#openstack-meeting log

18:03:16 <morganfainberg> #startmeeting Keystone
18:03:17 <openstack> Meeting started Tue Mar 24 18:03:16 2015 UTC and is due to finish in 60 minutes.  The chair is morganfainberg. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:03:18 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:03:21 <openstack> The meeting name has been set to 'keystone'
18:03:21 <morganfainberg> Hi everyone!
18:03:25 <stevemar> howdy
18:03:29 <ayoung> morganfainberg, what was that?  a salute?  o]
18:03:36 <morganfainberg> ayoung, maybe
18:03:41 <rodrigods> o/
18:03:44 <ayoung> or "you must be this tall to enter the meeting..."
18:03:47 <htruta> o-
18:03:54 <htruta> ayoung: :(
18:03:54 <bknudson> we're all here ooooooooooooo
18:03:55 <morganfainberg> as stated we have results of FFEs
18:04:00 <raildo> o/
18:04:04 <marekd> Hello
18:04:05 <samueldmq> hello
18:04:06 <morganfainberg> #topic FFE Results
18:04:26 <morganfainberg> #info Domain-SQL FFE Granted, please complete the work by end of week (this week)
18:04:28 <ayoung> (^-^)ゝ
18:04:35 <morganfainberg> I'll be unblocking the reviews after the meeting
18:04:53 <morganfainberg> #info IDP Registration FFE Granted, please complete this work by EOW
18:04:59 <dstanek> hiya
18:05:11 <morganfainberg> #info ECP Wrap FFE Granted, Please complete this work by next meeting
18:05:28 <marekd> morganfainberg: thanks
18:05:43 <morganfainberg> #info Reseller FFE - deferred until liberty. Risk based on restructuring of domains and scope of work is the reason for the delay.
18:06:08 <morganfainberg> just going to move quickly through the start of the meeting
18:06:13 <morganfainberg> most of it is just nnouncements
18:06:17 <morganfainberg> or reminders
18:06:18 <stevemar> all sounds good to me
18:06:35 <morganfainberg> #topic Use kilo-rc-potential tag for triage
18:06:50 <morganfainberg> If a bug is a nice to have (not a blocker) use the 'kilo-rc-potential' tag, do not assign it to the milestone
18:06:56 <morganfainberg> if it is a blocker put it on the milestone
18:07:11 <morganfainberg> #topic REMINDER: Feature Freeze and String Freeze in Effect.
18:07:15 <bknudson> we can merge bug fixes either way?
18:07:22 <morganfainberg> #undo
18:07:23 <openstack> Removing item from minutes: <ircmeeting.items.Topic object at 0x8b4f090>
18:07:26 <morganfainberg> bknudson, yes.
18:07:36 <morganfainberg> bknudson, as long as the bug isn't risky to fix
18:07:44 <morganfainberg> or introduces violations of string freeze
18:07:45 <morganfainberg> etc
18:07:57 <morganfainberg> and once merged go ahead and tag it to the milestone
18:08:03 <morganfainberg> the tag is just for triage
18:08:13 <morganfainberg> #topic REMINDER: Feature Freeze and String Freeze in Effect.
18:08:16 <morganfainberg> #link https://wiki.openstack.org/wiki/StringFreeze
18:08:31 <morganfainberg> please be aware of string freeze when approving code.
18:08:50 <morganfainberg> annnd thats it for my quick announcement stuff
18:09:01 <morganfainberg> on to the meat
18:09:11 <morganfainberg> #topic Log working group liasion
18:09:14 <morganfainberg> bknudson, o/
18:09:30 <bknudson> there's a log working group that has held a couple of meetings
18:09:42 <bknudson> they're looking for a liaison from each project.
18:09:42 <gyee> wiki?
18:10:05 <ayoung> Its Log Its log Its Log Its log its heavy its made out of wood
18:10:05 <bknudson> #link https://wiki.openstack.org/wiki/Meetings#OpenStack_Log_Working_Group_Meeting
18:10:26 <morganfainberg> ayoung, better than bad, it's good!
18:10:29 <bknudson> anyways, if someone wants to sign up to be the liaison for keystone then sign up.
18:10:41 <bknudson> if you love log
18:10:46 <ayoung> bknudson, I nominate Topol
18:10:52 <lbragstad> bknudson: does it require sync responsibilities?
18:10:53 <ayoung> logs are kindof like audit
18:10:54 <bknudson> works for me.
