#openstack-meeting log

18:02:20 <dolphm> #startmeeting keystone
18:02:21 <openstack> Meeting started Tue Aug 13 18:02:20 2013 UTC and is due to finish in 60 minutes.  The chair is dolphm. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:02:22 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:02:24 <openstack> The meeting name has been set to 'keystone'
18:02:36 <dolphm> #topic FeatureProposalFreeze
18:02:37 <ayoung> I sent him email, but he is in the Ukraine, so it is pretty late in the day for him
18:02:48 <dolphm> #link http://lists.openstack.org/pipermail/openstack-dev/2013-August/013278.html
18:02:53 <dolphm> #link https://wiki.openstack.org/wiki/FeatureProposalFreeze
18:03:12 <dolphm> hopefully this isn't a surprise because i already spammed everyone about this, but read the above if you haven't ^
18:03:29 <ayoung> Looks good here.
18:03:36 <topol> hi
18:03:37 <morganfainberg> makes sense to me
18:03:46 <ayoung> dolphm, format date is...?
18:03:51 <fabiog> hi
18:03:51 <ayoung> formal
18:03:52 <dolphm> i don't expect any surprises, but wanted to bring everyone's attention to it again anyway :)
18:03:57 <stevemar> dolphm: i think the people who need to know about it, know about it
18:04:11 <bknudson> we're already drowned in code reviews
18:04:15 <dolphm> bknudson: ++
18:04:18 <dolphm> #topic morganfainberg
18:04:25 <dolphm> thankfully we have a new core reviewer to help with that :)
18:04:29 <morganfainberg> yay!
18:04:31 <bknudson> awesome!
18:04:32 <lbragstad> +1
18:04:33 <dolphm> official welcome to morganfainberg :)
18:04:33 <henrynash> congrats!
18:04:34 <morganfainberg> i've been trying. :)
18:04:35 <stevemar> +1
18:04:37 <morganfainberg> thanks
18:04:41 <fabiog> congrats!
18:04:47 <ayoung> dolphm, is there some other launchpad setting he needs in order to assign bugs to people?
18:05:01 <topol> congrats!!! Very wel deserved
18:05:15 <gyee> morganfainberg, you are buying beer on the next summit?
18:05:21 <dolphm> morganfainberg: ayoung: not sure, poke me after the meeting if something is wrong with lp
18:05:23 <morganfainberg> gyee… hrmm… we shall see.
18:05:29 <dolphm> yay
18:05:36 <dolphm> #action morganfainberg to buy everyone beer
18:05:40 <gyee> ha
18:05:43 <dolphm> #topic critical issues
18:05:54 <dolphm> #link https://bugs.launchpad.net/keystone/+bug/1210590
18:05:57 <uvirtbot> Launchpad bug 1210590 in keystone "Split backend crashes with AttributeError" [Critical,Confirmed]
18:06:01 <dolphm> #link https://bugs.launchpad.net/keystone/+bug/1211445
18:06:03 <uvirtbot> Launchpad bug 1211445 in keystone "deleting an unassigned role causes 500" [Critical,Confirmed]
18:06:10 <dolphm> these are two nasty ones on v3 that i've seen reported a couple times
18:06:25 <henrynash> dolphmL I can't seem to reproduce…tried what you di and it worked
18:07:19 <henrynash> dolphm: at least could not reproduce #link https://bugs.launchpad.net/keystone/+bug/1210590
18:07:19 <dolphm> henrynash: hmm... i'll try to reproduce once more
18:07:21 <uvirtbot> Launchpad bug 1210590 in keystone "Split backend crashes with AttributeError" [Critical,Confirmed]
18:07:33 <henrynash> dolphm: is you db migrated or new?
18:07:56 <dolphm> henrynash: brand new
18:08:03 <henrynash> dolphm: hmmm
18:08:10 <ayoung> henrynash, let me know if you want a hand with either
18:08:21 <dolphm> henrynash: i have the steps to repro mostly scripted for a different bug
18:08:26 <henrynash> dollphm: and we unit test exactly the url you tried
18:08:50 <henrynash> dolphm: ok…if you can shed any more light…I'll get in and debug
18:08:55 <dolphm> henrynash: will do
18:09:08 <bknudson> the role exists but it's not assigned?
