Tuesday, 2014-07-29

« Monday, 2014-07-28 Index Wednesday, 2014-07-30 »
*** dims_ has quit IRC00:03
*** marcoemorais has quit IRC00:16
*** hrybacki has joined #openstack-keystone00:24
*** navid_ has joined #openstack-keystone00:40
*** zzzeek has quit IRC00:41
*** marcoemorais has joined #openstack-keystone00:43
*** marcoemorais has quit IRC00:43
*** amerine has quit IRC00:48
*** jdennis1 has quit IRC00:51
*** gyee has quit IRC00:52
hrybackijamielennox: ping00:53
jamielennoxhrybacki: hey00:53
jamielennoxi ticked off one of your reviews, and put a comment on another00:54
hrybackiI shot you an email just before headed off of work00:54
hrybacki++ thank you00:54
jamielennoxi'm just going through auth_token now00:54
hrybackiokay00:54
hrybackiit's been quite the chore getting that patch to work00:54
openstackgerritA change was merged to openstack/keystone: Sqlite files excluded from the repo  https://review.openstack.org/10916500:56
*** gabriel-bezerra has quit IRC00:58
*** gabriel-bezerra has joined #openstack-keystone00:59
*** stevemar has joined #openstack-keystone01:01
openstackgerritHarry Rybacki proposed a change to openstack/keystone: Update setup docs with Fedora 20 dependencies  https://review.openstack.org/10617601:02
hrybackidamnit01:02
openstackgerritHarry Rybacki proposed a change to openstack/keystone: Update setup docs with Fedora 19+ dependencies  https://review.openstack.org/10617601:03
hrybackijamielennox: let me know if why added the property stuff isn't clear01:03
*** jdennis has joined #openstack-keystone01:05
*** gabriel-bezerra has quit IRC01:06
hrybackijamielennox: Next week is my last week working full time, next Thursday being my last day -- I'd like to get sessions merged before than if possible01:06
*** gabriel-bezerra has joined #openstack-keystone01:06
*** alex_xu has joined #openstack-keystone01:11
navid_@dolphm: hi01:16
*** amerine has joined #openstack-keystone01:21
openstackgerritHarry Rybacki proposed a change to openstack/keystone: Update setup docs with Fedora 19+ dependencies  https://review.openstack.org/10617601:28
hrybackistevemar: good catch -- not sure how that happened01:28
* stevemar shrugs at hrybacki 01:29
*** amerine has quit IRC01:30
jamielennoxstevemar: is there a spec for keystone-to-keystone that i can't find?01:30
stevemarjamielennox, not sure why you can't find it: https://github.com/openstack/keystone-specs/blob/master/specs/juno/keystone-to-keystone-federation.rst01:31
stevemari'm playing fast and loose, on laptop with no power connected, might go offline any minute01:31
jamielennoxstevemar: ok, for the record the more i do with SAML the less i like it - i don't think k2k via SAML is a good idea01:32
stevemarjamielennox, i wasn't onboard with it either at the beginning, but we drew it out on whiteboards and it made the most sense01:33
jamielennoxstevemar: i think it's only because people see apache modules as the ONLY means to do federation01:34
jamielennoxstevemar: i think we're going to need an in-python version as well01:34
jamielennoxanyway i don't think it'll be me writing the token->saml parsers so it's ok01:34
stevemarjamielennox, i'm looking at that tomorrow01:34
jamielennoxstevemar: so it cam up at summit that i think we need like a keystone interface for all these different mod_auth_X plugins such that they write there own landing page and then ask keystone for a token, rather than jam it through our existing auth plugins01:36
stevemarjamielennox, i'm hoping to leverage this library, specifically this part: https://github.com/rohe/pysaml2/blob/master/src/saml2/saml.py#L741-L75401:36
jamielennoxi think if we had something like that then having an in-python handler is just adding the route to the paste pipeline rather than the apache one01:36
*** xianghui has joined #openstack-keystone01:36
stevemarjamielennox, well, the Kent guys are working on that, i believe there is an active patch01:37
stevemarjamielennox, https://review.openstack.org/#/c/105597/ << the keystone code from Kent01:38
jamielennoxstevemar: ok, just means i need to follow all this more closely01:38
openstackgerritA change was merged to openstack/keystone: Fix for V2 token issued_at time changing  https://review.openstack.org/10974701:38
jamielennoxugh, they're still jamming it through the existing auth plugins01:39
*** mberlin1 has joined #openstack-keystone01:42
*** rwsu has quit IRC01:42
*** mberlin has quit IRC01:43
stevemarjamielennox, might be worth crafting an email to them01:43
jamielennox-1 and comments01:45
jamielennoxjust need to make sure i'm not ignored01:45
jamielennoxhopefully as of next week i'll have some time again i might be able to try it myself01:46
*** ncoghlan has joined #openstack-keystone01:47
ayounghrybacki, why F19 https://review.openstack.org/#/c/106176/  ?01:48
hrybackiayoung: 19+01:48
ayoungah01:48
hrybacki19/20 rather01:48
*** diegows has quit IRC01:50
*** cjellick_ has joined #openstack-keystone01:52
hrybackiayoung: docs test fails anyway. Duplicate virtualenv link. Any thoughts on pointing readers to http://www.virtualenv.org/ or https://pypi.python.org/pypi/virtualenv ?01:52
ayounghrybacki, you act like I actually understand all this Python stuff.  Vee env?  What is that?01:54
ayounghrybacki, what broke?01:54
hrybackiayoung: lol -- virtualenv is referenced by two links, the first is to it's respective PyPi repo and the other to the actual org's website01:55
jamielennoxhrybacki: i'd say it doesn't matter and if there is an existing link there you may as well reuse that01:55
ayounghrybacki, just reduce it to one link, then.01:55
*** cjellick has quit IRC01:56
*** cjellick_ has quit IRC01:56
ayounghrybacki, is it just complaining that the  link is in there twice?  Just drop one of them?02:03
hrybackiayoung: yeah it was a simple thing -- just wasn't sure which link to use02:03
hrybackiopted to stick with original one02:03
ayoungcoo02:03
*** stevemar has quit IRC02:03
openstackgerritHarry Rybacki proposed a change to openstack/keystone: Update setup docs with Fedora 19+ dependencies  https://review.openstack.org/10617602:05
*** topol has joined #openstack-keystone02:09
ayoungjamielennox, ok,  right now, Horizon does everything with just cachiung the token.  Does it make sense for Horizon to serialize a Keystone Client session (somehow) or to reconstitute the session on each Horizon request?02:11
jamielennoxreconstructing the session is cheap, i don't think i'd worry about serializing that02:13
ayoungjamielennox, here's what I learned:  to populate the Projects dropdown,  it calls http://git.openstack.org/cgit/openstack/django_openstack_auth/tree/openstack_auth/user.py#n22002:13
jamielennoxserializing the auth_plugin probably makes sense because you have discovery cached on there02:13
ayoungand the call to self._authorized_tenants = utils.get_project_list(  is in utils..02:13
jamielennoxas well as the catalog and such returned from auth02:13
ayounghttp://git.openstack.org/cgit/openstack/django_openstack_auth/tree/openstack_auth/utils.py#n10802:13
jamielennoxthat code makes sense02:15
ayoung client = get_keystone_client().Client(*args, **kwargs)02:15
ayoungso I need to replace that call with something that uses a sesssion...and an auth plugin02:15
jamielennoxayoung: i'd have the session passed into the call02:16
jamielennoxmaintain the plugin elsewhere02:16
jamielennoxyou'll still need to do some discovery but you can use session.get_endpoint() for that02:16
jamielennoxthen construct the appropriate client02:17
ayoungjamielennox, discover should happen in authenticate...02:17
jamielennoxand return02:17
jamielennoxauth and this are two seperate things02:17
ayounghttp://git.openstack.org/cgit/openstack/django_openstack_auth/tree/openstack_auth/backend.py#n6802:17
jamielennoxdiscovery *can* happen in authenticate02:17
jamielennoxif you construct a client like that i'm not sure you get discovery anywhere02:18
jamielennoxayoung: so you've got to look at it now as auth and client are no longer linked, you can use a v3 token with a v2 client and vice versa02:19
jamielennoxso yes you might do discovery to figure out which auth plugin to use, but you might not02:19
jamielennoxbut none of that tells you which client you should use02:20
*** cjellick has joined #openstack-keystone02:22
ayoungjamielennox, default to v3 and be done with it I think02:22
jamielennoxayoung: if you want, that's not a decision i can/should make in ksc02:23
ayoungjamielennox, right, that is for django-openstack-auth02:23
ayoungjamielennox, I'm wondering about the persistance of the auth plugin.02:24
jamielennoxayoung: this is something that is definetly going to come up, and i don't have a good answer for02:24
ayoungjamielennox, lets say that it has come up02:25
ayoungI need to solve this02:25
jamielennoxso the things worth persisting in an auth plugin are definetly the token and the information from it, the service catalog, and maybe the discovery cache02:26
jamielennoxdiscovery cache is going to be another thing that will come up from the likes of horizon02:26
jamielennoxi don't know if you should be allowed to dump out a password though02:26
jamielennoxthere are arguments for both02:27
*** cjellick has quit IRC02:31
ayoungjamielennox, I want to hold on to the unscoped and scoped tokens02:31
