*** ChanServ sets mode: +o stevemar | 00:00 | |
*** thorst_ has joined #openstack-keystone | 00:02 | |
*** jamielennox_ has joined #openstack-keystone | 00:02 | |
*** thorst_ has quit IRC | 00:02 | |
*** ngupta has quit IRC | 00:02 | |
*** jamielennox_ is now known as jamielennox | 00:06 | |
*** ChanServ sets mode: +v jamielennox | 00:06 | |
*** hyakuhei has joined #openstack-keystone | 00:06 | |
*** lamt has quit IRC | 00:08 | |
*** rm_work| is now known as rm_work | 00:11 | |
*** rm_work has joined #openstack-keystone | 00:11 | |
*** martinlopes has joined #openstack-keystone | 00:22 | |
*** catintheroof has quit IRC | 00:29 | |
*** esp has joined #openstack-keystone | 00:33 | |
*** esp has quit IRC | 00:40 | |
*** Guest3904 is now known as medberry | 00:43 | |
*** medberry has quit IRC | 00:43 | |
*** medberry has joined #openstack-keystone | 00:43 | |
*** medberry is now known as med_ | 00:43 | |
*** tovin07_ has quit IRC | 00:46 | |
*** bkudryavtsev has joined #openstack-keystone | 00:53 | |
*** hoangcx has joined #openstack-keystone | 01:05 | |
*** guoshan has joined #openstack-keystone | 01:06 | |
*** thorst_ has joined #openstack-keystone | 01:10 | |
*** thorst_ has quit IRC | 01:10 | |
*** thiagolib has joined #openstack-keystone | 01:11 | |
*** martinlopes has quit IRC | 01:13 | |
*** lucasxu has joined #openstack-keystone | 01:21 | |
*** liujiong has joined #openstack-keystone | 01:23 | |
*** MasterOfBugs has quit IRC | 01:26 | |
openstackgerrit | OpenStack Proposal Bot proposed openstack/python-keystoneclient master: Updated from global requirements https://review.openstack.org/431900 | 01:35 |
---|---|---|
*** tovin07 has joined #openstack-keystone | 01:41 | |
*** thorst_ has joined #openstack-keystone | 01:44 | |
*** liujiong has quit IRC | 01:51 | |
*** liujiong has joined #openstack-keystone | 01:51 | |
*** thorst_ has quit IRC | 02:03 | |
*** bkudryavtsev has quit IRC | 02:20 | |
*** thorst_ has joined #openstack-keystone | 02:24 | |
*** lucasxu has quit IRC | 02:25 | |
*** thorst_ has joined #openstack-keystone | 02:25 | |
*** thorst_ has quit IRC | 02:29 | |
*** ngupta has joined #openstack-keystone | 02:30 | |
*** thorst_ has joined #openstack-keystone | 02:31 | |
*** thorst_ has quit IRC | 02:36 | |
*** browne1 has quit IRC | 02:39 | |
*** tqtran has quit IRC | 02:45 | |
*** dikonoor has joined #openstack-keystone | 02:56 | |
*** ravelar1 has joined #openstack-keystone | 03:01 | |
*** edmondsw has joined #openstack-keystone | 03:02 | |
*** markvoelker_ has joined #openstack-keystone | 03:02 | |
*** edmondsw has quit IRC | 03:02 | |
*** edmondsw has joined #openstack-keystone | 03:03 | |
*** esp_ has joined #openstack-keystone | 03:03 | |
*** ngupta_ has joined #openstack-keystone | 03:03 | |
*** waj334_ has joined #openstack-keystone | 03:04 | |
*** robcresswell_ has joined #openstack-keystone | 03:04 | |
*** boris-42_ has joined #openstack-keystone | 03:04 | |
*** nikhil_ has joined #openstack-keystone | 03:05 | |
*** nikhil_ is now known as Guest16200 | 03:05 | |
*** tonyb_ has joined #openstack-keystone | 03:06 | |
*** serverascode_ has joined #openstack-keystone | 03:06 | |
*** dmellado_ has joined #openstack-keystone | 03:06 | |
*** _d34dh0r53_ has joined #openstack-keystone | 03:06 | |
*** sudorandom_ has joined #openstack-keystone | 03:06 | |
*** edmondsw has quit IRC | 03:07 | |
*** martinus__ has quit IRC | 03:07 | |
*** nikhil has quit IRC | 03:07 | |
*** sudorandom has quit IRC | 03:07 | |
*** dmellado has quit IRC | 03:07 | |
*** david_cu has quit IRC | 03:07 | |
*** waj334 has quit IRC | 03:07 | |
*** serverascode has quit IRC | 03:07 | |
*** Tahvok has quit IRC | 03:07 | |
*** markvoelker has quit IRC | 03:07 | |
*** boris-42 has quit IRC | 03:07 | |
*** Mech422 has quit IRC | 03:07 | |
*** ngupta has quit IRC | 03:07 | |
*** ravelar has quit IRC | 03:07 | |
*** tonyb has quit IRC | 03:07 | |
*** robcresswell has quit IRC | 03:07 | |
*** lbragstad has quit IRC | 03:07 | |
*** d34dh0r53 has quit IRC | 03:07 | |
*** Mech422 has joined #openstack-keystone | 03:07 | |
*** sudorandom_ is now known as sudorandom | 03:07 | |
*** martinus- has joined #openstack-keystone | 03:07 | |
*** waj334_ is now known as waj334 | 03:07 | |
*** Tahvok has joined #openstack-keystone | 03:08 | |
*** lbragstad has joined #openstack-keystone | 03:08 | |
*** ChanServ sets mode: +v lbragstad | 03:08 | |
*** robcresswell_ is now known as robcresswell | 03:09 | |
*** Guest16200 is now known as nikhil | 03:09 | |
*** thorst_ has joined #openstack-keystone | 03:10 | |
*** thorst_ has quit IRC | 03:11 | |
*** aasthad has quit IRC | 03:13 | |
*** serverascode_ is now known as serverascode | 03:18 | |
*** jaosorior has joined #openstack-keystone | 03:19 | |
*** tonyb_ is now known as tonyb | 03:21 | |
*** esp_ has quit IRC | 03:31 | |
*** ngupta_ has quit IRC | 03:37 | |
*** thorst_ has joined #openstack-keystone | 03:37 | |
*** thorst_ has quit IRC | 03:37 | |
*** ngupta has joined #openstack-keystone | 03:37 | |
*** ngupta has quit IRC | 03:41 | |
*** dikonoor has quit IRC | 03:43 | |
*** guoshan has quit IRC | 03:59 | |
openstackgerrit | Merged openstack/python-keystoneclient master: Updated from global requirements https://review.openstack.org/431900 | 04:00 |
*** ngupta has joined #openstack-keystone | 04:01 | |
*** nicolasbock has quit IRC | 04:06 | |
*** thiagolib has quit IRC | 04:11 | |
openstackgerrit | Lance Bragstad proposed openstack/keystone-specs master: Policy in code https://review.openstack.org/428453 | 04:21 |
lbragstad | ravelar1 rderose ^ comments have been addressed - thanks for the reviews! | 04:21 |
ravelar1 | lbragstad just a small typo where you made the change lol | 04:28 |
openstackgerrit | Lance Bragstad proposed openstack/keystone-specs master: Define a richer policy by default https://review.openstack.org/428454 | 04:31 |
