Monday, 2015-07-27

*** chlong has joined #openstack-keystone		00:00
*** ankita_wagh has quit IRC		00:08
*** hrou has joined #openstack-keystone		00:12
*** r-daneel has joined #openstack-keystone		00:37
*** r-daneel has quit IRC		00:44
*** dims has joined #openstack-keystone		00:58
*** tellesnobrega has quit IRC		01:10
*** iurygregory has quit IRC		01:11
*** gabriel-bezerra has quit IRC		01:11
*** samueldmq has quit IRC		01:11
*** ericksonsantos has quit IRC		01:11
*** Kennan has quit IRC		01:13
*** htruta has quit IRC		01:14
*** iurygregory has joined #openstack-keystone		01:15
*** htruta has joined #openstack-keystone		01:15
*** samueldmq has joined #openstack-keystone		01:15
*** ericksonsantos has joined #openstack-keystone		01:15
*** Kennan has joined #openstack-keystone		01:16
*** tellesnobrega has joined #openstack-keystone		01:16
*** gabriel-bezerra has joined #openstack-keystone		01:17
*** krotsche_vaca is now known as krotscheck		01:28
*** davechen has joined #openstack-keystone		01:31
*** htruta_ has quit IRC		01:34
bigjools	is it possible to mix different identity services in the same domain?	01:34
openstackgerrit	Dave Chen proposed openstack/keystone: Show friendly message when request body is not provided https://review.openstack.org/195001	01:38
openstackgerrit	Dave Chen proposed openstack/keystone: Region creation with id given also need schema validation https://review.openstack.org/201007	01:39
*** topol has joined #openstack-keystone		01:39
*** ChanServ sets mode: +v topol		01:39
*** chenhong has joined #openstack-keystone		02:06
ayoung	bigjools, no.	02:16
ayoung	and with that, I am going to sleep. Ask me more tomorrow	02:17
bigjools	ayoung: thanks. :)	02:17
*** ayoung has quit IRC		02:17
*** topol has quit IRC		02:31
*** jsavak has joined #openstack-keystone		02:37
openstackgerrit	jiaxi proposed openstack/keystone: Reject create endpoint with invalid urls https://review.openstack.org/200512	02:40
*** jsavak has quit IRC		02:41
*** hakimo has joined #openstack-keystone		02:52
*** hakimo_ has quit IRC		02:54
*** markvoelker has joined #openstack-keystone		02:58
*** snapdey has joined #openstack-keystone		02:58
*** dims has quit IRC		02:59
*** tsubic has quit IRC		02:59
*** snapdey has quit IRC		03:02
*** markvoelker has quit IRC		03:02
*** topol has joined #openstack-keystone		03:31
*** ChanServ sets mode: +v topol		03:31
openstackgerrit	Dave Chen proposed openstack/keystone: Merge `clean.py` into `utils.py` https://review.openstack.org/205886	03:33
*** topol has quit IRC		03:36
*** dims has joined #openstack-keystone		04:00
*** dims has quit IRC		04:06
*** hrou has quit IRC		04:08
*** btully has joined #openstack-keystone		04:11
*** jecarey has joined #openstack-keystone		04:12
*** Kennan2 has joined #openstack-keystone		04:20
*** Kennan has quit IRC		04:20
*** ankita_wagh has joined #openstack-keystone		04:25
*** marzif has joined #openstack-keystone		04:41
*** jecarey has quit IRC		04:47
*** markvoelker has joined #openstack-keystone		04:58
*** browne has joined #openstack-keystone		05:02
*** markvoelker has quit IRC		05:03
*** marzif has quit IRC		05:11
*** pballand has joined #openstack-keystone		05:18
*** jasonsb has joined #openstack-keystone		05:18
*** pballand has quit IRC		05:40
*** browne has quit IRC		05:41
*** browne has joined #openstack-keystone		05:41
*** fifieldt has joined #openstack-keystone		06:00
*** dims has joined #openstack-keystone		06:03
*** ParsectiX has joined #openstack-keystone		06:05
*** dims has quit IRC		06:09
*** lsmola has joined #openstack-keystone		06:12
*** mestery has quit IRC		06:31
*** btully has quit IRC		06:56
*** markvoelker has joined #openstack-keystone		06:59
*** markvoelker has quit IRC		07:04
*** pnavarro has joined #openstack-keystone		07:14
*** henrynash has joined #openstack-keystone		07:15
*** ChanServ sets mode: +v henrynash		07:15
*** pawel_ has quit IRC		07:17
*** lsmola has quit IRC		07:21
*** lsmola has joined #openstack-keystone		07:21
*** miguelgrinberg has joined #openstack-keystone		07:24
*** lhcheng has joined #openstack-keystone		07:24
*** ChanServ sets mode: +v lhcheng		07:24
*** chlong has quit IRC		07:28
openstackgerrit	jiaxi proposed openstack/keystone: Reject create endpoint with invalid urls https://review.openstack.org/200512	07:34
*** ankita_wagh has quit IRC		07:41
*** fifieldt has quit IRC		07:42
*** jistr has joined #openstack-keystone		07:44
*** fhubik has joined #openstack-keystone		07:45
*** topol has joined #openstack-keystone		07:49
*** ChanServ sets mode: +v topol		07:49
*** ankita_wagh has joined #openstack-keystone		07:49
*** topol has quit IRC		07:53
jagter	hi guys	07:55
jagter	is it possible to create a domain admin who is only allowed to see/create projects/users in his own domain?	07:55
*** ankita_wagh has quit IRC		08:13
*** fhubik is now known as fhubik_afk		08:22
*** fhubik_afk is now known as fhubik		08:26
*** lhcheng has quit IRC		08:29
*** aix has joined #openstack-keystone		08:31
*** e0ne has joined #openstack-keystone		08:33
*** browne has quit IRC		08:36
*** fhubik is now known as fhubik_afk		08:36
*** fhubik_afk is now known as fhubik		08:41
*** eandersson has joined #openstack-keystone		09:00
*** markvoelker has joined #openstack-keystone		09:00
*** markvoelker has quit IRC		09:05
*** dims has joined #openstack-keystone		09:06
*** dims has quit IRC		09:11
openstackgerrit	Marek Denis proposed openstack/keystoneauth-saml2: Standardize federated auth token scoping https://review.openstack.org/177227	09:23
*** yottatsa has joined #openstack-keystone		09:23
*** fhubik is now known as fhubik_afk		09:26
*** afazekas has joined #openstack-keystone		09:28
*** yottatsa has quit IRC		09:40
*** yottatsa has joined #openstack-keystone		09:41
*** bradjones has joined #openstack-keystone		09:42
*** bradjones has quit IRC		09:42
*** bradjones has joined #openstack-keystone		09:42
*** fhubik_afk is now known as fhubik		09:43
*** henrynash has quit IRC		09:48
yottatsa	davechen, pls see https://review.openstack.org/#/c/205554/	09:50
*** yottatsa has quit IRC		09:51
*** davechen has left #openstack-keystone		09:54
*** dims has joined #openstack-keystone		10:04
*** yottatsa has joined #openstack-keystone		10:05
*** dims_ has joined #openstack-keystone		10:06
*** dims has quit IRC		10:10
*** lhcheng has joined #openstack-keystone		10:18
*** ChanServ sets mode: +v lhcheng		10:18
Daviey	Hey, given just a token - the only way I can determine what roles that token has is by creating a new one, using it for Auth - right?	10:19
*** chenhong has quit IRC		10:20
*** dobson` has quit IRC		10:21
*** albertom has quit IRC		10:21
*** Guest66585 has quit IRC		10:21
*** mancdaz has quit IRC		10:21
*** albertom has joined #openstack-keystone		10:22
yottatsa	yep, the only way is rescope your token via Auth	10:22
Daviey	yottatsa: thanks	10:23
