Friday, 2015-05-29

*** arif-ali has quit IRC00:00
*** arif-ali has joined #openstack-keystone00:04
*** markvoelker has quit IRC00:12
*** setmason has joined #openstack-keystone00:16
*** gyee has quit IRC00:18
*** arunkant_ has quit IRC00:22
*** emagana has quit IRC00:25
*** gyee has joined #openstack-keystone00:25
*** ChanServ sets mode: +v gyee00:25
openstackgerritRodrigo Duarte proposed openstack/keystone: Update testing keystone2keystone doc  https://review.openstack.org/18639500:28
openstackgerritRodrigo Duarte proposed openstack/keystone: Add "enabled" to create service provider example  https://review.openstack.org/18640200:28
*** setmason_ has joined #openstack-keystone00:39
*** dsirrine has quit IRC00:40
*** setmason has quit IRC00:41
*** setmason_ is now known as setmason00:41
*** sigmavirus24 is now known as sigmavirus24_awa00:41
*** dims_ has quit IRC00:42
*** dims_ has joined #openstack-keystone00:47
*** mdrnstm has joined #openstack-keystone00:48
*** mdrnstm is now known as Guest72300:48
*** tobe has joined #openstack-keystone00:52
*** Guest723 has quit IRC00:55
*** dsirrine has joined #openstack-keystone00:55
*** browne has quit IRC00:56
*** _cjones_ has quit IRC01:00
*** gokrokve has joined #openstack-keystone01:03
openstackgerritayoung proposed openstack/keystone: IAM Models  https://review.openstack.org/18465101:06
*** ayoung has joined #openstack-keystone01:08
*** ChanServ sets mode: +v ayoung01:08
*** markvoelker has joined #openstack-keystone01:13
*** markvoelker has quit IRC01:18
*** gokrokve has quit IRC01:20
*** gokrokve has joined #openstack-keystone01:20
*** tobe has quit IRC01:22
openstackgerritayoung proposed openstack/keystone-specs: Simplified template for backlog items.  https://review.openstack.org/17122601:22
*** davechen has joined #openstack-keystone01:22
davechenstevemar, dolphm: ping?01:24
*** gokrokve has quit IRC01:25
davechenstevemar, dolphm: may i ask you a question, pls?01:25
*** alanf-mc has quit IRC01:25
openstackgerritayoung proposed openstack/oslo.policy: Convert Exceptions to failures.  https://review.openstack.org/16590801:26
samueldmqdavechen, just ask, then when they are available they may see and reply to you01:28
samueldmqdavechen, also; someone else may have the answer you are looking for :)01:28
openstackgerritayoung proposed openstack/oslo.policy: Convert Exceptions to failures.  https://review.openstack.org/16590801:29
davechensamueldmq, stevemar, dolphm: yep, I just don't quite understand the default scope; per my understanding, it may be equivalent to unscoped in the context of getting a token.01:31
*** emagana has joined #openstack-keystone01:32
openstackgerritayoung proposed openstack/keystone: default policy  https://review.openstack.org/14011301:33
davechenI am trying to understand the inline comment in this patch: https://review.openstack.org/#/c/186310/1/doc/source/api_curl_examples.rst, the CURL request is actually for an unscoped token, so we will not get some service catalog in the response, is that true?01:33
*** dims_ has quit IRC01:35
*** setmason_ has joined #openstack-keystone01:36
davechenmaybe I missed something, but I checked with that request, there is indeed no service catalog returned, so I don't quite understand why I need to add the service catalog back, stevemar and dolphm, pls drop by if you see these messages. :)01:36
samueldmqdavechen, I am not aware what the 'default scope' said there means ... for me there are scoped tokens (you specify the scope); otherwise they are unscoped01:37
samueldmqdavechen, I am not sure what default scope means in that context01:37
davechenme either, so I am thinking whether it is an accurate desc.01:38
*** setmason has quit IRC01:39
*** setmason_ is now known as setmason01:39
davechenwhat does default scope mean?01:39
samueldmqdavechen, regardless of the scope, I think the service catalog may be present, i.e the services that are available and you could use01:39
*** dims_ has joined #openstack-keystone01:39
samueldmqdavechen, so I agree the service catalog should be there, as stated by them01:39
jamielennoxdavechen: so there is such a thing (unfortunately) as a default_project for users01:39
jamielennoxso that if they request a token with no scoping information then it will automatically scope to that project01:39
jamielennoxthis may be how you are seeing a service catalog when you don't expect one01:40
samueldmqjamielennox, oh that makes sense01:40
davechensamueldmq: i don't think so, if it's unscoped token, there will not be *project* or *domain* associated, where i can get the service catalog?01:41
samueldmqjamielennox, can a service catalog be present in an unscoped token ?01:41
davechensamueldmq: just try the CURL provided in the example, and check the source, you will see what i am trying to do :)01:41
jamielennoxsamueldmq: there was a spec i wrote to do that - but for now no01:41
samueldmqdavechen, ^01:41
samueldmqjamielennox, k thanks01:42
*** lhcheng has quit IRC01:43
jamielennoxdavechen: i haven't heard it said as "default scope" before, but i'm thinking it's the same as scoped to the default project, in which case there is a service catalog01:43
jamielennoxdavechen: to get that response when you create a user add --default-project <id> to your command line and you will see the difference01:43
davechenjamielennox: yes, I haven't heard too.01:43
davechen jamielennox: cool, I will try it, thx.01:44
openstackgerritayoung proposed openstack/keystone-specs: Hierarchical Roles  https://review.openstack.org/12570401:45
*** dims_ has quit IRC01:45
davechenjamielennox: I can understand default-project, but still not default scope, for me, it seems like unscoped actually.01:46
ayoungdavechen, unscoped tokens return no service catalog.  Only scoped tokens return a service catalog01:46
jamielennoxdavechen: so having a default project means you will get a scoped catalog by default01:47
davechenayoung: yes, so this is what i am trying to fix the doc, the doc is not accurate, since there is service catalog returned with the unscoped token.01:47
jamielennoxdavechen: the token you refer to is not unscoped01:47
jamielennoxi can see the project value in there - id=default01:48
davechenjamielennox: sure, so what about the default scoped, shall we return service catalog for such a *default* scope?01:48
jamielennoxah, oops - id=some uuid, name=admin01:48
jamielennoxdavechen: i think you are overthinking the concept of default scoped01:48
davechenjamielennox: I think so. :P01:48
samueldmqdavechen, default scope = user's default-project scope (if there is one, otherwise, unscoped)01:49
samueldmqjamielennox, is this accurate ? ^01:49
jamielennoxit's purely a keystone server concept, if a user requests a token and they don't specify a project then keystone will set the project to the default one from the user data and then proceed exactly the same if the user had asked for a project scoped token01:49
ayoungthe correct term is "token scoped to the user's default project"01:49
jamielennoxayoung: ++01:49
samueldmqayoung, ++01:49
davechenayoung: ++01:49
dolphmdavechen: if you give the user a default project ID, you'll get service catalog back in response to the example request01:49
ayoungWe need a karmabot01:50
* ayoung now has 3 points of karma01:50
jamielennoxayoung: you think you'd be positive?01:50
dolphmlol01:50
ayoungjamielennox, yes, as I implement a bot that can't go negative, just bottoms out at zero01:50
ayoungyou notice I assumed I was starting from 001:51
samueldmqhehehe01:51
davechendolphm: emm, so if I give a default project ID for the user, and not specify the project information in the CURL request, I will still get the service catalog returned?01:51
davechendolphm: I will have a try.01:52
*** tobe has joined #openstack-keystone01:52
*** bradjones has quit IRC01:52
dolphmdavechen: correct01:53
dolphmdavechen: you also have to explicitly assign that user a role on the project, but then you'll get a complete scoped token01:53
ayoungrpmquery -a | wc -l01:53
ayoung388001:53
ayounggah01:53
ayoungneed to remove something before upgrading to f2201:53
davechendolphm: i miss that part, thx.01:53
*** Qiming has joined #openstack-keystone01:54
jamielennoxayoung: f21 made a mess for me, i'm a little nervous about f2201:54
ayoungjamielennox, I'm expecting trouble.  Used to it01:54
ayoungI've found getting rid of as many RPMS as possible before the upgrade will help01:55
ayoungespecially all the new ones that our team has been developing, as I suspect I installed a few out of COPRs01:55
ayoungthis time, I also plan on making sure my /lib/python does not have pip installed files01:56
ayoungthat really messed me up last time01:56
jamielennoxyea, i try to limit coprs and installing things via pip etc01:56
jamielennoxright, pip overriding system packages is a disaster01:56
*** bradjones has joined #openstack-keystone01:56
Qiminggyee, around?01:56
jamielennoxbut it takes a few weeks to get like spotify working again01:56
*** emagana has quit IRC01:57
*** emagana has joined #openstack-keystone01:58
ayoungI'm doing google play.  $10/month, and I've yet to come across an album they don't have01:58
ayoungIt will kill the music industry and crush the artists, but most of the artists I like are already dead01:58
jamielennoxthey're all the same price - but i will switch to the first one that does proper DLNA support02:00
jamielennoxstupid spotify connect reimplements a complete industry standard so that it will only work on new, certain branded speakers02:00
jamielennox</rant>02:00
*** csoukup has joined #openstack-keystone02:01
davechenayoung: funny, these artists die too early.02:02
ayoungdavechen, not all of them.  Sonny Rollins is still alive and kicking.02:03
davechenayoung: I am also a fan of old songs and old artists.02:03
*** zzzeek has quit IRC02:04
samueldmqayoung, tomorrow I will update the overview spec02:06
samueldmqayoung, and we can struggle to get that in02:06
