Tuesday, 2016-03-08

« Monday, 2016-03-07 Index Wednesday, 2016-03-09 »
*** ninag has joined #openstack-keystone00:02
*** maxabidi has quit IRC00:02
*** ninag has quit IRC00:07
mfischlbragstad: dolphm hey Fernetians, our talk was picked00:08
mfischget your slide faces on00:08
*** sdake has joined #openstack-keystone00:12
*** GB21 has quit IRC00:13
*** jasonsb has joined #openstack-keystone00:13
*** Ephur has quit IRC00:16
*** rk4n has quit IRC00:17
*** jrist has quit IRC00:17
*** dan_nguyen has left #openstack-keystone00:17
*** jrist has joined #openstack-keystone00:18
*** rk4n has joined #openstack-keystone00:18
*** dan_nguyen has joined #openstack-keystone00:20
*** sdake has quit IRC00:29
*** browne has quit IRC00:34
*** anush has quit IRC00:36
*** sheel has joined #openstack-keystone00:39
*** pushkaru has quit IRC00:41
openstackgerritBrant Knudson proposed openstack/keystone: Fix warning when running tox  https://review.openstack.org/28963500:43
*** spandhe has quit IRC00:45
*** fangxu has joined #openstack-keystone00:48
*** wanghua has joined #openstack-keystone00:50
*** fpatwa_ has joined #openstack-keystone00:52
*** trown|outtypewww has quit IRC00:55
openstackgerritBrant Knudson proposed openstack/keystone: Un-wrap functions  https://review.openstack.org/28964201:00
*** fpatwa_ has quit IRC01:04
*** rk4n has quit IRC01:05
openstackgerritSean Perry proposed openstack/keystoneauth: Show deprecation when a user_agent is not set  https://review.openstack.org/28964501:06
*** rk4n has joined #openstack-keystone01:07
*** gyee has quit IRC01:11
openstackgerritBrant Knudson proposed openstack/keystone: Un-wrap function  https://review.openstack.org/28964201:13
dolphmmfisch: oh noes01:14
dolphmmfisch: i linked to your blog today01:15
*** browne has joined #openstack-keystone01:17
*** ankita_wagh has quit IRC01:22
*** harlowja has quit IRC01:23
*** shaleh has quit IRC01:25
*** pushkaru has joined #openstack-keystone01:31
*** furface has quit IRC01:33
*** furface has joined #openstack-keystone01:36
openstackgerritMerged openstack/keystoneauth: Adding authentication compatibility for OpenStackClient  https://review.openstack.org/28947201:44
*** spzala has quit IRC01:49
*** spzala has joined #openstack-keystone01:50
*** spzala has quit IRC01:54
*** spzala has joined #openstack-keystone01:54
*** rderose has quit IRC01:59
*** anush has joined #openstack-keystone02:02
*** ankita_wagh has joined #openstack-keystone02:12
*** rk4n has quit IRC02:13
*** dan_nguyen has quit IRC02:24
*** fangxu has quit IRC02:24
*** edmondsw has quit IRC02:25
*** sdake has joined #openstack-keystone02:27
*** fangxu has joined #openstack-keystone02:28
*** JBenson has quit IRC02:30
*** pushkaru has quit IRC02:36
*** richm has quit IRC02:50
*** jamielennox is now known as jamielennox|away02:56
*** woodster_ has quit IRC02:57
*** anush has quit IRC03:01
*** jamielennox|away is now known as jamielennox03:01
*** fpatwa_ has joined #openstack-keystone03:03
*** mtreinish has quit IRC03:04
*** mtreinish has joined #openstack-keystone03:04
*** jamielennox is now known as jamielennox|away03:05
*** sheel has quit IRC03:07
*** fangxu has quit IRC03:10
*** jamielennox|away is now known as jamielennox03:15
*** fpatwa_ has quit IRC03:16
*** browne1 has joined #openstack-keystone03:22
*** lhcheng_ has joined #openstack-keystone03:23
*** browne has quit IRC03:24
*** spandhe has joined #openstack-keystone03:26
*** lhcheng has quit IRC03:26
*** spandhe_ has joined #openstack-keystone03:29
*** fangxu has joined #openstack-keystone03:30
*** spandhe has quit IRC03:30
*** spandhe_ is now known as spandhe03:30
*** lhcheng_ has quit IRC03:32
*** fangxu has quit IRC03:34
*** ccard_ has quit IRC03:35
openstackgerritfengzhr proposed openstack/keystone: The name can be just white character except project and user  https://review.openstack.org/27235803:48
*** ccard_ has joined #openstack-keystone03:50
*** wxy has joined #openstack-keystone03:52
*** JBenson has joined #openstack-keystone03:52
*** dan_nguyen has joined #openstack-keystone03:57
*** smcginnis has left #openstack-keystone03:58
*** spzala has quit IRC04:01
*** spzala has joined #openstack-keystone04:01
*** spzala has quit IRC04:06
*** ankita_wagh has quit IRC04:08
*** ankita_wagh has joined #openstack-keystone04:08
*** lhcheng has joined #openstack-keystone04:10
*** ChanServ sets mode: +v lhcheng04:10
*** ninag has joined #openstack-keystone04:12
*** bapalm has quit IRC04:13
*** ninag has quit IRC04:16
*** bapalm has joined #openstack-keystone04:30
*** dan_nguyen has quit IRC04:31
*** EinstCrazy has joined #openstack-keystone04:32
*** links has joined #openstack-keystone04:33
*** lhcheng_ has joined #openstack-keystone04:40
*** spzala has joined #openstack-keystone04:41
*** fangxu has joined #openstack-keystone04:41
*** lhcheng has quit IRC04:43
*** spzala has quit IRC04:44
*** nisha has joined #openstack-keystone04:45
*** jaosorior has joined #openstack-keystone04:46
nishaHello all :)04:50
*** sdake_ has joined #openstack-keystone05:00
*** sdake has quit IRC05:01
*** nkinder has joined #openstack-keystone05:01
nishaI am participating in Openstack BugSmash and I am trying to fix this documentation bug https://bugs.launchpad.net/openstack-manuals/+bug/145940205:05
openstackLaunchpad bug 1459402 in openstack-manuals "Conceptual overview of the Keystone service catalog" [Wishlist,Confirmed] - Assigned to Nisha Yadav (ynisha11)05:05
*** markvoelker_ has quit IRC05:06
*** fpatwa_ has joined #openstack-keystone05:07
*** phalmos has joined #openstack-keystone05:11
*** dave-mccowan has quit IRC05:21
*** fawadkhaliq has quit IRC05:22
*** phalmos has quit IRC05:25
*** EinstCrazy has quit IRC05:27
*** belmoreira has joined #openstack-keystone05:31
*** sdake_ has quit IRC05:40
*** fawadkhaliq has joined #openstack-keystone05:42
*** fpatwa_ has quit IRC05:43
*** rha has quit IRC05:46
*** frickler has quit IRC05:46
*** Nirupama has joined #openstack-keystone05:47
*** boris-42 has quit IRC05:54
*** furface has quit IRC05:54
*** tomoiaga has joined #openstack-keystone05:56
*** fangxu has quit IRC05:56
*** rcernin has joined #openstack-keystone06:02
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Zanata  https://review.openstack.org/28972206:03
*** roxanagh_ has joined #openstack-keystone06:06
*** markvoelker has joined #openstack-keystone06:07
*** jamielennox is now known as jamielennox|away06:08
nishaHas anyone come across a low-hanging fruit or an easy documentation bug related to keystone?06:23
nishaI am looking for one, any suggestions ?06:23
*** belmoreira has quit IRC06:24
*** spandhe has quit IRC06:26
*** spandhe has joined #openstack-keystone06:28
*** roxanagh_ has quit IRC06:37
*** furface has joined #openstack-keystone06:37
*** ankita_w_ has joined #openstack-keystone06:39
*** zzzeek has quit IRC06:42
*** ankita_wagh has quit IRC06:43
*** david-lyle_ has joined #openstack-keystone06:44
*** david-lyle has quit IRC06:44
*** fawadkhaliq has quit IRC06:44
morgannisha: I can take a gander later tonight or tomorrow. It's late in the US/North America where most keystone devs are.06:56
morganSo might take a bit to get a response.06:57
*** pcaruana has quit IRC06:57
nisha ohh, i understand morgan06:57
nishamorgan: I was looking at this as of now https://bugs.launchpad.net/openstack-manuals/+bug/151634106:58
openstackLaunchpad bug 1516341 in openstack-manuals "Identity services (keystone) in High Availability Guide" [Undecided,New]06:58
*** spandhe has quit IRC07:16
*** nkinder has quit IRC07:22
*** lhcheng has joined #openstack-keystone07:23
*** ChanServ sets mode: +v lhcheng07:23
*** lhcheng_ has quit IRC07:27
*** belmoreira has joined #openstack-keystone07:31
stevemarjamielennox|away: mordred :) you guys are fun!07:37
stevemarjamielennox|away: mordred great to hear that the bootstrap with endpoint works great :)07:38
*** fpatwa_ has joined #openstack-keystone07:44
*** e0ne has joined #openstack-keystone07:48
*** fpatwa_ has quit IRC07:49
*** e0ne has quit IRC07:49
*** frickler has joined #openstack-keystone07:57
*** browne1 has quit IRC08:07
*** permalac has joined #openstack-keystone08:15
openstackgerritMaho Koshiya proposed openstack/python-keystoneclient: Add wrapper classes for return-request-id-to-caller  https://review.openstack.org/26118808:24
*** ankita_w_ has quit IRC08:35
openstackgerritMerged openstack/keystone: Race condition in keystone domain config  https://review.openstack.org/28702008:40
*** mvk has joined #openstack-keystone08:41
*** pece has joined #openstack-keystone08:46
*** markus_z has left #openstack-keystone09:00
*** jistr has joined #openstack-keystone09:11
openstackgerritMerged openstack/keystone: Imported Translations from Zanata  https://review.openstack.org/28972209:22
nishaany quick links on how to do code coverage in keystone, please09:30
nishaI tried this http://adam.younglogic.com/2013/06/keystone-test-coverage/, but it says no such file or directory when I used the command ./run_tests.sh -c09:31
marekdnisha: hi, try tox -ecover09:34
marekdgenerally speaking tox is now recommended way to run unit tests.09:35
*** mhickey has joined #openstack-keystone09:35
nishamarekd: thanks for help, it's running09:38
marekdnisha: cool!09:38
stevemarmarekd: o/09:38
stevemarmarekd: i'm only one tz behind you!09:38
marekdstevemar: why one?09:38
marekdyou are UTC+109:38
stevemaroh!09:38
stevemarsame!09:38
marekdyeah09:38
marekdstevemar: you see how calm the channel is at this time?!09:39
stevemarUTC+1 is lonely on irc, but my goodness do changes get merged fast09:39
marekd:)09:39
marekdhow is your time in France?09:39
stevemargood! great food so far09:39
