that the number of people that want that is quite small15:36
ayoungI was thinking that before we did any more work this way, we would let the issues with Fernet shake out, then look again at doing something with PKI if we felt there was sufficient justification15:37
amakarovayoung, just today I had a call from the people who use actually them (planing to migrate to Fernet though)15:37
ayoungamakarov, However, K2K removed one of the biggest reasons I was pushing PKI, so I am kindof willing at this point to let it go15:37
*** kiran-r has joined #openstack-keystone15:38
*** lufix has quit IRC15:38
* dstanek pictures ayoung dancing to the theme song of Frozen15:39
ayoungamakarov, I'm guessing that Fernet is good enough for the foreseeable future.  I'd like to work through unified delegation before ever looking at different token formats.  But, before that, I think the highest priority is straightening out policy enforcement15:39
*** jasondotstar has quit IRC15:40
morganfainbergamakarov: I have a chain of patches in active development that is addressing some oddities in fernet.15:41
morganfainbergamakarov: FYI.15:41
amakarovayoung, I wonder if we need delegations at all if policies will be flexible enough...15:41
morganfainbergThere is one relatively large bug. Expiry is not maintained over rescope15:41
kfox1111morganfainberg: A thought. For x509 instance users, we need an authentication error besides 401 or 403. We need a, go get a new cert, your current one's no longer valid?15:42
amakarovmorganfainberg, so any token given away may be maintained to be eternal?15:42
morganfainbergkfox1111: that should be CRL or look at the certs attributes. Not something keystone needs to communicate differently than http (we can add extra data to the error I guess but 401/403 is correct)15:43
morganfainbergamakarov: yes. Rescope changes expiration now with fernet.15:44
kfox1111so the instance would try and talk to keystone, get a 401 or 403, then have to fetch the crl, check that it indeed is bad, then go back to phase 1?15:44
kfox1111I do like the extra data idea. makes it simpler to handle.15:45
morganfainbergkfox1111: you might want to check CRL to start.15:45
morganfainbergIf there is a CRL to check (may not be)15:45
kfox1111more http requests that way. would scale better to just try and on the error case, then recover since that should be much less common.15:46
morganfainbergkfox1111: most clients check the CRL if they care.15:46
morganfainbergI don't really care which way you cut that ;)15:46
*** e0ne has quit IRC15:46
kfox1111I was kind of wondering about the CRL bits... It might get quite large if we don't expire frequently?15:47
*** kiran-r has quit IRC15:47
morganfainbergkfox1111: I suggest reading up on PKI in general15:47
kfox1111I know most of it. I have'nt studied CRL's though.15:47
kfox1111I'll have a look.15:48
*** e0ne has joined #openstack-keystone15:48
*** dsirrine_ has joined #openstack-keystone15:48
morganfainbergLook into CRLs they've been around for a loooong time.15:48
kfox1111with instances coming and going, It may become a scalability issue.15:48
amakarovmorganfainberg, thanks, I'll see it15:49
morganfainbergOnly if you explicitly revoke a cert15:49
*** jasondotstar has joined #openstack-keystone15:49
morganfainbergVs short lived certs15:49
kfox1111which I think you'd want to do when a vm gets deleted?15:49
morganfainbergShort-ish lived.15:49
morganfainbergUp to you. I'm not designing that part. ;)15:49
morganfainbergI'm just pointing out how these things work.15:49
kfox1111yeah. so the tradeoff is, lengh of cert lifetime vs crl length?15:50
morganfainbergOf if you care about revoking certs at all15:50
*** dsirrine has quit IRC15:50
*** jasondotstar has quit IRC15:50
*** browne has joined #openstack-keystone15:51
kfox1111if you make lifetime short enough you don't care, your almost in the realm of just using keystone tokens as the mechansim somehow... ;)15:51
*** jasondotstar has joined #openstack-keystone15:51
*** e0ne is now known as e0ne_15:53
amakarovmorganfainberg, looks like we don't have regression for token expiration at all if such behaviour is possible.15:54
amakarovregression tests15:54
morganfainbergamakarov: we don't. It is very hard to test that without significant test increases.15:55
*** e0ne_ is now known as e0ne15:55
morganfainbergThe real issue is fernet tokens are a totally separate code path from other token issuance15:55
morganfainbergAnd such display a number of bad edge cases.15:56
morganfainbergIf you look at that chain, the next few patches will solve that and make the fernet tokens issue the same way as normal tokens.15:56
morganfainbergI'm very disappointed that fernet tokens were developed like this.15:56
* morganfainberg is playing janitor.15:56
lbragstadmorganfainberg: for this
openstackLaunchpad bug 1469563 in Keystone liberty "Fernet tokens do not maintain expires time across rescope (V2 tokens)" [High,In progress] - Assigned to Morgan Fainberg (mdrnstm)15:57
lbragstadmorganfainberg:  do you have a link to an existing patch? OpenStack Infra assigned it to you and marked it as "in progess" but didn't link the review15:57
morganfainberglbragstad: if you read scroll back. But sec.15:58
amakarovmorganfainberg, "it already glitches" - is just a stage in software lifecycle :)15:58
lbragstadmorganfainberg: awesome15:58
morganfainbergamakarov: no. This was because fernet created a separate code path that was largely untested.15:58
morganfainbergamakarov: instead of working to keep it in line with the other providers.15:59
kfox1111the issues around the crl are ... unfortunate...15:59
*** jistr_ has quit IRC15:59
kfox1111we maybe solving one issue to turn around and create another. :/15:59
morganfainbergamakarov: and this causes all sorts of edge cases.16:00
*** Akshay00 has joined #openstack-keystone16:00
* amakarov goes to the corner16:00
bknudsonkfox1111: check out anchor --
kfox1111the crl doesn't look to be very scalable? outside of having multiple? then keystone would need to check multiple.16:00
*** gyee has joined #openstack-keystone16:00
*** ChanServ sets mode: +v gyee16:00
*** topol has joined #openstack-keystone16:00
*** ChanServ sets mode: +v topol16:00
morganfainbergamakarov: it is far from anyone's fault. I part I'm having issue with is that there hasn't been an effort to continue the cleanup.16:01
kfox1111bknudson: thakns. any archetectural documentation? that page is rather sparse on detail.16:02
kfox1111it claims to have solved the issue, but not how.16:02
bknudsonkfox1111: there must have been a presentation at the summit, which would have been recorded.16:02
kfox1111does it simply keep certificate lifetime really really short?16:02
bknudsonkfox1111: yes, that's it's trick16:03
kfox1111k. so for instance users, keeping the cert really really short doesn't have much advantage I think over just getting keystone tokens through some other mechanism, since keystone tokens also are very very short lived?16:04
amakarovmorganfainberg, I'll check the rest of your chain then )16:04
