#openstack-meeting log

18:02:50 <dolphm> #startmeeting keystone
18:02:51 <openstack> Meeting started Tue Mar  4 18:02:50 2014 UTC and is due to finish in 60 minutes.  The chair is dolphm. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:02:52 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:02:55 <openstack> The meeting name has been set to 'keystone'
18:02:57 <dolphm> boris-42: success!
18:03:04 <dolphm> ayoung, bknudson, dstanek, jamielennox, morganfainberg, stevemar, gyee, henrynash, topol, marekd, lbragstad, joesavak, shardy, fabiog, fmarco76: ping
18:03:06 <boris-42> dolphm ou nice=)
18:03:11 <ayoung> w00t
18:03:13 <gyee> dolphm's got the magic command :)
18:03:31 <dolphm> #topic Reminder: Icehouse feature freeze today! (features must be merged)
18:03:53 <dolphm> at this point we've only got one open bp: https://review.openstack.org/#/c/55908/
18:03:53 <stevemar> dolphm, i thought it was the 6th :O
18:04:16 <dolphm> and one high priority bug fix: https://review.openstack.org/#/c/75727/
18:04:30 <dolphm> stevemar: i3 is cut today
18:04:34 <dolphm> stevemar: it's released on the 6th
18:04:39 <stevemar> dolphm, ah okay
18:04:53 <dolphm> stevemar: pretty sure our meeting agenda has said march 4th for a long while :)
18:04:58 <stevemar> i gave topol the wrong info yesterday :)
18:04:59 <topol> dolphm so after today can there still be bug fixes or no?
18:05:07 <dolphm> topol: absolutely
18:05:19 <dolphm> topol: bug fixes only for the next few weeks
18:05:22 <topol> dolphm, ok cool
18:05:27 <stevemar> bug fixing is encouraged
18:05:44 <dolphm> i've already started laying out our blockers to shipping icehouse:
18:05:45 <dolphm> #link https://launchpad.net/keystone/+milestone/icehouse-rc1
18:05:47 <bknudson> looks like march 27 is start of release candidates
18:06:11 <dolphm> once we cut an RC1, master will be re-opened for Juno features
18:06:42 <ayoung> 55908 now has the record for the most revisions on a single review.  80 as of now
18:06:48 <stevemar> 81*
18:06:55 <dolphm> and we'll have a milestone-proposed branch to backport further bug fixes to (RC2 bugs, if any)
18:06:55 <ayoung> HA!
18:07:59 <ayoung> stevemar, the thing that scares me is it still hasn't gotten the bknudson treatment.
18:08:15 <stevemar> ayoung, i always fear the bknudson treatment
18:08:49 <bknudson> it would take me so long to review the change I wouldn't get done until next week
18:09:03 <morganfainberg> bknudson, hehe
18:09:07 <bknudson> the only feedback I could give on it now is that it's too complicated for me to understand it
18:09:13 <ayoung> Well, it got it back on revision 23
18:09:16 <gyee> merge 55908 and call it experimental feature :)
18:09:45 <gyee> if we have to do it EOB today that is
18:10:04 <ayoung> dstanek, did I get your changes?
18:10:32 <dolphm> gyee: considering it's a security feature, that's not really acceptable
18:10:32 <dstanek> ayoung: i think so - was going over it before this meeting
18:10:56 <dolphm> we have enough silly vulnerabilities on our track record as it stands
18:10:59 <gyee> dolphm, but there's a kill switch
18:11:00 <ayoung> dstanek, yeah...just did the 80-81 diff
18:11:04 <gyee> I mean its an extension
18:11:08 <ayoung> its disabled by default
18:11:18 <morganfainberg> gyee, but security extension == scary
18:11:32 <stevemar> is there a dire need for it?
18:11:36 <gyee> morganfainberg, security is a process, software is a tool
18:11:40 <ayoung> it means it can be QA'ed before it is tested
18:11:45 <dolphm> ayoung: speaking of, you should definitely add SecurityImpact to the commit message
18:11:47 <ayoung> I think it needs to be in, experimental
18:11:58 <ayoung> dolphm, is there one if it in not enabled?
18:12:07 <dolphm> ayoung: ?
18:12:20 <morganfainberg> gyee, if it opens us up to security bugs, it doesn't matter if could cause a lot of headaches.
18:12:22 <ayoung> I mean, I'll do it, but there should be no impact until we tell people : go ahead an use it
18:12:29 <morganfainberg> gyee, not saying we shouldn't merge it.
