Friday, 2017-01-27

*** rcernin has joined #openstack-keystone		00:00
*** stingaci has joined #openstack-keystone		00:00
*** lamt has quit IRC		00:03
*** lamt has joined #openstack-keystone		00:04
*** lamt has quit IRC		00:04
*** harlowja has quit IRC		00:04
*** stingaci has quit IRC		00:04
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Force users to change password upon first use https://review.openstack.org/425507	00:05
*** chris_hultin\|AWA is now known as chris_hultin		00:08
*** chris_hultin is now known as chris_hultin\|AWA		00:11
rderose	morgan stevemar lbragstad dstanek browne knikolla: PCI patch is ready ^ Thanks for the reviews!	00:16
*** spzala has joined #openstack-keystone		00:37
*** MasterOfBugs has quit IRC		00:42
*** PramodJ has joined #openstack-keystone		00:42
*** pramodrj07 has quit IRC		00:42
*** MasterOfBugs has joined #openstack-keystone		00:42
*** jose-phillips has quit IRC		00:43
*** thorst_ has joined #openstack-keystone		00:45
*** agrebennikov__ has quit IRC		00:48
*** stingaci has joined #openstack-keystone		00:49
*** rcernin has quit IRC		00:51
*** stingaci has quit IRC		00:53
*** rcernin has joined #openstack-keystone		00:54
*** martinlopes is now known as martinlopes\|busy		00:54
*** thorst_ has quit IRC		00:55
*** rcernin has quit IRC		00:55
*** rcernin has joined #openstack-keystone		00:55
*** adrian_otto has quit IRC		01:03
*** spotz_zzz is now known as spotz		01:06
*** browne has quit IRC		01:10
openstackgerrit	Steve Martinelli proposed openstack/keystone: add additional deprecation warnings for KVS options https://review.openstack.org/426009	01:15
stevemar	morgan: i added https://review.openstack.org/#/c/426009/ for posterity	01:15
*** spotz is now known as spotz_zzz		01:16
Adobeman	https://bugs.launchpad.net/keystone/+bug/1063858 <- is this still in effect?	01:18
openstack	Launchpad bug 1063858 in OpenStack Identity (keystone) "LDAP identity driver does not support 'enabled'" [Wishlist,Fix released] - Assigned to Yuriy Taraday (yorik-sar)	01:18
Adobeman	with newton	01:18
Adobeman	uhm should've been fixed by grizzly..	01:19
*** stingaci has joined #openstack-keystone		01:21
*** stingaci has quit IRC		01:26
*** thorst_ has joined #openstack-keystone		01:27
*** edmondsw has joined #openstack-keystone		01:31
*** edmondsw has quit IRC		01:43
samueldmq	ayoung: you around ?	01:44
samueldmq	ayoung: I thought it wasn't possible to create implied roles with domain-specific roles from different domains.	01:45
samueldmq	for me, domain-specific roles were isolated inside its owning domain	01:45
*** chris_hultin\|AWA is now known as chris_hultin		01:46
*** v1k0d3n has quit IRC		01:51
*** v1k0d3n has joined #openstack-keystone		01:53
*** stingaci has joined #openstack-keystone		01:53
*** edmondsw has joined #openstack-keystone		01:54
*** stingaci has quit IRC		01:58
*** spotz_zzz is now known as spotz		02:00
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/python-keystoneclient: Fix boto version strip regex https://review.openstack.org/424700	02:01
*** spzala has quit IRC		02:02
*** chris_hultin is now known as chris_hultin\|AWA		02:05
openstackgerrit	Merged openstack/keystone: Code-Defined Resource-specific Options https://review.openstack.org/424334	02:08
samueldmq	ayoung: see my comment in https://review.openstack.org/#/c/422819/	02:08
openstackgerrit	Merged openstack/keystone: Add 'options' as an explicit user schema validation https://review.openstack.org/425536	02:09
*** spotz is now known as spotz_zzz		02:10
*** MasterOfBugs has quit IRC		02:11
*** dims_ has joined #openstack-keystone		02:14
*** PramodJ has quit IRC		02:14
*** dims has quit IRC		02:14
*** thorst_ has quit IRC		02:18
samueldmq	jamielennox: hey, you around ?	02:20
*** thorst_ has joined #openstack-keystone		02:20
samueldmq	jamielennox: would like to discuss bp/return-request-id-to-caller with you	02:20
*** stingaci has joined #openstack-keystone		02:26
*** stingaci has quit IRC		02:30
*** spotz_zzz is now known as spotz		02:37
*** edmondsw has quit IRC		02:42
*** edmondsw has joined #openstack-keystone		02:43
*** edmondsw has quit IRC		02:43
*** edmondsw has joined #openstack-keystone		02:43
*** spotz is now known as spotz_zzz		02:46
*** dims_ has quit IRC		02:47
*** d-bark has joined #openstack-keystone		02:47
lbragstad	gagehugo even though samueldmq and stevemar beat me to it, i +2'd it	02:49
lbragstad	gagehugo thanks for submitting the follow up patch!	02:49
*** dims has joined #openstack-keystone		02:50
*** edmondsw has quit IRC		02:52
*** stingaci has joined #openstack-keystone		02:57
dstanek	samueldmq: i hate that review	02:59
dstanek	Adobeman: still no luck?	03:00
*** edmondsw has joined #openstack-keystone		03:01
*** stingaci has quit IRC		03:02
*** edmondsw has quit IRC		03:09
*** edmondsw has joined #openstack-keystone		03:11
stevemar	dstanek: samueldmq, agreed bp/return-request-id-to-caller stinks :(	03:13
*** edmondsw has quit IRC		03:14
*** edmondsw has joined #openstack-keystone		03:14
*** edmondsw has quit IRC		03:14
*** edmondsw has joined #openstack-keystone		03:15
stevemar	if someone is interested, this should be an easy review https://review.openstack.org/#/c/426009/	03:20
openstackgerrit	Steve Martinelli proposed openstack/keystone: add additional deprecation warnings for KVS options https://review.openstack.org/426009	03:21
*** severion has joined #openstack-keystone		03:27
*** stingaci has joined #openstack-keystone		03:30
*** spotz_zzz is now known as spotz		03:31
*** yarkot has joined #openstack-keystone		03:31
*** stingaci has quit IRC		03:35
*** thorst_ has quit IRC		03:40
*** spotz is now known as spotz_zzz		03:40
ayoung	samueldmq, nope	03:51
*** tqtran has quit IRC		03:55
*** stingaci has joined #openstack-keystone		04:02
*** spotz_zzz is now known as spotz		04:06
*** stingaci has quit IRC		04:07
openstackgerrit	Merged openstack/python-keystoneclient: Fix boto version strip regex https://review.openstack.org/424700	04:13
*** spotz is now known as spotz_zzz		04:16
*** edmondsw has quit IRC		04:17
*** edmondsw has joined #openstack-keystone		04:17
*** nicolasbock has quit IRC		04:17
*** stingaci has joined #openstack-keystone		04:19
*** edmondsw has quit IRC		04:21
*** mtreinish has quit IRC		04:22
*** mtreinish has joined #openstack-keystone		04:22
*** stingaci has quit IRC		04:23
*** diazjf has joined #openstack-keystone		04:41
*** spotz_zzz is now known as spotz		04:57
rderose	stevemar that's a weak -1	05:06
stevemar	rderose: the -1 was for rel note and docs	05:07
stevemar	previous patch had them	05:07
rderose	:)	05:07
rderose	was planning to do that in a separate patch	05:07
*** spotz is now known as spotz_zzz		05:07
rderose	you want it all in one?	05:07
rderose	stevemar: btw where do you want the constants?	05:08
rderose	stevemar: it's mostly being used in the backend, so I thought I'd keep with resource_options.py	05:08
stevemar	rderose: all in one doesn't bug me	05:09
stevemar	rderose: the constant thing was more of a general observation, my spidey sense went off	05:10
rderose	:)	05:10
stevemar	just felt weird to have it there, but i won't hold it against ya	05:10
rderose	alright	05:10
rderose	let me add the release notes	05:10
rderose	stevemar: okay for docs update to be separate?	05:10
rderose	docs update not so important now, as this is only impacts passwords going forward	05:13
stevemar	sure, that one is less important	05:13
rderose	cool	05:13
stevemar	it was more "hey, this patch had other stuff before"	05:13
rderose	stevemar: by the way, I love single line functions. but no worries, I'll change this one just for you my friend.	05:14
stevemar	rderose: bknudson just rolled off his bed in disgust at that	05:15
rderose	haha	05:15
stevemar	single-line is OK	05:15
stevemar	single use is my issue	05:15
stevemar	i'd rather just short-circuit if you're worried about readability	05:15
rderose	you learned that "short-circuit" from dolphm	05:16
stevemar	i'm actually trying to find some theory of programming to backup my claim, no luck yet!	05:16
rderose	I've heard that before :)	05:16
stevemar	dolphm and bknudson have beat certain things into me	05:16
rderose	haha	05:16
rderose	:)	05:17
breton	morning, keystone	05:17
rderose	morning ;)	05:17
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Force users to change password upon first use https://review.openstack.org/425507	05:28
*** richm has joined #openstack-keystone		05:29
*** richm has quit IRC		05:41
*** spotz_zzz is now known as spotz		05:44
*** david-lyle has quit IRC		05:46
*** spotz is now known as spotz_zzz		05:48
breton	sooo, that trusts for federated user patch is sad.	05:51
*** Jack_V has joined #openstack-keystone		05:56
*** thorst_ has joined #openstack-keystone		05:56
breton	federated users, when not in context, don't have any non-direct role assignments. And the code checks that they have. And while i could work around that in trust creation, there is similar check in trust usage.	05:58
*** thorst_ has quit IRC		06:01
openstackgerrit	Nishant Kumar proposed openstack/keystone: Reuse already existing groups from upstream tempest config https://review.openstack.org/426078	06:08
breton	which cannot be worked around, because the only one who knows what groups they had at the moment is that user.	06:08
morgan	hey breton =:)	06:12
morgan	how goes?	06:12
morgan	stevemar: wait you don't like single line functions?!	06:13
morgan	stevemar: LAMBDAS WANT A WORD WITH YOU ;)	06:13
breton	hey	06:14
