Thursday, 2013-10-03

*** faramir1 has joined #openstack-dev		00:01
*** MaxV has quit IRC		00:04
*** sheeprine has joined #openstack-dev		00:04
*** thomasm has joined #openstack-dev		00:04
*** dperaza has quit IRC		00:05
*** SumitNaiksatam has quit IRC		00:09
*** troytoman is now known as troytoman-away		00:12
*** bswartz has joined #openstack-dev		00:14
*** sheeprine has quit IRC		00:15
*** salv-orlando has quit IRC		00:19
*** cfriesen has quit IRC		00:19
*** nati_ueno has quit IRC		00:21
*** nati_ueno has joined #openstack-dev		00:21
ayoung	jamielennox, I suspect that what gyee will end up with will look a lot like the basic auth middleware I posted to github	00:27
jamielennox	umm, i'm sure i've seen this but which one?	00:28
ayoung	they'll end up sticking a token in a secure cookie or something and using it for additional roundtrips	00:28
ayoung	link coming up	00:28
ayoung	jamielennox, https://github.com/admiyo/keystone/commit/05d68559b548c6722a1d928e13919fe74ba5e13f	00:29
ayoung	branch is here	00:29
ayoung	https://github.com/admiyo/keystone/commits/cookies-basic-auth	00:29
ayoung	there are three commits there that are all stand alone, I think	00:29
ayoung	jamielennox, by the by...wanted to tell you good job on this release, and say thanks for your help.	00:30
ayoung	rc-1 is not the same as finished, but...it sure is close	00:30
*** FatDarrel has quit IRC		00:31
*** matsuhashi has joined #openstack-dev		00:32
jamielennox	heh, feel like i've been out of it for a while	00:33
jamielennox	need to get back onto server side where the cool kids play :)	00:34
*** dstanek has quit IRC		00:34
*** colinmcnamara has joined #openstack-dev		00:35
*** sheeprine has joined #openstack-dev		00:35
*** colinmcnamara has quit IRC		00:35
*** bdpayne has quit IRC		00:35
ayoung	jamespage, so one of the RHers has an IPA server running in AWS	00:40
*** colinmcnamara has joined #openstack-dev		00:40
ayoung	Been working on trying to get the dual-ip address thing working	00:40
ayoung	argy	00:41
ayoung	jamielennox, ^^	00:41
ayoung	jamielennox, turns out the hack seems to be to have two host entries.	00:41
jamielennox	just using the script you had earlier or did you figure out a nova hook?	00:41
ayoung	Haven;t quite closed the loop on it yet	00:41
*** vuil has quit IRC		00:42
ayoung	so..I'm still researching	00:42
ayoung	I think that we'll have to put something into Nova eventually	00:42
*** sheeprine has quit IRC		00:42
ayoung	jamielennox, ideally, the same process will kick off the VM geneneration and the OTP/host regsistry, from inside of the nova context	00:42
*** tanisdl has quit IRC		00:43
ayoung	we can get a notification from Nova that a new VM is on the way...but no way then to get the OTP back to that instance	00:43
jamielennox	i get the idea, i don't know enough about nova to know how or where that would go	00:43
ayoung	the notifications stuff is like what bknudson is working on for Keystone. So..really all we need is a simple hook to generate a file with the OTP, and stick it inside the vm instance...and also tack it into the notification	00:44
jamielennox	ignoring that for the time being is the internal vs external ip thing in IPA going to work out?	00:44
ayoung	I think so\	00:44
ayoung	bascially, you need two principal	00:44
ayoung	s	00:44
ayoung	one for int one for ext	00:44
ayoung	you get that by making two host entries	00:44
ayoung	then, the vm call ipa-client-install as the int one	00:44
ayoung	once that is up it fetches the keytab for ext	00:45
ayoung	the two keystabs get merged in /etc/krb5.conf	00:45
ayoung	jamielennox, its along the lines of ipa-getkeytab -s ident.infra.lamourine.org -k /etc/krb5.keytab -p host/node1.lamourine.org	00:46
*** jasdeepH has joined #openstack-dev		00:46
ayoung	you need to run that as root to have access to the krb5.keytab or perform some other trick, and also have a valid ticket for a user with admin privs	00:46
jamielennox	is this something that is kerberos specific - or is it possible we could get changes to IPA to allow IP aliases?	00:47
ayoung	so the internal name for that one is node1.infra.lamourine.org and the external will be node1.lamourine.org	00:47
jamielennox	or host aliases i guess	00:47
ayoung	Kerberos needs host names for the principals to align	00:47
ayoung	nothing IP addressy about it	00:47
ayoung	when the client machine gets the service ticket, it gets it for the principal host/node1.lamourine.org	00:48
ayoung	if the host itself only has keys for node1.infra.lamourine.org it can't decrypt the key in the service ticket	00:48
*** thomasm has quit IRC		00:49
ayoung	so the problem is not really IPA, so much as it is Amazon only giving out non-routables...and OpenStack doing the same thing. With split horizon, yeah, we could do it with a single host name	00:50
jamielennox	ok, but it seems that if there was support for such a thing in kerberos there would be nothing preventing the same keys being returned for each alias of a host - i just don't know the security implications or whether that's something that would be supported	00:50
ayoung	jamielennox, good point. I'm trying to do this within what IPA supports now, but there are a couple ways we could go in the future that might make is a lot cleaner.	00:51
ayoung	I think that multiple DNS entries is fine. It would be nice, though, if the host entry did allow for multiple DNS names associated with it, and multiple principals	00:52
jamielennox	ok, that was the question - not necessarily impossible, but not supported	00:52
ayoung	Yeah....once we can work out exactly what we need to make it happen, we can figure out how to streamline it. I think that having a primary hostname<->A record and then multiple CNAMEs or alternative A records might be a valid approach	00:53
ayoung	jamielennox, It would make sense for virtual hosts in apache, too	00:54
jamielennox	ayoung: playing devils advocate though, if i'm actually making use of an internal vs external network then i want the principals remaining seperate	00:55
*** briancurtin has joined #openstack-dev		00:55
*** dolphm has joined #openstack-dev		00:55
ayoung	jamielennox, well, they both are going to map to the same machine, so I think you would want them linked.	00:56
ayoung	the host principal is really more like a service, and we should be able to link service keys to hosts other than the one that maps one-to-one with the hostname	00:57
*** lbragstad has quit IRC		00:57
jamielennox	alright, later problem i was just thinking it was a posibility	00:57
*** angdraug has quit IRC		00:58
ayoung	jamielennox, yeah. it is going to be weird because we will have a host with allocated keytab, but then no IPA-client will enroll it...just fetch the keytab	00:58
*** SumitNaiksatam has joined #openstack-dev		01:03
*** nosnos has joined #openstack-dev		01:04
*** nermina has joined #openstack-dev		01:05
*** alop has quit IRC		01:06
*** dolphm has quit IRC		01:07
*** jayg is now known as jayg\|g0n3		01:09
*** jaypipes has quit IRC		01:11
*** chenxu has quit IRC		01:11
*** armax has quit IRC		01:13
*** jasdeepH has quit IRC		01:17
*** markwash has joined #openstack-dev		01:18
*** cjellick has quit IRC		01:19
*** sheeprine has joined #openstack-dev		01:23
*** melwitt has quit IRC		01:25
*** erkules has quit IRC		01:30
*** sthaha has joined #openstack-dev		01:34
*** schwicht has quit IRC		01:36
*** fandikurnia01 has joined #openstack-dev		01:36
*** erkules has joined #openstack-dev		01:47
*** shinylasers has quit IRC		01:49
*** nati_ueno has quit IRC		01:51
*** gordc has joined #openstack-dev		01:52
*** nermina has left #openstack-dev		02:06
*** neelashah has joined #openstack-dev		02:06
*** mlavalle has joined #openstack-dev		02:07
*** mlavalle has quit IRC		02:08
*** Mandell has joined #openstack-dev		02:09
*** faramir1 has quit IRC		02:10
*** fandikurnia01 has quit IRC		02:12
*** fandikurnia01 has joined #openstack-dev		02:12
*** jasdeepH has joined #openstack-dev		02:19
*** oubiwann has joined #openstack-dev		02:24
*** oubiwann has quit IRC		02:24
*** oubiwann has joined #openstack-dev		02:25
*** oubiwann has quit IRC		02:25
*** erfanian has joined #openstack-dev		02:30
*** shinylasers has joined #openstack-dev		02:35
*** shinylasers has joined #openstack-dev		02:36
*** pixelb has quit IRC		02:38
*** dropped has quit IRC		02:41
*** oubiwann has joined #openstack-dev		02:48
*** oubiwann has quit IRC		02:48
*** oubiwann has joined #openstack-dev		02:54
*** asalkeld is now known as asalkeld_lunch		02:57
*** dperaza has joined #openstack-dev		02:58
*** paragan has joined #openstack-dev		02:59
*** zhiyan has joined #openstack-dev		03:02
ayoung	jamielennox, now that Icehouse is open for business....time to rethink KDS. https://review.openstack.org/#/c/40692/	03:04
ayoung	That doc needs a lot of love	03:04
jamielennox	are you taking that one up without simo now?	03:05
ayoung	jamielennox, yep	03:05
ayoung	unless you want it?	03:05
jamielennox	maybe	03:05
ayoung	jamielennox, I was thinking that I really should understand it better	03:06
jamielennox	i've been thinking what i want to get done in Icehouse and i've got an ok idea	03:06
ayoung	I'll continue to own it, but feel free to take a heavy hand in it	03:06
jamielennox	but KDS seems like it would be one of those areas you just have to immerse yourself in, and it is interesting	03:06
ayoung	Well, yeah, but the issues are not so much crypto as "how do we expose this to the world" REST type issues	03:07
ayoung	simo already did all the fun stuff	03:07
jamielennox	yea i noticed, and he's got the crypto into oslo as well	03:07
*** radsy has quit IRC		03:07
jamielennox	i'm still not sure if that base64 thing was the right way to go but it does make sense	03:08
*** dguitarbite has joined #openstack-dev		03:08
ayoung	see...there are so many design decisions in there. I really don't want to have to justifyt them without understanding them myself	03:09
jamielennox	that was why i only questioned the API at the time	03:10
jamielennox	honestly i'm still of the opinion that symmetric keys are the wrong fit here	03:10
ayoung	and, if they are the right fit, we should be using Kerberos and not reimplementing it	03:11
jamielennox	but he fought so hard for it	03:11
ayoung	well...he's right in that symetric crypto is much more efficient	03:11
jamielennox	yep	03:11
ayoung	what if we said "you only get symmetric crypto if you use kerberos"?	03:12
ayoung	would that fly?	03:12
jamielennox	but there are reasons for doing key exchange and stuff	03:12
jamielennox	the problem is this is not a keystone decision	03:12
ayoung	none of this really belongs in Keystone, does it	03:12
jamielennox	i've only got an overview of messaging in general OS	03:12
jamielennox	it's one thing for me to say this is how i want the API to look	03:13
jamielennox	but things like 'only for kerberos' need to get run all the way around the project	03:13
ayoung	jamielennox, just think of the stuff hidden away behind the Nova facade that all hangs off the message queue. Keystone knows none of those things	03:13
jamielennox	keystone and me both :)	03:13
ayoung	http://b6c82e5bf05bb57d5fd7-e4def687b494c6d4f892965970fc9f39.r37.cf2.rackcdn.com/openstack-arch-grizzly-logical-v2.jpg	03:13
ayoung	if there are 1000s of compute nodes, each with a unique identity, we need some place to store that. But Keystone is not the right place	03:14
jamielennox	so i'm not sure - i don't think keystone is right, but i don't know if barbican is right either	03:14
ayoung	I wonder if nova conductor is more correct	03:15
jamielennox	i liked the idea of the guy who suggested GPG, but that got shut down pretty quick	03:15
ayoung	meh	03:15
ayoung	GPG is still asymmetric. If we do asym, we do X509	03:15
jamielennox	it makes sense, the problem with x509 is the distribution - web of trust is a better fit for those types of services interaction	03:16
*** markmcclain has quit IRC		03:16
ayoung	what if...the kds hung off the queue itself and was not a web service	03:16
ayoung	X509 is a solved problem	03:16
ayoung	and we already do X509 lets not complicate things there	03:17
