Wednesday, 2014-05-28

gabriel-bezerra	the configuration files on /etc/httpd/conf/	00:00
gabriel-bezerra	in*	00:00
gabriel-bezerra	conf.d*	00:01
openstackgerrit	Brant Knudson proposed a change to openstack/keystone-specs: Spec for V3 extension advertisement https://review.openstack.org/95973	00:01
*** gokrokve has quit IRC		00:03
gabriel-bezerra	morganfainberg, dtroyer ^	00:03
*** gokrokve has joined #openstack-keystone		00:04
gabriel-bezerra	marekd\|away ^	00:04
morganfainberg	gabriel-bezerra, i think they are in conf.d	00:04
morganfainberg	gabriel-bezerra, for RHEL and fedora that is.	00:04
gabriel-bezerra	morganfainberg: but are there default files in those directories as on Ubuntu?	00:05
*** sbfox has quit IRC		00:05
gabriel-bezerra	or is the directory empty when apache is installed ?	00:05
morganfainberg	gabriel-bezerra, honestly, not sure haven't looked recently	00:05
morganfainberg	gabriel-bezerra, i want to say they are ... empty	00:05
morganfainberg	jamielennox, ayoung, ^ gabriel-bezerra's question you guys might know	00:06
gabriel-bezerra	I ask that because I'm moving forward with this review https://review.openstack.org/90771	00:06
gabriel-bezerra	And would like to know if using site.conf{.disabled,} would break anything	00:06
gabriel-bezerra	instead of site{,.conf} as it is today	00:07
jamielennox	umm, the equivalent is just files in /etc/httpd/conf.d/*.conf	00:07
jamielennox	i think they have to end with .conf as there is a README in there that is ignored	00:08
*** gokrokve has quit IRC		00:08
*** ncoghlan has joined #openstack-keystone		00:08
gabriel-bezerra	jamielennox: my question is whether conf.d comes with any file for default sites	00:08
gabriel-bezerra	as ubuntu does	00:08
jamielennox	it has a welcome.conf which is that standard splash screen	00:09
jamielennox	php.conf ends up in there	00:09
gabriel-bezerra	on Ubuntu, a fresh installation of apache comes with /etc/apache2/sites-available/{000-default.conf,default-ssl.conf}	00:09
jamielennox	gabriel-bezerra: no, not like that, though from memory if you install mod_nss it puts some sample files in there	00:10
gabriel-bezerra	ok	00:10
gabriel-bezerra	btw, should I create a new Change on Gerrit?	00:10
gabriel-bezerra	my new patch will be like this:..	00:10
gabriel-bezerra	https://github.com/gabriel-bezerra/devstack/commit/0d42bd7b44e3ba5ea22e68166a92bc3e449186ae	00:11
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone-specs: Add spec for non-persistent-tokens https://review.openstack.org/95976	00:11
gabriel-bezerra	It will touch many more files and resolve things in a different way.	00:11
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone-specs: Add spec for non-persistent-tokens https://review.openstack.org/95976	00:13
bknudson	dstanek_zzz: is https://review.openstack.org/#/c/91825/ abandoned?	00:14
gabriel-bezerra	morganfainberg: ^	00:15
gabriel-bezerra	thank you, jamielennox and morganfainberg, for the information about httpd	00:16
*** shakamunyi has quit IRC		00:18
morganfainberg	bknudson, https://review.openstack.org/#/c/80398/ looks like it wont pass (merge conflict)	00:21
bknudson	morganfainberg: you are shitting me.	00:21
morganfainberg	bknudson, will need a rebase it's related to the sample tokens not being valid	00:21
morganfainberg	bknudson, just checked. like 2 line change :(	00:21
morganfainberg	bknudson, conflicted with one of your changes :P	00:22
bknudson	well, maybe in another 2 weeks it'll merge.	00:22
morganfainberg	well i was about to rebase but wanted to wait for the parent to merge	00:22
morganfainberg	i was just going to +2/+A once the rebase was done since it was a simple rebase	00:23
bknudson	ok	00:23
morganfainberg	bknudson, i aim to get that out in the next ksc release, and we need a ksc release to land compressed tokens ASAP	00:23
morganfainberg	it was mostly a heads up incase you saw it before i got to rebase - either way +2/+A right away.	00:24
gabriel-bezerra	https://review.openstack.org/95977	00:27
morganfainberg	gabriel-bezerra, awesome! I had forgotten who was working on that	00:28
morganfainberg	gabriel-bezerra, thanks :) /me looks at now	00:28
*** praneshp has quit IRC		00:29
*** nkinder has joined #openstack-keystone		00:32
*** gokrokve has joined #openstack-keystone		00:32
*** stevemar has joined #openstack-keystone		00:32
gabriel-bezerra	morganfainberg: thanks :)	00:33
*** dstanek_zzz is now known as dstanek		00:34
*** zhiyan_ is now known as zhiyan		00:34
ayoung	morganfainberg, where are we with the "split keystone middleware into its own repo?"	00:35
morganfainberg	ayoung, i think we're at "do we want to make middleware depend on KSC or vice versa"	00:36
morganfainberg	ayoung, and 2: name	00:36
*** zhiyan is now known as zhiyan_		00:36
ayoung	morganfainberg, oh, that is easy.	00:36
ayoung	python-keystonemiddleware; and pkm depends on pkc	00:37
morganfainberg	ayoung, in that case we will have to copy the middleware changes to pkc to maintain compatibility	00:37
ayoung	morganfainberg, we just need some sort of hack so that people with keystoneclient.middleware.auth_token in their config files don't get broken	00:38
morganfainberg	ayoung, unless we plan a full refactor "no you get nothing new in old middleware" (which is probably not the right answer)	00:38
morganfainberg	ayoung, that one should be easy-ish to do.	00:38
morganfainberg	ayoung, as long as peiople don't try and load both middlewares (hey can't guard against "didn't RTFM")	00:38
*** zhiyan_ is now known as zhiyan		00:38
ayoung	morganfainberg, even that will work. Sort of	00:38
morganfainberg	ayoung, nah, will explode due to re-registering config opts	00:39
ayoung	morganfainberg, should I write up a BP?	00:39
morganfainberg	ayoung, yeah we should have one for this	00:39
ayoung	morganfainberg, I'm on it	00:39
morganfainberg	ayoung, awesome!	00:39
ayoung	morganfainberg, we are going to pull in gordon chungs audit middleware, too	00:39
morganfainberg	ayoung, i'd like to pull in all the middleware from ksc.	00:40
ayoung	Keystone will openstacks Identity, Policy, and Audit....	00:40
ayoung	muahahahahahaha	00:40
morganfainberg	ayoung, we should rename the programt to AAA	00:40
ayoung	OpenStackIPA	00:40
morganfainberg	>.>	00:40
ayoung	%-)	00:41
morganfainberg	hehe	00:41
*** zhiyan is now known as zhiyan_		00:41
*** rodrigods_ has joined #openstack-keystone		00:42
morganfainberg	ayoung, soo about some magic to auto register VMs with FreeIPA	00:43
ayoung	I have a blog post for that	00:43
ayoung	http://adam.younglogic.com/2013/09/register-vm-freeipa/	00:43
morganfainberg	ayoung, thought so.	00:44
morganfainberg	ayoung, awesome.	00:44
*** dstanek is now known as dstanek_zzz		00:44
ayoung	morganfainberg, does that help? It only works from a script	00:44
ayoung	not from Horizon	00:44
ayoung	which might be OK...but I want more	00:44
ayoung	here's what I want:	00:44
morganfainberg	ayoung, i think it could be made to work from horizon... but it'll be a bit bigger x-project work	00:44
ayoung	1. Nova generates an OTP (Random Hash)	00:44
ayoung	2. Nova sends notification to FreeIPA with OTP	00:44
ayoung	must be encrypted or somehow protected	00:45
morganfainberg	we should also support domain == realm	00:45
morganfainberg	so new domains can create a realm >.>	00:45
ayoung	3. Nova adds OTP to Metadata for new VM	00:45
ayoung	morganfainberg, Designate is doing something really similar with their freeIPA backend, but just for DNS	00:45
ayoung	so no OTP	00:45
morganfainberg	ah yeah	00:46
ayoung	and the OTP generation is outside the scope of Designate, but the mechanism on that side would almost be identical, just an ipa host-create instead of the dns call	00:46
morganfainberg	ayoung, yeah sounds like there is def. some alignment there	00:46
stevemar	bknudson, ping?	00:47
bknudson	stevemar: what's up?	00:47
stevemar	bknudson, your remark on https://review.openstack.org/#/c/95845/ - i was referring to https://review.openstack.org/#/c/92228/ (yours)	00:48
stevemar	bknudson, is this one of the 'do as i say, not as i do' situations?	00:48
bknudson	stevemar: in my case I didn't have the previous commit, so I don't know how I'd generate the list	00:50
stevemar	bknudson, ah okay - does this list have a specific format?	00:50
bknudson	for you it will be easy, it's like git log --oneline 2640847..4a777e5 -- (list of files that were synced)	00:50
bknudson	stevemar: git log --oneline	00:51
stevemar	oh	00:51
stevemar	neat	00:51
bknudson	stevemar: --no-merges	00:51
stevemar	someone should add that here https://wiki.openstack.org/wiki/ReviewChecklist#Oslo_Syncing_Checklist	00:51
