Tuesday, 2015-12-08

*** pgbridge has quit IRC 00:00
*** jerrygb has quit IRC 00:00
*** jerrygb has joined #openstack-keystone 00:02
*** tonytan4ever has joined #openstack-keystone 00:02
*** jamielennox|away is now known as jamielennox 00:05
<openstackgerrit> Sean Perry proposed openstack/keystone: Use new_policy_ref consistently  https://review.openstack.org/247257 00:07
<openstackgerrit> Merged openstack/keystone-specs: Shadow users: unified identity  https://review.openstack.org/240595 00:09
*** aginwala has quit IRC 00:11
*** aginwala has joined #openstack-keystone 00:17
*** jerrygb has quit IRC 00:18
*** jerrygb has joined #openstack-keystone 00:18
<notmorgan> zigo: hey man, sometime this week we need to have a chat about some debconf stuff being done in the packages. 00:19
<zigo> notmorgan: Go ahead! :) 00:19
<notmorgan> zigo: I think we need to discuss some philosophy here :) 00:19
<notmorgan> I'm about to hop on a plane. So maybe tomorrow? 00:19
<zigo> Ok. 00:19
<zigo> Have a good flight then. 00:19
* notmorgan is headed from NYC back to home. :) 00:20
<notmorgan> Thnx. Talk with ya tomorrow :) 00:20
*** gildub has joined #openstack-keystone 00:21
*** gordc has quit IRC 00:22
*** jerrygb has quit IRC 00:23
*** tonytan4ever has quit IRC 00:23
*** gildub has quit IRC 00:28
*** gildub has joined #openstack-keystone 00:29
<openstackgerrit> Steve Martinelli proposed openstack/keystone: Use assertDictEqual instead of assertEqualPolicies  https://review.openstack.org/251482 00:33
<jamielennox> notmorgan: still here? 2 fairly easy reviews 00:38
<notmorgan> jamielennox: really laggy atm 00:38
<jamielennox> https://review.openstack.org/#/c/253999/ and https://review.openstack.org/#/c/251687/ 00:38
<jamielennox> ah - nvm then, no rush 00:38
*** aginwala has quit IRC 00:39
<notmorgan> jamielennox: give me a few mins... 00:41
<notmorgan> might not be able to preboarding 00:41
<openstackgerrit> Sean Perry proposed openstack/keystone: Refactor test use of new_*_ref  https://review.openstack.org/237205 00:41
<shaleh> bknudson: I just rebased it for you ^^ 00:41
<jamielennox> notmorgan: not a rush, i can find someone else around 00:41
<shaleh> gah, jenkins is failing due to package versions 00:41
<jamielennox> shaleh: awww, it's going to be one of those days 00:42
<shaleh> jamielennox: yeah, one of the oslo libs 00:43
<notmorgan> jamielennox: the saml one i can't load due to lag 00:43
<notmorgan> but the other one +2/A 00:43
<jamielennox> notmorgan: thanks 00:45
<jamielennox> notmorgan: also - any idea when morgan is coming back? 00:45
<openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: Make tests run against original client and sessions  https://review.openstack.org/117089 00:45
<shaleh> jamielennox: so what is the plan for the keystone auth review involving password prompting? 00:45
<notmorgan> jamielennox: never 00:45
<notmorgan> jamielennox: because mor<tab> was getting old. 00:45
*** alejandrito has quit IRC 00:46
<shaleh> notmorgan: it better reflects your non-positive energy anyways :-) 00:46
<notmorgan> this way i only collide with notmyname and you know what, we overlap in fewer channels than mordred and I do 00:46
<jamielennox> shaleh: so at the moment there is going to be a callback function you can use via os-client-config, that will let openstackclient do the special casing it does now 00:46
<notmorgan> jamielennox: ++ 00:46
<shaleh> jamielennox: I suspected that would end up being the solution 00:46
<notmorgan> jamielennox: mordred needs some tests in his patch and it's pretty good looking 00:46
<jamielennox> shaleh: in future we probably want the getpass attribute on the opts to allow it to be a bit more generic 00:47
<notmorgan> jamielennox: i was planning on rolling tests tomorrow if he doesn't 00:47
<jamielennox> notmorgan: yea, it was fairly easy when it came down to it 00:47
<notmorgan> ok time to board soon. 00:47
<jamielennox> shaleh: but for now the problem i'm trying to solve is on the OSC/OCC boundary so if that solves the current issue we'll worry about future stuff when appropriate 00:47
*** jasonsb has quit IRC 00:47
<shaleh> jamielennox: yeah. Like I mentioned, cleanliness aside, doing the prompting from there made L10N hard. 00:48
<jamielennox> yea, that was only going to matter in a very few scenarios 00:48
<jamielennox> but the load_from_argparse stuff existed before os-client-config, at the moment it's pretty much deprecated in favour of using os-client-config 00:49
<shaleh> yay, die old code :-) 00:49
<jamielennox> not officially - if you want to use it go ahead, but most of what it was trying to solve is accomplished better by occ 00:49
<notmorgan> ayoung: I am turning a corner on some ideas you had a year ago. 00:50
<notmorgan> Fyi 00:50
<shaleh> jamielennox: unrelated, where do we see passing around some form of list of current tokens. perhaps a parameter to KSA's Session? 00:51
*** aginwala has joined #openstack-keystone 00:53
*** aginwala has quit IRC 00:55
*** EinstCrazy has joined #openstack-keystone 00:56
<jamielennox> shaleh: list? where are you seeing the need for a list 00:56
*** RichardRaseley has quit IRC 00:56
<jamielennox> shaleh: so a while ago i was thinking of having a session have multiple auth plugins and then you could select the one you wanted by name 00:56
<jamielennox> instead i went that you can pass an auth plugin directly to the request() functions 00:56
<jamielennox> so it's not so much a list as there is one session and you can pass the auth into it 00:57
<openstackgerrit> Cristian Sava proposed openstack/keystone: Related-Bug: 1479569  https://review.openstack.org/254456 00:57
<openstack> bug 1479569 in python-openstackclient "Output from "role assignment list" is not useful" [Medium,In progress] https://launchpad.net/bugs/1479569 - Assigned to Lin Hua Cheng (lin-hua-cheng) 00:57
<shaleh> jamielennox: playing with some MOC federation stuff. I can easily have 3 or more active tokens. It might be nice to move some of the complexity of handling it into a lib somewhere. I was wondering if you had put any thought to it. My plan is to play around with various POC scenarios and see if an obvious refactor presents itself. 00:59
<jamielennox> so my thought has been, create one session object, create as many plugins as active tokens you have on the go 00:59
<jamielennox> then when you create a client do Client(session=session, auth=auth) for a specific auth 00:59
<jamielennox> then have multiple client objects that are authenticated with different things 01:00
<jamielennox> how you wrap that is really going to depend on what you want to do 01:00
<jamielennox> but because there's no auth on load creating a client is fairly cheap 01:00
<shaleh> jamielennox: that matches what I was going to implement up front 01:00
<jamielennox> so you can do a Context() object or similar that creates clients as required 01:01
<jamielennox> so context.glance('usera').images.list() or whatever 01:01
<jamielennox> 'usera' depending on how you're managing plugins 01:01
<jamielennox> glance() just does 01:02
<jamielennox> return glanceclient.Client(2, session=self.session, auth=self.plugins[ident]) 01:02
<jamielennox> probably have to manage some region stuff there as well 01:02
<shaleh> jamielennox: yup, matches what I was thinking 01:04
<shaleh> jamielennox: thanks 01:04
<jamielennox> any time 01:05
*** andrewbogott has joined #openstack-keystone 01:05
<shaleh> finally down to 2 open reviews. Yay. 01:07
*** andrewbogott has quit IRC 01:08
*** andrewbogott has joined #openstack-keystone 01:08
<shaleh> time to head out. Gotta sit through a holiday recital. !Yay. 01:09
*** shaleh has quit IRC 01:09
*** lhcheng has joined #openstack-keystone 01:22
*** ChanServ sets mode: +v lhcheng 01:22
*** tonytan4ever has joined #openstack-keystone 01:24
*** yangyapeng has joined #openstack-keystone 01:27
*** lhcheng has quit IRC 01:27
*** links has joined #openstack-keystone 01:27
*** tonytan4ever has quit IRC 01:28
*** yangyapeng has quit IRC 01:33
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystoneauth: Updated from global requirements  https://review.openstack.org/254088 01:38
*** yasu has joined #openstack-keystone 01:39
*** aginwala has joined #openstack-keystone 01:39
*** tqtran_ has quit IRC 01:41
<openstackgerrit> OpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/254462 01:41
*** r-daneel has quit IRC 01:43
<ayoung> notmorgan, what ideas were those? 01:43
*** wangqun has joined #openstack-keystone 01:44
<openstackgerrit> Merged openstack/keystoneauth: Cleanups to K2K plugin  https://review.openstack.org/251687 02:02
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/254444 02:06
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystoneauth: Updated from global requirements  https://review.openstack.org/254088 02:06