openstackgerrit | Lance Bragstad proposed openstack/keystone-specs master: Policy in code https://review.openstack.org/428453 | 04:31 |
lbragstad | ravelar1 ah - nice catch! done ^ | 04:31 |
*** links has joined #openstack-keystone | 04:34 | |
lbragstad | ravelar1 johnthetubaguy has proposed a couple specs the build on the work we were talking about earlier today - https://review.openstack.org/#/c/433010/5 | 04:36 |
*** thorst_ has joined #openstack-keystone | 04:38 | |
*** lucasxu has joined #openstack-keystone | 04:39 | |
lbragstad | s/the/that/ | 04:40 |
*** thorst_ has quit IRC | 04:43 | |
*** guoshan has joined #openstack-keystone | 04:50 | |
ravelar1 | lbragstad ha no problem it is late. And sweet, saved to book mark to discuss with anthony | 04:52 |
*** rdo has quit IRC | 04:53 | |
lbragstad | ravelar1 awesome - just fyi but those are the next steps nova is vetting for their policy story | 04:53 |
*** wllabs has joined #openstack-keystone | 04:54 | |
wllabs | hello, everybody. | 04:54 |
*** nkinder has joined #openstack-keystone | 05:02 | |
*** adriant has quit IRC | 05:07 | |
*** guoshan has quit IRC | 05:29 | |
*** v1k0d3n has quit IRC | 05:31 | |
*** guoshan has joined #openstack-keystone | 05:44 | |
*** tqtran has joined #openstack-keystone | 05:44 | |
*** tqtran has quit IRC | 05:49 | |
*** gyee has quit IRC | 05:58 | |
*** dikonoor has joined #openstack-keystone | 06:03 | |
*** lucasxu has quit IRC | 06:16 | |
*** pcaruana has joined #openstack-keystone | 06:20 | |
*** rdo has joined #openstack-keystone | 06:25 | |
*** ngupta has quit IRC | 06:33 | |
*** ngupta has joined #openstack-keystone | 06:33 | |
*** ngupta has quit IRC | 06:38 | |
*** ravelar1 has quit IRC | 06:39 | |
*** thorst_ has joined #openstack-keystone | 06:39 | |
*** wllabs has quit IRC | 06:42 | |
*** wllabs has joined #openstack-keystone | 06:43 | |
*** richm has quit IRC | 06:43 | |
*** thorst_ has quit IRC | 06:43 | |
*** rcernin has joined #openstack-keystone | 07:07 | |
*** tesseract has joined #openstack-keystone | 07:31 | |
*** tqtran has joined #openstack-keystone | 07:46 | |
*** tqtran has quit IRC | 07:50 | |
*** masterjcool has quit IRC | 08:00 | |
*** masterjcool has joined #openstack-keystone | 08:12 | |
*** links has quit IRC | 08:36 | |
*** thorst_ has joined #openstack-keystone | 08:40 | |
*** thorst_ has quit IRC | 08:44 | |
*** links has joined #openstack-keystone | 08:53 | |
*** zzzeek has quit IRC | 09:00 | |
*** zzzeek has joined #openstack-keystone | 09:00 | |
*** cmurphy has quit IRC | 09:16 | |
*** cmurphy has joined #openstack-keystone | 09:16 | |
*** links has quit IRC | 09:26 | |
*** links has joined #openstack-keystone | 09:43 | |
*** mdavidson has joined #openstack-keystone | 09:54 | |
*** hyakuhei has quit IRC | 10:01 | |
*** hyakuhei has joined #openstack-keystone | 10:01 | |
*** hyakuhei has quit IRC | 10:01 | |
*** hyakuhei has joined #openstack-keystone | 10:01 | |
*** guoshan has quit IRC | 10:10 | |
*** liujiong has quit IRC | 10:21 | |
*** hoangcx has quit IRC | 10:39 | |
*** thorst_ has joined #openstack-keystone | 10:41 | |
*** mvk has quit IRC | 10:43 | |
*** thorst_ has quit IRC | 10:46 | |
*** nicolasbock has joined #openstack-keystone | 11:02 | |
*** richm has joined #openstack-keystone | 11:14 | |
breton | lbragstad: any followup on https://review.openstack.org/#/c/429047/ ? | 11:15 |
*** mvk has joined #openstack-keystone | 11:15 | |
*** edmondsw has joined #openstack-keystone | 11:28 | |
*** edmondsw has quit IRC | 11:32 | |
*** v1k0d3n has joined #openstack-keystone | 11:32 | |
*** thiagolib has joined #openstack-keystone | 11:57 | |
*** raildo has joined #openstack-keystone | 12:02 | |
*** catintheroof has joined #openstack-keystone | 12:36 | |
*** thorst_ has joined #openstack-keystone | 12:38 | |
*** edmondsw has joined #openstack-keystone | 13:23 | |
*** prashkre has joined #openstack-keystone | 13:23 | |
*** edmondsw has quit IRC | 13:25 | |
*** edmondsw has joined #openstack-keystone | 13:25 | |
*** lamt has joined #openstack-keystone | 13:45 | |
*** lamt has quit IRC | 13:49 | |
*** spilla has joined #openstack-keystone | 13:57 | |
robcresswell | lbragstad: I'll be around today till about 2100 UTC if you want to talk PTG | 14:07 |
lbragstad | robcresswell I'm assuming we're going to do a cross-project session for horizon and keystone, are there any times that you've already committed to? | 14:12 |
*** lamt has joined #openstack-keystone | 14:20 | |
robcresswell | lbragstad: Our schedule is pretty open | 14:21 |
robcresswell | lbragstad: (sorry, had a meeting just then) | 14:21 |
robcresswell | lbragstad: I haven't assigned times to anything yet, so we can work around Keystone happily. | 14:22 |
*** jperry has joined #openstack-keystone | 14:24 | |
lbragstad | robcresswell awesome - wanna shoot for an hour on wednesday afternoon? | 14:24 |
*** mvk has quit IRC | 14:25 | |
lbragstad | robcresswell and do you think there will be more or less than 20 people in attendance? | 14:25 |
robcresswell | lbragstad: Oh interesting, I assumed keystone would be a horizontal. So we're Mon/Tue. | 14:25 |
robcresswell | lbragstad: Less then 20. | 14:25 |
lbragstad | robcresswell do you know if there is going to be anyone around from horizon on wednesday? | 14:26 |
lbragstad | all keystone tracks are wednesday - friday? | 14:26 |
lbragstad | s/?// | 14:27 |
robcresswell | lbragstad: I don't know the status of the others, but I'll be around. I would imagine david-lyle will be too. | 14:27 |
*** dmellado_ is now known as dmellado | 14:27 | |
robcresswell | lbragstad: btw whats your tz? I forgot :/ | 14:28 |
lbragstad | UTC -6 | 14:28 |
lbragstad | or Central Standard Time | 14:28 |
