Monday, 2015-12-21

*** markvoelker has quit IRC		00:04
*** chlong has joined #openstack-keystone		00:05
*** gildub_ has joined #openstack-keystone		00:05
*** hogepodge has quit IRC		00:16
*** hogepodge has joined #openstack-keystone		00:22
*** hogepodge has quit IRC		00:27
*** tiny-hands has joined #openstack-keystone		00:28
*** hogepodge has joined #openstack-keystone		00:43
*** dims has joined #openstack-keystone		00:43
openstackgerrit	Merged openstack/keystoneauth: Add some documentation about migrating from ksc https://review.openstack.org/259256	00:44
*** dims has quit IRC		01:02
*** sdake_ has joined #openstack-keystone		01:03
*** sdake has quit IRC		01:04
*** markvoelker has joined #openstack-keystone		01:05
*** tiny-hands has quit IRC		01:06
*** EinstCrazy has joined #openstack-keystone		01:06
*** markvoelker has quit IRC		01:10
*** dims has joined #openstack-keystone		02:07
*** jasonsb has joined #openstack-keystone		02:07
*** jasonsb has quit IRC		02:07
*** jasonsb has joined #openstack-keystone		02:09
*** markvoelker has joined #openstack-keystone		02:36
*** woodster_ has quit IRC		02:36
*** markvoelker has quit IRC		02:40
*** jmccrory has quit IRC		02:41
*** jmccrory has joined #openstack-keystone		02:43
*** sdake_ has quit IRC		02:47
*** dave-mccowan has quit IRC		02:51
*** jasonsb has quit IRC		03:01
openstackgerrit	ChangBo Guo(gcb) proposed openstack/keystone: Use the oslo.utils.reflection to extract the class name https://review.openstack.org/241494	03:22
*** wanghua has quit IRC		03:23
*** links has joined #openstack-keystone		03:26
*** dims has quit IRC		03:32
*** agireud has quit IRC		04:03
*** Guest55431 is now known as _RA		04:26
*** markvoelker has joined #openstack-keystone		04:37
*** markvoelker has quit IRC		04:41
*** markvoelker has joined #openstack-keystone		05:10
*** GB21 has joined #openstack-keystone		05:24
*** Nirupama has joined #openstack-keystone		05:27
*** urulama has quit IRC		06:00
*** urulama has joined #openstack-keystone		06:00
*** oomichi has joined #openstack-keystone		06:06
*** _RA has quit IRC		06:17
*** oomichi has quit IRC		06:30
openstackgerrit	henry-nash proposed openstack/keystone: Add support for strict url safe option on new projects and domains https://review.openstack.org/257376	06:49
*** oomichi has joined #openstack-keystone		06:53
*** gildub has quit IRC		07:03
*** gildub_ has quit IRC		07:03
*** wanghua has joined #openstack-keystone		07:08
*** chlong has quit IRC		07:13
*** markvoelker has quit IRC		07:21
*** markvoelker has joined #openstack-keystone		07:25
*** steveng has joined #openstack-keystone		07:38
steveng	Hey keystoners.. I want to know whether it is possible to fetch users from different OU's in LDAP..	07:38
*** GB21 has quit IRC		08:07
*** steveng has quit IRC		08:19
*** GB21 has joined #openstack-keystone		08:26
*** steveng has joined #openstack-keystone		08:29
steveng	src/infra/ansible/roles/connet/files/usr/share/openstack-dashboard-ubuntu-theme/static/themes/ubuntu/ubuntu.png	08:29
steveng	Hey keystoners.. I want to know whether it is possible to fetch users from different OU's in LDAP.	08:30
*** chlong has joined #openstack-keystone		08:31
*** roxanaghe has joined #openstack-keystone		08:43
*** steveng has quit IRC		08:46
*** steveng has joined #openstack-keystone		08:47
*** pnavarro has joined #openstack-keystone		08:51
*** daemontool has joined #openstack-keystone		09:00
*** steveng has quit IRC		09:10
*** mhickey has joined #openstack-keystone		09:17
*** markvoelker has quit IRC		09:25
*** openstack has joined #openstack-keystone		15:35
*** openstackstatus has joined #openstack-keystone		15:35
*** ChanServ sets mode: +v openstackstatus		15:35
*** jsavak has quit IRC		15:39
*** jsavak has joined #openstack-keystone		15:40
bknudson_	the keystone gate jobs should be fixed now... I'll try rechecking.	15:43
