Monday, 2017-02-13

*** martinlopes has joined #openstack-keystone00:04
*** lucas_ has quit IRC00:05
*** thorst_ has joined #openstack-keystone00:10
*** thorst_ has quit IRC00:12
*** jamielennox is now known as jamielennox|away00:24
*** guoshan has joined #openstack-keystone00:26
*** jlwhite has quit IRC00:28
*** jlwhite has joined #openstack-keystone00:28
*** rvba has quit IRC00:28
*** rvba has joined #openstack-keystone00:28
*** rvba has quit IRC00:29
*** rvba has joined #openstack-keystone00:29
*** catintheroof has joined #openstack-keystone00:36
*** catintheroof has quit IRC00:37
*** lucas_ has joined #openstack-keystone00:38
*** hoangcx has joined #openstack-keystone00:42
*** jamielennox|away is now known as jamielennox00:50
*** guoshan has quit IRC01:16
*** sileht has quit IRC01:19
*** iurygregory has quit IRC01:19
*** v1k0d3n has quit IRC01:19
*** thorst_ has joined #openstack-keystone01:19
*** liujiong has joined #openstack-keystone01:19
*** thorst_ has quit IRC01:19
*** iurygregory has joined #openstack-keystone01:19
*** v1k0d3n has joined #openstack-keystone01:22
*** sileht has joined #openstack-keystone01:23
*** YModeMonk has quit IRC01:24
*** martinlopes has quit IRC01:28
*** guoshan has joined #openstack-keystone01:43
*** thorst_ has joined #openstack-keystone01:45
*** thorst_ has quit IRC01:45
*** martinlopes has joined #openstack-keystone02:05
*** martinlopes has quit IRC02:08
*** martinlopes has joined #openstack-keystone02:13
*** v1k0d3n has quit IRC02:14
*** thorst_ has joined #openstack-keystone02:19
*** v1k0d3n has joined #openstack-keystone02:19
*** edtubill has joined #openstack-keystone02:25
*** akrzos-pto is now known as akrzos02:49
*** akrzos is now known as akrzos-pto02:49
*** ngupta has joined #openstack-keystone02:52
*** tovin07_ has joined #openstack-keystone02:57
*** edmondsw has joined #openstack-keystone03:13
*** sonuk has joined #openstack-keystone03:16
*** edmondsw has quit IRC03:17
*** thorst_ has joined #openstack-keystone03:20
*** ngupta has quit IRC03:21
*** ngupta has joined #openstack-keystone03:22
*** thorst_ has quit IRC03:25
*** ngupta has quit IRC03:26
*** ngupta has joined #openstack-keystone03:40
*** guoshan has quit IRC03:50
*** Dinesh_Bhor has joined #openstack-keystone04:08
*** lucas_ has quit IRC04:20
*** thorst_ has joined #openstack-keystone04:21
*** adriant has quit IRC04:25
*** thorst_ has quit IRC04:26
*** hoonetorg has quit IRC04:34
*** ngupta has quit IRC04:36
*** ngupta has joined #openstack-keystone04:37
*** ngupta has quit IRC04:41
*** hoonetorg has joined #openstack-keystone04:47
*** lucas_ has joined #openstack-keystone04:51
*** lucas_ has quit IRC05:01
*** mtreinish has quit IRC05:20
*** jaosorior has joined #openstack-keystone05:28
*** mtreinish has joined #openstack-keystone05:31
*** agrebennikov_ has joined #openstack-keystone05:33
*** agrebennikov_ has quit IRC05:38
*** jrist has joined #openstack-keystone06:04
*** lucas_ has joined #openstack-keystone06:12
*** edtubill has quit IRC06:18
*** edtubill has joined #openstack-keystone06:19
*** thorst_ has joined #openstack-keystone06:22
*** edtubill has quit IRC06:24
*** thorst_ has quit IRC06:26
*** martinlopes has quit IRC06:26
*** itisha has quit IRC06:42
*** lucas_ has quit IRC06:46
*** guoshan has joined #openstack-keystone06:48
*** Jack_I has joined #openstack-keystone07:02
*** rcernin has joined #openstack-keystone07:15
*** phalmos has quit IRC07:16
*** tesseract has joined #openstack-keystone07:28
*** tesseract is now known as tesseract-RH07:29
*** pcaruana has joined #openstack-keystone07:49
*** phalmos has joined #openstack-keystone07:56
*** pnavarro has joined #openstack-keystone08:10
*** thorst_ has joined #openstack-keystone08:22
*** phalmos has quit IRC08:25
*** thorst_ has quit IRC08:27
*** zzzeek has quit IRC09:00
*** zzzeek has joined #openstack-keystone09:00
*** tqtran has joined #openstack-keystone09:05
bretonyes, breton@cynicmansion.ru09:08
*** tqtran has quit IRC09:09
bretonnevermind ^09:13
breton(still my email though if someone wants to tell something)09:13
