Friday, 2014-05-23

« Thursday, 2014-05-22 Index Saturday, 2014-05-24 »
gyeelooking at the session code, doesn't seem it handles token revocation00:00
gyeesay, session.get() and we got back a 40100:00
gyeewe don't ask the plugin for a new token00:00
jamielennoxgyee: https://review.openstack.org/#/c/94529/00:01
jamielennoxi've got it defaulting to don't reauth - i'm not sure which way it should go00:02
gyeeah, nice!00:02
gyeejamielennox, how about a retries param00:02
*** bobt has joined #openstack-keystone00:02
gyeewe'll retry for x number of times and if we continue to get 401, we give up00:03
*** rodrigods has quit IRC00:03
jamielennoxgyee: i can see retries might make sense in how we use it in auth_token - but in general if you have just gotten a fresh token and it still doesn't work i think you probably want to give up00:04
lbragstadstevemar: ++00:04
gyeejamielennox, sure, I am fine with that too00:05
*** sbfox has quit IRC00:06
jamielennoxanyway auth_token does retries with a back off period - i don't think that's something we should default to00:06
*** browne has quit IRC00:06
jamielennoxand it's a fairly easy thing to wrap around a call now00:06
*** dstanek_zzz is now known as dstanek00:07
gyeejamielennox, sure, its at the discretion of the plugin anyway00:09
*** browne has joined #openstack-keystone00:10
*** rodrigods has joined #openstack-keystone00:10
gyeejamielennox, is your append_identity_args() review on the way?00:11
jamielennoxgyee: the argparse one?00:12
gyeeyes sir00:12
jamielennoxi had the start of one on my work computer00:12
*** gokrokve has joined #openstack-keystone00:12
jamielennoxi was intending to be there today, however started early and never left :)00:13
jamielennoxi'll probably just end up starting it again today00:13
jamielennoxi was doing some stuff around OSC just to make sure it would fit in00:13
ayounggyee, jamielennox one of you pull the trigger on https://review.openstack.org/#/c/94987/7  and get us a spec repo, please?  morganfainberg 's done great work, lets keep up the momentum00:14
gyeeayoung, yeah, lemme look00:14
ayoungAnd there is nothing wrong with putting two spaces after a period.00:15
gyeehahaha00:15
gyeeseriously?00:15
gyee!00:15
*** dstanek is now known as dstanek_zzz00:17
*** Camisa has joined #openstack-keystone00:17
*** Camisa has joined #openstack-keystone00:17
jamielennoxayoung: done00:18
ayoungnice00:18
jamielennoxi don't see any problems - but i don't think we'll know what they are until we've used it for a while00:18
jamielennoxfor example a way to mark a spec as completed would be good00:18
ayoungjamielennox, we really really need to hack on packstack and get it to work with LDAP/FreeIPA.  I think that might be the most important thing we can do for Keystone00:18
jamielennoxbut we can figure that stuff out as we go00:18
openstackgerritA change was merged to openstack/identity-specs: Initial Commit for Identity-specs repo  https://review.openstack.org/9498700:19
ayoungjamielennox, good point00:19
ayoungIf I had an intern this summer, that is what I would have them work on00:19
jamielennoxalso possibly a client impact00:19
jamielennoxso you can prevent people marking a spec as finished until they've done the client side as well00:20
ayoungjamielennox, BTW we still don't have requests-kerberos in global reqs00:20
ayoungclient impact...from the server?00:20
ayoungmaybe a way to link specs?00:20
ayounglike pairing a client and server spec?00:20
jamielennoxno, but if you're doing a spec that exposes an API, are you expecting to add a new manager to the client etc00:21
ayoung++00:21
*** rodrigods has quit IRC00:23
ayoungjamielennox, https://review.openstack.org/#/c/84740/  should be good to go, but I need to figure out who can/will approve00:24
*** rodrigods has joined #openstack-keystone00:24
jamielennoxayoung: oh cool, so they did do a py33 compatible release00:27
*** xianghui has joined #openstack-keystone00:27
ayoungyep00:27
morganfainbergayoung, silly unrelated to anything keystone - you have a home office chair you recommend?00:27
* morganfainberg needs a new one.00:27
ayoungmorganfainberg, get a barstool00:28
gyeek, looks like jamielennox a+ already, no need to double tap00:28
ayoungand a standing desk00:28
morganfainbergayoung, hm. that was one of the options.00:28
ayoungtake it from the guy about to turn 43 with lower back pain.00:28
ayoungsitting is the new smoking00:28
morganfainbergayoung, ++ (l2 compression fracture here, standing helps, but can't do it all day)00:28
ayoungbarstool.  Means you don't have to move your computer00:29
ayoungI'm building one out of birch00:29
jamielennoxayoung: requests-kerberos doesn't do a travis build on 3.300:29
morganfainbergayoung, cool. thanks for the input :)00:29
ayoungjamielennox, travis?00:29
jamielennoxayoung: seriously?00:29
ayoungjamielennox, is that a python thing?00:29
morganfainbergayoung, travis-ci00:29
gyeemorganfainberg, l2 compression fracture sound painful00:30
morganfainbergayoung, it's an external ci system that hooks into github decently00:30
jamielennoxit's a ci server that links into github00:30
ayoungah00:30
morganfainberggyee, snowboarding accident00:30
jamielennoxand it's the first thing i look at to tell if 3.3 is supporte00:30
jamielennoxd00:30
morganfainberggyee, happend ~4 yrs ago. but i need to be careful about sitting/standing/etc for work :)00:30
ayoungjamielennox, we got the tests to pass with it00:30
ayoungat least the client unit tests00:31
jamielennoxayoung: so it appears to fail on py3 for me00:32
jamielennoxkerberos module00:33
jamielennoxImportError: No module named 'commands'00:33
ayoungjamielennox, so when you said "doesn't do a travis build on 3.3" you mean that they don't test it or that it fails?00:33
jamielennoxso they don't test it, i figured if they think the new release supports it i'd just submit a PR00:33
ayoungjamielennox, ah, yeah, they wouldn;t run it, they didn';t have any py33 support prior00:33
jamielennoxbut it fails00:33
jamielennoxyea, but i thought if they were cutting a release based on supporting py3.3 they'd test it00:34
ayoungit really was a case of dolphm  bugging him to do it, and crickets...then I did, and he cut it like within hours00:34
jamielennoxso it appears to be the fault of the kerberos librar00:35
jamielennoxlast uploaded: 2011-04-2700:35
ayoungthe python-kerberos lib?00:35
