Friday, 2015-07-03

morganfainbergbigjools: it does a mapping to deconflict, but it's not really an ephemeral user00:01
morganfainbergthey are real users you can target roles to00:02
bigjoolsjust trying to get my head around things - do they count the same as local DB users?00:02
morganfainbergbigjools: and the mapping is only if you have multiple ldap backends (per-domain identity)00:02
morganfainbergbigjools: they would count as local users00:02
morganfainbergyou don't need to assign exclusively to the group00:02
bigjoolscool thanks, just what I needed to know00:02
morganfainbergif they aren't part of the default identity backend, you'll need to do a "get" or something to create the deconflicted id00:03
*** tqtran has quit IRC00:03
morganfainbergbecause the deconflicted id is SHA256(<dn bit>, domain_id)00:03
bigjoolswhat do you mean by deconflict?00:03
bigjoolssame users in diff backends?00:04
*** zzzeek has quit IRC00:04
morganfainbergso if you have 2 ldap backends00:04
morganfainbergone per domain00:04
morganfainbergwe only use a bit of the DN00:05
morganfainberglike CN=<username>00:05
morganfainbergwell, that isn't globally unique00:05
morganfainbergso we force a hash of the DN bit and the domain_id (something from the LDAP server and something keystone controls)00:05
morganfainbergso we can ensure globally unique ids00:05
morganfainbergwhich is a requirement for keystone user id00:05
samueldmqmorganfainberg: I'd like to hear what you have to make the policy thing easier :)00:06
bigjoolsmorganfainberg: gotcha, thanks00:06
samueldmqmorganfainberg: and thanks for taking a look at the email00:06
morganfainbergsamueldmq: so if we move to consul as a service catalog backend00:08
morganfainbergit would be possible to use that to either A) communicate (live) the new policy00:08
morganfainbergor for keystone to source in the local (authoritative) policy00:08
samueldmqmorganfainberg: I am not aware of exactly mean being a service catalog backend00:09
morganfainbergconsul is something i'm looking at to replace the service catalog in the db00:10
samueldmqmorganfainberg: lacking some context, sorry :-(00:10
*** dims__ has joined #openstack-keystone00:10
samueldmqmorganfainberg: hmm00:10
morganfainbergit can handle communication to / from keystone00:10
morganfainbergand handle live-catalog state00:10
morganfainbergaka: if nova api (one of them) stops responding, it could drop out of the catalog00:10
morganfainbergand a new one would just appear when it is registered/starts responding00:10
morganfainbergplus it has a built-in DNS interface00:10
samueldmqmorganfainberg: ohhh00:10
samueldmqmorganfainberg: that manages a live catalog00:11
morganfainbergit also has a key-value store00:11
morganfainbergso the serivice could push it's local policy into the KVS00:11
morganfainbergand keystone could push down dynamic policy files and such00:11
morganfainbergsome ideas i'm playing with00:12
morganfainbergi'll go over it at the midcycle00:12
samueldmqmorganfainberg: so using the consul "connection" to transmit policies00:12
*** dims_ has quit IRC00:12
morganfainbergyou could.00:13
samueldmqmorganfainberg: this looks interesting .. this way the deployer wouln't need to register endpoints by hand , right ? (registering in keystone I mean)00:13
morganfainbergthats the idea.00:13
samueldmqmorganfainberg: it should be configuring consul-client in the endpoints00:13
samueldmqmorganfainberg: and they register themselves00:13
samueldmqmorganfainberg: everything via api00:13
morganfainbergthats is part of the idea00:13
samueldmqmorganfainberg: and they tell keystone what their policy is ..00:13
*** shaleh has quit IRC00:13
samueldmqmorganfainberg: hmm ...00:14
samueldmqmorganfainberg: target ? I'd like to see how that fits with how we're planning to implement the dynamic policy stuff00:14
samueldmqmorganfainberg: if this would invalidate our current proposal (those specs in the email) or not00:14
morganfainbergit would change the fetch model00:14
morganfainbergbut the rest would be the same00:15
morganfainbergagain something to talk over @ midcycle00:15
samueldmqmorganfainberg: ok, so we can keep the current plans .. and start implementing as we've planned00:16
samueldmqmorganfainberg: starting by oslo, etc .. the basics00:16
samueldmqmorganfainberg: unfortunatelly I won't attend the micycle meetup :/ I'd love to hear about this00:16
morganfainbergi'll have a better idea in a couple weeks00:18
morganfainbergif this is viable00:18
morganfainbergthere are some gaps that i need to work through00:18
*** darrenc is now known as darrenc_afk00:20
samueldmqmorganfainberg: I kind of just trust when you say you'll have a better idea in a couple of weeks00:20
samueldmqmorganfainberg: I don't know how your mind works00:21
morganfainbergthis may not work at all00:21
morganfainbergi'm seeing what data can go into consul and how it handles different states00:21
samueldmqmorganfainberg: but that worked when you said you'd have a good idea on the fetch & cache thing00:21
samueldmqmorganfainberg: sure00:22
samueldmqmorganfainberg: let me know if you need somethin on that front00:23
samueldmqmorganfainberg: it's what is in,right ?00:23
morganfainbergsamueldmq: yeah00:24
*** shaleh has joined #openstack-keystone00:26
samueldmqmorganfainberg: kk00:26
*** shaleh_ has joined #openstack-keystone00:27
*** raildo_ has quit IRC00:27
*** shaleh has quit IRC00:30
sigmavirus24Is anyone running keystone v3 with Nova? I keep seeing "ERROR (BadRequest): Expecting to find domain in project - the server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error. (HTTP 400)" when trying to use novaclient, but I'm not sure what's missing from my openrc00:32
morganfainbergsigmavirus24: with neutron or nova net? and what release?00:37
morganfainbergthere are some issues with v3 keystone in some releases00:37
sigmavirus24Running with master right now.00:37
sigmavirus24(master keystone, master nova)00:37
sigmavirus24And I'm just trying to do a nova list00:37
morganfainbergit should work.00:37
morganfainbergbut i mean... i don't know off hand right this second00:37
sigmavirus24No worries00:38
sigmavirus24Am I missing something here?
