Thursday, 2016-11-03

*** gyee has quit IRC00:05
*** guoshan has joined #openstack-keystone00:14
*** adrian_otto has quit IRC00:26
ayoungandrewbogott, no00:29
ayoungandrewbogott, a role assigned on a domain is different from a role assigned on a project, and yes, we made that way too confusing00:29
ayoungstevemar, I talked with 3 CS students today about a project to enable Kerberos for RabbitMQ00:30
andrewbogottayoung: what is then?00:30
ayoungandrewbogott, so I think you can make it work with some majik00:30
ayoungandrewbogott, follow me for a moment here, cuz it is weird00:31
andrewbogottok :)00:31
ayoungwe should never have introduced domains as a separate concept00:31
ayounginstead, we should have made projects hierarchical00:31
ayoungbut we did, and the world suffers for it00:31
ayoungso...we tried to do some semantic sandpapering and say "a domain IS A project"00:32
ayoungand, it sort of is, and it sort of isn't00:32
ayoungbut what you need to do is assign the user a role on a project at the top of a tree, and THAT gets inherited down00:32
ayoungassigning it on a domain is a different kind of role assignment, and that means something different00:32
ayoungso I *think* you can do a project role assignment on the project-that-is-the-domain00:33
ayoungand, let me test to see if that works00:33
andrewbogottSo the thing in the docs that says 'Assign role to user on projects owned by domain'...00:33
ayoungthis one /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects00:34
ayounglet me see...00:34
ayoungandrewbogott, ok here is my set up
ayoungso now let me create a user...00:39
ayoung$ openstack  role add --user-domain default --user u1 --project-domain test --project test mediator --inherited00:42
ayoungNo project with a name or ID of 'test' exists.00:42
ayoungok...let's try that by ID00:42
andrewbogottI'm confused that you're specifying --project-domain and --project00:42
ayoung openstack  role add --user-domain default --user u1 --project 1ef534c4cb9349188870cac6ccd6bbef  mediator --inherited00:43
ayoungok it seemed to like that00:43
ayoungandrewbogott, so I am trying to assign the role to the user on the project named test...but here is where it is weird00:43
ayoungI never created a project named test00:43
ayoungI created a domain named test00:43
andrewbogottok, so that last one made sense… that's the same as setting it on any project, you just passed in a domain id instead of a project id00:43
andrewbogottwith --inherited00:43
ayoungand it turns out, that is also a project in the default domain...00:44
ayoungso, yes, that is what I did00:44
ayoungand let's see what we have00:44
andrewbogottok.  So the question is, can I set that on the 'default' domain and just have it everywhere...00:44
* andrewbogott tries00:44
andrewbogottI think I'm doing what you're doing...00:46
andrewbogott(although there are software version differences which could confound)00:46
ayoungthis is weird00:47
ayoungI know what it looks like in the database...00:48
ayoungOK so here is what has succeeded:00:48
ayounglet me take a look in the database...00:50
*** markvoelker has quit IRC00:52
andrewbogottdid your paste cut off, or is the role not set on t31?00:52
andrewbogott(I guess I can't tell w/not it worked on t3 either since I don't know your role or user ids)00:53
ayoungandrewbogott, hmmm let me see00:53
ayoungandrewbogott, here is what my database shows00:53
ayoungandrewbogott, openstack  role assignment list  --project-domain test --project t31 --inherited00:55
ayoung  returned no results00:55
ayoungso that is kind of hostile00:55
*** LiYuenan has joined #openstack-keystone00:55
andrewbogottwell, wait, when you did 'select * from assignment where actor_id = '865066d4f2ba46e7ac4c4352146ffe93';'00:55
ayounglet me see if we have a better api, for listing effective role assignments as callable from the CLI00:55
andrewbogottI would expect the target_id to be the id for domain 'test'00:56
andrewbogott /or/ a list of a bunch of projects00:56
andrewbogottbut instead it's just the ID of one arbitrary project?00:56
andrewbogottSo I don't see how that's doing anything other than just misfiring and applying the role to the first project in the list00:56
andrewbogottWhich is 'inheritance' in a sense, I suppose :(00:57
ayoungselect * from project where id = '2487d826053a47ceaa57278a9245045b';00:57
ayoung| id                               | name | extra | description | enabled | domain_id                        | parent_id                        | is_domain |00:57
ayoung| 2487d826053a47ceaa57278a9245045b | t3   | {}    |             |       1 | 1ef534c4cb9349188870cac6ccd6bbef | 1ef534c4cb9349188870cac6ccd6bbef |         0 |00:57
*** guoshan has quit IRC00:58
andrewbogottright, the first project in the domain, right?00:58
ayoungnope that was the project t3  from...00:59
ayoungrole add --user-domain default --user u2 --project 2487d826053a47ceaa57278a9245045b  mediator --inherited00:59
ayoungso that is explicitly on t3, but we did something wicked00:59
ayoungthat role will only show up on projects *under* t301:00
ayoungto get a role on t3 itself I need to do this:01:00
ayoungopenstack role add --user-domain default --user u2 --project 2487d826053a47ceaa57278a9245045b  mediator01:00
ayoungnow I have01:01
ayoungselect * from assignment where actor_id = '865066d4f2ba46e7ac4c4352146ffe93';01:01
ayoung| type        | actor_id                         | target_id                        | role_id                          | inherited |01:01
