Thursday, 2015-11-19

*** NM has quit IRC		00:03
*** exploreshaifali has quit IRC		00:15
*** lhcheng has quit IRC		00:20
*** lhcheng has joined #openstack-keystone		00:21
*** ChanServ sets mode: +v lhcheng		00:21
*** mylu has quit IRC		00:26
*** mylu has joined #openstack-keystone		00:26
*** gildub_ has joined #openstack-keystone		00:29
*** mylu has quit IRC		00:30
*** mylu has joined #openstack-keystone		00:36
*** mylu has quit IRC		00:42
*** mylu has joined #openstack-keystone		00:42
*** mylu_ has joined #openstack-keystone		00:43
*** mylu has quit IRC		00:43
openstackgerrit	Merged openstack/keystone: Updating sample configuration file https://review.openstack.org/247107	01:05
*** jbell8 has quit IRC		01:12
*** mylu_ has quit IRC		01:12
*** mylu has joined #openstack-keystone		01:12
*** EinstCrazy has joined #openstack-keystone		01:12
*** mylu has quit IRC		01:17
*** jasonsb has quit IRC		01:22
*** fawadkhaliq has joined #openstack-keystone		01:26
*** shaleh has quit IRC		01:27
openstackgerrit	zouyee proposed openstack/keystone-specs: update attribute in Policy section https://review.openstack.org/242827	01:40
*** LZ has joined #openstack-keystone		01:41
openstackgerrit	Sean Perry proposed openstack/keystone: Use new_policy_ref consistently https://review.openstack.org/247257	01:41
*** notmorgan has quit IRC		01:45
*** notmorgan has joined #openstack-keystone		01:48
*** notmorgan has quit IRC		01:48
*** notmorgan has joined #openstack-keystone		01:49
*** ChanServ sets mode: +v notmorgan		01:49
*** notmorgan has quit IRC		01:49
*** notmorgan has joined #openstack-keystone		01:50
*** notmorgan is now known as Guest50373		01:50
stevemar_	yo bknudson_ we've got a whole chain of patches for extension moving that need your final seal of approval :) https://review.openstack.org/#/c/214775/34	01:51
*** Guest50373 is now known as morganfainberg		01:51
*** morganfainberg has joined #openstack-keystone		01:52
*** ChanServ sets mode: +v morganfainberg		01:52
*** morganfainberg is now known as notmorgan		01:52
*** jasonsb has joined #openstack-keystone		01:53
*** gyee has quit IRC		01:55
*** jasonsb has quit IRC		01:56
*** topol has joined #openstack-keystone		01:57
*** ChanServ sets mode: +v topol		01:57
*** fawadkhaliq has quit IRC		01:57
*** topol has quit IRC		01:59
*** topol has joined #openstack-keystone		01:59
*** ChanServ sets mode: +v topol		01:59
*** jbell8 has joined #openstack-keystone		02:00
*** notmorgan has quit IRC		02:01
*** topol has quit IRC		02:04
*** notmorgan has joined #openstack-keystone		02:06
*** ChanServ sets mode: +v notmorgan		02:06
*** notmorgan has quit IRC		02:06
*** notmorgan has joined #openstack-keystone		02:08
*** dims has joined #openstack-keystone		02:09
*** notmorgan has joined #openstack-keystone		02:10
*** notmorgan is now known as Guest14115		02:10
*** dims_ has quit IRC		02:13
*** Guest14115 has quit IRC		02:13
*** notmorga1 has joined #openstack-keystone		02:15
*** notmorga1 has quit IRC		02:15
*** notmorga1 has joined #openstack-keystone		02:16
*** notmorga1 is now known as morganfainberg		02:16
*** morganfainberg has joined #openstack-keystone		02:17
*** ChanServ sets mode: +v morganfainberg		02:17
*** morganfainberg is now known as notmorgan		02:17
openstackgerrit	Sean Perry proposed openstack/keystone: Use new_trust_ref consistently https://review.openstack.org/247270	02:18
*** notmorgan has quit IRC		02:18
*** notmorgan has joined #openstack-keystone		02:18
*** notmorgan has quit IRC		02:18
*** notmorgan has joined #openstack-keystone		02:18
*** ChanServ sets mode: +v notmorgan		02:18
*** openstack has joined #openstack-keystone		02:25
stevemar_	thanks ayoung!	02:25
*** lhcheng has joined #openstack-keystone		02:25
*** ChanServ sets mode: +v lhcheng		02:25
*** jasondotstar has joined #openstack-keystone		02:25
*** stevemar_ changes topic to "Review Specs!! https://gist.github.com/stevemart/46d664e486e2edce4972"		02:25
*** redrobot has joined #openstack-keystone		02:25
*** redrobot is now known as Guest62841		02:25
*** gsilvis has joined #openstack-keystone		02:25
*** bigjools has joined #openstack-keystone		02:25
*** bigjools has joined #openstack-keystone		02:25
*** anteaya has joined #openstack-keystone		02:25
*** haneef has joined #openstack-keystone		02:25
ayoung	stevemar_, I just reviewed all of the "move extension to core" reviews. They all look good,but I found a minor typo in the first one, so you will need to fix and rebase all of them, which will reset the +2s.	02:28
ayoung	Or I just +2Aed them all	02:29
*** mylu has joined #openstack-keystone		02:29
*** jbell8 has quit IRC		02:30
openstackgerrit	Jamie Lennox proposed openstack/python-keystoneclient: Map keystoneclient exceptions to keystoneauth https://review.openstack.org/243869	02:35
*** stevemar_ has quit IRC		02:42
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Add domain and trust details to user plugin https://review.openstack.org/244987	02:43
*** stevemar_ has joined #openstack-keystone		02:43
*** ChanServ sets mode: +o stevemar_		02:43
stevemar_	ayoung: what's the typo?	02:52
ayoung	stevemar_, heh	02:52
ayoung	stevemar_, just trying to turn you prematurely gray, Not typo	02:52
stevemar_	:P	02:52
ayoung	I +Aed the stack of them. Since I wrote a good chunk of those	02:52
ayoung	I figured I should look at them.	02:52
stevemar_	i'll need to write release notes for them, but i'll tack that on with the ones i'm writing now	02:53
ayoung	extensions in their own repos and the code setup was my doing. I figure I should be the one to take them out behind the woodshed and give them the old-yeller	02:53
stevemar_	ayoung: fwiw, it was the right move at the time	02:55
stevemar_	but this is just easier now if things are there by default	02:55
stevemar_	we just need to state at the beginning what APIs are experimental and what's stable	02:55
ayoung	stevemar_, I would have preferred to keep the migrations in separate repos. If there are no FK constriants, having them in a single repo just means we have numberinmg conflicts.	02:56
ayoung	putting filter in with catalog is awesome, and that is the kind of merge I am happy to see	02:56
ayoung	and amakarov is going to need the oauth and trusts code all together to do unified delegation	02:56
ayoung	so..all told, I was very happy to see this	02:56
stevemar_	ayoung: plus, not to sound stubborn, but i can't see our feature set growing all that much in the future	02:58
ayoung	stevemar_, the problem was that we called the extensions. If they had been components, the directory structure would have held up better over time, and we could movde identiyt, policy etc into components instead of putting them all at the top of the namespace	02:58
ayoung	stevemar_, true	02:58
ayoung	stevemar_, With unified delegation, the code should shrink a good bit.	02:58
ayoung	with implied roles, I think we get the major step we finally need	02:59
ayoung	even if we do more with policy, that module already exists and stays in place	02:59
stevemar_	ayoung: yep, and with the deprecating we'll do this release, in +2 we'll have shed a whole lot more weight	02:59
ayoung	federation and identity should merge	02:59
ayoung	stevemar_, Oh, hey, idea for you	02:59
ayoung	so...I can't quite get mod_authn_dbd to work for mysql but...	03:00
stevemar_	hmm>	03:00
ayoung	for ldap we can use mod_auth_ldap, and with basic_auth, we can turn that part into a Federated call, too	03:00
stevemar_	ayoung: yup, mr nash wants that long term, too	03:01
ayoung	for mod_authn_dbd, we need to get some more support for hashing, to match what we use for passwords	03:01
ayoung	I wonder if we could build the piece we need for SQL in a middleware, and let that be the only thing we don;'t get from Apache.	03:01
ayoung	stevemar_, then...if we want, we could work towards tokenless operations everywhere	03:02
ayoung	that is what https://review.openstack.org/#/c/245588/ is about	03:02
ayoung	and, by everywhere, I mean beyond just the openstack services like Nova and Sahara	03:02
ayoung	but we could actually make something that could be consumed by the applications running in the cloud. We'd provide the mapping from whatever IdP they bring to what our cloud says that they can do	03:03
stevemar_	the umbrella / shadow user spec would help this a lot	03:04
ayoung	stevemar_, yeah. And it would let us consume those unified usersids in the cloud	03:04
ayoung	in the upper applications, I should say...whatever the right term is. RDO just sole overcloud from me damnit	03:04
*** tjcocozz has quit IRC		03:14
*** bapalm has quit IRC		03:15
*** richm has quit IRC		03:17
*** tjcocozz has joined #openstack-keystone		03:21
*** bapalm has joined #openstack-keystone		03:21
openstackgerrit	Jamie Lennox proposed openstack/keystone: Use our own request in base wsgi class https://review.openstack.org/244472	03:27
openstackgerrit	Merged openstack/keystone: Move federation extension into keystone core https://review.openstack.org/214775	03:28
openstackgerrit	Merged openstack/keystone: Move federation sql migrations to common https://review.openstack.org/234537	03:29
*** csoukup has joined #openstack-keystone		03:32
*** dims has quit IRC		03:32
*** mylu has quit IRC		03:34
*** mylu has joined #openstack-keystone		03:35
*** jerrygb has quit IRC		03:35
openstackgerrit	Merged openstack/keystone: Move oauth1 extension into core https://review.openstack.org/234598	03:38
openstackgerrit	Merged openstack/keystone: Move oauth1 sql migrations to common https://review.openstack.org/235121	03:38
openstackgerrit	Merged openstack/keystone: Move revoke extension into core https://review.openstack.org/235704	03:38
openstackgerrit	Merged openstack/keystone: Move revoke sql migrations to common https://review.openstack.org/235712	03:38
*** jamielennox is now known as jamielennox\|away		03:45
*** mylu has quit IRC		03:46
*** mylu has joined #openstack-keystone		03:48
ayoung	jamielennox\|away, Oh I like https://review.openstack.org/#/c/244472/3/keystone/common/request.py,cm	03:55
*** ayoung is now known as ayoung_Zzz		03:55
*** jamielennox\|away is now known as jamielennox		03:57
*** stevemar_ has quit IRC		04:01
*** stevemar_ has joined #openstack-keystone		04:02
*** ChanServ sets mode: +o stevemar_		04:02
*** lhcheng has quit IRC		04:03
*** mylu has quit IRC		04:04
*** mylu has joined #openstack-keystone		04:04
*** mylu has quit IRC		04:05
*** mylu has joined #openstack-keystone		04:05
*** bill_az has quit IRC		04:10
*** jerrygb has joined #openstack-keystone		04:14
*** mylu has quit IRC		04:15
*** wuhg has joined #openstack-keystone		04:21
notmorgan	stevemar_: ping [this is a test, a simple pong should be good]	04:25
stevemar_	notmorgan: pong	04:25
notmorgan	stevemar_: once more	04:26
stevemar_	notmorgan: pong	04:26
notmorgan	hm.....	04:26
notmorgan	ok... why is this not working... again plz?	04:27
stevemar_	notmorgan: pong	04:27
notmorgan	huh	04:27
*** fawadkhaliq has joined #openstack-keystone		04:28
notmorgan	notmorgan: test	04:29
notmorgan	grumble...	04:29
stevemar_	notmorgan: pong	04:29
stevemar_	:)	04:29
notmorgan	i'm not getting any noise from the screen session / any bell notification	04:30
*** mylu has joined #openstack-keystone		04:31
*** mylu has quit IRC		04:32
*** csoukup has quit IRC		04:32
*** mylu has joined #openstack-keystone		04:33
*** mylu has quit IRC		04:34
*** mylu has joined #openstack-keystone		04:34
openstackgerrit	Steve Martinelli proposed openstack/keystone: Add release notes for mitaka thus far https://review.openstack.org/246749	04:46
*** mylu has quit IRC		04:48
*** mylu has joined #openstack-keystone		04:50
*** chirag has joined #openstack-keystone		04:51
chirag	Hello Keystone team can anyone help me with keystone error ==keystone.token.controllers [-] User 050ce8abbfe24c82be59778e9155a9c9 is unauthorized for tenant service==	04:51
*** aj2 has joined #openstack-keystone		04:53
*** lhcheng has joined #openstack-keystone		04:53
*** ChanServ sets mode: +v lhcheng		04:53
notmorgan	chirag: that is saying the user doesn't have a role on the service tenant	04:54
notmorgan	chirag: and the user is using an already issued token	04:55
notmorgan	chirag: vs. a username/password	04:55
notmorgan	chirag: a bit more context might help to know when you're seeing this	04:55
chirag	I have defined admin role to the user. But still all request failed	04:55
chirag	I am executing glance image-list	04:57
chirag	glance --debug --os-username=glance --os-password=nec000 --os-tenant-name=service --os-auth-url=http://10.34.81.169:35357/v2.0 image-list The request you have made requires authentication. (HTTP 401) (Request-ID: req-34a64b92-5876-4f05-b692-6c8d631f3a5e)	04:58
notmorgan	the glance service user might be at fault here..	04:58
chirag	Yes we suspect the same but unable to find teh root cause	04:58
chirag	any idea?	04:58
notmorgan	glance service user doesn't have access to the service tenant? or somehow wedged	04:58
*** stevemar_ has quit IRC		05:00
*** mylu has quit IRC		05:00
*** stevemar_ has joined #openstack-keystone		05:00
*** ChanServ sets mode: +o stevemar_		05:00
chirag	root@keystonekilo-virtual-machine:~# keystone user-get glance +----------+----------------------------------+ \| Property \| Value \| +----------+----------------------------------+ \| email \| \| \| enabled \| True \| \| id \| 050ce8abbfe24c82be59778e9155a9c9 \| \| name \| glance \| \| tenantId \| 0dd1b9ffdecf4d0	05:00
chirag	0dd1b9ffdecf4d0fb1134312f9162416 is my service tenant id	05:01
openstackgerrit	ayoung proposed openstack/keystone: Implied Roles https://review.openstack.org/242614	05:01
