Friday, 2015-06-05

dstanek	morganfainberg: i don't think it's keystone caching - i'll take a deeper look in a bit though	00:09
morganfainberg	dstanek: look at keystonemiddleware caching	00:10
morganfainberg	dstanek: unless this is directly an issue in keystone itself	00:10
dstanek	morganfainberg: i turned off memcache in my environment	00:11
dstanek	morganfainberg: http://paste.openstack.org/show/264303/ i do get this in the log, but can still see the page	00:11
morganfainberg	the keystonemiddleware by default caches tokens for 300s	00:11
*** dims__ has joined #openstack-keystone		00:11
morganfainberg	dstanek: there was an issue or three where horizon wouldn't log you out, but the page was still visible - you just couldn't do actions	00:11
dstanek	morganfainberg: that may be is then because after about 5 minutes i can get in	00:11
*** dims_ has quit IRC		00:12
morganfainberg	and ksm caches in memory-dict	00:12
morganfainberg	by default	00:12
dstanek	morganfainberg: i don't get logged out, i see a little pink dialog after 5 minutes saying: unauthorized...	00:12
morganfainberg	yeah that is likely it	00:12
morganfainberg	some endpoint is cachin the token validation	00:12
dstanek	morganfainberg: ok, i'll futz a little bit more with it	00:12
morganfainberg	and/or horizon is.	00:12
*** markvoelker has joined #openstack-keystone		00:13
*** iamjarvo has quit IRC		00:16
*** dims__ has quit IRC		00:17
*** dims_ has joined #openstack-keystone		00:17
*** markvoelker has quit IRC		00:18
*** jaosorior has quit IRC		00:22
*** lhcheng has quit IRC		00:31
*** nkinder_ has quit IRC		00:33
*** jsavak has quit IRC		00:42
*** _cjones_ has quit IRC		00:49
*** woodster_ has quit IRC		00:50
*** chlong has quit IRC		00:52
*** chlong has joined #openstack-keystone		00:54
*** lhcheng has joined #openstack-keystone		00:55
*** ChanServ sets mode: +v lhcheng		00:55
bigjools	morganfainberg, marekd: FYI I got it all to work as I described by using this marvellous hack in Shibboleth: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessionCreationParameters	01:01
bigjools	you can basically visit a second site and provided you know the secure access URL you tell shibboleth which Idp to use via url params	01:02
*** alanf-mc has quit IRC		01:05
*** woodster_ has joined #openstack-keystone		01:10
openstackgerrit	Merged openstack/keystone-specs: Federated domain identified by ``id`` not ``name`` https://review.openstack.org/187520	01:14
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Stop using function deprecated in py34 https://review.openstack.org/188226	01:33
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Common base class for unit tests https://review.openstack.org/187770	01:33
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Unit tests catch deprecated function usage https://review.openstack.org/187775	01:33
*** tobe has joined #openstack-keystone		01:38
*** markvoelker has joined #openstack-keystone		02:02
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: validate_token returns AccessInfo https://review.openstack.org/179486	02:04
*** ayoung_ has joined #openstack-keystone		02:06
*** markvoelker has quit IRC		02:07
*** ayoung_ has quit IRC		02:08
*** davechen has joined #openstack-keystone		02:11
*** gordc has quit IRC		02:13
*** iamjarvo has joined #openstack-keystone		02:15
*** iamjarvo has quit IRC		02:15
*** iamjarvo has joined #openstack-keystone		02:15
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: _verify_*_token returns AccessInfo https://review.openstack.org/188650	02:15
*** spandhe has quit IRC		02:16
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Refactor extract method for offline validation https://review.openstack.org/188650	02:31
*** diabloneo has joined #openstack-keystone		02:39
*** stevemar has quit IRC		02:40
*** diabloneo has left #openstack-keystone		02:42
openstackgerrit	liusheng proposed openstack/keystone: Add validity check of 'expires_at' in trust creation https://review.openstack.org/188315	02:47
openstackgerrit	Merged openstack/keystone: Order routes so most frequent requests are first https://review.openstack.org/182781	02:49
*** boris-42 has quit IRC		02:58
*** dims_ has quit IRC		03:07
*** lhcheng has quit IRC		03:08
*** liusheng has joined #openstack-keystone		03:19
*** richm has quit IRC		03:32
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Serialize user auth plugin https://review.openstack.org/167181	03:36
*** csoukup has joined #openstack-keystone		03:47
*** nkinder_ has joined #openstack-keystone		03:47
*** csoukup has quit IRC		03:47
*** markvoelker has joined #openstack-keystone		03:50
*** markvoelker has quit IRC		03:55
openstackgerrit	Chenhong Liu proposed openstack/keystone: Add testcases of list_role_assignments of v3 domains https://review.openstack.org/187899	04:04
*** dims_ has joined #openstack-keystone		04:05
*** lhcheng has joined #openstack-keystone		04:05
*** ChanServ sets mode: +v lhcheng		04:05
*** lhcheng has quit IRC		04:08
*** dims_ has quit IRC		04:10
*** lhcheng has joined #openstack-keystone		04:18
*** ChanServ sets mode: +v lhcheng		04:18
*** lhcheng has quit IRC		04:19
*** rushiagr_away is now known as rushiagr		04:22
*** rushiagr is now known as rushiagr_away		04:27
*** lhcheng has joined #openstack-keystone		04:28
*** ChanServ sets mode: +v lhcheng		04:28
*** henrynash has joined #openstack-keystone		04:29
*** ChanServ sets mode: +v henrynash		04:29
*** iamjarvo has quit IRC		04:31
*** jamielennox is now known as jamielennox\|away		04:32
*** iamjarvo has joined #openstack-keystone		04:36
*** rushiagr_away is now known as rushiagr		04:40
*** sks has joined #openstack-keystone		04:42
*** lhcheng has quit IRC		04:48
*** ajayaa has joined #openstack-keystone		04:49
*** Ephur has quit IRC		04:55
*** lhcheng has joined #openstack-keystone		04:56
*** ChanServ sets mode: +v lhcheng		04:56
*** lhcheng has quit IRC		05:01
*** esp has left #openstack-keystone		05:12
*** iamjarvo has quit IRC		05:32
*** markvoelker has joined #openstack-keystone		05:39
*** mitz has quit IRC		05:41
*** tobe has quit IRC		05:41
*** tobe has joined #openstack-keystone		05:42
*** tobe has quit IRC		05:44
*** markvoelker has quit IRC		05:44
*** chenhong has joined #openstack-keystone		05:45
*** josecastroleon has joined #openstack-keystone		05:50
*** jaosorior has joined #openstack-keystone		05:54
*** belmoreira has joined #openstack-keystone		05:55
*** lhcheng has joined #openstack-keystone		05:58
*** ChanServ sets mode: +v lhcheng		05:58
*** topol has quit IRC		06:01
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex https://review.openstack.org/186279	06:07
