Monday, 2015-03-02

mordredsure00:00
jamielennoxseems unlikely00:00
mordredbut I have to handle it in the library because it's a valid input00:00
jamielennoxyep00:00
mordredyay!00:00
jamielennoxi know that issue well00:00
mordred:)00:00
openstackgerritBrant Knudson proposed openstack/keystone: Add unit tests for sample policy token operations  https://review.openstack.org/16020400:02
*** ncoghlan has joined #openstack-keystone00:21
*** spandhe has quit IRC00:22
*** stevemar has joined #openstack-keystone00:26
*** ChanServ sets mode: +v stevemar00:26
*** dimsum__ has joined #openstack-keystone00:34
*** dims_ has joined #openstack-keystone00:35
*** dims_ is now known as dims00:36
*** dimsum__ has quit IRC00:39
openstackgerritBrant Knudson proposed openstack/keystone: Fix sample policy allows user to revoke or check own token  https://review.openstack.org/15591600:42
morganfainbergayoung, i feel slimy saying this...but since we already have sortof implemented a kerberos-like thing for tokens [ugh], maybe we should implement an S4U2Proxy for offloading the "do something on my behalf" things nova needs to do00:54
morganfainbergayoung, the slimy comes from sticking with the token system i'm not a fan of, but can't come up with an alternative00:55
morganfainbergthat would be API compatible [and let's face it, changing the API at that level is a nightmare]00:55
morganfainbergand if a user can declare the interface (e.g. nova boot) they're going to interact with, we could at least limit that chain to things that accept for "nova boot", which could be encoded in the policy language00:57
morganfainbergand through an SELinux non-enforce mode like thing we could map out these paths... but ugh so much pain for security :(00:57
bknudsonjust use rootwrap00:57
morganfainbergbknudson, HAH00:57
morganfainbergbknudson, i see what you did there...00:58
openstackgerritBrant Knudson proposed openstack/keystone: Add unit tests for sample policy token operations  https://review.openstack.org/16020400:58
openstackgerritBrant Knudson proposed openstack/keystone: Fix sample policy allows user to revoke or check own token  https://review.openstack.org/15591600:58
stevemarbknudson, nice patches ya got there00:59
stevemarthat's a good bug00:59
bknudsonstevemar: it's still weird... not sure why we need to have a policy for a user revoking their own token.01:00
bknudsonIf someone's got a token then just use the token...01:00
stevemari'll grant you that the use case doesn't really gel with me01:00
morganfainbergbknudson, a policy for revoking their own token? as in if they logout from horizon?01:00
jamielennoxmorganfainberg: now who's  working on the weekend01:01
morganfainbergjamielennox, shhhh01:01
morganfainbergjamielennox, <-- PTL i have an excuse.01:01
*** samueldmq has joined #openstack-keystone01:01
stevemarjamielennox, well when there's 1 week left of kilo3, it's expected01:01
morganfainbergstevemar, 1 wk? like a couple days :P01:01
bknudsonmorganfainberg: https://bugs.launchpad.net/keystone/+bug/142182501:01
openstackLaunchpad bug 1421825 in Keystone "Sample policy should allow user to validate and revoke own token" [Undecided,In progress] - Assigned to Brant Knudson (blk-u)01:01
bknudsonthere's examples in there.01:02
jamielennoxthis is where client side doesn't matter :)01:02
morganfainbergsure01:02
morganfainbergbknudson, i was thinking it was a legit use-case, not that i really advocate revoking tokens all over the place01:02
jamielennoxbknudson: i found a similar one to that the other day, cloud_admin can't revoke a user token01:02
stevemarrevoke all the tokens!!01:03
jamielennoxbknudson: want to make that part of the same bug?01:03
bknudsonmorganfainberg: the thing that's weird is why have a policy at all for using a token to revoke a token?01:03
bknudsonif a token can be revoked using the token and I've got the token then I shouldn't need another token.01:03
morganfainbergbknudson, X-Subject vs X-Auth ?01:03
morganfainbergoj01:03
bknudsonmorganfainberg: right.01:03
morganfainbergoh01:03
morganfainbergi see, admin vs self01:03
jamielennoxwell in this case it was because tempest is doing stuff on cleanup01:04
morganfainbergyeah i don't want jamielennox revoking my tokens, but i don't mind if cloud_admin were01:04
morganfainbergbut i should be able to revoke my own token if i so choose01:04
bknudsondoes auth_token middleware need its service token to validate tokens that it gets?01:04
bknudsonwhy not just use the token?01:04
morganfainbergbknudson, i think because validate is privileged01:04
bknudsonyou can revoke your own token but not validate it?01:05
morganfainbergyou could in theory look for valid tokens if you could validate a token with itself01:05
morganfainbergoh01:05
morganfainbergso self validate, or self revoke01:05
morganfainberghm.01:05
morganfainbergsure.01:05
bknudsonyou can look for valid tokens just by trying operations.01:05
morganfainbergjust not non-priv token validate other non-priv token01:05
bknudsonlist users or something.01:05
morganfainbergi guess it's a small gap01:06
bknudsonis cloud admin supposed to be able to validate tokens?01:07
morganfainbergbknudson, but you could also with a validate know canonically what roles you have. it opens a small door01:07
morganfainbergi would assume cloud admin could validate or revoke01:07
*** davechen has joined #openstack-keystone01:07
morganfainbergsince cloud admin should be able to disable users.01:07
bknudsonb/c I don't think they can based on the testing I was doing.01:07
morganfainbergi might be crazy thinking as much01:07
bknudsonmorganfainberg: look at the end of this: https://review.openstack.org/#/c/160204/1/keystone/tests/unit/test_v3_protection.py01:08
morganfainbergbknudson, see it.01:09
bknudsonunless I don't understand how the users are set up there, cloud_admin_user couldn't revoke a user's token.01:09
bknudsonI changed that test in patch set 2 to use domain_admin_user and that worked for some reason.01:09
bknudson(Note that I don't understand the v3cloudpolicy file...)01:09
morganfainbergso i think that is a bug in v3cloud admin if the cloud admin can't revoke01:10
bknudsonv3cloudsample.policy file.01:10
ayoungmorganfainberg, let's talk at the summit.  I don't think that is quite the right way of saying it01:10
morganfainbergayoung, i am sure i'm saying it wrong, but conceptually it's related.01:10
morganfainbergayoung, i have some other bits to add to that convo, but was trying to distil down some bits to make it easier to type01:11
ayoungOK...so what if, instead of that, we said we would provide a dictionary, with a token for each of the remote services.  A user sends a token to nova, nova validates, and then picks of the remote token to use when calling glance01:11
ayoungwhen the user creates a token on the Keystone side, there is an implied trust that is associated with the service catalog01:12
morganfainbergayoung, sort of the direction i was headed... i think i need to draw up / write up the workflow01:13
morganfainbergayoung, it is sortof revisiting the composite token concept.01:13
morganfainberg*sortof*01:13
ayoungmorganfainberg, the trick will be giving Nova a way to select the right token01:13
ayoungIs there anywhere we need this kind of functionality but with Nova?01:13
morganfainbergayoung, heat01:14
morganfainbergin theory01:14
ayoungNah, heat can be made to use trusts01:14
morganfainbergbut in practice they use trusts01:14
morganfainbergcinder might need it01:14
ayoungI was thinking glance might need it to talk to swift?01:14
morganfainbergif you're creating a volume from a glance image01:14
ayoungah01:14
morganfainbergglance <-> swift.01:14
morganfainberguhm...01:14
ayounglet's find out, and map the uses on out01:14
morganfainbergyeah probably more too01:14
morganfainberganytime a service does X on behalf of user as a side effect of Y01:15
ayoungshort lived, multi service co-ordinations01:15
morganfainbergyep01:16
ayoungI talked it over with Simo.  I think what we are doing here is really different than oauth and the other mechanisms were designed to support.  Maybe the world does need Keystone tokens after all01:16
ayoungbtw...I need to deal with some Python34 issues on the access_info review.01:17
ayoungBut splitting the tests went cleanly.  Only one test failure, and it was for a change that I should have rolled back01:17
morganfainbergnice01:17
openstackgerritBrant Knudson proposed openstack/keystone: Add unit tests for sample policy token operations  https://review.openstack.org/16020401:19
openstackgerritBrant Knudson proposed openstack/keystone: Fix sample policy allows user to revoke or check own token  https://review.openstack.org/15591601:19
*** henrynash has quit IRC01:41
*** himangi has joined #openstack-keystone01:55
*** davechen_ has joined #openstack-keystone02:05
*** diegows has quit IRC02:07
*** davechen has quit IRC02:08
*** erkules_ has joined #openstack-keystone02:13
*** erkules has quit IRC02:15
*** richm has quit IRC02:19
*** gabrielbezerra has quit IRC02:21
*** wpf has joined #openstack-keystone02:23
*** gabrielbezerra has joined #openstack-keystone02:24
*** trey_ has joined #openstack-keystone02:27
*** trey has quit IRC02:27
*** trey_ is now known as trey02:27
ayoungbknudson, so..I was creating a class to deal with Date/string conversions.  I had descended from String (JSON marshalling kindof dictated that) but with Python 3,  when doing that, I get02:36
