Tuesday, 2015-11-17

« Monday, 2015-11-16 Index Wednesday, 2015-11-18 »
jamielennoxPUT /projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited is an ugly url00:00
*** hrou has joined #openstack-keystone00:04
*** mylu has joined #openstack-keystone00:05
openstackgerritBrant Knudson proposed openstack/keystoneauth: Switch saml2 from lxml to built-in xml  https://review.openstack.org/24251200:08
*** tqtran is now known as tqtran-afk00:10
*** lhcheng_ has joined #openstack-keystone00:13
*** lhcheng has quit IRC00:14
*** lars1 has quit IRC00:15
roxanaghestevemar_, lhcheng for WebSSO using oidc - I have the situation where only one user can login at once. Is there a special config for auth_openidc apache module to allow multiple user sessions?00:17
roxanaghestevemar_, lhcheng it seems strange to me that only one user can login, but all the other attempts get a 401. have you seen that before?00:18
*** EinstCrazy has quit IRC00:19
openstackgerritSean Perry proposed openstack/keystone: Use unit.new_user_ref consistently  https://review.openstack.org/24387700:20
*** lars1 has joined #openstack-keystone00:29
*** agireud has quit IRC00:37
*** gildub_ has quit IRC00:38
*** jerrygb has quit IRC00:40
*** jerrygb has joined #openstack-keystone00:42
*** jerrygb has quit IRC00:42
openstackgerritSteve Martinelli proposed openstack/keystone: Add testcases to check cache invalidation in endpoint filter extension  https://review.openstack.org/24563300:48
jamielennoxlbragstad: https://review.openstack.org/#/c/245629/ <-- the common policy spec00:48
stevemar_roxanaghe: that's interesting...00:50
stevemar_can you paste details about the mapping you used, and any log output?00:50
stevemar_i think lhcheng_ and i had a setup where we both logged in at once00:50
stevemar_bknudson_: regarding https://review.openstack.org/#/c/245633/ - should we wait until we are calling the driver and not making REST calls?00:52
bknudson_stevemar_: I don't think we should wait.00:52
bknudson_that's going to be a pretty major overhaul00:53
stevemar_bknudson_: cool, i'll +A then, it looked fine otherwise00:53
stevemar_bknudson_: while i have you around... https://review.openstack.org/#/c/245549/ (backport)00:54
stevemar_bknudson_: i was gonna start making the liberty release notes with reno00:55
stevemar_looks like it's one release note per BP00:55
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Update middlewarearchitecture for paste config  https://review.openstack.org/23821700:55
stevemar_nice patch ^00:56
bknudson_we already wrote liberty release notes00:57
*** aginwala has joined #openstack-keystone00:57
roxanaghestevemar_ http://paste.openstack.org/show/479073/01:00
roxanaghestevemar_ I need to take off, I will bug you and lhcheng tomorrow again if I can't figure it out01:01
lhcheng_roxanaghe: I think that is expected.. horizon only supports one user per browser session01:03
shalehlhcheng_, but it failed from multiple hosts01:04
*** EinstCrazy has joined #openstack-keystone01:04
shalehlhcheng_, I did not get a chance to dig into roxanaghe's config though01:04
lhcheng_shaleh: hmm probably horizon is not configured to share user session between hosts.01:04
roxanagheyes, multiple hosts and trying with different users01:04
shalehlhcheng_, that was my suspicion as well01:05
roxanagheis that a config option in horizon?01:05
roxanaghelhcheng_ ^^01:05
lhcheng_roxanaghe: http://docs.openstack.org/developer/horizon/topics/deployment.html#database01:06
lhcheng_either memcache or database should work01:06
roxanaghelhcheng ok thx will try it tomorrow :)01:08
stevemar_lhcheng_: oh that's weird01:08
roxanagheI am a little bit surprised such a capability is not enabled by default01:09
lhcheng_the default config is more developer friendly rather than production friendly :P01:10
lhcheng_roxanaghe: sure, good luck01:10
jamielennoxlhcheng_, stevemar_: https://bugs.launchpad.net/keystoneauth/+bug/151684001:17
openstackLaunchpad bug 1516840 in keystoneauth "Cookies persists between all calls through a session" [Undecided,New]01:17
jamielennoxi made it public security as i don't think there is any problem yet01:18
jamielennoxlhcheng_: does it affect horizon if i just remove all cookie handling01:18
jamielennox?01:18
*** aginwala has quit IRC01:19
*** aginwala has joined #openstack-keystone01:20
lhcheng_jamielennox: horizon does not depend on any cookie value when using the python-clients01:20
jamielennoxlhcheng_: right - i didn't think it would01:20
jamielennoxbecause all the cookies horizon is using are between user/horizon01:21
*** X-Istence is now known as x5801:21
lhcheng_django has it own session and request objects..  horizon should be fine.01:22
lhcheng_I can test out the patch when you have it ready01:22
stevemar_lhcheng_: so by default, horizon can't handle any multiple users being logged in?01:23
lhcheng_stevemar_: it can, but not multiple user on the same browser instance01:23
*** aginwala has quit IRC01:25
lhcheng_jamielennox: sadly, regression on  the python-clients can be catched until it is released, our gate doesn't catch that. :(01:25
lhcheng_can -> **can't01:25
lhcheng_I'll have to manually patch local horizon to consume the new code to test it out.01:26
jamielennoxlhcheng_: yea - i think it will be fine, it's only when you are communicating with the services that you use session01:26
lhcheng_yup01:26
*** mylu has quit IRC01:33
stevemar_bknudson_: not sure why the release notes are going into current release01:33
*** mylu has joined #openstack-keystone01:33
*** ninag has joined #openstack-keystone01:33
*** mylu has quit IRC01:34
*** mylu has joined #openstack-keystone01:34
*** aginwala has joined #openstack-keystone01:36
stevemar_bknudson_: i think it might be a weird thing when it's built in dev env.01:36
bknudson_I sure hope it is.01:36
stevemar_bknudson_: neutron seems to do it fine: https://review.openstack.org/#/c/242223/ and https://review.openstack.org/#/c/243256/01:36
stevemar_and it's here: http://docs.openstack.org/releasenotes/neutron/liberty.html01:37
*** markvoelker has joined #openstack-keystone01:37
*** shaleh has quit IRC01:38
*** ninag has quit IRC01:38
stevemar_bknudson_: i'll put up a patch with the release notes and see what the generated build says01:38
*** roxanaghe has quit IRC01:38
stevemar_lhcheng_: if you have a second, it's already 2x+2 https://review.openstack.org/#/c/244343/01:39
lhcheng_stevemar_: sure, checking..01:41
*** mylu has quit IRC01:44
*** aix has quit IRC01:46
*** yangyapeng has joined #openstack-keystone01:49
openstackgerritayoung proposed openstack/keystone-specs: Implied  Roles  https://review.openstack.org/12570401:53
*** btully has quit IRC01:53
*** richm has quit IRC01:54
*** gyee has quit IRC01:55
*** jmccrory has joined #openstack-keystone02:05
*** fawadkhaliq has joined #openstack-keystone02:05
ayoungjamielennox, got a moment to talk https://review.openstack.org/#/c/245588/  ?02:07
*** alejandrito has joined #openstack-keystone02:08
*** alejandrito has quit IRC02:08
*** alejandrito has joined #openstack-keystone02:08
*** pece has quit IRC02:10
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/24392502:11
*** alejandrito has quit IRC02:21
*** alejandrito has joined #openstack-keystone02:33
jamielennoxayoung: yea i'm here02:35
ayoungjamielennox, OK,  so, the idea is this:02:39
ayoungIf we do federation somehwere, we need some way of getting the post-mapped roles.  This is not just for Nova, but also for the overcloud02:40
*** aginwala has quit IRC02:40
ayoungThe services can configure for Federation, but they don't know the Keystone part.  THat is really the mapping.  So, either we pass the mapping to the remote services, or we marshall the pre-mapped values to Keystone.02:41
*** aginwala has joined #openstack-keystone02:41
ayoungI had been thinking "fetch and cache" of the mapping data for so long, but, since we are doing Fernet, I started thinking along the lines of "how can we keep things down to a single call"02:41
