Wednesday, 2016-06-01

[02:13] <openstackgerrit> Ron De Rose proposed openstack/keystone: Config settings to support PCI-DSS  https://review.openstack.org/314679
[02:15] <openstackgerrit> Ron De Rose proposed openstack/keystone: Add password table columns to meet PCI-DSS change password requirements  https://review.openstack.org/314284
[02:15] <openstackgerrit> Ron De Rose proposed openstack/keystone: PCI-DSS Change password requirements  https://review.openstack.org/320156
[02:15] <openstackgerrit> Ron De Rose proposed openstack/keystone: WIP - PCI-DSS Password strength requirements  https://review.openstack.org/320586
[04:02] <stevemar> notmorgan: just reading the meeting minutes now, and i <3 dolphm's solution to the datacentre problem
[04:57] <stevemar> jlk: commented on https://bugs.launchpad.net/keystone/+bug/1555629
[04:57] <openstack> Launchpad bug 1555629 in OpenStack Identity (keystone) "v3/users reports all users in all domains excepts when domain_specific_drivers_enabled is set to true." [Undecided,New]
[09:47] <srushti> sheel: Hi, I want to discuss regarding bug 1586031.
[09:47] <openstack> bug 1545736 in OpenStack Identity (keystone) "duplicate for #1586031 keystone role create failed when 4 byte unicode character is provided in name field" [Wishlist,Triaged] https://launchpad.net/bugs/1545736 - Assigned to Sheel Rana (ranasheel2000)
[09:47] <sheel> srushti: yes tell me
[09:49] <srushti> Are you working to implement the specs for unicode support in MySQL?
[09:50] <sheel> I have one spec for cross component
[09:51] <sheel> which is still in discussion
[09:51] <sheel> you can refer same here: https://review.openstack.org/#/c/280371/
[09:51] <patchbot> sheel: patch 280371 - openstack-specs - Support for 4-byte unicode characters in MySQL
[09:54] <srushti> Yes I have gone through the specs. It looks good but since it is still in progress and may take some time for implementation.
[09:55] <srushti> sheel: And user may still face issue until it is implemented. Why not fix this issue at keystone-side?
[09:56] <sheel> srushti: yep, it's ok
[09:57] <srushti> sheel: I have already fixed this issue and the patch is ready. Should I push it for community review?
[09:58] <sheel> srushti: yep, great.. please go ahead
[09:58] <sheel> I will be happy to review it..
[09:58] <srushti> sheel: Yes sure. Thank you.
[09:58] <sheel> srushti: np
[10:15] <rmizuno> Hi, I have a question.
[10:16] <rmizuno> In my understanding, reseller phase 2 will be implemented of the hierarchy of the projects acting as domain.
[10:16] <rmizuno> Will it be realized in newton?
[10:18] <henrynash_> rmizuno: no, I doubt it
[10:20] <henrynash_> rmizuno: …and the reason is that in order to really do it securely, we need a few other things to drop into place, e.g. making sure that admin is scoped properly across all the services, and other things like https://review.openstack.org/#/c/310048
[10:25] <openstackgerrit> Mikhail Nikolaenko proposed openstack/keystone: Added app for policy enforcement  https://review.openstack.org/317529
[10:28] <rmizuno> I see. Is the implementation postponed after ocata?
[10:55] <openstackgerrit> Mikhail Nikolaenko proposed openstack/keystone-specs: Alternative policy enforcement  https://review.openstack.org/323791
[12:05] <openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystonemiddleware: Support local config options  https://review.openstack.org/321882
[12:19] <samueldmq> raildo: hi, see my comment in patch 254436
[12:19] <patchbot> samueldmq: https://review.openstack.org/#/c/254436/ - keystone - Adding role assignment lists unit tests
[12:20] <samueldmq> raildo: feel free to pick that up and submit the test for the negative case
[12:40] <samueldmq> stevemar: morning, about patch 322086, could you take a look at my comments, especially the one about keystone.conf.sample being copied as it is (rather than as keystone.conf)
[12:40] <patchbot> samueldmq: https://review.openstack.org/#/c/322086/ - keystone - Simplify & fix configuration file copy in setup.cfg
[13:23] <rderose> stevemar rodrigods lbragstad henrynash dstanek For shadowing LDAP users, I decided to break this up into two patches, one for the refactoring I was doing and the other for the new functionality.  Unfortunately, I was having trouble doing this with git and ended up just having to abandon the old patch and create new ones:
[13:23] <rderose> https://review.openstack.org/#/c/323602/
[13:23] <rderose> I apologize for the inconvenience.  I believe I've responded to all of your comments, however let me know if you have any questions.