sigmavirus24I imagine it must be something trivial but I'm not sure what's going on00:39
sigmavirus24I can auth with keystone client without an issue00:39
*** mhu has quit IRC00:42
*** mhu has joined #openstack-keystone00:42
lhchengsigmavirus24: try changing OS_DOMAIN_NAME=default to OS_DOMAIN_NAME=Default00:50
sigmavirus24lhcheng: Oh, Let me try that. `default` was working as the domain_id, the name is probably different00:50
lhcheng'default' is the domain_id, and 'Default' is the domain name00:50
jamielennoxsigmavirus24: yea, in devstack (and therefore most setups) id=default and name=Default00:51
sigmavirus24Didn't work =/00:51
jamielennoxsigmavirus24: oh - in project00:51
sigmavirus24Looks this is using keystoneclient.auth ... let me see if I can reproduce this there00:51
sigmavirus24jamielennox: ?00:52
jamielennoxum, you don't want OS_DOMAIN_X thats for scoping to domains00:52
jamielennoxyou want OS_PROJECT_DOMAIN_X00:52
*** shaleh_ has quit IRC00:52
lhchengjamielennox: good catch00:52
jamielennoxOSC does some hacks around that to make it easier from the CLI, but for working with plugins you need to be explicit00:52
sigmavirus24jamielennox: I think I'm doing it wrong:
jamielennoxsigmavirus24: this is for OSC?00:56
sigmavirus24jamielennox: nope. Just plain old novaclient00:56
jamielennoxergh, i'll need to look00:56
*** chlong has joined #openstack-keystone00:56
jamielennoxbut i expect you need at least OS_USER_DOMAIN_X00:56
sigmavirus24Although I get the same problem with osc00:57
sigmavirus24e.g., OS_USER_DOMAIN_NAME=Default?00:57
sigmavirus24Oh that did it for nova00:57
*** browne has joined #openstack-keystone00:57
sigmavirus24I still get "Error: openstack" from osc with no other details with that though00:58
sigmavirus24Thanks jamielennox00:58
jamielennoxfor OSC you probably want OS_IDENTITY_API_VERSION=300:58
sigmavirus24That was it01:01
jamielennoxmorganfainberg: when you have a moment01:05
jamielennoxor lhcheng ^ do you mind?01:06
lhchengjamielennox: will take a look01:06
*** ayoung has joined #openstack-keystone01:09
*** ChanServ sets mode: +v ayoung01:09
*** davechen has joined #openstack-keystone01:13
*** dhellmann has quit IRC01:15
*** dhellmann has joined #openstack-keystone01:15
*** mfisch has quit IRC01:20
*** darrenc_afk is now known as darrenc01:20
*** woodster_ has quit IRC01:21
*** davechen1 has joined #openstack-keystone01:26
*** _cjones_ has quit IRC01:27
*** davechen has quit IRC01:28
*** sigmavirus24 is now known as sigmavirus24_awa01:30
*** stevemar has joined #openstack-keystone01:46
openstackgerritMerged openstack/keystonemiddleware: Add token_auth helper to request
*** Kennan has joined #openstack-keystone02:02
*** Kennan2 has quit IRC02:03
morganfainbergjamielennox: its a holiday for us now :P02:04
jamielennoxmorganfainberg: i thought that was tomorrow02:04
morganfainbergjamielennox: when i get home will look.02:04
morganfainbergIts 7pm here :P02:04
jamielennoxmorganfainberg: ok - there's no rush, you're just normally around at this time so i was pushing things forward02:05
jamielennoxmorganfainberg: go enjoy the holiday02:05
miguelgrinbergjamielennox: are you up for a quick auth related question?02:12
jamielennoxmiguelgrinberg: sure02:13
* jamielennox mentally prepares02:13
miguelgrinbergI have a horizon running with a federated user (ADFS IdP), and when it sends requests to APIs it gets errors.02:13
miguelgrinbergthe error from nova is Malformed request URL: URL's project_id '69f5cff441e04554b285d7772630dec1' doesn't match Context's project_id 'None'02:14
miguelgrinbergI was wondering if you've seen this and can tell me where to go chase this02:14
miguelgrinbergsomehow the context's project id is missing02:14
jamielennoxso no, i've never seen it02:14
miguelgrinbergokay, it was true that it was a qucik question then :)02:14
jamielennoxit's weird because the project_id in the url is being added to the catalog02:14
jamielennoxso that's happening at token creation time, so the project_id should be a part of the token02:15
miguelgrinbergwhen nova says "context's project id" it means a project derived from the token, correct?02:15
jamielennoxso it's like you're trying to access it with an unscoped token02:15
*** stevemar has quit IRC02:16
jamielennoxmy first step would be to have a look at the token you're using02:16
miguelgrinbergwell, I'll have to debug it some more to find out. This is horizon getting the token, so I have no idea how it got it.02:16
*** stevemar has joined #openstack-keystone02:16
jamielennoxsure, but you can probably capture the token id and then just get keystone to validate it for you02:16
miguelgrinbergyes, I'll start from there. We are so close to get this federation thing working...02:17
*** chenhong has joined #openstack-keystone02:19
miguelgrinbergjamielennox: and since we are talking, I was wondering if there is anything I can help with to get the heat trustee changes over the finish line. If I can help let me know.02:19
*** lhcheng has quit IRC02:19
*** chenhong has quit IRC02:19
jamielennoxmiguelgrinberg: yea, i just haven't got back to looking at the heat stuff02:20
jamielennoxtalking at summit we decided we needed to simplify the way contexts were being created in heat, so have one context always and have multiple plugins that you can use from it02:20
jamielennoxbut that's a lot of refactoring and test rearrangements02:20
*** stevemar has quit IRC02:21
miguelgrinbergyes, sounds like a good idea, but I think a shorter term goal would be to enable heat to use v3, which I think is much smaller in scope.02:21
miguelgrinbergit basically involves eliminating the accesses to the [keystone_authtoken] section02:22
openstackgerritDeepti Ramakrishna proposed openstack/keystone: Reject user creation using admin_token.