ayoungIt was based on a request from someone in the field, asking about Kerberos in front of services, and it kicked off the whole thought process02:42
ayoungjamielennox, It also would let us standardize how to do "I have REMOTE_USER for Idp=AD, Protocol =kerberos.  Tell me what my User_ID would be.02:43
jamielennoxi'm just not sure if you were going to go to the hassle of doing an externally authenticated cloud like that whether you'd even bother with putting keystone in th emix02:44
*** aginwala has quit IRC02:44
*** tqtran-afk has quit IRC02:44
*** aginwala has joined #openstack-keystone02:44
ayoungjamielennox, Heh, well, I'm all for killing Keystone, but we still need something to serve out the service catalog02:45
*** mylu has joined #openstack-keystone02:45
jamielennoxi'm just not sure you want it02:46
jamielennoxlike ok, tokenless auth02:46
jamielennoxbut do i want my tokenless auth to back via federation?02:46
jamielennoxSSL/kerberos/whatever can be made to provide an ID without too much trouble02:46
ayoungI've long thought that Federation should be the only way to do Auth In Keystone systems.  Expanding it to other services seems to make sense02:47
jamielennoxhmm, doesn't work with the shadow users thing02:47
jamielennoxayoung: right, but you generally want to push out things like your id then02:47
ayoungSo, let the services confirm authN via whatever, but then hand what it gets over to Keystone to do the last mile02:47
jamielennoxlike i'd be fine with just doing the entire of openstack as a per-service saml or oauth or whatever system02:47
jamielennoxbut then you definitely push that data02:47
ayoungjamielennox, is your primary object the amorphous form of the attributes sent to Keystone?02:48
*** aginwala has quit IRC02:48
jamielennoxobjection?02:48
ayoung"I am still good with passing the combination of user_id, project_id/domain_id/trust_id and getting back a token but i'm not a fan of passing the ENV around."  from your review02:49
ayoungyeah, objection02:49
jamielennoxno i was thinking of the service token thing where we were saying you should be able to use service-token, user_id, project_id rather than the user token02:49
*** woodster_ has quit IRC02:49
jamielennoxso at the point of user_id - things that keystone understand02:49
jamielennoxi've gotten over it02:50
jamielennoxi'm not sure i want to pass apache ENV vars through post02:50
*** btully has joined #openstack-keystone02:50
*** aginwala has joined #openstack-keystone02:51
*** agireud has joined #openstack-keystone02:52
ayoungI think it really is the better option.  It lets the service do the crypo-authN, and then asks Keystone :"OK, I know who this Bozo is.  What can he do?"02:53
ayoungits really no different than Kerberos + LDAP02:53
ayoungWIth Keystone playing the role of LDAP.  I think Keystone would play that role in drag....02:54
jamielennoxso i can see that you essentially turn keystone into middleware02:54
ayoungjamielennox, yes.02:55
jamielennoxlike middleware -> sssd does mapping etc -> returns something that makes it look like auth_token02:55
*** btully has quit IRC02:55
ayoungjamielennox, and in doing so, makes Keystone's reach much, much wider02:55
ayoungExactly02:55
jamielennoxwell it makes keysotne mod_auth_identity02:55
ayoungyes it does02:58
jamielennoxlookup_identity02:58
ayoungI am not origianal02:58
jamielennoxi'm just not sure i'd bother putting keystone in that mix02:58
ayoungWell, we already have it in the mix for OpenStack.02:59
*** gildub_ has joined #openstack-keystone03:00
ayoungBut we could do a mod_lookup_identity call to Keystone.03:00
ayoungjamielennox, you really dead set against it?03:00
jamielennoxi don't know if it would work with the shadow user thing, but if you could generate the user_id from apache module that would be fine03:00
jamielennoxayoung: not really, i would need to think through it some more03:01
*** spandhe has quit IRC03:01
jamielennoxit just feels wrong03:01
ayoungthe shadow user would be generated by Keystone and returned after the mapping03:01
jamielennoxlike i get why you need it, but you're exposing the ENV directly to keystone03:01
ayoungNot secrets or keys, just REMOTE_USER and REMOTE_GROUP type values03:02
jamielennoxright, but it means you can't figure out the id from middleware cause there is no relation there03:02
ayoungjamielennox, that is really the crux of the whole thing.  THe same is true from Keystone itself.  Once you map, you need to record that mapping03:04
ayoungIt why I am alittle worried about the shadow user approach.  If we do it wrong, the accounts will not be easily linkable03:05
*** bapalm has quit IRC03:06
*** tellesnobrega is now known as tellesnobrega_af03:06
jamielennoxi'm not sure that's a big problem03:07
*** tjcocozz_ has quit IRC03:07
ayoungjamielennox, let me see if I can find the discussion.  I have it in a hardcover book03:07
ayoungjamielennox, I can't do it justicem, but, the example is: a person comes in to the hospital unconscious.  Who are they?  Do you start a new user record for them?  What happ[ens if you identify them as Joe Snuffy?  SHould you link the observations tyou make to the origianl Joe Snuffy's records?03:10
ayoungand so on...what if you realize it is the wrong Joe Snuffy....which observations go where...03:11
ayoungNow, that is life or death, but we have similar issues with "linking two different auth methods implicitly"03:11
*** EinstCrazy has quit IRC03:11
jamielennoxi got the theory, and if you link there is the user_id change03:11
*** EinstCrazy has joined #openstack-keystone03:12
jamielennoxi don't think i have a real care about the link case though03:12
jamielennoxi'm very happy with make federation user a local user03:12
ayoungI'm not saying it is impossible, just that it is tough to do right.  Not sure if dolphm realizes what he has bitten off there.03:12
*** EinstCra_ has joined #openstack-keystone03:12
ayoungI need the simpler case, where we can force Password, Kerberos, and SAML to all have the same identifier03:12
*** mylu has quit IRC03:15
*** EinstCrazy has quit IRC03:16
*** jasonsb has joined #openstack-keystone03:18
*** jasonsb has quit IRC03:18
*** jasonsb has joined #openstack-keystone03:18
*** haneef has quit IRC03:18
*** albertom has quit IRC03:18
*** arunkant has quit IRC03:18
*** haneef has joined #openstack-keystone03:19
*** arunkant has joined #openstack-keystone03:19
openstackgerritLin Hua Cheng proposed openstack/keystoneauth: Address hacking check H405  https://review.openstack.org/24388903:19
*** mylu has joined #openstack-keystone03:22
*** lhcheng_ has quit IRC03:23
*** albertom has joined #openstack-keystone03:23
ayoungjamielennox, can you not -1 it, then,but leave an actionable comment?  I'd like to get the discussion started, and a -1 effectively says "I don't want this to go forward."03:26
ayoungI'll see if I can get a better set of use cases together03:27
jamielennoxayoung: done03:27
ayoungjamielennox, cool.  This is a Noname or Ortiz Spec anyway...just want to get the discussion started.  I think that the part you brought up (Service user + user ID for internal validations) would need to happen first for this to be viable.  Can't work without tokens without that03:31
*** aginwala has quit IRC03:31
*** aginwala has joined #openstack-keystone03:32
*** aginwala has quit IRC03:36
*** btully has joined #openstack-keystone03:51
* notmorgan has internet again03:53