*** lhcheng has quit IRC		10:23
*** dan_ has joined #openstack-keystone		10:23
*** dan_ is now known as Guest47142		10:24
yottatsa	Daviey, BTW, if you're writing the Application that receive user requests, you could check token against the API	10:24
yottatsa	http://developer.openstack.org/api-ref-identity-admin-v2.html#admin-validateToken http://developer.openstack.org/api-ref-identity-v3.html#validateTokens	10:24
*** dobson has joined #openstack-keystone		10:25
Daviey	yottatsa: Yeah, that is what i want to do - but also get a list of roles, without knowing the Project or User.	10:26
yottatsa	AFAIK in OpenStack, if you're an app, you can only work with the scope of the token	10:29
yottatsa	Daviey, tell me more about your case	10:30
Daviey	yottatsa: Well, currently looking at https://github.com/openstack/anchor/blob/73c989342b41fbd3b370193730c651b9afb50bdd/anchor/auth/keystone.py#L28	10:31
Daviey	Which is all kinds of broken	10:31
Daviey	yottatsa: for starters the return code is 201 on a POST	10:31
yottatsa	calling GET /v3/auth/tokens with your app token in X-Auth-Token and user token in X-Subject-Token will get you his roles in project the token scoped	10:34
Daviey	yottatsa: Perfect, thanks	10:36
yottatsa	also, there is keystonemiddleware that will do all the work	10:36
Daviey	yottatsa: Yeah, that is what i'd like to do.. but first I wanted to do the minimal to unbreak this.	10:38
Daviey	I more wanted validation that I wasn't going nuts.	10:39
marekd	samueldmq: so, afair all this dynamic policy is going to be optional at least for couple of first releases when it's merged	10:39
openstackgerrit	Vladimir Eremin proposed openstack/keystone: Replace 401 to 404 when token is invalid https://review.openstack.org/205554	10:40
*** pnavarro is now known as pnavarro\|lunch		10:40
*** mancdaz has joined #openstack-keystone		10:41
jamielennox	Daviey: what the hell is that - i've not seen anyone else use that pattern	10:43
Daviey	jamielennox: Yeah, it doesn't work either.	10:44
jamielennox	it seems to expect a token in the config file	10:44
Daviey	jamielennox: No, the service isn't trusted.. it has a keystone uri in the config, and just proxies the token provided by the user to the keystone service and processes the response.	10:45
jamielennox	i am not a great fan of some of the oslo libraries, but anchor seems to have gone out of it's way to not actually use any of the openstack libraries	10:46
jamielennox	Daviey: so... auth_token middleware?	10:46
Daviey	That would make sense.	10:46
Daviey	jamielennox: I wanted to fix this to at least /work/, then try and do it properly.	10:47
jamielennox	so keystoneclient has methods for validating an existing token	10:47
jamielennox	generally you need to have a token to validate another token though	10:48
Daviey	jamielennox: Maybe i should just drop this current implementation and go straight to using middleware.	10:48
jamielennox	hence why we have service users in auth_token middleware	10:48
jamielennox	i guess what they are doing with just rescoping kind of works as well	10:49
jamielennox	Daviey: they are already using paste	10:49
jamielennox	i would look at putting auth_token middleware in there and setting the ingore_invalid flag (i can't remember what it's called0	10:49
jamielennox	https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/__init__.py#L249	10:50
Daviey	right!	10:51
Daviey	jamielennox: that is useful, thanks	10:51
jamielennox	np	10:52
*** ParsectiX has quit IRC		10:52
jamielennox	alright - night everyone	10:53
*** kiran-r has joined #openstack-keystone		10:53
samueldmq	morning	10:53
samueldmq	marekd: yeah it is going to have a config option, and will be turned of by default	10:53
*** ParsectiX has joined #openstack-keystone		10:53
samueldmq	marekd: and just to be clear, what we are talking right now is about the centralized policy distribution, there other bits that will still be addressed in future cycles, like hierarchical roles, etc	10:54
samueldmq	jamielennox: hey, how far we are in the v3 only jobs in devstack? I saw a couple of patches have merged	10:59
*** yottatsa has quit IRC		11:01
*** markvoelker has joined #openstack-keystone		11:01
*** yottatsa has joined #openstack-keystone		11:02
*** markvoelker has quit IRC		11:05
*** pnavarro\|lunch has quit IRC		11:06
*** pnavarro\|lunch has joined #openstack-keystone		11:09
marekd	samueldmq: yeah, i figured there was not a single word about fixing 'global adminness'	11:19
marekd	samueldmq: i hope you are not triking everybody and the only thing will be centralized policies management :P	11:19
marekd	samueldmq: anyway, everywhere in the specs it looks like this will be default mechanism, and since it will be optional you should emphasize it.	11:19
marekd	thats my opinion.	11:20
samueldmq	marekd: hey I did that, I made clear there will be a config option	11:20
samueldmq	marekd: and per your comment in the spec last Friday, I made that still clearer by saying it will be false by default, meaning the old mechanism will be used	11:21
samueldmq	marekd: see 'other deployer impact' https://review.openstack.org/#/c/134655/13/specs/backlog/dynamic-policies-fetch-cache.rst	11:21
samueldmq	:)	11:21
*** yottatsa has quit IRC		11:29
*** marzif has joined #openstack-keystone		11:31
*** kiran-r has quit IRC		11:38
*** yottatsa has joined #openstack-keystone		11:40
*** jsavak has joined #openstack-keystone		11:41
*** jsavak has quit IRC		11:45
*** amakarov_away is now known as amakarov		11:52
*** jiaxi has joined #openstack-keystone		11:55
jiaxi	Hello,everyone	11:56
jiaxi	Is there anyone here ? adam david ?	11:56
*** jaosorior has joined #openstack-keystone		12:03
*** raildo has joined #openstack-keystone		12:04
*** lhcheng has joined #openstack-keystone		12:07
*** ChanServ sets mode: +v lhcheng		12:07
jiaxi	lhcheng ,Hi	12:08
*** fhubik is now known as fhubik_afk		12:09
jiaxi	Hello,everyone.	12:09
jiaxi	There is a bug that assined to me. But I don't know how to solve it. So anyone is free to take it.	12:10
jiaxi	bug is here : https://bugs.launchpad.net/keystone/+bug/1473292	12:10
openstack	Launchpad bug 1473292 in Keystone "Cannot delete or show a trust with an expired date" [High,Triaged] - Assigned to jiaxi (tjxiter)	12:10
*** lhcheng has quit IRC		12:11
marekd	dolphm: lbragstad: Read my comment at th bottom please: https://review.openstack.org/#/c/202176/	12:12
jiaxi	marekd: hello	12:13
*** gordc has joined #openstack-keystone		12:26
marekd	jiaxi: i am about to disappear	12:26
jiaxi	why	12:26
marekd	because i have to.	12:27
*** edmondsw has joined #openstack-keystone		12:30
*** chlong has joined #openstack-keystone		12:30
*** lhcheng has joined #openstack-keystone		12:31
*** ChanServ sets mode: +v lhcheng		12:31
*** lhcheng has quit IRC		12:35
*** TheIntern has joined #openstack-keystone		12:36
jiaxi	TheIntern, hi	12:37
*** stevemar has joined #openstack-keystone		12:39
*** ChanServ sets mode: +v stevemar		12:39
*** stevemar has quit IRC		12:39
*** jiaxi has quit IRC		12:43
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Use classifier for python-memcached https://review.openstack.org/206044	12:43