18:11:10 <morganfainberg> best part is topol isn't here
18:11:12 <bknudson> they might ask about making changes in keystone.
18:11:25 <dstanek> ++ for Uncle Brad
18:11:33 <henrynash> (I’m actually Ok volunteeding if Topol is too bust)
18:11:33 <bknudson> to support whatever they're working on... e.g., request IDs
18:11:40 <henrynash> or busy even
18:11:52 <morganfainberg> ok so henrynash please cicleup w/ topol and figure out which (or both) will do it
18:12:03 <henrynash> morganfainberg: will do
18:12:20 <ayoung> henrynash, we can't spare you
18:12:26 <dstanek> henrynash: isn't that really late for you?
18:12:41 <lbragstad> 20:00 UTC
18:12:46 <bknudson> maybe we need to redo the meeting time.
18:13:15 <marekd> bknudson: this one or the log-working-group ?
18:13:25 <bknudson> the log working group
18:13:31 <morganfainberg> henrynash if the time doesn't work out for you, please let me/keystone group know
18:13:36 <morganfainberg> henrynash, we can look for another liason
18:13:42 <henrynash> (aaah  and if its 20:00 UTC then I may withdraw my application :-) )
18:14:41 <henrynash> topol & I will chat
18:14:43 <marekd> it's beer time for henrynash :-)
18:14:45 <bknudson> ok, that was it. if you're interested attend the meeting.
18:14:48 <morganfainberg> henrynash, sounds good.
18:15:02 <dstanek> if we don't have any other volunteers i will do it - henrynash let me know if you/topol can't
18:15:03 <morganfainberg> on the topic of logs
18:15:05 <bknudson> logging in keystone is not the best.
18:15:09 <morganfainberg> #topic Drop curl notation in logs (especially server-side logs)
18:15:13 <bknudson> you might have noticed.
18:15:36 <morganfainberg> The request came that we should adjust the logging from KSC to not be "curl" debugging. you can't use the line anymore due to the obfuscation of the token
18:15:54 <morganfainberg> this is really more relevant from the session object itself not KSC.
18:16:01 <bknudson> what do they want that's so much better?
18:16:02 <marekd> morganfainberg: but you see how to call this line if you need to...
18:16:11 <morganfainberg> give the important information but not wrap it in curl
18:16:17 <morganfainberg> thats all that was being asked
18:16:21 <morganfainberg> i said we'd bring it up at the meeting
18:16:22 <ayoung> systemd and journald  of course!
18:16:26 <morganfainberg> didn't say anything else.
18:16:31 <bknudson> make it an option
18:16:38 <jamielennox> i like the curl command, i have used it a number of times - though i must say it's a pain that we obsfucated the token
18:16:48 <morganfainberg> bknudson, i think it's fair that we offer a logging format
18:16:50 <lbragstad> jamielennox: ++
18:17:02 <bknudson> they can always mock it.
18:17:12 <bknudson> my answer to everything now.
18:17:27 <morganfainberg> bknudson, if we just make it an option - a simple formatter that has known replacements i think that is sufficient
18:17:40 <morganfainberg> and again this is session
18:17:43 <morganfainberg> not ksc proper
18:18:09 <morganfainberg> the complaint comes from running nova in debug and seeing curl debug lines talking to neutron
18:18:19 <gyee> use log filters?
18:18:25 <morganfainberg> anyway. nothing to be done yet, please mull it over when thinking about logging
18:18:33 <morganfainberg> and logging enhancements
18:18:40 <bknudson> that definitely isn't very handy to have curl lines there, and I assume it's a lot shorter to not use it.
18:19:13 <gyee> bkundson, some of us still using curl for troubleshooting
18:19:18 <morganfainberg> bknudson, i would agree we could be more terse in that case. it's one place our logging is good just in a not-that-useful format
18:20:07 <jamielennox> is there a different log level we could emit it on?
18:20:08 <morganfainberg> we can circle up on that as we have more logging discussion
18:20:09 <bknudson> it'll still have all the info
18:20:13 <jamielennox> trace3 or something?
18:20:25 <morganfainberg> jamielennox, once trace is a thing again, yes
18:20:32 <marekd> jamielennox: or maybe even try to separate curl logging and store in different file?!
18:20:33 <morganfainberg> jamielennox, or something like that
18:20:33 <ayoung> morganfainberg, sounds like a spec is required there.  If we are going to be picky about log formats, we should actually design  them
18:20:45 <morganfainberg> ayoung, yeah. it's something to revisit in L.
