Monday, 2014-11-17

*** topol has quit IRC 00:17
*** gokrokve has joined #openstack-keystone 00:24
*** gokrokve has quit IRC 00:29
*** dims has quit IRC 00:32
*** dims has joined #openstack-keystone 00:32
*** lhcheng has quit IRC 00:45
*** marg7175 has joined #openstack-keystone 01:23
*** topol has joined #openstack-keystone 01:29
*** marg7175 has quit IRC 01:36
*** marg7175 has joined #openstack-keystone 01:37
*** richm has joined #openstack-keystone 01:46
*** alex_xu has joined #openstack-keystone 01:57
*** sluo_laptop has joined #openstack-keystone 02:07
*** sluo_laptop has quit IRC 02:15
*** dims has quit IRC 02:18
*** dims has joined #openstack-keystone 02:19
*** gokrokve has joined #openstack-keystone 02:24
*** dims has quit IRC 02:25
*** dims has joined #openstack-keystone 02:25
*** oomichi has joined #openstack-keystone 02:28
*** gokrokve has quit IRC 02:29
*** tellesnobrega has joined #openstack-keystone 02:32
*** alex_xu has quit IRC 02:34
*** erkules_ has joined #openstack-keystone 02:39
*** tellesnobrega has quit IRC 02:41
*** alex_xu has joined #openstack-keystone 02:41
*** erkules has quit IRC 02:42
*** richm has quit IRC 02:43
*** fifieldt has quit IRC 02:45
*** sigmavirus24_awa is now known as sigmavirus24 02:59
*** boris-42 has quit IRC 03:07
*** dims_ has joined #openstack-keystone 03:20
*** dims has quit IRC 03:23
*** gokrokve has joined #openstack-keystone 03:24
*** dims_ has quit IRC 03:29
*** dims has joined #openstack-keystone 03:29
*** gokrokve has quit IRC 03:29
*** gokrokve has joined #openstack-keystone 04:22
*** gokrokve has quit IRC 04:53
*** gokrokve has joined #openstack-keystone 04:53
<openstackgerrit> rajiv proposed openstack/python-keystoneclient: Does not accept blank password for updation  https://review.openstack.org/134454 04:55
*** gokrokve has quit IRC 04:58
*** gokrokve has joined #openstack-keystone 05:02
*** sluo_laptop has joined #openstack-keystone 05:07
*** oomichi has quit IRC 05:11
*** sigmavirus24 is now known as sigmavirus24_awa 05:15
*** gokrokve has quit IRC 05:18
*** gokrokve has joined #openstack-keystone 05:18
*** gokrokve has quit IRC 05:23
*** jamielennox is now known as jamielennox|away 05:34
*** jamielennox|away is now known as jamielennox 05:41
*** topol has quit IRC 05:48
*** gokrokve has joined #openstack-keystone 05:49
*** gokrokve has quit IRC 05:50
*** gokrokve has joined #openstack-keystone 05:51
*** stevemar has joined #openstack-keystone 05:52
*** gokrokve has quit IRC 05:56
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/134696 06:02
*** ukalifon has joined #openstack-keystone 06:20
*** miqui has quit IRC 06:22
*** gokrokve has joined #openstack-keystone 06:24
*** gokrokve has quit IRC 06:29
*** KanagarajM has joined #openstack-keystone 06:30
*** erkules_ is now known as erkules 06:42
*** agireud has joined #openstack-keystone 06:43
*** marg7175 has quit IRC 06:58
*** agireud has quit IRC 07:10
*** gokrokve has joined #openstack-keystone 07:24
*** marg7175 has joined #openstack-keystone 07:25
*** stevemar has quit IRC 07:27
*** gokrokve has quit IRC 07:29
*** fifieldt has joined #openstack-keystone 08:09
*** links has joined #openstack-keystone 08:13
*** jaosorior has joined #openstack-keystone 08:19
*** ajayaa has joined #openstack-keystone 08:24
*** gokrokve has joined #openstack-keystone 08:24
*** gokrokve has quit IRC 08:29
*** marg7175 has quit IRC 08:56
*** alex_xu has quit IRC 09:16
*** gokrokve has joined #openstack-keystone 09:24
*** gokrokve has quit IRC 09:25
*** gokrokve has joined #openstack-keystone 09:26
*** gokrokve has quit IRC 09:31
*** ajayaa has quit IRC 09:59
*** gokrokve has joined #openstack-keystone 10:24
*** gokrokve has quit IRC 10:29
*** f13o has quit IRC 10:33
*** boris-42 has joined #openstack-keystone 10:33
<openstackgerrit> Marek Denis proposed openstack/python-keystoneclient: Cache unscoped SAML tokens locally  https://review.openstack.org/134606 10:51
*** marg7175 has joined #openstack-keystone 10:57
*** marg7175 has quit IRC 11:02
*** ajayaa has joined #openstack-keystone 11:04
*** KanagarajM has quit IRC 11:04
<openstackgerrit> henry-nash proposed openstack/keystone: Split the assignments manager/driver.  https://review.openstack.org/130954 11:05
*** gokrokve has joined #openstack-keystone 11:24
*** lhcheng has joined #openstack-keystone 11:27
*** gokrokve has quit IRC 11:29
*** ajayaa has quit IRC 11:34
*** openstackgerrit has quit IRC 11:48
*** openstackgerrit has joined #openstack-keystone 11:49
*** ajayaa has joined #openstack-keystone 11:49
*** dims has quit IRC 11:50
*** dims has joined #openstack-keystone 11:50
*** nellysmitt has joined #openstack-keystone 11:58
*** diegows has joined #openstack-keystone 12:06
*** marg7175 has joined #openstack-keystone 12:11
*** raildo has joined #openstack-keystone 12:18
*** stevemar has joined #openstack-keystone 12:22
*** gokrokve has joined #openstack-keystone 12:24
*** gokrokve has quit IRC 12:29
*** diegows has quit IRC 12:39
*** rm_work is now known as rm_work|away 12:45
*** diegows has joined #openstack-keystone 12:51
*** elynn_ has joined #openstack-keystone 12:54
*** ajayaa has quit IRC 12:56
*** stevemar has quit IRC 12:56
*** f13o has joined #openstack-keystone 12:59
*** diegows has quit IRC 13:03
*** gokrokve has joined #openstack-keystone 13:14
*** diegows has joined #openstack-keystone 13:20
*** tristanC_ is now known as tristanC 13:27
*** ChanServ sets mode: +o dolphm 13:30
*** gordc has joined #openstack-keystone 13:35
*** diegows has quit IRC 13:35
*** diegows has joined #openstack-keystone 13:37
*** gokrokve has quit IRC 13:38
*** gokrokve has joined #openstack-keystone 13:39
*** k4n0_ has quit IRC 13:39
*** gokrokve has quit IRC 13:43
*** dims has quit IRC 13:52
*** jaosorior has quit IRC 13:53
*** dims has joined #openstack-keystone 13:53
<openstackgerrit> henry-nash proposed openstack/keystone: Split the assignments manager/driver.  https://review.openstack.org/130954 13:59
<openstackgerrit> henry-nash proposed openstack/keystone: Split the assignments manager/driver.  https://review.openstack.org/130954 14:01
*** henrynash has joined #openstack-keystone 14:02
*** tellesnobrega has joined #openstack-keystone 14:05
*** nkinder has quit IRC 14:05
<openstackgerrit> henry-nash proposed openstack/keystone: Split the assignments controller  https://review.openstack.org/132634 14:06
<openstackgerrit> henry-nash proposed openstack/keystone: Ensure controllers and managers reference new resource manager.  https://review.openstack.org/133525 14:06
*** gokrokve has joined #openstack-keystone 14:09
*** htruta has joined #openstack-keystone 14:11
*** gokrokve has quit IRC 14:14
*** elynn_ has quit IRC 14:14
*** tellesnobrega has quit IRC 14:15
*** thiagop has joined #openstack-keystone 14:17
*** ayoung has quit IRC 14:18
*** gokrokve has joined #openstack-keystone 14:24
*** ayoung has joined #openstack-keystone 14:26
*** tellesnobrega has joined #openstack-keystone 14:28
*** gokrokve has quit IRC 14:29
*** tellesnobrega has quit IRC 14:32
*** marg7175 has quit IRC 14:36
*** stevemar has joined #openstack-keystone 14:42
*** bknudson has joined #openstack-keystone 14:46
*** jacorob has joined #openstack-keystone 14:46
*** sudorandom has quit IRC 14:49
*** nkinder has joined #openstack-keystone 14:57
*** gokrokve has joined #openstack-keystone 14:58
*** zzzeek has joined #openstack-keystone 15:02
*** topol has joined #openstack-keystone 15:04
*** radez_g0n3 is now known as radez 15:05
*** sudorandom has joined #openstack-keystone 15:06
*** richm1 has joined #openstack-keystone 15:09
*** jaosorior has joined #openstack-keystone 15:16
<openstackgerrit> Steve Martinelli proposed openstack/keystone: Update keystone readme to point to specs.o.org  https://review.openstack.org/134595 15:18
<ayoung> lbragstad, I wrote something this weekend that I think you might find interesting about token size:  http://adam.younglogic.com/2014/11/minimal-token-size/ 15:24
<morganfainberg> 44mornin. 15:27
<morganfainberg> erm.. s/44/ 15:28
*** amakarov_away is now known as amakarov 15:29
<ayoung> morganfainberg, 44 morning to you too 15:29
<dstanek> good morning all 15:29
<lbragstad> ayoung: checking 15:30
<ayoung> lbragstad, I can run some other size checks, too, if I missed the data that you are contemplating for AE tokens. 15:30
<lbragstad> ayoung: writing up a script that probably explains things a little better. I'll link it in the review the next iteration 15:30
<morganfainberg> ayoung, not sure a bitmap/bitvector is the right choice, but it's definitely an interesting idea to explore :) 15:30
<ayoung> lbragstad, the short of it is, I don't think they really buy us anything 15:30
<morganfainberg> then again, my answer would be the same in a lot of cases. 15:30
<ayoung> morganfainberg, it is just the absolute smallest I could think of 15:31
<morganfainberg> ayoung, yeah 15:31
<morganfainberg> like i said interesting 15:31
<ayoung> morganfainberg, the real question is : what are we trying to optimize for? 15:31
<ayoung> I think that a better short hand would be the "subordinate service catalogs" 15:31
<morganfainberg> ayoung, in the case of what lbragstad is aiming for, it is a mix between UUID and non-persistence 15:31
<morganfainberg> ayoung, largely it will need the "no catalog in the token" change anyway 15:32
<ayoung> morganfainberg, we can do that today with PKIZ and catalog-less tokens 15:32
<morganfainberg> ayoung, 1k is still too much data 15:32
<ayoung> morganfainberg, what is out size limit? 15:32
<ayoung> our 15:32
<morganfainberg> ayoung, 120-150bytes 15:32
<ayoung> morganfainberg, only going to get that with UUID tokens. 15:32
<ayoung> morganfainberg, you sign any data cryptographically and it jumps to 500 15:33
<morganfainberg> ayoung, like i said, a mix of uuid and non-persistence 15:33