*** jerrygb has joined #openstack-keystone 02:14
*** jasonsb has joined #openstack-keystone 02:14
*** jerrygb has quit IRC 02:16
*** terry_yao has joined #openstack-keystone 02:22
*** davechen has joined #openstack-keystone 02:27
*** ayoung has quit IRC 02:29
*** davechen1 has joined #openstack-keystone 02:34
*** davechen has quit IRC 02:35
*** browne has quit IRC 02:39
*** davechen has joined #openstack-keystone 02:42
*** btully has quit IRC 02:43
*** davechen1 has quit IRC 02:45
*** wanghua has joined #openstack-keystone 02:47
*** davechen1 has joined #openstack-keystone 02:49
*** davechen has quit IRC 02:51
*** spandhe has quit IRC 02:58
*** aginwala has quit IRC 03:03
*** aginwala has joined #openstack-keystone 03:07
*** edmondsw has quit IRC 03:07
*** aginwala has quit IRC 03:07
*** fangxu_ has joined #openstack-keystone 03:10
*** aginwala has joined #openstack-keystone 03:11
*** fangxu has quit IRC 03:11
*** fangxu_ is now known as fangxu 03:11
<openstackgerrit> ayoung proposed openstack/keystone: Implied Roles  https://review.openstack.org/242614 03:18
<jamielennox> ayoung is not in the channel 03:18
*** ayoung has joined #openstack-keystone 03:18
*** ayoung has quit IRC 03:18
<jamielennox> summoned then gone 03:18
<jamielennox> ayoung 03:18
<openstackgerrit> Dave Chen proposed openstack/keystonemiddleware: Configuration is outdated  https://review.openstack.org/220545 03:20
<openstackgerrit> Dave Chen proposed openstack/keystonemiddleware: Configuration is outdated  https://review.openstack.org/220545 03:23
*** browne has joined #openstack-keystone 03:24
*** gyee has quit IRC 03:26
*** ccard__ has joined #openstack-keystone 03:31
<openstackgerrit> javeme proposed openstack/python-keystoneclient: remove the default arguments "[]" or "{}"  https://review.openstack.org/254175 03:33
*** ccard_ has quit IRC 03:34
*** jerrygb has joined #openstack-keystone 03:35
*** terry_yao has quit IRC 03:42
*** ccard_ has joined #openstack-keystone 03:44
*** ccard__ has quit IRC 03:46
*** flwang1 has quit IRC 03:55
*** tonytan4ever has joined #openstack-keystone 04:05
*** darrenc is now known as darrenc_afk 04:06
*** tonytan4ever has quit IRC 04:09
*** aginwala has quit IRC 04:13
*** timcline has joined #openstack-keystone 04:15
*** aginwala has joined #openstack-keystone 04:16
*** fangxu has quit IRC 04:17
*** timcline_ has joined #openstack-keystone 04:17
*** timcline has quit IRC 04:17
*** aginwala has quit IRC 04:20
*** davechen1 has left #openstack-keystone 04:30
<openstackgerrit> Dave Chen proposed openstack/python-keystoneclient: remove the default arguments "[]" or "{}"  https://review.openstack.org/254175 04:33
*** darrenc_afk is now known as darrenc 04:42
*** boris-42_ has quit IRC 04:43
*** terryyao_ has joined #openstack-keystone 04:47
*** davechen has joined #openstack-keystone 04:51
<davechen> stevemar: still around? 04:52
<stevemar> davechen: yes sir 04:52
*** flwang1 has joined #openstack-keystone 04:52
*** spandhe has joined #openstack-keystone 04:53
<davechen> stevemar: a quick question, is it possible to call the method from controller layer in the manager layer? 04:53
<davechen> i meant the method in the manager layer call the method from controller layer 04:53
<davechen> it does not look like a good pattern to do in that way 04:54
<openstackgerrit> Steve Martinelli proposed openstack/keystone: Pass dict into update() rather than **kwargs  https://review.openstack.org/248116 04:54
<stevemar> davechen: no, you can't call controller functions from manager :( 04:55
<stevemar> or at least, you shouldn't 04:55
<stevemar> but those methods are static, just helper functions 04:55
<davechen> stevemar: i also think so. 04:55
<stevemar> brb 04:56
<davechen> so, you meant we could do for those static method 04:56
*** spandhe_ has joined #openstack-keystone 04:57
*** Nirupama has joined #openstack-keystone 04:57
<davechen> just call _get_endpoint_groups_for_project() from controller? - https://review.openstack.org/#/c/250032/2/keystone/catalog/core.py 04:57
*** spandhe has quit IRC 04:58
*** spandhe_ is now known as spandhe 04:58
*** davechen1 has joined #openstack-keystone 05:00
*** roxanaghe has quit IRC 05:00
*** davechen has quit IRC 05:02
<davechen1> probably not, these duplicated are not staticmethod but a private method. 05:03
<stevemar> davechen1: we can call private stuff from the same project 05:04
*** davechen1 is now known as davechen 05:04
<stevemar> i think we run into trouble when calling private stuff from projects we don't control 05:04
<davechen> stevemar: yeah, i was wrong, i was thinking we cannot call private stuff even within the same project but from different module. 05:06
<stevemar> davechen: ideally we shouldn't, but we can control that stuff 05:07
<stevemar> it's just a quick refactor fix if we really wanted to clean things up 05:07
<stevemar> but not necessary 05:07
<davechen> stevemar: looks like i just need to remove the duplicated method from manager layer and just call it from the controller, right? 05:07
<davechen> stevemar: i don't like the duplicated method just the same as you. :) 05:08
<stevemar> davechen: i think so! 05:09
<davechen> stevemar: gotcha, i will propose the fix. 05:10
<stevemar> davechen: cool, hows life in TX been? 05:10
<davechen> stevemar: and see what's others thinking about it. 05:10
<davechen> stevemar: basically, all of my time is occupied by training stuff. 05:11
<stevemar> davechen: doesn't sound too bad :) 05:11
<davechen> and it's funny in the weekend. 05:11
<davechen> shooting, shopping, sightseeing. 05:12
*** fawadkhaliq has joined #openstack-keystone 05:12
<davechen> stevemar: i think you will be in TX in the near future. :) 05:13
*** flwang1 has quit IRC 05:13
*** davechen1 has joined #openstack-keystone 05:16
<stevemar> sounds like fun :) 05:18
*** davechen has quit IRC 05:19
*** davechen1 has left #openstack-keystone 05:20
*** roxanaghe has joined #openstack-keystone 05:25
*** btully has joined #openstack-keystone 05:37
*** aginwala has joined #openstack-keystone 05:41
*** jerrygb has quit IRC 05:50
*** jaosorior has joined #openstack-keystone 05:51
*** dims has quit IRC 05:57
*** yangyape_ has joined #openstack-keystone 05:59
*** wolsen has quit IRC 06:04
*** wolsen has joined #openstack-keystone 06:05
<breton> o/ 06:14
<breton> oh, that web server talk again 06:17
*** dims has joined #openstack-keystone 06:20
*** timcline_ has quit IRC 06:26
<stevemar> breton: it's fun times 06:28
<stevemar> remove this, no don't, wait run it this way, i don't want to, now do this 06:28
*** yangyape_ is now known as Yangyapeng 06:28
*** e0ne has joined #openstack-keystone 06:38
<openstackgerrit> Merged openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/254462 06:41
*** aginwala has quit IRC 06:43
*** e0ne has quit IRC 06:45
*** aginwala has joined #openstack-keystone 06:46
*** e0ne has joined #openstack-keystone 06:49
*** e0ne has quit IRC 06:52
*** aginwala has quit IRC 06:52
*** spandhe_ has joined #openstack-keystone 07:01
*** e0ne has joined #openstack-keystone 07:02
*** spandhe has quit IRC 07:02
*** spandhe_ is now known as spandhe 07:02
*** dims has quit IRC 07:11
*** fangxu has joined #openstack-keystone 07:11
*** e0ne has quit IRC 07:20
*** e0ne has joined #openstack-keystone 07:21
*** terryyao_ has quit IRC 07:21
*** aginwala has joined #openstack-keystone 07:25
*** terryyao_ has joined #openstack-keystone 07:25
*** spandhe has quit IRC 07:27
*** dims has joined #openstack-keystone 07:31
*** terryyao_ has quit IRC 07:31
<openstackgerrit> Merged openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/254445 07:33
*** roxanaghe has quit IRC 07:39
*** terryyao_ has joined #openstack-keystone 07:39
*** fawadkhaliq has quit IRC 07:41
*** flwang1 has joined #openstack-keystone 07:41
*** fawadkhaliq has joined #openstack-keystone 07:42
<openstackgerrit> Merged openstack/oslo.policy: Don't generate doc from test  https://review.openstack.org/254061 07:46
*** dims has quit IRC 07:52
*** roxanaghe has joined #openstack-keystone 07:52
*** btully has quit IRC 07:55
*** e0ne has quit IRC 07:56
*** gildub has quit IRC 07:57
*** jerrygb has joined #openstack-keystone 08:06
<stevemar> dolphm: notmorgan, when you guys wake up https://review.openstack.org/#/c/241403/ 08:10
<notmorgan> Joke's on me. Still awake :( 08:10
*** jerrygb has quit IRC 08:12
<marekd> stevemar: i can handle this patch, i think :-) 08:13
<stevemar> marekd: even better! 08:13
<marekd> done 08:13
<marekd> stevemar: https://review.openstack.org/#/c/188534/ now i don't know what's up with that one. Even if it's not approved I think I will just start coding this so it will be ready for FFE or next cycle. 08:14
*** flwang1 has quit IRC 08:15
*** henrynash has joined #openstack-keystone 08:15
*** ChanServ sets mode: +v henrynash 08:15
*** fangxu has quit IRC 08:18
<stevemar> marekd: why don't you know what's up with it? 08:21
<marekd> stevemar: because the deadline was mitaka-1, i am trying to push it and currently kind of failing. 08:22
<stevemar> marekd: find 2 cores to champion your spec 08:23
<marekd> i guess you are not on the list anymore due to your PTL responsibilities 08:23
