Monday, 2015-05-11

*** dimsum__ has joined #openstack-keystone00:06
*** dimsum__ has quit IRC00:14
*** dimsum__ has joined #openstack-keystone00:39
*** trey has joined #openstack-keystone00:43
*** fhubik_lunch has joined #openstack-keystone01:01
*** lsmola_ has joined #openstack-keystone01:01
openstackgerritJamie Lennox proposed openstack/keystone: Make Pecan the root routing framework
*** fhubik_afk has quit IRC01:04
*** lsmola has quit IRC01:04
*** lsmola_ has quit IRC01:11
*** fhubik_lunch has quit IRC01:11
*** fhubik_lunch has joined #openstack-keystone01:11
*** fhubik_lunch is now known as fhubik_afk01:11
mordredjamielennox: well, _they_ have an endpoint - but so far I've never been able to get keystone to work like the other services01:12
*** ericksonsantos has quit IRC01:12
mordredjamielennox: let me try a fwe things and see if they help ...01:12
jamielennoxmordred: my first suggestion is to print the service catalog and make sure what you're asking for lines up01:13
mordredjamielennox: I'm not asking for anything ... I'm trying two different ways ...01:13
mordredjamielennox: one is "openstack project list" with all the env vars set01:13
mordredjamielennox: the other is using to get a client, which calls this:
mordredto get the endpoint I pass to the ksc Client constructor - and then trying to run kscclient.projects.list()01:15
mordredboth fail with the admin interface error, even though I do not pass in anything requesting the admin url in either case01:15
*** ericksonsantos has joined #openstack-keystone01:16
jamielennoxmordred: what does "openstack catalog list" show?01:17
jamielennoxis there an endpoint there for identity at all?01:17
mordredjamielennox: yup. although it _Does_ have a different region01:19
mordred|      | identity | center                                       |01:20
mordred|      |          |   public:    |01:20
jamielennoxit should only matter if you are asking for a region01:21
mordredwell, I have a region configured in clouds.yaml01:21
mordredone sec - let me try with that region specified01:21
jamielennoxif you say i want to be in region X it will only put it in that region, if you don't specify a region it will use whatever it can01:21
mordredkeystoneclient.openstack.common.apiclient.exceptions.EndpointNotFound: admin endpoint for identity service not found01:21
mordredeven with center listed as region01:21
jamielennoxis there an admin?01:21
jamielennoxyou should public in your excert01:22
mordredno idea. it's a public cloud01:22
mordredI do01:22
mordredeverything in my code requests public01:22
mordredI think something in ksc is asking for admin even though I request public01:22
mordredbut I think tht's because:01:22
mordred                endpoint = self.keystone_session.get_endpoint(01:22
mordred                    interface=ksc_auth.AUTH_INTERFACE)01:22
jamielennoxyea, it was one of those compatibility things that ksc always did with admin rather than public which we couldn't change01:23
mordrednormally I'd do "get_endpoint('identity', interface='public')01:23
jamielennoxthis is part of the reason for ksa, then a new ksc01:23
jamielennoxso AUTH_INTERFACE isn't actually oging to the catalog, it's saying use the url you provided for auth - OS_AUTH_URL01:23
jamielennoxbecause there are some things we need to ask when we only have an unscoped token01:24
jamielennoxif you specify interface=public does it work?01:24
mordredit does not01:24
mordred(just tried)01:25
*** lsmola_ has joined #openstack-keystone01:25
mordredis what the catalog shows around identity when I just yaml the catalog01:26
mordredso, if I say  "type='identity', interface='public'" - it returns as you'd expect -and then when I call ksc.projects.list() I still get: keystoneclient.openstack.common.apiclient.exceptions.EndpointNotFound: admin endpoint for identity service not found01:27
jamielennoxmordred: so somewhere something is not getting the message for the public interface01:28
jamielennoxmy next step would be put a pdb statement in the get_endpoint function and see what's calling it with the wrong params01:29
mordredwell, get_endpoint is returning the right thing01:29
mordredI dont thin kthat's actually making it into the guts ot ksc01:29
jamielennoxit's saying though: admin endpoint for identity service not found01:30
jamielennoxso something is still asking for admin01:30
mordredyah - but that's coming from inside of the traceback for projects.list() - when I do the "get_endpoint()" call myself before passing the return value into the ksc Client constructor, it's returning the expected value ... so for some reason ksc is ignoring the endpoint I'm passing to it and asking for one itself01:31
jamielennoxso there you probably want to specify interface=(whereever you get interface from)01:31
mordredah- ok. lemme try01:32
jamielennoxpossibly region_name as well01:32
mordredkeystoneclient.openstack.common.apiclient.exceptions.Forbidden: You are not authorized to perform the requested action, identity:list_user_projects. (HTTP 403)01:32
mordredthat's better01:32
mordredso - for the other Client objects, I pass endpoint_type to keystone_session.get_endpoint() - but it seems for identity I also need to pass it to the Client constructor01:33
mordredcool - I've learned something01:33
*** markvoelker has quit IRC01:35
*** markvoelker has joined #openstack-keystone01:36
jamielennoxmordred: so you are calling get_endpoint manually for the other clients?01:36
mordredjamielennox: nope. just for keystone01:37
*** markvoelker has quit IRC01:37
mordredshade.exc.OpenStackCloudException: Error constructing keystone client: Not enough information to determine URL. Provide either auth_url or endpoint01:38
mordredthat's what happens if I don't call get endpoint01:38
jamielennoxmordred: so the same rules should apply for all the clients, you should need to pass interface to them all01:38
jamielennoxoh, yuk, yea, i know that issue01:38
jamielennoxneed to fix that01:38
jamielennoxreally i'd just use keystoneclient.v2_0.client or v3.client directly01:39
mordredhrm. I may be broken for non-public endpoint too01:39
mordredwell, but I don't know which version01:39
jamielennoxfair enough, yes, you shouldn't really need to pass auth_url to the basic client01:40
mordredespecially if I have a session, yeah?01:40
jamielennoxthat was made pre-session stuff and it's because it needed to know where to go to do discovery01:40
mordredbut ... should I be passing endpoint_type to the session constructor?01:41
jamielennoxno, it won't accept it01:41
mordredawesome. then I should pass it along with the session object to individual client constructors?01:41
jamielennoxyes - all of them should accept it01:41
mordredwell, not that it matters here, but I am doing that wrong and will fix01:42
jamielennoxmordred: so the pattern is that session and auth should be able to be reused between any number of clients that may do different things with regions and endpoints etc01:42
jamielennoxin ksc we have adapter:
jamielennoxclients construct an adapter around a session which is like the local client state01:43
mordredrght - but in my model I'm creating a session up front and passing it to one or more clients, yeah?01:43
mordredthe confusing part is which thing owns which piece of data01:44
mordredlike, why I'd pass endpoint_type to Client rather than session - but I'm learning each one by rote :)01:44
jamielennoxyep, essentially if you passed an interface or region to session or auth you would be imposing that region on every client that made use of the session/auth01:44
*** Jarot has joined #openstack-keystone01:45
mordredso - fwiw - ironicclient and glanceclient still seem to want me to get an endpoint and pass it in01:46
jamielennoxso we have to put it on client, and i've at least been trying to standardize the options that each of those clients take01:46
mordredthe others seem fine with me passing in a session and figuring out the endpoint themselves01:46
jamielennoxi didn't know about ironicclient, but glanceclient i knew01:46
jamielennoxglanceclient is different to the others01:46
mordredof course it is01:46
jamielennoxi've had patches up for a while, but you know... slow01:46
mordredbecause *bong*01:46
mordredjamielennox: ironicclient doesn't support session at all01:47
jamielennoxi did some stuff server side on ironic but i've never had much to do with that one01:47
jamielennoxserver side was a mess01:47
mordredjamielennox: this is what I'm thinking based on this conversation:
jamielennoxmordred: you're not going to like this answer but be careful of endpoint_type vs interface, i don't know where the difference comes from but some clients use endpoint_type and they were moving back to interface=01:49
jamielennoxi know keystoneclient is interface=01:49
mordredoh good01:49
mordredthat's so exciting01:49
jamielennoxthe one's i've done i made sure that i just handled it on the client side01:49
jamielennoxbut that's not all of them01:49
jamielennoxand because keystoneclient ignores unknown kwargs - because compatibility01:50
jamielennoxso you wouldn't know you got it wrong till it didn't work01:50
openstackgerritJulian Edwards proposed openstack/keystone: Improve websso documentation.
