Wednesday, 2015-02-18

« Tuesday, 2015-02-17 Index Thursday, 2015-02-19 »
*** ljfisher has quit IRC00:00
*** jaosorior has quit IRC00:01
*** ljfisher has joined #openstack-keystone00:02
*** henrynash has quit IRC00:07
*** abhirc has joined #openstack-keystone00:12
*** thedodd has quit IRC00:12
*** ljfisher has quit IRC00:18
*** ljfisher has joined #openstack-keystone00:19
*** abhirc has quit IRC00:21
*** r-daneel has quit IRC00:26
*** dims__ has quit IRC00:33
*** dims__ has joined #openstack-keystone00:33
*** dims__ has quit IRC00:33
*** dims__ has joined #openstack-keystone00:35
*** markvoelker has quit IRC00:37
*** markvoelker has joined #openstack-keystone00:37
*** browne has quit IRC00:37
*** ljfisher has quit IRC00:39
*** bknudson has quit IRC00:41
*** markvoelker has quit IRC00:42
*** david-lyle has quit IRC00:44
*** jasondotstar has quit IRC00:55
*** avozza is now known as zz_avozza00:58
*** zz_avozza is now known as avozza00:58
*** ncoghlan has joined #openstack-keystone01:03
openstackgerritMerged openstack/keystone: Remove incubator version of log and local  https://review.openstack.org/15478301:08
*** avozza is now known as zz_avozza01:08
adam_gjamielennox, still around?01:09
adam_gkeystoneclient question01:09
jamielennoxadam_g: yep01:09
openstackgerritMerged openstack/keystone: Move backend role tests into their own module  https://review.openstack.org/15642301:09
adam_gjamielennox, so im trying to migrate ironic away from directly creating Client objects and instead use a session everywhere it needs. i assume this is the preferred way moving forward?01:09
*** timcline has quit IRC01:13
*** timcline has joined #openstack-keystone01:14
jamielennoxadam_g: yes - that's prefered, and great01:16
adam_gjamielennox, cool. so my question is this: theres a case where an ironic service needs to validate a token has not expired, and get a new one if it has. i'm attempting to create a session with a given token, but can't seem to do any operations on that session without it reauthenticating and getting a new token. should i be doing this another way?01:17
jamielennoxadam_g: validate as in online validate?01:18
jamielennoxlike given a token fetch the data from keystone?01:18
*** timcline has quit IRC01:19
adam_gjamielennox, this is the existing check: https://git.openstack.org/cgit/openstack/ironic/tree/ironic/common/keystone.py#n13101:20
jamielennoxadam_g: ok - so you shouldn't need to do that any more. The session will fetch a new token for you when it is required01:21
*** zzzeek has quit IRC01:22
jamielennoxor at least if i'm reading this right you won't01:23
jamielennoxadam_g: ok - so the point of the session is to handle all this auth and token management for you01:23
adam_gjamielennox, well, in the ironic case it is needed (at least currently)01:23
adam_gthe server writes out an admin token to disk, thats later used by a provisioning node to callback to the api server when its ready to proceed with provisioning01:23
*** topol has joined #openstack-keystone01:23
*** ChanServ sets mode: +v topol01:24
jamielennoxthe _get_ksclient would be converted into an auth plugin, and then when attached to a session that's managed for you01:24
adam_gprior to writing it out, we do a check to see if it will expire during the provisioning process and, if so, refresh it01:24
jamielennoxah01:24
jamielennoxare you writing out the whole auth_ref object or just the token string?01:25
adam_gonly the token string currently01:25
*** timcline has joined #openstack-keystone01:25
jamielennoxso what you are currently doing (it looks like) is not reusing the token that's been written out, but using that token to fetch a new token01:25
jamielennoxand in the v3 case not even that - in v3 you are always using user/pass form conf01:26
jamielennoxoh - doh, misread that01:27
jamielennoxbut i think you are still doing a token exchange, rather than validating and reusing the old01:27
adam_gthis is the corresponding writeout code https://git.openstack.org/cgit/openstack/ironic/tree/ironic/drivers/modules/pxe.py#n25201:28
jamielennoxthey have a similar effect as the new token will be valid for the same period that the old one has remaining, but it is a new token01:28
adam_gtheres a timeout that we enforce on the time it will take for the node to callback to the API.. we refresh the token if it looks like it will expire before that timeout01:29
jamielennox ok, but still the way you are instantiating keystoneclient it will fetch a new token using the old one as authentication01:31
jamielennoxif you want to keep doing that you can use the ksc.auth.identity.[v2|v3].Token plugins01:31
adam_gso is the existing keystone.py token_expires_soon() not actually checking the expiry of the given token?01:31
*** zzzeek has joined #openstack-keystone01:31
adam_g(i didnt write the existing code, only trying to port it and it looks like thats the behavior /w the new sessions)01:32
jamielennoxyes and no01:32
jamielennoxwhen you use a token to get a new token the expiry will be set to the same as the old token01:32
jamielennoxso it's checking the expiry of the new token - which happens to equal the expiry of the old token01:33
adam_gim creating a token auth_plugin, using that to create the session. then trying to session.auth.get_auth_ref(self.session)01:33
jamielennoxbut there is another auth process in ther e01:33
adam_gjamielennox, oh, i think thats making sense to me now01:33
* adam_g goes to peak more at the returned auth_ref01:34
openstackgerritDolph Mathews proposed openstack/keystone: Use cryptography.fernet instead of python-keyczar  https://review.openstack.org/15665701:34
jamielennoxso what you are doing is very equivalent to the old code, and its trying to auth with that token as a credential01:35
adam_gjamielennox, ok, i got it now.01:36
adam_gjamielennox, thanks for clarifying. would mind sanity checking this when i push it for review tomorrowish?01:36
jamielennoxadam_g: sure01:37
jamielennoxadam_g: also makes me think how i have a patch that solves a very similar case to this which may have more general use than i first though01:37
jamielennoxnot ready yet though - sorry01:38
adam_g:P01:38
*** spandhe has quit IRC01:46
*** tqtran has joined #openstack-keystone01:47
openstackgerritDolph Mathews proposed openstack/keystone: Keystone Lightweight Tokens (KLWT)  https://review.openstack.org/14531701:48
openstackgerritDolph Mathews proposed openstack/keystone: Use cryptography.fernet instead of python-keyczar  https://review.openstack.org/15665701:48
*** rwsu is now known as rwsu-afk01:54
*** markvoelker has joined #openstack-keystone01:59
*** zz_avozza is now known as avozza01:59
jamielennoxayoung: here?02:03
*** stevemar has quit IRC02:09
*** david-lyle has joined #openstack-keystone02:11
*** richm has quit IRC02:12
*** timcline has quit IRC02:15
*** timcline has joined #openstack-keystone02:16
*** _cjones_ has quit IRC02:18
*** abhirc has joined #openstack-keystone02:18
*** timcline has quit IRC02:21
*** stevemar has joined #openstack-keystone02:22
*** ChanServ sets mode: +v stevemar02:22
*** timcline has joined #openstack-keystone02:24
*** erkules has joined #openstack-keystone02:28
*** erkules_ has quit IRC02:31
*** samueldmq has joined #openstack-keystone02:35
*** abhirc has quit IRC02:35
openstackgerritLin Hua Cheng proposed openstack/keystone: Remove parent_id in v2 token response  https://review.openstack.org/15686702:42
*** lhcheng has quit IRC02:46
*** avozza is now known as zz_avozza02:56
*** radez is now known as radez_g0n302:58
*** gyee has quit IRC03:06
*** browne has joined #openstack-keystone03:09
*** abhirc has joined #openstack-keystone03:10
*** boris-42 has quit IRC03:12
ayoungjamielennox, I should not be here.03:22
jamielennoxayoung: that's ok - i got it eventually03:22
