Tuesday, 2016-11-15

[00:17] *** dave-mccowan has joined #openstack-keystone
[00:41] *** guoshan has joined #openstack-keystone
[00:41] *** hoangcx has joined #openstack-keystone
[00:44] <morgan_> mfisch: yep
[00:45] *** guoshan has quit IRC
[00:47] *** catintheroof has quit IRC
[00:48] *** catintheroof has joined #openstack-keystone
[00:48] *** gyee has quit IRC
[00:52] *** catintheroof has quit IRC
[00:56] *** woodster_ has quit IRC
[00:58] *** chris_hultin is now known as chris_hultin|AWA
[01:01] <openstackgerrit> Steve Martinelli proposed openstack/keystone: Test revocation race conditions  https://review.openstack.org/227995
[01:03] *** agrebennikov has quit IRC
[01:06] <openstackgerrit> Eric Brown proposed openstack/keystone: Remove reference to future removal of saml  https://review.openstack.org/397456
[01:06] <stevemar> mfisch: i'm around now, still needed?
[01:07] <stevemar> dstanek: you around?
[01:21] *** guoshan has joined #openstack-keystone
[01:21] *** diazjf has joined #openstack-keystone
[01:23] *** diazjf has quit IRC
[01:31] *** davechen_afk is now known as davechen
[01:36] <stevemar> SO CLOSE to <100 open changes in keystone repo
[01:36] <stevemar> ah well
[01:36] <stevemar> cleaned up a fair bit anyway
[01:36] * stevemar goes to pick up sushi
[01:45] *** dave-mccowan has quit IRC
[01:48] *** zhangjl has joined #openstack-keystone
[01:50] *** markvoelker has quit IRC
[01:51] *** kfox1111 is now known as kfox1111_away
[01:56] *** annp has joined #openstack-keystone
[02:19] *** markvoelker has joined #openstack-keystone
[02:24] *** mnaser has quit IRC
[02:24] *** mnaser has joined #openstack-keystone
[02:37] *** namnh has joined #openstack-keystone
[02:40] *** namnh has quit IRC
[02:40] *** namnh has joined #openstack-keystone
[02:42] <openstackgerrit> David Stanek proposed openstack/keystone: Deprecate the AdminTokenAuthMiddleware  https://review.openstack.org/305287
[02:48] *** tqtran has quit IRC
[02:49] *** links has joined #openstack-keystone
[03:00] *** hoangcx has quit IRC
[03:01] *** nkinder has joined #openstack-keystone
[03:02] *** hoangcx has joined #openstack-keystone
[03:02] *** david_cu has joined #openstack-keystone
[03:04] *** namnh has quit IRC
[03:07] *** jamielennox is now known as jamielennox|away
[03:08] *** GB21 has joined #openstack-keystone
[03:19] *** GB21 has quit IRC
[03:21] *** jamielennox|away is now known as jamielennox
[03:42] *** udesale has joined #openstack-keystone
[03:50] *** g2` has quit IRC
[03:54] *** nicolasbock has quit IRC
[03:54] *** guoshan has quit IRC
[03:56] *** nkinder has quit IRC
[03:56] *** BrAsS_mOnKeY has joined #openstack-keystone
[04:11] *** BrAsS_mOnKeY has quit IRC
[04:13] <openstackgerrit> Steve Martinelli proposed openstack/keystone: cache_on_issue default to true  https://review.openstack.org/383333
[04:15] *** jamielennox is now known as jamielennox|away
[04:17] *** jamielennox|away is now known as jamielennox
[04:38] <openstackgerrit> Cao Xuan Hoang proposed openstack/keystoneauth: Using assertIsNotNone() instead of assertNotEqual(None)  https://review.openstack.org/397521
[04:40] *** jamielennox is now known as jamielennox|away
[04:40] *** r1chardj0n3s is now known as r1chardj0n3s_afk
[04:45] *** guoshan has joined #openstack-keystone
[04:49] *** guoshan has quit IRC
[05:03] *** jamielennox|away is now known as jamielennox
[05:04] *** khamtamtun has joined #openstack-keystone
[05:21] *** khamtamtun has quit IRC
[05:23] <jamielennox> breton: can you have another look at https://review.openstack.org/#/c/382098/8, i think the current way is correct and we need to move on this
[05:29] *** adriant has quit IRC
[05:29] <openstackgerrit> Jamie Lennox proposed openstack/keystone: Allow fetching an expired token  https://review.openstack.org/382098
[05:31] <jamielennox> breton: no you're right - still not sure why but in practice it works
[05:39] *** guoshan has joined #openstack-keystone
[05:44] *** guoshan has quit IRC
[05:48] *** tqtran has joined #openstack-keystone
[05:52] *** tqtran has quit IRC
[05:54] <jamielennox> ptg rooms are sold out already? that's crazy
[06:07] *** jaosorior has joined #openstack-keystone
[06:17] *** khamtamtun has joined #openstack-keystone
[06:22] *** guoshan has joined #openstack-keystone
[06:35] *** khamtamtun has quit IRC
[06:40] *** jaosorior has quit IRC
[06:40] *** jaosorior has joined #openstack-keystone
[06:41] *** richm has quit IRC
[06:42] *** nk2527 has quit IRC
[06:48] *** khamtamtun has joined #openstack-keystone
[07:23] *** rcernin has quit IRC
[07:31] *** tobberyd_ has joined #openstack-keystone
[07:33] *** belmoreira has joined #openstack-keystone
[07:38] *** BrAsS_mOnKeY has joined #openstack-keystone
[07:53] <morgan_> jamielennox: wtf... really?