*** tobe has joined #openstack-keystone		06:19
*** ajayaa has quit IRC		06:28
*** ajayaa has joined #openstack-keystone		06:40
*** dims_ has joined #openstack-keystone		06:54
*** e0ne has joined #openstack-keystone		06:54
*** jistr has joined #openstack-keystone		06:57
*** dims_ has quit IRC		06:59
*** ajayaa has quit IRC		07:03
*** e0ne has quit IRC		07:04
*** woodster_ has quit IRC		07:10
*** lufix has joined #openstack-keystone		07:12
marekd	bigjools: great!	07:13
*** ajayaa has joined #openstack-keystone		07:23
*** markvoelker has joined #openstack-keystone		07:28
*** markvoelker has quit IRC		07:33
*** dguerri` is now known as dguerri		07:39
*** jistr is now known as jistr\|biab		07:47
*** rwsu has joined #openstack-keystone		07:48
*** abhishekk has joined #openstack-keystone		07:51
*** ajayaa has quit IRC		08:04
*** pnavarro__ has joined #openstack-keystone		08:08
*** ajayaa has joined #openstack-keystone		08:16
*** bdossant has joined #openstack-keystone		08:16
*** dguerri is now known as dguerri`		08:22
*** dguerri` is now known as dguerri		08:22
*** dguerri is now known as dguerri`		08:22
*** dguerri` is now known as dguerri		08:22
*** Nikkau has joined #openstack-keystone		08:23
*** ajayaa has quit IRC		08:23
*** amaretskiy has joined #openstack-keystone		08:31
*** chlong has quit IRC		08:34
*** rwsu has quit IRC		08:36
*** merlin_ has quit IRC		08:46
*** jistr\|biab is now known as jistr		08:50
*** jistr has quit IRC		08:59
abhishekk	Hi all, I want to add role to x-service-token, how can I do that? any help is appreciated	09:03
*** ajayaa has joined #openstack-keystone		09:07
*** e0ne has joined #openstack-keystone		09:09
*** henrynash has quit IRC		09:10
*** markvoelker has joined #openstack-keystone		09:17
*** lhcheng has quit IRC		09:17
*** jistr has joined #openstack-keystone		09:19
*** marzif_ has joined #openstack-keystone		09:21
*** markvoelker has quit IRC		09:22
*** chenhong has quit IRC		09:27
*** chenhong has joined #openstack-keystone		09:27
*** afazekas_mtg has joined #openstack-keystone		09:33
*** aix has joined #openstack-keystone		09:34
*** davechen is now known as davechen_afk		09:37
*** Nikkau has quit IRC		09:38
*** dims_ has joined #openstack-keystone		09:43
*** dims__ has joined #openstack-keystone		09:47
*** dims_ has quit IRC		09:48
*** e0ne is now known as e0ne_		10:07
*** e0ne_ is now known as e0ne		10:12
*** markvoelker has joined #openstack-keystone		10:17
*** boris-42 has joined #openstack-keystone		10:20
*** markvoelker has quit IRC		10:23
*** ajayaa has quit IRC		10:31
*** lufix has quit IRC		10:33
*** ajayaa has joined #openstack-keystone		10:34
*** lufix has joined #openstack-keystone		10:40
*** ajayaa has quit IRC		10:47
*** wasmum has quit IRC		10:55
*** ajayaa has joined #openstack-keystone		11:04
*** e0ne is now known as e0ne_		11:05
*** lhcheng has joined #openstack-keystone		11:05
*** ChanServ sets mode: +v lhcheng		11:05
*** e0ne_ is now known as e0ne		11:07
*** lhcheng has quit IRC		11:10
*** marzif_ has quit IRC		11:11
*** marzif_ has joined #openstack-keystone		11:12
*** marzif_ has quit IRC		11:13
*** marzif_ has joined #openstack-keystone		11:13
*** markvoelker has joined #openstack-keystone		11:18
*** wasmum has joined #openstack-keystone		11:19
*** markvoelker has quit IRC		11:22
*** radez is now known as radez_g0n3		11:23
*** amakarov_away is now known as amakarov		11:35
*** tobe has quit IRC		11:42
*** rwsu has joined #openstack-keystone		11:43
*** dguerri is now known as dguerri`		11:48
abhishekk	hi, how to use/enable service token?	11:51
abhishekk	'X-Service-Token'	11:52
*** iamjarvo has joined #openstack-keystone		11:54
*** sks has quit IRC		11:56
*** sks has joined #openstack-keystone		12:09
marekd	rodrigods: are you going to work on k2k the plugin today or I can change a little bit of the structure?	12:11
*** e0ne is now known as e0ne_		12:21
*** e0ne_ is now known as e0ne		12:22
*** bdossant has quit IRC		12:24
*** woodster_ has joined #openstack-keystone		12:27
*** sks has quit IRC		12:31
*** markvoelker has joined #openstack-keystone		12:34
*** dguerri` is now known as dguerri		12:35
*** markvoelker has quit IRC		12:38
*** pnavarro_ has joined #openstack-keystone		12:39
*** pnavarro__ has quit IRC		12:39
*** gordc has joined #openstack-keystone		12:41
*** pnavarro_ has quit IRC		12:43
*** bknudson has joined #openstack-keystone		12:44
*** ChanServ sets mode: +v bknudson		12:44
*** sks has joined #openstack-keystone		12:44
*** fhubik has joined #openstack-keystone		12:46
*** mattfarina has joined #openstack-keystone		12:48
*** radez_g0n3 is now known as radez		12:52
*** ajayaa has quit IRC		12:54
*** lhcheng has joined #openstack-keystone		12:55
*** ChanServ sets mode: +v lhcheng		12:55
*** pnavarro_ has joined #openstack-keystone		12:56
*** fhubik has quit IRC		12:56
*** lhcheng has quit IRC		13:00
*** fhubik has joined #openstack-keystone		13:02
*** rlt has joined #openstack-keystone		13:04
*** ajayaa has joined #openstack-keystone		13:06
*** topol has joined #openstack-keystone		13:07
*** ChanServ sets mode: +v topol		13:07
*** iamjarvo has quit IRC		13:08
*** dims__ has quit IRC		13:09
*** dims_ has joined #openstack-keystone		13:10
*** topol has quit IRC		13:14
*** mestery is now known as mestery_afk		13:16
*** mattfarina has quit IRC		13:17
openstackgerrit	Guojian Shao proposed openstack/keystone-specs: fix wrong title for OS-INHERIT Extension spec https://review.openstack.org/188771	13:18
*** boris-42 has quit IRC		13:18
*** lhcheng has joined #openstack-keystone		13:18
*** ChanServ sets mode: +v lhcheng		13:18
*** richm has joined #openstack-keystone		13:20
*** fhubik is now known as fhubik_afk		13:21
*** lhcheng has quit IRC		13:23
*** geoffarnold_ has joined #openstack-keystone		13:28
*** rushiagr is now known as rushiagr_away		13:28
*** geoffarn_ has joined #openstack-keystone		13:29
*** pnavarro_ has quit IRC		13:30
*** mattfari_ has joined #openstack-keystone		13:32
*** iamjarvo has joined #openstack-keystone		13:32
*** iamjarvo has quit IRC		13:32
*** geoffarn_ has quit IRC		13:37
*** e0ne is now known as e0ne_		13:39
*** e0ne_ is now known as e0ne		13:39
*** afazekas_mtg has quit IRC		13:40
*** boris-42 has joined #openstack-keystone		13:41
*** HT_sergio has joined #openstack-keystone		13:42
openstackgerrit	Corey Bryant proposed openstack/python-keystoneclient: Use python-six shim for assertRaisesRegex/p https://review.openstack.org/188774	13:45
