#openstack-meeting log

18:00:54 <dolphm> #startmeeting keystone
18:00:55 <openstack> Meeting started Tue Aug 19 18:00:54 2014 UTC and is due to finish in 60 minutes.  The chair is dolphm. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:56 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:00:58 <openstack> The meeting name has been set to 'keystone'
18:00:58 <henrynash> hi
18:01:03 <dolphm> \o/
18:01:04 <dolphm> #topic Feature proposal freeze August 21st
18:01:19 <bknudson> that's 2 days from now
18:01:24 <dolphm> i suspect this is going to be what most of today's meeting is about, but.... FPF is happening!
18:02:16 <dolphm> it is technically two days from now, but i want to make sure all the blueprinty stuff that we're shipping in juno is in review today/tomorrow so we can make clear cuts on thursday if necessary
18:02:35 <dolphm> right now it only looks like a few things are skating close to the deadline
18:02:50 <stevemar> o/
18:02:53 <dolphm> which requires things to be "spec approved, code complete, and in review"
18:02:59 <grantbow> o/
18:03:27 <dolphm> so bp endpoint-policy which has no implementation in review, but has an API review up https://review.openstack.org/#/c/112292/
18:03:59 <bknudson> dolphm: it looks pretty staightforward
18:04:03 <dolphm> henrynash says that should make it?
18:04:08 <dolphm> bknudson: i hope so!
18:04:14 <stevemar> it does have that going for it
18:04:21 <dolphm> bp non-persistent-tokens has had some updates today - is that still 85/90% going to make it, morganfainberg?
18:04:41 <bknudson> morganfainberg: I had some questions about HEAD ops with no GET on https://review.openstack.org/#/c/112292/3/v3/src/markdown/identity-api-v3-os-endpoint-policy.md
18:04:42 <henrynash> dolphm: so I just posted the backend part of this extension
18:04:44 <morganfainberg> i'd say we'll be in the 90% range
18:05:01 <henrynash> https://review.openstack.org/115362
18:05:08 <morganfainberg> dolphm, for change of completion. but it's a load of code
18:05:26 <stevemar> henrynash is awesome, chucks up a patch at 2:04
18:05:39 <morganfainberg> dolphm, so far like 16 reviews and 1100 lines of change or so
18:05:42 <dstanek> henrynash: that was fast!
18:05:47 <dolphm> henrynash: yay!
18:05:57 <dolphm> henrynash: so we'll expect (1?) more patch?
18:06:17 <henrynash> dolphm: yes. I split it into two - backend and then the controller
18:06:23 <dolphm> henrynash: that works
18:06:26 <morganfainberg> bknudson, ah i'll take a look
18:06:57 <dolphm> are we still doing separate migrate repos? :-/
18:07:02 <dolphm> looking at https://review.openstack.org/#/c/115362/
18:07:30 <henrynash> dolphm: it’s all in the extension, so it has its own migrate repo
18:08:41 <ayoung> dolphm, separate migrate repos lead to fewer conflicts. I'd like to keep them as the norm
18:08:48 <dolphm> alrighty
18:09:02 <morganfainberg> ayoung, i think we should revisit that concept in K
18:09:14 <ayoung> morganfainberg, sure
18:09:16 <morganfainberg> ayoung, i think it poses a lot of other associated headaches. but not now
18:09:32 <ayoung> morganfainberg, lets table for now
18:09:36 <morganfainberg> ayoung, ++
18:09:43 <dolphm> someone, i'm assuming stuart put composite auth support on the agenda, but that would be outside the named integrated release process https://review.openstack.org/#/c/108384/
18:09:50 <morganfainberg> dolphm, wrong section
18:09:59 <morganfainberg> that was me, was supposed to be one less *
18:10:00 <morganfainberg> :P
18:10:05 <morganfainberg> so, as in "please review it"
18:10:10 <dolphm> cool
18:10:46 <dolphm> aand... i'm going to do a separate topic for this, but hopefully it'll be quick
18:10:53 <dolphm> #topic Deprecations in Juno
18:11:04 <morganfainberg> ooh ooh, token_api
18:11:04 <dolphm> do we have anything? as of this morning, the bp was blank & not started
18:11:19 <morganfainberg> just tagged a patch to that a few minutes ago
18:11:19 <bknudson> Identity API V2?
18:11:23 <dolphm> morganfainberg: as opposed to token persistence API?