morganfainberglbragstad: if you have some cycles I could use some help solving the last bugs or so in that chain.16:04
morganfainberglbragstad: still seeing ~6 failures around trusts.16:04
lbragstadmorganfainberg: sure thing, I'm digging into ^ that one now16:05
morganfainberglbragstad: and the next step is to make it so fernet uses the common provider, just does the Id generation in .get_id16:05
morganfainbergOr whatever that method is.16:05
morganfainbergThen same thing for v3 fernet.16:05
*** ajayaa has quit IRC16:05
lbragstadmorganfainberg: you want to build the fernet.provider into the common.provider?16:06
morganfainbergWe will still need the issue_v*_token method to punt out binds16:06
kfox1111hmm.... wikipedia's crl article metions OCSP as an alternate.16:06
kfox1111has anyone looked at that?16:06
morganfainbergNo, I just want fernet to not reimplement issue_v*_token and validate_v*_token uselessly16:06
*** kiran-r has joined #openstack-keystone16:07
morganfainbergIt makes it hard to maintain the code since you have two distinct code paths.16:07
morganfainberglbragstad: the goal is to make fernet' logic not need to re-implement it. (Ok the v2 token part, yes we're merging most of that over)16:07
*** tqtran has joined #openstack-keystone16:07
lbragstadmorganfainberg: makes sense16:08
*** rwsu has joined #openstack-keystone16:08
morganfainbergMostly fernet can just implement the ID logic in the ._get_token_id method16:08
morganfainbergThe formatters and all that should still be in the fernet only provider16:08
morganfainbergbknudson: anchor looks like a cool project.16:09
*** iamjarvo has quit IRC16:09
*** fhubik_meeting has quit IRC16:09
kfox1111ah... interesting... so nova could provide an OCSP responder as part of the solution. it would simply check against if the vm is marked deleted in the nova db. keystone could then ask nova is the cert valid on request.16:09
kfox1111bknudson: Thanks, I'll take a look.16:10
*** geoffarnold has joined #openstack-keystone16:10
kfox1111then there is no crl or scaling issue. keystone and nova api's would scale together.16:10
kfox1111details here:
*** kiran-r has quit IRC16:11
dimsmorganfainberg: can you please bless as otherwise keystone will break with a oslo.service release this afternoon?16:14
morganfainbergdims: sec16:14
morganfainbergdims: then I'd need to ask you to unpush the release. And we don't want that... +a16:15
openstackgerritRodrigo Duarte proposed openstack/keystone: Refactor: expand_ref() in resource/
*** henrynash has quit IRC16:17
*** dramakri has joined #openstack-keystone16:17
*** jasondotstar has quit IRC16:17
*** dramakri has left #openstack-keystone16:17
dimsthanks morganfainberg!16:18
*** henrynash has joined #openstack-keystone16:19
*** ChanServ sets mode: +v henrynash16:19
bknudsonstevemar: morganfainberg: what do you think about a feature branch for  (oslo.cache use)16:21
bknudsonthe oslo.cache interface isn't going to be stable until 1.016:21
morganfainbergbknudson: if you think it'll make things easier, 100% for it.16:21
bknudsonalso, probably should have done the same for oslo.service. although I don't expect the interface to change as much16:21
morganfainbergbknudson: if you think it'll be not a big win, I'm fine with it staying WIP16:22
bknudsonWIP is probably easier then we don't have to do merges to keep it in sync16:22
bknudsonI'm just not sure how long it's going to take to get to 1.016:23
*** slberger has joined #openstack-keystone16:23
bknudsonand I'd like to see the smaller commits in keystone.16:23
*** kiran-r has joined #openstack-keystone16:25
*** packet has joined #openstack-keystone16:25
stevemarbknudson: i dont think its necessary tbh, i'm okay with maintaining that patch while oslo.cache sorts itself out16:26
kfox1111is keystone using m2crypto or some other library?16:26
*** jsavak has joined #openstack-keystone16:28
*** kiran-r has quit IRC16:30
*** kiran-r has joined #openstack-keystone16:30
*** _cjones_ has joined #openstack-keystone16:32
morganfainbergkfox1111: not m2crypto. That library is pretty much dead16:34
morganfainbergbknudson: let's keep it WIP then.16:34
morganfainbergstevemar: ^ cc16:34
bknudsonok. if it gets too annoying we can create a feature branch.16:35
*** _kiran_ has joined #openstack-keystone16:35
bknudsonthere's going to be a lot of changes to the oslo.cache api16:35
*** henrynash has quit IRC16:35
*** solomondg has joined #openstack-keystone16:36
*** kiran-r has quit IRC16:36
dimsbknudson: the only people working on the api will be the folks here :)16:36
dimsso that should help16:37
*** henrynash has joined #openstack-keystone16:39
*** ChanServ sets mode: +v henrynash16:39
*** dguerri is now known as dguerri`16:40
*** _cjones_ has quit IRC16:43
*** _cjones_ has joined #openstack-keystone16:43
*** woodster_ has joined #openstack-keystone16:44
*** henrynash has quit IRC16:45
*** jasondotstar has joined #openstack-keystone16:46
kfox1111morganfainberg: What's being used then? openssl cli?16:46
morganfainbergIn PKI tokens, yes16:46
*** csoukup has quit IRC16:47
openstackgerritLance Bragstad proposed openstack/keystone: Maintain the expiry of v2 fernet tokens
*** henrynash has joined #openstack-keystone16:47
*** ChanServ sets mode: +v henrynash16:47
*** jasondotstar has quit IRC16:47
*** _kiran_ has quit IRC16:47
morganfainbergThere are many reasons - this is the least16:47
morganfainbergOf the bad ideas for when pki tokens started out16:47
morganfainberglbragstad: fwiw, we already have a test for that. Just didn't hit fernet tokens16:48
morganfainberglbragstad: because fernet tokens use a different code path.16:48
morganfainbergThe fact that we need a new test16:49
morganfainbergClasse for fernet makes me sad :(16:49
kfox1111ok. cause I wasn't seeing any OCSP code in m2crypto, but the cli seems to support it.16:49
morganfainbergkfox1111: yeah assume m2crypto is dead.16:49
lbragstadmorganfainberg: dolphm and I were looking to consolidating some of the16:50
lbragstadso that we have a single test class that describes the token bahvior16:50
morganfainberglbragstad: well keep chasing my chain and you'll see its headed that way16:50
kfox1111did the validation example I gave make sense? I realized I was asking in the wrong channel, so you might not have sen it.16:50
morganfainbergSince you won't need to have custom tests for "is basic token stuff working"16:51
lbragstadmorganfainberg: here is what I was doing
morganfainberglbragstad: I'd DRY the token provider code first.16:51
morganfainbergIt'll make your drying up the test code easier m16:52
lbragstadmorganfainberg: that's the first stab at trying to consolidate all the test functionality into a single class (DRYing the test code)16:52
*** spandhe has joined #openstack-keystone16:57
*** kfox1111 is now known as kfox1111_away16:58
openstackgerritAlberto Murillo proposed openstack/keystone: disable admin_token by default
samueldmqmorganfainberg, ayoung : I am writing the oslo.policy spec and I've a question ..16:59