ayoung| UserProject | 865066d4f2ba46e7ac4c4352146ffe93 | 2487d826053a47ceaa57278a9245045b | a5507dce2ca742628ea9fecc93188f94 |         0 |01:01
ayoung| UserProject | 865066d4f2ba46e7ac4c4352146ffe93 | 2487d826053a47ceaa57278a9245045b | a5507dce2ca742628ea9fecc93188f94 |         1 |01:01
ayoungandrewbogott, so inherited is *only* applied to children01:01
ayoungand not inherited is only applied to the parent01:01
andrewbogottok, that makes sense01:01
ayoungpersonally, I would have liked to have a *both* value01:01
ayoungand make that the default, but would not be backwards compat now01:02
ayoungah well...01:02
andrewbogottbut what I'm missing is the part where you did this:01:02
andrewbogottopenstack  role add --user-domain default --user u1 --project 1ef534c4cb9349188870cac6ccd6bbef  mediator --inherited01:02
andrewbogottDid that have any effect at all?  Can we see that role applied to things in that domain?  (1ef534c4cb9349188870cac6ccd6bbef is the 'test' domain, right?)01:03
ayoungandrewbogott, so I have project t3 and a child of that is t3101:04
ayoungthat assignment means that user u1 gets a role on t3101:04
ayoungIf I make another child project of t3 it will get that role. Or if I make a child project of t3101:04
ayoungtry this out, and have the users request tokens, and look at the roles assigned on the tokens01:05
ayoungandrewbogott, OK>01:05
andrewbogottSorry, was that an answer to my question about setting an inherited role on the 'test' domain?01:05
andrewbogottI think I understand about setting things on new projects-inside-projects01:06
*** hoangcx has joined #openstack-keystone01:06
andrewbogottbut am still confused about how that relates to the 'use a domain id but tell the UI it's a project' bit01:07
andrewbogottFor what it's worth, my ultimate goal:  Set a role on all my projects, current and future.  All my projects are conveniently in the 'default' domain, hence my interest in domains :)01:11
ayoungandrewbogott, I think it would only work for a domain other than default01:14
ayoungjust cuz that one is wonky01:14
andrewbogottoooh, because 'default' is special01:14
ayoungbut you might be able to do this01:14
ayoungcreate a new domain and update the config file to say that is now the default domain01:14
ayoungactually, that will break everything01:15
ayoungdefault domain is a V2 ism anyway01:15
ayoungso  yeah, put them somewhere else01:15
andrewbogottis it possible/safe to move existing projects to a new domain?  Or move them under another project?01:16
ayoungyou can't move nothin01:18
ayoungwell, you could if you hacked the DB01:18
ayoungbut that is not something I would advocate01:18
andrewbogottso sounds like inheritance is another dead end01:19
andrewbogottI guess I'll just write a cron that enumerates the projects and adds roles to them :)01:19
ayoungandrewbogott, nah, just don't do things in 'default'01:19
andrewbogottBut I already have 100+ projects in the default domain01:19
ayoungyou OK with hacking the database?01:20
andrewbogottis it really just the one field?01:20
ayoungmaybe...hold on01:20
ayoungtry this01:20
ayoung| bc2b077e3b814f2988b706c383d90b50 | service                                                          | {}    | Tenant for the openstack services |       1 | default                          | default01:21
ayoungselect * from project;01:21
ayoungin my case, I have a project as you see above01:21
ayoungit is the default domain, but you see its project id is bc2b077e3b814f2988b706c383d90b5001:22
ayoungtry assigning roles on that project with --inherited and I think you will get what you want01:22
andrewbogottin my case the default domain has an id of 'default'01:23
andrewbogottwhich I can't set roles on, as per my earlier paste01:23
andrewbogotthm, the project table doesn't seem to have an entry called 'default' at all01:23
* andrewbogott looks again01:23
ayoungI'm running the latest code.  What version are you running?01:24
andrewbogotthm, nope, not there.  Which probably explains why I can't set roles on it :)01:24
andrewbogottMy install is very old though, upgraded from D01:24
ayoungAh.  Yeah, think this was done in Mitaka.   Devs that did it are not here01:24
ayoungTime to upgrade again01:25
andrewbogottah, you mean the 'domains are actually projects' change is an M thing?01:25
jamielennoxraj_singh: sent you an email linking to
jamielennoxstevemar et al: ^ example of how the service token wrapper plugin would be used01:29
jamielennoxwe will need to make it more intuitive, but building an auth plugin from an oslo_context has been on the cards for a while now, just need to get dependent stuff merged01:29
*** jerrygb_ has joined #openstack-keystone01:30
*** jerrygb has quit IRC01:31
*** iurygregory_ has quit IRC01:32
ayoungjamielennox, so..question for you, on our last convo...why do you want the policy enforcement on a domain socket as opposed to a library called by the current process?01:37
openstackgerritayoung proposed openstack/keystone: Support AD Nested groups
*** kiran-r has joined #openstack-keystone02:22
*** jerrygb has quit IRC02:22
*** kiran-r has quit IRC02:23
*** GB21 has joined #openstack-keystone02:34
knikollaayoung: dumb python question. in your ad nested patch, the format string is '(%s:%s:=%s)%s' however there's 3 arguments.02:47
knikollaam i missing something?02:48
*** GB21 has quit IRC02:54
*** dave-mccowan has quit IRC02:57
*** jerrygb has joined #openstack-keystone02:59
*** adrian_otto has quit IRC03:03
*** nicolasbock has quit IRC03:08
ayoungknikolla, that does look suspect03:12
