Monday, 2014-07-07

*** oomichi has joined #openstack-keystone 00:10
*** leseb has joined #openstack-keystone 00:50
*** leseb has quit IRC 00:54
*** jimbaker has quit IRC 00:56
*** jimbaker has joined #openstack-keystone 01:00
*** jimbaker has quit IRC 01:00
*** jimbaker has joined #openstack-keystone 01:00
<stevemar> hey bknudson, when are you leaving MN, apparently i'm connecting there on tuesday 01:05
<stevemar> wondering if we're on the same flight 01:05
*** mberlin1 has joined #openstack-keystone 01:09
*** mberlin has quit IRC 01:11
*** gokrokve_ has quit IRC 01:13
*** leseb has joined #openstack-keystone 01:16
*** leseb has quit IRC 01:21
*** jaosorior has quit IRC 01:22
*** diegows has quit IRC 01:39
*** bobt has joined #openstack-keystone 01:55
*** jamielennox is now known as jamielennox|away 02:07
*** miqui_ has quit IRC 02:11
*** leseb has joined #openstack-keystone 02:17
*** dims has quit IRC 02:18
*** leseb has quit IRC 02:22
*** gokrokve has joined #openstack-keystone 02:25
*** dstanek is now known as dstanek_zzz 02:27
*** achampion has quit IRC 02:37
*** dstanek_zzz is now known as dstanek 02:38
*** gokrokve has quit IRC 02:41
*** gokrokve has joined #openstack-keystone 02:41
*** dims has joined #openstack-keystone 02:44
*** gokrokve has quit IRC 02:46
*** dims has quit IRC 02:50
*** jamielennox|away is now known as jamielennox 03:00
*** hrybacki has quit IRC 03:02
*** hrybacki has joined #openstack-keystone 03:06
*** lbragstad_ has joined #openstack-keystone 03:09
*** leseb has joined #openstack-keystone 03:18
*** leseb has quit IRC 03:23
*** zhiyan_ is now known as zhiyan 03:40
*** hrybacki has quit IRC 03:45
*** dims_ has joined #openstack-keystone 03:46
*** lbragstad_ has left #openstack-keystone 03:48
*** dims_ has quit IRC 03:51
*** lbragstad_ has joined #openstack-keystone 03:58
*** darren has joined #openstack-keystone 03:59
<darren> Hi all, I'm pretty new to keystone, do we have official explanations of Domain, Region, Tenant and Project? I'm confused with these concepts, better with some examples. 04:01
*** darren has quit IRC 04:05
<openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Convert keystone CLI to use auth plugins  https://review.openstack.org/95680 04:16
<openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Plugin loading from config objects  https://review.openstack.org/79542 04:16
<openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Allow loading auth plugins from CLI  https://review.openstack.org/95679 04:16
<openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Provide an __all__ for auth module  https://review.openstack.org/104529 04:16
*** leseb has joined #openstack-keystone 04:18
*** zhiyan is now known as zhiyan_ 04:20
*** leseb has quit IRC 04:23
<morganfainberg> hrybacki, pong [only semi here, Keystone Developer needs food badly </bad gauntlet reference>] 04:37
*** dims_ has joined #openstack-keystone 04:47
*** dims_ has quit IRC 04:52
*** ajc_ has joined #openstack-keystone 04:52
*** KanagarajM has joined #openstack-keystone 05:07
<openstackgerrit> A change was merged to openstack/keystone: Sync with oslo-incubator e9bb0b59  https://review.openstack.org/103252 05:11
<openstackgerrit> A change was merged to openstack/python-keystoneclient: endpoint_id and service_id should be random uuid  https://review.openstack.org/103989 05:16
*** leseb has joined #openstack-keystone 05:19
<openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Make keystoneclient use an adapter  https://review.openstack.org/97681 05:22
<openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Use jsonutils to load adapter response  https://review.openstack.org/105065 05:22
*** leseb has quit IRC 05:24
*** chandan_kumar has joined #openstack-keystone 05:34
*** KanagarajM has quit IRC 05:41
<openstackgerrit> A change was merged to openstack/python-keystoneclient: Keystoneclient create user API should have optional password.  https://review.openstack.org/97597 05:41
*** afazekas is now known as __afazekas 05:43
*** dims_ has joined #openstack-keystone 05:47
*** dims_ has quit IRC 05:53
<openstackgerrit> OpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/103380 06:00
*** bobt has quit IRC 06:01
*** ukalifon has joined #openstack-keystone 06:15
*** leseb has joined #openstack-keystone 06:20
*** stevemar has quit IRC 06:23
*** leseb has quit IRC 06:24
*** henrynash has joined #openstack-keystone 06:42
*** dims_ has joined #openstack-keystone 06:48
*** dims_ has quit IRC 06:53
*** xianghui has joined #openstack-keystone 06:56
*** leseb has joined #openstack-keystone 07:09
*** BAKfr has joined #openstack-keystone 07:09
*** tomoiaga has joined #openstack-keystone 07:10
*** afazekas_ has joined #openstack-keystone 07:15
*** xianghui has quit IRC 07:16
<openstackgerrit> A change was merged to openstack/keystone: Fix docs and scripts for pki_setup and ssl_setup  https://review.openstack.org/103697 07:17
*** chandan_kumar is now known as chandankumar 07:23
*** mitz_ has quit IRC 07:41
*** dstanek is now known as dstanek_zzz 08:08
*** xianghui has joined #openstack-keystone 08:11
*** jimbaker has quit IRC 08:14
*** jimbaker has joined #openstack-keystone 08:18
*** jimbaker has quit IRC 08:18
*** jimbaker has joined #openstack-keystone 08:18
*** mitz_ has joined #openstack-keystone 08:23
*** leseb has quit IRC 08:26
*** leseb has joined #openstack-keystone 08:28
*** dstanek_zzz is now known as dstanek 08:29
*** zhiyan_ is now known as zhiyan 08:30
*** kwss has joined #openstack-keystone 08:35
*** tkelsey has joined #openstack-keystone 08:38
*** dstanek is now known as dstanek_zzz 08:39
*** kwss is now known as kwss_afk 08:43
*** leseb has quit IRC 08:46
*** leseb has joined #openstack-keystone 08:46
*** leseb has quit IRC 08:47
*** andreaf_ has joined #openstack-keystone 08:56
*** kwss_afk is now known as kwss 09:04
*** tomoiaga has quit IRC 09:22
*** ajayaa has joined #openstack-keystone 09:28
*** praneshp has quit IRC 09:40
<openstackgerrit> Kristy Siu proposed a change to openstack/keystone-specs: reengineered-federation  https://review.openstack.org/104301 09:45
*** bvandenh has joined #openstack-keystone 10:02
*** oomichi has quit IRC 10:04
*** xianghui has quit IRC 10:11
*** xianghui has joined #openstack-keystone 10:13
*** xianghui has quit IRC 10:22
*** tomoiaga has joined #openstack-keystone 10:36
*** dims_ has joined #openstack-keystone 10:53
*** xianghui has joined #openstack-keystone 10:57
*** dims_ has quit IRC 10:58
<tomoiaga> I am wondering if I should start working with domains or they will be deprecated in a future version in favor of hierarchical multitenancy? 11:04
*** dims_ has joined #openstack-keystone 11:14
*** xianghui has quit IRC 11:19
*** jimbaker has quit IRC 11:33
*** jimbaker has joined #openstack-keystone 11:37
*** jimbaker has quit IRC 11:37
*** jimbaker has joined #openstack-keystone 11:37
*** jdennis has joined #openstack-keystone 11:52
<openstackgerrit> A change was merged to openstack/keystone: Fix the section name in CONTRIBUTING.rst  https://review.openstack.org/103758 11:59
*** afazekas_ has quit IRC 12:02
<openstackgerrit> mouad benchchaoui proposed a change to openstack/keystone: Retreive token domain depending on scope  https://review.openstack.org/105137 12:04
*** topol has joined #openstack-keystone 12:12
*** topol has quit IRC 12:13
*** topol has joined #openstack-keystone 12:14
*** afazekas_ has joined #openstack-keystone 12:17
*** topol has quit IRC 12:19
*** dstanek_zzz is now known as dstanek 12:20
*** xianghui has joined #openstack-keystone 12:21
*** rodrigods_ has joined #openstack-keystone 12:22
*** afazekas_ has quit IRC 12:23
*** huats_ has joined #openstack-keystone 12:28
*** huats_ has quit IRC 12:28
*** huats_ has joined #openstack-keystone 12:28
*** jraim has quit IRC 12:28
*** serverascode has quit IRC 12:28
*** mgagne has quit IRC 12:28
*** baffle_ has joined #openstack-keystone 12:30
*** Ephur has quit IRC 12:30
*** jgriffit1 has joined #openstack-keystone 12:30
*** jraim has joined #openstack-keystone 12:30
*** tristanC_ has joined #openstack-keystone 12:30
*** huats has quit IRC 12:30
*** baffle has quit IRC 12:31
*** jgriffith has quit IRC 12:31
*** mfisch has quit IRC 12:31
*** tristanC has quit IRC 12:31
*** mgagne has joined #openstack-keystone 12:31
*** jraim has quit IRC 12:31
*** jraim has joined #openstack-keystone 12:31
*** tristanC_ is now known as tristanC 12:31
*** serverascode has joined #openstack-keystone 12:31
*** mfisch has joined #openstack-keystone 12:32
*** mfisch has quit IRC 12:32
*** mfisch has joined #openstack-keystone 12:32
*** Ephur has joined #openstack-keystone 12:33
*** ajc_ has quit IRC 12:33
*** radez_g0n3 is now known as radez 12:34
*** dims_ has quit IRC 12:37
*** dims_ has joined #openstack-keystone 12:37
*** gokrokve has joined #openstack-keystone 12:37
*** gokrokve has quit IRC 12:38
*** henrynash has quit IRC 12:39
*** bknudson has quit IRC 12:39
*** gokrokve has joined #openstack-keystone 12:39
*** gokrokve has quit IRC 12:43
*** lbragstad_ has quit IRC 12:43
*** afazekas_ has joined #openstack-keystone 12:49
*** ayoung has joined #openstack-keystone 12:51
*** huats_ is now known as huats 12:53
*** bknudson has joined #openstack-keystone 12:54
*** ajayaa has quit IRC 12:59
*** kwss has left #openstack-keystone 13:03
*** diegows has joined #openstack-keystone 13:05
*** raildo has joined #openstack-keystone 13:09
*** chandan_kumar has joined #openstack-keystone 13:10
*** ajayaa has joined #openstack-keystone 13:11
*** joesavak has joined #openstack-keystone 13:13
*** chandankumar has quit IRC 13:15
*** chandan_kumar is now known as chandankumar 13:15
*** dstanek is now known as dstanek_zzz 13:17
*** hrybacki has joined #openstack-keystone 13:17
*** ukalifon has quit IRC 13:17
<openstackgerrit> OpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements  https://review.openstack.org/104018 13:28