ayoungTypeError: object.__init__() takes no parameters02:36
ayoungI had02:36
ayoungclass DateString(six.text_type):02:36
ayoung    def __init__(self, value):02:36
ayoung        assert_datetime(value)02:36
ayoung        self.value = value02:36
ayoungand then02:37
ayoung super(DateString, self).__init__(strval)02:37
ayoungand it is the last part that is problematic, I guess02:37
ayoungstrings must not take the value in the init param?  Not sure why it is jumping direct to object,  but I had the same thing with str02:38
*** junhongl has joined #openstack-keystone02:42
*** DaveChen has joined #openstack-keystone02:51
*** davechen_ has quit IRC02:51
*** davechen_ has joined #openstack-keystone02:59
*** DaveChen has quit IRC03:02
*** _cjones_ has joined #openstack-keystone03:14
stevemarmorganfainberg, i'm restless, what should i do03:24
*** lhcheng has joined #openstack-keystone03:25
morganfainbergstevemar, uh03:26
morganfainbergstevemar, keystone stuff, non keystone stuff, or watch movies? ;)03:28
morganfainbergi have recommendations for all three categories03:28
*** samueldmq has quit IRC03:30
stevemarmorganfainberg, i'm going to settle for another episode of house o' cards03:31
morganfainbergthat was what i was going to recommend over movies had you selected that category03:32
stevemar(still season 1 :( )03:32
* morganfainberg has watched 1 ep of season 3 so far03:32
morganfainbergstevemar, http://www.vox.com/2015/2/27/8119829/house-of-cards-spacey-southern-accent03:32
stevemarmorganfainberg, we need topol to weigh in on it03:33
*** dims has quit IRC03:35
stevemarmorganfainberg, not bad03:38
*** panbalag has joined #openstack-keystone03:38
*** nkinder has joined #openstack-keystone03:38
morganfainbergi like the h-w inversion description03:38
morganfainbergwhile -> hwile03:38
morganfainbergreminds me of a family guy skit03:38
openstackgerritayoung proposed openstack/python-keystoneclient: Use Model for access_info  https://review.openstack.org/16013403:42
openstackgerritayoung proposed openstack/python-keystoneclient: pep8 fix for CMS  https://review.openstack.org/16013203:42
openstackgerritayoung proposed openstack/python-keystoneclient: Test updates to prep for unified access info  https://review.openstack.org/16013303:42
openstackgerritayoung proposed openstack/python-keystoneclient: Access Info  https://review.openstack.org/13851903:42
openstackgerritChangBo Guo(gcb) proposed openstack/keystone: Use dict comprehensions instead of dict constructor  https://review.openstack.org/14384203:45
stevemarmorganfainberg, like cool 'hwip'03:46
jamielennoxstevemar: looking at OSC auth and it's still all twisted and weird03:47
*** panbalag has quit IRC03:47
stevemarjamielennox, yep, the patch that you had going on, i don't think it ever landed right?03:47
stevemarjamielennox, it's weird, but it works?03:48
jamielennoxstevemar: no, and i went back to it a while later and had too much to rebase03:48
jamielennoxstevemar: yep, mostly03:48
stevemarjamielennox, i think dtroyer tried to keep up with it, but we were trying to get a 1.0.0 release out the door03:48
jamielennoxyea, i remember03:48
*** tqtran_afk has joined #openstack-keystone03:49
jamielennoxmaybe i'll get back around to it just in time to have another big summit push03:49
*** lhcheng has quit IRC03:49
*** _cjones_ has quit IRC03:51
jamielennoxstevemar: if you're not doing anything can you look at this chain again: https://review.openstack.org/#/c/157280/03:51
*** csoukup has joined #openstack-keystone03:55
*** david-lyle_afk has quit IRC04:02
*** himangi has quit IRC04:18
openstackgerritMorgan Fainberg proposed openstack/keystone: Get initiator from manager and send to controller  https://review.openstack.org/15566004:26
openstackgerritMorgan Fainberg proposed openstack/keystone: Add CADF notifications for trusts  https://review.openstack.org/15186704:26
*** himangi has joined #openstack-keystone04:30
*** dims has joined #openstack-keystone04:35
*** dims has quit IRC04:40
*** fifieldt has joined #openstack-keystone04:44
*** csoukup has quit IRC04:47
morganfainbergstevemar, am i missing something... but https://review.openstack.org/#/c/154934/19/keystone/auth/plugins/mapped.py looks like it never actually checks that a user exists if it's a local user?04:48
morganfainbergi'm just not seeing where the local user_id is being pulled out and utilized.04:48
morganfainbergor username is being looked up and validated it is in-fact a local user.04:49
*** Akshik has joined #openstack-keystone04:52
stevemarmorganfainberg, lookin04:54
morganfainbergi admit i might be missing where that is done... but... i just don't see it04:54
stevemarmorganfainberg, it's in another patch04:54
stevemarmorganfainberg, https://review.openstack.org/#/c/156308/04:54
morganfainbergearlier or later?04:54
morganfainbergah04:54
morganfainbergso i *wasn't* crazy04:54
stevemarmorganfainberg, maybe just a bit, but not in this regard04:55
stevemarmorganfainberg, he was just making the mapping engine return the 'user' object instead of trying to fish out the name/id/blah04:55
*** Akshik_ has joined #openstack-keystone04:57
*** Akshik has quit IRC04:57
*** Akshik_ has quit IRC04:58
morganfainbergstevemar, ok just pressed go on all of those in that chain04:58
morganfainbergi need to look at the whitelist/blacklist one, something isn't sitting right with me, some bit of it is changing the data types being produced and it bugs me.04:59
morganfainberguntil i poke at it more04:59
stevemarmorganfainberg, what do you mean by changing the data types05:00
morganfainbergit's mapping in lists to a structure that previously afaict never contained lists05:00
morganfainbergso instead of [a, b, c, d] you can have [a, b, [c, d, e]]05:01
morganfainbergand i haven't poked at it enough to feel confident in what happens there05:01
openstackgerritChangBo Guo(gcb) proposed openstack/keystone: Use dict comprehensions instead of dict constructor  https://review.openstack.org/14384205:14
stevemarmorganfainberg, ohhh that part05:15
stevemarbecause it was a string at first right05:15
*** lhcheng has joined #openstack-keystone05:15
morganfainbergYeah.05:30
*** spandhe has joined #openstack-keystone05:34
stevemarmorganfainberg, what else is close-ish?05:42
stevemarrather, in need of review05:43
stevemarmorganfainberg, oh btw, ayoung +1'ed the 'remove kvs revoke backend'05:43
stevemarsome tests failed, i should fix those05:43
stevemari think it's just domain-config and kwlt left over05:44
openstackgerritMerged openstack/keystone: Enhance user identification in mapping engine  https://review.openstack.org/15493405:57
stevemarjamielennox, if you have a quick second: https://review.openstack.org/#/c/160065/06:02
jamielennoxstevemar: +A06:03
jamielennoxstevemar: also means that marekd's spec was merged which is good06:03
jamielennoxi didn't see that one go in06:03
stevemarjamielennox, morgan and i settled on it, marek was OK, and i think you had agreed on it too06:03
jamielennoxstevemar: it looks like what i was expecting06:04
openstackgerritMerged openstack/keystone-specs: Fix nits from 159922  https://review.openstack.org/16006506:06
openstackgerritMerged openstack/keystone: Make RuleProcessor._UserType class public  https://review.openstack.org/15771106:17
openstackgerritMerged openstack/keystone: Move UserAuthInfo to a separate file  https://review.openstack.org/15771706:17
openstackgerritMerged openstack/keystone: Authenticate local users via federated workflow  https://review.openstack.org/15630806:28
openstackgerritSteve Martinelli proposed openstack/keystone: Remove KVS backend for revocation api  https://review.openstack.org/16006706:31
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/16023306:34
stevemarjamielennox, whats up with registering the conf options twice? https://review.openstack.org/#/c/157280/4/keystonemiddleware/auth_token/_auth.py06:35
stevemarlast 2 lines of the file06:36
stevemaroops, nvm, it's done like that anyway now06:36
stevemaroh it's being set of auth from KSC and AuthTokenPlugin from ksm06:37
stevemarthat's still a bit weird >.<06:37
openstackgerritLin Hua Cheng proposed openstack/keystone: Remove extra semicolon from mapping fixtures  https://review.openstack.org/14808006:42
*** himangi has quit IRC06:44
*** tqtran_afk has quit IRC06:49
*** _cjones_ has joined #openstack-keystone06:51
stevemarjamielennox, all that refactoring and it's still > 1100 lines06:53
stevemarbut great job06:53
*** hogepodge has quit IRC06:55
marekd"Merged openstack/keystone: Enhance user identification in mapping engine  https://review.openstack.org/154934" yupi!06:55
stevemarmarekd, :)06:56
*** _cjones_ has quit IRC06:56
marekdstevemar: hey06:56
stevemarmarekd i think morganfainberg had some issues with the ast bits in whitelist/blacklist06:56
marekdstevemar: we can add some fixups on that if he wants.06:57
stevemarmarekd, i think it's more "it's just weird to do it that way'06:57
stevemarbut i dunno06:57
marekdstevemar: it was first proposed by Victor from Brazilian uni.06:58
*** himangi has joined #openstack-keystone06:58
*** ajayaa has joined #openstack-keystone06:59
*** lhcheng has quit IRC07:01
ajayaaHi guys. When is the feature freeze for kilo release?07:02
*** lhcheng has joined #openstack-keystone07:14
marekdajayaa: tomorrow or so.07:15
