Tuesday, 2014-08-19

*** hrybacki has joined #openstack-keystone		00:00
*** oomichi has joined #openstack-keystone		00:00
openstackgerrit	Morgan Fainberg proposed a change to openstack/identity-api: Update revoke-ext https://review.openstack.org/114857	00:11
*** yasukun has joined #openstack-keystone		00:18
*** harlowja is now known as harlowja_away		00:29
*** yasukun has quit IRC		00:31
*** yasukun has joined #openstack-keystone		00:31
*** marcoemorais has quit IRC		00:35
*** yasukun has quit IRC		00:36
*** yasukun has joined #openstack-keystone		00:36
*** rwsu has quit IRC		00:37
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Add extra guarding to revoke_by_audit_id methods https://review.openstack.org/115147	00:39
*** cjellick has quit IRC		00:41
*** cjellick has joined #openstack-keystone		00:42
openstackgerrit	Richard Megginson proposed a change to openstack/keystone: ldap/core deleteTree not always supported https://review.openstack.org/74897	00:44
*** ncoghlan_afk is now known as ncoghlan		00:45
*** cjellick has quit IRC		00:46
*** ayoung has quit IRC		00:49
*** ayoung has joined #openstack-keystone		00:49
*** rwsu has joined #openstack-keystone		00:50
*** stevemar has joined #openstack-keystone		00:50
*** andreaf_ has joined #openstack-keystone		00:54
*** marcoemorais has joined #openstack-keystone		00:55
*** harlowja_away is now known as harlowja		00:56
*** andreaf has quit IRC		00:56
*** Kui has joined #openstack-keystone		00:59
*** yasukun_ has joined #openstack-keystone		01:01
*** yasukun has quit IRC		01:03
*** gokrokve has joined #openstack-keystone		01:10
*** jdennis1 has quit IRC		01:15
*** gokrokve has quit IRC		01:17
*** gokrokve has joined #openstack-keystone		01:18
*** gokrokve has quit IRC		01:22
*** bknudson has quit IRC		01:23
*** gokrokve has joined #openstack-keystone		01:25
*** jdennis has joined #openstack-keystone		01:26
*** yasukun_ has quit IRC		01:28
*** shakamunyi has joined #openstack-keystone		01:34
*** shikui_ has joined #openstack-keystone		01:39
*** Kui has quit IRC		01:42
*** oomichi has quit IRC		01:48
*** mitz has quit IRC		01:48
*** stevemar has quit IRC		01:50
*** stevemar has joined #openstack-keystone		01:52
*** gokrokve_ has joined #openstack-keystone		01:56
*** oomichi has joined #openstack-keystone		01:57
*** gokrokve_ has quit IRC		01:58
*** gokrokve_ has joined #openstack-keystone		01:59
*** gokrokve has quit IRC		01:59
stevemar	dstanek, if you're looking for another easy one ... https://review.openstack.org/#/c/114811/	02:05
*** gokrokve has joined #openstack-keystone		02:08
*** gokrokve_ has quit IRC		02:09
*** RicoLin has joined #openstack-keystone		02:10
*** morganfainberg is now known as morganfainberg_Z		02:14
*** hrybacki has quit IRC		02:24
*** Krast_ has quit IRC		02:26
*** Krast has joined #openstack-keystone		02:26
*** marcoemorais has quit IRC		02:31
*** hrybacki has joined #openstack-keystone		02:32
*** hrybacki has quit IRC		02:32
*** hrybacki has joined #openstack-keystone		02:33
*** gokrokve has quit IRC		02:34
*** gokrokve has joined #openstack-keystone		02:34
*** hrybacki has quit IRC		02:38
*** gokrokve has quit IRC		02:39
openstackgerrit	A change was merged to openstack/keystone: Expose context to create grant and delete grant https://review.openstack.org/114809	02:46
*** hrybacki has joined #openstack-keystone		02:47
*** alex_xu has joined #openstack-keystone		02:48
ayoung	jamielennox, not yet. Hadn't ran back around to it. I was working on the Kerberos client review, and trying to deal with the httpretty exorcism	03:02
*** shakamunyi has quit IRC		03:09
*** KanagarajM has joined #openstack-keystone		03:17
*** hrybacki has quit IRC		03:31
*** gyee_ has quit IRC		03:32
*** shikui_ has quit IRC		03:34
*** richm has quit IRC		03:35
*** amirosh has joined #openstack-keystone		03:57
*** amirosh has quit IRC		03:59
*** amirosh has joined #openstack-keystone		04:00
*** stevemar has quit IRC		04:00
*** xianghuihui has quit IRC		04:03
*** xianghuihui has joined #openstack-keystone		04:04
*** amirosh has quit IRC		04:04
*** shakamunyi has joined #openstack-keystone		04:07
*** harlowja is now known as harlowja_away		04:08
*** Kui has joined #openstack-keystone		04:12
openstackgerrit	Kanagaraj Manickam proposed a change to openstack/keystone: endpoint table is missing reference to region table https://review.openstack.org/113183	04:15
*** xianghuihui has quit IRC		04:18
*** xianghui has joined #openstack-keystone		04:21
*** ayoung has quit IRC		04:41
*** Krast has quit IRC		05:08
*** shakamunyi has quit IRC		05:13
*** ctracey has quit IRC		05:16
*** afazekas has quit IRC		05:17
*** ctracey has joined #openstack-keystone		05:20
*** ncoghlan is now known as ncoghlan_afk		05:20
*** amerine has quit IRC		05:20
*** k4n0 has joined #openstack-keystone		05:36
*** ajayaa has joined #openstack-keystone		05:36
*** morganfainberg_Z is now known as morganfainberg		05:41
*** ncoghlan_afk is now known as ncoghlan		05:45
*** rwsu has quit IRC		05:51
*** tomoiaga has joined #openstack-keystone		05:59
*** alex_xu has quit IRC		06:04
*** rwsu has joined #openstack-keystone		06:07
*** amirosh has joined #openstack-keystone		06:13
*** Krast has joined #openstack-keystone		06:14
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex https://review.openstack.org/111920	06:19
*** alex_xu has joined #openstack-keystone		06:22
*** ukalifon has joined #openstack-keystone		06:24
openstackgerrit	Morgan Fainberg proposed a change to openstack/identity-api: Add information about audit_id in token docs https://review.openstack.org/114590	06:28
*** Krast has quit IRC		06:28
openstackgerrit	Morgan Fainberg proposed a change to openstack/identity-api: Update revoke-ext https://review.openstack.org/114857	06:28
*** alex_xu has quit IRC		06:44
*** alex_xu has joined #openstack-keystone		06:55
*** chandankumar has joined #openstack-keystone		07:04
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Revoke by Audit Id / Audit Id Chain instead of expires https://review.openstack.org/114864	07:06
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Update AuthContextMiddleware to not use token_api https://review.openstack.org/113429	07:06
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Add __repr__ to KeystoneToken model https://review.openstack.org/113430	07:06
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Add extra guarding to revoke_by_audit_id methods https://review.openstack.org/115147	07:06
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Remove trust dependency on token_api https://review.openstack.org/109462	07:06
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Remove SAML2 plugin dependency on token_api https://review.openstack.org/115012	07:06
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Remove identity_api dependency on token_api https://review.openstack.org/115045	07:06
morganfainberg	zzzzzzzz	07:09
*** afazekas has joined #openstack-keystone		07:12
openstackgerrit	Morgan Fainberg proposed a change to openstack/identity-api: Add information about audit_id in token docs https://review.openstack.org/114590	07:12
openstackgerrit	Morgan Fainberg proposed a change to openstack/identity-api: Add information about audit_id in token docs https://review.openstack.org/114590	07:12
*** rushiagr_away is now known as rushiagr		07:22
*** amirosh has quit IRC		07:30
*** amirosh has joined #openstack-keystone		07:31
*** amirosh has joined #openstack-keystone		07:31
*** alex_xu has quit IRC		07:33
*** mitz has joined #openstack-keystone		07:49
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Remove wsgi and base controller dependency on token_api https://review.openstack.org/115205	07:49
*** alex_xu has joined #openstack-keystone		07:57
*** aix has joined #openstack-keystone		07:57
*** amerine has joined #openstack-keystone		07:58
openstackgerrit	Marcos Fermín Lobo proposed a change to openstack/keystone: Error on _ldap_get_list without attrlist value https://review.openstack.org/114986	07:59
*** alex_xu has quit IRC		08:09
*** alex_xu has joined #openstack-keystone		08:22
*** Krast has joined #openstack-keystone		08:22
*** rushiagr is now known as rushiagr_away		08:22
*** gpocente1 is now known as gpocentek		08:27
*** gpocentek has joined #openstack-keystone		08:27
openstackgerrit	Marek Denis proposed a change to openstack/keystone: Transform a Keystone token to a SAML assertion https://review.openstack.org/110542	08:28
*** amirosh_ has joined #openstack-keystone		08:29
*** amirosh has quit IRC		08:29
*** aix has quit IRC		08:31
*** ncoghlan is now known as ncoghlan_afk		08:39
*** ajayaa has quit IRC		08:45
*** rushiagr_away is now known as rushiagr		08:48
openstackgerrit	Marek Denis proposed a change to openstack/keystone: Transform a Keystone token to a SAML assertion https://review.openstack.org/110542	08:51