jamielennoxyea00:35
ayoungpython-kerberos-1.1-13.fc20.x86_64  ?00:36
jamielennoxi'm looking at pip00:36
jamielennoxit says 1.1.100:36
jamielennoxugh, svn00:36
jamielennoxi almost forgot how bad svn is, it's cloning user branches00:39
*** gokrokve has quit IRC00:41
ayoungyou probably checked out too high in the tree.  that is a common problem with the way svn branches00:43
*** gokrokve has joined #openstack-keystone00:44
*** gokrokve_ has joined #openstack-keystone00:45
*** joesavak has joined #openstack-keystone00:46
*** arborism has quit IRC00:48
*** gokrokve has quit IRC00:49
*** schofield_away is now known as schofield00:50
*** joesavak has quit IRC00:52
*** rodrigods has quit IRC00:56
*** diegows has joined #openstack-keystone00:56
*** stevemar has quit IRC00:57
jamielennoxayoung: so i can make it build with python301:00
jamielennoxtesting it - or getting that accepted is another matter01:01
ayoungwhich version of the kerberos library are you using?01:01
jamielennoxsvn01:02
ayoungtop of tree, no version number?01:02
jamielennoxyea, head01:02
jamielennoxit's mostly a C binding so it's just some old stuff in the setup.py that isn't py3 compatible01:03
ayoungwe don't even have requests-kerberos for python27 right now.  I'm not super concerned about 33 yet.  We can skip the tests for that in the client until we hav a workable configuration01:03
jamielennoxi thought 33 was a requirement of passing into global reqs?01:04
ayoungjose got something working somehow01:04
ayoungyeah, 33 is necessary, just that we might not be able to get the pkc tests working for a kerberos auth plugin due to package stuff.  TBH, its been long enough that I don't know the tweaks necessary01:05
ayoungI tested it at one point...let me see what is on my system01:05
*** dstanek_zzz is now known as dstanek01:08
gyeejamielennox, I am mostly good, just a couple of questions https://review.openstack.org/#/c/94529/1/keystoneclient/session.py01:09
jamielennoxayoung: can you activate a trust from v2 auth?01:12
ayoungjamielennox, yes01:13
jamielennoxoh, cool - i was expecting a no there01:13
ayoungpretty sure Heat needed that up front01:13
ayounglook in token/controller.py01:13
ayoungI think you pass it without the OS-TRUST extenstion prefix01:13
*** r-daneel has joined #openstack-keystone01:17
*** dstanek is now known as dstanek_zzz01:18
jamielennoxdo you know if horizon ever did anything to allow creating trusts graphically? i haven't seen it01:20
jamielennoxayoung: internal questions01:20
ayoungnope01:20
ayoungOnly via Heat AFAIK01:21
*** diegows has quit IRC01:31
*** bobt has quit IRC01:35
*** marcoemorais has quit IRC01:36
*** browne has quit IRC01:37
*** rodrigods has joined #openstack-keystone01:48
*** pack3t has joined #openstack-keystone01:51
rodrigodsjamielennox, the exception raised at https://review.openstack.org/#/c/91578/9/keystoneclient/v3/assignments.py is definitely a problem to you, or you are ok leaving this custom one?01:53
jamielennoxrodrigods: i won't block it, but python has an exception for that and i don't see the point in carrying our own01:55
jamielennoxand really it doesn't matter what we raise there, you just don't want to let it fall through to the underyling implementation01:55
*** packet has quit IRC01:58
*** pack3t is now known as packet01:58
*** r-daneel has quit IRC01:59
rodrigodsjamielennox, ok02:03
*** rodrigods has quit IRC02:07
*** dstanek_zzz is now known as dstanek02:09
*** packet has quit IRC02:12
*** zhiyan_ is now known as zhiyan02:18
*** dstanek is now known as dstanek_zzz02:19
*** rodrigods has joined #openstack-keystone02:24
*** rodrigods has quit IRC02:24
*** rodrigods has joined #openstack-keystone02:24
*** rodrigods has quit IRC02:28
*** stevemar has joined #openstack-keystone02:40
*** gyee has quit IRC02:40
*** praneshp has quit IRC02:42
*** mberlin1 has joined #openstack-keystone02:42
*** mberlin has quit IRC02:43
*** stevemar has quit IRC02:54
*** harlowja_ is now known as harlowja_away02:55
morganfainbergayoung, you around?02:57
morganfainbergayoung, nvm02:57
*** Abhijeet has joined #openstack-keystone03:02
*** dstanek_zzz is now known as dstanek03:09
jamielennoxmorganfainberg: here?03:11
morganfainbergjamielennox, yeah03:12
jamielennoxyou're generally the only one left by this time03:12
morganfainbergdstanek, just woke up (for a moment at least)03:12
morganfainbergor so irc claims03:12
jamielennoxso ages ago we talked about how auth_token using session should reauthenticate the token if it gets a 40103:12
morganfainbergjamielennox, what can i do for ya?03:12
morganfainbergjamielennox, correct. because... we have that behavior now.03:13
jamielennox(i wonder what that looks like sometimes, maybe IRC on the phone and they bump it at night)03:13
jamielennoxok so i've got a review to do that03:13
jamielennoxhttps://review.openstack.org/#/c/94529/103:13
jamielennoxi can't decide on whether that behaviour should be the default or not03:13
jamielennoxthere are definetly times you want it03:13
morganfainberghm.03:14
jamielennoxopinion?03:14
*** radez is now known as radez_g0n303:14
morganfainbergjamielennox, i think in most cases the current usecase would assume it is the default to reauth03:15
jamielennoxi initially wrote it default on, then swapped, and gyee's comment is to swap bacj03:15
jamielennoxright03:15
morganfainbergjamielennox, not saying that it is correct to make that the default, but if you have the requisite information and you get a 401 (only should occur on bad x-subject-token) reauth makes sense03:15
jamielennoxbut i also think that that is because we've been a little lax in permission management03:16
morganfainbergs/bad/invalid03:16
jamielennoxif the 401 is because you don't have the right roles then it doesn't matter how many times you reauth03:16
morganfainbergjamielennox, i think it's 50/50 here03:16
jamielennoxx-subject-token?03:16
morganfainbergjamielennox, V3 token validation03:17
morganfainbergjamielennox, x-subject-token is the header (easier to say than the "token that is being validated")03:17
morganfainbergjamielennox, :P03:17
jamielennoxyea, i mean i just hadn't thought through the difference, i don't think we differentiate that now03:17
morganfainbergjamielennox, the token being validated vs the auth token?03:18
morganfainbergjamielennox, we absolutely do.03:18
