| *** gyee has quit IRC | 00:45 | |
| *** markvoelker has quit IRC | 00:54 | |
| *** markvoelker has joined #openstack-keystone | 00:54 | |
| *** lbragstad has quit IRC | 00:59 | |
| *** markvoelker has quit IRC | 00:59 | |
| *** lbragstad has joined #openstack-keystone | 01:08 | |
| *** ChanServ sets mode: +o lbragstad | 01:08 | |
| *** lbragstad has quit IRC | 01:09 | |
| *** sayalilunkad has quit IRC | 01:23 | |
| *** sayalilunkad has joined #openstack-keystone | 01:28 | |
| *** dave-mccowan has quit IRC | 01:41 | |
| openstackgerrit | wangxiyuan proposed openstack/keystone master: Invalidate shadow_federated_user cache when deleting protocol https://review.openstack.org/628132 | 01:46 |
|---|---|---|
| *** dave-mccowan has joined #openstack-keystone | 01:48 | |
| *** szaher has quit IRC | 01:51 | |
| *** markvoelker has joined #openstack-keystone | 01:55 | |
| *** mhen has quit IRC | 02:05 | |
| *** mhen has joined #openstack-keystone | 02:06 | |
| *** erus has quit IRC | 02:13 | |
| *** markvoelker has quit IRC | 02:46 | |
| *** markvoelker has joined #openstack-keystone | 02:46 | |
| *** lifeless has joined #openstack-keystone | 03:10 | |
| *** cfriesen has quit IRC | 03:36 | |
| *** erus has joined #openstack-keystone | 03:44 | |
| *** shyamb has joined #openstack-keystone | 03:59 | |
| *** sapd1_ has quit IRC | 04:12 | |
| *** sapd1__ has joined #openstack-keystone | 04:12 | |
| *** shyamb has quit IRC | 04:14 | |
| *** dave-mccowan has quit IRC | 04:25 | |
| *** whoami-rajat has joined #openstack-keystone | 05:22 | |
| *** shyamb has joined #openstack-keystone | 05:37 | |
| *** shyamb has quit IRC | 05:56 | |
| *** shyamb has joined #openstack-keystone | 06:01 | |
| *** ayoung has quit IRC | 06:29 | |
| *** rcernin has quit IRC | 06:47 | |
| *** shyamb has quit IRC | 07:08 | |
| *** sapd1__ has quit IRC | 07:41 | |
| *** shyamb has joined #openstack-keystone | 07:50 | |
| *** shyamb has quit IRC | 07:57 | |
| *** markvoelker has quit IRC | 08:08 | |
| *** markvoelker has joined #openstack-keystone | 08:08 | |
| *** markvoelker has quit IRC | 08:13 | |
| *** shyamb has joined #openstack-keystone | 08:16 | |
| *** jaosorior has joined #openstack-keystone | 08:39 | |
| *** xek_ has joined #openstack-keystone | 09:10 | |
| *** shyamb has quit IRC | 09:17 | |
| openstackgerrit | Colleen Murphy proposed openstack/keystone master: Add prerequisites section to keystone-to-keystone https://review.openstack.org/627847 | 09:46 |
| openstackgerrit | Colleen Murphy proposed openstack/keystone master: Enhance authn sections in federation guide https://review.openstack.org/627966 | 09:46 |
| openstackgerrit | Colleen Murphy proposed openstack/keystone master: Clean up keystone-to-keystone section https://review.openstack.org/627968 | 09:46 |
| openstackgerrit | Colleen Murphy proposed openstack/keystone master: Reorganize guide on configuring a keystone SP https://review.openstack.org/627972 | 09:46 |
| openstackgerrit | Colleen Murphy proposed openstack/keystone master: Add section on configuring protected auth paths https://review.openstack.org/627975 | 09:46 |
| openstackgerrit | Colleen Murphy proposed openstack/keystone master: Consolidate WebSSO guide into SP instructions https://review.openstack.org/627976 | 09:46 |
| openstackgerrit | Colleen Murphy proposed openstack/keystone master: Enhance the shibboleth guide https://review.openstack.org/627982 | 09:46 |
| openstackgerrit | Colleen Murphy proposed openstack/keystone master: Enhance the mellon guide https://review.openstack.org/627993 | 09:46 |
| openstackgerrit | Colleen Murphy proposed openstack/keystone master: Enhance the openidc guide https://review.openstack.org/628037 | 09:46 |
| *** markvoelker has joined #openstack-keystone | 10:09 | |
| *** erus has quit IRC | 11:08 | |
| *** erus has joined #openstack-keystone | 11:09 | |
| *** erus has quit IRC | 11:16 | |
| *** erus has joined #openstack-keystone | 11:22 | |
| *** erus has quit IRC | 11:29 | |
| *** shyamb has joined #openstack-keystone | 11:29 | |
| *** erus has joined #openstack-keystone | 11:38 | |
| *** erus has quit IRC | 11:44 | |
| *** erus has joined #openstack-keystone | 11:52 | |
| *** erus has quit IRC | 11:59 | |
| *** raildo has joined #openstack-keystone | 12:04 | |
| *** erus has joined #openstack-keystone | 12:09 | |
| *** lifeless has quit IRC | 12:42 | |
| *** kevko has joined #openstack-keystone | 13:02 | |
| kevko | Hi, can someone advice me how to debug slow keystoneclient on debian ? When trying to get token via openstack token issue on debian ..it takes 5 seconds ... on devstack ubuntu 1.5 ... any ideas how to compare ? ...versions of a clients are the same | 13:03 |