<ayoung> morganfainberg, OK...minimal data would be:  userid, projectid, expiry 15:33
<morganfainberg> userid, projectid, issued, expiry-delta 15:33
<morganfainberg> btw, why are we storing the expired_at in the token at all? we could just put a TTL (int) in seconds ;) 15:34
<ayoung> morganfainberg, suspect we could calculate expiry from issued if we needed to 15:34
<morganfainberg> yeah 15:34
<morganfainberg> *shrug* 15:34
<ayoung> so... minimal data would look like this: 15:34
<lbragstad> http://pasteraw.com/ml3k9tymvi5rzo2vijc32rw44t415bj 15:34
<lbragstad> something like that 15:34
<ayoung> {f6bcfd33c6534a2cab1d96e74768b5fb,58a4988d35474b5faea068990fe96871,2147483647} 15:35
<stevemar> marekd, ping 15:35
<ayoung> lbragstad, how are you encoding? 15:35
<marekd> stevemar: ding dong 15:35
<morganfainberg> ayoung, uuid.bytes + msgpack 15:35
<morganfainberg> is what he's doing 15:35
<stevemar> marekd, can you review https://review.openstack.org/#/c/134700/ - i'm stuck on something :( 15:35
<ayoung> morganfainberg, so no crypto? 15:35
<lbragstad> or even 15:36
<lbragstad> http://pasteraw.com/5grctaz9vg0ai2tt9sslbxjtg5ncxxh 15:36
<dstanek> lbragstad: i've never actually used msgpack; is it better than struct? 15:36
<morganfainberg> ayoung, i think with HMAC sig we jump to ~150bytes encoded. 15:36
<marekd> stevemar: looking. 15:36
<morganfainberg> ayoung, again this is very specifically providing as small a token w/o persistence as possible. 15:36
<lbragstad> dstanek: I'm just playing with at the moment, so far no issues 15:36
<ayoung> morganfainberg, I understand 15:36
<lbragstad> dstanek: I did a comparison between compressing a dict and using msgpack 15:37
<morganfainberg> ayoung, but largely, i expect this to start as an out-of-tree provider. we can evaluate it at that point. 15:37
<lbragstad> msgpacking with an array of data is shorter 15:37
<morganfainberg> ayoung, if it is something that we like - we can bring it in tree and offer it as the alternative to uuid w/o the token store 15:37
<morganfainberg> ayoung, if we don't, we've still provided the interface for lbragstad  and RAX to do this type of token (this is the AE proposal) 15:38
<morganfainberg> ayoung, PKI/PKIZ will of course be our in-tree (to start) options for non-persistence 15:38
<morganfainberg> ayoung, if that makes sense. 15:38
* morganfainberg glares at expense reports. 15:39
<ayoung> morganfainberg, where does the 150 bytes limit come from? 15:40
<morganfainberg> ayoung, a nice number we should aim for. I think that limit is a place where swift and the other folks who want UUID length tokens will stop beating us up 15:40
*** jacorob has quit IRC 15:41
<morganfainberg> ayoung, and the UX is *similar* on the CLI (curl etc) to uuid. 15:41
<ayoung> morganfainberg, we still need to persist revocation events either way.  How is this any better than volatile memcached? 15:42
<morganfainberg> ayoung, revocation events are uncommon - we've discussed that before. 15:42
<morganfainberg> and something that is much less expensive to cleanup than token lists. 15:42
<morganfainberg> since they are relatively uncommon 15:43
<lbragstad> dstanek: here is an example of what we could get (size wise) by using msgpack 15:43
<lbragstad> dstanek: in the best case 15:43
<lbragstad> dstanek: the format of the data being [token format, user_id, project_id, created_at, ttl] 15:44
<morganfainberg> lbragstad, need audit_ids and signer too. 15:44
<lbragstad> morganfainberg: ahh right, 15:45
<lbragstad> what was the link you sent me friday on that? 15:45
<lbragstad> I was digging for it but couldn't recall exactly where it was 15:45
<dstanek> lbragstad: so ~50 bytes of data? 15:45
*** radez is now known as radez_g0n3 15:45
<lbragstad> dstanek: +50 with the HMAC 15:45
<lbragstad> I still have to do that part 15:46
<morganfainberg> lbragstad, i didn't mail was an IRC convo 15:46
<dstanek> lbragstad: a 100 is really good 15:46
*** jacorob has joined #openstack-keystone 15:46
*** gyee has joined #openstack-keystone 15:47
<ayoung> morganfainberg, how are we getting the HMAC? 15:48
<morganfainberg> ayoung, ask lbragstad he had an idea on it. but tbh i don't remember. I was more worried about supporting this type of exploration than the implementation on that atm. 15:49
<ayoung> morganfainberg, heh 15:49
<morganfainberg> ayoung, HMAC is a relatively solved problem. Our issue is generating a Key and storing the key. 15:51
<morganfainberg> ayoung, if we really go down this path, we can address that. 15:51
<ayoung> morganfainberg, is it a solved problem from python? 15:51
<morganfainberg> ayoung, yes. 15:52
*** saipandi has joined #openstack-keystone 15:52
*** marg7175 has joined #openstack-keystone 15:52
<morganfainberg> ayoung, https://docs.python.org/2/library/hmac.html 15:53
<morganfainberg> as is hashlib available 15:53
*** agireud has joined #openstack-keystone 15:55
<marekd> stevemar: so where are you stuck? 15:55
*** rwsu has joined #openstack-keystone 15:56
<marekd> stevemar: it doesn't really get back to the keystone first url ? 15:56
*** marg7175 has quit IRC 15:57
*** marg7175 has joined #openstack-keystone 15:58
<rodrigods> morganfainberg, ayoung, henrynash, raildo, few moments to discuss get project subtree/parents visibility? 15:58
<raildo> yes 15:59
<stevemar> marekd, sort of 15:59
<stevemar> marekd, the last call there - the one that goes to the 'location' of the previous return 16:00
<marekd> stevemar: i might need to setup something to debug, or at least some links how should the workflow look like. 16:00
<stevemar> it just ends up handing 16:00
<stevemar> hanging* 16:00
<marekd> and what's the location value? 16:00
*** dtturner has joined #openstack-keystone 16:01
<marekd> did you check apache logs? (server side) 16:01
<morganfainberg> rodrigods, just a moment, i do need to run off an get breakfast before my day gets too crazy 16:01
<morganfainberg> rodrigods, so might need to do this a bit later today. 16:01
*** gokrokve_ has joined #openstack-keystone 16:01
*** thedodd has joined #openstack-keystone 16:01
*** lhcheng has quit IRC 16:02
*** radez_g0n3 is now known as radez 16:04
*** gokrokve has quit IRC 16:04
*** sigmavirus24_awa is now known as sigmavirus24 16:04
<rodrigods> morganfainberg, no problem, so when you're back you can ping us =) 16:04
*** agireud has quit IRC 16:04
<stevemar> marekd, lemme check 16:06
<morganfainberg> rodrigods, will do. gonna go grab food. 16:10
*** david-lyle_afk is now known as david-lyle 16:11
*** jacorob has quit IRC 16:11
<openstackgerrit> Rodrigo Duarte proposed openstack/keystonemiddleware: Adds Memcached dependencies doc  https://review.openstack.org/134993 16:15
*** zzzeek has quit IRC 16:16
*** wwriverrat1 has joined #openstack-keystone 16:18
*** zzzeek has joined #openstack-keystone 16:18
*** jacorob has joined #openstack-keystone 16:21
*** agireud has joined #openstack-keystone 16:21
*** wwriverrat1 has left #openstack-keystone 16:23
*** lhcheng has joined #openstack-keystone 16:29
*** agireud has quit IRC 16:31
*** gokrokve has joined #openstack-keystone 16:36
*** zzzeek has quit IRC 16:39
*** gokrokve_ has quit IRC 16:39
*** r-daneel has joined #openstack-keystone 16:39
*** marg7175 has quit IRC 16:40
<openstackgerrit> Merged openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/134696 16:40
*** marg7175 has joined #openstack-keystone 16:41
*** zzzeek has joined #openstack-keystone 16:42
*** agireud has joined #openstack-keystone 16:44
<openstackgerrit> Rodrigo Duarte proposed openstack/python-keystoneclient: Implementing hierarchical calls on keystoneclient v3 (python only)  https://review.openstack.org/115770 16:50
*** jacorob has quit IRC 16:59
*** wwriverrat has joined #openstack-keystone 17:01
*** jacorob has joined #openstack-keystone 17:02
*** rwsu has quit IRC 17:03
*** kobtea has joined #openstack-keystone 17:05
<ayoung> lbragstad, OK, so the HMAC is small, but that is not enough to actually pass the identification data.  How are you passing that? 17:09
<morganfainberg> so based upon the poll for mid-cycle 17:11
<morganfainberg> i think we're going to be in SAT again. 17:12
<stevemar> gyee, best comment ever 17:14
*** _cjones_ has joined #openstack-keystone 17:14
<samuelms> morganfainberg, cool :) would be glad to know it 17:15
<morganfainberg> samuelms, there will be some official communication asap. 17:15
*** _cjones_ has quit IRC 17:15
*** _cjones_ has joined #openstack-keystone 17:15
<samuelms> morganfainberg, great! waiting for this (: thanks 17:15
<morganfainberg> samuelms, i am just trying to pin down location 17:16
*** rwsu has joined #openstack-keystone 17:16
*** raildo has quit IRC 17:17
*** sigmavirus24 has left #openstack-keystone 17:17
<rodrigods> samuelms, schedule your visa interview! =P 17:18
*** rwsu has quit IRC 17:18
<rodrigods> morganfainberg, ready to chat about get project? 17:18
<morganfainberg> rodrigods, i haven't gotten breakfast :( 17:18
<morganfainberg> about to go now. 17:18
<rodrigods> morganfainberg, omg =O 17:18
<rodrigods> cool 17:18
<morganfainberg> had something come up that needed full attention 17:18
<samuelms> rodrigods, oops, will do this afternoon 17:18
<morganfainberg> be back in like 1h 17:19
<rodrigods> morganfainberg, great, I'll be here =) 17:19
*** rwsu has joined #openstack-keystone 17:21
<gyee> stevemar, some of us do pay attention to the keynotes :D 17:22
<lbragstad> ayoung: the information in the token is based on a format 17:25
<ayoung> lbragstad, explain? 17:26
*** marcoemorais has joined #openstack-keystone 17:26
<ayoung> lbragstad, what is in the token itself? 17:26
<lbragstad> ayoung: if you're validating the token on the keystone side, you could have a predefined format for how the information in the token is constructed and have a version for it. 17:26