morganfainbergoh wait... i'm inverting it03:18
jamielennoxwould the 401 response change between X-Auth-Token is invalid and X-Subject-Token is invalid?03:18
morganfainbergx-subject-token would raise 403 if invalid03:18
jamielennoxok03:18
morganfainberg401 is raised if x-auth-token is bad03:18
morganfainbergi think03:18
morganfainberg*checks*03:18
jamielennoxthat's a distinction i hope we make everywhere03:19
jamielennoxie Unauthorized if the token is bad, Forbidden if the policies don't work03:19
jamielennoxin which case i'd be happy to have reauth by default03:19
*** dstanek is now known as dstanek_zzz03:19
morganfainbergyes that should be the case. i know we "fixed" that in... Havana?03:20
morganfainbergi'm 2x checking still though03:20
*** stevemar has joined #openstack-keystone03:20
morganfainbergjamielennox, ah03:21
morganfainbergno03:21
morganfainbergwe 404 for an expired token03:22
morganfainbergor non-validatable token03:22
morganfainberg(not thinking PKI)03:22
morganfainbergok so lets see.03:22
jamielennoxmorganfainberg: i'm actually not so worried about the keystoneclient -> keystone case03:22
morganfainbergjamielennox, right but it should be the blueprint for all other cases03:22
jamielennoxor auth_token -> keystone03:23
jamielennoxyep, and it's how we enforce policy03:23
jamielennoxcan we differentiate between no permissions, and not these permissions03:23
morganfainbergjamielennox, doesn't look like we can.03:24
morganfainbergjamielennox, https://github.com/openstack/oslo-incubator/blob/master/openstack/common/policy.py#L261 if you get to "enforce" you only have one possible exception to raise03:24
morganfainbergnow..03:25
morganfainbergwhat does middleware say if token is revoked/expired03:25
morganfainbergjamielennox, looks like we raise the generic: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/auth_token.py#L37903:26
jamielennoxmorganfainberg: but that might be ok03:26
morganfainbergInvalidUserToken03:26
morganfainbergthe only time a reauth is really warranted is on expired/revoked token.03:26
morganfainbergreauthing wont matter if you get bounced by policy03:27
jamielennoxhttps://github.com/openstack/keystone/blob/master/keystone/policy/backends/rules.py#L9103:27
morganfainbergjamielennox, looks like https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/auth_token.py#L700 401 is what we typically do w/ invalid user token03:27
morganfainbergcalled from the block: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/auth_token.py#L63403:28
morganfainbergjamielennox, so, we should 401 instead of 403 if it's a reauth-capable situation03:29
morganfainbergjamielennox, i think that means allow_reauth is probably ok as the default03:29
jamielennoxyea, and that we might need to fix auth_token03:29
jamielennoxi don't think we are granular enough there03:29
jamielennoxactually no03:30
jamielennoxthat's right03:30
jamielennoxauth_token should still reject with 40103:30
jamielennoxand then policy should reject with 40303:30
morganfainbergyep03:30
jamielennoxok, so given that all auth_token checks is signature and expiry time anyway that should be fine03:30
morganfainbergjamielennox. yep03:31
jamielennoxif auth_token is getting 403 then you're otherwise screwed and you'll find out soon enough without worrying about reauths03:31
*** stevemar has quit IRC03:31
jamielennoxok, default to True03:31
morganfainbergjamielennox, ++ i support this03:31
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Auth Plugin invalidation  https://review.openstack.org/9452903:36
jamielennoxmorganfainberg: fixed ^03:36
jamielennoxmorganfainberg: cheers03:36
*** dstanek_zzz is now known as dstanek04:10
*** sbfox has joined #openstack-keystone04:11
*** dstanek is now known as dstanek_zzz04:20
*** morganfainberg is now known as morganfainberg_Z04:42
*** schofield is now known as schofield_away04:44
*** marcoemorais has joined #openstack-keystone04:48
*** marcoemorais1 has joined #openstack-keystone04:49
*** marcoemorais has quit IRC04:52
*** dstanek_zzz is now known as dstanek05:11
*** stevemar has joined #openstack-keystone05:14
*** dstanek is now known as dstanek_zzz05:21
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/9028806:00
*** stevemar has quit IRC06:06
*** dstanek_zzz is now known as dstanek06:12
*** praneshp has joined #openstack-keystone06:18
*** gokrokve_ has quit IRC06:21
*** dstanek is now known as dstanek_zzz06:22
*** praneshp_ has joined #openstack-keystone06:37
*** praneshp has quit IRC06:40
*** praneshp_ is now known as praneshp06:40
openstackgerritJuan Antonio Osorio Robles proposed a change to openstack/keystone: Refactor tests regarding required attributes  https://review.openstack.org/9253506:44
*** jaosorior has joined #openstack-keystone06:44
*** zhiyan is now known as zhiyan_06:52
*** gokrokve has joined #openstack-keystone06:52
*** gokrokve_ has joined #openstack-keystone06:54
*** gokrokve has quit IRC06:56
*** gokrokve_ has quit IRC06:59
*** marcoemorais1 has quit IRC07:04
*** marcoemorais has joined #openstack-keystone07:04
*** zhiyan_ is now known as zhiyan07:10
*** dstanek_zzz is now known as dstanek07:13
*** dstanek is now known as dstanek_zzz07:23
*** amcrn has joined #openstack-keystone07:28
*** BAKfr has joined #openstack-keystone07:29
*** sbfox has quit IRC07:32
*** leseb has joined #openstack-keystone07:51
*** dstanek_zzz is now known as dstanek07:54
*** gokrokve has joined #openstack-keystone07:55
*** rwsu has quit IRC07:58
*** praneshp has quit IRC07:58
*** gokrokve has quit IRC08:00
*** dstanek is now known as dstanek_zzz08:04
*** gokrokve has joined #openstack-keystone08:32
*** amcrn has quit IRC08:37
*** gokrokve has quit IRC08:38
*** xianghui has quit IRC08:41
*** xianghui has joined #openstack-keystone08:42
*** xianghui has quit IRC08:43
*** xianghui has joined #openstack-keystone08:44
*** dstanek_zzz is now known as dstanek08:55
*** xianghui has quit IRC08:58
*** dstanek is now known as dstanek_zzz09:05
*** xianghui has joined #openstack-keystone09:05
*** henrynash_ has joined #openstack-keystone09:09
*** xianghui has quit IRC09:10
*** henrynash has quit IRC09:13
*** henrynash_ is now known as henrynash09:13
*** henrynash_ has joined #openstack-keystone09:19
*** henrynash has quit IRC09:20
*** henrynash_ is now known as henrynash09:20
*** xianghui has joined #openstack-keystone09:23
*** gokrokve has joined #openstack-keystone09:33
openstackgerritJose Castro Leon proposed a change to openstack/python-keystoneclient: Initial kerberos plugin implementation.  https://review.openstack.org/7497409:34