[13:23] <patchbot> rderose: patch 323602 - keystone - Shadow LDAP and custom driver users
[13:28] <rodrigods> rderose, sure... will take a look tonight
[13:29] <rderose> rodrigods: cool, thx
[14:02] <knikolla> morning! o/
[14:13] <lbragstad> o/
[14:28] <andreaf> Hi - I have an issue with v3 credentials when used to get tokens from a v2 endpoint - someone familiar with that that could help me?
[14:29] <andreaf> Using v3 pre-provisioned creds in a v2 run breaks a number of x-user tests in tempest, such as create server with one user and delete it with another one, which succeeds but it's not supposed to - the same test works fine when executed pure v2 or pure v3
[14:29] <andreaf> but I don't understand why - so I'm looking for any hint that might help
[14:54] <stevemar> samueldmq: for https://review.openstack.org/#/c/322086/3/setup.cfg are you referring to the logging and v3cloud policy being copied over?
[14:54] <patchbot> stevemar: patch 322086 - keystone - Simplify & fix configuration file copy in setup.cfg
[15:03] <samueldmq> stevemar: yes, and also keystone.conf.sample was copied as keystone.conf
[15:04] <samueldmq> stevemar: but with that patch it will be copied to /etc/keystone.conf.sample ; and consequently keystone server won't find /etc/keystone.conf
[15:04] <raildo> samueldmq: hey, sorry, I was afk. sure I'll do that :)
[15:04] <samueldmq> raildo: sure, np; thanks
[15:18] <stevemar> samueldmq: alright, want to revert the suggestions to the previous patch set?
[15:18] <stevemar> looks like i was out voted on this one
[15:18] <notmorgan> stevemar: what were you out voted on?
[15:19] <stevemar> notmorgan: https://review.openstack.org/#/c/322086/3
[15:19] <patchbot> stevemar: patch 322086 - keystone - Simplify & fix configuration file copy in setup.cfg
[15:33] <permalac> hello guys.
[15:34] <permalac> I have the admin and swift password of a keystone I have to use to federate, but I do not know the tenantID.
[15:34] <permalac> is there any way to get the tenantID with just this?
[15:39] <samueldmq> stevemar: no worries. overall I don't think there is too much we can do in that patch
[15:40] <samueldmq> stevemar: even the 1st patchset was removing the rename, which is necessary
[15:40] <samueldmq> notmorgan: have you looked at it? what do you think?
[15:40] <jlk> stevemar: thanks, I responded.
[15:40] <notmorgan> samueldmq: no i have not yet
[15:42] <samueldmq> stevemar: so the big issue was not with your suggestion (include * in etc/keystone), but what the patch does since the beginning :)
[15:42] <edmondsw> is there a way to tell the GET /v3/users API to return the response in pages of a given size, rather than all in one response?
[15:44] <notmorgan> edmondsw: pagination is a real issue with things backed to ldap
[15:44] <notmorgan> basically, no not reliably especially if you use ldap because ldap is weird
[15:44] <edmondsw> :(
[15:44] <notmorgan> the answer is "use filtering"
[15:44] <edmondsw> it's LDAP that I was thinking about
[15:45] <edmondsw> notmorgan what filtering? you mean in the conf?
[15:45] <edmondsw> group and user filter in the conf?