ayoungbut...wondering what to do about the service catatlog02:32
ayoungand is there anything else I need to hold on to?02:33
jamielennoxayoung: AccessInfo is just a dict02:34
jamielennoxif you can take that from the identity plugins you could trivially make a new plugin that just reused that02:35
ayoungjamielennox, ReuseTokenPlugin?02:35
jamielennoxyou will get a lot of discovery requests going out, if you can make horizon hold on to the session object that would be best02:35
ayoungno where to hold a Python object02:35
jamielennoxat all in horizon?02:36
ayoungjamielennox, nah, not at scale02:36
jamielennoxayoung: it's not going to be one per user, it'll be one object02:36
ayoungthe second request might have to repopulate the horizon session from memcache02:36
jamielennoxwell ideally it would be, i don't think the managers will support that02:36
ayoungdiscovery?  Hmmm  yeah, Horizon should do that once at startup02:37
jamielennoxayoung: i cache per url02:37
jamielennoxso that when you get an entry in the service catalog it does the lookup then02:37
ayoungjamielennox, you mean for the other clients?02:37
ayoungone for auth_url, and one per service catalog url?02:38
jamielennoxayoung: for everytihng that does discovery through the session/auth_plugin02:38
jamielennoxhmm, that's not true02:38
jamielennoxfor everything that the auth plugin tells you you can use02:38
ayoungjamielennox, Django has the ability to hold on to the client, but then it doesn't use it02:41
jamielennoxayoung: i can see the problem with holding on to every auth plugin02:42
jamielennoxwhat i thought they would reuse is the session object02:42
ayoungjamielennox, yeah we want to toll the Password Auth plugin once it has gotten the token02:43
ayoungtoll->toss02:43
jamielennoxthat's what will give them connection pooling and that's what i expected them to use for discovery caching02:43
ayoungjamielennox, connection pooling and auth plugins seem to be at odds02:44
*** gabriel-bezerra has quit IRC02:44
jamielennoxayoung: not really, they are at different layers02:44
jamielennoxthis is something i don't think i've communicated very well02:44
ayoungjamielennox, doesn't the session hold on to the auth plugin?02:45
*** gabriel-bezerra has joined #openstack-keystone02:45
jamielennoxyou can use a session without attaching the auth plugin02:45
jamielennoxinstead you provide it per request02:45
jamielennoxobviously you don't want to pass that through all the managers02:45
jamielennoxso the adapter handles that for you02:45
ayoungok, that sounds more like how we want to use it from horizon02:45
jamielennoxhttps://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/adapter.py#L6302:45
ayoungso what about this:02:46
jamielennoxso what that means is that when you create novaclient you don't put auth on the session02:46
jamielennoxyou create the session, you create the auth02:46
ayoungget session from Horizon out of some pool...02:46
jamielennoxthen you pass them both to nova.client(session=session, auth=auth)02:46
ayoungpassword_auth = utils.get_keystone_identity().Password(**kwargs)02:46
jamielennoxayoung: pool of 102:46
ayoungsession = utils.get_kcsession().Session(verify=ca_cert)02:46
ayoungthen02:46
ayoungwait...02:47
ayoungsession.get_token(password_auth)02:47
ayoungbut then I need to make a client...02:47
ayoung client = keystone_client.Client(session=session, debug=settings.DEBUG, insecure=insecure)02:47
ayoungat this point the auth plugin is embedded02:48
jamielennoxi'm not sure what you're trying to do there02:49
jamielennoxthings like ca_cert should come from horizon's config file02:50
jamielennoxso you only ever need one of those02:50
jamielennoxyou can create your password plugin and pass that to whatever you want to use it with02:50
jamielennoxyou can also rip out password.auth_ref at that point and save/cache that somewhere else for reuse02:51
jamielennoxyou need your own plugin to bring it back, but it's literally about 5 lines02:51
jamielennoxyou then pass session and auth as seperate objects any time you want to construct a client02:52
jamielennoxnote, i don't think that keystoneclient actually takes auth and session seperately yet - i've made sure to do this in the clients i'm converting but i'm not sure about keystoneclient02:52
jamielennoxthere's a review out that would fix that though i think02:53
jamielennoxneed to bring it back: https://review.openstack.org/#/c/97681/02:54
jamielennoxotherwise you could short term just add it to the things that HTTPClient takes02:54
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Make keystoneclient use an adapter  https://review.openstack.org/9768102:57
morganfainberghm..02:59
*** stevemar has joined #openstack-keystone03:00
* jamielennox is going for some food 03:01
* ayoung even more confused than before I started03:04
*** harlowja is now known as harlowja_away03:07
*** harlowja_away is now known as harlowja03:08
ayoungjamielennox, I think that the session objects need to be specific to a user.  It does not look like it is safe or correct to share session objects.  As you said oin your blog:  "When working with clients you would first create an authentication object, then create a session object with that authentication and then re-use that session object across all the clients you instantiate."03:11
ayoungSo, maybe the right abstraction is that the Horizon User object holds on to the session03:12
ayoung I need to read up a little on how Django Users work.   Django- Openstack _auth seems to be extending a Base Django user Object03:12
jamielennoxayoung: right, but i modelled this off of requests sessions03:19
jamielennoxso the idea was that you can attach an auth object and you would always be authenticated via that session03:19
*** gabriel-bezerra has quit IRC03:19
jamielennoxor you could pass an auth object for calls that you want to be authenticated03:19
jamielennoxso long as youre not mixing and matching eiteher should be fine03:20
*** gabriel-bezerra has joined #openstack-keystone03:20
openstackgerritA change was merged to openstack/python-keystoneclient: Example JSON files should be human-readable  https://review.openstack.org/10821003:24
openstackgerritA change was merged to openstack/keystonemiddleware: Example JSON files should be human-readable  https://review.openstack.org/10821103:24
openstackgerritA change was merged to openstack/keystonemiddleware: Use keystoneclient fixtures in middleware tests  https://review.openstack.org/10721203:24
ayoungjamielennox, there is  Token object in Django OpenStack Auth http://git.openstack.org/cgit/openstack/django_openstack_auth/tree/openstack_auth/user.py#n5403:26
ayoungThat holds the auth info03:27
*** cjellick has joined #openstack-keystone03:27
ayoungauth_ref.03:27
ayoungwell, the data from the auth ref03:27
*** alex_xu has quit IRC03:32
*** ayoung has quit IRC03:33
jamielennoxok03:34
*** cjellick has quit IRC03:36
*** alex_xu has joined #openstack-keystone03:45
*** stevemar has quit IRC03:46
*** stevemar has joined #openstack-keystone03:46
*** mitz has quit IRC04:06
*** mitz has joined #openstack-keystone04:10
*** chandankumar has joined #openstack-keystone04:15
*** ukalifon1 has joined #openstack-keystone04:23
*** david-lyle has joined #openstack-keystone04:25
*** ncoghlan is now known as ncoghlan_afk04:26
openstackgerritA change was merged to openstack/keystone: Update setup docs with Fedora 19+ dependencies  https://review.openstack.org/10617604:31
*** gabriel-bezerra has quit IRC04:31
*** gabriel-bezerra has joined #openstack-keystone04:31
*** hrybacki has quit IRC04:37
*** bvandenh has joined #openstack-keystone04:45
*** gabriel-bezerra has quit IRC04:45
*** gabriel-bezerra has joined #openstack-keystone04:46
*** ncoghlan_afk is now known as ncoghlan04:48
*** morganfainberg is now known as morganfainberg_Z04:59
*** david-lyle has quit IRC05:00
*** afazekas is now known as __afazekas05:00
*** david-lyle has joined #openstack-keystone05:00
*** david-lyle has quit IRC05:05
*** david-lyle has joined #openstack-keystone05:05
openstackgerritA change was merged to openstack/keystonemiddleware: Remove mox dependency  https://review.openstack.org/10988705:07
*** david-lyle has quit IRC05:12
*** amerine has joined #openstack-keystone05:12
*** david-lyle has joined #openstack-keystone05:12
*** ajayaa has joined #openstack-keystone05:13
*** david-lyle has quit IRC05:17
*** alex_xu has quit IRC05:22
*** gabriel-bezerra has quit IRC05:23
*** gabriel-bezerra has joined #openstack-keystone05:23
*** afazekas has joined #openstack-keystone05:26
*** harlowja is now known as harlowja_away05:26
*** ncoghlan is now known as ncoghlan_afk05:29
*** gabriel-bezerra has quit IRC05:31
*** gabriel-bezerra has joined #openstack-keystone05:31
*** jaosorior has joined #openstack-keystone05:42
*** topol has quit IRC05:52
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Convert shell tests to httpretty  https://review.openstack.org/11021005:57
*** jraim has quit IRC06:00
*** zhiyan has quit IRC06:00
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Convert shell tests to httpretty  https://review.openstack.org/11021006:01