lbragstad | robcresswell I know most the keystone folks are getting in late tuesday or early wednesday, should we still plan on having something on wednesday afternoon in hopes there will at least be a couple horizon folks around? | 14:29 |
*** Krenair has quit IRC | 14:30 | |
*** links has quit IRC | 14:31 | |
robcresswell | lbragstad: Yeah sure | 14:31 |
*** lamt has quit IRC | 14:32 | |
lbragstad | robcresswell sweet I have it on the schedule from 2:30 - 3:30 on Wednesday in Savannah | 14:32 |
robcresswell | lbragstad: Sounds good | 14:33 |
breton | lbragstad: we should also talk to Heat about the issue with trusts btw | 14:36 |
breton | lbragstad: any idea when? | 14:36 |
* breton missed all ptg planning | 14:36 | |
*** Krenair has joined #openstack-keystone | 14:37 | |
*** chlong has quit IRC | 14:37 | |
lbragstad | breton yeah - i have that listed as one of our topics | 14:38 |
lbragstad | breton i think i have that tentatively scheduled for thursday afternoon | 14:39 |
lbragstad | ricolin has been contacting me about it | 14:39 |
*** mvk has joined #openstack-keystone | 14:39 | |
dstanek | lbragstad: i just responded to a ML thread about bringing back PKI tokens | 14:45 |
lbragstad | dstanek nice - i was just about to start drafting something | 14:45 |
lbragstad | dstanek i wanted to ask a bit more about their caching setup | 14:45 |
lbragstad | dstanek and how large their catalog was | 14:46 |
dstanek | lbragstad: the test uses nocatalog | 14:47 |
*** lamt has joined #openstack-keystone | 14:49 | |
lbragstad | dstanek do you happen to remember all the caching issues we fixed as a result of fernet? | 14:52 |
*** lamt has quit IRC | 14:56 | |
*** lamt has joined #openstack-keystone | 14:56 | |
*** lucasxu has joined #openstack-keystone | 14:57 | |
*** adrian_otto has joined #openstack-keystone | 15:00 | |
dstanek | lbragstad: nope. did we have issues caching fernet? | 15:00 |
lbragstad | dstanek not fernet specifically - but caching issues in general | 15:01 |
lbragstad | fernet just exposed some of those issues | 15:01 |
*** chris_hultin|AWA is now known as chris_hultin | 15:02 | |
*** haplo37_ has quit IRC | 15:03 | |
*** ngupta has joined #openstack-keystone | 15:04 | |
*** chris_hultin is now known as chris_hultin|AWA | 15:04 | |
*** dikonoo has joined #openstack-keystone | 15:05 | |
*** chris_hultin|AWA is now known as chris_hultin | 15:06 | |
*** haplo37_ has joined #openstack-keystone | 15:06 | |
dstanek | lbragstad: i don't remember token issues, but that doesn't mean there weren't any over the last year. they are using mitaka to test i think. | 15:07 |
*** mvk has quit IRC | 15:07 | |
lbragstad | dstanek yeah - I thought we had some issues somewhere related to caching | 15:08 |
* lbragstad has to go dig | 15:08 | |
*** dikonoor has quit IRC | 15:08 | |
*** jaosorior has quit IRC | 15:09 | |
*** jaosorior has joined #openstack-keystone | 15:10 | |
*** nkinder has quit IRC | 15:19 | |
*** mvk has joined #openstack-keystone | 15:19 | |
*** lamt has quit IRC | 15:23 | |
*** adrian_otto has quit IRC | 15:27 | |
*** dikonoor has joined #openstack-keystone | 15:28 | |
*** adrian_otto has joined #openstack-keystone | 15:28 | |
*** lamt has joined #openstack-keystone | 15:29 | |
*** dikonoo has quit IRC | 15:32 | |
*** aasthad has joined #openstack-keystone | 15:49 | |
openstackgerrit | Lance Bragstad proposed openstack/keystone-specs master: Policy in code https://review.openstack.org/428453 | 15:50 |
lbragstad | antwash rderose ^ | 15:50 |
*** ngupta has quit IRC | 15:51 | |
*** ngupta has joined #openstack-keystone | 15:52 | |
*** ngupta has quit IRC | 15:52 | |
*** ngupta has joined #openstack-keystone | 15:52 | |
*** nkinder has joined #openstack-keystone | 15:53 | |
lbragstad | ping antwash, raildo, ktychkova, dolphm, dstanek, rderose, htruta, atrmr, gagehugo, lamt, thinrichs, edmondsw, ruan, ayoung, stevemar, ravelar, morgan, raj_singh | 16:01 |
lbragstad | policy meeting in #openstack-meeting-cp for those interested! | 16:01 |
lbragstad | cc johnthetubaguy | 16:01 |
*** chlong has joined #openstack-keystone | 16:04 | |
*** thorst_ has quit IRC | 16:08 | |
*** mvk has quit IRC | 16:08 | |
*** thorst_ has joined #openstack-keystone | 16:09 | |
breton | lbragstad: https://etherpad.openstack.org/p/heat-pike-ptg-sessions | 16:09 |
breton | lbragstad: heat plans to have it thursday morning | 16:09 |
lbragstad | breton yep - i schedule it with them in their weekly meeting | 16:09 |
breton | lbragstad: perfect | 16:10 |
*** morgan_ is now known as morgan | 16:10 | |
*** dikonoor has quit IRC | 16:10 | |
breton | lbragstad: thanks for doing it, i dropped a ball with it | 16:11 |
lbragstad | breton no worries - the scheduling in kinda hectic right now | 16:11 |
lbragstad | I want to try and have something a little more official (schedule-wise) by the end of the day | 16:11 |
*** ravelar has joined #openstack-keystone | 16:14 | |
*** erhudy has joined #openstack-keystone | 16:14 | |
*** agrebennikov has joined #openstack-keystone | 16:15 | |
*** prashkre has quit IRC | 16:15 | |
openstackgerrit | ayoung proposed openstack/keystone master: Refactor Authorization: https://review.openstack.org/387161 | 16:19 |
openstackgerrit | ayoung proposed openstack/keystone master: Refactor is_admin https://review.openstack.org/387710 | 16:20 |
openstackgerrit | ayoung proposed openstack/keystone master: Add is_admin_project check to policy.json https://review.openstack.org/257636 | 16:20 |
*** agrebennikov has quit IRC | 16:23 | |
*** browne has joined #openstack-keystone | 16:34 | |
*** thorst_ has quit IRC | 16:38 | |
*** adrian_otto has quit IRC | 16:39 | |
*** rcernin has quit IRC | 16:43 | |
*** thorst_ has joined #openstack-keystone | 16:49 | |
*** tqtran has joined #openstack-keystone | 16:55 | |
*** esp has joined #openstack-keystone | 16:57 | |
*** tesseract has quit IRC | 16:58 | |
*** adrian_otto has joined #openstack-keystone | 16:59 | |
dstanek | johnthetubaguy: does nova have an api implemented for policy discovery? | 17:04 |
