Thursday, 2015-12-10

« Wednesday, 2015-12-09 Index Friday, 2015-12-11 »
*** aginwala has quit IRC00:01
*** jbell8 has quit IRC00:03
*** markvoelker has quit IRC00:05
*** aginwala has joined #openstack-keystone00:06
*** EinstCrazy has quit IRC00:07
*** chlong has quit IRC00:09
*** EinstCrazy has joined #openstack-keystone00:10
notmorgan.00:10
notmorganooh looks like gerribot is out to lunch00:10
notmorganstevemar, bknudson, dstanek, ayoung: https://review.openstack.org/#/c/255599/00:11
openstackgerritMorgan Fainberg proposed openstack/keystone: Add `keystone-manage bootstrap` command  https://review.openstack.org/25559900:11
notmorganor it's just sllooooowwww00:11
*** gokrokve has joined #openstack-keystone00:13
*** EinstCrazy has quit IRC00:15
openstackgerritHenrique Truta proposed openstack/keystone: Add backend support for deleting a projects list  https://review.openstack.org/24591600:16
RichardRaseleyCan someone help me better understand the difference between the token persistence backend driver and the cache backend module?00:21
*** tonytan4ever has quit IRC00:21
*** RichardRaseley has quit IRC00:25
*** jbell8 has joined #openstack-keystone00:28
*** atiwari2 has joined #openstack-keystone00:29
*** atiwari1 has quit IRC00:31
*** gokrokve_ has joined #openstack-keystone00:39
*** arunkant_ has quit IRC00:39
*** gildub has quit IRC00:40
openstackgerritMerged openstack/keystone: Remove invalid TODO related to bug 1265071  https://review.openstack.org/25363600:40
openstackbug 1265071 in OpenStack Identity (keystone) "extra column is required for new models, otherwise unit tests fail" [Low,Fix released] https://launchpad.net/bugs/1265071 - Assigned to David Stanek (dstanek)00:40
openstackgerritMerged openstack/keystone: Remove exposure of routers at package level  https://review.openstack.org/25311900:40
openstackgerritMerged openstack/keystone: Refactor: Use Federation constants where possible  https://review.openstack.org/25294900:40
openstackgerritMerged openstack/keystone: Create new version of assignment driver interface  https://review.openstack.org/24285300:41
*** gokrokve has quit IRC00:41
notmorganjamielennox|away: i think this is correct https://review.openstack.org/#/c/254399/ it seems to be00:41
notmorganjamielennox|away: but want a 2x check from you00:42
*** sigmavirus24_awa is now known as sigmavirus2400:48
openstackgerritMerged openstack/keystone: Create V9 Role Driver  https://review.openstack.org/24780500:50
*** notmyname has left #openstack-keystone00:51
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/25463300:51
openstackgerritMerged openstack/keystone: Use new_policy_ref consistently  https://review.openstack.org/24725700:52
openstackgerritMerged openstack/keystone: Remove unfixable FIXME  https://review.openstack.org/25541900:52
*** EinstCrazy has joined #openstack-keystone00:52
openstackgerritMerged openstack/keystone: Ensure endpoints returned is filtered correctly  https://review.openstack.org/25003200:52
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/25463300:53
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/25463300:54
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/25463300:56
*** aginwala has quit IRC00:56
*** jbell8 has quit IRC00:57
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/25463300:57
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/25463301:00
*** EinstCra_ has joined #openstack-keystone01:01
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/25463301:01
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/25463301:03
*** EinstCrazy has quit IRC01:04
notmorganwow... lots of config updates01:05
notmorganwonder if something is weird w/ the bot01:05
*** chlong has joined #openstack-keystone01:05
*** markvoelker has joined #openstack-keystone01:05
*** aginwala has joined #openstack-keystone01:06
openstackgerritMorgan Fainberg proposed openstack/keystone: Add `keystone-manage bootstrap` command  https://review.openstack.org/25559901:09
*** john5223 is now known as zz_john522301:10
*** markvoelker has quit IRC01:11
*** terryyao has joined #openstack-keystone01:12
*** sigmavirus24 is now known as sigmavirus24_awa01:16
*** chlong has quit IRC01:23
*** browne has quit IRC01:23
*** atiwari1 has joined #openstack-keystone01:27
*** atiwari2 has quit IRC01:29
*** tonytan4ever has joined #openstack-keystone01:33
*** atiwari2 has joined #openstack-keystone01:38
*** chenke__ has quit IRC01:40
*** atiwari1 has quit IRC01:40
*** chenke__ has joined #openstack-keystone01:41
*** steveng has quit IRC01:42
*** terryyao has quit IRC01:43
openstackgerritMerged openstack/keystone: Use assertDictEqual instead of assertEqualPolicies  https://review.openstack.org/25148201:43
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/25463301:44
*** lhcheng has joined #openstack-keystone01:44
*** ChanServ sets mode: +v lhcheng01:44
*** wangqun has joined #openstack-keystone01:45
*** _cjones_ has quit IRC01:47
*** terryyao has joined #openstack-keystone01:47
*** richm has joined #openstack-keystone01:48
*** jamielennox|away is now known as jamielennox01:48
*** aginwala has quit IRC01:48
*** lhcheng has quit IRC01:49
ayoungnotmorgan, guessing that they were all rebases done singly01:51
notmorganno idea01:51
jamielennoxnotmorgan: i'm not sure i understand what that patch is trying to do01:52
jamielennoxyou're skipping auth validation when there's no plugin01:52
jamielennoxfine01:52
notmorganjamielennox: basically yes01:53
notmorganit's the "hey we aren't actually doing anything magic with session cause we don't have a plugin for this"01:53
jamielennoxbut it's not really backwards compatible and it'll be a bit of an unusual result for people who have misconfigured things01:53
notmorganit's the OCC way of saying "be a requests thing, not a keystoneauth thing"01:53
jamielennoxdo endpoints work there, or ADMIN_TOKEN, i know that was mordred's initial use case01:54
jamielennoxsomething something swift01:54
notmorganjamielennox: yep01:54
*** boris-42_ has quit IRC01:54
*** dolphm has quit IRC01:54
notmorganswift01:54
notmorganthat is the reasoning01:54
* notmorgan also has 1st pass to kill admin_token01:54
notmorgan:)01:54
notmorganjust need to tell bandit "no the try/except/pass is FINE"01:54
*** wangqun has quit IRC01:54
*** johnthetubaguy has quit IRC01:54
*** wangqun has joined #openstack-keystone01:54
*** dolphm has joined #openstack-keystone01:54
notmorganayoung: is #nosec "ok" to use or should i really be "not" doing try/except/pass?01:55
*** wangqun has quit IRC01:55
*** wangqun has joined #openstack-keystone01:56
jamielennoxi like try/except/pass if there is a decent exception mentioned01:56
*** boris-42_ has joined #openstack-keystone01:56
*** wangqun has quit IRC01:56
*** wangqun has joined #openstack-keystone01:57
*** johnthetubaguy has joined #openstack-keystone01:57
*** ayoung has quit IRC01:58
*** rcernin has quit IRC02:01
*** aginwala has joined #openstack-keystone02:03
*** tqtran has quit IRC02:04
notmorganjamielennox: i think i've covered it here02:05
notmorganit's an ensurance the default domain is there02:05
notmorganbecause we *require* it for this action02:05
notmorganso, make sure it is in place02:05
notmorganunfortunately we don't bubble up the real exception to the manager02:06
notmorganso i have to guess w/ the UnexpectedError02:06
notmorgani guess i could reach in and match the message02:06
*** ayoung has joined #openstack-keystone02:08
*** ChanServ sets mode: +v ayoung02:08
openstackgerritJamie Lennox proposed openstack/keystoneauth: Use SAML2 requests plugin  https://review.openstack.org/25505602:09
jamielennoxprefer no to, but sometimes theres on other choice - where's the default domain problem coming from?02:10
*** wangqun has quit IRC02:12
*** wangqun has joined #openstack-keystone02:12
notmorganwell https://review.openstack.org/#/c/255599/02:12
notmorganhere i'm trying to re-work how we bootstrap keystone02:12
notmorgani'd like to drop the "create the default domain" in the sql migrations while we're at it02:12
*** terryyao has quit IRC02:13
*** wangqun has quit IRC02:14
*** wangqun has joined #openstack-keystone02:14
*** wangqun has quit IRC02:16
*** wangqun has joined #openstack-keystone02:16
*** terryyao has joined #openstack-keystone02:18
*** pumaranikar has joined #openstack-keystone02:26
*** wangqun has quit IRC02:29
*** pumaranikar has quit IRC02:31
*** browne has joined #openstack-keystone02:32
*** links has joined #openstack-keystone02:33
jamielennoxnotmorgan: i'm pretty sure i know the answer to this but there's not much value in running the v3cloudsample policy file just in keystone right?02:35
*** aginwala has quit IRC02:38
stevemarjamielennox: not really02:40
jamielennoxstevemar: so i got the request at summit to do a devstack install so that tempest could test the domain admin based model02:41
jamielennoxi know we don't recommend it but enough people use the domain admin concept now because of this that tempest wants to test it02:41
*** richm has quit IRC02:41
jamielennoxbut in playing with devstack i'm not sure there's a whole lot of point because you would need to have a similar file for nova or neutron to understand domain admins02:42
jamielennoxand i don't want to write all those02:42
stevemarjamielennox: thanks for abandoning a bunch of old OSC patches02:42
jamielennoxstevemar: trying to clean up a little02:43