18:20:46 <bknudson> use tract now and it'll get logged higher than error
18:20:48 <bknudson> trace
18:21:05 <jamielennox> really? didn't know that
18:21:12 <morganfainberg> bknudson, yeah it has to wait until trace is again a "trace" level not a "traceback" thing
18:21:31 <morganfainberg> lets revisit in L
18:21:37 <morganfainberg> we wont get much done on this in kilo anyway
18:21:37 <jamielennox> marekd: it'd require some sort of filter to seperate becasue other things in session log to debug
18:21:45 <clarkb> whatever you replace it with the general output is super handy
18:21:57 <morganfainberg> with the split of session and common stuff out of ksc coming in L it becomes interesting to consider
18:22:12 <clarkb> just recently used it to discover that keystone was returning an unroutable address to deal with tokens at which of course made nova/neutron fail
18:22:13 <morganfainberg> clarkb, yes, the data needs to stay.
18:22:24 <morganfainberg> clarkb, no question we don't want to eliminate any of the info
18:22:35 <morganfainberg> clarkb, just maybe not add "curl" in the line
18:22:40 <morganfainberg> and curl "flags"
18:22:40 <bknudson> he he
18:22:46 <bknudson> --insecure?
18:22:52 <morganfainberg> bknudson, sigh yeah...
18:23:10 <morganfainberg> that would be one i'd like to *NOT* log
18:23:27 <morganfainberg> anyway
18:23:29 <bknudson> should log a warning every time.
18:23:34 <morganfainberg> bknudson CRITICAL
18:23:43 <morganfainberg> :P
18:23:48 <morganfainberg> ok moooooving on
18:24:01 <morganfainberg> #topic keystoneclient release:  auth-token-use-client
18:24:05 <morganfainberg> bknudson, o/ again
18:24:20 <morganfainberg> #link https://review.openstack.org/#/c/144248/
18:24:22 <bknudson> oh, just wondering if we wanted a release of keystoneclient
18:24:29 <rodrigods> I do :)
18:24:34 <morganfainberg> bknudson, we will have one for sure with RC
18:24:37 <rodrigods> HMT stuff is there
18:24:37 <morganfainberg> we can do another one earlier
18:24:40 <bknudson> then I can make progress on my middleware bp to use keystoneclient.
18:25:01 <morganfainberg> bknudson, i can cut a release today if you want... just remember g-r wont be updated
18:25:07 <morganfainberg> so you can't really rely on the new stuff
18:25:12 <morganfainberg> or g-r might not be updated
18:25:18 <morganfainberg> for a bit? till L?
18:25:26 * morganfainberg isn't sure about the client minimums
18:25:27 <bknudson> I can deal with that.
18:25:34 <jamielennox> i'm pretty sure g-r is frozen for kilo
18:25:39 <amakarov> btw, are we still using keyring in keystoneclient?
18:25:48 <morganfainberg> amakarov, ^ jamielennox
18:25:52 <bknudson> worst that they can do to me is -2
18:25:54 <marekd> amakarov: are we at all using it?
18:26:06 <bknudson> I hope that's the worst they can do.
18:26:09 <marekd> jamielennox: what is g-r
18:26:10 <morganfainberg> bknudson, i'll plan a ksc release today or tomorrow
18:26:14 <morganfainberg> marekd, global requirements
18:26:15 <bknudson> thanks!
18:26:15 <jamielennox> amakarov: it's still there, i'd be 50/50 if it works
18:26:29 <amakarov> marekd, I was asked about it yesterday and found remains of it in the code
18:26:36 <bknudson> keystone CLI is deprecated
18:26:41 <marekd> amakarov: merged or proposed ?
18:26:42 <morganfainberg> #action morganfainberg to release keystoneclient March 24 or 25
18:26:45 <jamielennox> it doesn't work with session and plugins
18:27:06 <morganfainberg> amakarov we can't remove it if people use ksc cli
18:27:08 <amakarov> marekd, I think, just forgotten :)
18:27:10 <morganfainberg> and rely on it
18:27:17 <morganfainberg> but ... ksc's cli is deprecated
18:27:31 <morganfainberg> unless someone finds a security problem we will not be updating/changing it.