*** phalmos has joined #openstack-keystone09:42
*** jamielennox is now known as jamielennox|away09:48
*** jdennis1 has joined #openstack-keystone10:02
*** jdennis has quit IRC10:02
*** tqtran has joined #openstack-keystone10:15
*** dims_ has quit IRC10:16
*** tqtran has quit IRC10:20
*** dims has joined #openstack-keystone10:23
*** thorst_ has joined #openstack-keystone10:23
*** liujiong has quit IRC10:24
*** jamielennox|away is now known as jamielennox10:24
*** thorst_ has quit IRC10:28
*** guoshan has quit IRC10:38
*** mvk has quit IRC10:40
johnthetubaguyI am looking into policy in Nova10:52
johnthetubaguyI am thinking about "admin" tokens, and the scope of tokens10:52
johnthetubaguydoes anyone know of a good doc to read up about token scope?10:52
johnthetubaguy(thinking about project membership tests, and if there is a token where project="*" or similar)10:53
johnthetubaguyit might mean we have to become domain aware and respect domain global tokens for "admins"10:53
*** portdirect is now known as portdirect_10:58
*** portdirect_ is now known as portdirec10:59
*** portdirec is now known as portdirect_10:59
*** portdirect_ is now known as portdirect10:59
*** portdirect has joined #openstack-keystone11:00
*** hoangcx has quit IRC11:00
*** jamiec has quit IRC11:04
*** mvk has joined #openstack-keystone11:09
*** jamiec has joined #openstack-keystone11:12
*** nicolasbock has joined #openstack-keystone11:31
*** Mr_Smurf has joined #openstack-keystone11:43
Mr_SmurfHello... I'm trying to figure out why login saml2 federation is behaving strangely.. So I could really need some help..11:45
Mr_SmurfI've looked over the documentation and it looks like I have setup everything correct in my newton installation.11:46
Mr_SmurfWhat happens is when I login I'm redirected to my IDP (simplesamlphp) and I authenticate and I'm returned to my keystone port:5000 and then I just get the normal text as you get if you just surf to your keystone on port 5000.. If I then go to my horizon startpage and try to login again I'm redirected to /auth/webbsso and then to the dashboard and the login is successful11:48
Mr_SmurfI do not see any mapping or anything in keystone on the first request (debug=true) just a request for GET
Mr_Smurfthe second time I get the mapping correct11:52
samueldmqmorning keystone11:54
Mr_Smurfgood morning11:54
*** dave-mccowan has joined #openstack-keystone12:04
*** pbourke has quit IRC12:08
*** pbourke has joined #openstack-keystone12:09
*** tqtran has joined #openstack-keystone12:17
*** tqtran has quit IRC12:22
*** dims has quit IRC12:23
*** dave-mcc_ has joined #openstack-keystone12:28
*** dave-mccowan has quit IRC12:30
*** phalmos has quit IRC12:40
*** catintheroof has joined #openstack-keystone12:41
*** thorst_ has joined #openstack-keystone12:48
*** dims has joined #openstack-keystone13:20
*** edmondsw has joined #openstack-keystone13:23
*** dolphm has quit IRC13:32
*** martinus__ has quit IRC13:32
*** hyakuhei has quit IRC13:32
*** kevinbenton has quit IRC13:32
*** dolphm_ has joined #openstack-keystone13:32
*** ChanServ sets mode: +o dolphm_13:32
*** martinus__ has joined #openstack-keystone13:32
*** hyakuhei has joined #openstack-keystone13:32
*** hyakuhei has quit IRC13:32
*** hyakuhei has joined #openstack-keystone13:32
*** hyakuhei has quit IRC13:32
*** hyakuhei has joined #openstack-keystone13:32
*** dolphm_ is now known as dolphm13:33
*** dikonoor has joined #openstack-keystone13:34
*** kevinbenton has joined #openstack-keystone13:35
dikonoormorgan: Hi morgan. This is about
openstackLaunchpad bug 1662762 in OpenStack Identity (keystone) ocata "Authentication for LDAP user fails at MFA rule check" [High,Triaged]13:39
*** dims_ has joined #openstack-keystone13:43
*** lamt has joined #openstack-keystone13:44
*** dims has quit IRC13:45
*** akrzos-pto is now known as akrzos13:48
samueldmqjohnthetubaguy: hi13:51
johnthetubaguysamueldmq: hi13:51
samueldmqjohnthetubaguy: perhaps is a good place to start13:52
samueldmqjohnthetubaguy: there is a "authentication and token management" section13:52
samueldmqjohnthetubaguy: the best alternative will of course depend on the operation you're looking at13:53
johnthetubaguysamueldmq: cool, I think I found some of that, somehow I got fixated on the version history, and moved on, oops13:53
samueldmqsome operations do not make sense to be associated to a project, e.g manage supervisor13:54
johnthetubaguysamueldmq: unscoped tokens are usually for getting hold of several scoped tokens, I assume?13:54