<lbragstad> https://gist.github.com/lbragstad/a0b30f15b92798df6141#file-msgpack_demo-py-L53-L62 17:27
<ayoung> lbragstad, is that private? 17:27
<ayoung> lbragstad, ok,  so we take the fields we need, encode them, get the HMAC for them, append the HMAC, and that is the token 17:28
<lbragstad> ayoung: you can't view that? 17:28
<lbragstad> I didn't think it was private 17:28
<ayoung> lbragstad, nope 17:28
<lbragstad> damn 17:29
<lbragstad> ayoung: sorry about that... checking 17:29
<ayoung> might be github or something 17:29
<ayoung> keeps asking me to log in, but then barfing 17:29
<lbragstad> https://gist.github.com/lbragstad/a0b30f15b92798df6141 17:30
<lbragstad> ayoung: I verified that others can access that gist 17:31
<bknudson> I can access it. 17:31
<ayoung> lbragstad, I can see it 17:31
<ayoung> lbragstad, OK,  use the base64 url safe encoding. 17:32
<ayoung> Don't do the replacements yourself 17:32
<ayoung> its in the base64 python package 17:32
<lbragstad> ayoung: yeah, those are implementation details, just prototyping so people get a feel for what we're trying to do 17:32
<ayoung> ++ 17:32
<lbragstad> I also need to add the audit ids per morganfainberg 's comment 17:33
<lbragstad> and the hmac, 17:33
<lbragstad> then we can get an accurate estimate on the actual size 17:33
*** kobtea has quit IRC 17:36
*** jacorob has quit IRC 17:36
*** harlowja_away is now known as harlowja 17:41
<ayoung> lbragstad, so with auditid as bytes we are up to 185. 17:52
<ayoung> you are doing: 17:52
<ayoung> compress, encrypt, encode 17:53
<ayoung> I assume it is going to be 17:53
*** jaosorior has quit IRC 17:53
<ayoung> hmac, append, compress, encrypt, encode? 17:53
*** RichardRaseley has joined #openstack-keystone 17:54
<morganfainberg> ayoung: I'm thinking we need the idp -> domain stuff this cycle. 17:55
<ayoung> Heh 17:55
<morganfainberg> Oh. Hah still op'd here. *fixes* 17:55
<ayoung> what brought on that realization? 17:55
*** ChanServ sets mode: -o morganfainberg 17:55
<morganfainberg> Well we've talked about it a bunch. 17:56
<morganfainberg> And a thread talking about idp auth. 17:56
<morganfainberg> And unique usernames. 17:56
*** rm_work|away is now known as rm_work 18:00
*** marcoemorais has quit IRC 18:01
*** marcoemorais has joined #openstack-keystone 18:01
<ayoung> morganfainberg, so...what do we do about the existing federation code that maps multiple users into the default domain? 18:01
<morganfainberg> We maintain it and allow it. 18:02
<morganfainberg> I guess 18:02
<rodrigods> morganfainberg, ayoung, so it means we'll be able to easily revoke fed tokens? =) 18:02
<ayoung> rodrigods, not yet 18:03
<rodrigods> =( 18:03
<morganfainberg> rodrigods: sortof. But we can already do that. Idp id is in the token. 18:03
<morganfainberg> Revocation events. 18:03
<rodrigods> morganfainberg, not in the middleware 18:03
*** arborism has joined #openstack-keystone 18:03
*** arborism is now known as amcrn 18:03
<rodrigods> we only have access to the token_id there 18:03
<ayoung> ugh...ok,  I need to remember the pre-tree revocation code... 18:04
*** _cjones_ has quit IRC 18:05
*** _cjones_ has joined #openstack-keystone 18:05
<dolphm> ayoung, bknudson, dstanek, jamielennox, morganfainberg, stevemar, gyee, henrynash, topol, marekd, lbragstad, joesavak, shardy, fabiog, nkinder, lloydm, shrekuma, ksavich, hrybacki, rharwood, grantbow, vdreamarkitex, raildo, rodrigods, amakarov, ajayaa, hogepodge, breton, lhcheng, nonameentername: as a follow up to morgan's email, don't forget that keystone meeting is this time tomorrow! (an hour earlier than pre-summit 18:06
<dolphm> for american daylight savings enthusiasts) 18:06
<stevemar> thanks for the head up dolphm 18:07
<ayoung> rodrigods, OK, here is the original code  https://review.openstack.org/#/c/55908/60/keystone/contrib/revoke/model.py,cm 18:07
<dolphm> stevemar: i almost forgot that you're american too! /hugs 18:08
<gyee> ha thanks dolphm 18:08
<stevemar> eww 18:08
<gyee> stevemar, according to nafta, you are an american :) 18:09
<rodrigods> ayoung, domain_id there, so... 18:09
<rodrigods> ? 18:09
<ayoung> rodrigods, you are jumping ahead.  we need to change the tree code back to that style so that people can actually understand what it is doing 18:10
<rodrigods> ayoung, ahh, assumed it looked like that today 18:10
*** dolphm sets mode: +v morganfainberg 18:10
<ayoung> rodrigods, no 18:10
<morganfainberg> Lol 18:10
<morganfainberg> Nice dolphm 18:11
<ayoung> rodrigods, http://git.openstack.org/cgit/openstack/keystone/tree/keystone/contrib/revoke/model.py#n181 18:11
*** dolphm sets mode: +o morganfainberg 18:12
<dolphm> morganfainberg: in my head i was giving you channel op 18:12
* ayoung imagines morganfainberg on "The Voice" singing "Dream On" 18:13
<morganfainberg> dolphm: hehe. I just don't like being op'd if I don't need to be. 18:13
<morganfainberg> But it doesn't really matter. 18:14
<dolphm> morganfainberg: it's your hat now, sucker 18:14
<morganfainberg> Hana 18:14
<morganfainberg> Haha* 18:14
<ayoung> rodrigods, think you could revert that? 18:15
<ayoung> I have my boss bothering me for something else right now, and not sure when I can implement 18:15
<rodrigods> ayoung, ++ yes I can 18:15
<ayoung> rodrigods, awesome 18:15
<ayoung> rodrigods, the current tests should pass regardless of the algorithm in the "tree" 18:16
*** thedodd has quit IRC 18:16
<ayoung> so long as the tests continue to pass unmodified, you should be OK 18:16
<rodrigods> ayoung, great, just trying to get the big picture here 18:17
<ayoung> rodrigods, ok,  so we need the code to be readable/maintainable first 18:17
*** dolphm sets mode: +v morganfainberg 18:17
<ayoung> then we need to unify how we turn a token from text into python.  The server does it one way, the client a different one 18:17
*** dolphm sets mode: +v ayoung 18:18
*** dolphm sets mode: +g 18:18
<rodrigods> ayoung, good 18:18
*** dolphm sets mode: +v dstanek 18:18
*** dolphm sets mode: +v bknudson 18:18
*** dolphm sets mode: +v gyee 18:18
<ayoung> and this is actually different from morganfainberg 's code to turn a token into data as well... 18:18
*** dolphm sets mode: +v stevemar 18:18
<ayoung> so we really should have a single TokenData class 18:19
<ayoung> we need to make sure the IDP data is in there 18:19
<morganfainberg> ayoung: ++ 18:19
<ayoung> and then we can revoke by IDP 18:19
<rodrigods> ayoung, hmm 18:19
<rodrigods> ++ 18:19
<ayoung> I'd rather do IdP -> domain, but we broke that 18:19
*** dolphm sets mode: +v jamielennox 18:19
<ayoung> rodrigods, once we have the server code working, we need to extract it out to the client 18:20
*** dolphm sets mode: +v henrynash 18:20
*** dolphm sets mode: +v topol 18:20
*** dolphm sets mode: +v lbragstad 18:20
<ayoung> that way it can be checked inside of auth_token middleware 18:20
*** wwriverrat has left #openstack-keystone 18:20
<rodrigods> ayoung, good 18:20
* rodrigods wonders why the code has changed so much 18:21
<ayoung> rodrigods, we had a really smart programmer rewrite it, and I accepted his rewrite 18:21
<ayoung> that was the "tree" approach 18:21
<ayoung> but the algorithm wasn 18:21
<ayoung> 't really as efficient as we thought, and the code got unreadable due to the tricky algorithm 18:21
<morganfainberg> The tree approach is cool. It isn't that maintainable and has efficiency concerns. 18:22
<ayoung> so we are reverting to the more procedural approach 18:22
<ayoung> it should be something like 18:22
<rodrigods> yeah, I got the old code approach 18:22
<ayoung> for attribute_name in _EVENT_NAMES: 18:22
<ayoung> first look for the direct match 18:23
<ayoung> and then 18:23
<ayoung> for alt_name in alternatives.get(name, [name]): 18:23
<ayoung> keep the special check for role 18:24
*** jacorob has joined #openstack-keystone 18:25
<rodrigods> ayoung, look for direct matches, in modularized fashion, right? 18:25
<rodrigods> like the one before 18:25
<ayoung> yeah 18:25
*** dnalezyt has joined #openstack-keystone 18:27
*** nellysmitt has quit IRC 18:27
*** dnalezyt has quit IRC 18:27
<rodrigods> ayoung, great, i might bug you to do some review this week =) 18:28
<ayoung> rodrigods, hmmm,  I think I had better code than '60' 18:28
*** dnalezyt has joined #openstack-keystone 18:28
*** patrickeast has joined #openstack-keystone 18:28
<ayoung> rodrigods, hmmmm,  my code was doing a linear search through the events 18:29
<ayoung> his code was doing a more efficient search, but then we get killed on the hashtable lookups 18:30
<morganfainberg> ayoung, aand the hashtable building 18:31
<dolphm> morganfainberg: is there an IRC command to list all modes of a user? or all users with a mode? 18:31
<rodrigods> ayoung, don't worry, will take this in consideration 18:31
<morganfainberg> dolphm, uhm 18:31
<morganfainberg> dolphm /msg chanserv flags #openstack-keystone 18:31
<dolphm> morganfainberg: perfect! thanks 18:32
*** jacorob has left #openstack-keystone 18:33
*** jacorob has joined #openstack-keystone 18:33
*** ChanServ sets mode: -vvv henrynash bknudson gyee 18:34
<ayoung> rodrigods, heh, I am worried 18:37
<ayoung> this was hard to get right, and I am not certain we can really make it perform under load without some foresight 18:38
<ayoung> I've often  wondered if we can continue to do the tree approach but without hashtables 18:38
<dolphm> bknudson henrynash: you need to register your nickname with NickServ, and configure your IRC client to automatically identify you with a password 18:39
*** gokrokve_ has joined #openstack-keystone 18:39
<ayoung> the assumption is that checking revocations is going to be much more common than adding a new revocation event 18:39
<dolphm> gyee: looks like your client isn't configured to identify you either 18:39
