Friday, 2019-03-01

*** itlinux_ has quit IRC		00:13
*** mvkr has joined #openstack-keystone		00:14
*** itlinux has joined #openstack-keystone		00:18
*** erus has joined #openstack-keystone		00:31
*** itlinux has quit IRC		00:44
*** erus has quit IRC		00:55
*** whoami-rajat has joined #openstack-keystone		01:04
*** itlinux has joined #openstack-keystone		01:09
*** itlinux has quit IRC		01:11
*** itlinux has joined #openstack-keystone		01:12
*** itlinux has quit IRC		01:18
*** itlinux has joined #openstack-keystone		01:19
*** jamesmcarthur has joined #openstack-keystone		01:32
*** jamesmcarthur has quit IRC		01:35
*** jamesmcarthur has joined #openstack-keystone		01:36
*** itlinux has quit IRC		01:51
*** itlinux has joined #openstack-keystone		01:52
*** itlinux has quit IRC		01:58
openstackgerrit	Merged openstack/keystoneauth master: Add support for client-side rate limiting https://review.openstack.org/605043	01:58
*** jamesmcarthur has quit IRC		02:01
*** tkajinam has quit IRC		02:02
*** tkajinam has joined #openstack-keystone		02:03
*** jamesmcarthur has joined #openstack-keystone		02:04
*** tkajinam_ has joined #openstack-keystone		02:05
*** tkajinam has quit IRC		02:07
*** tkajinam_ has quit IRC		02:10
*** tkajinam has joined #openstack-keystone		02:10
*** jamesmcarthur has quit IRC		02:11
*** jamesmcarthur has joined #openstack-keystone		02:12
*** jamesmcarthur has quit IRC		02:20
*** jamesmcarthur has joined #openstack-keystone		02:20
*** Dinesh_Bhor has joined #openstack-keystone		02:21
*** markvoelker has quit IRC		02:26
*** jamesmcarthur has quit IRC		02:39
*** gyee has quit IRC		02:42
*** awalende has joined #openstack-keystone		03:06
*** awalende has quit IRC		03:10
*** dave-mccowan has joined #openstack-keystone		03:17
*** markvoelker has joined #openstack-keystone		03:27
*** sapd1 has joined #openstack-keystone		03:47
sapd1	Hi, I'm trying to setup keystone federate with goole (using openid). I have success deploy with SSO website (using horizon). But I would like to use command line. I don't see any guide for this.	03:48
*** markvoelker has quit IRC		04:00
*** dave-mccowan has quit IRC		04:04
*** vishakha has joined #openstack-keystone		04:20
openstackgerrit	Vishakha Agarwal proposed openstack/python-keystoneclient master: Drop py35 jobs https://review.openstack.org/639910	04:23
openstackgerrit	Vishakha Agarwal proposed openstack/keystonemiddleware master: Drop py35 jobs https://review.openstack.org/639913	04:26
openstackgerrit	Vishakha Agarwal proposed openstack/keystoneauth master: Drop py35 jobs https://review.openstack.org/639915	04:29
*** Dinesh_Bhor has quit IRC		04:29
openstackgerrit	Vishakha Agarwal proposed openstack/oslo.limit master: Drop py35 jobs https://review.openstack.org/639917	04:32
*** fiddletwix has quit IRC		04:46
*** Dinesh_Bhor has joined #openstack-keystone		04:50
*** shyamb has joined #openstack-keystone		04:53
*** markvoelker has joined #openstack-keystone		04:57
*** prashkre_ has joined #openstack-keystone		05:13
*** shyamb has quit IRC		05:24
*** markvoelker has quit IRC		05:31
*** shyamb has joined #openstack-keystone		05:40
*** wxy-xiyuan has quit IRC		05:41
*** Dinesh_Bhor has quit IRC		05:59
*** Dinesh_Bhor has joined #openstack-keystone		06:02
*** shyamb has quit IRC		06:05
*** shyamb has joined #openstack-keystone		06:12
*** shyamb has quit IRC		06:24
*** shyamb has joined #openstack-keystone		06:24
*** markvoelker has joined #openstack-keystone		06:28
*** itlinux has joined #openstack-keystone		06:33
*** itlinux_ has joined #openstack-keystone		06:37
*** itlinux has quit IRC		06:40
*** lbragstad has quit IRC		06:49
*** markvoelker has quit IRC		07:00
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Add role assignment testing for project users https://review.openstack.org/639718	07:04