ajayaaI have few patches lying around since Juno. I will rebase them asap. marekd, would you volunteer for a review? :)07:17
marekdi can take a look07:17
ajayaamarekd, Thanks.07:18
*** jaosorior has joined #openstack-keystone07:31
openstackgerritMarek Denis proposed openstack/keystone: Remove extra semicolon from mapping fixtures  https://review.openstack.org/14808007:39
openstackgerritMarek Denis proposed openstack/keystone: Implements whitelist and blacklist mapping rules  https://review.openstack.org/14257307:39
*** henrynash has joined #openstack-keystone07:43
*** ChanServ sets mode: +v henrynash07:43
*** hogepodge has joined #openstack-keystone07:49
*** chlong has quit IRC08:02
stevemarmarekd, commented on e^08:07
marekdstevemar: thanks.08:07
marekdI am responding to https://review.openstack.org/#/c/152156/16 and will now fix what's missing.08:07
*** nellysmitt has joined #openstack-keystone08:18
*** afazekas has joined #openstack-keystone08:18
*** Guest78669 is now known as d0ugal08:20
*** d0ugal has joined #openstack-keystone08:21
*** himangi has quit IRC08:27
*** stevemar has quit IRC08:36
openstackgerritMarek Denis proposed openstack/keystone: IdP ID registration and validation  https://review.openstack.org/15215608:42
*** pnavarro_ has joined #openstack-keystone08:47
*** kashyap has joined #openstack-keystone08:48
*** lhcheng has quit IRC08:49
kashyapAny pointers to make Keystone end points to configure with SSL?08:50
*** ajayaa has quit IRC08:54
*** ncoghlan has quit IRC09:00
kashyapjamielennox, If you're around, maybe you have some pointers?09:00
*** jistr has joined #openstack-keystone09:12
*** ajayaa has joined #openstack-keystone09:12
openstackgerritMarek Denis proposed openstack/keystone: Implements whitelist and blacklist mapping rules  https://review.openstack.org/14257309:14
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Honor domain operations in project table  https://review.openstack.org/14376309:28
*** pnavarro_ has quit IRC09:42
*** Akshik has joined #openstack-keystone09:43
openstackgerrithenry-nash proposed openstack/keystone: Enable use of database domain config  https://review.openstack.org/15967509:50
openstackgerrithenry-nash proposed openstack/keystone: Enable sensitive substitutions into whitelisted domain configs  https://review.openstack.org/15992809:50
openstackgerrithenry-nash proposed openstack/keystone: Mark the domain config API as experimental  https://review.openstack.org/16003209:51
*** ajayaa has quit IRC09:52
*** pnavarro has joined #openstack-keystone09:55
*** davechen_ has quit IRC09:55
*** ajayaa has joined #openstack-keystone09:56
openstackgerritAjaya Agrawal proposed openstack/keystone: Implemented caching in identity layer.  https://review.openstack.org/11057509:56
*** henrynash has quit IRC10:00
*** pnavarro has quit IRC10:02
ajayaamarekd, Has something changed very recently wrt how different drivers are assigned through keystone.conf?10:25
ajayaaI am getting an error "ArgsAlreadyParsedError" while starting keystone with keystone-all10:25
*** erkules_ is now known as erkules10:27
marekdajayaa: are you running latest version ?10:37
marekdajayaa: and has packages updated ?10:37
ajayaamarekd, I am running master.10:38
ajayaaYes updated packages.10:38
marekdhm10:38
marekdnothing i'd be aware of.10:38
ajayaaokay.10:38
marekdsome more detailed errors?10:38
*** aix has joined #openstack-keystone10:41
*** EmilienM is now known as EmilienM|afk10:54
ccardWe are trying to get an HA openstack up and running, with keystone being a pacemaker resource. I've noticed that if I turn off one of the machines running keystone and then turn it on again, systemd tries to start keystone, but when pacemaker runs its keystone monitor (calling systemd status openstack-keystone) about 8 seconds later, keystone is still starting up, and the pacemaker monitor operation returns OCF_PENDING. Then pacemaker stops11:05
ccardkeystone, and the next time keystone is started by systemd it starts up successfully within 2 seconds. Any idea why keystone should fail to start up within 8 seconds the first time, but succeed within 2 seconds the second time?11:05
ccardI can't see anything in the pacemaker or keystone logs giving any indication about what is going on.11:06
ajayaamarekd, here it is. https://review.openstack.org/#/c/110575/. Hope you find sometime to review it.11:20
*** Akshik has quit IRC11:35
*** fmarco76 has joined #openstack-keystone11:37
fmarco76I am working on https://review.openstack.org/#/c/159803/ but I have a problem I would discuss11:42
fmarco76the migration scripts do not work properly because of the missing encoding11:44
fmarco76the problem arises before any upgrade/downgrade is applied so even if I create a new migration script to change the tables, this will not work if the problem is present (the problem arises if default DB encoding is not utf8)11:45
fmarco76the check is in oslo_db/sqlalchemy/migration.py, so external to keystone, To avoid the problem I should disable the check in the libraries for some table and I do not like the idea11:47
fmarco76so my problem: is there a way to modify the database before the migration scripts are executed?11:47
*** amakarov_away is now known as amakarov11:51
*** Gippa has joined #openstack-keystone11:58
*** Gippa has left #openstack-keystone11:59
*** henrynash has joined #openstack-keystone12:00
*** ChanServ sets mode: +v henrynash12:00
*** dims has joined #openstack-keystone12:09
*** henrynash has quit IRC12:11
*** raildo has joined #openstack-keystone12:12
*** fmarco76 has quit IRC12:34
*** henrynash has joined #openstack-keystone12:41
*** ChanServ sets mode: +v henrynash12:41
*** diegows has joined #openstack-keystone12:41
*** panbalag has joined #openstack-keystone12:44
*** himangi has joined #openstack-keystone13:01
*** markvoelker has joined #openstack-keystone13:08
*** jacorob has quit IRC13:10
*** jacorob has joined #openstack-keystone13:13
*** fmarco76 has joined #openstack-keystone13:16
*** jacorob has quit IRC13:20
openstackgerritMarek Denis proposed openstack/keystone: Populate token with service providers  https://review.openstack.org/15986513:21
*** jacorob has joined #openstack-keystone13:27
*** gordc has joined #openstack-keystone13:30
*** henrynash has quit IRC13:31
*** ajayaa has quit IRC13:39
*** bknudson has quit IRC13:46
ccarddelving deeper, I added some write statements to the /usr/bin/keystone-all script and it appears that although systemd says "systemd[1]: Starting OpenStack Identity Service (code-named Keystone)..." in messages.minor, the keystone-all script is not being run, until pacemaker stops the openstack-keystone service and systemd has another go13:49
*** ljfisher has joined #openstack-keystone13:53
mfischmorganfainberg: it did work fine to remove the admin_auth_token from the public pipeline, I was trying to be too tricky in how I setup the pipelines and missed a difference between them when it failed13:59
*** afazekas has quit IRC14:06
*** richm has joined #openstack-keystone14:06
*** fmarco76 has left #openstack-keystone14:07
*** fmarco76 has joined #openstack-keystone14:08
*** fmarco76 has quit IRC14:08
*** openstack1 has joined #openstack-keystone14:09
*** bknudson has joined #openstack-keystone14:10
*** ChanServ sets mode: +v bknudson14:10
openstack1have a quick question14:10
openstack1if I don't see services in my service catalog (keystone v2.0), will that block me from accessing the open stack services14:10
openstack1I can't access any apis, especially heat14:11
openstack1keep getting a 403 error14:11
larsksopenstack1: Most of the client tools (including Horizon) use the service catalog to figure out API endpoints.14:11
larsksIf you're getting a 403 error (from keystone?), you probably want to investigate your server logs.14:12
*** fmarco76 has joined #openstack-keystone14:12
openstackgerritAlexander Makarov proposed openstack/keystone: Group role revocation invalidates all user tokens  https://review.openstack.org/14185414:16
*** nkinder has quit IRC14:19
openstack1k, I'll check it out14:21
*** joesavak has joined #openstack-keystone14:21
amakarovdstanek, hi! I addressed your -1 there can you please take a look? ^^14:21
openstack1larsks, I'm getting 403 from the Heat api14:21
openstack1larsks, when I access nova, I get an error saying the tenant id on the url is not the same as the context14:22
openstack1larsks, so I just chalked it all up to I don't see any services in my service catalog14:22
*** afazekas has joined #openstack-keystone14:23
larsksopenstack1: you probably want to move this over to #openstack, since this channel is mostly for keystone development.14:25
*** dims has quit IRC14:25
*** dims has joined #openstack-keystone14:26
openstack1k will do so, thanks14:26
*** fmarco76 has quit IRC14:26
*** radez_g0n3 is now known as radez14:27
openstackgerritMarek Denis proposed openstack/keystone: Populate token with service providers  https://review.openstack.org/15986514:29
*** mattfarina has joined #openstack-keystone14:32
*** ajayaa has joined #openstack-keystone14:36
*** afazekas has quit IRC14:41
dstanekamakarov: sure14:44
openstackgerrithenry-nash proposed openstack/keystone: Support upload domain config files to database  https://review.openstack.org/16036414:46
*** henrynash has joined #openstack-keystone14:46
*** ChanServ sets mode: +v henrynash14:46
dolphmdoes anyone use a vim layout with gertty?14:48