18:09:17 <ayoung> dolphm, suspect that the differenc might be the LDAP backend.  THe unicode thing leads me to think it might be a Directory server issue
18:09:37 <dolphm> bknudson: yeah, new user, new project, new role ... and create a role assignment of the three -> 500
18:09:42 <morganfainberg> dolphm ayoung: wasn't there a recent unicode relate ldap thing?
18:09:53 <dolphm> morganfainberg: i'm not aware of one?
18:10:02 <morganfainberg> dolphm: i might be thinking internal code
18:10:04 <henrynash> bknduson: so I made a change where the list of roles for a user/probject pair became a list of dicts instead
18:10:08 <morganfainberg> dolphm: i'll check
18:10:11 <bknudson> spzala had a work in progress for unicode
18:10:21 <morganfainberg> bknudson: ah that might be what i saw.
18:10:29 <henrynash> my guess is that I missed something somewhere and something is still returning an old style list
18:10:33 <ayoung> morganfainberg, yes, there is a well known issue.
18:10:50 <ayoung> https://bugs.launchpad.net/keystone/+bug/1172106
18:10:53 <uvirtbot> Launchpad bug 1172106 in keystone "Live LDAP tests fail on unicode names" [Medium,In progress]
18:10:54 <dolphm> could use some LDAP-expert feedback on bug 1211643
18:10:56 <uvirtbot> Launchpad bug 1211643 in keystone "Update user name failed with LDAP back end by CLI" [Undecided,In progress] https://launchpad.net/bugs/1211643
18:11:07 <dolphm> maybe that needs to be configurable
18:11:09 <spzala> yep, it's specific to the LDAP though
18:11:32 <bknudson> it's strange we don't allow change name in ldap backend.
18:11:35 <spzala> ayoung: thanks for the bug link
18:11:50 <bknudson> since it's not like you can't change the name attribute in an entry.
18:12:28 <ayoung> dolphm, assign any ldap bugs to me
18:13:06 <gyee> you should be able to update user name
18:13:20 <gyee> sounds like a bug in the code
18:13:52 <gyee> unless your LDAP ACL is configure to have it read only
18:13:54 <bknudson> let them try to change the name and if the ldap server doesn't like it it can reject the request.
18:14:03 <dolphm> gyee: it was expected behavior when it was implemented
18:14:09 <dolphm> gyee: i'd be careful about suddenly allowing it
18:14:48 <dolphm> bknudson: hmm... that's probably a safe approach
18:15:02 <bknudson> sql could do the same thing
18:15:14 <gyee> dolphm, you mean we don't allow updating user name?
18:15:19 <bknudson> maybe ldap doesn't check for duplicates?
18:15:20 <ayoung> username is typically modifiable, so long as the userid is immutable.  Should be enforced by ACLs.
18:15:22 <dolphm> gyee: historically, no
18:15:26 <ayoung> so, yeah, lets allow it.
18:15:30 <morganfainberg> bknudson: depends on schema
18:15:45 <morganfainberg> bknudson: and acls
18:16:17 <ayoung> dolphm, is that a general rule across all backends?  If so, then the bug can be closed notabug
18:16:26 <dolphm> continue this discussion in the bug / review?
18:16:29 <gyee> ok then, we need to distinguished what we can do versus what LDAP can do
18:16:37 <ayoung> dolphm, agreed
18:16:47 <dolphm> this isn't high priority, just wanted to bring some attention to it
18:16:51 <dolphm> #link https://review.openstack.org/#/c/41603/
18:17:04 <dolphm> #topic pagination
18:17:20 <gyee> :)
18:17:30 <dolphm> #link http://lists.openstack.org/pipermail/openstack-dev/2013-August/013493.html
18:17:32 <henrynash> ok, so quite lively ML discussion going on
18:17:42 <ayoung> So I think we need pagination short term, but we should be wary of depending on it over the long.  LDAP and pagination is a bad mix
18:17:57 <ayoung> listing all users is also a bad practice.
18:17:59 <morganfainberg> ayoung: +1
18:18:09 <gyee> lets pass the query parameters into the drivers and let the drivers optimize
18:18:45 <henrynash> so it's worth reading the ML trail
18:18:54 <ayoung> dolphm, I opened a handful of related wishlist items  yesterdat.
