Monday, 2017-01-09

« Sunday, 2017-01-08 Index Tuesday, 2017-01-10 »
*** jlk has quit IRC00:35
*** jamielennox is now known as jamielennox|away00:41
*** jamielennox|away is now known as jamielennox00:58
*** erlon has quit IRC01:12
*** breton has quit IRC01:12
*** med_ has quit IRC01:12
*** kukacz_ has quit IRC01:12
*** delaf has quit IRC01:12
*** comstud has quit IRC01:12
*** kfox1111 has quit IRC01:12
*** mgagne has quit IRC01:12
*** mordred has quit IRC01:12
*** DinaBelova has quit IRC01:12
*** jhesketh has quit IRC01:12
*** dims has quit IRC01:12
*** darrenc has quit IRC01:12
*** Daviey has quit IRC01:12
*** kfox1111 has joined #openstack-keystone01:12
*** kukacz has joined #openstack-keystone01:12
*** breton has joined #openstack-keystone01:12
*** Daviey has joined #openstack-keystone01:12
*** med_ has joined #openstack-keystone01:12
*** delaf has joined #openstack-keystone01:12
*** mordred has joined #openstack-keystone01:12
*** darrenc_ has joined #openstack-keystone01:12
*** comstud has joined #openstack-keystone01:12
*** DinaBelova has joined #openstack-keystone01:12
*** med_ is now known as Guest3422001:13
*** jhesketh has joined #openstack-keystone01:13
*** Guest96631 has joined #openstack-keystone01:13
*** darrenc_ is now known as darrenc01:14
*** dims has joined #openstack-keystone01:14
*** erlon has joined #openstack-keystone01:16
*** liujiong has joined #openstack-keystone01:21
*** briancurtin has quit IRC01:23
*** dhellmann has quit IRC01:23
*** knikolla has quit IRC01:23
*** jistr has quit IRC01:23
*** kamal___ has quit IRC01:23
*** morgan has quit IRC01:23
*** lbragstad has quit IRC01:23
*** zigo has quit IRC01:23
*** antwash has quit IRC01:23
*** jmccrory has quit IRC01:23
*** dstanek has quit IRC01:23
*** chris_hultin|AWA has quit IRC01:23
*** dtroyer has quit IRC01:23
*** melwitt has quit IRC01:23
*** redrobot has quit IRC01:23
*** zigo has joined #openstack-keystone01:23
*** lbragstad_ has joined #openstack-keystone01:23
*** jmccrory_ has joined #openstack-keystone01:23
*** melwitt has joined #openstack-keystone01:23
*** dstanek has joined #openstack-keystone01:24
*** ChanServ sets mode: +v dstanek01:24
*** melwitt is now known as Guest8661901:24
*** antwash has joined #openstack-keystone01:24
*** redrobot has joined #openstack-keystone01:24
*** redrobot is now known as Guest5979201:24
*** jistr has joined #openstack-keystone01:24
*** jmccrory_ is now known as jmccrory01:25
*** dhellmann has joined #openstack-keystone01:25
*** jlk has joined #openstack-keystone01:26
*** jlk has quit IRC01:26
*** jlk has joined #openstack-keystone01:26
*** kamal___ has joined #openstack-keystone01:27
*** dtroyer has joined #openstack-keystone01:28
*** chris_hultin|AWA has joined #openstack-keystone01:28
*** chris_hultin|AWA is now known as chris_hultin01:28
*** briancurtin has joined #openstack-keystone01:28
*** morgan has joined #openstack-keystone01:36
*** thorst has joined #openstack-keystone01:39
*** guoshan has joined #openstack-keystone01:39
*** dtroyer has quit IRC01:43
*** dstanek has quit IRC01:43
*** dstanek has joined #openstack-keystone01:43
*** ChanServ sets mode: +v dstanek01:43
*** thorst has quit IRC01:44
*** dtroyer has joined #openstack-keystone01:45
*** thorst has joined #openstack-keystone01:56
*** nkinder has quit IRC02:05
*** Trident has quit IRC02:08
*** thorst has quit IRC02:09
*** lamt has quit IRC02:14
*** lamt has joined #openstack-keystone02:15
*** hyakuhei has quit IRC02:19
*** hyakuhei has joined #openstack-keystone02:22
*** dave-mccowan has joined #openstack-keystone02:42
*** samueldmq has quit IRC02:42
*** jraim has quit IRC02:42
*** erlon has quit IRC02:42
*** samueldmq has joined #openstack-keystone02:43
*** ChanServ sets mode: +v samueldmq02:43
*** zigo has quit IRC02:43
*** erlon has joined #openstack-keystone02:43
*** sudorandom has quit IRC02:43
*** ayoung has quit IRC02:44
*** ayoung has joined #openstack-keystone02:45
*** ChanServ sets mode: +v ayoung02:45
*** sudorandom has joined #openstack-keystone02:46
*** zigo has joined #openstack-keystone02:48
*** jraim has joined #openstack-keystone02:49
*** edmondsw has joined #openstack-keystone02:53
*** david-lyle has quit IRC02:55
*** edmondsw has quit IRC02:57
*** chris_hultin has quit IRC02:58
openstackgerritSteve Martinelli proposed openstack/keystonemiddleware: Add python-memcached to requirements  https://review.openstack.org/28531503:03
*** dtroyer has quit IRC03:03
*** esp has joined #openstack-keystone03:06
*** dtroyer has joined #openstack-keystone03:06
*** chris_hultin|AWA has joined #openstack-keystone03:06
*** chris_hultin|AWA is now known as chris_hultin03:07
*** nkinder has joined #openstack-keystone03:12
*** esp has quit IRC03:12
*** sudorandom has quit IRC03:16
openstackgerritSteve Martinelli proposed openstack/keystonemiddleware: Add python-memcached to requirements  https://review.openstack.org/28531503:17
*** sudorandom has joined #openstack-keystone03:19
*** Guest86619 is now known as melwitt03:27
*** jdennis has quit IRC03:29
*** nkinder has quit IRC03:49
*** jdennis has joined #openstack-keystone03:54
*** guoshan has quit IRC03:58
*** nkinder has joined #openstack-keystone04:01
*** links has joined #openstack-keystone04:02
*** sheel has joined #openstack-keystone04:11
*** dikonoor has joined #openstack-keystone04:20
*** dave-mccowan has quit IRC04:28
*** udesale has joined #openstack-keystone04:29
openstackgerritSteve Martinelli proposed openstack/keystone: Set connection timeout for LDAP configuration  https://review.openstack.org/39094805:03
openstackgerritSteve Martinelli proposed openstack/keystone: Add anonymous bind to get_connection method  https://review.openstack.org/40756105:03
stevemarcrinkle_: o/05:04
stevemarcrinkle_: let me know if https://review.openstack.org/#/c/390948/ is any better05:04
*** edtubill has joined #openstack-keystone05:05
*** adriant has quit IRC05:12
openstackgerritSteve Martinelli proposed openstack/keystone: listing revoke events should be admin only  https://review.openstack.org/41684105:19
*** teju has joined #openstack-keystone05:24
stevemartriaged a bug: https://bugs.launchpad.net/keystoneauth/+bug/1654847 pretty simple fix, but will need tests05:33
openstackLaunchpad bug 1654847 in keystoneauth "Full service token is shown in logs" [Critical,Triaged]05:33