*** ctracey has quit IRC06:01
*** serverascode has quit IRC06:04
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/10693906:04
*** jraim__ has joined #openstack-keystone06:05
*** zhiyan has joined #openstack-keystone06:05
*** ctracey has joined #openstack-keystone06:07
*** serverascode has joined #openstack-keystone06:13
*** ncoghlan_afk is now known as ncoghlan06:16
*** serverascode has quit IRC06:22
*** ctracey has quit IRC06:22
*** zhiyan has quit IRC06:23
*** jraim__ has quit IRC06:24
*** zhiyan has joined #openstack-keystone06:28
*** jraim__ has joined #openstack-keystone06:28
*** ctracey has joined #openstack-keystone06:29
*** serverascode has joined #openstack-keystone06:31
*** chandankumar has quit IRC06:35
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Make keystoneclient use an adapter  https://review.openstack.org/9768106:42
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Convert shell tests to httpretty  https://review.openstack.org/11021006:42
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Change unscoped token fallback to be session aware  https://review.openstack.org/10477106:42
*** ajayaa has quit IRC06:49
*** bvandenh has quit IRC06:52
*** tomoiaga has joined #openstack-keystone07:03
*** ajayaa has joined #openstack-keystone07:09
*** ncoghlan is now known as ncoghlan_afk07:16
*** ncoghlan_afk is now known as ncoghlan07:20
*** henrynash has joined #openstack-keystone07:25
*** __afazekas has quit IRC07:29
*** stevemar has quit IRC07:46
*** henrynash has quit IRC07:48
*** alex_xu has joined #openstack-keystone08:06
*** ajayaa has quit IRC08:09
openstackgerritAjaya Agrawal proposed a change to openstack/keystone-specs: Fixes a typo.  https://review.openstack.org/11023008:15
*** ncoghlan has quit IRC08:22
*** jamielennox is now known as jamielennox|away08:23
*** cjellick has joined #openstack-keystone08:24
*** cjellick has quit IRC08:29
*** ajayaa has joined #openstack-keystone08:29
*** andreaf has joined #openstack-keystone08:32
*** henrynash has joined #openstack-keystone08:35
*** henrynash has quit IRC09:11
*** alex_xu has quit IRC09:13
*** bvandenh has joined #openstack-keystone09:17
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Catch correct oslo.db exception  https://review.openstack.org/10893509:28
*** bvandenh has quit IRC09:39
openstackgerritA change was merged to openstack/python-keystoneclient: Use oslosphinx to generate doc theme  https://review.openstack.org/10947009:50
*** cjellick has joined #openstack-keystone10:02
*** cjellick has quit IRC10:03
*** cjellick has joined #openstack-keystone10:03
*** marzif has joined #openstack-keystone10:23
openstackgerritA change was merged to openstack/keystone: Correct revocation event test for domain_id  https://review.openstack.org/10981910:32
*** xianghui has quit IRC10:36
*** toddnni has quit IRC10:42
*** ajayaa has quit IRC11:03
*** ajayaa has joined #openstack-keystone11:16
*** baffle_ is now known as baffle11:38
*** baffle has quit IRC11:39
*** diegows has joined #openstack-keystone12:11
openstackgerritIhar Hrachyshka proposed a change to openstack/keystone: migration: adopt for MySQL Connector  https://review.openstack.org/11027112:13
*** miqui has joined #openstack-keystone12:18
*** bvandenh has joined #openstack-keystone12:38
*** gordc has joined #openstack-keystone12:41
*** jasondotstar has joined #openstack-keystone12:57
*** lbragstad has joined #openstack-keystone12:57
*** hrybacki has joined #openstack-keystone13:01
*** bvandenh has quit IRC13:03
*** miqui has quit IRC13:14
*** joesavak has joined #openstack-keystone13:16
*** tomoiaga has quit IRC13:19
*** stevemar has joined #openstack-keystone13:28
*** dims has joined #openstack-keystone13:31
openstackgerritAjaya Agrawal proposed a change to openstack/keystone-specs: Fixes a typo.  https://review.openstack.org/11023013:40
*** ajayaa has quit IRC13:40
*** bknudson has joined #openstack-keystone13:41
*** tomoiaga has joined #openstack-keystone13:44
*** lnxnut has joined #openstack-keystone13:48
*** lbragsta_ has joined #openstack-keystone13:56
*** lbragsta_ has quit IRC13:57
*** lbragsta_ has joined #openstack-keystone13:58
*** lbragstad has quit IRC13:58
*** alex_xu has joined #openstack-keystone14:08
openstackgerritA change was merged to openstack/keystone-specs: Fixes a typo.  https://review.openstack.org/11023014:09
*** chandankumar has joined #openstack-keystone14:11
*** gabriel-bezerra has quit IRC14:11
*** gabriel-bezerra has joined #openstack-keystone14:12
*** dhellmann has quit IRC14:17
*** dhellmann has joined #openstack-keystone14:20
*** gabriel-bezerra has quit IRC14:29
*** david-lyle has joined #openstack-keystone14:30
*** dims has quit IRC14:31
*** david-ly_ has joined #openstack-keystone14:31
*** gabriel-bezerra has joined #openstack-keystone14:31
*** david-ly_ is now known as david-lyle_14:33
*** david-lyle has quit IRC14:35
*** david-lyle_ is now known as david-lyle14:43
*** chandankumar has quit IRC14:43
*** gabriel-bezerra has quit IRC14:47
*** gabriel-bezerra has joined #openstack-keystone14:47
*** jsavak has joined #openstack-keystone14:56
*** chandankumar has joined #openstack-keystone14:58
*** joesavak has quit IRC14:58
*** morganfainberg_Z is now known as morganfainberg15:01
*** jsavak has quit IRC15:04
*** joesavak has joined #openstack-keystone15:04
*** gabriel-bezerra has quit IRC15:05
*** gabriel-bezerra has joined #openstack-keystone15:07
*** chandankumar has quit IRC15:08
dstaneklbragsta_: ping15:09
*** lbragsta_ is now known as lbragstad15:10
lbragstaddstanek: pong15:10
morganfainberglbragstad, dstanek, https://review.openstack.org/#/c/110039/ if you have a moment15:11
morganfainbergstevemar, ^ cc15:11
dstanekmorganfainberg: looking now15:13
morganfainbergdstanek, please note my comment.15:14
morganfainbergi just don't want to be the blocker on infra being able to use tox 1.7.215:14
morganfainbergwe will need to do the same (probably) for keystoneclient and keystonemiddleware15:15
dstanekmorganfainberg: haha, where do we do that kind or comparison?15:15
morganfainbergdstanek, all over the catalog15:15
dstaneknice15:15
morganfainbergand those are the only cases i've *found*15:15
morganfainbergbut i think we need to create a recursive 'assertDictEqual' method15:16
lbragstadFYI: bugs opened against Keystone this week and status: http://paste.openstack.org/show/88936/15:16
morganfainbergbut yeah [{'endpoint': {'id': 1, [{"interface": "admin", "url": ... }, {"interface": "internal", "url": ...}]}, {'endpoint': {'id': 2, [{"interface": "admin", "url": ... }, {"interface": "internal", "url": ...}]}]15:17
morganfainbergthat doesn't *need* to be a list15:17
morganfainbergi'd argue it shouldn't be a list15:17
morganfainbergbut changing the format of the catalog would be *bad*15:18
morganfainberglbragstad, nice15:18
openstackgerritA change was merged to openstack/keystone-specs: Specification for OpenID Connect  https://review.openstack.org/10789015:19
morganfainbergwe should totally get the untriaged bot that triple-o has.15:19
morganfainberg:)15:19
morganfainbergit's kinda cool15:19
*** vhoward has left #openstack-keystone15:21
lbragstadmorganfainberg: ?15:21
*** vhoward has joined #openstack-keystone15:21
lbragstadmorganfainberg: how often does it run? daily?15:21
morganfainbergi think once a day15:21
morganfainbergor twice a day15:21
lbragstadnice15:21
morganfainbergit repors the bugs to irc15:21
* morganfainberg will need to ask the tripleo team about it15:22
lbragstaddstanek: did you need something?15:24
lbragstaddstanek: pinging earlier?15:24
*** cjellick has quit IRC15:29
dstaneklbragstad: yeah, i put together a string of commits as a proof of concept for object based schema15:29
*** cjellick has joined #openstack-keystone15:30
lbragstaddstanek: sweet15:30
dstaneklbragstad: it was a very interesting process for sure15:30
lbragstaddstanek: and you were able to work around the config import issue?15:30
dstaneklbragstad: not yet, but i know how it can be done; it's just ugly15:31
*** hrybacki has quit IRC15:31
lbragstaddstanek: ok15:31
lbragstaddstanek: do you have it written up as a gist, or?15:32
lbragstadproposed?15:32
dstaneki'll push it up in just a second15:32
dstanekit requires several changes to my schema library that i need to get committed15:33
lbragstadah15:34
lbragstaddstanek: are we going to include that in the keystone?15:34
lbragstaddstanek: or a separate library, like dolphm suggested?15:34
*** cjellick has quit IRC15:35
lbragstads/the//15:35
dstaneklbragstad: i would be fine with either - i've already released is separately, but it's really only a single file15:35
lbragstaddstanek: that should be fine? I would think we could keep it that way and just expand on it iff we need to15:35
dstaneklbragstad: i really just wanted to get this proof of concept out of my head - if we use it great and if not then i can at least sleep a little better at night :-)15:36
lbragstadlol15:36
lbragstaddstanek: I think that is the direction that jamielennox|away wanted to go anyway15:37
*** zzzeek has joined #openstack-keystone15:38
dstaneklbragstad: the reason the config stuff is difficult is the decorator15:39
lbragstadyeah15:39
