Monday, 2016-02-15

*** chlong has joined #openstack-keystone00:05
*** chlong has quit IRC00:12
*** chlong has joined #openstack-keystone00:13
*** erlarese has joined #openstack-keystone00:24
*** mylu has quit IRC00:27
*** erlarese has quit IRC00:35
*** sdake has quit IRC00:42
*** gildub has joined #openstack-keystone00:45
*** mylu has joined #openstack-keystone00:51
*** markvoelker has joined #openstack-keystone00:55
*** shoutm_ has joined #openstack-keystone00:56
*** sdake has joined #openstack-keystone00:58
*** shoutm has quit IRC00:58
*** markvoelker has quit IRC01:00
*** chlong has quit IRC01:06
*** mylu has quit IRC01:07
*** mylu has joined #openstack-keystone01:09
*** mylu has quit IRC01:10
*** mylu has joined #openstack-keystone01:10
*** davechen has joined #openstack-keystone01:12
*** davechen1 has joined #openstack-keystone01:17
*** mylu has quit IRC01:19
*** mylu has joined #openstack-keystone01:19
*** davechen has quit IRC01:19
*** davechen has joined #openstack-keystone01:23
*** davechen1 has quit IRC01:25
*** sdake_ has joined #openstack-keystone01:34
*** sdake has quit IRC01:36
*** sdake_ has quit IRC01:53
*** shoutm_ has quit IRC01:53
*** shoutm has joined #openstack-keystone01:56
*** erlarese has joined #openstack-keystone02:05
*** chlong has joined #openstack-keystone02:09
*** erlarese has quit IRC02:10
*** mylu has quit IRC02:19
*** sdake has joined #openstack-keystone02:31
*** shoutm has quit IRC02:42
*** mylu has joined #openstack-keystone02:43
*** shoutm has joined #openstack-keystone02:44
*** su_zhang has quit IRC02:46
*** mylu has quit IRC02:47
*** markvoelker has joined #openstack-keystone02:56
*** markvoelker has quit IRC03:00
*** mylu has joined #openstack-keystone03:27
openstackgerritDave Chen proposed openstack/keystone: Create V9 version of catalog driver interface
openstackgerritDave Chen proposed openstack/keystone: Service Providers and Projects associations
openstackgerritDave Chen proposed openstack/keystone: Service Providers Group CRUD operations.
openstackgerritDave Chen proposed openstack/keystone: Service providers groups associations
*** dave-mccowan has quit IRC04:00
*** stevemar changes topic to "14 more days til mitaka-3 feature freeze - please prioritize reviews accordingly! | Mitaka-3:"04:21
*** dims has joined #openstack-keystone04:28
*** dims has quit IRC04:30
*** mdnadeem has joined #openstack-keystone04:34
*** markvoelker has joined #openstack-keystone04:56
*** sdake has quit IRC04:57
*** hideme has joined #openstack-keystone05:00
*** hideme has quit IRC05:00
*** markvoelker has quit IRC05:00
*** watch_the_log has joined #openstack-keystone05:04
*** watch_the_log has quit IRC05:05
*** spring has joined #openstack-keystone05:07
*** spring is now known as Guest7874405:07
*** Nirupama has joined #openstack-keystone05:11
*** Guest78744 is now known as guest_monitor05:13
*** su_zhang has joined #openstack-keystone05:16
*** david-lyle has quit IRC05:21
*** jaosorior has joined #openstack-keystone06:07
*** mdnadeem has quit IRC06:10
*** sdake has joined #openstack-keystone06:25
openstackgerritDave Chen proposed openstack/keystone: Service Providers and Projects associations
openstackgerritDave Chen proposed openstack/keystone: Service Providers Group CRUD operations.
openstackgerritDave Chen proposed openstack/keystone: Service providers groups associations
*** aginwala has joined #openstack-keystone06:38
*** sdake has quit IRC06:39
*** aginwala has quit IRC06:43
*** jasonsb has quit IRC06:43
*** vgridnev has joined #openstack-keystone06:45
*** mylu has quit IRC06:52
*** markvoelker has joined #openstack-keystone06:57
*** markvoelker has quit IRC07:02
*** x58 has quit IRC07:03
*** rha has quit IRC07:03
*** mordred has quit IRC07:03
*** sileht has quit IRC07:03
*** dulek has quit IRC07:03
*** krotscheck has quit IRC07:03
*** ktychkova_ has quit IRC07:03
*** marekd has quit IRC07:03
*** andreaf has quit IRC07:03
*** tjcocozz has quit IRC07:03
*** mancdaz has quit IRC07:03
*** mordred has joined #openstack-keystone07:04
*** tjcocozz has joined #openstack-keystone07:04
*** andreaf has joined #openstack-keystone07:04
*** ktychkova has joined #openstack-keystone07:04
*** gildub has quit IRC07:04
*** rha has joined #openstack-keystone07:04
*** krotscheck has joined #openstack-keystone07:04
*** sileht has joined #openstack-keystone07:05
*** mhickey has joined #openstack-keystone07:05
*** x58 has joined #openstack-keystone07:14
*** chlong has quit IRC07:30
*** su_zhang has quit IRC07:38
*** mhickey has quit IRC07:44
*** henrynash has joined #openstack-keystone07:51
*** ChanServ sets mode: +v henrynash07:51
*** jaosorior has quit IRC08:09
*** subscope has joined #openstack-keystone08:13
*** pnavarro has joined #openstack-keystone08:15
*** pnavarro has quit IRC08:19
*** pnavarro has joined #openstack-keystone08:19
*** marekd has joined #openstack-keystone08:27
*** jaosorior has joined #openstack-keystone08:33
*** rcernin has joined #openstack-keystone08:34
*** shoutm has quit IRC08:35
*** k-ishii_ has joined #openstack-keystone08:51
*** k-ishii_ has quit IRC08:51
*** hoge has joined #openstack-keystone08:53
*** ChanServ sets mode: +v marekd08:54
*** hoge has quit IRC08:54
marekdi see some code changes08:54
marekdit was a rebase?08:54
marekddavechen: yeah, looks like a rebase.08:55
*** markvoelker has joined #openstack-keystone08:58
*** markvoelker has quit IRC09:03
*** fhubik has joined #openstack-keystone09:03
*** dulek has joined #openstack-keystone09:04
davechenmarekd: hi,09:04
davechenmarekd: yeah, all code were rebased.09:05
davechenmarekd: 1) address dstanek's comments and 2) due to some change in py34, we need tweak about the testcase a little.09:05
*** fhubik has quit IRC09:06
*** fhubik has joined #openstack-keystone09:07
*** chlong has joined #openstack-keystone09:09
*** pnavarro has quit IRC09:17
*** pnavarro has joined #openstack-keystone09:17
*** rcernin has quit IRC09:17
*** rcernin has joined #openstack-keystone09:17
*** fhubik has quit IRC09:17
*** fhubik has joined #openstack-keystone09:17
*** fhubik is now known as fhubik_brb09:27
*** crinkle_ has joined #openstack-keystone09:27
*** Guest10807 has quit IRC09:28
*** crinkle has quit IRC09:28
*** wasmum has quit IRC09:28
*** bapalm has quit IRC09:28
*** Nakato has quit IRC09:28
*** mvk has quit IRC09:28
*** subscope has quit IRC09:29
*** mvk has joined #openstack-keystone09:29
*** Nakato has joined #openstack-keystone09:29
*** bapalm has joined #openstack-keystone09:29
*** tsymanczyk has joined #openstack-keystone09:30
*** wasmum has joined #openstack-keystone09:30
*** tsymanczyk is now known as Guest7405809:31
*** subscope has joined #openstack-keystone09:37
*** fhubik_brb is now known as fhubik09:43
*** lhcheng has quit IRC09:52
*** davechen has left #openstack-keystone09:54
*** e0ne has joined #openstack-keystone09:59
*** bjornar has joined #openstack-keystone10:05
*** GB21 has joined #openstack-keystone10:10
*** shoutm has joined #openstack-keystone10:21
*** henrynash has quit IRC10:26
*** amakarov_away is now known as amakarov10:35
*** mhickey has joined #openstack-keystone10:41
openstackgerritMerged openstack/keystone: Expand implied roles in trust tokens
*** chlong has quit IRC10:56
*** jsavak has joined #openstack-keystone10:57
*** markvoelker has joined #openstack-keystone10:59
*** jsavak has quit IRC11:02
*** subscope has quit IRC11:02
*** markvoelker has quit IRC11:04
*** fhubik is now known as fhubik_brb11:04
*** fhubik_brb is now known as fhubik11:12
openstackgerritBoris Bobrov proposed openstack/python-keystoneclient: Support `truncated` flag returned by keystone
*** dgonzalez has joined #openstack-keystone11:26
*** subscope has joined #openstack-keystone11:30
*** clenimar has joined #openstack-keystone11:31
*** iurygregory has joined #openstack-keystone11:33
*** rodrigod` has quit IRC11:35
*** rodrigods has joined #openstack-keystone11:35
*** fhubik is now known as fhubik_brb11:42
*** fhubik_brb is now known as fhubik11:42
*** fhubik is now known as fhubik_brb11:42
*** GB21 has quit IRC11:47
*** shoutm has quit IRC11:52
openstackgerritArun Kant proposed openstack/keystonemiddleware: Adding audit middleware specific notification driver conf