*** harlowja_ is now known as harlowja_away03:22
jamielennoxayoung: i still fail as often as not with basic ldap commands03:22
ayounggood.  I'm going to bed.  I'm  taking the next two days off03:22
jamielennoxayoung: cool - enjoy03:23
ayoungso...let me know now if you have anything...03:23
ayoungskiing  tomorrow...we'll see on the following day.   School vacation.03:23
jamielennoxskiing... i'm sitting here sweating03:23
jamielennoxhaven't been skiing for years now03:24
jamielennoxayoung: have fun03:24
ayounghave to find some positive outlet for all the snow.  We've been hammered, as I am sure you've heard.03:25
jamielennoxyea, it made the news even here03:25
ayoungIs there any skiing in Australia, or do you have to head to NZ?03:25
jamielennoxthere's a patch of mountains down on the nsw/victoria border03:26
jamielennoxbut it's a fair way from everywhere and it's stupidly expensive03:26
jamielennoxreally have to dedicate a few days to make it worth it03:26
ayoungVancouver will be too late for ski season even up there03:27
ayoungThough I hear it is stellar skiing03:27
jamielennoxthey need to offset these summits by a few months03:27
jamielennoxIt'd be more interesting to go to vancouver in either proper summer, or deep winter03:28
ayounghttps://en.wikipedia.org/wiki/Mt_Norquay03:28
*** rushiagr_away is now known as rushiagr03:28
ayoungStill a good way from Vancouver, but if you are coming all the way from Australia during the season it would be worth the extra trip03:29
ayoungOK...bed03:29
*** ayoung has quit IRC03:29
*** samueldmq has quit IRC03:32
openstackgerritSam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate  https://review.openstack.org/15687003:33
stevemarbooooo on tokenless auth03:33
stevemarnow there is more to review :(03:34
*** david-lyle has quit IRC03:35
*** david-lyle has joined #openstack-keystone03:35
openstackgerritayoung proposed openstack/python-keystoneclient: Access Info  https://review.openstack.org/13851903:35
*** david-lyle has quit IRC03:40
*** dims__ has quit IRC03:49
morganfainbergstevemar, awww no more to review03:52
morganfainbergpooooooor you03:52
morganfainbergs/no more/more03:52
morganfainberg;)03:52
stevemarmorganfainberg, i'm beating the tokenless auth one down03:54
*** browne has quit IRC04:12
*** timcline has quit IRC04:18
*** stevemar has quit IRC04:20
*** david-lyle has joined #openstack-keystone04:22
*** david-lyle is now known as david-lyle_afk04:23
*** lhcheng has joined #openstack-keystone04:26
morganfainbergjamielennox, let me know if there are issues w/ -kerberos stuff04:28
morganfainbergit should be released04:28
morganfainbergwell crap04:29
morganfainbergwe messed up :(04:29
morganfainbergi'll need to clean this up04:29
morganfainbergwe missed the versionin04:29
morganfainberghttps://pypi.python.org/pypi/python-keystoneclient-kerberos/2a90b7804:29
morganfainbergi'll deal with this tmmrow04:29
*** stevemar has joined #openstack-keystone04:36
*** ChanServ sets mode: +v stevemar04:36
*** dims__ has joined #openstack-keystone04:50
*** dims__ has quit IRC04:54
openstackgerritLin Hua Cheng proposed openstack/keystone: Remove check_role_for_trust from sample policies  https://review.openstack.org/15676304:55
lhchengstevemar, hopefully bknudson will be happy with the last patch ^ :)05:04
*** _cjones_ has joined #openstack-keystone05:04
stevemarlhcheng, hopefully!05:04
lhchengI haven't set the deprecation warning before, is the setting "remove_in=+2" correct?05:05
openstackgerritMerged openstack/keystone: Drop foreign key (domain_id) from user and group tables  https://review.openstack.org/15648805:09
*** abhirc has quit IRC05:10
*** timcline has joined #openstack-keystone05:19
*** timcline has quit IRC05:24
*** timcline has joined #openstack-keystone05:29
*** timcline has quit IRC05:34
*** _cjones_ has quit IRC05:38
*** _cjones_ has joined #openstack-keystone05:39
openstackgerritLin Hua Cheng proposed openstack/keystone: On creation default service name to empty string  https://review.openstack.org/14696205:40
stevemarlhcheng, i believe so05:41
lhchengstevemar: cool, thanks for the review! :)05:41
stevemarlhcheng, now you have me wondering...05:42
lhchenghah05:42
*** zzzeek has quit IRC05:43
stevemarlhcheng, looks good: https://github.com/openstack/keystone/blob/18efc7827a2b6767182772134bd00d1c110de7f7/keystone/common/kvs/legacy.py#L49-L5205:43
stevemar:D05:43
lhchenglol thanks for checking!05:44
lhchengyou'll get a good sleep now05:44
lhcheng:)05:44
openstackgerritLin Hua Cheng proposed openstack/keystone: Implement validation on the Identity V3 API  https://review.openstack.org/13212205:46
openstackgerritSteve Martinelli proposed openstack/keystone: Removes unnecessary checks when cleaning a domain  https://review.openstack.org/14626405:46
*** lhcheng has quit IRC05:48
openstackgerritSteve Martinelli proposed openstack/keystone: Enable endpoint_policy, endpoint_filter and oauth by default  https://review.openstack.org/15384205:49
*** ajayaa has joined #openstack-keystone05:51
openstackgerritSteve Martinelli proposed openstack/keystone: Add CADF notifications for trusts  https://review.openstack.org/15186705:57
*** markvoelker has quit IRC06:03
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/15689506:04
*** markvoelker has joined #openstack-keystone06:04
*** lhcheng has joined #openstack-keystone06:04
*** lhcheng_ has joined #openstack-keystone06:05
*** lhcheng has quit IRC06:05
*** zz_avozza is now known as avozza06:05
*** tqtran has quit IRC06:05
lhcheng_stevemar: when you get a chance, can you take a look at : https://bugs.launchpad.net/python-openstackclient/+bug/141836906:07
openstackLaunchpad bug 1418369 in python-openstackclient "please support hypervisor servers command" [Medium,Triaged] - Assigned to Lin Hua Cheng (lin-hua-cheng)06:07
stevemarlhcheng_, sure06:08
lhcheng_stevemar, wondering if we should just close it.06:08
lhcheng_stevemar, thanks!06:08
stevemari remember looking at this one06:08
stevemarand was confused by what the author wanted06:08
*** markvoelker has quit IRC06:08
lhcheng_stevemar, I think he was looking for listing instances by hypervisor06:09
stevemarlhcheng_, so hypervisor-servers is essentially supported, in the form of server list --host vm-ubuntu06:10
stevemarwhat about hypervisor-stats, and hypervisor-uptime ?06:10
jamielennoxmorganfainberg: i don't understand - shouldn't it take the version number from the tag you pushed06:10
stevemari feel like we already report similar info already06:10
lhcheng_nope, that's another opportunity :)06:10
jamielennoxstevemar: you're being online later and later06:10
stevemarjamielennox, it's just 1am, :)06:11
stevemarjamielennox, i feel bad for not reviewing enough06:11
lhcheng_jamielennox, sshh there's two stevemar, this is the good one06:12
lhcheng_the guy that gives +2 in the evening06:12
lhcheng_:P06:12
stevemarlhcheng_, haha06:12
stevemarlhcheng_, compare hypervisor-stats, and hypervisor-uptime  to `os usage show` and `os usage list`06:12
stevemarif you can06:13
stevemari feel like they will be similar06:13
stevemari'll update the bug with that info06:13
lhcheng_stevemar: sure, I can do that.06:13
jamielennoxheh - he gets tired and just throws the +2 around06:13
lhcheng_If we need to add that, probably open it as separate bug to make the bug history cleaner06:14
stevemarlhcheng_, ++06:14
stevemarjamielennox, nah i just pick the easy ones at night to make me calm before sleep06:15
lhcheng_jamielennox, hah I should submit more code in the evening then :)06:15
jamielennoxalright - beach time06:15
jamielennoxlater all06:15
*** avozza is now known as zz_avozza06:15
lhcheng_jamielennox, have fun!06:16
stevemarjamielennox, have fun06:16
*** jamielennox is now known as jamielennox|away06:17
*** topol has quit IRC06:25
*** timcline has joined #openstack-keystone06:30
*** timcline has quit IRC06:34
stevemarlhcheng_, i think i'll add the failure case at the end of the chain06:43
