Tuesday, 2018-06-19

*** lifeless_ has joined #openstack-keystone		00:05
*** lifeless has quit IRC		00:05
*** Dinesh_Bhor has joined #openstack-keystone		00:11
*** felipemonteiro has quit IRC		00:17
kmalloc	lbragstad: ugh, we have a linger hard-coded "admin_rquireD" check in keystone	00:51
*** felipemonteiro has joined #openstack-keystone		00:54
*** zxy has joined #openstack-keystone		00:59
*** yikun has joined #openstack-keystone		01:06
*** masber has joined #openstack-keystone		01:27
*** gyee has quit IRC		01:33
openstackgerrit	Merged openstack/keystone master: Unified limit update APIs Refactor https://review.openstack.org/559552	01:34
openstackgerrit	Merged openstack/keystone master: Imported Translations from Zanata https://review.openstack.org/575896	01:34
wxy	lbragstad: kmalloc: We had the Dragon Boat Festival in China yesterday. I'll complete the follow-up patch about PK today.	01:37
*** lifeless_ has quit IRC		01:43
*** lifeless has joined #openstack-keystone		01:45
openstackgerrit	wangxiyuan proposed openstack/keystone master: Api-ref: Refresh the Update APIs for limits https://review.openstack.org/569741	01:52
adriant	kmalloc: I tried once to read through the @protected code to figure out why something was doing a thing. It was terrifying.	01:52
kmalloc	wxy: sounds good, hope the festival was fun.	01:57
kmalloc	adriant: yeah, I'm re-writing the whole thing. It's terrible what we have now.	01:57
*** felipemonteiro has quit IRC		02:17
*** mvenesio has joined #openstack-keystone		02:21
*** liuzz has joined #openstack-keystone		02:27
*** felipemonteiro has joined #openstack-keystone		02:36
*** sapd_ has joined #openstack-keystone		02:48
*** sapd has quit IRC		02:48
*** blake has joined #openstack-keystone		02:57
*** david-lyle has joined #openstack-keystone		03:00
*** boris_42_ has quit IRC		03:04
*** david-lyle has quit IRC		03:09
*** mvenesio has quit IRC		03:11
*** itlinux has joined #openstack-keystone		03:15
*** felipemonteiro has quit IRC		03:23
*** felipemonteiro has joined #openstack-keystone		03:24
*** felipemonteiro has quit IRC		03:36
*** ykarel\|pto has joined #openstack-keystone		04:01
*** blake has quit IRC		04:03
*** blake has joined #openstack-keystone		04:04
*** germs has quit IRC		04:07
*** itlinux has quit IRC		04:09
*** ykarel\|pto is now known as ykarel		04:26
*** jaosorior has joined #openstack-keystone		04:32
*** pcichy_ has joined #openstack-keystone		04:55
*** pcichy has quit IRC		04:56
*** pcichy_ is now known as pcichy		04:56
*** AlexeyAbashkin has joined #openstack-keystone		05:01
*** markvoelker has quit IRC		05:01
*** sonuk_ has joined #openstack-keystone		05:05
*** sonuk has quit IRC		05:05
*** links has joined #openstack-keystone		05:33
*** AlexeyAbashkin has quit IRC		05:34
*** AlexeyAbashkin has joined #openstack-keystone		05:39
*** quiquell\|off is now known as quiquell\|rover		05:44
*** pcichy has quit IRC		05:49
*** josecastroleon has joined #openstack-keystone		05:49
*** lifeless has quit IRC		05:53
*** lifeless has joined #openstack-keystone		05:53
*** blake has quit IRC		06:02
*** AlexeyAbashkin has quit IRC		06:07
*** gongysh has joined #openstack-keystone		06:17
*** fiddletwix has quit IRC		06:28
*** fiddletwix has joined #openstack-keystone		06:28
*** ykarel_ has joined #openstack-keystone		06:33
*** ykarel has quit IRC		06:36
*** ykarel_ is now known as ykarel		06:36
*** ispp has joined #openstack-keystone		06:39
*** martinus__ has joined #openstack-keystone		06:40
*** felipemonteiro has joined #openstack-keystone		06:40
*** zxy has quit IRC		06:49
*** felipemonteiro has quit IRC		06:51
*** markvoelker has joined #openstack-keystone		07:01
*** tesseract has joined #openstack-keystone		07:02
*** rcernin has quit IRC		07:05
*** amoralej\|off is now known as amoralej		07:06
*** jmlowe has quit IRC		07:07
*** namnh has joined #openstack-keystone		07:28
*** blake has joined #openstack-keystone		07:28
*** tosky has joined #openstack-keystone		07:34
*** markvoelker has quit IRC		07:36
andreykurilin	hi folks! Can anyone help me to figure out why it happens at stable/pike? http://logs.openstack.org/82/575682/2/check/neutron-rally-neutron/64d4cab/logs/devstacklog.txt.gz#_2018-06-18_14_49_45_039	07:49
*** pcaruana has joined #openstack-keystone		07:50
openstackgerrit	wangxiyuan proposed openstack/keystone master: Add auto increase primary key for unified limit https://review.openstack.org/576025	08:01
wxy	andreykurilin: http://logs.openstack.org/82/575682/2/check/neutron-rally-neutron/64d4cab/logs/screen-keystone.txt.gz	08:03
wxy	andreykurilin: the oslo.config's version is less than 5.2.0	08:04
andreykurilin	wxy: oh...do not know how I missed it	08:04
andreykurilin	thanks	08:04
wxy	andreykurilin: :)	08:04
*** blake_ has joined #openstack-keystone		08:05
*** blake has quit IRC		08:08
*** blake_ has quit IRC		08:09
*** nicolasbock has joined #openstack-keystone		08:17
*** nicolasbock has quit IRC		08:24
*** AlexeyAbashkin has joined #openstack-keystone		08:25
*** lifeless has quit IRC		08:28
*** markvoelker has joined #openstack-keystone		08:33
*** jaosorior has quit IRC		08:49
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Added check to avoid keyerror "user['name']" https://review.openstack.org/576433	08:53
*** markvoelker has quit IRC		09:06
*** jaosorior has joined #openstack-keystone		09:15
frickler	andreykurilin: I talked about that with slaweq yesterday. from my analysis the main issue is that rally_openstack requires dependencies that are too new for stable/pike	09:17
frickler	andreykurilin: you also have a bug in your devstack plugin that hides the output from pip install here: http://logs.openstack.org/82/575682/2/check/neutron-rally-neutron/64d4cab/logs/devstacklog.txt.gz#_2018-06-18_14_49_13_402	09:18