*** dhellmann_ is now known as dhellmann 13:29
*** stevemar has joined #openstack-keystone 13:30
*** ukalifon has joined #openstack-keystone 13:33
*** xianghui has quit IRC 13:36
*** zhiyan is now known as zhiyan_ 13:37
<bknudson> stevemar: departs at 2:40PM 13:49
*** dhellmann is now known as dhellmann_ 13:51
<stevemar> bknudson, I'm landing in SAT at noon. I had very few departure options, either super early or super late 13:51
<bknudson> you must be leaving early 13:52
*** david-lyle has joined #openstack-keystone 13:53
<stevemar> bknudson, yeah 7amish. leaving MN at 9:15 13:53
<bknudson> it's going to be 100'F there every day. 13:53
<bknudson> you'll be sunburned by the time I'm there 13:54
<stevemar> it's already 76 there *now* 13:54
<bknudson> I promised I wouldn't complain about heat after last winter. 13:55
<stevemar> good point, even if we get a bit roasted 13:56
*** otwieracz has quit IRC 13:58
*** mostly_d34dh0r53 is now known as d34dh0r53 14:03
*** tomoiaga has quit IRC 14:04
*** otwieracz has joined #openstack-keystone 14:05
*** topol has joined #openstack-keystone 14:07
*** ukalifon has quit IRC 14:07
*** tellesnobrega has joined #openstack-keystone 14:10
*** vhoward- has left #openstack-keystone 14:10
*** dstanek_zzz is now known as dstanek 14:13
<dstanek> just arrived at the barbican hackathon! 14:13
*** jaosorior has joined #openstack-keystone 14:17
*** jgriffit1 has quit IRC 14:19
*** ukalifon has joined #openstack-keystone 14:21
*** bklei has joined #openstack-keystone 14:23
<bklei> Anyone willing to review https://review.openstack.org/#/c/92390?  This is for keystone V3 support in the neutron client... 14:24
*** tkelsey has quit IRC 14:25
*** dhellmann_ is now known as dhellmann 14:26
*** afaranha has joined #openstack-keystone 14:26
*** gokrokve has joined #openstack-keystone 14:27
<ayoung> bklei, sure 14:28
<dolphm> stevemar: 78* 14:30
<hrybacki> 100* in Houston feels like a brisk 75* in Georgia. I love that dry heat 14:31
<dolphm> hrybacki: are you suggesting houston is dry, or georgia is dry? both are humid in my experience! 14:32
*** xianghui has joined #openstack-keystone 14:33
<hrybacki> Given that I only spent a week in Houston (in June), my experience was that it was very dry. Georgia, where I spent closer to 9 months, felt like a sauna in the summer and a cold shower in the winter -- always. 14:33
<bklei> thanks ayoung 14:34
<dolphm> hrybacki: current humidity in houston is only 75% :P 14:34
<ayoung> hrybacki, might have had something to do with the lodgings in Georgia, too. 14:35
<hrybacki> well that's no fun 14:35
<dolphm> stevemar: also, the high today is only 94 F 14:35
<hrybacki> ayoung++ solid point 14:35
<openstackgerrit> Raildo Mascena de Sousa Filho proposed a change to openstack/keystone-specs: Hierarchical Multitenacy  https://review.openstack.org/101017 14:35
<stevemar> dolphm, we haven't had a high in the 90s yet 14:35
<hrybacki> dolphm: it sounds like a very similar climate to Raleigh today 14:35
<dolphm> low 70's to mid 90's all week, no rain 14:36
<dstanek> marekd|away: you're coming to the hackathon right? 14:40
<marekd|away> dstanek: yes. 14:40
*** marekd|away is now known as marekd 14:40
*** hrybacki_ has joined #openstack-keystone 14:40
<marekd> dstanek: why are you asking? 14:40
<dstanek> marekd: when do you get in? in the barbican hackathon they mentioned your request for secrets not tied to a project 14:41
*** hrybacki has quit IRC 14:41
<dolphm> dstanek: are you at geekdom now? 14:42
<marekd> dstanek: i could be available tomorrow, but not the whole day, since I will have some other work-related business... 14:43
<dvorak> I'd appreciate some eyeballs on this review if people have some time - https://review.openstack.org/#/c/101726/ 14:44
<dvorak> it's my rework of the token flush behavior to make the range selection more flexible 14:44
<marekd> dstanek: is barbican hackathon also happening on Wed? 14:44
<marekd> dstanek: maybe it'd be better to gather some folks involved in k2k and only then talk with Barbican folks? 14:45
<marekd> dstanek: besides I am not sure if we want to make such dependency... (waiting for them to implement that) 14:45
<dolphm> marekd: yes, mon-wed 14:46
<dstanek> dolphm: yes, i'm at geekdom 14:46
<dstanek> marekd: yes, it's also on Wednesday so it can wait until then 14:47
<dstanek> marekd: i just wanted to make sure you were going to be here 14:47
<marekd> so i'd wait for morganfainberg, stevemar to arrive and only then meet with Barbicans. 14:47
<marekd> dstanek: i will! :D 14:47
<ayoung> http://lists.openstack.org/pipermail/openstack-dev/2014-July/039398.html   dolphm I wrote this up based on the confusion over my "Session Tokens" proposal.  I was hoping for some feedback and insight. 14:48
*** hrybacki_ has quit IRC 14:49
*** hrybacki has joined #openstack-keystone 14:50
<openstackgerrit> Raildo Mascena de Sousa Filho proposed a change to openstack/keystone-specs: Hierarchical Multitenacy  https://review.openstack.org/101017 14:51
*** chandankumar has quit IRC 14:51
*** joesavak has quit IRC 14:53
*** ukalifon has quit IRC 14:55
<morganfainberg> dolphm, ah so weather has been decent? 14:56
<morganfainberg> dolphm, wow, sounds like it's cooler in SA than here in Pasadena the last few days :P 14:56
<dolphm> morganfainberg: it's not terrible! 14:57
*** gokrokve has quit IRC 14:57
*** joesavak has joined #openstack-keystone 14:58
*** gokrokve has joined #openstack-keystone 14:58
<morganfainberg> dolphm, nice. 14:58
*** marekd is now known as marekd|away 15:00
*** gokrokve_ has joined #openstack-keystone 15:00
*** bklei has quit IRC 15:02
*** gokrokve has quit IRC 15:02
*** d34dh0r53 is now known as mostly_d34dh0r53 15:03
*** mostly_d34dh0r53 is now known as d34dh0r53 15:05
*** afazekas_ has quit IRC 15:05
*** chandan_kumar has joined #openstack-keystone 15:06
*** gokrokve_ has quit IRC 15:06
*** gokrokve has joined #openstack-keystone 15:07
*** ajayaa has quit IRC 15:08
*** gokrokve has quit IRC 15:11
*** richm has joined #openstack-keystone 15:19
*** thedodd has joined #openstack-keystone 15:21
*** doddstack has joined #openstack-keystone 15:24
*** thedodd has quit IRC 15:26
*** bobt has joined #openstack-keystone 15:28
*** xianghui has quit IRC 15:31
*** ayoung is now known as ayoung-afk 15:31
*** xianghui has joined #openstack-keystone 15:32
*** dtroyer has quit IRC 15:36
<openstackgerrit> Harry Rybacki proposed a change to openstack/keystonemiddleware: Move auth_token session code to middleware repo  https://review.openstack.org/105031 15:40
*** daneyon has joined #openstack-keystone 15:42
*** daneyon has quit IRC 15:44
*** daneyon has joined #openstack-keystone 15:45
*** d34dh0r53 is now known as mostly_d34dh0r53 15:46
*** mostly_d34dh0r53 is now known as d34dh0r53 15:47
*** rwsu has joined #openstack-keystone 15:47
<openstackgerrit> Dolph Mathews proposed a change to openstack/identity-api: Adding support for self registration to Virtual Organisations  https://review.openstack.org/105218 16:05
<dolphm> marekd|away: i just put this back into review ^ did the other patch that we had to revert get back into review? 16:06
<morganfainberg> dolphm, so, what is the status of the identity-api repo? someone specifically asked me about this earlier today. 16:07
<morganfainberg> and i didn't know how to answer 16:07
<morganfainberg> as in.  how do we handle it vs. specs 16:07
<dolphm> morganfainberg: i was hoping to discuss at the hackathon... but i'd like to move the contents of it into something like keystone-specs/specs/api/ ? 16:08
<morganfainberg> ++ @ hackathon works for me 16:08
<morganfainberg> i ... should probably pack things for flight tomorrow morning :P 16:08
<dolphm> morganfainberg: which makes me wish we had renamed identity-api to keystone-specs instead of making a new repo... unless you have a solution to preserve the history and whatnot? 16:08
<morganfainberg> i ... might be able to work with infra to support a merge commit for that 16:09
<morganfainberg> i'll ask what the view on that would be 16:09
<morganfainberg> if we can do a merge commit, i can preserve the history. 16:09
<bknudson> I don't see what the point is of changing specs 16:10
<bknudson> I mean changing api doc 16:10
<bknudson> the specs are the changes to make to the api. We still need to have something that shows what the api currently is 16:11
*** afazekas_ has joined #openstack-keystone 16:11
<dolphm> bknudson: we'd be able to propose a spec with its actual api impact in a single patchset 16:11
<bknudson> we could put them all in keystone and have the code, too 16:11
*** KanagarajM has joined #openstack-keystone 16:12
<dolphm> bknudson: i *do* like the separation between the api documentation and the implementation 16:12
*** KanagarajM has quit IRC 16:12
<bknudson> just don't like it when someone unexpectedly approves the changes 16:13
*** gokrokve has joined #openstack-keystone 16:14
<bknudson> I thought we wanted to be able to not specify everything about the REST API changes, so having the update to the api with the spec would require fully specifying the REST API 16:15
<bknudson> It just seems like we're already having to make changes all over the place for specs... 16:15
<morganfainberg> bknudson, dolphm, we could move the REST change bit out of the spec doc. 16:15
