Thursday, 2015-03-26

bknudsonmorganfainberg: I'm just surprised somebody's using db2.00:00
morganfainbergbknudson, lol00:00
bknudsonreturn [x.target_id for x in query.all()] -- so it only cares about distinct target_id.00:02
bknudsonoh, wrong one.00:04
bknudsonah, the code doesn't exist in kilo.00:05
*** krtaylor has joined #openstack-keystone00:08
*** browne has quit IRC00:11
*** gyee has quit IRC00:16
*** junhongl_ has quit IRC00:31
openstackgerritMerged openstack/keystone: use tokens returned by delete_tokens to invalidate cache  https://review.openstack.org/15350100:42
openstackgerritMerged openstack/keystone: Loosen the validation schema used for trustee/trustor ids  https://review.openstack.org/14502400:42
openstackgerritMerged openstack/keystone: Distinguish between unset and empty black and white lists  https://review.openstack.org/16479800:42
openstackgerritBrant Knudson proposed openstack/keystone: Tests use common base class  https://review.openstack.org/16785000:44
*** markvoelker has joined #openstack-keystone00:48
*** markvoelker has quit IRC00:53
openstackgerritBrant Knudson proposed openstack/keystone: Move common checks into base testcase  https://review.openstack.org/16785200:54
*** jasondotstar has joined #openstack-keystone00:54
*** stevemar has joined #openstack-keystone01:04
*** ChanServ sets mode: +v stevemar01:04
openstackgerritLin Hua Cheng proposed openstack/keystone: Rename notification for create/delete grants  https://review.openstack.org/16750101:07
*** raildo_ has joined #openstack-keystone01:18
*** diegows has quit IRC01:32
*** browne has joined #openstack-keystone01:42
openstackgerritayoung proposed openstack/keystone-specs: certmonger  https://review.openstack.org/13409901:43
*** lhcheng has quit IRC01:46
*** lhcheng has joined #openstack-keystone01:49
*** markvoelker has joined #openstack-keystone01:49
*** lhcheng has quit IRC01:53
*** markvoelker has quit IRC01:53
*** raildo_ has quit IRC02:02
*** trey has quit IRC02:03
*** _cjones_ has quit IRC02:04
*** trey has joined #openstack-keystone02:05
*** raildo_ has joined #openstack-keystone02:06
raildo_morganfainberg: ping, I saw that patch: https://review.openstack.org/#/c/167834/1 when you're removing the sql downgrades... so may I have to remove the downgrades for the reseller scripts?02:08
morganfainbergYeah that is the idea. But not sure when it'll land02:09
morganfainbergMight land liberty, if it lands post reseller, it would remove the downgrades.02:09
raildo_ok... I'll pay attention in this patch, thanks02:11
*** erkules_ has joined #openstack-keystone02:12
*** erkules has quit IRC02:14
*** gokrokve has joined #openstack-keystone02:16
*** iamjarvo has joined #openstack-keystone02:19
*** sigmavirus24 is now known as sigmavirus24_awa02:22
*** zzzeek has quit IRC02:26
*** rushiagr_away is now known as rushiagr02:33
*** gokrokve has quit IRC02:36
*** dims has quit IRC02:39
*** gokrokve has joined #openstack-keystone02:45
*** gokrokve has quit IRC02:45
*** iamjarvo has quit IRC02:46
*** markvoelker has joined #openstack-keystone02:49
*** iamjarvo has joined #openstack-keystone02:53
*** iamjarvo has quit IRC02:53
*** harlowja is now known as harlowja_away02:53
*** iamjarvo has joined #openstack-keystone02:54
*** markvoelker has quit IRC02:54
*** raildo_ has quit IRC03:01
*** tqtran has quit IRC03:06
ayoungmorganfainberg, did I settle your fears on certmonger?03:06
*** _cjones_ has joined #openstack-keystone03:16
*** _cjones_ has quit IRC03:21
*** _cjones_ has joined #openstack-keystone03:21
*** markvoelker has joined #openstack-keystone03:50
*** dims has joined #openstack-keystone03:52
*** markvoelker has quit IRC03:55
*** dims has quit IRC04:14
*** lhcheng has joined #openstack-keystone04:17
*** _cjones_ has quit IRC04:18
*** davechen has joined #openstack-keystone04:24
openstackgerritLin Hua Cheng proposed openstack/keystone: Rename notification for create/delete grants  https://review.openstack.org/16750104:24
*** iamjarvo has quit IRC04:25
stevemarlhcheng, thx!04:36
lhchengstevemar, test should pass this time. :)04:38
lhchengstevemar: about relaxing the trusted_dashboard check, is that going to be scoped for rc1?04:40
stevemarlhcheng, oh yeah... i keep forgetting about that one04:44
stevemarlhcheng, it probably should be, but if it misses, i don't think it's a big deal04:44
stevemarlhcheng, i heard websso stuff got an FFE for horizon :)04:45
lhchengstevemar: we'll be relaxing it anyway later, so that should still be backward compatible04:45
lhchengstevemar: yeah, I am working on rebasing the websso patch with the plugin model that jamielennox added.04:46
stevemarlhcheng, i was just going to ask you that!04:46
lhchengstevemar: and still need to figure out the issue with project switching in horizon04:47
jamielennoxlhcheng: excellent, i was just finalizing the kerberos one and was going to look at that tomorrow04:47
stevemarlhcheng, i have an FFE for keystone but i think it's pretty much done (ECP wrapped assertions), so i'm mainly bug triaging right now04:47
stevemarlhcheng, let me know if you need me to review / test the horizon stuff, my plan was to let you and tqtran figure that out :\ since i'm a nub at horizon04:48
lhchengjamielennox: the kerberos plugin is going to DOA or as separate package? I remember you were asking about the package naming convention.04:50
jamielennoxlhcheng: https://github.com/jamielennox/django-openstack-auth-kerberos04:50
*** markvoelker has joined #openstack-keystone04:51
lhchengstevemar: cool. I accidentally ran devstack on my vm, had to re-setup keystone/horizon04:51
lhchengstevemar: was going to say the websso missed adding the "OIDCRedirectURI" in the apache.conf, but you already got it covered in the latest one. :)04:52
openstackgerritDave Chen proposed openstack/keystone: More content in the guide for core components' migration  https://review.openstack.org/16418804:52
stevemarlhcheng, yeah! thanks for that, i did forget about it; i was mostly going from memory04:53
*** fifieldt has joined #openstack-keystone04:53
lhchengjamielennox: nice! that would come in handy as reference. I'll go back working on the websso patch tomorrow.04:54
jamielennoxlhcheng: i think so, there's some interesting things about how you integrate a package like that with websso because it brings along a bunch of assets04:55
jamielennoxbut i think the basics should be the same04:55
jamielennoxlhcheng: also i filled out the basics in docs/source/installation.rst for how it would be setup04:55
*** markvoelker has quit IRC04:56
lhchengjamielennox: were you able to set up your local freeipa server? :)04:57
jamielennoxlhcheng: i'm rebuilding an environment now based on freeipa, unfortunately it's internal04:58
jamielennoxi'm down to building an environment in about 4 hours - god knows how admins are supposed to work this stuff04:58
jamielennoxhorizon/freeipa/kerberos04:58
lhchengjamielennox: how many times have you done it?05:00
jamielennoxlhcheng: probably 405:02
lhcheng4 hours jamie time =~ 4 wks to others (optimistic estimate) :P05:02
*** _cjones_ has joined #openstack-keystone05:05
jamielennoxwell, i wrote a bunch of the guides so maybe05:06
lhchengjamielennox: is this a good starting point? http://www.jamielennox.net/blog/2015/02/12/step-by-step-kerberized-keystone/05:07
jamielennoxlhcheng: yes, you need that and http://www.jamielennox.net/blog/2015/02/27/setting-up-s4u2proxy/ for horizon05:07
jamielennoxlhcheng: i want to go back and rewrite big chunks of that though, there's no point in like moving services users to freeipa, just do the domain specific config05:08
jamielennoxalso i found i left out a bit of the step-by-step - implying that no one else has tried it yet05:08
*** _cjones_ has quit IRC05:09
lhchengjamielennox: you mean Part-6 is not needed ?05:12
lhcheng"Part 6 - Recreate the LDAP users"05:12
jamielennoxlhcheng: right, skip part 5 and part 6 - leave the service users in the default domain and put your actual users in a new domain05:12
lhchengjamielennox: cool05:13
* lhcheng adding to list of to-do05:14
lhchengthanks for writing all those guides!05:15
*** r-daneel has joined #openstack-keystone05:36
openstackgerritDave Chen proposed openstack/keystone: Let "region" be effective both in the testcase and API  https://review.openstack.org/16753405:40
*** r-daneel has quit IRC05:41
stevemarlhcheng, btw - did you have an idea about how to loosen the validation on the hostnames?05:42
stevemarjamiec, domain config ftw!05:43
*** _cjones_ has joined #openstack-keystone05:46
*** _cjones_ has quit IRC05:50
*** markvoelker has joined #openstack-keystone05:52
*** markvoelker has quit IRC05:56
lhchengstevemar:  Instead of reading from the origin query parameter, I am thinking we could key off the Referer from the Http header to get the hostname of horizon.05:59
lhchengstevemar: sounds like that should get what we need: http://en.wikipedia.org/wiki/HTTP_referer06:00
stevemarlhcheng, reading about that now06:00
stevemarlol - The word “referrer” has been misspelled in the RFC as well as in most implementations to the point that it has become standard usage and is considered correct terminology06:01
*** _cjones_ has joined #openstack-keystone06:02
lhchengheh can't break backward compatibility06:02
lhchengadd a note in the code about that, otherwise you might get a -1 for misspelling06:06