*** liuzz has quit IRC		09:34
*** sonuk has joined #openstack-keystone		09:36
*** sonuk_ has quit IRC		09:39
*** Dinesh_Bhor has quit IRC		09:49
*** gongysh has quit IRC		09:55
*** markvoelker has joined #openstack-keystone		10:03
*** namnh has quit IRC		10:14
*** sonuk_ has joined #openstack-keystone		10:20
*** sonuk has quit IRC		10:23
*** annp has quit IRC		10:36
*** markvoelker has quit IRC		10:37
*** ykarel has quit IRC		10:56
*** ykarel has joined #openstack-keystone		10:56
*** slaweq has joined #openstack-keystone		10:59
slaweq	hi	10:59
slaweq	can someone from keystone team take a look at errors which we have in neutron-rally-job for stable/pike and stable/ocata branches: http://logs.openstack.org/51/576451/1/check/neutron-rally-neutron/e320b1f/logs/screen-keystone.txt.gz	11:00
slaweq	maybe You will quickly know from where this oslo.config>=5.2.0 comes from and how to fix it	11:00
*** links has quit IRC		11:06
*** lifeless has joined #openstack-keystone		11:19
openstackgerrit	wangxiyuan proposed openstack/keystone master: [WIP]Add auto increase primary key for unified limit https://review.openstack.org/576025	11:20
*** links has joined #openstack-keystone		11:22
*** lifeless has quit IRC		11:28
*** lifeless has joined #openstack-keystone		11:28
*** markvoelker has joined #openstack-keystone		11:34
*** links has quit IRC		11:39
*** quiquell\|rover is now known as quique\|rover\|lch		11:39
*** pcichy has joined #openstack-keystone		11:48
*** edmondsw has joined #openstack-keystone		11:50
*** amoralej is now known as amoralej\|lunch		11:57
*** markvoelker has quit IRC		12:01
*** markvoelker has joined #openstack-keystone		12:02
frickler	slaweq: as I said to andreykurilin earlier, rally installs newer packages that collide with stable/pike. they also hide the output of their pip install due to a bug here http://logs.openstack.org/51/576451/1/check/neutron-rally-neutron/e320b1f/logs/devstacklog.txt.gz#_2018-06-19_10_40_24_143	12:04
frickler	they execute "sudo pip install rally_openstack>=1.1.0" which results in the output landing in a file called "=1.1.0" instead of applying the version cap	12:05
andreykurilin	frickler: yup. you are right. I'm working on this. soon, there will be a fix	12:05
slaweq	frickler: yes, but I did small patch https://review.openstack.org/#/c/576451/ so rally should be installed in 0.10.1 version which has good requirements IMO	12:05
slaweq	and issue is still the same	12:05
*** quique\|rover\|lch is now known as quiquell\|rover		12:05
andreykurilin	hm..	12:05
*** links has joined #openstack-keystone		12:05
andreykurilin	slaweq: that patch doesn't work	12:07
andreykurilin	http://logs.openstack.org/51/576451/1/check/neutron-rally-neutron/e320b1f/logs/devstacklog.txt.gz#_2018-06-19_10_40_24_143	12:07
andreykurilin	it is still master branch	12:07
slaweq	andreykurilin: ahh, so it installs rally from pip instead of git repo	12:08
andreykurilin	slaweq: not exactly	12:08
andreykurilin	slaweq: neutron job triggers opentack/rally devstack plugin and it's installs a package via pip. It was introduced in master branch and was not released yet. installing rally != master should work, but it did not work in your patch. do not know why	12:09
frickler	slaweq: the branch tag on the enable_plugin has no effect if the repo already exists via required-projects	12:10
slaweq	frickler: so should I remove rally from required-projects in job definition?	12:10
*** raildo has joined #openstack-keystone		12:10
*** sonuk_ has quit IRC		12:12
openstackgerrit	wangxiyuan proposed openstack/keystone master: Add auto increase primary key for unified limit https://review.openstack.org/576025	12:12
frickler	slaweq: no, because devstack is not allowed to clone anything in that gate setup. I think you'd instead need to add the target branch here http://git.openstack.org/cgit/openstack/neutron/tree/.zuul.yaml?h=stable/pike#n79	12:12
andreykurilin	slaweq: https://docs.openstack.org/infra/zuul/user/config.html?highlight=secret#attr-job.required-projects.override-checkout	12:12
andreykurilin	replace `- openstack/rally` by `- {"name": "openstack/rally", "override-checkout": "0.12.1"}`	12:13
slaweq	thx andreykurilin and frickler I will try	12:13
slaweq	but should it be 0.12.1?	12:13
slaweq	isn't it too new?	12:13
andreykurilin	slaweq: no, it is not too new:)	12:15
slaweq	andreykurilin: are You sure? in 0.12.1 I see oslo.config>=5.1.0: https://github.com/openstack/rally/blob/0.12.1/requirements.txt#L12	12:16
andreykurilin	slaweq: I suppose devstack will install versions from u-c and since there is no `pip install` calls, nothing will be updated	12:17
slaweq	andreykurilin: ok, I will try 0.12.1 then	12:18
slaweq	andreykurilin: frickler thx a lot for help with this issue	12:20
andreykurilin	slaweq: sorry for introducing this issue. I did not expect that it can have such side-effect	12:21
slaweq	andreykurilin: no problem, it's normal :)	12:21
slaweq	but I think that other projects also might be affected, it's not only related to neutron	12:22
*** jmlowe has joined #openstack-keystone		12:23
*** d0ugal has quit IRC		12:24
*** jmlowe has quit IRC		12:27
*** jistr is now known as jistr\|mtg		12:28
openstackgerrit	wangxiyuan proposed openstack/keystone master: Add policy for limit model protection https://review.openstack.org/562714	12:28
openstackgerrit	wangxiyuan proposed openstack/keystone master: Implement enforcement model logic in Manager https://review.openstack.org/562715	12:28
openstackgerrit	wangxiyuan proposed openstack/keystone master: Expose endpoint to return enforcement model https://review.openstack.org/562716	12:28
openstackgerrit	wangxiyuan proposed openstack/keystone master: Strict two level hierarchical limit https://review.openstack.org/557696	12:28
*** jmlowe has joined #openstack-keystone		12:33
knikolla	o/	12:41
*** d0ugal has joined #openstack-keystone		12:44
*** amoralej\|lunch is now known as amoralej		12:52
*** mvenesio has joined #openstack-keystone		12:52
*** s10 has joined #openstack-keystone		13:01
*** devx is now known as DevX		13:16
*** links has quit IRC		13:22
ildikov	knikolla: hi	13:27
ildikov	knikolla: I asked about the OPNFV Edge Cloud meeting and this week it's in an alternate slot which is 0300 UTC on Thursday	13:28
