Wednesday, 2017-01-18

[00:06] *** harlowja has joined #openstack-keystone
[00:24] <openstackgerrit> Merged openstack/keystone: Handling of 'region' parameter as None https://review.openstack.org/304489
[00:24] *** agrebennikov has quit IRC
[00:28] *** jose-phillips has quit IRC
[00:30] *** stingaci has joined #openstack-keystone
[00:30] *** jose-phillips has joined #openstack-keystone
[00:31] *** jaosorior has quit IRC
[00:33] <openstackgerrit> Merged openstack/keystone: Exclude 'keystone_tempest_plugin' in doc build https://review.openstack.org/420171
[00:33] *** thorst has joined #openstack-keystone
[00:34] *** stingaci has quit IRC
[00:34] *** thorst has quit IRC
[00:35] *** adrian_otto has joined #openstack-keystone
[00:36] *** ravelar has joined #openstack-keystone
[00:39] *** lamt has joined #openstack-keystone
[00:39] <ayoung> If anyone is wondering, here is what Kubernetes is doing that is comparable to the RBAC from Middleware spec: https://kubernetes.io/docs/admin/authorization/#rbac-mode
[00:39] *** chris_hultin is now known as chris_hultin|AWA
[00:41] *** ravelar has quit IRC
[00:52] *** hoangcx has joined #openstack-keystone
[01:00] *** jose-phillips has quit IRC
[01:05] *** adrian_otto has quit IRC
[01:11] *** jerrygb has quit IRC
[01:14] *** jerrygb has joined #openstack-keystone
[01:14] <openstackgerrit> Ron De Rose proposed openstack/keystone: Add domain_id to the user table https://review.openstack.org/409874
[01:16] *** liujiong has joined #openstack-keystone
[01:18] *** adriant has quit IRC
[01:22] *** lamt has quit IRC
[01:26] *** dave-mccowan has quit IRC
[01:27] *** Dinesh_Bhor has quit IRC
[01:27] *** stevemar has quit IRC
[01:28] *** basilAB has joined #openstack-keystone
[01:29] *** Dinesh_Bhor has joined #openstack-keystone
[01:29] *** stevemar has joined #openstack-keystone
[01:29] *** adams.freenode.net sets mode: +o stevemar
[01:35] *** thorst has joined #openstack-keystone
[01:36] *** jhesketh has quit IRC
[01:36] *** jhesketh has joined #openstack-keystone
[01:40] *** thorst has quit IRC
[01:47] <openstackgerrit> Eric Brown proposed openstack/keystone: Catch potential SyntaxError in federation mapping https://review.openstack.org/421616
[01:50] *** thorst has joined #openstack-keystone
[01:50] *** thorst has quit IRC
[01:51] *** edtubill has joined #openstack-keystone
[01:52] *** browne1 has joined #openstack-keystone
[01:56] *** browne has quit IRC
[01:56] *** browne1 has quit IRC
[02:08] <openstackgerrit> Ron De Rose proposed openstack/keystone: Add domain_id to the user table https://review.openstack.org/409874
[02:18] *** jrist has quit IRC
[02:30] *** thorst has joined #openstack-keystone
[02:30] *** browne has joined #openstack-keystone
[02:32] *** jrist has joined #openstack-keystone
[02:36] *** harlowja has quit IRC
[02:37] *** browne has quit IRC
[02:56] *** thorst has joined #openstack-keystone
[02:56] *** thorst has quit IRC
[03:15] <openstackgerrit> Merged openstack/keystoneauth: Correctly Omit Response Body in Debug Mode https://review.openstack.org/421319
[03:16] *** tqtran has joined #openstack-keystone
[03:18] *** tqtran has quit IRC
[03:18] *** dave-mccowan has joined #openstack-keystone
[03:21] *** antwash has quit IRC
[03:22] *** jlwhite has quit IRC
[03:23] *** agrebennikov has joined #openstack-keystone
[03:23] *** dave-mccowan has quit IRC
[03:27] *** thorst has joined #openstack-keystone
[03:33] *** thorst has quit IRC
[03:34] *** sheel has joined #openstack-keystone
[03:58] *** agrebennikov has quit IRC
[04:02] *** links has joined #openstack-keystone
[04:03] *** furface has joined #openstack-keystone
[04:17] *** nicolasbock has quit IRC
[04:20] *** jlwhite has joined #openstack-keystone
[04:21] *** antwash has joined #openstack-keystone
[04:29] *** agrebennikov has joined #openstack-keystone
[04:31] *** stingaci has joined #openstack-keystone
[04:32] <openstackgerrit> Steve Martinelli proposed openstack/keystone: Fix typo in shibboleth federation docs https://review.openstack.org/317284
[04:35] *** woodster_ has quit IRC
[04:36] *** stingaci has quit IRC
[04:41] *** adrian_otto has joined #openstack-keystone
[04:49] *** agrebennikov_ has joined #openstack-keystone
[04:52] *** agrebennikov has quit IRC
[04:55] *** adrian_otto has quit IRC
[05:00] *** agrebennikov_ has quit IRC
[05:03] *** adrian_otto has joined #openstack-keystone
[05:08] <stevemar> #success number of open keystone bugs < 100 !
[05:08] <openstackstatus> stevemar: Added success to Success page
[05:09] *** adrian_otto has quit IRC
[05:09] *** furface has quit IRC
[05:13] *** lucas has joined #openstack-keystone
[05:19] *** dikonoor has joined #openstack-keystone
[05:20] *** edmondsw has joined #openstack-keystone
[05:20] <stevemar> lbragstad: 94 bugs in keystone :D
[05:24] *** edmondsw has quit IRC
[05:26] *** jose-phillips has joined #openstack-keystone
[05:27] *** agrebennikov_ has joined #openstack-keystone
[05:29] *** thorst has joined #openstack-keystone
[05:29] *** furface has joined #openstack-keystone
[05:31] *** jose-phillips has quit IRC
[05:34] *** thorst has quit IRC
[05:35] *** agrebennikov_ has quit IRC
[05:37] <breton> morning, keystone
[05:45] *** jerrygb has quit IRC
[05:46] *** jerrygb has joined #openstack-keystone
[05:50] *** Jack_V has joined #openstack-keystone
[05:50] *** jerrygb has quit IRC
[05:59] *** furface has quit IRC
[06:04] *** lucas has quit IRC
[06:05] *** tqtran has joined #openstack-keystone
[06:11] *** liujiong has quit IRC
[06:13] *** liujiong has joined #openstack-keystone
[06:17] *** liujiong has quit IRC
[06:20] *** liujiong has joined #openstack-keystone
[06:42] *** richm has quit IRC
[06:43] *** jose-phillips has joined #openstack-keystone
[06:47] *** jose-phillips has quit IRC
[07:02] *** edtubill has quit IRC
[07:04] *** edtubill has joined #openstack-keystone
[07:08] *** edtubill has quit IRC
[07:11] *** jrist has quit IRC
[07:12] *** jrist has joined #openstack-keystone
[07:14] *** jrist has quit IRC
[07:16] *** bapalm has quit IRC
[07:16] *** jrist has joined #openstack-keystone
[07:18] *** bapalm has joined #openstack-keystone
[07:21] *** voelzmo has joined #openstack-keystone
[07:25] *** tesseract has joined #openstack-keystone
[07:25] *** tesseract has quit IRC
[07:26] *** tesseract has joined #openstack-keystone
[07:27] *** voelzmo has quit IRC
[07:30] *** thorst has joined #openstack-keystone
[07:33] *** voelzmo has joined #openstack-keystone
[07:35] *** thorst has quit IRC
[07:36] *** stewie925 has quit IRC
[07:47] *** tqtran has quit IRC
[08:00] *** thorst has joined #openstack-keystone
[08:00] *** thorst has quit IRC
[08:05] *** stingaci has joined #openstack-keystone
[08:06] <openstackgerrit> Merged openstack/keystone: Fix typo in shibboleth federation docs https://review.openstack.org/317284
[08:26] *** dikonoor has quit IRC
[08:26] *** markvoelker has joined #openstack-keystone
[08:26] *** dikonoor has joined #openstack-keystone
[09:00] *** zzzeek has quit IRC
[09:00] *** zzzeek has joined #openstack-keystone
[09:02] *** StefanPaetowJisc has joined #openstack-keystone
[09:11] *** StefanPaetowJisc has quit IRC
[09:11] *** StefanPaetowJisc has joined #openstack-keystone
[09:27] *** jhesketh has quit IRC
[09:30] *** jhesketh has joined #openstack-keystone
[09:40] *** liujiong has quit IRC
[09:41] *** pcaruana has joined #openstack-keystone
[09:45] *** mvk has quit IRC
[09:58] *** asettle has joined #openstack-keystone
[10:01] *** thorst has joined #openstack-keystone
[10:05] *** StefanPaetowJi-1 has joined #openstack-keystone
[10:06] *** thorst has quit IRC
[10:06] *** slunkad has quit IRC
[10:06] *** hoangcx has quit IRC
[10:08] *** StefanPaetowJi-1 has quit IRC
[10:09] *** StefanPaetowJisc has quit IRC
[10:10] *** slunkad has joined #openstack-keystone
[10:12] *** thiagolib has joined #openstack-keystone
[10:20] *** StefanPaetowJisc has joined #openstack-keystone
[10:21] *** mvk has joined #openstack-keystone
[10:22] *** pnavarro has joined #openstack-keystone
[10:23] *** StefanPaetowJisc has quit IRC
[10:38] *** pcaruana has quit IRC
[10:44] *** edmondsw has joined #openstack-keystone
[10:47] *** tqtran has joined #openstack-keystone
[10:48] *** edmondsw has quit IRC
[10:50] *** tqtran has quit IRC
[11:06] *** herdesh has joined #openstack-keystone
[11:07] <herdesh> hi all
[11:08] <herdesh> I'm getting error KeyError: 'OS-TRUST:trust' sometimes while executing a command
[11:08] <herdesh> can someone help on how to resolve the issue, or any configuration needed?
