Monday, 2015-03-23

*** nkinder has joined #openstack-keystone00:13
*** markvoelker has joined #openstack-keystone00:17
*** markvoelker has quit IRC00:22
*** dims has joined #openstack-keystone01:01
*** dims has quit IRC01:01
*** browne has joined #openstack-keystone01:14
*** dims__ has joined #openstack-keystone01:15
*** markvoelker has joined #openstack-keystone01:18
*** markvoelker has quit IRC01:23
*** stevemar has quit IRC01:34
*** mestery_ is now known as mestery01:53
*** Kennan has left #openstack-keystone01:56
*** davechen has joined #openstack-keystone02:00
*** spandhe has quit IRC02:08
*** erkules_ has joined #openstack-keystone02:16
*** erkules has quit IRC02:18
*** markvoelker has joined #openstack-keystone02:19
*** markvoelker has quit IRC02:23
*** dims__ has quit IRC03:01
*** trey has quit IRC03:13
*** trey has joined #openstack-keystone03:14
*** spandhe has joined #openstack-keystone03:16
*** iamjarvo has joined #openstack-keystone03:22
*** dims__ has joined #openstack-keystone04:06
*** stevemar has joined #openstack-keystone04:15
*** ChanServ sets mode: +v stevemar04:15
*** spandhe has quit IRC04:18
*** iamjarvo has quit IRC04:35
*** dims__ has quit IRC04:36
*** richm1 has quit IRC04:38
*** pcaruana has quit IRC05:07
*** bernardo-silva has joined #openstack-keystone05:14
*** bernardo-silva has quit IRC05:15
*** rushiagr_away is now known as rushiagr05:19
*** lhcheng_afk has quit IRC05:21
*** lhcheng_afk has joined #openstack-keystone05:28
*** spandhe has joined #openstack-keystone05:50
*** ishant has joined #openstack-keystone05:54
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/16658106:05
*** dims__ has joined #openstack-keystone06:22
*** browne has quit IRC06:26
*** jamielennox is now known as jamielennox|away06:28
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Allow saving and caching the plugin auth state  https://review.openstack.org/14917506:28
openstackgerritDave Chen proposed openstack/keystone: Skip endpoints which is not available  https://review.openstack.org/14486006:31
*** stevemar has quit IRC06:48
*** dims__ has quit IRC06:54
marekdGood morning.06:55
*** pcaruana has joined #openstack-keystone06:58
*** Bsony has joined #openstack-keystone06:59
*** jamiec has quit IRC07:00
*** jamiec has joined #openstack-keystone07:03
*** rushiagr is now known as rushiagr_away07:03
*** henrynash has joined #openstack-keystone07:04
*** ChanServ sets mode: +v henrynash07:04
*** mflobo has joined #openstack-keystone07:13
*** lhcheng_afk has quit IRC07:19
*** lhcheng_afk has joined #openstack-keystone07:23
*** lhcheng_afk has quit IRC07:44
*** ParsectiX has joined #openstack-keystone07:53
*** chlong has quit IRC07:58
zigo_Can anyone help with this? https://bugs.launchpad.net/keystone/+bug/143517408:11
openstackLaunchpad bug 1435174 in Keystone "SSLTestCase errors when building Debian package" [Undecided,New]08:11
*** markvoelker has joined #openstack-keystone08:24
*** junhongl has quit IRC08:25
*** markvoelker has quit IRC08:28
*** pnavarro has joined #openstack-keystone08:29
*** pnavarro has quit IRC08:30
*** pnavarro has joined #openstack-keystone08:32
*** dims__ has joined #openstack-keystone08:39
*** jistr has joined #openstack-keystone09:02
*** lsmola has joined #openstack-keystone09:10
*** dims__ has quit IRC09:12
*** erkules_ is now known as erkules09:14
*** erkules has quit IRC09:14
*** erkules has joined #openstack-keystone09:14
*** markvoelker has joined #openstack-keystone09:24
*** markvoelker has quit IRC09:29
*** afazekas_ has joined #openstack-keystone09:29
openstackgerritMerged openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/16658109:35
*** ccard__ has joined #openstack-keystone09:40
ccard__I have configured keystone to use domain-specific configuration, so that I can get end users from an LDAP db, and configured horizon to the v3 keystone api.09:42
ccard__I have created a project in the users domain and added a user to the project as _member_, and can successfully login to horizon as the user in the users domain.09:43
*** fhubik has joined #openstack-keystone09:43
fhubikHi there, anyone here expert on keystone v2 and v3 policy files?09:45
ccard__But I get lots of Unauthorized error messages when I click on the various project menu items in horizon. When I login as the end users I get the error "Unable to retrieve usage information" and turning on debug logging in the nova api I can see messages from keystoneclient.auth.identity.v2 which indicate that horizon is talking to nova api and the nova api is trying to authenticate to the keystone v2.0 url rather than the v3 url09:47
ccard__What configuration item(s) do I have to change to get the keystone client to use the v3 keystone api?09:48
fhubikI was wondering about possibility of deprecating the default v2 policy.json file instead of new policy.v3cloudsample.json. Is this possible or those files aren't backward-compatible?09:48
*** dims__ has joined #openstack-keystone09:51
*** kodoku has joined #openstack-keystone09:55
*** davechen has left #openstack-keystone09:56
kodokuHi, Is it possible to use mysql and ldap authentication in keystone V2 ?09:57
*** krykowski has joined #openstack-keystone10:00
*** henrynash has quit IRC10:23
*** markvoelker has joined #openstack-keystone10:25
*** amakarov_away is now known as amakarov10:28
*** markvoelker has quit IRC10:30
*** junhongl has joined #openstack-keystone10:31
*** junhongl has quit IRC10:35
*** krykowski has quit IRC10:51
*** krykowski_ has joined #openstack-keystone10:51
*** junhongl has joined #openstack-keystone10:51
*** jaosorior has joined #openstack-keystone10:53
*** junhongl has quit IRC10:56
*** Bsony_ has joined #openstack-keystone11:00
*** Bsony has quit IRC11:04
*** samueldmq has joined #openstack-keystone11:23
samueldmqmorning11:23
*** markvoelker has joined #openstack-keystone11:26
*** markvoelker has quit IRC11:30
*** fhubik is now known as fhubik_afk11:30
*** kodoku has quit IRC11:34
ccard__which configuration option is it that drives the use of keystoneclient/auth/identity/v2.py rather than keystoneclient/auth/identity/v3.py?11:43
*** markvoelker has joined #openstack-keystone11:46
*** henrynash has joined #openstack-keystone12:00
*** ChanServ sets mode: +v henrynash12:00
*** krykowski_ has quit IRC12:00
*** krykowski has joined #openstack-keystone12:01
*** raildo has joined #openstack-keystone12:04
*** richm has joined #openstack-keystone12:07
*** iurygregory has quit IRC12:20
*** gordc has joined #openstack-keystone12:27
*** ishant has quit IRC12:27
*** fhubik_afk is now known as fhubik12:27
*** fhubik has quit IRC12:28
*** davechen has joined #openstack-keystone12:32
*** fhubik has joined #openstack-keystone12:33
*** dims__ has quit IRC12:34
*** fhubik_afk has joined #openstack-keystone12:34
*** dims__ has joined #openstack-keystone12:34
davechenhenrynash: hi,12:40
henrynashhi12:40
davechenhenrynash: I saw your comments and the bugs you filed. :)12:40
henrynashI've just invalidated two of those bugs now I ACTUALLY understand what’s going on!12:40
davechenhenrynash: yes, as far as i know, 1435310 is invalid. :(12:41