mordredjamielennox: so I need to go look at the source of each of the constructors to see who is interface and who is endpoint_type?01:54
jamielennoxat this point i would expect that interface= worked for all of the clients that used session, but i haven't tried that01:54
mordredok. awesome - and thank you. at this point I want to go shove my head into a meat blender - so I'm going to step away from the laptop01:57
mordredbut I believe I understand more about the situation01:57
jamielennoxunfortunately the more you know the more appealing that blender is01:57
mordredso - keystoneclient is one of the three clients that I have to pass an endpoint to and that cannot just use the session01:58
mordredwhich is ... amusing01:58
jamielennoxyea - does not apply to using v2 or v3 directly01:59
jamielennoxbut needs to be fixed for the generic one01:59
mordredwell, I have a thing that works now01:59
lifelessmordred: and a order in for alcohol ?01:59
mordredlifeless: *facestab*02:01
mordredjamielennox: "interface" is the future, right?02:01
jamielennoxmordred: yea02:01
lifelessmordred: thats a tad excessive.02:01
mordredjamielennox: I'll follow up with checking each Client to see if they want interface or endpoint_type02:02
mordredbut for now, I wanted to get that written down so I'd remember in the morning02:03
*** lhcheng has joined #openstack-keystone02:11
*** ChanServ sets mode: +v lhcheng02:11
*** dimsum__ has quit IRC02:12
*** ericksonsantos has quit IRC02:19
*** yasu_ has joined #openstack-keystone02:22
*** lhcheng has quit IRC02:23
*** davechen has joined #openstack-keystone02:36
*** richm has quit IRC02:38
*** lhcheng has joined #openstack-keystone02:55
*** ChanServ sets mode: +v lhcheng02:55
*** boris-42 has quit IRC02:58
*** lhcheng has quit IRC03:00
*** iamjarvo has joined #openstack-keystone03:13
*** alex_xu has quit IRC03:20
*** alex_xu has joined #openstack-keystone03:21
*** Jarot has left #openstack-keystone03:27
*** rushiagr_away is now known as rushiagr04:06
*** lhcheng has joined #openstack-keystone04:24
*** ChanServ sets mode: +v lhcheng04:24
*** iamjarvo has quit IRC04:25
*** lhcheng has quit IRC04:28
*** markvoelker has joined #openstack-keystone04:37
*** stevemar has joined #openstack-keystone04:42
*** ChanServ sets mode: +v stevemar04:42
*** rushiagr is now known as rushiagr_away04:46
*** afazekas has joined #openstack-keystone04:55
*** rushiagr_away is now known as rushiagr04:55
*** rushiagr is now known as rushiagr_away05:08
*** chlong has quit IRC05:09
*** emagana has joined #openstack-keystone05:15
*** ericksonsantos has joined #openstack-keystone05:15
*** stevemar has quit IRC05:17
*** ericksonsantos has quit IRC05:20
*** mabrams has joined #openstack-keystone05:33
*** rushiagr_away is now known as rushiagr05:36
*** rushiagr is now known as rushiagr_away05:37
*** davechen has left #openstack-keystone05:51
*** mflobo has joined #openstack-keystone06:06
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex
*** lhcheng has joined #openstack-keystone06:13
*** ChanServ sets mode: +v lhcheng06:13
*** lhcheng has quit IRC06:18
*** rushiagr_away is now known as rushiagr06:26
*** mabrams has quit IRC06:39
*** mabrams has joined #openstack-keystone06:42
*** jaosorior has joined #openstack-keystone06:53
*** yasu_ has quit IRC06:56
*** yasu_ has joined #openstack-keystone06:56
*** browne has quit IRC07:37
*** davechen has joined #openstack-keystone07:50
*** fifieldt has joined #openstack-keystone07:57
*** fifieldt has quit IRC07:58
*** jistr has joined #openstack-keystone07:58
*** belmoreira has joined #openstack-keystone08:11
*** mabrams has quit IRC08:17
*** mabrams has joined #openstack-keystone08:18
*** pnavarro has joined #openstack-keystone08:24
*** fhubik has joined #openstack-keystone08:28
*** davidckennedy has joined #openstack-keystone08:51
*** henrynash has joined #openstack-keystone09:14
*** ChanServ sets mode: +v henrynash09:14
*** aix has joined #openstack-keystone09:20
*** pnavarro has quit IRC09:32
mfloboHow can I propose a Keystone client blueprint? In I can not see anything for this09:45
mfloboFor keystone we have but I don't see anything for the client09:45
mflobomaybe here?