[11:11] *** richm has joined #openstack-keystone
[11:14] *** Jack_I has joined #openstack-keystone
[11:16] *** Jack_V has quit IRC
[11:53] *** nicolasbock has joined #openstack-keystone
[11:56] *** pcaruana has joined #openstack-keystone
[12:02] *** thorst has joined #openstack-keystone
[12:06] *** thorst has quit IRC
[12:34] *** dave-mccowan has joined #openstack-keystone
[12:35] <dstanek> herdesh: only some of the time?
[12:42] *** masterjcool has quit IRC
[12:46] *** links has quit IRC
[12:51] *** thorst has joined #openstack-keystone
[12:54] *** masterjcool has joined #openstack-keystone
[12:59] *** jamielennox is now known as jamielennox|away
[13:12] *** edmondsw has joined #openstack-keystone
[13:19] *** jamielennox|away is now known as jamielennox
[13:23] *** lamt has joined #openstack-keystone
[13:24] *** lamt has quit IRC
[13:41] *** agrebennikov_ has joined #openstack-keystone
[13:45] *** catintheroof has joined #openstack-keystone
[13:54] *** voelzmo has quit IRC
[13:56] *** jerrygb has joined #openstack-keystone
[13:59] *** jerrygb has quit IRC
[14:03] *** jerrygb has joined #openstack-keystone
[14:03] *** jerrygb has quit IRC
[14:04] *** jerrygb has joined #openstack-keystone
[14:09] <lbragstad> stevemar nice!
[14:09] <lbragstad> I'll take it
[14:19] <stevemar> o/
[14:20] *** jperry has joined #openstack-keystone
[14:24] <breton> i actually thought that we have fixed the webob issue, haven't we?
[14:25] *** jperry has quit IRC
[14:25] <breton> oooh, so we have this error in keystone server now
[14:25] <breton> noce.
[14:25] <breton> *nice
[14:25] *** jperry has joined #openstack-keystone
[14:27] <dstanek> breton: we do have an encoding error (or lack of)
[14:30] *** pnavarro has quit IRC
[14:30] <openstackgerrit> Ron De Rose proposed openstack/keystone: WIP - Set the domain for federated users https://review.openstack.org/408332
[14:32] *** voelzmo has joined #openstack-keystone
[14:32] <openstackgerrit> Ron De Rose proposed openstack/keystone: WIP - Set the domain for federated users https://review.openstack.org/408332
[14:33] *** voelzmo has quit IRC
[14:37] *** jose-phillips has joined #openstack-keystone
[14:40] *** tqtran has joined #openstack-keystone
[14:40] <lbragstad> stevemar do we have any docs on `stable` versus `experimental` APIs?
[14:41] <lbragstad> stevemar i perused our dev docs and didn't find anything
[14:42] <rodrigods> lbragstad, iirc, the difference between stable/experimental was just a note in the specific docs
[14:45] <breton> dstanek: this is not an encoding error
[14:46] <dstanek> breton: ?
[14:46] <dstanek> we don't set the charset properly
[14:46] <lbragstad> rodrigods hmm - parsing the docs doesn't seem to turn up a format definition of either http://cdn.pasteraw.com/etnmfvefe38trn9uzly8eg7nsb1a0ia
[14:47] <breton> dstanek: this is lack of charset in the response
[14:47] *** lucas__ has joined #openstack-keystone
[14:47] <dstanek> breton: exactly
[14:48] <breton> dstanek: https://review.openstack.org/#/c/415502/ and then https://review.openstack.org/#/c/416198/ is how we fixed it in ksm
[14:48] <dstanek> breton: it's an encoding issue in that webob doesn't know what encoding we are using
[14:49] <breton> dstanek: yep
[14:49] <dstanek> there is another issue too that i am trying to work out
[14:50] *** spilla has joined #openstack-keystone
[14:56] *** links has joined #openstack-keystone
[14:56] *** links has quit IRC
[14:56] *** adrian_otto has joined #openstack-keystone
[14:59] <stevemar> lbragstad: rodrigods there was something we did in the code too...
[15:00] <stevemar> lbragstad: rodrigods the JSON home documents had some logic about it: https://github.com/openstack/keystone/blob/fab399e26cdbe7cffba895f99d7247896ec6cb82/keystone/common/json_home.py#L61-L63
[15:00] <rodrigods> hmm
[15:04] *** dikonoor has quit IRC
[15:04] *** ravelar has joined #openstack-keystone
[15:05] *** jistr is now known as jistr|mtg
[15:09] <stevemar> rodrigods: lbragstad each API has a json home entry, so if we plan on marking an API as experimental we can do that
[15:09] <stevemar> but i believe we don't have any marked experimental
[15:09] <openstackgerrit> ChangBo Guo(gcb) proposed openstack/oslo.policy: Add optional exception for check_rules https://review.openstack.org/374251
[15:10] <lbragstad> interesting - cdent sent out a note about a discussion they had in the TC meeting yesterday
[15:10] <lbragstad> basically revamping the API guidelines
[15:10] *** chris_hultin|AWA is now known as chris_hultin
[15:10] <lbragstad> and there is a section in there on "extensions" which we don't have any more
[15:10] <lbragstad> (i'm not sure if many projects do either?)