jamielennoxmiguelgrinberg: yes, i need to get those patches revised, there was a fairly serious merge conflict i think but i will get back into it02:25
jamielennoxmiguelgrinberg: if you want to push it quicker than that i have no issue with you having a go at it02:25
*** richm has quit IRC02:25
jamielennoxeither starting from those patches or from scratch02:25
miguelgrinbergjamielennox: there is one that needs a quick improvement, you had a method defined as a @property and it's not memoizing the result. I'll see if I can get that one fixed for a start.02:26
jamielennoxmiguelgrinberg: that'd be great, thanks02:27
*** gyee has quit IRC02:33
*** mhu has quit IRC02:38
*** topol has joined #openstack-keystone02:41
*** ChanServ sets mode: +v topol02:41
*** mfisch has joined #openstack-keystone02:42
*** mfisch is now known as Guest6154802:42
*** mhu has joined #openstack-keystone02:47
*** stevemar has joined #openstack-keystone02:48
*** stevemar has quit IRC02:51
*** hakimo_ has joined #openstack-keystone02:52
*** hakimo has quit IRC02:54
*** hogepodge has quit IRC03:06
*** kiran-r has joined #openstack-keystone03:15
*** stevemar has joined #openstack-keystone03:35
*** raildo has quit IRC03:48
*** samueldmq has quit IRC03:48
*** ericksonsantos has quit IRC03:48
*** iurygregory has quit IRC03:48
*** htruta has quit IRC03:48
*** tellesnobrega has quit IRC03:49
*** hogepodge has joined #openstack-keystone03:51
*** dims__ has quit IRC03:52
*** hogepodge has quit IRC03:56
*** hogepodge has joined #openstack-keystone04:00
*** hogepodge has quit IRC04:05
*** hogepodge has joined #openstack-keystone04:08
*** kiran-r has quit IRC04:10
*** stevemar has quit IRC04:13
*** stevemar has joined #openstack-keystone04:13
*** jkomg has joined #openstack-keystone04:14
*** kiran-r has joined #openstack-keystone04:17
*** hogepodge has quit IRC04:17
*** jkomg has quit IRC04:19
*** _cjones_ has joined #openstack-keystone04:19
*** kiran-r has quit IRC04:22
*** hogepodge has joined #openstack-keystone04:25
*** _cjones_ has quit IRC04:26
*** _cjones_ has joined #openstack-keystone04:26
*** hrou has quit IRC04:33
openstackgerritDeepti Ramakrishna proposed openstack/keystone: Reject user creation using admin_token.
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Return correct token id in response
*** rushiagr_away is now known as rushiagr04:58
*** topol has quit IRC04:59
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Add service token to user token plugin
*** stevemar has quit IRC05:03
*** stevemar has joined #openstack-keystone05:04
*** drjones has joined #openstack-keystone05:05
*** _cjones_ has quit IRC05:07
*** stevemar has quit IRC05:10
*** stevemar has joined #openstack-keystone05:11
*** ajayaa has joined #openstack-keystone05:14
*** _cjones_ has joined #openstack-keystone05:19
*** vg_ has joined #openstack-keystone05:22
*** drjones has quit IRC05:23
*** ayoung has quit IRC05:25
*** _cjones_ has quit IRC05:28
*** vg___ has joined #openstack-keystone05:31
*** vg_ has quit IRC05:32
*** Kennan has quit IRC06:02
*** Kennan has joined #openstack-keystone06:02
*** lhcheng has joined #openstack-keystone06:15
*** ChanServ sets mode: +v lhcheng06:15
openstackgerritMasaki Matsushita proposed openstack/keystone: Make max_header_line configurable
*** tobe has joined #openstack-keystone06:24
*** belmoreira has joined #openstack-keystone06:46
*** stevemar has quit IRC06:53
*** dims_ has joined #openstack-keystone06:53
*** stevemar has joined #openstack-keystone06:53
*** stevemar has quit IRC06:56
*** stevemar has joined #openstack-keystone06:57
*** dims_ has quit IRC06:58
*** lufix2 has quit IRC07:10
*** dguerri` has quit IRC07:10
*** dguerri` has joined #openstack-keystone07:10
*** med_ has quit IRC07:10
*** dguerri` is now known as dguerri07:10
*** afazekas has quit IRC07:10
*** lufix has joined #openstack-keystone07:11
*** lufix has joined #openstack-keystone07:11
*** josecastroleon1 has joined #openstack-keystone07:11
*** med_` has joined #openstack-keystone07:11
*** dguerri has quit IRC07:11
*** dguerri has joined #openstack-keystone07:11
*** afazekas has joined #openstack-keystone07:11
*** josecastroleon has quit IRC07:11
openstackgerritSteve Martinelli proposed openstack/keystone: switch to oslo.cache
*** rharwood has quit IRC07:32
*** albertom has quit IRC07:32
*** andreaf has quit IRC07:32
*** _afazekas has joined #openstack-keystone07:33
*** e0ne has joined #openstack-keystone07:33
*** fhubik has joined #openstack-keystone07:33
*** andreaf_ has joined #openstack-keystone07:33
*** browne has quit IRC07:33
*** chlong has quit IRC07:33
*** powerbsd has joined #openstack-keystone07:33
*** rharwood_ has joined #openstack-keystone07:33
*** andreaf_ is now known as andreaf07:33
*** rharwood_ is now known as rharwood07:33
*** powerbsd is now known as albertom07:33
*** fhubik has quit IRC07:33
*** fhubik has joined #openstack-keystone07:33
*** rharwood has quit IRC07:33
*** rharwood has joined #openstack-keystone07:33
*** albertom has quit IRC07:33
*** albertom has joined #openstack-keystone07:33
*** afazekas has quit IRC07:33
*** e0ne has quit IRC07:36
*** jistr has joined #openstack-keystone07:39
*** lhcheng has quit IRC07:41
*** stevemar has quit IRC07:41
*** lhcheng has joined #openstack-keystone07:41
*** ChanServ sets mode: +v lhcheng07:41
*** stevemar has joined #openstack-keystone07:42
*** bdossant has joined #openstack-keystone07:42
openstackgerritMasaki Matsushita proposed openstack/keystone: Make max_header_line configurable
*** dguerri has quit IRC07:48
*** openstackstatus has quit IRC07:49
*** dguerri has joined #openstack-keystone07:50
*** dguerri is now known as dguerri`07:50
*** aix has joined #openstack-keystone07:50
*** openstackstatus has joined #openstack-keystone07:51
*** ChanServ sets mode: +v openstackstatus07:51
*** bdossant has quit IRC07:52
*** bdossant has joined #openstack-keystone07:53
*** browne has joined #openstack-keystone07:54
*** amaretskiy has joined #openstack-keystone08:05
*** fhubik is now known as fhubik_afk08:06
*** bdossant has quit IRC08:06
*** bdossant has joined #openstack-keystone08:10
*** browne has quit IRC08:19
*** stevemar has quit IRC08:20
*** fhubik_afk is now known as fhubik08:33
openstackgerritMerged openstack/keystone: Add test case for deleting endpoint with space in url
*** henrynash has joined #openstack-keystone08:34
*** ChanServ sets mode: +v henrynash08:34
*** afazekas has joined #openstack-keystone08:37
*** bdossant has quit IRC08:38
*** bdossant has joined #openstack-keystone08:42
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file
*** bdossant has quit IRC08:47
*** bdossant has joined #openstack-keystone08:50
*** bdossant has quit IRC08:55
*** openstackgerrit has quit IRC08:57
*** openstackgerrit has joined #openstack-keystone08:58
*** henrynash_ has joined #openstack-keystone09:05
*** ChanServ sets mode: +v henrynash_09:05
*** henrynash has quit IRC09:05
*** henrynash_ is now known as henrynash09:05
*** e0ne has joined #openstack-keystone09:08
*** mflobo has quit IRC09:09
*** josecastroleon1 has quit IRC09:10
*** belmoreira has quit IRC09:11
openstackgerritIvan Mironov proposed openstack/keystone: Do not specify 'objectClass' twice in LDAP filter string.