marekdhehe09:39
marekdseafood you mean or wine and cheese?09:40
stevemarwine and bread :)09:40
marekd:)09:40
*** fpatwa_ has joined #openstack-keystone09:45
*** fpatwa_ has quit IRC09:50
nishamarekd: http://paste.openstack.org/show/489647/09:51
nishaplease have a look, the command is still running but the screen shows this09:52
nishadisplays*09:52
marekdnisha: you have nevest keystone?09:52
marekdand up to date tox?09:52
stevemarmarekd: there's a small fix to the warning here: https://review.openstack.org/#/c/289635/09:53
patchbotstevemar: patch 289635 - keystone - Fix warning when running tox09:53
* stevemar will try running cover09:53
marekdstevemar: let's see how soon it will be in master branch :-)09:54
marekdnisha: let me run it locally09:55
nishamarekd:  nevest ? do you mean to say newest?09:56
nishaI had done git pull and ran tox also before09:57
marekdyes, i meant newest, most up to date09:57
stevemarnisha: did a directory get created? cover?09:57
nishastevemar: so, the command is still running, though nothing has popped up after the paste link09:58
nishai had a directory .cover09:58
stevemarnisha: yeah, same here09:58
marekdnisha: it takes time usually09:59
marekdnisha: in the end you are supposed to examine html generated pages with coverage10:00
nishastevemar: marekd : i am sorry spelling mistake,  I have a directory hidden .coverage10:00
nishaI don't have any cover directory though10:01
nishamarekd: I am using a VM for running keystone10:03
stevemarnisha: did the command finish?10:03
marekdnisha: doesn't matter i think.10:03
marekdnisha: i am running tox-ecover and have 'cover' dir.10:04
nishamarekd: stevemar : alright, not yet still running10:04
marekdnisha: permission problems?10:04
marekdls -al s okay in keystone dir?10:04
marekdis*10:04
nishashould i cancel the running command and then check?10:05
marekdnisha: maybe open another terminal10:05
nishaoki, sure10:05
nishastill the same thing, no directory named cover10:07
nishahttp://paste.openstack.org/show/489650/10:07
stevemarnisha: i think it takes a while10:07
marekdnisha: but what about permissions?10:07
marekdmeybe you cloned repo as root or something and now tox cannot create dir10:07
marekdor something10:07
nishai ran tox command before without sudo , that worked well10:08
nishamarekd: Is there any way I can cross check, to be sure about permissions?10:08
marekdls10:08
marekdls -al10:08
marekdwill show you who owns the dir10:09
marekdand files10:09
*** _pece has joined #openstack-keystone10:10
nishahttp://paste.openstack.org/show/489650/ this was the result of the query ls- -al10:10
marekdnisha: looks goo10:11
marekdok, so one thing off the table.10:11
marekdnisha: i'd wait few more minutes10:11
nishamarekd: stevemar : the directory cover will be created once the command has finished right? at least is should10:11
marekdnisha: not sure when exactly10:11
nishathanks, sure10:11
*** pece has quit IRC10:11
stevemarnisha: yes it should10:11
marekdnisha: but yes, it should be there at some point10:11
marekdnisha: as this is where coverage files are located.10:12
marekdso you can browse them.10:12
*** mvk has quit IRC10:14
stevemarnisha: http://ronaldbradford.com/blog/writing-and-testing-unit-tests-in-openstack-2015-06-05/10:14
stevemarYou can use the code coverage of unit tests to determine possible places to start adding to existing unit tests. The following command will produce a HTML report in the /cover directory of your project10:15
stevemartox -e cover10:15
*** mvk has joined #openstack-keystone10:15
stevemarshould be able to open keystone/cover/html/index.html in firefox ... if i remember it correctly10:16
marekdstevemar: ++10:16
stevemarlooks like it runs the entire py27 suite, then determines the coverage10:16
stevemarwow10:16
marekdnisha: maybe it just takes time as you VM is slow or low on memory?10:16
nishaumm, stevemar marekd  i had typed $tox -ecover not $tox -e cover10:18
marekdnisha: it doesn't matter10:18
stevemarnisha: that's fine,10:18
marekdnisha: check if it's still running something10:19
marekdfor instance if your CPU are loaded :-)10:19
nishathe screen just says the same , looks freezdd10:20
nishaand i had allocated 3.5 GB RAM and 100 GB hard disk size10:20
nishafor the VM10:21
nishacan't I cancel and try running it again10:21
marekdnisha: yes, you can - it's your VM :-)10:21
stevemarnisha: my run just finished10:21
marekdnisha: one thing you can do is to try updating all your packages10:22
marekdpip install --upgrade -r test-requirements.txt -r requirements.txt10:22
stevemarnisha: http://paste.openstack.org/show/489653/10:22
stevemarnisha: i opened it with $ firefox cover/index.html and see the data10:23
stevemarnisha: report: http://paste.openstack.org/show/489655/10:23
nishayeah, sure will update packages marekd :)10:26
nishahttp://paste.openstack.org/show/489658/10:32
*** openstackgerrit has quit IRC10:33
*** openstackgerrit has joined #openstack-keystone10:33
nishamarekd: I am getting some errors while upgrading packages10:33
nishaTried with sudo command as well, same error10:33
stevemarohhh i like this change: https://review.openstack.org/#/c/289848/10:35
patchbotstevemar: patch 289848 - openstack-infra/project-config - Convert tox jobs with DB to use ubuntu-trusty10:35
marekdstevemar: so, all jenkins jobs would be running on top Mysql and postgres?!10:36
marekdcool!10:36
marekdmore realistic testing suite10:36
stevemarhmm, i guess it does some set up for that...10:37
*** dims has joined #openstack-keystone10:44
nishastevemar: marekd : nice taking to you! Gotta catch a flight in few hours10:46
nishathanks for all the help, will try to fix the errors later :)10:46
marekdnisha: good luck110:46
*** lhcheng has quit IRC10:47
*** nisha has left #openstack-keystone10:48
openstackgerritMerged openstack/keystone: Fix warning when running tox  https://review.openstack.org/28963510:52
marekdstevemar: ^^ fast, he?10:52
odyssey4mestevemar rumour has it you're lonely at UTC+1?11:10
stevemarodyssey4me: so lonely :(11:10
stevemarodyssey4me: but lunch soon!11:10
odyssey4mehaha, but the gate queues are nice and low in the morning :)11:10
odyssey4metry working on weekends when the gate queues are <10 long... it's amazing11:11
*** ninag has joined #openstack-keystone11:12
*** trown has joined #openstack-keystone11:13
*** trown is now known as trown|outtypewww11:14
openstackgerritMaho Koshiya proposed openstack/python-keystoneclient: Add return-request-id-to-caller function(v2_0)  https://review.openstack.org/26744911:15
*** ninag has quit IRC11:17
*** rk4n has joined #openstack-keystone11:19
*** rk4n has quit IRC11:23
*** wxy has quit IRC11:29
*** dave-mccowan has joined #openstack-keystone11:33
*** sheel has joined #openstack-keystone11:38
*** wxy has joined #openstack-keystone11:39
rcerninayoung, can you integrate keystone v2 with AD?11:40
*** rk4n has joined #openstack-keystone11:43
*** fpatwa_ has joined #openstack-keystone11:46
*** fpatwa_ has quit IRC11:51
*** permalac has quit IRC11:55
*** EinstCrazy has joined #openstack-keystone11:56
*** jaosorior has quit IRC12:02
*** jaosorior has joined #openstack-keystone12:02
*** bjornar has joined #openstack-keystone12:05
stevemarrcernin: you sure can!12:09
stevemarrcernin: it doesn't matter what version of keystone you use -- keystone supports AD12:09
stevemaryou may not have group support, which is sad times12:09
*** fpatwa_ has joined #openstack-keystone12:09
stevemarodyssey4me: marekd, so apparently after lunch time everyone starts joining up! getting all sorts of pings from early risers12:10
*** rodrigods has quit IRC12:11
*** rodrigods has joined #openstack-keystone12:11
*** andreykurilin__ has joined #openstack-keystone12:14
*** pece has joined #openstack-keystone12:15
*** _pece has quit IRC12:16
andreykurilin__hi all! Does it possible to setup devstack with keystone v3 as an identity api by default?12:17
*** rk4n has quit IRC12:19
*** tellesnobrega is now known as tellesnobrega_af12:25
odyssey4mestevemar yeah, we get a quiet morning to be all productive and stuff - then herd the cats all afternoon :p12:26
stevemarodyssey4me: damn those cats12:32
*** gordc has joined #openstack-keystone12:35
marekd++12:38
*** fpatwa_ has quit IRC12:45
*** trown|outtypewww has quit IRC12:48
*** tomoiaga has quit IRC12:51
*** tomoiaga has joined #openstack-keystone12:52
*** Nirupama has quit IRC12:56
*** markvoelker has quit IRC12:57
*** markvoelker has joined #openstack-keystone12:57
*** edmondsw has joined #openstack-keystone12:57
*** markvoelker_ has joined #openstack-keystone12:59
*** markvoelker has quit IRC13:01
*** doug-fish has joined #openstack-keystone13:07
*** Soni has joined #openstack-keystone13:11
SoniHi13:11
SoniNeed some help13:11
Soniregarding endpoint filter in keystone13:11
SoniAnyone?13:11
stevemarSoni: ask away and stay online :)13:12
stevemarSoni: eventually someone will answer you, we're just not always available every minute :)13:12
*** SAshish has joined #openstack-keystone13:12
SAshishThanks :) I am asking on behalf of Soni13:13
SAshishI have a keystone v3 setup and using keystone API. Can someone please tell me how to know whether my keystone uses endpoint filter or not?13:14
rodrigodsstevemar, any talk in Austin?13:15
stevemarSAshish: depends on the keystone version, i think as of liberty we deploy it by default13:16
stevemarrodrigods: i think i'm on a panel? what about you?13:16
rodrigodsstevemar, didn't submit anything, will be just watching :)13:17
SAshishthanks Steve, Any way to get it confirmed?13:17
rodrigodsstevemar, link for the panel?13:17
stevemarrodrigods: ah, that makes getting a talk accepted rather difficult13:17