ayoungfire away as always samueldmq16:59
*** eandersson has joined #openstack-keystone16:59
*** e0ne has quit IRC16:59
samueldmqdepending on our cache strategy, if (from Keystone) we say to Middleware: 'this is the policy you asked for, but only use it in X seconds'16:59
eanderssonAnyone using Ansible and Keystone V3 here?16:59
stevemareandersson: everyone from rax?17:00
samueldmqit is Middleware job to know the right time to call oslo.policy to do the overlay, right ?17:00
dstanekeandersson: i've been playing with a module do to V3, but not much else17:00
eanderssonWe are looking at using it, but it does not look like V3 is supported yet.17:00
samueldmqand then write to the file17:00
samueldmqayoung: morganfainberg ^17:00
stevemareandersson: go to #openstack-ansible - and ping sigmavirus24 dolphm and lbragstad17:01
eanderssonAwh, dstanek. I was thinking of implementing it, but didnt' want to re-invent the wheel if possible.17:01
samueldmqayoung: morganfainberg in other words, oslo.policy only offers the call to overlay and then write to policy.json17:01
stevemarthey have a ton of playbooks available17:01
dstanekeandersson: you are correct.17:01
eanderssonAwesome! Thanks17:01
*** fangzhou has joined #openstack-keystone17:01
sigmavirus24we're on our way there at least17:01
sigmavirus24I'm working on it specifically right now17:01
dstaneki think sigmavirus24 was talking abouit it this morning17:01
eanderssonBeen looking for some information on this for hours.17:01
sigmavirus24Our current library module for ansible that adds users and such is on v217:01
ayoungeandersson, I don't tihnk the stock playbooks support v3 across the board yet17:01
eanderssonJoin openstack-keystone and bam!17:01
lbragstadeandersson: what are you looking to accomplish?17:01
sigmavirus24But we're adding federation bits so we're converting to v317:02
lbragstadeandersson: playbooks fo days!17:02
stevemarwe are here but to serve17:02
sigmavirus24stevemar: identify and serve ;)17:02
ayoungsamueldmq, processsing....17:02
* lbragstad thinks that should be on a shirt17:02
* sigmavirus24 was heading off to lunch though17:02
ayoungsamueldmq, I think that is right.17:02
eanderssonWe are looking into using it for orchestration (creating new vms etc)17:03
eanderssonbut we are using domain-tokens, so V2 won't cut it :p17:03
ayoungsamueldmq, I really thinkg we are going to need to prototype this out.  I think we are doing things backwards by writing the specs first...and I know how weird it sounds to say that17:03
ayoungeandersson, wanna see something cool?17:03
samueldmqayoung: great, I will be submitting the spec in a bit17:03
samueldmqayoung: I will update the other 2 specs as well (policy fetch and catch + policy by URL)17:04
samueldmqayoung: before sending the FFE email for Dynamci Policies17:04
ayoungeandersson, ^^ is my code fro building dev environments.  I got it to run as an ansible module...its very much a WIP17:04
samueldmqayoung: sounds good ?17:04
ayoungsamueldmq, sounds good17:04
*** spandhe has quit IRC17:05
*** lhcheng has joined #openstack-keystone17:07
*** ChanServ sets mode: +v lhcheng17:07
*** lhcheng_ has joined #openstack-keystone17:08
*** lsmola has quit IRC17:09
*** Akshay00 has quit IRC17:10
lbragstadeandersson: there is also setup stuff here
*** lhcheng has quit IRC17:11
*** RichardRaseley has joined #openstack-keystone17:12
*** Akshay00 has joined #openstack-keystone17:13
eanderssonNice thanks lbragstad17:13
*** ankita_wagh has joined #openstack-keystone17:14
*** jasondotstar has joined #openstack-keystone17:15
*** sigmavirus24 is now known as sigmavirus24_awa17:15
*** HT_sergio has quit IRC17:17
*** afaranha has joined #openstack-keystone17:20
*** afaranha has left #openstack-keystone17:21
openstackgerritMerged openstack/keystone: Use oslo.service ServiceBase when loading from eventlet
*** Akshay00 has quit IRC17:24
*** hogepodge has quit IRC17:26
david8huayoung, samueldmg, we got to look at this from user and service perspective.17:26
samueldmqdavid8hu: hey17:27
*** hogepodge has joined #openstack-keystone17:27
samueldmqdavid8hu: at where to put the caching logic ?17:27
*** browne has quit IRC17:28
ayoungdavid8hu, from the user perspective, it should be invisible17:28
samueldmqdavid8hu: so .. from user perspective it doesn't matter, the feature works the same at the end17:28
samueldmqayoung: ++17:28
ayoungfrom the service standpoint, it should be fetch and cache17:28
david8husamueldmq,  Let me look at the diagram.  It's been couple of days.17:29
ayoungsamueldmq, david8hu my thought was we make a pattern of "fetch before we need it"17:29
ayoungI would love it if fetching the new ... whatever (in this case policy file) is done by a dedicated process, and then put into a tempt file17:29
ayoungthen, activating the new one is done as an atomic rename17:30
samueldmqayoung: yeah, that's where the middleware wait with the policy in hands ("don't use it before X seconds") and calls oslo.policy in the right time17:30
david8huayoung, samueldmq,  Fetch it before it initializes the policy enforcer.17:30
*** WormMan has joined #openstack-keystone17:30
samueldmqayoung: that's synchronized with our solution for multiple processes behind an HAprox17:30
samueldmqdavid8hu: sure, what we're talking about is the mechanism to, based on a dict of custom rules17:31
ayoungI could see a cache-sync process over time that does:  1 write lock file. 2.  fetch policy.  3. write policy to temp dire.  4. remove lock file17:31
samueldmqdavid8hu: overlay the policy.json17:32
*** dontalton has joined #openstack-keystone17:32
samueldmqdavid8hu: this processing is done by oslo.policy17:32
*** ajayaa has joined #openstack-keystone17:32
ayoungthen, if a second process gets kicked off, it sees the lock file and just exists17:32
WormMansigh, ok, I've convinced keystone to auth to ldap. And I think I put one of my ldap users as a member of a project in the default(sql) domain. Now, how on earth do I tell the openstack command line that I want to do a 'server list' with my ldap user for that other project/domain17:32
ayoungWormMan, V2 or V3?17:32
samueldmqayoung: multiple middlewares for the same service process ?17:32
WormManayoung: v317:32
ayoungWormMan, and...try using the openstack common CLI17:33
WormManayoung: exactly.17:33
ayoungah, you are...ok/17:33
ayoungWormMan, OK,  so  I typically havea V3 file.  You need to specify domain for both identity (user) and for assignemtn (project)17:33
ayoungI'll paste a sterilized on... one sec17:33
david8husamueldmq, so, it is the oslo.policy changes you were refering to last Friday.17:33
ayoungWormMan, also, if yoiu were using the Service token before, make sure you unset...17:35
david8huayoung, samueldmq, Why not treat it like how Samba does it.  Opportunistic locking.17:35
samueldmqdavid8hu: exactly17:35
samueldmqdavid8hu: ayoung just a sec17:36
*** jasondotstar has quit IRC17:37
ayoungWormMan, and unset OS_SERVICE_TOKEN17:37
ayoungdavid8hu, yep, something like that17:37