*** Qlawy has quit IRC09:12
*** stevemar has joined #openstack-keystone09:21
*** bdossant has joined #openstack-keystone09:22
*** josecastroleon has joined #openstack-keystone09:23
*** stevemar has quit IRC09:24
*** Qlawy has joined #openstack-keystone09:30
*** Qlawy has quit IRC09:30
*** Qlawy has joined #openstack-keystone09:30
*** rdo has quit IRC09:31
*** rdo has joined #openstack-keystone09:32
*** marzif_ has joined #openstack-keystone09:37
*** belmoreira has joined #openstack-keystone09:39
odyssey4merodrigods marekd Could you help me work through a problem with federation sso with saml auth? it would appear that for some reason horizon is able to auth initially with an unscoped token, but it doesn't then request a scoped token and thus errors out. We've set Horizon into debug mode and done a bit more hacking to expose the exception.09:42
openstackgerritDave Chen proposed openstack/keystone: Show helpful message when request body is not provided
*** davechen1 has left #openstack-keystone09:49
odyssey4merodrigods marekd the clue is in the error itself returned by the nova api: project_id '<...>' doesn't match Context's project_id10:02
*** alex_xu has quit IRC10:06
*** hughsaunders has quit IRC10:07
*** alex_xu has joined #openstack-keystone10:07
*** hughsaunders has joined #openstack-keystone10:07
*** SpamapS has quit IRC10:09
*** SpamapS has joined #openstack-keystone10:09
*** fhubik is now known as fhubik_afk10:11
*** alex_xu has quit IRC10:15
*** alex_xu has joined #openstack-keystone10:15
*** lhcheng has quit IRC10:23
*** dims_ has joined #openstack-keystone10:25
*** fhubik_afk is now known as fhubik10:40
*** henrynash has quit IRC11:09
marekdodyssey4me: i am here11:10
odyssey4memarekd :)11:10
*** stevemar has joined #openstack-keystone11:10
marekdodyssey4me: i have never spotted anything like that.11:10
marekdodyssey4me: have you tried private session so other cookies do not interfere ?11:11
odyssey4memarekd just done that with the same result11:13
odyssey4methis looks curious to me though:11:13
odyssey4meu'user': {u'OS-FEDERATION': {u'identity_provider': {u'id': u'adfs-idp'}, u'protocol': {u'id': u'saml2'}, u'groups': []}, u'id': u'My%20Self', u'name': u'My%20Self'}}}11:13
*** stevemar has quit IRC11:14
odyssey4meit would seem that no groups are coming through - does that look like it could be problem?11:14
marekdodyssey4me: did you copy this or rewrite?11:14
marekdthere should be group_ids11:14
marekdah no11:15
marekdmaybe it's fine :P11:15
marekdanyway, empty groups is bad.11:16
marekdit should not authN you.11:16
*** tobe has quit IRC11:16
odyssey4meso you suspect a mapping issue then?11:16
*** samueldmq has joined #openstack-keystone11:19
odyssey4memarekd this appears to show that it's done the right thing? 2015-07-03 11:21:18.017 15349 ERROR keystone.auth.plugins.mapped [-] {'group_ids': [u'5a4d1d4af1fc4f54aba6ab8831c05efd'], 'user': {'domain': {'id': 'Federated'}, 'type': 'ephemeral', u'name': u'My Self', u'email': u'myself@pigeonbrawl.local'}, 'group_names': [{u'domain': {u'name': u'Default'}, u'name': u'fedgroup'}]}11:23
odyssey4memarekd some info for review: and a partial keystone debug log from the above-mentioned line onwards:
marekdodyssey4me: i see you are using fernet tokens.11:28
*** vg___ has quit IRC11:29
odyssey4memarekd yep, do you think that may be an issue?11:29
marekdodyssey4me: maybe, can we make a quick test and switch to uuid for a second and see if it works?11:31
odyssey4memarekd I just noticed in the above-mentioned log line is has the domain id as 'Federated', whereas my mapping is to the 'Default' domain... I see that the group is correctly mapped to the Default domain11:32
*** mflobo has joined #openstack-keystone11:36
*** radez is now known as radez_g0n311:37
marekdodyssey4me: oh yes!11:39
marekdthat means it mapped to an existing user.11:39
marekdand this explains empty group list.11:39
marekdi think you wanted to have ephemeral user, right?11:39
odyssey4memarekd yep, what is odd is that there is no such domain as 'Federated'11:40
marekdodyssey4me: true11:40
marekdit's a service domain :-)11:40
odyssey4menotice that the type is ephemeral11:40
*** dguerri` is now known as dguerri11:46
odyssey4meheh marekd switching to uuid instead of fernet appears to work11:52
*** ericksonsantos has joined #openstack-keystone11:53
*** gordc_afk has quit IRC11:55
odyssey4meit's a pity that dolphm and dstanek have a holiday today :p12:00