*** jasonsb has joined #openstack-keystone		05:04
openstackgerrit	ayoung proposed openstack/keystone: Implied Roles https://review.openstack.org/242614	05:08
*** mylu has joined #openstack-keystone		05:09
chirag	@notmorgan ???	05:09
notmorgan	chirag: so you need to know if the glance user has the appropriate role on the service tenant	05:10
chirag	Yes I am sure my glance user has both "admin" , "_member_" roles	05:11
notmorgan	chirag: what version of OpenStack are you urnning and what version of keystonemiddleware?	05:12
notmorgan	this is sounding an awful lot like the glance user has an expired token	05:12
notmorgan	and is not re-authenticating	05:12
notmorgan	was this ever workings?	05:13
notmorgan	or never has worked?	05:13
chirag	I am actually clueless . . and it has never worked	05:13
chirag	But everything is working fine with my other users	05:13
notmorgan	so you can glance image-list with another user?	05:14
notmorgan	just not with the glance user?	05:14
chirag	Yes we tried the same but failed . but I am using glance user for cinder list and it is working good . .	05:16
*** jbell8 has joined #openstack-keystone		05:16
openstackgerrit	Lin Hua Cheng proposed openstack/keystoneauth: Address hacking check H405 https://review.openstack.org/243889	05:18
notmorgan	chirag: unfortunately, I am not sure how to help much more. this is sounding like a config issue maybe in the glance service?	05:18
*** jasonsb has quit IRC		05:20
*** dave-mccowan has quit IRC		05:20
*** LZ has quit IRC		05:25
* notmorgan looks at H405 and rolls eyes.		05:27
* lhcheng hopes it won't require more than patch set 10		05:30
notmorgan	lhcheng: see my comment	05:30
notmorgan	lhcheng: consider my +2 a +a if jenkis passes	05:31
lhcheng	awesome, thanks :)	05:31
notmorgan	so id say +a it yourself unless stevemar_ says you cant :)	05:31
stevemar_	lhcheng: of for gods sake just merge it :P	05:32
lhcheng	with this type of patch, it can go very long since it is mostly subjective :P	05:32
stevemar_	lhcheng: i don't want to see another H405 patch	05:32
lhcheng	LOL	05:32
stevemar_	lhcheng: review the specs in the channel topic :)	05:33
stevemar_	lhcheng: oh, if you really quickly want to approve some OSC patches, there are 3 that are ready to go	05:33
lhcheng	I did a first pass of the specs last night, haven't got through the newer specs from ayoung though.	05:34
stevemar_	lhcheng: eventually we have to make a cut off and decide what's going into mitaka and what's not	05:34
notmorgan	shadow users????	05:35
stevemar_	notmorgan: what about shadow users?	05:35
notmorgan	looking at the spec...	05:35
lhcheng	stevemar_: so MFA is something that might come up soon	05:35
*** itlinux has joined #openstack-keystone		05:35
notmorgan	name just makes my skin crawl	05:35
notmorgan	it isnt as bad as i thought	05:36
lhcheng	ebay have their own implementation of MFA, trying to help them out to upstream it	05:36
lhcheng	rackspace is kinda interested too on the MFA feature	05:36
openstackgerrit	Steve Martinelli proposed openstack/keystone: remove use of magic numbers in sql migrate extension tests https://review.openstack.org/247302	05:36
lhcheng	we're also interested in it, something we'll need in the long term	05:36
lhcheng	we (yahoo)	05:37
openstackgerrit	Steve Martinelli proposed openstack/keystone: remove useless config option in endpoint filter https://review.openstack.org/247303	05:39
stevemar_	notmorgan: it's a sensible spec	05:40
stevemar_	lhcheng: i agree MFA is going to come up soon	05:40
stevemar_	and i don't really have a plan for it :(	05:40
openstackgerrit	Merged openstack/keystone: Move endpoint filter into keystone core https://review.openstack.org/183377	05:42
lhcheng	stevemar_: the MFA specs likely will not be up til M-2, I think it is expected we won't be able to get this in M.	05:42
*** LZ has joined #openstack-keystone		05:43
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/247304	05:43
openstackgerrit	Steve Martinelli proposed openstack/keystone: always enable endpoint-policy extension https://review.openstack.org/247305	05:45
*** jasonsb has joined #openstack-keystone		05:46
*** jay-lau-513 has joined #openstack-keystone		05:51
jay-lau-513	Does keystone support hierarchical tenant now? If so, how can I create hierarchical tenant?	05:52
stevemar_	lhcheng: you have an MFA idea?	05:52
jay-lau-513	stevemar_ can you help my question? :-)	05:54
lhcheng	stevemar_: no idea yet how will it be implemented, I imagine we just need to provide the ABC driver that operators would implement to plugin their security system.	05:55
stevemar_	jay-lau-513: you just supply the parent project ID when you create a new project	05:56
lhcheng	gyee may have tried to PoC MFA.	05:56
stevemar_	i'm actually on my way to bed	05:56
stevemar_	zZzzzzzZ	05:56
stevemar_	lhcheng: calling it "early" tonight	05:56
stevemar_	:)	05:56
*** stevemar_ has quit IRC		05:57
lhcheng	stevemar_: sure, me too	05:57
jay-lau-513	stevemar_ I did not get any help from keystone help	05:57
jay-lau-513	root@db06b03:/opt/devstack# keystone tenant-create	05:58
jay-lau-513	'python-keystoneclient.', DeprecationWarning)	05:58
jay-lau-513	usage: keystone tenant-create --name <tenant-name>	05:58
jay-lau-513	[--description <tenant-description>]	05:58
jay-lau-513	[--enabled <true\|false>]	05:58
jay-lau-513	keystone tenant-create: error: argument --name is required	05:58
lhcheng	jay-lau-513: project hierarchy is a keystone v3 feature	05:58
lhcheng	python-keystoneclient only supports keystone v2	05:58
lhcheng	jay-lau-513: you have to use osc for creating project hierarchy	05:59
jay-lau-513	lhcheng how can I enable this feature, any document?	05:59
lhcheng	https://github.com/openstack/python-openstackclient/blob/master/doc/source/command-objects/project.rst	05:59
lhcheng	it should be enabled by default, if the release you're running have it..	05:59
jay-lau-513	lhcheng thanks, will have a try	06:00
lhcheng	jay-lau-513: sure, good luck!	06:00
jay-lau-513	root@db06b03:/opt/devstack# openstack project create	06:01
jay-lau-513	usage: openstack project create [-h]	06:01
jay-lau-513	[-f {html,json,json,shell,table,value,yaml,yaml}]	06:01
jay-lau-513	[-c COLUMN] [--max-width <integer>]	06:01
jay-lau-513	[--noindent] [--prefix PREFIX]	06:01
jay-lau-513	[--description <description>]	06:01
jay-lau-513	[--enable \| --disable]	06:01
jay-lau-513	[--property <key=value>] [--or-show]	06:01
jay-lau-513	<project-name>	06:01
jay-lau-513	openstack project create: error: too few arguments	06:01
jay-lau-513	no lucky, seems the openstack client also do not have the options to create	06:01
lhcheng	you might be running an older version of openstackclient	06:01
jay-lau-513	lhcheng I was using devstack with latest version	06:03
jay-lau-513	also I see the document is using "os project create" but it should be "openstack project create"?	06:03
lhcheng	run openstack --version	06:03
jay-lau-513	root@db06b03:/opt# openstack --version	06:03
jay-lau-513	openstack 1.8.0	06:03
lhcheng	ah you have to set the identity version to 3	06:04
openstackgerrit	Merged openstack/keystone: Move endpoint_filter migrations into keystone core https://review.openstack.org/186988	06:04
lhcheng	export OS_IDENTITY_API_VERSION=3	06:04
lhcheng	I can't recall why os vs openstack, but assume for now that's openstack :)	06:05
jay-lau-513	so its a bug now?	06:05
jay-lau-513	that the openstack project create does not work? :-)	06:06
lhcheng	did you set the version to v3?	06:06
chirag	@lhcheng Hi! can you help me with keystone error ==keystone.token.controllers [-] User 050ce8abbfe24c82be59778e9155a9c9 is unauthorized for tenant service==	06:06
jay-lau-513	root@db06b03:/opt# export OS_IDENTITY_API_VERSION=3	06:07
jay-lau-513	root@db06b03:/opt# openstack project create	06:07
jay-lau-513	Could not determine a suitable URL for the plugin	06:07
lhcheng	jay-lau-513: see bottom part of : https://github.com/openstack/python-openstackclient/blob/1.8.0/doc/source/authentication.rst	06:08
jay-lau-513	lhcheng great, its working	06:09
lhcheng	chirag: if notmorgan can't help you, I don't think I can help you more. he's the expert :)	06:09
jay-lau-513	root@db06b03:/opt# openstack project create	06:09
jay-lau-513	usage: openstack project create [-h]	06:09
jay-lau-513	[-f {html,json,json,shell,table,value,yaml,yaml}]	06:09
jay-lau-513	[-c COLUMN] [--max-width <integer>]	06:09
jay-lau-513	[--noindent] [--prefix PREFIX]	06:09
jay-lau-513	[--domain <domain>] [--parent <project>]	06:09
jay-lau-513	[--description <description>]	06:09
jay-lau-513	[--enable \| --disable]	06:09
jay-lau-513	[--property <key=value>] [--or-show]	06:09
jay-lau-513	<project-name>	06:09
jay-lau-513	openstack project create: error: too few arguments	06:09
jay-lau-513	thanks lhcheng	06:09
lhcheng	jay-lau-513: great!	06:09
lhcheng	chirag: sounds like the user don't have an assignment on service tenant?	06:10
lhcheng	or maybe using expired token	06:10
*** urulama has joined #openstack-keystone		06:10
lhcheng	you can try getting a token for 050ce8abbfe24c82be59778e9155a9c9 to service tenant	06:11
lhcheng	see if doing that manually works	06:11
chirag	lhcheng: I have tried everything but nothing is working from glance server	06:11
chirag	Same user works fine with cinder	06:11
lhcheng	likely glance config issue then	06:13
lhcheng	see if the auth middleware config is correct	06:13
chirag	Yes, I ahve takedn default config file and changed the urls & password	06:14
*** mylu has quit IRC		06:15
chirag	I have same config file as on http://docs.openstack.org/kilo/config-reference/content/section_glance-api.conf.html	06:16
*** Nirupama has joined #openstack-keystone		06:17
*** itlinux has quit IRC		06:23
*** rcernin has joined #openstack-keystone		06:23
lhcheng	chirag: try the example here: https://github.com/openstack/keystonemiddleware/blob/stable/kilo/doc/source/middlewarearchitecture.rst	06:24
*** jasonsb has quit IRC		06:30
openstackgerrit	Merged openstack/keystoneauth: Refactored AccessInfo.project_scoped accessor https://review.openstack.org/235616	06:32
*** lhcheng has quit IRC		06:35
*** jasonsb has joined #openstack-keystone		06:38
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/247304	06:43
*** jasonsb has quit IRC		06:50
*** jasonsb has joined #openstack-keystone		06:52
breton_	morning o/	06:53
*** jasonsb has quit IRC		06:57
*** breitz has quit IRC		07:01
*** breitz has joined #openstack-keystone		07:01
*** gildub_ has quit IRC		07:04
*** urulama has quit IRC		07:09
openstackgerrit	zouyee proposed openstack/keystone: notifications.Audit.created parameter wrong https://review.openstack.org/247324	07:09
*** urulama has joined #openstack-keystone		07:09
openstackgerrit	zouyee proposed openstack/keystone: notifications.Audit.created parameter wrong https://review.openstack.org/247324	07:12
*** chirag has quit IRC		07:13
*** roxanaghe has quit IRC		07:17
*** tyagiprince has joined #openstack-keystone		07:18
tyagiprince	hey keystoners.. I was reading about configuring ldap using keystone.. I want to understand what the schema means..	07:19
tyagiprince	An example Schema for OpenStack would look like this:	07:19
tyagiprince	dn: dc=openstack,dc=org	07:19
tyagiprince	dc: openstack	07:19
tyagiprince	objectClass: dcObject	07:19
tyagiprince	objectClass: organizationalUnit	07:19
tyagiprince	ou: openstack	07:19
tyagiprince	dn: ou=Projects,dc=openstack,dc=org	07:19
tyagiprince	objectClass: top	07:19
tyagiprince	objectClass: organizationalUnit	07:19
tyagiprince	ou: groups	07:19
tyagiprince	dn: ou=Users,dc=openstack,dc=org	07:19
tyagiprince	objectClass: top	07:19
tyagiprince	objectClass: organizationalUnit	07:19
openstackgerrit	zouyee proposed openstack/keystone: Capital letters https://review.openstack.org/247328	07:21
openstackgerrit	Merged openstack/keystoneauth: Address hacking check H405 https://review.openstack.org/243889	07:21
*** zouyee has joined #openstack-keystone		07:22
*** roxanaghe has joined #openstack-keystone		07:24
*** roxanaghe has quit IRC		07:24
tyagiprince	why do one need a kerberized keystone?	07:31
*** pnavarro has joined #openstack-keystone		07:33
tyagiprince	and is keystone going to implement s4u2proxy for authentication? since it will diminish the load on keystone.	07:37
*** jerrygb has quit IRC		07:40
*** jerrygb has joined #openstack-keystone		07:40
*** jaosorior has joined #openstack-keystone		07:43
*** jerrygb has quit IRC		07:44
openstackgerrit	zouyee proposed openstack/keystone: add some punctuation marks https://review.openstack.org/247336	07:49
*** jvarlamova has quit IRC		07:50
*** e0ne has joined #openstack-keystone		07:54
*** fhubik has joined #openstack-keystone		07:58
*** fhubik is now known as fhubik_brb		07:58
*** belmoreira has joined #openstack-keystone		08:00
*** markvoelker has quit IRC		08:00
*** jbell8 has quit IRC		08:04
*** fhubik_brb is now known as fhubik		08:05
*** henrynash has joined #openstack-keystone		08:12
*** ChanServ sets mode: +v henrynash		08:12
*** tyagiprince has quit IRC		08:14
*** tyagiprince has joined #openstack-keystone		08:20
*** tyagiprince has quit IRC		08:25
*** fawadkhaliq has quit IRC		08:26
*** sborkows has joined #openstack-keystone		08:29
*** clayton has quit IRC		08:35
openstackgerrit	yangweiwei proposed openstack/oslo.policy: Update 'load_json' method in oslo.policy https://review.openstack.org/247347	08:40
*** jerrygb has joined #openstack-keystone		08:41
*** pnavarro is now known as pnavarro\|afk		08:42
openstackgerrit	yangweiwei proposed openstack/oslo.policy: Update 'load_json' method in oslo.policy https://review.openstack.org/247347	08:44
