| *** wchrisj has joined #openstack-keystone | 00:11 | |
| *** stevemar has joined #openstack-keystone | 00:11 | |
| *** RockKuo has joined #openstack-keystone | 00:17 | |
| openstackgerrit | Brant Knudson proposed a change to openstack/keystone: Configurable token hash algorithm https://review.openstack.org/80401 | 00:19 |
|---|---|---|
| *** mfisch has quit IRC | 00:20 | |
| openstackgerrit | Brant Knudson proposed a change to openstack/keystone: Configurable token hash algorithm https://review.openstack.org/80401 | 00:27 |
| *** mfisch has joined #openstack-keystone | 00:29 | |
| *** mfisch has joined #openstack-keystone | 00:29 | |
| *** stevemar has quit IRC | 00:30 | |
| ayoung | bknudson, is mode an option on cms already? | 00:30 |
| bknudson | ayoung: it just merged. | 00:30 |
| ayoung | and, if so, when did that happen | 00:30 |
| ayoung | ah | 00:30 |
| bknudson | ayoung: I hope that keystone tests will fail... unless it uses master. | 00:31 |
| ayoung | ? | 00:31 |
| ayoung | *will* fail? | 00:31 |
| bknudson | ayoung: I would expect the tests to fail until a new release of keystoneclient... maybe it won't | 00:32 |
| ayoung | ah...so lets see... | 00:32 |
| bknudson | ayoung: I'll mark the keystone change as WIP -- we don't want that to merge until the keystoneclient release. | 00:32 |
| ayoung | ++ | 00:33 |
| ayoung | looks good, though | 00:33 |
| bknudson | ayoung: yes, dolphm's idea makes it easier. | 00:33 |
| bknudson | and also works better. | 00:34 |
| ayoung | I like the sequence....hash support in the client, server support optional, next up I assume is your support for both hash versions in the client? Do you want that in before we release a new offcial version? | 00:34 |
| bknudson | ayoung: actually, I just split out the hash support in the client because it wasn't changing and made the other changes easier. | 00:34 |
| ayoung | ++ | 00:35 |
| bknudson | I was starting over with the client changes a lot | 00:35 |
| *** mfisch has quit IRC | 00:35 | |
| bknudson | ayoung: https://review.openstack.org/#/c/80398/ are the changes for the client to check multiple hashes. | 00:36 |
| *** mfisch has joined #openstack-keystone | 00:36 | |
| *** mfisch has joined #openstack-keystone | 00:36 | |
| ayoung | bknudson, I hope to make this whole thing Moot with Ephemeral, but this is a good risk mitigation effort. I assume you will be backporting this to Icehouse for inhouse use? | 00:36 |
| bknudson | ayoung: please, do. | 00:36 |
| ayoung | I need to get back to revocation events in the client | 00:36 |
| ayoung | task for tomorrow | 00:36 |
| bknudson | ayoung: yes, we'll have this backported to our product | 00:36 |
| bknudson | not sure if anyone will use it but it'll allow us to check the box. | 00:37 |
| *** marcoemorais has quit IRC | 00:37 | |
| bknudson | but I don't think we're the only ones interested either. It'll be out there for anyone. | 00:38 |
| *** derek_c has quit IRC | 00:45 | |
| bknudson | dstanek: you had a -1 on https://review.openstack.org/#/c/84389/ -- want to take another look? | 00:57 |
| *** derek_c has joined #openstack-keystone | 00:58 | |
| *** derek_c has quit IRC | 01:06 | |
| openstackgerrit | ayoung proposed a change to openstack/python-keystoneclient: revoke events https://review.openstack.org/81166 | 01:07 |
| *** wchrisj has quit IRC | 01:08 | |
| *** richm has quit IRC | 01:12 | |
| openstackgerrit | ayoung proposed a change to openstack/python-keystoneclient: Example Initialization scripts https://review.openstack.org/82687 | 01:13 |
| openstackgerrit | ayoung proposed a change to openstack/python-keystoneclient: revoke events https://review.openstack.org/81166 | 01:13 |
| ayoung | and with that....goodnith | 01:13 |
| ayoung | good night | 01:13 |
| *** ayoung is now known as ayoung-ZZzz_ | 01:13 | |
| lbragstad | bknudson: I'm still good with https://review.openstack.org/#/c/84389/ too, I'm thinking a topic should be purposed for talking about the jsonschema implementation? | 01:14 |
| lbragstad | for the Keystone meeting? | 01:14 |
| lbragstad | according to marekd|away 's comment | 01:15 |
| bknudson | lbragstad: not sure how useful it is to talk about it if nobody's going to work on it. | 01:16 |
| lbragstad | I have something that is *very* rough | 01:16 |
| lbragstad | stored away on a local branch | 01:16 |
| lbragstad | bknudson: it was a lot of what Nova already had as a validator, but I just wanted to give it a shot in Keystone to see if it would work | 01:18 |
| lbragstad | it does, but it still needs some work | 01:18 |
| *** dims has joined #openstack-keystone | 01:19 | |
| *** jamielennox has quit IRC | 01:23 | |
| *** bknudson has quit IRC | 01:23 | |
| *** jamielennox has joined #openstack-keystone | 01:24 | |
| *** bknudson has joined #openstack-keystone | 01:25 | |
| openstackgerrit | Lance Bragstad proposed a change to openstack/keystone: Initial implementation of validator https://review.openstack.org/86483 | 01:30 |
| openstackgerrit | Lance Bragstad proposed a change to openstack/keystone: Implement validation on projects https://review.openstack.org/86484 | 01:30 |
| openstackgerrit | Nathan Kinder proposed a change to openstack/keystone: Treat LDAP attribute names as case-insensitive https://review.openstack.org/86486 | 01:38 |
| nkinder | anyone around for a unit test question? | 01:38 |
| morganfainberg | nkinder, whats up? | 01:40 |
| nkinder | morganfainberg: This is related to my fix for https://review.openstack.org/86486 | 01:41 |
| nkinder | I need to add a test where the LDAP implementation (fakeldap in this case) will return an attribute name with an unexpected case (like "cN") | 01:41 |
| nkinder | I suppose that is going to require me to tweak something in fakeldap itself? | 01:42 |
| morganfainberg | nkinder, hm. you could use mock.patch if you wanted to not need to screw up fakeldap too much | 01:42 |
| morganfainberg | nkinder, otherwise yeah, you'd need to tweak fakeldap to return something odd. | 01:43 |
| openstackgerrit | Nathan Kinder proposed a change to openstack/keystone: Treat LDAP attribute names as case-insensitive https://review.openstack.org/86486 | 01:44 |
| morganfainberg | s/odd/mixedup case | 01:44 |
| *** derek_c has joined #openstack-keystone | 01:44 | |
| morganfainberg | nkinder, you're looking for an end-to-end test (e.g. inline with other stuff) or contrived unit test of that method | 01:45 |