<stevemar> marekd: i wouldn't say that 08:23
<stevemar> champion => willing to review patches 08:24
<openstackgerrit> ChangBo Guo(gcb) proposed openstack/oslo.policy: Make sure item of policy_dirs is directory  https://review.openstack.org/254607 08:25
<marekd> stevemar: yeah, i know what that means :-) Anyway, would you take a look at this spec again? Guang had some questions about inheritance and domains, but I'd give it a baby steps pace and start with projects only. Later we can add more. 08:26
<stevemar> definitely projects at first 08:26
<marekd> stevemar: and this is main goal on what I want to do. 08:27
<stevemar> marekd: give me 5 minutes, just reviewing something i am cooking up 08:27
<marekd> stevemar: whenever you have time 08:27
*** roxanaghe has quit IRC 08:28
*** gildub has joined #openstack-keystone 08:32
*** lhcheng has joined #openstack-keystone 08:37
*** ChanServ sets mode: +v lhcheng 08:37
*** fhubik has joined #openstack-keystone 08:39
*** miyagishi_t has quit IRC 08:39
<stevemar> jamielennox: PM your gmail addy 08:41
<stevemar> lhcheng: you too 08:41
*** aginwala has quit IRC 08:49
*** aginwala has joined #openstack-keystone 08:53
*** links has quit IRC 08:55
*** browne has quit IRC 08:56
*** aginwala has quit IRC 09:01
<openstackgerrit> Marek Denis proposed openstack/keystone-specs: Expand endpoint filters to service providers  https://review.openstack.org/188534 09:01
*** aginwala has joined #openstack-keystone 09:01
*** fhubik is now known as fhubik_brb 09:02
*** e0ne has joined #openstack-keystone 09:03
*** fhubik_brb is now known as fhubik 09:08
*** links has joined #openstack-keystone 09:09
*** aginwala_ has joined #openstack-keystone 09:10
*** pnavarro has joined #openstack-keystone 09:10
*** aginwala has quit IRC 09:14
*** aginwala_ has quit IRC 09:15
<openstackgerrit> Merged openstack/keystone: Cleans up code for `is_admin` in tokens  https://review.openstack.org/254391 09:15
<notmorgan> marekd: https://review.openstack.org/#/c/253999/ could use your eyes 09:17
<notmorgan> marekd: and can you comment on what the error with the internal LXML impl is on bknudson's patch? 09:17
<notmorgan> marekd: i'd like to drop LXML asap from ksa 09:17
<marekd> notmorgan: i will get back to that lxml. debugging with adfs is not the funniest thing to do :/ esp that i don't have direct access to or servers. 09:18
<marekd> s/or/our/ 09:19
<stevemar> notmorgan: thanks for responding 09:19
<openstackgerrit> Merged openstack/keystone: Updating sample configuration file  https://review.openstack.org/253745 09:19
<marekd> notmorgan: but i'm gonna ping whoever is needed 09:19
<openstackgerrit> Merged openstack/keystone: Fix for GET project by project admin  https://review.openstack.org/248892 09:19
<notmorgan> marekd: aye 09:19
<openstackgerrit> Merged openstack/keystone: Improve comments in test_catalog  https://review.openstack.org/248846 09:19
<notmorgan> marekd: figured just saw you here so ping :) 09:20
<openstackgerrit> Merged openstack/keystone: Remove invalid TODO in extensions  https://review.openstack.org/253552 09:20
<notmorgan> stevemar: home... 09:20
<openstackgerrit> Merged openstack/keystone-specs: Online schema migration  https://review.openstack.org/245186 09:20
<notmorgan> stevemar: but... doing laundry so i can sleep :( 09:20
<notmorgan> waiting on the stupid dryer 09:20
<marekd> notmorgan: i was ping? :P I am afraid you need to explain that joke :P 09:20
<marekd> pink/ping ? :P 09:20
<stevemar> notmorgan: ah, i often play that waiting game 09:21
<notmorgan> marekd: no, i totally just suck at typing at ~4:20am [time i feel like it is] 09:21
<stevemar> notmorgan: that's my real time 09:21
<notmorgan> marekd: just landed back on the west coast after a couple weeks in NYC 09:21
<stevemar> so i go sleep 09:21
<stevemar> even though i'm not sleepy 09:21
<marekd> notmorgan: oh :( 09:21
<notmorgan> marekd: already missing brooklyn, but <3 Portland 09:21
<notmorgan> also have some fantastic music to listen to atm 09:22
<marekd> notmorgan: ah yes, you moved to Portland! 09:22
<notmorgan> marekd: yes! 09:22
*** tonytan4ever has joined #openstack-keystone 09:22
<marekd> notmorgan: what are you listening to now? 09:22
<stevemar> notmorgan: glad to hear you're all set up in portland :) 09:22
<notmorgan> marekd: right now: https://www.youtube.com/watch?v=Njkl6qSp6Eg#t=193 09:22
<marekd> notmorgan: i approved jamie's patch. 09:22
<notmorgan> marekd: also https://play.google.com/music/m/Bpnvnmk5kvgeuovmjbhklkpt6wu?t=Lifetime_Ago_-_Greg_Laswell 09:23
<notmorgan> marekd: ^ that one is AMAZING. 09:23
<marekd> notmorgan: checking. 09:23
*** gildub has quit IRC 09:25
<notmorgan> stevemar: https://review.openstack.org/#/c/253792/ failures make me sad 09:25
<notmorgan> stevemar: so close 09:25
*** chenke_ has joined #openstack-keystone 09:26
*** tonytan4ever has quit IRC 09:26
<notmorgan> marekd: the google music link i just pasted is wonderful stuff. it's like solidly in the "yes. this is the music i want to listen to all the time" type stuff 09:27
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/254633 09:27
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/254633 09:28
<openstackgerrit> henry-nash proposed openstack/keystone: Create new version of assignment driver interface  https://review.openstack.org/242853 09:29
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/254633 09:30
<openstackgerrit> henry-nash proposed openstack/keystone: Create V9 Role Driver  https://review.openstack.org/247805 09:30
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/254633 09:31
<openstackgerrit> henry-nash proposed openstack/keystone: Use list_role_assignments to get projects/domains for user  https://review.openstack.org/242513 09:31
<notmorgan> marekd: also... i almost have a working POC with all the services sub-url mounted ;) 09:31
<notmorgan> wheeeeee productive couple of weeks 09:31
<marekd> notmorgan: i saw some tweets :-) 09:32
<marekd> notmorgan: i didn't dive too much into that tbh, what do you mean by suburl mounted services? 09:32
<notmorgan> https://api.tempusfrangit.org/identity https://api.tempusfrangit.org/compute https://api.tempusfrangit.org/image https://api.tempusfrangit.org/volume etc 09:33
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/254633 09:33
<marekd> notmorgan: oh,this. cool! 09:33
<notmorgan> marekd: yah 09:33
<notmorgan> marekd: also working on offloading auth so service to service never hits keystone 09:33
<notmorgan> marekd: and user->service is handled at the edge 09:33
<notmorgan> have a lua version of KSM (demo) working so haproxy can validate the tokens 09:34
<notmorgan> marekd: it's been fun. 09:34
<openstackgerrit> Merged openstack/keystone-specs: Expand endpoint filters to service providers  https://review.openstack.org/188534 09:34
<notmorgan> have a massive "this is what is broken" etherpad too 09:34
<notmorgan> :P 09:34
<notmorgan> stevemar: if you're in NYC you should totally go do http://sleepnomore.com/#share 09:35
<notmorgan> stevemar: it was one of the most fun theatre experiences i've ever done 09:35
<marekd> notmorgan: NYC is on my trips list for 2016 so if I go there I will definitely look for some "you will not find it in a guide" kind of places :-) 09:36
*** mhickey has joined #openstack-keystone 09:38
<notmorgan> marekd: sleepnomore is amazing. 09:40
<notmorgan> It's dark. But amazing 09:40
<notmorgan> I blame mordred for talking up sleep no more so much ;) 09:41
*** terryyao_ has quit IRC 09:41
<marekd> hehe 09:42
<breton> notmorgan: how does it validate fernet? It has the keys? 09:50
*** fhubik is now known as fhubik_brb 09:52
*** woodster_ has quit IRC 09:56
*** fhubik_brb is now known as fhubik 09:58
*** gildub has joined #openstack-keystone 09:59
*** aix has joined #openstack-keystone 10:01
<samueldmq> morning keystoners 10:12
<xek> morning :) 10:13
*** lhcheng has quit IRC 10:14
*** jistr has joined #openstack-keystone 10:14
<marekd> hey 10:16
*** fawadkhaliq has quit IRC 10:21
*** aix has quit IRC 10:21
*** fawadkhaliq has joined #openstack-keystone 10:21
<openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/python-keystoneclient: Implements base classes for functional tests  https://review.openstack.org/253971 10:23
<openstackgerrit> Merged openstack/keystone: Split resource tests from assignment tests  https://review.openstack.org/252684 10:27
*** fangxu has joined #openstack-keystone 10:27
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/254633 10:28
*** fangxu has quit IRC 10:31
*** aix has joined #openstack-keystone 10:33
<jamielennox> stevemar: like you want my gmail? 10:33
*** pnavarro has quit IRC 10:34
*** links has quit IRC 10:37
*** dikonoor has joined #openstack-keystone 10:48
*** dikonoor has quit IRC 10:48
<openstackgerrit> Merged openstack/keystoneauth: Updated from global requirements  https://review.openstack.org/254088 10:51
<openstackgerrit> Merged openstack/keystoneauth: Extract SAML fixtures into templates  https://review.openstack.org/253999 10:51