breton	morgan: how do we make trusts work with federated users? what do you think about adding shadow federated users to groups when they authenticate?	06:15
breton	maybe we should switch murano and heat and others who use trusts to ?allow_expired	06:17
morgan	shouldn't shadow federated users already get some groups?	06:18
morgan	based upon the user object itelse?	06:18
morgan	basically, shouldn't trusts just work with the shadow user code (if it doesn't, that is how i'd manage that)	06:18
breton	nope, they don't have any groups	06:18
morgan	eh, they should support groups	06:19
morgan	just like everything else, a shadow user should be a near mirror of a real user	06:19
morgan	(near, just some auth like things aren't there)	06:19
morgan	i'd actually go a step further...	06:19
breton	but if the mapping changes, the user will still be in the groups they shouldn't be in	06:19
morgan	use shadow users as a mechanism and make the created user a fully realized user object (doable based upon my convos w/ rderose )	06:20
morgan	if mapping changes we're getting something wonky	06:20
breton	or if remote groups change	06:20
morgan	it's not really the same user if you change the mapping rules unless it is to change the attributes mapped ot the same local ones (aka name moves from X to Y on the federated side... though that should never happen)	06:20
morgan	i don't see an issue with using local groups explicitly	06:21
morgan	the implicit groups shouldn't ever be used in trusts	06:21
breton	same thing -- the user will still be in the wrong groups	06:21
morgan	if you add user X to group Y, it shouldn't matter if they are federated or not (since shadow user landed)	06:21
morgan	if you're leaning on group information from the federated source, that is exclusive for that login	06:22
morgan	vs a local-in-keystone-defined-group	06:22
morgan	that the user has explicitly been added to	06:22
morgan	hold on	06:22
morgan	ok working through this in my head	06:22
morgan	so 2 options	06:23
morgan	1) allow federated users to be added ot a local group	06:23
morgan	in keystone	06:23
morgan	2) populate groups (visibly) for federated users within keystone	06:23
morgan	these options are not mutally exclusive	06:23
morgan	we could do both	06:23
morgan	i'd need to think over the stuff (not 2 whiskeys in) for security implications of both	06:24
morgan	off the cuff, i am not opposed to either.	06:24
breton	1 is easy, i think we can already do it now	06:24
morgan	1 might be the way to support what you need.	06:24
morgan	today*	06:24
morgan	2... might be a bit more of an issue	06:24
breton	yep. But it required adding user to group manually	06:25
morgan	like i said i need to think through security implications when not trying to read/write code based on rderose's PCI patches (and a few whiskeys and late night)	06:25
morgan	i don't have a real issue with that for the moment.	06:25
breton	i proposed this https://review.openstack.org/#/c/415545/3/keystone/auth/plugins/mapped.py	06:25
morgan	direct, manual, adding isn't terrible	06:25
*** martinlopes\|busy has quit IRC		06:25
morgan	to start	06:25
morgan	we can improve the UX as we move forward	06:25
breton	but it has 2 issues. 1. mapping changes. 2. type: OIDC_GROUPS	06:27
morgan	i'll ponder this a bit more	06:29
morgan	i can't answer concretely atm. sorry :(	06:29
openstackgerrit	Steve Martinelli proposed openstack/keystone: clean up release notes for ocata https://review.openstack.org/426095	06:35
stevemar	i really need to start enforcing better release ntoes :(	06:36
*** spotz_zzz is now known as spotz		06:39
breton	stevemar: we've lost one here: https://review.openstack.org/#/c/415545/3	06:41
*** diazjf has quit IRC		06:42
morgan	stevemar: shhhhhh. it's almost over	06:44
morgan	stevemar: :P	06:44
morgan	stevemar: did rderose respin to only set expired on admin set automatically?	06:44
morgan	stevemar: because if he did... a lot of strings/commit message/help messages are wrong	06:45
morgan	and option names	06:45
morgan	it shouldn'tbe "after first use" anything	06:45
morgan	rderose: ^ sorry wince	06:45
*** spotz is now known as spotz_zzz		06:49
*** adriant has quit IRC		07:11
*** spotz_zzz is now known as spotz		07:15
*** stingaci has joined #openstack-keystone		07:17
*** stingaci has quit IRC		07:21
*** rcernin has quit IRC		07:24
*** spotz is now known as spotz_zzz		07:24
*** richm has joined #openstack-keystone		07:25
*** stingaci has joined #openstack-keystone		07:49
*** stingaci has quit IRC		07:54
*** thorst_ has joined #openstack-keystone		07:57
*** thorst_ has quit IRC		08:01
*** spotz_zzz is now known as spotz		08:09
*** gitudaniel has joined #openstack-keystone		08:14
*** spotz is now known as spotz_zzz		08:19
*** spotz_zzz is now known as spotz		08:45
*** spotz is now known as spotz_zzz		08:55
*** zzzeek has quit IRC		09:00
*** zzzeek has joined #openstack-keystone		09:01
gitudaniel	I'm trying to set up a keystone development environment. I'm currently folloing the Best Practices documentation http://docs.openstack.org/developer/keystone/devref/development_best_practices.html In the section on Running Keystone, on running the command uwsgi --http 127.0.0.1:35357 --wsgi-file $(which keystone-wsgi-admin)	09:04
gitudaniel	I get the error uwsgi: option '--wsgi-file' requires an argument	09:05
gitudaniel	getopt_long() error	09:05
breton	gitudaniel: what is output of $(which keystone-wsgi-admin) ?	09:07
gitudaniel	breton: it returns no output	09:09
gitudaniel	I tried editing the configurations with the keystone-manage bootstrap command but got "The program 'keystone-manage' is currently not installed. You can install it by typing: sudo apt install keystone	09:11
*** richm has quit IRC		09:21
*** richm has joined #openstack-keystone		09:37
*** spotz_zzz is now known as spotz		09:39
breton	gitudaniel: probably some virtualenv is not activated or keystone is not installed. http://docs.openstack.org/developer/keystone/devref/development.environment.html -- this describes virtualenv	09:49
*** spotz is now known as spotz_zzz		09:49
samueldmq	morning all	09:49
breton	gitudaniel: or you can just google about virtualenv in python	09:49
breton	gitudaniel: it will work too	09:49
breton	samueldmq: \o	09:50
samueldmq	breton: hey	09:50
gitudaniel	samueldmq o/	09:52
samueldmq	gitudaniel: hello!	09:54
gitudaniel	breton: I did create a virtualenv before cloning into keystone. I followed the Setting up a Development environment then moved to the Python Project Guide and onto the Best Practices. Did I miss something?	09:54
*** tqtran has joined #openstack-keystone		09:58
*** thorst_ has joined #openstack-keystone		09:58
*** tqtran has quit IRC		10:02
*** thorst_ has quit IRC		10:02
*** richm has quit IRC		10:06
*** richm has joined #openstack-keystone		10:09
*** richm has quit IRC		10:14
*** d-bark has quit IRC		10:17
*** spotz_zzz is now known as spotz		10:33
*** spotz is now known as spotz_zzz		10:43
*** mvk has quit IRC		11:06
*** spotz_zzz is now known as spotz		11:09
*** stingaci has joined #openstack-keystone		11:09
*** spotz is now known as spotz_zzz		11:19
*** chlong has joined #openstack-keystone		11:24
*** stingaci has quit IRC		11:27
*** stingaci has joined #openstack-keystone		11:28
*** stingaci has quit IRC		11:32
breton	gitudaniel: have you activated it?	11:45
breton	gitudaniel: `source /path/to/venv/bin/activate`	11:46
gitudaniel	breton: yes I have. It is active	11:48
*** stingaci has joined #openstack-keystone		11:55
*** thorst_ has joined #openstack-keystone		11:59
*** stingaci has quit IRC		12:00
*** richm has joined #openstack-keystone		12:00
*** thorst_ has quit IRC		12:03
*** spotz_zzz is now known as spotz		12:03
*** catintheroof has joined #openstack-keystone		12:04
*** mvk has joined #openstack-keystone		12:04
*** nicolasbock has joined #openstack-keystone		12:04
*** richm has quit IRC		12:05
*** severion has quit IRC		12:11
*** spotz is now known as spotz_zzz		12:13
*** stingaci has joined #openstack-keystone		12:26
*** thorst__ has joined #openstack-keystone		12:43
*** richm has joined #openstack-keystone		12:50
*** spotz_zzz is now known as spotz		12:54
dstanek	gitudaniel: what is in you virtualenv's bin directory?	12:56
gitudaniel	dstanek: activate mdexport.pyc parse_xsd2.py	12:58
gitudaniel	activate.csh merge_metadata.py parse_xsd2.pyc	12:59
gitudaniel	activate.fish merge_metadata.pyc pbr	12:59
gitudaniel	activate_this.py migrate pip	12:59
gitudaniel	alembic migrate-repository pip2	12:59
gitudaniel	bindep netaddr pip2.7	12:59
gitudaniel	convert-json oslo-config-generator pybabel	12:59
gitudaniel	easy_install oslo-messaging-send-notification python	12:59
gitudaniel	easy_install-2.7 oslo-messaging-zmq-broker python2	12:59
gitudaniel	jsonschema oslo-messaging-zmq-proxy python2.7	12:59
gitudaniel	lockutils-wrapper oslopolicy-checker python-config	12:59
gitudaniel	make_metadata.py oslopolicy-list-redundant sqlformat	12:59
gitudaniel	make_metadata.pyc oslopolicy-policy-generator uwsgi	12:59
gitudaniel	mako-render oslopolicy-sample-generator wheel	12:59
gitudaniel	mdexport.py osprofiler	12:59
*** tqtran has joined #openstack-keystone		13:00
dstanek	gitudaniel: it doesn't look like keystone is installed in the virtual env	13:01
dstanek	do we really delete users from the database when we delete a federation protocol?	13:01
dstanek	samueldmq: you need to be a little more liberal with the -1s :-D	13:02
ayoung	gitudaniel, are you using the uwsgi from the venv pip install, and not the package provided by the distro?	13:03
