Thursday, 2015-07-02

« Wednesday, 2015-07-01 Index Friday, 2015-07-03 »
*** ankita_wagh has quit IRC00:09
*** bjornar has quit IRC00:10
*** bjornar has joined #openstack-keystone00:11
*** mylu has quit IRC00:13
jamielennoxvery simple review: https://review.openstack.org/#/c/196950/2 if we can merge that we can debate the next one which is significant00:14
*** mylu has joined #openstack-keystone00:15
*** csoukup has quit IRC00:20
*** mylu has quit IRC00:27
*** mylu has joined #openstack-keystone00:27
*** Rockyg has quit IRC00:29
*** kfox1111 is now known as kfox1111_away00:32
*** albertom has quit IRC00:32
*** albertom has joined #openstack-keystone00:39
*** ankita_wagh has joined #openstack-keystone00:40
*** zzzeek has quit IRC00:40
*** zzzeek has joined #openstack-keystone00:45
*** zzzeek has quit IRC00:47
*** tqtran has quit IRC01:01
*** albertom has quit IRC01:02
*** trey has joined #openstack-keystone01:02
*** albertom has joined #openstack-keystone01:09
*** mylu has quit IRC01:09
*** slberger has left #openstack-keystone01:11
*** mylu has joined #openstack-keystone01:14
*** mylu has quit IRC01:18
*** dims_ has quit IRC01:19
bigjoolsFolks, is there a better description of the mapping rules than here? https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3-os-federation-ext.rst#mappings01:20
*** stevemar has joined #openstack-keystone01:21
*** stevemar has quit IRC01:24
*** ankita_wagh has quit IRC01:30
*** ankita_wagh has joined #openstack-keystone01:31
*** mylu has joined #openstack-keystone01:35
*** dsirrine_ has quit IRC01:37
*** dims has joined #openstack-keystone01:39
*** sigmavirus24 is now known as sigmavirus24_awa01:40
*** mylu has quit IRC01:43
*** mylu has joined #openstack-keystone01:44
*** wuhg has joined #openstack-keystone01:52
*** richm has quit IRC01:55
*** mylu has quit IRC02:01
openstackgerritliusheng proposed openstack/keystone: Remove the unused config_files parameter of service entry  https://review.openstack.org/18698702:04
*** jecarey has joined #openstack-keystone02:04
*** piyanai has joined #openstack-keystone02:12
*** mylu has joined #openstack-keystone02:20
*** mylu has quit IRC02:22
ayoungbigjools, not really02:22
bigjoolsayoung: damn. Ok, I'm struggling to map remote users to local ones, I keep getting an error "Unable to find valid groups while using mapping", is there anything I can look at?02:23
ayoungbigjools, my blog?02:23
bigjoolsheh02:23
ayoungbigjools, you doing Kerberos?02:23
bigjoolssaml02:23
bigjoolsI am using the MAPPING_LOCAL_USER_LOCAL_DOMAIN test fixture as inspiration02:23
ayoungbigjools, you need groups defined in the Keystone backend02:23
bigjoolsyeah, did that02:24
bigjoolsadded the local user to it02:24
ayoungso the groups are in the saml assertion, but not getting matched to the ones in the backend?  Can you paste your mapping?02:24
bigjoolsyes one sec02:24
bigjoolshttp://paste.ubuntu.com/11807870/02:25
bigjoolshmmm wait up, what do you mean by groups in the saml assertion?02:26
bigjoolsThe test fixture seems to suggest that you don't need that02:27
bigjoolsand that other doc says: "If the user has domain specified, the user is treated as existing in the backend, hence the server will fetch user details (id, name, roles, groups)."02:27
*** mylu has joined #openstack-keystone02:30
*** lhcheng has quit IRC02:43
*** darrenc is now known as darrenc_afk02:45
*** stevemar has joined #openstack-keystone02:47
*** mylu has quit IRC02:50
*** mylu has joined #openstack-keystone02:53
*** mylu has quit IRC03:07
*** davechen has joined #openstack-keystone03:11
*** davechen1 has joined #openstack-keystone03:14
*** davechen has quit IRC03:17
*** piyanai has quit IRC03:17
*** mylu has joined #openstack-keystone03:21
*** dims has quit IRC03:22
*** jecarey has quit IRC03:27
*** richm has joined #openstack-keystone03:28
*** mylu has quit IRC03:31
*** richm has quit IRC03:34
*** juvenn has joined #openstack-keystone03:35
openstackgerritSteve Martinelli proposed openstack/oslo.policy: Remove oslo-incubator specific code  https://review.openstack.org/19782703:36
*** mylu has joined #openstack-keystone03:40
juvennhi, I'm trying curl to Keystone api, and encountered a problem:03:44
*** mylu has quit IRC03:44
juvennmy domain scoped password auth fails with "401: Unauthorized" error, while the same one with project scope auth succeeds.03:44
*** mylu has joined #openstack-keystone03:44
juvennI noticed on the keystone.log warning: assignment.get_domain() is deprecated as of kilo in favor of resource.get_domain() and may be removed in M.03:46
juvennI suppose domain scoped password auth should succeed, isn't it?03:47
juvennI also find there are none domain-scoped auth test in keystone unit test ….03:49
*** mylu has quit IRC03:52
jamielennoxwhy do you need a remote_id to associate with an identity provider?03:54
juvennjamielennox: remote_id? I'm sorry, do you mean in my /etc/keystone/keystone.conf?03:56
*** mylu has joined #openstack-keystone03:57
jamielennoxno i mean https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3-os-federation-ext.rst#identity-providers03:57
jamielennoxremote_ids is an optional list of remote_ids, is it a validation?03:58
jamielennoxwhat is it validating? that only certain idps go through there? but that would be something that apache handled03:59
jamielennoxwhat's it for?03:59
*** mylu has quit IRC04:01
jamielennoxfor anyone interested this is the spec: https://github.com/openstack/keystone-specs/blob/master/specs/kilo/idp-id-registration.rst04:03
jamielennoxi would still expect this to be an apache setting though04:03
*** kiran-r has joined #openstack-keystone04:09
*** ianbrown has quit IRC04:11
lifelessjamielennox: morganfainberg: https://review.openstack.org/19777304:12
lifelessyou might want to merge that sooner rather than later04:12
morganfainberglifeless: +2/+A04:20
*** juvenn has quit IRC04:21
*** woodster_ has quit IRC04:21
ayoungmorganfainberg, +2...but why'd you not wait for a second +2 t +A?  Is there something burning that needs that?04:21
morganfainbergayoung: requirements fix. mostly this is a manual update of waht proposal bot would be doing.04:22
morganfainbergayoung: treated the same as any requirements update.04:22
*** juvenn has joined #openstack-keystone04:22
ayoungmorganfainberg, so more of a "get it done so we don't forget about it later" than a "oh crap we need this now" thing?04:23
morganfainbergyep04:23
morganfainbergjust like any requirements update04:23
morganfainbergif they linger...they cause issues04:23
morganfainbergnot an "add to requirements" but really an update thing (and this is the restructure to be no more pyXX versions). if it lingers it is likely to cause splody in bad ways down the line04:24
ayoungand I should go to bed04:25
morganfainberggo sleep then ;)04:26
*** davechen1 has quit IRC04:27
*** davechen has joined #openstack-keystone04:27
*** vilobhmm has joined #openstack-keystone04:29
bigjoolsjamielennox: I thought remote_ids was so that a remote IdP can be associated with an internal once04:32
bigjoolsone*04:32
jamielennoxbigjools: that's very strongly implied by apache right?04:33
bigjoolsjamielennox: the remote id is passed through request variables from Apache04:33
bigjoolsI don't *think* there's any other way of knowing04:34
jamielennoxbigjools: but there's no way you could request those urls without going through apache04:35
bigjoolsright04:35
jamielennoxi'm just not sure what the point is04:35
bigjoolsyou need to know which IdP is in use so that the right mapping can get used04:35
jamielennoxbigjools: it's part of the url04:36
stevemarjamielennox: it was for the use case where you had one keystone IdP entry used to represent 100s of actual idps04:37
stevemarbigjools: ^04:37
bigjoolsyeah, I was guessing that might be the case04:37
stevemarso you wanted to create a keystone entry called CERN_IdPs, and they all have the same mapping04:37
stevemarbut you have 100 universities, and rather than manage 100 entries in apache, just use the same one, and each has a different remote-id04:38
jamielennoxstevemar: that seems kind of wrong04:38
stevemarthe folks from cern + infn04:40
stevemar... were pushing it04:40
bigjoolsI can truly understand wanting a simple Apache config04:41
stevemarit also helps in the SSO case, since we don't know what the idp is, we only list protocols04:41
bigjoolsIs there a trick to getting remote users mapped to local users? I am using this as mapping http://paste.ubuntu.com/11807870/ but it complains there's no group. The local user is in a group.04:44
*** janonymous has quit IRC04:44
*** crc32 has quit IRC04:44
stevemarbigjools: that "type: local" bit looks wrong04:44
bigjoolsstevemar: I lifted it from MAPPING_LOCAL_USER_LOCAL_DOMAIN in the test fixtures04:45
stevemarbigjools: fwiw, we're trying to improve the docs atm, https://review.openstack.org/#/c/192850/ refer to doc/source/mapping_combinations.rst04:45
bigjoolshttps://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3-os-federation-ext.rst#mappings04:45
bigjoolsyeah the docs are a bit lacking :)04:46
bigjoolsonce I understand everything fullu, happy to help fill in04:46
bigjoolsfully*04:46
bigjoolswhat should it be instead of local then?04:46
* stevemar looking it up04:48
bigjoolsooo didn't know about "keystone-manage mapping_engine", that's useful04:48
jamielennoxbigjools: i'm currently going through pretty mcuh the exact same setup, trying to figure out mapping rules04:48
jamielennoxdocs are short04:48
bigjoolsyeah04:48
stevemarbigjools: yeah, we wanted to make things a bit easier for folks to test out *before* having to do a huge setup04:49
bigjoolstoo late :)04:49