johnthetubaguyah, so maybe that is what we want13:54
johnthetubaguysamueldmq: do we have docs on how policy and oslo.context work with unscoped tokens?13:54
samueldmqjohnthetubaguy: unscoped tokens are normally used when you don't know what you can scope to yet13:55
johnthetubaguyyeah, I guess there are no roles attached13:55
samueldmqe.g in the federation workflow, you get an unscoped token first, then list the projects you can scope, then get a scoped token to one of those13:55
johnthetubaguyyeah, thats what I thought happened13:55
johnthetubaguymy memory is a bit rusty on these bits13:55
samueldmqjohnthetubaguy: correct, no roles since roles are assigned in a scope (to a project or domain)13:55
johnthetubaguyI think its probably the domain scoped token thats interesting13:56
johnthetubaguysamueldmq: for context, its this Nova spec I am thinking about:
johnthetubaguybasically how to evolve all our stupid is_admin checks to something better13:57
* samueldmq looks13:57
*** spilla has joined #openstack-keystone13:59
Mr_Smurffound the problem.. I am using memcache and relayState was stored in local memory.. changing relayState to ss:mc in shibboleth2.xml solved that issue14:00
samueldmqjohnthetubaguy: cool, I had a glance at the spec and I'll have a better look today14:01
johnthetubaguysamueldmq: that would be awesome, thanks14:01
samueldmqjohnthetubaguy: I'll also make sure to add dstanek and lbragstad as reviewers, they've been leading the weekly policy meeting14:01
johnthetubaguysamueldmq: I should tell lbragstad about the new specs14:01
johnthetubaguyah, jinx, cool14:01
samueldmqjohnthetubaguy: nice, thanks for reaching out14:02
johnthetubaguyno worries, thanks for replying :)14:02
samueldmqMr_Smurf: hi14:03
*** dave-mcc_ has quit IRC14:03
*** mvk has quit IRC14:03
samueldmqMr_Smurf: that's great you got it sorted out. I do not have a strong knowledge on saml2 federation14:03
samueldmqMr_Smurf: since most of us are based in the US, more devs will be available soon14:04
samueldmqMr_Smurf: and someone should be able to assist you on debugging the issue if you have further ones14:04
*** dave-mcc_ has joined #openstack-keystone14:07
Mr_Smurfsamueldmq: ok, thanks now I have another issue... every few login attempts I get "An error occurred authenticating. Please try again later." But when I look in the keystone logs it looks like the login was successful14:07
rodrigodsMr_Smurf, for this final error, you might be stumbling upon
openstackLaunchpad bug 1660436 in OpenStack Dashboard (Horizon) "Federated users cannot log into horizon" [Critical,Fix released] - Assigned to Colleen Murphy (krinkle)14:11
samueldmqthere we go, thanks rodrigods14:12
Mr_Smurfcould be but it is a different error message in that bug report14:14
*** jperry has joined #openstack-keystone14:14
*** mvk has joined #openstack-keystone14:18
dstanekgood morning keystone14:19
rodrigodsMr_Smurf, hmm, are you using devstack? everything latest master?14:21
Mr_Smurfrodrigods: openstack-ansible stable/newton14:22
robcresswellMr_Smurf: What's your session engine?14:22
Mr_Smurfrobcresswell: django.contrib.sessions.backends.cached_db14:23
robcresswellWell there goes my idea.14:25
Mr_Smurflogin does not fail every time..14:26
dikonoormorgan : hi.. on this, , as mentioned in the bug, LDAP user does not work.. As you did most of the changes for MFA, would you know what's the simplest way to fix this ?14:26
openstackLaunchpad bug 1662762 in OpenStack Identity (keystone) ocata "Authentication for LDAP user fails at MFA rule check" [High,Triaged]14:26
Mr_SmurfI do not get any errors in the logs and all looks fine but it just stops after  DEBUG oslo_messaging._drivers.amqpdriver [req-c86b6184-5bdf-4cb2-a412-3b1f6391ca28 - - - - -] CAST unique_id: 14bbcb7d65184a42a802189816218c4c NOTIFY exchange 'keystone' topic '' _send /openstack/venvs/keystone-14.0.7/lib/python2.7/site-packages/oslo_messaging/_drivers/
dikonoormorgan : In an earlier discussion , dstanek mentioned that he thinks adding an options attribute for LDAP user will be the right direction..The simplest fix would be to not assume that options attribute is always going to be around14:28
dstanekdikonoor: that wouldn't be the simplest fix. the simplest fix is adding the options attribute.14:29