henrynashI’m going to put in a fix for the metadata shortly….since I can’t see that is used anywhere12:42
davechenhenrynash: thanks for your focus on this issue.12:42
davechenyeah, did some troubleshooting either, but never see where the metadata come from.12:43
davechenhenrynash: I will rebase on your patch once the fix is done.12:43
henrynashyep, I’ll ping you when it is posted12:44
davechenhenrynash: thanks henry, leave for a while, will check it when I'm back.12:47
henrynashnp12:47
openstackgerritMerged openstack/keystone: Specify time units for default_lock_timeout  https://review.openstack.org/16630412:51
*** ayoung has joined #openstack-keystone12:51
*** ChanServ sets mode: +v ayoung12:51
*** henrynash has quit IRC12:52
*** dims__ is now known as dims12:52
*** Bsony has joined #openstack-keystone13:01
*** Bsony_ has quit IRC13:04
*** fhubik_afk has quit IRC13:09
*** fhubik_afk has joined #openstack-keystone13:09
*** fhubik_lunch has joined #openstack-keystone13:09
*** fhubik_lunch is now known as fhubik_13:09
*** fhubik has quit IRC13:13
*** henrynash has joined #openstack-keystone13:13
*** ChanServ sets mode: +v henrynash13:13
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Change domain_id FK in project table  https://review.openstack.org/16635413:13
marekdraildo: s ^^ is it part of FFE ?13:14
marekdraildo: or you are already working in the Liberty window?13:14
raildomarekd, its FFE, morganfainberg  needs to put a -2 on this patch :)13:14
raildomarekd, or can i put a -1 explain this?13:15
marekdraildo: i don't know13:15
marekdprobably a -2 must land there.13:15
marekdso people really don't approve, even by mistake.13:16
raildomarekd, sure... I'll talk with morganfainberg to put  -2  when I see him online.13:17
marekdyep13:17
raildomarekd, thanks :)13:20
*** iamjarvo has joined #openstack-keystone13:26
*** iamjarvo has quit IRC13:27
*** ParsectiX has quit IRC13:27
*** ljfisher has joined #openstack-keystone13:28
*** ParsectiX has joined #openstack-keystone13:30
*** mattfarina has joined #openstack-keystone13:30
*** zzzeek has joined #openstack-keystone13:36
ayoungmarekd, can you tag this bug as verified? https://bugs.launchpad.net/keystone/+bug/143470113:39
openstackLaunchpad bug 1434701 in Keystone "websso should compare remote_id_attribute to remote_id of IdP" [Undecided,In progress] - Assigned to Nathan Kinder (nkinder)13:39
ayoungI can accept that his fix is correct, if I can accept that the original logic was wrong13:40
ayoungI'm guessing that you think he's right considering you responded on the review13:40
ayoungmarekd, the whole concept of Remote ID scares me.  WTH are we doing there? The Identity provider should not be specifying anything that is not then mapped, and this appears to be the case.  I can't help but wonder if we are being too clever for our own good here.  What am I missing?13:49
henrynashis anyone having a problem with test_auth failing with Rule [identity:create_trust] does not exist (even on master)?13:53
henrynash(even though it actually does exist in policy.json)13:54
bknudsonwhat does this comment mean? http://git.openstack.org/cgit/openstack/keystone/tree/keystone/notifications.py#n11213:55
openstackgerrithenry-nash proposed openstack/keystone: Remove unused metadata parameter from get_catalog methods  https://review.openstack.org/16683713:57
*** henrynash has quit IRC14:01
openstackgerritDave Chen proposed openstack/keystone: Use `region` or `region_id` in a consistent way  https://review.openstack.org/16246514:01
*** hogepodge has joined #openstack-keystone14:02
bknudsonthe event_type for role_assignment is like 'identity.created.role_assignment' whereas for projects it's like 'identity.project.created' (the order is incorrect for role assignments, based on the docs)14:03
lbragstaddolphm: fernet token brown bag?14:04
bknudsonI think we'll have to remove fernet tokens... can't update cryptography requirement to support it.14:05
lbragstadbknudson: what is the min requirement we need?14:06
lbragstadbknudson: I thought it was already supported by global reqs?14:06
bknudsonlbragstad: 0.7 , when MultiFernet was added.14:06
bknudsonglobal reqs says we support down to 0.4.14:06
ayoungbknudson, bknudson remove?14:07
ayoungI would think that something not enabled by default would be OK14:07
bknudsony, we could add some documentation14:08
lbragstadso we can't bump our version up?14:08
lbragstadhttps://github.com/openstack/keystone/blob/master/requirements.txt#L1314:08
ayoungif we need a way to split the dependency14:08
bknudsonnone of us here have authority to bump the requirements.14:08
ayoungbknudson, what happens if we leave it as is?14:09
lbragstadbknudson: ah, right... version bumps are done from the OpenStack Proposal Bot...14:09
lbragstadayoung: unsupport MultiFernet14:09
ayoungIt means that if someone tried to enable fernet, it would break14:09
lbragstadunsupported*14:10
bknudsonayoung: if you're using cryptography 0.4 and you enable fernet it doesn't work (raises exceptions)14:10
lbragstadayoung: bknudson https://github.com/openstack/keystone/blob/d638709b7ecfdcc0f9664073689c1fc9d75a475a/keystone/token/providers/fernet/token_formatters.py#L6414:10
*** stevemar has joined #openstack-keystone14:10
*** ChanServ sets mode: +v stevemar14:10
ayoungbut they could bump up the cryptography version themselves, it will, so it is just the global req that can't be met.  It's an experimental feature, and I think this is appropriate14:10
bknudsonI assume it fails pretty quickly... not sure though... the only one I know about is MultiFernet.14:10
bknudsonthere should at least be documentation.14:11
lbragstadbknudson: ++, I'll see if I can run the tests with 0.414:11
lbragstadbknudson: if not, then maybe dolphm has a workaround for the MultiFernet stuff?14:12
ccard__"which configuration option is it that drives the use of keystoneclient/auth/identity/v2.py rather than keystoneclient/auth/identity/v3.py?" - I have tracked down the answer, /etc/nova/nova.conf must have auth_version set to v3.0 (not v3)14:12
bknudsonlbragstad: actually, never mind, the requirements update was approved: https://review.openstack.org/#/c/164289/14:13
lbragstadbknudson: sweet!14:14
bknudsonI didn't think it would be approved.14:14
lbragstadbknudson: we're getting 0.8 too14:14
*** sigmavirus24_awa is now known as sigmavirus2414:16
bknudsonhttp://docs.openstack.org/developer/keystone/event_notifications.html#example-notification-role-assignment -- docs also say identity.created.role_assignment rather than what is actually used.14:16
bknudsonoh, no, the docs are correct.14:16
stevemarbknudson, i filed a bug to change it around to identity.role_assignment.created14:17
bknudsonstevemar: I don't see a fix posted from you.14:20
openstackgerritDave Chen proposed openstack/keystone: Skip endpoints which is not available  https://review.openstack.org/14486014:21
bknudsonhttps://bugs.launchpad.net/keystone/+bug/141676714:21
openstackLaunchpad bug 1416767 in Keystone "event_type for role assignment notifications is incorrect" [Medium,Triaged]14:21
stevemarbknudson, we would need to emit it twice, and a deprecation warning for the original event_type14:21
bknudsonthis was added before kilo?14:22
