Friday, 2015-08-21

*** jasonsb has joined #openstack-keystone00:06
*** dims_ has quit IRC00:12
*** shadower has quit IRC00:23
*** shadower has joined #openstack-keystone00:23
*** mylu has quit IRC00:23
*** dramakri has left #openstack-keystone00:26
*** dramakri has quit IRC00:26
*** mylu has joined #openstack-keystone00:34
*** fangzhou has joined #openstack-keystone00:34
*** _cjones_ has quit IRC00:47
*** richm has quit IRC01:01
*** zzzeek has joined #openstack-keystone01:03
*** dims has joined #openstack-keystone01:04
*** qiaowei has joined #openstack-keystone01:04
*** shoutm has joined #openstack-keystone01:08
*** bapalm has quit IRC01:12
*** lhcheng has quit IRC01:14
*** bapalm has joined #openstack-keystone01:14
*** browne has quit IRC01:18
*** bapalm has quit IRC01:21
*** zzzeek has quit IRC01:29
*** dave-mccowan has quit IRC01:32
*** bapalm has joined #openstack-keystone01:33
openstackgerritMerged openstack/python-keystoneclient: Updated from global requirements
*** bapalm has quit IRC01:38
*** mylu has quit IRC01:41
*** bapalm has joined #openstack-keystone01:44
*** davechen has joined #openstack-keystone01:44
openstackgerritDavanum Srinivas (dims) proposed openstack/keystone: Remove references to keystone.openstack.common
*** bapalm has quit IRC01:51
*** topol has quit IRC01:52
*** topol has joined #openstack-keystone01:52
*** ChanServ sets mode: +v topol01:52
*** bapalm has joined #openstack-keystone01:56
*** ankita_w_ has quit IRC01:58
*** mylu has joined #openstack-keystone02:01
*** bapalm has quit IRC02:03
*** piyanai has joined #openstack-keystone02:05
*** bknudson has left #openstack-keystone02:05
*** bapalm has joined #openstack-keystone02:10
*** ankita_wagh has joined #openstack-keystone02:14
*** tonyb has joined #openstack-keystone02:15
*** bapalm has quit IRC02:15
tonybjamielennox: ping?02:15
*** ankita_wagh has quit IRC02:15
*** ankita_wagh has joined #openstack-keystone02:16
openstackgerritMerged openstack/keystone: Enhance tests for saml2 signing exception logging
*** ankita_wagh has quit IRC02:18
qiaoweican anyone help review the patch it has gotten one "+2".02:18
*** ankita_wagh has joined #openstack-keystone02:19
*** mylu has quit IRC02:21
*** mylu has joined #openstack-keystone02:21
*** bapalm has joined #openstack-keystone02:23
*** mylu has quit IRC02:26
*** bapalm has quit IRC02:30
*** bapalm has joined #openstack-keystone02:33
*** mylu has joined #openstack-keystone02:37
openstackgerritMerged openstack/keystone: Update 'doc/source/setup.rst'.
*** bapalm has quit IRC02:40
*** piyanai has quit IRC02:42
*** bapalm has joined #openstack-keystone02:42
*** nkinder has joined #openstack-keystone02:45
*** ankita_w_ has joined #openstack-keystone02:47
*** ankita_wagh has quit IRC02:50
*** hakimo_ has joined #openstack-keystone02:52
*** bapalm has quit IRC02:52
*** hakimo has quit IRC02:54
*** bapalm has joined #openstack-keystone02:55
*** dims has quit IRC02:55
*** woodster_ has quit IRC02:59
*** bapalm has quit IRC03:04
*** gyee has quit IRC03:09
*** bapalm has joined #openstack-keystone03:10
jamielennoxtonyb: hey03:10
*** shoutm_ has joined #openstack-keystone03:11
*** dave-mccowan has joined #openstack-keystone03:11
tonybjamielennox: So at PyCon you gave a lightning talk about using client sessions rather than hand rolled auth (excuse me if I get the jargon wrong)03:11
*** shoutm has quit IRC03:12
jamielennoxtonyb: yep03:12
tonybjamielennox: Is that in any way dependent on v3?03:12
tonybjamielennox: all the examples I see use v3 but that's not the same thing?03:12
jamielennoxtonyb: no, v2 works just fine that way, the idea is then that we can swap out the plugin without changing the code03:12
*** samleon has quit IRC03:12
jamielennoxi use v3 examples just because we want to get people over to v303:12
jamielennoxthe examples would generally show a v3.Password object, if you use v2.Password that's essentially the standard auth most people use now03:14
tonybjamielennox: So if I took the code from and s,v3,v2, that would be valid and an improvement over keystone_client.Client() with all the options?03:14
tonyb,cm is the change I'm looking at03:14
tonybclearly I'm not a keystone guy but if I can make things suck less then that's a thing I should do03:15
jamielennoxtonyb: the options change a bit between v2 and v3, because they have to
*** lhcheng has joined #openstack-keystone03:15
*** ChanServ sets mode: +v lhcheng03:15
*** qiaowei has left #openstack-keystone03:16
jamielennoxbut otherwise yes, that applies03:16
jamielennoxi'm not sure what this @args syntax is relying upon, but if it was argparse we have helpers for CLI
jamielennoxso that it registers all the options it expects, and you just get a plugin out that you can use03:17
jamielennoxand that way the user can supply their own auth info with whatever version makes sense for them03:17
tonybjamielennox: Cool thanks.  I'll make some grumbling on that review.  I may get told to pull my head in but we'll see03:20
jamielennoxtonyb: that would be great, as with all these things eventually everything will need to be cleaned up, but anything we can fix now we don't have to worry about deprecating later03:21
tonybjamielennox: Cool.  I might try to get some time with you and a few others in Tokyo to see what is reasonable to get into Mitaka by way of cleanups etc03:22
tonyb.... I mean into (nova) Mitaka just for clarity03:22
jamielennoxtonyb: that would be awesome, people look at what nova does for precedence in these things03:23
tonybjamielennox: Well nova is the best ;P03:23
jamielennoxtonyb: that's the word i'd have used too03:24
tonybjamielennox: LOL03:24
*** tiny-hands has quit IRC03:25
*** browne has joined #openstack-keystone03:26
*** fangzhou has quit IRC03:31
*** dave-mcc_ has joined #openstack-keystone03:43
*** piyanai has joined #openstack-keystone03:44
*** dave-mccowan has quit IRC03:45
*** piyanai has quit IRC03:50
*** shoutm has joined #openstack-keystone03:52
*** shoutm_ has quit IRC03:54
*** shoutm_ has joined #openstack-keystone03:55
*** shoutm has quit IRC03:57
*** shoutm has joined #openstack-keystone03:58
*** shoutm_ has quit IRC03:59
*** dave-mccowan has joined #openstack-keystone04:11
*** dave-mcc_ has quit IRC04:13
*** rm_work|away is now known as rm_work04:14
*** ankita_w_ has quit IRC04:15
*** ankita_wagh has joined #openstack-keystone04:16
*** ankita_wagh has quit IRC04:17
*** dave-mccowan has quit IRC04:18
*** ankita_wagh has joined #openstack-keystone04:18
*** ayoung has quit IRC04:22
*** shoutm_ has joined #openstack-keystone04:39
*** bapalm has quit IRC04:39
*** shoutm has quit IRC04:41
*** bapalm has joined #openstack-keystone04:41
*** mylu has quit IRC04:41
*** jdennis has quit IRC04:45
*** bapalm has quit IRC04:46
*** bapalm has joined #openstack-keystone04:47
*** bapalm has quit IRC04:54
*** bapalm has joined #openstack-keystone04:56
*** jdennis has joined #openstack-keystone05:00
*** bapalm has quit IRC05:03
*** jdennis has quit IRC05:05
*** kiran-r has joined #openstack-keystone05:05
*** bapalm has joined #openstack-keystone05:07
*** kiran-r has quit IRC05:07
*** geoffarnold has joined #openstack-keystone05:09
*** geoffarnold is now known as geoffarnoldX05:09
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements
*** geoffarnoldX is now known as geoffarnold05:10
*** ajayaa has joined #openstack-keystone05:10
openstackgerritGang Wei proposed openstack/keystone-specs: fix a simple typo "ì" -> "i"
*** geoffarnold has quit IRC05:15
*** bapalm has quit IRC05:16
*** geoffarnold has joined #openstack-keystone05:16
*** urulama has joined #openstack-keystone05:18
*** bapalm has joined #openstack-keystone05:20
*** jdennis has joined #openstack-keystone05:20
*** bapalm has quit IRC05:34
*** bapalm has joined #openstack-keystone05:35
*** mylu has joined #openstack-keystone05:42
*** bapalm has quit IRC05:44
*** lhcheng has quit IRC05:46
*** dims has joined #openstack-keystone05:47
*** mylu has quit IRC05:47
*** dims has quit IRC05:52
*** bapalm has joined #openstack-keystone05:56
*** topol has quit IRC05:59
*** dims has joined #openstack-keystone06:01
*** rm_work is now known as rm_work|away06:01
*** Nirupama has joined #openstack-keystone06:02
*** rm_work|away is now known as rm_work06:05
*** dims has quit IRC06:05
*** vivekd has joined #openstack-keystone06:11
*** urulama has quit IRC06:12
*** urulama has joined #openstack-keystone06:12
*** bapalm has quit IRC06:15
*** browne has quit IRC06:15
*** bapalm has joined #openstack-keystone06:16
*** bapalm has quit IRC06:20
*** ankita_wagh has quit IRC06:24
*** sateesh has joined #openstack-keystone06:27
*** Charlie has joined #openstack-keystone06:32
CharlieHello everyone.06:33
Charliei recently tried to install the kilo in a VM. but we are facing some issues at keystone config.06:34
Charlieis anyone here who would help us out?06:34
Charliecurl \   | tee /var/www/cgi-bin/keystone/main /var/www/cgi-bin/keystone/admin06:35
Charliethis was the command in the official documentation [kilo installation in ubuntu 14.04]06:35
*** afazekas has joined #openstack-keystone06:35
Charliebut the output we get as "network unreachable".06:36
*** vivekd has quit IRC06:38
*** vivekd has joined #openstack-keystone06:41
*** mflobo has left #openstack-keystone06:48
*** lhcheng has joined #openstack-keystone06:52
*** ChanServ sets mode: +v lhcheng06:52
davechenCharlie: You can just copy from that file from the git repo.06:54
davechenCharlie: I tried the command you use, it's okay for me, I suspect it's the issue of your network.06:55
*** lhcheng has quit IRC06:56
Charliewe opened the page and it was a python script. so we just need to copy that script ?06:58
Charlieto davechen06:58
davechenCharlie: yes, just that file.06:58
davechenCharlie: keystone.py06:59
openstackgerritAndrey Pavlov proposed openstack/keystone: Add S3 signature v4 checking
Charlieokay. so where should i place it?06:59
davechenCharlie: copy that file and put that file to the place where your httpd config is located.07:00
*** hrou has quit IRC07:00
Charliewe don't need to run that script.. do we?07:01
davechenCharlie: no, when keystone service is started, this file needs to be read.07:02
davechenCharlie: automatically, needn't run it manually.07:02
davechenCharlie: which doc are you referring to?07:03
Charlie:davechen Thanks for the help dave.07:03
davechenthis one?07:03
*** shoutm has joined #openstack-keystone07:03
*** shoutm_ has quit IRC07:05
davechenCharlie: np, pls mind the dir is not necessarily /var/www/cgi-bin/, but varies from your deployment.07:05
Charlieit's this link i am trying.
Charlieunder identity service --> install and configure --> WSGI components07:09
davechenCharlie: I saw that, thanks. Good luck! :)07:12
*** henrynash has joined #openstack-keystone07:14
*** ChanServ sets mode: +v henrynash07:14
marekdGood morning.07:18
*** Charlie has quit IRC07:19
davechenmarekd: Good afternoon. :)07:23
davechenhenrynash: Just answer your question about the show idp, currently, OSC doesn't support to show IDP by optional arguments.07:26
henrynashdavechen: although can you specify for osc, on an entity-by-entity basis, which attribute “show” uses?07:27
davechenThat means the url for show idp is GET /identity_providers. so, there will be no issue with list command in the OSC.07:28
davechenhenrynash: yes, show users is supported with some filter, but idp doesn't support any filter.07:28
henrynashdavechen: so we could get show to user ID as a filter, if we supported that?07:29
*** shoutm has quit IRC07:29
henrynash(show to use ID as a filter…)07:30
davechenhenrynash: but there are only three attributes in the IDP (enable, id, and desc)07:30
*** lsmola has joined #openstack-keystone07:31
henrynashdavechen: yeah, it’s back to my original point….IDP entities don’t look standard.  So IF we can configure osc so that for show IDP it filters on ID (instead of name), AND we add support for filtering IDPs by ID, then it would work….It’s a bit convoluted, however07:32
henrynashdavechen: seems to me we must have a discussion about what the expectations are between osc and the entities it can interface with…i.e. must there always be a name?  Or just some attribute you can filter on to get a unique object, etc?07:34
davechenhenrynash: yes, I agree, this should have wider discussion.07:34
davechenhenrynash: filter by ID is okay with list command, but still does not work with show command.07:36
henrynashdavechen: well it would be ok if ID is unique (which I assume it is)07:36
davechenhenrynash: I am working on adding the support in the IDP in the service side since IDP currently doesn't support filtering at all.07:36
davechenhenrynash: I will prepare some materials about this, and would you pls help to cover me to talk a little bit about it in our meeting?07:37
henrynashdavechen: sure07:38
davechenhenrynash: get some comments from others and how to handle this both in osc and service side.07:38
davechenhenrynash: thanks a lot! just because the timeslot is so bad for me :(07:39
henrynashdavechen: np07:39
*** mylu has joined #openstack-keystone07:43
*** mylu has quit IRC07:48
*** shoutm has joined #openstack-keystone07:48
*** ajayaa has quit IRC07:51
*** LukeHinds has joined #openstack-keystone07:55
*** pnavarro has joined #openstack-keystone07:55
*** fhubik has joined #openstack-keystone07:55
*** shoutm_ has joined #openstack-keystone08:11
*** shoutm has quit IRC08:13
*** doug-fish has joined #openstack-keystone08:18
*** fhubik is now known as fhubik_brb08:19
*** fhubik_brb is now known as fhubik08:19
*** doug-fish has quit IRC08:23
openstackgerritMarek Denis proposed openstack/keystone: Ensure ephemeral user's user_id is url-safe
*** jistr has joined #openstack-keystone08:30
openstackgerritMarek Denis proposed openstack/keystoneauth-saml2: Depend on keystoneauth
openstackgerritMarek Denis proposed openstack/keystoneauth-saml2: Standardize federated auth token scoping
*** ajayaa has joined #openstack-keystone08:35
*** shoutm_ has quit IRC08:40
*** lhcheng has joined #openstack-keystone08:41
*** ChanServ sets mode: +v lhcheng08:41
*** lhcheng has quit IRC08:46
davechenhenrynash, marekd, hi,08:55