*** gokrokve has quit IRC09:38
*** henrynash_ has joined #openstack-keystone09:40
*** henrynash has quit IRC09:41
*** henrynash_ is now known as henrynash09:41
*** dstanek_zzz is now known as dstanek09:55
*** marcoemorais has quit IRC09:57
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Session loading from conf and CLI  https://review.openstack.org/9501510:01
*** dstanek is now known as dstanek_zzz10:05
*** Abhijeet has quit IRC10:20
*** openstackstatus has quit IRC10:20
*** openstack has joined #openstack-keystone10:21
*** jaosorior has quit IRC10:21
*** openstackstatus has joined #openstack-keystone10:21
*** ChanServ sets mode: +v openstackstatus10:21
*** jaosorior has joined #openstack-keystone10:23
*** andreaf has joined #openstack-keystone10:26
jaosoriorHi, I'm refactoring the authenticate keystone.auth.controllers.Auth.authenticate_for_token function, is there a specific reason most of the function is surrounded by a "try...except exception.TrustNotFound" ? Or should I just narrow it to where it would actually throw that exception?10:27
*** gokrokve has joined #openstack-keystone10:34
*** gokrokve has quit IRC10:39
*** xianghui has quit IRC10:44
*** dstanek_zzz is now known as dstanek10:56
*** zhiyan is now known as zhiyan_10:58
*** xianghui has joined #openstack-keystone11:01
*** dstanek is now known as dstanek_zzz11:06
openstackgerritJose Castro Leon proposed a change to openstack/keystone: Initial kerberos plugin implementation.  https://review.openstack.org/7431711:27
*** dstanek_zzz is now known as dstanek11:34
*** gokrokve has joined #openstack-keystone11:34
*** andreaf_ has joined #openstack-keystone11:39
*** gokrokve has quit IRC11:39
openstackgerritSergey Nikitin proposed a change to openstack/keystone: Adds function to compare DNs  https://review.openstack.org/9451311:40
openstackgerritSergey Nikitin proposed a change to openstack/keystone: Add a test for getting grant for a user with a , in ID  https://review.openstack.org/9474011:40
openstackgerritSergey Nikitin proposed a change to openstack/keystone: Check that the user is dumb moved to the common method  https://review.openstack.org/8851711:40
*** andreaf_ has quit IRC11:55
*** juanmo has joined #openstack-keystone12:02
*** juanmo has quit IRC12:03
openstackgerritSergey Nikitin proposed a change to openstack/keystone: Fixed wrong behavior when updating tenant with LDAP backends  https://review.openstack.org/9338612:03
*** dstanek is now known as dstanek_zzz12:04
openstackgerritRodrigo Duarte Sousa proposed a change to openstack/python-keystoneclient: Add /role_assignments endpoint support  https://review.openstack.org/9157812:23
*** rodrigods has joined #openstack-keystone12:23
*** andreaf has quit IRC12:25
*** gordc has joined #openstack-keystone12:25
*** dims has joined #openstack-keystone12:28
*** dims has quit IRC12:28
*** dims has joined #openstack-keystone12:33
*** gokrokve has joined #openstack-keystone12:35
*** rodrigods has quit IRC12:37
*** andreaf_ has joined #openstack-keystone12:37
*** gokrokve has quit IRC12:40
*** rodrigods has joined #openstack-keystone12:42
*** afaranha has quit IRC12:43
*** afaranha has joined #openstack-keystone12:44
*** dstanek_zzz is now known as dstanek12:44
*** radez_g0n3 is now known as radez12:51
*** erecio has joined #openstack-keystone12:51
*** radez is now known as radez_g0n312:52
*** radez_g0n3 is now known as radez12:52
*** bknudson has joined #openstack-keystone12:55
jaosoriorO_o13:01
*** Ju has quit IRC13:07
*** joesavak has joined #openstack-keystone13:07
*** henrynash has quit IRC13:16
openstackgerritRaildo Mascena de Sousa Filho proposed a change to openstack/keystone: Filter User by project  https://review.openstack.org/8413613:32
*** ukalifon1 has joined #openstack-keystone13:32
*** gokrokve has joined #openstack-keystone13:36
*** gokrokve has quit IRC13:41
*** r-daneel has joined #openstack-keystone13:44
*** gokrokve has joined #openstack-keystone13:49
*** gokrokve has quit IRC13:52
*** rodrigods_ has joined #openstack-keystone13:55
*** rodrigods_ has quit IRC13:55
*** sbfox has joined #openstack-keystone13:59
ukalifon1ayoung: where do I find the file wsgi-keystone.conf? I'm trying to follow the instructions in: http://docs.openstack.org/developer/keystone/apache-httpd.html14:03
*** rodrigods_ has joined #openstack-keystone14:06
*** rwsu has joined #openstack-keystone14:08
*** rodrigods_ has quit IRC14:10
*** rodrigods_ has joined #openstack-keystone14:11
ukalifon1nkinder: ^^^ can you answer ?14:12
*** sbfox has quit IRC14:14
nkinderukalifon1: in devstack?14:16
nkinderukalifon1: it's in /opt/stack/keystone/httpd/14:16
bknudsonukalifon1: http://git.openstack.org/cgit/openstack-dev/devstack/tree/files/apache-keystone.template14:16
nkinderukalifon1: you should copy it to /etc/httpd/conf.d14:17
ukalifon1I'm looking for it in RHWL OSP14:17
ukalifon1RHEL OSP14:17
bknudsonit goes in /etc/apache2/sites-available/keystone14:17
bknudson(which is probably httpd on RHEL)14:17
bknudsonThen create a symlink to enable it: ln -s /sites-available/keystone /etc/apache2/sites-enabled/14:18
bknudsonmaybe rhel has a different setup for httpd14:18
larsksukalifon1: You can use "rpm" tp find it: rpm -ql openstack-keystone |grep wsgi14:21
larsksukalifon1: which gets you: /usr/share/keystone/wsgi-keystone.conf14:21
larsks(I'm  actually using RDO/Icehouse, but in theory RHEL OSP should have it in the same place)14:21
ukalifon1larsks: thanks14:22
openstackgerritBrant Knudson proposed a change to openstack/keystone: Templated v3 catalog  https://review.openstack.org/7063014:28
openstackgerritBrant Knudson proposed a change to openstack/keystone: Templated v3 catalog  https://review.openstack.org/7063014:32
*** david-lyle has joined #openstack-keystone14:34
*** rodrigods_ has quit IRC14:37
*** thedodd has joined #openstack-keystone14:46
*** gokrokve has joined #openstack-keystone14:49
*** xianghui has quit IRC14:50
*** gokrokve has quit IRC14:54
BAKfrHi. When using a new message, by correcting a bug, is there something to do for i18n ? Edit locale/keystone.pot ?15:02