ayoung	the distro uwsgi for Fedora at least was out of data	13:03
ayoung	fate	13:03
ayoung	date	13:04
ayoung	dinnerplate	13:04
ayoung	gah	13:04
*** tqtran has quit IRC		13:04
*** spotz is now known as spotz_zzz		13:04
gitudaniel	dstanek: thank you. I created a folder then activated a virtual env before cloning into keystone. In the dependencies it installs virtual env should I have first cloned the repo cd into it and then activate the virtual env?	13:04
*** catintheroof has quit IRC		13:05
gitudaniel	ayoung: to install uwsgi I ran sudo apt install uwsgi	13:05
ayoung	gitudaniel, yeah don't do that	13:05
ayoung	gitudaniel, get rid of that, and instead activate the venv and pip install	13:05
ayoung	gitudaniel, I usually run tox on a checkout, to make sure the tests run, and it also builds the venv	13:06
ayoung	so then	13:06
ayoung	. .tox/py27/bin/activate	13:06
ayoung	or 34 or whatever python version you want to use	13:07
ayoung	pip install uwsgi	13:07
gitudaniel	ayoung: thank you. So after cloning the repo should I run vitualenv keystone cd keystone then source bin/activate to prevent the dependencies from installing on my host system?	13:11
*** catintheroof has joined #openstack-keystone		13:16
*** tlbr has joined #openstack-keystone		13:16
*** edmondsw has joined #openstack-keystone		13:21
*** edmondsw_ has joined #openstack-keystone		13:23
*** richm1 has joined #openstack-keystone		13:23
*** richm has quit IRC		13:24
*** edmondsw has quit IRC		13:25
*** raildo has joined #openstack-keystone		13:30
dstanek	gitudaniel: you still have to install keystone into the virtualenv	13:33
dstanek	'python setup.py develop' in the activated enironment	13:34
gitudaniel	dstanek: thanks let me do that	13:35
*** thorst__ is now known as thorst_		13:42
*** spotz_zzz is now known as spotz		13:48
rodrigods	stevemar, around? i'm doing some testing here with domain specific roles and the API is returning something like: http://paste.openstack.org/raw/596735/	13:52
rodrigods	stevemar, do you know if this is expected?	13:53
gitudaniel	dstanek: ayoung breton thank you for your help i ran python setup.py develop then uwsgi --http 127.0.0.1:35357 --wsgi-file $(which keystone-wsgi-admin) it ran and I got an /etc/keystone/fernet-keys/ does not exist. Hopefully the configuration file covers this as I read up on what fernet keys are. Can we make it such that someone else doesn't run into the same challenges I did. I honestly	13:55
gitudaniel	wouldn't have thought to run python setup.py develop. If it is I'd like to help	13:55
ayoung	gitudaniel, keystone-manage --help	13:56
*** lamt has joined #openstack-keystone		14:01
*** tqtran has joined #openstack-keystone		14:01
*** spilla has joined #openstack-keystone		14:01
dstanek	gitudaniel: yeah, what ayoung said. look for fernet_setup	14:05
*** tqtran has quit IRC		14:05
*** spzala has joined #openstack-keystone		14:06
rodrigods	stevemar, nvm, "domain" is the "extras"	14:07
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Force users to change password upon first use https://review.openstack.org/425507	14:09
samueldmq	dstanek: hey, too little -1's ? :)	14:09
samueldmq	dstanek: sometimes I felt I was doing so many -1s, sometimes I don't want to block because of an easy thing, specially if it's something important to get in	14:10
samueldmq	easy/nit	14:10
dstanek	samueldmq: :-)	14:11
gitudaniel	ayoung, dstanek: thanks I found it let me run it	14:11
samueldmq	dstanek's +ratio is 43.7%	14:12
samueldmq	bknudson also used to have that +ratio :-)	14:12
*** agrebennikov__ has joined #openstack-keystone		14:12
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Force users to change password upon first use https://review.openstack.org/425507	14:14
*** markvoelker has joined #openstack-keystone		14:16
openstackgerrit	Steve Martinelli proposed openstack/keystone: clean up release notes for ocata https://review.openstack.org/426095	14:17
*** stingaci has quit IRC		14:18
samueldmq	stevemar: given your reply in ^ about the PCI options that are being deprecated	14:22
samueldmq	then https://review.openstack.org/#/c/423909/ and https://review.openstack.org/#/c/424220/ would not need to deprecate those options	14:22
samueldmq	just replace them with the in-code configs instead	14:23
*** jperry has joined #openstack-keystone		14:24
samueldmq	rderose: morgan: dstanek ^ since lockout_ignored_user_ids and ignore_password_expire_user_ids were added this cycle, we don't need to deprecate, just switch to in-code options	14:25
samueldmq	if we get those replacements in in time	14:26
rderose	samueldmq: those were added in newton	14:26
dstanek	samueldmq: is that true? those were added in this cycle?	14:26
dstanek	rderose: that's what i thought	14:26
samueldmq	rderose: dstanek https://review.openstack.org/#/c/398571	14:28
samueldmq	bug it's closing is tagged as ocata-2	14:28
rderose	samueldmq dstanek: hmm... password ignores list was definitely added in newton: https://review.openstack.org/#/c/351749/	14:30
rderose	samueldmq: but you are right about lockout ignore list, thought for sure it was newton :)	14:32
samueldmq	rderose: cool, we should be able to just replace without deprecation in that case	14:32
samueldmq	if we still get that in this cycle	14:32
rderose	samueldmq: yep	14:33
samueldmq	rderose: dstanek: cool, posted a comment in https://review.openstack.org/#/c/424220/	14:34
samueldmq	just to document it	14:34
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: clean up release notes for ocata https://review.openstack.org/426095	14:36
*** Dinesh_Bhor has quit IRC		14:37
samueldmq	dstanek: ^ could you +2 again ? and +A ..	14:37
samueldmq	dstanek: there was just a nit, closing backsticks were wrong: `.` rather than ``.	14:38
samueldmq	I fixed it	14:38
lbragstad	office hours!!	14:38
lbragstad	today I'm going to be working on reviewing https://review.openstack.org/#/c/425507 (it's getting close!)	14:38
samueldmq	lbragstad: hey	14:38
lbragstad	samueldmq o/	14:39
dstanek	samueldmq: done	14:41
samueldmq	dstanek: yt	14:41
samueldmq	ty	14:42
rderose	lbragstad: ++	14:42
*** stingaci has joined #openstack-keystone		14:48
rderose	dstanek: confused by your last comment. if you change what?	14:51
*** stingaci has quit IRC		14:52
samueldmq	rderose: reviewed and commented, just minor things in tests and doc	14:54
samueldmq	rderose: that's looking pretty nice	14:54
rderose	samueldmq: cool, thanks :)	14:55
dstanek	rderose: in the future it could be possible to break that code and have the test pass. probably not a huge deal	14:55
dstanek	rderose: the reason i don't think it's that big of a deal is that the bug would likely be caught in the other password tests	14:57
rderose	dstanek: but create_user password doesn't have any impact on update_user password. update_user creates a new password and decides if it is expired.	14:58
dstanek	rderose: if you tooks out the update_user your test would still pass	14:59
rderose	dstanek: but that is what I'm testing (update_user), so I wouldn't take it out :)	14:59
dstanek	rderose: that's not the point. the point is that the user will already be in the required state for the test to pass. so that means that you are not proving update_user is doing the right thing. you are proving that it doesn't change the outcome	15:01
dstanek	rderose: for example, what if we later decide to make admins use a separate api to reset passwords? (maybe for extra security or whatever) you test will not detect an issue	15:02
rderose	dstanek: then update_user would create a new password and it wouldn't be expired	15:03
rderose	dstanek: but I see your point	15:04
knikolla	o/ morning	15:04
dstanek	morning knikolla	15:05
knikolla	anything i should be helping out with today?	15:09
lbragstad	rderose fwiw - i like the new approach in https://review.openstack.org/#/c/425507/11	15:17
rderose	lbragstad: thanks, yeah it's getting better	15:19
rderose	lbragstad: less of an impact on operators	15:19
lbragstad	rderose so - would operators have to go through and update each user in their deployment?	15:20
rderose	lbragstad: to ignore, yeah	15:20
lbragstad	rderose got it - and they can do that before they make the config switch	15:21
dstanek	likely that's only service users	15:21
rderose	lbragstad: right	15:21
dstanek	if you want through them all then you wouldn't flip the switch anyway	15:21
lbragstad	rderose but after `keystone.conf [security_compliance] change_password_upon_first_use = True`, existing users in the system that don't have options set still need to be updated by an admin in order to change their password	15:22
rderose	lbragstad: sorry, not following...	15:23
lbragstad	say a deployment has 1000 existing users, and 5 of those are service users	15:24
rderose	existing users that don't have options, would now be required to change their password	15:24
dstanek	lbragstad: no, this will only immediately impact new users and user that have their passwod reset by admin	15:24
lbragstad	dstanek right	15:24
rderose	dstanek lbragstad: ah, right. yeah, now it only impact passwords going forward	15:25
*** jaosorior has joined #openstack-keystone		15:25
lbragstad	so if an operator wanted to force everyone in their deployment to reset their password - they would have to manually reset passwords for the other 995 useres	15:25
rderose	dstanek lbragstad: but as soon as you change a service users password, they will be impacted	15:25