*** GB21 has joined #openstack-keystone12:13
*** pauloewerton has joined #openstack-keystone12:15
openstackgerritBoris Bobrov proposed openstack/python-keystoneclient: Support `truncated` flag returned by keystone
*** raildo-afk is now known as raildo12:17
*** raildo is now known as raildo-afk12:18
*** raildo-afk is now known as raildo12:18
*** chlong has joined #openstack-keystone12:20
*** sdake has joined #openstack-keystone12:21
*** fhubik_brb is now known as fhubik12:23
*** openstackgerrit_ has joined #openstack-keystone12:27
*** markvoelker has joined #openstack-keystone12:29
*** shoutm has joined #openstack-keystone12:32
*** markvoelker has quit IRC12:34
*** GB21 has quit IRC12:36
samueldmqmorning keystoners12:38
*** dims_ has joined #openstack-keystone12:42
*** daemontool has joined #openstack-keystone13:00
*** subscope has quit IRC13:10
*** dave-mccowan has joined #openstack-keystone13:14
*** subscope has joined #openstack-keystone13:17
*** markvoelker has joined #openstack-keystone13:30
*** edmondsw has joined #openstack-keystone13:31
*** dims_ has quit IRC13:33
*** dims has joined #openstack-keystone13:33
*** su_zhang has joined #openstack-keystone13:34
*** markvoelker has quit IRC13:35
*** doug-fish has joined #openstack-keystone13:45
dstanekgood morning13:49
*** dims has quit IRC13:53
*** dims has joined #openstack-keystone13:57
*** dims has quit IRC14:00
*** vgridnev has quit IRC14:02
*** dims has joined #openstack-keystone14:02
*** henrynash has joined #openstack-keystone14:05
*** ChanServ sets mode: +v henrynash14:05
*** vgridnev has joined #openstack-keystone14:06
*** GB21 has joined #openstack-keystone14:08
*** Bl5-bl4d3 has joined #openstack-keystone14:09
*** fawadkhaliq has joined #openstack-keystone14:10
openstackgerrithenry-nash proposed openstack/keystone: Modify rules in the v3 policy sample for domain specifc roles
amakarovdolphm, hi! Will you restore this backport: ?14:11
*** su_zhang has quit IRC14:13
amakarovIt's bug is marked as fix released for kilo: and it doesn't seem so14:13
openstackLaunchpad bug 1488208 in OpenStack Identity (keystone) kilo "Revoking a role assignment revokes unscoped tokens too" [Medium,Fix released] - Assigned to Dolph Mathews (dolph)14:13
*** jaosorior has quit IRC14:14
*** Nirupama has quit IRC14:14
*** jaosorior has joined #openstack-keystone14:15
*** jaosorior has quit IRC14:15
*** jaosorior has joined #openstack-keystone14:17
*** doug-fish has quit IRC14:20
*** fawadk has joined #openstack-keystone14:21
*** henrynash_ has joined #openstack-keystone14:23
*** ChanServ sets mode: +v henrynash_14:23
*** spring_ has joined #openstack-keystone14:23
*** rodrigod` has joined #openstack-keystone14:23
*** edmondsw_ has joined #openstack-keystone14:24
*** fawadk has quit IRC14:24
*** fawadkhaliq has quit IRC14:24
*** henrynash has quit IRC14:24
*** edmondsw has quit IRC14:24
*** dave-mccowan has quit IRC14:24
*** rodrigods has quit IRC14:24
*** wasmum has quit IRC14:24
*** guest_monitor has quit IRC14:24
*** henrynash_ is now known as henrynash14:24
*** fawadkhaliq has joined #openstack-keystone14:24
*** dave-mccowan has joined #openstack-keystone14:24
*** Bl5-bl4d3 has quit IRC14:25
*** fawadkhaliq has quit IRC14:26
*** fawadkhaliq has joined #openstack-keystone14:26
*** wasmum has joined #openstack-keystone14:27
*** dims has quit IRC14:28
openstackgerritHenrique Truta proposed openstack/keystone: Manager support for project cascade update
htrutasamueldmq, henrynash: would you mind taking a look at this: ?14:35
henrynashhtruta: sure14:35
henrynashhtruta: just finishing off anyother path, then will take a look14:36
*** doug-fish has joined #openstack-keystone14:36
htrutahenrynash: awesome14:36
*** dims has joined #openstack-keystone14:36
*** doug-fish has quit IRC14:40
*** daemontool has quit IRC14:43
samueldmqhtruta: will look, finishing expense reports  ... /(14:43
*** ninag has joined #openstack-keystone14:44
*** superdan is now known as dansmith14:46
bknudson_amakarov: restored ( dolphm )14:48
amakarovbknudson_, thanks! What about bug? I can't set it to confirmed state14:49
bknudson_ is fix released already14:50
openstackLaunchpad bug 1488208 in OpenStack Identity (keystone) kilo "Revoking a role assignment revokes unscoped tokens too" [Medium,Fix released] - Assigned to Dolph Mathews (dolph)14:50
openstackgerritHenrique Truta proposed openstack/keystone: API support for project cascade update
openstackgerritHenrique Truta proposed openstack/keystone: Manager support for project cascade update
bknudson_amakarov: I switched it to in progress14:50
bknudson_for stable/kilo14:51
amakarovbknudson_, great!14:51
*** sigmavirus24_awa is now known as sigmavirus2414:52
openstackgerritHenrique Truta proposed openstack/keystone: Manager support for project cascade update
openstackgerritHenrique Truta proposed openstack/keystone: API support for project cascade update
*** dims has quit IRC14:59
*** sdake has quit IRC15:02
*** doug-fish has joined #openstack-keystone15:08
*** GB21 has quit IRC15:10
*** fawadkhaliq has quit IRC15:10
*** dims has joined #openstack-keystone15:10
*** fawadkhaliq has joined #openstack-keystone15:11
dimsstevemar : bknudson_ : i sent an email with details on the pycryptodome problem -
bknudson_dims: do we need to make a change in keystone code for this?15:13
*** doug-fish has quit IRC15:13
bknudson_we have pysaml2 code in keystoneauth15:14
dimsbknudson_ : i've tested keystoneauth/keystonemiddleware and those are fine AFAICT. barbican/kite/kiteclient are still problematic15:14
*** GB21 has joined #openstack-keystone15:15
*** dmsimard has joined #openstack-keystone15:15
dmsimardHello Keystone-loving people15:16
*** shoutm has quit IRC15:17
dmsimardRecently the following merged: and as a result admin_token_auth was removed from the pipeline which is shipped untouched in RDO land15:17
*** trown has joined #openstack-keystone15:18
dmsimardadmin_token_auth was used until now by, amongst other things, puppet-keystone so this broke every installer and CI using puppet modules.15:18
trown for reference15:18
openstackLaunchpad bug 1545761 in OpenStack Identity (keystone) "admin_token_auth 'deprecation' actually removes it from the pipelines" [Undecided,New]15:18
dmsimardIs this intended ?15:18
trownsubmitting a patch15:18
openstackgerritMorgan Fainberg proposed openstack/keystone: Default caching to on for request-local caching.
bknudson_I think it is intended to not have the admin_token_auth middleware in the default pipeline15:19
trownbknudson_: that is not a deprecation then15:19
trownwhy not just remove it15:20
*** daemontool has joined #openstack-keystone15:20
bknudson_The admin_token_auth middleware is deprecated whether it's in the default pipeline or not.15:20
trownyep deprecated in M removed in O15:21
trownso if you remove it from the default pipelines and break all the users, why not just remove it15:21
trownalso, the comment seems to indicate this is a mistake "# Use `keystone-manage bootstrap` and remove this from the pipelines below."15:21
trownthat makes no sense if it is already removed15:22
openstackgerritMorgan Fainberg proposed openstack/keystone: Allow project domain_id to be nullable at the manager level
*** ngupta has quit IRC15:25
bknudson_you can add it to the pipeline.15:25
*** doug-fish has joined #openstack-keystone15:25
*** ngupta has joined #openstack-keystone15:26
*** PsionTheory has joined #openstack-keystone15:26
openstackgerritJohn Trowbridge proposed openstack/keystone: Add admin_token_auth back to default pipelines
trownbknudson_: right, but it is a breaking change15:26
trownwhy have a deprecation at all if it is ok to break all the users15:27
trownayoung: any thoughts on this?
