Thursday, 2019-03-14

*** jamesmcarthur has joined #openstack-keystone00:13
*** jamesmcarthur has quit IRC00:16
*** erus has quit IRC00:16
*** jamesmcarthur has joined #openstack-keystone00:16
*** erus has joined #openstack-keystone00:16
*** xek has joined #openstack-keystone00:23
*** dklyle has quit IRC00:31
*** dklyle has joined #openstack-keystone00:31
*** jamesmcarthur has quit IRC00:31
*** gyee has quit IRC00:39
*** dklyle has quit IRC00:46
*** jamesmcarthur has joined #openstack-keystone00:57
*** jamesmcarthur has quit IRC00:57
*** jamesmcarthur has joined #openstack-keystone00:57
*** jamesmcarthur has quit IRC01:23
*** jamesmcarthur has joined #openstack-keystone01:24
*** jamesmcarthur has quit IRC01:26
*** jamesmcarthur has joined #openstack-keystone01:27
*** adriant has joined #openstack-keystone01:33
*** whoami-rajat has joined #openstack-keystone02:02
*** jamesmcarthur has quit IRC02:47
*** dave-mccowan has joined #openstack-keystone02:49
*** dave-mccowan has quit IRC02:54
*** hoonetorg has quit IRC02:59
*** erus has quit IRC02:59
*** erus has joined #openstack-keystone03:00
*** hoonetorg has joined #openstack-keystone03:12
*** jamesmcarthur has joined #openstack-keystone03:13
*** jamesmcarthur has quit IRC03:17
*** vishakha has joined #openstack-keystone03:56
*** lbragstad has quit IRC05:00
vishakhalbragstad: Could you elaborate about
openstackgerritVishakha Agarwal proposed openstack/keystone master: Add role assignment test coverage for domain members
openstackgerritVishakha Agarwal proposed openstack/keystone master: Add role assignment test coverage for domain admins
openstackgerritVishakha Agarwal proposed openstack/keystone master: Add role assignment testing for project users
openstackgerritVishakha Agarwal proposed openstack/keystone master: Add role assignment testing for project users
openstackgerritVishakha Agarwal proposed openstack/keystone master: Remove assignment policies from policy.v3cloudsample.json
openstackgerritVishakha Agarwal proposed openstack/keystone master: Remove assignment policies from policy.v3cloudsample.json
*** markvoelker has quit IRC07:19
*** pcaruana has joined #openstack-keystone08:07
*** awalende has joined #openstack-keystone08:08
*** pcaruana has quit IRC08:11
*** tkajinam__ has quit IRC08:13
openstackgerritChason Chan proposed openstack/keystone master: Fix the incorrect release name of project guide
*** erus has quit IRC08:18
*** erus has joined #openstack-keystone08:19
cmurphyrm_work: thanks for looking, responded and will fix if necessary08:23
rm_workkk :)08:23
*** pcaruana has joined #openstack-keystone08:23
*** hoonetorg has quit IRC08:32
*** hoonetorg has joined #openstack-keystone08:45
rm_workcmurphy: the commit you quoted is the wrong one09:20
cmurphyrm_work: oh, I see I was confusing Rocky with ROCKY09:24
rm_workthx :)09:27
*** pcaruana has quit IRC09:48
openstackgerritPavlo Shchelokovskyy proposed openstack/keystone master: DNM test bootstrap under more sec-comp
pas-hastrange, hangs in 'Ready to Submit' with +2+W o_0 should I probably rebase it? it is based on not latest patchset of the parent change in a series10:11
pas-hacmurphy: can you take a look?10:11
cmurphypas-ha: i think you'll have to rebase it, it's based on ps1 of
pas-hayep, will do now10:13
openstackgerritPavlo Shchelokovskyy proposed openstack/keystone master: Mention allow_expired_window in fernet FAQ
*** erus has quit IRC10:14
pas-hathanks :-)10:14
*** erus has joined #openstack-keystone10:14
openstackgerritMerged openstack/keystone master: Mention allow_expired_window in fernet FAQ
*** pcaruana has joined #openstack-keystone11:32
*** dave-mccowan has joined #openstack-keystone11:46
*** erus has quit IRC11:46
*** erus has joined #openstack-keystone11:46
*** raildo has joined #openstack-keystone12:39
*** jamesmcarthur has joined #openstack-keystone12:47
*** breton has quit IRC12:59
*** dklyle has joined #openstack-keystone13:01
*** vishakha has quit IRC13:24
*** lbragstad has joined #openstack-keystone13:26
*** ChanServ sets mode: +o lbragstad13:26
*** jamesmcarthur has quit IRC13:27
efriedHello people, especially those like mordred and cmurphy who know things about service catalogs!13:36
ayoungUh oh13:38
efriedI see this:13:38