rderose	lbragstad: or, run a db update script to expire everyone's password	15:25
lbragstad	so - for a period of time after an operator switches change_password_upon_first_use = True, there will be users in the deployment that can still authenticate with their old password	15:29
dstanek	lbragstad: possibly forever	15:30
lbragstad	dstanek right -depends on how the operator goes about doing the "migration"	15:30
*** lamt has quit IRC		15:33
*** stingaci has joined #openstack-keystone		15:40
*** stingaci has quit IRC		15:44
*** ravelar has joined #openstack-keystone		15:49
*** mvk has quit IRC		15:58
*** phalmos has joined #openstack-keystone		15:59
*** phalmos has quit IRC		15:59
*** adrian_otto has joined #openstack-keystone		16:05
*** v1k0d3n has quit IRC		16:06
*** adrian_otto has quit IRC		16:09
*** adrian_otto has joined #openstack-keystone		16:12
*** lamt has joined #openstack-keystone		16:12
*** adrian_otto has quit IRC		16:13
*** v1k0d3n has joined #openstack-keystone		16:16
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Force users to change password upon first use https://review.openstack.org/425507	16:20
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Force users to change password upon first use https://review.openstack.org/425507	16:20
*** v1k0d3n has quit IRC		16:21
*** v1k0d3n has joined #openstack-keystone		16:21
morgan	o/	16:25
morgan	samueldmq: rderose claims the lockout and the password expiry were newton	16:26
*** stingaci has joined #openstack-keystone		16:26
gitudaniel	morgan: o/	16:26
rderose	morgan: password expiry was newton, but I was mistaken about lockout	16:26
morgan	samueldmq, rderose: i still want to deprecate because (lockout specifically) since people are tracking master and it went out in a tag	16:27
morgan	i don't want to break anyone leaning on that option yet	16:27
morgan	rderose: sorry about the -1 there.	16:27
rderose	morgan: apologies, could have sworn lock list was newton, but it was just after the release	16:27
morgan	no worries. still people can be using it because it went in tag-1	16:27
morgan	so we'll still deprecate	16:27
rderose	morgan: if I set options to empty dict, does it clear out all my options?	16:28
morgan	if you set the option mapper	16:28
morgan	yes	16:28
morgan	this is why i don't want it exposed as a property and kept as a private attribute	16:29
morgan	i toy with using __ prefix in all these cases	16:29
morgan	but opt for _ just because ease of use	16:29
morgan	where needed/testing	16:29
*** david-lyle has joined #openstack-keystone		16:29
morgan	rderose: rebase your change on https://review.openstack.org/#/c/425957/ 425957 was approved and will conflict with your change.	16:30
morgan	rderose: notably here https://review.openstack.org/#/c/425957/1/keystone/identity/backends/resource_options.py	16:30
*** stingaci has quit IRC		16:30
morgan	gitudaniel: allo there! :)	16:30
morgan	rderose: also it makes it easier for you to acccess the constant	16:31
rderose	morgan: okay	16:31
morgan	rderose: and you don't need identity.backends.resource_contstants	16:32
morgan	:)	16:32
rderose	morgan: oh great!	16:32
rderose	:)	16:32
morgan	rderose: once you do that i'll finish the deprecation patch rebases	16:34
*** thiagolib has joined #openstack-keystone		16:34
gitudaniel	thank you guys for all your help. It's getting late in my part of the world	16:37
rderose	morgan: user['options'] = {}	16:40
morgan	gitudaniel: then sleep well.	16:40
rderose	morgan: self.identity_api.update_user(user['id'], user)	16:40
morgan	rderose: no	16:40
rderose	morgan: doesn't seem to clear out the options	16:40
morgan	rderose: i meant if you did user_ref._resource_option_mapper = {}	16:40
morgan	rderose: if you want to unset options you must set each to None	16:40
morgan	explicitly in the dict	16:40
morgan	it is designed specifically so not specifying options (or an option) doesn't change the value	16:41
rderose	morgan: I don't allow None for ignore_password_expiry	16:41
rderose	:)	16:41
morgan	so an update to the user that says options['ignore_password_expiry] = None wont affect say lockout	16:41
morgan	rderose: you should.	16:41
rderose	morgan: great	16:41
morgan	rderose: None is how you unset / delete options	16:41
rderose	:)	16:41
morgan	ooooor	16:41
morgan	you don't allow unsetting	16:41
*** diazjf has joined #openstack-keystone		16:41
morgan	only allow setting to False	16:41
rderose	morgan: you can set to False	16:41
rderose	right	16:42
morgan	once the option is set... it lives forever in the DB	16:42
morgan	for that user	16:42
morgan	(forever = until the user object is deleted)	16:42
morgan	(from the db itself)	16:42
morgan	i'm ok with that choice	16:42
morgan	the design is explicitly to allow None on the backend to unset an option/clear it	16:42
morgan	but both works. MFA Rules for example should be unsettable if you want to dump all of them	16:43
morgan	but ignore_passworD_expiry is fine to persist in iether true/false	16:43
morgan	rderose: if you think it would help... i could always start populating (minor change) defaults for options in the user's option key and accept a default value	16:44
morgan	but i kindof think it's better to only display options set	16:45
morgan	stevemar: ^ cc on the defaults for Resource Options	16:45
morgan	(question)	16:45
gitudaniel	morgan: thank you. Have a great day	16:46
*** gitudaniel has quit IRC		16:46
dstanek	morgan: rderose: oh, i didn't even think about that when looking at the schema	16:48
morgan	dstanek: it's not the end of the world.	16:49
dstanek	morgan: easily fixable	16:49
rderose	morgan: hmm... I don't think we need defaults	16:49
rderose	morgan: we can improve it later if needed	16:49
morgan	dstanek: i built the systme so we can unset options... but by no means we need to support that from the API	16:50
morgan	i don't feel strongly that users (or admins) need to unset options if you can set the option to a value that restores default behavior	16:50
dstanek	rderose: everything has a default, even if it's not explicit	16:52
knikolla	morgan: in https://bugs.launchpad.net/keystone/+bug/1659053 the warnings are coming from the domain id 'default'	16:53
openstack	Launchpad bug 1659053 in OpenStack Identity (keystone) "use uuids with pycadf" [Medium,Triaged] - Assigned to Gage Hugo (gagehugo)	16:53
knikolla	oh, somebody assigned himself, alright. should have refreshed my page.	16:53
morgan	knikolla: so... we need to figure out what to do about that even if it is adding a logger to pycadf that explicitly exempts that issue	16:53
morgan	it's stupid to warn on it if it's going ot be a real thing	16:54
knikolla	gagehugo: ^^	16:54
morgan	for a loooong time	16:54
morgan	:)	16:54
gagehugo	o/	16:54
morgan	we may need to fix pycadf	16:54
morgan	but we can do that (if it isn't something we can fix in keystone)	16:54
rderose	morgan: btw why don't I need the constants?	16:54
morgan	the fact it comes from the default domain tells me we are warning on a known design of keystone and should fix it	16:54
morgan	rderose: look at how keystone.backend.resource_options is built now	16:54
morgan	rderose: you can reference the constants from that module directly	16:55
lbragstad	wait - so options can't be unset?	16:55
morgan	the list was move into the register function and the constants defined in the file	16:55
morgan	lbragstad: if you can't send a None for an explicit option you cna't unset it	16:55
dstanek	lbragstad: they can if you set them to None	16:55
morgan	lbragstad: the way it works is user['options'] = {} doesn't change any options (by design)	16:55
morgan	and setting one option doesn't change the value of others	16:56
rderose	morgan: possible circular dependency here if I reference the module: https://review.openstack.org/#/c/425507/13/keystone/identity/backends/sql.py	16:56
morgan	but if you set an option explicitly to None	16:56
rderose	morgan: as this also references the sql_model	16:56
morgan	rderose: should be fine.	16:56
morgan	rderose: resource_options doesn't import anything except keystone.common.resource_options	16:57
rderose	morgan: okay, let me rebase	16:57
lbragstad	so if we set user['options'] = {'ignore_expired_password': True}	16:58
lbragstad	and then change it to False - that makes sense to me	16:58
morgan	yes	16:58
lbragstad	but we can never remove it?	16:58
morgan	if you set it to None, the option would be unset and the row deleted from the DB	16:58
lbragstad	back to user['options'] = {} ?	16:58
lbragstad	oh - so ^ that would be possible by setting the option to NOne	16:58
morgan	but right now the json_schema doesn't allow user['options'] = {'ignore_expired_password': None}	16:58
dstanek	lbragstad: we'd have to let null through in the schema	16:59
morgan	what dstanek said	16:59
lbragstad	ah - so that should be possible but right it isn't because of jsonschema	16:59
dstanek	we should totally do that	16:59
morgan	it's designed to allow unsetting. but jsonschema is blocking atm	16:59
gagehugo	knikolla: were you working on that already? I just grabbed it a bit ago since it was unassigned, currently waiting for tests to finish running	16:59
lbragstad	aha	16:59
*** spotz is now known as spotz_zzz		16:59
morgan	lbragstad: i tried to make the option setting as foolproof as possible and also allow (future) setting of options each with a policy check	17:00
knikolla	gagehugo: i just poked at it for a few minutes to figure out the root cause. which is domain_id 'default' is not a valid uuid so pycadf complains.	17:00