ildikov	knikolla: it seems highly inconvenient for both of us, so I requested a slot for the meeting next week, which I believe is 1300 UTC on Wednesday	13:29
ildikov	knikolla: would that work for you next week?	13:29
knikolla	ildikov: hi	13:32
knikolla	yeah, 1300 UTC next week works for me	13:32
ildikov	knikolla: great, I will confirm it and will send you a calendar invite	13:32
ildikov	knikolla: the Edge Computing Group call for this week s in ~25 minutes, I will give a highlight on what we discussed yesterday and will see if anyone has bandwidth to join	13:33
ildikov	knikolla: the call details are here if you would be interested to dial in: https://wiki.openstack.org/wiki/Edge_Computing_Group#Meetings	13:33
ildikov	knikolla: not a must, I don't want to fully fill up your calendar :)	13:34
ildikov	knikolla: we're usually taking notes on IRC too: #edge-computing-group	13:34
knikolla	ildikov: thanks! but I can't make it today as I have to wrap up some things before an internal meeting.	13:36
knikolla	i'll be sure to check the notes	13:36
ildikov	no worries	13:36
ildikov	will ping you once I got a hold on a few people to work on this :)	13:37
*** jistr\|mtg is now known as jistr		13:42
*** blake has joined #openstack-keystone		13:59
*** spilla has joined #openstack-keystone		14:03
*** wxy\| has joined #openstack-keystone		14:06
*** jeremyfreudberg has joined #openstack-keystone		14:06
*** germs has joined #openstack-keystone		14:08
*** germs has quit IRC		14:08
*** germs has joined #openstack-keystone		14:08
*** spilla has quit IRC		14:08
*** spilla has joined #openstack-keystone		14:08
jeremyfreudberg	kmalloc / lbragstad: http://paste.openstack.org/raw/723829/ i just tried this on a fresh devstack, simple example for duplicated roles through trust	14:10
lbragstad	jeremyfreudberg: oh - cool	14:12
lbragstad	jeremyfreudberg: i'll see if i can recreate here in a minute	14:12
*** germs has quit IRC		14:15
*** felipemonteiro_ has joined #openstack-keystone		14:15
*** felipemonteiro__ has joined #openstack-keystone		14:17
*** felipemonteiro_ has quit IRC		14:21
*** germs has joined #openstack-keystone		14:22
*** mvk has quit IRC		14:24
*** germs has quit IRC		14:27
*** germs has joined #openstack-keystone		14:31
*** germs has quit IRC		14:31
*** germs has joined #openstack-keystone		14:31
*** quiquell\|rover is now known as quiquell\|off		14:35
kmalloc	jeremyfreudberg: nice.	14:35
*** paul122345 has joined #openstack-keystone		14:40
*** felipemonteiro__ has quit IRC		14:43
*** felipemonteiro has joined #openstack-keystone		14:49
*** biggles has joined #openstack-keystone		14:52
*** efried has joined #openstack-keystone		14:53
*** slaweq has quit IRC		14:53
*** biggles has quit IRC		14:53
efried	Good ugt morning folks. Is now a good time to propose a ksa release to include https://review.openstack.org/#/c/574784/ ?	14:55
*** nicolasbock has joined #openstack-keystone		14:56
lbragstad	efried: yeah - i think we can get around to one today or tomorrow, i'd like to get https://review.openstack.org/#/c/575685/	15:01
openstackgerrit	Jeremy Freudberg proposed openstack/keystone master: De-duplicate role list during trust creation https://review.openstack.org/576548	15:01
efried	lbragstad: Okay, sure. Would you like it to be 3.8.1 or 3.9.0?	15:01
efried	lbragstad: Hm, that patch won't show up in the release. But meh, in the tag; and I'm in no special hurry.	15:02
lbragstad	3.9.0? since it's add a new kwarg?	15:03
efried	wfm	15:03
efried	I'll keep an eye on that other patch and roll one for the release once I see it merge.	15:03
lbragstad	efried: thanks	15:03
lbragstad	jeremyfreudberg: i just recreated that bug	15:03
*** paul122345 has quit IRC		15:04
lbragstad	jeremyfreudberg: but i saw ['reader', 'member', 'reader'] in the list of roles returned, is that consistent with what you saw?	15:04
jeremyfreudberg	lbragstad: yes	15:05
lbragstad	jeremyfreudberg: it looks like we can probably add a test to keystone/tests/unit/test_v3_auth.py	15:11
lbragstad	there is a test class in there for trust specific behavior that'd be a good home for something like this i think	15:11
ayoung	kmalloc, lbragstad I want to add a "Token" service to the service catalog	15:11
kmalloc	ayoung: and what is this "Token" service?	15:11
ayoung	if you go to the auth_url, you get an unscoped token with a service catalog with only the token service in it	15:12
ayoung	and that is what you use to convert an unscoped token to a scoped one	15:12
lbragstad	jeremyfreudberg: https://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/unit/test_v3_auth.py#n3767	15:12
ayoung	it lets us break the auth-url off the implicit knowledge that this is the keystone server	15:12
kmalloc	do we even need that? i mean.. can we just offer an endpoint that is the catalog without a token?	15:12
ayoung	kmalloc, same thing	15:13
kmalloc	except you needed auth-url to get the unscoped token	15:13
lbragstad	jamielennox: was working on that	15:13
ayoung	if we do the catalog without the token, we need to give people a place to get a token	15:13
lbragstad	he wanted to add a catalog with just the identity endpoint for unscoped tokens	15:13
ayoung	right, all you need is auth_url but Horizon uses that to do other keystoney things	15:13
kmalloc	which we can encode (don't call it "token", call it "auth" or identity-auth)	15:13
ayoung	I want to be able to add additional auth_urls per IdP	15:13
kmalloc	this comes back to my desire to split auth and catalog from the /v3 suburl	15:14
kmalloc	for much the same reason. it could be promoted to it's own endpoint	15:14
ayoung	the assumption is that you go to the Auth_url with the federated identity mechanism. Token would only accept unscoped and issue scoped tokens	15:14
ayoung	right	15:14
kmalloc	anyway, i prefer a "you can get a catalog without a token" and "here is where you auth"	15:14
kmalloc	vs "i have an unscoped token with just a token-endpoint"	15:14
ayoung	kmalloc, works for me	15:14
kmalloc	but tl;dr ++	15:15