marekdmorganfainberg: re: https://review.openstack.org/#/c/155660/13 few questions here. Rather want to make sure that place where CADF events are emitted is chosen on purpose. cc/ stevemar14:51
openstackgerritMarek Denis proposed openstack/keystone: WIP - add cadf notifications for oauth  https://review.openstack.org/15904514:52
openstackgerrithenry-nash proposed openstack/keystone: Support upload domain config files to database  https://review.openstack.org/16036414:53
*** csoukup has joined #openstack-keystone15:03
*** rm_work has quit IRC15:05
*** openstack1 has quit IRC15:06
dstanekdolphm: didn't know that existed15:06
dstanekdolphm: i gave up on gertty because the interface was too slow15:06
*** rm_work|away has joined #openstack-keystone15:07
*** rm_work|away is now known as rm_work15:07
*** rm_work has quit IRC15:07
*** rm_work has joined #openstack-keystone15:07
*** sigmavirus24_awa is now known as sigmavirus2415:11
*** rm_work has quit IRC15:12
*** nkinder has joined #openstack-keystone15:13
*** rm_work|away has joined #openstack-keystone15:15
*** rm_work|away is now known as rm_work15:15
*** rm_work has joined #openstack-keystone15:15
*** afazekas has joined #openstack-keystone15:19
*** jsavak has joined #openstack-keystone15:20
*** joesavak has quit IRC15:23
marekdajayaa: can you tell me where function invalidate() comes from?15:23
marekdajayaa: self.get_user.invalidate()15:23
marekdis it caching related func ?15:23
ajayaamarekd, yes. It comes from dogpile.15:24
marekdajayaa: ok, thanks.15:25
marekdand it is member function of what object?15:25
marekdyou call it on self.get_user() or similar15:25
marekd.15:25
dolphmdstanek: just wrote a patch to add basic vim motions, but it doesn't work great because there's no concept of modes when you're writing comments, etc15:25
ajayaamarekd, It comes from the cache object.15:25
ajayaaIf the decorator cache is used for a function then you can call the invalidate on that function.15:26
ajayaamarekd, Actually this patch got one +2 at some point of time but then merge conflicts and juno feature freeze and then...15:27
ajayaa:)15:27
openstackgerritayoung proposed openstack/python-keystoneclient: Use Model for access_info  https://review.openstack.org/16013415:27
openstackgerritayoung proposed openstack/python-keystoneclient: pep8 fix for CMS  https://review.openstack.org/16013215:27
openstackgerritayoung proposed openstack/python-keystoneclient: Test updates to prep for unified access info  https://review.openstack.org/16013315:27
openstackgerritayoung proposed openstack/python-keystoneclient: Access Info  https://review.openstack.org/13851915:27
dolphmdstanek: and yeah, it's slow but i'm sitting in a waiting room on bluetooth tether + low strength LTE signal so it's going to be slow no matter what :P15:28
dstanekdolphm: fair enough :-)15:28
marekdajayaa: ok, i understand now.15:29
marekdajayaa: yeah, i saw voting history.15:29
*** stevemar has joined #openstack-keystone15:32
*** ChanServ sets mode: +v stevemar15:32
*** radez is now known as radez_g0n315:33
marekdajayaa: done :-)15:39
*** carlosmarin has joined #openstack-keystone15:39
ajayaamarekd, Thanks a lot.15:39
ajayaadolphm, Thanks.15:44
*** jorge_munoz has joined #openstack-keystone15:46
ajayaadolphm, Would it be possible to introduce authentication using user_id? It only supports with name as of now. It is necessary if we use a backend wherein the user name won't be unique. For e.g. a NoSql backend.15:47
dolphmajayaa: auth by ID is supported by both the HTTP API and the auth driver15:48
dolphmajayaa: in fact, it's the only form of auth supported at the driver layer15:48
lbragstaddolphm: thanks for pushing the latest patchset, I'15:48
*** topol has joined #openstack-keystone15:48
*** ChanServ sets mode: +v topol15:48
dolphmlbragstad: what did i do15:48
lbragstadI'm going to address comments if you're not working on stuff locally15:48
lbragstadcc jorge_munoz^15:48
dolphmlbragstad: i'm only reviewing15:48
lbragstaddolphm: oh, it looked like you pushed patchset 3115:49
dolphmlbragstad: when?15:49
lbragstaddolphm: 27th15:49
ajayaadolphm, perhaps I am looking at an older documentation. Thanks for clarifying though.15:50
dolphmlbragstad: that was last month15:50
stevemarmorganfainberg, ping when you are available15:56
*** zzzeek has joined #openstack-keystone16:08
dolphmstevemar: awake*16:08
*** joesavak has joined #openstack-keystone16:19
*** jsavak has quit IRC16:22
*** samueldmq has joined #openstack-keystone16:26
samueldmqmorning16:26
*** boris-42 has quit IRC16:32
openstackgerritSean Dague proposed openstack/oslo.policy: remove policy_dirs option  https://review.openstack.org/16040716:37
openstackgerritLance Bragstad proposed openstack/keystone: Keystone Lightweight Tokens (KLWT)  https://review.openstack.org/14531716:42
openstackgerritLance Bragstad proposed openstack/keystone: Use revocation events for lightweight tokens  https://review.openstack.org/15841416:42
openstackgerritLance Bragstad proposed openstack/keystone: Implement KLWT for v2.0 tokens  https://review.openstack.org/15922916:42
*** gyee has joined #openstack-keystone16:42
*** ChanServ sets mode: +v gyee16:42
*** _cjones_ has joined #openstack-keystone16:47
*** diegows has quit IRC16:51
*** trey has quit IRC16:56
*** trey has joined #openstack-keystone16:57
*** radez_g0n3 is now known as radez16:57
*** jsavak has joined #openstack-keystone17:01
amakarovdolphm, greetings! Can you please suggest me a way to test Redis backend? I fear I cannot use functional testing yet so will it be enough to mock Redis?17:02
*** tqtran_afk has joined #openstack-keystone17:05
*** joesavak has quit IRC17:05
*** diegows has joined #openstack-keystone17:05
*** rwsu has joined #openstack-keystone17:09
stevemarhenrynash, morganfainberg can you guys OK mareks concern in https://review.openstack.org/#/c/155660/13/keystone/identity/core.py17:12
henrynashstevemar: looking17:12
stevemarayoung, more questions about the revoke api here: https://review.openstack.org/#/c/160067/17:15
ayoungstevemar, looking17:15
*** spandhe has quit IRC17:15
stevemarbuahaha, i every one looking at stuff17:15
samueldmqstevemar is keeping things moving17:15
samueldmq:-)17:16
ayoungstevemar, so, I think my take when writing it was that a KVS solution was light enough and easy enough to support that it was worthwhile17:16
ayoungthe unit tests need something to work against, and it will be lighter to use KVS than SQL, but if we are going SQL everywhere, then using the SQL revoke API in that test makes sense17:16
henrynashstevemar: done17:17
ayoungstevemar, I'm not certain I would recommend removing it, though.  The Revoke API is essentially write-only...data falls off due to age, but it really doesn't need to be transactional17:17
ayoungand for replication, Mongo etc may make more sense than MySQL17:17
ayoungcan we maybe punt on that, and discuss de-deprecation after the release.  It won't hurt anything if we leave it one more release, will it?17:18
*** tqtran_afk is now known as tqtran17:18
stevemarayoung, agreed17:19
ayoungstevemar, cool17:19
openstackgerritMerged openstack/keystonemiddleware: Break default auth plugin into file  https://review.openstack.org/15728017:20
*** jistr has quit IRC17:21
openstackgerritRodrigo Duarte proposed openstack/keystone: Add domain_id checking in create_project  https://review.openstack.org/15994417:24
openstackgerritMerged openstack/keystone: Use correct dependency decorator  https://review.openstack.org/15934717:26
openstackgerritMerged openstack/keystone: Remove conditionals that check for revoke_api  https://review.openstack.org/15962817:26
openstackgerritMerged openstack/keystone: Implemented caching in identity layer.  https://review.openstack.org/11057517:26
*** adam_g_out is now known as adam_g17:27
*** ayoung is now known as ayoung-lunx17:29
henrynashstevemar, gyee, bknudson, morganfainberg: looking for us to make some progress on reviews of the “domain-config in SQL” series of patches…they start at: https://review.openstack.org/#/c/15770117:31
lbragstaddolphm: mind if I rebase https://review.openstack.org/#/c/160040/ ?17:31
gyeehenrynash, yes, I'll take a look in a few mins17:32
henrynashmorganfainberg: two minor fixes to our identity API spec to correct inaccuracies….probably better to get them in sooner than later: https://review.openstack.org/#/c/159914/, https://review.openstack.org/#/c/159919/117:33
henrynashgyee: thx17:33
gyeehenrynash, with this, we can in theory have multiple SQL backends right?17:33
gyeeor is the SQL driver still global?17:34
*** afazekas is now known as _afezekas|pub17:37
henrynashgyee: no, we can still only have one SQL backend…this moves the config definitions into SQL so you can use REST to onboard, rather than have to go create separate config files per domain (to specify each LDAP scenario)17:38
henrynashgyee: the multiple SQL one is another patch altogether….not for Kilo17:38
gyeehenrynash, k, I see17:38
samueldmqhenrynash, reviewed the first one on the domain-config, just found some nits :)17:49
openstackgerritMerged openstack/keystonemiddleware: Extract all TokenCache related classes to file  https://review.openstack.org/15728117:50
panbalagHi..I'm trying to add a role to existing user and seeing this error intermittently...Error "Authorization Failed: An unexpected error prevented the server from fulfilling your request: (OperationalError) (2003, "Can't connect to MySQL server on '127.0.0.1' (111)") None None (Disable debug mode to suppress these details.) (HTTP 500)."..17:51