openstackgerrit	Steve Martinelli proposed a change to openstack/python-keystoneclient: Sync with oslo-incubator 4a777e5 https://review.openstack.org/95845	00:54
stevemar	bknudson, i think ^ addressed it	00:55
bknudson	that was a short list.	00:55
stevemar	yes.. it was just grabbing the doc build errors	00:55
bknudson	y, it finally merged	00:56
bknudson	everything is finally going my way	00:56
*** gokrokve_ has joined #openstack-keystone		00:56
gabriel-bezerra	morganfainberg: I improved the commit message of that change	00:56
stevemar	bknudson, everything is coming up brant!	00:56
ayoung	morganfainberg, trying a git review of a spec	00:57
ayoung	I'm reabse against origin master, but get rebase issues from gerrit	00:57
ayoung	.gitreview I understand why	00:57
ayoung	http://paste.fedoraproject.org/105245/23869414	00:58
ayoung	but after that: http://paste.fedoraproject.org/105246/38751140	00:59
stevemar	ayoung, that would do it	00:59
morganfainberg	ayoung hehe	00:59
ayoung	morganfainberg, I think gerrit is ahead of master	01:00
*** gokrokve has quit IRC		01:00
morganfainberg	ayoung, YOUR master or keystone-specs?	01:00
ayoung	morganfainberg, keystone-specs	01:00
ayoung	let me confirm...thought I did a fetch	01:00
*** dstanek_zzz is now known as dstanek		01:01
morganfainberg	https://github.com/openstack/keystone-specs/blob/master/.gitreview	01:01
morganfainberg	ayoung, looks ok to me, but i remember having to fix that as well when i snagged your tree	01:01
ayoung	nah, twas me	01:01
morganfainberg	ayoung, eh new stuff = mistakes both pebcak and non	01:02
ayoung	morganfainberg, nah, thins are still out of sync, just a different list	01:02
ayoung	morganfainberg, I did fetch and rebase origin/master, then cherrypicked my commit	01:03
morganfainberg	ayoung, which origin you on?	01:04
ayoung	morganfainberg, [remote "origin"]	01:04
ayoung	16 url = git://git.openstack.org/openstack/keystone-specs	01:04
morganfainberg	ayoung, try a clean 'checkout origin/master'	01:04
morganfainberg	unless... is your commit have extra cruft in it?	01:05
morganfainberg	s/is/does/	01:05
ayoung	morganfainberg, nope...is git.openstack out of sync with github?	01:06
* morganfainberg checks		01:06
stevemar	delete it all, clone it fresh	01:06
morganfainberg	ayoung, looks ok to me http://git.openstack.org/cgit/openstack/keystone-specs/tree/.gitreview	01:07
morganfainberg	ayoung, i think you have some cruft that git is confused about, clean clone might be best bet (copy file afterwards and add/commit)	01:07
stevemar	++	01:07
ayoung	$ git diff origin/master --stat	01:07
ayoung	warning: refname 'origin/master' is ambiguous.	01:07
ayoung	specs/juno/OS-SIMPLECERT-CRL.rst \| 272 +++++++++++++++++++++++++++++++++++++++	01:07
ayoung	1 file changed, 272 insertions(+)	01:07
morganfainberg	oh. i bet i know.	01:08
morganfainberg	it's probably just confused because you tried a rebase	01:08
morganfainberg	we didn't keep any history, was squashed	01:08
ayoung	nope	01:08
ayoung	oh, maybe...	01:08
ayoung	let me try just pulling the one file over...but it was a cherry pick first, should be no confusion	01:09
*** mfisch has quit IRC		01:09
morganfainberg	ayoung, i've seen it do silly things before when you have trees that are "close" in end result but have massive object differences	01:09
morganfainberg	ask me about the time i accidently rebased keystoneclient to keystone master	01:10
morganfainberg	>.>	01:11
stevemar	morganfainberg, lol	01:11
stevemar	morganfainberg, how does one even do that	01:11
ayoung	nope	01:12
morganfainberg	stevemar, git add <keystoneclient remote>; git fetch ; git checkout ksc ; git rebase origin/master	01:12
morganfainberg	stevemar, it was spectacular	01:12
morganfainberg	ayoung, i'd copy that file out and just clean clone, something's gone wonky	01:13
*** mfisch has joined #openstack-keystone		01:13
ayoung	morganfainberg, yeah...I hate to give up on git that way	01:13
*** mfisch has quit IRC		01:13
*** mfisch has joined #openstack-keystone		01:13
morganfainberg	ayoung, ditto, but every now and again (esp. in cases like keystone-specs repo getting muddled up) it is the easiest	01:14
morganfainberg	ayoung, it was based on your repo, triple-o, some of nova upstream, squashed, then named identity-specs, then renamed keystone-specs	01:14
morganfainberg	ayoung, something is bound to get fouled up somewhere	01:14
stevemar	ayoung, who cares, isn't that the beauty of remote repos, you can nuke it at anytime, and rebuild	01:15
*** ncoghlan is now known as ncoghlan_afk		01:15
ayoung	stevemar, it matters in that I want to understand what my tools are doing. Otherwise I can't trust them	01:16
morganfainberg	ayoung, i'll bet it has some ref in there that is making it unhappy and you could clean the object up and it'd be fine. this is a case though, where it doesn't seem worth it	01:17
ayoung	true...draft review just went through fine post clone	01:18
* morganfainberg glares at trove patch: https://jenkins06.openstack.org/job/gate-tempest-dsvm-full/3690/console MERGE damn it		01:19
morganfainberg	so i can rebase the ksc change and get that in so we can get a new ksc released...	01:19
morganfainberg	then... dinner time	01:19
stevemar	morganfainberg, don't you hate admitting that you've been so concerned about a patch that you look at zuuls console...	01:19
stevemar	i've done that more than i care to admit	01:20
morganfainberg	stevemar, nah, i watch ZuulTV on a regular basis	01:20
stevemar	:P	01:20
morganfainberg	better than sitcoms most of the time. the characters have more depth and are more believable	01:20
morganfainberg	i feel an investment in them that i don't get from cable tv	01:20
morganfainberg	it may have something to do with not having TV service though...	01:21
*** dstanek is now known as dstanek_zzz		01:24
*** dstanek_zzz is now known as dstanek		01:24
openstackgerrit	A change was merged to openstack/python-keystoneclient: auth_token hashes PKI token once https://review.openstack.org/92499	01:26
*** zhiyan_ is now known as zhiyan		01:26
*** gokrokve_ has quit IRC		01:27
*** gokrokve has joined #openstack-keystone		01:28
*** gokrokve has quit IRC		01:32
openstackgerrit	ayoung proposed a change to openstack/keystone-specs: create python-keystonemiddleware repo https://review.openstack.org/95987	01:35
*** browne has joined #openstack-keystone		01:35
morganfainberg	ayoung, i think you need to link into the docs and index.rst in that review as well	01:37
ayoung	morganfainberg, probably.	01:37
morganfainberg	ayoung, i'll 2x check and update if its needed.	01:38
ayoung	++	01:38
ayoung	morganfainberg, I 'm on it	01:39
morganfainberg	ayoung, ok works for me	01:40
openstackgerrit	Morgan Fainberg proposed a change to openstack/python-keystoneclient: auth_token middleware hashes tokens with configurable algorithm https://review.openstack.org/80398	01:40
openstackgerrit	ayoung proposed a change to openstack/keystone-specs: create python-keystonemiddleware repo https://review.openstack.org/95987	01:40
ayoung	morganfainberg, BTW, I want to put policy in there as well, although, strictly speaking, policy is not going to be a middleware, it is going to be code called by middleware	01:42
morganfainberg	ayoung, thats fine.	01:42
morganfainberg	ayoung, it's server specific code really	01:42
ayoung	yeah	01:42
morganfainberg	not cli/utility	01:42
morganfainberg	ayoung, btw, you had copy/pasta error in your change keystoneclient != middleware in index.rst	01:43
ayoung	ah	01:43
morganfainberg	i also expect us to release middleware like client, independant of major releases (e.g. juno)	01:43
openstackgerrit	ayoung proposed a change to openstack/keystone-specs: create python-keystonemiddleware repo https://review.openstack.org/95987	01:44
ayoung	++	01:44
lbragstad	woo! another spec up	01:44
morganfainberg	lbragstad, i think i have 4 more to propose (myself)	01:44
lbragstad	++	01:44
morganfainberg	lbragstad, gonna be a busy cycle	01:45
*** RockKuo_Office has joined #openstack-keystone		01:45
morganfainberg	and we need to figue out the combining of identity-api with keystone-specs	01:45
morganfainberg	not sure how we'll handle that.	01:46
*** devkulkarni has joined #openstack-keystone		01:47
lbragstad	morganfainberg: how come we could just include it in the keystone-specs tree?	01:48
* lbragstad rookie question?		01:49
*** devkulkarni1 has joined #openstack-keystone		01:49
morganfainberg	lbragstad, we could. it's a question of converting it? do we want it separate from the specs themselves... what if a spec doesn't get implemented and we chuck it next cycle -- do we revert the changes to identity-api docs?	01:49