*** stevemar has quit IRC06:09
*** stevemar has joined #openstack-keystone06:09
*** ChanServ sets mode: +v stevemar06:09
*** dims has joined #openstack-keystone06:12
*** _cjones_ has quit IRC06:13
openstackgerritSteve Martinelli proposed openstack/keystone: IdP ID registration and validation  https://review.openstack.org/15215606:14
*** jamielennox is now known as jamielennox|away06:16
openstackgerritSteve Martinelli proposed openstack/keystone: IdP ID registration and validation  https://review.openstack.org/15215606:21
*** dims has quit IRC06:32
openstackgerritSteve Martinelli proposed openstack/keystone: IdP ID registration and validation  https://review.openstack.org/15215606:37
*** chlong has quit IRC06:45
*** markvoelker has joined #openstack-keystone06:52
*** markvoelker has quit IRC06:57
*** stevemar has quit IRC06:58
*** stevemar has joined #openstack-keystone07:09
*** ChanServ sets mode: +v stevemar07:09
*** browne has quit IRC07:16
openstackgerritDave Chen proposed openstack/keystone: Don't add unformatted project-specific endpoints to catalog  https://review.openstack.org/14486007:19
*** ParsectiX has joined #openstack-keystone07:19
*** stevemar has quit IRC07:21
davechenstevemar: hi, steve07:25
*** ParsectiX has quit IRC07:26
*** ParsectiX has joined #openstack-keystone07:29
*** ParsectiX has quit IRC07:32
*** ParsectiX has joined #openstack-keystone07:32
bretonmorning, post-utc keystone shift07:40
marekdbreton: hehe07:40
*** ParsectiX has quit IRC07:41
*** ParsectiX has joined #openstack-keystone07:41
marekdbreton: where are you based?07:44
bretonMoscow07:44
*** Bsony has joined #openstack-keystone07:52
*** markvoelker has joined #openstack-keystone07:53
*** markvoelker has quit IRC07:58
*** ekarlso has quit IRC07:59
*** jaosorior has joined #openstack-keystone08:01
*** nellysmitt has joined #openstack-keystone08:03
*** rm_work is now known as rm_work|away08:03
*** krykowski has joined #openstack-keystone08:12
*** henrynash has joined #openstack-keystone08:15
*** ChanServ sets mode: +v henrynash08:15
*** dims has joined #openstack-keystone08:17
*** fifieldt has quit IRC08:20
*** dims has quit IRC08:25
*** jistr has joined #openstack-keystone08:27
*** dims has joined #openstack-keystone08:38
* breton has that feel when everyone puts their + to a patch and he comes and spoils the party08:39
marekdDDistributed breton links links08:41
marekdbreton: maybe you are becoming another bknudson08:42
*** markvoelker has joined #openstack-keystone08:54
*** markvoelker has quit IRC08:58
*** ekarlso has joined #openstack-keystone09:09
*** davechen has left #openstack-keystone09:46
*** erkules_ is now known as erkules09:49
*** erkules has quit IRC09:50
*** erkules has joined #openstack-keystone09:50
*** markvoelker has joined #openstack-keystone09:55
*** markvoelker has quit IRC09:59
*** jorge_munoz has quit IRC10:06
*** jorge_munoz has joined #openstack-keystone10:14
openstackgerrithenry-nash proposed openstack/keystone: Reload drivers when their domain config is updated  https://review.openstack.org/16332210:21
*** fmarco76 has joined #openstack-keystone10:27
*** fifieldt has joined #openstack-keystone10:36
samueldmq-awayhenrynash, hi10:37
openstackgerritLin Hua Cheng proposed openstack/keystone: Add routing for list_endpoint_groups_for_project  https://review.openstack.org/16793910:38
*** afazekas has joined #openstack-keystone10:39
*** henrynash has quit IRC10:39
*** samueldmq-away is now known as samueldmq10:39
*** Bsony_ has joined #openstack-keystone10:49
openstackgerritBoris Bobrov proposed openstack/keystone: Deprecate memcache as token persistence backend  https://review.openstack.org/16759410:50
openstackgerritLin Hua Cheng proposed openstack/keystone: Rename notification for create/delete grants  https://review.openstack.org/16750110:51
openstackgerritBoris Bobrov proposed openstack/keystone: Deprecate memcache as token persistence backend  https://review.openstack.org/16759410:51
*** Bsony has quit IRC10:53
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/16643710:55
*** markvoelker has joined #openstack-keystone10:56
*** lhcheng has quit IRC10:56
*** markvoelker has quit IRC11:00
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/16235511:01
*** nellysmitt has quit IRC11:05
*** crinkle_ has joined #openstack-keystone11:17
*** esp_ has joined #openstack-keystone11:17
*** fhubik_lunch has joined #openstack-keystone11:18
*** nkinder_ has joined #openstack-keystone11:18
*** dims_ has joined #openstack-keystone11:18
*** mordred_ has joined #openstack-keystone11:20
*** _nonameentername has joined #openstack-keystone11:20
*** lifeless1 has joined #openstack-keystone11:21
*** Qlawy_ has joined #openstack-keystone11:21
*** amakarov_away is now known as amakarov11:22
*** vhoward- has joined #openstack-keystone11:23
*** rodrigod` has joined #openstack-keystone11:25
*** fhubik_afk has quit IRC11:25
*** lsmola has quit IRC11:25
*** arif-ali has quit IRC11:25
*** g2` has quit IRC11:25
*** lifeless has quit IRC11:25
*** wolsen has quit IRC11:25
*** tristanC has quit IRC11:25
*** chlong has joined #openstack-keystone11:26
*** g2` has joined #openstack-keystone11:27
*** arif-ali has joined #openstack-keystone11:29
*** wolsen has joined #openstack-keystone11:29
*** tristanC has joined #openstack-keystone11:29
*** dims has quit IRC11:30
*** nonameentername has quit IRC11:30
*** Qlawy has quit IRC11:30
*** nkinder has quit IRC11:30
*** dhellmann has quit IRC11:30
*** rodrigods has quit IRC11:30
*** crinkle has quit IRC11:30
*** vhoward has quit IRC11:30
*** esp has quit IRC11:30
*** mordred has quit IRC11:30
*** anteaya has quit IRC11:30
*** ekarlso has quit IRC11:30
*** dobson has quit IRC11:30
*** marekd has quit IRC11:30
*** zz_avozza has quit IRC11:30
*** mordred_ is now known as mordred11:30
*** esp_ is now known as esp11:30
*** lsmola has joined #openstack-keystone11:31
*** dhellmann has joined #openstack-keystone11:33
*** ekarlso has joined #openstack-keystone11:33
*** dobson has joined #openstack-keystone11:33
*** marekd has joined #openstack-keystone11:33
*** zz_avozza has joined #openstack-keystone11:33
*** sendak.freenode.net sets mode: +v marekd11:33
*** anteaya has joined #openstack-keystone11:39
*** Qlawy_ is now known as Qlawy11:48
*** Qlawy has quit IRC11:49
*** Qlawy has joined #openstack-keystone11:49
*** ajayaa has joined #openstack-keystone11:56
*** markvoelker has joined #openstack-keystone11:56
*** lhcheng has joined #openstack-keystone11:57
*** markvoelker has quit IRC12:01
*** lhcheng has quit IRC12:01
*** rodrigod` is now known as rodrigods12:05
*** rushiagr is now known as rushiagr_away12:05
*** markvoelker has joined #openstack-keystone12:08
samueldmqdstanek, bknudson could you please revisit [1] and check if you agree with my replies to your concerns12:13
samueldmqdstanek, bknudson [1] https://review.openstack.org/#/c/167230/2/keystone/tests/unit/test_v3_assignment.py12:13
*** Ephur has quit IRC12:27
*** bknudson has quit IRC12:30
*** gordc has joined #openstack-keystone12:38
*** rodrigods has quit IRC12:48
*** rodrigods has joined #openstack-keystone12:48
*** henrynash has joined #openstack-keystone12:58
*** ChanServ sets mode: +v henrynash12:58
*** ParsectiX has quit IRC13:03
*** nellysmitt has joined #openstack-keystone13:06
*** afazekas has quit IRC13:07
*** rushiagr_away is now known as rushiagr13:10
*** sigmavirus24_awa is now known as sigmavirus2413:10
*** nellysmitt has quit IRC13:10
-openstackstatus- NOTICE: gerrit stopped emitting stream events around 11:30 utc and has now been restarted. please recheck any changes currently missing results from jenkins13:12
*** krtaylor has quit IRC13:17
*** Bsony_ has quit IRC13:20
*** nkinder_ has quit IRC13:21
*** afazekas has joined #openstack-keystone13:23
*** afazekas has quit IRC13:30
*** breton has quit IRC13:32
*** iamjarvo has joined #openstack-keystone13:33
*** iamjarvo has quit IRC13:34
*** iamjarvo has joined #openstack-keystone13:34
*** iamjarvo has quit IRC13:34
*** breton has joined #openstack-keystone13:34
*** iamjarvo has joined #openstack-keystone13:35
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Exposes bug when getting hierarchy on Project API  https://review.openstack.org/16723013:37
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Fixes bug when getting hierarchy on Project API  https://review.openstack.org/16723113:37
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Refactor _create_projects_hierarchy in tests  https://review.openstack.org/16799113:38
samueldmqdstanek, henrynash, raildo ^13:40
*** iamjarvo has quit IRC13:40
*** lhcheng has joined #openstack-keystone13:41
*** afazekas has joined #openstack-keystone13:43
dstaneksamueldmq: that does make sense13:44
fmarco76henrynash: Hi, I am looking at your comment to the patch https://review.openstack.org/#/c/152156/36/keystone/contrib/federation/migrate_repo/versions/007_add_remote_id_table.py13:44
raildosamueldmq, sounds good to me, thanks :)13:45
fmarco76henrynash: when you said there we do not need to provide downgrade, what do you mean?13:45
fmarco76henrynash: if I remove it the tests will fail because there is the downgrade of 001 removing the linked table13:45
henrynashfmarco76: see: https://review.openstack.org/#/c/167834/13:46
*** lhcheng has quit IRC13:46
henrynashfmarco76: but I think you are right, you need to either keep it for now (and maybe add a TODO to go and delete it), or rebase on https://review.openstack.org/#/c/167834/ and then you don’t need it13:46
