Tuesday, 2014-10-28

« Monday, 2014-10-27 Index Wednesday, 2014-10-29 »
*** tellesnobrega has quit IRC00:05
*** marcoemorais has joined #openstack-keystone00:06
openstackgerritBrant Knudson proposed a change to openstack/keystone: Move eventlet server options to a config section  https://review.openstack.org/13096200:06
*** marcoemorais has quit IRC00:07
*** marcoemorais has joined #openstack-keystone00:07
*** stevemar has joined #openstack-keystone00:13
*** stevemar is now known as notstevemar00:13
*** cjellick has quit IRC00:15
*** oomichi has joined #openstack-keystone00:17
*** marcoemorais has quit IRC00:18
openstackgerritA change was merged to openstack/keystone-specs: Create a seperate page for old specs  https://review.openstack.org/13037900:29
*** marcoemorais has joined #openstack-keystone00:32
*** amcrn has quit IRC00:33
*** ayoung-dadmode is now known as ayoung00:33
*** marcoemorais has quit IRC00:36
openstackgerritBrant Knudson proposed a change to openstack/keystone: Move eventlet server options to a config section  https://review.openstack.org/13096200:41
*** tellesnobrega has joined #openstack-keystone00:45
*** david-lyle has joined #openstack-keystone00:46
*** drjones has quit IRC00:51
*** david-lyle has quit IRC00:51
*** r1chardj0n3s_afk is now known as r1chardj0n3s00:51
morganfainbergayoung, i think you're right, a backlog for specs would be worth having00:55
morganfainbergayoung, *cough* comment on https://review.openstack.org/#/c/125457/ *cough*00:55
morganfainbergerm00:56
ayoungmorganfainberg, I think you have Ebola00:56
ayoung21 days quarentine00:56
morganfainberghttps://review.openstack.org/#/c/123726/00:56
morganfainbergthat one as is is almost perfect example for backlog00:56
ayoungmorganfainberg, we've got a live demo to do next week, and we've yet to get all the pieces together.  Little bit in crunch mode at the moment00:57
ayoungAh...yep00:57
morganfainbergayoung, notice i'm not saying "go do it" was just poiting out that i agree with you :)00:57
ayoungmorganfainberg, are you going to implement "backlog" as a part of the specs?00:57
ayoungexcellent00:57
morganfainbergayoung, i'm thinking we make "lost and found" a "backlog"00:57
ayoungI think I have an implementer for that one actually00:57
ayoungdeal00:57
ayoungmorganfainberg, but...00:58
ayoungbacklog should be just for Good ideas to start....00:58
ayounglost and found can be more than just a backlog...but good idea to merge them00:58
morganfainbergwell we have "nothing" to put in the lost and found00:58
morganfainbergsince we have nothng to go in there the same concept could be used for a backlog today00:58
morganfainberglost and found can happen if we ever need it00:59
* morganfainberg continues to review specs.00:59
ayoungmorganfainberg, how about a tag "Available for interested parties to implement" on a spec to indicate "go do it" versus "I'm still planning on doing this once it is implemented"00:59
morganfainbergayoung, if a spec isn't proposed to the backlog (or moved there cause we decide the original implementor isn't interested) it's open to anyonme01:00
morganfainbergif it's targeted at a release [current] or being pulled forward by someone it has implementor01:00
morganfainbergbut adding "hey this is a good idea but I want to do damn it, but not today... and i'm not sure when" doesn't help anyone01:00
ayoungwel...not completely agreeing.  At the start, it should be proposed to backlog01:00
ayoungyes it does:  I have had a bunch of people ask me "how do I get involved" and the answer should be "pick something off the backlog"01:01
morganfainbergno, the "this is MY thing" doesn't help01:01
morganfainbergthe backlog absolutely helps01:01
openstackgerritAnne Gentle proposed a change to openstack/keystone-specs: Adds v2.0 files for api spec  https://review.openstack.org/13131501:02
morganfainbergbut the way i see it, backlog is "good ideas that either we don't have time for or we don't have bandwidth for"01:02
morganfainbergand should be available for people to pickup01:02
morganfainbergif that makes sense.01:02
morganfainbergi think i'm *really* agreeing with the oncept of a backlog as long as it doesn't have the "we put something in the backlog and say no one can touch it but XXX person"01:03
*** ChanServ sets mode: -o morganfainberg01:03
openstackgerritwanghong proposed a change to openstack/keystone: remove implemented TODO in catalog/backends/sql.py  https://review.openstack.org/12983001:05
*** gabriel-bezerra has joined #openstack-keystone01:07
openstackgerritwanghong proposed a change to openstack/keystonemiddleware: fallback to online validation if offline validation fails  https://review.openstack.org/13103601:09
ayoungmorganfainberg, deal01:15
ayoungmorganfainberg, the only thing is there should be a clear sense of whether someone is working on it or not01:15
morganfainbergi'd say if somenoe is working on it it should be targeted or have a review up to target it01:15
ayoungputting it in the backlog first off means "here is the idea, is this good or bad"01:15
morganfainbergit can be a dependent change proposed at the same time01:16
ayoungbut it needs to be approved first01:16
ayoungbefore we assign...01:16
ayoungthe work flow should be light:01:16
morganfainbergso change 1: on backlog, change 2: move from backlog01:16
morganfainbergit shows someone is actively working on it.01:16
ayoungI propose for backlog.  It gets approved.  I propose moving to "kilo"01:16
morganfainbergif its an "idea" you want anyone to pickup, just omit the second change :)01:17
ayoungbut if someone just looks at the git repo (not gerrit) they won't see the proposal01:17
openstackgerritAnne Gentle proposed a change to openstack/keystone-specs: Adds v2.0 files for api spec  https://review.openstack.org/13131501:17
ayoungOTOH you need to look at the git repo to see what is available01:17
morganfainbergah but we, the reviewers will. and they'd need to look at the review list *anyway*01:17
morganfainbergsince you're proposing moving it from the backlog01:17
ayoungOK...so if you ant to pick up a spec, submit the "move to release"  request01:18
ayoungand...what about abandonware?01:18
morganfainbergwe can (cores) shuffle things back to lost+found or backlog01:18
morganfainbergat each cycle.01:18
morganfainbergif no one is pulling it forward, it gets shuffled.01:18
ayoungOK...this sounds about right01:18
ayoungwe'll have a pinch or two as we adjuste the straps, but I think we can carry this load01:19
morganfainberglikely backlog replaces lost+found completly01:19
morganfainbergyeah it's def not bad. the streamlinging of the specs is helping01:19
morganfainbergand remember truely trivial bps wont need a spec01:19
morganfainberge.g. "i want to fix docs everywhere"01:19
ayoungLets get them into the backlog at least to float the idea01:19
morganfainbergprobably doesn't need a spec.01:19
ayoungsure01:20
morganfainbergthat is the concept of "trivial bp"01:20
ayoungOK, I'm with you.  I like this01:20
morganfainbergor another trivial bp: the i18n hints01:20
morganfainbergno need to spec it, but it's a bp01:20
openstackgerritBrant Knudson proposed a change to openstack/keystone: Configuring Keystone edits  https://review.openstack.org/13131801:21
ayoungwant me to repurpose the lost-and-found request for this?01:21
morganfainbergif it has any rest changes, no matter how trivial, it's a spec.01:21
morganfainbergyeah01:21
morganfainbergif you have time, if not i'll do it this week01:21
morganfainbergi have some backlog work to do myself - e.g. documenting the whole spec process for people01:21
morganfainbergwhat we consider trivial, etc01:21
*** topol has joined #openstack-keystone01:22
morganfainbergit's part of what *i'm* commiting to as PTL os we can get specs, bugs, and BPs really managable01:22
morganfainbergit's why i've been on such a tear to get things in order01:22
*** jdennis has joined #openstack-keystone01:22
morganfainbergayoung, btw, the DAG for roles, yes please.01:23
morganfainbergesp. depending on where policy discussions go01:23
openstackgerritayoung proposed a change to openstack/keystone-specs: Backlog   https://review.openstack.org/12664701:24
ayoungmorganfainberg, ^^ I just changed the commit message01:24
morganfainbergayoung, ++.01:24
ayoungneed to change the dir name01:24
morganfainbergright.01:24
ayoungetc etc01:24
openstackgerritAnne Gentle proposed a change to openstack/keystone-specs: Adds v2.0 files for api spec  https://review.openstack.org/13131501:24
ayoungmorganfainberg, I think we're going to need someone to implement the nova spec "fetch policy by endpoint id" to prime the pump on policy01:25
morganfainbergand we need some *thing* to make it work (looking for the magic invocation in sphinx to say "look if it's empty... ignore it sheesh"01:25
ayoungI'll put in a backlog spec....01:25
morganfainbergayoung, i think we will know a lot more about that post summit sessions01:25
ayoungmorganfainberg, my take is we should do 90% of the work in Keystoneclient, and then make the call from Nova where they currently do their policy enforcement01:26
morganfainbergayoung, sure.01:26
openstackgerritRodrigo Duarte proposed a change to openstack/keystone: Doc about deleting a domain specific backend domain  https://review.openstack.org/13131901:26
ayoungActually, we could do that inside Keystone itself, if we could short circuit the actual fetch01:26
openstackgerritBrant Knudson proposed a change to openstack/keystone: Configuring Keystone edits  https://review.openstack.org/13131801:27
morganfainbergayoung, *cough* summit session on policy *cough*01:27
ayoungDeal01:27
morganfainbergspecifically to figure out the next steps here01:27
openstackgerritBrant Knudson proposed a change to openstack/keystone: Configuring Keystone edits  https://review.openstack.org/13131801:29
*** chrisshattuck has joined #openstack-keystone01:30
morganfainbergbknudson, going to move eventlet options under their own section?01:30
morganfainbergbknudson, or does that come after this configuration type change01:30
morganfainbergerm01:30
morganfainbergdoc change01:30
bknudsonmorganfainberg: https://review.openstack.org/#/c/130962/01:30
morganfainbergaha01:31
bknudsonthey're separate.01:31
morganfainbergnice01:31
morganfainbergyay.01:31
*** david-lyle has joined #openstack-keystone01:31
morganfainbergmakes far too much sense to have eventlet options in a separate config group01:31
bknudsonwhen I was updating the config docs for the eventlet options change I noticed there were other issues in the config doc.01:31
