Monday, 2016-04-18

*** roxanaghe has quit IRC00:02
stevemarmorgan: yay! i'll have bknudson look at it again00:06
*** sdake has joined #openstack-keystone00:06
*** mylu has quit IRC00:07
*** mylu has joined #openstack-keystone00:13
*** stingaci has quit IRC00:14
*** mylu has quit IRC00:19
*** mylu has joined #openstack-keystone00:21
*** ekarlso has quit IRC00:32
*** mylu has quit IRC00:44
*** ekarlso has joined #openstack-keystone00:44
*** mylu has joined #openstack-keystone00:47
dimsmorgan : keystoneauth, keystonemiddleware, pycadf look good.00:58
morgandims: yay00:58
*** sdake_ has joined #openstack-keystone01:14
*** sdake has quit IRC01:18
*** EinstCrazy has joined #openstack-keystone01:18
*** edtubill has joined #openstack-keystone01:23
*** stingaci has joined #openstack-keystone01:26
morganstevemar: you know what is going to be sad.. If Windows with bash runs keystone unit tests better than OS X...01:39
*** roxanaghe has joined #openstack-keystone01:46
*** browne has joined #openstack-keystone01:46
*** EinstCra_ has joined #openstack-keystone01:49
*** roxanaghe has quit IRC01:50
*** EinstCrazy has quit IRC01:52
*** mylu has quit IRC02:10
*** timonwong has joined #openstack-keystone02:18
*** alex_xu has quit IRC02:18
*** alex_xu has joined #openstack-keystone02:22
*** timonwong has quit IRC02:23
*** timonwong has joined #openstack-keystone02:23
*** browne has quit IRC02:26
*** timonwong has quit IRC02:30
*** timonwong has joined #openstack-keystone02:32
stevemarmorgan: i wouldn't be too optimistic02:33
morganWell. *shrug*02:34
*** zqfan has joined #openstack-keystone02:47
openstackgerritKylin CG proposed openstack/keystone: Typo fix in tests
*** EinstCra_ has quit IRC02:54
*** EinstCrazy has joined #openstack-keystone03:03
*** sdake_ has quit IRC03:30
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements
*** ekarlso has quit IRC04:27
*** sdake has joined #openstack-keystone04:28
*** timonwong has quit IRC04:28
*** timonwong has joined #openstack-keystone04:37
*** ekarlso has joined #openstack-keystone04:40
*** links has joined #openstack-keystone04:41
*** mylu has joined #openstack-keystone05:03
*** rcernin has joined #openstack-keystone05:04
openstackgerritMerged openstack/keystone: Typo fix in tests
*** mylu has quit IRC05:11
*** e0ne has joined #openstack-keystone05:15
*** e0ne has quit IRC05:18
*** roxanaghe has joined #openstack-keystone05:22
*** stingaci has quit IRC05:22
*** mylu has joined #openstack-keystone05:24
*** Nirupama has joined #openstack-keystone05:25
*** roxanaghe has quit IRC05:26
*** mylu has quit IRC05:29
morganayoung: please either close this or triage this.05:48
openstackLaunchpad bug 1469847 in keystoneauth "authenticating with kerberos (via openstack token issue) reports Error with "Success" followed by non-ascii chracters" [Undecided,New] - Assigned to Adam Young (ayoung)05:48
morganyolanda: just requires an update to global-requirements05:51
openstackLaunchpad bug 1569811 in keystoneauth "keystonauth betamax fixture shall consume latest betamax release" [Undecided,Invalid]05:51
morganyolanda: should be an easy fix to propose :) and the proposal bot will handle getting it into keystoneauth.05:52
openstackgerritSrushti Gadadare proposed openstack/keystone: Provide user friendly messages for db_sync
openstackgerritSrushti Gadadare proposed openstack/keystone: Provide user friendly messages for db_sync
*** edtubill has quit IRC06:07
*** zzxwill has joined #openstack-keystone06:14
*** jaosorior has joined #openstack-keystone06:24
openstackgerritColleen Murphy proposed openstack/keystoneauth: Make version optional for auth_url
*** alex_xu has quit IRC06:40
*** alex_xu has joined #openstack-keystone06:41
*** henrynash has joined #openstack-keystone07:07
*** ChanServ sets mode: +v henrynash07:07
*** jaosorior has quit IRC07:11
*** zzxwill has quit IRC07:15
*** pcaruana has joined #openstack-keystone07:15
*** jed56 has joined #openstack-keystone07:16
*** e0ne has joined #openstack-keystone07:16
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements
*** odyssey4me_ is now known as odyssey4me07:38
*** rha_ is now known as rha07:43
*** rha has joined #openstack-keystone07:43
*** alex_xu has quit IRC07:49
*** pnavarro has joined #openstack-keystone07:50
*** alex_xu has joined #openstack-keystone07:51
*** vgridnev has joined #openstack-keystone07:54
*** jaosorior has joined #openstack-keystone07:55
*** vgridnev has quit IRC07:56
*** jaosorior has quit IRC07:56
*** pnavarro has quit IRC08:08
openstackgerritDavanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c
*** daemontool has quit IRC08:17
*** jistr has joined #openstack-keystone08:21
*** pnavarro has joined #openstack-keystone08:22
*** stian_ has joined #openstack-keystone08:24
stian_Where can I find detailed documentation about keystone_authtoken? Can't find any information on auth_url.08:35
*** henrynash has quit IRC08:35
*** naresht has joined #openstack-keystone08:41
*** henrynash has joined #openstack-keystone08:48
*** ChanServ sets mode: +v henrynash08:48
*** roxanaghe has joined #openstack-keystone08:58
morganyolanda: you might need to adjust upper-constraints as well08:59
yolandamorgan, 0.6.0 is not ok?09:00
yolandait's set to 0.6.0 in upper constraints09:00
morganoh is that already in u-c?09:00
morganthat makes it easy09:00
morganno need to change then09:00
yolandayep, it was set to 0.6.0. Not sure why, because this version didn't exist09:00
morgan(wish i could +2)09:01
yolandalet's see if that is reviewed fast09:01
yolandaanyway, i'm still finishing work with keystoneauth patch09:02
*** roxanaghe has quit IRC09:03
*** tesseract has joined #openstack-keystone09:03
yolandai will depend on JSONSerializer instead of PrettyJSONSerializer, so we can drop that dependency09:03
*** tesseract is now known as Guest3039409:03
yolandathe extra feature provided by PrettyJSONSerializer is already on my serializer anyway09:03
*** jistr has quit IRC09:05
*** sdake has quit IRC09:07
*** sdake has joined #openstack-keystone09:07
*** jistr has joined #openstack-keystone09:12
*** sheel has joined #openstack-keystone09:15
openstackgerritJames Pic proposed openstack/keystone: Typo in sysctl command example Edit
openstackgerritJames Pic proposed openstack/keystone: Typo in sysctl command example Edit
openstackgerrityolanda.robla proposed openstack/keystoneauth: Create custom serializer for keystoneauth and betamax
*** timonwong has quit IRC09:34
*** timonwong has joined #openstack-keystone09:35
*** vnogin1 has quit IRC09:39
*** vnogin has joined #openstack-keystone09:40
*** EinstCrazy has quit IRC10:09
*** andreykurilin has quit IRC10:10
*** timonwong has quit IRC10:36
*** daemontool has joined #openstack-keystone10:38
openstackgerritSrushti Gadadare proposed openstack/keystone: Provide user friendly messages for db_sync
openstackgerrityolanda.robla proposed openstack/keystoneauth: Create custom serializer for keystoneauth and betamax
*** toddnni_ has joined #openstack-keystone11:01
*** zhiyan_ has joined #openstack-keystone11:02
*** andreykurilin___ has joined #openstack-keystone11:02
*** haneef__ has joined #openstack-keystone11:03
*** wxy_ has joined #openstack-keystone11:03
*** ktychkova_ has joined #openstack-keystone11:03
*** orzel_ has joined #openstack-keystone11:04
*** krotscheck_ has joined #openstack-keystone11:04
*** jgriffith_ has joined #openstack-keystone11:04
*** lbragstad_ has joined #openstack-keystone11:04
*** tristanC_ has joined #openstack-keystone11:04
*** topol_ has joined #openstack-keystone11:04
*** BAKfr_ has joined #openstack-keystone11:04
*** rodrigods has quit IRC11:04
*** kfox1111_ has joined #openstack-keystone11:04
*** jaosorior has joined #openstack-keystone11:05
*** arunkant_ has joined #openstack-keystone11:05
*** rodrigods has joined #openstack-keystone11:05
*** dmellado_ has joined #openstack-keystone11:05
*** jasondotstar_ has joined #openstack-keystone11:05
*** hugokuo_ has joined #openstack-keystone11:05
*** nkinder_ has joined #openstack-keystone11:05
*** clayton_ has joined #openstack-keystone11:05
*** BAKfr has quit IRC11:05
*** andreykurilin__ has quit IRC11:05
*** wxy has quit IRC11:05
*** timburke has quit IRC11:05
*** jgriffith has quit IRC11:05
*** orzel has quit IRC11:05
*** dtroyer has quit IRC11:05
*** lbragstad has quit IRC11:05
*** topol has quit IRC11:05
*** jasondotstar has quit IRC11:05
*** baffle has quit IRC11:05
*** kinrui has quit IRC11:06
*** serverascode has quit IRC11:06
*** zhiyan has quit IRC11:06
*** harlowja has quit IRC11:06
*** krotscheck has quit IRC11:06
*** hugokuo has quit IRC11:06
*** dmellado has quit IRC11:06
*** ianw has quit IRC11:06
*** haneef_ has quit IRC11:06
*** arunkant has quit IRC11:06
*** jdennis has quit IRC11:06
*** toddnni has quit IRC11:06
*** tristanC has quit IRC11:06
*** nkinder has quit IRC11:06
*** ktychkova has quit IRC11:06
*** kfox1111 has quit IRC11:06
*** clayton has quit IRC11:06
*** BAKfr_ is now known as BAKfr11:06
*** jgriffith_ is now known as jgriffith11:06
*** serverascode_ has joined #openstack-keystone11:06
*** toddnni_ is now known as toddnni11:06
*** wxy_ is now known as wxy11:06
*** jasondotstar_ is now known as jasondotstar11:06
*** jgriffith is now known as Guest7277211:06
*** jdennis has joined #openstack-keystone11:06
*** andreykurilin___ is now known as andreykurilin__11:06
*** timburke has joined #openstack-keystone11:06
*** hugokuo_ is now known as hugokuo11:06
*** krotscheck_ is now known as krotscheck11:06
*** clayton_ is now known as clayton11:07
*** lunarlamp is now known as mariusv11:07
*** dtroyer has joined #openstack-keystone11:07
*** ianw has joined #openstack-keystone11:08
*** zqfan has quit IRC11:09
*** zhiyan_ is now known as zhiyan11:10
*** rcernin has quit IRC11:12
*** serverascode_ is now known as serverascode11:12
*** kinrui has joined #openstack-keystone11:17
*** zqfan has joined #openstack-keystone11:18
*** baffle has joined #openstack-keystone11:18
*** mugsie_ is now known as mugsie11:19
*** samueldm1 has quit IRC11:22
*** samueldmq has joined #openstack-keystone11:22
*** EinstCrazy has joined #openstack-keystone11:23
*** rcernin has joined #openstack-keystone11:23
*** ChanServ sets mode: +v samueldmq11:24
samueldmqmorning keystone11:24
