Monday, 2015-08-03

« Sunday, 2015-08-02 Index Tuesday, 2015-08-04 »
*** markvoelker has quit IRC00:02
*** dims_ has joined #openstack-keystone00:02
*** chlong has joined #openstack-keystone00:03
bigjoolswill see if I can come over after lunch, depends on the mrs00:04
*** dimsum__ has quit IRC00:04
*** ankita_w_ has joined #openstack-keystone00:11
*** ankita_wagh has quit IRC00:14
morganfainbergbigjools: are you hiding around the sprint area(s)00:23
bigjoolsmorganfainberg: I'm at home!00:23
morganfainbergbigjools: ahhh00:23
bigjoolsthe mrs is out this morning and we have a needy dog that can't be left on her own00:24
morganfainbergbigjools: ah ok00:28
bigjoolsI'll try to get over later00:29
*** Kennan has left #openstack-keystone00:29
morganfainbergjamielennox: https://review.openstack.org/#/c/190532/ if you don't mind taking a look00:31
morganfainberg(backlog)00:31
*** dims_ has quit IRC00:50
*** dimsum__ has joined #openstack-keystone00:53
*** lhcheng has joined #openstack-keystone00:55
*** ChanServ sets mode: +v lhcheng00:55
openstackgerritMerged openstack/keystoneauth: Expose bug in AccessToken  https://review.openstack.org/20509400:56
openstackgerritMerged openstack/keystoneauth: Fix decorators of properties in AccessToken  https://review.openstack.org/20520901:02
*** jamielennox is now known as jamielennox|away01:08
*** ankita_w_ has quit IRC01:15
*** ankita_wagh has joined #openstack-keystone01:16
*** dimsum__ has quit IRC01:25
*** dimsum__ has joined #openstack-keystone01:28
bigjoolsjamielennox|away, morganfainberg: I am heading your way now, will be there in around an hour.01:30
*** jsavak has joined #openstack-keystone01:31
*** davechen has joined #openstack-keystone01:32
morganfainbergbigjools: jamielennox|away wandered off but will be back in a couple hours01:33
morganfainbergwe are here01:33
bigjoolsmorganfainberg: which room?01:35
morganfainberggrand windsor room01:35
bigjoolsok cool, see you soon01:35
morganfainbergwhere the afternoon teas were01:35
*** jsavak has quit IRC01:36
*** piyanai has joined #openstack-keystone01:39
*** davechen1 has joined #openstack-keystone01:46
*** davechen has quit IRC01:49
*** davechen has joined #openstack-keystone01:54
*** davechen1 has quit IRC01:56
*** markvoelker has joined #openstack-keystone01:59
*** dimsum__ has quit IRC02:02
*** markvoelker has quit IRC02:03
*** kiran-r has joined #openstack-keystone02:27
*** kiran-r has quit IRC02:27
*** topol has joined #openstack-keystone02:28
*** ChanServ sets mode: +v topol02:28
*** piyanai has quit IRC02:29
*** topol has quit IRC02:33
*** hakimo_ has joined #openstack-keystone02:52
*** piyanai has joined #openstack-keystone02:53
*** hakimo has quit IRC02:54
*** alejandrito has quit IRC03:12
*** topol has joined #openstack-keystone03:20
*** ChanServ sets mode: +v topol03:20
*** topol has quit IRC03:24
*** jecarey has joined #openstack-keystone03:33
*** piyanai has quit IRC03:58
*** Daviey has quit IRC03:59
*** markvoelker has joined #openstack-keystone04:00
*** piyanai has joined #openstack-keystone04:04
*** markvoelker has quit IRC04:04
*** piyanai has quit IRC04:06
*** jecarey has quit IRC04:17
*** boris-42 has joined #openstack-keystone04:18
*** jamielennox|away is now known as jamielennox04:38
*** Daviey has joined #openstack-keystone04:58
*** kiran-r has joined #openstack-keystone05:03
*** Nirupama has joined #openstack-keystone05:05
openstackgerritAndrey Pavlov proposed openstack/keystonemiddleware: Adding parse of protocol v4 of AWS auth to ec2_token  https://review.openstack.org/20544005:19
*** urulama has joined #openstack-keystone05:20
*** yottatsa has joined #openstack-keystone05:21
*** yottatsa has quit IRC05:21
*** btully has quit IRC05:30
bretongood morning, keystone05:34
*** yottatsa has joined #openstack-keystone05:35
*** afazekas has joined #openstack-keystone05:37
*** harlowja has quit IRC05:44
*** afazekas has quit IRC05:46
*** afazekas has joined #openstack-keystone05:49
*** josecastroleon has joined #openstack-keystone05:58
*** markvoelker has joined #openstack-keystone06:01
*** ParsectiX has joined #openstack-keystone06:04
*** markvoelker has quit IRC06:05
morganfainbergsooooo06:07
morganfainbergjust got almost everything working for uwsgi. soooooo easy06:08
morganfainbergdstanek: ^^06:08
*** pcaruana has quit IRC06:09
*** Kennan has joined #openstack-keystone06:11
*** lhcheng has quit IRC06:11
morganfainberglbragstad, dstanek, dolph, (cc bknudson) : starting a fresh checkout of keystone (keystone-deploy) I get 2015-08-03 05:45:25.211 96 WARNING oslo_log.versionutils [-] Deprecated: direct import of driver is deprecated as of Liberty in favor of entrypoints and may be removed in N.06:12
morganfainberghaven't looked if this is a default issue or a keystone-deploy issue06:12
*** yottatsa has quit IRC06:22
*** belmoreira has joined #openstack-keystone06:25
*** afazekas has quit IRC06:27
*** afazekas has joined #openstack-keystone06:31
bretonuwsgi is good06:40
*** geoffarn_ has joined #openstack-keystone06:47
*** geoffarnold has quit IRC06:50
*** browne1 has quit IRC07:04
*** yottatsa has joined #openstack-keystone07:04
*** e0ne has joined #openstack-keystone07:06
*** boris-42 has quit IRC07:10
*** henrynash has joined #openstack-keystone07:12
*** ChanServ sets mode: +v henrynash07:12
openstackgerritMarek Denis proposed openstack/keystone: Refactor: rename Fernet's unscoped federated payload  https://review.openstack.org/20219007:13