18:11:23 <ayoung> referring to auth plugins by method name
18:11:25 <bknudson> oops, too soon
18:11:36 <bknudson> XML?
18:11:44 <bknudson> do we need to call it out if it's still deprecated?
18:11:50 <dolphm> bknudson: xml support was deprecated in icehouse
18:11:52 <morganfainberg> dolphm, the internal `token_api` will be deprecated, but persistence is housed under token_provider_api
18:12:03 <ayoung> er...make the class name?  morganfainberg what exactly did we deprecate there?
18:12:07 <morganfainberg> dolphm, the idea is no one should ever use token_api.XXXX
18:12:09 <dolphm> bknudson: i'm going to leave v2 be for the moment - i don't think we totally meet the TC's recommendation on when we can deprecate v2
18:12:22 <bknudson> dolphm: y, nova doesn't work with v3
18:12:27 <bknudson> nor does auth_token middleware
18:12:48 <morganfainberg> ayoung, the use of <class>.token_api.<method>
18:12:52 <dolphm> bknudson: what's missing in auth_token?
18:13:02 <morganfainberg> ayoung, that massive chain of stuff i've been shuffling around to get us to non-persistence
18:13:11 <ayoung> ++
18:13:16 <bknudson> dolphm: it doesn't authenticate using v3... e.g., it doesn't support domains
18:13:30 <bknudson> specifying the user domain and project domain
18:13:32 <morganfainberg> ayoung, it doesn't change the underlying code, just managers and controlelrs shouldn't use token_api, let token_provider_api call it's .persistence instead
18:13:33 <bknudson> for its token
18:13:34 <dolphm> bknudson: oh from the auth token user's perspective ++
18:13:35 <jamielennox> don't i have a patch up for that?
18:13:52 <dolphm> jamielennox: i believe you do...
18:13:53 <gyee> jamielennox, yeah, I thought I saw something from you
18:14:33 <jamielennox> actually maybe i don't, i had something working in testing but i can't see it
18:14:42 <gyee> bknudson, nova CLI patch is under review
18:15:13 <bknudson> gyee: the part that I thought I'd get done for nova is to use v3 auth to get the token for its communication with neutron.
18:15:14 <morganfainberg> bknudson, i need to chase down jogo and resolve the policy,json issues in nova. it's a bit of a headache
18:15:20 <gyee> bknudson, https://review.openstack.org/#/c/105900/
18:15:28 <morganfainberg> bknudson, for nova (and this applies to other projectd) to be v3 friendly
18:15:32 <jogo> morganfainberg: o/
18:15:52 <bknudson> I had a spec in nova but I since we're running against the same freeze I told them I wasn't going to get it done for J
18:15:53 <morganfainberg> jogo, post meeting you around/not busy? [~45mins]
18:15:54 <morganfainberg> ?
18:16:07 <morganfainberg> jogo, probably will be quick.
18:16:08 <jogo> morganfainberg: I think I can squeeze that in
18:16:10 <bknudson> I should be able to work on it and have it ready soon in K
18:16:20 <morganfainberg> jogo, ok will ping you as soon as we're done
18:16:29 <jogo> morganfainberg: sounds good
18:16:33 <jogo> morganfainberg: thanks
18:16:38 <gyee> bknudson, what else is missing for Nova?
18:16:43 <bknudson> it also depends on a new release of some client libs
18:17:04 <bknudson> gyee: nova needs to be able to use v3 authentication to get a token for its neutronclient stuff
18:17:04 <Haneef> bknudson: How about service user/service tenant in middleware. That is still v2
18:17:34 <bknudson> Haneef: we were just talking about that... jamielennox said he might have been working on it.
18:18:04 <gyee> bknudson, so as long as nova is passing the token to neutronclient we're fine right?
18:18:15 <jamielennox> yep, i'm not sure why it isn't up already but it works
18:18:35 <bknudson> gyee: nova doesn't always pass a token to neutronclient now... it can also pass username + password
18:18:47 <jamielennox> gyee: nova uses its own auth to talk to  neutron not the users
18:19:02 <jamielennox> no idea why, but it means there are a bunch of options to remove
18:19:20 <gyee> oh, you mean like their own auth plugins?
18:19:43 <jamielennox> gyee: no as in the nova service user
18:19:45 <bknudson> gyee: it uses neutronclient which accepts username and password
18:20:04 <bknudson> here was a first stab at the nova work: https://review.openstack.org/#/c/113735/
18:20:07 <bknudson> it didn't go well
18:20:56 * gyee speechless
18:21:03 <jamielennox> we are lacking at least a way to override the catalog from a plugin/session
18:21:10 <jamielennox> there was something else as well....