lbragstad	didn't dolphm have the idea of generating the docs from the specs?	01:50
*** devkulkarni has quit IRC		01:51
*** devkulkarni has joined #openstack-keystone		01:51
morganfainberg	lbragstad, sure.. still need to get from here to there ;)	01:52
stevemar	morganfainberg, lbragstad i think the two will have to live separately for now	01:53
morganfainberg	lbragstad, totally doable, just need to decide what we want.	01:53
lbragstad	morganfainberg: so for that, we would need to provide some specs to cover what already exists.	01:53
lbragstad	or something to convert,	01:53
*** devkulkarni1 has quit IRC		01:54
morganfainberg	lbragstad, yea	01:56
*** morazi has quit IRC		01:57
openstackgerrit	ayoung proposed a change to openstack/keystone: Kerberos as method name https://review.openstack.org/95989	01:58
*** browne has quit IRC		01:59
openstackgerrit	Lance Bragstad proposed a change to openstack/keystone-specs: Purpose keystone-api-validation blueprint https://review.openstack.org/95957	02:01
*** mberlin has quit IRC		02:03
*** mberlin has joined #openstack-keystone		02:04
*** raildo has quit IRC		02:09
*** diegows has quit IRC		02:09
*** htruta has quit IRC		02:09
*** tellesnobrega has quit IRC		02:09
*** gabriel-bezerra has quit IRC		02:09
*** rodrigods has quit IRC		02:09
*** xianghui has joined #openstack-keystone		02:22
*** lbragstad has quit IRC		02:33
*** lbragstad has joined #openstack-keystone		02:33
*** BAKfr has quit IRC		02:33
*** htruta has joined #openstack-keystone		02:36
*** zhiyan is now known as zhiyan_		02:36
*** browne has joined #openstack-keystone		02:36
*** rodrigods has joined #openstack-keystone		02:38
*** browne has quit IRC		02:38
*** ncoghlan_afk is now known as ncoghlan		02:39
*** raildo has joined #openstack-keystone		02:43
*** tellesnobrega has joined #openstack-keystone		02:45
*** gyee has quit IRC		02:49
*** zhiyan_ is now known as zhiyan		02:49
*** dims has quit IRC		02:57
*** mberlin has quit IRC		03:04
*** ncoghlan is now known as ncoghlan_afk		03:09
*** devkulkarni has quit IRC		03:10
*** gabriel-bezerra has joined #openstack-keystone		03:10
*** Camisa has joined #openstack-keystone		03:12
*** Camisa has joined #openstack-keystone		03:12
openstackgerrit	A change was merged to openstack/python-keystoneclient: Add description param to v3 service create/update https://review.openstack.org/79774	03:13
openstackgerrit	Matt Fischer proposed a change to openstack/python-keystoneclient: Add support for extensions-list https://review.openstack.org/92978	03:16
*** harlowja_ is now known as harlowja_away		03:16
*** mberlin has joined #openstack-keystone		03:16
*** zhiyan is now known as zhiyan_		03:16
*** shakamunyi has joined #openstack-keystone		03:19
*** dstanek is now known as dstanek_zzz		03:21
*** zhiyan_ is now known as zhiyan		03:22
*** shakamunyi has quit IRC		03:24
openstackgerrit	ayoung proposed a change to openstack/keystone: compressed tokens https://review.openstack.org/71325	03:32
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Add endpoint handling to Token/Endpoint auth https://review.openstack.org/91216	03:36
*** zhiyan is now known as zhiyan_		03:41
openstackgerrit	A change was merged to openstack/keystone: replaced unicode() with six.text_type() https://review.openstack.org/95469	03:41
openstackgerrit	A change was merged to openstack/keystone: no one uses macports https://review.openstack.org/90137	03:41
openstackgerrit	A change was merged to openstack/keystone: indicate that sensitive messages can be disabled https://review.openstack.org/94871	03:50
openstackgerrit	A change was merged to openstack/python-keystoneclient: Add /role_assignments endpoint support https://review.openstack.org/91578	03:51
*** shakamunyi has joined #openstack-keystone		03:52
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Convert auth_token to use session https://review.openstack.org/74908	03:58
*** david-lyle has joined #openstack-keystone		04:01
*** afazekas has quit IRC		04:12
*** zhiyan_ is now known as zhiyan		04:13
*** ukalifon has joined #openstack-keystone		04:24
*** marcoemorais has joined #openstack-keystone		04:25
*** shakamunyi has quit IRC		04:27
*** praneshp has joined #openstack-keystone		04:27
*** praneshp_ has joined #openstack-keystone		04:29
*** praneshp has quit IRC		04:32
*** praneshp_ is now known as praneshp		04:32
*** marcoemorais1 has joined #openstack-keystone		04:32
*** marcoemorais has quit IRC		04:34
*** afazekas has joined #openstack-keystone		04:40
*** ajayaa has joined #openstack-keystone		04:48
*** bvandenh has joined #openstack-keystone		04:50
*** shakamunyi has joined #openstack-keystone		04:52
*** zhiyan is now known as zhiyan_		04:53
openstackgerrit	Steve Martinelli proposed a change to openstack/keystone: Add openID Connect auth plugin for federation https://review.openstack.org/61662	04:53
*** shakamunyi has quit IRC		04:54
*** david-lyle has quit IRC		04:57
*** david-lyle has joined #openstack-keystone		04:57
*** ukalifon has quit IRC		05:01
*** david-lyle has quit IRC		05:02
*** ncoghlan_afk is now known as ncoghlan		05:02
openstackgerrit	A change was merged to openstack/python-keystoneclient: auth_token middleware hashes tokens with configurable algorithm https://review.openstack.org/80398	05:11
*** shakamunyi has joined #openstack-keystone		05:12
*** bvandenh has quit IRC		05:12
*** zhiyan_ is now known as zhiyan		05:14
*** zhiyan is now known as zhiyan_		05:25
*** askb has joined #openstack-keystone		05:35
*** shakamunyi has quit IRC		05:40
*** shakamunyi has joined #openstack-keystone		05:40
*** askb has quit IRC		05:49
*** stevemar has quit IRC		05:53
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex https://review.openstack.org/90288	06:00
*** chen has joined #openstack-keystone		06:06
openstackgerrit	guang-yee proposed a change to openstack/keystone: Make sure scoping to the project of a disabled domain result in 401. https://review.openstack.org/94251	06:09
*** jaosorior has joined #openstack-keystone		06:15
*** ukalifon has joined #openstack-keystone		06:16
openstackgerrit	Juan Antonio Osorio Robles proposed a change to openstack/keystone: Refactor driver_hints https://review.openstack.org/93992	06:17
*** tomoiaga has joined #openstack-keystone		06:25
*** boris-42 has quit IRC		06:45
*** ncoghlan is now known as ncoghlan_afk		06:46
*** ncoghlan_afk is now known as ncoghlan		06:49
*** boris-42 has joined #openstack-keystone		06:50
*** praneshp has quit IRC		06:59
*** BAKfr has joined #openstack-keystone		07:15
*** zhiyan_ is now known as zhiyan		07:18
openstackgerrit	Li Ma proposed a change to openstack/keystone: Password trunction makes password insecure https://review.openstack.org/77325	07:25
*** zhiyan is now known as zhiyan_		07:27
openstackgerrit	Marek Denis proposed a change to openstack/keystone: Suggest users to remove REMOTE_USER from shibd conf https://review.openstack.org/93936	07:34
*** bvandenh has joined #openstack-keystone		07:41
*** ncoghlan has quit IRC		08:10
*** andreaf has joined #openstack-keystone		08:18
*** shakamunyi has quit IRC		08:43
openstackgerrit	henry-nash proposed a change to openstack/keystone: multi-backend support for identity https://review.openstack.org/74214	09:01
*** ByteSore_ is now known as ByteSore		09:05
*** marcoemorais1 has quit IRC		09:07
*** zhiyan_ is now known as zhiyan		09:19
*** zhiyan is now known as zhiyan_		09:28
openstackgerrit	Rodrigo Duarte Sousa proposed a change to openstack/python-keystoneclient: Fix attributes ordering at v3/client.py https://review.openstack.org/96113	09:29
openstackgerrit	Rodrigo Duarte Sousa proposed a change to openstack/python-keystoneclient: Fix attributes ordering at v3/client.py https://review.openstack.org/96113	09:31
*** zhiyan_ is now known as zhiyan		09:37
*** shakamunyi has joined #openstack-keystone		09:40
*** shakamunyi has quit IRC		09:45
*** zhiyan is now known as zhiyan_		09:46
*** fmarco76 has joined #openstack-keystone		09:48
*** fmarco76 has quit IRC		09:49
*** boris-42 has quit IRC		09:52
*** rodrigods_ has quit IRC		09:54
*** boris-42 has joined #openstack-keystone		10:16
*** diegows has joined #openstack-keystone		10:53
*** yfujioka has joined #openstack-keystone		11:20
yfujioka	hello	11:21
yfujioka	I want to try Keystone v3 api	11:22
yfujioka	I tried set IDENTITY_API_VERSION=3 in localrc, but stack.sh is failing.	11:24