[15:11] <stevemar> lbragstad: its kinda vague at the moment, but i think theres a move to getting away from extensions
[15:11] <stevemar> it was an issue early on when openstack growth was exploding
*** openstack has joined #openstack-keystone15:17
*** jlvillal_ has joined #openstack-keystone15:17
*** odyssey4me has joined #openstack-keystone15:17
*** BlackDex_ has joined #openstack-keystone15:18
*** pcaruana is now known as pablo|500|15:18
*** Dave has quit IRC15:18
*** BlackDex has quit IRC15:18
*** Dave has joined #openstack-keystone15:19
*** asettle has quit IRC15:19
*** dancn has quit IRC15:19
*** briancurtin has quit IRC15:19
*** jascott1 has quit IRC15:19
*** martinus__ has quit IRC15:19
*** jmccrory has quit IRC15:19
*** chris_hultin has quit IRC15:19
*** dtroyer has quit IRC15:19
*** dstanek has quit IRC15:19
*** mgagne has quit IRC15:19
*** comstud has quit IRC15:19
*** Daviey has quit IRC15:19
*** DuncanT has quit IRC15:19
*** rarora has quit IRC15:19
*** zeus has quit IRC15:19
*** mancdaz has quit IRC15:19
*** woodburn has quit IRC15:19
*** fungi has quit IRC15:19
*** dancn has joined #openstack-keystone15:19
*** asettle has joined #openstack-keystone15:19
*** jlvillal_ is now known as jlvillal15:20
*** fungi has joined #openstack-keystone15:20
*** jlvillal is now known as Guest8897715:20
*** dstanek has joined #openstack-keystone15:22
*** chris_hultin has joined #openstack-keystone15:22
*** mgagne has joined #openstack-keystone15:22
*** comstud has joined #openstack-keystone15:22
*** Daviey has joined #openstack-keystone15:22
*** martinus__ has joined #openstack-keystone15:22
*** jmccrory has joined #openstack-keystone15:22
*** dtroyer has joined #openstack-keystone15:22
*** zeus has joined #openstack-keystone15:22
*** mancdaz has joined #openstack-keystone15:22
*** woodburn has joined #openstack-keystone15:22
*** mgagne has quit IRC15:23
*** ChanServ sets mode: +v dstanek15:23
*** mgagne has joined #openstack-keystone15:23
*** mgagne is now known as Guest5853115:23
*** BlackDex_ is now known as BlackDex15:23
*** rarora has joined #openstack-keystone15:24
*** v1k0d3n has joined #openstack-keystone15:25
*** DuncanT has joined #openstack-keystone15:27
*** lucas__ has quit IRC15:28
*** briancurtin has joined #openstack-keystone15:29
*** lucas__ has joined #openstack-keystone15:29
openstackgerritSteve Martinelli proposed openstack/keystone: replace all hybrid properties with property  https://review.openstack.org/42202115:29
stevemarrodrigods: lets see how ^ goes15:30
openstackgerritSteve Martinelli proposed openstack/keystone: replace all hybrid properties with property  https://review.openstack.org/42202115:30
*** pnavarro has joined #openstack-keystone15:30
rodrigodsstevemar, ++15:31
stevemarrodrigods: from what i gather from the docs, we shouldn't need @hybrid unless we are using it directly from the class15:31
stevemarrodrigods: so something like ... User.enabled or User.password15:32
rodrigodsstevemar, something like "static" in java? :)15:32
stevemar*shrugs* doesn't remember java15:33
*** v1k0d3n has quit IRC15:33
*** v1k0d3n has joined #openstack-keystone15:34
*** david-lyle has quit IRC15:36
*** david-lyle_ has joined #openstack-keystone15:36
*** david-lyle_ has quit IRC15:37
*** david-lyle_ has joined #openstack-keystone15:37
*** sheel has quit IRC15:37
*** jaosorior has joined #openstack-keystone15:41
*** v1k0d3n has quit IRC15:41
*** david-lyle_ has quit IRC15:41
knikollao/15:42
knikollastevemar: static in java is similar to @classmethod in python, IIRC.15:43
stevemarmorgan: mordred btw i will be creating a stable/ocata branch today for keystoneauth15:43
stevemarmorgan: so the context manager stuff may have to wait15:44
rodrigodsknikolla, ++15:44
morganyeah it will wait15:44
morganit's fine.15:44
*** david-lyle has joined #openstack-keystone15:47
mordredstevemar: yah. totally fine - if I'd gotten my act together and made the example...15:47
*** mvk has quit IRC15:48
*** phalmos has joined #openstack-keystone15:49
*** v1k0d3n has joined #openstack-keystone15:49
*** jaugustine has joined #openstack-keystone15:50
*** jistr|mtg is now known as jistr15:51
*** voelzmo has joined #openstack-keystone15:52
*** voelzmo has quit IRC15:53
*** voelzmo has joined #openstack-keystone15:54
lbragstadreminder that the policy meeting will be starting in a few minutes in #openstack-meeting-cp15:56
[16:06] *** adrian_otto has quit IRC
[16:07] *** voelzmo has quit IRC
[16:11] *** markvoelker has quit IRC
[16:15] *** diazjf has joined #openstack-keystone
[16:16] *** jose-phillips has quit IRC
[16:18] *** phalmos has quit IRC
[16:25] *** Guest88977 is now known as jlvillal
[16:27] *** phalmos has joined #openstack-keystone
[16:31] *** adrian_otto has joined #openstack-keystone
[16:34] *** ravelar has quit IRC
[16:39] *** dikonoor has joined #openstack-keystone
[16:39] *** harlowja has joined #openstack-keystone
[16:40] *** jose-phillips has joined #openstack-keystone
[16:41] *** stingaci has quit IRC
[16:46] *** ravelar has joined #openstack-keystone
[16:48] *** sheel has joined #openstack-keystone
[16:52] *** stingaci has joined #openstack-keystone
[16:54] <morgan> #success Good policy meeting, provided history and background that cleared up a lot of confusion
[16:54] <openstackstatus> morgan: Added success to Success page
[16:55] <knikolla> morgan: ++
[16:55] <asettle> stevemar: got a q for you again :)
[16:55] <asettle> Do you remember implementing this? https://review.openstack.org/#/c/289889/8
[16:55] <asettle> Sorry, not that patch in particular - you didn't write it. But you reviewed it.
[16:57] <stevemar> asettle: back in 2 minutes
[16:57] <asettle> o/
[16:57] <lbragstad> morgan ++
[16:58] *** v1k0d3n has quit IRC
[16:58] <lbragstad> asettle what's up?
[16:58] *** v1k0d3n has joined #openstack-keystone
[16:58] <asettle> lbragstad: well helloooooo. I'm checking out this bad boy: https://bugs.launchpad.net/openstack-manuals/+bug/1557165 and there was an old patch up for it that was abandoned.
[16:58] <openstack> Launchpad bug 1557165 in openstack-manuals " Add docs for additional bootstrap endpoint parameters" [Medium,Confirmed] - Assigned to olaph (zxkuqyb)
[16:58] <asettle> Reason: All of the necessary features merged after RC3. Therefore, the Mitaka version of the installation guide will continue to use the admin token method.
[16:59] <asettle> Was going to check in if we needed to reopen it for newton.
[16:59] <asettle> If not, closey the bugsey
[16:59] *** phalmos has quit IRC
[17:01] <stevemar> asettle: i thought we use the bootstrap method now in the install guide?
[17:02] <asettle> We do indeedy, just checking if you wanted anything else?
[17:02] <stevemar> hmm
[17:02] <lbragstad> looks like we document the endpoint stuff in our devdocs - https://review.openstack.org/#/c/290226/3
[17:02] <asettle> That's probably the best place for it, tbh.
[17:03] <asettle> The install guide is fairly sufficient.
[17:03] <asettle> It is meant to be a manual install, not a config guide.