ayoung	you enjoy pushing those hot buttons, don't you?	03:17
jamielennox	heh, i feel i just missed a lot of those early decision making processes - i would like to see the justification for some of this stuff, i'm sure it exists	03:18
ayoung	ok... Ideally, KDS would be a separate endpoint, not Keystone	03:19
jamielennox	and i'm better at picking apart my arguments than making them	03:19
jamielennox	right	03:19
jamielennox	barbican is not the right place, barbican should be somewhat user orientated as i understand it	03:19
ayoung	any reason at all that it shouold be in Keystone	03:19
ayoung	yeah, agree	03:19
ayoung	this is not the barbican use case at all	03:20
jamielennox	the argument i guess is simply that it is a user credential - we already somewhat handle that stuff, the fact that it is a service user shouldn't matter	03:20
ayoung	except that keystone really is for end users of the OpenStack APIs and this is not	03:21
ayoung	the closest analogue is token validation	03:21
*** dperaza has quit IRC		03:21
*** vkmc has quit IRC		03:22
*** dperaza has joined #openstack-dev		03:22
ayoung	and even that is going to to made possible to be done by end users	03:22
jamielennox	but particularly with OOO the distinction between user/service is blurring	03:22
ayoung	the thing is, this is all redundant with the SASL and GSSAPI security around AMQP. We really should just use that, and use it right	03:22
ayoung	so NIH...	03:23
jamielennox	but rabbit or one of those doesn't support it	03:23
*** novas0x2a\|laptop has quit IRC		03:24
ayoung	so you are saying that if people use an insecure product for implementation we need to provide a custome solution to secure it? I don't buy it. We don't have the focus to do it right	03:24
ayoung	You want message security, use a messaging system that provides security and use it correctly	03:25
* ayoung is lazy that way		03:25
jamielennox	i'm not saying anything, let's put the fix into 0mq or rabbit or whatever	03:25
ayoung	OK...so I guess that this will allow you to do message signing over multiple hops	03:25
jamielennox	GSSAPI isn't going to fly for everyone though	03:25
jamielennox	true, but why is message passing doing hops?	03:26
*** yjiang5 has joined #openstack-dev		03:26
ayoung	yeah, I guess its transport layer versus application layer encryption all over again, same issues as HTTPS	03:26
ayoung	Well, I don't know that it is...just a theoretical observation	03:26
jamielennox	i'm going to re-read his wiki page	03:27
jamielennox	https://wiki.openstack.org/wiki/MessageSecurity	03:27
ayoung	You know I tend toward thinkg and talking in design patterns. http://www.eaipatterns.com/PipesAndFilters.html	03:28
ayoung	there are a lot of things you can do if you start thinking about composing message processing in multiple steps	03:28
ayoung	http://www.eaipatterns.com/MessageRouter.html	03:29
ayoung	if you want to make a custom piece of code to do logic like that, it has to read from a queue, and write to a queue. Even if it doesn't morph the message, you lose that guarantee that the messaage was not modified during processing unless you do the kind of thing simo proposes	03:30
jamielennox	so i'm inclined to think that the solution should be use PKI and have an undercloud barbican instance	03:30
jamielennox	more CMS :)	03:31
jamielennox	and if you don't like it then secure your infrastructure	03:31
*** aditirav has joined #openstack-dev		03:36
*** vipul has quit IRC		03:37
*** vipul has joined #openstack-dev		03:37
ayoung	jamielennox, well, that makes sense for low quantity messages to large groups of people. But for high volume, symmetric makes more sense.	03:40
jamielennox	ayoung: this is interesting speculation, but i don't think it's our fight - there were competing proposals, i think we open it back up	03:42
*** asalkeld_lunch is now known as asalkeld		03:42
ayoung	jamielennox, nah, I think we should finish up the KDS stuff...it make sense	03:42
jamielennox	security definetly within our purview but i don't think this is a keystone issue	03:43
ayoung	I just need to understand the details a little better. Like why he duplicated the signature. I know it was because we were looking to have a uniuqe identifier for REST purposes	03:43
ayoung	OK...getting late...need to sleep.	03:44
jamielennox	the KDS is not the end of it though, it's like step 2 or 3	03:44
ayoung	yeah	03:44
jamielennox	it's not KDS i'm worried about, it's everything after that	03:44
ayoung	I'd suggest jdennis take it but it wouldn't make it in to icehouse. He's too deliberate for that.	03:45
*** neelashah has quit IRC		03:45
ayoung	and we need the nss stuff done	03:45
ayoung	they need it to build on to it	03:45
ayoung	so it needsto go in quick, before the summit	03:45
jamielennox	before this summit?	03:45
ayoung	bascially, take simo's proposal and clean it up	03:45
jamielennox	wow	03:45
ayoung	yeah	03:45
ayoung	the assumption was that it was OK to delay it until I1 because no one would be building on it	03:46
jamielennox	hmm, yea i remember that	03:46
ayoung	if we delay it any further it is going to impact other people's work	03:46
jamielennox	ayoung: i would suggest hitting up someone in nova - saying if we finish of the KDS who is going to push it from the nova/OSLO end	03:47
ayoung	I kind of think we need to strongarm simo back until we get it in	03:47
ayoung	I'll ask him when he's back from PTO	03:47
jamielennox	lol, yea, not sure how he pulled that exit	03:47
*** colinmcnamara has quit IRC		03:47
ayoung	He's Italian. He did it with flair. Operatic, almost.	03:47
ayoung	gnight	03:47
jamielennox	night	03:47
*** ayoung has quit IRC		03:48
*** CaptTofu has quit IRC		03:51
*** jasdeepH has quit IRC		03:51
*** CaptTofu has joined #openstack-dev		03:51
*** dperaza has quit IRC		03:54
*** trey_h has quit IRC		03:54
*** trey_h has joined #openstack-dev		03:55
*** dperaza has joined #openstack-dev		03:55
*** aditirav has quit IRC		03:58
*** jeevan_u1las is now known as jeevan_ullas		03:58
*** jeevan_ullas has joined #openstack-dev		03:58
*** trey_h has quit IRC		03:59
*** Samos123_ has joined #openstack-dev		04:00
*** dstanek has joined #openstack-dev		04:01
*** aditirav has joined #openstack-dev		04:01
*** Samos123 has quit IRC		04:03
*** Samos123_ is now known as Samos123		04:03
*** dguitarbite has quit IRC		04:04
*** Samos123 has joined #openstack-dev		04:04
*** zhiyan has quit IRC		04:04
*** zhiyan has joined #openstack-dev		04:06
*** aeperezt has quit IRC		04:07
*** gordc has quit IRC		04:08
*** aeperezt has joined #openstack-dev		04:09
*** spzala has quit IRC		04:09
*** Samos123_ has joined #openstack-dev		04:10
*** jasdeepH has joined #openstack-dev		04:12
*** noorul has joined #openstack-dev		04:12
*** sarob has joined #openstack-dev		04:17
*** aeperezt has quit IRC		04:25
*** briancurtin has quit IRC		04:26
*** sridevi has joined #openstack-dev		04:27
*** mtreinish has quit IRC		04:28
*** anteaya has quit IRC		04:30
*** cjellick has joined #openstack-dev		04:32
*** aditirav has quit IRC		04:33
*** aditirav has joined #openstack-dev		04:33
*** chandankumar has joined #openstack-dev		04:34
*** rods` has quit IRC		04:35
*** paragan has quit IRC		04:39
*** alunduil has joined #openstack-dev		04:40
*** AlexF has joined #openstack-dev		04:40
*** edmund has quit IRC		04:41
*** mtreinish has joined #openstack-dev		04:42
*** rods has joined #openstack-dev		04:43
*** vuil has joined #openstack-dev		04:46
*** zhiyan1 has joined #openstack-dev		04:50
*** zhiyan has quit IRC		04:51
*** zhiyan1 has quit IRC		04:55
*** zhiyan has joined #openstack-dev		04:55
*** SergeyLukjanov has joined #openstack-dev		04:56
*** ArcTanSusan has joined #openstack-dev		04:58
*** zaitcev has quit IRC		05:01
*** aditirav has quit IRC		05:06
*** aditirav has joined #openstack-dev		05:07
*** vartom19 has joined #openstack-dev		05:07
*** henrynash has joined #openstack-dev		05:08
*** sarob has quit IRC		05:12
*** sarob has joined #openstack-dev		05:12
*** jasdeepH has quit IRC		05:13
*** vartom19 has quit IRC		05:14
*** sarob has quit IRC		05:16
*** cjellick has quit IRC		05:20
*** cjellick has joined #openstack-dev		05:20
*** AlexF has quit IRC		05:22
*** markwash has quit IRC		05:22
*** sushils has joined #openstack-dev		05:29
*** AlexF has joined #openstack-dev		05:34
*** rushiagr has joined #openstack-dev		05:34
*** sushils has quit IRC		05:34
*** sumanthns has joined #openstack-dev		05:35
*** davidhadas has quit IRC		05:35
*** diogogmt has quit IRC		05:37
*** shardy is now known as shardy_afk		05:37
*** jasdeepH has joined #openstack-dev		05:37
*** sushils has joined #openstack-dev		05:38
*** AlexF has quit IRC		05:38
*** jaypipes has joined #openstack-dev		05:39
*** openfly has quit IRC		05:40
*** markwash has joined #openstack-dev		05:41
*** sushils has quit IRC		05:42
*** yjiang5 has quit IRC		05:43
*** cjellick1 has joined #openstack-dev		05:44
*** cjellick has quit IRC		05:44
*** sushils has joined #openstack-dev		05:44
*** vuntz has quit IRC		05:46
*** cjellick1 has quit IRC		05:49
*** cjellick has joined #openstack-dev		05:49
*** paragan has joined #openstack-dev		05:53
*** vuntz has joined #openstack-dev		05:53
*** prekarat has quit IRC		05:54
*** nshaikh has joined #openstack-dev		06:00
*** gsilvis has quit IRC		06:02
*** sergmelikyan has quit IRC		06:02
*** Max_ has joined #openstack-dev		06:03
*** gsilvis has joined #openstack-dev		06:04
*** vartom19 has joined #openstack-dev		06:05
*** comay has quit IRC		06:07
*** yolanda has joined #openstack-dev		06:08
*** neoXsys has quit IRC		06:09
*** cjellick has quit IRC		06:10
*** tvb has joined #openstack-dev		06:14
*** tvb has quit IRC		06:14
*** tvb has joined #openstack-dev		06:14
*** comay has joined #openstack-dev		06:15
*** zbitter has joined #openstack-dev		06:15
*** Shaan7 has quit IRC		06:16
*** Max_ has quit IRC		06:17
*** SergeyLukjanov has quit IRC		06:17
*** MaxV has joined #openstack-dev		06:18
*** zaneb has quit IRC		06:18
*** henrynash has quit IRC		06:19
*** henrynash has joined #openstack-dev		06:20
*** rwsu is now known as rwsu-away		06:21
*** davidhadas has joined #openstack-dev		06:21
*** MaxV has quit IRC		06:22
*** sarob has joined #openstack-dev		06:23
*** mkoderer_ is now known as mkoderer		06:26
*** sgran has quit IRC		06:27
*** sarob has quit IRC		06:28
*** bvandenh has joined #openstack-dev		06:29
*** terriyu has joined #openstack-dev		06:30
*** terriyu has quit IRC		06:31
*** jasdeepH has quit IRC		06:35
*** bashok has joined #openstack-dev		06:39
*** SergeyLukjanov has joined #openstack-dev		06:41
*** xga has joined #openstack-dev		06:41
ekarlso	Samos123_: here ?	06:41
ekarlso	samalba: ...	06:41