gagehugo	knikolla: interesting	17:00
morgan	which likely means we either need to pass a smart logger to pycadf that explicitly allows defualt (or squashes that message) or patch pycadf	17:01
mfisch	stevemar et al: Is there a way to make only 1 endpoint https?	17:03
*** tqtran has joined #openstack-keystone		17:03
mfisch	enabling SSL seems to do all of them	17:03
mfisch	and a gradual switch is far easier than some big bang all openrcs and all services affected one	17:03
knikolla	biab, grabbing lunch	17:03
*** jaugustine has joined #openstack-keystone		17:03
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Force users to change password upon first use https://review.openstack.org/425507	17:06
rderose	hold on ^	17:06
*** tqtran has quit IRC		17:07
*** stingaci has joined #openstack-keystone		17:13
*** spzala has quit IRC		17:16
*** stingaci has quit IRC		17:17
* morgan holds on to... something...		17:18
mfisch	oh boy ^	17:18
mfisch	I hope thats disableable	17:18
samueldmq	mfisch: yes it is, change_password_upon_first_use is disabled by default	17:20
samueldmq	:-)	17:20
mfisch	I checked	17:21
*** tqtran has joined #openstack-keystone		17:21
*** spzala has joined #openstack-keystone		17:22
*** diazjf has quit IRC		17:22
lbragstad	it's an mfisch!	17:23
mfisch	lol	17:23
stevemar	o/	17:27
stevemar	morgan: re: pycadf change -- at least its just noise in the logger, nothing terribly broken	17:30
stevemar	morgan: umm, its because "default" isn't a uuid eh	17:30
stevemar	morgan: i also question how many people use the notifications in keystone? either writing to log or message bus	17:30
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Force users to change password upon first use https://review.openstack.org/425507	17:31
rderose	lbragstad samueldmq: rebased off of morgan's cleanup patch ^	17:31
mfisch	stevemar: have you heard of a good process for switching to SSL in keystone, without blowing up the other services	17:35
mfisch	best idea I have so far is to run 2 containers and 2 endpoints	17:35
*** stingaci has joined #openstack-keystone		17:37
*** stingaci has quit IRC		17:37
*** stingaci has joined #openstack-keystone		17:37
dstanek	mfisch: why wouldn't you have the same containers running SSL and non-SSL	17:39
dstanek	?	17:39
mfisch	it would be the same binaries and docker images yes	17:40
mfisch	I need to figure out the right way with puppet to generate 2 config files	17:40
dstanek	can the same keystone instance not serve both?	17:40
*** diazjf has joined #openstack-keystone		17:40
mfisch	it appears once you set enable_ssl in keystone.conf it makes all endpoints ssl	17:41
mfisch	but since deployments are not instantaneous all services will break until a new config lands for them too	17:41
mfisch	this is probably a good question for the ops list	17:43
dstanek	mfisch: i'm not sure what enable_ssl is. what i would have thought you could do is setup 2 pools in the load balancer and use the same instances. i would hope that when we generate URLs we take HTTP/S into account	17:43
stevemar	mfisch: yeah, unfortunately you're saying all the right things :P	17:43
*** adrian_otto has joined #openstack-keystone		17:43
mfisch	[ssl]	17:43
mfisch	enable=False	17:43
mfisch	thats the section I was paraphrasing	17:43
dstanek	mfisch: what does that do? have keystone terminate the SSL?	17:44
mfisch	it seems to configure keystone to read certs in and configure ssl and then nothing works until you make all your keystone endpoints be https:// and reconfigure the authtoken sections for all services	17:46
dstanek	mfisch: odd. why not terminate in apache?	17:46
mfisch	that would probably simplify this, we're not using apache currently though	17:47
dstanek	so just fair warning if you terminate in keystone it'll be much slower and reduce throughput	17:48
mfisch	dstanek: I need to dig more into this, another engineer was leading this investigation	17:48
mfisch	dstanek: yep, that is also a concern	17:48
mfisch	plan on getting some real numbers	17:48
dstanek	do you have anything in front of it?	17:48
dstanek	mfisch: you could also try to put a terminator in front of it	17:49
mfisch	we have that for our public endpoints	17:49
mfisch	hardware lb	17:50
dstanek	what are you doing this for just testing enironment?	17:50
mfisch	mgmt directive	17:50
mfisch	now that this plan has gotten this far I'm paying attention to it ;)	17:51
dstanek	i always like terminating on the app server because then there is no internal traffic unencrypted. i usually use apache for that, but have has some success with stud	17:52
dstanek	that was years ago though so there may be new hottness now	17:52
dstanek	topol: you going to PTG?	17:52
topol	YES!	17:53
topol	You?	17:53
mfisch	dstanek: I'll be at PTG also	17:53
topol	dstanek	17:53
mfisch	do board members hang out with regular people or no?	17:53
topol	dstanek flying in Sunday.	17:53
topol	This board member does!!!!	17:53
mfisch	+1	17:54
topol	just a regular guy. I put my pants on two legs at a time just like everyone else :-)	17:54
mfisch	I figured you'd say "my dress team puts my pants on one leg at a time"	17:54
dstanek	topol: yup. whoa that early?	17:55
topol	bahahaha	17:55
mfisch	I'm flying in on Sat	17:55
stevemar	topol: it's customary for board members to buy the keystone team (and some operators) dinner	17:55
stevemar	just saying	17:55
dstanek	stevemar: ++	17:55
stevemar	topol: i should clarify, new board members	17:55
topol	dstanek I have Interop meetings Monday Tuesday	17:55
mfisch	I bet if I called our IBM sales guy and said we wanted a nice dinner with Steve it would be setup ;)	17:55
stevemar	new ones from ibm, new ones whose name starts with B	17:56
stevemar	mfisch: does your sales guy have to come?	17:56
topol	Im sure I can buy something for a few close friends	17:56
mfisch	stevemar: nah he'll give you his CC number ;)	17:56
stevemar	mfisch: yessss	17:56
mfisch	not even sure we have an IBM sales guy but probably somewhere	17:56
dstanek	topol: i was going to see if you'd be around NC on Tuesday for lunch, but looks like not	17:56
stevemar	it'll be added to my amazon acct, k thx	17:56
mfisch	good plan	17:56
topol	dstanek, sorry. But will I see you at PTG?	17:59
dstanek	topol: yeah, i'll be there. driving down on Tuesday	17:59
topol	K	18:00
*** harlowja has joined #openstack-keystone		18:02
*** chlong has quit IRC		18:03
*** diazjf has quit IRC		18:06
*** ravelar has quit IRC		18:06
*** jose-phillips has joined #openstack-keystone		18:08
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Force users to change password upon first use https://review.openstack.org/425507	18:08
stevemar	rderose: you forgot to commit the rel note!	18:10
rderose	oops	18:10
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Force users to change password upon first use https://review.openstack.org/425507	18:11
rderose	stevemar: done	18:11
stevemar	morgan / samueldmq did you want to have a last look at https://review.openstack.org/#/c/425507/ ?	18:13
* samueldmq looks again		18:13
samueldmq	still good to me	18:14
*** mvk has joined #openstack-keystone		18:16
stevemar	rderose: thank you ronald!	18:17
rderose	stevemar: hey, thanks for the reviews	18:17
stevemar	rderose: just doing my job	18:17
rderose	stevemar: love how this one ended up	18:17
stevemar	aye	18:18
stevemar	barely any code	18:18
stevemar	all tests	18:18
rderose	yeah	18:18
rderose	:)	18:18
knikolla	ayoung: looks like they dropped our class project.	18:18
stevemar	rderose: hmmm	18:19
stevemar	rderose: i think we called the option name incorrect	18:19
stevemar	rderose: the option should be "ignore_change_password"	18:19
rderose	stevemar: hmm...	18:20
stevemar	cause: https://review.openstack.org/#/c/424220/ should create the option "ignore_lockout"	18:20
stevemar	and https://review.openstack.org/#/c/423909/ should create the the option "ignore_password_expiry"	18:20
rderose	stevemar was sharing this for both password expires and change password...	18:21
rderose	but...	18:21
ayoung	knikolla, no one signed up for it?	18:22
stevemar	rderose: yeah, we could they are the same, i was thinking of a 1:1 with the config option	18:22
dstanek	lots o churn	18:22
stevemar	rderose: cause failure to change passwd every X days, and being exempt from a gloabl passwd reset are two differnt things	18:22
knikolla	ayoung: guess not enough.	18:23
knikolla	probably got intimidated or wanted something that sounded cooler.	18:23
rderose	stevemar: so you could enforce one but not the other	18:23
stevemar	rderose: i think so, right?	18:23
stevemar	rderose: 1:1 makes more sense in my head	18:24
rderose	stevemar: yeah, I'm tending to agree	18:24
rderose	let me change it	18:24
stevemar	but there could be logical reasons why they would never not be both enabled	18:24
stevemar	yeah	18:24
stevemar	if you don't mind, i'll solo +A the fix	18:24
stevemar	rderose: let me bump it out	18:25
rderose	sure, fixing it now	18:25
stevemar	well, the gate is stupid long anyway	18:25
stevemar	kk	18:25
*** ravelar has joined #openstack-keystone		18:26
ayoung	knikolla, then I guess is is not going to happen	18:26
*** jose-phillips has quit IRC		18:26
lbragstad	stevemar i updated https://bugs.launchpad.net/keystone/+bug/1291157	18:27
openstack	Launchpad bug 1291157 in OpenStack Identity (keystone) "idp deletion should trigger token revocation" [Medium,Confirmed]	18:27
knikolla	ayoung: i can pick it up if you don't have time to work on it.	18:27
lbragstad	stevemar I can retest that later today and close accordingly	18:27