| cmurphy | kevko: do you have caching enabled on the keystone server? | 13:04 |
| *** raildo_ has joined #openstack-keystone | 13:19 | |
| *** raildo has quit IRC | 13:19 | |
| *** markvoelker has quit IRC | 13:33 | |
| *** markvoelker has joined #openstack-keystone | 13:33 | |
| kevko | cmurphy: no i don't have | 13:39 |
| kevko | cmurphy: i'm not troubleshooting keystone ...keystone is responding in 0.7 sec ...it is OK , which problem i'm trying to solve is , that client is slow ... and i really don't know why | 13:40 |
| kevko | cmurphy: 1 , i've tried to create venv with inherit packages from system and local checkouted openstackclient from git => SLOW, 2, Created pure venv , run the same code = FAST :( | 13:42 |
| cmurphy | kevko: the only reason i can think of for it to be that slow is that caching is disabled or the cache is not warmed up on the first request | 13:45 |
| cmurphy | if it's not that, you can try using the --debug option or some python profiling library to debug the client itself | 13:46 |
| kevko | cmurphy: i tried profiling ...but i am not more clever from it ... | 13:53 |
| kevko | cmurphy: ok, i will try more | 13:54 |
| kevko | thanks for this time | 13:54 |
| *** mvkr has quit IRC | 13:57 | |
| *** shyamb has quit IRC | 14:01 | |
| *** dave-mccowan has joined #openstack-keystone | 14:03 | |
| *** erus has quit IRC | 14:07 | |
| *** lbragstad has joined #openstack-keystone | 14:08 | |
| *** ChanServ sets mode: +o lbragstad | 14:08 | |
| *** erus has joined #openstack-keystone | 14:09 | |
| *** mvkr has joined #openstack-keystone | 14:12 | |
| lbragstad | o/ | 14:17 |
| cmurphy | \o | 14:17 |
| erus | \o/ | 14:17 |
| aning_ | lbragstad: ayoung is not online yet ... for the explicit domain IDs, will keystone local users ID be preditable as well? | 14:19 |
| aning_ | I read the spec, it mainly talks about domain ids. | 14:19 |
| aning_ | and ayoung mentioned sha256(domain_id, federated_user_name) yesterday. | 14:21 |
| lbragstad | by local user ids do you mean SQL users? | 14:21 |
| aning_ | Yes, the users in "local" user table. These are the users authenticated locally by keystone. | 14:22 |
| aning_ | sorry I mean "user" table. | 14:23 |
| lbragstad | right - i wasn't sure if you were asking about ldap users or sql users | 14:23 |
| aning_ | sql users, not ldap | 14:24 |
| lbragstad | i'm not sure if the plan is to make sql user ids predictable | 14:24 |
| aning_ | I'm a bit confused since keystone has "federated_user". | 14:25 |
| aning_ | Should it be explicitly in the spec? | 14:25 |
| lbragstad | well, keystone has a federated_user, local_user, nonlocal_user, and user tables | 14:29 |
| lbragstad | nonlocal_user is for users from ldap | 14:29 |
| aning_ | Oh well, I think sql users will be covered, since the user model in keystone is, the "user" table holds the unique IDs, and other tables like "local_user" and "federated_user" reference to the ID of "user" table. | 14:30 |
| lbragstad | right | 14:30 |
| lbragstad | i'm not sure if he is planning on doing that work with the domain id work | 14:30 |
| aning_ | right, the spec only say "The IDs for users will now fall into the category of “predictable-but-not-settable.” Since the uuid is a hash of the string, and not explicitly setable, the will not be a potential for “User_ID squatting.” where a user pre-allocates an entry to block another user." | 14:32 |
| aning_ | maybe just for ldap users. | 14:32 |
| lbragstad | right | 14:32 |
| lbragstad | some of that already exists for nonlocal users | 14:32 |
| lbragstad | where it takes a property from the user reference from ldap and hashes that against the domain id for that user to get the ID | 14:33 |
| aning_ | so ldap users can be implemented separately and it won't break anything, since at the end ldap users wil have IDs in "user" table, even it's geneared differently but it's transparent and no different from others. | 14:35 |
| lbragstad | well - hashing of user ids from ldap is already implemented | 14:37 |
| lbragstad | but sql users have ids that are randomly generated | 14:37 |
| aning_ | that's right. | 14:37 |
| lbragstad | (same with federated users, but that's something ayoung wants to change) | 14:37 |
| aning_ | It would be nice for sql users and federated users to have predictable IDs. | 14:38 |
| aning_ | That will greatly aid for multiple region deployment. | 14:39 |
| aning_ | ayoung mentioned he wants to make project IDs predictable as well. | 14:41 |