*** SergeyLukjanov has quit IRC		06:42
*** jasdeepH has joined #openstack-dev		06:42
*** bvandenh has quit IRC		06:43
*** eglynn has joined #openstack-dev		06:44
*** odyssey4me has joined #openstack-dev		06:48
*** eglynn has quit IRC		06:49
*** sgran has joined #openstack-dev		06:51
*** ifarkas has joined #openstack-dev		06:52
*** vuntz has quit IRC		06:57
*** reidrac has joined #openstack-dev		06:57
*** yeylon_ has joined #openstack-dev		06:59
*** rohit has joined #openstack-dev		07:02
*** rohit is now known as Guest34931		07:03
*** rohitk has joined #openstack-dev		07:03
*** sushils has quit IRC		07:04
*** jcoufal has joined #openstack-dev		07:08
*** rushiagr has quit IRC		07:10
*** afazekas has joined #openstack-dev		07:11
*** jtomasek has joined #openstack-dev		07:11
*** rohitk has quit IRC		07:11
*** rohitk has joined #openstack-dev		07:12
*** bashok_ has joined #openstack-dev		07:12
*** rohitk has quit IRC		07:13
*** Ryan_Lane has joined #openstack-dev		07:14
*** bashok has quit IRC		07:15
*** shardy_afk has quit IRC		07:16
*** flaper87\|afk has quit IRC		07:17
*** flaper87\|afk has joined #openstack-dev		07:18
*** AlexF has joined #openstack-dev		07:18
*** flaper87\|afk is now known as flaper87		07:18
*** rushiagr has joined #openstack-dev		07:21
*** prekarat has joined #openstack-dev		07:21
*** shardy_afk has joined #openstack-dev		07:22
*** paragan has quit IRC		07:24
*** prekarat has quit IRC		07:26
*** Ryan_Lane has quit IRC		07:26
*** dperaza has quit IRC		07:27
*** bvandenh has joined #openstack-dev		07:28
*** giulivo has joined #openstack-dev		07:28
*** flaper87 has quit IRC		07:30
*** flaper87 has joined #openstack-dev		07:30
*** corXi has joined #openstack-dev		07:31
*** prekarat has joined #openstack-dev		07:31
*** gmurphy has quit IRC		07:34
*** eglynn has joined #openstack-dev		07:35
*** jistr has joined #openstack-dev		07:35
*** martyntaylor has joined #openstack-dev		07:37
*** JordanP has joined #openstack-dev		07:37
*** openfly has joined #openstack-dev		07:37
*** boris-42 has joined #openstack-dev		07:38
*** xqueralt has joined #openstack-dev		07:39
*** safchain has joined #openstack-dev		07:44
*** aditirav has quit IRC		07:44
*** ArcTanSusan has quit IRC		07:48
*** colinmcnamara has joined #openstack-dev		07:48
*** mkerrin has quit IRC		07:48
*** MaxV has joined #openstack-dev		07:50
*** feleouet has joined #openstack-dev		07:51
*** colinmcnamara has quit IRC		07:52
*** o_petit has joined #openstack-dev		07:52
*** athomas has joined #openstack-dev		07:54
*** jprovazn has joined #openstack-dev		07:54
*** DinaBelova has joined #openstack-dev		07:54
*** fbo_away is now known as fbo		07:55
*** vuntz has joined #openstack-dev		07:56
*** salv-orlando has joined #openstack-dev		07:59
*** rushiagr has quit IRC		07:59
*** AlexF has quit IRC		07:59
*** AnilV4 has joined #openstack-dev		08:00
*** johnthetubaguy has joined #openstack-dev		08:00
*** davidhadas_ has joined #openstack-dev		08:02
*** odyssey4me has quit IRC		08:03
*** davidhadas has quit IRC		08:04
*** SergeyLukjanov has joined #openstack-dev		08:04
*** boden has joined #openstack-dev		08:04
*** tkammer has joined #openstack-dev		08:05
*** davidhadas_ has quit IRC		08:05
*** paragan has joined #openstack-dev		08:05
*** xqueralt has quit IRC		08:06
*** davidhadas has joined #openstack-dev		08:07
*** DinaBelova has quit IRC		08:09
*** locke105 has joined #openstack-dev		08:10
*** locke1051 has quit IRC		08:10
*** odyssey4me has joined #openstack-dev		08:11
*** vuil has quit IRC		08:12
*** martyntaylor has quit IRC		08:12
*** xga has quit IRC		08:13
*** iartarisi has joined #openstack-dev		08:14
*** xga has joined #openstack-dev		08:14
*** mkerrin has joined #openstack-dev		08:15
*** dstanek has quit IRC		08:17
*** xqueralt has joined #openstack-dev		08:18
*** yassine has joined #openstack-dev		08:23
*** galstrom_zzz has quit IRC		08:24
*** aditirav has joined #openstack-dev		08:26
*** galstrom_zzz has joined #openstack-dev		08:27
*** galstrom_zzz is now known as galstrom		08:27
*** aditirav_ has joined #openstack-dev		08:27
*** martyntaylor has joined #openstack-dev		08:29
*** aditirav has quit IRC		08:31
*** aditirav_ is now known as aditirav		08:31
*** rushiagr has joined #openstack-dev		08:33
*** sushils has joined #openstack-dev		08:34
*** jpich has joined #openstack-dev		08:38
*** zhiyan has quit IRC		08:40
*** shardy_afk is now known as shardy		08:41
*** aditirav has quit IRC		08:43
*** aditirav has joined #openstack-dev		08:44
*** danpb has joined #openstack-dev		08:46
*** rushiagr has quit IRC		08:50
*** xga has quit IRC		08:50
*** lucasagomes has joined #openstack-dev		08:51
*** qba73 has joined #openstack-dev		08:54
*** DinaBelova has joined #openstack-dev		08:54
*** AlexF has joined #openstack-dev		08:54
*** paragan has quit IRC		08:54
*** tkammer has quit IRC		08:56
*** rushiagr has joined #openstack-dev		08:56
ekarlso	BobBall: here mate ?	08:56
BobBall	I am indeed	09:00
*** matsuhashi has quit IRC		09:01
*** pixelb has joined #openstack-dev		09:05
ttx	release branches were cut for nova, neutron, heat and horizon. Will publish RC1s soon	09:06
BobBall	What does that mean in relation to bug fixes ttx? Does that mean they have to be critical fixes or can we still get important fixes in?	09:06
ttx	BobBall: you get any fix you want in master (and any feature). Specific bugfixes may be backported if we decide they warrant a RC2 window	09:07
BobBall	But there is unlikely to be an RC2 without it being a critical fix?	09:07
ttx	BobBall: there should at least be a critical fix to "trigger" the window	09:08
ttx	then we can bundle a few less-critical ones into it	09:08
BobBall	that's what I feared	09:08
ttx	We track candidates for backporting using the havana-rc-potential tag	09:08
*** matsuhashi has joined #openstack-dev		09:09
BobBall	I've got a fix I _really really_ want in Havana due to long term supportability but nothing is actually broken without the fix - unless people mess up their config in the ways they typically do :/	09:09
ttx	BobBall: in Neutron ?	09:10
BobBall	nova	09:10
BobBall	It's XenAPI - people keep getting their plugin versions out of sync with the nova version	09:10
BobBall	and it's a PITA to track down when they get it wrong	09:11
ttx	BobBall: I woul dbe pretty surprised if we didn't do a RC2 for Nova. So plead your case to Russell	09:11
BobBall	so we added some versioning to the interface between nova	09:11
BobBall	ok - will do	09:11
BobBall	thanks :)	09:11
*** vartom19 has quit IRC		09:13
*** prekarat has quit IRC		09:16
*** prekarat has joined #openstack-dev		09:17
*** salv-orlando_ has joined #openstack-dev		09:19
*** salv-orlando has quit IRC		09:19
*** salv-orlando_ is now known as salv-orlando		09:19
*** mkollaro has joined #openstack-dev		09:22
*** johnthetubaguy1 has joined #openstack-dev		09:24
*** johnthetubaguy has quit IRC		09:24
*** johnthetubaguy has joined #openstack-dev		09:26
*** johnthetubaguy1 has quit IRC		09:28
ekarlso	BobBall: any news on when packages for ubuntu will work ?	09:28
*** DinaBelova has quit IRC		09:28
*** xga has joined #openstack-dev		09:29
*** paragan has joined #openstack-dev		09:31
*** DinaBelova has joined #openstack-dev		09:36
*** AlexF has quit IRC		09:36
*** tvb has quit IRC		09:36
*** djoreilly has joined #openstack-dev		09:37
*** davidhadas has quit IRC		09:38
*** salv-orlando has quit IRC		09:38
*** davidhadas_ has joined #openstack-dev		09:38
*** Shaan7 has joined #openstack-dev		09:39
*** gmoro has joined #openstack-dev		09:40
*** tvb has joined #openstack-dev		09:40
*** derekh has joined #openstack-dev		09:44
*** DinaBelova has quit IRC		09:45
*** matiu has quit IRC		09:45
BobBall	the bloke working on the ubuntu packages is on vacation - it'll be a few weeks before we have a blog post out	09:46
*** rohitk has joined #openstack-dev		09:46
BobBall	ekarlso: but they mostly-work today from what I understand. If you wanted to have a play and build them yourself then we would very much appreciate any feedback	09:46
*** vartom19 has joined #openstack-dev		09:47
BobBall	ekarlso: because you should be able to run it, start VMs and so on - so if you don't there is something we need to fix and it'd be great to fix it before the blog post :)	09:47
*** salv-orlando has joined #openstack-dev		09:47
*** salv-orlando_ has joined #openstack-dev		09:48
*** hugokuo has quit IRC		09:49
*** bswartz1 has joined #openstack-dev		09:49
*** sthaha has quit IRC		09:49
*** hugokuo has joined #openstack-dev		09:49
*** sthaha has joined #openstack-dev		09:50
*** sthaha has joined #openstack-dev		09:50
*** bswartz has quit IRC		09:50
*** paragan has quit IRC		09:51
*** salv-orlando has quit IRC		09:51
*** salv-orlando_ is now known as salv-orlando		09:51
*** paragan has joined #openstack-dev		09:51
*** paragan has quit IRC		09:51
*** paragan has joined #openstack-dev		09:51
*** AlexF has joined #openstack-dev		10:00
*** tvb has quit IRC		10:02
*** mmagr has joined #openstack-dev		10:04
*** DinaBelova has joined #openstack-dev		10:07
*** MaxV has quit IRC		10:07
*** MaxV has joined #openstack-dev		10:08
*** henrynash has quit IRC		10:08
*** Oneiroi has joined #openstack-dev		10:10
*** o_petit has quit IRC		10:10
*** AlexF has quit IRC		10:12
*** toabctl has joined #openstack-dev		10:13
*** vartom19 has quit IRC		10:14
*** vartom19 has joined #openstack-dev		10:15
*** boris-42 has quit IRC		10:18
*** MaxV has quit IRC		10:18
*** AlexF has joined #openstack-dev		10:21
*** schwicht has joined #openstack-dev		10:29
*** aditirav has quit IRC		10:32
*** tvb has joined #openstack-dev		10:33
*** tvb has quit IRC		10:33
*** tvb has joined #openstack-dev		10:33
*** bvandenh has quit IRC		10:37
*** AlexF has quit IRC		10:39
*** AlexF has joined #openstack-dev		10:40
*** flaper87 is now known as flaper87\|afk		10:40
*** tvb has quit IRC		10:41
*** dropped has joined #openstack-dev		10:44
*** tvb has joined #openstack-dev		10:45
*** bauzas has quit IRC		10:47
*** romcheg1 has joined #openstack-dev		10:50
*** rushiagr has quit IRC		10:54
*** morazi has joined #openstack-dev		10:54
*** nosnos has quit IRC		10:56
*** jruzicka has joined #openstack-dev		10:56
*** matsuhashi has quit IRC		10:57
*** nil1511 has joined #openstack-dev		10:57
*** rkukura has quit IRC		10:59
*** nil1511 has quit IRC		10:59
*** dprince has joined #openstack-dev		11:00
*** henrynash has joined #openstack-dev		11:05
*** DinaBelova has quit IRC		11:06
*** aditirav has joined #openstack-dev		11:06
*** AnilV4 has quit IRC		11:06
*** AlexF has quit IRC		11:07
*** Shaan7 has quit IRC		11:08
*** markmc has joined #openstack-dev		11:09
*** romcheg has quit IRC		11:12
*** DinaBelova has joined #openstack-dev		11:13
*** rohitk has quit IRC		11:14
*** AlexF has joined #openstack-dev		11:15
*** romcheg1 is now known as romcheg		11:15
*** boris-42 has joined #openstack-dev		11:15
*** rushiagr has joined #openstack-dev		11:18
*** jistr has quit IRC		11:18
*** athomas has quit IRC		11:18
*** tvb has quit IRC		11:19
*** jistr has joined #openstack-dev		11:19
*** garyk has joined #openstack-dev		11:21
garyk	salv-orlando: ping	11:21
*** ifarkas has quit IRC		11:22
*** jprovazn has quit IRC		11:22
*** MaxV has joined #openstack-dev		11:22
*** AnilV4 has joined #openstack-dev		11:23
*** tellesnobrega has joined #openstack-dev		11:24
*** dprince has quit IRC		11:24
*** jtomasek_ has joined #openstack-dev		11:24
ekarlso	anyone know what dumb_member in keystone does ?	11:24
*** adalbas has joined #openstack-dev		11:25
*** pfreund has joined #openstack-dev		11:26
*** jtomasek has quit IRC		11:26
*** CaptTofu has quit IRC		11:27
*** CaptTofu has joined #openstack-dev		11:27
*** tsufiev has joined #openstack-dev		11:32
tsufiev	amotoki, lcheng, david-lyle, please take a look at https://review.openstack.org/#/c/49130/	11:33
*** alexpilotti has joined #openstack-dev		11:33
*** paragan has quit IRC		11:34
*** rohitk has joined #openstack-dev		11:35
*** AlexF has quit IRC		11:37
*** rushiagr has quit IRC		11:37
*** Alexei_987 has joined #openstack-dev		11:38
*** eharney has joined #openstack-dev		11:39
*** rohitk has quit IRC		11:39
*** Shaan7 has joined #openstack-dev		11:41
*** pcm_ has joined #openstack-dev		11:41
*** rushiagr has joined #openstack-dev		11:43
*** dropped has quit IRC		11:43
*** rpodolyaka has left #openstack-dev		11:44
*** jpich has quit IRC		11:44
*** jprovazn has joined #openstack-dev		11:44
*** jpich has joined #openstack-dev		11:44
*** avishayb has joined #openstack-dev		11:45
*** polfilm has joined #openstack-dev		11:46
*** Shaan7 has quit IRC		11:46
jd__	ttx: what about creating a rc2 milestone?	11:47
markmc	jpich, here's the link: https://etherpad.openstack.org/disable-lazy-translation	11:49
markmc	jpich, original patch/discussion: https://review.openstack.org/#/c/26982/	11:51
*** rohitk has joined #openstack-dev		11:52
*** adalbas has quit IRC		11:58
*** bashok_ has quit IRC		11:59
*** thomasm has joined #openstack-dev		11:59
*** xga_ has joined #openstack-dev		12:02
*** CaptTofu has quit IRC		12:03
*** CaptTofu has joined #openstack-dev		12:03
*** flaper87\|afk is now known as flaper87		12:04
*** xga has quit IRC		12:05
*** READ10 has joined #openstack-dev		12:06
*** xga_ has quit IRC		12:07
*** xga_ has joined #openstack-dev		12:07
*** sridevi has quit IRC		12:07
*** CaptTofu has quit IRC		12:08
*** fandikurnia01 has quit IRC		12:10
*** jcoufal_ has joined #openstack-dev		12:13
*** kincl has quit IRC		12:13
*** jcoufal has quit IRC		12:16
*** sandywalsh has joined #openstack-dev		12:19
*** dstanek has joined #openstack-dev		12:19
*** xga__ has joined #openstack-dev		12:23
*** aditirav has quit IRC		12:26
*** xga_ has quit IRC		12:26
*** sgordon has joined #openstack-dev		12:29
*** sgordon has joined #openstack-dev		12:29
*** bswartz1 is now known as bswartz		12:33
*** YorikSar has quit IRC		12:35
*** vladikr has joined #openstack-dev		12:35
*** tvb has joined #openstack-dev		12:39
*** tvb has quit IRC		12:39
*** tvb has joined #openstack-dev		12:39
ttx	jd__: only when/if you hit a critical bug	12:40