ayoungsamueldmq, thanks.  Maybe this time people will realize it is an overview02:07
samueldmqayoung, so people will start looking at the individual specs02:07
samueldmqayoung, ++02:07
samueldmqayoung, I will also start the fetch policy based on endpoint url02:07
samueldmqayoung, did you get dolphm 's thoughts on that ?02:07
ayoungdolphm, we had a discussion earlier today about fetching policy for an endpoint.  morganfainberg stated (firmly) that he wanted it fetched based on the endpoint's URL, not the endpoint ID.  Do you have an opinion?  I can see his point, and am willing to implement, but I'd rather we hash out the decision now02:08
ayoungsamueldmq, right there with you02:08
samueldmqayoung, nice02:09
samueldmqayoung, btw that should be only changing the GET policy right ?02:09
dolphman endpoint is more likely to know its own URL than its keystone-assigned ID, so that makes sense to me02:09
samueldmqayoung, or should we enable all the CRUD by url ?02:09
dolphmless fussy configuration for sure02:09
ayoungdolphm, that is what we figured, and the cms would know the url ahead of time, too02:09
ayoungso it could put the url in the config file so the endpoint knows its own before any call to keystone02:10
ayoungdolphm, OK, so last question is the URL to fetch it.  Suggesting in a couple  seconds...02:10
ayoungif we were keeping the endpoint_policy in an extension, we'd put the url in the extension, but now it is in the main keystone routes02:11
ayounghttp://git.openstack.org/cgit/openstack/keystone-specs/tree/api/v3/identity-api-v3.rst#n5365  is GET /policy02:11
ayoungbut it is followed by an id,  I was thinking:02:11
ayoungGET /policies?url=<endpointurl>02:12
dolphmlike, GET /v3/policies?endpoint_url={encoded_url} ?02:12
ayoungdolphm, ^^ sound about right?02:12
ayoungyeah02:12
dolphm:)02:12
ayoungsamueldmq, and there you have it02:12
dolphmseems natural to have it as an attribute of a policy02:13
samueldmqdolphm, do you have an oracle ?02:13
samueldmq:-)02:13
ayoungsamueldmq, nah, I've just learned to think like dolph from time to time02:13
dolphm+102:13
samueldmqcool, I will be observing from now, maybe I can learn too02:14
ayoung"for all our mutual experience our separate conclusions are the same"  Billy Joel, Summer, Highland Falls02:14
samueldmq:)02:14
samueldmqayoung, so it will just be adding  an optional query parameter to http://git.openstack.org/cgit/openstack/keystone-specs/tree/api/v3/identity-api-v3.rst#n531902:15
samueldmqayoung, am I right ? and the other operations (CUD) won't be affected02:16
*** dsirrine has quit IRC02:20
*** kiran-r has joined #openstack-keystone02:20
ayoungsamueldmq, well, from an API perspective, it is a new API, as /policies does not currently return anything.  the api is /policies/<id> today02:20
ayoungbut beyond that, yeah, no other changes02:20
ayoungshould be only one new function in the controller02:20
samueldmqayoung, /policies does02:20
* ayoung goes to confirm assumptions02:20
samueldmqayoung, look at the example http://git.openstack.org/cgit/openstack/keystone-specs/tree/api/v3/identity-api-v3.rst#n531902:20
ayoungah, right, it lists the policies02:21
samueldmqayoung, yeah, and that's what we want to do, applying a new filter :)02:21
ayoungOK,  even simpler02:21
samueldmqayoung, yeah :D02:21
samueldmqayoung, and everybody should be happy with it02:22
samueldmqayoung, btw, should  a cms be able to POST a policy based on the URL ?02:23
ayoungsamueldmq, I don't think so02:23
samueldmqayoung, it is deploying the cloud , it knows the urls/services .. should be in the same path02:23
ayoungnah, policies are assigned to endpoints via a different mechanism.  See the endpoint_policy spec02:24
ayoungBut there it would need to know the endpoint id, and that is probably beyond the scope of this here02:24
ayoungI would expect a cms to maybe post the default policy, but not a per-endpoint policy02:24
*** rwsu has quit IRC02:25
samueldmqayoung, k, let's keep it simple and implement the fetch thing02:25
ayoung++02:25
samueldmqayoung, if there are any request for that in the future, we then implement :)02:25
samueldmqrequests*02:26
ayoungsamueldmq, in general, the goal is for endpoints to be able to fetch by their own identity, but we can assign either a default or a per-service policy file, as well as an endpoint specific policy file02:26
samueldmqayoung, yeah I understand, that's important to the ksmiddleware02:26
samueldmqayoung, which will have access to the endpoint's URL which it's serving02:27
ayoungright on02:27
samueldmqayoung, and ask keystone for the right policy02:27
samueldmqayoung, and ksmiddleware will get that from a config file :)02:27
ayoungdolphm, was there any reason you did not implement a "default" when doing endpoint_policy?02:27
samueldmqayoung, I think I got that o/02:27
ayoungwas it just that we had not good example of a policy file that we could return for all services yet?  The need for the unified policy file?02:29
stevemarmorganfainberg, ready for slide making soon!?02:30
dstanekdolphm: ayoung: just catching up - also i don't think the templated catalog had ids for endpoints02:30
ayoungdstanek, yeah, of course.  Good point02:30
*** setmason has quit IRC02:31
morganfainbergstevemar: doing a meetup thing for a few more minutes but will be soon.02:32
dolphmdstanek: oh true02:34
dolphmdstanek: i think it *should* but even if it did, they wouldn't be consistent02:34
stevemarmorganfainberg, cool cool, finishing up a few things myself02:36
samueldmqdolphm, why a fernet token is considered too long if it has length > 255, and not > 256?02:38
samueldmqdolphm, sorry it can be a dumb question02:39
ayoungsamueldmq, needs to fit in the index field of a database table02:40
ayoung255 is max02:40
samueldmqayoung, I was supposing an offset ... at least assuming its minimal length is  102:41
dstanekayoung: why? they aren't persisted02:42
samueldmqayoung, so that 1-256 in that case02:42
ayoungdstanek, not in Keystone they aren't, but they might be elsewhere02:42
ayoungit's a goal to make them small enough to fit in those fields02:42
ayoungthat was why that particular number02:43
dstanekah, that makes sense02:43
samueldmqhmmm, yes02:45
samueldmqthanks02:45
*** samueldmq has quit IRC02:53
*** spandhe has quit IRC02:56
*** kiran-r has quit IRC02:56
*** kiran-r has joined #openstack-keystone02:57
lbragstadwe knew that they needed to be small but we also weren't sure if we could get them around 100 characters... 255 seems like a reasonable limit too02:57
lbragstad(hence some of the tricks to save space)02:58
*** mdrnstm has joined #openstack-keystone03:01
*** ChanServ sets mode: +v mdrnstm03:01
gyeeQiming, yes03:01
mdrnstmstevemar: oh hai03:02
*** markvoelker has joined #openstack-keystone03:02
gyeemdrnstrm, what did you do to morganfainberg?03:02
ayounglbragstad, you probably did not implement the binding portion of the token, did you?  The thing that says a token can only be used with a specific X509 or Kerberos Principal?03:02
*** spandhe has joined #openstack-keystone03:02
mdrnstmgyee: shhhh03:02
* mdrnstm is hiding03:02
Qiminghi, gyee, could you help point me to a sample test case how a policy.json entry change should be tested03:02
lbragstadayoung: checking the code03:03
*** kiran-r has quit IRC03:03
gyeeQiming, one sec03:03
ayounglbragstad, I don't see how you could have.  I would have to e in the signed body of the token03:03
rodrigodslbragstad, commented in the fernet size change, just suggested to make a clearer commit message and add a comment in the check03:03
lbragstadayoung: yeah, you're right https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/core.py#L49-L5203:04
*** _cjones_ has joined #openstack-keystone03:04
ayounglbragstad, good enough03:04
gyeeQiming, see this patch, https://review.openstack.org/#/c/164848/03:04
ayounglbragstad, someday tokens will go away.03:04
Qiminggyee, thanks, will check03:04
gyeeQiming, test_policy.py and test_v3_protection.py03:04
*** _cjones_ has quit IRC03:05
Qiminggot it, gyee03:05
*** _cjones_ has joined #openstack-keystone03:05
mdrnstmstevemar: ok here now03:06
mdrnstmstevemar: sitting around the meetup and looking at the slides03:06
*** gyee is now known as operator9903:06
*** markvoelker has quit IRC03:06
mdrnstmstevemar: i'll get the extra diagram for the internal Keystone architecture diagram tonight03:07
mdrnstmstevemar: since i just had to draw some of that up03:07
rodrigodsmdrnstm, stevemar another talk already?03:09
*** someara2 has joined #openstack-keystone03:11
mdrnstmrodrigods: yep03:11
mdrnstmrodrigods: actually a number of talks :P03:11
rodrigodswhere?03:11
mdrnstmrodrigods: Cloud Identity Summit, OpenStack CEE, and some others03:11
rodrigodsmdrnstm, cool! :)03:12
* rodrigods still catching up with the presentations of the summit03:12
openstackgerritLance Bragstad proposed openstack/keystone: Log warning for Fernet tokens over 255 chars  https://review.openstack.org/18639603:13
lbragstadrodrigods: ^ done, thanks for the review!03:14
mdrnstmjamielennox: when do you want to do the next KSA release?03:14
rodrigodslbragstad, thanks!03:14
jamielennoxmdrnstm: i was going to start seeing what the ksc on ksa patches look like, what fixes are required03:14
mdrnstmjamielennox: would a 0.2.0 with current state of the repo make sense?03:15
mdrnstmfor this integration - things have moved a fair bit since the 0.1.003:15
jamielennoxmdrnstm: sure - doesn't make much difference to me yet03:15
mdrnstmok let me drop a 0.2.0 in03:15
stevemarmdrnstm, lookin' now03:16
mdrnstmjamielennox: tagged03:17
mdrnstm0.2.0 released03:17
mdrnstmjamielennox: for the next one i'm going to get us moved to the keystoneauth1 package03:17
mdrnstmand get the virtual package (keystoneauth) spun up.03:18
*** liusheng has quit IRC03:27
marekddolphm: i haven't yet. (re:Fernet)03:27
mdrnstmstevemar: what tool did you use to make the images in the presentation ?03:28
