Thursday, 2016-02-04

« Wednesday, 2016-02-03 Index Friday, 2016-02-05 »
*** ninag has quit IRC00:02
*** jasonsb has joined #openstack-keystone00:16
*** PsionTheory has quit IRC00:19
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/27279000:21
*** r-daneel has joined #openstack-keystone00:23
*** bill_az has quit IRC00:31
*** spzala has joined #openstack-keystone00:34
*** cburgess_ has quit IRC00:39
*** chlong has joined #openstack-keystone00:40
*** cburgess has joined #openstack-keystone00:42
*** jbell8 has joined #openstack-keystone00:43
*** daemontool has joined #openstack-keystone00:47
*** daemontool_ has quit IRC00:48
*** jbell8 has quit IRC00:48
*** jbell8 has joined #openstack-keystone00:48
*** jamielennox is now known as jamielennox|away01:01
*** diazjf has joined #openstack-keystone01:06
*** jbell8 has quit IRC01:07
*** mylu has quit IRC01:19
*** gildub_ has joined #openstack-keystone01:24
*** esp has quit IRC01:25
*** mylu has joined #openstack-keystone01:26
*** gildub has quit IRC01:27
*** gildub_ has quit IRC01:27
*** gildub has joined #openstack-keystone01:27
*** crinkle_ has joined #openstack-keystone01:30
*** crinkle has quit IRC01:31
*** mylu has quit IRC01:31
*** spzala has quit IRC01:31
*** crinkle_ is now known as crinkle01:31
*** fpatwa has joined #openstack-keystone01:33
*** Ephur has quit IRC01:40
*** r-daneel has quit IRC01:41
*** _cjones_ has quit IRC01:49
*** phalmos has joined #openstack-keystone01:49
*** ericksonsantos has quit IRC01:50
*** mgarza_ has joined #openstack-keystone01:55
*** mylu has joined #openstack-keystone01:57
*** spzala has joined #openstack-keystone01:58
*** ericksonsantos has joined #openstack-keystone01:59
*** browne has quit IRC01:59
*** spzala has quit IRC02:00
*** spzala has joined #openstack-keystone02:00
*** davechen has joined #openstack-keystone02:05
*** spandhe has quit IRC02:05
*** erlarese has joined #openstack-keystone02:07
*** su_zhang has quit IRC02:09
*** fpatwa has quit IRC02:10
*** diazjf has quit IRC02:14
openstackgerritMerged openstack/python-keystoneclient: Update keyring requirements  https://review.openstack.org/27443502:16
openstackgerritMerged openstack/python-keystoneclient: Remove python 2.5 workaround  https://review.openstack.org/27443602:16
*** __zouyee has joined #openstack-keystone02:16
*** alejandrito has joined #openstack-keystone02:20
*** jorge_munoz has left #openstack-keystone02:28
*** Dave has quit IRC02:30
*** jamielennox|away is now known as jamielennox02:32
*** jed56 has quit IRC02:33
*** ChanServ sets mode: +v topol_02:39
*** topol_ is now known as topol02:39
*** spandhe has joined #openstack-keystone02:42
*** roxanagh_ has quit IRC02:51
*** jamielennox is now known as jamielennox|away03:06
*** phalmos has quit IRC03:06
*** jamielennox|away is now known as jamielennox03:11
*** alejandrito has quit IRC03:17
stevemarandrewbogott: i'm assuming you opened a bunch of keystone bugs?03:21
stevemarandrewbogott: if so, thank you :]03:26
*** woodster_ has quit IRC03:26
*** dims has joined #openstack-keystone03:37
*** erlarese has quit IRC03:41
openstackgerritMerged openstack/keystone: Add schema for OAuth1 consumer API  https://review.openstack.org/26679103:43
*** woodster_ has joined #openstack-keystone03:44
*** browne has joined #openstack-keystone03:44
*** __zouyee has quit IRC03:45
notmorganstevemar: back post drive and dinner03:46
*** daemontool has quit IRC03:46
*** daemontool has joined #openstack-keystone03:46
notmorgandolphm: ++ on the billion roles thing.03:47
*** links has joined #openstack-keystone03:49
openstackgerritMerged openstack/keystone: Create neutron service in sample_data.sh  https://review.openstack.org/20821503:50
openstackgerritMerged openstack/keystone: Do not assign admin to service users  https://review.openstack.org/27533503:50
*** vivekd has joined #openstack-keystone03:52
*** dims has quit IRC03:53
*** browne has quit IRC03:53
*** browne has joined #openstack-keystone03:56
notmorganDinaBelova: I am still a hard -1 or -2 for profiling enabled by default ftr.03:56
notmorganProfiling needs to be opt in especially since osprofiler can leak sensitive data due to its deep hook points.03:57
*** fpatwa has joined #openstack-keystone03:57
notmorganIt was one of the core requirements I had for backing down from my original -203:57
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947903:58
*** vivekd has quit IRC03:59
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947903:59
*** fpatwa has quit IRC04:00
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947904:00
*** mgarza_ has quit IRC04:06
*** su_zhang has joined #openstack-keystone04:07
*** jasonsb has quit IRC04:09
*** jasonsb has joined #openstack-keystone04:10
*** boris-42 has quit IRC04:11
*** ryanpetrello has quit IRC04:11
*** briancurtin has quit IRC04:11
*** dtroyer has quit IRC04:12
*** ctracey has quit IRC04:12
*** andrewbogott has quit IRC04:12
*** jamielennox is now known as jamielennox|away04:12
*** comstud has quit IRC04:12
*** tpeoples has quit IRC04:12
*** BlackDex has quit IRC04:12
*** Nakato has quit IRC04:12
*** eglute has quit IRC04:13
*** sigmavirus24_awa has quit IRC04:13
*** g2` has quit IRC04:13
*** BlackDex has joined #openstack-keystone04:13
*** dtroyer has joined #openstack-keystone04:13
*** BrAsS_mOnKeY has joined #openstack-keystone04:13
*** gus has quit IRC04:13
*** chlong has quit IRC04:13
*** Nakato has joined #openstack-keystone04:13
*** ryanpetrello has joined #openstack-keystone04:14
*** comstud has joined #openstack-keystone04:14
*** gus has joined #openstack-keystone04:14
*** mylu has quit IRC04:14
*** eglute has joined #openstack-keystone04:14
*** EinstCrazy has joined #openstack-keystone04:14
*** jimbaker has quit IRC04:15
*** jasonsb has quit IRC04:15
*** spzala has quit IRC04:15
*** sigmavirus24_awa has joined #openstack-keystone04:16
*** spzala has joined #openstack-keystone04:16
*** jasonsb has joined #openstack-keystone04:16
*** tpeoples has joined #openstack-keystone04:16
*** mylu has joined #openstack-keystone04:17
*** ctracey has joined #openstack-keystone04:18
*** xek_ has joined #openstack-keystone04:18
*** jimbaker has joined #openstack-keystone04:18
*** boris-42 has joined #openstack-keystone04:18
*** jimbaker has quit IRC04:18
*** jimbaker has joined #openstack-keystone04:18
*** amit213 has quit IRC04:19
*** bradjones has quit IRC04:19
*** BAKfr has quit IRC04:19
*** tristanC has quit IRC04:19
*** boltR has quit IRC04:19
*** smcginnis has quit IRC04:19
*** Daviey has quit IRC04:19
*** tristanC has joined #openstack-keystone04:19
*** Daviey has joined #openstack-keystone04:19
*** xek has quit IRC04:19
*** jrist has quit IRC04:19
*** boltR has joined #openstack-keystone04:20
*** BAKfr has joined #openstack-keystone04:20
*** briancurtin has joined #openstack-keystone04:20
*** spzala has quit IRC04:20
*** jrist has joined #openstack-keystone04:20
*** smcginnis has joined #openstack-keystone04:20
*** bradjones has joined #openstack-keystone04:21
*** bradjones has quit IRC04:21
*** bradjones has joined #openstack-keystone04:21
*** andrewbogott has joined #openstack-keystone04:23
*** chlong has joined #openstack-keystone04:28
*** Nirupama has joined #openstack-keystone04:35
*** vivekd has joined #openstack-keystone04:35
*** diazjf has joined #openstack-keystone04:38
*** fpatwa has joined #openstack-keystone04:38
*** fpatwa has quit IRC04:41
*** vivekd has quit IRC04:48
stevemarnotmorgan: o hai04:58
notmorganstevemar: hehe04:59
notmorganheyya04:59
notmorganhotel wifi... fun04:59
notmorganwas a nice rainy drive to seattle though04:59
*** esp has joined #openstack-keystone04:59
notmorganonly ~3hrs04:59
notmorgannot too bad04:59
*** Nirupama has quit IRC05:03
*** vivekd has joined #openstack-keystone05:11
*** boris-42 has quit IRC05:13
*** jbell8 has joined #openstack-keystone05:14
*** jbell8 has quit IRC05:16
*** jbell8 has joined #openstack-keystone05:17
*** jbell8 has quit IRC05:19
*** jbell8 has joined #openstack-keystone05:20
*** esp has quit IRC05:21
*** spandhe_ has joined #openstack-keystone05:23
*** spandhe has quit IRC05:24
*** spandhe_ is now known as spandhe05:24
*** Nirupama has joined #openstack-keystone05:24
stevemarnotmorgan: oh right05:30
stevemarsay hi to craig, jesse and paul for me05:30
notmorganwill do05:30
*** andrewbogott has quit IRC05:31
*** andrewbogott has joined #openstack-keystone05:31
*** csoukup_ has quit IRC05:31
*** csoukup_ has joined #openstack-keystone05:32
*** fpatwa has joined #openstack-keystone05:32
*** markvoelker_ has quit IRC05:34
*** __zouyee has joined #openstack-keystone05:37
*** spzala has joined #openstack-keystone05:46
*** lhcheng_ has quit IRC05:47
*** fpatwa has quit IRC05:50
*** vgridnev has joined #openstack-keystone05:51
*** spzala has quit IRC05:52
openstackgerritDave Chen proposed openstack/keystone: Service Providers Group CRUD operations.  https://review.openstack.org/27343805:53
*** roxanagh_ has joined #openstack-keystone05:58
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Zanata  https://review.openstack.org/27551706:04
openstackgerritSteve Martinelli proposed openstack/keystone: deprecate pki_setup and ssl_setup from keystone-manage  https://review.openstack.org/27605206:10