18:19:04 <gyee> would be hard to standardize if drivers don't speak the same language
18:19:10 <dolphm> ayoung: use google as an example :) you can't go to google.com and see "all search results" with a blank query string
18:19:17 <henrynash> Jay certainly advocating we support the same thing that other projects do, i.e. limit/marker
18:19:22 <ayoung> dolphm, good point
18:19:47 <bknudson> I think it would be best if we followed what other OS projects are doing.
18:19:58 <henrynash> Is there a reason we WOULDN'T do what the other projects have done?
18:20:06 <morganfainberg> bknudson: at the very least it makes it easier for developers to interact with keystone then
18:20:19 <ayoung> http://bit.ly/168qd2d
18:20:27 <bknudson> should be able to use shared code to do paging.
18:20:29 <ayoung> those are new and wishlist bugs
18:20:33 <dolphm> sort key and sort order are particularly important to have consistent, even if we don't expose that to the api yet
18:20:43 <gyee> bknudson, we don't follow, we lead :)
18:20:50 <henrynash> Here's my most recent ML post:
18:20:51 <ayoung> https://bugs.launchpad.net/keystone/+bug/1211582
18:20:51 <henrynash> 1) Support 'limit' and 'marker' (as opposed to 'page', 'page_szie', or anything else).  These would be standard, independent of what backing store keystone was using.  If neither are included in the url, then we return the first N entires, where N is defined by the cloud provider.  This ensures that for at least smaller deployments, non-pagination aware clients still work.  If either 'limit' or 'marker' are specified, then we pagi
18:20:51 <henrynash> down into the driver layer wherever possible to ensure efficiency (some drivers may not be able to support pagination, hence we will do this, inefficiently, at a higher layer)
18:20:52 <henrynash> 2) If we are paginating at the driver level, we must, by definition, be doing all the filtering down there as well (otherwise it all gets mucked)
18:20:53 <henrynash> 3) We should look at supporting the other standard options (sort order etc.), but irrespective of that, by definition, we must ensure that we any driver that is paginating must be getting is entries back in a consistent order (otherwise, again, pagination doesn't work reliably)
18:20:54 <uvirtbot> Launchpad bug 1211582 in keystone "Filter user list by partial attributes" [Wishlist,New]
18:21:27 <bknudson> btw - the identity API spec doesn't have page / page_size anymore... I submitted a change to remove them since they weren't implemented.
18:21:52 <bknudson> can always add them back in again.
18:21:59 <henrynash> bknudson…has that gone in…I checked earlier today and they were still there...
18:22:04 <morganfainberg> yeah, better to add them when we have support.
18:22:04 <ayoung> let me, once again, reiterate the LDAP specific concerns,  1)  limit the number of entries returnsed.  2) LDAP does not guarantee order, which means paging requires a cursor.  3) Cursors don't scale
18:22:15 <bknudson> https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md doesn't have them
18:22:20 <dolphm> #link https://review.openstack.org/#/c/39828/
18:22:37 <bknudson> ldap servers can have their own limit on results anyways
18:22:56 <henrynash> ayoung: so that's fine, we just return N items as I describe
18:23:02 <bknudson> I think Active Directory has paging of member attribute.
18:23:28 <ayoung> bknudson, yeah, but we should also allow Keystone to specify the limit.  See the problem with the HP ED taking an hour+ to return
18:24:14 <henrynash> ayoung: agreed, we should have a keystone limit
18:24:16 <gyee> ayoung, that's because HP ED is miss configured :)
18:24:24 <gyee> misconfigured
18:24:27 <ayoung> --sizeLimit 200
18:24:41 <ayoung> option value for all LDAP queries, I think?
18:24:43 <dolphm> lol
18:24:48 <morganfainberg> gyee: right, but regardless, we should limit (or optionally be able to provide a limit) to solve that.
18:25:12 <gyee> sure, I am fine with having limit on the client-side
18:25:15 <morganfainberg> s/solve/make keystone better regardless of misconfiguration
18:25:18 <morganfainberg> of the server
18:25:25 <gyee> LDAP servers usually don't take hours and return you thousands of entries
18:25:35 <gyee> if configured correctly
18:25:44 <henrynash> so are there any objections to my most recent proposal…it does seem to cover all the above issues?
18:25:50 <ayoung> on paging, there was some question about the implementation.  Are we just punting on it?