WormManayoung: thanks, obviously I was using the wrong mix of command line options that didn't quite match that17:37
WormManayoung: I'll also point out just how intuitive this whole thing is :)17:37
ayoungWormMan, I tend to put those unset calls right into the .rc17:37
WormManI won't even mention how annoying it is that it seems that the service token can't simply 'do everything' when a v3 policy.json is in place17:38
WormMan(expected, but annoying)17:39
WormMannow, of course, I need to get this whole set of setup into puppet so I can actually replicate it17:41
samueldmqayoung: david8hu morganfainberg 'policy: Dynamic Policies Overlay' (
samueldmq^ first version of the oslo.policy spec17:42
samueldmqcontaining trailing spaces btw :(17:43
ayoungsamueldmq, cool.  You do have some whitespace17:43
samueldmqayoung: done!17:43
ayoungsamueldmq, OK, so we need this to explicitly sate how the overlay is going to work:  the stock policy will be left in polace, but rules that are defined in both stock and overlay will get the overlay version17:45
ayoungsuspect we'll want a flag for leaving the default in place or not, but that can be a different spec17:45
samueldmqayoung: I said that in the task in 'Work Items'17:45
samueldmqayoung: maybe I need to make that explicit earlier17:45
ayoungsamueldmq, looking17:45
*** jaosorior has quit IRC17:46
ayoungyeah, I think in the proposed change portion17:46
samueldmqayoung: ++17:46
samueldmqayoung: please leave a review with any other comments you have, if any :)17:46
samueldmqayoung: so I can fix at once17:47
*** Ephur has joined #openstack-keystone17:47
*** jaosorior has joined #openstack-keystone17:47
samueldmqayoung: always need to google when you guys use abbreviations :-)17:47
david8husamueldmq, I assume the interface to policy will remain the same?17:48
samueldmqdavid8hu: for customizing policies ?17:48
samueldmqdavid8hu: for now yes, we are putting the dynamic fetch/cache in place17:48
david8husamueldmq, yes, I am trying to figure the impact to services like nova.17:48
samueldmqdavid8hu: later we'll improve the way we customize: granularly, hierarchical roles, and so on17:49
samueldmqdavid8hu: nova won't know anything about dynamic policies, it will find the policy.json file there as it does today17:49
samueldmqdavid8hu: we might have updated that when the request came to middleware, i.e ealier in the pipeline :)17:50
*** HT_sergio has joined #openstack-keystone17:52
samueldmqayoung: thanks17:52
david8husamueldmq, I think I understands it now.  The overlay spec is simply to support customized policy on top of stack policy?17:54
david8husamueldmq, I meant s/stack/stock.17:54
samueldmqdavid8hu: yes, it is just how we overlay it :)17:54
samueldmqdavid8hu: and this work is done by oslo.policy17:54
samueldmqdavid8hu: oslo.policy.overlay({'compute:create_server': ''})17:55
samueldmqdavid8hu: oslo.policy knows where the stock policy file is (it's in its configs) :)17:55
david8husamueldmq, There is going to be a lib function or 2 to support this.17:56
samueldmqdavid8hu: yeah, just a single one I think, very simple17:56
samueldmqdavid8hu: isn't it ?17:56
*** jasondotstar has joined #openstack-keystone17:57
*** csoukup has joined #openstack-keystone17:57
david8husamueldmq, How will it know that there is an update to this customized policy?17:57
samueldmqayoung: in the problem description I will introduce what Stock and Dynamic Policies are, just to contextualize17:58
samueldmqdavid8hu: oslo.policy doesn't know, and it doesn't need to17:58
ayoungsamueldmq, thanks.  I think that will be most useful17:58
samueldmqdavid8hu: middleware knows that, and just asks oslo.policy to do the overlay job17:58
samueldmqdavid8hu: basically middleware knows the endpoint_url, and asks keystone for custom policy for that url17:59
david8husamueldmq, It's the caller's job.17:59
samueldmqdavid8hu: very precise sentence man17:59
samueldmqdavid8hu: it's just the code that lives in oslo.policy, as a library that it is18:00
david8husamueldmq, ...and we are not talking about unified policy file...correct? :)18:00
samueldmqdavid8hu: no we aren't, unified would be stored on keystone server, at middleware/oslo.policy we don't care about that at all18:01
*** eandersson has quit IRC18:01
samueldmqdavid8hu: we ask keystone if there is custom rules, it doesn't matter how they're calculated, added, CRUDed, we just want the response18:01
samueldmqdavid8hu: how they're CRUDed is to keystone to know/provide APIs :)18:02
samueldmqdavid8hu: for now our solution doesn't include unified, if that's what you specifically want to know18:02
*** Ephur has quit IRC18:03
*** c_soukup has joined #openstack-keystone18:03
*** janonymous_ has joined #openstack-keystone18:03
*** eandersson has joined #openstack-keystone18:03
*** sigmavirus24_awa is now known as sigmavirus2418:03
dstanekjanonymous_: lots of things happening - don't be surprised if it takes a little while to get reviews through18:05
janonymous_:) sure18:06
david8husamueldmq, I think we need a spec for something like say I am a Nova admin, I want to inject a customized policy.  What is the interface for that.18:06
*** _nonameentername is now known as nonameentername18:06
*** jsavak has quit IRC18:06
*** jsavak has joined #openstack-keystone18:07
samueldmqdavid8hu: so you create a policy in Keystone server, and associate it to them endpoint_urls corresponding to your nova service18:07
samueldmqdavid8hu: that's basically the main workflow, which is described by the wiki (previously overview spec)18:07
*** piyanai has joined #openstack-keystone18:07
*** csoukup has quit IRC18:07
*** mylu has joined #openstack-keystone18:07
samueldmqayoung: should we call it Dynamic Policy or Override Policy, as we called it last week18:09
samueldmqayoung: we need to choose the best naming , to avoid confusing people (still more) about htis18:10
ayoungSounds like a band name18:10
david8husamueldmq, Dyanmic policy customization overlay (DPCO)18:10
samueldmqCustom Policy ?18:10
ayoungDynamic Policy OVERDRIVE!18:10
samueldmqoverdrive? oO18:11
samueldmqI think Custom Policy is simple and direct to what it means18:11
david8husamueldmq, Is it a keystone API call from user perspective?  I don't think there is a spec for that.18:11
samueldmqdavid8hu: there is a policy CRUD on keystone already18:12
*** jasondotstar has quit IRC18:13
*** arunkant has joined #openstack-keystone18:14
*** pnavarro has quit IRC18:14
david8husamueldmq, Levereage /v3/policies/{policy_id} for customize policy?18:15
*** piyanai has quit IRC18:15
*** crc32 has joined #openstack-keystone18:15
david8husamueldmq, But the current interface does not know which stock policy user is overriding.18:17
*** piyanai has joined #openstack-keystone18:17
samueldmqdavid8hu: I agree18:18
samueldmqdavid8hu: that's where policy endpoint association comes18:18
samueldmqdavid8hu: however we need a way to assign based on endpoint_url18:18
samueldmqdavid8hu: which is what ayoung started at 'Policy by URL' (
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet token provider.