efried{"endpoints": [{"url": "", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "291bd0b6757442e5a85194c0cd4ea1af"}], "type": "baremetal", "id": "d199b74eb26e4309be92c89d08188fdb", "name": "ironic"}], "user": {"password_expires_at": null, "domain": {"id": "default", "name": "Default"}, "id": "a5235b0353dc4ceb8866e40224c3ad89", "name": "tempest-BaremetalBasicOpsAndRescue13:38
efried["MU18vYw5SAycqg1UwAJDsQ"], "issued_at": "2019-03-13T00:10:34.000000Z"}13:38
efried...which looks to me like the ironic API isn't producing proper versioned endpoint data13:38
cmurphyefried: you mean in the service catalog?13:39
efriedcmurphy: I... think so?13:39
cmurphythat endpoint is set by the operator13:39
cmurphyit should be okay for it to be unversioned13:39
efriedIt's hard for me to tell. I don't have a way to set this up locally, so I'm trying to piggback on a CI job.13:40
cmurphyefried: where do you see it?13:40
efriedhere's a bit of the backstory:13:42
efriedI'm trying to get rid of ironicclient13:42
efriedSo I wrote something that, for one particular API call, bypasses ironicclient and goes directly through the ksa adapter:
efriedI'm getting EndpointNotFound()13:42
lbragstaddid you pull that snippet from the token body?13:43
cmurphyefried: that endpoint "url": "" is set by devstack so it should be correct13:43
efriedso I went and looked at the configs, which... seem fine? (The only weirdness I noticed was that nova.conf's ironic section is using admin creds instead of service creds - not sure if that's significant)13:43
lbragstad introductory doc for devs consuming service catalogs13:43
efriedlbragstad: the snippet comes from me searching the devstack log for 'catalog' and finding a json dump of what looks like a service catalog? At least, the other services listed in there seem to have versioned endpoints listed.13:44
efriedlooking at where that EndpointNotFound is coming from, it looks like get_endpoint, which would be odd, because the nova path that *works* - the one that's feeding an already-determined endpoint to ironicclient - is using get_endpoint to do it.13:46
*** jamesmcarthur has joined #openstack-keystone13:46
cmurphywith the discovery mechanism in ksa it should be okay for it to be unversioned, ksa will figure out the right thing13:46
cmurphyso you must be circumventing that somehow13:46
*** vishakha has joined #openstack-keystone13:47
efriedheh, my whole purpose in life right now is to *stop* circumventing it, which is what the ironicclient business does in various convoluted ways.13:48
efriedthat's the thing - the way the ironicclient is working, we may have been doing stuff wrong service catalog-wise for years and covering it up.13:48
efriedthough it's surely more likely to be my eff up.13:48
efried        CONF, confgrp, session=ksa_session, auth=ksa_auth,13:49
efried        min_version=min_version, max_version=max_version, raise_exc=False)13:49
efried...where the session and the auth are the same ones ironicclient is using.13:49
*** erus has quit IRC13:49
efriedold path: we take that adapter and do get_endpoint() on it, and then pass that endpoint into ironicclient construction13:50
vishakhalbragstad: Could you elaborate about As I need also need to see for domain reader failing for assignments13:50
*** erus has joined #openstack-keystone13:50
lbragstadvishakha sure - i can take a look13:51
vishakhalbragstad: Thanks.13:52
vishakhalbragstad: needs one more +2.13:53
* cmurphy reads nova code13:53
mordredefried: looking13:53
cmurphyoh good mordred is here13:54
efriedcmurphy: couple years ago I (with help from mordred) reworked the way nova talks to ironic so we could import all the ksa conf options and *sort of* use them.13:56
mordredyeah. that was some fun13:56
efriedso before that, the conf just had a direct API endpoint in it; and now we're trying to use the service catalog in some way13:56
mordredI keep wanting to followup on that and get you some code that just makes you an sdk connection object13:56
efriedbut the ironicclient was still in the way, so basically we're now constructing a whole ksa adapter, getting the endpoint from it, and then throwing the rest of it away. The endpoint gets passed down into ironicclient which constructs a whole nother ksa adapter with it.13:57
efriedI'm trying to unwind that mess and go direct through the ksa adapter, starting with