morganfainbergbknudson, ah01:31
bknudsony, it's a little weird with the ssl options, so make sure you agree with how that was done.01:32
morganfainbergyeah i'm going to take a hard look at it01:32
bknudsonand, it's a little weird with the service catalog substitution too.01:32
morganfainbergi think i need a break from ripping spec proposals apart01:32
bknudsonbut those things were weird to begin with.01:32
morganfainbergthe sc subst stuff will always be wierd01:32
* morganfainberg wonders if we can make keystone-all an entrypoint01:33
morganfainberglike how nova works01:33
morganfainberginstead of having to maintain bin/<stuff>01:33
morganfainbergdoesn't mean we wouldn't have the code elsewhere, just it would be pbr magic01:34
*** david-lyle has quit IRC01:36
bknudsonmorganfainberg: https://review.openstack.org/#/c/62275/ was my attempt at putting the code elsewhere.01:37
morganfainbergbknudson, at that point we could make it an entrypoint01:38
morganfainbergi do remember that change.01:38
bknudsonI haven't looked at how nova does it.01:38
bknudsonhttp://git.openstack.org/cgit/openstack/nova/tree/setup.cfg#n3501:39
morganfainbergyepo01:39
morganfainbergthats what i was thinking we should aim for01:39
bknudsonmight as well be consistent01:39
morganfainbergit mostly just moves your reduced stuff to soemthing like keystoen.cli01:39
morganfainbergbut i like not needing a /bin directory in-tree01:39
bknudsonhow does nova calculate possible_topdir??01:40
openstackgerritAnne Gentle proposed a change to openstack/keystone-specs: Adds v2.0 files for api spec  https://review.openstack.org/13131501:40
morganfainbergbknudson, that is the question i am not sure of01:40
morganfainbergit's why i didn't get anywhere with that change.01:41
bknudsonif nova doesn't need to figure out a possible_topdir I don't know why we have to.01:41
morganfainbergi admit i haven't spent much time noodling on it01:41
bknudsonis it for development?01:42
morganfainbergor for tests01:42
bknudsonmaybe git blame can help01:42
morganfainbergi actually think it's mostly for test purposes.01:43
morganfainbergor for laaaaazy magic ux purposes01:43
bknudsontests work fine for me01:43
bknudsonI'll propose a change to get rid of it and see who complains01:43
bknudsonhttps://github.com/openstack/keystone/commit/34e9a9771eb68ff9d98ae1b43a562eabc26849b6 -- something with config file01:44
bknudsonfiles01:44
morganfainberglol01:47
morganfainbergworks for me01:47
bknudsonI guess it's just something relative to the keystone-all file, so it could just as well be relative to keystone.cmd.all01:49
morganfainbergbknudson, ++01:49
morganfainbergless out-of-project files we need to maintain the better imo.01:50
*** chrisshattuck has quit IRC01:57
bknudsonso how do I get a keystone-all now?01:58
morganfainbergyou put the relevant code into like keystone.cli (look at how nova does that) and set a console entry point01:58
morganfainbergit will get built from code and reference the target method(s)01:58
morganfainberghttp://git.openstack.org/cgit/openstack/nova/tree/setup.cfg#n3501:59
morganfainberghttp://git.openstack.org/cgit/openstack/nova/tree/nova/cmd/all.py01:59
bknudsonmorganfainberg: right, that was easy enough... now what do I do to call it?01:59
morganfainberglargely it's moving the code into the project01:59
morganfainbergi'd call it keystone-all01:59
morganfainberg:)02:00
bknudsonhow do I execute keystone-all?02:00
morganfainbergoh you install the project and then it should be in the path02:00
bknudsonthere's no keystone-all now... do I run some pbr command?02:00
morganfainbergpbr make the "console" scripts on install02:00
*** jacer_huawei has quit IRC02:00
morganfainbergand in the case of the VENV the console scripts will be in the VENV02:01
morganfainbergVENV/bin/<script-name>02:01
bknudsonpython setup.py build_scripts -- didn't do it02:02
bknudson.tox/py27/bin/python setup.py install -- now I've got a keystone-all02:04
morganfainbergyeah02:04
morganfainbergbuild_scripts isn't magic pbr hooks into02:04
morganfainberginstall is02:04
bknudsonit started... this seems to work.02:05
openstackgerritBrant Knudson proposed a change to openstack/keystone: Refactor keystone-all and http/keystone  https://review.openstack.org/6227502:06
bknudsonkind of sloppy for now, but seems to work02:06
morganfainbergbknudson, i think we'll want to the same for keystone-manage, but that can be separate02:08
openstackgerritBrant Knudson proposed a change to openstack/keystone: Refactor keystone-all and http/keystone  https://review.openstack.org/6227502:10
openstackgerritBrant Knudson proposed a change to openstack/keystone: Refactor keystone-all and http/keystone  https://review.openstack.org/6227502:11
*** jacer_huawei has joined #openstack-keystone02:12
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Remove token persistence proxy  https://review.openstack.org/12480902:13
bknudsonalright, I think I got everything cleaned up in 6227502:13
morganfainbergcool02:16
*** sigmavirus24 is now known as sigmavirus24_awa02:20
*** notstevemar has quit IRC02:24
*** lhcheng_ has quit IRC02:33
*** lhcheng has joined #openstack-keystone02:34
*** tellesnobrega has quit IRC02:34
*** david-lyle has joined #openstack-keystone02:36
ayoungjamielennox, morganfainberg can we get a +2A on https://review.openstack.org/#/c/123614/1402:37
ayoungI can't submit the Django review until we have a working client plugin02:38
*** alex_xu has joined #openstack-keystone02:39
*** tellesnobrega has joined #openstack-keystone02:40
*** david-lyle has quit IRC02:41
*** lhcheng has quit IRC02:44
*** dims_ has quit IRC02:44
*** tellesnobrega has quit IRC02:45
ayoungr1chardj0n3s, I'm going to head to bed soon.  Let me know if you have a moment02:46
*** dims__ has joined #openstack-keystone02:47
*** dims__ has quit IRC02:49
*** k-kosaka has joined #openstack-keystone02:51
*** gordc has joined #openstack-keystone02:52
openstackgerritKenjiro Kosaka proposed a change to openstack/keystone: Sample Identity endpoints changed to unversioned  https://review.openstack.org/13066902:52
*** tellesnobrega has joined #openstack-keystone02:54
*** alex_xu has quit IRC03:01
*** jacer_huawei has quit IRC03:04
*** tellesnobrega_ has joined #openstack-keystone03:05
*** tellesnobrega has quit IRC03:06
*** jacer_huawei has joined #openstack-keystone03:08
*** alex_xu has joined #openstack-keystone03:13
r1chardj0n3sayoung: hi03:15
ayoungr1chardj0n3s, hey03:15
ayoungr1chardj0n3s, did you try what I posted earlier?03:15
ayoungkinit rjones@YOUNGLOGIC.NET03:15
r1chardj0n3sayoung: I've been scratching my head at the kerberos stuff. a lot to absorb there. the thing you suggested is no go - the tools and environment aren't on my Mac or my cloud ubuntu instance03:16
ayoungr1chardj0n3s, ah...ok,  so you need the kerberos workstation package03:16
r1chardj0n3sayoung: but I've been trying read the various docs before jumping in03:16
ayoungr1chardj0n3s, I'm happy to help03:16
ayoungits not quite as bad as you might think.03:17
ayounghttps://fermilinux.fnal.gov/documentation/security/kerberos-newer-linux/03:17
r1chardj0n3sI need it to be on my Mac I think, which is where angboard is03:17
ayoungapt-get install krb5-user03:17
ayoungr1chardj0n3s, I know that other mac users have gotten it to work, but I know naught from mac03:17
ayoungmorganfainberg, you have kerberos on your mac, right?03:18
morganfainbergayoung, i do, but i'm actually at the point where my whole machine went sideways03:19
* morganfainberg sighs03:19
morganfainbergit's going to be re-install03:19
ayoungmorganfainberg, does this still make sense: http://web.mit.edu/macdev/KfM/Common/Documentation/osx-kerberos-extras.html03:19
r1chardj0n3sayoung: I kinda got lost/overwhelmed trying to grok that article "Setting Up S4U2Proxy With FreeIPA"03:19
ayoungseems like it is old and out of date03:19
ayoungr1chardj0n3s, heh,03:19
morganfainbergayoung, that is pretty out dated03:19
r1chardj0n3sayoung: there's a heck of a lot of domain knowledge embedded in that sucker ;)03:19
ayounglets start with just getting the client03:19
morganfainbergayoung, i don't think it makes a lot of sense03:19
morganfainbergi *think* most of the stuff comes default in 10.1003:20
*** gordc_ has joined #openstack-keystone03:20
ayoungr1chardj0n3s, do you have krb5.conf file in whatever passes for /etc on Mac?03:20
r1chardj0n3sayoung: nup03:20
ayoungr1chardj0n3s, morganfainberg isn't there some 3rd party library repo for macs03:21
morganfainbergayoung, brew03:21
ayounghttp://clc.its.psu.edu/UnivServices/itadmins/mac/kerbldaplogins  says something about clc03:22
ayoungah, yeah ,brew03:22
r1chardj0n3sayoung: yes, homebrew and I'm searching for something there ;)03:22
morganfainbergbut krb5 i *think* is a base install in yosemite (what I have)03:22
openstackgerritMatthew Edmonds proposed a change to openstack/keystone: Adds IPv6 url validation support  https://review.openstack.org/13132603:23
*** gordc has quit IRC03:23
ayoung"Mac OS X comes with kerberos already installed."03:23
r1chardj0n3smorganfainberg: yeah, but I'm afeared of upgrading to yosemite just before Paris :)03:23
ayoungr1chardj0n3s, from a command line run kinit03:23
ayoungactually, you should be able to run kinit rjones@YOUNGLOGIC.NET03:24
r1chardj0n3sayoung: *cough* well, that's embarrasing, I must have typo'ed that before :/03:24
ayoungthere is that cough again.  Suspect you caught it from morganfainberg .  Pretty sure he has the Eeebola.  21 day quarentine for both of you03:24
r1chardj0n3sok kinit run03:25
ayounghttp://computing.help.inf.ed.ac.uk/kerberos-mac-os-x  looks like a decent tutorial03:25
openstackgerritA change was merged to openstack/keystonemiddleware: Use correct name of oslo debugger script  https://review.openstack.org/13004603:25
ayoungr1chardj0n3s, klist  should show you your tickets03:25
r1chardj0n3syup03:25
ayoungr1chardj0n3s, cool...ok,  so I'm not certain how well this next part is going to work.03:25
ayoungBut03:26
r1chardj0n3s:)03:26
ayoungr1chardj0n3s, you have firefox installed?03:26
r1chardj0n3sI do03:26
ayoungmorganfainberg, were you able to get all this working using firefox on Mac?03:26
ayoungr1chardj0n3s, got back to ipa.younglogic.com, but don't log in, or, if you are logged in, log out03:26
ayoungyou should have the login dialog infront of you03:26
r1chardj0n3syup (I don't use FF generally, so it wasn't logged in)03:27
ayoungWe're gonna see if your browser can use Kerberos to authenticate you to the ipa server.  It should be able to...03:27