*** clayton has joined #openstack-keystone		08:44
openstackgerrit	henry-nash proposed openstack/keystone: Enable listing of role assignments in a project hierarchy https://review.openstack.org/208152	08:45
*** jerrygb has quit IRC		08:46
*** sborkows has quit IRC		08:50
*** roxanaghe has joined #openstack-keystone		08:50
openstackgerrit	zouyee proposed openstack/keystone: add sql.conflicts decorator for update_endpoint https://review.openstack.org/247354	08:54
*** tyagiprince has joined #openstack-keystone		08:54
*** roxanaghe has quit IRC		08:55
*** jay-lau-513 has quit IRC		08:56
*** markvoelker has joined #openstack-keystone		09:01
*** kiran-r has joined #openstack-keystone		09:04
*** markvoelker has quit IRC		09:06
openstackgerrit	henry-nash proposed openstack/keystone: Rationalize list role assignment routing https://review.openstack.org/220335	09:13
*** fhubik is now known as fhubik_brb		09:15
*** e0ne has quit IRC		09:18
*** LZ has quit IRC		09:19
*** fhubik_brb is now known as fhubik		09:20
openstackgerrit	henry-nash proposed openstack/keystone: Add API route for list role assignments for tree https://review.openstack.org/220452	09:22
*** fhubik is now known as fhubik_brb		09:26
*** fhubik_brb is now known as fhubik		09:26
*** aix has joined #openstack-keystone		09:26
openstackgerrit	Julien Danjou proposed openstack/keystone: wsgi: fix base_url finding https://review.openstack.org/226464	09:28
*** fhubik is now known as fhubik_brb		09:31
*** fhubik_brb is now known as fhubik		09:32
*** hogepodge has quit IRC		09:34
*** jistr has joined #openstack-keystone		09:35
*** hogepodge has joined #openstack-keystone		09:39
*** daemontool has joined #openstack-keystone		09:42
*** mhickey has joined #openstack-keystone		09:43
*** henrynash has quit IRC		09:46
*** garganubhav has joined #openstack-keystone		09:47
*** daemontool has quit IRC		09:47
*** daemontool has joined #openstack-keystone		09:48
tyagiprince	hey keystoners.. I changed the identity driver to ldap and did some configuration.. but now I am getting unauthorized error	09:49
*** roxanaghe has joined #openstack-keystone		09:51
*** hogepodge has quit IRC		09:54
*** roxanaghe has quit IRC		09:56
*** pnavarro\|afk is now known as pnavarro		09:56
*** openstackgerrit has quit IRC		10:01
*** openstackgerrit has joined #openstack-keystone		10:02
*** hogepodge has joined #openstack-keystone		10:10
*** fawadkhaliq has joined #openstack-keystone		10:14
*** openstack has joined #openstack-keystone		10:18
*** e0ne has joined #openstack-keystone		10:20
*** jordanP has joined #openstack-keystone		10:24
jordanP	guys, are you going to release keystonemiddleware 1.5.3 that includes the cap to python-requests < 2.8 ?	10:25
garganubhav	I am getting this error whoch trying to connect to LDAP Server ... res_errno: 32, res_error: <0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:	10:25
*** gildub_ has joined #openstack-keystone		10:25
openstackgerrit	graingert proposed openstack/python-keystoneclient: Closes-Bug 1517826 remove PBR from requirements.txt https://review.openstack.org/247400	10:25
openstack	bug 1517826 in python-keystoneclient "pbr isn't required at runtime" [Undecided,New] https://launchpad.net/bugs/1517826	10:25
jordanP	dolphm, jamielennox ^^	10:28
jordanP	because atm, keystonemiddleware can pull requests 2.8.1 and that breaks python-glanceclient on juno	10:28
jamielennox	jordanP Why does new requests break glance?	10:29
jordanP	cause requests in capped to < 2.8 on glanceclient	10:29
jordanP	*is	10:29
jamielennox	Do you know why? That should be controlled by global reqs?	10:30
jordanP	jamielennox, on kilo, a new version of glanceclient was released yesterday. This release only supports requests < 2.8. Now if keystonemiddleware 1.5.2 is installed first	10:30
jamielennox	Oh, kilo	10:31
jordanP	it will pull requests 2.8.1 (latests) and that breaks glanceclient	10:31
jordanP	jamielennox, https://github.com/openstack/keystonemiddleware/commit/d56d96c8d33556e35ca2abffed689753ee0be740	10:31
jordanP	it was synced into keystonemiddleware too, but now we need a release on pypi I think	10:31
jordanP	on kilo, yeah sorry	10:32
jordanP	I said juno, but I meant kilo :(	10:32
jamielennox	Talk to stevemar about releases, but if there is a version cap problem like that it should be done	10:32
jamielennox	But it should be auto proposed by the bit	10:32
jamielennox	Bot	10:32
jordanP	a release on pypi ? I though we only had a bot to sync from global-requirements	10:33
*** jyuso1 has joined #openstack-keystone		10:33
jamielennox	Sorry, mixing up messages. You already said it had been merged	10:35
jordanP	yep	10:36
jordanP	jamielennox, one last thing, who is stevemar ? Where can I find him ?	10:36
jamielennox	stevemar is the ptl. He has resisted getting an irc bouncer so he is only online during vaguely Canadian hours	10:41
jordanP	ok, good to know thanks	10:41
jordanP	"canadian hours" I wonder what that is ! :D	10:42
*** jerrygb has joined #openstack-keystone		10:42
*** hogepodge has quit IRC		10:42
jamielennox	I think there's a bugle	10:43
openstackgerrit	zouyee proposed openstack/keystone: add sql.conflicts decorator for update_endpoint https://review.openstack.org/247354	10:44
*** dims has joined #openstack-keystone		10:45
*** jerrygb has quit IRC		10:47
*** hogepodge has joined #openstack-keystone		10:51
*** urulama has quit IRC		10:52
*** roxanaghe has joined #openstack-keystone		10:52
*** urulama has joined #openstack-keystone		10:52
*** henrynash has joined #openstack-keystone		10:54
*** ChanServ sets mode: +v henrynash		10:54
*** roxanaghe has quit IRC		10:56
*** markvoelker has joined #openstack-keystone		11:02
*** henrynash has quit IRC		11:02
*** ekarlso has quit IRC		11:05
*** markvoelker has quit IRC		11:07
*** fhubik is now known as fhubik_brb		11:07
*** EinstCrazy has quit IRC		11:07
*** fhubik_brb is now known as fhubik		11:13
openstackgerrit	zouyee proposed openstack/keystone: notifications.Audit.created parameter wrong https://review.openstack.org/247324	11:15
*** tyagiprince has quit IRC		11:16
*** topol has joined #openstack-keystone		11:17
*** ChanServ sets mode: +v topol		11:17
*** topol has quit IRC		11:18
*** jmccrory has quit IRC		11:20
openstackgerrit	zouyee proposed openstack/keystone: notifications.Audit.created parameter wrong https://review.openstack.org/247324	11:21
*** jmccrory has joined #openstack-keystone		11:22
*** jamielennox is now known as jamielennox\|away		11:22
*** tyagiprince has joined #openstack-keystone		11:24
*** jmccrory has quit IRC		11:26
*** ekarlso has joined #openstack-keystone		11:29
*** jmccrory has joined #openstack-keystone		11:30
*** EinstCrazy has joined #openstack-keystone		11:30
*** fhubik is now known as fhubik_brb		11:31
openstackgerrit	zouyee proposed openstack/keystone: notifications.Audit.created parameter wrong https://review.openstack.org/247324	11:32
*** Nirupama has quit IRC		11:33
openstackgerrit	zouyee proposed openstack/keystone: notifications.Audit.created parameter wrong https://review.openstack.org/247324	11:34
openstackgerrit	zouyee proposed openstack/keystone: add sql.conflicts decorator for update_endpoint https://review.openstack.org/247354	11:41
*** zqfan_AFK is now known as zqfan		11:49
*** fhubik_brb is now known as fhubik		11:51
openstackgerrit	zouyee proposed openstack/keystone-specs: update sample value of Policy blob attribute https://review.openstack.org/242827	11:52
*** roxanaghe has joined #openstack-keystone		11:53
*** dave-mccowan has joined #openstack-keystone		11:53
*** gildub_ has quit IRC		11:55
*** gildub has joined #openstack-keystone		11:55
*** roxanaghe has quit IRC		11:57
*** tyagiprince has quit IRC		11:59
*** garganubhav has quit IRC		11:59
*** rodrigods has quit IRC		11:59
*** rodrigods has joined #openstack-keystone		12:00
*** rodrigods has quit IRC		12:00
*** rodrigods has joined #openstack-keystone		12:00
*** gildub has quit IRC		12:01
*** pnavarro is now known as pnavarro\|lunch		12:09
*** dims has quit IRC		12:16
*** urulama has quit IRC		12:26
*** urulama has joined #openstack-keystone		12:26
*** doug-fish has joined #openstack-keystone		12:29
*** e0ne has quit IRC		12:30
*** markvoelker has joined #openstack-keystone		12:33
*** tellesnobrega is now known as tellesnobrega_af		12:35
*** tellesnobrega_af is now known as tellesnobrega		12:36
*** markvoelker has quit IRC		12:38
*** gordc has joined #openstack-keystone		12:39
*** e0ne has joined #openstack-keystone		12:40
*** jbell8 has joined #openstack-keystone		12:42
*** jerrygb has joined #openstack-keystone		12:43
*** jerrygb has quit IRC		12:49
*** pauloewerton has joined #openstack-keystone		12:50
openstackgerrit	Boris Bobrov proposed openstack/keystone: Fix exposition of bug about limiting with ldap https://review.openstack.org/234226	12:52
openstackgerrit	Boris Bobrov proposed openstack/keystone: Simplify LimitTests https://review.openstack.org/234300	12:52
openstackgerrit	Boris Bobrov proposed openstack/keystone: Enable limiting in ldap for groups https://review.openstack.org/234849	12:52
openstackgerrit	Boris Bobrov proposed openstack/keystone: Make @truncated common for all backends https://review.openstack.org/233069	12:52
openstackgerrit	Boris Bobrov proposed openstack/keystone: Use @truncated in ldap for users https://review.openstack.org/233070	12:52
*** roxanaghe has joined #openstack-keystone		12:54
*** roxanaghe has quit IRC		12:59
*** jbell8 has quit IRC		13:01
*** raildo-afk is now known as raildo		13:03
*** topol has joined #openstack-keystone		13:06
*** ChanServ sets mode: +v topol		13:06
openstackgerrit	zouyee proposed openstack/keystone-specs: Update sample value of Policy blob attribute https://review.openstack.org/242827	13:10
*** topol has quit IRC		13:11
*** tyagiprince has joined #openstack-keystone		13:12
tyagiprince	hey people need help with something..	13:14
tyagiprince	I configured keystone to ldap but when I run the command "openstack user list" it gives the "ERROR: openstack The request you have made requires authentication. (HTTP 401) (Request-ID: req-58fb2f57-f0eb-40bf-8664-aa92ef637bcc)".	13:15
tyagiprince	any one know about configuring ldap	13:18
tyagiprince	??	13:18
*** stevemar_ has joined #openstack-keystone		13:18
*** ChanServ sets mode: +o stevemar_		13:18
openstackgerrit	zouyee proposed openstack/keystone: Add sql.conflicts decorator for update_endpoint https://review.openstack.org/247354	13:20
tyagiprince	hey keystoners!!!! I configured keystone to ldap but when I run the command "openstack user list" it gives the "ERROR: openstack The request you have made requires authentication. (HTTP 401) (Request-ID: req-58fb2f57-f0eb-40bf-8664-aa92ef637bcc)". Does anyone have any idea about this?	13:22
*** stevemar_ has quit IRC		13:22
*** fawadkhaliq has quit IRC		13:22
*** richm has joined #openstack-keystone		13:26
*** stevemar_ has joined #openstack-keystone		13:31
*** ChanServ sets mode: +o stevemar_		13:31
*** openstackstatus has joined #openstack-keystone		13:34
*** ChanServ sets mode: +v openstackstatus		13:34
openstackgerrit	Alexander Makarov proposed openstack/keystone-specs: Unified delegation spec https://review.openstack.org/189816	13:34
*** markvoelker has joined #openstack-keystone		13:35
*** ayoung_Zzz is now known as ayoung		13:39
openstackgerrit	Steve Martinelli proposed openstack/keystone: Add missing colon separators to inline comments https://review.openstack.org/247336	13:40
ayoung	tyagiprince, so usually first step is to turn on some logging, and make sure that the LDAP queries are actually going through. THere are a lot of reasons tyou might get an auth failure.	13:44
tyagiprince	ayoung: Yes I already set debug level to 4095	13:45
ayoung	when you as k for a token via LDAP, Keystone will take the password you pass and do a simple bind. It has to have the proper DN for the user. If that succeeds, the admin LDAP user will be used for all follow on queries	13:46
ayoung	that can also fail	13:46
ayoung	tyagiprince, can you get openstack token issue to work?	13:46
tyagiprince	ayoung: No, not even a single command is working.. I guess the problem is in the binding only..	13:47
ayoung	tyagiprince, did you try unscoped?	13:47
ayoung	unset OS_PROJECT_NAME OS_PROJECT_DOMAIN_NAME and OS_DOMAIN_NAME	13:48
tyagiprince	ayoung: do you mean using admin_token_auth in keystone-paste.ini? and setting admin_token	13:49
ayoung	no	13:49
ayoung	tyagiprince, I mean do everything like you are doing, but try to get an unscoped token	13:50
ayoung	tyagiprince, bnecause the issue might be Roll Assignments, so lets rule that out first	13:50
aj2	Hi guys. What is the relation between a github tag and github branches when it comes to keystonemiddleware?	13:50
aj2	When I install Kilo version of glance it requires 1.5.2 version of keystonemiddleware whereas I was expecting it will use Kilo branch of keystonemiddleware.	13:51
tyagiprince	ayoung: Okay I'll try issuing unscoped token.. Will have to read about that..	13:51
ayoung	as I said, unset those variables and try again	13:52
aj2	I am assuming that 1.5.2 from pypi corresponds to 1.5.2 tag of git repo.	13:52
tyagiprince	ayoung: still getting the same error	13:53
tyagiprince	ERROR: openstack An unexpected error prevented the server from fulfilling your request. (HTTP 500)	13:53
ayoung	tyagiprince, no that is a different error	13:53
ayoung	500 menas the server is misconfigured	13:53