*** ajayaa has joined #openstack-keystone		08:52
openstackgerrit	Marek Denis proposed a change to openstack/keystone: Transform a Keystone token to a SAML assertion https://review.openstack.org/110542	08:58
*** aix has joined #openstack-keystone		08:59
*** ajayaa has quit IRC		09:00
*** alex_xu has quit IRC		09:09
*** andreaf_ has quit IRC		09:10
*** ukalifon has quit IRC		09:14
*** amirosh has joined #openstack-keystone		09:30
*** amirosh_ has quit IRC		09:30
*** andreaf has joined #openstack-keystone		09:42
*** Daviey has quit IRC		09:44
*** rushiagr is now known as rushiagr_away		09:47
*** rushiagr_away is now known as rushiagr		09:50
openstackgerrit	Marcos Fermín Lobo proposed a change to openstack/python-keystoneclient: Attributes required using token for auth https://review.openstack.org/115228	09:50
openstackgerrit	Marcos Fermín Lobo proposed a change to openstack/keystone: Error on _ldap_get_list without attrlist value https://review.openstack.org/114986	10:04
openstackgerrit	Marcos Fermín Lobo proposed a change to openstack/python-keystoneclient: Attributes required using token for auth https://review.openstack.org/115228	10:07
*** Daviey has joined #openstack-keystone		10:16
*** amirosh_ has joined #openstack-keystone		10:20
*** amirosh has quit IRC		10:20
*** ukalifon has joined #openstack-keystone		10:28
*** andreaf has quit IRC		10:33
*** mitz has quit IRC		10:51
*** mitz has joined #openstack-keystone		10:53
openstackgerrit	Marek Denis proposed a change to openstack/keystone: Transform a Keystone token to a SAML assertion https://review.openstack.org/110542	11:10
*** KanagarajM has quit IRC		11:11
*** ajayaa has joined #openstack-keystone		11:11
openstackgerrit	Marek Denis proposed a change to openstack/keystone: Transform a Keystone token to a SAML assertion https://review.openstack.org/110542	11:12
*** andreaf has joined #openstack-keystone		11:19
*** RicoLin has quit IRC		11:23
*** hrybacki has joined #openstack-keystone		11:52
*** hrybacki has quit IRC		11:57
*** Krast has quit IRC		12:02
*** alex_xu has joined #openstack-keystone		12:04
*** gordc has joined #openstack-keystone		12:09
*** hrybacki has joined #openstack-keystone		12:17
*** hrybacki has quit IRC		12:17
*** hrybacki has joined #openstack-keystone		12:28
*** richm has joined #openstack-keystone		12:30
*** jkappert has quit IRC		12:34
*** jkappert_ has joined #openstack-keystone		12:39
*** jkappert_ has quit IRC		12:39
*** jkappert_ has joined #openstack-keystone		12:40
*** jkappert_ has left #openstack-keystone		12:43
*** hrybacki has quit IRC		12:49
*** ajayaa has quit IRC		13:03
*** jasondotstar has joined #openstack-keystone		13:04
*** bknudson has joined #openstack-keystone		13:12
*** joesavak has joined #openstack-keystone		13:24
*** ncoghlan_afk is now known as ncoghlan		13:25
*** radez_g0n3 is now known as radez		13:25
*** zzzeek has joined #openstack-keystone		13:32
*** ncoghlan is now known as ncoghlan_afk		13:35
*** oomichi has quit IRC		13:42
openstackgerrit	David Stanek proposed a change to openstack/python-keystoneclient: Bump hacking to 0.9.x series https://review.openstack.org/107328	13:44
*** HenryG_ has joined #openstack-keystone		13:46
*** HenryG has quit IRC		13:47
*** zzzeek has quit IRC		13:48
dolphm	is there an implementation for endpoint-policy in review?	13:49
*** zzzeek has joined #openstack-keystone		13:50
*** ayoung has joined #openstack-keystone		13:52
dolphm	morganfainberg: i'm not caught up on the recent reviews in non-persistent tokens -- is it feature complete?	13:53
*** RicoLin has joined #openstack-keystone		13:54
openstackgerrit	ayoung proposed a change to openstack/keystonemiddleware: Hash for PKIZ https://review.openstack.org/114646	14:01
*** stevemar has joined #openstack-keystone		14:03
stevemar	marekd, good debugging on the xmlsec1 failure!	14:07
stevemar	marekd, i thought it wasn't finding the keys :( ... like the certs weren't generated yet	14:07
*** HenryG_ is now known as HenryG		14:07
ayoung	stevemar, marekd there has to be a way to sign those things without writing to the Filesystem	14:09
stevemar	ayoung, it's actually how the pysaml2 library does it also	14:10
ayoung	I'm sure that is true, but its drainbed	14:10
*** stevemar has quit IRC		14:11
*** stevemar has joined #openstack-keystone		14:11
*** henrynash has joined #openstack-keystone		14:12
ayoung	stevemar, it ain't gonna scale.	14:12
*** oomichi has joined #openstack-keystone		14:12
ayoung	stevemar, do we have an example signed doc I can poke at?	14:13
ayoung	https://review.openstack.org/#/c/110542/22/keystone/tests/xml/signed_saml2_assertion.xml ? I take it?	14:13
marekd	that's assertion only	14:13
marekd	which is in the end wrapped in the <Response></Response>	14:14
marekd	but in general that's that (only assertion is actually signed)	14:14
marekd	ayoung: ^^	14:14
marekd	stevemar: thanks, be back in 5 mins.	14:14
ayoung	marekd, so the block <ns1:SignatureValue>	14:14
openstackgerrit	A change was merged to openstack/keystone-specs: Auth Specific Data https://review.openstack.org/107325	14:16
*** shakamunyi has joined #openstack-keystone		14:16
*** oomichi has quit IRC		14:17
*** zzzeek has quit IRC		14:17
*** zzzeek_ has joined #openstack-keystone		14:17
*** chandankumar has quit IRC		14:17
ayoung	stevemar, looks like it is doig sha1 http://www.w3.org/2000/09/xmldsig#rsa-sha1	14:18
marekd	ayoung: not only.	14:18
marekd	it also does that's called canonicalization.	14:18
marekd	c14	14:18
ayoung	marekd, instead of canonicalizing to ASN1, they do XMl	14:18
ayoung	http://www.w3.org/TR/2002/REC-xml-exc-c14n-20020718/	14:18
ayoung	and ="http://www.w3.org/2000/09/xmldsig#enveloped-signature"	14:19
ayoung	So b//GXtGeCIJPFsMAHrx4+3yjrL4smSpRLXG9PB3TLMJvU4fx8n2PzK7+VbtWNbZG16	14:19
ayoung	vSgbvbQR52jq77iyaRfQ2iELuFEY+YietLRi7hsitkJCEayPmU+BDlNIGuCXZjAy17	14:19
ayoung	7tmtGFkLlZZJaom1jAzHfZ5JPjZdM5hvQwrhCI2Kzyk=	14:19
ayoung	should be the signed version of Lem2TKyYt+/tJy2iSos1t0KxcJE=	14:19
raildo	ayoung: If you have some free time, could you review the spec? https://review.openstack.org/#/c/101017/	14:20
ayoung	raildo, will do	14:20
marekd	ayoung: so what do you suggest?	14:20
*** samuelmz has joined #openstack-keystone		14:20
raildo	ayoung: thanks a lot :-D	14:20
ayoung	marekd, either we hack the execuatable you are using to generate the signed XML, or we perform the same operation using different tools. I suspect that all the library calls are available to perform it without writing to a file	14:21
ayoung	marekd, Updating my venv to get the right libraries for the XML code	14:22
marekd	ayoung: xmlsec uses underlying library.	14:22
ayoung	marekd, so what part of that document is actually signed?	14:23
marekd	Assertion.	14:23
marekd	w8	14:23
*** david-lyle has joined #openstack-keystone		14:24
morganfainberg	dolphm,no	14:24
ayoung	marekd, be more specific please	14:24
openstackgerrit	Alexey Miroshkin proposed a change to openstack/keystone: Enable filtering of credentials by user ID https://review.openstack.org/113232	14:24
marekd	ayoung: sorry, I meant <Assertion></Assertion> block.	14:24
morganfainberg	dolphm, it is not feature complete. though it's getting close, about 4 more patches to post. (not inc. the keystone middleware changes)	14:25
ayoung	marekd, minus anything with ns1: ?	14:25
morganfainberg	dolphm, https://review.openstack.org/#/q/status:open+branch:master+topic:bp/non-persistent-tokens,n,z	14:26
dolphm	morganfainberg: are they going to be ready today? :-/	14:26
marekd	ayoung: i would say so. So basically you need to reate an assertion, and a ns1 'template'indicating algos etc. You pass it through xmlsec1 (or similar) that reads the input canonicalizes, hashes and signsm otputting a signed data.	14:27
marekd	https://review.openstack.org/#/c/110542/22/keystone/tests/xml/signed_saml2_assertion.xml	14:27
morganfainberg	dolphm, there are 2 more ugly patches, a cleanup patch, a 2 liner, make validate use cms when possivle, then a toggle for persistence	14:27
morganfainberg	the ugly ones is getting token_api out of assignement and oaut	14:27
dolphm	morganfainberg: it was a yes/no question :P	14:28
marekd	ayoung: https://review.openstack.org/#/c/110542/22/keystone/contrib/federation/idp.py \| grep "def _create_signature" will show you how the empty 'Signature' block looks like.	14:28
morganfainberg	dolphm, sorry was still answering the first one	14:28
morganfainberg	dolphm, lets say 30%	14:28
dolphm	eek	14:28
dolphm	morganfainberg: what if we include tomorrow?	14:28
marekd	ayoung: I found this blogpost useful: http://sgros.blogspot.ch/2013/01/signing-xml-document-using-xmlsec1.html	14:28
dolphm	cob	14:28
morganfainberg	dolphm, closer to 85%	14:29
dolphm	morganfainberg: i'm putting together a list of work items to make sure we hit FPF	14:29
