Thursday, 2017-04-06

samueldmqlbragstad: nice! looks to be a nice city00:00
antwashsamueldmq: it is!! very nice city00:02
openstackgerritAnthony Washington proposed openstack/keystone master: Move group policies to DocumentedRuleDefault  https://review.openstack.org/44923700:02
samueldmqantwash: cool, hopefully I'll get approval to go :-)00:03
*** shuyingya has joined #openstack-keystone00:14
*** dikonoor has joined #openstack-keystone00:18
*** shuyingya has quit IRC00:19
*** shuyingya has joined #openstack-keystone00:20
*** lucasxu has joined #openstack-keystone00:24
*** shuyingya has quit IRC00:24
*** Shunli has joined #openstack-keystone00:28
openstackgerritSam Yaple proposed openstack/keystone master: DONOTMERGE - LOCI zuul-cloner test  https://review.openstack.org/45393300:30
*** thorst has joined #openstack-keystone00:30
*** zhurong has joined #openstack-keystone00:32
*** brenttang has joined #openstack-keystone00:38
*** harlowja has quit IRC00:39
*** thorst has quit IRC00:39
*** ediardo has quit IRC00:52
*** gagehugo has quit IRC00:57
*** lucasxu has quit IRC01:01
*** liujiong has joined #openstack-keystone01:07
*** gagehugo has joined #openstack-keystone01:10
openstackgerritMerged openstack/keystone master: Move and refactor test_by_domain_domain  https://review.openstack.org/45280101:14
openstackgerritMerged openstack/keystone master: Move and refactor project_and_user_and_role  https://review.openstack.org/45290801:14
openstackgerritMerged openstack/keystone master: Move and refactor test_revoke_by_audit_chain_id  https://review.openstack.org/45322901:14
*** stingaci has quit IRC01:15
*** stingaci has joined #openstack-keystone01:16
*** shuyingya has joined #openstack-keystone01:21
*** shuyingya has quit IRC01:21
*** shuyingya has joined #openstack-keystone01:21
*** harlowja has joined #openstack-keystone01:26
*** harlowja has quit IRC01:26
*** ediardo has joined #openstack-keystone01:34
*** thorst has joined #openstack-keystone01:40
*** thorst has quit IRC01:45
*** shuyingya has quit IRC01:59
*** shuyingya has joined #openstack-keystone01:59
*** jamielennox is now known as jamielennox|away02:05
*** jamielennox|away is now known as jamielennox02:19
*** Shunli has quit IRC02:26
*** Shunli has joined #openstack-keystone02:27
*** Shunli has quit IRC02:32
*** thorst has joined #openstack-keystone02:41
*** stingaci has quit IRC02:45
*** aojea has joined #openstack-keystone02:54
*** aojea has quit IRC02:59
*** thorst has quit IRC03:00
*** brad[] has quit IRC03:09
*** edmondsw has joined #openstack-keystone03:11
*** lamt has joined #openstack-keystone03:13
*** stingaci has joined #openstack-keystone03:14
*** edmondsw has quit IRC03:16
*** nicolasbock has quit IRC03:20
*** brad[] has joined #openstack-keystone03:24
*** links has joined #openstack-keystone03:45
*** dave-mccowan has quit IRC03:46
*** rderose_ has joined #openstack-keystone03:48
*** ravelar has quit IRC03:51
*** rderose has quit IRC03:51
*** thorst has joined #openstack-keystone03:57
*** thorst has quit IRC04:01
*** erhudy_ has joined #openstack-keystone04:03
*** thiagolib_ has joined #openstack-keystone04:03
*** dikonoor has quit IRC04:05
*** evrardjp_ has joined #openstack-keystone04:09
*** thiagolib has quit IRC04:10
*** erhudy has quit IRC04:10
*** evrardjp has quit IRC04:10
*** erhudy_ is now known as erhudy04:10
*** jlopezgu_ has quit IRC04:12
*** ediardo has quit IRC04:42
*** rderose_ has quit IRC04:44
*** lamt has quit IRC04:45
openstackgerritSean McCully proposed openstack/keystoneauth master: KeystoneAuth should default to system CAFile.  https://review.openstack.org/45258505:04
*** dikonoor has joined #openstack-keystone05:07
openstackgerritSean McCully proposed openstack/keystoneauth master: KeystoneAuth should default to system CAFile.  https://review.openstack.org/45258505:10
*** dikonoor has quit IRC05:26
*** stingaci has quit IRC05:27
*** richm has quit IRC05:43
*** thorst has joined #openstack-keystone05:59
*** thorst has quit IRC06:03
*** jaosorior_away is now known as jaosorior06:16
*** aojea has joined #openstack-keystone06:30
*** voelzmo has joined #openstack-keystone06:41
*** voelzmo has quit IRC06:47
*** voelzmo has joined #openstack-keystone06:47
*** edmondsw has joined #openstack-keystone06:48
*** edmondsw has quit IRC06:52
*** thorst has joined #openstack-keystone06:59
*** pcaruana has joined #openstack-keystone07:02
*** thorst has quit IRC07:04
*** tesseract has joined #openstack-keystone07:04
*** rcernin has joined #openstack-keystone07:09
*** rcernin has quit IRC07:10
*** rcernin has joined #openstack-keystone07:10
*** belmoreira has joined #openstack-keystone07:13
*** aojea has quit IRC07:29
*** brenttang has quit IRC07:42
*** Shunli has joined #openstack-keystone07:50
*** shuyingya has quit IRC07:50
*** adriant has quit IRC07:50
*** shuyingya has joined #openstack-keystone07:51
*** shuyingya has quit IRC07:56
*** shuyingya has joined #openstack-keystone07:57
*** zzzeek has quit IRC08:00
*** zzzeek has joined #openstack-keystone08:00
*** thorst has joined #openstack-keystone08:00
*** shuyingy_ has joined #openstack-keystone08:05
*** shuyingya has quit IRC08:08
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware master: Imported Translations from Zanata  https://review.openstack.org/44948408:16
*** thorst has quit IRC08:19
*** bjornar_ has joined #openstack-keystone08:26
*** markvoelker has quit IRC08:26
*** stingaci has joined #openstack-keystone08:28
*** stingaci has quit IRC08:32
*** alex_xu has quit IRC08:41
*** alex_xu has joined #openstack-keystone08:42
*** aojea has joined #openstack-keystone08:46
*** aojea_ has joined #openstack-keystone08:47
*** aojea has quit IRC08:50
*** rocky has joined #openstack-keystone09:03
*** rocky has quit IRC09:06
*** rocky has joined #openstack-keystone09:07
*** liujiong has quit IRC10:03
*** liujiong_lj has joined #openstack-keystone10:03
*** nicolasbock has joined #openstack-keystone10:03
*** liujiong_lj has quit IRC10:12
*** richm has joined #openstack-keystone10:13
*** thorst has joined #openstack-keystone10:17
*** thorst has quit IRC10:22
*** markvoelker has joined #openstack-keystone10:27
*** markvoelker has quit IRC10:31
*** links has quit IRC10:39
*** mvk has quit IRC10:40
*** evrardjp_ has quit IRC10:45
*** evrardjp has joined #openstack-keystone10:45
*** links has joined #openstack-keystone10:55
*** shuyingy_ has quit IRC10:57
*** shuyingya has joined #openstack-keystone10:57
*** dave-mccowan has joined #openstack-keystone11:06
*** voelzmo has quit IRC11:24
*** voelzmo has joined #openstack-keystone11:25
samueldmqmorning keystone11:29
*** thorst has joined #openstack-keystone11:32
cmurphymorning samueldmq11:33
samueldmqcmurphy: o/11:33
samueldmqcmurphy: there is a review in need of an operator view, if you don't mind ...11:34
samueldmq:-)11:34
*** mvk has joined #openstack-keystone11:35
samueldmqcmurphy: https://review.openstack.org/#/c/441549 my point is that if it's okay to change info -> debug just like that11:36
cmurphysamueldmq: hmm I don't really have any opinion11:39
cmurphyI've never used that parameter11:39
samueldmqcmurphy: that's okay thank you :)11:40
lbragstado/12:13
*** shuyingya has quit IRC12:21
*** shuyingya has joined #openstack-keystone12:21
*** Aqsa has joined #openstack-keystone12:25
*** shuyingy_ has joined #openstack-keystone12:25
*** markvoelker has joined #openstack-keystone12:28
*** shuyingya has quit IRC12:28
*** edmondsw has joined #openstack-keystone12:30
*** stingaci has joined #openstack-keystone12:30
*** shuyingy_ has quit IRC12:32
*** markvoelker has quit IRC12:32
*** stingaci has quit IRC12:35
*** voelzmo has quit IRC12:38
*** voelzmo has joined #openstack-keystone12:38
*** voelzmo has quit IRC12:40
*** voelzmo has joined #openstack-keystone12:41
*** lamt has joined #openstack-keystone12:41
*** zhurong has quit IRC12:42
*** ayoung has joined #openstack-keystone12:52
*** jaosorior has quit IRC12:52
*** jaosorior has joined #openstack-keystone12:53
*** spilla has joined #openstack-keystone12:53
*** Shunli has quit IRC13:02
*** catintheroof has joined #openstack-keystone13:05
andymccrlbragstad: i reworked that patch would love your input when you get a second - the integration with keystone gate bit may require a bit more work to figure out what is exactly needed: https://review.openstack.org/#/c/432449/13:08