stevemardavechen: ^ easy one :O06:11
*** vivekd_ has joined #openstack-keystone06:11
openstackgerritSteve Martinelli proposed openstack/keystone: deprecate pki_setup and ssl_setup from keystone-manage  https://review.openstack.org/27605206:11
*** vivekd has quit IRC06:12
*** vivekd_ is now known as vivekd06:12
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: WIP: migrate to keystoneauth  https://review.openstack.org/27605506:14
openstackgerritFernando Diaz proposed openstack/keystone: Opt-out certain Keystone Notifications  https://review.openstack.org/25378006:25
*** mylu has quit IRC06:26
davechenstevemar: looking...06:32
*** richm has joined #openstack-keystone06:33
*** markvoelker has joined #openstack-keystone06:35
davechenstevemar: maybe change 'O' to 'O release'.06:36
openstackgerritFernando Diaz proposed openstack/keystone: Opt-out certain Keystone Notifications  https://review.openstack.org/25378006:36
*** woodster_ has quit IRC06:36
stevemardavechen: feel free to make the change using the edit button and +2'ing it :P06:37
stevemari'm knee deep in squashing migrations06:37
davechenstevemar: okay, okay.06:38
*** henrynash has joined #openstack-keystone06:39
*** ChanServ sets mode: +v henrynash06:39
davechenif these commands are gone, how to get the CA certifiate from federation?06:39
*** markvoelker has quit IRC06:39
*** vivekd has quit IRC06:40
davechenstevemar: keystone federation depends on `keystone-manage pki_setup` to get the certificates.06:40
stevemardavechen: hmm, it really shouldn't be getting it from there...06:40
davechenstevemar: yep, it's not for production, and maybe document it on how to generate one self-sign certificate?06:41
*** mylu has joined #openstack-keystone06:41
davechens/production/product06:41
stevemardavechen: yeah, we should... i dont know if our tests will fail06:42
davechenstevemar: let's do this at first.06:42
*** diazjf has quit IRC06:42
stevemardavechen: the [saml] options just specify we need to point to a cert for signing stuff06:43
openstackgerritDave Chen proposed openstack/keystone: deprecate pki_setup and ssl_setup from keystone-manage  https://review.openstack.org/27605206:43
*** tyagiprince has joined #openstack-keystone06:45
davechenstevemar: yep, some change should be made since i saw from somewhere that suggest to use `keystone-manage pki_setup` to generate the cert.06:46
davechenhmm, it's here. https://review.openstack.org/#/c/234531/2/keystone/common/config.py06:47
*** spzala has joined #openstack-keystone06:49
davechenthe help message of [saml]/certfile.06:49
*** spzala has quit IRC06:53
*** tyagiprince has quit IRC06:54
*** spandhe has quit IRC06:54
*** tyagiprince has joined #openstack-keystone06:58
*** rha has quit IRC07:00
*** roxanagh_ has quit IRC07:01
*** belmoreira has joined #openstack-keystone07:02
*** spandhe has joined #openstack-keystone07:03
*** su_zhang has quit IRC07:03
*** roxanagh_ has joined #openstack-keystone07:03
*** roxanagh_ has quit IRC07:08
openstackgerritDave Chen proposed openstack/keystone: deprecate pki_setup and ssl_setup from keystone-manage  https://review.openstack.org/27605207:13
davechenstevemar: fixed pep8, +2ed.07:15
*** richm has quit IRC07:24
tyagiprinceHii everyone..07:27
tyagiprinceCan I use multiple identity backends in keystone?07:28
tyagiprinceI want the groups to be stored in mysql and users are coming from LDAP.07:28
*** rha has joined #openstack-keystone07:31
*** rha has quit IRC07:31
*** rha has joined #openstack-keystone07:31
*** mylu has quit IRC07:32
*** spandhe has quit IRC07:34
*** spandhe_ has joined #openstack-keystone07:34
*** markvoelker has joined #openstack-keystone07:36
*** markvoelker has quit IRC07:41
*** richm has joined #openstack-keystone07:42
*** spzala has joined #openstack-keystone07:49
*** fhubik has joined #openstack-keystone07:49
openstackgerritSteve Martinelli proposed openstack/keystone: squash migrations - kilo  https://review.openstack.org/27607907:52
*** gyee has quit IRC07:53
*** spzala has quit IRC07:54
*** mvk_ has quit IRC07:57
*** roxanagh_ has joined #openstack-keystone08:04
*** sinese has joined #openstack-keystone08:05
*** vgridnev has quit IRC08:08
*** roxanagh_ has quit IRC08:09
openstackgerritSteve Martinelli proposed openstack/keystone: squash migrations - kilo  https://review.openstack.org/27607908:09
*** Nirupama has quit IRC08:09
stevemaranyone feel like debugging a weird test failure for the migration squash :)08:11
*** spandhe_ has quit IRC08:12
*** jbell8 has quit IRC08:12
*** jbell8 has joined #openstack-keystone08:13
*** tyagiprince has quit IRC08:15
*** pnavarro has joined #openstack-keystone08:21
*** browne has quit IRC08:21
*** Nirupama has joined #openstack-keystone08:22
*** vgridnev has joined #openstack-keystone08:25
*** browne has joined #openstack-keystone08:26
*** mvk_ has joined #openstack-keystone08:26
*** jistr has joined #openstack-keystone08:29
*** jaosorior has joined #openstack-keystone08:31
*** _cjones_ has joined #openstack-keystone08:41
*** _cjones_ has quit IRC08:42
*** _cjones_ has joined #openstack-keystone08:43
*** vgridnev has quit IRC08:46
*** mhickey_ has joined #openstack-keystone08:50
*** spzala has joined #openstack-keystone08:50
*** spzala has quit IRC08:55
*** _cjones_ has quit IRC09:00
*** tyagiprince has joined #openstack-keystone09:04
*** roxanagh_ has joined #openstack-keystone09:05
*** mhickey has joined #openstack-keystone09:07
openstackgerritMaho Koshiya proposed openstack/python-keystoneclient: Add wrapper classes for return-request-id-to-caller  https://review.openstack.org/26118809:07
*** mhickey_ has quit IRC09:08
*** roxanagh_ has quit IRC09:10
*** tyagiprince has quit IRC09:11
openstackgerritMaho Koshiya proposed openstack/python-keystoneclient: Add return-request-id-to-caller function(v2_0)  https://review.openstack.org/26744909:14
*** jistr has quit IRC09:16
*** openstackgerrit has quit IRC09:17
*** openstackgerrit has joined #openstack-keystone09:17
openstackgerritMaho Koshiya proposed openstack/python-keystoneclient: Add wrapper classes for return-request-id-to-caller  https://review.openstack.org/26118809:21
*** browne has quit IRC09:23
*** Dave has joined #openstack-keystone09:33
*** gildub has quit IRC09:36
*** markvoelker has joined #openstack-keystone09:37
*** markvoelker has quit IRC09:41
*** spzala has joined #openstack-keystone09:51
*** spzala has quit IRC09:56
*** davechen has left #openstack-keystone09:57
*** roxanagh_ has joined #openstack-keystone10:06
*** roxanagh_ has quit IRC10:10
openstackgerritMarek Denis proposed openstack/keystone: Service providers groups associations  https://review.openstack.org/27563610:11
*** e0ne has joined #openstack-keystone10:14
openstackgerritMaho Koshiya proposed openstack/python-keystoneclient: Add wrapper classes for return-request-id-to-caller  https://review.openstack.org/26118810:18
*** esp has joined #openstack-keystone10:20
openstackgerritMaho Koshiya proposed openstack/python-keystoneclient: Add return-request-id-to-caller function(v2_0)  https://review.openstack.org/26744910:20
*** esp has quit IRC10:24
openstackgerritMaho Koshiya proposed openstack/python-keystoneclient: Add return-request-id-to-caller function(v2_0)  https://review.openstack.org/26744910:27
*** x58 has quit IRC10:40
*** __zouyee has quit IRC10:48
*** nkinder has joined #openstack-keystone10:49
*** x58 has joined #openstack-keystone10:51
*** spzala has joined #openstack-keystone10:52
*** spzala has quit IRC10:56
*** bdossant has joined #openstack-keystone11:00
*** jaosorior has quit IRC11:01
*** roxanagh_ has joined #openstack-keystone11:07
*** jbell8 has quit IRC11:11
*** dims has joined #openstack-keystone11:12
*** jbell8 has joined #openstack-keystone11:12
*** roxanagh_ has quit IRC11:13
*** nkinder has quit IRC11:19
*** rodrigods has quit IRC11:24
*** rodrigods has joined #openstack-keystone11:24
*** jbell8 has quit IRC11:26
*** jbell8 has joined #openstack-keystone11:26
*** markvoelker has joined #openstack-keystone11:38
*** samueldmq has joined #openstack-keystone11:42
*** markvoelker has quit IRC11:43
*** spzala has joined #openstack-keystone11:53
*** samueldmq has quit IRC11:54
*** jaosorior has joined #openstack-keystone11:55
*** jistr has joined #openstack-keystone11:56
*** spzala has quit IRC11:57
*** cdent has joined #openstack-keystone12:00
*** rvba has quit IRC12:01
*** rvba has joined #openstack-keystone12:03
*** rvba has quit IRC12:04
*** rvba has joined #openstack-keystone12:04
*** xek_ is now known as xek12:08
*** roxanagh_ has joined #openstack-keystone12:09
*** vgridnev has joined #openstack-keystone12:13
*** roxanagh_ has quit IRC12:14
*** jbell8 has quit IRC12:16
*** EinstCrazy has quit IRC12:19
*** EinstCrazy has joined #openstack-keystone12:20
*** nkinder has joined #openstack-keystone12:21
*** raildo-afk is now known as raildo12:23
*** rk4n has joined #openstack-keystone12:24
*** rk4n has quit IRC12:29
*** su_zhang has joined #openstack-keystone12:38
*** su_zhang_ has joined #openstack-keystone12:39
*** su_zhang has quit IRC12:42
*** iurygregory has joined #openstack-keystone12:44