SAshishI mean any API call ?13:18
stevemarSAshish: try GET /v3//OS-EP-FILTER/endpoint_groups and see if it 404's13:18
stevemarif it does, then it's not in the pipeline just yet!13:18
stevemarrodrigods: https://www.openstack.org/summit/austin-2016/summit-schedule/events/779513:19
rodrigodsstevemar, awesome13:20
*** tellesnobrega_af is now known as tellesnobrega13:24
*** palexster has quit IRC13:25
ayoungrcernin, there is not Keystone V2.  Only Zuul.13:44
ayoungstevemar, stop lying to rcernin13:45
rcerninayoung, cheers, is there any guide on downgrading keystone V3 back to V2 with AD support?13:48
*** zzzeek has joined #openstack-keystone13:48
*** dave-mccowan has quit IRC13:48
ayoungrcernin, there is no V2.  Anyone who says differently is selling something13:48
*** dave-mccowan has joined #openstack-keystone13:48
ayoungrcernin, OK...here is the real deal13:48
*** lennyb__ is now known as lennyb13:49
ayoungV2 does not support multiple domains13:49
ayoungrcernin, usually, when you do AD/LDAP you can't write users to the Directory Server STore13:49
ayoungso, the best option is to do this:  http://adam.younglogic.com/2014/08/getting-service-users-out-of-ldap/13:49
ayoungif you do that, then you can, possibly, make the LDAP backed domain the default domain, but you have to be careful not to break your other services:  the service users need to use v3 to talk to the Keystone server13:50
*** Ephur has joined #openstack-keystone13:53
dstaneksamueldmq: are you still working on https://review.openstack.org/#/c/127433 ?13:53
*** jistr is now known as jistr|call13:59
*** markvoelker_ has quit IRC14:00
htrutaayoung: does that mean that all services use v3 service token by default?14:01
ayounghtruta,  well..there is no "default"  as you need to explicitly add it to their config files to do so, but yes, they all use V314:02
htrutaayoung: but the 'default' config gen with oslo_config and the middleware set them to v3, right?14:02
ayounghtruta, no clue14:03
*** rk4n has joined #openstack-keystone14:03
htrutaayoung: ok14:03
stevemari get so sad when people think keystone has a v2 or v3 version :(14:03
ayounghtruta, I always assume the worst.  THat way, I am sometimes pleasantly surprised14:03
*** LZ has quit IRC14:04
ayoungstevemar, we should just deprecate the entire V2 API14:04
ayoungcaput14:04
htrutastevemar: hehe14:04
stevemarrcernin: v2 and v3 are API versions, keystone's versions are released with openstack (havana, grizzly, icehouse, etc...) and since grizzly, keystone supports both API versions14:04
stevemarayoung: we already did!14:05
ayoungstevemar, including auth14:05
stevemarayoung: that's deprecated too14:05
ayoungstevemar, really?  See.  Assume the worst and you are never disappointed14:05
*** ninag has joined #openstack-keystone14:05
htrutaayoung: they're all deprecated, but some have no timeline for removal14:05
*** ninag has quit IRC14:05
stevemarhttps://github.com/openstack/keystone/commit/e63a8311fa2e5d7cccdb76b4cd3fc17719cc86c614:05
*** ninag has joined #openstack-keystone14:05
stevemarayoung: the CRUD routes have a timeline for removal of Q, the auth routes have no timeline for removal14:06
openstackgerritDavid Stanek proposed openstack/keystone: Fixes a few LDAP tests to actually run  https://review.openstack.org/28993314:06
ayoungstevemar, OK.  Removing them now....14:06
stevemarhehe14:06
stevemari wish!14:06
stevemarayoung: if you're in the mood for removing crud, hopefully these patches can satisfy your hunger when newton opens up: https://review.openstack.org/#/c/258181/ - https://review.openstack.org/#/c/249486/ and https://review.openstack.org/#/c/257127/14:07
patchbotstevemar: patch 258181 - python-keystoneclient - remove CLI from keystoneclient14:07
patchbotstevemar: patch 249486 - keystone - Remove eventlet support14:07
patchbotstevemar: patch 257127 - python-keystoneclient - remove oslo-incubator apiclient14:07
htrutaFYI, we had a keystone talk accepted: https://www.openstack.org/summit/austin-2016/summit-schedule/events/845814:08
ayoungstevemar, remove the -1 and I'll +2 A them now14:08
ayoungheh14:08
*** petertr7_away is now known as petertr714:08
ayounganyway, progress....14:08
stevemarayoung: hehe, soon soon :)14:08
stevemarhtruta: NICE14:08
htrutawe've also submitted one "It's time to move to identity API v3", but it wasn't accepted14:08
stevemarhtruta: aww man14:09
stevemarhtruta: that would be a good topic14:09
htrutastevemar: :/14:09
stevemarbut i guess it's a known issue :P14:09
htrutastevemar: known issue for us... considering the amount of people that still have v2 doubts in here, I wouldn't say it's well spread14:10
openstackgerritMerged openstack/keystone: Adding 'domain_id' filter to list_user_projects()  https://review.openstack.org/18256914:10
*** pauloewerton has joined #openstack-keystone14:11
rodrigodshtruta, ppl like HMT more than v3 x v2, be proud14:12
htrutarodrigods: I am! hehe14:12
stevemarhmm, we have "fixtures" still in keystoneclient, but they are in keystoneauth now...14:14
stevemarbut it looks like other projects still use it: http://codesearch.openstack.org/?q=from%20keystoneclient%20import%20fixture&i=nope&files=&repos= :(14:14
stevemari wonder if we can do a simple s/keystoneclient/keystoneauth14:14
htrutastevemar: speaking of keystoneauth... I've been using it one of these days, and I created a token auth without passing the project_id and it gave no catalog14:15
htrutastevemar: is this a bug?14:15
htrutaI wonder if it shouldn't take the project_id from the token14:15
stevemarhtruta: doesn't sound like one, that's what i would expect14:16
stevemarwas the token a project scoped token?14:16
SAshishcan some one tell me what is client here. class keystoneclient.v3.contrib.endpoint_filter.EndpointFilterManager(client)14:16
htrutastevemar: almost sure it was14:16
stevemarhtruta: then it probably should take the project id from the token, like you said14:17
*** richm has joined #openstack-keystone14:18
stevemarjamielennox|away: have we deprecated ksc-kerb yet?14:18
stevemaroh we did, yay!14:19
htrutastevemar: I'll double check and submit a bug14:19
stevemarcoolio14:19
dstanekstevemar: wontfix? https://bugs.launchpad.net/keystone/+bug/128008414:21
openstackLaunchpad bug 1280084 in OpenStack Identity (keystone) "get trust missing @controller.protected" [Medium,Confirmed]14:21
stevemardstanek: yeah, i saw that recently and it raised an eyebrow14:21
stevemardstanek: yeah, it's weird... i can't think of a way to undo the change without it being backwards incompatible14:22
dstanekstevemar: i agree. it may be a bug (or feature) that some of those URLs and cases are not controlled by policy14:23
dstanekstevemar: but that bug specifically isn't all that useful14:23
stevemardstanek: yeah, you know what, let's mark it as won't fix.14:23
*** jaugustine has joined #openstack-keystone14:23
stevemardstanek: please go ahead and mark it as such14:23
dstanekstevemar: done14:26
*** links has quit IRC14:27
*** markvoelker has joined #openstack-keystone14:31
*** doug-fish has quit IRC14:32
*** doug-fish has joined #openstack-keystone14:33
openstackgerritBrant Knudson proposed openstack/keystone: Correct create_project driver versioning  https://review.openstack.org/28905814:33
*** EinstCrazy has quit IRC14:34
stevemartossed up https://review.openstack.org/#/c/289945/114:36
patchbotstevemar: patch 289945 - django-openstack-auth-kerberos - switch to ksa14:36
*** doug-fish has quit IRC14:37
*** jistr|call is now known as jistr14:40
edmondswhtruta stevemar, you can use a token to get another token in another project, so it can't assume which project you want if you don't tell it14:44
edmondswit will assume you want unscoped, which is also allowed14:45
*** doug-fish has joined #openstack-keystone14:46
*** spzala has joined #openstack-keystone14:46
*** markvoelker has quit IRC14:50
ayoungOK, so I 'm trying my hack again to run Keystone on ports 80/443 in additions to running on ports 5000/35357.  And, I am getting an error opening the log file on both admin and main14:55
*** sigmavirus24_awa is now known as sigmavirus2414:55
ayoungBTW, I wonder if we can drop admin/main split in V3 in the future.14:55
ayoungBut, anyway14:55
ayoungthe WSGI process is running as keystone user and group14:55
ayoungWSGIApplicationGroup %{GLOBAL}14:56
ayoungWSGIDaemonProcess keystone_main_11 display-name=keystone-main group=keystone processes=1 threads=1 user=keystone14:56
ayoungSE Linux is set to permissive14:56
ayoungI can su - keystone and echo a value into the log file. so the keystone user has permissions14:56
ayoungIt must be something in the WSGI setup14:57
*** knikolla has joined #openstack-keystone14:58
edmondswayoung, I just run it on 5000/35357, and then have a reverse proxy setup to point to those from 80/443, rather than trying to run on both14:59
ayoungedmondsw, good, now come and rewrtie Tripleo for me and I'm done14:59
edmondswayoung... lol15:00
ayoungedmondsw, there are many ways to divest this particular Feline of its hide15:00
*** sdake has joined #openstack-keystone15:00
* edmondsw crawls back under rock15:00
ayoungedmondsw, nope15:00
ayoungedmondsw, now you need to help me brainstorm15:00
lbragstaddolphm fyi - https://ask.openstack.org/en/question/87887/keystone-notifications-on-addremove-user-to-group/15:00
ayoungwhy am I getting a permissons error?15:00
ayoung[Tue Mar 08 14:58:58.519525 2016] [:error] [pid 31057] [remote 10.45.2.8:248] IOError: [Errno 13] Permission denied: '/var/log/keystone/keystone.log'15:00
*** knikolla has quit IRC15:00
ayoung31057 ?        00:00:00 httpd15:01
ayoungapache   31057 31052  0 14:58 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND15:01