openstackLaunchpad bug 1545761 in OpenStack Identity (keystone) "admin_token_auth 'deprecation' actually removes it from the pipelines" [Undecided,In progress] - Assigned to John Trowbridge (trown)15:30
*** doug-fish has quit IRC15:30
*** doug-fish has joined #openstack-keystone15:30
*** subscope has quit IRC15:30
*** jorge_munoz has joined #openstack-keystone15:31
*** GB21 has quit IRC15:32
bknudson_trown: I'm fine with adding it back to the default pipeline15:34
trownbknudson_: cool, thanks!15:34
*** doug-fish has quit IRC15:35
trownbknudson_: otherwise we (RDO) would have to fix it in packaging, and then other distros that use the puppet modules for install would also be broken15:35
trownwhich seems like a big mess that could just be avoided by removing it in O15:35
*** notmorgan has joined #openstack-keystone15:36
*** ChanServ sets mode: +v notmorgan15:36
*** ChanServ sets mode: +o notmorgan15:37
bknudson_the puppet modules should be adding and removing the admin token middleware if they need it or not.15:38
notmorganbknudson_: there was a proposed fix up for puppet to do that15:39
notmorganbknudson_: fwiw15:39
dmsimardThey do not currently manage the pipeline, the default is expected to work15:39
dmsimardnotmorgan: there is ?15:39
notmorgandmsimard: yes there was. or at least there was one to remove auth_token15:39
notmorgandmsimard: by crinkle_ iirc15:39
dmsimardnotmorgan: I actually went through to see if there was anything to manage the pipeline or efforts towards using bootstrap instead15:39
notmorgandmsimard: admin_auth_token15:40
*** jorge_munoz has quit IRC15:40
notmorgandmsimard: much better direction to go :)15:40
notmorgandmsimard: use bootstrap15:40
notmorgandmsimard: if it is available.15:40
dmsimardyeah, I know, I'm filing a bug against puppet-keystone right now to get it supported15:40
trownat the very least, this comment makes no sense if the admin_auth_token is removed in the pipelines already
notmorgandmsimard: i believe there is an effort being working on, but i don't know where it stands.15:40
trownnotmorgan: ya I agree that the puppet modules should move to bootstrap, my bug is around deprecation15:41
notmorgantrown: the comment is incorrect. that is needed for testing support15:41
*** subscope has joined #openstack-keystone15:41
notmorgantrown: since we dont have code to manage adding filters in keystone's tests15:41
trowndeprecation != removal15:41
bknudson_trown: existing deployments may or may not have admin token15:41
bknudson_in the pipeline15:41
*** diazjf has joined #openstack-keystone15:42
notmorgantrown: was a lot more work to fix that. the paste-ini is config [as i've been told over and over], we have not removed admin_auth_token, we have just removed it from the efault pipeline15:42
notmorgantrown: you can add it back in and it will work.15:42
notmorgantrown: it wont be "removed" from the code base until at least O, if not later15:42
trownindeed, but I bet RDO is not the only distro to use that as is15:42
trownnotmorgan: ok so you are saying "go fix it in packaging" and let other distros fend for themselves?15:43
notmorgantrown: frankly, i expect distros to change config files. paste-ini is config15:43
trownzigo: do you guys ship the keystone pipelines as is, or change them?15:43
notmorgantrown: i disagree with it being config, also leaving admin_auth_token in is a huge security hole.15:43
notmorgana static string that requires a restart of keystone that conveys full admin access15:44
trownseems like at least 90% of current openstack deployments would have that "huge" security hole, so maybe it deserves a CVE then15:44
zigotrown: I don't change anything provided by upstream, except stuff like lock_path and such for which the default is obviously wrong.15:45
notmorganit's documented as being insecure15:45
notmorganand sure, issue a CVE, but it'd be informational. iirc it's already been an OSSN/OSSA15:45
trownzigo: cool I didnt think so, you will be interested in for mitaka15:45
openstackLaunchpad bug 1545761 in OpenStack Identity (keystone) "admin_token_auth 'deprecation' actually removes it from the pipelines" [Undecided,In progress] - Assigned to John Trowbridge (trown)15:45
trownzigo: since we are being told to "fix it in packaging"15:46
notmorgantrown: or use bootstrap.15:46
trownnotmorgan: right, use the thing that was just created in december... that is not how deprecation is supposed to work15:47
notmorgantrown: so like i said, paste-ini is config.15:47
*** su_zhang has joined #openstack-keystone15:47
zigoHow to bootstrap auth without the admin_ath_token then????15:47
notmorganzigo: keystone-manage bootstrap15:48
zigoNot good !!! :(15:48
notmorganzigo: it injects the data needed/creates the basic project/role/user in the DB15:48
notmorganzigo: it does NOT use the rest api15:48
notmorganzigo: same basic mechanism as db_syc15:48
trownya, I am pretty annoyed by this response I must say... the point of deprecation is to not break users15:48
trownwhy not just remove it15:48
zigoPlease remove it in newton, not for Mitaka then.15:49
notmorganzigo: the code is still there,15:49
*** slberger has joined #openstack-keystone15:49
notmorganzigo: it still works.15:49
zigoThis will break lots of things for me.15:49
dmsimardzigo: do you happen to know if UCA also ships these as-is ?15:49
*** phalmos_ has joined #openstack-keystone15:50
zigoI *DO NOT* work for Canonical, and they have their own packages, so I can't tell what they do.15:50
zigoThey didn't even ship Mitaka b2 yet ...15:50
trownnotmorgan: why not have the defaults actually work for the majority of users, and do deprecation properly?15:50
dmsimardyup, I knew that :)15:50
zigoSo, if I change the pipleline, then the admin_auth_token will continue working?15:50
notmorgantrown: specifically because warning "OMG DEPRECATED" out of the door is not sane defaults for config15:50
notmorgantrown: so if we revert this back we revert the deprecation and fight this next cycle15:51
zigoWhat's the deal?15:51
notmorganzigo: yep, just add it back in15:51
zigoOk, easy enough then.15:51
notmorganzigo: it works exactly as today, it just throws a deprection warning15:51
trownzigo: ya the filter is there, I actually tested that just adding it works, but then that is a packaging fix15:51
bknudson_do you typically ship the sample config file in /etc/, or is it copied there?15:51
notmorganzigo: we wont remove the filter itself from the code base until O or later15:51
zigoWhere's that located?15:52
zigoIn keystone.conf ?15:52
trownbknudson_: for RDO we actually ship the paste.ini in /usr/share, and the service is configured to use it from there15:52
notmorganzigo: paste-ini15:52
*** mylu has joined #openstack-keystone15:52
zigoGot it.15:52
zigoadmin_token_auth there.15:52
bknudson_trown: so RDO doesn't really "support" modifying paste.ini?15:52
notmorganzigo: the pipeline needs "admin_token_auth" added back in to mirror today's functionality15:52
trownbknudson_: exactly...15:53
zigonotmorgan: Yup, got it.15:53
zigoThanks a lot guys for letting me know.15:53
notmorganzigo: :) we aren't trying to "break" you.15:53
zigoThis saves LOTS of my time.15:53
trownzigo: no problem :)15:53
zigoFYI, I usually try to ship config files as close as possible from what upstream provides.15:53
notmorganzigo: we're trying to ship the best possible default as an example. anything that is in keystone/etc is effectively example15:53
trownzigo: thought of you when it became evident this will be a packaging fix... which I disagree with15:53
bknudson_you definitely want to allow deployers to remove the admin token middleware.15:53
zigoThough sometimes (like in this case), I have to add-in a few pathches or fixes.15:53
zigoTypically, lock_path, and such...15:54
zigoThe only big exception is Neutron, where the default config really doesn't work by default.15:54
bknudson_zigo: do you modify the file when you copy it from sample to /etc/?15:54
notmorganzigo: and please do for Newton move to bootstrap.15:54
zigoWill do.15:54
zigoThough the issue isn't Keystone itself here.15:54
notmorganzigo: but if you miss newton, like i said, wont be removed until O.15:54
bknudson_I assume if the file already exists in /etc it asks if you want to overwrite15:55
notmorganbknudson_: that is typical "deb" packaging behavior afaik.15:55
zigoThe thing is, for every API servers on all OpenStack services, I have an automatic keystone catalogue registration system which uses the admin_token.15:55
zigoI'll have to switch that to use the admin credentials instead.15:55
notmorganzigo: so the way this will change is you'll bootstrap and then use admin creds.15:55
zigoThat's using debconf, and it's totally optional.15:55
notmorganzigo: not a giant shift.15:55
zigoThough I use it heavily for my packaging CI.15:55
zigoNot a huge deal...15:55
bknudson_we could support a keystone-manage command for catalog update15:56
zigoJust I will prefer to take my time and do it not in a hurry for Newton, rather than for Mitaka.15:56
notmorganbknudson_: we probably should make bootstrap able to do that15:56
notmorganbknudson_: catalog basics are almost a bootstrap-thing15:56
bknudson_zigo: did you generate a unique string for the admin token?15:56
bknudson_hopefully you're not using DEFAULT15:57
notmorganbknudson_: or "ADMIN" :P15:57
notmorgantrown: ^ cc15:57
notmorgantrown: i hope you'e generating a unique token as well.15:57
trownnotmorgan: ya tripleo generates a unique string, and that is what I deploy with in RDO15:57
zigoIf the user doesn't enter anything, I use this to generate the password:15:58
zigodd if=/dev/random bs=64 count=1 2>|/dev/null | md5sum15:58
notmorganzigo: cool15:58
zigoThat's IMO strong enough! :)15:58
notmorganyeah thats fine15:58
notmorganyou could also do python -muuid 'uuid.uuid4().hex'15:58
notmorganor similar15:58
notmorganwhatevet the syntax is.15:59
zigoI can't, I only have shell scripts available in Debian maintainer scripts.15:59
zigoIf only python-minimal was set as an essential package, that would help me so much ...15:59
bknudson_switch to sha512sum15:59
notmorganzigo: hehe15:59
notmorganbknudson_: evil15:59
notmorganbknudson_: :P15:59
notmorganbknudson_: at least bootstrap should inject the keystone catalog entry (optionally)16:00
zigoYup, I could use a different hash, but that wouldn't be any better.16:00
notmorganbknudson_: would make bootstrapping even easier16:00
zigoWhat counts is what gets out of /dev/random, and if that is wrong, then we're fucked anyway! :)16:00