*** davechen has joined #openstack-keystone03:53
*** davechen1 has joined #openstack-keystone04:02
*** davechen has quit IRC04:05
*** dims has quit IRC04:06
*** mylu has quit IRC04:14
*** alejandrito has quit IRC04:16
*** topol has quit IRC04:17
*** topol has joined #openstack-keystone04:18
*** ChanServ sets mode: +v topol04:18
*** mylu has joined #openstack-keystone04:20
*** lhcheng has joined #openstack-keystone04:23
*** ChanServ sets mode: +v lhcheng04:23
*** davechen1 has left #openstack-keystone04:28
*** spandhe has joined #openstack-keystone04:38
*** woodster_ has joined #openstack-keystone04:40
*** spandhe_ has joined #openstack-keystone04:41
*** spandhe has quit IRC04:42
*** spandhe_ is now known as spandhe04:42
*** dave-mccowan has quit IRC04:45
*** lhcheng has quit IRC04:48
*** Nakato_ has joined #openstack-keystone04:55
*** baffle has joined #openstack-keystone04:55
*** telemons1er has joined #openstack-keystone04:57
*** sshen_ has joined #openstack-keystone04:57
*** hrou has quit IRC04:57
*** _d34dh0r53_ has joined #openstack-keystone04:57
*** ayoung_ has joined #openstack-keystone04:58
*** cburgess_ has joined #openstack-keystone04:59
*** rm_work has quit IRC05:00
*** charz has quit IRC05:00
*** dtroyer_zz has quit IRC05:00
*** ryanpetrello has quit IRC05:00
*** dolphm has quit IRC05:00
*** serverascode has quit IRC05:00
*** flaper87 has quit IRC05:00
*** redrobot has quit IRC05:00
*** cloudnull has quit IRC05:00
*** cburgess has quit IRC05:00
*** baffle_ has quit IRC05:00
*** sshen has quit IRC05:00
*** Ephur has quit IRC05:00
*** ayoung has quit IRC05:00
*** d34dh0r53 has quit IRC05:00
*** Nakato has quit IRC05:00
*** jamielennox has quit IRC05:00
*** mgagne has quit IRC05:00
*** wasmum has quit IRC05:00
*** hideme_ has quit IRC05:00
*** afazekas has quit IRC05:00
*** nonameentername has quit IRC05:00
*** david8hu has quit IRC05:00
*** notmyname has quit IRC05:00
*** telemonster has quit IRC05:00
*** stevemar_ has quit IRC05:00
*** david8hu has joined #openstack-keystone05:00
*** rm_work has joined #openstack-keystone05:00
*** wasmum- has joined #openstack-keystone05:00
*** mgagne has joined #openstack-keystone05:00
*** dolphm has joined #openstack-keystone05:01
*** ryanpetrello has joined #openstack-keystone05:01
*** flaper87 has joined #openstack-keystone05:01
*** dtroyer has joined #openstack-keystone05:01
*** jamielennox has joined #openstack-keystone05:01
*** ChanServ sets mode: +v jamielennox05:01
*** redrobot has joined #openstack-keystone05:01
*** jerrygb has joined #openstack-keystone05:01
*** redrobot is now known as Guest2617705:01
*** nonameentername has joined #openstack-keystone05:02
*** afazekas has joined #openstack-keystone05:02
*** Guest86181 has joined #openstack-keystone05:02
*** hideme has joined #openstack-keystone05:02
*** bill_az has quit IRC05:02
*** notmyname has joined #openstack-keystone05:03
*** charz has joined #openstack-keystone05:03
*** jamielennox is now known as jamielennox|away05:06
*** serverascode has joined #openstack-keystone05:06
*** Guest86181 is now known as cloudkiller05:08
*** topol_ has joined #openstack-keystone05:16
*** ChanServ sets mode: +v topol_05:16
*** mylu has quit IRC05:17
*** annasort_ has joined #openstack-keystone05:17
*** zqfan_AFK_ has joined #openstack-keystone05:18
*** lhcheng has joined #openstack-keystone05:22
*** ChanServ sets mode: +v lhcheng05:22
*** sirushti_ has joined #openstack-keystone05:24
*** electrichead has joined #openstack-keystone05:24
openstackgerritSachi King proposed openstack/keystone: Add -constraints for CI jobs  https://review.openstack.org/23828905:24
*** Guest26177 has quit IRC05:25
*** topol has quit IRC05:25
*** arunkant has quit IRC05:25
*** lars1 has quit IRC05:25
*** samueldmq has quit IRC05:25
*** annasort has quit IRC05:25
*** DuncanT has quit IRC05:25
*** andrewbogott has quit IRC05:25
*** zqfan_AFK has quit IRC05:25
*** sirushti has quit IRC05:25
*** sirushti_ is now known as sirushti05:25
*** zqfan_AFK_ is now known as zqfan_AFK05:25
*** DuncanT has joined #openstack-keystone05:26
*** samueldmq has joined #openstack-keystone05:27
*** lars1 has joined #openstack-keystone05:27
*** bill_az has joined #openstack-keystone05:28
*** arunkant has joined #openstack-keystone05:29
*** andrewbogott has joined #openstack-keystone05:29
*** aj_ has joined #openstack-keystone05:33
*** gus has quit IRC05:33
*** gus has joined #openstack-keystone05:34
*** ajaya has joined #openstack-keystone05:34
*** aj_ has quit IRC05:36
*** jerrygb has quit IRC05:38
*** jmccrory has quit IRC05:48
*** jaosorior has joined #openstack-keystone05:50
*** jmccrory has joined #openstack-keystone05:51
*** mylu has joined #openstack-keystone05:54
*** lhcheng has quit IRC05:54
*** aswadr has joined #openstack-keystone05:54
*** lhcheng has joined #openstack-keystone05:55
*** ChanServ sets mode: +v lhcheng05:55
*** mylu has quit IRC05:55
*** mylu has joined #openstack-keystone05:56
*** yangyapeng has quit IRC05:59
*** NM has joined #openstack-keystone06:01
*** topol_ has quit IRC06:05
openstackgerritMerged openstack/keystone: Use new_service_ref instead of manually created dict  https://review.openstack.org/24449906:05
*** topol has joined #openstack-keystone06:05
*** ChanServ sets mode: +v topol06:05
*** topol_ has joined #openstack-keystone06:06
*** ChanServ sets mode: +v topol_06:06
*** ajaya has quit IRC06:08
*** topol has quit IRC06:10
*** topol_ has quit IRC06:11
*** sirushti has quit IRC06:11
*** sirushti has joined #openstack-keystone06:11
openstackgerritMerged openstack/keystone: Make K2K Mapping Attribute Examples more visible  https://review.openstack.org/24263906:11
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/24619706:15
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/24619706:18
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/24619706:19
*** ajaya has joined #openstack-keystone06:22
*** rcernin has joined #openstack-keystone06:22
*** aginwala has joined #openstack-keystone06:24
*** zqfan_AFK is now known as zqfan06:26
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Zanata  https://review.openstack.org/24620606:29
*** aginwala_ has joined #openstack-keystone06:30
*** aginwala has quit IRC06:32
*** spandhe has quit IRC06:33
*** aginwala_ has quit IRC06:35
*** aginwala has joined #openstack-keystone06:36
*** jerrygb has joined #openstack-keystone06:39
*** jerrygb has quit IRC06:45
*** bill_az has quit IRC06:47
*** woodster_ has quit IRC06:49
*** sileht has joined #openstack-keystone06:50
*** josecastroleon has joined #openstack-keystone06:50
*** aswadr has quit IRC06:55
*** gildub_ has quit IRC07:00
*** dhellmann has quit IRC07:01
*** urulama has quit IRC07:01
*** urulama has joined #openstack-keystone07:01
*** mylu has quit IRC07:02
*** dhellmann has joined #openstack-keystone07:02
*** mylu has joined #openstack-keystone07:03
*** jasonsb has quit IRC07:04
*** mylu has quit IRC07:07
*** jaosorior has quit IRC07:10
*** jaosorior has joined #openstack-keystone07:10
*** jaosorior has quit IRC07:13
*** jaosorior has joined #openstack-keystone07:14
*** btully has quit IRC07:30
*** jasonsb has joined #openstack-keystone07:35
*** jasonsb has quit IRC07:40
*** aginwala has quit IRC07:45
*** aginwala has joined #openstack-keystone07:49
*** henrynash has joined #openstack-keystone07:56
*** ChanServ sets mode: +v henrynash07:56
*** swebb has quit IRC08:06
*** ninag has joined #openstack-keystone08:08
*** ninag has quit IRC08:14
openstackgerritMerged openstack/keystone: Document release notes process  https://review.openstack.org/24434308:20
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/24619708:23
*** pnavarro has joined #openstack-keystone08:40
*** jerrygb has joined #openstack-keystone08:40
openstackgerritMerged openstack/keystone: Add S3 signature v4 checking  https://review.openstack.org/21548108:45
*** jerrygb has quit IRC08:46
openstackgerritChangBo Guo(gcb) proposed openstack/oslo.policy: Remove Python 2.6 classifier  https://review.openstack.org/24625908:49
*** lhcheng has quit IRC09:00
*** exploreshaifali has joined #openstack-keystone09:02
*** xek has joined #openstack-keystone09:03
openstackgerritChangBo Guo(gcb) proposed openstack/pycadf: Remove Python 2.6 classifier  https://review.openstack.org/24626509:06