*** jsheeren has joined #openstack-keystone07:17
*** e0ne has quit IRC07:21
*** ankita_wagh has quit IRC07:28
*** fhubik has joined #openstack-keystone07:35
*** vivekd has joined #openstack-keystone07:35
*** chlong has quit IRC07:38
*** pcaruana has joined #openstack-keystone07:40
*** bdossant has joined #openstack-keystone07:46
*** mhu has quit IRC07:46
*** hrou has quit IRC07:47
*** e0ne has joined #openstack-keystone07:52
*** e0ne has quit IRC07:55
*** jamielennox is now known as jamielennox|away07:57
*** yottatsa has quit IRC07:57
*** lhcheng has joined #openstack-keystone08:00
*** ChanServ sets mode: +v lhcheng08:00
*** markvoelker has joined #openstack-keystone08:02
*** lhcheng has quit IRC08:04
*** markvoelker has quit IRC08:06
*** geoffarn_ has quit IRC08:10
*** jistr has joined #openstack-keystone08:15
*** henrynash has quit IRC08:16
*** aix has joined #openstack-keystone08:18
openstackgerritMerged openstack/keystone: Refactor _populate_roles_for_groups()  https://review.openstack.org/20778508:30
*** mhu has joined #openstack-keystone08:40
ParsectiXguys here is mandatory to pass project_id http://docs.openstack.org/developer/python-keystoneclient/using-api-v3.html#authenticating-using-sessions08:42
ParsectiX?08:42
marekdParsectiX: as opposed to 'tenant' ?08:43
ParsectiXI'm trying to pass only username and password and it fails to auth08:44
marekdParsectiX: with what error?08:44
*** mhu has quit IRC08:44
ParsectiXkeystoneclient.openstack.common.apiclient.exceptions.BadRequest: Expecting to find domain in user - the server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error. (HTTP 400)08:44
marekd"Expecting to find domain in user"08:45
ParsectiXyeap08:45
marekdso...?08:45
ParsectiXwhat's that ?08:45
marekdadd OS_USER_DOMAIN_NAME08:45
ParsectiXwhere can I find this info for an already existing user ?08:46
ParsectiXin the RC file does not included.08:46
marekdwhich API are you using?08:47
marekdAPI version08:47
ParsectiXV308:47
marekdso rc files are for v2 for now08:47
marekdtry domain 'defau;t'08:47
ParsectiXohh okay08:47
marekddefault08:47
ParsectiXno luck08:48
marekdParsectiX: so that's strange because i am getting different error: Set a scope, such as a project or domain, set a project scope with --os-project-name, OS_PROJECT_NAME or auth.project_name, set a domain scope with --os-domain-name, OS_DOMAIN_NAME or auth.domain_name08:49
marekdwhich is more like something you are talking about, but clearly you provided different log.08:50
ParsectiXI'm not using the env. variables. I'm trying to pass the values to  authentication = v3.Password(...) function08:51
marekdParsectiX: so how did you call it?08:52
marekdwhat params did you provide?08:52
ParsectiXauth_url, username, password and now domain_name08:53
ParsectiXi set the domain_name=None08:53
ParsectiXalso tried "default"08:53
marekdParsectiX: did it work with project specified?08:53
ParsectiXNo08:54
ParsectiXI was using this http://docs.openstack.org/developer/python-keystoneclient/using-api-v3.html#non-session-authentication-deprecated08:54
ParsectiXand now I'm trying to migrate to use sessions08:54
marekdhttp://www.jamielennox.net/blog/2014/09/15/how-to-use-keystoneclient-sessions/08:56
ParsectiXThanks let me read it08:56
marekdaha, and why asking if it will work without project since it didn't even work the "old way" ?08:56
ParsectiXI thought maybe that was the issue08:57
marekdaha08:57
ParsectiXmarekd: Thanks for your help08:57
marekdParsectiX: you welcome08:58
ParsectiXmarekd: it worked. the issue was to add those two arguments09:00
ParsectiXuser_domain_name='default',09:00
ParsectiXproject_domain_name='default'09:00
marekdok09:01
marekdcol09:01
marekdcool09:01
*** e0ne has joined #openstack-keystone09:08
openstackgerritBoris Bobrov proposed openstack/keystone-specs: Remove KDS from the list of api extensions  https://review.openstack.org/20838309:17
*** lexloofer is now known as lxsli09:20
*** urulama has quit IRC09:21
*** urulama has joined #openstack-keystone09:22
bretonhttp://developer.openstack.org/api-ref-identity-v2-ext.html#os-ksvalidate-ext -- where does this section come from? I can't find any reference to OS-KSVALIDATE in keystone-specs09:23
*** fhubik is now known as fhubik_afk09:26
*** fhubik_afk is now known as fhubik09:26
*** fhubik is now known as fhubik_afk09:27
ParsectiXGuys do you have any Doc mapping the old implementations of V2 to V3 ?09:36
ParsectiXAs an example I used this http://docs.openstack.org/developer/python-keystoneclient/api/keystoneclient.service_catalog.html#module-keystoneclient.service_catalog09:36
ParsectiXto get the service catalog09:36
ParsectiXand now looking how to do it with V309:37
ParsectiXand after some research i concluded that those functions are now in endpoint manager09:38
*** fhubik_afk is now known as fhubik09:44
*** marzif_ has quit IRC09:46
*** marzif_ has joined #openstack-keystone09:47
*** marzif_ has quit IRC09:48
*** lhcheng has joined #openstack-keystone09:49
*** ChanServ sets mode: +v lhcheng09:49
morganfainbergbreton: those api docs are wronf09:53
morganfainbergWrong09:53
*** lhcheng has quit IRC09:53
morganfainbergbreton: use the specs.openstack.org docs09:53
*** davechen has left #openstack-keystone09:54
*** marzif has joined #openstack-keystone09:57
bretonmorganfainberg: maybe we should ping someone to remove it09:58
morganfainbergIt is an active docs bug /09:59
morganfainbergBeen raised before.09:59
bretonok.09:59
morganfainbergIt shouldnt be removed, but updated automatically09:59