morganfainberg	dolphm, 90+% if there are no further nasty surprises inc. tomorrow	14:29
dolphm	morganfainberg: what about the other 90%?	14:30
morganfainberg	dolphm, the other 90% other 10%?	14:30
dolphm	morganfainberg: http://en.wikipedia.org/wiki/Ninety-ninety_rule	14:30
morganfainberg	lol	14:30
morganfainberg	i think we're in the other 90% now	14:30
morganfainberg	it's been a lot of landmines in revocation events :(	14:31
morganfainberg	the whole audit id, federated user domains, etc	14:31
*** shakamunyi has quit IRC		14:32
dstanek	dolphm: the rechecks on that XML review are just getting silly now	14:32
dolphm	dstanek: yeah...	14:33
dstanek	is there a good reference for how deployers use policy.json?	14:33
dolphm	dstanek: like documentation? or another sample?	14:34
dstanek	dolphm: docs, user guide - i can read the code for the what/how, but i'm looking for the why	14:34
morganfainberg	dolphm, i think i can short-cut the 2 tough patches left (been really trying to avoid more tech debt because we've been paying so much back here)	14:34
ayoung	marekd, OK, no need to write the file to disk http://pyxmlsec.labs.libre-entreprise.org/index.php?section=examples&id=3	14:37
*** amirosh_ has quit IRC		14:37
*** amirosh has joined #openstack-keystone		14:38
dolphm	dstanek: hmm...	14:39
stevemar	ayoung, not much active development going on there	14:40
stevemar	ayoung, https://pypi.python.org/pypi/dm.xmlsec.binding/1.2 looks a bit better	14:40
ayoung	stevemar, doesn't matter.	14:40
dolphm	dstanek: there's a blurb here http://docs.openstack.org/admin-guide-cloud/content/keystone-user-management.html	14:40
ayoung	stevemar, so long as the underlying library is good, the Python should be a thin thin wrapper	14:41
ayoung	stevemar, marekd I think I want this to go in keystoneclient first and foremost	14:41
ayoung	client is going to need to be able to verify signatures, it should be written once.	14:41
dolphm	dstanek: which has about the only "why" i can think of: start with the default policy files, and then add additional rules/role definitions as you need more granular roles	14:41
* ayoung wishes we shipped client out of the same repo as server...ah well		14:42
marekd	ayoung: what 'this'? xml signing?	14:42
ayoung	marekd, yep	14:42
*** amirosh has quit IRC		14:42
openstackgerrit	Rodrigo Duarte proposed a change to openstack/keystone: Create, update and delete hierarchical projects https://review.openstack.org/111842	14:42
ayoung	marekd, right next to cms	14:42
marekd	ayoung: but not instead of having it in the server....?	14:42
dolphm	dstanek: and the v3cloud policy file illustrates the direction we'd like to take default policy, but it's not all the way there because we're still stuck with tenancy-based admin-ness, rather than a higher level tenantless based admin-ness	14:42
ayoung	keystoneclient.common.xmlsec	14:43
ayoung	marekd, yes, instead	14:43
ayoung	marekd, I understand it makes your task more difficult, and I won;t insist	14:43
ayoung	but keep it in mind, and get the client reviews started	14:43
marekd	ayoung: it's not about being it difficult or easy.	14:44
marekd	ayoung: you want the server to issue an unsigned assertion ?	14:44
marekd	and hand it to the client?	14:44
dstanek	dolphm: thanks	14:45
*** hrybacki has joined #openstack-keystone		14:47
ayoung	marekd, no	14:47
ayoung	marekd, come on...you know I am not that dense	14:47
marekd	ayoung: yeah	14:47
ayoung	marekd, the server imports the client as a library	14:47
marekd	ayoung: that's what i wanted to hear.	14:47
*** shakamunyi has joined #openstack-keystone		14:48
dolphm	henrynash: do you have an implementation of endpoint policy available offline?	14:51
*** zzzeek_ has quit IRC		14:55
*** zzzeek has joined #openstack-keystone		14:55
dolphm	henrynash: "code up later this week" vs {"feature_proposal_freeze": "august 21"} # need to consider bumping it to kilo if it's not feature complete in gerrit :-/	14:56
*** afazekas has quit IRC		14:58
marekd	stevemar: do you know how to make saml generation work with pysaml?	15:00
marekd	stevemar: blah....i mean, how to make jenkins not complaining on requirements and pysaml2	15:00
stevemar	marekd, yeah get this merged: https://review.openstack.org/#/c/113294/	15:01
marekd	stevemar: okay	15:01
stevemar	marekd, thats it :(	15:01
*** ukalifon has quit IRC		15:01
marekd	nothing that needs some work/configuration.	15:02
henrynash	dolphm: if not by the 21st, I agree	15:02
stevemar	marekd, when the user exchanges the token for saml assertion, we should just return text/xml in the header?	15:02
stevemar	let the client handle any "real" saml headers	15:02
stevemar	?	15:02
dstanek	stevemar: marekd: i was just going to ask you guys about the xmlsec requirement	15:02
marekd	dstanek: xmlsec or pysaml2?	15:02
marekd	dstanek: xmlsec is a binary, use yum/apt for that.	15:03
dstanek	marekd: it looks like some of the k2k is failing on jenkins because that's missing	15:03
marekd	dstanek: pysaml2 is mising.	15:03
*** jorge_munoz has joined #openstack-keystone		15:03
*** gokrokve has joined #openstack-keystone		15:03
marekd	dstanek: i fixed missing xmlsec1 thing with mocking some methods.	15:03
stevemar	dstanek, pysaml2 is missing, and because xmlsec is not included	15:03
stevemar	dstanek, you reviewed the subsequent patch (where marek'd mocking wasn't included)	15:04
dstanek	stevemar: ah, is there a new patch to mock it out?	15:04
stevemar	dstanek, yeah https://review.openstack.org/#/c/110542/	15:05
stevemar	dstanek, check the tests, jenkins still fails because of the missing pysaml2 requirement	15:05
dstanek	stevemar: ok, i'll take a look at that one.	15:06
stevemar	marekd, i was thinking you could write #noqa for the imports, not sure why it's failing that pep8 check	15:08
marekd	stevemar: #noqa makes pep ignore the lines, right?	15:08
marekd	stevemar: thanks, i will fix it.	15:08
stevemar	i think so	15:08
dstanek	marekd: is there a reason why the imports in idp.py are mixed?	15:09
marekd	dstanek: yes, pep8 complaining.	15:09
openstackgerrit	Rodrigo Duarte proposed a change to openstack/keystone: Transform a Keystone token to a SAML assertion https://review.openstack.org/110542	15:09
marekd	dstanek: i think i pasted the pep warning	15:09
stevemar	marekd, ^ heads up, rodrigo updated	15:09
dstanek	marekd: pep8 wants the thirdpary and stdlib together?	15:09
marekd	dstanek: yes, it thinks saml2 is a stdlib.	15:09
marekd	dstanek: no idea HOW	15:10
*** ayoung has quit IRC		15:10
marekd	dstanek: # noqa will do the job?	15:10
marekd	dstanek: as stevemar suggests.	15:10
dstanek	marekd: yes it should	15:10
stevemar	marekd, i think so, just double space after the line ends	15:10
*** ayoung has joined #openstack-keystone		15:10
dstanek	marekd: but then again pep8 is acting incorrectly already	15:11
marekd	dstanek: stevemar: let's see.	15:11
stevemar	dstanek, we can fix pep8, then fix this, no idea why it thinks saml2 is stdlib	15:11
stevemar	maybe it checks it against globral requirements	15:11
marekd	stevemar: i don't know how to be honest ;/	15:12
stevemar	marekd, dstanek apparently this is how it determines 3rd party or stdlib	15:14
stevemar	https://github.com/openstack-dev/hacking/blob/master/hacking/checks/imports.py#L165-L204	15:14
dstanek	is there now Python or C libs for xmlsec?	15:15
stevemar	dstanek, the best i could find is here: https://pypi.python.org/pypi/dm.xmlsec.binding	15:16
marekd	dstanek: there is something, but i recall seeing wrappers for wrappers.	15:16
openstackgerrit	Brant Knudson proposed a change to openstack/keystonemiddleware: Hash for PKIZ https://review.openstack.org/114646	15:24
openstackgerrit	Richard Megginson proposed a change to openstack/keystone: ldap/core deleteTree not always supported https://review.openstack.org/74897	15:26
*** cjellick has joined #openstack-keystone		15:29
dstanek	i hate when i accidentially use a tox command with -r	15:32
*** gyee has joined #openstack-keystone		15:41
*** afazekas has joined #openstack-keystone		15:42
*** ukalifon1 has joined #openstack-keystone		15:42
stevemar	dstanek, that is pretty awful	15:43
stevemar	dstanek, bknudson thanks for reviewing the API change for exchanging a token for a saml assertion, i guess you guys are fine with the proposed request json?	15:44
dstanek	stevemar: i was	15:45
dstanek	holy hell batman, pysaml2's list of requirements is terrible	15:46
dolphm	oh noes	15:46
stevemar	uh oh	15:46
dstanek	zope.interface :-(	15:46
bknudson	stevemar: which one is that?	15:47
stevemar	bknudson, the one you just reviewed - line 956 - https://review.openstack.org/#/c/113998/6/v3/src/markdown/identity-api-v3-os-federation-ext.md	15:47
bknudson	stevemar: I didn't look at the interface	15:48
bknudson	stevemar: I just noticed it didn't update the version so I don't see how anybody is going to know if it's available or not.	15:49