*** mattfari_ has quit IRC		13:45
*** geoffarnold_ has quit IRC		13:47
*** chenhong has quit IRC		13:50
openstackgerrit	Guojian Shao proposed openstack/keystone-specs: fix wrong title for OS-INHERIT Extension spec https://review.openstack.org/188771	13:51
* breton trying gertty		13:57
*** afazekas has joined #openstack-keystone		13:58
*** zzzeek has joined #openstack-keystone		14:01
*** jsavak has joined #openstack-keystone		14:03
openstackgerrit	Dolph Mathews proposed openstack/keystone: rename policy.v3cloudsample.json to policy.future.json https://review.openstack.org/188784	14:03
*** markvoelker has joined #openstack-keystone		14:05
*** ajayaa has quit IRC		14:06
*** dsirrine has joined #openstack-keystone		14:06
*** topol has joined #openstack-keystone		14:07
*** ChanServ sets mode: +v topol		14:07
openstackgerrit	Dolph Mathews proposed openstack/keystone: rename policy.v3cloudsample.json to policy.future.json https://review.openstack.org/188784	14:08
*** henrynash has joined #openstack-keystone		14:08
*** ChanServ sets mode: +v henrynash		14:08
*** iamjarvo has joined #openstack-keystone		14:09
*** iamjarvo has quit IRC		14:09
amakarov	ayoung, hi! Are you here?	14:09
*** markvoelker has quit IRC		14:09
ayoung	amakarov, depends one where "here" is. Aren't you like in Russia or something?	14:10
ayoung	I am not here in Russia.	14:10
*** iamjarvo has joined #openstack-keystone		14:10
amakarov	ayoung, I think, according your logic, for your perspective "here" is just where you are :)	14:11
ayoung	amakarov, then, by definition, I am always here. Just here is not there.	14:11
amakarov	I'm about revocations	14:11
ayoung	I'm about the Pentiums	14:11
*** sigmavirus24_awa is now known as sigmavirus24		14:12
amakarov	My patch solves issue only partially :(	14:12
ayoung	link?	14:12
*** topol has quit IRC		14:12
amakarov	https://review.openstack.org/#/c/141854/	14:12
amakarov	If the user has role in project AND belongs to the group having the same role, his personal role assignment will be also revoked upon group role revocation	14:13
ayoung	amakarov, yep	14:14
ayoung	amakarov, so...my view is that tokens are way to long lived anyway, and getting a new token should be cheap. But I can see how this might mess up a long running workflow	14:15
amakarov	The solution I see is to store group in revocation event, but in this case we'll have to obtain the group for the user in KSM too	14:15
ayoung	amakarov, that is one solution. But headed the wrong direction, IMO	14:15
*** abhishekk has quit IRC		14:15
ayoung	amakarov, it is putting more work in place to make it easy to keep long lived tokens around	14:16
ayoung	and making tokens bigger, and committing to a larger contract	14:16
*** e0ne is now known as e0ne_		14:16
ayoung	amakarov, I'm not going to hold it up, but don't expect me to get excited about it or support it	14:17
*** merlin_ has joined #openstack-keystone		14:17
ayoung	amakarov, I can see how it is likely to play out...law of unintended consequences	14:17
ayoung	people can then enforce policy based on group instead of role/project	14:18
ayoung	and then they are going to realize that groups come only from the IdP, except for mapping	14:18
amakarov	ayoung, well, as I see in you comment, you suggest to revoke by role, and don't care about some innocent tokens got killed? )	14:18
*** rushiagr_away is now known as rushiagr		14:18
ayoung	amakarov, tokens are never innocent	14:18
ayoung	tokens suffer from origianal sin	14:18
amakarov	ayoung, origi-what?? )))	14:19
ayoung	well, my name is Adam....	14:19
amakarov	pleased to meet you, grandpa	14:19
ayoung	amakarov, I know that I am associated with revocations, but that is because I lack common sense. I should never have agreed to do revocations	14:20
ayoung	I should have let the people that actually care about them do them	14:20
*** henrynash has quit IRC		14:20
ayoung	but I was strongarmed into them when I wrote PKI tokens	14:20
ayoung	I spent the whole release getting the feature ready, only to have someone (I want to blame RussellBryant) said that we could not have tokens that couldn;'t be revoked	14:21
ayoung	I pointed out that we already had that, as tokens went in to Memcache and were never revalidated	14:21
ayoung	I should have held my ground,	14:21
ayoung	Now we have bad idea on top of bad idea.	14:21
*** timcline has joined #openstack-keystone		14:22
ayoung	and the CLI still gets a new token for every operation	14:22
amakarov	ayoung, I see, interesting... So your point is to let tokens live their short life and die young?	14:22
ayoung	and Horizon still hashes the PKIZ tokens, and we are headed to Fernet tokens but getting revocation events split off them	14:22
ayoung	amakarov, yes yes yes	14:22
ayoung	die die die!	14:22
ayoung	As Billy Joel says, Only the good die young.	14:23
ayoung	and, since my last name is young, and I am going to die someday, I must be good	14:23
*** jsavak has quit IRC		14:23
amakarov	Let's go kill something already! Maybe something small! Anything!! Huh?? (c) Lilarcor	14:24
ayoung	amakarov, I liked your earlier suggestion of just revoking by role assignments	14:24
ayoung	in Federation, we won't have the user list	14:24
ayoung	lets not stick the groups in the tokens, and just revoke all for a role-on-project	14:25
amakarov	ayoung, hm, that ruins the idea of revoking by user	14:25
ayoung	user suck	14:25
ayoung	users suck	14:25
ayoung	all users	14:25
dolphm	amakarov: group stuff recently came up on the mailing list, so i put this together yesterday https://review.openstack.org/#/c/188564/	14:25
ayoung	dolphm, I saw that. Was holding off on commenting.	14:26
ayoung	dolphm, what if we just kill revocations?	14:26
*** e0ne_ has quit IRC		14:26
ayoung	across the board	14:26
dolphm	ayoung: user expectations	14:26
ayoung	say "if you are doing something long lived use a delegation" we can even push OAUTH as the way to do it since it is something like a standard	14:27
ayoung	with Fernet, tokens are always going back to Keystone to validate...so the round trip is expected.	14:27