jamielennoxstevemar: so what i'm about to write (and would be useful if it's something people already have) is a way to print out all the values that are coming in via fedreation04:51
stevemaryou mean from the apache modules?04:52
jamielennoxessentially put <?php phpinfo(); ?> behind the OS-FEDERATION/x/protocols/y/auth04:52
jamielennoxso i can figure out what inputs i have to the mapping to work with04:52
stevemarthose should be in the logs fwiw (with debug on)04:52
jamielennoxthis is not hard to write, but if we're looking for helpers for federation04:52
*** juvenn has left #openstack-keystone04:53
bigjoolsoh darn, is mapping_engine not in kilo?04:53
jamielennoxbigjools: no04:53
stevemarbigjools: in liberty :(04:53
bigjools:'(04:53
stevemarbigjools: https://github.com/openstack/keystone/blob/675a1cff0c007f749cf4a1fe6dc30d209bdbc179/keystone/auth/plugins/mapped.py#L121-L12404:53
*** jk|osx has joined #openstack-keystone04:54
jamielennoxbigjools: however it's a test script so you can probably run it against trunk to refine the mapping and then put it back04:54
stevemarlooks like it sets the user id to the direct mapping value, so make sure you're using the id?04:54
bigjoolsstevemar: I've been digging into code and literally just got to those lines04:54
stevemarlol04:54
bigjools:)04:54
bigjoolsuser ID is fine, but it complains:04:54
stevemarso you have the users already in keystone db or ldap, you just want to expose it via federation?04:55
bigjoolsUnable to find valid groups while using mapping ...04:55
*** dobson has quit IRC04:55
bigjoolsok I have a complex situation, so let me explain04:55
bigjoolsI want to do k2k websso, but that doesn't exist yet, so I'm using a sneaky feature of the shibboleth SP that lets you specify an IdP directly04:56
bigjoolswe have users in LDAP already, and we can use the LDAP backend of an IdP to do SSO, but if we map the user to the internal one (which uses the same LDAP) then it'll be smoother04:57
bigjoolsanyway, in that code, if the user is not ephemeral it's not obvious where it sets the group_ids04:59
*** darrenc_afk is now known as darrenc05:00
*** amit213 has joined #openstack-keystone05:00
*** ajayaa has joined #openstack-keystone05:00
stevemarjamielennox: if you have a minute, i'd appreciate keystone eyes on https://review.openstack.org/#/c/177620/05:02
*** dobson has joined #openstack-keystone05:02
dstanekstevemar: you're up pretty late05:02
jamielennoxstevemar: whoa, i just mentioned something like that05:02
stevemardstanek: so are you...05:02
stevemardstanek: i'm surprised *you* haven't looked at https://review.openstack.org/#/c/177620/05:03
stevemarit's up your alley05:03
stevemarbigjools: yeah, it's not obvious where it sets the group id05:03
bigjoolsstevemar: I'm not sure it does05:04
dstanekstevemar: oh, neat05:04
bigjoolsand then some later code blows up05:04
stevemarbigjools: i don't think it necessarily needs group IDs at that point yet, yeah - its going on and blowing up somewhere else05:04
stevemarbigjools: have logs?05:05
bigjoolsI do!05:05
bigjoolsapache log?05:05
bigjoolsthere's no a lot of info in it, tbh05:05
stevemarmeh, whatever logs05:05
bigjoolsI can see that group_ids is never set05:05
stevemarjust want to see the exact error message05:05
bigjoolshttp://paste.ubuntu.com/11808328/05:06
bigjoolsbottom of there05:06
stevemarjamielennox: also.. https://review.openstack.org/#/c/196413/05:07
stevemarand https://review.openstack.org/#/c/196416/05:07
bigjoolsthe only place I can see that might generate that error is in handle_scoped_token05:08
jamielennoxstevemar: that ones at the end of a chain05:08
stevemarjamielennox: it is, true. my bad05:09
jamielennoxi mean i can +2 it but meh05:09
stevemarwas more of a heads up05:09
jamielennoxstevemar: as penance https://review.openstack.org/#/c/196950/05:10
jamielennoxdstanek: https://review.openstack.org/#/c/196950/ as well, then bknudson and i can debate the one after that which actually does something05:10
jamielennox(other people may debate as well, just we've been going back and forth on these a lot)05:12
*** vilobhmm has quit IRC05:13
*** jk|osx has quit IRC05:13
*** vilobhmm has joined #openstack-keystone05:13
stevemarbigjools: so silly question, is 'student' in the 'default' domain in any groups?05:16
bigjoolsshould be, yes, let me double check05:16
bigjoolsstevemar: http://paste.ubuntu.com/11808351/05:18
openstackgerritMerged openstack/keystone: Update requirements by hand.  https://review.openstack.org/19777305:19
stevemarbigjools: yep, thats a group05:20
stevemarbigjools: bah, the rule processor is killing you before it can create the auth context05:21
bigjoolsthat sounds positive, yet negative :)05:22
stevemardstanek: neat is what i was going for05:22
dstanekstevemar: just tried parts of the script locally and things generally looked like they would work05:23
stevemardstanek: yep, i tried it myself05:23
stevemarthe only catch is that the "author" aka bot, can only have 1 active patch per project05:23
stevemarif it has >1, it dies05:24
stevemarbut that same logic is used for the requirements updates05:24
stevemarso i don't feel too bad05:24
stevemarthe only bit i want, but couldn't figure out is, how to get what branch the job is running on05:24
stevemarmight need to bug infra ppl on that one05:25
stevemarmaybe as a follow-on patch, not sure how often we expect to generate new configs for stable branches05:25
dstanekstevemar: you just need to get the current branch of the working copy?05:25
stevemardstanek: yessum05:25
dstanekstevemar: i use something like: git branch | grep '*' | awk '{print 2}'05:27
dstanekoops --- typo05:27
dstanekthat last part should be $205:27
dstanekthere probably is a better git way though05:28
*** histrio has joined #openstack-keystone05:28
histrioHello, everyone!05:28
dstanekstevemar: and 'man git' leads me to 'git rev-parse --abbrev-ref HEAD'05:29
dstanekhistrio: hello05:29
histrioRecently, I've got version conflict in devstack installation https://bpaste.net/show/d98d6ff8019905:30
histriodevstack - stable/kilo05:30
histriokeystone - stable/kilo05:31
histrio/opt/stack/requirements/global-requirements.txt:pycadf>=0.8.0,<0.9.005:31
bigjoolsstevemar: so is that something I can fix in config or is it a bug?05:31
histrioI dont't know yet)05:31
stevemarbigjools: i think it's dying here: https://github.com/openstack/keystone/blob/675a1cff0c007f749cf4a1fe6dc30d209bdbc179/keystone/auth/plugins/mapped.py#L15205:33
stevemarbut it shouldn't be going there if you have local set05:33
bigjoolsright05:33
bigjoolslet me throw some debugging in and confirm05:34
bigjoolsit's not going to be in handle_scoped_token() above there is it?05:34
stevemarbigjools: ughhhhhhhh05:35
bigjoolshttps://github.com/openstack/keystone/blob/675a1cff0c007f749cf4a1fe6dc30d209bdbc179/keystone/auth/plugins/mapped.py#L9105:35
stevemarbigjools: add the "type": "local" IN the "user" key05:35
stevemarnot in th local key05:35
bigjoolsrargh!05:35
stevemarhttps://github.com/openstack/keystone/blob/master/keystone/tests/unit/mapping_fixtures.py#L675-L68105:35
stevemaryours is on the same level05:35
stevemarhaha05:35
stevemari was gonna be so pissed if it regressed05:36
stevemarokay, pretty sure your problem is solved :P05:36
bigjoolsshouldn't schema validation catch that?05:36
*** fangzhou_ has quit IRC05:36
* bigjools tries it out05:36
stevemarbigjools: nah, the validation on the local side is weak, since we don't know what properties we wanted to map to05:37
bigjoolsok05:37
stevemarbut yeah, that one should be validate-able05:37
bigjoolsthis is a bit of a minefield.... but thanks for spotting that05:37
stevemarbigjools: open a bug to improve schema validation for "local" attributes?05:37
stevemari got a guy who can work on it05:37
bigjoolsyou bet05:37
dstanekhistrio: that's odd. it looks like a good version does exist: https://pypi.python.org/simple/pycadf/05:38
bigjoolsstevemar: and it worked \o/05:38
stevemarbigjools: \o/05:38
bigjoolsthanks *so much*05:38
histriodstanek: yep, `pip install` does work05:38
stevemardstanek: thats the version specified in GR for kilo, https://github.com/openstack/requirements/blob/stable/kilo/global-requirements.txt#L9805:38
bigjoolsI thought I had checked that... I'm obviously more tired than I realised05:39
dstanekstevemar: it looks like it should be found ok05:39
stevemarbigjools: it's all good :)05:39
dstanekhistrio: did you pip install with the version constraint?05:39
bigjoolsI am filing that bug *right now* :)05:39
stevemarthat's what keystone says too pycadf>=0.8.0,<0.9.005:40
stevemarbigjools: thanks!05:40
stevemari'll get diazjf to work on it05:40
stevemardstanek: jamielennox have fun holding down the fort05:42
stevemari'm off for another day or two05:42
stevemarsee y'all05:42
stevemarbigjools: good luck05:42
jamielennoxstevemar: see ya05:42
*** stevemar has quit IRC05:42
histriodstanek: I tried with same constraint and it succeed05:42
*** ayoung has quit IRC05:42
histrioManual installation works, but devstack fail with it05:43
*** dima__ has quit IRC05:51
openstackgerritMerged openstack/python-keystoneclient: Remove keystoneclient CLI references in README  https://review.openstack.org/19641305:54
openstackgerritMerged openstack/python-keystoneclient: Remove keystoneclient CLI references in README  https://review.openstack.org/19641305:54
histrioI suppose, I found a problem06:09
*** mabrams has joined #openstack-keystone06:09
histrioDuring devstack installation ceilometermiddleware installs before keystone.06:11
histriohttps://bpaste.net/show/0c4da7258fda06:12
histrioIt fetch pycadf 1.006:12
histriokeystone requirements differs https://bpaste.net/show/5375c543302606:14
histrioAnd devstack fails https://bpaste.net/show/d98d6ff8019906:16