Mr_Smurfso it never gets to auth_token/ which is the next line when login is successful14:30
Mr_Smurfits like the process just dies14:30
dstanekit's also, by far, more OO of the two14:30
dikonoordstanek: What's OO ?14:30
dikonoordstanek : Do you know what is this options attribute supposed to be for ?14:31
dstanekdikonoor: OO == object oriented14:34
dstanekthe options attribute is going to be a place to put new attributes for a user that change behavior.14:34
dstanekso not something that describes a user like name, email, etc. something like uses_mfa, must_be_encrypted, etc. - in the past we put this information in the config file as a setting and then another setting for an exclusion list14:35
dikonoordstanek : ok :) (for OO)14:35
dstanekdikonoor: the reason i said it was simpler and more OO is that I don't want 'if isinstance(user, SQLUser)' or 'if getattr(user, "options", None)' littered all over the code14:38
*** jamielennox is now known as jamielennox|away14:39
*** Jack_V has joined #openstack-keystone14:44
*** jaugustine has joined #openstack-keystone14:45
*** Jack_I has quit IRC14:45
*** dikonoor has quit IRC14:46
*** pcaruana has quit IRC14:50
*** ngupta has joined #openstack-keystone14:54
*** pcaruana has joined #openstack-keystone14:55
*** dave-mcc_ has quit IRC14:57
*** jose-phillips has joined #openstack-keystone15:00
*** openstackgerrit has joined #openstack-keystone15:05
*** dave-mccowan has joined #openstack-keystone15:11
*** jose-phillips has quit IRC15:16
*** jose-phi_ has joined #openstack-keystone15:17
*** lucas_ has joined #openstack-keystone15:18
*** tqtran has joined #openstack-keystone15:19
*** tqtran has quit IRC15:24
*** nkinder has joined #openstack-keystone15:25
*** dave-mccowan has quit IRC15:29
*** chris_hultin|AWA is now known as chris_hultin15:31
*** dave-mccowan has joined #openstack-keystone15:34
*** lucas_ is now known as lucasxu15:34
*** lucasxu has quit IRC15:42
*** lucas_ has joined #openstack-keystone15:43
*** lucas_ has quit IRC15:44
*** lucasxu has joined #openstack-keystone15:44
openstackgerritMerged openstack/pycadf master: Updated from global requirements
*** lucasxu has quit IRC15:48
*** lucasxu has joined #openstack-keystone15:49
-openstackstatus- NOTICE: We are currently investigating an issue with our AFS mirrors which is causing some projects jobs to fail. We are working to correct the issue.15:49
*** mvk has quit IRC15:53
*** jose-phi_ has quit IRC15:56
*** ngupta has quit IRC16:02
*** ngupta has joined #openstack-keystone16:03
lbragstadjohnthetubaguy sounds like you're making progress on the nova policy bits?16:12
lbragstadjohnthetubaguy I had my head in the sand trying to organize topics of the PTG16:12
johnthetubaguylbragstad: not sure about progress, splitting up the specs a bit16:12
lbragstadjohnthetubaguy cool - how are you planning on splitting it up? Do you have a general direction yet?16:13
*** spzala has joined #openstack-keystone16:13
*** ngupta has quit IRC16:16
*** ngupta has joined #openstack-keystone16:16
*** rcernin has quit IRC16:19
*** dims_ has quit IRC16:19
*** pcaruana has quit IRC16:20
*** dims has joined #openstack-keystone16:24
*** tqtran has joined #openstack-keystone16:25
*** v1k0d3n has quit IRC16:25
*** spzala has quit IRC16:26
*** v1k0d3n has joined #openstack-keystone16:28
*** pcaruana has joined #openstack-keystone16:34
*** ravelar has joined #openstack-keystone16:46
*** richm has joined #openstack-keystone16:50
*** dims has quit IRC16:51
*** spzala has joined #openstack-keystone16:54
*** dims has joined #openstack-keystone16:55
*** tesseract-RH has quit IRC16:55
lbragstaddstanek dolphm  looks like there is going to be some API-WG sessions on both monday and tuesday
lbragstaddstanek dolphm - it sounds like if any capability API discussion is had, it is going to be in those sessions16:57
*** pcaruana has quit IRC16:58
*** pcaruana has joined #openstack-keystone16:58
*** dims_ has joined #openstack-keystone17:06
*** dims has quit IRC17:07
dstaneklbragstad: yeah, i saw mention of that on the mailing list17:18
lbragstaddstanek cool17:18
-openstackstatus- NOTICE: AFS replication issue has been addressed. Mirrors are currently re-syncing and coming back online.17:19
lbragstaddstanek not sure if you'll be there that early - but I figured I'd drop it in here so that we could talk about it17:19