| nkinder | morganfainberg: well, I'd like to do something like get a user and ensure it has all of the expected values, even though LDAP returned the LDAP attribute names in some unexpected case. | 01:45 |
| morganfainberg | nkinder, you probably could get away with circumventing the fakeldap stuff altogether and just test that method with a mock.patch | 01:45 |
| *** sudorandom has quit IRC | 01:46 | |
| nkinder | morganfainberg: would that still exercise _ldap_res_to_model() with the mock.patch approach? | 01:46 |
| morganfainberg | nkinder, let me take a closer look, sec | 01:46 |
| *** sudorandom has joined #openstack-keystone | 01:48 | |
| nkinder | morganfainberg: I'm completely unfamiliar with mock.patch too, so I need to look closer myself. :P | 01:49 |
| morganfainberg | nkinder, if you did something (mock.patch) to replace the ._ldap_get method on BaseLdap to return the format you want, you then call .get() and it exercises _ldap_res_to_model | 01:49 |
| morganfainberg | basically mock.patch lets you replace a method and inspect the call on that method and / or control the explicit return value | 01:49 |
| nkinder | morganfainberg: I see. So I can just return whatever object I want to fake it out | 01:50 |
| morganfainberg | nkinder, exactly | 01:50 |
| nkinder | morganfainberg: so take this example... | 01:50 |
| nkinder | @mock.patch.object(common_ldap_core.KeystoneLDAPHandler, 'connect') | 01:51 |
| nkinder | def test_chase_referrals_on(self, mocked_fakeldap): | 01:51 |
| nkinder | mocked_fakeldap is my method, and that overrides connect()? | 01:52 |
| *** derek_c has quit IRC | 01:52 | |
| morganfainberg | you could do that. | 01:52 |
| morganfainberg | you could also do it as a context manager | 01:53 |
| morganfainberg | and you can do https://github.com/openstack/keystone/blob/master/keystone/tests/test_revoke.py#L153 | 01:53 |
| morganfainberg | <mocked_method_reference>.return_value = <value to be returned> | 01:53 |
| morganfainberg | if you want | 01:53 |
| morganfainberg | or if you like the decorator, you could pass the return value in as the return_value kwarg to the decorator | 01:54 |
| morganfainberg | nkinder, and yes, mocked_fakeldap is the method that is overriding connect | 01:54 |
| nkinder | I see. So set mock_foo.return_value before whatever call will actually invoke the method I'm mocking? | 01:54 |
| morganfainberg | nkinder, doesn't invoke the method, it statically assigns the return value | 01:55 |
| morganfainberg | so mock_foo() will now return that value no matter what | 01:55 |
| nkinder | I meant the caller. | 01:55 |
| morganfainberg | nkinder, oh yes | 01:56 |
| nkinder | So it _ldap_res_to_model() calls _ldap_get(), I can create mock_ldap_get and set it's return value | 01:56 |
| morganfainberg | nkinder, sorry misread that | 01:56 |
| nkinder | I'll give it a shot. Thanks for the help! | 01:56 |
| morganfainberg | yep. exactly | 01:56 |
| morganfainberg | nkinder, sure thing | 01:56 |
| nkinder | my python newb-ness is showing... | 01:56 |
| openstackgerrit | song (bruce) zhang proposed a change to openstack/keystone: replace word 'by' with 'be' https://review.openstack.org/86246 | 01:57 |
| morganfainberg | nkinder, phsaw, you're asking better questions than most python newbs (most wouldn't know to ask how to mock things out) | 01:57 |
| morganfainberg | nkinder, most seasoned developers get heachaches with mock and mox etc and unit tests | 01:57 |
| morganfainberg | nkinder, so.. nah not a newb ;) | 01:57 |
| nkinder | I'm used to plain C mostly | 01:57 |
| morganfainberg | nkinder, i kinda miss type-safely | 01:58 |
| morganfainberg | safety* | 01:58 |
| morganfainberg | and real polymorphism | 01:58 |
| morganfainberg | it's kindof like i want something between python, c, c++, and java... then i feel dirty thinking about it :P | 01:59 |
| *** mberlin has quit IRC | 02:06 | |
| *** Gue______ has joined #openstack-keystone | 02:11 | |
| *** derek_c has joined #openstack-keystone | 02:13 | |
| *** browne has joined #openstack-keystone | 02:14 | |
| *** xuhaiwei_ has joined #openstack-keystone | 02:15 | |
| xuhaiwei_ | hi | 02:16 |
| xuhaiwei_ | how to use v3 API? It seems --os-identity-api-version doesn't work | 02:17 |
| *** amcrn has quit IRC | 02:17 | |
| *** mberlin has joined #openstack-keystone | 02:22 | |
| xuhaiwei_ | @dolphm: could you answer my question? | 02:28 |
| nkinder | morganfainberg: the mock.patch approach worked great! Thanks again for the tips! | 02:35 |
| morganfainberg | nkinder, np happy to help! | 02:35 |
| *** stevemar has joined #openstack-keystone | 02:36 | |
| *** harlowja is now known as harlowja_away | 02:39 | |
| *** harlowja_away is now known as harlowja | 02:39 | |
| xuhaiwei_ | can v3 api be used now? | 02:40 |
| xuhaiwei_ | can anyone answer this? | 02:40 |
| *** xuhaiwei_ has quit IRC | 02:44 | |
| *** david-lyle has joined #openstack-keystone | 02:56 | |
| *** wchrisj has joined #openstack-keystone | 02:58 | |
| openstackgerrit | Nathan Kinder proposed a change to openstack/keystone: Treat LDAP attribute names as case-insensitive https://review.openstack.org/86486 | 02:59 |
| *** wchrisj has quit IRC | 03:02 | |
| *** Gue______ has quit IRC | 03:04 | |
| *** topol has joined #openstack-keystone | 03:10 | |
| dstanek | bknudson: i'll take a second look | 03:21 |
| *** stevemar has quit IRC | 03:25 | |
| *** wchrisj has joined #openstack-keystone | 03:42 | |
| *** wchrisj has quit IRC | 03:46 | |
| *** wchrisj has joined #openstack-keystone | 03:51 | |
| *** wchrisj has quit IRC | 04:06 | |
| *** chandan_kumar_ has joined #openstack-keystone | 04:14 | |
| *** chandan_kumar_ has quit IRC | 04:21 | |
| *** zhiyan_ is now known as zhiyan | 04:22 | |
| *** marcoemorais has joined #openstack-keystone | 04:22 | |
| *** wchrisj has joined #openstack-keystone | 04:29 | |
| *** chandan_kumar_ has joined #openstack-keystone | 04:36 | |
| *** gyee has quit IRC | 04:47 | |
| *** wchrisj has quit IRC | 04:57 | |
| *** harlowja is now known as harlowja_away | 05:10 | |
| *** ilives has joined #openstack-keystone | 05:19 | |
| *** ilives has quit IRC | 05:25 | |
| openstackgerrit | A change was merged to openstack/keystone: List all forbidden attributes in the request body. https://review.openstack.org/84389 | 05:25 |
| *** ilives has joined #openstack-keystone | 05:25 | |