stevemarmdrnstm, i used inkspace03:29
stevemarinkscape*03:29
mdrnstmstevemar: ahh ok03:29
mdrnstmyeah i have inkscape03:29
stevemarlet me send you the file i have saved03:30
*** someara2 has quit IRC03:30
mdrnstmnice03:30
mdrnstmthat'll help some03:30
stevemardone03:31
mdrnstmstevemar: thnx03:32
*** someara2 has joined #openstack-keystone03:34
ayoungmdrnstm, stevemar you can automate the conversion of inkscape files to png if you need to03:39
ayoung%.eps: %.svg03:40
ayoung        inkscape -z -f $< -D --export-area-snap -E $@03:40
*** _cjones_ has quit IRC03:40
ayoung^^ for example that come out of the makefile I used for the latex based presentation03:40
*** someara2 has quit IRC03:40
ayoungI'm actually working on an internal talk for our support folks for the 16th.  I might steal some of your slides.03:41
*** someara2 has joined #openstack-keystone03:42
*** Qiming_ has joined #openstack-keystone03:43
*** Qiming has quit IRC03:43
*** Qiming__ has joined #openstack-keystone03:44
*** Qiming__ is now known as Qiming03:44
*** someara2 has quit IRC03:46
*** Qiming_ has quit IRC03:47
*** someara2 has joined #openstack-keystone03:57
mdrnstmayoung: of course. happy to have you steal slides03:57
* mdrnstm is hoping to really get to spend some time with the slides next week to do another round of polish03:58
mdrnstmbut...03:58
mdrnstmdone is often "good enough"03:58
ayoungmdrnstm, I'm repurposing a few of my own from a year or so back03:59
ayoungHIJ  was past present and future then04:00
*** setmason has joined #openstack-keystone04:00
ayoungmdrnstm, your presentation is basically "what is keystone"  right?04:01
mdrnstmayoung: uhmm...04:01
mdrnstmayoung: a bit more nuts and bolts but yes04:02
ayoungMy slide decks are all here http://adam.younglogic.com/presentations/04:02
mdrnstmayoung: next week going to refloat the idea of getting us official publications04:02
*** markvoelker has joined #openstack-keystone04:02
ayoungfeel free to snag any, or let me know if you want any of the slides there in some other format04:03
mdrnstmayoung: cool.04:03
mdrnstmwill check them out04:03
mdrnstmthnx04:03
ayoungI like the sequence diagram I did for token auth in the dynamic policy one.  Used a python tool...04:03
ayoungthe source was very simple04:03
ayounghttp://interactive.blockdiag.com/seqdiag/?compression=deflate&src=eJx1Uk1PAjEQvfMrGk6QgAvoQYNLYgJ61ERvYkjpzrINTbu2ZSMSEu_-S3-Js7vdD9ilp7bz3sx7M2PgM-B0Qw4dkp0AQroTdhUqaQ3_BuKTyWjqgiamchUB30QW_8f47wI0jt2NCQ7SuodUCS0QOxtZtQVZ4DC_VkKAdh9ryjAauFesBGd799jC3lgloVaNDGeuFHkXdA0C9XQRFPfubh_mj4u_n99-92N6IirlFKkcy---PL--keTaS_V5mUDT4N0Pm7wM2lYh9Xya3UsmV2NvKQ3oBLTBW65xNMcrZZarWqKMjmnKfpW5GBWiwlXxNldPi8zUuZ-K1GaJMgbGEC5DdaFONbQLqmoAhLuRlt04:06
ayounggQLItIbr6Vg6rOOXnTlvLAAz9nHlup_sztTMkE9KEZ9FIQfNkByVs9IJbqDdj-hba0eNRgYoXjO5sSgptTamKrJTpZjcnopqYANzqtnUOnnWPnHxWEF_s04:06
ayounghmm, let me tinyurl that04:06
ayoungmdrnstm, stevemar http://tinyurl.com/q8sp6q704:07
mdrnstmayoung: darn irc with message length!04:07
mdrnstmayoung: ok that is a cool tool04:07
mdrnstmvery cool04:07
ayoungmdrnstm, there are other diagram types there, too04:07
mdrnstmsequence diagrams are awesome04:07
ayoungif you tool around with that "other diagram type" dropdown in the top right04:07
*** markvoelker has quit IRC04:07
ayoungI liked the seq diagrams from that best, used latex library for UML, and some inkscape for freehand drawings04:08
ayoungah, and I used dia for the diagram that explained HTM.  It just came out cleaner.04:10
*** someara2 has quit IRC04:10
*** iamjarvo has joined #openstack-keystone04:14
stevemarayoung, pretty neat guy04:14
ayoungstevemar, thanks04:14
ayoungas I said, let me know if you want any of them.04:15
ayoungBeamer and latex for presentations work very nicely04:15
mdrnstmstevemar: ok i need to jump off being asked keystone questions cause i am at this meetup-y thin04:17
mdrnstmg04:17
mdrnstmstevemar: will continue with diagrams and such tonight04:17
mdrnstmhope to have k2k and keystone internal architecture done by then04:17
stevemarmdrnstm, i fully intend on continuing tonight04:17
stevemaruntil most of it is done04:18
mdrnstmstevemar: i might need wine or whisky tonight to complete it04:18
mdrnstmbecause i also need to do expense reports04:18
stevemari'll need tea or coffee04:18
mdrnstmirish coffee!04:18
mdrnstm;)04:18
mdrnstmbbib04:18
mdrnstmbbiab*04:18
stevemari *tried* to do my ERs but .... hotel wasn't on my amex yet :(04:18
*** mdrnstm has quit IRC04:18
stevemarstupid lack of next-day transaction04:18
ayoungok, rebooting to upgrade.  wish me luck04:21
*** ayoung has quit IRC04:21
*** _cjones_ has joined #openstack-keystone04:37
*** setmason has quit IRC04:48
*** setmason has joined #openstack-keystone04:50
*** tobe has quit IRC04:52
*** _cjones_ has quit IRC04:53
*** _cjones_ has joined #openstack-keystone04:53
*** _cjones_ has quit IRC04:54
*** nikil22 has joined #openstack-keystone05:05
nikil22hi how to enable https in keystone ? I did [ssl] enable=true in keystone.conf. Is there anything else we have to do?05:06
stevemarnikil22, are you using devstack to deploy?05:08
stevemarit has to be done at deployment, or else all your endpoints are going to be messed up05:08
nikil22+stevemar: I am trying in Redhat 7.0 with juno05:09
nikil22+stevemar during deployment i did not enable any ssl options05:10
*** iamjarvo has quit IRC05:10
nikil22+stevemar , now i just enabled ssl in keystone.conf and restarted the services and tried the cli command it throws me error "SSL exception connecting to https:/MY-IP"05:11
*** tobe has joined #openstack-keystone05:14
stevemarnikil22, are you running keystone under apache or with eventlet?05:16
nikil22+stevemar : how to check if it is with apache or eventlet ? In keystone.conf in comments i see "eventlet"05:19
*** lhcheng has joined #openstack-keystone05:22
*** ChanServ sets mode: +v lhcheng05:22
*** kiran-r has joined #openstack-keystone05:23
stevemarnikil22, check where your apache or httpd server is running and see if there is a keystone.conf file? what do the keystone logs say? if you're running keystone under apache it should be much easier to enable ssl05:23
nikil22+stevemar yes apache is running but in keystone.log i do see some error related to eventlet , "http://paste.openstack.org/show/243978/"05:31
*** lhcheng_ has joined #openstack-keystone05:32
stevemarthat error shows that your keystone is already running05:33
stevemarand you are trying to start it by doing $keystone-all05:33
stevemarlet apache start the process instead05:33
nikil22+stevemar : yes i changed enable = True under [ssl] in keystone.conf and restarted the service05:34
nikil22+stevemar so first i have to stop keystone all service? then start keystone with apache?05:34
stevemardon't restart the service with $keystone-all, that's only related to eventlet05:34
stevemarjust restart your webserver05:34
stevemar$service apache restart (or whatever you are using)05:34
*** lhcheng has quit IRC05:36
stevemarthen add the appropriate SSL config entries to your keystone vhost file under apache05:36
stevemarhttps://developer.rackspace.com/blog/configure-keystone-apache/05:36
stevemar#SSLEngine on05:36
stevemar#SSLCertificateFile /etc/ssl/certs/mycert.pem05:36
stevemar#SSLCertificateKeyFile /etc/ssl/private/mycert.key05:36
stevemar#SSLVerifyClient optional05:36
*** setmason_ has joined #openstack-keystone05:40
*** setmason has quit IRC05:43
*** rushiagr_away is now known as rushiagr05:44
*** setmason_ has quit IRC05:46
*** tobe has quit IRC05:47
*** markvoelker has joined #openstack-keystone05:52
nikil22+stevemar : i don't see any vhost file in /etc/httpd folder also httpd.conf i see the port only for 80 and there is no " #Listen 5000" in the config file. So still i am first not clear does keystone server is using apache or not05:53
nikil22+stevemar : Is there any config option in keystone.conf where i should change to apache ?05:54
*** markvoelker has quit IRC05:56
*** browne has joined #openstack-keystone05:58
*** kiran-r has quit IRC05:58
*** csoukup has quit IRC06:03
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/18627906:06
*** spandhe has quit IRC06:07
*** tobe has joined #openstack-keystone06:15
*** raghava has joined #openstack-keystone06:32
stevemarmorganfainberg, allo?06:33
morganfainbergstevemar: just finished food. Looking at diagrams now.06:37
morganfainbergBeen a long day.06:37
stevemari hear ya :(06:39
stevemari have something more or less working for the authN bits06:39
stevemarjust needs to be tighter06:39
*** dguerri`away is now known as dguerri06:41
openstackgerritQiming Teng proposed openstack/keystone: Enable service role to list/get users  https://review.openstack.org/18129806:42
*** e0ne has joined #openstack-keystone06:42
*** ajayaa has joined #openstack-keystone06:43
stevemarmorganfainberg, i like your comments06:46
morganfainbergstevemar: thought you would06:46
*** dguerri is now known as dguerri`away06:46
*** e0ne has quit IRC06:49
stevemarmorganfainberg, we're almost done-ish06:50
morganfainbergyah trying to figure out the *best* way to show the keystone architecture06:50
morganfainbergi think i'm going to highlight the key backends06:50
*** woodster_ has quit IRC06:50
stevemarmorganfainberg, did you want to expand on the 'future' section? or just speak to the points?06:51
morganfainbergidentity, resource, assignment, assignment.roles, etc06:51
morganfainbergstevemar: i'll probably expand a little06:51
stevemari also don't know jack about CORS, so i'm going to nuke that part06:51
morganfainbergCORS = browser lets user access things from <not this specific host>06:51
morganfainbergit is just a way to break the "everything from one place" lockin06:51
morganfainbergthe wikipage is more than you need to know to talk about it06:52
morganfainbergthe server sends headers browser has to^w^wshould obey headers. no extra security is conveyed06:52