*** harlowja is now known as harlowja_away03:27
ayoungOK,  so there is a small link that says something like "click here to configure"03:27
r1chardj0n3sok, it's punted me to an unauthorized page, tellting me how to configure FF03:28
ayoungyeah, go through that process.03:28
ayoungWe streamlined it as much as possble, but there are a few things that need to be done for an ipa server to set up a little more than your average web app03:29
ayounghowever, once you have it, it means that the stuff we need for angboard will work, too03:29
ayoungr1chardj0n3s, BTW, I just completed a packstack install on another machine up on younglogic.net.  I'll try to get angboard up and running there tomorrow03:30
r1chardj0n3sok, I'm not sure what it just did, but my FF is now configured and accessing my account on ipa03:30
*** harlowja_away is now known as harlowja03:30
r1chardj0n3s(well, I did a certificate thing, installed some extension in FF, configured that with I guess my krb token)03:31
r1chardj0n3sok, so the extension was for negotiate support, roger03:32
r1chardj0n3shm, all a bit black box. I'm gonna have to go back to figuring out how to make that work from JS03:32
r1chardj0n3sthough I assume that's going to still need some browser extension given that the krb tokens are in the OS03:33
r1chardj0n3salso, I had to do the krb login from the command line which is suboptimal from a web perspective ;)03:33
r1chardj0n3sok, Lynn Root, you legend http://www.roguelynn.com/words/explain-like-im-5-kerberos/03:34
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements  https://review.openstack.org/13089703:34
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/13132903:34
ayoungyeah,  there are other ways of managing the kerberos login, but command line is lowest common denominator03:34
* ayoung still sad Lynn no longer works for RH03:34
ayoungshe's been seduced by the dark side of the web:  Spotify!03:35
r1chardj0n3swow, ok, I found a *thesis* for adapting kerberos for browser-based environment03:35
ayoungwe really just need a browser plugin,  surprised no one has written one03:35
r1chardj0n3swell, no, redhat *has* written one :)03:36
ayoungr1chardj0n3s, OK,  I have a kerberized Keystone server, and the ability to hit it from javascript03:36
ayounglet me give you user a role...03:36
ayoungOK,  hit https://keystone.younglogic.net/keystone/cops/old.html#  and lets see what happen03:37
ayoungthis is pure javascript in front of Keystone03:37
ayoungDomain name is YOUNGLOGIC.NET03:37
ayoungyou can try using userid and poassword first, and then we'll try kerberos03:38
*** miqui has quit IRC03:38
ayoungr1chardj0n3s, I need to know the userid generated for your user. Its the big long sha25603:39
openstackgerritOpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/13112203:39
r1chardj0n3s42524c7ca1a996863625b413e73392ae95be9b4f90b89603a7fdf87523929ae103:39
r1chardj0n3s:)03:39
ayoungand it only gets generated the first time you login03:39
r1chardj0n3sChrome has kerberos built in, but disabled by default "for security reasons"03:40
ayoungum. yeah03:40
r1chardj0n3syou need to whitelist servers to enable it03:40
ayoungI know.  I think I worked through that 4 years ago?03:40
ayoung3+ anyway03:40
*** marcoemorais has joined #openstack-keystone03:40
ayoungOK.  So on that keystone UI page, try listing projects03:41
ayoungyou should now have a Member role on the demo project, and should be able to get a token for that03:41
ayoungI did a slightly nicer Proof of concept here https://keystone.younglogic.net/keystone/cops/03:41
ayoungbut it doesn't do the role thing03:41
ayoungin both cases, the general thing is "get an unscoped token, list projects, select a project, get a scoped token"03:42
openstackgerritwanghong proposed a change to openstack/keystone: remove implemented TODO in catalog/backends/sql.py  https://review.openstack.org/12983003:42
r1chardj0n3sok, I've clicked around somewhat randomly, and now I have something under Roles :)03:43
r1chardj0n3sand now I have "trusts"03:43
r1chardj0n3sbrb, putting the damned heater on03:44
*** richm has quit IRC03:44
r1chardj0n3sayoung: I suspect that supporting this might require some small amount of support in the proxy03:45
ayoungr1chardj0n3s, OK, so I'll get the proxy up and running tomorrow (close to midnight here) and see if I can make it work.  I suspect I know what it will take03:46
*** tellesnobrega_ has quit IRC03:47
r1chardj0n3sayoung: yes, go to sleep :) angboard should just work, but if you run into issues I'll be up and about at 7AM local time (UTC+11)03:47
*** marcoemorais has quit IRC03:48
ayoungthanks.  You are in the same timezone as jamielennox03:48
r1chardj0n3sI don't think I know jamie, but I do know some other red hatters (not openstackers)03:48
ayoungr1chardj0n3s, he's up the coast in Brisbane03:49
r1chardj0n3sayoung: yup, that's the RH office - they don't do remote workers in AU AFAIK03:49
*** dims__ has joined #openstack-keystone03:50
*** tellesnobrega has joined #openstack-keystone03:52
*** dims__ has quit IRC03:55
ayoungnpm install....Oh Em Gee03:56
ayoungI think I saw an ASN1 library in there03:56
ayoungr1chardj0n3s, so angboard is hanging on me04:02
r1chardj0n3sayoung: oh, you're still up!04:02
ayoungI suspect it is the "open the browser" aspect04:02
ayoungr1chardj0n3s, my wife is yelling down at me "It's midnight"04:02
r1chardj0n3sayoung: it might be - just try hitting 0.0.0.0:900004:02
r1chardj0n3sayoung: or go to bed04:02
r1chardj0n3sayoung: :)04:02
r1chardj0n3sayoung: there is a known issue with grunt at startup getting the flask app and proxy stuff synchronised; thanks for the prod, I'll look into it right now04:03
ayoungr1chardj0n3s, it works when I do a local 0.0.0.0:9000 ,but not across the web.  Suspect it is a floating IP issue04:03
ayoungand...with that I'm off to bed04:04
r1chardj0n3sayoung: ok, catch you tomorrow!04:04
*** ayoung has quit IRC04:04
*** david-lyle has joined #openstack-keystone04:06
*** gyee has joined #openstack-keystone04:11
*** ajayaa has joined #openstack-keystone04:14
*** tellesnobrega has quit IRC04:15
*** gordc_ has quit IRC04:18
*** chrisshattuck has joined #openstack-keystone04:28
*** vsilva is now known as victsou04:28
*** tellesnobrega has joined #openstack-keystone04:34
*** victsou is now known as vsilva04:35
*** links has joined #openstack-keystone04:39
*** stevemar has joined #openstack-keystone04:44
*** lhcheng has joined #openstack-keystone05:09
*** lhcheng_ has joined #openstack-keystone05:11
*** lhcheng has quit IRC05:14
*** gyee has quit IRC05:19
*** fifieldt__ has quit IRC05:20
*** ncoghlan has joined #openstack-keystone05:22
*** topol has quit IRC05:33
*** stevemar has quit IRC05:37
*** harlowja is now known as harlowja_away05:37
*** chrisshattuck has quit IRC05:43
*** topol_ has joined #openstack-keystone05:49
*** topol_ is now known as topol05:49
openstackgerritDave Chen proposed a change to openstack/keystone: minor fix on the dubug information and python annotation  https://review.openstack.org/13134405:52
*** r1chardj0n3s is now known as r1chardj0n3s_afk05:58
*** topol has quit IRC06:02
*** alex_xu has quit IRC06:05
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/13092906:06
*** afazekas_drunk is now known as afazekas06:08
*** ajayaa has quit IRC06:12
*** alex_xu has joined #openstack-keystone06:19
*** david-lyle has quit IRC06:20
*** ajayaa has joined #openstack-keystone06:24
*** alex_xu has quit IRC06:32
*** tellesnobrega has quit IRC06:44
*** alex_xu has joined #openstack-keystone06:44
*** dims__ has joined #openstack-keystone06:44
*** dims__ has quit IRC06:49
*** david-lyle has joined #openstack-keystone06:50
*** david-lyle has quit IRC06:54
*** ajayaa has quit IRC06:57
*** k4n0 has joined #openstack-keystone06:57
*** alex_xu has quit IRC07:02
*** fifieldt has joined #openstack-keystone07:06
*** ukalifon1 has joined #openstack-keystone07:15
*** lhcheng_ has quit IRC07:17
*** oomichi has quit IRC07:19
*** ajayaa has joined #openstack-keystone07:21
*** david-lyle has joined #openstack-keystone07:21
*** david-lyle has quit IRC07:25
*** jacer_huawei has quit IRC07:31
*** nellysmitt has joined #openstack-keystone07:33
*** alex_xu has joined #openstack-keystone07:39
*** jacer_huawei has joined #openstack-keystone07:48
*** links has quit IRC07:48
*** jaosorior has joined #openstack-keystone07:50
*** ncoghlan has quit IRC07:54
*** jacer_huawei has quit IRC08:12
*** alex_xu has quit IRC08:14
openstackgerritA change was merged to openstack/keystone: Use correct name of oslo debugger script  https://review.openstack.org/13004508:18
*** nellysmitt has quit IRC08:19
*** david-lyle has joined #openstack-keystone08:21
*** nellysmitt has joined #openstack-keystone08:24
*** jacer_huawei has joined #openstack-keystone08:25
*** david-lyle has quit IRC08:26
*** amakarov_away is now known as amakarov08:35
*** links has joined #openstack-keystone09:01
*** links has quit IRC09:17
*** tomoiaga has joined #openstack-keystone09:17
*** k-kosaka has quit IRC09:19
*** david-lyle has joined #openstack-keystone09:22
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Use connection retrying from keystoneclient  https://review.openstack.org/12986809:24
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Add versions to requests  https://review.openstack.org/13053109:24
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Use an adapter in IdentityServer  https://review.openstack.org/13053009:25
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Allow loading other auth methods in auth_token  https://review.openstack.org/12955209:25
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Use Discovery fixtures for auth token tests  https://review.openstack.org/13024709:25
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Convert authentication into a plugin  https://review.openstack.org/11585709:25
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Split identity server into v2 and v3  https://review.openstack.org/13053409:25
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Additional discovery changes  https://review.openstack.org/13053309:25
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Use real discovery object in auth_token middleware.  https://review.openstack.org/13053209:25
*** david-lyle has quit IRC09:26
*** jamielennox_ has joined #openstack-keystone09:28
*** bjornar has joined #openstack-keystone09:29
bjornarWhat services does not speak keystone v3 api?09:30
bjornar..in juno..09:30