davechenhenrynash, marekd, I have a trouble to share the google doc, so just use paste instead. (
henrynashdavechen: hi08:55
davechenhenrynash: my explanation is not correct enough, what i meant is list command instead of show command, idp list command doesn't support any optional arguments as the filter.08:57
marekddavechen: henrynash is the problem constrained only to federation entities?08:57
marekdor it also exists somewhere else?08:57
marekdi found it for idps but maybe there are other places like that?08:57
davechenyes, it's not limited to idp.08:58
davechenthis is why i ask the question to henry to potentially change the design a little bit.08:58
henrynashdavechen, marekd: so first up we need to decide if all first class entities need to have a name attribute.  This used to be the requirement.  This needs a keystone-wide discussion08:58
davechenhenrynash: other table doesn't have 'name' column, such as   service_provider .08:59
marekdhenrynash: used to be a req? So it no longer is?08:59
henrynashdavechen, marekd: If the answer to the above is NO, then we need to change the design of osc to allow the “show attribute” to be specified on an entity-by-entity basis08:59
henrynashmarekd: I thought it still was…but I think we kinda of forgot this was a requirement!!!09:00
marekdhenrynash: uh09:00
marekdhenrynash: since idp,protocol, mapping have user specified id09:00
davechenhenrynash: agree, entity-by-entity basis sound good.09:01
marekdhenrynash: we can only duplicate data09:01
henrynashdavechen, marekd: the issue about what happens if you specify an unsupported filter to a list command is totally separate…and should be discussed outside of the context of this issue (I actually like the current functionality, but could be persuaded to support a different view!)09:02
davechenmarekd, the table schema is designed by you?09:02
marekddavechen: it was, but with quorum from rest of keystone team.09:02
marekddavechen: afair it was not my idea to put id as user defined.09:02
marekddavechen: have you discussed it on the keystone meeting? (i missed last two)09:03
davechenmarekd: i saw steve's comment about this, seems like this is an agreed design.09:03
davechenmarekd: sorry, no.09:03
henrynashmarekd: yeah, that’s what I mean we kind of forgot about this…traditionally the ID was generated and the name was the user defined thing (often unique)09:03
marekdhenrynash: so i am pretty sure for this case it was done on purpose (not skipping name column, rather user defined id)09:04
henrynashmarekd, davechen: we’re all equally guilty!09:04
davechenmarekd:  henry may help talk about this in the coming meeting.09:04
davechen:) I am not guilty.09:06
davechenhenrynash, marekd, thanks both (boss), let's see what others will say about this.09:07
marekddavechen: yeah09:07
henrynashdavechen: true, I’ll give you that!09:07
davechenhenrynash, marekd: my weekend is coming, and happy weekend to you! :)09:08
henrynashdavechen: u209:08
marekddavechen: sure, have a nice weekend!09:08
*** davechen has left #openstack-keystone09:13
*** lhinds_ has joined #openstack-keystone09:14
*** urulama has quit IRC09:15
*** urulama has joined #openstack-keystone09:16
*** aix has joined #openstack-keystone09:19
*** shoutm has joined #openstack-keystone09:30
*** fhubik is now known as fhubik_brb09:44
*** shoutm has quit IRC09:45
*** fhubik_brb is now known as fhubik09:45
*** fhubik is now known as fhubik_brb09:46
openstackgerritMarek Denis proposed openstack/keystone: Ensure ephemeral user's user_id is url-safe
openstackgerritMerged openstack/keystone: Add necessary executable permission
*** dims has joined #openstack-keystone10:05
*** aix has quit IRC10:10
*** yottatsa has joined #openstack-keystone10:12
*** yottatsa has quit IRC10:12
*** aix has joined #openstack-keystone10:22
openstackgerrithenry-nash proposed openstack/keystone: Relax newly imposed sql driver restriction for domain config
openstackgerrithenry-nash proposed openstack/keystone: Remove unused code in domain config checking
*** sateesh has quit IRC10:26
*** lhcheng has joined #openstack-keystone10:30
*** ChanServ sets mode: +v lhcheng10:30
marekdopilotte: hi, i think your patch is fine, but i would like to ask you for proper documentation update, and then we will approve both. For doc update you should work on )10:33
*** lhcheng has quit IRC10:34
*** henrynash has quit IRC10:41
*** yottatsa has joined #openstack-keystone10:42
*** fhubik_brb is now known as fhubik10:43
*** lhcheng has joined #openstack-keystone10:53
*** ChanServ sets mode: +v lhcheng10:53
*** piyanai has joined #openstack-keystone10:55
*** lhcheng has quit IRC10:58
*** LukeHinds has quit IRC11:14
*** yottatsa_ has joined #openstack-keystone11:22
*** yottatsa has quit IRC11:23
*** yottatsa has joined #openstack-keystone11:41
*** yottatsa has quit IRC11:42
*** mylu has joined #openstack-keystone11:44
*** yottatsa_ has quit IRC11:44
openstackgerritVivek Dhayaal proposed openstack/keystone: Stable Keystone Driver Interfaces
*** mylu has quit IRC11:49
*** yottatsa has joined #openstack-keystone11:54
*** ChanServ sets mode: +o dolphm11:55
*** yottatsa has quit IRC12:05
*** Nirupama has quit IRC12:08
*** yottatsa has joined #openstack-keystone12:10
*** yottatsa has quit IRC12:10
*** sigmavirus24_awa is now known as sigmavirus2412:11
*** claudiub has joined #openstack-keystone12:11
*** petertr7_away is now known as petertr712:12
*** yottatsa has joined #openstack-keystone12:15
*** yottatsa has quit IRC12:17
*** sigmavirus24 is now known as sigmavirus24_awa12:18
*** yottatsa has joined #openstack-keystone12:19
*** alejandrito has joined #openstack-keystone12:20
dolphmmfisch: ping me when you have a minute12:22
*** vivekd has quit IRC12:26
*** kiran-r has joined #openstack-keystone12:29
*** edmondsw has joined #openstack-keystone12:31
*** piyanai has quit IRC12:36
gordcdolphm: if for some reason you feel passionate about wsgi middleware:
dolphmgordc: =)12:40
gordcdolphm: different strokes. who am i to judge.12:41
*** tjcocozz__ has joined #openstack-keystone12:43
*** abhirc has joined #openstack-keystone12:44
*** kiran-r has quit IRC12:49
*** kiran-r has joined #openstack-keystone12:50
*** piyanai has joined #openstack-keystone12:52
*** tiny-hands has joined #openstack-keystone12:54
*** chlong has joined #openstack-keystone12:58
*** tiny-hands has quit IRC13:00
*** yottatsa has quit IRC13:02
*** yottatsa has joined #openstack-keystone13:03
*** yottatsa has quit IRC13:04
*** yottatsa has joined #openstack-keystone13:04
*** tjcocozz_ has joined #openstack-keystone13:04
*** jecarey has joined #openstack-keystone13:06
*** yottatsa has quit IRC13:06
*** chlong has quit IRC13:07
*** tjcocozz__ has quit IRC13:07
*** dave-mccowan has joined #openstack-keystone13:08
*** shoutm has joined #openstack-keystone13:08
*** nkinder has quit IRC13:09
*** yottatsa has joined #openstack-keystone13:10
*** jecarey has quit IRC13:12
*** doug-fish has joined #openstack-keystone13:12
openstackgerritMarek Denis proposed openstack/keystone: Respect federated user name in tokens.