*** sks has quit IRC		14:28
ayoung	We can just make it easier to get new tokens instead of trying to solve all the issues with revocation	14:28
ayoung	dolphm, lets put the band aid on revocations: if a group loses a role, revoke all by role-assignment. Its not perfect, but it is the current status quo	14:29
dolphm	what's henrynash's current email address?	14:29
dolphm	bknudson: ? ^	14:29
ayoung	dolphm, I have it, one sec	14:29
dolphm	@linux.vnet.ibm.com ? @uk.ibm.com ?	14:29
ayoung	dolphm, I have the first one	14:29
ayoung	did it change?	14:29
dolphm	possibly, he moved to a new group in IBM	14:29
dolphm	within the last cycle	14:30
*** jsavak has joined #openstack-keystone		14:30
amakarov	ayoung, dolphm: we can drop revocations, but we'll have to make other components to create trusts if they want delegation. Ideally it will be some sort of one-time ticket instead of token	14:32
openstackgerrit	Boris Bobrov proposed openstack/keystone: Remove custom assertions for python2.6 https://review.openstack.org/188796	14:32
openstackgerrit	Dolph Mathews proposed openstack/keystone: Avoid using the interactive interpreter for a one-liner https://review.openstack.org/188799	14:34
ayoung	amakarov, so, right now, there is no limit on what a user can do with a token. If I pass a token to nova, it can turn around and use it to make a trust in Keystone. Heat does that already. I don;t loveit, but it shows the right general direction	14:34
ayoung	what we should do is make the trust mechanism limited by default:	14:34
openstackgerrit	Dolph Mathews proposed openstack/keystone: Avoid using the interactive interpreter for a one-liner https://review.openstack.org/188799	14:34
ayoung	that way, a revocation is done by revoking a trust, not a token	14:35
*** geoffarnold has quit IRC		14:35
dolphm	ayoung: how is that the right general direction?	14:35
ayoung	I think, to do it right, would require the dynamic policy stuff	14:35
amakarov	ayoung, what about merging trusts with assignments?	14:35
ayoung	amakarov, yes	14:35
ayoung	unified delegation	14:35
dolphm	amakarov: ++.	14:35
amakarov	spec?	14:36
ayoung	dolphm, points in right direction...not the right solution at the moment	14:36
ayoung	dolphm, have not written it yet, as I am truying to get policy going fiirst, but...	14:36
*** packet has joined #openstack-keystone		14:37
ayoung	eer.. amakarov that is...I have not written the spec yet, as I still don't really know all the steps. I do know that we need to make it easy to make and use delegations, and to make them limited by default, and that trusts, role assignments, and oauth should al use the same mechanism	14:38
amakarov	ayoung, maybe we can start with a blueprint, describe use-cases there and spec will be obvious?	14:39
ayoung	there are some interesting issues to solve when merging trusts and assignements. Lets say that bknudson works for topol, and gets his roles assigned from topol. If topol then moves to a different position, where he can no longer delegate to bknudson what happens to bknudson 's assignemnts	14:39
ayoung	amakarov, go for it...I have my hands full with policy. I was thinking that unified delegations would be a topic for the next summit	14:40
ayoung	getting it started now would be fantastic.	14:40
*** sks has joined #openstack-keystone		14:40
*** jsavak has quit IRC		14:40
ayoung	amakarov, https://adam.younglogic.com/2014/11/dynamic-policy-in-keystone/ you note that it was my starting point for dynamic policy	14:41
bknudson	I don't work for topol!	14:41
ayoung	dolphm, I am not going to get in your way if you want to drive on with roles in the tokens. I think they might have additional uses in the future, but make sure you are ok with those uses please. They are not inheriantly a bad idea	14:42
ayoung	bknudson, heh	14:42
ayoung	bknudson, and then you lost all the roles he assigned you!	14:42
* amakarov writing a post-it "spec for unified delegation"		14:42
*** belmoreira has quit IRC		14:42
ayoung	amakarov, +++++++	14:42
bknudson	aww	14:42
ayoung	amakarov, please include out existing oauth extension in there	14:43
ayoung	amakarov, please includeour existing oauth extension in there	14:43
amakarov	ayoung, ++	14:43
*** jsavak has joined #openstack-keystone		14:43
amakarov	ayoung, so for now I modify my patch to revoke by role	14:44
*** stevemar has joined #openstack-keystone		14:44
*** ChanServ sets mode: +v stevemar		14:44
ayoung	amakarov, role + scope	14:44
ayoung	like you had origianlly, right?	14:44
amakarov	ayoung, ok	14:44
*** zzzeek has quit IRC		14:45
*** e0ne has joined #openstack-keystone		14:45
ayoung	dolphm, you OK with amakarov doing that?	14:45
*** zzzeek has joined #openstack-keystone		14:46
*** zzzeek has quit IRC		14:46
dolphm	absolutely, trusts should have been backed by assignments in the first place	14:48
amakarov	ayoung, 1 more thing: https://review.openstack.org/#/c/188131/	14:48
dolphm	they're the exact same thing, one just has a bunch of extra metadata and dynamic behaviors layered on top	14:48
ayoung	dolphm, yep. One reason I called them trusts instead of delegation is I was aware I was experien\menting, and that this was not the only, not even the dominant delegation mechanism. And now I can see it was cus we lacked some of the structure we needed in the core assignments	14:49
ayoung	being able to maintain the chain of delegation was missing, and if we get that into the core assignments mechanism, trusts become a trivial extension	14:50
*** nkinder_ has quit IRC		14:51
dolphm	ayoung: but unfortunately, you weren't experimenting at all, even if that's what it felt like. you were pushing to ship a stable implementation of a user-accessible feature.	14:52
*** topol has joined #openstack-keystone		14:53
*** ChanServ sets mode: +v topol		14:53
openstackgerrit	Boris Bobrov proposed openstack/keystone: Remove custom assertions for python2.6 https://review.openstack.org/188796	14:55
*** hemnafk is now known as hemna		14:58
ayoung	dolphm I stnad by the implementation. Just the name was an ack that it was not the only form of delegation	14:59
ayoung	I also thought of delagation as serer to server	14:59
*** andrewbogott has joined #openstack-keystone		15:00
*** esp has joined #openstack-keystone		15:01
ayoung	server to server.	15:01
andrewbogott	What determines what url the keystone client uses for the keystone API?	15:03