lbragstadI don't think we *need* to have the configuration option in order to complete the validation of the keystone api, but it is nice allowing the user to define the how tight the id_strings should be15:40
openstackgerritBrant Knudson proposed a change to openstack/identity-api: JSON Home support  https://review.openstack.org/10988115:42
*** rwsu has joined #openstack-keystone15:42
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fixes syntax error in tests  https://review.openstack.org/11033515:46
openstackgerritDavid Stanek proposed a change to openstack/keystone: Splits generic validation tests from model tests  https://review.openstack.org/11033615:46
openstackgerritDavid Stanek proposed a change to openstack/keystone: Adds a dependency on jsd  https://review.openstack.org/11033715:46
openstackgerritDavid Stanek proposed a change to openstack/keystone: Makes domain_id required for projects  https://review.openstack.org/11033815:46
openstackgerritDavid Stanek proposed a change to openstack/keystone: Convert projects from embeded JSON to jsd schemas  https://review.openstack.org/11033915:46
openstackgerritDavid Stanek proposed a change to openstack/keystone: Initial attempt at lazy configs - ugly  https://review.openstack.org/11034015:46
dstaneki need to mark all that as wip15:46
morganfainberghehe15:46
dstaneklbragstad: here is the difference in how it looks https://review.openstack.org/#/c/110339/15:49
*** cjellick has joined #openstack-keystone15:50
lbragstaddstanek: I like https://review.openstack.org/#/c/110339/1/keystone/assignment/schema.py15:50
*** amcrn has joined #openstack-keystone15:51
dstaneklbragstad: the thing i'm most unhappy with is the same complaint i have with django models - require vs. nullable15:54
lbragstadwe had that issue with regions, I think15:54
*** cjellick has quit IRC15:54
dstaneklbragstad: http://paste.openstack.org/show/88773/15:54
lbragstad√15:55
lbragstadhttps://github.com/openstack/keystone/blob/f4267c1d8b16a2c617edf87bd29ddb8ab81455ec/keystone/catalog/core.py#L89-L9215:55
dstaneki'm struggling with a usecase for #215:55
dstanekand maybe 315:55
*** cjellick has joined #openstack-keystone15:55
dstanekno 3 is valid15:55
lbragstaddstanek: a use case for 2 would be region creation15:56
lbragstadthe db schema for regions requires a description15:56
lbragstadregion.description can't be null, but it doesn't have to be unique15:57
lbragstadso two regions can have the same description string ''15:57
lbragstaddstanek: do you have a usecase for #3?15:57
dstaneklbragstad: but for regions you can't have a null value right?15:58
dstanek#2 forces the key to exist in the object, but allows for a null value15:59
lbragstaddstanek: oh, right15:59
lbragstadyeah, region.description can't be null...15:59
lbragstadhttps://github.com/openstack/keystone/blob/f4267c1d8b16a2c617edf87bd29ddb8ab81455ec/keystone/common/sql/migrate_repo/versions/037_add_region_table.py#L2616:00
dstanekso maybe i can get rid of nullable after all. I wanted to just set 'required=True' to mean that the property must be in the object and that it needs an actual value16:00
lbragstadhttps://github.com/openstack/keystone/blob/f4267c1d8b16a2c617edf87bd29ddb8ab81455ec/keystone/common/sql/migrate_repo/versions/043_fixup_region_description.py#L5216:00
lbragstaddstanek: ok16:01
dstaneki added it in because one of the existing tests broke...let me see which one16:01
*** marcoemorais has joined #openstack-keystone16:03
dstaneklbragstad: the 'test_create_schema_with_null_string_on_required_fails' test fails because if the original code the uuid was not actually required, but can't be null16:06
*** dims has joined #openstack-keystone16:08
lbragstadlooks like the only places where we have nullable=True, from a db perspective, is region.parent_region_id and trust.remaining_uses.16:09
dolphmlbragstad: isn't nullable=True the default?16:11
morganfainbergdolphm, yes16:11
dolphmlbragstad: region description should certainly be nullable16:11
lbragstadI guess I was looking at places were we specify16:11
openstackgerritA change was merged to openstack/keystone: Add workaround to support tox 1.7.2  https://review.openstack.org/11003916:11
dolphmlbragstad: do a schema dump from mysql or something that will show that for every column16:12
morganfainbergdolphm, lbragstad, i thought we decided region description would not be nullable16:12
dolphmmorganfainberg: refresh me?16:12
lbragstadregion.description isn't nullable.16:12
morganfainbergbut that the controller would set the value to '' if it was a none16:12
dolphmmorganfainberg: ah ++16:13
lbragstadmorganfainberg: ++16:13
lbragstadyeah, that's taken care of in the Manager16:13
dolphmall the descriptions could behave that way16:13
lbragstadhttps://github.com/openstack/keystone/blob/f4267c1d8b16a2c617edf87bd29ddb8ab81455ec/keystone/catalog/core.py#L89-L9216:14
*** gyee has joined #openstack-keystone16:16
lbragstadcredential.project_id can be null16:17
lbragstadso can credential.extra16:17
dstanekthere are really a few high level cases i think i case about http://paste.openstack.org/show/88951/ (the bottom list)16:18
lbragstadso can domain.extra, endpoint.legacy_endpoint_id, endpoint.region, endpoint.extra, policy.extra, region.extra, region.parent_region_id, a lot of stuff in revocation_event table, role.extra, service.type, service.extra16:21
lbragstadtoken.expires, token.extra, token.trust_id, token.user_id16:22
lbragstadthere are quite a few columns that can be nullable16:22
dolphmdstanek: ++16:22
lbragstaddstanek: makes sense16:23
dolphmlbragstad: the .extra ones shouldn't be nullable... they should default to '{}'16:23
dolphmlbragstad: but anyway, extra isn't an attribute to be validated at the API layer16:23
lbragstaddolphm: ok, most all .extra columns are nullable16:23
dolphmlegacy_endpoint_id is also not exposed to the API16:24
lbragstaddolphm: yeah, we are passing that through with additionalAttributes: true16:24
*** jsavak has joined #openstack-keystone16:24
dolphmi'm not sure why service.type should be nullable - that's quite important16:25
lbragstaddolphm: yeah16:25
dolphmtoken.expires should be non-nullable, i think (worst case is a token that expires far in the future?)16:25
lbragstaddolphm: quite a bit of stuff in token is16:25
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Remove trust dependency on token_api  https://review.openstack.org/10946216:26
dolphmtoken.user_id should be non-nullable16:26
dolphmunless that's something to do with federation or something (?)16:26
morganfainbergdolphm, the token schema is all sorts of wacky16:26
dolphmlbragstad: so that leaves endpoint.region, region.parent_region_id, most attributes of revocation events, and token.trust_id16:26
dolphmmorganfainberg: ++16:27
dolphmmorganfainberg: that table has a schema?16:27
morganfainbergdolphm, lol16:27
lbragstaddolphm: the user table has some stuff that is nullable too16:27
lbragstadnot sure how much that matters16:27
morganfainbergi;d leave the token table alone if we can.16:27
*** joesavak has quit IRC16:27
*** gabriel-bezerra has quit IRC16:27
dolphmlbragstad: user.password?16:28
lbragstaduser.password, user.enabled, user.default_project_id16:28
lbragstadare all nullable16:28
*** gabriel-bezerra has joined #openstack-keystone16:28
*** gordc is now known as gordc_lunch16:32
*** marcoemorais has quit IRC16:33
morganfainberguser.password is nullable for some *real* reason i can't remember16:34
lbragstadssh key pairs?16:34
morganfainbergdefault_project_id should be nullable16:34
morganfainberglbragstad, maybe?16:34
*** marcoemorais has joined #openstack-keystone16:34
lbragstadthat's the big reason I can think of...16:34
morganfainbergenabled, that should be handled at the manager level - if anything and should not be nullable16:34
lbragstadyeah16:34
raildogyee: I answered your questions there, if you can take a look https://review.openstack.org/#/c/101017/14/specs/juno/hierarchical_multitenancy.rst16:37
gyeeraildo, sure16:38
*** gabriel-bezerra has quit IRC16:38
lbragstadso, should we go through all those tables and switch them?16:38
lbragstador compensate at the manager layers for each?16:38
*** gabriel-bezerra has joined #openstack-keystone16:39
gyeeraildo, I only see patch 1416:44
*** afazekas has quit IRC16:44
*** gabriel-bezerra has quit IRC16:48
*** dims has quit IRC16:49
*** gabriel-bezerra has joined #openstack-keystone16:49
*** dims has joined #openstack-keystone16:50
*** marzif has quit IRC16:54
*** tomoiaga has quit IRC16:55
*** aqweqwe has joined #openstack-keystone16:58
*** aqweqwe has quit IRC16:58
*** gokrokve has joined #openstack-keystone17:00
*** jdennis1 has joined #openstack-keystone17:03
*** gabriel-bezerra has quit IRC17:06
*** jdennis has quit IRC17:06
*** gabriel-bezerra has joined #openstack-keystone17:07
*** ayoung has joined #openstack-keystone17:11
raildogyee: I answered the comments in this patch.17:17