kmalloc	and i'll bikeshed on name later ;)	15:15
ayoung	"here is where you auth" gives back a small catalog which only points to the catalog service and the token service	15:15
kmalloc	(paint it chartreuse_	15:15
ayoung	I like Chartreuse. ++2A	15:16
ayoung	thing is, token service is read only	15:16
ayoung	I want to split the read parts of keystone from the write portions	15:16
ayoung	catalog endpoint is readonly too	15:16
kmalloc	you mean it is POST/GET only	15:17
kmalloc	for tokens	15:17
ayoung	right	15:17
kmalloc	not "CRUD FOR OTHER THINGS"	15:17
ayoung	from a DB perspective, it is readonly.	15:17
lbragstad	you can revoke tokens	15:17
kmalloc	^	15:17
kmalloc	well...	15:17
ayoung	lbragstad, kill that, too	15:17
kmalloc	no you can't	15:17
kmalloc	revoke api never was properly exposed	15:17
ayoung	kmalloc, can be done via a different service	15:17
kmalloc	delete sortof worked.	15:17
*** r-daneel has joined #openstack-keystone		15:18
kmalloc	anyway, uh, this is a major reason i wanted /auth vs /v3/auth	15:18
kmalloc	so we could do things like this	15:18
ayoung	++	15:18
kmalloc	because we can't break /v3/auth	15:18
lbragstad	POST /v3/auth/tokens {X-Auth-Token: $GOOD_TOKEN} {X-Subject-Token: $BAD_TOKEN} writes a revocation event	15:18
kmalloc	but we can change how auth works under /auth to support such things	15:18
lbragstad	s/POST/DELETE/	15:19
kmalloc	lbragstad: ah	15:19
kmalloc	ayoung: for your work on @protected you just split out some of the check_protection wrapper bits, right?	15:27
kmalloc	ayoung: i am going to re-write the enforcer from the ground up in flask, but i wanted to make sure i knew what you were doing.	15:28
*** jeremyfreudberg has quit IRC		15:28
*** pcaruana has quit IRC		15:29
kmalloc	lbragstad: just talked with dhellman and turns out any place we do msg = _(<message>) then pass that to logger and then raise an exception is wrong	15:30
kmalloc	lbragstad: we should be duplicating the string and pass the untranslated bit to logger	15:30
kmalloc	and the translated version to the exception.	15:30
lbragstad	ah	15:30
kmalloc	we have a LOT of cleanup on that front to do	15:30
lbragstad	yeah...	15:30
lbragstad	we should open a bug	15:31
lbragstad	that would be good lhf	15:31
kmalloc	it's mostly busy work, i'll open a bug and target R-3/RC	15:31
*** felipemonteiro has quit IRC		15:31
*** felipemonteiro has joined #openstack-keystone		15:32
kmalloc	lbragstad: https://bugs.launchpad.net/keystone/+bug/1777671	15:33
openstack	Launchpad bug 1777671 in OpenStack Identity (keystone) "Incorrect use of translation _()" [Medium,Triaged]	15:33
*** wxy\|_ has joined #openstack-keystone		15:38
*** wxy\| has quit IRC		15:39
openstackgerrit	wangxiyuan proposed openstack/keystone master: [WIP]Add auto increase primary key for unified limit https://review.openstack.org/576025	15:41
*** dklyle has joined #openstack-keystone		15:41
*** ispp has quit IRC		15:41
*** fiddletwix has quit IRC		15:41
*** felipemonteiro has quit IRC		15:42
*** ykarel is now known as ykarel\|away		15:43
*** felipemonteiro has joined #openstack-keystone		15:44
*** dklyle has quit IRC		15:46
*** felipemonteiro has quit IRC		15:51
*** felipemonteiro has joined #openstack-keystone		15:51
*** belmoreira has quit IRC		15:53
*** ykarel\|away has quit IRC		15:54
*** asteroide has joined #openstack-keystone		15:59
*** asteroide has quit IRC		16:00
lbragstad	kmalloc: keystone meeting?	16:02
*** dklyle has joined #openstack-keystone		16:11
*** knikolla has quit IRC		16:19
*** felipemonteiro has quit IRC		16:26
*** felipemonteiro has joined #openstack-keystone		16:31
gagehugo	lbragstad I can take a swing at the documentation for case-insensitivity/what keystone expects	16:38
lbragstad	ok	16:38
*** blake has quit IRC		16:43
*** blake has joined #openstack-keystone		16:43
*** gyee has joined #openstack-keystone		16:46
*** blake has quit IRC		16:48
*** s10 has quit IRC		16:49
*** AlexeyAbashkin has quit IRC		16:52
*** blake has joined #openstack-keystone		16:54
*** knikolla has joined #openstack-keystone		16:55
*** blake has quit IRC		16:55
*** blake has joined #openstack-keystone		16:55
*** felipemonteiro has quit IRC		16:56
*** blake has quit IRC		17:00
hrybacki	have to run to a lunch appt -- bbiab!	17:00
* cmurphy afk		17:00
lbragstad	#startmeeting keystone-office-hours	17:01
openstack	Meeting started Tue Jun 19 17:01:03 2018 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.	17:01
openstack	Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.	17:01
openstack	The meeting name has been set to 'keystone_office_hours'	17:01
*** homeski has quit IRC		17:01
kmalloc	lookit i spy a gyee	17:01
*** homeski has joined #openstack-keystone		17:01
lbragstad	stepping away to grab lunch real quick and i'll back back to talk about migration options	17:02
gyee	kmalloc, IRC is my source of enlightenment :-)	17:03
wxy\|_	I'll review the IRC log tomorrow. Then the patch will be ready tomorrow I think.	17:03
*** wxy\|_ has quit IRC		17:04
*** pcaruana has joined #openstack-keystone		17:05
*** blake has joined #openstack-keystone		17:06
*** felipemonteiro has joined #openstack-keystone		17:07
*** tesseract has quit IRC		17:08
*** felipemonteiro has quit IRC		17:08
*** lifeless_ has joined #openstack-keystone		17:12
*** lifeless has quit IRC		17:12
ildikov	knikolla: cmurphy: there's a thread on the Edge ML on Keystone architectures which touches on federation	17:20
ildikov	knikolla: cmurphy: is either of you subscribed to that ML and could chime in?	17:21
ildikov	lbragstad: kmalloc: the question applies to you too in case you're interested ^^	17:21
* cmurphy resubscribes		17:30
lbragstad	thanks wxy	17:34
*** r-daneel has quit IRC		17:37
*** jeremyfreudberg has joined #openstack-keystone		17:47
*** jeremyfreudberg has quit IRC		17:48
*** boris_42_ has joined #openstack-keystone		17:52
*** amoralej is now known as amoralej\|off		17:53
*** dklyle has quit IRC		18:10
lbragstad	http://lists.openstack.org/pipermail/openstack-dev/2018-June/131630.html	18:12
