Friday, 2017-10-27

*** AlexeyAbashkin has joined #openstack-keystone		00:10
*** itlinux has joined #openstack-keystone		00:10
*** catintheroof has joined #openstack-keystone		00:11
*** eckesicle has joined #openstack-keystone		00:13
*** AlexeyAbashkin has quit IRC		00:14
*** rcernin has joined #openstack-keystone		00:21
*** catintheroof has quit IRC		00:32
*** catintheroof has joined #openstack-keystone		00:38
*** gyee has quit IRC		00:40
*** catintheroof has quit IRC		00:42
*** catintheroof has joined #openstack-keystone		00:44
*** AlexeyAbashkin has joined #openstack-keystone		00:46
*** AlexeyAbashkin has quit IRC		00:51
*** catintheroof has quit IRC		00:55
*** catintheroof has joined #openstack-keystone		00:56
*** zzzeek has quit IRC		00:58
*** zzzeek has joined #openstack-keystone		01:00
*** thorst has joined #openstack-keystone		01:16
*** thorst has quit IRC		01:17
*** catintheroof has quit IRC		01:20
*** namnh has joined #openstack-keystone		01:21
*** catintheroof has joined #openstack-keystone		01:21
*** catintheroof has quit IRC		01:24
*** gmann_afk is now known as gmann		01:25
*** dave-mccowan has quit IRC		01:26
*** dave-mccowan has joined #openstack-keystone		01:28
*** wes_dillingham has quit IRC		01:34
*** rcernin has quit IRC		01:43
*** rcernin has joined #openstack-keystone		01:44
*** wes_dillingham has joined #openstack-keystone		01:48
openstackgerrit	Shan Guo proposed openstack/keystone master: Remove simple cert support https://review.openstack.org/515309	01:50
*** catintheroof has joined #openstack-keystone		01:55
*** catintheroof has quit IRC		02:00
*** thorst has joined #openstack-keystone		02:18
*** thorst has quit IRC		02:23
*** annp has joined #openstack-keystone		02:23
*** catintheroof has joined #openstack-keystone		02:28
*** catintheroof has quit IRC		02:33
*** AlexeyAbashkin has joined #openstack-keystone		02:47
*** spzala has quit IRC		02:50
*** AlexeyAbashkin has quit IRC		02:52
*** spzala has joined #openstack-keystone		03:02
*** spzala has quit IRC		03:06
*** AlexeyAbashkin has joined #openstack-keystone		03:08
*** gvrangan has joined #openstack-keystone		03:08
*** AlexeyAbashkin has quit IRC		03:12
*** dave-mccowan has quit IRC		03:14
*** prashkre__ has joined #openstack-keystone		03:14
openstackgerrit	OpenStack Proposal Bot proposed openstack/pycadf master: Updated from global requirements https://review.openstack.org/470137	03:15
*** nicolasbock has quit IRC		03:30
*** aselius has quit IRC		03:30
*** markvoelker has quit IRC		03:43
openstackgerrit	Shan Guo proposed openstack/keystone master: Remove simple cert support https://review.openstack.org/515309	03:55
*** catintheroof has joined #openstack-keystone		04:01
*** spzala has joined #openstack-keystone		04:03
*** catintheroof has quit IRC		04:05
*** spzala has quit IRC		04:07
*** thorst has joined #openstack-keystone		04:19
*** annp has quit IRC		04:20
*** thorst has quit IRC		04:24
*** rmcallis has quit IRC		04:27
*** annp has joined #openstack-keystone		04:28
*** lamt has quit IRC		04:51
*** cburgess has quit IRC		04:51
*** suramya_ has joined #openstack-keystone		04:51
*** gvrangan has quit IRC		04:52
*** gvrangan has joined #openstack-keystone		04:52
*** rmcallis has joined #openstack-keystone		04:53
*** Suramya has joined #openstack-keystone		04:53
*** rmcallis has quit IRC		04:58
*** rmcallis has joined #openstack-keystone		04:59
*** wes_dillingham has quit IRC		05:00
*** spzala has joined #openstack-keystone		05:02
*** cburgess has joined #openstack-keystone		05:03
*** lamt has joined #openstack-keystone		05:04
*** lamt is now known as Guest53850		05:04
*** jaosorior has joined #openstack-keystone		05:05
*** spzala has quit IRC		05:06
*** masuberu has joined #openstack-keystone		05:15
*** masber has quit IRC		05:18
*** masber has