*** rdxc has joined #openstack-keystone		11:28
*** rdxc has left #openstack-keystone		11:29
*** RockKuo_Office has quit IRC		11:32
*** dims has joined #openstack-keystone		11:45
*** dstanek_zzz is now known as dstanek		11:47
*** xianghui has quit IRC		11:49
gabriel-bezerra	Might you take a look at? https://bugs.launchpad.net/keystone/+bug/1320140	11:59
uvirtbot	Launchpad bug 1320140 in keystone "Federation documentation is not clear about mapping.rules.local.user.name" [Undecided,New]	11:59
*** roby_ has joined #openstack-keystone		12:12
*** dims has quit IRC		12:39
*** hrybacki has joined #openstack-keystone		12:40
*** andreaf has quit IRC		12:41
*** erecio has joined #openstack-keystone		12:41
*** mberlin has quit IRC		12:42
*** gordc has joined #openstack-keystone		12:44
dolphm	bknudson: i see you've been on a code review rampage lol	12:44
openstackgerrit	Juan Antonio Osorio Robles proposed a change to openstack/keystone: Refactor tests regarding required attributes https://review.openstack.org/92535	12:49
*** mberlin has joined #openstack-keystone		12:54
bknudson	dolphm: rampage is the right word. is there any other way?	12:57
*** stevemar has joined #openstack-keystone		13:06
*** dstanek is now known as dstanek_zzz		13:07
*** bknudson has quit IRC		13:11
*** hrybacki has quit IRC		13:12
*** dstanek_zzz is now known as dstanek		13:23
*** yfujioka has quit IRC		13:23
rodrigods	stevemar, there?	13:25
dstanek	dolphm: is there any official guidance for setting the importance on bugs?	13:30
dstanek	dolphm: or is just experience and intuition?	13:31
dolphm	dstanek: i set priority mostly based on impact compared to most common use cases / code paths	13:31
dolphm	dstanek: and use low for bugs just looking for a refactor, since it's confusing to see them appear as wishlist in 6 months	13:32
dolphm	dstanek: there is some guidance in a wiki somewhere, but there's not any surprises - so yes, use your intuition :)	13:33
*** bknudson has joined #openstack-keystone		13:34
dstanek	there are some new/undecided bugs that haven't been commented on in months - i was going to set them to low (unless they are a security issue)	13:34
dstanek	i have now officially flipped through att 261 open bugs at least once! i feel accomplished	13:35
dolphm	dstanek: and closed 2 :D	13:35
stevemar	rodrigods, i am now, good morning	13:36
dstanek	dolphm: that was easy - the work had long been done	13:36
dstanek	following all of the crazy discussions was the challenge	13:36
stevemar	dstanek, the discussions can be a bit crazy	13:37
dstanek	i think there are actually a few more we fixed months ago, but i need to check on that	13:37
dolphm	dstanek: so you said you were going to go close all the stale blueprints next, right?	13:37
stevemar	that shouldn't be as bad	13:37
* dstanek slowly and quietly backs out of the room		13:38
dstanek	dolphm: how do you know if they are stale? just haven't been updated in a long time?	13:38
dolphm	dstanek: you know you want to click me! blueprints.launchpad.net/keystone/	13:38
rodrigods	stevemar, gm =)	13:38
dolphm	although it'd be easier if it was a valid link https://blueprints.launchpad.net/keystone/	13:39
rodrigods	stevemar, the v3 client ordering stuff: https://review.openstack.org/#/c/96113/	13:39
dolphm	dstanek: i suppose? especially if there's no assignee / no progress against it	13:39
dolphm	dstanek: we probably need to do something to indicate all the ones that do not have approved -specs soon	13:39
*** gokrokve has joined #openstack-keystone		13:40
stevemar	rodrigods, ohh ty	13:40
dstanek	dolphm: i'll start poking a blueprints in a bit - i have a list of bugs to follow up on	13:40
stevemar	rodrigods, +2 / +A	13:40
*** gokrokve has quit IRC		13:40
*** gokrokve has joined #openstack-keystone		13:41
rodrigods	stevemar, great!	13:41
dstanek	dolphm: i also have to finish drafting my service scoped token spec	13:41
*** afaranha has joined #openstack-keystone		13:41
dolphm	dstanek: both of those are more important than cleaning up bp's :)	13:42
dstanek	dolphm: morganfainberg: ayoung: bknudson: stevemar: all: before i forget again - i'm out next week so you'll see much less of me and it may take me a while to respond to things	13:43
dolphm	dstanek: ack	13:43
bknudson	dstanek: do you have time to update https://review.openstack.org/#/c/91825/ ?	13:44
bknudson	seems like oslo syncs are blocked since this is not making progress	13:44
*** rodrigods_ has joined #openstack-keystone		13:45
dstanek	bknudson: sure, i can do it right now	13:45
*** rodrigods_ has quit IRC		13:48
dstanek	bknudson: is it OK to update the config and sync all in one commit?	13:49
bknudson	dstanek: I don't have a problem with that.	13:50
*** afaranha has left #openstack-keystone		13:50
bknudson	it could also be done separately if you think that they're not related.	13:51
openstackgerrit	Lance Bragstad proposed a change to openstack/keystone-specs: Purpose keystone-api-validation blueprint https://review.openstack.org/95957	13:51
bknudson	for example if the config update has no effect on what modules are used then it could be separate	13:51
*** andreaf has joined #openstack-keystone		13:52
*** shakamunyi has joined #openstack-keystone		13:54
*** rodrigods_ has joined #openstack-keystone		13:55
*** gokrokve has quit IRC		13:58
dstanek	bknudson: do you just manually look for the last olso sync in keystone so you can get the list of changes?	13:58
*** gokrokve has joined #openstack-keystone		13:58
bknudson	dstanek: yes, a git log in keystone/openstack/common should show it	13:58
*** bvandenh has quit IRC		13:59
openstackgerrit	Lance Bragstad proposed a change to openstack/keystone-specs: Purpose keystone-api-validation blueprint https://review.openstack.org/95957	13:59
*** gokrokve has quit IRC		14:02
*** rodrigods_ has quit IRC		14:03
*** hrybacki has joined #openstack-keystone		14:03
dstanek	bknudson: running 'git log --oneline 74ae271..HEAD \| grep -v Merge' in olso give 42 changes :-)	14:03
bknudson	dstanek: --no-merges	14:03
bknudson	dstanek: also, add the files that were updated so you only get the changes for those files.	14:04
dstanek	bknudson: ah, that's a good tip	14:04
bknudson	e.g., git log --no-merges --oneline 74ae271..HEAD -- openstack/common/gettextutils.py	14:04
raildo	dolphm: I want to resolve this bug: https://bugs.launchpad.net/keystone/+bug/1294735	14:07
uvirtbot	Launchpad bug 1294735 in keystone "Disable domain doesn't disable users in the domain" [Medium,Triaged]	14:07
raildo	dolphm: the error occurs at this point https://github.com/openstack/keystone/blob/master/keystone/assignment/core.py#L316 , correct?	14:08
*** roby_ has quit IRC		14:10
*** gokrokve has joined #openstack-keystone		14:12
*** dstanek is now known as dstanek_zzz		14:19
htruta	stevemar, dtroyer, could you review my patch? https://review.openstack.org/#/c/91634/9 It was depending on the rodrigods patch that was merged today.	14:19
stevemar	htruta, will keep it open in a tab :)	14:21
openstackgerrit	Kévin Bernard-Allies proposed a change to openstack/keystone: Fixes duplicated DELETE queries on SQL backends https://review.openstack.org/96173	14:23
*** david-lyle has joined #openstack-keystone		14:24
htruta	htruta that's something. thanks	14:24
htruta	stevemar: that's something. thanks	14:24
openstackgerrit	Kévin Bernard-Allies proposed a change to openstack/keystone: Fixes duplicated DELETE queries on SQL backends https://review.openstack.org/96173	14:26
dolphm	raildo: yes; a handler in the identity driver should subscribe to that notification	14:26
dolphm	raildo: that method should also emit a token revocation event if it doesn't already	14:27
dolphm	(i believe it does, but you could ensure it's tested)	14:27
*** ukalifon has quit IRC		14:27
*** ajayaa has quit IRC		14:29
*** dstanek_zzz is now known as dstanek		14:34
raildo	dolphm: Ok, I will investigate this and I think I'll sign in the bug. Thank you.	14:36
dolphm	raildo: thanks!	14:36
dstanek	bknudson: git log --oneline 74ae271.. -- `(cd ../keystone; git diff-tree --no-commit-id --name-only -r HEAD \| egrep '/openstack/\|^tools' \| sed -e 's/^keystone\///')`	14:37
dstanek	ugg...deleted the --no-merge	14:38
bknudson	dstanek: nice!	14:38
dstanek	bknudson: if you follow your instructions verbatim the README gets deleted	14:42
bknudson	dstanek: I always restore it	14:43
*** thedodd has joined #openstack-keystone		14:48
openstackgerrit	David Stanek proposed a change to openstack/keystone: Cleanup openstack-common.conf and sync from olso https://review.openstack.org/91825	14:49
openstackgerrit	Lance Bragstad proposed a change to openstack/keystone-specs: Purpose keystone-api-validation blueprint https://review.openstack.org/95957	14:52