[07:53] * morgan_ rolls eyes.
[07:54] <morgan_> oookay, guess if i am going i'll have to do the ol' not-the-conference^wPTG-hotel
[07:58] <openstackgerrit> Merged openstack/keystone: Remove reference to future removal of saml  https://review.openstack.org/397456
[08:22] *** pcaruana has joined #openstack-keystone
[08:22] *** amoralej|off is now known as amoralej
[08:32] <jamielennox> morgan_: no, i think i made a mistake
[08:32] <jamielennox> if i didn't include saturday before i could get a room
[08:32] <morgan_> ah
[08:32] <jamielennox> but corp rate at the hilton around the block is better so going to do that instead
[08:36] <breton> the ptg hotel says the room is USD 185.00 /night
[08:36] <breton> and hilton on the booking is ~120
[08:40] *** jpich has joined #openstack-keystone
[08:44] <jamielennox> lol, my "corp discounted rate" was still 160
[08:45] <jamielennox> but it's not the first time i've found the "special rate" to be higher than just getting it from the website
[08:49] *** markvoelker has quit IRC
[08:52] *** jaosorior is now known as jaosorior_lunch
[09:00] *** zzzeek has quit IRC
[09:00] *** zzzeek has joined #openstack-keystone
[09:08] *** tobberyd_ has quit IRC
[09:13] *** mvk has quit IRC
[09:14] *** pnavarro has joined #openstack-keystone
[09:15] *** mvk has joined #openstack-keystone
[09:18] *** openstackgerrit has quit IRC
[09:18] *** openstackgerrit has joined #openstack-keystone
[09:21] *** clsacramento has joined #openstack-keystone
[09:21] *** jperry has joined #openstack-keystone
[09:42] *** jaosorior_lunch is now known as jaosorior
[09:45] *** udesale has quit IRC
[09:49] *** markvoelker has joined #openstack-keystone
[09:55] *** markvoelker has quit IRC
[09:56] *** udesale has joined #openstack-keystone
[10:06] *** hoangcx has quit IRC
[10:22] *** asettle has joined #openstack-keystone
[10:39] *** khamtamtun has quit IRC
[10:51] *** deep_1 has joined #openstack-keystone
[10:52] *** guoshan has quit IRC
[10:53] *** udesale has quit IRC
[10:54] <deep_1> Is there any way to use credentials from ldap for swift and s3? I want to avoid openstack credential create for every user from ldap?
[10:59] <breton> deep_1: no, because credentials are encrypted by keystone and they are far from users. But it might be a nice feature if you describe your use case, probably on the openstack-dev mailing list or at our meeting today.
[11:01] *** khamtamtun has joined #openstack-keystone
[11:11] *** richm has joined #openstack-keystone
[11:14] *** zhangjl has left #openstack-keystone
[11:16] *** mvk has quit IRC
[11:21] *** guoshan has joined #openstack-keystone
[11:26] *** guoshan has quit IRC
[11:39] *** deep_1 has quit IRC
[11:42] *** nicolasbock has joined #openstack-keystone
[11:43] *** links has quit IRC
[11:47] *** mvk has joined #openstack-keystone
[11:51] *** markvoelker has joined #openstack-keystone
[11:51] *** rodrigods has quit IRC
[11:51] *** rodrigods has joined #openstack-keystone
[11:54] *** iurygregory has joined #openstack-keystone
[11:55] *** markvoelker has quit IRC
[12:08] *** annp has quit IRC
[12:16] *** guoshan has joined #openstack-keystone
[12:20] *** guoshan has quit IRC
[12:25] *** nkinder has joined #openstack-keystone
[12:28] *** catintheroof has joined #openstack-keystone
[12:31] *** nkinder has quit IRC
[12:44] *** deep_1 has joined #openstack-keystone
[13:03] *** dave-mccowan has joined #openstack-keystone
[13:07] *** toabctl has joined #openstack-keystone
[13:08] <toabctl> is there a way to tell keystone to use --config-dir with the apache wsgi deployment?