*** topol has joined #openstack-keystone		12:44
*** ChanServ sets mode: +v topol		12:44
*** hrou has joined #openstack-keystone		12:45
*** woodster_ has joined #openstack-keystone		12:45
*** bknudson has quit IRC		12:46
*** jiaxi has joined #openstack-keystone		12:51
jiaxi	dstanek	12:52
jiaxi	dstanek: hello,david	12:52
*** dguerri` is now known as dguerri		12:52
*** _hrou_ has joined #openstack-keystone		13:00
*** fhubik_afk is now known as fhubik		13:00
*** hrou has quit IRC		13:01
*** stevemar has joined #openstack-keystone		13:05
*** ChanServ sets mode: +v stevemar		13:05
*** stevemar has quit IRC		13:05
*** edmondsw has quit IRC		13:08
*** fhubik is now known as fhubik_afk		13:08
*** jsavak has joined #openstack-keystone		13:12
*** fhubik_afk is now known as fhubik		13:13
*** yottatsa has quit IRC		13:14
*** bknudson has joined #openstack-keystone		13:14
*** ChanServ sets mode: +v bknudson		13:14
dstanek	jiaxi: hi	13:19
*** browne has joined #openstack-keystone		13:19
dstanek	jiaxi: did you see my email?	13:19
*** btully has joined #openstack-keystone		13:19
*** Nirupama has joined #openstack-keystone		13:20
*** kiran-r has joined #openstack-keystone		13:22
samueldmq	dstanek: hi, I was thinking about how we decide what policy to get from a list of endpoint_ids .. in the current proposal, we iterate over the list and get the first endpoint_id which has a policy associated with it	13:23
samueldmq	dstanek: an alternative would be pass the list to the server, and it will decide what policy to return	13:24
samueldmq	dstanek: that would be better in the case we need to consider higher policies (service/region) and multiple endpoint_ids , we keep all the compelxity in the server	13:24
jiaxi	dstanek: Yes, I have read it. I got out to buy some water. Return just now	13:24
jiaxi	dstanek: What you said is pretty right.	13:25
*** _kiran_ has joined #openstack-keystone		13:27
*** dsirrine has joined #openstack-keystone		13:27
*** browne has quit IRC		13:28
dstanek	samueldmq: so the current spec the middleware will pull down N policies and iterate over them to find the best match?	13:28
*** Nirupama has quit IRC		13:28
dstanek	jiaxi: cool, if you trim down that patch to only fix the bug i think we can get it merged quickly	13:29
jiaxi	dstanek: I have updated it. Just running tox now.	13:29
samueldmq	dstanek: no, actually it iterates over the list of endpoint_ids, and call the server, if the response is valid, break and use that policy	13:29
*** kiran-r has quit IRC		13:30
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Add is_domain in token response https://review.openstack.org/197331	13:30
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Bye Bye Domain Table https://review.openstack.org/161854	13:30
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Honor domain operations in project table https://review.openstack.org/143763	13:30
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Remove domain table references https://review.openstack.org/165936	13:30
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: WIP: Change policy to comply with is_domain in token https://review.openstack.org/206063	13:30
jiaxi	samueldmq: You should have a good discuss with David, I have changed my code in direction for so many times...	13:32
dstanek	jiaxi: if you look back at my comments in your first few revisions you'll see that what it arrived at is what i was asking for :-)	13:33
*** markvoelker has joined #openstack-keystone		13:34
jiaxi	dstanek: Totally right. Only fix the bug. I just think about more cases above the issue.	13:35
*** samueldmq has quit IRC		13:35
jiaxi	dstanek: This is my first patch set to openstack, tt is aslo my first patch set to open source.	13:36
*** samueldmq has joined #openstack-keystone		13:36
dstanek	jiaxi: as a group we are pretty picky about cramming lots of things into a single patch; you'll get used to it	13:36
jiaxi	dstanek: lack experence.	13:36
jiaxi	dstanek: Yes , I will	13:37
dstanek	samueldmq: so a server hit to get a list of endpoint_ids and the 1..N server hits for each endpoint_id until you find the one you want?	13:37
*** stevemar has joined #openstack-keystone		13:37
*** ChanServ sets mode: +v stevemar		13:37
samueldmq	dstanek: basically yes, so the change would to to get 1 hit to find the appropriate policy as well	13:37
dstanek	jiaxi: your best bet is to keep things short and concise (since that makes a patch easier to read), but make sure that new/changed code is tested	13:38
*** fhubik is now known as fhubik_afk		13:38
jiaxi	dstanek: Okay, I will keep your words in mind.	13:39
dstanek	samueldmq: since you are already going to hit the server at least twice (and possibly up the num_endpoints+1) having a single hit where the server evaluates things seems like a good idea	13:39
*** _kiran_ has quit IRC		13:39
*** yottatsa has joined #openstack-keystone		13:39
*** yottatsa has quit IRC		13:40
dstanek	dolphm: lbragstad: fernet is still considered experimental right?	13:40
*** yottatsa has joined #openstack-keystone		13:40
samueldmq	dstanek: nice, thanks	13:40
samueldmq	dstanek can hold multiple conversations at the same time :)	13:41
*** chlong has quit IRC		13:42
jiaxi	samueldmq: :) means laugh ?	13:43
dstanek	jiaxi: a smile	13:44
samueldmq	jiaxi: that means a happy face :)	13:44
samueldmq	dstanek: ++	13:44
jiaxi	samueldmq: 你们会说中文吗？哈哈	13:44
samueldmq	jiaxi: lol	13:44
samueldmq	jiaxi: google translating that .. wait	13:45
jiaxi	samueldmq: what does lol mean ?	13:45
samueldmq	jiaxi: 是的，我讲	13:45
dstanek	jiaxi: no	13:45
jiaxi	samueldmq: ...	13:46
*** richm has joined #openstack-keystone		13:46
dstanek	jiaxi: 我很难有足够的时间与英语	13:46
jiaxi	dstanek: In fact, chinese is very easy to learn.	13:46
samueldmq	jiaxi: by definition that means 'laughing out loud', I use that in some funny situations, like you writing something in chinese and I have no idea what you said :p	13:47
samueldmq	dstanek: ++	13:47
samueldmq	dstanek: +1 what you said (after translating ..)	13:48
jiaxi	samueldmq: lol, :) I got it.	13:48
breton	哈 -- this looks like some weird house	13:48
jiaxi	breton: it means lol	13:49
dstanek	jiaxi: i intended to learn French for the paris summit, but that fell through. too hard to learn without having someone to talk to in that language	13:50
*** zzzeek has joined #openstack-keystone		13:50
samueldmq	dstanek: hmm.. tu peux le faire avec moi, je parles un petit peu de français :)	13:51
*** fhubik_afk is now known as fhubik		13:51
jiaxi	dstanek: Yes, so I learn english throught talking with you.	13:51
samueldmq	jiaxi: nice, most of the English I know I learned like you're doing :)	13:52
*** jistr has quit IRC		13:52
samueldmq	jiaxi: expose yourself to the language (music, text, movies, etc) and you'll learn it	13:52