*** thedodd has quit IRC		14:53
*** thedodd has joined #openstack-keystone		14:53
*** diegows has quit IRC		14:55
*** gokrokve has quit IRC		14:56
*** gokrokve has joined #openstack-keystone		14:57
*** radez_g0n3 is now known as radez		14:58
BAKfr	someone know if there is a way to manage keystone clients apps ?	14:58
BAKfr	I would block clients if user has not explicitly allowed it.	14:59
*** gokrokve has quit IRC		15:02
dstanek	BAKfr: why are you looking to do that?	15:06
BAKfr	stanek, I would let developers making new client application using my storage services.	15:10
*** afazekas has quit IRC		15:10
BAKfr	But i should possibly block an application (for security purpose)	15:12
stevemar	htruta, fastest turn around time ever	15:13
morganfainberg	mornin	15:14
dstanek	BAKfr: i think you'll have to implement something to do that	15:14
dstanek	morganfainberg: morning	15:15
BAKfr	dstanek, I think so.	15:15
*** shakamunyi has quit IRC		15:16
dstanek	BAKfr: sounds like you need a way for developers to register an application and a way for you to verify that at request time	15:16
morganfainberg	dolphm, i'm going to do one more pass on ksc patches before we should be good for a release, but I think we got the big ones in.	15:16
dolphm	morganfainberg: sounds good, let me know when you need me	15:17
BAKfr	I was hoping for a fast and simple solution I hadn't seen yet.	15:17
BAKfr	dstanek, Ideally, OAuth2 would have been perfect for me	15:18
dstanek	BAKfr: i know commercial companies that provide that kind of service, but no open source that i have seen	15:18
*** shakamunyi has joined #openstack-keystone		15:18
*** tomoiaga has quit IRC		15:21
BAKfr	dstanek, I am in a commercial company who wants provide that kind of service ^^	15:23
BAKfr	But i don't think i'm the only one which be interested by that.	15:23
dstanek	BAKfr: what company?	15:24
BAKfr	dstanek, very small french company, Bajoo	15:24
*** devkulkarni has joined #openstack-keystone		15:24
BAKfr	dstanek, http://www.bajoo.fr/en/	15:25
BAKfr	our actual implementation was done quickly, with git, without any plan to scale.	15:27
BAKfr	and now we've started to migrate to Keystone + Swift	15:28
morganfainberg	dolphm, https://bugs.launchpad.net/keystone/+bug/1253482 comment came up earlier, this doesn't really seem "critical" (only because it's slow fix and _mostly_ mitigated, documentation part was critical). the only real fix is abandoning 35357 and/or moving to shared 80/443 via apache	15:29
uvirtbot	Launchpad bug 1253482 in devstack "Keystone's IANA-assigned default port in linux local ephemeral port range" [Undecided,In progress]	15:29
morganfainberg	dolphm, possibly move to high or medium now?	15:29
morganfainberg	cc dstanek, ^	15:29
dolphm	morganfainberg: shrug i had it as Won't Fix	15:30
morganfainberg	ah i'm ok with that as well.	15:30
dolphm	i guess we could still do the doc fix approach	15:31
*** gokrokve has joined #openstack-keystone		15:31
dolphm	morganfainberg: https://review.openstack.org/#/c/58013/	15:32
openstackgerrit	Dolph Mathews proposed a change to openstack/keystone: recommend excluding 35357 from ephemeral ports https://review.openstack.org/58013	15:32
BAKfr	dstanek, btw, I think to implement OAuth2 in Keystone myself	15:32
dolphm	stevemar: ^	15:32
morganfainberg	dolphm, ah yep i +2'd that already	15:32
stevemar	BAKfr, use oauth1 :P	15:33
morganfainberg	dolphm, works for me.	15:33
stevemar	BAKfr, what was the use case again? I think we spoke on monday?	15:33
stevemar	BAKfr, tbh, i wouldn't mind seeing oauth2 in keystone either :)	15:34
BAKfr	stevemar, let user to allow (or not) client apps.	15:34
BAKfr	stevemar, and for we (admin), be able to block a client app	15:36
*** devkulkarni has left #openstack-keystone		15:36
stevemar	BAKfr, might be worth looking at: https://github.com/openstack/identity-api/blob/master/v3/src/markdown/identity-api-v3-os-oauth1-ext.md	15:36
stevemar	it's a way for an admin (or user) to delegate some role(s) on a specific project to a consumer (client)	15:38
stevemar	it can then delete the consumer, or revoke it's access	15:38
BAKfr	stevemar, I've seen it, but it seems to me that OAuth1 supports only website ?	15:40
dstanek	dolphm: restoring that patch?	15:40
morganfainberg	dolphm, ok another pass on ksc, i think we should wait for the gating changes to clear https://review.openstack.org/#/c/92978/ [currently gating]	15:41
dolphm	dstanek: which one?	15:41
morganfainberg	dolphm, but that should be ~1h or so.	15:41
dolphm	dstanek: 58013?	15:41
dstanek	dolphm: yes, why bring it back? or rather...why was it abandoned?	15:43
stevemar	BAKfr, i don't think so	15:44
dolphm	dstanek: it was abandoned because it's a less-than-ideal solution, but i still think it's the best step forward that we have	15:44
dolphm	dstanek: short of dropping 35357 which might break hardcoded clients	15:45
dstanek	dolphm: i'm totally fine with it...just having trouble with Apsu's comment	15:46
stevemar	BAKfr, there is code in keystoneclient to show how to create request/access tokens using a python library (oauthlib)	15:46
*** gyee has joined #openstack-keystone		15:46
dstanek	stevemar: BAKfr: all the cool flows were added in oauth2	15:46
stevemar	dstanek, and all the cool vulnerabilities too	15:47
morganfainberg	stevemar, you're stealing bknudson's comments! :P	15:47
stevemar	morganfainberg, haha, that was rather bknudson inspired - wasn't it? I'm learning well	15:48
morganfainberg	stevemar, yep	15:48
dstanek	stevemar: i lost interest in oauth2 when one of the main authors left and blogged about its issues	15:48
stevemar	dstanek, that blog was glorious	15:48
BAKfr	dstanek, stevemar , I've read this post and looked at OAuth2	15:50
BAKfr	that not as dirty as he say	15:51
dstanek	one of my favorite quotes ever: "They say the road to hell is paved with good intentions. Well, that’s OAuth 2.0."	15:51
dolphm	OAuth 3.0 for Humans	15:52
dolphm	%s/v1.0/v3.0/	15:52
stevemar	BAKfr, yeah, it's not bad, openID Connect is based off of it, and that looks sweet	15:54
*** afazekas has joined #openstack-keystone		15:54
*** gokrokve has quit IRC		15:58
*** gokrokve has joined #openstack-keystone		15:58
BAKfr	OAuth2 throws out some good part of OAuth1, like encryption, but covers more use cases.	15:59
BAKfr	By the way, I guess I've no easy way to do what I want with OAuth1 :(	16:00
*** marcoemorais has joined #openstack-keystone		16:00
arunkant	all, can anybody provide me the guideline on how to add ldappool dependency (not present in global requirements) for https://review.openstack.org/#/c/95300/.	16:01
BAKfr	So I think I'll try to implement OAuth2	16:01
*** gokrokve has quit IRC		16:03
dolphm	stevemar: marekd\|away: https://review.openstack.org/#/c/96173/	16:04
*** marcoemorais has quit IRC		16:04
*** marcoemorais has joined #openstack-keystone		16:04
BAKfr	dolphm, thanks for the review :)	16:05
*** marcoemorais has quit IRC		16:05
*** marcoemorais has joined #openstack-keystone		16:05
dolphm	BAKfr: good catch - i bet we've all read that code before and glossed straight over it!	16:06
morganfainberg	dolphm, ++	16:06
*** marcoemorais has quit IRC		16:07
*** marcoemorais has joined #openstack-keystone		16:07
morganfainberg	dolphm, though (nitpicky hat on) isn't the query(Region).filter_by(id=region).delete() more efficient?	16:08
dolphm	morganfainberg: why?	16:08
dolphm	morganfainberg: they emit the same sql	16:08
dolphm	morganfainberg: or should, no?	16:08
morganfainberg	dolphm, i belive it saves a select	16:08
morganfainberg	dolphm, we do the select at line 126	16:08
morganfainberg	which is ... superfluous except to validate the region exists?	16:09
dolphm	morganfainberg: ah - you could eliminate the select	16:09
dolphm	morganfainberg: yep	16:09
morganfainberg	at this point in the code, my guess is we don't care if the region really exists. the delete (obviously) doesn't raise an exception	16:09
gabriel-bezerra	RedHat folks, does httpd works in RHEL the same way as in Fedora? dtroyer asked me that in https://review.openstack.org/95977	16:10
morganfainberg	this is pretty damn nit-picky, i think this is not a common operation	16:10
morganfainberg	dolphm, i'm fine with leaving it as is though.	16:11
bknudson	dstanek: I got different results when I synced oslo-incubator caed79d	16:11
BAKfr	morganfainberg, dolphm I've seen code to use similar select queries for checking if an entity exists, so I've kept it	16:11
dolphm	BAKfr: understood; the more efficient way would be to issue the delete and raise a 404 if no rows were affected	16:12