*** bdossant has quit IRC12:45
*** su_zhang_ has quit IRC12:47
*** davechen has joined #openstack-keystone12:47
*** davechen is now known as davechen_afk12:47
*** daemontool_ has joined #openstack-keystone12:48
*** spzala has joined #openstack-keystone12:53
*** daemontool has quit IRC12:53
*** jimbaker has quit IRC12:53
*** topol has quit IRC12:53
*** markvoelker has joined #openstack-keystone12:53
*** mc_nair has quit IRC12:54
*** jimbaker has joined #openstack-keystone12:54
*** jimbaker has quit IRC12:54
*** jimbaker has joined #openstack-keystone12:54
*** topol_ has joined #openstack-keystone12:55
*** mc_nair has joined #openstack-keystone12:57
*** daemontool_ has quit IRC12:58
*** markvoelker has quit IRC12:58
*** spzala has quit IRC12:58
*** pauloewerton has joined #openstack-keystone13:03
*** bdossant has joined #openstack-keystone13:05
*** bdossant has quit IRC13:10
*** bdossant has joined #openstack-keystone13:10
*** markvoelker has joined #openstack-keystone13:11
*** roxanagh_ has joined #openstack-keystone13:11
*** roxanagh_ has quit IRC13:17
*** gordc has joined #openstack-keystone13:22
*** nkinder has quit IRC13:24
*** sinese has quit IRC13:28
*** sinese has joined #openstack-keystone13:29
*** sinese has quit IRC13:29
*** erlarese has joined #openstack-keystone13:30
*** edmondsw has joined #openstack-keystone13:31
*** cdent has quit IRC13:33
*** petertr7_away is now known as petertr713:34
*** Nirupama has quit IRC13:36
*** nkinder has joined #openstack-keystone13:36
*** david-lyle has quit IRC13:38
*** mylu has joined #openstack-keystone13:39
*** pnavarro has quit IRC13:42
*** mylu has quit IRC13:43
*** sigmavirus24_awa is now known as sigmavirus2413:51
*** sigmavirus24 is now known as sigmavirus24_awa13:52
*** lennyb has joined #openstack-keystone13:53
*** spzala has joined #openstack-keystone13:54
*** pnavarro has joined #openstack-keystone13:55
*** ninag has joined #openstack-keystone13:56
*** links has quit IRC13:56
lennybHello, how can I lower debug level of /var/log/apache2/keystone.log ? I am using devstack.13:59
*** spzala has quit IRC13:59
*** spzala has joined #openstack-keystone14:00
*** ayoung has quit IRC14:01
raildolennyb: you can use ./rejoin_stack.sh to see what is happen on the services14:01
raildolennyb: http://www.sebastien-han.fr/blog/2013/08/08/devstack-in-1-minute/14:02
openstackgerritMarek Denis proposed openstack/keystone: Service providers groups associations  https://review.openstack.org/27563614:06
*** bdossant_ has joined #openstack-keystone14:07
*** ChanServ sets mode: +v topol_14:07
*** topol_ is now known as topol14:07
*** daemontool has joined #openstack-keystone14:09
*** bdossant has quit IRC14:10
*** dims_ has joined #openstack-keystone14:10
lennybraildo: thanks, but my desire is to lower log level in /opt/stack/keystone/httpd/wsgi-keystone.conf , so /var/log/apache2/keystone.log will not take so much of the storage. currently it show DEBUG messages that I dont need14:12
*** dims has quit IRC14:12
*** roxanagh_ has joined #openstack-keystone14:13
*** nkinder has quit IRC14:14
*** bdossant_ has quit IRC14:15
*** su_zhang has joined #openstack-keystone14:16
*** bdossant has joined #openstack-keystone14:16
*** su_zhang_ has joined #openstack-keystone14:17
*** roxanagh_ has quit IRC14:18
*** davechen_afk has left #openstack-keystone14:19
*** su_zhang has quit IRC14:20
openstackgerrithenry-nash proposed openstack/keystone: Add CRUD support for domain specific roles  https://review.openstack.org/26187014:22
*** mylu has joined #openstack-keystone14:23
*** jsavak has joined #openstack-keystone14:35
*** nkinder has joined #openstack-keystone14:37
*** mylu has quit IRC14:40
openstackgerrithenry-nash proposed openstack/keystone: Modify rules in the v3 policy sample for domain specifc roles  https://review.openstack.org/26207814:40
*** nileshg4444 has joined #openstack-keystone14:40
openstackgerrithenry-nash proposed openstack/keystone: Modify rules in the v3 policy sample for domain specifc roles  https://review.openstack.org/26207814:41
openstackgerrithenry-nash proposed openstack/keystone: Modify implied roles to honor domain specific roles  https://review.openstack.org/26306414:42
openstackgerrithenry-nash proposed openstack/keystone: Modify rules for domain specific role assignments  https://review.openstack.org/26354914:42
*** mylu has joined #openstack-keystone14:43
*** shoutm has quit IRC14:46
*** ayoung has joined #openstack-keystone14:47
*** ChanServ sets mode: +v ayoung14:47
*** hk135 has joined #openstack-keystone14:50
*** spzala has quit IRC14:54
htrutabknudson_: hey. what would you expect to get if you call a delete_list() method passing an empty list?15:00
bknudson_typically I'd expect it to just do nothing.15:00
htrutashould it bypass silently or raise a NotFound?15:00
bknudson_the docstring for the function should say what it does.15:01
*** esp has joined #openstack-keystone15:01
htrutabknudson_: I thought of making it do nothing too. will put at the docstring. thanks15:01
*** pushkaru has joined #openstack-keystone15:03
*** doug-fish has joined #openstack-keystone15:03
*** samueldmq has joined #openstack-keystone15:05
*** sigmavirus24_awa is now known as sigmavirus2415:06
*** ninag_ has joined #openstack-keystone15:07
*** ninag has quit IRC15:08
*** esp has quit IRC15:10
*** samueldmq has quit IRC15:10
*** timcline has joined #openstack-keystone15:25
*** spzala has joined #openstack-keystone15:26
*** spzala_ has joined #openstack-keystone15:28
*** mgarza has joined #openstack-keystone15:29
*** woodster_ has joined #openstack-keystone15:29
*** e0ne has quit IRC15:29
*** hk135 has quit IRC15:29
*** esp has joined #openstack-keystone15:30
*** e0ne has joined #openstack-keystone15:30
*** spzala has quit IRC15:31
*** phalmos has joined #openstack-keystone15:31
*** vgridnev has quit IRC15:32
*** mylu has quit IRC15:36
*** mylu has joined #openstack-keystone15:39
*** hughsaunders has quit IRC15:44
*** hughsaunders has joined #openstack-keystone15:45
openstackgerritMarek Denis proposed openstack/keystone: Service providers groups associations  https://review.openstack.org/27563615:49
openstackgerritMarek Denis proposed openstack/keystone: Service Providers Group CRUD operations.  https://review.openstack.org/27343815:49
openstackgerritMarek Denis proposed openstack/keystone: Create V9 version of catalog driver interface  https://review.openstack.org/26945515:49
openstackgerritMarek Denis proposed openstack/keystone: Service Providers and Projects associations  https://review.openstack.org/26485415:49
*** hughsaunders has quit IRC15:49
*** hughsaunders has joined #openstack-keystone15:49
*** hughsaunders has quit IRC15:50
*** slberger has joined #openstack-keystone15:51
*** hughsaunders has joined #openstack-keystone15:51
openstackgerritSteve Martinelli proposed openstack/keystone: keystone: provide an error message if downgrading schema  https://review.openstack.org/27629615:56
stevemartjcocozz: http://specs.openstack.org/openstack/openstack-specs/specs/cors-support.html16:00
*** jorge_munoz has joined #openstack-keystone16:00
tjcocozzstevemar, http://docs.openstack.org/developer/swift/cors.html#test-cors-page16:01
*** petertr7 is now known as petertr7_away16:01
*** mylu has quit IRC16:02
*** petertr7_away is now known as petertr716:03
*** csoukup_ has quit IRC16:04
*** nkinder has quit IRC16:04
*** r-daneel has joined #openstack-keystone16:04
*** nkinder has joined #openstack-keystone16:06
*** jbell8 has joined #openstack-keystone16:06
stevemartjcocozz: saml2 auth link: http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-federation-ext.html#authenticating16:08
*** richm has quit IRC16:08
*** jed56 has joined #openstack-keystone16:09
*** hughsaunders has quit IRC16:13
*** jbell8 has quit IRC16:13
*** hughsaunders has joined #openstack-keystone16:15
*** jbell8 has joined #openstack-keystone16:16
*** jbell8 has quit IRC16:16
ayoungiurygregory, So,  here's what I'm trying to do:16:20
*** richm has joined #openstack-keystone16:20
ayoungI have a setup where I need to register an up-and-running Keystone server with an IdP  (Keycloak and Ipsilon both fall into this category)16:21
ayoungSo I need to add an entry for /etc/httpd/conf.d  etc16:21
*** mylu has joined #openstack-keystone16:21
ayoungas well as the keystone client calls to register the IdP, etc.  It looks like you did most of the heavy lifting here16:22
ayoungbut I think you were focused on the K2K use case instead of general Federation, right?16:22
iurygregoryayoung, yeah my focus was on configure keystone and apache for K2K16:23
iurygregorythe spec approved was considering openid and mellon too16:24
ayoungiurygregory, yeah, this is all a grat starting point for what we need.  Most of the work is the same16:24
*** david-lyle has joined #openstack-keystone16:24
ayoungwhat needs to be done is, for the most part, IdP specific16:24
ayoungiurygregory, for example, here is the Ansible playbook we used for setting up Keystone with Ipsilon:16:25
iurygregoryayoung, if you can point what are the steps to setup idp with mellon i can update ;)16:25