notmorganjamielennox: not not really... but easy to enhance it to be more cloud-admin friendly02:43
notmorganjamielennox: and we should do domain admin and start pushing that down to the othe rprojects02:43
jamielennoxi think domain admin isn't actually a bad model we just never got it pushed out to other projects02:44
*** chlong has joined #openstack-keystone02:44
*** timcline has joined #openstack-keystone02:44
jamielennoxbut i'm not sure there's an advantage to tempest testing domain admin if the only ones with a domain aware policy file is keystone02:44
*** aginwala has joined #openstack-keystone02:44
jamielennoxi guess i could change the is_admin definition of all projects...02:45
jamielennoxis there a reason we never merged https://review.openstack.org/#/c/212345/702:47
*** Guest71412 has quit IRC02:47
*** gildub has joined #openstack-keystone02:48
*** timcline has quit IRC02:49
stevemarno idea02:52
openstackgerritMorgan Fainberg proposed openstack/keystone: Add `keystone-manage bootstrap` command  https://review.openstack.org/25559902:54
notmorganstevemar: ^ so bootstrap - another "well we talked about this so here we go"02:58
*** tonytan4ever has quit IRC02:58
*** terryyao has quit IRC02:59
*** terryyao has joined #openstack-keystone03:00
stevemarnotmorgan: i'll see about it in a few, watching tv!03:02
notmorganstevemar: no excuse! :P03:02
*** aginwala has quit IRC03:02
*** tsymanczyk has joined #openstack-keystone03:02
*** tsymanczyk is now known as Guest9443103:03
*** boris-42_ has quit IRC03:03
*** aginwala has joined #openstack-keystone03:06
*** markvoelker has joined #openstack-keystone03:07
*** aginwala has quit IRC03:10
*** markvoelker has quit IRC03:12
*** RichardRaseley has joined #openstack-keystone03:14
*** steveng has joined #openstack-keystone03:15
openstackgerritJamie Lennox proposed openstack/keystoneauth: Remove confusing documentation  https://review.openstack.org/25565103:16
*** topol has joined #openstack-keystone03:17
*** ChanServ sets mode: +v topol03:17
ayoungjamielennox, did you see my followon to implied_roles?03:18
jamielennoxayoung: no03:19
jamielennoxayoung: spec or code?03:19
ayoungjamielennox, https://review.openstack.org/#/c/240720/  code03:19
ayoungthat would be a better start for dealing with the domain admin model.  It means we could start applying changes to the other services policy files03:20
jamielennoxayoung: hmm, that does break a little what i was planning on for tempest03:20
ayoungjamielennox, why?03:21
jamielennoxso tempest wants to be able to run with the v3 cloud policy file03:21
jamielennoxi was looking at doing a devstack to support that03:21
jamielennoxbut if you remove admin_domain_id then i can't sed to replace it03:21
*** topol has quit IRC03:22
jamielennoxas much as we said v3cloudsample wasn't supported apparently there are enough people out there using it and requesting tempest test it that they want to03:22
*** spandhe has quit IRC03:27
*** gyee has quit IRC03:41
*** gokrokve_ has quit IRC03:42
*** timcline has joined #openstack-keystone03:45
*** terryyao has quit IRC03:48
*** timcline has quit IRC03:50
*** flwang1 has quit IRC03:55
*** lhcheng has joined #openstack-keystone03:58
*** ChanServ sets mode: +v lhcheng03:58
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Use load_from_options_getter for auth plugins  https://review.openstack.org/25566104:02
*** lhcheng has quit IRC04:03
*** jasonsb has joined #openstack-keystone04:11
*** terryyao has joined #openstack-keystone04:28
ayoungjamielennox, I guess I could leave it alone and do a different policy file....04:28
ayoungthere is no real benfit to breaking that one.   But don't put any more effort in to it, I think.  I'll have to figure out how to do the new one, but I kindof like that.04:29
jamielennoxayoung: i'm not sure what to do about that04:31
jamielennoxayoung: really it made me want to be able to set something from conf so i didn't have to find the id, insert into policy file and reboot :)04:31
ayoungjamielennox, so...I'll leave cloudsample alone, but you shouldn't do any tempest work on it either04:31
jamielennoxayoung: this is what i'm coming to to04:32
ayounglets focus on a new policy file that is maintainable04:32
jamielennoxi told andreaf_ i would get him something i can test, but if i replace just that keystone policy file it doesn't become a coherent system04:32
jamielennoxall the other projects are still using the policy file they had before04:33
jamielennoxso there still needs to be an admin project for them04:33
*** steveng has quit IRC04:34
jamielennoxayoung: i'll need to ask him again what he wants to do, because i don't want to maintain a full set of domain based policy scripts in tempest/devstack which is the only real way to do it04:34
ayoungunified policy file04:35
jamielennoxyea04:35
jamielennoxbecause all i want to change is the definition of is_admin04:35
ayoungjamielennox, none of the other services used domains04:37
jamielennoxayoung: no, but they need to know what global admin is04:37
jamielennoxlike not project based04:37
ayoungI think I have a hack that will work with the cloud_admin file without breaking it04:37
jamielennoxayoung: just leave it in there as an OR statement04:38
ayoungif the old admin_domain_id is the last thing in the line, it might trigger an exception, but it will be when policy was supposed to fail anyway04:38
jamielennoxthough i don't expect i'm going to get that to work04:38
ayoungjamielennox, that is why I had  thies https://review.openstack.org/#/c/165908/04:39
jamielennoxayoung: what was being raised?04:45
jamielennoxoh, i'm guessing keyerror04:45
jamielennoxyea, we need to standardize what goes into that and not just dump the token04:45
jamielennoxayoung: you would at least need a lot more logging in that patch04:45
jamielennoxayoung: a failure to enforce policy - particularly like httpcheck is bad04:46
*** timcline has joined #openstack-keystone04:46
jamielennoxayoung: i don't know that code well enough but if it really is a keyerror we should fix that instead04:46
jamielennoxlike just use .get()04:47
*** fawadkhaliq has joined #openstack-keystone04:48
ayoungjamielennox, if we do that it means that we can never run policy off an optional field04:49
ayoungbut the Or means that if one things fails, the other should succeed.  Erroring out means that it always fails04:50
ayoungkey error was due to changing token formats04:50
*** timcline has quit IRC04:50
*** timcline has joined #openstack-keystone04:51
jamielennoxayoung: throwing an exception is not failing - it's misconfiguration04:52
jamielennoxayoung: i was thinking it would mean we could always ignore optional fields04:52
jamielennoxso linking policy enforcement keys to token contents is bad04:53
ayoung500 errors are not the way to tell your users that there is something wrong with the site04:53
jamielennoxayoung: maybe, but otherwise they'll get 401s and think they've done something wrong with their password04:53
ayoungjust deny access and move on04:53
ayoungOK...I think I have it04:54
jamielennoxit's not about telling users, it's about telling admins they screwed up04:54
*** steveng has joined #openstack-keystone04:54
*** timcline has quit IRC04:55
jamielennoxhttpretty is dead! https://review.openstack.org/#/c/183745/04:59
stevemar\o/05:01
jamielennoxstevemar: did all the extensions to core things merge/05:07
*** markvoelker has joined #openstack-keystone05:07
*** markvoelker has quit IRC05:12
openstackgerritayoung proposed openstack/keystone: Implied Roles  https://review.openstack.org/24261405:24
openstackgerritayoung proposed openstack/keystone: Updated Cloudsample  https://review.openstack.org/24072005:24
*** RichardRaseley has quit IRC05:24
*** david8hu has quit IRC05:25
stevemarjamielennox: i believe so05:32
stevemarjamielennox: how much do you like me05:39
stevemari'll fix https://bugs.launchpad.net/keystoneauth/+bug/1517858 myself :P05:40
openstackLaunchpad bug 1517858 in keystoneauth "Correct the examples in keystoneauth documentation" [Low,Confirmed]05:40
*** Nirupama has joined #openstack-keystone05:41
openstackgerritSteve Martinelli proposed openstack/keystoneauth: small fix to missing parameters in documentation  https://review.openstack.org/25567705:45
stevemarjamielennox: you gotta return the favor for ^05:45
*** RichardRaseley has joined #openstack-keystone05:48
jamielennoxstevemar: ah, nice05:50
jamielennoxstevemar: i just +2ed but really you should use Default for name not default05:51
jamielennoxstevemar: cause you know that confuses people already05:51
*** timcline has joined #openstack-keystone05:52
*** timcline has quit IRC05:56
*** RichardRaseley has quit IRC05:56
*** steveng has quit IRC05:58
*** aginwala has joined #openstack-keystone06:00
*** links has quit IRC06:01
*** links has joined #openstack-keystone06:01
*** steveng has joined #openstack-keystone06:02
stevemarjamielennox: everything confuses everyone all the time06:05
stevemarnotmorgan: ^ theres an easy one there for you to punt off into the gate06:05
*** steveng has quit IRC06:06
stevemarjamielennox: i've also learned that i'm perpetually behind on everything06:06
stevemari need time to stand still for like a week06:06
stevemarso i can catch up06:06
*** steveng has joined #openstack-keystone06:07
*** RichardRaseley has joined #openstack-keystone06:07
jamielennoxstevemar: i heard rumours of this about being PTL06:09
