Tuesday, 2014-04-22

« Monday, 2014-04-21 Index Wednesday, 2014-04-23 »
stevemarjamielennox, oh np, there *was* a patch that leveraged the work, but i think it's abandoned now00:00
dstanekjamielennox: is pecan powered by tulip?00:03
jamielennoxdstanek: no00:03
jamielennoxit's purely a controller thing00:03
jamielennoxafaik there is nothing powered by tulip yet00:03
dstanekwill it work under tulip or would that be a rewrite?00:03
jamielennoxdstanek: i have no idea, i think that's more a general question though00:04
jamielennoxit's been accepted as the OS default framework00:05
dstanekit seemed like that was the general directly that people wanted to go00:05
bknudson1jamielennox: the dependent patch expired00:05
*** browne has quit IRC00:07
*** wchrisj has joined #openstack-keystone00:15
*** praneshp has quit IRC00:24
*** praneshp has joined #openstack-keystone00:25
*** praneshp has quit IRC00:25
*** praneshp has joined #openstack-keystone00:26
*** praneshp has quit IRC00:28
*** franco has quit IRC00:28
*** praneshp has joined #openstack-keystone00:32
*** praneshp has quit IRC00:33
*** franco has joined #openstack-keystone00:36
*** richm has quit IRC00:38
*** wchrisj has quit IRC00:58
ayoungmorganfainberg, can you at least kick this on along  https://review.openstack.org/#/c/89428/00:59
morganfainbergayoung, sec00:59
morganfainbergayoung yep00:59
ayoungno rush...just want to keep things moving on this.  I want compressed tokens in before we cut another client00:59
morganfainbergdone00:59
morganfainbergayoung, nah it was easy, i'm working on something that takes 10+minutes per attempt01:00
morganfainbergayoung, so quick reviews are easy at this point01:00
ayoungmorganfainberg, cool, now, about the follow on patch...you cool with the changes?01:00
morganfainberglooking at it now actually01:00
ayounghttps://review.openstack.org/#/c/79411/6..7/keystoneclient/common/cms.py01:01
ayoungthat pretty much sums it up01:01
morganfainbergyep01:01
morganfainbergayoung, we're the only ones that really consume cms_verify atm right01:02
morganfainberg?01:02
ayoungyes01:02
ayoungmorganfainberg, I want to use it with Messaging n the future01:02
morganfainbergi really want to ensure we're not accidentally breaking someone by potentially returning binary data01:02
morganfainbergit's my only concern.01:02
morganfainbergayoung, other than that LGTM.01:03
morganfainbergayoung, hm. 2x checking but i think it's a safe (and yes eliminating universal_newlines is good)01:03
ayoungcool01:03
morganfainbergayoung, stupid question ... we don't need tests for this right?01:04
morganfainbergayoung, erm extra tests01:04
ayoungmorganfainberg, existing tests cover it01:04
morganfainbergayoung, thought so, but worth asking before +201:05
morganfainbergayoung, +2 on it, with a comment saying as much (about my concern)01:07
morganfainbergayoung, but i agree, don't think anyone else is using it01:08
morganfainbergayoung going to hold on the compress one, its a bit more code and i need to get back to this task and figure out broken debian packages.01:08
*** nkinder_ has joined #openstack-keystone01:12
ayoungmorganfainberg, that is fine.  Compression needs to have full attention.01:23
morganfainbergayoung, yep01:23
openstackgerritayoung proposed a change to openstack/python-keystoneclient: remove universal_newlines  https://review.openstack.org/7941101:37
*** franco has quit IRC01:46
*** rwsu has quit IRC01:47
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Fix the catalog format of a sample token  https://review.openstack.org/8945301:47
*** franco has joined #openstack-keystone01:48
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements  https://review.openstack.org/8923501:48
*** diegows has quit IRC01:51
openstackgerritOpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/8924501:55
*** gokrokve has quit IRC02:06
*** wchrisj has joined #openstack-keystone02:06
*** gokrokve has joined #openstack-keystone02:07
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Compressed Signature and Validation  https://review.openstack.org/7118102:08
*** franco has quit IRC02:11
*** gokrokve has quit IRC02:11
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Add detailed federation configuration docs  https://review.openstack.org/8922002:19
*** praneshp has joined #openstack-keystone02:19
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Make auth_token return a V2 Catalog  https://review.openstack.org/8945802:20
*** gokrokve has joined #openstack-keystone02:22
lbragstad1stevemar: I had a review up for api validation using json schema but I need to revisit, it's currently a work in progress02:23
*** praneshp_ has joined #openstack-keystone02:26
*** praneshp has quit IRC02:28
*** praneshp_ is now known as praneshp02:28
*** zhiyan_ is now known as zhiyan02:30
jamielennoxlbragstad1: where is that? i've got some ideas about jsonschema as well02:36
*** wchrisj has quit IRC02:47
*** mberlin has quit IRC02:50
openstackgerritA change was merged to openstack/python-keystoneclient: replace double quotes with single.  https://review.openstack.org/8942802:57
*** harlowja is now known as harlowja_away02:58
*** mberlin has joined #openstack-keystone03:06
openstackgerritA change was merged to openstack/keystone: Fixes for in-code documentation  https://review.openstack.org/8796503:09
*** harlowja_away is now known as harlowja03:16
openstackgerritguang-yee proposed a change to openstack/keystone: Make sure all the auth plugins agree on the shared identity attributes.  https://review.openstack.org/8494503:17
stevemarlbragstad1, nothing that leveraged the immutable/mutable stuff in v3 base controller? (i dont remember the details)03:33
*** chandan_kumar has joined #openstack-keystone04:02
openstackgerritLi Ma proposed a change to openstack/keystone: Password trunction makes password insecure  https://review.openstack.org/7732504:09
*** chandan_kumar has quit IRC04:10
*** wchrisj has joined #openstack-keystone04:30
*** jimbaker has quit IRC04:53
*** morganfainberg is now known as morganfainberg_Z04:55
*** jimbaker has joined #openstack-keystone04:58
*** jimbaker has quit IRC04:58
*** jimbaker has joined #openstack-keystone04:58
*** morganfainberg_Z is now known as morganfainberg04:59
openstackgerritSteve Martinelli proposed a change to openstack/python-keystoneclient: Authenticate via oauth  https://review.openstack.org/8198105:04