18:21:26 <ayoung> its ok.  no one uses neutron anyway
18:21:39 <henrynash> ayoung: aahhhhhhh
18:21:50 <gyee> lmao
18:22:04 <bknudson> jamielennox: nova might actually be happier using the service catalog rather than having the endpoint in the config file
18:22:32 <bknudson> but when it's doing token auth then it will need to get the endpoint/catalog from somewhere.
18:22:41 <jamielennox> bknudson: i still can't figure out why they are using the nova service user rather than the user token
18:23:00 <jamielennox> but yes, i would imagine they would be ok with that bit
18:23:10 <bknudson> jamielennox: it's possible there isn't a case where the nova service user is actually used.
18:23:53 <jamielennox> the problem is we still need to honour the old setting if it is present
18:23:57 <ayoung> "This deal is getting worse all the time! "
18:24:58 <dolphm> so, back on topic, it sounds like token_api was the only thing we actually wanted to deprecate as part of bp deprecated-as-of-juno ? :P
18:25:00 <ayoung> Need to beat on Horizon some more to make sure it can support V3.
18:25:11 <ayoung> dolphm, and the auth-plugin thing
18:25:19 <dolphm> ayoung: was that not already deprecated?
18:25:20 <ayoung> the use of <class>.token_api.<method>
18:25:28 <ayoung> not officially
18:25:35 <ayoung> wasn't even inthe docs that you could do it
18:25:58 <jamielennox> bknudson, ayoung: on that i did a new version of the endpoint hack: https://review.openstack.org/#/c/90632/ with a WIP follow up review
18:26:09 <jamielennox> not sure about it though so i'll talk to you both about it post meeting
18:26:16 <gyee> how do you deprecate something that's not officially documented?
18:26:25 <gyee> just saying :)
18:27:10 <dolphm> ayoung: are you volunteering to deprecate that then?
18:27:26 <gyee> self deprecation
18:27:32 <ayoung> dolphm, a deprecation message is in Log now if it is used
18:27:42 <ayoung> that was morganfainberg 's req to approve the patch
18:27:49 <dolphm> ayoung: well, that's what i meant by "isn't it already deprecated?"
18:28:10 <ayoung> dolphm, ah, misunderstood.
18:28:27 <dolphm> and then there was some conversation here about the federation API
18:28:27 <dolphm> https://review.openstack.org/#/c/107325/6/specs/juno/auth-specific-data.rst
18:28:46 <dolphm> to deprecate both /v3/OS-FEDERATION/projects and /v3/OS-FEDERATION/domains ?
18:29:03 <bknudson> right because jamielennox provides /auth/projects and /auth/domains
18:29:05 <jamielennox> i think that's a good idea
18:29:11 <ayoung> works for me.
18:29:16 <dolphm> even though we basically have to support those forever
18:29:36 <bknudson> we'll use JSONHome to point clients to the right URL
18:30:11 <dolphm> so, basically don't advertise both, ever
18:30:11 <boris-42> Hi guys
18:31:01 <jamielennox> i'll redo that spec and deprecate the federation resources
18:31:10 <jamielennox> i put up a implementation patch as well
18:31:41 <jamielennox> oh - spec was merged already
18:32:21 <bknudson> can't change it now.
18:32:48 <dolphm> jamielennox: i already put it on the deprecation spec
18:32:49 <ayoung> deprecation can and should be a separate commit anyway
18:32:56 <dolphm> jamielennox: https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-juno
18:33:01 <dolphm> ayoung: ++
18:33:13 <dolphm> jamielennox: follow the /auth/ implementation with a deprecation patch to OS-FEDERATION?
18:33:23 <jamielennox> dolphm: yep
18:33:47 <dolphm> alrighty, that's three things then, and one is already done (ayoung's)
18:34:02 <dolphm> and morganfainberg's is deep in review
18:34:16 <dolphm> #topic Email as a first class attribute
18:34:19 <dolphm> #link https://review.openstack.org/#/c/111982/
18:34:22 <dolphm> henrynash o/
18:34:39 <henrynash> dolphm: so really a couple of questions here
18:34:52 <bknudson> I thought we just removed the code that even tried to use it (since it would 500)
18:35:15 <henrynash> we seem to sort-of support it…
18:35:25 <bknudson> for what?