joined #openstack-keystone		05:20
*** masuberu has quit IRC		05:23
*** markvoelker has joined #openstack-keystone		05:43
*** BenderRodriguez has quit IRC		05:47
*** spzala has joined #openstack-keystone		06:03
*** spzala has quit IRC		06:07
*** markvoelker has quit IRC		06:18
*** thorst has joined #openstack-keystone		06:20
*** spectr has joined #openstack-keystone		06:22
*** thorst has quit IRC		06:25
*** gvrangan has quit IRC		06:26
*** magicboiz has joined #openstack-keystone		06:27
*** magicboiz has quit IRC		06:32
*** aojea has joined #openstack-keystone		06:32
*** magicboiz has joined #openstack-keystone		06:32
*** gvrangan has joined #openstack-keystone		06:32
*** gvrangan has quit IRC		06:44
openstackgerrit	Shan Guo proposed openstack/keystone master: Remove simple cert support https://review.openstack.org/515309	06:53
*** magicboiz has quit IRC		06:53
*** magicboiz has joined #openstack-keystone		06:55
*** aojea has quit IRC		06:58
*** magicboiz has quit IRC		07:00
*** suramya_ has quit IRC		07:01
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystonemiddleware master: Imported Translations from Zanata https://review.openstack.org/514529	07:02
*** aojea has joined #openstack-keystone		07:03
*** magicboiz has joined #openstack-keystone		07:07
*** aojea has quit IRC		07:08
*** markvoelker has joined #openstack-keystone		07:14
*** tesseract has joined #openstack-keystone		07:22
*** ioggstream has joined #openstack-keystone		07:31
*** thorst has joined #openstack-keystone		07:33
*** namnh has quit IRC		07:34
*** thorst has quit IRC		07:38
*** josecastroleon has joined #openstack-keystone		07:41
*** itlinux has quit IRC		07:43
*** markvoelker has quit IRC		07:48
*** prashkre__ has quit IRC		07:53
*** prashkre__ has joined #openstack-keystone		07:53
*** AlexeyAbashkin has joined #openstack-keystone		07:56
*** rcernin has quit IRC		07:58
*** magicboiz has quit IRC		08:00
*** magicboiz has joined #openstack-keystone		08:03
*** magicboiz has quit IRC		08:08
*** magicboiz has joined #openstack-keystone		08:15
*** rmcallis has quit IRC		08:44
*** markvoelker has joined #openstack-keystone		08:45
*** rmcallis has joined #openstack-keystone		08:46
*** namnh has joined #openstack-keystone		08:51
*** rmcallis has quit IRC		08:53
*** spzala has joined #openstack-keystone		09:04
*** spzala has quit IRC		09:09
*** markvoelker has quit IRC		09:18
*** thorst has joined #openstack-keystone		09:34
*** thorst has quit IRC		09:39
openstackgerrit	Rajat Sharma proposed openstack/keystone master: Install and configure in Installation Guide: Populate the Identity service database step fails https://review.openstack.org/515662	09:42
*** links has quit IRC		09:42
*** Suramya has quit IRC		09:50
*** zhangjl has quit IRC		09:50
*** zhangjl has joined #openstack-keystone		09:51
*** gmann is now known as gmann_afk		10:02
*** daidv has quit IRC		10:12
*** eckesicle has quit IRC		10:12
*** markvoelker has joined #openstack-keystone		10:15
*** namnh has quit IRC		10:36
*** markvoelker has quit IRC		10:49
*** rmcallis has joined #openstack-keystone		10:49
*** rmcallis has quit IRC		10:54
*** robcresswell has quit IRC		11:03
*** annp has quit IRC		11:03
*** spzala has joined #openstack-keystone		11:06
*** spzala has quit IRC		11:12
*** thorst has joined #openstack-keystone		11:35
*** zhangjl has quit IRC		11:39
*** thorst has quit IRC		11:40
*** sambetts\|afk is now known as sambetts		11:41
*** nicolasbock has joined #openstack-keystone		11:43
*** belmoreira has joined #openstack-keystone		11:45
*** thorst has joined #openstack-keystone		11:46
*** markvoelker has joined #openstack-keystone		11:46
*** ioggstream has quit IRC		11:48
*** raildo has joined #openstack-keystone		12:07
*** spzala has joined #openstack-keystone		12:08
*** spzala has