| *** chandan_kumar_ has quit IRC | 05:31 | |
| *** topol has quit IRC | 05:38 | |
| *** ilives has quit IRC | 05:47 | |
| *** ilives has joined #openstack-keystone | 05:47 | |
| *** ilives has quit IRC | 05:49 | |
| *** ilives has joined #openstack-keystone | 05:53 | |
| openstackgerrit | Jenkins proposed a change to openstack/keystone: Imported Translations from Transifex https://review.openstack.org/83955 | 06:01 |
| *** ilives has quit IRC | 06:08 | |
| *** jamielennox is now known as jamielennox|away | 06:24 | |
| *** derek_c has quit IRC | 06:28 | |
| *** jaosorior has joined #openstack-keystone | 06:30 | |
| *** chandan_kumar has joined #openstack-keystone | 06:38 | |
| *** tomoiaga has joined #openstack-keystone | 06:39 | |
| *** ilives has joined #openstack-keystone | 06:55 | |
| *** dims has quit IRC | 06:58 | |
| ilives | Dear stackers, does the keystone has the same authorization as the the AWS IAM?thanks! | 06:59 |
| *** derek_c has joined #openstack-keystone | 07:05 | |
| *** ilives has quit IRC | 07:06 | |
| *** ilives has joined #openstack-keystone | 07:07 | |
| *** dims has joined #openstack-keystone | 07:10 | |
| *** ukalifon1 has joined #openstack-keystone | 07:19 | |
| *** zigo has quit IRC | 07:29 | |
| *** arborism has joined #openstack-keystone | 07:40 | |
| *** arborism is now known as amcrn | 07:40 | |
| tomoiaga | Is there a way to login as a normal user without knowing the user password but having all the admin details ? | 07:50 |
| *** marekd|away is now known as marekd | 07:57 | |
| *** derek_c has quit IRC | 08:10 | |
| *** marcoemorais has quit IRC | 08:10 | |
| *** andreaf has joined #openstack-keystone | 08:12 | |
| *** leseb has joined #openstack-keystone | 08:17 | |
| *** zigo has joined #openstack-keystone | 08:23 | |
| openstackgerrit | Sergey Nikitin proposed a change to openstack/keystone: Code which get elements of tree in ldap moved to one common method https://review.openstack.org/86302 | 08:31 |
| *** inc0 has joined #openstack-keystone | 08:42 | |
| inc0 | hello, I have problem with keystone/dashboard. On my production env in admin dashboard I have Identity Panel in menu and it has Groups, Domains etc in submenu. On devstack on the other hand I have only projects and users in identity panel. I'm trying to find config which adds these views, but I have no luck so far. Could you please tell me what defines it? | 08:44 |
| *** morganfainberg is now known as morganfainberg_Z | 09:03 | |
| *** david-lyle has quit IRC | 09:16 | |
| *** ilives has quit IRC | 09:18 | |
| *** ilives has joined #openstack-keystone | 09:19 | |
| *** andreaf has quit IRC | 09:22 | |
| openstackgerrit | Li Ma proposed a change to openstack/keystone: Password trunction makes password insecure https://review.openstack.org/77325 | 09:33 |
| *** marcoemorais has joined #openstack-keystone | 09:38 | |
| *** zhiyan is now known as zhiyan_ | 09:39 | |
| *** marcoemorais has quit IRC | 09:43 | |
| *** topol has joined #openstack-keystone | 10:14 | |
| *** topol_ has joined #openstack-keystone | 10:16 | |
| *** ilives has quit IRC | 10:16 | |
| *** ilives has joined #openstack-keystone | 10:17 | |
| *** topol has quit IRC | 10:18 | |
| *** topol_ is now known as topol | 10:18 | |
| *** marcoemorais has joined #openstack-keystone | 10:39 | |
| *** zhiyan_ is now known as zhiyan | 10:41 | |
| *** marcoemorais has quit IRC | 10:43 | |
| *** andreaf has joined #openstack-keystone | 10:50 | |
| *** RockKuo has quit IRC | 11:15 | |
| openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Sync test_migrations https://review.openstack.org/80618 | 11:36 |
| openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Redundant unique constraint https://review.openstack.org/84447 | 11:36 |
| openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Corresponding `nullable` value. https://review.openstack.org/84446 | 11:36 |
| openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Compatible server default value in the models. https://review.openstack.org/84445 | 11:36 |
| openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Explicit foreign key indexes. https://review.openstack.org/84444 | 11:36 |
| openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Make it possible to use multiprocess file locks https://review.openstack.org/84448 | 11:36 |
| openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Comparision of database models and migrations. https://review.openstack.org/80630 | 11:36 |
| *** marcoemorais has joined #openstack-keystone | 11:42 | |
| *** dims has quit IRC | 11:42 | |
| *** marcoemorais1 has joined #openstack-keystone | 11:44 | |
| *** marcoemorais has quit IRC | 11:47 | |
| *** marcoemorais1 has quit IRC | 11:48 | |
| dolphm | marekd: "reverify no bug" isn't a thing anymore, you have to cite a bug | 12:03 |
| marekd | dolphm: ok, thanks. | 12:10 |
| openstackgerrit | Marek Denis proposed a change to openstack/python-keystoneclient: Add CRUD operations for Federated Protocols. https://review.openstack.org/83829 | 12:25 |
| *** dims has joined #openstack-keystone | 12:35 | |
| *** marcoemorais has joined #openstack-keystone | 12:45 | |
| *** marcoemorais has quit IRC | 12:49 | |
| openstackgerrit | Sergey Nikitin proposed a change to openstack/keystone: Code which gets elements of tree and deletes them was moved to one method https://review.openstack.org/86578 | 12:49 |
| *** topol has quit IRC | 13:02 | |
| *** nkinder has quit IRC | 13:05 | |
| *** tomoiaga has left #openstack-keystone | 13:07 | |
| ayoung-ZZzz_ | ilives, no idea. Never used Amazon. | 13:20 |
| ilives | Thanks Adam.Currently the keystone do the authorization with the help of the other serivces's policy.json , there is no centralized way in keystone to do authorization for other servcies , is that correct?thanks! | 13:24 |
| *** kun_huang has joined #openstack-keystone | 13:27 | |
| ilives | As for AWS IAM , it provides a centralized identity and authorization serivce for all the AWS services by RBAC, will the keystone do the same in a future?thanks!:) | 13:31 |
| *** wchrisj has joined #openstack-keystone | 13:34 | |
| openstackgerrit | Marek Denis proposed a change to openstack/python-keystoneclient: Add CRUD operations for Federated Protocols. https://review.openstack.org/83829 | 13:36 |