*** btully has joined #openstack-keystone09:06
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/24619709:16
openstackgerrithenry-nash proposed openstack/keystone-specs: Domain Specific Roles  https://review.openstack.org/22666109:17
*** ekarlso has quit IRC09:22
openstackgerrithenry-nash proposed openstack/keystone-specs: Domain Specific Roles  https://review.openstack.org/22666109:24
*** bdossant has joined #openstack-keystone09:28
*** openstackgerrit has quit IRC09:31
*** openstackgerrit has joined #openstack-keystone09:32
*** gb21_ has quit IRC09:33
*** aginwala has quit IRC09:34
*** ajaya has quit IRC09:36
*** ekarlso has joined #openstack-keystone09:37
*** ekarlso has quit IRC09:38
*** ekarlso has joined #openstack-keystone09:38
*** exploreshaifali has quit IRC09:47
*** e0ne has joined #openstack-keystone09:48
*** ajaya has joined #openstack-keystone09:49
*** belmoreira has joined #openstack-keystone09:52
*** ekarlso has quit IRC09:57
*** tobasco has joined #openstack-keystone09:57
tobascohitting the error in keystone/middleware/core.py on line 310 when running "openstack user list" what does it mean?09:58
tobascoi just upgraded from kilo to liberty btw09:58
*** markvoelker has quit IRC10:05
*** e0ne has quit IRC10:07
*** daemontool has joined #openstack-keystone10:12
*** daemontool has quit IRC10:14
*** daemontool has joined #openstack-keystone10:15
*** EinstCra_ has quit IRC10:18
*** exploreshaifali has joined #openstack-keystone10:27
*** openstackgerrit has quit IRC10:31
*** openstackgerrit has joined #openstack-keystone10:32
*** ekarlso has joined #openstack-keystone10:36
*** pnavarro has quit IRC10:37
*** ekarlso has quit IRC10:39
*** btully has quit IRC10:40
*** jerrygb has joined #openstack-keystone10:43
*** jerrygb has quit IRC10:47
*** lhcheng has joined #openstack-keystone10:48
*** ChanServ sets mode: +v lhcheng10:48
*** topol has joined #openstack-keystone10:53
*** ChanServ sets mode: +v topol10:53
*** lhcheng has quit IRC10:54
*** e0ne has joined #openstack-keystone10:57
*** topol has quit IRC10:57
openstackgerritMerged openstack/keystone: Updated from global requirements  https://review.openstack.org/24609310:58
*** tyagiprince has joined #openstack-keystone10:59
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/24619711:03
*** markvoelker has joined #openstack-keystone11:06
*** dims has joined #openstack-keystone11:08
*** henrynash has quit IRC11:09
*** daemontool has quit IRC11:11
*** markvoelker has quit IRC11:11
*** daemontool has joined #openstack-keystone11:11
*** gildub_ has joined #openstack-keystone11:16
*** tellesnobrega_af is now known as tellesnobrega11:21
*** daemontool has quit IRC11:23
*** gildub_ has quit IRC11:23
*** EinstCrazy has joined #openstack-keystone11:23
*** daemontool has joined #openstack-keystone11:24
*** daemontool has quit IRC11:25
*** daemontool has joined #openstack-keystone11:26
*** flaper87 has quit IRC11:27
*** flaper87 has joined #openstack-keystone11:27
*** josecastroleon has quit IRC11:36
*** tyagiprince has quit IRC11:39
*** tyagiprince has joined #openstack-keystone11:40
samueldmqmorning keystoners11:42
*** Guest72509 is now known as amakarov11:43
*** NM has quit IRC11:47
*** tellesnobrega has quit IRC12:01
*** tellesnobrega has joined #openstack-keystone12:02
*** stevemar_ has joined #openstack-keystone12:06
*** ChanServ sets mode: +o stevemar_12:06
*** josecastroleon has joined #openstack-keystone12:07
*** links has joined #openstack-keystone12:12
*** links has quit IRC12:12
*** ajaya has quit IRC12:17
*** henrynash has joined #openstack-keystone12:22
*** ChanServ sets mode: +v henrynash12:22
*** fawadkhaliq has quit IRC12:26
*** fawadkhaliq has joined #openstack-keystone12:27
*** NM has joined #openstack-keystone12:28
openstackgerrithenry-nash proposed openstack/keystone-specs: Domain Specific Roles  https://review.openstack.org/22666112:29
*** fawadkhaliq has quit IRC12:31
*** jerrygb has joined #openstack-keystone12:31
openstackgerritMerged openstack/oslo.policy: Remove python 2.6 and cleanup tox.ini  https://review.openstack.org/24548212:37
*** markvoelker has joined #openstack-keystone12:37
*** lhcheng has joined #openstack-keystone12:37
*** ChanServ sets mode: +v lhcheng12:37
*** markvoelker has quit IRC12:42
*** lhcheng has quit IRC12:42
*** alejandrito has joined #openstack-keystone12:42
openstackgerritMerged openstack/oslo.policy: Remove Python 2.6 classifier  https://review.openstack.org/24625912:45
*** pauloewerton has joined #openstack-keystone12:46
openstackgerrithenry-nash proposed openstack/keystone-specs: Enable retrieval of default values of domain config options  https://review.openstack.org/18565012:50
*** exploreshaifali has quit IRC12:59
*** tyagiprince has quit IRC12:59
*** tyagiprince has joined #openstack-keystone12:59
*** ayoung_ has quit IRC13:01
*** doug-fish has joined #openstack-keystone13:02
*** lhcheng has joined #openstack-keystone13:02
*** ChanServ sets mode: +v lhcheng13:02
openstackgerritJulien Danjou proposed openstack/keystone: wsgi: fix base_url finding  https://review.openstack.org/22646413:05
*** lhcheng has quit IRC13:07
*** pnavarro has joined #openstack-keystone13:08
*** csoukup has joined #openstack-keystone13:11
*** dave-mccowan has joined #openstack-keystone13:12
*** gordc has joined #openstack-keystone13:16
*** ff has joined #openstack-keystone13:17
*** ff has quit IRC13:18
*** cloudkiller is now known as cloudnull13:26
*** topol has joined #openstack-keystone13:27
*** ChanServ sets mode: +v topol13:27
*** markvoelker has joined #openstack-keystone13:27
*** raildo-afk is now known as raildo13:28
*** peter-hamilton has joined #openstack-keystone13:29
*** ninag has joined #openstack-keystone13:29
*** csoukup has quit IRC13:31
*** jdennis has quit IRC13:40
*** jdennis has joined #openstack-keystone13:40
*** diegows has joined #openstack-keystone13:49
*** bill_az has joined #openstack-keystone13:52
openstackgerrithenry-nash proposed openstack/keystone-specs: Domain Specific Roles  https://review.openstack.org/22666114:00
*** ekarlso has joined #openstack-keystone14:01
*** mylu has joined #openstack-keystone14:03
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Improve Development Environment Docs  https://review.openstack.org/24640014:04
*** tjcocozz has joined #openstack-keystone14:05
*** richm has joined #openstack-keystone14:05
samueldmqdstanek: bknudson_ this is a first attemp to improve that documentation14:05
samueldmq^^14:06
samueldmqI'd appreciate your feedbacks on that14:06
dstaneksamueldmq: nice, i'll take a look in a bit14:06
samueldmqhenrynash: you too if you have some time :) ^14:06
samueldmqdstanek: nice, thanks!14:07
*** mylu has quit IRC14:08
henrynashsamueldmq: sure14:12
*** thiagop has joined #openstack-keystone14:12
henrynashdstanek: oh, and while youā€™re in review mode, could I ask that you take a look at: https://review.openstack.org/#/c/242853/14 since Iā€™d like to get your view of how Iā€™m creating a new versioned drive14:13
*** tjcocozz has quit IRC14:15
*** tjcocozz has joined #openstack-keystone14:15
*** swebb has joined #openstack-keystone14:19
*** richm has quit IRC14:21
*** tjcocozz has quit IRC14:23
*** tjcocozz has joined #openstack-keystone14:24
dstanekhenrynash: will do14:25
henrynashdtsanek: thx14:26
*** tyagiprince has quit IRC14:26
*** tjcocozz has quit IRC14:26
*** tjcocozz has joined #openstack-keystone14:27
*** tjcocozz has quit IRC14:27
*** tjcocozz has joined #openstack-keystone14:29
*** ayoung_ has joined #openstack-keystone14:33
*** hrou has joined #openstack-keystone14:33
*** breitz has quit IRC14:36
*** breitz has joined #openstack-keystone14:36
*** ekarlso has quit IRC14:40
*** henrynash has quit IRC14:41
*** doug-fish has quit IRC14:42
openstackgerritMerged openstack/keystone: Imported Translations from Zanata  https://review.openstack.org/24620614:47