edmondsw | dstanek not today | 17:05 |
dstanek | edmondsw: so as a deployer you still generate a policy file for horizon? | 17:06 |
lbragstad | to me that sounds like something that will go hand in hand with the capability api | 17:06 |
lbragstad | (or the capability api could build on it?) | 17:06 |
*** ngupta has quit IRC | 17:06 | |
edmondsw | dstanek I don't actually use horizon | 17:06 |
edmondsw | but I would assume so | 17:06 |
*** mvk has joined #openstack-keystone | 17:07 | |
dstanek | lbragstad: yep, i'd think so | 17:07 |
*** ngupta has joined #openstack-keystone | 17:07 | |
edmondsw | lbragstad ++ | 17:07 |
dstanek | edmondsw: yeah, it wasn't immediately obvious is the generate sample config would include overrides or is there was a new way to do that | 17:08 |
edmondsw | dstanek good question... I haven't played with that | 17:09 |
dstanek | antwash: ravelar: something to look into ^ | 17:10 |
*** dikonoor has joined #openstack-keystone | 17:10 | |
*** tqtran has quit IRC | 17:11 | |
lbragstad | looks like oslopolilcy does all the generation | 17:11 |
dstanek | lbragstad: is there a new way to include the overrides? | 17:15 |
*** d0ugal has quit IRC | 17:16 | |
* dstanek thinks it's time for lunch | 17:18 | |
lbragstad | dstanek in the policy file? | 17:18 |
lbragstad | dstanek er - in the generated policy file? | 17:18 |
lbragstad | dstanek i thought so | 17:18 |
lbragstad | i'm having trouble finding the nova/oslo command for it though | 17:19 |
dstanek | lbragstad: same trouble i was having :-) | 17:19 |
lbragstad | cc johnthetubaguy ? ^ | 17:19 |
johnthetubaguy | sorry, which thing you looking for | 17:20 |
johnthetubaguy | does https://docs.openstack.org/developer/oslo.policy/usage.html help? | 17:20 |
johnthetubaguy | the policy file just becomes overrides only | 17:21 |
johnthetubaguy | so no file at all by default | 17:21 |
dstanek | johnthetubaguy: how do you generate a full policy for horizon that has the defaults and overrides? | 17:21 |
johnthetubaguy | why does horizon need that? | 17:22 |
*** ngupta has quit IRC | 17:22 | |
*** ngupta has joined #openstack-keystone | 17:22 | |
johnthetubaguy | oslopolicy-policy-generator --namespace nova --output-file policy-merged.yaml | 17:22 |
dstanek | johnthetubaguy: i thought we still needed to deploy policy files so i knew how to display stuff | 17:22 |
johnthetubaguy | I think is what you want | 17:22 |
johnthetubaguy | dstanek: thats news to me, not heard about that | 17:23 |
dstanek | johnthetubaguy: cool, thanks. i'll play around with that | 17:23 |
johnthetubaguy | actually it tweaks a distant memory about what horizon was wanting that for now | 17:24 |
*** chlong has quit IRC | 17:24 | |
dstanek | when you deploy horizon you had project policy defaults for nova, keystone, glance and others in the conf directory. i had to change the keystone one when i use the cloud policy sample on keystone. | 17:25 |
dstanek | david-lyle: ^ that's still the case right? | 17:25 |
johnthetubaguy | so if its just the defaults, the generator should give you the default file | 17:27 |
johnthetubaguy | the merge should let you look at overrides + the defaults in the code | 17:28 |
dstanek | johnthetubaguy: from what i understood the policies had to match. so you have you some overrides then they'd have to make it into the horizon copy as well | 17:28 |
johnthetubaguy | just reminds me how much we need to get the capabilities API sorted | 17:28 |
robcresswell | dstanek: Yeah, Horizon still needs updated policy files if you want it to accurately display/hide what a user can do. | 17:28 |
dstanek | ++ | 17:28 |
johnthetubaguy | OK, sounds like you need the merge one then | 17:28 |
johnthetubaguy | :( | 17:29 |
dstanek | robcresswell: thx | 17:29 |
johnthetubaguy | must get the capabilities API sorted | 17:29 |
robcresswell | Is there a common policy API or anything yet? My understand was that it didnt exist | 17:29 |
dstanek | something to document as we change policy to be in code | 17:29 |
robcresswell | johnthetubaguy: +lots | 17:29 |
dstanek | robcresswell: not yet | 17:29 |
robcresswell | Horizon could drop 3/4 of its config if we had an API to see what User X can or cant do | 17:30 |
robcresswell | its nearly all just duplication. | 17:30 |
*** d0ugal has joined #openstack-keystone | 17:30 | |
*** d0ugal has quit IRC | 17:30 | |
*** d0ugal has joined #openstack-keystone | 17:30 | |
johnthetubaguy | robcresswell: is there a good bit in the horizon code to look for the list of questions you need answering? | 17:31 |
*** thiagolib has quit IRC | 17:31 | |
robcresswell | johnthetubaguy: https://docs.openstack.org/developer/horizon/topics/settings.html#openstack-neutron-network | 17:32 |
robcresswell | johnthetubaguy: We have dozens of those kinds of settings | 17:32 |
robcresswell | johnthetubaguy: If you just search the settings doc for a service name you'll find a lot of settings that should really be API controlled on login. | 17:33 |
robcresswell | johnthetubaguy: Same situation with policy, we just use copies of the files to control what a user can or cant see. | 17:33 |
lbragstad | ravelar antwash this seems like it would be the next logical step after moving policy into code - https://review.openstack.org/#/c/433010 | 17:35 |
*** jaosorior has quit IRC | 17:35 | |
* antwash adds link to 1000 tabs opened already haha | 17:36 | |
*** nkinder has quit IRC | 17:37 | |
robcresswell | lbragstad: Not just operators, that'd be pretty useful for Horizon too. I dislike digging through service code to find out which policy rules do what :( | 17:37 |
