Wednesday, 2017-01-18

*** harlowja has joined #openstack-keystone		00:06
openstackgerrit	Merged openstack/keystone: Handling of 'region' parameter as None https://review.openstack.org/304489	00:24
*** agrebennikov has quit IRC		00:24
*** jose-phillips has quit IRC		00:28
*** stingaci has joined #openstack-keystone		00:30
*** jose-phillips has joined #openstack-keystone		00:30
*** jaosorior has quit IRC		00:31
openstackgerrit	Merged openstack/keystone: Exclude 'keystone_tempest_plugin' in doc build https://review.openstack.org/420171	00:33
*** thorst has joined #openstack-keystone		00:33
*** stingaci has quit IRC		00:34
*** thorst has quit IRC		00:34
*** adrian_otto has joined #openstack-keystone		00:35
*** ravelar has joined #openstack-keystone		00:36
*** lamt has joined #openstack-keystone		00:39
ayoung	If anyone is wondering, here is what Kubernetes is doing that is comparable to the RBAC from Middleware spec: https://kubernetes.io/docs/admin/authorization/#rbac-mode	00:39
*** chris_hultin is now known as chris_hultin\|AWA		00:39
*** ravelar has quit IRC		00:41
*** hoangcx has joined #openstack-keystone		00:52
*** jose-phillips has quit IRC		01:00
*** adrian_otto has quit IRC		01:05
*** jerrygb has quit IRC		01:11
*** jerrygb has joined #openstack-keystone		01:14
openstackgerrit	Ron De Rose proposed openstack/keystone: Add domain_id to the user table https://review.openstack.org/409874	01:14
*** liujiong has joined #openstack-keystone		01:16
*** adriant has quit IRC		01:18
*** lamt has quit IRC		01:22
*** dave-mccowan has quit IRC		01:26
*** Dinesh_Bhor has quit IRC		01:27
*** stevemar has quit IRC		01:27
*** basilAB has joined #openstack-keystone		01:28
*** Dinesh_Bhor has joined #openstack-keystone		01:29
*** stevemar has joined #openstack-keystone		01:29
*** adams.freenode.net sets mode: +o stevemar		01:29
*** thorst has joined #openstack-keystone		01:35
*** jhesketh has quit IRC		01:36
*** jhesketh has joined #openstack-keystone		01:36
*** thorst has quit IRC		01:40
openstackgerrit	Eric Brown proposed openstack/keystone: Catch potential SyntaxError in federation mapping https://review.openstack.org/421616	01:47
*** thorst has joined #openstack-keystone		01:50
*** thorst has quit IRC		01:50
*** edtubill has joined #openstack-keystone		01:51
*** browne1 has joined #openstack-keystone		01:52
*** browne has quit IRC		01:56
*** browne1 has quit IRC		01:56
openstackgerrit	Ron De Rose proposed openstack/keystone: Add domain_id to the user table https://review.openstack.org/409874	02:08
*** jrist has quit IRC		02:18
*** thorst has joined #openstack-keystone		02:30
*** browne has joined #openstack-keystone		02:30
*** jrist has joined #openstack-keystone		02:32
*** harlowja has quit IRC		02:36
*** browne has quit IRC		02:37
*** thorst has joined #openstack-keystone		02:56
*** thorst has quit IRC		02:56
openstackgerrit	Merged openstack/keystoneauth: Correctly Omit Response Body in Debug Mode https://review.openstack.org/421319	03:15
*** tqtran has joined #openstack-keystone		03:16
*** tqtran has quit IRC		03:18
*** dave-mccowan has joined #openstack-keystone		03:18
*** antwash has quit IRC		03:21
*** jlwhite has quit IRC		03:22
*** agrebennikov has joined #openstack-keystone		03:23
*** dave-mccowan has quit IRC		03:23
*** thorst has joined #openstack-keystone		03:27
*** thorst has quit IRC		03:33
*** sheel has joined #openstack-keystone		03:34
*** agrebennikov has quit IRC		03:58
*** links has joined #openstack-keystone		04:02
*** furface has joined #openstack-keystone		04:03
*** nicolasbock has quit IRC		04:17
*** jlwhite has joined #openstack-keystone		04:20
*** antwash has joined #openstack-keystone		04:21
*** agrebennikov has joined #openstack-keystone		04:29
*** stingaci has joined #openstack-keystone		04:31
openstackgerrit	Steve Martinelli proposed openstack/keystone: Fix typo in shibboleth federation docs https://review.openstack.org/317284	04:32
*** woodster_ has quit IRC		04:35
*** stingaci has quit IRC		04:36
*** adrian_otto has joined #openstack-keystone		04:41
*** agrebennikov_ has joined #openstack-keystone		04:49
*** agrebennikov has quit IRC		04:52
*** adrian_otto has quit IRC		04:55
*** agrebennikov_ has quit IRC		05:00
*** adrian_otto has joined #openstack-keystone		05:03
stevemar	#success number of open keystone bugs < 100 !	05:08
openstackstatus	stevemar: Added success to Success page	05:08
*** adrian_otto has quit IRC		05:09
*** furface has quit IRC		05:09
*** lucas has joined #openstack-keystone		05:13
*** dikonoor has joined #openstack-keystone		05:19
*** edmondsw has joined #openstack-keystone		05:20
stevemar	lbragstad: 94 bugs in keystone :D	05:20
*** edmondsw has quit IRC		05:24
*** jose-phillips has joined #openstack-keystone		05:26
*** agrebennikov_ has joined #openstack-keystone		05:27
*** thorst has joined #openstack-keystone		05:29
*** furface has joined #openstack-keystone		05:29
*** jose-phillips has quit IRC		05:31
*** thorst has quit IRC		05:34
*** agrebennikov_ has quit IRC		05:35
breton	morning, keystone	05:37
*** jerrygb has quit IRC		05:45
*** jerrygb has joined #openstack-keystone		05:46
*** Jack_V has joined #openstack-keystone		05:50
*** jerrygb has quit IRC		05:50
*** furface has quit IRC		05:59
*** lucas has quit IRC		06:04
*** tqtran has joined #openstack-keystone		06:05
*** liujiong has quit IRC		06:11
*** liujiong has joined #openstack-keystone		06:13
*** liujiong has quit IRC		06:17
*** liujiong has joined #openstack-keystone		06:20
*** richm has quit IRC		06:42
*** jose-phillips has joined #openstack-keystone		06:43
*** jose-phillips has quit IRC		06:47
*** edtubill has quit IRC		07:02
*** edtubill has joined #openstack-keystone		07:04
*** edtubill has quit IRC		07:08
*** jrist has quit IRC		07:11
*** jrist has joined #openstack-keystone		07:12
*** jrist has quit IRC		07:14
*** bapalm has quit IRC		07:16
*** jrist has joined #openstack-keystone		07:16
*** bapalm has joined #openstack-keystone		07:18
*** voelzmo has joined #openstack-keystone		07:21
*** tesseract has joined #openstack-keystone		07:25
*** tesseract has quit IRC		07:25
*** tesseract has joined #openstack-keystone		07:26
*** voelzmo has quit IRC		07:27
*** thorst has joined #openstack-keystone		07:30
*** voelzmo has joined #openstack-keystone		07:33
*** thorst has quit IRC		07:35
*** stewie925 has quit IRC		07:36
*** tqtran has quit IRC		07:47
*** thorst has joined #openstack-keystone		08:00
*** thorst has quit IRC		08:00
*** stingaci has joined #openstack-keystone		08:05
openstackgerrit	Merged openstack/keystone: Fix typo in shibboleth federation docs https://review.openstack.org/317284	08:06