histrioSorry for my English06:16
*** roxanaghe has quit IRC06:19
*** ankita_wagh has quit IRC06:30
*** browne has quit IRC06:36
ajayaajamielennox, Can I add support for "/v3/users/<user_id>/credentials/OS-EC2" in python-keystoneclient?06:42
*** stevemar has joined #openstack-keystone06:42
*** belmoreira has joined #openstack-keystone06:44
ajayaaWould it be something which can be accepted upstream?06:44
*** vilobhmm has quit IRC06:45
*** stevemar has quit IRC06:46
*** belmoreira has quit IRC06:47
*** belmoreira has joined #openstack-keystone06:58
*** belmoreira has quit IRC06:58
*** lufix has joined #openstack-keystone06:59
*** belmoreira has joined #openstack-keystone06:59
*** _kiran_ has joined #openstack-keystone07:03
*** kiranr has joined #openstack-keystone07:04
*** _kiran_ has quit IRC07:05
*** kiran-r has quit IRC07:07
*** kiranr has quit IRC07:08
*** fifieldt has quit IRC07:09
*** hrou has quit IRC07:13
jamielennoxajayaa: is that a thing?07:14
jamielennoxwe added support for ec2 to keystoneclient, but i don't remember it being there07:15
ajayaaIf you added then it should be there, I think.07:16
ajayaaFrom what I can see right now, it is there in keystoneclient.v2, not in keystoneclient.v307:16
ajayaaI want to add it in keystoneclient.v3 too.07:16
jamielennoxajayaa: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/v3/ec2.py07:16
jamielennoxajayaa: i only added that recently because we needed it in devstack, but it's in at least the most recent release07:17
jamielennoxoh, that is the URL for EC2 i thought it had it's own top level07:17
ajayaajamielennox, Thanks. That is helpful. I will find out which release is that and use that.07:17
jamielennoxajayaa: np07:18
ajayaajamielennox, Why are there two ways to create ec2 credential?07:18
ajayaaone is v3/credential api and the other is /v3/users/<user_id>/credentials/OS-EC2.07:19
jamielennoxajayaa: my understanding is essentially it's a mistake07:19
jamielennoxOS-EC2 is middleware, and at some point it was added to the v3 pipeline as well as the v2 pipeline07:20
*** rharwood has quit IRC07:20
jamielennoxso we ended up with this interface which probably shouldn't exist being turned on in deployments by default07:20
jamielennoxthere are a few changes07:20
ajayaaMy understanding is that, it should not have been added to v3 pipeline.07:20
jamielennoxin OS-EC2 it will generate keys for you07:20
jamielennoxand if you deal with credentials directly you need to submit ec2 credentials in a specific json format which is very ugly from a CLI07:21
ajayaajamielennox, yes. That should be done even in /v3/credential api.07:21
jamielennoxajayaa: it should be done client side07:21
ajayaajamielennox, agreed.07:22
ajayaaI struggled to get the json right while creating credential using curl.07:22
jamielennoxajayaa: yep, i experimented with that as well07:22
ajayaaAre there plans to drop one of these in future?07:22
jamielennoxno, they will both survive for a while, credentials is the more general interface, hopefully one day that will be offloaded to barbican07:23
jamielennoxbut we are stuck with them both for v307:23
*** rharwood has joined #openstack-keystone07:23
jamielennoxdevstack relies on OS-EC2 which is why we added it to keystoneclient and openstackclient07:24
*** aix has joined #openstack-keystone07:24
ajayaajamielennox, Thanks. Are there people who store certs in keystone?07:24
ajayaaI feel like it's something which does not fit into the problem Keystone is trying to solve.07:25
jamielennoxajayaa: i'm not sure what people do with credentials in large deployments, i know there was the expectation that certs and ssh keys were the other credentials07:25
*** fhubik has joined #openstack-keystone07:28
*** fhubik is now known as fhubik_afk07:28
*** ankita_wagh has joined #openstack-keystone07:30
*** ankita_wagh has quit IRC07:43
*** jistr has joined #openstack-keystone07:48
*** stevemar has joined #openstack-keystone07:49
*** fhubik_afk is now known as fhubik07:49
*** kiran-r has joined #openstack-keystone07:49
*** stevemar has quit IRC07:53
*** _kiran_ has joined #openstack-keystone07:53
*** kiran-r has quit IRC07:57
*** lhcheng has joined #openstack-keystone07:57
*** ChanServ sets mode: +v lhcheng07:57
ajayaaHey jamielennox, I am using python-keystoneclient to create projects and users. I get a warning every time I create a user or project. This looks like "WARNING keystoneclient.utils [-] create takes at most 1 positional argument (2 given)"08:01
ajayaaIt's really annoying. This looks ugly with my otherwise beautiful test results.08:01
*** afazekas has joined #openstack-keystone08:01
ajayaaI tried digging into the code, but could not find a good reason for this.08:02
*** _kiran_ is now known as kiran-r08:03
ajayaaI am using keystoneclient version 1.6.008:03
*** rwsu has quit IRC08:13
*** rwsu has joined #openstack-keystone08:15
*** jamielennox is now known as jamielennox|away08:20
*** amaretskiy has joined #openstack-keystone08:21
marekdodyssey4me: i am here.08:25
marekdgsilvis: hi, ping me when you are available.08:26
*** henrynash has joined #openstack-keystone08:33
*** ChanServ sets mode: +v henrynash08:33
openstackgerritDave Chen proposed openstack/keystone: Show helpful message when creating service without request body  https://review.openstack.org/19542908:33
*** jamielennox|away is now known as jamielennox08:41
*** yottatsa has joined #openstack-keystone08:41
jamielennoxajayaa:08:42
jamielennoxajayaa: so that means it's wanting you to pass something as a keyword argument but you pass it as a positional argument08:42
jamielennoxit's handled by @utils.positional on functions08:42
jamielennoxso you'd need to figure out what you're calling08:43
*** abhishekk has joined #openstack-keystone08:46
*** henrynash has quit IRC08:48
*** aix has quit IRC08:50
openstackgerritDave Chen proposed openstack/keystone: Show helpful message when request body is not provided  https://review.openstack.org/19590308:51
*** ajayaa has quit IRC08:53
*** afazekas has quit IRC08:54
*** viktors has joined #openstack-keystone09:03
*** afazekas has joined #openstack-keystone09:09
*** openstackgerrit has quit IRC09:19
*** openstackgerrit has joined #openstack-keystone09:20
*** henrynash has joined #openstack-keystone09:23
*** ChanServ sets mode: +v henrynash09:23
*** afazekas has quit IRC09:24
*** dims has joined #openstack-keystone09:24
*** henrynash has quit IRC09:26
*** bradjones has quit IRC09:33
*** aix has joined #openstack-keystone09:34
*** bradjones has joined #openstack-keystone09:35
*** bradjones has quit IRC09:35
*** bradjones has joined #openstack-keystone09:35
*** e0ne has joined #openstack-keystone09:36
*** stevemar has joined #openstack-keystone09:38
*** yottatsa has quit IRC09:39
*** afazekas has joined #openstack-keystone09:39
*** stevemar has quit IRC09:42
*** e0ne is now known as e0ne_09:46
*** davechen has left #openstack-keystone09:55
*** ajayaa has joined #openstack-keystone09:55
ekarlsojamielennox: hey, is there a reason why one can't pass down a timeout to Adapter() ?10:04
*** e0ne_ is now known as e0ne10:05
*** federico3 has joined #openstack-keystone10:06
*** lhcheng has quit IRC10:12
openstackgerritmasato nakagawa proposed openstack/keystone: Add is_domain field in Project Table  https://review.openstack.org/15742710:16
*** yottatsa has joined #openstack-keystone10:17
ekarlsoany other guys here that know ?10:22
*** piyanai has joined #openstack-keystone10:27
*** histrio has quit IRC10:28
*** rushiagr_away is now known as rushiagr10:42
*** yottatsa has quit IRC10:47
*** hakimo has joined #openstack-keystone10:56
*** fhubik is now known as fhubik_afk11:02
samueldmqmorning11:17
*** amakarov_away is now known as amakarov11:17
*** stevemar has joined #openstack-keystone11:27
*** kiran-r has quit IRC11:27
*** stevemar has quit IRC11:30
*** toddnni has quit IRC11:31
*** e0ne is now known as e0ne_11:34
*** pawel_ has quit IRC11:35
*** e0ne_ is now known as e0ne11:36
openstackgerritMerged openstack/oslo.policy: Remove oslo-incubator specific code  https://review.openstack.org/19782711:41
*** toddnni has joined #openstack-keystone11:46
*** dguerri` is now known as dguerri11:49
*** fhubik_afk is now known as fhubik11:57
*** e0ne is now known as e0ne_12:06
*** e0ne_ is now known as e0ne12:11
*** bdossant has joined #openstack-keystone12:15
*** fhubik is now known as fhubik_afk12:15
*** gordc_af1 is now known as gordc12:33
*** yottatsa has joined #openstack-keystone12:35
*** fhubik_afk is now known as fhubik12:36
odyssey4memarekd can you unfathom how the rule mapping works for keystone fderation?12:37
*** yottatsa_ has joined #openstack-keystone12:37
rodrigodsodyssey4me, hi... there is a doc (under review) that explains very well the mappings: https://review.openstack.org/#/c/192850/12:39
odyssey4methanks rodrigods :)12:40
*** dsirrine_ has joined #openstack-keystone12:40
*** yottatsa has quit IRC12:41
*** edmondsw has joined #openstack-keystone12:42
odyssey4methat helps massively, I think - let me try it out12:45
*** radez_g0n3 is now known as radez12:46
marekdodyssey4me: everything clear?12:55
odyssey4memarekd yeah, that's a good doc addition!12:55
marekdodyssey4me: pretty much12:55
*** yottatsa_ has quit IRC12:57
*** hrou has joined #openstack-keystone13:00
*** piyanai has quit IRC13:05
*** stevemar has joined #openstack-keystone13:09
*** jsavak has joined #openstack-keystone13:11
*** jsavak has quit IRC13:11
*** jsavak has joined #openstack-keystone13:12
*** mylu has joined #openstack-keystone13:13
*** zzzeek has joined #openstack-keystone13:18
*** yottatsa has joined #openstack-keystone13:22
*** zzzeek has quit IRC13:22
*** bdossant_ has joined #openstack-keystone13:23
*** bdossant_ has quit IRC13:24
*** ninag has joined #openstack-keystone13:25
*** bdossant has quit IRC13:26
*** ninag has quit IRC13:26
*** lastops has joined #openstack-keystone13:26
*** abhishekk has quit IRC13:26
*** e0ne is now known as e0ne_13:29
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: API changes for Reseller  https://review.openstack.org/15300713:30