lbragstadandymccr awesome - thanks!13:08
*** links has quit IRC13:09
*** cristicalin has joined #openstack-keystone13:12
openstackgerritSean McCully proposed openstack/keystoneauth master: KeystoneAuth should default to system CAFile.  https://review.openstack.org/45258513:16
*** shuyingya has joined #openstack-keystone13:21
*** knangia has quit IRC13:21
*** stradling has joined #openstack-keystone13:21
*** ravelar has joined #openstack-keystone13:22
openstackgerritRichard Avelar proposed openstack/keystone master: Remove unused revocation check in revoke_models  https://review.openstack.org/45145213:24
*** shuyingya has quit IRC13:25
openstackgerritRichard Avelar proposed openstack/keystone master: Remove unused code in test_revoke  https://review.openstack.org/45323513:27
bjornar_What is causing the "Could not load memcache" error when using token backend memcache?13:27
*** spzala has joined #openstack-keystone13:30
openstackgerritRichard Avelar proposed openstack/keystone master: Add setup to test classes and private method  https://review.openstack.org/45325413:31
openstackgerritRichard Avelar proposed openstack/keystone master: Remove unused code in test_revoke  https://review.openstack.org/45323513:31
*** chlong has joined #openstack-keystone13:31
*** shuyingya has joined #openstack-keystone13:32
openstackgerritRichard Avelar proposed openstack/keystone master: Remove unused code in test_revoke  https://review.openstack.org/45323513:33
openstackgerritRichard Avelar proposed openstack/keystone master: Add setup to test classes and private method  https://review.openstack.org/45325413:40
*** Shunli has joined #openstack-keystone13:45
lbragstadbjornar_ do you have a trace? what release are you using?13:46
dstanekbjornar_: i would guess that the client library isn't installed13:46
lbragstadwe also removed the kvs backend for token storage in pike13:46
lbragstadhttps://github.com/openstack/keystone/blob/stable/ocata/keystone/token/persistence/backends/kvs.py#L40-L4313:47
dstaneklbragstad: that's a very good point. it's not a great backend for persisting data13:47
*** jistr is now known as jistr|afk13:47
*** Shunli has quit IRC13:48
lbragstadhttps://github.com/openstack/keystone/blob/stable/ocata/setup.cfg#L161-L163 was in ocata13:48
openstackgerritRichard Avelar proposed openstack/keystone master: Add setup to test classes and private method  https://review.openstack.org/45325413:49
lbragstadbjornar_ https://github.com/openstack/keystone/commit/b8b1e189306539007b6afa052b6c9f909cad41a0 might be related13:50
lbragstadbjornar_ unless you're hitting something else13:50
*** jaosorior is now known as jaosorior_away13:55
openstackgerritRichard Avelar proposed openstack/keystone master: Add setup to test classes and private method  https://review.openstack.org/45325413:55
bjornar_I am trying to debug this, and what seems to happen is the following: oslo_utils/importutils.py:44 import_str == "memcache", so far so good, I think, but then: oslo_utils/importutils.py:30 (mod_str, _sep, class_str = import_str.rpartition('.')) .. mod_str == '', and __import__(mod_str) fails.. I have no clue what is supposed to be happening here, but I use it as documented!13:56
dstanekbjornar_: first i would say that you probably don't want to use memcache as a token backend13:57
lbragstadbjornar_ do you have the client library installed (via pip for example)?13:57
dstanekbjornar_: do you have a stack trace at all?13:57
bjornar_yeah, if I did not want to use memcache, I would not have configured it13:58
bjornar_lbragstad, the memcache [cache] is working, and py-memcache and python-memcached is instal.ed13:59
lbragstadbjornar_ which release are you using?13:59
dstanekbjornar_: just note that you may have excessive token expirations13:59
dstanekbjornar_: what version of keystone are you running?14:00
dstanekthe backend was deprecated in M and removed in O14:00
*** lamt has quit IRC14:00
bjornar_https://pastebin.com/raw/0Xq4GkDk14:01
bjornar_dstanek, why does it say nothing about that in: https://docs.openstack.org/ocata/config-reference/identity/samples/keystone.conf.html14:01
bjornar_lbragstad, ocata14:01
lbragstaddstanek looks like it was removed in pike - https://github.com/openstack/keystone/commit/b8b1e189306539007b6afa052b6c9f909cad41a014:02
bjornar_https://docs.openstack.org/ocata/config-reference/tables/conf-changes/keystone.html14:02
bjornar_it does not list even as deprecated14:02
openstackgerritRichard Avelar proposed openstack/keystone master: Add setup to test classes and private method  https://review.openstack.org/45325414:03
bjornar_dstanek, why would one want to store temporary volatile data in db anyway?14:03
bjornar_(like a uuid token)14:04
dstanekbjornar_: i'm not sure where they got that from14:04
dstanekbjornar_: well, the problem with that backend is that it was impossible to control token expiration. so we kept getting lots of bugs about tokens no longer being valid before their expiration14:05
dstanekbjornar_: nowadays we have tokens that don't need to be stored in the DB14:05
*** chris_hultin|AWA is now known as chris_hultin14:05
bjornar_dstanek, ? .. its quite easy to control expiry in a database that support expiration....14:05
*** melwitt has quit IRC14:05
*** melwitt has joined #openstack-keystone14:05
*** melwitt is now known as Guest4891014:06
bjornar_dstanek, Yeah, I know you have fernet, but I dont like it, too complex of a maintainance/rollover and so on.14:06
*** chris_hultin is now known as chris_hultin|AWA14:06
*** jraim has quit IRC14:06
*** agrebennikov has joined #openstack-keystone14:06
*** jraim_ has joined #openstack-keystone14:06
dstanekbjornar_: it's hard to control it in memcache, not the DB14:06
*** lbragstad has quit IRC14:07
bjornar_you dont need to control it, memcache expires it and its gone14:07
*** spzala has quit IRC14:07
dstanekbjornar_: but if it's gone before the user expects then we get bug reports14:07
bjornar_anyway. The problem now is just that the documentation is not only misleading, but plain wrong, it seems.14:07
*** lbragstad has joined #openstack-keystone14:08
bjornar_dstanek, why should it be gone before user expects?14:08
dstanekbjornar_: memcache eviction14:08
bjornar_I mean only if you run out of memory or your server is killed, its ok for me that you need to relogin then.14:09
*** ChanServ sets mode: +o lbragstad14:09
*** chris_hultin|AWA is now known as chris_hultin14:09
dstanekbjornar_: since generated tokens are about the same size they fit into the same slabs. this means that you won't fully use all of your memcached memory like you would expect and evictions happen14:09
dstanekfor example, if you have 8g for memcache then you have only have 128m for tokens14:09
bjornar_yeah, yeah.. I have some gigs, and I am not worried. For all I care it beats storing this in sql14:10
bjornar_dstanek, wth do you say that?14:10
bjornar_Back to where we started: where does it say that memcache backend is depricated/removed, and is this also true for for example redis?14:11
*** dougshelley66 has quit IRC14:11
dstanekbjornar_: memcahce divides it's memory into slabs (iirc based on powers of 2) so object 32k-64k would be put into the same slab. slab fill up independent of other slabs14:11
bjornar_dstanek, sounds crazy unlikely to be true, but if it is its insanity14:12
dstanekbjornar_: i believe redis can be configured to persist to disk14:12
bjornar_dstanek, yeah it can14:12
*** portdirect has quit IRC14:12
dstanekbjornar_: it's true. that's how it has the scaling properties that it has14:12
*** portdirect has joined #openstack-keystone14:13
dstanekbjornar_: just google for memcached slabs and you'll see lots of descriptions of how they work14:13
*** odyssey4me has quit IRC14:13
*** chris_hultin is now known as chris_hultin|AWA14:14
bjornar_I dont believe that is true for a bit, but I'll check it out14:15
dstanek https://github.com/openstack/keystone/commit/564c414:16