quit IRC		12:13
*** wes_dillingham has joined #openstack-keystone		12:16
*** magicboiz has quit IRC		12:16
*** ioggstream has joined #openstack-keystone		12:18
*** markvoelker has quit IRC		12:20
*** markvoelker has joined #openstack-keystone		12:27
*** rm_work has quit IRC		12:29
*** rm_work has joined #openstack-keystone		12:30
*** rm_work has quit IRC		12:30
*** rm_work has joined #openstack-keystone		12:30
*** spzala has joined #openstack-keystone		12:50
*** spzala has quit IRC		13:04
*** catintheroof has joined #openstack-keystone		13:04
*** panbalag has joined #openstack-keystone		13:13
*** efried is now known as fried_rice		13:14
*** panbalag has left #openstack-keystone		13:18
lbragstad	o/	13:28
*** dansmith is now known as superdan		13:30
*** sheel has joined #openstack-keystone		13:32
*** catintheroof has quit IRC		13:34
*** catintheroof has joined #openstack-keystone		13:42
*** spectr has quit IRC		13:49
*** dave-mccowan has joined #openstack-keystone		13:53
*** arxcruz is now known as arxcruz\|pto		13:56
*** Dinesh_Bhor has quit IRC		14:04
*** d0ugal_ has joined #openstack-keystone		14:04
*** d0ugal has quit IRC		14:05
*** spectr has joined #openstack-keystone		14:09
*** McClymontS has joined #openstack-keystone		14:16
*** dave-mccowan has quit IRC		14:20
*** McClymontS has quit IRC		14:26
*** spectr has quit IRC		14:39
openstackgerrit	Vladyslav Drok proposed openstack/keystoneauth master: Make none auth usable in CLI https://review.openstack.org/515730	14:45
*** josecastroleon has quit IRC		14:46
openstackgerrit	Vladyslav Drok proposed openstack/keystoneauth master: Make none auth usable in CLI https://review.openstack.org/515730	15:03
*** belmoreira has quit IRC		15:09
*** dave-mccowan has joined #openstack-keystone		15:11
*** AlexeyAbashkin has quit IRC		15:13
*** jmlowe_ has joined #openstack-keystone		15:14
*** jmlowe has quit IRC		15:16
*** links has joined #openstack-keystone		15:19
*** dave-mccowan has quit IRC		15:21
prashkre__	kmalloc: Hi! Could you please review https://review.openstack.org/#/c/514885/	15:23
*** itlinux has joined #openstack-keystone		15:30
*** itlinux has quit IRC		15:30
cmurphy	kmalloc: you had this note to remove the simple_cert router: https://review.openstack.org/#/c/515309/6/keystone/version/service.py doesn't that break the API contract?	15:35
kmalloc	Yeh probably.	15:35
kmalloc	I think that note predated our TC agreement	15:36
kmalloc	And such	15:36
cmurphy	gotcha	15:36
kmalloc	Let's nuke the note	15:36
kmalloc	Leave the api	15:36
kmalloc	If it works at all.	15:37
kmalloc	If it doesn't, we may need to fix it too	15:37
*** sheel has quit IRC		15:41
*** McClymontS has joined #openstack-keystone		15:45
openstackgerrit	Vladyslav Drok proposed openstack/keystoneauth master: Make none auth usable in CLI https://review.openstack.org/515730	15:46
*** McClymontS has quit IRC		15:47
*** jaosorior has quit IRC		15:48
*** BenderRodriguez has joined #openstack-keystone		15:49
*** BenderRodriguez has quit IRC		15:49
*** BenderRodriguez has joined #openstack-keystone		15:49
*** itlinux has joined #openstack-keystone		15:57
itlinux	hello all..	16:04
*** dave-mccowan has joined #openstack-keystone		16:04
itlinux	I have two env.. running Ocata.. both same LDAP servers.. both can pull the users fine but one of them cannot retrieve the group list.. the other can.. any suggestions on what to look for?	16:04
*** fried_rice has quit IRC		16:05
itlinux	I get this in the logs There is either no auth token in the request or the certificate issuer is not trusted. No auth context will be set. fill_context	16:17
itlinux	any tips?	16:17
itlinux	TY	16:18