<openstackgerrit> Merged openstack/keystone: Deprecate ldap Role  https://review.openstack.org/252669 10:52
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/254633 10:54
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/254444 10:56
*** links has joined #openstack-keystone 10:58
*** Yangyapeng has quit IRC 10:58
*** EinstCrazy has quit IRC 10:59
*** openstackgerrit has quit IRC 11:02
*** openstackgerrit has joined #openstack-keystone 11:02
<marekd> jamielennox: pretty much 11:02
*** wangqun has quit IRC 11:03
*** john5223 is now known as zz_john5223 11:06
*** EinstCrazy has joined #openstack-keystone 11:24
*** Nirupama has quit IRC 11:27
*** gildub has quit IRC 11:33
*** yasu has quit IRC 11:47
*** lhcheng has joined #openstack-keystone 12:02
*** ChanServ sets mode: +v lhcheng 12:02
*** e0ne has quit IRC 12:03
*** esp has quit IRC 12:05
*** esp has joined #openstack-keystone 12:06
*** lhcheng has quit IRC 12:07
*** jerrygb has joined #openstack-keystone 12:09
*** e0ne has joined #openstack-keystone 12:11
*** jerrygb has quit IRC 12:13
*** fawadkhaliq has quit IRC 12:14
*** fhubik is now known as fhubik_brb 12:29
*** gordc has joined #openstack-keystone 12:31
*** EinstCra_ has joined #openstack-keystone 12:35
*** links has quit IRC 12:36
*** fawadkhaliq has joined #openstack-keystone 12:37
*** EinstCrazy has quit IRC 12:37
*** fawadkhaliq has quit IRC 12:40
*** jaosorior has quit IRC 12:40
*** fawadkhaliq has joined #openstack-keystone 12:40
*** jaosorior has joined #openstack-keystone 12:42
*** arunkant has quit IRC 12:43
*** tsymancz1k has quit IRC 12:46
*** yangyapeng has joined #openstack-keystone 12:59
*** tsymanczyk has joined #openstack-keystone 13:04
*** tsymanczyk is now known as Guest76635 13:05
*** tonytan4ever has joined #openstack-keystone 13:10
*** tonytan4ever has quit IRC 13:14
*** dims has joined #openstack-keystone 13:16
*** fhubik_brb is now known as fhubik 13:18
*** pauloewerton has joined #openstack-keystone 13:21
<openstackgerrit> Jin Nan Zhang proposed openstack/keystone: Replace warnings.warn to LOG.warn  https://review.openstack.org/254752 13:24
*** arunkant_ has quit IRC 13:29
*** edmondsw has joined #openstack-keystone 13:31
*** topol has joined #openstack-keystone 13:31
*** ChanServ sets mode: +v topol 13:31
*** arunkant has joined #openstack-keystone 13:35
*** terryyao has joined #openstack-keystone 13:42
*** jerrygb has joined #openstack-keystone 13:44
*** lhcheng has joined #openstack-keystone 13:52
*** ChanServ sets mode: +v lhcheng 13:52
*** topol has quit IRC 13:53
*** topol has joined #openstack-keystone 13:54
*** ChanServ sets mode: +v topol 13:54
*** lhcheng has quit IRC 13:57
*** fhubik is now known as fhubik_brb 14:07
lbragstadstevemar is there a limit to the number of champions a spec has?14:15
*** breitz has quit IRC14:18
*** breitz has joined #openstack-keystone14:19
*** petertr7_away is now known as petertr714:21
openstackgerritBoris Bobrov proposed openstack/keystone-specs: Assignments in Apache Fortress  https://review.openstack.org/25478214:29
*** lhcheng has joined #openstack-keystone14:30
*** ChanServ sets mode: +v lhcheng14:30
*** miyagishi_t has joined #openstack-keystone14:31
*** richm has joined #openstack-keystone14:32
*** lhcheng_ has joined #openstack-keystone14:34
*** lhcheng has quit IRC14:37
openstackgerritMerged openstack/keystone: More useful message when using direct driver import  https://review.openstack.org/24140314:40
*** ayoung has joined #openstack-keystone14:40
*** ChanServ sets mode: +v ayoung14:40
*** tonytan4ever has joined #openstack-keystone14:41
*** tonytan4ever has quit IRC14:45
*** fawadkhaliq has quit IRC14:45
*** fawadkhaliq has joined #openstack-keystone14:46
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/25463314:47
*** edmondsw has quit IRC14:48
openstackgerritayoung proposed openstack/keystone: Implied Roles  https://review.openstack.org/24261414:50
ayoungHow to properly handle delegation:  http://www.questionablecontent.net/view.php?comic=310714:51
*** dims_ has joined #openstack-keystone14:52
*** dims has quit IRC14:55
ayoungsamueldmq, care to +1 this one.  You gave it a pretty thorough review, and I think follow on reviewers would want to see that you've approved of the changes made: https://review.openstack.org/#/c/242853/2915:01
*** yangyapeng has quit IRC15:01
samueldmqayoung: yeah, sure, was on my todo, but a bit overflooded this week :)15:05
samueldmqayoung: thanks for the heads up15:05
ayoungsamueldmq, get used to it15:05
*** sigmavirus24_awa is now known as sigmavirus2415:06
samueldmqayoung: :-)15:06
samueldmqayoung: done, implied roles is next15:09
*** jerrygb has quit IRC15:09
*** jerrygb has joined #openstack-keystone15:10
samueldmqayoung: I have 6-hour workshop next week, and still a lot of material to prepare :)15:10
ayoungsamueldmq, there is one in between15:10
ayoungsamueldmq, lets focus on the prereqs...15:10
samueldmqayoung: which one ?15:10
ayoungah, you go0t them both...thanks15:10
samueldmqayoung: yeah, v9 role15:11
*** davechen has joined #openstack-keystone15:12
ayoungdstanek, marekd can one of you guys prioritize looking at https://review.openstack.org/#/c/242853/29  and https://review.openstack.org/#/c/247805/11  which are the pre-reqs for implied roles.  I think implied roles is going to be the killer feature this release, and I'd like to get it in before X-Mas break if possible.15:12
marekdayoung: i will take a look!15:12
ayoungthanks15:13
marekdayoung: let me just finish something.15:13
*** edmondsw has joined #openstack-keystone15:13
*** topol has quit IRC15:13
*** jerrygb has quit IRC15:15
*** fawadkhaliq has quit IRC15:16
*** timcline has joined #openstack-keystone15:20
dstanekayoung: i can't promise today, but i'll bump it near the top of my Trello list; just started working on the one Henry gave to me yesterday15:24
*** jerrygb has joined #openstack-keystone15:24
ayoungdstanek, thanks...it is a Henry review.  I've already +2ed, and samueldmq has +1ed.  If Marek gets it, it is good to go15:24
openstackgerritGrzegorz Grasza (xek) proposed openstack/keystone: Unit test for checking cross-version migrations compatibility  https://review.openstack.org/24160315:26
*** slberger has joined #openstack-keystone15:33
ayoungsamueldmq, yep...thought I had15:34
*** btully has joined #openstack-keystone15:35
samueldmqayoung: nice15:35
ayoungsamueldmq, I really just want the pre-reqs merged so I don't have more rebase issues as I work on the implied roles patch15:36
*** erhudy has joined #openstack-keystone15:36
samueldmqayoung: makes sense, and those should be ready to go already15:36
erhudywith keystone running under mod_wsgi, has anyone seen a situation where workers will start to die with the error "Fatal Python error: PyEval_AcquireThread: NULL new thread state", until every WSGI worker on the host has died and apache needs to be restarted?15:37
erhudythings start out okay after restarting apache but within 15-30 minutes it seems to degrade back to non-functionality15:37
* breton hasn't15:40
*** terryyao has quit IRC15:40
bknudsonwe've got products here that run keystone under apache and I'm sure they would have complained15:42
erhudythis is a pretty recent development, i'm trying to find out if anything might have changed recently15:42
dstanekerhudy: are you running master?15:43
marekdCERN also runs keystone w/ apache and we don't suffer from anything like that.15:43
erhudyno, kilo 2015.1.015:43
erhudyit looks like mod_python was enabled, killing that and restarting15:43
*** tonytan4ever has joined #openstack-keystone15:43
*** jistr is now known as jistr|mtg15:43
bretonI read about issues when mod_python runs along mod_wsgi15:44
erhudyyeah, i found something like that a moment ago15:44
*** andrewbogott has quit IRC15:46
openstackgerritMarian Horban proposed openstack/python-keystoneclient: Remove lock object from BaseIdentityPlugin  https://review.openstack.org/24652115:46
*** alvipet has joined #openstack-keystone15:50
*** topol has joined #openstack-keystone15:51
*** ChanServ sets mode: +v topol15:51
tjcocozzping stevemar15:52
*** fhubik_brb is now known as fhubik15:53
*** pgbridge has joined #openstack-keystone15:55
openstackgerritJorge Munoz proposed openstack/keystone: Reduce revoke events for disabled domains and projects.  https://review.openstack.org/25327315:57
*** gokrokve has joined #openstack-keystone15:59
erhudyyeah, looks like it was probably mod_python sneaking back in15:59
erhudyeasy fix at least15:59
*** lhcheng has joined #openstack-keystone16:00
*** ChanServ sets mode: +v lhcheng16:00
*** lhcheng_ has quit IRC16:00
ayoungerhudy, Sneaking *back* in?16:01
erhudymore like an oversight on our part to not disable it in the first place, just never noticed16:02
*** petertr7 is now known as petertr7_away16:06
*** aix has quit IRC16:08
breton²16:08
*** ninag has joined #openstack-keystone16:09
*** ninag has quit IRC16:09
notmorganbreton: it talks to keystone. But, the other services don't have to.16:09