*** dikonoor has quit IRC		08:26
*** markvoelker has joined #openstack-keystone		08:26
*** dikonoor has joined #openstack-keystone		08:26
*** zzzeek has quit IRC		09:00
*** zzzeek has joined #openstack-keystone		09:00
*** StefanPaetowJisc has joined #openstack-keystone		09:02
*** StefanPaetowJisc has quit IRC		09:11
*** StefanPaetowJisc has joined #openstack-keystone		09:11
*** jhesketh has quit IRC		09:27
*** jhesketh has joined #openstack-keystone		09:30
*** liujiong has quit IRC		09:40
*** pcaruana has joined #openstack-keystone		09:41
*** mvk has quit IRC		09:45
*** asettle has joined #openstack-keystone		09:58
*** thorst has joined #openstack-keystone		10:01
*** StefanPaetowJi-1 has joined #openstack-keystone		10:05
*** thorst has quit IRC		10:06
*** slunkad has quit IRC		10:06
*** hoangcx has quit IRC		10:06
*** StefanPaetowJi-1 has quit IRC		10:08
*** StefanPaetowJisc has quit IRC		10:09
*** slunkad has joined #openstack-keystone		10:10
*** thiagolib has joined #openstack-keystone		10:12
*** StefanPaetowJisc has joined #openstack-keystone		10:20
*** mvk has joined #openstack-keystone		10:21
*** pnavarro has joined #openstack-keystone		10:22
*** StefanPaetowJisc has quit IRC		10:23
*** pcaruana has quit IRC		10:38
*** edmondsw has joined #openstack-keystone		10:44
*** tqtran has joined #openstack-keystone		10:47
*** edmondsw has quit IRC		10:48
*** tqtran has quit IRC		10:50
*** herdesh has joined #openstack-keystone		11:06
herdesh	hi all	11:07
herdesh	Im getting error KeyError: 'OS-TRUST:trust' sometimes while executing a command	11:08
herdesh	can someone help on how to resolve the issue, or any configuration needed?	11:08
*** richm has joined #openstack-keystone		11:11
*** Jack_I has joined #openstack-keystone		11:14
*** Jack_V has quit IRC		11:16
*** nicolasbock has joined #openstack-keystone		11:53
*** pcaruana has joined #openstack-keystone		11:56
*** thorst has joined #openstack-keystone		12:02
*** thorst has quit IRC		12:06
*** dave-mccowan has joined #openstack-keystone		12:34
dstanek	herdesh: only some of the time?	12:35
*** masterjcool has quit IRC		12:42
*** links has quit IRC		12:46
*** thorst has joined #openstack-keystone		12:51
*** masterjcool has joined #openstack-keystone		12:54
*** jamielennox is now known as jamielennox\|away		12:59
*** edmondsw has joined #openstack-keystone		13:12
*** jamielennox\|away is now known as jamielennox		13:19
*** lamt has joined #openstack-keystone		13:23
*** lamt has quit IRC		13:24
*** agrebennikov_ has joined #openstack-keystone		13:41
*** catintheroof has joined #openstack-keystone		13:45
*** voelzmo has quit IRC		13:54
*** jerrygb has joined #openstack-keystone		13:56
*** jerrygb has quit IRC		13:59
*** jerrygb has joined #openstack-keystone		14:03
*** jerrygb has quit IRC		14:03
*** jerrygb has joined #openstack-keystone		14:04
lbragstad	stevemar nice!	14:09
lbragstad	I'll take it	14:09
stevemar	o/	14:19
*** jperry has joined #openstack-keystone		14:20
breton	i actually thought that we have fixed the webob issue, haven't we?	14:24
*** jperry has quit IRC		14:25
breton	oooh, so we have this error in keystone server now	14:25
breton	noce.	14:25
breton	*nice	14:25
*** jperry has joined #openstack-keystone		14:25
dstanek	breton: we do have an encoding error (or lack of)	14:27
*** pnavarro has quit IRC		14:30
openstackgerrit	Ron De Rose proposed openstack/keystone: WIP - Set the domain for federated users https://review.openstack.org/408332	14:30
*** voelzmo has joined #openstack-keystone		14:32
openstackgerrit	Ron De Rose proposed openstack/keystone: WIP - Set the domain for federated users https://review.openstack.org/408332	14:32
*** voelzmo has quit IRC		14:33
*** jose-phillips has joined #openstack-keystone		14:37
*** tqtran has joined #openstack-keystone		14:40
lbragstad	stevemar do we have any docs on `stable` versus `experimental` APIs?	14:40
lbragstad	stevemar i perused our dev docs and didn't find anything	14:41
rodrigods	lbragstad, iirc, the difference between stable/experimental was just a note in the specific docs	14:42
breton	dstanek: this is not an encoding error	14:45
dstanek	breton: ?	14:46
dstanek	we don't set the charset properly	14:46
lbragstad	rodrigods hmm - parsing the docs doesn't seem to turn up a format definition of either http://cdn.pasteraw.com/etnmfvefe38trn9uzly8eg7nsb1a0ia	14:46
breton	dstanek: this is lack of charset in the response	14:47
*** lucas__ has joined #openstack-keystone		14:47
dstanek	breton: exactly	14:47
breton	dstanek: https://review.openstack.org/#/c/415502/ and then https://review.openstack.org/#/c/416198/ is how we fixed it in ksm	14:48
dstanek	breton: it's an encoding issue in that webob doesn't know what encoding we are using	14:48
breton	dstanek: yep	14:49
dstanek	there is another issue too that i am trying to work out	14:49
*** spilla has joined #openstack-keystone		14:50
*** links has joined #openstack-keystone		14:56
*** links has quit IRC		14:56
*** adrian_otto has joined #openstack-keystone		14:56
stevemar	lbragstad: rodrigods there was something we did in the code too...	14:59
stevemar	lbragstad: rodrigods the JSON home documents had some logic about it: https://github.com/openstack/keystone/blob/fab399e26cdbe7cffba895f99d7247896ec6cb82/keystone/common/json_home.py#L61-L63	15:00
rodrigods	hmm	15:00
*** dikonoor has quit IRC		15:04
*** ravelar has joined #openstack-keystone		15:04
*** jistr is now known as jistr\|mtg		15:05
stevemar	rodrigods: lbragstad each API has a json home entry, so if we plan on marking an API as experimental we can do that	15:09
stevemar	but i believe we don't have any marked experimental	15:09
openstackgerrit	ChangBo Guo(gcb) proposed openstack/oslo.policy: Add optional exception for check_rules https://review.openstack.org/374251	15:09
lbragstad	interesting - cdent sent out a note about a discussion they had in the TC meeting yesterday	15:10
lbragstad	basically revamping the API guidelines	15:10
*** chris_hultin\|AWA is now known as chris_hultin		15:10
lbragstad	and there is a section in there on "extensions" which we don't have any more	15:10
lbragstad	(i'm not sure if many projects do either?)	15:10
stevemar	lbragstad: its kinda vague at the moment, but i think theres a move to getting away from extensions	15:11
stevemar	it was an issue early on when openstack growth was exploding	15:11
*** david-lyle has joined #openstack-keystone		15:13
*** openstack has joined #openstack-keystone		15:17
*** jlvillal_ has joined #openstack-keystone		15:17
*** odyssey4me has joined #openstack-keystone		15:17
*** BlackDex_ has joined #openstack-keystone		15:18
*** pcaruana is now known as pablo\|500\|		15:18
*** Dave has quit IRC		15:18
*** BlackDex has quit IRC		15:18
*** Dave has joined #openstack-keystone		15:19
*** asettle has quit IRC		15:19
*** dancn has quit IRC		15:19
*** briancurtin has quit IRC		15:19
*** jascott1 has quit IRC		15:19
*** martinus__ has quit IRC		15:19
*** jmccrory has quit IRC		15:19
*** chris_hultin has quit IRC		15:19
*** dtroyer has quit IRC		15:19
*** dstanek has quit IRC		15:19
*** mgagne has quit IRC		15:19
*** comstud has quit IRC		15:19
*** Daviey has quit IRC		15:19
*** DuncanT has quit IRC		15:19
*** rarora has quit IRC		15:19
*** zeus has quit IRC		15:19
*** mancdaz has quit IRC		15:19
*** woodburn has quit IRC		15:19
*** fungi has quit IRC		15:19
*** dancn has joined #openstack-keystone		15:19
*** asettle has joined #openstack-keystone		15:19
*** jlvillal_ is now known as jlvillal		15:20
*** fungi has joined #openstack-keystone		15:20
*** jlvillal is now known as Guest88977		15:20
*** dstanek has joined #openstack-keystone		15:22
*** chris_hultin has joined #openstack-keystone		15:22
*** mgagne has joined #openstack-keystone		15:22
*** comstud has joined #openstack-keystone		15:22
*** Daviey has joined #openstack-keystone		15:22
*** martinus__ has joined #openstack-keystone		15:22
*** jmccrory has joined #openstack-keystone		15:22
*** dtroyer has joined #openstack-keystone		15:22
*** zeus has joined #openstack-keystone		15:22
*** mancdaz has joined #openstack-keystone		15:22
*** woodburn has joined #openstack-keystone		15:22
*** mgagne has quit IRC		15:23
*** ChanServ sets mode: +v dstanek		15:23
*** mgagne has joined #openstack-keystone		15:23
*** mgagne is now known as Guest58531		15:23
*** BlackDex_ is now known as BlackDex		15:23
*** rarora has joined #openstack-keystone		15:24
*** v1k0d3n has joined #openstack-keystone		15:25
*** DuncanT has joined #openstack-keystone		15:27
*** lucas__ has quit IRC		15:28
*** briancurtin has joined #openstack-keystone		15:29
*** lucas__ has joined #openstack-keystone		15:29
openstackgerrit	Steve Martinelli proposed openstack/keystone: replace all hybrid properties with property https://review.openstack.org/422021	15:29