*** lhcheng has joined #openstack-keystone09:51
*** ChanServ sets mode: +v lhcheng09:51
jamielennoxmflobo: yes, there's a keystoneclient folder in keystone-specs09:52
mflobojamielennox, so, for a keystoneclient library blueprint (not the CLI) I should put it there09:53
mflobojamielennox, thanks09:54
*** davechen has left #openstack-keystone09:54
*** lhcheng has quit IRC09:55
*** dimsum__ has joined #openstack-keystone10:02
*** pnavarro has joined #openstack-keystone10:03
*** topol has joined #openstack-keystone10:15
*** ChanServ sets mode: +v topol10:15
*** topol has quit IRC10:20
*** samueldmq has joined #openstack-keystone10:33
*** yogeshwars1 has joined #openstack-keystone10:35
*** ajayaa has joined #openstack-keystone10:35
*** belmoreira has quit IRC10:48
*** nanz has joined #openstack-keystone11:06
nanzbhai reply karo11:08
nanzkeystone ?11:08
*** nanz has left #openstack-keystone11:08
samueldmqnanz, hi, english only please :)11:08
openstackgerritMerged openstack/keystone: Use stevedore for backend drivers
openstackgerritMerged openstack/keystone: Use short names for drivers
openstackgerritMerged openstack/keystone: Remove unnecessary oauth_api check
*** fhubik has quit IRC11:19
*** fhubik_afk has quit IRC11:19
*** fhubik has joined #openstack-keystone11:21
*** fhubik is now known as fhubik_afk11:26
*** EmilienM|afk is now known as EmilienM11:28
*** henrynash has quit IRC11:53
*** henrynash has joined #openstack-keystone11:58
*** ChanServ sets mode: +v henrynash11:58
*** fhubik_afk is now known as fhubik11:58
*** gordc has joined #openstack-keystone12:01
*** dimsum__ has quit IRC12:03
*** boris-42 has joined #openstack-keystone12:04
*** _dguerri is now known as dguerri12:13
*** lmtaylor has joined #openstack-keystone12:18
*** fhubik has quit IRC12:18
*** fhubik has joined #openstack-keystone12:18
*** raildo has joined #openstack-keystone12:19
*** htruta has joined #openstack-keystone12:19
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Adds inherited column to RoleAssignment PK
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Adds inherited column to RoleAssignment PK
samueldmqbknudson, hi, thanks for your review on 'Adds inherited column to RoleAssignment PK'12:29
samueldmqbknudson, what about adding a DB2 job to our gate ?12:29
bknudsonsamueldmq: we're working on getting the DB2 job working again12:44
*** dobson has quit IRC12:56
samueldmqbknudson, nice, let me know if you need a hand12:56
samueldmqbknudson, I am not an expert on gate jobs, but I am learning as I go (identity v3 only job for example)12:56
*** dobson has joined #openstack-keystone12:57
*** bknudson has quit IRC13:01
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Adds inherited column to RoleAssignment PK
*** vhoward has joined #openstack-keystone13:07
*** rushiagr is now known as rushiagr_away13:07
*** sigmavirus24_awa is now known as sigmavirus2413:11
*** lmtaylor has quit IRC13:13
*** henrynash has quit IRC13:15
*** fifieldt has joined #openstack-keystone13:17
*** fifieldt has quit IRC13:17
davidckennedydstanek lbragstad any chance of a re-review on it's been becalmed a little of late :)13:18
lbragstaddavidckennedy: sure thing, thanks for the reminder.13:18
davidckennedy(just hope you like it now I've asked...)13:19
*** josecastroleon has joined #openstack-keystone13:21
*** bknudson has joined #openstack-keystone13:22
*** ChanServ sets mode: +v bknudson13:22
*** chlong has joined #openstack-keystone13:22
*** lhcheng has joined #openstack-keystone13:28
*** ChanServ sets mode: +v lhcheng13:28
*** davechen has joined #openstack-keystone13:30
*** lhcheng has quit IRC13:32
*** iurygregory has joined #openstack-keystone13:34
*** dimsum__ has joined #openstack-keystone13:39
*** iurygregory has quit IRC13:40
*** _1_Julio has joined #openstack-keystone13:41
*** emagana has quit IRC13:43
*** blewis has joined #openstack-keystone13:45
*** richm has joined #openstack-keystone13:46
*** lmtaylor has joined #openstack-keystone13:47
*** ajayaa has quit IRC13:48
*** dimsum__ has quit IRC13:53
*** mattfarina has joined #openstack-keystone13:54
*** markvoelker has quit IRC13:56
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements
*** stevemar has joined #openstack-keystone14:01
*** ChanServ sets mode: +v stevemar14:01
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient-saml2: Updated from global requirements
*** openstackgerrit has quit IRC14:06
*** openstackgerrit has joined #openstack-keystone14:07
stevemarmarekd, what time works for you on wednesday?14:08
marekdstevemar: as early as possible, so i guess 18UTC would work for our tzs ?14:12
stevemarmarekd, that should work for everyone14:15
*** dims has joined #openstack-keystone14:16
marekdstevemar: hope so.14:16
*** zzzeek has joined #openstack-keystone14:18
*** openstack has joined #openstack-keystone14:18
*** fhubik has quit IRC14:19
*** yasu_ has quit IRC14:20
*** blewis` has joined #openstack-keystone14:25
*** blewis has quit IRC14:26
*** blewis` has quit IRC14:27
openstackgerritBrant Knudson proposed openstack/keystone: Move bandit requirement to test-requirements-bandit.txt
stevemarmarekd, rodrigods, morganfainberg fyi - i created an outline for our presentation, would appreciate some help in filling in the content :)14:30
stevemarlet me know if you don't have the links14:30
openstackgerritBrant Knudson proposed openstack/keystone: Move bandit requirement to test-requirements-bandit.txt
rodrigodsstevemar, great! did you use the etherpad link? I think I lost it14:31
stevemarrodrigods, nope, i'll pM it to you14:31
rodrigodsstevemar, thx14:31
marekdstevemar: google doc link?14:34
*** jsavak has joined #openstack-keystone14:38
*** mestery has quit IRC14:38
stevemarmarekd, yeah, i sent it out14:40
*** emagana has joined #openstack-keystone14:42
*** anteaya has joined #openstack-keystone14:46
*** davechen has left #openstack-keystone14:47
dolphmmarekd: stevemar: according to the spec, each protocol has an 'id' attribute but the client tests aren't creating such an attribute and14:55
dolphm instead create a 'protocol_id' attribute ... which is correct? i'm hoping the client tests are wrong...14:55
*** mabrams has quit IRC15:00
dolphmmarekd: stevemar: the server seems to implement the spec correctly...