bjornar_problem right now is why does the ocata documentation mention _nothing_ about deprecation or removal of this driver if it is already removed14:16
*** odyssey4me has joined #openstack-keystone14:16
dstanekbjornar_: i wouldn't lie to you :-)14:17
bjornar_What a fucking ugly commit. Removing functionahlity without mentioning anywhere in docs. Wth do you let that kind of commits through?!14:17
ayoungstevemar, can you see if https://review.openstack.org/#/c/290253/ now meets your standards?  I think I addressed your questions.14:18
ayoungbjornar_, I would totally lie to you.  I lie to everyone.14:18
dstanekbjornar_: take it easy. i don't think we mention it anywhere in our docs anymore14:18
bjornar_dstanek, I just pointed you to ocata docs..14:19
*** chris_hultin|AWA is now known as chris_hultin14:19
ayoungbjornar_, the problem was revocations.  You revoke a token and it was recorded in the token backend.  Restart the token backed (and flush) and you unrevoke tokens.14:19
dstanekbjornar_: we don't control those14:19
ayoungbjornar_, that particular problem is no longer a problem14:20
ayoungbut at the same time, we moved to Fernet tokens14:20
ayoungwhich are not persisted at all14:20
ayoungrevocations are dumb anyway14:20
ayoungbjornar_, but that is neither here nor there.  Any reason you can't move over to Fernet?14:21
dstaneki am curious why i didn't see it mentioned in the generated release notes14:21
lbragstaddstanek https://docs.openstack.org/releasenotes/keystone/ocata.html#deprecation-notes14:22
dstaneklbragstad: yeah, i just found the source in removed-as-of-ocata.....14:23
lbragstaddstanek looks like it rendered properly14:23
bjornar_ayoung, I can, but I just dont like it, and that I need to manage rollover and so on in a cluster with master/slave topoplogy and distribution and what not14:24
dstaneklbragstad: that says deprecated...there is a release note file for it being removed14:24
ayoungbjornar_, so don't14:24
lbragstaddstanek yeah - that was merged in Pike14:24
ayoungbjornar_, set up the keys once and forget them14:25
dstanekbjornar_: if you trust UUID tokens then i don't thing you need to rotate keys14:25
ayoungkey rotation is highly over rated14:25
dstanekbjornar_: it would be more secure, but i think you can by with rotating only after a known issue14:25
dstanekayoung: ++ over rated14:26
ayoungbjornar_, I assume you don't want to spend your life full time supporting keystone.  Neither do we.  THere is a metric ton of stuff in Keystone that should die in a fire.14:27
ayoungTokens in general are a poor proxy for authentication14:27
ravelardolphm14:27
ayoungso, yeah, we are going to remove things.14:27
dstaneklbragstad: it was burried "The memcache and memcache_pool token persistence backends have been removed in favor of using Fernet tokens (which require no persistence)."14:27
ayoungWritable LDAP14:28
ayoungPKI Tokens14:28
ayoungAll of Keystone?14:28
ayoungin my dreams, maybe14:28
ayoungbottom line, Memcache backend for Tokens have been on the chopping block for a while.14:28
ayoungAnd I suspect UUID tokens will get there eventually, too14:28
*** markvoelker has joined #openstack-keystone14:29
bjornar_The main problem is not that it is removed. Its that its still live and well in your own docs!14:30
dstanekayoung: bjornar_: uuid is already deprecated in pike https://github.com/openstack/keystone/commit/5896d841dfa1e8ab2e3179991b1b5c70f54f2ed114:30
bjornar_And also, I think its sad that "you" allow commits that break functionality, but does not update documentaion in the same  commit14:30
bretoncould you please remind me why uuid tokens in sql are bad?14:30
bjornar_dstanek, we are not talking about pike here.14:31
bjornar_breton, because its volatile, and sql is persistent14:31
bjornar_..basically14:31
bjornar_no reason to "stress" sql with volatile data imhp14:31
dstanekbjornar_: ayoung mentioned that they may evenually go away. i was pointing out that they will go away.14:31
bjornar_dstanek, yeah, sure -- I was thinking on this: https://github.com/openstack/keystone/commit/564c414:32
bretoni mean, i don't understand why we didn't manage to fix them. Tokens are basically cookies. Cookies are often stored in the database. And cookies work fine for browsers and sites.14:32
dstanekbjornar_: this is already a done deal for the reasons that i've outlined. the question is how the docs team got that sample config14:32
bretonexcept these cookies have 1h expiration time14:32
bjornar_dstanek, probably because the commit above did nothing to document the changes!14:32
bretonor even better -- sessions14:33
bretondjango stores sessions in the database by default afaik14:33
dstanekbjornar_: it's in our release notes...so there was a commit to document it14:33
ayoungbjornar_, look deeper.  If the keystone team is anything, it is detail oriented.  I'm not, but the rest of the team is.14:33
dstanekbjornar_: do they actually document that the memcache backend is usable? or is it just in the sameple config?14:34
bjornar_dstanek, the problem is that this information is not "available" to everyone.14:34
bretonso, how has facebook and other web applications managed to work with cookies and we haven't?14:34
dstanekbjornar_: what do you mean by available?14:34
lbragstadbjornar_ it was tracked under the same branch with a series of commits accomplishing the same goal - https://review.openstack.org/#/c/375914/14:34
bjornar_Are you guys seriously suggesting that one should not look at the official documentation, but the commit-logs?!14:35
*** markvoelker has quit IRC14:35
lbragstadbjornar_ that's not what we're suggesting, but we do render formal release notes for changes like that as a way to communicate these kinds of things to operators and users14:35
dstanekbjornar_: no. not at all.14:35
dstanekbjornar_: do they actually document that the memcache backend is usable? or is it just in the sameple config?14:35
bjornar_dstanek, as longs as its in the sample config, and not in deprecations and so on, I would believe it is usable, unless otherwise documented (as for example kvs is)14:36
dstanekbjornar_: ok, so i'm trying to help and figure out what went wrong. i'm not looking to blame anyone keystone, docs team  or you.14:37
ravelardolphm Happy Birthday!14:37
dolphmravelar: shh14:37
dstanekbjornar_: so the only place you've seen it mentioned is the sample config?14:37
dstanekdolphm: happy b-day!14:38
bjornar_dstanek, yeah, I mean. So far thats where I have looked..14:38
bjornar_There and in "new outdated and deprecated"..14:38
bjornar_not mentioned there14:38
bretonwhat's not mentioned?14:38
*** cristicalin has quit IRC14:38
bjornar_the deprecations14:38
dstanekbjornar_: it wasn't deprecated in O it was removed14:39
bjornar_it should still be mentioned, right?14:39
bretonit was mentioned for 2 releases14:39
bretonin warnings14:40
bjornar_and it should probably not be in sample config14:40
bjornar_breton, 2 releases ago does not really mean much for new deployers14:40
bjornar_Is it anything to discuss? The documentaion is wrong, and this is what people use as a reference mostly14:40
bretonwell, fix it14:41
dstanekbjornar_: yes, absolutely useful to discuss. it would be nice to figure out what happened and fix it14:41
bjornar_dstanek, imho what happened was that the commit that removed the functionality did nothing to update any documentation regarding it.14:42
*** Guest48910 is now known as melwitt14:42
dstanekbjornar_: the docs you keep pointing to are not under our control14:42
bjornar_dstanek, so, perhaps you should have some better rules for what a commit that changes functionality needs to include14:42
*** aojea_ has quit IRC14:43
dstanekbjornar_: that link's source isn't from the same repo either14:43
bjornar_dstanek, then thats the problem, where is this information rendered from -- you cant really blame me for reading it, can you? Its basically the official documentation, right?14:43
dstanekhttps://docs.openstack.org/ocata/config-reference/identity/token-provider.html is wrong as well because i belive we remvoved pki in O as well14:43