mordredoh weird ... you're getting endpoint not found in catalog.13:59
* mordred is still coffeeing - may take a few minutes to come all the way up to speed here13:59
efriedmordred: But I'm getting EndpointNotFound at *request* time14:00
efriedapparently the get_endpoint we did before constructing the ironicclient *worked*14:01
efried(I just added a debug log to verify that; but there's no other way the ironicclient construction would be working.)14:01
mordredefried: yeah. I mean ... ??what??14:01
efriedheh. which part what?14:02
mordredall of it :)14:02
efriedmordred: In this PoC I'm just trying to swap out *one* of the API calls to go direct vs through the ironicclient.14:02
mordredactually - ironicclient could be running discovery14:02
efriedSo I'm still building the ironicclient with the same session and auth as are going into the ksa adapter14:03
efriedthat ironicclient is built with an endpoint_override - which we get by doing get_endpoint() from the ksa adapter we (previously) threw away14:03
mordredthat session is going to have that auth plugin attached to it, which means it'll have catalog/auth_url in it - so it's possible the get_endpoint is failing, triggering that exception, but falling through you get ironic_url = None and then ironicclient does something different14:04
efriedif ironic_url = None, it should blow up. But that's why I'm logging it to make sure.14:04
efriedwe'll know in a bit, once that job runs.14:04
mordredit still doesn't explain why the adapter wouldn't work when you use it :)14:04
mordredefried: I put in an autohold so we can poke on the node when it fails14:07
mordredefried: because that's ... very strange14:07
efriedmordred: ooo, what's an autohold? That sounds... magical.14:09
efriedis it a special power that only you have?14:09
mordredefried: well, I'm not the only one - but we can tell zuul that if a job fails, don't delete the node it ran on14:09
efriedand then like log into it somehow14:10
efriedthat ^ is a power I don't have afaik14:10
mordredefried: useful sometimes for debugging extra strange things where otherwise one might be just submitting new print statements over and over again in a loop and waiting 3 hours14:10
efriedyeah, that was the bit I wanted to avoid14:10
mordredefried: yah - once we've got the node, I'll put your ssh key on it14:10
*** ksavich has joined #openstack-keystone14:12
*** rcernin has quit IRC14:17
* kmalloc is very interested in the result from the ironic-ksa node14:41
brtknrwhats the fastest way to get valid keystone token? I've implemented this which does it in 50ms: but I'd like to beat the go client which does it in 14ms...14:46
cmurphybrtknr: using keystoneauth would be faster than going through openstacksdk
*** erus has quit IRC14:48
cmurphynot sure anything in python is going to beat go though14:48
*** erus has joined #openstack-keystone14:49
brtknrcmurphy: thanks :) i'll give that a shot14:49
ayoungbrtknr, Rust and direct HTTP calls14:50
brtknrOooh nice, been meaning to dive into rust14:51
*** mordred has quit IRC14:51
ayoungbrtknr, but the real thing you want to do is reduce any additional calls.  Python/Java whateve is going to kill you at start up, but after that it is a wash, and the real thing to look for is places where clients do negotiation of versioning.  If you know you are going with the v3 api, password based auth, you can do the direct call via curl14:52
ayoungnothing is going to be faster than that.  Then the trick is to optimize on the server side14:52
ayoungthat is CLI, and thus has to parse data, which you should be able to inline14:53
ayoungalso, drop the service catalog, and make sure that the user only has direct assigned tokens, is not a member of any groups, anything that can optimize the data fetched on the server side14:54
ayounghell, to really cheat, ask for an unscoped token14:54
ayoungbrtknr, make sense?14:54
brtknrayoung: yeah im trying to digest what youve said14:56
*** mordred has joined #openstack-keystone14:57
*** awalende has quit IRC14:59
*** awalende has joined #openstack-keystone14:59
*** awalende has quit IRC15:04
*** awalende has joined #openstack-keystone15:04
*** awalende has quit IRC15:09
*** mordred has quit IRC15:23
*** mordred has joined #openstack-keystone15:29
openstackgerritPavlo Shchelokovskyy proposed openstack/keystone master: DNM test bootstrap under more sec-comp