edmondswayoung did you set them up to use separate log files, so they're not trying to open the same file?15:01
dolphmlbragstad: we should totally do that15:01
ayoungit is not the Keystone user opening it15:01
ayoungit is the Httpd daemon prefork...15:01
ayoungedmondsw, see you 've been helpful already15:01
stevemaredmondsw: stop hiding under rocks! :)15:02
ayoungBut it is a python exception, which means python should have forked already15:02
ayoungbut it is called from  File "/usr/lib/python2.7/site-packages/keystone/server/wsgi.py", line 38, in initialize_application15:03
ayoungWhy does this not fail for 10-keystone that is in a virtual-host>15:03
*** phalmos has joined #openstack-keystone15:04
ayoungedmondsw, so, I thought about the multiple writers issue, but Keystone already logs both main and admin to the same file, so it can't be an exclusive lock15:05
edmondswayoung true15:06
*** mhickey has quit IRC15:06
ayoungand I was able to echo a value in there as the keystone user, too.  No, it looks like the issue is that the HTTPD user is doing the writing, for some reason15:06
*** woodster_ has joined #openstack-keystone15:06
ayoungand that must have to do with how processes are forked in HTTPD, and it is different for virastul hosts?15:06
samueldmqdstanek: hi, looking15:06
dstaneksamueldmq: o15:07
dstaneksamueldmq: i'm actually rebasing it now. almost done. checkout my comments and see if you agree15:07
samueldmqdstanek: should we log a warn saying that method is being ignored ?15:07
samueldmqdstanek: yes I do15:07
dstaneksamueldmq: maybe15:07
samueldmqdstanek: but I think we should log a warn in the wrapper saying it isn't doing anything15:08
samueldmqdstanek: cool15:08
dstaneki'm just rebasing now and not making any changes15:08
ayoungedmondsw, so my goal here is to eradicate the 5000 and 35357 port expectations. If we keep those around, people will keep using them, and they might end up, in your case, caloling direct as opposed to via the reverse Proxy15:08
ayoungMaybe if I drink more coffee...15:09
edmondswayoung what's your LogLevel?15:09
edmondswmaybe turn it down and see if the problem goes away?15:09
edmondsw(as a test)15:09
*** knikolla has joined #openstack-keystone15:10
ayoungedmondsw, IN the apache log?  THe Keystone Log?  I don't follow your reasoning15:11
stevemardstanek: good luck with the keystone meeting, sucker!15:11
edmondswapache15:11
ayoungit appears to be that the initial python application runs as HTTPD.  The HTTPD user does not have the right to post to the log file15:11
ayoungI could probably change that15:11
edmondswseems like httpd is logging something... maybe they only log something if you have the log level turned way up?15:12
ayoung...let's see, got grins15:12
ayoungedmondsw, nah, it is in the initialization15:12
ayoungFile "/usr/lib/python2.7/site-packages/oslo_log/log.py", line 319, in _setup_logging_from_conf15:12
*** knikolla has quit IRC15:12
dstanekstevemar: is that really all there is on the agenda?15:12
dstanekstevemar: when does m3 actually get cut?15:13
ayoungedmondsw, Ok, not a straight permissions error.  I get it even with: -rw-rw-rw-. 1 keystone apache 1175807 Mar  8 15:08 /var/log/keystone/keystone.log15:16
edmondswugh15:16
edmondswayoung what does the error look like?15:17
ayoungedmondsw, its the directory15:17
ayoungmaking the dir world readable moved the problem down the line15:17
ayoungnow it is is reading the config file?15:17
ayoungfind_paste_config15:18
ayoungso the real question is why is it trying to do all this stuff as apache, and not as keystone?15:18
ayoungwhat did I fat finger here?15:18
*** spzala has quit IRC15:20
*** mhickey has joined #openstack-keystone15:20
*** phalmos has quit IRC15:21
*** knikolla has joined #openstack-keystone15:23
*** jorge_munoz has joined #openstack-keystone15:25
*** pushkaru has joined #openstack-keystone15:26
ayoungedmondsw, ok...so I think the answer is here http://paste.openstack.org/show/489694/15:28
ayoungWSGIProcessGroup keystone_main_1115:28
ayoung  is not tied to the line above it15:28
*** phalmos has joined #openstack-keystone15:28
openstackgerritDavid Stanek proposed openstack/keystone: Remove foreign assignments when deleting a domain  https://review.openstack.org/12743315:32
dstaneksamueldmq: ^15:32
dstaneksamueldmq: i fixed the issues i brought up too15:33
edmondswayount how would you tie them together?15:34
edmondswayoung even15:34
ayoungedmondsw, no idea.  Maybe the problem is that the Application group is global?15:34
edmondswayoung oh, you mean in the Location block15:34
*** EinstCrazy has joined #openstack-keystone15:34
ayoungyeah, but I don;t think location works to scope it15:35
edmondswyeah15:35
ayounghttp://modwsgi.readthedocs.org/en/develop/configuration-directives/WSGIProcessGroup.html15:35
ayoungserver config, virtual host, directory15:35
samueldmqdstanek: lgtm, thanks for updating it15:36
dstaneksamueldmq: gotta be bug squashing!15:36
*** bunting has left #openstack-keystone15:37
ayoungedmondsw, directory15:38
ayoung    A directive marked as being valid in this context may be used inside <Directory>, <Location>, <Files>, <If>, and <Proxy> containers in the server configuration files, subject to the restrictions outlined in Configuration Sections.15:38
ayounghttps://httpd.apache.org/docs/2.4/mod/directive-dict.html#Context15:38
ayoungso Location should be OK...15:38
*** ff has joined #openstack-keystone15:39
samueldmqdstanek: ++15:40
samueldmqO/15:40
*** EinstCrazy has quit IRC15:41
*** rha has joined #openstack-keystone15:42
*** ksavich has joined #openstack-keystone15:45
*** permalac has joined #openstack-keystone15:46
dstanekdo we care about this? https://bugs.launchpad.net/keystone/+bug/127975015:47
openstackLaunchpad bug 1279750 in OpenStack Identity (keystone) "username validation 64 chars but can be 255 in database" [Low,In progress] - Assigned to Trevor McCasland (twm2016)15:47
*** links has joined #openstack-keystone15:52
*** slberger has joined #openstack-keystone15:53
*** tomoiaga has quit IRC15:55
*** permalac_ has joined #openstack-keystone15:56
*** phalmos has quit IRC15:57
*** mhickey_ has joined #openstack-keystone15:57
*** tellesnobrega is now known as tellesnobrega_af15:57
*** tellesnobrega_af is now known as tellesnobrega15:59
*** mhickey has quit IRC15:59
*** daemontool_ has joined #openstack-keystone15:59
*** permalac has quit IRC16:00
*** daemontool has quit IRC16:01
*** sdake_ has joined #openstack-keystone16:05
*** sdake has quit IRC16:05
htrutaedmondsw: makes sense16:06
dolphmjorge_munoz: https://review.openstack.org/#/c/278693/16:06
patchbotdolphm: patch 278693 - keystone - Make fernet support trust auth against v2.016:06
*** phalmos has joined #openstack-keystone16:09
*** bjornar has quit IRC16:10
*** browne has joined #openstack-keystone16:19
*** jaosorior has quit IRC16:21
openstackgerritJorge Munoz proposed openstack/keystone: Validate v2 fernet token returns extra attributes  https://review.openstack.org/28961816:21
*** petertr7 is now known as petertr7_away16:24
*** david-lyle_ is now known as david-lyle16:28
openstackgerritMerged openstack/keystone: Un-wrap function  https://review.openstack.org/28964216:28
*** henrynash has joined #openstack-keystone16:29
*** ChanServ sets mode: +v henrynash16:29
*** belmoreira has quit IRC16:29
*** gyee has joined #openstack-keystone16:34
*** ChanServ sets mode: +v gyee16:34
lbragstadjorge_munoz it was between these two reviews - https://review.openstack.org/#/c/278802/ https://review.openstack.org/#/c/278693/ cc dolphm16:35
patchbotlbragstad: patch 278802 - keystone - Remove support for trust scoped tokens in v2.0 (ABANDONED)16:35
patchbotlbragstad: patch 278693 - keystone - Make fernet support trust auth against v2.016:35
*** sdake_ is now known as sdake16:36
*** EinstCrazy has joined #openstack-keystone16:40
*** petertr7_away is now known as petertr716:41
*** pgbridge has joined #openstack-keystone16:43
*** phalmos has quit IRC16:44
*** EinstCrazy has quit IRC16:46
openstackgerritguang-yee proposed openstack/keystoneauth: Support TOTP auth plugin  https://review.openstack.org/28108616:46
*** SAshish has quit IRC16:52
*** browne has quit IRC16:54
*** ff has quit IRC16:55
*** ff has joined #openstack-keystone16:56
*** ff has quit IRC16:58
lbragstadmorgan dstanek dolphm I'd be happy to get your opinion on my latest comments here https://review.openstack.org/#/c/288643/4 (in the bug report or the patch)16:59
patchbotlbragstad: patch 288643 - keystone - Send notifications with entity name in payload16:59
*** rderose has joined #openstack-keystone17:01
openstackgerritKristi Nikolla proposed openstack/keystone: Changes the policy to allow non-admin users to List and Get service providers.  https://review.openstack.org/29002017:02
*** lhcheng has joined #openstack-keystone17:05
*** ChanServ sets mode: +v lhcheng17:05
*** dan_nguyen has joined #openstack-keystone17:06
openstackgerritKristi Nikolla proposed openstack/keystone: Policy to allow non-admin users to List and Get service providers.  https://review.openstack.org/29002017:14
*** daemontool_ has quit IRC17:16
ayoungedmondsw, so...I am sure you want some closuer on our conversation this morning.  I found out what was causing the mess up17:17
ayoungit was two things17:17
ayoungfirst, I had 2 threads, and oslo-conf does not like threads,17:17
ayoungbut the real problem was that I was matching on17:18
ayoung<Location "/keystone/admin/">  instead of <Location "/keystone/admin">17:18
bknudsonayoung: devstack has a sample apache config - http://git.openstack.org/cgit/openstack-dev/devstack/tree/files/apache-keystone.template17:20