*** dims has quit IRC13:16
*** dims has joined #openstack-keystone13:17
*** richm has joined #openstack-keystone13:18
*** doug-fish has quit IRC13:19
marekdlbragstad: re: so you had some question on why i removed parse.unquote() operation . I answered it, however now i made a chain of patches so it should be all even more clear. Can you revisit the patch (as well as underlying) and vote again?13:19
*** yottatsa has quit IRC13:19
lbragstadmarekd: sure thing, thanks for respinning!13:19
*** petertr7 is now known as petertr7_away13:21
*** hrou has joined #openstack-keystone13:21
marekddolphm: lbragstad: what happens if the optional field is empty - is it still going to use a space in the fernet payload?13:23
*** _kiran_ has joined #openstack-keystone13:24
*** urulama has quit IRC13:24
*** urulama has joined #openstack-keystone13:25
*** kiran-r has quit IRC13:26
*** _kiran_ has quit IRC13:29
samueldmqdstanek,  you around ?13:33
dstaneksamueldmq: does the sun shine?13:33
samueldmqdstanek, does that imply in a "sure" ? :-)13:34
dstaneksamueldmq: more of an "of course"!13:34
samueldmqdstanek, hehe13:35
samueldmqdstanek, did you see a couple of messages I left to you yesterday ?13:35
samueldmqdstanek, regarding the policy distribution thing13:35
*** piyanai has quit IRC13:36
*** piyanai has joined #openstack-keystone13:37
lbragstadmarekd: I believe so, but I'd have to double check13:37
dstaneksamueldmq: pms?13:37
marekdlbragstad: i read the log from irc meeting when the bug was discussed.13:38
openstackLaunchpad bug 1482701 in Keystone "Federation: user's name in rules not respected" [Medium,In progress] - Assigned to Marek Denis (marek-denis)13:38
*** piyanai has quit IRC13:39
marekdlbragstad: so i am gonna fix this eventually but may do some optimizations wherever possible. Also, I am wondering if there is any contract saying user must have id and name specified.  cc/ dolphm morgan_254913:39
samueldmqdstanek, no, basically I am tending to agree that starting simple, and accept small inconsistencies when updating policies would be ok13:39
samueldmqdstanek, at least for starting .. if they ask for improvements, we know how to do it already13:40
dolphmmarekd: absolutely, all resources in v3 have an ID, and names are required attributes of users:
marekddolphm: ok, that explains everything.13:42
marekdso i am starting to work on a patch for names and fernet.13:42
dolphmmarekd: that sounds like no fun13:42
marekdincreasing fernet payload size is not fun at all.13:43
dstaneksamueldmq: what gave you the change in heart?13:43
dolphmmarekd: you can't hang a reference to that off the mapping table?13:43
dolphmmarekd: the users themselves don't need to be non-persistent13:43
dolphmmarekd: err, sorry not federation mapping table... the user-domain mapping table13:44
samueldmqdstanek, honestly, this test
*** jecarey has joined #openstack-keystone13:44
samueldmqdstanek, we would need to put the 'valid_to' in the endpoint table, because we are distributing based in endpoints, so the validity should be stored there13:44
marekddolphm: so local users are local users - then we issue standard fernet tokens and don't bother with groups, names etc.13:45
marekdstrictly federated tokens are (as of now)  ephemeral users.13:45
samueldmqdstanek, we'd be adding this 'valid_to' in the endpoint table + a new table for copies, I think this is kind of messing our model up for making keystone do a task that it isn't designed for13:46
samueldmqdstanek, i.e, be a cms13:46
marekddolphm: which table are you referring now, btw?13:46
dolphmmarekd: the one that maps user IDs to domains13:46
samueldmqdstanek, or something like that .. that's why I think we could start simpler, and make improvements later if requested13:46
dolphmmarekd: maybe it's time to investigate the consequences of not having a user identity in openstack at all? what services would break if there was no X_USER_ID X_USER_NAME header presented to them, etc?13:47
dolphmmarekd: are there ways around those cases, etc13:47
samueldmqdstanek, if you are looking at the test code, what I said is related to the @wip there13:47
marekddolphm: probably most of the service would survive without user_name, whereas none would be fine without user_id13:48
dolphmmarekd: i think there's value in "reducing" the identity of a user to be merely a token -- however, that's difficult when you're using bearer tokens, because your "identity" is trivial to outright steal13:48
marekddolphm: what about billing and security areas?13:48
dolphmmarekd: those are the good questions :)13:48
*** yottatsa has joined #openstack-keystone13:49
*** browne has joined #openstack-keystone13:49
dolphmmarekd: auditing comes back to keystone, i don't think other services have any real need for user IDs for security purposes (if they do, i'd love to know about it). billing should come back to tenancy, not individual users13:49
marekddolphm: well, unless there is something i am missing (like some tables i am not aware of) i think as a bug fix i can only extend (once again) fernet payload with the users name and start investigating ideas you just presented.13:50
dstaneksamueldmq: why would you put caching data in our entity models? it should be separate concerns13:50
*** abhirc has quit IRC13:50
marekddolphm: so you'd like to see tokens with just a set of roles and scoped project?13:51
marekdwithout identity part?13:51
samueldmqdstanek, in the case of policy (the implemented solution today) we need a copy to make the distribution consistent13:51
dstaneksamueldmq: i totally agree. do the bare minimum needed by HP public cloud to deploy to production13:51
dstaneksamueldmq: any copies for caching purposes should not change our existing models13:52
samueldmqdstanek, and we then need a validity (cache control?) to realize if the copy is expired13:52
samueldmqdstanek, if we accept the small inconsistency, we won't have changes in the model at all13:52
samueldmqdstanek, yes, I will check with gyee the minimum needed for them13:53
dstaneksamueldmq: and get the % likelihood that they'll deploy it. he should get a commitment from those folks too. i don't want to rush something through if nobody is going to use it anyway13:54
samueldmqdstanek, it shouldn't be a silver-bullet, and can't13:54
dstaneksamueldmq: once you decide you want to cache stuff then you have to accept some level of eventual consistency. that's just how it is13:54
dolphmmarekd: i think it'd be a super interesting experiment, yes13:55
samueldmqdstanek, yes, and trying to reduce it as much as we could with that solution isn't worth it (at least for now)13:55
*** Kiall has left #openstack-keystone13:56
dolphmmarekd: if it truly can't be done, i'd like to know why (i'm not aware of any hard technical blockers, just preconceptions and conventions that must be broken)13:57
*** thiagop_afk has joined #openstack-keystone13:59
*** thiagop_afk is now known as thiagop13:59
*** fhubik has quit IRC13:59
openstackgerritMehdi Abaakouk (sileht) proposed openstack/keystonemiddleware: Allow to use oslo.config without global CONF
samueldmqdolphm, quick question .. what's the advantage of a token with some information in comparison to uuid tokens ?13:59