hrybacki	lbragstad++	18:15
*** dklyle has joined #openstack-keystone		18:32
*** jeremyfreudberg has joined #openstack-keystone		18:51
openstackgerrit	Jeremy Freudberg proposed openstack/keystone master: Expose duplicate role names bug in trusts https://review.openstack.org/576610	18:54
openstackgerrit	Jeremy Freudberg proposed openstack/keystone master: Fix duplicate role names in trusts bug https://review.openstack.org/576611	18:54
jeremyfreudberg	^ lbragstad, kmalloc: there it is	18:55
*** r-daneel has joined #openstack-keystone		19:00
lbragstad	jeremyfreudberg: awesome	19:03
lbragstad	kmalloc: lemme know when you free to continue to migration stuff	19:03
lbragstad	(caught up in TC scrollback)	19:04
*** r-daneel_ has joined #openstack-keystone		19:05
*** r-daneel has quit IRC		19:05
*** r-daneel_ is now known as r-daneel		19:05
*** r-daneel_ has joined #openstack-keystone		19:13
*** r-daneel has quit IRC		19:14
*** r-daneel_ is now known as r-daneel		19:14
*** felipemonteiro has joined #openstack-keystone		19:14
*** AlexeyAbashkin has joined #openstack-keystone		19:26
*** AlexeyAbashkin has quit IRC		19:37
kmalloc	lbragstad: i am	19:38
kmalloc	lbragstad: landlords just left (and I have 2 more errands to run today but they can wait)	19:38
kmalloc	need to get the AC from the storage unit and a 2nd one for my office.	19:38
openstackgerrit	Merged openstack/keystoneauth master: Add minimum version for requirements https://review.openstack.org/575685	19:39
kmalloc	lbragstad: we need to fix @wip to be smarter	19:39
kmalloc	lbragstad: i want it to handle explicit "what kind of error ot expect"	19:39
kmalloc	not just "an error"	19:39
kmalloc	jeremyfreudberg: OH it's trust with implied roles that get expanded	19:40
kmalloc	jeremyfreudberg: thats... wow.	19:40
kmalloc	jeremyfreudberg: nice catch	19:40
kmalloc	lbragstad: because i dislike that @wip doesn't lock us into a specific error. what if we change something and the error case changes... thats bad =/	19:41
*** blake has quit IRC		19:41
*** blake has joined #openstack-keystone		19:42
jeremyfreudberg	kmalloc: happy to help. since my newest patch prevents keystone from shooting itself in the foot, do you think we even need https://review.openstack.org/#/c/576548 (which covers up the foot shooting)	19:43
kmalloc	nah, we don't need it. it isn't a bad case to use suspenders and a belt though :P	19:43
*** blake has quit IRC		19:47
*** aojea has joined #openstack-keystone		19:48
lbragstad	jeremyfreudberg: was that the cause of your issue in sahara?	19:53
jeremyfreudberg	lbragstad: yes, this bug was the only cause (the case sensitivity stuff did NOT affect us)	19:53
lbragstad	so sahara was affected by duplicate role names in the token response?	19:54
lbragstad	strange	19:54
openstackgerrit	Ben Nemec proposed openstack/oslo.policy master: Avoid redundant policy syntax checks https://review.openstack.org/511426	19:57
jeremyfreudberg	lbragstad: yes, because the token which had duplicate role names was used to create a second trust (in heat)	19:57
lbragstad	oh - so sahara was pulling that list, which included duplicates, and then put them in a request to build a new trust, which broken	19:58
lbragstad	broke8	19:58
lbragstad	/me sigh	19:58
lbragstad	broke*	19:58
jeremyfreudberg	correct	19:58
*** dklyle has quit IRC		20:00
efried	lbragstad, kmalloc, mordred: https://review.openstack.org/576634 Release keystoneauth 3.9.0	20:03
* efried hopes that was done correctly, been a while		20:03
kmalloc	efried: looks good to me	20:04
lbragstad	jeremyfreudberg: i assume you already have a patch that corrects that behavior in sahara?	20:04
jeremyfreudberg	lbragstad: no, because it's all tied up in how sahara and heat interact	20:05
jeremyfreudberg	sahara passes a token to heat which just so happens to have this problem, and heat tries to create a trust with it	20:05
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Add Flask-RESTful as a requirement https://review.openstack.org/574414	20:07
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Implement scaffolding for Flask-RESTful use https://review.openstack.org/574415	20:08
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Keystone adheres to public_endpoint opt only https://review.openstack.org/574502	20:08
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Convert json_home and version discovery to Flask https://review.openstack.org/574736	20:08
tosky	the tl;dr version is that it's usually not sahara's fault, and that if sahara with the integration for all components works, then OpenStack works	20:09
* tosky runs :)		20:09
kmalloc	lbragstad: ^ did I get the minimum bit added ok on 574414?	20:11
lbragstad	this is the start of a bug fix if anyone is interested in reviewing - https://review.openstack.org/#/c/562714/	20:11
lbragstad	kmalloc: looks ok to me	20:11
*** felipemonteiro has quit IRC		20:17
kmalloc	lbragstad: migrations?	20:17
lbragstad	sure	20:17
lbragstad	so - would we be able to take the traditional path for the migration?	20:19
lbragstad	create new table with correct schema, migrate data, drop old table?	20:19
kmalloc	probably	20:20
kmalloc	it is likely to be a headache, because you have to do a lot of heavy lifting to determine which registered limit to FK to	20:20
kmalloc	because name is non-unique	20:21
kmalloc	so its, (name, service[, region]) for each migration to figure out what to FK to	20:21
*** felipemonteiro has joined #openstack-keystone		20:22
lbragstad	name as in service name?	20:22
lbragstad	no, you mean resource_name	20:23
kmalloc	resource_name	20:23
kmalloc	yeah	20:23
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Add support for before and after request functions https://review.openstack.org/576637	20:23
*** felipemonteiro has quit IRC		20:26
lbragstad	hmm	20:27
*** jeremyfreudberg has left #openstack-keystone		20:27
*** jeremyfreudberg has quit IRC		20:27
hrybacki	lbragstad: question regarding DocumentedRuleDefaults	20:29