*** amakarov_away is now known as amakarov12:03
*** gordc has joined #openstack-keystone12:03
*** gordc has quit IRC12:04
dstanekodyssey4me: what's up?12:05
*** gordc has joined #openstack-keystone12:05
odyssey4medstanek you should be holidaying :p12:06
dstanekodyssey4me: nah. it's 8am and there's work to be done :-)12:06
odyssey4medstanek it would appear that using fernet tokens with federation breaks federation12:07
*** e0ne is now known as e0ne_12:08
*** raildo has joined #openstack-keystone12:08
odyssey4meusing uuid seems to work fine, but with fernet tokens the context switching doesn't work properly12:08
*** arunkant__ has joined #openstack-keystone12:08
dstanekwow, really? what are you seeing?12:08
odyssey4me(when using horizon's websso)12:08
*** lhcheng has joined #openstack-keystone12:09
*** ChanServ sets mode: +v lhcheng12:09
*** iurygregory has joined #openstack-keystone12:09
odyssey4menova api returns project_id '<...>' doesn't match Context's project_id12:09
*** marzif__ has joined #openstack-keystone12:10
dstanekso nova is given a fernet token that contains project id X and returns a project id Y?12:10
odyssey4medstanek yeah, either that or: 1) the project id isn't passed properly; 2) nova doesn't understand the project id properly12:11
*** arunkant_ has quit IRC12:11
*** e0ne_ is now known as e0ne12:12
odyssey4medstanek what info can I extract to help, or should I give you access to the test box to debug on?12:12
*** lhcheng has quit IRC12:13
*** marzif_ has quit IRC12:13
dstanekodyssey4me: i can send you my public key12:14
odyssey4medstanek go for it12:14
dstanekdo you know where nova gets the project id? it shouldn't be able to see into the token so it should get it from keystone during a validate12:14
*** tellesnobrega has joined #openstack-keystone12:16
odyssey4medstanek it looks to me like nova does a validation against keystone, but keystone always gives an unscoped token back12:22
odyssey4methe last nova req before it pukes is12:23
odyssey4me2015-07-03 12:13:19.637 8105 DEBUG keystoneclient.session [-] REQ: curl -g -i --insecure -X GET -H "X-Subject-Token: {SHA1}28765a35fdf7f49b05e595fb50a08eb1e1f2b2bc" -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}3795f43af3b06e82d7c8c83e854816a265b68c92" _http_log_request /usr/local/lib/python2.7/dist-packages/keystoneclient/ses12:23
odyssey4me2015-07-03 12:13:19.706 8105 DEBUG keystoneclient.session [-] RESP: [200] content-length: 330 x-subject-token: {SHA1}28765a35fdf7f49b05e595fb50a08eb1e1f2b2bc vary: X-Auth-Token keep-alive: timeout=5, max=100 server: Apache/2.4.7 (Ubuntu) connection: Keep-Alive date: Fri, 03 Jul 2015 12:13:19 GMT content-type: application/json x-openstack-request-id: req-6d9365a0-9b54-47b3-859c-b3a219f8755a12:23
odyssey4meRESP BODY: {"token": {"methods": ["token"], "expires_at": "2015-07-04T00:13:19.000000Z", "extras": {}, "user": {"OS-FEDERATION": {"identity_provider": {"id": "adfs-idp"}, "protocol": {"id": "saml2"}, "groups": []}, "id": "My%20Self", "name": "My%20Self"}, "audit_ids": ["oIesbmVAT2K_MIA_x6ywBA"], "issued_at": "2015-07-03T12:13:19.000000Z"}}12:23
odyssey4me _http_log_response /usr/local/lib/python2.7/dist-packages/keystoneclient/
odyssey4menotice the groups are empty in the RESP BODY12:23
dstanekis this v2 or v3?12:25
odyssey4medstanek should be v3 (see above REQ)12:25
*** e0ne_ has joined #openstack-keystone12:25
* dstanek is trying to remember how horizon works12:27
odyssey4medstanek yeah, so horizon is set to use the v3 api12:27
*** e0ne has quit IRC12:28
dstanekodyssey4me: hmmm...i wonder if maybe you don't have default_project_id set on the user data12:28
odyssey4meand I adjusted the ebug output of nova-os-api to dump more data12:28
odyssey4medstanek well, there is no user data as it's a federated user12:28
odyssey4meI could fix that in the mapping?12:28
dstaneknot sure....12:29
dstanekso doesn't horizon always get an unscoped token until the user picks a project?12:29
dstanekit can't be the default project...because you said uuid works and that would have the same data12:30
odyssey4medstanek good question - not sure... and I did think of trying to set the default project id earlier... but never did12:30
openstackgerritIvan Mironov proposed openstack/keystone: Do not specify 'objectClass' twice in LDAP filter string.