*** zzzeek has joined #openstack-keystone13:32
*** bdossant has joined #openstack-keystone13:34
*** piyanai has joined #openstack-keystone13:35
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: API changes for Reseller  https://review.openstack.org/15300713:35
stevemarbump: asking for keystone reviews on an infra patch: https://review.openstack.org/#/c/177620/13:36
*** r-daneel has joined #openstack-keystone13:36
*** richm has joined #openstack-keystone13:36
*** piyanai has quit IRC13:40
*** e0ne_ is now known as e0ne13:43
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: Project tree deletion  https://review.openstack.org/14873013:46
*** jsavak has quit IRC13:46
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone-specs: WIP: Dynamic Policies Delivering Mechanism  https://review.openstack.org/19798013:48
*** fhubik is now known as fhubik_afk13:49
stevemarsamueldmq: oh no, i took a look :(13:51
*** fhubik_afk is now known as fhubik13:52
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: Project tree deletion  https://review.openstack.org/14873013:52
stevemar#noregrets13:52
*** topol has joined #openstack-keystone13:52
*** ChanServ sets mode: +v topol13:52
samueldmqstevemar: shh .. :(13:52
samueldmqstevemar: sorry, I am referencing that in another spec, and I wanted a link :)13:52
stevemarsamueldmq: all good :)13:53
samueldmqstevemar: let' not talk about it, otherwise people will get curious :)13:53
samueldmqhehe13:53
*** fifieldt has joined #openstack-keystone13:53
stevemartalk about what? <.< >.>13:53
samueldmqstevemar: I have no idea what you're talking about13:53
* samueldmq is going back to writing dynamic policy specs o/13:54
*** jecarey has joined #openstack-keystone13:55
*** bdossant has quit IRC13:56
*** sigmavirus24_awa is now known as sigmavirus2413:56
*** jsavak has joined #openstack-keystone13:57
*** bdossant has joined #openstack-keystone13:59
*** mylu has quit IRC14:00
*** rlt has joined #openstack-keystone14:04
*** mylu has joined #openstack-keystone14:05
*** jsavak has quit IRC14:05
*** jsavak has joined #openstack-keystone14:05
*** fhubik is now known as fhubik_afk14:08
*** browne has joined #openstack-keystone14:11
openstackgerritLance Bragstad proposed openstack/keystone: Add unit test for fernet provider  https://review.openstack.org/19764914:12
*** fhubik_afk is now known as fhubik14:13
openstackgerritDave Chen proposed openstack/keystone: Show helpful message when request body is not provided  https://review.openstack.org/19590314:15
openstackgerritDave Chen proposed openstack/keystone: Show helpful message when request body is not provided  https://review.openstack.org/19799614:15
*** jaosorior has joined #openstack-keystone14:19
*** dims has quit IRC14:19
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone-specs: Dynamic Policies with Custom IDs  https://review.openstack.org/19800014:20
samueldmqstevemar: ^14:20
stevemaro/14:20
samueldmqstevemar: this one is a very simple, but has reference to others in 'Dependencies' section14:20
stevemarah14:21
*** aix has quit IRC14:21
samueldmqstevemar: reading this one you can get a very good idea of the whole thing :)14:21
stevemargood good14:21
samueldmqdstanek: the spec for what we were discussing yesterday about policy with custom ids14:21
samueldmqmorganfainberg: cc ^14:21
samueldmqstevemar: now I am going to update the last one: Dynamic Policies Delivering Mechanism14:22
samueldmqstevemar: before sending the FFE email for dynamic policies later today o/14:22
dstaneksamueldmq: which one?14:24
samueldmqdstanek: Dynamic Policies with Custom IDs https://review.openstack.org/19800014:24
*** mabrams has quit IRC14:26
*** tsufiev has left #openstack-keystone14:27
*** hogepodge has quit IRC14:28
dstanekstevemar: i though you were out for the next couple of days14:29
*** ajayaa has quit IRC14:29
*** e0ne is now known as e0ne_14:30
*** e0ne_ is now known as e0ne14:32
*** rm_work is now known as rm_work|away14:37
*** mylu has quit IRC14:37
*** mylu has joined #openstack-keystone14:38
*** dims has joined #openstack-keystone14:38
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone-specs: Dynamic Policies with Custom IDs  https://review.openstack.org/19800014:40
*** jsavak has quit IRC14:41
brownegeneral question, if i'm running two keystones behind a load balancer, and my keystones are using fernet tokens.  do the fernet keys generated from fernet_setup have to be the same on each keystone?14:41
*** jsavak has joined #openstack-keystone14:41
*** fhubik is now known as fhubik_afk14:42
dstanekbrowne: yes14:42
dstanekbrowne: you probably want to generate on one machine and sync to the other14:42
brownedstanek: short and sweet.  thanks!14:42
*** mylu has quit IRC14:42
dstanekor generate them offlne and sync to them both14:42
*** dims has quit IRC14:44
*** mylu has joined #openstack-keystone14:45
*** dims has joined #openstack-keystone14:49
*** rlt has quit IRC14:50
*** rletrocquer has joined #openstack-keystone14:50
*** henrynash has joined #openstack-keystone14:54
*** ChanServ sets mode: +v henrynash14:54
*** piyanai has joined #openstack-keystone14:56
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet provider issue_v2_token()  https://review.openstack.org/19764714:57
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet provider validate_v2_token()  https://review.openstack.org/19770614:57
openstackgerritLance Bragstad proposed openstack/keystone: Refactor _supports_bind_authentication method  https://review.openstack.org/19769914:57
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet provider validate_v3_token()  https://review.openstack.org/19687714:57
*** bradjones has quit IRC14:57
*** fhubik_afk is now known as fhubik14:58
*** fhubik is now known as fhubik_afk14:58
*** bradjones has joined #openstack-keystone14:58
*** bradjones has quit IRC14:58
*** bradjones has joined #openstack-keystone14:58
*** hogepodge has joined #openstack-keystone15:01
*** fhubik_afk is now known as fhubik15:01
*** fhubik is now known as fhubik_afk15:04
openstackgerritTheodore Ilie proposed openstack/keystone: Add test case for deleting endpoint with space in url  https://review.openstack.org/19688315:04
*** dims has quit IRC15:06
*** Guest42148 has joined #openstack-keystone15:07
*** slberger has joined #openstack-keystone15:07
*** dguerri is now known as dguerri`15:07
*** afazekas has quit IRC15:08
*** diazjf has joined #openstack-keystone15:08
*** Guest42148 is now known as dims_15:09
*** belmoreira has quit IRC15:10
*** rm_work|away is now known as rm_work15:14
openstackgerritIoram Schechtman Sette proposed openstack/keystone-specs: API spec for managing Attribute hierarchies in the Policy database  https://review.openstack.org/18492615:21
*** jsavak has quit IRC15:21
*** jsavak has joined #openstack-keystone15:22
*** yottatsa has quit IRC15:22
*** chlong has quit IRC15:23
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: API changes for Reseller  https://review.openstack.org/15300715:23
*** woodster_ has joined #openstack-keystone15:23
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: API changes for Reseller  https://review.openstack.org/15300715:24
*** yottatsa has joined #openstack-keystone15:24
*** hrou has quit IRC15:26
*** jsavak has quit IRC15:26
*** bdossant has quit IRC15:27
*** jsavak has joined #openstack-keystone15:28
*** anhhuynx has joined #openstack-keystone15:28
*** lufix has quit IRC15:29
*** kfox1111_away is now known as kfox111115:31
*** yottatsa has quit IRC15:35
*** jk|osx has joined #openstack-keystone15:37
*** ankita_wagh has joined #openstack-keystone15:38
openstackgerritFernando Diaz proposed openstack/keystone: Adding Documentation for Mapping Combinations  https://review.openstack.org/19285015:43
*** ankita_wagh has quit IRC15:48
*** stevemar has quit IRC15:48
*** mylu has quit IRC16:00
*** mylu has joined #openstack-keystone16:01
*** mylu has quit IRC16:01
*** mylu has joined #openstack-keystone16:02
openstackgerritJason Obrien proposed openstack/keystone: Updated docs for Keystone startup  https://review.openstack.org/19722516:02
*** jsavak has quit IRC16:02
*** jistr has quit IRC16:02
*** jason10258 has joined #openstack-keystone16:04
*** jsavak has joined #openstack-keystone16:04
*** __afazekas is now known as afazekas16:08
*** Lactem has joined #openstack-keystone16:10
*** piyanai has quit IRC16:11
LactemWouldn't I check if a user is admin with 'keystone ec2-credentials-get --access <access>?'16:12
*** stevemar has joined #openstack-keystone16:13
*** stevemar has quit IRC16:14
*** fhubik_afk is now known as fhubik16:14
*** ayoung has joined #openstack-keystone16:15
*** ChanServ sets mode: +v ayoung16:15
openstackgerritBrant Knudson proposed openstack/keystone: Federation API provides method to evaluate rules  https://review.openstack.org/19630816:16
openstackgerritBrant Knudson proposed openstack/keystone: Change mapping model so rules is dict  https://review.openstack.org/19629316:16
*** piyanai has joined #openstack-keystone16:18
*** _cjones_ has joined #openstack-keystone16:18
LactemDoes anyone know how to check if a user can update/view his/her ec2 credentials?16:21
myluHi guys I'm seeing a very weird error. when I try to do a get method to /v3/OS-FEDERATION/projects I see "keystone.middleware.core [-] Auth token not in the request header" But I definitly specified headers = {'X-Auth-Token': 'abcdetiuhjvjio'}16:21