stevemardolphm, the client tests seem wrong15:01
morganfainbergstevemar: cool. Will be looking at it soon.15:02
dolphmstevemar: thanks, i'll file a bug then15:02
stevemardolphm, should just be 'id'15:02
dolphmstevemar: ++ tjat15:03
dolphmstevemar: that's* what i figured15:03
morganfainbergsamueldmq: ping - was looking at your devstack change and I think it needs to be split into 2 things. - 1: always use v3 to setup devstack, never use v2 apis. 2: the bit about honoring the v3 only flag.15:03
dolphmstevemar: i wrote a new test that applied to every API, and they all passed except for everything on /protocols15:03
*** markvoelker has joined #openstack-keystone15:03
marekddolphm: stevemar:  protocol's create call is:15:04
marekdwhich expect arg protocol_id15:04
*** pnavarro has quit IRC15:09
dolphmmarekd: but that's not an object reference. protocol_id is perfect for routing purposes in URLS15:10
dolphmmarekd: but that protocol_id gets persisted as just an id
dolphmmarekd: which all looks correct to me (in the server)15:10
dolphmmarekd: stevemar: filed a bug btw
openstackLaunchpad bug 1453847 in python-keystoneclient "Federation /protocols tests mistakenly use 'protocol_id' instead of 'id'" [Medium,Confirmed] - Assigned to Dolph Mathews (dolph)15:11
*** dims has quit IRC15:12
*** aix has quit IRC15:12
*** henrynash has joined #openstack-keystone15:15
*** ChanServ sets mode: +v henrynash15:15
marekddolphm: allrighty then.15:19
*** fifieldt has joined #openstack-keystone15:22
*** fifieldt has quit IRC15:23
marekddolphm: need to clarify something - do you expect 'id' (protocol id) to be sent in the request body?15:25
*** Zanatoz has joined #openstack-keystone15:26
dolphmmarekd: in what request body?15:26
marekdfor instance creating a protocol15:27
*** blewis has joined #openstack-keystone15:27
marekdPUT /v3/OS-FEDERATION/identity_providers/idp/protocols/saml215:28
dolphmmarekd: you create a protocol using a PUT request which is routed with a 'protocol_id' for clarity, which is then persisted as the protocol reference's "id" attribute and returned as the "id" in the response
dolphmthere is no protocol id of any kind in the request body there (nor should there be, because it's in the URL)15:29
*** rushiagr_away is now known as rushiagr15:29
dolphmmarekd: the spec also asserts that you reference a mapping with a 'mapping_id' (see that same link)... and the tests are using something called a 'mapping' =(15:30
marekdallrighty, thought you were expect id in the request body there.15:30
dolphmnone of these unit tests would work if they were functional tests - because the server is implementing something totally different15:32
dolphmwhich makes all the unit tests completely pointless... because the client does the right thing anyway, right?15:32
openstackgerritDavid Charles Kennedy proposed openstack/keystone: Add subjectAltName to generated ssl cert
marekddolphm: let me see.15:35
bknudsondevstack change to use stevedore entrypoints:
marekddolphm: i recall there was some 'parameter names splitting' or glueing15:35
dolphmso, it looks like all three attributes in ProtocolsTests.new_ref()'s implementation doesn't follow the HTTP API as it does in other test modules, so the entire test pattern used in other modules had to be re-invented to accomidate it.15:38
*** gyee has joined #openstack-keystone15:41
*** ChanServ sets mode: +v gyee15:41
*** atiwari2 has quit IRC15:42
openstackgerritDolph Mathews proposed openstack/python-keystoneclient: Use 'id' instead of 'protocol_id' in federation protocol tests
*** markvoelker has quit IRC15:45
*** topol has joined #openstack-keystone15:47
*** ChanServ sets mode: +v topol15:48
*** rwsu has joined #openstack-keystone15:48
rodrigodsstevemar, marekd ping... did you see this error before?
*** lhcheng has joined #openstack-keystone15:52
*** ChanServ sets mode: +v lhcheng15:52
marekdrodrigods: very likely, but this paste doesn't gve much information to point us to the right direction :/15:53
rodrigodsmarekd, it is after being redirected by the SP15:53
rodrigodsand trying to get the unscoped token15:53
marekdwhat's has changed from the last version you had?15:53
stevemarrodrigods, unsupported method... did you enable saml2 auth in config15:54
rodrigodsmarekd, the code that I have here works for a Juno SP15:54
rodrigodsstevemar, hmm true!15:54
rodrigodsstevemar, forgot about it15:54
marekdrodrigods: didn't you have similar thing few weeks ago?15:54
rodrigodsmarekd, it was similar, but in the other way around15:55
marekdrodrigods: nah that was 'token' auth method.15:55
*** esp has joined #openstack-keystone15:55
*** e0ne has joined #openstack-keystone15:57
*** e0ne is now known as e0ne_15:58
rodrigodsmarekd, stevemar my keystone.conf was missing the saml2 entry15:58
*** e0ne_ is now known as e0ne15:58
stevemarrodrigods, we got your back ;)15:59
*** _cjones_ has joined #openstack-keystone16:04
*** _cjones_ has quit IRC16:05
*** _cjones_ has joined #openstack-keystone16:07
*** rdo has quit IRC16:08
*** rdo has joined #openstack-keystone16:10
*** browne has joined #openstack-keystone16:13
openstackgerritDolph Mathews proposed openstack/python-keystoneclient: Use 'mapping_id' instead of 'mapping' in federation protocol tests
*** jistr has quit IRC16:17
*** alexsyip has joined #openstack-keystone16:18
*** _1_Julio has quit IRC16:19
*** rdo has quit IRC16:19
*** rdo has joined #openstack-keystone16:21
*** henrynash has quit IRC16:25
*** gothicmindfood has quit IRC16:29
*** davidckennedy has quit IRC16:30
*** gothicmindfood has joined #openstack-keystone16:31
*** ajayaa has joined #openstack-keystone16:36
*** browne has quit IRC16:39
samueldmqmorganfainberg, hi, I am back now16:49
morganfainbergsamueldmq: I can take a crack at splitting up your devstack change if you want.16:49
morganfainbergJust getting food right now.16:50
samueldmqmorganfainberg, ++ feel free to split it16:50
samueldmqmorganfainberg, but I am not sure I understood how you want to split, ping me once you're back16:51
*** pnavarro has joined #openstack-keystone16:51
*** haneef has quit IRC16:53
*** rushiagr is now known as rushiagr_away16:53
samueldmqmfisch, why ?  :(16:54
*** afazekas has quit IRC16:55
mfischmainly because it's buggy. I've been using it and still have not won the lottery, so I think the code might have a subtle bug16:58
*** jsavak has quit IRC16:59
samueldmqmfisch, fair enough :)16:59
*** jsavak has joined #openstack-keystone17:00
morganfainbergmfisch: if you do win the lottery ... Share it with us :P17:02
mfischI'm going to hire steve as my personal keystone dev17:11
dstanekmfisch: your session sounds very interesting - about the push->pray alternative17:11
mfischits a pretty broad talk but might still be interesting17:12
dstanekmfisch: i've actually been using OSAD more and more to develop Keystone without using devstack17:13
*** e0ne has quit IRC17:13
mfischwe use vagrant based virtual environments to bring up whatever we need17:13
mfischkeystone or a full cluster + lbs and control nodes17:13
*** jsavak has quit IRC17:14
*** jsavak has joined #openstack-keystone17:14
dstaneka full all-in-one - similar to devstack, but much easier with change deployment options17:14
mfischours are standalones that mimic our environment17:14
*** browne has joined #openstack-keystone17:14
mfischstarting from the puppet master17:14