*** krtaylor has joined #openstack-keystone13:46
bretonhenrynash: I suggest not to -1 patches with downgrades until the master patch lands13:47
henrynashbreton: agreed13:47
samueldmqdstanek, nice to hear, that keeps me sane13:47
samueldmqdstanek, raildo thanks13:47
fmarco76henrynash: is this for Kilo? It is not on GIST13:48
fmarco76henrynash: additionally, this means that I can leave the downgrade as it is if there is not error and then it will be removed along the other13:48
*** samueldmq is now known as samueldmq-away13:49
henrynashfmarco76: so I *thought* this was for Kilo….but just checked to see that a number of projects have this marked as Kilo-rc1, but we do not….it’s not got a target13:49
fmarco76henrynash: OK, I leave for the moment as it is13:50
henrynashfmarco76: ok13:50
fmarco76henrynash: for the other comment about the migration test, if I get correctly I should populate the DB before the migration, migrate and verify the values are correct13:51
henrynashbreton: (and I don’t *think* I have -1 any patches for that, the -1 for fmarco76’s patch was because there was no migration test)13:51
fmarco76henrynash: but where does the migration take place13:52
henrynashfmarco76: look in test_sql_upgrade.py13:52
fmarco76henrynash: OK13:52
fmarco76henrynash: thanks13:52
bretonhenrynash: great, thank you13:52
openstackgerritVictor Sergeyev proposed openstack/keystone: Fix for migration 062  https://review.openstack.org/16800314:01
dstaneksamueldmq: i did find it weird that getting the parents of a subproject can skip intermediaries; does the user know their project's full hierarchy even when they can't see all of it?14:04
*** mattfarina has joined #openstack-keystone14:06
*** rm_work|away is now known as rm_work14:08
*** r-daneel has joined #openstack-keystone14:12
*** iamjarvo has joined #openstack-keystone14:16
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Add domain_id checking in create_project  https://review.openstack.org/15994414:16
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Add is_domain field in Project Table  https://review.openstack.org/15742714:16
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Change domain_id FK in project table  https://review.openstack.org/16635414:16
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Bye Bye Domain Table  https://review.openstack.org/16185414:16
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Honor domain operations in project table  https://review.openstack.org/14376314:16
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Stop calling domain drivers  https://review.openstack.org/16593614:16
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Change project name constraint  https://review.openstack.org/15837214:16
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Restrict inherited role assignments to subdomains  https://review.openstack.org/16418014:17
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Creating domain and filtering by parent_id  https://review.openstack.org/16137814:17
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: List projects filtering by is_domain flag  https://review.openstack.org/15839814:17
openstackgerritLance Bragstad proposed openstack/keystone: Cleanup Token Tests  https://review.openstack.org/16783214:18
*** gokrokve has joined #openstack-keystone14:23
*** nkinder has joined #openstack-keystone14:25
*** stevemar has joined #openstack-keystone14:25
*** ChanServ sets mode: +v stevemar14:25
*** nellysmitt has joined #openstack-keystone14:26
*** thedodd has joined #openstack-keystone14:26
*** timcline has joined #openstack-keystone14:27
*** __TheDodd__ has joined #openstack-keystone14:30
*** nellysmitt has quit IRC14:30
*** breton_ has joined #openstack-keystone14:31
*** breton has quit IRC14:32
*** thedodd has quit IRC14:32
henrynashstevemar, dstanek, lbragstad: a few relatively easy FFE items that maybe if you have time we could knock in: https://review.openstack.org/#/c/166018/, https://review.openstack.org/#/c/165075/, https://review.openstack.org/#/c/165754/....and finally https://review.openstack.org/#/c/163322/ (which might need closer inspection)14:33
stevemaradding them to my list14:33
henrynashstevemar: thx (you’ve already +2’s one of those)14:33
stevemarlooking at the cert monger stuff atm, for fun14:33
henrynashstevemar: you need to get out more14:34
stevemarhenrynash, you're probably right14:34
openstackgerritDave Chen proposed openstack/keystone: More content in the guide for core components' migration  https://review.openstack.org/16418814:36
*** dims_ has quit IRC14:42
*** dims has joined #openstack-keystone14:42
*** ajayaa has quit IRC14:48
henrynashmorgainfianberg: are we shooting for Kilo on https://review.openstack.org/#/c/167834/ - it doesn’t seem to have a target set for keystone14:50
*** ajayaa has joined #openstack-keystone14:50
*** davidckennedy has joined #openstack-keystone14:52
stevemardo we track which projects can use v3?15:00
*** bknudson has joined #openstack-keystone15:06
*** ChanServ sets mode: +v bknudson15:06
openstackgerritLance Bragstad proposed openstack/keystonemiddleware: Pull echo service out of auth_token.  https://review.openstack.org/16517115:10
openstackgerritMarco Fargetta proposed openstack/keystone: IdP ID registration and validation  https://review.openstack.org/15215615:10
openstackgerritLance Bragstad proposed openstack/keystonemiddleware: Pull echo service out of auth_token.  https://review.openstack.org/16517115:12
*** zzzeek has joined #openstack-keystone15:13
*** crinkle_ is now known as crinkle15:15
*** breton_ has quit IRC15:17
*** timcline has quit IRC15:20
*** timcline has joined #openstack-keystone15:20
*** timcline_ has joined #openstack-keystone15:22
*** timcline_ has quit IRC15:22
*** timcline_ has joined #openstack-keystone15:23
*** jistr is now known as jistr|mtg15:23
davidckennedymorganfainberg I've added a comment to bug 1410543.  Could you take a look and let me know your thoughts when you have a moment.15:24
openstackbug 1410543 in Keystone "Include service name in filtered catalog" [Medium,In progress] https://launchpad.net/bugs/1410543 - Assigned to David Charles Kennedy (dkennedy-p)15:24
*** jistr|mtg is now known as jistr15:25
*** timcline has quit IRC15:26
*** ajayaa has quit IRC15:27
*** davidckennedy has quit IRC15:30
*** gyee has joined #openstack-keystone15:36
*** ChanServ sets mode: +v gyee15:36
openstackgerritMarco Fargetta proposed openstack/keystone: IdP ID registration and validation  https://review.openstack.org/15215615:37
openstackgerritMarco Fargetta proposed openstack/keystone: IdP ID registration and validation  https://review.openstack.org/15215615:41
*** Tahmina has joined #openstack-keystone15:44
openstackgerritVictor Sergeyev proposed openstack/keystone: Migrate_repo init version helper  https://review.openstack.org/13764015:44
openstackgerritVictor Sergeyev proposed openstack/keystone: Share engine between migration helpers.  https://review.openstack.org/13777815:44
openstackgerritVictor Sergeyev proposed openstack/keystone: Use metadata.create_all() to fill a test database  https://review.openstack.org/9355815:44
openstackgerritVictor Sergeyev proposed openstack/keystone: Add index to the revocation_event.revoked_at.  https://review.openstack.org/13763915:44
openstackgerritVictor Sergeyev proposed openstack/keystone: Comparision of database models and migrations.  https://review.openstack.org/8063015:44
openstackgerritVictor Sergeyev proposed openstack/keystone: Fix index name the assignment.actor_id table.  https://review.openstack.org/13763715:44
*** ajayaa has joined #openstack-keystone15:45
*** raildo has quit IRC15:45
*** iamjarvo has quit IRC15:46
*** ekarlso has quit IRC15:46
*** raildo has joined #openstack-keystone15:51
*** _cjones_ has joined #openstack-keystone15:53
*** timcline has joined #openstack-keystone15:57
openstackgerritVictor Sergeyev proposed openstack/keystone: Fix for migration 062 on MySQL  https://review.openstack.org/16800315:59
stevemarnkinder, henrynash let's 'hangout'!16:00
*** timcline_ has quit IRC16:01
nkinderstevemar: the hangout plugin is installing right now.  Should just take a minute16:01
stevemar\o/16:01
openstackgerritMerged openstack/keystone-specs: Endpoint to generate ECP assertions  https://review.openstack.org/16762116:02
stevemarif that fails or the reception is choppy we can use a phone number16:02
nkinderstevemar: plugin is working, but I get a timeout trying to connect to the call16:06
*** timcline has quit IRC16:07
*** timcline has joined #openstack-keystone16:08
*** browne has joined #openstack-keystone16:12
*** davidckennedy has joined #openstack-keystone16:13
*** lhcheng has joined #openstack-keystone16:20
*** tqtran has joined #openstack-keystone16:23
*** samueldmq-away is now known as samueldmq16:26
*** lhcheng has quit IRC16:26
*** nellysmitt has joined #openstack-keystone16:27
*** ekarlso has joined #openstack-keystone16:27
*** lhcheng_ has joined #openstack-keystone16:30
*** chlong has quit IRC16:31
*** lhcheng_ has quit IRC16:31
*** lhcheng has joined #openstack-keystone16:31
*** nellysmitt has quit IRC16:31
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Change project name constraint  https://review.openstack.org/15837216:32