bknudson	if nobody knows that they can use it or not then it's useless	15:49
stevemar	bknudson, fair enough, i can fix that pretty easily though. Just wanted to make sure folks were OK with using region (it's in the spec) http://specs.openstack.org/openstack/keystone-specs/specs/juno/keystone-to-keystone-federation.html	15:49
dolphm	dstanek: does anything else in openstack/requirements use zope.interface?	15:50
stevemar	dolphm, list of reqs: decorator, requests, paste, zope.interface, repoze.who, pycrypto, pytz, pyOpenSSL, python-dateutil	15:52
stevemar	time to look up wth zope is	15:52
dolphm	stevemar: it's kind of an extensive joke	15:52
stevemar	dolphm, seems like an elaborate extensive joke	15:53
dolphm	stevemar: ++	15:53
dstanek	dolphm: not that i know of	15:54
dstanek	stevemar: it's the joke that keeps on giving - has to be like 15 years now	15:54
stevemar	dstanek, dolphm python-dateutil, zope.interface, and repoze.who are not in global req.	15:55
dolphm	stevemar: something else could already depend on them though - i'm wondering if they'd be new to our pypi mirror & packagers	15:55
stevemar	dstanek, dolphm the pypi page also says you need xmlsec1 to sign/verify https://pypi.python.org/pypi/pysaml2 - we definitely want to put this under test-requirements :(	15:56
dolphm	stevemar: what's xmlsec1?	15:56
*** chandankumar has joined #openstack-keystone		15:57
stevemar	a binary that installable via apt-get, used to sign xml	15:57
openstackgerrit	guang-yee proposed a change to openstack/keystone-specs: X.509 SSL certificate authentication https://review.openstack.org/105913	15:59
dolphm	stevemar: well it's already in wheezy and fedora at least	15:59
*** hrybacki has quit IRC		16:03
marekd	dstanek: so, how bad pysaml2 is?	16:09
dstanek	marekd: overall i don't know - just crawling through it now; in general since it's optional even if it depends on some strange stuff it should be ok	16:11
marekd	stevemar: dstanek OK	16:12
*** afazekas_ has joined #openstack-keystone		16:14
stevemar	dstanek, marekd phew	16:15
marekd	stevemar: ?	16:15
stevemar	marekd, phew -> expressing a strong reaction of relief	16:15
marekd	ty	16:15
dolphm	phew is an onomatopoeia	16:17
openstackgerrit	guang-yee proposed a change to openstack/keystone: Standardizing the Federation Process https://review.openstack.org/105597	16:17
morganfainberg	henrynash, +2 on multitenancy spec	16:18
morganfainberg	henrynash, didn't +A so others can weigh in, but thanks for being aweosme and forcing the continued updates to make it solid	16:19
dstanek	dolphm: that brings me back the 8th grade English class	16:19
*** rushiagr is now known as rushiagr_away		16:20
*** marcoemorais has joined #openstack-keystone		16:21
*** rushiagr_away is now known as rushiagr		16:22
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Remove trust dependency on token_api https://review.openstack.org/109462	16:24
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Revoke by Audit Id / Audit Id Chain instead of expires https://review.openstack.org/114864	16:24
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Update AuthContextMiddleware to not use token_api https://review.openstack.org/113429	16:24
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Sync with oslo-incubator https://review.openstack.org/114863	16:24
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Remove wsgi and base controller dependency on token_api https://review.openstack.org/115205	16:24
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Remove identity_api dependency on token_api https://review.openstack.org/115045	16:24
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Add audit ids to tokens https://review.openstack.org/114306	16:24
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Remove SAML2 plugin dependency on token_api https://review.openstack.org/115012	16:24
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Notification Constant Cleanup and internal notify type https://review.openstack.org/115337	16:24
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Remove assignment_api dependency on token_api https://review.openstack.org/115338	16:24
gyee	morganfainberg, wow, how did you manage to push all the patches at the same time?	16:25
marekd	gyee: dependencies, i think :-)	16:25
gyee	awesome	16:26
morganfainberg	gyee, it's been rebases and it's a massive patch chain	16:26
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Add __repr__ to KeystoneToken model https://review.openstack.org/113430	16:26
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Add extra guarding to revoke_by_audit_id methods https://review.openstack.org/115147	16:26
gyee	for a moment I thought morganfainberg is a alien with 20 fingers	16:26
gyee	:D	16:26
morganfainberg	gyee, https://review.openstack.org/#/q/status:open+branch:master+topic:bp/non-persistent-tokens,n,z	16:26
gyee	hierarchical multiprojectcy looks awesome	16:27
morganfainberg	and there are maybe another 4-5 patches to go in the chain	16:27
gyee	++ for taking out the reseller lingo	16:27
marekd	stevemar: I couldn't understand what you meant in samlzie tests: "Match generated key text to key that was used"	16:33
openstackgerrit	Marek Denis proposed a change to openstack/keystone: Transform a Keystone token to a SAML assertion https://review.openstack.org/110542	16:34
marekd	dstanek: stevemar: rodrigods: ^^ some minor fixes	16:35
stevemar	marekd, just that the signature value should match that of the key that was used to sign it	16:36
*** RicoLin has quit IRC		16:42
*** gokrokve_ has joined #openstack-keystone		16:43
*** RicoLin has joined #openstack-keystone		16:44
openstackgerrit	Marek Denis proposed a change to openstack/keystone: IdP SAML Metadata generator https://review.openstack.org/114850	16:46
dstanek	stevemar: check out the size of this file https://github.com/rohe/pysaml2/blob/master/tests/InCommon-metadata.xml	16:47
*** gokrokve has quit IRC		16:47
*** RicoLin has quit IRC		16:48
stevemar	lol	16:49
stevemar	dstanek, jeez	16:49
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Remove oauth controller dependency on token_api https://review.openstack.org/115343	16:49
*** RicoLin has joined #openstack-keystone		16:49
stevemar	dstanek, looks like he has the metadata for a bunch of universities	16:50
henrynash	morganfainberg; np…yep, I think it is pretty solid now	16:51
*** harlowja_away is now known as harlowja		16:56
morganfainberg	oh .. wonderful	16:58
morganfainberg	someone broke versionutils.deprecated to only work with functions or classes, you can't apply it now programatically to methods on objects	16:58
* ayoung still trying to move Kerberos client patch to jamies new requests replacement for httpretty. accepting help		17:00
marekd	stevemar: lol, at least he has pysaml2 tested	17:01
stevemar	marekd, thats for sure	17:05
mhu	marekd, are there any plans for a saml2scopedtoken plugin in keystoneclient ?	17:09
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Mark methods on token_api deprecated https://review.openstack.org/115347	17:11
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Mark methods on token_api deprecated https://review.openstack.org/115347	17:16
marekd	mhu: how about this: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/contrib/auth/v3/saml2.py#L428 ?	17:17
marekd	mhu: and wrapper: https://gist.github.com/zaccone/509136cfa1c4efca6926	17:18
openstackgerrit	A change was merged to openstack/keystone: Fixes an issue with the XMLEquals matcher https://review.openstack.org/109177	17:18
ayoung	jamielennox, you awake yet?	17:19
stevemar	dstanek, congrats! finally got that xml fix merged!	17:20
dstanek	stevemar: about time!	17:22
*** amirosh has joined #openstack-keystone		17:29
*** hrybacki has joined #openstack-keystone		17:31
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Non-persistent Token Driver https://review.openstack.org/115355	17:37
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Non-persistent Token Driver https://review.openstack.org/115355	17:37
* morganfainberg takes a short break before meeting		17:38
*** chandankumar has quit IRC		17:39
*** shakamunyi has quit IRC		17:39
morganfainberg	bleh.	17:43
openstackgerrit	Marek Denis proposed a change to openstack/identity-api: Add SAML generation route to OS-FEDERATION https://review.openstack.org/113998	17:47
*** hrybacki has quit IRC		17:48
*** tomoiaga has quit IRC		17:52
*** dims has joined #openstack-keystone		17:56
*** jsavak has joined #openstack-keystone		17:57
*** radez is now known as radez_g0n3		17:58
*** joesavak has quit IRC		17:59
openstackgerrit	A change was merged to openstack/python-keystoneclient: Make auth plugins dest save to os_ https://review.openstack.org/114435	18:00