[15:45] <notmorgan> the issue is ldap queries are different order every time and you have to maintain an active cursor to go to the next page
[15:45] <notmorgan> it isn't strictly ordered like sql can be
[15:45] <edmondsw> yeah
[15:45] <notmorgan> filtering on the query itself to users
[15:46] <edmondsw> notmorgan doesn't look like much filtering is supported there... just a) domain, b) username, c) enabled
[15:46] <edmondsw> or is the api documentation out of date there?
[15:46] <notmorgan> there are some query strings
[15:46] <notmorgan> but i need to get off the phone to really look
[15:47] <notmorgan> hard to do on this tiny screen
[15:47] <notmorgan> edmondsw: henrynash_ might know more off the top of his head
[15:48] <notmorgan> edmondsw: but in short pagination ux is hard to do right. we might have more luck once the rest of shadow users lands
[15:49] <henrynash> what's the question?
[15:49] <edmondsw> tx
[15:50] <edmondsw> henrynash talking about filtering users... the API docs only say you can filter GET /v3/users by a) domain, b) username, c) enabled... are there more options?
[15:50] <edmondsw> henrynash or other ways to limit response sizes when you've got a lot of users in LDAP
[15:50] <edmondsw> e.g. set user and group filter in conf
[15:51] <edmondsw> and I see a list_limit conf setting that I haven't played with... looks like that will cause the list to be truncated if it goes over?
[15:51] <henrynash> edmondsw: yes, you can limit the number of entries being returned
[15:52] <notmorgan> but that is just truncating
[15:52] <edmondsw> henrynash how? with list_limit conf setting, or is there an API query param?
[15:52] <henrynash> notmorgan: yes
[15:52] <henrynash> edmondsw: I *think* it's just a config limit
[15:52] <notmorgan> henrynash: it is
[15:53] <notmorgan> the filtering qs is i think what edmondsw is looking for
[15:53] <edmondsw> is there any indication in the API response that it was truncated?
[15:53] <henrynash> edmondsw: yes, there is a “truncated” flag added to the collection
[15:53] <edmondsw> ok, tx for the info
[15:54] <knikolla> stevemar: thanks for reviewing the devstack plugin. :)
[16:07] <openstackgerrit> Kristi Nikolla proposed openstack/keystone: Devstack plugin for Federation  https://review.openstack.org/320623
[16:25] <openstackgerrit> Ron De Rose proposed openstack/keystone: Config settings to support PCI-DSS  https://review.openstack.org/314679
[16:26] <nisha_> hey all!
[16:27] <openstackgerrit> Ron De Rose proposed openstack/keystone: Config settings to support PCI-DSS  https://review.openstack.org/314679
[16:29] <KevinE> I've got a question. For things like rally testing, there are all of the tests organized by keystone/authenticate/neutron etc. How do I make the call that I want to add a category (what are those called? Services?) and then put some tests in it
[16:38] <openstackgerrit> Ron De Rose proposed openstack/keystone: Config settings to support PCI-DSS  https://review.openstack.org/314679
[17:03] <openstackgerrit> Ron De Rose proposed openstack/keystone: Config settings to support PCI-DSS  https://review.openstack.org/314679
[17:07] <amakarov> rderose, you must be hating me already, sorry for that :)
[17:08] <rderose> amakarov: no, not at all.  I like improving things :)
[17:09] <amakarov> rderose, I'm writing a patch based on this one right now :)
[17:09] <openstackgerrit> Ron De Rose proposed openstack/keystone: Config settings to support PCI-DSS  https://review.openstack.org/314679
[17:10] <rderose> amakarov: ah, nice :)
[17:10] <rderose> amakarov: just set the default to 1800 seconds
[17:11] <amakarov> rderose, great! +1 and I'll rebase on it in minutes!
[17:11] <rderose> amakarov: do you know if anyone is working on that keystone-coverage-db error?