openstackgerritJamie Lennox proposed openstack/keystone: Perform middleware tests with webtest  https://review.openstack.org/24444006:09
openstackgerritJamie Lennox proposed openstack/keystone: Make AuthContext depend on auth_token middleware  https://review.openstack.org/25568606:09
jamielennoxstevemar: woop ^06:10
*** gildub has quit IRC06:10
jamielennoxah, damn, that class is still marked as private06:16
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Make BaseAuthProtocol public  https://review.openstack.org/25569106:24
*** chlong has quit IRC06:28
*** jaosorior has joined #openstack-keystone06:29
*** topol has joined #openstack-keystone06:34
*** ChanServ sets mode: +v topol06:34
*** ajayaa has joined #openstack-keystone06:35
*** topol has quit IRC06:38
*** gildub has joined #openstack-keystone06:47
*** links has quit IRC06:49
*** spandhe has joined #openstack-keystone06:49
*** chlong has joined #openstack-keystone06:49
*** RichardRaseley has quit IRC06:50
*** spandhe_ has joined #openstack-keystone06:50
ajayaaHi guys. What is the use of path_vars variable in routers of each component such as assignment, identity etc.?06:52
ajayaastevemar, jamielennox, rodrigods ^^06:52
*** timcline has joined #openstack-keystone06:53
*** spandhe has quit IRC06:53
*** spandhe_ is now known as spandhe06:53
*** jdennis has quit IRC06:57
*** timcline has quit IRC06:57
*** jdennis has joined #openstack-keystone07:00
stevemarajayaa: link?07:00
stevemararen't those the variables that are passed in as part of the API request07:00
stevemarso DELETE /v3/users/aad7393d79a07:00
stevemarthe aad7...9a part would be in path_vars07:00
stevemarthats if i recall correctly...07:01
ajayaastevemar https://github.com/openstack/keystone/blob/master/keystone/assignment/routers.py#L6907:01
ajayaafor e.g.07:01
ajayaaYes.07:01
stevemaroh that stuff07:01
stevemarthat's used for JSON home support07:01
stevemareach one corresponds to the /{var_name}/ in the API07:02
ajayaaWhy do we return something different when the mime type is json/home?07:02
ajayaaIs it to help clients to determine what resources/apis does the service expose?07:02
ajayaaRephrasing my question, what is JSON home and how is it useful?07:03
ajayaastevemar ^^07:03
*** chlong has quit IRC07:04
ajayaaThis might sound naive. I am not an api expert. :)07:04
notmorganomg...07:04
notmorganmoving sucks sometimes :P07:04
notmorganon the plus side... have most stuff unpacked now.07:05
*** links has joined #openstack-keystone07:05
*** aginwala has quit IRC07:05
*** markvoelker has joined #openstack-keystone07:08
*** flwang1 has joined #openstack-keystone07:09
*** rcernin has joined #openstack-keystone07:11
*** steveng has quit IRC07:12
*** steveng1 has joined #openstack-keystone07:12
*** markvoelker has quit IRC07:13
stevemarnotmorgan: got a stable ABI question for you07:14
notmorganstevemar: i have an answer that is probably not useful07:14
notmorganstevemar: lets see if the match07:14
notmorganthey*07:14
stevemarnotmorgan: this patch: https://review.openstack.org/#/c/233069/07:14
*** steveng1 is now known as steveng07:14
stevemarbreton is moving around the truncated decorator, which is fine07:15
notmorganyah07:15
stevemarbut now we have https://github.com/openstack/keystone/blob/master/keystone/assignment/V8_role_backends/sql.py#L2707:15
stevemaris the decorator part of the stable interface?07:15
notmorganuhmmm.07:16
notmorganwe should keep a reference to the decorator in the old spot07:16
notmorganfor consistency07:16
notmorganso we don't break anyone who is still refernecing it for the old driver version07:16
notmorgani mean... it isn't imperative, but to be nice to fokls, it would be ideal to just [in the old location] truncated = <new location>.truncated07:17
notmorganwith a note that it'll be moved when the driver interface X,Y,Z is removed07:17
notmorganor some such07:17
openstackgerritSteve Martinelli proposed openstack/keystone: Fix exposition of bug about limiting with ldap  https://review.openstack.org/23422607:17
notmorganbut i mean... you could also let this one slide07:17
* notmorgan shrugs07:17
openstackgerritSteve Martinelli proposed openstack/keystone: Make @truncated common for all backends  https://review.openstack.org/23306907:17
* ajayaa reading https://tools.ietf.org/html/draft-nottingham-json-home-02 stevemar, am I in the right path?07:19
*** chlong has joined #openstack-keystone07:20
notmorganajayaa: it's pretty good eh?07:20
notmorgan:)07:20
ajayaanotmorgan, don't know! I want to learn what json/home is. If you have a better suggestion then the above one, I would take it. :)07:22
notmorganajayaa: that is about as good as it gets.07:22
*** topol has joined #openstack-keystone07:22
*** ChanServ sets mode: +v topol07:22
notmorganbut... in short: JSON response that gives you relavant info about what is on the server07:22
notmorgansomething machine parsable that owuld be the equivalant of an index07:23
notmorganthe alternative is an XML doc07:23
stevemarnotmorgan: /me doesn't understand how pep8 and our new legacy tests are passing with a references to that removed function07:23
notmorganthat describes where resources/APIs are07:23
notmorganstevemar: uhmmmmmm.07:23
stevemaroh there we go!07:23
stevemara failure yay07:23
notmorganstevemar: heh07:23
ajayaanotmorgan, Thanks. That's the kind of explanation I was looking for.07:24
stevemarnotmorgan: on another note, i think oauth stuff is broken07:26
stevemarwomp womp07:26
*** dims_ has joined #openstack-keystone07:26
stevemarsomething is going all screwy with signature calculation07:27
stevemari think it may be the oslo request id being in the header07:27
openstackgerritSteve Martinelli proposed openstack/keystone: Make @truncated common for all backends  https://review.openstack.org/23306907:27
openstackgerritSteve Martinelli proposed openstack/keystone: Limiting for fake LDAP  https://review.openstack.org/24774907:28
notmorganstevemar: yay oauth07:28
notmorganstevemar: eventually i think oauth is going to be really useful...07:28
stevemarnotmorgan: another reason we need functional tests :@07:28
notmorganstevemar: like when I get us all sub-url mounted in devstack >.>07:28
notmorganand people can use oauth for all apis, vs needing to oauth and then get a token :(07:29
notmorganbuuuuttt.t......07:29
notmorganuntil then... yes functional tests07:29
notmorganmake them happen!07:29
notmorgan:)07:29
notmorganajayaa: it's a simple explination but it gets the gist of what is being attempted07:30
openstackgerritSteve Martinelli proposed openstack/keystone: Use @truncated in ldap for users  https://review.openstack.org/23307007:35
*** aginwala has joined #openstack-keystone07:38
*** browne has quit IRC07:40
ajayaanotmorgan, I like simple explanations. On the same note, Bill gates recommends this book "Thing Explainer: Complicated Stuff in Simple Words" in which the author explains very complicated subjects in simple ideas.07:41
notmorganajayaa: I have the book07:42
notmorganit's fantastic07:42
notmorganRandall Munroe is pretty darn good at the stuff07:42
ajayaa:)07:42
notmorgani mean... XKCD is fun.07:42
notmorganThing Explainer is entertaining07:42
ajayaaI am yet to read this book. stacked up in my reading list though. Reading "Thinking fast and slow" now. :)07:43
ajayaayep, XKCD is fun.07:43
notmorganajayaa: https://twitter.com/MdrnStm/status/674455084164448257 that is the next book i am reading07:44
notmorgan(actually just starting)07:45
*** topol has quit IRC07:45
notmorganand i have ~3 other similar books i'm going to start soon07:45
*** topol has joined #openstack-keystone07:46
*** ChanServ sets mode: +v topol07:46
ajayaalooks fancy. I would ask about your opinions/thoughts after you finish it.07:47
openstackgerritSteve Martinelli proposed openstack/keystone: Enable limiting in ldap for groups  https://review.openstack.org/23484907:49
*** spandhe_ has joined #openstack-keystone07:53
*** timcline has joined #openstack-keystone07:53
*** spandhe has quit IRC07:54
*** spandhe_ is now known as spandhe07:54
notmorganajayaa: the zingerman's books are really fantastic07:57
notmorgancan't say enough good things about them07:57
notmorganif you are into reading about leadership and running teams, etc07:57
notmorgansome people really aren't07:57
notmorganconsidering the role I tend to fall into in an org/group/open source07:58
*** fawadkhaliq has quit IRC07:58
notmorganit's really good for me to read them, and i def. learn a lot/benefit from them07:58
*** timcline has quit IRC07:58
*** fawadkhaliq has joined #openstack-keystone07:58
*** terryyao has quit IRC08:01
*** topol has quit IRC08:03
openstackgerritMerged openstack/keystoneauth: small fix to missing parameters in documentation  https://review.openstack.org/25567708:04
*** terryyao_ has joined #openstack-keystone08:04
*** dansmith has quit IRC08:05
*** chlong has quit IRC08:05
*** jgriffith has quit IRC08:05
*** sirushti has quit IRC08:05
bretonstevemar: thanks for reviews!08:06
stevemarbreton: np!08:07
stevemarbreton: it takes me a while, but i usually get around to reviewing08:07
stevemarbreton: nice job on that stuff btw08:07
*** dansmith has joined #openstack-keystone08:07
*** dansmith is now known as Guest1777908:07
stevemarit wasn't easy08:08