notmorganzigo: hmm. you might want to use urandom, /dev/random has weird entropy/blocking issues at times16:01
notmorganzigo: but this is a small enough data set it shouldbe ok16:01
zigoUsing /dev/urandom *IS* a source of huge issues.16:01
zigoDon't use it.16:01
*** trown is now known as trown|meeting16:02
zigoBlocking is fine when doing apt-get install, it just gets stuck until the system gathers entropy.16:02
*** mrhillsman has quit IRC16:02
bknudson_VMs can have a hard time getting entropy16:02
zigoAnd 64 bytes, that's nothing ...16:02
notmorganzigo: i've seen systems hang on package install specifically VMs ike that16:02
notmorganbut like i said 64 bytes is prob. not going to be an issue16:02
zigoTo my experience, it's not indeed.16:03
zigoMy CI runs on a Xen VM without even the necessary stuff to get entropy from the host OS, and it never gets stuck there.16:04
zigoIt usually gets stuck when trying to generate PGP keys ! :)16:04
notmorganzigo: it it was more than 64bytes or so i'd be worried. i've had someone require a lot more random data on package install [custom software needed a random seed] and it hung for a loooooong time on install16:04
notmorganmoving to urandom got the software installed, then CMS would deploy a sane seed - but for testing urandom was sufficient16:05
notmorganzigo: long ago, in a galacy far far away...16:05
*** henrynash has quit IRC16:05
zigoIf only computer makers didn't care about spending 2$ more for a random generator ... :/16:05
notmorganzigo: they care about spending $0.15 on quality capacitors16:06
notmorganzigo: so $2 is a big added cost :P16:06
stevemardolphm: notmorgan: bknudson_ ayoung dstanek today is a holiday up north, so i won't be online much16:07
notmorganstevemar: slacker16:07
notmorganstevemar: :P16:07
notmorganstevemar: PTLs don't get holidays (j/k) - enjoy the day man16:07
bknudson_stevemar: president's day?16:08
*** mylu has quit IRC16:08
stevemarnotmorgan: i need a day, i dreamt that i missed the keystone meeting and folks were upset16:08
notmorganbknudson_: See i KNEW canada was really just part of the US16:08
zigonotmorgan: Eventually, will we get the admin_token_auth feature completely removed from keystone?16:08
stevemarbknudson_: "family day"16:08
notmorganzigo: yes in O or later16:08
zigoOk, fine to me.16:08
dstanekstevemar: enjoy16:08
notmorganstevemar: sleep through the meeting a couple times.16:08
notmorganstevemar: it's good for your mental health16:08
stevemarnotmorgan: that'll be tough to do at 1pm, but i think i can do it!16:09
*** phalmos_ has quit IRC16:09
notmorganstevemar: i have faith in you!16:09
dstanekstevemar: sounds like a challenge to me16:10
notmorgandstanek: god. OS X gets worse each time i use it16:11
*** doug-fish has joined #openstack-keystone16:11
zigoHow does "keystone-manage boostrap" work?16:11
dstaneknotmorgan: yep16:11
notmorganzigo: you pass it a couple arguments --username, --role-name, etc16:11
zigonotmorgan: Is there a doc about it somewhere?16:11
notmorganzigo: and it populates the database with a project, role, user, and the user with that role on the project16:11
notmorganzigo: yep. let me find it.16:11
dstaneknotmorgan: if i have the time to do some research i'm going to get a new laptop this month16:11
ayoungnotmorgan, BTW, deprecation of admin_token does not mean removing from the pipeline.  We broke at least 2 differnt projects with that16:12
zigoIn Debian, the package (optionally) prompts the user about what admin user/email/password/tenant should be.16:12
*** sdake has joined #openstack-keystone16:12
zigoI'll have to rewrite that part.16:13
notmorganayoung: paste-ini is config. if we're going to argue it's code fine, but shipping a default that screams "OMG DEPRECATED" is wrong.16:13
notmorganayoung: so we need to pick which one it is.16:13
zigoI always wonder, by the way: the only thing that maters is that the role is called "admin" to get admin rights, right?16:13
notmorganzigo: just default in the policy.json, with v2 it's a bit more hard-coded16:14
notmorganayoung: and if it's code. it isn't something we support changing.16:14
zigoGot it.16:15
ayoungnotmorgan, notmorgan Deprecation should have preceded the change, though16:15
notmorganayoung: except shipping a default that says "THIS IS DEPRECATED" is not correct.16:15
notmorganayoung: it's a config file16:15
openstackgerritRaildo Mascena proposed openstack/keystone: Avoid "non-Pythonic" method names
notmorganayoung: it can be added back in.16:15
ayoungnotmorgan, add it back in.  People have had the shake up16:15
notmorganayoung: just like anything else packaging does. we did not remove the filter and we didn't remove the code16:16
zigoSo if I change, in policy.json: "admin_required": "role:admin or is_admin:1" by "admin_required": "role:foobar or is_admin:1", then I'll need to have role foobar to be admin?16:16
notmorganayoung: then un-do the deprecation16:16
ayoungnotmorgan, unh uh16:16
ayoungthis was a change made without warning16:16
notmorganayoung: do not ship something by default that says it is deprecated16:16
ayoungand paste is way too core to be treated as pure config16:16
notmorganayoung: then we undo the deprecation and hit this newton 116:16
*** vgridnev has quit IRC16:17
*** SamYaple has joined #openstack-keystone16:17
zigoOh also, I wanted to ask: could we please keep the keystoneclient auth fragment in?16:17
notmorganzigo: huh?16:17
notmorganzigo: which keystoneclient auth fragment?16:18
ayoungnotmorgan, paste is not a config file.  We might like to believe that, and I wish it were ,but it is not.  Without it being tightly managed, all of Keystone goes kablooey16:18
notmorganayoung: so i made that argument and was told it was config16:18
zigoIt's a way easier to just read or write hostname / port / etc, in separate fields than it is to use auth_uri= and parse the content in / out.16:18
edmondsw_zigo, you can leave policy.json as is, or if you're going to edit that line wait until you no longer use admin_auth_token and then remove the "or is_admin:1"16:18
ayoungnotmorgan, by whom>?16:18
bknudson_if you mess up your keystone.conf file keystone won't start, too16:18
notmorganayoung: a number of people16:18
notmorganbknudson_: ++16:18
notmorganayoung: there is a cettain point where we need to say "seriously this is a config file".16:19
zigoedmondsw_: I was just trying to know where the role "admin" was hard-coded...16:19
notmorganzigo: it's i think in v2 based on the is_admin rule16:19
notmorganzigo: but i'd need to check, i haven't looked recently16:19
edmondsw_zigo, ah, ok16:19
notmorganzigo: but it's hard coded to use a specific rule iirc in v216:19
*** Ephur has joined #openstack-keystone16:19
notmorganzigo: an icky-behavior :(16:19
edmondsw_notmorgan, simple answer there... don't use v2! ;)16:19
notmorganedmondsw_: tell your friends!16:20
ayoungnotmorgan, look, this just was not something that the other projects would expect or know to look at.  Making a change to the initial system configuration for all the tool out there is going to break them.  I'm usually a purist, but on this one, I have to admit that there approach we did here was not fair16:20
notmorganedmondsw_: :)16:20
edmondsw_I do!16:20
notmorganayoung: so, like i said, i am in support of your stance, undo the deprecation warning16:20
notmorganayoung: or leave it out of the pipeline16:20
notmorganayoung: i'm not blocking what you're asking for. i'm saying i wont let us ship something by default that screams deprecated if i can stop it16:21
notmorganwhich, in this case i can16:21
* notmorgan is not trying to be obstructionist here.16:21
edmondsw_ayoung, folks should not be relying on paste or conf defaults for things to work. That's their bug. If they need something to be in the paste, they should make sure it's there16:21
notmorgani'm trying to be clear on what would put it back in the pipeline16:21
notmorganedmondsw_: i agreee with you. but i wont hold up if this is a real issue ayoung is willing to undeprecate the filter for16:22
zigonotmorgan: Did you find that doc around keystone-manage bootstrap ?16:22
ayoungnotmorgan, so, the Kolla folks re-added it to the pipeliene, and then were working on getting the -bootstrap to work.  THat is the pattern we are going to see, and across projects both inside and outside the big tent16:22
edmondsw_notmorgan, if we undo the deprecation, we just delay this discussion... it doesn't solve anything16:22
notmorganzigo: looking. we have it in our docs, i have the manpage16:22
dmsimardzigo: I guess it would be here
zigodmsimard: Thanks a lot !16:23
notmorganzigo: and that dmsimard pasted16:23
notmorgandmsimard: thanks, sorry hard to search the web and type in IRC at the same time16:23
edmondsw_unless we're going to go find and address as many places as we can and then redo the deprecation... that what you mean?16:23
zigoThis will be on my plate for next week then.16:23
notmorganedmondsw_: oh i was figuring we'd just call paste-ini code and never change it. :P or actually just drop the config option, mark it as deprecated and default it to None and make it so if it is None it doesn't work16:24
notmorganedmondsw_: i don't care how we slice it actually, just as long as we don't throw deprecation warnings with what we ship by default if at all possible16:24
*** daemontool_ has joined #openstack-keystone16:25
notmorganayoung: so - i've given you the choice on what i'll support. I am simply saying if we have it in by default, we don't thrown deprecation warnings.16:25
zigoIMO, for security reasons, a big warning should be printed when using --bootstrap-password (ie: it shows in /proc or using ps).16:25
notmorganayoung: so undeprecate it, find a new way to deprecate it.16:25
edmondsw_I agree with not throwing dep warnings with defaults, and with not having admin_auth_token work by default16:25
zigoI'd be even for not allowing it at all.16:26
notmorganzigo: we added OS_PASSWORD and env options for that reason16:26
zigo(or have it prompted)16:26
zigoYup, I saw it.16:26
ayoungnotmorgan, so,  Kolla is adding back in the pipeline.  Tripleo/RDO is asking if they can do the same16:26
notmorganzigo: but we have ksc and other CLI things support password on the CLI16:26
notmorganzigo: and those don't really warn16:26
ayoungiour stance is "its dprecated, so if you want to add it back in temporarily, go dfor it, its deprecated and bewer?"16:26
*** daemontool has quit IRC16:26
SamYapleif I can weigh in from the Kolla side, I agree with the deprecation. In fact I was on board with this a while ago16:26