ayoung	go look at the Keystone log and see what it reports. SHould be a stack trace	13:53
*** ninag has joined #openstack-keystone		13:54
tyagiprince	ayoung: ERROR keystone.common.wsgi [-] {'info': '000020D6: SvcErr: DSID-0310081B, problem 5012 (DIR_ERROR), data 0\\n', 'desc': 'Operations error'}	13:55
*** roxanaghe has joined #openstack-keystone		13:55
*** zouyee has quit IRC		13:56
aj2	ayoung, stevemar, dstanek ^^	13:57
ayoung	aj2, at what are you pointing?	13:57
aj2	I am pointing at 1.5.2 from pypi.	13:58
aj2	Kilo branch of glance requires keystonemiddleware<1.6.0,>=1.5.0	13:59
ayoung	aj2, go fix glance, then, as that is drainbead	13:59
*** jerrygb has joined #openstack-keystone		14:00
*** roxanaghe has quit IRC		14:01
aj2	ayoung, What is the relation between tags and branches in git when it comes to keystonemiddleware?	14:01
openstackgerrit	Olivier Pilotte proposed openstack/keystone: Accepts Group IDs from the IdP without domain https://review.openstack.org/210581	14:01
dstanek	aj2: yeah, not much we can do about that. also note that the libraries are released using a different schedule than the services	14:01
dstanek	aj2: i'd have to assume the tag matches the release	14:01
tyagiprince	ayoung: Cause of 5012 error is : User could not be found. Most likely due to DN settings in the User Search tab or the suffix or prefix fields in the Settings tab.	14:02
tyagiprince	I will try fixing this..	14:02
aj2	dstanek, agreed. Thanks. If we follow a different model for the libraries then what's the point in doing branching?	14:03
aj2	I am just trying to understand how this works. I am not questioning anything. :)	14:03
*** pnavarro\|lunch is now known as pnavarro		14:04
dstanek	aj2: not sure, but i assume it's the last version released in that cycle	14:04
*** jerrygb has quit IRC		14:05
*** daemontool_ has joined #openstack-keystone		14:08
openstackgerrit	Brant Knudson proposed openstack/keystone: AuthContextMiddleware admin token handling https://review.openstack.org/198931	14:09
*** daemontool has quit IRC		14:09
dstanek	aj2: basically 1.5.x is kilo and may see new releases for bug fixes (x +1).	14:10
openstackgerrit	zouyee proposed openstack/keystone: notification.Audit.update needed to be changed from service_id to ref['id'] https://review.openstack.org/247324	14:11
*** petertr7_away is now known as petertr7		14:13
*** jerrygb has joined #openstack-keystone		14:14
openstackgerrit	Brant Knudson proposed openstack/keystone: Config option for insecure responses https://review.openstack.org/207226	14:16
*** daemontool_ has quit IRC		14:16
*** daemontool_ has joined #openstack-keystone		14:17
*** dims has joined #openstack-keystone		14:27
*** zouyee has joined #openstack-keystone		14:27
aj2	dstanek, Thanks a lot. So right now since Kilo is a bit ahead of 1.5.2(latest in 1.5.x) version, we should expect a 1.5.2+ in near future.	14:29
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/247113	14:29
openstackgerrit	Brant Knudson proposed openstack/keystone: Merge keystone.config into keystone.common.config https://review.openstack.org/237209	14:30
*** agireud has quit IRC		14:31
jordanP	stevemar_, ping ?	14:33
jordanP	do you plan to release a keystonemiddleware 1.5.3 for Kilo ?	14:33
xek	lbragstad, dolphm, mfisch, clayton, can I join on the effort of eventlet removal by proposing a patch?	14:33
stevemar_	jordanP: we could, what's wrong with the current? is there a bug?	14:34
jordanP	that would include the cap to python-requests < 2.8 ? (synced from global-requirements yesterday)	14:34
xek	lbragstad, dolphm, mfisch, clayton, I added a bug for this https://bugs.launchpad.net/keystone/+bug/1517929	14:34
openstack	Launchpad bug 1517929 in OpenStack Identity (keystone) "Eventlet removal" [Undecided,New]	14:34
*** jyuso1 has quit IRC		14:34
*** aj2 has quit IRC		14:35
jordanP	yeah, so, now keystonemiddleware on Kilo has no upper bound for python-requests. So it can pull python-requests 2.8.1. But since yesterday glanceclient requires python-requests < 2.8	14:35
jordanP	so if you try to install keystonemiddleware then glanceclient (Kilo), glance complains	14:35
*** dave-mccowan has quit IRC		14:35
jordanP	glanceclient I mean	14:35
*** agireud has joined #openstack-keystone		14:37
jordanP	I am far from an expert in these dependency issues, but imo you should tag 1.5.3 with the update from global requirements from yesterday and publish it to pypi	14:37
jordanP	maybe I am wrong though :)	14:38
stevemar_	jordanP: so these are the differences in ksm that you'll get https://github.com/openstack/keystonemiddleware/compare/stable/kilo	14:38
stevemar_	and yes, you are right, it would pull down 2.8.1 of requests	14:38
openstackgerrit	Brant Knudson proposed openstack/keystone: Use [] where a field is required https://review.openstack.org/246617	14:38
jordanP	stevemar_, I am only interested in https://github.com/openstack/keystonemiddleware/commit/d56d96c8d33556e35ca2abffed689753ee0be740	14:39
stevemar_	jordanP: yeah, but you'll get them all :)	14:39
jordanP	I mean, this is what's blocking me now	14:39
*** edmondsw has joined #openstack-keystone		14:39
stevemar_	jordanP: strange that the CI passed for glanceclient	14:39
stevemar_	jordanP: file a bug with glanceclient and keystonemiddleware and we can release a new version	14:40
jordanP	maybe there's an ordering thing that saves us, i.e requests < 2.8 is first pulled by something else than ksm	14:40
jordanP	already a bug in glanceclient here: https://bugs.launchpad.net/keystonemiddleware/+bug/1476770	14:41
openstack	Launchpad bug 1476770 in python-glanceclient "_translate_from_glance fails with "AttributeError: id" in grenade" [High,In progress] - Assigned to Flavio Percoco (flaper87)	14:41
dstanek	jordanP: yes, that sounds likely	14:41
stevemar_	jordanP: awesome	14:42
stevemar_	dhellmann: ^^^ suggest you read scroll up	14:42
stevemar_	jordanP: the only catch is that we typically don't release on thursday/friday	14:43
jordanP	sure, I think it can wait as it's not hitting in the gate. But I do reproduce in my internal CI	14:43
openstackgerrit	Steve Martinelli proposed openstack/keystone: deprecate `enabled` option for endpoint-policy extension https://review.openstack.org/247305	14:48
jordanP	stevemar_, this is what you will actually get : https://github.com/openstack/keystonemiddleware/compare/fd12825acb92db08aea588522f9a91d7091f3a32...stable/kilo (the diff between 1.5.2 and stable/kilo)	14:49
jordanP	the global-requirements has already landed in branch stable/kil	14:50
stevemar_	jordanP: yep, the other stuff in my link was since we started kilo	14:50
jordanP	yep	14:50
*** erhudy has joined #openstack-keystone		14:50
samueldmq	stevemar_: ping - could you revisit #239948 , per you last comment, we need a decision on whether to go with that or not	14:52
stevemar_	samueldmq: that the roles in token one?	14:54
samueldmq	stevemar_: yes, to restrict the number of role a usre can be assigned	14:54
stevemar_	samueldmq: i thought i was clear on that :)	14:54
stevemar_	maybe i was just clear in my mind	14:54
stevemar_	link me bro	14:55
stevemar_	!	14:55
samueldmq	stevemar_: if we go with that, the default must be "no limit", to be compatible with ALL the existing deployments	14:55
samueldmq	stevemar_: https://review.openstack.org/#/c/239948/	14:55
stevemar_	jordanP: https://review.openstack.org/247553	14:56
samueldmq	stevemar_: that was clear to me too, and given your feedback, I'd suggest discussing that in a meeting	14:56
*** roxanaghe has joined #openstack-keystone		14:57
samueldmq	stevemar_: before putting more effort in imlementation, and mainly in reviews	14:57
jordanP	stevemar_, awesome, thanks !	14:57
samueldmq	stevemar_: perhaps a -2 is more appropriate to make things clearer :p	14:58
*** pumaranikar has joined #openstack-keystone		14:59
tyagiprince	ayoung: hey adam... do I need to kerberize me keystone in order to use ldap?	14:59
*** breitz has quit IRC		15:00
*** roxanaghe has quit IRC		15:01
*** ninag has quit IRC		15:02
*** davechen has joined #openstack-keystone		15:03
*** ninag has joined #openstack-keystone		15:03
*** rcernin has quit IRC		15:03
*** ninag has quit IRC		15:03
*** ninag has joined #openstack-keystone		15:04
*** jasonsb has joined #openstack-keystone		15:04
*** breitz has joined #openstack-keystone		15:04
ayoung	tyagiprince, no, but it can't hurt...well, of course it can. I'd actually recommend it, but then...depends on how far you are willing to take it	15:06
*** dave-mccowan has joined #openstack-keystone		15:07
openstackgerrit	Steve Martinelli proposed openstack/keystone: remove useless config option in endpoint filter https://review.openstack.org/247303	15:08
openstackgerrit	Steve Martinelli proposed openstack/keystone: remove useless config option in endpoint filter https://review.openstack.org/247303	15:08
*** dave-mcc_ has joined #openstack-keystone		15:08
openstackgerrit	Steve Martinelli proposed openstack/keystone: deprecate `enabled` option for endpoint-policy extension https://review.openstack.org/247305	15:08
*** ninag has quit IRC		15:09
*** dave-mccowan has quit IRC		15:12
*** slberger has joined #openstack-keystone		15:12
samueldmq	stevemar_: thanks!	15:12
*** jdennis has quit IRC		15:13
davechen	stevemar_: I understand the extension like endpoint_filter and other extensions should remove the config directly, question is why should only deprecate endpoint-policy?	15:13
stevemar_	davechen: it was released in liberty :(	15:14
davechen	what's the difference i didn't see?	15:14
davechen	ha, see it.	15:14
*** breitz has quit IRC		15:15
openstackgerrit	Steve Martinelli proposed openstack/keystone: deprecate `enabled` option for endpoint-policy extension https://review.openstack.org/247305	15:15
*** tyagiprince has quit IRC		15:17
*** tyagiprince has joined #openstack-keystone		15:17
davechen	so, it's better to show this message in yaml file, then it will not be suprised for us.	15:17
stevemar_	davechen: yeah, and it serves as a reminder for us to remove it in O	15:17
*** davechen1 has joined #openstack-keystone		15:19
davechen1	stevemar_: i think it's has already enabled by default, the word may change a little, or just blame on my poor english.	15:19
*** tyagiprince has quit IRC		15:20
*** tonytan4ever has joined #openstack-keystone		15:21
*** davechen has quit IRC		15:21
*** jaosorior has quit IRC		15:22
*** jaosorior has joined #openstack-keystone		15:22
*** zouyee has quit IRC		15:23
*** tyagiprince has joined #openstack-keystone		15:24
openstackgerrit	Monty Taylor proposed openstack/python-keystoneclient: Swap the order of username deprecation https://review.openstack.org/247574	15:25
*** timcline has joined #openstack-keystone		15:25
openstackgerrit	Monty Taylor proposed openstack/python-keystoneclient: Swap the order of username deprecation https://review.openstack.org/247574	15:26
mordred	stevemar_: ^^ see conversation in -infra - the above patch is to deal with a pile of deprecation warning spam in log files, which also tells people to change option names to a thing which actually does not work	15:27
*** KarthikB has joined #openstack-keystone		15:29
*** kiran-r has quit IRC		15:30
*** jimbaker has quit IRC		15:31
*** tyagiprince has quit IRC		15:33
stevemar_	mordred: fantastical	15:34
stevemar_	dstanek: another easy one: https://review.openstack.org/#/c/247302/	15:35
stevemar_	mordred: "because literally nothing has migrated to using keystoneauth yet"	15:36
*** test has joined #openstack-keystone		15:36
stevemar_	sadness	15:36
*** test has quit IRC		15:36
*** roxanaghe has joined #openstack-keystone		15:39
edmondsw	mordred, I'd opened a bug for that a while ago... https://bugs.launchpad.net/python-keystoneclient/+bug/1498247	15:39
openstack	Launchpad bug 1498247 in python-keystoneclient "incorrect deprecation warning for v3 username conf setting" [Medium,Triaged]	15:39
edmondsw	can you update the commit to Closes-Bug ?	15:40
openstackgerrit	ayoung proposed openstack/keystone-specs: converted implied_roles url segments https://review.openstack.org/247586	15:40
*** jimbaker has joined #openstack-keystone		15:40
*** jimbaker has quit IRC		15:40
*** jimbaker has joined #openstack-keystone		15:40
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/247113	15:46
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystoneauth: Updated from global requirements https://review.openstack.org/247603	15:46
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystoneauth-saml2: Updated from global requirements https://review.openstack.org/247604	15:46
*** jimbaker has quit IRC		15:46
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements https://review.openstack.org/243925	15:46
*** fawadkhaliq has joined #openstack-keystone		15:47
openstackgerrit	Kent Wang proposed openstack/keystone: Add Trusts unique constraint to remove duplicates https://review.openstack.org/239114	15:48
openstackgerrit	Steve Martinelli proposed openstack/python-keystoneclient: Swap the order of username deprecation https://review.openstack.org/247574	15:48
stevemar_	edmondsw: updated mordred's bug	15:48
*** topol has joined #openstack-keystone		15:49
*** ChanServ sets mode: +v topol		15:49
openstackgerrit	OpenStack Proposal Bot proposed openstack/oslo.policy: Updated from global requirements https://review.openstack.org/247140	15:51
*** jimbaker has joined #openstack-keystone		15:51
*** jimbaker has quit IRC		15:51
*** jimbaker has joined #openstack-keystone		15:51
openstackgerrit	OpenStack Proposal Bot proposed openstack/pycadf: Updated from global requirements https://review.openstack.org/247637	15:52