*** aimeeU has joined #openstack-keystone11:29
*** henrynash has quit IRC11:29
*** henrynash has joined #openstack-keystone11:31
*** ChanServ sets mode: +v henrynash11:31
henrynasheven morning11:31
samueldmqbreton: henrynash: howdy11:34
henrynashsamueldmq: hi11:34
samueldmqhenrynash: you going to Austin again ?11:34
henrynashsamueldmq: yep…you?11:34
samueldmqhenrynash: yes :)11:34
henrynashsamueldmq: excellent11:35
*** gordc has joined #openstack-keystone11:35
morgani think windows with beta ubuntu bash does a better job of running keystone unit tests than OS X does.11:40
* morgan might be running this now11:40
*** EinstCrazy has quit IRC11:40
morganthough the terminal does a really bad job of handling curses.11:40
samueldmqmorgan: gegege11:43
morganhehe :)11:44
*** dave-mccowan has joined #openstack-keystone11:44
morganand it looks like mosh doesn't work :(11:45
*** josecastroleon has joined #openstack-keystone11:46
*** henrynash has quit IRC11:52
openstackgerritSamuel de Medeiros Queiroz proposed openstack/python-keystoneclient: Improve docs for v3 users
openstackgerritSamuel de Medeiros Queiroz proposed openstack/python-keystoneclient: Add users functional tests
*** iurygregory has joined #openstack-keystone12:02
*** mtreinish has joined #openstack-keystone12:03
*** tellesnobrega is now known as tellesnobrega_af12:05
*** EinstCrazy has joined #openstack-keystone12:07
morganugh. sooooo close12:07
morganso close.12:07
*** trown|outtypewww is now known as trown12:09
*** clenimar has joined #openstack-keystone12:11
*** raildo-afk is now known as raildo12:12
*** henrynash has joined #openstack-keystone12:13
*** ChanServ sets mode: +v henrynash12:13
*** mylu has joined #openstack-keystone12:15
morgansamueldmq: hows it going today?12:16
*** markvoelker has joined #openstack-keystone12:19
henrynashmorgan: Hi…any chance you could give your blessing to: - adding tests to expose a bug that is in the process of being fixed12:24
patchbothenrynash: patch 288403 - keystone - Expose not clearing of user default project on pro...12:24
amakarovmorgan, we've just discovered a problem with memcache: if revocation tree grows larger than 1M it can't be memoized due to memcached restrictions12:25
morganamakarov: this isn't exactly new info.12:25
morganamakarov: welcome to slab-size issues :(12:25
morganamakarov: this has been the same issue we've battled for many many many releases when dealing with memcached12:25
*** mylu has quit IRC12:26
*** edmondsw has joined #openstack-keystone12:26
morganamakarov: this is why we need to drastically reduce the size of the tree... actually... we need to just kill the whole revoke tree completely12:26
amakarovmorgan, thanks :) can we do some workaround like "don't actually cache anything larger than..."12:26
morganamakarov: sortof. though if you are hitting that you're better off just turning off revoke tree caching12:27
morganamakarov: for the immediate use. long term, we'll kill the revoke tree and go with a much simpler SQL query that says "YES" or "NO" to the token being revoked.12:27
amakarovmorgan, that'll be interesting, is there a bp for that?12:28
morgannope. not yet. i figured it was a convo i needed to have with ayoung12:28
morganamakarov: the alternative is to make the @memoize decorator smart enough to split the data structure up and chain it together. [another alternative i've played with in the past]12:29
morgannot a good idea.12:29
morganit is super fragile.12:29
ayounglets focus on reducing the number of revocation events12:30
*** ChanServ sets mode: +v topol_12:30
*** topol_ is now known as topol12:30
ayoung  in progress12:30
patchbotayoung: patch 285134 - keystone - Remove unneeded revocation events12:30
ayoungI thought the tree had been removed at one point and then re-added12:31
ayoungbut going to the sql query will be both simpler and faster with fewer events12:31
*** TxGVNN has joined #openstack-keystone12:32
*** mylu has joined #openstack-keystone12:33
*** roxanaghe has joined #openstack-keystone12:34
morganayoung: ++12:35
morganhenrynash: i'll take a look in a couple minutes, waiting for a very slow run of keystone unit tests to finish12:35
henrynashmorgan: thanks, no worries12:35
*** mylu has quit IRC12:39
*** roxanaghe has quit IRC12:39
openstackgerritKalaswan Datta proposed openstack/keystone: Clear the project ID from user information
amakarovmorgan, ayoung: can we reach some consensus about the level where delegations should be unified? On mid-cycle I was told I can't touch managers, but I can't do some things (reach role_api for ex.) in the driver.12:41
morganmanagers can cross talk12:42
morgandrivers may not talk to managers12:42
samueldmqmorgan: ++12:42
morganput the logic at the manager level12:43
samueldmqamakarov: what morgan said12:43
morganif it needs to reach into multiple backends. or back out.12:43
morganalso.. lesson learned, CORE-M Processor doesn't like to do anything but run unit tests (even web pages... ugh)12:43
amakarovmorgan, run tests in 1 thread then...12:44
*** ninag has joined #openstack-keystone12:50
ayoungamakarov, what morgan said is right: one driver should not call another driver, but one manager can call multiple drivers.  Business logic belongs in the driver12:51
morganamakarov: lol, it's just very very slow - i think running full keystone test is hitting ~30min so far12:51
amakarovayoung, In the manager maybe?12:51
morganamakarov: but...12:52
ayoungah right12:52
ayoungtypo "in the driver"12:52
ayoungBusiness logic "does not belong in the driver"12:53
amakarovayoung, so should I change existing managers then or write my own and call it a driver?12:54
ayoungBusiness logic belongs in the *Manager*12:54
*** pauloewerton has joined #openstack-keystone12:55
ayoungamakarov, change existing Managers12:55
* morgan leaves that direction to ayoung.12:55
ayoungyou can make helper classes if needs12:55
amakarovayoung, should the unification be revertible?12:56
amakarovi.e. if my changes alter the manager logic how can it be used with old drivers?12:57
amakarovamakarov, or work that around with 'if's?12:57
ayoungamakarov, example?12:57
amakarovayoung, looking for ancestor to create a delegation12:58
amakarovthis part is completely incompatible with existing assignment logic12:58
ayoungamakarov, so you mean we need a transition plan....12:58
amakarovayoung, good idea )12:58
*** ninag_ has joined #openstack-keystone12:58
ayoungamakarov, definite summit planning discussion12:59
*** ninag__ has joined #openstack-keystone13:00
amakarovayoung, well, I've added it to etherpad13:00
ayoungamakarov, good.  I'll try to come with some good ideas to get it rolling13:01
amakarovayoung, I'll prepare some code too13:01
*** ninag has quit IRC13:02
*** ninag_ has quit IRC13:03
morganayoung: lol ouch13:07
morganthat is a slow processor13:07
morganbut windows just leapfrogged over OS X as a viable OSS development platform13:08
morgansince you get at least 14.04 versions of dev libraries...vs... uhm... 7 year old bitrotting ones13:08
*** kinrui is now known as fungi13:09
* ayoung sticks with Fedora13:10
*** ninag has joined #openstack-keystone13:16
*** ninag_ has joined #openstack-keystone13:17
*** ninag__ has quit IRC13:19
*** ninag has quit IRC13:21
morganthats fine, but the fact that i can run windows and still do openstack dev is pretty nice. :)13:25
*** erhudy has joined #openstack-keystone13:25
morganalso because the current laptop can't do linux... because the kernel doesn't support SPI devices :(13:25
openstackgerritMerged openstack/keystone: Expose not clearing of user default project on project delete
*** andreykurilin has joined #openstack-keystone13:26
samueldmqmorgan: is that a simple 'tox -e py27' or something like that ?13:30
morgansamueldmq: yeah running on the preview of windows 10 with the ubuntu native system installed13:30
morgansamueldmq: basically, i did the normal apt-get for all the tools you'd install on 14.04, and then ran tox (and pip installed tox/venv)13:31
morgansamueldmq: but this machine is very slow. so.. the test run was very slow13:31
samueldmqmorgan: ++13:32
samueldmqmorgan: I was particularly looking at skipped tests13:32
samueldmq~25% of all tests look a lot13:32
morganpretty standard13:32
samueldmqmorgan: is that okay ? looks like we need to restructure tests for sql/ldap13:33
samueldmqmorgan: I think most of that is cuz ldap is not domain aware; then maybe we could separate such tests in another class, and not inherit them in LDAP test classes13:34
morgansamueldmq: keep restructuring tests to be better13:34
samueldmqmorgan: just have lots of things to do there :)13:35