efriedmordred, kmalloc, cmurphy, lbragstad: (let me know if you want to be untagged from this topic) following the ksa->ironic thingy15:47
efriedFirst thing, my debug log shows that ksa_adp.get_endpoint() worked:15:47
efriedMar 14 14:26:48 ubuntu-bionic-ovh-gra1-0003816856 nova-compute[14692]: ERROR nova.virt.ironic.client_wrapper [None req-09e1aeeb-4daf-4433-bf9b-ce3485658e78 None None] EFRIED: endpoint:
efriedwell, it worked for the thing that happened before we got into doing the real request.15:48
efriedhaven't gotten any further yet.15:48
efried(I didn't instrument ksa itself)15:48
kmallocHm. It looks sane so far.15:49
efriedstill got the same EndpointNotFound later on15:49
kmallocLike... It should be working...but it is doing something odd.15:49
efriedwhich isn't surprising.15:49
openstackgerritPavlo Shchelokovskyy proposed openstack/keystone master: DNM test bootstrap under more sec-comp
mordredefried: yeah. my AWESOME was sarcasm15:51
mordredefried: you're getting a different error in that patch15:55
efriedI am?15:55
mordredMar 14 14:27:47.473168 ubuntu-bionic-ovh-gra1-0003816856 nova-compute[14692]: ERROR nova.virt.ironic.driver [None req-23cfa410-9926-4c9f-90e9-bcbd0a56461f None None] An unknown error has occurred when trying to get the list of nodes from the Ironic inventory. Error: StrictVersion instance has no attribute 'version'15:55
efriedmordred: oh, that was happening before too, seems to do that while everything is still coming up.15:55
mordredok. cool15:56
mordredyeah - there's your traceback15:56
efriedmordred: sooo ... is get_endpoint() only supposed to work once?15:59
mordredno - it should always work16:00
mordredhowever ...16:00
mordredhang on - checking something16:00
*** ksavich has quit IRC16:06
*** jmlowe has quit IRC16:07
efriedmordred: I may be doing stuff wrong, but (in an ipython session) when I follow the exact steps to construct auth, session, and adapter from conf, that guy's get_endpoint() returns None.16:07
mordredbut it prints one in the test16:08
efriedso why does it, like, work the first time, but not the second time?16:08
mordredefried: can you put the thing you did in ipython into a file so I can look at it?16:08
efriedmordred: /tmp/f16:09
efriedmordred: you can see I tried a couple of different tacks16:13
efriedmordred: here's an interesting thing: when I take the min/max microversion out of the ask, I get an endpointable adapter.16:17
efriedIn [36]: adap3 = utils.get_ksa_adapter('baremetal')16:17
efriedIn [37]: adap3.get_endpoint()16:17
efriedOut[37]: u''16:17
mordredoh - yeah16:17
mordredI mean16:18
mordredwait - you mean the min/max version16:18
efriedIn [38]: utils.get_ksa_adapter('baremetal').get_endpoint()16:19
efriedOut[38]: u''16:19
efriedIn [39]: utils.get_ksa_adapter('baremetal', min_version=(1,46), max_version=(1, float('inf'))).get_endpoint()16:19
efried(that second thing returns None)16:19
efriedwhich still totally doesn't explain why tf my debug log worked.16:19
efriedbecause the adapter that's being constructed there *does* include those version kwargs16:19
mordredyeah. I feel like we're missing something fundamental here16:21
* efried tries something new...16:22
mordredefried: so - I think passing (1,46) to min_version of the adapater constructor is an error16:24
mordredefried: since that's min_version for the major api version - not for microversion16:24
mordredbut ... that doesn't explain why the print worked16:24
efriedmordred: then how tf is it working for the ir... yeah16:24
mordredthat should just be min_version=1, max_version=1, float(inf)16:24
mordredsince we're looking for version 116:24
mordredor - we could just elide those altogether16:25
efriedwhich I've demonstrated works in my session.16:25
mordredbut min_version 1.46 really won't match id=v116:25
efriedIn [8]: utils.get_ksa_adapter('baremetal', min_version=(1,0), max_version=(1, float('inf'))).get_endpoint()16:26
efriedOut[8]: u''16:26
efriedwhich took quite a long time to run, compared to the other bits16:26
efriedassume because it was going to the service and doing some real discovery, where the other things weren't.16:26
efriedbut notably, there's now a v1 in there16:26
efriedunless you've been twiddling the catalog?16:26