*** joesavak has joined #openstack-keystone		18:00
* morganfainberg does the meeting dance: (>'-')> <('-'<) ^(' - ')^ <('-'<) (>'-')>		18:01
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements https://review.openstack.org/111620	18:02
*** jsavak has quit IRC		18:02
*** amirosh has quit IRC		18:03
openstackgerrit	henry-nash proposed a change to openstack/keystone: Implements backend for policy endpoint extension https://review.openstack.org/115362	18:04
*** radez_g0n3 is now known as radez		18:05
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/114067	18:07
*** hrybacki has joined #openstack-keystone		18:08
*** browne has joined #openstack-keystone		18:10
*** shakamunyi has joined #openstack-keystone		18:11
openstackgerrit	henry-nash proposed a change to openstack/keystone: Implements backend for policy endpoint extension https://review.openstack.org/115362	18:14
*** aix has quit IRC		18:15
openstackgerrit	Boris Pavlovic proposed a change to openstack/python-keystoneclient: Add shell --profile option to tirgger osprofiler from CLI https://review.openstack.org/114856	18:26
boris-42	ayoung ping	18:27
*** radez is now known as radez_g0n3		18:28
*** chandankumar has joined #openstack-keystone		18:28
ayoung	boris-42, keystone meeting now...but yes?	18:29
boris-42	ayoung heh I would discuss profiler stuff feature=)	18:29
boris-42	future*	18:29
boris-42	ayoung maybe meeting is proper place ;p	18:30
*** shakamunyi has quit IRC		18:30
ayoung	#openstack-meeting	18:30
*** dims has quit IRC		18:37
*** gokrokve has joined #openstack-keystone		18:40
*** shakamunyi has joined #openstack-keystone		18:44
*** gokrokve_ has quit IRC		18:44
*** gokrokve has quit IRC		18:45
*** david-ly_ has joined #openstack-keystone		18:50
*** david-lyle has quit IRC		18:51
*** rushiagr is now known as rushiagr_away		18:54
*** dims has joined #openstack-keystone		19:00
*** dims has quit IRC		19:00
*** dims has joined #openstack-keystone		19:01
boris-42	dolphm so lemme take a look at your comments	19:02
boris-42	dolphm I really don't see big issues to put in default pipeline	19:02
boris-42	dolphm really, it is stuff on demand	19:03
dstanek	dolphm: i like the idea of not having an enabled setting	19:03
bknudson	when someone complains about how slow keystone is I'll just point them at this.	19:03
ayoung	boris-42, I hear your frustration. I've been through that thought process myself. But profilin is not normal operations, and should not be enabled in a default configuration. The same is true of the Linux Kernel, of any application, etc. Adding it to the pipeline is not a major roadblock if you need to profile. If you add it to paste in devstack, I would throw my support behind it.	19:03
dolphm	ayoung: ++	19:03
dolphm	it should be in devstack by default	19:03
boris-42	ayoung I need to call this function	19:03
boris-42	like tinykitty	19:03
dolphm	but not in every project's sample configuration file	19:03
boris-42	instead of profiler	19:04
boris-42	I created this for production clouds and Operators	19:04
boris-42	specially	19:04
ayoung	boris-42, let it be the operators decision to deploy it.	19:04
dolphm	bknudson: SELECT 1; # SQL needs a better built in expression for DATABSE ARE YOU STILL THERE;	19:04
boris-42	ayoung they can remove it from api-paste ini	19:04
boris-42	if they would	19:04
boris-42	or just put enabled = no	19:05
boris-42	why removing it?	19:05
dolphm	bknudson: http://www.youtube.com/watch?v=Kgrt7XZ-BQw	19:05
*** dims has quit IRC		19:05
ayoung	boris-42, because it has the potential, no matter how well reviewed, to leak sensitive data, and Keystone is very security focused.	19:06
ayoung	boris-42, and profiling touches everything	19:06
bknudson	ayoung: it does leak sensitive data... it's got the token in the database update	19:06
ayoung	as I said...	19:07
dolphm	along with password queries	19:07
*** amirosh has joined #openstack-keystone		19:07
dolphm	although those are hashed	19:07
dolphm	nevermind	19:07
boris-42	dolphm bknudson ayoung	19:07
boris-42	guys	19:07
dolphm	/v3/credentials, ec2 keys, etc	19:07
boris-42	can we keep it enabled=False	19:07
boris-42	in api-paste.ini	19:07
dolphm	boris-42: and excluded from the default pipeline	19:08
boris-42	so no data will be send	19:08
dstanek	hashed or not if you get your hands on all of the hashes you could be in trouble	19:08
boris-42	dolphm this will make really hard to use it..	19:08
*** gyee has quit IRC		19:08
raildo	ayoung: What is Openstack Silicon Valley?	19:08
dolphm	boris-42: you just explained how easy it was to remove it, it's the same tiny little hurdle to enable it	19:08
raildo	its like a summit?	19:08
boris-42	dolphm https://github.com/stackforge/osprofiler/blob/master/osprofiler/web.py#L98-L99	19:08
boris-42	dolphm heh did you try to say customer to restart his serviers?	19:09
boris-42	services?)	19:09
boris-42	it's really buthurt	19:09
boris-42	dolphm but okay as you wish	19:09
boris-42	dolphm but you'll need to wait about 1 year	19:09
boris-42	dolphm to get this in gates	19:10
boris-42	dolphm if you are ok with this I will remove	19:10
dolphm	boris-42: i'm not in a rush, but it'll be nice when it happens	19:10
boris-42	dolphm can I left then it enabled at least?	19:10
boris-42	dolphm if it is not in pipelines then it doesn't make any sesne	19:10
*** hrybacki has quit IRC		19:11
morganfainberg	boris-42, getting things into gate isn't that hard to do. but it does take time. I'd rather see this off by default and something that can be enabled when appropriate	19:12
dstanek	boris-42: is there any reason why the middleware does't do the setup? and then you don't need the enabled config value	19:12
dolphm	boris-42: i don't think there should be a hard dependency on osprofiler	19:12
boris-42	morganfainberg this will take a lot)	19:12
dstanek	boris-42: are they against it?	19:13
*** harlowja has quit IRC		19:13
boris-42	dstanek could you elaborate	19:13
boris-42	dstanek please at least left it in requiremnts	19:13
*** harlowja has joined #openstack-keystone		19:13
boris-42	dolphm ^	19:13
boris-42	dolphm it is really super tiny library	19:13
*** david-ly_ is now known as david-lyle		19:13
dstanek	boris-42: why would this be harder for infra than other things?	19:13
openstackgerrit	ayoung proposed a change to openstack/python-keystoneclient: Initial kerberos plugin implementation. https://review.openstack.org/74974	19:13
*** bklei has joined #openstack-keystone		19:13
*** henrynash has quit IRC		19:14
boris-42	dstanek cause you need to provide via devstack-gate	19:14
boris-42	dstanek this thing	19:14
boris-42	dstanek for example putting 1 argument to change CEILIMETER notifications topics	19:14
boris-42	dstanek took about 1 month	19:14
boris-42	dstanek this will be harder to change	19:14
boris-42	dstanek and will take much more time	19:14
*** Guest64178 is now known as med_		19:14
*** med_ has joined #openstack-keystone		19:14
*** med_ is now known as medberry		19:14
openstackgerrit	Jamie Lennox proposed a change to openstack/keystone: Create authentication specific routes https://review.openstack.org/114903	19:15
boris-42	dstanek to be honest I don't know how to change this	19:15
boris-42	dstanek so some R&D will be required	19:15
*** zzzeek has quit IRC		19:15
dstanek	boris-42: i would imagine that it's a tweak to whatever infra uses to roll out the paste configs	19:16
boris-42	dstanek I don't know I just say that it will take a lot of time	19:16
boris-42	dstanek I don't say that it is impossible	19:16
boris-42	dstanek if keystone team is ready to wait it's OK	19:16
morganfainberg	dstanek, it's a devstack change, in reality i don't even thing devstack-gate needs an update to make it work if devstack accepts it by default	19:17
boris-42	dolphm it can't be in test requirments	19:17
dolphm	boris-42: sure it can	19:17
dstanek	boris-42: that's where our optional deps go	19:17
boris-42	dstanek the issue is next	19:17
*** zzzeek has joined #openstack-keystone		19:17
boris-42	it is lib	19:18
morganfainberg	zzzeek, hiya! had a question for you...	19:18
boris-42	that is imported in code	19:18
morganfainberg	zzzeek, i.. crap, let me figure out what i was going to ask...	19:18
morganfainberg	zzzeek was a SQLA question.	19:18
dstanek	boris-42: i think we can fix that	19:18
boris-42	https://review.openstack.org/#/c/103368/16/keystone/common/sql/core.py	19:18
boris-42	how you are going to fix this?	19:18
morganfainberg	boris-42, try: import ?	19:19
boris-42	morganfainberg dstanek dolphm guuuys	19:19
boris-42	realy	19:19
boris-42	who cares is it optional or not??	19:19
dolphm	boris-42: basically everyone downstream from us	19:19
boris-42	I mean really it's super tiny lib	19:20
dolphm	so: us	19:20
boris-42	that is created for openstack	19:20
dstanek	boris-42: have other projects already gone through this?	19:20
boris-42	and if it is not inited it doesn't do anything	19:20