18:12:48 <morganfainberg> gyee, just making sure we're aware what we're getting into
18:13:07 <ayoung> lets merge it with an eye to getting tempest support up to speed, the client using it, and a general shake out
18:13:15 <gyee> morganfainberg, sure, call it experimental would cover our asses
18:13:31 <bknudson> I don't think experimental will mean we don't have to provide security fixes for it.
18:13:44 <ayoung> I think we need to start doing that for new, big features.  Its part of the reason for doing it as an extension
18:13:46 <dolphm> ayoung: let's focus on *reviewing* it for now, not *merging* it
18:13:49 <bknudson> i.e., we will have to fix any security problems found whether it's experimental or not
18:13:50 <ayoung> ++
18:13:55 <dolphm> bknudson: ++
18:13:56 <morganfainberg> bknudson, ++
18:13:57 <gyee> bknudson, that's not what I mean, we'll have to fix whatever that is needed
18:14:18 <ayoung> dolphm, in general, though, we need an "experimental" track.
18:14:44 <ayoung> especially when changes need to be made both in server and client, and then tempest tests on top
18:14:50 <bknudson> maybe if we put in a big warning to not use this if you care about security??
18:14:53 <dolphm> ayoung: i've actually prototyped an @experimental decorator to complement the @deprecated one
18:14:53 <ayoung> ephemeral will be in the  same boat
18:14:57 <ayoung> ++
18:14:59 <bknudson> since there's lots of things you could do if you don't care about security
18:15:07 <morganfainberg> ayoung, actually, i hope ephemeral will be J1
18:15:16 <ayoung> morganfainberg, experimental in J1....
18:15:24 <morganfainberg> ayoung, so more drive time to get things in. last minute on merge day is hard to get in experimental or not
18:15:35 <ayoung> and GA in Juna GA
18:15:57 <ayoung> morganfainberg, you are right, I should have started this earlier.  Like back in Essex
18:15:59 <morganfainberg> ayoung, dolphm, i like the idea we work on reviewing.
18:16:11 <morganfainberg> if everything is looking good, we can hit +A
18:16:20 <morganfainberg> if not, we have something that can land J1
18:16:30 <dolphm> morganfainberg: ++
18:16:37 <morganfainberg> first review (after some sqlalchemy etc administativa if we're doing that)
18:17:05 <morganfainberg> and yes, i would target this as the absolute first feature of J1 if it pushes
18:17:29 <dolphm> morganfainberg: we said that about i2 -> i3, but the patchset more than doubled in size since then
18:17:41 <morganfainberg> dolphm, it's a big change. no doubt.
18:18:10 <morganfainberg> dolphm, but i don't see it doubling or even growing much at this point beyond "cleanup"
18:20:20 <ayoung> morganfainberg, so, I have tested the sql change to do it as an integer instead of a UUID and it looks right
18:20:30 <morganfainberg> ayoung, ++ cool
18:20:34 <ayoung> dolphm, wanted me to hold of on any more churn on the patch, though
18:20:50 <morganfainberg> fair enough.
18:20:50 <ayoung> I could potentially do it as a migration if desired
18:20:59 <morganfainberg> we should do that, but no need to lump it in
18:21:02 <ayoung> I'm going to post it WIP so you guys can see
18:21:44 <dolphm> i'd like to spend as much time as possible today reviewing code, so going to move on...
18:21:48 <morganfainberg> ayoung, ++
18:22:09 <dolphm> #topic Fixing multi-backend LDAP with composite user/group IDs
18:22:20 <dstanek> my biggest concern is that i don't know if i have the whole picture in my head about how this impacts security
18:22:29 <gyee> dolphm, beside that one, are there any other review that is high priority for today?
18:22:37 <ayoung> https://review.openstack.org/#/c/77954/
18:22:44 <ayoung> ^^ is the WI{P for SQL
18:22:45 <dolphm> gyee: https://review.openstack.org/#/c/55908/77 https://review.openstack.org/#/c/75727/ https://review.openstack.org/#/c/77215/
18:22:47 <ayoung> not a priority
18:22:51 <gyee> k
18:23:15 <dolphm> henrynash: shall we defer this conversation until we're open for juno?