*** andreaf has joined #openstack-keystone09:36
*** andreaf_ has joined #openstack-keystone09:39
jamielennox_bjornar: it depends how you look at it, auth_token middleware is generally the only thing that talks to keystone (other than heat) - auth_token will use v3 for validation but it can only authenticate itself with v2 (for now)09:39
bjornar..I just want to get rid of the admin endpoint...09:43
openstackgerritRodrigo Duarte proposed a change to openstack/keystone: Doc about deleting a domain specific backend domain  https://review.openstack.org/13131909:50
*** jamielennox_ has quit IRC09:53
openstackgerritRodrigo Duarte proposed a change to openstack/keystone: Doc about deleting a domain specific backend domain  https://review.openstack.org/13131909:53
jamielennoxbjornar: unfortunately not yet, auth_token still defaults to using that10:05
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Update requests-mock syntax  https://review.openstack.org/13138010:05
*** tellesnobrega has joined #openstack-keystone10:16
*** f13o_f13o has joined #openstack-keystone10:18
*** f13o_f13o has quit IRC10:18
*** dims__ has joined #openstack-keystone10:19
*** nellysmitt has quit IRC10:20
*** david-lyle has joined #openstack-keystone10:23
*** dims__ has quit IRC10:23
*** tellesnobrega has quit IRC10:24
*** david-lyle has quit IRC10:28
*** tellesnobrega has joined #openstack-keystone10:36
*** tellesnobrega has quit IRC10:43
*** dims__ has joined #openstack-keystone10:43
*** gabriel-bezerra has quit IRC10:44
*** tellesnobrega has joined #openstack-keystone10:47
*** tellesnobrega has quit IRC10:51
*** tellesnobrega has joined #openstack-keystone10:55
*** andreaf has quit IRC10:55
*** andreaf_ is now known as andreaf10:55
*** tellesnobrega has quit IRC10:59
*** nellysmitt has joined #openstack-keystone11:01
bjornarjamiec, did you get anything done with the performance of token generation and the numerous sql queries? Dont see anything in the short juno changelog..11:19
bjornarjamielennox, that was for you, sorry.11:19
jamiecnp :)11:19
*** gabriel-bezerra has joined #openstack-keystone11:23
*** david-lyle has joined #openstack-keystone11:24
*** nellysmitt has quit IRC11:25
*** david-lyle has quit IRC11:28
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements  https://review.openstack.org/13089711:47
*** nellysmitt has joined #openstack-keystone11:48
jamielennoxbjornar: i'm not aware of anything targetting that specifically11:53
jamielennoxbut i've been a bit removed from that sort of thing11:53
bjornarok ic.. who is into this?11:57
*** thiagop has joined #openstack-keystone11:58
*** htruta has joined #openstack-keystone11:58
*** samuelms has joined #openstack-keystone11:59
*** afaranha has joined #openstack-keystone11:59
*** raildo has joined #openstack-keystone12:02
*** ajayaa has quit IRC12:04
*** gordc has joined #openstack-keystone12:05
*** dims__ has quit IRC12:07
*** dims__ has joined #openstack-keystone12:07
*** ajayaa has joined #openstack-keystone12:17
*** gordc has quit IRC12:20
jamielennoxprobably morganfainberg is best to ask12:24
*** david-lyle has joined #openstack-keystone12:24
*** gordc has joined #openstack-keystone12:26
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: get_endpoint should return the override  https://review.openstack.org/13140812:27
jamielennoxhe was the one looking into things like non-persistent backends so probably did the most in that area in juno12:27
*** ajayaa has quit IRC12:28
*** david-lyle has quit IRC12:29
*** miqui has joined #openstack-keystone12:36
*** k4n0 has quit IRC12:46
*** edmondsw has joined #openstack-keystone12:50
*** gordc has quit IRC12:54
tomoiagaI'm wondering if there is a way as an admin to generate a token on behalf of another user. I'm trying to avoid the need for a user to log in to keystone if he's already logged in someplace else (not LDAP or Kerberos, just a simple Django app).12:58
tomoiagaright now I can scope that token to a project and work that way, but I don't necessarly like that solution12:59
*** saipandi has quit IRC13:02
*** bknudson has quit IRC13:05
*** alex_xu has joined #openstack-keystone13:07
*** nkinder has quit IRC13:14
openstackgerrithenry-nash proposed a change to openstack/keystone-specs: Split up assignments, making role-assignments pluggable.  https://review.openstack.org/12939713:19
*** richm has joined #openstack-keystone13:21
*** nellysmitt has quit IRC13:24
*** bknudson has joined #openstack-keystone13:25
*** david-lyle has joined #openstack-keystone13:25
*** ajayaa has joined #openstack-keystone13:27
*** david-lyle has quit IRC13:29
*** shikui__ has quit IRC13:30
*** thedodd has joined #openstack-keystone13:32
*** ajayaa has quit IRC13:33
*** joesavak has joined #openstack-keystone13:39
openstackgerritBrant Knudson proposed a change to openstack/keystone: Refactor keystone-all and http/keystone  https://review.openstack.org/6227513:43
*** topol has joined #openstack-keystone13:48
*** gordc has joined #openstack-keystone13:48
openstackgerritBrant Knudson proposed a change to openstack/keystone: Entrypoints for commands  https://review.openstack.org/13143513:51
*** sigmavirus24_awa is now known as sigmavirus2413:53
*** ttw has quit IRC13:57
*** dims__ has quit IRC14:04
*** nkinder has joined #openstack-keystone14:05
*** vhoward has left #openstack-keystone14:07
openstackgerritLance Bragstad proposed a change to openstack/keystone-specs: Authenticated Encryption Tokens  https://review.openstack.org/13005014:10
*** vejdmn has joined #openstack-keystone14:15
*** miqui has quit IRC14:25
*** david-lyle has joined #openstack-keystone14:26
*** vejdmn has quit IRC14:27
*** vejdmn1 has joined #openstack-keystone14:27
*** radez_g0n3 is now known as radez14:29
*** david-lyle has quit IRC14:31
*** thedodd has quit IRC14:33
*** miqui has joined #openstack-keystone14:37
*** alex_xu has quit IRC14:41
*** ayoung has joined #openstack-keystone14:42
*** ayoung has quit IRC14:46
*** saipandi has joined #openstack-keystone14:50
*** vejdmn has joined #openstack-keystone14:52
*** vejdmn1 has quit IRC14:53
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Make keystoneclient use an adapter  https://review.openstack.org/9768114:55
*** ayoung has joined #openstack-keystone15:00
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Make tests run against original client and session  https://review.openstack.org/11708915:03
*** david-lyle has joined #openstack-keystone15:05
*** ukalifon1 has quit IRC15:10
*** nellysmitt has joined #openstack-keystone15:12
*** chrisshattuck has joined #openstack-keystone15:13
*** tomoiaga has quit IRC15:17
richmIf using keystone with ldap for the identity backend, what are LDAP groups (ou=groups) used for?15:18
richmkeystone project/tenant == ldap group?15:20
ayoungrichm, Keystone user groups15:21
ayoungrichm, no, identity  is users and groups.  Either can get role assignments15:21
richmhttp://docs.openstack.org/admin-guide-cloud/content/configuring-keystone-for-ldap-backend.html15:21
richmseems to imply that tenants and roles are part of the identity backend15:22
ayoungthey used to be, but we split them out.  Keystone is the "identiyt" api  but I'm referring to the identity backend, separate from assignments backend, so a subset of Keystone15:22
ayoungrichm, but that looks old and outdated15:22
ayoungrichm, each time I think we have the docs straight, I get another link to something with old info15:23
richmso if I have ldap for the identity backend, and sql for the assignment backend, what would cause a lookup in ldap for (member=uid=myuserid,ou=people,dc=example,dc=com) in ou=groups,dc=example,dc=com?15:24
ayoungrichm, the token process goes like this:15:24
ayoung1.  authenticate (ldap query)  2.  get groups for the user (ldap query)  3. resolve role assignements for user and roles. ....etc15:25
*** jorge_munoz has joined #openstack-keystone15:25
ayoungrichm, are you using v2 or v3?15:26
richm# cat /root/keystonerc_admin15:26
ayoungdman cats15:27
richmexport OS_AUTH_URL=http://localhost:5000/v2.0/15:27
ayoungOK,  so v215:27
ayoungif you are using the keystone cli that is also pretty much constrained to v215:27
ayoungso...15:27
ayoungthat hits the token controller (we split auth between v2 and v3, into two packages, which was a mistake, but anyway....)15:28
richmdifferent but related question - let's say I want to set up an ldap server to be used as the read-only identity backend for keystone - what do I put in ou=groups?15:28
ayoungthe token controller starts roughly here  http://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/controllers.py15:28
ayoungrichm, FreeIPA setup?15:28
richmayoung: that too, but I'm assuming plain ldap will probably be simpler15:28
ayoungFreeIPA pretty simple...for that I have...15:29
richmbut are you first installing keystone with sql for identity and assignment, then "moving" the service accounts into ldap/ipa while at the same time changing keystone to use ldap for identity?15:30
*** chrisshattuck has quit IRC15:30
ayoungrichm, nah, don'15:30
ayoungt move nothing15:30
ayoungleave the service users in SQL15:30
ayoungrichm, http://adam.younglogic.com/2014/08/getting-service-users-out-of-ldap/15:30
richmbut that assumes multiple domain support15:30
ayounggroup_tree_dn=cn=groups,cn=accounts,dc=ipa,dc=cloudlab,dc=freeipa,dc=org15:30
ayoungyep15:30
ayoungrichm, but that is where we are going15:31
ayoungask nkinder : we're going V3 eerywhere, and pushing the use of the openstack common client15:31
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Create a framework for federation plugins  https://review.openstack.org/13056415:31
richmyes, but I would also like to try to handle the case where users may not yet be on that version that supports v315:31
ayoungrichm, That is OK.15:32
richmunfortunately puppet has a lot of hardcoded references to v2.015:32
ayoungrichm, with LDAP,  you can make the LDAP domain the default domain.  It just means that the remote endpoints need to use the V3 API to validate tokens etc15:32
ayoungrichm, we'll be untangling that for a while15:33
richmright, which is going to be a big problem with puppet15:33
ayoungbut we need to cut the puppet strings15:33
ayoungscrew Puppet.  lets go with Ansible!15:33
richmpuppet has ":5000/v2.0" and ":35357/v2.0" hard coded everywhere15:33
ayoungrichm, all those need to die anyway15:34
richmbecause, duh, why would you ever want to do something else?15:34
jamielennoxayoung: speaking of which that middleware stack needed rebasing again: starting https://review.openstack.org/#/c/115857/ can you +a again15:34
jamielennoxrichm: bah - die /v2.015:34