*** daneyon has quit IRC05:07
*** wchrisj has quit IRC05:10
gyeeis launchpad down? I can't seem to access https://bugs.launchpad.net/python-keystoneclient/+bug/130759805:19
uvirtbotLaunchpad bug 1307598 in python-keystoneclient "Debian/Ubuntu system wide CA certificate file doesn't seem to be used" [Undecided,New]05:19
*** stevemar has quit IRC05:28
*** sergmelikyan has quit IRC05:35
*** topol has quit IRC05:41
*** harlowja is now known as harlowja_away05:41
*** jzl-ctrip has quit IRC05:53
openstackgerritguang-yee proposed a change to openstack/keystone: Make sure all the auth plugins agree on the shared identity attributes.  https://review.openstack.org/8494505:53
*** tomoiaga1 has joined #openstack-keystone05:54
*** gyee has quit IRC05:56
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/8850306:01
*** chandan_kumar has joined #openstack-keystone06:02
*** tomoiaga1 is now known as tomoiaga06:06
*** gokrokve has quit IRC06:18
*** derek_c has joined #openstack-keystone06:18
*** gokrokve has joined #openstack-keystone06:48
*** chandan_kumar has quit IRC06:49
*** gokrokve_ has joined #openstack-keystone06:50
*** derek_c has quit IRC06:52
*** gokrokve has quit IRC06:53
*** gokrokve has joined #openstack-keystone06:56
*** gokrokve_ has quit IRC06:57
*** gokrokve has quit IRC07:00
*** chandan_kumar has joined #openstack-keystone07:07
*** derek_c has joined #openstack-keystone07:10
*** derek_c has quit IRC07:17
*** leseb has joined #openstack-keystone07:26
*** gokrokve has joined #openstack-keystone07:57
*** andreaf has joined #openstack-keystone07:59
*** gokrokve has quit IRC08:01
*** jamielennox is now known as jamielennox|away08:04
*** andreaf has quit IRC08:12
*** andreaf has joined #openstack-keystone08:13
*** Chicago has joined #openstack-keystone08:22
*** Chicago has joined #openstack-keystone08:22
*** praneshp has quit IRC08:23
openstackgerritAlvaro Lopez Garcia proposed a change to openstack/keystone: Fix typo on cache backend module  https://review.openstack.org/8950908:44
*** gokrokve has joined #openstack-keystone08:57
*** gokrokve has quit IRC09:01
*** mberlin has quit IRC09:04
*** mberlin has joined #openstack-keystone09:07
*** mberlin has quit IRC09:11
*** mberlin has joined #openstack-keystone09:13
*** chandan_kumar has quit IRC09:15
*** chandan_kumar has joined #openstack-keystone09:29
*** chandan_kumar is now known as chandankumar09:55
*** chandankumar is now known as chandan_kumar09:56
*** gokrokve has joined #openstack-keystone09:58
*** gokrokve has quit IRC10:02
*** gokrokve has joined #openstack-keystone10:59
*** gokrokve has quit IRC11:04
*** lbragstad1 has quit IRC11:37
*** tomoiaga has quit IRC11:38
*** diegows has joined #openstack-keystone11:57
*** gokrokve has joined #openstack-keystone11:59
*** gokrokve has quit IRC12:04
*** erecio has joined #openstack-keystone12:13
*** bada has joined #openstack-keystone12:32
*** lbragstad has joined #openstack-keystone12:53
*** bknudson1 has quit IRC12:55
*** gokrokve has joined #openstack-keystone13:00
*** gokrokve has quit IRC13:04
lbragstaddstanek: qq for you on the notification tests13:05
dstaneklbragstad: fire away13:05
lbragstadso, here https://review.openstack.org/#/c/81659/5/keystone/tests/test_notifications.py13:06
lbragstadyou have the register_callback method,13:06
lbragstadwas the reason to not put that in a setUp() method because we needed to be able to pass in the operator type?13:07
lbragstadlike CREATED_OPERATION?13:07
lbragstadregister_callback(CREATED_OPERATION); because it's specific to the test case?13:07
dstaneklbragstad: it gets called with different params based on test case13:08
lbragstaddstanek: ok, just checking. I was going to leave a comment suggesting a setUp method but that makes sense13:09
dstaneki would have to create it up into different testcase classes for each invocation - not a bad idea, but a pretty large refactoring13:09
dstaneks/create/break/13:10
lbragstaddstanek: right, knowing that and the way you have it makes sense13:10
openstackgerritMatthieu Huin proposed a change to openstack/python-keystoneclient: Limited use trusts  https://review.openstack.org/5749213:18
*** bknudson has joined #openstack-keystone13:21
dstaneklbragstad: did you see this https://review.openstack.org/#/c/87849/?13:29
lbragstad or you do not have permission to view this page.13:29
lbragstaddstanek: ^13:29
lbragstadThe page you requested was not found, or you do not have permission to view this page.13:30
dstanekah, remove the ?13:30
dstaneklbragstad: did you have a patch to reuse that stuff or should we just put it back in federation?13:31
lbragstadI thought it was being used in other places13:31
lbragstadchecking13:31
lbragstaddstanek: ah, I was using it here... but the review got away from me13:34
lbragstadhttps://review.openstack.org/#/c/76444/5/keystone/catalog/controllers.py13:34
ayoungdstanek, lbragstad https://blueprints.launchpad.net/keystone/+spec/session-extendable-tokens  please hack on it.  I think that getting this right is essential to proper working with Horizon.13:36
dstanekayoung: what do you mean by "comes from the original source"?13:37
dstanekayoung: this sounds similar to oauth refresh tokens13:37
*** nkinder_ has quit IRC13:43
*** wchrisj has joined #openstack-keystone13:43
*** wchrisj has left #openstack-keystone13:43
ayoungdstanek, yep.  And for origianl source...that is a good question13:46
ayoungI would guess we would record the IP address of the original requestor and only allow it from there.  I realize it could be spoofed13:46
ayoungbut if we said "refresh tokens can only come from known endpoints of the Horizon service" it would work13:47
ayoungdstanek, maybe it makes sense for Oauth to be the mechanism for logging in to Horizon.13:47
dstanekayoung: i think that would be good13:48
dstanekayoung: you couldn't reliably use IP address. you could have a cluster of horizon boxes13:48
ayoungdstanek, then Keystone needs a webui, if only for the Oauth extension13:49
dstanekayoung: with oauth2 you wouldn't need a webui13:49
ayoungdstanek, then where are you going to type in userid and password?  The whole idea with oauth is that it does not go to the origianl web site.13:58
*** kun_huang has joined #openstack-keystone13:59
openstackgerritLance Bragstad proposed a change to openstack/keystone: Allow 'description' in V3 Regions to be optional  https://review.openstack.org/7865814:00