*** chrisshattuck has joined #openstack-keystone18:22
*** browne has joined #openstack-keystone18:26
david8husamueldmq, Thx.  I posted a comment for "policy by url"18:29
*** ajayaa has quit IRC18:29
samueldmqdavid8hu: sure, thanks18:29
samueldmqdavid8hu: I will be updating that spec today/tomorrow18:30
*** openstackgerrit has quit IRC18:30
*** openstackgerrit has joined #openstack-keystone18:30
*** amakarov is now known as amakarov_away18:31
*** jasondotstar has joined #openstack-keystone18:32
openstackgerritguang-yee proposed openstack/keystone: Fix for LDAP filter on group search by name
*** mylu has quit IRC18:35
samueldmqayoung: just updated the spec (
samueldmqayoung: I called it 'Dynamic Policy' vs 'Stock Policy' as you suggested18:36
samueldmqayoung: we can change the naming if someone comes with a better suggestion :)18:37
samueldmqayoung: that was a quick +1, thanks !18:40
ayoungsamueldmq, looks good.  I added the oslo.policy core group to the spec...lets see the storm that kicks up18:40
samueldmqayoung: yeah, I was about to ask how a thousand people were added to that18:40
samueldmqayoung: I got scared when I did F518:41
ayoungyou can add people or groups to a review.  I added oso-policy-core18:41
openstackgerritBrant Knudson proposed openstack/keystone: Remove unused setUp for RevokeTests
samueldmqayoung: I didn't know about adding groups, thanks18:41
*** afazekas_ has joined #openstack-keystone18:41
*** mylu has joined #openstack-keystone18:42
*** stevemar has quit IRC18:43
*** stevemar has joined #openstack-keystone18:44
david8husamueldmq, ayoung,  I think we can simplify policy enforcement a bit.  Once we have the policy overlay, services will not need to call keysteon middleware for policy enforcement.  It will be more of keeping oslo policy updated with the latest customize policy.18:44
*** jsavak has quit IRC18:46
*** jsavak has joined #openstack-keystone18:46
*** RichardRaseley has quit IRC18:49
samueldmqdavid8hu: that spec is not for services calling middleware at all18:50
openstackgerritBrant Knudson proposed openstack/keystone: Enable bandit check for password_config_option_not_marked_secret
openstackgerritBrant Knudson proposed openstack/keystone: Bandit config updates
samueldmqdavid8hu: the idea is that we could do a part of rule enforcement in the middleware, before the request goes to the service18:50
samueldmqdavid8hu: that part would be the role check18:50
david8huDid I use the wrong url?18:50
*** markvoelker_ has joined #openstack-keystone18:51
samueldmqdavid8hu: we don't have the association between url/policy call outside the service18:51
samueldmqdavid8hu: we would need to expose that somehow18:51
david8husamueldmq, c&p,  1. Nova makes call to enforce policy.  API is identical to the6618:51
david8hu   oslo.policy API, but will be implemented by middleware.18:51
samueldmqdavid8hu: like enforcing policy based on the called /url18:51
samueldmqdavid8hu: that is out-of-date, and is not scoped to L18:51
*** markvoelker has quit IRC18:52
david8husamueldmq, Good to know since it is out-dated.18:52
samueldmqdavid8hu: those 3 tasks require 3 specs, oslo.policy one above, fetch and cache in middleware + policy by URL18:53
samueldmqdavid8hu: I will be updating the 2 others until tomorrow, and the wiki as well18:54
openstackgerritRodrigo Duarte proposed openstack/keystone: Add is_domain field in Project Table
openstackgerritRodrigo Duarte proposed openstack/keystone: Bye Bye Domain Table
openstackgerritRodrigo Duarte proposed openstack/keystone: Honor domain operations in project table
openstackgerritRodrigo Duarte proposed openstack/keystone: Remove domain table references
openstackgerritRodrigo Duarte proposed openstack/keystone: Change project name constraint
samueldmqdavid8hu: before sending the FFE request on dynamic policies to the ML18:54
*** Rockyg has joined #openstack-keystone18:55
david8husamueldmq, do you have "fetch and cache in middleware" already?18:55
david8husamueldmq, I mean the draft of the spec itself18:55
samueldmqdavid8hu: yes, just need to update, to reflect a first solution for cache strategy I was discussing with morgan and adam last week18:56
samueldmqdavid8hu: to solve the issue where multiple nova processes may be running behind a HAProxy, for example18:56
david8husamueldmq, I can help review and comment :)18:56
*** markvoelker_ has quit IRC18:57
samueldmqdavid8hu: sure, I will be posting updates today/tomorrow (
samueldmqdavid8hu: and
*** markvoelker has joined #openstack-keystone18:57
david8husamueldmq, sounds good.  thx18:57
samueldmqdavid8hu: feel free to review the oslo.policy one I jsut submitted (
samueldmqdavid8hu: no, thank you for reviewing that work :)18:58
david8husamueldmq, just trying to tied everything together in my brain too see if anything make sense :)18:59
samueldmqdavid8hu: :)19:00
*** hogepodge has quit IRC19:02
*** hogepodge has joined #openstack-keystone19:03
*** blewis` has quit IRC19:04
*** dramakri has joined #openstack-keystone19:10
*** boris-42 has quit IRC19:12
*** afazekas_ has quit IRC19:15
*** dguerri` is now known as dguerri19:18
*** tqtran has quit IRC19:19
*** dguerri is now known as dguerri`19:20
*** HT_sergio has quit IRC19:23
*** piyanai has quit IRC19:25
*** piyanai has joined #openstack-keystone19:26
*** piyanai has quit IRC19:26
*** albertom has joined #openstack-keystone19:34
*** ankita_wagh has quit IRC19:34
*** jasondotstar has quit IRC19:36
*** mylu has quit IRC19:40
*** mylu has joined #openstack-keystone19:40
samueldmqayoung: what would be the relationship between associating a policy to an URL and endpoint groups19:40
samueldmqayoung: URL would be representing the  same as an endpoint group containing the URL filter19:40
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: API changes for Reseller
ayoungsamueldmq, so, all endpoints in a group that share an URL should get that same policy...goal is to make the URL  == the endpoint19:41
samueldmqayoung: I want to make sure we go to something consistent in that aspect as well19:41
*** arunkant_ has joined #openstack-keystone19:41
samueldmqayoung: sure, however I wonder if we could make that consistent with the existing APIs for endpoint groups19:42
samueldmqayoung: that can be used in the endpoint filter extension19:42
ayoungsamueldmq, we'll do the best we can.19:42
samueldmqayoung: or if the endpoint filter extension could be simplified to URLs19:42
*** arunkant_ has quit IRC19:42
samueldmqayoung: of course, that's part of this plan :)19:43
ayoungif setting by ID is ambiguous,  those endpoints that share an endpoint URL are all updatred19:43
*** arunkant_ has joined #openstack-keystone19:43
*** piyanai has joined #openstack-keystone19:44
*** arunkant_ has quit IRC19:44
*** arunkant has quit IRC19:44
*** arunkant has joined #openstack-keystone19:45
freerunner@morganfainberg: Heya! Are u here? ;)19:46
*** slberger1 has joined #openstack-keystone19:47
*** dguerri` is now known as dguerri19:47
*** jasondotstar has joined #openstack-keystone19:48
openstackgerritMerged openstack/python-keystoneclient: Update README.rst and remove ancient reference
*** pnavarro has joined #openstack-keystone19:51
morganfainbergfreerunner: at lunch but here-ish19:52
morganfainbergfreerunner: here ish but at lunch19:52
*** nonameentername has left #openstack-keystone19:53
*** nonameentername has joined #openstack-keystone19:53
openstackgerritBrant Knudson proposed openstack/keystone: Enable bandit check for password_config_option_not_marked_secret
openstackgerritBrant Knudson proposed openstack/keystone: Bandit config updates
freerunnermorganfainberg: Bon Appetit =) Can u, please, review this? . This is really needs..19:55
*** jaosorior has quit IRC19:56
*** pnavarro has quit IRC19:56
morganfainbergAh that one is unblocked now? Sure.19:56
*** stevemar has quit IRC19:56
openstackgerritguang-yee proposed openstack/keystonemiddleware: Enforce endpoint constraint
*** stevemar has joined #openstack-keystone19:57
*** jsavak has quit IRC19:57
*** jsavak has joined #openstack-keystone19:58
*** jsavak has quit IRC19:58
samueldmqwhat is the relationship between services and regions ?19:58
*** jsavak has joined #openstack-keystone19:59
freerunnermorganfainberg: Thank you, very much. And the last question. Looks like we have the same situation like in s/juno branch. Can u release the latest code for python-keystoneclient for stable/kilo? There is a problem with oslo.i18n, but this problem is going to be fixed by your +A.19:59
samueldmqI see endpoint have region_id and service_id, but I don't see any direct relation between service and region19:59
samueldmqregions -> services -> endpoints ?20:00
morganfainbergfreerunner: I cannot. You'll need to ask dhellman or a release manager.20:00
samueldmqor services -> regions -> endpoints ?20:00
morganfainbergfreerunner: I'll circle up with them later today / tomorrow.20:00
*** jaosorior has joined #openstack-keystone20:00
freerunnermorganfainberg: Whew. Thank you one more time ;) I think I can ask him tomorrow.20:01
*** ankita_wagh has joined #openstack-keystone20:03
bknudsonlooks like keystone unit tests are busted again with the release of oslo.utils -- some function we're using is deprecated.20:05
dimsbknudson: which one this time?20:05
dimsbknudson: straightforward replacement?20:07
bknudsonit was isotime last time.20:07
bknudsonI'll look at using the alternative mentioned20:07
bknudsonUsing function/method 'oslo_utils.timeutils.strtime()' is deprecated in version '1.6' and will be removed in a future version: use either datetime.datetime.isoformat() or datetime.datetime.strftime() instead20:07
*** jasondotstar has quit IRC20:08
*** stevemar has quit IRC20:08
*** RichardRaseley has joined #openstack-keystone20:09
*** RichardRaseley has quit IRC20:11
*** RichardRaseley has joined #openstack-keystone20:11
*** stevemar has joined #openstack-keystone20:15
* morganfainberg points out that minor releases should probably not remove interfaces.20:16
morganfainbergI'd say that is a 2.x thing... But that is my opinion.20:16
bknudsonmorganfainberg: it's not removed, it's deprecated20:17
bknudsonso we've got time to stop using it.20:17
morganfainbergbknudson: it says removal in 1.6?20:17
bknudsondeprecated in 1.6, removal in ?20:17
*** solomondg has quit IRC20:19
*** slberger has quit IRC20:22
openstackgerritBrant Knudson proposed openstack/keystone: Switch from deprecated oslo_utils.timeutils.strtime
bknudsonnot much to the fix20:24
*** dontalton has quit IRC20:26
*** jsavak has quit IRC20:26
openstackgerritBrant Knudson proposed openstack/keystone: Switch from deprecated oslo_utils.timeutils.strtime
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet token provider.