*** daemontool_ has quit IRC16:27
notmorgani bet we could muck with the execline to hide the password.16:27
zigonotmorgan: Oh, so in ksc, I can use OS_PASSWORD env var to change password?16:27
notmorganzigo: ^ other things do it16:27
notmorganzigo: use openstackclient :P16:27
zigoI didn't know.16:27
zigoYup, I do ! :)16:27
notmorganzigo: but i think it can use OS_PASSWORD16:27
notmorganzigo: iirc that is how the openrc files work16:27
zigoI've switched ALL of the OpenStack services to use openstackclient and v3 ! :)16:27
notmorganSamYaple: thanks for weighing in.16:27
bknudson_zigo: you are the greatest.16:28
notmorganayoung: pretty much.16:28
notmorganzigo: also thanks for pushing on v3! much appreciated16:28
zigoBut I still use passwords on the command line, which really, is bad.16:28
SamYaplenotmorgan: if you need more "weighing in" here is a snippet from back when shade was starting and Kolla started using it
zigoI'll try to fix that too.16:28
notmorganSamYaple: ++ i can't agree more16:28
notmorganSamYaple: this was the whole reason i finally did bootstrap16:29
SamYapleglad to see it too16:29
ayoungnotmorgan, So...I don't think that any of the other projects I'm looking at treat paste as a config file, per se.  The RPM approach is to put it in /usr/share16:29
notmorganSamYaple: it's something we've talked about for... uhhhhh... 3 cycles? 4?16:29
SamYaplewhile i understand both sides here, I am firmly landing in the `keystone-manage bootstrap` camp16:29
ayoungI think you can reset the config file option to pouibnt to /etc/keystone, but that is not thedefault16:29
notmorganSamYaple: yay!16:29
*** Ephur has quit IRC16:29
ayoungso, this does end up being a bigger deal than just a change of a config file option16:29
ayoungdmsimard, EmilienM please chime in in here16:30
notmorganayoung: so i'll 100% support un-deprecating it and finding another way to meet the same goal(s)16:30
ayoungthe conversaiont in #rdo is not reaching the people that it needs to16:30
bknudson_I thought ayoung ran things16:30
dmsimardI can sort of re-iterate what I was saying over there16:30
ayoungdmsimard, so, once the various RDO installers are up and running, do you remove ADMIN_TOKEN from the pipeline?16:31
* notmorgan views paste-ini as config because there are things that absolutely should be removed (admin_token_auth) when bootstrap is complete16:31
* zigo goes to sleep, it's past midnight over here, bye everyone!16:31
notmorganayoung: ddoubtful, as the CMS tools avoids doing that.16:31
dmsimardI'm sort of torn about the statements that were said here saying nothing should be shipped that screams deprecation, deprecation should indeed scream so that users/consumers/installers have time to transition16:32
dmsimardWhat was done here was to deprecate something but also remove it from the pipeline so that the deprecation notices don't show -- except in the config file comments and the release notes16:32
notmorgandmsimard: i'm a fan of telling users it's deprecated when it's used. but if it's the default - it should not be deprecated16:32
ayoungnotmorgan, I think a deprecation warning at startup of ADMIN_TOKEN in the pipeline is wise.  Then again, I think that any time ADMIN_TOKEN is in the auth path, we should scream anyway16:32
*** jasonsb has joined #openstack-keystone16:33
*** jed56 has quit IRC16:33
bknudson_keystone should warn if admin_token is in the pipeline.16:33
ayoungit should not be left in place by default, and I will take the blame for not being vigorous enough in pushing for us to get it out of the normal path16:33
notmorganayoung: i am going to just disagree with you if we ship our paste with it by default.16:33
ayoungbknudson_, exactly16:33
ayoungdeprecation or not, it is for bootstrap only16:33
notmorgani'm not a fan of deprecation warnings16:33
notmorganby default16:33
notmorganit's the wrong message16:33
notmorganif we don't deprecate admin_auth_token and just say "HEY THIS IS NOT FOR PRODUCTION USE"16:34
notmorganthat is not a deprecation warning.16:34
ayoungnotmorgan, how about a fan of "ADMIN_TOKEN in PIPELINE! THIS IS A SEC VIOATION"16:34
ayoungor seomthing like that16:34
notmorganit's a "don't use this warning"16:34
*** jorge_munoz has joined #openstack-keystone16:34
ayoungregardless of whether it is a deprecation warning or not16:34
notmorganand we completely un-do the deprecation16:34
ayoungI want to avoid them putting it back in the pipeline and leaving it there16:34
notmorganok, so how about this:16:34
dstaneknotmorgan: ayoung: way late in the discussion, but the only reason you could reasonably say paste.ini is not a config is because we use it incorrectly by putting non-optional things into it16:35
notmorgan1) undeprecate [revert the deprecation warning and reno, don't change the test changes]16:35
ayoungdstanek, let good point, but let him finish this thought16:35
notmorgan2) change the default option to be NONE not "ADMIN" and make it short circut if option is unset16:35
notmorgan3) WARN if it is in the pipeline [not deprecation] that it is there at all and should only be use for bootstrapping and keystone-manage bootstrap is more correct16:36
ayoungnotmorgan, that feels right in my first read16:36
notmorgan4) add it back into the pipeline16:36
notmorganby default16:36
notmorgan5) make devstack rip it out16:36
notmorganor not #516:37
notmorganbut whatever.16:37
ayoungI think #5 is a good one16:37
ayoungshowing people how to make it work in Devstack covers the "disseminate how"16:37
notmorganbut something like that. i'll support that, and even +2 all of it except devstack (i can't +2 that)16:37
notmorgandevstack already uses bootstrap16:37
notmorganso, yay16:38
ayoungdmsimard, will that plan work for you?16:38
notmorgandstanek: and i don't disagree, but lets just not go down that path16:38
notmorgandstanek:  today :P16:38
ayoungI think the only risky one is "change the default option to be NONE not "ADMIN" and make it short circut if option is unset"  but I can't help but think that it must be explicitly set today anyway16:39
notmorganayoung: we could OSSA that one easily16:39
*** daemontool has joined #openstack-keystone16:39
notmorganayoung: "THIS WAS A BAD THING OMG INSECurE Out THE DOOR" and have VMT issue a warning/we fix16:39
dstaneknotmorgan: i have no dog in this fight :-) i was just pointing out that it is a config and we are doing it wrong16:39
*** mylu has joined #openstack-keystone16:39
dmsimardayoung: It honestly does not make much difference one way or the other either packaging or installers will have to adapt16:39
ayoungdmsimard, should not have to adapt16:40
ayoungnot to a first round16:40
ayoungadmin_token = fe1e36dbcac7028b619e0c6b9994e161049778dd16:40
notmorgandstanek: and i totally agree. i'm just only willing to fight for "don't emit deprecation warnings by default"16:40
ayoungif that gets removed, it will be16:40
notmorgandstanek: on this front16:40
ayoungadmin_token = None16:40
ayoungand thus disabled16:40
ayoungI think that is proper behavior anyway16:40
dmsimardayoung: so I probably misunderstood then .. let me read again16:40
notmorganayoung: ok i'm going to go open a public security bug on this so we can have VMT team issue OSSA on the config option16:40
ayoungand the fact that tripleo is not doing that (at least for the undercloud) is wrong regardless16:41
openstackgerritRaildo Mascena proposed openstack/keystone: Avoid `None` as a redundant argument to dict.get()
ayoungnotmorgan, ++16:41
dmsimardayoung: yes, I think everyone can agree that admin_auth_token should be removed once bootstrap is done anyway16:41
dmsimardayoung: and installers are wrong for not doing it16:41
*** PsionTheory has quit IRC16:41
dolphmmarekd: ping me if you have time to discuss a pysaml sp in keystone, i.e. picking up
ayoungnotmorgan, to make #2 more explicit:  "if ADMIN_TOKEN is set to None, it will never be accepted, but normal tokens will work just fine"  right?16:42
*** subscope has quit IRC16:42
ayoungand we make the default None16:42
notmorganayoung: ++16:42
ayoungnotmorgan, ok, you going to drive this? I'd like to rever the ADMIN_TOKEN in paste thing now16:43
ayoungas it break RDO, and I will help shepherd through all the changes necessary to do this right.16:43
edmondsw_notmorgan, so we if go through those 5 steps, how/when would admin_auth_token ever be deprecated? Because certainly long term that needs to die, right?16:44
*** jsavak has joined #openstack-keystone16:45
edmondsw_and didn't we already have an OSSA for admin_auth_token?16:45
openstackLaunchpad bug 1545789 in OpenStack Identity (keystone) "keystone ADMIN_TOKEN set by default can lead to default insecure deployment" [Medium,Triaged]16:46
edmondsw_hmm... not seeing an OSSA in a quick search16:46
*** subscope has joined #openstack-keystone16:46
ayoungnotmorgan, I'll grab the assignment16:46
notmorganayoung: sounds good16:46
notmorganedmondsw_: i don't think we did16:47
notmorganedmondsw_: i looked :(16:47
edmondsw_yeah, can't find one either16:47
*** rcernin has quit IRC16:48
notmorganedmondsw_: the admin token would never really get deprecated in those 5 steps16:48
notmorganedmondsw_: though we could make it yell if you set the option16:48
notmorganthat using it is deprecated16:48
edmondsw_notmorgan then I don't think that's good enough. It needs to die16:48
notmorganedmondsw_: i agree, but i'm willing to defer as long as the default is "secure"16:48
edmondsw_it can be a 6th step (or 7th...) but eventually16:49
openstackgerritMerged openstack/keystonemiddleware: Split oslo_config and list all opts
*** jsavak has quit IRC16:49
edmondsw_maybe we put out that OSSA now, and then put back your change to deprecate and remove from paste in newton... in the meantime reaching out to folks we know are using it to stop16:50
notmorganedmondsw_: /me shrugs16:50
edmondsw_ayoung, what do you think?16:51
ayoungedmondsw_, yeah.  notmorgan to start can you remove your -2 from
ayoungWe'll use that to track the revert16:52
notmorganayoung: and def. don't undo the fixes to the tests - the tests don't rely on admin_auth_token, so it's going to be a hand-revert (sorry)16:52
notmorganayoung: after the fix.16:52
ayoungOK, so let's see...16:53
ayoung1) undeprecate [revert the deprecation warning and reno, don't change the test changes]  that is in the Middleware right?16:53
notmorganayoung: deprecation warning is in keystone.middleware.core16:53
notmorganand reno in releasenotes16:53
notmorganannnnd pipeline in pipeline-ini16:53
*** mylu has quit IRC16:54
ayoungWow.  I think this is my only single revision merge evar!