lbragstad | robcresswell ++ | 17:38 |
lbragstad | so far, i think regardless of the overall direction we take on policy, we can agree on two things. 1.) move policy into code 2.) provide well written descriptions for each policy, describing *exactly* what it does | 17:39 |
* lbragstad shamelessly stole that from johnthetubaguy | 17:39 | |
antwash | lbragstad : lets use this https://etherpad.openstack.org/p/policy_links :) | 17:41 |
lbragstad | antwash if that helps you and ravelar stay organized, go for it :) | 17:42 |
*** d0ugal has quit IRC | 17:42 | |
antwash | lbragstad : yeah centralized location for a lot of information lol | 17:42 |
*** prashkre has joined #openstack-keystone | 17:43 | |
lbragstad | grabbing lunch | 17:54 |
openstackgerrit | Richard Avelar proposed openstack/keystone master: Extend User API to support federated attributes https://review.openstack.org/426449 | 17:56 |
*** dikonoor has quit IRC | 18:02 | |
*** tqtran has joined #openstack-keystone | 18:13 | |
*** jamielennox is now known as jamielennox|away | 18:13 | |
*** spzala has joined #openstack-keystone | 18:16 | |
*** tqtran has quit IRC | 18:17 | |
*** adrian_otto has quit IRC | 18:17 | |
openstackgerrit | Richard Avelar proposed openstack/keystone master: Extend User API to support federated attributes https://review.openstack.org/426449 | 18:17 |
openstackgerrit | Richard Avelar proposed openstack/keystone master: Api-refs for extending user api for fed attributes https://review.openstack.org/427320 | 18:18 |
*** lucasxu has quit IRC | 18:20 | |
*** tqtran has joined #openstack-keystone | 18:31 | |
*** adrian_otto has joined #openstack-keystone | 18:36 | |
openstackgerrit | Richard Avelar proposed openstack/keystone master: Extend User API to support federated attributes https://review.openstack.org/426449 | 18:37 |
openstackgerrit | Richard Avelar proposed openstack/keystone master: Extend User API to support federated attributes https://review.openstack.org/426449 | 18:40 |
*** adrian_otto has quit IRC | 18:40 | |
*** MasterOfBugs has joined #openstack-keystone | 18:45 | |
openstackgerrit | Richard Avelar proposed openstack/keystone master: Extend User API to support federated attributes https://review.openstack.org/426449 | 18:55 |
openstackgerrit | Ron De Rose proposed openstack/keystone master: Extend User API to support federated attributes https://review.openstack.org/426449 | 18:55 |
*** ravelar has quit IRC | 18:57 | |
*** pcaruana has quit IRC | 19:03 | |
*** MasterOfBugs has quit IRC | 19:07 | |
*** MasterOfBugs has joined #openstack-keystone | 19:07 | |
*** adrian_otto has joined #openstack-keystone | 19:08 | |
*** ngupta has quit IRC | 19:22 | |
*** ngupta has joined #openstack-keystone | 19:23 | |
*** ngupta has quit IRC | 19:23 | |
*** ngupta has joined #openstack-keystone | 19:23 | |
*** chlong has joined #openstack-keystone | 19:36 | |
*** ravelar has joined #openstack-keystone | 19:40 | |
lbragstad | breton you wanted to talk about hierarchical quotas, right? | 19:40 |
lbragstad | breton fyi - http://lists.openstack.org/pipermail/openstack-dev/2017-February/112277.html | 19:42 |
*** chlong has quit IRC | 19:51 | |
breton | i'd love if morgan or ayoung participate there, as main opposers of my ideas | 19:53 |
ayoung | breton, I have no problem with your idea. I just think it is going to die the way it has every other time | 19:53 |
ayoung | breton, what happens is we talk through the issues with the CInder and Nova teams, and they realize that it is not a Keystone issue to solve and the proposal comes off the table | 19:54 |
ayoung | I've been through it Thrice so far | 19:54 |
ayoung | last time was Atlanta, IIRC | 19:55 |
breton | ayoung: i agree. Not a keystone issue at all. I want to move part of the issue to keystone. | 20:00 |
breton | ayoung: so come join us again in Atlanta :) | 20:01 |
morgan | wait what am i missing? | 20:04 |
* morgan context shifts | 20:05 | |
morgan | breton: summary of how far back i should read? | 20:05 |
lbragstad | gagehugo https://review.openstack.org/#/c/431785/ was the only spec that existed for tags, right? | 20:05 |
morgan | is this re: centralizing policy in keystone again? | 20:05 |
morgan | aka storing policy.json there? | 20:06 |
morgan | ayoung: ^ cc | 20:06 |
lbragstad | gagehugo there isn't another one floating around somewhere that has context in it is there? | 20:06 |
gagehugo | lbragstad not that I'm aware of? | 20:06 |
lbragstad | gagehugo ok - just double checking | 20:06 |
breton | morgan: quota limits in keystone | 20:09 |
morgan | oh | 20:09 |
dstanek | morgan: not that i am aware of right now. policy is going the other way right now :-) | 20:09 |
morgan | dstanek: right, phew | 20:09 |
morgan | so, the biggest concerns with quata limits in keystone are the following: | 20:09 |
morgan | 1: Asking keystone every time for "are we allowed to do this, quota wise", aka, where does this data get stored/communicated to the consuming service? | 20:10 |
morgan | does it go in the token body? | 20:10 |
morgan | etc | 20:10 |
morgan | most services do not *want* to ask keystone yet again for quota data. | 20:10 |
dstanek | i'd rather have a small lib that uses something like a redis backend | 20:10 |
morgan | 2: is the data stored in keystone for actual consumption or in the consuming service | 20:10 |
morgan | ? | 20:11 |
morgan | i am not opposed to having quota limits set in keystone. i am opposed to creating something no one will use and adding it to our contract | 20:11 |
breton | morgan: limits in token, usages are stored in the services themselves | 20:11 |
morgan | FTR: with the resource-options code, we can easily add this information | 20:11 |