*** fawadkhaliq has joined #openstack-keystone14:48
*** ajaya has joined #openstack-keystone14:50
*** doug-fish has joined #openstack-keystone14:54
*** doug-fish has quit IRC14:57
*** richm has joined #openstack-keystone14:58
*** slberger has joined #openstack-keystone14:58
*** doug-fish has joined #openstack-keystone14:59
*** doug-fish has quit IRC14:59
*** doug-fish has joined #openstack-keystone15:00
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/24619715:00
*** doug-fish has quit IRC15:01
openstackgerritMerged openstack/keystone: Exclude old Shibboleth options from docs  https://review.openstack.org/24186315:07
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/24619715:09
*** jaosorior has quit IRC15:10
*** jaosorior has joined #openstack-keystone15:11
*** pumaranikar has joined #openstack-keystone15:15
*** Guest80875 is now known as mfisch15:16
*** mfisch is now known as Guest2059415:17
*** akanksha_ has joined #openstack-keystone15:17
*** btully has joined #openstack-keystone15:17
*** Guest20594 is now known as mfisch15:18
*** mfisch has quit IRC15:18
*** mfisch has joined #openstack-keystone15:18
*** doug-fish has joined #openstack-keystone15:21
*** adelia has joined #openstack-keystone15:21
*** urulama has quit IRC15:23
*** urulama has joined #openstack-keystone15:23
openstackgerritayoung proposed openstack/keystone-specs: Implied  Roles  https://review.openstack.org/12570415:24
*** davechen has joined #openstack-keystone15:24
*** davechen has quit IRC15:26
*** tonytan4ever has joined #openstack-keystone15:28
*** doug-fish has quit IRC15:29
*** doug-fish has joined #openstack-keystone15:30
*** davechen has joined #openstack-keystone15:30
*** doug-fis_ has joined #openstack-keystone15:31
*** davechen has quit IRC15:31
*** timcline has joined #openstack-keystone15:32
*** doug-fi__ has joined #openstack-keystone15:33
*** doug-fi__ has quit IRC15:33
*** doug-fi__ has joined #openstack-keystone15:34
*** doug-fish has quit IRC15:34
*** daemontool has quit IRC15:34
*** tjcocozz has quit IRC15:35
*** doug-fis_ has quit IRC15:36
*** tjcocozz has joined #openstack-keystone15:40
*** bill_az has quit IRC15:44
*** henrynash has joined #openstack-keystone15:45
*** ChanServ sets mode: +v henrynash15:45
*** opilotte has joined #openstack-keystone15:47
*** aj1 has joined #openstack-keystone15:47
*** diegows has quit IRC15:51
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Improve Development Environment Docs  https://review.openstack.org/24640015:56
*** daemontool has joined #openstack-keystone15:57
samueldmqmordred: thanks for your comments there ! just submitted another patch ^15:57
*** EinstCrazy has quit IRC15:57
aj1Hi guys. Can I take this patch up? https://review.openstack.org/#/c/12743315:57
samueldmqmordred: hopefully that doc looks better now :)15:58
aj1It seems that no one is working on this patch anymore. It needs addressing of bknudson's comments.15:58
mordredwhat did I do?15:59
*** daemontool has quit IRC15:59
mordredsamueldmq: neat!15:59
*** daemontool has joined #openstack-keystone15:59
*** davechen has joined #openstack-keystone16:03
*** diegows has joined #openstack-keystone16:04
*** rcernin has quit IRC16:04
*** diegows has quit IRC16:04
*** aj1 has quit IRC16:07
*** belmoreira has quit IRC16:13
lbragstaddolphm spec related to a discussion we had at the summit - https://review.openstack.org/#/c/244694/16:15
*** ajaya has quit IRC16:17
lbragstaddstanek ayoung_ samueldmq have I addressed your comments here - https://review.openstack.org/#/c/215715/ ?16:21
*** _d34dh0r53_ is now known as d34dh0r5316:22
ayoung_lbragstad, I +2ed that already.  So ..... sure!16:23
*** zqfan has quit IRC16:26
lbragstadayoung_ thanks!16:27
*** ayoung_ is now known as ayoung16:29
Anticimexwho owns the "auth_plugin" that neutron requires, on my nova-api node's nova.conf's [neutron] section? (kilo)16:32
Anticimex5 min into googlign and finding nothing of value in terms of reference docs or even examples :]16:32
Anticimexah.. python-keystoneclient?16:33
samueldmqlbragstad: I will take another look on that16:33
*** josecastroleon has quit IRC16:33
samueldmqlbragstad: still today, thanks for updating16:33
lbragstadsamueldmq ok16:34
*** gokrokve has joined #openstack-keystone16:35
*** jbell8 has joined #openstack-keystone16:40
*** e0ne has quit IRC16:41
*** browne has joined #openstack-keystone16:42
davechenstevemar_: Got a chance to see your book, I am wondering why I cannot find the price anywhere from the book. :)16:42
*** jasonsb has joined #openstack-keystone16:43
*** doug-fi__ is now known as doug-fish16:43
openstackgerritMerged openstack/pycadf: Remove python 2.6 and cleanup tox.ini  https://review.openstack.org/24549216:45
*** jaosorior has quit IRC16:46
*** jbell8 has quit IRC16:46
*** jaosorior has joined #openstack-keystone16:47
*** jasonsb has quit IRC16:48
*** e0ne has joined #openstack-keystone16:53
*** gyee has joined #openstack-keystone16:55
*** ChanServ sets mode: +v gyee16:55
*** jbell8 has joined #openstack-keystone16:56
*** topol has quit IRC17:03
*** topol has joined #openstack-keystone17:03
*** ChanServ sets mode: +v topol17:03
*** daemontool has quit IRC17:04
*** ayoung has quit IRC17:04
*** daemontool has joined #openstack-keystone17:04
Anticimexbest doc found this far is http://superuser.openstack.org/articles/how-to-use-keystoneclient-sessions-150b5992-f17e-4ece-9008-1e4eac068fd217:08
Anticimexit's a bit confusing why nova should have hardcoded passwords, i obviously want the neutron api calls nova executes on behalf of a user to be guided by the endusers authz17:10
Anticimexincluding project and domain, since that will vary17:10
Anticimexbut my assumption may be wrong of course, maybe users can have nova do things with network on their behalf w/o having the authz themselves17:11
Anticimexbut then nova needs to be able to create things regardless of what domain the user is in17:13
*** e0ne has quit IRC17:13
*** topol has quit IRC17:13
*** topol has joined #openstack-keystone17:14
*** ChanServ sets mode: +v topol17:14
*** bdossant has quit IRC17:19
*** topol has quit IRC17:19
*** ayoung has joined #openstack-keystone17:20
*** ChanServ sets mode: +v ayoung17:20
*** e0ne has joined #openstack-keystone17:21
*** rcernin has joined #openstack-keystone17:36
openstackgerritMarian Horban proposed openstack/python-keystoneclient: Remove lock object from BaseIdentityPlugin  https://review.openstack.org/24652117:38
*** zqfan has joined #openstack-keystone17:38
*** zqfan is now known as zqfan_AFK17:38
*** petertr7 is now known as petertr7_away17:39
*** tjcocozz has quit IRC17:40
*** jmccrory has quit IRC17:44
*** mylu has joined #openstack-keystone17:45
*** e0ne has quit IRC17:46
*** browne has quit IRC17:47
*** e0ne has joined #openstack-keystone17:49
*** urulama has quit IRC17:50
*** urulama has joined #openstack-keystone17:50
*** mylu has quit IRC17:51
*** lhcheng has joined #openstack-keystone17:52
*** ChanServ sets mode: +v lhcheng17:52
*** mylu has joined #openstack-keystone17:55
*** markvoelker_ has joined #openstack-keystone17:57
*** urulama_ has joined #openstack-keystone17:57
*** jmccrory has joined #openstack-keystone17:58
stevemar_reminder that the keystone meeting time has changed for those of you that observe day light savings17:59
*** baffle has quit IRC17:59
stevemar_as in ... it's starting now17:59
*** richm has quit IRC17:59
*** urulama has quit IRC17:59
*** agireud has quit IRC17:59
stevemar_courtesy ping for ajayaa, amakarov, ayoung, breton, browne, davechen, david8hu, dolphm, dstanek, ericksonsantos, geoffarnold, gyee, henrynash, hogepodge, htruta, jamielennox, joesavak, lbragstad, lhcheng, marekd, morganfainberg, nkinder, raildo, rodrigods, roxanaghe, samueldmq, shaleh, stevemar, tsymanczyk, topol, vivekd, wanghong, claudiub, rderose, samleon, xek17:59