stevemaryeah in juno14:22
*** timcline has joined #openstack-keystone14:23
*** henrynash has joined #openstack-keystone14:26
*** ChanServ sets mode: +v henrynash14:26
dstanekstevemar: will it screw up auditing if the event is emitted twice?14:27
*** davechen has left #openstack-keystone14:27
stevemardstanek, i think that depends on what the client is lookin at14:29
stevemardstanek, it should be fine though14:29
*** carlosmarin has joined #openstack-keystone14:31
*** henrynash_ has joined #openstack-keystone14:36
*** ChanServ sets mode: +v henrynash_14:36
*** henrynash has quit IRC14:39
*** henrynash_ is now known as henrynash14:39
*** Ephur has joined #openstack-keystone14:39
stevemardstanek, bknudson the trouble was the deprecation message, wasn't sure how to handle that, with the usual LOG message or something else...14:40
stevemarthe usual log message wouldn't be much to a consuming application14:41
bknudsonstevemar: I don't think there needs to be a deprecation message in all cases... does cadf have a way to indicate that a message is deprecated?14:41
*** henrynash_ has joined #openstack-keystone14:42
*** ChanServ sets mode: +v henrynash_14:42
stevemarbknudson, i'm thinking it doesn't...14:42
dstanekstevemar: you just need something that tells the operator that they need to inform the auditing people right?14:42
bknudsonput it in the release notes.14:42
stevemardstanek, yeah, in that case the usual log message would work14:42
stevemarwe could also put it in the payload of the cadf event :P14:43
stevemarbknudson, CADF doesn't handle deprecations at all14:44
*** samueldmq_ has joined #openstack-keystone14:45
*** henrynash has quit IRC14:45
*** henrynash_ is now known as henrynash14:45
dstanekstevemar: it would probably be a good idea to get Matt or topol involved to know what a typical process for auditing changes looks like14:45
*** junhongl has joined #openstack-keystone14:46
stevemardstanek, yeah, i was gonna bug Matt about this, i am thinking there is no case for this, and the spec could benefit from it14:47
dstanekyeah, there really should be a standard way to tell people the messages will be changing otherwise the reports could be messed up14:48
*** r-daneel has joined #openstack-keystone14:49
*** junhongl has quit IRC14:50
*** henrynash has quit IRC14:56
*** thedodd has joined #openstack-keystone14:57
*** junhongl has joined #openstack-keystone14:59
openstackgerritLance Bragstad proposed openstack/keystone: Document requirement of cryptography>=0.7  https://review.openstack.org/16687415:03
*** junhongl has quit IRC15:04
*** ParsectiX has quit IRC15:04
lbragstadvim15:06
* lbragstad hangs head... 15:06
* lbragstad switches back to terminal window... 15:07
morganfainberg^^ lbragstad https://review.openstack.org/#/c/164289/15:12
morganfainbergDocumentation warning is superfluous as we have g-r update coming.15:14
stevemarlbragstad, just got destroyed https://review.openstack.org/#/c/166874/15:14
morganfainbergSoooooooooo15:15
lbragstadstevemar: lol, I was just adding docs based on bknudson's suggestion.15:15
morganfainbergHi everyone;)15:15
morganfainbergTurns out Barbican is also using crypto features not in 0.415:16
dolphmanyone know where to configure what projects OpenStack Proposal Bot hits?15:18
morganfainbergstevemar: re cadf deprecation of msgs. I recommend you do the google protobuf thing, requires etc15:18
morganfainbergdolphm: yes it's in a text file in the g-r repo. Iirc15:18
sigmavirus24dolphm: somewhere in openstack-infra's repos probably15:18
sigmavirus24or not15:18
dolphmsigmavirus24: glance doesn't seem to be getting requirements updates, which would eliminate your usage of ~=15:19
stevemardolphm, it comes from requirements/projects.txt15:19
dolphmsigmavirus24: there's a stable patch for glance, but nothing from master15:19
morganfainbergdolphm: or its a zuul job in project-config, but I think it's in the project.txt file15:19
dolphmstevemar: awesome, thanks15:19
sigmavirus24stevemar: ftw15:19
sigmavirus24dolphm: yeah I was going to look into that later15:20
dolphmsigmavirus24: glance is in the list ... https://github.com/openstack/requirements/blob/master/projects.txt15:20
sigmavirus24dolphm: I know. we usually get updates15:20
marekdayoung: Hi. How do you want Keystone to actually verify who issued assertion X if not via remote_id ?15:22
ayoungmarekd, no clue15:22
ayoungI'm just knee-jerk panicking as usual15:22
ayoungmarekd, so...what is a remote_id anyway15:22
marekdayoung: please don't say now: we should have listened to DWChadwick, make one global mapping and list of trusted attributes"15:23
marekdayoung: remote_id is entityId15:23
marekdayoung: and it will usually be a URL15:23
morganfainbergdolphm: g-r has stable branches too.15:24
ayoungmarekd, heh,   I just want to make sure we have a plan in place to move towards self-modification of rules by the IdPs15:24
ayoungso remote_id...is it something we really expect the IdPs to issue?  Shouldn't it be mapped?15:25
marekdif it doesn't then I deem the protocol as broken...or not functional in all cases.15:25
marekdayoung: right now you need (idp, proto) to actually know HOW to map anything15:26
marekdayoung: see, the point is there is kind of split in this architecture - there is mod_shib, where you actually configure who can access some URLs, and there is Keystone with its IdentityProvider backend objects. And until now, the IdentityProvider was a stub with unique name.15:27
marekdplus, for websso - there is one endpoint only, and somehow we need to be able to see what was the issuer of this assertion.15:28
marekdmod_shib will make sure the IdP is trusted, and somewhere in that process will also check entityID (remote_id in our jargon)15:28
ayoungmarekd, ... so this is a naming problem.  Pretty much everything in the world is referenced by a "remote_id" of some sort.  In this case, we have multiple remote_ids to...the IdP?  And we are looking up the IdP by its id...which is different from the remote_id?  Can you see how a casual user will get confused.15:29
marekdand since mod_shib/mellon/whatever is not part of Keystone, we need to duplicate few things.15:29
*** samueldmq__ has joined #openstack-keystone15:29
ayoungSo entityId/remote_id is the remote attribute that maps to...the Identity Provider itself?15:29
marekdit doesn't map..i'd say it identifies15:30
marekdayoung: and yes, there are multiple remote_ids tied to one Idp, but then there is our work to change ppls minds and tell them: "hey, since you share your policies and mappings because your 100 universities agreed (SOMEHOW) on that, treat this IdP as your "federation instance"15:31
*** samueldmq_ has quit IRC15:31
ayoungmarekd, is the remote_id validated by mod_shib?15:33
marekdnow let me explain how this emerged. CERN doesn't have this problem cause we have MS ADFS and this time they did better job than FOSS community (Shibboleth), but there is Marco from INFN (italian institute) who manages OpenStack there and he comes to me and complains: dude, now you made me make up 500 stupid names to be configured in Keystone. Just because my institute is in the federation with 500 members.15:33