*** lhcheng_ has quit IRC07:00
*** kiran-r has joined #openstack-keystone07:04
*** dguerri`away is now known as dguerri07:07
*** dguerri is now known as dguerri`away07:08
*** davechen has left #openstack-keystone07:10
*** davechen has joined #openstack-keystone07:11
morganfainbergoh i see a henrynash07:11
morganfainbergand an operator9907:12
morganfainbergoh ha nice gyee.07:12
henrynashhi07:12
morganfainberghenrynash: hows the new home?07:12
* morganfainberg pokes at stevemar with a stick. 07:12
henrynashmorganfainberg: excellent, thanks07:12
morganfainberghenrynash: great to hear!07:13
morganfainberghenrynash: i mean... we're not all jealous or anything :P07:13
*** spandhe has joined #openstack-keystone07:13
stevemarhenrynash, !!07:14
henrynashstevemar, morganfainberg: :-)07:14
*** spandhe_ has joined #openstack-keystone07:16
stevemarhenrynash, did you look into hotels for nice yet?07:16
*** spandhe has quit IRC07:19
*** spandhe_ is now known as spandhe07:19
*** pnavarro has joined #openstack-keystone07:23
*** henrynash has quit IRC07:29
*** rlt_ has joined #openstack-keystone07:38
*** jistr has joined #openstack-keystone07:38
*** markvoelker has joined #openstack-keystone07:40
*** markvoelker has quit IRC07:45
*** pnavarro has quit IRC07:46
*** stevemar has quit IRC07:55
*** BrAsS_mOnKeY has quit IRC07:56
openstackgerritDave Chen proposed openstack/keystone: `api_curl_examples.rst` is out of date  https://review.openstack.org/18631008:02
*** dguerri`away is now known as dguerri08:04
*** g2` has joined #openstack-keystone08:06
*** dims_ has joined #openstack-keystone08:12
*** dims_ has quit IRC08:18
*** tobe has quit IRC08:23
*** tobe has joined #openstack-keystone08:29
*** spandhe has quit IRC08:32
*** fhubik has joined #openstack-keystone08:47
*** davechen has left #openstack-keystone08:55
*** bdossant has joined #openstack-keystone08:58
*** fhubik is now known as fhubik_afk09:01
*** markvoelker has joined #openstack-keystone09:29
*** markvoelker has quit IRC09:34
*** fhubik_afk is now known as fhubik09:34
*** aix has joined #openstack-keystone09:41
*** fhubik has quit IRC09:41
*** fhubik has joined #openstack-keystone09:41
*** browne has quit IRC09:43
*** browne has joined #openstack-keystone09:43
*** dims_ has joined #openstack-keystone09:51
*** Qiming has quit IRC10:03
*** afazekas has joined #openstack-keystone10:12
*** samueldmq has joined #openstack-keystone10:30
samueldmqmorning10:30
marekdhey10:31
*** henrynash has joined #openstack-keystone10:45
*** ChanServ sets mode: +v henrynash10:45
*** dims_ has quit IRC10:52
*** aix has quit IRC10:54
samueldmqhmmm ... /whois operator9910:59
samueldmq[operator99] is logged in as gyee10:59
samueldmqhehe :)10:59
*** markvoelker has joined #openstack-keystone11:18
*** markvoelker has quit IRC11:22
openstackgerritNikita Konovalov proposed openstack/python-keystoneclient: Fix logging of binray contentent in request  https://review.openstack.org/18351411:33
*** tobe has quit IRC11:39
*** aix has joined #openstack-keystone11:45
*** fhubik is now known as fhubik_afk11:46
*** dims_ has joined #openstack-keystone11:50
*** rushiagr is now known as rushiagr_away11:50
kragnizis there a link to the design summit etherpads around?11:52
dims_kragniz: wiki.openstack.org/wiki/Summit/Liberty/Etherpads11:57
kragnizdims_: yeah, but the keystone section is empty :(11:59
*** nikil22 has quit IRC11:59
dims_duh! sorry11:59
*** markvoelker has joined #openstack-keystone11:59
kragnizthat's okay!12:00
dims_kragniz: there are links off of this gist which seem to have some etherpads with info - https://gist.github.com/dstanek/fa40364d5c13657d61c712:02
*** kiran-r has quit IRC12:05
*** kiran-r has joined #openstack-keystone12:05
*** aix has quit IRC12:06
kragnizdims_: thanks, that led to the one I think I was looking for12:06
kragnizkeystone people, is the keystoneauth library likely to get to a 1.0.0 release in L?12:08
*** aix has joined #openstack-keystone12:08
*** tobe has joined #openstack-keystone12:13
*** tobe has quit IRC12:14
*** fhubik_afk is now known as fhubik12:15
*** kiran-r has quit IRC12:16
dstanekkragniz: that gist unfortunately only has some12:22
dstaneki hope that we were able to pull the non-OpenStack etherpad content back in12:22
*** fhubik is now known as fhubik_afk12:30
*** fhubik_afk is now known as fhubik12:31
*** bdossant_ has joined #openstack-keystone12:33
*** bdossant has quit IRC12:35
*** ayoung has joined #openstack-keystone12:36
*** ChanServ sets mode: +v ayoung12:36
*** Guest66545 has joined #openstack-keystone12:37
samueldmqmorganfainberg, let me know if you need someone to feed https://wiki.openstack.org/wiki/Design_Summit/Liberty/Etherpads#Keystone12:37
*** ChanServ sets mode: +v Guest6654512:37
samueldmqmorganfainberg, I can do that later today12:37
samueldmqayoung, good morning12:37
*** jsavak has joined #openstack-keystone12:38
openstackgerritLouis Taylor proposed openstack/keystoneauth: Remove i18n stub  https://review.openstack.org/18674812:39
openstackgerritMarek Denis proposed openstack/keystone: Update testing keystone2keystone doc  https://review.openstack.org/18639512:42
*** rushiagr_away is now known as rushiagr12:43
*** woodster_ has joined #openstack-keystone12:50
*** gsilvis has quit IRC12:50
*** radez_g0n3 is now known as radez12:54
*** afaranha has quit IRC12:56
*** henrynash has quit IRC12:58
*** afaranha has joined #openstack-keystone12:59
*** afaranha has left #openstack-keystone12:59
*** sigmavirus24_awa is now known as sigmavirus2413:01
samueldmqayoung, hello, I'd like to talk about how often the ksmiddleware will ask keystone for the service's policy and update it (as a file for now, as we defined for this first step)13:02
openstackgerritLouis Taylor proposed openstack/keystoneauth: Remove i18n stub  https://review.openstack.org/18674813:03
openstackgerritPhil Hopkins proposed openstack/keystone: updates sample_data script to use the new openstack commands  https://review.openstack.org/18656013:03
ayoungsamueldmq, configurable timeout, like the certificates13:03
ayoungcache for one minute by default13:03
samueldmqayoung, great!13:04
ayoungunless you have a better idea.  We have some thoughts around eventing, but I think we need the cache approach first, and then we'll use eventing in the future13:04
samueldmqayoung, and where that config option for the endpoint_url will be?13:04
samueldmqayoung, I mean, what is the config ksmiddleware use ?13:04
ayoungsamueldmq, all that goes in the auth_token section of the config file.13:04
samueldmqayoung, nice13:04
samueldmqayoung, for now, let's do this .. as it's simpler13:04
samueldmqayoung, we can change for events later if we need/want/decide to13:05
ekarlsoheya guys, will keystoneauth become usable anytime soon ?13:05
ayoungsamueldmq, yep13:05
openstackgerritMarek Denis proposed openstack/keystoneauth: Rename federated.py to federation.py  https://review.openstack.org/18675313:05
*** dsirrine has joined #openstack-keystone13:07
*** Ephur has joined #openstack-keystone13:18
ayoungekarlso, soonish13:20
*** raghava has quit IRC13:23
*** afaranha has joined #openstack-keystone13:23
samueldmqayoung, do I need a spec for /policies?url=<endpoint_url>13:28
samueldmqayoung, or is the API spec enough? need a bp ?13:28
*** afaranha has left #openstack-keystone13:29
ayoungsamueldmq, I think API spec is enough13:29
*** gsilvis has joined #openstack-keystone13:29
samueldmqayoung, ++13:30
*** henrynash has joined #openstack-keystone13:30
*** ChanServ sets mode: +v henrynash13:30
dstanekayoung: it should be configurable on the keystone server side though and use http headers13:31
ayoungdstanek, the cache policy?  Yep13:32
ayoungsamueldmq, ^^13:32
samueldmqdstanek, ayoung could you clarify this for me ?13:32
samueldmqthe option being read by ksmiddleware is clear, but the part it is configurable in the keystone server13:32
ayoungsamueldmq, when we fetch the file, read the http headers13:32
samueldmqI am not sure how kserver tells middleware about it13:33
ayoungthe value in the http header should come from a keystone config option13:33
samueldmqayoung, and kserver pass the timeout to be considered ?13:33
samueldmqto ksmiddleware13:33
ayoungyes13:33
samueldmqayoung, dstanek got it, thanks13:33
dstaneksamueldmq: right, keystone will tell the client how long to cache13:33
samueldmqnice13:33
dstaneksince we are trending toward a "REST" service i'd love to see us get more of the basics implemented13:34
*** rushiagr is now known as rushiagr_away13:35
openstackgerritRodrigo Duarte proposed openstack/keystone: Add "enabled" to create service provider example  https://review.openstack.org/18640213:35
samueldmqdstanek, ++13:35
ayoungdstanek, do we have support for headers like that now?13:36
dstanekayoung: we just need to add them to the response, probably from the controller layer - might be a small amount of work to get there13:37
ayoungdstanek, would we need to configure the durations per resource?13:40
dstanekayoung: only for things we care about13:40
ayoungthis seems like scope creep here...not a bad idea, but too much for just policy to cover13:41
dstaneki'll try to work up an example today13:41
ayoungdstanek, how about a spec instead?13:41
dstanekayoung: adding a header is too much?13:41
ayoungdstanek, adding headers to all APIs13:41
dstanekyou don't have to do that13:41
ayoungdstanek, most of our data is fetched and potentially cached...if we do it at one place, we should make the mechanism available across the board13:42
ayoungtokens, for example, should be cached for the lifespan of the token.13:42
ayoungok...once more attempting to upgrade.  wish me luck.  If you don't hear from me in a few minutes, my laptop is probably stuck13:43
*** ayoung has quit IRC13:43
dstanekayoung: right, that is adding scope creep - all i'm saying is you should do it for the policy since that is the spec you are talking about13:43