| openstackgerrit | Sergey Nikitin proposed a change to openstack/keystone: Code which gets and deletes elements of tree was moved to one method https://review.openstack.org/86578 | 13:39 |
| *** stevemar has joined #openstack-keystone | 13:41 | |
| *** wchrisj has quit IRC | 13:41 | |
| *** wchrisj has joined #openstack-keystone | 13:44 | |
| *** marcoemorais has joined #openstack-keystone | 13:45 | |
| stevemar | marekd, fyi `reverify no bug` doesn't do anything, you can only use `no bug` on rechecks :) | 13:45 |
| *** wchrisj has quit IRC | 13:46 | |
| *** topol has joined #openstack-keystone | 13:46 | |
| marekd | stevemar: yep, dolph already enlightened me :-) | 13:46 |
| stevemar | marekd, ah okay! cool | 13:47 |
| marekd | stevemar: but thanks for being on watch! :D | 13:47 |
| stevemar | np at all | 13:47 |
| *** marcoemorais has quit IRC | 13:50 | |
| *** saju_m has joined #openstack-keystone | 13:50 | |
| marekd | stevemar: what lines like that one actually do? | 13:54 |
| marekd | stevemar: https://github.com/openstack/python-openstackclient/blob/master/setup.cfg#L164 | 13:54 |
| marekd | stevemar: some indication: "this is for APIv3" ? | 13:55 |
| stevemar | marekd, basically, yes | 13:55 |
| stevemar | marekd, if you have OS_IDENTITY_API, as an env. var, set to 3, it'll use those values | 13:56 |
| stevemar | if you have it set to 2, or not set (it defaults to 2), you get the ones at line 125 | 13:56 |
| marekd | stevemar: ok | 13:56 |
| dolphm | ilives: what about centralized authorization are you interested in? what's the advantage you're looking for? | 13:57 |
| stevemar | marekd, if you tried to issue a v3 command, when OS_IDENTITY_API is set to 2, it would respond in an error | 13:57 |
| marekd | stevemar: so when I have something like domain_create = openstackclient.identity.v3.domain:CreateDomain it means that the command domain_create is added and one can call now $ openstack domain_add ? | 13:57 |
| marekd | stevemar: i guess not. | 13:57 |
| *** nkinder has joined #openstack-keystone | 13:58 | |
| stevemar | marekd, you were right until the last part, it would be $ openstack domain create | 13:58 |
| marekd | stevemar: ok, so there is a magic splitting somewhere in between | 13:58 |
| stevemar | marekd, yep | 13:58 |
| marekd | stevemar: what if want to add commands like identity_provider {add,delete,list,show,...} ? | 13:59 |
| marekd | i should go ahead and so sth like identity_provider_add, identity_provider_delete and so on? | 13:59 |
| openstackgerrit | Lance Bragstad proposed a change to openstack/keystone: Templated v3 catalog https://review.openstack.org/70630 | 13:59 |
| stevemar | then add_identity_provider = ... | 13:59 |
| marekd | stevemar: why the other way round? | 14:00 |
| stevemar | add != create | 14:00 |
| stevemar | in OSC, add is reserved for adding one entity to another | 14:01 |
| lbragstad | dolphm: addressed your comments ^ | 14:01 |
| marekd | stevemar: good to know, however this was not my point. You can s/add/create and I think my question stays? :-) | 14:02 |
| marekd | stevemar: I can suspect the algorithm will always split on the last '_' and the first parts is an object/section (identity_provider) and the second the action (create, delete, update) ? | 14:02 |
| *** G________ has joined #openstack-keystone | 14:02 | |
| stevemar | marekd, ohh you are worried about the underscores | 14:03 |
| marekd | yes | 14:03 |
| stevemar | marekd, all the _'s are turned to spaces | 14:03 |
| stevemar | https://github.com/openstack/python-openstackclient/blob/master/setup.cfg#L126 | 14:03 |
| stevemar | that line is issued with $ openstack ec2 credentials create <args> | 14:04 |
| *** diegows has joined #openstack-keystone | 14:04 | |
| stevemar | https://wiki.openstack.org/wiki/OpenStackClient/Commands#Actions | 14:05 |
| stevemar | marekd, openstack [<global-options>] <object-1> <action> [<object-2>] [<command-arguments>] | 14:05 |
| stevemar | where the arguments in [] are optional | 14:05 |
| openstackgerrit | A change was merged to openstack/keystone: replace word 'by' with 'be' https://review.openstack.org/86246 | 14:06 |
| openstackgerrit | A change was merged to openstack/python-keystoneclient: Add CRUD operations for Identity Providers. https://review.openstack.org/83337 | 14:08 |
| *** ukalifon1 has quit IRC | 14:12 | |
| ilives | @dolphm, keystone will be the real authentication and authorization service in the cloud, here is a sample scenario correct me if i am wrong, the keystone admin or cloud admin defines a role in keystone which can do what actions on which openstack services, just like AWS IAM do. | 14:12 |
| *** thiagop has quit IRC | 14:13 | |
| ilives | curretly keystone will use the policy.json in each services to do authorization and this policy file cannot be modified in horizon dashboard if we add another new role which is not defined in the policy file. | 14:15 |
| ilives | the cloud admin would be happy to use dashboard to do role based acess control for the tenant or users in the cloud, and to achieve this the keystone should be provide api to let the cloud admin do the authorization.that is my humble opinion.thanks! | 14:19 |
| *** ukalifon has joined #openstack-keystone | 14:24 | |
| *** wchrisj has joined #openstack-keystone | 14:27 | |
| *** jaosorior has quit IRC | 14:30 | |
| *** G________ has quit IRC | 14:32 | |
| *** raildo has joined #openstack-keystone | 14:33 | |
| raildo | anyone knows any method that returns true/false if a role is inheritable? | 14:40 |
| *** chandan_kumar has quit IRC | 14:47 | |
| *** ilives has quit IRC | 14:47 | |
| *** ilives has joined #openstack-keystone | 14:48 | |
| ayoung-ZZzz_ | stevemar, are you sure that list doesn't exist in services?: https://review.openstack.org/#/c/82687/8/examples/scripts/initialize_keystone.py | 14:51 |
| stevemar | ayoung-ZZzz_, i don't see it here: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/v3/services.py#L34 | 14:53 |
| *** thedodd has joined #openstack-keystone | 14:53 | |
| *** Guest_ has joined #openstack-keystone | 15:00 | |
| *** Guest_ has quit IRC | 15:00 | |
| *** thedodd has quit IRC | 15:00 | |
| *** thedodd has joined #openstack-keystone | 15:01 | |
| *** saju_m has quit IRC | 15:05 | |
| *** inc0 has quit IRC | 15:14 | |
| dstanek | ayoung-ZZzz_: create bug #1305950 regarding the first of several problems i'm having running tests against real databases | 15:19 |