[13:10] *** guoshan has joined #openstack-keystone
[13:10] *** nk2527 has joined #openstack-keystone
[13:14] *** guoshan has quit IRC
[13:15] <rodrigods> stevemar, ayoung https://review.openstack.org/#/c/397735/1
[13:15] <rodrigods> dstanek, ^
[13:16] *** khamtamtun has quit IRC
[13:16] *** lamt has joined #openstack-keystone
[13:16] *** nkinder has joined #openstack-keystone
[13:16] *** lamt has quit IRC
[13:16] <stevemar> rodrigods: i thought there was a race condition in the ksc tests?
[13:17] <rodrigods> stevemar, did you see it again?
[13:17] <stevemar> hmm
[13:17] <rodrigods> stevemar, it is non-voting anyway
[13:17] <stevemar> yeah
[13:17] <stevemar> does that mean we remove them from ksc gate?
[13:17] *** lamt has joined #openstack-keystone
[13:18] <rodrigods> stevemar, nope
[13:18] *** edmondsw has joined #openstack-keystone
[13:20] <openstackgerrit> Ron De Rose proposed openstack/keystone-specs: Extend user API to support federated attributes  https://review.openstack.org/397410
[13:20] <rodrigods> stevemar, regarding tests, what do you think we propose to have a LDAP gate job as the project for the outreachy student?
[13:23] <breton> or to gsoc student if we get accepted to gsoc
[13:24] *** lamt has quit IRC
[13:24] <rodrigods> breton, we have a student for outreachy's next round
[13:25] <rodrigods> breton, her project is exactly about keystone tests scenarios and infra :)
[13:28] *** markvoelker has joined #openstack-keystone
[13:30] *** jdennis has joined #openstack-keystone
[13:32] *** asettle is now known as her-royalness
[13:34] *** spligak has joined #openstack-keystone
[13:39] <stevemar> dolphm: can you look at https://bugs.launchpad.net/keystone/+bug/1498556 when you get a chance, you filed it a long time ago and it's vague in what it'll take to close the bug
[13:39] <openstack> Launchpad bug 1498556 in keystoneauth "Reasonable assumptions concerning domain references" [Medium,Triaged]
[13:39] <dolphm> stevemar: sure
[13:39] <stevemar> rodrigods: up to you, i was going to start looking at the ldap stuff soon
[13:39] <stevemar> i wasn't going to create a job
[13:40] <dolphm> stevemar: how on earth is this vague?! :P
[13:40] <rodrigods> stevemar, creating the job is enough work i guess - assuming the ldap stuff is ready on devstack
[13:41] <rodrigods> stevemar, if it needs some fixes, would be nice to have before the project starts :) and is something me and raildo can help out
[13:41] <dolphm> stevemar: you're talking about the bug where i wrote a short novel about how we should offer a better user experience across the board, yes?
[13:42] <openstackgerrit> Steve Martinelli proposed openstack/keystone: Reduce revoke events for disabled domains and projects.  https://review.openstack.org/253273
[13:44] <rodrigods> dolphm, that bug looks like a spec
[13:44] <rodrigods> a well written spec, btw
[13:46] <dolphm> i tried to document the way that the default domain was intended to be used - for many users, it's a reasonable assumption. what we have instead is an overly complicated user experience because we have too many options, and as jamie pointed out, we have yet another option to try to make the user experience of having too many options better.
[13:46] <dolphm> stevemar: ^
[13:47] <toabctl> stevemar, any idea how to use --config-dir with the apache wsgi deployment?