ayoungOh, I don't know.  Maybe becasue port 5000 is assigned to another service and 35357 is ins the middle of the ephemeral range?  Perhaps?15:34
jamielennoxrichm: is that an endpoint and service catalog thing or more?15:34
richmjamielennox: in a few cases, more15:35
ayoungjamielennox, its probably endemic across the puppet modules due to cut-and-pastism15:35
jamielennoxdamn - we can't do much about the service catalog for now, but that really should be all15:35
jamielennoxi guess AUTH_URL still mostly relies on it - for now15:35
richmwhich brings me back to my original problem - let's say I want to do this with v2.0 without domains - because puppet - how do I set up my ldap backend ahead of time so that I can just do a brand new keystone installation with a read-only identity backend?15:35
ayoungyou need the service users in LDAP15:36
richmright15:36
ayoungso...assuming you get them in there somehow,  the LDAP config still looks like what I have on my blog15:37
ayoung[ldap]15:37
ayoungurl=ldap://ipa.cloudlab.freeipa.org15:37
ayounguser_tree_dn=cn=users,cn=accounts,dc=ipa,dc=cloudlab,dc=freeipa,dc=org15:37
ayounguser_id_attribute=uid15:37
ayounguser_name_attribute=uid15:37
ayounggroup_tree_dn=cn=groups,cn=accounts,dc=ipa,dc=cloudlab,dc=freeipa,dc=org15:37
ayoungFor AD,  there are more values... nkinder does it thusly:  https://github.com/nkinder/rdo-vm-factory/blob/master/rdo-ad-setup/vm-post-cloud-init.sh15:38
ayounghttps://github.com/nkinder/rdo-vm-factory/blob/master/rdo-ad-setup/vm-post-cloud-init.sh#L5615:38
richmdoes anything need to be in ou=groups?15:38
*** cjellick has joined #openstack-keystone15:38
ayoungopenstack-config --set /etc/keystone/keystone.conf ldap group_tree_dn cn=users,$VM_AD_SUFFIX15:39
ayoungactually I think that is a typo15:39
richmright - yes - he borrowed most of that stuff from my ad vm setup and ipa/ad/keystone demo scripts15:39
*** cjellick has quit IRC15:39
ayoungrichm, is that how AD does groups, or should that be ou=groups,$VM_AD_SUFFIX?15:40
richmcn=users - AD mixes groups in with users15:40
ayoungAh,  OK15:40
nkinderayoung: yeah, they are mixed15:40
ayoungand how does it do group assignmnets?15:40
nkindermember/memberOf15:40
ayoungis it still member_of15:40
ayoungcool15:40
nkinderexcept keystone doesn't use memberOf15:41
nkinderwhich would be more efficient than looking up the groups...15:41
ayoungnkinder, "premature optimization is the root of all evil" --Don Knuth15:42
ayoungOr was it Bjarne Stroustrup?15:43
*** cjellick has joined #openstack-keystone15:43
ayoungKnuth15:43
ayoungnkinder, so I have a running Packstack on horizon.younglogic.net.15:44
ayoungI'm going through the rest of your clolud-init step by step15:44
*** edmondsw has quit IRC15:47
*** andreaf has quit IRC15:48
dstanekayoung: Stroustrup butchered C15:50
ayoungdstanek, no, he documented the butchery15:50
ayoungit was being butched long before he got his hands on it.15:50
ayoungdstanek, but C is a mess anyway15:50
ayounghttps://twitter.com/admiyoung/status/50790017060518297615:51
ayoungrichm, https://bugs.launchpad.net/openstack-manuals/+bug/138676815:52
uvirtbotLaunchpad bug 1386768 in openstack-manuals "LDAP in OpenStack Cloud Administrator Guide  Needs update for multiple backends" [Undecided,New]15:52
ayoungFeel free to take it!15:52
dstanekayoung: i love C! beautiful in it's simplicity - it's the programmers that made it suck15:53
*** _cjones_ has joined #openstack-keystone15:53
ayoungdstanek, no, you love a particular subset of C.15:53
ayoungTry writing a compiler, or even a parser for C, and you will start cursing15:54
ayoungnot just a subset, but the whole language15:54
ayoungits a Code Golem15:54
*** _cjones_ has quit IRC15:54
*** _cjones_ has joined #openstack-keystone15:54
dstanekayoung: yeah, i had to write a C parser for a compiler class - i leave that to the GCC guys because I don't care how the sausage is made15:55
amakarovayoung, http://en.wikipedia.org/wiki/Compilers:_Principles,_Techniques,_and_Tools :)15:55
ayoungamakarov, most of those go out the window with a language that you can't write in BNF15:56
ayoungLike C15:56
amakarovayoung, I like C too )))15:57
amakarovjust kidding :)15:57
ayoungamakarov, I like C.  I like C++. I like Java, and I'm learning to tolerate Python and Javascript.  I've done Assembly, COBOL, FORTRAN and Visual Basic during my professional career as well.  Every programming language sucks.15:58
ayoungBut, as they say in the Army:15:59
ayoungEMBRACE THE SUCK!15:59
*** lhcheng has joined #openstack-keystone15:59
*** miqui has quit IRC15:59
*** miqui_ has joined #openstack-keystone15:59
amakarovayoung, LOL when I served in army they said: good is good, bad is bad but nothing is even worse16:00
ayoungI like that16:00
ayoungMy favorite was "Half Assed, full blast.  Don't know where we're going but we shoulda been there yesterday."16:00
amakarovayoung, I thought only our roads are so bad )16:03
ayoungI was light infantry.  We crossed roads tactically, and stayed in the woods whenever possible.16:03
*** gyee has joined #openstack-keystone16:04
amakarovQuite an experience I'd say.16:05
*** marcoemorais has joined #openstack-keystone16:08
*** BAKfr has quit IRC16:17
*** BAKfr has joined #openstack-keystone16:18
*** edmondsw has joined #openstack-keystone16:20
*** stevemar has joined #openstack-keystone16:21
*** miqui_ has quit IRC16:26
*** marcoemorais has quit IRC16:32
*** marcoemorais has joined #openstack-keystone16:32
*** dims__ has joined #openstack-keystone16:33
*** thedodd has joined #openstack-keystone16:33
amakarovayoung, help me please! I'm editing trust spec and see references with non-existing URL's16:39
amakarovlike this: Relationship:``http://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trusts``16:40
openstackgerritNathan Kinder proposed a change to openstack/python-keystoneclient-kerberos: kerberos client plugin  https://review.openstack.org/12361416:40
amakarovI think I have to change them, but I don't know correct ones16:41
*** marcoemorais has quit IRC16:41
*** harlowja_away is now known as harlowja16:46
*** sigmavirus24 is now known as sigmavirus24_awa16:46
*** chrisshattuck has joined #openstack-keystone16:47
dstanekin the horizon meeting they are talking dress codes for Paris - this makes me realize that I may be in trouble16:48
*** chrisshattuck has joined #openstack-keystone16:49
bknudsondstanek: they love if you wear black.16:49
dstaneki may have to go buy some nicer pants/shirts :-)16:50
jamielennoxall horizon developers must wear a bright yellow beanie at all times16:51
amakarovbknudson, as our horizon guys say they talked about a place to booze where a dress code not so strict )16:51
richmusing the keystone client, given a username or userid, how do I find out which projects/tenants that user "belongs to" (if that is the correct terminology)?16:51
dstanekjamielennox: ++16:52
dstanekjamielennox: can we wear red?16:52
marekdayoung: how can you work most of the time in a language that you barely tolerate? :-)16:56
amakarovmarekd, maybe there is a Zen in Python? ;)16:56
jamielennoxdstanek: might be considered as promoting segregation16:56
amakarovjamielennox, maybe you can help me? Where are http://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trusts moved to?16:58
amakarovI'm thying to document what I've done to trusts and run into invalid links in docs16:59
amakarovs/thying/trying16:59
jamielennoxamakarov: i don't know where they are published to, i always just looked at the sources https://github.com/openstack/identity-api/blob/master/v3/src/markdown/identity-api-v3-os-trust-ext.md17:00
jamielennoxgithub markdown renders them fairly well17:00
*** marcoemorais has joined #openstack-keystone17:01
*** marcoemorais has quit IRC17:01
amakarovjamielennox, thank you17:01
*** marcoemorais has joined #openstack-keystone17:01
jamielennoxayoung: can you kick off https://review.openstack.org/#/c/115857/ again - it had to be rebased, then there are two or three that can be merged after that17:02
*** jaosorior has quit IRC17:03
marekdamakarov: what Zen?17:04
amakarovjamielennox, that's the document I'm about to patch, it itself contains incorrect links17:04
marekdamakarov: ayoung is right - there is no perfect language :(17:04
*** marcoemorais has quit IRC17:05
amakarovmarekd, >>> import this17:05
marekdamakarov: with all Python's flexibility it's sometimes frustrating and just ridiculous, esp. with bigger projects.17:05
jamielennoxamakarov: ok not sure then17:05
marekdamakarov: seen that17:05
*** marcoemorais has joined #openstack-keystone17:05
*** ukalifon has joined #openstack-keystone17:06
amakarovmarekd, IJK :) IMHO language it a tool. There is neither universal tool nor perfect language.17:07
*** marcoemorais has quit IRC17:07
dstanekmarekd: the problem i've encountered in bigger projects is that people still do the stupid tricks they do in smaller projects instead of something more like C++/Java17:07
*** marcoemorais has joined #openstack-keystone17:07
dstanekjust because you can doesn't mean you should17:07
*** marcoemorais has quit IRC17:07
*** marcoemorais has joined #openstack-keystone17:08
*** marcoemorais has quit IRC17:08
*** marcoemorais has joined #openstack-keystone17:09
amakarovmarekd, I like Assembly but I'd never use it for markup )17:09
openstackgerrithenry-nash proposed a change to openstack/keystone: Split up assignments and make the assignments piece pluggable  https://review.openstack.org/13095417:10
marekddstanek: i think it;s because those languages simply enforce people to do that.17:13
marekddstanek: + i find really inconvenient that e.g. in OpenStack we all endup documenting parameters types...but in docstrings. And it's really up to you or other reviewers if you catch my error if I wrongly document a method or not.17:14
dstanekexactly. left to their own devices programmers will typically use a sledgehammer when they could have used a screwdriver :-)17:15
dstanekexcept for type that's the same in most other languages17:15
*** marcoemorais has quit IRC17:15
marekdi really wish one day there was a cPython version where you can enforce types.17:16
marekdthis is string, and that's int17:17
marekdand dear Python, please take care of that.17:17
dstanekmarekd: http://www.infoq.com/news/2014/08/python-type-annotation-proposal17:18
marekddstanek: i have seen that.17:19
marekd:-)17:19
ayoungmarekd, Type safety is the thing I miss the most17:19
marekddstanek: and you, what are your preffered languages apart from Python?17:19
marekdanybody tried Go already?17:19
*** marcoemorais has joined #openstack-keystone17:20
dstaneki like C and GO - erlang to some extent17:20