*** henrynash has quit IRC13:44
*** gokrokve has joined #openstack-keystone13:45
*** gokrokve has quit IRC13:45
*** gokrokve has joined #openstack-keystone13:46
*** gsilvis has quit IRC13:47
*** lufix_ has joined #openstack-keystone13:47
*** aix has quit IRC13:49
*** aix has joined #openstack-keystone13:49
*** bdossant_ has quit IRC13:52
*** bdossant has joined #openstack-keystone13:52
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone-specs: Listing policies filtered by service endpoint URL  https://review.openstack.org/18676513:53
samueldmqdstanek, ^13:53
samueldmqdstanek, I also created a blueprint to point to ... that shouldn't hurt :)13:53
dstaneksamueldmq: nice, i'll take a look in a few13:54
*** blewis has joined #openstack-keystone13:54
samueldmqdstanek, great thanks, I am going afk for a bit, will be back soon13:55
*** henrynash has joined #openstack-keystone13:56
*** ChanServ sets mode: +v henrynash13:56
*** fhubik has quit IRC13:57
*** ayoung has joined #openstack-keystone14:03
*** ChanServ sets mode: +v ayoung14:03
*** emagana has quit IRC14:04
*** Ephur has quit IRC14:05
*** sigmavirus24 is now known as sigmavirus24_awa14:06
*** htruta has quit IRC14:06
*** afazekas has quit IRC14:06
*** ajayaa has quit IRC14:10
*** bdossant has quit IRC14:12
*** henrynash has quit IRC14:14
*** blewis` has joined #openstack-keystone14:15
*** gsilvis has joined #openstack-keystone14:15
*** henrynash has joined #openstack-keystone14:15
*** ChanServ sets mode: +v henrynash14:15
*** dims_ has quit IRC14:16
*** csoukup has joined #openstack-keystone14:18
*** blewis has quit IRC14:18
*** timcline has joined #openstack-keystone14:21
*** Ephur has joined #openstack-keystone14:21
*** bdossant has joined #openstack-keystone14:23
*** gsilvis has quit IRC14:24
*** htruta has joined #openstack-keystone14:25
*** sigmavirus24_awa is now known as sigmavirus2414:25
*** jistr has quit IRC14:26
*** ayoung has quit IRC14:29
openstackgerritDavid Stanek proposed openstack/keystone: Removes KVS catalog backend  https://review.openstack.org/15844214:30
openstackgerritDavid Stanek proposed openstack/keystone: Adds missing list_endpoints tests  https://review.openstack.org/17643414:30
openstackgerritDavid Stanek proposed openstack/keystone: Adds proper isolation to templated catalog tests  https://review.openstack.org/17455614:30
marekdjamielennox: dstanek morganfainberg: do we have ksa stable date already scheduled (or plans for that coming in relatively soon) ?14:32
*** nkinder has quit IRC14:38
*** stevemar has joined #openstack-keystone14:39
*** ChanServ sets mode: +v stevemar14:39
*** ayoung has joined #openstack-keystone14:44
*** ChanServ sets mode: +v ayoung14:44
*** jistr has joined #openstack-keystone14:47
openstackgerritDavid Stanek proposed openstack/keystone: Removed dependency.provider  https://review.openstack.org/16302914:49
openstackgerritDavid Stanek proposed openstack/keystone: Removed optional dependency support  https://review.openstack.org/16277014:49
openstackgerritDavid Stanek proposed openstack/keystone: Decouple notifications from DI  https://review.openstack.org/16276914:49
marekdstevemar: bonjour, sir14:50
marekdstevemar: speaking of pull requests - i split them a little bit, but eventually they are a chain of commits, added on top of older ones14:51
marekdyou can probably merge just the latest one.14:51
stevemarmarekd, excellent14:52
stevemarmarekd, i think i did it?14:53
stevemari'm too used to gerrit14:53
marekdstevemar: me too, unfortunately14:54
marekdstevemar: that's why i made so many PRs14:54
stevemarlooks like it worked14:54
stevemardoes it pass tox?14:54
marekdstevemar: anyways, i am thinking about adding some exec so one can run it from cmdline, inject mapping rules and some input (env like) and see the output - do you think it's ok for a lib to add it there?14:55
marekdstevemar: passes pep8,py27, doesn't pass py34 with some error "cannot find db type"14:55
stevemarmarekd, that was my other intention for the library :)14:55
marekdstevemar: i know- the questions whether we add something like 'bin' directory there or add another repo?14:56
marekdstevemar: personally i am ok for a bin like dir14:56
stevemari was thinking, we should bug infra and get this online for v0.114:56
stevemarbin directory !14:56
stevemarthe project shouldn't get much bigger than where it is now14:56
marekdstevemar: can you try out py34 ?14:56
stevemarbin directory + docs and call it done14:56
stevemarsure, let me load everything up14:57
marekdstevemar: my error might be something local, not code related.14:57
marekdonce we have it gerrit i can push some changes so keystone starts depending on it.15:00
*** emagana has joined #openstack-keystone15:02
dstanekmarekd: that db type error is due to having a .testrepository directory15:02
openstackgerritDavid Stanek proposed openstack/keystone: Refactor: create the lookup object once  https://review.openstack.org/18318715:05
openstackgerritDavid Stanek proposed openstack/keystone: Refactor: use __getitem__ when the key will exists  https://review.openstack.org/18318815:05
openstackgerritDavid Stanek proposed openstack/keystone: WIP: reduce redundant get_user calls  https://review.openstack.org/18318915:05
openstackgerritDavid Stanek proposed openstack/keystone: Order routes so most frequent requests are first  https://review.openstack.org/18278115:05
*** zzzeek has joined #openstack-keystone15:06
marekddstanek: you are right, it worked15:08
marekdthanks.15:08
dstanekmarekd: no problem15:08
marekdstevemar: looks like py34 are passing too :-)15:08
marekdstevemar: who should we ask for gerrit repo for keystone-mapper?15:10
stevemarmarekd, yeah i suspect if py27 passes then so should py34 :)15:10
stevemarummm15:10
stevemarlets go to infra and find out15:10
dstanekwe'll soon be competing with puppet for most project repos!15:11
marekdstevemar: openstack-infra ?15:11
stevemary15:12
*** hemnafk is now known as hemna15:14
stevemarmarekd, i'll start going through the steps in a minute15:14
stevemarlets not clobber each other on launchpad15:14
marekdstevemar: ok, thanks!15:15
stevemarmarekd, you've done enough, rest up15:15
stevemar:P15:15
marekdi will finish what i am working on right now and start playing with cmd15:15
marekdstevemar: i am always behind you in that matter :P15:15
*** dims_ has joined #openstack-keystone15:16
*** ajayaa has joined #openstack-keystone15:18
*** ajayaa has quit IRC15:26
*** someara2 has joined #openstack-keystone15:33
*** someara2 has quit IRC15:34
*** someara2 has joined #openstack-keystone15:34
*** dsirrine has quit IRC15:39
*** gyee has joined #openstack-keystone15:41
*** ChanServ sets mode: +v gyee15:41
*** bdossant_ has joined #openstack-keystone15:41
*** bdossant has quit IRC15:41
*** dsirrine has joined #openstack-keystone15:43
*** ayoung has quit IRC15:45
*** browne has quit IRC15:49
*** dims_ is now known as dimsum__15:49
gyeehenrynash, around?15:51
henrynashgyee: yep15:51
henrynashgyee: so you want to talk list role assignments, I assume15:52
gyeehenrynash, the list role assignment bug is needed by Horizon15:52
gyeeyes15:52
gyeebasically, they need a way to list the role assignment for targets within a given domain15:52
gyeeto enhance usability15:53
henrynashgyee: so understand the goal….as per my comments on the bug, this would be new territory for us in terms of concept….15:53
henrynashgyee: how would we indicate in the API call that we want to restrict by domain?15:54
gyeehenrynash, well, right now domain admin can assign roles to targets (domain and projects) within the domain15:54
henrynashgyee: agreed15:54
gyeeso its nature that domain admin can also list those assignments15:55
henrynashgyee: and they can (just not all in one go)15:55
gyeebut why not?15:55
henrynashgyee: I’m not saying they *shouldn’t*….just stating the current situation…and pointing out that we don’t currently have the language to ask the question15:56
gyeehenrynash, I think we should, Horizon needed it in order to build an intuitive UI15:57
*** mattfarina has joined #openstack-keystone15:57
gyeeUI dictates what APIs looks like usually15:57
henrynashgyee: I’m not necessarily arguing against it…but wanting us to work out how we change to the identity spec to satisfy the requirement15:58
*** jistr has quit IRC15:58
gyeehenrynash, how about 'GET /role_assignments?scope.domain.id=<id>&all_targets'?15:59
*** bknudson has joined #openstack-keystone15:59
*** ChanServ sets mode: +v bknudson15:59
henrynashgyee: no, I don’t like that since the scope.domain_id means assignments on the domain16:00
henrynashgyee: not on projects in that domain16:00
henrynashgyee: GET /role_assignments?target.domain.id=<ID> ?16:00
henrynashor maybe16:01
gyeehenrynash, sounds good16:01
*** someara2 has quit IRC16:01
henrynashGET /role_assignments?projects.domain.id=<ID>16:01
henrynashactually maybe16:01
gyeehenrynash, no, projects.domain.id is no good16:01
gyeewe need both project and domain assignments for the given domain16:01
dstanekwe didn't freeze all of ksc right? just the cli16:01
henrynashGET /role_assignments/domain/<ID>16:02
gyeedstanek, right, only the cli16:02
gyeehenrynash, YES! that one seem more nature16:02
gyeeGET /role_assignments/domains/ID16:02
dstanekgyee: thx, adam's -2 here confused me; seems like a change that should go through16:03
gyeeor GET /domains/ID/role_assignments16:03
henrynashgyee: the only thing I am wary of on GET /role_assignments?target.domain.id=<ID> is that today our query filters all relate to an attribute being returned in the collection....16:03
dstanekhttps://review.openstack.org/#/c/167543/416:03
*** someara2 has joined #openstack-keystone16:04
gyeedstanek, I think ayoung is wrong16:04
gyeewe still support the SDK side of things16:04
henrynashgyee: the trouble with16:04
henrynashgyee: brb16:04
bknudsonmorganfainberg: was looking at keystoneclient releases and noticed we could use a 0.11.3 (stable/icehouse) release -- http://git.openstack.org/cgit/openstack/python-keystoneclient/log/?h=stable/icehouse16:05