<bknudson> change tempest, update requirements, update keystoneclient, ... 16:15
<morganfainberg> if we merged them 16:15
<morganfainberg> "go make the change to /api/<whatever> 16:15
<dolphm> bknudson: "we wanted to be able to not specify everything about the REST API changes" <-- because that was redundant with identity-api 16:16
*** doddstack has quit IRC 16:16
<dolphm> morganfainberg: my backup plan was to revise the API Impact section to require link to a review on identity-api 16:17
<dolphm> and then it would still make sense to approve spec -> api -> implementation 16:17
<morganfainberg> dolphm, i'd rather it be all one repo. 16:17
<dolphm> morganfainberg: me too 16:17
<morganfainberg> dolphm, but that is a reasonable enough backup 16:17
<bknudson> I hope we don't end up with wadls in specs 16:17
<dolphm> bknudson: that would happen. or we could just bring the v3 stuff over? 16:18
<morganfainberg> dolphm, though we should move to .rst only instead of .md 16:18
<dolphm> morganfainberg: the choice of md was a technical one from the docs team that we never took advantage of, so that's viable 16:18
<morganfainberg> dolphm, if its in specs repo, i say .rst 16:19
<morganfainberg> dolphm, and it means v2.0 would either get dropped or need to be converted 16:19
<dolphm> morganfainberg: let's just move v3 then? 16:19
<morganfainberg> .md -> rst is easier than uh.. whatever v2.0 is 16:19
<morganfainberg> dolphm, sure 16:20
<morganfainberg> dolphm, this looks easy: http://bfroehle.com/2013/04/26/converting-md-to-rst/ 16:21
<dolphm> morganfainberg: wonder if it works 16:22
<morganfainberg> dolphm, dunno :P will have to find out i guess 16:22
<dolphm> morganfainberg: your approval fell on its face: https://review.openstack.org/#/c/104018/ 16:23
<morganfainberg> awesome 16:24
<morganfainberg> fatal: read error: Connection reset by peer 16:24
<morganfainberg> 2014-07-07 15:22:18.379 | error: Could not fetch origin 16:24
<morganfainberg> LOL 16:24
<dolphm> morganfainberg: in rst https://gist.github.com/dolph/db4a393c342b439294dd 16:25
<morganfainberg> gee, looks like it works 16:25
*** dtroyer has joined #openstack-keystone 16:29
*** mrutkows has joined #openstack-keystone 16:30
*** marcoemorais has joined #openstack-keystone 16:31
<afaranha> Hey, what's the method called when I list a user's roles? 16:31
*** hrybacki has quit IRC 16:33
*** thedodd has joined #openstack-keystone 16:34
*** packet has joined #openstack-keystone 16:41
*** arunkant has joined #openstack-keystone 16:42
*** harlowja_away is now known as harlowja 17:01
*** richm has quit IRC 17:03
<openstackgerrit> Raildo Mascena de Sousa Filho proposed a change to openstack/keystone-specs: Hierarchical Multitenacy  https://review.openstack.org/101017 17:05
*** xianghui has quit IRC 17:05
<raildo> afaranha: https://github.com/openstack/keystone/blob/master/keystone/assignment/core.py#L119 17:08
*** bobt has quit IRC 17:14
<dolphm> afaranha: depends ;) 17:15
*** arosen has joined #openstack-keystone 17:16
<dolphm> afaranha: there's also list_role_assignments() and list_grants() 17:17
*** richm has joined #openstack-keystone 17:17
*** topol_ has joined #openstack-keystone 17:17
<afaranha> dolphm: I'm currently using in list_role_assignments 17:18
<afaranha> But I don't know if I change it or just use it 17:18
<afaranha> What I want to do is this: List the role assignments of the users and the inherit roles 17:19
<afaranha> So, I want the method that lists the user roles to concat its returns with the inherit roles 17:19
*** topol has quit IRC 17:19
*** topol_ is now known as topol 17:20
*** bobt has joined #openstack-keystone 17:20
*** BAKfr has quit IRC 17:20
*** topol has quit IRC 17:24
<dolphm> afaranha: GET /v3/role_assignments?user.id={user_id}&scope.OS-INHERIT:inherited_to=projects&effective 17:24
*** thedodd has quit IRC 17:28
<openstackgerrit> Morgan Fainberg proposed a change to openstack/keystone: Correct the region table to be InnoDB and UTF8  https://review.openstack.org/102964 17:35
<dolphm> morganfainberg: why is the error handling in migration_helpers rather than in migration 37 itself? 17:39
<morganfainberg> because once you get into the migration itself, you are wedged 17:39
<morganfainberg> the sanity check is called after migration script is run, but the db version is already updated by then 17:40
<dolphm> morganfainberg: shouldn't migration 37 be fixed AND have a new migration to convert the table? 17:40
*** ayoung-afk is now known as ayoung 17:40
<morganfainberg> if you didn't have utf-8 charset, you can't run another migration 17:40
<morganfainberg> basically, you get wedged in a bad way 17:41
*** gyee has joined #openstack-keystone 17:41
<dolphm> hrm. 17:41
<morganfainberg> dolphm, so what happens is 17:42
<morganfainberg> upgrade db schema, on the next schema action (any action) https://github.com/openstack/keystone/blob/stable/icehouse/keystone/openstack/common/db/sqlalchemy/migration.py#L194 is run 17:42
<morganfainberg> it's the same in oslo.db, but icehouse is where this hits up 17:42
<morganfainberg> hits us* 17:42
<morganfainberg> so, before the next migration (up or down) we run sanity check, and BOOM 17:42
<morganfainberg> explode. 17:42
*** afazekas_ has quit IRC 17:43
<morganfainberg> can't migrate up or down. 17:43
*** hrybacki has joined #openstack-keystone 17:43
<morganfainberg> i guess i could go one step further and even check to make sure the table is wrong using the same query as sanity_check does. narrow the "fix" scope 17:44
<morganfainberg> https://github.com/openstack/keystone/blob/stable/icehouse/keystone/openstack/common/db/sqlalchemy/migration.py#L211 17:44
*** bobt has quit IRC 17:45
<dolphm> morganfainberg: does sanity check only run before upgrades? 17:48
<morganfainberg> yep 17:48
<dolphm> morganfainberg: if we ran db_sync twice in the gate, would this have been caught? 17:48
<morganfainberg> nope. because we default to innodb and utf8 in gate 17:48
<dolphm> morganfainberg: isn't it rdo that defaults to broken? 17:49
<ayoung> Wow.   Someone had to really work at the Oracle Paid time off web app to make it so bad. 17:49
<morganfainberg> dolphm, it might be, but we default all other tables in all migrations to utf8 + innodb 17:49
<morganfainberg> because oslo.db requires it 17:49
<morganfainberg> so, in short, we don't care what your mysql defaults really are - we set what we expect. this case the table snuck through without it 17:50
<dolphm> morganfainberg: just wondering if we can help catch this earlier next time, even if we're not gating on broken defaults in our gate 17:50
<morganfainberg> i think the next step is to make our base table always set these values 17:50
<morganfainberg> but i felt that was above and beyond something i wanted to backport. 17:51
<dolphm> morganfainberg: isn't there a base table in oslodb that does that? 17:51
<morganfainberg> doesn't look like it 17:51
<morganfainberg> or we wouldn't have ended up in this situation 17:51
<morganfainberg> oslo.db probably should supply it. 17:52
<dolphm> morganfainberg: can keystone itself use memcache encrypt? 17:53
<dolphm> morganfainberg: via dogpile 17:53
<morganfainberg> dolphm, i could layer a proxy in that does it, not hard to do 17:53
<morganfainberg> but the current memcache_crypt we have wouldn't work 17:53
<morganfainberg> dolphm, it is on the list of "this is a good idea" to implement. 17:54
<morganfainberg> ugh. i need to go eat breakfast. got distracted and should have gone 2hrs ago 17:55
*** topol has joined #openstack-keystone 18:01
*** KanagarajM has joined #openstack-keystone 18:04
*** thedodd has joined #openstack-keystone 18:14
<hrybacki> ayoung: mind reviewing https://review.openstack.org/#/c/105031/ when you get a chance? 18:14
*** afazekas_ has joined #openstack-keystone 18:14
*** KanagarajM has quit IRC 18:14
*** dims_ has quit IRC 18:14
*** rodrigods has quit IRC 18:17
*** rodrigods has joined #openstack-keystone 18:18
*** dims has joined #openstack-keystone 18:19
<ayoung> hrybacki, +2 from me.  That was pretty well reviewed in the client 18:25
<hrybacki> ayoung++ wanna do another? ;) https://review.openstack.org/#/c/103229/ 18:25
<hrybacki> the follow up tests for another simple fix 18:26
<ayoung> hrybacki, respond to Jamie's question.  Another review comment is OK. 18:26
* hrybacki nods 18:27
*** amcrn has joined #openstack-keystone 18:34
*** afazekas_ has quit IRC 18:35
<openstackgerrit> Harry Rybacki proposed a change to openstack/python-keystoneclient: Add tests without optional create endpoint params  https://review.openstack.org/103229 18:39
*** radez is now known as radez_g0n3 18:39
*** gyee has quit IRC 18:42
*** CaioBrentano has joined #openstack-keystone 18:45
<morganfainberg> ayoung, hrybacki, be aware we're not _actually_ testing the middleware yet against real services 18:49
<CaioBrentano> Hi all 18:49
<CaioBrentano> I have a stupid question… I'm configuring swift to use keystone… I couldn't understand what is the difference between public port (5000) and admin port (35357). Does anybody have any document to help me? 18:49
*** praneshp has joined #openstack-keystone 18:49
<morganfainberg> ayoung, hrybacki, still waiting for it to hit global requirements 18:49
<hrybacki> morganfainberg: I feel lied to now... 18:50
<morganfainberg> ayoung, also https://review.openstack.org/#/c/104026/ if you don't mind. 18:50
<morganfainberg> ayoung, need some support on that and the icehouse version before we can get the tempest change merged 18:50