<dolphm> bknudson henrynash: see https://freenode.net/faq.shtml#userregistration 18:39
<rodrigods> ayoung, this is true for long-lived tokens 18:39
<rodrigods> right? 18:40
<dolphm> bknudson henrynash gyee: ping me if you need a hand 18:40
<ayoung> rodrigods, well, anything that triggers a revocation event is going to be evaluated, long lived or not 18:40
<ayoung> and evicting older events might end up being the most expensive part 18:40
<morganfainberg> rodrigods, i'm back btw 18:40
<rodrigods> morganfainberg, great .... ping raildo samuelms 18:41
<morganfainberg> ayoung, maybe the right answer is we bucket the events by window e.g. 5 minute / 10 minute 1h 18:41
<gyee> dolphm, I registered my irc handle 18:41
<gyee> I am using xchat 18:41
<morganfainberg> ayoung, then we just drop the buckets vs scrubbing the list 18:41
<ayoung> morganfainberg, the linear search lends itself to that 18:41
<rodrigods> morganfainberg, going to the right bucket should be constant 18:42
<gyee> ah, maybe I didn't configure xchat correctly 18:42
*** gokrokve has quit IRC 18:42
<morganfainberg> gyee, you're not identifying w/ nickserv 18:42
<morganfainberg> thats all. 18:42
<rodrigods> morganfainberg, ready to multithread here? (HM + tokens revoke tree) 18:43
<gyee> I am looking for that magic button in xchat 18:43
<dolphm> gyee: it's called Nickserv password in Xchat, i think 18:43
<rodrigods> gyee, should be in the network config 18:43
<dolphm> gyee: in your server settings 18:43
<rodrigods> gyee, or via /nickserver identity ... something like that 18:43
*** gokrokve_ has quit IRC 18:43
<dolphm> rodrigods: that will work for today, but i'd like his client to auto-identify him in the future 18:44
<gyee> ah, got it, thanks dolphm, rodrigods! 18:44
<rodrigods> dolphm, ++ 18:45
*** gyee has quit IRC 18:45
<rodrigods> morganfainberg, so... the issue is: get project subtree and parents: GET /v3/projects/<project_id>?subtree_as_list and GET /v3/projects/<project_id>?parents_as_list 18:45
*** gyee has joined #openstack-keystone 18:45
*** ChanServ sets mode: +v gyee 18:45
<morganfainberg> rodrigods, oh boy! 18:45
<morganfainberg> right 18:46
<gyee> yay! 18:46
<morganfainberg> woot 18:46
<gyee> I have a voice! 18:46
<ayoung> rodrigods, OK,  I think we should try out the linear search again.  I suspect that the most important thing is to "fail fast" when checking an individual event, which means that the least common matched fields should be the first to check 18:46
dolphmgyee: ++18:46
morganfainbergrodrigods, i'm also writing up 2 emails and trying to file an expense report :P18:46
ayoungwhich would be userid, I am fairly certain18:46
rodrigodsmorganfainberg, the idea is to return the full project ref , which is not ok since the get_project call is blocked in the policy18:47
dolphmmorganfainberg: i spent all morning filing expense reports :(18:47
rodrigodsayoung, need to get both codes into my head in order to provide some insight =(18:47
henrynashdolphm: so where do you input all the commonds listed in uer registration in the link you provided?18:47
gyeeconverting euro to dollar, with fees on top ain't fun18:47
ayoungrodrigods, heh...18:47
ayoungrodrigods, I have an overview of the tree code on my blog18:47
ayounglink in a moment18:47
ayounghttp://adam.younglogic.com/2014/02/efficient-revocation-checking/18:48
dolphmhenrynash: any command starting with "/msg NickServ" is effectively sending a private message to the NickServ user, so anywhere in your client18:48
rodrigodsmorganfainberg, so, since we are going to implement a the ?subtree and ?parents, that will return only the IDs, in a structured fashion18:48
morganfainbergright18:49
henrynashdolphm: ah, ok18:49
dolphmrodrigods: shouldn't it be ?children then, since there's no tree returned?18:49
morganfainbergdolphm, my expense report is unfun... my VPN connection keeps dying18:49
rodrigodsmorganfainberg, we want to limit the subtree_as_list and parents_as_list by using the "list_projects_for_user" call, and then getting the subtree and parents18:49
morganfainbergdolphm, so i can't get it submitted.18:49
dolphmmorganfainberg: does it at least save as you go?18:50
rodrigodsdolphm, children we thought that might confuse the user, since it would mean only immediate children18:50
morganfainbergdolphm, i can't get to the point where it'll save18:50
rodrigodsayoung, reading18:50
morganfainbergdolphm, "edit expense... --- TIMEOUT"18:50
morganfainbergdolphm, all the expenses are pre-populated in our system, i just need to classify and upload receipts18:50
morganfainbergdolphm (and print a paper and mail off the physical receipts for VAT recovery)18:50
morganfainbergdolphm, i get ~5minutes on the VPN max18:51
morganfainbergatm18:51
* morganfainberg grumbles about OpenVPN being silly.18:51
dolphmrodrigods: hmm, valid point. the discrepancy between subtree and parents is confusing to me though. i'd expect subtree / supertree and children / parents to complement each other18:51
dolphmmorganfainberg: i lost you at "print"18:51
gyeemorganfainberg, I scan the receipts and attach them to the report18:51
morganfainberggyee, can't with the VAT recovery, must be the original receipt18:52
dolphmbest practice at rackspace is to take cell phone photos of receipts and toss them18:52
dolphmif you even need a receipt18:52
morganfainbergdolphm, this is a special case for VAT recovery, most of the time it's photo receipt and upload photo18:52
gyeenice! cell phone photos would be awesome18:52
ayoungrodrigods, once you see the elegance of the solution, you will understand why I was seduced by it18:52
henrynashdolphm: thx, done18:52
rodrigodsdolphm, parents is not like a supertree, only the list of projects that would get by following the parent_id18:52
ayoungI wonder if we could convert the hashtables into linear searches and get the best of both worlds18:53
dolphmhenrynash: did you configure your client to identify you with nickserv / sasl?18:53
ayoungrodrigods, https://bugs.launchpad.net/keystone/+bug/129062518:54
uvirtbotLaunchpad bug 1290625 in keystone "keystone.contrib.revoke.backends.sql contains several glaring performance problems" [Medium,Triaged]18:54
morganfainbergayoung, lol18:54
henrynashdolphm: hmm…maybe not :-)18:54
morganfainbergnice bug.18:54
dolphmhenrynash: next step then!18:54
*** amakarov is now known as amakarov_away18:54
ayoungmorganfainberg, I had a commit for converting the IDs to indexes18:54
morganfainbergrodrigods, for now, i think the simply parent, children type hierarchy18:54
ayoung* The id column is internal only, and yet, is varchar(64). This should just be an auto incremented int.18:54
morganfainbergrodrigods, and only return IDs is the important part18:54
*** links has quit IRC18:55
*** thedodd has joined #openstack-keystone18:55
ayoungmorganfainberg, was there a bug for the hashtable portion of that?18:55
rodrigodsmorganfainberg, not the full ref? =( we thought about the usecase from a user trying to fetch the projects he/she has access18:55
rodrigodsthat would also mean a nice UI in horizon =)18:55
ayoungmorganfainberg, I'm almost tempted to leave the tree code as is18:55
morganfainbergdidn't we decide we can't return the whole project_ref in *all cases*18:55
morganfainberg?18:55
ayoungmorganfainberg, and see if instead we can performance tune it as is18:56
morganfainbergor is that a followup for the "reseller/SP" case18:56
morganfainberg?18:56
rodrigodsmorganfainberg, hmm18:57
rodrigodslet me start again18:57
rodrigodswe thought about 2 use cases:18:57
rodrigods1 - a service trying to get the hierarchy (like for the hierarchical quotas use case)18:58
morganfainbergrodrigods, ok sorry the conversation overlap has been ... crazy :P18:58
rodrigods2 - a user trying to see where he/she has access18:58
rodrigodsmorganfainberg, I'm lost too18:58
rodrigods=)18:58
morganfainbergdolphm, ayoung, gyee, lbragstad, dstanek, stevemar, henrynash, topol, https://review.openstack.org/#/c/131227/2/reference/project-release-schedules.rst18:59
rodrigodsfor the first usecase, we have the simple ?subtree -> will return *only IDs* in a structured fashion (not implemented yet)18:59
stevemarthats a lot of reading18:59
rodrigodsfor the second... we have the ?subtree_as_list -> will return the full project_ref -> will be limited by the projects that could be listed using "list_projects_for_user()"19:00
henrynashrodigods: (i’m not sure why we would only return IDs in that structured case, why not the whole refs?)19:00
rodrigodshenrynash, because we would mount the wrong tree, imagine you have this structure: A -> B -> C, and you only have access to A and C19:01
*** NM has joined #openstack-keystone19:01
rodrigodshenrynash, it would return A -> C, which is wrong19:01
rodrigodsreturning only the IDs, we can return A -> B -> C, since the ID by itself is not a sensitive information19:02
henrynashrodigods: hmm, I’d be tempted to either a) fail that cmd in that case due to lack of permissions19:02
rodrigodshenrynash, what about the services that wants to update project quotas?19:02
rodrigodsit would need the full info19:02
rodrigodsfull info == full hierarchy19:02
henrynashrodigods: what does it mean to update a quota?19:03
gyeemorganfainberg, besides the clients, who on Free Release Cycle? Swift?19:04
henrynashrodigods: where are the quotas stored (assuming I know nothing about quotas…because I don’t :-) )19:04
morganfainbergso the full hierarchy is likely a cloud-admin question only19:04
morganfainberggyee, no one.19:04
morganfainberggyee, the proposal is to allow other projects to adopt varying release cycles.19:04
*** henrynash has left #openstack-keystone19:05
rodrigodsmorganfainberg, yep19:05
rodrigodsrodrigods, nova -> oslo in the future19:05