morganfainberg	dolphm, i wonder....	16:12
morganfainberg	dolphm, ah we rely on _get_region to raise the 404	16:13
morganfainberg	dolphm, lets not do a massive restructure for a minor gain	16:13
morganfainberg	BAKfr, no need to change it, this is the least amount of change - my suggestion for efficiency would be a much larger restructure i think.	16:14
gabriel-bezerra	ayoung, jamielennox ^	16:14
dolphm	morganfainberg: ++	16:14
dstanek	bknudson: really?	16:15
bknudson	dstanek: https://review.openstack.org/#/c/91825/2/keystone/openstack/common/gettextutils.py	16:16
bknudson	_translators = TranslatorFactory('keystone') -> _translators = TranslatorFactory('oslo')	16:16
bknudson	that's actually going to break translation	16:16
bknudson	domain='keystone', args): -> domain='oslo', args):	16:16
dstanek	bknudson: hmm...i wonder what happened there...i'll try that again	16:16
morganfainberg	bknudson, looks like the magic {"rename oslo to {project}" code failed?	16:16
bknudson	right, the update.py script is supposed to change `oslo` to `keystone`	16:17
bknudson	dstanek: I wasn't using the in-review oslo-incubator update.py change, just the plain one.	16:17
ayoung	gabriel-bezerra, yes, although RHEL is always going to trail Fedora, so it won't be identical	16:23
dstanek	bknudson: it's odd too because there was a systemd change that i didn't have	16:23
ayoung	morganfainberg, I would love to get the Kerberos patch in for client, but understand if we are not ready for it	16:24
BAKfr	If someone wants another small patch to review: https://review.openstack.org/#/c/95212/ :)	16:25
morganfainberg	ayoung, i'm not sure about the consensus on it.	16:25
gabriel-bezerra	ayoung: so is it valid that RHEL6 enables all sites whose config file ends with .conf in /etc/httpd/conf.d? Can we use the way to configure Fedora there as well?	16:25
openstackgerrit	A change was merged to openstack/python-keystoneclient: Fix attributes ordering at v3/client.py https://review.openstack.org/96113	16:25
openstackgerrit	A change was merged to openstack/python-keystoneclient: Authenticate via oauth https://review.openstack.org/81981	16:25
ayoung	gabriel-bezerra, "sites" meaning entries in /etc/httpd/conf.d?	16:26
gabriel-bezerra	yes	16:26
openstackgerrit	David Stanek proposed a change to openstack/keystone: Cleanup openstack-common.conf and sync from olso https://review.openstack.org/91825	16:26
dstanek	bknudson: see if that matches ^	16:26
gabriel-bezerra	ayoung: can you take a look at the review?	16:26
ayoung	will do	16:26
bknudson	dstanek: no diffs this time.	16:27
dstanek	bknudson: i have to idea what happened...i just ran the same commands from my zsh history	16:28
bknudson	dstanek: switch to bash	16:28
dstanek	bknudson: can't downgrade now - i'm too invested	16:30
ayoung	gabriel-bezerra, this is for Devstack, right? Pretty sure that the CentOS code there has bit rotted.	16:31
morganfainberg	ayoung, ++	16:31
morganfainberg	ayoung, re: reberos, i just ran a recheck on it now that global reqs has requests-kerb	16:31
morganfainberg	ayoung, there are a couple nice-to-have patches we could hold for the client if we could get them in, but i haven't seen commitment on that kerb patch being ready, cc jamielennox	16:32
gabriel-bezerra	ayoung: yes, it is for DevStack...	16:32
morganfainberg	ayoung, but i'm really eager to get compression in as well (which is ready to go)	16:32
gabriel-bezerra	ayoung: You mean that it won't work on CentOS after the patch?	16:33
morganfainberg	gabriel-bezerra, meaning it may not work on centos before the patch	16:33
openstackgerrit	Lance Bragstad proposed a change to openstack/keystone-specs: Purpose keystone-api-validation blueprint https://review.openstack.org/95957	16:35
*** ozialien has quit IRC		16:46
morganfainberg	ayoung, are you ok with waiting until the next ksc release for krb plugin? or should we push on getting that reviewed today prior to making the cut?	16:47
morganfainberg	ayoung, also https://jenkins05.openstack.org/job/gate-python-keystoneclient-python33/251/console py33 pip isn't happy (at the moment) with the kerberos 1.1 requirement	16:50
ayoung	morganfainberg, yeah, I'm OK with waiting	16:50
ayoung	I can work out of dev	16:50
morganfainberg	ayoung ok.	16:50
*** gokrokve has joined #openstack-keystone		16:51
ayoung	morganfainberg, that was the problem jamielennox saw...some sort of pip versioning issue. Not sure how the requests-kerberos change passed local tox	16:51
ayoung	gabriel-bezerra, is the question of whether we can make elif is_fedora; into something more inclusive?	16:52
ayoung	gabriel-bezerra, you should be able to test that on CentOS	16:52
openstackgerrit	A change was merged to openstack/python-keystoneclient: Add support for extensions-list https://review.openstack.org/92978	16:57
openstackgerrit	A change was merged to openstack/python-keystoneclient: Mark keystoneclient as being a universal wheel https://review.openstack.org/94050	16:57
*** browne has joined #openstack-keystone		16:58
*** BAKfr has quit IRC		16:59
morganfainberg	dolphm, ^ I think we're good for cutting a ksc release unless anyone has a solid reason not to	17:00
*** Camisa has quit IRC		17:02
*** praneshp has joined #openstack-keystone		17:06
*** andreaf has quit IRC		17:06
*** bvandenh has joined #openstack-keystone		17:06
*** diegows has joined #openstack-keystone		17:07
*** bvandenh has quit IRC		17:08
*** andreaf has joined #openstack-keystone		17:10
*** andreaf has quit IRC		17:10
*** andreaf has joined #openstack-keystone		17:12
*** sbfox has joined #openstack-keystone		17:14
*** harlowja_away is now known as harlowja_		17:16
*** marcoemorais has quit IRC		17:16
*** marcoemorais has joined #openstack-keystone		17:16
*** dstanek is now known as dstanek_zzz		17:17
*** diegows has quit IRC		17:18
htruta	setevemar: hahaha.	17:23
htruta	stevemar: could you review it again? https://review.openstack.org/#/c/91634/	17:23
stevemar	htruta, i don't review as fast as you code :(	17:24
stevemar	i wanted to try it out too	17:24
morganfainberg	anyone know if https://review.openstack.org/#/c/86025 author has been around? I don't think it would be bad to get that change in, but if not around someone else should pick it up.	17:24
ayoung	morganfainberg, You might be interested in this little ditty about Kerberos http://adam.younglogic.com/2014/05/tgt-forwarding-and-cleanup/	17:27
morganfainberg	ayoung, standard GSSAPI stuff	17:27
morganfainberg	ayoung, yep, used that before :)	17:27
htruta	stevemar: take your time. hahaha	17:28
ayoung	morganfainberg, I like the config option to scope it to a certain set of hosts	17:32
morganfainberg	ayoung, ++	17:32
*** praneshp has quit IRC		17:32
morganfainberg	ayoung, very similar to some other stuff (proxy command) work i've had to do in the past	17:33
morganfainberg	ok i need to go get either an early lunch or a late breakfast.	17:34
morganfainberg	bbib.	17:34
*** praneshp has joined #openstack-keystone		17:35
*** praneshp has quit IRC		17:46
stevemar	htruta, 2 nits with the commit message! I would change them myself, but then it'll change the committer value too, (not sure if that steals credit)	17:55
stevemar	htruta, hopefully dtroyer or thowe can have a look at it (https://review.openstack.org/#/c/91634/), but if they don't get back any time soon, i'll +A it	17:56
*** ukalifon has joined #openstack-keystone		17:58
openstackgerrit	Arun Kant proposed a change to openstack/keystone: Adding support for ldap connection pooling.(Work-in-progress) https://review.openstack.org/95300	18:07
*** dstanek_zzz is now known as dstanek		18:08
*** BAKfr has joined #openstack-keystone		18:08
*** sbfox1 has joined #openstack-keystone		18:09
*** jaosorior has quit IRC		18:11
*** sbfox has quit IRC		18:13
*** diegows has joined #openstack-keystone		18:14
*** jamielennox is now known as jamielennox\|away		18:16
*** dstanek is now known as dstanek_zzz		18:17
*** praneshp has joined #openstack-keystone		18:21
*** marcoemorais has quit IRC		18:33
*** marcoemorais has joined #openstack-keystone		18:34
*** ukalifon has quit IRC		18:35
*** dstanek_zzz is now known as dstanek		18:37
htruta	stevemar: wouldn't it be better if I just submit another patch changing the message?	18:39
stevemar	htruta, that would be awesome	18:39
*** rodrigods_ has joined #openstack-keystone		18:42
*** gabriel-bezerra has quit IRC		18:47
*** rodrigods_ has quit IRC		18:48
openstackgerrit	A change was merged to openstack/keystone: Fixes duplicated DELETE queries on SQL backends https://review.openstack.org/96173	18:48