18:23:31 <henrynash> dolphm: yes, I think so
18:23:37 <dolphm> henrynash: sounds good
18:23:39 <henrynash> I don't think we should ram this in
18:23:40 <dolphm> #topic Reconstruction of V3 tokens from API on validate - breaks some operator use-cases
18:23:42 <dolphm> morganfainberg: o/
18:23:49 <morganfainberg> i can follow up w/ henrynash later w/ what i talked w/ ayoung about last night
18:23:50 <morganfainberg> ok
18:23:56 <henrynash> thx
18:24:08 <ayoung> sorry henrynash
18:24:12 <gyee> morganfainberg, what's the problem? bug?
18:24:15 <topol> bknudson ++++
18:24:23 <henrynash> ayoung: getting it right is more improtant
18:24:27 <morganfainberg> so V3 tokens are reconstructed each time we do a validate - this means you must have a full keystone running to get a token validated. V2 uses data in the persistence
18:24:46 <gyee> no, its it token data
18:24:49 <bknudson> morganfainberg: v2 did it so v3 can't?
18:24:59 <morganfainberg> the issue is something Ryan_lane brought up, some people (g and h) only replicate the token store between sites
18:25:11 <bknudson> morganfainberg: uuid tokens?
18:25:11 <dolphm> (unfortunately Ryan_Lane doesn't seem to be on)
18:25:15 <jamielennox> morganfainberg: i'm not following
18:25:17 <gyee> we only reconstruct on mixing use cases, i.e. validating v2 token using v3 API
18:25:46 <dolphm> wikimedia has a multi-region deployment with a replicated token store across each region ( morganfainberg correct me if i'm wrong )
18:25:50 <ayoung> morganfainberg, let him file a bug
18:26:02 <ayoung> otherwise,  Juno summit fodder
18:26:28 <morganfainberg> gyee, https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L309 https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L209 etc
18:26:48 <morganfainberg> ayoung, i brought this up before i asked him to submit a bug.
18:26:49 <morganfainberg> gyee, https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L207
18:26:58 <dolphm> ayoung: wikimedia's architecture is something we supported in essex, folsom, and grizzly. we broke it in havana
18:27:11 <henrynash> (My connectivity may go out in a while…if so I'll reconnect later)
18:27:18 <morganfainberg> gyee, we basically need to clean that up and ensure we don't have broken tokens.
18:27:26 <bknudson> so if you asked for ?nocatalog before then when you validate you'll get a different catalog?
18:27:30 <ayoung> ephemeral will solve that, too.
18:27:30 <morganfainberg> bknudson, yep
18:27:34 <dolphm> bknudson: yes
18:27:34 <morganfainberg> ayoung, correct
18:27:49 <morganfainberg> ayoung, but we may want to clean this up as a bug in I, backport to H
18:28:03 <ayoung> that is fine....and I think we can do that
18:28:21 <morganfainberg> ayoung, i wanted a quick consensus from the core team before i had the bug filed
18:28:28 <ayoung> especially now that we support a reddis backend natively, he might be more inclined to participate, too
18:28:40 <morganfainberg> ayoung, and if we think that fixing / backport is good, we'll get the bug filed and tagged
18:28:49 <morganfainberg> it's not a lot of cleanup
18:28:50 <morganfainberg> so i think it's reasonable
18:28:57 <dolphm> morganfainberg: my question is whether it should be an RC blocker?
18:29:01 <ayoung> yeha, reconstitute is wrong.  It means that if we slip and don';t revoke the token when one of the roles or something changem the content of the token is different
18:29:05 <dolphm> morganfainberg: given that it's already a bug in havana, i'd think not
18:29:11 <morganfainberg> dolphm, i think not
18:29:19 <morganfainberg> dolphm, i think if we miss RC we will backport to I
18:29:25 <gyee> morganfainberg, https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L633
18:29:34 <gyee> and my comment above that line
18:30:03 <gyee> if token_data is in the ref, we return it as is
18:30:19 <morganfainberg> gyee, well, sortof.
18:30:24 <morganfainberg> gyee, there are a lot of gaps that could call into keystone
18:30:36 <morganfainberg> gyee, we should remove the reconstruct code completely
18:30:49 <morganfainberg> gyee, make sure we only store valid tokens
18:30:51 <gyee> morganfainberg, no, fox mixing use cases
18:31:13 <gyee> unless we abstract the token format
18:31:19 <morganfainberg> gyee, that is my plan
18:31:37 <ayoung> gyee, yeah...convert v2 to v3 and vice-versa should be a tool in the provider, but shoud not go to the backend unless absolutelt necessary to fill in attributes
18:31:52 <gyee> ayoung, problem is that signature
18:32:07 <gyee> for PKI tokens, signature is generate on issuance
18:32:21 <morganfainberg> gyee, we can still return the same data we had before
18:32:25 <ayoung> gyee, for revocation I wanted to convert a v2 to v3 and then have a unified logic
18:32:44 <gyee> sure, if we can do it without breaking the signature, I am all for it
18:32:48 <morganfainberg> gyee, but i expect i can fix the tokens to contain what they need
18:33:22 <topol> how do you not break the signature???