samueldmqdolphm, if one needs to check the token's validity against keystone anyway14:00
marekdsamueldmq: like fernet vs uuid ?14:00
marekdsamueldmq: you don't need to query potentially huge token tables14:00
samueldmqmarekd, yeah, anyone vs uuid14:00
marekdso my understanding is that it's still better to rebuild the identity by querying user/project/domain/roles (fernet case)  table rather than humongous token tables (uuid case). dolphm correct me if i am wrong.14:01
lbragstadmarekd: correct, and you also have to think about replication issues with uuid tokens if you have a distributed keystone deployment14:02
marekdlbragstad: another good reason.14:03
samueldmqand how does validation occur ?14:03
marekdI think it was Ken Savich giving numbers of reqs/minute. It was roughly 1 user change per minute to 10s or 100s of token related reqs/minute.14:03
lbragstadas long as you do your fernet key rotation properly, you'll always have zero wait time validating tokens across regions14:03
samueldmqin the uuid case, it looks in the table14:03
samueldmqfor fernet, it checks using the fernet keys ?14:04
lbragstadsamueldmq: when keystone gets a fernet token, it uses a set of keys to decrypt the payload14:04
dolphmsamueldmq: never having to make a write when you issue a token14:04
lbragstadsamueldmq: then the payload is reconstructed to build token data14:04
lbragstad^ yet another good reason14:04
samueldmqsounds like N-birds with a single stone14:05
dolphmsamueldmq: it's quite similar to PKI, but having learned the lessons of PKI, they're as small as possible14:05
dolphmsamueldmq: validation is a matter of verifying & unpacking the fernet token, rebuilding the authorization context from scratch, verifying the revocation state, and you're done14:06
dolphmsamueldmq: whereas with UUID, it's a single read from the database. "does this token exist?" if so, you've got the authorization context and you know it hasn't been revoked14:07
dolphmsamueldmq: with PKI[z], it's verifying & unpacking the token, verifying the revocation state, and returning the unpacked contents14:08
samueldmqdolphm, verifying & unpacking implies the token is valid (using the proper keys to do so), after that, check if it's revoked, that's all right14:08
dolphmsamueldmq: so, both UUID and PKI[z] are faster to validate... but we're hoping to minimize the difference by optimizing our cache usage14:08
openstackgerritNikita Konovalov proposed openstack/python-keystoneclient: Fix logging of binary contentent in request
lbragstaddolphm: speaking of the cache thing, I dug into that last night14:09
lbragstadspecifically the roles part14:10
samueldmqdolphm, lbragstad do fernet tokens contain identity information ?14:10
marekdsamueldmq: yes14:11
samueldmqhmm, so identity info would only be needed for authn in the identity crud (user/group), but that's in keystone anyway, and we could retrieve that easily (I think)14:12
samueldmqfor example, one can only update user if it is himself14:12
*** geoffarnold has quit IRC14:15
dolphmlbragstad: ooh, yes?14:15
*** petertr7_away is now known as petertr714:15
marekddolphm: i am thinking about what you had proposed and -in the end it doesn't really matter if I steal your token with attribute "user_id: dolph" present in the token or not. Eventually you will pay for that as i will be utilizing your resources.14:21
marekddolphm: now i am thinking about keeping the same level of traceability - here some kind of link between a token and a cadf event (or notification) would be required.14:22
marekddolphm: cause even as a manager who runs some workloads on public cloud i want to be able to trace who in my team spinned so many VMs so i need to pay for this no".14:22
marekdprobably we could then switch from 'identity' part to 'audit_id' and that could be a link and a way to determine ownership14:24
*** topol has joined #openstack-keystone14:25
*** ChanServ sets mode: +v topol14:25
samueldmqdolphm, lbragstad no db read, but it needs to read the keys from the disk anyway, right ?14:28
*** mylu has joined #openstack-keystone14:28
dolphmsamueldmq: no db read when?14:29
samueldmqdolphm, token validation14:29
samueldmqdolphm, still talking about fernet :)14:29
dolphmmarekd: and yes, we read keys from disk on every validate. i wrote a patch to keep them in memory but there was no performance difference, and the difference in behavior isn't totally desirable during live rotation14:29
dolphmsamueldmq: in what scenario are you asking about no db reads?14:29
samueldmqdolphm, fernet token validation (as you said above)14:30
dolphmsamueldmq: there are plenty of db reads during validation14:30
dolphmmarekd: ++14:30
lbragstaddolphm: yeah, (got distracted)14:30
dolphmlbragstad: squirrel!14:30
lbragstaddolphm: exactly14:30
dolphmlbragstad: what's the scoop on role assignment caching?14:31
dimsfolks, fyi, fuel folks were working on moving from keystone+eventlet (in stable/juno) to keystone+apache (in stable/kilo) and we had to run a bunch of test scenarios to find the right configuration that would work for us. summary email is on the dev list -
lbragstaddolphm: from the token provider API, we call get_roles_for_user_and_domain and get_roles_for_user_and_project14:32
samueldmqdolphm, what if we stored a keystone-manage generated hash_key in the db, and the fernet keys would be generated based on that, so even ha installations would have keystones generating the same keys, without the need to get them from disk14:32
lbragstadI'm not sure where we call the get_user_roles methods with all the kwargs we talked about yesterday14:32
samueldmqdolphm, if that makes sense14:32
lbragstaddolphm: regardless, I put caching on those two calls and a bunch of stuff broke14:32
rodrigodseasy review for anyone with review slots available
dolphmlbragstad: broken implementation, or broken tests?14:33
lbragstaddolphm: broken tests14:33
*** mylu has quit IRC14:33
*** piyanai has joined #openstack-keystone14:33
dolphmlbragstad: disable caching in the tests?14:33
dolphmlbragstad: you can do it just for assignments14:34
lbragstaddolphm: which I assume is because we don't do .invalidate() calls on role assignments14:34
dolphm[assignments] should_cache = false or something14:34
lbragstaddolphm: I added a utility for tests here -
dolphmsamueldmq: you want to store the source of encryption keys that are used for creating and validating tokens, in plaintext in the database?14:35
*** mylu has joined #openstack-keystone14:35
samueldmqdolphm, how is that today ? isn't the database expected to be "safe" ?14:36
dolphmsamueldmq: ha14:36
dolphmsamueldmq: i think anyone who watches the news will tell you that no information stored in a database is safe14:36
samueldmqdolphm, :(14:38
samueldmqdolphm, but if it was the case, that would be a good improvement, wouldn't it ?14:38
*** mylu has quit IRC14:38
dolphmsamueldmq: an improvement on what problem, exactly?14:39
*** piyanai has quit IRC14:39
samueldmqdolphm, avoiding to read the keys from disk14:39
dolphmsamueldmq: why is that a problem?14:39
samueldmqdolphm, hmm, I'm probably mixing disk hit vs db hit concerns14:40
samueldmqdolphm, disk hit isn't expensive, db hit is14:41