dstanekbjornar_: nobody is blaming you. we are trying to understand where you saw it so that we can get it fixed.14:44
dstaneki've said this a few times14:44
bretoni think it's a good opportunity to file a bugreport for some project14:44
lbragstadwe have a process for that14:44
dstaneki can't find where those docs are actually stored14:45
lbragstaddstanek https://github.com/openstack/openstack-manuals/tree/master/doc/config-reference/source/identity14:45
*** rderose has joined #openstack-keystone14:45
dstaneklbragstad: ah, manuals. i kept searching the page for docs14:45
lbragstadopen a bug against openstack manuals and keystone, it's what we use to make sure all the details that need to be capture in the docs repo are communicated properly14:45
bretonhttps://github.com/openstack/openstack-manuals/blob/master/doc/config-reference/source/identity/samples/keystone.conf.rst14:46
breton?h=stable/newton14:46
bretonnice :)14:46
*** knangia has joined #openstack-keystone14:48
dstanekbreton: that'll do it14:49
dstanekbreton: it looks like the ocata branch is fine. they their link should be adjusted14:50
bretonhttps://bugs.launchpad.net/openstack-manuals/+bug/168049114:51
openstackLaunchpad bug 1680491 in openstack-manuals "keystone.conf is shown for newton" [Undecided,New]14:51
*** voelzmo has quit IRC14:51
*** spzala has joined #openstack-keystone14:51
*** voelzmo has joined #openstack-keystone14:51
*** voelzmo has quit IRC14:52
*** voelzmo has joined #openstack-keystone14:53
*** jistr|afk is now known as jistr14:53
openstackgerritRichard Avelar proposed openstack/keystone master: Validate rolling upgrade is run in order  https://review.openstack.org/43744114:53
dstanekbreton: thanks14:53
openstackgerritRichard Avelar proposed openstack/keystone master: Validate rolling upgrade is run in order  https://review.openstack.org/43744114:56
openstackgerritRichard Avelar proposed openstack/keystone master: Remove unused code in test_revoke  https://review.openstack.org/45323514:57
bretonbjornar_: https://review.openstack.org/#/c/454223/ this should solve your issue14:58
bretonbjornar_: please file bugreports as soon as you see something wrong or inconsistent14:58
*** markvoelker has joined #openstack-keystone14:59
bjornar_another question you might be able to answer.. how can I force the openstack cli to use the internal endpoint url for the services?14:59
openstackgerritRichard Avelar proposed openstack/keystone master: Add federated support for get user  https://review.openstack.org/44873015:01
dstanekravelar: did my comment if your setup review make sense?15:02
dstanekbjornar_: according to 'openstack --help' you might be able to use --os-interface. i've never tried myself15:04
*** TravT has joined #openstack-keystone15:05
bjornar_ok..15:05
bjornar_dstanek, that worked! thanks... nice documentaion on that option as well ;)15:06
*** voelzmo has quit IRC15:07
dstanekbjornar_: that's a whole other team :D15:07
*** shuyingya has quit IRC15:11
openstackgerritSean McCully proposed openstack/keystoneauth master: KeystoneAuth should default to system CAFile.  https://review.openstack.org/45258515:13
*** ravelar has quit IRC15:15
*** ravelar has joined #openstack-keystone15:17
knikollao/15:21
dstanekravelar: you need to use more branches so that you don't push up so many revisions of the same changes15:23
*** pcaruana has quit IRC15:28
*** mvk has quit IRC15:33
dolphmdstanek: talking about his revocation refactor series?15:38
*** belmoreira has quit IRC15:39
*** voelzmo has joined #openstack-keystone15:44
openstackgerritRon De Rose proposed openstack/keystone-specs master: App Keys  https://review.openstack.org/45041515:45
openstackgerritRon De Rose proposed openstack/keystone-specs master: App Keys for application authentication  https://review.openstack.org/45041515:46
*** zhurong has joined #openstack-keystone15:47
*** zhurong has quit IRC15:49
dstanekdolphm: that's what drove the thought, but generally speaking too15:49
*** jlopezgu_ has joined #openstack-keystone15:50
notmorgandstanek: we should revisit keeping a sample config at all15:51
notmorgandstanek: and we should simply ensure we render in the docs instead of a sample cnfig in tree15:51
*** bjornar_ has quit IRC15:51
notmorganlbragstad: ^15:51
notmorganthat way we *never* have an out-of-date sample config15:51
notmorganor similar confusion15:52
*** Aqsa has quit IRC15:52
lbragstadnotmorgan yeah - that's not a bad idea15:52
lbragstadnotmorgan something to close that gap would be nice15:52
notmorganalso the concern bjornar had was related to options being used for more than one thing15:53
notmorganalso, wasn't bjornar banned for being abusive to the team at one point?15:53
notmorganfrom IRC.15:53
notmorgandolphm: so... i hear it's your birthday.15:54
dstaneknotmorgan: that wouldn't surprise me15:54
*** ravelar1 has joined #openstack-keystone15:58
*** ravelar1 has quit IRC15:59
dolphmnotmorgan: technically16:00
notmorgandolphm: hehe16:00
notmorgandolphm: well... happy technically birthday16:01
*** lxnch_ has quit IRC16:01
*** lxnch has joined #openstack-keystone16:01
*** voelzmo has quit IRC16:02
*** voelzmo has joined #openstack-keystone16:08
*** jaosorior_away has quit IRC16:14
*** jaosorior has joined #openstack-keystone16:15
gagehugodolphm: happy birthday!16:15
*** browne has joined #openstack-keystone16:16
*** voelzmo has quit IRC16:16
*** chris_hultin is now known as chris_hultin|AWA16:31
*** chris_hultin|AWA is now known as chris_hultin16:31
*** mvk has joined #openstack-keystone16:37
*** voelzmo has joined #openstack-keystone16:39
*** jaosorior is now known as jaosorior_away16:48
*** voelzmo has quit IRC16:49
*** tesseract has quit IRC16:50
*** harlowja has joined #openstack-keystone17:23
*** chris_hultin is now known as chris_hultin|AWA17:39
*** rajpatel has joined #openstack-keystone17:59
*** chlong has quit IRC18:04
*** bjornar_ has joined #openstack-keystone18:05
*** clenimar has quit IRC18:18
*** chlong has joined #openstack-keystone18:19
*** stingaci has joined #openstack-keystone18:21
*** lucasxu has joined #openstack-keystone18:22
*** TravT has quit IRC18:24
*** rajpatel has quit IRC18:24
*** aojea has joined #openstack-keystone18:25
lbragstaddstanek you were just playing with devstack recently, weren't you?18:38
lbragstaddstanek you didn't hit https://bugs.launchpad.net/keystone/+bug/1680525 did you?18:40
openstackLaunchpad bug 1680525 in OpenStack Identity (keystone) "keystone-manage fails with "ImportError: No module named 'memcache'"" [Undecided,New]18:40
*** voelzmo has joined #openstack-keystone18:41
dstaneklbragstad: nope, i play with devstack all the time. i've not seen that yet18:44
*** MasterOfBugs has joined #openstack-keystone18:46
*** rajpatel has joined #openstack-keystone18:46
lbragstaddstanek hmmm - seems like something merged recently that broke it?18:46
lbragstador maybe a change in devstack?18:46
*** chris_hultin|AWA is now known as chris_hultin18:47
dstaneklbragstad: that should be installed by our tox.ini18:47
lbragstaddstanek i thought that was an optional dependency18:47
dstanekerrr wait\18:47
dstanekthey don't use that. maybe devstack no longer installs it?18:48
dstaneklbragstad: it's optional and up to the deployer to install18:48
lbragstadright - that's what i thought, too18:48
dstaneklbragstad: i just asked the quesiton on the bug18:51
lbragstaddstanek lol so did I18:55
*** ayoung is now known as ayoung_admode18:55
*** ayoung_admode is now known as ayoung_dadmode18:55
* lbragstad steps away for a run18:55
dstanekravelar: did you see my question from earlier?18:56
ravelardstanek no, what about?18:57
bjornar_why can't I put fernet tokens in database?18:59
dstanekravelar: i was asking about my comment if your setup patch18:59
dstanekbjornar_: they are not stored in the database19:00
bjornar_?19:00
*** rajpatel has quit IRC19:00
bjornar_dstanek, are they not stored in filesystem? ey_repository = /etc/keystone/fernet-keys/19:00
*** rajpatel has joined #openstack-keystone19:00
ravelardstanek oh the review?19:00
bjornar_dstanek, ofcorse I mean keys, not tokens19:00
dstanekbjornar_: ah, keys. there i currently no backend to store them in the database. it's been talked about, but didn't get any traction AFAICR19:02