*** jsavak has joined #openstack-keystone20:30
*** boris-42 has joined #openstack-keystone20:31
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet token provider.
openstackgerritAlberto Murillo proposed openstack/keystone: disable admin_token by default
*** blewis has joined #openstack-keystone20:35
openstackgerritMerged openstack/oslo.policy: Add six and oslo.utils to requirements
*** blewis` has joined #openstack-keystone20:37
*** thedodd has quit IRC20:38
*** blewis has quit IRC20:41
*** browne has quit IRC20:41
*** edmondsw has quit IRC20:43
*** marzif_ has joined #openstack-keystone20:43
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Unit tests catch deprecated function usage
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Switch from deprecated isotime
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Switch from deprecated oslo_utils.timeutils.strtime
*** arunkant_ has joined #openstack-keystone20:49
*** stevemar has quit IRC20:49
*** arunkant_ has quit IRC20:50
mordredmorganfainberg: (or other people) - should lissting a domain be a thing I should expect to be able to do?20:50
mordredeven as an end user?20:50
bknudsonmordred: listing users in a domain?20:50
*** stevemar has joined #openstack-keystone20:50
mordrednope. listing domains20:51
mordredso - let me step back 1 sec20:51
*** arunkant_ has joined #openstack-keystone20:51
mordredI have some things in keystone which take {'domain': $somethign}20:51
*** arunkant_ has quit IRC20:51
bknudsonI think that would give away info that deployments would want to keep secret in the general case.20:51
mordredas one of the arguments20:51
bknudsonalthough other deployments would be fine with it20:51
mordredbknudson: any chance you know off the top of your head if that wants a domain id or a domain name - or if maybe it takes both?20:52
*** arunkant_ has joined #openstack-keystone20:52
mordredand if it takes an id, and I have a name, any chance there is a way to get the id?20:52
bknudsonlike the token auth request?20:52
*** arunkant_ has quit IRC20:52
bknudsonauth request takes either id or name.20:52
mordredwell, for instance, create_project takes a domain argumetn20:52
*** arunkant has quit IRC20:52
mordredor, projects.create() to use your api20:53
bknudsonthose are all by id20:53
mordredso - should I just expect that a user will somehow know their domain id?20:53
bknudsonas far as I know20:53
bknudsonthe client APIs typically take an object for those parameters20:53
mordredmeh. object doesn't help me - I'm trying to figure out what information I can reasonably expect an end user to know20:54
mordredand what information I can figure out for them20:54
bknudsonto get a token the user needed to provide their domain name... not sure how they would know their id20:54
mordredbut I have no clouds with keystone v3 - so I have to ask obtuse questions :)20:54
mordredbknudson: I was _hoping_ that list_domains would work and would only show domains that the token the user has is scoped to see20:54
bknudsonthere might be an API for that20:55
*** stevemar has quit IRC20:55
bknudsonthere's also v3/auth/projects that one can use to get the projects they have auth to20:56
bknudsonwhich has the domain of the project20:56
mordredany chance that's exposed in ksc?20:56
* mordred goes to look20:56
*** marzif_ has quit IRC20:58
mordredbknudson: best I can tell that is not exposed in keystoneclietn21:01
bknudsonmordred: I don't remember it's ever being added.21:02
mordredbknudson: however, thank you for showing it to me - it's the thing I've always wanted21:02
mordredbknudson: like, basically, _every_ operation I do on projects or domains from my POV only ever wants lists of them that are related to the scope of the current token21:02
bknudsony, and as I said I don't think a deployment would want to expose the list of all domains.21:03
*** jsavak has quit IRC21:03
*** jsavak has joined #openstack-keystone21:03
mordredbut - a user saying "what is my domain" or "what domains am I allowed to see" - seems TOTALLY sane21:04
mordredbknudson: I'm not 100% how exposing those scoped things in ksc might look ... should I make a keystoneclient/v3/ with an Auth manager that has domains() and projects() methods?21:05
bknudsonmordred: I like it21:05
bknudsonalthough maybe jamielennox would say to put it on the session?21:05
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Switch from deprecated oslo_utils.timeutils.strtime
*** Rockyg has quit IRC21:09
mordredbknudson: so - we had a conversation a little while ago with him and ayoung about just pulling the domain off of the session21:11
mordredbut the suggestion then was that not making the user pass one in would be to much magic and could lead to mistakenly doing things to the wrong domain21:12
mordredwhich I can buy21:12
*** gordc is now known as gordc_21:17
*** gordc_ is now known as gordc_afk21:17
bknudsonmordred: I like having low-level apis, so putting providing the function on keystoneclient makes sense to me.21:22
*** r-daneel has quit IRC21:23
ayoungmordred, so, list domains and list projects should totally be things a user can do with an unscoped token.  jamielennox and I have even discussed whether those things should be returned in the unsoped token response21:24
bknudsoni think these apis were designed for use with unscoped tokens (for federation)21:24
ayoungand the domains are the "list of domains for which a user explicitly has a role assignment"21:24
*** tqtran_ has joined #openstack-keystone21:24
*** browne has joined #openstack-keystone21:25
*** packet has quit IRC21:26
*** piyanai has quit IRC21:27
*** mylu has quit IRC21:30
*** mylu has joined #openstack-keystone21:31
*** topol has quit IRC21:31
*** jsavak has quit IRC21:35
*** mylu has quit IRC21:35
*** jsavak has joined #openstack-keystone21:35
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet token provider.