[13:48] *** crinkle_ has joined #openstack-keystone
[13:49] *** crinkle has quit IRC
[13:52] *** jdennis has quit IRC
[13:53] *** jperry has quit IRC
[13:57] *** her-royalness is now known as asettle
[13:58] *** crinkle_ is now known as crinkle
[13:58] *** khamtamtun has joined #openstack-keystone
[13:59] *** jdennis has joined #openstack-keystone
[14:00] *** udesale has joined #openstack-keystone
[14:04] *** guoshan has joined #openstack-keystone
[14:06] <stevemar> jlk: was there something you specifically wanted documented for the healthcheck middleware addition? the bug https://bugs.launchpad.net/keystone/+bug/1640616 was created cause you used DocImpact in the commit message
[14:06] <openstack> Launchpad bug 1640616 in OpenStack Identity (keystone) " Add healthcheck middleware to pipelines" [Undecided,New]
[14:08] *** guoshan has quit IRC
[14:10] *** jperry has joined #openstack-keystone
[14:12] <openstackgerrit> David Stanek proposed openstack/keystone: Force SQLite to properly deal with foreign keys  https://review.openstack.org/126030
[14:13] <dstanek> stevemar: just saw your message from last night
[14:13] *** pcaruana has quit IRC
[14:16] *** BrAsS_mOnKeY has quit IRC
[14:16] *** nkinder has quit IRC
[14:16] *** khamtamtun has quit IRC
[14:18] *** nkinder has joined #openstack-keystone
[14:18] *** chris_hultin|AWA is now known as chris_hultin
[14:22] *** BrAsS_mOnKeY has joined #openstack-keystone
[14:24] *** chris_hultin is now known as chris_hultin|AWA
[14:25] <openstackgerrit> Merged openstack/keystone: Limits config fixture usage to where it's needed  https://review.openstack.org/266399
[14:26] *** BrAsS_mOnKeY has quit IRC
[14:26] *** chris_hultin|AWA is now known as chris_hultin
[14:27] *** BrAsS_mOnKeY has joined #openstack-keystone
[14:29] *** BrAsS_mOnKeY has quit IRC
[14:30] *** BrAsS_mOnKeY has joined #openstack-keystone
[14:32] *** BrAsS_mOnKeY has quit IRC
[14:36] *** jdennis has quit IRC
[14:36] *** jaosorior has quit IRC
[14:41] <openstackgerrit> Ron De Rose proposed openstack/keystone-specs: Extend user API to support federated attributes  https://review.openstack.org/397410
[14:43] <openstackgerrit> Ron De Rose proposed openstack/keystone-specs: Extend user API to support federated attributes  https://review.openstack.org/397410
[14:43] *** amoralej is now known as amoralej|lunch
[14:45] *** khamtamtun has joined #openstack-keystone
[14:49] *** BrAsS_mOnKeY has joined #openstack-keystone
[14:50] *** khamtamtun has quit IRC
[14:53] *** tqtran has joined #openstack-keystone
[14:54] *** udesale has quit IRC
[14:55] *** lamt has joined #openstack-keystone
[14:57] *** tqtran has quit IRC
[14:57] *** BrAsS_mOnKeY is now known as g2
[14:58] *** guoshan has joined #openstack-keystone
[15:02] *** guoshan has quit IRC
[15:03] *** edtubill has joined #openstack-keystone
[15:17] <stevemar> lbragstad: can you weigh in on https://bugs.launchpad.net/keystone/+bug/1597077
[15:17] <openstack> Launchpad bug 1597077 in OpenStack Identity (keystone) "Mitaka token 'expires' padding differs between POST and GET/HEAD on Fernet tokens" [Medium,Triaged]
[15:18] <lbragstad> stevemar sure
[15:19] <ayoung> rodrigods, for some reason, I cannot even +1 that patch
[15:22] <stevemar> rderose: lbragstad: which of you is following ravelar's work closely?
[15:25] <stevemar> samueldmq: update https://bugs.launchpad.net/keystone/+bug/1402339 please
[15:25] <openstack> Launchpad bug 1402339 in OpenStack Identity (keystone) "Status code from HEAD requests must be consistent" [Low,Triaged]
[15:25] *** woodburn has joined #openstack-keystone
[15:26] *** jaugustine has joined #openstack-keystone
[15:26] <rderose> stevemar: I have been trying to, why?
[15:26] <rderose> stevemar: especially around the revocation stuff
[15:30] *** agrebennikov has joined #openstack-keystone
[15:30] <knikolla> o/
[15:34] <stevemar> rderose: look at https://bugs.launchpad.net/keystone/+bug/1268751 please
[15:34] <openstack> Launchpad bug 1268751 in OpenStack Identity (keystone) "Potential token revocation abuse via group membership" [Low,Triaged]
[15:34] <stevemar> it's an old one that may be resolved now
[15:42] *** jaugustine has quit IRC
[15:42] *** deep_1 has quit IRC
[15:43] *** adrian_otto has joined #openstack-keystone
[15:46] *** jdennis has joined #openstack-keystone
[15:48] *** openstackgerrit has quit IRC
[15:48] *** openstackgerrit has joined #openstack-keystone
[15:48] *** amoralej|lunch is now known as amoralej
[15:52] *** guoshan has joined #openstack-keystone
[15:56] * breton sighs
[15:57] *** guoshan has quit IRC
[15:57] <breton> has the request id chaining ever been implemented?