18:33:26 <morganfainberg> gyee, ayoung, dolphm, i think the consensus is we can fix this, bug filed, and see what we can do
18:33:27 <gyee> morganfainberg, the tricky part is the signature
18:33:37 <dolphm> morganfainberg: ++
18:33:43 <dolphm> #topic open discussion
18:33:46 <gyee> topol, don't temper that data
18:33:54 <bknudson> add the right random data to the end of the token data and you can get the same signature
18:34:02 <morganfainberg> bknudson, hehe
18:34:19 <morganfainberg> I have one more topic!
18:34:20 <morganfainberg> :)
18:34:22 <morganfainberg> SQL migrate collapse
18:34:26 <bknudson> there's been some discussion in OSSG about doing a thread analysis...
18:34:27 <ayoung> bknudson, I think calculating that data is NP Hard
18:34:36 <bknudson> oops
18:34:39 <bknudson> threat analysis
18:34:54 <morganfainberg> I am working on collapsing down migrations to start with havana for icehouse (like how nova does it)
18:34:59 <ayoung> the thread of threats?  The threat of threads?
18:35:05 <morganfainberg> any concerns? i think it's generally a positive move
18:35:07 <ayoung> morganfainberg, +++++++++
18:35:25 <morganfainberg> i expect to have this in before RC, it's not too complex a change
18:35:26 <ayoung> morganfainberg, just do it from the bottom up,  and keep the interim tests if possible
18:35:36 <bknudson> see https://docs.google.com/file/d/0B1aEVfmQtqnoMmpPZ3hmUHpBa1k/edit for the thread modeling process
18:36:01 <bknudson> here's the a keystone-specific one: https://docs.google.com/file/d/0B1aEVfmQtqnobzB6M21uMEFXNUE/edit
18:36:03 <gyee> and static source code analysis
18:36:05 <gyee> pen testing
18:36:09 <morganfainberg> ayoung, i'm working to ensure the schema is the same from 036_havana as 036_token_somethingsomething.py
18:36:24 <morganfainberg> ayoung, if the schema lands the same, i'm happy, if not... ick
18:36:32 <bknudson> morganfainberg: collapsing the migrations would be good... I suspect it would speed up the tests significantly
18:36:43 <bknudson> although there's probably other ways to speed up the tests too.
18:36:48 <morganfainberg> ayoung, testing will be mucked with (sql update) once i'm sure the schema is good
18:36:58 <morganfainberg> bknudson, i think it's important to make it easier to maintain migrations
18:37:00 <ayoung> morganfainberg, we want the interim tests in the migrations that check columns and such...the migrations can probably be dropped
18:37:09 <morganfainberg> ayoung, ++ yep
18:37:33 <morganfainberg> ayoung, the "has X changed from Y" checks will need to go esp where they check before/after
18:37:41 <ayoung> ++
18:37:45 <ayoung> sounds like you are on track
18:37:52 <morganfainberg> ayoung, it'll resduce sql upgrade complexity
18:37:57 <morganfainberg> reduce even
18:38:19 <morganfainberg> bknudson, a minor speedup will be a side benefit
18:38:28 <morganfainberg> ok thats all from me :)
18:38:46 <bknudson> and I just wanted to bring up the threat analysis if anyone was interested.
18:38:52 <morganfainberg> bknudson, ++
18:39:46 <topol> I'll just pad a few extra chars to the end of the  threat analysis doc until I decide I like it
18:39:49 <gyee> bknudson, we've done some threat analysis and pen testing internally
18:40:07 <morganfainberg> gyee, any fuzz testing?
18:40:10 <gyee> lemme talk to our security folks to see if they want to contribute
18:40:20 <gyee> no fuzz testing :)
18:40:31 <morganfainberg> gyee, i'd love to see fuzz testing against our APIs
18:40:33 <gyee> choas monkey testing, yes
18:40:41 <morganfainberg> it might be super interesting results
18:41:03 <bknudson> I think we know already that keystone does no input validation.