openstackgerritPaulo Ewerton Gomes Fragoso proposed openstack/keystone: Add backend support for deleting a projects list  https://review.openstack.org/24591616:12
openstackgerritPaulo Ewerton Gomes Fragoso proposed openstack/keystone: Manager support for project delete cascade  https://review.openstack.org/24414916:12
openstackgerritPaulo Ewerton Gomes Fragoso proposed openstack/keystone: API support for project cascade delete  https://review.openstack.org/24424816:12
*** fawadkhaliq has joined #openstack-keystone16:12
*** browne has joined #openstack-keystone16:16
*** pumaranikar has joined #openstack-keystone16:22
openstackgerritJorge Munoz proposed openstack/keystone: Reduce revoke events for disabled domains and projects.  https://review.openstack.org/25327316:28
*** atiwari has joined #openstack-keystone16:29
stevemarlbragstad: no limit, really, it's just saying "i promise to review this"16:33
stevemarnotmorgan: i did see 'sleep no more!'16:33
stevemartjcocozz: hola16:33
tjcocozzstevemar, just was having some problems trying to figure out what you and cristian were talking about here https://review.openstack.org/#/c/249958/16:34
kfox1111has anyone tested k2k and sahara, trove, or heat?16:35
kfox1111do they all work ok?16:35
*** reed has quit IRC16:36
bknudsonwith k2k you get a regular keystone token which you can send to sahara, trove, or heat.16:36
stevemarkfox1111: presumably... i think most folks tried it with nova/glance/cinder/neutron16:36
kfox1111yeah, but those don't need trusts or use the users credentials in the vm's.16:36
stevemartjcocozz: right, so for that patch, we should try to optimize the SQL backend to get the info all in one shot16:37
stevemarinstead of doing a fetch N times16:37
tjcocozzstevemar, but isn't the info in different backends?16:38
*** reed has joined #openstack-keystone16:38
stevemartjcocozz: yep! that's why in cristians patch he does a join16:38
openstackgerritDavid Stanek proposed openstack/keystone: Remove invalid comment about LDAP domain support  https://review.openstack.org/25364316:39
ayoungdstanek, marekd thanks...good catch on the test question, I missed that.16:40
dstanekayoung: if you agree with my 1 letter commit message change you can +2+A samueldmq's review ^16:40
dstanekayoung: np16:40
ayoungdstanek, nice.16:41
kfox1111do trusts work with k2k?16:41
ayoungkfox1111, what do you mean?16:41
tjcocozzstevemar, for some reason i thought you could some things in  ldap backend and others in sql at the same time.16:41
tjcocozzstore ^16:41
stevemartjcocozz: no no, it's one or the other16:42
stevemarunless it's identities, in which case we have that funky mapping table16:42
kfox1111say I login with a keystone idp, go to a region maintained with a sp, then launch a heat stack, which creates a trust in the sp against the federated user, for future use.16:42
kfox1111does that work properly?16:43
tjcocozzstevemar, oh that clears some stuff up.  i guess.  what is the problem with the mapping table?16:43
*** boris-42_ has joined #openstack-keystone16:44
kfox1111yeah, it looks like sahara as of liberty still doesn't support trusts properly. :/16:46
*** fhubik has quit IRC16:46
kfox1111so I think k2k is also a dead end for us for now. :_(16:46
*** openstackgerrit has quit IRC16:47
*** openstackgerrit has joined #openstack-keystone16:47
stevemartjcocozz: also, only optimize the SQL backend16:48
stevemarthe LDAP backend will be removed/deprecated16:48
stevemarkfox1111: that stinks16:48
tjcocozzstevemar, how did you know i was looking into the ldap backend?   lol I will focus on the sql backend, thanks for the heads up16:49
stevemartjcocozz: magic ptl powers, duh16:49
stevemar:)16:49
notmorgantjcocozz: don't ask too many questions16:49
notmorganit's secret PTL powers ;)16:50
tjcocozzstevemar, haha it must be.16:50
*** alejandrito has joined #openstack-keystone16:55
kfox1111stevemar: yeah. we were really hoping to have one keystone to rule all of our regions.16:59
kfox1111I don't think there's a way to do that currently. :/16:59
kfox1111sahara's one of our most commonly used services so it's gotta work. :/16:59
kfox1111looks like mitaka+ may support it.16:59
*** gyee has joined #openstack-keystone17:00
*** ChanServ sets mode: +v gyee17:00
*** alex_xu has quit IRC17:04
*** rderose has joined #openstack-keystone17:05
*** davechen has quit IRC17:05
odyssey4mestevemar is the LDAP backend being removed entirely... or just the writable access to LDAP?17:05
bretonoh gawd, you merged https://review.openstack.org/#/c/240762/17:05
*** pauloewerton has quit IRC17:06
stevemarbreton: hit the revert button ;)17:06
stevemarbreton: i realized this yesterday, a few days after merging it17:06
stevemarodyssey4me: so LDAP backend for projects/domains/role assignments ==> will be removed17:07
stevemarodyssey4me: LDAP backend for identity (user and groups) ==> will be read only17:07
odyssey4mestevemar entirely, wow... is it deprecated now, if so when was that done? and when do you think it'll be removed?17:08
stevemarodyssey4me: we've had deprecation warnings for projects/domains/role assignments for 2 releases17:08
*** petertr7_away is now known as petertr717:08
stevemarhttps://github.com/openstack/keystone/blob/master/keystone/assignment/backends/ldap.py#L35-L38 and https://github.com/openstack/keystone/blob/master/keystone/resource/backends/ldap.py#L36-L39 (this was branched from another that's why it says liberty)17:09
*** pgbridge has quit IRC17:09
stevemardoes it impact you?17:09
mtreinishlbragstad: you asked me about this test once before right? http://status.openstack.org/openstack-health/#/test/tempest.api.identity.admin.v3.test_services.ServicesTestJSON.test_create_update_get_service17:09
*** ayoung has quit IRC17:10
lbragstadmtreinish checking17:10
mtreinishlbragstad: I'm just showing the page off :)17:10
lbragstadmtreinish it's *very* flashy17:10
*** alex_xu has joined #openstack-keystone17:10
stevemarmtreinish: oh *that* test17:10
odyssey4mestevemar well, I'm wondering what the alternative is for a global cluster where you need a common set of project ID's and project/domain/role assignments across regions17:11
odyssey4methere is, of course, replicating your DB17:11
stevemarodyssey4me: you were using ldap for that?17:11
stevemaryeah, that's the other option17:12
mtreinishlbragstad: it is, I'm just going through my irc logs finding everyone who asked me for a test perf graph at some point and pointing them to the dashboard now :)17:12
mtreinishstevemar: heh, yep17:12
lbragstadmtreinish nice, i remember you sending me some metrics on test times once17:12
lbragstadI want to say it was around race-conditions17:12
mtreinishlbragstad: I think it was a fernet thing17:12
mtreinishit's always a fernet thing :)17:12
lbragstadmtreinish yes, i think so17:12
odyssey4mestevemar in this particular case I'm looking at a swift cluster, so all I need is common account ID's... that with federation will do the trick (as with federation I can map the user to the domain, group and role)17:13
odyssey4mes/account id/project id/17:13
lbragstadmtreinish lol apparently!17:13
odyssey4meswift uses the project id as the container id for objects17:13
lbragstadspeaking of fernet17:14
stevemarodyssey4me: yep, i know all about swift using project id as the account id, which stores containers17:14
* lbragstad leaves https://review.openstack.org/#/c/249863/ on the table next to mtreinish 17:14
stevemarodyssey4me: hmm, maybe dolphm has a clever answer for you17:14
odyssey4mestevemar so the answer is effectively db replication at this point17:15
odyssey4mealright, thanks17:15
stevemarodyssey4me: you're the first person to actually say you want to keep the project backend for LDAP around in about a year :)17:16
stevemarodyssey4me: we'll find a solution for you, and if push comes to shove, i won't remove it if it causes you significant pain17:16
mtreinishlbragstad: ugh, more magic sleeps... +217:16
lbragstadmtreinish yep17:17
*** davechen_bot has joined #openstack-keystone17:17
*** pgbridge has joined #openstack-keystone17:17
*** RichardRaseley has joined #openstack-keystone17:17
odyssey4mestevemar I'll see if we can work out another alternative, or whether DB sync will be suitable. Thanks!17:18
*** petertr7 is now known as petertr7_away17:18
*** jistr|mtg is now known as jistr17:21
*** henrynash has quit IRC17:24
*** henrynash has joined #openstack-keystone17:25
*** ChanServ sets mode: +v henrynash17:25
*** ayoung has joined #openstack-keystone17:25
*** ChanServ sets mode: +v ayoung17:25
*** davechen has joined #openstack-keystone17:30
openstackgerritBoris Bobrov proposed openstack/keystone: Verify that attribute `enabled` equals True  https://review.openstack.org/25488117:30
*** rderose has quit IRC17:30
*** tonytan4ever has quit IRC17:31
*** ayoung has quit IRC17:31
openstackgerritBoris Bobrov proposed openstack/keystone: Verify that attribute `enabled` equals True  https://review.openstack.org/25488117:31