*** timcline_ has joined #openstack-keystone16:34
*** timcline has quit IRC16:37
*** fmarco76 has quit IRC16:46
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Honor domain operations in project table  https://review.openstack.org/14376316:47
morganfainbergstevemar: ping16:50
*** _cjones_ has quit IRC16:57
*** _cjones_ has joined #openstack-keystone16:58
*** arunkant_ has joined #openstack-keystone17:00
*** jistr has quit IRC17:01
*** fmarco76 has joined #openstack-keystone17:03
*** gokrokve_ has joined #openstack-keystone17:05
*** _cjones_ has quit IRC17:05
*** Tahmina has quit IRC17:05
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Honor domain operations in project table  https://review.openstack.org/14376317:06
*** gyee has quit IRC17:07
marekdstevemar: we have another meeting in ~1h, right?17:08
*** krtaylor has quit IRC17:08
marekdstevemar: just wanted to make sure i didn't mess up the timing17:08
*** gokrokve has quit IRC17:08
morganfainbergdavidckennedy: ok the filtering itself is just an effect of the sql driver17:09
*** gokrokve_ has quit IRC17:09
morganfainbergdavidckennedy: the api should now be in the pipeline by default. The important part here is to make sure that the sql driver isn't something special that also has to be enabled. (Part of this bug)17:10
rodrigodsmarekd, yep17:10
morganfainbergdavidckennedy: long term we are removing in-tree extensions. The first step is enabling them 100% of the time.17:10
morganfainbergWhich has already been done17:10
*** ajayaa has quit IRC17:11
davidckennedymorganfainberg ok I'm thinking about that.17:13
morganfainbergThis is just collapsing catalog_sql to keystone.catalog.backends.sql17:13
morganfainbergAnd leaving a deprecated class wrapper class that lives in the old place that can be removed in liberty17:14
*** _cjones_ has joined #openstack-keystone17:14
samueldmqpkiz is much smaller than pki tokens?17:16
samueldmqI mean, is it common to a pkiz token pass 4k?17:17
marekdsamueldmq: probably not smaller enough since pki was not widely accepted everywhere yet :/17:17
samueldmqdolphm, morganfainberg ^ any idea?17:17
samueldmqmarekd, I'm trying to make it so17:17
marekdsamueldmq: make it accepted?17:17
morganfainbergstevemar: I can't do a hangout today.17:18
morganfainberg4th day of fire alarm testing.17:18
marekd0_o17:19
samueldmqmarekd, well at least on horizon, I am trying to figure out why exactly working with pkiz tokens passes 4k limit from cokes17:19
samueldmqcookies17:19
samueldmqnot cokes17:19
samueldmqlol17:19
marekdheh17:19
marekdmorganfainberg: do you mind if we do first iteration without you today?17:19
morganfainbergGo for it17:20
marekdmorganfainberg: next week i will be gone, and topol will be back :-)17:20
morganfainbergI just have had a migraine for 4 days now17:20
lhchengsamueldmq: you can have as much coke as you like :)17:20
morganfainbergAnd have to do conf calls on the street. Doesn't work well w/ hangouts.17:20
*** tqtran has quit IRC17:20
samueldmqlhcheng, yeah, cookies + cokes :-)17:21
samueldmqlhcheng, should be not a bad ide17:21
samueldmqa17:21
morganfainbergsamueldmq: fixing pki(z) tokens in django OpenStack auth is hard17:21
samueldmqmorganfainberg, yeah, that's what makes it interesting, right?17:21
morganfainbergThey do a cms hash and treat the token like a uuid token17:21
lhchengsamueldmq: haha that will keep you up all night :)17:22
morganfainbergMy recommendation, don't look at it too hard :P17:22
lhchengmorganfainberg: lol17:22
samueldmqmorganfainberg, haha so let me say you what I'm thinking :p17:22
lhchengmorganfainberg: "it just works"17:22
dstanekdavidckennedy: i didn't realize you were hanging out here. i just added a comment to that ssl bug17:23
morganfainberglhcheng: it works... Except when it doesn't.17:23
*** browne has quit IRC17:23
samueldmqmorganfainberg, pkiz tokens are <4k (on most cases, *I hope so*)17:23
samueldmqmorganfainberg, why dont we store them compressed into the session ?17:23
morganfainbergsamueldmq: sometimes. 50/50 at best17:23
samueldmqmorganfainberg, that should solve the issue17:23
samueldmqmorganfainberg, shouldnt?17:23
morganfainbergBecause they still blow out session size17:23
morganfainbergNo guarantee the token isn't >4k17:23
lhchengmorganfainberg: yeah, it works based on some condition. Have to test this out on multi-node deployment, other than devstack17:24
morganfainbergThis is another reason for fernet tokens.17:24
morganfainbergAnd pkiz are already compressed17:24
samueldmqmorganfainberg, but with fernet, we still need to ask for catalogs, etc17:24
samueldmqmorganfainberg, and the issue comes again17:24
morganfainbergsamueldmq: I want all tokens to eliminate the catalog from the token body17:25
marekdmorganfainberg: what if keystonemiddleware was caching portions of tokens on every service?17:25
marekdmorganfainberg: do we do that now?17:25
marekdmorganfainberg: some kind of LRU type of cache.17:25
marekdto off load keystone.17:25
samueldmqmorganfainberg, even if the catalog is not in the token body, horizon asks for it separately to store in the session, and booom!17:25
*** fmarco76 has quit IRC17:25
morganfainbergsamueldmq: we shouldn't ever store the catalog in the session. Period.17:26
morganfainbergThat is the *wrong* place for it17:26
samueldmqmorganfainberg, so where to put it? (for horizon )17:26
samueldmqmorganfainberg, we do that today, right lhcheng ?17:26
morganfainbergHorizon could pare down the catalog to something sane17:27
samueldmqmorganfainberg, catalog on serverside?17:27
lhchengmorganfainberg: Do you suggest requesting the service catalog for each request? store the catalog only in the scope of the django request.17:27
morganfainbergAlternatively we need to be able to ask keystone (or a registry service) the endpoint17:27
*** gokrokve has joined #openstack-keystone17:28
morganfainbergOk I can't talk about this till I get out of my house.17:28
samueldmqmorganfainberg, k will wait for you17:28
morganfainbergWill type more when I am not dealing with a fire alarm going off every 30s17:28
morganfainbergBe back around 11iah17:28
samueldmqlhcheng, I see a great discussion over there :)17:29
morganfainberg11ish (uh 30mins)17:29
samueldmqmorganfainberg, yeah, timezones ... I was asking myself how long that would be :p17:29
openstackgerrithenry-nash proposed openstack/python-keystoneclient: Provide more flexibility in response body handling in GET, PUT & PATCH  https://review.openstack.org/16808717:30
openstackgerrithenry-nash proposed openstack/python-keystoneclient: Provide more flexibility in response body handling in GET, PUT & PATCH  https://review.openstack.org/16808717:30
openstackgerrithenry-nash proposed openstack/python-keystoneclient: Support domain-specific configuration management  https://review.openstack.org/16808917:30
*** ajayaa has joined #openstack-keystone17:37
samueldmqcan the service catalog differ for different users? domains?17:41
openstackgerritLance Bragstad proposed openstack/keystone: Cleanup Token Tests  https://review.openstack.org/16783217:41
openstackgerrithenry-nash proposed openstack/python-keystoneclient: Support domain-specific configuration management  https://review.openstack.org/16808917:41
*** amakarov is now known as amakarov_away17:42
davidckennedydstanek I saw your comment and started off cross but you're right really.  I did try the approach you recommend (and even recommended it myself in one of my comments) but couldn't make it work.  Maybe because I'm just not that good with ssl certs and I wanted to get on with solving the problem I was actually working on.17:43
henrynashstevemar: would value your views on my proposed patch of adding keystoneclient support for domain-specific configs (https://review.openstack.org/168089)….using “raw output” capability….I think that’s best, but unsure17:43
lhchengsamueldmq: I think so. The endpoint grouping feature allows the admin to assign set of endpoint by project.17:43
dstanekdavidckennedy: i think my little patch would actually work if you could get the right hostname in there17:43
dstanekdavidckennedy: right now i think the hostname is only provided in an arg that get sent to openssl and not in the config17:44
samueldmqlhcheng, hmm17:44
davidckennedyAs I had that change that worked I thought I'd post it.  After all, it's only dev/test scenario and even then just a warning which trashes the bathtub parsing going on in the sample_data script.  If there are guys out there using the ssl_gen script to generate their ssl certs.......17:45
henrynashstevemar: is there a better way to do it that will mess more easily with osc and the ability to have commands that can manipulate a single option in the domain-specific config?17:45
henrynashmorganfainberg: (I may have missed your reply to my earlier question)….are we shooting for Kilo for the removal of the SQL downgrades?17:46
davidckennedydstanek to generate their ssl certs for production use then somebody ought to be cross.  I'll see what I can do with your suggestion when I have a moment.17:46
stevemarhenrynash, i'll have to take a look at it first,17:46
stevemarstuck in meetings :(17:46
henrynashstevemar: we have some time in this one…so no rush17:47
*** krtaylor has joined #openstack-keystone17:47
dstanekdavidckennedy: they would not be using pki_setup for production. if they do, they've already lost17:47