marekdayoung: for 99% yes.15:33
ayoungmarekd, so I only have to worry about 1% of my users?  That will help me sleep at night15:34
marekdayoung: in fact, we should probably let them configure trusted idp like ppl configure mod_shib - by handing in Metadata files issued by a trusted IdP.15:34
marekdayoung: i said that for 99% yes it validates, and i kept this 1% because i personally didn't see the line of code that does this validation.15:35
*** ryanpetrello has joined #openstack-keystone15:35
dolphmsigmavirus24: as it turns out, you killed the requirements job15:35
marekdayoung: let me google15:35
ayoungheh15:35
ryanpetrelloanybody around knowledgeable on keystone trusts?15:35
stevemarayoung, ^^15:35
ryanpetrelloI have an interesting problem I'm trying to solve and am kind of stuck; looking for fresh ideas15:35
ayoungryanpetrello, well I wrote "trusts"  so I am like, the last person you should trust15:36
ryanpetrello:D15:36
ryanpetrelloas an admin user, I want to perform some actions on behalf of a non-admin user15:36
ayoungI only know what I *think* they do15:36
sigmavirus24dolphm: me personally or glance?15:36
ryanpetrellonamely, I want to prefill their tenant with some things, e.g., make `neutron net-create` calls, etc...15:36
ayoungOK15:36
ryanpetrelloI've *been* using user-role-add/remove to temporarily add the user into the tenant and perform some of these actions on their behalf15:36
morganfainbergdolphm: proposal bot can't do ~= ?15:37
marekdayoung: http://blogs.forgerock.org/petermajor/2011/10/federation-with-shibboleth-sp-apache-module/ you actually specify entityId as identifier for the IdP.15:37
ryanpetrellobut this has an unfortunate side effect: after the user-role-remove is called, *all* of the active tokens for that user are invalidated15:37
dolphmsigmavirus24: you personally, i'm putting up a "fix" now :P15:37
ryanpetrellotrusts looks like a promising alternative, but as an admin, it doesn't look like I can grant myself a trust on another user's tenant; only they can grant *me* the trust15:37
ayoungryanpetrello, and you would rather use a trust....not certain it makes sense....but I see why15:37
sigmavirus24dolphm: which commit?15:37
dolphmmorganfainberg: requirements/update.py can't handle it, so the bot can't15:37
sigmavirus24dolphm: oh hah15:37
ayoungyeah...that is a concern.15:37
* sigmavirus24 knows which change15:37
ryanpetrelloayoung: https://github.com/openstack/keystone/blob/stable/juno/keystone/trust/controllers.py#L12715:38
ayoungSo, a trust has to be created by the trustor.15:38
ryanpetrelloright15:38
ryanpetrelloany other ideas how I could accomplish this?15:38
ayoungFor audit reasons, you want the admin to do it with their own account...15:38
ayoungryanpetrello, I'm putting design work in to clean up this process...but let me think if there is a way you can do it today....15:39
ryanpetrellothe only other thought I had was kind of disgusting :\15:40
ryanpetrelloI thought about, as an admin, adding an anonymous user to the target project15:40
ayoungtemporary user?15:40
ryanpetrellodoing the work as that user15:40
ryanpetrellothen removing them15:40
ryanpetrelloright15:40
ayoungryanpetrello,  don't you really want the project setup to be automated?15:40
ayoungSounds like a user for a Heat template15:40
ayoungyou still have the trust issue, but you could probably automate the trust creation when you user create the user account15:41
ryanpetrellowouldn't the user in question still have to run it?15:42
ryanpetrelloright15:42
ryanpetrellothe tricky part is that we don't *always* do this at user creation time15:42
*** afazekas_ has quit IRC15:42
ryanpetrellosometimes folks want us to do a "factory reset" of their tenant15:42
ayoungstill would be a heat template or something...but sure...15:43
ryanpetrellowe *could* set up a very long-running trust at user creation time15:43
ryanpetrellobut then you've sort of got that trust hanging around forever15:43
ryanpetrellowhich is probably not super kosher from a security perspective15:44
dolphmsigmavirus24: the fix https://review.openstack.org/#/c/166897/15:44
dolphmsigmavirus24: the result https://review.openstack.org/#/c/166894/15:44
ayoungryanpetrello, OK...so  the problem is that there is no chain of responsibility.  No way to say that ryanpetrello created the ayoung user in this server, and assigned him his roles.15:44
ayoungIdeally, everything would be an explicit delegation15:45
marekdayoung: i think IdentityProvider objects should be equipped with more and more attributes.15:45
ayoungtemp assigning of roles is wrong because you already have the power....15:45
sigmavirus24dolphm: ah, that was something dhellmann or stevemar asked me to use and somehow merged as part of the oslo.policy graduation. Interesting15:46
dolphmsigmavirus24: yeah, that's what requirements *did* specify -- but it's since been updated to rip all those out15:46
ayoungryanpetrello, really the bug is the revoke-all-tokens thing in your case.15:46
sigmavirus24dolphm: also https://review.openstack.org/#/c/166796/15:46
dolphmsigmavirus24: and glance's requirements weren't getting updated in the mean time15:46
ryanpetrelloayoung: correct15:47
dolphmsigmavirus24: oh there you go15:47
sigmavirus24yeah15:47
ryanpetrelloif the tokens weren't auto-revoked on the remove, what we have would work fine15:47
sigmavirus24but we have a migration that's broken with alembic 0.7.515:47
ayoungryanpetrello, For the factory reset case...you could build a web service that the user hits themself to do it.15:48
sigmavirus24because 0.7.5 introduced some seemingly backwards incompat behaviour since 0.7.415:48
sigmavirus24so our gate is broken on that too15:48
ryanpetrelloyea, potentially15:48
ryanpetrellookay, I'll think some more on it15:48
ayoungthey create the trust, and then you execute it15:48
ryanpetrellojust wanted to make sure I wasn't missing something obvious15:48
dolphmlbragstad: abandon? https://review.openstack.org/#/c/166874/15:48
ayoungryanpetrello, for the initialization...it would work the same.  Do you have some sort of provisioning system?15:48
stevemardolphm, that ~ was in a bunch of other oslo libs no?15:49
lbragstaddolphm: yeah, I can. I threw up a review because bknudson wanted to see some docs.15:49
dolphmstevemar: yes, but they've since been removed because it broke everything15:49
dolphmlbragstad: requirements.txt is docs :)15:49
stevemardolphm, someone forgot to remove for policy?15:49
dolphmstevemar: no, so...15:49
dolphmstevemar: ~= was in global requirements for policy for a moment15:50
lbragstaddolphm: works for me!15:50
stevemaroh15:50
dolphmstevemar: you suggested sigmavirus24 change to match requirements15:50
dolphmstevemar: it got ripped out of global requirements15:50
dolphmstevemar: and sigmavirus24's patch merged15:50
sigmavirus24stevemar: it's all your fault =P15:50
dolphmstevemar: and glance was left broken15:50
stevemargotcha, didn't realize it was ripped out so quickly15:50
stevemari broken is all15:50
stevemarit*15:50
stevemareven that sentence15:50
sigmavirus24lol15:51
lbragstadstevemar: have you done a brown bag before?15:51
bknudsongross.15:51
marekdlbragstad: what's that?15:51