*** jistr has joined #openstack-keystone		13:54
jiaxi	samueldmq: Good suggestion. I can sing serval english songs.	13:54
*** henrynash has joined #openstack-keystone		13:54
*** ChanServ sets mode: +v henrynash		13:54
openstackgerrit	jiaxi proposed openstack/keystone: Reject create endpoint with invalid urls https://review.openstack.org/200512	13:55
samueldmq	henrynash: good morning sir, thanks for your review on the 'centralized policy fetch'	13:56
samueldmq	henrynash: I am finishing a new patchset to address your concerns in a couple of minutes	13:56
henrynash	samueldmq: np…currently on a call…so response will be slow	13:56
samueldmq	henrynash: np, I will ping you as soon as I post it, thanks	13:56
*** edmondsw has joined #openstack-keystone		13:57
jiaxi	dstanek: Hello, David. My patch looks much much much much better now...	13:58
openstackgerrit	OpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/206082	13:59
dstanek	jiaxi: nice, thx	14:00
*** mylu has joined #openstack-keystone		14:00
*** boris-42 has joined #openstack-keystone		14:02
*** sigmavirus24_awa is now known as sigmavirus24		14:04
*** TheIntern has quit IRC		14:06
*** ParsectiX has quit IRC		14:07
jiaxi	Please have a look at my patch set https://review.openstack.org/#/c/200512/ It looks nice now.	14:09
*** jecarey has joined #openstack-keystone		14:15
*** TheIntern has joined #openstack-keystone		14:18
*** fhubik is now known as fhubik_afk		14:21
*** pnavarro\|lunch has quit IRC		14:22
*** fhubik_afk is now known as fhubik		14:24
*** mylu has quit IRC		14:27
*** ayoung has joined #openstack-keystone		14:27
*** ChanServ sets mode: +v ayoung		14:27
*** mylu has joined #openstack-keystone		14:28
*** henrynash has quit IRC		14:36
*** henrynash has joined #openstack-keystone		14:37
*** ChanServ sets mode: +v henrynash		14:37
*** yottatsa has quit IRC		14:41
*** r-daneel has joined #openstack-keystone		14:46
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone-specs: Centralized Policies Fetch and Cache https://review.openstack.org/134655	14:58
samueldmq	henrynash: I added the details/clarifications you asked for ^, thanks	14:58
*** pgbridge has joined #openstack-keystone		14:58
*** mestery has joined #openstack-keystone		15:00
*** jsavak has quit IRC		15:00
*** dsirrine has quit IRC		15:06
openstackgerrit	Victor Stinner proposed openstack/keystonemiddleware: Enable memcache tests on Python 3 https://review.openstack.org/206107	15:09
*** yottatsa has joined #openstack-keystone		15:14
*** browne has joined #openstack-keystone		15:16
*** yottatsa has quit IRC		15:18
*** jasonsb has quit IRC		15:18
*** davi8784 has joined #openstack-keystone		15:20
*** davi8784 has quit IRC		15:20
*** dims_ has quit IRC		15:21
*** TheIntern has quit IRC		15:21
*** dims has joined #openstack-keystone		15:21
*** aix has quit IRC		15:22
*** dsirrine has joined #openstack-keystone		15:22
*** thedodd has joined #openstack-keystone		15:22
jiaxi	Hello, everyone. Doen anyone have interest in hints ? Take this bug for free https://bugs.launchpad.net/keystone/+bug/1477451	15:23
openstack	Launchpad bug 1477451 in Keystone "Assumption that db drivers can ignore hints is false" [Medium,Triaged] - Assigned to jiaxi (tjxiter)	15:23
*** diazjf has joined #openstack-keystone		15:24
jiaxi	Okay, Now it's unsigned https://bugs.launchpad.net/keystone/+bug/1477451	15:25
openstack	Launchpad bug 1477451 in Keystone "Assumption that db drivers can ignore hints is false" [Medium,Triaged]	15:25
*** kiran-r has joined #openstack-keystone		15:25
*** _kiran_ has joined #openstack-keystone		15:26
*** dobson has quit IRC		15:29
*** jecarey has quit IRC		15:30
*** kiran-r has quit IRC		15:30
*** jecarey has joined #openstack-keystone		15:30
*** dobson has joined #openstack-keystone		15:34
dolphm	dstanek: it's a major change with less than 3 milestones under it's belt - so, sure!	15:34
dstanek	dolphm: i was just asking because i was a thread about using it for Fuel this morning	15:34
dstanek	dolphm: that's what i figured	15:34
dolphm	dstanek: i feel like the number of issues is fairly stable, and none are particularly severe (albeit, there's a couple broken use cases) https://bugs.launchpad.net/keystone/+bugs?field.tag=fernet	15:35
*** afazekas has quit IRC		15:36
*** pballand has joined #openstack-keystone		15:37
openstackgerrit	jiaxi proposed openstack/keystone: Reject create endpoint with invalid urls https://review.openstack.org/200512	15:39
dolphm	dstanek: do you remember the conversation in vancouver about including project IDs in k2k SAML assertions so that they could be replicated in the consuming cloud? i believe there's a BP for it	15:39
dolphm	https://blueprints.launchpad.net/keystone/+spec/cross-cloud-project-sync	15:39
*** jiaxi has quit IRC		15:41
ayoung	dolphm, lbragstad, I have a version of the revoke events code that does the linear search method instead of the tree. Want to beat on it an tell me if it suits your needs?	15:42
dolphm	ayoung: i'd be happy to benchmark it	15:42
ayoung	dolphm, https://review.openstack.org/#/c/205266/ thanks.	15:42
dolphm	ayoung: should that still be WIP?	15:42
dolphm	mfisch: you might be interested too ^	15:43
ayoung	dolphm, I'm certain it is tested code; the algorithm was actually maintained in the test branch of the Tree code. Do you want to keep it as WIP until you benchmark?	15:43
dolphm	ayoung: your call	15:44
*** lhcheng has joined #openstack-keystone		15:45
*** ChanServ sets mode: +v lhcheng		15:45
ayoung	dolphm, I've rewired all the tests to use the new code. I think it is OK not as WIP, since the Fernet tokens are still in experiement mode; if you are using Fernet, we should probably see a benefit to using this.	15:46
ayoung	dolphm, I think this will not get merged until you and lbragstad bless it anyway.	15:46
ayoung	I'm not planning any more work on it.	15:46
dolphm	ayoung: k	15:48
dolphm	anyone have a link to the midcycle etherpad?	15:49
*** henrynash has quit IRC		15:50
openstackgerrit	Boris Bobrov proposed openstack/keystone: Migrations squash https://review.openstack.org/203229	15:50
*** haneef has quit IRC		15:51
lhcheng	dolphm: https://etherpad.openstack.org/p/keystone-liberty-midcycle-meetup	15:51
dolphm	lhcheng: thanks!	15:51
*** _kiran_ has quit IRC		15:52
bknudson	dolphm: dstanek: if you're looking for fernet issues, see the results of running tempest using it: https://review.openstack.org/#/c/195780/	15:54
dstanek	bknudson: i'll take a look. i also have been working on a patch to fix the unicode issues in it so we don't keep doing the .encode().decode() pattern	15:55
dolphm	bknudson: last i looked, that was just an issue with the expiration microseconds being a lie?	15:55
dolphm	bknudson: i had a fix for that, and then lbragstad refactored a bunch of stuff and obliterated the fix	15:55
bknudson	dolphm: I don't know what all issues there were... the microseconds was one of them.	15:55