mordrednope. I mean - that's what the endpoint of the v1 service is16:27
mordredwhich is correct for that adapter to return16:27
efriedokay, but there's no v1 when I ask for get_endpoint with an adap where I didn't specify versions.16:27
efriedi.e. I get the unversioned endpoint.16:28
efriedwhich makes sense intuitively I suppose16:28
mordredyeah. because you didn't ask for versions, so it doesn't do discovery16:28
mordredoh - you know what16:28
efriedplease tell me what16:29
mordrednova.utils.get_ksa_adapter passes raise_exc=False16:29
mordreddoes that cause it to not throw on issues and instead just fallback to the catalog url?16:30
mordredoh - you're using utils.get_ksa_adapter already in your tests here16:30
efriedit causes actual requests to return Response when status >= 400 instead of raising HttpError16:30
mordredblast. yeah16:30
efriedso I think I have a path forward - which is to twiddle that request to use (1, 0) instead of (1, 46) - though that'll remove some of the functionality we're trying to rely on (more on that in a sec) - but that still doesn't explain why my debug log is hitting.16:31
mordredno. it doesn't. and I'd like to figure that out16:32
mordredI believe what you want to do is pass 1.46 to default_microversion to the adapter16:32
mordredto get the thing you're aiming to do16:32
efriedre version negotiation: by specifying min=1.46 we're trying to say the ironic service must be at least capable of a certain level. IIUC that's a nonstarter unless the service catalog exposes versioned endpoints, which it's not doing right now (right??)16:32
mordredit's a non-starter regardless. discovery doesn't work that way16:33
efriedYeah, I don't think I want to say default_microversion. I want to say "blow up if server not capable of at least 1.46"16:33
efriedI thought that was the whole point of discovery16:33
efriedor more gently, "give me the endpoint that's capable of at least 1.46"16:33
mordredno - the whole point of discovery is to find the appropriate major api version. microversion negotiation is a per-call thingm - or you could do get_endpoint_data and then check to see what the min_microversion is16:34
mordredat least - I think that's right. I might also just be stupid16:34
mordredbut for endpoint discovery, the versions being matched are major api versions16:35
mordredyeah. just re-read the docs we wrote way back when16:36
efriedmordred: pushed a new rev where I build the "direct" adapter without the min/max version flaggage.16:36
mordrednone of this explains why your log works though16:36
mordredefried: yeah -then I think for the nova case here we want to add a call to get_endpoint_data() and then do a version match on endpoint_data.min_microversion16:37
efriedright. The args getting passed into ironicclient are getting used by ironicclient to do some manual (i.e. outside of ksa) version negotiation. But they should still be breaking that get_endpoint() call.16:37
mordredand throw an exception if the min_microversion is too low16:37
mordredcompletely agree16:37
mordredmaybe add in some logs/prints to print out the arguments that are being passed - and maybe the adapter itself - is it possible something is getting mutated somewhere?16:38
efriedmordred: um, real nova is monkey patching eventlet, and stuff.16:38
mordredyeah. but it's not like setting things into the adapter after it's been created is it?16:39
mordredefried: I wonder ... maybe ironicclient is mutating the session/auth objects somehow16:39
efriedmordred: It is, almost without question, but we haven't created the ironicclient yet at that point.16:40
mordredyeah. so yeah - still doesn't explain why the first get_endpoint works16:40
*** jamesmcarthur has quit IRC16:42
*** emine__ has quit IRC16:46
*** jamesmcarthur has joined #openstack-keystone16:47
efriedmordred: so where from here? Do you want me to start throwing up interdependent patches that instrument ksa as well as nova? Or is there some way we could put in a breakpoint and attach to the n-cpu process at this point to poke around?16:50
mordredefried: not sure. it's really weird that we can't reproduce the same thing just by hand :(16:52
efriedlast time this kind of weirdness happened, it turned out to be because monkey_patch(eventlet)16:52