openstackgerritLance Bragstad proposed a change to openstack/keystone: Enforce required parameters for V3 Regions  https://review.openstack.org/7644414:00
lbragstaddstanek: cleaned up^14:01
*** gokrokve has joined #openstack-keystone14:01
*** stevemar has joined #openstack-keystone14:02
*** gokrokve has quit IRC14:06
lbragstadstevemar: jamielennox|away here is the patch you were asking about last night (specifically the json schema api validation stuff)  https://review.openstack.org/#/c/86483/ it's very rough and it's a wip at the moment14:06
*** rwsu has joined #openstack-keystone14:09
stevemarlbragstad, coolio14:12
*** ayoung has quit IRC14:14
*** thedodd has joined #openstack-keystone14:17
*** chandan_kumar has quit IRC14:17
*** morganfainberg is now known as morganfainberg_Z14:24
*** david-lyle has joined #openstack-keystone14:31
*** nkinder_ has joined #openstack-keystone14:33
*** gokrokve has joined #openstack-keystone14:40
*** daneyon has joined #openstack-keystone14:48
*** browne has joined #openstack-keystone15:19
mfischI hacked up my own password auth backend, but from what I can tell it never gets hit. It seems like the SQL ident driver is doing the password check itself and not using the auth module? Is that right?15:20
openstackgerritMatthieu Huin proposed a change to openstack/keystone: More random values for oAuth1 verifier  https://review.openstack.org/8961215:21
dstanekmfisch: did you wire it up in the config?15:22
mfischdstanek: I changed the password line to this: password = keystone.auth.plugins.stacked_password.Password15:23
*** richm has joined #openstack-keystone15:25
dstanekmfisch: from what i understand if you have that in your config and the auth method requested matches it should use it15:29
dstanekmfisch: also i think it's important to note that the methods are tried in order (i believe)15:29
mfischits odd, I've added some pdb set traces to the normal password module and they're not hit either15:30
mfischyes on the order, I think I just have the default: methods = external,password,token,oauth115:30
mfischwith external commented out15:30
*** doddstack has joined #openstack-keystone15:31
*** thedodd has quit IRC15:34
mfischwell from what I see, doing a simple user-list call the sql authenticate method is hit and the auth password driver is not15:34
mhumfish, how do you authenticate ? curl ? keystone CLI ?15:35
mhu(and hi :) )15:35
mfischmhu: just testing out the cli and bon matin15:35
mhumfisch, aren't you using by any chance the admin token to authenticate ?15:36
mfischit even works when I change keystone.conf to point to a non-existant password driver15:37
mfischmhu: just the basic openrc, password, username, auth_url etc15:37
mfischeven this produces no error15:37
mfischpassword = keystone.auth.plugins.does_not_exist.Password15:37
dstanekmfisch: is it the correct config you are changing? also you are not using as OS_TOKEN right?15:40
mfischdstanek: yes, I dont have a token set. and I'm sure I'm changing the config15:41
mfischI have pdb traces in the sql driver's authenticate() code and in the password auth modules authenticate() call. The auth module is not being called.15:41
mhumfisch, the fact that there's no error confirms you're not using a password to authenticate, so it's either because you're using a token or external auth15:42
mhuis your keystone served by apache ?15:42
mfischno, I dont think so15:42
mfischthe external auth module is commented out, default config15:42
mfischlet me hack up the list and try to force an error15:43
*** bach has joined #openstack-keystone15:43
*** _TheDodd_ has joined #openstack-keystone15:43
mfischwow it even still works when I have this set for my methods15:43
mfischmethods = thiswontwork15:43
dstanekput in some debugging into keystone/auth/controllers.py's load_auth_methods to see what it sees15:45
dstanekmfisch: ^15:45
mfischokay15:46
mfischso the auth driver is being bypassed15:46
*** doddstack has quit IRC15:46
mfischfrom the backtrace, I see controllers.py(265)_authenticate_local() calling directly into the identity driver's auth mechanism15:46
mfischthat's token/controllers.py, wonder how it got there15:46
mhumfisch, can you run your client with the --debug option, we'll see what's sent to the server15:47
mfischdstanek: interestingly that method is never called, I wonder how I got into that state15:48
dstanekmfisch: i'm not familiar with that bit of code so i'm stumbling in the dark :-)15:49
mfischits okay, I am too ;)15:49
mfischbut it's obviously ignoring my settings in the auth section for some reason because it's not upset about bogus values15:49
*** zhiyan is now known as zhiyan_15:50
mhumfisch, I suspect it's because it never gets there. It's either intercepted at the middleware level by token_auth or admin_token_auth, or you have a REMOTE_USER env variable set that is used by the external auth method (which is enabled in v2 regardless of config, IIRC)15:51
mfischmhu: it is enabled by default it appears15:52
mfischmhu: I did see the token auth call in the stacktrace, let me look again15:52
mfischtoken/controllers.py(94)authenticate()15:52
dstanekload_auth_methods should be called at startup in keystone.backends15:52
dstanekmfisch: is it possible that you are hitting the wrong keystone service?15:53
mfischdstanek: this is what mine dumps out on startup15:54
mfischauth.methods                   = ['thiswontwork']15:54
mfischendpoint looks good15:54
*** sjcazzol has joined #openstack-keystone15:54
mfischokay the token auth driver tries external auth if REMOTE_USER is set, and if not it does a "local" auth which calls directly to the identity driver, skipping the auth module15:55
sjcazzolI added a specification for the blueprint https://blueprints.launchpad.net/keystone/+spec/tenants-users-quotas. It would be great if someone could give me some feedback on this.15:57
sjcazzolThe specs are linked in the whiteboard15:58
mfischnear as I can tell in the code when you ask for a token it completely bypasses the auth module. It tries external if REMOTE_USER is set and then calls directly to the identity driver, which in this case is SQL16:10
mfischseems like a bug to me but perhaps I dont understand the design16:11
*** chandan_kumar has joined #openstack-keystone16:11
dstanekmfisch: what code are you looking at?16:16
mfischdstanek: authenticate() in token/controllers.poy16:16
mfischsorry, .py16:16
mfischdstanek: when I call keystone user-list from the CLI i end up here during the token request16:17