bknudsonmy goal with is to eventually be able to have a much smaller set of tests in test_backends13:35
patchbotbknudson: patch 291950 - keystone - Define identity interface - easy cases13:35
openstackgerritKalaswan Datta proposed openstack/keystone: Create V9 driver for identity backend
openstackgerritKalaswan Datta proposed openstack/keystone: Clear the project ID from user information
samueldmqbknudson: ++, just voted there, it's looking great13:38
bknudsonhere's another part of the effort -
patchbotbknudson: patch 283822 - keystone - Move resource manager tests out of test_backend13:39
bknudsonalthough I haven't been keeping up with the merge conflicts there, just pointing it out as another thing to do13:39
samueldmqbknudson: so next step is basically move test cases from test_backends to identity/backends/ ?13:39
samueldmqbknudson: and remove duplicates13:39
bknudsontest_backends tests the managers which are in subsystem/ , so they're moved to test_core.py13:40
*** BigWillie has joined #openstack-keystone13:41
samueldmqbknudson: got it, that's what you do in patch 28382213:41
patchbotsamueldmq: - keystone - Move resource manager tests out of test_backend13:41
samueldmqbknudson: while patch 291950 creates the tests for the drivers themselves13:41
patchbotsamueldmq: - keystone - Define identity interface - easy cases13:41
samueldmqbknudson: that's great13:41
bknudsonright, rather than trying to test the drivers by writing tests against the managers, test the drivers directly13:42
samueldmqbknudson: ++13:42
samueldmqbknudson: I am doing that for endpoint_policy and policy subsystems13:42
samueldmqbknudson: in patch 212006 and patch 21295713:42
patchbotsamueldmq: - keystone - Create unit tests for endpoint policy drivers13:42
patchbotsamueldmq: - keystone - Create unit tests for the policy drivers13:42
samueldmqbknudson: I just need to restructure the subsystem's code themselves (putting a module called, as we have for identity)13:43
samueldmqso the files called I created there will make sense13:43
bknudsonis there a review for creating
samueldmqbknudson: not yet13:44
*** martinus__ has quit IRC13:46
*** martinus__ has joined #openstack-keystone13:46
andreykurilinhi all!13:47
samueldmqandreykurilin: hi13:47
andreykurilinI'm working on novaclient and want to deprecate our custom HTTPClient and use Keystone session always13:48
amakarovandreykurilin, I thought you were about nova channel )13:48
andreykurilinamakarov: I have issues not at nova side:)13:49
amakarovandreykurilin, here is the common way to use sessions:
amakarovandreykurilin, do you have client lib?13:49
andreykurilinamakarov: keystoneclient lib?13:50
*** richm has joined #openstack-keystone13:50
amakarovandreykurilin, that depends which service you want to use13:51
raildoandreykurilin: you have to use keystoneauth session13:51
samueldmqraildo: ++13:51
raildoandreykurilin: we are doing a similar work on other services like swift, ironic13:51
andreykurilinraildo: one moment please)13:51
andreykurilinok, let me share a patch  :)
patchbotandreykurilin: patch 304035 - python-novaclient - WIP: Create Session instance if possible13:52
andreykurilinI already able to create keystone session for most cases13:52
raildoandreykurilin: awesome :)13:52
andreykurilinbut I don't know how to transfer several novaclient's arguments to keystoneauth13:52
andreykurilinsee L696-69713:53
andreykurilinamakarov: ^13:53
raildoandreykurilin: right, I suggest take a look on this patch
patchbotraildo: patch 298968 - python-swiftclient - Adding keystoneauth sessions support13:53
raildoandreykurilin: we made a similar work, since you have to get the service_type, interface, token from the session13:54
*** Nirupama has quit IRC13:55
andreykurilinraildo: thanks, will look at it13:55
amakarovandreykurilin, what exactly the problem there?13:55
*** andrewbogott_ is now known as andrewbogott13:57
*** andrewbogott has quit IRC13:57
*** andrewbogott has joined #openstack-keystone13:57
andreykurilinamakarov: I do not know how to create keystone session with existing token13:57
raildoandreykurilin: np, if you have any other doubts, I suggest ping pauloewerton, he was the guy who made this work :D13:57
openstackgerritKalaswan Datta proposed openstack/keystone: Clear the project ID from user information
*** links has quit IRC13:57
amakarovandreykurilin, Session(token=token)?13:58
andreykurilinamakarov: and bypass_url (Use this API endpoint instead of the Service Catalog. Defaults to env[NOVACLIENT_BYPASS_URL])13:58
amakarovandreykurilin, look at this method:
*** sigmavirus24_awa is now known as sigmavirus2414:03
amakarovandreykurilin, not sure what do you want with service catalog14:04
*** ametts has joined #openstack-keystone14:04
andreykurilin__amakarov: just use specific url to communicate with Nova instead of asking keystone to return endpoint for Nova14:04
amakarovandreykurilin__, should it be keystone session parameter rather than nova client's ?14:06
andreykurilin__amakarov: yes14:06
*** dstanek has joined #openstack-keystone14:07
*** ChanServ sets mode: +v dstanek14:07
dstanekwell, that was fun. my znc server went crazy and i couldn't connect to freenode14:07
dstanekdolphm: lbragstad_: <- quick hack14:09
*** TxGVNN has quit IRC14:10
amakarovandreykurilin__, ksa session doesn't do such complex logic like fetching endpoints by itself. It just provides REST client...14:12
jaosoriorandreykurilin__: Wouldn't that be the endpoint_override option? You could have that available if you're using keystoneauth1's adapter module
*** naresht has quit IRC14:14
andreykurilin__jaosorior: yes, we use it:) I think it is a correct parameter14:16
jaosoriorandreykurilin__: Awesome. So that should do the trick14:17
*** tellesnobrega_af is now known as tellesnobrega14:18
*** TxGVNN has joined #openstack-keystone14:20
*** wasmum has quit IRC14:23
lbragstad_dstanek nice!14:30
*** slberger has joined #openstack-keystone14:30
*** wasmum has joined #openstack-keystone14:31
*** lbragstad_ is now known as lbragstad14:31
*** Guest11043 is now known as redrobot14:40
*** tellesnobrega is now known as tellesnobrega_af14:41
*** phalmos has joined #openstack-keystone14:43
*** edtubill has joined #openstack-keystone14:47
*** pumaranikar has joined #openstack-keystone14:47
*** rderose has joined #openstack-keystone14:54
*** mhickey has joined #openstack-keystone14:59
*** doug-fish has joined #openstack-keystone15:06
dolphmdstanek: are those time in CT?15:08
dolphmdstanek: it also needs to be re-generated ... there's been schedule changes not reflected here15:09
dstanekdolphm: i'm not sure what the times are's straight out of their json. thanks for the heads up. i'll regenerate15:16
dolphmdstanek: looks like CT, just wanted to double check15:16
*** real56 has joined #openstack-keystone15:17
*** spzala has joined #openstack-keystone15:18
*** links has joined #openstack-keystone15:19
*** pnavarro has quit IRC15:22
dstanekdolphm: that's what i figured15:22
dstanekdolphm: updated15:23
stevemardstanek: hehe nice15:23
*** phalmos has quit IRC15:28
*** Guest72772 is now known as jgriffith15:28
dolphmstevemar: i backported dims patches to stable/liberty and stable/mitaka,n,z but also wondering why dims didn't do the same? the patch certainly fixes the issue there for me. dims?15:30
* dolphm drops mic and runs to meeting15:30
dimsdolphm : was wanting to chase a better fix15:30
stevemardims: was it even affecting master branches?15:31
stevemarerrr stable*15:31
stevemari guess we'll see if passes15:31
patchbotstevemar: patch 307254 - keystone (stable/mitaka) - Updated from global requirements15:31
openstackgerritMerged openstack/keystone-specs: Include blacklist and whitelist to mappings docs
*** woodster_ has joined #openstack-keystone15:34
*** roxanaghe has joined #openstack-keystone15:34
*** e0ne has quit IRC15:34
*** Guest15381 is now known as medberry15:35
*** medberry is now known as med_15:35
*** Kimmo_ has quit IRC15:38
*** gyee has joined #openstack-keystone15:43
*** ChanServ sets mode: +v gyee15:43
*** navidp has joined #openstack-keystone15:43
*** roxanaghe has quit IRC15:45
*** navidp has quit IRC15:48
*** TxGVNN has quit IRC15:56
*** stingaci has joined #openstack-keystone15:57
*** navidp has joined #openstack-keystone15:59
*** tqtran has joined #openstack-keystone16:00
*** links has quit IRC16:01
*** csoukup has joined #openstack-keystone16:02
*** raddaoui has joined #openstack-keystone16:04
*** Guest30394 has quit IRC16:05
*** raginbajin has quit IRC16:05
*** gyee has quit IRC16:06
dolphmstevemar: yes, i found out about the issue because i got stable maintenance build failures over the weekend16:08
stevemardolphm: wunderbar!16:09
stevemardolphm: i made a comment on the patch, i think you have to remove the changes to reqs.txt16:09
*** raginbajin has joined #openstack-keystone16:10
*** BjoernT has joined #openstack-keystone16:13
*** trown is now known as trown|lunch16:18
mancdazstevemar I found your response on the ML regarding support for TOTP. Is the current option for enabling 2fa with keystone essentially limited to totp with a sql back end?16:20
stevemarmancdaz: you got it16:20
stevemarmancdaz: hoping we have something cooler for newton16:21
mancdazstevemar did anything else land in mitaka? or was that it?16:21
*** pcaruana has quit IRC16:21
mancdazanything in liberty?16:21
stevemarmancdaz: that was it for mitaka; liberty had nothing like that16:21
mancdazstevemar ok great thanks16:21