*** markvoelker has joined #openstack-keystone10:02
*** yottatsa has joined #openstack-keystone10:04
*** aix has quit IRC10:06
*** markvoelker has quit IRC10:07
*** Kennan has quit IRC10:07
*** blogan has quit IRC10:08
*** Guest58084 has quit IRC10:08
*** HenryG has quit IRC10:08
*** HenryG has joined #openstack-keystone10:08
*** blogan has joined #openstack-keystone10:08
*** Kennan has joined #openstack-keystone10:09
*** Guest58084 has joined #openstack-keystone10:09
*** lhcheng has joined #openstack-keystone10:13
*** ChanServ sets mode: +v lhcheng10:13
*** rdo has quit IRC10:14
*** rdo has joined #openstack-keystone10:16
*** e0ne has quit IRC10:16
*** e0ne has joined #openstack-keystone10:17
*** lhcheng has quit IRC10:18
*** josecastroleon has quit IRC10:20
*** dimsum__ has joined #openstack-keystone10:34
*** urulama has quit IRC10:37
*** urulama has joined #openstack-keystone10:38
*** piyanai has joined #openstack-keystone10:49
*** e0ne has quit IRC10:50
*** pcaruana has quit IRC10:57
*** josecastroleon has joined #openstack-keystone11:02
*** marzif has quit IRC11:09
*** marzif has joined #openstack-keystone11:10
*** pcaruana has joined #openstack-keystone11:14
*** dims_ has joined #openstack-keystone11:18
*** dimsum__ has quit IRC11:20
*** marzif has quit IRC11:27
*** amakarov_away is now known as amakarov11:30
*** edmondsw has joined #openstack-keystone11:31
*** kiran-r has quit IRC11:31
*** markvoelker has joined #openstack-keystone11:33
*** markvoelker has quit IRC11:38
*** fhubik is now known as fhubik_afk11:39
*** rdo has quit IRC11:41
*** rdo has joined #openstack-keystone11:42
samueldmqmorning11:46
samueldmqmorganfainberg: hey11:47
samueldmqmorganfainberg: you got up early or hadn't went sleep yet or are you in a different tz ?11:47
samueldmqmorganfainberg:  or ... :-)11:47
*** iurygregory has joined #openstack-keystone11:47
morganfainbergsamueldmq: its 2148 here11:48
samueldmqmorganfainberg: uh where are you today ?11:48
morganfainberg2148, monday night that is11:48
samueldmqmorganfainberg: Australia?11:48
morganfainbergsamueldmq: hint - ill see koalas tomorrow11:49
morganfainbergYah11:49
morganfainbergBrisbane11:49
samueldmqmorganfainberg: haha great11:49
morganfainberg3 more days here.11:50
samueldmqmorganfainberg: was looking for some pics, looks to be a great city11:50
morganfainbergFun so far. Good food etc11:50
samueldmqnice, I suppose jamie is there as well11:50
marekdmorganfainberg: got a few minutes?11:51
samueldmqpycon australia ?11:51
morganfainbergsamueldmq: yes and yes11:51
morganfainbergmarekd: a few.11:51
samueldmqmorganfainberg: yes! o/11:51
samueldmqmorganfainberg: enjoy11:52
morganfainbergmarekd: talked with jamielennox|away btw, we have the short list of what is needed for keystoneauth11:52
morganfainbergIt's about 2-3 real11:52
marekdmorganfainberg: so, regarding revocations - we support revocation lists for uuid tokens, and do we have anything for fernet? Would it be revocation events? If so, does it work now?11:52
marekdmorganfainberg: great!11:52
morganfainbergPatches. Maybe 5-6 if you count minor tweaks11:53
morganfainbergRevocation events are used for fernet exclusively11:53
morganfainbergMust use revocation events for fernet. Uuid can be either token revocation list or events11:53
marekdmorganfainberg: so ksm will query for both revocation lists and revocation events.11:53
morganfainbergKsm will not ever query for the events11:54
marekdmorganfainberg: how do i decide on what uuid should use (lists vs events) ?11:54
morganfainbergEvents are keystone side only (during validate)11:54
bretonmarekd: events11:54
*** markvoelker_ has joined #openstack-keystone11:54
bretonmarekd: lists show some bad performance11:54
morganfainbergBut use events.11:54
marekdbreton: i know.11:54
*** dims_ has quit IRC11:54
marekdmorganfainberg: so a service gets a token, it must send it to keystone in order to validate, and server will basically match token with event.11:55
morganfainbergYes11:55
morganfainbergUuid and fernet require keystone to validate11:55
marekdmorganfainberg: sure.11:55
morganfainbergSo it works.11:55
*** dimsum__ has joined #openstack-keystone11:55
marekdmorganfainberg: so how is that better/faster ather than querying token table and checking if it's valid?11:56
marekdah, the process on invalidating tokens may take long so lots of tokesn...11:56
marekdis that a reason ?11:56
*** fhubik_afk is now known as fhubik11:56
morganfainbergIt is optimised for a balance of fernet and/or uuid. But if you have tons of tokens token lookup can be slow even with indexes11:56
marekdmorganfainberg: is ksm by default using revocation events?11:57
morganfainbergUuid will be faster revocations with a small table. However, events are more flexible and dont require table scans/updates of tons of rows11:57
morganfainbergKeystonemiddleware doesnt look at revocation events at all directly11:57
*** htruta_ has joined #openstack-keystone11:58
marekdksm, uh, right11:58
marekdvadliation on server side.11:58
morganfainbergYep11:58
morganfainbergEvents need some11:59
marekdrevocation event should be created for every operation like user delete, project delete, domain delete, idp delete etc (same for disabling)11:59
morganfainbergLove / profiling and updates.11:59
morganfainbergSo they can be made faster. But they are the better solution in most cases n11:59
marekdmorganfainberg: are revocation events some removed from the DB? Like...after some time or upon some action?12:01
morganfainbergThey are pruned on each new event12:01
morganfainbergIf they are expired on the next revocation, they are cleaned up.12:02
marekdmorganfainberg: smart.12:03
marekdall the code to look into is actually keystone/contrbi/revoke12:04
marekd?12:04
marekdmorganfainberg: one more question - how a even "user was deleted" can actually expire?12:04
morganfainbergNot sure what youre asking12:05
*** yottatsa_ has joined #openstack-keystone12:05
marekdmorganfainberg: you said " If they are expired on the next revocation, they are cleaned up"12:05
marekdmorganfainberg: what was expired - tokens or events ?12:05
*** yottatsa has quit IRC12:06
morganfainbergThe events12:07