*** jsavak has quit IRC		15:03
*** jsavak has joined #openstack-keystone		15:04
ayoung	andrewbogott, two things	15:05
ayoung	first the AUTH_URL env var tells the client where to go to get a token (and a couple other early stage things like listing projects)	15:05
ayoung	andrewbogott, then it gets a service catalog back with that token that the client will use for any other scoped operations on Keystone	15:06
andrewbogott	ayoung: is AUTH_URL the same as —os-auth-url?	15:06
ayoung	and it depends on the operation which URL it uses, admin or main, in the v2 world.	15:06
ayoung	andrewbogott, yes	15:06
ayoung	andrewbogott, the CLI arg to openstack client (and keystone CLI) overrides the env var	15:06
andrewbogott	$ keystone --os-auth-url "http://labcontrol1001.wikimedia.org:35357/v2.0" service-list	15:07
andrewbogott	Unable to establish connection to http://virt1000.wikimedia.org:35357/v2.0/OS-KSADM/services	15:07
andrewbogott	So, what’s happening there? Does labcontrol1001 have a catalog that sends me to virt1000 for… the catalog?	15:07
ayoung	andrewbogott, looks like a netowkr issue	15:07
ayoung	network	15:07
ayoung	andrewbogott, its not a 404	15:08
andrewbogott	ayoung: note that the url in the error message is different from the url I requested	15:08
andrewbogott	I don’t think my network is rewriting urls	15:08
ayoung	andrewbogott, but the hostname is the same...	15:08
ayoung	ah	15:08
ayoung	no it is not	15:08
andrewbogott	:)	15:08
ayoung	ok, so that is probably coming from the service catalog	15:08
andrewbogott	—service-list is redirected through the service catalog?	15:09
ayoung	andrewbogott, yep	15:09
andrewbogott	So I can never actually see the service catalog on labcontrol1001?	15:09
ayoung	andrewbogott, not if you can't see the admin host	15:09
andrewbogott	...	15:10
ayoung	andrewbogott, there are possibly hacks you can do to get around it	15:10
ayoung	but it is a setup issue,	15:10
andrewbogott	ok	15:10
breton	dolphm: > It would enable token revocation events to be issued per user group	15:10
andrewbogott	I can think why this would happen. labcontrol1001 and virt1000 share a common db server, so probably the new server is pulling the catalog that I set up for the old host	15:10
andrewbogott	ayoung: I think this is making sense now. So, in fact, I probably /do/ need to just fix my network.	15:11
andrewbogott	And then, actually, this is good, because I can move services over one at a time.	15:11
ayoung	cool	15:11
breton	dolphm: what's the problem with issuing token revocations per group and match user's group dynamically in revocation code?	15:11
breton	dolphm: without including the group to the token	15:12
andrewbogott	ayoung: thank you for the explanation.	15:12
dolphm	breton: the goal is to be able to match revocation events in keystonemiddleware.auth_token, not just in keystone	15:12
*** lsmola has quit IRC		15:12
breton	got it.	15:12
dstanek	dolphm: did you see my note on that security bug?	15:16
dolphm	dstanek: the one i just closed?	15:17
dstanek	dolphm: maybe :-) i didn't see that email yet	15:17
dolphm	https://bugs.launchpad.net/keystone/+bug/1461095	15:17
openstack	Launchpad bug 1461095 in OpenStack Security Advisory "Token is not revoked when removing a user from project in Horizon" [Undecided,Won't fix]	15:17
dolphm	dstanek: thanks for reproducing!	15:19
dstanek	dolphm: cool, glad it's closed. i was up too late last night so having trouble getting into the groove this morning	15:19
dolphm	dstanek: curl coffee \| git apply	15:20
*** Ephur has joined #openstack-keystone		15:24
*** lufix has quit IRC		15:26
*** e0ne is now known as e0ne_		15:29
*** e0ne_ is now known as e0ne		15:30
*** markvoelker has joined #openstack-keystone		15:30
*** e0ne is now known as e0ne_		15:30
*** e0ne_ is now known as e0ne		15:30
bknudson	I hope there's no git revert	15:32
*** markvoelker has quit IRC		15:34
*** thedodd has joined #openstack-keystone		15:36
*** gyee_ has joined #openstack-keystone		15:38
*** david-lyle has quit IRC		15:46
*** david-lyle has joined #openstack-keystone		15:46
openstackgerrit	Merged openstack/keystone-specs: fix wrong title for OS-INHERIT Extension spec https://review.openstack.org/188771	15:51
*** _cjones_ has joined #openstack-keystone		15:55
openstackgerrit	Boris Bobrov proposed openstack/keystone: Remove custom assertions for python2.6 https://review.openstack.org/188796	15:58
sigmavirus24	So about the stuff Sean wants from the policy work, it seems like what he really wants is a way of saying, "introspect this rule and apply these constraints" which seems reasonable, but probably belongs in oslo.policy instead of in each service, no? It should be plausible to do it, but I'm not sure if A) it's something most services will use or B) if it should be checked when the server is running or be provided as part of	16:00
sigmavirus24	ayoung's tool for testing policy files	16:00
*** jistr has quit IRC		16:03
openstackgerrit	Marek Denis proposed openstack/keystone: Mapping Engine CLI https://review.openstack.org/188302	16:05
openstackgerrit	Marek Denis proposed openstack/keystone: Mapping Engine CLI https://review.openstack.org/188302	16:05
dstanek	marekd: nice ^	16:06
marekd	dstanek: ty	16:06
ayoung	sigmavirus24, http://adam.younglogic.com/2015/06/dyn-policy-microversions/	16:07
sigmavirus24	ayoung: reading	16:08
*** dsirrine has quit IRC		16:11
*** jsavak has quit IRC		16:12
*** dguerri is now known as dguerri`		16:13
*** jsavak has joined #openstack-keystone		16:13
*** fhubik_afk is now known as fhubik		16:18
ayoung	sigmavirus24, I realize it does not answer exactly what you were saying	16:19
ayoung	but the whole discussion is huge, and I think this is the heart of it	16:19
sigmavirus24	ayoung: yeah, it just seems like we're all talking a bit past each other	16:19
*** geoffarnold has joined #openstack-keystone		16:19
sigmavirus24	I understand Sean's concerns	16:19
sigmavirus24	I also understand that they're a bit tangential and can be addressed later	16:19
*** geoffarnold has quit IRC		16:22
*** geoffarnold has joined #openstack-keystone		16:22
ayoung	sigmavirus24, If default policy comes from the service, and we always layer a new policy down on top of an old one, we get the behavior he wants, but not the warning	16:23
*** e0ne is now known as e0ne_		16:23
ayoung	sigmavirus24, also, if the default policy is not uploaded to the central server, queries about "what can I do" against the central server m,ight be wrong	16:23