*** mylu has joined #openstack-keystone16:54
*** daemontool has quit IRC16:54
ayoungDid not expect that.16:55
notmorganayoung: crap, i meant to -1 that JUST to make sure you had another revision :P16:55
openstackgerritBrant Knudson proposed openstack/keystone: Allow project_id in catalog substitutions
notmorganayoung: :P16:55
rodrigod`ayoung, lol i don't remember having one16:56
ayoungnotmorgan, I actually don't love the code in that revision, but its all internal and can be refactored.  Suspect it will when amakarov 's unified delegation reviews start hitting16:56
notmorganayoung: probably16:56
ayounganyway...back to admin-token16:56
*** pushkaru has joined #openstack-keystone16:56
*** pushkaru has quit IRC16:57
*** pnavarro has quit IRC16:57
ayoungnotmorgan, so you want to remove the deprecation warning in the init method there:  any thing else?16:57
notmorganthat shiould be it16:58
notmorganyou can remove the init method16:58
openstackgerritAlexander Makarov proposed openstack/keystone: Enable support for posixGroups in LDAP
notmorganand make sure to remove the addition of oslo_log.version_utils16:58
notmorganin import16:58
notmorganiirc that was added16:58
notmorganayoung: and likely i18n import was also added16:59
ayoungnotmorgan, ++ I'll get pep8 to pass16:59
notmorganbut -epep8 should notify you of that16:59
ayoungnotmorgan, would you be OK, instead of a revert, to just put the warning in place right there?17:00
amakarovdolphm, Jenkins is ok with your cherry-pick
ayoungJust chane the langue from "Deprecated" to "remove after the system is initialized"17:00
notmorgandon't use version_utils17:00
notmorganit's not a deprecation17:00
notmorgando we want to warn that it is in the pipeline or that it is enabled [option set] and in the pipeline?17:01
*** vgridnev has joined #openstack-keystone17:01
* notmorgan prefers the "this is in the pipeline" but thinks warning on default shipped things is again "not the best choice"17:01
notmorganayoung: i'll leave to your discresion there, but less scary warnings with what we ship by default = better imo17:02
*** EinstCra_ has joined #openstack-keystone17:03
*** dims_ has joined #openstack-keystone17:03
*** phalmos has joined #openstack-keystone17:03
*** EinstCrazy has quit IRC17:03
*** dims has quit IRC17:04
*** baffle has quit IRC17:05
notmorganedmondsw_ (cc dstanek): maybe we revisit the roll all of the middleware into a single element in our paste-ini, including auth_admin_token17:07
SamYapleayoung: the "remove after the system is initialized" affects deployments tools (and theyll probably just ignore it and leave a big security hole) like theyve been doing17:07
notmorganand then we deprecate the admin_token stuff17:07
SamYaplei think whenever this change happens people will get up in arms17:07
notmorganSamYaple: this is why we'll at least make the default "sane"17:07
notmorganSamYaple: and secure compared to today17:07
notmorganSamYaple: but yeah =/17:08
ayoungSamYaple, we'll start by at least trying to do it right17:08
SamYaplei like what we have in master right this second. but ive said that once already :)17:08
notmorganayoung: ^ cc the thing i said to dstanek and edmondsw_17:08
notmorganSamYaple: i'm 100% in your camp... fwiw.17:08
ayoungSamYaple, its going to break catch a lot of people unaware17:08
SamYapleayoung: it already caught kolla unaware17:08
edmondsw_notmorgan, not following17:09
SamYaple5 minutes it was fixed17:09
SamYaplebut i get your point17:09
notmorganedmondsw_: instead of "json_body, build_auth_context, admin_auth_token", etc17:09
SamYaplenotmorgan: oh no! this is your camp. i wont be a fall guy!17:09
notmorganedmondsw_: we make it one entry17:09
notmorganSamYaple: HAHA17:09
*** doug-fish has quit IRC17:09
dstaneknotmorgan: all that manager tracing make debugging much harder17:09
edmondsw_notmorgan but why?17:09
openstackgerritHenrique Truta proposed openstack/keystone: Restricting domain_id update
notmorgandstanek: hmm? oh, feel free to yank that code out if it sucks too much17:10
dstaneknotmorgan:  i have to think about it for a bit, but it adds like 5 or 6 frames to the stack17:10
notmorgandstanek: yep it would and the change to local request caching would add another 2-3 frames17:11
dstanekedmondsw_: everything in the paste.ini should be optional exception for the application. using middleware like we do isn't correct17:11
ayounglbragstad, this is the same kind of firedrill I am expecting with trusts/v2.0  but at least we are warning people as best we can there17:11
dstaneknotmorgan: yeah, dogpile also makes it suck17:11
notmorgandstanek: so dogpile, no good answer for [in fact, it probably wont change]17:12
notmorgandstanek: maybe revisit the hooks for the debug trace thing we talked about17:12
notmorgandstanek: where it's an extrenal entrypoint17:12
notmorgandstanek: sucks to be weird AST stuff, but would make it truely optional17:12
notmorganor even in-tree but something that needs to be enabled with the special hook thing like your dashboard17:13
dstaneknotmorgan: i don't want to make any changes yet until i have a change to think about it. i suspect there are not too many others routinely using pdb17:13
edmondsw_dstanek, I agree with that. I'm not sure that equates to dumping admin_auth_token (which should be optional) in with other things that shouldn't be. Or did I misunderstand what is proposed?17:13
notmorgandstanek: except we have backed ourselves into a corner-ish thing with the middleware doing work that hits the DB before the app hits the db17:13
bknudson_who needs pdb when you have unit tests?17:13
notmorgandstanek: and that people add "custom routers" and "filters" in that rely on what auth_context does17:14
openstackgerritayoung proposed openstack/keystone: Re-enable and undepreate admin-token
notmorgandstanek: soooo yay paste... :( [i want it to die]17:14
dstaneknotmorgan: yet, we did it wrong :-)17:14
ayoungdmsimard, notmorgan ^^17:14
*** trown|meeting is now known as trown17:14
ayoungand now I am in a meeint. Will monitor17:14
notmorganayoung: i think it's LOG.warn()17:15
notmorganayoung: .WARN i think is the WARN level value17:15
* notmorgan thinks17:15
*** doug-fish has joined #openstack-keystone17:15
notmorganayoung: and consider if we really want scary warning in what we default ship.17:15
*** e0ne has quit IRC17:16
notmorganayoung: -1 for not fixing reno, but otherwise code is good. commented as such17:17
openstackgerritMerged openstack/keystonemiddleware: Use load_from_options_getter for auth plugins
*** csoukup has joined #openstack-keystone17:19
*** doug-fish has quit IRC17:19
*** phalmos has quit IRC17:21
*** phalmos_ has joined #openstack-keystone17:21
*** alejandrito has joined #openstack-keystone17:22
*** rcernin has joined #openstack-keystone17:24
openstackgerritBrant Knudson proposed openstack/keystone-specs: oslo.policy file in YAML
notmorganbknudson_: you going to also do json-shcema in yaml for kjeystone cause... +++ loved it17:25
edmondsw_ayoung, in addition to notmorgan's comments, several typos and I think we can improve the warning. Commented accordingly17:26
notmorganedmondsw_: ++17:26
ayoungedmondsw_, notmorgan thanks17:26
bknudson_notmorgan: I started on it but ran into some questions...
dmsimardnotmorgan, bknudson_, ayoung & al, thanks for your open-mindedness on this whole topic17:26
notmorganbknudson_: cause i'm a HUGE fan of the yaml json schema17:26
bknudson_not sure how to document the schema for a whole API in 1 file (if that's even possible)17:27
bknudson_we should be able to share a bunch of the defintions across schemas (if we have separate schema for each operation)17:27
bknudson_I guess you can reference an external file17:28
bknudson_also, not sure how to ship "resource"-type files in python17:28
bknudson_I think it's do-able and would be pretty handy to have the schema described in yaml17:28
*** fhubik has quit IRC17:28
bknudson_might be able to use it as part of swagger api docs17:28
notmorganah fair enough17:29
notmorganand ++ swagger if that can be leveraged17:29
notmorganYAML can include external files iirc17:30
notmorganso we should use that17:30
notmorganand resource files in python land --- hmm --- we might need to summon mordred, lifeless, and/or dhellmann for input on that17:30
notmorganthough at least a couple of them of offset by significant tz shifts atm17:31
*** aginwala has joined #openstack-keystone17:32
notmorgandmsimard: i may have very strong opinions about things in keystone, but it usually revolves around things that are just poor practice vs "lets break the world"17:32
*** markvoelker has joined #openstack-keystone17:32
*** subscope has quit IRC17:33
dmsimardnotmorgan: fwiw there has been a lot of backwards-compat breaking changes recently across several projects in the mitaka cycle, sometimes they are downright shovelled in our yard (or installers'). We pick our battles when we feel things could be done differently.17:34
notmorgandstanek: fwiw, i try and use pdb fairly often, but i find it pretty unwieldly (and i am a fan of gdb).17:34
notmorgandmsimard: part of the issue is paste-ini for at least keystone is terrible17:34
notmorgandmsimard: we did it so very wrong.17:35
dmsimardnotmorgan: I'll let you be the judge of that :p17:35
notmorgandmsimard: it's been a lot of digging us out of the hole we put ourselves in. I made it one of my missions to do when i took over as PTL. thakfully some things imo are btter17:35
notmorgandmsimard: but now not being PTL i can just throw code at the wall and see what sticks ;)17:36
*** _cjones_ has joined #openstack-keystone17:36
notmorgandmsimard: but basically we made paste-ini somewhere between deployer configurable and not17:36
*** markvoelker has quit IRC17:37
notmorgandmsimard: and it is both poor architecture and lead to deployers relying on it in strange ways.17:37
notmorgandmsimard: in a perfect world, i'd delete paste-ini from keystone.17:37
*** doug-fish has joined #openstack-keystone17:38
notmorganstevemar: are you running the meeting or deciding to sleep today?17:39
notmorganstevemar: cause i support the latter ;)17:40
*** crinkle_ is now known as crinkle17:40
stevemarnotmorgan: it's monday today?17:40
notmorganstevemar: oh is it?17:41
notmorganstevemar: i can't keep track of days17:41
stevemarnotmorgan: yup17:41
notmorganstevemar: you should sleep in tomorrow to like 2pm then17:41
stevemarhmm, hard but doable17:43