lbragstadmarekd: http://openstack.prov12n.com/vbrownbag-techtalks-in-vancouver/?awesm=awe.sm_p8ZHg15:51
stevemarlbragstad, nope, but i know the gist of them15:51
* lbragstad shakes head at bknudson :) 15:51
lbragstadstevemar: gotcha15:52
stevemarbknudson, get your mind out of the gutter15:52
*** spandhe has quit IRC15:52
*** _cjones_ has joined #openstack-keystone15:56
*** _cjones_ has quit IRC15:58
*** _cjones_ has joined #openstack-keystone15:58
bknudsonI don't see any keystone brown bags: https://www.youtube.com/playlist?list=PL2rC-8e38bUUSBsGoBGFwohNhGO8l_UlJ16:00
bknudsonhttps://www.youtube.com/watch?v=3jErNTJYI-Q&list=PL2rC-8e38bUUSBsGoBGFwohNhGO8l_UlJ&index=5916:01
bknudsonCraig Lee – Federation Management Using Keystone16:01
bknudsonanyone go to that?16:01
marekdbknudson: there are plenty of such talks16:02
marekdi wonder how many different federation approaches can co-exist16:02
morganfainbergmarekd: all of them.16:02
morganfainberg:P16:02
stevemaroh neat 12 minute talks16:03
stevemarlbragstad, oh these brown bags.... nope never did those16:03
marekdmorganfainberg: .... happily there is only one in OpenStack upstream.16:03
marekd:P16:03
morganfainberg;)16:03
*** samueldmq__ has quit IRC16:04
raildomorganfainberg, morning :)16:04
raildomorganfainberg, can you put a -2 in the patch? https://review.openstack.org/#/c/166354/ it's part of reseller FFE.16:05
marekd ^^^ weidres request I have ever read on this channel :P16:05
marekdweirdest16:06
raildomarekd, haha :(16:06
raildosad but true16:06
morganfainbergDone16:06
*** thedodd has quit IRC16:07
raildomarekd, in a few days I will request a +2 :D16:07
marekdmore normal.16:07
marekdbknudson: why did you ask about Lee's talk?16:08
*** Bsony has quit IRC16:08
bknudsonmarekd: that's the only keystone one I could find.16:08
marekdin Vancouver?16:08
bknudsonmarekd: that one was from paris.16:09
*** gyee has joined #openstack-keystone16:09
*** ChanServ sets mode: +v gyee16:09
marekdbknudson: LOL i thought you found it on vancouver sched and was asking who wants to see it ;/ <facepalm>16:10
* marekd facepalm16:10
rodrigodsstevemar, hey... going to implement service providers CRUD in OSC16:11
openstackgerritDavid Stanek proposed openstack/keystone: region.description is optional and can be null  https://review.openstack.org/11761116:12
bknudsonwhy do we have both add_role_to_user_and_project and create_grant?16:12
dstanekis this one worth picking up and fixing? https://review.openstack.org/#/c/13694616:13
marekdrodrigods: https://review.openstack.org/#/c/165755/16:13
bknudsondstanek: it seems like it happened maybe once?16:13
stevemarrodrigods, is that a question? marekd has it going on https://review.openstack.org/#/c/165755/516:13
bknudsonnever seen it myself.16:13
stevemardstanek, isn't that a non-issue now with migration collapse?16:14
bretondstanek: no. We've squashed migrations16:14
bretonthere is no more migration 03916:15
stevemaryeah, what breton said16:15
bknudsonstill exists in stable/ if you want to fix it there.16:16
rodrigodsstevemar, ahh... great, wasn't aware about it16:16
rodrigodsstevemar, marekd, so not implement, just review :)16:16
marekdrodrigods: and play with it16:16
marekdi did last Friday and it worked.16:16
stevemarmarekd, i was going to check it out and run some commands now16:17
stevemarrodrigods, do the same and we can merge it today :)16:17
marekdstevemar: yes, please :-)16:17
marekdrodrigods: U216:17
bretonsomeone should do something about https://bugs.launchpad.net/keystone/+bug/139595916:17
openstackLaunchpad bug 1395959 in Keystone "assignment table migration fails for keystone-manage db_sync if duplicate entry exists" [Undecided,In progress] - Assigned to Will Foster (wfoster-b)16:17
stevemarbreton, i am thinking i will mark it as invalid16:18
dstanekbknudson: right, that would still be an issue in stable. a patch may not be worth the risk though16:18
bretonit should be either marked as invalid or a milestone on stable/ set16:18
rodrigodsstevemar, marekd, where devstack is currently placing OSC source?16:20
marekd#which openstack ?16:20
dstanekstevemar: the bug itself isn't invalid for stable16:20
marekdrodrigods: but i always create my own virtualenv, clone osc and keystone and build it there.16:21
marekdyou still need to fetch review.16:21
*** spandhe has joined #openstack-keystone16:21
*** gyee has quit IRC16:21
marekdre: https://www.youtube.com/watch?v=3jErNTJYI-Q&list=PL2rC-8e38bUUSBsGoBGFwohNhGO8l_UlJ&index=59 (Lee's Keystone federation) Anyone actually know where this code lays ?16:22
marekdsome repo?16:22
*** spandhe has quit IRC16:22
*** gyee has joined #openstack-keystone16:23
*** ChanServ sets mode: +v gyee16:23
stevemarrodrigods, devstack install all libs from pypi now, only release levels16:25
stevemarrodrigods, if you want the latest master code, use the following https://gist.github.com/stevemart/9ce3c7f120c25d3e6175#file-localrc-L1216:25
stevemarrodrigods, then pull down the review like you normally would (git review -d <patch_number>) and run `python setup.py develop` to get the latest OSC changes for that patch (or use venvs)16:26
rodrigodsstevemar, thanks16:27
*** ryanpetrello has left #openstack-keystone16:28
*** junhongl has joined #openstack-keystone16:34
dstanekmhu: are you around?16:34
mhudstanek, yes16:34
dstanekmhu: i just commented on your notifications review16:35
mhudstanek, I am having a look now16:35
stevemardstanek, link me?16:36
dstanekstevemar: https://review.openstack.org/#/c/158777/16:36
stevemarnvm https://review.openstack.org/#/c/158777/16:36
*** iamjarvo has joined #openstack-keystone16:36
*** iamjarvo has quit IRC16:37
*** iamjarvo has joined #openstack-keystone16:37
*** junhongl has quit IRC16:38
*** iamjarvo has quit IRC16:39
*** iamjarvo has joined #openstack-keystone16:40
mhudstanek, ok, that should work, I am going to remove the version test and see how it goes. Thw16:43
mhuthx16:43
*** junhongl has joined #openstack-keystone16:46
openstackgerritDavid Stanek proposed openstack/keystone: Add docstrings to keystone.notifications functions  https://review.openstack.org/14731316:48
*** junhongl has quit IRC16:53
*** browne has joined #openstack-keystone16:54
*** tqtran has joined #openstack-keystone16:55
*** spandhe has joined #openstack-keystone16:57
*** ljfisher has quit IRC16:58
*** lhcheng_afk has joined #openstack-keystone17:00
*** iamjarvo has quit IRC17:03
*** atiwari has joined #openstack-keystone17:04
*** lhcheng_afk has quit IRC17:04
*** henrynash has joined #openstack-keystone17:05
*** ChanServ sets mode: +v henrynash17:05
*** iamjarvo has joined #openstack-keystone17:05
*** dan has quit IRC17:07
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/16643717:07
*** dan has joined #openstack-keystone17:12
*** ljfisher has joined #openstack-keystone17:15
ayoungnkinder, are you doing more work on https://review.openstack.org/#/c/166391/  or are you comfortable with the tests as they are written?17:18
marekdayoung: i think it's fine. I only don't know whether we want to merge it now or postpone until <something>17:21
ayoungmarekd, nah, push it17:22
ayoungwe are in bug fix stage of development17:22