*** ukalifon1 has joined #openstack-keystone 18:51
<morganfainberg> hrybacki, we test (unit tests) but until we get it in the global requirements, we can't update services to use it 18:51
<morganfainberg> hrybacki, so we test we just don't do tempest with it. 18:51
<ayoung> morganfainberg, I'll give it a hit here in a moment 18:51
<hrybacki> morganfainberg: nods. I was wondering why it passed things that the keystoneclient version didn't 18:51
<morganfainberg> hrybacki, the ds-g tempest runs are so we start testing as soon as we get a project updated to use it 18:51
<morganfainberg> ayoung, it can wait till the hackathon, just want it on your radar :) 18:52
*** keith_newstadt has joined #openstack-keystone 18:52
*** packet has quit IRC 18:52
<hrybacki> I wish I could join y'all at the hackathon 18:52
<ayoung> morganfainberg, ++ 18:53
<ayoung> hrybacki, be careful what you wish for. 18:53
*** CaioBrentano has left #openstack-keystone 18:53
<hrybacki> ayoung: no earthly magic could make something like that happen in 24 hours 18:53
<morganfainberg> hrybacki, who said anything about magic? 18:53
<morganfainberg> :P 18:53
<ayoung> that is like asking to attend a 3 day long meeting.   With me.  Amnesty International has already filed a protest 18:53
<hrybacki> morganfainberg: money is magic nowadays ;) 18:54
<morganfainberg> ayoung, to be fair, amnesty international filed a protest long before they knew it was going to be a full 3 days. 18:54
<hrybacki> ayoung: I love hackathons. My first 'conference' was the sprints portion of PyCon a couple of years back. Very tiring, very fun, great learning experience. 18:54
<morganfainberg> hrybacki, where are you located? maybe the next hackathon, mid-K cycle! 18:55
<hrybacki> morganfainberg: Greensboro/Raleigh NC 18:55
<morganfainberg> hrybacki, we're getting marekd|away ! if we got marekd|away, I'm sure we can get you out for it 18:55
<morganfainberg> ayoung, too bad jamielennox didn't want to do the insane travel for the hackathon :P 18:55
<morganfainberg> hrybacki, you going to be in Paris for the summit in November? 18:56
<hrybacki> morganfainberg: That'd be lovely. But, my internship will be over and I'll be back in classes =/ 18:57
<morganfainberg> hrybacki, doh! 18:57
<morganfainberg> hrybacki, well even with your internship being over, keep contributing!!! 18:57
<ayoung> morganfainberg, couldn't get a Red Hat to spring for an intern, especially when he didn't join the project effort until  June.  If he's still heads down on Keystone work in the future, we'll get him to the January conf. 18:57
<morganfainberg> ayoung, ++ 18:57
<ayoung> He doesn't even work for my group, but I hijacked him 18:58
<morganfainberg> ayoung, so... doing it right! 18:58
<hrybacki> ^^ true 18:58
hrybackimorganfainberg: I plan to. This is exciting stuff. Rather turbulent but fun none the less.18:58
ayoungmorganfainberg, its because what we are doing with the client right now is critical path.  Most of the rest of Keystone work right now is just lower priority as far as security goes18:58
ayoungso his team lead understands that we need the client stuff straightened out for all the projects sake18:59
ayoungthat is why jamielennox , hrybacki , and I are all working on it pretty much exclusively18:59
morganfainbergayoung, it's great when team leads get that and work with it.18:59
hrybackitickets aren't as expensive as I thought they would be... ~how much are rooms for the duration of the hackathon?19:00
*** radez_g0n3 is now known as radez19:00
morganfainberghrybacki, i think i'm paying ~$130, but i'm not staying at the recommended hotel19:01
mrutkowsayoung/keith_newstadt: matt rutkowski here for chat on audit middleware... o/19:01
morganfainberghrybacki, a night that is. (corp policy said the valencia was out)19:01
hrybackimorganfainberg: Hmmm. Debating on throwing it on the card.19:02
morganfainberghrybacki, $114/night (contact me for a corporate code). [bug dolph] at the Valencia19:02
topolo/19:03
morganfainberghrybacki, (he's the "contact me for the corporate code" statement)19:03
hrybackiayoung: (after your chat on audit middleware) thoughts on value of me going to the hackathon?19:03
morganfainbergtopol, o\19:03
morganfainbergtopol, did you see my message to you this morning?19:03
hrybackimorganfainberg: will do19:03
topolmorganfainberg forgot to respond, got distracted19:03
morganfainbergdolphm, ^ hrybacki might need that corporate code19:03
morganfainbergtopol, don't worry, i'll bug ya tomorrow night and get the details sent off19:04
mrutkowsayoung: have you seen Keith on recently?19:04
keith_newstadtmrutkows: i'm here now19:04
topolmorganfainberg, perfect19:04
mrutkowswave19:04
keith_newstadtdo we have everyone?19:04
topolhi keith_newstadt19:04
ayoungmrutkows, keith_newstadt yeah, I'm here, too19:05
keith_newstadthi topol19:05
keith_newstadtok, let's start...19:05
*** andreaf has quit IRC19:05
topolsure, go19:05
ayoungBTW, other keystone devs, we are going to be having a mini meeting on Audit19:05
*** andreaf has joined #openstack-keystone19:05
ayoungtopol, was the driver, but keith_newstadt is interested in taking it to the next level19:05
ayoungright now, the audit code lives...where?19:06
*** chandan_kumar has quit IRC19:06
*** gyee has joined #openstack-keystone19:06
keith_newstadthere, let me start on what we're trying to accomplish at symc19:07
morganfainberggyee, mini audit meeting happening, you might be interested in [happening nowish]19:07
ayoungmorganfainberg, thanks19:07
keith_newstadtwe're bringing a few services to iso certification, including some openstack core and some homegrown services19:07
keith_newstadtthe homegrown services are built in openstack style, with keystone auth and the same style of design19:07
keith_newstadtiso requires an audit log of changes to the environment19:08
ayounghttp://docs.openstack.org/developer/pycadf/middleware.html#enabling-audit-middleware19:08
ayounghmmm. chop the internal anchor off that19:08
ayoungthe plan is to put that middleware in the keystonemiddleware project;19:09
ayounghttp://git.openstack.org/cgit/openstack/keystonemiddleware19:09
morganfainberghm. this might require the TC's approval, it is an increase of scope of the Keystone project19:09
mrutkowsthe audit middleware filter is optional and lives apart from any specific project code right now and is part of oslo-common19:09
ayoungwe've got the project underway, and are working to integrate it into the build system19:09
topolso we are putting what where???19:10
keith_newstadti'm not familiar with it.  what does it provide?19:10
morganfainbergi don't think it's a hard sell, just it is increasing scope.19:10
topolthe pycadf code?19:10
ayoungkeith_newstadt, see the link I just posted19:10
*** andreaf_ has quit IRC19:10
dhellmannayoung: why do you want the audit middleware to live in keystone?19:10
mrutkowskeystone uses pyCADF library directly19:10
*** andreaf_ has joined #openstack-keystone19:11
mrutkowsBrad knows that code more so than I19:11
ayoungdhellmann, because it is the right place for audit;  right next to policy19:11
topolwhat does ayoung mean by audit middleware19:11
gyeemorganfainberg, sorry I missed part of the conversation, are we talking about API auditing?19:11
ayoungideally, the policy middleware would implement the policy enforcement19:11
morganfainbergi don't think it's wildly out of whack for Identity to help cover audit (since we provide a lot of the stuff that goes into it) but. ah dhellmann ! a good person to have jump in19:11
ayoungI don't know if we could ever make it a straight middleware19:11
ayoungOK...let me lay things out19:11
dhellmannis there something wrong with working on it where it lives now?19:11
morganfainberggyee, aye. and you didn't miss much, i pinged you right at the start19:11
ayoung1.  right now, keystone issues tokens with roles in them19:12
ayoungroles are used by policy enforcement to grant/deny access19:12
ayoungthat decision (policy enforcement) is what needs to be audited19:12
ayoungthe middleware duplicates that19:12
ayoungbut lacks the context19:12
dhellmannwhy don't you just use the library?19:13
ayoungand...I don't think it can be done as a straight middleware19:13
ayoungdhellmann, for policy?19:13
ayoungbecause the library from oslo is just a rules engine19:13
dhellmannfor auditing19:13
dhellmannwhatever you're talking about moving19:13
ayoungdhellmann, in time, yes.19:13
ayoungwe need to do this in usable chunks19:13
dhellmannit's a library. it's meant to be reused. if it doesn't work, help fix the api. why move the code somewhere else?19:13
morganfainbergayoung, ok ok wait. are we talking audit or policy19:13
mrutkowsayoung: excellent, the last iteration of the CADF spec. created a "control" type event for policy decisions and allow/deny outcomes19:13
morganfainberglets keep the scope to the convo at hand.19:13
morganfainbergif we're not talking policy lets leave that to the side for now.19:14
ayoungmorganfainberg, I was answering  dhellmann's question..19:14
ayoungpolicy and audit are hand and glove19:14
gyee"auditing" usually has to meet certain security properties, like cipher chaining of log entries to make sure there's no tampering19:14
mrutkowsayoung: +119:14
ayoungmorganfainberg, can't19:14
*** afazekas_ has joined #openstack-keystone19:14
ayoungif we treat them separately, we will end up with them in split projects19:15
ayoungwe already have a broken policy mechanism (endpoints can't fetch)19:15
gyeenot sure how we are going to aggregate those logs19:15
ayounggyee, that can be something we read from the config file19:15