*** henrynash has joined #openstack-keystone19:05
rodrigodshenrynash, nova -> oslo in the future19:06
henrynashrodigods: sorry. missed some messages trying to reconfigure my IRC client19:06
rodrigodsthey store only one level quota, to update to the children they will need the full hierarchy19:06
*** marcoemorais has quit IRC19:06
*** marcoemorais has joined #openstack-keystone19:06
*** marcoemorais has quit IRC19:07
stevemarnkinder, can you confirm if this still applies? https://bugs.launchpad.net/python-openstackclient/+bug/138533819:07
uvirtbotLaunchpad bug 1385338 in python-openstackclient "Keystone v3 authentication request is malformed with latest OSC code" [High,Confirmed]19:07
*** marcoemorais has joined #openstack-keystone19:07
dstanekmorganfainberg: that's interesting19:07
henrynashrodigods: so why wouldn’t there be an inherited role that they must have to update all the projects in a hierarchy (if indeed they want to operate that way)19:07
henrynashdolphm: so is there a way I can tell if I now have everything configured OK in my IRC client?19:08
rodrigodshenrynash, why return a bunch of information that a service won't use? I mean, they only care about the ID19:08
rodrigodshenrynash, that's why I prefer the hierarchy return to have only the IDs19:08
*** ChanServ sets mode: +v henrynash19:09
henrynashrodigods: so I’m not talking about the xxx_as_list, I’m talking about the structured one...19:09
rodrigodshenrynash, me too19:09
henrynashrodigods: ha “-)19:09
*** ChanServ sets mode: +v bknudson19:09
henrynashrodigods: so you think the quotas code will need the structured version?  I thought that’s why you wanted the flat list?19:10
*** jacorob has quit IRC19:11
rodrigodshenrynash, yeah... the list would be returned to a user that wants to know where he/she has access19:11
henrynashrodigods: oh, I see…hmmm.something smells fishy here19:11
rodrigodshenrynash, hmm19:12
rodrigodshenrynash, what's your suggestion? return full refs both ways and if the user hasn't access to a project, the call fails?19:12
topolmorganfainberg, thanks. will take a look19:12
henrynashrodigods: so what’s the need to ever return any info (including the ID) on a project for which the user doesn’t have access19:13
rodrigodshenrynash, just for a service trying to know the full hierarchy (like the quota example)19:13
*** bknudson has quit IRC19:15
*** bknudson has joined #openstack-keystone19:15
*** ChanServ sets mode: +v bknudson19:15
henrynashrodigods: (so here comes the circular argument)…but surely if someone wants to update the quotas for a hierarchy, they must have permission (maybe a specific “update quota” role) on all nodes in said hierarchy?19:15
bknudsondolphm: am I registered now?19:15
henrynashrodigods: when would we not want that to be true?19:15
nkinderstevemar: I was still seeing that issue last week.19:16
nkinderstevemar: I can set up another test environment and see if it's still there19:17
*** marcoemorais has quit IRC19:17
rodrigodshenrynash, thinking...19:17
rodrigodshenrynash, and... what about a user that wants to know where he has access?19:18
henrynashrodigods: sounds like a new use case!19:18
rodrigodswhy we don't return only the projects he has access, and since we do not want to "lie" about the hierarchy, we return it as a list?19:18
rodrigods=)19:18
*** marcoemorais has joined #openstack-keystone19:19
henrynashrodigods: my turn…..thinking19:19
stevemarnkinder, if you could, that would be great19:21
stevemarhoping to release a new osc version19:21
*** jaosorior has joined #openstack-keystone19:21
stevemarso we can break everyone, buahaha19:21
*** raildo has joined #openstack-keystone19:22
henrynashrodigods: so in the list case, I guess that makes sense…..although IF, for instance, someone was doing some kind of quota operation, then they’d only be operating on some (potentially non-contiguous) subset of the tree…so wonder if it would result in what they want19:23
*** ukalifon has quit IRC19:23
henrynashrodigods: e.g. they summed or set quota for some set of projects…but other projects in the same tree (for which they don’t have access) are not summed or updated19:23
henrynashrodigods: seems a bit odd19:24
rodrigodshenrynash, yes, that's why we want the full hierarchy19:25
rodrigodsfor those cases19:25
raildohenrynash, but the quota operations are doing by the Nova service, not for the user, so we don't have this problem19:26
raildo(and other global operations in Nova)19:26
dolphmbknudson: yes, you are!19:27
henrynashraildo: “we don’t have this problem” because?19:27
rodrigodshenrynash, do you agree that we can not return a structured hierarchy containing missing parts? so we either return the full info, or return error19:27
stevemarmorganfainberg, dolphm does keystone always have 'regionOne'19:27
dolphmhenrynash: your current state is good, but if you close your client and re-open it -- we should be able to tell for sure?19:27
dolphmstevemar: no19:27
henrynashdolphm: ok19:28
rodrigodsand we would need a list, for the cases where we *can't* return the full hierarchy, but makes sense to return a subset of it19:28
*** henrynash has quit IRC19:28
stevemardolphm, so how is it created when we spin up devstack? i don't see any code to do that19:28
*** henrynash has joined #openstack-keystone19:28
*** ChanServ sets mode: +v henrynash19:28
dolphmhenrynash: looks good!19:28
rodrigodshenrynash, and we would need a list, for the cases where we *can't* return the full hierarchy, but makes sense to return a subset of it19:28
henrynashdolphm: thx for your help19:28
dolphmhenrynash: now we can all stop worrying about henrynash imposters19:29
henrynashdolphm: i know it was front of mind for everyone here…..19:29
henrynashdolphm: not19:29
dolphmhenrynash: it was a popular concern cited at the summit19:29
henrynashdolphm: i’ll be giving classes in how to type in ye olde english style19:30
raildobecause using the role service (for update quotas) they can access the full hierarchy, so all the hierarchy will be updated. for a user (using other role) we have to filter which projects the user can access19:30
henrynashraildo: because a service user has full access, you mean?19:31
raildohenrynash, yes19:31
henrynashrailldo: true today, maybe not always true19:31
*** jacorob has joined #openstack-keystone19:31
stevemardolphm, so how is it created when we spin up devstack? i don't see any code to do that19:31
rodrigodshenrynash, yes, that's why return only the IDs, structured, is a good idea =)19:32
rodrigodshehe19:32
dolphmstevemar: does keystoneclient default endpoints to have a region value of 'regionOne' ?19:33
raildorodrigods, ++ :)19:33
*** marcoemorais has quit IRC19:34
dolphmlbragstad: how's the seasoning coming along?19:34
*** marcoemorais has joined #openstack-keystone19:34
morganfainbergFYI, i've added keystone-specs-core group19:34
morganfainbergthere may be a window where cores cannot approve specs/vote +2 on them today19:34
lbragstadit's good, I have three coats done... it takes a really really long time19:34
morganfainbergshould be a limited window before i have it fixed19:35
lbragstadburnt myself a few times though...19:35
dolphmlbragstad: fun!19:35
morganfainbergso... don't worry if suddenly you can't +2 a spec for a few minutes19:35
morganfainbergdolphm, ok so SAT looks like this cycle's meetup again.19:35
morganfainbergif you didn't see previous info19:35
henrynashrodigods, raildo: so I’m not opposed to ID only (well you’d need the parent/subtree attribute as well)…just as long as it’s obvious from the api19:35
dolphmmorganfainberg: what you're really trying to hint at is that we should all be reviewing specs, and should be noticing this as an issue19:36
rodrigodshenrynash, cool19:36
morganfainbergdolphm, haha. maaaaybe ;)19:36
henrynashrodigods, raildo: e.g. GET /projects?subtree_IDs19:36
rodrigodshenrynash, for the subtree_as_list, returning only a subset of the hierarchy. Are you OK with using list_projects_for_user(), and then filtering the result?19:36
henrynashrodigodsm raildo: or something like that19:36
raildohenrynash, sounds good to me19:36
morganfainbergdolphm, unless there is a *real* reason not to do the midcycle in SAT - I'm going to try and get geekdom space again [or bug you to!]19:37
rodrigodshenrynash, in this way, we would return only the projects a user *has* access to19:37
morganfainbergoooor space @ RAX if that makes more sense.19:37
*** marcoemorais has quit IRC19:37
henrynashrodigods: you mean as implementation or instead of?19:37
rodrigodshenrynash, implementation19:37
*** marcoemorais has joined #openstack-keystone19:37
henrynashrodigods: I’m all for re-using of code!19:38
rodrigodshenrynash, the subtree_ids vs subtree_as_list would need a big red note in the API19:38
rodrigodsexplaining the differences19:38
rodrigodshenrynash, but... I guess we have an agreement here?19:39
raildohenrynash, maybe we have to control who can access these GETs in the policy.json?19:39
*** marcoemorais has quit IRC19:39
henrynashrodigods: btw, are we saying this is GET /projects?subtree_xxx or GET /projects/subtree_xxx ?19:39
*** marcoemorais has joined #openstack-keystone19:39
rodrigodshenrynash, /projects/<project_id>?subtree_xxx19:40
rodrigodsGET19:40
henrynashrodigods: ok19:41
rodrigodshenrynash, great19:41
rodrigodssince we have only the subtree_as_list impl right now, will update it to list only the projects the user access to19:41
*** gokrokve has joined #openstack-keystone19:43
lbragstadayoung: dolphm jacorob morganfainberg here is the token with uuid.uuid4()hex representing the user id and project ids and the HMAC included: http://pasteraw.com/8xz2zfyzpzjfwilu1klkci08s3t5ih519:44
lbragstadstill missing audit ids.19:44