18:35:32 <henrynash> …i.e. LDAP mapping will fill in the email attribute
18:35:49 <henrynash> and the keystoneclient supports it explicitly
18:35:49 <bknudson> LDAP mapping can fill in any attribute
18:36:07 <bknudson> https://review.openstack.org/#/c/90296/
18:36:13 <henrynash> bknudson: we have a specific config variable to control email attribute
18:36:28 <dolphm> henrynash: first of all, do we need to discuss this in the context of juno or kilo? i'd rather have this conversation in terms of kilo
18:36:32 <jamielennox> keystoneclient talks about it by name but it just goes into the extra data column
18:36:47 <henrynash> teh real question is….are we already in danger of supporting PII info ?
18:36:52 <dolphm> right, keystone itself doesn't have first class support for email
18:36:54 <bknudson> btw the docs also say that you can filter on email still
18:37:13 <henrynash> so wondered if we should get a security viewpoint on this
18:37:20 <dolphm> henrynash: that's a good argument in favor of not supporting email :P
18:37:24 <gyee> hanrynash, pii according to which compliance?
18:37:34 <dolphm> gyee: all of the compliances
18:37:40 <bknudson> docs change: https://review.openstack.org/#/c/115330/
18:37:56 <bknudson> (it's the wadls)
18:38:28 <henrynash> bknudson: all our user entity exampels in the spec also include email
18:38:29 <dstanek> henrynash: email is traditionally in the PII realm
18:38:37 <dolphm> bknudson: +1!
18:39:27 <henrynash> dolphm: ione option is to pull email from teh idenity_api spec in all places
18:39:37 <dolphm> henrynash: i'd be in favor of that
18:39:46 <dolphm> unless there's a strong use case behind the spec
18:39:47 <bknudson> so what's the proposal? move it from extras column to an email column?
18:40:17 <dolphm> bknudson: the current proposal is just to add a filter for email - which i'd argue does require making it a real column, yes
18:40:26 <henrynash> bknudson: no, there’s noneed for that…this was kciked off by looking to impelemt what the spec said taht you can filter on email
18:40:50 <henrynash> dolphm: technicallyit doesn’t required it….but if it gest used a lot, then you need to
18:41:09 <gyee> but you can stash anything in "extra", PII or not
18:41:09 <dolphm> henrynash: but it's not actually documented as an attribute on the user resource in the spec -- it's just copy pasta in the examples
18:41:16 <bknudson> I'm worried about giving someone the option to do something that's going to be very inefficient
18:41:31 <henrynash> dolphm: agreed…it is not listed as an optional attribute
18:42:00 <henrynash> dolphm: OK…so for Juno…we pull it from the spec…but leave the client and LDAP support as is?
18:42:35 <bknudson> what's the client support?
18:42:46 <dstanek> so the implementation (using extras) would download the entire table and record by record serialize JSON to find the match?
18:42:50 <jamielennox> bknudson: just an 'extra'
18:42:52 <henrynash> I think we support it in the user entity class
18:42:56 <henrynash> ?
18:43:38 <jamielennox> we support anything that is returned from the server as an attribute on the user object (or any object)
18:43:41 <bknudson> I was wondering if the client requires email for a new user or has filtering by email or something.
18:43:50 <dolphm> henrynash: the client support can be undocumented & pushed into **kwargs
18:43:53 <jamielennox> on creation it's just named in the param list but we don't treat it special
18:43:57 <dolphm> maybe
18:43:59 <gyee> henrynash, but compliance is deployment-specific right, if one needs to encrypt/obfuscate a field, roll their own driver
18:44:53 <gyee> I would think PII and API are two separate issues
18:44:53 <henrynash> gyee: well yes, but not sure we should ship something that by default risks security defects
18:45:18 <dolphm> henrynash: ++
18:45:37 <bknudson> The following data clearly classify as PII: Email address, Login name, screen name, nickname, or handle
18:45:50 <bknudson> that's from wikipedia
18:45:52 <gyee> so we are going to encrypt username now
18:45:58 <dstanek> bknudson: ++
18:46:13 <dstanek> can we not store PII in keystone?