stevemarlhcheng_, tired of rebasing :)06:43
lhcheng_stevemar: hah sure, that's fine :)06:43
stevemarand technically it's just about creating parity with the existing notifications06:44
stevemarlhcheng_, but yes, we technically can06:46
lhcheng_stevemar, hmm yeah. from that perspective, what we have now is fine.  the failure case could be treated as an enhancement06:47
stevemaryeah06:47
lhcheng_stevemar, sounds good to me06:47
stevemari'm writing up the code now, the code itself it easy, the test might take a while06:47
lhcheng_it's always the damn test :P06:48
marekdmorning.06:49
*** markvoelker has joined #openstack-keystone06:53
*** markvoelker has quit IRC06:58
stevemarmarekd, o/06:59
* marekd half eating half looking at websso patch06:59
openstackgerritMerged openstack/keystone: Fix tests to not load federation manager twice.  https://review.openstack.org/15606507:09
openstackgerritMerged openstack/keystone: Remove unnecessary code setting provider  https://review.openstack.org/15606907:09
stevemarmarekd, i expect nothing less07:10
openstackgerritMerged openstack/keystone: Wrap dependency registry  https://review.openstack.org/15607007:10
marekdstevemar: erm, did you actually manage to setup websso somewhere on a dev env?07:12
marekdstevemar: re: https://review.openstack.org/#/c/156509/ AFAIR morganfainberg advised service_providers should be included always (as long as there is something to include).07:15
*** mzbik has joined #openstack-keystone07:16
marekdstevemar: hm, docs say the other way round.07:16
marekdstevemar: i will in investigate it.07:17
marekd:P07:17
stevemarmarekd, i did07:17
stevemarwell, not me, but tqtran07:17
marekdstevemar: and what was the verdict?07:17
marekddid you double check with morgan ?07:17
stevemarmarekd, it worked, a few kinks with some of the menus on the side07:18
stevemardouble check what?07:18
marekdwhether we should add service_providers to the SC always, or only upon explicit request (by adding ?service_providers )07:18
*** pnavarro has joined #openstack-keystone07:21
stevemarmarekd, i didn't double check, i just assumed since we don't always return it with /token then why change the behviour07:21
*** _cjones_ has quit IRC07:23
*** _cjones_ has joined #openstack-keystone07:24
*** _cjones_ has quit IRC07:28
marekdstevemar: we don't always return it with token, but in fact this patch https://review.openstack.org/#/c/152659/10/keystone/catalog/core.py,cm proposes that we only skip service_providers if thhere are no enabled service providers.07:28
openstackgerritSteve Martinelli proposed openstack/keystone: Emit failure notifications for CADF audits events  https://review.openstack.org/15690507:30
stevemarlhcheng_, ^07:30
lhcheng_stevemar, you still not going to sleep? :P07:30
lhcheng_stevemar, that was fast!07:31
marekdlhcheng_: forget it.07:31
*** timcline has joined #openstack-keystone07:31
lhcheng_marekd, stevemar is in euro timezone now. so.. it is morning now07:31
stevemar:D07:31
stevemarso much to review!07:31
marekdyes, he switches zones.07:32
stevemarmarekd, so i understand what you mean, i can go either wy07:32
stevemarway07:32
marekdi will check with morgan, but i *think* I had asked him about that and we concluded "always include service providers"07:32
stevemarmarekd, find me the paper trail!07:33
stevemarmarekd, ever since your work with pysaml2 i trust you with file descriptors07:34
marekdstevemar: hehe :D07:34
marekdstevemar: it can be added in a followup patch, nothing serious i think.07:35
*** timcline has quit IRC07:35
stevemarmarekd, nice catch07:36
stevemarmarekd, np, i can fix now, i don't mind, no additional rebasing :P07:36
marekdstevemar: OK, thanks.07:36
marekdI guess I cannot +2 this since i am mentioned somewhere as a Co-Author :(07:36
openstackgerritSteve Martinelli proposed openstack/keystone: Add WebSSO support for federation  https://review.openstack.org/13617707:37
stevemarmarekd, i think you can, it's pretty different from when you started07:37
marekdoh yeah, this belondg to you, sir :-)07:37
marekdbelongs07:37
stevemari did that more to honor you and jose, since it CERNs idea07:37
marekdyeha yeah07:37
stevemarbut through the comments and such it became mutated into this :)07:37
marekdthanks, then :-)07:37
*** pnavarro has quit IRC07:38
marekdhowever, it'd be nice to try the code out07:38
*** lhcheng_ is now known as lhcheng_afk07:38
lhcheng_afkok, I give up. I can't stay later than stevemar..07:39
stevemarlhcheng_afk, haha07:39
lhcheng_afkstevemar, you win..07:39
lhcheng_afkgood night guys07:39
stevemararen't you west coast?07:39
lhcheng_afkyeah07:39
stevemarbooo!07:39
stevemarhehe07:39
stevemargood night!07:39
lhcheng_afk11:4007:39
stevemari am joking of coure07:39
* lhcheng_afk ashamed07:39
stevemarlhcheng_afk, you've been so helpful to keystone, thanks a lot07:39
lhcheng_afklol07:39
marekd++07:39
stevemari mean it!07:40
lhcheng_afkglad to help! :)07:40
morganfainbergjamielennox|away: yes it should. Something went wrong and we need to fix. :(07:40
stevemarlhcheng_afk, and we welcome the help! good night sir07:40
lhcheng_afkstevemar: thanks! and good morning to you shortly...07:40
lhcheng_afk:D07:40
stevemarsoon enough07:41
morganfainbergstevemar: marekd I think sps should always be there if available. But it's fine as is. (Ux is better if you don't need07:41
morganfainbergTo ask again to get the sps)07:41
stevemarmorganfainberg, so then what's the point of the query param ?service_providers07:41
marekdmorganfainberg: so, this is what code does, we jus have docs out of sync.07:41
marekdstevemar: ^^07:42
morganfainbergWe should eliminate the query param07:42
stevemarmarekd, glad i'm not going crazy07:42
morganfainbergFrom the docs.07:42
morganfainberg;)07:42
marekdmorganfainberg: stevemar i will remove it.07:42
stevemarmorganfainberg, alright! full steam ahead with federation support for sps07:42
morganfainberg:)07:42
morganfainbergJust landed at SEA.07:43
morganfainbergLoong day.07:43
marekdSEA == Seattle ?07:43
*** lhcheng_afk has quit IRC07:49
*** afazekas has joined #openstack-keystone07:54
*** markvoelker has joined #openstack-keystone07:54
morganfainbergYep07:56
morganfainbergI tend to use airport codes when talking about cities I'm in (if they have a real airport)07:57
marekdmorganfainberg: sure07:57
stevemarmarekd, where is get_v3_catalog() called?07:57
marekdstevemar: for 90% somewhere in /auth/controllers.py07:57
marekdbut let me check.07:58
stevemarmarekd, oh nvm, i see it now, it's a manager function that was originally going right to controller07:58
stevemargah, i hate it when the code does that, just create the damn manager functions too07:58
marekd./token/providers/common.py:323:            service_catalog = self.catalog_api.get_v3_catalog(07:58
marekd./auth/controllers.py:626:            'catalog': self.catalog_api.get_v3_catalog(user_id, project_id),07:58
*** markvoelker has quit IRC07:59
*** boris-42 has joined #openstack-keystone08:00
stevemarmarekd, now to figure out why it's not conflicting with https://github.com/openstack/keystone/blob/master/keystone/catalog/core.py#L43108:02
stevemari think thats just the driver code for templated catalog?08:02
stevemari hate our catalog/region/endpoint system08:02
*** carlosmarin has quit IRC08:04
marekdstevemar: afair it's because my impl of get_v3_catalog is in Manager class, so it's has a priority while calling Manager.get_v3_catalog()08:05
marekdif it was not there, Driver.get_v3_catalog would be called.08:05
marekdTo be honest, I never know what Manager and Driver are responsible for :(08:05
stevemarmarekd, i think it's OK08:06
*** carlosmarin has joined #openstack-keystone08:06
marekdstevemar: https://github.com/openstack/keystone/blob/master/keystone/common/manager.py#L72-L7608:07