*** packet has joined #openstack-keystone15:03
*** schofield_away is now known as schofield15:04
bknudsonBAKfr: there's a group that does the translation, so they'll provide us with an updated catalog at some point15:08
bknudsonBAKfr: so the answer is there's no change required to the message files15:08
*** stevemar has joined #openstack-keystone15:12
openstackgerritBrant Knudson proposed a change to openstack/keystone: Templated v3 catalog  https://review.openstack.org/7063015:12
BAKfrbknudson, thanks15:13
stevemarbknudson, updating the templated catalog is something we should definitely do more quickly in v4 =\15:18
*** gokrokve has joined #openstack-keystone15:18
bknudsonstevemar: maybe we thought nobody was using it...15:19
bknudsonit still doesn't support everything15:19
bknudsone.g., filtering15:19
bknudsonhttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/contrib/endpoint_filter/backends15:20
bknudsonthe endpoint_filter extension only has sql15:20
*** gyee has joined #openstack-keystone15:23
stevemarbknudson, wouldn't that be most of the new contrib work?15:23
bknudsonstevemar: I think that's the only one that affects catalog15:24
*** ukalifon1 has quit IRC15:25
*** afaranha has quit IRC15:28
*** ukalifon1 has joined #openstack-keystone15:29
*** gabrielb has quit IRC15:30
*** afaranha has joined #openstack-keystone15:31
*** gabrielb has joined #openstack-keystone15:33
*** diegows has joined #openstack-keystone15:40
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements  https://review.openstack.org/9122515:45
*** rodrigods has quit IRC15:57
*** rodrigods has joined #openstack-keystone16:01
*** rodrigods has quit IRC16:08
*** rodrigods has joined #openstack-keystone16:08
BAKfrAs a new contributor, I should do something special in my first commit ?16:09
*** rodrigods has quit IRC16:09
BAKfrLike adding my name to an AUTHOR file ?16:09
*** rodrigods has joined #openstack-keystone16:10
*** rodrigods has quit IRC16:10
*** rodrigods has joined #openstack-keystone16:10
*** marcoemorais has joined #openstack-keystone16:10
*** henrynash has joined #openstack-keystone16:12
*** morganfainberg_Z is now known as morganfainberg16:12
*** gokrokve has quit IRC16:12
larsksBAKfr: Nope.  The commit log provides a record of authors :).16:15
larsksYou should read https://wiki.openstack.org/wiki/Gerrit_Workflow if you haven't already.16:15
*** leseb has quit IRC16:19
BAKfrlarsks, I've already read it.16:19
larsksBAKfr: awesome.16:19
*** rodrigods_ has joined #openstack-keystone16:20
morganfainbergdolphm, bknudson, stevemar, gyee, ayoung, dstanek, nkinder, looks like programs are not winning the spec-repo naming, back to codenames16:21
*** jaosorior has quit IRC16:21
bknudsonthe name of the spec repo makes no difference to me16:23
morganfainbergbknudson, same, more of a heads up to expect it to be renamed.16:24
bknudsonI assume we don't need to get stuff merged before the name is changed?16:25
morganfainbergbknudson, don't think we have anything pending, and if we do, i'll repropose it if needed16:26
morganfainbergbknudson, if the origonal proposer doesn't want to16:26
morganfainbergbknudson, i think we're clear though16:26
*** rodrigods_ has quit IRC16:28
gyeemorganfainberg, what's in a name? :)16:29
morganfainberggyee, :P16:30
openstackgerritKevin BernardAllies proposed a change to openstack/keystone: Check that region ID is not an empty string  https://review.openstack.org/9521216:34
BAKfrmy first commit :)16:36
dstanekmorganfainberg: does that mean me may eventually have multple spec repos?16:39
morganfainbergdstanek, no16:39
morganfainbergdstanek, still one repo per program16:39
morganfainbergbut it looks like the primary project gets the name for now.16:39
* morganfainberg prefers program name, but not going to argue at the moment16:39
dstanekmorganfainberg: i agree on both counts16:40
*** raildo1 has left #openstack-keystone16:43
*** raildo has joined #openstack-keystone16:44
*** henrynash has quit IRC16:46
*** radez is now known as radez_g0n316:46
*** shufflebot has joined #openstack-keystone16:48
shufflebotSo I'm currently implementing SSL on keystone on havna via https://github.com/kjtanaka/deploy_havana/wiki/How-to-enable-ssl-on-keystone16:49
shufflebotkeystone --insecure token-get and services work appropriately, HOWEVER horizon fails to log in16:49
*** radez_g0n3 is now known as radez16:49
shufflebotand sadly I dont see any logs that help me identify whats going on. Its not in /var/log/httpd/{access.log,error.log}16:49
openstackgerritAlex Gaynor proposed a change to openstack/python-keystoneclient: Fixed an aparent typo in the code  https://review.openstack.org/9521416:50
*** esmute has quit IRC16:51
*** harlowja_away is now known as harlowja_16:55
*** BAKfr has quit IRC16:56
*** praneshp has joined #openstack-keystone17:06
gyeemorganfainberg, there?17:07
*** marcoemorais has quit IRC17:09
*** marcoemorais has joined #openstack-keystone17:09
*** marcoemorais has quit IRC17:09
*** marcoemorais has joined #openstack-keystone17:10
*** marcoemorais has quit IRC17:10
*** esmute has joined #openstack-keystone17:10
*** marcoemorais has joined #openstack-keystone17:10
*** sbfox has joined #openstack-keystone17:11
nkindershufflebot: rcrit (who isn't on here now) has been working on SSL stuff lately.  He has a write up on configuring it that I can dig up for you.17:13
nkindershufflebot: http://blog-rcritten.rhcloud.com/?p=517:14
*** bboris has joined #openstack-keystone17:15
bborishi17:16
bborisi have a question about the tokens17:16
bboriswhy is the token format everywhere like this: aaaaa-bbbbb-ccccc-dddd17:16
nkinderbboris: you are referring to UUID tokens?17:17
dolphmbboris: the last time we used that format for tokens was in diablo - we use the hex digest now instead17:17
bborisi guess i should've typed my question in one line. the tokens in the examples are in the format above, while my tokens are 6 lines long17:18
bborisand i dont know what uuid tokens are17:19
bborisi'm sending POST with curl and a json17:19
nkinderbboris: there are UUID tokens and PKI tokens17:19
dolphmbboris: the docs were written in diablo then, and are uuid-based tokens. keystone uses b64-encoded, pki-signed documents as tokens now17:19
bborisaha17:21
nkinderbboris: the PKI format tokens actually contain information inside of them, such as the roles that a user has on a project.17:21