gyeebknudson, did have fix this sometime ago? DeprecationWarning: Using function/method 'oslo_utils.timeutils.strtime()' is deprecated in version '1.6' and will be removed in a future version: use either datetime.datetime.isoformat() or datetime.datetime.strftime() instead21:41
gyeelooks like its coming back for some reason21:42
*** crc32 has quit IRC21:42
bknudsongyee: it's a different api. it was isotime last time.21:42
bknudsongyee: see
gyeeoh my21:43
bknudsongyee: it was isoformat() last release of oslo.utils, now it's strtime.21:44
gyeebknudson, lets get that patch merge fast21:45
gyeethe gates are not happy right now21:45
bknudsonhere's for keystonemiddleware:
gyeebknudson, thank you for saving humanity!21:46
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet provider validate_v3_token()
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet provider issue_v3_token()
SpamapSjamielennox: around? I'm a bit stumped on how to use the auth_plugin option in nova.conf .. I seem to recall you being an auth plugin expert21:51
kfox1111_awaySpamapS: I tried to lay out the problems in the newest review. Does it explain the situation better?21:52
*** kfox1111_away is now known as kfox111121:52
lbragstadmorganfainberg: took a couple stabs at consolidating the fernet provider if you want to put eyes on it,n,z21:52
SpamapSkfox1111: there's a newest review?21:53
kfox1111submitted it sunday.21:53
SpamapSkfox1111: I'm looking at the sample nova conf in kilo.. and it says not using auth_plugin is deprecated.. but the docs give no indiciation of _how_ one should use auth_plugin.21:53
kfox1111oh. the stuff in the spec would be totally differnt then that.21:54
kfox1111it would be "instance user auth plugins"21:54
SpamapSkfox1111: I'm not talking about that. :)21:54
SpamapSkfox1111: sorry, you confused me entireyl. :)21:54
kfox1111mixing two conversations... instance users review here:
openstackgerritTheodore Ilie proposed openstack/keystone: Add test case for deleting endpoint with space in url
kfox1111SpamapS: I'm not seeing an auth_plugin reference on any of my clouds either. guessing its defaulted to the right values these days?21:56
*** diazjf has left #openstack-keystone21:56
SpamapSkfox1111: I think it comes from keystonemiddleware, which is why it isn't in nova's docs21:58
bknudson passed jenkins (fixes py27 tests with latest oslo.utils)21:59
kfox1111hmm.. but keystonemiddleware is the auth_plugin I thought.22:00
gyeekeystonemiddleware uses auth plugins22:03
kfox1111oh, really? is for different token types maybe?22:03
gyeekfox1111, they are corresponding to --os-auth-type in common CLI22:04
samueldmqbknudson: ayoung what if : asking a project scoped token without specifying the project, get the default project for that user22:05
samueldmqbknudson: ayoung asking a domain scoped token without specifying the domain, assume the user's domain22:05
samueldmqbknudson: ayoung do those defaults make sense to you?22:06
ayoungsamueldmq, list-projects-for-user works that way22:06
samueldmqayoung: didn't get it, I am talking about token scoping in the token request22:07
gyeesamueldmq, can't, not every have a role on the domain22:07
samueldmqayoung: list-projects-for-user is about listing the projects a user has access, before asking for a token right?22:07
*** slberger1 has left #openstack-keystone22:07
*** chrisshattuck has quit IRC22:08
samueldmqgyee: sure, but it would assume that as default, and fail if there is no role on the domain22:08
samueldmqgyee: as it would do if you specified the domain explicitly22:08
gyeesamueldmq, right now the only domain role is the domain admin role22:08
gyeeso it will fail for most users22:09
*** piyanai has joined #openstack-keystone22:09
samueldmqgyee: so most of users can't get a domain scoped token anyway22:09
*** chrisshattuck has joined #openstack-keystone22:09
bknudsongyee: did you add some code to make it so that a user without a role on their default project gets unscoped token?22:09
samueldmqgyee: I just want to have a default, if one does not specify it22:09
*** Rockyg has joined #openstack-keystone22:09
gyeebknudson, yes22:09
samueldmqgyee: that's all, just a good default, that makes a lot of sense for small/medium ? deployments22:10
gyeesamueldmq, well, we decided on "explicit scoping" long time ago :)22:10
gyeeits coming back full circle22:11
gyeesame reason we gotten rid of "global roles"22:11
gyeeproblem is do we want default project scope or default doman scope?22:12
*** Rockyg has quit IRC22:12
*** Rockyg has joined #openstack-keystone22:13
gyeeunless we intend to support something like "user profile"22:13
*** ayoung has quit IRC22:14
samueldmqgyee: yes need to mull it a bit more, and see if we have need of that22:16
samueldmqgyee: got it on the explicit scoping22:16
gyeesecurity folks like explicit unambiguous scope22:17
gyeeUX people, not so much :)22:17
*** bknudson has quit IRC22:20
openstackgerritVictor Morales proposed openstack/keystone: Integrate OSprofiler in Keystone
samueldmqgyee: yes I was looking from an UX pov22:24
*** zzzeek has quit IRC22:26
*** slberger1 has joined #openstack-keystone22:29
morganfainbergUser profile shouldn't be in keystone.22:29
*** slberger1 has left #openstack-keystone22:30
*** slberger1 has joined #openstack-keystone22:30
*** slberger1 has left #openstack-keystone22:30
gyeemorganfainberg, isn't "default project" sorta like user profile?22:33
*** jaosorior has quit IRC22:36
miguelgrinberganybody with knowledge of shibboleth federation that can answer a couple of questions?22:38
*** piyanai has quit IRC22:39
morganfainbergdstanek: ping22:42
morganfainbergdstanek: need some help chasing down a weird bug22:42
morganfainbergin testing22:42
morganfainberggyee: "default project" should die a horrible death22:43
albertomdoes someone knows if there is a fix in progress for22:46
albertom    DeprecationWarning: Using function/method 'oslo_utils.timeutils.strtime()' is deprecated in version '1.6' and will be removed in a future version: use either datetime.datetime.isoformat() or datetime.datetime.strftime() instead22:46
albertom ?22:46
albertom./ is passing but tox fails22:47
jamielennoxmordred: like ?22:47
jamielennoxi actually thought that had merged it was a while back22:47
jamielennoxgyee: picking on you, can you have a look at
gyeejamielennox, yes sir22:51
dstanekmorganfainberg: pong22:51
gyeemorganfainberg, sure, not disagreeing if we want to keep it consistent with default projects :)22:52
morganfainbergdstanek: so running into this issue22:52
morganfainbergdstanek: on a clean master (with oslo_utils <= 1.5 for the strftime deprecation issue)22:53
morganfainbergdstanek: if you run tox -epy27 test_auth22:53
gyeemorganfainberg, can you A+ this?