*** fried_rice has joined #openstack-keystone		16:18
*** robcresswell has joined #openstack-keystone		16:19
*** catintheroof has quit IRC		16:23
*** jmlowe_ has quit IRC		16:23
*** dave-mccowan has quit IRC		16:26
*** catintheroof has joined #openstack-keystone		16:27
*** ioggstream has quit IRC		16:28
*** catintheroof has quit IRC		16:35
*** catintheroof has joined #openstack-keystone		16:36
*** links has quit IRC		16:38
*** catintheroof has quit IRC		16:39
lbragstad	itlinux: that warning is actually being removed because it's not really an issue https://review.openstack.org/#/c/514810/	16:39
lbragstad	context ^	16:39
*** catintheroof has joined #openstack-keystone		16:39
*** sambetts is now known as sambetts\|afk		16:41
*** dave-mccowan has joined #openstack-keystone		16:50
*** AlexeyAbashkin has joined #openstack-keystone		16:53
*** AlexeyAbashkin has quit IRC		16:57
*** dave-mccowan has quit IRC		17:03
*** dave-mccowan has joined #openstack-keystone		17:03
itlinux	so how do I make this work.. users shows up and groups do not	17:07
itlinux	thanks	17:07
*** rmcallis has joined #openstack-keystone		17:07
*** prashkre__ is now known as prashkre		17:18
prashkre	kmalloc: https://review.openstack.org/#/c/514885/ needs your review. could you please add it to your list.	17:21
*** itlinux has quit IRC		17:28
*** rmascena has joined #openstack-keystone		17:28
*** dave-mccowan has quit IRC		17:29
*** jmlowe has joined #openstack-keystone		17:30
*** raildo has quit IRC		17:31
hogepodge	cmurphy: or anyone else, can you give me a high-level overview of project-lived credentials?	17:37
hogepodge	I want to understand...	17:37
lbragstad	hogepodge: sure	17:42
* lbragstad will try but cmurphy will keep him honest		17:43
lbragstad	hogepodge: so - I find it easy to thinking about using the application example	17:43
hogepodge	ok	17:44
lbragstad	if you and i work on a team that uses openstack to host an application, and that application needs access to various openstack APIs	17:44
lbragstad	today - we have a couple ways to make that happen	17:44
kmalloc	prashkre: it is on my list, as soon as I have dealt with plumbing emergency	17:44
lbragstad	1.) you or I can put our username and passwords in an application configuration file and the application accesses OpenStack as our users	17:45
hogepodge	that's what I do! :-)	17:45
hogepodge	(hey ci/cd system, here's my personal login lol)	17:46
lbragstad	2.) we have a dedicated user created for the application to use (which might require opening a service ticket to the corporate ldap team to create some user - which kinda defeats the purpose )	17:46
* lbragstad is sorry		17:46
lbragstad	i apologize - but that makes you the perfect user for this conversation then!	17:46
lbragstad	both options 1 and 2 are pretty bad	17:47
lbragstad	and they likely violate company security policies	17:47
lbragstad	instead - the whole concept of application credentials was to make it so you or I can generate an application specific password in keystone - then use that in the application configuration file	17:47
hogepodge	I distract them from that violation by setting up rogue torrent servers for them to deal with. ;-)	17:48
lbragstad	lol	17:48
hogepodge	how is it different from case 2?	17:48
lbragstad	so - application credentials are similar to case 2 initially	17:49
lbragstad	but we eventually want to be able to associate specific operations to application credentials	17:49
lbragstad	(give me an application specific credential that can only list instances)	17:49
hogepodge	ok, cool	17:50
lbragstad	which should hopefully help with damage control if the application is compromised	17:50
hogepodge	when you say eventually...	17:50
*** mwynne has joined #openstack-keystone		17:50
lbragstad	yeah...	17:50
lbragstad	that's were things get fuzzy, because we have a mountain of policy/rbac issues to fix across openstack too, in order for that to be a reality	17:51
lbragstad	(but, we do have a plan)	17:51