*** jperry has quit IRC17:23
*** jperry has joined #openstack-keystone17:24
johnthetubaguylbragstad: this is where I am currently thinking for staging things:
lbragstadjohnthetubaguy ok - is that spec something you're working in parallel to the pike goals specs?17:28
lbragstadjohnthetubaguy oh! nevermind, that's actually the same spec, you just renamed it17:29
johnthetubaguylbragstad: I was really meaning, take a look at the two dependent specs too17:29
johnthetubaguyyeah, its been split up17:29
johnthetubaguythe first one, once we have the details agreed, should be a no brainer17:29
johnthetubaguy(famous last words!)17:29
johnthetubaguythe second one I think is important, but I am not 100% happy with that myself17:30
lbragstadjohnthetubaguy exactly17:30
lbragstadjohnthetubaguy first == ?17:30
lbragstadsecond == ?17:30
johnthetubaguylbragstad: yeah17:30
lbragstadjohnthetubaguy ok - cool, just want to make sure I'm following17:30
lbragstadjohnthetubaguy sweet - i have all those starred so I'll be reviewing those at some point today17:31
johnthetubaguythe second one gets rid of is_admin_or_owner rules17:31
lbragstadjohnthetubaguy I also wanted to recap the notes from last weeks policy meeting (but I just haven't had the time yet)17:31
lbragstadjohnthetubaguy i'm still working with (policy in code)17:32
AdobemanI suppose it's good news that I have freeipa up and running, it's returning ldapsearch query.  I am following keith's blog on getting keystone to communicate with ipa, except the keystone part of the blog still appears to be version 2 (newton only really talks to v3)..17:32
johnthetubaguylbragstad: cool17:32
lbragstadjohnthetubaguy that one seems straight forward since nova has blazed the path there17:32
*** ayoung has quit IRC17:33
lbragstadjohnthetubaguy I want to follow up on though and possibly propose a second spec that takes sdague's idea into consideration17:33
lbragstadjohnthetubaguy it'd be interesting to compare the two side-by-side to see what they both have  in common and what-not17:33
johnthetubaguylbragstad: so that "second" spec is interesting, as it blew apart my original ideas for the policy rules17:34
johnthetubaguylbragstad: I am down to: is_global, observer, member, admin17:34
johnthetubaguywhere the is_global thing is a bit separate17:35
lbragstadjohnthetubaguy ah - so you're already ahead of the curve and working that perspective into your other specs?17:35
johnthetubaguylbragstad: adding the is_global idea really simplifies things17:35
*** mvk has joined #openstack-keystone17:38
dstaneklbragstad: i'm going to try to get there for tuesday discussions, but i doubt i'll be there monday as i don't have a room for that night17:38
lbragstaddstanek that makes sense17:39
johnthetubaguydstanek: I think I managed to capture your ideas in that chain of specs, somewhat anyways17:41
johnthetubaguyI may have mangled some of your ideas along the way too17:41
*** ayoung has joined #openstack-keystone17:43
*** ChanServ sets mode: +v ayoung17:43
*** pcaruana has quit IRC17:44
*** spilla has quit IRC17:45
dstanekjohnthetubaguy: nice, i'll take a look17:46
johnthetubaguydstanek: that second spec is a bit unclear right now, just noticed, pushing a new version in about 15mins17:46
*** spilla has joined #openstack-keystone17:46
*** lucasxu has quit IRC17:47
*** adrian_otto has joined #openstack-keystone17:48
*** david-lyle has joined #openstack-keystone17:58
*** spzala has quit IRC18:01
*** hrybacki has quit IRC18:06
*** david-lyle_ has joined #openstack-keystone18:08
*** jaosorior has quit IRC18:08
*** david-lyle has quit IRC18:09
*** david-lyle_ is now known as david-lyle18:12
*** lucasxu has joined #openstack-keystone18:19
*** ravelar has quit IRC18:30
*** hrybacki has joined #openstack-keystone18:45
*** cheran has joined #openstack-keystone19:05
*** Jack_V has quit IRC19:07
*** ravelar has joined #openstack-keystone19:08
*** ravelar has quit IRC19:12
*** MasterOfBugs has joined #openstack-keystone19:21
lbragstadrderose ping19:23
*** lamt has quit IRC19:32
*** lamt has joined #openstack-keystone19:37
rderoselbragstad: hi19:38
lbragstadrderose do you know if there was any additional things we needed to do in keystone in order for horizon to be able to consume ?19:40