*** dimsum__ has quit IRC12:08
*** javier_ has joined #openstack-keystone12:08
marekdhow can they expire?12:08
morganfainbergSo if an event is expired, when the next event is issued, we cleanup12:08
morganfainbergThey last for token_ttl + window12:08
morganfainbergYou dont need to keep them forever. They basically say "all tokens that match these rules from are invalid if they were issued before x datetime"12:09
marekdmorganfainberg: do we somewhere keep a time when was last token issued for this user/project/domain/something ? or it's statically calculated.12:09
morganfainbergAll tokens have an issued at time12:10
morganfainbergEvents are from the moment they are issued12:10
marekdmorganfainberg: ok, so expiration time of the event would be now() + tokens_ttl + window12:11
morganfainbergSo if i revoke all events for user x at midnight, (password change) the event is tied to when that password change occirrd12:11
morganfainbergAnd lasts for the token ttl (config options) and some extra12:11
morganfainbergTime12:11
morganfainbergYeah12:11
marekdmorganfainberg: ok, that's very helpful.12:12
marekdthanks!12:12
marekdnot bothering you too much now!12:12
morganfainbergHehe12:12
morganfainbergNo worries.12:12
*** raildo has joined #openstack-keystone12:18
*** dimsum__ has joined #openstack-keystone12:22
*** yottatsa_ has quit IRC12:24
*** marzif has joined #openstack-keystone12:24
*** yottatsa has joined #openstack-keystone12:24
*** e0ne has joined #openstack-keystone12:24
*** marzif has quit IRC12:24
*** yottatsa has quit IRC12:24
*** javier_ has quit IRC12:25
*** marzif has joined #openstack-keystone12:25
openstackgerritMerged openstack/keystonemiddleware: Merge test-requirements-py3.txt to test-requirements.txt  https://review.openstack.org/20604412:26
*** dims_ has joined #openstack-keystone12:27
*** dims__ has joined #openstack-keystone12:29
*** dimsum__ has quit IRC12:29
*** yottatsa has joined #openstack-keystone12:29
*** Nirupama has quit IRC12:30
*** dimsum__ has joined #openstack-keystone12:32
*** marzif_ has joined #openstack-keystone12:32
*** dims_ has quit IRC12:32
*** mflobo has left #openstack-keystone12:32
*** daemontool_ has joined #openstack-keystone12:33
*** marzif has quit IRC12:33
*** dims__ has quit IRC12:34
*** chlong has joined #openstack-keystone12:35
*** piyanai has quit IRC12:36
*** urulama has quit IRC12:36
*** urulama has joined #openstack-keystone12:37
*** dims_ has joined #openstack-keystone12:45
*** dimsum__ has quit IRC12:46
*** daemontool_ is now known as marzif12:46
*** yottatsa has quit IRC12:47
lbragstadmorganfainberg: interesting, you didn't have fatal_deprecations enabled by default did you?12:51
*** dims_ has quit IRC12:53
*** dimsum__ has joined #openstack-keystone12:54
*** topol has joined #openstack-keystone12:54
*** ChanServ sets mode: +v topol12:54
*** dimsum__ is now known as dims12:55
*** jsavak has joined #openstack-keystone12:57
*** browne has joined #openstack-keystone12:57
*** piyanai has joined #openstack-keystone12:57
*** topol has quit IRC12:59
*** jaosorior has joined #openstack-keystone12:59
*** yottatsa has joined #openstack-keystone13:01
*** markvoelker_ has quit IRC13:02
*** jsavak has quit IRC13:04
*** markvoelker has joined #openstack-keystone13:04
*** topol has joined #openstack-keystone13:04
*** ChanServ sets mode: +v topol13:04
*** jsavak has joined #openstack-keystone13:04
*** e0ne has quit IRC13:08
*** e0ne has joined #openstack-keystone13:10
*** aix has joined #openstack-keystone13:11
*** browne has quit IRC13:13
*** dsirrine has joined #openstack-keystone13:15
*** piyanai has quit IRC13:19
*** doug-fish has joined #openstack-keystone13:21
*** boris-42 has joined #openstack-keystone13:22
*** urulama has quit IRC13:23
*** urulama has joined #openstack-keystone13:23
*** dsirrine has quit IRC13:24
*** zzzeek has joined #openstack-keystone13:24
*** dsirrine has joined #openstack-keystone13:25
*** bapalm has joined #openstack-keystone13:27
*** TheIntern has joined #openstack-keystone13:30
*** bdossant_ has joined #openstack-keystone13:32
*** jsheeren has quit IRC13:33
*** bdossant has quit IRC13:33
*** ayoung has joined #openstack-keystone13:35
*** ChanServ sets mode: +v ayoung13:35
*** ayoung is now known as admiyo13:35
*** bdossant_ has quit IRC13:37
*** piyanai has joined #openstack-keystone13:38
*** richm1 has joined #openstack-keystone13:38
*** richm1 is now known as richm13:38
*** bdossant has joined #openstack-keystone13:40
*** tjcocozz has joined #openstack-keystone13:40
*** tjcocozz_ has joined #openstack-keystone13:40
-openstackstatus- NOTICE: The Gerrit service on review.openstack.org has been restarted in an attempt to improve performance.13:40
*** tjcocozz_ has quit IRC13:40
*** jistr is now known as jistr|mtg13:41
*** marzif_ has quit IRC13:43
*** marzif_ has joined #openstack-keystone13:44
*** bdossant has quit IRC13:44
*** h00327910__ has quit IRC13:48
*** bknudson has quit IRC13:49
*** browne has joined #openstack-keystone13:50
*** vivekd has quit IRC13:50
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation model  https://review.openstack.org/20848813:51