mfischdstanek: see where it calls _authenticate_local()?16:18
*** chandan_kumar has quit IRC16:20
mfischdstanek: I'm looking at havana code, but it looked similar at a glance for I16:21
*** marcoemorais has joined #openstack-keystone16:21
*** shakamunyi has joined #openstack-keystone16:43
*** bach has quit IRC16:51
*** packet has joined #openstack-keystone16:51
afaranhamhu: About the commit message (https://review.openstack.org/#/c/57492/5//COMMIT_MSG) I don't know what need to be done, I think you can ask Anne Gentle or any Keystone Drivers (https://launchpad.net/~keystone-drivers)16:58
*** praneshp has joined #openstack-keystone17:09
*** ayoung_ has joined #openstack-keystone17:14
*** david-lyle is now known as david-lyle_afk17:16
*** harlowja_away is now known as harlowja17:18
*** ayoung_ is now known as ayoung17:25
*** morganfainberg_Z is now known as morganfainberg17:26
ayoungdstanek, sorry for disappearing...why do you think that "with oauth2 you wouldn't need a webui" to log in?17:26
dstanekayoung: there is a mobile flow that i think doesn't use a UI in the same way as oauth117:31
ayoungdstanek, something has to provide the login ui for form based authentication.  I don't think any of the other auth approaches require anything17:32
*** gyee has joined #openstack-keystone17:33
ayoungman, wouldn't it be nice if Basic Auth were skinable or something.17:33
dstanekayoung: doesn't horizon capture the password? they in the background it could exchange that for the token - almost the same as it does now17:33
dstaneks/they/then/17:33
ayoungNo, they don't17:33
ayoungthat would be a security issue,  Horizon only does token-for-token exchanges17:34
dstanekhow do they get the token then? does the user need to use the cli client to get the first token?17:35
*** gyee has quit IRC17:39
morganfainbergdstanek, horizon passes the username/password in once17:49
morganfainbergdstanek, doesn't store it17:49
morganfainbergdstanek, but after that one time (Getting the unscoped token) they only do token-for-token17:50
dstanekmorganfainberg: that's what i thought. so it can do the oauth dance with the credentails at that point17:50
morganfainbergdstanek, yes.17:51
morganfainbergdstanek, keystone can still be the SP in this case.17:51
morganfainbergit's a little wonky but not unsupportable17:51
*** chandan_kumar has joined #openstack-keystone17:52
morganfainbergdstanek, dogpile update merged17:55
ayoungmorganfainberg, so, say we exposed oauth to the public, but not the rest of Keystone, with a webform.17:55
morganfainbergto global reqs, we can make sure keystone is sync'd then do your patch to use the new properties.17:55
morganfainbergayoung, technically you could pass that info through horizon to keystone, now you couldn't use the same info for direct access.17:56
*** gyee has joined #openstack-keystone17:56
ayoungmorganfainberg, which horizon?  Lets assume there are multiple, and do Oauth correctly,  and lets not forget about the non-horizon folks.17:57
morganfainbergayoung, multiple horizones with distinct domain names?17:57
morganfainbergayoung, or loadbalanced?>17:57
ayoungsure...or geographically distributed or....17:58
*** topol has joined #openstack-keystone17:58
ayoungHaving Horizon proxy it through seems like a misuse of Oauth.17:58
morganfainbergayoung, ok distinct hostnames - you auth with separate sessions to each - similar to how the SSO (openID) would work for review.openstack.org and revierw-dev.openstack.org17:59
ayoung++17:59
morganfainbergeventually... you want horizon to use the SSO-style auth as a session17:59
morganfainbergnot use the token17:59
ayoung+++17:59
ayoung++++17:59
morganfainbergso horizon would be the SP and pass the info back to keystone in that case.17:59
morganfainbergit also couldn't be used by keystone directly,17:59
*** packet has quit IRC18:00
morganfainbergwell.. in theory it shouldn't work to take that session and use it against a keystone directly18:00
morganfainbergyou would (in theory) need a re-auth for direct access, same mechanism though18:00
*** browne has quit IRC18:02
*** jamielennox|away is now known as jamielennox18:03
*** sjcazzol_ has joined #openstack-keystone18:06
*** sjcazzol has quit IRC18:08
*** chandan_kumar has quit IRC18:29
*** gokrokve has quit IRC18:33
*** browne has joined #openstack-keystone18:34
*** gyee has quit IRC18:35
dolphm#topic open discussion18:39
dolphmwhoops.18:39
bknudsonI hope it's open discussion here18:39
*** dolphm changes topic to "Open discussion."18:40
dolphmjust to be safe18:40
*** kun_huang has quit IRC18:41
morganfainbergLOL18:42
morganfainberg#topic learning where meetbot lives18:42
*** kun_huang has joined #openstack-keystone18:45
*** sjcazzol has joined #openstack-keystone18:45
*** sjcazzol_ has quit IRC18:46
*** gyee has joined #openstack-keystone18:46
*** kun_huang has quit IRC18:46
*** Chicago has quit IRC18:47
*** openstackgerrit has quit IRC18:49
*** openstackgerrit has joined #openstack-keystone18:49
*** sjcazzol has quit IRC18:49
*** chandan_kumar has joined #openstack-keystone18:53
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Make auth_token return a V2 Catalog  https://review.openstack.org/8945819:00
nkinder_bknudson: I've added your configurable token hashing work to https://wiki.openstack.org/wiki/Security/Juno/Keystone#Notable_changes_since_Icehouse19:00
bknudsonI'll do a rebase on https://review.openstack.org/#/c/78241/ so we can keep this moving.19:00
bknudsonnkinder_: hasn't even merged yet!19:00
nkinder_bknudson: when it lands, we need to make sure to update the wiki page19:00
nkinder_bknudson: I know.  I listed it as "IN PROGRESS"19:00
bknudsonnkinder_: I wonder if we'll be able to change the default to sha256...19:02
*** bach has joined #openstack-keystone19:02
nkinder_bknudson: When it does land, we can remove the "IN PROGRESS" note and modify the algorithm table where it is discussed19:02
nkinder_bknudson: it would be nice.  I need to review your latest patches19:02
*** bach has quit IRC19:02
*** david-lyle_afk is now known as david-lyle19:03
*** bach has joined #openstack-keystone19:05
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Ensure that cached token is not revoked  https://review.openstack.org/7824119:08
openstackgerritAlexei Kornienko proposed a change to openstack/python-keystoneclient: Ensure that cached token is not revoked  https://review.openstack.org/7824119:09