gyeehenrynash, GET /domains/ID/role_assignments seem more nature16:05
gyeenatural16:06
*** jistr has joined #openstack-keystone16:06
*** bdossant_ has quit IRC16:07
stevemarmarekd, morganfainberg, https://review.openstack.org/#/c/186817/16:08
*** jistr has quit IRC16:09
marekdstevemar: https://review.openstack.org/#/c/186817/1/gerrit/projects.yaml you sure this should be your github account?16:11
stevemarhmm16:11
stevemari thought theres usually a file that lists the 'source' for the initialization16:12
stevemari thought that was it, i am wrong16:12
marekdi am asking, cause i don't know. but it looks like this configures some reference repo location.16:12
gyeekeystone-mapper?!!16:12
stevemargyee, just pulling out some server code :)16:12
stevemarnothing fun16:12
gyeeso we are going to have mapping content validation besides syntax?16:13
morganfainbergbknudson: good to know.16:13
marekdgyee: YES*16:13
marekd* one day16:13
* gyee in euphoria16:13
marekdgyee: read the * with that tiny font16:13
morganfainbergbknudson: thnx16:13
gyeemarekd, fine prints :)16:14
*** lhcheng has joined #openstack-keystone16:14
*** ChanServ sets mode: +v lhcheng16:14
marekdgyee: right now the goal is to pull the RuleProcessor (+ deps) to separate library and add some cmdline so ppl can test their rules with some input of their choice16:14
*** rwsu has joined #openstack-keystone16:15
marekdgyee: but yes - i'd like to see it morphing into kind of DSL.16:15
marekdand not depending on string only.16:15
gyeemarekd, nice!16:15
henrynashgyee: the only other thing I was wondering was whether we could do this via hierarchical projects….i.e. a project API call to the top level project object that is acting as a domain….a bit like we already provide for listing all project IDs within the hierarchy16:15
henrynashgyee: but I haven’t thought that through16:16
*** bdossant has joined #openstack-keystone16:16
gyeehenrynash, we can use the same paradigm for listing the hierarchy16:16
gyeehenrynash, GET /projects/ID/role_assignments?all_children16:17
henrynashgyee: yeah, something like that16:18
gyeeeither way, we need customer callbacks to enforce authorization16:18
*** sigmavirus24 is now known as sigmavirus24_awa16:18
gyeeoslo.policy is not powerful enough right now for complex object relationships16:18
henrynashgyee: yes, we need something to do that agreed.16:18
*** josecastroleon has quit IRC16:19
henrynashgyee: there’s already a whole set of patches that move all the filtering into the driver16:19
gyeehenrynash, should we put together a spec to get the party started?16:19
morganfainbergstevemar: added things for the slide deck n16:19
henrynashgyee: I’d be happy to drive that if you like?16:19
gyeehenrynash, sure, thanks16:20
henrynashgyee: Ok, will put something up this weekend16:20
morganfainbergstevemar: I am going to do some more polish on it over the week. But I'm not unhappy with it as is.16:20
gyeehenrynash, I lov u man16:20
henrynashgyee: ahhh, shucks16:20
gyeehah16:20
*** henrique_ has joined #openstack-keystone16:20
stevemarmorganfainberg, i got ptl duties for ya: https://review.openstack.org/#/c/186827/16:23
gyeemorganfainberg, wtf? we deprecated ec2 middleware? https://review.openstack.org/#/c/185509/16:23
gyeeain't heat using it?16:23
*** gokrokve has quit IRC16:23
samueldmqmorganfainberg, dolphm spec for 'Listing policies filtered by service endpoint URL' (https://review.openstack.org/#/c/186765)16:24
morganfainberggyee: no that is the bit rotting version that was moved to ksm package16:24
stevemarmarekd, once that patch goes in, no more git!16:24
stevemargood ol fashioned gerrit16:24
gyeemorganfainberg, k, i c16:24
morganfainbergIf someone is importing all of keystone for that middleware.... they are doing it wrong.16:25
marekdstevemar: heh :-) git PRs model is i think more spreaded than gerrit :-)16:25
marekdstevemar: we are just more used to gerrit w-f16:25
morganfainbergmarekd: PRs also suck.16:26
morganfainbergAnd don't scale.16:26
marekdmorganfainberg: i cannot say anything about that.16:26
marekdmorganfainberg: because i simply don't know16:27
morganfainbergmarekd: I contributed to saltstack when everything was a PR.16:27
morganfainbergIt works for a small team.16:27
marekdwhy they don't scale?16:27
marekdcannot make dep chain ?16:27
*** htruta has quit IRC16:27
morganfainbergMoving to a big distributed team it doesn't scale. Bad commenting, dep chains are strange. And no easy way to clearly see who can accept / should review before accepting.16:28
*** sigmavirus24_awa is now known as sigmavirus2416:28
dolphmmarekd: it can't scale to the number of code reviewers and authors we have -- the workflow is too limited16:28
morganfainbergdolphm: ++16:28
morganfainbergit is good until about 5-7 contributors.16:28
morganfainbergIn my experience.16:28
morganfainbergThen it gets to be a highly complex problem the workflow just doesn't handle.16:29
morganfainbergFor mapper now.16:29
marekdmorganfainberg: dolphm all right, all right - never said that one is better than another, or i'd prefer to move our workflows to PRs! :-)16:29
morganfainbergBefore I +1 it16:29
marekdmorganfainberg: for mapper, stevemar and i used PRs because it was not in gerrit, and that's all.16:29
*** gokrokve has joined #openstack-keystone16:30
morganfainbergTwo questions: 1 ) does this belong under the keystone umbrella.16:30
morganfainbergOr is the generally useful (aka Oslo) or not even Oslo16:30
*** spandhe has joined #openstack-keystone16:30
morganfainberg2) if it does belong under keystone does it increase our scope of responsibility?16:30
*** kiran-r has joined #openstack-keystone16:30
marekdmorganfainberg: i doubt anybody will use it but keystone in a common shape and future roadmap.16:30
stevemar1) yes, i doubt anyone else will use it right now16:31
marekdmorganfainberg: 2) i don't know exact answer - all that code is basically copied from keystone repo (some parts will need to be duplicated and kept in consistency manually, like exceptions for now)16:32
stevemar2) i plan on adding a small CLI for users to test their mapping, so a slight uptick in scope16:32
morganfainbergmarekd: what is the benefit of it moving out of tree at the moment?16:32
*** _cjones_ has joined #openstack-keystone16:32
marekdmorganfainberg: cmdtool we can ship easily16:32
morganfainbergstevemar: that could be done in keystone's tree to start.16:32
stevemarin case there is a bug with the mapping engine we don't have to backport changes, can just release a new version16:33
morganfainbergstevemar: that is not true. We have stable branches of libraries.16:33
morganfainbergstevemar: backport *and release * is a likely workflow today.16:33
morganfainbergLet me be clear, I16:34
morganfainbergAm not saying no16:34
morganfainbergI'm asking questions to see if it makes sense to add overhead to reviewers and ci16:34
bknudsongerrit for github: http://gerrithub.io/16:35
morganfainbergamakarov: I will respond to that bug soon.16:36
stevemarmorganfainberg, it just makes more sense archy-tectually i think16:36
marekdstevemar: ++16:36
morganfainbergSo my only real worry is reviewer overhead.16:36
bknudsonwe'll need stable releases of the keystone-mapping library, so we're not saved from anything.16:36
morganfainbergHaving another repo to look at.16:36
stevemarbknudson, that's cause the way we do stable is broken, with all our caps16:37
bknudsonit will actually be more work since we have to deal with more libraries16:37
stevemarrealistically it should just be updating a single lib16:37
morganfainbergbknudson: there is an effort to fix that in Python.16:37
marekdmorganfainberg: it's lighter for user to install just this lib + some binary and test mappingsets, instead of having to install relatively heavy keystone16:37
dstanekbknudson: that actually it's too bad - i've imported projects into it16:37
morganfainbergBut that is not quick work.16:37
dstanekmorganfainberg: fix in Python?16:38
bknudsonpackagers like us don't automatically update to new versions16:38
morganfainbergdstanek: dep resolution in pip, etc16:39
bknudsonand we've got our own internal process / legal issues that make it more difficult than it should be16:39
morganfainbergdstanek:  which lets us fix the cap issues and release models in our ci.16:39
dstanekmorganfainberg: ah, ok. i though you meant in cpython. do you have a link to that work? i'm curious now16:40
morganfainbergmarekd: it is lighter weight than bringing all of keystone.16:40
morganfainbergdstanek: lifeless is doing a lot of it.16:40
morganfainbergdstanek: you should chat with him :)16:40
morganfainbergdstanek: he's same kind of time zone as jamielennox FYI.16:41
morganfainbergSo probably out for the weekend.16:41
dstanekmorganfainberg: thx16:41
marekdmorganfainberg: i think i just said that.16:42
marekdmorganfainberg: BTW: ksa stable has been scheduled?16:42
*** browne has joined #openstack-keystone16:42
morganfainbergmarekd: I was confirming what you said. :)16:42
marekdmorganfainberg: ah, ok :-)16:43
morganfainbergmarekd: ksa has been setup to look at integration now. Once we have an idea what it will take, we will have more bugs (etc)16:43
*** sigmavirus24 is now known as sigmavirus24_awa16:43
morganfainbergmarekd: I want it stable asap16:43
morganfainbergBut it has been a bunch of fix the broken stuff first.16:44
morganfainbergIt is definitely moving forward.16:44
marekdmorganfainberg: ok, was not sure if it's worth changing dependencies to ksa.16:44
marekdmorganfainberg: or it will be wasted time atm.16:45
morganfainbergmarekd: not until it is stable.16:45
morganfainberg1.0 will be soon enough.16:45
morganfainbergBut assume the contract will break between now and then.16:45
marekdmorganfainberg: i am thinking about unreleased lib too (python-keystoneclient-saml2), so as long as it's matter of few weeks we can probably wait16:46
morganfainbergThe 0.x releases are to make it easier to do the integration / see the remaining work.16:46