openstackgerrit	OpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/247154	15:52
openstackgerrit	OpenStack Proposal Bot proposed openstack/python-keystoneclient-kerberos: Updated from global requirements https://review.openstack.org/247642	15:52
openstackgerrit	Steve Martinelli proposed openstack/keystone: Add release notes for mitaka thus far https://review.openstack.org/246749	15:53
mordred	edmondsw: thanks!	15:54
edmondsw	mordred, stevemar, thank you :)	15:54
*** KarthikB has quit IRC		15:55
*** ankurgupta1 has joined #openstack-keystone		15:55
*** ankurgupta1 has left #openstack-keystone		15:55
*** fhubik has quit IRC		15:55
*** KarthikB has joined #openstack-keystone		15:56
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/247113	15:56
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystoneauth: Updated from global requirements https://review.openstack.org/247603	15:56
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystoneauth-saml2: Updated from global requirements https://review.openstack.org/247604	15:56
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements https://review.openstack.org/243925	15:56
xek	breton_, Hi, can you help with reviewing the spec https://review.openstack.org/#/c/245186/ ?	16:00
dstanek	stevemar_: would you ever really revert that change? what was the motivation to go with user-name over username?	16:00
openstackgerrit	OpenStack Proposal Bot proposed openstack/oslo.policy: Updated from global requirements https://review.openstack.org/247140	16:00
openstackgerrit	OpenStack Proposal Bot proposed openstack/pycadf: Updated from global requirements https://review.openstack.org/247637	16:00
openstackgerrit	OpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/247154	16:01
*** roxanaghe has quit IRC		16:01
*** exploreshaifali has joined #openstack-keystone		16:02
*** roxanaghe has joined #openstack-keystone		16:02
mordred	dstanek: I'd argue that we should never revert that change, mainly because poking all of the world's operators and asking them to update their config files to say user-name instead of username is ... yeah	16:03
dims	mordred ++	16:03
dstanek	mordred: i would agree	16:03
*** dave-mcc_ has quit IRC		16:05
openstackgerrit	Lance Bragstad proposed openstack/keystone: Add caching to role assignments https://review.openstack.org/215715	16:08
*** exploreshaifali has quit IRC		16:09
*** exploreshaifali has joined #openstack-keystone		16:10
*** csoukup has joined #openstack-keystone		16:12
*** mylu has joined #openstack-keystone		16:14
*** aix has quit IRC		16:14
*** pnavarro is now known as pnavarro\|afk		16:15
openstackgerrit	Kent Wang proposed openstack/keystone: Add Trusts unique constraint to remove duplicates https://review.openstack.org/239114	16:16
notmorgan	mordred: ++	16:16
*** topol_ has joined #openstack-keystone		16:17
*** ChanServ sets mode: +v topol_		16:17
*** mylu has quit IRC		16:17
*** mylu has joined #openstack-keystone		16:17
*** topol has quit IRC		16:19
*** mylu has quit IRC		16:19
*** mylu has joined #openstack-keystone		16:19
*** fawadkhaliq has quit IRC		16:19
*** fawadkhaliq has joined #openstack-keystone		16:20
dstanek	where's the docs for the new release notes tooling?	16:22
*** mylu has quit IRC		16:24
*** mylu has joined #openstack-keystone		16:24
*** ninag has joined #openstack-keystone		16:24
*** petertr7 is now known as petertr7_away		16:25
*** dave-mccowan has joined #openstack-keystone		16:25
*** urulama has quit IRC		16:26
*** urulama has joined #openstack-keystone		16:26
bknudson_	dstanek: http://docs.openstack.org/developer/keystone/developing.html#release-notes	16:28
*** petertr7_away is now known as petertr7		16:28
*** LukeHinds has joined #openstack-keystone		16:28
*** mylu has quit IRC		16:28
openstackgerrit	Henrique Truta proposed openstack/keystone: Tests for projects acting as domains https://review.openstack.org/211219	16:28
openstackgerrit	Henrique Truta proposed openstack/keystone: Manager support for projects acting as domains https://review.openstack.org/213448	16:28
openstackgerrit	Henrique Truta proposed openstack/keystone: Bye Bye Domain Table https://review.openstack.org/161854	16:28
openstackgerrit	Henrique Truta proposed openstack/keystone: Remove domain table references https://review.openstack.org/165936	16:28
openstackgerrit	Henrique Truta proposed openstack/keystone: Projects acting as domains https://review.openstack.org/231289	16:28
openstackgerrit	Henrique Truta proposed openstack/keystone: Removes project.domain_id FK https://review.openstack.org/233274	16:28
openstackgerrit	Henrique Truta proposed openstack/keystone: Change project name constraints https://review.openstack.org/158372	16:28
openstackgerrit	Henrique Truta proposed openstack/keystone: Add is_domain parameter to get_project_by_name https://review.openstack.org/210600	16:28
*** fawadkhaliq has quit IRC		16:29
*** EinstCrazy has quit IRC		16:36
*** mylu has joined #openstack-keystone		16:38
ayoung	rodrigods, can you take another look at https://review.openstack.org/#/c/210600/34 since you and Henrynash are the only ones that have taken the time to understand it yet, I would appreciate you giving it a look over before I tackle it	16:40
*** muralia has quit IRC		16:40
stevemar_	dstanek: yeah, by eventually i meant in 152 years	16:41
*** jbell8 has joined #openstack-keystone		16:41
stevemar_	dstanek: regarding rendered output for releasenotes, you can wait for the job to finish, and pull it down and do `tox -e releasenotes` yourself	16:43
*** tyagiprince has joined #openstack-keystone		16:44
*** jaosorior has quit IRC		16:44
*** jaosorior_ has joined #openstack-keystone		16:44
rodrigods	ayoung, sure! :)	16:44
*** mylu has quit IRC		16:44
*** mylu has joined #openstack-keystone		16:45
stevemar_	dstanek: the 'gate-keystone-releasenotes' has the output	16:46
dstanek	bknudson_: stevemar_: thx	16:46
stevemar_	dstanek: and for future reference, they are eventually ported to here: http://docs.openstack.org/releasenotes/keystone/	16:46
stevemar_	dstanek: a quick tip, the for $reason, the rendered output is always in the 'unreleased' notes, until it gets merged in the right branch	16:47
dstanek	go away for one week and everything changes :-)	16:47
stevemar_	dstanek: yup!	16:47
stevemar_	dstanek: so start making release notes as we go along	16:47
*** tyagiprince has quit IRC		16:48
stevemar_	dstanek: oh btw https://review.openstack.org/#/c/235731/	16:48
stevemar_	bknudson_: hmm, do we need release notes for how keystone is installed with 'extras' ?	16:49
*** mylu_ has joined #openstack-keystone		16:49
*** alejandrito has joined #openstack-keystone		16:49
*** e0ne has quit IRC		16:49
bknudson_	stevemar_: we did that in L	16:50
bknudson_	http://git.openstack.org/cgit/openstack/keystone/tree/setup.cfg?h=stable/liberty#n23	16:50
*** mylu has quit IRC		16:50
bknudson_	(although it's still not merged in devstack)	16:50
*** fawadkhaliq has joined #openstack-keystone		16:50
stevemar_	oh for the ldap and bandit bits	16:50
stevemar_	bknudson_: i meant for https://review.openstack.org/#/c/235731/	16:50
*** tonytan4ever has quit IRC		16:50
*** belmoreira has quit IRC		16:51
stevemar_	should we backport a release note for that?	16:51
bknudson_	I don't understand why we're doing https://review.openstack.org/#/c/235731/ -- isn't fernet going to be the default?	16:51
stevemar_	it's not now	16:51
*** mylu_ has quit IRC		16:51
*** gyee has joined #openstack-keystone		16:51
*** ChanServ sets mode: +v gyee		16:51
stevemar_	but i'm not telepathic, so i didn't know you wanted to say that	16:51
dolphm	don't we already use cryptography somewhere?	16:51
*** mylu has joined #openstack-keystone		16:51
lbragstad	bknudson_ yeah, that the idea. but that's what i'm currently working on	16:51
lbragstad	and it's tedious	16:52
stevemar_	dolphm: we do?	16:52
*** mylu has quit IRC		16:52
bknudson_	stevemar_: adding a release note for the extras stuff would be good.	16:52
stevemar_	a wild dolphm appears	16:52
dolphm	i heard a fernet	16:52
*** mylu has joined #openstack-keystone		16:52
bknudson_	dolphm should change his nick to fernet	16:52
lbragstad	we only use fernet in fernet/utils.py and fernet/token_formatters.py	16:53
lbragstad	well, we only use cryptography	16:53
lbragstad	specifically fernet	16:53
dolphm	lbragstad: ah - i'm thinking of whatever we use for creating passwords	16:54
dolphm	lbragstad: don't remember the lib	16:54
lbragstad	hashlib?	16:54
stevemar_	dolphm: lbragstad bknudson_ i'm fine with dropping the patch	16:54
lbragstad	i don't remember either	16:54
lbragstad	stevemar_ bknudson_ dolphm fyi, i have absolutely no idea how didn't fail the gate - https://review.openstack.org/#/c/231191/	16:54
lbragstad	that actually has the time.sleep(1) in the wrong spot :(	16:55
*** mylu has quit IRC		16:55
stevemar_	lbragstad: ruh roh	16:55
lbragstad	yes, i posted a follow on patch	16:55
bknudson_	unless the packages impose some odd stuff like binary libraries I don't think there's a compelling reason to make it optional.	16:55
lbragstad	https://review.openstack.org/#/c/247678/	16:55
bknudson_	or if a packager complains	16:55
bknudson_	did someone complain about the cryptography requirement?	16:56
bknudson_	or msgpack?	16:56
stevemar_	i complain about msgpack	16:56
bknudson_	we should use JSON!	16:56
bknudson_	(or XML?)	16:57
*** tyagiprince has joined #openstack-keystone		16:57
openstackgerrit	Lance Bragstad proposed openstack/keystone: Deprecate the pki and pkiz token providers. https://review.openstack.org/241389	16:57
bknudson_	pickle?	16:57
* stevemar_ stabs bknudson_ with a fish		16:57
stevemar_	lbragstad: thanks!	16:57
dstanek	bknudson_: i love xml	16:57
* stevemar_ slaps dstanek with a porkchop		16:58
stevemar_	keep saying it	16:58
lbragstad	xml	16:58
bknudson_	we're getting all sorts of delicious meats	16:58
* lbragstad hopes to get stabbed with bbq		16:58
* stevemar_ hits lbragstad over the head with prime rib		16:58
lbragstad	yes!	16:58
dstanek	s/yaml\|json/xml/	16:58
* dstanek is hoping for beef jerkey this time		16:58
*** mylu has joined #openstack-keystone		17:00
*** wuhg has quit IRC		17:01
*** mylu has quit IRC		17:01
*** mylu has joined #openstack-keystone		17:02
*** sshen_ is now known as sshen		17:02
lbragstad	dolphm fyi, i think gatewatch.dolphm.com is down?	17:03
*** tonytan4ever has joined #openstack-keystone		17:03
*** arunkant_ has joined #openstack-keystone		17:04
*** mylu has quit IRC		17:07
*** aj2 has joined #openstack-keystone		17:07
*** jistr has quit IRC		17:14
*** stevemar_ has quit IRC		17:14
*** roxanaghe has quit IRC		17:19
*** stevemar_ has joined #openstack-keystone		17:20
*** ChanServ sets mode: +o stevemar_		17:20
stevemar_	gosh dangit, we have a bp targeted to liberty, noooo	17:22
openstackgerrit	Steve Martinelli proposed openstack/keystone-specs: Optionally return names in the list assignment API. https://review.openstack.org/240466	17:25
*** tonytan4ever has quit IRC		17:25
*** petertr7 is now known as petertr7_away		17:25
*** shardy has quit IRC		17:26
*** doug-fish has quit IRC		17:27
*** doug-fish has joined #openstack-keystone		17:32
openstackgerrit	Monty Taylor proposed openstack/keystoneauth: Add argparse registration from Adapter objects https://review.openstack.org/245304	17:35
openstackgerrit	Monty Taylor proposed openstack/keystoneauth: Put Session options into an option group https://review.openstack.org/247699	17:35
mordred	notmorgan: ^^ now with tests	17:36
notmorgan	mordred: woo	17:36
*** dims has quit IRC		17:36
notmorgan	mordred: looking now	17:36
*** doug-fis_ has joined #openstack-keystone		17:37
*** doug-fish has quit IRC		17:38
dstanek	stevemar_: need a time machine?	17:38
*** erhudy has quit IRC		17:39
*** mhickey has quit IRC		17:40
*** tyagiprince has quit IRC		17:41
*** doug-fis_ has quit IRC		17:42
stevemar_	dstanek: i've got a tardis	17:42
*** tyagiprince has joined #openstack-keystone		17:43
*** shaleh has joined #openstack-keystone		17:43
*** daemontool_ has quit IRC		17:44
*** daemontool_ has joined #openstack-keystone		17:44
notmorgan	mordred: looks good to me	17:45
mordred	woot!	17:45
notmorgan	easy to read tests ftw	17:45
* mordred does a little dance		17:45
notmorgan	and i finally got my hotel expense report done	17:45
dstanek	notmorgan: from tokyo?	17:47
notmorgan	dstanek: yeah	17:47
notmorgan	was having a hard time getting receipt copies	17:47
dstanek	last i looked the charge hadn't come through the Rax system :-(	17:47
openstackgerrit	Deepti Ramakrishna proposed openstack/keystone: Reject user creation using admin token without domain https://review.openstack.org/196942	17:48
*** tonytan4ever has joined #openstack-keystone		17:51
bknudson_	I called the hotel and asked for a receipt to be emailed but didn't get one	17:55
bknudson_	then I checked my luggage and they'd given me a copy.	17:55
*** mylu has joined #openstack-keystone		17:56
tyagiprince	ayoung: still not able to debug that error..	17:57
tyagiprince	ERROR: openstack The request you have made requires authentication. (HTTP 401)	17:57
tyagiprince	when configuring ldap with keystone..	17:58
*** breitz has joined #openstack-keystone		17:58
*** shaleh is now known as shaleh\|away		18:02
*** pnavarro\|afk has quit IRC		18:04
*** pumaranikar has quit IRC		18:05
*** dims has joined #openstack-keystone		18:06
*** lhcheng has joined #openstack-keystone		18:06
*** ChanServ sets mode: +v lhcheng		18:06
*** jaosorior_ has quit IRC		18:07
*** mylu has quit IRC		18:07
*** lhcheng_ has joined #openstack-keystone		18:08
*** jbell8 has quit IRC		18:08
*** mylu has joined #openstack-keystone		18:09
*** jamielennox\|away is now known as jamielennox		18:09
*** lhcheng has quit IRC		18:11
openstackgerrit	Merged openstack/keystone-specs: Optionally return names in the list assignment API. https://review.openstack.org/240466	18:12