*** _cjones_ has joined #openstack-keystone08:10
*** jgriffith has joined #openstack-keystone08:11
*** sirushti has joined #openstack-keystone08:11
*** _cjones_ has quit IRC08:11
*** _cjones_ has joined #openstack-keystone08:12
openstackgerritBoris Bobrov proposed openstack/python-keystoneclient: Support `truncated` flag returned by keystone  https://review.openstack.org/25047308:12
*** aginwala has quit IRC08:13
*** heha37 has joined #openstack-keystone08:14
*** links has quit IRC08:14
*** mhickey has joined #openstack-keystone08:18
*** fawadkhaliq has quit IRC08:21
stevemarjamielennox:08:23
stevemarpoke08:23
stevemari have a question in https://review.openstack.org/#/c/212345/7/keystonemiddleware/auth_token/_cache.py08:23
stevemarwon't return memcache.Client(*args, **kwargs) be run even if memcache = None08:23
stevemar?08:23
*** belmoreira has joined #openstack-keystone08:25
*** spandhe has quit IRC08:29
stevemarjamielennox: poke, review https://review.openstack.org/#/c/250473/ when you get a chance08:32
*** e0ne has joined #openstack-keystone08:32
*** pnavarro has joined #openstack-keystone08:35
*** lhcheng has joined #openstack-keystone08:38
*** ChanServ sets mode: +v lhcheng08:38
jamielennoxstevemar: might be bed time08:41
jamielennoxi think the memcache thing is fine08:41
jamielennoxif it hasn't been imported it will be08:41
jamielennoxthen it will always be available08:41
*** steveng has quit IRC08:46
*** terryyao_ has quit IRC08:51
*** e0ne has quit IRC08:52
*** links has joined #openstack-keystone08:52
*** flwang1 has quit IRC08:53
*** terryyao_ has joined #openstack-keystone08:54
*** timcline has joined #openstack-keystone08:54
*** timcline has quit IRC08:59
*** fhubik has joined #openstack-keystone09:01
*** terryyao_ has quit IRC09:02
*** terryyao_ has joined #openstack-keystone09:07
openstackgerritMerged openstack/keystone: refactor: move the common code to manager layer  https://review.openstack.org/25507009:08
*** markvoelker has joined #openstack-keystone09:09
*** jamielennox is now known as jamielennox|away09:09
*** markvoelker has quit IRC09:14
openstackgerritMerged openstack/keystone: Remove keystoneclient tests  https://review.openstack.org/24047409:15
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/25463309:26
*** hogepodge has quit IRC09:26
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/25463309:27
*** hogepodge has joined #openstack-keystone09:28
*** flwang1 has joined #openstack-keystone09:30
*** openstackgerrit has quit IRC09:32
*** openstackgerrit has joined #openstack-keystone09:32
*** andreykurilin__ has joined #openstack-keystone09:35
*** flwang1 has quit IRC09:36
andreykurilin__hi everyone! How can I configure devstack to install both v2(identity by default) and v3?09:37
*** _cjones_ has quit IRC09:40
*** links has quit IRC09:42
*** _cjones_ has joined #openstack-keystone09:42
*** _cjones_ has quit IRC09:43
*** _cjones_ has joined #openstack-keystone09:43
*** fawadkhaliq has joined #openstack-keystone09:44
*** _cjones_ has quit IRC09:45
*** steveng has joined #openstack-keystone09:45
*** terryyao_ has quit IRC09:45
*** EinstCra_ has quit IRC09:50
*** e0ne has joined #openstack-keystone09:51
*** timcline has joined #openstack-keystone09:55
*** links has joined #openstack-keystone09:55
*** pgbridge has joined #openstack-keystone09:58
*** jistr has joined #openstack-keystone09:59
*** timcline has quit IRC10:00
*** briancurtin has quit IRC10:01
*** briancurtin has joined #openstack-keystone10:03
*** EinstCrazy has joined #openstack-keystone10:04
*** links has quit IRC10:04
*** links has joined #openstack-keystone10:17
*** fhubik is now known as fhubik_brb10:23
*** markvoelker has joined #openstack-keystone10:25
*** markvoelker has quit IRC10:29
*** lhcheng has quit IRC10:33
*** fhubik_brb is now known as fhubik10:34
*** EinstCrazy has quit IRC10:38
*** _cjones_ has joined #openstack-keystone10:47
*** lhinds has quit IRC10:50
*** chenke_ has joined #openstack-keystone10:52
*** _cjones_ has quit IRC10:52
*** aix has joined #openstack-keystone10:54
*** chenke__ has quit IRC10:55
*** timcline has joined #openstack-keystone10:56
*** timcline has quit IRC11:00
*** heha37 has quit IRC11:03
*** dims_ has quit IRC11:04
*** pgbridge has quit IRC11:05
*** alexpro has joined #openstack-keystone11:30
*** EinstCrazy has joined #openstack-keystone11:30
samueldmqmorning keystoners11:42
samueldmqandreykurilin__: hi, it already does11:42
andreykurilin__samueldmq: hi! but service catalog doesn't include identity v3 service :(11:44
samueldmqandreykurilin__: hm, I think we have changed it to include versionless URL in the catalog11:46
samueldmqandreykurilin__: it means htttps://keystone:5000/ (without v2.0 or v3), this way the clients make the discovery themselves11:47
samueldmqandreykurilin__: what do you want to do ? have a v3 only cloud ? test v3?11:47
andreykurilin__samueldmq: testing both v2 and v3. breton already pointed me to http://developer.openstack.org/api-ref-identity-v3.html#listIdentityVersions11:48
bretonsamueldmq: > I think we have changed it to include versionless URL in the catalog11:49
bretonsamueldmq: no, we haven't11:49
*** _cjones_ has joined #openstack-keystone11:49
*** _cjones_ has quit IRC11:53
*** pnavarro is now known as pnavarro|lunch11:55
samueldmqbreton : hmm, thanks for checking, iircc jamielennox|away has a patch up for this11:55
*** timcline has joined #openstack-keystone11:57
samueldmqbreton: andreykurilin__: that's true, the patch from versionless url haven't merged yet https://review.openstack.org/#/c/182923/11:58
*** fhubik is now known as fhubik_brb11:59
*** fhubik_brb is now known as fhubik12:00
*** fawadkhaliq has quit IRC12:01
*** timcline has quit IRC12:01
*** jsheeren has joined #openstack-keystone12:02
*** gildub has quit IRC12:08
*** fhubik is now known as fhubik_brb12:13
*** fhubik_brb is now known as fhubik12:14
*** aix has quit IRC12:14
*** jsheeren has quit IRC12:17
openstackgerritMerged openstack/keystone: Fix exposition of bug about limiting with ldap  https://review.openstack.org/23422612:18
*** fhubik is now known as fhubik_brb12:19
openstackgerritMerged openstack/keystone: Make @truncated common for all backends  https://review.openstack.org/23306912:21
*** raildo-afk is now known as raildo12:22
*** fhubik_brb is now known as fhubik12:25
*** markvoelker has joined #openstack-keystone12:26
*** markvoelker has quit IRC12:30
*** doug-fish has joined #openstack-keystone12:32
*** fhubik is now known as fhubik_brb12:35
*** jsheeren has joined #openstack-keystone12:36
*** topol has joined #openstack-keystone12:42
*** ChanServ sets mode: +v topol12:42
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/25444412:42
*** atiwari1 has joined #openstack-keystone12:46
*** jaosorior has quit IRC12:47
*** openstackgerrit has quit IRC12:47
*** jaosorior has joined #openstack-keystone12:47
*** openstackgerrit has joined #openstack-keystone12:47
*** atiwari2 has quit IRC12:48
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/25463312:49
*** atiwari1 has quit IRC12:50
*** _cjones_ has joined #openstack-keystone12:50
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/25463312:51
*** topol has quit IRC12:51
*** atiwari1 has joined #openstack-keystone12:52
*** aix has joined #openstack-keystone12:55
*** fhubik_brb is now known as fhubik12:55
*** _cjones_ has quit IRC12:57
*** flwang has quit IRC12:57
*** swebb has quit IRC12:57
*** crinkle has quit IRC12:57
*** flwang has joined #openstack-keystone12:57
*** timcline has joined #openstack-keystone12:57
*** crinkle has joined #openstack-keystone12:57
*** timcline has quit IRC13:02
*** swebb has joined #openstack-keystone13:03
openstackgerritDina Belova proposed openstack/keystone: === WIP === Integrate OSprofiler in Keystone  https://review.openstack.org/10336813:06
*** markvoelker has joined #openstack-keystone13:08
openstackgerritHenrique Truta proposed openstack/keystone: Add backend support for deleting a projects list  https://review.openstack.org/24591613:11
*** gordc has joined #openstack-keystone13:17
*** Anticimex has quit IRC13:18
*** ajayaa has quit IRC13:20
*** fhubik is now known as fhubik_brb13:20
*** fhubik_brb is now known as fhubik13:26
*** Anticimex has joined #openstack-keystone13:29
*** fhubik has quit IRC13:35
*** jsheeren has quit IRC13:35
*** ninag has joined #openstack-keystone13:40
*** pauloewerton has joined #openstack-keystone13:42
*** dims has joined #openstack-keystone13:43
*** Nirupama has quit IRC13:45
*** dims has quit IRC13:48
*** zhiyan has quit IRC13:51
*** zhiyan has joined #openstack-keystone13:53
*** _cjones_ has joined #openstack-keystone13:53
*** dims_ has joined #openstack-keystone13:57
*** _cjones_ has quit IRC13:57
*** openstackstatus has quit IRC13:57
*** links has quit IRC13:57
*** timcline has joined #openstack-keystone13:58
*** sigmavirus24_awa is now known as sigmavirus2413:59
*** topol has joined #openstack-keystone14:01
*** ChanServ sets mode: +v topol14:01
*** timcline has quit IRC14:03
*** topol has quit IRC14:05
*** fawadkhaliq has joined #openstack-keystone14:16
*** fawadkhaliq has quit IRC14:17
*** pnavarro|lunch is now known as pnavarro14:17
*** fawadkhaliq has joined #openstack-keystone14:17
*** breitz has quit IRC14:19
*** breitz has joined #openstack-keystone14:19
*** alejandrito has joined #openstack-keystone14:22
*** RichardRaseley has joined #openstack-keystone14:23
*** petertr7_away is now known as petertr714:25
*** Ephur has joined #openstack-keystone14:32
*** andrewbogott has quit IRC14:36
*** andrewbogott has joined #openstack-keystone14:36
*** Guest17779 is now known as dansmith14:36
*** dansmith is now known as Guest1812414:37
*** Guest18124 is now known as dansmith14:37
*** _cjones_ has joined #openstack-keystone14:54
*** _cjones_ has quit IRC14:59
*** petertr7 is now known as petertr7_away14:59
*** boris-42_ has joined #openstack-keystone14:59
openstackgerritTom Cocozzello proposed openstack/python-keystoneclient: WIP set up incude names for list role assignments  https://review.openstack.org/25539215:00