mrutkowsayoung: yes, using XACML terms. the policy enforcement point (or PEP) should centrally report / audit all policy decisions or it could get messy19:15
ayoung++19:16
ayoungmrutkows, right. so the problem thus far is that openstack has treated tokens, passwords, and role assignments as one system, and policy as a separate19:16
ayoungnow audit comes in, and it risks becoming a third19:16
topolisn't audit interleaved into the other two?19:17
ayoungtopol, it should be19:17
ayoungbut if it is a stand alone middleware it can't be...so gordon's first approach is just a starting point19:17
mrutkowsayoung: i believe that the creation of events that support audit are separate from an independent audit service for users?19:17
ayoungso we put the audit middleware into the keystonemiddleware repo, then refactor19:18
dhellmannnone of this explains why the middleware code has to move somewhere other than where it is. I'm fine if the keystone team wants to adopt pycadf, since it needs more devs anyway, but I need more detail than "because dependencies" :-)19:18
mrutkowsayoung: but the audit filter was created as a convenience19:18
*** rodrigods has quit IRC19:18
topoldhellmann, I'm kind of like you trying to understand. I look at auditing as pycadf plus decorators + notifications19:18
ayoungdhellmann, keystonemiddleware is the portion of keystone program managed code designed to run in other services19:18
mrutkowsayoung: as long as the correct notifier (with audit channel setup) is used the audit middleware filter need not be used19:18
ayoungmrutkows, right, and it was a fine proof-of-concept19:19
ayoungmrutkows, I wanted to have it done via policy enforcement, but that is also currently implemented by each project19:19
ayoungcut-and-paste code,19:19
ayoungwith the security and bug fix problems that implies19:19
morganfainbergayoung, policy shouldn't be incubator, dhellmann knows my stance on that, but what is wrong with it graduating into its own oslo lib?19:20
morganfainbergayoung, similar with audit?19:20
morganfainbergayoung, i don't see the _need_ to move it to the keystonemiddleware.19:20
ayoungmorganfainberg, it is a single system with Keystone.  It needs to be reviewed by keystone devs.  Oslo devs are generalists, not security folks.19:21
*** ukalifon1 has left #openstack-keystone19:21
morganfainbergdhellmann, can keystone folks be core on a graduated library?19:21
morganfainbergdhellmann, or is it oslo-core only?19:21
topolayoung which code needs to be reviewed by keystone devs? the pycadf library or something else?19:21
dhellmannmorganfainberg: each library has its own core team19:21
ayoungmorganfainberg, and, there is a lot of work to do before we can get to a stable end state;19:21
ayoungtopol, the policy/audit code19:22
dhellmannalthough if it's going to be largely keystone folks, I agree it would make just as much sense to move it into the keystone program19:22
ayoungmorganfainberg, but, it belongs in keystonemiddleware;19:22
morganfainbergdhellmann, sure.19:22
ayounghere is the flow19:22
ayounguser gets token from keystone service,  user sends token to, say, glance19:22
ayoungright now, auth token middleware unpacks token, verifies, but also says 40319:22
ayoungthat is a mistake, and we want to remove that19:23
ayoungas there are some calls that are fine to be unauthenticated, or that don't need a role19:23
ayoungso, once we do that, we need to keep from opening up a security hole in the apps19:23
morganfainbergsure, move 100% to defer policy19:23
ayoungwe need a second layer that enforces policy19:23
ayoungit is this layer that needs to send audit events19:23
morganfainbergbut policy is driven by methods on the controllers, you can't do anything with that in the middleware layer19:24
ayoungI know19:24
ayoungand that means it needs to be a library called by the other services19:24
topolayoung, perfect. so the tricky part is the policy layer.  audit just hitches a ride19:24
ayoungtopol, right19:24
openstackgerritRaildo Mascena de Sousa Filho proposed a change to openstack/keystone-specs: Hierarchical Multitenacy  https://review.openstack.org/10101719:24
ayoungmorganfainberg, so we make it possible for other services to call keystonemiddleware.policy.whatever19:25
ayoungwe do that as a refactoring effort;19:25
morganfainbergok, so are you saying policy language needs to encompass say... REST API calls? e.g. PUT <uri>, roles=[list]?19:25
morganfainbergor are we saying keep policy at the controller level?19:25
ayoungstart with letting people deploy the audit middleware, and by getting the policy stuff clean enough to live in there19:25
dhellmannmoving the code around to different libraries is going to break apis and existing deployments, so we need a migration plan to mitigate those issues19:25
morganfainbergdhellmann, ++19:25
ayoungdhellmann, exactly, so this is a first step that19:26
topoldhellmann, what code does he want to move exactly???19:26
ayoungdoes not require changing other services19:26
dhellmanntopol: excellent question :-)19:26
ayoungother than allowing them to use audit19:26
topolthe  policy stuff???19:26
ayoungthe code I want to move for policy...I'll post a link.19:26
ayounghttps://github.com/openstack/keystone/blob/master/keystone/common/authorization.py19:26
ayoungthat is "necessary but not sufficient"19:27
ayoungwe need to extract the decorators as well;  and those are still tightly coupled to keystone server19:27
dhellmannI was more worried about whatever you want to move out of pycadf or oslo-incubator19:27
dhellmannmaybe you could write this up in a spec?19:27
ayounghttps://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L8719:27
ayoungdhellmann, that is the plan, but I can't own it.  I have too much on my plate, I need the Audit drivers to understand the endstate and work with me on it19:28
ayounghence this meeting of the minds19:28
morganfainbergok so we're talking about a path to graduate policy to its own library, and where that emits audit events, but not precluding the direct use of pycadf for certain cases19:28
ayoungyes...although "to its own library" should be keystonemiddleware19:28
morganfainbergso, pycadf stays in oslo, and policy + some policy_audit moves under keystone?19:28
* morganfainberg is trying to understand.19:28
ayoungIt's the reason I didn't love the name keystonemiddleware19:29
ayoungit's more keystone-client-for-other-services19:29
dhellmannhttps://wiki.openstack.org/wiki/Oslo/GraduationStatus#oslo.policy19:29
*** rodrigods_ has quit IRC19:29
ayoungmorganfainberg, there is the whole question of how to fetch policy.19:29
ayoungAnd that needs to be audited as well.19:29
morganfainbergok, so, i don't see audit needing its own middleware.19:30
ayoungThen there is the question about centralized configuration of audit logging, and how to distribute that.19:30
morganfainbergi see this completely as a graduation path for policy19:30
mrutkowsmorgan: I believe that direct use of pyCADF is what we have done already and will continue to do so if is integral to keystone and usable for ISO audit purposes.19:30
morganfainbergayoung, audit should use pycadf, plain and simple.19:30
dhellmannmorganfainberg: there's already an audit middleware, are you saying we don't need that?19:30
ayoungmorganfainberg, 100% Agreed19:30
ayoungdhellmann, not long term19:30
morganfainbergdhellmann, i think it fills a gap19:30
topolmorganfainberg +++19:31
ayoungdhellmann, short term yes19:31
dhellmannok19:31
morganfainbergdhellmann, and could be useful for bootstrapping new projects19:31
ayoungmorganfainberg, you said that better than I did19:31
mrutkowsmorgan: agree (per above stmt)19:31
morganfainbergmrutkows ++19:31
ayoungKeystone IPA.   Identity, Policy, Audit.  Smooth.19:31
topolwhat replaces audit middleware?19:31
*** rodrigods has joined #openstack-keystone19:31
mrutkowsaudit middleware does not get replaced19:32
ayoungtopol, OK, so let me try to make that a little clearer19:32
dhellmanneliminating the audit middleware may resolve an issue we have with circular dependencies with some proposed libs and oslo.messaging, so that's nice to know :-)19:32
ayoungI'm assuming we need audit today...that is going to use the audit middleware19:32
morganfainbergdhellmann, good point19:32
ayoungat the same time, we work at getting the policy enforcement code from keystone server into the keystonemiddleware repo.19:32
mrutkowstopol: audit middleware can still be used for API audits only, but hard core auditing will also use keystone generated IAP events19:32
ayoungWe clean it up so that it is usable by the other projects.19:33
ayoungat the same point, we integrate auditing into the policy mechanism, such that every policy decision emits a CADF message19:33
ayoungat some point, we cut over from using the middleware to using the policy enforcement19:34
ayoungit's a longer path, as we need to help the other projects switch over, comparable to what we are doing with the client/session effort right now19:34
dhellmannso would you want us to graduate the policy module as a library in the way we've planned, to preserve the commit history, or do you really want to put it into the keystonemiddleware repository?19:34
morganfainbergayoung, so policy doesn't end up in middleware at all, it stays (roughly) the same with policy being controller + decorator based19:34
ayoungmorganfainberg, yes19:34
morganfainbergit just happens to emit audit as well?19:34
ayoungdecorator moves to keystonemiddleware19:34
ayoungyes19:34
morganfainbergayoung, no, not to keystonemiddleware.19:35
morganfainbergit isn't middleware19:35
ayoungmorganfainberg, you want to push for it being a stand alone library from the start?19:35