stevemar	rodrigods: lets see how ^ goes	15:30
openstackgerrit	Steve Martinelli proposed openstack/keystone: replace all hybrid properties with property https://review.openstack.org/422021	15:30
*** pnavarro has joined #openstack-keystone		15:30
rodrigods	stevemar, ++	15:31
stevemar	rodrigods: from what i gather from the docs, we shouldn't need @hybrid unless we are using it directly from the class	15:31
stevemar	rodrigods: so something like ... User.enabled or User.password	15:32
rodrigods	stevemar, something like "static" in java? :)	15:32
stevemar	shrugs doesn't remember java	15:33
*** v1k0d3n has quit IRC		15:33
*** v1k0d3n has joined #openstack-keystone		15:34
*** david-lyle has quit IRC		15:36
*** david-lyle_ has joined #openstack-keystone		15:36
*** david-lyle_ has quit IRC		15:37
*** david-lyle_ has joined #openstack-keystone		15:37
*** sheel has quit IRC		15:37
*** jaosorior has joined #openstack-keystone		15:41
*** v1k0d3n has quit IRC		15:41
*** david-lyle_ has quit IRC		15:41
knikolla	o/	15:42
knikolla	stevemar: static in java is similar to @classmethod in python, IIRC.	15:43
stevemar	morgan: mordred btw i will be creating a stable/ocata branch today for keystoneauth	15:43
stevemar	morgan: so the context manager stuff may have to wait	15:44
rodrigods	knikolla, ++	15:44
morgan	yeah it will wait	15:44
morgan	it's fine.	15:44
*** david-lyle has joined #openstack-keystone		15:47
mordred	stevemar: yah. totally fine - if I'd gotten my act together and made the example...	15:47
*** mvk has quit IRC		15:48
*** phalmos has joined #openstack-keystone		15:49
*** v1k0d3n has joined #openstack-keystone		15:49
*** jaugustine has joined #openstack-keystone		15:50
*** jistr\|mtg is now known as jistr		15:51
*** voelzmo has joined #openstack-keystone		15:52
*** voelzmo has quit IRC		15:53
*** voelzmo has joined #openstack-keystone		15:54
lbragstad	reminder that the policy meeting will be starting in a few minutes in #openstack-meeting-cp	15:56
*** adrian_otto has quit IRC		16:06
*** voelzmo has quit IRC		16:07
*** markvoelker has quit IRC		16:11
*** diazjf has joined #openstack-keystone		16:15
*** jose-phillips has quit IRC		16:16
*** phalmos has quit IRC		16:18
*** Guest88977 is now known as jlvillal		16:25
*** phalmos has joined #openstack-keystone		16:27
*** adrian_otto has joined #openstack-keystone		16:31
*** ravelar has quit IRC		16:34
*** dikonoor has joined #openstack-keystone		16:39
*** harlowja has joined #openstack-keystone		16:39
*** jose-phillips has joined #openstack-keystone		16:40
*** stingaci has quit IRC		16:41
*** ravelar has joined #openstack-keystone		16:46
*** sheel has joined #openstack-keystone		16:48
*** stingaci has joined #openstack-keystone		16:52
morgan	#success Good policy meeting, provided history and background that cleared up a lot of confusion	16:54
openstackstatus	morgan: Added success to Success page	16:54
knikolla	morgan: ++	16:55
asettle	stevemar: got a q for you again :)	16:55
asettle	Do you remember implementing this? https://review.openstack.org/#/c/289889/8	16:55
asettle	Sorry, not that patch in particular - you didn't write it. But you reviewed it.	16:55
stevemar	asettle: back in 2 minutes	16:57
asettle	o/	16:57
lbragstad	morgan ++	16:57
*** v1k0d3n has quit IRC		16:58
lbragstad	asettle what's up?	16:58
*** v1k0d3n has joined #openstack-keystone		16:58
asettle	lbragstad: well helloooooo. I'm checking out this bad boy: https://bugs.launchpad.net/openstack-manuals/+bug/1557165 and there was an old patch up for it that was abandoned.	16:58
openstack	Launchpad bug 1557165 in openstack-manuals " Add docs for additional bootstrap endpoint parameters" [Medium,Confirmed] - Assigned to olaph (zxkuqyb)	16:58
asettle	Reason: All of the necessary features merged after RC3. Therefore, the Mitaka version of the installation guide will continue to use the admin token method.	16:58
asettle	Was going to check in if we needed to reopen it for newton.	16:59
asettle	If not, closey the bugsey	16:59
*** phalmos has quit IRC		16:59
stevemar	asettle: i thought we use the bootstrap method now in the install guide?	17:01
asettle	We do indeedy, just checking if you wanted anything else?	17:02
stevemar	hmm	17:02
lbragstad	looks like we document the endpoint stuff in our devdocs - https://review.openstack.org/#/c/290226/3	17:02
asettle	That's probably the best place for it, tbh.	17:02
asettle	The install guide is fairly sufficient.	17:03
asettle	It is meant to be a manual install, not a config guide.	17:03
lbragstad	looks like we use the endpoint parameters in the install guide - http://docs.openstack.org/newton/install-guide-ubuntu/keystone-install.html	17:03
asettle	We could link to the dev docs. But if they're additional configurations, it's usually not 100% necessary.	17:04
asettle	Unless I'm completely misunderstanding?	17:04
lbragstad	asettle well - there are a bunch of things you can have bootstrap do for you	17:05
lbragstad	but I think most of those are actually documented pretty well in `keystone-manage bootstraps` help text	17:05
lbragstad	cc stevemar ^	17:05
asettle	lbragstad: well that's handy	17:06
*** lucas__ has quit IRC		17:07
lbragstad	asettle for example - http://cdn.pasteraw.com/55gblfvg9vaaykv0zv9vzjvqytxr5w6	17:07
asettle	hmmm to be fair then, I don't think we need it. If you're an operator, the idea is if you're doing a full install and not using a deployment project, you should have enough operations knowledge and administration experience to know to look at the help text.	17:07
lbragstad	makes sense	17:08
asettle	Cool, well, I think we can probably close this bad boy too.	17:11
lbragstad	asettle sweet	17:14
asettle	lbragstad: got another question for you if you have time? :) i'm going through the keystone bugs that are relatively old and making sure everything is up to date	17:14
*** edtubill has joined #openstack-keystone		17:15
lbragstad	asettle sure thing	17:15
asettle	https://bugs.launchpad.net/openstack-manuals/+bug/1517708 lbragstad this guy. I can see we still use 'revoke' in the install guide.	17:15
openstack	Launchpad bug 1517708 in openstack-manuals " Move revoke extension into core" [Medium,Confirmed]	17:15
asettle	So, I'm not entirely too sure what the doc impact is/was. As it's a docimpact bug - so not muc hinfo.	17:15
asettle	much*	17:15
asettle	https://bugs.launchpad.net/openstack-manuals/+bug/1459458 this one too - same vibes	17:16