*** markvoelker has quit IRC18:00
*** BAKfr has quit IRC18:00
*** xek has quit IRC18:00
*** shaleh has joined #openstack-keystone18:00
*** baffle has joined #openstack-keystone18:00
*** mylu has quit IRC18:01
*** BAKfr has joined #openstack-keystone18:02
*** xek has joined #openstack-keystone18:03
*** agireud has joined #openstack-keystone18:05
*** richm has joined #openstack-keystone18:09
*** topol has joined #openstack-keystone18:15
*** ChanServ sets mode: +v topol18:15
*** mylu has joined #openstack-keystone18:17
*** tonytan4ever has quit IRC18:19
*** mylu has quit IRC18:20
*** mylu has joined #openstack-keystone18:20
*** mylu has quit IRC18:21
*** mylu has joined #openstack-keystone18:21
*** mylu has quit IRC18:24
*** mylu has joined #openstack-keystone18:25
*** fawadkhaliq has quit IRC18:26
*** mylu has quit IRC18:28
*** mylu has joined #openstack-keystone18:29
*** mylu has quit IRC18:31
*** spandhe has joined #openstack-keystone18:31
*** mylu has joined #openstack-keystone18:32
*** ayoung has quit IRC18:32
*** jaosorior has quit IRC18:34
*** tjcocozz has joined #openstack-keystone18:35
*** aj2 has joined #openstack-keystone18:36
*** tyagiprince has joined #openstack-keystone18:37
*** dims has quit IRC18:37
*** daemontool_ has quit IRC18:37
*** jasonsb has joined #openstack-keystone18:38
openstackgerritAjaya Agrawal proposed openstack/keystone: remove assignments when deleting a domain  https://review.openstack.org/12743318:38
*** gokrokve has quit IRC18:40
*** browne has joined #openstack-keystone18:40
*** dims has joined #openstack-keystone18:40
openstackgerritHenrique Truta proposed openstack/keystone: Manager support for project delete cascade  https://review.openstack.org/24414918:40
openstackgerritHenrique Truta proposed openstack/keystone: Add backend support for deleting a projects list  https://review.openstack.org/24591618:40
*** tonytan4ever has joined #openstack-keystone18:41
*** mylu has quit IRC18:41
*** petertr7_away is now known as petertr718:41
*** mylu has joined #openstack-keystone18:41
*** e0ne has quit IRC18:43
*** pnavarro has quit IRC18:43
*** daemontool has quit IRC18:44
*** tqtran-afk has joined #openstack-keystone18:44
*** ayoung has joined #openstack-keystone18:45
*** ChanServ sets mode: +v ayoung18:45
*** mylu has quit IRC18:46
*** RichardRaseley has joined #openstack-keystone18:46
openstackgerritMarek Denis proposed openstack/keystone-specs: Make keystone fully fledged SAML2 Service Provider  https://review.openstack.org/24469418:46
*** boris-42 has quit IRC18:48
*** EinstCrazy has joined #openstack-keystone18:49
openstackgerritHenrique Truta proposed openstack/keystone: API support for project cascade delete  https://review.openstack.org/24424818:51
*** roxanaghe has joined #openstack-keystone18:52
*** tjcocozz_ has joined #openstack-keystone18:56
*** EinstCrazy has quit IRC18:56
openstackgerritSean Perry proposed openstack/keystone: Use unit.new_user_ref consistently  https://review.openstack.org/24387718:57
*** gokrokve has joined #openstack-keystone18:57
*** tjcocozz has quit IRC18:58
openstackgerrithenry-nash proposed openstack/keystone-specs: Domain Specific Roles  https://review.openstack.org/22666118:59
*** gokrokve has quit IRC19:02
*** aj2 has quit IRC19:03
stevemar_davechen: you're in SAT now? since when?19:03
stevemar_davechen: ah, since this? http://www.siliconhillsnews.com/2015/09/10/rackspace-and-intel-open-the-openstack-innovation-center/ ?19:04
*** diegoadolfo_ has joined #openstack-keystone19:04
samueldmqhave we considered adding microversions support for keystone ?19:06
samueldmqas we do have in nova19:06
*** mylu has joined #openstack-keystone19:06
samueldmqhttp://docs.openstack.org/developer/nova/api_microversions.html19:06
samueldmqstevemar_: henrynash: bknudson_: dstanek cc ^19:06
davechenstevemar_: you are sooooo clever.19:07
*** mylu has quit IRC19:07
shalehsamueldmq, sdague explained how there can be at least 3 round trips to properly determine the current version of the API for nova19:07
* davechen go for lunch19:08
shalehnot sure we want that complexity personally19:08
*** davechen is now known as davechen_afk19:08
*** mylu has joined #openstack-keystone19:08
samueldmqshaleh: maybe I should catch more details on that, but could be simpler in keystone ? since we are a simpler project ?19:09
*** andrewbogott has quit IRC19:09
*** andrewbogott has joined #openstack-keystone19:09
samueldmqshaleh: or you mean the negotiation between server - client before using the api effectively ?19:09
bknudson_I don't think anyone's given a compelling reason for microversions19:09
shalehsamueldmq, yes, that is before the API can be used.19:10
bknudson_I'd rather we implemented JSONHome or swagger better19:10
shalehbknudson_, yeah19:10
bknudson_or HATEOS or whatever you want to call it19:10
shalehHATEOS is a concept. JSONHome and swagger build on it19:11
dstanekbknudson_: ++19:11
samueldmqfor example, for inherited role assignments, we are about to change its beahvior19:11
samueldmqbecause it will now need to apply to the project itself too19:11
dstaneksamueldmq: that's the key. existing things should work the same19:12
samueldmqfor that we will be having a new config option to determine what behavior the API will have19:12
samueldmqif we were doing microersions, that would be a new version of the inherited grants api19:12
*** mylu_ has joined #openstack-keystone19:12
samueldmqand that's all ?19:12
*** mylu has quit IRC19:12
dstanekconfig options that change the API behavior are not great because that makes providers incompatible19:12
shalehsamueldmq, what about the people using client code written before microversions?19:12
samueldmqdstanek: yep, need to cehck with henrynash  ? ^19:14
samueldmqshaleh: we should keep the current api as default for some cycles19:14
samueldmqshaleh: similarly to what we do when deprecating things ?19:14
samueldmqshaleh: so people will have time to update their tooling19:15
samueldmqshaleh: makes sense?19:15
shalehsamueldmq, wouldn't we need to bump the major, then implement micros?19:15
*** gokrokve has joined #openstack-keystone19:15
*** jvarlamova has quit IRC19:15
*** jasonsb has quit IRC19:15
samueldmqshaleh: you mean like creating a v4?19:15
*** pushkaru has joined #openstack-keystone19:16
shalehsamueldmq, either that or it has to work with code ignorant of microversions19:16
samueldmqshaleh: yes, tht goes in the default version19:16
*** pumaranikar has quit IRC19:16
samueldmqshaleh: that would be the present version ? as we current do ?19:17
samueldmqshaleh: we just need to ensure the policies for working with microversions don't affect people that don't know about it, or at least have previous warning for when we will be removing support of things (deprecations)19:17
*** gildub_ has joined #openstack-keystone19:20
*** gokrokve has quit IRC19:20
lbragstadstevemar_ want me to start addressing comments on these? https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:bp/move-extensions,n,z19:20
openstackgerritSean Perry proposed openstack/keystone: Use unit.new_user_ref consistently  https://review.openstack.org/24387719:20
*** mylu_ has quit IRC19:21
stevemar_lbragstad: i was gonna do them now!19:21
stevemar_let me feel useful!19:21
lbragstadstevemar_ :) go for it!19:21
*** mylu has joined #openstack-keystone19:21
shalehsamueldmq, perhaps. I remain unconvinced. More complexity is almost always a bad thing. Many people talk to keystone without using the Python client API. We are placing a burden on all of them.19:22
*** ekarlso has joined #openstack-keystone19:24
samueldmqshaleh: and I am not conviced either way yet19:24
samueldmqshaleh: just would like to catch some opinions and think about it19:24
samueldmqshaleh: perhaps I need to read more, and mull it a bit more too19:24
samueldmq:)19:24
shalehsamueldmq, I am of a similar mind.19:25
*** urulama_ has quit IRC19:25
*** mylu has quit IRC19:25
samueldmqshaleh: ++19:26