*** shyamb has quit IRC		07:06
*** shyamb has joined #openstack-keystone		07:34
*** shyamb has quit IRC		07:36
*** shyamb has joined #openstack-keystone		07:36
*** itlinux_ has quit IRC		07:37
*** itlinux has joined #openstack-keystone		07:39
*** itlinux has quit IRC		07:55
*** markvoelker has joined #openstack-keystone		07:57
*** Dinesh_Bhor has quit IRC		08:01
*** Dinesh_Bhor has joined #openstack-keystone		08:08
*** awalende has joined #openstack-keystone		08:11
*** tkajinam has quit IRC		08:18
*** markvoelker has quit IRC		08:31
*** yan0s has joined #openstack-keystone		08:58
*** shyamb has quit IRC		09:03
*** markvoelker has joined #openstack-keystone		09:28
*** shyamb has joined #openstack-keystone		09:36
*** markvoelker has quit IRC		10:01
*** eandersson has quit IRC		10:20
openstackgerrit	Colleen Murphy proposed openstack/keystoneauth master: Drop py35 jobs https://review.openstack.org/639915	10:33
openstackgerrit	Colleen Murphy proposed openstack/python-keystoneclient master: Drop py35 jobs https://review.openstack.org/639910	10:35
openstackgerrit	Colleen Murphy proposed openstack/keystonemiddleware master: Drop py35 jobs https://review.openstack.org/639913	10:37
*** vishakha has quit IRC		10:39
*** prashkre_ has quit IRC		10:52
*** shyamb has quit IRC		10:53
*** markvoelker has joined #openstack-keystone		10:58
*** shyamb has joined #openstack-keystone		11:02
*** Dinesh_Bhor has quit IRC		11:24
*** markvoelker has quit IRC		11:30
*** raildo has joined #openstack-keystone		11:33
openstackgerrit	Merged openstack/ldappool master: Drop py35 jobs https://review.openstack.org/639924	11:38
cmurphy	sapd1: we have some guidance here https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html#get-a-scoped-token but it's unfortunately specific to saml2 not openid connect, unfortunately i think there's still an open bug about the oidc plugin for the cli https://bugs.launchpad.net/python-openstackclient/+bug/1648580	11:49
openstack	Launchpad bug 1648580 in python-openstackclient "v3oidcpassword federated login error (argument count)" [Undecided,New]	11:49
cmurphy	sapd1: what you could do if your openstack is >=queens is use horizon to create an application credential, and then use the cli with that https://docs.openstack.org/keystone/latest/user/application_credentials.html	11:49
sapd1	cmurphy: In fact, I would like to integrate exist openstack environment with other idp.	11:58
mordred	cmurphy, kmalloc: \o/	12:00
cmurphy	sapd1: I understood that, my suggestion is compatible with using an external idp	12:01
cmurphy	hi mordred	12:01
*** rafaelweingartne has joined #openstack-keystone		12:03
rafaelweingartne	Hello Keystone folks, I am having some issues to work with App credentials	12:04
rafaelweingartne	let's say I have a user that does not have any role per se	12:04
rafaelweingartne	but this user is added to a group that has permissions (roles) to both a domain and a project	12:04
rafaelweingartne	should I be able to create an app credentials for this user?	12:04
cmurphy	rafaelweingartne: ideally yes but actually no :( https://bugs.launchpad.net/keystone/+bug/1773967	12:06
openstack	Launchpad bug 1773967 in OpenStack Identity (keystone) "Application credentials can't be used with group-only role assignments" [High,Confirmed] - Assigned to Vishakha Agarwal (vishakha.agarwal)	12:06
rafaelweingartne	:(	12:06
cmurphy	rafaelweingartne: it's high priority to fix but it's a somewhat hard problem, we started a spec for it https://review.openstack.org/604201 but ran out of time this release cycle	12:08
sapd1	cmurphy: So that bug is too old. and It has not been fixed yet.	12:09
rafaelweingartne	this is a huge problem for us.. as we are using Identity federations, ans users do nto have explicity assigments	12:09