*** gokrokve has quit IRC16:46
*** lhcheng has quit IRC16:47
morganfainbergmarekd: ok my biggest concern with the mapper moving to its own library is reviewer overhead. Conceptually it is nice to isolate these things to a library. But I worry it really is going to get lost.16:47
morganfainbergstevemar: ^16:47
*** lhcheng has joined #openstack-keystone16:47
*** ChanServ sets mode: +v lhcheng16:47
morganfainbergIf keystone is the only thing really using it. We can do everything in keystone for now. See how useful the mapping engine CLI checker is (could be like keystone-manage)16:48
morganfainbergEtc.16:48
morganfainbergLet me do an informal poll.16:48
marekdmorganfainberg: understood. but i also feel ppl will get frustrated trying to install keystone on, say ubuntu box and adding tons of dependencies like python-ldap-something16:49
morganfainbergdolphm, bknudson, dstanek, lbragstad: thoughts on splitting the mapping stuff in to a lib?16:49
bknudsonmorganfainberg: my opinion is there's no need for it... I don't know why it's being proposed.16:51
morganfainbergmarekd: sure. However, today - and in the near-term (this cycle) most people mucking with the mapping engine will be the deployer / operator. Like I said, asking questions so I know where things sit before adding another repo to watch.16:51
marekdmorganfainberg: sure, i completely understand your hesitation.16:52
morganfainbergmarekd: we can also add this to the agenda for next week meeting.16:53
marekdmorganfainberg: let's wait for others' opinions and we can abandon the patch.16:53
morganfainberggyee, henrynash: ^ cc (too)16:53
dstanekmorganfainberg: i'm not a fan - what projects will use the lib?16:53
marekdmorganfainberg: sure, we can wait.16:53
morganfainbergmarekd: let's do this as part of the meeting.16:54
marekdmorganfainberg: no rush.16:54
morganfainbergCan you wip that patch please.16:54
marekdy16:54
dstanekhotels in Cambridge are very pricey16:54
morganfainbergThnx.16:54
marekdmorganfainberg: stevemar was an author and only he can WIP it.16:55
morganfainbergdstanek: let me send a reminder to the ML I need to get a count. Might be able to do a hotel block if we have enough.16:55
morganfainbergstevemar: ^^16:55
morganfainbergstevemar: please wip the patch.16:55
openstackgerritMerged openstack/python-keystoneclient: A Default CLI plugin  https://review.openstack.org/17956316:55
morganfainbergWip it good.16:55
morganfainberg /devo16:55
marekdLOL16:55
marekdstevemar: are you working on some bits for mapping cli right now?16:56
gyeemorganfainberg, I am fine with keeping it in Keystone if the other workflow sucks16:56
*** gokrokve has joined #openstack-keystone16:57
stevemari'll WIP it16:57
*** gokrokve has quit IRC16:57
*** mdrnstm has joined #openstack-keystone16:58
*** gokrokve has joined #openstack-keystone16:58
*** mdrnstm is now known as Guest4946516:58
*** Guest49465 is now known as morgan16:58
*** morgan has quit IRC16:58
*** morgan has joined #openstack-keystone16:58
*** ChanServ sets mode: +v morgan16:58
*** dguerri is now known as dguerri`away16:58
*** morgan is now known as mdrnstm16:59
*** raildo is now known as needmoresummit16:59
*** jsavak has quit IRC17:00
*** jsavak has joined #openstack-keystone17:02
*** bdossant has quit IRC17:03
*** timcline has quit IRC17:03
marekdmorganfainberg: i am guessing with the KSA joining our family python-keystoneclient-saml2 should be rather renamed to python-keystoneauth-saml2 (same for kerberos etc). What's the easiest way to do so. Create another project, move the files, delete old project (it was not released yet) ?17:05
mdrnstmmarekd: i'd talk to jamielennox before it. we can rename projects but it is non-trivial and requires -infra time17:06
marekdmdrnstm: i will shoot him an e-mail then.17:06
*** jsavak has quit IRC17:07
*** jsavak has joined #openstack-keystone17:07
marekdstevemar: are you going to push it soon: https://review.openstack.org/#/c/134700/ ?17:07
marekdstevemar: maybe we should take a long-term approach and spend some time on working on oidc and cmd solutions popularization 0_o17:08
*** alanf-mc has joined #openstack-keystone17:09
*** bknudson has quit IRC17:12
* stevemar shrugs17:13
*** sigmavirus24_awa is now known as sigmavirus2417:26
*** aix has quit IRC17:31
*** kiranr has joined #openstack-keystone17:31
*** timcline has joined #openstack-keystone17:34
*** kiran-r has quit IRC17:35
*** timcline has quit IRC17:38
*** kiranr has quit IRC17:41
*** kiran-r has joined #openstack-keystone17:42
openstackgerritMarek Denis proposed openstack/python-keystoneclient-saml2: Depend on python-keystoneauth  https://review.openstack.org/18685417:42
*** kiran-r has quit IRC17:46
openstackgerritMarek Denis proposed openstack/python-keystoneclient-saml2: Refactor SAML2 auth plugins  https://review.openstack.org/17674617:46
*** timcline has joined #openstack-keystone17:51
marekdmorganfainberg: stevemar dstanek : Quite simple patch in ksa: https://review.openstack.org/#/c/186753/17:52
sigmavirus24dstanek: y u no suggest from six.moves.http import parser? =P17:54
openstackgerritMarek Denis proposed openstack/keystoneauth: Rename federated.py to federation.py  https://review.openstack.org/18675317:54
*** jsavak has quit IRC18:02
*** jsavak has joined #openstack-keystone18:02
*** jsavak has quit IRC18:04
openstackgerritPhil Hopkins proposed openstack/keystone: updates sample_data script to use the new openstack commands  https://review.openstack.org/18656018:04
*** jsavak has joined #openstack-keystone18:05
*** bknudson has joined #openstack-keystone18:07
*** ChanServ sets mode: +v bknudson18:07
openstackgerritPhil Hopkins proposed openstack/keystone: updates sample_data script to use the new openstack commands  https://review.openstack.org/18656018:07
*** Zanatoz has joined #openstack-keystone18:10
openstackgerritPhil Hopkins proposed openstack/keystone: updates sample_data script to use the new openstack commands  https://review.openstack.org/18656018:11
*** kiran-r has joined #openstack-keystone18:11
openstackgerritDavid Stanek proposed openstack/keystone: Removes unused database setup code  https://review.openstack.org/18686218:11
*** kiran-r has quit IRC18:11
*** bknudson has quit IRC18:12
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Constraint to prevent duplicates endpoints  https://review.openstack.org/13409518:14
*** bknudson has joined #openstack-keystone18:14
*** ChanServ sets mode: +v bknudson18:14
mdrnstmrodrigods: please put that question / topic you emailed me about on the Agenda for next week's meeting18:17
rodrigodsmdrnstm, will do18:18
mdrnstmwe should consider it [and we're rapidly approaching the spec freeze deadline]18:18
lifelesso/18:19
*** pnavarro has joined #openstack-keystone18:19
mdrnstmlifeless: pointed dstanek your way for all the awesome "fix the things in python and pip etc" you're doing.18:22
* mdrnstm goes to get food... or something.18:22
*** someara2 has quit IRC18:23
*** gokrokve_ has joined #openstack-keystone18:24
*** rushiagr_away is now known as rushiagr18:25
*** gokrokve has quit IRC18:27
lifelessmdrnstm: ruh roh18:29
*** gokrokve_ has quit IRC18:29
*** jsavak has quit IRC18:31
*** jsavak has joined #openstack-keystone18:31
*** gokrokve has joined #openstack-keystone18:31
*** jsavak has quit IRC18:37
*** jsavak has joined #openstack-keystone18:39
*** ajayaa has joined #openstack-keystone18:44
*** mdrnstm has quit IRC18:47
*** mdrnstm has joined #openstack-keystone18:49
*** ajayaa has quit IRC18:49
*** mdrnstm is now known as Guest5814818:49
*** Guest58148 has quit IRC18:50
needmoresummitI saw a bug here #1229093 and i'm thinking in how resolve this problem.18:52
needmoresummithttps://bugs.launchpad.net/keystone/+bug/122909318:53
openstackLaunchpad bug 1229093 in Keystone "the domain name is case insensitive with keystone v3" [Medium,Triaged] - Assigned to Alexey Miroshkin (amirosh)18:53
needmoresummitmaybe we can prohibit create new domain name with case insensitive and send a warning about previous conflicts?18:54
*** pnavarro has quit IRC18:54
bknudsonwe've always said that the case-sensitive or not is dependent on the backend18:56
needmoresummitbknudson, the guy that report the bug said: "This is not a consistent API behavior. I would like to get the same output no matter what kind of db in backend."18:56
bknudsonthe guy can configure his backend to work however he wants18:57
needmoresummitbknudson, so, this is why I don't know if we need to fix this on Keystone or can invalid the bug with your point18:57
bknudsonwe can add more documentation if there isn't any18:58
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Adds URL filter for GET /policies  https://review.openstack.org/18687418:58
samueldmqmorganfainberg, dolphm, dstanek ^18:58
*** rushiagr is now known as rushiagr_away18:58
needmoresummitI don't know about the documentation, I'll take a look on this :)18:59
*** aix has joined #openstack-keystone19:00
*** amakarov is now known as amakarov_away19:02
needmoresummitbknudson, do you agree in add some information about this here: https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3.rst#domains-v3domains?19:03
bknudsonneedmoresummit: searching for case-sensitive in that document shows all sorts of hits for case or non-case-sensitive19:07
bknudsonI wonder how accurate that is.19:07
bknudsonI think we should have a general comment in the API document that says that string comparison depends on the setting of the backend driver19:07
bknudsonwe can't specify what exactly is going to happen in the API doc19:08
bknudsonsomething in the config / setup guide could explain that mysql and postgresql work differently19:08
needmoresummitbknudson, I agree19:08
needmoresummitbknudson, thanks19:09
bknudsonno problem19:09
morganfainbergbknudson: case sensitivity could also be squashed at the api layer for consistency. It might result in a migration to fix things though.19:09