*** mylu has quit IRC16:23
*** mylu has joined #openstack-keystone16:25
*** jkomg has joined #openstack-keystone16:26
*** lufix2 has joined #openstack-keystone16:28
*** jsavak has quit IRC16:30
*** jk|osx has quit IRC16:30
samueldmqayoung: morganfainberg hi, could you please take a look at 'Dynamic Policies with Custom IDs' https://review.openstack.org/19800016:30
samueldmqayoung: morganfainberg I'd like to have your toughts on that approach, which is what I was discussing yesterday with gyee and dstanek16:31
*** jsavak has joined #openstack-keystone16:33
ayoungsamueldmq, I don't think so16:35
ayoungsamueldmq, I would like to keep the ID generation inside of Keystone, as I really want that to move to a hash16:35
ayoungsamueldmq, but I see what you are getting at....what if....16:36
samueldmqayoung: policy id could be a hash of the url, or whatever16:36
samueldmqayoung: and we can advice that, actually .. .:)16:36
*** ankita_wagh has joined #openstack-keystone16:36
samueldmqayoung: sure go ahead16:36
ayoungwe create policy nicknames, and fetch by nicknames.  You upload a new policy file for a nickname, it still gets an ID, but the ID is assigned to the nickname16:36
*** rm_work is now known as rm_work|away16:37
*** roxanaghe has joined #openstack-keystone16:37
ayoungthe nickname could be the URL  etc16:37
ayoungsamueldmq, the policy files themselves should be uniquely identifyable, separate from "fetch me the right one"16:37
ayoungsamueldmq, that might support david8hu 's request to fetch policy for a specific project16:38
samueldmqayoung: ids would still be unique, even if customizable16:38
samueldmqayoung: I see what you mean, that could be just like policy's name16:39
samueldmqayoung: the idea of using id was to fetch it directly in the URL, without needing to use filters16:39
david8huayoung, samueldmq, I am multitasking multiple things today :)16:39
samueldmqayoung: so we would have GET /policies/my-own-policy, as opposed to GET /policies?name=my-own-policy16:40
openstackgerritHenrique Truta proposed openstack/python-keystoneclient: Add is_domain field to v3 token  https://review.openstack.org/19806216:40
samueldmqayoung: if that makes sense16:40
ayoungdavid8hu, either form is OK16:40
samueldmqdavid8hu: that's good :)16:40
samueldmqayoung: you meant me ?16:40
david8huayoung, trying to get things done b4 the long weekend :)16:41
ayoungsamueldmq, yes, you.  I misread.  the goal is to be able to have complex rules on the "decide which one te fetch' side inside keystone16:41
openstackgerritHenrique Truta proposed openstack/python-keystoneclient: Add is_domain field to v3 token  https://review.openstack.org/19806216:41
ayoungnot that it is "store a policy, fetch only that same policy"16:41
samueldmqayoung: so you ok with custom ids ?16:42
ayoungsamueldmq, no16:42
samueldmqayoung: hmm, so you don't like the idea of : download policy my-own-policy in the endpoints ..16:42
ayoungsamueldmq, calling them ids confuses thing. Labels or names is better16:42
ayoungsamueldmq, I like the concept. But naming is hard16:42
ayoungwe want to fetch policy by critera16:43
ayoungwe don't want to store by criteria16:43
samueldmqayoung: from a REST POV, could I ask /entities/<entity_name_instead_of_id_if_name_is_unique>16:43
ayoungsamueldmq, In the simplest case, we would have a unified policy file.  All of the services, when asking for policy, would get that same file16:43
ayoungnow, if we want to vary from endpoint to endpoint...we still may want to share the policy file between some endpoints, but not all16:44
samueldmqayoung: yes, so a single id for them all to download16:44
samueldmqayoung: in that case, you update the middleware config in the endpoints you want to vary16:44
samueldmq?16:44
ayoungsamueldmq, no updating of config16:44
ayoungmiddleware says "this is who I am.  Give me the right file"16:45
ayoungKeystone decides which is the right file16:45
samueldmqayoung: so the association still happens in the server16:45
ayoungabsolutely16:45
samueldmqayoung: and how the endpoint says: 'this is who I am' ?16:45
ayoungsamueldmq, by URL16:45
samueldmqayoung: by URL doesn't work, since different interfaces can have different URLs16:46
ayoungI don't care16:46
ayoungthat is stupid and not something we really should give any credence to16:46
samueldmqayoung: internal keystone can be '10.0.0.1:5000' and public '152.165.15.42:5000'16:46
ayoungand they should still have the same policy16:46
*** janonymous_ has joined #openstack-keystone16:46
samueldmqayoung: oh I agree they should be the same policy, but we have to deal with the fact of URL doesn't uniquely identify an endpoint16:47
ayoungbut that is fine16:47
ayoungit is the other case that is a problem16:47
ayoungwhere the same URL means two or more endpoints.16:47
ayoungI don't care about that, either16:47
ayoungtwo URLS getting the same endpoint-policy-file is the norm16:47
samueldmqayoung: if we don't care about that, it's bad to UX for some deployers16:47
ayoungno it is not16:48
ayoungthey don16:48
samueldmqayoung: gyee for example have different URLs for different interfaces16:48
ayoungwe are so far ahead of them16:48
ayoungand wants different polciy for them?  That is supported16:48
*** arunkant has joined #openstack-keystone16:48
samueldmqayoung: no he doesn't, but what URL should he use?16:48
ayoungwants the same policy for them?  THat is supported too16:48
samueldmqayoung: this question shows bad UX, doesn't it ?16:48
ayoungwhich ever one he wants16:48
ayoungsamueldmq, what we have is broken, badle, and we are discussing nitnoid details.  Fetch by URL is good enough, by a lonbg shot16:49
ayoungfor all the needs16:49
ayoungif we need to do something more, the tools are in place16:49
ayoungsamueldmq, maybe what we do i something like this:16:50
dstanekusing URL is too confusing16:50
*** ankita_w_ has joined #openstack-keystone16:50
ayoungdstanek, give me any reasonable alternative16:50
*** yottatsa has joined #openstack-keystone16:51
dstaneki like the arbitrary ids that samueldmq was pitching - even if you call them names/labels or whatever16:51
ayoungdstanek, that is not a full solution16:51
dstanekwhat's missing?16:51
ayoungdstanek, you are thinking "every time I install a new endpoint, I upload my policy file"16:52
ayoungthat is not the case16:52
ayoungIf it is an arbitraty label, I need to map that back to the entities I have16:52
*** Lactem has quit IRC16:52
ayounglike Endpoints and services16:52
ayoungthe idea is that policy should be global, bu maybe we need to do one policy file per service to dela with name clashes between nova and neutron16:53
ayoungso we need to say "I need th eright policy foir the service"16:53
ayoungbut we are not going to go and change the config file when we finally straighten things out, and have both nova and neutron use a unified policy file16:53
ayoungwe want to manage that in keystone16:53
ayoungwe want the hierarchical roles16:53
*** ankita_wagh has quit IRC16:54
ayoungall the node tells is is "this is who I am"  and the keystone server determines "this is the policy file you get"16:54
dstanekhaving a URL in the service config seems artibtrary. if could be any string. URL is not significant in the use cases I have seen16:54
ayoungif we make it an arbitraty label, we still need to map that to something16:54
ayoungdstanek, URL maps to endpoint...close enough for our needs16:54
ayoungwe can fudge things a little, by doing partial url mappings and whatever16:55
*** mestery has quit IRC16:55
dstanekbut my point is that the string can be arbitrary - it could be service_ha_region_iad16:55
ayoungif we store  policy by  https://nova/  and fetch via https://nova/v316:55
ayoungdstanek, that decision should be made in keystone, not in Nova16:55
ayoungKeystone can provide the grouping./16:55
ayoungNova endpoint does not select which policy to fetch16:56
*** henrynash has quit IRC16:56
ayoungit only says its own Identity ,and Keystone selects the right policy16:56
dstanekif you want hierarchical policies we should document that in the spec16:56
*** piyanai has quit IRC16:56
ayoungdstanek, I've written a hundred docs16:56
ayoungI've had this all laid out, and torn it apart, and...lets stop the discussion and just do the absolute minimum to move things along16:57
ayoungwe already have fetch by endpoint id16:57
ayoungthat was the reason for it16:57
ayoungwe are just trying to make things easier on the deployer by giving them a way to identify the node without having to call Keystone register endpoint first16:57
dstanekright, and with that use case an arbitrary ID works fine16:58
samueldmqayoung: and for that we need something that uniquely identify an endpoint16:58
gsilvismarekd: Thirty minutes from now?16:58
samueldmqi.e an id16:58
dstanekthere are too many different policy specs to see a clear vision of what we are trying to do16:58
dstanekright now it seems like "here is a bunch of random stuff"....."go"16:59
*** amaretskiy has quit IRC16:59
samueldmqdstanek: I am finishing the last one on the set of 4 defining the scope for L, I'll be sending the FFE email today16:59
dstaneksamueldmq: 4 different specs?16:59
samueldmqdstanek: it will contain the propsoed scope for L17:00
samueldmqdstanek: yes17:00
samueldmqdstanek: well 5 with the alternative of assigning by custom ID, as ayoung prefers17:00
samueldmqayoung: dstanek I think we should consider both options and put that on the table next meeting17:00
samueldmqayoung: dstanek looks fair, right ? so we get more eyes on this and take a decision17:01