boris-42	dstanek glance	19:20
dolphm	boris-42: it doesn't matter how subjectively small or large it is	19:20
boris-42	dstanek it has enabled it by defult	19:20
boris-42	dstanek cinder is comming	19:20
boris-42	dstanek so but it should and can be used by production	19:20
boris-42	dolphm ^	19:21
dolphm	boris-42: that's not justifiable logic	19:21
dolphm	things can be used in production that are optional	19:21
morganfainberg	i'd argue it should be off by default everywhere	19:21
boris-42	dolphm btw actually it will be mostly always installed	19:21
morganfainberg	not just in keystone, but i only get to have a say when it comes to Keystone	19:22
boris-42	morganfainberg why cause it's called osprofiler and not tinykititty?	19:22
morganfainberg	boris-42, because profiling is optional behavior	19:22
boris-42	morganfainberg yep	19:22
boris-42	morganfainberg and it's on demand	19:22
dolphm	what is with the kitty reference	19:22
morganfainberg	boris-42, it should be opt-in not opt-out	19:22
boris-42	morganfainberg but it's on demand	19:22
boris-42	morganfainberg not on every request	19:22
boris-42	morganfainberg and only for admins	19:22
morganfainberg	boris-42, but it has security ramifications still	19:23
morganfainberg	it can leak data.	19:23
dstanek	boris-42: but operators can make that decision	19:23
morganfainberg	and o.. what dstanek said	19:23
boris-42	dstanek yep I didn't make it NON turnoff able	19:23
boris-42	dstanek so if somebody would like to turn it off it can be easily done	19:23
dolphm	boris-42: this isn't a particularly debatable point - and i think you understand why it should not be enabled.	19:23
morganfainberg	boris-42, by that logic, if someone wants to turn it on, it's super easy to do	19:23
boris-42	morganfainberg it's super hard	19:24
dolphm	boris-42: see point 5 http://dolphm.com/reviewing-code/	19:24
boris-42	morganfainberg you are not allowed to restart services in production but OK	19:24
*** gokrokve has joined #openstack-keystone		19:24
morganfainberg	boris-42, turning it off also requires restarting services. so it isn't easy to turn off	19:24
dstanek	boris-42: i'm assuming that to get the code for this feature they	19:24
dstanek	ll upgrade and restart	19:24
boris-42	dolphm guys can I remove default pipes	19:25
boris-42	dstanek and we will get this change in?	19:25
boris-42	dstanek dolphm ^	19:25
dolphm	boris-42: i've already shared my views in code review	19:25
boris-42	dolphm so I need to remove it from requirments?	19:25
boris-42	even if it will make code dirty	19:27
dolphm	boris-42: i would appreciate osprofiler being an optional dependency	19:27
boris-42	dolphm I can do that, but I'll be unhappy..	19:28
dolphm	boris-42: again, see point 5 http://dolphm.com/reviewing-code/	19:29
boris-42	dolphm you see, I have some points in my list as well.. Like if something requires confiugtaion it doesn't work	19:30
boris-42	dolphm and so on=)	19:30
boris-42	dolphm this thing requires configuration => osprofiler doesn't work in keystone	19:30
dolphm	boris-42: strong documentation	19:30
boris-42	dolphm it works when you are making 100 lines of code application, but not when you have 20 projects with 100 services	19:30
boris-42	dolphm and 4000 conf options	19:30
boris-42	it's really hard to being expert in all projects in all services in all conf options	19:31
boris-42	to get everything work	19:31
dolphm	boris-42: fortunately we don't have 100 hard dependencies on optional features	19:31
boris-42	but as I said, I'll do as you ask	19:31
dolphm	ayoung, bknudson, dstanek, jamielennox, morganfainberg, stevemar, gyee, henrynash, lbragstad: i meant to share during the meeting, but if you're looking for juno-3 reviews, i'm going to maintain a list here through juno-rc1 https://gist.github.com/dolph/651c6a1748f69637abd0	19:33
dolphm	hopefully this will be nothing but review links by the end of the week	19:33
lbragstad	dolphm: cool, thanks	19:33
morganfainberg	dolphm, ++	19:34
lbragstad	all, btw bug reports for this week are looking good, http://50.56.175.133/keystone-bug-reports/	19:34
stevemar	dolphm, nice	19:34
dolphm	lbragstad: i totally glazed over your new section until the very end of the meeting :(	19:34
lbragstad	new bugs have at least been acknowledged and most are in progress	19:34
stevemar	dolphm, i'll add comments, missing some i think	19:34
morganfainberg	really generate_sample has no effect on os x"?	19:34
dolphm	lbragstad: i'm not used to having subsections :P	19:34
*** RicoLin has quit IRC		19:34
lbragstad	dolphm: no worries, it's just there for reference	19:35
dolphm	morganfainberg: none	19:35
morganfainberg	hmm	19:35
dolphm	morganfainberg: something it's calling at the end uses different options in the bsd build	19:35
morganfainberg	but the generate sample from tox works	19:35
dolphm	morganfainberg: not for me	19:35
lbragstad	it's setup to generate a new report every 15 minutes,	19:35
*** amirosh has quit IRC		19:35
morganfainberg	hhhhhhmmmmm	19:35
jamielennox	bknudson: i wanted to get your opinion on the newer https://review.openstack.org/#/c/90632/ and the follow up	19:36
dolphm	morganfainberg: the python version works fine	19:36
dolphm	but there's bknudson's sort order issue with it	19:36
morganfainberg	dolphm, oh is that the new thing?	19:36
boris-42	dolphm actually do we need my patch tne?	19:37
dolphm	morganfainberg: yeah, i have a patch in gerrit for keystone to use it	19:37
boris-42	dolphm I mean it doesn't add antyhing..	19:37
morganfainberg	dolphm, ah	19:37
boris-42	dolphm just changes test-requriments.txt	19:37
bknudson	jamielennox: is it going to work now? you had a -1 on it since... tenant_id in nova endpoint?	19:37
boris-42	dolphm I really don't see any benefit ..	19:37
openstackgerrit	Henrique Truta proposed a change to openstack/keystone: Base methods to handle hierarchical projects https://review.openstack.org/111841	19:37
openstackgerrit	Henrique Truta proposed a change to openstack/keystone: Add parent_project_id field https://review.openstack.org/111840	19:37
*** bklei has quit IRC		19:37
openstackgerrit	Henrique Truta proposed a change to openstack/keystone: Create, update and delete hierarchical projects https://review.openstack.org/111842	19:37
boris-42	dolphm if there is proper documentation people just can make hot patches	19:37
jamielennox	bknudson: so i made it a regexp so i think we can at least write a rule to accept tenant_id	19:37
jamielennox	bknudson: the problem is the build back up	19:37
dolphm	boris-42: ... if you don't need to integrate with any other service, then why are you?	19:38
boris-42	dolphm ?	19:38
dolphm	boris-42: maybe i don't understand your question	19:38
boris-42	dolphm other services are agree to accept it on normal basis	19:38
jamielennox	bknudson: so if i want to use nova v3 and i get a nova v1 endpoint, then i strip off the path including tenant id, then i want to use v3 which lets assume still contains a tenant_id in the url	19:38
boris-42	dolphm I mean the idea was next	19:38
boris-42	dolphm make it work out of box	19:38
boris-42	dolphm but turn off able	19:38
dolphm	boris-42: this conversation has gotten expensive	19:39
boris-42	dolphm and make teams work on required points	19:39
jamielennox	it means we can't just append the URL we find from discovery, we need to append extra stuff	19:39
bknudson	jamielennox: is it some kind of nova plugin that handles nova endpoints?	19:39
morganfainberg	dolphm, just ran tox -esample_config which calls {toxinidir}/tools/config/generate_sample.sh and it updated the sample config	19:39
morganfainberg	dolphm or is it ony broken on the new one?	19:39
boris-42	dolphm e.g. special good points for specific places..	19:39
boris-42	dolphm and in keystone there is no points except DB and middleware	19:39
morganfainberg	dolphm, eh doesn't matter more important fish to fry :)	19:39
jamielennox	bknudson: it's not a plugin - i was thinking maybe the client could register it's own hacks but i'm not sure how reasonable that is	19:39
boris-42	dolphm middleware should be removed, requirements should be removed, DB is just 2 lines of code	19:39
dolphm	boris-42: great	19:40
boris-42	dolphm so abonding patches/	19:40
boris-42	?	19:40
bknudson	jamielennox: ok, I'll take a look at it with that in mind	19:40
jamielennox	bknudson: so have a look at the follow u to that which is marked WIP	19:40
dolphm	morganfainberg: it's been broken for me as long as it's been in keystone	19:40
morganfainberg	dolphm, weird.	19:40
dolphm	morganfainberg: i'm on OS X 10.9 atm	19:40
zzzeek	morganfainberg: sup	19:40
morganfainberg	dolphm, same, and nullptr:ks2 morgan$ brew list	19:40
morganfainberg	gdbmgettextopensslpythonreadlinesqlite	19:40
morganfainberg	zzzeek, i can't remember the question :( sorry	19:41
zzzeek	:)	19:41
boris-42	dolphm abandoned this patch sorry for taking too much time..	19:44