[17:12] <amakarov> rderose, no. wondering that too :)
[17:12] <rderose> amakarov: okay :)
[17:16] <openstackgerrit> Alexander Makarov proposed openstack/keystone: WIP/DNM Add failed auth attempts logic to meet PCI-DSS  https://review.openstack.org/324029
[17:17] <openstackgerrit> Alexander Makarov proposed openstack/keystone: WIP/DNM Add failed auth attempts logic to meet PCI-DSS  https://review.openstack.org/324029
[17:17] <amakarov> rderose, a draft for failed attempts ^
[17:18] <amakarov> can you please review and comment on the concept?
[17:18] <rderose> amakarov: sure.  in the middle of something now, but will look at this soon.
[17:18] <rderose> amakarov: and thank you for helping out with this
[17:20] <amakarov> rderose, It'll be really good to know I'm doing that in right place :) I'm introducing a new manager & driver there...
[17:21] <rderose> amakarov: okay.  do we really need a driver for this?  I mean, do we really see clients creating their own custom driver for auto lockout?
[17:21] <rderose> amakarov: I don't think so
[17:21] <rderose> amakarov: I think this should be like a library and only implemented in sql
[17:24] <rderose> amakarov: so you need a backend, I just don't think it needs to be implemented in a way that allows a custom driver.
[17:25] <rderose> amakarov: anyway, I'll take a closer look later and give you feedback.
[17:50] <openstackgerrit> Merged openstack/keystoneauth: Updated from global requirements  https://review.openstack.org/323893
[17:56] <knikolla> rderose: quick question off the top of my head. account disabling when a password expires applies to the admin too?
[17:58] <rderose> knikolla: yes, it would apply to admins
[18:00] <knikolla> rderose: so there exists a specific case where database surgery is required to unlock admins.
[18:00] <knikolla> rderose: in the case where no admin can do the unlocking.
[18:01] <knikolla> rderose: this was just a random thought.
[18:01] <bknudson> you could unlock the admin user but they'd just get locked again by the attacker
[18:03] <rderose> knikolla: database surgery :)  hmm...  another admin would have to change the password.  or, if all admin passwords were expired, then yeah, they would have to either change the password created_at date directly in the database
[18:03] <rderose> knikolla: or disable the password expires feature
[18:05] <knikolla> rderose: do you think it's worth handling this case with a keystone-manage command? i don't have any strong opinions
[18:06] <rderose> knikolla bknudson: sorry, I thought you were talking about user failing auth due to passwords expiring
[18:08] <rderose> knikolla bknudson: we could add a feature to allow an admin to unlock a user, this might require a new API
[18:09] <rderose> knikolla: maybe...
[18:10] <rderose> knikolla: amakarov is working on this feature: #link https://review.openstack.org/#/c/324029/
[18:10] <patchbot> rderose: patch 324029 - keystone - WIP/DNM Add failed auth attempts logic to meet PCI...
[18:11] <rderose> knikolla: but it's good point, we'll need a way for admins to unlock users
[18:13] <knikolla> rderose: i'm not sure of any implementation that would prevent abuse of the lockout feature on failed attempts (as bknudson said). so i was talking about expiring password which seems a more solvable issue. :P
[18:14] <rderose> knikolla: :)
[18:17] <rderose> knikolla: so yeah, if all admin passwords were expired, they could disable the password expires feature or hack into the db
[18:18] <rderose> knikolla: not a very eloquent way of dealing with it; open to suggestions :)
[18:22] <knikolla> rderose: suggestions range from: one sentence in the docs about this case and encouraging people to change admin passwords (even service account for orchestration engines), to a keystone-manage cli command to reset the date or set a new password for an account.
[18:24] <rderose> knikolla: I like the keystone-manage cli idea
[18:25] <rderose> knikolla: I think we do want service account passwords to expire for some use cases, but we may want an option to filter these out so that service account passwords don't expire
[18:28] <knikolla> rderose: i think i'm against filtering.
[18:29] <rderose> knikolla: why?