[15:57] <breton> dims: maybe you know
[15:58] <dims> breton : don't think it was ever done fully (with tests)
[15:59] *** dave-mccowan has quit IRC
[15:59] <breton> dims: was there a cross-project spec, bp or anything else to track?
[15:59] *** phalmos has joined #openstack-keystone
[16:00] *** diazjf has joined #openstack-keystone
[16:01] *** nicolasbock has quit IRC
[16:02] *** pcaruana has joined #openstack-keystone
[16:05] *** nicolasbock has joined #openstack-keystone
[16:07] <openstackgerrit> Tin Lam proposed openstack/keystone: Enable CADF notification format by default  https://review.openstack.org/397339
[16:10] *** g2 has quit IRC
[16:10] *** phalmos has quit IRC
[16:10] *** BrAsS_mOnKeY has joined #openstack-keystone
[16:16] <rodrigods> breton, is it the thing that appears in the logs?
[16:17] <dims> breton : https://github.com/openstack/openstack-specs/blob/master/specs/return-request-id.rst
[16:17] *** BrAsS_mOnKeY is now known as g2
[16:18] <openstackgerrit> Gage Hugo proposed openstack/keystone: WIP - Add reason to notification payload  https://review.openstack.org/396752
[16:18] *** dave-mccowan has joined #openstack-keystone
[16:20] * breton sighs at https://bugs.launchpad.net/python-openstacksdk/+bug/1465817
[16:20] <openstack> Launchpad bug 1465817 in OpenStack SDK "Provide method to get latest request id" [Medium,Confirmed]
[16:20] <stevemar> lbragstad: got another bug for you to look at: https://bugs.launchpad.net/keystone/+bug/1433311
[16:20] <openstack> Launchpad bug 1433311 in OpenStack Identity (keystone) "Fernet tokens don't support token bind" [Wishlist,Triaged]
[16:20] <stevemar> breton: it's a mess
[16:22] <briancurtin> can we just not do that? look in the logs
[16:22] *** belmoreira has quit IRC
[16:23] *** jaugustine has joined #openstack-keystone
[16:28] *** kfox1111_away is now known as kfox1111
[16:28] <openstackgerrit> Johannes Grassler proposed openstack/keystone-specs: Added trust-scope-extensions  https://review.openstack.org/396331
[16:29] <openstackgerrit> Johannes Grassler proposed openstack/keystone-specs: Added spec on standalone trusts  https://review.openstack.org/396634
[16:39] <stevemar> briancurtin: turns out it was broken in keystoneclient for a year and no one noticed
[16:40] <stevemar> briancurtin: now we're trying to remove it, and determining if fixing it is a good option
[16:41] <stevemar> morgan_: ehrm, do you have a minute to look at a betamax failure? http://logs.openstack.org/21/397521/1/check/gate-keystoneauth-python34/33fde2f/testr_results.html.gz
[16:46] *** guoshan has joined #openstack-keystone
[16:46] *** diazjf has quit IRC
[16:48] *** chrisplo has joined #openstack-keystone
[16:50] *** guoshan has quit IRC
[16:52] *** tqtran has joined #openstack-keystone
[16:56] *** phalmos has joined #openstack-keystone
[16:58] *** pnavarro has quit IRC
[16:59] *** spzala has joined #openstack-keystone
[16:59] *** kbaikov has joined #openstack-keystone
[17:00] *** phalmos_ has joined #openstack-keystone
[17:03] *** haplo37_ has quit IRC
[17:03] *** phalmos has quit IRC
[17:05] *** diazjf has joined #openstack-keystone
[17:13] *** browne has joined #openstack-keystone
[17:15] *** adrian_otto has quit IRC
[17:16] *** diazjf has quit IRC
[17:23] <jlk> stevemar: I misunderstood the docimpact flag. I documented it in the review request.
[17:24] *** diazjf has joined #openstack-keystone
[17:27] *** adrian_otto has joined #openstack-keystone
[17:32] *** arunkant has joined #openstack-keystone
[17:38] *** mvk has quit IRC
[17:40] *** guoshan has joined #openstack-keystone
[17:44] *** haplo37 has joined #openstack-keystone
[17:45] *** guoshan has quit IRC
[17:51] *** jpich has quit IRC
[17:52] <openstackgerrit> David Stanek proposed openstack/keystone-specs: Add spec for native SAML2  https://review.openstack.org/397860
[17:59] *** diazjf has quit IRC
[17:59] *** edtubill has quit IRC
[18:03] *** henrynash has joined #openstack-keystone
[18:03] *** ChanServ sets mode: +v henrynash
[18:06] <edmondsw> can anyone think of a good reason that test_create_trust_without_project_id uses an unscoped token? Seems totally wrong to me
[18:08] <morgan_> stevemar: i do once the meeting is done
[18:09] *** jperry has quit IRC
[18:10] *** asettle has quit IRC
[18:11] *** spilla has joined #openstack-keystone
[18:11] <edmondsw> oh, nm
[18:29] <edmondsw> better question... does it really make sense to try to get a scoped token from an unscoped trust?