*** gabriel-bezerra has quit IRC17:19
*** gabriel-bezerra has joined #openstack-keystone17:19
*** nkinder is now known as nkinder_away17:21
*** bvandenh has joined #openstack-keystone17:22
*** gmurphy has quit IRC17:26
*** gabriel-bezerra has quit IRC17:27
*** amerine has quit IRC17:27
*** gabriel-bezerra has joined #openstack-keystone17:28
*** gmurphy has joined #openstack-keystone17:29
*** marekd|away has quit IRC17:29
*** amerine has joined #openstack-keystone17:29
*** marekd|away has joined #openstack-keystone17:29
*** hrybacki has joined #openstack-keystone17:30
*** david-lyle has quit IRC17:33
*** david-lyle has joined #openstack-keystone17:33
*** david-lyle has quit IRC17:35
*** david-lyle has joined #openstack-keystone17:36
*** harlowja_away is now known as harlowja17:36
*** gabriel-bezerra has quit IRC17:36
*** nonameentername has joined #openstack-keystone17:36
*** gabriel-bezerra has joined #openstack-keystone17:37
lbragstaddstanek: so if we use something like http://paste.openstack.org/show/88969/ for domain and region validation,17:37
lbragstadwe will still need separate schemas for the update requests?17:38
lbragstaddstanek: oh wait... never mind17:40
dstaneklbragstad: did you answer yourself?17:40
*** chandankumar has joined #openstack-keystone17:41
lbragstaddstanek: https://review.openstack.org/#/c/110339/1/keystone/common/validation/__init__.py17:41
*** gabriel-bezerra has quit IRC17:41
lbragstaddstanek: so, based on that, in order to use jsd, the schema has to be written for the create case, right?17:42
dstaneklbragstad: yep, I'm moving something similar into the library too17:42
lbragstadand def restful_update_schema() will handle converting that schema to update format17:42
*** gabriel-bezerra has joined #openstack-keystone17:42
lbragstadand not having something like 'name' required in the update request when it should be required for the create request.17:43
*** david-lyle has quit IRC17:44
*** topol has joined #openstack-keystone17:44
lbragstaddstanek: cool, I'm curious to see it in the library17:44
*** david-lyle has joined #openstack-keystone17:44
*** henrynash has joined #openstack-keystone17:46
lbragstaddstanek: are you going to move that utility to jsd.py or into a utils module of jsd?17:47
*** amerine_ has joined #openstack-keystone17:48
*** gordc_lunch is now known as gordc17:48
*** david-lyle has quit IRC17:49
*** ukalifon1 has quit IRC17:50
*** amerine has quit IRC17:51
openstackgerritguang-yee proposed a change to openstack/keystone: KeyError instead of exception.KeyError  https://review.openstack.org/11039717:53
*** gabriel-bezerra has quit IRC17:56
stevemargordc, i think i found out why your patch was erroring, made comments17:56
*** henrynash has quit IRC17:58
*** gabriel-bezerra has joined #openstack-keystone17:58
*** henrynash has joined #openstack-keystone17:58
gordcstevemar: yeah it worked with something similar. i guess interpreter doesn't know how to traverse multiple levels?17:59
stevemargordc, i dunno, it's weird18:00
dstaneklbragstad: i'm not entirely sure yet how it'll look - i'm in the middle of some significant changes18:00
gordcstevemar: too lazy to figure it out. thanks for the help18:00
stevemarnp18:00
lbragstaddstanek: ok, let me know if you need anything. I'm looking through the purposed revieews18:00
lbragstadreviews*18:01
*** marcoemorais has quit IRC18:02
dstaneklbragstad: i tried to break it up to tell a story of how i got to the end result18:02
*** marcoemorais has joined #openstack-keystone18:02
lbragstadyep18:03
*** david-lyle has joined #openstack-keystone18:07
*** jamielennox|away is now known as jamielennox18:07
*** gabriel-bezerra has quit IRC18:10
*** jorge_munoz has joined #openstack-keystone18:10
*** gabriel-bezerra has joined #openstack-keystone18:11
*** marcoemorais has quit IRC18:12
*** marcoemorais has joined #openstack-keystone18:12
*** topol has quit IRC18:13
*** marcoemorais has quit IRC18:13
*** marcoemorais has joined #openstack-keystone18:14
*** gabriel-bezerra has quit IRC18:17
*** gabriel-bezerra has joined #openstack-keystone18:17
*** marcoemorais has quit IRC18:26
*** marcoemorais has joined #openstack-keystone18:26
*** gabriel-bezerra has quit IRC18:27
*** gabriel-bezerra has joined #openstack-keystone18:28
*** gabriel-bezerra has quit IRC18:29
*** gabriel-bezerra has joined #openstack-keystone18:30
hrybackiayoung: can a strong argument be made for either creating the session within AuthProtocol and handing it to IdenitityServer as a param vs creating it when IdentityServer is instantiated in auth_token?18:32
ayounghrybacki, Keystone meeting happening right now in #openstack-meeting,  you might want to monitor. We can discuss after.18:34
hrybackiayoung: damnit++18:34
*** marekd|away has quit IRC18:37
openstackgerritgordon chung proposed a change to openstack/keystonemiddleware: Adding audit middleware to keystonemiddleware  https://review.openstack.org/10295818:38
openstackgerritgordon chung proposed a change to openstack/keystonemiddleware: Adding audit middleware to keystonemiddleware  https://review.openstack.org/10295818:40
openstackgerritOpenStack Proposal Bot proposed a change to openstack/identity-api: Updated from global requirements  https://review.openstack.org/11041518:41
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements  https://review.openstack.org/10900218:41
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/11009818:41
stevemargordc, the patch looks good18:43
*** gabriel-bezerra has quit IRC18:44
gordcstevemar: cool cool. let me know if anything needs to be changed/18:44
*** gabriel-bezerra has joined #openstack-keystone18:47
*** jogo has joined #openstack-keystone18:47
jogomorganfainberg: ping have a v3 question18:47
morganfainbergjogo, have the keystone meeting going on at the moment, but sure, i'm here (might take a few moments to answer though)18:47
morganfainbergjogo, ask away :)18:48
*** bvandenh has quit IRC18:48
*** marekd|away has joined #openstack-keystone18:50
*** gmurphy has quit IRC18:50
jogomorganfainberg: we are talking about what the final steps are for moving nova to keystone v318:50
stevemarjogo, that sounds super exciting18:51
jogoit sounds like we need an update to the policy file to ignore domain scoped tokens? is that correct18:51
dimsguess we need to try devstack with nova using v3...or do we already have a switch for that?18:51
jogomorganfainberg: if so, sounds like that is the last thing we need to do18:52
morganfainbergjogo, hm. why are you ignoring domain scoped tokens? and yes that might be the last thing (just switching contexts from meeting, and don't rememebr why domain scope was an issue)18:52
dimsmorganfainberg, folks were talking about a first pass. what's min needed to switch nova to use v3 api18:53
morganfainbergdims, ah, basically you want to make sure a token is project scoped so the instance goes to the right place18:53
morganfainbergdims, jogo, yes that sounds like the right thing, have policy make sure a token is project scoped not domain scoped coming into nova18:54
jamielennoxmorganfainberg: i don't think anyone other than keystone really has a us for domain scoped tokens. what would nova do with them?18:54
morganfainbergjamielennox, right18:55
dimsmorganfainberg, no other code changes needed?18:56
dimsas far as we know :)18:56
morganfainbergdims, shouldn't really be. middleware should present all the info you need (in the same manner as v2) to the underlying app (in this case nova)18:56
*** david-lyle has quit IRC18:57
*** gmurphy has joined #openstack-keystone18:57
dimsmorganfainberg, cool18:57
*** david-lyle has joined #openstack-keystone18:57
jogomorganfainberg: because we can't do 'list all instances in a domain'18:57
morganfainbergjogo, ++ makes sense18:58
*** david-lyle has quit IRC18:59
*** david-ly_ has joined #openstack-keystone18:59
jogomorganfainberg: so can you push up a patch for that19:00
morganfainbergjogo, to make nova poilcy reject domain scoped tokens. i'll see what i can figure out :)19:00
morganfainberg?19:00
jamielennoxmorganfainberg: umm, it and httpretty should play well together, the problem is that i put the mock start in the global setUp19:00
dolphmbknudson: that's a useless constant though, 'GET' is never going to change to 'FETCH' or anything19:01
morganfainbergjamielennox, might want to make it a phased rollout, just to help your head not explode everytime something lands and makes you need to update it19:01
morganfainbergjamielennox, it's why i've split up the persistence stuff as much as i have.19:01
jamielennoxbknudson: ok, i have a better solution in a newer version (ie call .get() rather than request_uri('GET')) but i had enough trouble getting it in to do an immediate version bump19:02
morganfainbergjamielennox, i don't mind reviewing that patchset, but just trying to save you an issue trying ot get it landed unless we can land it before the next ksc patch lands19:02
dolphmjamielennox: it already needs a rebase; i'd be happy to get it in quickly when it's ready19:03
jogomorganfainberg: sounds good19:03
dolphmjamielennox: like, within the next hour19:03
morganfainbergdolphm, ++19:03
jamielennoxmorganfainberg: it's probably ok, if i do the mock start in a per-file setUp then they will play nice together, then at the end i just remove all the individual ones to a global19:03
jogomorganfainberg: so for this spec https://review.openstack.org/#/c/103617/2/specs/juno/support-keystone-v3-api.rst19:03
jogoit sounds like its been done?19:03
jogoor is the neutron stuff not done yet19:03
morganfainbergjamielennox, dolphm, let me know and i'm on the review right away, if we can land it today, score, lets do it in one shot.19:04