bjornar_Its just so obvious I am dazzled19:03
dstanekit's modeled more or less on apache certs19:03
bjornar_You basically have a single storage engine that needs to be distributed, sql.. and "you" choose to place keys that needs to be distributed in ... the only _not_ distributed place there is basically, the local fs19:04
dstanekit's not necessarily abuot being obvious. it's about not having a stakeholder that wants to commit to doing it or dealing with the related security issues19:04
dstanekbjornar_: do you put your SSL certs for apache in the DB?19:04
bjornar_dstanek, first of all, I dont use apache, I didnt think anyone did anymore. Second, yes, I ofcorse place ssl certificated in database.19:05
*** raildo has quit IRC19:06
dstanekbjornar_: then feel free to submit a patch19:06
*** raildo has joined #openstack-keystone19:06
bjornar_dstanek, I'd rather rewrite keystone from scratch in luajit I think19:06
dstanekbjornar_: i won't stop you19:07
bjornar_its probably exists some sql fuse19:09
dstanekbjornar_: we've accepted a backlog spec to allow for storage backends - https://review.openstack.org/#/c/311268/19:11
notmorganbjornar_: please feel free to rewrite keystone in something else if you so desire. You're also welcome to contribute fixes such as making fernet keys something that can be distributed.19:14
openstackgerritAnthony Washington proposed openstack/keystone master: Move role policies to DocumentedRuleDefault  https://review.openstack.org/44925119:14
notmorganbjornar_: unfortunately we (the developers) cannot do everything and have to gauge interest in features. as dstanek said we proposed distributed backends for fernet keys, it had very little interest as the keys are mostly managed via config-management19:16
*** voelzmo has quit IRC19:16
notmorganat the moment, which was sufficient for operators.19:16
notmorganit was accepted, but when we asked for contribution we didn't have any and most operators discussed it as pretty far down their requirements compared to other bits we've been working on19:17
openstackgerritMerged openstack/keystone master: Remove unused code in test_revoke  https://review.openstack.org/45323519:17
bjornar_notmorgan, Yeah, I mean its not a huge problem to do this with ansible, but still -- just a bit frustrated about the design, mostly, that this was not done from day1. I mean -- bootstrap/automatic key rollover and so on and so on could all then just be a part of the cluster-process, not a dependancy on some external "cronjob"19:27
notmorganagain, it's simply not been a consistent requirement we've been asked for as a high priority19:27
notmorganpart of what we did was leaned on cryptography's implementation of fernet19:28
notmorganwhich used on-disk19:28
notmorganas a default/easy behavior.19:28
notmorgansolving the issue in a secure way with a distributed bit in the DB is also challenging / we didn't have as much crypto info for storing the keys (i worry about DB access in general leaking vs FS access leaking remotely).19:29
notmorgananyway, it's something that has been discussed and we're not opposed to it. we need either someone to own it and build it or we need it to rate higher on the requests for feature type surveys/operator feedback19:30
bjornar_notmorgan, I mean seriously, if you are worried about keys leeking out of sql.. hey..19:31
bjornar_notmorgan, so keys are cached in local memory right not, correct?19:32
notmorgani worry that SQL is a larger attack vector from any API (since they all tend to share access) than the FS. it is my job to consider these things. I didn't say i'd block changes to enable the distributed thing you're asking for19:32
notmorgani just gave you another bit to consider.19:33
bjornar_notmorgan, but still, you have to trust sql. Or get rid of it alltogether, with sql access one could do whatever anyway.. so its not really valid to even mention it19:33
notmorganit is valid to mention, the fernet key can allow someone to craft tokens completely offline with other info19:34
notmorganif someone injects user data into the DB, we can see that. tokens in fernet could be valid with no record of issuance.19:35
notmorganand tokens could be created with near unlimited timeframes (in theory)19:36
bjornar_notmorgan, rollover should fix that, and db would allow for fast and automated rollover19:37
notmorganno realistic expiry. with crypto, keys are very important to hold secure. all vectors of attack should be considered. IT doesn't mean halt development efforts. it does mean think before writing code when dealing with IAM.19:37
* notmorgan shrugs.19:38
notmorgani don't know how else to tell you I wouldn't block the development of what you're asking for. As long as it was considered what the attack vectors and implications for securing the keys are (aka, documentation so different models could be weighed by folks deploying keysotne)19:39
notmorganand as long as someone steps up to write it/help maintain it.19:39
bjornar_yeah.. we will probably just do it inhouse to make it happen tomorrow, not next year19:39
*** lwanderley has joined #openstack-keystone19:42
notmorganfeel free to contribute upstream. the spec was accepted, i'm sure (Even if it was dropped) we'd gladly take the code19:42
notmorganthe spec being dropped that is.. it's easy to re-add it if someone is developing it19:42
bjornar_notmorgan, so it's this thing? https://review.openstack.org/#/c/311268/2/specs/keystone/backlog/fernet-key-store.rst19:44
*** openstack has joined #openstack-keystone19:44
notmorganbut it could be re-added/revert the deletion if someone is going to develop it.19:44
notmorganthats a relatively simple process since it was already accepted19:45
notmorganbjornar_: we would need to revert https://review.openstack.org/#/c/439194/19:46
bjornar_notmorgan, Ok, so I see.. so what about encrypting the keys in db with a static key in keystone.conf?19:54
notmorganyou'd need to see how fernet works and if you could do this easily. Second, I'd want to see the documentation on the thread analysis of a setup like that. What are the risks, what are the rewards, etc19:55
notmorganthreat*19:56
notmorgandoesn't need to be crazy detailed, just a solid overview.19:56
notmorganwith that said, I much prefer something that doesn't involve keystone.conf (since that is a restart of keystone service) to change.19:56
*** voelzmo has joined #openstack-keystone19:57
*** voelzmo has quit IRC19:57
*** voelzmo has joined #openstack-keystone19:57
notmorganfor key rotation purposes / static keys. however, I can't say I'd score the idea -1, -2, +1, +2 etc without more detail than "what about X" on irc.19:57
*** chris_hultin is now known as chris_hultin|AWA20:00
*** voelzmo has quit IRC20:01
*** chris_hultin|AWA is now known as chris_hultin20:02
*** harlowja has quit IRC20:03
dstanekbjornar_: now you hitting the 'security considerations' i was talking about earlier20:12
dstanekbjornar_: from my perspective we do not trust the database with secrets.20:12
bjornar_its silly not to trust the database, but perhaps not not to trust the database backups.20:17
dstanekit's absolutely not silly. it's also potentially illegal depending on what is being stored..... this is why passwords are hashed and not stored in plaintext20:22
dstanekbjornar_: i often use this cartoon in security classes: https://xkcd.com/327/20:27
bjornar_dstanek, you are the cartoon in security classes20:27
dstanekbjornar_: um...sure20:28
notmorganbjornar_: not sure if that was implying he was not competant or if we're hitting a language barrier here. I'm going to ask that we keep the channel free of insults (if that was the intent)20:28
bjornar_no insult intended20:29
notmorganok. cool, like i said, wasn't sure.20:29
dstanekbjornar_: it highlights why databases can't be trusted as a secure source of secrets20:29
notmorganand i didn't want anything to feel like an overreaction ^_^. thanks for understanding20:29
dstaneknot enough security controls by itself20:29
bjornar_dstanek, that is just not correct, seriously man20:29
bjornar_dstanek, how can you trust a filesystem when one has rm?20:30