marekdthis is why it;s not conflicting (code proving what i have said )08:07
*** jistr has joined #openstack-keystone08:08
*** amerine_ has joined #openstack-keystone08:08
*** amerine has quit IRC08:09
marekdbut oh08:09
marekdwait08:09
*** chlong has quit IRC08:10
marekdstevemar: thanks for the review.08:14
stevemarmarekd, moar review08:17
openstackgerritSteve Martinelli proposed openstack/keystone: Remove manager-driver assignment metadata construct  https://review.openstack.org/14899508:18
openstackgerritSteve Martinelli proposed openstack/keystone: Re-use list_role_assignments wherever is possible  https://review.openstack.org/15573308:19
*** rushiagr is now known as rushiagr_away08:21
*** ncoghlan has quit IRC08:26
*** bjornar has joined #openstack-keystone08:27
*** rushiagr_away is now known as rushiagr08:28
*** stevemar has quit IRC08:31
*** timcline has joined #openstack-keystone08:32
*** pnavarro has joined #openstack-keystone08:33
*** timcline has quit IRC08:36
*** pnavarro has quit IRC08:39
openstackgerritMarek Denis proposed openstack/keystone: Make user an object in mapping engine  https://review.openstack.org/15493408:40
openstackgerritMerged openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/15689508:45
*** markvoelker has joined #openstack-keystone08:55
openstackgerritMarek Denis proposed openstack/keystone: Make user an object in mapping engine  https://review.openstack.org/15493408:56
*** markvoelker has quit IRC09:00
openstackgerritMarek Denis proposed openstack/keystone-specs: Drop ?service_providers from /auth/catalog  https://review.openstack.org/15692509:01
*** akuznetsova has left #openstack-keystone09:01
openstackgerritMarek Denis proposed openstack/keystone-specs: Drop ?service_providers from /auth/tokens  https://review.openstack.org/15692509:02
*** henrynash has joined #openstack-keystone09:21
*** ChanServ sets mode: +v henrynash09:21
*** amakarov_away is now known as amakarov09:25
*** henrynash has quit IRC09:32
*** timcline has joined #openstack-keystone09:34
*** timcline has quit IRC09:39
*** zz_avozza is now known as avozza09:46
*** markvoelker has joined #openstack-keystone09:56
*** pnavarro has joined #openstack-keystone10:00
*** markvoelker has quit IRC10:02
*** jamiec has quit IRC10:13
*** jamiec has joined #openstack-keystone10:17
*** MasterPiece has joined #openstack-keystone10:22
openstackgerritMarco Fargetta proposed openstack/keystone: IdP ID registration and validation  https://review.openstack.org/15215610:26
*** MasterPiece has quit IRC10:26
*** timcline has joined #openstack-keystone10:35
*** timcline has quit IRC10:39
*** rudzha has quit IRC10:40
*** samueldmq has joined #openstack-keystone10:46
*** lhcheng_afk has joined #openstack-keystone10:49
*** nellysmitt has joined #openstack-keystone10:49
*** lhcheng_afk has quit IRC10:54
*** dims__ has joined #openstack-keystone11:19
*** pnavarro has quit IRC11:26
*** timcline has joined #openstack-keystone11:36
*** aix has joined #openstack-keystone11:37
*** timcline has quit IRC11:40
*** chlong has joined #openstack-keystone11:45
openstackgerritMarco Fargetta proposed openstack/keystone: IdP ID registration and validation  https://review.openstack.org/15215611:47
*** fmarco76 has joined #openstack-keystone11:50
*** mzbik has quit IRC11:53
openstackgerritMarco Fargetta proposed openstack/keystone: IdP ID registration and validation  https://review.openstack.org/15215611:56
*** aix_ has joined #openstack-keystone11:58
*** aix_ has quit IRC11:59
*** aix has quit IRC11:59
*** ajayaa has quit IRC11:59
*** aix has joined #openstack-keystone11:59
*** aix has quit IRC12:00
*** aix has joined #openstack-keystone12:00
*** jistr has quit IRC12:09
*** jistr has joined #openstack-keystone12:12
*** nellysmitt has quit IRC12:15
*** ajayaa has joined #openstack-keystone12:19
*** NellyK has joined #openstack-keystone12:23
*** pnavarro has joined #openstack-keystone12:25
*** NellyK has quit IRC12:32
*** NellyK has joined #openstack-keystone12:33
*** timcline has joined #openstack-keystone12:36
*** NellyK has quit IRC12:40
*** timcline has quit IRC12:41
*** pnavarro has quit IRC12:45
*** radez_g0n3 is now known as radez12:48
*** pnavarro has joined #openstack-keystone12:48
*** nellysmitt has joined #openstack-keystone12:53
*** pnavarro has quit IRC12:53
*** aix has quit IRC12:59
*** rushiagr is now known as rushiagr_away13:09
*** markvoelker has joined #openstack-keystone13:11
*** aix has joined #openstack-keystone13:12
*** samueldmq_ has joined #openstack-keystone13:13
openstackgerritMarco Fargetta proposed openstack/keystone: IdP ID registration and validation  https://review.openstack.org/15215613:13
*** samueldmq has quit IRC13:16
*** zigo has quit IRC13:18
*** zigo has joined #openstack-keystone13:20
*** marg7175 has joined #openstack-keystone13:31
*** henrynash has joined #openstack-keystone13:35
*** ChanServ sets mode: +v henrynash13:35
*** gordc has joined #openstack-keystone13:37
*** aix has quit IRC13:37
*** timcline has joined #openstack-keystone13:37
*** marg7175 has quit IRC13:39
*** timcline has quit IRC13:42
*** krtaylor has quit IRC13:50
*** henrynash has quit IRC13:53
*** krtaylor has joined #openstack-keystone13:56
openstackgerritMarek Denis proposed openstack/keystone: Authenticate local users via federated workflow  https://review.openstack.org/15630813:58
*** abhirc has joined #openstack-keystone14:00
*** aix has joined #openstack-keystone14:03
openstackgerritMarek Denis proposed openstack/keystone: Authenticate local users via federated workflow  https://review.openstack.org/15630814:06
*** rushiagr_away is now known as rushiagr14:07
*** pnavarro has joined #openstack-keystone14:14
*** dims__ has quit IRC14:15
*** my_openstack_use has joined #openstack-keystone14:17
*** my_openstack_use is now known as sly_boots14:18
*** dims__ has joined #openstack-keystone14:20
*** dims__ has quit IRC14:20
*** dims__ has joined #openstack-keystone14:21
*** richm has joined #openstack-keystone14:21
*** dims__ has quit IRC14:25
*** Guest37356 has joined #openstack-keystone14:35
*** joesavak has joined #openstack-keystone14:37
*** Guest37356 is now known as dims__14:49
openstackgerritAlexander Makarov proposed openstack/keystone: Fix for KVS cache backend incompatible with redis-py  https://review.openstack.org/15330714:51
openstackgerritMarco Fargetta proposed openstack/keystone: IdP ID registration and validation  https://review.openstack.org/15215614:52
*** krtaylor has quit IRC14:54
*** krtaylor has joined #openstack-keystone14:55
*** topol has joined #openstack-keystone14:56
*** ChanServ sets mode: +v topol14:56
openstackgerritAlexander Makarov proposed openstack/keystone: Fix for KVS cache backend incompatible with redis-py  https://review.openstack.org/15330714:58
*** ajayaa has quit IRC15:03
fmarco76HI all, I am writing on a blue-print extending a previous patch and I need to create a table whereas the previous patch I am extending were creating only a new column15:03
marekdhttps://review.openstack.org/#/c/152156/715:04
fmarco76can I change the migration script so I will create a table or do I need to create a new migration script?15:04
fmarco76the previous migration was never released because both patch are for kilo15:05
*** Ephur has joined #openstack-keystone15:08
marekddstanek: dolphm ^^ fancy helpig with the marco's question ?15:11
*** abhirc has quit IRC15:12
*** dnalezyt has joined #openstack-keystone15:13
morganfainbergfmarco76, needs to be a new migration15:14
morganfainbergthink about people who are chasing master15:14
morganfainbergunless the previous migration was never merged to git15:14
marekdmorganfainberg: it was.15:14
morganfainberg(even kilo)15:14
fmarco76OK15:15
fmarco76but I have to remove the column from the previous patch or I can just leave it unsed and add the new column?15:16