ttx	jd__: in the mean time you can fix things in master and tag candidates for backport as havana-rc-potential	12:41
jd__	ttx: ok, so we just backport things as we got using tags?	12:41
*** sridevi has joined #openstack-dev		12:41
jd__	yeah I've already started backporting a couple of things tagged :)	12:41
ttx	jd__: do noyt backport until we decide that we have an issue that warrants a respin	12:41
ttx	or at least, do not approve those bckports just yet :)	12:42
*** nermina has joined #openstack-dev		12:43
*** CaptTofu has joined #openstack-dev		12:44
*** jprovazn has quit IRC		12:44
*** mjfork has joined #openstack-dev		12:44
ttx	jd__: does it make sense ?	12:45
jd__	ttx: I don't know, can't we have a few bug fixes between rc1 and final? do we have to wait for 2013.2.1 to backport these?	12:45
ttx	jd__: The idea is to not change the RC1 (which gets tested) unless there is a good reason to	12:46
*** ifarkas has joined #openstack-dev		12:47
ttx	jd__: If you just change the RC continuously under testers, you won't get any testing	12:47
ttx	jd__: so we proceed using "windows" that are opened when a critical mass is reached	12:47
ttx	better release with a few known bugs than with an unknown regression	12:48
*** o_petit has joined #openstack-dev		12:48
jd__	fair enough, though I am still not really clear about how it is much better to backport these patches in 2013.2.1, since this is what it means IIUC :)	12:48
ttx	jd__: that said if you already have a release-critical bug, we can look at it	12:48
*** jtomasek_ has quit IRC		12:48
jd__	ttx: I don't these are release critical, no	12:49
jd__	there are small fixes nice to have	12:49
ttx	jd__: the difference is that the release can't afford an embarassing regression	12:49
ttx	jd__: but then if you don't do an RC2 htat would be a first	12:50
ttx	we always find some embarassing issue that needs to be fixed in a RC2 anyway	12:50
jd__	ttx: when's the rc2 window opened btw?	12:50
jd__	yeah probably :)	12:50
ttx	but then we select the bugs we backport as low-regression-risk	12:51
*** athomas has joined #openstack-dev		12:51
jd__	ack	12:51
ttx	it's opened whenever you and I agree that one of the bugs fixed in master is release-critical	12:51
jd__	I'll wait for a bug then :-)	12:51
ttx	doesn't have to be a "critical" bug. Can be a missing file :)	12:51
*** flaper87 is now known as flaper87\|afk		12:52
*** nermina has quit IRC		12:53
*** dkranz has quit IRC		12:54
*** rfolco has joined #openstack-dev		12:54
*** psedlak\|afk is now known as psedlak		12:56
*** bpokorny has joined #openstack-dev		12:56
*** dprince has joined #openstack-dev		13:00
*** jtomasek_ has joined #openstack-dev		13:02
dhellmann	ttx, do translations follow the same process?	13:03
ttx	dhellmann: we usually refresh the translation as we push a new rc	13:03
*** burt has joined #openstack-dev		13:03
ttx	dhellmann: but that's why we usually ask htat translatoins are complete by the end of the month	13:03
ttx	(i.e. rc1)	13:04
*** pfreund has quit IRC		13:04
*** neelashah has joined #openstack-dev		13:04
dhellmann	yeah, we just received a big changeset this morning https://review.openstack.org/#/c/49473/	13:04
jd__	ttx: do you know if Transifex targets milestone-proposed too?	13:04
ttx	jd__: I have no idea	13:05
jd__	ah, the mysteries of the translation process :)	13:05
ttx	jd__: good question I guess	13:05
*** flaper87\|afk is now known as flaper87		13:06
*** davidhadas_ has quit IRC		13:06
*** jprovazn has joined #openstack-dev		13:07
*** AnilV4 has quit IRC		13:08
*** davidhadas has joined #openstack-dev		13:08
*** gordc has joined #openstack-dev		13:09
*** vartom19 has quit IRC		13:10
*** dvarga has joined #openstack-dev		13:14
*** noslzzp has joined #openstack-dev		13:15
*** michchap has quit IRC		13:16
*** michchap_ has joined #openstack-dev		13:16
*** fbo is now known as fbo_away		13:16
*** AnilV4 has joined #openstack-dev		13:19
*** nermina has joined #openstack-dev		13:21
*** jecarey has joined #openstack-dev		13:23
*** alunduil has quit IRC		13:25
*** fbo_away is now known as fbo		13:25
*** rkukura has joined #openstack-dev		13:25
*** kbringard has joined #openstack-dev		13:26
*** dperaza has joined #openstack-dev		13:27
*** radez_g0n3 is now known as radez		13:28
*** troytoman-away is now known as troytoman		13:28
*** davidhadas_ has joined #openstack-dev		13:29
*** athomas has quit IRC		13:29
*** tellesnobrega has quit IRC		13:30
*** athomas has joined #openstack-dev		13:30
*** jayg\|g0n3 is now known as jayg		13:30
*** prekarat has quit IRC		13:31
*** davidhadas has quit IRC		13:31
*** vkmc has joined #openstack-dev		13:34
*** vkmc has quit IRC		13:34
*** vkmc has joined #openstack-dev		13:34
sandywalsh	russellb: ping?	13:34
russellb	sandywalsh: hi there	13:37
sandywalsh	hey!	13:38
sandywalsh	so, question about oslo.messaging	13:38
* russellb hasn't worked on oslo.messaging at all :(		13:38
sandywalsh	will routing_key and queue still be tied 1:1 as it is with rpc?	13:38
sandywalsh	russellb: oh, I thought that was your bag?	13:38
russellb	markmc mainly	13:38
sandywalsh	sorry, my bad.	13:38
russellb	all good!	13:39
russellb	i just feel bad because I wish I had put more time into it	13:39
russellb	but yeah, markmc is your guy	13:39
sandywalsh	well, me too :) sorry for the interruption	13:39
russellb	no worries, have you seen https://wiki.openstack.org/wiki/Oslo/Messaging ?	13:39
russellb	not sure if it answers your question ..	13:39
*** davidhadas has joined #openstack-dev		13:40
*** changbl has quit IRC		13:40
*** adalbas has joined #openstack-dev		13:40
sandywalsh	yeah, I'll reread, but didn't see it explicitly mentioned	13:40
*** markmcclain has joined #openstack-dev		13:40
russellb	ok, i wasn't sure	13:40
markmc	sandywalsh, there's no changes planned to how the kombu driver actually works	13:40
markmc	sandywalsh, oslo.messaging is just about putting a better API abstraction on it	13:40
markmc	sandywalsh, we can of course talk about changes	13:40
markmc	sandywalsh, but it's no different a discussion to if we were just adding something new to the rpc code	13:41
sandywalsh	markmc: gotcha .. it would be great to get a proper separation there. We end up creating many queues when we don't need to	13:41
markmc	sandywalsh, what's the use case?	13:41
sandywalsh	(specifically around notifications)	13:41
markmc	ok, the use case is a notifications listener/client?	13:41
markmc	yes, we need to design an oslo.messaging notifications client API	13:42
markmc	and when we have that, we can make the drivers be smart for that case	13:42
*** davidhadas_ has quit IRC		13:42
sandywalsh	cool ... have there been any efforts down that road yet?	13:42
markmc	nope :)	13:42
sandywalsh	k, I'll reread that wiki page and try to pull together some usecases	13:43
markmc	this bp was meant to track it: https://blueprints.launchpad.net/oslo/+spec/messaging-api-notifications-client	13:43
markmc	i.e. I could imagine a oslo.messaging.NotificationsListener class	13:44
sandywalsh	yup, that does what we need now, but there are still some things we can improve	13:44
sandywalsh	we're getting into situations now where there are more than one downstream notification consumer	13:44
markmc	right, the rpc code has the infrastructure	13:44
markmc	it's the API design that we need for oslo.messaging	13:44
sandywalsh	k, I'll see what I can contribute ... stay tuned.	13:45
sandywalsh	thanks	13:45
markmc	if you think you'll have an API proposal for the summit, could add a session proposal	13:45
markmc	otherwise we can just touch on it in http://summit.openstack.org/cfp/details/151	13:45
sandywalsh	ok, great ... I'll make sure I make that.	13:47
*** mdenny has joined #openstack-dev		13:48
*** lbragstad has joined #openstack-dev		13:48
*** oubiwann has quit IRC		13:49
*** nil1511 has joined #openstack-dev		13:49
*** sridevi has quit IRC		13:49
*** oubiwann has joined #openstack-dev		13:49
*** zhiyan has joined #openstack-dev		13:50
*** amotoki_ has joined #openstack-dev		13:52
*** venkatesh has joined #openstack-dev		13:54
*** polfilm has quit IRC		13:57
*** prad has joined #openstack-dev		13:57
*** rohitk has quit IRC		13:59
*** rushiagr has quit IRC		13:59
*** litong has joined #openstack-dev		13:59
*** paragan has joined #openstack-dev		14:00
*** paragan has joined #openstack-dev		14:00
*** davidhadas_ has joined #openstack-dev		14:00
*** ygbo has joined #openstack-dev		14:01
*** rushiagr has joined #openstack-dev		14:01
*** dkranz has joined #openstack-dev		14:02
*** xqueralt has quit IRC		14:03
*** davidhadas has quit IRC		14:03
*** xqueralt has joined #openstack-dev		14:03
*** briancurtin has joined #openstack-dev		14:03
*** amotoki has quit IRC		14:03
*** amotoki_ is now known as amotoki		14:04
*** yeylon_ has quit IRC		14:05
*** ayoung has joined #openstack-dev		14:05
*** chenxu has joined #openstack-dev		14:05
*** comay has quit IRC		14:05
*** Shaan7 has joined #openstack-dev		14:06
*** radez is now known as radez_g0n3		14:07
*** DennyZhang has joined #openstack-dev		14:07
*** rwsu-away is now known as rwsu		14:07
*** troytoman is now known as troytoman-away		14:08
*** jtomasek_ is now known as jtomasek		14:09
*** avishay has quit IRC		14:10
*** trey_h has joined #openstack-dev		14:10
*** rohitk has joined #openstack-dev		14:12
*** MaxV has quit IRC		14:13
*** MaxV has joined #openstack-dev		14:13
*** sileht has quit IRC		14:14
*** thedodd has joined #openstack-dev		14:14
*** jimfehlig has joined #openstack-dev		14:15
*** sileht has joined #openstack-dev		14:16
*** sthaha has quit IRC		14:16
*** DinaBelova has quit IRC		14:18
*** thedodd has quit IRC		14:19
*** thedodd has joined #openstack-dev		14:21
*** tvb has quit IRC		14:22
*** shakayumi has joined #openstack-dev		14:22
*** terriyu has joined #openstack-dev		14:23
*** avishay has joined #openstack-dev		14:23
*** yeylon_ has joined #openstack-dev		14:27
*** dolphm has joined #openstack-dev		14:27
*** FunnyLookinHat has joined #openstack-dev		14:27
*** FunnyLookinHat has joined #openstack-dev		14:27
*** edmund has joined #openstack-dev		14:27
dolphm	dstanek: o/	14:27
dstanek	dolphm: hi	14:28
*** anteaya has joined #openstack-dev		14:28
*** mrodden has joined #openstack-dev		14:29
*** markwash has quit IRC		14:29
*** troytoman-away is now known as troytoman		14:29
dstanek	dolphm: so i'm looking at http://api.openstack.org/api-ref-identity.html#identity-v2.0-ext; specifically "Adds a users"; would you expect that example to work?	14:30
*** dolphm has quit IRC		14:30
*** nil1511 has left #openstack-dev		14:30
*** spzala has joined #openstack-dev		14:30
*** cfriesen has joined #openstack-dev		14:30
*** grapsus__ has quit IRC		14:31
*** chenxu has quit IRC		14:31
*** dolphm has joined #openstack-dev		14:32
dstanek	dolphm: did you see my question above?	14:33
dolphm	dstanek: yes, sorry... plugged into a monitor and my laptop decided that it'd rather be turned off	14:34
*** o_petit has quit IRC		14:34
dstanek	dolphm: np, didn't want to repeat if you saw it	14:34
dolphm	dstanek: yes, that request should work, but neither the "username" attribute and "OS-KSADM:password" attribute would be recognized / used for auth, and you'd probably get a 400 for missing "name"	14:35
dstanek	dolphm: i fixed the username issue in a patch that's currently under review :-)	14:36
dolphm	dstanek: i saw, i'd like to get that in soon	14:36
dstanek	dolphm: but i don't think OS-KSADM is treated like a password	14:36
dolphm	dstanek: i don't believe that it is	14:36
*** aeperezt has joined #openstack-dev		14:37
dstanek	dolphm: but it should be right?	14:37