odyssey4meinterestingly, I've added the default project id to the mapping and it is getting through to nova api - but still failing: 'HTTP_X_AUTH_PROJECT_ID': '69f5cff441e04554b285d7772630dec1'12:34
*** arunkant_ has joined #openstack-keystone12:36
dstanekodyssey4me: the X-Auth-Token i see in the stacktrace doesn't look like a fernet token: gAAAAABVln7XPWiYMgh7UdewUiad8Pxgr1loj9faVD_MlFQtQLjJQaelHj6oE3W1XRNKszPhv0lCB2u4eEsBFYnqXJPzdXHbnwfEUoisnpOlbPAxhKry8EISy3rNUdFfqrXgANGVOT5tSxRzY5GVT1fM0GtrU-nCsA%3D%3D12:39
*** arunkant__ has quit IRC12:39
openstackgerritMerged openstack/keystone: Fix tox -e py34
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file
odyssey4medstanek I just did a fresh one, and it looks similar: gAAAAABVloNjiIscHvUElgNmfOMcA6tnyaT3-6Os39hw2QJQJiiNahnc4CebKUDzhGn3S1A8knf9lQ-PQYq62kY3ceUovGo4mv3K5x8gvZtxngzO2wQcve7KqvvloRarWQ-Lzntwhbbakme5vahuRbkZpXrENR_2_g%3D%3D12:44
dstanekoh, wait. don't listen to me.12:45
dstaneki probably got up too early12:46
*** hogepodge has quit IRC12:46
*** hogepodge has joined #openstack-keystone12:48
*** markvoelker has quit IRC12:53
marekdodyssey4me: sorry, i had to leave12:56
marekdodyssey4me: did you check uuid tokens?12:56
marekdodyssey4me: just noticed it works.12:57
marekdodyssey so oups, we have a problem.12:57
marekdodyssey4me: can you confirm whether the problem is with CLI or websso only?12:57
odyssey4memarekd yep, now we're trying to figure out why - dstanek's taking a peek too12:57
marekdodyssey4me: does CLI version works?12:57
odyssey4memarekd hmm, let me check12:58
*** markvoelker has joined #openstack-keystone13:00
marekdodyssey4me: please do13:01
*** e0ne has joined #openstack-keystone13:05
dstanekshiite - how do i tell openstack client to forget about cert issues?13:06
marekddstanek: --insecure ?13:06
dstanekmarekd: ah, right! thanks13:06
*** henrynash has joined #openstack-keystone13:06
*** ChanServ sets mode: +v henrynash13:06
dstanekit's been so long since i've had to do that13:06
odyssey4medstanek yep, it's a pain13:07
odyssey4meI'm trying to figure out how to get an assertion from adfs :p13:07
odyssey4me(via cli)13:07
*** e0ne_ has quit IRC13:08
dstanekodyssey4me: 'shutdown now' will usually do the trick13:08
odyssey4medstanek wrong sort of assertion :p13:08
amaretskiyHi all! Please someone review
marekdodyssey4me: aaaand? :-)13:09
*** hrou has joined #openstack-keystone13:11
*** nzeer has quit IRC13:12
*** nzeer has joined #openstack-keystone13:12
* dstanek thinks he found an unrelated client bug...13:13
dstanekamaretskiy: i'm curious about what brant meant13:17
amaretskiydstanek: in patch set 2 scenarios had heavy values so jobs run long time, now input values reduced so job run 28 min13:19
amaretskiydstanek:  so Brant's comment is fixed13:20
*** haypo has joined #openstack-keystone13:22
dstanekodyssey4me: marekd: i'm trying to use the fernet token against nova and running into issues - unfortunately i don't understand nova's context stuff just yet13:26
odyssey4medstanek so you're finding the issue without federation even being involved then?13:35
dstanekodyssey4me: well, i took the fernet token generated by the federation flow and tried to use it against nova from the cli13:37
dstanekjas...i'll PM you the command13:37
dstanekthat will cause nova to 500 because it seems that the context doesn't have the project13:38
dstanekbut according to nova/api/ that comes from is it the client that is messing me up?13:38
odyssey4medstanek so that's why I had the API output the headers for the websso - you'll notice the lack of project in the headers there too13:39
*** browne has joined #openstack-keystone13:41
odyssey4medoes it make sense that this is simply an unscoped token?13:44
dstanekodyssey4me: that's what i was wondering earlier....i thought horizon got an unscoped token until the user picked a project in the UI, but then again i have no idea. just a guess13:49
dstanekthat maybe a good question for horizon folks if any are around13:49
odyssey4medstanek well, I think there must be logic to choose the default project id or the first in the list13:50
odyssey4mewhen you land in horizon you get the instances view for a project13:50
odyssey4mebut you're right in saying that if it works for uuid tokens, then what's different here13:50
dstanekso adding '--os-project-name fedproject' still blows up13:52
dstaneknot sure why nova thinks forbidden is a 50013:52
*** henrynash has quit IRC13:53
*** henrynash has joined #openstack-keystone13:53
*** lhcheng has joined #openstack-keystone13:58
*** ChanServ sets mode: +v lhcheng13:58
*** raildo has quit IRC14:00
*** tellesnobrega has quit IRC14:00
*** lhcheng has quit IRC14:02
*** ericksonsantos has quit IRC14:05
*** iurygregory has quit IRC14:05
*** samueldmq has quit IRC14:05
*** ericksonsantos has joined #openstack-keystone14:07
*** raildo has joined #openstack-keystone14:08
odyssey4medstanek but when doing the request with '--os-project-name fedproject' the error is different, the context validation fails14:08
*** tellesnobrega has joined #openstack-keystone14:09
*** samueldmq has joined #openstack-keystone14:11
*** iurygregory has joined #openstack-keystone14:11
*** fhubik has quit IRC14:17
odyssey4medstanek for giggles I've double-checked that nova reacts properly to an internal user's token properly - it does14:21
dstaneka 500?14:21
odyssey4menope, it's fine14:21
dstanekso it's just the federated fernet token that makes it shit the bed?14:22
odyssey4medstanek yep14:22
*** lhcheng has joined #openstack-keystone14:22
*** ChanServ sets mode: +v lhcheng14:22
dstanekhave you cracked open the tokens to compare?14:23
odyssey4medstanek what's the best way to do that?14:24
*** lhcheng has quit IRC14:26
dstanekodyssey4me: something like this should work:
*** topol has joined #openstack-keystone14:29
*** ChanServ sets mode: +v topol14:29
odyssey4medstanek the key is the fernet key file patch right?14:30
odyssey4meie '/etc/keystone/fernet-keys/0' ?14:30
dstanekyeah, likely the highest numbered file14:32
odyssey4mehmm, TypeError: Incorrect padding14:33
odyssey4mecheck /root/ in the keystone container14:34
raildodstanek, Do you know what is the best way to test a change that have cross-repository dependency? I have a change in the keystonemiddleware that depends from a change in keystone client. I'm trying to put the keystoneclient patch in the requeriments.txt but it doesn't work very well14:35
dstanekodyssey4me: use the contents of the key itself14:36
dstanekodyssey4me: try that..just fixed it14:36
*** henrynash has joined #openstack-keystone14:36
*** ChanServ sets mode: +v henrynash14:36
dstanekraildo: yes...well no....there is a tag that you can put in the commit message. maybe 'Depends-on'14:36
dstanekraildo: nailed it!