18:27:35 <amakarov> morganfainberg, well, but --os-keyring parameter isn't there
18:27:36 <morganfainberg> openstack client is way better
18:27:44 <jamielennox> there's a message and everything now to say deprecated
18:27:50 <morganfainberg> which reminds me of something i need to bug stevemar about...
18:27:56 <morganfainberg> but not here
18:28:14 <clarkb> doesn't openstackclient use keystone client?
18:28:17 <amakarov> morganfainberg, the question was from documentation team and I was a little confused
18:28:17 <morganfainberg> actually
18:28:19 <stevemar> morganfainberg, another time, osc meeting is on thursday
18:28:23 <morganfainberg> clarkb, not the CLI part
18:28:27 <stevemar> clarkb, yeah, but not the CLI parts
18:28:39 <morganfainberg> stevemar, jamielennox, so ran into an issue trying to use OSC for bootstrapping a cloud
18:29:02 <morganfainberg> stevemar, jamielennox, might be an old version of osc, i'll check with some folks and make sure to file appropriate bugs.
18:29:25 <morganfainberg> but it basically errored all over the place when trying to do things w/ the admin token for bootstrap, and we had to use keystone cli to make it work.
18:29:42 <morganfainberg> stevemar, jamielennox, so maybe a doc update is needed.
18:29:49 <morganfainberg> i'll get you guys info on it
18:29:54 <gyee> morganfainberg, the token_endpoint plugin still works for me
18:29:57 <stevemar> morganfainberg, sounds like an old issue, yeah get us info
18:30:00 <bknudson> seems like should use keystone-manage for that and get rid of admin token
18:30:02 <morganfainberg> hey, bknudson - guess what?
18:30:03 <bknudson> too scary
18:30:11 <morganfainberg> bknudson, yes i expect to be proposing that for L
18:30:38 <bknudson> morganfainberg: what?
18:30:40 <morganfainberg> #topic bandit update
18:30:46 <morganfainberg> bknudson, o/ you again
18:30:50 <bknudson> y, so they released bandit today
18:30:52 <bknudson> it's on pypi
18:30:56 <morganfainberg> yay
18:31:04 <bknudson> so the next step is to get an experimental job in infra
18:31:07 <ayoung> What is bandit and why do we care?
18:31:22 <stevemar> ayoung, its pretty neat
18:31:23 <bknudson> bandit is the static code analysis for security issues
18:31:36 <bknudson> we had a presentation at this meeting a few weeks ago
18:31:43 <ayoung> Right...I recall it
18:31:45 <lbragstad> ayoung: #link https://wiki.openstack.org/wiki/Security/Projects/Bandit
18:31:48 <ayoung> forgot the name, though
18:31:53 <morganfainberg> bknudson, +1 on the infra change from me.
18:32:11 <bknudson> and there's a review to add the tox target
18:32:20 <dstanek> bknudson: nice
18:32:25 <marekd> bknudson: how do we use tox + bandit ?
18:32:27 * morganfainberg is excited to see bandit run.
18:32:28 <marekd> tox -ebandit
18:32:33 <morganfainberg> marekd, that is the idea
18:32:33 <lbragstad> bknudson: is there a review already up for the exp. job?
18:32:37 <marekd> and it would analyze the code?
18:32:52 <bknudson> lbragstad: https://review.openstack.org/#/c/157595/
18:32:56 <bknudson> is the infra review
18:33:10 <bknudson> once that merges I'll do recheck experimental a few times to make sure it works
18:33:12 <lbragstad> bknudson: cool, thanks!
18:33:15 <bknudson> then I'll probably update the job to nonvotine
18:33:18 <bknudson> nonvoting
18:33:20 <gyee> hopefully a non-voting gate, I do worry about the false positives
18:33:23 <bknudson> and then update to make it voting.
18:33:32 <bknudson> if people are happy with it.
18:33:38 <marekd> ++
18:33:48 <morganfainberg> gyee, long term voting, but it'll go non-vote first
18:33:50 <bknudson> we can discuss that later.
18:34:06 <bknudson> that was it.
18:34:11 <morganfainberg> bknudson, i assume it'll be a check-only right?
18:34:14 <morganfainberg> even voting?
18:34:14 <bknudson> we'll be the first to get it.
18:34:17 <morganfainberg> vs. gate?
18:34:21 <bknudson> right now it's experimental
18:34:26 <gyee> static code analysis I dealt with in the past tend to give out a ton of false positives
18:34:38 <bknudson> gyee: we've got more control over bandit.