dolphm	the microseconds thing, although the bug reports gets it backwards https://bugs.launchpad.net/keystone/+bug/1469563	15:55
openstack	Launchpad bug 1469563 in Keystone liberty "Fernet tokens do not maintain expires time across rescope (V2 tokens)" [High,In progress] - Assigned to Lance Bragstad (lbragstad)	15:55
dolphm	err https://bugs.launchpad.net/keystone/+bug/1459790	15:56
openstack	Launchpad bug 1459790 in Keystone "With fernet tokens, validate token loses the ms on 'expires' value " [Low,Triaged] - Assigned to Dolph Mathews (dolph)	15:56
bknudson	I think tempest catches both of those	15:56
*** dtroyer_zz has quit IRC		15:56
bknudson	looks like the fix for https://bugs.launchpad.net/keystone/+bug/1459790 is already committed	15:57
openstack	Launchpad bug 1459790 in Keystone "With fernet tokens, validate token loses the ms on 'expires' value " [Low,Triaged] - Assigned to Dolph Mathews (dolph)	15:57
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Add is_domain field in Project Table https://review.openstack.org/157427	15:57
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Add is_domain in token response https://review.openstack.org/197331	15:57
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Bye Bye Domain Table https://review.openstack.org/161854	15:57
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Honor domain operations in project table https://review.openstack.org/143763	15:57
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Change policy to comply with is_domain in token https://review.openstack.org/206063	15:57
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Remove domain table references https://review.openstack.org/165936	15:57
bknudson	oh, the test is committed	15:57
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Change project name constraints https://review.openstack.org/158372	15:57
*** mgarza_ has joined #openstack-keystone		16:00
*** henrynash has joined #openstack-keystone		16:02
*** ChanServ sets mode: +v henrynash		16:02
dolphm	bknudson: that ended up merging just as a Related-Bug with tests	16:03
dolphm	bknudson: lbragstad has 4 in progress patches (one merged) that i need to rewrite against	16:04
dolphm	bknudson: basically, the issue is that the expiration time returned in the response body on token creation (which contains microseconds) doesn't match what fernet is actually encoding (which is an integer timestamp). so when you validate the token later, it returns the integer value just as fernet persisted it, rather than the microsecond value keystone originally claimed	16:05
*** henrynash has quit IRC		16:05
bknudson	dolphm: don't we want expiration times in microseconds?	16:06
dolphm	bknudson: the best you can do with fernet is .00000	16:06
bknudson	dolphm: same for issued_at ?	16:08
*** tqtran has joined #openstack-keystone		16:09
dolphm	bknudson: yes	16:09
bknudson	with https://review.openstack.org/#/c/205851/ we should be able to get a bunch of keystone tests working with py3	16:09
dolphm	bknudson: issued_at is what is actually persisted in the fernet spec itself. we carry the TTL in the payload (as an int) to compute the expiration	16:09
*** e0ne has quit IRC		16:10
bknudson	that's what I though	16:10
bknudson	thought	16:10
*** stevemar has quit IRC		16:16
*** jsavak has joined #openstack-keystone		16:17
openstackgerrit	Victor Stinner proposed openstack/keystonemiddleware: Enable memcache tests on Python 3 https://review.openstack.org/206107	16:19
*** jasonsb has joined #openstack-keystone		16:34
*** kiran-r has joined #openstack-keystone		16:34
*** _kiran_ has joined #openstack-keystone		16:35
*** afazekas has joined #openstack-keystone		16:36
*** mylu has quit IRC		16:37
*** _cjones_ has joined #openstack-keystone		16:38
*** mylu has joined #openstack-keystone		16:38
*** kiran-r has quit IRC		16:39
*** jsavak has quit IRC		16:40
*** snapdey has joined #openstack-keystone		16:41
openstackgerrit	Victor Stinner proposed openstack/keystonemiddleware: Enable memcache tests on Python 3 https://review.openstack.org/206107	16:42
*** jsavak has joined #openstack-keystone		16:46
*** afaranha has joined #openstack-keystone		16:46
*** afaranha has left #openstack-keystone		16:46
*** rm_work is now known as rm_work\|away		16:51
*** darrenc_ has joined #openstack-keystone		16:51
*** gus has quit IRC		16:52
*** darrenc has quit IRC		16:52
*** roxanaghe has joined #openstack-keystone		16:53
breton	when we talked about our "functional unit" tests, we talked about those using keystone.tests.unit.core.TestClient, right?	16:53
*** gus has joined #openstack-keystone		16:54
*** jistr has quit IRC		16:55
*** _kiran_ has quit IRC		16:55
*** topol has quit IRC		16:57
*** snapdey has quit IRC		16:57
*** afazekas has quit IRC		16:58
*** afazekas has joined #openstack-keystone		17:00
*** snapdey has joined #openstack-keystone		17:01
*** samleon has joined #openstack-keystone		17:02
*** jsavak has quit IRC		17:02
*** jsavak has joined #openstack-keystone		17:03
*** tqtran has quit IRC		17:04
dstanek	breton: no, functional tests will use requests	17:06
dstanek	we'll be building a base of stuff outside of that and hopefully in a better way	17:07
breton	dstanek: they will, but what do we use now instead of normal functional tests?	17:07
*** jasonsb has quit IRC		17:07
*** dguerri is now known as dguerri`		17:09
dstanek	breton: do you want to make new tests?	17:09
dstanek	we have a couple of ways i think that we do things - based on what you are trying to test	17:10
breton	dstanek: we have a bunch of tests in test_versions.py for example. I'm thinking about moving them all to functional/ and replace the TestClient they use	17:11
breton	dstanek: http://paste.openstack.org/show/405943/ something like that, just smarter	17:14
*** stevemar has joined #openstack-keystone		17:17
*** ChanServ sets mode: +v stevemar		17:17
*** ankita_wagh has joined #openstack-keystone		17:17
*** jasonsb has joined #openstack-keystone		17:21
*** stevemar has quit IRC		17:21
*** diazjf has quit IRC		17:22
*** afazekas has quit IRC		17:22
*** e0ne has joined #openstack-keystone		17:22
*** snapdey has quit IRC		17:24
*** jsavak has quit IRC		17:25
*** snapdey has joined #openstack-keystone		17:26
*** jsavak has joined #openstack-keystone		17:26
*** fhubik has quit IRC		17:28
SpamapS	Can somebody else look at this line and confirm what I'm seeing: you can make Keystone explode by making a .bak file in its key directory: https://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/providers/fernet/utils.py#n177	17:36
*** snapdey has quit IRC		17:36
*** boris-42 has quit IRC		17:40
*** mgarza_ has quit IRC		17:44
*** stevemar has joined #openstack-keystone		17:48
*** ChanServ sets mode: +v stevemar		17:48
dstanek	SpamapS: looks like that would be the case	17:49
SpamapS	dstanek: almost done writing a test :)	17:49
*** afazekas has joined #openstack-keystone		17:49
SpamapS	dstanek: thanks for looking at it	17:50