stevemar	lbragstad: sounds bueno to me	18:29
stevemar	morgan: i saw you and breton talking in the morning about https://review.openstack.org/#/c/415545/ -- what the recap there?	18:29
ayoung	knikolla, I don't have time. It is yours. PLease make it happen	18:31
morgan	stevemar: i need to think more	18:32
morgan	that was the recap	18:32
*** stingaci_ has joined #openstack-keystone		18:35
*** stingaci has quit IRC		18:36
*** david-lyle has quit IRC		18:39
stevemar	morgan: good recap :)	18:39
*** spzala has quit IRC		18:43
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Force users to change password upon first use https://review.openstack.org/425507	18:47
rderose	stevemar: ^	18:47
rderose	stevemar: wait, for got the release notes...	18:48
rderose	stevemar: nevermind, it should be good	18:48
morgan	stevemar: I targeted bug 1659053 for ocata-RC1	18:48
openstack	bug 1659053 in OpenStack Identity (keystone) "use uuids with pycadf" [Medium,Triaged] https://launchpad.net/bugs/1659053 - Assigned to Gage Hugo (gagehugo)	18:48
morgan	stevemar: we can bump it if it doesn'tland	18:48
morgan	but...	18:48
morgan	just FYI	18:48
*** spzala has joined #openstack-keystone		19:00
morgan	rderose: nit on your patch (can be a followup) I don't like the use of UTCnow	19:09
morgan	rderose: for an expiration, I like an explicit date such as epoch 0-	19:09
morgan	rderose: i wouldn't aks for a change, but in theory utcnow could be wonky based upon NTP / manual clock updates, etc	19:10
morgan	setting an explicit "there is no way this is valid" expiration is better	19:10
morgan	it could be a followup	19:10
morgan	stevemar: ^ cc	19:10
*** richm1 has quit IRC		19:13
rderose	morgan: I thought UTC as our standard; not clear why utcnow would be wonky	19:16
*** stingaci_ has quit IRC		19:17
morgan	rderose: it's tied to local clock for evaluation	19:17
rderose	morgan: hmm... so we can't trust it to be utc accurate?	19:18
morgan	and not centralized. so edge nodes are responsible for timing. it's one of those general things.	19:18
morgan	we can to be within 5m	19:18
morgan	or so	19:18
morgan	which is acceptable drift	19:18
morgan	what we've said is our threshold for token validtity +/- 300s	19:18
morgan	if you look at many systems when they do this and lean on the expiry setting for forcing a password change (vs an explicit attr)	19:19
morgan	they set to like EPOCH start	19:19
morgan	just to be sure there is no reason it could be valid due to drive	19:19
morgan	drift*	19:19
morgan	etc	19:19
morgan	+2 on your patch	19:19
morgan	comment is added for potential followup	19:19
rderose	okay, cool	19:19
rderose	thx	19:19
*** tqtran has quit IRC		19:20
morgan	not a requirement, just one of those things that you don't think about... and then you do..and then someone's password works when it shouldn't :P	19:20
rderose	right :)	19:20
stevemar	rderose: looking now!	19:26
stevemar	rderose: ah you went for the option name = ignore + config_option, nice	19:27
*** spzala has quit IRC		19:29
stevemar	rderose: approved !	19:29
rderose	stevemar: sweet!	19:30
stevemar	rderose: you going to pick up https://review.openstack.org/#/c/423909/ ?	19:32
stevemar	rderose: i'll try rebasing https://review.openstack.org/#/c/424220/1 for you	19:32
*** stingaci has joined #openstack-keystone		19:32
rderose	stevemar: sounds good	19:34
*** stingaci has quit IRC		19:37
dstanek	what's left?	19:37
* morgan will be doing the deprecations now		19:38
morgan	and the MFA thing	19:38
morgan	today	19:38
dstanek	morgan: ping me if you need a review	19:39
morgan	dstanek: will do	19:42
*** richm has joined #openstack-keystone		19:42
openstackgerrit	Steve Martinelli proposed openstack/keystone: Deprecate `lockout_ignored_user_ids` conf option https://review.openstack.org/424220	19:44
*** jose-phillips has joined #openstack-keystone		19:48
*** d-bark has joined #openstack-keystone		19:53
*** david-lyle has joined #openstack-keystone		19:53
*** david-lyle has quit IRC		19:53
*** david-lyle has joined #openstack-keystone		19:54
*** Jack_V has quit IRC		19:58
dstanek	stevemar: do we still need that ^?	19:59
morgan	ROFL... i was wondering why my new opt wasn't showing up... because it wasn't registered!	20:00
*** david-lyle has quit IRC		20:01
*** david-lyle has joined #openstack-keystone		20:01
openstackgerrit	Steve Martinelli proposed openstack/keystone: Create user option `ignore_lockout_failure_attempts` https://review.openstack.org/424220	20:01
stevemar	dstanek: you refering to the deprecation?	20:02
stevemar	dstanek: no, i forgot to adjust the commit message	20:02
stevemar	dstanek: i think i migrated that patch to the new option format, just the tests need to be cleaned up	20:02
stevemar	dstanek: give it a cursory glance :)	20:02
stevemar	morgan: rderose let's all base our patches on 425507	20:03
stevemar	first one to get approved doesn't have to rebase :D	20:03
*** stingaci has joined #openstack-keystone		20:04
morgan	hah	20:04
dstanek	stevemar: got it, thanks	20:04
rderose	stevemar: it sounded like morgan was working on the deprecation patches.	20:05
rderose	morgan: did you want me to take over?	20:05
stevemar	rderose: oh ja?	20:05
rderose	stevemar: "morgan will be doing the deprecations now" ^	20:06
morgan	i am working on deprecations	20:06
morgan	almost have the first one working	20:06
rderose	:)	20:07
morgan	debugging a small oddity	20:07
*** stingaci has quit IRC		20:08
openstackgerrit	Steve Martinelli proposed openstack/keystone: Create user option `ignore_lockout_failure_attempts` https://review.openstack.org/424220	20:10
morgan	LOL oh man. ... i think the context cache is biting me for this test	20:10
stevemar	rderose: hehe	20:11
stevemar	rderose: whoops, missed that	20:12
stevemar	rderose: you take a well deserved break then lol	20:12
morgan	so.. i am setting the option for ignores_password_expiry and testing the passwor din expired	20:12
morgan	and it passes	20:12
rderose	stevemar: :)	20:12
morgan	then i set the option to false.. and i re-auth and it still succeeds	20:12
*** MasterOfBugs has joined #openstack-keystone		20:12
morgan	checking user['options']['ignore_password_expiry'] says "false"	20:12
morgan	but the option_value from the resource_mapper says it's "true"	20:13
morgan	w.t.f	20:13
morgan	.	20:13
rderose	morgan: looking	20:13
morgan	let me post the code.	20:13
*** pramodrj07 has joined #openstack-keystone		20:15
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Deprecate [security_compliance]\password_expires_ignore_user_ids https://review.openstack.org/426384	20:15
morgan	rderose: ^	20:15
stevemar	morgan: i've been udpating the lockout one fyi	20:15
stevemar	should just need tests at this point	20:15
morgan	so i added debugger lines, and in the latest test... if i update the user['options']['ignore_password_expiry'] to be false	20:15
morgan	the user_ref says it is false	20:16
morgan	but when i hit the SQL model's check expired, the mapper says the option value is true	20:16
morgan	w.t.f	20:16
openstackgerrit	Richard Avelar proposed openstack/keystone: WIP update_user https://review.openstack.org/426386	20:18
dstanek	ugg...looks like i have to give up on lxc on fedora and maybe move to docker	20:18
*** MasterOfBugs has quit IRC		20:18
morgan	=/	20:18
dstanek	unprivileged containers == all fail	20:19
*** portdirect_travl is now known as portdirect		20:21
*** diazjf has joined #openstack-keystone		20:23
morgan	rderose: i figured it out.	20:25
morgan	well. crap on a stick	20:25
rderose	:)	20:25
morgan	rderose: *rolls eyes8	20:25
morgan	sec i'll show you	20:25
morgan	oh wait. no this shouldn't be hitting the cache	20:25
rderose	sql_model and condition?	20:25
rderose	in list and option?	20:26
rderose	((self.id not in ignore_list) and (	20:26
rderose	ignore_pw_expiry and not ignore_pw_expiry.option_value)):	20:26
morgan	no, the actual value from the resource manager is showing as True there	20:26
morgan	evne though the options_dict says it's false	20:26
rderose	no, that's right	20:26
morgan	here is an updated version	20:26
morgan	sec	20:26
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Deprecate [security_compliance]\password_expires_ignore_user_ids https://review.openstack.org/426384	20:27
morgan	a little more direct	20:27
morgan	but the issue is option_value is showing as True	20:27
morgan	even though the user dict says ['options']['ignore_password_expiry'] is False	20:27
morgan	see the result	20:28
morgan	sec	20:28
morgan	https://www.irccloud.com/pastebin/UoHnntZQ/	20:28
morgan	rderose: ^	20:28
morgan	as you can see, it's not rasing PassworDexpired	20:28
morgan	but returning the auth dict... and ignore_password_expiry is in-fact false	20:29
*** jose-phillips has quit IRC		20:29
rderose	hmm...	20:29
morgan	if i add an addition layer of debugging, model._resouce_option_mapper[password_expiry_opt.option_id] == True	20:29
morgan	in the _get_password_expires_at method	20:29
morgan	wondering if the resource_option_manager is somehow stale in the authenticate call?	20:30
rderose	or, it's calling _get_password_expires_at before the options are set?	20:31
morgan	shouldn't be possible	20:31
morgan	https://www.irccloud.com/pastebin/t98QLGyL/	20:31
morgan	^	20:31
rderose	hmm...	20:32
morgan	inverting the set/update of the option	20:34
morgan	just to be sure	20:34
morgan	well fu...	20:34
morgan	it passes when i invert it	20:34
morgan	so create sets the value to false, but the update sets the value to true	20:34