openstack	Launchpad bug 1459458 in openstack-manuals " Move endpoint policy into keystone core" [Medium,Confirmed]	17:16
*** ravelar has quit IRC		17:16
asettle	yo dolphm - do you still want this documented: https://bugs.launchpad.net/openstack-manuals/+bug/1459402	17:17
openstack	Launchpad bug 1459402 in openstack-manuals "Conceptual overview of the Keystone service catalog" [Wishlist,Confirmed]	17:17
asettle	lbragstad: another 'move to core' one: https://bugs.launchpad.net/openstack-manuals/+bug/1517706	17:18
openstack	Launchpad bug 1517706 in openstack-manuals " Move oauth1 extension into core" [Undecided,Confirmed]	17:18
dolphm	asettle: actually, i think that did get documented in a cross-project effort	17:18
asettle	dolphm: good news! We can close that bad boy then?	17:19
lbragstad	asettle ah - so those extension ones are just saying that we need to make sure we don't advertise those extensions in our paste files	17:19
asettle	Oh! Um, so if the 'revoke' extension is still documented in teh install guide?	17:19
lbragstad	asettle for some context - when keystone used to have extension, we had a little document describing how to enable it, setup a db for it if it needed one, etc...	17:20
dolphm	asettle: maybe.. i was thinking of this https://specs.openstack.org/openstack/openstack-specs/specs/service-catalog.html	17:20
asettle	dolphm: I see, that's just a spec. The content then hasn't been implemented further?	17:21
*** v1k0d3n has quit IRC		17:21
*** phalmos has joined #openstack-keystone		17:21
asettle	lbragstad: oh right! Is that still applicable?	17:21
lbragstad	asettle when we moved all the extensions to be official keystone resources - we wanted to make sure the paste files didn't contain references to a revoke extension that no longer existed (because it moved in the source)	17:21
asettle	Oh I see, okay, jeez. Do you guys have a handy dandy list of all the things you don't want listed in the paste files?	17:21
stevemar	asettle: yay my laziness worked	17:21
lbragstad	asettle looking at the existing paste files, I don't see any extension in keystone sources	17:21
stevemar	thanks dolphm and lbragstad :D	17:21
*** tesseract has quit IRC		17:21
asettle	lbragstad: excellent, that's good to hear! I will close those for now, and tehn if it comes up I know what I'm looking for.	17:22
asettle	stevemar: you should do it more often :P	17:22
lbragstad	asettle i don't believe we have a list - i think we just follow a convention of correcting the change in a subsequent patch to the change the broke/modified it?	17:22
asettle	lbragstad: in docs as well as keystone?	17:22
lbragstad	asettle in keystone for sure	17:22
lbragstad	we would be modifying this file - https://github.com/openstack/keystone/blob/stable/mitaka/etc/keystone-paste.ini	17:22
dolphm	asettle: not that i'm able to google... although, i swear it exists somewhere	17:22
asettle	lbragstad: anything in here- http://docs.openstack.org/liberty/install-guide-rdo/keystone-install.html	17:22
*** ravelar has joined #openstack-keystone		17:23
asettle	dolphm: okay, we can work on implementing it in the docs a bit more. But I'll need you to fill out that bug with a bit more context of what exactly you want and why.	17:23
asettle	lbragstad: ignore that, I gave you the liberty link	17:23
* lbragstad was confused		17:23
*** browne has joined #openstack-keystone		17:24
asettle	lbragstad: sorry, http://docs.openstack.org/newton/install-guide-rdo/keystone-install.html	17:24
asettle	Looks like revoke etc has been removed in the up-to-date version	17:24
*** lucas__ has joined #openstack-keystone		17:25
lbragstad	asettle ++	17:25
lbragstad	I'm actually not seeing any references to keystone-paste.ini (or any paste file) in either of those links you mentioned	17:25
lbragstad	so i guess the contents would be determined by the packagers	17:25
*** edtubill has quit IRC		17:27
*** lucas__ has quit IRC		17:27
asettle	\o/	17:28
*** lucas__ has joined #openstack-keystone		17:28
openstackgerrit	Steve Martinelli proposed openstack/keystone: switch @hybrid_property to @property https://review.openstack.org/421468	17:29
*** lucas__ has quit IRC		17:30
gagehugo	stevemar: awesome, I was just looking at that, the bug should be done after that patch	17:30
stevemar	gagehugo: :)	17:30
stevemar	gagehugo: thanks for figuring everything out!	17:30
gagehugo	stevemar idk if I figured everything out, maybe some of it :)	17:31
gagehugo	was clueless on the property stuff vs hybrid	17:31
stevemar	gagehugo: team effort, but you did the patches :P	17:31
stevemar	gagehugo: did you get any feedback regarding PTG?	17:31
*** jose-phillips has quit IRC		17:32
*** harlowja has quit IRC		17:33
gagehugo	stevemar: not yet	17:33
stevemar	gagehugo: damn	17:34
gagehugo	stevemar: hopefully soon™, the tickets have been bought	17:34
*** v1k0d3n has joined #openstack-keystone		17:35
openstackgerrit	Ron De Rose proposed openstack/keystone: WIP - Set the domain for federated users https://review.openstack.org/408332	17:36
*** stevemar changes topic to "Meeting Agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting \| Ocata goals: https://docs.google.com/spreadsheets/d/156q820cXcEc8Y9YWQgoc_hyOm3AZ2jtMQM3zdDhwGFU/edit?usp=sharing \| Bugs that need triaging: http://bit.ly/2iJuN1h"		17:36
*** lamt__ has joined #openstack-keystone		17:36
openstackgerrit	Ron De Rose proposed openstack/keystone: WIP - Set the domain for federated users https://review.openstack.org/408332	17:36
*** david-lyle is now known as bailing-wire		17:37
*** markvoelker has joined #openstack-keystone		17:38
*** mvk has joined #openstack-keystone		17:38
*** catintheroof has quit IRC		17:44
*** catintheroof has joined #openstack-keystone		17:44
*** markvoelker_ has joined #openstack-keystone		17:44
*** catintheroof has quit IRC		17:44
*** catintheroof has joined #openstack-keystone		17:45
*** markvoelker has quit IRC		17:46
*** bailing-wire has quit IRC		17:46
*** mugsie has left #openstack-keystone		17:48
*** diazjf has quit IRC		17:49
*** catintheroof has quit IRC		17:50
*** lucas__ has joined #openstack-keystone		17:52
*** lucas__ has quit IRC		17:53
*** lucas__ has joined #openstack-keystone		17:54
*** markvoelker has joined #openstack-keystone		17:58
*** markvoelker_ has quit IRC		18:01
*** lucas__ has quit IRC		18:05
*** edtubill has joined #openstack-keystone		18:08
*** lucas__ has joined #openstack-keystone		18:08
openstackgerrit	Ron De Rose proposed openstack/keystone: Set the domain for federated users https://review.openstack.org/408332	18:08
*** lucas__ has quit IRC		18:09
rderose	stevemar: want to talk about PCI?	18:11
SamYaple	im more of an AGP person	18:12
rderose	SamYaple: :)	18:13
*** edtubill has quit IRC		18:17
stevemar	rderose: o/	18:22
rderose	stevemar: cool	18:22
rderose	stevemar: so regarding PCI force user to change their password patch, I've added more documentation	18:22
stevemar	rderose: so you want make all my users reset their password eh :)	18:22
rderose	:)	18:23
*** jerrygb has quit IRC		18:23
rderose	stevemar: I want to complete PCI	18:23
rderose	stevemar: I could make only effect password changes going forward, but that doesn't seem in the spirit of this security requirement	18:23
rderose	stevemar: I've added this: https://review.openstack.org/#/c/403916/26/doc/source/security_compliance.rst	18:24