morgan | and i am even less opposed now that we can just define (and validate) the data easily, but not need to expand columns endlessly for it. | 20:12 |
morgan | it's a single migration to add resource options to a resource type, then we define the options. | 20:13 |
dstanek | breton: limits in token? | 20:13 |
morgan | if the other projects will consume the limit, i'm happy | 20:13 |
breton | current problem is that quotas are a mess | 20:13 |
morgan | dstanek: he's saying add the limit (aka, vm_count) in the token body scope basically | 20:13 |
morgan | dstanek: so the token body would hold quota information | 20:13 |
morgan | dstanek: not what is consumed, but what the limit(s) are | 20:14 |
dstanek | how would that actually work? the token would hold all of the limits for the project/domain it is scoped to? | 20:14 |
breton | 4 services with quotas, each with different naming and capabilities | 20:14 |
morgan | dstanek: yep. | 20:14 |
dstanek | ...and every parent above | 20:14 |
morgan | dstanek: not too difficult to do, we already have to resolve that. | 20:14 |
morgan | because we have to check "enabled" everywhere | 20:15 |
dstanek | morgan: looking up the hierarchy isn't difficult, but the variable amount of quota data feels wrong | 20:15 |
dstanek | unless you now scope a token to a service (like nova) and we dump all nova's quotas in there | 20:16 |
morgan | nah, we would only show the limit (min) for the whole hierarchy | 20:16 |
dstanek | that was you don't also need to include glance's, neutron's, etc. | 20:16 |
morgan | except you kindof still do | 20:16 |
morgan | because -- yay --- nova talks to glance on your behalf | 20:17 |
breton | dstanek: otherwise services have to do silly stuff like copying the entire project tree | 20:17 |
morgan | dstanek: i don't feel like quota info on a domain or project as part of the scope (limit data, not actual consumption) is inappropriate | 20:17 |
morgan | it is a value/option for the <resource> | 20:18 |
dstanek | so in that model every token has to carry a largely static catalog of limits | 20:18 |
morgan | dstanek: well the body | 20:18 |
morgan | it would be a soft store (populated like project data) on validate | 20:19 |
morgan | not something we add to the payload | 20:19 |
dstanek | sure, but that's retrieved everytime you use the token | 20:19 |
morgan | right. | 20:19 |
morgan | if it is done in the same manner as the resource_option data, it will be done as a join'd load | 20:19 |
morgan | so, like i said, i'm really not opposed to this as long as the projects agree to consume it. | 20:21 |
morgan | i also can see a relatively easy side-band utility to pull the data into keystone- the only concern is re-training people to put the stuff in keystone vs when they talk to nova... or some kind of proxy (ick) | 20:22 |
dstanek | i don't really like that model because you have quota defined in keystone, but the actual usage data somewhere else | 20:23 |
morgan | dstanek: quota centralization (for limits) kindof needs to be done somewhere | 20:24 |
*** ravelar has quit IRC | 20:24 | |
morgan | it does feel like a property of the scope resource | 20:24 |
dstanek | morgan: what about the usage of those quotas. is that left to the service itself? | 20:24 |
morgan | it would be. | 20:25 |
morgan | the service is the only thing that can know what is being used | 20:25 |
morgan | also the service is responsible for reservation->use->marked-consumed | 20:25 |
morgan | cmurphy: changed your nic on us. :P just noticed. | 20:26 |
morgan | dstanek: we could centralize another way, but like i said, this feels like a keystone[resource-subsystem] thing | 20:27 |
morgan | since quotas are tied to project/domain info | 20:27 |
dstanek | that feels very strange to me. | 20:27 |
dstanek | everything is related to a project, but not necessarily to identity | 20:28 |
breton | lets break keystone into auth and resource | 20:28 |
* breton ducks | 20:28 | |
morgan | since keystone is authortitative to the properties on the project... | 20:28 |
morgan | breton: *cough* see specs. | 20:28 |
morgan | anyway | 20:28 |
morgan | dstanek: i worry that we have a potential issue with a new service being quota authoritative | 20:29 |
morgan | just because it requires asking the service about quota each time | 20:29 |
morgan | similar issues with a policy service (i don't mean like congress, i mean something storing policy.json) | 20:29 |
dstanek | if we do anything in keystone land it should be a separate "microservice" like thing that we can easily get rid of | 20:29 |
morgan | dstanek: i think the more important bit would be encoding it in the token or not | 20:30 |
morgan | if it isn't in the token, not really worth centralizing it in keystone | 20:30 |
morgan | if it is, everyone gets the quota information as part of the auth context | 20:30 |
morgan | and it makes sense. | 20:31 |
morgan | mordred: ^ because you have interests in quota-y things | 20:33 |
morgan | mordred: thoughts on centralization of the "limit" (not the consumption) bits | 20:33 |
mordred | uhoh | 20:34 |
* mordred reads | 20:34 | |
dstanek | the argument for putting it in keystone regardless is that it would be much easier to get it deployed | 20:34 |
*** ravelar has joined #openstack-keystone | 20:34 | |
morgan | mordred: breton has proposed putting quota information (limit) data in keystone- attached to the resource itself, communicated via the token body | 20:34 |
morgan | aka, vm_limit would be a project-setting | 20:34 |
morgan | consumption and the like would strill be nova's job | 20:35 |
morgan | just the limit info could be calculated (inc. heirarchy data) and communicated via the token. | 20:35 |
mordred | works for me - BUT ... | 20:36 |