morganfainbergayoung, yes.19:35
ayoungThat is going to be messy19:35
morganfainbergayoung, not any more messy than splitting keystoneclient and keystonemiddleware was19:35
morganfainbergayoung, actually, probably less messy, since we are talking about building on the policy from incubator19:36
ayoungmorganfainberg, I guess I am ok with it, so long as it is under the review of the same devs working on auth token middleware and the current policy code19:36
ayoungmorganfainberg, that is a problem;  policy in incubator is just a rules engine19:36
ayoungand it is owned by Oslo, and when I brought all this up two summits ago I was accused of a powergrab19:36
ayoungme whistles19:37
ayoungpolicy as a rules engine can be separate19:37
ayoungas it might be used by, say, Neutron for firewall rules or something different than Keystone manages19:37
ayoungthis is specifically Keystone RBAC19:37
*** afazekas_ has quit IRC19:37
ayoungof which Auth token middleware is the starting point19:38
morganfainbergstill needs to graduate, i'll defer to dhellmann  if the policy library should be inclusive for the way we're doing policy enforcement or if it should be built on as another layer for what ayoung is talking about19:38
* ayoung going to abbreviate that to AtM 19:38
ayoungmorganfainberg, so In the interest of keeping the  refactoring process moving, I would like to do it all in keystonemiddleware19:38
morganfainbergif it is oslo.policy, it feels like (in my mind) it could encompass the decorators etc19:39
ayoungas we can put ATM and audit middleware in there19:39
ayoungthen, refactor19:39
ayoungthen, if needs  be, extract it to its own library19:39
*** amcrn is now known as ghost_of_amcrn19:39
morganfainbergif it is meant to stand alone outside of openstack, i don't see it being the right place for the decorators that are more openstack/keystone/auth_token driven19:39
morganfainbergthe question is, what is oslo.policy's goal to provide.19:39
morganfainbergif we answer that, the rest becomes much easier19:40
ayoungmorganfainberg, I think you are hung up on that we called the repo keystonemiddleware.19:40
morganfainbergdhellmann, and in either case we should maintain the policy history.19:40
ayoungmorganfainberg, so oslo.policy is the rules engine19:40
ayoungdecorators....maybe19:40
morganfainbergayoung, ok so i'm lost. what part of the code goes in keystonemiddleware?19:41
ayoungmorganfainberg, I'd rather start with it in keystonemiddleware, and then move it to its own oslo thing once it is mature.19:41
morganfainbergif the engine and decorators are in oslo.policy19:41
morganfainbergwhat goes in middleware?19:41
*** bvandenh has quit IRC19:41
dhellmannmorganfainberg: I think infra has to get involved if the policy history is merged into another repo, but I think they can do that without a huge hassle. So we could graduate it and then figure out how to proceed.19:42
morganfainbergdhellmann, yeah i know the steps to merge into another repo, we're going to do it for identity-api, but i want to be sure we're putting things in the right place19:42
dhellmannyeah, that part isn't clear to me yet19:42
morganfainbergdhellmann, it's not "trivial" to do.19:42
ayoungmorganfainberg, authorization.py,  the decorators  (maybe)  can be oslo19:42
ayoungwe need code to fetch the policy file from keystone, but that needs more design work19:43
dhellmannoslo isn't the only team allowed to create reusable libraries, so if you just mean that those things can go into their own library the keystone program could still own it19:43
ayoungmorganfainberg, the engine itself is different from  binding the engine to a controller19:43
dhellmannoh, god, why is something going to fetch a policy file?19:43
ayoungI'd rather keep the decorators out of the controller19:44
ayoungdhellmann, if you are going to use my other name, please use a capital G19:44
* dhellmann probably doesn't have enough background on these plans19:44
morganfainbergok, lets step WAY back.19:45
ayounghttp://adam.younglogic.com/2013/07/a-vision-for-keystone/19:46
dhellmannperhaps some of you could also review this spec for policy directories (mirroring the --config-dir feature of oslo.config): https://review.openstack.org/#/c/104157/19:46
morganfainbergdhellmann, ++ will do19:46
morganfainbergdhellmann, good idea to mirror that btw.19:47
morganfainbergayoung, so, when it comes to policy enforcement, how does it work. ignore where the policy file comes from19:47
morganfainbergayoung, is this a decorator on a controller like keystone? is this a middleware that enforces on the REST + HTTP method?19:48
morganfainbergayoung, or is it something else i'm not seeing?19:48
ayoungmorganfainberg, it is a decorator19:48
morganfainbergayoung, and it decorates the controller method?19:48
dhellmannis "controller" a web api controller?19:49
*** erecio has joined #openstack-keystone19:49
*** erecio has quit IRC19:49
mrutkowsmorgan: ideally policy files are controlled entities and actions taken against them strictly audited, each policy should have an associated ID that can be tracked19:49
ayoungmorganfainberg, see the link to controller I posted above, that code needs to be cleaned up, moved to that authrzie.py file, and extracted19:49
ayoungdhellmann, yes19:49
ayounga controller is a web API controller19:49
morganfainbergdhellmann, controller from the MVC design pattern19:49
*** dstanek is now known as dstanek_zzz19:49
morganfainbergmrutkows, ++ perfect19:49
dhellmannok19:49
ayoungmorganfainberg, agreed we should table "where the policy file comes from"  for this discussion19:50
ayoungmrutkows, ++19:50
mrutkowsmorgan: and as policy decision events are created the policy ID is logged (even the rule and PIP information used can be recorded)19:50
morganfainbergmrutkows, ok, cool, that makes a lot of sense19:51
ayoungdhellmann, there is also the fact that each policy file starts with a set of rule-definitions that really should be common across all the services, like "how do we define admin"19:51
*** keith_newstadt has quit IRC19:51
*** keith_newstadt has joined #openstack-keystone19:52
topolmrutkow, i agree with everything you said. I get lost on all the proposed code shuffling between projects19:52
mrutkowstopol: thx Brad19:52
ayoungtopol, My goal was to get it to a central point,  and it currently is split across more than just keystone projects, but glance, nova, and so for19:53
ayoungth19:53
morganfainbergtopol, the only code shuffling i see being warranted is some extraction of keystone-specific things to the general library and graduation of policy to its own library19:53
topolcan we propose patches to where things sit now and then refactor as a second phase?19:53
ayoungso  I'd like to put it all in keystonemiddleware,  and have one library to work on,  for RBAC, for policy, for audit,19:53
topolor a simplistic refactoring as proposed by morganfainberg19:53
ayoungif people object to having the decorators in their code say keystonemiddleware, then we put the decorators into oslo19:54
dhellmannI thought the oslo policy library was something keystone wanted to manage?19:54
ayoungbut the logic at the guts of the decorators stay in keystonemiddleware19:54
topolwhy would folks object to decorators in their code??? they are used all over the place??19:54
ayoungdhellmann, I'm OK with the policy engine being a more general purpose piece of code19:55
ayoungwe don't need to manage it directly, but it does need to get a stand alone library19:55
dhellmannok19:55
morganfainbergdhellmann, i'm happy to manage it if that is what it takes to get it out of incubator :)19:55
ayoungdhellmann, to start, though, we can leave it in incubated, so long as the code that we use is all managed in a single, replaceable library19:55
ayoungso keystonemiddleware.openstack.common.policy  is OK for start19:55
dhellmannmorganfainberg: volunteers welcome! it didn't make the cut this cycle, since we're working from the bottom up19:56
morganfainbergdhellmann, right19:56
morganfainbergdhellmann, i talked to you @ the summit about it :)19:56
dhellmannmorganfainberg: that was a million years ago19:56
ayoungtopol, no, not "object to decorators in their code." I said "object to their decorators coming from keystonemiddleware"19:56
topoldhellmann, Ha Ha19:56
topolayoung, OK19:57
morganfainbergayoung, why make everyone use keystonemiddleware for that instead of just graduating policy, it's not a big step of work to graduate it.19:57
topolmorganfainberg+++19:57
morganfainbergdhellmann, looks like breaking oslo.config dep and minor shuffling would get us graduated?19:57
topolI think that's less headaches for the keystone team19:57
dhellmannok, I feel like you all understand what you're proposing but I'm not 100% clear on the specifics of moving A to B and who owns what. Could we have a mailing list message with a specific list of steps in the order they may need to be taken? That would also give me something to point the oslo core team to to discuss changing ownership of the policy module, if that's still something you want.19:57
topoldhellmann +++19:57
topolgood call19:57
morganfainbergdhellmann, yeah this is a good ML topic19:57
ayoungdhellmann, I can do that19:57
dhellmannmorganfainberg: yeah, the config dependency isn't a small thing, though, because we want to avoid having every project declare those options differently19:58
arosenHi, I asked about this on friday but figured I'd ask again here. Do you guys have any pointers on how a new project should integrate with the keystone middleware? Or should I just look at nova/neutron and figure it out from there?19:58