*** gabriel-bezerra has joined #openstack-keystone		18:50
htruta	stevemar: done! your +2 remains. hehe	18:51
morganfainberg	htruta, you can also change the commit message from the gerrit web interface now (as well)	18:52
morganfainberg	htruta, if you're the patch owner	18:52
openstackgerrit	A change was merged to openstack/keystone: recommend excluding 35357 from ephemeral ports https://review.openstack.org/58013	18:53
gabriel-bezerra	ayoung: is_fedora checks for CentOS: [ "$os_VENDOR" = "Fedora" ] \|\| [ "$os_VENDOR" = "Red Hat" ] \|\| [ "$os_VENDOR" = "CentOS" ]	18:54
htruta	morganfainberg: that's what I did! thanks	18:55
ayoung	gabriel-bezerra, cool. did you test your script on a Centos VM? They are cheap to come by	18:55
gabriel-bezerra	ayoung: Not yet.	18:57
ayoung	gabriel-bezerra, trystack.org if you need it	18:59
gabriel-bezerra	:D	19:00
gabriel-bezerra	ayoung: there are only ubuntu12.10, and a couple fedora images there. no centos.	19:03
*** piousbox has joined #openstack-keystone		19:03
ayoung	bleh	19:03
piousbox	alo people	19:04
piousbox	I'm trying to use Cyberduck to connect to a swift storage service.	19:04
morganfainberg	ayoung, gabriel-bezerra, maybe stacklet? (might cost $ though)	19:04
piousbox	Cyberduck is asking the following: tenand ID, access key, secret key	19:04
piousbox	what are access key and secret key and how do I associate them with a tenant?	19:04
piousbox	Thanks in advance	19:04
ayoung	morganfainberg, CentOS is free, and he could run in a kvm instance local. Just download time	19:04
morganfainberg	ayoung, right. i meant if you wanted a pre-canned vm ready to go (no install / etc for any hypervisor)	19:05
*** bobt has joined #openstack-keystone		19:05
ayoung	morganfainberg, I have one in my glance server I could send him	19:05
morganfainberg	ayoung, hrm. doesn't RAX or HP offer some limited free vms to OS developers?	19:06
ayoung	morganfainberg, ask the people that work there. I have internal resources I use	19:06
*** dims has joined #openstack-keystone		19:07
openstackgerrit	A change was merged to openstack/keystone: Imported Translations from Transifex https://review.openstack.org/90288	19:11
morganfainberg	dolphm, ^ RAX and VMs for OS contributors? cc dstanek (I remeber something about this a while ago)	19:12
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements https://review.openstack.org/91225	19:14
ayoung	gabriel-bezerra, do you have and openstack instance ? I can post a CentOS cloud image you can import	19:14
gabriel-bezerra	ayoung: I've got one here	19:16
gabriel-bezerra	htruta: got one for me :)	19:16
gabriel-bezerra	ayoung: thx	19:16
gabriel-bezerra	will just test that	19:17
dstanek	morganfainberg: i thought so, but i'm not sure	19:18
morganfainberg	dstanek, yeah. :P	19:19
* morganfainberg shrugs		19:19
morganfainberg	omg... coffee sooooo gooooooood	19:19
dstanek	morganfainberg: i have some dev promo passes that give you $50 (i think) a month for 6 months - are you looking for a VM?	19:19
morganfainberg	not me, was a convo ^	19:19
morganfainberg	about testing some centos devstack-y-ness	19:20
morganfainberg	ok i need to go buy a USB stick.	19:20
morganfainberg	turns out it's really hard to install an OS w/o one these days :P	19:21
* morganfainberg wonders if tftpboot from mac -> other laptop would be viable		19:21
gabriel-bezerra	ayoung: is it enough to test on CentOS 6.5 cloud img?	19:22
morganfainberg	gabriel-bezerra, that should probably be sufficient	19:23
gabriel-bezerra	ok, that's the one I have	19:23
openstackgerrit	Dolph Mathews proposed a change to openstack/keystone: Add v2 & v3 API documentation https://review.openstack.org/96242	19:39
*** sbfox1 has quit IRC		19:42
stevemar	dolphm, giving us a history lesson eh ^	19:46
*** diegows has quit IRC		19:47
morganfainberg	ayoung, dolphm, ~300s is the accepted clock-skew minimum theoretical TTL for tokens right?	19:47
morganfainberg	ayoung, dolphm, any reason we don't enforce a minimum if that is the case?	19:48
ayoung	morganfainberg, um...I went by what we discussed for Kerberos, but no idea if that is a standard or anything	19:48
ayoung	I was treating it as a rule of thumb	19:48
morganfainberg	ayoung, hrm. i'd be ok with enforcing a lower limit if its' accepted fro a similar construct	19:49
ayoung	morganfainberg, do we need to enforce a minimum?	19:50
*** diegows has joined #openstack-keystone		19:52
morganfainberg	ayoung, depends on how much rope we want to give deployers	19:57
morganfainberg	ayoung, not sure if we should... was thinking out loud mostly	19:57
ayoung	morganfainberg, I'm not really worried about people setting it too low	19:57
ayoung	if we get there, we've won	19:57
morganfainberg	hehe	19:57
bknudson	all we give deployers is rope.	19:57
*** piousbox has left #openstack-keystone		19:57
morganfainberg	bknudson, is it magic rope?	19:57
morganfainberg	cause i want magic rope	19:58
morganfainberg	:P	19:58
openstackgerrit	A change was merged to openstack/keystone: Suggest users to remove REMOTE_USER from shibd conf https://review.openstack.org/93936	19:59
*** hrybacki has quit IRC		20:03
morganfainberg	ok i really have to go run some errands, be back shortly	20:03
dstanek	stevemar: do you understand the difference between the existing design and chadwick's proposals? it seems more like incremental refactoring, but i don't understand the diagrams	20:04
*** radez is now known as radez_g0n3		20:12
*** erecio has quit IRC		20:12
gabriel-bezerra	ayoung: morganfainberg I'm getting this error on CentOS. Any idea of what it might be?	20:14
gabriel-bezerra	[client 10.1.0.69] (13)Permission denied: mod_wsgi (pid=32151): Unable to connect to WSGI daemon process 'keystone-admin' on '/etc/httpd/logs/wsgi.32074.0.2.sock' after multiple attempts.	20:14
gabriel-bezerra	in /var/log/httpd/keystone	20:14
ayoung	gabriel-bezerra, SELinux?	20:15
ayoung	try sudo setenforce permissive	20:16
*** hrybacki has joined #openstack-keystone		20:18
stevemar	dstanek, sorta? it seems like a refactoring imo	20:20
stevemar	dstanek, i don't see how the current design limits anything	20:20
gabriel-bezerra	sudo getenforce returned Permissive	20:21
gabriel-bezerra	ayoung: ^	20:21
stevemar	dstanek, for instance, he wrote that it'll allow for openID Connect, and keystone2keystone support. But i'm already doing one of those in the framework	20:21
ayoung	gabriel-bezerra, strange	20:21
dstanek	stevemar: the only thing i don't like about the current design is the 'if' statement	20:22
ayoung	gabriel-bezerra, is the wsgi process actually up and running?	20:22
dstanek	i should probably add that to my review commentary	20:22
*** r-daneel has joined #openstack-keystone		20:22
*** browne has quit IRC		20:22
gabriel-bezerra	ayoung: sorry, I'll have to stack.sh again	20:23
stevemar	dstanek, please do, since i don't know what you're talking about	20:23
ayoung	NP	20:23
*** browne has joined #openstack-keystone		20:24
dstanek	stevemar: ha, ha - i say the if statement because there is one that just jumps out at me	20:24
*** hrybacki has quit IRC		20:29
gabriel-bezerra	ayoung: I have a bunch of httpd processes, how can i know which one is the right one?	20:30
ayoung	gabriel-bezerra, wsgi process should be owned by a different user, and should be python processes.	20:30
*** andreaf has quit IRC		20:32
bknudson	do the specs get built and published somewhere?	20:33
gabriel-bezerra	ayoung: there is only one python process running: tuned	20:37
ayoung	look in the httpd error log gabriel-bezerra	20:38
openstackgerrit	Brant Knudson proposed a change to openstack/keystone-specs: Spec for V3 extension advertisement https://review.openstack.org/95973	20:40
*** radez_g0n3 is now known as radez		20:40
*** hrybacki has joined #openstack-keystone		20:42
gabriel-bezerra	ayoung: I was just looking there. These are the 3 lines that look more meaningful..	20:43
gabriel-bezerra	SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0	20:43
gabriel-bezerra	[notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)	20:44
ayoung	gabriel-bezerra, its not selinux if Permive	20:44
gabriel-bezerra	[notice] Apache/2.2.15 (Unix) DAV/2 mod_wsgi/3.2 Python/2.6.6 configured -- resuming normal operations	20:44
openstackgerrit	Steve Martinelli proposed a change to openstack/python-keystoneclient: Sync with oslo-incubator caed79d https://review.openstack.org/95845	20:45
stevemar	bknudson, i think i was referring to the wrong commit hash	20:46
bknudson	stevemar: using that commit hash from oslo-incubator I don't see any diffs, so that must be in.	20:48
bknudson	it	20:48