*** bapalm_ has joined #openstack-keystone13:51
*** sigmavirus24_awa is now known as sigmavirus2413:54
*** bapalm has quit IRC13:54
*** piyanai has quit IRC13:58
*** jsavak has quit IRC14:00
*** jsavak has joined #openstack-keystone14:02
*** josecastroleon has quit IRC14:02
*** mylu has joined #openstack-keystone14:05
*** browne has quit IRC14:08
*** ParsectiX has quit IRC14:10
*** afazekas has quit IRC14:12
*** pballand has quit IRC14:12
*** bknudson has joined #openstack-keystone14:13
*** ChanServ sets mode: +v bknudson14:13
*** fhubik is now known as fhubik_afk14:18
*** yottatsa has quit IRC14:19
*** jistr|mtg is now known as jistr14:20
*** yottatsa has joined #openstack-keystone14:20
*** fhubik_afk is now known as fhubik14:21
*** jsavak has quit IRC14:22
*** jsavak has joined #openstack-keystone14:23
*** jiaxi has joined #openstack-keystone14:24
*** yottatsa has quit IRC14:25
*** yottatsa has joined #openstack-keystone14:26
*** admiyo has quit IRC14:28
*** yottatsa has quit IRC14:31
*** jiaxi has quit IRC14:31
*** afazekas has joined #openstack-keystone14:32
*** yottatsa has joined #openstack-keystone14:33
*** jsavak has quit IRC14:35
*** jsavak has joined #openstack-keystone14:36
*** jecarey has joined #openstack-keystone14:37
*** yottatsa has quit IRC14:43
*** admiyo has joined #openstack-keystone14:43
*** hrou has joined #openstack-keystone14:58
openstackgerritBrant Knudson proposed openstack/keystone: Remove oslo import hacking check  https://review.openstack.org/20821614:59
*** piyanai has joined #openstack-keystone14:59
*** woodster_ has joined #openstack-keystone15:00
openstackgerritRodrigo Duarte proposed openstack/keystone: Honor domain operations in project table  https://review.openstack.org/14376315:01
openstackgerritRodrigo Duarte proposed openstack/keystone: Change project name constraints  https://review.openstack.org/15837215:01
*** konstantin-m has joined #openstack-keystone15:02
*** bdossant has joined #openstack-keystone15:05
konstantin-mHello, can anyone please review https://review.openstack.org/#/c/207456/   ?15:06
*** yottatsa has joined #openstack-keystone15:08
*** afazekas has quit IRC15:10
*** pcaruana has quit IRC15:13
*** diazjf has joined #openstack-keystone15:18
*** bdossant has quit IRC15:24
*** thedodd has joined #openstack-keystone15:28
*** mylu has quit IRC15:30
*** mylu has joined #openstack-keystone15:31
*** jsavak has quit IRC15:33
*** jsavak has joined #openstack-keystone15:34
*** pballand has joined #openstack-keystone15:34
*** pballand has quit IRC15:39
*** mestery is now known as mestery_afk_toda15:42
*** mestery_afk_toda is now known as mestery_afk15:42
openstackgerritRodrigo Duarte proposed openstack/keystone: Honor domain operations in project table  https://review.openstack.org/14376315:44
*** belmoreira has quit IRC15:45
*** gyee has joined #openstack-keystone15:47
*** ChanServ sets mode: +v gyee15:47
*** jiaxi_ has joined #openstack-keystone15:48
jiaxi_dstanek: Hi,David15:48
jiaxi_I met a problem with tox.15:49
rodrigodsanyone willing to review the first patch in Reseller chain? https://review.openstack.org/#/c/157427/15:49
jiaxi_when I run the cmd 'tox -i http://pypi.dev.ustack.com/simple -e py27 --notest'15:49
jiaxi_It failed15:50
jiaxi_ The relative error info is ' http://pypi.dev.ustack.com/simple/python-keystoneclient/ uses an insecure transport scheme (http). Consider using https if pypi.dev.ustack.com has it available'15:50
*** openstackgerrit_ has joined #openstack-keystone15:54
*** yottatsa has quit IRC15:57
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Docstring updates  https://review.openstack.org/20821315:58
*** yottatsa has joined #openstack-keystone16:02
*** _cjones_ has joined #openstack-keystone16:03
*** jsavak has quit IRC16:04
*** jsavak has joined #openstack-keystone16:06
*** rdo has quit IRC16:07
*** fhubik is now known as fhubik_afk16:07
*** konstantin-m has quit IRC16:07
*** rdo has joined #openstack-keystone16:08
*** mylu has quit IRC16:08
*** yottatsa has quit IRC16:09
*** fhubik_afk is now known as fhubik16:09
*** mylu has joined #openstack-keystone16:10
*** jiaxi_ has quit IRC16:11
*** lsmola has quit IRC16:11
*** mylu has quit IRC16:14
*** Ephur has joined #openstack-keystone16:14
*** _cjones_ has quit IRC16:16
*** browne has joined #openstack-keystone16:21
*** mylu has joined #openstack-keystone16:22
*** mylu has quit IRC16:25
*** marzif_ has quit IRC16:25
samueldmqdstanek: hey sir, you around ?16:27
*** jistr has quit IRC16:28
*** mylu has joined #openstack-keystone16:28
openstackgerritBrant Knudson proposed openstack/keystone: Documentation for other services  https://review.openstack.org/20480116:29
*** jdandrea has joined #openstack-keystone16:29
*** yottatsa has joined #openstack-keystone16:31
*** geoffarnold has joined #openstack-keystone16:31
*** lhcheng has joined #openstack-keystone16:37
*** ChanServ sets mode: +v lhcheng16:37
*** TheIntern has quit IRC16:37
*** e0ne has quit IRC16:38
*** yottatsa has quit IRC16:39
samueldmqlhcheng: hi16:40
lhchengsamueldmq: hello!16:40
*** urulama has quit IRC16:40
*** urulama has joined #openstack-keystone16:41
samueldmqlhcheng: there was a thread earlier today from someone talking about dynamic policies as UI component16:41
*** Guest23066 has quit IRC16:42
samueldmqlhcheng: the message is from Timur Sufiev from Mirantis and has 'UI for Keystone dynamic policies editing' as subject16:43
samueldmqlhcheng: did you see that ? He posted a link of a demo where there is some interface he'd like to re-use for dynamic policies in horizon16:43
samueldmqlhcheng: I'd appreciate some of your view on that (with your Horizon cap)16:44
samueldmq:-)16:44
*** yottatsa has joined #openstack-keystone16:44
*** browne has quit IRC16:45
*** kiran-r has joined #openstack-keystone16:46
lhchengsamueldmq: I've seen the mistral workbook in the last summit16:47
lhchengsamueldmq: I think there are some opportunity for concept re-use16:47
samueldmqlhcheng: do you think we can re-use some of that for policies ?16:48
lhchengsamueldmq: seems like for policy editing, we can use some of the its existing component16:48
*** yottatsa has quit IRC16:48
samueldmqlhcheng: nice, anyway it will be only for M in Horizon (or later), as we are still trying to finish our side (keystone) this cycle16:48