*** turul has joined #openstack-keystone17:15
dstanekit's basically the same idea - OSAD is what Rax private cloud uses to deploy17:15
*** turul is now known as afazekas17:15
*** samleon has joined #openstack-keystone17:16
*** blewis has quit IRC17:16
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Add is_domain field in Project Table
*** rushiagr_away is now known as rushiagr17:21
*** ankita_wagh has joined #openstack-keystone17:23
*** emagana has quit IRC17:24
dstanektwo x-project policy sessions at the same time!17:25
gyeedstanek, how's le weekend? I had le big mac to celebrate le win!17:25
*** emagana has joined #openstack-keystone17:26
morganfainbergdstanek: crap! :P17:26
dstanekgyee: i don't really follow the Cavs. i lost interest in basketball when Jordan left (the first time) and never got it back17:27
topolwhat's the policy for choosing between the two x-project policy  sessions? :-)17:29
stevemartopol, depends on who has the admin role :P17:29
*** larsks has joined #openstack-keystone17:29
gyeelet congress decide17:29
topolstevemar, choose between milli or vanilli?17:30
*** esp has quit IRC17:30
stevemari wont be letting you forget that one17:30
topolbetween the silence on that and spzala letting me know how great it was not having standups for two weeks :-)  Heck of a morning17:32
*** rushiagr is now known as rushiagr_away17:36
-openstackstatus- NOTICE: We have discovered post-upgrade issues with Gerrit affecting nova (and potentially other projects). Some changes will not appear and some actions, such as queries, may return an error. We are continuing to investigate.17:38
*** ChanServ changes topic to "We have discovered post-upgrade issues with Gerrit affecting nova (and potentially other projects). Some changes will not appear and some actions, such as queries, may return an error. We are continuing to investigate."17:38
*** mestery has joined #openstack-keystone17:41
samleonstevemar, how's going? just like to see if you will have a chance to do another review for the x.509 patch since you've been one of the nice folks have a closed look at this patch ;-)
samleonstevemar, so far got a +2 from ayoung, that made me a day! ;-) so hopefully this can be merged soon17:43
*** mestery has quit IRC17:44
stevemarsamleon, i'll try and squeeze in a review this week17:45
stevemarsuper busy in preparation for the summit :(17:45
samleonstevemar, that's great! sure, I kow that, thx17:45
*** mestery has joined #openstack-keystone17:46
morganfainbergsamleon: if we don't get the review in here before summit, it's def. on the list for @ the summit17:53
*** mestery has quit IRC17:56
*** rushiagr_away is now known as rushiagr18:02
samleonmorganfainberg,  that's great! can't wait to see all you guys over there ;-)18:08
*** emagana has quit IRC18:15
*** emagana has joined #openstack-keystone18:17
morganfainbergayoung: ping18:19
morganfainbergayoung: we might have an issue with token v2 <-> v3 interop18:19
ayoungcaught yourself there....18:19
dolphmif you squint, i'm pretty sure this is morganfainberg
morganfainbergayoung: notably we are probably issuing inconsistent expires_at for the tokens due to a failure to properly format the string18:19
morganfainbergdolphm: hah no18:20
ayoungdolphm, , not if you sawthem side by sid or heard them speak18:20
dolphmmorganfainberg: my first thought was "morganfainberg looks different somehow"18:20
morganfainbergayoung: so ... this is highlighted by - i was about to say "no we are not changing that validation string" but in looking it looks like we have a bug where it is possible to get v2 tokens with microsecond expires_at18:21
ayoungmorganfainberg, is there a bug for " issuing inconsistent expires_at for the tokens due to a failure to properly format the string"18:22
*** ankita_w_ has joined #openstack-keystone18:22
ayoungdolphm, so Arthur has thick Israeli accent, and body mass is about 2 morganfainbergs18:23
*** ankita_wagh has quit IRC18:23
*** ankita_wagh has joined #openstack-keystone18:24
*** pnavarro has quit IRC18:25
*** lsmola_ has quit IRC18:25
*** Guest64787 has quit IRC18:25
*** smallbig has quit IRC18:25
*** morganfainberg has quit IRC18:25
*** tsufiev has quit IRC18:25
*** samueldmq_ has joined #openstack-keystone18:26
*** larsks|alt has joined #openstack-keystone18:26
*** topol_ has joined #openstack-keystone18:26
*** emagana has quit IRC18:26
*** jimbaker has quit IRC18:26
*** larsks has quit IRC18:26
*** topol has quit IRC18:26
*** samueldmq has quit IRC18:26
*** x58 has quit IRC18:26
*** htruta has quit IRC18:26
*** svasheka has quit IRC18:26
*** miguelgrinberg has quit IRC18:26
*** topol_ is now known as topol18:26
*** ChanServ sets mode: +v topol18:26
*** ankita_wagh has quit IRC18:26
*** samueldmq_ is now known as samueldmq18:26
*** x58 has joined #openstack-keystone18:26
*** jimbaker has joined #openstack-keystone18:27
*** jimbaker has quit IRC18:27
*** jimbaker has joined #openstack-keystone18:27
*** miguelgrinberg_ has joined #openstack-keystone18:27
*** ankita_w_ has quit IRC18:27
*** ankita_wagh has joined #openstack-keystone18:27
*** pnavarro has joined #openstack-keystone18:27
*** lsmola_ has joined #openstack-keystone18:27
*** smallbig has joined #openstack-keystone18:27
*** morganfainberg has joined #openstack-keystone18:27
*** tsufiev has joined #openstack-keystone18:27
*** sets mode: +v morganfainberg18:27
*** htruta has joined #openstack-keystone18:27
hogepodgemorganfainberg: it's a problem for them18:27
*** svasheka has joined #openstack-keystone18:27
hogepodgemorganfainberg: from what I understand, they're not running keystone proper, though.18:27
*** emagana has joined #openstack-keystone18:28
*** larsks|alt is now known as larsks18:28
*** dan| has joined #openstack-keystone18:29
morganfainbergdolphm: how awful is it going to be for RAX if we say v2 tokens cannot have microsecond resolution for expires_at? (sorry was netsplit)18:29
morganfainbergcc dstanek, lbragstad ^18:29
morganfainberghogepodge: right and i'm asking the RAX folks about it ;)18:29
morganfainbergdolphm: because is waaaay too broad a change18:29
morganfainbergbut we are potentially inconsistent.18:29
morganfainbergas is18:29
*** radez has joined #openstack-keystone18:30
dolphmmorganfainberg: i was investigating that the other day - depends on whether it's allowed / expected to be an integer or if a .000 floating point is acceptable18:30
lbragstaddolphm: you had a commit up to fix that, right?18:30
morganfainbergdolphm: today it is not acceptible for microsecond resolution, meaingin v3 -> v2 token validate fails18:30
*** jsavak has quit IRC18:32
morganfainbergso i've tossed a -1 on that patch18:32
morganfainbergbasically i'd be ok with seing a validate that allowed either microsecond resolution or non-microsecond resolution, but "any ISO8601 format" is not really what I'd like to have to support18:33
dolphmlbragstad: i had a commit somewhere -- not sure if it went to gerrit18:33
gyeewe have a bunch of unit tests for v2, v3 interop18:33
morganfainbergbecause you can get crazy with iso860118:33
gyeeI would expect those tests to fail18:33
dolphmmorganfainberg: why are they dropping utcnow() in that patch in favor of now()18:33
*** jsavak has joined #openstack-keystone18:33
morganfainbergdolphm: because they want to allow lots of variations18:34