bretonit seems that trusts don't work with fernet tokens15:00
* breton verifying15:00
*** Ephur has quit IRC15:00
*** pumaranikar has joined #openstack-keystone15:00
lbragstadbreton yeah I was just looking at that15:00
lbragstadbreton I have s pile of meetings today, but let me know if you can verify it15:01
bretonack15:01
*** vgridnev has joined #openstack-keystone15:02
*** rderose has joined #openstack-keystone15:02
*** petertr7_away is now known as petertr715:02
bknudsonservice catalog meeting in #openstack-meeting-cp15:03
*** atiwari2 has joined #openstack-keystone15:03
*** davechen has joined #openstack-keystone15:05
*** atiwari1 has quit IRC15:05
*** tonytan4ever has joined #openstack-keystone15:11
*** richm has joined #openstack-keystone15:12
openstackgerritGhe Rivero proposed openstack/keystone: Create neutron service in sample_data.sh  https://review.openstack.org/20821515:13
*** kairat has joined #openstack-keystone15:14
*** petertr7 is now known as petertr7_away15:16
*** RichardRaseley has quit IRC15:16
ayoungbknudson, is there an agenda link here somewhere?15:18
bknudsonayoung: https://wiki.openstack.org/wiki/ServiceCatalogTNG#Mitaka_Goals15:18
bknudsonayoung: oops, agenda is https://wiki.openstack.org/wiki/Meetings/ServiceCatalogTNG#Service_Catalog_TNG_Meeting15:18
*** petertr7_away is now known as petertr715:18
ayoungbknudson, how did TENANT_ID get in there for all those services>?  That is not vanilla?15:19
bknudsonayoung: they copied what nova did15:19
*** lxsli has left #openstack-keystone15:21
ayoungbut the other services don't support it15:21
ayoungdo they?15:21
*** slberger has joined #openstack-keystone15:22
bknudsonayoung: that's what the question is, anne is going to check if the other services have the project ID in the catalog entry15:27
bknudsonmaybe there aren't any other than nova15:27
bknudsonthere's a mailing list topic15:27
bknudsonayoung: you already commented on the mailing list topic15:29
ayoungbknudson, looking at the wiki list it looks like nova, cinder , trove , and heat.  HEAT?   REally, woulda thiught those guuysd knew better...15:32
*** tonytan4ever has quit IRC15:32
*** timcline has joined #openstack-keystone15:33
*** fawadkhaliq has quit IRC15:37
openstackgerritMerged openstack/keystoneauth: Remove confusing documentation  https://review.openstack.org/25565115:39
*** roxanaghe has joined #openstack-keystone15:49
*** tonytan4ever has joined #openstack-keystone15:52
*** tonytan4ever has quit IRC15:53
*** _cjones_ has joined #openstack-keystone15:56
*** tonytan4ever has joined #openstack-keystone15:58
*** _cjones_ has quit IRC16:01
*** wanghua has quit IRC16:03
*** topol has joined #openstack-keystone16:05
*** ChanServ sets mode: +v topol16:05
*** pgbridge has joined #openstack-keystone16:09
*** joseppc has joined #openstack-keystone16:09
zigoAny idea why I get this? https://mitaka-jessie.pkgs.mirantis.com/job/python-keystonemiddleware/6/console16:15
*** csoukup has joined #openstack-keystone16:15
*** ajayaa has joined #openstack-keystone16:15
*** haneef has quit IRC16:18
ayoungzigo, bug16:19
*** fawadkhaliq has joined #openstack-keystone16:19
ayoungzigo, so, Bind was an artifact of when we were headed toward PKI tokens16:19
ayoungit meant that you needed a second form of auth along with the token16:20
*** e0ne has quit IRC16:20
bknudsonzigo: these tests are working on my local system...16:20
*** diazjf has joined #openstack-keystone16:21
ayoungbknudson, I think we can drop bind from the API16:21
bknudsonayoung: we can drop token binding?16:21
bknudsondid it ever work?16:21
bknudsonI thought it was used with kerberos16:22
*** aix has quit IRC16:22
zigobknudson: It works on devstack (tm)16:22
zigo:)16:22
ayoungbknudson, you can't do kerberos to eventlet, so no16:22
zigoWhat I don't get is that it builds fine on my laptop, and the env should be the same as in my jenkins ... :(16:23
notmorganzigo: oh hi16:23
notmorganzigo: you're here16:23
zigonotmorgan: Like every day! :)16:23
notmorganzigo: so. debconf stuff.16:23
ayoungit was a good idea, and maybe someone picked it up and ran with it, but if its not mathrock's group, (and they don't) I don't know who would be so bold.  KC does nto support negotiate on connections other than to Keystione, and keuystone didn;'t soupport x509, so it would have to be a very customized install.16:23
notmorganzigo: whn you're done talking w/ ayoung16:23
bknudsonzigo: looks like "Expose bind data via AccessInfo" is in keystoneauth 1.2.0, but you're running with "1.1.0-2"16:24
*** rderose has quit IRC16:24
notmorganzigo: specifically i thnk we need to revisit the whole "you as a package maintainer controlling when the service starts and stops"16:24
zigobknudson: Oh, got it, so I just need to upgrade keysotneauth1 in my jenkins, easy enought, thanks ! :)16:25
bknudsonzigo: are you building ksm master? that's got keystoneauth1>=2.1.016:25
bknudsonok, great16:25
bknudsoncan't promise that's going to fix all the issues, but the missing bind property is pretty obvious16:25
ayoungnotmorgan, I'm going to write a spec for bootstrap16:26
notmorganayoung: sounds good16:26
notmorganayoung: and feel free to run with/change/update that patchset16:26
bknudsonayoung: notmorgan: would it be better to expose create_user, etc., in keystone-manage ?16:26
ayoung++16:26
notmorganayoung: it's probably 90% done16:26
zigonotmorgan: I do need to have keystone service started so I can use its API.16:26
ayoungbknudson, so, that is the catch16:26
ayoungI don't think so16:27
notmorganrecommendation i had was to source the password from OS_* variables16:27
bknudsonif I've got a ldap backend create user isn't going to work16:27
ayoungbknudson, we can't remove anything that Horizon uses16:27
ayoungand we probably should not duplicate16:27
notmorganzigo: auto configuring a service in the catalog or anywhere seems *verY* broken for a complex system like openstack16:27
notmorganzigo: i'll contest that debconf should not try and setup openstack at all16:27
bknudsonayoung: I don't understand the comment. I didn't suggest removing anything.16:27
ayoungbut...yeah, I guess we need it16:27
notmorganvia the apis16:27
notmorganjust base install and let people do the real work with other tools.16:27
notmorganpackaging shouldn't be trying to standup a complex system like openstack16:28
notmorganimo16:28
zigonotmorgan: It's entirely optional, but very useful for me for my CI.16:28
ayoungbknudson, yeah, I retract the objection.  Was thinkg "don't duplicate API ability" but of course we need to16:28
ayoungas they say around here "DER"16:28
zigonotmorgan: I do run a CI without anything but preseed and packages.16:28
zigoI don't want to drop this.16:28
zigoPlus preseeding is very helpful too.16:28
notmorganand i think encoding this into the packages is the wrong choice in every case.16:29
notmorgani told you you'd disagree with me when i pinged you earlier ;)16:29
zigonotmorgan: I know many people don't agree... :)16:29
bknudsonayoung: well, I'd prefer not to duplicate anything either, but prefer duplication to admin token.16:29
zigonotmorgan: Though again, it's optional, and by the Debian policy, it isn't on the way to do anything with a configuration manager.16:29
notmorganzigo: but it is the default behavior, is it not?16:30
* zigo found that the issue was that python-keystoneauth1 wasn't registered to use the correct debian/mitaka branch, so it was building an older version in my jenkins... :P16:30
notmorganzigo: can i at least encourage it to be the non-default behavior16:30
zigonotmorgan: No, the default behavior is to do nothing.16:30
notmorganok16:30
*** ajayaa has quit IRC16:30
notmorgani was misinformed/ran into something trying to autoconfigure in the past16:30
zigoNo automated dbconfig, no API registration, etc.16:31
notmorganzigo: i have too many things that try and auto-restart apache16:31
notmorganor drop configs and restart things.16:31
notmorganout of the box16:31
zigonotmorgan: I'd like to avoid restarting apache too.16:31
zigonotmorgan: Though that's a more general issue here.16:32
zigonotmorgan: If we get loads of API using a single Apache instance, restarting Apache because of any upgrade is crazy.16:32
notmorganyep16:32
zigouwsgi is much nicer in this regard.16:32
notmorganeh.16:33
bknudsonzigo: why wouldn't you use uwsgi?16:33
notmorganapache -> uwsgi is just fine16:33
notmorganvhosts are easy to config and reload is safe16:33
notmorganor graceful16:33
bknudsonif you're transitioning from eventlet I'd think uwsgi would be the easiest16:34
notmorganbknudson: i agree16:34
zigobknudson: Because upstream is telling me that Apache is *the* solution ! :)16:34
zigoAnd I'm trying to just listen ...16:34