*** gyee has joined #openstack-keystone17:01
*** ChanServ sets mode: +v gyee17:01
ayoungdstanek, how do Imap arbitrary Id to Endpoint? I need another API to do that17:01
*** piyanai has joined #openstack-keystone17:02
ayoungdstanek, I had a fucking overview spec.  It go "not a spec" on it17:02
*** mylu has quit IRC17:02
ayoungI am really not happy now.17:02
samueldmqayoung: what that spec proposes is to direct say to endpoint: 'fetch policy X'17:02
samueldmqayoung: that's different from 'I am endpoint K, gimme my policy'17:02
dstanek:-) i guess i'm confused why we need so many specs for a single feature17:02
samueldmqayoung: I will consider both and we can discuss it next meeting17:03
dstanekare all of the uses case in one of the specs i do i have to go and find them?17:03
ayoungdstanek, because it touches multiple components, many of which are not keystone.  Because it has to be done infcrementally,17:03
samueldmqayoung: in this specifc topoic17:03
ayoungdstanek, it all starts with 96869617:03
samueldmqayoung: of 'how to identify the policy for an endpoint'17:03
ayoung"admin"17:03
*** Lactem has joined #openstack-keystone17:03
ayoungwe can't just change the default policy because then we break existing deployments17:04
*** kiran-r has joined #openstack-keystone17:04
ayoungin order to allow policy to change in a manageable manner, we have to make it dynamic17:04
dstanekayoung: do any of them lay our the overall vision and end goals or do i have to come up with that i think it is after reading them all?17:04
ayoungdstanek, I don't know.  I had it clearly laid out in the overview spec, and then the biokeshedding began17:05
ayoungsamueldmq, has done a good job trying to keep up with it17:05
dstanekayoung: i assume that was abandoned...do you have a link?17:05
ayoungbut in doing so, we lost the links to the individual tasks...so we are now trying to recreate it on the wiki17:05
ayoungdstanek, yea, one sec17:05
*** mylu has joined #openstack-keystone17:05
*** yottatsa has quit IRC17:06
*** diazjf has left #openstack-keystone17:06
ayoungdstanek, not abandonded yet17:06
*** gokrokve has joined #openstack-keystone17:06
ayounghttps://review.openstack.org/#/c/147651/17:06
ayoungdstanek, let me look back at earlier revisions and tell you which to look at17:07
*** arunkant has quit IRC17:07
*** mylu has quit IRC17:07
dstanekayoung: i'm not for or against any of these ideas...but right now i don't see what they are adding up to17:08
*** arunkant has joined #openstack-keystone17:08
ayoungdstanek, I'm leaning right now to giving a presentation at the midcycle17:08
ayoungI don't think I can explain it piecemeal anymore...its like sweeping sand out of a beachhouse17:08
ayoungdstanek, let me try and write up an endstate document, and then show how we can get there via a series of incrementals.17:09
ayounghttps://adam.younglogic.com/2014/11/dynamic-policy-in-keystone/  probably needs an update17:10
*** arunkant has quit IRC17:11
*** e0ne has quit IRC17:11
*** arunkant has joined #openstack-keystone17:12
*** yottatsa has joined #openstack-keystone17:12
*** crc32 has joined #openstack-keystone17:13
*** crc32 is now known as crc32_lundh17:14
*** crc32_lundh is now known as crc32_lunch17:14
*** stevemar has joined #openstack-keystone17:15
*** yottatsa has quit IRC17:15
*** yottatsa has joined #openstack-keystone17:15
*** piyanai has quit IRC17:16
*** piyanai has joined #openstack-keystone17:17
*** mylu has joined #openstack-keystone17:19
*** stevemar has quit IRC17:19
*** piyanai_ has joined #openstack-keystone17:20
*** piyanai has quit IRC17:21
*** piyanai_ is now known as piyanai17:21
myluHey guys I hit a problem with the python-keystonclient when I try to do client.session.get(url=url, headers=headers, verify=False). I get "keystoneclient.openstack.common.apiclient.exceptions.Unauthorized:" and in keystone.log file I see "keystone.middleware.core [-] Auth token not in the request header" But I set my header to {'X-Auth-Token': '1234567qwert'}17:22
myluCan some one help me with that? or point me a direction for looking?17:23
ayoungWTF is my openstackid?17:24
openstackgerritHenrique Truta proposed openstack/python-keystoneclient: Add is_domain field to v3 token  https://review.openstack.org/19806217:24
gsilvismarekd: I'm going to get lunch now, but I'm free for the rest of the day after that (1800-2100 UTC)17:25
edmondswis there any documentation on setting up a project to act as a domain?17:26
morganfainbergayoung: your login to the openstack.org profile pages17:27
*** piyanai has quit IRC17:27
morganfainbergayoung: its the same as it used to be, just with an openid connector now17:27
ayoungmorganfainberg, WHAT IS MY ID?17:27
ayoungIt is nothing I can think of17:27
*** haneef has joined #openstack-keystone17:28
morganfainbergEmail?17:28
ayoungit is not accepting email, it is not accepting launchpad.17:28
morganfainbergMine is my email.17:28
*** piyanai has joined #openstack-keystone17:28
ayoungmorganfainberg, I even did password reset with email17:28
morganfainbergWeird.17:28
ayoungmusthave beeen a delay17:29
morganfainbergGot the email now?17:29
*** arunkant has quit IRC17:30
*** jason10258 has quit IRC17:31
*** jsavak has quit IRC17:31
*** jsavak has joined #openstack-keystone17:31
dstanekit is near impossible to run tests on older versions of keystone. our requirements are too liberal and oslo is too volatile17:31
openstackgerritTheodore Ilie proposed openstack/keystone: Catch exception.Unauthorized when checking for admin  https://review.openstack.org/19807117:32
*** arunkant has joined #openstack-keystone17:33
Lactem:)17:33
morganfainbergdstanek: you mean stuff thst was eol'd?17:35
morganfainbergOr you mean stable branches too?17:35
dims_dstanek: any stable branch breaks?17:35
morganfainbergdims_: haha! You're lurking!17:35
morganfainberg:)17:36
dstaneki'm on master about 1500 revisions back.... i'm doing (or trying) a git bisect to see when a bug got fixed17:36
*** kiran-r has quit IRC17:36
dims_morganfainberg: :)17:36
morganfainbergLol. 1500 revisions17:36
morganfainbergOuch17:36
dstanekmorganfainberg: dims_: the problem i am having is that requirements say >= and the newer versions of oslo are completely different17:36
morganfainbergdstanek: yep. Welcome to *hell*17:38
*** yottatsa has quit IRC17:38
dstaneklol17:38
morganfainbergjust make the >= a =?17:38
dstanekthat's what i'm doing17:38
morganfainbergThat should work and just floor the reqs17:39
*** Lactem has quit IRC17:39
dstanekbut i had to change by bisect script to do that too17:39
morganfainbergIck17:39
morganfainbergWait. What bug are you chasing that youre 1500 revs back?17:39
*** albertom has quit IRC17:39
mfischran into a weird problem today with keystone when (finally) switching to wsgi17:40
*** fhubik has quit IRC17:40
morganfainbergmfisch: ok do tell!17:41
mfischthe prescense of python-secretstorage (package) caused keystone to blow up17:41
mfischit even threw a dbus error17:41
morganfainbergWhat?!17:41
morganfainbergHow... The17:41
dstaneki want to update the commit message on https://review.openstack.org/#/c/196883/ to make is sound less abrasive toward the bug reporter - wanted revisions, but i don't think that's possible17:41
mfischI don't expect to see org.freedesktop in keystone logs17:41
mfischI blew the machines up but I can probably repro and get you a stack.17:41
mfischAfter it happened it refused to load the keystone.py wsgi file17:41
morganfainbergThat is a weird one dude17:41
dstanekmfisch: that's weird17:41
dims_dstanek: there's an effort to do better - see http://git.openstack.org/cgit/openstack/openstack-specs/tree/specs/requirements-management.rst17:42
mfischnobody here knows why that package is installed, its not coming up on clean nodes, so I just removed it17:42
dims_dstanek: larger than oslo17:42
morganfainbergdstanek: i think the commit message really is fine as is.17:42
mfischI'll get some stacks and file a bug17:42
morganfainbergdstanek: but *shrug*17:42
morganfainbergmfisch: dont spend too much time on it. But it would be interesting to know why17:43
mfischyeah probabloy just a bug to warn others17:43
morganfainbergYup17:43
morganfainbergCan we put an anti requirements in?17:43
morganfainberg:P17:43
mfischconflicts:17:43
morganfainberg!python-secretstorage17:43
openstackmorganfainberg: Error: "python-secretstorage" is not a valid command.17:43
morganfainbergopenstack: shush17:44
morganfainberg!17:44
morganfainberg!something17:44
openstackmorganfainberg: Error: "something" is not a valid command.17:44
morganfainbergLol17:44
morganfainberg!help17:44
openstackmorganfainberg: (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.17:44
dstanek!rm -rf /17:44
openstackdstanek: Error: "rm" is not a valid command.17:44
dstanekopenstack: now i know you are lying17:45
samueldmqdstanek: what are you trying to do ? LOL17:45
dstanekyeah, lying....time to go back to sleep17:45
samueldmq<.< >.>17:45
morganfainberg!;drop table plugins17:45
openstackmorganfainberg: Error: ";drop" is not a valid command.17:45
morganfainbergI wonder if you can shellcode inject to that interface somehow.17:46
dstanekhaha, i was just thinking that17:46
dstanekor XSS someone's client17:46
dstanekdims_: neat, i'll take a look17:47
dstanekdims_: i'd love to just freeze requirements for a release to exact versions17:47
*** albertom has joined #openstack-keystone17:48
dstanekand then periodically update stable if needed17:48
*** shaleh has joined #openstack-keystone17:49
dims_dstanek: ++ hope to get there. right now we have a g-r in stable/* but we don't have all libraries released from stable branch that do have the specific g-r requirements unfortunately17:49