ayoungjamielennox, https://review.openstack.org/#/c/115857/8..9/keystonemiddleware/auth_token.py,cm  did we lost IPv6 specific code?   Intentionally?17:21
*** ukalifon has quit IRC17:21
morganfainbergdstanek: we should write keystone in earlang17:22
dstanekmorganfainberg: not i :-)  bigger apps in erlang make my head spin17:22
dstanekmorganfainberg: functional is cool, but i can't really think that way yet17:23
morganfainbergmarekd: I was working on go a few weeks ago digging into why a lib only worked for rax cloud17:23
morganfainbergTurns out, no "real" region support.17:23
dstanekmorganfainberg: i thought that maybe it was just too awesome17:23
morganfainbergdstanek: I had to work on ejabberd. It did make my head spin.17:24
morganfainbergWonder if we could replace rabbitmq with ejabberd.17:24
*** vejdmn has quit IRC17:25
dstanekyes, but you might have to build in a little extra queue specific logic17:25
*** vejdmn has joined #openstack-keystone17:25
dstaneki've used ejabberd as a queue in a prior life17:25
morganfainbergit might be more stable >.>17:25
* morganfainberg kinda wants to look into it :P17:26
morganfainbergsee how hard it would be to write an oslo.messaging driver that would do what is needed17:26
morganfainbergejabberd clustering is pretty spot on.17:26
dstanekthe python libraries for it sucked when i last used it17:26
morganfainbergfair enough17:28
*** stevemar is now known as notstevemar17:29
notstevemardstanek, morganfainberg review request :) https://review.openstack.org/#/c/131268/17:30
openstackgerritA change was merged to openstack/python-keystoneclient: Correct use of noqa  https://review.openstack.org/13127417:30
dstaneknotstevemar: tell stevemar that it looks good17:36
notstevemardstanek, will do17:36
openstackgerritMehdi Abaakouk proposed a change to openstack/keystone-specs: tokens swift persistent backend  https://review.openstack.org/13151517:39
openstackgerritDavid Stanek proposed a change to openstack/keystone: Adds a wip decorator for tests  https://review.openstack.org/13151617:42
openstackgerritMatthew Edmonds proposed a change to openstack/keystone: Adds IPv6 url validation support  https://review.openstack.org/13132617:43
dstanekayoung: ^ not exactly what you wanted, but based on what i have done in the past17:43
ayoungdstanek,  Adds IPv6 url validation support ?17:45
*** amcrn has joined #openstack-keystone17:46
*** morganfainberg is now known as alsonotstevemar17:46
alsonotstevemarI like this trend17:46
*** alsonotstevemar is now known as morganfainberg17:47
dstanekayoung: no the wip decorator17:52
openstackgerritMatthew Edmonds proposed a change to openstack/keystone: Adds IPv6 url validation support  https://review.openstack.org/13132617:53
*** henrynash has joined #openstack-keystone17:58
*** marcoemorais has quit IRC17:59
*** marcoemorais has joined #openstack-keystone17:59
*** marcoemorais has quit IRC18:01
*** marcoemorais has joined #openstack-keystone18:01
*** marcoemorais has quit IRC18:01
bknudsonlooking at http://www.infoq.com/news/2014/08/python-type-annotation-proposal -- python will turn into C++ or Java soon enough18:02
*** marcoemorais has joined #openstack-keystone18:02
ekarlsojust as wel..18:05
ekarlsonot having to check stuff all over the place18:05
openstackgerritwerner mendizabal proposed a change to openstack/keystone-specs: Multifactor Authentication  https://review.openstack.org/13037618:08
openstackgerritMatthew Edmonds proposed a change to openstack/keystone: Adds IPv6 url validation support  https://review.openstack.org/13132618:09
*** cds has joined #openstack-keystone18:09
dstaneklbragstad: did you see my note here: https://review.openstack.org/#/c/125738/13/keystone/token/controllers.py ?18:11
*** ukalifon has joined #openstack-keystone18:11
dstanekjamielennox: ^18:11
lbragstaddstanek: yep, I did18:11
lbragstadI was going to try it and possibly dig into it a bit18:12
lbragstadsee if there is a test we can add, or if we can just remove that?18:12
lbragstaddstanek: maybe in a subsequent patch?18:12
jamielennoxdstanek: i honestly can't remember18:12
*** amerine_ has quit IRC18:12
jamielennoxi think one came through as an empty list rather than an empty dict in XML18:12
jamielennoxif you didn't specify any auth18:12
lbragstadinteresting18:12
jamielennoxkind of makes sense, XML has no way to distinguish what should go between empty tags18:13
lbragstadI was wondering if it was something like but wasn't completely sure18:13
jamielennoxmakes sense in like an "oh XML" kind of way18:13
openstackgerritMatthew Edmonds proposed a change to openstack/keystone: Adds IPv6 url validation support  https://review.openstack.org/13132618:15
lbragstadjamielennox: so you agree it can be omitted?18:15
*** amerine has joined #openstack-keystone18:15
jamielennoxlbragstad: i'm surprised that no tests pick it up, if they don't i think it's ok to remove18:17
jamielennoxit's been there a long time so the problem may have been fixed higher up18:17
lbragstadjamielennox: sounds good, thanks for the input18:18
dstaneklbragstad: i only tested removing from your patch - if it's XML related i would expect test failures if it's removed from master18:18
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: I18n  https://review.openstack.org/13119918:18
lbragstaddstanek: but the tests are removed from my patch as well?18:20
dstaneklbragstad: you mean the XML ones?18:20
jamielennoxbknudson: i saw that ^ and some of the other docs changes - they're fine but i'm hoping to push through this auth_token change before approving them because they'll be easier to rebase than the plugin one18:20
jamielennoxwell ^ is the -client one, but i saw the middleware one as well18:20
dstaneklbragstad: that why i think it would/should fail if you removed those lines from master18:21
lbragstaddstanek: yeah, the XML ones18:21
lbragstadoh, right18:21
lbragstaddstanek: sorry, I misunderstood you18:21
dstaneklbragstad: :-) np18:21
lbragstaddstanek: was it you or bknudson who was interested in running coverage before and after the XML removal patch?18:21
bknudsonlbragstad: I did it.18:22
dstaneklbragstad: probably bknudson, but i'd also be interested18:22
lbragstadbknudson: do you recall what the coverage was?18:22
bknudsonlbragstad: and didn't notice anything that's not checked now that was before18:22
lbragstadbknudson: interesting... so the XML cases weren't tested?18:23
bknudsonlbragstad: no, they weren't testing anything new18:23
dstaneklbragstad: i removed the lines from master and have the test running now18:23
jamielennoxlbragstad: more likely they were tested by XML and something else as well18:23
jamielennoxthe something else will keep the coverage the same18:23
lbragstaddstanek: cool18:24
lbragstadjamielennox: gotcha, makes sense18:24
bknudsonto give an example, if we remove the keystoneclient master tests then there will be things that aren't being tested.18:24
dstanekanyone like regexes (or torture:)  https://review.openstack.org/13132618:24
jamielennoxbknudson: :(18:24
bknudsonso we should write some new tests and then delete the keystoneclient tests.18:24
jamielennoxbknudson: :)18:25
*** amerine_ has joined #openstack-keystone18:26
jamielennoxdstanek: that's crazy - i thought there was a jsonschema IPv6 field18:26
dstanekjamielennox: no idea - i haven't looked yet18:27
jamielennoxthere is a lbragstad note above it, something about GPL18:27
lbragstadjamielennox: yep18:27
lbragstadso jsonshema uses rfc398718:27
jamielennoxi'm surprised that jsonschema can depend on it then18:27
lbragstadwhich is GPL licensed and we couldn't get it into global requirements18:28
amakarovIs here anybody related to /openstack/keystone-specs project? I've just compiled it and found out that external links are broken18:28
jamielennoxor at least it seems like jsonschema's llicensing issue18:28
dstaneklbragstad: jamielennox: looks like XML passed in an emtpy string for auth: http://paste.openstack.org/show/126076/18:29
marekdgyee: did you have any luck running adfs w/ Keystone?18:29
openstackgerritLance Bragstad proposed a change to openstack/keystone: Remove XML support  https://review.openstack.org/12573818:29
lbragstaddstanek: sweet, thanks for running tat18:29
lbragstadthat*18:29
*** amerine has quit IRC18:29
lbragstaddstanek: removed in the latest patch ^18:29
gyeemarekd, I have try the client part yet18:30
gyeeon my todo list18:30
*** thedodd has quit IRC18:30
gyeemarekd, the apache setup works great, thanks for the tips!18:30
marekdgyee: no problem.18:30
lbragstaddstanek: that regex is insane18:32
*** packet has joined #openstack-keystone18:34
dstaneklbragstad: yeah, there are lots of examples on the interwebs so it's just about comparing http://bit.ly/1wzxrsX18:35
lbragstaddstanek: I think I saw one that was similar on stackoverflow or something like that18:36
lbragstadhttps://gist.github.com/mnordhoff/221317918:37
*** sigmavirus24_awa is now known as sigmavirus2418:38
*** marcoemorais has quit IRC18:40
*** ukalifon has quit IRC18:40
*** amerine has joined #openstack-keystone18:45
*** amerine_ has quit IRC18:46
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Update docs to no longer show XML support  https://review.openstack.org/12575318:56
openstackgerritayoung proposed a change to openstack/keystone-specs: Alembic for SQL migrations  https://review.openstack.org/13153118:57
*** marcoemorais has joined #openstack-keystone18:59
dstanekjust missed it!19:00
morganfainbergdstanek, , yeah sorry19:00
morganfainbergi like log.warning19:00
dstanek:) I just thought of it19:00
morganfainbergbut honestly, i don't care enough to say it needs to be one way or another unless oslo.log cares19:01
dstanekI agree but the question was asked for I thought I'd bring it up19:01
*** joesavak has quit IRC19:03
morganfainbergok i think i'm going to change the no-spec thing to allow people to add BPs for review19:04
morganfainbergrather than "we review the BPs"19:04
*** joesavak has joined #openstack-keystone19:05
*** topol has quit IRC19:06
*** cjellick has quit IRC19:08
jamielennoxayoung: kick along https://review.openstack.org/#/c/115857/9 please19:08
ayoungjamielennox, done19:09
ayoungjamielennox, https://review.openstack.org/#/c/129868/6  too?19:10
*** marcoemorais has quit IRC19:10
jamielennoxayoung: there there are a couple there with two +2s19:10
jamielennoxif you don't i willl19:10
ayounggood to go19:10
ayoungone, first 3 are covered19:11
ayoungjamielennox, https://review.openstack.org/#/c/130531/4  eneds another +2  morganfainberg bknudson gyee please19:11