morganfainbergUnfortunately, we probably should have solved this for some of the index'd data fields way earlier on.19:10
morganfainbergFor policy. It's a blob thing ATM so harder still.19:10
bknudsonsome of this all seems a little late now... I assume it's been this way since the original release19:10
morganfainbergYep.19:11
morganfainberg=\19:11
stevemarmorganfainberg, i'm going to send off the slide deck to CIS folks now19:18
morganfainbergstevemar: did ya cleanup the extra couple slide things?19:19
morganfainbergstevemar: and go ahead and resolve my comments.19:19
morganfainbergI'm going to make some more policy stuff on it for me. But it can wait be used in the future.19:20
morganfainbergstevemar: just wanted to be sure we didn't leave the icky agenda in etc.19:20
stevemarmorganfainberg, yeah, just gotta nuke that one19:25
*** alanf-mc has quit IRC19:36
*** timcline has quit IRC19:39
*** timcline has joined #openstack-keystone19:52
*** timcline has quit IRC19:53
*** elmiko has left #openstack-keystone20:01
*** openstack has joined #openstack-keystone20:04
morganfainbergstevemar: the slide with logos. Make sure it says these are not all the orgs contributing.20:11
stevemari tried to reword it a bit20:15
stevemarif you have better language, thats cool20:15
*** alanf-mc has joined #openstack-keystone20:15
*** sigmavirus24 is now known as sigmavirus24_awa20:23
*** lufix_ has quit IRC20:24
*** mdrnstm has joined #openstack-keystone20:28
*** mdrnstm has quit IRC20:28
*** mdrnstm has joined #openstack-keystone20:28
*** ChanServ sets mode: +v mdrnstm20:28
*** openstack has joined #openstack-keystone20:29
*** ayoung has joined #openstack-keystone20:29
*** ChanServ sets mode: +v ayoung20:29
mdrnstmayoung: ping - if you have a moment would like you to look at a bug20:30
ayoungmdrnstm, sure20:30
*** needmoresummit is now known as raildo20:38
*** gokrokve has quit IRC20:40
openstackgerritRodrigo Duarte proposed openstack/keystone: Update testing keystone2keystone doc  https://review.openstack.org/18639520:40
*** gokrokve has joined #openstack-keystone20:46
*** mattfarina has quit IRC20:48
*** gokrokve has quit IRC20:50
*** dguerri`away is now known as dguerri20:56
*** openstackgerrit has quit IRC20:59
*** openstackgerrit has joined #openstack-keystone21:00
*** raildo has quit IRC21:00
*** gokrokve has joined #openstack-keystone21:07
*** sigmavirus24_awa is now known as sigmavirus2421:14
*** jsavak has quit IRC21:17
*** openstack has joined #openstack-keystone21:30
*** openstackstatus has joined #openstack-keystone21:31
*** ChanServ sets mode: +v openstackstatus21:31
*** csoukup has quit IRC21:32
*** henrynash has quit IRC21:40
*** Ephur has quit IRC21:51
*** dims_ has joined #openstack-keystone21:53
*** stevemar has quit IRC21:53
*** Ephur has joined #openstack-keystone21:53
*** dimsum__ has quit IRC21:55
openstackgerritayoung proposed openstack/keystone-specs: query configuration via web API  https://review.openstack.org/18692621:55
ayoungmdrnstm, ^^21:56
ayoungsamueldmq, ^^21:56
bknudsonis there any reason keystone shouldn't switch to release whenever like swift / ironic?21:56
ayoungbknudson, absolutetutely none21:57
*** Guest66545 has quit IRC22:03
mdrnstmbknudson: right now - because it's going to cause lots of headaches22:03
mdrnstmbknudson: longer term (once we see the road ironic goes down and the bumps) no reason at all22:04
bknudsonso a couple of potential issues -- how are docs going to work22:06
bknudsonand, there isn't really any dep management between servers22:06
mdrnstmbknudson: this is why i don't want to lead the charge here22:07
mdrnstmthere are enough questions i'd rather hold back22:07
mdrnstmand see what comes out of the first one or two making the move22:07
bknudsonany project that uses keystone is probably going to want to wait until we make the change22:07
bknudsonalthough that hasn't affected swift somehow22:07
mdrnstmironic currently uses keystone in some ways22:08
mdrnstmlike i said, i don't want to pioneer in this case. i'd like to see how it shakes out w/ the first 1 or two22:08
mdrnstmthen we can jump on the train22:08
* mdrnstm needs to make a docker container with the base runtime needed to install keystone22:11
mdrnstmso i can use it for quickly testing bugs.22:11
bknudsondocker docker docker!22:11
mdrnstmthis whole install build essential and python is time-consuming22:12
mdrnstmbknudson: yeah.22:12
mdrnstmbknudson: it's nice from a standpoint of having a contained environment on the laptop22:12
bknudsonI just have 10 vms22:13
mdrnstmi can't run 10 vms :O22:13
mdrnstm8GB of ram = need to be thrifty with resources22:13
bknudsonI don't run them all at the same time22:13
mdrnstmooooooh :P22:14
mdrnstmi do need to get my account setup so i can run vms in the ${cloud}22:14
bknudsonhttp://www.theonion.com/video/hp-offers-that-cloud-thing-everyone-is-talking-abo-2878922:15
*** alanf-mc has quit IRC22:15
openstackgerritayoung proposed openstack/keystone-specs: Policy Substitute Values  https://review.openstack.org/18692922:16
ayoungmdrnstm, I should move that convo here22:16
ayoungso ^^ is better, I think22:16
ayoungmaybe we want to keep the substitution until the fetch time, but then we need to sync with the Database when we get to that...22:16
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/18693222:17
openstackgerritayoung proposed openstack/keystone-specs: query configuration via web API  https://review.openstack.org/18692622:19
mdrnstmlbragstad: on the 255 char length fernet token22:29
mdrnstmlbragstad: i think warning might be excessive22:29
ayoungmdrnstm, yeah, upload was just the first thought22:30
mdrnstmayoung: ++22:30
ayoungmdrnstm, syncing with the DB code is going to be hard, too.22:30
mdrnstmwe already need to solve the language to indicate subst.22:31
mdrnstmso my thought is define what we will subst in22:31
ayoungI like what Iorem wrote, but we need to make it match oslo.policy22:31
mdrnstmon fetch we can subst22:31
ayoungand defer the actual substitution22:31
ayoungwe can do it at whatever point makes the most sense22:32
bknudsonmaybe we can do a better job with the request body data with flask -- http://werkzeug.pocoo.org/docs/0.10/wrappers/#werkzeug.wrappers.BaseRequest.get_data22:34
bknudsonI suppose just limiting the size of the request body helps22:34
openstackgerritMerged openstack/keystoneauth: Rename federated.py to federation.py  https://review.openstack.org/18675322:34
*** alanf-mc has joined #openstack-keystone22:34
*** hemna is now known as hemnabeer22:36
bknudsonflask/werkzeug has built-in request body size limiter -- http://werkzeug.pocoo.org/docs/0.10/request_data/#limiting-request-data22:36
bknudsonso we could drop the middleware22:36
mdrnstmlbragstad dolphm: issue with fernet tokens and KSM22:36
mdrnstmlbragstad dolphm: memcache code in KSM does bad things and ends up with key-lengths that are too long causing failures when enabled22:37
mdrnstmbknudson: ++22:37
bknudsonit's also got JSON parsing -- http://werkzeug.pocoo.org/docs/0.10/request_data/#how-to-extend-parsing22:38
mdrnstmbknudson: yay for getting things for Free ™22:38
mdrnstmbknudson: interesting we could offload a bunch of stuff it looks like22:39
*** aix has quit IRC22:39
bknudsonall of the stuff in http://git.openstack.org/cgit/openstack/keystone/tree/keystone/middleware/core.py seems like it shouldn't be in keystone, except for AuthContextMiddleware22:39
mdrnstmbknudson: I like this22:40
bknudsonadd it to the list!22:41
openstackgerritMerged openstack/keystonemiddleware: Fixup test-requirements-py3.txt  https://review.openstack.org/18488222:41
mdrnstmlbragstad dolphm: will add another bug in a moment for this22:44
*** samueldmq has quit IRC22:47
*** samueldmq has joined #openstack-keystone22:48
*** boris-42 has quit IRC22:48
mdrnstmdstufft: holy crap.22:52
mdrnstmwhoopse22:52
mdrnstmthat wasn't meant to be targeted at dstufft22:52
* mdrnstm starts of22:52
mdrnstmover22:52
mdrnstmholy crap, this whole container thing might actually work for a dev environment22:53
* mdrnstm obviously can't type :)22:53
mdrnstmoh there it is... fail with ffi.h22:53
*** emagana has quit IRC22:55
*** emagana has joined #openstack-keystone22:55
samueldmqayoung, just in the case you didn't notice yet22:57
samueldmqayoung, https://review.openstack.org/#/q/status:open+branch:master+topic:bp/list-policies-by-endpoint-url,n,z22:57
samueldmqayoung, GET /policies?url=<endpoint_url> is already under review22:58
samueldmqayoung, :)22:58
*** mdrnstm has quit IRC23:02
*** zzzeek has quit IRC23:17
openstackgerritMerged openstack/keystone: Don't assume group IDs are UUID format  https://review.openstack.org/18639223:23
openstackgerritMerged openstack/keystone: Don't assume project IDs are UUID format  https://review.openstack.org/18639323:26
*** lhcheng has quit IRC23:27
*** browne has quit IRC23:32
*** lhcheng has joined #openstack-keystone23:33
*** ChanServ sets mode: +v lhcheng23:33
*** gokrokve_ has joined #openstack-keystone23:33
*** lhcheng has quit IRC23:33
*** lhcheng has joined #openstack-keystone23:34
*** ChanServ sets mode: +v lhcheng23:34
*** mdrnstm has joined #openstack-keystone23:37
*** mdrnstm has quit IRC23:37
*** mdrnstm has joined #openstack-keystone23:37
*** ChanServ sets mode: +v mdrnstm23:37
*** gokrokve has quit IRC23:37
mdrnstmdolphm: https://bugs.launchpad.net/keystonemiddleware/+bug/146022523:44
openstackLaunchpad bug 1460225 in keystonemiddleware "Fernet + Memcache causes validation failures" [Undecided,New]23:44
*** mdrnstm has quit IRC23:52
*** mdrnstm has joined #openstack-keystone23:53
*** mdrnstm is now known as Guest4664323:53
*** Guest46643 is now known as needscoffee23:54
*** needscoffee has joined #openstack-keystone23:54
*** ChanServ sets mode: +v needscoffee23:54
*** needscoffee is now known as mdrnstm23:54
*** gokrokve_ has quit IRC23:56
*** gokrokve has joined #openstack-keystone23:57
*** lhcheng has quit IRC23:59