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: Project tree deletion
odyssey4medstanek ah, need to print the contents out14:37
dstanekok, be back in a little bit. going for a vacation run14:37
raildoI use this tag in the patch, but I don't know how to test locally (tun tox with this dependency)14:38
raildodstanek, ^14:38
*** r-daneel has joined #openstack-keystone14:42
dstanekraildo: you'll have to install it in your virtual env14:44
*** e0ne is now known as e0ne_14:44
dstanekif your experimental patch is in /opt/stack/oslo.config and keystone is in /opt/stack/keystone14:45
dstaneki would 'cd /opt/stack/oslo.config; /opt/stack/keystone/.tox/py27/bin/python develop'14:45
dstanekthat will install whatever version os oslo.config you have there into keystone's py27 virtualenv14:46
*** e0ne_ is now known as e0ne14:46
*** haypo has left #openstack-keystone14:46
dstanekthen when you run tox -e py27 you'll have the correct version14:46
dstanekthere may be magic -infra tooling for this, but in general it's just Python venv stuff14:46
dstanekof source change olso.config and keystone to be what ever projects you are working on14:47
dstanekok...really taking off now - be back in an hour or so14:47
raildodstanek, great, i'll try this, thank you  :)14:47
*** stevemar has joined #openstack-keystone14:47
marekddstanek: are you talking fernet + federation or just fernet?14:48
marekddstanek: for tht you need to ping lbragstad or dolphm14:48
*** htruta has joined #openstack-keystone14:50
*** stevemar has quit IRC14:51
odyssey4memarekd fernet works just fine for internal users, but when using fernet + federation then nova blows up cc dstanek14:53
odyssey4methe decoded token for federation has more data in it14:54
marekdodyssey4me: so it works with keystone ? (fernet + fed)14:54
*** belmoreira has quit IRC14:54
odyssey4memarekd keystone auth is working fine - haven't really tried doing anything privileged inside keystone with a federated token14:55
marekdodyssey4me: maybe you can try doing that? I will  test it myself on Monday...and it's a pity that all the interesting bugs come up just before a break (i am going for holiday next Tuesday)14:58
*** lufix has quit IRC14:58
marekdodyssey4me: please, file a bug and assign it to me.14:58
odyssey4memarekd see the difference in interaction in the nova log when verifying the token:
*** jraim has quit IRC15:00
*** markvoelker has quit IRC15:00
*** jraim has joined #openstack-keystone15:00
odyssey4memarekd the internal user has "user": {"domain": {"id": "default", "name": "Default"}, "id": "76c8c3017c954d88a6ad69ee4cb656d6", "name": "test"}15:02
odyssey4methe federated user has "user": {"OS-FEDERATION": {"identity_provider": {"id": "adfs-idp"}, "protocol": {"id": "saml2"}, "groups": []}, "id": "S-1-5-21-2917001131-1385516553-613696311-1108", "name": "S-1-5-21-2917001131-1385516553-613696311-1108"}15:02
odyssey4methe whole data structure is different15:02
*** bdossant has quit IRC15:03
odyssey4meI see that the 'roles' and 'project' data structures aren't there either15:03
odyssey4memarekd a bug in keystone, or in nova?15:05
marekdodyssey4me: it's strange that goups are empty.15:08
*** henrynash has quit IRC15:08
marekdodyssey4me: so it may be agains bug15:08
marekdagainst keystone15:09
odyssey4memarekd great will do - what's good information to add to the bug :)15:11
marekdodyssey4me: everything :-)15:16
marekdlogs, environment etc.15:16
marekdhow to reproduce...15:16
*** afazekas has quit IRC15:26
*** henrynash has joined #openstack-keystone15:26
*** ChanServ sets mode: +v henrynash15:26
*** browne1 has joined #openstack-keystone15:29
*** browne has quit IRC15:29
*** _cjones_ has joined #openstack-keystone15:31
*** bdossant has joined #openstack-keystone15:31
*** bdossant has quit IRC15:37
*** viktors is now known as viktors|afk15:38
*** hrou has quit IRC15:42
*** henrynash has quit IRC15:42
*** hrou has joined #openstack-keystone15:44
*** vilobhmm has joined #openstack-keystone15:45
*** e0ne has quit IRC15:45
*** hrou has quit IRC15:46
odyssey4memarekd you don't appear to be on launchpad?15:47
marekdodyssey4me: marek-denis15:47
odyssey4methe bug is registered:
openstackLaunchpad bug 1471289 in Keystone "Fernet tokens and Federated Identities result in token scope failures" [Undecided,New]15:47
odyssey4memarekd ah, it seems that I can't assign it to you for some reason :/15:49
odyssey4memarekd great - I hope that's enough information to go on15:50
*** henrynash has joined #openstack-keystone15:50
*** ChanServ sets mode: +v henrynash15:50
*** _cjones_ has quit IRC15:51
*** _cjones_ has joined #openstack-keystone15:52
*** ericksonsantos has quit IRC15:52
*** zzzeek has joined #openstack-keystone15:59
openstackgerritAlexander Makarov proposed openstack/keystone: Materialized path mixin
amakarovsamueldmq, hi! Are you here? Can you please take a look ^^ ?16:02
*** dims_ has quit IRC16:08
*** stevemar has joined #openstack-keystone16:15
*** jistr has quit IRC16:24
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone-specs: Dynamic Policies Fetch and Cache
*** ctracey has quit IRC16:28
*** ctracey has joined #openstack-keystone16:28
samueldmqamakarov: just reviewed, let me know if you have any question, agree/disagree with the points I've put there16:31
*** hrou has joined #openstack-keystone16:31
*** zzzeek has quit IRC16:34
*** zzzeek has joined #openstack-keystone16:34
*** vilobhmm1 has joined #openstack-keystone16:37
*** vilobhmm has quit IRC16:37
*** dguerri is now known as dguerri`16:47
*** drjones has joined #openstack-keystone16:47
*** jdennis has quit IRC16:47
*** drjones has quit IRC16:48
*** drjones has joined #openstack-keystone16:48
*** markvoelker has joined #openstack-keystone16:49
*** _cjones_ has quit IRC16:49
*** dims_ has joined #openstack-keystone16:51
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone-specs: Dynamic Policies Delivering Mechanism