*** e0ne_ has quit IRC		16:24
ayoung	sigmavirus24, so, I think the warning he wants needs to be done at the policy server	16:25
ayoung	and...that should be auditable anyway	16:25
gyee_	ayoung, OpenStack deployment various a lot because of security and compliance, there's really no golden "default". Warning will make it counterintuitive.	16:25
*** davidckennedy has quit IRC		16:25
ayoung	gyee_, I think he's on the right track, but maybe has not gone far enough:	16:25
gyee_	if I have to bet on it, default will just be either "admin" or "owner" :)	16:26
ayoung	gyee_, default should actually be "NOTHING!"	16:27
gyee_	ayoung, how do you think we got into bug 968696 in the first place?	16:27
openstack	bug 968696 in Keystone ""admin"-ness not properly scoped" [High,Confirmed] https://launchpad.net/bugs/968696 - Assigned to Adam Young (ayoung)	16:27
gyee_	default to "admin" for everything	16:27
ayoung	gyee_, I think the first thing we do is throw out the default. Then everything has to be explicit, or it gets denied	16:28
gyee_	isn't that what we are trying to avoid?	16:28
ayoung	second is to get common header...the common policy file was the start for that	16:28
ayoung	no, we want an explicit rule for each	16:28
ayoung	otherwise, we end up with ceilometer	16:28
ayoung	http://git.openstack.org/cgit/openstack/ceilometer/tree/etc/ceilometer/policy.json	16:29
gyee_	:)	16:30
gyee_	yeah, that's pretty what the "default" looks like	16:30
*** amaretskiy has quit IRC		16:33
*** geoffarnold has quit IRC		16:39
*** e0ne has joined #openstack-keystone		16:40
*** roxanaghe has joined #openstack-keystone		16:42
*** e0ne has quit IRC		16:43
*** spandhe has joined #openstack-keystone		16:43
*** henrynash has joined #openstack-keystone		16:47
*** ChanServ sets mode: +v henrynash		16:47
*** fhubik is now known as fhubik_afk		16:51
*** alanf-mc has joined #openstack-keystone		16:52
*** geoffarnold has joined #openstack-keystone		16:56
rodrigods	hi marekd, I won't work on it today, please do the changes you are suggesting and add yourself as co-author :)	16:57
marekd	rodrigods: let me add another patch on top of that, ok?	16:57
rodrigods	sure	16:57
marekd	so i don't destroy your work in case mine is a crap :-)	16:57
*** jsavak has quit IRC		16:59
rodrigods	i'm sure it won't be :)	16:59
*** alanf-mc_ has joined #openstack-keystone		17:00
*** alanf-mc has quit IRC		17:02
*** geoffarnold has quit IRC		17:08
*** alanf-mc_ has quit IRC		17:11
*** alanf-mc has joined #openstack-keystone		17:11
*** yottatsa has joined #openstack-keystone		17:14
yottatsa	hello everybody	17:14
yottatsa	just dug into new keystone and have some questions about Fernet	17:14
dolphm	yottatsa: some questions answered http://dolphm.com/openstack-keystone-fernet-tokens/	17:15
*** dguerri` is now known as dguerri		17:16
yottatsa	thanks dolphm, but there is a question not from FAQ )	17:17
*** lhcheng has joined #openstack-keystone		17:18
yottatsa	Actually, why don't just impersist usual PKI token? It already validates offline, so keystone could validate it same way?	17:18
stevemar	yottatsa, PKI had size issues :(	17:19
*** markvoelker has joined #openstack-keystone		17:19
dolphm	yottatsa: yep, just because they're too big	17:19
yottatsa	stevemar, yup I know it veeeery bad, I had 6 region setup full of services	17:19
dolphm	yottatsa: otherwise, they share the same basic advantages	17:19
yottatsa	dolphm, so why don't just remove catalog from PKI token?	17:21
ayoung	In keeping with the wonderful naming patterns of Boston, BU grounds East are East of, and slightly to the south of, BU grounds south.	17:22
dstanek	yottatsa: if you removed the catalog and stopped putting them in the database it would be great for PKI, but still not as lightweight as fernet	17:23
dstanek	ayoung: sorry, can't parse	17:23
*** markvoelker has quit IRC		17:24
* yottatsa is rewriting federation/sso on new framework now.. (((		17:26
*** henrynash has quit IRC		17:26
ayoung	dstanek, things to be aware of before the midcycle: http://www.cartalk.com/content/you-know-youre-boston-when-2	17:27
marekd	yottatsa: i am curious what do you mean by new framework ?	17:27
*** harlowja has quit IRC		17:27
yottatsa	in Yandex, we have sso and federation with existing token system calles Yandex.Passport since havana	17:28
*** lhcheng has quit IRC		17:28
marekd	yottatsa: so your goal is to start using upstream version of federation/sso or propose Yandex.Passport to the upstream, because you think it's better?	17:29
yottatsa	marekd, our goal is to start using upstream version instead of ours custom auth.token driver	17:30
marekd	yottatsa: ah, ok :-)	17:30
dstanek	"It's not a purse, it's a pockabook."	17:31
*** lhcheng has joined #openstack-keystone		17:32
*** harlowja has joined #openstack-keystone		17:32
*** lastops has joined #openstack-keystone		17:33
*** amakarov is now known as amakarov_away		17:34
stevemar	yottatsa, how were you guys doing federation before?	17:36
yottatsa	stevemar, yandex.passport https://passport.yandex.com/ is a sort of token issue/validation system, that provides you with web cookie or oauth token, and service for validation	17:39
dolphm	yottatsa: we've actually introduced an API to remove the catalog from PKI tokens already - authenticate with ?nocatalog	17:39
*** rushiagr is now known as rushiagr_away		17:40
stevemar	yottatsa, you should be able to use that with the federation extension, i thinks	17:41
*** jsavak has joined #openstack-keystone		17:42
yottatsa	stevemar, so customer could validate cookie or OAuth with the keystone's /v3/auth/token	17:42
yottatsa	keystoneclient.session.Session(auth=keystoneclient.auth.identity.v3.Token(auth_url=auth_uri, token=cookie))	17:43
dolphm	stevemar: rodrigods: marekd: questions on k2k workflow! https://etherpad.openstack.org/p/federated-authentication	17:43
yottatsa	stevemar, actually the problem is to provide users with cli and python API for using this federation	17:44
marekd	dolphm: looking	17:44
*** henrynash has joined #openstack-keystone		17:44
*** ChanServ sets mode: +v henrynash		17:44
dolphm	stevemar: marekd: rodrigods: i'm trying to figure out if the bold bits are correct, and if so, why? the rest looks good to me	17:45
*** marzif_ has quit IRC		17:45
*** dsirrine has joined #openstack-keystone		17:45
marekd	dolphm: you copied those steps from some documentation ?	17:45