18:34:50 <morganfainberg> right but longer view, doesn't need to be gate job, could remain check only
18:34:51 <dstanek> gyee: i've been playing with this for a while and i don't think it'll be too much on an issue
18:34:55 <morganfainberg> anyway
18:35:01 <morganfainberg> uhm...
18:35:13 <morganfainberg> so 2 more quick things.
18:35:43 <morganfainberg> #topic no-spec BP review
18:35:51 <morganfainberg> #link https://blueprints.launchpad.net/python-keystoneclient/+spec/plugin-wrapper
18:36:00 <morganfainberg> #link https://blueprints.launchpad.net/python-keystoneclient/+spec/generic-plugins
18:36:13 <morganfainberg> for the record i'm ok with this not having a spec
18:36:23 <morganfainberg> but please feel free to voice concerns if they need them
18:36:49 * bknudson votes no spec reqd for these.
18:36:54 <gyee> same here
18:37:12 <marekd> me too
18:37:13 <dstanek> i see no reason to require it
18:37:16 <bknudson> although I wouldn't mind one.
18:37:31 <morganfainberg> bknudson, no spec required != no spec provided
18:37:32 <bknudson> since it would be nice to see a code sample
18:37:32 <morganfainberg> ;)
18:37:32 <jamielennox> yea, i don't think they need a spec, they're both reasonably trivial just more of a new feature than a bug
18:37:53 <morganfainberg> ok going onece
18:37:57 <morganfainberg> twice.....
18:38:00 <lbragstad> works for me
18:38:19 <morganfainberg> jamielennox: please update the BPs and provide a link to this meeting notes saying no-spec confimed
18:38:46 <jamielennox> having said that there is a spec out for KSC that i'd like to bring to peoples attention: https://review.openstack.org/164582
18:39:13 <jamielennox> actually it's middleware i guess
18:39:16 <bknudson> jamielennox: for K?
18:39:26 <jamielennox> bknudson: doesn't matter it's client side
18:39:33 <morganfainberg> ah
18:39:42 <bknudson> well, it matters what deployers ship
18:40:01 <morganfainberg> bknudson, right
18:40:10 <morganfainberg> #topic Open Discussion
18:40:11 <bknudson> I mean packagers
18:40:43 <jamielennox> bknudson: i don't mind if we don't merge till L, it won't make g-r for Kilo and there really isn't many services using the auth plugin yet anyway
18:40:53 <lbragstad> I have a question. Does anyone know if other projects build on the bind supplied in the token?
18:41:01 <bknudson> jamielennox: I thought it was in devstack?
18:41:07 <bknudson> auth plugin
18:41:18 <morganfainberg> lbragstad, the bind like krb5 stuff?
18:41:23 <marekd> I just wanted to say that I will be unavailable  next two weeks (actually starting from Friday afternoon), so if you have something you want me to do or talk please let's do this this week.
18:41:33 <ayoung> So...FreeIPA and LDAP testing in Check.  I think it is time
18:41:41 <jamielennox> but it's possibly contentious as it will mean sending an X-Service-Token on every request and taking over control of the X-OpenStack-Request-ID
18:41:42 <ayoung> I think we want to push toward this:
18:41:44 <morganfainberg> ayoung, functional scenarios. yes.
18:41:51 <morganfainberg> ayoung, 100%
18:42:02 <ayoung> infra has an Ipa server that is basically untouched.  We  put a bunch of sample data in it
18:42:06 <jamielennox> bknudson: oh yea, that's in. This is the auth plugin that middleware passes to the services ENV['keystone.token_auth'] i think
18:42:16 <lbragstad> morganfainberg: the bind method that can be supplied on auth
18:42:18 <ayoung> on Gate,  "mount" it as an external domain
18:42:19 <morganfainberg> ayoung, lets circle up on that.
18:42:40 <jamielennox> lbragstad: afaik token binding never really got off the ground
18:42:46 <morganfainberg> ayoung, there are some mechanics about that proposal that wont really fly atm.
18:42:51 <ayoung> morganfainberg, and it will be the live test of henrynash 's domain in db code
18:42:58 <lbragstad> jamielennox: ok, so you're not aware of anyone using it through the client?