*** thorst has joined #openstack-keystone05:38
*** phalmos has quit IRC05:39
*** adrian_otto has joined #openstack-keystone05:40
*** thorst has quit IRC05:43
*** adrian_otto has quit IRC05:53
*** itisha has quit IRC06:22
*** stingaci has joined #openstack-keystone06:27
*** stingaci has quit IRC06:31
*** jvarlamova has joined #openstack-keystone06:34
*** hoonetorg has quit IRC06:38
*** edtubill has quit IRC06:39
*** richm has quit IRC06:41
*** stingaci has joined #openstack-keystone06:42
*** stingaci has quit IRC06:45
*** rcernin has joined #openstack-keystone07:08
*** tesseract has joined #openstack-keystone07:12
openstackgerritTin Lam proposed openstack/keystoneauth: X-Serivce-Token should be hashed in the log  https://review.openstack.org/41776507:16
*** voelzmo has joined #openstack-keystone07:24
*** voelzmo has quit IRC07:29
*** voelzmo has joined #openstack-keystone07:38
*** thorst has joined #openstack-keystone07:39
*** pcaruana has joined #openstack-keystone07:41
*** thorst has quit IRC07:43
*** namnh has joined #openstack-keystone07:59
*** thorst has joined #openstack-keystone08:00
*** namnh has quit IRC08:00
*** namnh has joined #openstack-keystone08:00
*** pepperingranivor has joined #openstack-keystone08:03
*** d0ugal_ has quit IRC08:03
*** d0ugal has joined #openstack-keystone08:03
*** d0ugal has quit IRC08:03
*** d0ugal has joined #openstack-keystone08:03
*** thorst has quit IRC08:04
*** hoonetorg has joined #openstack-keystone08:07
*** pepperingranivor has quit IRC08:10
*** pepperingranivor has joined #openstack-keystone08:15
*** openstackgerrit has quit IRC08:18
*** hoonetorg has quit IRC08:25
*** openstackgerrit has joined #openstack-keystone08:35
openstackgerritJulia Varlamova proposed openstack/keystone: Change DevStack plugin to setup multi-Keystone  https://review.openstack.org/39947208:35
*** agrebennikov has joined #openstack-keystone08:37
openstackgerritJulia Varlamova proposed openstack/keystone: Change DevStack plugin to setup multi-Keystone  https://review.openstack.org/39947208:40
*** agrebennikov has quit IRC08:42
*** flaper87 has joined #openstack-keystone08:55
*** flaper87 has joined #openstack-keystone08:55
*** rha has joined #openstack-keystone08:59
*** zzzeek has quit IRC09:00
*** zzzeek has joined #openstack-keystone09:00
*** jrist has quit IRC09:30
*** jrist has joined #openstack-keystone09:42
*** AlexeyAbashkin has joined #openstack-keystone09:44
*** jrist has quit IRC09:59
*** thorst has joined #openstack-keystone10:00
*** thorst has quit IRC10:07
*** jrist has joined #openstack-keystone10:13
*** mvk has joined #openstack-keystone10:20
*** namnh has quit IRC10:24
*** jerrygb has joined #openstack-keystone10:26
*** liujiong has quit IRC10:39
*** asettle has joined #openstack-keystone10:41
*** hyakuhei has quit IRC10:49
*** hyakuhei has joined #openstack-keystone10:49
*** hyakuhei has quit IRC10:49
*** hyakuhei has joined #openstack-keystone10:49
*** udesale has quit IRC10:58
*** nicolasbock has joined #openstack-keystone11:04
*** richm has joined #openstack-keystone11:11
*** nicolasbock has quit IRC11:11
*** jerrygb_ has joined #openstack-keystone11:18
*** jerrygb has quit IRC11:21
*** nicolasbock has joined #openstack-keystone11:23
*** aloga has quit IRC11:41
*** aloga has joined #openstack-keystone11:41
*** jerrygb_ has quit IRC12:07
*** dikonoo has joined #openstack-keystone12:09
*** teju has quit IRC12:09
*** jerrygb has joined #openstack-keystone12:14
*** jerrygb has quit IRC12:20
*** thorst has joined #openstack-keystone12:24
*** thorst has joined #openstack-keystone12:25
*** nklenke has joined #openstack-keystone12:39
*** catintheroof has joined #openstack-keystone12:42
*** jerrygb has joined #openstack-keystone12:49
*** edtubill has joined #openstack-keystone12:54
*** jerrygb_ has joined #openstack-keystone13:07
*** jerrygb has quit IRC13:08
*** nklenke has quit IRC13:09
*** jerrygb has joined #openstack-keystone13:10
*** nklenke has joined #openstack-keystone13:11
*** jerrygb_ has quit IRC13:12
*** jerrygb_ has joined #openstack-keystone13:12
*** pepperingranivor has quit IRC13:13
*** jerrygb has quit IRC13:15
*** lamt has quit IRC13:19
*** jerrygb_ has quit IRC13:24
*** edmondsw has joined #openstack-keystone13:25
openstackgerritRodrigo Duarte proposed openstack/keystone: Remove comment from previous migration  https://review.openstack.org/41745513:26
*** pepperingranivor has joined #openstack-keystone13:30
*** asettle has quit IRC13:35
*** asettle has joined #openstack-keystone13:36
*** jamielennox is now known as jamielennox|away13:39
*** edtubill has quit IRC13:41
*** thorst has quit IRC13:45
*** thorst has joined #openstack-keystone13:46
openstackgerritRodrigo Duarte proposed openstack/keystone: Cascade delete federated_user fk  https://review.openstack.org/41590613:46
*** thorst has quit IRC13:50
*** knikolla has joined #openstack-keystone14:00
*** jerrygb has joined #openstack-keystone14:01
openstackgerritRodrigo Duarte proposed openstack/keystone: Cascade delete federated_user fk  https://review.openstack.org/41590614:02
*** thorst has joined #openstack-keystone14:05
*** aleph1 is now known as agarner14:18
*** lbragstad_ is now known as lbragstad14:19
*** jerrygb has quit IRC14:22
*** jerrygb has joined #openstack-keystone14:22
*** jerrygb has quit IRC14:23
*** jaosorior has joined #openstack-keystone14:23
*** dikonoo has quit IRC14:27
*** jaosorior has quit IRC14:31
*** dikonoor has quit IRC14:33
*** dave-mccowan has joined #openstack-keystone14:34
*** jerrygb has joined #openstack-keystone14:35
*** jaosorior has joined #openstack-keystone14:35
*** jerrygb_ has joined #openstack-keystone14:41
*** jerrygb has quit IRC14:43
knikollao/14:47
knikollaback from vacations14:47
*** edtubill has joined #openstack-keystone14:48
*** links has quit IRC14:50
*** lamt has joined #openstack-keystone14:56
*** mvk has quit IRC15:03
openstackgerritLance Bragstad proposed openstack/keystone: [api-ref] Clean up OS-EP-FILTER association docs  https://review.openstack.org/41753315:09
lbragstadknikolla o/ hopefully it was relaxing15:09
lbragstadstevemar gagehugo thanks for the doc reviews &15:09
lbragstads/&/^/15:09
*** jerrygb has joined #openstack-keystone15:11
*** jerrygb_ has quit IRC15:13
stevemarlbragstad: np!15:15
*** jerrygb has quit IRC15:15
*** mvk has joined #openstack-keystone15:18
*** jerrygb has joined #openstack-keystone15:23
*** markvoelker has joined #openstack-keystone15:24
*** aloga has quit IRC15:24
*** aloga has joined #openstack-keystone15:24
*** knikolla has quit IRC15:29
*** asettle has quit IRC15:29
*** knikolla has joined #openstack-keystone15:30
*** asettle has joined #openstack-keystone15:30
*** phalmos has joined #openstack-keystone15:37
*** jistr is now known as jistr|biab15:40
*** jistr|biab is now known as jistr15:43
ayoungstevemar, so, the change to add is_admin_project to Keystone falls down on Tempest testing.15:43
ayoungSAme kind of problem we saw with Nova, I think;15:44