rafaelweingartne	what is the problem? I mean, I checked the code to create the app credentials, and it does not care about the user group	12:10
*** dave-mccowan has joined #openstack-keystone		12:10
rafaelweingartne	so, if we change that, to accept a specific user group and project via API parameter, would it work? Or, we need to change the "app credentials" authentication method as well?	12:11
rafaelweingartne	to load the permissions from specified group in the app credential	12:11
cmurphy	rafaelweingartne: the problem is that role assignments via group membership are ephemeral and only persist as long as the token is valid, so technically when the token expires the user doesn't have any role assignments. if we made the application credential copy in all effective role assignments from the group membership when it gets created then the application credential's authorization outlives	12:14
cmurphy	the user's actual authorization which is unsafe	12:14
*** dave-mccowan has quit IRC		12:15
rafaelweingartne	ah	12:15
rafaelweingartne	got it	12:15
rafaelweingartne	I just read that in the spec as well...	12:15
rafaelweingartne	sorry for asking something that was already there	12:15
cmurphy	no worries, it was hard for me to grasp on first read	12:16
cmurphy	and very annoying that role assignments via group membership don't just work the same way as direct role assignments	12:17
cmurphy	a workaround is to use the autoprovisioning type of federation mapping to create explicit assignments https://docs.openstack.org/keystone/latest/admin/federation/mapping_combinations.html#auto-provisioning but it may not be easy to translate your existing mappings	12:18
rafaelweingartne	you mean, to auto provision a project?	12:20
rafaelweingartne	hmm	12:20
cmurphy	yeah it will create the projects if they don't exist and then create the role assignments	12:21
rafaelweingartne	that might work, but this might affect our business workflow	12:21
cmurphy	yeah	12:21
rafaelweingartne	Let me check if we can hammer it somehow	12:21
rafaelweingartne	thanks for the prompt reply ;)	12:21
cmurphy	you're welcome	12:22
*** shyamb has quit IRC		12:26
*** markvoelker has joined #openstack-keystone		12:28
openstackgerrit	Merged openstack/keystone master: Add domain level limit support - API https://review.openstack.org/622773	12:28
sapd1	cmurphy: I get this error	12:32
sapd1	RESP BODY: {	12:32
sapd1	"error": "unsupported_grant_type",	12:32
sapd1	"error_description": "Invalid grant_type: password"	12:32
sapd1	}	12:32
cmurphy	sapd1: what are you trying to do?	12:33
sapd1	I'm trying issue token using gmail.	12:33
sapd1	`openstack token issue --os-discovery-endpoint https://accounts.google.com/.well-known/openid-configuration --os-auth-type v3oidcpassword --os-client-secret xxxx --os-client-id xxxx`	12:34
rafaelweingartne	by any chance, does anybody here knows where the schema.py that defines the IdP attribute mapping is?	12:37
rafaelweingartne	I have checked it in the past, but now I am not able to find it anymore	12:37
*** shyamb has joined #openstack-keystone		12:39
cmurphy	sapd1: hmm I am not an expert on openid connect but it looks like we hard code grant type to "password" and it looks like google requires it to be "authorization_code" https://developers.google.com/identity/protocols/OpenIDConnect - so the CLI may just be completely incompatible with google right now :/	12:40
rafaelweingartne	never mind, I found it: keystone/federation/utils.py	12:42
cmurphy	rafaelweingartne: was just pulling it up http://git.openstack.org/cgit/openstack/keystone/tree/keystone/federation/utils.py#n55	12:42
rafaelweingartne	ah thanks	12:44
rafaelweingartne	this token mechanism "openstack token issue --os-discovery-endpoint...", how would it work with 2FA?	12:45
rafaelweingartne	I mean, if the IdP implements 2FA, and if it is enabled for the user requesting the token to be issued	12:45