*** pumaranikar has joined #openstack-keystone		18:13
*** aj2 has quit IRC		18:18
edmondsw	stevemar... saw you abandoned https://review.openstack.org/#/c/235731/	18:18
*** EinstCrazy has joined #openstack-keystone		18:18
edmondsw	but even if fernet becomes the default, it's still optional... so this would still be needed	18:18
*** mylu has quit IRC		18:20
edmondsw	i.e., for those still using UUID tokens, don't force them to install cryptography and msgpack-python that are only needed for fernet	18:20
*** mylu has joined #openstack-keystone		18:20
*** gyee has quit IRC		18:20
edmondsw	bknudson ^	18:21
*** mylu has quit IRC		18:25
dstanek	edmondsw: the default should just work out of the box	18:25
*** EinstCrazy has quit IRC		18:26
*** mylu has joined #openstack-keystone		18:26
*** dims has quit IRC		18:26
edmondsw	dstanek, optional dependencies should not have to be installed	18:27
edmondsw	or s/optional dependencies/things that are not going to be used in your config/ if you prefer	18:27
*** pnavarro\|afk has joined #openstack-keystone		18:28
dstanek	it's not really optional if it's the default - by your logic we could make sqlalchemy optional too and probably most stuff	18:28
edmondsw	if there are other things that should be extras because they are also optional, we should address them too	18:30
*** jordanP has left #openstack-keystone		18:30
edmondsw	wouldn't sqlalchemy be required in any config?	18:30
*** mylu has quit IRC		18:31
openstackgerrit	Sean Perry proposed openstack/keystone: Use new_policy_ref consistently https://review.openstack.org/247257	18:34
*** henrynash has joined #openstack-keystone		18:35
*** ChanServ sets mode: +v henrynash		18:35
jamielennox	mordred -1ed your ksa patches :-)	18:38
dstanek	edmondsw: why? you could use all mongo drivers if you wanted to	18:40
dstanek	edmondsw: i think the default should just work without doing any extra steps	18:40
edmondsw	didn't realize we supported mongo	18:41
*** lhcheng_ has quit IRC		18:41
edmondsw	I think it would be great if the default worked without doing any extra steps, but we have two needs in conflict here... is the higher priority making it dummy-proof or giving folks the flexibility to not install things they don't need.	18:42
dstanek	edmondsw: we don't have a mongo driver in-tree for everything, but that doesn't mean that they don't exist	18:44
dstanek	edmondsw: i'd error on the side of installing too much. is it causing a problem?	18:45
*** petertr7_away is now known as petertr7		18:45
edmondsw	in a way, yes... my product doesn't use fernet (today), so we don't need these. And we're legally required to go through all kinds of rigamarole to certify any packages that have crypto in them, like cryptography	18:46
edmondsw	I'd rather not include cryptography, so I don't have to go through that	18:46
*** david-lyle has quit IRC		18:48
edmondsw	why would fernet become the default in mitaka, anyway? As I understand it there is still a lot of work going on there.	18:48
edmondsw	shouldn't we finish that, and then talk about making it the default in N when it's been proven stable?	18:48
edmondsw	we have very few users on fernet today, right? Let's get more users on it to flush out issues before we make it default	18:49
*** jrist has quit IRC		18:49
mordred	jamielennox: awesome!	18:50
mordred	jamielennox: agree on Session -1 patch - fix coming	18:51
jamielennox	Yea, that one's easy. The second one I'm not sure how is going to work	18:51
*** pnavarro\|afk has quit IRC		18:51
*** dims has joined #openstack-keystone		18:52
dstanek	edmondsw: i think we've declare it to have some level of stability and it solves many of the problems people are currently having. dolphm or lbragstad would have to elaborate on the stability though	18:53
*** fawadkhaliq has quit IRC		18:54
dstanek	edmondsw: you don't have to install it with your product if you don't use it	18:54
dstanek	edmondsw: you just have to roll your own wheel (or package)	18:54
edmondsw	I kind of do... the rpms are built based off requirements.txt	18:54
edmondsw	or that	18:55
mordred	jamielennox: yah - writing a reply - but I've got a working patch for python-novaclient that consumes this (it does not look like it works in gerrit due to dependency chain)	18:55
mordred	jamielennox: You may want to take a peek at https://review.openstack.org/#/c/241715/ and https://review.openstack.org/#/c/245200/ for examples of usage.	18:55
jamielennox	Will do	18:55
mordred	jamielennox: I mean, the novaclient patch needs a total rework - I wrote it originally and then reworked both the ksa and occ bits ...	18:56
mordred	but I'm running it locally and it's working well	18:56
*** LukeHinds has quit IRC		18:56
*** ninag has quit IRC		18:56
*** ninag has joined #openstack-keystone		18:57
jamielennox	I've thought for a while there needed to be load_from methods for the clients so I'm good with the idea	18:57
mordred	jamielennox: sweet. that's the most important thing -the rest are details :)	18:58
notmorgan	jamielennox: I also responded to your comment on the adapter bit	18:58
notmorgan	jamielennox: glad you're on board with the load from methods	18:59
openstackgerrit	Merged openstack/keystone-specs: converted implied_roles url segments https://review.openstack.org/247586	19:00
jamielennox	There's been talk of a base oslo.apoclient library which i thought would provide it, i don't know if a BaseClient class should belong to keystoneauyh	19:01
*** ninag has quit IRC		19:01
*** ninag_ has joined #openstack-keystone		19:01
jamielennox	But id be OK with putting it there if no other choice	19:01
mordred	jamielennox: actually, looking at what novaclient is doing - I don't think there is a ton we need to do in a base apiclient	19:02
notmorgan	jamielennox: not sure if distinction between ksa and the base client is worth having a separate package.	19:02
mordred	LegacyJSONAdapter is already in ksa	19:03
mordred	which is the actual interface the rest of novaclient uses	19:03
notmorgan	mordred: true	19:03
*** ayee has joined #openstack-keystone		19:03
mordred	the rest is just arguments from novaclient to various ksa constructors (which we've got taken care of already)	19:03
ayee	Can I point a single domain (Default) to two different LDAP OUs ?	19:03
ayee	for example if I had one OU with People and another with Service accounts?	19:03
mordred	so I really don't know that there is much more for a baseclient to do	19:03
*** e0ne has joined #openstack-keystone		19:04
jamielennox	There's not much, it'd mostly serve to make sure people use it the right way and to provide some load_from style functions	19:05
*** roxanaghe has joined #openstack-keystone		19:05
*** tyagiprince has quit IRC		19:06
jamielennox	Probably the most useful thing to go there would be some documentation on how to subclass it for consistency	19:06
dims	jamielennox : we don't want to do the apiclient thingy anymore	19:07
*** ninag_ has quit IRC		19:09
*** ninag has joined #openstack-keystone		19:10
jamielennox	dims good, there's not much in their worth reusing	19:10
*** ninag has quit IRC		19:12
*** ninag has joined #openstack-keystone		19:12
*** ninag has quit IRC		19:15
jamielennox	Plane, back in a few hours	19:15
*** ninag has joined #openstack-keystone		19:15
openstackgerrit	Fangzhou Xu proposed openstack/keystone: Make getting token revocation list 9x faster on Mysql https://review.openstack.org/239608	19:15
*** jamielennox is now known as jamielennox\|away		19:16
*** jrist has joined #openstack-keystone		19:18
*** jrist has quit IRC		19:18
*** jrist has joined #openstack-keystone		19:18
openstackgerrit	Steve Martinelli proposed openstack/keystone: Add release notes for mitaka thus far https://review.openstack.org/246749	19:18
*** muralia has joined #openstack-keystone		19:18
openstackgerrit	Boris Bobrov proposed openstack/keystone: Enable limiting in ldap for groups https://review.openstack.org/234849	19:21
openstackgerrit	Boris Bobrov proposed openstack/keystone: Use @truncated in ldap for users https://review.openstack.org/233070	19:21
openstackgerrit	Boris Bobrov proposed openstack/keystone: Tests for limiting the output https://review.openstack.org/247749	19:21
*** jasonsb has quit IRC		19:22
breton_	xek: will do tomorrow!	19:22
*** lhcheng has joined #openstack-keystone		19:22
*** ChanServ sets mode: +v lhcheng		19:22
openstackgerrit	Monty Taylor proposed openstack/keystoneauth: Put Session options into an option group https://review.openstack.org/247699	19:22
mordred	jamielennox\|away, stevemar_, notmorgan: I believe that coveres jamielennox\|away's concerned ^^	19:23
notmorgan	looking	19:23
*** ayee has left #openstack-keystone		19:23
notmorgan	much better name there.	19:24
*** doug-fish has joined #openstack-keystone		19:25
*** fangxu has joined #openstack-keystone		19:27
*** gyee has joined #openstack-keystone		19:29
*** ChanServ sets mode: +v gyee		19:29
openstackgerrit	Boris Bobrov proposed openstack/keystone: Enable limiting in ldap for groups https://review.openstack.org/234849	19:30
openstackgerrit	Boris Bobrov proposed openstack/keystone: Limiting for fake LDAP https://review.openstack.org/247749	19:30
openstackgerrit	Boris Bobrov proposed openstack/keystone: Use @truncated in ldap for users https://review.openstack.org/233070	19:30
*** ninag has quit IRC		19:30
*** ninag has joined #openstack-keystone		19:31
*** peter-hamilton has joined #openstack-keystone		19:31
*** ninag has quit IRC		19:33
*** ninag has joined #openstack-keystone		19:33
breton_	gyee: I've tested ^ on live ldap and it worked	19:35
breton_	gyee: please review when the jobs pass	19:35
*** dims has quit IRC		19:36
gyee	breton_, sure	19:38
*** woodster_ has joined #openstack-keystone		19:38
*** jbell8 has joined #openstack-keystone		19:38
*** ninag has quit IRC		19:41
*** ninag has joined #openstack-keystone		19:41
*** ninag has quit IRC		19:41
*** ninag has joined #openstack-keystone		19:42
*** david-lyle has joined #openstack-keystone		19:43
openstackgerrit	Merged openstack/keystone: Capital letters https://review.openstack.org/247328	19:46
*** e0ne has quit IRC		19:46
*** openstackgerrit has quit IRC		19:46
*** openstackgerrit has joined #openstack-keystone		19:47
openstackgerrit	Merged openstack/keystone: remove use of magic numbers in sql migrate extension tests https://review.openstack.org/247302	19:53
openstackgerrit	Merged openstack/keystone: Add missing colon separators to inline comments https://review.openstack.org/247336	19:54
*** pumaranikar has quit IRC		19:55
*** doug-fish has quit IRC		19:56
*** doug-fish has joined #openstack-keystone		19:58
openstackgerrit	Monty Taylor proposed openstack/keystoneauth: Add argparse registration from Adapter objects https://review.openstack.org/245304	19:58
mordred	notmorgan, jamielennox\|away: ^^ updated that a little based the review comments - realized that it's a real usecase to want to register for multiple services (based on my response to jamielennox\|away from the novaclient perspective)	19:59
notmorgan	mordred: ++ that makes sense	20:01
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/247304	20:02
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/247304	20:03
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/247304	20:04
*** jbell8 has quit IRC		20:14
*** jbell8 has joined #openstack-keystone		20:17
*** jbell8 has quit IRC		20:18
*** RichardRaseley has joined #openstack-keystone		20:20
*** jbell8 has joined #openstack-keystone		20:21
*** urulama has quit IRC		20:21
*** jbell8 has quit IRC		20:30
*** fangxu has quit IRC		20:31
*** ninag has quit IRC		20:32
*** ninag has joined #openstack-keystone		20:33
*** ninag has quit IRC		20:33
*** ninag has joined #openstack-keystone		20:33
*** ninag has quit IRC		20:36
*** ninag has joined #openstack-keystone		20:36
*** ninag has quit IRC		20:41
*** tyagiprince has joined #openstack-keystone		20:42
*** muralia1 has joined #openstack-keystone		20:44
*** tyagiprince has quit IRC		20:45
*** muralia has quit IRC		20:46
*** ninag has joined #openstack-keystone		20:46
*** jerrygb has quit IRC		20:48
*** jerrygb has joined #openstack-keystone		20:49
*** jerrygb has quit IRC		20:49
*** jerrygb has joined #openstack-keystone		20:50
*** aginwala has joined #openstack-keystone		20:52
henrynash	gyee, ayoung: Had to fix up https://review.openstack.org/#/c/208152/15 since it failed to merge due to other inflight changes to test names…..when you have a mo, perhaps you could reapply your +2/As	20:55
ayoung	henrynash, will do....	20:55
henrynash	ayoung: thx	20:56
ayoung	henrynash, what'd you change to make it merge?	20:56
ayoung	just test names?	20:56
henrynash	ayoung: yes (plus I fixed up two comments that someone has spotted typos in)	20:56
openstackgerrit	henry-nash proposed openstack/keystone-specs: Domain Specific Roles https://review.openstack.org/226661	20:58
ayoung	henrynash, I +2Aed it. Rebase should not require a major rerigging	20:58
henrynash	ayoung: ok, fair enough!	20:58
ayoung	henrynash, so I need to createa V8 Role Driver...the naming is getting out of hand in that directort	20:58
ayoung	we have drivers and role_drivers and now v8_drivers...can we consolidatate somehow?	20:59