morgan	... whaaaaat the hell	20:34
*** stingaci has joined #openstack-keystone		20:35
dstanek	:-)	20:35
*** stingaci has quit IRC		20:40
morgan	dstanek, rderose: can you see why this change would make it work?	20:41
morgan	https://www.irccloud.com/pastebin/lRdJhOap/	20:41
morgan	that is all i changed... and the test now passes	20:42
rderose	hmm...	20:45
rderose	morgan: commit the latest and let me play with it	20:46
rderose	I'm not seeing why at the moment	20:46
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Deprecate [security_compliance]\password_expires_ignore_user_ids https://review.openstack.org/426384	20:47
morgan	posted	20:47
rderose	morgan: so when you create a user with the option, the tests fail, password is expired	20:49
rderose	right?	20:50
dstanek	morgan: what wasnt' working?	20:51
*** jose-phillips has joined #openstack-keystone		20:52
*** raildo has quit IRC		20:56
*** jose-phillips has quit IRC		20:58
openstackgerrit	Steve Martinelli proposed openstack/keystone: Create user option `ignore_lockout_failure_attempts` https://review.openstack.org/424220	21:00
stevemar	still needs a few more tests ^ morgan rderose	21:00
openstackgerrit	Kristi Nikolla proposed openstack/keystone: WIP: Install shibboleth-idp with Devstack plugin https://review.openstack.org/401421	21:01
rderose	okay morgan: now I'm baffled, it seems to be working for me, in either case (create/update)	21:02
rderose	morgan: and I haven't changed anything	21:03
knikolla	rodrigods: i think I'm not too far from having shibboleth-idp running. just need to debug why the container is throwing errors when launched with the configuration i created.	21:05
*** haplo37_ has quit IRC		21:05
*** stingaci has joined #openstack-keystone		21:07
dstanek	rderose: which review are you guys working on?	21:08
*** thiagolib has quit IRC		21:08
rderose	dstanek: https://review.openstack.org/#/c/426384/	21:08
dstanek	rderose: and that is failing morgan as-is?	21:09
rderose	dstanek: it's not failing for me	21:10
*** stingaci has quit IRC		21:11
dstanek	test_backend_sql work fine for me. running the full tests now	21:12
rderose	morgan dstanek: even when I take the ignore list out of the picture (test above), and replace it with ignore option, it passes	21:13
rderose	morgan: what's the issue?	21:13
rderose	seems to be working	21:13
*** haplo37_ has joined #openstack-keystone		21:16
knikolla	full tests pass for me	21:19
openstackgerrit	Merged openstack/keystone: Adds tests showing how mapping locals are handled https://review.openstack.org/418460	21:22
dstanek	full tests work for me as well	21:23
harlowja	hey guys, so jamielennox i think if i'm correct made a bunch of changes in oslo.context that are now spewing depreciations (which afaik are critical/gate stopping in keystone) and causing keystone to die	21:26
dims	stevemar : hey, latest oslo.context release can't get into u-c because of a problem...	21:26
harlowja	can we get those prioritized high to get fixed	21:26
harlowja	http://logs.openstack.org/34/421934/2/check/gate-cross-keystone-python27-db-ubuntu-xenial/b0c971f/testr_results.html.gz	21:26
dims	what harlowja said :) ^	21:27
harlowja	or turn off the critical 'test' until thats fixed	21:27
harlowja	(such critical depreciation thing imho shouldn't be a gate-blocker but that's a different story, lol)	21:27
dims	dstanek : morgan : stevemar : thoughts please ^	21:27
dstanek	dims: that from using the latest oslo.context?	21:34
dims	yep	21:34
dims	dstanek : off this review - https://review.openstack.org/#/c/421934/	21:34
dstanek	dims: is this a chicken/egg problem where i can fix it to pass your tests, but it will fail gerrit with what is currently installed?	21:35
harlowja	hmmm	21:38
harlowja	i'd say turn off that depreciations are critical first	21:38
harlowja	fix it in keystone	21:38
harlowja	turn it back on	21:38
harlowja	i think u can though fix it in the tests first	21:38
*** stingaci has joined #openstack-keystone		21:39
harlowja	with what's currently installed	21:39
harlowja	but not 100% on that	21:39
dims	is this the trigger? http://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/unit/core.py#n496	21:40
harlowja	i d o believe so dims	21:40
harlowja	turns them all into critical exceptions	21:41
harlowja	which well, ya, was going to cause this to happen one day	21:41
dstanek	i vote for turning that off and fixing later. will be a quick patch is spawn	21:41
knikolla	++	21:42
harlowja	k	21:42
*** edtubill has joined #openstack-keystone		21:42
*** stingaci has quit IRC		21:43
*** catintheroof has quit IRC		21:44
dims	sounds good dstanek	21:45
dims	so who is going to file one? :)	21:45
*** catintheroof has joined #openstack-keystone		21:45
dstanek	i just created a patch now.	21:45
dstanek	i'm going to submit two actually :-) see which one wins	21:46
openstackgerrit	David Stanek proposed openstack/keystone: Turn off deprecation -> critical in tests https://review.openstack.org/426407	21:46
dims	:)	21:46
openstackgerrit	John Perkins proposed openstack/keystone: Integrate oslo.config validator https://review.openstack.org/426408	21:47
dims	dhellmann : working a plan with keystone folks about oslo.context. in their test suite they trigger failure on any deprecation - http://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/unit/core.py#n496	21:48
dims	oops wrong channel :)	21:48
harlowja	thx dstanek	21:49
*** catintheroof has quit IRC		21:49
openstackgerrit	Merged openstack/keystone: Cleanup for resource-specific options https://review.openstack.org/425957	21:50
morgan	rderose: when i did "ignore = True" then set to false, it wouldn't pass	21:51
morgan	rderose: but inverting it to False first then True, passes	21:52
dstanek	harlowja: np	21:53
dstanek	dims: harlowja: i'm testing out a change now that fixes the errors at the source too	21:53
*** adrian_otto has quit IRC		21:54
openstackgerrit	Gage Hugo proposed openstack/keystone: WIP Fix multiple uuid warnings with pycadf https://review.openstack.org/426411	21:57
gagehugo	morgan knikolla ^^	22:01
morgan	uh	22:02
morgan	we're copy/pasting code into tools/ ?	22:02
morgan	dims: ^ config validator?	22:02
dstanek	morgan: dims: :-( we worked so hard to reduce those kinds of things	22:04
stevemar	harlowja: dhellmann dims -- we have the fail on deprecation so we don't end up using them in our code ... IIRC :)	22:05
stevemar	dstanek: yeah :(	22:05
dhellmann	stevemar : well, you're now blocking anyone else from using this new version of the lib	22:05
stevemar	dhellmann: yeah, we will unblock, that wasn't the intention	22:05
morgan	dstanek: i feel strong enough on that that it's getting a -2	22:05
dhellmann	stevemar : thanks	22:06
morgan	dstanek: no copy/paste/additions to tools/ (the limited shell scripts make sense)	22:06
dstanek	stevemar: i have another patch that i'm testing locally that fixes our context object	22:06
dhellmann	stevemar : maybe we can find another way to test that, by not using a job that's also running against the requirements repo	22:06
stevemar	dhellmann: yeah, probably, but this is the first time i think its happened in at least 18 months, just mostly horrible timing	22:07
morgan	dhellmann: it is important we're not leaning on deprecated things imo. so, i'd like to keep this kind of stuff somehow	22:07
morgan	dhellmann: i get it blocks things, but once in 18mo is not really bad imo	22:08
stevemar	dstanek: the tests are failing with your patch	22:08
dhellmann	morgan: I don't think it's fair for you to block progress elsewhere, on principle, so I would appreciate it if you would find another way to do this test.	22:08
dstanek	stevemar: which patch?	22:08
dstanek	stevemar: the deprecate->critical one?	22:09
stevemar	dstanek: yes, that one	22:09
stevemar	dstanek: http://logs.openstack.org/07/426407/1/check/gate-keystone-python27-db-ubuntu-xenial/a1b3e98/testr_results.html.gz	22:09
stevemar	dstanek: it also fails pep8 :)	22:09
morgan	dhellmann: i said i'd like to keep it somehow. i wasn't saying we should block everything here. though to be fair, it would be good if we had a way to run things that show how massive a headache deprecations are going to be for the projects	22:09
dstanek	stevemar: lol, ok. i didn't realize we had a test to make sure that happens	22:09
morgan	dhellmann: i am VERY against releasing code that has deprecation warnings emitted (on principal across openstack and any project) that the operator cannot fix/deal with	22:10
dhellmann	morgan : I agree, generally.	22:10
*** stingaci has joined #openstack-keystone		22:10
dhellmann	I would also have preferred for this change to land months ago so we had time to deal with it	22:11
morgan	so, i'd like to keep this somehow somewhere... and/or make it easier to identify before requirements update	22:11
dhellmann	that's fine. I just don't think it should gate requirements, since it's not a global policy.	22:11
morgan	that makes me sad.	22:11
*** jose-phillips has joined #openstack-keystone		22:11
stevemar	dstanek: https://github.com/openstack/keystone/blob/master/keystone/tests/unit/tests/test_core.py#L85-L88 is the one that's failing	22:11
morgan	that other folks don't as strongly feel this way.	22:12
dhellmann	we could work to make it a global policy, but in that case we would either freeze out all oslo api changes or we would have to have some sort of assurance that project teams would not block oslo work.	22:12
dstanek	stevemar: fixed locally...pusing in a sec	22:12
dhellmann	the bottom of the stack is a hard place to work	22:12