*** mariusv has quit IRC16:22
*** mariusv has joined #openstack-keystone16:23
*** stingaci has quit IRC16:25
*** stingaci has joined #openstack-keystone16:26
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements
kfox1111_ayoung: you coming to the instance user session?16:32
*** kfox1111_ is now known as kfox111116:32
ayoungkfox1111, yes and bringing friends16:32
kfox1111awesome. thanks. :)16:32
kfox1111I couldn't attend nova's last meeting, but they discussed it and still don't think its their problem.16:33
kfox1111some nova folks will attend, but it sounds like no ptl or cores. :/16:33
andreykurilin__stevemar: hi! Could you look at my novaclient's change and say your opinion from keystone side?16:33
kfox1111I'm hoping that if we can get enough non nova folks there, those from nova will realize it really is a real problem and bring that knowledge back to the nova team.16:34
*** jistr has quit IRC16:39
*** tqtran has quit IRC16:40
*** itlinux has joined #openstack-keystone16:42
*** rcernin has quit IRC16:43
stevemarandreykurilin__: link?16:43
patchbotandreykurilin__: patch 304035 - python-novaclient - WIP: Create Session instance if possible16:45
stevemarandreykurilin__: ty, will review16:46
*** EinstCrazy has quit IRC16:49
openstackgerritBoris Bobrov proposed openstack/keystone-specs: Functional testing setup
*** martinus__ has quit IRC16:51
*** vgridnev_ has joined #openstack-keystone16:52
edtubillHi, I'm trying to setup keystone to keystone federation with Mitaka. I can get an ECP wrapped SAML assertion from the idp, but when I try to send it to the sdp shibd tells me "unable to locate compatible SSO service for provider". Can someone help me?16:52
*** martinus__ has joined #openstack-keystone16:52
rodrigodsedtubill, breton, i think knikolla (mylu) was having the same issue but only with manual testing16:54
rodrigodsusing keystoneauth plugin it seems to work16:55
*** mhickey has quit IRC16:57
edtubillrodrigods, breton: thx, so is that a client plugin?16:57
rodrigodsedtubill, yep... :) don't have a "ready" example here though16:58
rodrigodsi should update my blog with it sometime16:58
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Restructure endpoint policy abstract driver
edtubillrodrigods: cool, yeah I've been looking at your blogs. they've been very helpful :). I'll go look for the docs and look through the code.16:59
rodrigodsglad that it helps17:01
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation model
rodrigodsamakarov, ping... do you have a strong position about this ?17:02
patchbotrodrigods: patch 303471 - keystone-specs - Add note about service provider fields17:02
rodrigodsdstanek, ping ... would be nice to have your feedback at (and the follow up patches) whenever you have some time17:04
patchbotrodrigods: patch 302299 - keystone - Add identity providers integration tests17:04
amakarovrodrigods, hi! I believe the positive form is easier to understand: you want reader to do things right after all )17:04
ayoungkfox1111, OK, so we had an internal team meeting right when you asked17:05
amakarovrodrigods, if you provide an example of bad practice - this is usually done after the right way17:05
ayoungand that was one of the topics of conversation17:05
ayoungkfox1111, so, rcrit is working on a BP for an automatic registration of a nova server with an identity provider, and he's going for a driver based approach17:06
ayoungthe result from the driver will be an additional secret pushed in to the VM via config drive17:06
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Restructure policy abstract driver
samueldmqbknudson: I've created the for the policy and endpoint policy abstract drivers17:07
samueldmqbknudson: so my tests start making sense17:07
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Create unit tests for the policy drivers
*** phalmos has joined #openstack-keystone17:08
*** tqtran has joined #openstack-keystone17:10
*** harlowja has joined #openstack-keystone17:11
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Create unit tests for endpoint policy drivers
*** trown|lunch is now known as trown17:13
rodrigodsamakarov, hmm ok17:14
rodrigodswill try to rephrase that17:14
openstackgerritMerged openstack/keystone: Test list project hierarchy is correct for a large tree
openstackgerritDavanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c
samueldmqhenrynash: hi17:19
samueldmqhenrynash: re: abstract drivers in endpoint policy17:20
henrynashsamueldmq: hi17:20
samueldmqhenrynash: so, endpoint policy driver doesn't inherit from abstract driver defined in core.py17:21
morganhenrynash: ok i am awake now.17:21
morganhenrynash: i can take a look at that patch17:21
samueldmqhenrynash: I fixed that, but there are 2 methods (get_policy_for_endpoint, list_endpoints_for_policy) that the driver doesn't implement17:21
morganhenrynash: but... i'll trade you ;)17:22
samueldmqhenrynash: and it doesn't need to, because the manager doesn't call them17:22
henrynashmorgan: no  problems…ayoung did it for you!17:22
harlowjaayoung morgan so who is bringing the rope next week, me i think right?17:22
harlowjai just wanna check :-P17:22
henrynashmorgan: but still happy to trade17:22
samueldmqhenrynash: question is: do I need to create a new version just for removing those 2 useless methods?17:22
patchbotmorgan: patch 249486 - keystone - Remove eventlet support17:22
morganhenrynash: it's a beastly one17:22
morganbut it needs eyes (and a bknudson glance as well)17:22
morganbut more eyes on that is good.17:22
morganhenrynash: and the followup to it17:23
henrynashmorgan: ok, np, will look at it after dinner!17:23
morganperfect :)17:23
morganhenrynash: i am excited at the prospect of keystone sans eventlet17:23
henrynashmorgan: ’tis time indeed17:23
morganstevemar: i hate to be the bearer of bad news... but17:24
morgan isn't this a breaking change? not api compat?17:24
patchbotmorgan: patch 294822 - keystone - remove fallback to default domain id17:24
henrynashsamueldmq: so if the manager never called them….i.e. it wouldn’t have mattered whether a 3rd party version of the driver implemented them or not, then I’ll say it’s OK to do the change within the current version17:25
*** sigmavirus24 is now known as sigmavirus24_awa17:26
morganayoung: ^ cc on that patch being api incompat17:26
morganayoung: as *much* as I dislike the fallback17:26
morgancc henrynash ^ as well17:26
stevemarmorgan: it was deprecated for 2 cycles17:27
stevemarwe can keep it in, i was just doing clean up17:27
morganstevemar: but it's still a public facing API - we shouldn't break behavior at all (without something like microversions)17:27
morganstevemar: except in the case where we have the buyin to kill V217:28
stevemarmorgan: danke17:28
morganstevemar: /me says this with the TC hat on.17:28
stevemarmorgan: damn your new hat17:28
*** sigmavirus24_awa is now known as sigmavirus2417:28
stevemarmorgan: this change merged, but not as big of a deal:
patchbotstevemar: patch 295492 - tempest - include domain_id when creating groups (MERGED)17:29
morganstevemar: and that is a reasonable change since tempest17:29
morganin fact tempest testing that is correct. we should however not break API behavior *ever*17:30
morganexcept in extreme cases (or experimental apis)17:30
morganso, sorry -2 on yours :(17:30
stevemarmorgan: alright. we should change the deprecation message then17:30
henrynashmorgan, stevemar: so we live with the sins of the father for apis marked as stable17:30
morganhenrynash: pretty much17:30
henrynashmorgan: I hadn’t thought of it that way, but I find it hard to argue against17:31
morganhenrynash: we got special dispensation to delete v2.0 when the general view changed from deprecation cycle to "don't break behavior"17:31
morganhenrynash: we should TOTALLY have an awesome deprecation message *and* we should clearly say the behavior is deprecated17:31
morganstevemar: i'll un -2 it when the patch changes from removal to other thing.17:32
BjoernTdolphm: ping17:33
dolphmBjoernT: o/17:34
BjoernTI probably know why I get the 401 , {"auth": {"scope": {"domain": {"name": "domain1"}}, "identity": {"password": {"user": {"domain": {"id": "default"}, "password": "test1", "name": "test1"}}, "methods": ["password"]}}} looking at this the token is scoped to different domains, although I only set OS_DOMAIN_NAME17:34
BjoernTseems like I have to set OS_USER_DOMAIN_NAME17:35
BjoernTat least along with OS_DOMAIN_NAME17:35
*** timcline has joined #openstack-keystone17:36
patchbotsamueldmq: patch 277198 - keystone - Default caching to on for request-local caching.17:39
morgansamueldmq: yes?17:39
samueldmqmorgan: this is the only way we have to do it (currently), right?17:40
*** orzel_ has quit IRC17:40
morgansamueldmq: today. until oslo.cache supports set_Defaults17:40
morganit's fine to say wait and do fixes there.17:40
morgani just pulled it forward as a thing we should do17:40
*** stevemar has quit IRC17:41
BjoernTdolphm: I probably know why I get the 401 , {"auth": {"scope": {"domain": {"name": "domain1"}}, "identity": {"password": {"user": {"domain": {"id": "default"}, "password": "test1", "name": "test1"}}, "methods": ["password"]}}} looking at this the token is scoped to different domains, although I only set OS_DOMAIN_NAME , seems like I have to set OS_USER_DOMAIN_NAME at least along with OS_DOMAIN_NAME17:41
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Default caching to on for request-local caching.