[17:03] <lbragstad> looks like we use the endpoint parameters in the install guide - http://docs.openstack.org/newton/install-guide-ubuntu/keystone-install.html
[17:04] <asettle> We could link to the dev docs. But if they're additional configurations, it's usually not 100% necessary.
[17:04] <asettle> Unless I'm completely misunderstanding?
[17:05] <lbragstad> asettle well - there are a bunch of things you can have bootstrap do for you
[17:05] <lbragstad> but I think most of those are actually documented pretty well in `keystone-manage bootstraps` help text
[17:05] <lbragstad> cc stevemar ^
[17:06] <asettle> lbragstad: well that's handy
[17:07] *** lucas__ has quit IRC
[17:07] <lbragstad> asettle for example - http://cdn.pasteraw.com/55gblfvg9vaaykv0zv9vzjvqytxr5w6
[17:07] <asettle> hmmm to be fair then, I don't think we need it. If you're an operator, the idea is if you're doing a full install and not using a deployment project, you should have enough operations knowledge and administration experience to know to look at the help text.
[17:08] <lbragstad> makes sense
[17:11] <asettle> Cool, well, I think we can probably close this bad boy too.
[17:14] <lbragstad> asettle sweet
[17:14] <asettle> lbragstad: got another question for you if you have time? :) i'm going through the keystone bugs that are relatively old and making sure everything is up to date
[17:15] *** edtubill has joined #openstack-keystone
[17:15] <lbragstad> asettle sure thing
[17:15] <asettle> https://bugs.launchpad.net/openstack-manuals/+bug/1517708 lbragstad this guy. I can see we still use 'revoke' in the install guide.
[17:15] <openstack> Launchpad bug 1517708 in openstack-manuals " Move revoke extension into core" [Medium,Confirmed]
[17:15] <asettle> So, I'm not entirely too sure what the doc impact is/was. As it's a docimpact bug - so not muc hinfo.
[17:15] <asettle> much*
[17:16] <asettle> https://bugs.launchpad.net/openstack-manuals/+bug/1459458 this one too - same vibes
[17:16] <openstack> Launchpad bug 1459458 in openstack-manuals " Move endpoint policy into keystone core" [Medium,Confirmed]
[17:16] *** ravelar has quit IRC
[17:17] <asettle> yo dolphm - do you still want this documented: https://bugs.launchpad.net/openstack-manuals/+bug/1459402
[17:17] <openstack> Launchpad bug 1459402 in openstack-manuals "Conceptual overview of the Keystone service catalog" [Wishlist,Confirmed]
[17:18] <asettle> lbragstad: another 'move to core' one: https://bugs.launchpad.net/openstack-manuals/+bug/1517706
[17:18] <openstack> Launchpad bug 1517706 in openstack-manuals " Move oauth1 extension into core" [Undecided,Confirmed]
[17:18] <dolphm> asettle: actually, i think that *did* get documented in a cross-project effort
[17:19] <asettle> dolphm: good news! We can close that bad boy then?
[17:19] <lbragstad> asettle ah - so those extension ones are just saying that we need to make sure we don't advertise those extensions in our paste files
[17:19] <asettle> Oh! Um, so if the 'revoke' extension is still documented in the install guide?
[17:20] <lbragstad> asettle for some context - when keystone used to have extension, we had a little document describing how to enable it, setup a db for it if it needed one, etc...
[17:20] <dolphm> asettle: maybe.. i was thinking of this https://specs.openstack.org/openstack/openstack-specs/specs/service-catalog.html
[17:21] <asettle> dolphm: I see, that's just a spec. The content then hasn't been implemented further?
[17:21] *** v1k0d3n has quit IRC
[17:21] *** phalmos has joined #openstack-keystone
[17:21] <asettle> lbragstad: oh right! Is that still applicable?
[17:21] <lbragstad> asettle when we moved all the extensions to be official keystone resources - we wanted to make sure the paste files didn't contain references to a revoke extension that no longer existed (because it moved in the source)
[17:21] <asettle> Oh I see, okay, jeez. Do you guys have a handy dandy list of all the things you don't want listed in the paste files?
[17:21] <stevemar> asettle: yay my laziness worked
[17:21] <lbragstad> asettle looking at the existing paste files, I don't see any extension in keystone sources
[17:21] <stevemar> thanks dolphm and lbragstad :D
[17:21] *** tesseract has quit IRC
[17:22] <asettle> lbragstad: excellent, that's good to hear! I will close those for now, and then if it comes up I know what I'm looking for.
[17:22] <asettle> stevemar: you should do it more often :P
[17:22] <lbragstad> asettle i don't believe we have a list - i think we just follow a convention of correcting the change in a subsequent patch to the change that broke/modified it?
[17:22] <asettle> lbragstad: in docs as well as keystone?
[17:22] <lbragstad> asettle in keystone for sure
[17:22] <lbragstad> we would be modifying this file - https://github.com/openstack/keystone/blob/stable/mitaka/etc/keystone-paste.ini
[17:22] <dolphm> asettle: not that i'm able to google... although, i swear it exists somewhere
[17:22] <asettle> lbragstad: anything in here- http://docs.openstack.org/liberty/install-guide-rdo/keystone-install.html
[17:23] *** ravelar has joined #openstack-keystone
[17:23] <asettle> dolphm: okay, we can work on implementing it in the docs a bit more. But I'll need you to fill out that bug with a bit more context of what exactly you want and why.
[17:23] <asettle> lbragstad: ignore that, I gave you the liberty link
[17:23] * lbragstad was confused
[17:24] *** browne has joined #openstack-keystone
[17:24] <asettle> lbragstad: sorry, http://docs.openstack.org/newton/install-guide-rdo/keystone-install.html
[17:24] <asettle> Looks like revoke etc has been removed in the up-to-date version
[17:25] *** lucas__ has joined #openstack-keystone
[17:25] <lbragstad> asettle ++
[17:25] <lbragstad> I'm actually not seeing any references to keystone-paste.ini (or any paste file) in either of those links you mentioned
[17:25] <lbragstad> so i guess the contents would be determined by the packagers
[17:27] *** edtubill has quit IRC
[17:27] *** lucas__ has quit IRC
[17:28] <asettle> \o/
[17:28] *** lucas__ has joined #openstack-keystone
[17:29] <openstackgerrit> Steve Martinelli proposed openstack/keystone: switch @hybrid_property to @property https://review.openstack.org/421468
[17:30] *** lucas__ has quit IRC
[17:30] <gagehugo> stevemar: awesome, I was just looking at that, the bug should be done after that patch
[17:30] <stevemar> gagehugo: :)
[17:30] <stevemar> gagehugo: thanks for figuring everything out!
[17:31] <gagehugo> stevemar idk if I figured everything out, maybe some of it :)
[17:31] <gagehugo> was clueless on the property stuff vs hybrid
[17:31] <stevemar> gagehugo: team effort, but you did the patches :P
[17:31] <stevemar> gagehugo: did you get any feedback regarding PTG?