rderose	stevemar: not sure what else we can do, it would be in their hands to properly plan	18:24
* stevemar goes to look at the patch		18:31
stevemar	rderose: so i flip the switch and enable this option, can the user reset their own password or must they go to an admin?	18:34
rderose	currently they must go to an admin	18:35
rderose	but, there is a patch out there to change this	18:35
rderose	where a user could change their password without a token	18:35
stevemar	rderose: gagehugo's patch?	18:36
rderose	yeah	18:36
gagehugo	o/	18:36
stevemar	rderose: i still think "completing PCI" is a garbage reason to do something	18:38
stevemar	every feature should have a use case	18:38
stevemar	someone should want us to do it	18:38
rderose	stevemar: what was the point of implementing PCI if we weren't going to complete it?	18:38
stevemar	rderose: at the summit we had several people ask us for specific PCI bits, we did those, no one has asked us for this	18:39
rderose	dolphm wrote this spec and it was his intention to include this requirement (when I spoke to him about this)	18:39
*** lamt__ is now known as lamt		18:39
stevemar	then say that, checking off ticky boxes isn't a good reason :P	18:39
rderose	stevemar: :)	18:40
*** lamt has quit IRC		18:40
stevemar	hmm http://specs.openstack.org/openstack/keystone-specs/specs/keystone/newton/pci-dss.html	18:40
*** lamt has joined #openstack-keystone		18:40
stevemar	without gagehugo's change this is a terrible UX	18:41
dikonoor	dolphm:stevemar: Hi..Is there any restrictions caching fernet token in memcache servers?	18:41
stevemar	rderose: last i looked at gagehugo's change it was pretty close	18:42
dikonoor	dolphm:stevemar: http://docs.openstack.org/admin-guide/identity-caching-layer.html says - "Fernet tokens do not need to be persisted in a back end and therefore must not be cached."	18:42
rderose	stevemar: I'm happy to make mine dependent on his	18:42
stevemar	dikonoor: not that i know of, caching is definitely recommended	18:42
gagehugo	I think the feature is definitely useful, especially if a user can change their own expired password	18:42
gagehugo	I'm almost done with mine, just need to address the decorator change I made	18:42
gagehugo	"almost"	18:42
rderose	gagehugo: ++	18:43
stevemar	gagehugo: yes i agree, but its only useful with your patch :P	18:43
dikonoor	stevemar: I thought so..the documentation just needs update then..https://bugs.launchpad.net/keystonemiddleware/+bug/1460225 anyway talks about using fernet with memcahe	18:43
openstack	Launchpad bug 1460225 in keystonemiddleware "Fernet + Memcache causes validation failures" [Medium,Fix released] - Assigned to Morgan Fainberg (mdrnstm)	18:43
dolphm	dikonoor: the opposite is true - fernet tokens SHOULD be cached. /me summons asettle	18:43
rderose	stevemar: okay, if I make my patch dependent on gagehugo's, will you unblock?	18:43
stevemar	rderose: OK, you addressed my main concerns: 1) no write on auth, 2) no locking out admin/service users and 3) self-service passwd changes	18:44
morgan	all token validation should be cached where possible	18:44
stevemar	rderose: no, don't worry about that. they don't conflict	18:44
dolphm	asettle: "Fernet tokens do not need to be persisted in a back end and therefore must not be cached." -> "Fernet tokens do not need to be persisted but should be cached for optimal performance." http://docs.openstack.org/admin-guide/identity-caching-layer.html	18:44
rderose	stevemar: cool	18:44
morgan	dolphm: ++	18:44
stevemar	rderose: lifting -2 :)	18:44
stevemar	rderose: see, i'm not that much of a hard ass	18:44
dikonoor	dolphm: i have a configuration where I did not set [token] caching= true (basically missed enabling it) ..and everything seems to work fine..So caching is recommended merely from a performance angle..isn't it	18:45
*** ravelar1 has joined #openstack-keystone		18:45
rderose	stevemar: \o/	18:45
rderose	:)	18:45
dolphm	dikonoor: yes	18:45
*** ravelar15 has joined #openstack-keystone		18:45
dolphm	dikonoor: if it's not a production system then you can skip caching	18:46
stevemar	rderose: actually they do conflict, but no need to stagger them honestly	18:46
dikonoor	dolphm: ok..got it..makes sense..thanks..just that the documentation confused me	18:46
stevemar	they => the two patches	18:46
dolphm	dikonoor: with good reason - it's wrong!	18:46
stevemar	rderose: gagehugo whoever goes in first wins, the other will have to rebase	18:46
gagehugo	stevemar: ok	18:47
stevemar	rderose: gagehugo we've got 1 week to get those 2 patches merged!	18:47
*** v1k0d3n has quit IRC		18:48
rderose	stevemar: ++	18:48
*** ravelar1 has quit IRC		18:49
gagehugo	++	18:49
*** ravelar15 has quit IRC		18:50
*** v1k0d3n has joined #openstack-keystone		18:52
*** lucas__ has joined #openstack-keystone		18:52
stevemar	gagehugo: rderose dolphm lbragstad dstanek samueldmq rodrigods: https://etherpad.openstack.org/p/keystone-sprint-to-ocata -- list of patches that have to land in the next week	18:53
dstanek	stevemar: k	18:53
dolphm	stevemar: thanks	18:53
gagehugo	stevemar: ok	18:53
samueldmq	stevemar: ack thanks sir	18:54
rderose	stevemar: ack	18:54
*** edtubill has joined #openstack-keystone		18:55
rderose	stevemar: would love to get his one in there as well: https://review.openstack.org/#/c/414720/	18:55
rderose	for exending user API to support federated attributes	18:55
rderose	ravelar: ^	18:56
stevemar	rderose: done	18:56
stevemar	i think that's enough for now, lets not add anything else	18:56
stevemar	so if you're working on something else, please dont :P	18:56
asettle	dolphm: coolio, this can be fixed! Unless you want to put in a patch ;)	18:59
stevemar	dolphm: can you check out https://bugs.launchpad.net/keystone/+bug/1636495 if you get a chance... ?	18:59
openstack	Launchpad bug 1636495 in OpenStack Identity (keystone) "Failures during db_sync --contract during Mitaka to Newton (live) upgrade" [High,Confirmed]	18:59
*** pramodrj07 has joined #openstack-keystone		19:00
* stevemar going afk for a bit		19:00
*** woodster_ has joined #openstack-keystone		19:01
dolphm	asettle: happy to - but what's the repo?	19:01
dolphm	stevemar: yes	19:01
asettle	dolphm: admin guide is openstack-manuals domain :)	19:01
asettle	Jump on in	19:01
asettle	https://github.com/openstack/openstack-manuals	19:01
dolphm	stevemar: oh wow, that's relatively old	19:01
dolphm	asettle: thanks	19:02
asettle	No problemo :) appreciate the patch!	19:02
asettle	Add me as a reviewer :)	19:02
*** pramodrj07 has quit IRC		19:06
*** lucas__ has quit IRC		19:06
*** lucas__ has joined #openstack-keystone		19:07
*** MasterOfBugs has joined #openstack-keystone		19:07
*** Jack_I has quit IRC		19:13
*** Jack_I has joined #openstack-keystone		19:13
dolphm	asettle: https://review.openstack.org/#/c/422176/	19:14
dolphm	cc- morgan: ^	19:14
dolphm	aand dikonoor ^	19:14
dikonoor	dolphm:yes	19:14
asettle	dolphm: gracias	19:15
dikonoor	dolphm: another question..This is around https://bugs.launchpad.net/keystonemiddleware/+bug/1657014 bug I opened	19:17
openstack	Launchpad bug 1657014 in keystonemiddleware "Incorrect deprecation warning for revocations" [Undecided,Incomplete]	19:17