cmurphy	i don't think openstackclient/keystoneauth is smart enough to handle that at all	12:46
rafaelweingartne	I mean, with google, I don't see a problem as it requires authorization_code	12:47
rafaelweingartne	which is a sort of app credential	12:47
rafaelweingartne	but, if we wanted to generate a token via password authentication, then this can be a problem	12:48
rafaelweingartne	that is actually why we are trying to use app credentials with federated users	12:48
rafaelweingartne	So, they login, and via the UI they can create the credentials after the authentication process in the IdP	12:48
*** markvoelker has quit IRC		13:01
*** prashkre has joined #openstack-keystone		13:07
*** prashkre has quit IRC		13:08
*** shyamb has quit IRC		13:21
*** shyamb has joined #openstack-keystone		13:21
*** shyamb has quit IRC		13:28
*** jmlowe has quit IRC		13:48
*** jamesmcarthur has joined #openstack-keystone		13:51
knikolla	o/	13:55
knikolla	cmurphy: actually the cli uses a different grant type	13:56
knikolla	password is the correct grant, it's just that google doesn't support it.	13:56
knikolla	sapd1: look into this https://developers.google.com/identity/protocols/OAuth2InstalledApp	13:58
knikolla	you will need to get an access token from there and use that directly	13:58
*** markvoelker has joined #openstack-keystone		13:58
sapd1	knikolla: another word is I need get authorization_code and put this code into body when send request to google.	13:59
knikolla	sapd1: yes, and exchange that for a refresh and access token	14:01
knikolla	then use that to talk to keystone	14:01
knikolla	you will need to enable oauth 2.0 in your vhost configuration for keystone	14:01
knikolla	that = access token	14:02
cmurphy	thanks knikolla	14:02
sapd1	knikolla: Could you give me example configuration for keystone ?	14:03
knikolla	sapd1: https://github.com/CCI-MOC/MOCOSPpuppet/blob/317f8fa53ec89ef6e58449aec743d5ebbf275fc9/keystone/templates/wsgi-keystone.erb#L62-L89	14:04
sapd1	knikolla: I have setup openid and google successful, It's working when I use horizon.	14:04
sapd1	Do I need add oauth2 config?	14:04
knikolla	sapd1: yes because that uses openid connect	14:05
knikolla	you can't use openid connect on the cli	14:05
sapd1	yeah. I have already configured these options in my vhost.	14:05
knikolla	one of the locations has "AuthType oauth20" for oauth 2.0	14:06
knikolla	but beside that's it's the same	14:06
sapd1	+1	14:07
knikolla	it's just easier and more convenient to use application credentials	14:07
sapd1	knikolla: I'm trying to configured with our exist IDP, It's working same to Google. So I need make keystone work with Google.	14:08
sapd1	s/our/my	14:09
knikolla	in the google case, the refresh token would work like an application credential. every time a user wants to use the cli, they would have to exchange that with an access token by making a call to google. then make a call to keystone with the access token to get a fernet token.	14:09
*** raildo has quit IRC		14:09
sapd1	knikolla: I need read about openid connect protocol, So I will contact you if I get a problem.	14:12
sapd1	knikolla: Thanks	14:12
knikolla	sapd1: no problem :)	14:12
*** raildo has joined #openstack-keystone		14:14
*** TheJulia is now known as needssleep		14:14
*** cmurphy is now known as cmorpheus		14:17
*** jmlowe has joined #openstack-keystone		14:21
*** markvoelker has quit IRC		14:31
*** lbragstad has joined #openstack-keystone		14:35
*** ChanServ sets mode: +o lbragstad		14:35
*** sc has joined #openstack-keystone		14:37
*** bnemec is now known as beekneemech		14:46
*** awalende has quit IRC		15:00
*** awalende has joined #openstack-keystone		15:00
*** itlinux has joined #openstack-keystone		15:01
*** awalende has quit IRC		15:04
*** rafaelweingartne has quit IRC		15:05
*** lbragstad is now known as elbragstad		15:08
gagehugo	o/	15:10