nkinderbboris: uuid is just an identifier, and you have to ask keystone if it is valid17:21
ayoungbboris, you can blame me for that17:21
nkinderbboris: with pki, you can check the signature to see if it is valid without involving keystone17:21
bborisclever17:22
dstanekbknudson: i don't understand line 345 in https://review.openstack.org/#/c/76901/16/update.py,cm17:23
dstanekbknudson: seems like it is just trying to filter tools17:23
dolphmbboris: http://docs.openstack.org/developer/keystone/configuration.html#pki-or-uuid17:23
openstackgerritSantiago Baldassin proposed a change to openstack/python-keystoneclient: Add description param to v3 service create/update  https://review.openstack.org/7977417:23
*** BAKfr has joined #openstack-keystone17:23
morganfainberggyee, back17:26
bborisdolphm: nice, thanks17:27
gyeemorganfainber, I was wondering is there a way to transfer ownership of an existing review, I am asking that question in openstack-infra now17:27
*** marcoemorais has quit IRC17:28
bknudsondstanek: seems like _get_modules_in_conf should include install_venv_common, since the returned list is used to check if the modules are in alpha order.17:28
ayoungdolphm, we have Kerberos:  https://review.openstack.org/#/c/84740/17:28
morganfainbergayoung, tox has fixes merged, next release run_tests will become 100% a wrapper for tox17:28
ayoungmorganfainberg, ++17:28
dolphmayoung: still no bp reference?17:29
shufflebotnkinder: thanks17:29
ayoungdolphm, there was one in there.  Did it get removed?17:29
*** marcoemorais has joined #openstack-keystone17:29
bknudsondstanek: I think the issue is that it gets the list of modules in openstack/common and that doesn't include anything in tools.17:29
ayoungdolphm, must have been removed in a rebase by someone.  I added it17:29
*** marcoemorais has quit IRC17:30
ayoungPatch Set 5: Commit message was updated17:30
*** marcoemorais has joined #openstack-keystone17:30
bknudsondstanek: so I think you're right that it's essentially files in tools/ that don't have a corresponding file in openstack/common17:30
ayoungAh...Maybe I did that with Patch set 617:30
bknudsondstanek: maybe it would be better to just add files in tools to the list of modules17:30
*** marcoemorais has quit IRC17:31
ayoungthat is the risk of editing the commit message in the web ui.  I hadn't pulled it back down to do the other changes request for 617:31
*** marcoemorais has joined #openstack-keystone17:31
*** marcoemorais has quit IRC17:31
*** marcoemorais has joined #openstack-keystone17:32
dstanekbknudson: not sure that would work since the comparison is between the modules in the config and the things in keystone/openstack/common17:32
*** lbragstad has quit IRC17:32
*** amcrn has joined #openstack-keystone17:33
bknudsonsince we've got people around -- would be nice to get https://review.openstack.org/#/c/94470/ merged17:34
morganfainbergbknudson, i am about 75% done reviewing it17:35
bknudsonmorganfainberg: thanks!17:35
morganfainbergbknudson, spent a good chunk of time last night on it.17:35
bknudsoni'll be back online once I get home17:35
morganfainbergbknudson, i have 1 question17:35
bknudsongo ahead17:35
morganfainbergis it just the lack of info about the types that makes it so the is_ava_value_equal function ignores the attribute_type?17:36
morganfainberge.g. just a simplisitic comparitor vs more indepth implementation?17:36
bknudsonmorganfainberg: yes, it's because of the simplistic implementation17:37
morganfainbergbknudson, that was the only real sticking point i was running into.17:37
bknudsona complete implementation would have to take the attribute_type into consideration17:37
morganfainbergbknudson, let me finish reviewing the tests and we should be good.17:37
bknudsone.g., if the attribute_type was telephoneNumber then it would have to do a different type of comparison17:37
morganfainbergyep17:38
morganfainbergok, just making sure i was reading that correctly17:38
shufflebotnkinder: that was helpful - nova is now behaving as expected but horizon isn't >_> hrmmm17:39
*** bknudson has quit IRC17:39
morganfainberggyee, ping https://review.openstack.org/#/c/94470/5 i'd like to have your eyes on this as well. It looks good to me, but I, unfortunately can't spin up a instance at the moment to test (have a bunch of other things i need to get to)17:47
morganfainberggyee, since you do a bunch of ldap-y stuff your eyes would be good too17:48
gyeemorganfainberg, looking17:51
gyeeI don't know why we bother to compare DNs as users and groups should have different object classes17:53
gyeecomparing DNs sound risky17:53
morganfainberggyee, the issue is we don't have the objectClass once the query completes17:54
morganfainberggyee, erm, once we move out of the LDAP specific stuff17:54
morganfainberggyee, if you're looking at a python object in keystone, what objectclass did it originate from?17:55
morganfainberggyee, we have the ID which is a partial DN17:55
gyeemorganfainberg, yeah, that's problematic, DN is not a reliable to distinguish objects17:55
shufflebotnkinder: thanks that sort of helped - however I'm still stuck with horizon not being able to authenticate17:56
gyeeshufflebot, is your ca.pem self-signed? you may need to add it to /etc/ssl/certs/17:56
morganfainberggyee, well, i think we have to take suboptimal but better and continue to improve along the way vs. completely broken17:56
morganfainberggyee, this falls into the former category of a definite improvement, but perhaps not the long-term solution17:57
gyeemorganfainberg, yeah unfortunately17:57
shufflebotgyee: it is but I wouldn't think that mattered as OPENSTACK_SSL_NO_VERIFY = True17:58
shufflebotOPENSTACK_SSL_CACERT = '/etc/keystone/ssl/certs/ca.pem' are set17:58
morganfainberggyee, i'm going to +1 only because i can't do live tests right now, if you think it's not "broken" and is the incremental improvement mind +2/+A?17:58
shufflebotgyee: I'll try it though17:58
gyeemorganfainber, sure17:58
gyeesorry I mean morganfainberg17:58
morganfainberggyee, commented and said i asked you to look at it as well.17:59
morganfainberggyee, thanks.18:00
morganfainbergneed to get back to something on this end (have till end of day to complete it)18:00
gyeemorganfainberg, meh, I look forward to the 3 day break :)18:00
morganfainberggyee, lol18:00