hogepodge	so post queens?	17:51
lbragstad	yes	17:51
lbragstad	but - once you have an application credential	17:51
lbragstad	how long should it live for	17:51
lbragstad	?	17:51
mwynne	Hi guys. I have a quick question. I have 2 keystone apache processes using 100+% CPU while the stack is basically idle, killing my controller. Any idea how I can troubleshoot this issue?	17:51
mwynne	31476 keystone 20 0 647660 144180 12996 S 115.6 0.9 727:18.22 apache2	17:51
lbragstad	^ that essentially the question that makes project-lived or user-lived application creds make snese	17:51
lbragstad	hogepodge: one of the biggest things we wanted to avoid with app creds, was when a team member leaves the application stops working	17:52
lbragstad	if i put my username and password in the application configuration file, and i get fire, then our app doesn't work	17:53
lbragstad	the same would be true if we associate app creds to the user life cycle	17:53
lbragstad	which is why we thought it important to associate them to the project	17:53
*** itlinux has joined #openstack-keystone		17:53
lbragstad	mwynne: can you share a little more on how you have keystone configured?	17:54
lbragstad	hogepodge: but that also means that anytime someone leaves the team, the application credential should be rotated (because I could write down the application credential and still access API with it even after I get fired)	17:55
hogepodge	great, this is all good information	17:56
mwynne	lbragstad: Sorry, what do you need to know specifically? Want my keystone.conf?	17:56
lbragstad	hogepodge: that's essentially the gist of project-lived versus user-lived application credentials	17:58
lbragstad	(fwiw - mordred is picking that up this release)	17:58
lbragstad	mwynne: sure - that might be a start, omitting sensitive information if you have any	17:59
mwynne	lbragstad: http://paste.openstack.org/show/624843/	18:01
hogepodge	thanks, we're just trying to come up with something succinct and correct to say in our project roadmap presentation	18:01
hogepodge	this helps a lot	18:01
lbragstad	hogepodge: awesome	18:01
mwynne	lbragstad: I get a pretty constant stream of these: 2017-10-27 18:02:29.034 31476 INFO keystone.common.wsgi [req-bacff250-4223-43b4-8594-e77a63be7ab0 d9f834e0d74a4ab7a55318d412b0f2ea 4f779ae189834a9a9e193b1b9d7546a6 - default default] GET http://10.10.10.5:35357/v3/auth/tokens	18:02
lbragstad	mwynne: you have eventlet configuration options defined but you're running in apache, right?	18:03
mwynne	lbragstad: Correct. I was wondering why those were there....	18:03
lbragstad	mwynne: yeah - that's a log telling you someone is validating a token (or a service)	18:03
mwynne	lbragstad: should I remove those settings from eventlet?	18:04
lbragstad	mwynne: you could - but i was more or less just curious	18:04
lbragstad	i think those should be specific to keystone's eventlet support in tree	18:04
lbragstad	otherwise apache should be handling that for you	18:04
mwynne	Will those have any effect if I'm using apache?	18:05
lbragstad	they shouldn't	18:05
mwynne	ok	18:05
*** harlowja has quit IRC		18:05
mwynne	lbragstad: This stack has 90 tenants, 90 networks, and 180 vms	18:05
*** harlowja has joined #openstack-keystone		18:05
mwynne	So, quite a bit of stuff.	18:06
mwynne	but I wouldn't have thought apache would be totally pinned while everything's idle	18:06
lbragstad	mwynne: have you tried configuring caching in keystone?	18:06
mwynne	lbragstad: no. what's require for that?	18:06
lbragstad	https://docs.openstack.org/keystone/latest/admin/identity-caching-layer.html	18:07
lbragstad	there are a couple options in keystone.conf that will let you turn it on	18:07
lbragstad	and optionally point to a memcached deployment	18:07