18:25:59 <gyee> LDAP, by design, is for *fast lookup*
18:26:21 <rcrit> should there be a knob for ldap search time limit though?
18:26:41 <ayoung> rcrit, it can be optional, too
18:26:45 <rcrit> at least with 389-ds there is one, even if the user doesn't set it themself
18:26:52 <ayoung> rcrit, file that as a wishlist bug
18:27:03 <rcrit> I don't wish it, just asking :-)
18:27:08 <ayoung> or tag it on to the limit
18:27:26 <ayoung> rcrit, I know better than that....
18:27:32 <bknudson> why just ldap search? can't sql query take a long time, too?
18:27:49 <ayoung> bknudson, I think because timeout is a standard part of an ldap query
18:28:00 <gyee> bknudson, if an LDAP query takes a long time, something is misconfigured
18:28:06 <ayoung> pretty sure SQL has not such standard
18:28:08 <rcrit> it's a server-side thing.
18:28:17 <rcrit> I think, anyway
18:28:27 <ayoung> ldapsearch --hostname localhost -p 1389 --baseDn 'uid=user.0,ou=people,dc=example,dc=com' \
18:28:27 <ayoung> --searchScope base --sizeLimit 1 --timeLimit 1 '(&)' @inetOrgPerson
18:28:46 <bknudson> keystone doesn't have any control over the ldap server settings.
18:29:05 <ayoung> bknudson, no, but it can chose to use server side controls if they are available
18:29:06 <dolphm> bknudson: but we should totally change that
18:29:15 <dolphm> bknudson: keystone-manage configure_ldap_correctly
18:29:25 <henrynash> proposal: I'll create an etherpad that contains my most recent proposal from the ML (that is essentially to do things the way other projects do), link it to the bp and let others comment?
18:29:27 <gyee> damn straight
18:29:45 <topol> henrynash +1
18:29:51 <ayoung> bknudson, there is already something like that for AD, where it can make use of a control if the server supports it.  I'd have to dig up the commit.  Was probably done by CERN
18:30:02 <dolphm> henrynash: the way other projects do it is a great approach for SQL
18:30:07 <ayoung> henrynash, blueprint, link to the wishlist bugs
18:30:36 <henrynash> dolphm: I believe that my proposal at least ensures that we don't get long delays from LDAP
18:31:05 <henrynash> ayoung: this isn't a wishlst, we are implementing  a solution for H3
18:31:08 <bknudson> ldap.search_ext_s has a timeout= parameter.
18:31:20 <ayoung> henrynash, then up the priority of the bug
18:31:38 <bknudson> and can pass server and client controls if that's an option.
18:32:43 <ayoung> OK, I think we have an approach.Just please add me as a review on any LDAP changes.  I'll try to keep an eye out for them.  make sure LDAP is in the patch description
18:32:53 <gyee> meee 2
18:33:02 <henrynash> ayoung, gyee: ok!
18:33:23 <henrynash> dolphm: probably time for a new topic
18:33:26 <bknudson> what's the marker parameter? a value from the next entry?
18:33:53 <gyee> marker is suppose to be the last entry from the previous batch
18:33:54 <dolphm> henrynash: ++
18:34:01 <topol> henrynash I will be happy to review as well
18:34:03 <bknudson> so like uid?
18:34:09 <henrynash> bknudson: yep
18:34:10 <dolphm> ayoung: skip common client auth?
18:34:15 <ayoung> dolphm, no
18:34:25 <dolphm> #topic common client auth
18:34:25 <ayoung> just want people to know:
18:34:30 <dolphm> #link https://review.openstack.org/#/c/28043/
18:34:38 <henrynash> (ok, I have to duck out….sorry folks…., be back on later)
18:34:43 <ayoung> I submite a revert review for the osl change to auth client
18:34:44 <dolphm> giant patch
18:34:55 <ayoung> https://review.openstack.org/#/c/41578/
18:35:12 <bknudson> who reviewed the original patch in oslo-incubator?
18:35:14 <ayoung> and I talked with aababilov
18:35:24 <ayoung> we are going to work to get this integrated directly into the keystone client
18:35:41 <ayoung> jamielennox is aware and has responded to him as well.  This should be a good approach
18:36:18 <bknudson> I guess we can move it oslo-incubator after it's been used in keystoneclient if that's necessary
18:36:27 <dolphm> ayoung: i'm in favor of the notion... if absolutely nothing else, it's more likely we'll have more security-sensitive eyes on the code that way
18:36:27 <ayoung> bknudson, doesn't really matter.  I don't think they were aware that this was supposed to be a Keystone thing, too
18:36:28 <bknudson> but other clients should be able to import keystoneclient?