stevemar	bknudson, sadly this is my first oslo sync, thanks for catching the mistake	20:49
bknudson	that's a long list of commits -- does that include changes from files that weren't synced?	20:49
stevemar	bknudson, i believe so, no good?	20:51
bknudson	stevemar: we just want the changes for the files that were changed...	20:51
gabriel-bezerra	ayoung: I tried to setenforce permissive and run stack.sh, but the same happened	20:51
bknudson	stevemar: like this: git log --oneline --no-merges 2640847..caed79d -- openstack/common/apiclient/auth.py openstack/common/apiclient/base.py	20:52
bknudson	except all the files that were changed.	20:52
ayoung	gabriel-bezerra, I'd have to debug it....not sure what is going on	20:52
bknudson	stevemar: I only get 4 changes.	20:53
gabriel-bezerra	ayoung: tcp 0 0 :::35357 :::* LISTEN 25928/httpd	20:53
gabriel-bezerra	tcp 0 0 :::5000 :::* LISTEN 25928/httpd	20:53
gabriel-bezerra	nestat shows taht	20:53
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements https://review.openstack.org/91225	20:53
gabriel-bezerra	that*	20:53
stevemar	bknudson, okay, i see, let me try and make sure i get the same	20:53
bknudson	stevemar: 4a777e5 18f2bc1 90ae24b 1173e46	20:53
stevemar	yep	20:54
gabriel-bezerra	but curl http://localhost:5000/v2.0 returns a 503	20:54
stevemar	bknudson, i'll update	20:54
openstackgerrit	Steve Martinelli proposed a change to openstack/python-keystoneclient: Sync with oslo-incubator caed79d https://review.openstack.org/95845	20:54
gabriel-bezerra	[error] [client ::1] (13)Permission denied: mod_wsgi (pid=25940): Unable to connect to WSGI daemon process 'keystone-public' on '/etc/httpd/logs/wsgi.25928.0.1.sock' after multiple attempts.	20:55
gabriel-bezerra	but I can see some wsgi.XXXXX.X.X.sock in /var/log/httpd/	20:55
gabriel-bezerra	that is a log...	20:56
gabriel-bezerra	/var/log/keystone is owned by root.root and /var/log/wsgi.XXXX.sock by apache.root	20:57
gabriel-bezerra	sorry.. /etc/httpd/logs is a link and in there: keystone belongs to root:root and wsgi.XXXX.sock, to apache:root	20:57
bknudson	stevemar: looks like your sync includes https://review.openstack.org/#/c/95697/	20:58
bknudson	which Closes-Bug: 1314129	20:58
bknudson	so how about add that to your sync and then the other is abandoned	20:59
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/96265	21:00
openstackgerrit	Lance Bragstad proposed a change to openstack/keystone: Implement validation on Catalog V3 resources https://review.openstack.org/96266	21:00
*** topol has joined #openstack-keystone		21:01
openstackgerrit	Lance Bragstad proposed a change to openstack/keystone: Initial implementation of validator https://review.openstack.org/86483	21:02
openstackgerrit	Lance Bragstad proposed a change to openstack/keystone: Implement validation on Catalog V3 resources https://review.openstack.org/96266	21:02
openstackgerrit	Lance Bragstad proposed a change to openstack/keystone: Implement validation on Assignment V3 resources https://review.openstack.org/86484	21:02
openstackgerrit	Lance Bragstad proposed a change to openstack/keystone: Implement validation on Catalog V3 resources https://review.openstack.org/96266	21:06
*** browne has quit IRC		21:06
*** marcoemorais has quit IRC		21:07
*** marcoemorais has joined #openstack-keystone		21:07
gabriel-bezerra	ayoung, morganfainberg: at least it was not a regression that my patch introduced	21:09
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements https://review.openstack.org/91225	21:14
*** sbfox has joined #openstack-keystone		21:14
*** gyee has quit IRC		21:14
*** hrybacki has quit IRC		21:18
*** marcoemorais1 has joined #openstack-keystone		21:19
*** marcoemorais has quit IRC		21:20
*** marcoemorais has joined #openstack-keystone		21:21
*** browne has joined #openstack-keystone		21:22
*** marcoemorais1 has quit IRC		21:25
*** gokrokve has quit IRC		21:26
*** gokrokve has joined #openstack-keystone		21:27
*** gokrokve has quit IRC		21:30
*** david-lyle has quit IRC		21:35
*** diegows has quit IRC		21:38
stevemar	bknudson, was afk, cool, i'll mention: Closes-Bug: 1314129 in the message	21:43
openstackgerrit	Steve Martinelli proposed a change to openstack/python-keystoneclient: Sync with oslo-incubator caed79d https://review.openstack.org/95845	21:45
*** topol has quit IRC		21:47
openstackgerrit	Lance Bragstad proposed a change to openstack/keystone: Initial implementation of validator https://review.openstack.org/86483	21:50
openstackgerrit	Lance Bragstad proposed a change to openstack/keystone: Implement validation on Catalog V3 resources https://review.openstack.org/96266	21:50
openstackgerrit	Lance Bragstad proposed a change to openstack/keystone: Implement validation on Assignment V3 resources https://review.openstack.org/86484	21:50
*** browne1 has joined #openstack-keystone		21:52
*** browne has quit IRC		21:52
stevemar	lbragstad, posting a bunch of reviews!	21:54
*** dhellmann is now known as dhellmann_		21:58
*** dhellmann_ is now known as dhellmann		21:58
*** dhellmann is now known as dhellmann_		21:58
*** ekarlso has quit IRC		22:01
morganfainberg	lbragstad, omg SPAM! :) nice.	22:03
openstackgerrit	Steven Hardy proposed a change to openstack/python-keystoneclient: Enable forcing re-authentication for trust-scoped clients https://review.openstack.org/96298	22:04
openstackgerrit	Brant Knudson proposed a change to openstack/keystone-specs: Spec for V3 extension advertisement https://review.openstack.org/95973	22:10
*** raildo has quit IRC		22:11
*** tellesnobrega has quit IRC		22:12
*** rodrigods has quit IRC		22:12
*** htruta has quit IRC		22:12
*** gabriel-bezerra has quit IRC		22:13
*** htruta has joined #openstack-keystone		22:13
*** gabriel-bezerra has joined #openstack-keystone		22:14
*** tellesnobrega has joined #openstack-keystone		22:14
*** raildo has joined #openstack-keystone		22:14
*** rodrigods has joined #openstack-keystone		22:14
*** rodrigods has quit IRC		22:15
*** rodrigods has joined #openstack-keystone		22:15
*** afaranha has joined #openstack-keystone		22:15
*** bknudson has quit IRC		22:16
*** dstanek is now known as dstanek_zzz		22:19
*** dstanek_zzz is now known as dstanek		22:20
lbragstad	stevemar: morganfainberg gettin' there	22:23
*** r-daneel has quit IRC		22:26
*** ekarlso has joined #openstack-keystone		22:26
*** rodrigods_ has joined #openstack-keystone		22:30
*** gordc has left #openstack-keystone		22:30
*** browne1 has quit IRC		22:30
*** sbfox has quit IRC		22:33
*** thedodd has quit IRC		22:35
*** marcoemorais has quit IRC		22:36
*** marcoemorais has joined #openstack-keystone		22:36
*** browne has joined #openstack-keystone		22:36
morganfainberg	stevemar, dstanek, https://bugs.launchpad.net/keystone/+bug/1324260 any complaints with that? i think that makes sense.	22:39
uvirtbot	Launchpad bug 1324260 in keystone "Always migrate the the db for extensions instead of conditionally" [Medium,Triaged]	22:39
stevemar	morganfainberg, i think it's a good idea	22:40
morganfainberg	stevemar, yeah always felt odd to migrate those schemas conditionally... bad ux for deployers "oh and don't forget to migrate the new extension"	22:41
stevemar	morganfainberg, yeah, its a bit weird. is there anything we can do from the keystone side?	22:45
morganfainberg	stevemar, yeah, just always migrate, we already know the extensions, don't play "if this then migrate" with the migrate_repos	22:45
morganfainberg	stevemar, we should simply ensure the tables are always there. if we remove an extension permanently, the migrate repo becomes "delete the tables" or some such.	22:46
stevemar	morganfainberg, i hear ya	22:46
morganfainberg	stevemar, but for schema consistency across deployments, always add the tables if you're using db_migrate. same as we do for identity even if we use ldap identity	22:46
morganfainberg	erm db_sync	22:46
morganfainberg	it's probably less than 5 line change :)	22:47
dstanek	morganfainberg: stevemar: agreed - it also makes testing a little easier because the schema is always predictable	22:48
morganfainberg	dstanek, ++	22:48
*** dims has quit IRC		22:51
*** dims has joined #openstack-keystone		22:52
*** sbfox has joined #openstack-keystone		22:52
*** sbfox has quit IRC		23:15
*** ozialien has joined #openstack-keystone		23:18
*** radez is now known as radez_g0n3		23:30
*** dstanek is now known as dstanek_zzz		23:37
*** dstanek_zzz is now known as dstanek		23:47
*** gyee has joined #openstack-keystone		23:53
*** sbfox has joined #openstack-keystone		23:57
*** bobt has quit IRC		23:57

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!