efriedand when I say "this kind" I mean "happens in ipython but doesn't happen in nova"16:52
efriedspecifically, it was: deepcopy of an object raised an exception when it encountered an attribute that was a lock. But worked fine with eventlet thread patched.16:53
*** jaosorior has quit IRC16:57
*** jaosorior has joined #openstack-keystone16:58
cmurphylbragstad: is done? i don't see any more open changes for it17:05
openstackLaunchpad bug 1805400 in OpenStack Identity (keystone) "The v3 role API should account for different scopes" [High,In progress] - Assigned to Lance Bragstad (lbragstad)17:05
lbragstadum - kind of?17:06
lbragstadi created that bug to contain global roles work *and* domain-specific role work17:06
lbragstadso far, i haven't gotten around to making the domain-specific role code consume scope-types properly17:07
*** gyee has joined #openstack-keystone17:07
cmurphyoh got it17:07
lbragstador default roles =/17:07
cmurphysounds like a no then17:07
lbragstadbut - if you want to reduce scope, close that one, and open another for domain-specific roles, i'm all for it17:07
lbragstadjust depends on how you want to slice it17:07
cmurphynah if it all has to do with roles and roles isn't done then let's keep it the way it is17:08
lbragstadi still need to do a bit of investigation in the domain-specific roles stuff... those policies should be completely redundant when we implement scope checking on that API17:09
lbragstadafaict - scope types makes the entire domain-specific role work irrelevant17:09
cmurphya namespaced role still makes sense for that use case i think17:10
lbragstadyeah - i think the functionality is fine, but it's unfortunate we modified the API to account for it17:12
cmurphyah yeah17:12
lbragstadand afaict - domain-specific roles only make sense if you can open up role implications to domain admins/users17:13
lbragstadotherwise, domain-specific roles are still going to be cut off at the knees because operators need to deploy new policies to incorporate those roles17:14
lbragstadif my time-machine didn't have a broken rotatory-gutter and wasn't out of headlight fluid, i'd fire that bad boy up and go back in time to fix it ;)17:16
cmurphydamn that's some bad luck17:17
lbragstadpsh - you're tellin' me17:17
*** vishakha has quit IRC17:34
kmallocyeah, but we can make implied roles more featureful.18:29
*** jamesmcarthur has quit IRC18:30
*** jamesmcarthur has joined #openstack-keystone18:33
*** gmann is now known as gmann_afk18:51
*** awalende has joined #openstack-keystone19:00
*** awalende has quit IRC19:04
*** mvkr has quit IRC19:10
openstackgerritMerged openstack/oslo.policy master: Corrects tox.ini snippet to point to config file
openstackgerritMerged openstack/keystone master: Fix the incorrect release name of project guide
openstackgerriterus proposed openstack/keystone master: Add new attribute to the federation protocol API
efriedmordred, kmalloc, cmurphy, lbragstad: The ironic job in is passing!20:04
efriedwe still don't know why the first get_endpoint is working, but we have a path forward \o/20:05
kmallocwell then.20:07
kmalloci'll take that as a win20:07
kmalloc.... but weird.20:07
openstackgerritMerged openstack/keystone master: Migrate keystone-dsvm-grenade-multinode job to Ubuntu Bionic
*** jamesmcarthur has quit IRC20:36
*** erus has quit IRC20:36
*** erus has joined #openstack-keystone20:37
efriedkmalloc: Yeah, there's still something funky going on, but if I can get this effort finished up, it ain't gonna matter.20:38
*** raildo has quit IRC20:58
*** raildo has joined #openstack-keystone21:06
openstackgerritGage Hugo proposed openstack/keystone master: Small refactor for create nonlocal user
*** erus has quit IRC21:06
*** dustinc has joined #openstack-keystone21:07
*** erus has joined #openstack-keystone21:07
*** raildo has quit IRC21:09
*** itlinux has joined #openstack-keystone21:18
*** whoami-rajat has quit IRC21:31
*** erus has quit IRC21:31
*** erus has joined #openstack-keystone21:31
*** erus has quit IRC21:45
*** pcaruana has quit IRC22:21
*** gmann_afk is now known as gmann22:40
*** rcernin has joined #openstack-keystone23:00
*** tkajinam has joined #openstack-keystone23:02
*** mvkr has joined #openstack-keystone23:18
*** gyee has quit IRC23:34

Generated by 2.15.3 by Marius Gedminas - find it at!