openstackgerrit	Raildo Mascena de Sousa Filho proposed a change to openstack/identity-api: API documentation for Hierarchical Multitenancy https://review.openstack.org/111355	19:51
openstackgerrit	ayoung proposed a change to openstack/python-keystoneclient: Initial kerberos plugin implementation. https://review.openstack.org/74974	19:54
*** chandankumar has quit IRC		19:56
*** RicoLin has joined #openstack-keystone		19:58
stevemar	dolphm, i don't understand your email re: tempfile, the docs only say mktemp is a security issue	19:59
stevemar	NamedFile and mkstemp are OK	19:59
dstanek	morganfainberg: you around?	20:05
openstackgerrit	A change was merged to openstack/keystonemiddleware: Updated from global requirements https://review.openstack.org/114059	20:09
*** andreaf_ has joined #openstack-keystone		20:11
dstanek	mkstemp should be ok to use, but is there anyway to get around needing a temp file at all?	20:11
*** gordc has quit IRC		20:11
*** andreaf_ has quit IRC		20:12
*** gordc has joined #openstack-keystone		20:12
*** andreaf_ has joined #openstack-keystone		20:12
*** andreaf_ has quit IRC		20:12
*** andreaf_ has joined #openstack-keystone		20:13
*** andreaf has quit IRC		20:14
morganfainberg	dstanek, hey	20:17
morganfainberg	dstanek whats up	20:17
morganfainberg	dstanek was about to grab lunch but am here for a moment	20:17
openstackgerrit	Morgan Fainberg proposed a change to openstack/identity-api: Update revoke-ext https://review.openstack.org/114857	20:18
dstanek	morganfainberg: was going through your audit_id reviews, but i answered by own question	20:18
morganfainberg	dstanek, cool	20:18
stevemar	dolphm, bknudson question for y'all, if i want to add new a "New in Version X.Y" for OS-FEDERATION... what should X.Y be?	20:22
stevemar	should it follow keystone's 3.3?	20:22
bknudson	stevemar: each extension has its own version	20:22
bknudson	I think this would be 1.1	20:22
stevemar	bknudson, so 1.1?	20:22
stevemar	alrighty	20:23
openstackgerrit	Steve Martinelli proposed a change to openstack/identity-api: Add SAML generation route to OS-FEDERATION https://review.openstack.org/113998	20:28
stevemar	bknudson, for you sir ^	20:28
openstackgerrit	A change was merged to openstack/keystone: Use python convention for function names in test_notifications https://review.openstack.org/114811	20:30
openstackgerrit	Steve Martinelli proposed a change to openstack/identity-api: Update region entries to include URLs https://review.openstack.org/114118	20:33
*** gyee has joined #openstack-keystone		20:36
*** dims has joined #openstack-keystone		20:37
*** dims has quit IRC		20:45
*** shakamunyi has quit IRC		20:46
*** andreaf_ has quit IRC		20:54
*** andreaf_ has joined #openstack-keystone		20:54
*** andreaf_ has quit IRC		20:54
openstackgerrit	Steve Martinelli proposed a change to openstack/keystone: Transform a Keystone token to a SAML assertion https://review.openstack.org/110542	20:56
stevemar	dstanek, thanks for the suggestions, included a few here ^	20:56
openstackgerrit	ayoung proposed a change to openstack/python-keystoneclient: Initial kerberos plugin implementation. https://review.openstack.org/74974	21:05
*** browne has quit IRC		21:05
*** browne has joined #openstack-keystone		21:06
*** samuelmz has quit IRC		21:08
marekd	stevemar: i have comments for you on https://review.openstack.org/#/c/110542/	21:09
marekd	dolphm: ^^ for you too	21:09
stevemar	marekd, ughhh	21:10
marekd	stevemar: i'd wait for Dolph....	21:10
*** jasondotstar has quit IRC		21:11
*** rodrigods has quit IRC		21:11
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Enumerate Projects with Unscoped Tokens https://review.openstack.org/106838	21:12
*** henrique_ has quit IRC		21:12
*** gabriel-bezerra has quit IRC		21:13
*** gabriel-bezerra has joined #openstack-keystone		21:13
dstanek	marekd: looks like you beat me to it	21:13
*** raildo has quit IRC		21:13
*** rodrigods has joined #openstack-keystone		21:14
*** rodrigods has quit IRC		21:14
*** rodrigods has joined #openstack-keystone		21:14
marekd	dstanek: hum?	21:14
*** henrique_ has joined #openstack-keystone		21:14
*** raildo has joined #openstack-keystone		21:14
dstanek	marekd: https://review.openstack.org/#/c/110542	21:14
*** samuelmz has joined #openstack-keystone		21:15
openstackgerrit	Marek Denis proposed a change to openstack/keystone: IdP SAML Metadata generator https://review.openstack.org/114850	21:18
marekd	dstanek: stevemar do you mind making a first iteraion on this one? ^^ ?	21:18
stevemar	yep, it's on my list	21:18
marekd	stevemar: thanks!	21:20
dstanek	marekd: sure	21:22
*** marekd is now known as marekd\|away		21:23
*** fifieldt has quit IRC		21:27
*** gokrokve has quit IRC		21:28
*** henrynash has joined #openstack-keystone		21:37
*** henrynash has quit IRC		21:37
dstanek	morganfainberg: got a new quesiton when you have a few	21:37
*** fifieldt has joined #openstack-keystone		21:41
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Auth plugin serialization https://review.openstack.org/113163	21:41
morganfainberg	dstanek, back	21:44
morganfainberg	dstanek, just finished lunch	21:45
morganfainberg	dstanek, what can i answer for you	21:45
*** gokrokve has joined #openstack-keystone		21:45
openstackgerrit	Thiago Paiva Brito proposed a change to openstack/keystone: Create, update and delete hierarchical projects https://review.openstack.org/111842	21:46
morganfainberg	dstanek, answered your question on the identity-api review	21:49
morganfainberg	(inline)	21:49
dstanek	morganfainberg: that's basically what i wanted to ask about	21:51
*** diegows has joined #openstack-keystone		21:51
dstanek	morganfainberg: what is the expected value of that list if the token is a re-scoped token or a re-scoped token?	21:52
morganfainberg	[<audit id of this token>, <audit id of the first token in the chain>]	21:53
morganfainberg	dstanek, if the token is the first in the chain it'll be [<audit id of this token>]	21:53
morganfainberg	dstanek, basically i'm doing the same thing that expires_at is doing, just with the audit ids, (and adding a unique id for the current token)	21:54
dstanek	morganfainberg: token1 is ['token1-audit_id'], token2 is ['token2-audit_id', 'token1-audit_id'], is token3 the same as token2?	21:56
morganfainberg	dstanek, token three would be ['token-3-audit-id', 'token1-audit-id']	21:57
dstanek	oh, i see that now in the token plugin	21:58
morganfainberg	yeah	21:58
morganfainberg	it lets us track a group of tokens, but not create an unbounded dataset	21:58
openstackgerrit	Brant Knudson proposed a change to openstack/keystone-specs: Hierarchical Multitenacy https://review.openstack.org/101017	21:59
openstackgerrit	Brant Knudson proposed a change to openstack/keystone-specs: Fix rst issues in hierarchical multitenancy https://review.openstack.org/115411	21:59
dstanek	i've browsed the first few patches in the chain and i think i'm getting lost in them now :-)	21:59
bknudson	oops, I just rebased https://review.openstack.org/101017.	22:00
morganfainberg	dstanek, how do you think i felt when i ran into a bug 5 deep and realized it was in the first... or was that the second...or was it the 5th patch	22:00
uvirtbot	Launchpad bug 5 in launchpad "Plone Placeless Translation Service metadata missing from po files" [Low,Fix released] https://launchpad.net/bugs/5	22:00
*** gokrokve has quit IRC		22:00
morganfainberg	bknudson, nbd. those don't take long to pass check	22:00
morganfainberg	uvirtbot, good bot, keep up the work!	22:00
uvirtbot	morganfainberg: Error: "good" is not a valid command.	22:00
morganfainberg	lol	22:01
bknudson	if only there were 5 bugs.	22:01
morganfainberg	dstanek, could smush them all together into a mega patch if that would help :P it's only ~1500 lines of change :P	22:01
dstanek	morganfainberg: yes please!	22:02
morganfainberg	dstanek, for the most part all of these changes affect only one system so review it like that	22:02
morganfainberg	dstanek, e.g. identity_core	22:02
morganfainberg	dstanek, except the auth context one. that one touches a lot of stuff	22:03
*** jsavak has joined #openstack-keystone		22:04
openstackgerrit	A change was merged to openstack/keystone: Enable filtering of credentials by user ID https://review.openstack.org/113232	22:05
*** gordc has quit IRC		22:07
*** joesavak has quit IRC		22:07
*** joesavak has joined #openstack-keystone		22:08
*** gordc has joined #openstack-keystone		22:08
*** jsavak has quit IRC		22:09
openstackgerrit	A change was merged to openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/114067	22:10
*** gokrokve has joined #openstack-keystone		22:12
*** HenryG_ has joined #openstack-keystone		22:17
openstackgerrit	Steve Martinelli proposed a change to openstack/keystone: Create SAML generation route and controller https://review.openstack.org/114138	22:18