*** jdennis has quit IRC17:34
stevemarbreton: thanks for the patch17:34
notmorganmtreinish: woo magic sleep17:34
henrynashdstanek: ping17:34
dstanekhenrynash: pong17:35
henrynashdstanek: re your comment on the V9 assignment patch, I would expect tox -e Legacy_drivers to fail with your change17:35
henrynashdstanek: but tox -e py27 would still pass since it doesn't run the legacy tests17:36
*** aginwala has joined #openstack-keystone17:36
henrynashdstanek: that’s how I got round (I hope) avoiding the multiple models problem17:36
dstanekhenrynash: how are you excluding the legacy tests?17:37
*** jdennis has joined #openstack-keystone17:37
henrynashtox -elegacy_drivers17:37
henrynashsorry17:37
*** spandhe has joined #openstack-keystone17:37
henrynashdstanek: sorry (now read your question): by not having test in the name of the file17:37
dstanekhenrynash: that only add a target to specifically run them. it doesn't stop them from running with tox -e py2717:38
dstanekdo they not run under normal circumstances?17:38
henrynashdstanek: I ensured the name of the test file does not contain the word ‘test'17:38
dstanekhenrynash: is that how testtools does its discovery? i know that's what nose used to do17:39
henrynashdstanek: that’s why the legacy test  is called ‘sql.py” not “test_sql.py"17:39
henrynashdstanek: I believe so….it certainly seems to (i.e. if you search for V8 in the output of a py27 run, those tests have not been executed)17:40
dstanekhenrynash: let me experiment a little more17:40
henrynashdstanek: thanks, really appreciate it17:40
*** aginwala has quit IRC17:42
*** tqtran has joined #openstack-keystone17:42
*** ayoung has joined #openstack-keystone17:44
*** ChanServ sets mode: +v ayoung17:44
samueldmqhenrynash: so you brought role groups back to life again ?17:45
*** aginwala has joined #openstack-keystone17:45
*** haneef_ has joined #openstack-keystone17:45
*** ctina_ has joined #openstack-keystone17:46
openstackgerritBoris Bobrov proposed openstack/keystone: Verify that attribute `enabled` equals True  https://review.openstack.org/25488117:46
henrynashsamueldmq: well only so people could compare - I personally prefer the API that has merged, but not everyone agrees - so I thought the best way was to actually show what the alternate API would look like (all 800 lines of it)17:46
samueldmqhenrynash: but creating role-groups is very similar to creating implied roles, isn't it ?17:48
samueldmqhenrynash: a role group contains one or more roles, and an implied role does too17:48
openstackgerritJorge Munoz proposed openstack/keystone: Reduce revoke events for disabled domains and projects.  https://review.openstack.org/25327317:48
henrynashsamueldmq: yes…and that's the point…it was raised (gyee) that a better way of doing Domain Specific Roles would be to actually do role-groups and NOT do them as implied roles. I personally don't share that view, but in order to compare I wanted to show how much we would have to do for role groups17:49
*** e0ne has quit IRC17:50
odyssey4mestevemar apologies for what may be a dumb question - is the assignments LDAP back-end read-only, or read-write?17:51
stevemarodyssey4me: currently read-write17:51
*** HoloIRCUser3 has joined #openstack-keystone17:51
*** HoloIRCUser3 has quit IRC17:51
*** HoloIRCUser1 has joined #openstack-keystone17:51
*** roxanaghe has joined #openstack-keystone17:53
samueldmqhenrynash: sure, that makes complete sense to bring this up to discusion17:53
samueldmqdiscussion*17:53
odyssey4mestevemar how about an option to switch that drive to be read-only... it should simplify the code somewhat, but still be useful - the responsibility for assignments and management would be entirely outside of Keystone, and Keystone would just be a consumer17:54
stevemarodyssey4me: i'd prefer to not make any changes to it :P17:55
odyssey4mestevemar horrible spaghetti, yeah? ;)17:56
stevemarunless this is something you really want to stick with17:56
odyssey4mestevemar simply exploring options here17:56
stevemarodyssey4me: understood17:57
stevemarall the courtesy pings! ajayaa, amakarov, ayoung, breton, browne, davechen, david8hu, dolphm, dstanek, ericksonsantos, geoffarnold, gyee, henrynash, hogepodge, htruta, jamielennox, joesavak, lbragstad, lhcheng, marekd, morganfainberg, nkinder, raildo, rodrigods, roxanaghe, samueldmq, shaleh, stevemar, tsymanczyk, topol, vivekd, wanghong, claudiub, rderose, samleon, xek, MaxPC, tjcocozz17:59
*** rderose has joined #openstack-keystone18:00
*** jaosorior has quit IRC18:00
ayoungWeeee!18:02
*** jistr has quit IRC18:05
*** Guest76635 is now known as tsymanczyk18:06
*** stevemar changes topic to "~45 days until mitaka-2 is released! see blueprints and bugs at: https://launchpad.net/keystone/+milestone/mitaka-2"18:07
*** tqtran_ has joined #openstack-keystone18:10
*** diazjf has joined #openstack-keystone18:11
*** tonytan4ever has joined #openstack-keystone18:16
*** jbell8 has joined #openstack-keystone18:16
*** jasonsb has quit IRC18:17
openstackgerritJorge Munoz proposed openstack/keystone: Reduce revoke events for disabled domains and projects.  https://review.openstack.org/25327318:18
*** richm has quit IRC18:19
*** alejandrito has quit IRC18:19
*** alejandrito has joined #openstack-keystone18:19
*** tonytan4ever has quit IRC18:21
bknudsonjamielennox: we have a test for a challenge-response auth plugin : http://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/unit/test_auth_plugin.py#n6818:23
*** gokrokve has quit IRC18:24
jamielennoxbknudson: cool, didn't know that, but yea i didn't think it'd be all that hard to do18:24
bknudsonI don't know if anybody's actually used this feature.18:25
*** gokrokve has joined #openstack-keystone18:25
*** mhickey has quit IRC18:26
*** pumaranikar has quit IRC18:29
*** gokrokve has quit IRC18:30
*** dims_ has quit IRC18:30
*** shaleh has joined #openstack-keystone18:31
*** gokrokve has joined #openstack-keystone18:31
*** gokrokve has quit IRC18:33
*** gokrokve has joined #openstack-keystone18:34
*** tonytan4ever has joined #openstack-keystone18:35
*** fangxu has joined #openstack-keystone18:36
jamielennoxayoung: on not adding new abstraction levels, i'm going through your implied roles again, why did you add a new concept? why not just make roles  hierarchical18:39
*** jerrygb has quit IRC18:39
ayoungjamielennox, they are!18:39
ayoungimplied roles are hierarchical, but this is a namespacing issue18:39
jamielennoxdid we really need /implied_roles instead of just add it to /roles18:39
*** e0ne has joined #openstack-keystone18:39
jamielennoximplied_roles are real in this case right? like they'll end up in the token?18:40
ayoungjamielennox, oh, that...I started with it in /roles, but the relationship between roles is really a separate entity from the roles themselves18:40
ayoungmany to many relation is easier to represent as a table18:40
jamielennoxright, but that's because our role assignment interface sucks18:40
ayoungso, it really is the rules that is the new entity, and the rules will determine what roles end up in the token18:40
ayoungso, yes18:40
ayoungheh18:40
jamielennoxi dislike long winded PUT /a/{id}/b/{id}/c with no body18:41
jamielennoxPUT /c with ids in body18:41
jamielennoxbut anyway18:41
jamielennoxayoung: so if implied roles don't end up in the token then i'm not sure why we don't just merge it with henrynash's DSR18:41
jamielennoxdomain specific implied roles18:42
jamielennox- and then just call them roles18:42
ayoungjamielennox, the implied roles do end up in the token18:42
ayoungDSRs do not18:42
ayoungDSRs will use the inference rules to put roles in the token18:42
ayoungso DSR IBM/admin can imply global admin, and a user assigned IBM/ADMIN on a project gets the global admin role18:43
*** pumaranikar has joined #openstack-keystone18:43
jamielennoxok, i was expecting them to end up in the token18:45
jamielennoxso implied_roles are global DSRs and we just say that global ones go in the token?18:45
*** ctina_ has quit IRC18:46
*** jerrygb has joined #openstack-keystone18:46
*** fangxu has quit IRC18:46
ayounggyee, we can carry on the convo here18:46
ayoungI can multiplex18:46
*** aginwala has quit IRC18:47
jamielennoxah, i gotta run for an hour or so18:47
jamielennoxbut i think it'd be good to merge the concepts somehow18:47
gyeeayoung, sure18:47
ayounggyee, so, what if we split groups off identity18:48
openstackgerritJorge Munoz proposed openstack/keystone: Reduce revoke events for disabled domains and projects.  https://review.openstack.org/25327318:48
gyeeayoung, in my view, user groups are essential permission templates18:49
gyeepersonas18:49
ayoungwe can say "a users identity comes from one domain, but they can have groups for many.  Only An admin for a domain is capable for setting up how to map users to groups for their domain"18:49
*** david-ly_ has joined #openstack-keystone18:50
ayounggyee, agreed, and I think that henrynash is using DSRs the same way.  He was forced to DSRs due to groups being hardwired to the domain that the user comes from18:50