*** jaugustine has joined #openstack-keystone15:44
*** mvk has quit IRC15:44
*** d0ugal has quit IRC15:44
*** d0ugal has joined #openstack-keystone15:44
*** d0ugal has quit IRC15:44
*** d0ugal has joined #openstack-keystone15:44
*** d0ugal has quit IRC15:44
*** markvoelker has quit IRC15:44
*** d0ugal has joined #openstack-keystone15:45
*** d0ugal has quit IRC15:45
*** d0ugal has joined #openstack-keystone15:45
*** jerrygb has quit IRC15:46
openstackgerritTin Lam proposed openstack/keystone: Updated docstring for test_sql_upgrade.py  https://review.openstack.org/41764715:47
openstackgerritSteve Martinelli proposed openstack/keystone: listing revoke events should be admin only  https://review.openstack.org/41684115:47
*** jaosorior has quit IRC15:47
*** jerrygb has joined #openstack-keystone15:48
*** phalmos has quit IRC15:49
*** jerrygb has quit IRC15:51
*** ChanServ sets mode: +v lbragstad15:53
*** ravelar has joined #openstack-keystone16:04
*** voelzmo has quit IRC16:05
openstackgerritSteve Martinelli proposed openstack/keystoneauth: X-Serivce-Token should be hashed in the log  https://review.openstack.org/41776516:08
stevemarjamielennox|away: lbragstad ayoung anyone else want to look at https://review.openstack.org/#/c/417765/216:09
stevemarlamt: thanks for the fix!16:09
lamtstevemar : np16:10
ayoungstevemar, sure16:10
*** phalmos has joined #openstack-keystone16:10
stevemarlamt: gonna do the ksc fix? hehe ;)16:10
lamtI got used to typing in slack - those ` vs ``. :(16:10
ayoungstevemar, +2...did not +A cuz it was kindof quick...do you think the testing is sufficient?16:11
stevemarah thats where its from16:11
lamtstevemar : sure - I can make the change in ksc too16:11
stevemarayoung: its a common function used by all our headers, but thats OK, i wanted mattR to look at it too16:11
ayoungstevemar, the test looks like it is sufficient to me:16:12
ayoungfor k, v in security_headers.items():16:12
ayoung            self.assertIn('%s: {SHA1}' % k, self.logger.output)16:12
stevemarayoung: it should be fine, same thing we do with x-auth-token16:12
ayoungstevemar, I'd be very OK with it as is16:12
*** iurygregory has joined #openstack-keystone16:13
*** diazjf has joined #openstack-keystone16:16
*** AlexeyAbashkin has quit IRC16:16
stevemarayoung: i'll own it and push the button16:16
ayoungstevemar, ++16:16
stevemarayoung: expect me to bug you in 2 minutes once lamt pushes the same fix for ksc ;)16:17
ayoungstevemar, Sounds good16:17
openstackgerritIan Cordasco proposed openstack/keystone: Use public interfaces of pep8 for hacking  https://review.openstack.org/41683016:20
stevemarsigmavirus: oh i'm wondering what you cooked up16:21
sigmavirusstevemar: I aim to disappoint16:21
sigmavirusI think that'll be enough to satisfy Adam16:22
sigmavirusOther things will come at a later date =P16:22
*** adrian_otto has joined #openstack-keystone16:22
stevemarsigmavirus: interesting, i would have thought trying to import 'pycodestyle' would be a no-no? since it's not in globalreq?16:23
sigmavirusstevemar: I'm not so certain about that16:24
sigmavirusBut having it there provides better reasoning for including it g-r16:24
stevemarsigmavirus: this is why i'm not reqs core!16:24
stevemarhehe16:24
sigmavirusme either16:24
sigmavirus=P16:24
stevemaro_O16:24
stevemari thought you were16:24
*** phalmos has quit IRC16:24
sigmavirusI dodged that bullet16:24
stevemarthey should really make you do that16:24
stevemarhehe16:24
stevemarok ok16:24
stevemarselect='K' -- will load all the keystone hacks, i assume? since they are all of the form Kxyz16:25
sigmavirusstevemar: correct16:25
stevemarneat16:25
sigmavirusI'm not sure there's a better way to do each one individually though16:25
stevemari may just add a comment in the code that says that16:26
sigmavirusas usual, openstack tests with fixtures can be wonderfully indirect16:26
sigmavirusgopher it16:26
stevemar"Load all keystone hacking checks, they are of the form Kddd, where ddd can from range from 000-999"16:27
stevemarsigmavirus: that sound about right?16:27
sigmavirusyes16:28
sigmavirusAlso pep8/flake8 allow for you to specify a prefix and anything matching that prefix is selected/ignored16:28
sigmavirusAdam read too much pycodestyle source code without knowing very much python and got very confused with how that's implemented16:29
stevemarah16:29
openstackgerritSteve Martinelli proposed openstack/keystone: Use public interfaces of pep8 for hacking  https://review.openstack.org/41683016:30
stevemarsigmavirus: just added comments16:30
stevemardstanek: ^ it's all teed up for you big guy16:30
sigmavirusdstanek: shoot for the moon, hit the stars16:31
*** markvoelker has joined #openstack-keystone16:32
openstackgerritTin Lam proposed openstack/python-keystoneclient: X-Serivce-Token should be hashed in the log  https://review.openstack.org/41796016:32
*** Guest59792 is now known as redrobot16:36
*** pcaruana has quit IRC16:38
*** rcernin has quit IRC16:38
*** jaosorior has joined #openstack-keystone16:41
*** jaosorior has quit IRC16:42
*** jaosorior has joined #openstack-keystone16:43
stevemaryay thanks lamt! ayoung or anyone else ^16:43
ayoungstevemar, +216:44
ayoungdid not A16:44
*** david-lyle has joined #openstack-keystone16:57
*** tesseract has quit IRC16:59
openstackgerritLance Bragstad proposed openstack/keystone: Adds projects mapping to the mapping engine  https://review.openstack.org/41094917:03
lbragstaddstanek that should address our comments ^17:03
*** edmondsw has quit IRC17:04
*** edmondsw has joined #openstack-keystone17:05
*** jaugustine_ has joined #openstack-keystone17:13
*** asettle has quit IRC17:14
openstackgerritTin Lam proposed openstack/keystone: Updated docstring for test_sql_upgrade.py  https://review.openstack.org/41764717:22
dstanekstevemar: nice17:26
dstaneklbragstad: cool, i'll take a look17:26
openstackgerritLance Bragstad proposed openstack/keystone: Adds projects mapping to the mapping engine  https://review.openstack.org/41094917:28
openstackgerritLance Bragstad proposed openstack/keystone: Implement shadow mapping  https://review.openstack.org/41589517:28
*** guoshan has joined #openstack-keystone17:29
*** jaugustine_ has quit IRC17:32
*** guoshan has quit IRC17:33
*** diazjf has quit IRC17:35
*** esp has joined #openstack-keystone17:39
openstackgerritSteve Martinelli proposed openstack/keystone: listing revoke events should be admin only  https://review.openstack.org/41684117:40
*** mvk has joined #openstack-keystone17:42
stevemardstanek: zuul is happy for 416830, shall i push it through?17:42