lbragstadrderose did we agree to advertising that a user needed to be able to change their password somehow?19:41
rderoselbragstad: hmm... not that I recall. in fact, I remember us discuss this requirement with horizon19:42
lbragstadrderose yeah - that's what I thought, too19:42
lbragstadrderose but I can't seem to find any sort of decision as to "how" horizon would know to take a user through that flow?19:42
rderoselbragstad: the earlier version would set the password_expires_at to be expired, which is how we would indicate that the user was required to change their password19:45
rderosekind of lost sight of horizon integration with what got merged19:46
lbragstadsame here19:46
lbragstadkeystone has the bits to make it so that a user can change their password after an administrative reset19:47
rderoselbragstad: actually...19:47
rderoselbragstad: the password is still getting set to be expired19:47
rderoseso if the password is expired, show the change password screen19:47
lbragstadrderose how do we advertise that the password is expired?19:47
rderosepassword_expires_at attribute19:47
lbragstadrderose so then the only other thing they need to complete that flow is the new password that the administrator set?19:48
rderoselbragstad: the new password?19:49
lbragstadrderose i'm looking at line 1000 here - ?19:49
lbragstadrderose which I'm assuming would be communicated via something like an email or secure message of some sort?19:51
rderoselbragstad: to the user, yeah19:51
*** gk-1wm-su has joined #openstack-keystone19:51
rderoselbragstad: so admin reset, system emails user the password19:52
rderoseuser attempts logs in, unauthorized19:52
rderoselbragstad: horizon would need to make an API call to get user to get the passwords_expires_at attribute19:53
rderoseand if expired, allow the user to change it with the rest password19:53
rderose*reset password19:54
*** gk-1wm-su has quit IRC19:54
lbragstadrderose ah - so that's technically all doable today from a keystone perspective19:55
rderoselbragstad: yeah, but it would be nice to indicate during authentication that the password is expired19:55
rderosebut currently, horizon would need to make an extra api call to check if the password is expired19:56
lbragstadok - i think i'm following19:58
openstackgerritSean Dague proposed openstack/keystoneauth master: Make docs about interface less authoritative
lbragstadrderose if the user is unauthorized - how is horizon supposed to be able to do a get user call?20:00
david-lylelbragstad, rderose this is the WIP patch for horizon, has the underlying keystone implementation ? and the expiry is not in the token?20:01
rderoselbragstad: in the earlier version, we allowed the user to login (first use) and then set the password to be expired.  so the password_expires_at attribute was in the token.20:01
david-lyleI guess we're just doing a before the fact check20:01
david-lylenot after20:01
rderoselbragstad: with the current version, we set the password to be expired during admin reset or user create20:01
*** ravelar has joined #openstack-keystone20:02
*** nkinder has quit IRC20:02
rderosedavid-lyle: yeah, the password is already expired, so it would not be in the token because it would fail auth20:02
lbragstadrderose so - after the admin resets a user's password, how is horizon supposed to get a token to get the user?20:02
rderoselbragstad: can horizon get it with the service token?20:03
lbragstadrderose horizon doesn't have a service token, there is no horizon user20:04
rderoselbragstad: hmm... that's a problem then20:04
*** cheran has quit IRC20:05
lbragstadrderose yeah20:05
rderoselbragstad: I should have stuck with my first approach :)20:05
lbragstadrderose I was working through the horizon+keystone stuff and i'm trying to summarize the current state of things20:06
rderoselbragstad: gotcha20:06
rderoselbragstad: we should log a bug for this20:06
lbragstadrderose weren't we just talking about something that could fix this?20:06
*** ravelar has quit IRC20:06
lbragstadrderose like more detailed error messages?20:07
lbragstadrderose or error codes?20:07
rderoselbragstad: yeah, a specific error code would fix it20:07
lbragstadlike KSXXXXX20:07
rderoselbragstad: right, just something to tell horizon that the password is expired20:07