*** jsavak has quit IRC		15:45
*** sdake_ has joined #openstack-keystone		15:53
*** dave-mccowan has quit IRC		15:53
*** tonytan4ever has joined #openstack-keystone		15:55
*** vgridnev has quit IRC		15:56
openstackgerrit	Navid Pustchi proposed openstack/keystone: Forbid disabling the default domain https://review.openstack.org/260067	15:57
*** sdake has joined #openstack-keystone		16:00
*** vgridnev has joined #openstack-keystone		16:00
*** sdake_ has quit IRC		16:02
*** vgridnev has quit IRC		16:05
*** dave-mccowan has joined #openstack-keystone		16:07
stevemar_znc	bknudson_: thanks for fixing the gate	16:12
bknudson_	I'm the one who broke it.	16:13
bknudson_	in my previous job that would get you an award (fixing a critical problem you created)	16:13
openstackgerrit	Haneef Ali proposed openstack/keystone: Fix 500 error when no fernet token is passed https://review.openstack.org/259563	16:18
*** nodir has joined #openstack-keystone		16:20
*** pnavarro has quit IRC		16:22
stevemar_znc	bknudson_: can't fix a critical problem without creating one in the first place	16:27
zao	Practice makes perfect.	16:28
*** stevemar_znc is now known as stevemar		16:28
nodir	Hello all	16:31
nodir	I'd like to ask for your advice	16:31
nodir	I want to use OpenLDAP as a backend for keystone	16:32
nodir	And apply password policy using OpenLDAP password policies	16:32
stevemar	nodir: you can have a variety of backends for users, one backend per "domain"	16:33
nodir	In keystone configuration I indicated rootdn as a user	16:33
nodir	The problem is the following: when a user is changing the password on dashboard, request to change the password is sent using rootdn credentials	16:34
nodir	OpenLDAP ignore password policy when the request comes from rootdn account	16:35
nodir	So, password policy doesn't really get applied to keystone	16:35
nodir	Maybe somebody has faced this issue and knows what I might be doing wrong?	16:35
*** gyee has joined #openstack-keystone		16:37
*** ChanServ sets mode: +v gyee		16:37
bknudson_	typically when you do LDAP it's read-only. as in, you can't modify user passwords through keystone	16:38
bknudson_	you modify the user password by going to the LDAP directory directly	16:38
bknudson_	but if you want keystone to work differently open a bug and provide a fix.	16:39
nodir	Yes, read-only - that's an option	16:39
nodir	But I wanted to give the user an option to change the password, thanks for the advice bknudson_	16:41
*** markvoelker has joined #openstack-keystone		16:43
*** diazjf has joined #openstack-keystone		16:43
notmorgan	stevemar: did you see my comment re bootstrap?	16:43
stevemar	notmorgan: yes, late start today, just getting caught up, but it makes sense	16:46
stevemar	notmorgan: i'll change my -1 back to +2, and change up my devstack patch	16:46
*** diazjf1 has joined #openstack-keystone		16:48
notmorgan	stevemar: long term we can improve the ux	16:48
notmorgan	and eliminate the silly catalog is empty error	16:48
*** markvoelker has quit IRC		16:48
stevemar	notmorgan: agreed, that should be fixed.	16:48
notmorgan	even when specifying an end-point explicitly	16:48
notmorgan	but, that can come later	16:48
*** diazjf has quit IRC		16:50
*** vgridnev has joined #openstack-keystone		16:50
*** rderose has joined #openstack-keystone		17:00
*** pwp has joined #openstack-keystone		17:08
*** woodster_ has quit IRC		17:16
notmorgan	stevemar: uhmm.	17:23
notmorgan	should this be "Fixed Released"? https://bugs.launchpad.net/keystoneauth/+bug/1502232	17:23
openstack	Launchpad bug 1502232 in keystoneauth "Loads of unit test failures in Python 3.5: OrderedDict mutated during iteration" [High,Fix released] - Assigned to Corey Bryant (corey.bryant)	17:23
*** roxanaghe has quit IRC		17:26
*** rderose has quit IRC		17:27
*** fawadkhaliq has quit IRC		17:30
navidp	hi, how can i log keystone client	17:31
navidp	any help	17:31