notmorganzigo: apache is the recommended solution because of the heavy reliance on mod_shib and that mod_wsgi was a lower barrier to entry16:34
notmorganalso ssl offload16:34
notmorganhowever, nginx is also a good offload16:34
bknudsonreally it's just allowing us to remove the crappy eventlet code in keystone, and letting uwsgi handle the connections. uwsgi is better at it then we are.16:34
notmorganrunning keystone in uwsgi is just better than we are at handling connections16:35
zigoI get that we all want to get rid of eventlet, no problem.16:35
notmorganbut i would *still* not run uwsgi in http mode16:35
zigoI just wonder if we are just misslead here, and that we could use something else, still in Python, to do the same job.16:35
notmorgani would still front it with a webserver in any real configuration16:35
notmorganno16:35
notmorganpython really does not do what we need.16:35
zigoThat's what I don't understand! :)16:35
notmorganwe are bad at writing wsgi containers16:36
notmorganpython doesn't do this well16:36
zigonotmorgan: Is it long to explain? :)16:36
notmorganthe options are eventlet? asyncio with custom code?16:36
notmorganor uwsgi/mod_wsgi + a very basic entry point16:36
bknudsonyou can't just expose everything to the internet. You need something that's been hardened16:36
bknudsonmaybe uwsgi has been hardened, I don't know.16:36
notmorgani trust mod_Wsgi/uwsgi more than my code for that16:36
bknudsonbut I do know that apache has been.16:36
notmorganthey are heavily used and have lots of eyes on it.16:37
zigopython-keystonemiddleware builds fine now... and so does Zaqar with it! :) \o/16:37
notmorganzigo: that is good news16:37
zigoI got only 6 server projects and I'm done with Mitaka b1. :)16:38
bknudsonzaqar doesn't use the ksm fixture?16:38
notmorgananyway. so use uwsgi + mod_uwsgi or uwsgi + mod_proxy, or uwsgi + nginx16:38
*** rderose has joined #openstack-keystone16:39
notmorganwe mostly test just apache + mod_wsgi, but we could expand that with functional testing in the gate16:39
bknudsonI don't think we need to test everything. There's too many options. Let's just get rid of specialized code.16:40
bknudsonwe're not going to test every possible http client, either.16:41
bknudsonalthough I agree it would be better to test 2 rather than only 1.16:42
bknudsonso a uwsgi gate job would be handy (we could change devstack's eventlet setup to do uwsgi instead)16:42
*** rcernin has quit IRC16:42
notmorganbknudson: yep16:43
*** vgridnev has quit IRC16:47
*** diazjf has quit IRC16:47
*** lhcheng has joined #openstack-keystone16:52
*** ChanServ sets mode: +v lhcheng16:52
*** david-lyle has quit IRC16:53
*** petertr7 is now known as petertr7_away16:53
*** ninag has quit IRC16:59
*** ninag has joined #openstack-keystone16:59
*** belmoreira has quit IRC17:02
*** ninag_ has joined #openstack-keystone17:03
*** ninag has quit IRC17:04
*** dims_ has quit IRC17:06
*** ninag_ has quit IRC17:07
*** ig0r_ has joined #openstack-keystone17:11
*** dims has joined #openstack-keystone17:12
*** steveng has quit IRC17:13
*** ChanServ sets mode: +o dolphm17:13
*** diazjf has joined #openstack-keystone17:14
*** topol has quit IRC17:15
*** dims has quit IRC17:16
*** dims has joined #openstack-keystone17:17
*** browne has joined #openstack-keystone17:19
*** _cjones_ has joined #openstack-keystone17:20
*** RichardRaseley has joined #openstack-keystone17:24
*** dims has quit IRC17:24
*** BAKfr has joined #openstack-keystone17:25
*** topol has joined #openstack-keystone17:25
*** ChanServ sets mode: +v topol17:25
openstackgerritTom Cocozzello proposed openstack/keystone: WIP List assignments with names  https://review.openstack.org/24995817:26
*** lhcheng_ has joined #openstack-keystone17:26
*** gyee has joined #openstack-keystone17:27
*** ChanServ sets mode: +v gyee17:27
openstackgerritBrian Curtin proposed openstack/keystoneauth: Provide a RFC 7231 compliant user agent string  https://review.openstack.org/25600217:28
*** sigmavirus24 is now known as sigmavirus24_awa17:29
*** lhcheng has quit IRC17:29
*** singhj has joined #openstack-keystone17:29
singhjHey guys, does anyone know the difference between --os-url and --os-auth-url?17:32
*** openstackstatus has joined #openstack-keystone17:37
*** tonytan4ever has quit IRC17:37
*** ChanServ sets mode: +v openstackstatus17:37
*** mhickey has quit IRC17:41
*** davechen has left #openstack-keystone17:44
*** dims has joined #openstack-keystone17:47
lhcheng_singhj: --os-url if you are going to use a token for authentication, it is used together with --os-token17:47
lhcheng_singhj: --os-auth-url if you're going to authenticate by password17:48
*** topol has quit IRC17:48
lhcheng_singhj: https://github.com/openstack/python-openstackclient/blob/master/doc/source/authentication.rst#authentication-plugins17:48
singhjlhcheng_: thank you17:49
openstackgerritMerged openstack/keystone: Updating sample configuration file  https://review.openstack.org/25463317:49
*** dims has quit IRC17:53
*** browne has quit IRC17:54
*** roxanaghe has quit IRC17:55
*** roxanaghe has joined #openstack-keystone17:56
*** dims has joined #openstack-keystone17:57
notmorganso...17:58
*** ninag has joined #openstack-keystone18:00
*** spandhe has joined #openstack-keystone18:01
*** pnavarro has quit IRC18:09
stevemarso18:10
*** dims has quit IRC18:12
*** amit213 has quit IRC18:14
*** amit213 has joined #openstack-keystone18:15
notmorgansooooooooo18:17
gyeeayoung, https://review.openstack.org/#/c/177661/, oslo policy is still required18:18
gyeeayoung, you want to remove oslo policy dependency?18:18
ayounggyee, you still need it?18:19
gyeeayoung, yes, because even though we don't use policy.json, we still using a rule to have more flexibility18:19
*** aginwala has joined #openstack-keystone18:20
ayounggyee, and hence the temp dir as well...do we really need that, then?18:22
gyeeayoung, sorry, tempdir we don't need18:22
*** diazjf has quit IRC18:22
ayounggyee, how is the policy file going to be distributed, then?  CMS?18:22
ayoungI thought you had decided to put it entirely in the config file18:23
gyeeayoung, no need for policy.json, I just need to enforce a rule18:24
gyeethat can be done dynamically18:24
gyeeayoung, a rule is configured in aut_token middleware section18:24
gyeeI'll create an enforcer to enforce that, no policy.json18:25
ayounggyee, So, I think we need at a minimum to do two things:18:25
gyeeayoung, if we agree on using olso policy to do the enforcement, I can cleanup the rest18:25
ayoung1.  Make it work for a list of endpoint ids.  The same middleware will be executed for admin versus public vbersus private (in the keystone case)18:26
ayoung2)  make it work for the service catalog URLS instead of the ids18:26
gyeeayoung, both will work with a rule18:26
ayoungbecause the CMS will not know the ID before having to modify auth_token section of the config file18:26
gyeesince we flatten the catalog and use that for enforcement18:26
gyeeusing a rule is very flexible18:27
*** topol has joined #openstack-keystone18:27
*** ChanServ sets mode: +v topol18:27
gyeeayoung, if we agree on using policy for enforcement, then I can clean the rest. Otherwise, I'll need to duplicate some olso code in there.18:32
ayounggyee, Go for it18:32
ayoungpolicy is fine18:32
gyeeayoung, k, I'll cleanup the rest, thanks!18:33
ayounggyee, just you need to match "any" endpoiint defined, not just one18:33
ayoungso where youi do18:33
gyeeayoung, right18:33
gyeewe can match anything in the flatten catalog18:33
ayounggyee, but this is from the config file, and so it should be a multistropt I think18:34
openstackgerritMerged openstack/keystone: Updated from global requirements  https://review.openstack.org/25444418:34
ayoungfor endpoint in service.get('endpoints', []):18:34
ayoung    gyee ugh...the rules are going to  be ugly.   Do you ahave a text example in your tests?18:35
*** dims has joined #openstack-keystone18:36
gyeeayoung, https://review.openstack.org/#/c/177661/30/keystonemiddleware/tests/unit/auth_token/test_endpoint_constraint.py18:37
gyeeline 6718:37
gyeeyou can match multiple endpoints by IDs18:37
ayounggyee, ok so it would be18:37
*** jistr has quit IRC18:38
ayoungendpoint_id:%s' % (self.endpoint[0].id) or endpoint_id:%s' % (self.endpoint[1].id)18:38
gyeeayoung, not sure if I understand, what would user need to configure then?18:39
*** aginwala has quit IRC18:39
ayounggyee, lets asume that nova has two endpoint on the same phys machine, reading the same conf file18:40
ayoungpublic and admin or whatever18:40
*** diazjf has joined #openstack-keystone18:40
ayounggyee, https://wiki.openstack.org/wiki/API_Working_Group/Current_Design/Service_Catalog18:43
*** aginwala has joined #openstack-keystone18:43
*** shaleh has joined #openstack-keystone18:44
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/25605318:44
*** browne has joined #openstack-keystone18:44
gyeeayoung, so if we flatten the catalog, we can match whatever's in there18:45
ayounggyee,  All I am saying is test an Or rule from the config18:45
gyeeendpoint_id, region, service type, etc18:45
gyeeayoung, sure, I can add a few more tests18:46
ayoungmnake sure we can say multiple endpoint ids are valid for a single authtoken deploy. Capiche?18:46
gyeeayoung, roger that18:46
*** aginwala has quit IRC18:47
ayounggyee,  we're good.  ping me whe you want me to look again18:47