lbragstad	we've seen that have significant performance improvements	18:08
mwynne	if I modify these I just need to restart the apache service?	18:09
lbragstad	if you want to point to a memcached service, you'll have to make sure that's running	18:10
lbragstad	other wise - keystone will cache in process	18:10
lbragstad	so - worst possible case is that you won't notice a difference until each thread has cached a specific response	18:10
mwynne	Yeah, the memcached service is running.	18:10
lbragstad	oh - then yeah... kicking keystone after making those changes should be all you need	18:11
mwynne	lbragstad: there's no keystone service, right? Just apache?	18:11
lbragstad	keystone is the service but it can run in a web service like apache, so restarting apache will restart keystone	18:12
mwynne	lbragstad: Right, thanks.	18:13
mwynne	lbragstad: It might look better...	18:14
*** wes_dillingham has quit IRC		18:14
mwynne	You just might be a life saver :)	18:14
lbragstad	mwynne: did it work?	18:15
mwynne	I think so	18:15
lbragstad	\o/	18:15
mwynne	CPU usage seems much better, for now, at least.	18:15
mwynne	Thank you so much!	18:15
lbragstad	yeah - anytime	18:15
lbragstad	hopefully you'll notice quicker response times in overall APIs \	18:15
mwynne	lbragstad: An unexpected error prevented the server from fulfilling your request. (HTTP 500)	18:16
mwynne	:(	18:16
lbragstad	uh oh	18:16
lbragstad	keystone logs?	18:16
* lbragstad wonders if python-memcached is installed		18:17
mwynne	ERROR keystone.common.wsgi OperationalError: (pymysql.err.OperationalError) (1040, u'Too many connections')	18:17
lbragstad	mwynne: oh - depending on how many instances of keystone you're running, you could be running out of mysql connections	18:18
lbragstad	1.) reduce the amount of keystone servers	18:19
lbragstad	2.) increase mysql connection limits	18:19
lbragstad	those would be my two guesses	18:19
mwynne	my.conf: max_connections = 151	18:19
mwynne	increase that and restart the service?	18:19
mwynne	Can I see what the current number of connections is?	18:19
mwynne	To ensure that's the limit being hit?	18:20
lbragstad	mwynne: you might be able to do something like this - https://stackoverflow.com/questions/7432241/mysql-show-status-active-or-total-connections	18:22
mwynne	lbragstad: Just found that :)	18:22
lbragstad	:)	18:23
mwynne	Thanks again for all your help!	18:23
lbragstad	yep - are you hitting that limit?	18:23
mwynne	Yup	18:24
lbragstad	nice	18:24
mwynne	increased and restarted	18:24
mwynne	looks better	18:24
mwynne	and faster :D	18:24
lbragstad	no more 500s?	18:24
mwynne	Nope	18:25
lbragstad	sweet	18:25
mwynne	APIs seem faster	18:25
lbragstad	good deal	18:25
mwynne	Learn something new every day. It's weird that the installation instructions tell you to install memcached but don't tell you to configure any services to actually use it :S	18:25
lbragstad	caching usually have a pretty good effect on API performance, especially when enabled for most subsystems	18:25
lbragstad	s/have/has/	18:26
lbragstad	did you just follow the basic installation guide or did you use a deployment tool?	18:26
mwynne	lbragstad: Can I enable that elsewhere?	18:26
mwynne	I've done both. This deployment was done with puppet though.	18:26
lbragstad	ok	18:26
lbragstad	mwynne: you can enable "global" caching in keystone, but then you can also opt into turning on caching for various subsystems (e.g. caching for tokens, users, catalogs, etc..)	18:27
lbragstad	which is detailed here - https://docs.openstack.org/keystone/latest/admin/identity-caching-layer.html	18:27
*** clenimar has quit IRC		18:28
mwynne	if I just enabled it in [cache] then it's enabled globally?	18:28
lbragstad	yeah	18:28
lbragstad	that option comes from oslo.cache	18:28
mwynne	Ok. Is that generally bad?	18:28
lbragstad	which is the library we use to cache stuff	18:28