*** jvrbanac has joined #openstack-dev		14:37
dolphm	dstanek: yes	14:37
dolphm	dstanek: i'd like a similar approach to how you handled username / name	14:37
*** Max__ has joined #openstack-dev		14:37
*** MaxV has quit IRC		14:37
dstanek	dolphm: i'll make it so	14:38
dolphm	dstanek: so, "password" should continue to be the canonical attribute in our implementation, but we should recognize "OS-KSADM:password" if that's the only thing provided, and return both in relevant responses	14:38
*** grapsus_ has joined #openstack-dev		14:38
dolphm	dstanek: thank you sir!	14:38
dstanek	dolphm: we don't return passwords from service calls do we?	14:38
*** trey_h has quit IRC		14:39
dolphm	dstanek: oh no, nvm lol	14:39
*** datsun180b has joined #openstack-dev		14:40
*** chenxu has joined #openstack-dev		14:41
*** changbl has joined #openstack-dev		14:43
*** DinaBelova has joined #openstack-dev		14:46
*** polfilm has joined #openstack-dev		14:46
*** topol has joined #openstack-dev		14:48
*** polfilm has quit IRC		14:48
*** chenxu has quit IRC		14:49
*** sushils has quit IRC		14:51
*** lbragstad has quit IRC		14:54
lyncos	Hi.. is there any .deb package of Havana RC1 ? or any documentation on how to packages different openstack pieces ?	14:55
*** FunnyLookinHat has quit IRC		14:55
*** matiu has joined #openstack-dev		14:56
*** matiu has quit IRC		14:56
*** matiu has joined #openstack-dev		14:56
*** rcleere has joined #openstack-dev		14:56
*** FunnyLookinHat has joined #openstack-dev		14:56
*** mrodden has quit IRC		14:57
*** neelashah has quit IRC		14:57
*** mrodden has joined #openstack-dev		14:58
*** herndon_ has joined #openstack-dev		14:58
*** neelashah has joined #openstack-dev		14:59
*** cjellick has joined #openstack-dev		15:00
*** reidrac has quit IRC		15:02
*** ifarkas has quit IRC		15:02
*** lbragstad has joined #openstack-dev		15:02
*** neelashah has quit IRC		15:02
*** carl_baldwin has joined #openstack-dev		15:03
*** bashok has joined #openstack-dev		15:03
dolphm	lyncos: the tarballs for each project are all i'm aware of so far, for example: https://launchpad.net/keystone/havana/havana-rc1	15:04
*** neelashah has joined #openstack-dev		15:04
*** venkatesh has quit IRC		15:04
dolphm	lyncos: i'm not sure if we'll see RC-based packages or not	15:04
*** o_petit has joined #openstack-dev		15:04
*** sushils has joined #openstack-dev		15:04
*** o_petit has quit IRC		15:04
*** o_petit has joined #openstack-dev		15:05
*** cjellick has quit IRC		15:05
lyncos	ok so I need to use the tarballs ... so that leave my system un-upgradable to the stable version once the real .deb packages are created	15:05
lyncos	There is no doc on how to do it ?	15:06
*** chenxu has joined #openstack-dev		15:06
dolphm	lyncos: https://wiki.openstack.org/wiki/Packaging/Ubuntu https://wiki.openstack.org/wiki/Packaging/Debian	15:07
lyncos	Thanks I'll take a look at it	15:07
bknudson	dolphm: I've been looking at using oslo.db -- https://review.openstack.org/#/c/49460/	15:07
bknudson	I think it's going to be too big of a change to backport (new config options)	15:08
dolphm	bknudson: ++ definitely not backportable	15:08
*** boris-42 has quit IRC		15:09
*** shinylasers has quit IRC		15:09
bknudson	dolphm: so if we want https://review.openstack.org/#/c/49271/ and https://review.openstack.org/#/c/49272/ , could those be merged/backported in the interim?	15:09
*** zhiyan has quit IRC		15:10
dolphm	bknudson: all you care about is the db2 fix, right?	15:10
dolphm	bknudson: is the refactor necessary to land that?	15:10
*** dstufft has quit IRC		15:10
bknudson	dolphm: well, all we care about is the db2 fix... mysql is not working now either.	15:11
dolphm	bknudson: what's wrong with mysql?	15:11
bknudson	dolphm: https://review.openstack.org/#/c/49270/1	15:11
*** flaper87 is now known as flaper87\|afk		15:11
*** jasdeepH has joined #openstack-dev		15:11
*** alunduil has joined #openstack-dev		15:11
*** amuller has quit IRC		15:11
*** rnirmal has joined #openstack-dev		15:11
*** flaper87\|afk is now known as flaper87		15:11
*** jmontemayor has joined #openstack-dev		15:12
*** pasquier-s has quit IRC		15:12
bknudson	I could merge all these together	15:12
dolphm	bknudson: ah, so mysql DOES work :P	15:12
*** dstufft has joined #openstack-dev		15:12
dolphm	bknudson: if the mysql server is ACTUALLY gone, then keystone doesn't fail very gracefully	15:12
dolphm	right?	15:12
bknudson	dolphm: right, keystone doesn't recover as it should.	15:13
*** radez_g0n3 is now known as radez		15:13
dolphm	bknudson: well, it wouldn't recover anyway... it'd abort the request with a 500 i assume	15:13
dolphm	500 either way	15:13
*** cjellick has joined #openstack-dev		15:13
bknudson	dolphm: with the fix for https://review.openstack.org/#/c/49270/1 it does recover, so not 500	15:14
dolphm	bknudson: does the DisconnectionError cause sqlalchemy to try again?	15:14
bknudson	dolphm: yes, sqlalchemy will discard the connection and then start a new one, which works if mysql is running now	15:15
dolphm	bknudson: that makes sense then - and this patch specifically is backportable	15:16
*** o_petit has quit IRC		15:16
*** bashok has quit IRC		15:17
*** bdpayne has joined #openstack-dev		15:17
bknudson	dolphm: great, thanks	15:17
*** bashok has joined #openstack-dev		15:17
*** chenxu has quit IRC		15:18
dolphm	bknudson: but, back to db2 support -- this patch alone is also backportable https://review.openstack.org/#/c/49272/2/keystone/common/sql/core.py	15:19
dolphm	bknudson: but it's based on a refactor that i'm not a fan of because it diverges from oslo.db, and it's not backportable either	15:19
*** jprovazn has quit IRC		15:19
dolphm	(the refactor, not the fix)	15:19
bknudson	dolphm: I could get rid of the refactor... have a separate handler for db2?	15:20
bknudson	then the mysql handler would not be touched.	15:20
*** jayg is now known as jayg\|g0n3		15:21
*** jayg\|g0n3 is now known as jayg		15:21
bknudson	dolphm: the fix is also proposed to oslo -- https://review.openstack.org/#/c/48733/	15:21
*** pfreund has joined #openstack-dev		15:22
*** johnthetubaguy has quit IRC		15:22
*** iartarisi has quit IRC		15:23
*** davidhadas_ has quit IRC		15:24
*** chenxu has joined #openstack-dev		15:24
*** dtyarnell has joined #openstack-dev		15:24
*** jcoufal_ has quit IRC		15:25
*** athomas has quit IRC		15:25
*** devoid has joined #openstack-dev		15:25
dolphm	bknudson: downvoted that... the query in your looks better	15:25
*** Max__ has quit IRC		15:25
*** o_petit has joined #openstack-dev		15:26
*** johnthetubaguy has joined #openstack-dev		15:26
*** radez is now known as radez_g0n3		15:27
*** jtomasek has quit IRC		15:27
*** herndon_ has quit IRC		15:28
*** sumanthns has quit IRC		15:28
*** devoid has quit IRC		15:29
*** mlavalle has joined #openstack-dev		15:30
*** herndon_ has joined #openstack-dev		15:30
*** dtyarnell has quit IRC		15:32
*** tvb has joined #openstack-dev		15:32
*** xga__ has quit IRC		15:35
*** tvb has quit IRC		15:35
*** tvb has joined #openstack-dev		15:35
*** tvb has quit IRC		15:35
*** tvb has joined #openstack-dev		15:35
*** xga has joined #openstack-dev		15:35
*** shakayumi has quit IRC		15:37
*** dtyarnell has joined #openstack-dev		15:38
*** corXi has quit IRC		15:39
*** pfreund has quit IRC		15:40
*** DinaBelova has quit IRC		15:40
*** aelkikhia has joined #openstack-dev		15:41
*** carl_baldwin has left #openstack-dev		15:42
*** pmathews has joined #openstack-dev		15:42
*** aelkikhia has left #openstack-dev		15:42
*** johnthetubaguy has quit IRC		15:45
*** johnthetubaguy1 has joined #openstack-dev		15:45
*** david-lyle has quit IRC		15:46
*** herndon_ has quit IRC		15:48
*** nshaikh has left #openstack-dev		15:48
*** jistr has quit IRC		15:49
*** shinylasers has joined #openstack-dev		15:50
*** dkehn_ has joined #openstack-dev		15:50
*** shinylasers has quit IRC		15:50
*** dkehn has quit IRC		15:51
*** lyncos has quit IRC		15:51
*** shinylasers has joined #openstack-dev		15:51
*** angdraug has joined #openstack-dev		15:51
*** yassine has quit IRC		15:53
*** lyncos has joined #openstack-dev		15:53
*** dkehn has joined #openstack-dev		15:54
*** lyncos has quit IRC		15:54
*** lyncos has joined #openstack-dev		15:55
*** pberis has joined #openstack-dev		15:55
*** dkehn_ has quit IRC		15:56
*** athomas has joined #openstack-dev		15:56
*** chenxu has quit IRC		15:57
*** venkatesh has joined #openstack-dev		15:58
*** davidhadas has joined #openstack-dev		15:59
*** ygbo has quit IRC		16:00
*** corXi has joined #openstack-dev		16:00
*** JordanP has quit IRC		16:00
*** Ruetobas has quit IRC		16:01
*** marun has quit IRC		16:01
*** romcheg has quit IRC		16:01
*** marun has joined #openstack-dev		16:02
*** herndon_ has joined #openstack-dev		16:02
*** corXi has quit IRC		16:02
*** Ruetobas has joined #openstack-dev		16:03
*** Ryan_Lane has joined #openstack-dev		16:04
*** chenxu has joined #openstack-dev		16:04
*** DinaBelova has joined #openstack-dev		16:05
*** zaitcev has joined #openstack-dev		16:05
*** markmcclain has quit IRC		16:07
*** Mandell has quit IRC		16:07
*** Mandell has joined #openstack-dev		16:08
*** Ruetobas has quit IRC		16:08
*** alop has joined #openstack-dev		16:08
*** carl_baldwin has joined #openstack-dev		16:09
*** martyntaylor has quit IRC		16:11
*** afazekas has quit IRC		16:12
*** dperaza has quit IRC		16:12
*** neelashah has quit IRC		16:12
*** AlexF has joined #openstack-dev		16:13
*** Mandell has quit IRC		16:13
*** garyk has quit IRC		16:13
*** dperaza has joined #openstack-dev		16:13
*** o_petit has quit IRC		16:13
*** Ruetobas has joined #openstack-dev		16:13
lyncos	ayoung .. are you there ?	16:14
*** vuil has joined #openstack-dev		16:15
*** odyssey4me has quit IRC		16:15
*** flaper87 is now known as flaper87\|afk		16:16
*** boris-42 has joined #openstack-dev		16:16
*** nermina has quit IRC		16:17
*** flaper87\|afk is now known as flaper87		16:17
*** david-lyle has joined #openstack-dev		16:17
*** dtyarnell_ has joined #openstack-dev		16:18
*** dtyarnell has quit IRC		16:19
*** dtyarnell_ is now known as dtyarnell		16:19
*** AlexF has quit IRC		16:20
*** safchain has quit IRC		16:21
*** lbragstad has quit IRC		16:22
*** DinaBelova has quit IRC		16:22
*** xga has quit IRC		16:22
*** sarob has joined #openstack-dev		16:22
*** SergeyLukjanov has quit IRC		16:22
lyncos	I need help with the hybrid backend feature in keystone if anyone interested to help	16:23
*** sarob has quit IRC		16:23
*** lbragstad has joined #openstack-dev		16:23
*** sarob has joined #openstack-dev		16:24
*** shardy is now known as shardy_afk		16:24
*** rkukura has quit IRC		16:26
*** thingee_zzz is now known as thingee		16:26
*** afazekas has joined #openstack-dev		16:27
*** freedomhui has joined #openstack-dev		16:28
*** markwash has joined #openstack-dev		16:29
*** tmclaugh[work] has joined #openstack-dev		16:31
*** ArcTanSusan has joined #openstack-dev		16:32
*** alop has quit IRC		16:33
*** bswartz has quit IRC		16:33
*** AlexF has joined #openstack-dev		16:34
*** SumitNaiksatam has quit IRC		16:34
*** rkukura has joined #openstack-dev		16:35
*** Shaan7 has quit IRC		16:36
*** Shaan7 has joined #openstack-dev		16:36
*** alop has joined #openstack-dev		16:36
*** afazekas_ has joined #openstack-dev		16:36
*** SumitNaiksatam has joined #openstack-dev		16:36
*** ArcTanSusan has quit IRC		16:36
*** SumitNaiksatam has quit IRC		16:37
*** DennyZhang has left #openstack-dev		16:37
*** DennyZhang has quit IRC		16:38
*** grapsus_ has quit IRC		16:38
*** grapsus_ has joined #openstack-dev		16:38
*** DennyZhang has joined #openstack-dev		16:38
*** carl_baldwin has quit IRC		16:41
*** kbrierly has joined #openstack-dev		16:41
*** AlexF has quit IRC		16:42
*** sushils has quit IRC		16:42
*** jpich has quit IRC		16:44
*** lbragstad has quit IRC		16:44
*** sushils has joined #openstack-dev		16:46
*** yjiang5 has joined #openstack-dev		16:46
zul	is cinder rc1 out yet?	16:46