*** lucas__ has quit IRC		19:17
*** stingaci has quit IRC		19:17
dikonoor	dolphm: which is about revocation flow which as per the deprecation is applicable to only PKI	19:18
*** lucas__ has joined #openstack-keystone		19:18
dikonoor	dolphm: so , i have fernet tokens configured.. and I wonder why is it that a non-pki flow doesn't have any logic to check for revoked tokens in cache ?	19:19
dikonoor	but i guess it caching is enabled in [revoke] of keystone.conf , the revoked tokens are cached..so when is-token-revoked rest call is made to keystone, it would first search in the cache	19:21
dolphm	dikonoor: keystone does not persist fernet tokens, therefore keystone cannot produce a list of revoked fernet tokens	19:21
dikonoor	in my fernet token configuration, i do get something for https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/_revocations.py#L60	19:22
dikonoor	-----BEGIN CMS-----	19:22
dikonoor	MIIBlQYJKoZIhvcNAQcCoIIBhjCCAYICAQExDTALBglghkgBZQMEAgEwHgYJKoZI	19:22
dikonoor	hvcNAQcBoBEED3sicmV2b2tlZCI6IFtdfTGCAUwwggFIAgEBMCMwHjEcMBoGA1UE	19:22
dikonoor	AwwTUG93ZXJWQyBrZXlzdG9uZSBDQQIBATALBglghkgBZQMEAgEwDQYJKoZIhvcN	19:22
dikonoor	AQEBBQAEggEAI0Gu6ilbcRMMZBA4oMHxJlny1A9cPTOs4ZdwK0maDMtwNqGnMT6y	19:22
dikonoor	ssOylsDzn/+4/hK7/hfdCUlSbzDXCd9U4np1WZvI5VF26YdtQxg2QbRvdO/lojiG	19:22
dikonoor	KxGFwM2NvEUXEfS5My3nXQSD9mfQWYNOiSHHLmneaBnUl8N1SllM1//HRfF0qjqT	19:22
dikonoor	0O7IAkOxcDFmIGxVDmhqhZBfqC82LVDeg7WcubLhRk9Od1Ix/EgpgWja+r3l3Klp	19:22
dikonoor	ix7hmRgPAnWWqX+RKsoB8nULW096hpby5fxELbx4HWH9hYnaWq2eC+dOcCeJ/Y8B	19:22
dikonoor	je2WgdORf7GWMpaqLFWgXK+9nwU5L8Q/+g==	19:22
dikonoor	-----END CMS-----	19:22
dikonoor	dolphm: and yeah.. I keep forgetting that fernet tokens dont reside in the db..so the check for revoked cached tokens don't make sense	19:23
*** spzala has joined #openstack-keystone		19:23
*** spzala has quit IRC		19:23
*** jerrygb has joined #openstack-keystone		19:24
*** Jack_I has quit IRC		19:25
*** Jack_I has joined #openstack-keystone		19:25
*** Jack_V has joined #openstack-keystone		19:29
*** Jack_I has quit IRC		19:29
*** jerrygb has quit IRC		19:29
*** dikonoor has quit IRC		19:31
*** Jack_I has joined #openstack-keystone		19:33
*** diazjf has joined #openstack-keystone		19:33
*** spilla has quit IRC		19:34
*** Jack_V has quit IRC		19:34
openstackgerrit	Eric Brown proposed openstack/keystone: Catch potential SyntaxError in federation mapping https://review.openstack.org/421616	19:35
morgan	dolphm: GAAAAAAAAAAAaaaaaaa </fernet>	19:36
morgan	dolphm: :P	19:36
*** stingaci has joined #openstack-keystone		19:38
*** stingaci has quit IRC		19:42
*** jidar has left #openstack-keystone		19:45
*** voelzmo has joined #openstack-keystone		19:48
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Force users to immediately change their password upon first use https://review.openstack.org/403916	19:52
MasterOfBugs	Hi All	19:53
MasterOfBugs	I am trying to install Devstack	19:53
MasterOfBugs	I am getting this error from Keystone	19:54
MasterOfBugs	Can anyone help me reolve this?	19:54
MasterOfBugs	This is the local.conf http://paste.openstack.org/show/595461/	19:54
*** bailing-wire has joined #openstack-keystone		20:00
*** bailing-wire is now known as david-lyle		20:02
*** markvoelker_ has joined #openstack-keystone		20:03
*** jerrygb has joined #openstack-keystone		20:05
*** markvoelker has quit IRC		20:05
*** raildo has quit IRC		20:05
openstackgerrit	OpenStack Release Bot proposed openstack/keystoneauth: Update reno for stable/ocata https://review.openstack.org/422208	20:06
*** jerrygb has quit IRC		20:13
openstackgerrit	OpenStack Release Bot proposed openstack/keystonemiddleware: Update reno for stable/ocata https://review.openstack.org/422213	20:14
dstanek	MasterOfBugs: what's the error?	20:17
lbragstad	morgan did we have a spec on unscoped roles somewhere?	20:17
morgan	lbragstad: nope	20:18
morgan	lbragstad: back in grizzly we had a code comment saying "this is not supported"	20:18
morgan	it might even still be lurking somewhere	20:18
lbragstad	morgan hm	20:22
lbragstad	morgan so by unscoped role we essentially mean - true RBAC, right?	20:22
lbragstad	i.e. if someone has the reader role, they are able to view things in all projects	20:23
MasterOfBugs	@dstanek - ++lib/keystone:create_keystone_accounts:372 openstack project show admin -f value -c id	20:23
MasterOfBugs	WARNING: openstackclient.common.utils is deprecated and will be removed after Jun 2017. Please use osc_lib.utils. This warning is caused by an out-of-date import in /usr/local/lib/python2.7/dist-packages/cueclient/osc/plugin.py	20:23
MasterOfBugs	Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL.	20:23
MasterOfBugs	Could not determine a suitable URL for the plugin	20:23
morgan	lbragstad: maybe.	20:24
morgan	lbragstad: i was thinking of it more like nova_admin -- why does it need a project	20:24
morgan	or nova_service	20:24
morgan	lbragstad: we really have never gone down this path, so open for interpretation	20:24
lbragstad	morgan because what we do today is a more specific version of RBAC called scoped RBAC	20:24
morgan	but yeah it would be RBAC for global roles vs SCOPED RBAC	20:25
morgan	but like i said, we haven't discussed this really except "nope we don't do it"	20:25
lbragstad	morgan ok - cool	20:26
lbragstad	so - in that world, what would that look like	20:26
morgan	shrug i was just looking at what would make service accounts and such easier to work with	20:26
morgan	and it may or may not make sense	20:26
morgan	but it's an option	20:26
lbragstad	morgan wouldn't that make the admin project case easier to deal with?	20:28
lbragstad	morgan i mean, you'd end up with a cloud_admin role that wouldn't require scoping to a specific (and mysterious) "admin" project	20:28
morgan	yes	20:29
morgan	it would	20:29
morgan	it could	20:29
morgan	there are benefits to global RBAC	20:29
morgan	it also may make security in some of the other projects a little more wonky.	20:29
morgan	there is a dirty way around it... we could also simply make cloud_admin an inherited role from the magical root domain	20:30
morgan	or similar for the global rbac, so the role exists for all projects (it's a lot of mechanism for scoping in that case) but ... i mean, like i said, we haven't really discussed besides "nope" in the past	20:30
*** markvoelker_ has quit IRC		20:32
lbragstad	morgan so, at this point, with the amount of deployments with massive amounts of projects, I would assume we'd need to have traditional RBAC (global RBAC) and scoped RBAC, like we do today	20:32
lbragstad	but the problem becomes, how do we distinguish global RBAC assignments from scoped ones?	20:33
morgan	that would be a function of the token data	20:33
morgan	ultimately we control the token data, the issuer, and such, we can pass info down however we want	20:34
lbragstad	sure	20:34
morgan	so how do we differentiate it? we explicitly do so	20:34
morgan	what does the data look like? I don't really care ;)	20:34
lbragstad	makes sense	20:34
morgan	we can figure that out in the process	20:34
lbragstad	so, we'd need to be able to say "this user get's this role" instead of "this user gets this role on this project"	20:35
lbragstad	then when a user gets an unscoped token - that information would be represented in there some how	20:35
morgan	it would be an unscoped token with roles	20:35