samueldmqlhcheng: hmm, so he is really talking about re-using the UI components16:49
samueldmqlhcheng: I will thank him and say we will take his comments/suggestions in consideration when we start creating the horizon side of policies16:50
samueldmqlhcheng: or if he's aiming to implement that ... :-)16:50
lhchengsamueldmq: yeah, that's what I thought.16:51
bretonor we can invite him here16:51
samueldmqlhcheng: nice16:51
lhchengsamueldmq: I think the workbook is oookay.. but there are still a lot things needed. like how to build rules16:51
lhchengsamueldmq: otherwise, it is just  looks like a fancier input for key/value pairs16:52
bretonafaik mistral is a not a ready solution, it's a framework16:52
samueldmqlhcheng: yes, and we're having some hard times to get our work in policies for this cycle16:52
samueldmqlhcheng: waiting a bit more to look how it's going to change over the next cycle is safe to then start looking at the interface details16:53
samueldmqlhcheng: if that makes sense ..16:53
samueldmqbreton: cc ^16:53
*** jasonsb has quit IRC16:54
*** piyanai has quit IRC16:55
*** ankita_wagh has joined #openstack-keystone16:55
lhchengsamueldmq: defining the policy rule should still be the same.. like  <rule#1> OR <rule#2>, role:<role_name>16:56
lhchengsamueldmq: they could start working on that16:57
lhchengsamueldmq: some sort of rule expression builder16:57
samueldmqlhcheng: hmm, yes16:57
*** rdo has quit IRC16:57
*** tjcocozz has quit IRC16:57
samueldmqlhcheng: yeah makes sense16:57
samueldmqlhcheng: as the role would still be in the same semantics, even though we provide better apis to create them16:58
lhchengsamueldmq: I think that would be the hard part for the ui16:58
samueldmqlhcheng: I meant rule :(16:58
samueldmqlhcheng: why is it the hard part for the ui ?16:58
*** jsavak has quit IRC16:59
lhchengsamueldmq: expression builder is usually hard to build right16:59
*** rdo has joined #openstack-keystone16:59
*** jsavak has joined #openstack-keystone16:59
samueldmqlhcheng: nice, so as soon as we start talking about it, we get it right earlier :-)17:00
lhchengsamueldmq: maybe this is where the new UX project can help17:00
*** ankita_wagh has quit IRC17:00
lhchengtsufiev: ^17:00
samueldmqlhcheng: new UX project ? what is that ?17:00
lhchengsamueldmq: there was a new UX project approved couple of weeks ago...17:00
tsufievlhcheng, samueldmq: hello!17:01
samueldmqlhcheng: ah nice, tsufiev hi, I hadn't noticed you were available17:01
samueldmqtsufiev: so we were talking about your email in the ml earlier today :)17:01
lhchengsamueldmq: ux is the new openstack project for the month :P   http://governance.openstack.org/reference/projects/openstack-ux.html17:02
tsufievsamueldmq, yeah, breton already pinged me, but I didn't realize that the discussion is right now )17:02
samueldmqlhcheng: nice I am gonna take a look at it :)17:02
tsufievIMO the hardest part in re-using Merlin UI elements for dynamic policies would be data model adoption17:03
*** harlowja has joined #openstack-keystone17:03
samueldmqlhcheng: hmmm, and that's the project piet is ptl of ?17:03
lhchengsamueldmq: I think interim until there is an election17:03
tsufievat least some domain experts are needed (who know all the possible relations between policy elements)17:03
samueldmqlhcheng: nice17:03
samueldmqtsufiev: ok so basically each policy file is a set of rules, and each rule is composed by other rules or expressions, where an expression is a role check or scope check17:05
samueldmq(neutron has different checks, we need to look at them separately, with admiyo as well)17:05
lhchengsamueldmq: do we have a detailed doc somewhere explaining the semantics/expression that can be used in a rule?17:06
*** pcaruana has joined #openstack-keystone17:06
samueldmqadmiyo: hey, you're camouflaged, I found you!!17:06
samueldmqlhcheng: hmm, I think so, let me find it17:06
tsufievsamueldmq, yeah, I already have kind of superficial acquaintance with policy syntax, what is needed to render them automatically with Merlin is knowing their grammar17:06
lhchengsamueldmq: AFAIR, only doc I found was the doc in the policy code :P17:07
samueldmqlhcheng: yes I think we only have this one17:07
samueldmqlhcheng: ok adding deployer doc on policy is on my todo17:07
samueldmqlhcheng: tsufiev https://github.com/openstack/oslo.policy/blob/master/oslo_policy/policy.py#L18-L21017:08
*** fhubik is now known as fhubik_afk17:08
*** samleon has joined #openstack-keystone17:10
*** jsavak has quit IRC17:14
tsufievsamueldmq, added to my bookmarks17:14
*** jsavak has joined #openstack-keystone17:14
*** piyanai has joined #openstack-keystone17:17
bretontsufiev: http://docs.openstack.org/kilo/config-reference/content/policy-json-file.html might also be useful17:18
*** tqtran has joined #openstack-keystone17:19
*** mylu has quit IRC17:21
*** e0ne has joined #openstack-keystone17:22
*** fhubik_afk is now known as fhubik17:23
tsufievbreton, thanks17:23