morganfainbergdhellmann, right.19:58
ayoungdhellmann, we have a patch for creating a keystoneclient from a config file.  I think it would be comparable19:58
ayoungarosen, heh19:58
arosenI got the client side figured out, so I'm working on the server side now.19:58
ayoungarosen, start with auth token middleware from the keystonemiddleware repo.19:59
*** dstanek_zzz is now known as dstanek19:59
ayoungAnd you will be ahead of the curve....19:59
*** andreaf has quit IRC19:59
dhellmannayoung: I had some feedback on that patch series, but haven't come back around to look at them in a while.19:59
*** andreaf has joined #openstack-keystone19:59
dhellmannayoung: I'm not sure how they're related, though.19:59
mrutkowshave to run to next meeting, will look for ML discussion and track20:00
topolme too20:00
keith_newstadti have to drop off for another meeting.  interesting conversation guys.  we'll start with the auditing middleware for the short term, but will stay involved to see where we can contribute.  this is an area that we are interested in.20:00
ayoungI'm going to write this up20:00
mrutkowsayoung, tyvm20:00
keith_newstadtayoung, thanks20:01
arosenayoung:  there needs to be a part before that with  api-paste.ini within the project?20:01
openstackgerritA change was merged to openstack/keystone: Updated from global requirements  https://review.openstack.org/10401820:04
*** mrutkows has quit IRC20:04
*** marcoemorais has quit IRC20:06
ayoungarosen, you just walked into a huge discussion around the issues you will face20:06
ayoungbasically, keystone provides a token that a user hands to your  service.  Your service has a paste pipeline set up to call auth-token middleware20:07
ayoungor ATM for short20:07
ayoungreally it is20:07
*** marcoemorais has joined #openstack-keystone20:07
ayoungkeystoneclient.middleware.auth_token20:07
ayoungbut we are moving it to20:07
*** marcoemorais has quit IRC20:07
ayoungkeystonemiddleware.auth_token20:07
*** ghost_of_amcrn is now known as amcrn20:07
*** marcoemorais has joined #openstack-keystone20:08
ayoungarosen, after that comes policy enforcement20:08
ayoungthe  best example of it I can show you is here;20:08
ayounghttps://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L8720:08
ayoungarosen, and that is code I want to pull out and put into keystonemiddleware20:08
arosenayoung:  yup I remember reading a thread about this on the mailing list.20:15
arosenayoung:  I'll keep digging in nova/neutron and see how they integrate with this pipeline. Was just wondering if there was a doc out there already that explained this.20:16
ayoungarosen, nah, dig into Keystone20:16
hrybackimorganfainberg, dolphm: This may be an odd question but would it be possible to get an email formally 'inviting' me to attend the hackathon? It will go a long way in convincing my uni to reimburse some travel funds20:23
morganfainberghrybacki, of course I can send one! :)20:23
morganfainberghrybacki, dolphm might have a better form-letter-y thing though handy20:24
morganfainbergnot sure ;)20:24
dolphmi don't have anything pre-written20:24
morganfainbergtopol, might be able to help too!20:24
morganfainbergtopol has all sorts of form-lettery stuff20:24
morganfainberghe works for IBM >.>20:24
hrybackilol20:24
topolyes,  I have done those before20:24
dolphmtopol: is totally the person to ask for form lettery things20:24
morganfainbergtopol, see what i did there :P20:24
morganfainbergdolphm, ++20:25
topolits all true, all true20:25
topollet me dig it up20:25
hrybackitopol: thanks!20:25
dolphmmorganfainberg: i happen to have a recent example of topol's form letteryness https://twitter.com/dolphm/status/48550934592107315220:26
topoldolphm, so I found it. You want me to send it to you and you send the invite?20:26
dolphmtopol: happy to20:26
morganfainbergdolphm, also the corp code for the valencia might be good to add in :)20:28
morganfainbergsave some $$ on hotel if possible.20:28
morganfainberghrybacki, phsaw, magic.20:28
morganfainberg:)20:29
hrybackimorganfainberg++ told ya magic was real ;)20:29
topoldolphm, sent the letter sample to your gmail account20:30
topoldolphm you may need to change the letter20:30
topolthe one I sent was to get someone here from China20:31
topolyou will need to bump up why it benefits the university to have hrybacki attend20:31
arosenayoung:  I guess I should start at create_server in bin/keystone-all and make my way up to how the keystone-paste.ini is loaded?20:32
ayoungarosen, start with the link I posted, which is a decorator call20:32
ayounglook at20:32
topoldolphm if you need help let me know20:32
morganfainbergdolphm, bknudson, requirements update is going through gate (well recheck now)20:33
arosenayoung: K20:33
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/controllers.py#n20620:33
ayoungarosen, see the decorator there?20:33
morganfainbergmiddleware should hit today in global requirements, so we can get a project or few converted over and get real testing20:33
morganfainbergreal = tempest20:33
topolhrybacki, what are the types of things that help the university understand its a good investment to send you?20:33
ayoungarosen, http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/controller.py#n8720:34
arosenayoung:  yup the protected decorator implementation.20:34
ayoungis where it is implemented20:34
ayoungand that is what I want to pull out into the keystonemiddleware repo20:34
hrybackitopol: hmm20:34
arosenayoung:  k, i'll start reading through this to figure out where I need to hook in. thanks!20:34
arosenbrb20:34
topolhrybacki, which university and what department are you in?20:35
hrybackitopol: well, I'm showing that our uni/department supports and promotes the open source community -- specifically undergraduates focusing in the area20:35
hrybackitopol: University of North Carolina - Greensboro (UNCG) -- Computer Science20:35
topolhrybacki, no way, I served on a student's master's thesis defense committee from there20:36
topolhrybacki, it's an hour away20:36
hrybackitopol: where are you?20:36
topolhrybacki, raleigh, NC20:37
topolactually cary NC20:37
hrybackitopol: hah, I'm in Raleigh for the summer20:37
topolhrybacki, what dept20:37
hrybacki?20:37
topolat the school? computer science?20:37
topolelectrical engineering?20:38
hrybackitopol: ah, yes, Computer Science20:38
topolhrybacki, have you made contributions to Keystone? What's your stackalytics ID?20:39
ayoungtopol, stop trying to steal my intern20:39
hrybackitopol: I wasn't aware of stackanalytics20:40
hrybackiayoung: fret not, I love what RH stands for20:40
topolayoung, not stealing, just trying to get details to ghost write a letter for dolphm20:40
ayoungHeh20:40
ayoungtopol, nah, I know you are aboveboard,  just had to say it20:40
topolayoung :-)20:40
topolpretty funny20:40
topolbut nice to know he's right here in raleigh....:-)20:41
topol:-)20:41
ayoungtopol, I've been throwing him at the client issues20:41
hrybackitopol: I didn't register with it and I don't see my launchpad id in the individual engineers section20:41
ayounghe's gotten a  couple minor patches through,20:41
topolK, I can make that work20:41
hrybackiayoung: and several in the queue :P20:41
ayounghrybacki, yep20:41
morganfainbergtopol, http://stackalytics.com/?user_id=hrybacki20:41
hrybackimorganfainberg: actual name, heh20:42
morganfainberghrybacki, goes by LP id20:42
hrybackitopol: I'll be transitioning to a coffee shop downtown for the remainder of the day to do some work for a client -- I generally do most week nights. Feel free to join in. Nice to hear a keystone person is close :P20:43
topolk, dolphm,. morganfainberg, hrybacki, writing a new invite letter now20:43
hrybackimorganfainberg: my gravatar on stackalytics accurately depicts every time I dive into this code base...20:44
morganfainberghrybacki, had to disable my 3rd party cookie blocking addon to see the gravatar20:45
morganfainberghrybacki, nice one :)20:45
*** bobt has joined #openstack-keystone20:47
topoldolphm, hrybacki, morganfainberg. how's this?20:55
topolTo whom it might concern,20:55
topolI would like to formally invite Harry Rybacki to the OpenStack Keystone Hackathon being hosted by Rackspace and being held in San Antonio July 8-11.   OpenStack is an  open source Infrastructure as a Service cloud operating system that currently is growing at a pace that surpasses the Linux Open Source Community.   Harry has started contributing to OpenStack Keystone which is the authentication an20:55
topold authorization component used by OpenStack.   By attending the Keystone hackathon, Harry will not only get to contribute his expertise to the project, but will also gain key insights into the open source development processes and philosophies used by OpenStack.  OpenStack skills are in extremely high demand by vendors such as Rackspace, Red Hat, IBM, HP, Cisco, and numerous others.   By...20:55
topol...funding Harry to attend the OpenStack Keystone hackathon, UNCG  will be taking advantage of an outstanding opportunity to start building a relationship with this critically important open source community.  We very much hope that UNCG can help Harry to obtain funding to attend this conference.   We look forward to continued collaboration with Harry and with UNCG and hope that you see this...20:55
topol...as a mutually beneficial opportunity.20:55
topolbest regards,20:55
topolDolph Mathews20:55
hrybackitopol++20:56
topoldolphm, sent by email as well20:56
hrybackithank you!20:56
morganfainbergtopol, looks good to me!20:56