lbragstador whatever the implementation is - it would technically mean 401 due to expired password20:07
lbragstadrderose ok - i'm updating
rderoselbragstad: cool20:08
lbragstad(starting at line 90)20:08
lbragstadI'll have to remember to bring this up in the weekly meeting with horizon if we have one this week20:09
*** spzala has joined #openstack-keystone20:09
rderoselbragstad: sounds good20:10
*** nkinder has joined #openstack-keystone20:16
lbragstaddavid-lyle quick question for you if you're still here20:18
lbragstaddavid-lyle do you know if horizon has proposed patches to pull password requirements from keystone?20:18
*** Jack_V has joined #openstack-keystone20:18
lbragstadif those aren't up for review yet thats fine, i just want to make sure we have them tracked somewhere if they are20:19
lbragstadjohnthetubaguy fwiw - i threw us up on the policy meeting agenda to go over your specs (
david-lylelbragstad: not that I'm aware of20:23
lbragstaddavid-lyle ok - awesome. thanks for the confirmation20:23
*** adrian_otto has quit IRC20:26
*** Jack_V has quit IRC20:28
lbragstadbreton around? curious if there is a follow up here at line 175 -
*** ravelar has joined #openstack-keystone20:56
bretonlbragstad: nothing to follow up on. All was done there.20:57
lbragstadbreton cool - thanks for confirming20:58
bretonlbragstad: the only thing not done is from 173. Client part is still not in.20:58
lbragstadListing won't work?20:59
lbragstadbreton as in the client isn't able to browse LDAP users?21:00
*** ravelar has quit IRC21:01
*** jamielennox|away is now known as jamielennox21:02
*** ravelar has joined #openstack-keystone21:03
*** nkinder has quit IRC21:10
*** phalmos has joined #openstack-keystone21:20
*** pnavarro has quit IRC21:21
morganlbragstad: want to see how dumb keystoneclient is?21:24
morganlbragstad: look at how much mocking is needed to create/list/delete users
morganthe fact that it does a list to get the id and then a get of the id, but all the info was already in the list....21:24
*** pramodrj07 has joined #openstack-keystone21:28
*** phalmos_ has joined #openstack-keystone21:29
*** pramodrj07 has quit IRC21:30
*** pramodrj07 has joined #openstack-keystone21:30
*** MasterOfBugs has quit IRC21:32
*** pramodrj07 has quit IRC21:32
*** MasterOfBugs has joined #openstack-keystone21:32
*** phalmos has quit IRC21:33
*** dave-mccowan has quit IRC21:36
lbragstadmorgan hmm - i'm trying to figure out if some of the things marked as "done" on the keystone+horizon list are actually done or not21:39
* morgan goes back to making requests_mock use in shade a thing21:40
*** phalmos_ has quit IRC21:41
*** mriedem has joined #openstack-keystone21:48
mriedemlbragstad: someone threw "Centralized quota limits storage in keystone" in the nova ptg etherpad as a topic, are you guys going to be talking about that at the ptg?21:49
lbragstadmriedem that is a topic we have on ours too -
lbragstaditem #1621:49
lbragstadit was a carry over topic from the last summit that we didn't get consensus on21:50
mriedemso something you'll likely talk about on wed or thursday?21:50
lbragstadmriedem probably - I don't think it needs to be on the top of our list, but we can carve time out for it21:50
lbragstadit's also a proposed spec that we've had in review for quite a while - so I'd like to make some ground on at least figuring out what to do with it21:51
mriedemok, garbage time on thursday afternoon it is21:51
lbragstadsweet -21:51
lbragstadmriedem do you know if there are rooms available or if we need to fit things into a schedule?21:52
lbragstador does each project just get a room to work in for 3 days?21:52
mriedem ?21:52
mriedemi think that's what that is for21:52
mriedembut it looks like it's down21:52
lbragstadhuh - yep same here21:53
lbragstadmriedem are you planning on time-boxing the sessions? specifically the ones for cross-project discussion?21:54
lbragstadlike the typical 40 minute time slot per topic?21:54
mriedemour nova/cinder one is boxed21:54
mriedemhonestly the scheduling here is a giant clusterf*ck21:55
* lbragstad nods21:55
mriedemi want to gouge my eyes out when i look at our etherpad21:55
mriedembut i'm trying to organize it21:55
lbragstadsame here21:55
mriedemlike laura's house when i moved in...21:55