ayoungiurygregory, https://github.com/admiyo/rippowam/blob/master/roles/packstack/tasks/keystone-ipsilon.yml16:25
ayoungthat is the keystone client steps16:25
ayoungwhich should be just about the same as what you've done16:26
ayoungand thenthe httpd stuff is16:26
iurygregoryoh you need the support for the openstack cli to add idp right?16:26
* ayoung still looking16:26
ayoungiurygregory, here is the httpd config https://github.com/admiyo/rippowam/blob/master/roles/packstack/tasks/keystone.yml16:27
ayoungiurygregory, and this does not need to fall on your shoulders16:28
ayoungiurygregory, I thikn the openstack c;li idp call is there now16:28
ayoungiurygregory, that was submitted (I think) after you did you work16:28
*** diazjf has joined #openstack-keystone16:28
iurygregoryayoung, nice, i'll talk with the people in puppet =)16:28
ayoungiurygregory, I've been conspiring with richm on this already16:29
ayoungiurygregory, the issue we've uncoverd is that registering the HTTPD instance with the IdP is very different from IdP to IdP.16:29
ayoungiurygregory, so I think we will end up with a Python based helper script to make that call.16:30
iurygregoryhumm i understand16:30
ayoungthis is not a Keystone specific issue, either16:30
ayoungit will be for anything that tries to do SAML16:30
*** pnavarro is now known as pnavarro|afk16:30
ayoungiurygregory, for instance make metadata https://github.com/admiyo/rippowam/blob/master/roles/packstack/tasks/keystone.yml#L11716:30
*** fhubik has quit IRC16:31
ayoungthat is what is in bug report re  keystone-manage16:31
*** clenimar has joined #openstack-keystone16:32
ayounghttps://github.com/admiyo/rippowam/blob/master/roles/packstack/tasks/keystone.yml#L66   is the ipsilon specific call.  We needto find a way to abstract that.  Shib, Ipsilon, and Keycloak all need that step, and all do it differently. I suspect ADFS has yet another way to do it, too16:32
ayoungiurygregory, if you can update the bug with any details you feel will ease developmen here, I'd much appreciate it.16:33
iurygregoryayoung, i agree, maybe a flag about what is the user wants (ipsilon, shib..)16:33
ayoungiurygregory, right.16:34
iurygregoryi'll do my best to update the identity_provider class to consider mellon =)16:34
*** belmoreira has quit IRC16:34
iurygregorybut the part about the cli i can't help very much16:35
iurygregoryayoung, I will carefully look at the link you passed16:35
ayoungiurygregory, that is OK,  we have someone working on it already16:36
iurygregoryayoung, this person will send a patch? i'll be happy to review it =)16:37
*** mvk_ has quit IRC16:37
*** mylu has quit IRC16:42
openstackgerritHenrique Truta proposed openstack/keystone: Add backend support for deleting a projects list  https://review.openstack.org/24591616:42
*** vgridnev has joined #openstack-keystone16:43
*** mylu has joined #openstack-keystone16:43
*** jbell8 has joined #openstack-keystone16:43
*** mylu has quit IRC16:46
*** petertr7 is now known as petertr7_away16:46
*** mylu has joined #openstack-keystone16:47
*** mylu has quit IRC16:50
*** spzala_ has quit IRC16:51
*** mylu has joined #openstack-keystone16:51
dims_stevemar : am seeing some issues in the gate with "/usr/local/bin/keystone-manage db_sync"16:52
dims_stevemar : http://logs.openstack.org/55/271755/2/gate/gate-grenade-dsvm-neutron/4fabdb7/logs/grenade.sh.txt.gz#_2016-02-04_16_48_28_41616:52
dims_stevemar : http://logs.openstack.org/57/273957/1/gate/gate-neutron-dsvm-api/90c9d31/logs/devstacklog.txt.gz#_2016-02-04_16_40_52_31716:52
*** jaosorior has quit IRC16:52
dims_a couple of more logs as well16:52
*** spandhe has joined #openstack-keystone16:53
*** mylu has quit IRC16:54
ayoungdims_, 2016-02-04 16:48:28.416 | pkg_resources.ContextualVersionConflict: (fixtures 1.2.0 (/usr/local/lib/python2.7/dist-packages), Requirement.parse('fixtures>=1.3.0'), set(['testtools']))16:57
ayoungsame thing in both16:57
ayounglooks like a package conflict16:57
openstackgerritHenrique Truta proposed openstack/keystone: Manager support for project cascade delete  https://review.openstack.org/24414916:57
*** jgriffith is now known as jgriffith_away16:58
openstackgerrithenry-nash proposed openstack/keystone: Verify project unique constraints for projects acting as domains  https://review.openstack.org/15837216:58
*** petertr7_away is now known as petertr716:59
ayoungdims_, is something locking fixtures to a lower value?16:59
dims_ayoung : stevemar just pointed out that those are logs from stable/kilo. so master may be ok16:59
*** e0ne has quit IRC16:59
*** browne has joined #openstack-keystone17:00
*** diazjf has quit IRC17:00
openstackgerrithenry-nash proposed openstack/keystone: Add tests in preparation of projects acting as a domain  https://review.openstack.org/27236917:00
*** mylu has joined #openstack-keystone17:02
*** gyee has joined #openstack-keystone17:02
*** ChanServ sets mode: +v gyee17:02
*** jistr has quit IRC17:02
openstackgerrithenry-nash proposed openstack/keystone: Add is_domain filter to v3 list_projects  https://review.openstack.org/15839817:02
*** diazjf has joined #openstack-keystone17:04
*** bdossant_ has joined #openstack-keystone17:04
*** bdossant_ has quit IRC17:07
*** samueldmq has joined #openstack-keystone17:07
samueldmqhenrynash: hi17:07
henrynashsamueldmq: hi17:08
*** bdossant has quit IRC17:08
samueldmqhenrynash: I was thinking about our yesterday's discussion on policies17:08
henrynashsamueldmq: ok17:08
*** jaosorior_ has joined #openstack-keystone17:08
samueldmqhenrynash: perhaps an intermediate approach could be (for now) just split the policy between RBAC vs scope checks17:08
*** jaosorior_ is now known as jaosorior17:09
samueldmqhenrynash: the scope check policy reflects what is in the code and deployers receive warnings if they're changing the default17:09
henrynashsamueldmq: could you give me an example of how that would look?17:09
samueldmqhenrynash: the RBAC policy may be customized as they want17:09
samueldmqhenrynash: sure17:10
* ayoung totally not snooping17:10
*** ninag_ has quit IRC17:10
samueldmqhenrynash: 2 files, 1 for RBAC, 1 for scope check17:10
samueldmqayoung: hey :-)17:10
* ayoung not here...carry on17:10
samueldmqehhe17:10
jorge_munozstevemar: Hey Steve, I have an item I want to add to the meeting agenda for next week. Is it ok if i clear it or would you like to do it?17:10
samueldmqhenrynash: so, scope is hardcoded in python code AND in the scope policy17:11
samueldmqhenrynash: deployers can still customize scope check, but they will receive warnings (kind of what nova proposed a few months ago)17:11
*** ninag has joined #openstack-keystone17:11
henrynashsamueldmq: hmm….perhaps…don;t liek that we might have misisng lines etc…..17:11
samueldmqRBAC policy contains only roles checks (and can eventually be enforced in the middleware cc ayoung)17:12
henrynashsamueldmq: is there anyway we can just let teh policy line override what is in code17:12
samueldmqhenrynash: yes, you can override the scope check that is in the code with the scope_policy.json17:12
henrynashsamueldmq: splitting it is hard, since one of my concerns is taht you need to match up specific roles and specific scope checks17:12
henrynash(I meant without having two files)17:13
samueldmqyeah, but the idea would be to have 2 files17:13
samueldmqbecause:17:13
samueldmq1) policy_rbac may be enforced at middleware later, so it'd be easier17:13
samueldmq2) if (after a survey) we discover nobody customizes scope checks, we may just remove support for scope_policy.json17:14
samueldmqand just use what's in the code17:14
*** petertr7 is now known as petertr7_away17:14
samueldmqthis would result in what I was proposing to you yesterday, but won't remove the ability to customize scope checks if people want it17:15
henrynashsamueldmq: so I can tell you 100% IBM will use specific scope checks…and if you enforced it in code, we  wold endup forking keystone17:15
henrynashto remove that17:15
henrynashit’s that cut and dried for me17:15
samueldmqhenrynash: not if you can still override that in scope_policy.json right?17:15
*** ninag has quit IRC17:15
*** jistr has joined #openstack-keystone17:16
henrynashwhat I a syaing is there is no way you can remove that capability wihout a disaster for us17:16
ayounghenrynash, BTW, for the admin override (cloud_admin, unscoped) we duplicate that check in both policy files/  role check and scope17:16
ayounghenrynash, so, it is nova looking for policy in cod17:17
ayounge17:17
henrynashif I could wave the wand I would absoluely do all teh checks in one file (scope and role) and take it all OUT of code across all projcets17:17
ayounghenrynash, um...well, grab the dynamic policy code that samueldmq did last summer and you can do exactly that17:18
*** jistr has quit IRC17:18
ayounghenrynash, but, the issue for most of openstack is that the role check is pretty static17:18
henrynashso this is going, imho, in teh wrong direction…but if everything thinks it’s teh right way to go, well ahve to take our wounds and patch/fork where required17:18
samueldmqdefault in the code is just the default. they should still be able to customize in policy file anyways17:18