*** markvoelker has joined #openstack-keystone		17:44
*** mhickey has quit IRC		17:47
*** e0ne has quit IRC		17:49
*** markvoelker has quit IRC		17:49
*** ayoung has quit IRC		17:51
*** gyee has quit IRC		17:51
*** aix has quit IRC		17:58
*** jsavak has joined #openstack-keystone		18:03
*** jsavak has quit IRC		18:07
*** jsavak has joined #openstack-keystone		18:08
*** jsavak has quit IRC		18:13
*** Guest95009 is now known as jgriffith		18:15
*** mfedosin has quit IRC		18:15
*** ayoung has joined #openstack-keystone		18:18
*** ChanServ sets mode: +v ayoung		18:18
*** urulama has quit IRC		18:20
*** urulama has joined #openstack-keystone		18:20
*** electrichead is now known as redrobot		18:21
*** gyee has joined #openstack-keystone		18:22
*** ChanServ sets mode: +v gyee		18:22
*** tonytan4ever has quit IRC		18:24
*** gyee has quit IRC		18:25
openstackgerrit	Merged openstack/keystone: Fix use of TokenNotFound https://review.openstack.org/227004	18:25
openstackgerrit	Merged openstack/keystone: Enable os_inherit of Keystone v3 API https://review.openstack.org/257580	18:26
openstackgerrit	Merged openstack/keystone: Common arguments for fernet payloads assembly https://review.openstack.org/230165	18:27
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/258703	18:28
*** woodster_ has joined #openstack-keystone		18:30
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/258703	18:32
openstackgerrit	Brant Knudson proposed openstack/keystone: Parameter to return audit ids only in revocation list https://review.openstack.org/260153	18:33
*** pwp has quit IRC		18:34
*** e0ne has joined #openstack-keystone		18:34
*** spotz_zzz is now known as spotz		18:40
*** petertr7_away is now known as petertr7		18:51
*** gyee has joined #openstack-keystone		18:53
*** ChanServ sets mode: +v gyee		18:53
*** tonytan4ever has joined #openstack-keystone		18:59
*** petertr7 is now known as petertr7_away		19:02
*** tonytan4ever has quit IRC		19:03
*** urulama has quit IRC		19:06
*** urulama has joined #openstack-keystone		19:07
*** agireud has joined #openstack-keystone		19:09
openstackgerrit	Brant Knudson proposed openstack/keystone: Parameter to return audit ids only in revocation list https://review.openstack.org/260153	19:23
*** doug-fish has quit IRC		19:29
*** pwp has joined #openstack-keystone		19:33
openstackgerrit	Brant Knudson proposed openstack/keystone: Parameter to return audit ids only in revocation list https://review.openstack.org/260153	19:33
openstackgerrit	Morgan Fainberg proposed openstack/keystoneauth: Add betamax to test-requirements.txt https://review.openstack.org/260183	19:34
notmorgan	stevemar: ^ testing for ksa, but if it requires a major version increase i'm backing it out and doing a conditional import in the test	19:36
*** diegows has quit IRC		19:38
*** markvoelker has joined #openstack-keystone		19:45
*** markvoelker has quit IRC		19:50
*** diegows has joined #openstack-keystone		19:50
*** diegows has quit IRC		19:52
*** pwp has quit IRC		19:53
*** maxabidi has joined #openstack-keystone		20:00
openstackgerrit	Brant Knudson proposed openstack/python-keystoneclient: Get revocation list with only audit ids https://review.openstack.org/260196	20:00
openstackgerrit	Haneef Ali proposed openstack/keystone: Fix 500 error when no fernet token is passed https://review.openstack.org/259563	20:19
*** e0ne has quit IRC		20:25
*** pwp has joined #openstack-keystone		20:28
*** e0ne has joined #openstack-keystone		20:29
*** e0ne has quit IRC		20:34
*** maxabidi has quit IRC		20:35
*** pwp has quit IRC		20:36
*** pwp has joined #openstack-keystone		20:38
*** e0ne has joined #openstack-keystone		20:38
*** mfedosin has joined #openstack-keystone		20:42
*** e0ne has quit IRC		20:45
navidp	bknudson_, about disabling default domain, what do you think I should change?	20:46
bknudson_	navidp: what administrative actions are evaluated against the default domain?	20:48
bknudson_	we shouldn't be evaluating any actions against the default domain.	20:48