18:41:08 <gyee> we also have requirement for FIFS 140-2 certificate, which is insane
18:41:08 <bknudson> except in the few places we've put it in
18:41:10 <lbragstad> ++
18:41:13 <gyee> certification
18:41:24 <gyee> I basically had to tell them to back off
18:41:28 <bknudson> gyee: we've had the same FIPS 140-2 request.
18:41:31 <morganfainberg> bknudson, sure, but it would be cool to have a definitive "here is what we need to fix" target.
18:41:48 <gyee> bknudson, don't go FIPS 140-2 yet, your life will be miserable
18:41:56 <ayoung> I've got a one line change for 55908.  I'm going to post it now
18:42:04 <bknudson> gyee: it has made me miserable already
18:42:10 <ayoung> FIPS!
18:42:21 <dolphm> gyee: have you submitted any vulnerabilities?
18:42:30 <dstanek> i also want to warn everyone about https://blueprints.launchpad.net/keystone/+spec/more-code-style-automation
18:42:49 <gyee> dolphm, one I think, from last release
18:43:00 <gyee> actually, ayoung submitted it for me
18:43:07 <dstanek> i was frustrated over the weekend because it seems like all reviews have a lot of the same problems - no i'm automating some of the common ones
18:43:19 <morganfainberg> dstanek, btw thanks for fixing the comments on ayoung's review, i was too tired to get those in cleanly last night post review
18:43:29 <ayoung> You guys rock...much appreciated
18:43:40 <ayoung> this one was really a team effort, to include YorikSar...
18:43:50 <dstanek> morganfainberg: automation my friend, automation :-)
18:43:55 <gyee> dolphm, I am thinking submitting another one for scoping trust to ec2 key
18:43:56 <morganfainberg> dstanek, ++
18:44:02 <gyee> that's a vulnerability in the making
18:44:22 <dolphm> dstanek: is your goal to get those into hacking?
18:44:54 <dstanek> dolphm: yes, i'm going to get them running for us first though
18:45:09 <bknudson> can we have keystone-specific hacking?
18:45:16 * lbragstad listens...
18:45:19 <dstanek> bknudson: absolutely!
18:45:22 <lbragstad> good question.
18:45:31 <ayoung> can people get  tox -edocs  to run on their local machines?  Am I the only one that has it broken?
18:45:43 <stevemar> dstanek, i like that, i'm gong to add more
18:45:48 <topol> we already have keystone-specific: use single quotes overt double quotes when possible
18:46:04 <topol> its just small
18:46:04 <stevemar> ayoung, it runs just fine
18:46:10 <gyee> topol, that's a keystone thing?
18:46:20 <lbragstad> i pushed up a hacking check for inline comments, but not sure they agree.
18:46:21 <dstanek> bknudson: i only have 3 of the check i was working on running against our code - i'll submit a review for those and the checks shortly after the meeting
18:46:22 <bknudson> ayoung: works for me... might want to rm -r doc/build doc/source/api
18:46:33 <topol> it wa sin keystone hacking last time I looked. and not much else
18:46:49 <dstanek> topol: where is that check?
18:46:52 <ayoung> git clean -xdf doc/  that was probably it
18:46:53 <bknudson> topol: I mean custom automated checks.
18:47:13 <topol> no its not automated... :-)
18:47:19 <lbragstad> dstanek: actually, the one I pushed for review is the first one on your list
18:47:24 <dstanek> topol: oh, you mean documented. i wrote a check for that already too!
18:47:37 <dolphm> topol: but it's not automated
18:47:40 <bknudson> dstanek: you've got one for use ' ?
18:47:41 <topol> yes, our documented list is quite small
18:47:56 <dstanek> bknudson: yes, or " if the string contains a '
18:48:32 <bknudson> dstanek: great!
18:48:43 <dstanek> these are all either separate functions or classes (based on the type of check) and as a group we can decide what to keep and where i went overboard
18:48:45 <bknudson> I assume it hits a lot of existing code.
18:48:58 <topol> bknudson++
18:49:05 <bknudson> we need a pep8 tool that FIXES the problems, not just complains
18:49:15 <dstanek> bknudson: yeah, yesterday i walked through the code and fixed it for a few of the checks
18:49:20 <dstanek> those are the ones i'll submit today
18:49:34 <dstanek> i'll get to more probably tonight
18:49:52 <topol> dstanek anything that keeps the code from getting sloppy via automation is very cool
18:49:56 <bknudson> I'm not sure that we want to add new pep8 checks now...