bjornar_how can you trust a computer when it has a power cord20:30
bjornar_..and so on20:30
notmorganyou can do a lot with POSIX and MAC at the kernel level. a lot of those features are harder to implement when an application needs r/w access to the db20:30
dstanekbjornar_: so that cartoon uses DROP, but there have lots of DB injection attacks that have allowed attackers to pull out data20:30
bjornar_I hope sql injections are a thing of the pas20:31
dstanekbjornar_: maybe, maybe not. we still have to protect against them20:31
notmorganbjornar_: so do i, we use the ORM, but if there is an issue, it could happen. it is more likely to happen than a read on the FS or even a read out of memory20:31
dstanekyou also mentioned backups. that's a real problems20:31
notmorgandstanek: ++20:31
dstanekwe would be negligent not to hash password. and the same goes for any other secret we store.20:32
bjornar_Is this #paranoid about sql, but codebase crappy as f*** with bugs one can see from miles away?20:32
notmorganbjornar_: ok so, please point out the bugs.20:32
notmorganwe have issues, it is known we have issues, we work on fixing them20:33
bjornar_notmorgan, they are for my own hobby purposes ;)20:33
bjornar_I mean, it impossible to keep a civil and intellectual discussion about anything if people keeps bringing up things like uid's are not safe, sql is not safe, sql-injections (1980) and so on.20:34
dstanekbjornar_: i'm sorry, but i must point out the obvious. as a core part of openstack's security posture we have the responsibility and obligation to follow *all* of the security best practices.20:34
dstanekbjornar_: how so? we've not had complaints about being to secure in the past20:34
notmorganbjornar_: i don't think we're being unreasonable in pointing these out. we have not said in the slightest we can't lean on the DB for secrets.20:34
notmorganwe are saying if we look at that we need to have a clear "what are the risks"20:35
notmorganand a discussion about risks included things such as SQL injection, even with sanitized input... it happens. bugs occur20:35
dstanekwe actually currently have passwords in the DB and a whole credentials subsystem for other types of secrets20:36
notmorgansecurity is important, and as dstanek said, it is important we look at all best practices.20:36
bjornar_Yeah, that I can relate to, but one cannot be a channel full of paranoid schitzoprenics20:36
notmorganwe haven't said "SQL is insecure" we have said "SQL has issues, here are what we see, this is important before we put these types of secrets in the DB"20:37
notmorgani classify the former as paranoid, the latter as realistic approach to technology that has security implications20:37
bjornar_the point is still on a level above, and not related to the keystone project as such20:37
notmorganand there are times to say "yep we know issue X, Y, Z are real issues and if you use this driver, be aware of the exposures"20:38
bjornar_the choice that one trusts sql is done at the above level. After that, its not valid to discuss anymore I think20:38
notmorganand sometimes it's better to say "we can't do that because it is a serious issue"20:38
bjornar_where backups are placed and so on it the users security issue20:38
bjornar_same goes for fs and whatever else20:38
notmorgani can make the same argument about using the FS insead of SQL for the keys20:38
notmorganit's the user's issue to synchronize20:38
dstanekbjornar_: you're missing my point about SQL. if we store secrets there we must enrypt or hash. that's it. we can't trust that the data won't leak.20:39
bjornar_dstanek, one must not20:39
bjornar_dstanek, thats bs.. why should it leak?20:39
bjornar_anymore than a file in ansible?20:39
notmorganit's the same reason sha512_crypt is "Secure" but you don't publish your shadow file for your servers20:40
dstanekbjornar_: yes. it's actually a common problem.20:40
notmorganor even your private SSH key encrypted.20:40
bjornar_I mean how keys are generated one place, copied into ansible localhost's memory and then distributed around is a far bigger security risk20:40
bjornar_and thats what "everyone" does these days20:40
dstanekbackups, interfaces built on top of database, faulty logging, etc....20:40
dstanekso we do our best to protect against real world issues.20:40
notmorganwe have mostly stayed out of the "secure the keys" details where we can. leaving the details for such things in the same tech that say SSL Private Keys are handled for deployment20:41
dstanekwe are not being obstructionists and saying you can't put those things in the database. feel free to write the driver for it20:41
notmorganit's a different scope of security/data distribution.20:41
bjornar_notmorgan, Yeah, please do20:41
bjornar_Completely agree, this has to be secured on a different level20:41
notmorganwe are and have been saying we will accept code for this20:41
notmorganwe're not saying no at all.20:42
dstaneknotmorgan: i actually like that because the problem has already been solved so no reason to solve it again20:42
notmorgandstanek: i also agree20:42
notmorganbut i wouldn't block a driver to put this in the DB as long as the risks are documented20:42
bjornar_I can set a guy on implementing this tomorrow, but I'm just not ready for the whole database is not secure cartoon conversation.20:42
notmorgani'm happy to accept useful code to make people's lives better.20:42
dstaneknotmorgan: the spec i reference earlier was because the deployment tooling someone was using made rotation and distribution hard for some reason20:43
notmorgandstanek: yah.20:43
notmorganand i'm happy to revive the spec honestly20:43
lbragstadwe talked about refining it in the meeting20:43
notmorganbut unless someone is willing to contribute and document the details and risks (so informed decisions can be made when deploying) it wont happen20:44
*** david-lyle has quit IRC20:44
dstanekbjornar_: then make sure the secure the data. it may be as easy as using the same approach that we used for credentials20:44
notmorganbjornar_: we're *really* trying to say we're not blocking you or your people from working on it.20:44
bjornar_thing is one has to trust the db20:44
notmorganand that we'd accept it.20:44
*** rcernin has quit IRC20:44
dstanekbjornar_: no, you have to enrypt your secrets20:44
notmorganbut you'll have to work with us on it.20:44
bjornar_dstanek, I dont want to speak to you anymore, so please be kind and stay out of the rest of this conversation20:45
notmorganbjornar_: then i'm sorry we're kindof at an impass.20:45
notmorgani trust dstanek very much when it comes to this type of stuff20:45
lbragstadbjornar_ as a community we do not tolerate the negativity you've displayed in this conversation. It's unnecessary and counter-productive. I encourage you to read and understand our community guidelines https://www.openstack.org/legal/community-code-of-conduct/20:45
notmorganand his view is important as a core on the project.20:45
dstanekbjornar_: that's fine, but just realize that nothing will merge if it has secrets as plaintext in the database20:45
notmorganand what lbragstad said.20:46
notmorganlbragstad: heh i was looking for that link. thanks.20:46