[18:34] *** guoshan has joined #openstack-keystone
[18:38] *** harlowja has quit IRC
[18:38] *** guoshan has quit IRC
[18:40] *** amoralej is now known as amoralej|off
[18:40] <openstackgerrit> Kam Nasim proposed openstack/keystone: Network conn timeout on Identity LDAP backend  https://review.openstack.org/390948
[18:40] <openstackgerrit> Ron De Rose proposed openstack/keystone-specs: Extend user API to support federated attributes  https://review.openstack.org/397410
[18:49] *** knikolla has left #openstack-keystone
[18:54] *** gyee has joined #openstack-keystone
[19:00] *** spzala has quit IRC
[19:01] <morgan_> stevemar: eeeuuuwww on that betamax failure
[19:02] *** rcernin has joined #openstack-keystone
[19:02] <ayoung> morgan_, lbragstad on the RBAC spec I proposed...would it make more sense to push for code that can be run inside of middleware based on fetching the URL pattern matching info from Keystone?  It means that all the caching we now do will still work
[19:03] <morgan_> ayoung: let me re-read that sentence
[19:03] <morgan_> i see words... but strung together like that... my brain isn't parsing it
[19:03] <morgan_> ok still not making sense
[19:03] <jamielennox> stevemar, breton: can you guys give https://review.openstack.org/#/c/382098/ another pass? would like to merge that soon
[19:03] <morgan_> care to re-phrase that?
[19:05] <morgan_> jamielennox: why are you coding an option for the expired window?
[19:05] <jamielennox> morgan_: why not?
[19:05] <morgan_> jamielennox: it would seem like the requestor should be able to enforce how long expired it wants
[19:05] <morgan_> i just don't see a benefit to a hard-limit in this case enforced in keystone
[19:05] <jamielennox> i would think you have to have some server side enforcement
[19:05] <morgan_> the requestor knows the token is expired already
[19:06] <morgan_> it specifically asked and can examine the expiry
[19:06] <jamielennox> amongst other things you still need to purge uuid tokens
[19:06] *** harlowja has joined #openstack-keystone
[19:06] <morgan_> for uuid i would just make it an option on the purge
[19:06] <jamielennox> not really, i think mostly this will be auth_token wanting to know
[19:06] <morgan_> right.. so, auth token would (imo) check the expiry
[19:06] <morgan_> it's the requestor in this case
[19:07] <morgan_> not keystone.
[19:07] <morgan_> and the enforcement would be <this task allows expired tokens>
[19:07] <morgan_> not really a rejection from auth token or keystone
[19:07] <morgan_> jamielennox: if that makes sense?
[19:08] <jamielennox> i mean i can put something like that into policy enforcement, but i'm not sure wouldn't use it
[19:09] <morgan_> so step me through how auth token gates this when you need to enforce below auth token
[19:09] <morgan_> this seems to work like delay auth decision
[19:09] <morgan_> but conditionally
[19:09] <morgan_> how does auth token know if this action is allowed to use an expired token? how does it know what the expiry extension should be?
[19:10] <jamielennox> so in my current thinking i don't see any reason to provide that, i'm just saying i can
[19:10] <jamielennox> why would an action not allow an expired token?
[19:11] <jamielennox> i wasn't thinking of letting this be a controlled thing, this should just work for everyone
[19:11] <stevemar> jamielennox: will do
[19:12] <stevemar> morgan_: that's 2 or 3 betamax failures now :(
[19:12] <morgan_> jamielennox: so... we just ignore expiry for <window> for every action
[19:12] <morgan_> why don't we just make expiry longer then
[19:13] <jamielennox> because you can only get the expiry with a service token
[19:13] <jamielennox> it's only extended after the token enters the system
[19:13] <morgan_> euuuw
[19:14] <jamielennox> is that enlightenment or disgust?
[19:14] <morgan_> so i'll then reiterate: why do we have a fixed window?