*** tqtran_ has quit IRC18:51
ayounggyee, and also the fact that identity is read only, but we already have the idea that groups can be read/write, just that a user only gets groups from their home domain18:51
*** david-ly_ is now known as david-lyle_18:52
gyeeayoung, I agreed we may not to decouple groups from identity, implementation-wise18:52
gyeemay need18:52
gyeesorry about the typo18:53
*** HoloIRCUser1 has quit IRC18:53
*** david-lyle has quit IRC18:54
*** davechen has left #openstack-keystone18:59
*** jasonsb has joined #openstack-keystone19:00
*** rderose has quit IRC19:00
stevemarbknudson: so we are definitely aiming to have the ongoing stuff merge in M19:00
ayounggyee, look at that diagnostic email link I posted again, and think through what you would want from it.  I think the idea is super powerful19:00
stevemari'm just doing what dolphm and notmorgan did, they had it as "ongoing"19:01
gyeeayoung, when did you send the email19:01
gyee?19:01
ayounggyee, I'll link again19:01
bknudsonongoing makes it sound like it's not targeted for M19:01
amakarovayoung, I'd be nice - my commit chain starts with basic materialized path support that can be used in HMT right now19:01
ayounggyee, https://openstack.nimeyo.com/66396/openstack-dev-keystone-diagnostic-apis-for-keystone19:01
stevemarbknudson: i wouldn't say that19:02
*** openstackgerrit has quit IRC19:02
*** openstackgerrit has joined #openstack-keystone19:02
stevemarbknudson: they are best-effort, and can go in while we are working on M3 or Mitaka-RC period19:02
stevemari'd love for them to be in19:03
*** davechen_bot has quit IRC19:03
ayoungamakarov, I think the best bet is to have it ready to go as soon as N opens.  That alone will be no easy task.  But if the spec reflects the reality, we can merge the spec to backlog as soon as we have it firmed up, then the N dev cycle will run smoother19:03
bknudsonok, they're not in the section "To be completed for Mitaka", so seems like these aren't going to be completed for mitaka.19:03
bknudsonaren't all of these best-effort?19:04
amakarovayoung, interesting. I thought like "no specs after FF"19:04
stevemarbknudson: hmm, you're getting hung up on the wording, but i see your point19:05
ayoungamakarov, specs can always be approved to backlog19:06
lbragstaddstanek nonameentername xek I have my name down as a champion for a spec that you own. Please let me know if there are things you need from me as a reviewer19:06
*** jasonsb has quit IRC19:06
ayoungalways post a spec to backlog until it gets approved, it stays out of the Named subfolder19:07
*** jbell8 has quit IRC19:07
amakarovayoung, well, that's good news19:07
ayoung++  amakarov and it will be more solid if you develop the spec and the code in parallel:  the spec will more closely match reality19:07
* ayoung needs food19:07
*** gokrokve has quit IRC19:08
bknudsonhttps://pypi.python.org/pypi/otpauth/ - a library for otp19:08
bknudson"You can create a QR code for Google Authenticator to scan" -- looking forward to seeing that in horizon19:08
gyeeayoung, so if we have good enough INFO logs, diagnostics can be done outside of keystone, i.e. splunk, logger, kibana19:08
bknudson(or in the clouds.yaml ?)19:08
bknudsonhere's another one: https://pypi.python.org/pypi/oath19:08
ayounggyee, nope19:09
ayoungwe are going to want to be able to say "can Gyee execute this api on this resource" a-priori.  Won't be in a log, until we try19:09
amakarovayoung, my case exactly: the spec follows the code.19:09
stevemarhenrynash: you sure you're gonna manage with all your work? :)19:10
* amakarov goes home19:10
gyeeayoung, interesting, so this is like authorization API wrap in diagnostics?19:10
*** wanghua has quit IRC19:13
*** david-lyle_ is now known as david-lyle19:14
*** fangxu has joined #openstack-keystone19:14
*** aginwala has joined #openstack-keystone19:15
*** gokrokve has joined #openstack-keystone19:16
*** henrynash has quit IRC19:19
ayounggyee, it is an API that could work for both authorization or for diagnostics19:21
*** tqtran has quit IRC19:21
*** jbell8 has joined #openstack-keystone19:26
gyeeayoung, ++, if user can ask meaningful questions like "can I do this with the given token?" that would be awesome19:28
ayounggyee, or "...with an assertion that has these values..."19:29
*** aginwala has quit IRC19:29
gyeeself-service is very much under-represented right now19:29
*** aginwala has joined #openstack-keystone19:30
ayounggyee, I was thinking along the lines of "I have a user coming in to use my resources tomorrow...will he/she be able to do so?"19:30
gyeeayoung, but the scope of your email goes much deeper though, like diagnose misconfigurations19:30
ayoungand, if not...what do I need to do to get there19:30
ayounggyee, right, I could see one step being "get me the username, userid, and groups for a user with assertion that has .... in it19:31
*** diazjf has quit IRC19:31
*** diazjf has joined #openstack-keystone19:31
*** gokrokve has quit IRC19:31
ayoungand then "if a user has ID X group Y, and tries to get a token on project P, what roles will they get.19:31
ayoung^H?19:32
ayoung"19:32
gyeeayoung, but how does that detect misconfigurations?19:33
ayounggyee, it lets you break up the token processing in to steps, and identify which step failed19:34
gyeesay my LDAP filter is wrong, that'll result in user not found19:34
gyeebut we can't say user not found always means my LDAP filter is wrong19:35
*** flwang1 has joined #openstack-keystone19:36
*** harlowja has quit IRC19:38
*** harlowja has joined #openstack-keystone19:38
*** erhudy has quit IRC19:40
gyeehenrynash, ayoung, stevemar, I've responded to https://review.openstack.org/#/c/254139/19:48
*** atiwari has quit IRC19:48
gyeeso we have some closure on this19:48
gyeefor now19:48
*** tqtran has joined #openstack-keystone19:49
notmorganjamielennox: ping19:50
ayounggyee, so...DSRs as experimental will let us play with them.  I think we should explore doing more with the group abstrction.  Want me to write up a spec for that?19:50
ayoungWe can bat it around and, if we come up with something better, provide a migration from DSRs to Groups if we implement...19:50
ayoungnotmorgan, just ask the question...no naked pings!19:50
notmorganayoung: always naked pings19:50
notmorganayoung: ping19:51
notmorgansee19:51
*** atiwari has joined #openstack-keystone19:51
gyeeayoung, it is essentially permission templates that we are after19:54
ayounggyee, can you define what you want from a permission template?19:55
*** mhickey has joined #openstack-keystone19:55
gyeeayoung, user groups?19:55
ayounggyee, describe the use case/pattern19:56
ayoungcan be in email19:56
*** petertr7_away is now known as petertr719:58
gyeeayoung, you assign user groups roles for a given scope, whoever is part of that groups *inherit* those permissions20:01
gyeethat model's been around for ages20:01
gyeesimple, easy to use, easy to understand, easy to audit20:01
gyeeyou either part of a group or you don't20:01
*** spandhe has quit IRC20:02
ayounggyee, so...I bet we could even make this work without changing the group API, but the issue is that group names are not scoped to domain20:02
ayoungI suspect we would need the URL safe approach we were proposing for projects, and then:20:02
gyeeayoung, user groups are owned by domain20:02
ayounggyee, yes, but...20:02
ayoungassume a user might have groups from multiple domains20:02
ayounggyee, http://git.openstack.org/cgit/openstack/keystone-specs/tree/api/v3/identity-api-v3.rst#n467620:04
ayounghttp://git.openstack.org/cgit/openstack/keystone-specs/tree/api/v3/identity-api-v3.rst#n457520:04
*** spandhe has joined #openstack-keystone20:04
ayoungthat already supports users in a different domain20:04
*** aginwala has quit IRC20:05
gyeeayoung, not sure if I understand, we are not returning groups in token response20:05
ayounggyee, not in the token...this would be splitting identity20:05
ayounghttp://git.openstack.org/cgit/openstack/keystone-specs/tree/api/v3/identity-api-v3.rst#n4276  is the key one20:06
ayounggyee, it would work as is20:06
gyeeayoung, but that API returns the group ref, not just the name20:07
ayoungnotmorgan, what would you say to the idea of splitting off groups from identity, such that we could manage group membership in keystone in addition to getting it from the Federated assertions?20:07
*** lhcheng has quit IRC20:07
gyeenotmorgan, hope you don't have to deal with floods in PDX20:07
ayounggyee, if I ask for a token in domain D, I see what groups  the user is in.  If we properly limit assignment of users to groups, then it should not open up any security holes20:08
ayounggyee, I think that I am going to propose that as an alternative to DSRs20:08
notmorganayoung: i have very little care on that front20:08
ayoungwish henry was here, but I can ask him20:09
ayoungnotmorgan, I know, but you have good kneejerk reactions20:09
ayoungwhat is your gut response to that proposal?20:09