*** leseb has quit IRC19:09
bknudsonthe only conflict in https://review.openstack.org/78241 was the change to fix the spelling for "ans1"19:09
*** gyee has quit IRC19:11
*** thiagop has quit IRC19:11
*** bvandenh has quit IRC19:12
topolso bknudson are you happy with https://review.openstack.org/#/c/78241/19:13
topoldid that meet your seal of approval?19:13
morganfainbergdolphm, topol, does it make sense to do a surveymonkey thing for the catalog? or just ask for feedback on the ML?19:13
topolor you are just starting to review it??19:13
bknudsontopol: I took a look at it before and I think I was fine with it. I'll take a look again.19:13
morganfainbergdolphm, topol, i'm thinking a survey would be good, but i don't know if it makes more sense to just read through ML responses.19:14
nkinder_bknudson: thanks for fixing the asn1 typo!  That was bothering me...19:14
morganfainbergdolphm, topol, thinking of asking 2 questions: which catalog backend, which API version19:14
bknudsonnkinder_: that was someone else made the change19:14
topolmorganfainberg I think just mailing list with a proper subject line to catch folks eye. Im scared the folks will forget to participate in the survey19:14
nkinder_bknudson: ah, I thought you did19:14
bknudsonI just had to resolve the merge conflict19:14
morganfainbergtopol, so something like http://pasteraw.com/ai5kneikh0w0xfuqpt6dqt7vjzumwhp for verbiage19:15
*** afaranha has quit IRC19:15
morganfainbergtopol, trying to avoid panic :)19:15
nkinder_bknudson: back to the token hashing algorithm...  The difficulty in using sha256 as the default is that older clients will not handle revocations?19:16
topolSo I think you could offer the survey or just ask folks to respond to you if they have a strong opinion19:16
morganfainbergtopol, might remove the "limitations" sentence.19:16
ayoungnkinder_, that is correct, so we want to make it optional19:16
morganfainbergtopol, ok i'll toss a survey in.19:16
topolin the same note and give them a choice.19:16
bknudsonnkinder_: there's a transition time while there are both sha256 and md5 tokens out there.19:16
nkinder_bknudson: they will md5 hash, which won't match the sha256 hash19:16
morganfainbergtopol, yep.19:16
ayoungand then deployments that chose to run the newer algorithms have to run with newer clients19:17
nkinder_bknudson: that requires clients that are aware of the fact that tokens with different hashes are out there19:17
topolIdeally there should be no panic. You arent dropping function. Youa re just prioritizing updates correct?19:17
ayoung"only" the newere algorithm19:17
topolmorganfainberg19:17
morganfainbergyep19:17
*** chandan_kumar has quit IRC19:17
morganfainbergtopol, that is the plan :)19:17
bknudsonnkinder_: yes, the auth token middleware, and clients that do hashing themselves19:17
nkinder_so the concern is that keystone's default changes, but old client code is still out there that isn't aware as I understand it19:17
bknudsonI think horizon hashes the pki token19:17
topolwait, did I see a quote from you about dropping the template catalog.  YOU induced the panic :-)19:18
topolmorganfainberg, how about a statement stating a desire to stop enhancing the template catalog.   If you get panic then you know we need to enhance it19:19
morganfainbergtopol, ok i'll reword and include the survey and run it by you one more time.19:20
mfischdstanek: did you find the code I was referring to earlier?19:20
morganfainbergtopol, trying to keep it _really_ simple19:20
*** thiagop has joined #openstack-keystone19:20
topola la nova network19:20
morganfainbergtopol, hehe except nova net is open for changes again iirc19:20
topolYep agreed. I think one line or two and if anyone freaks you know your answer19:21
topolyes it is.  Quite a statement that makes :-)19:21
*** gokrokve has joined #openstack-keystone19:21
topoltest your plugins vedors :-)19:22
nkinder_I'd like to propose a backport of this bug fix for icehouse - https://bugs.launchpad.net/keystone/+bug/128121619:23
uvirtbotLaunchpad bug 1281216 in keystone "Keystone Havana Authentication Error using samAccountName in Active Directory" [Low,Fix committed]19:23
nkinder_does that seem acceptable to others?19:24
openstackgerritAlexei Kornienko proposed a change to openstack/python-keystoneclient: Ensure that cached token is not revoked  https://review.openstack.org/7824119:25
dstanekmfisch: yes, but i'm not sure about the design19:26
dstanekmfisch: we just had our meeting so there are probably still a bunch of devs that could answer that question still here19:26
bknudsonnkinder_: I don't see a problem with backporting that change... it's small and it's got tests and it fixes a bug19:27
*** afaranha has joined #openstack-keystone19:28
nkinder_bknudson: to propose a backport, do I just submit a patch for the stable/icehouse branch and reference the same bug?19:30
bknudsonnkinder_: should be able to cherry-pick it -- git-review -X19:30
bknudsonthen submit that commit to stable/icehouse19:30
bknudsonnkinder_: also, I think you're supposed to add icehouse-backport-potential to the bug19:31
*** shakamunyi has quit IRC19:33
nkinder_bknudson: do I just add that as a comment, or is there somewhere more specific I need to flag that in the bug?19:33
bknudsonnkinder_: it's a tag19:34
morganfainbergtopol, http://pasteraw.com/1fdlbovrrqgiwzj4ofvrzpxjbft48fc19:35
morganfainbergtopol, i'll be x-posting to operators (the same exact email)19:35
mfischdstanek: thanks19:35
*** bach has quit IRC19:35
mfischdstanek: I think I'll just assume it's supposed to work that way and just revive my ident driver since the auth ones dont get called19:35
openstackgerritA change was merged to openstack/keystone: Discourage use of pki_setup  https://review.openstack.org/8081919:35
*** bach has joined #openstack-keystone19:36
*** shakamunyi has joined #openstack-keystone19:36
morganfainbergtopol, subject: Catalog Backend in Deployments (Templated, SQL, etc)19:36
morganfainbergtopol, is it better to send the same email twice, once to each list? [i think that is the right way]19:37
openstackgerritAlexei Kornienko proposed a change to openstack/python-keystoneclient: Ensure that cached token is not revoked  https://review.openstack.org/7824119:37
topolmorganfainberg, looks perfect19:37
morganfainbergtopol, cool.19:38
topolsubject looks good too.19:38
morganfainbergsending the messages now.19:38
topolemail twice is fine19:38
morganfainbergtopol, sent.19:40