marekdi'd say remove.15:16
openstackgerritAlexander Makarov proposed openstack/keystone: Fix for KVS cache backend incompatible with redis-py  https://review.openstack.org/15330715:16
*** abhirc has joined #openstack-keystone15:16
fmarco76do I also migrate the content?15:17
fmarco76or just the schema?15:17
marekdhm, good question.15:17
* marekd morganfainberg to the rescue15:17
openstackgerritMarek Denis proposed openstack/keystone-specs: Drop query parameter ?service_providers from docs  https://review.openstack.org/15692515:17
*** abhirc has quit IRC15:18
morganfainbergfmarco76, depends on what you're doing.15:19
morganfainbergfmarco76, if data already exists that needs to be in the table, you migrate content as well15:19
fmarco76I get it, thanks15:20
amakarovmorganfainberg, greetings! I've found a test for KVS with mocked mutex. It had lock_timeout field we shouldn't expect - removed it. Would you kindly review that again? :) https://review.openstack.org/#/c/15330715:22
openstackgerritBrant Knudson proposed openstack/keystone: Consistently use oslo_config.cfg.CONF  https://review.openstack.org/14736715:23
*** stevemar has joined #openstack-keystone15:24
*** ChanServ sets mode: +v stevemar15:24
amakarovdstanek, good day! Addressed your comment - nice catch!15:25
morganfainbergamakarov, sure15:25
morganfainbergamakarov, might be a little later today.15:25
* morganfainberg is just getting started.15:25
amakarovmorganfainberg, np, it's Jenkins turn anyway15:28
*** timcline has joined #openstack-keystone15:29
*** devlaps has joined #openstack-keystone15:32
*** henrynash has joined #openstack-keystone15:33
*** ChanServ sets mode: +v henrynash15:33
*** samueldmq_ has quit IRC15:33
stevemarhenrynash, morganfainberg you may want to revisit https://review.openstack.org/#/c/125521/ now that the domain FK has been dropped...15:41
morganfainbergstevemar: aye15:42
*** zzzeek has joined #openstack-keystone15:43
openstackgerritLance Bragstad proposed openstack/keystone: Keystone Lightweight Tokens (KLWT)  https://review.openstack.org/14531715:43
henrynashstevemar: your patch has merged?15:45
stevemarhenrynash, yep15:45
stevemarhenrynash, you +2d and morganfainberg +A'ed15:45
stevemari'm hoping to knock both of brants bps off the blueprint list today, they are fairly small15:46
bretonklwt +a!15:47
bretonyay!15:47
stevemar\o/15:47
openstackgerritMerged openstack/keystone-specs: Keystone Lightweight Tokens (KLWT)  https://review.openstack.org/13005015:47
stevemartoday there is joy in the keystone kingdom15:48
morganfainbergso more important than that.. lbragstad , ^^15:48
lbragstadmorganfainberg: nice, thanks!15:48
henrynashstevemar: excellent…just +2’d yours…..15:48
stevemarlbragstad, is the bp open already?15:49
morganfainberglbragstad, no further blocking comment. all outstanding comments look to be resolved.15:49
stevemarhenrynash, i was just going to ask why no +A, but that's been our theme this release huh15:49
henrynashstevemar: yep!15:49
lbragstadmorganfainberg: atiwari asked if we are going to use AE or KLWT for the impl acronym15:49
lbragstadstevemar: not yet15:50
morganfainberglbragstad, so use KLWT where possible. but don't worry about renaming everything everywhere at once - docstrings etc can happen as things are worked on15:50
morganfainbergthe bp can stay "ae-tokens"15:50
morganfainbergit doesn't really matter what the bp is named15:51
dolphmmorganfainberg: lbragstad: breton: stevemar: \o/15:51
lbragstadmorganfainberg: from a user perspective, I think AE would be easier to look up/research15:51
stevemarlbragstad, the K is kinda assume no? just lwt in the code?15:51
morganfainberglbragstad, but honestly, i don't really care what they are called15:51
atiwarimorganfainberg, lbragstad +1 name does not matters15:51
atiwari:)15:51
stevemar++ morganfainberg15:51
dolphmlbragstad: let's get a solid implementation and then figure out a more appropriate user-facing name15:51
morganfainberglbragstad, ^^15:51
lbragstadmorganfainberg: dolphm works for me, just checking since atiwari asked in the review15:52
* morganfainberg looks at coffee shops in seattle today.15:52
dolphmlbragstad: my answer is that it doesn't matter until we ship it, until then we can brainstorm15:52
dolphmatiwari: ^15:52
*** henrynash has quit IRC15:52
lbragstadagreed15:52
dstanekamakarov: no problem15:53
gordcstevemar: great day: https://www.openstack.org/vote-vancouver/presentation/openstack-is-doomed-and-it-is-your-fault15:53
morganfainberglbragstad, so in short, we can cleanup names *after* code is ready15:53
*** jaosorior has joined #openstack-keystone15:53
atiwarilbragstad, ++ for the good work. Lets not worry for the name too much for now. If it is easy make the change if not please follow morganfainberg  suggestions15:53
lbragstadmorganfainberg: works for me15:54
stevemargordc, that is a fantastic title15:54
gordclook who speaker is!15:54
stevemarby termie! oh man that is great! i love this +315:54
morganfainberggordc, did you see the faith one?15:54
lbragstadI kinda jumped the gun in the renaming everything to klwt, so I'll be sure to take the todo when we want to change the name15:54
gordcmorganfainberg: nope? link?15:54
morganfainberghttps://www.openstack.org/vote-vancouver/Presentation/faith-the-secret-ingredient-of-a-successful-system-integration15:54
morganfainberglbragstad, yeah the spec needed the name change, everything else can come as a final sweep15:55
marekdgordc: "You'll laugh, you'll cry, and you'll probably want to rewrite everything in Go."15:55
morganfainberggordc, marekd, i'm disappointed he didn't say Rust.15:55
lbragstadmarekd: ++15:55
marekdmorganfainberg: for the record, i am not biased for Go15:56
atiwarilbragstad, only suggestion is make extensible. I will add more int he specs15:56
gordci like +3 even though i know it's just trigger a page refresh and nothing else.lol15:56
marekdmorganfainberg: language looks interesting, but at the end it's just language.15:56
dolphmstevemar: +315:56
atiwarilbragstad,  s/make/make it15:56
morganfainbergmarekd, but Rust is awesome /holywar-verbiage15:56
morganfainberg;)15:56
marekdmorganfainberg: why?!15:57
marekdmorganfainberg: teach, master!15:57
morganfainbergcause why not?15:57
morganfainberg;)15:57
gordcmarekd: don't ask why!15:57
* marekd troll mode15:57
openstackgerritBrant Knudson proposed openstack/keystone: Create extension provider instances once  https://review.openstack.org/15607115:57
openstackgerritBrant Knudson proposed openstack/keystone: Avoid multiple instances for a provider  https://review.openstack.org/12459915:57
* gordc googled "rust"... got exactly that. seems about right.15:58
morganfainberggordc, /non-troll: i actually like the language. but uhm.. lol15:58
morganfainbergwe need to convert keystone to use https://github.com/dcramer/mangodb, it's CLOUD SCALE! :P15:59
*** marg7175 has joined #openstack-keystone16:00
morganfainberghm.16:01
marekdmorganfainberg: sad thing is that one could spend literally  8h/day reading all those blogposts about new kickass languages, databases, scalin techniques, engineering blogposts etc :(16:01
gordcmorganfainberg: is it used in any (notable) projects? /me does not follow new cutting-edge languages16:01
morganfainberggordc, afaik rust is too early to really be used. but i like a lot of what they're driving at. it feels like what i want from both python and c/c++16:02
gordcmarekd: you have to find the entertaining ones...(ie. a lot of profanity on why it sucks/is good)16:02
openstackgerritDoug Hellmann proposed openstack/oslo.policy: Clean up configuration option management  https://review.openstack.org/15704416:02
*** ajayaa has joined #openstack-keystone16:02
* morganfainberg has the nightly build on my laptop16:02