*** lhcheng_ is now known as lhcheng18:48
*** ChanServ sets mode: +v lhcheng18:48
*** fawadkhaliq has quit IRC18:50
*** aginwala has joined #openstack-keystone18:56
*** harlowja has quit IRC18:56
*** harlowja has joined #openstack-keystone18:56
*** ninag has quit IRC18:58
*** ninag has joined #openstack-keystone18:58
*** ninag_ has joined #openstack-keystone19:02
*** ninag has quit IRC19:03
*** zz_john5223 has quit IRC19:08
*** tonytan4ever has joined #openstack-keystone19:11
*** sigmavirus24_awa is now known as sigmavirus2419:11
*** e0ne has joined #openstack-keystone19:13
*** davechen has joined #openstack-keystone19:16
*** aginwala has quit IRC19:19
*** john5223 has joined #openstack-keystone19:21
*** aginwala has joined #openstack-keystone19:24
*** jorge_munoz has quit IRC19:26
*** diazjf has quit IRC19:27
*** r-daneel has joined #openstack-keystone19:27
*** ninag_ has quit IRC19:32
*** ninag has joined #openstack-keystone19:32
bretonhas anybody ran into problem with WebSSO when after authentication keystone redirects to http://ip/auth/websso/ instead of http://ip/horizon/auth/websso/ ?19:33
*** steveng has joined #openstack-keystone19:35
stevemarbreton: hmm, maybe that's cause of new horizon stuff putting it all under /horizon19:35
*** ninag has quit IRC19:36
*** rderose has quit IRC19:37
*** ninag has joined #openstack-keystone19:37
*** kibm has joined #openstack-keystone19:38
*** ninag has quit IRC19:40
*** ninag has joined #openstack-keystone19:41
*** phalmos has joined #openstack-keystone19:41
*** ninag has quit IRC19:42
gordcany idea what is throwing this deprecation? http://logstash.openstack.org/#/dashboard/file/logstash.json?query=message:%5C%22deprecated%5C%22%20AND%20loglevel:%5C%22WARNING%5C%22%20AND%20build_branch:%5C%22master%5C%2219:42
*** ninag has joined #openstack-keystone19:42
bknudsongordc: which one?19:43
gordcbknudson: all of them? they all seem to be from apache/keystone.txt... or is it just ending up there?19:45
*** ninag has quit IRC19:45
*** ninag has joined #openstack-keystone19:46
stevemarbknudson: gordc https://github.com/openstack/keystone/blob/master/etc/keystone.conf.sample#L68819:46
bknudsongordc: so one deprecation is `"admin_workers" from group "eventlet_server" is deprecated for removal.`19:46
*** diazjf has joined #openstack-keystone19:46
bknudsonif you're running in apache you don't need to set admin_workers, admin_bind_host, etc.19:46
bknudsonit's probably devstack that's setting these options even when it doesn't have to19:47
bknudsonjust because it's easier.19:47
gordcbknudson: yep that's what i think.19:47
*** tqtran has joined #openstack-keystone19:47
bknudsonso that might be an easy one to take care of, check if devstack is configured to run keystone in apache and if so skip the settings.19:48
bknudsonthen it'll be logged less, but since there's a gate job that tests keystone in eventlet we can't get rid of it entirely19:49
*** phalmos has quit IRC19:49
stevemarbknudson: it seems like the old option is being set19:49
gordcstevemar: what's the new option?19:50
bretonstevemar: that's in kilo. But yes, /auth/websso is hardcoded there in kilo19:54
stevemargordc: admin_workers should be in the [eventlet] group19:55
stevemardouble check that it's not in the [default] group19:55
gordcstevemar: [eventlet_server]?19:56
gordcor [evenlet]19:56
stevemargordc: you're gonna make me look it up19:56
gordci looked it up19:57
stevemareventlet_server19:57
gordcit's already under evenlet_server19:58
gordc Option "admin_workers" from group "eventlet_server" is deprecated for removal.  Its value may be silently ignored in the future.19:58
gordcbknudson: stevemar: meh, i did this https://review.openstack.org/#/c/256078/19:59
*** shaleh has quit IRC20:00
gordcplease +/- as you like :)20:00
*** ninag has quit IRC20:00
stevemargordc: ah right, both the old and the new group are deprecated20:01
stevemareverything is deprecated!20:01
*** ninag has joined #openstack-keystone20:01
*** rcernin has joined #openstack-keystone20:01
stevemargordc: looks good20:01
gordcstevemar: no one will let you. deprecation is a dream in openstack20:01
stevemarone day we'll remove eventlet20:02
stevemarone day20:02
gordcstevemar: come to ceilometer or aodh. the dream is real20:03
gordchttps://review.openstack.org/#/c/240888/20:04
*** jasonsb has quit IRC20:04
*** ninag has quit IRC20:05
bretondeployed keystone and horizon kilo with websso using okta.com as an IdP20:09
bretonhorizon is not ready for websso in kilo :(20:09
stevemarhmm20:14
stevemarbreton: lhcheng has set it up a bunch of times20:14
*** shaleh has joined #openstack-keystone20:16
lhchengbreton: it should work with kilo, you probably need to get the later version of django_openstack_auth20:16
lhchengbreton: what version of django_openstack_auth are you using?20:16
*** jorge_munoz has joined #openstack-keystone20:21
bretonlhcheng: django-openstack-auth==1.2.020:23
lhchengbreton: 1.2.0 is right, have you set the configuration in horizon to enable websso?20:25
bretondoes d-o-a still fish the url out of the referer?20:26
bretonlhcheng: I've set it up20:26
bretonlhcheng: and it works20:26
lhchengbreton: oh great20:27
bretonbut for example to support http://ip/horizon/auth/websso instead of http://ip/auth/websso I had to hardcode the suburl in openstack_auth/views.py L6320:27
bretonI also terribly disliked that horizon fished the url to validate the token against out of referer20:28
*** alex_xu has quit IRC20:30
lhchengbreton: ah ayoung fixed that issue in horizon20:30
bretonlhcheng: which one? With referer or suburl?20:30
lhchengwebroot not getting picked up20:30
lhchengit was fixed here: https://github.com/openstack/django_openstack_auth/commit/85b2aaea489f2e89e36bc08b99216939d8076462#diff-a2b178442c61a16a7978d4ecdc3d096420:31
amakarovlhcheng, nice to see that - the idea looked terrible20:32
*** alex_xu has joined #openstack-keystone20:33
lhchengbreton: why don't you like the idea of using the referer?20:34
amakarovlhcheng, http/https issue20:34
*** dims has quit IRC20:35
*** dims has joined #openstack-keystone20:35
amakarovlhcheng, sorry for intervening :)20:36
bretonlhcheng: because we already have the keystone url in horizon config20:36
amakarovlhcheng, the problem is that referer is an external url, while auth.authenticate operates internally in the cloud20:37
amakarovso external url may be inaccessible for this operation20:38
breton(or unwanted)20:38
stevemargordc: nooooooo20:38
stevemarhttp://logs.openstack.org/39/256039/1/check/gate-keystonemiddleware-python27/53e9755/testr_results.html.gz20:38
lhchengamakarov: that referer is where keystone will redirect to after federation is completed.20:38
amakarovfor example: if external urls use https and internal - http20:38
lhchengif keystone can't access horizon, you can't really do websso.20:39
gordcstevemar: master?20:39
openstackgerritSean Perry proposed openstack/keystone: Clean up new_credential_ref usage and surrounding code  https://review.openstack.org/24671320:39
amakarovlhcheng, it can, but a bit differently20:39
stevemargordc: stable20:39
shalehanother day, another rebase ^^20:39
amakarovlhcheng, as I say: external urls aren't accessible internally20:40
amakarovdue to https scheme20:40
amakarovlhcheng, while the very same url can be served via http flawlessly20:40
gordc... it's because everything is uncapped20:40
*** e0ne has quit IRC20:41
lhchengamakarov: hmm user will be switched from https to http site?20:41
lhchengamakarov:  login page (https) -> federated login -> keystone (internal http) -> horizon (http?) ?20:42
amakarovlhcheng, no. user sits outside the cloud protected by https20:42
amakarovlhcheng, services communicate internally using http20:43
*** jasonsb has joined #openstack-keystone20:43
*** jorge_munoz has quit IRC20:43
amakarovlhcheng, we ran into issue, when service extracts url to communicate to another service from referrer20:44
amakarovwhich is for the external user, sitting outside20:44
amakarovlhcheng, service tries to do https://public_host_name:5000/whatever20:45
amakarovand fails20:45
amakarovas all 5000 port requests are served via http only20:45
amakarovI mean internal requests20:46
lhchengamakarov: hmm so keystone should redirect to the internal address of horizon?20:47
*** jaosorior has quit IRC20:47
*** jorge_munoz has joined #openstack-keystone20:47
*** jaosorior has joined #openstack-keystone20:47
gordcstevemar: i don't get it. it fails because of deprecation warning?20:48
amakarovlhcheng, no. External urls should be external, internal - internal20:48
stevemargordc: haven't looked into it yet20:48
amakarovlhcheng, and not get mixed20:48
amakarovlhcheng, I haven't said a word about redirecting20:49
stevemargyee: push shaleh's last patch: https://review.openstack.org/#/c/246713/ make him a happy camper20:49
*** steveng has quit IRC20:49
shalehstevemar: there is something meditative about fixing the same rebase issue every morning20:50
gyeestevemar, ack, employee happiness is important :)20:50
lhchengamakarov: I got confused, I thought you were disagreeing about the use of referer in context of websso.20:50
gyeeshaleh, that or tea :)20:51
lhchengamakarov: I get what you mean about internal and external endpoints.20:51
shalehgyee: tea is preferable :-)20:51
amakarovlhcheng, I'm against using external url in internal requests - that's all20:52