morganfainbergthe author is going to come back and say "The spec says 8601 format, so we should support all of those"18:34
dolphmmorganfainberg: i think they just wanted to allow for variation between 0 and 0.000 and 0.0000018:34
*** e0ne has joined #openstack-keystone18:35
dolphmmorganfainberg: i'm not convinced we really have a use case for any floating point seconds anymore18:35
dolphmbut that's an aside18:35
morganfainbergthey are also allowing all tz-variations18:35
dolphmthat's sort of alarming and i'd like to know why18:35
morganfainbergdolphm: so if we move to pure 8601 format handling in keystone i'd be ok with switching this but today we use an 8601-like format18:37
dolphmmorganfainberg: non-pure in v3?18:37
morganfainbergwe do st = at.strftime(_ISO8601_TIME_FORMAT18:38
morganfainberg                     if not subsecond18:38
morganfainberg                     else _ISO8601_TIME_FORMAT_SUBSECOND)18:38
morganfainbergwhich is explicit: _ISO8601_TIME_FORMAT_SUBSECOND = '%Y-%m-%dT%H:%M:%S.%f'18:38
morganfainberg_ISO8601_TIME_FORMAT = '%Y-%m-%dT%H:%M:%S'18:38
morganfainbergthis is not using 8601 module so we can't be sure we're going to capture lots of variations18:38
morganfainberg8601 can do W for weeks, etc.18:39
morganfainbergso we're doing iso8601-like formatting18:39
dolphmdon't we include Z (zulu tz) everywhere?18:39
dolphm(they're not in your format examples)18:40
morganfainbergyeah we do18:40
morganfainbergin some cases18:40
dolphm"if it strictly validated for microsecond and/or non-microsecond resolution expires_at in tokens for v2" so, EXPIRY_DATE_FORMATS = ['%Y-%m-%dT%H:%M:%SZ', '%Y-%m-%dT%H:%M:%S.%fZ'] in v2 then?18:40
morganfainbergi think we explicitly append it18:40
morganfainbergdolphm: yah that would be fine i think.18:40
dolphmmorganfainberg: that would cover your #2 thing, i think (v3 token validated by v2)18:41
morganfainberghm. maybe timeutils has gotten a bit smarter18:42
morganfainbergit does use .parse_iso860118:42
morganfainbergfrom iso8601 now that I look at ti18:42
morganfainbergbleh. i still don't like allowing servers to issue *any* 8601-valid format18:42
radezstevemar: ping, it was suggested a little while ago to talk to you about integrating TryStack.orgkeystone with once we18:43
radezgot kilo installed an happy18:43
radezI noticed oauth in keystone is v1 and is v218:44
radezwould we have to do some patching to get oauth2 support for
*** ajayaa has quit IRC18:45
morganfainbergradez: openstackid supports openid connect though, right?18:45
*** Zanatoz has quit IRC18:45
radezmorganfainberg: not sure, I've just circled back to this today.18:45
* radez looks for openid connect support18:45
openstackgerritMerged openstack/python-keystoneclient: Use 'id' instead of 'protocol_id' in federation protocol tests
morganfainbergradez: because keystone can consume OIDC18:47
radezmorganfainberg: I see docs for that, I'll ask infra if there is oidc support for openstackid.org18:48
morganfainbergayoung: what were we going to call that extra fishbowl (cc jamielennox )?18:49
*** dan| has quit IRC18:49
*** Zanatoz has joined #openstack-keystone18:50
ayoungmorganfainberg, the one where we talkg about access info, consuming the products of auth plugins etc18:51
radezmorganfainberg: there's not oauth2 support in keystone correct?18:51
morganfainbergwhat was the title we wanted to call that?18:51
morganfainbergradez: not afaik18:51
ayoungradez, oauth was 1.3a explicitly18:52
radezkk, thx18:52
*** harlowja has quit IRC18:52
ayoungradez, out of curioustity why do you ask18:52
*** harlowja has joined #openstack-keystone18:52
radezayoung: trying to integrate TryStack with openstackid.org18:53
ayoungradez, ah...and openstackid only does oauth2?18:54
*** jsavak has quit IRC18:54
ayoungradez,, that doesn't matter18:54
radezafaik yes18:54
ayoungwhy you are about is if Keystone for trystack consumes oauth2?18:54
*** jsavak has joined #openstack-keystone18:54
ayoungradez, the short answer is:  it is another federation integration18:54
*** dan_ has joined #openstack-keystone18:54
ayoungI think we can make that happend18:54
*** dan_ is now known as Guest2558018:55
ayoungmorganfainberg,  we need to clarify what we mean by ouath support....18:55
*** esp has joined #openstack-keystone18:55
radezayoung: meaning there's support that could make it happen now or that would be a feature req?18:55
morganfainbergayoung: i usually say OIDC is the right approach vs strict oauth in this case.18:55
ayoungradez, let me see if there is an apache module we can use.  We wanted to use mello for saml, but I thoguth we had an oauith2 approach, too18:55
morganfainbergif at all possible18:55
morganfainbergayoung: is that about right?18:56
ayoungmorganfainberg, so first hit was
radezayoung: cool, thx!18:56
ayoungmorganfainberg, looks about right18:56
morganfainbergayoung: we can easily do OIDC stevemar made that all work18:56
morganfainbergayoung: oauth2 is a bit different though18:56
ayoungmorganfainberg, stevemar putting something in front of Apache, right?18:57
morganfainbergit's using an apache mod iirc18:57
morganfainbergbut yes18:57
ayoungmorganfainberg, it really depends on what supports18:57
*** topol has quit IRC18:57
morganfainbergayoung: i know it supports traditional OpenID, just not sure about OIDC18:59
ayoungmorganfainberg, did he document it anywhere?18:59
morganfainbergstevemar: help us stevemar, you're our only hope19:00
radezayoung: yea I read that, but they don't support oidc19:00
stevemarayoung, morganfainberg radez sorry, i was away. looks like ayoung pulled up the right doc links and apache module19:00
ayoungradez, openstackid does not?19:01
radezayoung: nope19:01
ayoungradez, do you have a link to what they do support?19:01
radez mrmartin | radez: just plane openid and oauth19:01
stevemarthats weird19:01
radezspecifically oauth219:02
*** rushiagr is now known as rushiagr_away19:02
stevemarradez, i believe mod_auth_openidc works with plain old openid + oauth anyway19:02
stevemarso the docs should still be valid19:02
*** Rockyg has joined #openstack-keystone19:03
radezstevemar: oh cool, ok I'll try and do the openid integration according to that doc19:03
radezthx guys19:03
stevemarradez, np. make sure you turn on debug logging on keystone, once you see the environment variables from mod_auth_openidc in the keystone logs, you know you're getting close19:04
ayoungradez, please ask questions.  And please use Kilo code19:04
radezayoung: stevemar: ack, thx guys I'l be in touch with progress19:04
stevemarradez, also, websso works for openidc, but not so much keystoneclient support - but i have someone actively working on getting that in19:05
ayoungThere are often ricks to getting the mapping layer set up correctly19:05
*** emagana has quit IRC19:05
ayoungstevemar, is an auth plugin?19:05
*** emagana has joined #openstack-keystone19:05
* ayoung hopes that was rhetorical19:05
stevemarayoung, come again?19:05
ayoungstevemar, the client support you just mentioned19:06
stevemarayoung, 'as in an auth plugin' -- yes19:06
ayoungstevemar, cool.  Doesn't it feel like it is all coming together...19:06
stevemarcertainly has the feel to it now, finally.19:07
stevemarthat blog you pointed out was a nice ego boost19:07
*** dguerri is now known as _dguerri19:12
gyeeayoung, morganfainberg, you guys cool with this?