*** hoonetorg has joined #openstack-keystone17:44
*** browne has joined #openstack-keystone17:46
*** Guest96631 is now known as mgagne17:51
*** mgagne has quit IRC17:51
*** mgagne has joined #openstack-keystone17:51
*** esp has quit IRC17:56
*** itisha has joined #openstack-keystone17:58
*** esp has joined #openstack-keystone18:02
*** diazjf has joined #openstack-keystone18:05
*** woodster_ has joined #openstack-keystone18:06
*** spzala has joined #openstack-keystone18:08
knikollaayoung: heard that you might be mentoring a course project18:11
ayoungknikolla, yes I am.  Submitted the description last week to Ata Turk18:11
ayoungknikolla, its the RBAC stuff I've been championing.18:11
ayounghttp://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/role-check-from-middleware.html18:11
*** chris_hultin is now known as chris_hultin|AWA18:12
knikollaayoung: great!18:13
ayoungknikolla, waiting to hear who the students are that are going to be taking part18:13
knikollaayoung: you think one semester is enough to get the RBAC merged?18:15
knikollawill be cool to have the students get free tickets to the Boston summit also18:15
ayoungknikolla, I think it is enough to get an end-to-end POC written18:15
ayoungprobably too late for Boston18:16
openstackgerritEric Brown proposed openstack/oslo.policy: Remove references to Python 3.4  https://review.openstack.org/41800618:17
ayoungknikolla, I'll see what we can do to get people in, but the talk is already submitted...hard to add speakers when I don't even know who is working on it.  I wonder if there are studend passes?18:17
dstanekstevemar: i don't see why not18:18
*** gyee has joined #openstack-keystone18:24
*** jaugustine_ has joined #openstack-keystone18:28
*** diazjf has quit IRC18:29
*** guoshan has joined #openstack-keystone18:30
*** thorst has quit IRC18:30
knikollaayoung: i know there's an academic discount, but it doesn't reduce the price to free.18:30
*** thorst has joined #openstack-keystone18:31
*** harlowja_ has joined #openstack-keystone18:31
*** harlowja has quit IRC18:31
ayoungknikolla, Is the CFP still open?  I'm willing to add people to the talk proposal if it makes sense.18:31
ayoungThe is bnot ATC for the summit this time around, thouhg18:32
*** jaugustine_ has quit IRC18:32
knikollaayoung: deadline for presentations is feb 618:33
*** guoshan has quit IRC18:34
knikollaayoung: oh, i see. so even if students get code in they won't get a code :/18:34
ayoungknikolla, ++  you going to work on the project, or just aware that it is happening?  Its for Okreig's class18:34
*** jaugustine_ has joined #openstack-keystone18:35
ayoungknikolla, right, not for BOS, but they would for the next PTG18:35
*** thorst has quit IRC18:35
knikollaayoung: i thought of mentoring a project where they implemented some spec in keystone, which is what you ended up doing. i dropped it for lack of spec ideas and time to write the proposal.18:35
ayoungknikolla, join me!18:36
knikollaayoung: if you need some help mentoring though, i'm available.18:36
ayoungknikolla, I'll tell Ata Turk18:36
knikollaayoung: great!18:36
*** erlon is now known as erlon_pto18:39
ayoungknikolla, done18:39
*** chris_hultin|AWA is now known as chris_hultin18:46
ayoungSamYaple, you have an idea how to do Fernet Key management in a containerd world?18:49
*** thorst has joined #openstack-keystone18:49
ayoungSamYaple, no pressure, but since you asked me about it before, thought you might know better than I how to make a docker image useful when we need secure symmetric keys for Fernet18:49
SamYapleproduction vs testing is the question. in production there needs to be a way to sync these keys around (or host the keys outside the container and sync with rsync/cronjob)18:50
SamYapletesting is simple, just generate them when you initial start up18:50
ayoungSamYaple, right...so the problem is if we pre-can keys for development, people end up using those keys in production, and hackery ensues18:50
SamYaplewell pre-can is the wrong term18:50
SamYapleyour entrypoint/startup script would generate them on first start18:50
ayoungSamYaple, Ah, so it is OK if the container writes to /etc/keystone/<subdir>?18:51
SamYapleinside the container itself, yes18:51
SamYaplebut those wont exist on the host18:51
ayoungSamYaple, that is OK18:51
*** tqtran has joined #openstack-keystone18:51
ayoungso long as a development deployment can kick it off...18:51
SamYaplethen a simple AIO, non-production keystone fernet deploy is easy18:51
SamYaplein the docker world it would get extended by other images to provide more robust config and key management using 'FROM <soruce image>'18:52
ayoungSamYaple, koolio. I'll let you get back to work. We can discuss when/if I get to that stage18:52
openstackgerritRon De Rose proposed openstack/keystone: WIP - Add domain_id to the user table  https://review.openstack.org/40987418:52
SamYapleso <source image> would be enough to do a simple AIO with reasonable default, and prod tools would need to extend that, if it makes sense18:52
SamYapleayoung: while ive got you, someone just pinged me and asked me about 2FA with keystone, is there a page with most up-to-date info on that? (if its implemented which I dont know)18:54
*** jaugustine_ has quit IRC19:02
*** jaugustine_ has joined #openstack-keystone19:03
*** jaugustine_ has quit IRC19:07
*** jaugustine_ has joined #openstack-keystone19:08
openstackgerritMerged openstack/python-keystoneclient: X-Serivce-Token should be hashed in the log  https://review.openstack.org/41796019:11
openstackgerritSamuel Pilla proposed openstack/keystone: Add password expiration queries for PCI-DSS  https://review.openstack.org/40389819:11
*** jaugustine_ has quit IRC19:12
ayoungSamYaple, someone else here is working on it.  morgan was reviewing, and fairly critical last we talked.  It is supposed to get into Ocata.  stevemar ?19:13
stevemarSamYaple: what ayoung said; we had a design for pike from adriant, but morgan basically -2'ed it and proposed a redesign. it did not make Ocata. we still have some runway but i'm not optimistic19:15
*** rcernin has joined #openstack-keystone19:15
morganayoung: ?19:16
morganreading up19:16
morganstevemar, SamYaple: yes i am working on it, but i have a higher priority thing i must hit for shade19:17
*** phalmos has joined #openstack-keystone19:17
morganas soon as i address this context manager I'll be back on it.19:17
openstackgerritSteve Martinelli proposed openstack/keystone: listing revoke events should be admin only  https://review.openstack.org/41684119:19
*** edmondsw_ has joined #openstack-keystone19:20
stevemarmorgan: you had that context manager thing for ksa cooking, you still want it in?19:20
morganstevemar: yeah. need to bug mordred for the exmaple19:21
morganmake sure it in-face works.19:21