*** spandhe has joined #openstack-keystone17:24
*** fhubik is now known as fhubik_afk17:29
*** henrynash has joined #openstack-keystone17:30
*** ChanServ sets mode: +v henrynash17:30
*** browne has joined #openstack-keystone17:30
*** chlong has quit IRC17:31
*** e0ne has quit IRC17:31
*** spandhe_ has joined #openstack-keystone17:32
*** hrou has quit IRC17:32
*** spandhe has quit IRC17:32
*** spandhe_ is now known as spandhe17:32
*** fhubik_afk is now known as fhubik17:36
*** mylu has joined #openstack-keystone17:38
*** diazjf has quit IRC17:39
*** e0ne has joined #openstack-keystone17:42
*** TheIntern has joined #openstack-keystone17:42
*** tjcocozz has joined #openstack-keystone17:45
*** fhubik is now known as fhubik_afk17:48
*** jsavak has quit IRC17:53
*** piyanai has quit IRC17:55
*** jsavak has joined #openstack-keystone17:56
*** fhubik_afk is now known as fhubik17:57
*** piyanai has joined #openstack-keystone17:59
*** jasonsb has joined #openstack-keystone18:01
*** jsavak has quit IRC18:02
*** jsavak has joined #openstack-keystone18:02
*** openstackgerrit_ has quit IRC18:07
*** piyanai has quit IRC18:15
*** piyanai has joined #openstack-keystone18:20
*** harlowja has quit IRC18:21
*** Kennan has quit IRC18:21
*** harlowja has joined #openstack-keystone18:21
*** Kennan has joined #openstack-keystone18:29
*** diazjf has joined #openstack-keystone18:29
*** htruta_ has quit IRC18:32
*** mylu has quit IRC18:32
*** tjcocozz has quit IRC18:36
*** josecastroleon has joined #openstack-keystone18:36
*** admiyo has quit IRC18:37
openstackgerritBrant Knudson proposed openstack/keystone: Add LimitRequestBody to sample httpd config  https://review.openstack.org/20820818:38
*** TheIntern has quit IRC18:44
*** htruta_ has joined #openstack-keystone18:44
*** kiran-r has quit IRC18:45
*** amakarov is now known as amakarov_away18:46
*** TheIntern has joined #openstack-keystone18:46
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Fixes query.one() return usage in endpoint-policy  https://review.openstack.org/20860918:47
dstaneksamueldmq: i'll take another look at those reviews for you in a little bit. technically today is a volunteer (vacation) day, but i've been doing other things on breaks18:48
samueldmqdstanek: btw this one is a very easy but interesting review ^ :)18:48
samueldmqdstanek: nice, I do appreciate your help. Feel free to take a look tomorrow, enjoy your vacation day18:49
dstaneksamueldmq: cool, i'll look at that to18:49
dstaneko18:49
dstaneksamueldmq: i'm actually volunteering for a local non-profit - doing "hard" labor18:49
samueldmqdstanek: very nice :)18:50
*** tqtran is now known as tqtran-afk18:52
*** mylu has joined #openstack-keystone18:53
*** urulama has quit IRC19:01
*** samleon has quit IRC19:02
*** urulama has joined #openstack-keystone19:02
*** josecastroleon has quit IRC19:06
*** flwang has quit IRC19:08
openstackgerritSergey Vilgelm proposed openstack/oslo.policy: [WIP] Add parse_rules method the the Rules class  https://review.openstack.org/20861719:10
*** e0ne has quit IRC19:11
openstackgerritMarianne Linhares Monteiro proposed openstack/keystone: List credentials by type  https://review.openstack.org/20862019:11
raildogyee: henrynash ^ Marianne is for our team too :)19:13
*** jsavak has quit IRC19:14
*** jsavak has joined #openstack-keystone19:14
*** flwang has joined #openstack-keystone19:22
*** fhubik has quit IRC19:26
*** ayoung has joined #openstack-keystone19:26
*** ChanServ sets mode: +v ayoung19:26
*** mylu has quit IRC19:30
openstackgerritMarianne Linhares Monteiro proposed openstack/keystone: List credentials by type  https://review.openstack.org/20862019:31
*** mylu has joined #openstack-keystone19:33
*** jsavak has quit IRC19:33
*** piyanai has quit IRC19:47
*** raildo has quit IRC19:49
*** jsavak has joined #openstack-keystone19:50
lhchengbknudson: regarding the default setting of 16k for LimitRequestBody : https://review.openstack.org/#/c/208208/19:53
lhchengbknudson: I am not sure either what the right setting should be (that it won't have issue when posting a mapping or policy file)19:54
lhchengmaybe gyee marekd or samueldmq may have some input ^19:54
bknudsonlhcheng: the current max size is 114688 , from http://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone.conf.sample#n159619:55
bknudsona.k.a 112k19:57
bknudsonwhich seems excessive.19:57
lhchengbknudson: do you recall how we came up with the magic number? :)19:57
bknudsonlhcheng: that's coming from oslo.middleware, so they came up with it there.19:58
bknudsonthat has to work openstack-wide, not just on keystone.19:58
bknudsonit's not large enough for an image, though.19:58
lhchengbknudson: hmm that may not apply for image, I recall uploading an image at least 20mb in size20:01
bknudsonah, nobody uploads images into glance anyways... should be posting them on a web server and giving glance the url.20:01
lhchengyup, they should :)20:02
lhchengbknudson: yeah, 112k sounds excessive. But would changing our sample config to a smaller value means it could break backward compatibility?20:03
bknudsonsample config can't break anything20:03
bknudsonI'll make it 112k and we can worry about the value later.20:06
lhchengbknudson: okay, that sounds good to me20:06
*** piyanai has joined #openstack-keystone20:12
*** phalmos has joined #openstack-keystone20:13
*** boltR has joined #openstack-keystone20:16
boltRquestion.. if i disable in a service in keystone v3, will the service still show up in the catalog?20:16
boltRif i disable a service*20:17
phalmosIs it expected behavior when going from single-domain LDAP to multi-domain LDAP that all existing user roles become invalid and need to be re-done?20:19
*** opilotte has joined #openstack-keystone20:29
opilottequestion: with OS-FEDERATION, is it possible to map multiple group IDs ?20:30
openstackgerritMarianne Linhares Monteiro proposed openstack/keystone: List credentials by type  https://review.openstack.org/20862020:31
*** hrou has joined #openstack-keystone20:44
gyeeopilotte, try using 'groups'20:51
gyeelhcheng, bknudson, 16K default should be fine20:52
gyeebesides, if that's not good enough for a specific deployment, we'll let the deployment script bump it up20:52
opilottegyee: so in identity values (returned by the IdP) 'groups': ['id_1', 'id_2', ...] ?20:54
gyeeopilotte, groups are names only20:55
*** diazjf has left #openstack-keystone20:55
gyeefor example, “local”: [20:55