gyeeayoung, change looks good, but no tests?19:15
gyeejamielennox, what's this auth.AUTH_INTERFACE magic?19:15
jamielennoxgyee: has been around for a while - essentially returns the AUTH_URL19:16
gyeeits declared as an object()19:16
gyeeso its a special marker?19:16
jamielennoxyes19:16
jamielennoxneeded because we still have routes that have to be sent to the auth interface rather than reading from the service catalog19:16
jamielennoxalso because my service catalog in unscoped didn't get picked up - so you need to be able to request things to go to the auth_url19:17
gyeek, I see what you did there19:17
gyeeclever :)19:17
*** sigmavirus24 is now known as sigmavirus24_awa19:18
jamielennoxgyee: so it's a bit hard to put tests in there because the exact values returned by that function change over the next few patches19:19
jamielennoxI've considered the fact that i changed something so significant and it passes the existing tests and the gate to be proof that there has been no functional changes19:19
*** sigmavirus24_awa is now known as sigmavirus2419:19
gyeejamielennox, k, wfe19:20
openstackgerritBrant Knudson proposed a change to openstack/keystonemiddleware: I18n  https://review.openstack.org/13128719:20
openstackgerritDavid Stanek proposed a change to openstack/keystone: Adds a wip decorator for tests  https://review.openstack.org/13151619:21
jamielennoxif you look at https://review.openstack.org/#/c/130533/4/keystonemiddleware/auth_token.py querying the actual keystone server moves into that function so the tests would have to change19:21
gyeeif there's a problem with the gates, we'll blame the newly minted QA liaison :D19:21
jamielennoxgyee: works for me19:22
jamielennoxgyee: keep going down the chain, the next one: https://review.openstack.org/#/c/130247/5 is super easy19:23
ayoungjamielennox, nkinder is it OK if I just revert the param to None  for the kerberos patch, and let if fail that way?19:25
jamielennoxayoung: i was just looking at that one i was going to make it raise a RuntimeError19:26
ayoungdeal19:26
ayoungjamielennox, I'll let you submit, then19:26
jamielennoxdstanek had the -1 if you can explain it past him i don't mind19:26
jamielennoxmaybe we just follow dstanek's advice19:27
jamielennoxayoung: i had the default in there because it technically should be a kwarg - but it will make no real difference so long as it's called correctly19:28
jamielennox(which it is because it's always keystoneclient that calls it)19:28
ayoung++19:28
jamielennoxcan i use utils.positional here?19:30
jamielennoxfrom ksc? do we consider ksc.utils public?19:31
*** gyee has quit IRC19:31
ayoungjamielennox, I don't think auth_token uses it19:32
ayoungother than that, I can't say19:32
jamielennoxyea - i've never wanted to rely on it outside of ksc19:32
ayoungrichm, do you still have the Keystone LDAP Puppet issue?19:33
richmayoung: yeah19:33
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient-kerberos: kerberos client plugin  https://review.openstack.org/12361419:33
*** amerine has quit IRC19:33
*** amerine has joined #openstack-keystone19:34
*** cjellick has joined #openstack-keystone19:35
dstanekjamielennox: -1 on what?19:35
jamielennoxdstanek: the kerberos plugin ^19:35
*** cjellick has quit IRC19:35
jamielennoxi did what you suggested, just remove the default. Technically it's a required keyword argument which keystone 2 can't express19:36
*** cjellick has joined #openstack-keystone19:36
openstackgerritAlexander Makarov proposed a change to openstack/keystone-specs: Trust redelegation documentation  https://review.openstack.org/13154119:36
dstanekjamielennox: yeah, just took a look and it looks much better19:36
bknudsonkeystone 2?19:37
morganfainbergbknudson, keystone 419:37
morganfainbergoh sorry was thinking we were just tossing numbers out there19:37
bknudsonat least we dropped 2.619:38
*** pack3t has joined #openstack-keystone19:39
*** pack3t has quit IRC19:39
amakarovmorganfainberg, good day! I've done some docs modifications, and have a question for now: what to do with broken links on the pages?19:42
amakarovmorganfainberg, file a bug or fix in place?19:43
*** marcoemorais has joined #openstack-keystone19:43
morganfainbergbroken links?19:44
*** amerine has quit IRC19:44
morganfainbergamakarov, ^19:44
amakarovmorganfainberg, I'm about https://review.openstack.org/131541 there are plenty of links to nowhere. For example:19:46
amakarovCreate trustPOST /OS-TRUST/trusts19:46
amakarovRelationship: http://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trusts19:46
amakarovoops19:46
amakarovRelationship: http://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trusts19:46
amakarovmorganfainberg, I presume it's something old19:47
morganfainbergwhere is that link hiding?19:47
* morganfainberg isn't seeing it19:47
morganfainbergoh19:47
morganfainberginteresting19:47
amakarovmorganfainberg, it's in keystone-specs19:47
morganfainbergRelationship: http://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trust_role19:47
morganfainbergooooooo19:48
morganfainberguh19:48
morganfainbergamakarov, we might need to work on that19:49
morganfainberghmmm19:49
amakarovmorganfainberg, does it block trust redelegation issue?19:49
morganfainbergbknudson, ayoung, ping- in our docs "Relationship: http://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trust_role " should that *point* to something?19:50
morganfainbergbknudson, ayoung, http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-trust-ext.html#check-if-role-is-delegated-by-a-trust19:50
morganfainbergfor example is where that is19:50
dolphmamakarov: they're not intended to be working links, they're just namespaces19:50
morganfainbergdolphm, ah19:50
morganfainbergamakarov, no it wouldn't block the review in either case19:50
amakarovdolphm, a relief )19:50
ayoungmorganfainberg, yes19:51
bknudsonmorganfainberg: the relationship doesn't have to point to anything. It's just an ID.19:51
amakarovmorganfainberg, thanks, got it19:51
morganfainbergbknudson, yep.19:51
bknudsonsimilar to the XML namespace id.19:51
amakarovcan somebody suggest what else to write in the docs?19:52
morganfainbergah19:52
amakarov  https://review.openstack.org/13154119:52
*** ukalifon1 has joined #openstack-keystone19:53
openstackgerritAlexander Makarov proposed a change to openstack/keystone-specs: Trust redelegation documentation  https://review.openstack.org/13154119:56
dstaneknkinder: do you have an easy way to test https://review.openstack.org/#/c/123614 against a live setup?19:59
nkinderdstanek: for me to test it, or for you to set up an environment to test it?20:00
dstaneknkinder: either - do you test by hand or do you have some scripts?20:01
nkinderdstanek: it's all scripted - https://github.com/nkinder/rdo-vm-factory20:01
nkinderdstanek: the scripts are based on Fedora 20+ or RHEL720:02
dstaneknkinder: neat, i'll check that out20:02
dstaneknkinder: thanks20:02
nkinderdstanek: on a F20 system with enough memory, you can clone that repo and just run setup.sh in rdo-kerberos-setup to build it all20:02
ayoungdstanek, I do20:02
ayoungyou can hit the keystone server a keystone.younglogic.net20:02
nkinderdstanek: I'll test the latest patch this afternoon too20:02
ayoungdstanek, pretty sure I already gave you an account20:03
ayoungdstanek, nope, not yet...I'll give you one20:03
*** amakarov is now known as amakarov_away20:04
ayoungdstanek, sent you login info in a PM. Headed home now, will be aback online in a bit20:07
*** ayoung has quit IRC20:07
*** thedodd has joined #openstack-keystone20:08
*** nkinder has quit IRC20:08
*** ukalifon1 has quit IRC20:28
*** r1chardj0n3s_afk is now known as r1chardj0n3s20:30
r1chardj0n3smorning20:30
openstackgerritRodrigo Duarte proposed a change to openstack/keystone-specs: API documentation for Hierarchical Multitenancy  https://review.openstack.org/13010320:31
rodrigodsmorganfainberg, henrynash nice comment from bknudson in the HM API spec20:32
rodrigodsshould we only allow disable a leaf project?20:33
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: I18n  https://review.openstack.org/13119920:33
jamielennoxbknudson: what is the DocImpact of https://review.openstack.org/#/c/131199/20:33
bknudsonjamielennox: document that it's supported now and how to enable it.20:37
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient-kerberos: kerberos client plugin  https://review.openstack.org/12361420:37
jamielennoxbknudson: ok, that's fair enough20:37
bknudsonjamielennox: I actually don't know what you have to do to enable it... since we call it from keystoneclient and keystonemiddleware maybe we have to call something.20:38
bknudsonI mean we call keystoneclient from keystone20:38
jamielennoxbknudson: i have no idea - this is what i mean by we'd never looked at i18n for libraries. I'm *guessing* that you must do a global setting when you start keystone that translates to everything you import as well -?20:39
*** david-lyle has quit IRC20:48
*** radez is now known as radez_g0n320:51
openstackgerritA change was merged to openstack/keystone: Use oslo.concurrency instead of sync'ed version  https://review.openstack.org/13126820:59
*** lhcheng has quit IRC20:59
*** marcoemorais has quit IRC21:01
*** marcoemorais1 has joined #openstack-keystone21:01
*** joesavak has quit IRC21:11
*** nkinder has joined #openstack-keystone21:12
*** nellysmitt has quit IRC21:16
openstackgerritAnne Gentle proposed a change to openstack/keystone-specs: Adds v2.0 files for api spec  https://review.openstack.org/13131521:18
*** harlowja is now known as harlowja_away21:21
openstackgerritLance Bragstad proposed a change to openstack/keystone: Provide useful info when parsing policy file  https://review.openstack.org/13157421:24
morganfainberglbragstad, ayoung, dstanek, nkinder, topol, stevemar, notstevemar, dolphm, bknudson, jamielennox, gyee, henrynash, http://kilodesignsummit.sched.org/event/bc0a9cdc4f3b190cf83214fc5f07c3cd21:32
dolphmmorganfainberg: cool!21:32
morganfainbergcross project workshop, highly recommend everyone show up if possible :)21:32
bknudson3 attendees already!21:33
morganfainbergit *might* change timeslot, but that is based on russel's recent email to -dev21:33
russellbi hope not to move stuff21:33
russellbunless it's really bad21:33
russellbbut yeah, you guys basically have 2 sessions in a row21:34
russellbmorganfainberg: i have you listed as the lead for both21:34
russellbunless you say otherwise21:34
morganfainbergrussellb, hehe ok21:34
morganfainbergoh woot we got the policy discussion one!21:34