*** ChanServ sets mode: +b *!*@*20:46
*** tlbr was kicked by ChanServ (User is banned from this channel)20:46
*** andrewbogott was kicked by ChanServ (User is banned from this channel)20:46
*** peterstac was kicked by ChanServ (User is banned from this channel)20:46
*** jistr was kicked by ChanServ (User is banned from this channel)20:46
*** redrobot was kicked by ChanServ (User is banned from this channel)20:46
*** briancurtin was kicked by ChanServ (User is banned from this channel)20:46
*** jgrassler was kicked by ChanServ (User is banned from this channel)20:46
*** topol was kicked by ChanServ (User is banned from this channel)20:46
*** cargonza was kicked by ChanServ (User is banned from this channel)20:46
*** kamal___ was kicked by ChanServ (User is banned from this channel)20:46
*** raddaoui was kicked by ChanServ (User is banned from this channel)20:46
*** jamiec was kicked by ChanServ (User is banned from this channel)20:46
*** kevinbenton was kicked by ChanServ (User is banned from this channel)20:46
*** med_ was kicked by ChanServ (User is banned from this channel)20:46
*** zigo was kicked by ChanServ (User is banned from this channel)20:46
*** nonameentername was kicked by ChanServ (User is banned from this channel)20:46
*** serverascode was kicked by ChanServ (User is banned from this channel)20:46
*** sudorandom was kicked by ChanServ (User is banned from this channel)20:46
*** jefrite was kicked by ChanServ (User is banned from this channel)20:46
*** baffle was kicked by ChanServ (User is banned from this channel)20:46
*** Kimmo_ was kicked by ChanServ (User is banned from this channel)20:46
*** hrybacki was kicked by ChanServ (User is banned from this channel)20:46
*** andreaf was kicked by ChanServ (User is banned from this channel)20:46
*** bradjones was kicked by ChanServ (User is banned from this channel)20:46
*** Daviey was kicked by ChanServ (User is banned from this channel)20:46
*** mancdaz was kicked by ChanServ (User is banned from this channel)20:46
*** ctracey was kicked by ChanServ (User is banned from this channel)20:46
*** johnthetubaguy was kicked by ChanServ (User is banned from this channel)20:46
*** Nakato was kicked by ChanServ (User is banned from this channel)20:46
*** martinus__ was kicked by ChanServ (User is banned from this channel)20:46
*** breton was kicked by ChanServ (User is banned from this channel)20:46
*** anteaya was kicked by ChanServ (User is banned from this channel)20:46
*** cburgess was kicked by ChanServ (User is banned from this channel)20:46
*** wolsen was kicked by ChanServ (User is banned from this channel)20:46
*** robcresswell was kicked by ChanServ (User is banned from this channel)20:46
*** spotz was kicked by ChanServ (User is banned from this channel)20:46
*** afazekas was kicked by ChanServ (User is banned from this channel)20:46
*** wasmum- was kicked by ChanServ (User is banned from this channel)20:46
*** mgagne was kicked by ChanServ (User is banned from this channel)20:46
*** comstud was kicked by ChanServ (User is banned from this channel)20:46
*** chris_hultin was kicked by ChanServ (User is banned from this channel)20:46
*** hyakuhei was kicked by ChanServ (User is banned from this channel)20:46
*** g2 was kicked by ChanServ (User is banned from this channel)20:46
*** mjb was kicked by ChanServ (User is banned from this channel)20:46
*** zeus was kicked by ChanServ (User is banned from this channel)20:46
*** EmilienM was kicked by ChanServ (User is banned from this channel)20:46
*** ildikov was kicked by ChanServ (User is banned from this channel)20:46
*** bigjools was kicked by ChanServ (User is banned from this channel)20:46
*** jlvillal was kicked by ChanServ (User is banned from this channel)20:46
*** Anticimex was kicked by ChanServ (User is banned from this channel)20:46
*** asettle was kicked by ChanServ (User is banned from this channel)20:46
*** dims was kicked by ChanServ (User is banned from this channel)20:46
*** Alex_Oughton was kicked by ChanServ (User is banned from this channel)20:46
*** dstanek was kicked by ChanServ (User is banned from this channel)20:46
*** bknudson_ was kicked by ChanServ (User is banned from this channel)20:46
*** dtroyer was kicked by ChanServ (User is banned from this channel)20:46
*** dr_gogeta86 was kicked by ChanServ (User is banned from this channel)20:46
*** yuval was kicked by ChanServ (User is banned from this channel)20:46
*** clayton was kicked by ChanServ (User is banned from this channel)20:46
*** iurygregory was kicked by ChanServ (User is banned from this channel)20:46
*** antwash was kicked by ChanServ (User is banned from this channel)20:46
*** charz was kicked by ChanServ (User is banned from this channel)20:46
*** vaishali was kicked by ChanServ (User is banned from this channel)20:46
*** basilAB was kicked by ChanServ (User is banned from this channel)20:46
*** sirushti was kicked by ChanServ (User is banned from this channel)20:46
*** arturb was kicked by ChanServ (User is banned from this channel)20:46
*** waj334 was kicked by ChanServ (User is banned from this channel)20:46
*** DuncanT was kicked by ChanServ (User is banned from this channel)20:46
*** jmccrory was kicked by ChanServ (User is banned from this channel)20:46
*** david_cu was kicked by ChanServ (User is banned from this channel)20:46
*** Tahvok was kicked by ChanServ (User is banned from this channel)20:46
*** d34dh0r53 was kicked by ChanServ (User is banned from this channel)20:46
*** eglute was kicked by ChanServ (User is banned from this channel)20:46
*** lifeless was kicked by ChanServ (User is banned from this channel)20:46
*** rha was kicked by ChanServ (User is banned from this channel)20:46
*** kencjohnston was kicked by ChanServ (User is banned from this channel)20:46
*** woodburn was kicked by ChanServ (User is banned from this channel)20:46
*** tonyb was kicked by ChanServ (User is banned from this channel)20:46
*** flaper87 was kicked by ChanServ (User is banned from this channel)20:46
*** Administrator_ was kicked by ChanServ (User is banned from this channel)20:46
*** john5223 was kicked by ChanServ (User is banned from this channel)20:46
*** wxy was kicked by ChanServ (User is banned from this channel)20:46
*** aleph1 was kicked by ChanServ (User is banned from this channel)20:46
*** htruta was kicked by ChanServ (User is banned from this channel)20:46
*** eandersson was kicked by ChanServ (User is banned from this channel)20:46
*** jlopezgu was kicked by ChanServ (User is banned from this channel)20:46
*** knikolla was kicked by ChanServ (User is banned from this channel)20:46
*** r1chardj0n3s was kicked by ChanServ (User is banned from this channel)20:46
*** rakhmerov was kicked by ChanServ (User is banned from this channel)20:46
*** samueldmq was kicked by ChanServ (User is banned from this channel)20:46
*** AndyWojo was kicked by ChanServ (User is banned from this channel)20:46
*** timburke was kicked by ChanServ (User is banned from this channel)20:46
*** hugokuo was kicked by ChanServ (User is banned from this channel)20:46
*** dgonzalez was kicked by ChanServ (User is banned from this channel)20:46
*** mnaser was kicked by ChanServ (User is banned from this channel)20:46
*** chrome0 was kicked by ChanServ (User is banned from this channel)20:46
*** raginbajin was kicked by ChanServ (User is banned from this channel)20:46
*** obre_ was kicked by ChanServ (User is banned from this channel)20:46
*** freerunner was kicked by ChanServ (User is banned from this channel)20:46
*** bauruine was kicked by ChanServ (User is banned from this channel)20:46
*** sileht was kicked by ChanServ (User is banned from this channel)20:46
*** nkinder was kicked by ChanServ (User is banned from this channel)20:46
*** openstackstatus was kicked by ChanServ (User is banned from this channel)20:46
*** Guest6666 was kicked by ChanServ (User is banned from this channel)20:46
*** rdo was kicked by ChanServ (User is banned from this channel)20:46
*** dulek was kicked by ChanServ (User is banned from this channel)20:46
*** andreykurilin was kicked by ChanServ (User is banned from this channel)20:46
*** timss was kicked by ChanServ (User is banned from this channel)20:46
*** DinaBelova was kicked by ChanServ (User is banned from this channel)20:46
*** luzC was kicked by ChanServ (User is banned from this channel)20:46
*** jlwhite was kicked by ChanServ (User is banned from this channel)20:46
*** cmurphy was kicked by ChanServ (User is banned from this channel)20:46
*** dobson was kicked by ChanServ (User is banned from this channel)20:46
*** ianw was kicked by ChanServ (User is banned from this channel)20:46
*** dmellado was kicked by ChanServ (User is banned from this channel)20:46
*** Adobeman was kicked by ChanServ (User is banned from this channel)20:46
*** kukacz was kicked by ChanServ (User is banned from this channel)20:46
*** nikhil was kicked by ChanServ (User is banned from this channel)20:46
*** rm_work was kicked by ChanServ (User is banned from this channel)20:46
*** SamYaple was kicked by