[18:29] <rderose> knikolla: service accounts don't expire today
[18:30] <openstackgerrit> Merged openstack/oslo.policy: Updated from global requirements  https://review.openstack.org/323909
[18:32] <knikolla> rderose: sorry, i forgot to clarify. by service accounts i meant puppet, ansible and credentials people may use in their orchestration engines. i agree that nova/cinder/etc. shouldn't require enforcing.
[18:32] <rderose> knikolla: I see
[18:33] <knikolla> rderose: how will we identify the accounts which don't require enforcing? I don't think there is anything that sets them apart today?
[18:34] <stevemar> rderose: i'm wondering if we should have a list of user ids that aren't subject to compliance?
[18:34] <stevemar> rderose: random thought while i was out for a walk
[18:34] <knikolla> stevemar: that's what i was thinking too.
[18:35] <stevemar> knikolla: it's not a pretty solution, but it'll work
[18:35] <rderose> knikolla stevemar: currently, we don't have a way to set them apart.  a list of user ids would be an option because you could add your service accounts, as well as specific admin accounts
[18:36] <openstackgerrit> Merged openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/323917
[18:36] <rderose> knikolla stevemar: let me give it some thought, but I kind of like it :)
[18:37] <knikolla> stevemar: it's actually quite elegant. it's explicit and requires no other assumptions.
[18:40] <openstackgerrit> Dolph Mathews proposed openstack/keystone-specs: Mapping shadow users into projects and roles  https://review.openstack.org/324055
[18:40] <knikolla> will be impossible to prepopulate though, as the id will be different across installations.
[18:40] <knikolla> so will require some kind of script
[18:43] <lbragstad> rderose amakarov see dolphm's spec ^
[18:44] <lbragstad> amakarov that is the spec dolphm owes you from yesterday's meeting :)
*** mvk_ has joined #openstack-keystone18:44
rderoselbragstad: ++18:44
*** lucas__ has quit IRC18:46
*** lucas__ has joined #openstack-keystone18:47
*** mvk has quit IRC18:48
*** lucas__ has quit IRC18:48
*** mvk has joined #openstack-keystone18:48
*** mvk_ has quit IRC18:48
*** lucas__ has joined #openstack-keystone18:50
*** timcline has quit IRC18:51
*** lucas__ has quit IRC18:51
lhchengexit18:51
*** lucas__ has joined #openstack-keystone18:51
lhchengsorry, wrong window :)18:51
*** timcline has joined #openstack-keystone18:51
*** mvk_ has joined #openstack-keystone18:52
*** lucas__ has quit IRC18:55
*** timcline has quit IRC18:56
*** mvk has quit IRC18:56
*** lucas__ has joined #openstack-keystone18:59
*** tqtran has quit IRC19:00
*** tonytan4ever has quit IRC19:00
*** tqtran has joined #openstack-keystone19:00
*** diazjf has quit IRC19:02
*** ebalduf_ has joined #openstack-keystone19:03
*** diazjf has joined #openstack-keystone19:03
*** lucas__ has quit IRC19:04
KevinEagrebennikov: hello!19:04
agrebennikovhi there19:04
KevinEI'm getting an error in the formatting of this Json but I don't know enough to fix it. Can anyone take a look it's small http://pastebin.com/RCqXuCq319:06
bknudsonKevinE: https://jsonformatter.curiousconcept.com/ might hlep19:07
bknudsonhelp19:07
*** timcline has joined #openstack-keystone19:07
KevinEYeah I can see where the error is, between the true and the }, but I just don't know what it wants me to do to fix it19:08
bknudsonKevinE: remove the trailing ,19:08
KevinEoh okay easy, thanks! Also is there any difference between True and true?19:09
bknudsonKevinE: here's the spec for JSON: http://www.json.org/19:09
bknudsonTrue is not valid JSON19:09
KevinEbknudson: great thanks for your help19:10