18:46:13 <henrynash> bknudson: hhmm, user name is PII and we don’t encrypt that
18:46:14 <morganfainberg> gyee, an argument to why we should go to id-only in the tokens >.>
18:46:47 <gyee> security is a process, software is a tool
18:47:05 <morganfainberg> dstanek, while username is PII, you don't need to typeically encrypt it, just prevent it leaking out iirc
18:47:09 <gyee> just like a knife, it can be both a weapon or tool :)
18:47:41 <morganfainberg> dstanek, same for some of the other PII items. Some do *need* to be encrypted if stored
18:48:14 <dolphm> so i think it's fair to say we need to have this discussion outside the scope of Juno :)
18:48:14 <lbragstad> how do you go about drawing the line though?
18:48:25 <morganfainberg> dolphm, ++
18:48:32 <ayoung> #link http://en.wikipedia.org/wiki/Personally_identifiable_information
18:48:39 <dolphm> henrynash: re-propose for kilo and we can continue in the spec review?
18:48:40 <henrynash> morganfainberg: one thing I wondered was wether we had to leave PII info out of teh collection of users returned in list_users calls
18:48:46 <bknudson> I guess I wonder why we would treat email specially... how about allowing filtering on any of the "extras"?
18:48:52 <dstanek> morganfainberg: i don't think we would store anything that needed to be encrypted at rest
18:48:53 <gyee> dolphm, ++, lets talk more on this later
18:48:54 <morganfainberg> lbragstad, i think there are some explicitly listed (depending on the compliance standard) that need it
18:48:55 <henrynash> dolphm: OK
18:49:03 <lbragstad> morganfainberg: ok
18:49:15 <dstanek> this is the doc we used to use when dealing with PII for PCI compliance - http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf
18:49:18 <dolphm> bknudson: because i don't want to expose anything more about 'extras' to the API - extras needs to die
18:49:32 <morganfainberg> lbragstad, what dstanek said, we don't store anything (directly) that needs encryption at rest (i think)
18:49:49 <bknudson> since we're heading towards federation I'd expect us to leave listing users to the provider.
18:49:51 <dolphm> we don't need first class support for an undocumented feature that we're never going to be good at supporting
18:49:51 <morganfainberg> dolphm, ++ extras dead = good
18:50:07 <dolphm> bknudson: ++
18:50:31 <henrynash> dolphm: the ability to store additional info with keystone entities is well used, I think
18:50:31 <dstanek> dolphm: i had a patch to delete it a while ago because i hated extras
18:50:36 <jamielennox> dolphm: ++ to killing extras
18:50:38 <dolphm> dstanek: lol should have put it up!
18:50:44 <morganfainberg> henrynash, doesn't mean it shouldn't die :P
18:51:01 <dstanek> dolphm: i doubt it'll be easy to merge now, but if it is i will
18:51:02 <dolphm> henrynash: having it used at all means we need to be careful about removing it :(
18:51:05 <morganfainberg> henrynash, maybe support it as an extension with a big "DONT DO THIS" warning block :P
18:51:25 <gyee> morganfainberg, make sure no one waits for you in the parking lot after you kill it :D
18:51:37 <morganfainberg> gyee, lol
18:51:39 <dstanek> henrynash: what do people use it for?
18:51:46 <bknudson> dstanek: email
18:51:50 <jamielennox> i think maybe we need  config option for disable_deprecated which turns deprecations into 404s to let people test this stuf
18:51:58 <morganfainberg> dstanek, metacloud uses it a lot, tracking cost centers etc,
18:51:59 <dolphm> jamielennox: ++
18:52:01 <dstanek> bknudson: i know that one :-P
18:52:04 <dolphm> fatal_deprecations = True
18:52:21 <dolphm> raise 501's or something when you hit a deprecation
18:52:31 <gyee> ++
18:52:38 <jamielennox> dolphm: yep, doesn't matter what just so that it fails
18:52:49 <henrynash> dstanek: additioal user info relating to products built on top of OPenStack/Keystone for example
18:52:51 <jamielennox> wouuld be useful even to see what the gate was using that it shouldn't
18:53:05 <dolphm> jamielennox: oslo has some sort of support for that from a logging perspective, i forgot what action it took on fatal
18:53:25 <dolphm> alright, last few minutes:
18:53:27 <dolphm> #topic OSprofiler & Keystone integration
18:53:29 <dolphm> boris-42: o/
18:53:34 <boris-42> dolphm hi there
18:53:36 <dolphm> #link https://review.openstack.org/#/c/103368/
18:53:41 <dolphm> #link https://review.openstack.org/#/c/114856/
18:53:55 <boris-42> dolphm I had to rebase python client patch
18:54:05 <boris-42> dolphm let me show the sample of trace that we can get with these patches
18:54:19 <boris-42> #link http://boris-42.github.io/ngk.html
18:54:37 <boris-42> ^ so this is sample of trace that goes through 3 services (nova, glance & keystone)
18:54:45 <boris-42> booting VM operation
18:54:46 <ayoung> boris-42, the assumption is that the middleware would be explicitly added to the pipeline, and not even enabled under normal circumstances, right?