*** petertr7 is now known as petertr7_away19:27
*** e0ne has joined #openstack-keystone19:27
shalehit would be nice if gerrit had a way to show patchset N _AND_ its comments instead of needing to click click click each file.19:28
stevemar_lbragstad: like 3 changes for 15 comments :P19:29
*** mylu has joined #openstack-keystone19:30
*** davechen_afk is now known as davechen19:30
*** electrichead is now known as redrobot19:31
*** redrobot is now known as Guest9740419:31
stevemar_lbragstad: bknudson_ marekd i'll make release notes for all the extension moving at the end of the patch chain19:32
*** Guest97404 is now known as redrobot19:32
*** tyagiprince has quit IRC19:33
openstackgerritSteve Martinelli proposed openstack/keystone: Move federation extension into keystone core  https://review.openstack.org/21477519:33
davechenstevemar_: start it again :)19:33
*** petertr7_away is now known as petertr719:33
*** josecastroleon has joined #openstack-keystone19:34
*** mylu has quit IRC19:34
*** josecastroleon has quit IRC19:38
openstackgerritSteve Martinelli proposed openstack/keystone: Move federation sql migrations to common  https://review.openstack.org/23453719:39
stevemar_lbragstad: ^19:39
openstackgerritSteve Martinelli proposed openstack/keystone: Move oauth1 extension into core  https://review.openstack.org/23459819:41
*** aginwala has joined #openstack-keystone19:43
openstackgerritSteve Martinelli proposed openstack/keystone: Move oauth1 sql migrations to common  https://review.openstack.org/23512119:44
*** jamielennox|away is now known as jamielennox19:45
*** exploreshaifali has joined #openstack-keystone19:47
openstackgerritSteve Martinelli proposed openstack/keystone: Move revoke extension into core  https://review.openstack.org/23570419:49
*** mylu has joined #openstack-keystone19:49
*** e0ne has quit IRC19:50
openstackgerritSteve Martinelli proposed openstack/keystone: Move revoke sql migrations to common  https://review.openstack.org/23571219:50
openstackgerritSteve Martinelli proposed openstack/keystone: Move revoke sql migrations to common  https://review.openstack.org/23571219:50
bknudson_stevemar_: mind if I just update the liberty release notes with the `` for formatting?19:51
*** jamielennox is now known as jamielennox|away19:52
*** mylu has quit IRC19:53
stevemar_bknudson_: sure go ahead19:53
stevemar_i swear i tried that last night and it didn't work for me19:53
stevemar_* definitely doesn't work19:54
stevemar_for Boldness19:54
stevemar_i'm rebasing a bunch of things, so if you update the patch, i'd appreciate it19:54
*** doug-fis_ has joined #openstack-keystone19:57
*** aginwala has quit IRC20:00
*** doug-fish has quit IRC20:00
*** doug-fis_ has quit IRC20:01
*** adelia_ has joined #openstack-keystone20:01
*** doug-fish has joined #openstack-keystone20:01
*** adelia has quit IRC20:05
openstackgerritSean Perry proposed openstack/keystone: Use unit.new_project_ref consistently  https://review.openstack.org/24452320:05
*** davechen has quit IRC20:07
*** davechen has joined #openstack-keystone20:08
*** jamielennox|away is now known as jamielennox20:09
*** aginwala has joined #openstack-keystone20:10
*** shaleh is now known as shaleh|AFK20:10
*** doug-fish has quit IRC20:12
*** doug-fish has joined #openstack-keystone20:12
openstackgerritSteve Martinelli proposed openstack/keystone: Move revoke extension into core  https://review.openstack.org/23570420:16
openstackgerritSteve Martinelli proposed openstack/keystone: Move revoke sql migrations to common  https://review.openstack.org/23571220:16
stevemar_lbragstad: we should be good! ^20:16
stevemar_marekd: bknudson_ ^ i think i caught everything, at least for federation/oauth/revoke20:17
marekdstevemar_: thaks, let me check it out tomorrow!20:18
stevemar_marekd: cool!20:18
stevemar_bknudson_: how did you decide to use > in the notes?20:18
bknudson_stevemar_: I put that there when the build failed20:18
stevemar_bknudson_: then magic?20:19
bknudson_stevemar_: y, I just tried random stuff and this worked.20:19
bknudson_http://www.yaml.org/spec/1.2/spec.html#id276084420:19
*** mylu has joined #openstack-keystone20:20
bknudson_you use ** for bold, * is emphasis20:20
*** tqtran-afk is now known as tqtran20:21
stevemar_ah20:22
*** petertr7 is now known as petertr7_away20:26
*** aginwala has quit IRC20:26
*** doug-fish has quit IRC20:27
*** doug-fish has joined #openstack-keystone20:28
*** petertr7_away is now known as petertr720:30
*** ayoung has quit IRC20:33
*** jasonsb has joined #openstack-keystone20:37
*** xek has quit IRC20:38
*** peter-hamilton has quit IRC20:41
*** doug-fish has quit IRC20:41
*** pnavarro has joined #openstack-keystone20:41
*** doug-fish has joined #openstack-keystone20:42
*** davechen has left #openstack-keystone20:44
*** e0ne has joined #openstack-keystone20:44
*** doug-fish has quit IRC20:46
*** e0ne has quit IRC20:47
*** tonytan4ever has quit IRC20:50
*** shaleh|AFK is now known as shaleh20:52
*** pauloewerton has quit IRC20:58
*** dims_ has joined #openstack-keystone21:00
*** aginwala has joined #openstack-keystone21:02
*** dims has quit IRC21:02
*** adelia_ has quit IRC21:04
*** thiagop has quit IRC21:04
*** adelia has joined #openstack-keystone21:05
lhchengstevemar_: do we have a deadline set for the bp proposal?21:05
lhchenglike do we need to get bp approved by M-1 to get the code into M release..21:05
lhchengbp/specs21:05
*** doug-fish has joined #openstack-keystone21:06
*** pnavarro has quit IRC21:06
*** mylu has quit IRC21:06
*** mylu has joined #openstack-keystone21:06
*** mylu_ has joined #openstack-keystone21:09
*** mylu has quit IRC21:09
stevemar_lhcheng: i'll be sending out that info soon21:10
stevemar_we're still a few weeks away i think21:10
stevemar_we used to do: BP/Spec in by M1, and code by M2,21:11
stevemar_but i wonder how effective that was given the 'ask for exception'21:11
*** NM has quit IRC21:12
dolphmstevemar_: poke21:16
stevemar_dolphm: poke back21:16
lhchenghmm I think that's fine, it discourages people from doing everything at milestone 3. :P21:16
lhchengit would be chaos21:16
*** Nakato_ is now known as Nakato21:16
*** mylu_ has quit IRC21:20
*** mylu has joined #openstack-keystone21:21
henrynashdstanek, samueldmq: for new inheritance rules, we are not using a config to change behaviour - it is a new APIā€¦.assignments made with the old (extension) APi will work the old way, assignments made using the new (core) API will work with new way...21:22
*** mylu has quit IRC21:23
*** mylu has joined #openstack-keystone21:24
*** mylu has quit IRC21:24
*** mylu has joined #openstack-keystone21:24
*** aginwala has quit IRC21:29
*** mylu has quit IRC21:33
*** mylu has joined #openstack-keystone21:34
*** mylu has quit IRC21:35
*** mylu has joined #openstack-keystone21:35
*** timcline has quit IRC21:36
*** tonytan4ever has joined #openstack-keystone21:37
*** aginwala has joined #openstack-keystone21:42
*** pushkaru has quit IRC21:42
*** pushkaru has joined #openstack-keystone21:42
openstackgerritSam Leong proposed openstack/python-keystoneclient: Auth plugin for X.509 tokenless authz  https://review.openstack.org/24661521:42
openstackgerritBrant Knudson proposed openstack/keystone: Use [] where a field is required  https://review.openstack.org/24661721:45
openstackgerritBrant Knudson proposed openstack/keystone: Use [] where a field is required  https://review.openstack.org/24661721:48
*** dims_ has quit IRC21:51
shalehwould someone please +A my new_user_ref() review --> https://review.openstack.org/#/c/243877/21:53