samueldmqmorgan: ^ just added something to the comment to make it clearer, and +A17:42
morgansamueldmq: /me nods.17:43
morgansamueldmq: sounds good.17:43
*** Kimmo_ has joined #openstack-keystone17:43
*** stevemar has joined #openstack-keystone17:44
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: Add note about service provider fields
morgansamueldmq: can i ask you a huge favor?17:47
morgansamueldmq: actually... nvm17:47
samueldmqmorgan: yes you can if you still want17:47
morgansamueldmq: nah, i can do it.17:48
samueldmqmorgan: as you want :)17:48
*** timcline has quit IRC17:50
*** pumaranikar has quit IRC17:53
*** navidp has quit IRC17:56
*** henrynash has quit IRC17:57
*** lhcheng has joined #openstack-keystone17:59
*** ChanServ sets mode: +v lhcheng17:59
dolphmBjoernT: are you getting a 401 in response to that auth request?18:00
dolphmBjoernT: or getting a 401 trying to use the subsequent token?18:00
BjoernTdolphm: without the OS_USER_DOMAIN_NAME yes18:00
dolphmBjoernT: i'm not sure i understand -- is the test1 user actually in the 'default' domain?18:01
BjoernTdolphm: no the user is inside the domain1 domain18:02
dolphmBjoernT: "the token is scoped to different domains" <-- you don't have a token yet, so i assume you're referring to the two different domain references in the auth request?18:02
dolphmBjoernT: so, you need to set OS_USER_DOMAIN_NAME=domain118:02
dolphmBjoernT: and that should get you a different auth request, right?18:02
*** jaosorior has quit IRC18:03
BjoernTdolphm: Yes I did set OS_DOMAIN_NAME and OS_USER_DOMAIN_NAME and it worked, the auth request looked ok to me18:03
BjoernTdolphm: {"auth": {"scope": {"domain": {"name": "domain1"}}, "identity": {"password": {"user": {"domain": {"name": "domain1"}, "password": "test1", "name": "test1"}}, "methods": ["password"]}}}18:03
dolphmBjoernT: and the user has a role assignment on domain1?18:04
dolphmBjoernT: whatever role name policy requires (cloud_admin? admin?)18:04
BjoernTdolphm: yes on domain level and on project level for that domain. I created a custom role similar to cloud admin like "role:user_admin_role and (token.is_admin_project:True or domain_id:%(domain_id)s)"18:05
BjoernTdolphm: that domain_id:%(domain_id)s) fills in any domain submitted in the request right ?18:05
*** gyee has joined #openstack-keystone18:07
*** ChanServ sets mode: +v gyee18:07
openstackgerritSteve Martinelli proposed openstack/keystone: Remove eventlet support
stevemarmorgan: henrynooooobouncer i fixed the nits here ^18:08
samueldmqstevemar: I will propose fixing the comment in
samueldmqstevemar: as a follow up then18:11
samueldmqstevemar: I am fine with the change as it is, and given morgan and hen<tab><tab><tab> (no bouncer) +2s I think I can pull the trigger18:12
*** roxanaghe has joined #openstack-keystone18:12
morganstevemar: my +2 stands.18:12
ayoungharlowja, if you can, great.18:12
harlowjaayoung okie dokie18:13
harlowjajust gotta remember, ha18:13
ayoungharlowja, I've been working on getting back on lead. Still nowhere near my high water mark, but at least I can complete a climb now18:13
ayoungharlowja, I have a 60m18:13
samueldmqbye eventlet support18:13
ayoungI can bring it if needed18:14
harlowjaayoung  well pranesh (another openstack guy) will also be there, he can lead like 10a, and i can lead mostly everything < 12a (working on making that <= 12a) so we'll be good18:14
harlowjajust don't fall18:17
ayoungharlowja, took my latest lead test with someone I outweighed by 60 lbs.   It was a fun fall.18:18
*** tellesnobrega_af is now known as tellesnobrega18:18
ayoungharlowja, used to climb with my Wife.  Same ratio (roughly)  so you get used to it.18:19
*** ninag_ has quit IRC18:25
morganharlowja: 60lb difference... that falls into "here let me set an anchor up for you..."18:26
* morgan also prefers climbing outdoors.18:26
ayoungmorgan, the first clip stops the belayer.  Now, with Trad gear, you better have a directional18:26
*** ninag has joined #openstack-keystone18:27
morganayoung: pretty much.18:27
morganor you don't fall ;)18:27
morganthat is always a good plan too.18:27
ayoungmorgan, Maybe in Catalonia....18:27
morgani mean, i wouldn't rely on it.18:27
morganbut it's def. a better plan to not fall.18:27
harlowjaya, just don't fall, lol18:28
morganwith bolts and/or gym, yeah first clip will catch the belayer... but it won't be fun for either party usually ;)18:29
*** ninag has quit IRC18:29
harlowjaya, depending on weight imbalance, u might not be in for a good time, lol18:29
harlowjaespecially around first or second clips, lol18:29
harlowjaor third18:30
morganharlowja: at 60lbs i really would consider an anchor in outdoor climbing18:30
morganat least for the 1st pitch. after that18:30
morganmeh, you're anchored anyway.18:30
harlowjaso when we all going outdoors, lol18:30
harlowjaopenstack rock-club18:30
morgangod.. i dunno if i could do a 5.9 now :(18:30
morgani might top out at like 5.718:31
harlowjaok, ummm, might need to work on that, lol18:31
morganand def. in no shape to lead.18:31
harlowjai end up leading most of the stuff, so i'm used to it18:31
dolphmBjoernT: so, you assigned the "user_admin_role" to the test1 user on the test1 domain? i'm not sure what you mean by "and on project level"18:31
morganit's been ~10yrs since i was on the rock18:31
harlowjaya, drug-free, +218:31
morgani get my adrenaline from cycling...18:32
dolphmBjoernT: i'd appreciate seeing the entire policy file you have, so i understand the context & consequences of your change18:32
harlowjaya, still need to mountain-bike when u around18:32
morganit's amazing how fast ~50mph is on the road.18:32
morganharlowja: i need to get a MTB18:32
morgani have my CX bike here in portland18:32
harlowjaya, i don't like to go ~50mph on a road on a MTB18:32
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Remove comments mentioning eventlet
samueldmqmorgan: stevemar ^18:32
harlowjawheels don't work too well at that speed on a MTB18:32
morganyah for sure18:33
arunkant_stevemar: Hi..can you look into this audit middleware change .18:33
patchbotarunkant_: patch 279828 - keystonemiddleware - Adding audit middleware specific notification driv...18:33
morganharlowja: so yosemite?18:33
ayoungMeh...falling is part of the sport.  Took an intentional fall yesterday to try and get my head straight18:33
arunkant_stevemar: dims, has already removed his objection and code has been adjusted with oslo.messaging changes18:33
harlowjaayoung agreed18:34
morganayoung: fall practice is important18:34
morganthe thing is... i don't like gym climbing.18:34
ayoungI need to get up Cannon this summer.18:34
harlowjathere is an easy half-dome one that i was gonna try to do this year18:34
ayoungharlowja, Snake dike>?18:34
harlowjaya that one18:34
morganharlowja: i am actually wanting to do mountaineering... ice climbing ;)18:34
stevemarsamueldmq: thank you!18:34
harlowjaice climbing in the summer might be hard, lol18:34
samueldmqstevemar: my pleasure18:35
morganharlowja: just in general18:35
harlowjaya, also that, lol18:35
morgango to the southern hemisphere18:35
harlowja seems reasonable18:35
harlowjaand this other guy i go with i think can do it18:35
ayoung  It's a highway18:35
harlowjaits 5.7 (R) but i think the R is prob ok18:35
morgan5.7R hm.18:36
harlowjai don't mind a little R18:36
harlowjaayoung ya, that's expected, ha18:36
ayoungThe 5.7 and the R are separate18:36
morganit should be ok-ish on 5.718:36
harlowjaR == runout18:36
ayoungOne bolt in the center of a 5.4 pitch?18:36
harlowjathat's all u need right18:36
* morgan needs to go do again.18:37
ayoungJust bring a water filter.  There is water up high, but you will go through a lot...long hike18:37
harlowjaayoung agreed18:37
ayoung   That is the majority of the climbing...a ladder18:37
*** navidp has joined #openstack-keystone18:38
harlowjashould be easy, minus the R part which i don't like, but will deal with, lol18:38
*** ninag has joined #openstack-keystone18:39
ayoungharlowja, You hear about the Regular Route?18:39
harlowjamorgan  i have a guy i know that does a lot of the mountaineering stuff, if u want me to connect u18:40
harlowjahe's more of the mountaineer guy, lol18:40
morganharlowja: i need to get back into shape first18:40
morgangoing to start running again post summit18:40
harlowjahe wanted to do18:40
harlowjaI'd like to attempt this crazy hike on June 25th/26th (or 18th/19th alternatively).  It's a point to point hike along the highest ridge in the San Bernardino mountains.  It tags 9 summits including Mount San Gorgonio, the highest peak in Southern California.18:40
harlowjaTotal stats are 27miles, +8500ft."18:40
morganthen i can start looking at building the strength up for that stuff.18:41
harlowjaand i'm like,holy crap, lol18:41
dolphmBjoernT: also, "that domain_id:%(domain_id)s) fills in any domain submitted in the request right ?" yes, but i'm skeptical you'd actually want that behavior in this case18:41
morganharlowja: holy crap.18:41
morganalso SB mountains = where i grew up ;)18:41
*** ryanpetrello has left #openstack-keystone18:41
*** ninag has quit IRC18:41
harlowjaya, it doesn't seem too crazy, but 27miles, i'm not sure i can do that18:41
harlowja*especially in 1 day18:42
morganharlowja: also june is going to be MISERABLE weather there18:42
morganlike ~100+18:42
morganin the valleys18:42
morganand upper 80s/low 90s on the hills.18:42
*** roxanagh_ has joined #openstack-keystone18:43
morganharlowja: the climb i want to do :)18:43
*** jed56 has quit IRC18:43
harlowjamorgan ya, damn, 100+ ummm18:44
openstackgerritMerged openstack/keystone: Remove comment from D202 rule
harlowjai don't wanna die, lol18:44
openstackgerritMerged openstack/keystone: Moved name formatting (clean) out of the driver
harlowjamorgan  nice, let's do it :-P18:45
morganharlowja: it's a fun series of (mostly) cracks.. and then the chimney.18:45
*** roxanagh_ has quit IRC18:45
morgan8 pitches though. and i think a 1.5hr approach and 2hr walk off18:45
harlowjaya, early wake, and late-finish18:47
harlowjaget er' headlamps, lol18:47
BjoernTdolphm: Yes I need to find out what the customer really wants, in worst case we lock it to the domain the user is in or to a fixed it. Locking to the user assigned domain would be ?18:48
*** roxanagh_ has joined #openstack-keystone18:50
morganbknudson: maybe we should look at making fernet keys live in the mysql db?18:52