gyee{20:55
gyee“groups”: {0},20:55
gyee“domain”: {“name”: “Default”}20:55
gyee}20:55
gyee],20:55
gyee“remote”: [20:55
gyee{20:55
gyee“type”: “REMOTE_USER_GROUPS”20:55
gyee}20:55
gyee]20:55
*** jsavak has quit IRC20:55
gyeeor "groups": ["group1", "group2"],20:55
openstackgerritMerged openstack/keystone: Refactor: clean up TokenAPITests  https://review.openstack.org/20325020:57
opilottegyee: it works it IDs for me20:57
*** bapalm_ has quit IRC21:00
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/20865221:05
gyeeayoung, u coming to the Ops MidCycle in two weeks? http://www.eventbrite.com/e/openstack-ops-mid-cycle-meetup-tickets-1770325892421:07
ayounggyee, nope21:07
gyeegreat place to sell your dynamic policy stuff21:07
ayounggyee, please be my proxy21:08
gyeeayoung, sure will try21:08
ayoung++21:08
gyeeayoung, I plan on attending OpenStack Silicon Valley as well21:08
ayoung++21:08
gyeelets see if we can find some audience for it21:09
openstackgerritHenrique Truta proposed openstack/keystone: Honor domain operations in project table  https://review.openstack.org/14376321:14
*** henrynash has quit IRC21:16
*** henrynash has joined #openstack-keystone21:16
*** ChanServ sets mode: +v henrynash21:16
lhchenggyee: do they have a free pass for OpenStack Silicon valley?21:20
lhchenggyee: I contacted the organizer, they said they have not offered it "yet"21:21
gyeelhcheng, I though you can registered as a foundation member21:22
gyeenot sure if that'll work21:23
lhchenggyee: I don't see a way to register as foudation member.21:24
lhchengI've sent an email to the organizer 1.5 months back, they told to wait and they'll inform us.21:24
openstackgerritMerged openstack/keystone: Update exported variables for openstack client  https://review.openstack.org/20812021:25
openstackgerritMerged openstack/keystone: Missing ADMIN_USER in sample_data.sh  https://review.openstack.org/20812121:25
morganfainbergIm skipping openstack sv21:25
lhchengI guess the organizer don't want more contributors going :P21:25
gyeeI registered as foundation member three weeks back, maybe it was a glitch/bug in the system :)21:25
lhchenggyee: haha awesome timing :P21:25
gyeemaybe they'll bounce me at the door, we'll see21:26
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/20865221:26
lhchenggyee: you'll be our keystone rep for  openstack sv then :D21:26
morganfainbergIm totally going as openstack proposal bot21:27
morganfainberg:P21:27
gyeehahahah21:27
morganfainbergThat bot has mad contributions21:27
*** tqtran-afk is now known as tqtran21:27
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/20865221:27
openstackgerritLance Bragstad proposed openstack/keystone: Improve endpoint filtering docs  https://review.openstack.org/20866021:27
openstackgerritMerged openstack/keystone: Clean up notifications type checking  https://review.openstack.org/20073321:30
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/20865221:32
openstackgerritMerged openstack/keystone: Clean up code to use .items()  https://review.openstack.org/20073421:34
openstackgerritMerged openstack/keystone: Fix test_utils for py34  https://review.openstack.org/20389621:34
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/20865221:35
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/20865221:36
*** TheIntern has quit IRC21:36
openstackgerritMerged openstack/python-keystoneclient: Remove check for requests version  https://review.openstack.org/20821721:41
openstackgerritMerged openstack/python-keystoneclient: Clarify setting socket_options  https://review.openstack.org/20821821:42
*** piyanai has quit IRC21:43
openstackgerritMerged openstack/python-keystoneclient: Proper deprecation for Dicover.raw_version_data unstable parameter  https://review.openstack.org/20569021:43
openstackgerritMerged openstack/python-keystoneclient: Proper deprecation for httpclient.request()  https://review.openstack.org/20569921:43
lbragstadrandom noob federation question - the metadata exchange between the service provider and the identity provider is what builds the trust between the two, correct?21:44
*** jasonsb has quit IRC21:51
gyeelbragstad, yes, saml2 is a digitally signed document, and the SP needs to trust the signing key21:52
openstackgerritMerged openstack/python-keystoneclient: Fix tests passing user, project, and token  https://review.openstack.org/20570021:55
*** jecarey has quit IRC21:56
openstackgerritBrant Knudson proposed openstack/keystone: Remove unnecessary check from notifications.py  https://review.openstack.org/20306922:03
*** thedodd has quit IRC22:04
*** mylu has quit IRC22:08
*** opilotte has quit IRC22:08
openstackgerritAlberto Murillo proposed openstack/keystone: disable admin_token by default  https://review.openstack.org/18546422:18
*** piyanai has joined #openstack-keystone22:30
*** pauloewerton has quit IRC22:33
*** btully has joined #openstack-keystone22:43
*** jasonsb has joined #openstack-keystone22:45
*** dims_ has joined #openstack-keystone22:51
*** dims has quit IRC22:52
*** dims has joined #openstack-keystone22:53
*** bknudson has quit IRC22:56
*** dims_ has quit IRC22:56
*** jaosorior has quit IRC23:04
*** fangzhou has joined #openstack-keystone23:09
*** aix has quit IRC23:12
*** piyanai has quit IRC23:16
*** darrenc has quit IRC23:23
*** darrenc has joined #openstack-keystone23:23
*** sigmavirus24 is now known as sigmavirus24_awa23:24
*** topol has quit IRC23:25
*** dims has quit IRC23:29
*** darrenc has quit IRC23:35
*** darrenc has joined #openstack-keystone23:35
*** phalmos has quit IRC23:36
*** darrenc is now known as darrenc_afk23:45
« Sunday, 2015-08-02 Index Tuesday, 2015-08-04 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!