rodrigodsmorganfainberg, summary: ?subtree_as_list will only return a subset of the hierarchy -> the projects the user has access to. ?subtree_ids will return a structured information about the full hierarchy with only the IDs (similar to parents_xx)19:45
morganfainberglbragstad, audit ids will be up to 44 more "useful" characters19:45
morganfainbergin the current impl19:45
morganfainbergprior to msgpack19:45
lbragstadok19:46
*** lhcheng has quit IRC19:49
*** lhcheng has joined #openstack-keystone19:49
ayoungI wonder if there is an asymmetric equivalent to the HMAC we could use?19:52
ayoungIt might be larger than the HMAC, but it can't be that big19:52
lbragstadso with audit_id and hex format uuids, we are at 177 characters msgpack'd19:54
dolphmmorganfainberg: id be happy to make geekdom happen again if we have firm dates19:54
lbragstadwith audit_ids and byte strings for uuids, we have 133 characters msgpack'd19:54
bknudsonI hope geekdom fixes their wireless19:55
lbragstadI don't remember having issues with wireless at Geekdom19:55
morganfainbergdolphm, well looks like i can't make Jan 22, 2319:55
dolphmbknudson: refresh me - what was the problem before?19:55
morganfainberggoing to need to be in sunnyvale those days for $HPSTUFF$19:55
bknudsonwireless didn't work for me.19:55
dolphmbknudson: just you?19:56
morganfainbergso the dates will be January 19 - 21 (Mon, Tue, Wed)19:56
bknudsony, it was just me19:56
bknudsonas far as I know19:56
dolphmbknudson: #personalproblem ;)19:56
bknudsonwireless works everywhere else!19:56
dolphmbknudson: i didnt realize you *never* had wifi :-/19:56
morganfainbergsince everyone seemed to be ok with either parts of that week.19:56
bknudsonI used my phone tether19:57
dolphmbknudson: oooh19:57
bknudsoncost $2019:57
dolphmbknudson: they surely have an IT folk around to pester next time19:57
rodrigodsayoung, just read the blog post... and I have to say... I'm in love with this solution =)19:57
ayoungrodrigods, heh19:58
ayoungI bet we can tune it, but, yea, I think leave it for now19:58
morganfainbergayoung, which blog post?19:58
rodrigodsmorganfainberg, http://adam.younglogic.com/2014/02/efficient-revocation-checking/19:58
ayoungmorganfainberg, on the revoke tree19:58
morganfainbergah yeah19:58
* morganfainberg needs to write up a post about SSO next.19:58
morganfainbergSSO / Federation and next steps19:58
dolphm\o/19:59
ayoungmorganfainberg, BTW,  I wrote up the series of steps for Dynamic policy19:59
morganfainbergi was asked to both by HP and cause i deferred on the "results of the summit" post19:59
ayounghttp://adam.younglogic.com/2014/11/dynamic-policy-in-keystone/19:59
morganfainbergayoung, will read.19:59
rodrigodsmorganfainberg, btw, what are the blockers to oslo.policy graduate? I'm thinking about submitting the spec19:59
ayoungdolphm, ^^  I'd be really interested in your feedback, but I think it reflects what you originally proposed at the midcycle19:59
dolphmayoung: ack20:00
morganfainbergrodrigods, 2 things: 1) fileutils is in incubator still && 2) we don't have an alternative to oslo.config options.20:00
morganfainbergit's not a big surface area to fix20:00
ayoungdolphm, the one thing was that you were thinking we'd merge the policy offline, and with hierarchical (implied) roles,  it might be better to do it in Keystone20:00
rodrigodsmorganfainberg, how can I start?20:00
morganfainbergrodrigods, basically we need to figure out when fileutils will be graduated if there isn't a timeline we can carry it until it does.20:01
morganfainbergand we also need a new name for the library20:01
ayoungI can post to the mailing list once you guys provide a base level sanity check20:01
morganfainbergit can't be oslo_policy20:01
morganfainbergrodrigods, so it is a fairly straightforward graduation20:02
rodrigodsmorganfainberg, hmm will ping the folks from oslo about fileutils20:02
rodrigodsmorganfainberg, the config part would need a local file to handle it?20:05
rodrigods"local file" might not be the right name for it20:05
*** droot has joined #openstack-keystone20:13
*** stevemar has quit IRC20:13
*** jacorob has quit IRC20:13
*** droot is now known as theroot20:13
*** theroot is now known as sunil_20:14
*** sunil_ is now known as _sunil_20:14
*** amakarov has joined #openstack-keystone20:15
*** amakarov has quit IRC20:16
*** gokrokve has quit IRC20:20
*** gokrokve has joined #openstack-keystone20:21
*** jacorob has joined #openstack-keystone20:23
samuelmshenrynash, ping20:24
henrynashsamuelms: hi20:24
samuelmshenrynash, few minutes to take a look at our assignment driver/manager language ? :-)20:24
samuelmshenrynash, https://etherpad.openstack.org/p/role-assignment-backend-language20:24
henrynashsamuelms: sure…20:24
samuelmshenrynash, take a look at the end of the doc20:24
samuelmshenrynash, I represented a user on project assignment that comes from group membership .. also inherited through a project hierarchy20:25
gyeemarekd, stevemar, ping20:25
*** gokrokve has quit IRC20:25
henrynashsamuelms: is this what is returned BY the controller?20:25
*** jorge_munoz has joined #openstack-keystone20:25
samuelmshenrynash, yes20:26
samuelmshenrynash, I proposed to change the 'inherited_to_projects': 'projects' thing to a 'inherited' dict20:27
henrynashsamuelms: and remind me what we currently return?20:27
samuelmshenrynash, ^20:27
henrynashsamuelms: oh, right, breaking that down20:28
samuelmshenrynash, yes .. that's the point.. not sure if we can do that20:28
henrynashsamulems: certainly a change to the api spec20:29
samuelmshenrynash, yes .. did you like that?20:29
henrynashsamuelms: and what you are representing is where the role is inherited from?20:30
samuelmshenrynash, inside the inherited dict20:30
henrynashsamuelms: right20:30
samuelmshenrynash, it contains info from where the inheritance came from20:30
henrynashsamuelms: ..and today, that’s not in there at all is it?20:30
samuelmshenrynash, just a sec, checking the code again (https://github.com/openstack/keystone/blob/master/keystone/assignment/controllers.py#L590)20:31
ayoungnkinder, running a devstack on F20, and the20:31
ayoungapache user was not created20:31
ayoungI added it into /etc/passwd by hand, but that seems strang20:32
ayounge20:32
ayoungand that seemed to be what was required to get a devstack run to succeed20:32
henrynashsamulems: for effective, it’s stored in the assignment link, no?20:32
samuelmshenrynash, https://github.com/openstack/keystone/blob/master/keystone/assignment/controllers.py#L736-L75420:33
samuelmshenrynash, yes20:33
henrynashsamulems: so not sure why we need the extra bit you are adding…is it telling me something more?20:33
samuelmshenrynash, hmm .. so assignment link tells us that the assignment came from a domain (inherited), right?20:34
henrynashsamuelms: indeed20:35
samuelmshenrynash, ok .. but once we have Hierarchical Projects20:35
henrynashsamuelms: …and now it might come from a project20:35
samuelmshenrynash, we just put the parent's id?20:35
*** lhcheng has quit IRC20:36
samuelmshenrynash, if we have 'inherited' dict with 'project' or 'domain' inside it .. we can add a name if we want ..20:36
samuelmshenrynash, i think it's more meaningful for the user ..20:36
henrynashsamuelms: that’s true…20:36
*** kobtea has joined #openstack-keystone20:36
samuelmshenrynash, once we have a deep hierarchy ... oh wait ! I got an id : j239818j2820:37
samuelmshenrynash, no idea of what project that represents :P20:37
*** kobtea has quit IRC20:37
henrynashsamuelms: the idea of the assignment link is that you should be able to issue a GET of that API and read the assignment20:37
*** kobtea has joined #openstack-keystone20:37
henrynashsamulems: or GET /project/proj_id20:38
henrynashsamuelms: not sure whether the additional advantage is worth the changing of the API….20:38
samuelmshenrynash, /projects/parent_id/users/user_id/roles/role_id/inherited_to_projects ?20:38
henrynashsamuelms: yep…OK it doesn’t really do you any good…since Getting that just confirms it exists20:39
henrynashsamuelms: but in general we try and return links that you could go execute and find out more info20:39
samuelmshenrynash, makes sense20:40
samuelmshenrynash, a user with any role (doesnt matter) on a project, should be able to do a GET on that project, in your opinion?20:41
henrynashsamuelms: well, that depends on policy….a user with any role can get a scoped token to that project20:42
*** kobtea has quit IRC20:42
samuelmshenrynash, ok .. just a last thing about the current format we use ..20:43
samuelmshenrynash, on this example https://github.com/openstack/keystone/blob/master/keystone/assignment/controllers.py#L611-L62820:43
samuelmshenrynash, and everywhere ... why do we use 'inherited_to_projects': 'projects'?20:43
raildomorganfainberg, I need to create a new BP for the HM stuffs and the Reseller use case?20:43
samuelmshenrynash, that could be only 'inherited': True/False20:44
samuelmshenrynash, if it's inherited .. it's obvious that it is to projects :P20:44
henrynashsamuelms: ahhhh…a long and bloody battle was fought....20:44
henrynashsamuelms: and like all good battles some of the details are lost in the mists of time… but20:44
samuelmshenrynash, haha20:45
henrynashsamuelms: at the time I think we also thought about supporting inheritance to a tree of domains20:45
samuelmshenrynash, but it doesnt make sense anymore, right?20:45
henrynashsamuelms: or indeed to some subset of projects20:45
henrynashsamuelms: like you could have an expression in there, e.g. 'inherited_to_projects': ‘name=hen*’20:46
samuelmshenrynash, hmm .. interesting .. so let's keep that .. maybe we'll need it soon :p20:47
henrynashsamuelms: I think my default approach was what you are advocating..just make it a boolean, but in order to cater for the requirements that people wanted to potentially expand this into, we went for str field we could put other things into20:47