ayoungbknudson, I know17:20
ayoungbknudson, and now that you've made the mistake of drawing my attention, can you tell me what I hate about those?17:21
bknudsonI don't know what you think is wrong with it.17:21
bknudsonsince you haven't posted a review to fix it17:21
*** daemontool has joined #openstack-keystone17:21
*** bjornar has joined #openstack-keystone17:22
openstackgerritMerged openstack/keystone: Fixes a few LDAP tests to actually run  https://review.openstack.org/28993317:22
*** permalac_ has quit IRC17:22
bknudsonseems to work pretty well since the gate's passing17:22
ayoungbknudson, virtual host.  port 5000 3535717:22
ayoungbknudson, that is because the whole world is taking crazy pills17:23
bknudsonthose are pretty much required for tempest.17:23
openstackgerritColleen Murphy proposed openstack/keystone: Clarify virtualenv setup in developer docs  https://review.openstack.org/29002917:23
bknudsonunfortunately tempest doesn't support doing requests on /identity/ yet17:23
ayoungbknudson, hence: http://adam.younglogic.com/2016/02/keystone-on-port-80-for-tripleo/17:23
ayoungbknudson, so I a trying to run them side by side.17:23
*** browne has joined #openstack-keystone17:24
bknudsondo you run tempest on tr17:24
ayoungleave the 5000/35357 tehre, but add in another that is on the server default17:24
ayoungbknudson, I was just getting it set up for the first time17:24
bknudsondevstack apache config listens on both :5000 and :8017:24
ayoungbknudson, but in seaprate virtual hosts17:24
*** pece has quit IRC17:25
bknudsonI think I need the virtualhost to get apache to accept on :5000?17:25
ayoungspecifically, 80 and 443 are the server defaults. So I wanted to make sure what I did worked outside a virtual host.17:25
ayoungI have not yet tried to get 443 working, as that is usually a virtual host, too....17:25
*** d0ugal has quit IRC17:26
*** harlowja has joined #openstack-keystone17:29
ayoungbknudson, is there any reason to do both /identity/admin and /identity/main now, or can I just put a single /identity  in there?17:32
ayoungand have /identity/v3  etc17:32
*** rcernin has quit IRC17:34
bknudsonayoung: admin and main are different for v217:39
*** wxy has quit IRC17:39
ayoungbknudson, I keep forgetting we haven't killed v2 yet17:40
*** spandhe has joined #openstack-keystone17:40
bknudsonanother configuration that we could try is have keystone run as uwsgi and apache does reverse-proxy17:41
bknudsonrun keystone under uwsgi or gunicorn or something17:41
bknudsonapache could be reverse-proxy http or whatever protocols uwsgi/gunicorn support17:42
*** jistr has quit IRC17:43
openstackgerrithenry-nash proposed openstack/keystone: Move domain config backend tests  https://review.openstack.org/29003817:44
*** EinstCrazy has joined #openstack-keystone17:44
*** EinstCrazy has quit IRC17:49
*** knikolla has quit IRC17:53
*** rk4n has quit IRC17:58
*** tsymanczyk has joined #openstack-keystone17:58
*** mvk has quit IRC18:00
henrynashstevemar: tried to modify meeting agenda…can’t seem to save anymore!18:00
stevemarhenrynash: there's an anti-spam thing at the top of the wiki page now, with a lame question like "What's the first letter of this sentence"18:01
*** agrebennikov has joined #openstack-keystone18:02
henrynashstevemar: gahhh18:02
*** e0ne has joined #openstack-keystone18:03
agrebennikovstevemar, hi, I have a question/comment about https://review.openstack.org/#/c/289537/18:03
patchbotagrebennikov: patch 289537 - keystone (stable/liberty) - Backported POSIX groups support for MOS 818:03
stevemaragrebennikov: i'm on mobile, but the rest of the  keystone team should be able to help out, bknudson dstanek and others18:04
agrebennikovstevemar, ok, let me find out who was reviewing that one18:04
agrebennikovdstanek, let me know if you are able to discuss the original patch https://review.openstack.org/#/c/258528/18:05
patchbotagrebennikov: patch 258528 - keystone - Enable support for posixGroups in LDAP (MERGED)18:05
dstanekagrebennikov: sure, after the meeting i'll get back to yo18:06
dstaneku18:06
*** petertr7 is now known as petertr7_away18:06
agrebennikovdstanek, ok, thanks! (the idea is that you guys allowed to merge non-working one ;) )18:06
dstanekagrebennikov: you found a bug?18:07
agrebennikovyep18:07
agrebennikovdstanek, just ping me when you back please18:07
dstanekagrebennikov: ok, can you file a bug?18:09
*** Guest40848 has quit IRC18:09
agrebennikovdstanek, I can, but I'm just not sure if it makes sense to start over or we can work it out as commit change18:11
agrebennikovdstanek, (if it is possible in general)18:11
agrebennikovdstanek, I'll probably re-open initial one18:11
*** ankita_wagh has joined #openstack-keystone18:11
*** shaleh has joined #openstack-keystone18:12
*** sdake_ has joined #openstack-keystone18:15
*** e0ne has quit IRC18:17
*** e0ne has joined #openstack-keystone18:17
*** e0ne has quit IRC18:17
dstanekagrebennikov: sounds good. give as much details as you can18:18
agrebennikovdstanek, https://bugs.launchpad.net/keystone/+bug/1526462/comments/1218:18
openstackLaunchpad bug 1526462 in OpenStack Identity (keystone) "Need support for OpenDirectory in LDAP driver" [Medium,Fix released] - Assigned to Alexander Makarov (amakarov)18:18
*** markvoelker has joined #openstack-keystone18:18
agrebennikovdstanek, please take a look18:18
morgandstanek, agrebennikov: usually config options are not back portable18:18
morganfyi18:18
*** sdake has quit IRC18:19
agrebennikovmorgan, do you mean we cannot take it back to liberty?18:19
morganeven if default behavior isn't changed, it is semi-icky to backport a change with a config option18:19
morganagrebennikov: if the default behavior is changed at all, it isn't backportable. and even if default behavior is the same, new options would be an extreme case18:20
lbragstadjorge_munoz https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_v3.py#L30918:20
*** sdake_ is now known as sdake18:20
*** jasonsb has quit IRC18:20
agrebennikovmorgan, that's sad... seems it will be custom one for the current deployment...18:20
morganagrebennikov: http://docs.openstack.org/project-team-guide/stable-branches.html#review-guidelines18:21
morganagrebennikov: this is somewhere between a "new feature" and a "bug fix"18:22
morganagrebennikov: i would want more stable-core folks to sign off on it [not just keystone stable core]18:23
*** links has quit IRC18:23
*** mhickey_ has quit IRC18:25
*** jbell8 has joined #openstack-keystone18:25
agrebennikovmorgan, "There is no rule about how often or how many bugs found and fixed in master should be backported to stable branches" ;)18:25
*** petertr7_away is now known as petertr718:26
*** fawadkhaliq has joined #openstack-keystone18:28
morganagrebennikov: it is what is being added i am pointing out18:31
morganthis is somewhere between a bug and a feature18:31
morganand it adds config options18:31
agrebennikovmorgan, right18:31
morganagrebennikov: so i'd like some of the stable-core to weigh in18:32
openstackgerrithenry-nash proposed openstack/keystone: Move domain config backend tests  https://review.openstack.org/29003818:32
morganbefore we accept it as a backport (not just keystone stable folks)18:32
morgani'll support it if stable maintainers don't have an issue with it18:32
* morgan isn't against it.18:32
morgan:)18:32
morganfor the record18:32
agrebennikovmorgan, the problem is as usually - you guys mostly are focused on just development in master and stables are only for actually Fixing bugs. What happens in the field is something different18:32
morganagrebennikov: the nice thing is it is in master, right? for mitaka18:33
agrebennikovmorgan, we are doing some large deployments with kilo and liberty for now18:33
*** jbell8 has quit IRC18:33
agrebennikovmorgan, and we Just started with liberty18:33
morganso, i am on the stable keystone team. i am just asking for you to get eyes from the main stable core folks18:33
morganso that i feel good with the backport18:34
morganmtreinish: ^ cc (re stavle backport)18:34
dims@morgan : over on #openstack-stable?18:34
morgandims: yeah that would be good.18:34
mtreinishmorgan: which patch?18:34
morgandims: i can't keep track of all the things...18:34
morganhttps://review.openstack.org/#/c/289537/318:34
patchbotmorgan: patch 289537 - keystone (stable/liberty) - Backported POSIX groups support for MOS 818:34
morganthere is an original one with the changeid, but ignoring that - that is basically the code18:35
*** markvoelker has quit IRC18:35
morganthat would be backported [so if the changeid/other bits are fixed]18:35
morganhow does the stable team feel about it. i'll be ok with it if the -stable folks are18:35
mtreinishmorgan: that looks like a feature backport18:36
mtreinishwrapped in a bug number18:36
morganmtreinish: that was my gut response18:36
morganmtreinish: i THINK it's somewhere between featuere and bug, but leaning towards feature18:37
*** markvoelker has joined #openstack-keystone18:37
mtreinishright, and I'd support your -2 on that backport on those grounds18:37
mtreinish(assuming you want to play the bad guy instead of me :) )18:37
morganeh, i can play bad guy but wanted agrebennikov to get the feedback on why more directly :)18:38
mtreinishwell based on the lack of a commit msg, it's needed for the mirantis product :)18:38
morganagrebennikov: ^ so this is too close to a feature add for a stable backport - sorry. =/ . You'll need to carry this code for your deplyments unless you can swing dims and mtreinish's views18:39
morganagrebennikov: but upgrade to mitaka [when it happens] will mean you can drop your version of it.18:39