gordcmorganfainberg: i see.. yeah, that'd be a good blend.16:03
marekdmorganfainberg: did you write anything in Rust?16:03
marekdmorganfainberg: or just simple examples?16:03
morganfainbergmarekd, just some hello-world examples16:03
marekdaha16:03
*** rm_work|away is now known as rm_work16:04
morganfainbergmarekd, i also like that variables are CONST by default, you need to declare a variable mutable16:04
morganfainberganyway...16:05
gordcmorganfainberg: was going to say that sounds annoying... but then in most cases variables outside of counters/object don't get modified much.16:06
morganfainberggordc, yep. and how many times do you run into issues where "oops i did an assignment where i meant to do something else"16:07
stevemarany oslo.policy core folk want to talk a string of patches? https://review.openstack.org/#/q/status:open+project:openstack/oslo.policy+branch:master+topic:cleanup,n,z16:08
morganfainberggordc, it's a common issue people end up needing to chase down. at least this way you know everything that can be changed upfront. less to look at16:08
morganfainbergstevemar, no :P i mean yes on my list today ;)16:08
morganfainbergpost coffee16:08
stevemarit's actually just 1 patch that needs to be kicked off, the rest have enough +2s16:09
stevemarhttps://review.openstack.org/#/c/156811/216:09
*** pnavarro has quit IRC16:15
openstackgerritMarek Denis proposed openstack/keystone: Make user an object in mapping engine  https://review.openstack.org/15493416:17
openstackgerritMarek Denis proposed openstack/keystone: Authenticate local users via federated workflow  https://review.openstack.org/15630816:18
openstackgerritDavid Stanek proposed openstack/keystone: Update sample config file  https://review.openstack.org/15678616:21
*** marg7175 has quit IRC16:22
*** marg7175 has joined #openstack-keystone16:22
*** david-lyle_afk is now known as david-lyle16:28
*** avozza is now known as zz_avozza16:33
*** thedodd has joined #openstack-keystone16:39
openstackgerritMarek Denis proposed openstack/keystone-specs: Drop query parameter ?service_providers from docs  https://review.openstack.org/15692516:39
*** radez is now known as radez_g0n316:41
openstackgerritMarek Denis proposed openstack/keystone: Add ``service_providers`` in Service Catalog  https://review.openstack.org/15265916:45
*** rwsu-afk is now known as rwsu16:46
amakarovmarekd, please reformat commit message there ^^ :)16:46
stevemarmarekd, your commit message went crazy16:47
marekdwhich review?16:47
marekdmaybe i went crazy? :/16:47
marekdamakarov: stevemar https://review.openstack.org/#/c/156925/ ?16:48
stevemarmarekd, yep16:48
amakarovmarekd, ++16:48
stevemarthe commit msg is now all on one line16:48
openstackgerritMarek Denis proposed openstack/keystone-specs: Drop query parameter ?service_providers from docs  https://review.openstack.org/15692516:48
stevemaroh there we go16:49
marekdstevemar: it was not when i was editing it.16:49
marekdhad to add hard CR16:49
*** afazekas has quit IRC16:51
*** abhirc has joined #openstack-keystone16:51
stevemardstanek, may i ask why you rebased https://review.openstack.org/#/c/156786/ ?16:52
stevemarinstead of just hitting the rebase button on gerrit?16:52
stevemarwas it cause of the silly db2 ci saying 'merge failed' ?16:52
dstanekstevemar: no, my local script didn't like it for some reason16:53
stevemardstanek, oh16:53
stevemar:(16:53
stevemardstanek, cool then, was just wondering16:53
stevemarits always good to nuke .tox/sample_config before running it16:53
dstanekever review i do gets pulled down and looked at by some test code - for some reason it barked at me16:54
*** gyee has joined #openstack-keystone16:54
*** ChanServ sets mode: +v gyee16:54
*** samueldmq-away is now known as samueldmq16:55
* stevemar shrugs16:55
openstackgerritMerged openstack/oslo.policy: Create the temporary files needed for tests  https://review.openstack.org/15681117:03
openstackgerritMerged openstack/oslo.policy: Change default set of tox environments  https://review.openstack.org/15681217:03
*** ljfisher has joined #openstack-keystone17:08
openstackgerritMerged openstack/oslo.policy: Fix i18n imports  https://review.openstack.org/15681317:10
openstackgerritMerged openstack/oslo.policy: Update comments about tox configuration  https://review.openstack.org/15683617:10
openstackgerritMarco Fargetta proposed openstack/keystone: IdP ID registration and validation  https://review.openstack.org/15215617:14
*** tqtran has joined #openstack-keystone17:14
*** jistr has quit IRC17:15
*** lhcheng_afk has joined #openstack-keystone17:15
*** lhcheng_afk is now known as lhcheng17:20
*** chlong has quit IRC17:22
*** lhcheng_ has joined #openstack-keystone17:26
*** browne has joined #openstack-keystone17:27
*** raildo_ is now known as raildo17:28
*** lhcheng has quit IRC17:28
*** amakarov is now known as amakarov_away17:29
*** bknudson has joined #openstack-keystone17:33
*** ChanServ sets mode: +v bknudson17:33
*** marg7175 has quit IRC17:36
*** _cjones_ has joined #openstack-keystone17:36
*** EmilienM is now known as EmilienM|afk17:40
*** harlowja_away is now known as harlowja_17:42
openstackgerritDoug Hellmann proposed openstack/oslo.policy: Clean up configuration option management  https://review.openstack.org/15704417:47
openstackgerritDolph Mathews proposed openstack/keystone: Use cryptography.fernet instead of python-keyczar  https://review.openstack.org/15665717:47
*** _cjones_ has quit IRC17:48
*** _cjones_ has joined #openstack-keystone17:48
*** fmarco76 has left #openstack-keystone17:50
openstackgerritDolph Mathews proposed openstack/keystone: Use cryptography.fernet instead of python-keyczar  https://review.openstack.org/15665717:51
*** lhcheng_ has quit IRC17:54
*** thedodd has quit IRC17:54
*** carlosmarin has quit IRC17:55
*** carlosmarin has joined #openstack-keystone18:01
*** ljfisher has quit IRC18:09
*** rushiagr is now known as rushiagr_away18:10
stevemarlooks like check-swift-dsvm-functional is failing18:10
*** abhirc has quit IRC18:10
morganfainbergstevemar, something we did?18:11
morganfainbergor everything?18:11
*** ljfisher has joined #openstack-keystone18:12
stevemareverything18:13
stevemarhttp://logstash.openstack.org/#eyJzZWFyY2giOiJweS5lcnJvci5FQUNDRVMiLCJmaWVsZHMiOltdLCJvZmZzZXQiOjAsInRpbWVmcmFtZSI6IjE0NDAwIiwiZ3JhcGhtb2RlIjoiY291bnQiLCJ0aW1lIjp7InVzZXJfaW50ZXJ2YWwiOjB9LCJzdGFtcCI6MTQyNDI4MzE3MDgxMn0=18:13
morganfainbergstevemar, looks like it's bad build nodes18:13
morganfainbergEPERM on making directories18:13
morganfainbergEACCESS sorry18:14
stevemarah18:14
morganfainberghttp://logs.openstack.org/86/156786/2/check/check-swift-dsvm-functional/045f454/console.html#_2015-02-18_16_59_17_04518:14
stevemarmorganfainberg, open a bug against infra?18:14
morganfainbergnotmyname, ping re ^18:15
morganfainbergstevemar, maybe just a ping in -infra channel for fungi/clark18:15
openstackgerritLance Bragstad proposed openstack/keystone: Keystone Lightweight Tokens (KLWT)  https://review.openstack.org/14531718:15
*** krtaylor has quit IRC18:16
*** lhcheng has joined #openstack-keystone18:17
*** zz_avozza is now known as avozza18:21
*** abhirc has joined #openstack-keystone18:22
*** ajayaa has quit IRC18:44
openstackgerritRodrigo Duarte proposed openstack/keystone: Remove extra semicolon from mapping fixtures  https://review.openstack.org/14808018:52
*** krtaylor has joined #openstack-keystone18:53
*** sly_boots has quit IRC18:53
*** avozza is now known as zz_avozza18:58
openstackgerritLance Bragstad proposed openstack/keystone: Keystone Lightweight Tokens (KLWT)  https://review.openstack.org/14531718:59
*** EmilienM|afk is now known as EmilienM19:02
claygthere was something that just landed to move swiftclient functests into tox - is the check-swift-dsvm-functional swift functests or swiftclient functests?19:04