topolhrybacki, you are welcome.  now who needs a new OxyContin prescription??? :-)20:57
hrybackilol20:57
morganfainbergtopol, <insert comment about california and other prescriptions>20:58
morganfainbergtopol, :P20:58
topoldolphm, if you want me to co-sign with you at the bottom to put the fancy shmancy credentials in play thats fine too20:58
topolmorganfainberg, almost went there but decorum prevented me20:59
morganfainbergtopol, notice i didn't get too specific!20:59
morganfainbergtopol, dude, i need glasses! >.>20:59
morganfainbergtopol, what were you thinking?! :P21:00
*** harlowja is now known as harlowja_away21:02
*** marcoemorais has quit IRC21:11
hrybackiThe airlines know... Ticket prices went from ~500 to ~1000. In the hour since I first looked.21:14
ayoungmorganfainberg, is get_member_from_driver  generalizable  http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/controller.py?h=stable/icehouse#n12021:14
*** marcoemorais has joined #openstack-keystone21:14
morganfainbergthats the callback stuff, right?21:14
morganfainbergoh no it isn't21:14
morganfainberguhm. sec21:14
morganfainbergayoung, i think you could make it more general, but it would require passing a callback in.21:15
morganfainbergthat might also be a keystone-only construct21:16
morganfainbergayoung, nova does it a little bit differently21:17
morganfainberghttp://git.openstack.org/cgit/openstack/nova/tree/nova/api/openstack/compute/servers.py#n107521:17
morganfainbergayoung, nova does the work and then does enforcement instead of as a decorator21:18
morganfainbergwork = get resources in the controller method21:18
*** topol has quit IRC21:20
ayoungmorganfainberg, its that "enforce" method I think we need to make general21:21
ayoungthe decorators could stay as a keystone only implementation21:21
stevemarcan someone take a looksy at https://review.openstack.org/#/c/104321/21:22
*** radez is now known as radez_g0n321:26
*** marcoemorais has quit IRC21:26
*** marcoemorais has joined #openstack-keystone21:27
*** marcoemorais has quit IRC21:27
*** marcoemorais has joined #openstack-keystone21:27
*** marcoemorais has quit IRC21:27
*** marcoemorais has joined #openstack-keystone21:28
*** marcoemorais has quit IRC21:28
*** marcoemorais has joined #openstack-keystone21:28
*** marcoemorais has quit IRC21:29
*** marcoemorais has joined #openstack-keystone21:29
*** joesavak has quit IRC21:32
morganfainbergayoung, the enforce method is already general.21:44
morganfainbergayoung, that comes straight afaict from policy21:44
ayoungmorganfainberg, there is some setup specific to each service21:44
morganfainbergnot much http://git.openstack.org/cgit/openstack/nova/tree/nova/policy.py21:45
ayoungmorganfainberg, yep21:46
ayoungand code to that effect lives in just about every project21:46
ayoungkeystone is the only one that does the decorator approach.  Not certain that the decorator is a great idea.  It really only works when you cache21:47
morganfainbergeven then.21:48
ayoungmorganfainberg, it also means that the policy rules get embedded in the controller.  You can't do what we do with the trusts where the whole rule goes into policy, to include what field to match on what21:48
ayoungmorganfainberg, I'm doing this as a blog post.  It needs images and stuff.21:49
morganfainbergthis is something worth discussing a bit more in depth at the hackathon i think21:49
morganfainberghrybacki, make sure you clear your cookies / use incognito browser21:50
morganfainberghrybacki, some airlines do shaaaaady things "oh you looked, ok we21:50
*** dstanek is now known as dstanek_zzz21:50
morganfainbergll jack up the prices next time you look"21:50
hrybackimorganfainberg: I only read the first line and the hairs on the back of my neck began to rise. Make sure you flip those sentences around so as not to induce heart attacks ;)21:51
morganfainberglol21:52
morganfainbergand... gate is going to punt requirements update21:57
morganfainberg*sigh*21:57
*** andreaf_ has quit IRC21:57
*** andreaf has quit IRC21:57
*** andreaf has joined #openstack-keystone21:58
*** andreaf_ has joined #openstack-keystone21:58
*** ayoung is now known as ayoung_dad_mode22:03
*** harlowja_away is now known as harlowja22:04
*** d34dh0r53 is now known as mostly_d34dh0r5322:11
*** bknudson has quit IRC22:16
*** rodrigods_ has joined #openstack-keystone22:34
*** rodrigods_ has quit IRC22:34
*** stevemar has quit IRC22:35
*** stevemar has joined #openstack-keystone22:36
*** thedodd has quit IRC22:38
*** rodrigods_ has joined #openstack-keystone23:02
*** david-lyle has quit IRC23:04
*** daneyon has quit IRC23:05
jamielennoxmorganfainberg: don't push the decorator policy around, it really needs to be a part of the function23:12
jamielennoxif it wasn't for the caching layer the decorator would be terrible23:13
openstackgerritBob Thyne proposed a change to openstack/keystone-specs: Propose Specification for Endpoint Group Filter  https://review.openstack.org/10202323:13
jamielennoxwe (can't remember all involved) discussed this at summit that maybe we can do a decorator to ensure that somewhere within the function that policy was called, but not to do the resource call there23:14
morganfainbergexcept the caching layer is done at the manager level23:17
morganfainbergnot at the controller level23:17
morganfainbergand the policy enforcement is only at the controller level23:17
openstackgerritBob Thyne proposed a change to openstack/keystone-specs: Propose Specification for Endpoint Group Filter  https://review.openstack.org/10202323:18
jamielennoxright, but the controller level is doing a lookup to enforce policy, and then goes into the function which will generally perform the same lookup23:20
hrybackijamielennox: I made the actual session object private in https://review.openstack.org/#/c/105031/ and made you the change author  -- fyi!23:20
hrybackieverything else is the same though23:20
jamielennoxhrybacki: oh, cool23:21
hrybackiaside from making changes to match changes in auth_token since you made 7490823:21
jamielennoxhrybacki: actually that's great because we no longer have to worry about trove's stupid gate issues until trove decided to convert to keystonemiddleware23:21
hrybackiglad to be of use23:22
jamielennoxhrybacki: are you still looking at glanceclient - i had a look through it the other day and realized just what a steaming pile i had dropped you in23:23
hrybackinot super actively -- got caught up with other things. Everything is so turbulent around here it's hard to sink my teeth into anything23:23
jamielennoxhrybacki: ok - i wouldn't worry about it too much then, if you want to have a look at another client we'll find something that is at least requests based but if you have stuff you're working on already don't worry about it23:24
hrybackiWell, I'm fresh out of stuff to do so we should think about another client ;)23:24
jamielennoxhrybacki: never say you're bored around here :)23:27
hrybackijamielennox: I said no such thing :P23:27
jamielennoxpeople will find things for you23:27
hrybackiThat's okay when I'm also looking for things :P23:28
hrybackiDid you have another client in mind?23:28
jamielennoxhrybacki: comment on https://review.openstack.org/#/c/105031/23:31
jamielennox(they might have been my mistakes)23:32
hrybackireviewing23:33
jamielennoxumm, let me have a look23:34
jamielennoxi made a start on cinderclient23:34
jamielennoxi know there is a review for neutronclient23:34
jamielennoxi haven't even looked at swift, but swift is a bit of a special case i think23:34
*** dims has quit IRC23:37
*** oomichi has joined #openstack-keystone23:38
hrybackithey are all special, aren't they?23:40
hrybackiposted comments23:40
*** jaosorior has quit IRC23:42
jamielennoxugh, yea swift might be a problem23:44
hrybackijamielennox: safe to assume you won't be at the hackathon?23:45
jamielennoxhrybacki: would love to, but no23:46
hrybackiI suppose you'd probably need to be boarding a flight about now23:47
jamielennoxhrybacki: you can be the designated client whip cracker if you like23:47
hrybackijamielennox: while normally I would say that I would love to, I need to have something to show by the 8th (actual code that is)23:48
jamielennoxthat's ok, i can get ayoung_dad_mode to do it23:49
hrybackiheh, he's already cracking a whip ;)23:50
jamielennoxalways, i'm not sure what his current focus is though23:50
jamielennoxhrybacki: comment on https://review.openstack.org/#/c/105031/23:51
hrybackiwas already on it23:51
jamielennoxhrybacki: new one23:52
jamielennoxessentially this change shouldn't touch anything about caching at all23:52
hrybackiI'll make that local. Should we change its name? It could confuse people as it did me.23:53
*** rodrigods has quit IRC23:53
jamielennoxif you like, but it's nothing to do with this particular review so you should make it another one23:53
jamielennoxmorganfainberg: what's our license to break things with keystonemiddleware23:53
jamielennoxmorganfainberg: or did we do 1.0 already23:54
morganfainbergwe shipped 1.0.023:54
hrybackithey 1.0'd yesterday23:54
*** gabriel-bezerra has quit IRC23:54
*** tellesnobrega has quit IRC23:54
*** raildo has quit IRC23:54
morganfainbergbased on discussions, it made the most sense to make 1.0.0 a no-risk adoption23:54
jamielennoxyea, i see the point in that23:55
*** afaranha has quit IRC23:55
*** dims has joined #openstack-keystone23:57
*** rodrigods has joined #openstack-keystone23:57
*** raildo has joined #openstack-keystone23:58
*** gabriel-bezerra has joined #openstack-keystone23:58
*** tellesnobrega has joined #openstack-keystone23:59
*** afaranha has joined #openstack-keystone23:59