*** itlinux has quit IRC		15:12
elbragstad	hola	15:15
*** markvoelker has joined #openstack-keystone		15:28
*** itlinux has joined #openstack-keystone		15:29
*** itlinux has quit IRC		15:36
*** chason_ has quit IRC		15:36
*** itlinux has joined #openstack-keystone		15:38
*** jistr is now known as jistr\|mtg		15:38
*** chason has joined #openstack-keystone		15:41
*** chason has quit IRC		15:46
*** chason has joined #openstack-keystone		15:52
*** yan0s has quit IRC		15:59
*** markvoelker has quit IRC		16:01
*** jistr\|mtg is now known as jistr		16:02
*** kmalloc is now known as needscoffee		16:22
needscoffee	o/	16:28
*** sapd1 has quit IRC		16:32
*** itlinux has quit IRC		16:49
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add service developer documentation for scopes https://review.openstack.org/638563	16:53
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add service developer documentation for scopes https://review.openstack.org/638563	16:56
*** markvoelker has joined #openstack-keystone		16:58
*** gyee has joined #openstack-keystone		17:04
*** markvoelker has quit IRC		17:31
*** erus has joined #openstack-keystone		17:50
elbragstad	needscoffee are you caffeinated?	17:54
elbragstad	at least partially?	17:54
elbragstad	do you know why we use two different policy enforcers there? https://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/unit/test_policy.py#n239	17:56
elbragstad	one uses the rbac_enforcer code path, which loads the defaults registered in code	17:56
elbragstad	the other (which tests the policy.v3cloudsample.json policy) builds the enforcer object using oslo.policy directly	17:57
elbragstad	fwiw - i'm respinning https://review.openstack.org/#/c/622589/1	17:57
elbragstad	but it looks like the second enforcer, from oslo.policy, isn't loading the defaults	17:57
elbragstad	this is what that instance looks like https://pasted.tech/pastes/c80b1ba6c34480b02dd74854a2885d671a98044f.raw	17:58
*** raildo has quit IRC		18:00
*** mvkr has quit IRC		18:02
*** jaosorior has quit IRC		18:04
*** mvkr has joined #openstack-keystone		18:06
*** raildo has joined #openstack-keystone		18:07
*** irclogbot_1 has joined #openstack-keystone		18:10
elbragstad	aha	18:17
elbragstad	figured it out	18:17
*** jamesmcarthur has quit IRC		18:20
*** jamesmcarthur has joined #openstack-keystone		18:20
needscoffee	hold on	18:22
needscoffee	elbragstad: so what was going on?	18:22
elbragstad	https://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/unit/test_policy.py#n260 doesn't register the defaults	18:23
elbragstad	but that test case uses two different instances of Enforcer()	18:23
elbragstad	one uses the defaults in code	18:23
elbragstad	the other attempts to load everything for v3cloudsample.json	18:23
elbragstad	but it doesn't register the defaults	18:23
elbragstad	so the test case is actually relying on the fact policy.v3cloudsample.json is copy/pastad	18:24
elbragstad	instead of generating common defaults	18:24
elbragstad	and only loading the delta	18:24
*** jamesmcarthur has quit IRC		18:24
*** markvoelker has joined #openstack-keystone		18:28
*** Chealion has joined #openstack-keystone		18:43
openstackgerrit	Merged openstack/python-keystoneclient master: Drop py35 jobs https://review.openstack.org/639910	18:47
*** markvoelker has quit IRC		19:01
*** awalende has joined #openstack-keystone		19:03
*** awalende_ has joined #openstack-keystone		19:05
openstackgerrit	Lance Bragstad proposed openstack/keystone master: DRY: Remove redundant policies from policy.v3cloudsample.json https://review.openstack.org/622589	19:08
*** awalende has quit IRC		19:08
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add service developer documentation for scopes https://review.openstack.org/638563	19:18