*** pcaruana has quit IRC		20:29
hrybacki	so, what was the intended purpose of the description field?	20:29
hrybacki	I ask because Barbican uses the same rule for multiple parts of the API with similar but not the same purpose	20:29
*** spilla has quit IRC		20:30
lbragstad	it's to describe the API in human terms as opposed to just being POST /v3/users	20:30
lbragstad	you could say description='Create a new user'	20:30
hrybacki	right. I'm wondering if moving the description /into/ the operations dict might be useful	20:30
*** felipemonteiro has joined #openstack-keystone		20:30
hrybacki	example: https://docs.openstack.org/barbican/latest/api/reference/secret_metadata.html#put-v1-secrets-uuid-metadata-key and https://docs.openstack.org/barbican/latest/api/reference/secret_metadata.html#put-v1-secrets-uuid-metadata	20:31
hrybacki	utilize the same rule	20:31
hrybacki	but server different functions. We could 1) abstract the description to something that fits both 2) cover one but not the other 3) change DocumentedRuleDefault to handle description at the operation level	20:32
hrybacki	I'm guessing they aren't the only ones using the same rule for similar but different apis	20:33
*** mvenesio has quit IRC		20:34
*** mvenesio_ has joined #openstack-keystone		20:34
lbragstad	i'm not quite understanding i don't think	20:34
lbragstad	is the problem that they use the same rule to protect the policy?	20:35
*** felipemonteiro has quit IRC		20:36
hrybacki	lbragstad: lemme submit a PS and show you	20:38
hrybacki	gimmie 5, wrapping up this one controller	20:38
hrybacki	okay lbragstad: so for their secretmeta controller they have two endpoints: /v1/secrets/{secret-id}/metadata and /v1/secrets/{secret-id}/metadata/{key-id}	20:45
hrybacki	https://review.openstack.org/#/c/575218/8/barbican/common/policies/secretmeta.py	20:45
hrybacki	four rules, with 6 actions	20:45
*** felipemonteiro has joined #openstack-keystone		20:45
hrybacki	secret_meta:put and secret_meta:get rules are used in both endpoints	20:45
hrybacki	similar actions but not the same. However the way that they have laid out their poicy makes a single description field hard to use imo	20:46
lbragstad	oh	20:46
hrybacki	unless I'm being too verbose	20:46
hrybacki	yeah. and if they did it, you know others did too	20:46
hrybacki	I'm taking notes on re-occuring patterns	20:46
*** spilla has joined #openstack-keystone		20:46
lbragstad	so - in that case, is there anything stopping barbican from creating a new policy for other of those endpoints?	20:47
hrybacki	lbragstad: not that I am aware of	20:47
lbragstad	you can keep the policy value/check_str the same	20:47
hrybacki	other than they don't want to make any 'policy changes' in Rocky	20:47
*** edmondsw has quit IRC		20:47
lbragstad	breaking them apart would let you be more descriptive about each policy since it's making each more specific	20:48
hrybacki	right. I'll make a note of that	20:48
hrybacki	lbragstad: I've been using https://wiki.openstack.org/wiki/Barbican/Policy to help me track this	20:49
hrybacki	and expanding it quite a bit	20:49
hrybacki	do we have anything akin to this in keystone?	20:49
lbragstad	then you'd just change the barbican code to enforce one of the endpoint on the new policy	20:49
* hrybacki nods		20:49
lbragstad	we haven't used a wiki in ages	20:49
hrybacki	ack	20:49
lbragstad	if an operator overrides the default	20:49
lbragstad	it can be aliased	20:49
lbragstad	https://docs.openstack.org/oslo.policy/queens/reference/api/oslo_policy.policy.html#oslo_policy.policy.DeprecatedRule	20:50
lbragstad	I wrote up an example in there - but you might not need something that involved	20:50
hrybacki	oh that's nice lbragstad	20:51
hrybacki	they do have a decprecated api	20:51
lbragstad	i wrote an example of breaking a policy into more granular policies https://docs.openstack.org/oslo.policy/queens/reference/api/oslo_policy.policy.html#oslo_policy.policy.DocumentedRuleDefault	20:51
lbragstad	its the example right above ^	20:51
* hrybacki nods		20:51
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Implement base for new RBAC Enforcer https://review.openstack.org/576639	20:52
openstackgerrit	Gage Hugo proposed openstack/keystone master: WIP Add docs for case-insensitivity in keystone https://review.openstack.org/576640	20:53
lbragstad	kmalloc: pulling down the client patches quick for limits and checking some existing constraints	20:56
*** martinus__ has quit IRC		20:57
kmalloc	okie	20:58
kmalloc	lbragstad: ... i hate our enforcement model	20:58
kmalloc	it's such a PITA to work with	20:58
kmalloc	i think i almost have it working without decorators.	20:58
lbragstad	?	20:58
lbragstad	oh... @controller.protected?	20:59
kmalloc	yeah	20:59
kmalloc	https://review.openstack.org/#/c/576639/	20:59
kmalloc	see	20:59
kmalloc	it's starting to come together in a much cleaner way	20:59
kmalloc	all methods on flask dispatched requests will have an "after request" check to ensure enforcement was called	21:00
kmalloc	and in the method it is the responsibility of the contributor to do "<new_enforcer>.enforce_call(<args>)	21:01
kmalloc	which will do a lot of the magic @protected does now.	21:01
kmalloc	but eliminates all the stupid callback bits.	21:01
*** felipemonteiro has quit IRC		21:02
lbragstad	http://paste.openstack.org/raw/723860/	21:04
lbragstad	so - for the migration	21:04
lbragstad	1.) create a new table called limits	21:04
kmalloc	ok	21:04
lbragstad	that has the correct schema, FK relationship	21:05
*** r-daneel has quit IRC		21:06
kmalloc	yes	21:06
kmalloc	and the new model object that is smarter/loads the right things.	21:06
*** r-daneel has joined #openstack-keystone		21:06
lbragstad	2.) for every limit, check the limit.resource_name, limit.service_id, limit.region_id (if applicable)	21:06
lbragstad	use those values to query the registered limit table	21:07
lbragstad	finding the id of the registered limit those values apply to	21:07
lbragstad	and update the limit.registered_limit_id to the registered limit id of that query	21:07