*** Lactem has joined #openstack-keystone17:51
dims_so this round, the first step is centralized library releases17:51
dstanekdims_: that's a great start17:52
*** hrou has joined #openstack-keystone17:53
openstackgerritHenrique Truta proposed openstack/keystonemiddleware: WIP: Handling is_domain token attribute from keystone  https://review.openstack.org/19807617:57
*** ankita_w_ has quit IRC17:58
*** ankita_wagh has joined #openstack-keystone17:59
*** Lactem has quit IRC17:59
*** jake___ has joined #openstack-keystone18:04
*** jsavak has quit IRC18:05
*** jsavak has joined #openstack-keystone18:06
*** piyanai has quit IRC18:08
*** piyanai has joined #openstack-keystone18:09
*** slberger has left #openstack-keystone18:09
ayoungmylu, was about to answer18:12
ayoungmylu, you are doing this from python?18:13
*** ankita_w_ has joined #openstack-keystone18:14
*** jsavak has quit IRC18:14
*** jsavak has joined #openstack-keystone18:14
myluayoung: yes. Did you find my question? I can post it again of not18:14
*** jaosorior has quit IRC18:16
*** ankita_wagh has quit IRC18:16
myluayoung: I also tried using netcat listen to the port to see the request body, X-Auth-Token showed up in the header section18:17
ayoungmylu, what are you trying to do?18:19
*** browne has quit IRC18:20
myluayoung: I was trying to get project lists for federated user. the python call is client.session.get(url=url, headers=headers, verify=False)18:21
myluayoung: when I do it with curl it worked18:21
ayoungclient.session.get   hmmm18:21
*** jsavak has quit IRC18:22
myluclient here is from IdP and I'm using keystone v318:23
ayoungmy to list projects for user you want...18:23
mylufrom keystone.conf file in IdP I see "keystone.middleware.core [-] Auth token not in the request header"18:23
myluayoung: sorry what do you mean?18:24
ayoungmylu, once you have the session, you should not be making deliberate calls onit, but rather on the keystone client...looking for the call18:24
ayoungmylu, so...I'm wroking with some client code, let me send you a link18:25
myluayoung: cool thanks18:26
ayounghttps://github.com/admiyo/ossipee/blob/master/ossipee.py#L20718:26
ayoungmylu, I do a little renaming in the imports, but you see there I create one session and share it among 3 clients18:26
*** rushiagr is now known as rushiagr_away18:26
ayoungso, to list projects for a user it would be ...18:26
ayoungself.keystone.projects.list(user=user)18:27
ayoungor something close to that18:27
*** jake___ has quit IRC18:27
*** lhcheng has joined #openstack-keystone18:29
*** ChanServ sets mode: +v lhcheng18:29
openstackgerritRichard Megginson proposed openstack/keystone: add federation docs for mod_auth_mellon  https://review.openstack.org/19808318:31
*** stevemar has joined #openstack-keystone18:31
myluayoung: Ohh I see what you mean. I think I didn't explain my question well. Let me try again.18:31
myluayoung: so I'm trying to do "curl -s -H "X-Auth-Token: 123456aqwert" http://keystone.sp/v3/OS-FEDERATION/projects | python -mjson.tool" in python18:32
*** r-daneel has quit IRC18:32
mylu"client" here is created by my client class. it has self.session=keystoneclient.session(from keystoneclient)18:34
*** wuhg has quit IRC18:34
*** stevemar has quit IRC18:34
myluI want to get SP's project list for an IdP client can I do that with self.keystone.projects.list()?18:34
ayoungmylu, probably not.18:34
*** packet has joined #openstack-keystone18:34
ayoungBut...try it18:35
ayoungmylu, actually, drop the name=  param18:35
*** tjcocozz has joined #openstack-keystone18:35
*** gokrokve has quit IRC18:35
ayoungand it should try to list projects for the current user.  The Federation token should be OK for that...I think?18:35
*** Lactem has joined #openstack-keystone18:35
ayoungmylu, so,  I am not current myself on the state of Federation support in the client.  I *think* it is all there, but would have to go and dig in the git log18:37
ayounglet's seeee.18:37
*** sp4wnr0ot_ has joined #openstack-keystone18:37
myluI read the code earlier to try to find out why18:37
ayoungmylu, yeah...18:37
mylulooks like the header is not being passed throught to me .... from here => http://docs.openstack.org/developer/keystone/_modules/keystone/middleware/core.html18:37
LactemCan any core dev (besides David) look at my patch if they have a moment? https://review.openstack.org/#/c/19688318:38
myluBecause the error message I found in keystone.log was "Auth token no in the request header18:38
ayoungmylu, commit id is  53e79a30427769b6c9498a502b5f67ca5f71f3ca18:39
ayounghttp://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=53e79a30427769b6c9498a502b5f67ca5f71f3ca18:39
ayoung self.client.federation.projects18:39
ayoungmylu so self.keystone.federation.projects.list()18:40
myluis that is devstack kilo?18:40
ayoungmylu, it is in Kilo, yes18:41
ayoungmylu, so, the clients are not part of the integrated release, you will always get the latest from pip etc18:41
ayoungclients can be updated faster than the projects themselves18:41
mylucool I'll try to use that18:42
myluthank you!18:42
ayoungmylu, good luck18:42
*** Lactem has quit IRC18:43
*** e0ne has joined #openstack-keystone18:46
*** stevemar has joined #openstack-keystone18:48
ayoungsamueldmq, I'm putting in a policy presentation for Tokyo.  Would you like to co-present?18:48
samueldmqayoung: sure18:49
*** r-daneel has joined #openstack-keystone18:49
samueldmqayoung: let me take a look at the exact title/description when you have defined :)18:51
samueldmqayoung: let me take a look at the exact title/description when you have defined :)18:51
ayoungsamueldmq, I need a bio for you18:51
samueldmqoh sorry, wanted to re-run the last command in another scren18:51
samueldmqayoung: ^ hehe18:51
samueldmqscreen18:51
*** lhcheng has quit IRC18:52
*** tqtran has joined #openstack-keystone18:52
*** jsavak has joined #openstack-keystone18:53
*** dsirrine_ has quit IRC18:56
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/19727718:57
stevemarmorganfainberg: if you could verify you want to proceed with this: https://review.openstack.org/#/c/177620/ that would be super awesomo18:58
samueldmqayoung: somehting from linkedin ? let me see yours18:59
samueldmqayoung: so I can create mine (I've never did this before)19:00
ayoungsamueldmq, I'm sitting next to another Brazilian RHer, but from Sao Paulo.  We were comparing notes.19:00
morganfainbergstevemar: nope definitely don't want that... no making people's lives better... nope nope nope nope +1 ;)19:00
ayoungsp4wnr0ot_, meet samueldmq19:00
morganfainbergstevemar: lgtm19:00
samueldmqayoung: cool19:00
samueldmqsp4wnr0ot_: olá o/19:00
sp4wnr0ot_samueldmq, e ae cara vc tá famoso por aqui =D19:01
samueldmqsp4wnr0ot_: haha that's funny :)19:01
samueldmqsp4wnr0ot_: I am trying to do some good work with ayoung and keystone guys19:01
morganfainbergstevemar: hope that merges soon(ish)19:01
*** jkomg has quit IRC19:01
stevemarmorganfainberg: thanks :)19:01
stevemarmorganfainberg: bug some of your infra hp folks if you want it merged :P19:02
* morganfainberg goes on holiday hours early...or someting19:02
sp4wnr0ot_samueldmq, that's cool! I'm gonna send you an invite in linkedin just to keep in touch19:02
samueldmqsp4wnr0ot_: sure, let me know whenever you have any question, etc in keystone19:02
samueldmqsp4wnr0ot_: (I am not sure how familiar you are with this project)19:03
ayoungsamueldmq, can you send me a bio, and I'll add you to the presentation as a speaker?19:03
ayoungpresentation proposal, that is19:03
samueldmqsp4wnr0ot_: and I am assuming you will be working here :)19:03
*** ajayaa has joined #openstack-keystone19:03
ayounghttps://www.openstack.org/summit/tokyo-2015/call-for-speakers/manage/3995/summary  samueldmq19:04
*** jkomg has joined #openstack-keystone19:04
*** jsavak has quit IRC19:04
samueldmqayoung: can I see your bio ?19:04
*** jsavak has joined #openstack-keystone19:05
samueldmqayoung: just to see what it looks like .. I've never written one myself :p19:05
*** stevemar has quit IRC19:05
ayoungsamueldmq, sure...let me see if it is public yet19:05
ayounghttp://fpaste.org/239366/43586396/19:06
janonymous_o/19:09
*** dsirrine_ has joined #openstack-keystone19:12
*** tjcocozz has quit IRC19:12
*** ajayaa has quit IRC19:12
*** arunkant_ has joined #openstack-keystone19:17
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone-specs: Dynamic Policies Delivering Mechanism  https://review.openstack.org/19798019:18
samueldmqayoung: morganfainberg ^ this one describes the caching strategy we discussed last week, including avoiding thundering herd, etc19:18
samueldmqayoung: morganfainberg now we have a set of specs that define all we want for L19:19
*** tqtran is now known as tqtran-afk19:19
samueldmqayoung: morganfainberg I am going to write up the FFE email now ... will ask you before sending it19:19
samueldmqI mean ... finally >.> >.> >.> \o/ <.< <.< <.<19:20
*** arunkant has quit IRC19:21
*** ankita_w_ has quit IRC19:22
*** shaleh has quit IRC19:23
*** amerine has joined #openstack-keystone19:25
*** lhcheng has joined #openstack-keystone19:27
*** ChanServ sets mode: +v lhcheng19:27
*** jkomg has quit IRC19:27
*** amakarov is now known as amakarov_away19:28
raildotopol, ping, do you had the opportunity to read the htruta's answers here? https://review.openstack.org/#/c/153007/3619:28
*** rm_work|away is now known as rm_work19:29
*** jsavak has quit IRC19:30
*** janonymous_ has quit IRC19:30
*** amerine has left #openstack-keystone19:31
samueldmqayoung: I don't know my openstack-id19:31
samueldmqayoung: I don't even remember if I have one19:31
*** jsavak has joined #openstack-keystone19:32
topolHi raildo, not yet19:32