panbalagHas anyone seen this error before?17:52
samueldmqpanbalag, the error message looks to be clear "Can't connect to MySQL server on '127.0.0.1' (111)"17:54
samueldmqpanbalag, please ensure your database is running properly and you set the configs for keystone17:54
samueldmqpanbalag, keystone user, password, database, etc17:55
panbalagsamueldmq, the same (keystone user-role-add) command worked after some retries. Now I'm seeing the issue with a different command17:55
samueldmqpanbalag, refer to the official docs, such as http://docs.openstack.org/juno/install-guide/install/apt/content/keystone-install.html17:55
samueldmqpanbalag, yep, then it clearly is a problem with your env :)17:56
panbalagsamueldmq, ok let me check the docs and try troubleshooting17:56
*** doug-fish has joined #openstack-keystone18:00
panbalagsamueldmq, is there a way to check the status on the MySQL server ?18:03
panbalagsamueldmq, I'm working with a devstack installation and used the install script to do the installation18:03
morganfainberggyee: we can't have more than one sql backend really unless we want to support multiple connectors to different sqls, and that is way painful to do right. Easier to say the main driver should be sql and ldap should override domains we want in other backends.18:05
*** spandhe has joined #openstack-keystone18:05
*** boris-42 has joined #openstack-keystone18:05
gyeemorganfainberg, that's fine, I was just curious. I haven't come across a use case for it yet18:07
morganfainbergstevemar: https://review.openstack.org/#/c/158600/ answered your comment.18:09
dolphmgyee: why would anyone want multiple sql backends?18:10
*** _afezekas|pub has quit IRC18:10
dolphmlbragstad: go for it18:10
amakarovdolphm, hi! I have a question to you18:11
dolphmamakarov: to test the redis driver? i'd like to see docs moreso18:12
openstackgerritLance Bragstad proposed openstack/keystone: Keystone Lightweight Tokens (KLWT)  https://review.openstack.org/14531718:12
openstackgerritLance Bragstad proposed openstack/keystone: Rename "Keystone LightWeight Tokens" (KLWT) to "Fernet" tokens  https://review.openstack.org/16004018:12
dolphmamakarov: there weren't any last i looked?18:13
dolphmamakarov: (outside of a docstr, or is that rendered to http://docs.openstack.org/developer/keystone/ somewhere?)18:13
amakarovdolphm, you asked for test18:13
openstackgerritLance Bragstad proposed openstack/keystone: Use revocation events for lightweight tokens  https://review.openstack.org/15841418:13
openstackgerritLance Bragstad proposed openstack/keystone: Implement KLWT for v2.0 tokens  https://review.openstack.org/15922918:13
morganfainbergstevemar: also pong.18:13
dolphmamakarov: you're right. i was concerned about documentation as well though :)18:14
openstackgerritMerged openstack/keystone-specs: Correct the use of POST for domain configs  https://review.openstack.org/15991918:14
amakarovdolphm, I have 2 question then :)18:14
dstaneklbragstad: is klwt tokens ready for another pass?18:14
amakarovs/question/questions/18:14
lbragstaddstanek: yes sir18:14
dolphmamakarov: i recall the docstr being pretty good, but non-developers will never see them unless they appear in http://docs.openstack.org/developer/keystone/ in a more discoverable place18:14
samueldmqpanbalag, I'm not sure about the best place to ask about devstack specifics ... maybe morganfainberg can answer you better18:15
lbragstaddstanek: dolphm added a bunch of nice documentation18:15
* dolphm cold shipley's coffee == terribad18:15
amakarovdolphm, good point, I'll write a small guide here18:15
amakarovdolphm, 2nd question: about testing18:16
dolphmamakarov: regarding testing the token redis driver... have any ideas, dstanek?18:16
panbalagmorganfainberg, is there a way to check the status on MySQL server on a devstack installation? or how to restart keystone service in devstack installation?18:16
openstackgerritMerged openstack/keystone-specs: Remove email from examples in Identity API  https://review.openstack.org/15991418:16
dstanekdolphm: ?18:16
amakaroviirc we have no such tests for memcached18:16
dolphmdstanek: amakarov has a patch to add dogpile support for redis as a token persistence driver18:17
lbragstadI assume that would take some additional setup?18:17
lbragstadoutside of just switching the CONF.token.driver18:17
dstanekdolphm: i remember seeing that...what's the problem with it?18:17
*** browne has joined #openstack-keystone18:17
dolphmdstanek: just wondering the best approach to add some level of test coverage to it18:18
dstanekdolphm: ah, i'll take a look after the klwt review i just started18:18
morganfainbergpanbalag: restarting keystone in devstack (if it's using default options Juno and later) is restarting Apache18:18
dolphmamakarov: as a result, we only have about 2 deployers using memcached in any serious capacity. if that's the fate of a redis backend, then it shouldn't merge18:18
morganfainbergpanbalag: not sure what you mean about MYSQL status.18:18
dolphmdstanek: priorities :P18:18
amakarovdolphm, dstanek, all I found is henrynash's idea to extract backend tests to a separate folder, but he used mock objects there18:19
dolphmamakarov: i assume you're primarily interested in redis + uuid tokens?18:19
amakarovdolphm, correct18:19
panbalagmorganfainberg, I'm getting this error ""Authorization Failed: An unexpected error prevented the server from fulfilling your request: (OperationalError) (2003, "Can't connect to MySQL server on '127.0.0.1' (111)") None None (Disable debug mode to suppress these details.) (HTTP 500)."..so wanted to know if there is a way to check the status on the MySQL server.18:19
morganfainbergdolphm: it'd be silly if he was doing redis and fernet tokens ;)18:19
dolphmamakarov: have you followed the AE / KLWT / Fernet token conversation?18:19
dolphmamakarov: i'd be surprised if you didn't prefer to just switch from UUID to that18:19
amakarovdolphm, and looking forward to move towards klwt when they are ready18:20
dolphmmorganfainberg: well you'd get epic performance with that combo18:20
dolphmmorganfainberg: you could go to production with redis running on a raspberry pi! it'd be great18:20
morganfainbergpanbalag: try connecting to MySQL directly.18:20
morganfainbergpanbalag: either username/password is wrong or maybe mysql isn't running?18:21
panbalagmorganfainberg, it is happening only recently and nothing changed in the environment other than assigning admin role to an existing user.18:21
dstanekdolphm: i have a cloud of raspberry pi's that i can try it on!18:21
panbalagmorganfainberg, ok let me check the status of mysql18:21
lbragstaddstanek: ++18:21
*** harlowja_away is now known as harlowja_18:21
amakarovdolphm, the main idea is to get rid of python-memcached actually :)18:21
morganfainbergpanbalag: that is an issue with MySQL directly not keystone afaik.18:22
morganfainbergdolphm: we need to fix things to rely on py memcache not Python-memcache. But not drop in replacement(s). :(18:22
morganfainbergCause Python-memcache is just awful.18:23
openstackgerritSteve Martinelli proposed openstack/keystone: Add in non-decorator notifiers  https://review.openstack.org/15860018:24
openstackgerritSteve Martinelli proposed openstack/keystone: Get initiator from manager and send to controller  https://review.openstack.org/15566018:24
openstackgerritRodrigo Duarte proposed openstack/keystone: Add domain_id checking in create_project  https://review.openstack.org/15994418:24
openstackgerritRodrigo Duarte proposed openstack/keystone: Expose create project with invalid domain_id  https://review.openstack.org/16044618:24
openstackgerritSteve Martinelli proposed openstack/keystone: Add CADF notifications for trusts  https://review.openstack.org/15186718:24
openstackgerritSteve Martinelli proposed openstack/keystone: WIP - add cadf notifications for oauth  https://review.openstack.org/15904518:24
*** pnavarro has joined #openstack-keystone18:25
dolphmamakarov: well you can accomplish that with dogpile, right?18:25
gyeedolphm, I haven't seen any multi sql identity backend use case yet, was just curious18:26
dolphmgyee: i've seen people ask about it, but never with a use case18:26
amakarovdolphm, right: my patch is just about it18:26
dolphmamakarov: morganfainberg: i don't follow. if the goal is to get rid of pymemcache & python-memcache, then dogpile supports pylibmc. i don't see how redis is a "drop in" replacement at all18:28
raildomorganfainberg: just a little doubt here. what should happen if a user tries to create an is_domain project, passing a domain_id18:33
raildowhen the is_domain flag is set True, the domain_id of the project is his own id18:34
raildobut if I pass another domain_id, should I ignore it?18:34
dolphmraildo: sounds like a 40018:35
dolphmraildo: if the request doesn't make any sense, let the user know instead of introducing an arbitrary behavior. someone will just file it as a bug later :)18:36
raildodolphm, right, that is the other option that I have in mind.18:36
openstackgerritSean Dague proposed openstack/oslo.policy: remove policy_dirs option  https://review.openstack.org/16040718:37
raildodolphm, thanks18:37