*** edmondsw has quit IRC19:22
tqtranhello, quick question. if i have multi-domain on, and i authenticate into one of those domain and ask for a list of projects. i get a list of projects only for that domain right?19:22
*** phalmos has quit IRC19:22
SamYaplethanks for the info ayoung stevemar and morgan19:25
tqtrandavid-lyle, stevemar ^----19:27
*** diazjf has joined #openstack-keystone19:28
stevemartqtran: depends on which API you call19:28
*** david-lyle has quit IRC19:28
stevemartqtran: we have a call /auth/projects that lists which projects *you* can access19:28
stevemartqtran: theres another API, /projects which lists ALL projects everywhere19:29
lbragstaddstanek about the shadow mapping stuff we were talking about earlier19:29
lbragstaddstanek when we create or update a mapping, do we expect the validation of the project object in the mapping to ensure the roles for the project exist, too?19:29
stevemarif you want, you can call /projects with a query parameter, /projects&domain_id=your_domain_id to filter by domain19:29
tqtranstevemar: https://github.com/openstack/django_openstack_auth/blob/master/openstack_auth/utils.py#L35419:31
tqtranim looking specifically at that method19:31
tqtranseems like you only get back list of projects within that domain? wanted to verify first.19:31
openstackgerritMerged openstack/keystone: Remove comment from previous migration  https://review.openstack.org/41745519:33
stevemartqtran: seems like you get back ALL projects if running keystone 2; and you get the projects *you* have authorization for in the 3rd case19:34
tqtranah ok, thanks for clarification19:35
*** jaugustine_ has joined #openstack-keystone19:35
tqtranstevemar: https://review.openstack.org/#/c/417221/ is the reason why im asking19:36
stevemardolphm ayoung dstanek bknudson jamielennox|away samueldmq rodrigods lbragstad morgan i'm releasing libs this week and probably next week again (in case there is fall out or we want another bug fix in)19:37
lbragstadstevemar awesome - anything you need help with?19:37
lbragstadstevemar or just a friendly heads up>?19:37
bknudsonnice.19:37
stevemarfriendly heads up19:37
lbragstadomg... a bknudson19:37
stevemarlbragstad: oh damN!!19:38
stevemarbknudson: we've missed you19:38
lbragstad++19:38
bknudsonI'll get back to it someday19:39
rodrigodscool19:40
samueldmqstevemar: kk I'll take a better look at library bugs, thanks19:45
*** phalmos has joined #openstack-keystone19:47
*** diazjf has quit IRC19:49
*** pcaruana has joined #openstack-keystone19:50
knikollaanybody has a moment to help me understand some things about federation mappings?19:59
*** diazjf has joined #openstack-keystone20:02
samueldmqstevemar: https://review.openstack.org/#/c/418074/1/keystone_tempest_plugin/tests/api/identity/base.py20:03
dstanekstevemar: sounds good20:03
dstanekknikolla: what's the question?20:03
samueldmqstevemar: why is it needed to add self.auth_client ?20:03
stevemarsamueldmq: *shrug* it was in master20:03
knikolladstanek: i'm trying to map a remote user, to a local user with the same name on the default domain.20:04
knikolladstanek: this is my attempt at the mappings http://paste.openstack.org/show/3OsxhggEHYTsLz5Ifgg4/20:04
knikollaexpected output: maps to already existing user with same name and on the default domain.20:05
*** voelzmo has joined #openstack-keystone20:05
samueldmqstevemar: it was already present in master, not related to that fix20:05
samueldmqstevemar: not sure it is necessary20:05
stevemarsamueldmq: *shrug* you can remove it20:05
knikollaactual output: gets mapped to user with same name, no domain, and for whatever reason, admin role :/20:05
knikollaand the blacklist is ignored.20:06
*** phalmos has quit IRC20:06
*** phalmos has joined #openstack-keystone20:06
dstanekknikolla: domain doesn't work well yet with mappings. i don't actually know if it works at all without the work currently going on20:06
samueldmqstevemar: done ,thanks20:07
dstanekknikolla: can you post you mapping though?20:07
knikolladstanek: i linked to it above, but here's it again http://paste.openstack.org/show/3OsxhggEHYTsLz5Ifgg4/20:07
dstanekknikolla: oops missed it. my client has terrible link color and no underline. i messed up my theme over the weekend :-(20:08
knikolladstanek: no worries20:08
dstanekknikolla: does you use have the admin role via assignments?20:08
knikolladstanek: no. and actually, i've blacklisted the username admin and it still goes through when i do k2k with the admin user :/20:11
knikollathis is in two newton devstacks.20:12
knikolladstanek: with that mapping, it mapped me to the local nova user :/ i'm utterly confused20:13
knikollabut that explains the admin permissions20:13
dstanekknikolla: can you see that values from the environment that are being passed into the mapper?20:14
knikolladstanek: how do i do that?20:15
*** phalmos has quit IRC20:15
dstanekknikolla: the environment should be logged. maybe in debug mode20:15
*** bknudson has left #openstack-keystone20:16
*** phalmos has joined #openstack-keystone20:16
knikolladstanek: wait, my bad. it didn't map me to the 'nova' user. was looking at the wrong json. It mapped me to a user it created automatically, named "[]", with domain None. Checking the role assignments on its user id returned nothing.20:18
knikollayet somehow its able to scope to admin and do a user list20:19
dstanekknikolla: that's really scarry20:20
knikolladstanek: hopefully i'm doing something wrong.20:20
dstanekknikolla: if you turn on debugging you should be able to see into what the mapper is doing20:21
knikolladstanek: here's the logs http://paste.openstack.org/show/eW6ng4S18oggNB4VkYnY/20:26
*** bknudson has joined #openstack-keystone20:26
*** ChanServ sets mode: +v bknudson20:26
rderoseknikolla: (ron eavesdropping), so it looks like the user was given the default domain, right?20:28
*** iurygregory has quit IRC20:28
rderoseknikolla: actually, with newton, you should be given the "Federated" domain20:29
knikollarderose: the user is given the None domain.20:29
rderoseknikolla: from the token?20:30
rderoseknikolla: mapped_properties: {'group_ids': [], 'user': {u'domain': {'id': 'Federated'}, 'type': 'ephemeral', u'name': u'[]'}, 'group_names': []}20:30
rderoseknikolla: that's from the log20:30
knikollarderose: oh ok. i saw none from openstack user list, thats why.20:30
knikollaubuntu@kristi-sp1:~$ openstack user show 333ce86480284ee0b4afc4c5298c790a20:30
knikolla+---------------------+----------------------------------+20:30
knikolla| Field               | Value                            |20:30
knikolla+---------------------+----------------------------------+20:30
knikolla| domain_id           | None                             |20:30