davidckennedyPrecisely.17:48
lhchenghenrynash: any tips on debugging test failure with test_json_home_root?17:50
lhchenghenrynash: I got a big json blob (json_home) that doesn't match error17:50
henrynashlhcheng: I assume you have acres of test debug output17:50
*** krykowski has quit IRC17:51
henrynashI loaded the out into a file and then split up the expected and actual17:51
lhchenghenrynash: yeah, can't argue with the amount of output :)17:51
henrynashlhcheng: what did you change…I might be able to spot the error looking at the code for you17:51
lhchenghenrynash: I guess the ordering of the values are the same?17:52
lhchenghenrynash: https://review.openstack.org/#/c/167939/17:52
*** krykowski has joined #openstack-keystone17:52
lhchenghenrynash: ugh, could be 'href-template': '/OS-EP-FILTER/endpoint_groups/'17:53
henrynashmaybe...17:54
lhchenghenrynash: nevermind, that seems right..17:54
henrynashlhcheng: so load it all into an editor…search for the actual and expected output, isolate it and then compare17:55
lhchenghenrynash: yeah, going to use a file comparison tool17:56
morganfainberghenrynash: if it lands in kilo sure, if not it can land in liberty. If it misses kilo we should put in a shim migration that disables downwards migrations. New migrations shouldn't need downgrade.17:56
lhchenghenrynash: thanks for the tip!17:56
*** browne has joined #openstack-keystone17:57
henrynashmorganfainberg: agreed…that last bit is what’s needed to stop people having to add downgrades now…but me thinks we can get it in for Kilo…it looks good17:57
morganfainbergYeah.17:57
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Stop calling domain drivers  https://review.openstack.org/16593617:58
*** davidckennedy has left #openstack-keystone17:58
*** __TheDodd__ has quit IRC17:59
openstackgerrithenry-nash proposed openstack/keystone: Add caching to getting of the fully substituted domain config  https://review.openstack.org/16601818:01
openstackgerrithenry-nash proposed openstack/keystone: Reload drivers when their domain config is updated  https://review.openstack.org/16332218:02
lhchenghenrynash: found it, I need to add the new routing to the expected data in josn_home_test. Thanks18:07
* david-lyle wants to hear more about how horizon should request the catalog continuously18:07
henrynashlncheng: excellent18:09
*** krykowski has quit IRC18:10
dstanekdavid-lyle: continuously?18:13
lhchenghenrynash: qq, how is resource_name defined in the router? Do we define our own value for that?18:14
samueldmqdavid-lyle, yeah we were discussing that with morganfainberg, waiting him to get available :-)18:14
samueldmqdstanek, maybe he wants to hear continuously, and not request continuously, lol our languages are ambiguous :)18:15
dstanekhaha, ok18:15
david-lyledstanek: we use that information on every page load at a minimum18:15
stevemarhenrynash, so apparently my mic works just fine for marekd and rodrigods :)18:15
samueldmqdstanek, as far as I could see, the service catalog does not change per user, am I right?18:15
*** gyee has joined #openstack-keystone18:16
*** ChanServ sets mode: +v gyee18:16
lhchenghenrynash: does that map to the "Resource:" in the specs: http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-ep-filter-ext.html18:16
david-lylesamueldmq: it could, but that's a different argument18:16
morganfainbergHorizon should use a cached version. Request if a) the cache is expired *or* if an endpoint it has never seen arrives in the catalog18:16
morganfainbergThis cached version should be the complete catalog18:17
david-lylethe session is the cache18:17
dstanekmorganfainberg: do we provide proper cache control headers for the catalog?18:17
morganfainbergWe then could offer a mode where horizon asks just for the endpoint ids.18:17
samueldmqdavid-lyle, my point is, if there is no different catalog per user, there is no catalog per token, and then no need to store in the client-side (cookie)18:17
samueldmqdavid-lyle, put it on the horizon server side18:17
morganfainbergThe cookie can't hold the catalog. Same reason it can't hold big tokens.18:17
samueldmqmorganfainberg, yes, I think what I just said goes in this direction ^18:18
morganfainbergUnless session is moved to db18:18
morganfainbergdstanek: no we provide no cc headers. We should.18:18
david-lylemorganfainberg: right, we're being forced into a server side session cache because the catalog and token are so large18:18
*** gokrokve has quit IRC18:18
*** gokrokve_ has joined #openstack-keystone18:18
morganfainbergdavid-lyle: I have a solution but it isn't kilo.18:19
david-lylesamueldmq: that's a very simplistic model18:19
morganfainbergdavid-lyle: as I described above.18:19
david-lyleI think the catalog should be able to change per user18:19
morganfainbergIf we have server side, at least we don't break.18:19
morganfainbergdavid-lyle: the catalog is global, the per-user is the filtered/replaced/etc version18:19
samueldmqdavid-lyle, it maybe simplistic, but I think it is what makes sense if catalog does not change per user18:20
david-lyleI'm arguing it should and could18:20
david-lylebut I think others lost that fight in keystone before18:20
david-lyleand gave up18:20
morganfainbergsamueldmq: the catalog today does hanged per user.18:20
morganfainbergChange*18:20
morganfainbergWell per project18:21
david-lyleor maybe they didn't18:21
samueldmqmorganfainberg, k so just store the whole catalog on horizon server-side18:21
morganfainbergYou can endpoint filter, project if substitution into the urls18:21
morganfainbergEtc18:21
dstanekendpoint filtering is by user right?18:21
samueldmqmorganfainberg, ah yes, that's what you were saying :-)18:21
morganfainbergdstanek: project / domain18:21
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Creating domain and filtering by parent_id  https://review.openstack.org/16137818:21
david-lylehorizon doesn't have a privileged session running to make admin level calls18:22
david-lyleand store the data18:22
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Restrict inherited role assignments to subdomains  https://review.openstack.org/16418018:22
david-lyleso we only grab per user18:22
morganfainbergSo horizon would cache the catalog. And the user's token would contain just the ids, or horizon could only access the data for the user.18:22
morganfainbergdavid-lyle: catalog should not be priv. Info18:22
morganfainbergdavid-lyle: that call should be unprotected imo.18:23
david-lylehow do I know if it's filtered?18:23
david-lyleas a user I can request regular and decaf?18:23
morganfainbergdavid-lyle: you would just look at the ids provided to you, and then you'd return the right form of the catalog18:23
samueldmqdavid-lyle, the user token has the filtered catalog, but only the ids18:23
david-lyleor just cache for the usrer?18:23
david-lyle*user18:23
morganfainbergsince you have a whole catalog cache.18:23
samueldmqit works as today, but the token has the ids, and horizon server has the whole catalog :)18:24
*** gyee has quit IRC18:24
morganfainbergIt's not a kilo development thing.18:24
morganfainbergToday, there is no good answer.18:24
morganfainbergShort of server - side tokens.18:24
david-lyleright about kilo18:24
morganfainbergS/tokens/sessions18:24
lhchengmorganfainberg: not sure if catalog should not be priv. request, could be giving away info to malicious user18:24
*** afazekas has quit IRC18:25
david-lylebut, what account is doing the catalog cache on the horizon server?18:25
david-lylethat's the part I'm missing18:25
samueldmqmorganfainberg, the cache should be done by the keystoneclient/middleware ?18:25
morganfainbergdavid-lyle: no authentication needed. Horizon would cache in memcache or wherever makes sense.18:25
morganfainbergdavid-lyle: the complete cache would be a global / no user thing18:26
morganfainbergdavid-lyle: you would refresh the cache if: user catalog has an id you haven't seen, your cache is expired, or you don't have a cache.18:26
david-lyleok, so there is a completely open API to hit on keystone to get the full catalog?18:26
david-lyleno user_id or token required18:26
morganfainbergdavid-lyle: that would be something we need to add but yes. That would be the approach I would take.18:27
morganfainbergdavid-lyle: that's why I said not kilo18:27
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Change domain_id FK in project table  https://review.openstack.org/16635418:27
david-lyleand then I grab that and DDOS all the openstack API endpoints?18:27
david-lylewithout ever logging into the cloud?18:27
samueldmqmaybe we should crypt the info18:27
*** nellysmitt has joined #openstack-keystone18:28
samueldmqdavid-lyle, I think 'open' implies to having a valid token in this case, at least18:28
morganfainbergdavid-lyle: if your endpoints are not rate limiting, and are on the Internet it isn't any more or less safe18:28
morganfainbergdavid-lyle: security through obscurity is not18:28
*** gyee has joined #openstack-keystone18:28
*** ChanServ sets mode: +v gyee18:28
david-lylecorrect, but I don't have as easy a path to discovery as a single call18:28
morganfainbergSo you ask keystone for the catalog. You have the whole catalog.18:29
*** breton has joined #openstack-keystone18:29
morganfainbergThe user then hands you a token. You ask for the ids from that user's catalog. That is list can go in the session18:29