*** browne1 has quit IRC17:00
*** dims_ has quit IRC17:01
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone-specs: Dynamic Policies with Custom IDs
*** amaretskiy has quit IRC17:02
*** serverascode has quit IRC17:04
*** serverascode has joined #openstack-keystone17:06
*** Kiall has quit IRC17:15
*** Kiall has joined #openstack-keystone17:16
*** mgarza_ has joined #openstack-keystone17:24
*** _cjones_ has joined #openstack-keystone17:44
*** drjones has quit IRC17:44
*** vilobhmm1 has quit IRC17:45
*** drjones has joined #openstack-keystone17:46
amakarovsamueldmq, I argee about naming - will rename17:46
*** drjones has quit IRC17:47
*** drjones has joined #openstack-keystone17:47
*** _cjones_ has quit IRC17:48
openstackgerritAlexander Makarov proposed openstack/keystone: Materialized path mixin
*** henrynash has quit IRC17:52
*** jecarey has joined #openstack-keystone17:56
*** BrAsS_mOnKeY has quit IRC18:06
*** mgarza_ has quit IRC18:06
*** mgarza_ has joined #openstack-keystone18:10
*** stevemar has quit IRC18:10
*** stevemar has joined #openstack-keystone18:10
*** boris-42 has quit IRC18:12
*** arunkant__ has joined #openstack-keystone18:15
*** arunkant_ has quit IRC18:18
*** zigo has quit IRC18:18
*** zigo has joined #openstack-keystone18:22
*** dguerri` is now known as dguerri18:34
*** _cjones_ has joined #openstack-keystone18:36
*** dguerri is now known as dguerri`18:36
*** dguerri` is now known as dguerri18:36
*** dguerri is now known as dguerri`18:38
*** drjones has quit IRC18:39
*** BrAsS_mOnKeY has joined #openstack-keystone18:39
*** BrAsS_mOnKeY has quit IRC18:39
*** zhiyan has quit IRC18:41
*** zhiyan has joined #openstack-keystone18:41
*** stevemar has quit IRC18:43
*** janonymous_ has joined #openstack-keystone18:46
*** topol has quit IRC18:49
*** mgarza_ has quit IRC18:49
*** edmondsw has joined #openstack-keystone18:52
*** edmondsw has quit IRC18:52
*** mgarza_ has joined #openstack-keystone18:57
-openstackstatus- NOTICE: is offline for scheduled database maintenance, ETA 19:30 UTC19:03
*** ChanServ changes topic to " is offline for scheduled database maintenance, ETA 19:30 UTC"19:03
brad[]Is it possible to use an LDAP backend for non-service users only, with API v2?19:12
brad[]Or is that only possible because of the capabilities of v3?19:12
bretonyou can do it using domains. domains are available only when you auth via v3.19:21
-openstackstatus- NOTICE: is still offline for scheduled database maintenance, ETA 19:45 UTC19:31
*** ChanServ changes topic to " is still offline for scheduled database maintenance, ETA 19:45 UTC"19:31
*** drjones has joined #openstack-keystone19:32
*** _cjones_ has quit IRC19:34
*** drjones has quit IRC19:47
*** _cjones_ has joined #openstack-keystone19:47
*** ajayaa has quit IRC19:49
*** mgarza_ has quit IRC19:49
*** mgarza has joined #openstack-keystone19:49
*** ChanServ changes topic to "| Review Code, Specs, Etc | Keystone MidCycle 15, 16, 17 | US Independence Day is observed 7/3 (Friday)"19:53
*** Ephur has joined #openstack-keystone20:02
*** jistr has joined #openstack-keystone20:08
*** ajayaa has joined #openstack-keystone20:08
*** fifieldt_ has joined #openstack-keystone20:19
*** fifieldt has quit IRC20:22
*** amakarov is now known as amakarov_away20:24
*** dguerri` is now known as dguerri20:24
*** ajayaa has quit IRC20:25
*** dguerri is now known as dguerri`20:25
*** raildo has quit IRC20:29
*** stevemar has joined #openstack-keystone20:31
*** stevemar has quit IRC20:35
*** drjones has joined #openstack-keystone20:42
*** drjones has quit IRC20:42
*** drjones has joined #openstack-keystone20:43
*** _cjones_ has quit IRC20:43
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements
*** jistr has quit IRC20:50
*** HT_sergio has joined #openstack-keystone20:52
brad[]breton: This'll sound like I haven't done any research (I swear I have!) - is keystone v3 ready for general use?20:53
brad[]The info I've found has been ambiguous about that20:53
brad[]API v3 I should say20:53
openstackgerritAlberto Murillo proposed openstack/keystone: disable admin_token by default
*** _cjones_ has joined #openstack-keystone21:01
*** drjones has quit IRC21:04
*** BrAsS_mOnKeY has joined #openstack-keystone21:12
*** BrAsS_mOnKeY has quit IRC21:26
*** gordc has quit IRC21:30
*** stevemar has joined #openstack-keystone21:32
*** gabriel-bezerra has quit IRC21:35
*** stevemar has quit IRC21:36
*** _cjones_ has quit IRC21:42
*** _cjones_ has joined #openstack-keystone21:42
*** hrou has quit IRC21:46
*** r-daneel has quit IRC21:58
*** henrynash has joined #openstack-keystone22:04
*** ChanServ sets mode: +v henrynash22:04
*** henrynash has quit IRC22:07
*** ajayaa has joined #openstack-keystone22:12
*** htruta_ has joined #openstack-keystone22:14
*** HT_sergio has quit IRC22:15
*** gabriel-bezerra has joined #openstack-keystone22:17
bretonbrad[]: it is stable and should be used.22:17
bretonbrad[]: how to switch components to use it, ayoung here wrote it22:17
*** Ephur has quit IRC22:18
*** BrAsS_mOnKeY has joined #openstack-keystone22:21
*** rushiagr is now known as rushiagr_away22:23
*** mgarza has quit IRC22:26
*** drjones has joined #openstack-keystone22:32
*** _cjones_ has quit IRC22:32
*** zzzeek has quit IRC22:36
*** stevemar has joined #openstack-keystone22:48
*** stevemar has quit IRC22:50
*** dims_ has joined #openstack-keystone23:01
*** dims_ has quit IRC23:07
*** hrou has joined #openstack-keystone23:14
*** dims_ has joined #openstack-keystone23:14
*** stevemar has joined #openstack-keystone23:18
*** dims_ has quit IRC23:18
*** _cjones_ has joined #openstack-keystone23:27
*** stevemar has quit IRC23:27
*** stevemar has joined #openstack-keystone23:28
*** drjones has quit IRC23:29
*** _cjones_ has quit IRC23:50
*** _cjones_ has joined #openstack-keystone23:51

Generated by 2.14.0 by Marius Gedminas - find it at!