shufflebotgyee: sadly: [Fri May 23 18:46:13 2014] [error] INFO:urllib3.connectionpool:Starting new HTTPS connection (1): $KEYSTONE_ENDPOINT18:01
shufflebot^ thats what comes up whenever I try to authorize against keystone18:01
shufflebot*throwing config on a gist.. holdon18:01
shufflebotgyee: https://gist.github.com/anonymous/263b4b97216131e0bbe918:03
*** gokrokve has joined #openstack-keystone18:06
gyeeshufflebot, can you try openssl to see if you can even talk to keystone?18:06
gyeeopenssl s_client -CAfile /etc/keystone/ssl/certs/ca.pem -connect keystonehost:500018:06
gyeealso, make sure the horizon process have read access to /etc/keystone/ssl/certs/ca.pem18:07
*** radez is now known as radez_g0n318:10
dstanekdolphm: those mid-cycle dates are prettry firm now, right?18:12
*** radez_g0n3 is now known as radez18:12
shufflebotgyee: mmk hangon18:18
shufflebotgyee: the openssl command worked fine. I think it might be the httpd user doesn't have access to the /etc/keystone/ss/certs/ca.pem <-- trying now18:20
*** radez is now known as radez_g0n318:27
*** bobt has joined #openstack-keystone18:31
*** bknudson has joined #openstack-keystone18:33
*** packet has quit IRC18:38
*** schofield is now known as schofield_away18:38
*** packet has joined #openstack-keystone18:39
*** marcoemorais has quit IRC18:45
*** marcoemorais has joined #openstack-keystone18:46
*** marcoemorais has quit IRC18:46
*** marcoemorais has joined #openstack-keystone18:47
*** marcoemorais has quit IRC18:47
*** marcoemorais has joined #openstack-keystone18:48
*** andreaf_ has quit IRC18:48
*** ukalifon1 has quit IRC18:49
*** marcoemorais has quit IRC18:49
*** marcoemorais has joined #openstack-keystone18:49
bknudsonhttps://review.openstack.org/#/c/94397/ is the backport to stable/icehouse. There were conflicts18:54
nkinderbknudson: I'll start reviewing now...18:57
*** radez_g0n3 is now known as radez18:58
nkinderbknudson: where were the conflicts?  In the fakeldap/test code?18:59
nkinderbknudson: it looks like you had to pull in a little extra stuff in fakeldap18:59
bknudsonnkinder: yes, there were conflicts there.19:00
bknudsonnkinder: maybe should have backported the fix for , in DN first.19:00
bknudsonactually, that might be in review already19:00
bknudsonnope, I don't see it19:01
bknudsonnkinder: so, I don't think having a user with a , in the ID would work on icehouse anyways.19:03
nkinderwhy is that?19:04
nkinderbecause the other fix is missing?19:04
nkinderbknudson: https://bugs.launchpad.net/keystone/+bug/130210619:05
uvirtbotLaunchpad bug 1302106 in keystone/havana "LDAP non-URL safe characters cause auth failure" [High,Fix committed]19:05
nkinderbknudson: that is in icehouse, so it should work19:05
bknudsonnkinder: ah, I must have added the tests in a separate commit.19:06
nkinderbknudson: yep - https://review.openstack.org/#/c/85478/19:08
nkinderbknudson: the test never went into icehouse19:11
bknudsonnkinder: y, I should have suggested that the test review gets merged in with the fix review19:11
nkinderbknudson: there was also another related patch that only went into master - https://review.openstack.org/#/c/87142/19:12
bknudsonnkinder: that covered some other situations where values weren't being escaped for the filter string. Nobody had complained about these ones.19:13
bknudsonjust seems like good hygiene to generate query strings properly.19:14
nkinderbknudson: ok, so does your proposed patch for icehouse stand as is, or do we need to add the other comma test?19:16
bknudsonnkinder: I think the proposed patch stands as is.19:17
nkinderbknudson: ok.  I just gave it a +1.19:18
bknudsonI've been trying it with devstack and looks like it's working as expected19:19
nkinderbknudson: devstack for icehouse?19:26
bknudsonnkinder: turns out that current devstack works with icehouse keystone.19:26
bknudsonwe'll see how long that lasts.19:26
nkinderbknudson: I've never tried to use branches with devstack19:27
bknudsonnkinder: I'll probably need a vm for icehouse19:28
bknudsonwhen it stops working19:28
*** thedodd has quit IRC19:31
*** erecio_1 has joined #openstack-keystone19:36
*** erecio has quit IRC19:39
*** sbfox has quit IRC19:40
*** sbfox has joined #openstack-keystone19:43
*** schofield_away is now known as schofield19:43
*** marcoemorais has quit IRC19:44
*** marcoemorais has joined #openstack-keystone19:45
*** radez is now known as radez_g0n319:46
*** jsavak has joined #openstack-keystone19:51
openstackgerritA change was merged to openstack/keystone: Stronger assertion for test_user_extra_attribute_mapping  https://review.openstack.org/8714519:51
*** joesavak has quit IRC19:54
*** erecio_2 has joined #openstack-keystone19:58
*** leseb has joined #openstack-keystone19:58
*** erecio_1 has quit IRC20:01
*** thedodd has joined #openstack-keystone20:02
morganfainbergdstanek, i think https://review.openstack.org/#/c/77325/16/keystone/common/utils.py the log.info on truncate is still too much noise20:07
morganfainbergdstanek, that log will occur everytime someone authenticates afaict20:07
morganfainbergdstanek, it feels more like a debug log if anything20:07
morganfainbergdstanek, "We're following exactly how you configured your installation to work" doesn't provide a lot of value imo20:08
openstackgerritDolph Mathews proposed a change to openstack/keystone: install from source docs never actually install the keystone service  https://review.openstack.org/9525820:10
dolphmschofield: https://review.openstack.org/#/c/95258/20:11
rodrigodsbknudson, What do you think about update the docstring at role_assignments patch with: "Is only possible to provide either an user or group, not both. The same is true for domain and project."20:11
bknudsonrodrigods: say what the behavior is -- if both user and group are provided then whatever exception is raised.20:12
bknudsonif both domain and project are provided then whatever exception is raised.20:12
rodrigodsbknudson, ok20:12
morganfainbergdolphm, so after talking at the summit i think the general consensus was to go w/ JSONSchema validation for everything - I'll be trying to hammer that out for tokens here once i'm settled in next week so we always do pki validation (first step to non-persistent) in the server20:12
morganfainbergdolphm, vs protobuf or something else.20:12
openstackgerritDolph Mathews proposed a change to openstack/keystone: install from source docs never actually install the keystone service  https://review.openstack.org/9525820:12