ayoungknikolla, it should have a test anyway.  I wonder if I broke that after I tested it03:13
ayoungknikolla, I think the second one should have "member" replaced with the member attribute too, but not 100% certain03:14
knikollaayoung: it's the same in patchset 5, and the tests for 5 passed.03:14
ayoungnot sure if that code gets tested, though, due to the filtered part of it03:15
knikollaayoung: true, that doesn't seem to get tested.03:17
ayoung-1 it and I'll fix tomorrow.  I suspect I just never tested that code path.  it should throw an error.  Against the live server, I used the CLI, and I probably didn't use the filter.03:18
knikollaayoung: -1ed.03:20
*** adrian_otto has joined #openstack-keystone03:26
adriantHey, silly question... Groups need a domain_id to be created. A domain is a project. Can groups be greated and scoped to a project (and its children), or does the project need to actually be a domain?03:27
adriantIf it does actually need to be a domain, why?03:27
*** adrian_otto has quit IRC03:27
adriants/greated/created/  odd typo03:31
*** adrian_otto has joined #openstack-keystone03:35
*** richm has quit IRC03:41
adriantha! if I change:
adriantto get_project(..) it works03:50
adriantNow let's see just how badly I've broken my devstack.03:50
*** markvoelker has joined #openstack-keystone03:54
*** browne has quit IRC03:55
*** guoshan has quit IRC03:56
adrianthmmm interesting. You can only add users which are in the 'domain' for that group. Which if the domain_id for the group is actually a project complicates matters.03:57
*** prometheanfire has left #openstack-keystone03:57
adriantno wait, that's just horizon not listing users. CLI lets me add a user just fine.03:58
*** markvoelker has quit IRC03:59
*** jerrygb has quit IRC03:59
*** jerrygb has joined #openstack-keystone04:01
*** links has joined #openstack-keystone04:01
adriantah ha! But I can't add roles to said group because there are no projects on the same 'domain' as it. :(04:03
jamielennoxayoung: i was purely thinking that we would want something more dynamic than could be handled on a library04:04
jamielennoxayoung: a library is basically what oslo.policy provides04:04
jamielennoxthere was also a case where companies wanting to integrate with external policy would want more info that they could plug in there04:05
*** adrian_otto has quit IRC04:15
*** adrian_otto has joined #openstack-keystone04:24
*** jerrygb_ has joined #openstack-keystone04:28
*** jerrygb has quit IRC04:29
adriantOk... so it's a little broken, but I have a group with domain_id that is just a project. I can add roles to it, and users. And I can then login as those users.04:33
openstackgerritNITIN GUPTA proposed openstack/keystone: Add test cases for passing "None" as a hint
*** jerrygb has joined #openstack-keystone09:58
*** jerrygb has quit IRC10:03
*** hoangcx has quit IRC10:20
*** mvk has joined #openstack-keystone10:26
samueldmqmorning keystone10:27
dstaneksamueldmq: morning11:01
*** markvoelker has quit IRC11:02
*** GB21 has quit IRC11:03
*** dave-mccowan has joined #openstack-keystone11:05
openstackgerritNITIN GUPTA proposed openstack/keystone: Add test cases for passing "None" as a hint
*** GB21 has joined #openstack-keystone11:15
*** gb21_ has joined #openstack-keystone11:16
samueldmqdstanek: o/11:18
raj_singhjamielennox: Thanks Jamie. I will ping you if need more info.12:14
*** markvoelker has joined #openstack-keystone12:22
*** thiagolib has joined #openstack-keystone12:29
*** jerrygb has quit IRC12:30
*** lamt has joined #openstack-keystone12:32
*** daemontool has joined #openstack-keystone12:37
dstanekbreton: good morning12:43
*** haplo37_ has quit IRC12:47
*** haplo37_ has joined #openstack-keystone12:47
bretondstanek: morning!12:47
breton15:47 :312:47
dstanekquit showing off :-)12:48
*** david-lyle has quit IRC12:55
openstackgerritayoung proposed openstack/keystone-specs: Token Verify Role Check
*** jerrygb has joined #openstack-keystone13:10
bretonkeystone_manage token_flush doesn't purge token cache13:15
*** jperry has joined #openstack-keystone13:16
bretonnot a big deal though.13:21
openstackgerritayoung proposed openstack/keystone: Support AD Nested groups
ayoungbreton, so...I know I -2ed your proposal.  I don't want to leave you stuck.14:19
ayoungbreton, how badly do you need that, and why?14:20
*** chris_hultin|AWA is now known as chris_hultin14:21
*** edtubill has quit IRC14:22
*** edtubill has joined #openstack-keystone14:23
bretonayoung: project properties? That's not my proposal. I just know that we had to do that for at least one customer.14:25
ayoungbreton, ah...thought it was you.14:26
bretonayoung: my proposal is about quota limits, which is kinda similar in terms of new attributes. But let's talk about it later, after i formalize it and do some other things.14:27
ayoungbreton, OK, but, other than deactivation of a project, why is Quota limits going into Keystone as opposed to having it as a separate microservice?14:28
*** dave-mccowan has joined #openstack-keystone14:29
gagehugoayoung: project properties was "mine", but we do want it pretty badly so we don't need to keep using janky ways to keep things in extras.  Using something external would not be ideal to just keep track of these labels for projects.14:34
gagehugoI don't mean to butt in on the quota limits discussion however14:34
ayounggagehugo, please butt in14:35
dstanekgagehugo: what's the usecase?14:35
ayoungdstanek, they provide 2 in the spec14:35
ayoungpost server orchestration processing,14:36