henrynashayoung: not for us, they’re not17:19
henrynashwe modify every line of every pociy file17:19
ayounghenrynash, what are you matching on that needs to be custom?  Is it something generalizable?17:19
samueldmqhenrynash: good to know17:19
notmorganhenrynash: scope check in policy seems like the wrong direction fwiw17:19
henrynashok, not every line, but most17:19
samueldmq:)17:19
notmorgansince that requires a resource to be loaded after the "are you allowed to call X API" check17:20
samueldmqyeah, this isn't just authz (rbac)17:20
ayounghenrynash, specifically:  this custome scope check you are doing.  Does it have to be done based on the resource being looked up in the database, or is there enough information in the request itself?17:20
notmorganhenrynash: what are y... what ayoung just asked17:20
ayoung:)17:20
henrynashayoung: let me think about that17:20
notmorganayoung: damn it.. you're typing faster than i am today17:20
*** richm has quit IRC17:20
*** nkinder has quit IRC17:21
ayoungnotmorgan, I'm still on a high from ImpliedRoles merging nad Keystone HTTPD passing Tripleo CI17:21
ayoungthose are like my major tasks for this release17:21
henrynashayoung: so for keystone it probably does, for most of the other services you can do it from the request (I thnk)17:21
ayounghenrynash, so, if it can be done from the request, we would put it into the role check side of policy17:22
ayoungKeystone we can always one-off.  We always do...17:22
*** mylu has quit IRC17:22
henrynashayoung: so today that’s probably OK….i’m still very uneasy about this direction, but hey17:23
ayounghenrynash, the goal here is to get something that can vary from deployment to deployment.17:23
ayounghenrynash, would you ever want to remove the scope checks that Nova or Neutron code in?17:23
ayoungAdditive checks done this way are easy.17:23
ayoungits the removal of checks that is going to make things difficult for you.17:23
henrynashayoung: to be clear, we expect multple, radically different, keystone policy files to be in play across diffent deployemnts, where we could NOT do scope checks in code (without changing keystoen for each one)17:24
notmorganhenrynash: can you give a real example of one of these cases?17:25
mc_nairhey there - two questions... 1) If you do a "list_projects" as cloud admin, do you get *all* projects that exist in Keystone?  2) Can there be multiple users with the cloud_admin role?17:25
notmorgani'm trying to avoid the abstract of "we can't", well what was the limitation :)17:25
henrynashayoung: ideally, in some case, we would bypass thsoe checks yes, but we can work round them17:25
notmorganmaybe it's something we can fix.17:25
notmorganwithout needing to depart drastically / force your forking17:25
samueldmqnotmorgan:++17:26
*** _cjones_ has joined #openstack-keystone17:26
henrynashnotmorgan: so oslo.policy allows you do use external Polciy Decisions Points (PDPs)….where some other system is making all or part of the go/no-go deciions…you can do that today with oslo policy, I don’t really want it to go away17:27
henrynashmc_nair: i general, list_projects() without a domain_id filter will list all the projects17:28
notmorganhenrynash: you're going to hate me, but ... user story, please. concrete example of what is being solved.17:28
*** mhickey has quit IRC17:28
notmorganhenrynash: it really does help us all end up on the same page.17:29
mc_nairhenrynash: perfect thanks.  Any exceptions to that (other than passing domain_id / user_id)?17:30
ayoungnotmorgan, I'm kindof with you here:  "It breaks our secret sauce" is not something that makes me want to cooperate17:31
notmorganayoung: i also have assurances from people in IBM that it shouldn't be "secret sauce"17:32
ayounghenrynash, so, we are willing to work with you, but you need to give us some veggies for our stone soup here.  Note that this policy thing is bigger than Keystone17:32
notmorganayoung: and i am willing to believe it.17:33
ayoungnotmorgan, really, I am so surprised17:33
henrynashnotmorgan: so maybe the policy deicsion involves state that exists in other systems - e.g. maybe your application has not just openstack services, but other higher level services (sorry,  I can’t share the specifics) and that higher level service is in charge of overall application resource allocation17:33
*** jsavak has quit IRC17:33
ayounghenrynash, are you just asking that we not diable the http check?17:34
ayoungdisable17:34
ayoungdiablo17:34
henrynashayoung: I’m asking not to discable http check (or teh abiity add new oslo polcicy plugins) that has access to both the scope and role ifo that they have today17:34
ayounghenrynash, I can accept that;  for example, I could see doing an LDAP query at that point for ownership of the VM itself prior to destroying it17:35
henrynashayoung: that’s a good enough example17:35
ayounghenrynash, so , splitting the check would work for you, but not coding the policy check in Python, because we need to allow for a remote PDP call based on the contract we've set out17:36
ayoungI think that is fair17:36
ayoungsamueldmq, what if...17:37
ayoungthe scoped policy check is hardcoded, but also allows a scope-policy.json file for additional checks17:37
notmorganayoung: i think that is always going to be the case17:37
notmorganto be honest17:37
samueldmqayoung: that's what i was saying17:37
ayoungand an option there to say..."only use the policy.json version for this check, not the default"17:37
notmorgani don't care if nova hard-codes a scope chck17:37
samueldmqand scope-policy.json can override what's in the code17:38
notmorganwe'll always be able to do the normal policyu.json thing17:38
samueldmqand only scope checks are in the code (hardcoded)17:38
notmorganwhich could include external checks17:38
notmorganright now if your scope doesn't match tenant for example, nova rejects it [in code]17:38
ayoungSo...we would have a range of options.17:38
notmorgannot in policy.json17:38
*** spandhe_ has joined #openstack-keystone17:38
notmorganthat wont ever preclude using an external <thing> too17:39
samueldmqnotmorgan: yes that's true17:39
ayounglets say this lands in ... what was O called again?  Ocelot?17:39
notmorganotaka i think?17:39
openstackgerritMerged openstack/keystone: Deprecate simple_cert extension  https://review.openstack.org/27447917:39
samueldmqnotmorgan: what I argue is that we should be able to customize what's in the code by default17:39
samueldmqwith a scope-policy.json :)17:39
notmorgansamueldmq: i'll argue against that17:39
*** spandhe has quit IRC17:39
*** spandhe_ is now known as spandhe17:39
ayoungIf you upgrade from Newton to Ottawa and you make no changes, the existing policy.json file will work just fine17:39
ayoungstage 217:39
notmorganuntil i have a clear example of where it's needed.17:39
notmorgani wont argue for removing external check things17:40
samueldmqnotmorgan: remove flexibility then ? and just leave the hardcoded checks ?17:40
notmorganor take away functionality17:40
ayoungif you deploy new, or run an upgrade script of some form, the policy will be split by default17:40
notmorganthey can still do it in the normla policy stuff17:40
notmorganwe will maintain it17:40
notmorganjust move away from it being the default17:40
notmorganscope check in nova, keystone, etc will continue to be coded.17:40
ayoungthe changes will be, I think minimal17:40
notmorgansame as today.17:40
notmorganjust more focused on splitting them17:40
samueldmqmy usecase for splitting policies is that almost eveyone runs on defaults, and when they customize, most of them customize the roles17:41
notmorganright17:41
henrynashnotmorgan: we do scope checks in code in keystone today?17:41
notmorganso.. we move devstack towards role check only.17:41
notmorganhenrynash: we do.17:41
ayoungwe will change the policy.json file with default-scope-policy.json17:41
notmorganhenrynash: every project does17:41
ayoungand add in the check for default-rbac.json in the middleware layer17:41
notmorganhenrynash: it's the callback things in the @protected decorator17:41
notmorganit's horribly confusing and hard to follow, but it ends up being a coded-scope check17:42
ayoungdefault-scope-policy will come along with an extension to oslo-policy which allows for "ignore hardcoded check"17:42
notmorganfor ownership. not always in policy.json17:42
samueldmqayoung: so policy.json becomes rbac-policy.json and scope-policy.json17:42
ayoungsamueldmq, yes17:42
ayoungI think so17:42
samueldmqayoung: rbac-policy.json can be enforced in middleware17:42
notmorgansamueldmq: again, please don't do that :(17:42
henrynashnotmorgan: I don’t think so….it just loads more taget objects and hands them to oslo policy17:42
ayoungnotmorgan, well, scope-policy.json would be empty by default17:42
samueldmqnotmorgan: why not? we're just making it easier to understand, and rbac-policy would be true rbac :/17:42
notmorganhenrynash: oslo-polciy does the hit, but it is a hardcoded "is this in scope?"17:43
notmorganhenrynash: not "policy.json" loaded17:43
ayoungnotmorgan, yeah...17:43
ayoungnotmorgan, you have the option to override, but the default is to use the logic in the python code17:43