kmalloc	yes.	21:08
lbragstad	hmmm	21:09
lbragstad	could this be done without another table?	21:09
lbragstad	what if step 1 is just adding a new column for limit.registered_limit_id	21:09
lbragstad	?	21:09
kmalloc	well, we are already doing a pivot for the PK change	21:11
*** raildo has quit IRC		21:11
lbragstad	is that being done on the limit table though?	21:11
kmalloc	yah	21:11
kmalloc	on both	21:11
lbragstad	or the registered limit table?	21:11
lbragstad	oh	21:11
lbragstad	https://etherpad.openstack.org/p/keystone-unified-limit-migration-notepad	21:12
kmalloc	oh holy crap we're adding more triggers	21:12
* kmalloc is going to cry		21:12
* lbragstad pumps brakes		21:12
kmalloc	we need to stop adding triggers in mysql migrations	21:12
kmalloc	they are terrifying and horrible	21:12
kmalloc	https://review.openstack.org/#/c/576025/5/keystone/common/sql/expand_repo/versions/046_expand_update_pk_for_unified_limit.py	21:13
lbragstad	hold up, if we're able to isolate the migrations a bit, and do one of the in place, we might not have to deal with the triggers bit (since we're not creating a new table)	21:13
kmalloc	and ultimately just cause tears	21:13
kmalloc	the PK change is going to need to be new tables	21:14
kmalloc	i pretty much want to -2 that for the trigger reason only	21:14
kmalloc	triggers should never have been used	21:14
lbragstad	ok - let's try and write down the changes we need	21:14
lbragstad	https://etherpad.openstack.org/p/keystone-unified-limit-migration-notepad	21:14
kmalloc	they are a terrible choice and are very very hard to debug.	21:14
lbragstad	and then see if we can break up the migrations to be a bit easier	21:14
knikolla	lbragstad, kmalloc: i'm undecided on a review as to what score to give and what is considerent nitpicking or not. would be helpful to get your opinion	21:18
lbragstad	knikolla: what's up?	21:18
knikolla	https://review.openstack.org/#/c/538371/6/keystone/tests/unit/limit/test_backends.py	21:18
*** mvenesio_ has quit IRC		21:18
knikolla	the test correctly tests deletion of the limits, but it doesn't test that it didn't delete limits of other projects	21:19
knikolla	the WHERE part of the sql query.	21:19
lbragstad	oh - that seems like it would be a sane test case	21:21
lbragstad	if not in that patch, at least in a follow on	21:22
knikolla	lbragstad: alright. didn't want to look like I was nitpicking.	21:24
cmurphy	i think it's worthwhile to consider the author - wxy is always responsive to feedback and isn't going to be discouraged by constructive criticism	21:25
lbragstad	++	21:25
kmalloc	nit picking: This is a bad way to do X, please reimplement stylistically different -- or "your verbiage is not accurate".	21:25
kmalloc	"This needs an expanded test case like FOO" - not nit picking	21:26
kmalloc	and very reasonable	21:26
kmalloc	esp. for someone like wxy who gets it's not personal and is super responsive	21:26
lbragstad	knikolla: are you asking because of the ml culture change thread?	21:26
knikolla	lbragstad: yes, in part.	21:27
kmalloc	advocating for further testing... is not nitpicking. you could easily also say "this can be a followup" and/or take on that followup yourself	21:29
knikolla	++	21:30
knikolla	just felt I should get some feedback first before I give feedback.	21:30
knikolla	thanks!	21:31
kmalloc	knikolla: also if you see my style of review where i say [NIT] <item>	21:32
kmalloc	it helps clarify what you think is a trivial thing	21:33
kmalloc	often i might have a review with 10+ nits but still +2	21:33
kmalloc	all nits can be fixed down the line.	21:33
knikolla	kmalloc: agree. most of my undecisiviness was in the score between +1/+2	21:33
kmalloc	often +1 "everything looks good, but i have a serious question that needs answering, aka "what happens when X""	21:34
kmalloc	imo	21:34
kmalloc	(from a core)	21:34
kmalloc	i avoid no-score because it seems like those get lost	21:34
kmalloc	so -1 = hey, I have a concern this might not do waht you want... or there is just no testing	21:34
lbragstad	i've been trying to do more no scores that i have in the past, but yeah... they are harder to see	21:35
lbragstad	unless i'm parsing emails from gerrit	21:35
knikolla	++	21:35
kmalloc	+1 = looks good, but expand [in the review, not even a patchset] on what i need answered	21:35
*** nicolasbock has quit IRC		21:35
kmalloc	+2 = anything nits only or close enough that it wont cause issues	21:35
knikolla	that helps	21:35
kmalloc	-2 = "not just no, awwww heck no, but here is why we can't do it"	21:35
kmalloc	i used to no-score anything that i just had questions about, vs +1,	21:36
*** mchlumsky has quit IRC		21:39
*** aojea has quit IRC		21:41
*** blake has joined #openstack-keystone		21:42
*** tellesnobrega has quit IRC		21:42
*** tellesnobrega has joined #openstack-keystone		21:43
lbragstad	kmalloc: rewrote the proposed migration without triggers	21:51
kmalloc	looking	21:52
kmalloc	yep.	21:52
kmalloc	that would be my preference.	21:52
kmalloc	but that sums up the alternative	21:52
lbragstad	so - that is going to require the database model to be cluttered for a release	21:53
kmalloc	yes, it does.	21:53
lbragstad	does it also mean we have to run keystone at a specific version for a certain amount of time before moving to the next release?	21:53
lbragstad	nova had an issue with that with one of their migrations in the past i think, but there wasn't much they could do about it	21:54
kmalloc	no.	21:54
kmalloc	if you run migrate_data in Rocky, which we use to setup the FK, in stein we just stop referencing the old column.	21:55
kmalloc	and we can drop it from the model and have a contract migration	21:55
kmalloc	that drops the actual column	21:55
lbragstad	what if i'm on Queens	21:55
lbragstad	i upgrade to rocky	21:55
lbragstad	and the immediately upgrade to Stein	21:55
lbragstad	(ff upgrades)	21:55
kmalloc	do we support upgrading to rocky and then to stien without running data_migrate?	21:55
kmalloc	because it seems like i keep getting a different answer on this	21:56