18:50:18 <bknudson> that could be a lot of churn
18:50:32 <topol> bknudson, wait till juno?
18:50:37 <ayoung> topol, PyCharm is pretty good for that
18:50:40 <bknudson> I'd prefer to wait until juno
18:50:50 <topol> me too
18:51:28 <bknudson> depends on the changes required to add it.
18:52:09 <dstanek> the first few there were not a ton of changes...but it'll also make patches failed that are already passing in the review process
18:52:38 <gyee> ayoung, https://review.openstack.org/#/c/77215/4/keystoneclient/middleware/auth_token.py, why are we still using v2.0 to fetch the cert? Didn't jamielennox added the API for v3?
18:52:52 <stevemar> dstanek, i added a few, i really like the idea, and appreciate the effort
18:53:03 <ayoung> gyee, yeah, and we need to update the client
18:53:11 <jamielennox> gyee: there is server side support, there isn't client side
18:53:19 <ayoung> gyee, that was just a bug fix change.
18:53:22 <dstanek> this all started when i was thinking about creating a project called nit-picker that would use git-review to pull patches locally and run the checks
18:53:25 <dolphm> bknudson: i'd be happy to see stylistic consistency changes land anytime, even during the push to RC. i'd argue that it will make backporting from master to icehouse later on a bit easier
18:53:32 <ayoung> jamielennox, he's talking about the atomic write change
18:53:34 <gyee> so should we it in the same patch or a separate one?
18:53:49 <ayoung> separate
18:53:52 <jamielennox> gyee, ayoung: sorry haven't been watching
18:53:55 <morganfainberg> dstanek, i think a lot of that can be moved into hacking eventually.
18:54:01 <stevemar> dstanek, some may not be automatable, but i wanted to add stuff i commonly have to mention in reviews
18:54:05 <dstanek> morganfainberg: i hope so
18:54:28 <gyee> ayoung, maybe a separate patch, but enabling an options to store the certs in memcache would be nice too
18:54:35 <ayoung> gyee, this is for writing the file, makes no change to fetching it.  We can do one for using V3 on top of it, but we need to support both v2 and v3 for a while
18:54:36 <dstanek> stevemar: add whenever you can think of - if we can't automate then at least we have a list to point to for newcomers
18:54:48 <stevemar> dstanek, rgr that
18:54:55 <gyee> ayoung, k
18:54:56 <ayoung> gyee, memcache does us no good, as we need them in the FS in order to call openssl
18:55:23 <bknudson> we have a review checklist already: https://wiki.openstack.org/wiki/ReviewChecklist
18:55:43 <ayoung> bknudson, AH...reminds me
18:55:53 <ayoung> can we generate the sample conf using setup.py?
18:56:06 <ayoung> if it is generated code, it should not really be checked in
18:56:07 <gyee> ayoung, yeah, need to figure out how to do this in-process, popen is expensive
18:56:52 <gyee> https://review.openstack.org/#/c/77215 looks good, I am going to push the button, unless there are objections
18:56:54 <bknudson> on a patch earlier today the pep8 check for the sample failed... I think it was because my version of oslo.messaging didn't match the current one
18:56:55 <ayoung> gyee, it may be, but not in the way you think.  popen can be fairly light weight
18:56:56 <topol> ayoung, didnt we have a similar conversation to what gyee suggested at the diner at the hackathon???
18:57:12 <bknudson> they released a new version of the library and that caused the help strings to change!
18:57:15 <dolphm> topol: (gyee wasn't at the hackathon)
18:57:32 <gyee> topol, must be my evil twin brother
18:57:32 <topol> dolphm, I know, but ayoung and I disucssed this
18:57:36 <dolphm> topol: oh the conversation with ayoung as at the hackathon, got it
18:57:42 <dolphm> topol: misread
18:57:46 <topol> :-)
18:58:22 <dolphm> ayoung: the goal of checking keystone.conf.sample into the repo is to provide documentation
18:58:51 * dolphm 2 minutes, ish
18:58:58 <dstanek> gyee: it looks ok, i think the comment may in inaccurate though
18:59:35 <gyee> dstanek, you mean the encoding comment?
18:59:48 <morganfainberg> dolphm, ayoung , https://review.openstack.org/#/c/77789/ https://review.openstack.org/#/c/77790/
19:00:03 <dstanek> gyee: yes, https://review.openstack.org/#/c/77215/4/keystoneclient/middleware/auth_token.py
19:00:26 <dolphm> #endmeeting