| aning_ | again, not clear about when it'll be available. | 14:41 |
| lbragstad | i'll see if i can ask him if he is around for the meeting next week (if he doesn't show up before then) | 14:45 |
| aning_ | lbragstad: thanks | 14:46 |
| lbragstad | yep | 14:46 |
| *** lbragstad has quit IRC | 15:36 | |
| *** lbragstad has joined #openstack-keystone | 15:40 | |
| *** ChanServ sets mode: +o lbragstad | 15:40 | |
| openstackgerrit | Colleen Murphy proposed openstack/keystone master: [WIP] Add manager support for app cred capabilities https://review.openstack.org/628193 | 16:04 |
| openstackgerrit | Colleen Murphy proposed openstack/keystone master: [WIP] Add API changes for app cred capabilities https://review.openstack.org/628168 | 16:04 |
| openstackgerrit | Colleen Murphy proposed openstack/keystone master: [WIP] Add API for /v3/allowed-requests https://review.openstack.org/628524 | 16:04 |
| *** jrist has joined #openstack-keystone | 16:08 | |
| *** itlinux has joined #openstack-keystone | 16:33 | |
| *** imus has joined #openstack-keystone | 16:56 | |
| *** whoami-rajat has quit IRC | 17:27 | |
| openstackgerrit | Lance Bragstad proposed openstack/keystone master: Update service provider policies for system admin https://review.openstack.org/620158 | 17:59 |
| openstackgerrit | Lance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with sps https://review.openstack.org/620159 | 17:59 |
| openstackgerrit | Lance Bragstad proposed openstack/keystone master: Add tests for project users interacting with sps https://review.openstack.org/620160 | 17:59 |
| openstackgerrit | Lance Bragstad proposed openstack/keystone master: Remove service provider policies from v3cloudsample.json https://review.openstack.org/620161 | 17:59 |
| *** imacdonn has quit IRC | 17:59 | |
| *** imacdonn has joined #openstack-keystone | 18:00 | |
| lbragstad | cmurphy i fixed up the release note in 620158 | 18:02 |
| lbragstad | it looks like a few other patches landed with the vague wording... | 18:02 |
| lbragstad | once we have a satisfactory format/wording, i'll update the ones that already landed | 18:03 |
| cmurphy | thanks lbragstad | 18:03 |
| lbragstad | np | 18:03 |
| *** gyee has joined #openstack-keystone | 18:04 | |
| *** xek_ has quit IRC | 18:05 | |
| *** itlinux_ has joined #openstack-keystone | 18:33 | |
| *** itlinux has quit IRC | 18:35 | |
| lbragstad | stepping out for lunch | 18:36 |
| *** whoami-rajat has joined #openstack-keystone | 18:57 | |
| *** itlinux_ has quit IRC | 19:40 | |
| lbragstad | cmurphy maybe sometime next week we can follow up on https://review.openstack.org/#/c/624215/ | 19:59 |
| lbragstad | assuming you're going to be around? | 19:59 |
| cmurphy | lbragstad: sure | 19:59 |
| lbragstad | awesome | 20:00 |
| *** lifeless has joined #openstack-keystone | 20:12 | |
| openstackgerrit | Lance Bragstad proposed openstack/keystone master: Add keystone-manage jwt_setup functionality https://review.openstack.org/615315 | 20:28 |
| openstackgerrit | Lance Bragstad proposed openstack/keystone master: Add configuration options for JWT provider https://review.openstack.org/628676 | 20:28 |
| *** itlinux has joined #openstack-keystone | 20:43 | |
| lbragstad | wxy-xiyuan i pulled your comments about jwt configuration options into another patch - https://review.openstack.org/#/c/628676/ | 20:53 |
| lbragstad | i think ^ will need another option or two in order to support rotation | 20:53 |
| lbragstad | but i left a comment there to kick start a discussion | 20:54 |
| *** raildo_ has quit IRC | 21:03 | |
| openstackgerrit | Merged openstack/keystone master: Invalidate shadow_federated_user cache when deleting protocol https://review.openstack.org/628132 | 21:08 |
| openstackgerrit | Merged openstack/keystone master: Use common system role definitions for registered limits https://review.openstack.org/626028 | 21:29 |
| *** imus has quit IRC | 21:38 | |
| *** dave-mccowan has quit IRC | 21:42 | |
| *** itlinux_ has joined #openstack-keystone | 21:56 | |
| *** itlinux has quit IRC | 21:59 | |
| *** xek has joined #openstack-keystone | 21:59 | |
| *** itlinux_ has quit IRC | 22:24 | |
| *** whoami-rajat has quit IRC | 22:37 | |
| *** jaosorior has quit IRC | 22:42 | |
| *** xek has quit IRC | 23:09 | |
| openstackgerrit | guang-yee proposed openstack/keystone master: correct the description on domain re-enable https://review.openstack.org/628705 | 23:14 |
| *** openstack has joined #openstack-keystone | 23:44 | |
| *** ChanServ sets mode: +o openstack | 23:44 | |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!