henrynash	ayoung: I know! (you mean a V9 role driver)	20:59
ayoung	henrynash, actually, yeah, I need that too. I was just talking pre-reqs to getting there	20:59
*** HenryG has left #openstack-keystone		20:59
*** peter-hamilton has quit IRC		20:59
ayoung	is there any reason to keep role driver separate from the rest of assignment? We are not moving it into its own backend	21:00
henrynash	ayoung: If you wnat, I can whip you up a V9 role driver…since I’ve just done teh assignment version!	21:00
ayoung	henrynash, that would be awesome	21:00
*** muralia1 has quit IRC		21:00
henrynash	ayoung: it will be done befoer the night is out and the wolves are a’howlin’	21:00
*** ninag has quit IRC		21:01
*** ninag has joined #openstack-keystone		21:01
*** ninag has quit IRC		21:02
*** ninag has joined #openstack-keystone		21:02
*** roxanaghe has quit IRC		21:02
*** raildo is now known as raildo-afk		21:03
*** pumaranikar has joined #openstack-keystone		21:06
*** e0ne has joined #openstack-keystone		21:08
*** RichardRaseley has quit IRC		21:09
*** pauloewerton has quit IRC		21:09
openstackgerrit	Merged openstack/keystone: Merge keystone.config into keystone.common.config https://review.openstack.org/237209	21:10
*** EinstCrazy has joined #openstack-keystone		21:11
henrynash	ayoung: are you changing any methods in the assignment driver….or just the role driver?	21:12
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/247304	21:15
*** EinstCrazy has quit IRC		21:15
ayoung	henrynash, No changes in the assignment driver.	21:17
henrynash	ayoung: ok	21:17
ayoung	The maanger or higher level calls assignment to get the explicit prior roles, and then the role drive will give the inference rules to get the rest	21:17
ayoung	so, for CRUD operations, that is all roles, and the rest is token creation or assignment listing that uses both	21:18
*** fangxu has joined #openstack-keystone		21:18
*** jerrygb has quit IRC		21:21
*** gwei3 has joined #openstack-keystone		21:25
*** roxanaghe has joined #openstack-keystone		21:27
*** RichardRaseley has joined #openstack-keystone		21:28
*** thiagop has quit IRC		21:29
*** topol_ has quit IRC		21:29
*** e0ne has quit IRC		21:30
*** ninag has quit IRC		21:32
*** muralia has joined #openstack-keystone		21:33
*** ninag has joined #openstack-keystone		21:33
*** muralia1 has joined #openstack-keystone		21:34
*** jerrygb has joined #openstack-keystone		21:35
*** jerrygb has quit IRC		21:35
*** exploreshaifali has quit IRC		21:36
*** muralia has quit IRC		21:37
*** ninag has quit IRC		21:37
*** aginwala has quit IRC		21:38
*** aginwala has joined #openstack-keystone		21:39
*** jasonsb has joined #openstack-keystone		21:40
*** daemontool_ has quit IRC		21:41
*** jbell8 has joined #openstack-keystone		21:42
*** daemontool_ has joined #openstack-keystone		21:42
*** jbell8 has quit IRC		21:43
*** jasonsb has quit IRC		21:45
openstackgerrit	ayoung proposed openstack/keystone: set `is_admin` on tokens for admin project https://review.openstack.org/240719	21:46
*** jbell8 has joined #openstack-keystone		21:47
openstackgerrit	henry-nash proposed openstack/keystone: Create new version of assignment driver interface https://review.openstack.org/242853	21:48
openstackgerrit	henry-nash proposed openstack/keystone: Create V9 Role Driver https://review.openstack.org/247805	21:48
henrynash	ayoung: https://review.openstack.org/#/c/247805/	21:48
ayoung	henrynash, so my change still go in role_drivers?	21:51
ayoung	er role_backends?	21:51
henrynash	ayoung: yes....	21:51
henrynash	there is a V9 role driver…in core	21:51
henrynash	just add you new mthods there…and add something to the release notes that are part of teh patch	21:51
gyee	henrynash, look like ayoung A+ it, sorry I just got back to my desk	21:52
henrynash	gyee: np!	21:53
*** jbell8 has quit IRC		21:53
henrynash	stevemar, dstanek, notmorgan, gyee, bknudson: hoping to get some eyes on https://review.openstack.org/#/c/242853/ - lots building up behind this as the first new V9 driver….	21:57
gyee	looking	21:57
*** jbell8 has joined #openstack-keystone		21:57
henrynash	gyee: thx!	21:58
notmorgan	henrynash: sorry been trying to ease back in. that has been a bit beastly to review (not really your fault)	21:58
dstanek	henrynash: i have already started commenting. just haven't gotten all the way through yet	21:58
dstanek	henrynash: my biggest concern was maintaining multiple versions of the model instead of dealing with the differences in code	21:59
henrynash	dstanek, notmorgan: thanks! Already a V9 role driver done the same way dependant on that one…so if I should be doing it a different way, it would be good to know soon!	21:59
notmorgan	nah. I just have been easing in to avoid revisiting burnout.	21:59
henrynash	dtsanek: yeah, I share that concern….and of course, teh model might have changed, or might not	22:00
dstanek	henrynash: i think we always want a single up to date model. otherwise it'll be hard to reason about what updates may be there when debugging.	22:01
henrynash	dstaneK: I was also trying to be conginsent of the fact that the reason we are doing this is to help peopel with custom drivers….hnce felt the maintainenance of teh complete V8 driver is file was easiest for them	22:01
dstanek	and we'd have to do conditional migrations based on the configured driver	22:02
henrynash	dtsanek: do you mean we’d change a legacy driver to work with a new model?	22:02
*** dims has joined #openstack-keystone		22:03
dstanek	henrynash: we'd only have on Assignment model and if it changes for v9 the v8 driver would get some code to makes the change transparent	22:03
*** ninag has joined #openstack-keystone		22:03
dstanek	otherwise we'd have to know what driver is configured and skip certain migrations	22:03
*** jbell8 has quit IRC		22:04
dstanek	also the operation wouldn't be able to experiment with a newer driver without updating the database	22:04
dstanek	if the DB was always up to date then they could test until their heart is content	22:04
openstackgerrit	ayoung proposed openstack/keystone: Implied Roles https://review.openstack.org/242614	22:04
gyee	henrynash, releasenotes/notes/Assignment_V9_driver-c22be069f7baccb0.yaml, that how we name files?	22:05
henrynash	I think I am persuaded! Just trying to see if that would stop us doing certain things…	22:05
ayoung	henrynash, thanks. ^^ is on the V9 interface. That look right?	22:05
henrynash	gyee: that’s what reno genertes	22:05
dstanek	henrynash: yeah, there would definitely be things that would be hard to change	22:05
*** cburgess_ has quit IRC		22:05
*** cburgess has joined #openstack-keystone		22:06
gyee	oh ok, I need to familiarize with the reno stuff	22:06
dstanek	henrynash: post dinner i'll publish my comments on your latest version	22:06
henrynash	ayoung: I think you put them in the Base driver…not in the V9 driver	22:06
henrynash	dtsanek: thanks!	22:07
ayoung	henrynash, I knew it couldn't be that easy	22:07
*** ninag has quit IRC		22:07
*** ninag has joined #openstack-keystone		22:07
henrynash	ayoung: just move the abstarct methods down to the V9 class	22:07
ayoung	OK...	22:07
stevemar_	ayoung: can you review some of the specs?	22:08
stevemar_	specifically... https://review.openstack.org/#/c/241346/	22:08
stevemar_	and https://review.openstack.org/#/c/200434/	22:09
stevemar_	henrynash: aroundish?	22:10
henrynash	stevemar_: a round dish is best for pasta?	22:10
stevemar_	henrynash: i like using bowls for pasta	22:11
stevemar_	henrynash: why is domain_id being treated so funnily here: https://review.openstack.org/#/c/226661/ ?	22:11
henrynash	stevemar_: ..to stop existing apps that list roles from being confused by gettinh back multiple roles iwth the same name	22:12
*** petertr7 is now known as petertr7_away		22:12
henrynash	stevemar_: since domain specific roles could have the same name as a global role	22:12
openstackgerrit	henry-nash proposed openstack/keystone-specs: Move inherited assignments to core, and support new inheritance rules https://review.openstack.org/200434	22:14
*** simondodsley_ has joined #openstack-keystone		22:14
stevemar_	henrynash: so listing roles without the argument (like existing apps do now) should return the roles that are global	22:16
stevemar_	and if domain id is present, it'll only return roles that are in the domain?	22:16
henrynash	stevemar_: yes	22:16
*** tonytan4ever has quit IRC		22:17
stevemar_	henrynash: i'm still not understanding why you have to say it defaults to null, isn't that obvious? rather, shouldn't it just not be there at all unless it's specified?	22:17
openstackgerrit	ayoung proposed openstack/keystone: Implied Roles https://review.openstack.org/242614	22:17
stevemar_	henrynash: the rest of the spec seems fine, i finally understand why you have domain scoped roles \o/	22:18
henrynash	stevemar_: so if you don’t specific a query param, no filtering will happen on that attribute. What I;m trying to say is that by defualt a filert IS present and its domain_id=null	22:19
henrynash	:-)	22:19
ayoung	stevemar_, in order for them to work, we need to work out the nested domain thing.	22:20
ayoung	henrynash, you down with my "url safe" suggestion? If so, I'll write up the spec.	22:20
henrynash	ayoung: not sure that’s true…I think that’ orthogonal (and more relayted to reseller)…	22:20
henrynash	ayoung: I’m going to popose a seperate spec on the url safe thing	22:21
ayoung	henrynash, you want to write it, or shall I?	22:21
henrynash	ayoung: and then teh reslller can be dependant on that	22:21
henrynash	ayoung: I’m happy to do it - will make you co-author	22:21
ayoung	I'd kind of like to give it a first hack	22:21
ayoung	unless you already have it underway.	22:22
henrynash	ayoung: it’s partially wrritten….	22:22
ayoung	henrynash, OK...I'll let you drive on...I assume that means you are OK with the approach. Any gotches of differences I should know about?	22:23
stevemar_	henrynash: i'll quit beating you up on terminology	22:23
henrynash	ayoung: I guess my only concerns is that it enas you must know the path to the root…one idea of resller is you might not know who the real cloud provdier was	22:24
*** gildub has joined #openstack-keystone		22:25
ayoung	henrynash, that can be anonymized, though	22:25
openstackgerrit	Merged openstack/keystone: Enable listing of role assignments in a project hierarchy https://review.openstack.org/208152	22:25
ayoung	henrynash you are going to know the URL of the real cloud provider no matter what. If hiding that information is important, it just means that the reseller domain has to be a top level one. It should all still work	22:27
*** lhinds has joined #openstack-keystone		22:27
henrynash	ayoung: yes, I came to that exact solution…you make teh reseller a top levek domain	22:27
stevemar_	henrynash: i have more dumb questions	22:27
ayoung	henrynash, is your spec going to just address nesting of domains, or will it cover project names as well?	22:27
ayoung	I'd like to get both, even if we implement the domain portion first	22:28
ayoung	and with that...I have to sign off. I'm getting pretty optimistic about this release.	22:28
*** ayoung has quit IRC		22:28
henrynash	ayoung: projects as well…it’sa gernal one to lay the ground work towards relaxing the name uniqueness of projects in general to be only havingto be unique within theor parent	22:29
*** lhcheng has quit IRC		22:29
stevemar_	henrynash: so domain scoped roles map back regular roles at token validation, what's the point of them...	22:29
henrynash	stevemar_: they allow a domain admin to create “roles” they and other project admins in their domain can assign tehor users….roles with names that mean somethin to them…	22:30
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/247304	22:30
stevemar_	henrynash: i get that	22:31
*** lhcheng has joined #openstack-keystone		22:31
*** ChanServ sets mode: +v lhcheng		22:31
stevemar_	henrynash: but now what's the point of those roles, they mean something to them, sure	22:31
henrynash	stevemar_: it menas that their project admins don’t have to understand teh underlying role model published by the cloud provider	22:32
*** jbell8 has joined #openstack-keystone		22:33
henrynash	(i’m probably not understanding you non-undertsanding!)	22:33
stevemar_	henrynash: no, i think i'm just thick :P	22:33
henrynash	stevemar_: that, I doubt!	22:33
stevemar_	henrynash: so if i'm a public cloud, and i have a customer, ACME in domain ACME	22:34
henrynash	yep	22:34
stevemar_	he can create admin and demo roles and developer roles for his domain	22:34
stevemar_	same as me and my over cloud	22:34
henrynash	he is a domain admin of ACME?	22:35
stevemar_	right	22:35
stevemar_	jim, ACME's domain admin goes and creates projects and assigns domain-roles to users ?	22:35
henrynash	yes, as can the doamin admin for THE_HENRY_COMPANY who is also a client of teh same public cloud	22:35
henrynash	yep	22:36
stevemar_	i'm with you so far	22:36
*** jerrygb has joined #openstack-keystone		22:36
stevemar_	and these roles go back into my global keystone roles, via implied roles?	22:36
henrynash	yes	22:36
henrynash	in the limit, imagine teh cloud provider created the one and only policy file for each service with a differnet role for each API	22:37
stevemar_	so i get one benefit: now every domain can have an 'admin' role	22:37
henrynash	now in ACME, a developer can do API a, b, c, and d	22:37
henrynash	but in THE_HENRY_COMPANY a developer can exucte API a thu z	22:38
henrynash	each domain admin can model what meaningful mapping is right for them	22:38