raildotopol, ok, just to know if it was clear enough  :)19:34
topolraildo, so how do folks distinguish between the two projects if they have the exact same name?19:36
topolwhats different between the two?  Are they nested under different projects19:36
topolraildo^19:37
*** jkomg has joined #openstack-keystone19:37
ayoungOn HMT, have we made any effort to define how a user can assign roles?19:37
ayoungraildo, htruta like, in order to assign a role on this project, I must be an admin on this project?  And made sure that was enforced?19:39
topolraildo I added more comments19:41
ayoungdstanek, I'll give you and example of why this Dynamic policy stuff is tricky19:41
ayoungone thing that we want to do is let end operators over ride the policy.  But in doing so, they could easily break things so that either too many people can execute the API, or too few19:42
raildotopol, I was answering from here, but I think that can be better if I put in the spec19:42
ayoungwhen enforcing policy, there are two pieces:  role and scope19:42
ayoungrole is not even checked for most things right now, but lets assume that is what people are going to want to customize19:42
ayoungone the other side is scope:  I want to make sure the project as specified in the token matches the project as specified on the resource:  VM, block device, whatever.19:43
ayoungI'd actually like to split policy down the middle here, and say the role  part can be customized, but  not the scope check.  Scope check should be determined by the Nova engineers19:44
raildoayoung, we don't changed anything about this, so we will follow the policy.v3cloudsample behaviour (cloud, domain and project admin, will be able do grant roles assignments)19:44
ayoungdoes that get files as a Keystone spec, and oslo,policy spec, or a nova spec19:44
ayoungraildo, we should test that...19:45
myluayoung: Hi a quick update on the problem I bumped into......so the correct header should be 'x-auth-token' instead of 'X-Auth-Token'.......It would be nice if it can be fixed? All the documentation refers to 'X-Auth-Token'19:46
raildoayoung, ++ I'll put it in my todo list19:46
*** jk|osx has joined #openstack-keystone19:46
ayoungmylu, really?  Strange that is has not come up before.19:47
ayoungplease file it as a bug in launchpad19:47
myluayoung: Yeah I'm not quite sure why it pops up. and will do. Thanks for the help! :)19:48
*** topol has quit IRC19:48
samueldmqayoung: morganfainberg please take a look at this draft of the ffe email and give me some feedback :)19:49
samueldmqayoung: morganfainberg https://etherpad.openstack.org/p/dynamic-policies-liberty-ffe19:49
*** jkomg has quit IRC19:50
*** jecarey has quit IRC19:50
*** shaleh has joined #openstack-keystone19:52
*** Lactem has joined #openstack-keystone19:54
*** e0ne has quit IRC19:55
*** tqtran-afk is now known as tqtran19:56
morganfainbergsamueldmq: will look after lunch.19:56
samueldmqmorganfainberg: great thanks, btw bon apetit19:57
morganfainbergsamueldmq: also keep in mind it is independance day for us here in the us tomorrow (observed) so might be getting quiet for those on eastern time (its almost 4pm)19:57
morganfainbergWith a 3 day weekend pending.19:58
*** piyanai has quit IRC20:00
*** packet has quit IRC20:01
*** sp4wnr0ot_ has quit IRC20:01
iurygregorycould any of the cores that a look at 'add federation docs for mod_auth_mellon' (https://review.openstack.org/#/c/198083/) in order to get it approved20:03
iurygregoryit has a +2 already20:03
iurygregorydstanek, marekd, cc ^20:03
Lactemiurygregory: I'm trying to get a second +2 also. :D20:03
iurygregorynice Lactem ^^20:04
LactemI'll just put the link here. https://bugs.launchpad.net/keystone/+bug/109856420:04
openstackLaunchpad bug 1098564 in Keystone "Cannot delete a service or endpoint" [Low,In progress] - Assigned to Theodore Ilie (theoilie-ti)20:04
LactemOoops that's the bug, not the patch. https://review.openstack.org/#/c/19688320:04
samueldmqmorganfainberg: hmm, yes .. :) independence day o/20:05
*** piyanai has joined #openstack-keystone20:05
*** jsavak has quit IRC20:05
*** jsavak has joined #openstack-keystone20:05
*** stevemar has joined #openstack-keystone20:05
*** stevemar has quit IRC20:09
*** boris-42 has quit IRC20:12
*** edmondsw has quit IRC20:14
*** lastops has quit IRC20:14
*** e0ne has joined #openstack-keystone20:15
*** ayoung has quit IRC20:15
*** browne has joined #openstack-keystone20:16
*** hogepodge has quit IRC20:17
*** hogepodge has joined #openstack-keystone20:18
*** csoukup has joined #openstack-keystone20:32
*** shaleh has quit IRC20:33
*** jsavak has quit IRC20:35
*** TheIntern has joined #openstack-keystone20:53
*** stevemar has joined #openstack-keystone21:07
*** Rockyg has joined #openstack-keystone21:08
*** Lactem has quit IRC21:09
*** stevemar has quit IRC21:09
*** r-daneel has quit IRC21:11
*** e0ne has quit IRC21:20
*** Lactem has joined #openstack-keystone21:24
LactemAny core devs around?21:24
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet provider validate_v2_token()  https://review.openstack.org/19770621:25
openstackgerritLance Bragstad proposed openstack/keystone: Refactor _supports_bind_authentication method  https://review.openstack.org/19769921:25
dstanekLactem: yup21:26
dstanekwhat's up?21:26
Lactemdstanek: You already reviewed my patch. : P21:26
*** piyanai has quit IRC21:26
dstanekLactem: ah, yeah there are lots and lots of patches to review - it might take a while for another to come across it21:26
dstanekplus people are probably preparing for the holiday and the upcoming mid-cycle21:27
LactemAlright I'll be patient. I'm just excited to be this close to a merge.21:27
LactemHaha yeah I'm going for holidays in a couple hours, too.21:27
dstaneknot if brant gets his hands on it! he pickier than me :-)21:27
lbragstadLactem: do you have a link?21:27
LactemI'll try to advertise to someone other than Brant. lol21:28
Lactemhttps://review.openstack.org/#/c/19688321:28
*** rletrocquer has quit IRC21:30
*** Rockyg has quit IRC21:31
*** piyanai has joined #openstack-keystone21:32
Lactemlbragstad: Do you want me to review anything of yours?21:34
lbragstadLactem: sure! https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:consolidate-fernet-provider,n,z21:34
*** mylu has quit IRC21:35
LactemI would -1 to make 2 minor grammar/spelling changes to your commit message, but you already have a +2 and x2 +1s.21:36
Lactemlbragstad: Hey you're on patch set 8 like me.21:37
lbragstadLactem: you can go ahead and make the comments, it's nice to have a reminder to catch those in case I respin for other comments21:37
dstaneklbragstad: i'm intending to go through all of your fernet stuff tonight21:37
lbragstaddstanek: ++21:37
lbragstaddstanek: awesome,21:37
*** piyanai has quit IRC21:39
LactemDavid is the best reviewer for me.21:39
*** piyanai has joined #openstack-keystone21:39
*** piyanai has quit IRC21:40
Lactemlbragstad: So that doesn't close any bug or anything? Shouldn't you submit a bug report so that you can use that patch to close it?21:41
LactemI reviewed you by the way. <321:42
LactemIRC hearts look weird to me.21:42
Lactemlbragstad: Feel free to review mine as well if you'd like.21:43
dstanekLactem: not everything requires a bug report; especially a refactoring21:44
lbragstadLactem: we could have a bug report I suppose, but it's more of less clean up. I can open one if people want to see one filed for it.21:44
*** lastops has joined #openstack-keystone21:44
LactemOh okay.21:44
LactemI thought it would be wishlist or something.21:44
*** lastops has quit IRC21:48
*** boris-42 has joined #openstack-keystone21:49
*** csoukup has quit IRC21:53
*** TheIntern has quit IRC21:56
*** marzif_ has joined #openstack-keystone21:58
Lactemlbragstad: I replied to your comment.21:59
*** crc32_lunch has quit IRC22:00
*** Kennan2 has joined #openstack-keystone22:03
*** lhcheng has quit IRC22:03
*** Kennan has quit IRC22:03
*** r-daneel has joined #openstack-keystone22:04
*** rwsu has quit IRC22:05
*** csoukup has joined #openstack-keystone22:09
*** marzif_ has quit IRC22:10
*** shaleh has joined #openstack-keystone22:11
*** arunkant__ has joined #openstack-keystone22:14
*** csoukup has quit IRC22:14
*** arunkant_ has quit IRC22:17
*** roxanaghe has quit IRC22:17
*** chlong has joined #openstack-keystone22:18
*** gordc is now known as gordc_afk22:19
*** arunkant_ has joined #openstack-keystone22:22
*** arunkant__ has quit IRC22:25
*** dsirrine_ has quit IRC22:31
*** briancurtin has quit IRC22:36
*** briancurtin has joined #openstack-keystone22:39
*** amit213 has quit IRC22:42
*** mancdaz has quit IRC22:43
*** mancdaz has joined #openstack-keystone22:44
*** hrou has quit IRC22:47
*** lhcheng has joined #openstack-keystone23:00
*** ChanServ sets mode: +v lhcheng23:00
*** rharwood has quit IRC23:01
*** rharwood has joined #openstack-keystone23:04
*** Lactem has quit IRC23:05
*** jk|osx has quit IRC23:06
*** r-daneel has quit IRC23:09
openstackgerritVictor Stinner proposed openstack/keystone: Fix tox -e py34  https://review.openstack.org/19816523:12
*** raildo_ has joined #openstack-keystone23:20
*** hrou has joined #openstack-keystone23:23
*** zzzeek has quit IRC23:33
*** chlong has quit IRC23:36
morganfainbergsamueldmq: email looks good-ish to me23:37
*** anhhuynx has quit IRC23:39
*** zzzeek has joined #openstack-keystone23:42
morganfainberghuh, adam is gone for the weekend i guess.23:43
morganfainbergi had something that might make his policy stuff easier... ah well23:44
*** browne has quit IRC23:51
bigjoolsmorganfainberg: does the ldap backend create ephemeral users?23:56
« Wednesday, 2015-07-01 Index Friday, 2015-07-03 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!