[19:14] * morgan_ wants ramen today
[19:15] <jamielennox> because it seems like a bad idea to let these live forever, i don't want 2 week old tokens coming back
[19:15] <jamielennox> it's a problem for fernet key rotation
[19:15] <jamielennox> and a problem for uuid token storage
[19:16] <morgan_> uuid token storage i view as a non-issue
[19:16] *** edtubill has joined #openstack-keystone
[19:16] <morgan_> that is easy to address with the purge options
[19:16] <morgan_> if the token has been purged... call it a day
[19:17] <morgan_> much the same with fernet key rotation
[19:17] <morgan_> i mean, is this something we should really make configurable?
[19:17] <morgan_> or would a fixed value of say 86400s be sufficient?
[19:17] <jamielennox> morgan_: i have no idea what that number should be
[19:18] <jamielennox> i understand reducing the config options
[19:18] <jamielennox> but i really don't know what that number will settle out as
[19:18] <morgan_> i would start with 86400 (1 day)
[19:18] <morgan_> i worry about too many configs and knobs to turn
[19:19] <morgan_> options that shouldn't be tuned shouldn't be options. This feels like one of those cases
[19:20] <morgan_> jamielennox: ftr, i won't block it because of an option (or even -1 it)
[19:20] <morgan_> just making sure we're not adding an option for the sake of making it tunable
[19:21] <jamielennox> yea, i understand the desire, maybe this is just history but it seems like the sort of thing you would tune
[19:22] <morgan_> i think the general token expiry is something we've tuned historically
[19:22] *** spzala has joined #openstack-keystone
[19:23] <morgan_> but i'm not sure i would expect this value to be tuned.
[19:23] *** spzala has quit IRC
[19:23] <morgan_> we want it to be generous and to cover almost all cases in any deployment
[19:23] *** spzala has joined #openstack-keystone
[19:23] <morgan_> but not overly generous (e.g your 2 week example)
[19:28] <stevemar> lbragstad: anything interesting in the meeting?
[19:28] <lbragstad> stevemar nope - went pretty smooth, we visited about project properties a lot
[19:28] *** guoshan has joined #openstack-keystone
[19:28] <stevemar> ah
[19:29] <stevemar> a contentious one
[19:29] <lbragstad> very :/
[19:29] <lbragstad> stevemar i suppose we'll try and cover the rest next week?
[19:33] *** guoshan has quit IRC
[19:34] *** diazjf has joined #openstack-keystone
[19:37] *** kbaikov has quit IRC
[19:37] *** kbaikov has joined #openstack-keystone
[19:39] <mfisch> stevemar: rderose you guys want to talk about the PCI stuff in a few min?
[19:40] <stevemar> mfisch: sure thing amigo
[19:40] *** kbaikov has quit IRC
[19:40] <stevemar> lbragstad: we don't need to talk about ALL the specs
[19:40] <lbragstad> stevemar ok
[19:40] <stevemar> i am hoping people comment on the reviews
[19:40] *** kbaikov has joined #openstack-keystone
[19:40] <stevemar> so we are not restricted to hour long segments once per week :)
[19:40] <lbragstad> stevemar good to know, i wasn't sure if we wanted to do a group review or not
[19:41] <mfisch> stevemar: whenever Mr Rose is avail
[19:41] *** kbaikov has quit IRC
[19:41] <mfisch> I have 2 pieces of feedback
[19:41] *** phalmos_ has quit IRC
[19:44] <mfisch> stevemar: rolled Newton into my lab today
[19:44] <mfisch> smooth as butta
[19:45] <morgan_> stevemar: the betamax thing is weird.
[19:45] *** knikolla has joined #openstack-keystone
[19:45] *** knikolla has quit IRC
[19:46] *** knikolla has joined #openstack-keystone
[19:49] <stevemar> lbragstad: i kind of expect all the cores to see each spec proposed to ocata at least once
[19:49] <stevemar> whether or not i'm delusional, we'll find out
[19:50] <stevemar> mfisch: okay, we can wait for ron, i'm cleaning up an osc patch now anyway
[19:50] <stevemar> he's probably just on lunch
[19:50] <mfisch> ok
[19:59] <jlk> Quick question, project quotas, are those stored in Keystone, or are they stored in individual project databases?
[19:59] <mfisch> individual projects
[20:00] <mfisch> jlk: ^
[20:00] <jlk> thanks
[20:02] <mfisch> jlk: cross-region quota mgmt is a real pain
[20:02] <jlk> I can imagine.