dolphm	marekd: i was given this - i'm not sure where that person got them from ;)	17:45
rodrigods	dolphm, the service provider entry is not "inside" the catalog	17:46
dolphm	marekd: i googled and couldn't find a source	17:46
rodrigods	is right below it	17:46
marekd	dolphm: no worries	17:46
rodrigods	dolphm, i made this blog post about the setup as well: http://rodrigods.com/it-is-time-to-play-with-keystone-to-keystone-federation-in-kilo/	17:47
*** e0ne has joined #openstack-keystone		17:48
*** jsavak has quit IRC		17:49
*** jsavak has joined #openstack-keystone		17:49
*** henrynash has quit IRC		17:50
dolphm	rodrigods: nice!	17:50
*** andrewbogott has left #openstack-keystone		17:51
*** marzif_ has joined #openstack-keystone		17:51
*** dsirrine has quit IRC		17:53
stevemar	dolphm, bold bits?	17:53
stevemar	oh	17:53
stevemar	the etherpad	17:53
dolphm	stevemar: yeah, i think they answered my questions	17:53
stevemar	dammit	17:53
stevemar	i was writing an email	17:53
* stevemar too slow!		17:53
dolphm	stevemar: i think you directed me to this review earlier https://review.openstack.org/#/c/159910/ the remaining todo list there is pretty simple, but looks like worked stopped at summit time :)	17:56
dolphm	stevemar: any idea if that could land as part of django_openstack_auth 1.4.0 ?	17:56
yottatsa	soooo, should I use https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/auth/identity/v3/federated.py this boilerplate as an auth plugin base?	17:57
marekd	yottatsa: yes, however bear in mind, we are going to use https://github.com/openstack/keystoneauth/blob/master/keystoneauth/auth/identity/v3/federation.py in the nearest future. much cleaner	17:58
marekd	and simpler	17:59
marekd	and this will be the interface-class for those plugins.	17:59
marekd	yottatsa: if you are writing something that can wait few weeks i'd recommend building on top on federation.py, not federated.py	17:59
yottatsa	marekd, does it mean that python-ksc is now splitting on keystoneauth, keystonemiddleware and pure keystone client?	18:01
marekd	yottatsa: yes	18:01
yottatsa	thanks	18:01
marekd	yottatsa: and some auth plugins will be pulled out into separate repositories, for instance saml2 auth plugins and kerberos	18:02
* yottatsa didn't interested in saml2 and kerberos though )		18:04
*** rwsu has quit IRC		18:04
openstackgerrit	Marek Denis proposed openstack/keystoneauth: Keystone2KeystoneAuthPLugin scoping capabilities https://review.openstack.org/188881	18:04
marekd	gerrit shouldn't run tests on patches marked as WIP - it's intended to not be review-ready so why waste resources....	18:06
dolphm	marekd: i'm glad it does though - although i agree that they shouldn't receive equal priority	18:10
marekd	dolphm: why are you glad?	18:11
marekd	patches marked WIP are more like a place where developer may keep his unfinished work, so why run tests on them. he can ask for gerrit tests when he is ready.	18:13
*** jsavak has quit IRC		18:13
bknudson	is draft still supported?	18:13
openstackgerrit	Marek Denis proposed openstack/keystoneauth: Keystone2KeystoneAuthPLugin scoping capabilities https://review.openstack.org/188881	18:15
marekd	ok, i am out of here for a while. bye!	18:16
*** yottatsa has quit IRC		18:21
*** brad[] has joined #openstack-keystone		18:25
*** yottatsa has joined #openstack-keystone		18:27
*** jsavak has joined #openstack-keystone		18:28
*** Zanatoz has quit IRC		18:29
*** sks has quit IRC		18:33
*** jsavak has quit IRC		18:35
*** jsavak has joined #openstack-keystone		18:36
*** fhubik_afk is now known as fhubik		18:38
yottatsa	could you please show me any example of federation auth?	18:43
yottatsa	not k2k or kerb?	18:43
*** iamjarvo has quit IRC		18:44
*** lhcheng has quit IRC		18:46
*** harlowja has quit IRC		18:46
*** mattfarina has joined #openstack-keystone		18:47
*** gyee_ has quit IRC		18:47
*** fhubik has quit IRC		18:48
*** iamjarvo has joined #openstack-keystone		18:50
*** htruta has quit IRC		18:52
*** harlowja has joined #openstack-keystone		18:53
*** ctracey has quit IRC		18:54
*** serverascode has quit IRC		18:54
*** nzeer has quit IRC		18:54
*** jraim has quit IRC		18:54
*** briancurtin has quit IRC		18:54
*** zhiyan has quit IRC		18:54
*** lhcheng has joined #openstack-keystone		18:54
*** sumanth has joined #openstack-keystone		18:54
sumanth	Hi	18:54
sumanth	I am new to openstack developement	18:55
dstanek	sumanth: welcome	18:56
*** yottatsa has quit IRC		18:58
*** lastops has quit IRC		19:00
sumanth	I need some help with intergating our organizations sso	19:05
*** ayoung has quit IRC		19:05
sumanth	with openstack	19:05
sumanth	Thank you dstanek	19:05
*** iamjarvo has quit IRC		19:06
sumanth	I was wondering if that is possible	19:06
sumanth	is so how do I go about doing it?	19:06
bigjools	What sort of SSO is it? SAML? Kerberos?	19:07
*** markvoelker has joined #openstack-keystone		19:08
*** lastops has joined #openstack-keystone		19:10
*** jaosorior has quit IRC		19:12
*** markvoelker has quit IRC		19:12
sumanth	Bigjools: it shibboleth authentication	19:14
sumanth	which generates a SAML	19:15
*** lastops has quit IRC		19:15
*** radez is now known as radez_g0n3		19:15
*** iamjarvo has joined #openstack-keystone		19:19
bigjools	sumanth: you're in luck, I wrote a blog post https://bigjools.wordpress.com/2015/05/22/saml-federation-with-openstack/	19:19
sumanth	cool thanks a lot !	19:20
sumanth	I will go through it	19:20
*** ayoung has joined #openstack-keystone		19:20
*** ChanServ sets mode: +v ayoung		19:20
bigjools	I am neck deep in Shibboleth config right now	19:20
sumanth	great	19:20
sumanth	:D	19:20
bigjools	you will swear a lot	19:20
*** lastops has joined #openstack-keystone		19:22
sumanth	I dont mind that , thats reason I do programing :D	19:22
sumanth	If I have any questins while I configure, can I ping you directly ?	19:23
*** lastops has quit IRC		19:25
*** iamjarvo has quit IRC		19:31
bigjools	sumanth: sure	19:33
stevemar	dolphm, how important is irc in openstack development?	19:33
bigjools	I am travelling over the weekend so catch me before then	19:33
bknudson	dolphm: if openstack was a tree, what species would it be?	19:36
*** iamjarvo has joined #openstack-keystone		19:37
*** iamjarvo has quit IRC		19:37
bknudson	it's deep questions for dolphm friday.	19:38