morganmtreinish: i assumed the commit msg/change-id would be fixed before it landed - but i was basing my view and looking for confirmation based on content18:40
agrebennikovmorgan, mtreinish well... this was actually my mistake originally - I didn't point an attention that I'm commiting to upstream.18:40
morganagrebennikov: anyway. sorry for the bad news.18:40
dimsagrebennikov : morgan : mtreinish : i agree with the call as that's the current policy18:41
morganagrebennikov: if there is something non-behavior impacting (and no new options) that can solve the problem, we can revisit18:41
morganmtreinish: can you -2 it? i can't get LP to log me in. =(18:42
mtreinishmorgan: sure18:42
morganmtreinish: my x1c broke this weekend...and the macbook is ... ugh18:42
morganmtreinish: and by broke... i mean.. i have to replace it =/18:43
*** sdake_ has joined #openstack-keystone18:43
agrebennikovall right, thanks anyway18:43
mtreinishmorgan: ugh, that sucks18:44
morganagrebennikov: np. like i said, if there is another way that isn't as feature-like we can definitely discuss it18:44
*** sdake has quit IRC18:45
mtreinishmorgan: do you get to replace it under warranty? Or do you have to get a new one out of pocket?18:45
*** phalmos has joined #openstack-keystone18:45
morganmtreinish: the screen was shattered because i knocked it off a desk18:46
morganand the hinges broke18:46
mtreinishyikes18:46
morganhit just right to break the screen off from the body of the laptop18:46
morganhad a horrible migrane and phone went off right when i fell asleep18:46
dimsmorgan : ouch18:46
morganin an effort ot silence the phone knocked the laptop pretty hard and it went flying18:46
morganand all the wifi antennae are in the screen, so even if i connect it to an external monitor... it's not super useful.18:47
mtreinishmorgan: you still have the weird ethernet port pigtail thing18:49
mtreinishI've never used that before :)18:50
*** sdake_ is now known as sdake18:50
*** trown has joined #openstack-keystone18:52
*** belmoreira has joined #openstack-keystone18:52
*** petertr7 is now known as petertr7_away18:53
morganmtreinish: i'd need to buy another one... and find an ethernet port18:53
morganmtreinish: i don't... have one.18:53
*** petertr7_away is now known as petertr718:54
*** knikolla has joined #openstack-keystone18:55
*** ankita_wagh has quit IRC18:55
*** anush has joined #openstack-keystone18:55
*** ankita_wagh has joined #openstack-keystone18:56
*** ninag has quit IRC18:57
*** rderose has quit IRC18:57
*** ninag has joined #openstack-keystone18:57
*** henrynash has quit IRC18:59
*** doug-fis_ has joined #openstack-keystone18:59
*** anush has quit IRC19:00
*** ninag_ has joined #openstack-keystone19:00
*** ninag_ has quit IRC19:00
gyeedstanek, lbragstad, have you ever try to change username in a production system?19:01
*** ninag_ has joined #openstack-keystone19:01
dstanekgyee: openstack or other?19:01
lbragstadnope19:01
gyeedstanek, any19:01
dstanekgyee: yes, of course, but not in openstack19:01
*** bapalm has quit IRC19:02
*** ninag has quit IRC19:02
shalehpretty easy on the old Unix systems. vipw, fix the name, wait for NIS to catch up19:02
shalehthe UID was the important bit. The text is for us people.19:02
*** doug-fish has quit IRC19:02
*** doug-fish has joined #openstack-keystone19:03
*** doug-fish has quit IRC19:03
*** doug-fish has joined #openstack-keystone19:03
shalehgyee: is it particularly hard in OpenStack? The UUID is the bit passed around everywhere.19:03
dstanekbe back in a few19:03
*** doug-fis_ has quit IRC19:04
gyeeshaleh, it depends what the cloud providers allow you to do19:04
shalehgyee: I never expect to be able to do it as myself. I always expect the need of admins.19:05
shalehgyee: when it just works for me, that is great.19:05
*** jbell8 has joined #openstack-keystone19:05
gyeeshaleh, try changing your username for corp AD and see if 1) they let you, and 2) how many apps break after that :-)19:06
shalehgyee: like I said, I expect admin help.19:06
shalehand yes, Windows is particularly stupid about this. I have worked with enough women over the years to see them struggle.19:06
shalehlbragstad: the needs love list is looking a little more sane. More of them are under current activity now.19:07
*** tellesnobrega is now known as tellesnobrega_af19:09
lbragstadshaleh awesome - thanks!19:09
shalehlbragstad: little steps to the goal right?19:10
openstackgerritJorge Munoz proposed openstack/keystone: Validate v2 fernet token returns extra attributes  https://review.openstack.org/28961819:10
lbragstadshaleh thats right19:10
*** anush has joined #openstack-keystone19:10
*** ninag_ has quit IRC19:11
*** ninag has joined #openstack-keystone19:12
openstackgerritLance Bragstad proposed openstack/keystone: Send notifications with entity name in payload  https://review.openstack.org/28864319:12
*** ninag has quit IRC19:12
*** ninag has joined #openstack-keystone19:13
*** ninag has quit IRC19:14
*** ninag has joined #openstack-keystone19:14
openstackgerritLance Bragstad proposed openstack/keystone: Refactor TestFernetTokenProvider unscoped token tests  https://review.openstack.org/28690619:17
*** markus_z has joined #openstack-keystone19:17
markus_zbknudson: hi, do you have a minute?19:17
bknudsonmarkus_z: sure19:17
lbragstadbknudson comments addressed - https://review.openstack.org/#/c/286906/3/keystone/tests/unit/test_v3_auth.py19:17
patchbotlbragstad: patch 286906 - keystone - Refactor TestFernetTokenProvider unscoped token tests19:17
markus_zbknudson: I'm going through old nova bugs and found this one: https://bugs.launchpad.net/nova/+bug/146475019:17
openstackLaunchpad bug 1464750 in OpenStack Compute (nova) "Service accounts can be used to login horizon" [Undecided,Incomplete] - Assigned to Adam Young (ayoung)19:17
markus_zbknudson: I'm unsure what to do with this one19:18
openstackgerritLance Bragstad proposed openstack/keystone: Refactor TestFernetTokenProvider domain-scoped tests  https://review.openstack.org/28690719:18
ayoungmarkus_z, dynamic policy.19:18
ayoungmarkus_z, why should not a service account be able to log in to Horizon?19:18
openstackgerritLance Bragstad proposed openstack/keystone: Refactor TestFernetTokenProvider project-scoped tests  https://review.openstack.org/28690819:18
openstackgerritLance Bragstad proposed openstack/keystone: Refactor TestFernetTokenProvider trust-scoped tests  https://review.openstack.org/28690919:19
*** bapalm has joined #openstack-keystone19:19
bknudsonmarkus_z: there should be some way to disallow a user logging in to horizon? That sounds like a horizon issue if they don't provide some way to do that19:19
bknudsonI don't think keystone is ever going to have anything that says that a user can log into horizon or not19:19
markus_zIIUC it's that a service user has admin rights. I can use the same credentials with a CLI client, right?19:19
bknudsonbut they could implement it using roles19:19
bknudsonnot all service users have admin rights19:20
shalehlbragstad: in your notifications patch, you have a few places with 'if foo.get('name')'. So 'name' is always set but it might be empty/None?19:20
markus_zThat it can log in to horizon is a minor thing I guess?19:20
markus_zayoung: I don't understand what you mean with "dynamic policy". Is this a keystone concept?19:20
bknudsonwhether it's minor or not depends on the deployer... some companies may just not user openstack because of this19:20
david-lylewhy would I block a service user from logging in?19:20
lbragstadshaleh actually - we might not be doing that approach anymore... do you have thoughts on this: https://bugs.launchpad.net/keystone/+bug/155279519:21
openstackLaunchpad bug 1552795 in OpenStack Identity (keystone) "enhance notification for user events with user name" [Wishlist,In progress] - Assigned to Lance Bragstad (lbragstad)19:21
ayoungmarkus_z, heh...too much context.  Short answer is we don't have a general solution to that problem yet19:21
shalehlbragstad: let me look19:21
markus_zayoung: I wasn't fully sure that it is a real problem, to be honest.19:21
ayoungmarkus_z, so,  Horizon has long wanted a way to be able to query a users capabilities from a token. And we don't really ahve that19:22
bknudsondavid-lyle: I think you would block service users from horizon because service users don't need to use horizon.19:22
ayoungmarkus_z, so, a service use is a case of a user with no-viable roles19:23
markus_zok, I can follow19:23
david-lylebknudson: but what's the downside?19:23
ayoungbut, it could also be chaning the view so that users that have no network roles don't see the network tab19:23
ayoungetc etc19:23
ayoungdavid-lyle, you cornered me at the Summit how many years ago about this?19:23
shalehlbragstad: yeah, while I am not a fan of the UX with UUID it is more flexible and probably the right thing to do.19:23
david-lyleayoung: we honor that now, based on policy and service catalog contents19:24
shalehlbragstad: could you maybe post this to -operators and get some feedback there?19:25
ayoungdavid-lyle, yeah, it is a lot bettter  than it was19:25
bknudsondavid-lyle: the downside of allowing service users to login to horizon? The only thing I can think of is if there's a security flaw in horizon that a user could exploit that they couldn't exploit using the api directly.19:26
shalehlbragstad: maybe we need to document why the log has what it has and point at snippets for how to improve their experience?19:26
markus_zayoung: bknudson: I'm asking from a Nova point of view and I have no clue what we should do about that.19:26