ChanServ (User is banned from this channel)20:46
*** davechen was kicked by ChanServ (User is banned from this channel)20:46
*** aloga was kicked by ChanServ (User is banned from this channel)20:46
*** marekd was kicked by ChanServ (User is banned from this channel)20:46
*** Dave was kicked by ChanServ (User is banned from this channel)20:46
*** frickler was kicked by ChanServ (User is banned from this channel)20:46
*** BlackDex was kicked by ChanServ (User is banned from this channel)20:46
*** jdennis1 was kicked by ChanServ (User is banned from this channel)20:46
*** mfisch was kicked by ChanServ (User is banned from this channel)20:46
*** jrist was kicked by ChanServ (User is banned from this channel)20:46
*** oomichi was kicked by ChanServ (User is banned from this channel)20:46
*** openstackgerrit was kicked by ChanServ (User is banned from this channel)20:46
*** darrenc was kicked by ChanServ (User is banned from this channel)20:46
*** wuyanjun was kicked by ChanServ (User is banned from this channel)20:46
*** Aurelgad1o was kicked by ChanServ (User is banned from this channel)20:46
*** John341 was kicked by ChanServ (User is banned from this channel)20:46
*** NikitaKonovalov was kicked by ChanServ (User is banned from this channel)20:46
*** Guest94155 was kicked by ChanServ (User is banned from this channel)20:46
*** akrzos was kicked by ChanServ (User is banned from this channel)20:46
*** Krenair was kicked by ChanServ (User is banned from this channel)20:46
*** Dinesh_Bhor was kicked by ChanServ (User is banned from this channel)20:46
*** mtreinish was kicked by ChanServ (User is banned from this channel)20:46
*** rvba was kicked by ChanServ (User is banned from this channel)20:46
*** toddnni was kicked by ChanServ (User is banned from this channel)20:46
*** haplo37_ was kicked by ChanServ (User is banned from this channel)20:46
*** slunkad was kicked by ChanServ (User is banned from this channel)20:46
*** szaher was kicked by ChanServ (User is banned from this channel)20:46
*** rodrigods was kicked by ChanServ (User is banned from this channel)20:46
*** andymccr was kicked by ChanServ (User is banned from this channel)20:46
*** raj_singh was kicked by ChanServ (User is banned from this channel)20:46
*** d0ugal was kicked by ChanServ (User is banned from this channel)20:46
*** rarora was kicked by ChanServ (User is banned from this channel)20:46
*** masterjcool was kicked by ChanServ (User is banned from this channel)20:46
*** gsilvis was kicked by ChanServ (User is banned from this channel)20:46
*** masber was kicked by ChanServ (User is banned from this channel)20:46
*** MarkMielke was kicked by ChanServ (User is banned from this channel)20:46
*** toabctl was kicked by ChanServ (User is banned from this channel)20:46
*** smccully was kicked by ChanServ (User is banned from this channel)20:46
*** gus was kicked by ChanServ (User is banned from this channel)20:46
*** jamielennox was kicked by ChanServ (User is banned from this channel)20:46
*** hoonetorg was kicked by ChanServ (User is banned from this channel)20:46
*** gagehugo was kicked by ChanServ (User is banned from this channel)20:46
*** brad[] was kicked by ChanServ (User is banned from this channel)20:46
*** erhudy was kicked by ChanServ (User is banned from this channel)20:46
*** thiagolib_ was kicked by ChanServ (User is banned from this channel)20:46
*** zzzeek was kicked by ChanServ (User is banned from this channel)20:46
*** alex_xu was kicked by ChanServ (User is banned from this channel)20:46
*** rocky was kicked by ChanServ (User is banned from this channel)20:46
*** nicolasbock was kicked by ChanServ (User is banned from this channel)20:46
*** richm was kicked by ChanServ (User is banned from this channel)20:46
*** evrardjp was kicked by ChanServ (User is banned from this channel)20:46
*** dave-mccowan was kicked by ChanServ (User is banned from this channel)20:46
*** thorst was kicked by ChanServ (User is banned from this channel)20:46
*** edmondsw was kicked by ChanServ (User is banned from this channel)20:46
*** ayoung_dadmode was kicked by ChanServ (User is banned from this channel)20:46
*** spilla was kicked by ChanServ (User is banned from this channel)20:46
*** catintheroof was kicked by ChanServ (User is banned from this channel)20:46
*** stradling was kicked by ChanServ (User is banned from this channel)20:46
*** melwitt was kicked by ChanServ (User is banned from this channel)20:46
*** agrebennikov was kicked by ChanServ (User is banned from this channel)20:46
*** jraim_ was kicked by ChanServ (User is banned from this channel)20:46
*** portdirect was kicked by ChanServ (User is banned from this channel)20:46
*** odyssey4me was kicked by ChanServ (User is banned from this channel)20:46
*** rderose was kicked by ChanServ (User is banned from this channel)20:46
*** knangia was kicked by ChanServ (User is banned from this channel)20:46
*** spzala was kicked by ChanServ (User is banned from this channel)20:46
*** markvoelker was kicked by ChanServ (User is banned from this channel)20:46
*** ravelar was kicked by ChanServ (User is banned from this channel)20:46
*** jlopezgu_ was kicked by ChanServ (User is banned from this channel)20:46
*** lxnch was kicked by ChanServ (User is banned from this channel)20:46
*** jaosorior_away was kicked by ChanServ (User is banned from this channel)20:46
*** browne was kicked by ChanServ (User is banned from this channel)20:46
*** mvk was kicked by ChanServ (User is banned from this channel)20:46
*** bjornar_ was kicked by ChanServ (User is banned from this channel)20:46
*** chlong was kicked by ChanServ (User is banned from this channel)20:46
*** stingaci was kicked by ChanServ (User is banned from this channel)20:46
*** lucasxu was kicked by ChanServ (User is banned from this channel)20:46
*** aojea was kicked by ChanServ (User is banned from this channel)20:46
*** MasterOfBugs was kicked by ChanServ (User is banned from this channel)20:46
*** rajpatel was kicked by ChanServ (User is banned from this channel)20:46
*** raildo was kicked by ChanServ (User is banned from this channel)20:46
*** lwanderley was kicked by ChanServ (User is banned from this channel)20:46
*** openstack was kicked by ChanServ (User is banned from this channel)20:46
*** openstack has joined #openstack-keystone22:00
funginow it's back22:00
*** Dave has joined #openstack-keystone22:01
openstackgerritOpenStack Proposal Bot proposed openstack/keystone master: Updated from global requirements  https://review.openstack.org/45388122:03
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware master: Updated from global requirements  https://review.openstack.org/43931822:03
*** darrenc has joined #openstack-keystone22:03
lbragstadfungi sweet - thanks!22:13
*** topol has joined #openstack-keystone22:24
*** asettle has joined #openstack-keystone22:27
*** eandersson has joined #openstack-keystone22:37
*** chrome0 has joined #openstack-keystone22:39
*** tik has joined #openstack-keystone22:39
*** tik has quit IRC22:41
mordredfungi: why didn't I get kicked from the channel?22:46
fungimordred: i think it must not kick anyone with certain flags (maybe in the chanserv access list?)22:48
morganmordred: +r/+e i think is safe22:48
morganmordred: infra, and a couple of us (ptl/ex-ptls) are set that way22:48
morganmordred:     +e - Exempts from +b and enables unbanning self.22:49
morganmordred: and the fat finger was +b *!*@* :P22:49
fungi(more or less anyway)22:50
mordredah. this makes sense22:50
*** rajpatel is now known as Raj_zzz22:54
*** chris_hultin is now known as chris_hultin|AWA23:02
*** Raj_zzz is now known as rajpatel23:05
*** rajpatel is now known as rajpatel_away23:05
*** spzala has joined #openstack-keystone23:22
*** rajpatel_away has quit IRC23:32
*** adriant has joined #openstack-keystone23:37
*** thorst has joined #openstack-keystone23:43
*** david-lyle has joined #openstack-keystone23:48
*** thorst has quit IRC23:48
*** lwanderley has joined #openstack-keystone23:50
*** lwanderley has quit IRC23:53
*** lwanderley has joined #openstack-keystone23:54

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!