*** chenxu has quit IRC		16:47
*** paragan has quit IRC		16:50
*** Ryan_Lane has quit IRC		16:50
*** MaxV has joined #openstack-dev		16:51
*** gyee has joined #openstack-dev		16:53
*** eglynn has quit IRC		16:53
*** danpb has quit IRC		16:53
*** MaxV has quit IRC		16:53
*** FatDarrel has joined #openstack-dev		16:54
*** lucasagomes has quit IRC		16:55
*** comay has joined #openstack-dev		16:55
*** neelashah has joined #openstack-dev		16:57
dstanek	dolphm: where is the OS-KSCRUD extension documented	16:57
*** mrodden1 has joined #openstack-dev		16:58
jgriffith	zul: no	16:58
*** vuil has quit IRC		16:58
jgriffith	zul: close hopefully tomorrow morning	16:58
jgriffith	zul: it should be ready shortly	16:59
dolphm	dstanek: not sure, i just looked myself	16:59
*** odyssey4me has joined #openstack-dev		17:00
*** mrodden has quit IRC		17:00
dolphm	dstanek: found an example on page 101 of this, which looks to be from openstack-manuals http://www.vcomtech.net/linux/6/6Server/en/updates/openstack/docs/bk-compute-adminguide-trunk.pdf	17:01
*** venkatesh has quit IRC		17:02
dolphm	dstanek: openstack-manuals doc/admin-guide-cloud/ch_identity_mgmt.xml	17:02
dolphm	dstanek: so, doc'd but maybe not spec'd?	17:03
*** moted has quit IRC		17:03
*** moted has joined #openstack-dev		17:04
*** odyssey4me2 has joined #openstack-dev		17:04
*** SumitNaiksatam has joined #openstack-dev		17:04
*** odyssey4me has quit IRC		17:05
*** oubiwann has quit IRC		17:05
*** nati_ueno has joined #openstack-dev		17:05
*** oubiwann has joined #openstack-dev		17:06
*** garyk has joined #openstack-dev		17:08
HenryG	salv-orlando: ping	17:09
*** derekh has quit IRC		17:11
*** lbragstad has joined #openstack-dev		17:13
*** garyk has quit IRC		17:13
*** jbryce has joined #openstack-dev		17:14
*** danwent has joined #openstack-dev		17:14
*** mmagr has quit IRC		17:14
*** vuil has joined #openstack-dev		17:15
*** markmcclain has joined #openstack-dev		17:15
*** gimps_ has joined #openstack-dev		17:16
*** amotoki has quit IRC		17:17
*** nermina has joined #openstack-dev		17:17
*** kbrierly has quit IRC		17:17
*** avishay is now known as avishay_zzz		17:17
*** garyk has joined #openstack-dev		17:19
*** flaper87 is now known as flaper87\|afk		17:21
*** djoreilly_ has joined #openstack-dev		17:22
*** SergeyLukjanov has joined #openstack-dev		17:23
ayoung	lyncos, ok...I'm here	17:29
lyncos	Yeah	17:29
lyncos	Ok I did install keystone from havana/ubuntu repo .. and I'm trying to get the 'mixed' backend thing	17:29
dstanek	dolphm: https://review.openstack.org/49594 should just about cover it	17:30
lyncos	ayoung is there any doc on this ?	17:30
ayoung	lyncos, cool. So you set the identity backend to LDAP and the assignments backend to SQL?	17:30
*** nati_ueno has quit IRC		17:31
lyncos	ayoung this is what I'm trying to do ... the ldap part is working (getting the user list) but when I do role-list it's still going to ldap... I probably missed something	17:31
*** markmcclain1 has joined #openstack-dev		17:31
*** nati_ueno has joined #openstack-dev		17:31
ayoung	lyncos, you need to explicitly set the assignments backend....otherwise we would have broken all of the LDAP deployments out there upon upgrade	17:31
ayoung	so	17:31
*** nati_ueno has quit IRC		17:31
*** markmcclain has quit IRC		17:32
lyncos	I'm not sure i'm using RC2	17:32
*** nati_ueno has joined #openstack-dev		17:32
ayoung	https://github.com/openstack/keystone/blob/master/etc/keystone.conf.sample#L276	17:33
lyncos	argh I think I don't have the latest version	17:33
lyncos	I think what I have is B2 not RC2	17:33
ayoung	lyncos, RC-1 just got cut yesterday	17:33
ayoung	B2 should still work	17:33
lyncos	ok	17:33
ayoung	This code got done early in the cycle	17:33
lyncos	in the package I'm using... they put the wrong config file I think	17:34
ayoung	[assignments]	17:34
*** herndon_ has quit IRC		17:34
lyncos	that's the only section I need to add ?	17:34
ayoung	driver = keystone.assignment.backend.sql.Assignment	17:35
ayoung	lyncos, yeah...the logic is a little convoluted, and not what I would have wanted in a blank-slate implementation	17:35
jgriffith	dhellmann: https://review.openstack.org/#/c/49500/	17:35
lyncos	ok let's try that	17:36
ayoung	the default backend is SQL...unless you ahve an LDAP identity backend. In that case, we grandfather in assignmnets out of LDAP	17:36
*** sandeepr_ltp has joined #openstack-dev		17:36
jgriffith	dhellmann: assuming ttx added you explicitly	17:36
lyncos	it still try to use ldap when I do role-list	17:36
ayoung	and that is [assignmnet] not [assignments]	17:36
ayoung	feh	17:36
lyncos	dah :-)	17:36
ayoung	[assignment]	17:37
ayoung	https://github.com/openstack/keystone/blob/master/keystone/common/config.py#L128	17:37
ayoung	lyncos, we are working toward supporting multiple LDAP servers. When that happens, each one will get its own domain, and each one will get its own config file. We have most of that impl in Havana, but there are some devils in the details that don't work quite right yet	17:38
lyncos	ok when I put the assigment thing .. keystone dosen't restart	17:39
*** venkatesh has joined #openstack-dev		17:39
lyncos	my fault I think	17:39
*** xqueralt has quit IRC		17:40
*** djoreilly_ has quit IRC		17:40
lyncos	nice works I think	17:41
lyncos	thanks a lot.. that's the best option ever :-)	17:42
*** johnthetubaguy1 has quit IRC		17:42
*** AlexF has joined #openstack-dev		17:42
*** ndipanov has quit IRC		17:42
*** venkatesh_ has joined #openstack-dev		17:42
*** melwitt has joined #openstack-dev		17:43
*** venkatesh has quit IRC		17:44
ayoung	lyncos, took a long time to come around to understanding that this is what we should be doing. I think it is going to be the killer feature in Keystone Havana	17:44
lyncos	Yeah because maintaining wierd objects in AD is difficult	17:45
*** gimps_ has quit IRC		17:45
*** rkukura has quit IRC		17:45
lyncos	:-)	17:47
*** eglynn has joined #openstack-dev		17:47
*** rkukura has joined #openstack-dev		17:48
*** ArcTanSusan has joined #openstack-dev		17:48
*** jergerber has joined #openstack-dev		17:49
*** afazekas_ has quit IRC		17:49
*** afazekas has quit IRC		17:49
*** jruzicka has quit IRC		17:50
*** ArcTanSusan has quit IRC		17:52
*** cdub has joined #openstack-dev		17:55
*** vuil has quit IRC		17:56
*** cdub_ has quit IRC		17:59
*** nati_ueno has quit IRC		18:01
*** nati_ueno has joined #openstack-dev		18:02
*** vuil has joined #openstack-dev		18:04
*** isd has joined #openstack-dev		18:05
*** AlexF has quit IRC		18:05
*** AlexF has joined #openstack-dev		18:05
*** jbryce has quit IRC		18:06
*** mlavalle has quit IRC		18:07
*** AlexF has quit IRC		18:07
*** vuil has quit IRC		18:08
*** bswartz has joined #openstack-dev		18:09
bknudson	dolphm: submitted change to oslo-incubator db req'd for keystone -- https://review.openstack.org/#/c/49598/	18:11
*** amohn9 has joined #openstack-dev		18:12
*** AlexF has joined #openstack-dev		18:13
*** djoreilly has quit IRC		18:13
ayoung	bknudson, does it really need to be deprecated? Without that option, can we support multiple different SQL connections? I'm think of a future case where Policy came out of one SQL source and tokens another	18:13
*** pberis has quit IRC		18:13
bknudson	ayoung: the old option and the new option will work. It's just a renaming	18:14
ayoung	I guess, though, that this is still a global connection	18:14
bknudson	so shouldn't affect multiple SQL connections	18:14
ayoung	bknudson, Ideally we will do with SQL connections what henrynash has done with LDAP connections	18:14
bknudson	ayoung: is your concern that switch to oslo.db won't support everything we need?	18:14
dstanek	bknudson: ping	18:14
ayoung	bknudson, nah, I think we are good	18:14
ayoung	I was thinking forward	18:14
bknudson	ayoung: btw - oslo.db does support 2 connections, it has a "slave" connection that I don't know what it is.	18:15
bknudson	dstanek: I'm right here.	18:15
dstanek	bknudson: i'm looking at https://review.openstack.org/#/c/43524/10 and i don't understand the magic 512 number	18:15
ayoung	bknudson, I would like to be able to name a connection and then have the various backends use that name as opposed to the whole sql connection string\	18:15
dstanek	bknudson: yeah, i was scrolled way up in history and didn't see the current conversation	18:15
bknudson	dstanek: https://w3-connections.ibm.com/wikis/home?lang=en_US#!/wiki/W71527676a1d3_4c3f_9f75_43d3d96f3a2e/page/How%20to%20integrate%20Keystone%20with%20Windows%20Active%20Directory	18:16
*** mrodden1 has quit IRC		18:16
bknudson	dstanek: also http://www.netvision.com/ad_useraccountcontrol.php	18:16
dolphm	bknudson: awesome	18:16
*** pberis has joined #openstack-dev		18:16
bknudson	dstanek: so if you're using active directory and using regular windows user attrs, then the "enabled" field is encoded in a bit field attribute	18:17
*** mrodden has joined #openstack-dev		18:17
bknudson	dstanek: 512 == enabled whereas 512 \| 2 = 514 is disabled	18:17
dolphm	bknudson: lgtm	18:17
dstanek	bknudson: interesting...thanks for the links	18:17
bknudson	dstanek: so 2 is the mask that keystone applies to extract the enabled/disabled value from the bit field.	18:18
*** changbl has quit IRC		18:18
dolphm	bknudson: that should be doc'd in keystone.conf comments if it's not already	18:18
dolphm	bknudson: it's caused a lot of confusion	18:18
ayoung	bknudson, hmmm, I can't see that url	18:21
bknudson	ayoung: oops, sorry, was an internal one from my bookmarks	18:21
ayoung	bknudson, is that document public?	18:22
bknudson	ayoung: no, it's not	18:22
ayoung	bknudson, Secret sauce, huh?	18:22
bknudson	ayoung: I think it's based on public info, though, because I could have sworn I've seen it elsewhere.	18:22
bknudson	ayoung: a doc for our test team.	18:22
*** athomas has quit IRC		18:22
*** eglynn has quit IRC		18:23
ayoung	bknudson, that is exactly the blog post I don't want to write. I don't want people thinking I know AD	18:23
ayoung	But I would be thrilled if you made it public, and would point many people at it and sing the praises of the author	18:23
ayoung	of course, we know it was our friends at CERN that really worked out the kinks in AD support	18:24
ayoung	bknudson, I was actually just writing up a blog post based on the Identity/Assignment split. Having a link to the AD specifics would be awesome. Can you get that doc made public?	18:25
bknudson	ayoung: yes, as I said this for testing and not a real deployment.	18:25
*** Mandell has joined #openstack-dev		18:26
*** athomas has joined #openstack-dev		18:26
ayoung	bknudson, we work with virtual machines. there is no "real"	18:26
*** markmcclain1 has quit IRC		18:26
*** chenxu has joined #openstack-dev		18:26
*** burt has quit IRC		18:26
*** devoid has joined #openstack-dev		18:27
*** devoid has left #openstack-dev		18:27
*** eharney has quit IRC		18:27
*** eharney has joined #openstack-dev		18:27
*** CaptTofu has quit IRC		18:28
*** CaptTofu has joined #openstack-dev		18:28
*** vartom19 has joined #openstack-dev		18:29
*** markmc has quit IRC		18:29
*** Alexei_987 has quit IRC		18:32
*** kbrierly has joined #openstack-dev		18:32
*** CaptTofu has quit IRC		18:33
*** AlexF has quit IRC		18:33
*** oubiwann is now known as Guest7950		18:36
*** troytoman is now known as troytoman-away		18:37
*** Ryan_Lane has joined #openstack-dev		18:38
*** CaptTofu has joined #openstack-dev		18:39
*** radez_g0n3 is now known as radez		18:40
*** READ10 has quit IRC		18:42
*** novas0x2a\|laptop has joined #openstack-dev		18:43
*** chenxu has quit IRC		18:43
*** sarob has quit IRC		18:44
*** READ10 has joined #openstack-dev		18:44
*** vartom19 has quit IRC		18:46
*** angdraug has quit IRC		18:49
ayoung	lyncos, http://adam.younglogic.com/2013/10/read-only-ldap-in-keystone/	18:50
lyncos	Oh thanks.. you just did write it ?	18:51
morganfainberg	ayoung with another awesome blog post!	18:55
morganfainberg	ayoung, your posts are far too readable for an engineer to be writing them ;)	18:55