*** lucas__ has joined #openstack-keystone19:13
*** spzala has joined #openstack-keystone19:17
*** clenimar has joined #openstack-keystone19:17
*** jaugustine has joined #openstack-keystone19:26
*** permalac has quit IRC19:30
*** zqfan has quit IRC19:33
openstackgerritSteve Martinelli proposed openstack/keystone: Simplify & fix configuration file copy in setup.cfg  https://review.openstack.org/32208619:33
lbragstadrderose around?19:34
rderoselbragstad: yeah, what's up19:34
lbragstadquick question on https://review.openstack.org/#/c/284943/4519:35
patchbotlbragstad: patch 284943 - keystone - Concrete role assignments for federated users19:35
lbragstadwe previously supported the ability to use groups for role assignment for federated users19:35
lbragstadwe are going to deprecate that in favor of always having concrete role assignments on shadowed users, right?19:36
rderoselbragstad: no, we'll support both, but relax the requirement that a federated user has to be mapped to a group19:37
dolphmlbragstad: why would we need to deprecate it?19:38
lbragstadI was hoping to get rid of https://github.com/openstack/keystone/blob/c90c525aacfb8a46677673d735a1dfec3f9e9c20/keystone/token/providers/fernet/core.py#L84-L13719:38
lbragstadbut if we are going to support role assignment via groups moving forward - then those methods will have to remain in place in order for Fernet to fill that requirement19:39
lbragstadwhich is fine - it was just something I thought about as i was reviewing rderose's patch19:39
notmorganlbragstad: or dolphm ping (testing something in my irc setup)19:39
dolphmnotmorgan: pong19:39
lbragstadnotmorgan pong19:39
lbragstado/19:39
openstackgerritDolph Mathews proposed openstack/keystone-specs: Mapping shadow users into projects and roles  https://review.openstack.org/32405519:40
notmorganhmm ok bell isnt working. will fix soon19:40
rderoselbragstad: we'll drop support for "federated" tokens19:40
notmorganbut for android users: juicessh (mosh protocol) + tmux + weechat, is pretty good19:40
lbragstadrderose hmmmm in order for fernet tokens to work for groups and federation the group ids need to be packed into the fernet payload19:41
rderoselbragstad: I didn't say it was going to be easy :)19:42
lbragstadrderose hah i was looking for easy19:42
rderoselbragstad: yeah, I don't know the impact yet, but that is part of the spec to drop support for federated tokens19:42
lbragstadas in not support group membership :)19:42
*** lucas__ has quit IRC19:45
rderoselbragstad: as in removing the group ids from the unscoped token19:45
*** sheel has quit IRC19:45
lbragstadrderose ah - i see what you mean19:46
*** dave-mccowan has quit IRC19:46
lbragstadrderose i'm thinking about removing the Federated payload from the Fernet provider (i.e. getting rid of the fernet token bloat problem)19:46
lbragstadrderose what's the reason for this guy being WIP? https://review.openstack.org/#/c/296639/19:48
patchbotlbragstad: patch 296639 - keystone - WIP - Drop EPHEMERAL user type19:48
*** lucas__ has joined #openstack-keystone19:48
lbragstadis it waiting for other changes to land first?19:48
rderoselbragstad: I started this, but then did sort of reset as it was changing the API.  So I'm sort of backtracking and thinking that this will be some refactoring; trying to get to treating federated users like any other user19:50
rderoselbragstad: but been caught up in the PCI stuff19:50
rderoselbragstad: no, it's not dependent on any other patches19:51
lbragstadrderose gotcha19:51
rderoselbragstad: this one is ready :) #link https://review.openstack.org/#/c/320156/19:53
patchbotrderose: patch 320156 - keystone - PCI-DSS Change password requirements19:53
lbragstadrderose sweet - it's on deck19:53
lbragstadi'll review it next19:53
rderoselbragstad: cool19:53
openstackgerritRon De Rose proposed openstack/keystone-specs: Drop Support for Driver Versioning  https://review.openstack.org/32408119:57