18:36:33 <ayoung> bknudson, no
18:36:44 <ayoung> bknudson, other clients should pull in keystone client as a library
18:36:56 <ayoung> won't go into oslo
18:37:13 <ayoung> bknudson, "but other clients should be able to import keystoneclient?" yes
18:37:53 <morganfainberg> much easier to keep it "correct" if keystoneclient owns it and it's not in oslo
18:38:00 <dolphm> ++
18:38:07 <morganfainberg> it means we wont run into projects lagging in sync
18:38:19 <morganfainberg> and causing auth issues.
18:38:21 <lbragstad> morganfainberg: +1
18:38:25 <ayoung> we may decide we want to break up keystone client over time.  I could easily see it as:  command line, keystone common library, keystone client library, and middleware.
18:38:29 <dolphm> morganfainberg: we need to make it stupid easy for other projects to consume us, which is NOT the case today :(
18:38:39 <morganfainberg> dolphm: yes, that is related to the topic.
18:38:40 <bknudson> different installs might have different levels of the client, and now we have to be very careful of backwards compatibility.
18:38:46 <morganfainberg> dolphm: and ++
18:39:08 <dolphm> everything from auth options -> client side token management -> authenticating requests to other services
18:39:12 <morganfainberg> bknudson: i think we are already having to watch closely on that wrt auth_token.
18:39:19 <ayoung> it would be nice if we could build that out of a single git repo.
18:39:39 <gyee> dolphm, like secured by default? which does nothing :)
18:39:42 <cody-somerville> Does shared common client auth also include the service catalog stuff?
18:39:51 <ayoung> cody-somerville, yes
18:40:11 <ayoung> cody-somerville, it is implicit that when you get a token you get the service catalog with it.
18:41:05 <cody-somerville> because it's broken in keystoneclient trunk currently - region_name get passed to AccessInfo (which would pass it on to ServiceCatalog if it was) and thus region_name is ignored.
18:41:28 <cody-somerville> and everyone seems to do things like url_for differently.
18:41:36 <ayoung> cody-somerville, file it in launchpad, or if it is filed, please link the bug
18:41:48 <cody-somerville> I haven't filed it yet but will be doing so today.
18:41:52 <gyee> service catalog needs a bit more work
18:42:03 <dolphm> the way we expose the service catalog is sad
18:42:07 <ayoung> cody-somerville, there was an expired review for region work,  which jaypipes is planing on resubmitting as an extension.
18:42:13 <cody-somerville> oops, I typoed: region_name *does not* get passed to AccessInfo
18:42:15 <ayoung> cody-somerville, thanks
18:42:25 <cody-somerville> +1
18:42:27 <gyee> dolphm, yeah, we need to go back to the drawing board on this one
18:42:45 <gyee> like how to facilitate API versioned urls
18:43:47 <cody-somerville> I'll note that it would probably be much appreciated if you guys kept the heat people appraised of any changes here
18:43:55 <ayoung> cody-somerville, will do
18:44:22 <bknudson> eventually we want all clients to use the common auth stuff
18:44:24 <dolphm> #topic open discussion
18:44:45 <bknudson> which means someone has to go through all the other clients and update them to use common auth
18:44:46 <dolphm> there's some high priority code reviews on the agenda --
18:44:56 <dolphm> #link https://review.openstack.org/#/c/39530/
18:45:02 <dolphm> #link https://review.openstack.org/#/c/38308/
18:45:07 <dolphm> #link https://review.openstack.org/#/c/40692/5
18:45:36 <morganfainberg> Ahh good, KDS has a new patchset.
18:45:39 <JoeHazzers> also, is there anything happening regarding external authentication methods?
18:45:54 <stevemar> #link https://review.openstack.org/#/c/29130/ dolphm, this one too :)
18:46:03 <ayoung> morganfainberg, the API does, yeah.  simo will  sync the code to API once it is clear there is not too much churn
18:46:12 <morganfainberg> ayoung: yep, that was what i meant
18:46:57 <gyee> code reviews from here on out
18:47:04 <ayoung> stevemar, I think oauth is close
18:47:16 <stevemar> ayoung, yay
18:47:22 <morganfainberg> stevemar: yeah, it's looking really good.