russellbyeah21:34
morganfainbergyay!21:34
morganfainberg:)21:34
morganfainbergsame group: http://kilodesignsummit.sched.org/event/0cc08a23b52afbb8d3526d530806c6c221:34
*** saipandi has quit IRC21:35
morganfainbergrussellb, thats good, we can take those and get the keystone-specifics worked on in our dedidcated session then / more focused21:35
morganfainbergrussellb, likely it'll be me, ayoung, nkinder leading the policy one (provided both of them can make it)21:35
morganfainbergsame as the keystone focused one.21:36
russellbmorganfainberg: just update https://etherpad.openstack.org/p/kilo-crossproject-summit-topics21:36
russellbas you see fit21:36
russellbneed descriptions too21:36
morganfainbergyep.21:36
morganfainbergdo you want me to create the dedicated etherpads for these?21:36
nkindermorganfainberg: I'll be there for the policy one for sure21:36
openstackgerritJorge Munoz proposed a change to openstack/keystone-specs: Refresh Token spec  https://review.openstack.org/13157521:38
morganfainbergnkinder, added http://kilodesignsummit.sched.org/event/061876b56285e8a46443bc3bf730031b21:39
morganfainbergthe link at the top of that sched.org description21:39
ekarlsojamielennox: how did the cli plugin stuff end ?21:40
lbragstadmorganfainberg: awesome21:40
morganfainbergso people know we are doing the more focused work in the keystone session21:40
morganfainbergrussellb, let me go get lunch and i'll get some stuff updated for you / descriptions /etc21:41
russellbmorganfainberg: thanks!21:41
*** packet has quit IRC21:42
*** marcoemorais1 has quit IRC21:42
*** marcoemorais has joined #openstack-keystone21:45
*** tellesnobrega_ has joined #openstack-keystone21:45
*** harlowja_away is now known as harlowja21:46
*** dims__ has quit IRC21:46
richmthe base puppet keystone ldap identity backend install is working - there must be a problem in my multi-domain patches - investigating21:47
*** lhcheng has joined #openstack-keystone21:47
*** marcoemorais has quit IRC21:48
nkinderrichm: interesting...21:48
*** marcoemorais has joined #openstack-keystone21:48
nkinderrichm: I haven't gotten a setup fully going with your patches yet21:48
*** tellesnobrega_ has quit IRC21:50
*** david-lyle has joined #openstack-keystone21:53
dolphmmorganfainberg: already aware of the schedule conflict for keystone feature adoption?21:55
*** vejdmn has quit IRC21:55
richmI'll send you my working patches - at least you can get up and running with full read-write ldap identity backend21:55
morganfainbergdolphm, with?21:55
dolphmmorganfainberg: Congress http://kilodesignsummit.sched.org/event/e82e30d5f2c961a4f9d8641833b1715d21:56
morganfainberghmm21:56
dolphmmorganfainberg: http://kilodesignsummit.sched.org/event/bc0a9cdc4f3b190cf83214fc5f07c3cd21:56
morganfainbergrussellb, ^21:56
dolphmnot critical, but definitely an overlap in target audience21:56
morganfainbergdolphm, yeah was looking at my schedule still.21:56
*** tellesnobrega_ has joined #openstack-keystone21:56
morganfainbergrussellb, not sure if we can move (as dolphm said not super critical) but congress has expressed interest in collaborating and we have a genuine overlap in audience21:57
dolphmi'd suggest swapping Congress with Kolla http://kilodesignsummit.sched.org/event/14b3884522b5501a71404b481d5b45f121:58
russellbthis for the policy thing?21:58
russellbso ... help me understand the overlap in "policy"21:58
russellbi took your policy thing to be related to policy.json type policy21:58
morganfainbergrussellb, the keystone feature adoption overlaps with congress session21:58
russellbAPI RBAC like policy21:58
morganfainbergrussellb, congress is a project focused on poilicy, which21:59
russellboh that one.21:59
morganfainbergyeah21:59
russellbcongress scope isn't entirely clear to me, honestly21:59
morganfainbergits timeslot overlap21:59
russellbthe scope seems .... very big.21:59
dolphmyep, it's oslo.policy but a service21:59
russellbdolphm: your thing, right?21:59
russellbnot congress21:59
morganfainbergrussellb, i was planning on showing up and trying to figure that out / help get them pointed21:59
dolphmbut i'd fix the issue by tweaking the "Other Projects" track, not the cross project track21:59
morganfainbergrussellb, since i *think* they have potential.22:00
morganfainbergdolphm, ah hm.22:00
russellbtheir "policy" seems different22:00
russellbit's ...22:00
morganfainbergi wonder if we can get that tweaked22:00
russellbyeah.22:00
morganfainberglet me chase down hoge and ttx22:00
morganfainbergif we can't fix it no worries22:00
russellbyeah, see what ttx thinks22:00
morganfainbergkeystoen feature > congress imo22:00
morganfainbergfor this team that is22:01
* russellb nods22:01
russellbi would think so!22:01
dolphmrussellb: oh - i have not looked at congress is a long while. the scope has certainly changed!22:01
morganfainbergdolphm, yeah whoa, it's changed since last i looked22:02
*** tellesnobrega_ has quit IRC22:02
morganfainberghuh22:02
dolphmit sounds like it leans more toward the auditing side22:02
russellbmaybe i need to look again22:02
morganfainberglooks like they're mosting business rules "policy"22:02
morganfainbergand auditing22:03
morganfainbergmeh, ok nvm22:03
russellbyeah..22:03
dolphmstill conflicts with keystone's interesets22:03
morganfainbergi'll corner some of them and bug them to join our session(s)22:03
morganfainbergor at least visit with us in the PODs22:03
russellbwhat really struck me is I even saw references to things like, automatically resolving policy violations22:03
russellbthat's getting out of control, IMO22:03
russellband also involving congress in all decisions made to make sure they don't violate policy22:03
morganfainbergrussellb, thats just not really doable imo22:03
russellbthat was my take22:04
russellbanyway, i really need to take my feedback to congress :)22:04
russellbjust haven't had time22:04
russellbmaybe a good beer topic next week if i can grab the right person22:04
morganfainbergnow if they fit the bill on "holders of policy configs" and "what roles / capabilities can i do with X" or the inverse of "what do i need to have capability wise to do x" that would be useful22:04
russellbright now i just want to make sure i understand their goals properly22:04
morganfainbergbut it looks out of the scope i was even thinking of now.22:05
morganfainbergwhich is largely what the larger-policy topic is about22:05
dolphmmorganfainberg: i was thinking the same as you. what's described in the current readme is not what i remember from a wiki / email way back when22:05
morganfainbergthe 3 things listed above22:05
morganfainberganyway22:05
morganfainbergdolphm, you mind co-leading the keystone feature adoption x-project workshop?22:06
morganfainbergdolphm, or should i drag jamielennox into it ;)22:06
morganfainberg[for funsies]22:06
dolphmmorganfainberg: except that i'd also like to be in the congress session22:06
dolphmmorganfainberg: and yeah, that should be jamielennox :D22:06
morganfainbergdolphm, works for me. i'll drag jamielennox in22:06
morganfainbergwe can sync up with the congress "stuff" after22:06
dolphmi'd also like to be in Growth Challenges22:07
dolphmbut i'll settle for part 222:07
morganfainbergaye22:07
*** Gippa has joined #openstack-keystone22:08
morganfainbergdolphm, sounds good i think we can handle policy [besides we're going to have a keystone session later on it anyway]22:09
*** thiagop has quit IRC22:09
morganfainbergalso http://kilodesignsummit.sched.org/event/01bc059c3574746dd8c513843bb19cf3 is fairly interesting.22:09
morganfainbergwe might need someone to sit in that one as well.22:09
*** thedodd has quit IRC22:09
*** bknudson has quit IRC22:11
morganfainbergdolphm, http://imgur.com/mnCNjNc omg *explodes head*22:16
morganfainbergi just realized how awful those colors are too22:16
*** thedodd has joined #openstack-keystone22:19
morganfainbergi totally  need another sched.org account for "would like to go" calendar vs. "must go"22:22
*** sigmavirus24 is now known as sigmavirus24_awa22:24
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements  https://review.openstack.org/13089722:28
openstackgerritMatthew Edmonds proposed a change to openstack/keystone: Adds IPv6 url validation support  https://review.openstack.org/13132622:31
openstackgerritOpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/13112222:33
openstackgerritOpenStack Proposal Bot proposed a change to openstack/python-keystoneclient-kerberos: Updated from global requirements  https://review.openstack.org/13159522:33
*** david-lyle_ has joined #openstack-keystone22:33
*** thedodd has quit IRC22:35
openstackgerritMatthew Edmonds proposed a change to openstack/keystone: Adds IPv6 url validation support  https://review.openstack.org/13132622:36
*** david-lyle has quit IRC22:36
*** andreaf has joined #openstack-keystone22:37
*** gyee has joined #openstack-keystone22:39
*** david-lyle has joined #openstack-keystone22:41
nkinderdstanek: just successfully tested the latest revision of https://review.openstack.org/#/c/123614/22:42
*** jorge_munoz has quit IRC22:42
*** david-lyle_ has quit IRC22:45
*** gordc has quit IRC22:45
*** dims__ has joined #openstack-keystone22:46
*** dims__ has quit IRC22:52
*** amcrn has quit IRC22:52
*** dims__ has joined #openstack-keystone22:55
*** dims__ has quit IRC22:55
*** dims__ has joined #openstack-keystone22:56
*** henrynash has quit IRC22:56
*** dims__ has quit IRC22:57
*** dims__ has joined #openstack-keystone22:57
*** chrisshattuck has quit IRC22:59
*** Gippa has quit IRC23:05
*** andreaf has quit IRC23:08
*** henrynash has joined #openstack-keystone23:10
*** andreaf has joined #openstack-keystone23:11
openstackgerritRodrigo Duarte proposed a change to openstack/keystone: Doc about deleting a domain specific backend domain  https://review.openstack.org/13131923:13
openstackgerritRodrigo Duarte proposed a change to openstack/keystone: Doc about deleting a domain specific backend domain  https://review.openstack.org/13131923:15
*** andreaf has quit IRC23:16
*** andreaf has joined #openstack-keystone23:17
morganfainbergnkinder: before he cross project session I'd like to sit down with you. Want to hammer out some details before hand.23:36
morganfainbergPolicy one that is.23:37
*** henrynash has quit IRC23:40
*** amcrn has joined #openstack-keystone23:42
*** andreaf has quit IRC23:43
*** david-lyle has quit IRC23:50
*** packet has joined #openstack-keystone23:51
« Monday, 2014-10-27 Index Wednesday, 2014-10-29 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!