morganfainbergIt's just a list of ids.18:29
samueldmqmorganfainberg, the API endpoint to request the whole catalog could be configured to service tokens, couldnt (through policy) ?18:29
morganfainbergYou then know both: the user's catalog and the global one18:30
morganfainbergAnd it all fits nicely in the session18:30
david-lyleI understand, the point I'm hung up on is bootstrapping the catalog in horizon18:30
samueldmqdavid-lyle, I think that can be configurable by policy18:31
morganfainbergdavid-lyle: on the first request ask keystone for the catalog. Cache it. The global catalog in this model is not protected info18:31
david-lyleas the only sessions we manage are user sessions18:31
morganfainbergYou already need to know the keystone a priori18:31
morganfainbergSo you know where to ask, that is in your config18:31
morganfainbergHorizon has server-side constructs, it can cache that big catalog. Bootstrap is either a startup or first request thing.18:32
morganfainbergAnd then refresh happens if stale, or if an endpoint Id from a user is not in your cache.18:32
*** nellysmitt has quit IRC18:32
samueldmqdavid-lyle, it will be a new call to get the whole catalog, a new API endpoint, protected by policy ... you can configure your policy to set it to : user:service18:32
*** Ephur has joined #openstack-keystone18:32
david-lyleagain I don't have an account to do that unless it's completely open18:32
morganfainbergdavid-lyle: that is what I am advocating. The catalog list should be open18:33
samueldmqmorganfainberg, why do we need it to be open?18:33
morganfainbergsamueldmq: there is no user for horizon to access it with.18:33
morganfainbergWhy does it need to be protected? I mean it could be, but the default would be not imo18:34
samueldmqmorganfainberg, ok so it *could* be, how to do so?18:35
david-lyleit's down to implementation details now, I just want the full catalog to cache from a trusted source, not create a mechanism for an arbitrary user to publish shared information18:35
samueldmqmorganfainberg, I am just interested on how to protect if we want18:35
morganfainbergdavid-lyle: keystone should still be authoritative. The ids from the catalog for the token are issued by keystone.18:36
morganfainbergdavid-lyle: it's all the same on that front today.18:36
david-lylemorganfainberg: right, again my concern was opening a hole to share data from one user to others18:37
morganfainbergdavid-lyle: I don't see the hole18:37
david-lylenot if the catalog is open18:37
morganfainbergRight. Catalog is open in my view.18:37
david-lylestill feels like advertising for trouble, but that's your realm18:38
david-lyleI'll consume the APIs that are there18:38
*** rushiagr is now known as rushiagr_away18:41
morganfainbergdavid-lyle, the reality is obscuring your catalog is just not really buying much18:43
david-lylemorganfainberg: I understand your point18:43
morganfainbergdavid-lyle, i have a few other options that i'd like to explore re: endpoints registering via middleware or such and horizon could subscribe to it.18:43
morganfainbergdavid-lyle, subscribe/ask from a very fast service the active list/18:44
*** __afazekas is now known as afazekas18:44
morganfainbergdavid-lyle, but my thought is we make catalog available, give a mode where horizon can just ask for the endpoint ids, and then you're off to the races18:44
morganfainbergdavid-lyle, this is all thinking liberty timeline18:44
david-lylerequires some mapping changes, but not too invasive to horizon18:45
samueldmqmorganfainberg, planning to put a session in the summit ?18:45
samueldmqthat would be great to discuss with ppl18:45
morganfainbergsamueldmq, it is something i want to discuss at the summit18:45
*** ajayaa has quit IRC18:46
morganfainbergdavid-lyle, i have a whole profile of stuff i want to see done in liberty, i need to type it all up18:46
morganfainbergdavid-lyle, but if i have my way it's mostly going to be a UX and stability release ;)18:46
morganfainbergsamueldmq, ^^18:46
samueldmqmorganfainberg, ++18:46
morganfainberg david-lyle , and this falls into "ux" ;)18:46
david-lylemorganfainberg: works for, we're still playing catch up18:47
samueldmqmorganfainberg, I know some ideas, I am curious to know your list, let me know when you write them up o/18:47
morganfainbergsamueldmq, i'll have them written up soon - i need to do it before PTL election season18:47
samueldmqmorganfainberg, nice... looks like a *buuunch* of challenging things to be done in Liberty :-)18:51
morganfainbergdavid-lyle, samueldmq, there is nothing saying we can't make all requests to keystone use a x509 cert or similar for getting the catalog18:52
morganfainbergbut that is mechanism *after* the open default18:52
morganfainbergthere are ways to cleanly secure things18:52
morganfainbergbut you need the stuff to base it all on first18:52
samueldmqmorganfainberg, ah nice, so if a company has its own interface, clis etc, just need to wrap them in cert checks18:53
morganfainbergsamueldmq, that would be next logical steps18:54
morganfainbergsamueldmq, but do it all in iteration18:54
morganfainbergstart with the clear way to get catalogs18:54
samueldmqmorganfainberg, you're good on thinking step-by-step :/18:54
samueldmqmorganfainberg, sometimes I dont see goals like something we need to walk to them, but just jumping onto them instead, if you understand me :p18:55
morganfainbergsamueldmq, of course!18:55
samueldmqmorganfainberg, this comes with experience I think, but see, I am learning o/18:56
morganfainbergsamueldmq, i also try not to talk too much about nebulous future goals.18:56
morganfainbergsamueldmq, the open catalog, and horizon consuming ids is a feature unto itself18:56
samueldmqmorganfainberg, yes, but sometimes I do talk to make sure at least someone agrees with my nebulous future goals :)18:56
morganfainbergsamueldmq, the implementing a way to limit access afterwards could be done 20 different ways and i don't want to try to implement that ;)18:56
lhchengmorganfainberg: I agree that eventually all service-to-service communication should be done via cert18:56
lhchengmorganfainberg: I wonder if concept of service account would be useful18:57
morganfainberglhcheng, we have a patch for at least service->keystone via x50918:57
morganfainbergbut it can't land in kilo18:57
lhchengmorganfainberg: yeah, I saw that. We had that feature back in HP :)18:58
morganfainberglhcheng, :)18:58
samueldmqmorganfainberg, hmm, and then we could make admin and public endpoints different?18:58
morganfainbergsamueldmq, well.. that changes a lot18:59
lhchengmorganfainberg: I guess for service account, I can create a service domain. That should do the trick.18:59
samueldmqmorganfainberg, yeah and looks like stepping back18:59
samueldmq:p18:59
morganfainbergassume keystone's public and admin endpoints are just one thing. in v3 we don't differentiate18:59
lhchengmorganfainberg: so that real users are not mixed up with service users.  Just another way of doing it.18:59
morganfainberglhcheng, today that is the approach i would take18:59
morganfainberglhcheng, with x509 you still need a user to map to iirc (w/ the current patch)18:59
lhchengmorganfainberg: yup, ++18:59
samueldmqmorganfainberg, yes let's not separate them again, nor call domain + projects as tenants again :p18:59
morganfainbergsamueldmq, actually if we could re-do it i would have kept tenant vs project19:00
morganfainbergor made domain "tenant"19:00
lhchengmorganfainberg: yeah, the x509 need to map to a user. The cert need to have some attribute to map to a keystone user.19:00
morganfainbergbut we're not changing it back now.19:00
samueldmqmorganfainberg, yeah, I saw a thread saying users still get confused with tenant vs project :/19:00
morganfainbergsamueldmq, well in liberty i hope we can recommend/provide a means for people to turn off v2 keystone19:00
morganfainbergmeaning....19:01
samueldmqmorganfainberg, 'no, I dont want to create a project, I want a tenant' ...19:01
morganfainbergwe can deprecate it and start eliminating the confusion19:01
samueldmqmorganfainberg, ++19:01
morganfainbergyeesh, grizzly -> Liberty to get v3 adopted19:01
samueldmqmorganfainberg, I remember in the summit we talked about having v3 on all services .. :/19:01
morganfainberglets never change the API version again19:01
*** sigmavirus24 is now known as sigmavirus24_awa19:01
samueldmqmorganfainberg, we had got keystone people to help others services to get v3 working19:01
morganfainbergactually i'd be ok with changing the API version again, but we need to next move auth endpoints out from the versioning19:02
morganfainbergthen it becomes much easier to change versioning if we need19:02
morganfainbergif i wasn't on battery power i'd stand up a VM and try running tempest w/o v2 on19:02
morganfainbergsee what breaks19:02
morganfainberghm..19:03
morganfainbergactually.19:03
lhchengmorganfainberg: what does moving out auth endpoints from versioning?  you mean the info from /versions ?19:03
samueldmqyeah, but v2 v3 was more than that.. the problem is not only the version, but the concepts introduced (domain, etc)19:03
morganfainberglhcheng, i means authentication isn't /v3/auth19:03
lhchengmorganfainberg: ah, interesting..19:04
morganfainberglhcheng, instead we should support /auth/<version for auth>19:04
samueldmqmorganfainberg, the same url, but with backwards compatibility19:04