| uvirtbot | Launchpad bug 1305950 in keystone "Inconsistency with handling of unique constraints" [Undecided,New] https://launchpad.net/bugs/1305950 | 15:19 |
| *** ayoung-ZZzz_ is now known as ayoung | 15:23 | |
| ayoung | stevemar, Ill test, but I thought I had that working | 15:25 |
| *** wchrisj has quit IRC | 15:37 | |
| *** wchrisj has joined #openstack-keystone | 15:41 | |
| *** browne has joined #openstack-keystone | 15:42 | |
| *** ukalifon has quit IRC | 15:55 | |
| afaranha | Does anybody knows how can I create a keystoneclient in a fake environment? I implemented a nova API that uses keystoneclient to check users and projects. I need a test environment where I can create users and projects, and that the keystoneclient in nova API access these datas. Thank you | 15:55 |
| *** wchrisj has quit IRC | 16:03 | |
| *** wchrisj has joined #openstack-keystone | 16:08 | |
| *** marcoemorais has joined #openstack-keystone | 16:11 | |
| stevemar | ayoung, get any results back? | 16:13 |
| ayoung | haven't context shifted back yet. | 16:13 |
| *** marcoemorais has quit IRC | 16:15 | |
| afaranha | ayoung: About yesterday, It works to create a v3 keystoneclient, but I needed to replace the "v2.0" in the url, by "v3" (string replace http://10.1.0.32:5000/v2.0 to http://10.1.0.32:5000/v3), only cutting off the v2.0 didn't work. But after all it worked, thank you :) | 16:15 |
| ayoung | afaranha, glad to hear it. | 16:15 |
| ayoung | afaranha, discovery should have worked (determining the v3 was missing), but maybe I misunderstood how you were calling it. Nice to know. | 16:16 |
| raildo | ayoung: Do you know any method that returns true/false if a role is inheritable? | 16:18 |
| ayoung | raildo, nope | 16:18 |
| afaranha | ayoung: I tried with discory in the begging, but now that you recommended me to just cutting off the "v2.0" I didn't try. I'll see if its work now | 16:18 |
| ayoung | raildo, doesn't mean it doesn't exist, just I don't know off the top of my head | 16:18 |
| ayoung | afaranha, yeah, discovery assumes you are starting above the versions, so /v3 would mess it up, as would /v2.0 | 16:19 |
| raildo | ok | 16:19 |
| raildo | ayoung: thanks | 16:19 |
| *** marcoemorais has joined #openstack-keystone | 16:22 | |
| *** browne has quit IRC | 16:24 | |
| *** david-lyle has joined #openstack-keystone | 16:26 | |
| *** gyee has joined #openstack-keystone | 16:34 | |
| *** david_lyle_ has joined #openstack-keystone | 16:37 | |
| afaranha | ayoung: No, It didn't work with discovery, it's really strange because it uses exactly the same Client(V3) but only without the version in the url... Anyway, do you have any links that helps me to create tests for it? I need to add users and projects in a fake environment and be able to retrieve those in the nova API. | 16:37 |
| *** dklyle has joined #openstack-keystone | 16:38 | |
| ayoung | afaranha, yep | 16:38 |
| ayoung | https://review.openstack.org/#/c/82687/ | 16:38 |
| *** leseb has quit IRC | 16:39 | |
| afaranha | thanks | 16:39 |
| *** david-lyle has quit IRC | 16:40 | |
| nkinder | ayoung: I got to the bottom of that LDAP case-sensitivity bug - https://review.openstack.org/#/c/86486/ | 16:40 |
| *** david-lyle has joined #openstack-keystone | 16:40 | |
| ayoung | nkinder, looking | 16:41 |
| *** david_lyle_ has quit IRC | 16:41 | |
| *** david_lyle_ has joined #openstack-keystone | 16:41 | |
| ayoung | nkinder, that is against master, but I assume it is backportable, although it will need to work around jdennis' refactoring | 16:42 |
| ayoung | nkinder, is using 'string' the right python33 way? | 16:42 |
| *** dklyle has quit IRC | 16:43 | |
| nkinder | ayoung: correct. I think it's backport worthy, as we know that AD doesn't return case as expected | 16:43 |
| nkinder | ayoung: possibly not right for python33... good point | 16:43 |
| nkinder | I'd ask jdennis if he wasn't on vacation | 16:43 |
| ayoung | bknudson, dstanek do we need a six specific way to do lowercase? https://review.openstack.org/#/c/86486/ | 16:44 |
| *** david-lyle has quit IRC | 16:45 | |
| dstanek | ayoung: not really, but i don't think that code will work in py3 | 16:46 |
| *** marekd is now known as marekd|away | 16:46 | |
| dstanek | the string module usually shouldn't be used for things in py2 anyway and lower was removed | 16:46 |
| dstanek | i'll comment with an alternate solution | 16:47 |
| *** andreaf has quit IRC | 16:48 | |
| *** saju_m has joined #openstack-keystone | 16:48 | |
| dstanek | ayoung: just commented; the code was creating two separate lists and then combining back together :-( so i countered with a generator driver version | 16:52 |
| nkinder | dstanek, ayoung: it doesn't wotk in py3. It needs to use str.lower() instead of string.lower(). | 16:53 |
| nkinder | dstanek: or your other approach (which I'm about to read) | 16:54 |
| dstanek | nkinder: i'm using str.lower, but since you were using the key and values from a single dict, i was able to use a generator | 16:56 |
| ayoung | can't you use the lower method on the object | 16:57 |
| dstanek | ayoung: ? it's not a string object? | 16:58 |
| ayoung | ah, yeah, that is what you are doing... | 16:58 |
| ayoung | k.lower() | 16:58 |
| *** david_lyle_ has quit IRC | 16:58 | |
| ayoung | ah, type safety, how I miss thee... | 16:59 |
| nkinder | dstanek: That approach works nicely. New patch coming once the tests finish running. | 17:04 |
| dstanek | nkinder: i forgot to comment about removing the import | 17:05 |
| *** wchrisj has quit IRC | 17:06 | |
| *** harlowja_away is now known as harlowja | 17:07 | |
| nkinder | dstanek: yeah, I got that already | 17:08 |
| openstackgerrit | Nathan Kinder proposed a change to openstack/keystone: Treat LDAP attribute names as case-insensitive https://review.openstack.org/86486 | 17:10 |
| dstanek | Krsna: take a look at the linked issue - it has a pretty good discussion | 17:20 |
| Krsna | dstanek: one second | 17:20 |
| afaranha | ayoung: I actually initialize keystone, but I need to initialize it in another environment for tests purposes. The way I'm doing right know is exactly like the one in your code, but I should not use real url for testing. Is there a way to create a fake url that can be accessible in nova API keystoneclient? | 17:21 |
| Krsna | dstanek: lauchpad seems to be having issues opening that bug | 17:23 |