*** harlowja has joined #openstack-keystone		17:52
dstanek	SpamapS: np	17:53
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/204937	17:55
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements https://review.openstack.org/197254	17:55
SpamapS	same mistake in load_keys	17:56
bknudson	breton: tempest provides functional tests	17:56
breton	bknudson: why do we functional tests in keystone then?	17:57
bknudson	breton: tempest doesn't want to maintain them for us	17:57
edmondsw	bknudson, is there a spec for splitting auth out of keystoneclient? I can't seem to find it	17:58
bknudson	it would be great if we could get https://review.openstack.org/#/c/206044/ or something like it merged so that we can update reqs in keystonemiddleware again	17:58
*** jsavak has quit IRC		18:01
*** e0ne has quit IRC		18:01
*** jsavak has joined #openstack-keystone		18:02
*** Guest28145 is now known as tsymanczyk_		18:03
*** tsymanczyk_ is now known as Guest2544		18:04
* morganfainberg yawns		18:05
*** Guest2544 is now known as tsymanczyk		18:05
*** tsymanczyk is now known as Guest62601		18:05
dstanek	bknudson: do you need that now that memcache has been updated in https://review.openstack.org/#/c/197254 ?	18:05
*** spandhe has joined #openstack-keystone		18:07
*** jsavak has quit IRC		18:07
*** mylu has quit IRC		18:07
*** Guest62601 has quit IRC		18:08
*** mylu has joined #openstack-keystone		18:08
*** jsavak has joined #openstack-keystone		18:08
*** tsymanczyk has joined #openstack-keystone		18:10
*** snapdey has joined #openstack-keystone		18:10
morganfainberg	oh we finally got a python-memcache that works with py3?	18:12
morganfainberg	don't get me wrong, i still dislike the library	18:12
*** diazjf has joined #openstack-keystone		18:13
dstanek	lol, yes. unfortunately this may lower the motivation to replace it	18:13
*** afazekas has quit IRC		18:19
*** jsavak has quit IRC		18:21
openstackgerrit	Clint 'SpamapS' Byrum proposed openstack/keystone: Handle non-numeric files in key_repository https://review.openstack.org/206177	18:21
*** jsavak has joined #openstack-keystone		18:21
dstanek	morganfainberg: so i wanted some practice with Python internals so over the weekend i created a new project that asserts params/returns/raises from the docstring against the function calls at test time	18:24
openstackgerrit	Sam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate https://review.openstack.org/156870	18:24
morganfainberg	dstanek: neat!	18:24
dstanek	i need to get it published today, but i've been running against Keystone as my tests	18:24
dstanek	hmmm...maybe i need a few real tests too	18:25
openstackgerrit	Sam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate https://review.openstack.org/156870	18:26
SpamapS	dstanek: ^^ that patch I just issued is the fix for the non-numeric files in key_repository btw. Your +1 would be very much appreciated. :)	18:26
dstanek	SpamapS: looking	18:27
*** ayoung has quit IRC		18:30
*** eandersson has quit IRC		18:32
openstackgerrit	Morgan Fainberg proposed openstack/keystone-specs: Specification for alternative wsgi documents https://review.openstack.org/206181	18:35
*** snapdey has quit IRC		18:36
morganfainberg	dstanek: also looking forward to seeing flask impl patches go up	18:36
*** rm_work\|away is now known as rm_work		18:37
*** morganfainberg changes topic to "Liberty-2 this week! Land Code! \| MidCycle Etherpad: https://etherpad.openstack.org/p/keystone-liberty-midcycle-meetup"		18:37
dstanek	SpamapS: i think that looks good. just skip over the files that don't fit the pattern?	18:41
dstanek	morganfainberg: ++	18:41
*** boris-42 has joined #openstack-keystone		18:42
*** mylu has quit IRC		18:47
bknudson	dstanek: we still do need the change to get rid of test-requirements-py3,.txt	18:48
*** ankita_wagh has quit IRC		18:50
SpamapS	dstanek: yeah, I mean, they don't do any harm.	18:50
dstanek	bknudson: yes, i made that change locally with you as the co-author - want me to push it or did you have something ready to go?	18:50
SpamapS	dstanek: logging them at least alerts the admin to their presence in a place they should not be.	18:50
SpamapS	dstanek: though we could also just log at DEBUG and forget that too.	18:51
*** ankita_wagh has joined #openstack-keystone		18:51
bknudson	dstanek: https://review.openstack.org/#/c/206044/ gets rid of test-requirements-py3.txt	18:51
*** mylu has joined #openstack-keystone		18:51
bknudson	although it might not work now that g-r has changed... might need to run update-requirements again	18:52
*** stevemar2 has joined #openstack-keystone		18:56
*** ChanServ sets mode: +v stevemar2		18:56
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Merge test-requirements-py3.txt to test-requirements.txt https://review.openstack.org/206044	18:57
stevemar2	dolphm, hey!	18:58
dolphm	stevemar2: o/	18:58
stevemar2	dolphm, showing folks how to use irc	18:58
stevemar2	keep the profanity down	18:58
stevemar	stevemar2: stevemar2 is the fake one	18:59
bknudson	stevemar2: how do you use irc?	18:59
* bknudson still hasn't figured it out		18:59
samueldmq	morganfainberg, dstanek I'd like to check the sanity of what I am saying in the policy spec at keystone side with you guys	19:00
stevemar2	bknudson, use same time instead	19:00
bknudson	slack!	19:01
samueldmq	morganfainberg: dstanek policy has to be the same in processes behind a proxy.. besides the regular cache control to make it possible, I am saying we need the concept of policy 'releases'	19:01
samueldmq	morganfainberg: dstanek i.e, if my timeout is 5 min, I will save a copy of policy with id X at 12:00 at that is what I will deliver to service endpoints asking for policy X	19:02
samueldmq	morganfainberg: dstanek and that will be valid for (12:05 - now()), where 12:05 is the next release	19:02
samueldmq	morganfainberg: dstanek so that would require a table to store the 'last_released_policies'	19:03
samueldmq	does that seem to be sane ? :)	19:03
*** stevemar2 is now known as not_stevemar		19:06
*** _hrou_ is now known as hrou		19:06
samueldmq	stevemar: look at this guy >>> not_stevemar	19:09
samueldmq	:-)	19:09
not_stevemar	samueldmq, imposter!	19:10
samueldmq	not_stevemar: oh, I don't know how you have privileged modes in the channel for both nicknames .. :(	19:11
*** samueldmq is now known as not_samueldmq		19:11
not_samueldmq	not_stevemar: hi	19:12
not_samueldmq	not_stevemar: better now :)	19:12
*** jeffDeville has joined #openstack-keystone		19:12
not_stevemar	not_samueldmq, i do? oh thats funny	19:13
not_samueldmq	not_stevemar: yeah, you do :) send me the tutorial to put that on mine's as well	19:13
not_samueldmq	not_stevemar: hehe	19:13
SpamapS	dolphm: OH! I see where I read the code wrong. TokenFormatter.crypto() is run on every validation!	19:17
*** not_samueldmq is now known as samueldmq		19:17
*** snapdey has joined #openstack-keystone		19:22
openstackgerrit	Dolph Mathews proposed openstack/keystone: Fix remaining mention of KLWT https://review.openstack.org/206195	19:23