marekdmorganfainberg: ^ you are not going to -2 it, are you ?17:22
marekdayoung: i need to step away for a second, will revisit this patch later on.17:24
*** _cjones_ has quit IRC17:24
*** _cjones_ has joined #openstack-keystone17:25
*** richm has quit IRC17:25
openstackgerritBrant Knudson proposed openstack/keystone: Fix for notifications for v2 role grant/delete  https://review.openstack.org/16693417:27
*** harlowja has joined #openstack-keystone17:27
*** _cjones_ has quit IRC17:29
openstackgerritRodrigo Duarte proposed openstack/keystone: Update ServiceProviderModel attributes  https://review.openstack.org/16693617:32
*** _cjones_ has joined #openstack-keystone17:32
rodrigodsstevemar, marekd, gyee ^ forgot this in the db migration patch17:32
*** junhongl has joined #openstack-keystone17:33
openstackgerritNicolas Simonds proposed openstack/python-keystoneclient: Upsell all command-line args to Unicode  https://review.openstack.org/16649517:37
*** junhongl has quit IRC17:37
haneefstevemar: In k2k, If an IDP has 2 sps registered, how  can I get an assertion for my choice of sp from IDP.   I don't see an option to specify the sp id  while exchanging token for  assertion17:38
haneefstevemar: ignore it. It is scoped to sp_id17:42
marekdhow can we overcome the burden of multiple tokens?17:51
rodrigodsmarekd, multiple tokens?17:54
*** jistr has quit IRC17:54
*** fhubik_ has quit IRC17:54
marekdrodrigods: yes17:55
marekdrodrigods: one token per cloud.17:55
marekdrodrigods: this doesn't give you abstraction of one cloud17:56
marekdrodrigods: you can handle this in client, you can make a daemon for that17:56
marekdrodrigods: but what if one day you will ask for inter cloud vm migrations17:56
marekdor soon, image sharing.17:56
*** amakarov is now known as amakarov_away17:56
rodrigodsmarekd, ahh, got it17:57
marekdare you going to push it through the poor adsl-wire client?17:57
marekdnoooooooooooooooooooooooooooooooooooooooooo17:57
marekdare actually any protocols/standards that deal with such infrastructures?17:57
marekdhttp://www.stanford.edu/class/cs347/reading/zab.pdf17:59
marekdmaybe this17:59
*** bernardo-silva has joined #openstack-keystone18:00
*** stevemar has quit IRC18:02
htrutamarekd, rodri: some kind of shared storage between cloud wouldn't solve the problem?18:03
htrutaI mean... is it an usual thing to have?18:03
*** stevemar has joined #openstack-keystone18:03
*** ChanServ sets mode: +v stevemar18:03
*** krykowski has quit IRC18:07
gyeemarekd, how about copy them onto a CD and mail it over to the other cloud. :D18:08
*** dan has quit IRC18:08
openstackgerritBrant Knudson proposed openstack/keystone: Fix for notifications for v2 role grant/delete  https://review.openstack.org/16693418:09
*** lhcheng_afk has joined #openstack-keystone18:13
*** dank_ has joined #openstack-keystone18:14
nkinderayoung: I'm happy with the tests as they are for https://review.openstack.org/#/c/166391/18:17
*** lhcheng_afk is now known as lhcheng18:17
*** omkarjoshi has joined #openstack-keystone18:17
*** harlowja has quit IRC18:18
ayoungnkinder, Federation is broken without that fix, right?18:18
nkinderayoung: sort of, yes18:18
nkinderayoung: the comparison is just wrong18:19
ayoungnkinder, OK.. marekd let's get that one through.  I think nkinder is going to propose it for backport once it is in18:19
nkinderayoung: also, with mod_mellon, the remote ID value is a URL that comes straight from the IdP metadata18:19
ayoungnkinder, is there some way to validate that?18:20
nkinderthat means I have to name my IdP as a URL in keystone, which also means the federation auth url contains an url within it that has to be escaped18:20
nkinderIt would be hideous18:20
ayoungI wouldn't want idp.pepsi.com to be able to claim to be idp.coke.com18:20
nkinderayoung: I would have to look at what Mellon does exactly internally18:20
*** harlowja has joined #openstack-keystone18:21
nkinderayoung: mellon has a distinct setting for the env. variable that the IdP ID should be dumped into.  I believe it overrides anything that would actually be in the assertion.18:21
ayoungGood18:22
ayoungthat is the right approach18:22
nkinderPretty sure it comes straight from the local metadata, and it validates that the assertion was signed by the matching cert18:22
*** omkarjoshi has quit IRC18:23
stevemarmorganfainberg, are we good to start merging code again?18:23
ayoungstevemar, bug fixes only, not features18:24
stevemarayoung, of course, oh... you mean FFE related feature code?18:25
ayoungstevemar, Do we have anything approved for Thawing out?18:26
bknudsonbug: this feature doesn't exist.18:26
*** thedodd has joined #openstack-keystone18:29
openstackgerritRodrigo Duarte proposed openstack/keystone: Update ServiceProviderModel attributes  https://review.openstack.org/16693618:32
*** omkarjoshi has joined #openstack-keystone18:32
rodrigodsmarekd, ^ added the bug reference, had to create a new bug since the other one was with Fix Released status18:32
dstanekquick review (i hope) -> https://review.openstack.org/#/c/147313/18:34
stevemardstanek, i'll be the judge of that18:40
*** richm has joined #openstack-keystone18:40
dstanekstevemar: that's what i am counting on18:42
ayoungstevemar, oslo-policy has no order of operations.  The only way to enforce it is to create nested rules.  Right?18:44
morganfainbergstevemar: for non features, yes.18:45
morganfainbergFFE I should have answers for tomorrow.18:45
stevemarmorganfainberg, i'm sending out an FFE email on the mailing list soon, for the ECP wrapped SAML assertion18:46
morganfainbergstevemar: ok. Send it today please.18:46
morganfainbergstevemar: I plan to chat with ttx before confirming any ffes.18:47
morganfainbergSo that'd be tomorrow.18:47
morganfainbergAnything not on that list I'm going to say is flat out deferred until liberty.18:47
stevemarmorganfainberg, writing it now...18:49
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Bye Bye Domain Table  https://review.openstack.org/16185418:50
raildoayoung, dstanek If you can take a look ^ I created a test and its working alone... but when run entire suite, I get the error  migrate.exceptions.DatabaseAlreadyControlledError in test_extension_initial and other similar tests...18:52
rodrigodshenrynash, ping.. re: did you see the reply in https://review.openstack.org/#/c/159944/ ?18:52
*** samueldmq__ has joined #openstack-keystone18:52
ayoungraildo, merge conflict18:53
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Bye Bye Domain Table  https://review.openstack.org/16185418:53
raildoayoung, done18:53
dstanekraildo: sure18:54
ayoung migrate.exceptions.DatabaseAlreadyControlledError means migrations have already run on those extensions.  Should not be the case18:54
dstanekraildo: i'm getting a different error18:56
raildodstanek, in the teardown I'm getting the NoSuchTableError: domain error18:58
ayoungraildo, let's see what the check job gets.  Suspect it is a dirty database problem19:02