morgan	dhellmann: well. 2 things, if it's deprecated with no plans for removal... i'd give it a pass and make it a policy this needs to be prioritized prior to release(s)	22:13
dhellmann	if there were no plans for removal, a deprecation warning wouldn't be appropriate	22:13
dhellmann	so we could confirm those plans with the oslo team, but I assume they intend to remove the shims at some point	22:14
morgan	dhellmann: if it s deprecated with plans for removal... i have other words and thoughts about that for libraries. and strongly disagree with the g-r methodologies and not capping at major revisions.	22:14
dhellmann	it's too late on a friday to start that conversation	22:14
morgan	dhellmann: my complaints all stem from policies i really disagree with across how g-r works	22:14
*** stingaci has quit IRC		22:15
dhellmann	I welcome your contributions to the requirements team in pike. :-)	22:15
stevemar	hehe	22:15
morgan	and how we use major/minor revisions without explicit caps... but i'm far more of a stickler for these things than most of the community	22:15
dhellmann	we tried caps, and they introduced so many gate wedges we had to drop them	22:15
morgan	i've lost this argument enough times i wont block any changes on these fronts (but I would like some kind of clear way to identify the deprecations when the migrate into g-r)	22:15
*** thorst_ has quit IRC		22:16
stevemar	dhellmann: we'll ignore the warnings for now, i'll bug prometheanfire when the patch has merged	22:16
dhellmann	k	22:16
dhellmann	do talk to harlowja and gcb about the plans for removing the deprecated things, though. because if they don't plan to, maybe we can just not warn.	22:16
morgan	dhellmann: i was here for that time period and of the caps and wedges. i think we could have resolved it in a different way. i don't think we could reasonable change course now without another horrible/long discussion	22:16
openstackgerrit	David Stanek proposed openstack/keystone: Fixes deprecations caused by latest oslo.context https://review.openstack.org/426418	22:17
openstackgerrit	Gage Hugo proposed openstack/keystone: Fix multiple uuid warnings with pycadf https://review.openstack.org/426411	22:17
morgan	dhellmann: i actually think deprecation is healthy, even without plans for removal and warning	22:17
morgan	this is the old way, use the new way	22:17
morgan	please, use the new way, it's better and better supported. this is to make sure we don't break things"	22:17
morgan	(quote/unquote)	22:17
dhellmann	morgan : I was one of the people pushing caps before, fwiw. I like the constraints system a lot better.	22:17
* dhellmann nods		22:18
stevemar	dstanek: abandon https://review.openstack.org/#/c/426407/1 ? looks like you pushed 2 different patches	22:18
stevemar	dstanek: keep the newer one	22:18
morgan	my complaint with constraints is it doesn't accurately show that a future revision will break us. but that is because we are mis-using major/minor version imo. again. more philisophical discussion than I plan to try and sheppherd in a massive change back to caps	22:18
dstanek	stevemar: sounds good to me	22:19
* morgan wouldn't block these bits and changes to keystone in either case.		22:19
dstanek	i wanted to see both options	22:19
stevemar	dstanek: whoa https://review.openstack.org/#/c/426418/1/keystone/common/context.py	22:19
morgan	dhellmann: i think i'll noodle over how we can build something that'll highlight deprecations used that should be cleaned up... maybe some auto-created bugs on a periodic job (or post g-r update)	22:19
morgan	dhellmann: something so we can make sure projects are aware of/able to identify things to get fixed :)	22:20
dhellmann	morgan : I would support that work. Will you be at the ptg? Maybe we can discuss there?	22:20
morgan	yeah i'll be there	22:20
morgan	from tuesday ->	22:20
morgan	missing monday because i'm at a funeral that weekend befotre	22:20
dhellmann	I'm sure the whole oslo team would be happy to have something like that, because it would make it easier for us to clean up the legacy code we have	22:20
dhellmann	ah, sorry to hear that	22:20
dhellmann	mention it to gcb, I think he's leading up the ptg organizing	22:20
morgan	it was a long time coming and a very delayed (months delayed) funeral	22:21
dhellmann	make sure it's on the oslo agenda	22:21
* morgan will see about getting it on the agenda		22:21
morgan	until then... i has things to finish up in keystone ASAP :P	22:21
dhellmann	cool	22:21
dhellmann	++	22:22
*** edmondsw_ has quit IRC		22:23
dstanek	stevemar: ? the _gone i assume?	22:23
*** edmondsw has joined #openstack-keystone		22:23
stevemar	dstanek: yes	22:23
dstanek	stevemar: i wanted to make sure nothing would be using the old properties and i'm not sure how to do that	22:24
morgan	rderose: passes tests: https://review.openstack.org/#/c/426384/	22:24
dstanek	it shouldn't be possible for non-keystone code to use them, but i wasnt sure about keystone code	22:25
dstanek	i don't trust that the unit tests exercise everythig	22:25
*** edmondsw has quit IRC		22:28
dstanek	does oslo.context return the value of ctx.user_id if you access it as ctx.user?	22:29
*** PramodJ has joined #openstack-keystone		22:31
*** pramodrj07 has quit IRC		22:34
openstackgerrit	David Stanek proposed openstack/keystone: Fixes deprecations caused by latest oslo.context https://review.openstack.org/426418	22:37
*** richm has quit IRC		22:39
openstackgerrit	David Stanek proposed openstack/keystone: Turn off deprecation -> critical in tests https://review.openstack.org/426407	22:41
*** jaosorior has quit IRC		22:42
*** stingaci has joined #openstack-keystone		22:42
*** edtubill has quit IRC		22:45
*** stingaci has quit IRC		22:46
*** jaugustine has quit IRC		22:47
*** spotz_zzz is now known as spotz		22:48
stevemar	dstanek: almost done the tests for user lockout as option	22:57
stevemar	dstanek: probably? oslo is pretty good about that	22:57
stevemar	dstanek: https://github.com/openstack/oslo.context/blob/master/oslo_context/context.py#L257	22:58
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Deprecate [security_compliance]\password_expires_ignore_user_ids https://review.openstack.org/426384	22:59
morgan	stevemar: ^ fixed comments	23:00
openstackgerrit	Steve Martinelli proposed openstack/keystone: Create user option `ignore_lockout_failure_attempts` https://review.openstack.org/424220	23:00
dstanek	stevemar: yep, already saw that and pushed an update	23:00
stevemar	morgan: fixed comments ^	23:00
stevemar	hehe	23:00
stevemar	high five	23:00
*** jperry has quit IRC		23:01
*** spilla has quit IRC		23:01
morgan	except i messed up pep8	23:01
morgan	damn	23:01
stevemar	morgan: i think you need a schema change too	23:01
morgan	i can do that as a followup. i want to make it a two-fold change.	23:02
stevemar	a test in test_v3_identity would have caught that :D	23:02
stevemar	ah	23:02
morgan	easier to do what i want to do in a followup or two	23:04
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Deprecate [security_compliance]\password_expires_ignore_user_ids https://review.openstack.org/426384	23:04
morgan	there we go	23:04
morgan	not broken pep8	23:04
openstackgerrit	Merged openstack/keystone: clean up release notes for ocata https://review.openstack.org/426095	23:06
lbragstad	morgan yes one for you https://review.openstack.org/#/c/426418/2	23:07
rderose	morgan: back...	23:08
harlowja	morgan +1 to ' i think i'll noodle over how we can build something that'll highlight deprecations used'	23:08
rderose	morgan: ah good, you got it working	23:08
harlowja	i think that would be super	23:08
harlowja	make a mailing list for deprecations	23:08
harlowja	that this thing sends to	23:08
harlowja	per-project email highlighting depreciations used (inside or outside of oslo)	23:09
harlowja	(because depreciations can be done by libraries consumed outside of openstack)	23:09
dstanek	it would be nice to have something that tests against master of all of our own stuff	23:09
dstanek	i have to get going in a few to go to a family thing. won't be back for about 90 minutes	23:10
harlowja	yup, agreed	23:12
*** stingaci has joined #openstack-keystone		23:13
*** stingaci has quit IRC		23:18
*** tqtran has joined #openstack-keystone		23:28
morgan	rderose, stevemar: is there a way to say "this attribute" can be any-type in json-schema?	23:30
rderose	morgan: seems reasonable, but haven't done that	23:32
morgan	rderose: looks like not specifying type is sufficient to make that happen	23:38
rderose	morgan: nice	23:38
rderose	morgan: you'll adding a new patch to add the attribute to the schema	23:38
rderose	* you'll be	23:38
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Implement better validation for resource options https://review.openstack.org/426431	23:39
morgan	rderose: ^	23:39
morgan	rderose: i think i need some help building a test case for that.	23:40
morgan	rderose: but ... in short...	23:40
morgan	stevemar: ^ cc see new patch	23:40
morgan	rderose: for the schema stuff covered in the previous patch	23:42
*** edmondsw has joined #openstack-keystone		23:43
rderose	morgan: ah, cool	23:44
*** pramodrj07 has joined #openstack-keystone		23:44
*** stingaci has joined #openstack-keystone		23:45
*** PramodJ has quit IRC		23:48
*** lamt has quit IRC		23:49
*** lamt has joined #openstack-keystone		23:49
*** stingaci has quit IRC		23:50
*** lamt has quit IRC		23:54

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!