samueldmqis that right ?14:41
dolphmsamueldmq: they are magnitudes different, yes14:41
*** piyanai has joined #openstack-keystone14:42
samueldmqdolphm, cool, I was solving a problem that doesn't exist14:42
dolphmsamueldmq: if we were talking about a scenario with zero database reads, a disk read *might* end up being your most expensive I/O, but we're far from that situation in this case14:42
*** piyanai has quit IRC14:43
samueldmqdolphm, k so what db hits we do in a token validation, for example14:43
dolphmsamueldmq: and then throw in solid state storage with 350-3000+ MB/s read throughput, and it's even less of a problem14:44
dolphmsamueldmq: gathering the list of roles that belong in a token, for example14:44
samueldmqdolphm, do we need to re-check the role assignments ? if keystone encrypted and decrypted, that could be taken as something true, i.e no need to check in the db again if it was me that generated14:44
samueldmqdolphm, if a role assignment was deleted in the meantime, just wait for the token to expire14:45
*** mylu has joined #openstack-keystone14:45
dolphmsamueldmq: you're welcome to convince users that's how it should work, but token revocation events solve that problem quite elegantly14:45
samueldmqdolphm, like : "I am giving you this token and it's valid until it's expiry date" :)14:46
samueldmqits expiration date*14:46
dolphmsamueldmq: "but i deleted the role assignment, why is the token still valid? this is a security vulnerability. what if i'm being attacked by a malicious user? how do i mitigate?"14:47
samueldmqdolphm, kill him14:48
*** mylu has quit IRC14:48
lbragstaddolphm: this is the path that I was on yesterday with the role caching -
dolphmlbragstad: ++14:49
dolphmlbragstad: you also need to invalidate get_roles_for_user_and_domain and get_roles_for_user_and_project directly14:50
samueldmqdolphm, yes and revocation events are in db.. but we don't hit db for both i) role assignment checking & ii) revocation events check, do we ?14:52
lbragstaddolphm: AttributeError: 'function' object has no attribute 'invalidate'14:52
*** mylu has joined #openstack-keystone14:52
samueldmqdolphm, I'd expect to only do ii) revocation events check, since role assignment deletion should generate a revocation event already14:52
dolphmsamueldmq: revocation events are cached today14:53
dolphmlbragstad: ? but you memoized it...14:53
*** piyanai has joined #openstack-keystone14:53
lbragstad -- dolphm14:54
lbragstaddolphm: yeah, looks like some ground work might be missing for grants to use .invalidate?14:54
* lbragstad is a cache noob14:54
*** mylu has quit IRC14:54
dolphmlbragstad: if domain_id: self.get_roles_for_user_and_domain.invalidate(self, user_id, domain_id)14:55
dolphmlbragstad: if user_id and domain_id: **14:55
*** jorge_munoz has joined #openstack-keystone14:55
*** mylu has joined #openstack-keystone14:55
samueldmqdolphm, nice, thanks for the explanations14:55
samueldmqdolphm, too many things to learn in keystone14:55
dolphmsamueldmq: it's complicated :(14:55
samueldmqdolphm, no fun if it was easy (implies in solving easy problems)14:56
*** zzzeek has joined #openstack-keystone14:57
*** mylu_ has joined #openstack-keystone14:58
*** mylu_ has quit IRC14:59
*** mylu has quit IRC14:59
*** henrynash has joined #openstack-keystone15:00
*** ChanServ sets mode: +v henrynash15:00
*** geoffarnold has joined #openstack-keystone15:00
*** petertr7 is now known as petertr7_away15:02
*** r-daneel has joined #openstack-keystone15:02
lbragstaddolphm: ok, so for reference, with @memoize (in the diff I just pasted), I get 41 failed tests, rerunning with the lines you suggested above15:02
*** e0ne has joined #openstack-keystone15:03
*** samueldmq has quit IRC15:03
dolphmlbragstad: fwiw, anything you wrap with @MEMOIZE will try to hit a cache keyed by that function and those arguments. so whenever you do something that affects the state of the database (or whatever the source of truth is), you have to invalidate *all* applicable caches (which gets super convoluted very quickly if you're caching all the things).15:04
lbragstadahh, yeah.. I can see that.15:04
lbragstaddolphm: running tests against to see how much it helps my 41 failed tests.15:05
dolphm"There are only two hard problems in distributed systems: 2. Exactly-once delivery 1. Guaranteed order of messages 2. Exactly-once delivery" -- Mathias Verraes15:07
*** e0ne has quit IRC15:07
lbragstaddolphm: 41 fails went to 38 fails #progress15:07
*** narengan has joined #openstack-keystone15:08
*** e0ne has joined #openstack-keystone15:08
*** pgbridge has quit IRC15:08
dolphmlbragstad: if we actually run with caching enabled everywhere in tests, we must have pretty good cache invalidation right now15:08
lbragstaddolphm: actually, i think that breaks tests?
lbragstadjust digging into one of the arbitrary errors
dolphmlbragstad: "role not found" is broken speak for "role assignment not found" btw15:11
lbragstadoh, that's good to know15:12
lbragstadthat makes sense, since i'm invalidating grants15:12
dolphmlbragstad: the exception RoleNotFound is overloaded for both uses15:12
*** csoukup has joined #openstack-keystone15:12
*** geoffarnold is now known as geoffarnoldX15:13
*** geoffarnoldX has quit IRC15:14
lbragstaddolphm: hmm, so the strange part is that test fails *before* the delete_grant call happens15:14
openstackgerritMarek Denis proposed openstack/keystone: Ensure ephemeral user's user_id is url-safe
*** geoffarnold has joined #openstack-keystone15:17
dolphmlbragstad: then you probably need to invalidate the cache somewhere else, too15:17
dolphmlbragstad: what's it calling earlier that would affect the results of the newly cached calls?15:18
dolphmlbragstad: debug by removing one of the @MEMOIZE at a time15:18
openstackgerritMarek Denis proposed openstack/keystone: Respect federated user name in tokens.
marekdlbragstad: ^^ for ya15:18
lbragstadmarekd: first patch looks good, thanks for the quick turn around15:19
marekdlbragstad: sure15:19
*** ngupta has joined #openstack-keystone15:19
lbragstaddolphm: there must be something in the trust chain that invalidates it15:20
*** ngupta has quit IRC15:20
*** urulama has quit IRC15:20
*** urulama has joined #openstack-keystone15:21
marekddstanek: - care for a review? I feel you may have something to say in that matter (esp. implementation)15:21
*** bapalm has joined #openstack-keystone15:21
marekddolphm: lbragstad BTW - where dis magic upper boundary for fernet size - 255 bytes comes from?15:22
dolphmmarekd: experience15:23
*** ngupta has joined #openstack-keystone15:23
marekd+ the closest power of 2 (well, almost 256) ? :-)15:23
*** mylu has joined #openstack-keystone15:25
* dolphm ahh, the smell of pizza at 10:25am15:25
*** geoffarnold is now known as geoffarnoldX15:26
*** geoffarnoldX is now known as geoffarnold15:26
*** geoffarnold has quit IRC15:26
*** petertr7_away is now known as petertr715:28
*** e0ne has quit IRC15:29
dstanekmarekd: shore15:31
dolphmmarekd: dstanek: i helped too15:31
dstanekdolphm: don't cry :-)15:33
lbragstaddolphm: pizza?!15:37
lbragstaddolphm: are you at castle!?15:37
dolphmlbragstad: no lol15:37