[20:05] <openstackgerrit> David Stanek proposed openstack/keystone: Fixes remaining nits in endpoint_policy tests  https://review.openstack.org/397928
[20:06] *** jperry has joined #openstack-keystone
[20:06] *** chris_hultin is now known as chris_hultin|AWA
[20:13] *** diazjf has quit IRC
[20:19] *** chris_hultin|AWA is now known as chris_hultin
[20:23] *** guoshan has joined #openstack-keystone
[20:24] *** gyee has quit IRC
[20:27] *** guoshan has quit IRC
[20:30] *** browne has quit IRC
[20:36] *** spilla has quit IRC
[20:44] <breton> my internets died and i missed the meeting :(
[20:46] <stevemar> breton: good to see your internets is living again
[20:49] *** nk2527 has quit IRC
[21:10] *** browne has joined #openstack-keystone
[21:13] *** adrian_otto has quit IRC
[21:14] *** adrian_otto has joined #openstack-keystone
[21:17] *** guoshan has joined #openstack-keystone
[21:21] *** guoshan has quit IRC
[21:26] *** edtubill has quit IRC
[21:31] *** phalmos has joined #openstack-keystone
[21:31] *** diazjf has joined #openstack-keystone
[21:32] *** spzala has quit IRC
[21:32] *** pcaruana has quit IRC
[21:32] *** spzala has joined #openstack-keystone
[21:37] *** spzala has quit IRC
[21:40] *** adriant has joined #openstack-keystone
[21:41] <lbragstad> stevemar dolphm responded -
[21:41] <lbragstad> https://bugs.launchpad.net/keystone/+bug/1597077
[21:41] <openstack> Launchpad bug 1597077 in OpenStack Identity (keystone) "Mitaka token 'expires' padding differs between POST and GET/HEAD on Fernet tokens" [Medium,Triaged]
[21:42] *** diazjf has quit IRC
[21:53] <stevemar> lbragstad: ah so it's confirmed
[21:53] <stevemar> lbragstad: it's different between post and get eh
[21:53] <stevemar> nasty
[21:53] <lbragstad> yeah
[21:55] *** harlowja has quit IRC
[21:57] *** diazjf has joined #openstack-keystone
[22:01] *** jdennis has quit IRC
[22:05] *** nkinder has quit IRC
[22:07] *** jaugustine has quit IRC
[22:11] *** guoshan has joined #openstack-keystone
[22:13] <openstackgerrit> Matthew Edmonds proposed openstack/keystone: admin gets is_admin_project by default  https://review.openstack.org/311203
[22:13] *** harlowja has joined #openstack-keystone
[22:13] <openstackgerrit> Gage Hugo proposed openstack/keystone: Add reason to notification payload for PCI-DSS  https://review.openstack.org/396752
[22:14] *** mvk has joined #openstack-keystone
[22:15] *** guoshan has quit IRC
[22:18] *** catinthe_ has joined #openstack-keystone
[22:21] *** catintheroof has quit IRC
[22:28] *** adrian_otto has quit IRC
[22:29] *** khamtamtun has joined #openstack-keystone
[22:32] *** adrian_otto has joined #openstack-keystone
[22:35] *** catintheroof has joined #openstack-keystone
[22:36] *** catinthe_ has quit IRC
[22:36] *** edmondsw has quit IRC
[22:42] *** rcernin has quit IRC
[22:45] *** adrian_otto has quit IRC
[22:48] *** lamt has quit IRC
[22:59] *** khamtamtun has quit IRC
[23:00] *** jperry has quit IRC
[23:05] *** guoshan has joined #openstack-keystone
[23:09] *** guoshan has quit IRC
[23:11] *** chris_hultin is now known as chris_hultin|AWA
[23:12] *** dave-mccowan has quit IRC
[23:23] *** lamt has joined #openstack-keystone
[23:29] <rderose> rderose
[23:32] <rderose> stevemar mfisch: sorry, stuck in meetings all day
[23:33] <rderose> stevemar mfisch: perhaps we can touch base tomorrow re PCI
[23:34] *** diazjf has quit IRC
[23:36] <rderose> stevemar: will look at https://bugs.launchpad.net/keystone/+bug/1268751 and try to reproduce. I'll get back to you on this.
[23:36] <openstack> Launchpad bug 1268751 in OpenStack Identity (keystone) "Potential token revocation abuse via group membership" [Low,Triaged] - Assigned to Ron De Rose (ronald-de-rose)
[23:41] *** lamt has quit IRC
[23:52] *** catintheroof has quit IRC
[23:54] *** catintheroof has joined #openstack-keystone
[23:55] *** lamt has joined #openstack-keystone
[23:58] *** catintheroof has quit IRC
[23:59] *** agrebennikov has quit IRC
[23:59] *** guoshan has joined #openstack-keystone