| dstanek | Krsna: looks like launchpad may be having issues | 17:25 |
| dstanek | Krsna: the idea is the ldap servers return the names in a seeminly arbitrary case - this makes it hard to look for them in the dictionary | 17:26 |
| afaranha | ayoung: I don't understand because I use 10.1.0.32 to access openstack, but using localhost I could retrieve all the openstack users. Also in here https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/tests/v3/utils.py it uses localhost too. Should I keep using it? | 17:26 |
| dstanek | Krsna: the patch converts the names to lower case for easier lookup | 17:27 |
| dstanek | nkinder: i just had one comment on the test and then i'd have no problem giving this a +2 | 17:27 |
| Krsna | dstanek: Yes, but how are we sending requests? Because if we are doing searches in a case insensitve way (in this case lowercase) then the server might not return valid results if it is expecting case sensitive searches | 17:27 |
| dstanek | Krsna: i believe we are using the case as defined in the config file, but i'd have to defer to nkinder or ayoung | 17:28 |
| Krsna | I personally would like to see that as an option that can be toggled on and off. I don't think that it should be the default and ONLY option. It makes a sane default IMHO but should be able to be turned off | 17:31 |
| nkinder | Krsna: why would it need to be turned off? It doesn't affect the way anything is displayed to a user of keystone | 17:31 |
| nkinder | Krsna: I can provide more background from an LDAP perspective if you like | 17:31 |
| Krsna | nkinder: because let us say that my server IS case sensitve then your change would be breaking everything for me. | 17:32 |
| nkinder | Krsna: then your server is not LDAP | 17:32 |
| nkinder | even AD follows the standard in this regard | 17:32 |
| nkinder | Krsna: I'm not referring to the case of attribute values | 17:33 |
| nkinder | this is the case of attribute names as returned in a search result | 17:33 |
| nkinder | Krsna: for example, "uid: foo" vs "UID: foo" | 17:34 |
| Krsna | nkinder: You are correct. The spec does state that it is case insensitve (http://www.ietf.org/rfc/rfc2251.txt) | 17:35 |
| ayoung | afaranha, "real" versus "fake" ? I would assume you would set up a development keystone server. It would be a "real" url frpom Nova's persepcitive, just have no data in it | 17:35 |
| ayoung | afaranha, localhost implies only that it is on the same machine, which might suit your purposes. | 17:35 |
| ayoung | nkinder, I would hate to add just another knob to turn for this one. I'd rather it always be the case-insensitive version. | 17:37 |
| nkinder | Krsna: one other thign to point out is that this is just an internal case-insensitivity when we consult a mapping to convert an LDAP result to the model. It doesn't permanently change the case of anything. | 17:37 |
| nkinder | ayoung: yeah, no knob is needed. Just want to be sure Krsna understands why it's not needed. | 17:38 |
| ayoung | ++ | 17:38 |
| Krsna | ;) | 17:38 |
| Krsna | nkinder: thanks for explaining. | 17:38 |
| nkinder | Krsna: Sure thing. | 17:38 |
| ayoung | So is the launchpad site accefted by heartbleed? Do we all need to update our launchpad passwords? | 17:38 |
| afaranha | ayoung: Yes, that's right. I need a working keystone server but without the data from the other server I'm running in this machine. I'm trying this right now, thanks | 17:40 |
| *** wchrisj has joined #openstack-keystone | 17:42 | |
| ayoung | Hmmmm. can't log in to Launchpad | 17:46 |
| nkinder | dstanek: I can add the uuid values to the test, but I'm curious about the purpose of checking those values since I'm mocking out the search results from LDAP. | 17:47 |
| nkinder | dstanek: are you thinking it would better test taking the values from the LDAP result and copying them to the model? | 17:47 |
| nkinder | dstanek: I suppose it adds a bit of code coverage there | 17:47 |
| *** ukalifon has joined #openstack-keystone | 17:47 | |
| dstanek | nkinder: i didn't look at the code under test, but i assume is pulls the values from that mocked data; i just want to make sure it's doing that because it "could" have those keys for other reasons | 17:48 |
| nkinder | dstanek: yeah, it's mocked (though I see value in doing what you suggest now that I've thought through it) | 17:48 |
| nkinder | dstanek: I'll update the patch. | 17:48 |
| dstanek | nkinder: great, thanks! | 17:49 |
| ayoung | So, I'ma go out on a limb here and say that the Ubuntu version of OpenSSL is likely to have been HeartBleed vulnerable, and they are updating launchpad. Once that is done, we should probably all update out passwords. | 17:49 |
| ayoung | yeah...so launchpad is broken | 17:50 |
| afaranha | ayoung: I have one keystone server running on my machine (A), but I need to create another one when testing and then destroy it (B), so that I can add and remove users from B without interfere in A. Do you know if it's possible? If so, how can I do this? Thank you | 17:53 |
| dstanek | afaranha: you just want to create a second server that is isolated from the first? | 17:54 |
| afaranha | dstanek: Yes. I need this to do tests for my implementation. | 17:55 |
| *** morganfainberg_Z is now known as morganfainberg | 17:56 | |
| *** kun_huang has quit IRC | 17:56 | |
| dstanek | afaranha: why can't you just create a new instance then? as long as you use a different database or LDAP server it won't interfere with your other Keystone server | 17:56 |
| morganfainberg | afternoon everyone not on the west coast :) | 17:57 |
| ayoung | morganfainberg, Good morning | 17:57 |
| ayoung | morganfainberg, have you patched openssl on all of your servers? | 17:58 |
| morganfainberg | ayoung, yeop | 17:58 |
| *** amcrn has quit IRC | 17:59 | |
| ayoung | morganfainberg, wonder if the launchpad ones have been updated...I can';t log in right now | 17:59 |
| *** amcrn has joined #openstack-keystone | 18:00 | |
| morganfainberg | ayoung, the quick in-browser test shows LP isn't affected currently | 18:00 |
| morganfainberg | ayoung, but that doesn't mean the test "works" | 18:00 |
| dstanek | ayoung: it's back for me | 18:00 |
| *** ukalifon has quit IRC | 18:00 | |
| *** amcrn has quit IRC | 18:00 | |
| morganfainberg | ayoung, and i just logged in for gerrit. | 18:00 |
| ayoung | yep, me too. Just updated the PW. Figure if the vuln is still there...they are are... | 18:00 |