18:54:59 <dstanek> dolphm, jamielennox: IIRC setting fatal_deprecations in the config would raise a strange exception
18:55:08 <boris-42> ayoung it should be enabled by default
18:55:14 <ayoung> boris-42, no it shouldn't
18:55:19 <jamielennox> dstanek: it exists though?
18:55:23 <ayoung> security trumps profiling
18:55:36 <boris-42> ayoung what kind of security issues?
18:55:44 <dstanek> boris-42: i mentioned in one of the reviews that i think the middleware can't be enabled by default
18:55:49 * ayoung takes that question as rhetorical
18:55:58 <boris-42> ayoung nope
18:56:01 <ayoung> boris-42, its a great idea
18:56:05 <boris-42> ayoung I really spend half of year
18:56:08 <ayoung> but not on by default
18:56:12 <boris-42> ayoung to make it possible to keep turned on by default
18:56:13 <dstanek> in my view it is optional functionality
18:56:17 <ayoung> yep
18:56:23 <ayoung> optional, and easy to enable
18:56:34 <boris-42> ayoung it is hard to get it enabled in gates
18:56:53 <boris-42> ayoung end if every user will need to turn it on by hand nobody will use it..
18:57:02 <boris-42> ayoung and I really don't see any big issue
18:57:07 <ayoung> boris, I think you will find that it gets used
18:57:07 <boris-42> ayoung with security
18:57:29 <boris-42> ayoung really what kind of security ?
18:57:41 <boris-42> ayoung only admin can trigger it and only admin can fetch data
18:57:49 <jamielennox> boris-42: it's not something that will get deployed by hand, this stuff will get added to puppet so enabling across everything shouldn't be hard
18:58:06 <ayoung> boris-42, I take it you want data from gate?
18:58:12 <boris-42> ayoung yep
18:58:16 <boris-42> ayoung in rally perfromance jobs
18:58:20 <boris-42> ayoung that you have
18:58:24 <ayoung> boris-42, then enable it in devstack
18:58:25 <boris-42> ayoung so profling + benchmark
18:58:33 <boris-42> ayoung it will take about 1 year
18:58:38 <bknudson> the profiling stuff just doesn't happen if the client doesn't request it.
18:58:44 <boris-42> bknudson +1
18:58:50 <boris-42> bknudson it happens only if admin trigger it
18:58:58 <boris-42> bknudson and only for his request
18:59:09 <ayoung> boris-42, what you want is devstack, not the rest of the world
18:59:12 <boris-42> bknudson even if user knows secret key it won't be able to trigger data
18:59:15 <dstanek> i'm also not a fan of it automatically configuring itself - https://review.openstack.org/#/c/103368/10/bin/keystone-all
18:59:37 <boris-42> dstanek hm but I added CONF option
18:59:55 <boris-42> dstanek https://review.openstack.org/#/c/103368/16/keystone/common/profiler.py
19:00:07 <bknudson> it logs all the db queries... that's pretty neat
19:00:23 <boris-42> bknudson you can add in any place
19:00:28 <boris-42> bknudson new points
19:00:40 <boris-42> bknudson e.g. during benchmarking in gates put just any amount of points
19:00:44 <boris-42> bknudson and get them on graph
19:01:09 <bknudson> "statement": "SELECT 1", -- pretty exciting stuff
19:01:24 <dolphm> boris-42: this is a lot of copy/pasting around :(
19:01:31 <boris-42> dolphm ?
19:01:38 <dolphm> boris-42: i left review comments
19:01:46 <boris-42> dolphm about api-paste.ini
19:01:46 <morganfainberg> dolphm, at time
19:01:52 <boris-42> dolphm I would prefer to keep it in
19:02:01 <dolphm> boris-42: you should be pulling your boiler plate text from osprofiler so you don't have to maintain it everywhere
19:02:03 <boris-42> dolphm can we continue in keystone chat?
19:02:07 <dolphm> yes
19:02:10 <dolphm> ooh, we're over time
19:02:13 <dolphm> i had my head in gerrit
19:02:14 <morganfainberg> yep
19:02:15 <dolphm> #endmeeting