openstackgerrit	Dolph Mathews proposed openstack/keystone: Fix remaining mention of KLWT https://review.openstack.org/206195	19:24
*** amakarov is now known as amakarov_away		19:27
not_stevemar	dstanek, hey!	19:27
dolphm	SpamapS: correct	19:31
openstackgerrit	Clint 'SpamapS' Byrum proposed openstack/keystone: Handle non-numeric files in key_repository https://review.openstack.org/206177	19:34
SpamapS	dolphm: cool, that also means you definitely don't want logging in load_keys. :)	19:34
dolphm	SpamapS: that logging is currently serving as a reminder that we re-load keys all the friggin' time ;)	19:34
*** jsavak has quit IRC		19:35
dolphm	SpamapS: related bug https://bugs.launchpad.net/keystone/+bug/1452418	19:35
openstack	Launchpad bug 1452418 in Keystone "Fernet tokens read from disk on every request" [Low,In progress] - Assigned to Dolph Mathews (dolph)	19:35
*** jeffDeville has left #openstack-keystone		19:35
*** topol has joined #openstack-keystone		19:36
*** ChanServ sets mode: +v topol		19:36
dstanek	if you're not_stevemar, then who are you?	19:39
SpamapS	dolphm: I'm not surprised to hear that caching didn't solve much though. It's a pretty inexpensive operation to read a few text files that are already in VFS cache compared to doing crypto. :-P	19:40
*** ayoung has joined #openstack-keystone		19:43
*** ChanServ sets mode: +v ayoung		19:43
dstanek	dolphm: is that bug a won't fix since you abandoned your change? or do you still want to reduce the loggine?	19:45
dstanek	logging	19:45
*** harlowja has quit IRC		19:45
dolphm	dstanek: i wanted to leave it open in case it came up for discussion again - i'm fine to make it Won't Fix, but yeah, logging is a little verbose	19:46
*** spandhe has quit IRC		19:48
*** mestery has quit IRC		19:54
*** jsavak has joined #openstack-keystone		19:55
*** not_stevemar has quit IRC		19:56
*** stevemar has quit IRC		19:56
*** stevemar has joined #openstack-keystone		19:57
*** ChanServ sets mode: +v stevemar		19:57
*** harlowja has joined #openstack-keystone		20:01
*** stevemar has quit IRC		20:01
*** jsavak has quit IRC		20:02
*** jsavak has joined #openstack-keystone		20:04
*** jasonsb has quit IRC		20:04
*** spandhe has joined #openstack-keystone		20:10
*** dramakri has joined #openstack-keystone		20:11
*** snapdey has quit IRC		20:14
*** snapdey_ has joined #openstack-keystone		20:16
*** flwang has quit IRC		20:19
*** topol has quit IRC		20:20
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone-specs: Centralized Policies Distribution Mechanism https://review.openstack.org/197980	20:20
*** spandhe has joined #openstack-keystone		20:21
*** spandhe has quit IRC		20:22
*** stevemar has joined #openstack-keystone		20:24
*** ChanServ sets mode: +v stevemar		20:24
*** TheIntern has joined #openstack-keystone		20:25
dramakri	morganfainberg: ping.. can you please take a look at this patch which deals with reusing token_ref fetched in AuthContextMiddleware - https://review.openstack.org/#/c/190863/ ? ayoung and henry-nash have +2ed it and is waiting for workflow approval. Thanks!	20:29
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone-specs: Centralized Policies Fetch and Cache https://review.openstack.org/134655	20:31
*** jasonsb has joined #openstack-keystone		20:32
*** ankita_w_ has joined #openstack-keystone		20:32
*** flwang has joined #openstack-keystone		20:32
*** ankita_wagh has quit IRC		20:33
*** ankita_wagh has joined #openstack-keystone		20:34
*** ankita_w_ has quit IRC		20:34
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone-specs: Centralized Policies Distribution Mechanism https://review.openstack.org/197980	20:34
*** spandhe has joined #openstack-keystone		20:34
*** spandhe has quit IRC		20:34
sigmavirus24	dolphm: bknudson morganfainberg hate to bug you, but y'all had taken a look at https://review.openstack.org/#/c/204741/ previously, thoughts?	20:37
dolphm	sigmavirus24: whoa, this has certainly changed	20:38
sigmavirus24	bknudson: gave some really good feedback and I noticed a logic bomb myself	20:38
*** pnavarro has joined #openstack-keystone		20:38
ayoung	dramakri, no need to bother morganfainberg with issues like that	20:39
sigmavirus24	Also better comments explaining what exactly is happening (I found an obscure socket programming reference that cleared up some of my confusion on the topic of how keep-alives work when configured a certain way)	20:39
sigmavirus24	I thought I'd use the code there as a cogent example for future readers/maintainers	20:39
ayoung	dramakri, the person we really want to see it is jamielennox but its a bit early for him yet	20:39
dramakri	ayoung: sorry, didn't know that.	20:40
dramakri	ayoung: okay, will check with him later.	20:40
ayoung	dramakri, not a big deal. jamielennox is the client side guru, but it could be any of the cores. Henrynash is just being cautious.	20:40
dramakri	ayoung: okay, thanks!	20:40
*** spandhe has joined #openstack-keystone		20:41
morganfainberg	sigmavirus24: ooh wow	20:42
sigmavirus24	morganfainberg: I also need to investigate the keystoneauth failures, but there's a patch for that	20:42
morganfainberg	sigmavirus24: yeah	20:42
* sigmavirus24 doesn't want infra getting caught in another 131.25 timeout situation		20:42
sigmavirus24	*131.25 min	20:42
morganfainberg	sigmavirus24: the keystoneauth one is important as well since we'll be moving that way	20:42
sigmavirus24	morganfainberg: so I heard at the summit :)	20:43
*** snapdey_ has quit IRC		20:43
*** spandhe has quit IRC		20:45
*** snapdey has joined #openstack-keystone		20:45
*** spandhe has joined #openstack-keystone		20:47
*** harlowja_ has joined #openstack-keystone		20:47
openstackgerrit	Merged openstack/keystone: Updated from global requirements https://review.openstack.org/204937	20:49
*** harlowja has quit IRC		20:51
*** stevemar has quit IRC		20:55
*** raildo has quit IRC		21:00
*** pballand has quit IRC		21:04
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/206223	21:04
*** miguelgrinberg_ has joined #openstack-keystone		21:06
openstackgerrit	Roxana Gherle proposed openstack/keystone: Include latest oslo.config in requirements.txt https://review.openstack.org/206224	21:07
openstackgerrit	Henrique Truta proposed openstack/keystone: Restrict inherited role assignments to subdomains https://review.openstack.org/164180	21:12
*** hrou has quit IRC		21:16
*** dguerri` is now known as dguerri		21:21
*** david8hu has quit IRC		21:31
*** htruta_ has joined #openstack-keystone		21:36
*** david8hu has joined #openstack-keystone		21:36
*** mylu has quit IRC		21:41
*** diazjf has left #openstack-keystone		21:43
*** ankita_w_ has joined #openstack-keystone		21:43
*** ankita_wagh has quit IRC		21:45
*** snapdey has quit IRC		21:50
*** 16WAADQEM has joined #openstack-keystone		21:52
dolphm	i'm talking to myself about port numbers in this review if anyone wants to hit me with a stick please https://review.openstack.org/#/c/205667/2/keystone/tests/unit/test_versions.py,unified	21:52