mordred | a) currently the quotas in most projects are implemented as an unenforced key/value mess that you can think you're raising a quota/limit for a project but you aren't becaues typo | 20:36 |
*** jerrygb has joined #openstack-keystone | 20:36 | |
mordred | we should fix that | 20:36 |
*** jamielennox|away is now known as jamielennox | 20:36 | |
morgan | mordred: each limit would be validated explicitly on quota-name key and a value that makes sense | 20:37 |
morgan | mordred: the way i see it | 20:37 |
mordred | but then you get in to a versioned cross repo schema dance if nova wants to add a new quota/limit key | 20:37 |
mordred | BUT - I love it | 20:37 |
morgan | mordred: they would need to define a new option | 20:37 |
morgan | no schama change in keystone | 20:37 |
breton | there will be table with keys basically | 20:37 |
breton | as i see it | 20:37 |
mordred | right. but that's what I'm saying is bad | 20:37 |
morgan | the way i look at doing it, it would use the resource_option code | 20:37 |
mordred | because that's what is it NOW and it's terrible | 20:37 |
mordred | there should be a set of keys defined in the API that are part of an api contract | 20:38 |
morgan | we define an option in code, it is validated | 20:38 |
mordred | the keys shoudl not be data | 20:38 |
morgan | and it is part of the api-contract | 20:38 |
morgan | as well as verified on the backend | 20:38 |
* mordred hands morgan a pie | 20:38 | |
morgan | we actually generate json-schema | 20:38 |
morgan | for the options | 20:38 |
breton | i would love to talk about it all, but lets talk at the PTG. It's 11:38pm and my brain sleeps | 20:39 |
morgan | anyway. i can support this concept *if* the other projects agree to consume it | 20:39 |
dstanek | each service should define it's own keys | 20:39 |
morgan | and we have a path forward to get limit setting from service to keystone. | 20:39 |
morgan | and the other services are ok with cross-repo dance to add new authoritative keys | 20:40 |
morgan | breton: anyway ^, and sleep well | 20:41 |
*** aasthad has quit IRC | 20:42 | |
dstanek | is there already a spec for this? | 20:42 |
morgan | not that i am aware of | 20:42 |
breton | dstanek: there is, but in a bad shape | 20:43 |
dstanek | breton: fair enough...go get some sleep | 20:53 |
-openstackstatus- NOTICE: We're currently battling an increase in log volume which isn't leaving sufficient space for new jobs to upload logs and results in POST_FAILURE in those cases; recheck if necessary but keep spurious rebasing and rechecking to a minimum until we're in the clear. | 20:56 | |
openstackgerrit | Richard Avelar proposed openstack/keystone master: Extend User API to support federated attributes https://review.openstack.org/426449 | 20:59 |
*** adriant has joined #openstack-keystone | 20:59 | |
*** raildo has quit IRC | 21:11 | |
*** aasthad has joined #openstack-keystone | 21:17 | |
*** ravelar has quit IRC | 21:19 | |
*** ravelar has joined #openstack-keystone | 21:19 | |
*** edmondsw has quit IRC | 21:27 | |
*** edmondsw has joined #openstack-keystone | 21:33 | |
*** ravelar has quit IRC | 21:37 | |
*** haplo37_ has quit IRC | 21:41 | |
*** haplo37_ has joined #openstack-keystone | 21:41 | |
cmurphy | morgan: yeah, felt like the right time for a change | 21:47 |
*** ravelar has joined #openstack-keystone | 21:52 | |
lbragstad | morgan python-memcached lacks py3 support, right? | 22:01 |
morgan | lbragstad: some cases | 22:01 |
morgan | it is supposed to support py3 but it doesn't really | 22:02 |
lbragstad | morgan can you give me the two minute version of the biggest pain points we have with python-memcached? | 22:02 |
*** Krenair has quit IRC | 22:02 | |
morgan | the maintainer is not active, py3 support is spotty at best | 22:02 |
morgan | library is really poorly designed | 22:03 |
morgan | (it was fine back in the day, but it really doesn't look like something you'd write now), all functions not really class-based | 22:03 |
lbragstad | morgan does the design of the library prevent us from doing specific things? | 22:03 |
morgan | and finally, it explicitly relies on thread.local | 22:03 |
morgan | it makes it hard for us to do thing | 22:03 |
morgan | s | 22:03 |
morgan | not impossible | 22:03 |
morgan | i would like to drop it on the floor and never look at it again | 22:04 |
lbragstad | morgan just looking for a single thing that makes our lives harder | 22:04 |
morgan | i tried to take over the lib multiple times, and the current maintainer is very hard to reach even thogh he agreed to it | 22:04 |
morgan | and since i can't get the LP project and pypi bits put over to me/openstack | 22:04 |
morgan | i can't take it over | 22:04 |
lbragstad | right | 22:04 |
lbragstad | that makes sense | 22:04 |
morgan | so... my new plan: drop it | 22:04 |
morgan | drop it like it's hot | 22:04 |
*** wolsen has quit IRC | 22:04 | |
lbragstad | dumb question time | 22:04 |
morgan | pymemcache is the way to go | 22:05 |
lbragstad | what about thread.local is a problem for us? | 22:05 |
morgan | haha, it isn't | 22:05 |
morgan | it is a problem for anyone using eventlet | 22:05 |
morgan | we don't use eventlet so... no issue | 22:05 |
morgan | but it sucks for keystonemiddleware | 22:05 |
lbragstad | in services that run in eventlet | 22:05 |
jamielennox | what sucks for middleware? | 22:05 |
morgan | thread.local allows for the lib to consume all the memcache sockets | 22:05 |
morgan | if a service is hit hard | 22:05 |
morgan | so, you can end up DOSing your memcache server itself | 22:06 |
morgan | since eventlet creates green threads and each greenthread gets a connection to memcache | 22:06 |
morgan | it's the reason we tried the pool thing, but we're battling python-memcache to patch that out | 22:06 |
morgan | it's all around awful | 22:06 |
morgan | we should get a pymemcache driver in dogpile | 22:07 |