openstackgerritRon De Rose proposed openstack/keystone-specs: Drop Support for Driver Versioning  https://review.openstack.org/32408120:00
*** dave-mccowan has joined #openstack-keystone20:04
*** david-lyle has joined #openstack-keystone20:05
SamYapleare subdomains implemented in keystone? I thought they were but this code disagrees... https://github.com/openstack/keystone/blob/master/keystone/resource/core.py#L107-11020:06
*** joaotargino has joined #openstack-keystone20:07
openstackgerritRon De Rose proposed openstack/keystone-specs: Drop Support for Driver Versioning  https://review.openstack.org/32408120:09
*** diazjf has quit IRC20:10
*** diazjf has joined #openstack-keystone20:10
*** joaotargino has quit IRC20:11
*** joaotargino has joined #openstack-keystone20:12
*** lucas__ has quit IRC20:24
*** roxanaghe has quit IRC20:26
*** roxanaghe has joined #openstack-keystone20:26
*** pushkaru has joined #openstack-keystone20:28
*** tonytan4ever has joined #openstack-keystone20:34
dolphmbefore i go dig too deep, anyone know if keystoneclient / keystoneauth request content compression (like accept-encoding: gzip) in requests to keystone?20:37
*** spzala has quit IRC20:43
*** sdake has quit IRC20:49
*** david-lyle has quit IRC20:51
*** iurygregory has quit IRC20:51
*** neophy has quit IRC20:52
openstackgerritwerner mendizabal proposed openstack/keystone: Support encryption of credentials in Keystone  https://review.openstack.org/31716920:53
*** neophy has joined #openstack-keystone20:53
openstackgerritRon De Rose proposed openstack/keystone-specs: Drop Support for Driver Versioning  https://review.openstack.org/32408120:53
*** ayoung has quit IRC20:55
openstackgerritRoxana Gherle proposed openstack/keystone: Return 404 instead of 401 for tokens w/o roles  https://review.openstack.org/32228020:59
*** julim has quit IRC21:00
openstackgerritRoxana Gherle proposed openstack/keystone: Return 404 instead of 401 for tokens w/o roles  https://review.openstack.org/32228021:01
*** david-lyle has joined #openstack-keystone21:01
*** raildo is now known as raildo-afk21:03
*** diazjf has quit IRC21:05
*** neophy has quit IRC21:05
*** diazjf has joined #openstack-keystone21:06
*** jbell8 has quit IRC21:06
henrynashdolphm: hi21:11
*** jaugustine has quit IRC21:12
*** pushkaru has quit IRC21:18
notmorgandolphm: afaik it doesn't support that yet(now).21:24
notmorgandolphm: i'd totally be for adding that21:24
*** jbell8 has joined #openstack-keystone21:31
*** pauloewerton has quit IRC21:32
*** KarthikB has quit IRC21:34
*** KarthikB has joined #openstack-keystone21:37
openstackgerritRon De Rose proposed openstack/keystone-specs: Drop Support for Driver Versioning  https://review.openstack.org/32408121:40
*** KarthikB has quit IRC21:41
stevemarrderose: yay for rm driver versioning!21:44
*** brad_behle has joined #openstack-keystone21:44
rderosestevemar: ++21:44
stevemarrderose: it's become burdensome21:45
rodrigods+100021:45
rderosestevemar: yeah, totally. I just don't like the approach and wonder if it's actually helping anyone21:45
stevemarrderose: yeah, i really question its usefulness *shrugs*21:46
*** edmondsw has quit IRC21:50
*** sdake has joined #openstack-keystone21:50
*** jbell8 has quit IRC21:53
lhchengstevemar: did operators find it not useful? or no feedback at all?21:56
openstackgerritRon De Rose proposed openstack/keystone-specs: Drop Support for Driver Versioning  https://review.openstack.org/32408121:57
*** henrynash has quit IRC21:58
*** sdake_ has joined #openstack-keystone22:01
*** david-lyle has quit IRC22:01
rderoselhcheng: see Dolph's comment #link https://review.openstack.org/#/c/324081/22:01