navidp	by default domain, I mean the domain that is set in conf	20:48
bknudson_	I know what the default domain is	20:49
bknudson_	we shouldn't be treating it in a special way. it's just another domain	20:49
bknudson_	it just happens to be the domain that's used for v2 operations	20:50
*** e0ne has joined #openstack-keystone		20:50
bknudson_	disabling the default domain should thus disable v2 operations, which is fine by me	20:50
navidp	bknudson_, i think and correct me if i am wrong, the admin from default domain is considered as cloud admin	20:51
bknudson_	there doesn't have to even be an admin user in the default domain.	20:51
navidp	if you disable the domain it resides it does not make any issues?	20:51
bknudson_	I can create an admin user in a non-default domain	20:52
*** roxanaghe has joined #openstack-keystone		20:52
bknudson_	I imagine if you disable the domain that's got your only admin user in it that would cause problems, but the domain with your admin user in it might not be the default domain	20:53
navidp	If you create a user in non-default domain then I think they dont have similar rights	20:54
bknudson_	that would be a bug.	20:54
stevemar	bknudson_: hey blku, what are your thoughts on this patch? https://review.openstack.org/#/c/259563/	20:55
bknudson_	stevemar: keystone should never return a 500 error	20:56
stevemar	bknudson_: agreed	20:56
stevemar	bknudson_: just thoughts on using tokenNotFound and then "" as the id	20:56
navidp	maybe i make a mistake but can look at this https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L3	20:56
stevemar	oh it's updated now, yay	20:56
stevemar	"empty or none token is given"	20:57
bknudson_	navidp: that file is a sample. You don't need to use it.	20:57
bknudson_	navidp: you can use any domain for admin_domain_id , it doesn't have to be the default domain id	20:57
bknudson_	stevemar: exception handling in keystone is a mess	20:58
navidp	bknudson_, right now you can not delete fedault domain, dont you agree if you can not delete it then why do you want to be able to disable it>	20:58
bknudson_	navidp: I don't know why you can't delete the default domain. I can see a customer wanting to disable the default so I think they should be able to disable it.	21:00
navidp	they can disable the default as long as they move it from being default, If i may ask why a customer want to disable their default domain, (i dont want to be rude just trying to make my case)	21:01
*** pwp has quit IRC		21:02
bknudson_	why would a customer disable any domain? they want to stop people signing in so they can do some maintenance?	21:02
navidp	correct, then you are right.	21:03
navidp	bknudson_, if the policy.v3cloudsample.json is not used, then i dont think disabling the default domain creates any issues,	21:05
navidp	bknudson_, as long as you have admins which can enable it back again, but with this policy file..	21:06
bknudson_	it would be hard to tell in code if you have admins that can enable it back again?	21:07
bknudson_	you could configure your policy so that another user is the admin	21:07
navidp	yes you are right.	21:08
bknudson_	so maybe there's a problem here where a customer can cause problems for themselves but I'm not sure that just disabling the default domain fixes the problem.	21:11
bknudson_	should have said "disallow disabling the default domain"	21:11
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Support audit_id-only revocation list https://review.openstack.org/260220	21:18
*** petertr7_away is now known as petertr7		21:19
*** marekd has joined #openstack-keystone		21:23
*** ChanServ sets mode: +v marekd		21:23
*** markvoelker has joined #openstack-keystone		21:30
openstackgerrit	Merged openstack/keystone: Normalize fernet payload disassembly https://review.openstack.org/230181	21:31
notmorgan	jamielennox: ping	21:32