morgancc lbragstad ^18:52
lbragstadmorgan why's that?18:52
morganby default. it would make it easier to "auto" create the fernet keys without worrying about having mis-matched keys if we make fernet the default18:53
morganover uuid in keystone itself18:53
*** browne has joined #openstack-keystone18:54
morganand that way fernet keys are implicitly shared within a cluster.18:54
morganlowers rotation overhead/headaches.18:54
bknudsonmorgan: one of the concerns with having keystone create the keys is that then the keystone user can write them.18:54
*** roxanagh_ has quit IRC18:54
morganbknudson: agreed18:54
lbragstadbut then we have keys used to encrypt token stored in plaintext in the database18:54
morganbknudson: i really don't like that. but i am pretty much against having fernet be the default in keystone because it isnt a "sane" default18:55
morganin devstack and in documentation recommending deploys, it would be the recommended way18:55
morganbut keystone should *just work* (mostly) out of the box18:55
morganand fernet keys are like the pki signing certs, more worrisome.18:55
morganiirc devstack overrode for PKI default18:56
bknudsony, but keystone isn't going to just work because it needs keystone-manage db_sync, too.18:56
morgankeystone still maintained uuid18:56
morganbknudson: right, but the DB is shared amongst cluster members18:56
morganbknudson: distinction in operational overhead18:56
morganas *much* as i want UUID tokens to die...18:56
morgan(not sometime post PKI)18:57
bknudsonI suppose the fernet keys have a default lifetime?18:57
lbragstadbknudson what do you mean?18:57
bknudsonso if keystone did create them they'd just expire.18:57
morganbknudson: nope18:57
morganbknudson: fernet keys exist until rotated18:57
lbragstadkey rotation is an operator thing18:57
bknudsonoh, it's based on the rotation. so not a problem.18:57
lbragstadand the fernet keys don't enforce ttl of the actual key18:57
openstackgerritMerged openstack/keystone: Avoid name repetition in equality comparisons
bknudsonother than apparently it's a security hole if you don't rotate18:57
lbragstader fernet spec*18:57
morganit just comes down to adding some level of shared vs not shared signing secrets/encryption secrets18:58
* morgan kindof votes we make devstack override to start18:58
morganand then we work to improve fernet things18:58
lbragstadwhat's the problem we're hitting?18:59
morganit's just the setting a default in keystone18:59
* morgan is catching up on ML topics18:59
*** ametts has quit IRC19:00
bknudsonI don't have a problem with allowing fernet keys to be in the db.19:02
morganbknudson: i would like them to be non-writable by keystone though. wonder if we could do something like that (the running keystone that is)19:03
morganbknudson: it's so many layers of security/best practices concerns.19:03
bknudsonif someone wants non-writable by keystone then use the filesystem driver19:03
morganbknudson: yeah19:03
morganbknudson: and i'd say we document that as *the* best approach19:03
lbragstadok - i missed something19:03
morganknowing no one will do it except for folks like you19:03
lbragstadwhy are we going to put them in the database?19:04
morganand nate burton.19:04
bknudsonprint out a warning if the db is used.19:04
morganlbragstad: if we put them in the DB we could eliminate uuid tokens19:04
lbragstadmorgan how?19:04
morganlbragstad: because keystone could auto-create the keys19:04
morganand keys are shared across the cluster by default19:04
dolphmBjoernT: by publicly, i meant outside of a PM19:05
morgandolphm: i'm thinking of BBQ in austin. kindof excited fwiw19:05
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation assignment driver
lbragstadwhat's wrong with using the tools like what OSA does for cluster syncing?19:05
bknudsonnot everybody uses OSA19:06
morganlbragstad: if you require OSA or something to sync the keys, i don't feel comfortable saying fernet is a sane default in keystone19:06
dolphmmorgan: if you're going to the core reviewer party (somehow i never got a confirmation email?), then you'll have the arguably best brisket in the world19:06
lbragstadno - bknudson it's an example19:06
morganlbragstad: it may be the best choice.19:06
morgandolphm: except i.. hold on. will send you a PM19:06
morganlbragstad: but like PKI tokens you have operational overhead to manage keys (or signing certs)19:07
lbragstadthey've automated a way to sync key repositories across a deployment19:07
bknudsonthe core reviewer party was full when I tried to RSVP. So I'll get my BBQ elsewhere.19:07
stevemarbknudson: i like how that is full, but exclusive invites, wut19:08
stevemardolphm: lbragstad i like morgan's argument about fernet. maybe default isn't the right answer, we keep UUID default and assume some config management needs to happen19:09
lbragstadwasn't there a conversation about adding some logic to keystone to check if the repository was created or not?19:10
lbragstadand if not - keystone would do a fernet_setup for you?19:10
morganlbragstad: then i'm voting for an in-db driver for the keys19:10
dolphmstevemar: there are silly things we can have fernet do if you don't do setup yourself19:11
morganlbragstad: as the default. and a filesystem based one for real production19:11
amakarovayoung, the best idea I have to right now to lift logic to the manager:
patchbotamakarov: patch 291318 - keystone - Unified delegation assignment driver19:11
stevemardolphm: like?19:11
lbragstadhmm this seems like a cluster management problem19:11
dolphmstevemar: like have keystone attempt to write to fernet-keys/ itself, automatically, with appropriate locking19:11
bknudsonI can see morgan's point about having it shared in the db by default. Having separate keystones create their own directories would be pretty confusing to a deployer19:12
dolphmstevemar: it'd be a mess, and it'd only work for AIO's19:12
morgandolphm: and i don't want to engineer for AIO19:12
morganin fact that seems silly to me19:12
dolphmstevemar: and it'd probably cause problems for freshly deployed clusters (or freshly deployed nodes in existing clusters)19:12
dolphmmorgan: ++19:12
rodrigodsbknudson, updated :) thanks for reviewing this19:13
patchbotrodrigods: patch 298696 - openstack-infra/project-config - Enable non-voting keystone tempest plugin tests19:13
morgandolphm: so if we make fernet the token driver in keystone, it's worth using a shared store (by default) for the keys if keystone is auto-creating them. right now that is the db19:13
rodrigodslbragstad, ping... can you take a second look at ?19:13
patchbotrodrigods: patch 294201 - keystone - Add conflict validation for idp update19:13
morgani'm 100% ok with uuid being default in keystone and fernet being the default for devstack19:13
dolphmmorgan: if you put them in the database, they can't be in plain text, and then you have a whole 'nother configuration challenge to deal with. what do we encrypt our encryption keys with? "ADMIN" ?19:13
morgandevstack is opinionated19:13
morgandolphm: i'd make it a driver and warn up and down this is not the correct deployment for real cases.19:14
dolphmmorgan: i'm okay with that in the interim, but i see no reason to support uuid if that's the only reason we keep it around19:14
dolphmmorgan: it'll become the next kvs driver19:14
morgandolphm: if we do the in-db thing... and support passing an encryption key if wanted19:14
morgani mean i can engineer this in a couple hours.19:14
dolphmmorgan: if wanted?19:15
*** sheel has quit IRC19:15
morganit's just i feel like we should hash out the right way to share keys19:15
morganwe *could* implement some rudimentary RAFT capabilities in keystone19:15
dolphmmorgan: so by default, we're going to hash user passwords in the db, and also by default, store fernet token encryption keys in plaintext in the db?19:15
dolphmmorgan: that's not a very production-friendly default, either19:15
morganand the primary keystone could share the keys19:15
dolphmmorgan: raft?19:15
*** raginbajin has quit IRC19:16
morganlike percona bootstrapping.19:16
dolphmmorgan: let's keep that in the *could* column :P19:16
morgani don't like it.19:16
stevemardolphm: morgan bknudson are we down with releasing 3.0.0 for KSC today? :)19:16
dolphmmorgan: yes it would solve the problem by creating a new problem :P19:16
morgani think the best option *today* is devstack fernet, keystone uuid19:16
morganand we hash out how to solve the fernet default in keystone19:17
bknudsonstevemar: no responses from your email?19:17
morganstevemar: i'm ok with breaking people :)19:17
stevemarbknudson: nope19:17
morganlesss dooo eeet19:17
*** ametts has joined #openstack-keystone19:17
dolphmmorgan: generate a key in memory? :D19:17
bknudsonok, try it and see.19:17
morgandolphm: ahahahahahaha19:17
stevemarbknudson: there isn't much of a try and see here :)19:18
stevemarnot much wiggle room for reverting :)19:18
morganstevemar: sure there is. 4.0.019:18
morganstevemar: :P19:18
stevemarrevert 1000+ lines :)19:18
morgantagged at the same point as 2.x.x was19:18
bknudsonI'm pretty sure we'll revert it. Since even smaller changes have been reverted.19:18
morganpre 3.0.0 release19:18
morganstevemar: ask sdague19:19
morganstevemar: before doing it19:19
morganand mtreinish19:19
stevemarbknudson: right? we can't seem to ship a new ksc without reverting something19:19
dolphmmorgan: it'll work great for single threaded AIO's, and the more threads and processes and nodes you add, the more 401's you'll get and the more lines you'll get in your log files about how you forgot to actually configure fernet. it's like a self-scaling misconfiguration warning system19:19
* dolphm goes to write the release notes19:19
morgandolphm: i.. i.. you brilliant person you19:20
morgandolphm: anyway so short term: devstack turns fernet on by default, we work out details around the keys (even if it is stupid amounts of documentation)?19:20
morganand then look at killing uuid as the default in keystone once we've addressed that?19:21
dolphmmorgan: ++19:21
morganlbragstad, bknudson: ^19:21
*** raginbajin has joined #openstack-keystone19:21
morganand we can look at all the options *including* db stored keys19:21
dolphmwhat does keystone do now if you configure it for fernet but fernet-keys/ doesn't exist? it just throws warnings, or does it actually fail to start?19:21