morganfainbergjamielennox, dolphm,  but otherwise staging it might be a lot easier since you'll rebase only sometimes not anytime something lands19:04
morganfainbergjogo, /me looks19:04
jogomorganfainberg: thanks. If that work wasn't done it sounds like the only issue is the service account for neutron cannot be in the non-default domain19:05
morganfainberggyee, jamielennox, ^ re jogo 's question on neutronclient19:05
gyeeneutronclient is almost there19:05
jogomorganfainberg: and we want to allign the specs with reality for documentation/tracking purposes19:05
*** david-ly_ is now known as david-lyle19:05
morganfainbergjogo, ++ makes sense19:06
gyeemorganfainberg, jogo, https://review.openstack.org/#/c/92390/19:06
gyeejust need another +219:06
jogogyee morganfainberg: cool19:06
jogoso we should approve the nova spec then?19:06
jogomorganfainberg: as its happening if we approve it or not.19:06
gyeejogo, yes, user can't do much with a domain-scoped token anyway19:07
morganfainbergjogo, haha, probably going to happen in either case19:07
gyeeunless the domain-scoped token contains the "admin" role19:07
jogomorganfainberg: can you chime in on that spec and we can update the spec status19:07
morganfainbergjogo, i'll work on figuring out policy stuff for you guys on that.19:07
gyeein that case, he's admin for the world anyway19:07
jogomorganfainberg: that would be great19:07
morganfainbergjogo, ++ gyee ^ mind chiming in as well re: neutron19:07
jogogyee: yeah we want to future proof our selves a bit19:07
gyeealmost all services have this problem19:08
jogomorganfainberg: heading to lunch, but if you can put all your commntents in that spec we can approve it etc19:08
gyeeif user have 'admin' role, he's admin for everybody19:08
jogogyee: feel free to chime in on tjhe spec19:08
morganfainbergjogo, yep will do.19:08
gyeejogo, k, will do19:08
jogogyee morganfainberg: thanks!19:08
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Convert httpretty to requests-mock  https://review.openstack.org/10665919:08
jamielennoxdolphm, morganfainberg: ^19:09
jamielennoxmorganfainberg: sorry, booted from VPN - what question?19:09
morganfainbergjamielennox, gyee  answered it19:10
*** gabriel-bezerra has quit IRC19:12
*** gabriel-bezerra has joined #openstack-keystone19:13
dolphmjamielennox: looking now19:19
openstackgerritA change was merged to openstack/identity-api: Updated from global requirements  https://review.openstack.org/11041519:19
dolphmjamielennox: applies cleanly!19:20
jamielennoxdolphm: until the next patch with a httpretty statement lands :)19:20
dolphmjamielennox: is anything gating?19:20
jamielennoxnot that i'm aware of19:20
jamielennoxzuul says no19:21
*** chandankumar has quit IRC19:24
*** cjellick has quit IRC19:26
ayoungjamielennox, is httpretty really that bad?19:26
dstanekayoung: i19:26
dstanek'm not a fan19:26
jamielennoxayoung: yes19:27
jamielennoxayoung: enough for me to write a _testing_ library19:27
ayoungjamielennox, this is a problem that I was not aware we had19:28
jamielennoxayoung: so. bad.19:28
*** cjellick has joined #openstack-keystone19:28
*** shuffleb1t is now known as shufflebot19:28
*** shufflebot has quit IRC19:28
*** shufflebot has joined #openstack-keystone19:28
*** cjellick has quit IRC19:28
jamielennoxthat may be unfair - i've had a lot to do with it, but yes i would like to move away from it19:28
*** cjellick has joined #openstack-keystone19:29
jamielennoxit made sense when we were dealing with both httplib and requests, but now we've switched i think this will be much cleaner19:29
dstaneki think it's tests are mostly useless anyway and that we'd be better served moving away19:29
dolphmjamielennox: is token_response() ever used? https://review.openstack.org/#/c/106659/6/keystoneclient/tests/test_auth_token_middleware.py19:29
dstanekwe can do better at the domain object level19:29
ayoungdstanek, can you exapnd that statement?19:30
*** lbragsta_ has joined #openstack-keystone19:31
*** lbragst__ has joined #openstack-keystone19:32
*** lbragst__ is now known as lbragstad_19:33
*** lbragsta_ has quit IRC19:33
dstanekayoung: about domain layer?19:34
*** lbragstad has quit IRC19:34
jamielennoxdstanek: yes, about 3 lines above it19:34
jamielennoxabove where it is defined19:35
jamielennoxit's a calback19:35
dstaneki think that httpretty is a way to sort of go between end-to-end tests and unit tests19:36
jamielennoxdstanek: i understand the point, but i have found so many stupid little mistakes in libraries where the mocking layer does something wrong19:37
ayoungdstanek, domain object level is unit test.  I think we should be using httpretty or its replacemetn to confirm http level interfaces, not Python19:37
dstanekayoung: httpretty doesn't confirm http interfaces at all - actually it's the opposite19:38
dstanekif confirms you are hitting the URL you expect and they you tell it what to give you back19:38
ayoungdstanek, it fakes out HTTP responses19:38
jamielennoxdstanek: it doesn't confirm them, but it does mean if you get something from the socket it is handled correctly all the way up19:38
ayoungdstanek, I did something comparable in FreeIPA development.  We cached json responses from the server so that we could do client side development without a live server19:39
ayoungfor Keystone client it is the right tool.19:39
dstaneki just think it promotes more testing on the edges and less unit level testing - not saying we shouldn't use it19:40
ayoungand the server side doesn't tend to use httpretty.  More of the opposite:  the server gave you back thuis JSON blob19:40
*** cjellick_ has joined #openstack-keystone19:41
dstanekon the server side we don't need to use httpretty because we don't do many service calls19:41
*** cjellick_ has quit IRC19:41
dolphmjamielennox: i don't think i've ever appreciated gerrit's light green vs dark green and light red vs dark red highlighting as much as i do reviewing this19:41
ayoungjamielennox, so your code change is just to replace httpretty with a comparable library for mocking responses that is specific to the "requests" python library, correct?19:41
*** gordc has quit IRC19:41
jamielennoxayoung: yes19:42
ayounghrybacki, this shouldn't be too bad a rebase.19:42
jamielennoxdolphm: it's just a lot of small semantic changes19:42
jamielennoxdolphm: it was crap to write19:42
hrybackiayoung++19:42
ayounghrybacki, and he is not proposing it for middleware yet, so it won't affect that patch19:43
dolphmjamielennox: what's the difference between b'' and six.b('') ?19:43
hrybackiayoung: so the identity_server will always be needed in production -- the lazy loaded (which works now btw) was to resolve the issue with tests caused by determing api version on load messing up the httpretty stuff19:44
jamielennoxdolphm: umm, i don't know, probably nothing as of python3.319:44
*** cjellick has quit IRC19:44
*** gabriel-bezerra has quit IRC19:44
dolphmjamielennox: what's the difference in py2?19:44
hrybackiso I think the best solution is to remove the lazy loading and hard code the auth_url, like before, until httpretty stuff is replaced19:44
hrybackithan I can submit a followup for determing api version and generating the auth_url then19:44
jamielennoxhrybacki: ++ don't confuse the session patch with the one for v3 auth, auth is a follow up19:45
dstanekdolphm: in py2 nothing19:45
ayounghrybacki, ok,  sounds like a plan19:45
hrybackiayoung, jamielennox unless you see a reason to keep lazy loading19:45
*** gabriel-bezerra has joined #openstack-keystone19:45
jamielennoxif the only reason to do lazy loading was to get around the initial auth request then no19:46
ayounghrybacki, lazy load was the norm before19:46
ayoungdie.  don't go to keystone inorder to just bring up Nova19:46
dstanekdolphm: the different is betwee 2 and 3 - 2 returns a string because str is bytes and in 3 it returns bytes19:46
morganfainbergdolphm, in py3 b is bytes, b in py2 is str()19:46
ayoungthe goal was to not force service ordering for bringup19:46
hrybackiayoung: are there any possible adverse side effects from lazy loading idenityserver?19:47
*** dims has quit IRC19:47
ayounghrybacki, no new ones.  The existing problem is that if you misconfigure the keystone data, you don't find out until first request19:47
hrybackiwould lazy loading stack onto that problem? I'm assuming that's not a behavior we want19:48
dolphmdstanek: morganfainberg: so it's bytes either way in python2 and 3... ?19:48
dolphmb'' is six.b('') # in python 2 and 319:48
morganfainbergdolphm, trying to confirm what it is on python 319:48
jamielennoxayoung: i think you are talking about different things in lazy loading - you can load the object - we just don't do a HTTP request initially19:48
morganfainbergdolphm, but my guess is ... six.b is superfluous19:48
dstanekdolphm: yes19:48
morganfainbergin most cases19:48
*** openstackgerrit has quit IRC19:48
*** gabriel-bezerra has quit IRC19:49
ayoungjamielennox, he was doing discovery in the init of auth_token19:49
ayoungit forced the call to keystone19:49
jamielennoxayoung: yep, if we don't do auth in this patch then we defer that probelm19:49
ayoungyep19:49
dolphmdstanek: erm http://pasteraw.com/d2rwjc4wdiuuvrtpvmnzdi3x8nqw2fe19:49