patchbotrderose: patch 324081 - keystone-specs - Drop Support for Driver Versioning22:01
*** sdake has quit IRC22:03
*** KevinE_ has joined #openstack-keystone22:04
*** KevinE_ has quit IRC22:05
*** JayF has left #openstack-keystone22:08
*** KevinE has quit IRC22:08
*** diazjf has quit IRC22:09
*** ebalduf_ has quit IRC22:10
*** tonytan4ever has quit IRC22:11
*** edtubill has quit IRC22:12
*** KarthikB has joined #openstack-keystone22:15
*** david-lyle has joined #openstack-keystone22:16
*** KarthikB has quit IRC22:18
openstackgerritRon De Rose proposed openstack/keystone-specs: Drop Support for Driver Versioning  https://review.openstack.org/32408122:18
*** KarthikB has joined #openstack-keystone22:19
jamielennoxdolphm: it will default to whatever requests does, but you can pass that through headers if you need it somewhere22:20
*** sdake_ has quit IRC22:21
rderoseamakarov: I didn't get a chance to review your patch today, I'll do it first thing tomorrow morning (San Antonio time that is) :)22:23
lhchengrderose: interesting, thanks!22:27
rderoselhcheng: np22:29
*** ametts has quit IRC22:30
*** sdake has joined #openstack-keystone22:31
*** darrenc is now known as darrenc_afk22:32
*** darrenc_afk is now known as darrenc22:39
*** jbell8 has joined #openstack-keystone22:39
*** jbell8 has quit IRC22:43
*** jbell8 has joined #openstack-keystone22:45
*** timcline has quit IRC22:48
*** timcline has joined #openstack-keystone22:49
*** timcline has quit IRC22:53
*** iurygregory has joined #openstack-keystone23:00
*** KarthikB has quit IRC23:01
*** roxanaghe has quit IRC23:03
*** tqtran has quit IRC23:03
*** roxanaghe has joined #openstack-keystone23:10
*** zqfan has joined #openstack-keystone23:16
notmorganstevemar: it was far more useful/important when we had many folks doing custom drivers23:16
notmorganstevemar: it seems that we have reduced that number by existing longer than the BUs doing custom backend drivers.23:16
notmorganlhcheng: operators *cough* HP *cough* found it useful23:17
lhchengnotmorgan:  lol I have the same *cough* :P23:19
lhchengadded guang in the patch23:19
*** roxanaghe has quit IRC23:25
openstackgerritMerged openstack/keystone: Add .mo files to MANIFEST.in  https://review.openstack.org/31852723:29
*** roxanaghe has joined #openstack-keystone23:33
*** roxanaghe has quit IRC23:33
*** gordc has quit IRC23:33
jamielennoxdidn't we only just do versioned drivers?23:43
bknudsonjamielennox: we've had versioned drivers for a couple of releases23:44
jamielennoxa couple now? ok23:44
notmorganjamielennox: yeah since... kilo?23:45
notmorganjamielennox: i think.23:45
jamielennoxyea, i guess that sounds right, just still felt kind of new to be killing it :)23:46
notmorganjamielennox: well if it isn't providing value *shrug*23:46
jamielennoxoh, yea, if no one wants them scrap it23:47
bknudsonwho was asking for it to begin with?23:47
bknudsonit's part of keystone's interface so seems like it should be stable just like other interfaces23:47
openstackgerritMerged openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/32389423:51
*** afazekas has quit IRC23:52
*** agrebennikov has quit IRC23:53
*** sdake_ has joined #openstack-keystone23:54
*** afazekas has joined #openstack-keystone23:56
stevemarjamielennox: oh, you gonna tag a keystone release?23:57
jamielennoxstevemar: i have had no contact from people on that23:58
jamielennoxwhen's it due?23:58
*** sdake has quit IRC23:58
stevemarjamielennox: it's this week, bunch of other projects have already tagged stuff: https://review.openstack.org/#/q/project:openstack/releases23:58
*** david-lyle has quit IRC23:59
* jamielennox failing like the only job 23:59
stevemarjamielennox: i meant to bug you about that earlier... :P23:59
stevemarhehe23:59
stevemarno worries23:59