knikolla| enabled             | True                             |20:30
knikolla| id                  | 333ce86480284ee0b4afc4c5298c790a |20:30
knikolla| name                | []                               |20:30
knikolla| password_expires_at | None                             |20:30
knikolla+---------------------+----------------------------------+20:30
rderoseknikolla: yes, that is correct20:31
rderoseknikolla: in newton, when the federated user authenticates, they're giving the 'Federated' domain20:31
rderoseknikolla: this is changing in ocata20:31
rderoseknikolla: the name = [] is not correct though ;)20:32
dstanekknikolla: that's super strange that you get an empty list20:32
knikolladstanek: its strange too. when i tried in the morning i would get the same name as the remote user. but still the same role problems and the federated domain.20:33
rderoseknikolla dstanek: the mapping is expecting the name to be passed in "name": "{0}"20:33
rderoseknikolla: what's the role problems?20:33
knikollarderose: by role problems i mean, this user is somehow getting admin role.20:34
knikollait's also strange that blacklist doesn't work20:35
rderoseknikolla: this user "[]" has the admin role?20:35
knikollarderose: yes20:35
rderoseknikolla: hmm... have you tested other users, where you are seeing them being created?20:36
rderoseknikolla: or, are all users getting this [] user?20:36
*** david-lyle has joined #openstack-keystone20:37
knikollarderose: if i remove the blacklist condition, i get a user with the same name.20:37
knikollarderose: if i include the blacklist condition, even if the username is in the blacklist, i get this [] user.20:38
knikollain both ways, i'm able to scope to the admin project and do a user list.20:38
*** voelzmo has quit IRC20:39
knikolla(by removing blacklist i mean this: [(u'id', u'rules'), (u'keystone-idp-mapping', [{u'local': [{u'user': {u'domain': {u'id': u'default'}, u'name': u'{0}'}}], u'remote': [{u'type': u'openstack_user'}]}])]20:39
rderoseknikolla dstanek: correct, if I'm wrong, but what this mapping is saying is, if a user comes in as openstack_user type, map them to the local user with the same name, right?20:39
rderosethe rule is user is openstack_user type and not admin or demo (blacklist)20:40
knikollarderose: right. i want to map as user to a same named local user.20:40
knikollathis through k2k20:41
rderoseknikolla: so the local user would have to already be created20:41
rderoseright?20:41
knikollarderose: yes.20:41
rderoseokay20:41
rderosehmm...20:41
*** nklenke has quit IRC20:41
dstanekin part sounds like a blacklist bug20:41
rderoseknikolla: and I take the users' don't already have the admin role?20:44
rderosethe condition when you remove the blacklist20:45
knikollarderose: in this case, they were automatically created. and when i do openstack role assignment list —user <id>20:45
knikollanothing is returned20:45
*** jaugustine_ has quit IRC20:46
rderoseknikolla: ah, yeah is through shadow users...20:46
rderoseknikolla: but I would think you would get the roles of the local user20:46
dstanekknikolla: all of your data looks good in that log20:47
*** iurygregory has joined #openstack-keystone20:50
rderoseknikolla: so result of your mapping really is about the roles, you should have gotten a token with the roles for the local user. We create a shadow user for all federated users when they auth and they will automatically be in the 'Federated' domain.20:50
rderoseknikolla: just don't want you to think that when a federated user authenticates, that the local user is returned. that is not how it works.20:51
rderoseknikolla: when we create a shadow user, there will be an entry in the federated_user table20:54
rderoseknikolla: and of course, the user table (user -> federated_user) (1:many)20:54
*** r1chardj0n3s has quit IRC20:55
knikollarderose: thats ok for me. if i get a user in the federated domain with the permissions i need, that works too.20:56
knikollarderose: what i'm actually trying to do is a bit more complicated, so this was an exercise to get myself acquainted with the mapping rules. but the results were utterly confusing for me.20:56
rderoseknikolla: I see20:57
rderoseknikolla: so when you remove the blacklist (taking that out of the equation for now), you are getting a user with the admin role20:57
knikollarderose: yes20:58
rderoseknikolla: and the local user, doesn't have an admin role20:58
rderose?20:58
knikollarderose: the local user no.20:58
knikollarderose: as seen through "openstack role assignments"20:58
*** catinthe_ has joined #openstack-keystone20:59
knikollaand it doesn't seem to be getting that through any groups either.20:59
*** catintheroof has quit IRC21:00
*** jamielennox|away is now known as jamielennox21:00
*** jaosorior has quit IRC21:03
rderoseknikolla: you mean 'openstack role list --user <your local user>'21:03
*** jaosorior has joined #openstack-keystone21:03
rderoseI think that would include roles from groups21:03
knikollarderose: role list —user is actually deprecated in favor of role assignment list21:04
rderose:)21:04
knikollathe output is the same from both though21:04
rderoseokay21:05
knikollabrb in 10 minutes21:05
*** jlk has quit IRC21:06
*** voelzmo has joined #openstack-keystone21:08
*** diazjf has quit IRC21:09
*** voelzmo has quit IRC21:12
openstackgerritSteve Martinelli proposed openstack/keystone: listing revoke events should be admin only  https://review.openstack.org/41684121:12
*** diazjf has joined #openstack-keystone21:14
knikollaback21:14
stevemarwell at least keystoneclient stable gates are fine21:14
stevemarkeystoneauth and keystonemiddleware stable gates are broken21:14
stevemarkeystone mitaka works, keystone newton is broken (patch is up)21:15
*** voelzmo has joined #openstack-keystone21:19
*** diazjf has quit IRC21:20
*** voelzmo has quit IRC21:23
lbragstadravelar hybrid attribute documentation in case you haven't already stumbled across it - http://docs.sqlalchemy.org/en/latest/orm/extensions/hybrid.html#21:26
*** jaugustine_ has joined #openstack-keystone21:28
rderoseknikolla dstanek: I'm not seeing where a federated user would get local user roles (if mapped to a local user):21:30
stevemaranyone know whats going on here:  http://logs.openstack.org/87/418087/1/check/gate-keystoneauth-python27-ubuntu-xenial/05a93c0/console.html#_2017-01-09_20_09_13_026636 ?21:30
rderoseknikolla dstanek: looks like roles only come from groups (I'm probably missing something...)21:30
knikollarderose: so groups are required?21:32
*** adriant has joined #openstack-keystone21:43
rderoseknikolla: just a sec21:44
*** voelzmo has joined #openstack-keystone21:45
rderoseknikolla: I believe so21:46