| morganfainberg | ayoung, so maybe a hiccup | 18:00 |
| afaranha | dstanek: Can I just do this to code test to pass on Jenkins? I need to implement tests to submit with my code to be approved by the community. | 18:01 |
| ayoung | afaranha, see the test in keystone/tests/test_v3*py files | 18:01 |
| ayoung | well, I guess that is not going to work for nova | 18:01 |
| dstanek | afaranha: if you are just looking to develop then you can just run the tests out of the repo | 18:01 |
| morganfainberg | ayoung, http://filippo.io/Heartbleed/#launchpad.net claims LP is fixed. | 18:02 |
| morganfainberg | ayoung, i hope it's accurate | 18:02 |
| dstanek | afaranha: i have a devstack instance, but i almost always work entirely out of my working copy | 18:02 |
| afaranha | dstanek: Actually I already manually test it. Is it okay to just submit without the test files? I'm confused about this. My implementation is done to be deployed, but I'm having trouble in the tests files. | 18:07 |
| dstanek | afaranha: more likely than not tests will be needed; unless the code is already being tested | 18:09 |
| dstanek | afaranha: what trouble are you having? | 18:09 |
| dstanek | afaranha: you can create a bug and code review with what you have and maybe someone can help with the tests | 18:09 |
| afaranha | In the Nova API I'm using keystoneclient services to check users and projects, so in the test file I need to access a independent keystoneclient to create users. And in Nova API it need to get the information of this keystoneclient. Maybe I need to do another kind of test, but I'm confused on how to do it. | 18:09 |
| afaranha | and the best way to do it | 18:09 |
| afaranha | dstanek: I'll do that, thank you. | 18:10 |
| *** browne has joined #openstack-keystone | 18:12 | |
| dstanek | afaranha: ping me when you have a review up; it sounds like you are making it more complicated than it needs to be | 18:12 |
| dstanek | afaranha: unit tests should not have anything to do with Nova (or any other non-Keystone project) | 18:12 |
| *** Guest_ has joined #openstack-keystone | 18:14 | |
| *** browne has quit IRC | 18:16 | |
| *** leseb has joined #openstack-keystone | 18:17 | |
| *** leseb has quit IRC | 18:22 | |
| *** amcrn has joined #openstack-keystone | 18:26 | |
| openstackgerrit | Nathan Kinder proposed a change to openstack/keystone: Treat LDAP attribute names as case-insensitive https://review.openstack.org/86486 | 18:34 |
| *** Guest_ has quit IRC | 18:45 | |
| *** gyee has quit IRC | 18:46 | |
| *** zhiyan is now known as zhiyan_ | 18:56 | |
| openstackgerrit | Morgan Fainberg proposed a change to openstack/keystone: Collapse SQL Migrations https://review.openstack.org/78169 | 19:07 |
| *** chandan_kumar has joined #openstack-keystone | 19:19 | |
| *** chandan_kumar_ has joined #openstack-keystone | 19:19 | |
| *** chandan_kumar_ has quit IRC | 19:19 | |
| *** ukalifon has joined #openstack-keystone | 19:19 | |
| *** ilives has quit IRC | 19:24 | |
| *** thiagop has joined #openstack-keystone | 19:28 | |
| *** ukalifon has quit IRC | 19:32 | |
| ayoung | OK...the launchpad password field has autocomplete="off" set now. So I need to type it in every time. Mozilla doesn't really honor this, except that it now refuses to save old passwords. | 19:39 |
| morganfainberg | ayoung, thats... | 20:01 |
| morganfainberg | annoying | 20:01 |
| ayoung | yep | 20:01 |
| ayoung | morganfainberg, Ima have some operational difficulties with launchpad in the near future | 20:01 |
| ayoung | and Firefox doesn't let you edit the passwords it saves. | 20:02 |
| morganfainberg | ayoung, i use lastpass for this stuff mostly | 20:02 |
| morganfainberg | ayoung, but, that has other concerns. | 20:02 |
| ayoung | morganfainberg, and where exactly does lastpass ship your passwords off to? | 20:02 |
| ayoung | Kiev? | 20:02 |
| morganfainberg | ayoung, lol | 20:02 |
| morganfainberg | ayoung, like i said other conciderations | 20:03 |
| morganfainberg | ayoung, i don't use Lastpass for anything financial or email to be fair | 20:03 |
| ayoung | morganfainberg, Keeping my stored passwords in a password protected NSS database on my laptop is about the best I can do. Most of my passwords are `uuidgen -r | sed 's!-!!g'` | 20:04 |
| morganfainberg | ayoung, thats pretty much what i end up doing with lastpass | 20:04 |
| ayoung | although I guess most sites would probably accept the dashes | 20:04 |
| morganfainberg | ayoung, little more complex, but same concept | 20:04 |
| morganfainberg | password complexity that is | 20:04 |
| ayoung | maybe chrome is friendlier about this. I think they now share a password db | 20:05 |
| morganfainberg | chrome and FF? | 20:05 |
| *** nkinder has quit IRC | 20:05 | |
| ayoung | yeah. At least chrome now reads FF password file | 20:07 |
| ayoung | which kindof freaks me out, too | 20:08 |
| morganfainberg | interesting. never would have guessed chrome and FF having that kind of interoperability | 20:08 |
| morganfainberg | also... how secure is that password store then? | 20:08 |
| ayoung | morganfainberg, chrome has its own cache, it just reads from the FF one if FF is open. It is evil EEEEvil. | 20:13 |
| morganfainberg | ayoung, oh god | 20:13 |
| morganfainberg | ayoung, that is evil! | 20:13 |
| ayoung | I think. It got passwords from FF somehow | 20:14 |
| ayoung | the PW cache in my chrome profile is tiny | 20:14 |
| ayoung | not sure how passwords are encrypted in FF. I do know they are stored in: | 20:14 |
| ayoung | $HOME/.mozilla/firefox/<something>.default/signons.sqlite | 20:15 |
| ayoung | for exampe: | 20:15 |
| ayoung | sqlite3 $HOME/.mozilla/firefox/x4kktanr.default/signons.sqlite | 20:16 |
| ayoung | sqlite> .table | 20:16 |
| ayoung | moz_deleted_logins moz_disabledHosts moz_logins | 20:16 |
| ayoung | PRAGMA table_info (moz_logins); | 20:17 |
| *** topol has quit IRC | 20:22 | |
| ayoung | morganfainberg, so the table itself is not encrypted, but the fields are. | 20:22 |
| ayoung | I know the password I used to encrypt, but I suspect that the password is used to protect a different file, which then contains these passwords...or something like that | 20:23 |
| morganfainberg | ayoung interesting | 20:25 |
| ayoung | morganfainberg, what is interesting is that If I've used the same password on two sites, they both end up the same in that table's encryptedPassword field; | 20:28 |