samuelmshenrynash, with hierarchical projects ..20:47
morganfainbergraildo, yes a new BP please.20:48
samuelmshenrynash, makes sense now .. let's keep that .. maybe useful for hierarchical projects soon20:48
*** openstackgerrit has quit IRC20:49
*** openstackgerrit has joined #openstack-keystone20:49
samuelmshenrynash, I just fixed my example to use the assignment link thing20:50
samuelmshenrynash, since there's no problem with exposing parent's id .. we should be ok with that20:50
raildomorganfainberg, great :)20:51
*** htruta has quit IRC20:51
henrynashsamuelms: is that a real example….is that expanded or simple?20:51
henrynashsamuelms: looks like a mix, no?20:52
samuelmshenrynash, expanded .. from a inherited role assignment of a group on a parent project20:52
samuelmshenrynash, assignment link tells us where it was inherited from20:52
henrynashsamuelms: I need to go read up it again!20:53
samuelmshenrynash, ok20:53
samuelmshenrynash, I described all the cases again .. considering Hierarchical Projects20:53
openstackgerrithenry-nash proposed openstack/keystone: Split the assignments manager/driver.  https://review.openstack.org/13095420:55
*** _sunil_ has quit IRC20:56
samuelmshenrynash, maybe it should be easier if I show how we have those assignments represented today20:56
henrynashsamuelms: agreed20:56
samuelmshenrynash, so please stop looking at that ..20:56
*** _sunil_ has joined #openstack-keystone20:56
samuelmshenrynash, I'll rewrite and ping you again :)20:56
henrynashsamuelms: ok20:57
rodrigodsayoung, have to ask, why not just checking if it is None while appending? http://git.openstack.org/cgit/openstack/keystone/tree/keystone/contrib/revoke/model.py#n23220:59
morganfainberghenrynash, does the deprecated to resource decorator need @staticmethod ?20:59
morganfainberghenrynash, https://review.openstack.org/#/c/130954/20/keystone/assignment/core.py20:59
ayoungrodrigods, see the comment above? #tree.get returns `None` if there is no match, so `bundle.append`20:59
henrynashmorganfainberg: what woud that get us…?21:00
morganfainberghenrynash, or should it be moved out of the class scope...it... i'm not sure that works like you're expecting it21:00
rodrigodsayoung, yes... I meant, why before appending to bundle we assign tree.get() to a var and check if it is None?21:00
*** _sunil_ has quit IRC21:00
rodrigodswhy don't*21:00
henrynashmorganfainberg: I do have a test for it….and have checked the logs and the messages are there21:00
morganfainberghenrynash, it might act weird being in that scope is all. - i've never seen someone use a class scope like that.21:01
henrynashmorganfainberg: but I’m on the ragged edge of my python knowledge, I’ll readily admit21:01
morganfainbergi would expect based upon how it's structured to be @staticmethod and be referenced as @<class>.deprecated_to_resource21:01
ayoungrodrigods, I think we could do it either way.  We went back and forth over that as I recall21:02
morganfainbergor to be defined at the top of the file not in a specific scope.21:02
*** stevemar has joined #openstack-keystone21:02
*** ChanServ sets mode: +v stevemar21:02
morganfainbergit *might* work, i just think it's going to be weird.21:02
rodrigodsayoung, great code btw.21:02
ayoungrodrigods, wasn't mine...that was Yorik-Sar's work21:02
samuelmshenrynash, for that refactoring that improves the performance of list role assignments .. could I submit a first patch for what we have today (without spliting the code between controller/manager) ?21:03
henrynashmorganfainberg: ok, I’ll look into that….also take a look at the way I handled the assignment/resource config values….it’s in resource/core/__init__()21:03
samuelmshenrynash, I mean just rebasing on your work?21:03
samuelmshenrynash, and a second one (depending on this first) using the common language (for manager/driver) and splitting the code between controller/manager?21:03
morganfainberghenrynash, yeah the original design of those methods didn't take into account a split like this21:04
henrynashsamuelms: you could…but I guess the question would be whether there’s an advantage to do the split into two steps21:04
samuelmshenrynash, since we'll introduce a new way to represent expanded assignments at manager level .. and format them at manager level.. maybe it would be easier for other people to review ..21:05
henrynashmorganfainberg: happy to get other ideas on that…21:05
morganfainbergdolphm, so i'm off the hook on doing expense reports today... the expense report system is broken :P21:06
morganfainbergdolphm, hah21:06
henrynashmorganfainberg: need to go off line for a while…will be back online and look at comments21:06
morganfainberghenrynash, yeah not sure if i have something better up my sleeve on this one21:06
morganfainberghenrynash, will think about it21:06
morganfainberghenrynash, and comment if i have an idea21:06
samuelmssamuelms, the first improves the performance itself .. the second split the code between manager/controller21:06
dolphmmorganfainberg: i'm in the same boat, except with rackspace's new insurance provider.21:07
morganfainbergdolphm, fun times!21:07
openstackgerritAndre Aranha proposed openstack/keystone:     Creating a policy sample  https://review.openstack.org/13508321:08
*** samuelms is now known as samuelms-away21:08
openstackgerritAndre Aranha proposed openstack/keystone: Creating a policy sample  https://review.openstack.org/12350921:10
*** topol has quit IRC21:10
*** thedodd has quit IRC21:10
rodrigodsmorganfainberg, seems fileutils graduation hasn't started yet21:11
rodrigodsayoung, ^21:12
ayoungrodrigods, nothing moves fast21:12
rodrigodsayoung, do we write its graduation spec or wait? =)21:13
ayounghmmm21:13
*** NM has quit IRC21:13
ayoungwho is the owner of fileutils?21:13
rodrigodsayoung, good question21:14
ayounghttp://git.openstack.org/cgit/openstack/oslo-incubator/log/openstack/common/fileutils.py21:15
ayoungseems a little on the trivial side...21:16
marekdgyee: what's up?21:17
*** jacorob has quit IRC21:17
ayoungwhat do we use from file_utils anyway?21:17
*** lhcheng has joined #openstack-keystone21:17
ayoungread and delete cached files...ok, I guess we should keep that21:17
rodrigodsayoung, fileutils is going to move to oslo.utils, we won't have a oslo.fileutils21:18
ayoungrodrigods, I would almost want that code out of policy anyway21:18
ayoungit seems to me that policy should be separate from any form of file management, should be up to the caller where and how to find the policy file21:19
rodrigodsayoung, ++21:20
ayoungand not sure how well that works with mod_wsgi in prefork mode anyway, I think it might be assuming eventlet21:20
marekdgyee: drop me an e-mail if you still need something, as I am running away as of now.21:21
*** marekd is now known as marekd|away21:21
*** fifieldt_ has joined #openstack-keystone21:22
*** fifieldt has quit IRC21:23
*** thedodd has joined #openstack-keystone21:24
rodrigodsayoung, so we drop it and expect the caller to pass the object to be handled?21:24
morganfainbergrodrigods, i'm fine carrying fileutils as incubator as part of the initial graduation21:26
morganfainbergayoung, unless you have a complaint about that21:26
*** radez is now known as radez_g0n321:27
*** _sunil_ has joined #openstack-keystone21:27
rodrigodsmorganfainberg, ++ so we are left only with the oslo.config blocker (which I didn't get it)21:28
*** jacorob has joined #openstack-keystone21:28
dhellmannrodrigods, morganfainberg : what's the oslo.config issue?21:30
morganfainbergdhellmann, just that we should provide an alternative interface21:30
dhellmannrodrigods: you could also proceed and use the incubated copy of fileutils, then switch to oslo.utils when we graduate it21:30
dhellmannmorganfainberg: ah, ok21:30
morganfainbergdhellmann, as we discussed... so people don't *have* to use oslo.config to use policy21:30
*** gokrokve has joined #openstack-keystone21:31
dhellmannsure21:31
morganfainbergrodrigods, ^ and the last blocker - we need a name21:31
morganfainberg2 really hard things in CS...21:31
dhellmannalthough I would expect all openstack projects to use oslo.config -- do you expect policy to be used outside of openstack?21:31
ayoungmorganfainberg, no complaint,  just a longer term direction21:31
*** vejdmn has joined #openstack-keystone21:31
morganfainbergcache coherency ... and naming things21:31
dhellmannmorganfainberg: naming things, cache invalidation, and off-by-one errors?21:31
ayounglets be practical minded about getting it graduated, and I don't think we want to remove the file handling stuff for the people that use it now.21:31
morganfainbergdhellmann, ++21:31
morganfainbergdhellmann, fence posting?21:32
ayoungLonger term, I want to get the policy file from keystone via Keystoneclient21:32
morganfainbergayoung, not removing the file handling, offer another way to load the file handling21:32
ayoungexactly21:32
*** vejdmn has quit IRC21:32
morganfainbergdhellmann, ideally i'd like to make it a more generic lib21:32
morganfainbergbut for now i think we can stick with openstack-only?21:32
dhellmannmorganfainberg: sure, just don't let that prevent you from doing something useful in the short term :-)21:32
morganfainbergi know some folks are running keystone in lieu of shibboleth (et al), maybe similarly they'll want to use the policy.21:32
dhellmannmorganfainberg: exactly21:33
morganfainbergrodrigods, so... the only blocker - new name21:33
morganfainbergrodrigods, and no we're not calling it keystonepolicy21:33
morganfainberg:P21:33
ayoungpython-keystone-policy21:33
ayoungheh21:33
morganfainbergi mean, we can do that if we want. but i'd like it to not be a "keystone" tagged thing21:34
ayoungagreed, but then the only namespace that makes sense is oslo21:34
morganfainbergit doesn't rely on "keystone" to be a rules parser21:34