morgan | and we should make oslo.cache default to that | 22:07 |
morgan | and we should never ever ever use python-memcached | 22:07 |
*** chris_hultin is now known as chris_hultin|AWA | 22:07 | |
morgan | lbragstad: the other alternative is to fork python-memcached, but kindof feel like pymemcache is so much better why bother | 22:08 |
lbragstad | morgan ok - cool | 22:08 |
lbragstad | morgan i'm prepopulating an etherpad for the PTG on the topic | 22:08 |
morgan | lbragstad: https://github.com/pinterest/pymemcache | 22:08 |
morgan | also pinterest folks are smart ;) | 22:09 |
lbragstad | morgan would you be interested in driving that discussion | 22:09 |
lbragstad | ? | 22:09 |
lbragstad | I imagine it to be quick | 22:09 |
morgan | sure... i mean the discussion is super simple | 22:09 |
morgan | i might even have code posted by the PTG | 22:09 |
morgan | it's literally "here is dogpile driver, oslo_cache, use that" | 22:09 |
lbragstad | morgan yeah - i agree, i just want to air it out, document the tribal knowledge, and come up with a list of action items to move towards a solution | 22:10 |
morgan | the bigger issue is getting keystonemiddleware to use oslo.cache | 22:10 |
lbragstad | morgan what does keystonemiddleware use now? | 22:10 |
lbragstad | a home grown cache implementation? | 22:10 |
morgan | yep | 22:11 |
morgan | part of that is because swift | 22:11 |
lbragstad | gotcha | 22:12 |
*** thorst_ has quit IRC | 22:16 | |
lbragstad | morgan would you also be interested in driver the VMT discussion for identity related projects? | 22:18 |
morgan | i can participate | 22:19 |
morgan | though i would prefer to not be driving that one. | 22:19 |
lbragstad | morgan moderate? | 22:19 |
morgan | i can help on it, mostly i can communicate what the VMT wants from the projects | 22:20 |
lbragstad | morgan that'd work | 22:20 |
lbragstad | by drive I don't mean be stuck with the implementation | 22:20 |
lbragstad | or work | 22:20 |
morgan | the work is finding folks willing to do the threat analysis | 22:21 |
morgan | and publish it | 22:21 |
lbragstad | I want drivers to be folks who have an interest in seeing something get done and speaking to it | 22:21 |
morgan | this is not something i can do, and since i'm not the PTL i don't want to drive too hard on it | 22:21 |
morgan | i am happy to discuss the needs | 22:21 |
lbragstad | cool | 22:21 |
morgan | but they are largely the same as what was put in the meeting | 22:21 |
morgan | and barbican has done this, so the detail can follow in their steps | 22:22 |
openstackgerrit | Ron De Rose proposed openstack/keystone master: Extend User API to support federated attributes https://review.openstack.org/426449 | 22:22 |
*** chris_hultin|AWA is now known as chris_hultin | 22:26 | |
*** spilla has quit IRC | 22:29 | |
openstackgerrit | Richard Avelar proposed openstack/keystone master: Extend User API to support federated attributes https://review.openstack.org/426449 | 22:31 |
morgan | lbragstad: https://review.openstack.org/#/c/428388/7 might be something to discuss at PTG | 22:33 |
lbragstad | morgan ok - let me see if I can find a spot for it | 22:34 |
lbragstad | morgan how long are you thinking the discussion will take? | 22:34 |
morgan | lbragstad: and https://review.openstack.org/#/c/428472/ can probably get a +A since no one else has poked at it | 22:34 |
morgan | lbragstad: short discussion it's just "is there a reason we shouldn't do this deprecation" | 22:34 |
morgan | if we | 22:34 |
morgan | re really doubling down on fernet | 22:34 |
morgan | dropping uuid is a good plan | 22:34 |
lbragstad | morgan ++ that reminds me that we need a deprecations session | 22:35 |
*** Krenair has joined #openstack-keystone | 22:36 | |
*** ngupta has quit IRC | 22:38 | |
openstackgerrit | Ron De Rose proposed openstack/keystone master: Extend User API to support federated attributes https://review.openstack.org/426449 | 22:39 |
*** prashkre has quit IRC | 22:44 | |
openstackgerrit | Gage Hugo proposed openstack/keystone master: Force SQLite to properly deal with foreign keys https://review.openstack.org/126030 | 22:45 |
*** edmondsw has quit IRC | 22:48 | |
*** dave-mccowan has quit IRC | 22:53 | |
*** adrian_otto1 has joined #openstack-keystone | 22:59 | |
*** catintheroof has quit IRC | 23:00 | |
*** adrian_otto has quit IRC | 23:01 | |
*** jperry has quit IRC | 23:02 | |
*** ravelar has quit IRC | 23:04 | |
*** martinlopes has joined #openstack-keystone | 23:06 | |
*** _d34dh0r53_ is now known as d34dh0r53 | 23:09 | |
*** lamt has quit IRC | 23:09 | |
*** esp has quit IRC | 23:11 | |
*** lamt has joined #openstack-keystone | 23:11 | |
*** chris_hultin is now known as chris_hultin|AWA | 23:12 | |
*** esp has joined #openstack-keystone | 23:12 | |
*** lamt has quit IRC | 23:15 | |
*** spzala has quit IRC | 23:17 | |
*** adrian_otto1 has quit IRC | 23:17 | |
*** thorst_ has joined #openstack-keystone | 23:17 | |
*** gyee has joined #openstack-keystone | 23:18 | |
*** ravelar has joined #openstack-keystone | 23:18 | |
*** adrian_otto has joined #openstack-keystone | 23:19 | |
*** thorst_ has quit IRC | 23:21 | |
*** browne has quit IRC | 23:25 | |
*** thorst_ has joined #openstack-keystone | 23:27 | |
*** thorst_ has quit IRC | 23:32 | |
*** thorst_ has joined #openstack-keystone | 23:32 | |
*** thorst_ has quit IRC | 23:37 | |
*** aasthad has quit IRC | 23:42 | |
*** masterjcool has quit IRC | 23:49 | |
*** jerrygb_ has joined #openstack-keystone | 23:52 | |
*** jerrygb has quit IRC | 23:53 | |
*** spzala has joined #openstack-keystone | 23:55 | |
*** jerrygb_ has quit IRC | 23:59 | |
*** jerrygb has joined #openstack-keystone | 23:59 | |
*** spzala has quit IRC | 23:59 |
Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!