*** ankita_wagh has joined #openstack-keystone15:38
dstaneklbragstad: pizza? food truck pizza?15:42
lbragstaddstanek: food truck bbq15:42
lbragstaddstanek: I've been thinking about bbq since about 9...15:42
dolphmlbragstad: i did that chopped brisket sandwich on tuesday...15:43
lbragstaddstanek: I feel like pavlov's dog, but for bbq,15:43
dstaneklbragstad: i love that pizza truck!15:43
lbragstaddolphm: I tried that for the first time last week (glorious)15:43
*** mestery has joined #openstack-keystone15:43
*** mestery is now known as mestery_afk15:44
*** pnavarro has quit IRC15:45
*** gyee has joined #openstack-keystone15:46
*** ChanServ sets mode: +v gyee15:46
lbragstaddstanek: don't you get in this week?15:47
*** _cjones_ has joined #openstack-keystone15:47
*** _cjones_ has quit IRC15:47
*** lhcheng has joined #openstack-keystone15:47
*** ChanServ sets mode: +v lhcheng15:47
*** _cjones_ has joined #openstack-keystone15:47
*** yottatsa has quit IRC15:52
dstaneklbragstad: the 30th i think15:53
lbragstaddstanek: sweet15:53
*** geoffarnold has joined #openstack-keystone15:54
lbragstaddolphm: so caching user/project role assignments is what breaks that test, (I removed the caching and invalidation and the test passed) - digging into the trust stuff15:54
*** abhirc has joined #openstack-keystone15:55
*** narengan_ has joined #openstack-keystone15:55
*** narengan has quit IRC15:58
lbragstaddolphm: and here is where the caching happens -
*** yottatsa has joined #openstack-keystone16:00
*** yottatsa has quit IRC16:01
*** jistr has quit IRC16:05
*** yottatsa has joined #openstack-keystone16:05
*** petertr7 is now known as petertr7_away16:07
*** yottatsa has quit IRC16:08
*** yottatsa has joined #openstack-keystone16:10
*** ankita_wagh has quit IRC16:11
*** thiagop_ has joined #openstack-keystone16:12
*** shaleh has joined #openstack-keystone16:13
*** kiran-r has joined #openstack-keystone16:15
*** kiran-r has quit IRC16:15
_cjones_Question for the keystone folks. How do you get the keystone password to become redacted during oslo_cfg time?16:16
*** esp has left #openstack-keystone16:17
*** henrynash has quit IRC16:18
*** urulama has quit IRC16:19
morgan_2549In the log? And ... Is it not?16:20
*** roxanaghe has joined #openstack-keystone16:21
_cjones_morgan_2549 Correct. In the log, and yes it is. I'm just trying to figure out *how* you did it?16:23
morgan_2549There is an argument "secret" in the option definition (i think)16:23
morgan_2549It happens at opt definition time for sure.16:23
*** yottatsa has quit IRC16:24
_cjones_morgan_2549: Awesome. Quick git grep pulls it up. Thanks.16:26
morgan_2549Happy to help!16:26
*** dims is now known as dimsum__16:26
*** yottatsa has joined #openstack-keystone16:27
*** browne has quit IRC16:29
*** yottatsa has quit IRC16:29
*** yottatsa has joined #openstack-keystone16:30
*** browne has joined #openstack-keystone16:32
*** thiagop_ has quit IRC16:36
*** yottatsa has quit IRC16:40
*** browne has quit IRC16:41
*** AlexeyElagin has quit IRC16:41
*** yottatsa has joined #openstack-keystone16:42
*** ankita_wagh has joined #openstack-keystone16:42
*** woodster_ has joined #openstack-keystone16:43
*** narengan_ has quit IRC16:43
*** baffle__ has joined #openstack-keystone16:48
*** baffle__ has quit IRC16:48
*** ankita_wagh has quit IRC16:49
*** ankita_wagh has joined #openstack-keystone16:50
*** jecarey has quit IRC16:52
*** piyanai has quit IRC16:53
*** ankita_wagh has quit IRC16:54
*** tjcocozz_ has quit IRC16:58
*** esp has joined #openstack-keystone16:59
*** kiran-r has joined #openstack-keystone17:02
openstackgerritLin Hua Cheng proposed openstack/keystone: Add region_id filter for List Endpoints API
*** abhirc has quit IRC17:06
*** shoutm has quit IRC17:08
*** ankita_wagh has joined #openstack-keystone17:08
openstackgerritLance Bragstad proposed openstack/keystone: Add caching to role assignments
*** yottatsa has quit IRC17:09
*** ankita_wagh has quit IRC17:09
*** piyanai has joined #openstack-keystone17:11
*** lsmola has quit IRC17:13
*** ankita_wagh has joined #openstack-keystone17:15
*** piyanai has quit IRC17:21
*** piyanai has joined #openstack-keystone17:24
*** browne has joined #openstack-keystone17:26
*** albertom has quit IRC17:26
*** mylu has quit IRC17:27
*** mylu has joined #openstack-keystone17:28
*** albertom has joined #openstack-keystone17:29
*** vivekd has joined #openstack-keystone17:30
*** abhirc has joined #openstack-keystone17:30
*** piyanai has quit IRC17:32
*** mylu has quit IRC17:32
*** mylu_ has joined #openstack-keystone17:33
*** piyanai has joined #openstack-keystone17:34
*** bradjones has quit IRC17:37
*** bradjones has joined #openstack-keystone17:38
*** bradjones has quit IRC17:38
*** bradjones has joined #openstack-keystone17:38
*** vivekd has quit IRC17:43
*** aix has quit IRC17:49
*** annasort has joined #openstack-keystone17:53
*** tjcocozz_ has joined #openstack-keystone17:54
*** ayoung has joined #openstack-keystone18:03
*** ChanServ sets mode: +v ayoung18:03
*** jeffDeville has joined #openstack-keystone18:04
*** ankita_wagh has quit IRC18:08
*** petertr7_away is now known as petertr718:12
*** albertom has quit IRC18:18
*** boris-42 has quit IRC18:20
*** albertom has joined #openstack-keystone18:22
*** pgbridge has joined #openstack-keystone18:22
morgan_2549Mmm friday18:32
*** stevemar has joined #openstack-keystone18:38
*** ChanServ sets mode: +v stevemar18:38
*** stevemar has quit IRC18:38
*** albertom has quit IRC18:39
*** kiran-r has quit IRC18:39
*** stevemar has joined #openstack-keystone18:41
*** ChanServ sets mode: +v stevemar18:41
*** e0ne has joined #openstack-keystone18:43
*** albertom has joined #openstack-keystone18:46
openstackgerritSam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate
*** mpmsimo has joined #openstack-keystone18:52
*** ankita_wagh has joined #openstack-keystone18:53
dstanekthis channel has been dead...18:53
*** henrynash has joined #openstack-keystone18:54
*** ChanServ sets mode: +v henrynash18:54
*** abhirc has quit IRC18:55
raildodstanek: :(18:57
*** tsymanczyk has quit IRC19:02
*** tsymanczyk has joined #openstack-keystone19:04
*** tsymanczyk is now known as Guest2756719:04
*** ngupta has quit IRC19:08
* morgan_2549 dies in the channel19:10
* morgan_2549 stinks up the place decomposing.19:10
*** mpmsimo has quit IRC19:10
raildolet's make a party! \o/19:12
htrutaraildo: go home, you're drunk19:13
raildohtruta: haha unfortunately, i'm not...19:13
*** raildo is now known as raildo-afk19:15
*** e0ne has quit IRC19:18
*** richm has quit IRC19:21
*** e0ne has joined #openstack-keystone19:42
*** alejandrito has quit IRC19:48
dolphmdstanek: that's because it's national poets day19:51
*** e0ne has quit IRC19:53
*** raildo-afk is now known as raildo19:53
*** mylu_ has quit IRC19:55
dstanekthere once was a man from nantucket19:55
dstanekoh wait that's a nsfw limerick...19:56