mriedemmy plan is to slot chunks of time for bigger things, and then we'll just fill in with the randoms when we have time21:56
lbragstadi'd like to know if we have to hold to a schedule of some sort21:56
mriedemthis schedule is what you make of it, from what i can tell21:56
*** phalmos has joined #openstack-keystone21:56
mriedemthere are some common rooms you can try to sign up for if you want, but if we have our own room then i'm not sure why we couldn't just do a thing in one or the other21:56
mriedemlike at the design summit21:56
mriedemunless by room they mean closet21:56
lbragstadwell - if a have just one big room for a specific project then the schedule becomes pretty each21:57
lbragstadi'm just not sure if we have to switch rooms to go to different places, like previous design summits21:57
lbragstadlike, having a dedicated session for client stuff in room XYZ and a dedicated session for operator feedback in ABC, etc...21:58
*** lucasxu has quit IRC21:58
lbragstadbecause I think that technically determines the "topics" we have (?)21:58
*** phalmos has quit IRC21:58
mriedemthat's monday and tuesday from what i gather21:59
mriedemfor horizontal teams and workgroups22:00
mriedemthe rest of the week, or anytime maybe, you can sign up for a time slot in a common room22:00
mriedemfor xp things22:00
lbragstadhmm - ok22:00
lbragstadgood to know22:00
mriedemremember, this is the blind leading the blind here22:00
mriedemso don't trust me22:00
mriedemjust don't mess it up as your first time being PTL, everyone is watching22:01
mriedemand judging22:01
* lbragstad starts sweating even more22:01
*** edmondsw has quit IRC22:02
lbragstadmriedem ok - well we know we'll have some time to go through quota stuff on Thursday (afternoon?)22:02
lbragstad40 minutes?22:02
mriedemum sure22:02
*** spilla has quit IRC22:03
lbragstadmriedem where is your etherpad?22:03
*** thorst_ has quit IRC22:03
*** edmondsw has joined #openstack-keystone22:04
mriedemlbragstad: it's fluid22:05
mriedemi'm just trying to group things together right now22:05
lbragstadmriedem same - thanks for the link22:06
*** phalmos has joined #openstack-keystone22:06
*** edmondsw has quit IRC22:08
*** catintheroof has quit IRC22:20
*** ngupta has quit IRC22:26
*** ngupta has joined #openstack-keystone22:27
*** ngupta has quit IRC22:32
*** ngupta has joined #openstack-keystone22:32
*** thorst_ has joined #openstack-keystone22:33
*** martinlopes has joined #openstack-keystone22:35
*** lucasxu has joined #openstack-keystone22:35
*** ravelar has quit IRC22:35
*** martinlopes has quit IRC22:36
*** thorst_ has quit IRC22:38
*** ngupta has quit IRC22:40
*** jaugustine has quit IRC22:42
*** dhellmann has left #openstack-keystone22:43
*** lamt has quit IRC22:43
*** lamt has joined #openstack-keystone22:45
*** lamt has quit IRC22:46
*** martinlopes has joined #openstack-keystone22:46
*** martinlopes has quit IRC22:51
*** lamt has joined #openstack-keystone22:53
*** jperry has quit IRC22:55
*** thorst_ has joined #openstack-keystone23:01
*** mriedem is now known as mriedem_afk23:02
*** mriedem_afk has left #openstack-keystone23:02
*** lucasxu has quit IRC23:02
*** lucasxu has joined #openstack-keystone23:02
*** dhellmann has joined #openstack-keystone23:04
*** lamt has quit IRC23:04
*** lamt has joined #openstack-keystone23:04
*** dhellmann has quit IRC23:05
*** gk--1wm- has joined #openstack-keystone23:05
*** gk--1wm- has left #openstack-keystone23:05
*** lamt has quit IRC23:07
*** lamt has joined #openstack-keystone23:08
*** jamielennox is now known as jamielennox|away23:15
*** phalmos has quit IRC23:15
*** jamielennox|away is now known as jamielennox23:20
*** phalmos has joined #openstack-keystone23:22
*** spzala has quit IRC23:22
*** lucasxu has quit IRC23:28
*** ngupta has joined #openstack-keystone23:30
*** esp has joined #openstack-keystone23:33
*** nkinder has joined #openstack-keystone23:35
*** phalmos has quit IRC23:39
*** rerobot is now known as redrobot23:43
*** MasterOfBugs has quit IRC23:46
*** lamt has quit IRC23:48
*** lamt has joined #openstack-keystone23:49
*** edmondsw has joined #openstack-keystone23:50
*** edmondsw has quit IRC23:51
*** edmondsw has joined #openstack-keystone23:51
*** spzala has joined #openstack-keystone23:52
*** catintheroof has joined #openstack-keystone23:55
*** spzala has quit IRC23:56