henrynashnotmorgan: I need to check that….since that sure as hell wasn’t how I wrote it orginally (sorry, it was me)17:43
notmorganhenrynash: next week i'm breaking the decorators apart completely17:44
ayounghenrynash, that is fine.  THis requirement, to keep the remote PDP check, is new to me.  But understandable17:44
notmorganhenrynash: so i'll be able to be more certain17:44
notmorganit's impossible to know what is happening atm with the levels of indirection :(17:44
ayoungand it is also, I think, not on the radar for the folksin Nova that are tacklingthis, which is your real risk here17:44
samueldmqayoung: actually the default could be exactly the same what is in the python code, so can be easily seen by deloyers17:44
notmorganhenrynash: and not your fault you hit exactly what was asked of you17:44
samueldmqayoung: the default of scope-policy ..;17:44
ayoungsamueldmq, yeah...we can do it either way:  have the polic in the jso or in code17:45
*** jsavak has joined #openstack-keystone17:45
notmorganayoung: i'm still going to beg for a better user-story than "we might want an external PDP".17:45
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947917:45
ayoungand the json could be a documentation of what the code does, but I would worry that they would get out of sync17:45
notmorganayoung: before we march down this path. so i'd like henry to really lock in the cases he's solving17:45
samueldmqayoung: do both, and json overrides the code; this way we loose no flexibility17:45
henrynashayoung: so we get round it by giving everyone a basic role on all projects…and then this is never looked at in the polciy checks…it just gets us through the tenant check17:45
ayoungnotmorgan, how about "We don't likethe scope chekcs that neutron is ddoing for sharing networks, they don't match our approach"17:46
notmorganso we know what we are solving for. a clear specification17:46
samueldmqnotmorgan: that makes sense17:46
ayoungthey do some weirdness17:46
notmorganayoung: no.17:46
notmorganayoung: that is not a user story17:46
notmorganthat is a "i want a thing and am not telling you what but it's not what you're doing"17:46
ayoungnotmorgan, have you looked at neutron's policy.json?17:47
notmorganit's insane17:47
ayoungIts weeeeeeiiieieieierd17:47
ayoungnotmorgan, so,  if they leave it in JSON, we're fine17:47
notmorgandoesn't mean it helps us hit a target cleanly othwerwise17:47
ayoungits  only the cae where they code that into Python, and the deployer really does not want it, that I think we would be rescuing here17:47
notmorganso, before we split this. i am a hard -2 on that split until we define the usecase we're solving for17:48
notmorganthats all17:48
notmorgandefine a couple concrete stories so we make sure we hit them17:48
ayoungnotmorgan, but, agree, would like to know what the external checks are17:48
ayoung++17:48
notmorganand then i'll 100% support moving down that path :)17:48
ayoungnotmorgan, so, today...could we limit it to an optional, role only policy check that is done in middleware, for keystone only?17:48
ayoungprrof of concept like?17:48
notmorgani'm just going to be a real stickler for this because i want to make sure we're not engineering for a very very very narrow one off case that could be solved elsewhere17:49
notmorganayoung: again, define the concrete user story, i'm happy to support engineering/pocing/etc after that17:49
ayoungnotmorgan, and...we can tell people that they should be using the v3 cloud sample by default, and maybe rename it?17:49
notmorganayoung: i'm not going to be super picky about the result as long as we know what the target is17:49
notmorganand make sure it isn't tyring to just be flexible for the sake of flexible17:50
notmorganayoung: sure we can do that - all of it - just lets make sure we have a super clear target to hit17:50
ayoungnotmorgan, I wonder if the external PDP check could be a single config value instead of in each line of a policy file17:51
notmorganit might be17:51
samueldmqnotmorgan: but we maybe need to keep flexible just for backwards compat17:51
notmorganthat might be the right choice.17:51
notmorgansamueldmq: we will always support "today" workflow17:51
notmorganthat wont break17:51
samueldmqwhere flexible == customize scope checks17:51
ayoungsamueldmq, yeah, that was my thinking17:51
notmorganeven if we change directions17:51
notmorganbut we can't know how to stay reverse compat w/o having a target to hit/evaluate if it can be reverse compat17:52
ayoungsamueldmq, can you start a spec with the "split keystone policy"  title or something that let's us capture the first step?17:52
notmorgansamueldmq: just like the convo yesterday on how we get user->svc and svc->svc to change, but would still maintain "working" as it does today17:52
notmorganayoung: ++17:52
ayounglets not try to solve thisfor all of openstack until we have a clear way it will work in a single service17:52
notmorganayoung: wfm.17:53
*** ninag has joined #openstack-keystone17:53
ayoungnow is a goodtime to start thinking about the specs we are going to need  to implement in Newton.17:53
notmorgansamueldmq: and please focus on the "problem description" and what we're trying to solve / the concrete use case17:53
samueldmqnotmorgan: yeah, and will be great if these two convos can go in parallel17:53
ayoungOK,  lunch17:53
notmorganthe API things and security impact, etc isn't as important as having the clear target of what we're solving17:53
samueldmqnotmorgan: even if they're orthogonal17:53
notmorgansamueldmq: yep17:53
samueldmqayoung: notmorgan: yes, I will give a first try, and will work together with you and henrynash to make it good/well defined enough17:54
notmorgan++17:54
henrynashayoung: and I want to understand the drive for that…..we seem chizophrenic about this….we say nobody is changing policy files, so we think we need to fix them by removing teh current ability, while we think (at least some of us do) that the future is more coustomization of policy17:55
notmorganalso ayoung knows what i am looking for17:55
*** amit213 has joined #openstack-keystone17:55
notmorganso use him too as a resource17:55
samueldmq++17:55
*** timcline has quit IRC17:55
*** amit213 has quit IRC17:55
notmorganhenrynash: honestly part of openstack's issue is it is not opinionated enough - it is everything to everyone for everyreason - so a lot of implmeentation details leak out the APIs to the end users17:56
notmorganhenrynash: so the solution is to tighten that up.17:56
samueldmqhenrynash: I think we want people to customize, and that's why we are trying to make customization an easier task17:56
notmorganhenrynash: regardless of how.17:56
henrynashnotmorgan: and unfortunately you and I have opposite views on this…I do NOT want us yto be opinionated here, and I know that you think we should be17:56
notmorganhenrynash: so if we're changing things - we want clear targets.17:56
*** amit213 has joined #openstack-keystone17:56
notmorganhenrynash: we should abolutely be opinionated here.17:56
notmorganhenrynash: making sure we are opinionated enough to not leak implementation details17:57
notmorganthat is how far we need to move the needle17:57
notmorganright now we leak a bunch of details in all ways17:57
*** ayoung has quit IRC17:58
notmorganso, if we're changing it, define the cases we need to ensure work, then work on making it so we don't leak backend.17:58
notmorganand the end user experience is the same if an external PDP is used or the simple policy.json17:58
notmorganthey get the same results for the same accept/deny cases17:58
notmorgan*and* make sure we test it17:58
notmorganbecause in openstack if we don't test it, it is broken17:59
henrynashnotmorgan: so agree with the not leaking part….I’m just not sure I’d describe the solution as being opionated, we may have different views of WHAT we need to be opionated about17:59
notmorganopinionated = it works like X in all cases, regardless of backend17:59
henrynashnotmogran: and I agree with all those last 5 points17:59
notmorganwhich means you cater to a specific workflow17:59
henrynashnotmorgan: so when you see opionated, I hear “we lock down your options and you can only do it this way"18:00
notmorganif the backend can't support the workflow, we either did a bad job of speccing it out or the backend is solving something the workflow doesn't need18:00
notmorganhenrynash: it does lock down a lot of options18:00
notmorganheck i would love to be more opinionated about somethings and drop pgsql18:00
notmorganfrom "officially supported"18:00
*** spzala has joined #openstack-keystone18:01
notmorganit doesn't mean another db backend can't work, it means you might need to put work into it so it does18:02
notmorganand might need to test it yourself.18:02
henrynashnotmorgan: I don’t see it that way (not pgsql), but I agree with your comment taht we have to build our backends so you can’t tell (at the API level) which implemtation options are being used under the hood18:02
notmorganaka db2 right now18:02
notmorganso, we need to be more opinionated of our workflows and what we're solving18:02
notmorganhaving a blob of "oh do things in .json and it just works and can do anything i want"18:02