morganfainberglets see what response we end up with19:40
morganfainbergi expect panic.19:40
morganfainberg:P19:40
topolmorganfainberg, no panic until after a few beers and I respond by saying we are removing all catalogs so dont worry about the poll19:43
topoluntil then we are finr19:44
topolfine19:44
*** joesavak has joined #openstack-keystone19:52
nkinder_bknudson: I don't see any way of adding a tag.  Perhaps I need to have some extra permission for that?19:54
*** markstur has joined #openstack-keystone19:54
bknudsonnkinder_: there's no edit tags button? looks like !19:55
nkinder_bknudson: yep, no button for me19:56
bknudsonnkinder_: I added it.19:56
nkinder_bknudson: thanks!19:56
bknudsonmaybe you need some kind of authority to do it19:57
bknudsondolphm had already put havana-backport-potential on it.19:57
dolphmnkinder_: bknudson: which bug?19:58
nkinder_dolphm: https://bugs.launchpad.net/keystone/+bug/128121619:58
uvirtbotLaunchpad bug 1281216 in keystone "Keystone Havana Authentication Error using samAccountName in Active Directory" [Low,Fix committed]19:58
dolphmnkinder_: bknudson: i'd be happy to backport it if ya'll aren't doing so20:00
morganfainbergtopol, haha nice20:04
nkinder_dolphm: I'll take care of it.  It will give me experience in running through the backport process20:04
morganfainbergnkinder_, thankfully backporting isn't too difficult20:05
morganfainbergnkinder_, usually20:05
dolphmnkinder_: awesome - poke me if you have questions20:05
bknudsonmorganfainberg is having flashbacks to difficult backports20:05
morganfainbergbknudson, you weren't there maN... you weren't there20:06
morganfainbergbknudson, i can only really think of one bad backport20:08
morganfainbergbknudson, and it was only painful because it was icehouse -> havana -> grizzly20:09
morganfainbergor was it havana -> grizzly -> folsom20:09
morganfainbergone of those20:09
*** derek_c has joined #openstack-keystone20:10
dolphmmorganfainberg: my worst "backport" required completely separate fixes to be developed for all three branches.20:14
morganfainbergdolphm, thats no fun.20:14
*** bach_ has joined #openstack-keystone20:15
*** bach has quit IRC20:15
*** andreaf_ has joined #openstack-keystone20:16
*** andreaf_ has quit IRC20:19
*** leseb has joined #openstack-keystone20:19
*** andreaf_ has joined #openstack-keystone20:19
*** andreaf has quit IRC20:20
*** bach_ has quit IRC20:22
*** bach has joined #openstack-keystone20:23
dolphmjust ran into this serialization format today, which is totally new to me https://code.google.com/p/rson/20:24
morganfainbergrson. interesting20:25
mfischmorganfainberg: perhaps you can comment on a mystery, when I use password auth and request a token, is it supposed to go through the auth modules?20:26
morganfainbergmfisch, v2.0 or v3?20:26
dolphmmorganfainberg: it's like a weird cross of json and yaml developed by a crazy person20:27
*** bach has quit IRC20:27
morganfainbergmfisch, v3 is where the auth plugins/modules are used vs. the logic in the token auth controller20:27
ayoungbknudson so, there is this bug:   https://bugs.launchpad.net/oslo.messaging/+bug/1261631  which looks like the solution is to sync openstack/common/rpc/impl_kombu.py  but we don't have any part of the RPC subtree20:28
morganfainbergdolphm, yeah i don't see a benefit of this over json.20:28
uvirtbotLaunchpad bug 1261631 in oslo/havana "Reconnect on failure for multiple servers always connects to first server" [Low,Fix committed]20:28
ayoungis it invalid fo us, or is it something we can ignore?20:28
morganfainbergdolphm, it's kindof making my head hurt.20:28
dolphmmorganfainberg: it seems to have all the inadequacies of yaml and xml20:28
mfischmorganfainberg: v220:28
dolphmmorganfainberg: i wouldn't describe it as a superset of json at all20:28
morganfainbergmfisch, yeah, v2 wont use the auth plugins.20:28
mfischmorganfainberg: I did see the token driver just calling right to the identity driver20:28
mfischmorganfainberg: ugh, so whats the point of an auth module in v2?20:28
morganfainbergmfisch, https://github.com/openstack/keystone/blob/master/keystone/token/controllers.py#L6020:29
bknudsonayoung: how could the bug affect us if we don't use it?20:29
morganfainbergmfisch, this is one of the benefits of using V3 (yes, I know, not supported everywhere yet)20:29
bknudsonif we don't have the code20:29
ayoungyeah...I have no clue20:29
ayoungits a clone, so maybe it was done blindly?20:29
mfischmorganfainberg: yeah, thats the code I was looking at earlier, authenticate_local calls direct to ident20:29
morganfainbergmfisch, yep20:29
ayoungOr..are we not doing something that we should be doing?20:29
bknudsonayoung: we use oslo.messaging now for that, I think.20:30
morganfainbergmfisch, v2.0 doesn't have the auth plugin mechanisms20:30
morganfainbergmfisch, it wasn't really designed with that in mind.20:30
ayoungall I know is nkinder_ is about to beat me up about Bugs in....ah crap , now20:30
mfischmorganfainberg: so the docs for it are really designed for v320:30
morganfainbergmfisch, if we weren't clear on the auth plugins being a v3 thing we should get the docs updated20:30
* nkinder_ looks for his stick20:31
morganfainbergmfisch, but yes, v3 is where auth plugin logic is used20:31
mfischmorganfainberg: I dont see it called out here: http://docs.openstack.org/developer/keystone/configuration.html#how-to-implement-an-authentication-plugin20:31
bknudsonayoung: this was opened 2013-12-17 ... maybe this was before the switch to oslo.messaging20:32
morganfainbergmfisch, yep, don't see it either. file a bug on this if you don't mind (feel free to fix it too if you're so inclined)20:32
morganfainbergmfisch, good catch.20:32
mfischnot sure if happy to be right or sad that it doesn't work20:32
*** derek_c has quit IRC20:33
morganfainbergmfisch, well, help us get everyone moved to v3 :) then it'll work like you expect!20:33
morganfainbergmfisch (shameless plug for help to get OpenStack on keystone V3)20:34
mfischI'm on board20:34
morganfainbergdolphm, on the topic of v3 vs v2... we should start thinking about alternate versioning mechanisms so we don't run into the Nova problem if we hit the limits (design or otherwise) of keystone v3 API.20:34
dolphmmorganfainberg: the nova problems?20:34
dolphmproblem*20:35
morganfainbergdolphm, nova v3 can-o-worms20:35
morganfainbergdolphm, it's a hard sell to make a major API version change.20:35