[17:32] *** jose-phillips has quit IRC
[17:33] *** harlowja has quit IRC
[17:33] <gagehugo> stevemar: not yet
[17:34] <stevemar> gagehugo: damn
[17:34] <gagehugo> stevemar: hopefully soon™, the tickets have been bought
[17:35] *** v1k0d3n has joined #openstack-keystone
[17:36] <openstackgerrit> Ron De Rose proposed openstack/keystone: WIP - Set the domain for federated users https://review.openstack.org/408332
[17:36] *** stevemar changes topic to "Meeting Agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting | Ocata goals: https://docs.google.com/spreadsheets/d/156q820cXcEc8Y9YWQgoc_hyOm3AZ2jtMQM3zdDhwGFU/edit?usp=sharing | Bugs that need triaging: http://bit.ly/2iJuN1h"
[17:36] *** lamt__ has joined #openstack-keystone
[17:36] <openstackgerrit> Ron De Rose proposed openstack/keystone: WIP - Set the domain for federated users https://review.openstack.org/408332
[17:37] *** david-lyle is now known as bailing-wire
[17:38] *** markvoelker has joined #openstack-keystone
[17:38] *** mvk has joined #openstack-keystone
[17:44] *** catintheroof has quit IRC
[17:44] *** catintheroof has joined #openstack-keystone
[17:44] *** markvoelker_ has joined #openstack-keystone
[17:44] *** catintheroof has quit IRC
[17:45] *** catintheroof has joined #openstack-keystone
[17:46] *** markvoelker has quit IRC
[17:46] *** bailing-wire has quit IRC
[17:48] *** mugsie has left #openstack-keystone
[17:49] *** diazjf has quit IRC
[17:50] *** catintheroof has quit IRC
[17:52] *** lucas__ has joined #openstack-keystone
[17:53] *** lucas__ has quit IRC
[17:54] *** lucas__ has joined #openstack-keystone
[17:58] *** markvoelker has joined #openstack-keystone
[18:01] *** markvoelker_ has quit IRC
[18:05] *** lucas__ has quit IRC
[18:08] *** edtubill has joined #openstack-keystone
[18:08] *** lucas__ has joined #openstack-keystone
[18:08] <openstackgerrit> Ron De Rose proposed openstack/keystone: Set the domain for federated users https://review.openstack.org/408332
[18:09] *** lucas__ has quit IRC
[18:11] <rderose> stevemar: want to talk about PCI?
[18:12] <SamYaple> I'm more of an AGP person
[18:13] <rderose> SamYaple: :)
[18:17] *** edtubill has quit IRC
[18:22] <stevemar> rderose: o/
[18:22] <rderose> stevemar: cool
[18:22] <rderose> stevemar: so regarding PCI force user to change their password patch, I've added more documentation
[18:22] <stevemar> rderose: so you want to make all my users reset their password eh :)
[18:23] <rderose> :)
[18:23] *** jerrygb has quit IRC
[18:23] <rderose> stevemar: I want to complete PCI
[18:23] <rderose> stevemar: I could make only effect password changes going forward, but that doesn't seem in the spirit of this security requirement
[18:24] <rderose> stevemar: I've added this: https://review.openstack.org/#/c/403916/26/doc/source/security_compliance.rst
[18:24] <rderose> stevemar: not sure what else we can do, it would be in their hands to properly plan
[18:31] * stevemar goes to look at the patch
[18:34] <stevemar> rderose: so i flip the switch and enable this option, can the user reset their own password or must they go to an admin?
[18:35] <rderose> currently they must go to an admin
[18:35] <rderose> but, there is a patch out there to change this
[18:35] <rderose> where a user could change their password without a token
[18:36] <stevemar> rderose: gagehugo's patch?
[18:36] <rderose> yeah
[18:36] <gagehugo> o/
[18:38] <stevemar> rderose: i still think "completing PCI" is a garbage reason to do something
[18:38] <stevemar> every feature should have a use case
[18:38] <stevemar> someone should want us to do it
[18:38] <rderose> stevemar: what was the point of implementing PCI if we weren't going to complete it?
[18:39] <stevemar> rderose: at the summit we had several people ask us for specific PCI bits, we did those, no one has asked us for this
[18:39] <rderose> dolphm wrote this spec and it was his intention to include this requirement (when I spoke to him about this)
[18:39] *** lamt__ is now known as lamt
[18:39] <stevemar> then say that, checking off ticky boxes isn't a good reason :P
[18:40] <rderose> stevemar: :)
[18:40] *** lamt has quit IRC
[18:40] <stevemar> hmm http://specs.openstack.org/openstack/keystone-specs/specs/keystone/newton/pci-dss.html
[18:40] *** lamt has joined #openstack-keystone
[18:41] <stevemar> without gagehugo's change this is a terrible UX
[18:41] <dikonoor> dolphm:stevemar: Hi..Is there any restrictions caching fernet token in memcache servers?
[18:42] <stevemar> rderose: last i looked at gagehugo's change it was pretty close
[18:42] <dikonoor> dolphm:stevemar: http://docs.openstack.org/admin-guide/identity-caching-layer.html says - "Fernet tokens do not need to be persisted in a back end and therefore must not be cached."
[18:42] <rderose> stevemar: I'm happy to make mine dependent on his
[18:42] <stevemar> dikonoor: not that i know of, caching is definitely recommended
[18:42] <gagehugo> I think the feature is definitely useful, especially if a user can change their own expired password
[18:42] <gagehugo> I'm almost done with mine, just need to address the decorator change I made
[18:42] <gagehugo> "almost"
[18:43] <rderose> gagehugo: ++
[18:43] <stevemar> gagehugo: yes i agree, but its only useful with your patch :P
[18:43] <dikonoor> stevemar: I thought so..the documentation just needs update then..https://bugs.launchpad.net/keystonemiddleware/+bug/1460225 anyway talks about using fernet with memcache
[18:43] <openstack> Launchpad bug 1460225 in keystonemiddleware "Fernet + Memcache causes validation failures" [Medium,Fix released] - Assigned to Morgan Fainberg (mdrnstm)
[18:43] <dolphm> dikonoor: the opposite is true - fernet tokens SHOULD be cached. /me summons asettle
[18:43] <rderose> stevemar: okay, if I make my patch dependent on gagehugo's, will you unblock?
[18:44] <stevemar> rderose: OK, you addressed my main concerns: 1) no write on auth, 2) no locking out admin/service users and 3) self-service passwd changes
[18:44] <morgan> all token validation should be cached where possible
[18:44] <stevemar> rderose: no, don't worry about that. they don't conflict
[18:44] <dolphm> asettle: "Fernet tokens do not need to be persisted in a back end and therefore must not be cached." -> "Fernet tokens do not need to be persisted but should be cached for optimal performance." http://docs.openstack.org/admin-guide/identity-caching-layer.html
[18:44] <rderose> stevemar: cool
[18:44] <morgan> dolphm: ++
[18:44] <stevemar> rderose: lifting -2 :)
[18:44] <stevemar> rderose: see, i'm not *that* much of a hard ass
[18:45] <dikonoor> dolphm: i have a configuration where I did not set [token] caching= true (basically missed enabling it) ..and everything seems to work fine..So caching is recommended merely from a performance angle..isn't it
*** ravelar1 has joined #openstack-keystone18:45
rderosestevemar: \o/18:45
rderose:)18:45
dolphmdikonoor: yes18:45
*** ravelar15 has joined #openstack-keystone18:45
dolphmdikonoor: if it's not a production system then you can skip caching18:46
stevemarrderose: actually they do conflict, but no need to stagger them honestly18:46
dikonoordolphm: ok..got it..makes sense..thanks..just that the documentation confused me18:46
stevemarthey => the two patches18:46
dolphmdikonoor: with good reason - it's wrong!18:46
stevemarrderose: gagehugo whoever goes in first wins, the other will have to rebase18:46
gagehugostevemar: ok18:47
stevemarrderose: gagehugo we've got 1 week to get those 2 patches merged!18:47
*** v1k0d3n has quit IRC18:48
rderosestevemar: ++18:48
*** ravelar1 has quit IRC18:49
gagehugo++18:49