morgan	basically	20:35
lbragstad	got it	20:36
lbragstad	would we expect global roles to be visible in scoped tokens?	20:36
morgan	nope. i wouldn't	20:36
morgan	i would make it mutually exclusive	20:36
lbragstad	so by default, everything would still work today	20:36
morgan	so you can't take a "scoped token" and do "cloud admin" things	20:36
morgan	yep.	20:36
*** edmondsw has quit IRC		20:36
morgan	it would be a very explicit auth thing if we did this global role thing	20:37
lbragstad	morgan so - we would effectively be getting rid of the admin project workaround	20:37
morgan	i think it is one possible aspect	20:37
morgan	again, i think we need to think about the ramifications	20:37
morgan	a lot of bits in a lot of projects may need to change to support this	20:37
*** adrian_otto has quit IRC		20:38
lbragstad	i'd be curious to hear what edmondsw has to say about that	20:38
*** voelzmo has quit IRC		20:38
lbragstad	i know he has an opinion on the admin project	20:38
morgan	we've had the request for global roles for a number of cases	20:40
morgan	but from the policy front, it may be enough to drive the benefits in a way to tip the scales	20:40
lbragstad	well - we have global roles today	20:40
morgan	unscoped roles*	20:40
morgan	gyee asked for them at one point	20:40
morgan	among other things.	20:40
lbragstad	morgan do you know what they are? The main one I see is the ability to implement cloud_admin without the admin project workaround	20:41
openstackgerrit	Steve Martinelli proposed openstack/keystoneauth: Update reno for stable/ocata https://review.openstack.org/422208	20:41
openstackgerrit	Steve Martinelli proposed openstack/keystonemiddleware: Update reno for stable/ocata https://review.openstack.org/422213	20:42
morgan	service users don't need scope then, could be given broader powers within their project without explicitly being tied to a specific scope for resource acces (and likewise be prevented from doing some actions that should always havre a scope)	20:43
morgan	it allows differentiation.	20:43
stevemar	gagehugo: question for you	20:44
lbragstad	today service users are given a service or admin role on a specific project account, right?	20:44
gagehugo	stevemar: what's up?	20:44
stevemar	gagehugo: how would the expired password stuff work from the CLI?	20:44
*** adriant has joined #openstack-keystone		20:44
gagehugo	stevemar: the one Im working on or the query patch?	20:46
*** voelzmo has joined #openstack-keystone		20:46
gagehugo	stevemar: that spilla is working on	20:46
stevemar	gagehugo: the one you're working on	20:46
gagehugo	stevemar: I've been looking at KSC atm, there will probably need to be a change	20:47
gagehugo	stevemar: right now it shouldn't break anything, if you have that config option enabled it just skips checking the token in the header for change_password	20:48
stevemar	gagehugo: i just think it's going to blow up upon initiating a connection and getting a token	20:49
gagehugo	stevemar: how so?	20:50
*** voelzmo has quit IRC		20:50
stevemar	gagehugo: the clients go to '/users/%s/password'	20:53
morgan	lbragstad: yes	20:53
*** jerrygb has joined #openstack-keystone		20:53
stevemar	gagehugo: so it goes to the right API	20:54
stevemar	gagehugo: here's the OSC code: https://github.com/openstack/python-openstackclient/blob/master/openstackclient/identity/v3/user.py#L381-L437	20:54
stevemar	and the KSC code: https://github.com/openstack/python-keystoneclient/blob/71af540c81ecb933d912ef5ecde128afcc0deeeb/keystoneclient/v3/users.py#L207-L230	20:54
stevemar	gagehugo: i think you'll get lucky...	20:55
stevemar	since we put "required_scope = False" in the OSC code	20:55
*** haplo37_ has quit IRC		20:55
lbragstad	morgan so then each project could write a service role specific to that project's service operations?	20:55
stevemar	gagehugo: you can see it used here: https://github.com/openstack/osc-lib/blob/8e1f3c2f9c44fd3e20bb2fcbea116b5a7b73674f/osc_lib/shell.py#L453	20:56
*** v1k0d3n has quit IRC		20:56
gagehugo	stevemar: ah	20:56
stevemar	gagehugo: i think we may also need to add "auth_required = False" like here: https://github.com/openstack/python-openstackclient/blob/0ef8535036c3739d798fd5627ae142d121f20d42/openstackclient/common/module.py#L30	20:57
openstackgerrit	David Stanek proposed openstack/keystone: Small fixes for WebOb 1.7 compatibiltity https://review.openstack.org/422234	20:58
*** haplo37_ has joined #openstack-keystone		20:58
*** spilla has joined #openstack-keystone		20:58
gagehugo	stevemar: so even if it does require auth? It would only not require auth if the config setting is enabled, otherwise it does require auth	20:59
*** adrian_otto has joined #openstack-keystone		21:00
* lbragstad sneaks away to grab a coffee quick		21:00
morgan	lbragstad: yep	21:06
* morgan looks at coffee and realizes... i am sans caffiene		21:06
gagehugo	stevemar: I'll test the current patchset with OSC, it works but the decorator is kinda hacky	21:09
stevemar	gagehugo: yeah, good call	21:11
*** jaugustine has quit IRC		21:11
*** jperry has quit IRC		21:15
*** Jack_I has quit IRC		21:15
lbragstad	morgan ok - so then an example of a service operation would be?	21:16
*** voelzmo has joined #openstack-keystone		21:17
*** voelzmo has quit IRC		21:22
browne	Can I get some reviewer's eyes on https://review.openstack.org/#/c/421616/? I want to cherrypick back to Mitaka where we observed the issue in our environment	21:22
*** v1k0d3n has joined #openstack-keystone		21:23
*** tjones has joined #openstack-keystone		21:23
gagehugo	stevemar: OSC works, can get a token	21:23
morgan	lbragstad: not sure	21:24
morgan	i haven't looked too closely	21:25
morgan	but i know there are service user actions	21:25
stevemar	gagehugo: what about reset your pw?	21:25
gagehugo	stevemar: checking that now	21:25
*** MasterOfBugs has quit IRC		21:25
*** pnavarro has quit IRC		21:25
stevemar	gagehugo: what about reset your pw, when it's been expired*	21:25
stevemar	:)	21:26
*** MasterOfBugs has joined #openstack-keystone		21:26
lbragstad	morgan gotcha - you mean things that a service does on behalf of a user?	21:26
lbragstad	or something else?	21:26
*** jamielennox is now known as jamielennox\|away		21:26
morgan	some cases services do things and track things directly	21:28
morgan	but like i said, i haven't looked closely lately	21:28
lbragstad	and not on behalf of a user	21:28
*** voelzmo has joined #openstack-keystone		21:29
*** diazjf has quit IRC		21:29
*** jerrygb_ has joined #openstack-keystone		21:30
*** diazjf has joined #openstack-keystone		21:31
*** jerrygb has quit IRC		21:33
openstackgerrit	David Stanek proposed openstack/keystone: Small fixes for WebOb 1.7 compatibiltity https://review.openstack.org/422234	21:42
*** lucas__ has quit IRC		21:43
*** severion has joined #openstack-keystone		21:47
gagehugo	stevemar: OSC won't let you change your password if expired	21:47
*** ksavich has joined #openstack-keystone		21:47
gagehugo	stevemar: no blowing up though	21:47
*** voelzmo has quit IRC		21:48
*** stingaci has joined #openstack-keystone		21:49
*** ksavich has left #openstack-keystone		21:50
*** lamt has quit IRC		21:51
*** lamt has joined #openstack-keystone		21:52
*** stingaci has quit IRC		21:54
*** severion has quit IRC		21:56
*** severion has joined #openstack-keystone		21:56
*** severion has quit IRC		21:58
morgan	lbragstad: if it's doing something on behalf of a user it should be using the user's token (currently)	22:00