*** clayg has left #openstack-keystone19:08
*** nellysmitt has quit IRC19:13
*** nellysmitt has joined #openstack-keystone19:14
*** bknudson has quit IRC19:14
*** spandhe has joined #openstack-keystone19:17
*** marg7175 has joined #openstack-keystone19:17
*** nellysmitt has quit IRC19:18
lhchengmorganfainberg, should the project_parent_id be included in the v3 token response?19:27
lhchengmorganfainberg, this wasn't mentioned anywhere in the HMT specs. But wondering if that should be included.19:28
lhchengraildo: ^19:29
openstackgerritMerged openstack/oslo.policy: Clean up configuration option management  https://review.openstack.org/15704419:39
gyeelhcheng, it should not, the parent hierarchy should be a separate lookup19:41
*** carlosmarin has quit IRC19:47
*** carlosmarin has joined #openstack-keystone19:48
raildolhcheng, gyee are right, he have a API call to return the parent hierarchy.19:48
morganfainberglhcheng, what gyee said.19:48
morganfainbergthe issue is we'd bloat the token badly otherwise19:48
*** marg7175 has quit IRC19:56
*** marg7175 has joined #openstack-keystone19:56
*** andreaf_ has joined #openstack-keystone19:58
*** bknudson has joined #openstack-keystone19:59
*** ChanServ sets mode: +v bknudson19:59
stevemargyee, responding to your comments20:00
lhchenggyee, raildo, morganfainberg: thanks for confirming20:02
lhchengwe got the parent_id in the v2 token response and not in v3 token response20:03
lhchenggot wondering if we got it just the other way around20:03
morganfainbergoh wait20:03
morganfainberghold on20:03
morganfainbergjust the partent id20:03
morganfainbergnot the whole hierarchy20:03
morganfainberghmmmmm.20:03
lhchengmorganfainberg: yes, just the parent_id20:04
morganfainberggyee, ^^20:04
openstackgerritDolph Mathews proposed openstack/keystone: Use cryptography.fernet instead of python-keyczar  https://review.openstack.org/15665720:05
bknudsonthe v3 api spec says that the project is the full representation of the project -- http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3.html#tokens20:06
bknudson"Includes the full resource description of a project."20:06
morganfainbergyes, the parent_id should be there20:06
morganfainbergsorry20:06
morganfainbergi was thining the whole hierarchy20:07
bknudsonmaybe the v3 api spec is wrong... not sure how the parent_id is useful in the token.20:07
morganfainbergthe whole hierarchy should *not* be there20:07
morganfainbergbknudson, if it's the full resource description of the project, it's part of it20:07
*** aix has quit IRC20:08
morganfainbergbut honestly i think we could leave that out20:08
morganfainbergon both v2 and v3 and fix the docs20:08
bknudsonI'd prefer the spec was changed, too.20:08
bknudsonif an application wants the hierarchy it can fetch that separately.20:09
morganfainbergso lets fix the spec20:09
morganfainbergsold.20:09
*** ljfisher has quit IRC20:11
*** ljfisher has joined #openstack-keystone20:11
adam_gcan anyone shed light on why, when auth'ing with the password plugin, my auth_ref contains a populated service catalog and accurate list of role-se, but when auth'ing with a token only, it does not?20:12
*** ljfisher has quit IRC20:12
lhchengmorganfainberg, bknudson: okay, we'll leave it out. sounds good20:12
*** ljfisher has joined #openstack-keystone20:13
*** devlaps has quit IRC20:27
*** henrynash has joined #openstack-keystone20:30
*** ChanServ sets mode: +v henrynash20:30
openstackgerrithenry-nash proposed openstack/keystone: Move backend LDAP role testing to the new backend testing module  https://review.openstack.org/15683020:32
gyeemorganfainberg, bknudson, lhcheng, yeah, token data should continue only the minimum set that are commonly used20:35
gyeestevemar, you mean the service provider one?20:35
gyeestevemar, marekd, I don't think we should treat the service providers any differently20:36
stevemargyee, responded in the patch20:42
*** devlaps has joined #openstack-keystone20:44
openstackgerritRodrigo Duarte proposed openstack/keystone: Remove extra semicolon from mapping fixtures  https://review.openstack.org/14808020:46
*** _cjones_ has quit IRC20:48
*** Tahmina has joined #openstack-keystone20:53
stevemaranyone want to be nice and save bknudson the headache of rebasing by approving https://review.openstack.org/#/c/147367/ ?20:55
dstanekstevemar: i can look at it right after i'm done with the one that i'm on20:57
*** topol has quit IRC20:59
openstackgerritMerged openstack/keystone: Update sample config file  https://review.openstack.org/15678621:00
*** marg7175_ has joined #openstack-keystone21:02
*** marg7175 has quit IRC21:04
openstackgerritLance Bragstad proposed openstack/keystone: Keystone Lightweight Tokens (KLWT)  https://review.openstack.org/14531721:04
*** aix has joined #openstack-keystone21:04
*** Tahmina has quit IRC21:05
dstaneklbragstad: you're killing me!21:06
lbragstaddstanek: :( I'm sorry21:06
gyeecold blooded21:06
lbragstadtoken work is ruthless!21:07
*** Tahmina has joined #openstack-keystone21:08
lbragstaddstanek: gyee good news is that the latest revision works with trusts!21:09
henrynashnkinder: ping21:09
nkinderhenrynash: pong21:09
henrynashnkinder: hi…any chance you could get my LDAP filtering patches a once over?21:10
henrynashnkninder: there are two: first is here: https://review.openstack.org/#/c/147551/ and the second is dependant on that21:10
gyeelbragstad, awesome!21:10
dhellmannmorganfainberg, stevemar: I just cut oslo.policy 0.1.0. This is a "quiet" release, to give us a distribution so we can test integration with one or two projects before announcing it more publicly.21:10
nkinderhenrynash: sure, will look now21:10
henrynashnkinder: thx21:11
*** nellysmitt has joined #openstack-keystone21:11
lbragstadgyee: I was having some trouble validating trust scoped tokens21:11
lbragstadbut, not I think the context is getting built properly21:11
gyeetold u, writing code is the easiest part :)21:13
*** samueldmq_ has joined #openstack-keystone21:13
*** _cjones_ has joined #openstack-keystone21:14
stevemardhellmann, i like it21:16
dhellmannstevemar: let's get a couple of patches for apps together before we make the formal announcement, just in case we have to break the API21:16
dhellmann:-)21:16
stevemardhellmann, sounds good, i'll toss one up for keystone21:16
*** Tahmina has quit IRC21:16
dhellmannstevemar: ++21:17
stevemarwe might be able to convince sigmavirus24 to try out for swift :P he seemed to know stuff and things about it21:17
dstanekstevemar: damn, that's a lot of files :-)21:17
stevemardstanek, +2, -2 of 90% of them :P21:17
dstanekyep, i'm almost done21:18
marekdgyee: whoa. https://review.openstack.org/#/c/156509/ that would rollback lots of work :(21:22
marekdwhat morganfainberg thinks about ^^ ?21:24
*** abhirc has quit IRC21:27
gyeemarekd, you don't need to introduce different structure in the service catalog21:27
gyeefundamentally, service provider is just another endpoint21:27
marekdgyee: how interfaces would be decided?21:28
marekd'interface'21:28
*** marg7175_ has quit IRC21:28
gyeemarekd, sure, or introduce a new attribute21:28
gyee"interface": "sp_auth"21:29
marekdgyee: no, you put some example in the review21:29
gyeemarekd, yes, in the spec review21:29
marekdand have 'interface':'auth' and 'interface':'service'21:29
gyeesure, we can pick a right word for it21:30
gyeemy point is, it shouldn't change the fact that it is fundamentally an endpoint21:30
nkinderhenrynash: first one reviewed.  I had one question inline for you.21:30
*** marg7175_ has joined #openstack-keystone21:31
henrynashnkinder; great...looking21:31
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Not allow create a project with slash in name  https://review.openstack.org/15715221:32
*** joesavak has quit IRC21:34
henrynashnkinder: responded…agree with the nits (happy to fix)…and I *think* the delete is needed…21:35