ayoungboth of which I find suspect14:36
dstanekayoung: i don't understand the first usecase. what would need to be stored?14:37
ayounggagehugo, I think quota limits falls exactly into the same category as bookkeeping14:37
dstanekthe second usecase is really just the ability to add tags - i like this a lot for my own environments14:38
ayoungdstanek, so, let's say you have a generic key-value store under each project.  One of the keys could be "host group" and you could add all of the servers in that project to the corresponding host group in Active Directory/FreeIPA14:38
ayoungdstanek, so here is what I am worried about14:38
ayoungsay someone decides to use a tag like, production14:39
ayoungwho gets to set that on a project?14:39
ayoungthe admin of the project?  Cloud admin?14:39
ayoungit's an ownership and clash thing, and could have security ramifications14:39
ayoungWe don't do a good job of saying "in order to operate on subordinate projects, you need to have this role on the parent project"14:40
ayoungbut even there it is possible to abuse14:40
gagehugothe second use case is more of what we need than the first14:40
ayoungwe are making a global namespace, and see how hard that is to manage in python?14:40
dstanekayoung: yes i agree that security is a huge concern here14:40
bretonayoung: i don't have very strong opinion about keystone vs separate service. However, we own everything the limits are related to: projects, domains, users, services, regions.14:40
dstanekthe example is billing codes - who gets to set that?14:41
ayoungbreton, heh...except for the things that the limits are actually placed on: storage, networks, objects in swift etc14:41
dstanekbreton: is there a spec for that too?14:41
ayoungtreat the project as an external resource to the tools that manage specific resources, not the other way around14:42
*** nk2527 has joined #openstack-keystone14:43
*** edtubill has quit IRC14:43
bretondstanek: not really,
*** woodster_ has joined #openstack-keystone14:43
*** edtubill has joined #openstack-keystone14:44
ayoungbreton, so what services actually consume quotas?  Cinder, Swift  and neutron?  Any others?14:45
ayoungNova has a is a list14:45
bretonayoung: ayoung nova, cinder, neutron. I know there was something else from the big tent.14:46
ayoungSo we have Block Storage and Compute resources.14:46
ayoungIt's like policy all over again...Keystone is going to have to know about everything else in Openstack to do that14:47
ayounga type system14:47
gagehugodstanek: the billing stuff is why we want the ability to tag projects14:47
*** dikonoor has quit IRC14:48
bretonayoung: i'd say it's more like service catalog, but without formats. Also, there are only 2 types.14:48
gagehugothese use cases we wrote could probably be clarified better tbh14:48
ayoungbreton, Gigabytes, Instances, Injected Files, Keypairs, Metadata Items, RAM, Security Groups, Security Groups Rules, Snapshots, VCPUs, Volumes...14:49
ayoungand that is just from 2 services14:49
bretonayoung: none of that is tracked in those services14:50
ayoungadd in the neutron concepts you have about a dozen more14:50
bretonayoung: it's just (string) key: (int) value14:50
ayoungbreton, the fact that it is written down means that someone wants to track it.  It is a type system.14:50
ayoungAnd it is the same idea as the policy enforcement per resource14:50
ayoungquota is kind of like a role assignment14:51
bretonlet's talk about limits and usages. "Quota" is too generic.14:52
ayoungURLs are, literally, Universal Resource Locators.14:52
ayoungand we want to enforce policy on URLS...but really on resources14:52
ayoungbreton, did you see what I wrote up for RBAC?14:52
*** tobbery__ has quit IRC14:52
dstanekgagehugo: i don't really understand what you need to do with the first usecase14:53
bretonayoung: if role check, then yes14:53
ayoungbreton, and inherited roles are kind of like inherited resource limits...14:54
bretonayoung: you are talking about limits enforcement14:54
*** xarses has joined #openstack-keystone14:54
bretonayoung: *usages14:55
bretonayoung: you are talking about usages14:55
*** edtubill has quit IRC14:55
*** andreww has joined #openstack-keystone14:55
ayoungbreton, I'm unclear on your distinction between the terms.  Usages must be equal to or lower than limits, no?14:56
bretonayoung: i suggest to leave the enforcement and usage on the services. Nova fetched the key-value from keystone, checks the usages and allows/forbids the creation14:56
gagehugodstanek: the first use case is just built off the second about doing something with the tags14:57
gagehugoIt's not written in the best way, I can clean it up14:57
gagehugothe main thing is use case #214:57
ayoungbreton, so, no.14:57
gagehugowhich is being able to associate string values to projects14:57
gagehugowhich we do in extras currently, which sucks14:57
ayoungbreton, Nova already knows about the resource types14:57
bretonayoung: and marks that N resources are already used, in its own database14:57
ayoungnova should store those limits14:57
*** d0ugal has quit IRC14:57
gagehugoayoung I think nova does14:57
knikollaanybody have the eventbrite ptg link handy?14:57
*** ravelar has joined #openstack-keystone14:58
ayounggagehugo, yes, it does, because we've had this discussion multiple times, and that is where Nova always ends up coming back to wanting them14:58
ayoungknikolla, I think so, one sec14:58