*** raginbajin has quit IRC19:04
*** haneef has quit IRC19:04
*** Qlawy has quit IRC19:04
*** grantbow has quit IRC19:04
*** raginbajin has joined #openstack-keystone19:04
*** Qlawy has joined #openstack-keystone19:04
*** Qlawy has quit IRC19:04
*** Qlawy has joined #openstack-keystone19:04
*** haneef has joined #openstack-keystone19:04
*** _cjones_ has quit IRC19:07
*** bernardo-silva has quit IRC19:12
*** lhcheng is now known as lhcheng-afk19:13
*** omkarjoshi has quit IRC19:20
ayoungand dugh we have parenthesis19:21
*** timcline has quit IRC19:22
*** rushiagr_away is now known as rushiagr19:23
openstackgerritMatthieu Huin proposed openstack/keystone: Get method's class name in a python3-compatible way  https://review.openstack.org/15877719:26
*** _cjones_ has joined #openstack-keystone19:30
*** rushiagr is now known as rushiagr_away19:34
*** timcline has joined #openstack-keystone19:36
*** bernardo-silva has joined #openstack-keystone19:41
*** grantbow has joined #openstack-keystone19:50
*** grantbow has joined #openstack-keystone19:50
raildoayoung, the gate log for the drop table patch: http://logs.openstack.org/54/161854/12/check/gate-keystone-python27/81e74fe/console.html19:53
morganfainbergraildo, Fwiw, don't try and do a downwards migration w/ that patch.19:54
morganfainbergraildo, if it becomes a headache19:55
morganfainbergmfisch, ping - re no-downgrade stuff. want to coordinate things w/ you for documentation19:55
mfischhey19:55
morganfainbergmfisch, soooo thanks for volunteering to help shape up the docs!19:56
morganfainbergmfisch, >:)19:56
mfischYeah let me schedule that in between the 4 talks I have to give in Vancouver19:56
morganfainbergmfisch, i think most of them are in order, we just need to do a pass on them.19:56
mfischok19:56
morganfainbergmfisch, it's ok, I'm on the hook for PTL things, and a couple talks in vancouver as well.19:56
morganfainbergsoooo19:56
mfischwhat do the docs need? just a purging of downgrade stuff?19:57
morganfainbergand travel-y things19:57
morganfainbergmfisch, i think we just need to make sure we clearly communicate best practices and say "yeah no more downgrades"19:57
morganfainbergmfisch, since you *actually* run a cloud... i'd like you to look over the docs, see if anything stands out as missing. we can collaborate on updates from there.19:58
raildomorganfainberg, ok... thanks for the advice :)19:58
mfischok19:58
mfischIs there a specific section of the docs or is downgrade all spread out?19:58
morganfainbergmfisch, it was linked in the spec.19:58
mfischmorganfainberg: FYI you guys have a cloud too ;)19:58
mfischmorganfainberg: ok19:58
mfischI will look it over tonight19:58
morganfainbergmfisch, *I* don't run a cloud19:58
morganfainberg;)19:58
morganfainbergand we have all sorts of mongo-fun baked in19:59
morganfainbergit's not really comparable to most.19:59
morganfainbergayoung, ping19:59
mfischmongo is always fun19:59
morganfainbergayoung, can't elaborate, but need to run something by you.19:59
morganfainbergayoung, let me know when you have a few19:59
morganfainbergnkinder, cc ^ you can help here as well.19:59
morganfainbergayoung, nkinder, this is re: 143403420:01
morganfainbergnkinder, ayoung, I added a comment. it shouldn't be a big ask to address it's a simple check.20:05
morganfainberganyway20:05
nkindermorganfainberg: in a meeting, but will take a look in a bit20:05
morganfainbergnkinder, ++20:06
mfischmorganfainberg: that doc references H to G...20:06
mfischis that the latest we have?20:06
morganfainbergmfisch, i think so.20:07
*** ljfisher_ has joined #openstack-keystone20:07
morganfainbergmfisch, another sign this is due for an update20:07
morganfainbergmfisch, let's plan to circle up next week and just hash out (etherpad) anything we want to change?20:07
mfischsure20:07
mfischI will file a bug now though20:07
*** omkarjoshi has joined #openstack-keystone20:07
morganfainbergmfisch, you want a email / invite for a meeting thing? or just catch ya ... say monday or tuesday (laate)20:08
morganfainbergmfisch, oh, also where are you based?20:08
mfischColorado20:08
morganfainbergahhh20:08
mfischyeah that works re: time20:08
mfischhttps://bugs.launchpad.net/openstack-manuals/+bug/143552920:08
openstackLaunchpad bug 1435529 in openstack-manuals "Rolling Back a Failed Upgrade in OpenStack Operations Guide" [Undecided,New] - Assigned to TWC Service (twc-service)20:08
mfischoops, signed in as service account.20:08
morganfainberglol20:09
*** ljfisher has quit IRC20:09
* morganfainberg likes that the bot tells who it's assigned to.20:10
*** ljfisher has joined #openstack-keystone20:11
*** ljfisher_ has quit IRC20:12
dstanekraildo: you still around?20:13
raildodstanek, yeap20:13
dstanekraildo: i think the 'domain' table not found is caused by SQL magic - the reflect call expects it to be there because it thinks that there is still a FK relationship to it from Project20:14
raildodstanek, but in the previous patch, I removed this FK... maybe can exists other for user, or group20:16
raildoI'll take a look on this.20:17
stevemarsamueldmq, lbragstad i marked https://bugs.launchpad.net/keystone/+bug/1409203 as fix committed20:19
openstackLaunchpad bug 1409203 in Keystone "Formatting in configuration.rst " [Low,Fix committed] - Assigned to Samuel de Medeiros Queiroz (samueldmq)20:19
samueldmqstevemar, ah sure ... sorry I forgot to reply that20:20
stevemarnp20:20
samueldmqstevemar, when we closes bugs, do we need to close them (in LP) manually ?20:20
samueldmqclose*20:20
stevemarlbragstad, dstanek take a look at: https://review.openstack.org/#/c/155919/ ?20:20
morganfainbergayoung, nkinder, opened 1435530 on the other side of that issue as i commented.20:20
ayoungmorganfainberg, is that a patch or a bug number?20:21
stevemarsamueldmq, so LP is smart enough to mark the bug as 'fix committed' but only if the commit message has "Closes-Bug: 123"20:21
openstackbug 123 in Launchpad itself "There's no direct way to see the project info when translating it" [Medium,Fix released] https://launchpad.net/bugs/12320:21
morganfainbergbug20:21
ayoungbug I'm guessing20:21
*** ljfisher_ has joined #openstack-keystone20:21
morganfainbergayoung, yeah.20:21
* morganfainberg sighs.20:22
stevemarsamueldmq, in your case, you used Partial-Bug, which just leaves a comment in LP, but doesn't change status20:22
ayoungmorganfainberg, I recall bringing that up when we were discussing revocation way back when.  Nothing new.20:22
samueldmqstevemar, yeah I thought I did ... but I used partial on the whole chain :)20:22
stevemarah20:22
morganfainbergayoung, the issue is caching.20:22
samueldmqstevemar, needed to put closes-bug on the last one20:22
stevemargotcha20:22
ayoungmorganfainberg, I know.20:23
stevemarno big deal20:23
morganfainbergayoung, like i said, this is something we can probably just open up and issue OSSN on20:23
stevemarjust gotta go and clean up the bugs every now and then20:23
ayoungIt was my argument for not putting any revocation check into PKI tokens original design20:23
*** ljfisher has quit IRC20:23
morganfainbergayoung, or whatever. but erring on the side of VMT deciding what to do20:23
*** ljfisher_ is now known as ljfisher20:23
ayoung++20:23
* ayoung shuts up now and goes back to muttering under breath as usual20:23