*** ravelar15 has quit IRC18:50
*** v1k0d3n has joined #openstack-keystone18:52
*** lucas__ has joined #openstack-keystone18:52
stevemargagehugo: rderose dolphm lbragstad dstanek samueldmq rodrigods: https://etherpad.openstack.org/p/keystone-sprint-to-ocata -- list of patches that *have* to land in the next week18:53
dstanekstevemar: k18:53
dolphmstevemar: thanks18:53
gagehugostevemar: ok18:53
samueldmqstevemar: ack thanks sir18:54
rderosestevemar: ack18:54
*** edtubill has joined #openstack-keystone18:55
rderosestevemar: would love to get this one in there as well: https://review.openstack.org/#/c/414720/18:55
rderosefor extending user API to support federated attributes18:55
rderoseravelar: ^18:56
stevemarrderose: done18:56
stevemari think that's enough for now, let's not add anything else18:56
stevemarso if you're working on something else, please don't :P18:56
asettledolphm: coolio, this can be fixed! Unless you want to put in a patch ;)18:59
stevemardolphm: can you check out https://bugs.launchpad.net/keystone/+bug/1636495 if you get a chance... ?18:59
openstackLaunchpad bug 1636495 in OpenStack Identity (keystone) "Failures during db_sync --contract during Mitaka to Newton (live) upgrade" [High,Confirmed]18:59
*** pramodrj07 has joined #openstack-keystone19:00
* stevemar going afk for a bit19:00
*** woodster_ has joined #openstack-keystone19:01
dolphmasettle: happy to - but what's the repo?19:01
dolphmstevemar: yes19:01
asettledolphm: admin guide is openstack-manuals domain :)19:01
asettleJump on in19:01
asettlehttps://github.com/openstack/openstack-manuals19:01
dolphmstevemar: oh wow, that's relatively old19:01
dolphmasettle: thanks19:02
asettleNo problemo :) appreciate the patch!19:02
asettleAdd me as a reviewer :)19:02
*** pramodrj07 has quit IRC19:06
*** lucas__ has quit IRC19:06
*** lucas__ has joined #openstack-keystone19:07
*** MasterOfBugs has joined #openstack-keystone19:07
*** Jack_I has quit IRC19:13
*** Jack_I has joined #openstack-keystone19:13
dolphmasettle: https://review.openstack.org/#/c/422176/19:14
dolphmcc- morgan: ^19:14
dolphmaand dikonoor ^19:14
dikonoordolphm:yes19:14
asettledolphm: gracias19:15
dikonoordolphm: another question..This is around https://bugs.launchpad.net/keystonemiddleware/+bug/1657014 bug I opened19:17
openstackLaunchpad bug 1657014 in keystonemiddleware "Incorrect deprecation warning for revocations" [Undecided,Incomplete]19:17
*** lucas__ has quit IRC19:17
*** stingaci has quit IRC19:17
dikonoordolphm: which is about revocation flow which as per the deprecation is applicable to only PKI19:18
*** lucas__ has joined #openstack-keystone19:18
dikonoordolphm: so, i have fernet tokens configured.. and I wonder why is it that a non-pki flow doesn't have any logic to check for revoked tokens in cache?19:19
dikonoorbut i guess if caching is enabled in [revoke] of keystone.conf, the revoked tokens are cached..so when is-token-revoked rest call is made to keystone, it would first search in the cache19:21
dolphmdikonoor: keystone does not persist fernet tokens, therefore keystone cannot produce a list of revoked fernet tokens19:21
dikonoorin my fernet token configuration, i do get something for https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/_revocations.py#L6019:22
dikonoordolphm: and yeah.. I keep forgetting that fernet tokens don't reside in the db..so the check for revoked cached tokens doesn't make sense19:23
*** spzala has joined #openstack-keystone19:23
*** spzala has quit IRC19:23
*** jerrygb has joined #openstack-keystone19:24
*** Jack_I has quit IRC19:25
*** Jack_I has joined #openstack-keystone19:25
*** Jack_V has joined #openstack-keystone19:29
*** Jack_I has quit IRC19:29
*** jerrygb has quit IRC19:29
*** dikonoor has quit IRC19:31
*** Jack_I has joined #openstack-keystone19:33
*** diazjf has joined #openstack-keystone19:33
*** spilla has quit IRC19:34
*** Jack_V has quit IRC19:34
openstackgerritEric Brown proposed openstack/keystone: Catch potential SyntaxError in federation mapping  https://review.openstack.org/42161619:35
morgandolphm: GAAAAAAAAAAAaaaaaaa </fernet>19:36
morgandolphm: :P19:36
*** stingaci has joined #openstack-keystone19:38
*** stingaci has quit IRC19:42
*** jidar has left #openstack-keystone19:45
*** voelzmo has joined #openstack-keystone19:48
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Force users to immediately change their password upon first use  https://review.openstack.org/40391619:52
MasterOfBugsHi All19:53
MasterOfBugsI am trying to install Devstack19:53
MasterOfBugsI am getting this error from Keystone19:54
MasterOfBugsCan anyone help me resolve this?19:54
MasterOfBugsThis is the local.conf http://paste.openstack.org/show/595461/19:54
*** bailing-wire has joined #openstack-keystone20:00
*** bailing-wire is now known as david-lyle20:02
*** markvoelker_ has joined #openstack-keystone20:03
*** jerrygb has joined #openstack-keystone20:05
*** markvoelker has quit IRC20:05
*** raildo has quit IRC20:05
openstackgerritOpenStack Release Bot proposed openstack/keystoneauth: Update reno for stable/ocata  https://review.openstack.org/42220820:06
*** jerrygb has quit IRC20:13
openstackgerritOpenStack Release Bot proposed openstack/keystonemiddleware: Update reno for stable/ocata  https://review.openstack.org/42221320:14
dstanekMasterOfBugs: what's the error?20:17
lbragstadmorgan did we have a spec on unscoped roles somewhere?20:17
morganlbragstad: nope20:18
morganlbragstad: back in grizzly we had a code comment saying "this is not supported"20:18
morganit might even still be lurking somewhere20:18
lbragstadmorgan hm20:22
lbragstadmorgan so by unscoped role we essentially mean - true RBAC, right?20:22
lbragstadi.e. if someone has the reader role, they are able to view things in all projects20:23
MasterOfBugs@dstanek - ++lib/keystone:create_keystone_accounts:372  openstack project show admin -f value -c id20:23
MasterOfBugsWARNING: openstackclient.common.utils is deprecated and will be removed after Jun 2017. Please use osc_lib.utils. This warning is caused by an out-of-date import in /usr/local/lib/python2.7/dist-packages/cueclient/osc/plugin.py20:23
MasterOfBugsDiscovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL.20:23
MasterOfBugsCould not determine a suitable URL for the plugin20:23
morganlbragstad: maybe.20:24
morganlbragstad: i was thinking of it more like nova_admin -- why does it need a project20:24
morganor nova_service20:24
morganlbragstad: we really have never gone down this path, so open for interpretation20:24
lbragstadmorgan because what we do today is a more specific version of RBAC called scoped RBAC20:24
morganbut yeah it would be RBAC for global roles vs SCOPED RBAC20:25
morganbut like i said, we haven't discussed this really except "nope we don't do it"20:25
lbragstadmorgan ok - cool20:26
lbragstadso - in that world, what would that look like20:26
morgan*shrug* i was just looking at what would make service accounts and such easier to work with20:26
morganand it may or may not make sense20:26
morganbut it's an option20:26
lbragstadmorgan wouldn't that make the admin project case easier to deal with?20:28
lbragstadmorgan i mean, you'd end up with a cloud_admin role that wouldn't require scoping to a specific (and mysterious) "admin" project20:28
morganyes20:29
morganit would20:29
morganit could20:29
morganthere are benefits to global RBAC20:29
morganit also may make security in some of the other projects a little more wonky.20:29
morganthere is a dirty way around it... we could also simply make cloud_admin an inherited role from the magical root domain20:30