*** edtubill has joined #openstack-keystone14:59
*** xarses has quit IRC14:59
bretonayoung: that's how it is done now. And it leads to 3 places to store these key-values. And they all support different things. For example, Cinder supports hierarchical projects, nova per-user quotas and neutron supports none of that. And that support happens not because of resource types, but just because.14:59
knikollaayoung: thanks! buying now.14:59
ayoungI think it is only the inheritance part of the project setup that causes people to head back to ask for it out of Keystone14:59
*** tobberyd_ has joined #openstack-keystone15:00
ayoungbreton, If we tell Nova that they can no longer store per user  quotas they will ignore us and do it anyway15:00
bretonayoung: we will support per-user quotas.15:01
bretonayoung: (even if they are not exposed via horizon)15:01
ayoungbreton, I think that is a mistake15:01
ayoungactually, it is a huge mistake.15:02
robcresswellJust lurking, but quotas is likely to get some love this cycle in Horizon if anyone wanted to explain their expectations etc.15:03
ayoungbreton, think what that means.  On a given resource consumption, the service needs to identify if the quota comes from the user or the organization.15:03
bretonayoung: another problem with services storing their own limits is that it requires people (or clients) to know which keys correspond to which services. To set "disk_usage" limit i must know that it relates to cinder, and that "number_of_ip" is from neutron.15:03
ayoungIt should only ever come from the organization15:03
ayoungbreton, they should be, explicitly, APIs on those services15:04
dstanekgagehugo: i added some questions to your review15:04
bretonayoung: there are ~30 resources now. Should there be 30 APIs?15:04
ayoungbreton, the services should assume that Keystone is read only data15:04
ayoungbreton, how many services are there?  Perhaps one per service.15:05
gagehugodstanek ok15:05
bretonayoung: keystone in this case will be read-only data. When usage happens, data will be read from keystone, writes will happen on service side.15:05
ayoungbreton, there are 30 different APIs for creating and 30 for deleting resources.  Why should quota then be centralized?15:05
ayoungbreton, if a new service comes along, and wants to write its quota data into Keystone?15:06
ayoungA lot will have to be written there....15:06
ayoungI'm really torn on this.  I see both sides....15:06
bretonayoung: it will do the write the same way it creates a service, endpoint etc.15:06
ayoungEspecially as this really parallels what I was mulling over with policy15:06
ayoungbreton, OK, here is the weakness in my policy proposal15:07
ayoungassume Horizon FTM15:07
bretonpolicy was never managed via API. Limits always were.15:07
ayoungand a user logs in to horizon, getting a token15:07
ayoungHoriz sends it to Nova, that authenticates it, and caches the auth15:07
ayoungbreton, table that thought...I have some pedantry for the response, but let me proceed...15:08
ayoungso if Horizon makes 16 calls to Nova, there is only one call to Keystone15:08
ayoungIf we implement my proposal, each of those calls would need to be sent to Keystone, assuming they are for different verbs/urls15:08
ayoungso caching is shot15:09
ayoungnow, assume that 1/3rd of them are for creating something, each of those would have to be calls to Keystone (or a bulk call with data cached...)15:09
ayoungagain we are going to be hammering Keystone15:09
ayoungso people are going to say "put the quotas into the token validation response"15:10
openstackgerritRichard Avelar proposed openstack/keystone: WIP validate consumer_id exists directly
*** edtubill has quit IRC15:10
ayoungBut that will bloat the memcache stored data15:10
bretonwe can't do that for some other reasons too15:11
bretonnot only memcache15:11
ayoungWe'll end up with either a load of data we don't need, or multiple trips to Keystone for each user, negating the value of caching the token data15:11
breton> now, assume that 1/3rd of them are for creating something15:11
bretonwhy is that?15:12
ayoungso, since quota is specific to each individual service, what is the benefit of holding it in Keystone instead of in Nova?15:12
*** jerrygb_ has joined #openstack-keystone15:12
ayoungGarbage collection is just as big a problem:15:12
ayoungsay you have HMT set up.15:12
ayoungP1 is parent, C1 C2 C3 are children15:12
*** d0ugal has joined #openstack-keystone15:12
ayoungP1 gets 10 instances15:12
ayoungadmin decides to split it 3 3 4 over child projects15:13
ayoungthen C3 is deactivated,15:13
ayoungquota is still allocated to C3 until someone takes it away15:13
*** jerrygb has quit IRC15:13
gagehugodstanek: good points15:14
ayoungit's workflow15:14
ayoungand while you might be able to see "some" workflow, I suspect the right answer there should be "make it code run in mistral, triggered from project deletion"15:14
ayoungBut you still need somewhere to store that data...15:16
*** jaosorior has joined #openstack-keystone15:17
bretonayoung: benefit of holding it in keystone is easier to manage, easier to support new things. How do i add HMT to nova and neutron when cinder supports it?15:18
bretonand when the customer asks "can i have hierarchical quotas" we have to answer him "weeel, in cinder yes, in nova we can kinda emulate it, in neutron no"15:19
*** edtubill has joined #openstack-keystone15:19
breton(true story)15:19
bretoni will afk for 10 minutes to get something to eat15:20
*** edtubill has quit IRC15:21
gagehugoayoung: we can clarify those use cases, I don't think they are written clearly enough.  We just want the ability to associate string values with projects in keystone, and those use cases are just generic things we use those tags for15:22