bknudson	dolphm: it is totally possible that it doesn't start up a server to listen on any port.	21:54
*** dguerri is now known as dguerri`		21:55
*** pballand has joined #openstack-keystone		21:56
*** iurygregory has quit IRC		21:56
*** dguerri` is now known as dguerri		21:57
marekd	dolphm: Hi. Appreciated you comments or suggestions on https://review.openstack.org/#/c/202176/	22:01
marekd	I could give it a stab tomorrow.	22:01
morganfainberg	dolphm: at least your comments to yourself are entertaining	22:01
*** TheIntern has quit IRC		22:04
*** topol has joined #openstack-keystone		22:05
*** ChanServ sets mode: +v topol		22:05
marekd	bknudson: morganfainberg: Your super power eyes would be also very helpful. We are running into problems with fernet federated tokens as we will need to keep either groups or roles in the scoped fernet payload: https://review.openstack.org/#/c/202176/	22:07
morganfainberg	marekd: keep all the things! i mean...	22:08
morganfainberg	marekd: looooooking	22:08
marekd	morganfainberg: make fernet new PKI! i mean....was super kidding!	22:09
*** chlong has joined #openstack-keystone		22:09
marekd	i am about to wake away but some sort of input on the review would speed things up :-) thanks!	22:09
bknudson	we should put the service catalog in the fernet token.	22:11
morganfainberg	marekd: waking away, is that some kind of irish thing?	22:11
bknudson	just as a JSON string	22:12
morganfainberg	bknudson: i think we should totally put the fernet token in the fernet token so we can fernet fernet fernet fernet fernet fernet	22:12
bknudson	everybody wants dual-scoped tokens...	22:12
morganfainberg	bknudson: lies, I want quad scoped tokens	22:12
morganfainberg	i hear they're all the rage	22:12
bknudson	probably one scope per service	22:13
morganfainberg	can we just remove scope all together?	22:13
bknudson	I've got to admit I've never cared what my scope it.	22:14
bknudson	is	22:14
*** edmondsw has quit IRC		22:14
bknudson	but then I just login as admin	22:14
morganfainberg	bknudson: I don't use scope - http://www.raininghotcoupons.com/wp-content/uploads/2015/06/e2643f8434fcd6bb63887faf94943a00.gif - stuff is gross	22:15
bknudson	you're not supposed to swallow it	22:15
marekd	morganfainberg: i think i meant 'walk away' and this is clear sign my brain needs some sleep :-)	22:16
marekd	bye!	22:16
morganfainberg	bknudson: oh.. so like fernet?	22:16
bknudson	alcohol content of Scope weighs in at 18.9%	22:16
*** dramakri has quit IRC		22:17
bknudson	fernet's 45%	22:18
*** samleon has quit IRC		22:21
*** gordc has quit IRC		22:21
*** harlowja_ has quit IRC		22:21
*** harlowja has joined #openstack-keystone		22:21
morganfainberg	lol	22:22
*** richm has quit IRC		22:28
*** miguelgrinberg_ has quit IRC		22:29
*** miguelgrinberg_ has joined #openstack-keystone		22:31
*** pnavarro has quit IRC		22:31
bigjools	is the	22:33
bigjools	argh	22:33
bigjools	is there any difference between ports 5000 and 35357 as far as the v3 api is concerned?	22:34
dolphm	bigjools: nope!	22:35
dolphm	bigjools: v2 behaves differently on each port, but v3 does not	22:35
bigjools	right, thanks	22:35
*** jsavak has quit IRC		22:38
*** dramakri has joined #openstack-keystone		22:39
*** dramakri has left #openstack-keystone		22:39
*** jsavak has joined #openstack-keystone		22:39
*** richm has joined #openstack-keystone		22:40
*** hrou has joined #openstack-keystone		22:44
dolphm	ayoung: i'm looking to benchmark https://review.openstack.org/#/c/205266/ a bit more deeply ... what's the best way to create a large number of revocation events in the tree, preferrably in test_v3_auth ?	22:48
dolphm	ayoung: i was thinking just creating and deleting a 1,000 unique users or something?	22:49
bknudson	you can configure your paste file to have different extensions on each port	22:50
dolphm	bigjools: ^	22:51
dolphm	bknudson: but our default paste file deploys the same pipeline on both ports	22:51
bigjools	ok - can you restrict issuing admin tokens to a port?	22:51
bknudson	bigjools: with custom middleware in your paste, sure.	22:52
bigjools	is that for both api versions?	22:52
*** dguerri is now known as dguerri`		22:52
morganfainberg	bigjools: what do you mean by admin token?	22:52
bknudson	it's all configurable in paste pipeline	22:52
morganfainberg	a token with a specific role? or you mean the "admin_token" paste api entry?	22:53
bigjools	morganfainberg: admin roles I guess	22:53
morganfainberg	bigjools: that really isn't something that is easily defineable	22:53
bigjools	yeah	22:53
morganfainberg	since what is an "admin" token in v3?	22:54
morganfainberg	it oculd be any role - tied to the policy.json	22:54
morganfainberg	also remember "admin" and "main" go away as a distinction in v3 as well	22:54
*** bknudson has quit IRC		22:54
*** miguelgrinberg_ has quit IRC		22:54
bigjools	yeah, noticed that	22:55
morganfainberg	ideally with v3 we'll be dropping the two ports in general as well	22:55
morganfainberg	v3-only that is	22:55
bigjools	sounds reasonable if there's no difference any more	22:57
*** henrynash has joined #openstack-keystone		22:58
*** ChanServ sets mode: +v henrynash		22:58
*** henrynash has quit IRC		22:58
bigjools	does the pipeline handle token issuance?	22:58
dolphm	bigjools: yes	22:59
bigjools	cool	22:59
*** pballand has quit IRC		22:59
dolphm	bigjools: there are three application objects in paste that can produce x-auth-tokens, plus the middleware that produces ec2 "style" tokens	22:59
dolphm	bigjools: v2's admin app, v2's service app, and the v3 app	23:00
*** 16WAADQEM has quit IRC		23:02
*** r-daneel has quit IRC		23:02
bigjools	dolphm: great, thanks!	23:02
*** snapdey has joined #openstack-keystone		23:05
openstackgerrit	Merged openstack/python-keystoneclient: Set reasonable defaults for TCP Keep-Alive https://review.openstack.org/204741	23:06
*** arahal has joined #openstack-keystone		23:06
*** zzzeek has quit IRC		23:07
*** jaosorior has quit IRC		23:11
*** thedodd has quit IRC		23:12
*** thedodd has joined #openstack-keystone		23:12
*** thedodd has quit IRC		23:16
*** darrenc_ is now known as darrenc		23:18
*** jsavak has quit IRC		23:28
*** jecarey has quit IRC		23:31
*** arahal has quit IRC		23:37
*** arahal has joined #openstack-keystone		23:37
*** arahal has quit IRC		23:37
*** markvoelker has quit IRC		23:40
*** jiaxi has joined #openstack-keystone		23:55
jiaxi	Good morning, everyone	23:56
jiaxi	ayoung: are you here ?	23:57
jiaxi	dstanek: Hello, David.	23:57
jiaxi	jamielennox : Hi,jamielennox	23:58
jamielennox	jiaxi: hello	23:58
jiaxi	Could you have a look at my patch set ? https://review.openstack.org/#/c/200512/	23:59
jiaxi	I think it's much much better now.	23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!