gyeeif you guys good with the spec, David and I can work on the code next19:13
*** topol has joined #openstack-keystone19:14
*** ChanServ sets mode: +v topol19:14
*** miguelgrinberg_ is now known as miguelgrinberg19:21
*** iamjarvo has joined #openstack-keystone19:22
*** e0ne has quit IRC19:22
morganfainberggyee: i'd rather see the endpoint binding filter always be installed and be something we can disable via config fwiw19:24
morganfainberggyee: than asking people to update paste-ini to enable things19:24
morganfainberggyee: trying to get out of the habit of "change the paste pipeline" reocmmendation to "turn things on"19:24
morganfainberggyee: since it's not going to be part of auth_token itself.19:24
morganfainberg(btw: when did that change?)19:25
dstanekmorganfainberg: looks like you got your answer on the timestamp thing19:26
morganfainbergdstanek: ?19:27
dstaneki finally went through the summit schedule. too much to do and not enough time19:27
morganfainbergdstanek: oh yeah19:27
morganfainbergdstanek: hehe19:29
morganfainbergdstanek: i really did try and keep our sessions light19:30
openstackgerritBrant Knudson proposed openstack/keystone: Remove identity_api from AuthInfo dependencies
morganfainbergbecause we should be interfacing with other teams more this summit19:30
openstackgerritRoxana Gherle proposed openstack/keystonemiddleware: Send the correct user-agent to Keystone
*** nkinder has joined #openstack-keystone19:32
*** pnavarro has quit IRC19:34
dstanekmorganfainberg: i'm planning on hitting up some QA stuff19:35
*** _dguerri is now known as dguerri19:38
ayounggyee, morganfainberg nah, separate middleware19:44
ayounggyee, lest sort this now...since I was part of the whipsaw19:45
ayoungmorganfainberg, I wonder if we can avoid another config option19:45
morganfainbergayoung: config option > edit paste pipeline19:45
ayoungwhat I would like is endpoint binding be the start of moving policy to a middleware19:45
ayoungand not just endpouintbinding19:46
ayoungbut all policy enforcement19:46
morganfainbergayoung: i don't think that is something that can land this cycle tbh19:46
ayoungand...that feels like it should be its own middleware19:46
ayoungno,  not completely19:46
morganfainbergwe're too far from having a view of policy19:46
morganfainbergclear view19:46
ayoungagreed not completetly19:46
morganfainbergwe could merge it down once we have a clearer view19:46
morganfainbergbut this likely needs to be separate until we're closer on the policy front19:47
ayoungmorganfainberg, my design goal is that endpoint binding should be a policy decision.  We should use the same mechanism for policy enforcement as we do for endpoint binding19:47
morganfainbergayoung: we could also morph the new pipeline entry19:57
morganfainbergayoung: if we are smart about it19:58
ayoungmorganfainberg, yes, that was my thought19:58
ayoungmorganfainberg, OTOH,  maybe auth token should be both.19:58
morganfainbergayoung: more summit convos.19:58
ayoungboth "expand the token" and "check the policy"19:58
ayoungall in one would probably be less surprising.  Therei s also the fact that expanding the token has to happen before the policy check, and I would not want to have an implied ordering dependcey there19:59
openstackgerritMerged openstack/python-keystoneclient: Use 'mapping_id' instead of 'mapping' in federation protocol tests
*** lhcheng has quit IRC20:02
*** dims has joined #openstack-keystone20:03
openstackgerritMerged openstack/keystone: De-duplicate auth methods
openstackgerritMerged openstack/keystone: Use [] where a value is required
dstanekthis review is creating a log jam!