*** athomas has quit IRC		18:57
*** sarob has joined #openstack-dev		18:59
*** garyk has quit IRC		19:00
*** DennyZhang has quit IRC		19:01
*** DinaBelova has joined #openstack-dev		19:01
*** yolanda has quit IRC		19:03
*** aelkikhia has joined #openstack-dev		19:04
*** amohn9 has quit IRC		19:04
*** bashok has quit IRC		19:04
*** AlexF has joined #openstack-dev		19:05
*** AlexF has quit IRC		19:05
*** eglynn has joined #openstack-dev		19:06
*** amohn9 has joined #openstack-dev		19:06
*** nati_ueno has quit IRC		19:06
*** gyee has quit IRC		19:06
*** sirushti has quit IRC		19:07
*** nati_ueno has joined #openstack-dev		19:07
*** shakayumi has joined #openstack-dev		19:09
*** rkukura has quit IRC		19:09
lyncos	ayoung just a quick question... the services user and passwords are still taken on LDAP right ? is there any way to have them in db ?	19:09
*** eglynn has quit IRC		19:10
*** herndon_ has joined #openstack-dev		19:11
*** radez is now known as radez_g0n3		19:11
*** davidhadas has quit IRC		19:11
*** mrodden1 has joined #openstack-dev		19:12
*** davidhadas has joined #openstack-dev		19:13
*** rfolco has quit IRC		19:13
*** sirushti has joined #openstack-dev		19:13
*** mrodden has quit IRC		19:14
*** chenxu has joined #openstack-dev		19:14
*** vuil has joined #openstack-dev		19:14
*** shakayumi has quit IRC		19:16
*** mlavalle has joined #openstack-dev		19:16
*** eglynn has joined #openstack-dev		19:16
*** aelkikhia has left #openstack-dev		19:17
*** nermina has quit IRC		19:20
*** marun has quit IRC		19:21
*** tellesnobrega has joined #openstack-dev		19:22
ayoung	lyncos, morganfainberg thanks. Yeha, Its been stewing in my brain for a while. Once you've answered the same question a few times, it gets easier to write down the answer	19:22
*** amohn9 has quit IRC		19:23
ayoung	lyncos, unfortunately, not in Havana. henrynash is working on a better approach, but there are some bugs in it for Havana, so we are punting to Icehouse for full implementation	19:23
*** otherwiseguy has quit IRC		19:23
tellesnobrega	dolphm: hey, can you help me out on this bug https://bugs.launchpad.net/keystone/+bug/1220913	19:23
uvirtbot	Launchpad bug 1220913 in keystone "bp split-identity left unfinished" [Wishlist,In progress]	19:23
ayoung	however, the general idea is this	19:23
tellesnobrega	??	19:23
*** freedomhui has quit IRC		19:23
lyncos	ayoung ok .. will do with it for now .. not a big deal for us	19:23
ayoung	lyncos, the default domain will be in sql, but then a specific config file will say "but domain X is in LDAP"	19:24
ayoung	lyncos, it might work for your use cases	19:24
ayoung	there are some gnarlyness with globally unique user ids	19:24
lyncos	ah in that way it should work for us too	19:24
*** venkatesh_ has quit IRC		19:24
ayoung	but if most user ids are, say the CN value from LDAP, and then the service users get UUIDS, it shoud be ok	19:24
ayoung	tellesnobrega, that is bascialyl what we were discussing	19:26
ayoung	tellesnobrega, what do you need?	19:26
tellesnobrega	i just logged in, didnt see the whole conversation	19:26
*** odyssey4me has joined #openstack-dev		19:27
ayoung	tellesnobrega that is fine...what do you need help with?	19:27
tellesnobrega	i removed most of the methods from the indenty_api and changed the call to assignment_api	19:27
ayoung	and...	19:27
tellesnobrega	but the get_domain and get_domain_by_name didnt work as the others	19:28
tellesnobrega	when i try to remove them from the identity most of the tests break	19:28
ayoung	tellesnobrega, yeah, those are going to be tricky. However, what did you see?	19:28
tellesnobrega	i was looking through the code and i think that the problems lays on the second part of the bug	19:28
*** odyssey4me2 has quit IRC		19:29
*** nermina has joined #openstack-dev		19:29
tellesnobrega	that is removing the cross references to assignment_api and also there is a call to this method _select_identity_driver	19:29
tellesnobrega	that im not sure what it does, but it looks like it get the driver from identity, but since i removed the method it breaks the tests	19:30
*** pberis has quit IRC		19:31
ayoung	tellesnobrega, so...that is exactly what I was just dicussing. I would say htat, for now, leave that one alone	19:31
*** nermina has quit IRC		19:31
ayoung	what we have is a feature we are not quite ready to advertise	19:31
tellesnobrega	ok	19:32
ayoung	bascially, say you have a large company with Mergers and Acquisitions that went on such that you have 3 LDAP servers. You also have a bunch of cusotmers using your cloud, and you have a policy where each custiomer gets their own domain	19:32
*** marun has joined #openstack-dev		19:32
ayoung	we want to be able to have each LDAP server supported in its own domain as well	19:33
*** chenxu has quit IRC		19:33
ayoung	so...henrynash made that happen	19:33
ayoung	what we have as a problem is a two things around userids	19:33
ayoung	one is to figure, based on the user id, which domain are they in	19:33
ayoung	in the old scheme we did not have this problem	19:33
lyncos	ayoung I cannot make it work .. I get Authorization failed. Invalid user / password from .... but it's not showing the user	19:33
lyncos	it seems the debug logs for keystone are different...	19:34
ayoung	in the old scheme either all of the domains were in SQL...and the userids were unique enoght that we could link from uuserid to domain or	19:34
ayoung	we had LDAP and only a single domain	19:34
tellesnobrega	im already done with the removing of the other methods, how should i act on the bug, can it be marked as done?	19:34
ayoung	the call you are tripping over is where it tries to figure out which backend to call.	19:35
ayoung	We might be able to drop it, but I'll have to look more closely into it	19:35
*** otherwiseguy has joined #openstack-dev		19:35
*** vipul is now known as vipul-away		19:35
*** mkollaro has quit IRC		19:35
ayoung	in general, we don't want to have the assignments backend "validate" calls into Identity...for federation, we won't jhave al;l the data we need...but that is future looking	19:35
ayoung	tellesnobrega, lyncos sorry, got a meeting now...back in a few	19:35
lyncos	np will try to troubleshoot :-)	19:36
*** odyssey4me has quit IRC		19:36
tellesnobrega	ok	19:36
*** pberis has joined #openstack-dev		19:36
*** mkollaro has joined #openstack-dev		19:36
*** radez_g0n3 has quit IRC		19:37
*** chenxu has joined #openstack-dev		19:40
*** sarob has quit IRC		19:40
*** amohn9 has joined #openstack-dev		19:41
*** spzala has quit IRC		19:41
*** marun has quit IRC		19:41
*** angdraug has joined #openstack-dev		19:41
*** DinaBelova has quit IRC		19:41
*** pberis has joined #openstack-dev		19:42
*** yolanda has joined #openstack-dev		19:42
*** vipul-away is now known as vipul		19:44
*** gatuus has joined #openstack-dev		19:44
*** vipul is now known as vipul-away		19:44
*** gatuus has quit IRC		19:46
*** AlexF has joined #openstack-dev		19:47
*** dubsquared has joined #openstack-dev		19:47
*** marun has joined #openstack-dev		19:50
*** yolanda has quit IRC		19:51
*** safchain has joined #openstack-dev		19:55
*** venkatesh has joined #openstack-dev		19:56
*** dprince has quit IRC		19:58
*** rkukura has joined #openstack-dev		19:58
*** mkollaro has quit IRC		19:59
*** herndon_ has quit IRC		19:59
*** AlexF has quit IRC		19:59
*** herndon has joined #openstack-dev		20:01
*** pixelb has quit IRC		20:02
*** rnirmal has quit IRC		20:02
*** carl_baldwin has joined #openstack-dev		20:02
*** markwash has quit IRC		20:02
*** markwash has joined #openstack-dev		20:03
*** adalbas has quit IRC		20:03
bknudson	dolphm: posted new version of mysql fix https://review.openstack.org/#/c/49270/	20:04
bknudson	with tests	20:04
*** herndon has quit IRC		20:04
*** rnirmal has joined #openstack-dev		20:05
*** zhiyan has joined #openstack-dev		20:05
*** herndon_ has joined #openstack-dev		20:07
*** CaptTofu has quit IRC		20:07
*** markmcclain has joined #openstack-dev		20:07
*** CaptTofu has joined #openstack-dev		20:07
*** mkollaro has joined #openstack-dev		20:08
*** SergeyLukjanov has quit IRC		20:09
*** pcm_ has quit IRC		20:09
*** vkmc has quit IRC		20:09
*** aelkikhia has joined #openstack-dev		20:09
*** aelkikhia has quit IRC		20:10
*** chenxu has quit IRC		20:10
*** FatDarrel has quit IRC		20:10
*** isd has quit IRC		20:11
*** devoid has joined #openstack-dev		20:13
*** shinylasers has quit IRC		20:14
*** gyee has joined #openstack-dev		20:15
*** chenxu has joined #openstack-dev		20:17
metral	anyone else running into the nova-api not starting / timeout bug? unstacking & stacking arent doing the trick - even get the error when stacking on a fresh ubuntu 12.04 vm	20:20
metral	Waiting for nova-api to start...	20:23
metral	+ wait_for_service 60 http://<IP_ADDR>:8774	20:23
metral	+ local timeout=60	20:23
metral	+ local url=http://<IP_ADDR>:8774	20:23
metral	+ timeout 60 sh -c 'while ! http_proxy= https_proxy= curl -s http://<IP_ADDR>:8774 >/dev/null; do sleep 1; done'	20:23
metral	+ die 709 'nova-api did not start'	20:23
metral	+ local exitcode=0	20:23
metral	+ set +o xtrace	20:23
metral	[Call Trace]	20:23
metral	./stack.sh:1163:start_nova_api	20:23
metral	[ERROR] /home/ubuntu/devstack/lib/nova:709 nova-api did not start	20:23
*** dstanek has quit IRC		20:23
*** eglynn has quit IRC		20:24
*** devoid has left #openstack-dev		20:24
*** FatDarrel has joined #openstack-dev		20:24
lifeless	metral: have a look in the logs?	20:25
metral	lifeless looking as we speak - dont see much	20:26
*** danwent has quit IRC		20:28
*** marun has quit IRC		20:29
*** chenxu has quit IRC		20:29
metral	scratch my message - found a typo in my localrc	20:30
*** sarob has joined #openstack-dev		20:30
*** amohn9 has quit IRC		20:33
*** jcoufal has joined #openstack-dev		20:34
*** tmclaugh[work] has quit IRC		20:35
*** carl_baldwin has quit IRC		20:36
*** CaptTofu has quit IRC		20:37
*** carl_baldwin has joined #openstack-dev		20:37
*** CaptTofu has joined #openstack-dev		20:37
*** dvarga has quit IRC		20:37
*** tellesnobrega has quit IRC		20:39
*** cdub_ has joined #openstack-dev		20:40
*** tvb has quit IRC		20:41
*** chenxu has joined #openstack-dev		20:42
*** nermina has joined #openstack-dev		20:44
*** radsy has joined #openstack-dev		20:45
*** tmclaugh[work] has joined #openstack-dev		20:48
*** MaxV has joined #openstack-dev		20:48
*** burt has joined #openstack-dev		20:49
*** sgordon has quit IRC		20:50
*** amohn9 has joined #openstack-dev		20:50
*** rkukura has quit IRC		20:51
*** gordc has quit IRC		20:51
*** vipul-away is now known as vipul		20:54
*** alunduil has quit IRC		20:55
*** pfreund has joined #openstack-dev		20:56
*** jpeeler has quit IRC		20:56
*** rnirmal has quit IRC		20:57
*** pfreund has quit IRC		20:58
*** herndon_ has quit IRC		20:59
*** jvrbanac has quit IRC		21:00
*** herndon_ has joined #openstack-dev		21:01
*** chenxu has quit IRC		21:03
*** johnthetubaguy has joined #openstack-dev		21:04
*** rfolco has joined #openstack-dev		21:05
*** nermina has quit IRC		21:08
*** dims has quit IRC		21:08
*** dims has joined #openstack-dev		21:09
*** rfolco has quit IRC		21:11
*** mrodden1 is now known as mrodden		21:13
*** tjones has joined #openstack-dev		21:13
*** safchain has quit IRC		21:13
*** JordanP has joined #openstack-dev		21:14
*** donaldh has joined #openstack-dev		21:14
*** marun has joined #openstack-dev		21:14
*** jmontemayor has quit IRC		21:15
*** boris-42 has quit IRC		21:15
*** vipul is now known as vipul-away		21:17
*** burt has quit IRC		21:17
*** isd has joined #openstack-dev		21:19
*** boden has quit IRC		21:20
*** herndon_ has quit IRC		21:21
*** alop has quit IRC		21:22
*** herndon_ has joined #openstack-dev		21:24
*** tjones has quit IRC		21:24
*** alop has joined #openstack-dev		21:25
*** isd has quit IRC		21:25
*** tjones has joined #openstack-dev		21:26
*** vladikr has quit IRC		21:27
*** JordanP has quit IRC		21:30
*** chenxu has joined #openstack-dev		21:32
*** eglynn has joined #openstack-dev		21:32
*** tjones has quit IRC		21:33
*** venkatesh has quit IRC		21:33
*** bswartz has quit IRC		21:33
*** shinylasers has joined #openstack-dev		21:33
*** shinylasers has quit IRC		21:33
*** thomasm has quit IRC		21:35
*** chenxu has quit IRC		21:36
*** vipul-away is now known as vipul		21:38
*** rkukura has joined #openstack-dev		21:38
*** venkatesh has joined #openstack-dev		21:43
*** jcoufal has quit IRC		21:43
*** pixelb has joined #openstack-dev		21:44
*** eglynn has quit IRC		21:44
*** dtyarnell has quit IRC		21:47
dolphm	bknudson: i subscribed you to bug 1213106 -- did we talk about it at some point / do you run into somehow?	21:47