lbragstadso the discussion about keys in the database isn't concluded yet19:21
bknudsonupdate the commit message for
patchbotbknudson: patch 195780 - openstack-dev/devstack - Switch fernet to be the default token provider19:21
morgandolphm: 50019:21
dolphmmorgan: maybe have it fail to start instead?19:22
lbragstadyeah - keystone throws a fit because there isn't any keys19:22
morgandolphm: perhaps.19:22
morgandolphm: worth going over the options.19:22
bknudsonalso we should add a job (or change the existing uwsgi job) to use uuid19:22
morgani am definitely against creating keys on disk (calling keystone-manage from within the running keystone process)19:22
dolphmmorgan: agree19:23
dolphmmorgan: but how else can we share keys across processes? throw them in the cache?19:23
morganbknudson: probably a good initial thing, but if we collapse validation of uuid down to the same data as what is held in fernet, so the validation path is the same just the difference is "look up in db, vs decrypt" i think we can safely avoid that need19:23
morgandolphm: possibly?19:23
dolphmmorgan: dogpile get or create fernet key19:23
morgandolphm: or make keystone not start - also valid19:24
morganjust a very clear way to force folks to do the right thing.19:24
lbragstadi think ^ that's a good starting point19:24
morganthough i bet we will need to have the keys shared in the db.19:24
dolphmmorgan: what if, and hear me out, we have a default fernet encryption key. that's it. that's the end of my idea. (sorry)19:24
morganthe operators are going to flip if they *have* to do their own synchronization.19:24
morganwith no other options when uuid just fell out of the box working19:25
morgans/shared in the db/shared automatically19:25
lbragstadit would be default so it wouldn't need to be shared because it's shared by config?19:25
morgandolphm: LOL. can we make it super low entropy too?19:25
dolphmmorgan: all zeroes, yo19:25
morgandolphm: PERFECT19:25
morganok so i think we do this:19:26
morgan1. Devstack defaults to fernet19:26
dolphmand then we can all get default fernet key tattoos in austin19:26
morgan2. keystone fixes validation so uuid validation and fernet validation are the same thing19:26
morgan3. we do what dolph just said19:26
morgan4. we profit19:26
lbragstadi think i missed something19:26
morganbasically if we make uuid tokens store exactly the same data as a fernet token would19:27
bknudsonlbragstad: we're all getting tattoos19:27
morganjust with a .query() instead of .decrypt()19:27
lbragstadbknudson oooooo got - makes sense +219:27
morganwe can all get tattoos19:27
morganno no thats not it.19:27
lbragstadi'm gonna get "fernet yo" across my knuckles19:28
morganlbragstad: you need a couple more characters19:28
bknudsonso one just has FERN?19:28
morganbknudson: LOL19:28
morganlbragstad: do we have a bug to make fernet and uuid validate the same way?19:29
lbragstadmorgan somewhere? ayoung ?19:29
morganor... should that be a ... spec?19:29
* morgan shudders.19:29
bknudsonput smiley faces on the pinkies19:29
lbragstadi thought ayoung had something open for that?19:29
morganlbragstad: so.. i think i have a short(er) way of us getting there fwiw19:29
morganlbragstad: but it involves a migration of the token table *sigh*19:30
*** gagehugo has joined #openstack-keystone19:30
morganbasically make a new token table that just is <id>, <data that would go in fernet token>19:30
morganand then just pass it through the fernet validator19:31
*** ninag has joined #openstack-keystone19:31
*** ninag has quit IRC19:31
morganthe only difference is encrypt/fernetify or not.19:31
* morgan goes back to lurking... clearly talking crazy19:31
lbragstadhmm - technically we could get that today but if we got rid of push everything in to the token table in token create19:32
*** timcline has joined #openstack-keystone19:33
* lbragstad we essentially need to fix this -
*** timcline has quit IRC19:33
*** timcline has joined #openstack-keystone19:33
morganharlowja: here is the climb you should do:
harlowjaya, eventually :-P19:34
harlowjaand/or someday, lol19:34
morganEL Cap!19:34
morganthe nose!19:34
morganoh holy crap, i didn't realize it was just 2015 when they did the first free climb of el cap. sweet19:35
harlowjawell that was a certain route19:35
harlowjaya, also one of the hardest routes :-P19:35
morgani know it usually is like A319:35
morganor sketchier19:35
dolphmf = fernet.Fernet(base64.b64encode(chr(False) * 32))  # i hereby propose the default fernet key19:37
dolphm>>> base64.b64encode(chr(False) * 32)19:37
dolphm>>> chr(False) * 3219:38
dolphmi call it the null key19:39
morgandolphm: LOL19:39
harlowjaya, don't fuck up19:42
harlowjathat's what i'm gonna name a route someday19:42
morganharlowja: best route names: Who want's to know19:42
morganharlowja: and "what's it to ya"19:42
harlowjai guess swear words aren't ok ?19:43
bknudsondolphm: might want to rot13-encrypt that.19:43
morganharlowja: i think there are some fantastic innuendos19:44
morganharlowja: why go vulgar when you can imply it all19:44
harlowjafair enough19:44
*** e0ne has joined #openstack-keystone19:52
*** arunkant_ has quit IRC19:54
*** arunkant has joined #openstack-keystone19:55
*** lhcheng has quit IRC20:02
*** ninag has joined #openstack-keystone20:03
*** alex_xu has quit IRC20:04
openstackgerritSamuel de Medeiros Queiroz proposed openstack/python-keystoneclient: Improve docs for v3 users
*** alex_xu has joined #openstack-keystone20:06
*** navidp has quit IRC20:06
*** sdake has quit IRC20:07
*** ninag has quit IRC20:08
*** e0ne has quit IRC20:08
*** ninag has joined #openstack-keystone20:09
*** ninag has quit IRC20:09
*** ninag has joined #openstack-keystone20:10
*** henrynash has joined #openstack-keystone20:10
*** ChanServ sets mode: +v henrynash20:10
*** ninag has quit IRC20:11
*** ninag has joined #openstack-keystone20:11
*** ninag has quit IRC20:13
openstackgerritRodrigo Duarte proposed openstack/keystone: Add mapping rules integration tests
*** navidp has joined #openstack-keystone20:16
*** maxabidi has joined #openstack-keystone20:17
dstanekdolphm: did you look into the release issue at all?20:20
dolphmdstanek: babel's release?20:21
dstanekdolphm: yeah20:21
dstanekfor the stables20:21
stevemardstanek: dolphm reported that it was affected20:22
dolphmdstanek: yes - i backported dims patch, which fixed py27 tox builds20:22
dolphmstevemar: i meant to ask, how can i reproduce the requirements build failure without waiting on jenkins?20:22
dolphmstevemar: i know you're correct that it's going to fail, but i have no idea how to run it offline20:23
dstanekdolphm: nice20:23
stevemardolphm: hmm, not sure... i depend on jenkins for that..20:23
dimsdolphm : stevemar : we'll cleanup babel from oslo.* - soon-ish20:23
dolphmstevemar: i always have, too. i'll just upload a new patch20:23
stevemardolphm: just backout your change to reqs.txt.20:23
*** ninag has joined #openstack-keystone20:24
dolphmdims: worth merging your fix to stable/* in the mean time?20:24
stevemardims: nice, we should still fix our stable branches to respect UC anyway20:24
dstanekdolphm: stevemar: can you just manually install the versions you want to test against?20:24
dimsstevemar : true.20:24
stevemardstanek: it's a job that is run that checks the requirements, not sure where it comes from, somewhere from infra land20:25
dimsdolphm : probably yes20:25
dstanekstevemar: ah, i see20:25
dolphmstevemar: i'm running tox -r -e py27 with global reqs compatible babel lines20:25
dolphmstevemar: on both branches20:25
dolphmstevemar: but i think we need to update global requirements instead20:28
dolphmrodrigods: emacs20:28
rodrigods^ always the wrong window20:28
*** rderose has quit IRC20:28
rodrigodsdolphm, lol20:28
*** rderose has joined #openstack-keystone20:28
dstanekrodrigods: at least we know that you're using the correct editor20:30
lbragstadi used visudo on a base 14.04 install yesterday and it put me in nano..20:31
lbragstadI seg fault'd20:31
*** lhcheng has joined #openstack-keystone20:31
*** ChanServ sets mode: +v lhcheng20:31
dolphmEDITOR=vi visudo ?20:31
lbragstadi kept :wq, :wq, :wq! and it wouldn't do anything20:31
rodrigodsctrl + x, right?20:31
lbragstaddolphm yes - that was my solution20:32
*** ninag has quit IRC20:33
*** BigWillie has quit IRC20:34
dolphmlbragstad: i learned vi because i got dropped into it by default. i don't know emacs because i've never been on a system wacky enough to use it by default20:35
rodrigodsi don't like the combos20:36
rodrigodstoo many keys pressed at the same time20:36
*** e0ne has joined #openstack-keystone20:38
dolphmha, i totally forgot about those20:39
dstaneki tried using emacs when i first started using linux. the book i read said to use Meta-X and since i didn't know what Meta was i used ^Z; kill %1 and started the journey with vim20:47
bknudsonI haven't found the undo key for vi so I gave up on it.20:49
lbragstadbknudson are you still rockin eclipse?20:50
bknudsonI've been using atom for a few weeks now.20:50
*** e0ne has quit IRC20:50
bknudsonalthough maybe I'll switch back to eclipse... it does make jumping around files easier most of the time.20:51
lbragstadbknudson I've never used atom20:52
*** ninag has joined #openstack-keystone20:52
*** ninag has quit IRC20:56
*** fawadkhaliq has joined #openstack-keystone20:57
topollbragstad, bknudson I just started using atom.  I like it20:58
openstackgerritRodrigo Duarte proposed openstack/keystone: Add identity providers integration tests
openstackgerritRodrigo Duarte proposed openstack/keystone: Add mapping rules integration tests
openstackgerritRodrigo Duarte proposed openstack/keystone: Add service providers integration tests
bknudsonit took a little while to get the config the way I wanted.20:59
rodrigodsdstanek, bknudson ^20:59
bknudsonuntil the gate's running I don't think we should add more tests.20:59
*** sdake has joined #openstack-keystone21:00
rodrigodsbknudson, i agree, but i want a feedback regarding the organization and so on...21:02
rodrigodsif possible, of course21:02
*** BjoernT has quit IRC21:03
*** raildo is now known as raildo-afk21:05
*** ametts has quit IRC21:08
*** gagehugo has quit IRC21:10
*** spzala has quit IRC21:14
*** gyee has quit IRC21:17
*** ametts has joined #openstack-keystone21:17
*** trown is now known as trown|outtypewww21:18
openstackgerritNavid Pustchi proposed openstack/keystoneauth: Removing tox ignore D400.