lbragstad	no, it's not bad	18:28
mwynne	memcached is configured for 64MB of memory. will it need more?	18:29
mwynne	Any idea?	18:29
lbragstad	it just defaults to off, but all keystone sub-systems default to caching if the global toggle is enabled	18:29
lbragstad	mwynne: that i'm not sure - that might depend in how long you intend to cache data	18:29
mwynne	Ah, good point.	18:29
lbragstad	for example - https://github.com/openstack/keystone/blob/master/keystone/conf/token.py#L97-L104	18:30
lbragstad	you can adjust those knobs per sub-system	18:30
lbragstad	so you can hold on to cached catalog information longer than cached token information	18:30
lbragstad	(for example)	18:30
mwynne	Ah, ok. Interesting stuff.	18:31
lbragstad	that might be one way to avoid allocating more that 64MB of memory	18:32
lbragstad	and take the performance hit of invalidating cache entries more often	18:33
mwynne	Cool	18:34
mwynne	I'll look into that more	18:34
*** dave-mccowan has joined #openstack-keystone		18:38
*** clenimar has joined #openstack-keystone		18:40
*** dave-mccowan has quit IRC		18:44
*** ioggstream has joined #openstack-keystone		18:44
*** wes_dillingham has joined #openstack-keystone		18:45
itlinux	hi is there a way to add AD users to local groups?	19:19
itlinux	I wonder if I can do this.. LDAP users to local groups.. by openstack role add --group xxxxxx --users ldap account..	19:21
itlinux	thanks!	19:21
*** catintheroof has quit IRC		19:29
*** tesseract has quit IRC		19:33
*** ioggstream has quit IRC		19:36
*** dave-mccowan has joined #openstack-keystone		19:37
*** catintheroof has joined #openstack-keystone		19:41
*** LobsterRoll has joined #openstack-keystone		19:41
*** wes_dillingham has quit IRC		19:43
*** LobsterRoll is now known as wes_dillingham		19:43
*** catintheroof has quit IRC		19:45
*** dave-mccowan has quit IRC		19:49
*** rcernin has joined #openstack-keystone		19:57
*** itlinux has quit IRC		20:01
*** aselius has joined #openstack-keystone		20:09
*** wes_dillingham has quit IRC		20:11
*** jmlowe has quit IRC		20:14
*** prashkre has quit IRC		20:18
*** dave-mccowan has joined #openstack-keystone		20:33
*** dave-mccowan has quit IRC		20:38
*** thorst has quit IRC		20:38
*** McClymontS has joined #openstack-keystone		20:39
*** itlinux has joined #openstack-keystone		20:41
*** nkinder has quit IRC		20:52
cmurphy	lbragstad: hogepodge sorry I was out, sounds like the question got answered?	21:01
cmurphy	itlinux: as far as I know you can't do that, because users and groups are both part of the identity driver and you can only have one backend for a driver	21:03
hogepodge	cmurphy: yes, thanks!	21:04
*** itlinux has quit IRC		21:07
*** itlinux has joined #openstack-keystone		21:15
*** McClymontS has quit IRC		21:27
*** rcernin has quit IRC		21:28
*** rmascena has quit IRC		21:31
*** wes_dillingham has joined #openstack-keystone		21:33
*** itlinux has quit IRC		21:44
*** wes_dillingham has quit IRC		21:49
openstackgerrit	OpenStack Proposal Bot proposed openstack/pycadf master: Updated from global requirements https://review.openstack.org/470137	22:02
openstackgerrit	OpenStack Proposal Bot proposed openstack/pycadf master: Updated from global requirements https://review.openstack.org/470137	22:03
*** dave-mccowan has joined #openstack-keystone		22:15
*** thorst has joined #openstack-keystone		22:24
*** dave-mccowan has quit IRC		22:24
*** thorst has quit IRC		22:29
*** itlinux has joined #openstack-keystone		22:33
*** itlinux has quit IRC		22:46
*** fried_rice is now known as efried		23:22
*** thorst has joined #openstack-keystone		23:27
*** thorst has quit IRC		23:38
*** thorst has joined #openstack-keystone		23:49
*** thorst has quit IRC		23:49

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!