jamielennoxdolphm: yes, it makes no difference to b'' except possible python 3.0-3.2 which didn't have b'' but which we don't support19:49
*** gabriel-bezerra has joined #openstack-keystone19:49
hrybackiI'll leave lazy loading out for the time being -- I can add it w/o issue if we want it in the follow up19:50
*** asmacdo has joined #openstack-keystone19:50
dstanekdolphm: i think that's an is vs. equal thing19:50
jamielennoxdstanek: ++19:50
morganfainbergdolphm, dstanek, jamielennox, six.b() in python 3 creates bytes() in python2 it's str()19:51
morganfainbergbasically... it's not super useful19:51
morganfainbergjamielennox, ah python 3.0-3.219:51
morganfainbergyeah tesing on 3.3 and 3.419:51
*** jasondotstar has quit IRC19:51
dstanekmorganfainberg: exactly19:52
dstanekhttp://paste.openstack.org/show/88995/19:52
*** jasondotstar has joined #openstack-keystone19:52
morganfainbergdolphm, <class 'bytes'>19:52
morganfainberg>>> b'a' == six.b('a')19:52
morganfainbergTrue19:52
morganfainbergin python 3.419:52
dstanekthat would be true in all versions of Python that support the b prefix19:53
morganfainbergdstanek, ++19:53
morganfainbergdolphm, 'is' is a bad comparitor in some cases, it checks exact instance not value19:53
*** portante has joined #openstack-keystone19:54
portantemorganfainberg: here19:55
morganfainbergportante, so re: Swift and concerns on pki token size19:55
portantek19:55
dstaneksix.b isn't useful for literals in code; it's more for passing in a variable and wanting a byte string back19:55
morganfainbergportante, i know some of you talked to ayoung at the summit19:55
morganfainbergportante, is the concern of the token being *large* only for subsequent requests e.g. i request 20 things with the same token19:55
portanteyes19:55
ayoungmake that "20 separate requests"19:55
morganfainbergportante, or is it a concern for *all* requests (both a single request or multiple requests)19:55
*** jorge_munoz has quit IRC19:56
*** lbragstad_ has quit IRC19:56
morganfainbergportante, e.g. use rA requests 1 thing, with a token and uses a different project (or a different user with a different token) requests 2nd object19:56
*** lbragstad has joined #openstack-keystone19:56
morganfainbergportante, the distinction is reuse of token vs separate requests (different scope / user /etc ) for 1-off requests19:57
portantesec, reading, and internalizing19:57
bknudsondolphm: re https://review.openstack.org/#/c/109389/14/keystone/contrib/revoke/core.py "i assume this is xor - but that should be enforced here" -- do you mean raise an exception if domain_id and project_id are set?19:57
morganfainbergjogo, i need to head to lunch shortly, will work on the nova policy stuff later today, will get comments on the spec before i leave for food19:58
dolphmbknudson: yes19:58
bknudsondolphm: ok.19:58
dstanekmorganfainberg: why the distinction? if the token is passed 20 times does it matter if it's the same user or not?19:58
dolphmbknudson: a 50019:58
morganfainbergdstanek, it matters because a reuse token implies the same user.19:59
*** lbragstad has quit IRC19:59
bknudsondolphm: yep, ok. I'll also make sure that the message with the error gets back to the user!19:59
*** lbragstad has joined #openstack-keystone19:59
morganfainbergdstanek, same scope. so i'm asking for 20 obejcts (separately) with the same authorization. the other one would be 1-off (1 request and done)19:59
*** gordc has joined #openstack-keystone19:59
*** gabriel-bezerra has quit IRC20:00
morganfainbergdstanek, i'm trying to hammer down the specific size-of-request concern swift has so we have it recorded (and fresh in our minds) when discussing PKI vs UUID20:00
bknudsondolphm: so do I need a new exception for that or would raise Exception accomplish it?20:00
jogomorganfainberg: woot! thanks20:00
dstanekmorganfainberg: if you take a sample of 20 requests and the tokens are too big i don't see the distinction (same user or different user, 20 large requests are 20 large requests)20:00
portantemorganfainberg: it is a concern on the overall size, no matter what the number of requests20:01
*** gabriel-bezerra has joined #openstack-keystone20:01
morganfainbergportante, that was my understanding. thank you :)20:01
portantethe number of requests is also a factor, and folks want to reduce that as well20:01
dolphmbknudson: raise keystone.exception.UnexpectedError()20:01
bknudsondolphm: ok.20:01
morganfainbergportante, but i wanted to be sure there wasn't some case i wasn't seeing that swift was expecting20:01
dolphmbknudson: _('Programmer dun goofed.')20:01
morganfainbergportante, hence the question20:01
morganfainbergdolphm, ++ love that error message :)20:02
morganfainbergportante, much appreciated! thnaks for your time20:02
portantemorganfainberg: sec20:02
morganfainbergdstanek, yes that was my interpretation20:03
dolphmmorganfainberg: gordc: including pycadf in the identity program and renaming the identity program are on the TC agenda for today, meeting just started20:05
morganfainbergdolphm, ah, thanks i'll lurk.20:05
*** cjellick has joined #openstack-keystone20:06
*** gabriel-bezerra has quit IRC20:06
*** gabriel-bezerra has joined #openstack-keystone20:06
*** cjellick has quit IRC20:07
*** cjellick has joined #openstack-keystone20:07
jamielennoxmorganfainberg, dolphm: some very legitimate nits, thanks for passing it through anyway20:07
jamielennoxs/nits/-1s20:07
*** gabriel-bezerra has quit IRC20:14
*** gabriel-bezerra has joined #openstack-keystone20:14
*** gabriel-bezerra has quit IRC20:18
*** peluse_ has joined #openstack-keystone20:18
*** gabriel-bezerra has joined #openstack-keystone20:19
*** dims has joined #openstack-keystone20:19
*** david-lyle has quit IRC20:22
*** david-lyle has joined #openstack-keystone20:22
*** david-lyle has quit IRC20:27
*** david-lyle has joined #openstack-keystone20:27
*** gabriel-bezerra has quit IRC20:27
*** gabriel-bezerra has joined #openstack-keystone20:28
*** david-lyle has quit IRC20:28
*** david-lyle has joined #openstack-keystone20:29
*** lnxnut has quit IRC20:30
*** gabriel-bezerra has quit IRC20:46
*** gabriel-bezerra has joined #openstack-keystone20:47
*** lbragstad has quit IRC20:48
*** lbragstad has joined #openstack-keystone20:49
*** lbragstad has quit IRC20:53
*** gabriel-bezerra has quit IRC20:57
*** openstackgerrit has joined #openstack-keystone20:58
morganfainbergdolphm, one of two things clearly positive there :)20:58
dolphmmorganfainberg: yep!20:58
bknudsonare we renaming or what?20:58
morganfainbergbknudson, not yet20:59
dolphmbknudson: probably not20:59
dolphm(yet)20:59
morganfainbergbknudson, but we are now +audit20:59
morganfainbergbknudson, or will be once that patch merges20:59
dolphmmorganfainberg: well, it's not approved20:59
*** gabriel-bezerra has joined #openstack-keystone20:59
morganfainbergdolphm, true, but it wasn't a "no don't do that" result :)20:59
dolphmwe have some homework to do to add some pythonic flair to pycadf though20:59
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Config fixture from oslo-incubator is not used.  https://review.openstack.org/10399821:00
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Use config fixture from oslo.config  https://review.openstack.org/11013821:00
*** gabriel-bezerra has quit IRC21:00
*** gabriel-bezerra has joined #openstack-keystone21:01
morganfainbergdolphm, it does look very java-eqsue21:03
morganfainbergdolphm, but it isn't bad / hard to follow.21:03
dolphmmorganfainberg: it is, but it's consistently done and easy to read21:03
morganfainbergdolphm, yep21:03
dolphmmorganfainberg: ++21:03
bknudsonmaybe java is just a better language21:03
* morganfainberg ducks and looks for the flamewar starting at bknudson's behest21:04
*** lbragstad has joined #openstack-keystone21:04
*** david-lyle has quit IRC21:05
*** david-lyle has joined #openstack-keystone21:06
*** lbragstad has quit IRC21:07
*** lbragstad has joined #openstack-keystone21:07
dolphmmorganfainberg: i'll file the bp to switch pycadf to xml and it'll be perfect21:08
morganfainberghehe21:08
morganfainbergcan we demand it is run in jython at all times?21:09
*** david-lyle has quit IRC21:10
*** david-lyle has joined #openstack-keystone21:11
*** gabriel-bezerra has quit IRC21:11
dolphm$ jython -m pycadf >> event.xml && echo put event.xml | ftp $AUDIT_HOST21:11
dolphmi'll update the docs21:11
*** gabriel-bezerra has joined #openstack-keystone21:11
morganfainbergdolphm, +1million21:13
*** david-lyle has quit IRC21:15
*** mrmoje has joined #openstack-keystone21:17
bknudsonwhy does keystone depend on keystonemiddleware?21:17
openstackgerritHarry Rybacki proposed a change to openstack/keystonemiddleware: Convert auth_token middleware to use sessions  https://review.openstack.org/10503121:17
bknudson`find keystone -name "*.py" | xargs grep keystonemiddleware` -- nothing21:18
*** hrybacki_ has joined #openstack-keystone21:22
jamielennoxmarekd|away: ping21:22
*** jasondotstar has quit IRC21:25
*** hrybacki has quit IRC21:26
*** hrybacki_ has quit IRC21:26
openstackgerritBrant Knudson proposed a change to openstack/keystone: Remove fixture from openstack-common.conf  https://review.openstack.org/10325521:30