*** severion has joined #openstack-keystone		22:00
morgan	lbragstad: since the user should be the owner	22:00
*** severion is now known as v1k0d3m		22:00
lbragstad	morgan that makes sense	22:00
*** v1k0d3m has quit IRC		22:01
morgan	lbragstad: long term that may change somewhat. but i think we'll identify more when we discuss more. hit up the nova and neutron folks and ask what their service user does	22:01
morgan	i think nova does things like downloading glance images and doesn't always have the user token	22:01
morgan	for example	22:01
morgan	(like on a compute restart)	22:01
lbragstad	aha	22:01
*** lucas has joined #openstack-keystone		22:02
*** severion has joined #openstack-keystone		22:03
*** agrebennikov_ has quit IRC		22:06
*** lucas has quit IRC		22:07
*** thorst has quit IRC		22:07
*** diazjf has quit IRC		22:08
stevemar	gagehugo: ah	22:09
stevemar	gagehugo: want to try changing it locally? need instructions on how?	22:09
gagehugo	stevemar: sure	22:09
*** jamielennox\|away is now known as jamielennox		22:10
stevemar	lbragstad: http://lists.openstack.org/pipermail/openstack-operators/2017-January/012470.html	22:12
stevemar	gagehugo: okay, clone the OSC repo	22:13
stevemar	git clone https://github.com/openstack/python-openstackclient	22:13
stevemar	make a virtualenv	22:13
stevemar	$ virtualenv test_expires	22:14
stevemar	source it	22:14
stevemar	$ source test_expires/bin/activate	22:14
lbragstad	stevemar is sam morrison around?	22:14
stevemar	now that you're in that virtualenv, you can modify the local OSC file	22:14
lbragstad	stevemar do you have an IRC nick?	22:14
gagehugo	ok	22:15
stevemar	lbragstad: no idea :)	22:15
stevemar	gagehugo: try changing https://github.com/openstack/python-openstackclient/blob/master/openstackclient/identity/v3/user.py#L384	22:16
stevemar	to "required_auth = False"	22:16
stevemar	gagehugo: then install OSC locally by running $ pip install -e .	22:16
stevemar	from the cloned OSC directory...	22:16
stevemar	gagehugo: you'll be running the local version of osc now, you can see if by running $ which openstack	22:17
*** jaugustine has joined #openstack-keystone		22:17
stevemar	when you're done, just run $ deactivate	22:17
stevemar	and delete the virtualenv	22:17
gagehugo	stevemar: same result	22:23
stevemar	hmm	22:23
stevemar	gagehugo: run it with --debug and paste the result	22:23
*** diazjf has joined #openstack-keystone		22:24
stevemar	gagehugo: i think OSC tries to establish a connection first before attempting to do anything	22:24
*** v1k0d3n has quit IRC		22:24
*** jamielennox is now known as jamielennox\|away		22:24
stevemar	gagehugo: change password only used to work with a correct "old password"	22:24
stevemar	not an expired one	22:24
*** severion has quit IRC		22:24
gagehugo	stevemar: correct	22:25
*** portdirect is now known as shipindirect		22:25
gagehugo	stevemar: yeah OSC tries to authenticate	22:25
gagehugo	one sec	22:25
openstackgerrit	Steve Martinelli proposed openstack/keystone: switch @hybrid_property to @property https://review.openstack.org/421468	22:27
*** browne has quit IRC		22:27
*** dave-mccowan has quit IRC		22:28
gagehugo	http://paste.openstack.org/show/595484/	22:29
gagehugo	stevemar: ^	22:29
*** david-lyle has quit IRC		22:32
*** agrebennikov_ has joined #openstack-keystone		22:36
*** phalmos has quit IRC		22:36
openstackgerrit	Gage Hugo proposed openstack/keystone: Allow user to change own expired password https://review.openstack.org/404022	22:38
*** thorst has joined #openstack-keystone		22:39
*** spilla has quit IRC		22:39
*** david-lyle has joined #openstack-keystone		22:40
*** lamt has quit IRC		22:40
*** thorst has quit IRC		22:41
*** lamt has joined #openstack-keystone		22:42
*** jaugustine has quit IRC		22:43
bknudson	the mailing list discussion started with `why's nobody using barbican` and will soon become `nobody needs keystone`.	22:50
jlopezgu	rderose: are u there?	22:50
*** sshen has joined #openstack-keystone		22:50
rderose	jlopezgu: yeah, what's up	22:51
*** edtubill has quit IRC		22:51
jlopezgu	i'm trying to update the patch before the release, sorry I've been in something else	22:51
jlopezgu	I want to test it but destroyed my env	22:51
jlopezgu	already created a new one	22:51
jlopezgu	but how do I enable the password expires at?	22:52
jlopezgu	I need to modify ... and restart keystone, right?	22:52
rderose	right	22:52
jlopezgu	where do i need to modify?	22:53
rderose	so modify keystone config and set password_expires_days	22:53
jlopezgu	perfect, thanks	22:53
rderose	jlopezgu: https://github.com/openstack/keystone/blob/master/etc/keystone.conf.sample#L2609	22:54
rderose	jlopezgu: there is also password_expires_ignore_user_ids	22:54
rderose	to ignore service accounts (if you want)	22:54
rderose	jlopezgu: np, let me know if you need anything else	22:54
*** tjones has left #openstack-keystone		22:55
*** diazjf has quit IRC		22:58
*** agrebennikov_ has quit IRC		23:00
*** chris_hultin is now known as chris_hultin\|AWA		23:06
openstackgerrit	Merged openstack/keystoneauth: Update reno for stable/ocata https://review.openstack.org/422208	23:13
*** adrian_otto has quit IRC		23:16
*** sheel has quit IRC		23:24
*** fungi has quit IRC		23:24
*** dancn has quit IRC		23:24
*** Dinesh_Bhor has quit IRC		23:24
*** stevemar has quit IRC		23:24
*** sheel has joined #openstack-keystone		23:24
*** fungi has joined #openstack-keystone		23:24
*** dancn has joined #openstack-keystone		23:24
*** Dinesh_Bhor has joined #openstack-keystone		23:24
*** stevemar has joined #openstack-keystone		23:24
*** adams.freenode.net sets mode: +o stevemar		23:24
gagehugo	stevemar: tried auth_required (https://github.com/openstack/osc-lib/blob/master/osc_lib/shell.py#L451-L455) thanks lamt, now just get "No valid authentication is available"	23:29
*** adrian_otto has joined #openstack-keystone		23:32
*** sorrison has joined #openstack-keystone		23:33
*** freerunner has quit IRC		23:34
*** NikitaKonovalov has quit IRC		23:34
*** DinaBelova has quit IRC		23:34
*** DinaBelova has joined #openstack-keystone		23:35
*** NikitaKonovalov has joined #openstack-keystone		23:36
*** freerunner has joined #openstack-keystone		23:36
*** nkinder has quit IRC		23:39
*** jerrygb_ has quit IRC		23:42
*** shipindirect is now known as portdirect		23:43
*** jerrygb has joined #openstack-keystone		23:48
*** jaosorior has quit IRC		23:49
*** browne has joined #openstack-keystone		23:49
*** lamt has quit IRC		23:50
openstackgerrit	Merged openstack/keystonemiddleware: Update reno for stable/ocata https://review.openstack.org/422213	23:53
*** lamt has joined #openstack-keystone		23:53
*** lamt has quit IRC		23:55
*** NikitaKonovalov has quit IRC		23:57
*** freerunner has quit IRC		23:57
*** DinaBelova has quit IRC		23:57
*** DinaBelova has joined #openstack-keystone		23:57
*** NikitaKonovalov has joined #openstack-keystone		23:58
*** freerunner has joined #openstack-keystone		23:58
*** DinaBelova has quit IRC		23:59
*** NikitaKonovalov has quit IRC		23:59
*** freerunner has quit IRC		23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!