amakarovdolphm, redis gives some flexibility such as persistence and it's sentinel I'd like to try. For now it works quite well18:37
amakarovmemcache lib has a problem with sharding18:38
dolphmamakarov: pylibmc?18:39
dolphmamakarov: i'm not sure what you're referring to exactly with "memcache lib"18:41
*** aix has quit IRC18:41
amakarovdolphm, haven't tried. There were some complaints from colleagues about memcache itself I can't recall now. I spoke about python-memcached.18:42
amakarovdolphm, I can ask them again why Redis is a good idea :)18:43
openstackgerritMarek Denis proposed openstack/keystone: Populate token with service providers  https://review.openstack.org/15986518:43
marekdmorganfainberg: stevemar bknudson gyee ^^ this is service_providers in token, for some reason it's not on 'high priorities reviews' anymore, even though it should.18:44
dolphmamakarov: a couple releases ago, it would have made sense. in kilo, it feels like it's going to go unused next to ae/klwt/fernet18:44
amakarovdolphm, as for me - I can implement event-based distributed lock on Redis instead of polling used in memcached18:44
stevemarmarekd, i think dolph/morgan have to 'star' it18:44
marekdaha18:45
dolphmmarekd: it'll appear in a minute :)18:45
marekddolphm: thanks :-)18:45
openstackgerritMarek Denis proposed openstack/keystone: Emit failure notifications for CADF audits events  https://review.openstack.org/15690518:47
openstackgerrithenry-nash proposed openstack/keystone: Refactor and provide scaffolding for domain specific loading  https://review.openstack.org/15770118:48
amakarovdolphm, I agree, though Redis token backend is a nice feature for current installations as a means to harden them with little effort18:49
amakarovdolphm, I'm not sure I'll be capable of convincing our engineers to adopt shiny new technology in a core component lust like "Guys, I have this one here, it's cool!" :)18:51
marekddolphm: https://review.openstack.org/#/c/152156/ can you also star this one? This was discussed at the meetup and i reckoned this is a super nice feature. It had few iterations of reviews from stevemar, few folks and myself.18:52
openstackgerritAlexander Makarov proposed openstack/keystone: Group role revocation invalidates all user tokens  https://review.openstack.org/14185418:52
openstackgerrithenry-nash proposed openstack/keystone: Implement backend driver support for domain config  https://review.openstack.org/15805118:53
openstackgerrithenry-nash proposed openstack/keystone: Add support for whitelisting and partial domain configs  https://review.openstack.org/15867918:54
amakarovs/lust/just/18:55
openstackgerrithenry-nash proposed openstack/keystone: Add API support for domain config  https://review.openstack.org/15875218:55
openstackgerrithenry-nash proposed openstack/keystone: Enable use of database domain config  https://review.openstack.org/15967518:56
openstackgerrithenry-nash proposed openstack/keystone: Enable sensitive substitutions into whitelisted domain configs  https://review.openstack.org/15992818:57
openstackgerrithenry-nash proposed openstack/keystone: Support upload domain config files to database  https://review.openstack.org/16036418:58
gyeemarekd, k, looking19:00
marekdty19:01
*** devlaps has joined #openstack-keystone19:01
henrynashdolphm: sorry you keep getting bugged on “starring” blueprints etc….but what determines if the chain of dependent patches appears on the high priority list vs just the first one? (See: https://review.openstack.org/#/c/157701/6)19:01
henrynashsamueldmq, gyee: fixed up your suggestions on: https://review.openstack.org/#/c/157701/619:02
* marekd SAML Protocol has its 10th birthday today.19:10
* dolphm happy birthday SAML19:13
* stevemar gives SAML a cake19:15
henrynashand a coconut..19:16
* amakarov reminds SAML that cake is a lie19:16
henrynashyou can’t have your cake and parse it19:16
*** haneef has quit IRC19:17
* gyee gives SAML a JSON toy19:17
morganfainbergmarekd, lbragstad: requirements.txt: The order of packages is significant, because pip processes them in the order of appearance. Changing the order has an impact on the overall integration19:17
morganfainbergsee the comment at the top19:18
lbragstadmorganfainberg: makes sense, I thought there was a stipulation there19:18
lbragstadcc stevemar ^19:18
morganfainbergyeah basically... don't reorder them19:18
morganfainbergif it works... leave it19:18
*** amakarov is now known as amakarov_away19:20
stevemarmorganfainberg, lbragstad okie dokes19:20
henrynashsamueldmq: if there’s a chance you could spend some time on the follow-on patches on domain-config, that would be great…19:22
morganfainbergso, for priorities: if you're reviewing - KLWT/Fernet tokens, Domain SQL, CADF, and then x50919:24
morganfainbergsorry, rephrase: KLWT/Fernet, Service Providers in Token / other federation, Domain SQL, CADF, x50919:25
marekdmorganfainberg: https://review.openstack.org/#/c/145317/33/requirements.txt talking this?19:27
morganfainbergmarekd, yeah just a comment to not reorder what is already there19:27
marekdok ok19:28
marekdmorganfainberg: i got scared i approved something that will explode as soon as it gets on this 'master' plane :-)19:28
stevemarhenrynash, morganfainberg take another look at: https://review.openstack.org/#/c/155660/ ? it's rebased now, and the dependent patch is going through19:28
*** devlaps has quit IRC19:29
morganfainbergstevemar, looks like a clear rebase to me19:30
openstackgerritMorgan Fainberg proposed openstack/keystone: Remove KVS backend for revocation api  https://review.openstack.org/16006719:31
henrynashstevemar: looking19:31
gyeeKLWT review is going to take awhile, a lot of code to read :)19:31
stevemarmorganfainberg, oh i was just going to ask about the kvs backend19:32
morganfainbergstevemar, was just clicking abandon19:32
morganfainbergbased upon discussion w/ ayoung19:32
stevemarthats fine19:32
morganfainbergmis-clicked on rebase :P19:32
stevemarwanted to 2x check with you19:32
stevemarmorganfainberg, marking that bp as implemented19:32
morganfainberg++19:33
morganfainberggyee, and it's high priority to get it gating ;)19:33
*** himangi has left #openstack-keystone19:34
openstackgerritMerged openstack/keystone: Correct token flush logging  https://review.openstack.org/13100319:35
gyeeon it19:35
openstackgerritMerged openstack/keystone: Use dict comprehensions instead of dict constructor  https://review.openstack.org/14384219:37
morganfainbergugh19:38
morganfainberg^ that is likely going to cause rebase ick19:38
henrynashmorganfainberg: do you know what causes a full chain of dependent patches to show on the high priority list vs just the top one?19:39
morganfainberghenrynash, each one is starred19:39
morganfainbergindependently19:40
stevemardstanek, really pushing the criteria for a -1 there :P https://review.openstack.org/#/c/160040/19:41
dstanekstevemar: :-P19:41
stevemari mentioned the same issue on ps1, but still +2'ed!19:41
stevemarcurse my disagreement percentage19:42
dstanekstevemar: if my comments in the parent are addressed this will have to be rebased anyway19:42
* morganfainberg just bumped up dstanek's disagreement % by +2 that one... :P19:42
stevemarbuaha19:43
henrynashmorganfainberg: ahh…so the chain of domain-config patches *were* all starred yesterday…and now only the first one is…!?!19:45
*** ajayaa has quit IRC19:45
morganfainberghenrynash, wasn't my stars19:45
morganfainbergjust starred them19:45
morganfainbergthere is one that is still merge conflicting19:45
morganfainberghenrynash, my guess is you're probably going to need an FFE if those aren't gating today.19:46
morganfainberghenrynash, but they are behind the tokens and the small-ish federation patches priority wise.19:46
morganfainberghenrynash, so def. high prio.19:47
*** henrynash has quit IRC19:48
morganfainbergdstanek, so if those test issues are cleared up you'd be +2 on fernet tokens?19:48
morganfainbergklwt19:48
morganfainbergor whatever they are called19:48
*** henrynash has joined #openstack-keystone19:48
*** ChanServ sets mode: +v henrynash19:48
*** lhcheng has joined #openstack-keystone19:48
henrynashmorganfainberg; let me check on that…I thought I caught them all19:48
morganfainberghenrynash, it was one of the last ones in the chain19:48
*** arunkant has joined #openstack-keystone19:50
rodrigodsmorganfainberg, during the reseller implementation we found some bugs... can they be evaluated? (the fixes are already submitted)19:50
dstanekmorganfainberg: yeah, and i think the ordering is also important19:50
morganfainbergdstanek, hm? the ordering?19:50
morganfainbergdstanek, missing context now.19:50
openstackgerrithenry-nash proposed openstack/keystone: Mark the domain config API as experimental  https://review.openstack.org/16003219:51
dstanekmorganfainberg: https://review.openstack.org/#/c/145317/33/keystone/cli.py19:51
morganfainbergoh19:51
morganfainbergyeah19:51
morganfainbergif there wasn't test issues i'd say we push that as a quick cleanup on the end19:51
morganfainbergbut since it's test issues, lets get both done at once19:51
henrynashstevemar: if you get a chance to at least kick off https://review.openstack.org/#/c/157701/6 (which I know you reviewed before)19:56
henrynashstevemar:….that would be great…19:57
stevemarhenrynash, looking now19:57
*** joesavak has joined #openstack-keystone19:58
stevemarthere is no delta between when i reviewed it the first time and the proposed code, nice :D19:58