*** mylu has joined #openstack-keystone		22:38
henrynash	or maybe in THE_HENRY_COMAPNY they aren;t developers but music-producers and composers…which needs some set of roels (aka APIs)	22:39
*** gwei3 has quit IRC		22:40
*** jerrygb has quit IRC		22:41
*** ninag has quit IRC		22:41
*** navid_ has joined #openstack-keystone		22:42
openstackgerrit	Merged openstack/keystone: remove useless config option in endpoint filter https://review.openstack.org/247303	22:45
*** mylu has quit IRC		22:46
stevemar_	henrynash: i think i'm getting hung up on how this policy file looks like	22:46
stevemar_	henrynash: you're assuming it'll have or conditions with lots of roles?	22:46
henrynash	stevemar_: in the future we’ll have more roles I believe, but not cuased by this patch… this patch uses that fact	22:47
RichardRaseley	Is it expected that I would not be able to do a `keystone endpoint-list` (more specifically the results are blank - no error) with a user who is assigned an admin role in the admin tenant (named openstack in my case)? If I auth with the admin token there is no such issue.	22:47
RichardRaseley	(using python-keystoneclient)	22:48
mordred	what's a 'normal' token expiry time?	22:48
RichardRaseley	(version 1.8.1)	22:48
*** jbell8 has quit IRC		22:48
*** jbell8 has joined #openstack-keystone		22:49
stevemar_	mordred: 1 hour?	22:49
henrynash	stevemar_:…dropping off…may be back on later	22:49
*** henrynash has quit IRC		22:49
mordred	k. hrm.	22:50
mordred	I'm pondering how to isolate token refreshes from graphs I have of API response times	22:50
mordred	since ksa magically does it for me behind the scenes	22:50
*** shaleh\|away is now known as shaleh		22:53
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/247113	22:53
shaleh	RichardRaseley: depends on what policy says for listing endpoints	22:54
*** pgbridge has joined #openstack-keystone		22:54
gyee	and try not to use keystone cli, use openstack cli instead	22:54
gyee	I don't think keystone cli can handle v3 catalog	22:55
RichardRaseley	shaleh : How would I go about looking at / modifying that policy? I am mainly having this issue as there is a bug in python-neutronclient which prevents me from using the admin token.	22:55
RichardRaseley	gyee : Not possible in this case, as I am using python-neutronclient which uses python-keystoneclient	22:55
shaleh	RichardRaseley: python-keystoneclient is an API. The shell program (cli) should not be used from it. Use 'openstack' not 'keystone' from the shell.	22:56
RichardRaseley	shaleh : Please see my previous comments.	22:56
shaleh	RichardRaseley: the Python API from python-keystoneclient is used by other projects. That is fine.	22:57
shaleh	neutronclient is not executing the other program.	22:57
RichardRaseley	shaleh : Well, it uses it in some way, as it is a dependency of neutronclient.	22:57
shaleh	RichardRaseley: as for checking policy, it is in /etc/keystone on the server where keystone is installed.	22:58
*** breitz has quit IRC		22:59
RichardRaseley	shaleh : Let me restate the issue. If I want to do anything in neutronclient, and I attempt to do so authenticating a user with an admin role in my admin tenant, I receive a 'The service catalog is empty' error. I was testing keystoneclient to see if I got the same error with the same user. I did. However, with keystoneclient I had success enumerating the service catalog when I authenticated with the admin token. However, there	23:00
RichardRaseley	is a bug in neutronclient (https://bugs.launchpad.net/ceilometer/+bug/1455848) which prevents me from passing the admin token to it, hence my question about expected behavior, and your answer about policy.	23:00
openstack	Launchpad bug 1455848 in openstack-manuals "CentOS 7 kilo,ceilometer meter-list with error:The service catalog is empty." [Undecided,Invalid]	23:00
*** lhcheng has quit IRC		23:00
*** mylu has joined #openstack-keystone		23:01
*** jerrygb has joined #openstack-keystone		23:01
openstackgerrit	Lance Bragstad proposed openstack/keystone: Replace DateTime with BigInteger for Revocation Events https://review.openstack.org/243742	23:01
RichardRaseley	shaleh : Can you imagine any undesirable consequences from letting a 'standard' user enumerate the service catalog?	23:01
shaleh	RichardRaseley: there is a difference between what is in your service catalog and a general endpoint list.	23:02
*** csoukup has quit IRC		23:02
RichardRaseley	shaleh : I thought the service catalog was just the collection of endpoints available?	23:02
RichardRaseley	Can you correct my misunderstanding?	23:02
shaleh	RichardRaseley: internally endpoint list calls https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3.rst#endpoints-v3endpoints	23:04
RichardRaseley	I am using v2 across the board (so far as I can help it, tell) - is it any different in v2?	23:05
*** jbell8 has quit IRC		23:06
shaleh	RichardRaseley: outside my knowledge. Sorry. /me started in v3 and has not needed to look back	23:06
*** jbell8 has joined #openstack-keystone		23:06
RichardRaseley	shaleh : So a service catalog is a combination of the listing of services and their associated endpoints?	23:06
gyee	there used to be a bug where if endpoints are created using v3, you can't list them using v2	23:06
gyee	so when you do 'openstack endpoint list', can you tell if its using v3?	23:07
gyee	can you enable debug?	23:07
RichardRaseley	gyee : Sure, one sec.	23:08
shaleh	catalog_list = openstackclient.identity.v2_0.catalog:ListCatalog vs. endpoint_list = openstackclient.identity.v2_0.endpoint:ListEndpoint	23:09
shaleh	in OSC	23:09
*** exploreshaifali has joined #openstack-keystone		23:10
RichardRaseley	shaleh : The code is mostly lost on me, unfortunately.	23:10
*** navid_ has quit IRC		23:10
RichardRaseley	gyee: Let me clean up my output and pastebin	23:11
shaleh	RichardRaseley: openstack --debug will show you the actual REST calls made. Helpful when wondering why two seemingly similar commands return different data.	23:11
*** alejandrito has quit IRC		23:11
*** jbell8 has quit IRC		23:12
*** jbell8 has joined #openstack-keystone		23:12
*** pumaranikar has quit IRC		23:13
*** lhcheng has joined #openstack-keystone		23:13
*** ChanServ sets mode: +v lhcheng		23:13
*** timcline has quit IRC		23:13
gyee	RichardRaseley, just to give you some context, https://review.openstack.org/#/c/215870/	23:14
RichardRaseley	gyee and shaleh : Here is the output of invoking openstackclient with the debug flag, and authing as my user who is an admin role in my admin tenant (named 'openstack'), followed by an endpoint-list http://paste.openstack.org/show/479502/	23:14
RichardRaseley	gyee: Thank you for that context.	23:15
openstackgerrit	Steve Martinelli proposed openstack/keystone-specs: Enable retrieval of default values of domain config options https://review.openstack.org/185650	23:16
*** mylu has quit IRC		23:18
*** mylu has joined #openstack-keystone		23:19
notmorgan	mordred: i think we can add a <token refresh> marker somewhere in there you can enable for graph/profiling purposes	23:20
notmorgan	mordred: in fact... that wouldn't be an awful thing to do in eneral.	23:20
notmorgan	mordred: it would at the very least allow us to see what amount of sink goes into the token refreshes	23:20
*** mylu has quit IRC		23:20
notmorgan	maybe just an STDERR <token_refresh start>/<end>	23:21
notmorgan	or maybe this lands into the proper use of the TRACE log level	23:21
*** mylu has joined #openstack-keystone		23:21
notmorgan	(not to be confiused with tracebacks)	23:21
gyee	RichardRaseley, from pastebin, you appear to be using an unscoped token "openstack openstack --debug --os-username richard.raseley --os-password [REDACTED] --os-auth-url http://openstack-test.domain.local:35357/v2.0"	23:21
*** dims_ has joined #openstack-keystone		23:22
RichardRaseley	gyee: You mean unscoped in terms of project or project domain (which I still don't grok)?	23:24
*** dims has quit IRC		23:24
*** KarthikB has quit IRC		23:25
openstackgerrit	Steve Martinelli proposed openstack/keystone-specs: Enable retrieval of default values of domain config options https://review.openstack.org/185650	23:26
shaleh	RichardRaseley: if I read the paste correctly, you authenticate as yourself and are able to get an endpoint list. This is _NOT_ your catalog. What does 'catalog list' show with all of the same parameters?	23:27
RichardRaseley	shaleh: One sec.	23:28
mordred	notmorgan: wellllllll	23:30
mordred	notmorgan: so, I should tell you about the TaskManager interface at some point	23:30
*** jbell8 has quit IRC		23:30
notmorgan	mordred: oooh	23:30
mordred	notmorgan: but what I _really_ want is the ability to pass in a TaskManager to ksa	23:30
notmorgan	mordred: i'll support this actually.	23:31
mordred	notmorgan: so that all of the requests interactions directly go through it	23:31
mordred	woot!	23:31
*** jbell8 has joined #openstack-keystone		23:31
RichardRaseley	shaleh : Here is the output http://paste.openstack.org/show/479507/	23:31
notmorgan	explain taskmanager and let me hack on it hwne i get to NYC	23:31
mordred	notmorgan: I will	23:31
mordred	notmorgan: (tl;dr - it's a concept from nodepool that we extracted optionally into shade)	23:31
notmorgan	i think it is totally reasonable to have a consistent interface for these things that we can hook into for KSA. not on unless you say "hey here is a thing"	23:31
*** ninag has joined #openstack-keystone		23:31
notmorgan	but useful	23:31
notmorgan	and if nodepool and/or shade is doing it i see no reason KSA shouldn't	23:32
notmorgan	since i mean... useful :)	23:32
shaleh	RichardRaseley: that is with 100% exact same parameters are previous run, yes?	23:32
RichardRaseley	shaleh : I didn't even drop out of the openstackclient shell, so yes.	23:33
*** darrenc is now known as darrenc_afk		23:33
RichardRaseley	I entered the shell with all those params, then issued the two commands one after the other (with several minute gap)	23:33
RichardRaseley	brb	23:33
mordred	notmorgan: yah. that's what I'm thinking. the way we do it in shade it's a noop, unless you pass in a taskmanager	23:33
notmorgan	mordred: fantastic	23:33
mordred	notmorgan: but then, in nodepool, the taskmanager we define is threaded and keeps track of quotas	23:34
notmorgan	mordred: like... i am actually excited for this, i see it reaching into areas of session	23:34
mordred	notmorgan: so it ratelimits all interactions for us	23:34
mordred	proactively	23:34
notmorgan	ooh, nifty	23:34
mordred	(this is how nodeopool does not crash public clouds)	23:34
shaleh	RichardRaseley: now can you show the failing neutronclient invocation? Because clearly you have a catalog defined for that user.	23:34
notmorgan	which reminds me... i have some scripting to do to try and break clouds >.>	23:34
notmorgan	of course not to be malicious...but like breaking security things down... cause yeah... i think i see some gaping holes we should fix	23:35
*** slberger has left #openstack-keystone		23:36
*** ninag has quit IRC		23:36
RichardRaseley	shaleh: Sure, one moment.	23:41
RichardRaseley	shaleh : http://paste.openstack.org/show/479509/	23:44
gyee	env \| grep OS_TENANT	23:46
gyee	env \| grep OS_PROJECT	23:47
RichardRaseley	gyee : Is that directed at me? If so, I am setting auth options on the CLI at this point so that would return nothing. I didn't explicitly set project in that last set of commands.	23:47
gyee	RichardRaseley, yes, so you are essentially getting an unscoped token, with no service catalog	23:48
gyee	if you don't set a scope, that's the expected behavior	23:48
mordred	notmorgan: I recommend running a script in a loop that creates and then deletes servers as fast as their API rate-limiting will let you	23:49
shaleh	RichardRaseley: in the two commands using 'openstack' I see a project id in your output. Where did it come from? --> 'project_id': 'd0064a4d07594a4fb93bfe7b15fbdfef'	23:50
shaleh	RichardRaseley: as gyee says, no project_id no scope. No scope and you are seeing expected behavior.	23:51
RichardRaseley	gyee shaleh : If I add a the --os-project-id argument to my previous neutronclient command, I still get the same error "The service catalog is empty".	23:51
RichardRaseley	shaleh: I am guessing openstackclient is inferring it somehow?	23:51
notmorgan	mordred: haha that is totally not how i plan to break people... we need someone to start really focusing on pen testing of openstack... and i think we'll be frightened	23:52
mordred	notmorgan: heh	23:52
notmorgan	thankfully the ORM solves more injection/low barrier to entry issues	23:52
notmorgan	most*	23:53
RichardRaseley	shaleh gyee : So the status now is that even when I am scoping my user with a project ID, neutronclient is still returning that "The service catalog is empty." error. We have show that the user does in fact have a service catalog it can access. Does scoping include the need to define a project domain?	23:54
*** roxanaghe has quit IRC		23:55
gyee	RichardRaseley, no, project_id is global, no need to specific domain	23:56
*** darrenc_afk is now known as darrenc		23:56
*** gordc has quit IRC		23:57
gyee	RichardRaseley, which project id did you specify? d0064a4d07594a4fb93bfe7b15fbdfef?	23:57
RichardRaseley	gyee : Thank you. I am only testing keystoneclient because I know neutronclient uses some of its bits, but the behavior is the same between keystoneclient and neutronclient (versions 1.8.1 and 3.1.0 respectively)	23:58
RichardRaseley	gyee: That is correct.	23:58

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!