morganor similar for the global rbac, so the role exists for all projects (it's a lot of mechanism for scoping in that case) but ... i mean, like i said, we haven't really discussed besides "nope" in the past20:30
*** markvoelker_ has quit IRC20:32
lbragstadmorgan so, at this point, with the amount of deployments with massive amounts of projects, I would assume we'd need to have traditional RBAC (global RBAC) and scoped RBAC, like we do today20:32
lbragstadbut the problem becomes, how do we distinguish global RBAC assignments from scoped ones?20:33
morganthat would be a function of the token data20:33
morganultimately we control the token data, the issuer, and such, we can pass info down however we want20:34
lbragstadsure20:34
morganso how do we differentiate it? we explicitly do so20:34
morganwhat does the data look like? I don't really care ;)20:34
lbragstadmakes sense20:34
morganwe can figure that out in the process20:34
lbragstadso, we'd need to be able to say "this user gets this role" instead of "this user gets this role on this project"20:35
lbragstadthen when a user gets an unscoped token - that information would be represented in there some how20:35
morganit would be an unscoped token with roles20:35
morganbasically20:35
lbragstadgot it20:36
lbragstadwould we expect global roles to be visible in scoped tokens?20:36
morgannope. i wouldn't20:36
morgani would make it mutually exclusive20:36
lbragstadso by default, everything would still work today20:36
morganso you can't take a "scoped token" and do "cloud admin" things20:36
morganyep.20:36
*** edmondsw has quit IRC20:36
morganit would be a very explicit auth thing if we did this global role thing20:37
lbragstadmorgan so - we would effectively be getting rid of the admin project workaround20:37
morgani think it is one possible aspect20:37
morganagain, i think we need to think about the ramifications20:37
morgana lot of bits in a lot of projects may need to change to support this20:37
*** adrian_otto has quit IRC20:38
lbragstadi'd be curious to hear what edmondsw has to say about that20:38
*** voelzmo has quit IRC20:38
lbragstadi know he has an opinion on the admin project20:38
morganwe've had the request for global roles for a number of cases20:40
morganbut from the policy front, it may be enough to drive the benefits in a way to tip the scales20:40
lbragstadwell - we have global roles today20:40
morganunscoped roles*20:40
morgangyee asked for them at one point20:40
morganamong other things.20:40
lbragstadmorgan do you know what they are? The main one I see is the ability to implement cloud_admin without the admin project workaround20:41
openstackgerritSteve Martinelli proposed openstack/keystoneauth: Update reno for stable/ocata  https://review.openstack.org/42220820:41
openstackgerritSteve Martinelli proposed openstack/keystonemiddleware: Update reno for stable/ocata  https://review.openstack.org/42221320:42
morganservice users don't need scope then, could be given broader powers within their project without explicitly being tied to a specific scope for resource access (and likewise be prevented from doing some actions that should always have a scope)20:43
morganit allows differentiation.20:43
stevemargagehugo: question for you20:44
lbragstadtoday service users are given a service or admin role on a specific project account, right?20:44
gagehugostevemar: what's up?20:44
stevemargagehugo: how would the expired password stuff work from the CLI?20:44
*** adriant has joined #openstack-keystone20:44
gagehugostevemar: the one Im working on or the query patch?20:46
*** voelzmo has joined #openstack-keystone20:46
gagehugostevemar: that spilla is working on20:46
stevemargagehugo: the one you're working on20:46
gagehugostevemar: I've been looking at KSC atm, there will probably need to be a change20:47
gagehugostevemar: right now it shouldn't break anything, if you have that config option enabled it just skips checking the token in the header for change_password20:48
stevemargagehugo: i just think it's going to blow up upon initiating a connection and getting a token20:49
gagehugostevemar: how so?20:50
*** voelzmo has quit IRC20:50
stevemargagehugo: the clients go to '/users/%s/password'20:53
morganlbragstad: yes20:53
*** jerrygb has joined #openstack-keystone20:53
stevemargagehugo: so it goes to the right API20:54
stevemargagehugo: here's the OSC code: https://github.com/openstack/python-openstackclient/blob/master/openstackclient/identity/v3/user.py#L381-L43720:54
stevemarand the KSC code: https://github.com/openstack/python-keystoneclient/blob/71af540c81ecb933d912ef5ecde128afcc0deeeb/keystoneclient/v3/users.py#L207-L23020:54
stevemargagehugo: i *think* you'll get lucky...20:55
stevemarsince we put "required_scope = False" in the OSC code20:55
*** haplo37_ has quit IRC20:55
lbragstadmorgan so then each project could write a service role specific to that project's service operations?20:55
stevemargagehugo: you can see it used here: https://github.com/openstack/osc-lib/blob/8e1f3c2f9c44fd3e20bb2fcbea116b5a7b73674f/osc_lib/shell.py#L45320:56
*** v1k0d3n has quit IRC20:56
gagehugostevemar: ah20:56
stevemargagehugo: i think we may also need to add "auth_required = False" like here: https://github.com/openstack/python-openstackclient/blob/0ef8535036c3739d798fd5627ae142d121f20d42/openstackclient/common/module.py#L3020:57
openstackgerritDavid Stanek proposed openstack/keystone: Small fixes for WebOb 1.7 compatibiltity  https://review.openstack.org/42223420:58
*** haplo37_ has joined #openstack-keystone20:58
*** spilla has joined #openstack-keystone20:58
gagehugostevemar: so even if it does require auth?  It would only *not* require auth if the config setting is enabled, otherwise it does require auth20:59
*** adrian_otto has joined #openstack-keystone21:00
* lbragstad sneaks away to grab a coffee quick 21:00
morganlbragstad: yep21:06
* morgan looks at coffee and realizes... i am sans caffeine21:06
gagehugostevemar: I'll test the current patchset with OSC, it works but the decorator is kinda hacky21:09
stevemargagehugo: yeah, good call21:11
*** jaugustine has quit IRC21:11
*** jperry has quit IRC21:15
*** Jack_I has quit IRC21:15
lbragstadmorgan ok - so then an example of a service operation would be?21:16
*** voelzmo has joined #openstack-keystone21:17
*** voelzmo has quit IRC21:22
browneCan I get some reviewer's eyes on https://review.openstack.org/#/c/421616/?  I want to cherrypick back to Mitaka where we observed the issue in our environment21:22
*** v1k0d3n has joined #openstack-keystone21:23
*** tjones has joined #openstack-keystone21:23
gagehugostevemar: OSC works, can get a token21:23
morganlbragstad: not sure21:24
morgani haven't looked too closely21:25
morganbut i know there are service user actions21:25
stevemargagehugo: what about reset your pw?21:25
gagehugostevemar: checking that now21:25
*** MasterOfBugs has quit IRC21:25
*** pnavarro has quit IRC21:25
stevemargagehugo: what about reset your pw, when it's been expired*21:25
stevemar:)21:26
*** MasterOfBugs has joined #openstack-keystone21:26
lbragstadmorgan gotcha - you mean things that a service does on behalf of a user?21:26
lbragstador something else?21:26
*** jamielennox is now known as jamielennox|away21:26
morgansome cases services do things and track things directly21:28
morganbut like i said, i haven't looked closely lately21:28
lbragstadand not on behalf of a user21:28
*** voelzmo has joined #openstack-keystone21:29
*** diazjf has quit IRC21:29
*** jerrygb_ has joined #openstack-keystone21:30
*** diazjf has joined #openstack-keystone21:31
*** jerrygb has quit IRC21:33
openstackgerritDavid Stanek proposed openstack/keystone: Small fixes for WebOb 1.7 compatibiltity  https://review.openstack.org/42223421:42