lhchengamakarov: this is not for internal requests20:52
lhchengamakarov: horizon should be hitting the public endpoint, that's should be the configuration in the settings20:53
amakarovlhcheng, agreed20:53
lhchengso it should be:  external horizon login page  -> external ks endpoint -> federated login -> external ks endpoint   -> horizon external endpoint20:54
amakarovlhcheng, that's from outside - yes20:55
amakarovbesides, horizon's openstack_auth issues a request to keystone in the process of websso20:56
amakarovlhcheng, so it's not about redirecting the user20:56
amakarovit's the internal process talking to another internal process20:57
shalehgyee: I expected git to be smarter with its merges20:58
amakarovlhcheng, and the problem was (in our case - IS) that external url was used for this for some reason20:58
lhchengamakarov: ugh, yeah that's bad idea20:59
amakarovlhcheng, so I'm happy to know it's fixed :)21:00
*** gordc has quit IRC21:01
lhchengamakarov: awesome :)21:01
gyeeamakarov, what was the fix? burn a hole in your network to let your internal keystone access external horizon endpoint?21:03
*** petertr7_away is now known as petertr721:04
*** tonytan4ever has quit IRC21:06
*** raildo is now known as raildo-afk21:07
stevemargyee: you don't have to worry about waiting for jenkins results to +A (referring to https://review.openstack.org/#/c/246713/)21:08
stevemarif jenkins fails, then even with a +A, it won't gate21:09
gyeestevemar, k, thanks, good to known21:09
gyeeknow21:10
stevemargyee: i'm here to dish out knowledge21:10
*** sigmavirus24 is now known as sigmavirus24_awa21:10
gyeestevemar, I am enlighten21:10
*** sigmavirus24_awa is now known as sigmavirus2421:10
stevemargyee: you were already enlightened21:10
gyeeheh21:11
flwangstevemar: ping21:11
*** pauloewerton has quit IRC21:11
flwangstevemar: i was asked an interesting question and i think you may know the anwser21:11
flwangstevemar: why keystone's tenant id and user id is using the uuid format without '-'?21:11
flwangbut most of the other projects' id has the '-' like 0368593a-60ef-48a3-885a-add8dfefe56921:12
*** kibm has quit IRC21:14
amakarovgyee, no, just map external hostname to ::1 in /etc/hosts21:15
gyeeamakarov, that's assuming your network topology allows it21:15
amakarovgyee, it was PoC for another task, after all - so it's up to our dev-ops now :)21:15
gyeefor some deployments, internal network and external network are isolated21:15
lhchengamakarov: you aren't doing dev-ops? lucky you21:16
amakarovlhcheng, they'll come to us anyway21:16
* amakarov going home21:18
*** amakarov is now known as amakarov_away21:18
*** kairat has quit IRC21:20
*** kairat has joined #openstack-keystone21:20
openstackgerritFernando Diaz proposed openstack/keystone: WIP: Opt-out certain Keystone Notifications  https://review.openstack.org/25378021:20
*** atiwari2 has quit IRC21:25
*** topol has quit IRC21:26
*** chris_19 has joined #openstack-keystone21:27
*** atiwari2 has joined #openstack-keystone21:27
*** pkarikh has quit IRC21:27
*** pkarikh has joined #openstack-keystone21:28
*** amakarov_away has quit IRC21:28
*** timcline has quit IRC21:28
*** amakarov_away has joined #openstack-keystone21:28
*** tsufiev has quit IRC21:28
*** agireud has quit IRC21:31
*** diazjf has quit IRC21:31
*** jorge_munoz has quit IRC21:32
*** tsufiev has joined #openstack-keystone21:32
*** pwp has joined #openstack-keystone21:33
*** tonytan4ever has joined #openstack-keystone21:34
*** jorge_munoz has joined #openstack-keystone21:34
pwpstevemar: I'm was wondering if you agreed with henry-nash on https://bugs.launchpad.net/keystone/+bug/1218682.21:35
openstackLaunchpad bug 1218682 in OpenStack Identity (keystone) "User's email format hasn't been checked" [Wishlist,Triaged]21:35
*** gordc has joined #openstack-keystone21:35
pwpHe basically said that since it is an unsupported feature, the clients should handle it and if it is using ldap that it should be handled by the backend server.21:35
pwpDo you still think it is something that is likely to be accepted if implemented? I didn't get chance to work on it yesterday because I was sick, so no time would be lost if you just wanted to not support email validation.21:37
*** diazjf has joined #openstack-keystone21:38
*** atiwari1 has joined #openstack-keystone21:40
*** atiwari2 has quit IRC21:43
*** agireud has joined #openstack-keystone21:43
*** agireud has quit IRC21:48
*** agireud has joined #openstack-keystone21:51
bretonlbragstad: sorry, had not time to poke that fernet and trusts issue21:52
bretonlbragstad: will do first thing tomorrow morning21:52
*** ninag has joined #openstack-keystone21:58
*** gildub has joined #openstack-keystone21:59
*** ninag_ has joined #openstack-keystone21:59
*** lhcheng_ has joined #openstack-keystone21:59
*** ninag_ has quit IRC22:00
*** ninag_ has joined #openstack-keystone22:00
*** ninag_ has quit IRC22:00
*** ninag has quit IRC22:02
*** lhcheng has quit IRC22:03
*** aginwala has quit IRC22:04
*** petertr7 is now known as petertr7_away22:06
*** alex_xu has quit IRC22:07
*** alex_xu has joined #openstack-keystone22:09
*** hogepodge has quit IRC22:10
*** atiwari1 has quit IRC22:11
*** roxanaghe has quit IRC22:11
*** diazjf has quit IRC22:12
*** gyee has quit IRC22:12
*** arunkant has quit IRC22:12
*** hogepodge has joined #openstack-keystone22:13
*** gordc has quit IRC22:13
*** roxanaghe has joined #openstack-keystone22:13
pwpstevemar: I'm getting off for a bit.22:14
*** aginwala has joined #openstack-keystone22:14
pwpI'll be back on later tonight.22:14
*** arunkant has joined #openstack-keystone22:14
*** atiwari has joined #openstack-keystone22:15
*** pwp has quit IRC22:18
*** atiwari has quit IRC22:20
*** gyee has joined #openstack-keystone22:20
*** ChanServ sets mode: +v gyee22:20
*** david-lyle has joined #openstack-keystone22:20
*** atiwari has joined #openstack-keystone22:20
*** jamielennox|away is now known as jamielennox22:22
*** pumaranikar has quit IRC22:27
*** kibm has joined #openstack-keystone22:29
*** pumaranikar has joined #openstack-keystone22:29
*** pushkaru has joined #openstack-keystone22:32
*** pumaranikar has quit IRC22:32
*** agireud has quit IRC22:32
*** kibm_ has joined #openstack-keystone22:33
*** agireud has joined #openstack-keystone22:34
*** kibm has quit IRC22:36
*** pushkaru has quit IRC22:39
brownebknudson: i replied to your comment in https://review.openstack.org/#/c/236092/22:42
brownea cherry-pick seems troublesome22:42
*** rcernin has quit IRC22:45
*** alejandrito has quit IRC22:49
*** KarthikB has joined #openstack-keystone22:50
*** KarthikB has quit IRC22:50
*** david-lyle has quit IRC22:55
*** chris_19 has quit IRC22:55
*** openstackstatus has quit IRC23:01
*** slberger has left #openstack-keystone23:13
*** tonytan4ever has quit IRC23:16
*** aginwala has quit IRC23:21
*** singhj1 has joined #openstack-keystone23:21
*** gildub has quit IRC23:21
*** singhj has quit IRC23:23
*** singhj1 has quit IRC23:26
*** aginwala has joined #openstack-keystone23:26
mordredjamielennox, notmorgan: working on python-novaclient OCC/KSA patches, and they have this pluggable auth thing to provide non-keystone auth23:37
* notmorgan rolls eyes23:37
mordrednobody wants that code, but it hasn't been 'deprecated' in a way that communicates to users that it's deprecated23:37
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/25605323:37
mordredso we can't remove it directly23:37
mordredWHICH23:37
jamielennoxmordred: yep, it's horrible23:38
mordredmakes me want to write a plugin wrapper function factory thing that will take one of those auth plugins, wrap it in a ksa auth plugin and deal with it that way23:38
mordredhow terrible of an idea is that?23:38
jamielennoxmordred: i looked at doing exactly that and there was a problem - but i can't remember what it is and i think i actually made changes to session to accomodate it23:39
jamielennoxmordred: so it might work now23:39
mordredjamielennox: cool. I'll take a stab at it then and if I run in to problems I'll come scream23:40
jamielennoxmordred: ++23:40
mordredjamielennox: I've got https://review.openstack.org/#/c/256056/ up as patch #123:42
mordredneed to track down the functional test problem23:42
openstackgerritAkira YOSHIYAMA proposed openstack/oslo.policy: Fixes combined "and" and "or" rule handling  https://review.openstack.org/25376323:42
jamielennoxmordred: if you can make it work i think the neutron and maybe heat clients have similar stuff because those auth plugins made it into oslo.incubator23:45
mordredjamielennox: shudder23:45
jamielennoxmordred: i could never figure out how they were supposed to work because even the auth_url is coming from the plugin23:45
mordredjamielennox: so - if those plugins exist in multiple projects, should we put the code in ksa and then throw deprecations if it's triggered?23:45
jamielennoxmordred: propose to novaclient for now, but yea i'd be ok with the shim going to KSA23:46
jamielennoxmordred: just need to figure out who uses it, it's been a while since i dealt with the CLIs23:46
mordredkk23:47
*** atiwari1 has joined #openstack-keystone23:47
*** singhj has joined #openstack-keystone23:48
*** atiwari has quit IRC23:49
*** gildub has joined #openstack-keystone23:52
*** csoukup has quit IRC23:58
« Wednesday, 2015-12-09 Index Friday, 2015-12-11 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!