gyeemorganfainberg, ayoung, sorry I had to step out, I am fine with it being a separate middleware, I think it will converage into one20:17
gyeewith a general purpose enforcement middleware20:17
gyeescrolling back, if I read you guys correct, we now want it in auth_token?20:20
*** ankita_w_ has joined #openstack-keystone20:31
*** ankita_wagh has quit IRC20:31
*** radez is now known as radez_g0n320:36
*** iamjarvo has quit IRC20:37
*** lhcheng has joined #openstack-keystone20:41
*** ChanServ sets mode: +v lhcheng20:41
*** iamjarvo has joined #openstack-keystone20:43
*** openstackgerrit_ has joined #openstack-keystone20:44
*** topol has quit IRC20:52
*** htruta has quit IRC21:00
*** htruta has joined #openstack-keystone21:01
ayounggyee, we have not come to a conclusion.  Suggest we hash this out next week, as part of the policy discussion.21:03
ayoungI need to finish my presentation before I can have a clear brain on this21:03
*** jsavak has quit IRC21:06
*** iamjarvo has quit IRC21:09
morganfainberggyee: ^^ what ayoung said21:15
morganfainberggyee: I am not opposed to it either being in auth_token or a separate middleware21:15
morganfainberggyee: or part of policy21:16
ayoungdstanek, +2A21:18
ayounggyee, I think if you start as a separate middleware, it will be easier to merge it in to auth token .  Domn;t think We should start with it in one middleware21:18
ayoungif you need somthing to drive on with to get started21:19
gyeeayoung, morganfainberg, sure21:20
dstanekayoung: thx21:21
*** vhoward has left #openstack-keystone21:26
*** spandhe has joined #openstack-keystone21:32
morganfainbergstevemar dtroyer: so i think i found a flaw in openstackclient21:33
*** emagana has quit IRC21:34
morganfainbergstevemar dtroyer: I can't get any information on the commands w/o authenticating with an openstack keystone. there is no way to see the params needed for 'openstack service create'21:34
morganfainbergfor example21:34
morganfainbergw/o actually trying to use it.21:34
dtroyermorganfainberg: which version do you have?21:34
dtroyerthis crept back in recently and was fixed again.21:35
*** emagana has joined #openstack-keystone21:35
dtroyerso if you do an actual help command it'll do what you expect21:35
dtroyeropenstack help service create21:35
dtroyerI'll have to dig in to see why we want to auth before checking the comamnd args21:35
morganfainbergyeah that isn't intuitive at all21:36
dtroyerthe auth should be absolute last minute21:36
morganfainbergbut sure.21:36
dtroyerthis also might vary by command/api lib21:36
dtroyerbecause, you know, they're all different21:36
morganfainbergyeah trying to figure out how to make devstack rely on zero keystone v2 apis21:37
openstackgerritMerged openstack/keystone: Update sample config file
stevemarmorganfainberg, yo, i'm not here for the meeting tmrw21:38
morganfainbergstevemar: slacker ;)21:38
morganfainbergstevemar: no worries21:38
*** Rockyg has quit IRC21:39
stevemarmorganfainberg, apparently i'm seeing a doctor that is impossible to get an appointment with21:39
morganfainbergstevemar: doctors are strange like that21:39
bknudsonstevemar: #welcomeToObamacare!21:40
dtroyerbknudson: he wishes he had the awesome US healthcare system…21:40
stevemarbknudson, pfft we've had it since 1950s21:41
*** mattfarina has quit IRC21:42
dtroyeryeah, but we have the proverbial last-mover advantage21:42
dtroyeryou know, see how everyone else did it wrong and make even bigger mistakes21:42
* dtroyer crawls back into cave21:43
stevemarhey 'last-mover advatage' does work sometimes21:43
lbragstaddo we know if keystonemiddleware's gerrit repo is ok after the gerrit migration?21:52
lbragstadis that one of the repos that's having issues?21:52
lbragstadand being investigated?21:52
*** lmtaylor has quit IRC21:53
morganfainberglbragstad: is it?21:53
morganfainberglbragstad: i hadn't heard which ones were off21:53
morganfainberglbragstad: i recommend asking -infra21:53
lbragstadmorganfainberg: well, I'm redeploying a cluster of keystone nodes and I can't seem to checkout source from keystonemiddleware21:54
lbragstadI can checkout source for keystone and python-keystoneclient21:54
lbragstadbut not keystonemiddleware21:54
lbragstadI switched to using github and it works fine21:55
lbragstadprevious, I get something like
morganfainberglbragstad: i just cloned from just fine21:55
lbragstadmorganfainberg: from keystone middleware?21:55
lbragstadwhat about stable kilo branch?21:56
lbragstadthis is the steps that's failing21:57
lbragstadgit clone
lbragstadwhen I do that, locally, it fails as well.21:58
*** stevemar has quit IRC21:59
*** emagana has quit IRC22:00
*** emagana has joined #openstack-keystone22:05
openstackgerritBrant Knudson proposed openstack/keystone: Use stevedore for auth drivers
openstackgerritBrant Knudson proposed openstack/keystone: Use stevedore for auth drivers
*** ericksonsantos has joined #openstack-keystone22:09
*** esp has quit IRC22:14
openstackgerritMerged openstack/keystone: Handles Python3 builtin changes
*** esp has joined #openstack-keystone22:19
mfischproposed avatar for bknudson:
*** rwsu has quit IRC22:25
bknudsonmfisch: surprisingly accurate... although the default avatar is accurate too.22:25
mfischI saw UND and Minnaepolis, I knew you had a hat like that22:26
openstackgerritMerged openstack/keystone: Handles modules that moved in Python3
openstackgerritMerged openstack/keystone: Fixes a whitespace issue
*** erickson has joined #openstack-keystone22:31
openstackgerritMerged openstack/keystone: Add mocking for ldappool for Python3 tests
*** ericksonsantos has quit IRC22:34
*** rharwood has quit IRC22:34
*** rharwood has joined #openstack-keystone22:36
*** nkinder has quit IRC22:37
openstackgerritBrant Knudson proposed openstack/keystone: Default auth plugin
*** diegows has joined #openstack-keystone22:50
*** trey has quit IRC22:50
openstackgerritBrant Knudson proposed openstack/keystone: Short names for auth plugins
*** trey has joined #openstack-keystone22:56
*** bknudson has quit IRC22:56
*** gordc has quit IRC23:01
*** emagana has quit IRC23:03
jamielennoxoh, o - gives 5023:04
morganfainbergjamielennox: infra is working on it23:05
morganfainbergjamielennox: it's not pretty - but they're trying to resolve things related to fallout from the gerrit upgrade23:05
morganfainbergjamielennox: keep an eye on -infra channel23:05
morganfainbergjamielennox: for updates.23:05
jamielennoxmorganfainberg: interesting, will look in23:05
morganfainbergjamielennox: also
morganfainbergjamielennox: let me know if anything needs to be changed23:06
jamielennoxmorganfainberg: looks good23:07
*** jaosorior has quit IRC23:12
*** blewis has joined #openstack-keystone23:18
openstackgerritRoxana Gherle proposed openstack/keystonemiddleware: Send the correct user-agent to Keystone
*** arif-ali has quit IRC23:28
*** arif-ali has joined #openstack-keystone23:29
*** dims has quit IRC23:34
*** dims has joined #openstack-keystone23:39
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Handle sessions correctly in convenience client
*** dims has quit IRC23:43
openstackgerritJamie Lennox proposed openstack/keystone: Move endpoint_policy migrations into keystone core
openstackgerritJamie Lennox proposed openstack/keystone: Move endpoint policy into keystone core
*** nkinder has joined #openstack-keystone23:46
*** Raildo_ has joined #openstack-keystone23:49
-openstackstatus- NOTICE: Gerrit is going offline while we perform an emergency downgrade to version 2.8.23:54
*** ChanServ changes topic to "Gerrit is going offline while we perform an emergency downgrade to version 2.8."23:54

Generated by 2.14.0 by Marius Gedminas - find it at!