*** aginwala has joined #openstack-keystone20:09
* gyee poke a needle to notmorgan's knees20:09
*** pece has joined #openstack-keystone20:09
notmorganayoung: i have no reaction to it.20:10
notmorganayoung: like... no care one way or another20:10
notmorganayoung: just ask [not deployer experience] what end user experience is impacted if anything20:10
notmorganand think about people like mordred running things on the clouds20:10
notmorganif it would make those folks' lives bad, don't do it20:10
gyeedeployers get shit from their end users all the time :)20:11
ayoungnotmorgan, all I can do is see how it would make my life better, and I can't see past that...maybe lbragstad or dolphm could chime in....20:11
gyeeif things don't work intuitively20:11
ayounglbragstad, dolphm question:  what if we managed groups separately from users, such that we could assign users from one domain to groups in another20:12
ayoung?20:12
notmorganayoung: right. so, thats what i'm asking you to do. think about running things on top of a cloud you don't have admin on. make sure you don't make that experience worse20:12
notmorganayoung: most of the rest of the stuff is kind of low on my "care-o-meter"20:13
notmorganayoung: because right now i think we need end user happiness more than anything else.20:13
ayoungnotmorgan, so...I *think*this will only increase it.20:13
openstackgerritSean Perry proposed openstack/keystone: Clean up new_credential_ref usage and surrounding code  https://review.openstack.org/24671320:14
mordrednotmorgan: what did I do?20:14
notmorganmordred: you run things on clouds20:14
mordredawesome20:15
notmorganmordred: was using you as an example of "don't make people's lives bad when interacting with the clouds"20:15
mordredyes please20:16
*** fangxu has quit IRC20:18
*** petertr7 is now known as petertr7_away20:20
*** atiwari1 has joined #openstack-keystone20:30
*** timcline has quit IRC20:32
*** atiwari has quit IRC20:34
*** timcline has joined #openstack-keystone20:37
*** gyee has quit IRC20:40
*** henrynash has joined #openstack-keystone20:43
*** ChanServ sets mode: +v henrynash20:43
*** richm1 has joined #openstack-keystone20:45
openstackgerritBrant Knudson proposed openstack/keystone: Remove keystoneclient tests  https://review.openstack.org/24047420:46
*** davechen has joined #openstack-keystone20:50
*** alvipet has quit IRC20:50
openstackgerritBrant Knudson proposed openstack/keystoneauth: Switch saml2 from lxml to built-in xml  https://review.openstack.org/24251220:53
*** fawadkhaliq has quit IRC20:55
*** gildub has joined #openstack-keystone20:58
stevemarcan someone please approve https://review.openstack.org/#/c/240474/ gyee notmorgan ayoung20:58
ayoungstevemar, looking20:58
notmorganstevemar: +2, no +A cause jenkins.20:59
notmorganstevemar: feel free to +A if you want20:59
ayoungstevemar, heh...I +Aed it anyway20:59
stevemarnotmorgan: what's the harm in +A'ing? it's just less tests, i can't imagine how it's gonna fail21:00
*** petertr7_away is now known as petertr721:00
*** fangxu has joined #openstack-keystone21:02
bretonif it will be +A'd and the tests won't pass, it will break hope.21:04
*** aginwala has quit IRC21:05
samueldmqdstanek: replied to your comment on https://review.openstack.org/#/c/253219/21:05
jamielennoxnotmorgan: pong21:07
*** jamielennox has left #openstack-keystone21:07
*** jamielennox has joined #openstack-keystone21:07
*** ChanServ sets mode: +v jamielennox21:07
*** aginwala has joined #openstack-keystone21:09
*** fangxu has quit IRC21:13
*** lhcheng has joined #openstack-keystone21:14
*** ChanServ sets mode: +v lhcheng21:14
*** diazjf has quit IRC21:18
*** diazjf has joined #openstack-keystone21:20
*** topol has quit IRC21:21
*** fangxu has joined #openstack-keystone21:22
*** jasonsb has joined #openstack-keystone21:23
*** jasonsb has quit IRC21:23
*** jasonsb has joined #openstack-keystone21:24
*** pwp has joined #openstack-keystone21:25
*** davechen has quit IRC21:26
*** davechen has joined #openstack-keystone21:27
*** roxanaghe has quit IRC21:28
*** doug-fis_ has joined #openstack-keystone21:30
*** dims has joined #openstack-keystone21:31
*** ayoung has quit IRC21:31
*** doug-fish has quit IRC21:32
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/25444421:32
*** aginwala has quit IRC21:33
*** petertr7 is now known as petertr7_away21:33
*** petertr7_away is now known as petertr721:34
pwpdolphm: I am looking at implementing this https://bugs.launchpad.net/keystone/+bug/1218682. Appears abandoned. I'm looking at their implementation now to find why it was rejected. I just wanted to make sure no one else was currently working on it.21:35
openstackLaunchpad bug 1218682 in python-keystoneclient "User's email format hasn't been checked" [Wishlist,In progress]21:35
*** mhickey has quit IRC21:49
*** reed has left #openstack-keystone21:50
*** dims has quit IRC21:59
stevemarpwp: you are free to work on it22:00
openstackgerritMerged openstack/keystone: Refactor: Move uncommon entities from setUp  https://review.openstack.org/25269222:01
stevemarpwp: commented22:02
pwpstevemar: Thanks! I know diazjf, so I'll keep you guys updated and use him as a guide for getting used to the community culture! Thanks!22:02
*** spandhe has quit IRC22:03
openstackgerritMerged openstack/keystone: Refactor: Remove use of self where not needed  https://review.openstack.org/25270622:05
*** spandhe has joined #openstack-keystone22:05
*** gokrokve has joined #openstack-keystone22:05
dstanekbknudson:  :-(  found this buried in some gerrit data: http://paste.openstack.org/show/481248/22:06
bknudsondstanek: I've been -1d.22:07
*** gokrokve has quit IRC22:07
*** gokrokve has joined #openstack-keystone22:07
dstanekbknudson: with all the -1s you hand out it was bound to happen22:08
bknudsongoes around comes around22:09
*** david-ly_ has joined #openstack-keystone22:10
dstaneklooks like that's the section of the review data for the people that voted -1 - so it's not targeted toward you after all!22:10
bknudsonit was merged even though I -1d?22:11
bknudsonthat's pretty common22:11
*** henrynash has quit IRC22:11
bknudsonalso, I really need an avatar for gerrit22:12
*** david-lyle has quit IRC22:13
*** david-ly_ is now known as david-lyle22:13
*** davechen is now known as davechen_afk22:16
stevemarpwp: awesomeo22:16
*** jbell8 has quit IRC22:17
*** belmoreira has joined #openstack-keystone22:19
bretonstevemar: re: bug 121868222:19
openstackbug 1218682 in OpenStack Identity (keystone) "User's email format hasn't been checked" [Wishlist,Triaged] https://launchpad.net/bugs/121868222:19
*** diazjf has quit IRC22:19
bretonI think we decided not to do any validation22:20
bretonand we rejected several patches to that already22:20
stevemarbreton: i'm ok with something super basic22:20
openstackgerritTom Cocozzello proposed openstack/keystone: WIP List assignments with names  https://review.openstack.org/24995822:21
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/25463322:21
*** lhcheng has quit IRC22:23
*** pwp has quit IRC22:24
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/25463322:25
*** e0ne has quit IRC22:26
*** pumaranikar has quit IRC22:35
*** spandhe has quit IRC22:36
*** gokrokve has quit IRC22:39
*** petertr7 is now known as petertr7_away22:40
*** aginwala has joined #openstack-keystone22:42
*** lhcheng has joined #openstack-keystone22:43
*** ChanServ sets mode: +v lhcheng22:43
*** ayoung has joined #openstack-keystone22:43
*** ChanServ sets mode: +v ayoung22:43
*** gokrokve has joined #openstack-keystone22:49
*** lhcheng has quit IRC22:50
*** gokrokve has quit IRC22:50
*** timcline has quit IRC22:52
*** gokrokve has joined #openstack-keystone22:53
*** gokrokve_ has joined #openstack-keystone22:55
*** esp has quit IRC22:56
*** gokrokve has quit IRC22:56
*** samueldmq has quit IRC22:56
*** sigmavirus24 is now known as sigmavirus24_awa22:56
openstackgerritMerged openstack/keystone: Update extensions links  https://review.openstack.org/25358723:00
*** gokrokve_ has quit IRC23:03
*** spandhe has joined #openstack-keystone23:03
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/25463323:05
*** davechen_afk has left #openstack-keystone23:07
*** lhcheng_ has joined #openstack-keystone23:10
*** chlong has quit IRC23:10
*** slberger has left #openstack-keystone23:14
*** gildub has quit IRC23:14
*** mkoderer has quit IRC23:15
*** mkoderer has joined #openstack-keystone23:18
*** lhcheng_ has quit IRC23:20
*** edmondsw has quit IRC23:21
*** alex_xu has quit IRC23:36
*** aginwala has quit IRC23:37
*** alex_xu has joined #openstack-keystone23:41
*** gordc has quit IRC23:41
*** pece has quit IRC23:44
*** gildub has joined #openstack-keystone23:54
*** jerrygb has quit IRC23:55
*** aginwala has joined #openstack-keystone23:55
*** jerrygb has joined #openstack-keystone23:56
*** andrewbogott has joined #openstack-keystone23:57
*** andrewbogott has quit IRC23:58
*** andrewbogott has joined #openstack-keystone23:58