*** ankita_w_ has joined #openstack-keystone19:56
*** mylu has joined #openstack-keystone19:56
*** mylu has quit IRC19:56
*** ankita_w_ has quit IRC19:56
*** ankita_w_ has joined #openstack-keystone19:57
*** mylu has joined #openstack-keystone19:57
*** Guest27567 has quit IRC19:57
*** ankita_w_ has quit IRC19:57
*** ankita_w_ has joined #openstack-keystone19:58
*** boris-42 has joined #openstack-keystone19:58
*** ankita_w_ has quit IRC19:58
*** ankita_w_ has joined #openstack-keystone19:59
*** ankita_wagh has quit IRC19:59
*** ankita_w_ has quit IRC19:59
*** ankita_wagh has joined #openstack-keystone19:59
*** narengan has joined #openstack-keystone20:01
*** iurygregory has quit IRC20:03
*** petertr7 is now known as petertr7_away20:05
*** kiran-r has joined #openstack-keystone20:06
*** lhcheng has quit IRC20:14
*** tsymanczyk has joined #openstack-keystone20:20
*** tsymanczyk is now known as Guest5801220:20
openstackgerritHenrique Truta proposed openstack/keystone: Unit tests for is_domain field in project's table
htrutahenrynash: here you go20:24
*** richm has joined #openstack-keystone20:26
htrutahenrynash: did you know that rodrigods left us? :(20:27
*** iurygregory has joined #openstack-keystone20:27
_cjones_dstanek: Who kept all his cash in a bucket.20:27
*** Guest58012 has quit IRC20:31
openstackLaunchpad bug 1487600 in python-openstackclient "add support for 'is_domain' for keystone projects" [Undecided,New]20:33
*** albertom has quit IRC20:34
htrutastevemar: cool. this was in my todo list20:34
htrutastevemar: btw, is this a bug?20:34
htrutaps: rodrigods is not working with is_domain related stuff anymore :/20:35
stevemarhtruta: i had to open it because it was breaking the osc gate :)20:35
stevemarwell, i didn't want to open blueprints for both ksc and osc20:35
stevemarwhere is linnnnn20:36
stevemarlhcheng nooo20:36
*** tsymancz1k has joined #openstack-keystone20:36
htrutastevemar: but how does it break the gate? we don't allow the creation of is_domain=True projects20:37
htrutanot through the api20:37
stevemar and20:37
stevemarit still gets printed when you return a project20:37
stevemarprobably in list too20:38
htrutastevemar: hm. got it20:38
stevemaryou guys aren't filtering it out20:38
stevemarwait a tick, rodrigods left?!20:38
htrutarodrigods won't work with openstack anymore20:38
htrutatoday was his last day20:39
iurygregorysad day for us htruta =/20:39
stevemaroh noes20:39
*** lhcheng has joined #openstack-keystone20:39
*** ChanServ sets mode: +v lhcheng20:39
stevemarsad day for us all :(20:39
stevemarhe graduate?20:39
htrutastevemar: not that sad... we asked him if he'd miss us... and he said he won't20:39
stevemar"screw you all"20:40
htrutahe was already graduated20:40
htrutahe was just tired of us all heh20:41
iurygregoryhe was promoted20:41
raildoIt's not easy work with htruta haha20:41
*** albertom has joined #openstack-keystone20:42
iurygregoryraildo, ++20:42
openstackgerritHenrique Truta proposed openstack/keystone: Manager support for projects acting as domains
htrutastevemar: so, any is_domain/reseller stuff, you can address to me20:44
htrutacc henrynash20:44
raildohtruta: to us :)20:44
htrutayep :-)20:44
stevemaryou guys are funny :P20:45
stevemari'm outta here for now, going to hide offline20:45
*** stevemar has left #openstack-keystone20:45
*** stevemar has quit IRC20:45
*** _kiran_ has joined #openstack-keystone20:47
*** kiran-r has quit IRC20:48
*** ankita_wagh has quit IRC20:48
*** _kiran_ is now known as kiran-r20:49
*** ankita_wagh has joined #openstack-keystone20:49
*** ankita_w_ has joined #openstack-keystone20:50
*** ankita_wagh has quit IRC20:50
*** thiagop has quit IRC20:53
*** topol has quit IRC20:55
*** topol has joined #openstack-keystone20:57
*** ChanServ sets mode: +v topol20:57
*** pnavarro has joined #openstack-keystone20:58
*** mylu has quit IRC21:00
*** topol has quit IRC21:01
*** raildo is now known as raildo-afk21:01
*** pnavarro has quit IRC21:03
*** jeffDeville has quit IRC21:12
*** piyanai has quit IRC21:15
*** pnavarro has joined #openstack-keystone21:16
*** piyanai has joined #openstack-keystone21:16
*** mylu has joined #openstack-keystone21:28
*** Raildo has joined #openstack-keystone21:29
morgan_2549dstanek: I think I have a pass [running tests etc] to move away from needing FakeLDAP21:32
morgan_2549dstanek: unfortunately it replaces the need for the python code with py4j21:32
*** annasort has quit IRC21:33
morgan_2549dstanek: but that isn't awful it does mean tests need java runtime, but end of the world hardly and our LDAP code will be tested against an enforcing backend21:33
morgan_2549ooooor not21:34
*** edmondsw has quit IRC21:34
*** tsymancz1k has quit IRC21:34
*** narengan has quit IRC21:36
*** tsymanczyk has joined #openstack-keystone21:38
*** tsymanczyk is now known as Guest5706821:38
*** piyanai has quit IRC21:38
*** henrynash has quit IRC21:38
lhchenggyee: should we trigger cadf notification whenever tokenless x509 is used too? similar to what we have whenever a user authenticates.21:40
*** r-daneel has quit IRC21:42
*** bradjones has quit IRC21:42
*** bradjones has joined #openstack-keystone21:43
*** bradjones has quit IRC21:43
*** bradjones has joined #openstack-keystone21:43
*** btully has joined #openstack-keystone21:44
*** abhirc has joined #openstack-keystone21:45
*** csoukup has quit IRC21:49
*** piyanai has joined #openstack-keystone21:49
*** ankita_wagh has joined #openstack-keystone21:51
*** ankita_w_ has quit IRC21:51
*** csoukup has joined #openstack-keystone21:52
gyeelhcheng, yes we should, talking to Sam, he mentioned we've done it during mapping validation21:53
gyeeI am not sure if we need to emit multiple CADF and aggregate them into a single event21:54
*** hrou has quit IRC21:54
gyeeI need to pick the brains of our enterprise security folks to see how CADF is utilized in the field21:55
*** geoffarnold is now known as geoffarnoldX21:56
*** gordc has quit IRC21:58
*** ajayaa has quit IRC22:01
*** Raildo has quit IRC22:02
*** zzzeek has quit IRC22:02
*** kiran-r has quit IRC22:07
*** geoffarnoldX is now known as geoffarnold22:14
*** ngupta has joined #openstack-keystone22:19
*** piyanai has quit IRC22:20
*** ngupta has quit IRC22:21
*** ngupta has joined #openstack-keystone22:21
*** pnavarro has quit IRC22:22
*** tjcocozz_ has quit IRC22:23
*** _cjones_ has quit IRC22:30
*** ankita_w_ has joined #openstack-keystone22:31
*** ankita_wagh has quit IRC22:34
*** csoukup has quit IRC22:35
*** ngupta has quit IRC22:42
*** alejandrito has joined #openstack-keystone22:46
*** jasonsb has quit IRC22:49
*** mylu has quit IRC22:53
*** mylu has joined #openstack-keystone22:54
*** mylu has quit IRC22:58
*** Guest57068 has quit IRC23:00
lhchenggyee: cool. we can check with stevemar too when he's around.23:04
*** woodster_ has quit IRC23:09
*** abhirc has quit IRC23:12
*** shaleh has quit IRC23:17
*** abhirc has joined #openstack-keystone23:24
*** lhcheng has quit IRC23:25
*** ankita_w_ has quit IRC23:27
*** lhcheng has joined #openstack-keystone23:31
*** ChanServ sets mode: +v lhcheng23:31
*** claudiub has quit IRC23:31
*** lhcheng has quit IRC23:31
*** lhcheng has joined #openstack-keystone23:32
*** ChanServ sets mode: +v lhcheng23:32
*** ankita_wagh has joined #openstack-keystone23:34
*** mpmsimo has joined #openstack-keystone23:36
*** mylu has joined #openstack-keystone23:36
*** tsymanczyk has joined #openstack-keystone23:40
*** tsymanczyk is now known as Guest3923323:41
*** geoffarnold has quit IRC23:59