stevemari think i just took issue with the msg19:58
henrynashstevemar: Yes, I changed the commit message to make it clear that this was scoffolding as well as a refactor19:59
henrynashstevemar: “scoffolding’ : the art of cramming as much as possible into one’s mouth…20:00
*** jsavak has quit IRC20:00
*** jimbaker has quit IRC20:00
henrynashstevemar: thx20:01
stevemarnp20:01
*** nellysmi_ has joined #openstack-keystone20:05
*** jimbaker has joined #openstack-keystone20:06
*** jimbaker has quit IRC20:07
*** jimbaker has joined #openstack-keystone20:07
*** fifieldt has quit IRC20:07
*** nellysmitt has quit IRC20:09
*** EmilienM|afk is now known as EmilienM20:10
*** karimb has joined #openstack-keystone20:12
*** _afezekas|pub has joined #openstack-keystone20:13
morganfainberglbragstad, dolphm, you guys got dstanek's comments or do you want us to handle them as we prepare to put this through gate? [i'm looking at post food]20:14
morganfainbergi think most comments have been addressed and minor other changes besides the test ones can happen in a followup.20:14
dolphmmorganfainberg: i'll take a poke unless lbragstad has uncommitted changes to make?20:14
morganfainbergunless someone has a major issue between now and then.20:14
morganfainbergdolphm, cool.20:14
morganfainbergdolphm, figure i'd ask because unless there is a major issue i'd like to get this gating today20:15
dstanekafter those last few small things i think it's ready to go20:15
lbragstaddolphm: morganfainberg I can do it, I don't have anything outstanding locally (working on getting federation setup to test this with)20:15
dolphmmorganfainberg: i still have changes i'd like to try - like moving the version into the integrity verified message :)20:15
dolphmmorganfainberg: but none would be blockers20:15
dstaneklbragstad: your other review has the same test issues20:15
dstaneklbragstad: i just put a quick comment on it; although i'm still going over the details of the new tests20:17
lbragstaddstanek: so do you want me to get rid of the matchers or just use them directly in every test case?20:17
morganfainberglbragstad, more important .assert_true isn't correct20:17
morganfainbergthe use of^20:17
morganfainberglbragstad, though the direct use of the matchers would be better for readability20:17
lbragstadmorganfainberg: dstanek ok, I can address that20:17
dstaneklbragstad: i don't care either way - we have been trending toward matchers in general though20:17
dstanekmorganfainberg: ++20:18
dolphmlbragstad: responded to dstanek's comments with a few suggestions - i agree with all of them20:23
dolphmlbragstad: the way you used assertTrue is how you would use assertThat instead20:24
lbragstadmakes sense, I'll refactor20:24
dolphmlbragstad: hopefully those tests won't suddenly fail! (subtle catch, dstanek!)20:24
*** fifieldt has joined #openstack-keystone20:24
*** mriedem has joined #openstack-keystone20:25
mriedemwhere does the notification_driver config option come from? i see it in the config docs but not in the source, except in a test20:25
mriedemstevemar: ^?20:25
morganfainbergdolphm, hehe, right usage, wrong method :P20:26
morganfainbergmriedem, oslo.messaging?20:26
lbragstadmriedem: https://github.com/openstack/oslo.messaging/blob/master/oslo_messaging/notify/notifier.py#L3020:27
mriedemlbragstad: yeah looking there now, still.20:28
mriedemdigging around in guts20:28
samueldmqdstanek, ping - so it sadly looks like openstack didnt get accepted for gsoc :/20:28
samueldmqdstanek, https://www.google-melange.com/gsoc/org/list/public/google/gsoc201520:28
*** _afezekas|pub has quit IRC20:29
dstaneksamueldmq: well, that sucks20:29
lbragstadmriedem: the notification_driver looks to still be specified in the keystone.conf https://github.com/openstack/keystone/blob/master/etc/keystone.conf.sample#L35220:29
samueldmqdstanek, linux foundation wasnt as well... that looks odd20:30
samueldmqdstanek, but .. well, next year we re-apply :p20:30
mriedemmorganfainberg: lbragstad: ah https://github.com/openstack/oslo.messaging/blob/master/setup.cfg#L5020:32
lbragstadmriedem: yeah, that looks right, you also have https://github.com/openstack/oslo.messaging/blob/master/setup.cfg#L32-L3620:33
mriedemlbragstad: yeah so notification_driver=messagingv2 and rpc_backend=rabbit20:34
mriedemto get 'notifications' topic20:35
mriedemis the notifications stuff turned on at all in the gate?20:35
stevemarmriedem, it's not turned on at all in the gate20:35
mriedemwas it at one point?  i seem to remember performance issues with ceilometer/keystone/cadf20:36
stevemarwouldn't know that far back20:36
*** david-lyle has joined #openstack-keystone20:37
*** jsavak has joined #openstack-keystone20:37
lbragstaddstanek: dolphm with the fernet_keys/ suggestion here20:39
lbragstadhttps://review.openstack.org/#/c/145317/33/keystone/common/config.py20:39
lbragstadshould that be done in the fernet renaming patch?20:39
dolphmlbragstad: works for me20:40
*** joesavak has quit IRC20:41
dstaneklbragstad: dolphm: ++20:43
*** lhcheng has quit IRC20:51
*** mriedem has left #openstack-keystone20:52
*** raildo_ has joined #openstack-keystone20:54
*** samueldmq_ has joined #openstack-keystone20:56
openstackgerritMerged openstack/keystone: Remove deprecated methods and functions in token subsystem  https://review.openstack.org/15138120:57
lbragstaddolphm: question on the key rotation21:06
lbragstaddolphm: when I have an empty key directory, and I do a keystone-manage klwt_setup, I get the following output:21:06
samueldmq_henrynash, ping - have a question on your migration for adding domain config ...21:06
*** joesavak has joined #openstack-keystone21:06
lbragstaddolphm: nevermind, I answered my own question21:07
dolphmlbragstad: K :)21:08
*** andreaf_ has joined #openstack-keystone21:08
*** andreaf_ has quit IRC21:08
*** jsavak has quit IRC21:09
*** diegows has quit IRC21:13
*** rm_work is now known as rm_work|away21:14
stevemarlbragstad, whats the output you get?21:15
stevemarno keys present?21:15
lbragstadstevemar: the directory that you've specified as the key repository should contain two keys21:15
lbragstad0 and 121:16
*** lhcheng has joined #openstack-keystone21:16
lbragstadso, the first time through, it should create a new staged key, 0, and then promote that key to a primary key, 121:16
stevemarso 2 is the minimum eh21:16
lbragstadthen it should create another staged key, 021:16
lbragstadhttp://cdn.pasteraw.com/olixsladeuyf2lk6t5nmb2llu1aj4zk21:16
morganfainberghenrynash: ping. So have a question for you.21:21
*** radez is now known as radez_g0n321:21
*** lhcheng_ has joined #openstack-keystone21:21
morganfainberghenrynash: any thoughts on how to use per-domain backend where ids are needed but the Id isn't generated until the request goes through the mapping backend?21:22
*** rm_work|away is now known as rm_work21:23
*** chlong has joined #openstack-keystone21:23
*** lhcheng has quit IRC21:24
*** david-lyle has quit IRC21:27
henrynashmorganfainberg: hi21:27
*** ayoung-lunx has quit IRC21:27
henrynashmorganfainberg: can you explain some more about what you need?21:28
morganfainberghenrynash: so in short, how do I assign a role to someone in an ldap backend that goes through the mapping thing? Assuming I have added them to ldap but they have not logged in yet.21:28
*** david-lyle has joined #openstack-keystone21:28
morganfainbergOr I add a new group to LDAP, and want to assign a role to it.21:28
henrynashmorganfainberg: so if you just do an identity_api.get_user() on them it will generate a public ID for you21:30
morganfainbergSo how do I get user on them if I don't know their Id yet?21:30
morganfainbergOr get group?21:30
henrynashmorganfainberg: so you can do a list_users()21:31
henrynashmorganfainberg: (filtered by user name if you like)21:31
morganfainbergPotentially harmful if I have 10k users.21:31
morganfainbergOk. So no good answer atm b21:31
morganfainbergBecause the filtering needs the improvement still (ish)21:32
henrynashmorganfainberg: so if you know the local ID, then you could call the mapping manually I suspect to cause a public ID to be generated21:32
openstackgerritEric Brown proposed openstack/keystonemiddleware: Use oslo_config choices support  https://review.openstack.org/16003121:33
henrynashmorganfainberg: I’d have to check if all the apis needed are public21:33
henrynashmorganfainberg: filtering by name is now supported in sql and ldap backends21:33
morganfainbergRight.21:34
henrynashmorganfainberg: and there is already an explicit get_user_by_name API call21:35
morganfainbergOk cool.21:35
morganfainbergNot a rest call for get user by name though21:35
*** david-lyle has quit IRC21:35
henrynashmorganfainberg: yep, it's a v2 REST API21:37
morganfainbergHmm.21:37
morganfainbergOk so maybe a gap in v3.21:37
morganfainbergSmall gap21:37
henrynashmorganfainberg: and in v3 you would do GET /users?name=xyz21:38
henrynashmorganfainberg: which would end up doing the same thing underneath21:38
morganfainbergDidn't that do bad things? Like filtering in memory.21:38
*** ChristyF has joined #openstack-keystone21:38
morganfainbergOr did we fix that recently?21:38
henrynashmorganfainberg: so we fixed it for SQL a couple of releases ago…and my patch to fix it with LDAP merged last week21:39
morganfainbergAgh21:39
morganfainbergAhh*21:39