needscoffee	oh	19:22
needscoffee	yeah we should fix that	19:22
*** dmellado has quit IRC		19:44
*** dmellado has joined #openstack-keystone		19:45
*** irclogbot_1 has quit IRC		19:50
*** markvoelker has joined #openstack-keystone		19:58
*** erus has quit IRC		19:58
*** erus has joined #openstack-keystone		19:59
*** irclogbot_1 has joined #openstack-keystone		20:02
elbragstad	needscoffee done in https://review.openstack.org/622589	20:11
*** erus has quit IRC		20:11
*** erus has joined #openstack-keystone		20:11
*** raildo has quit IRC		20:16
elbragstad	anyone else feel like giving https://review.openstack.org/#/c/638309/6 a good look?	20:20
* elbragstad has a super crisp high-five for anyone who reviews it		20:20
*** raildo has joined #openstack-keystone		20:23
* cmorpheus will cash in on high-five offer		20:24
cmorpheus	elbragstad: i made it to https://review.openstack.org/639718 and not sure what i think yet	20:24
gagehugo	elbragstad: same	20:29
*** markvoelker has quit IRC		20:31
elbragstad	yeah - me either =/	20:34
elbragstad	i don't think i'd mind a project admin being able to view assignments on the project they have admin on	20:35
elbragstad	but i haven't really come up with a good use case for why a member or reader would need to know that information	20:35
elbragstad	i mean - i typically think of project admins as being the people that can clean up instances or volumes, things like that	20:35
elbragstad	not role assignments	20:35
elbragstad	(a lot of identity related management seems to stop at the domain layer)	20:36
*** erus has quit IRC		20:38
*** erus has joined #openstack-keystone		20:39
*** jmlowe has quit IRC		20:41
cmorpheus	i think... given that a user is either a system-level or domain-level thing, a role assignment has to be too. project reader/member/admin shouldn't be able to see information about a user, including their role assignments	20:46
elbragstad	so - a project admin shouldn't be able to call the /v3/role_assignments?scope.project.id=$project API?	20:48
cmorpheus	i think not, because that would list user ids	20:49
elbragstad	correct, for users with role assignments on the project	20:50
cmorpheus	a project admin doesn't have any ability to create or show another user, so they shouldn't be able to get the user's id either imo	20:51
*** erus has quit IRC		20:51
* elbragstad this feels like the /v3/projects API		20:51
elbragstad	er - the position we took with project users on that API	20:51
*** erus has joined #openstack-keystone		20:51
cmorpheus	did we take the same position?	20:51
cmorpheus	i hope i'm not flip flopping	20:51
elbragstad	i believe we did exactly what you're describing	20:52
cmorpheus	ok	20:52
cmorpheus	then let's be consistent	20:52
elbragstad	https://review.openstack.org/#/c/624221/4/keystone/tests/unit/protection/v3/test_projects.py	20:54
elbragstad	https://review.openstack.org/#/c/624221/4/keystone/tests/unit/protection/v3/test_projects.py@897	20:55
elbragstad	discovered a bug in the test name	20:55
cmorpheus	heh	20:56
elbragstad	weird...	20:56
elbragstad	https://review.openstack.org/#/c/624221/4/keystone/common/policies/project.py,unified@76	20:57
cmorpheus	hmm well i think it's fine for a user to get their own project, that's not exposing another user's userid and role	20:57
elbragstad	i think that policy works for https://review.openstack.org/#/c/624221/4/keystone/common/policies/project.py@104 but not https://review.openstack.org/#/c/624221/4/keystone/common/policies/project.py@76	20:59
*** erus has quit IRC		20:59
elbragstad	but the test - which is inaccurately named, asserts that a user with a project-scoped token can't call /v3/projects/$project_id	20:59
*** erus has joined #openstack-keystone		20:59
elbragstad	hmm - i think i need to smooth that out	21:00