lbragstadshaleh ++ that'd be a good idea - after thinking about it and discussing it i'm not sure keystone is the right place for the fix19:26
david-lylebknudson: but horizon has to make the API calls ultimately anyway19:26
david-lylewe don't really do anything :D19:26
*** fawadkhaliq has quit IRC19:26
lbragstadshaleh dolphm had a really interesting solution that would maintain all the audit info without patching keystone at all19:26
bknudsondavid-lyle: this might be a security flaw in horizon where one logged-in user can access another user's tokens19:27
ayoungdavid-lyle, I really want to split Horizon.  I would like it if the user facing piece could run alone in a vm owned by the user, not in a a global instance, and only talk to the one Project.19:27
shalehlbragstad: some form of log/audit post processing?19:27
lbragstadshaleh well - if you have a consumer setup to consume events from keystone, you are always guaranteed a resource type and a resource ID in the payload of the notification19:28
markus_zShouldn't that bug report point to keystone then? Without a change there we in Nova cannot do anything, can we?19:28
lbragstadbut you don't always have to go to keystone to get more information about the resource that changed19:29
david-lylebknudson: we have bigger problems that service accounts in that case19:29
david-lylebut sure19:29
lbragstadand example would be if a consumer received a delete user event from identity and they wanted to query keystone about that user - that's obviously not going to work19:29
shalehlbragstad: agreed. Then one can make API calls to fill in the gaps when they are interested.19:29
david-lyleayoung: we could do that, versioning might become interesting19:30
bknudsonmarkus_z: I don't know what you could possibly do in nova to prevent users logging in to horizon19:30
ayoungdavid-lyle, I was thinking that we do RBAC on URLs19:30
lbragstadas a dba you could set up triggers to persist things from the keystone db to a shadow keystone database (that doesn't actually delete things)19:30
markus_zbknudson: can we do anything in how the nova account gets created?19:30
bknudsonmarkus_z: one thing you could do in nova is not require admin for service users19:30
gyeelbragstad, fwiw, added my $0.02 to https://bugs.launchpad.net/keystone/+bug/155279519:31
openstackLaunchpad bug 1552795 in OpenStack Identity (keystone) "enhance notification for user events with user name" [Wishlist,In progress] - Assigned to Lance Bragstad (lbragstad)19:31
ayoungdavid-lyle, https://review.openstack.org/#/c/279379/  is the current thinking19:31
patchbotayoung: patch 279379 - keystone-specs - Dynamic RBAC Policy19:31
lbragstadshaleh so you could essentially have all that data still around for audit purposes and query-able for the consuming application19:31
lbragstadbut you don't have to couple the consumer to the keystone API19:31
bknudsonmarkus_z: not require admin for service users by default, I mean.19:31
shalehlbragstad: but now the operators need to maintain two galera clusters.19:32
bknudsonmarkus_z: for example, nova requires the neutron user to have admin to send notifications19:32
bknudson(again, by default)19:32
bknudsonor, maybe it's hardcoded... I don't know how nova works19:32
lbragstadshaleh yeah - that would only be if they decided to not query keystone... but if you're concerned able keeping things around for audit purposes would that be a bad thing?19:33
shalehlbragstad: part of my surprise is "Delete" actually deletes. I am used to it marking the entry as "deleted" which hides it from most queries.19:33
lbragstadshaleh right - keystone doesn't currently do that19:33
markus_zbknudson: me neither :)19:33
shalehlbragstad: like I said, this is one of those moments where providing options to operators is a good way forward.19:34
*** phalmos has quit IRC19:34
lbragstadshaleh but do we only include usernames + domain ids?19:34
shalehlbragstad: I think adding yet another DB layer to monitor, maintain, etc. is quite a bit for many19:34
lbragstadwhat about idenitty providers?19:34
markus_zbknudson: OK, what I take with me from the discussion is that this is a valid and known issue. It could be mitigated in nova when we don't rely per default on admin rights from service users. Is this correct?19:35
bknudsonmarkus_z: that sounds right19:35
markus_zprogress, yeah :)19:35
markus_zbknudson: ayoung: ok, cool, thanks for your time and the explanation19:36
shalehlbragstad: agreed, there is the how much data to log question.19:36
markus_zayoung: I would remove your name as assignee in Nova, is that an issue? Just to avoid confusion if any one is working on that.19:37
shalehlbragstad: but really, 3 more machines. 3 more sets of disks. Yet anoter thing for the admins to get a call for at 2am.19:37
*** phalmos has joined #openstack-keystone19:37
*** lhcheng_ has joined #openstack-keystone19:37
gyeeshaleh, you never gotten a call at 2am?! :-)19:37
shalehgyee: damn right I have19:38
* shaleh has wore the sys admin hat19:38
ayoungmarkus_z, it was closed, I thought. I was working on it from the Keystone side.  Please take or do with it as you will19:38
gyeehahahah, you can have my on-call phone19:38
ayoungmarkus_z, rule of thumb, I have too much to do. Always take work away from me.19:38
markus_zayoung: "incomplete" is an open state and I'm working through the old open incomplete bugs.19:39
markus_zayoung: That's how I came here19:39
*** lhcheng has quit IRC19:41
lbragstadshaleh i'm trying to understand the pov of the operator - if an operator cares about audit-type things won't they want to have control of where the data is anyway?19:41
shalehlbragstad: my audit logging may go to another team's db or a db I have much less access to19:43
*** richm has quit IRC19:43
shalehlbragstad: asking them to maintain a copy of my DB just to keep their audit logs in sync seems a bit of an ask19:44
*** anush has quit IRC19:44
openstackgerritJorge Munoz proposed openstack/keystone: Validate v2 fernet token returns extra attributes  https://review.openstack.org/28961819:44
*** unsprinkled has joined #openstack-keystone19:44
shalehlbragstad: I can totally see some people accepting that19:44
*** tellesnobrega_af is now known as tellesnobrega19:44
lbragstadshaleh keep it in sync with what?19:44
shalehlbragstad: I am just not sure we should tell people that is the expected use scenario19:44
*** doug-fish has quit IRC19:45
dolphmhttp://arnab.org/blog/shadow-tables-using-mysql-triggers19:45
*** doug-fish has joined #openstack-keystone19:45
shalehlbragstad: if I understand, all of this is because I cannot query Keystone for a user's name based on ID because that user may have been deleted. So the audit group needs to keep a shadow copy of the Keystone DB so they can connect the dots.19:45
openstackgerritLance Bragstad proposed openstack/keystone: Remove TestFernetTokenProvider  https://review.openstack.org/28691019:46
shalehdolphm: I get that it works. I am asking is that the mechanism we want to suggest to people as the standard approach.19:46
*** richm has joined #openstack-keystone19:46
lbragstadshaleh yes - i believe so19:46
shalehlbragstad: personally, I would rather fix Keystone to not really delete users.19:46
lbragstadshaleh brb19:47
shalehlbragstad: either move them to a graveyard table or mark them as "invalid"19:47
dolphmshaleh: in my experience, it's a good separation of concerns between the application & it's data, versus historical auditing, etc (that stuff is not business logic and doesn't belong in the app)19:48
dolphmshaleh: i.e. keystone should not have to know about the "graveyard" table, etc19:48
dolphmjorge_munoz: https://bugs.launchpad.net/keystone/+bug/155322419:49
openstackLaunchpad bug 1553224 in OpenStack Identity (keystone) "keystone-manage bootstrap assumes user-project role assignment" [Wishlist,Triaged]19:49
shalehdolphm: from a purely software perspective sure. From a holistic design perspective I disagree.19:49
*** doug-fish has quit IRC19:50
*** daemontool has quit IRC19:51
bknudsonlet's not take a holistic design perspective if that means keystone becomes a kitchen sink19:51
*** agrebennikov has quit IRC19:52
dolphmshaleh: it's also a really widespread common problem that is not application-specific, i wouldn't expect an application-specific solution. if your employer cares that much, you're probably already familiar with the tools to make the job easy. let's not re-invent the wheel.19:52
*** unsprinkled has quit IRC19:52
shalehdolphm: I am not proposing a new wheel. Not deleting users is a very common design.19:53
shalehor not deleting entities I should say19:54
shalehexplicitly because it makes auditing, rollback, etc. work19:54
dolphmjorge_munoz: https://bugs.launchpad.net/keystone/+bug/155321619:54
openstackLaunchpad bug 1553216 in OpenStack Identity (keystone) "keystone-manage bootstrap does not work for non-SQL identity drivers" [Medium,Triaged]19:54
*** sdake_ has joined #openstack-keystone19:55
knikollaDoes OpenStackClient support issuing commands to a federated service provider?19:55
knikollasomething like: openstack image list --service-provider sp_id19:56
shalehknikolla: not yet19:56
*** sdake has quit IRC19:57
*** sheel has quit IRC19:57
knikollashaleh, I'd be interested in coding the functionality. Would I need to write a blueprint for that?19:57
shalehknikolla: yeah, and it needs to blend down to each OpenStack python interface19:58
shalehknikolla: one sec, let me get you a URL19:58
shalehknikolla: https://github.com/CCI-MOC/python-novaclient this adds that kind of functionality specifically for nova to mount a cinder volume over federation.19:59