notmorgan	jamielennox: need to ask you a question re plugin discovery	21:32
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/258703	21:33
*** dims_ has quit IRC		21:33
*** dims has joined #openstack-keystone		21:33
openstackgerrit	Brant Knudson proposed openstack/keystone: Parameter to return audit ids only in revocation list https://review.openstack.org/260153	21:35
*** markvoelker has quit IRC		21:36
*** mfedosin has quit IRC		21:37
*** vgridnev has quit IRC		21:42
*** dims has quit IRC		21:43
openstackgerrit	Brant Knudson proposed openstack/python-keystoneclient: Get revocation list with only audit ids https://review.openstack.org/260196	21:45
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Support audit_id-only revocation list https://review.openstack.org/260220	21:46
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Support audit_id-only revocation list https://review.openstack.org/260220	21:47
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Support audit_id-only revocation list https://review.openstack.org/260220	21:47
*** dims has joined #openstack-keystone		21:49
navidp	bknudson_, thanks i will update it	22:03
*** petertr7 is now known as petertr7_away		22:05
openstackgerrit	Brant Knudson proposed openstack/keystone: De-duplicate fernet payload tests https://review.openstack.org/230193	22:07
*** dims_ has joined #openstack-keystone		22:08
*** dims has quit IRC		22:08
*** dims has joined #openstack-keystone		22:12
*** dims_ has quit IRC		22:13
*** simondodsley has joined #openstack-keystone		22:15
*** sdake has quit IRC		22:21
openstackgerrit	Brant Knudson proposed openstack/keystone: Cleanup tox.ini py34 tests https://review.openstack.org/260231	22:22
*** dims has quit IRC		22:29
*** e0ne has quit IRC		22:35
*** markvoelker has joined #openstack-keystone		22:46
jamielennox	bknudson_: nice job on the oslo.config generator fix, i had played with fixing it on the ksa side and it makes way more sense there	22:50
bknudson_	jamielennox: based on the docs ksa was using it correctly	22:50
bknudson_	so the fix was just to stop warning for valid uses	22:50
bknudson_	... maybe the idea was that you were actually supposed to use the config opt classes.	22:51
bknudson_	not sure if you want to enhance ksa to use those	22:51
*** markvoelker has quit IRC		22:51
jamielennox	i think you are, but that would need us to have a dependency on oslo.config	22:51
jamielennox	which is why we got away from using those types in the first place	22:52
bknudson_	well, unless you didn't define the symbols unless oslo.config was available	22:52
bknudson_	or switched somehow. It would be ugly. And I'm not sure how much better the result is	22:52
jamielennox	the options are needed for CLI and other methods that config	22:52
jamielennox	so it gets funky	22:53
jamielennox	anyway, because we are using the python types str(opt.type) should be pretty good and if not we can enhance oslo.config to recognize a few of those	22:54
bknudson_	y, that would be another enhancement	22:54
bknudson_	I'll admit I didn't look to see what the output is in either case	22:54
jamielennox	stevemar: doing a meeting tomorrow?	22:58
bknudson_	ldap3 is not even close to python-ldap	23:04
*** woodster_ has quit IRC		23:06
*** roxanaghe has quit IRC		23:13
*** dims has joined #openstack-keystone		23:21
*** dims has quit IRC		23:30
*** spotz is now known as spotz_zzz		23:31
*** dims has joined #openstack-keystone		23:32
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/260252	23:41
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystoneauth: Updated from global requirements https://review.openstack.org/260253	23:41
*** gordc has quit IRC		23:42
openstackgerrit	OpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/260265	23:45
*** sdake has joined #openstack-keystone		23:45
*** gildub has joined #openstack-keystone		23:54

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!