morganfainbergayoung, pycadf isn't oslo namespaced nor is it keystone namespaced21:34
morganfainbergand we own that.21:34
morganfainbergi see policy being similar.21:35
ayoungyeah,  cadf.  So some sort of long acronym?21:35
ayoungcapf21:35
morganfainbergcloud audit something something?21:35
ayoungcpre21:35
morganfainbergwoot baclronym!21:35
ayoungcloud policy rules engine21:35
morganfainbergbackronym...21:35
morganfainbergcadf -> Cloud Auditing Data Federation21:36
morganfainbergpycpre isn't a bad one21:36
ayoung<fargo>Well now, there ya go!</fargo>21:36
morganfainbergayoung, ... and on that note.21:37
morganfainbergi'm going to go take care of something really important21:37
* morganfainberg goes and gets a replacement driver's license.21:37
ayoungHeh21:37
morganfainbergit's scary but they let me drive here in california :P21:37
* ayoung goes for more coffee21:37
morganfainbergayoung, ooh good idea.21:37
morganfainbergcoffee too21:37
morganfainbergnkinder, sorry wont be in the bay for the meetup this time :(21:38
morganfainbergnkinder, lets plan more in advance than starting at the summit for the next mid-cycle.21:38
morganfainbergnkinder, and we'll def. aim for the bay area.21:38
ayoungmorganfainberg, why the redirect?21:42
ayoungfrom Bay to SAT?21:42
morganfainbergayoung, generally speaking we have more people who can't make it to the Bay this time around.21:42
ayoungOK21:42
morganfainbergayoung, my goal is that for the next summit (regardless if I'm PTL or not, or if we have PTLs) we can have the details lined up. e.g. "hey everyone midcycle is at XXX"21:43
morganfainbergso it's easy to budget for.21:44
morganfainberggreater lead time, easier to justify, etc.21:44
morganfainbergor even if we have the need for a midcycle (you were cc'd on the thread)21:45
*** Kr4zy has joined #openstack-keystone21:52
*** tellesnobrega has joined #openstack-keystone21:52
Kr4zyanyone having problems starting keystone icehouse when setting this value, use_syslog_rfc_format=True, in keystone.conf?21:53
*** gokrokve has quit IRC21:55
rodrigodsmorganfainberg, haha sorry for the delay was driving home =)22:03
rodrigodsmorganfainberg, the name... hmm22:03
rodrigodsI think ayoung has the imagination to it =)22:03
*** jacorob has quit IRC22:04
ayoungI was just trying to use the basic_auth middleware patch and not getting the Authorization header.  I just figured out why it doesn't work in devstack now.  Anyone want to venture a guess?22:06
*** BAKfr has quit IRC22:06
*** BAKfr has joined #openstack-keystone22:09
jamielennoxayoung: so it seems there's a reason that no one has done certmonger - it's hard :)22:16
ayoungno it isn't22:17
ayoungyou just need nalin22:17
ayoung:)22:17
ayoungjamielennox, what is tripping you up?22:17
jamielennoxayoung: so certmaster doesn't support DNS name, email, usage flags and all that stuff that's in the getcert request --help22:18
jamielennoxturns out we really need the DNS name field22:18
ayoungjamielennox, ah...thought we were going to skip the certmaster one...just use local22:18
ayoungmight have the same issues, though22:18
jamielennoxi looked at just adding it to certmaster - there hasn't been an update there since about 201122:18
jamielennoxso i got it to work with local22:18
jamielennoxhowever local doesn't exist in ubuntu installations22:19
ayoungjamielennox, that is an update issue22:19
ayoungits on its way22:19
jamielennoxas in it's been packaged already?22:19
ayoungand we can get a version available...its like FreeIPA issues:   there are packages now22:19
ayoungjamielennox, I think so.  Need to see what is in Debian22:19
jamielennoxi kind of figured local would have been trivial - why wouldn't it have been packaged initially ?22:19
* ayoung goes to look22:20
ayoungjamielennox, cuz nalin wrote "local" for us22:20
jamielennoxahhh22:20
jamielennoxi think i could fix certmaster fairly quickly - but i don't know where to submit those patches22:20
jamielennoxbut local would be fine22:21
jamielennoxdoes devstack need to work on OSX?22:21
ayounghttps://packages.debian.org/sid/certmonger22:22
ayoungF20 has certmonger-0.75.14-1.fc20.x86_6422:22
ayoungtesting has Package: certmonger (0.75.14-2)22:23
ayoungjamielennox, if it were up to me I'd say "no" but it is not up to me22:23
jamielennoxit makes a difference as i ripped out the openssl stuff completely22:24
ayoungjamielennox, thought certmaster was built out of the same repo as certmonger, so patches would go there22:24
ayoungbut would not bother22:24
ayoungmorganfainberg, dolphm certmonger does not run on Mac.  Is that going to be a dealbreaker?22:25
jamielennoxso i found https://git.fedorahosted.org/cgit/certmaster.git/tree/ but i agree, with the time it takes to get distributed it's probably not worth it22:25
*** marcoemorais has quit IRC22:25
*** gokrokve has joined #openstack-keystone22:26
ayoungjamielennox, yeah, the intention was that "local" was for selfsign/internal usage, and dogtag for a real CA...and the Semantic's of the world can write their own plugins if they want, too22:28
jamielennoxayoung: yep22:28
jamielennoxayoung: i just thought we were using certmaster for that but local's fine22:28
jamielennoxanyway - works on F2022:28
*** Kr4zy has quit IRC22:28
ayoungsorry to not make that clear...didn't mean to waste your time on the certmaster approach22:28
jamielennoxmeh - that didn't take long22:28
ayoungjamielennox, so Ade is working on the Barbican plugin22:29
jamielennoxit's going to be the cross platform bit that is the problem22:29
ayoungis there a MacOS analogue to Dbus?22:29
ayounghttp://stackoverflow.com/questions/2723936/is-there-an-equivalent-to-dbus-on-osx22:29
ayoungjamielennox, looks like dbus would work via brew...we'll let some Mac person set it up, though22:30
jamielennoxayoung: is mac a target though? does anyone do that? morganfainberg ?22:31
ayoungjamielennox, they tend to use a VM to develop22:31
ayoungI think we are good22:31
jamielennoxayoung: ok, well need to see what's going on with local on ubuntu22:32
jamielennoxi assume it will mean it won't work under F19 etc22:32
ayoungjamielennox, I think you would need to install the Debian/testing version22:32
ayoungyeah, needs a relatively recent certmonger22:32
*** marcoemorais has joined #openstack-keystone22:34
ayoungOK...stomping herd upstairs...time to go be a dad.22:34
*** ayoung is now known as ayoung-dadmode22:34
*** marcoemorais has quit IRC22:35
*** marcoemorais has joined #openstack-keystone22:36
jamielennoxayoung-dadmode: that deb package relies on "init-system-helpers" of a newer version than 14.04 has - not sure we can get away with updating that22:37
*** marcoemorais has quit IRC22:37
*** tellesnobrega has quit IRC22:37
*** marcoemorais has joined #openstack-keystone22:37
openstackgerritLance Bragstad proposed openstack/keystone-specs: Authenticated Encryption Tokens  https://review.openstack.org/13005022:38
*** henrynash has quit IRC22:43
morganfainbergI develop direct on the Mac. As does dolphm22:45
*** henrynash has joined #openstack-keystone22:46
*** ChanServ sets mode: +v henrynash22:46
dolphmi develop keystone as much as possible directly on a mac, but run devstack on a vm, so as long as that's the only place i need certmonger, i'd be fine22:48
*** lhcheng_ has joined #openstack-keystone22:48
morganfainbergdolphm: ++22:48
morganfainbergthat sums up my view.22:49
morganfainbergI would like unit tests (what we have today) to keep working on the Mac.22:49
*** lhcheng has quit IRC22:51
*** vejdmn has joined #openstack-keystone22:56
jamielennoxdoes devstack work on OSX today?22:57
jamielennoxi can't imagine it would22:58
jamielennoxnot to mention - you'd be stupid to run it directly anyway so it probably doesn't matter22:58
*** rharwood has joined #openstack-keystone23:01
*** gokrokve has quit IRC23:01
*** gokrokve has joined #openstack-keystone23:02
*** marcoemorais has quit IRC23:02
*** marcoemorais has joined #openstack-keystone23:03
*** marcoemorais has quit IRC23:03
*** marcoemorais has joined #openstack-keystone23:04
openstackgerritBrant Knudson proposed openstack/keystone: Correct token flush logging  https://review.openstack.org/13100323:04
*** gokrokve has quit IRC23:06
*** r-daneel has quit IRC23:14
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Remove middleware architecture doc  https://review.openstack.org/12708123:18
*** nkinder has quit IRC23:20
*** gyee has quit IRC23:21
*** rm_work is now known as rm_work|away23:22
*** rm_work|away is now known as rm_work23:23
*** jaosorior has quit IRC23:23
openstackgerritBrant Knudson proposed openstack/keystone: Configuring Keystone edits  https://review.openstack.org/13131823:24
morganfainbergdolphm: thanks for taking on API working group liaison!23:27
morganfainbergjamielennox: I wouldn't try to run devstack on OS X natively. I might add the scripts would fail.23:28
jamielennoxmorganfainberg: yea, the scripts would fail, i was thinking about it and there's no brew for mysql or anything23:28
*** dims_ has joined #openstack-keystone23:28
*** henrynash has quit IRC23:30
morganfainbergThere is a native MySQL. Dunno how out of date it is though.23:30
*** vejdmn has quit IRC23:31
*** dims has quit IRC23:32
*** nkinder has joined #openstack-keystone23:33
*** agireud has quit IRC23:39
*** soren has quit IRC23:44
*** _sunil_ has quit IRC23:50
*** diegows has quit IRC23:50
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Replace magic numbers with named symbols  https://review.openstack.org/13512723:50
*** _sunil_ has joined #openstack-keystone23:50
stevemarlooks like bknudson is back from paris :)23:54
*** _sunil_ has quit IRC23:55
morganfainbergbknudson, welcome back!23:55
*** nkinder has quit IRC23:56
morganfainbergstevemar, i mean.. hi23:56
*** bknudson has quit IRC23:56