openstackgerritBrant Knudson proposed a change to openstack/keystone: Use config fixture from oslo.config  https://review.openstack.org/10325421:30
dolphmmorganfainberg: ttx just noticed that we got 4 zeroes on https://bugs.launchpad.net/keystone/+bug/135000021:30
uvirtbotLaunchpad bug 1350000 in keystone "UUID is a more friendly default token provider than PKI" [Wishlist,Triaged]21:30
morganfainbergbknudson, https://review.openstack.org/#/c/106478/21:30
morganfainbergbknudson, i always add the dep before making code changes.21:31
dolphm<jeblair>: i too have no substantive comments other than feeling the bug number is friendly21:31
morganfainbergdolphm, lol!21:31
bknudsonmorganfainberg: I didn't see it as a dependency on the other review.21:31
morganfainbergbknudson, probably was rebased a couple times since and lost it's direct dep21:32
morganfainbergin gerrit21:32
morganfainbergor *shrug*21:32
jamielennoxi think i agree with people that whilst we should incorporate auditing we should still be the 'identity' program21:32
* jamielennox runs away21:32
*** notmyname has joined #openstack-keystone21:36
openstackgerritLance Bragstad proposed a change to openstack/keystone: Implement validation on Assignment V3 API  https://review.openstack.org/8648421:37
dolphmmorganfainberg: what if we made keystone itself pluggable21:37
morganfainbergdolphm, explain?21:38
*** markwash has joined #openstack-keystone21:38
*** gabriel-bezerra has quit IRC21:39
*** gabriel-bezerra has joined #openstack-keystone21:40
dolphmmorganfainberg: i'm just trying to figure out a copout to introduce backwards incompatible everything21:40
morganfainbergdolphm, nice21:41
notmynameI hear this is the place to be21:41
lbragstaddstanek: I rolled https://review.openstack.org/#/c/110335/ into the assignment API patch21:41
morganfainbergnotmyname, shhh not so loud, it's a secret to everybody21:41
morganfainbergnotmyname, http://www.secrettoeverybody.com/21:42
dstaneklbragstad: cool, i'll rebase and push in a little bit then21:44
lbragstaddstanek: ok21:44
markwashif we were going to push kerberos or something similar further into the infrastructure of an openstack deployment (rather than just to authenticate token creation), what other protocols would need to be considered?21:47
lbragstaddstanek: I also have https://review.openstack.org/#/c/109098/21:47
markwashsaml maybe?21:48
markwashI don't even know what these protocols mean :-)21:48
*** gordc has quit IRC21:49
*** lbragsta_ has joined #openstack-keystone21:51
*** lbragstad has quit IRC21:54
*** lbragsta_ has quit IRC21:55
jamielennoxgyee: still holding your -1 on https://review.openstack.org/#/c/107333/ ?21:57
gyeejamielennox, I don't have anything major objection with it, just concern about the need for it21:58
bknudsonI don't know where you're getting the idea that auth_token middleware supports identity api v3... it authenticates with v2 and doesn't support domains.21:58
gyeeI won't cry if you guys decided to go ahead with it21:58
gyeebknudson, huh?21:59
gyeebknudson, you mean getting the service user token?21:59
bknudsongyee: yes.21:59
gyeebut we are changing it to use session22:00
bknudsongyee: ok... I don't see a proposal to have auth_token support identity v322:00
bknudsonfor auth22:00
gyeefor token validation, its already v322:01
gyeewe'll support service user authentication once the session patch is landed22:01
bknudsongyee: which one?22:01
bknudsongyee: https://review.openstack.org/#/c/105031/ ?22:01
gyeeyes22:02
*** gabriel-bezerra has quit IRC22:02
bknudsonthat patch doesn't add support for v3 auth22:02
*** gabriel-bezerra has joined #openstack-keystone22:02
gyeebknudson, it needs to22:02
bknudsonmaybe that's a follow-on patch that hasn't been submitted yet22:03
gyeebknudson, want to put on up? Otherwise, I can do it22:04
dolphm$ tox -e py27 && git review #dropsmic22:04
gyeeshould be a trivial change22:04
bknudsongyee: if you put it up I'll review it.22:04
gyeebknudson, okie dokie22:04
bknudsongyee: jamielennox: can you use the config options code in sessions?22:04
jamielennoxbknudson: what do you mean?22:05
bknudsonjamielennox: is there code in sessions to generate an auth plugin from config options?22:05
bknudsonor that provides config options?22:05
jamielennoxyes22:05
bknudsonand, can that be used in auth_token middleware?22:05
jamielennoxit's in the most recent release22:05
jamielennoxbknudson: i  need 0.10 in global-requirements: https://review.openstack.org/#/c/108832/22:06
jamielennoxi've added everyone to the review, might need to bug some people in infra for it22:07
*** gabriel-bezerra has quit IRC22:09
*** gabriel-bezerra has joined #openstack-keystone22:09
ayoungjamielennox, I think discovery breaks on  auth_url = kwargs.pop('auth_url', session.auth.auth_url)22:12
ayoungit seems that  session.auth.auth_url  gets evaluated first22:13
jamielennoxayoung: not following, where are you  looking?22:13
ayoungso if session.auth is None, it fails, even if  kwargs.pop('auth_url')  would have returned a value22:13
jamielennoxoh22:13
jamielennoxyou want22:13
jamielennoxhttps://review.openstack.org/#/c/107570/22:14
ayoungjamielennox, ah...is that in already...my repo must be out of date, but I think I see that change  https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/discover.py22:14
ayoungjamielennox, cool,  not the same fix, although I think there is something else upstream that would fix it22:15
ayoungin this case, discovery is authenticate:  its from cinder22:15
ayoungah...but not yet authenticated...ok, I'll pull that in.22:16
*** jsavak has quit IRC22:16
jamielennoxso discovery being authed is a bit weird but paths like /v1/ for nova are authenticated paths so we default to authenticated22:17
jamielennoxotherwise - what are your trying to do?22:17
*** henrynash has quit IRC22:19
ayoungjamielennox, yeah, you just basically rewrote it since last I used this git repo\22:21
jamielennoxheh22:21
ayoungjamielennox, its the kerberos stuff.  I had everything working except for cinder....22:21
jamielennoxumm, it still won't automatically get session.auth.auth_url22:21
jamielennoxthat's not right anyway22:21
*** jaosorior has quit IRC22:22
ayoungjamielennox, that was fixed in ...22:24
ayoungum...wait22:26
ayoungjamielennox, commit 1ccefad0c6815f21ff32af9e774a8271c3ada6c5 introduced that22:27
*** gabriel-bezerra has quit IRC22:28
*** gabriel-bezerra has joined #openstack-keystone22:29
*** bknudson has quit IRC22:30
ayoungjamielennox, with http://paste.openstack.org/show/89033/  I was able to get further:22:35
ayoungjamielennox, I chopped /v3 off the auth url, and then22:35
jamielennoxayoung: that definitely feels like you are using it wrong22:36
jamielennoxwhy don't you know the URL that you want to do discovery on?22:36
ayoungjamielennox, something created a session already22:36
ayoungthis is cinder code22:36
ayoungso there is a session, but nothing in it?22:36
jamielennoxcinder server has session code?22:36
ayoung/opt/stack/python-cinderclient/cinderclient/shell.py22:37
ayoungyeah22:37
jamielennoxoh22:37
jamielennoxuh, yea i've seen some of that22:37
jamielennoxso what are you trying to do?22:37
ayoungjamielennox, cinder list22:37
ayoungjust confirm that cinder works22:37
jamielennoxusing kerberos22:38
ayoungjamielennox, this started as a packstack install, and little by little I've been hacking it to talk to keysrtone in httpd22:38
ayoungno kerberos here yet22:38
jamielennoxso i haven't tried the cinder shell code yet, what is it doing wrong?22:38
ayounglooking22:39
jamielennoxbecause it feels like a cinderclient problem rather than something to fix in ksx22:39
jamielennoxksc22:39
openstackgerritDolph Mathews proposed a change to openstack/keystone: Set default token provider to UUID  https://review.openstack.org/11048822:39
ayoungjamielennox, that may well be true22:40
openstackgerritA change was merged to openstack/python-keystoneclient: Convert httpretty to requests-mock  https://review.openstack.org/10665922:48
morganfainbergjamielennox, ^ :)22:50
ayoungjamielennox, https://github.com/openstack/python-cinderclient/blob/master/cinderclient/shell.py#L79322:52
ayoungso he creats a session in order to do discovery, but the is no auth plugin set.  I think maybe just remove the session?22:52
*** mtl11 has joined #openstack-keystone23:13
*** mtl1 has quit IRC23:14
*** dims has quit IRC23:14
*** bknudson has joined #openstack-keystone23:20
*** bknudson has quit IRC23:25
*** gabriel-bezerra has quit IRC23:25
*** gabriel-bezerra has joined #openstack-keystone23:26
*** bknudson has joined #openstack-keystone23:34
jamielennoxmorganfainberg: woot! have do do it for middleware now23:40
jamielennoxayoung: i think he is discarding the session before it gets to the client23:41
jamielennoxcinder doesn't actually have support for session internally23:41
jamielennoxwait - they are passing it to the client23:43
jamielennoxwhoa - wtf23:44
jamielennox:O cinder has gone ahead and adopted the session23:45
jamielennoxi forget that none of the other clients care about stability as much as us23:47
jamielennoxcinderclient done - no idea if that works23:48
*** cjellick has quit IRC23:48
« Monday, 2014-07-28 Index Wednesday, 2014-07-30 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!