notmorganopens the doors for a lot of bugs, edge cases, etc18:03
notmorgansince we're changing things, document the clear workflow how it needs to happen, the user story, the problem space and then we have a target18:03
notmorganyes it limites the options18:03
notmorganbut it also gives a clear supported scope18:03
*** jsavak has quit IRC18:04
notmorganso when someone says "i did X and it didn't work" we can clearly say "bug, it should" or "whoa.... that is never going to work because it isn't designed to work like that, and we need to consider if that is something we're solving for"18:04
notmorganhenrynash: so to be clear, i'm saying don't change anything today until we know what we're solving for, not just harping on your needs18:05
notmorganhenrynash: and we have a clearly defined target18:05
*** lhcheng_ has joined #openstack-keystone18:05
henrynashnotmorgan: so certainly agee with “if we gonna chaneg what we have, be clear of what we are chaing it for"18:05
notmorganif we hard-code a scope check, we better know what our design for doing that is. so we can justify it where needed when asked.18:05
notmorganin the process we will lock down/lock out some options.18:06
notmorganbut we will know what the workflow ends up being18:06
notmorganand how it should look.18:06
notmorganhenrynash: so.. work with samueldmq and get the concrete uses defined then we can make sure new system works without leaking backend and we aren't trying to be everything for everyone, solving for the real problems (heck some of your problem statements may be super easy as part of the baseline)18:08
notmorganit's something we've been bad at in keystone [and openstack in general], very concrete problem statements and use-case definitions. it's why we get weird apis and strange felxibilyt that leaks details18:09
samueldmqnotmorgan: I understand your "be opinionated" as, get a list of use cases, and make our implementation works for them VS trying to do something too generic that solves every usecase plus something else that may come in the future18:09
notmorgansamueldmq: yep18:09
notmorganspot on18:09
samueldmqnotmorgan: ++18:09
samueldmqhenrynash: I will draft a spec, and we can work together on putting more clarity/details and use-cases on it18:10
samueldmqhenrynash: sounds a good plan?18:10
*** samueldmq has quit IRC18:12
*** samueldmq has joined #openstack-keystone18:16
*** browne has quit IRC18:20
*** jimbaker has left #openstack-keystone18:25
*** diazjf has quit IRC18:26
*** timcline has joined #openstack-keystone18:26
*** e0ne has joined #openstack-keystone18:28
*** timcline has quit IRC18:30
*** spzala has quit IRC18:31
*** spzala has joined #openstack-keystone18:32
*** spzala_ has joined #openstack-keystone18:34
openstackgerritMerged openstack/keystonemiddleware: Remove bandit tox environment  https://review.openstack.org/26926018:36
*** spzala has quit IRC18:36
*** samueldmq has quit IRC18:39
*** spzala_ has quit IRC18:39
*** pnavarro|afk has quit IRC18:39
*** diazjf has joined #openstack-keystone18:41
*** petertr7_away is now known as petertr718:47
openstackgerritMerged openstack/keystone: Consolidate the fernet provider validate_v3_token()  https://review.openstack.org/19687718:48
*** jsavak has joined #openstack-keystone18:51
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/27279018:55
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/27639318:55
*** clenimar has quit IRC18:58
*** browne has joined #openstack-keystone18:59
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/27282518:59
*** jasonsb has quit IRC19:02
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947919:03
*** jsavak has quit IRC19:03
*** dansmith has quit IRC19:05
*** dansmith has joined #openstack-keystone19:05
openstackgerritBrant Knudson proposed openstack/keystone: AuthContextMiddleware admin token handling  https://review.openstack.org/19893119:06
*** diazjf has quit IRC19:07
*** diazjf has joined #openstack-keystone19:09
*** timcline has joined #openstack-keystone19:10
*** david-lyle has quit IRC19:11
*** ayoung has joined #openstack-keystone19:13
*** ChanServ sets mode: +v ayoung19:13
*** spzala has joined #openstack-keystone19:13
*** spzala has quit IRC19:15
*** spzala has joined #openstack-keystone19:15
*** jbell8 has quit IRC19:18
*** csoukup has joined #openstack-keystone19:18
*** jaosorior has quit IRC19:19
*** jbell8 has joined #openstack-keystone19:19
*** jorge_munoz has quit IRC19:33
*** jsavak has joined #openstack-keystone19:37
ayounglbragstad, are you doing development inside of a Docker container?19:41
lbragstadayoung nope19:41
*** jsavak has quit IRC19:46
*** jsavak has joined #openstack-keystone19:47
bknudson_docker docker docker!19:51
*** diazjf has quit IRC19:52
*** diazjf has joined #openstack-keystone19:55
*** topol has quit IRC19:56
*** stevemar has quit IRC19:56
*** jorge_munoz has joined #openstack-keystone20:03
*** ayoung has quit IRC20:04
notmorganbknudson_: shhh20:04
openstackgerritguang-yee proposed openstack/keystone: wsgi: fix base_url finding  https://review.openstack.org/22646420:05
*** gyee has quit IRC20:05
openstackgerritBrant Knudson proposed openstack/keystone: Provide an error message if downgrading schema  https://review.openstack.org/27629620:10
*** vgridnev has quit IRC20:11
*** diazjf has quit IRC20:15
*** jgriffith_away is now known as jgriffith20:19
*** jbell8 has quit IRC20:21
*** pnavarro|afk has joined #openstack-keystone20:21
*** jbell8 has joined #openstack-keystone20:22
*** slberger has quit IRC20:26
*** spzala has quit IRC20:30
*** cdcasey has quit IRC20:31
*** mylu has joined #openstack-keystone20:31
*** diazjf has joined #openstack-keystone20:31
*** jgriffith is now known as jgriffith_away20:31
*** ninag has quit IRC20:32
*** ninag has joined #openstack-keystone20:32
*** slberger has joined #openstack-keystone20:33
*** stevemar has joined #openstack-keystone20:36
*** ChanServ sets mode: +o stevemar20:36
*** su_zhang_ has quit IRC20:36
*** phalmos_ has joined #openstack-keystone20:38
*** ninag has quit IRC20:38
*** BrAsS_mO- has joined #openstack-keystone20:40
*** jed56_ has joined #openstack-keystone20:41
*** wolsen_ has joined #openstack-keystone20:41
*** rvba` has joined #openstack-keystone20:42
*** vgridnev has joined #openstack-keystone20:45
*** briancurtin_ has joined #openstack-keystone20:45
*** jbell8 has quit IRC20:46
*** jbell8 has joined #openstack-keystone20:47
*** diazjf has quit IRC20:47
*** jed56 has quit IRC20:47
*** phalmos has quit IRC20:47
*** rvba has quit IRC20:47
*** briancurtin has quit IRC20:47
*** BrAsS_mOnKeY has quit IRC20:47
*** crinkle has quit IRC20:47
*** lennyb has quit IRC20:47
*** dulek has quit IRC20:47
*** wolsen has quit IRC20:47
*** jed56_ is now known as jed5620:48
*** lennyb has joined #openstack-keystone20:48
*** briancurtin_ is now known as briancurtin20:48
*** mylu has quit IRC20:49
*** diazjf has joined #openstack-keystone20:49
*** crinkle has joined #openstack-keystone20:49
*** dulek has joined #openstack-keystone20:49
*** crinkle has quit IRC20:49
*** dulek has quit IRC20:50
*** mylu has joined #openstack-keystone20:50
*** diazjf has quit IRC20:50
*** stevemar has quit IRC20:52
*** mylu has quit IRC20:52
*** gordc has quit IRC20:52
*** mylu has joined #openstack-keystone20:54
*** jbell8 has quit IRC20:54
*** ninag has joined #openstack-keystone20:54
*** jbell8 has joined #openstack-keystone20:54
*** ninag has quit IRC20:59
*** ninag has joined #openstack-keystone21:01
openstackgerritBrant Knudson proposed openstack/keystone: Allow no s3 package  https://review.openstack.org/27644421:02
*** e0ne has quit IRC21:04
*** diazjf has joined #openstack-keystone21:05
*** raildo is now known as raildo-afk21:06
*** ninag has quit IRC21:06
*** mylu has quit IRC21:07
*** ericvw has joined #openstack-keystone21:08
*** ericvw has left #openstack-keystone21:10
*** esp_ has joined #openstack-keystone21:10
*** mylu has joined #openstack-keystone21:11
*** pnavarro|afk has quit IRC21:13
*** mylu has quit IRC21:13
edmondswhenrynash, notmorgan... late to the party, but I tried skimming over the earlier conversation on scope checks. I'd like to be in the loop there. It's crazy to me that we don't have more hardcoded scope checks, at least as a basis that you can then add on top of21:13
edmondswe.g. it would NEVER be a good idea to let someone with a token scoped to one project see things that are scoped to another project. Like what nova and cinder allow with their all_tenants stuff21:14
*** esp_ has quit IRC21:14
*** slberger has quit IRC21:16
*** spzala has joined #openstack-keystone21:17
*** mvk has joined #openstack-keystone21:22
*** pauloewerton has quit IRC21:29
*** slberger has joined #openstack-keystone21:35
notmorganedmondsw: did you see my response to auth_token_+admin thing21:36
edmondswdid you see mine?21:36
notmorganand if bootstrap doesn't meet your needs that is what we want to improve21:37
*** su_zhang has joined #openstack-keystone21:37
notmorganedmondsw: i'll look in a bit just getting into a meeting21:38
notmorganedmondsw: so will respond again soon21:38