dolphmschofield: much better https://review.openstack.org/#/c/95258/20:13
dolphmmorganfainberg: ++ but why make non-persistence dependent on validation?20:13
*** erecio_2 has quit IRC20:14
shufflebotgyee: getting this error with nova when running openstakc-status ERROR: hostname '10.192.2.121' doesn't match u'test-control-2'20:14
morganfainbergdolphm, i think i need a way to ensure we have all the data w/o doing the crazy lookups - also we need to be able to have an internal "token format" that can be emitted v2 or v3. basically, avoiding the whole "if v2 -> code path, if v3 -> other code" when validating20:14
gyeeshufflebot, that the ssl host validation error?20:15
morganfainbergdolphm, might be easier to convert to a consistent data structure instead of retrofitting a standard structure in once we have non-persistent. -- i think.20:15
morganfainbergdolphm, i guess we could go either way.20:16
openstackgerritRodrigo Duarte Sousa proposed a change to openstack/python-keystoneclient: Add /role_assignments endpoint support  https://review.openstack.org/9157820:17
*** dstanek is now known as dstanek_zzz20:17
shufflebotgyee: I'd belive so20:17
shuffleboteven though direct nova commands work fine20:18
openstackgerritRodrigo Duarte Sousa proposed a change to openstack/python-keystoneclient: Add /role_assignments endpoint support  https://review.openstack.org/9157820:21
gyeeshufflebot, I am guess nslookup 10.192.2.121 doesn't match test-control-220:27
gyeeguessing20:27
openstackgerritA change was merged to openstack/keystone: LDAP fix for get_roles_for_user_and_project user=group ID  https://review.openstack.org/9447020:28
*** doddstack has joined #openstack-keystone20:33
-openstackstatus- NOTICE: Gerrit will be offline for about 20 minutes in order to rename some projects starting at 21:00 UTC.20:33
*** marcoemorais1 has joined #openstack-keystone20:35
*** thedodd has quit IRC20:35
*** dstanek_zzz is now known as dstanek20:36
*** marcoemorais has quit IRC20:37
dstanekmorganfainberg: if would be fine to me to make that a debug, but the patch is less chatty already so i'm also fine with it as-is20:38
*** joesavak has joined #openstack-keystone20:41
*** jsavak has quit IRC20:44
*** amerine has quit IRC20:44
*** amerine has joined #openstack-keystone20:44
openstackgerritBrant Knudson proposed a change to openstack/keystone: Remove obsolete note from ldap  https://review.openstack.org/9526320:45
openstackgerritSteve Martinelli proposed a change to openstack/python-keystoneclient: Authenticate via oauth  https://review.openstack.org/8198120:46
openstackgerritSteve Martinelli proposed a change to openstack/python-keystoneclient: Add example script for oauth1 functions  https://review.openstack.org/8019320:50
*** gordc has left #openstack-keystone20:56
*** raildo has quit IRC20:56
openstackgerritSteve Martinelli proposed a change to openstack/python-keystoneclient: Add example script for oauth1 functions  https://review.openstack.org/8019320:57
*** rodrigods has quit IRC20:59
*** joesavak has quit IRC21:03
*** marcoemorais1 has quit IRC21:08
*** marcoemorais has joined #openstack-keystone21:08
*** jamielennox is now known as jamielennox|away21:08
*** leseb_ has joined #openstack-keystone21:23
*** jamielennox|away is now known as jamielennox21:23
openstackgerritA change was merged to openstack/keystone: Regenerate sample config  https://review.openstack.org/9273021:23
*** leseb has quit IRC21:25
openstackgerritA change was merged to openstack/python-keystoneclient: Fixed an aparent typo in the code  https://review.openstack.org/9521421:30
-openstackstatus- NOTICE: Gerrit is offline in order to rename some projects. ETA: 22:00.21:35
*** ChanServ changes topic to "Gerrit is offline in order to rename some projects. ETA: 22:00."21:35
*** leseb_ has quit IRC21:42
*** packet has quit IRC21:49
*** arunkant has quit IRC21:50
*** dstanek is now known as dstanek_zzz21:53
*** harlowja_ is now known as harlowja_away21:59
openstackgerritJohn Dennis proposed a change to openstack/keystone: Add module implementing DN, RDN & AVA objects to improve DN handling  https://review.openstack.org/9528222:02
*** mattinator has quit IRC22:04
*** doddstack has quit IRC22:11
*** sbfox1 has joined #openstack-keystone22:11
*** sbfox has quit IRC22:12
*** bknudson has quit IRC22:12
*** bknudson has joined #openstack-keystone22:12
*** openstackgerrit has quit IRC22:14
*** openstackgerrit has joined #openstack-keystone22:14
*** david-lyle has quit IRC22:16
*** nkinder has quit IRC22:18
*** openstackstatus has quit IRC22:18
*** openstack has joined #openstack-keystone22:18
*** harlowja_away is now known as harlowja_22:19
*** openstackstatus has joined #openstack-keystone22:19
*** ChanServ sets mode: +v openstackstatus22:19
*** sbfox1 has quit IRC22:26
*** gokrokve has quit IRC22:26
*** gokrokve has joined #openstack-keystone22:27
openstackgerritMonty Taylor proposed a change to openstack/keystone-specs: Updated gitreview file for repo rename  https://review.openstack.org/9529322:28
*** ChanServ changes topic to "Juno-1 June 12th! New formalized Identity-spec process for Juno-2 and beyond blueprints."22:28
*** gokrokve has quit IRC22:32
*** stevemar has quit IRC22:32
openstackgerritMonty Taylor proposed a change to openstack/keystone-specs: Updated gitreview file for repo rename  https://review.openstack.org/9529822:34
openstackgerritArun Kant proposed a change to openstack/keystone: Adding support for ldap connection pooling.(Work-in-progress)  https://review.openstack.org/9530022:42
*** dstanek_zzz is now known as dstanek22:44
*** dstanek is now known as dstanek_zzz22:54
*** dims has quit IRC22:56
*** morganfainberg is now known as morganfainberg_Z23:01
openstackgerritA change was merged to openstack/keystone: Mapping engine does not handle regex properly  https://review.openstack.org/9451823:19
*** r-daneel has quit IRC23:34
*** bobt has quit IRC23:36
*** dstanek_zzz is now known as dstanek23:36
*** dstanek is now known as dstanek_zzz23:46
*** ozialien has joined #openstack-keystone23:56
*** praneshp has quit IRC23:57
*** derek_c has joined #openstack-keystone23:58
*** praneshp has joined #openstack-keystone23:58
« Thursday, 2014-05-22 Index Saturday, 2014-05-24 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!