shalehknikolla: look around their github for an idea of the work involved.19:59
knikollashaleh, I'm actually on the team who coded that :)20:00
shalehknikolla: nice :-)20:00
*** ninag has quit IRC20:00
shalehknikolla: then why are you asking when your team had to add bits? :-)20:00
*** ninag has joined #openstack-keystone20:01
knikollashaleh, but all it actually does is pass a 'serviceProvider' attribute to the Nova API20:01
knikollaand then Nova API does the federation and SAML exchange20:01
shalehknikolla: right, that was my point. You need to add that ability to all of the CLI calls.20:01
shalehknikolla: --service-provider needs to work and be understood. Even if the end goal is not MOC style cross federation work.20:02
*** ninag_ has joined #openstack-keystone20:02
*** markus_z has left #openstack-keystone20:02
shalehknikolla: not impossible. not really a ton of work. but it needs to be written, tested, etc.20:03
shalehknikolla: plenty of people will be happy when it exists too :-)20:03
*** petertr7 is now known as petertr7_away20:03
*** Ephur has quit IRC20:03
shalehif I get time in my schedule to hack on k2k it is something I have been meaning to hack on.20:04
knikollashaleh: I understand that. What I was asking is something different.20:04
knikollashaleh: To add an argument to the openstack client so that the command itself is directed to the federated openstack.20:05
*** ninag__ has joined #openstack-keystone20:05
*** tellesnobrega is now known as tellesnobrega_af20:05
knikollaso: `nova list` and `nova --service-provider sp_id list` would be too different things20:05
*** petertr7_away is now known as petertr720:05
shalehknikolla: right, you need to make it be a supported top level argument for OSC. Then you need to plumb the code so when it exists it talks to the right place.20:05
*** ninag has quit IRC20:05
knikollashaleh, which i did for the novaclient only as a POC. Let me find a link.20:06
knikollashaleh: https://github.com/knikolla/python-novaclient/commit/ee88ea73b6e0311939303c4ee008a0d5eac585a320:06
shalehknikolla: if you have done this, what is the question?20:06
*** ninag_ has quit IRC20:07
knikollashaleh: I saw a --os-service-provider-endpoint command in osc and felt cautious to ask first if it does the same thing.20:07
*** gyee has quit IRC20:10
shalehknikolla: where did you see that? I do not see it on OSC master branch.20:10
dimsshaleh : knikolla : i think it gets pulled in from here - http://codesearch.openstack.org/?q=service_provider_endpoint&i=nope&files=&repos=20:11
*** sdake_ is now known as sdake20:11
shalehdims: right, that enables auth at the plugin level.20:12
dimsknikolla : is your code change make the call like the one in adfs.py?20:14
edmondswayoung glad you figured it out20:14
*** rbrady has joined #openstack-keystone20:15
knikolladims: I used the Keystone2Keystone class from keystoneauth, so I assumes that's what it does behind the scenes.20:16
rbradyI'm trying to do token auth.  Does this look correct? http://paste.openstack.org/show/489731/20:16
shalehrbrady: what do you mean by "token auth" here? You mean you have already a valid, authenticated token via something like `openstack token issue`?20:18
*** ksavich has quit IRC20:18
*** tellesnobrega_af is now known as tellesnobrega20:19
rbradyshaleh: yes, the client app authenticates through the API and receives a token.  That token is passed into the Mistral Workflow via a param20:20
*** sdake has quit IRC20:25
*** jbell8 has quit IRC20:29
dstanekhtruta: raildo-afk: did either of you guys make changes to https://review.openstack.org/#/c/134095 that haven't been pushed? i just fixed the merge conflict, but i don't want to mess you up20:31
htrutadstanek: I haven't. the <<null>> region_id stuff is on my todo list20:32
dstanekhtruta: ok, i'll push what i have and take a look at that20:32
htrutadstanek: don't count on raildo this week. He's on honeymoon20:32
dstanekhtruta: unacceptable!20:32
htrutadstanek: lol20:33
*** browne has quit IRC20:34
openstackgerritDavid Stanek proposed openstack/keystone: Constraint to prevent duplicate endpoints  https://review.openstack.org/13409520:36
dstanekhtruta: ^20:37
*** belmoreira has quit IRC20:37
dstaneki'll look at the region_id now20:37
*** rbrady is now known as rbrady-run20:37
*** mhickey_ has joined #openstack-keystone20:37
htrutadstanek: awesome. If you want, submit a WIP patch that I can work on it too20:38
*** phalmos has quit IRC20:41
*** shaleh has quit IRC20:41
*** sdake has joined #openstack-keystone20:52
*** tjcocozz_ has quit IRC20:58
*** bapalm has quit IRC20:58
*** sdake_ has joined #openstack-keystone21:05
*** browne has joined #openstack-keystone21:05
*** sdake has quit IRC21:07
*** tellesnobrega is now known as tellesnobrega_af21:11
*** bapalm has joined #openstack-keystone21:14
*** tjcocozz has joined #openstack-keystone21:15
*** boris-42 has joined #openstack-keystone21:18
openstackgerritwerner mendizabal proposed openstack/keystone: v2 tokens validated on the v3 API are missing timezones  https://review.openstack.org/29013921:21
*** mhickey_ has quit IRC21:24
*** ediardo has joined #openstack-keystone21:24
*** phalmos has joined #openstack-keystone21:29
*** browne has quit IRC21:37
*** ninag__ has quit IRC21:41
*** ninag has joined #openstack-keystone21:42
*** ediardo has quit IRC21:42
*** ankita_wagh has quit IRC21:42
*** ankita_wagh has joined #openstack-keystone21:42
*** tqtran has joined #openstack-keystone21:42
*** ankita_wagh has quit IRC21:43
*** ankita_wagh has joined #openstack-keystone21:43
*** ninag has quit IRC21:46
lbragstadhere's a bug that could use a review - https://review.openstack.org/#/c/287857/21:49
patchbotlbragstad: patch 287857 - keystone - Add notifications to user/group membership21:49
*** ediardo has joined #openstack-keystone21:53
*** henrynash has joined #openstack-keystone21:54
*** ChanServ sets mode: +v henrynash21:54
*** nkinder has joined #openstack-keystone21:58
*** browne has joined #openstack-keystone21:59
*** pauloewerton has quit IRC22:02
*** sdake_ is now known as sdake22:03
*** phalmos has quit IRC22:05
*** knikolla has quit IRC22:05
*** csoukup has joined #openstack-keystone22:06
openstackgerritDavid Stanek proposed openstack/keystone: Remove foreign assignments when deleting a domain  https://review.openstack.org/12743322:07
*** rbrady-run is now known as rbrady22:09
*** sdake_ has joined #openstack-keystone22:11
*** ediardo has quit IRC22:12
*** petertr7 is now known as petertr7_away22:12
*** sdake has quit IRC22:13
*** knikolla has joined #openstack-keystone22:20
openstackgerritJorge Munoz proposed openstack/keystone: Validate v2 fernet token returns extra attributes  https://review.openstack.org/28961822:21
openstackgerritJorge Munoz proposed openstack/keystone: Validate v2 fernet token returns extra attributes  https://review.openstack.org/28961822:23
*** jaugustine has quit IRC22:23
*** trown is now known as trown|outtypewww22:24
openstackgerrithenry-nash proposed openstack/keystone: Move domain config backend tests  https://review.openstack.org/29003822:28
*** jamielennox|away is now known as jamielennox22:29
*** knikolla has quit IRC22:30
*** nkinder has quit IRC22:31
openstackgerrithenry-nash proposed openstack/keystone: Move role backend tests  https://review.openstack.org/29016722:34
*** tsymanczyk has quit IRC22:34
*** rbrady has quit IRC22:36
*** ediardo has joined #openstack-keystone22:37
*** tsymanczyk has joined #openstack-keystone22:40
*** sigmavirus24 is now known as sigmavirus24_awa22:40
*** tsymanczyk is now known as Guest3955922:40
*** Guest39559 has quit IRC22:45
*** tellesnobrega_af is now known as tellesnobrega22:50
openstackgerrithenry-nash proposed openstack/keystone: Move domain config backend tests  https://review.openstack.org/29003822:52
*** tsymancz1k has joined #openstack-keystone22:54
*** jorge_munoz has quit IRC22:54
*** sdake_ has quit IRC22:56
openstackgerrithenry-nash proposed openstack/keystone: Move role backend tests  https://review.openstack.org/29016722:58
openstackgerrithenry-nash proposed openstack/keystone: Move role backend tests  https://review.openstack.org/29016722:59
*** slberger has left #openstack-keystone23:00
openstackgerrithenry-nash proposed openstack/keystone: Move domain config backend tests  https://review.openstack.org/29003823:01
*** ediardo has quit IRC23:05
mfischayoung: thanks for being clear about what I was trying to say "You'd be insane to do this in production"23:05
morganmfisch: hah, after i read "why" i was typing the same thing ayoung said23:09
morganmfisch: but hey, i mean, i didn't know "why" thye wanted it... maybe they had a usecase and it was just something we needed to explain the best approach for23:09
*** sdake has joined #openstack-keystone23:11
*** markvoelker has quit IRC23:14
*** tsymancz1k has quit IRC23:21
openstackgerritwerner mendizabal proposed openstack/keystone: v2 tokens validated on the v3 API are missing timezones  https://review.openstack.org/29013923:29
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/29018023:31
*** andreykurilin__ has quit IRC23:33
*** gordc has quit IRC23:34
*** ninag has joined #openstack-keystone23:34
*** ankita_wagh has quit IRC23:34
*** ankita_wagh has joined #openstack-keystone23:35
*** ninag has quit IRC23:35
*** arunkant has quit IRC23:36
*** markvoelker_ has joined #openstack-keystone23:38
openstackgerritMerged openstack/keystone: Minor edits to the installation doc  https://review.openstack.org/28512323:39
*** csoukup has quit IRC23:47
*** markvoelker_ has quit IRC23:48
« Monday, 2016-03-07 Index Wednesday, 2016-03-09 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!