*** mylu has joined #openstack-keystone21:22
*** mylu has quit IRC21:24
*** mylu has joined #openstack-keystone21:25
*** navidp has quit IRC21:28
dstanekrodrigods: nice. i'll take a look at those after dinner21:28
rodrigodsthanks dstanek21:28
*** timcline has quit IRC21:29
*** edtubill has quit IRC21:29
*** nkinder_ has quit IRC21:29
*** zqfan has quit IRC21:32
*** pauloewerton has quit IRC21:33
*** spzala has joined #openstack-keystone21:36
*** spzala has quit IRC21:36
*** spzala has joined #openstack-keystone21:36
*** nkinder_ has joined #openstack-keystone21:41
*** gyee has joined #openstack-keystone21:43
*** ChanServ sets mode: +v gyee21:43
*** edtubill has joined #openstack-keystone21:46
*** real56 has quit IRC21:47
*** aimeeU has quit IRC21:48
*** wasmum has quit IRC21:48
stevemartopol: oh hey! you're alive!21:49
*** BjoernT has joined #openstack-keystone21:51
*** sdake has quit IRC21:51
topolhi stevemar21:52
topolstevemar whatsup21:53
topolstevemar I was busy reading some email where a beloved client disappeared :-)21:54
*** timcline has joined #openstack-keystone21:54
stevemartopol: that dirt keystone cli, who even needs it21:54
*** mylu has quit IRC21:54
topolstevemar Ha Ha21:54
bknudsonapparently lots of projects need it21:54
*** timcline has quit IRC21:55
topolbknudson, the sobering voice of reason21:55
stevemarbknudson: those projects just don't know whats good for them21:55
bknudsonyes, someone needs to tell people that garbage gets thrown out eventually21:56
bknudsonanother case in point
openstackLaunchpad bug 1571833 in python-keystoneclient "Usage example in the README does not work" [Undecided,New]21:56
bknudsonnobody cares about v2 anymore.21:56
topolbknudson, stevemar are you suggesting a new TV series: Hoarding OpenStack style21:56
bknudsonthat's a good one.21:57
* topol I showed up at grandmas house. I saw puppet scripts and a V2 client in the living room21:57
stevemartopol: there is a lot of that going on, we even have an "attic"21:57
topolstevemar what else is happening21:57
topolstevemar did you need me?21:58
stevemartopol: nothing else, no, just saw you on irc21:58
topolstevemar weird.  perhaps I got disconnected and did not realize it.21:58
topolstevemar I saw bknudson is using atom21:59
topolthats news21:59
bknudsonthere's probably some great atom plugins I'm not using.22:00
*** fawadkhaliq has quit IRC22:00
bknudsonremoving keystone CLI, removing keystone-all... people are going to wonder if there's any code left in keystone.22:00
stevemarbknudson: or the eventlet bit was punted through btw22:01
rodrigodsshould we be able to add a protocol/mapping to a disabled idp?22:01
stevemarrodrigods: theres an argument for yes and no22:02
*** pumaranikar has joined #openstack-keystone22:02
rodrigodscorrect one ^22:02
rodrigodsstevemar, hmm we currently can22:02
stevemarcan we change properties if a project is disabled (like description)?22:02
rodrigodsstevemar, makes sense22:03
rodrigodsi wasn't seeing the protocol/mapping as an idp property22:03
stevemarrodrigods: disabling the idp should just result in not being able to auth via federation22:03
*** phalmos has quit IRC22:04
stevemaryeah, but it's not a usual relationship22:04
rodrigodsstevemar, yeah... we might have several protocols22:04
rodrigodsbut.. makes total sense22:04
rodrigodsit is a property22:04
morgantopol: oh you're alive!22:09
topolmorgan... so I've heard22:11
topolmorgan, stevemar, everyone looking for me to buy them drinks in Austin is happy Im alive22:11
*** gordc has quit IRC22:11
morgantopol: oh so is this on Topol's dime or IBM's? :P22:13
topolmorgan, stevemar its great to be loved22:13
topolmorgan for drinks its irrelevant22:13
morganAwwwwww yessshhhh
patchbotmorgan: patch 249486 - keystone - Remove eventlet support22:13
morganno more eventlet!22:14
stevemarmorgan: :)22:14
stevemarmorgan: it'll land soon enough22:14
*** slberger has left #openstack-keystone22:14
*** ninag has joined #openstack-keystone22:17
topolmorgan, stevemar, wow that brings back memories... It was early 2013 and I remember a heckj telling me how eventlet wasn't the real way to run Keystone but instead to use some poorly documented apache approach22:17
stevemar3 years later and we're finally there!22:18
*** ninag has quit IRC22:19
*** ninag has joined #openstack-keystone22:19
*** dave-mccowan has quit IRC22:19
topolmorgan, stevemar my have things changed22:19
edtubillHi, I was wondering if the keystone client saml federation plugin worked with keystone as the Idp. The plugin looks like it is using basic auth and I see "There is either no auth token in the request or the certificate issuer is not trusted" in the keystone idp log when it is trying to send the idp saml2 authentication request. Can someone help me?22:20
rodrigodsedtubill, we have a specific plugin for k2k case22:20
*** sigmavirus24 is now known as sigmavirus24_awa22:20
rodrigodsedtubill, see
dstanekmorgan: ++ i love that22:21
dstanekmorgan: i'll rebase my flask stuff on top of that22:21
edtubillrodrigods: oh thanks! I was looking at the wrong plugin. I'll take a look.22:21
openstackgerritRodrigo Duarte proposed openstack/keystone: Add identity providers integration tests
openstackgerritRodrigo Duarte proposed openstack/keystone: Add mapping rules integration tests
openstackgerritRodrigo Duarte proposed openstack/keystone: Add service providers integration tests
openstackgerritRodrigo Duarte proposed openstack/keystone: WIP: Protocol testing
*** ayoung has quit IRC22:27
*** markvoelker has quit IRC22:28
*** vgridnev_ has quit IRC22:30
*** csoukup has quit IRC22:33
rodrigodsstevemar, we can add a protocol to an idp using a nonexistent mapping - this seemed wrong at first glance22:36
rodrigodsbut we can add the mapping later? since we define the ID22:36
*** pumaranikar has quit IRC22:37
stevemarrodrigods: that is also correct, it's a matter of enforcing steps22:37
stevemari know i've done that... added a non-existent mapping and then created it later22:38
rodrigodsstevemar, it is bad if we forget to add the mapping id22:38
rodrigodsor mistype it (who knows)22:38
*** pumaranikar has joined #openstack-keystone22:39
rodrigodsshould i create a bug to discuss there?22:39
stevemarrodrigods: sure22:40
openstackLaunchpad bug 1571878 in OpenStack Identity (keystone) "Add protocol to identity provider using nonexistent mapping" [Undecided,New]22:43
*** pumaranikar has quit IRC22:44
*** furface has joined #openstack-keystone22:48
*** neophy has joined #openstack-keystone22:53
*** timcline has joined #openstack-keystone22:53
*** timcline has quit IRC22:53
*** pumaranikar has joined #openstack-keystone22:56
*** wasmum has joined #openstack-keystone22:58
openstackgerritRodrigo Duarte proposed openstack/keystone: Add protocols integration tests
*** doug-fish has quit IRC23:06
*** BjoernT has quit IRC23:14
*** raildo-afk is now known as raildo23:18
*** jaimguer has quit IRC23:20
*** stingaci has quit IRC23:26
*** markvoelker has joined #openstack-keystone23:28
*** stingaci has joined #openstack-keystone23:29
*** markvoelker has quit IRC23:33
*** edtubill has quit IRC23:33
*** pumaranikar has quit IRC23:35
*** BjoernT has joined #openstack-keystone23:51
*** ChanServ sets mode: +o stevemar23:59