stevemarhey ChristyF :) glad to see you here!21:43
stevemarmorganfainberg, ^ new grunt that i'm trying to get up to speed21:44
ChristyFhey :)21:44
morganfainbergChristyF, hiya!21:44
ChristyFtryin to get my hands dirty on this stuff ... heh21:44
stevemarChristyF, still trying to setup your vm?21:45
stevemarand the whole launchpad/gerrit setup21:46
ChristyFvm is all good to go21:46
ChristyFreadin through launchpad/gerrit stuff you linked right now21:46
openstackgerritMerged openstack/keystone: Add in non-decorator notifiers  https://review.openstack.org/15860021:48
*** chlong has quit IRC21:51
openstackgerritLance Bragstad proposed openstack/keystone: Keystone Lightweight Tokens (KLWT)  https://review.openstack.org/14531721:55
openstackgerritLance Bragstad proposed openstack/keystone: Use revocation events for lightweight tokens  https://review.openstack.org/15841421:55
openstackgerritLance Bragstad proposed openstack/keystone: Implement KLWT for v2.0 tokens  https://review.openstack.org/15922921:55
*** aix has joined #openstack-keystone21:56
*** _afezekas|pub has joined #openstack-keystone21:56
openstackgerritMerged openstack/keystone: Get initiator from manager and send to controller  https://review.openstack.org/15566021:57
openstackgerrithenry-nash proposed openstack/keystone: Implement backend driver support for domain config  https://review.openstack.org/15805121:59
morganfainbergso..21:59
morganfainbergi think DOA is doing something bad w/ fernet tokens22:00
openstackgerrithenry-nash proposed openstack/keystone: Add support for whitelisting and partial domain configs  https://review.openstack.org/15867922:00
bknudsonmorganfainberg: does DOA think it's a PKI token?22:01
morganfainberghm nope not DOA.22:01
*** nkinder has quit IRC22:01
openstackgerrithenry-nash proposed openstack/keystone: Add API support for domain config  https://review.openstack.org/15875222:01
morganfainbergsomehow i lost my session22:01
morganfainberglogged in then it was invalid22:01
*** jaosorior has quit IRC22:02
morganfainbergrelog solved it22:02
openstackgerrithenry-nash proposed openstack/keystone: Enable use of database domain config  https://review.openstack.org/15967522:03
openstackgerrithenry-nash proposed openstack/keystone: Enable sensitive substitutions into whitelisted domain configs  https://review.openstack.org/15992822:03
openstackgerrithenry-nash proposed openstack/keystone: Mark the domain config API as experimental  https://review.openstack.org/16003222:03
openstackgerrithenry-nash proposed openstack/keystone: Support upload domain config files to database  https://review.openstack.org/16036422:03
henrynashgyee, samueldmq: fixed up the suggestions you had on: https://review.openstack.org/#/c/158051/22:04
*** joesavak has quit IRC22:04
*** david-lyle has joined #openstack-keystone22:05
*** _cjones_ has quit IRC22:06
openstackgerritLance Bragstad proposed openstack/keystone: Implement validation on the Identity V3 API  https://review.openstack.org/13212222:08
lbragstadlhcheng_: ^ fixed a rebase issue22:08
*** _afezekas|pub has quit IRC22:10
*** _cjones_ has joined #openstack-keystone22:12
dstaneklbragstad: a small spelling error!22:12
lbragstaddstanek: which patch?22:12
dstaneklbragstad: https://review.openstack.org/#/c/145317/33..34/doc/source/configuration.rst *single22:12
*** lhcheng_ is now known as lhcheng22:13
lhchenglbragstad: thanks!22:14
lbragstadlhcheng: thank you for moving it along22:14
openstackgerritLance Bragstad proposed openstack/keystone: Keystone Lightweight Tokens (KLWT)  https://review.openstack.org/14531722:16
openstackgerritLance Bragstad proposed openstack/keystone: Use revocation events for lightweight tokens  https://review.openstack.org/15841422:16
openstackgerritLance Bragstad proposed openstack/keystone: Implement KLWT for v2.0 tokens  https://review.openstack.org/15922922:16
lbragstaddstanek: fixed22:16
lbragstaddstanek: thank you for the diligent reviews22:16
lhchenglhcheng: glad to help, still need to figure out the tricky part on how to add the password length on schema. Going to work on it when this patch merges.22:17
dstaneklbragstad: you're doing the hard part22:17
lbragstadlhcheng: yeah, that has something to do with how import works I believe... dstanek was digging into that a while ago. We should be able to get around it by using jsd22:17
lhchenglbragstad: what's "jsd" ?22:18
dstaneklhcheng: it's easy to do, but it looks really, really ugly22:18
lbragstadlhcheng: some magical stuff22:18
lbragstadlhcheng: https://github.com/dstanek/jsd22:19
dstaneklhcheng: the problem is that the decorators are set at import time, well before the config is read22:19
dstaneklhcheng: jsd is an attempt to make jsonschema usable22:19
lbragstadit should benefit us as our schema grows22:19
*** radez_g0n3 is now known as radez22:20
lhchengdstanek, lbragstad: nice! is this something we're looking at for kilo? or too late?22:21
lbragstadlhcheng: probably too late for that22:21
dstaneklhcheng: way too late22:21
lhchengheh thought so22:22
dstaneklhcheng: there's some lingering fixes that i really need to push, but it hasn't been a priority for me so far22:22
dstanekmaybe later tonight now that i've been reminded22:22
lbragstadlhcheng: jsd has some good ground work, but we'd need to develop it a bit more in order to use it fully in keystonbe22:22
lbragstadkeystone*22:22
lbragstadlhcheng: http://lbragstad.com/?p=1522:23
dstanekthere twitter now knows how i feel about jsonschema22:23
*** pnavarro has quit IRC22:23
lhchenglbragstad: umm.. the recipe post distracted me from reading the keystone post22:28
*** ajayaa has joined #openstack-keystone22:28
*** topol has quit IRC22:29
lhchengdstanek: nice, seems a lot cleaner. ++ on making it reusable22:32
*** stevemar has quit IRC22:33
lbragstadlhcheng: lol yeah, they distract me too22:34
samueldmq_henrynash, ok thanks, I'm reviewing the other on that chain :)22:34
*** henrynash has quit IRC22:38
*** csoukup has quit IRC22:40
*** flaviof has left #openstack-keystone22:44
*** mattfarina has quit IRC22:44
*** radez is now known as radez_g0n322:47
dolphmmorganfainberg: i think dstanek made a mistake and put a +2 on https://review.openstack.org/#/c/145317/ almost 3 weeks before feature freeze. should probably -2 for a week or two just to be safe?22:49
dstanekdolphm: morganfainberg: i thought we were trying to get that through. i may have mis-read the conversation this morning though22:50
morganfainbergdolphm, uhm. wait what?22:51
* morganfainberg is suddenly very confused.22:51
* dolphm is joking22:51
* morganfainberg can't tell if dolphm ... yeah22:51
morganfainbergok22:51
morganfainberg:)22:52
* lbragstad got that joke! 22:52
* dolphm is just trying to give morganfainberg a heart attack22:52
* morganfainberg -2's everything and rage quits (/s)22:52
morganfainberg:)22:52
morganfainbergooh i just realized a minor improvement we can make to dogpile, zzzeek might like this.22:53
dstanekdolphm: you make me want to drink22:53
morganfainbergmaybe,...22:53
dolphmdstanek: haha22:54
dolphmdstanek: that's what friends are for!22:54
openstackgerritMorgan Fainberg proposed openstack/keystone: Make the default cache time more explicit in code  https://review.openstack.org/11358622:54
*** ajayaa has quit IRC22:56
morganfainberglbragstad, https://review.openstack.org/#/c/160040/ needs a rebase22:57
morganfainbergbtw, +3 on KLWT.22:58
morganfainbergat this point i think we're going to pile on any fixes at the end barring major problems [ and we addressed the majority of those afaict ]22:58
morganfainbergs/majority/all22:59
*** nkinder has joined #openstack-keystone23:05
dolphmmorganfainberg: !! lbragstad23:05
dolphmlbragstad: well done, sir!23:06
dolphmlbragstad: i've got a rebase of the rename patch ready to go, including the key dir rename, sample config update, etc23:06
*** bknudson has quit IRC23:08
dstanekdolphm: did you fix the caps issue?23:08
dolphmdstanek: yep! running tests to make sure i didn't break anything before posting23:08
openstackgerritLin Hua Cheng proposed openstack/keystone: On creation default service name to empty string  https://review.openstack.org/14696223:10
*** nellysmi_ has quit IRC23:21
*** nellysmitt has joined #openstack-keystone23:23
*** rm_work is now known as rm_work|away23:24
*** nellysmitt has quit IRC23:28
*** gordc has quit IRC23:31
*** jorge_munoz has quit IRC23:32
*** chlong has joined #openstack-keystone23:33
*** henrynash has joined #openstack-keystone23:36
*** ChanServ sets mode: +v henrynash23:36
*** openstackgerrit has quit IRC23:38
*** rm_work|away is now known as rm_work23:38
*** openstackgerrit has joined #openstack-keystone23:38
*** ljfisher has quit IRC23:42
*** _cjones_ has quit IRC23:47
*** ayoung-lunx has joined #openstack-keystone23:47
*** _cjones_ has joined #openstack-keystone23:51
openstackgerritDolph Mathews proposed openstack/keystone: Rename "Keystone LightWeight Tokens" (KLWT) to "Fernet" tokens  https://review.openstack.org/16004023:52
openstackgerritDolph Mathews proposed openstack/keystone: Rename "Keystone LightWeight Tokens" (KLWT) to "Fernet" tokens  https://review.openstack.org/16004023:54
dolphmmorganfainberg: the one you just +2'd had an unintended inconsequential change23:55
morganfainbergsaw23:55
morganfainberg+2ing again23:55
morganfainbergwow, 300 lines of testing for +1,-1 change23:56
*** EmilienM is now known as EmilienM|afk23:58