*** pnavarro is now known as pnavarro|off20:25
*** ChanServ changes topic to "High Priority Reviews: https://gist.github.com/dolph/651c6a1748f69637abd0 | Review RC Blocking Reviews."20:25
morganfainbergstevemar, i hear topol is on vacation20:26
stevemarmorganfainberg, yep20:27
dstanekstevemar: i can take a look in a few if lbragstad hasn't already started20:29
lbragstaddstanek: not yet,20:29
bknudsontopolino is afraid to tell us where he went.20:35
*** ljfisher_ has joined #openstack-keystone20:35
morganfainbergbknudson, i bet!20:35
morganfainbergbknudson, someone might call him20:35
*** ljfisher has quit IRC20:37
*** ljfisher has joined #openstack-keystone20:40
*** ljfisher_ has quit IRC20:41
*** ljfisher_ has joined #openstack-keystone20:43
*** ljfisher has quit IRC20:44
*** ljfisher_ is now known as ljfisher20:44
dstanekstevemar: bknudson: that's an inventive and weird way to do comments in a json file20:49
bknudsondstanek: I'm not sure it's the best idea, but it seems to work.20:49
bknudsonif we want the docs elsewhere it's easy to move.20:49
dstanekbknudson: can // not be in json?20:49
bknudsonkind of20:49
bknudsondstanek: http://www.json.org/20:50
bknudsonthere might be a FAQ on it, where he just says to use a javascript minimizer or something.20:50
stevemarthat site looks like something out of the 90s20:50
*** lhcheng-afk is now known as lhcheng20:50
bknudsonironically doesn't use AJAX20:51
*** samueldmq__ has quit IRC20:52
stevemarhehe20:52
stevemarsome sites are saying no comments allowed20:52
bknudsonget your head out of the gutter.20:52
stevemarsaying it's an Object notation20:53
dstanekvery odd that they left comments out of the spec20:53
lbragstadnot sure how common it is, but it looks like other people use this "convention" http://fadefade.com/json-comments.html20:54
*** raildo is now known as raildo|away20:57
*** pnavarro|off has quit IRC20:59
*** jamielennox|away is now known as jamielennox21:02
*** samueldmq is now known as samueldmq-away21:06
*** lhcheng has quit IRC21:06
*** iamjarvo has quit IRC21:08
*** lhcheng has joined #openstack-keystone21:09
*** afazekas_ has joined #openstack-keystone21:09
*** lhcheng_ has joined #openstack-keystone21:09
*** lhcheng has quit IRC21:09
*** iamjarvo has joined #openstack-keystone21:11
bknudsonI wouldn't trust http://fadefade.com/json-comments.html since it assumes new attributes overwrite old ones.21:16
*** iamjarvo has quit IRC21:17
*** samueldmq__ has joined #openstack-keystone21:26
*** samueldmq__ is now known as samueldmq21:26
*** thedodd has quit IRC21:28
*** lhcheng_ is now known as lhcheng21:30
*** mattfarina has quit IRC21:31
*** afazekas_ has quit IRC21:34
morganfainberggordc, ping: can you change https://launchpad.net/~pycadf-drivers owner over to "OpenStack Administrators"21:35
morganfainberggordc, when you have a few21:35
openstackgerritDavid J Hu proposed openstack/keystone: Version independent token issuance pipeline  https://review.openstack.org/15062921:36
*** afazekas_ has joined #openstack-keystone21:37
*** afazekas_ has quit IRC21:43
stevemaryeah gordc go do that, be a team player21:44
morganfainbergstevemar, ugh, FFEs are going to need String freeze exceptions too.21:44
morganfainbergstevemar, :(21:44
* morganfainberg grumbles.21:44
stevemar:\21:44
stevemardon't translate anything!21:44
morganfainbergstevemar, so... also yeah string freeze - remember when approving things21:44
stevemarnoted21:45
dstanekbknudson: did you do that json stuff by hand?21:45
bknudsondstanek: what do you mean?21:45
dstanekbknudson: did you write a script to figure it out or did you just do it by hand?21:46
bknudsondstanek: no script.21:46
bknudsondstanek: mostly grepping.21:47
bknudsonwhere it wasn't obvious... the routes are in routers.py21:47
openstackgerritMerged openstack/keystone: Lookup identity provider by remote_id for websso  https://review.openstack.org/16639121:50
*** Tahmina has joined #openstack-keystone21:58
dstanekbknudson: i hacked together a little script to help me verify things, but it doesn't entirely work21:58
bknudsondstanek: tjere21:59
bknudsonthere's probably a test you could write...21:59
bknudsonask the routes package?21:59
bknudsonwhat all the routes are, and what the function is21:59
bknudsonand then query the function?22:00
bknudsonto see what the string is22:00
gordcmorganfainberg: noooo!!! my power!22:01
gordcmorganfainberg: should be good now.22:01
dstanekbknudson: basically - i did it down and dirty, but only had time for the v3 routes22:02
*** timcline has quit IRC22:02
bknudsondstanek: there's only a couple of v2 routes that are protected by policy anyways.22:02
*** Tahmina has quit IRC22:04
morganfainberggordc, cool22:05
*** Tahmina has joined #openstack-keystone22:05
*** sigmavirus24 is now known as sigmavirus24_awa22:07
*** iamjarvo has joined #openstack-keystone22:16
*** thedodd has joined #openstack-keystone22:18
*** iamjarvo has quit IRC22:18
*** thedodd has quit IRC22:18
dstanekbknudson: this is what i was using to check that review: https://gist.github.com/dstanek/b6a5ae8daff0e6f9263d22:19
bknudsoncan't believe dstanek still uses the print statement.22:20
*** Tahmina has quit IRC22:20
dstanekHaha. I need to update my snippets22:21
bknudsonhe he: how to print: call print22:21
bknudsonwe all have that snippet.22:21
bknudsondstanek: put a link in the review.22:22
bknudsonthen maybe we can find it again l8r22:23
*** gordc has quit IRC22:23
* breton has just booked all the stuff for Vancouver and is pretty excited22:24
*** henrynash has quit IRC22:26
*** browne1 has joined #openstack-keystone22:28
*** browne has quit IRC22:29
*** breton has quit IRC22:30
*** bernardo-silva has quit IRC22:39
*** ljfisher has quit IRC22:39
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Allow saving and caching the plugin auth state  https://review.openstack.org/14917522:39
morganfainbergFYI i just fixed a bunch of security permissions on VMT bugs in our projects22:41
morganfainbergi drastically pared down who has access to bugs until VMT team figures out what to do with them.22:41
*** Tahmina_ has joined #openstack-keystone22:47
*** Tahmina_ has quit IRC22:50
*** carlosmarin has quit IRC22:53
*** carlosmarin has joined #openstack-keystone22:57
*** timcline has joined #openstack-keystone23:01
*** markvoelker has quit IRC23:01
*** timcline has quit IRC23:02
*** carlosmarin has quit IRC23:03
morganfainbergjamielennox, ping23:15
morganfainbergjamielennox, ok doing the split for session (or the start of it)23:15
morganfainbergjamielennox, what files do we want in keystoneauth module? session, adapter, access, auth, hacking, service_catalog.py?23:16
*** chlong has joined #openstack-keystone23:30
*** henrynash has joined #openstack-keystone23:31
*** ChanServ sets mode: +v henrynash23:31
*** zzzeek has quit IRC23:39
*** jaosorior has quit IRC23:42
*** markvoelker has joined #openstack-keystone23:47
*** markvoelker has quit IRC23:51
openstackgerritEric Brown proposed openstack/keystonemiddleware: Use oslo_config choices support  https://review.openstack.org/16003123:55
*** dims_ has joined #openstack-keystone23:58
openstackgerritLin Hua Cheng proposed openstack/keystone: Remove parent_id in v2 token response  https://review.openstack.org/15686723:59