*** richm has joined #openstack-keystone15:24
ayounggagehugo, "just" is one of my trigger words15:27
ayoungit indicates an attempt to downplay an issue, usually the important issue at hand.15:27
gagehugoI can see the argument15:27
gagehugofoot in the door situation15:27
ayounggagehugo, dumb idea...15:28
ayoungnah, forget it15:28
ayoungI already talked myself out of it.15:28
gagehugobut in this case, that is really what we want from project properties15:29
ayoungThe problem with all of this is that all the services need Keystone set up correctly to function15:29
ayoungwe are coding in dependencies15:29
ayoungand we haven't even figured out how to do RBAC right yet15:29
gagehugoquotas is not in the scope of that spec15:30
gagehugobut I can see that someone can abuse it for that15:30
dstanekgagehugo: what is keeping track of a project for billing purposes?15:30
ayoungdstanek, CloudKitty15:31
*** davechen has quit IRC15:31
gagehugomarking a project with a tag, then using that tag to bill people later15:32
dstanekgagehugo: so it is billing system related?15:32
*** davechen has joined #openstack-keystone15:33
gagehugothe tags we store in properties will be used later for billing yes15:33
dstanekgagehugo: so in a large cloud example...who maintains the tags? a cloud admin, domain admin or something else?15:34
lamtit is a use case AT&T uses - but generically we just want ways to query projects based on some properties.  We have a handful of these sandbox projects created that only exist for X days.15:34
gagehugodstanek: what lamt said15:34
lamtdstanek : currently it is the cloud admin15:34
dstanekso the spec should definitely be updated to show/enforce that15:35
lamtdstanek : agreed, the use cases need to be reworded15:36
dstaneklamt: not just that. the apis need to be changed15:36
gagehugoremoving the properties from creation/updating into their own separate calls?15:37
*** ashyoung has joined #openstack-keystone15:38
gagehugothat would be better in terms of security15:38
*** d0ugal has quit IRC15:39
dstanekgagehugo: without that you couldn't easily limit to cloud admin unless you start doing policy check deep in the code15:41
gagehugodstanek: yeah that's a good point15:42
*** ashyoung has quit IRC15:43
dstanekdoes tag information need to be returned in the project resource?15:44
*** adrian_otto has joined #openstack-keystone15:44
lamtdstanek : no - that can be taken out. I thought for a while /projects returns extras too, but that was removed.15:45
*** jaosorior has quit IRC15:54
*** browne has joined #openstack-keystone15:55
*** edtubill has joined #openstack-keystone15:56
*** tobbery__ has joined #openstack-keystone16:01
dstaneklamt: there has been a push to not have extras around anymore because keystone shouldn't be used as a kvs16:02
*** rcernin has quit IRC16:02
*** edtubill has quit IRC16:02
lamtdstanek : ah16:02
*** davechen has quit IRC16:04
*** tobberyd_ has quit IRC16:04
*** tobbery__ has quit IRC16:06
gagehugodstanek: using extras really isn't the greatest16:06
*** david-lyle has joined #openstack-keystone16:10
*** dave-mccowan has quit IRC16:17
*** dave-mccowan has joined #openstack-keystone16:19
*** belmoreira has quit IRC16:19
*** pcaruana has quit IRC16:20
*** edtubill has joined #openstack-keystone16:21
*** rcernin has joined #openstack-keystone16:25
knikollacan a user use an unscoped token to update his own password?16:29
*** gyee has joined #openstack-keystone16:32
*** david-lyle has quit IRC16:32
*** david-lyle has joined #openstack-keystone16:33
gagehugoknikolla: yes16:33
gagehugoI was just able to anyway16:33
openstackgerritRichard Avelar proposed openstack/keystone: Remove unused statements in matches
knikollagagehugo: thanks!16:38
openstackgerritKam Nasim proposed openstack/keystone: Network conn timeout on Identity LDAP backend
*** edtubill has quit IRC16:44
*** edmondsw has quit IRC16:46
*** dikonoor has joined #openstack-keystone16:46
*** andreww has quit IRC16:46
*** xarses has joined #openstack-keystone16:50
openstackgerritRichard Avelar proposed openstack/keystone: Remove unused statements in matches
*** Alexey_Abashkin_ has joined #openstack-keystone16:56
*** Alexey_Abashkin has quit IRC16:59
*** rcernin has quit IRC17:03
*** rcernin has joined #openstack-keystone17:03
*** esp has joined #openstack-keystone17:05
*** gyee has quit IRC17:07
*** rcernin has quit IRC17:08
*** artmr has joined #openstack-keystone17:14
*** rcernin has joined #openstack-keystone17:19
artmrI'm not sure if I am inconvenient when I request a review here, but it's a very simple patch:17:22
*** rcernin has quit IRC17:24
*** daemontool has quit IRC17:28
*** pjm6 has quit IRC17:38
jlkstevemar: so what needs to happen to kick into getting attention? Apparently we're able to tickle the issue in some of our testing.17:43
*** harlowja has quit IRC17:43
*** harlowja has joined #openstack-keystone17:46
*** ravelar has quit IRC17:49
*** kiran-r has joined #openstack-keystone17:56
*** edtubill has joined #openstack-keystone17:57
*** Guest25209 has quit IRC17:57
*** rcernin has joined #openstack-keystone18:05
*** sdake has joined #openstack-keystone18:05
gagehugohappy turtle18:08
ayounggagehugo, I call him stoney18:09
gagehugostoney the happy turtle18:10
gagehugoI like it18:10
bknudsonwhat is stoney smoking?18:11
*** chris_hultin is now known as chris_hultin|AWA18:12
ayounggagehugo, a first draft for a Keystone mascot18:12