morganfainbergdolphm, especially as the surface area of the API increases20:35
dolphmmorganfainberg: ah yeah... frankly, when both of these api revisions started, openstack was much younger and a transition seemed much more viable20:36
morganfainbergdolphm, i expect we will eventually hit a hard limitation of v3. we should consider options when that happens earlier vs "OMG how do we fix it"20:36
dolphmmorganfainberg: every release that goes by makes that much more challenging20:36
morganfainbergdolphm, i am a fan of microversioning.20:36
dolphmmorganfainberg: we already are microversioning20:36
morganfainbergdolphm, i mean on the public REST API, we add functionality, but changing it is hard.20:36
morganfainbergdolphm, if we want to change how a whole suite of calls work... how do we do that.20:37
mfischmorganfainberg: https://bugs.launchpad.net/keystone/+bug/131132420:37
dolphmmorganfainberg: that sounds like a major version bump to me :-/20:37
uvirtbotLaunchpad bug 1311324 in keystone "documentation does not specify that [auth] drivers only work with v3 API" [Undecided,New]20:37
morganfainbergdolphm, a way to handle API incompatible changes w/o breaking the contract20:37
morganfainbergdolphm, right, and that is the hard sell.20:37
dolphmmorganfainberg: ideally you don't break *everything* with a major version bump20:38
morganfainbergdolphm, maybe we can do per-api versioning. eh, something to talk about later (or per subsystem)20:38
morganfainbergdolphm, ideally.20:38
dolphmmorganfainberg: unfortunately for keystone, part of the motivation for a v3 was simply consistency across the api20:38
morganfainbergdolphm, and for us it's good (same reason nova wanted v3)20:38
morganfainbergdolphm, nothing we need to solve now, but we may want to come up with a API succession plan so to speak - start planning the basics of it (long view)20:39
dolphmmorganfainberg: i'm still interested in separating the "identity-api" into smaller APIs... "auth-api", "identity-management-api", "quota-api", etc20:39
morganfainbergdolphm, ++++++20:39
morganfainbergdolphm, i actually was mulling over some of that.20:39
dolphmmorganfainberg: i'd be easy to break the doc down, but what do you win in the real world?20:40
dolphm(for free)20:40
morganfainbergdolphm, leverage HTTP codes to start. 301 /v3/<blah> -> /<blah>/v320:40
dolphmmorganfainberg: i'd prefer content types over that (application/json+identity-v3.2)20:41
morganfainbergdolphm, and then we can work to increment the major versions of the subsystems as needed. might require continued/better internal isolation, but we've been heading that way.20:41
morganfainbergdolphm, well, i meant for the initial conversion i think the subsystems should be the top level vs the version #20:42
morganfainbergdolphm, past that, content-type would be awesome for that20:42
morganfainbergmfisch, awesome thanks!20:43
morganfainbergdolphm, i really like the idea of content types.20:45
morganfainbergdstanek, do we have a common-ish wsgi implementation across openstack or is it really all over (i think it's the latter)20:48
*** _TheDodd_ has quit IRC20:49
dstanekcontent-types ftw!20:49
dstanekmorganfainberg: i think it's all over the place20:49
morganfainbergdstanek, trying to figure out where to implement HTTP cache headers (etags etc) for APIs so we can get it in all services20:50
morganfainbergwe should be specifying this stuff.20:50
morganfainbergi'm wondering if pecan can do this for us.20:50
bknudsonI think we already have a hard limitation of v3 if we want to start validating inputs (using jsonschema, for example)20:51
dstanekmorganfainberg: i was just asking about pecan vs. tuplip yesterday20:51
morganfainbergdstanek, nice20:52
morganfainbergbknudson, i would agree.20:52
morganfainbergbknudson, i think that makes the argument for splitting the API (and using separate versioning) stronger20:53
morganfainbergbknudson, v3 being the base version.20:53
morganfainbergbknudson, and not saying we should work on a new version of anything until we _must_.20:54
dstanekmorganfainberg: the way i've impplemented this in the past is through facades20:54
openstackgerritDoug Hellmann proposed a change to openstack/keystone: Move stevedore to a production requirement  https://review.openstack.org/8942020:54
morganfainbergdstanek, nod.20:54
bknudsonmorganfainberg: we could use the same technique that we should use for the client API -- up the version when we remove stuff20:55
dstaneka facade for each supported version - the actual implementation of the model is almost changing, but the facades make it look like it's not for stable apis20:55
bknudsonotherwise it's minor version number changes20:55
morganfainbergdstanek, ++ that was the general direction i would like to go20:55
morganfainbergbknudson, sure, but the public facing API can't be a big moving target (I'd argue some of the client stuff is a bit much of a moving target, and we try and minimize that as well)20:57
*** erecio has quit IRC20:59
morganfainbergbknudson, probably nothing we need to address today.21:02
morganfainbergdstanek, ^21:02
dstanekmorganfainberg: what's up?21:02
*** derek_c has joined #openstack-keystone21:04
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Debug log when token found in revocation list  https://review.openstack.org/8969321:08
bknudsontopol: https://review.openstack.org/#/c/78241/ looks ok to me21:09
morganfainbergdstanek, what i just said to bknudson.21:09
morganfainbergdstanek, versions not somethjing we need to solve today.21:09
bknudsonmorganfainberg: let's solve it today anyways21:09
*** kmartin has joined #openstack-keystone21:09
morganfainbergbknudson, lol21:09
morganfainbergbknudson, lets break all the APIs while we're at it too.21:10
morganfainbergbknudson, can we move to a binary only-format as well (HTTP 2.0?)21:10
bknudsonmorganfainberg: let's just make up our own protocol similar to HTTP21:11
morganfainbergbknudson, Love it!21:11
topolbknudson, cool21:12
*** bach has joined #openstack-keystone21:14
*** gyee has joined #openstack-keystone21:20
*** derek_c_ has joined #openstack-keystone21:22
dolphmmorganfainberg: you can't choose v2 AND v3 in your survey21:24
morganfainbergdolphm, oh i can fix that, sec21:24
morganfainbergoh ... no i can't fix it *doh*21:25
dolphmmorganfainberg: the response is going to be 100% v2 then!21:25
morganfainbergthere we go21:26
morganfainbergfixed21:26
morganfainbergadded a v2.0 and v3 option21:26