*** trown is now known as trown|afk17:44
*** openstackgerrit has quit IRC17:45
*** openstackgerrit has joined #openstack-keystone17:46
*** neophy has joined #openstack-keystone17:46
*** mylu has quit IRC17:47
*** aginwala has quit IRC17:47
*** mylu has joined #openstack-keystone17:49
*** henrynash has joined #openstack-keystone17:55
*** ChanServ sets mode: +v henrynash17:55
*** jaosorior has quit IRC18:01
arunkantstevemar: Can you look into audit middleware review: ..the issue we talked about last week.18:01
samueldmqhmm, py27 job is said to be UNSTABLE in
samueldmqI didn't know about that new status18:06
dstanekarunkant: stevemar likely won't be on much today18:07
dstaneksamueldmq: it's not new. it just doesn't happen very often18:09
arunkantdstanek: okay..thanks for the update. Will appreciate if keystone folks can look into the change and provide review comments.18:09
dstaneksamueldmq: it basically means that the tests ran OK, but i think it couldn't publish the results18:09
dstanekarunkant: i can take a look in a little bit18:09
*** mhickey has quit IRC18:10
dstaneksamueldmq: yep, that's it
*** daemontool has joined #openstack-keystone18:11
samueldmqdstanek: yes, just checked in -infra18:11
samueldmqdstanek: jenkins couldn't finish post tasks, but the job has passed (as you said)18:11
samueldmqdstanek:  :)18:11
*** su_zhang has quit IRC18:12
*** dan_nguyen has joined #openstack-keystone18:13
*** e0ne has joined #openstack-keystone18:13
*** trown|afk has left #openstack-keystone18:13
*** BAKfr has quit IRC18:13
*** mylu has quit IRC18:15
samueldmqhenrynash: hi18:16
henrynashsamueldmq: hi18:17
samueldmqhenrynash: need to talk to you about at we want with versioned drivers :)18:17
samueldmqhenrynash: so we can approve that hmt patch18:17
henrynashsamuedlmq: ah yes....18:17
samueldmqhenrynash: this
*** BAKfr has joined #openstack-keystone18:17
samueldmqhenrynash: so, in terms of upgrade, what's the goal of versioned drivers ?18:17
*** alejandrito has quit IRC18:18
samueldmqhenrynash: does it mean we want to allow someone to upgrade the code and keep using old driver ?18:18
*** dmsimard has left #openstack-keystone18:18
henrynashsamueldmq: so the goal is to allow people to keep using a driver that is written to the previous manager->driver API18:19
*** dan_nguyen has quit IRC18:19
henrynashsamueldmq: but the support for daat upgrading is on their heads, not ours18:19
samueldmqhenrynash: okay, so you may upgrade the keystone and keep using the old driver18:20
henrynashsamueldmq: yes, but we will no longer support any data migration from that old driver18:21
henrynashsamueldmq: we do NOT support our onw V8 driver anymore18:21
samueldmqhenrynash: what I was arguing for was: 'keystone mitaka does support projects pointing to NULL domain, but to use it you also need Mitaka version of the driver'18:21
henrynashsamueldmq: so it’s as if you have written your own18:22
samueldmqhenrynash: yes, someone that has written his own driver18:22
henrynashsamueldmq: I’d love to do that, but I don’t see how we can18:22
samueldmqhenrynash: simply don't support projects having null domain_id in the v9wrapper18:22
henrynashsamueldmq: the manager at Mitaka won’t know how to create “old style domains”18:22
*** ninag has quit IRC18:22
henrynashsamueldmq: how will the manager create a domain?18:23
samueldmqhenrynash: if a project with null domain_id comes, say no, you can't do that, I do not work around that, upgrade your driver18:23
*** ninag has joined #openstack-keystone18:23
samueldmqhenrynash: the newest driver (v9) implement the funcitonality we want (projects with domainid=SPECIAL_NULL)18:23
samueldmqhenrynash: the wrapper don't18:23
samueldmqhenrynash: manager doesn't know about tht18:24
henrynashsamueldmq: I dont know how to ask the quetsion any other way….”HOW DOES THE MANAGER CREATE A DOMAIN?"18:24
openstackgerritayoung proposed openstack/keystone: Re-enable and undepreate admin-token
samueldmqhenrynash: okay, so, manager asks the driver: create_project(domain_id=NULL)18:25
samueldmqwith is_domain=True18:25
henrynashsamueldmq: ok18:25
ayoungEmilienM, I think ^^ will work for you18:25
samueldmqhenrynash: if the driver supports the v9 interface, it will honor that operation18:25
samueldmqhenrynash: if not, it won't18:25
henrynashsamueldmq: so what does the manager do then18:26
*** su_zhang has joined #openstack-keystone18:27
henrynashsamueldmq: it’s been asked to create a domain…it tried to create a project acting as a domain…was told that’s not supproted….what does it do now?18:27
samueldmqhenrynash: what if you go to
*** daemontool_ has joined #openstack-keystone18:27
samueldmqhenrynash: ah, you mean when it catches an exception18:27
EmilienMayoung: thanks18:27
*** ninag has quit IRC18:28
samueldmqhenrynash: it does the same when we add a new function to a new driver version18:28
ayoungnotmorgan, wanted a release not change, didn't you?18:28
samueldmqhenrynash: and the wrapper can't do anything about it for old driver18:28
notmorganayoung: yep18:28
notmorganayoung: needs to fix the reno if we're not deprecating18:28
henrynashsamueldmq: but we can’t stop domain creation just becaues you have a v8 driver (which used to supprot domain crreation in Liberty)18:28
*** daemontool_ has quit IRC18:29
*** daemontool has quit IRC18:29
ayoungnotmorgan, is there a tox test to run for those?18:29
samueldmqhenrynash: I'm thinking ...18:30
notmorgantox -ereleasenotes ?18:30
*** BAKfr has quit IRC18:30
ayoungyes theres is18:30
henrynashsamueldmq: if we really want to go that route, then teh wrapper has to reflect projects as a domain back onto teh domain table18:31
*** BAKfr has joined #openstack-keystone18:32
*** mylu has joined #openstack-keystone18:32
samueldmqhenrynash: in my head, if you want to use an old version of a driver, you are taking the risks of something not being able to operate the same18:32
samueldmqhenrynash: does the database remains the old too ?18:33
henrynashsamueldmq: ageed - NEW fucntionaliy many not be availble, but existing fucntionality should not be removed18:33
henrynashsamueldmq: we do not support teh v8 database scheme18:33
henrynash(at Mitaka)18:33
openstackgerritayoung proposed openstack/keystone: Re-enable and undepreate admin-token
henrynashsamueldmq: i.e.  it is not a requirement for us to support a modified version of our V8 driver that acustomer is using in terms of the database scheme and migration…..they should be using their own tables that we know nothing about18:34
*** BAKfr has quit IRC18:36
henrynashsamueldmq: so I started with exactyly the thoughts you have…and we had a big IRC meeting debate about it a few months a back…and it was explicitely stated that it NOT a goal to support some custoemrs modifed version or our old SQL driver, any more than if they had their own cassandra driver18:37
samueldmqhenrynash: okay, I think I got it18:38
samueldmqhenrynash: just confused about your comment here:
samueldmqhenrynash: L1068 you said "I think these are all OK, since a V8 driver will not have the hidden rows."18:38
openstackgerritwerner mendizabal proposed openstack/keystone: Time-based One-time Password
*** BAKfr has joined #openstack-keystone18:39
henrynashsamueldmq: so becuase the comment is in the manager (since it is shared by the wrapper driver), i was trying to general….and I meant our own SQL/LDAP drivers18:40
samueldmqhenrynash: however, if I pass a project: {'domain_id': None} to the wrapper of create_project (L1086), it will ad the hidden value for NULL18:40
samueldmqhenrynash: so that new project, when returned, will contain the hidden row18:40
samueldmqhenrynash: makes sense?18:40
henrynashsamueldmq: I don’t think the hidden row will be there (unless I goofed), but we do swap the hidden null value back and forth18:41
openstackgerritwerner mendizabal proposed openstack/keystone: Time-based One-time Password
samueldmqhenrynash: for example list_project_ids_from_domain_ids(['list_project_ids_from_domain_ids'])18:42
*** baffle has joined #openstack-keystone18:42
henrynashsamueldmq: since I was concerned that otherwise we were changing the definition of one of the column attributes (it used be be non-nullable, and unless I add in the speciial value, it would now be nullable)18:42
samueldmqhenrynash: list_project_ids_from_domain_ids is not wrapped18:42
henrynashsamueldmq: so there are no hidden rows in teh data set of a V8 driver…so I don;t think it needs to be wrapped18:44
*** ninag has joined #openstack-keystone18:44
samueldmqhenrynash: if I call list_project_ids_from_domain_ids(['list_project_ids_from_domain_ids'])18:44
samueldmqhenrynash: the project I created with the wrapped version of create_project will be returned18:45
samueldmqhenrynash: won't it ?18:45
notmorganhenrynash: removed the paragraph from the commit message that wasn't super relevant18:45
henrynashsamueldmq: so doesn’t call just return a lsit of IDs?18:45
henrynashnotmorgan: yep, saw that, thanks…..18:46
samueldmqhenrynash: I don't know :/ let me look18:46
samueldmqhenrynash: how are we in terms of tests for driver signatures ?18:46
notmorganhenrynash: you can see why that was such a wonky commit message, it basically said "we store a null" and "we really don't store a null"18:46
henrynashnotmorgan: that first para was taking at the manager level…but understand why you thought it a bit confusing18:46
henrynashnotmorgan: thx18:47
notmorganand it wasn't clear it was manager level, it was superfluous18:47
henrynashnotmorgan: I’m good with taht change18:47
henrynashsamueldmq: how do you mean?18:47
samueldmqhenrynash: do we have a set of tests that say: 'yes, your driver comply with v9'18:49
henrynashsamueldmq: yes, we run the full test_backend_sql against teh V8 driver….see tests/backend/leagcy_driver18:50
openstackgerritDavid Moreau Simard proposed openstack/keystone: Re-enable and undeprecate admin-token
samueldmqhenrynash: so the same tests of a v9 version of the driver in a v8-wrapped one18:51
henrynashsamueldmq: yes, with a few overridden ones where they are testing new functionality that is nt available with V818:52
ayoungedmondsw_, if you have changes you want in the commit, feel free to make them directly.  Let's get it moving.18:52
edmondsw_ayoung, sure, give me a minute18:52
samueldmqhenrynash: okay, so we should be really carreful to only override the ones that have NEW functionality18:53
henrynashsamueldmq: indeed18:53