18:43:03 <morganfainberg> ayoung, but it's just about standup not the test part
18:43:13 <henrynash> ayoung: yippee
18:43:25 <jamielennox> lbragstad: the way services shuffle the token around from service to service means as soon as we started to actually enforce things on binding everything stopped
18:43:31 <ayoung> morganfainberg, ok.  We'll talk After you get your coffee
18:43:41 <jamielennox> lbragstad: i'm not even sure it's exposed via the client
18:43:46 <morganfainberg> jamielennox, i have an idea for L for that
18:43:48 <lbragstad> jamielennox: ok, cool
18:43:56 <jamielennox> morganfainberg: me too
18:44:06 <lbragstad> just because bind will put fernet tokens in the "unbound" case
18:44:07 <morganfainberg> jamielennox, as soon as we get the FFEs done i'll start my write up for some ideas in L
18:44:33 <jamielennox> morganfainberg: it's basically X-Service-Token and if you have something different you should probably -1 that blueprint i just mentioned
18:44:34 <dstanek> have to bail a little early to get my kids - i'll be back in the main channel in a bit
18:44:39 <morganfainberg> lbragstad, it would be nice to have token bind support in fernet - but that *could* land in L when we discuss how we address this.
18:44:43 <jamielennox> lbragstad: ah
18:44:54 <morganfainberg> jamielennox, i have a different idea - slightly but it builds on service tokens
18:45:29 <jamielennox> lbragstad: yea i think your safe, in future i want to get it back, but it should always be optional additional data to the token so we can add it back later
18:45:32 <jamielennox> you're
18:45:47 <lbragstad> morganfainberg: jamielennox yeah, unless when know how we can supply a format for it, it will boat the token. I'm not sure if it would make sense to put bind in the token format if it's only going to bloat it and no one uses it?
18:45:51 <morganfainberg> jamielennox, i'll write up my Liberty thoughts soon. i need to anyway for when i do the PTL election things.
18:46:14 <lbragstad> s/when/we/
18:46:20 <morganfainberg> lbragstad, again it can probably wait till L when we have a direct path to supporting bind or a similar thing.
18:46:31 <morganfainberg> lbragstad, i think it would be useful but it's not critical today
18:46:40 <lbragstad> morganfainberg: ok, so I'll untag that bug for rc1?
18:46:47 <morganfainberg> sure
18:46:51 <lbragstad> and update it with a comment
18:47:01 <morganfainberg> downgrade it to medium if it isn't already
18:47:19 <lbragstad> morganfainberg: cool, it's already medium
18:47:59 <morganfainberg> anything else for the meeting?
18:48:21 <morganfainberg> we can let infra have the channel early it looks like
18:48:30 <amakarov> revocation issue: https://review.openstack.org/#/c/141854/
18:48:35 <morganfainberg> aha
18:48:51 <amakarov> will it be fixed by fernet tokens
18:49:10 <amakarov> or it must to be done something?
18:49:12 <morganfainberg> i think adam is correct, the issue is in the group data not being in the token.
18:49:20 <amakarov> ++
18:50:11 <morganfainberg> i would like to see better revocations
18:50:25 <morganfainberg> so yes this would be a nice-to-have in kilo if we can really solve it
18:50:26 <amakarov> so the solution is: 1) add group to revocation model; 2) wait for fernet?
18:50:52 <amakarov> *rely on fernet (afaik it is complete)
18:51:10 <morganfainberg> amakarov, i think we would need to update the token body format as well
18:51:13 <morganfainberg> to catch PKI tokens
18:51:21 <morganfainberg> we don't want token formats to diverge in functionality too much
18:51:25 <morganfainberg> (at all really)
18:51:31 <morganfainberg> if it's in our tree that is
18:51:50 <morganfainberg> uuid could be solved in much the same way fernet is
18:52:44 <amakarov> can we just add group to existing tokens?
18:52:50 <amakarov> token models
18:53:18 <marekd> amakarov: i think lbragstad and dolphm would start to sharpen their knives for you
18:53:46 <marekd> i hardly survived federation
18:54:03 <amakarov> marekd, thanks for the warning ))
18:54:41 <lbragstad> marekd: :)
18:55:29 <amakarov> well, let us put it this way: I'll propose a change and then we discuss it
18:55:42 <amakarov> I still don't see obvious solution
18:56:10 <morganfainberg> ok i think this conversation can move back to -keystone
18:56:14 <morganfainberg> lets continue there
18:56:22 <morganfainberg> Thanks for coming all!
18:56:25 <morganfainberg> #endmeeting