dolphmmorganfainberg: that works21:26
morganfainbergdolphm, yeah good catch (couldn't change the type of question to be multi-select)21:27
gyeemorganfainberg, dolphm, are we going to add cache (dogpile) for identity manager?21:32
morganfainberggyee, yes21:32
gyeeJuno?21:33
morganfainberggyee, i'm waiting until post summit since the dogpile developer will be there21:33
morganfainbergi might be converting all of the work to oslocache21:33
morganfainbergit's a question of where the code goes, in oslo or in dogpile21:33
gyeei c21:33
morganfainbergsince mike will be there, i can talk to him directly about it21:33
dolphmmorganfainberg: really?21:33
dolphmmorganfainberg: what's his interest in openstack?21:34
morganfainbergdolphm, he wrote SQLAlchemy and Alembic?21:34
dolphmmorganfainberg: so he's just attending because we're users?21:35
dolphmand probably doing it all wrong21:35
morganfainbergdolphm, he was asked by oslo / dreamhost to come and chat with us21:37
morganfainbergso we can be aligned with where SQLA and Alembic are going21:37
*** markstur has quit IRC21:37
morganfainbergand contribute some of our work up to the upstream lib21:37
dolphmmorganfainberg: is there an interrogate-mike session?21:37
morganfainbergdolphm, i think it's on the cross-project one21:38
dolphmmorganfainberg: i don't see it21:38
morganfainberglet me see.21:39
morganfainbergdhellmann, ^ any specifics on the session with mike (SQLA/Dogpile/etc21:42
dhellmannmorganfainberg, dolphm : http://summit.openstack.org/cfp/details/15721:42
dstanekif i have a config option that i want to be a positive integer what is the best way to handle that?21:43
morganfainbergdstanek, IntOpt and validate it's positive?21:43
bknudsonoslo.config doesn't support a parser for the option?21:43
dstaneki was thinking of subclassing IntOpt21:43
morganfainbergit sounds like a valuable option intOpt could benefit from21:44
morganfainberge.g. subclass it and submit the same change up to oslo.config?21:44
dstanekbknudson: not that i can see21:44
dhellmanndstanek: there are some not-well-documented validation features -- look at the type argument21:44
morganfainbergdhellmann is here to save the day!21:44
*** daneyon has quit IRC21:45
bknudsonmake your own Opt and send in a type=21:46
dstanekdhellmann: type argument to Opt?21:46
*** daneyon has joined #openstack-keystone21:46
bknudsondstanek: Looks like you can pass in min= to IntOpt21:47
dstanekbknudson: where to do see that?21:47
dstanekmaybe i have an older version installed21:47
bknudsondstanek: oh, no..21:48
bknudsondstanek: you can create a types.Integer with min=21:48
dhellmannright, that sounds familiar21:48
dstanekbknudson, dhellmann: got it. that's what i can pass to type21:50
dstanekbasically cfg.IntOpt(type=types.integer(min=1))21:50
dstanekbknudson, dhellmann: thanks!21:50
*** topol has quit IRC21:51
bknudsondstanek: that works? don't you get 2 type parameters to the constructor?21:51
*** lbragstad has quit IRC21:53
dstanekbknudson: not exactly, was just summarizing the solution21:54
dstanekbknudson: i have to pass in the name and other options too21:55
openstackgerritDoug Hellmann proposed a change to openstack/keystone: Register all backend classes as entry points  https://review.openstack.org/8941921:59
*** leseb has quit IRC22:01
*** marcoemorais has quit IRC22:02
*** marcoemorais has joined #openstack-keystone22:09
*** leseb has joined #openstack-keystone22:16
*** dstanek is now known as dstanek_zzz22:17
*** joesavak has quit IRC22:18
*** leseb has quit IRC22:21
*** jimbaker has quit IRC22:25
*** bknudson has quit IRC22:25
*** jimbaker has joined #openstack-keystone22:26
*** jimbaker has quit IRC22:26
*** jimbaker has joined #openstack-keystone22:26
gyeeayoung,  can you restore? https://review.openstack.org/#/c/4744122:29
*** andreaf_ has quit IRC22:29
*** bach has quit IRC22:29
*** derek_c has quit IRC22:40
*** derek_c_ has quit IRC22:41
*** nkinder_ has quit IRC22:43
*** stevemar has quit IRC22:47
*** topol has joined #openstack-keystone22:48
*** derek_c_ has joined #openstack-keystone22:53
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Revocation event API  https://review.openstack.org/8116622:54
*** derek_c has joined #openstack-keystone22:55
*** gokrokve has quit IRC22:56
*** derek_c has quit IRC23:00
*** derek_c_ has quit IRC23:00
topoldstanek, dstanek_zzz still around?23:06
morganfainbergtopol, my guess is not (zzzz would be the first reason)23:06
topolmorganfainberg, probably just as well. https://review.openstack.org/#/c/83834/  is one ugly patch :-).  Wanted to poke some fun23:07
topolbut I plus oned it23:08
morganfainberghaha23:08
morganfainbergthe comment "I'm a bad person"23:08
morganfainbergthats... great23:08
*** browne1 has joined #openstack-keystone23:10
*** david-lyle has quit IRC23:10
topolmorganfainberg, I was gonna say something like save the brutal self assesments for launchpad..  But chose not to23:11
topolStaneks patches are a rgeat way to learn about python 323:11
*** browne1 has quit IRC23:11
*** browne1 has joined #openstack-keystone23:11
morganfainbergtopol, i -1'd based upon that comment alone23:11
morganfainbergtopol, now if it was a FIXME .... :P /s23:12
topolI put a comment that said remove before merging23:12
topolyeah, he might as well said, minus 1 my patch please23:12
morganfainbergtopol, if it needs to be removed before merging a -1 would be better, +1 would indicate it's good to go as is. (even as core +1 is "i don't mind it merging as is if other cores want to")23:13
topolOK. I will be more strict.23:13
*** browne has quit IRC23:14
morganfainbergtopol, keep in mind your opinion is important :) if it legitimately needs some reworking in your mind, please -1 it! :)23:14
morganfainbergeven for a silly comment23:14
topolYep.  it was so absurd I figured he knew to remove it but better safe than sorry.  I'll go grab the hammer23:14
*** gokrokve has joined #openstack-keystone23:20
*** gokrokve_ has joined #openstack-keystone23:36
*** gokrokve has quit IRC23:39
*** topol has quit IRC23:47
*** daneyon has quit IRC23:49
*** bknudson has joined #openstack-keystone23:52
bknudsonmorganfainberg: you were +2 on https://review.openstack.org/#/c/79411/ already23:53
morganfainbergoh yeah23:53
morganfainbergbknudson, +2/+A on that easy changes between the patchsets23:54
« Monday, 2014-04-21 Index Wednesday, 2014-04-23 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!