elbragstad	i think i need another test case to see if a project user can actually fetch their own project using /v3/project/$project_id	21:01
elbragstad	https://review.openstack.org/#/c/624221/4/keystone/tests/unit/protection/v3/test_projects.py,unified@897 just tests that a user can't get a project within the same domain with a project-scoped token	21:01
elbragstad	i'm getting off on a tangent, but yeah, i do agree that querying role assignments is different than querying projects from the project API	21:03
elbragstad	the point about exposing other user ids is good	21:03
cmorpheus	elbragstad: i think the test is right, except for the name - it's making sure that the user can't GET some random project they aren't a member of	21:05
elbragstad	++ right, but I don't see a test where the user attempts to call GET /v3/projects/$project_id where the token is scoped to $project_id?	21:05
cmorpheus	ah gotcha	21:06
*** jamesmcarthur has joined #openstack-keystone		21:07
*** jamesmcarthur has quit IRC		21:09
*** jamesmcarthur has joined #openstack-keystone		21:10
*** jamesmcarthur has quit IRC		21:14
*** awalende has joined #openstack-keystone		21:21
*** awalende_ has quit IRC		21:21
*** markvoelker has joined #openstack-keystone		21:28
*** jamesmcarthur has joined #openstack-keystone		21:29
openstackgerrit	Merged openstack/keystone master: Remove endpoint policies from policy.v3cloudsample.json https://review.openstack.org/619333	21:29
*** irclogbot_1 has quit IRC		21:36
*** erus has quit IRC		21:55
*** erus has joined #openstack-keystone		21:56
*** markvoelker has quit IRC		22:01
*** jamesmcarthur has quit IRC		22:07
*** jamesmcarthur has joined #openstack-keystone		22:08
openstackgerrit	Merged openstack/keystoneauth master: Drop py35 jobs https://review.openstack.org/639915	22:16
*** raildo has quit IRC		22:23
openstackgerrit	Merged openstack/keystone master: Implement system reader for role_assignments https://review.openstack.org/609210	22:29
*** jmlowe has joined #openstack-keystone		22:32
*** awalende has quit IRC		22:36
*** awalende has joined #openstack-keystone		22:36
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add service developer documentation for scopes https://review.openstack.org/638563	22:40
*** awalende has quit IRC		22:40
*** jamesmcarthur has quit IRC		22:40
*** jamesmcarthur has joined #openstack-keystone		22:44
*** odyssey4me_ has joined #openstack-keystone		22:45
*** erus has quit IRC		22:46
*** erus has joined #openstack-keystone		22:46
*** jamesmcarthur has quit IRC		22:48
*** odyssey4me has quit IRC		22:52
*** eglute has quit IRC		22:52
*** lamt has quit IRC		22:52
*** melwitt has quit IRC		22:52
*** NikitaKonovalov has quit IRC		22:52
*** erus has quit IRC		22:52
*** odyssey4me_ is now known as odyssey4me		22:52
*** melwitt has joined #openstack-keystone		22:53
*** erus has joined #openstack-keystone		22:53
*** markvoelker has joined #openstack-keystone		22:59
*** awalende has joined #openstack-keystone		23:02
*** frickler has quit IRC		23:06
*** frickler has joined #openstack-keystone		23:06
openstackgerrit	Merged openstack/keystone master: Reorganize role assignment tests for system users https://review.openstack.org/638309	23:19
openstackgerrit	Merged openstack/keystone master: Add role assignment test coverage for system members https://review.openstack.org/638310	23:20
openstackgerrit	Merged openstack/keystone master: Add role assignment test coverage for system admin https://review.openstack.org/638311	23:20
*** markvoelker has quit IRC		23:31
*** awalende_ has joined #openstack-keystone		23:32
*** sapd1 has joined #openstack-keystone		23:33
*** awalende has quit IRC		23:35
*** awalende_ has quit IRC		23:36
*** awalende has joined #openstack-keystone		23:37
*** awalende has quit IRC		23:41

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!