lbragstad	no - i think running data migrate is required	21:56
kmalloc	then data migrate moves the data (fk) and stien doesn't care about old code.	21:56
kmalloc	and old columns	21:56
lbragstad	when the nodes are down	21:56
kmalloc	stien contract removes that old column	21:57
lbragstad	yep	21:57
* lbragstad ventures into edge case land		21:57
lbragstad	let's say i do all this without downtime	21:57
kmalloc	we are going to have to do a nullable allowed for the extra columns	21:57
kmalloc	in rocky.	21:57
kmalloc	because stien may or may not know about the columns	21:57
lbragstad	and a limit gets updated/created in the rocky migration	21:57
lbragstad	so the limit.registered_limit_id of that entry isn't populated	21:58
kmalloc	right so	21:58
lbragstad	and then i upgrade to stein	21:58
kmalloc	in rocky, registered_limit_id is nullable	21:58
kmalloc	in rocky service_id, resource_name, region_id are all nullable	21:58
kmalloc	(code enforcement on if they are populated)	21:58
kmalloc	in stien we drop service_id, resource_name, region_id, and make registered_limit_id not nullable	21:59
kmalloc	stein*	21:59
*** lifeless has joined #openstack-keystone		21:59
*** lifeless_ has quit IRC		21:59
lbragstad	what happens if a limit sneaks in after the migration in rocky has been run to populate limit.registered_limit_ids?	22:00
lbragstad	on an older node?	22:00
lbragstad	like a Queens node accepts the POST /v3/limits requests	22:00
kmalloc	isn't migrate done when all nodes are rocky?	22:01
lbragstad	nope	22:01
kmalloc	facepalm	22:01
lbragstad	https://docs.openstack.org/keystone/latest/admin/identity-upgrading.html	22:01
kmalloc	we should fix that	22:01
kmalloc	that is bad.	22:01
lbragstad	how do we fix that though?	22:01
lbragstad	you need a place to transition things?	22:01
kmalloc	migrate happens once all nodes are on new code	22:01
kmalloc	data-migration	22:01
kmalloc	expand, upgrade code, migrate data, contract	22:01
kmalloc	code can run in n-1 scenario	22:01
kmalloc	for the schema	22:02
lbragstad	but can you run new code if the data hasn't been migrated yet?	22:02
kmalloc	app code is smart	22:02
lbragstad	mmm i know where this is going	22:02
lbragstad	you're going to make new code check all the places	22:02
kmalloc	lbragstad: https://github.com/openstack/keystone/blob/03a616d1bf5715ac74756f2cb3aec1f09352de81/keystone/identity/backends/sql_model.py#L104-L112	22:02
kmalloc	as an example	22:03
kmalloc	password_hash is the new column	22:03
kmalloc	password is the old	22:03
kmalloc	check for the new, if not there, do the thing with the old	22:03
kmalloc	writes write to both locations [in password case, because of security, we had a config option for that]	22:03
kmalloc	this is not security related, so you can just blindly write to both locations with the relevant data	22:04
kmalloc	migrate is run when the code is 100% on <new>	22:04
lbragstad	yeah	22:05
*** jrist has quit IRC		22:05
lbragstad	another vesrion of that would be to have the new code check the old location	22:05
lbragstad	and make things consistent	22:05
kmalloc	except you still need to make sure in Stein all data is in the new place	22:06
lbragstad	which would allow you to have old and new nodes running during migrateion	22:06
kmalloc	in rocky, code does look in both places	22:06
lbragstad	yep	22:06
kmalloc	but migrate still has to occur.	22:06
lbragstad	mmmm	22:07
lbragstad	damn	22:07
lbragstad	nevermind	22:07
lbragstad	fi - data problems are hard	22:07
*** r-daneel has quit IRC		22:07
kmalloc	yep	22:08
openstackgerrit	Merged openstack/keystone master: Add policy for limit model protection https://review.openstack.org/562714	22:10
*** rcernin has joined #openstack-keystone		22:12
*** r-daneel has joined #openstack-keystone		22:16
lbragstad	that's going to be a total pain	22:18
lbragstad	we're going to either need to change our upgrade process to make operators get all nodes on the new release before running migrate... or we break our rules and perform the migration in contract	22:19
*** blake has quit IRC		22:19
*** blake has joined #openstack-keystone		22:20
kmalloc	i've done that a couple times	22:23
kmalloc	because it was the only way to avoid breaking rules	22:23
kmalloc	it sucked	22:23
lbragstad	if i think about it, it would easier to do that then change our upgrade process which likely breaks upgrade automation for operators :(	22:23
*** blake has quit IRC		22:24
kmalloc	we should still change our upgrade process	22:24
kmalloc	even if it isn't this cycle	22:25
kmalloc	telegraph "we're changing to X"	22:25
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Migrate all password hashes to the new location if needed https://review.openstack.org/576660	22:29
kmalloc	lbragstad: ^ should be an easy review	22:29
lbragstad	ack	22:29
kmalloc	lbragstad: that does the lifting of moving password to password_hash if password_hash is none [cleanup]	22:30
kmalloc	and then in S, we can contract and drop the password.password column	22:30
*** mvenesio has joined #openstack-keystone		22:30
kmalloc	:)	22:30
kmalloc	local test succeeded, we'll see what zuul says	22:30
*** felipemonteiro has joined #openstack-keystone		22:42
*** dklyle has joined #openstack-keystone		22:43
*** spilla has quit IRC		22:43
*** david-lyle has joined #openstack-keystone		22:45
*** blake has joined #openstack-keystone		22:52
*** david-lyle has quit IRC		23:04
lbragstad	attempted to summarize the migrations https://etherpad.openstack.org/p/keystone-unified-limit-migration-notepad	23:05
*** felipemonteiro has quit IRC		23:12
*** felipemonteiro has joined #openstack-keystone		23:13
*** jmlowe_ has joined #openstack-keystone		23:14
*** jmlowe has quit IRC		23:15
*** boris_42_ has quit IRC		23:21
*** r-daneel has quit IRC		23:37
*** lifeless_ has joined #openstack-keystone		23:41
*** lifeless has quit IRC		23:42
*** tosky has quit IRC		23:45
*** r-daneel has joined #openstack-keystone		23:50
*** r-daneel has quit IRC		23:51

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!