nkinderhenrynash: ok, the delete is fine (even if not needed).21:36
nkinderhenrynash: but if you found it's needed, I definitely believe you!21:36
*** timcline has quit IRC21:37
stevemardhellmann, alright, just testing it out now, we'll see if keystone falls on the floor or not21:37
*** timcline has joined #openstack-keystone21:37
*** carlosmarin1 has joined #openstack-keystone21:40
openstackgerritSteve Martinelli proposed openstack/keystone: Use oslo.policy instead of incubated version  https://review.openstack.org/14862421:41
*** timcline has quit IRC21:42
dstanekdolphm: looking now21:42
*** carlosmarin has quit IRC21:43
stevemardhellmann, ^21:44
openstackgerritSteve Martinelli proposed openstack/keystone: Remove incubated version of oslo policy  https://review.openstack.org/15715821:44
openstackgerritSteve Martinelli proposed openstack/keystone: Remove incubated version of oslo policy  https://review.openstack.org/15715821:44
*** timcline has joined #openstack-keystone21:45
*** henrynash has quit IRC21:47
dstanekdolphm: i think i answered your questions21:49
*** henrynash has joined #openstack-keystone21:49
*** ChanServ sets mode: +v henrynash21:49
*** abhirc has joined #openstack-keystone21:50
*** jamielennox|away is now known as jamielennox21:51
*** ljfisher has quit IRC21:57
*** ljfisher has joined #openstack-keystone21:57
*** ljfisher has quit IRC21:57
*** marg7175_ has quit IRC21:59
*** marg7175 has joined #openstack-keystone21:59
dolphmdstanek: danke!22:00
*** ljfisher has joined #openstack-keystone22:01
*** joesavak has joined #openstack-keystone22:03
*** abhirc has quit IRC22:04
*** dnalezyt has quit IRC22:07
*** karimb has joined #openstack-keystone22:08
*** dnalezyt has joined #openstack-keystone22:08
openstackgerritSteve Martinelli proposed openstack/keystone: Use oslo.policy instead of incubated version  https://review.openstack.org/14862422:17
*** nellysmitt has quit IRC22:18
openstackgerritSteve Martinelli proposed openstack/keystone: refactor: use _get_project_endpoint_group_url() where applicable  https://review.openstack.org/13908022:18
*** joesavak has quit IRC22:18
*** iwi has joined #openstack-keystone22:19
*** henrynash has quit IRC22:20
*** tqtran has left #openstack-keystone22:20
*** tqtran has joined #openstack-keystone22:20
iwiHi there, I'm just curious - is it possible to combine all of the service accounts into one account and use it across all of the openstack services?22:21
*** pnavarro has joined #openstack-keystone22:29
gyeedepends22:29
openstackgerritDolph Mathews proposed openstack/keystone: Use cryptography.fernet instead of python-keyczar  https://review.openstack.org/15665722:39
dolphmiwi: yes22:40
dolphmiwi: whether it's recommended or not depends on your security requirements and configuration22:40
iwi@gyee,@dolphm: any cons of such solution that you might think of ?22:41
gyeeiwi, if you are using the OpenStack toolings, it may not be possible as the service accounts are hardcoded in some places22:41
iwiI'm going to use AD for authorisation and just want to limit "service" accounts to bare minimum22:42
gyeebut if you are using your own tooling it is possible22:42
gyeehow are you deploying the stuff? via OOO?22:42
iwiI'm actually using fuel22:43
iwiand I'm wondering if its worth to customise it instead of convincing the AD guys to create more accounts22:44
gyeeiwi, you don't want to use domain-specific backend?22:45
gyeewith domain-specific backend, you don't have to create the service account in AD, you can isolate them in a separate domain22:45
iwihmmm22:45
iwididn't really look into that22:46
iwican you keep all service accounts in one domain and use AD for a domain with actual users ?22:46
gyeeyes, that's possible22:47
iwiare there any disadvantages of taking the domain route ?22:47
iwibesides enabling keystone v3?22:47
iwi:)22:47
gyeekeystone v3 is not a disadvantage :)22:48
iwibut can it case any troubles ?22:48
gyeeshouldn't not, I haven't run into any so far22:49
gyeejust create the service account in the 'default' domain22:49
*** pnavarro has quit IRC22:50
gyeeiwi, you'll also need to enable Keystone v3 authentication in Horizon22:50
gyeeiwi, https://github.com/openstack/horizon/blob/master/openstack_dashboard/local/local_settings.py.example#L3722:52
*** timcline has quit IRC22:53
iwidoes all OS services support v3 ?22:57
*** openstackgerrit has quit IRC23:00
*** openstackgerrit has joined #openstack-keystone23:00
gyeeiwi, there are two aspects, 1) validating a V3 token, and 2) authenticating service user23:00
gyee1) is transparent to the services are it is handled by keystone auth_token middleware23:00
gyeeas for 2), not all services are using v3 to authenticate the service user right now23:01
gyeebut if you are creating the service accounts in the "default" domain, that should make the service account backward compatible regardless23:02
openstackgerritSteve Martinelli proposed openstack/keystone: Use oslo.policy instead of incubated version  https://review.openstack.org/14862423:04
stevemardhellmann, ^ there we go, that one should work23:05
openstackgerritSteve Martinelli proposed openstack/keystone: Remove incubated version of oslo policy  https://review.openstack.org/15715823:07
jamielennoxiwi: there are some places that will be v2 only23:08
jamielennox(so can't be used in the non-default domain)23:09
jamielennoxfor example nova talking to neutron and vice-versa23:09
jamielennoxi haven't looked but i think ceilometer will have provlbmes as well23:09
gyeejamielennox, speaking of that, did neutronclient have a new release yet?23:10
jamielennoxgyee: i've been bugging mestry, he was going to do it within a few days23:10
jamielennoxwhich might have happened by now23:10
gyeesweeet!23:10
jamielennoxinterestingly the neutron -> novaclient has the same problem - but neutron doesn't mind having the hackj23:10
jamielennoxstill nothing...23:11
gyeejamielennox, I think one of the neutron drivers are using using v2 directly23:11
jamielennoxgyee: annoying as i wrote all this for k1 so that we'd have heaps of time to let it settle down and be tested23:11
jamielennoxgyee: yea - i've seen that, not my problem23:12
gyeejamielennox, we are moving at the speed of light :)23:12
gyeehahahaha23:12
iwi@gyee: but what about services that are not using V3 - won't they try to authenticate AD only users (from a separate domain) against sql backend specified in "default" domain ?23:14
gyeeiwi, "default" domain should be sql backend23:16
iwiyeap - I understood that part - but I'm just curious if there are any v2 only services that will need to authenticate actual users23:18
*** chlong has joined #openstack-keystone23:18
gyeeiwi, I hope not, otherwise, the architecture is f'ed up23:19
iwi:)23:21
jamielennoxiwi: heat can be deployed in that manner, but the newer work relies on trusts and you should use that instead23:21
iwiI guess I'll need to dig a bit on trusts now :)23:23
iwithanks for help anyway23:23
*** andreaf_ has quit IRC23:24
*** karimb has quit IRC23:25
*** iwi has quit IRC23:25
*** karimb has joined #openstack-keystone23:25
*** ljfisher has quit IRC23:32
*** ljfisher has joined #openstack-keystone23:35
*** krtaylor has quit IRC23:40
*** karimb has quit IRC23:41
*** dims_ has joined #openstack-keystone23:49
*** haneef_ has joined #openstack-keystone23:50
*** dims__ has quit IRC23:51
haneef_jamielennox:  Any idea what am I missing?  Did that ever work?  https://bugs.launchpad.net/python-keystoneclient/+bug/142331623:51
openstackLaunchpad bug 1423316 in python-keystoneclient "V3Password as plugin auth doesn't work with kesytonemiddleware" [Undecided,New]23:51
*** carlosmarin1 has quit IRC23:59
« Tuesday, 2015-02-17 Index Thursday, 2015-02-19 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!