morganfainberglhcheng, so if there isn't a reason to change how people auth, we don't. v4 keystone API (no we aren't doing this now or soon) could change w/o changing how the services get relevant information19:04
lhchengmorganfainberg: sounds reasonable, I'll be happy with that19:04
morganfainberglhcheng, since most everything needs exactly: auth, catalog19:04
morganfainberglhcheng, unless you're heat.19:04
morganfainberglhcheng, it also means if we want to change how people auth, we can change to auth/v3.1 and not affect keystone's api19:05
morganfainberglhcheng, it helps to isolate "keystone api" from "authn/authz/catalog"19:06
morganfainbergit's something we talked about a couple cycles ago19:06
morganfainbergi think it makes sense.19:06
morganfainberghell if it's all post data, you can even change how the auth is done w/o versions19:06
samueldmqmorganfainberg, yeah and maybe even having them split =x19:06
morganfainbergjust let people auth with new methods.19:06
morganfainbergwe can get really fancy w/o making ux bad19:07
*** jasondotstar has quit IRC19:07
lhchengmorganfainberg: I like the idea, something you planning for Liberty? or planned to prioritize in the summit?19:08
morganfainberglhcheng, something to talk about at the summit19:08
*** jasondotstar has joined #openstack-keystone19:08
lhchengmorganfainberg: cool19:08
morganfainberglhcheng, i see some critical features for L, but for the most part i think we can focus on stability, performance, and UX and snag a really big win19:08
samueldmqmorganfainberg, ++19:09
*** rushiagr_away is now known as rushiagr19:09
*** _cjones_ has quit IRC19:10
openstackgerritMorgan Fainberg proposed openstack/keystone: Remove SQL Downgrades  https://review.openstack.org/16783419:10
samueldmqmorganfainberg, agree 100%, and functional tests, tests changes will be there to help on stability and correctness as well19:10
samueldmqhenrynash, I think I missed something .. do I still need to rebase my work on this ^19:10
lhchengmorganfainberg: agree with that, it'll give other services catch up with the new features.19:10
morganfainberghenrynash, breton ^ fixed the comment on that19:10
samueldmqmorganfainberg, is this work landing in kilo ^ ? if so, I'd better rebase mines on it ( https://review.openstack.org/#/c/142472 )19:13
openstackgerritLin Hua Cheng proposed openstack/keystone: Add routing for list_endpoint_groups_for_project  https://review.openstack.org/16793919:13
morganfainbergsamueldmq, it'll land either early in liberty or in kilo19:14
morganfainbergsamueldmq, if it can land in kilo, that'd be nice, but i understand if it doesn't19:14
samueldmqmorganfainberg, ack thanks19:15
openstackgerritLance Bragstad proposed openstack/keystone: Implement validation on the Identity V3 API  https://review.openstack.org/13212219:21
*** lifeless1 is now known as lifeless19:25
*** nellysmitt has joined #openstack-keystone19:26
*** nellysmitt has quit IRC19:27
*** _cjones_ has joined #openstack-keystone19:35
*** timcline_ has quit IRC19:36
*** timcline has joined #openstack-keystone19:38
*** mestery has quit IRC19:42
*** mestery has joined #openstack-keystone19:45
*** rushiagr is now known as rushiagr_away19:46
*** openstackgerrit has quit IRC19:52
*** openstackgerrit has joined #openstack-keystone19:52
openstackgerritVictor Morales proposed openstack/python-keystoneclient: Replaced assertRaisesRegexp deprecated function  https://review.openstack.org/16812519:59
*** samueldmq is now known as samueldmq-away20:01
morganfainbergi need one of those servers with like 40 cores20:01
morganfainbergso i can run my unit tests in <60s20:01
*** rushiagr_away is now known as rushiagr20:01
samueldmq-awaymorganfainberg, we could do something like https://folding.stanford.edu/ to run the tests20:04
samueldmq-awaymorganfainberg, each contributor lends his/her pc o/20:04
dstanekthat would be pretty funny20:07
dstanek-infra could add them to node pool :-)20:07
morganfainbergdstanek, hehe20:07
morganfainbergdstanek, you should get RAX to give me a bare metal server for unit testing :P20:08
dstanekopenstack@home20:08
morganfainberg>.>20:08
dstanekmorganfainberg: don't you work for a big cloud provider?20:08
morganfainbergshhh20:08
morganfainberg:P20:08
morganfainbergbare metal = awesome20:08
morganfainbergyeah i need to fix my hp cloud account something something validation via voip phoneline20:08
*** timcline has quit IRC20:14
*** timcline has joined #openstack-keystone20:15
morganfainbergcrap20:15
morganfainbergi just found another place we log token ids :(20:15
morganfainbergin an exception20:15
morganfainberg.... /me grumbles20:16
morganfainbergthough i think this one is safe...20:16
morganfainbergcause it's when a token fails to validate...20:16
openstackgerritSteve Martinelli proposed openstack/keystone: Revert "Document mapping of policy action to operation"  https://review.openstack.org/16813620:20
stevemarmorganfainberg, sounds like a reasonable case to log the token id20:22
*** tqtran has joined #openstack-keystone20:22
*** samueldmq has joined #openstack-keystone20:23
samueldmqmorganfainberg, dstanek ahahah saw the conversation in the logs :p20:25
openstackgerritDan Prince proposed openstack/keystone: Revert "Document mapping of policy action to operation"  https://review.openstack.org/16813820:25
samueldmqdstanek, yeah openstack@home ftw20:25
openstackgerritSteve Martinelli proposed openstack/keystone: Revert "Document mapping of policy action to operation"  https://review.openstack.org/16813620:25
*** tqtran_ has joined #openstack-keystone20:27
*** tqtran has quit IRC20:27
morganfainbergoookay time to go find power...20:27
morganfainbergi hate coffee shops that don't provide power outlets...20:27
morganfainberg:P20:27
stevemardstanek, can you push https://review.openstack.org/#/c/168136/ through?20:29
stevemarit's breaking everything in the world right now :)20:29
morganfainbergstevemar: if not I'll push it as soon as I get laptop power20:30
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: Replace assertRaisesRegexp with assertRaisesRegex  https://review.openstack.org/16812520:31
morganfainbergstevemar: wait what?20:31
stevemarmorganfainberg, the revert one20:31
morganfainbergDone.20:32
stevemaryay20:32
stevemaryou're the best20:32
stevemari really wonder why our tests didn't fail20:32
stevemarmorganfainberg, are we going through with removing sql downgrades?20:34
*** mattfarina has quit IRC20:34
morganfainbergstevemar: yes. But the question is kilo or liberty.20:34
morganfainbergThe x-project spec landed. And other projects already dumped the downgrades.20:35
stevemarmorganfainberg, i'm tempted to push it through, but we didn't create a spec or bp for it20:35
stevemaror really brought it up at a meeting20:35
stevemarthough i imagine everyone will vote for removal20:36
openstackgerrithenry-nash proposed openstack/keystone: Reload drivers when their domain config is updated  https://review.openstack.org/16332220:36
morganfainbergstevemar: there is a bug and its tied to a cross-project spec.20:38
morganfainbergNo keystone spec needed in this case.20:38
morganfainbergbp we could add if needed20:41
stevemarmorganfainberg, i'm gonna +A it!20:49
morganfainbergok20:49
stevemari feel like this is a big item and we should get more votes?20:49
stevemarmaybe i'm over thinking it20:49
morganfainbergi'm good with it either way20:49
morganfainbergask for more votes20:49
morganfainberg+A it.20:49
morganfainberghonestly i'm digging through some other bugs that need to be addressed now.20:50
morganfainbergfeel free to ask for more eyes20:50
morganfainberg:)20:50
stevemaryeah, i will - ayoung, bknudson -> https://review.openstack.org/#/c/167834/20:50
stevemarit's a bit piece, and i don't want to push it without more eyes20:51
stevemarbreton, seems to think it's good to go :)20:51
bknudsonwatch it breaks triple-o20:52
stevemarbknudson, we already broke them today, we need to share the love20:54
raildomorganfainberg, dstanek finally we found the error in the drop domain table \o/20:54
raildoThe problem is when we are using sqlite, we can't list/drop/add constraints, so the script https://github.com/openstack/keystone/blob/master/keystone/common/sql/migrate_repo/versions/064_drop_user_and_group_fk.py just drops these constraints for other databases.20:54
stevemarbknudson, break ceilometer or neutron20:54
raildoSo, when I drop the domain table, in the tearDown() https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_sql_upgrade.py#L176 they will load all tables but for group and user tables, the FK for domain_id still exists. So they try to load the Domain table id, but it's dropped.20:54
ayoungstevemar, that makes me happy20:54
raildoAs you can see in the pdb log: http://paste.openstack.org/raw/196942/20:54
ayoung+58, -66420:54
raildoayoung, ^20:55
stevemarayoung, it makes me happy too, but i wanted to give y'all the opportunity to say "NOOOOooo"20:55
ayoungstevemar, the reason I've been so quiet is that I've been setting up Federation with Ipsilon and Devstack:20:56
ayoung{"token": {"methods": ["saml2"], "expires_at": "2015-03-26T21:45:22.771808Z", "extras": {}, "user": {"OS-FEDERATION": {"identity_provider": {"id": "ipsilon"}, "protocol": {"id": "saml2"}, "groups": [{"id": "c1de735a1e214b9fbb5641db04eaa5f5"}]}, "domain": {"id": "Federated", "name": "Federated"}, "id": "ayoung", "name": "ayoung"}, "audit_ids": ["DQwpk-2KTRCfBEMYPQzm_Q"], "issued_at": "2015-03-26T20:45:22.771840Z"}20:56