edmondswnotmorgan, tx. It definitely doesn't seem to have been designed to do what I need, but at a glance it looked like it might work, anyway. I'd have to try it, and I don't have a real easy way to do that atm21:38
*** su_zhang_ has joined #openstack-keystone21:38
notmorganyeah21:38
edmondswnotmorgan, besides that, there was my comment on the releasenotes for you to look at... tx21:39
notmorganright thnx!21:39
*** su_zhang has quit IRC21:42
*** ninag has joined #openstack-keystone21:42
*** gordc has joined #openstack-keystone21:49
*** mylu has joined #openstack-keystone21:51
openstackgerritTom Cocozzello proposed openstack/keystone: Deprecate Saml2 auth plugin  https://review.openstack.org/27543821:54
*** mylu has quit IRC21:56
lbragstadjorge_munoz https://github.com/openstack/keystone/blob/master/keystone/trust/schema.py21:57
*** mylu has joined #openstack-keystone21:57
*** mylu has quit IRC21:58
*** jed56 has quit IRC22:03
notmorgandolphm: LOL at the typo'd channel22:05
*** clenimar has joined #openstack-keystone22:06
*** clenimar has quit IRC22:07
*** clenimar has joined #openstack-keystone22:07
*** jamielennox|away is now known as jamielennox22:10
notmorganbknudson_, topol: S3 and Ec2, use policy.json22:10
notmorganbknudson_: make it a deny rule for any/all scopes22:10
bknudson_lawyers told us we needed to remove the code entirely22:10
notmorganwtf.22:10
notmorganseriously?!22:10
notmorganthis is why i wanted to make this defcore22:10
notmorganrequired22:11
bknudson_then we wouldn't be compliant22:11
notmorganand you'd need to have it and 403 it22:11
*** henrynash has quit IRC22:11
notmorganthat was sprecifically what i was trying to do22:11
notmorganit is impossible for end users to develop sanely against a cloud if some APIs return 404 because they were removed instead of blocked22:12
bknudson_in this case they're developing against AWS and not openstack22:13
openstackgerritRonald Bradford proposed openstack/keystone: Use oslo.log specified method to set log levels  https://review.openstack.org/25425322:13
bknudson_not sure how always getting 403 is that much worse than 404.22:13
notmorganbknudson_: because you know the API is telling you fly a kite vs "was the resource missing or was the api removed?"22:14
notmorganbknudson_: then we should rm-rf it22:14
notmorganbknudson_: and make it out of tree22:14
* notmorgan is uncaring which way we go22:14
bknudson_I would like to see aws out of tree22:14
notmorganbut i am adamantly against "optional" apis22:15
bknudson_but I wouldn't sign up to do the work since I don't want to be associated with it22:15
*** petertr7 is now known as petertr7_away22:15
bknudson_nova moved their ec2 compat layer out of tree22:16
notmorganyes22:16
notmorganalso doesn't heat require EC2 in keystone for some things?22:17
notmorganbut not on the nova side22:17
*** vgridnev has quit IRC22:17
notmorganso, like i said, i am adamantly against optional APIs. if this means we need to punt it out, we punt it out. but that is where i draw the line22:17
bknudson_I'm all for punting it out22:18
notmorganbknudson_: make the folks doing the EC2 API22:18
*** timcline has quit IRC22:18
bknudson_I can't make anybody do anything22:19
notmorganso, we need to figure this out.22:19
notmorganwe should not carry any apis that are optional22:20
notmorganat all22:20
notmorgani don't care how we resolve it.22:20
*** clenimar has quit IRC22:21
*** clenimar has joined #openstack-keystone22:21
*** jbell8 has quit IRC22:21
notmorganalso looks like we had a massive netsplit22:21
notmorgancause steve, topol and a bunch of tothers are not on irc22:21
bknudson_their znc servers went down.22:21
notmorganah22:21
bknudson_maybe we can deprecate aws in keystone and somebody will pick it up and move it into another service before it goes away22:23
openstackgerritJorge Munoz proposed openstack/keystone: Move redelegated_trust_id out of extras  https://review.openstack.org/27647422:23
notmorganworks for me. and in this case i'd lazy import22:24
notmorganif it's absolutely deprecated22:24
notmorganwith no plans for replacement22:24
notmorganbut i'll say i know a lot of people *like* EC2 key-pairs [to be honest i wish we used it instead of bearer tokens]22:25
*** crinkle has joined #openstack-keystone22:25
bknudson_it would be nice if it wasn't a proprietary api22:26
notmorganyeh22:26
bknudson_https://www.eff.org/cases/oracle-v-google -- still not resolved22:27
notmorganbknudson_: so pitch it as deprecated and i'm ok to lazy import22:29
bknudson_alright, I can work on that.22:29
notmorganbknudson_: i just refuse to budge on "optional apis" we are supporting longterm22:29
notmorganbknudson_: if that makes sense. and deprecated 100% behind22:29
notmorganwithout question :)22:29
notmorgan(i'd rather deprecate it if we don't want to support it, totally not invested in keeping it around or antyhign)22:30
notmorganbknudson_: feel free to update my patch with that too22:30
bknudson_if oracle v google goes the way of google then I expect the lawyers would allow it back in.22:31
*** ninag has quit IRC22:44
*** mylu has joined #openstack-keystone22:44
openstackgerritTom Cocozzello proposed openstack/keystone: Deprecate Saml2 auth plugin  https://review.openstack.org/27543822:46
*** spzala has quit IRC22:47
*** david-lyle has joined #openstack-keystone22:48
*** gyee has joined #openstack-keystone22:48
*** ChanServ sets mode: +v gyee22:48
*** david-lyle has quit IRC22:52
*** diazjf has quit IRC22:57
openstackgerritMerged openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/27639322:58
*** mylu has quit IRC23:01
*** daemontool has quit IRC23:01
*** slberger has left #openstack-keystone23:01
*** ayoung has joined #openstack-keystone23:02
*** ChanServ sets mode: +v ayoung23:02
*** ayoung_ has joined #openstack-keystone23:03
*** phalmos_ has quit IRC23:04
*** mylu has joined #openstack-keystone23:06
*** clenimar is now known as clenimar_23:07
*** clenimar_ is now known as clenimar23:08
*** erlarese has quit IRC23:12
*** clenimar has quit IRC23:25
*** aginwala has joined #openstack-keystone23:27
*** mgarza has quit IRC23:27
*** gordc has quit IRC23:28
*** chlong has quit IRC23:30
bigjoolshey guys, am I supposed to be able to override the client.Client with a version regardless of the URL passed in?23:31
bigjoolshttp://pastebin.ubuntu.com/14883441/23:31
*** dims_ has quit IRC23:31
*** jamielennox is now known as jamielennox|away23:31
bigjoolsbecause if I use a v3 URL and pass version=2, it goes boom23:31
*** dims has joined #openstack-keystone23:32
*** spzala has joined #openstack-keystone23:33
*** csoukup has quit IRC23:33
*** spzala has quit IRC23:34
*** spzala_ has joined #openstack-keystone23:34
*** sigmavirus24 is now known as sigmavirus24_awa23:35
edmondswnotmorgan, I vote rm-rf ec2/s323:46
*** aginwala has quit IRC23:51
notmorganedmondsw: thats fine23:52
notmorganedmondsw: i don't care either way :)23:53
notmorganedmondsw: but supported API = on imo.23:53
notmorganedmondsw: if that makes sense.23:53
notmorganit could totally be something completely out of tree23:53
notmorganand then not my problem :)23:53
ayoung_bigjools, I'd expecct that23:53
*** shoutm has joined #openstack-keystone23:54
bigjoolshey ayoung_23:54
bigjoolswhat's the recommended way to override the version it returns?23:54
ayoung_bigjools, I think that the logic is the force of the version is only effective if you give it a versionless URL23:54
bigjoolsah ok23:54
* bigjools tries23:54
ayoung_bigjools, I sense you want to use V223:54
bigjoolsheh not me23:55
bigjoolsRally :/23:55
ayoung_Ugh23:55
notmorganRally does their own very broken thing23:55
ayoung_notmorgan, they don23:55
bigjoolswell hopefully not for much longer, I am currently in the middle of a long review to make it work rught23:55
notmorganthere is a way they support v2.. or v3.. or something but it's like they wend and just re-implemented their own thing23:55
ayoung_'t use KSA right?23:55
notmorganayoung_: nope, they like just wholesale implemented their own way of authing23:55
*** aginwala has joined #openstack-keystone23:56
bigjoolshttps://review.openstack.org/#/c/274977 is my change23:56
ayoung_notmorgan, so...I'm finally learning Docker.  Trying to get a dev setup.  And...not sure if the mysql DB is supposed to be in the same container or a different.  What would be more Pythonic  er...Dockertastic?23:57
notmorganayoung_: one process per container23:57
notmorganayoung_: that is the general "thing"23:57
notmorganor so i hear23:57
ayoung_notmorgan, then do I need Kubernetes os something for multie container work?23:57
bigjoolsayoung_: cool, removing version in url does the trick, thanks23:57
notmorgandocker swarm23:57
notmorgankube23:58
notmorgansomething like that23:58
*** jsavak has quit IRC23:58
notmorgani haven't played much with it23:58
notmorganjust guessing based upon my limited knowledge23:58
ayoung_notmorgan, its like venv, but for native code!23:58
notmorganand also "not new technology"23:58
notmorgan:P23:58
ayoung_notmorgan, ewindish had a devstack in docker hack:  dockenstack23:59
« Wednesday, 2016-02-03 Index Friday, 2016-02-05 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!