rderoseknikolla: from looking at the code, roles are coming from groups; not a local user21:47
rderoseknikolla: doesn't explain how you are getting the admin role though21:47
knikollarderose: either bug, or my mistake.21:49
rderoseknikolla: yeah, I'll try to reproduce21:49
knikollarderose: i can live with setting permissions through groups. i'll give that a try tomorrow.21:50
rderoseknikolla: cool21:50
*** voelzmo has quit IRC21:50
knikollarderose: what i'm trying to accomplish is some sort of "metaproject", where a user coming from projectX, is mapped to a user/group that has access on projectY only.21:51
knikollamaking projectY an extension of projectX, but on a separate cloud.21:51
*** jlk has joined #openstack-keystone21:51
*** jlk has quit IRC21:51
*** jlk has joined #openstack-keystone21:51
rderoseknikolla: that should totally be possible21:52
rderoseknikolla: you would just map the user to a role that has access to projectY21:52
openstackgerritMerged openstack/keystoneauth: X-Serivce-Token should be hashed in the log  https://review.openstack.org/41776521:52
rderose*map user to a group that has that role21:52
rderoseknikolla: ^21:52
knikollarderose: yep, and get the project name through the openstack_project attribute.21:52
knikollai'll have the project name be part of the username/group of the local user.21:53
*** jaosorior has quit IRC21:53
rderoseknikolla: local user?21:53
rderoseknikolla: if your federated users are mapped to group, you don't need existing local users21:54
rderoseor local users created in advance21:54
knikollarderose: right. true.21:54
knikollarderose: i need to work on my federation terminology.21:54
rderoseknikolla: me too :)21:55
*** richm has quit IRC21:55
stevemarjamielennox: around?21:56
jamielennoxstevemar: meeting, give me 10 minutes21:56
stevemarjamielennox: okay, i'll leave you info here21:56
stevemarjamielennox: actually, i think i figured it out, i need to backport https://review.openstack.org/#/c/388945/121:57
stevemarjamielennox: the short is, stable/mitaka|newton are broken21:57
stevemarfor keystoneauth21:57
stevemardolphm & morgan i need one of you for stable +2'ing22:00
dolphmstevemar: o/22:00
stevemardolphm: okay, let me get a few links together22:01
dolphmstevemar: i can find them -- which repo should i focus on?22:02
stevemardolphm: keystone: https://review.openstack.org/#/c/418074/22:02
stevemardolphm: keystoneauth needs https://review.openstack.org/#/q/I1e09228cff7a0c8136447f07df6864045a6fb849,n,z i think22:03
openstackgerritSamuel Pilla proposed openstack/keystone: Add password expiration queries for PCI-DSS  https://review.openstack.org/40389822:03
stevemardolphm: as well as all these: https://review.openstack.org/#/q/status:open+topic:bug/165484722:03
stevemardolphm: and these... https://review.openstack.org/#/q/status:open+topic:bug/165484722:03
stevemarerr22:04
stevemardolphm: wrong one: https://review.openstack.org/#/q/status:open+topic:bug/161610522:04
stevemardolphm: last one: https://review.openstack.org/#/c/418118/22:04
stevemardolphm: or check all my open patches from today: https://review.openstack.org/#/q/owner:s.martinelli%2540gmail.com+status:open :P22:05
dolphmstevemar: lol k22:05
stevemardolphm: considering none of them were authored by me, and our lack of stable cores, i'll be +A'ing them22:06
jamielennoxstevemar: whoa - what's happenign22:08
stevemardolphm: the only catch is keystoneauth is borked but i backported the patch that should fix it22:09
stevemarjamielennox: whats up?22:09
stevemarjamielennox: just backporting fixes, getting ready to wrap up the release22:09
jamielennoxstevemar: i remember that patch, i'm surprised it broke gate though22:09
jamielennoxi don't think i fixed it because of an actual failure22:10
stevemarjamielennox: in the comment it says "fixing ci failure"22:10
*** adrian_otto has quit IRC22:10
stevemarjamielennox: i approved https://review.openstack.org/#/c/417960/ btw, it was a new patch for ksa22:10
jamielennoxstevemar: alrighty then22:10
jamielennoxstevemar: i saw that one and would have +Aed22:11
stevemaryay22:11
stevemari didn't mess up22:11
jamielennoxthe only thing maybe was to look for X-*-Token and blank that22:11
jamielennoxwhich is what i did for that oslo_middleware catcherrors thing22:11
jamielennox... that still doesn't appear to be merged22:11
*** rcernin has quit IRC22:12
stevemarjamielennox: poke harder22:13
stevemareh yeah, X-*-Token is probably smarter22:13
morganjamielennox: hmm22:14
morganyeah aim for x-*-token22:14
stevemardolphm: morgan looks like https://review.openstack.org/#/q/I1e09228cff7a0c8136447f07df6864045a6fb849,n,z will fix ksa gates, if you'd be so kind22:15
stevemaror i will just approve :P22:15
jamielennoxi can22:16
morganstevemar: looking22:16
jamielennoxoh, wait - no i can't22:16
morganstevemar: want me to +A them too?22:16
openstackgerritMerged openstack/oslo.policy: Remove references to Python 3.4  https://review.openstack.org/41800622:17
morganstevemar: tossed +2 on then, but might want to wait for jenkins22:17
stevemarmorgan: zuul is happy with them22:17
openstackgerritMerged openstack/keystone: Updated docstring for test_sql_upgrade.py  https://review.openstack.org/41764722:17
stevemarmorgan: dolphm said he will look, so i'll give him a minute22:17
morganstevemar: okie22:17
* dolphm just got started22:17
stevemarmorgan: you can take a second pass once dolphm goes though? all stable/* patches in my queue: https://review.openstack.org/#/q/owner:s.martinelli%2540gmail.com+status:open22:17
morganstevemar: sure. since i'm blocked on some devstack things for shade22:18
morganstevemar: it's stupid that the "private" module isn't "_" prefixed for testtools22:18
morganfwiw22:18
*** agrebennikov has joined #openstack-keystone22:20
stevemarmorgan: *shrug*22:20
jamielennoxmorgan:  well it's in testtools.tests, we don't do keystoneauth1._tests either22:23
jamielennoxgranted in testtools you might think .tests is public22:23
morganjamielennox: fair. but yeah22:23
*** darrenc is now known as darrenc_afk22:23
morganalso i expect that anyone using keystoneauth1.tests will likely know it might be broken22:23
morganwe may want to explicitly mark it private though... or move tests out of the main tree22:24
jamielennoxi would hope there's nothing in there that's useful22:24
*** catinthe_ has quit IRC22:24
morganjamielennox: right22:25
morganbut we may  want to be explicit22:25
*** edtubill has quit IRC22:25
*** stewie925 has joined #openstack-keystone22:28
stewie925hello guys22:28
dolphmstevemar: why is this only related-bug? https://review.openstack.org/#/c/416260/22:28
dolphmstevemar: it seems to close the issue22:28