raildomorganfainberg, dstanek ayoung this will happen for every table that is FK for other table20:56
ayoungJust got that back....20:56
stevemarayoung, \o/ !!!20:56
stevemaripsilon, ipsilon!20:56
morganfainbergayoung, woot20:56
stevemarayoung, just don't set RECLONE=yes in your localrc20:57
ayoungstevemar, morganfainberg so, I think that the ipsilon plugin model might be a better SAML story than K2K long term:20:57
ayoungwe run ipsilon with the keystone identity backend as the guts of a plugin...20:57
morganfainbergayoung, you can't assume ipsilon is going to be available.20:58
ayoungstevemar, mostly I've been taking what nkinder had working for packstack and applying it by hand.  I wish I could do FreeIPA from devstack20:58
ayoungmorganfainberg, I said "long term"  and yes I can20:58
morganfainbergayoung, no you can't20:58
ayoungmorganfainberg, what I mean is that we can use Ipsilon as the SAML front end, no tokens required20:58
ayoungit's a way to take the user table from Keystone and export it as a general purpose SAML assertion20:59
ayoungwhich has other potential benefits:20:59
morganfainbergayoung, something to discuss later, but my guess is that won't fly as *the* k2k model20:59
morganfainbergit might be a viable way to configure things but later.20:59
* morganfainberg is mired in token crap right now.20:59
* morganfainberg is a little grumpy about said token crap.20:59
*** hogepodge has quit IRC20:59
ayoungmorganfainberg, I won't torment you with it now. I'll just rest in the warm comfort of knowing I'm right.21:00
*** gokrokve_ has quit IRC21:00
ayoungWe can discuss in Vancouver21:00
lbragstadmorganfainberg: token crap?21:00
morganfainberglbragstad, a certain critical bug.21:00
openstackgerrithenry-nash proposed openstack/keystone: Update configuration documentation for domain config  https://review.openstack.org/16575421:01
stevemar"I'll just rest in the warm comfort of knowing I'm right"21:01
henrynashbknudson: a HEAD http action should never result in a 200 status code should it?21:03
bknudsonhenrynash: it should be 200 if the request would have been successful21:04
bknudsone.g., if you replaced HEAD with GET the result should be the same.21:04
bknudsononly difference should be that HEAD doesn't return a body21:04
henrynashbknudson: ah, right it's the same as GET but no body21:04
henrynashbknudson: so never should return a 204?21:04
*** Tahmina has joined #openstack-keystone21:04
henrynash(HEAD, that is)21:04
bknudsonit could, if GET would have returned a 204.21:05
morganfainbergbknudson, ++21:05
bknudsonGET can return 204, if there's no representation for the resource21:05
henrynashbknudson: ah, right got it….just noticed that our spec does indeed list 200 and 204 as possible returns to HEAD…and was just checking21:05
*** fifieldt has quit IRC21:07
*** rushiagr is now known as rushiagr_away21:07
*** raildo is now known as raildo|away21:09
*** devlaps has joined #openstack-keystone21:11
openstackgerrithenry-nash proposed openstack/python-keystoneclient: Support domain-specific configuration management  https://review.openstack.org/16808921:12
*** jamielennox|away is now known as jamielennox21:21
*** fifieldt has joined #openstack-keystone21:24
*** stevemar has quit IRC21:25
*** gordc has quit IRC21:32
ayoungNO!21:41
ayoungstevemar I need you!21:41
*** tqtran has joined #openstack-keystone22:00
*** tqtran_ has quit IRC22:01
dstanekraildo|away:  great, i'll take a look22:08
*** nkinder has quit IRC22:11
*** timcline has quit IRC22:23
*** lhcheng_ has joined #openstack-keystone22:24
*** lhcheng has quit IRC22:24
*** lhcheng has joined #openstack-keystone22:24
*** dims_ has joined #openstack-keystone22:27
*** dims_ has quit IRC22:27
*** dims_ has joined #openstack-keystone22:27
*** dims has quit IRC22:28
*** lhcheng_ has quit IRC22:28
*** henrynash has quit IRC22:31
*** bknudson has quit IRC22:33
*** tqtran_ has joined #openstack-keystone22:37
*** tqtran has quit IRC22:40
*** gokrokve has joined #openstack-keystone22:47
*** asselin has joined #openstack-keystone22:50
morganfainbergdstanek, openstack@home would be fun, but couldn't we just take a page out of distcc to start :P run the testing across multiple nodes via a queue of "actions". the @home stuff might be more overhead [better distribution though] unless we want to run the same test multiple places and confirm the results :P22:51
asselinHi, trying devstack/master, and getting stack this error: /usr/local/bin/keystone-manage db_sync  pkg_resources.DistributionNotFound: oslo.config<=1.6.0,>=1.4.0 http://paste.openstack.org/show/196953/22:51
morganfainbergasselin, this is a re-used devstack i assume?22:51
morganfainbergasselin, or vm that is22:51
asselinmorganfainberg, yes22:51
morganfainbergasselin, ok so you need to update your oslo libraries22:52
morganfainbergthere are some oddities that occur when you re-use a VM22:52
morganfainbergespecially with the oslo namespace changes22:52
morganfainbergif you can afford to, i recommend a new/clean VM in this case. it should help.22:53
asselinmorganfainberg, ok this is bare metal...I tried uninstalling...but I guess maybe I need to reimage22:53
morganfainbergasselin, if you can afford to do so, it'll probably make for less of a headache22:53
morganfainbergasselin you might end up chasing a bunch of these types of errors22:54
asselinmorganfainberg, I did see this. Anyway to upgrade them to master (I was trying juno before) http://paste.openstack.org/show/196954/22:54
morganfainbergah22:54
asselinI don't know how to delete those22:54
morganfainbergyeah that could def do it22:54
morganfainbergit'll probably just be much much easier to re-image and start clean22:55
morganfainbergayoung, ping - posted that patch up22:55
asselinmorganfainberg, ok thanks22:55
morganfainbergayoung, eyes on it would be nice to have.22:55
morganfainbergayoung, i'd like to get feedback before i try to backport it, since it's not going to be a clean backport no matter what - but the general logic should stay the same23:01
*** jaosorior has quit IRC23:12
*** timcline has joined #openstack-keystone23:14
*** timcline has quit IRC23:14
*** timcline has joined #openstack-keystone23:14
*** timcline has quit IRC23:21
morganfainbergdstanek, gyee, since i've been doing security related stuff - you guys want to be on the hook for keystone-coresec (when VMT loops in the keystone core team)?23:23
morganfainbergdstanek, gyee, i'm happy to keep you, but just confirming it23:23
morganfainbergwill be bugging henrynash as well when he's on next23:23
morganfainbergdstanek, gyee, (also giving you an out if you don't want to deal with that stuff)23:24
gyeemorganfainberg, sure, what do I need to do?23:26
morganfainberggyee, you're already there23:26
morganfainberggyee, this is the sub-set of keystonecore who will be looped in when security related bugs are opened23:26
gyeeoh23:26
morganfainbergby either the PTL or the VMT23:26
*** arunkant_ has quit IRC23:26
gyeesure I can help out with patches23:26
morganfainberggyee, if you don't want to be on that hook, i'm happy to take you off.23:26
morganfainbergbut it's a question of "do you want to be on the hook for that"23:26
* morganfainberg isn't sure how the current group was constructed23:27
gyee"on the hook" means triaging and submitting patches right?23:27
morganfainbergso letting people duck out if they want to.23:27
morganfainbergyep23:27
morganfainbergand reviewing23:27
morganfainbergwell less triage23:27
morganfainbergmore review/comment on/submitting patches for security bugs23:28
morganfainbergfor keystone and keystone projects23:28
gyeek, I can do that23:28
morganfainbergok will leave ya on there23:28
gyeejust saw one about tokens23:28
morganfainberggyee, yes.23:28
morganfainbergthat is part of what prompted the review of who had access to this stuff23:29
gyeek, will go review it23:29
*** zzzeek has quit IRC23:31
*** chlong has joined #openstack-keystone23:33
*** r-daneel has quit IRC23:38
gyeemorganfainberg, ya think we should come up with a standard template for people to file bugs? instead of having to ask which version of keystone, what backend, what configuration, etc23:42
morganfainberggyee, yes... but i don't think it'll help until we find something not LaunchPad23:43
gyeetru23:43
morganfainberggyee, also if you get a sec: please correct the comments on https://review.openstack.org/#/c/166086/ it is blocking a FFE23:44
morganfainberggyee, your comments that is23:44
morganfainberggyee, so we can get it through. -1s at this point need to get some correction done so we can land them for the FFEs.23:44
gyeek, I can amend that patch23:44
gyeegimme a min23:44
morganfainberggyee, thanks!23:44
morganfainberggyee, the security one is a bug, the FFEs need some love this week / by tuesday next week :)23:45
morganfainberggyee, appreciate it.23:45
gyeegotcha23:45
openstackgerritguang-yee proposed openstack/keystone-specs: Add a relay_state_prefix to the service provider resource  https://review.openstack.org/16608623:50
openstackgerritMorgan Fainberg proposed openstack/keystone: Make trust manager raise formatted message exception  https://review.openstack.org/14955023:56
openstackgerritMerged openstack/keystone: Revert "Document mapping of policy action to operation"  https://review.openstack.org/16813623:58