gyeeits holding up the gates22:53
morganfainbergdstanek: or anything that isolates a test with a pattern22:53
morganfainbergdstanek: it's baffling me how we're getting "policy.json" vs the full path22:54
dstanekmorganfainberg: so this only happens when you specify the test regex?22:54
morganfainbergdstanek: this is making running tox -epy27 -- --failing for example22:54
morganfainbergdstanek: anything that doesn't do the "full" run of tests afaict, for a number of tests22:54
morganfainbergmeaning we're clearly not overriding the oslo_config/policy_file option22:54
morganfainbergbut i thought that was on the base test-class22:55
morganfainbergdstanek: so some state is being set somewhere that "fixes" these tests22:55
albertomu thanks22:55
*** dims_ has joined #openstack-keystone22:55
dstanekmorganfainberg: ok, i'll try to reproduce now22:56
morganfainbergdstanek: i did clean checkout, install venv for tox22:56
morganfainbergand then downgraded oslo_utils to 1.522:57
morganfainbergjust because ^^ that patch that gyee was asking for +A hadn't landed22:57
morganfainbergdstanek: then ran tox -epy27 test_auth22:57
morganfainbergand boom lots of failures22:57
gyeejamielennox, nice, so that class will be shared by both keystonemiddleware and keystone?22:57
dstanekmorganfainberg: that's odd...i just downgraded and didn't get any errors22:58
morganfainbergdstanek: the oslo_utils downgrade is just so the deprecation warnings don't cause explosion22:58
gyeeif you downgrade you shouldn't get that warning22:58
jamielennoxgyee: yep, there's a few more in that chain to make it more usable22:58
morganfainbergthe oslo_policy unable to load policy.json is really worrying me22:59
jamielennoxgyee: i'm just trying to get things actually merged after bknudson and i have gone through it all22:59
*** dims has quit IRC22:59
morganfainbergdstanek: if i run tox -epy2722:59
morganfainbergand the entire test suite, it all works fine22:59
dstanekmorganfainberg: very strange indeed22:59
dstanekmorganfainberg: i don't have that issue - my current olso versions -
*** dims_ has quit IRC23:00
dstanekthe policy.json should be set in keystone.tests.unit.core using the ETCDIR variable - and that's relative to the so i shouldn't be wrong23:01
dstaneklet me rebuild the venv and try again23:01
dstanekmorganfainberg: you're on the top of master?23:01
morganfainbergdstanek: yes23:02
morganfainbergclean checkout23:02
morganfainberghere is the tox venv23:02
morganfainbergpip freese | grep oslo23:02
morganfainbergyou have an older venv23:02
morganfainbergthis was just built23:02
*** jecarey has quit IRC23:02
morganfainberglooks like some oslo versions have moved forwrd23:03
*** zzzeek has joined #openstack-keystone23:03
morganfainbergand broken something23:03
* morganfainberg sighs23:03
morganfainbergor other dependencies23:03
gyeemorganfainberg, I think I know what your problem is23:04
morganfainberggyee: ?23:04
samueldmqI am messing up again with weechat + tmux + remote connection :(23:04
gyeeI ran into the exact problem when testing endpoint constraint stuff23:04
dstanekmorganfainberg: hmmm...looks like lots of oslo releases today23:05
gyeemorganfainberg, see
gyeeline 3623:05
gyeeyou need to initialize the CONF path first23:05
gyeeit depends on CONF for policy dir discovery23:06
morganfainberggyee: maybe... but that means our test suite is broken23:06
samueldmqmorganfainberg: not sure if this can help anyhow ... but when handling policy file in my fetch & cache patch23:06
morganfainberggyee: we're not initializing it properly in*some* cases but we are in others23:06
samueldmqmorganfainberg: after writting to it, oslo.policy couldn't read it anymore23:06
gyeemorganfainberg, possibly23:06
morganfainberggyee: since not everything fails that way23:06
morganfainberggyee: and it only fails when i run tests in isolation23:07
morganfainberggyee: e.g. "run *that* specific test"23:07
*** jsavak has quit IRC23:07
morganfainbergit is definitely a mroe recent occurance23:07
*** jsavak has joined #openstack-keystone23:07
gyeek, could be different than23:07
dstanekmorganfainberg: this is strange. i don't get a failure at all23:07
morganfainbergdstanek: might be a new oslo lib that is doing something different.23:08
morganfainbergi could try and downgrade to the same ones you have23:08
dstanekmorganfainberg: i'll try a clean checkout23:08
morganfainbergdstanek: sounds good.23:08
dstanekmorganfainberg: i just rebuilt so i have the same versions as you23:08
morganfainbergdstanek: hm and you're running "tox -epy27 test_auth" or similar23:08
dstanekyep, "tox -epy27 -- test_auth"23:10
*** pgbridge has joined #openstack-keystone23:10
morganfainbergno --23:10
dstanekyou think that could be the issue?23:11
morganfainbergtrying it23:11
morganfainbergstill horked for me23:11
morganfainbergi don't know how this can be breaking like this23:11
morganfainbergit just doesn't make sense23:11
morganfainbergwhat version of tox, do you have?23:12
morganfainberg2.0.1 imported from /usr/local/lib/python2.7/dist-packages/tox/__init__.pyc23:12
morganfainbergfor me23:12
dstanek1.9.2 imported from /usr/local/lib/python2.7/dist-packages/tox/__init__.pyc23:12
morganfainbergand which version of python? 2.7.9 here23:13
*** markvoelker has quit IRC23:13
*** spandhe has joined #openstack-keystone23:13
morganfainbergi wonder if something changed in one of those two things23:14
dstanekjust upgraded tox and trying again23:14
*** dguerri is now known as dguerri`23:17
dstanekmorganfainberg: can you check and see what is being set a the policy file in you base test class?23:17
dstanekwhat does that evaluate to?23:17
morganfainbergwhich in this case ends up being /home/mdrnstm/openstack/keystone/etc/policy.json23:18
morganfainbergat least when one of the tests is failing23:18
morganfainbergor at least that is oslo_config/policy_file23:18
dstanekthat makes no sense :-(23:18
dstanekare you using fixtures==1.3.0?23:19
morganfainbergwell let me try with python 2.7.523:19
morganfainbergwhich is what is automatically installed for me23:20
morganfainbergby tox23:20
dstaneki can try on a newer vm23:21
morganfainbergnad my other one i got 1.3.023:21
morganfainbergsame issue23:21
morganfainbergnewer venv23:21
morganfainbergok i'm installing a 14.04 VM now23:21
morganfainberggive me a moment23:21
morganfainbergseeing if it's a 15.04 thing23:22
morganfainbergwhihc would make no sense23:22
dstaneki was on 12.04...building a 14.04 now23:24
morganfainbergdstanek: trying on 14.04 now23:24
*** edmondsw has joined #openstack-keystone23:24
morganfainbergbuilding venv23:24
morganfainberghad a docker file almost ready to go23:24
*** jasondotstar has joined #openstack-keystone23:31
morganfainbergdstanek: seeing it on 14.04 (in a docker container)23:31
morganfainbergfresh build, apt-get update / etc23:31
morganfainbergdstanek: i can try a 12.04 if that helps23:32
*** boris-42 has quit IRC23:32's building the 14.04 venv now23:35
openstackgerritMerged openstack/keystone: Switch from deprecated oslo_utils.timeutils.strtime
morganfainbergdstanek: trying 12.04 now23:43
morganfainbergdstanek: i'm getting the same issue on 12.0423:47
dstanekmorganfainberg: i can reproduce it on 14.04!23:49
morganfainbergdstanek: cool. now lets figure out how to resolve it :)23:49
*** markvoelker has joined #openstack-keystone23:51
*** edmondsw has quit IRC23:51
*** tqtran_ is now known as tqtran-afk23:53
*** topol has joined #openstack-keystone23:54
*** ChanServ sets mode: +v topol23:54
*** RichardRaseley has quit IRC23:55
*** zzzeek has quit IRC23:56
dstanekmorganfainberg: so i think that keystone.policy.backends.rules creates the oslo_policy stuff at import time - so by the time we use the fixture it's already too late23:59

Generated by 2.14.0 by Marius Gedminas - find it at!