samueldmqhenrynash: cool, I am more confident now since we have the same tests for them :)18:53
*** Ephur has joined #openstack-keystone18:54
henrynashsamueldmq: good conversation18:54
samueldmqhenrynash: yep, thanks for clarifying18:55
*** subscope has joined #openstack-keystone18:55
openstackgerritBrant Knudson proposed openstack/oslo.policy: Support policy file in YAML
*** doug-fis_ has joined #openstack-keystone18:58
samueldmqhenrynash: you were right, just looked again at that wrapper and it makes sense to me now :)18:58
*** doug-fi__ has joined #openstack-keystone18:59
*** doug-f___ has joined #openstack-keystone19:00
*** ninag has quit IRC19:00
*** doug-fish has quit IRC19:00
*** ninag has joined #openstack-keystone19:01
*** fawadkhaliq has quit IRC19:02
*** lhcheng has joined #openstack-keystone19:02
*** ChanServ sets mode: +v lhcheng19:02
*** doug-fis_ has quit IRC19:03
henrynashsamueldmq: no worries!19:03
*** doug-fi__ has quit IRC19:04
*** vgridnev has quit IRC19:04
*** su_zhang has quit IRC19:04
*** ninag has quit IRC19:05
*** vgridnev has joined #openstack-keystone19:06
*** spzala has joined #openstack-keystone19:12
*** annasort has joined #openstack-keystone19:15
*** doug-f___ has quit IRC19:16
*** doug-fish has joined #openstack-keystone19:16
*** doug-fish has quit IRC19:16
*** doug-fish has joined #openstack-keystone19:17
openstackgerritMatthew Edmonds proposed openstack/keystone: Re-enable and undeprecate admin_token_auth
samueldmqhenrynash: one more question19:17
samueldmqhenrynash: in
samueldmqhenrynash: project's domain_id has a foreign key to domain.id19:18
samueldmqhenrynash: so you needed to create a domain entity right ? besides the is_domain project ?19:19
*** ninag has joined #openstack-keystone19:19
openstackgerritMatthew Edmonds proposed openstack/keystone: Re-enable and undeprecate admin_token_auth
*** ninag has quit IRC19:22
*** ninag has joined #openstack-keystone19:22
*** doug-fish has quit IRC19:26
*** doug-fish has joined #openstack-keystone19:26
*** ninag has quit IRC19:27
*** markvoelker has joined #openstack-keystone19:32
samueldmqhenrynash: oh wait, then how are tests currently passing ?19:36
*** ninag has joined #openstack-keystone19:36
openstackgerritBrant Knudson proposed openstack/oslo.policy: Deprecate load_json() in favor of load()
*** _cjones_ has quit IRC19:37
samueldmqhenrynash: you add both root domain and is_domain project19:37
samueldmqhenrynash: nevermind19:37
*** _cjones_ has joined #openstack-keystone19:37
*** markvoelker has quit IRC19:37
*** alejandrito has joined #openstack-keystone19:41
*** alejandrito has quit IRC19:42
*** alejandrito has joined #openstack-keystone19:42
*** alejandrito has quit IRC19:42
*** alejandrito has joined #openstack-keystone19:42
*** raildo is now known as raildo-afk19:49
*** daemontool has joined #openstack-keystone19:55
*** raildo-afk is now known as raildo19:56
*** e0ne has quit IRC19:56
*** sigmavirus24 is now known as sigmavirus24_awa19:58
*** e0ne has joined #openstack-keystone19:59
*** ninag has quit IRC20:04
*** ninag has joined #openstack-keystone20:05
*** ninag has quit IRC20:10
*** daemontool_ has joined #openstack-keystone20:11
*** raildo is now known as raildo-afk20:11
*** daemontool has quit IRC20:13
openstackgerritBrant Knudson proposed openstack/oslo.policy: Change default behavior for YAML
*** mhickey has joined #openstack-keystone20:16
*** openstackgerrit has quit IRC20:17
*** openstackgerrit_ is now known as openstackgerrit20:17
*** openstackgerrit has quit IRC20:17
*** openstackgerrit_ has joined #openstack-keystone20:17
*** openstackgerrit_ is now known as openstackgerrit20:18
*** openstackgerrit_ has joined #openstack-keystone20:18
openstackgerritJorge Munoz proposed openstack/keystone: Fix trust chain/redelegation tests
*** rodrigod` is now known as rodrigods20:22
*** pauloewerton has quit IRC20:24
*** sigmavirus24_awa is now known as sigmavirus2420:25
openstackgerritJorge Munoz proposed openstack/keystone: Fix trust chain tests
*** e0ne has quit IRC20:29
*** ninag has joined #openstack-keystone20:40
*** mhickey has quit IRC20:41
lifelessnotmorgan: hai?20:44
notmorganlifeless: i... had a reson to summon you to our lovely corner of irc...20:44
notmorgannow lets see if i remember20:44
notmorganlifeless: shipping resource files in python packages20:45
notmorganlifeless: for example: having a yaml file define the json schema20:46
notmorganlifeless: what is the correct way to do such a thing?20:46
notmorganif there is a defined way20:46
notmorganbknudson_: ^ cc20:46
notmorganand feel free to say "OMG DONT" too ;)20:46
*** vgridnev has quit IRC20:47
notmorganif there is a good reasons not to.20:47
*** agireud has quit IRC20:50
*** agireud has joined #openstack-keystone20:51
openstackgerritMorgan Fainberg proposed openstack/keystone: Re-enable and undeprecate admin_token_auth
htrutaguys, is there anyway I can see the real uuid of a token when doing openstack --debug <cmd> ?20:58
htrutaseems like the uuids shown in the requests are encrypted20:58
*** clenimar has quit IRC21:01
*** timcline has joined #openstack-keystone21:01
lbragstadjorge_munoz timcline
ayoungnotmorgan, revied your addtions, +1.  If you are OK with the patch, please add a +2 on it.21:03
*** mylu has quit IRC21:03
ayoungnotmorgan, is the _LW the reason for the pep8 failure?21:04
ayounghtruta, that might be deliberate.21:05
notmorganayoung: yep. it's a warning not an exception21:05
htrutaayoung: it is. It's just a devstack21:05
dolphmnonameentername: ping me if you have a minute to discuss
ayounghtruta, look in the client code, might have to modify the client.  Is this something ytou want long term21:06
notmorganayoung: also i'll +1 for now until we have the config option followup. but will comment that you can consisder it a +2 once the followup is posted21:06
notmorgancommented as such21:07
ayoungnotmorgan, ok...let's see what that should look like:  default == None and ...21:07
htrutaayoung: cool. Will see. Just thought that there could be some kind of 'insecure' option for this. thanks21:07
ayoungif ADMIN_TOKEN==None return False logic in the middleware?21:07
notmorganand if the option itsn't set, short-circut out so it doesn't set admin21:07
notmorganfalse/return without doing anything21:07
notmorgansomething like that21:07
*** hockeynut_afk is now known as hockeynut21:07
ayoungnotmorgan, do you think that should all be in one patch?  WOuldmn21:09
ayoungWouldn't argue with you if you did21:09
notmorgani wouldn't say no to it in one patch21:09
notmorganbut i would separate them21:09
notmorganjust so it's clear we are un-deprecating then fixing the bug21:09
ayoungOK...follow on it is...testing now21:13
bknudson_lifeless: y, the question is how to you have "resource" files in a python app... essentially how could I look up a .yaml file that we ship with the product somehow21:15
bknudson_ship with the python code21:15
*** daemontool_ has quit IRC21:18
*** lhcheng has quit IRC21:18
samueldmqhenrynash: you still around ?21:28
samueldmqhenrynash: please take a look at my comment in whenever you have a chance21:29
openstackgerritBrant Knudson proposed openstack/oslo.policy: Deprecate load_json() in favor of load()
openstackgerritBrant Knudson proposed openstack/oslo.policy: Change default behavior for YAML
*** jsavak has joined #openstack-keystone21:32
samueldmqhenrynash:  I am refering to comment in L1164-116521:33
*** markvoelker has joined #openstack-keystone21:33
*** aginwala has joined #openstack-keystone21:34
*** jsavak has quit IRC21:37
*** markvoelker has quit IRC21:38
*** ninag has quit IRC21:39
openstackgerritayoung proposed openstack/keystone: Re-enable and undeprecate admin_token_auth
*** aginwala has quit IRC21:46
*** subscope has quit IRC21:48
*** aginwala has joined #openstack-keystone21:48
*** esp has joined #openstack-keystone21:49
*** alejandrito has quit IRC21:49
*** esp has quit IRC21:56
*** esp has joined #openstack-keystone21:59
*** phalmos_ has quit IRC22:00
*** esp has quit IRC22:04
*** timcline has quit IRC22:06
*** neophy has quit IRC22:14
*** mhickey has joined #openstack-keystone22:21
*** Ephur has quit IRC22:28
*** mhickey has quit IRC22:31
*** doug-fish has quit IRC22:42
openstackgerritSteve Martinelli proposed openstack/keystone: sensible default for secure_proxy_ssl_header
*** doug-fish has joined #openstack-keystone22:48
*** doug-fish has quit IRC22:51
*** doug-fish has joined #openstack-keystone22:52
*** clenimar has joined #openstack-keystone22:53
*** daemontool has joined #openstack-keystone22:54
*** doug-fish has quit IRC22:54
*** doug-fish has joined #openstack-keystone22:55
*** aginwala has quit IRC22:56
*** lbragstad_ has joined #openstack-keystone22:56
*** daemontool_ has joined #openstack-keystone22:58
*** daemontool has quit IRC22:58
*** aginwala has joined #openstack-keystone22:58
*** arif-ali has left #openstack-keystone22:59
*** doug-fish has quit IRC23:00
openstackgerritHenrique Truta proposed openstack/keystone: Fix terms from patch 275706
*** diazjf has quit IRC23:01
*** rcernin has quit IRC23:05
*** daemontool has joined #openstack-keystone23:05
*** daemontool_ has quit IRC23:06
*** clenimar has quit IRC23:07
*** slberger has left #openstack-keystone23:19
openstackgerritBrant Knudson proposed openstack/keystone: Create policy.yaml sample files
openstackgerritBrant Knudson proposed openstack/keystone: Create policy.yaml sample files
*** sigmavirus24 is now known as sigmavirus24_awa23:25
openstackgerritJorge Munoz proposed openstack/keystone: Consolidate TestTrustRedelegation and TestTrustAuth tests
*** mylu has joined #openstack-keystone23:28
*** markvoelker has joined #openstack-keystone23:34
*** csoukup has quit IRC23:35
*** markvoelker has quit IRC23:38
*** dims_ has quit IRC23:41
openstackgerritHenrique Truta proposed openstack/keystone: Add docstring to delete_project
openstackgerritJorge Munoz proposed openstack/keystone: Consolidate TestTrustRedelegation and TestTrustAuth tests
*** _cjones_ has quit IRC23:44
*** henrynash has quit IRC23:46
openstackgerritHenrique Truta proposed openstack/keystone: Add docstring to delete_project
*** jorge_munoz has left #openstack-keystone23:53
*** shoutm has joined #openstack-keystone23:54
*** dims has joined #openstack-keystone23:57
openstackgerritHenrique Truta proposed openstack/keystone: Fixes parameter in duplicate project name creation

Generated by 2.14.0 by Marius Gedminas - find it at!