*** opilotte has quit IRC21:53
*** dims has joined #openstack-keystone21:57
*** hrou has quit IRC21:59
*** akanksha_ has quit IRC22:10
*** akanksha_ has joined #openstack-keystone22:11
*** tjcocozz_ has quit IRC22:11
*** lhcheng has quit IRC22:14
*** timcline has joined #openstack-keystone22:14
*** timcline has quit IRC22:15
*** timcline has joined #openstack-keystone22:16
*** lhcheng has joined #openstack-keystone22:16
*** ChanServ sets mode: +v lhcheng22:16
*** rcernin has quit IRC22:21
*** petertr7 is now known as petertr7_away22:22
*** ayoung has joined #openstack-keystone22:23
*** ChanServ sets mode: +v ayoung22:23
*** browne has quit IRC22:27
ayounghttps://review.openstack.org/#/c/125704/  gyee marekd care to double down and help me actually get this thing merged?22:29
*** petertr7_away is now known as petertr722:31
shalehayoung: did something happen to the commit message?22:32
ayoungshaleh, on https://review.openstack.org/#/c/125704  ?22:33
shalehayoung: yes22:33
ayoungIts a spec...commit messages there are usually short22:33
shalehit looks clipped or something.22:33
gyeeayoung, looking22:35
*** ninag has quit IRC22:37
*** gordc has quit IRC22:40
*** topol has quit IRC22:41
openstackgerritDan Nguyen proposed openstack/python-keystoneclient: Add include_subtree to role_list_assignments call  https://review.openstack.org/18818422:45
*** mylu has quit IRC22:46
*** mylu has joined #openstack-keystone22:47
*** slberger has left #openstack-keystone22:49
*** aginwala has quit IRC22:49
*** mylu has quit IRC22:52
*** jasonsb_ has joined #openstack-keystone22:53
*** jasonsb has quit IRC22:54
*** aginwala has joined #openstack-keystone22:54
openstackgerritBrant Knudson proposed openstack/keystone: Fix inaccurate debug mode response  https://review.openstack.org/23863622:54
*** mylu has joined #openstack-keystone22:58
openstackgerritSteve Martinelli proposed openstack/keystone: Move revoke extension into core  https://review.openstack.org/23570422:59
openstackgerritSteve Martinelli proposed openstack/keystone: Move revoke sql migrations to common  https://review.openstack.org/23571222:59
*** dims has quit IRC23:00
stevemar_ayoung: don't rush to merge the specs, please23:00
*** dims has joined #openstack-keystone23:01
*** timcline has quit IRC23:01
gyee+1.523:01
stevemar_gyee: help shaleh out https://review.openstack.org/#/c/243877/23:01
samueldmqhenrynash: nice, thnaks for clarifying :)23:02
gyeestevemar_, I can do A+ right?23:02
gyeesince we both from the same organization, that the rule?23:02
stevemar_gyee: for shaleh's patch? sure, why not?23:02
gyeeour paycheck signed by the same employer23:02
stevemar_gyee: yeah, the rule only applies if: author, reviewer and approver are all same org23:02
stevemar_last i checked, i don't work for hpe23:03
gyeestevemar_, alrighty then, thanks for the clarification23:03
*** dims_ has joined #openstack-keystone23:04
*** aginwala_ has joined #openstack-keystone23:05
*** dims has quit IRC23:07
*** aginwala has quit IRC23:08
*** aginwala_ has quit IRC23:09
*** aginwala has joined #openstack-keystone23:09
*** exploreshaifali has quit IRC23:10
*** gokrokve has joined #openstack-keystone23:11
ayoungstevemar_, define rush?23:11
stevemar_ayoung: i'd like at least half the keystone-specs-core at least be *aware* of the patch23:12
ayoungstevemar_, have I ever been accused of undercommunicating?23:12
stevemar_ayoung: nope, but unfortunately, i can't force people to review :(23:13
ayoungstevemar_, implied roles was origianlly submitteed Oct 2, 2014 12:38 PM.  That is not even hasty by Ent standards23:13
stevemar_i wish i could23:13
stevemar_ayoung: also, it's targeted to backlog :)23:14
*** tonytan4ever has quit IRC23:14
ayoungstevemar_, plus, it is only submitted for backlog right now.  Still need another to move it to Mitaka23:14
*** gokrokve has quit IRC23:15
stevemar_ayoung: i'll be reviewing the specs soon (again)23:15
ayoungstevemar_, I have a working patch that implements it, but I don't want to rewrite it again until we have the spec at least somewhat approved.  henrynash  and I were the prime discussants on this, but there have been input from most of the team.  Henry gave it jhs blessing, and he has a spec that depends on it , too.23:15
shalehit matches what we talked about at the summit23:15
shalehlike mr. nash, I am not certain of the one user, one role rule23:16
ayoungshaleh, it needs to be "possible" not "required" to do that23:16
shalehayoung: not how the spec reads currently23:16
ayoungTYes it does...reread it23:16
stevemar_i just want consensus from the core team, but that is looking hard to get23:16
ayoungI wrote that very deliberately23:16
ayoung"To minimize the burden on the  adminstators, users' explicit  role assignments must be limitable to one role per user per project."23:17
ayoungWith the current setup, you can't say that a user may have only one role on a project and still have fine grained control23:18
ayoungNot that the system has to enforce that a user cannot be assigned multiple roles23:18
shalehayoung: the implication is this spec moves to the one user, one role.23:18
shalehayoung: because the rest of the text says what must happen23:19
ayoungshaleh, that will be the normal set up. This spec allows for it23:19
*** gokrokve has joined #openstack-keystone23:19
ayoungOne explicit role:  you get made a manager, or a release engineer, whatever23:19
ayoungThat is what henrynash is pushing towards with his domain specific roles:23:19
ayoungthe role you get is organizationally specific23:20
shalehayoung: I get the purpose, just not sold on the language.23:20
gyeeayoung, the spec is very close, just a couple of questions23:20
shalehayoung: I have dealt with too many rule lawyers in my day :-)23:20
gyeewhat does revocation look like if one of them implied roles in the chain has changed23:21
*** mylu has quit IRC23:24
*** mylu has joined #openstack-keystone23:24
*** lhcheng has quit IRC23:25
*** wuhg has joined #openstack-keystone23:26
*** lhcheng has joined #openstack-keystone23:27
*** ChanServ sets mode: +v lhcheng23:27
*** doug-fish has quit IRC23:30
*** aginwala_ has joined #openstack-keystone23:31
*** alejandrito has quit IRC23:31
*** aginwal__ has joined #openstack-keystone23:32
*** petertr7 is now known as petertr7_away23:32
*** aginwala has quit IRC23:34
*** aginwala_ has quit IRC23:35
ayounggyee, it actually does not matter with Fernet.  Remeber that discussion?  We are over-revoking.23:36
ayounggyee, if an inference rule changes,  only PKI tokens would have bad data.  For a UUID token, we should rebuild the role set on each validation anyway23:37
ayoungI wish that all the effort we put in to specs was somehow translated to end-user documentation23:38
*** EinstCrazy has joined #openstack-keystone23:39
gyeeayoung, yeah, with fernet, we may not have to worry about role assignment changes23:43
*** josecastroleon has joined #openstack-keystone23:45
*** EinstCrazy has quit IRC23:48
*** gokrokve has quit IRC23:51
ayounggyee, since PKI does not work with the revocation events, I think it is a non issue.23:51
gyeeagreed23:51
*** adelia has quit IRC23:53
ayounggyee, I do think we need to rework UUID tokens to be consistant with Fernet:  rebuild the token every time23:53
*** adelia has joined #openstack-keystone23:54
ayoungWow...I just fuigured out Spell chcking in emacs...they put the word at the top of the page...I never even thought to look there.   Time to start drinking23:55
gyeeayoung, yeah, reason we didn't rebuild was to optimize performance23:55
ayounggyee, as I recall, you origianlly did rebuild, and termie got on your case for it23:55
*** adelia has quit IRC23:55
ayoungturns out you were right....23:55
*** adelia has joined #openstack-keystone23:55
gyeebut since we do client-side caching, that argument may not hold much value23:56
gyeewith dogpile enabled, we are really not gaining anything anymore23:58
shalehayoung: I use flyspell. Incorrect words are flag inline.23:58
shalehayoung: way more sensible UX for spell checking. It now works like most other modern text engines.23:59
« Monday, 2015-11-16 Index Wednesday, 2015-11-18 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!