gagehugoyeah, I was rooting for komodo dragon, but I like turtles as well18:13
gagehugoI like the keyhole in the shell18:13
bknudsonhigh on fernet18:14
*** kiran-r has quit IRC18:15
openstackgerritMatt Fischer proposed openstack/keystone: Allow running expand & migrate at the same time
*** chris_hultin|AWA is now known as chris_hultin18:17
*** ravelar has joined #openstack-keystone18:21
*** sdake has quit IRC18:22
artmrthank you for review, ayoung18:22
*** dikonoor has quit IRC18:22
*** davechen has joined #openstack-keystone18:24
*** davechen has quit IRC18:28
*** davechen has joined #openstack-keystone18:28
*** mvk has quit IRC18:32
morgan_ayoung: nice spec18:34
ayoungmorgan_, the RBAC one?18:34
morgan_the role verify one18:34
*** adrian_otto has quit IRC18:34
ayoungmorgan_, think it will work?18:36
morgan_I think it can work18:36
morgan_it's a lot of change, but doable.18:36
*** jpich has quit IRC18:37
ayoungmorgan_, so jamielennox's big concern was about caching of tokens18:38
ayoungthis will essentially break that18:38
ayoungunless the request is identical, we'd have to revalidate, just to get the roles confirmed18:38
*** ravelar has quit IRC18:39
morgan_yep. but doable.18:39
*** ravelar has joined #openstack-keystone18:39
morgan_I think it can work. but it requires some hard engineering.18:40
ayoungmorgan_, my thought was implement this, and then extract it into middleware if we need to optimize it18:40
morgan_that is what I would do.18:40
ayoungmorgan_, so...the URL patterns we are matching.  I want them to be like roles. I want to use the role inference rules to link from a role to a pattern.18:40
ayoungshould I require each one to have a name?18:41
*** asettle has joined #openstack-keystone18:41
morgan_I would.18:41
ayoungOr maybe just a UUID based ID18:41
morgan_operationally it'll be easier to digest18:41
morgan_code wise worse. don't make it harder to talk about / work with.18:42
morgan_uuid is always unfriendly outside of code18:42
ayoungright, but the "name" really should be "identity PUT /v3/users/{user_id}"18:42
ayoungor post or whatever add user is called18:43
ayoungso the name should then be18:43
*** spzala has quit IRC18:43
ayoungor maybe even a 3 part name:  (service,resource,operation)18:43
ayoungI don't want to backpedal on the namespacing we have now in policy, but I would like to make it more rigorous18:44
ayoungI'm also wondering if we need to do something to account for wildcards in the version strings.  I suspect we'll have things like18:45
ayoungPUT /v2.1/image18:45
ayoungwhich needs to really be18:45
ayoungPUT /v2.{subversion}/image18:45
ayounglots of details18:45
*** spzala has joined #openstack-keystone18:46
morgan_ayoung: true.18:48
ayoungmorgan_, I want to keep the fkey constraint on the role inference rules, so one thing we could do is a one-to-one link between an URL pattern and a role, but that seems messy.  I kind of want the URL patterns to show up only when explicitly asked for, not when list-roles is done18:48
morgan_it needs a lot of work, but generally it would be an improvement over what we have today.18:48
*** thiagolib has quit IRC18:48
ayoungbut I do want the URL patterns to be usable in a trust-like way18:48
morgan_you might have to pick one or the other there.18:48
ayoungI don't want one role per url pattern18:49
ayoungyeah, yeah18:49
*** thiagolib has joined #openstack-keystone18:50
ayoungmorgan_, also, I think if we make the default rule for most things be "Member" it allows people to then start adding Read_only roles18:50
ayoungsince it won't pass this check, it will not matter if a role like "auditor" passes the latter policy.json check18:51
openstackgerritMerged openstack/python-keystoneclient: Increase readability of 'find()' method and small improvements
*** asettle has quit IRC18:59
*** adrian_otto has joined #openstack-keystone18:59
*** adrian_otto1 has joined #openstack-keystone19:03
*** adrian_otto has quit IRC19:05
*** jaugustine_ has joined #openstack-keystone19:19
*** david-lyle has quit IRC19:23
*** david-lyle has joined #openstack-keystone19:25
*** adrian_otto1 has quit IRC19:29
*** adrian_otto has joined #openstack-keystone19:31
*** amoralej is now known as amoralej|off19:35
ayoungmorgan_, how about this.  We extend the definition of a role to have a couple extra fields.  One indicates whether it is directly assignable.  only assignable roles show up when you do "list_roles" by default.  The other field is a link to an url pattern.19:38
ayoungI really want "an url pattern IS-A role" because then trusts and oauth delegations will just work19:40
*** jrichli has joined #openstack-keystone19:41
jrichlihello. I am configuring keystone for the first time - not using devstack.  I only need a simple setup.  I have gotten as far as running keystone-manage bootstrap.19:45
jrichliBut verifying that is not working :
jrichliI haven't done any setup with db except for running keystone-manage db_sync.19:47
jrichliI see old config instructions that use mysql and there is setup to do.  but i am using the default sqlite - and I had the understanding that bootstrap would do what was needed.19:48
dstanekjrichli: i'm not entirely sure sqlite will actually work. it's really there for our testing processes19:50
*** jaugustine_ has quit IRC19:50
*** jerrygb has joined #openstack-keystone19:51
jrichlidstanek: oh, ok.  interesting.19:51
dstanekjrichli: are you just trying to test keystone out?19:52