*** lucas__ has quit IRC21:43
*** severion has joined #openstack-keystone21:47
gagehugostevemar: OSC won't let you change your password if expired21:47
*** ksavich has joined #openstack-keystone21:47
gagehugostevemar: no blowing up though21:47
*** voelzmo has quit IRC21:48
*** stingaci has joined #openstack-keystone21:49
*** ksavich has left #openstack-keystone21:50
*** lamt has quit IRC21:51
*** lamt has joined #openstack-keystone21:52
*** stingaci has quit IRC21:54
*** severion has quit IRC21:56
*** severion has joined #openstack-keystone21:56
*** severion has quit IRC21:58
morganlbragstad: if it's doing something on behalf of a user it should be using the user's token (currently)22:00
*** severion has joined #openstack-keystone22:00
morganlbragstad: since the user should be the owner22:00
*** severion is now known as v1k0d3m22:00
lbragstadmorgan that makes sense22:00
*** v1k0d3m has quit IRC22:01
morganlbragstad: long term that may change somewhat. but i think we'll identify more when we discuss more. hit up the nova and neutron folks and ask what their service user does22:01
morgani think nova does things like downloading glance images and doesn't always have the user token22:01
morganfor example22:01
morgan(like on a compute restart)22:01
lbragstadaha22:01
*** lucas has joined #openstack-keystone22:02
*** severion has joined #openstack-keystone22:03
*** agrebennikov_ has quit IRC22:06
*** lucas has quit IRC22:07
*** thorst has quit IRC22:07
*** diazjf has quit IRC22:08
stevemargagehugo: ah22:09
stevemargagehugo: want to try changing it locally? need instructions on how?22:09
gagehugostevemar: sure22:09
*** jamielennox|away is now known as jamielennox22:10
stevemarlbragstad: http://lists.openstack.org/pipermail/openstack-operators/2017-January/012470.html22:12
stevemargagehugo: okay, clone the OSC repo22:13
stevemargit clone https://github.com/openstack/python-openstackclient22:13
stevemarmake a virtualenv22:13
stevemar$ virtualenv test_expires22:14
stevemarsource it22:14
stevemar$ source test_expires/bin/activate22:14
lbragstadstevemar is sam morrison around?22:14
stevemarnow that you're in that virtualenv, you can modify the local OSC file22:14
lbragstadstevemar do you have an IRC nick?22:14
gagehugook22:15
stevemarlbragstad: no idea :)22:15
stevemargagehugo: try changing https://github.com/openstack/python-openstackclient/blob/master/openstackclient/identity/v3/user.py#L38422:16
stevemarto "required_auth = False"22:16
stevemargagehugo: then install OSC locally by running $ pip install -e .22:16
stevemarfrom the cloned OSC directory...22:16
stevemargagehugo: you'll be running the local version of osc now, you can see it by running $ which openstack22:17
*** jaugustine has joined #openstack-keystone22:17
stevemarwhen you're done, just run $ deactivate22:17
stevemarand delete the virtualenv22:17
gagehugostevemar: same result22:23
stevemarhmm22:23
stevemargagehugo: run it with --debug and paste the result22:23
*** diazjf has joined #openstack-keystone22:24
stevemargagehugo: i think OSC tries to establish a connection first before attempting to do anything22:24
*** v1k0d3n has quit IRC22:24
*** jamielennox is now known as jamielennox|away22:24
stevemargagehugo: change password only used to work with a correct "old password"22:24
stevemarnot an expired one22:24
*** severion has quit IRC22:24
gagehugostevemar: correct22:25
*** portdirect is now known as shipindirect22:25
gagehugostevemar: yeah OSC tries to authenticate22:25
gagehugoone sec22:25
openstackgerritSteve Martinelli proposed openstack/keystone: switch @hybrid_property to @property  https://review.openstack.org/42146822:27
*** browne has quit IRC22:27
*** dave-mccowan has quit IRC22:28
gagehugohttp://paste.openstack.org/show/595484/22:29
gagehugostevemar: ^22:29
*** david-lyle has quit IRC22:32
*** agrebennikov_ has joined #openstack-keystone22:36
*** phalmos has quit IRC22:36
openstackgerritGage Hugo proposed openstack/keystone: Allow user to change own expired password  https://review.openstack.org/40402222:38
*** thorst has joined #openstack-keystone22:39
*** spilla has quit IRC22:39
*** david-lyle has joined #openstack-keystone22:40
*** lamt has quit IRC22:40
*** thorst has quit IRC22:41
*** lamt has joined #openstack-keystone22:42
*** jaugustine has quit IRC22:43
bknudsonthe mailing list discussion started with `why's nobody using barbican` and will soon become `nobody needs keystone`.22:50
jlopezgurderose: are u there?22:50
*** sshen has joined #openstack-keystone22:50
rderosejlopezgu: yeah, what's up22:51
*** edtubill has quit IRC22:51
jlopezgui'm trying to update the patch before the release, sorry I've been in something else22:51
jlopezguI want to test it but destroyed my env22:51
jlopezgualready created a new one22:51
jlopezgubut how do I enable the password expires at?22:52
jlopezguI need to modify ... and restart keystone, right?22:52
rderoseright22:52
jlopezguwhere do i need to modify?22:53
rderoseso modify keystone config and set password_expires_days22:53
jlopezguperfect, thanks22:53
rderosejlopezgu: https://github.com/openstack/keystone/blob/master/etc/keystone.conf.sample#L260922:54
rderosejlopezgu: there is also password_expires_ignore_user_ids22:54
rderoseto ignore service accounts (if you want)22:54
rderosejlopezgu: np, let me know if you need anything else22:54
*** tjones has left #openstack-keystone22:55
*** diazjf has quit IRC22:58
*** agrebennikov_ has quit IRC23:00
*** chris_hultin is now known as chris_hultin|AWA23:06
openstackgerritMerged openstack/keystoneauth: Update reno for stable/ocata  https://review.openstack.org/42220823:13
*** adrian_otto has quit IRC23:16
*** sheel has quit IRC23:24
*** fungi has quit IRC23:24
*** dancn has quit IRC23:24
*** Dinesh_Bhor has quit IRC23:24
*** stevemar has quit IRC23:24
*** sheel has joined #openstack-keystone23:24
*** fungi has joined #openstack-keystone23:24
*** dancn has joined #openstack-keystone23:24
*** Dinesh_Bhor has joined #openstack-keystone23:24
*** stevemar has joined #openstack-keystone23:24
*** adams.freenode.net sets mode: +o stevemar23:24
gagehugostevemar: tried auth_required (https://github.com/openstack/osc-lib/blob/master/osc_lib/shell.py#L451-L455) thanks lamt, now just get "No valid authentication is available"23:29
*** adrian_otto has joined #openstack-keystone23:32
*** sorrison has joined #openstack-keystone23:33
*** freerunner has quit IRC23:34
*** NikitaKonovalov has quit IRC23:34
*** DinaBelova has quit IRC23:34
*** DinaBelova has joined #openstack-keystone23:35
*** NikitaKonovalov has joined #openstack-keystone23:36
*** freerunner has joined #openstack-keystone23:36
*** nkinder has quit IRC23:39
*** jerrygb_ has quit IRC23:42
*** shipindirect is now known as portdirect23:43
*** jerrygb has joined #openstack-keystone23:48
*** jaosorior has quit IRC23:49
*** browne has joined #openstack-keystone23:49
*** lamt has quit IRC23:50
openstackgerritMerged openstack/keystonemiddleware: Update reno for stable/ocata  https://review.openstack.org/42221323:53
*** lamt has joined #openstack-keystone23:53
*** lamt has quit IRC23:55
*** NikitaKonovalov has quit IRC23:57
*** freerunner has quit IRC23:57
*** DinaBelova has quit IRC23:57
*** DinaBelova has joined #openstack-keystone23:57
*** NikitaKonovalov has joined #openstack-keystone23:58
*** freerunner has joined #openstack-keystone23:58
*** DinaBelova has quit IRC23:59
*** NikitaKonovalov has quit IRC23:59
*** freerunner has quit IRC23:59