*** iamjarvo has joined #openstack-keystone		19:38
*** e0ne has quit IRC		19:39
dstanek	bknudson: is there one that blooms every 6 months?	19:40
*** zzzeek has joined #openstack-keystone		19:41
dstanek	...and can't agree on how to bloom the next time :-)	19:42
bknudson	dstanek: that's a tough one.	19:42
*** sumanth has quit IRC		19:46
*** sumanth has joined #openstack-keystone		19:50
lbragstad	bknudson: dstanek Sheep-Eating Plant	19:52
lbragstad	apparently they take a really long time to bloom	19:53
bknudson	lbragstad: plus they eat sheep	19:53
lbragstad	bknudson: yes, yes they do, they actually shoot mace like flowers	19:54
bknudson	like openstack	19:54
lbragstad	how's that for usability!	19:54
lbragstad	it's fun and dangerous	19:55
dstanek	i can respect a good sheep eater	19:56
lbragstad	they take 15 - 20 years to bloom	19:56
bknudson	I could use a deer-eater here.	19:56
*** henrynash has joined #openstack-keystone		19:56
*** ChanServ sets mode: +v henrynash		19:56
lbragstad	that's a long development cycle	19:56
bknudson	it'll probably take us 15-20 years to get rid of v2.	19:57
lbragstad	lol	19:57
*** dims__ has joined #openstack-keystone		19:57
*** henrynash_ has joined #openstack-keystone		20:00
*** ChanServ sets mode: +v henrynash_		20:00
*** dims_ has quit IRC		20:00
*** timcline has quit IRC		20:00
*** henrynash has quit IRC		20:01
*** henrynash_ is now known as henrynash		20:01
*** boris-42 has quit IRC		20:02
*** henrynash has quit IRC		20:10
*** thedodd has quit IRC		20:11
*** thedodd has joined #openstack-keystone		20:11
*** dims__ has quit IRC		20:11
*** jsavak has quit IRC		20:12
*** jsavak has joined #openstack-keystone		20:13
stevemar	bknudson, be more optimistic about it, maybe 5-10 :P	20:16
*** e0ne has joined #openstack-keystone		20:16
*** tellesnobrega_ has joined #openstack-keystone		20:17
bknudson	# Deprecated group/name - [ldap]/tenant_tree_dn -- when did this happen?	20:19
bknudson	oh, never mind.	20:20
bknudson	I was scared by the [ldap]... thought it had moved.	20:20
bknudson	but the name just changed	20:20
*** markvoelker has joined #openstack-keystone		20:24
stevemar	bknudson, as soon as devstack can run v3 alone, i am submitted a patch to deprecate v2.0 :P	20:25
ayoung	bigjools, use Mellon and Ipsilon	20:25
*** topol has quit IRC		20:25
*** markvoelker has quit IRC		20:28
bknudson	put a sleep(10) in the v2 controllers.	20:29
*** lhcheng has quit IRC		20:29
*** henrynash has joined #openstack-keystone		20:32
*** ChanServ sets mode: +v henrynash		20:32
*** nzeer has joined #openstack-keystone		20:36
*** tellesnobrega_ has quit IRC		20:38
*** jraim has joined #openstack-keystone		20:38
*** tellesnobrega_ has joined #openstack-keystone		20:39
*** iamjarvo has quit IRC		20:39
*** ayoung has quit IRC		20:44
*** e0ne has quit IRC		20:45
*** ctracey has joined #openstack-keystone		20:46
stevemar	that would be nasty	20:47
*** roxanaghe has quit IRC		20:48
*** e0ne has joined #openstack-keystone		20:48
*** serverascode has joined #openstack-keystone		20:51
*** zhiyan has joined #openstack-keystone		20:54
bknudson	make it go up over time... sleep(months since some date)	20:55
lbragstad	bknudson: ++	20:56
*** mattfarina has quit IRC		20:59
*** boris-42 has joined #openstack-keystone		21:00
*** ayoung has joined #openstack-keystone		21:00
*** ChanServ sets mode: +v ayoung		21:00
*** briancurtin has joined #openstack-keystone		21:05
*** e0ne has quit IRC		21:06
*** lhcheng has joined #openstack-keystone		21:06
*** lhcheng_ has joined #openstack-keystone		21:08
*** Ephur has quit IRC		21:11
*** lhcheng has quit IRC		21:11
*** tellesnobrega_ has quit IRC		21:11
*** iamjarvo has joined #openstack-keystone		21:12
*** iamjarvo has quit IRC		21:12
*** iamjarvo has joined #openstack-keystone		21:13
*** toddnni has joined #openstack-keystone		21:16
*** csoukup has joined #openstack-keystone		21:18
*** jsavak has quit IRC		21:18
*** lastops has joined #openstack-keystone		21:18
*** yottatsa has joined #openstack-keystone		21:22
*** lastops has quit IRC		21:23
*** jsavak has joined #openstack-keystone		21:27
*** jorge_munoz has quit IRC		21:27
*** sumanth has quit IRC		21:28
*** sumanth has joined #openstack-keystone		21:29
*** jorge_munoz has joined #openstack-keystone		21:29
*** henrynash has quit IRC		21:31
*** iamjarvo has quit IRC		21:31
*** jsavak has quit IRC		21:33
*** zzzeek has quit IRC		21:37
*** iamjarvo has joined #openstack-keystone		21:38
stevemar	dolphm, i added to your etherpad	21:41
*** openstack has joined #openstack-keystone		21:41
*** jsavak has joined #openstack-keystone		21:47
*** lhcheng_ has quit IRC		21:51
*** csoukup has quit IRC		21:51
*** lhcheng has joined #openstack-keystone		21:54
*** alanf-mc has quit IRC		22:00
*** marzif_ has quit IRC		22:01
*** Kennan2 has joined #openstack-keystone		22:02
*** Kennan has quit IRC		22:03
*** jsavak has quit IRC		22:06
*** thedodd has quit IRC		22:07
bknudson	AuthorizationFailure: No valid authentication is available	22:12
bknudson	not helpful	22:12
*** stevemar has quit IRC		22:12
*** markvoelker has joined #openstack-keystone		22:12
*** markvoelker has quit IRC		22:17
*** nkinder has joined #openstack-keystone		22:22
*** gordc has quit IRC		22:29
*** alanf-mc has joined #openstack-keystone		22:30
*** gabriel-bezerra has quit IRC		22:35
*** geoffarnold has joined #openstack-keystone		22:36
*** openstackgerrit has quit IRC		22:37
*** iamjarvo has quit IRC		22:37
*** openstackgerrit has joined #openstack-keystone		22:37
*** yottatsa has quit IRC		22:39
*** gabriel-bezerra has joined #openstack-keystone		22:40
*** ozialien has joined #openstack-keystone		22:49
*** bradjones is now known as bradjones_away		23:00
*** ozialien has quit IRC		23:02
*** ozialien has joined #openstack-keystone		23:05
*** hemna is now known as hemnafk		23:09
*** jsavak has joined #openstack-keystone		23:11
*** bradjones_away is now known as bradjones		23:20
*** geoffarnold has quit IRC		23:27
*** geoffarnold has joined #openstack-keystone		23:27
*** jsavak has quit IRC		23:29
*** ozialien has quit IRC		23:33
*** iamjarvo has joined #openstack-keystone		23:38
*** bradjones has quit IRC		23:42
*** bradjones has joined #openstack-keystone		23:42
*** bradjones is now known as bradjones_away		23:47
*** bradjones_away is now known as bradjones\|away		23:52
*** _cjones_ has quit IRC		23:58
*** lhcheng has quit IRC		23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!