18:47:32 <gyee> JoeHazzers, what do you have in mind?
18:47:33 <topol> stevemar +1
18:47:53 <ayoung> I'll give it another look.  I assume no major changes since last I looked.  I withdraw the requests for making access tokensi nto Keystone tokens....although it might be worth revisint that in the future.
18:48:07 <ayoung> revisiting
18:48:08 <gyee> oauth ftw
18:48:19 <dolphm> ayoung: that reminds me... https://gist.github.com/dolph/6198529
18:48:26 <JoeHazzers> gyee: i know someone who wants to integrate kerberos, x509 and other authentication methods with keystone, such that the client and server (if running under say apache) can negotiate and authenticate via other methods than a simple username and password
18:48:44 <ayoung> dolphm, neat
18:48:46 <dolphm> ayoung: my first pass was with PKI-based oauth access_keys ... i switched to AES in the current gist, but will be switching back
18:48:49 <morganfainberg> dolphm: thats cool.
18:48:58 <ayoung> JoeHazzers, already done in Apache HTTPD
18:49:12 <ayoung> JoeHazzers, would not recommend trying to do it in Eventlet
18:49:14 <dolphm> basically the oauth secret is encrypted into the access key along with basic authz attributes
18:49:29 <JoeHazzers> yes, but how does client discovery or knowledge of these methods work?
18:50:02 <dolphm> project_id, role_names, secret = verify_access_key(access_key)
18:50:03 <ayoung> JoeHazzers, we are working on an extension for that.  THe kent federation review is going to split that off into its own extension
18:50:16 <JoeHazzers> okay!
18:51:37 <ayoung> JoeHazzers, the review is here: https://review.openstack.org/#/c/39499/ see the first two items on the list:  listing IdPs and listing protocols supported.
18:52:09 <ayoung> dolphm, should that piece end up part of keystone client?
18:52:35 <ayoung> One other review:   https://review.openstack.org/#/c/41471/
18:53:00 <morganfainberg> ayoung: i am checking on that FK constraint right now
18:53:20 <morganfainberg> I don't see it in the DB, but I'm going to 2x check to see what is going on.
18:54:08 <morganfainberg> trying it from a clean slate.
18:54:18 <dolphm> ayoung: yeah, parts of it
18:54:56 <dolphm> ayoung: keystoneclient doesn't have any business creating access tokens, but keystoneclient should be able to verify them (a la keystoneclient.common.cms.verify_token())
18:55:11 <ayoung> dolphm, yeah, that is what I was thinking
18:55:43 <dolphm> ayoung: keystoneclient.contrib.oauth.verify_access_token() or something?
18:55:48 <dolphm> oauth1*
18:56:52 <ayoung> 4 minutes.  Any last burning topics?
18:58:03 <gyee> who's going to IceHouse summit?
18:58:12 <morganfainberg> I'll be there
18:58:22 <topol> I plan on being there
18:58:24 <ayoung> I'll be there.
18:58:29 <gyee> same here
18:58:33 <stevemar> gyee: hopefully!
18:58:43 <ayoung> jamielennox and simo from RH as well representing IdM
18:58:49 <dolphm> gyee: o/
18:58:55 <topol> ayoung, a much better answer than last time
18:59:07 <ayoung> topol, I even have a book on Cantonese
18:59:21 <topol> ayoung, wow
18:59:21 <gyee> ayoung, I can teach the good stuff :)
18:59:23 <morganfainberg> ayoung: hehe
18:59:35 <ayoung> 我迷路了，請幫我
18:59:39 <topol> Im just gonna follow gyee everywhere
18:59:42 <stevemar> hehe
18:59:47 <stevemar> nice one ayoung
18:59:48 <morganfainberg> topol: that is a good idea
18:59:56 <topol> gyee, where we going to dinner. gyee what is this on the menu
19:00:16 <gyee> topol, I'll let you know what I ordered, after dinner :)
19:00:32 <ayoung> 我的氣墊船鰻魚
19:00:38 <topol> gyee, I've fallen for that before
19:00:55 <dolphm> #endmeeting