stewie925I have been setting up openstack and installed keystone service22:28
stewie925I need to reset the password for the keystoneUser - what is the syntax for it?22:29
dolphmstewie925: keystoneUser?22:29
stewie925oh wait....22:30
stewie925dolphm: think I just found out why... brb22:30
stevemardolphm: looks like there was some confusion about it between logging binary data in request vs response and ksc vs ksa22:30
dolphmstevemar: any reason not to just revise it to Closes-Bug and +2?22:31
dolphmthe master patch merged as Related22:32
stewie925dolphm: thank you hehe - I realized I entered the wrong username :) whew!22:32
stevemardolphm: i didn't open the bug against mitaka/newton yet22:32
dolphmstewie925: lol ++22:32
stevemardolphm: i'm not that critical about using LP to track backported fixes22:32
dolphmstevemar: so, just leave it as is?22:32
stevemardolphm: but i don't mind it if it's bugging you, just saying it won't change anything in LP :P22:33
dolphmstevemar: no worries - i left a comment in gerrit for the sake of posterity if anyone ever wonders22:34
stevemar++22:34
*** spzala has quit IRC22:34
*** richm has joined #openstack-keystone22:41
dolphmstevemar: ?? https://review.openstack.org/#/c/418118/122:41
dolphmstevemar: see inline22:41
*** adrian_otto has joined #openstack-keystone22:42
stewie925I did steps 1 and 2 - and when i tried to run step 3 I got a "type required" error22:51
stewie925hi guys - so i am creating the keystone service for openstack-kilo - following the instructions in http://docs.openstack.org/kilo/install-guide/install/apt/content/keystone-services.html22:51
stewie925this is the command :  openstack service create --name keystone --description "OpenStack Identity" identity22:51
stewie925and I got this error:  openstack service create: error: argument --type is required22:52
*** jperry has joined #openstack-keystone22:54
*** edmondsw_ has quit IRC22:55
dolphmsamueldmq: what is application/text, exactly?22:57
*** david-lyle has quit IRC22:59
*** darrenc_afk is now known as darrenc23:00
*** ravelar has quit IRC23:00
*** jperry has quit IRC23:05
*** jaosorior has joined #openstack-keystone23:07
morganstevemar: all users (inc. federated) have entries in the user table, right?23:09
morganoh wait... nvm. i already figured this part out23:10
stevemarmorgan: correct, now, in N or O... can't remember which23:10
dolphmmorgan: yes cc- rderose23:10
stevemardolphm: looks like you figured it out23:10
dolphmstevemar: yeah - and then i ran into "application/text"23:10
stevemardolphm: surprise!23:11
morganstevemar: ok so if i'm adding a new table... do i need to add to both expand and migration repo?23:11
morganor just expand?23:11
dolphmmorgan: yes, you need a migration in all 3 repos, even if they are no-ops23:11
*** asettle has joined #openstack-keystone23:12
morgandolphm: ick23:12
morganwait all three? we have 423:12
dolphmoh, you don't need a migration in the "legacy" migration repo23:12
dolphmjust expand -> migrate -> contract23:12
morganright23:12
dolphmfor new things going forward23:12
morgani figured the other three23:12
morganjust wanted to make sure it was safe to ignore migrate_repo23:12
dolphmit's safe to ignore the old repo - whatever that's called (i swear it's called migrate_repo?)23:13
rderosemorgan: yes, all users have an entry in the user table23:13
dolphmah, yeah ignore migrate_repo23:14
morgandolphm: yep, migrate_repo23:14
dolphmexpand_repo -> data_migration_repo -> contract_repo23:14
morgandolphm: we should make a real effort next cycle to get on alembic23:14
dolphmmorgan: i spent a good chunk of today baffled by glance's approach to switching23:14
morganrderose: i am going to add a table instead of adding a column to the user table so we can use metadata in the mfa-per-user (aka "enabled") type stuff23:15
dolphmmorgan: i might end up tackling a switch to alembic23:15
stevemardolphm: https://www.w3.org/Protocols/rfc1341/7_1_Text.html ?23:15
morganrderose: adding it to the user table might require a lot of extra moving bits.23:15
dolphmstevemar: ?23:15
stevemardolphm: application/text ?23:16
morgandolphm: it should be pretty straight forward, last time i looked it seemed not too crazy23:16
rderosemorgan: hmm... sounds interesting23:16
rderosemorgan 1:1 relationship?23:16
dolphmstevemar: that describes text/*23:16
morganrderose: yeah.23:16
morganrderose: because we store the rules in a json column23:16
dolphmmorgan: ++23:16
rderosemorgan: sounds good23:16
dolphmglance's patches are complicated :(23:17
morganbut we can add "enabled" etc in the new table rather than a ton of new columns in user23:17
rderosemorgan: right, in that case, I think a new table makes sense23:18
morgandolphm: yeah. glance has some more complex stuff we have small number of migrations since we moved to the contract/migrate/expand model23:18
stevemardolphm: right? we only want to log things that have content type application/json or application/text23:18
dolphmstevemar: what uses application/text ??23:18
stevemardolphm: i want to say something in oauth...23:19
dolphmmorgan: ceilometer's switch to alembic did not involve rewriting any migrations23:19
stevemardolphm: maybe this? http://developer.openstack.org/api-ref/identity/v3-ext/index.html?expanded=create-access-token-detail#id3123:20
stevemardolphm: we also had xml there for a while23:20
morgandolphm: and ours should not require it either23:20
stevemarah, oauth uses https://github.com/openstack/keystone/blob/83bd595b22944d38eff1cdef77b4c07a75af0fdc/keystone/oauth1/controllers.py#L26823:21
stevemarapplication/x-www-form-urlencoded23:21
stevemardolphm: either way, its just an extra case that we can remove if its too chatty?23:21
*** asettle has quit IRC23:22
*** phalmos has quit IRC23:23
*** asettle has joined #openstack-keystone23:23
morganhm23:25
*** asettle has quit IRC23:27
stevemarsamueldmq davechen  when you get a chance: https://review.openstack.org/#/c/416841/23:28
dstanekknikolla: did you get it figured out?23:29
openstackgerritMerged openstack/keystone: Use public interfaces of pep8 for hacking  https://review.openstack.org/41683023:30
*** thorst has quit IRC23:32
*** thorst has joined #openstack-keystone23:32
*** thorst has quit IRC23:37
*** spzala has joined #openstack-keystone23:40
*** harlowja_ has quit IRC23:40
*** jaosorior has quit IRC23:40
*** harlowja has joined #openstack-keystone23:41
*** lamt has quit IRC23:48
dolphmstevemar: there's probably a lot of useless, untested code that we could land and remove later, but that's not a good reason to land it!23:57
*** edmondsw has joined #openstack-keystone23:57
« Sunday, 2017-01-08 Index Tuesday, 2017-01-10 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!