| *** saju_m has quit IRC | 20:28 | |
| morganfainberg | ayoung, huh. | 20:28 |
| *** saju_m has joined #openstack-keystone | 20:29 | |
| *** gyee has joined #openstack-keystone | 20:29 | |
| ayoung | morganfainberg, actually, not quite...the first half of the encrypted password is the same, but the second half is different. | 20:32 |
| *** richm has joined #openstack-keystone | 20:39 | |
| *** marcoemorais has quit IRC | 20:40 | |
| *** marcoemorais has joined #openstack-keystone | 20:41 | |
| ayoung | stevemar, so, not sure about the list operation, as, for now, default_domain = admin_client.domains.get('default') is failing on me | 20:42 |
| ayoung | keystoneclient.apiclient.exceptions.NotFound: The resource could not be found. (HTTP 404) | 20:43 |
| *** derek_c has joined #openstack-keystone | 20:44 | |
| stevemar | ayoung, try 'Default' ? | 20:44 |
| ayoung | stevemar, lemme see what mysql says | 20:45 |
| ayoung | id = default, name = Default | 20:45 |
| ayoung | nope | 20:46 |
| ayoung | hmmm | 20:46 |
| ayoung | stevemar, I bet I'm going against MAIN and not ADMIN | 20:48 |
| ayoung | stevemar, v2.0 | 20:49 |
| stevemar | ayoung, even worse :P | 20:49 |
| *** jamielennox|away is now known as jamielennox | 20:49 | |
| stevemar | ayoung, set those env vars! | 20:49 |
| ayoung | identity_service = admin_client.services.list(name='identity', | 20:50 |
| ayoung | type='identity')[0] works | 20:50 |
| ayoung | stevemar, try my script | 20:50 |
| ayoung | actually, let me update it | 20:50 |
| *** harlowja is now known as harlowja_away | 20:56 | |
| afaranha | dstanek: Hello, I just submitted the code. Here: https://review.openstack.org/#/c/85480/ | 21:01 |
| stevemar | ayoung, maybe that class gets list as a freebie because it extends something | 21:06 |
| openstackgerrit | ayoung proposed a change to openstack/python-keystoneclient: Example Initialization scripts https://review.openstack.org/82687 | 21:06 |
| dstanek | afaranha: ah, this is a nova change. i thought you were making keystone changes | 21:06 |
| ayoung | stevemar, I asssume that is the case. But take a look yourself. I updated the scripts in ^^ to take envvars for everything | 21:06 |
| jamielennox | some non-controversial client reviews for people: https://review.openstack.org/#/c/78410/ https://review.openstack.org/#/c/83630/ | 21:08 |
| jamielennox | and one that was passed previously but failed merge: https://review.openstack.org/#/c/74908/ | 21:08 |
| jamielennox | there are some there that do actual changes if you want to go looking | 21:09 |
| openstackgerrit | ayoung proposed a change to openstack/python-keystoneclient: revoke events https://review.openstack.org/81166 | 21:09 |
| *** chandan_kumar has quit IRC | 21:23 | |
| morganfainberg | ayoung, i hate to ask, but should we make either a tempest scenario test or an isolated keystone test that makes the example scripts do work | 21:24 |
| morganfainberg | ayoung, ensure they don't languish | 21:24 |
| *** nkinder has joined #openstack-keystone | 21:35 | |
| *** thedodd has quit IRC | 21:36 | |
| *** Guest____ has joined #openstack-keystone | 21:38 | |
| *** harlowja_away is now known as harlowja | 21:45 | |
| jamielennox | ayoung: have you had a look at jose's kerberos plugin (server side) for dealing with http as well? | 21:48 |
| jamielennox | httpd | 21:48 |
| *** wchrisj has quit IRC | 21:54 | |
| *** diegows has quit IRC | 22:02 | |
| *** wchrisj has joined #openstack-keystone | 22:04 | |
| *** marcoemorais has quit IRC | 22:06 | |
| *** marcoemorais1 has joined #openstack-keystone | 22:10 | |
| *** marcoemorais1 has quit IRC | 22:11 | |
| *** marcoemorais1 has joined #openstack-keystone | 22:11 | |
| *** marcoemorais2 has joined #openstack-keystone | 22:13 | |
| *** marcoemorais2 has quit IRC | 22:13 | |
| *** marcoemorais has joined #openstack-keystone | 22:13 | |
| *** marcoemorais1 has quit IRC | 22:15 | |
| *** gabriel-bezerra has joined #openstack-keystone | 22:20 | |
| *** saju_m has quit IRC | 22:20 | |
| *** dims has quit IRC | 22:24 | |
| *** huats has quit IRC | 22:37 | |
| *** huats has joined #openstack-keystone | 22:41 | |
| *** huats has quit IRC | 22:41 | |
| *** huats has joined #openstack-keystone | 22:41 | |
| Krsna | morganfainberg: Just an update. Had a meeting and there is a ticket for federated keystone. Next monday I should be able to tell you if that will accepted or not. Either way it is something that needs to be done and if it is not me then it will be someone that should be helping you with that. | 22:42 |
| morganfainberg | Krsna, great! | 22:42 |
| *** browne has joined #openstack-keystone | 22:48 | |
| *** dims has joined #openstack-keystone | 22:58 | |
| *** diegows has joined #openstack-keystone | 23:03 | |
| *** derek_c has quit IRC | 23:08 | |
| *** marcoemorais has quit IRC | 23:25 | |
| *** marcoemorais has joined #openstack-keystone | 23:25 | |
| *** marcoemorais has quit IRC | 23:26 | |
| gabriel-bezerra | Hi folks | 23:29 |
| *** marcoemorais1 has joined #openstack-keystone | 23:29 | |
| gabriel-bezerra | Isn't the GET v3/extensions supposed to work? | 23:29 |
| *** marcoemorais1 has quit IRC | 23:30 | |
| *** marcoemorais1 has joined #openstack-keystone | 23:30 | |
| *** marcoemorais1 has quit IRC | 23:30 | |
| *** stevemar has quit IRC | 23:30 | |
| *** marcoemorais1 has joined #openstack-keystone | 23:30 | |
| gabriel-bezerra | I can only get the extensions from the v2.0 api | 23:30 |
| gabriel-bezerra | $ curl http://localhost:5000/v3/extensions {"error": {"message": "The resource could not be found.", "code": 404, "title": "Not Found"}} | 23:31 |
| gabriel-bezerra | I'm running devstack with a clone of openstack/keystone repository | 23:32 |
| gabriel-bezerra | the latest commit in there is of today: Merge "replace word 'by' with 'be'" | 23:33 |
| *** Guest____ has quit IRC | 23:47 | |
| *** browne has quit IRC | 23:51 | |
| *** wchrisj has quit IRC | 23:56 | |
| gabriel-bezerra | even more strange here: OS-FEDERATION is being listed as an extension when I call v2.0/extensions | 23:58 |
| gabriel-bezerra | pardon me, I thought I'd seen OS-FEDERATION instead of OS-OAUTH1 in the API documentation at http://api.openstack.org/api-ref-identity.html | 23:59 |
Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!