openstackgerrit	Steve Martinelli proposed a change to openstack/keystone: Transform a Keystone token to a SAML assertion https://review.openstack.org/110542	22:18
*** nkinder has quit IRC		22:18
*** gokrokve has quit IRC		22:19
*** HenryG has quit IRC		22:19
*** gokrokve has joined #openstack-keystone		22:19
*** nkinder has joined #openstack-keystone		22:20
dstanek	morganfainberg: are there any tests in that patch that show that behavior?	22:21
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Allow unauthenticated discovery https://review.openstack.org/107570	22:21
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Make keystoneclient use an adapter https://review.openstack.org/97681	22:21
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Allow providing a default value to CLI loading https://review.openstack.org/113742	22:21
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Fix handling of deprecated opts in CLI https://review.openstack.org/113859	22:21
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Version independent plugins https://review.openstack.org/81147	22:21
morganfainberg	dstanek, which behavior?	22:21
morganfainberg	dstanek, only 2 audit ids?	22:22
dstanek	morganfainberg: yeah	22:22
morganfainberg	dstanek, the base unit tests are here: https://review.openstack.org/#/c/114306/7/keystone/tests/unit/token/test_token_data_helper.py and assertEqualTokens here https://review.openstack.org/#/c/114306/7/keystone/tests/test_auth.py	22:23
openstackgerrit	Steve Martinelli proposed a change to openstack/keystone: Transform a Keystone token to a SAML assertion https://review.openstack.org/110542	22:23
morganfainberg	dstanek, the assertEqualTokens explicitly checks for a len of < 3	22:23
openstackgerrit	Steve Martinelli proposed a change to openstack/keystone: Create SAML generation route and controller https://review.openstack.org/114138	22:23
*** gokrokve has quit IRC		22:24
stevemar	rebase-a-mania	22:24
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Make keystoneclient use an adapter https://review.openstack.org/97681	22:25
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Allow providing a default value to CLI loading https://review.openstack.org/113742	22:25
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Version independent plugins https://review.openstack.org/81147	22:25
morganfainberg	ugh. trying to unwind this: http://paste.openstack.org/show/97515/	22:32
morganfainberg	i...	22:32
*** henrynash has joined #openstack-keystone		22:37
*** harlowja has quit IRC		22:39
*** harlowja has joined #openstack-keystone		22:39
*** zzzeek has quit IRC		22:42
openstackgerrit	Steve Martinelli proposed a change to openstack/keystone: Add CADF notifications for role assignment create and delete https://review.openstack.org/112204	22:46
jamielennox	morganfainberg: oh, i remember that stuff - i didn't expect you'd have to mess with that, it's not fun	22:47
*** zzzeek has joined #openstack-keystone		22:47
morganfainberg	jamielennox, it's kinda making me cry some :(	22:47
jamielennox	morganfainberg: that was where my sec vuln came from, cause it's just a mess	22:47
morganfainberg	jamielennox, i'm really trying to not just completly re-write it	22:48
morganfainberg	because it'll be so freaking hard to follow	22:48
jamielennox	yep, there's no comments either	22:48
morganfainberg	oh god i am going to have to re-write it.	22:49
morganfainberg	there is no way around it.	22:49
jamielennox	i'm surprised it's impacting your stuff	22:49
jamielennox	i assume you mean around the non-persistent stuff	22:50
morganfainberg	basically, trying to conver things over to using the CMS data	22:50
morganfainberg	e.g. what we extract from a pki token is giving me hell. and it's all the awfulness that is the v2 stuff	22:50
morganfainberg	i'm going to need to completely re-write the v2 token provider bits :(	22:51
*** jorge_munoz has quit IRC		22:51
openstackgerrit	Jamie Lennox proposed a change to openstack/identity-api: API for auth-specific-data routes https://review.openstack.org/115423	22:51
openstackgerrit	Jamie Lennox proposed a change to openstack/keystone-specs: Add deprecation tasks to auth-specific-data https://review.openstack.org/115424	22:51
morganfainberg	and how important it is it to maintain compat with OOOOOLD tokens # token is created by old v2 logic	22:51
morganfainberg	like pre-provider logic	22:52
morganfainberg	i'm guessing we can ditch that code.	22:52
* morganfainberg is surprised we don't get other strange errors.		22:52
jamielennox	morganfainberg: keystone-lite-lite	22:53
dstanek	morganfainberg: i was hoping to see a test like this: http://paste.openstack.org/show/97524/	22:58
morganfainberg	dstanek, easy to add into the mix. can just stick it as a patch dependant on that one, if that works (the one adding audit_ids to tokens in the first place)	22:59
morganfainberg	dstanek, or if you really want i'm happy to stick that into the one you're looking at now	22:59
dstanek	morganfainberg: either way is fine with me	23:00
*** bknudson has quit IRC		23:01
*** shakamunyi has joined #openstack-keystone		23:02
*** gordc has quit IRC		23:02
*** vkmc has joined #openstack-keystone		23:04
*** browne has left #openstack-keystone		23:07
openstackgerrit	David Lyle proposed a change to openstack/keystone: Fixing simple type in comment https://review.openstack.org/115429	23:07
*** zzzeek_ has joined #openstack-keystone		23:08
*** zzzeek has quit IRC		23:08
*** zzzeek_ is now known as zzzeek		23:08
*** zzzeek has quit IRC		23:10
morganfainberg	dstanek, ok i'll include that test since i need to reroll the patch to address your and brant's comments	23:14
dstanek	morganfainberg: sounds good. thanks!	23:16
*** shakamunyi has quit IRC		23:18
*** joesavak has quit IRC		23:19
vkmc	dolphm, ayoung around?	23:22
*** shakamunyi has joined #openstack-keystone		23:33
*** toddnni has quit IRC		23:36
*** toddnni has joined #openstack-keystone		23:36
jamielennox	stevemar: you may as well comment on the changes to wording in the deprecate federation routes review because there is a newline in there that bknudson is going to pull me up on for sure	23:36
jamielennox	gyee: https://review.openstack.org/#/c/105314/8 is a refactor, what tests would you liek?	23:39
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Add audit ids to tokens https://review.openstack.org/114306	23:40
morganfainberg	dstanek, ^ that should address your comments and brant's	23:40
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Sync with oslo-incubator https://review.openstack.org/114863	23:40
gyee	jamielennox, no tests?	23:41
jamielennox	gyee: all i did was factor it into a class and subclass	23:41
jamielennox	there are existing tests that cover the cache	23:41
dstanek	morganfainberg: cool, i'll circle back in a bit; looking at https://review.openstack.org/#/c/114864 now, but will finish after dinner	23:42
*** HenryG_ is now known as HenryG		23:42
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Revoke by Audit Id / Audit Id Chain instead of expires https://review.openstack.org/114864	23:42
gyee	jamielennox, k, I'll double check on the existing tests. Seem like code change of this magnitude should at least come with some unit tests.	23:43
*** david-lyle has quit IRC		23:44
*** david-lyle has joined #openstack-keystone		23:45
*** david-lyle has quit IRC		23:45
gyee	morganfainberg, https://review.openstack.org/#/c/108384/8/keystonemiddleware/tests/test_auth_token_middleware.py	23:46
gyee	line 215	23:46
gyee	wtf's http code 418 I am a teapot?	23:46
jamielennox	gyee: it's an old review at this point that is just a nicety, i'm not commited to it	23:46
morganfainberg	gyee, lol	23:46
morganfainberg	gyee, april 1st RFC	23:46
gyee	morganfainberg, Stuart slip one in there :)	23:47
morganfainberg	looks like he did, i mean, it's useful for testing things that otherwise woulnd't be valid i guess	23:47
*** ncoghlan_afk is now known as ncoghlan		23:47
gyee	yeah, like the humor	23:48
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Add audit ids to tokens https://review.openstack.org/114306	23:49
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Sync with oslo-incubator https://review.openstack.org/114863	23:49
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Revoke by Audit Id / Audit Id Chain instead of expires https://review.openstack.org/114864	23:50
gyee	jamielennox, on my todo list, need to review your chain of patches for keystoneclient	23:50
jamielennox	gyee: appreciated, if you want to cheat there are a couple with a +2 on it already	23:50
*** ncoghlan is now known as ncoghlan_afk		23:51
gyee	morganfainberg, https://review.openstack.org/#/c/108384/ looks good	23:57
morganfainberg	gyee, cool	23:57

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!