jrichlidstanek: sort of ... I have a VM that already has  swift-all-in-one that I have been using for development.  I would like to add a minimal keystone setup for some internal dev testing.19:54
*** jerrygb_ has quit IRC19:54
*** jaugustine_ has joined #openstack-keystone19:55
*** adrian_otto has quit IRC19:55
*** artmr has quit IRC19:57
*** cheran75 has joined #openstack-keystone19:58
*** mvk has joined #openstack-keystone20:14
openstackgerritJeffrey Augustine proposed openstack/keystone-specs: Add keystone project properties
openstackgerritGage Hugo proposed openstack/keystone-specs: Add keystone project properties
*** khamtamtun has joined #openstack-keystone20:21
*** jaugustine_ has quit IRC20:22
morgan_ayoung: i could see that working20:22
*** andreww has joined #openstack-keystone20:23
openstackgerritGage Hugo proposed openstack/keystone-specs: Add keystone project properties
*** xarses has quit IRC20:26
*** esp has quit IRC20:28
*** dave-mccowan has quit IRC20:30
*** andreww has quit IRC20:30
*** andreww has joined #openstack-keystone20:31
morgan_dstanek, stevemar, breton: we should update the cacher(s) to use as the key gen function20:31
morgan_we can then directly memoize functions with kwargs/functions with kwargs passed to it20:32
morgan_rather than needing a "translate" layer20:32
*** gyee has joined #openstack-keystone20:32
*** ChanServ sets mode: +v gyee20:32
openstackgerritRaildo Mascena proposed openstack/keystone: Disable user lists without a filter
ayoungOK,  URL pattern is not a role.  For now, we treat them separately.  Let's do things simply, and see how they progress.  We can always introduce new concepts later to optimize or improve UX20:37
openstackgerritayoung proposed openstack/keystone: Disable user lists without a filter
openstackgerritRaildo Mascena proposed openstack/keystone: Disable user lists without a filter
*** esp has joined #openstack-keystone20:39
ayoungraildo, heh20:40
raildoayoung, lol, you were faster than me20:41
ayoungdid we really tie on that?20:41
raildoayoung, ++20:41
*** ravelar has quit IRC20:41
ayoungraildo, let me look at your approach....20:41
ayoungraildo, OK, so logic like this belongs in the core, not in the controllers20:41
ayoung2 we don't want to throw an exception, as that will force Horizon et alles to change20:42
ayoungmake sense?20:42
ayoung3 the test needs to ensure it works without the config option set.20:42
raildoayoung, sure, for now I just tried to make a rebase, and fix some previous comments. I saw this patch away for a long time20:42
ayoungyou want to take my version and work on it?20:42
raildoayoung, I'll do that. :) thanks sir20:43
ayoungraildo, thank you20:43
ayoungraildo, let's come up with a better config option name, too20:44
raildoayoung, I'm not good with config/variable names, but I'll do my best!20:44
ayoungraildo, write it in the positive, with the default True20:44
raildoayoung, ok20:45
ayoungand keep it short...20:45
openstackgerritKristi Nikolla proposed openstack/keystoneauth: Adds last_request_id to adapter and session classes
*** raildo has quit IRC20:54
*** khamtamtun has quit IRC20:55
*** rcernin has quit IRC20:57
dstanekmorgan_: good call. i'll throw up a patch21:00
*** ayoung has quit IRC21:06
*** david-lyle has quit IRC21:09
*** spzala has quit IRC21:09
*** spzala has joined #openstack-keystone21:10
stevemarjlk: re: - i dunno, reviews :P21:12
*** jrichli has left #openstack-keystone21:14
jlklol, okay.21:14
*** spzala has quit IRC21:15
jlkI wasn't sure if it was blocked for some other reason.21:15
*** edtubill has quit IRC21:17
*** spzala has joined #openstack-keystone21:21
openstackgerritSteve Martinelli proposed openstack/keystone: Add test cases for passing "None" as a hint
openstackgerritSteve Martinelli proposed openstack/keystone: Allow running expand & migrate at the same time
*** adrian_otto has joined #openstack-keystone21:23
*** spilla has quit IRC21:25
*** khamtamtun has joined #openstack-keystone21:27
*** adrian_otto has quit IRC21:30
*** chris_hultin is now known as chris_hultin|AWA21:30
*** khamtamtun has quit IRC21:34
*** khamtamtun has joined #openstack-keystone21:34
stevemarjlk: nah21:39
stevemarjlk: hehe, sorry if my reply was snarky ... or czrarky :P21:39
*** jrichli has joined #openstack-keystone21:41
*** esp has quit IRC21:42
*** jaugustine_ has joined #openstack-keystone21:44
*** jaugustine_ has quit IRC21:44
*** khamtamtun has quit IRC21:45
*** jaugustine has quit IRC21:45
*** harlowja has quit IRC21:56
*** jperry has quit IRC22:00
*** david-lyle_ has joined #openstack-keystone22:01
*** david-lyle_ has quit IRC22:02
*** david-lyle has joined #openstack-keystone22:03
*** lamt has quit IRC22:10
*** ayoung has joined #openstack-keystone22:26
*** ChanServ sets mode: +v ayoung22:26
*** thiagolib has quit IRC22:28
*** jerrygb_ has joined #openstack-keystone22:29
*** jerrygb has quit IRC22:32
*** kiran-r has joined #openstack-keystone22:34
*** adriant has joined #openstack-keystone22:36
*** ayoung has quit IRC22:43
*** ayoung has joined #openstack-keystone22:44
*** ChanServ sets mode: +v ayoung22:44
*** adrian_otto has joined #openstack-keystone22:54
openstackgerritMerged openstack/keystone: Add test cases for passing "None" as a hint
*** andreww has quit IRC23:03
*** ayoung has quit IRC23:03
*** adrian_otto has quit IRC23:04
*** spzala has quit IRC23:04
openstackgerritMerged openstack/keystone: Allow running expand & migrate at the same time
*** g2 is now known as g2[ATL]23:28
*** ayoung has joined #openstack-keystone23:48
*** ChanServ sets mode: +v ayoung23:48
*** gyee has quit IRC23:49