uvirtbot	Launchpad bug 1213106 in keystone "TypeError: an integer is required" [Undecided,New] https://launchpad.net/bugs/1213106	21:47
*** henrynash has quit IRC		21:47
bknudson	dolphm: I remember keystone got the same error reading the config value for ldap enabled mask.	21:49
*** fbo is now known as fbo_away		21:49
bknudson	this looks different	21:49
*** boris-42 has joined #openstack-dev		21:49
*** flaper87\|afk is now known as flaper87		21:51
*** sushils has quit IRC		21:51
*** davidhadas has quit IRC		21:51
*** rnirmal has joined #openstack-dev		21:52
*** topol has quit IRC		21:53
*** dkranz has quit IRC		21:56
*** jecarey has quit IRC		21:56
*** johnthetubaguy has quit IRC		21:58
*** boris-42 has quit IRC		21:59
*** bpokorny has quit IRC		22:00
*** sarob has quit IRC		22:03
*** eglynn has joined #openstack-dev		22:04
*** changbl has joined #openstack-dev		22:05
*** vkmc has joined #openstack-dev		22:05
*** gmurphy has joined #openstack-dev		22:07
*** kbringard has quit IRC		22:08
dolphm	bknudson: weird	22:11
*** dolphm has quit IRC		22:11
*** grog500 has joined #openstack-dev		22:13
*** MaxV has quit IRC		22:15
*** datsun180b has quit IRC		22:15
*** MaxV has joined #openstack-dev		22:15
*** mrda has joined #openstack-dev		22:16
*** rkukura has quit IRC		22:18
*** phschwartz is now known as phschwartz_aw		22:18
*** gmurphy is now known as gmurphy_wfh		22:19
*** gmurphy_wfh is now known as gmurphy		22:19
*** MaxV has quit IRC		22:19
*** jayg is now known as jayg\|g0n3		22:20
*** venkatesh has quit IRC		22:21
*** thedodd has quit IRC		22:21
*** neelashah has quit IRC		22:24
*** sandeepr_ltp has quit IRC		22:26
*** colinmcnamara has joined #openstack-dev		22:26
*** sarob has joined #openstack-dev		22:27
*** dropped has joined #openstack-dev		22:27
*** samuelbercovici has quit IRC		22:28
*** alunduil has joined #openstack-dev		22:30
*** MaxV has joined #openstack-dev		22:32
*** prad has quit IRC		22:33
*** avishayb has quit IRC		22:33
*** noslzzp has quit IRC		22:34
*** AlanClark has quit IRC		22:34
*** FunnyLookinHat has quit IRC		22:34
*** colinmcnamara has quit IRC		22:37
*** flaper87 is now known as flaper87\|afk		22:39
*** galstrom is now known as galstrom_zzz		22:39
*** jhesketh has joined #openstack-dev		22:40
*** colinmcnamara has joined #openstack-dev		22:40
*** rushiagr has quit IRC		22:44
*** changbl has quit IRC		22:47
*** colinmcnamara has quit IRC		22:48
*** dubsquared has quit IRC		22:48
*** changbl has joined #openstack-dev		22:48
*** rnirmal has quit IRC		22:49
*** sarob has quit IRC		22:50
*** jimfehlig has quit IRC		22:50
*** zhiyan has quit IRC		22:54
*** eglynn has quit IRC		22:54
*** bswartz has joined #openstack-dev		22:55
*** rkukura has joined #openstack-dev		22:55
*** briancurtin has quit IRC		22:57
*** sarob has joined #openstack-dev		22:58
*** rcleere has quit IRC		22:58
*** herndon_ has quit IRC		22:59
*** radsy_ has joined #openstack-dev		22:59
*** kbrierly has quit IRC		23:01
*** radsy has quit IRC		23:01
*** lbragstad has quit IRC		23:01
*** rfolco has joined #openstack-dev		23:02
*** carl_baldwin has quit IRC		23:04
*** nermina has joined #openstack-dev		23:05
*** rudrarugge has joined #openstack-dev		23:06
*** dims has quit IRC		23:06
*** vkmc has quit IRC		23:06
*** amohn9 has quit IRC		23:07
*** MaxV has quit IRC		23:08
*** stevemar has joined #openstack-dev		23:08
*** MaxV has joined #openstack-dev		23:09
*** mlavalle has quit IRC		23:09
ayoung	jamielennox, I'm afraid that, if you don't take the KDS stuff, it is going to get dropped.	23:09
*** colinmcnamara has joined #openstack-dev		23:10
*** bauzas has joined #openstack-dev		23:11
jamielennox	ayoung: because no one else is able to?	23:12
jamielennox	sorry interested	23:12
*** MaxV has quit IRC		23:13
*** dkehn has quit IRC		23:14
*** nermina has quit IRC		23:14
*** bauzas has quit IRC		23:15
*** sthaha has joined #openstack-dev		23:15
*** sthaha has quit IRC		23:15
*** sthaha has joined #openstack-dev		23:15
*** radsy_ has quit IRC		23:15
ayoung	jamielennox, well, I'll chase down Simo when he gets back, but I don't think he has the time to push it through both the API and code review	23:17
ayoung	nor the patience, really	23:17
*** bauzas has joined #openstack-dev		23:17
*** sarob_ has joined #openstack-dev		23:17
*** jhesketh has quit IRC		23:17
ayoung	jamielennox, I think it is close, and we just need to A) make sure we have the details of the API correct and B) the implementation meets the spec	23:18
*** pixelb has quit IRC		23:18
jamielennox	alright	23:18
ayoung	jamielennox, basically, its either me or you, and I trust you more than me	23:18
jamielennox	i'll have to take it that he knows what he is doing so that the API will work with what is planned upstream	23:18
jamielennox	lol, eh?	23:19
ayoung	jamielennox, we should pull in the Oslo and RPC Gurus to confirm, but yeah, it should be good	23:19
ayoung	they have been involved in the design thus far	23:19
*** MaxV has joined #openstack-dev		23:20
*** sarob has quit IRC		23:20
ayoung	jamielennox, I'll add them to the design review	23:20
jamielennox	yea, we need someone with a much better understanding of how messaging and RPC works	23:20
jamielennox	the KDS itself is not too difficult	23:21
jamielennox	well, it's fiddly	23:21
*** donaldh has quit IRC		23:21
*** venkatesh has joined #openstack-dev		23:22
jamielennox	ayoung: have you looked at this: https://review.openstack.org/#/c/46771/	23:22
*** edmund has quit IRC		23:22
ayoung	jamielennox, have not looked at it.	23:23
jamielennox	maybe i've been doing too much crypto and took 'key' wrong	23:23
*** dims has joined #openstack-dev		23:24
ayoung	we made a mistake in ever doing authentication inside the API	23:24
*** venkatesh has quit IRC		23:24
jamielennox	oh?	23:24
ayoung	it really should be limited by what HTTP supports	23:24
ayoung	auth data does not belong in the payload	23:24
jamielennox	that's very restricting	23:25
ayoung	Exactly	23:25
ayoung	I mean, why did they put userid and password into the post request instead of just using basic-auth?	23:25
*** tmclaugh[work] has quit IRC		23:26
jamielennox	cause people run scared when you say basic-auth?	23:26
*** MaxV has quit IRC		23:26
ayoung	Ha	23:27
*** MaxV has joined #openstack-dev		23:27
jamielennox	have you used AWS AccessKeys?	23:28
jamielennox	^^ open question	23:28
uvirtbot	jamielennox: Error: "^" is not a valid command.	23:28
ayoung	jamielennox, so...the fund here today was with Kerberos.	23:28
ayoung	fun	23:28
ayoung	we were trying to deal with the internal/external thing with ip addresses	23:28
ayoung	if you tell the SSH server to not be strcit on GSSAPI host verification, you can get a very flexible solution	23:29
*** mkollaro has quit IRC		23:29
ayoung	basically, it will respond to any request that has a ticket that it can decrypt	23:29
jamielennox	nice for testing, not really a solution	23:29
ayoung	nah..it is a solution	23:30
ayoung	it means that you can have a host record on the internal IP and create an A record on the external. You need to tell the LDAP server that both are valid principal and then it works	23:30
*** MaxV has quit IRC		23:31
*** jhesketh has joined #openstack-dev		23:31
ayoung	since the external A record referes to an IP address that the host never knows about, I don't think you can do any better...ideally, yeah, the server would have a list of valid hostnames, but right now the choice is between "matches the FQDN" and "any valid key"	23:32
ayoung	The thing is, the SSH key mechanism doesn't even check the host name, so its at least as secure as the default	23:32
jamielennox	because ssh keys have nothing to do with hosts	23:33
ayoung	probably still moreso, as the key needs to be valid to the ssh server.	23:33
ayoung	jamielennox, and, really, neither do Kerberos principals, when you get down to it. Its just an association based on a string match, really	23:33
jamielennox	that is a statement i don't know enough about kerberos to get around	23:34
ayoung	I mean, the request needs to have a valid principal in it, and the host needs to recognize that principal: they have to be in the /etc/krb5/keytab	23:34
jamielennox	i was under the impression you should be able to use a principal much like a CN	23:34
ayoung	so it is not really much more different than saying "these are the hostnames we respond to"	23:35
ayoung	jamielennox, I think it is morel ike a mnemonic, or a clear way of keeping track. Converiting things like usernames or hostnames to principals happens based on convention.	23:36
ayoung	So, what we had to do is an ldapmodify to the host entry adding an additional princiapl. It like adding a nickname to a wanted poster	23:36
*** rkukura has quit IRC		23:36
ayoung	anyway...I'm still a little stuck on the auto provisioning of IPA hosts. I think I need a hook in Nova that doesn't exist: "perform this custom action and create a file that you inject prior to creating the VM"	23:38
ayoung	I don't want to do anything IPA specific in nova, but I suspect that custom workflow upon VM creation is a pretty common request.	23:38
jamielennox	how do you inject a file prior to creating a VM	23:38
ayoung	jamielennox, there is hard coded logic in the Hyoervuisor specific drivers. I was looking at the libvirt driver that uses guestfish top put the ssh keys on the host	23:39
jamielennox	so you're looking for a way to abstract out "install user credentials on vm", such that installing ssh and setting up IPA can be done	23:41
*** jd__ has quit IRC		23:42
ayoung	jamielennox, I hadn't thought it in those terms, but that is not a bad phrasing	23:42
*** yaguang has joined #openstack-dev		23:42
jamielennox	well if installing ssh keys is hard coded it seems like a good aproach as you can say - maybe i don't want ssh keys but a keytab installed for ssh instead	23:43
jamielennox	once there is that abstraction you can do all sorts of things	23:44
*** jd__ has joined #openstack-dev		23:44
*** MaxV has joined #openstack-dev		23:44
ayoung	jamielennox, yeah.	23:44
ayoung	In my case, I want an OTP for registering the instance with IPA	23:44
ayoung	the ting is, I really want to minimmze who knows that OTP	23:45
*** sarob has joined #openstack-dev		23:45
ayoung	Ideally, Nova would generate it, put it in the vm ,and then kick off the ipa host creation	23:45
ayoung	ok, I'm at the office and need to head home.	23:45
jamielennox	no worries - i'll try to have a look at KDS today	23:46
ayoung	appreciate it	23:46
*** ayoung has quit IRC		23:46
*** sarob_ has quit IRC		23:49
jamielennox	dtroyer: ping	23:49
*** markwash has quit IRC		23:52
dtroyer	jamielennox: yo	23:54
jamielennox	dtroyer: i've been meaning to catch you all week, i'm looking to get https://review.openstack.org/#/c/47076/ fixed up	23:54
jamielennox	it's failing grenade, but from reading the log i can't see how it's ever supposed to work	23:55
*** dkehn has joined #openstack-dev		23:55
dtroyer	jamielennox: ah, right… I think things are finally calmed down enough to get real work done now	23:55
jamielennox	yea, i figured rc1 wasn't a great time to try and get things like this fixed	23:56
dtroyer	the gate issues didn't help either	23:56
jamielennox	yea, it's been bad	23:56
*** jhesketh has quit IRC		23:56
dtroyer	frankly, this should be a no-op for grenade…looking at the last log now	23:56
jamielennox	right, so the way i'm reading it grenade checks out devstack from master	23:57
*** jhesketh has joined #openstack-dev		23:57
jamielennox	however the change is a devstack change and it's somehow mashing them together (that's not a very clear description - i think i understood it a bit better when i was looking last week)	23:57
*** jcoufal has joined #openstack-dev		23:58

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!