Thursday, 2015-06-25

*** tqtran is now known as tqttran_afk		00:00
*** csoukup has quit IRC		00:01
openstackgerrit	Merged openstack/keystonemiddleware: Updated from global requirements https://review.openstack.org/192375	00:03
*** geoffarnold has joined #openstack-keystone		00:03
*** geoffarn_ has joined #openstack-keystone		00:04
*** david-ly_ has joined #openstack-keystone		00:06
*** geoffarnold has quit IRC		00:07
*** david-lyle has quit IRC		00:08
*** geoffarn_ has quit IRC		00:09
*** nkinder has joined #openstack-keystone		00:09
*** ankita_w_ has quit IRC		00:09
*** roxanaghe has joined #openstack-keystone		00:11
*** dims_ has joined #openstack-keystone		00:14
*** edmondsw has joined #openstack-keystone		00:16
*** dims has quit IRC		00:16
*** edmondsw_ has joined #openstack-keystone		00:16
*** edmondsw_ has quit IRC		00:17
*** gyee_ has quit IRC		00:17
*** shaleh has quit IRC		00:28
*** rushiagr_away is now known as rushiagr		00:32
*** rwsu has quit IRC		00:38
*** geoffarnold has joined #openstack-keystone		00:41
*** lhcheng has quit IRC		00:42
*** boris-42 has quit IRC		00:42
*** edmondsw has quit IRC		00:47
*** r-daneel has quit IRC		00:48
*** rushiagr is now known as rushiagr_away		00:49
*** jimbaker has quit IRC		00:53
*** nkinder has quit IRC		00:53
*** tobe has joined #openstack-keystone		00:56
*** sigmavirus24 is now known as sigmavirus24_awa		00:58
*** geoffarnold has quit IRC		01:00
*** ankita_wagh has joined #openstack-keystone		01:04
*** Rockyg has joined #openstack-keystone		01:05
*** charlesw has joined #openstack-keystone		01:06
*** lhcheng has joined #openstack-keystone		01:17
*** ChanServ sets mode: +v lhcheng		01:17
*** Kennan has left #openstack-keystone		01:18
samueldmq	morganfainberg: ayoung ping - policy cache strategy, cache control	01:27
ayoung	samueldmq, fire away	01:30
*** davechen_away is now known as davechen		01:31
samueldmq	ayoung: still didn't get the exact solution, I mean, how it solves the issue	01:31
ayoung	samueldmq, heh...there was a lot of talk, wasn't there	01:32
samueldmq	ayoung: cache_control is the timeout in which processes will ask keystone for the policy	01:32
ayoung	samueldmq, so...I'm less worried about this than morganfainberg is. But, I'll try to answer	01:33
ayoung	the general idea is that we want to state that a certain point in time is when the policy gets changed over, so that all machines are in sync, and answer the policy questions the same way	01:33
ayoung	so, we want to tell machines: if your policy is older than x Go get a new one	01:34
ayoung	now, that alone won't synchronize, as the machines will time out at different times	01:34
samueldmq	ayoung: exactly	01:35
samueldmq	ayoung: go ahead :)	01:35
ayoung	so, what we want to say is something like: ok, make the timeout on this policy shorter than normal, cuz the next fetch will be a new policy file...or something like that	01:35
ayoung	it means that policy can't go in to effect immediately	01:35
*** david-ly_ is now known as david-lyle		01:36
ayoung	from the client side, it just knows how long to hold on to a file before rechecking	01:36
ayoung	I think all the delay will happen from the server side.	01:36
samueldmq	ayoung: something like: keystone knows the policy is updated, so emit cache_control = 0 to this endpoint_url, so they will all update policy	01:38
samueldmq	ayoung: when the first token gets tehre	01:38
ayoung	samueldmq, something like that.	01:38
ayoung	samueldmq, I was thinking the freshness header	01:38
ayoung	so, say the timout is 5 minutes, now we enable a new policy, it iwll be delievers in 5 minutes	01:38
*** tqttran_afk has quit IRC		01:38
ayoung	all of the other machines will fetch policy between now and then. But, in 5 minutes, they will be sure to get the new file	01:39
samueldmq	ayoung: hmmm yes	01:39
ayoung	so we tell them all that the file expires at the same time	01:39
samueldmq	ayoung: one can get very qucik; other can take 5 minutes	01:39
samueldmq	ayoung: wait ... what if ..	01:40
ayoung	samueldmq, stampeding herd tjhe way I described i? yeah	01:40
samueldmq	ayoung: we will pass a very short cache_control once keystone knows there is a new policy to be syncrhonized	01:41
samueldmq	ayoung: but what if a process get a new token (so updated cache_control, which is very low)	01:41
*** _cjones_ has quit IRC		01:41
samueldmq	ayoung: but other get an older token; which hasn't an update cache_control?	01:41
ayoung	samueldmq, so..I'm not 100% sure, but we could do something like return a code saying " a new policy file has been distributed, but is not yet active: please fetch it, too"	01:44
ayoung	and then policy would hold on to both..and activate the new one when the old one expired	01:44
ayoung	samueldmq, you get the general idea...we can keep working to get the details down.	01:45
ayoung	I need to work on a demo here, so, have to checkout for a bit	01:45
*** dims_ has quit IRC		01:45
samueldmq	ayoung: yes, and tht's better than having basic fixed timeouts on the middleware	01:45
samueldmq	ayoung: thanks	01:46
*** davechen is now known as davechen_afk		01:50
*** roxanaghe has quit IRC		01:50
*** dims has joined #openstack-keystone		01:50
samueldmq	ayoung: dum question, I can say 13:00 UTC and all processes will understand it	01:53
samueldmq	ayoung: instead of communicating with timeouts ?	01:54
ayoung	samueldmq, I think so.	01:54
samueldmq	ayoung: so tokens could communicate to processes the time for the last ufpate of policy	01:56
samueldmq	ayoung: then if now() > last_update: FETCH!	01:56
*** dontalton has quit IRC		01:56
samueldmq	ayoung: however that's similar to cache_control = 0, or something like that	01:56
*** spandhe has quit IRC		01:57
ayoung	samueldmq, I don't think it would be in the tokens. All data would have to be passed in the policy fetch	01:58
samueldmq	ayoung: cache_control is in the policy?	01:59
ayoung	samueldmq, I need to work on sometjhing else right now. Sorry	02:00
samueldmq	ayoung: np, thanks	02:00
samueldmq	ayoung: talk to you tomorrow	02:00
*** dims has quit IRC		02:04
*** stevemar has joined #openstack-keystone		02:07
*** dims has joined #openstack-keystone		02:10
*** fangzhou has quit IRC		02:14
*** dramakri has quit IRC		02:15
*** rm_work is now known as rm_work\|away		02:18
*** Rockyg has quit IRC		02:22
*** nkinder has joined #openstack-keystone		02:33
*** ankita_wagh has quit IRC		02:35
*** mestery has joined #openstack-keystone		02:44
*** mestery has quit IRC		02:57
*** mestery has joined #openstack-keystone		02:57
*** dims has quit IRC		02:58
*** stevemar has joined #openstack-keystone		03:03
*** ChanServ sets mode: +v stevemar		03:03
*** amit213 has quit IRC		03:12
*** amit213 has joined #openstack-keystone		03:13
*** stevemar has quit IRC		03:15
*** davechen has joined #openstack-keystone		03:15
morganfainberg	samueldmq, ayoung: the cache_control would be dynamic so it always refreshes on the same interval. so say we had a cache_control of 5 min refresh, we would if asked right at the 5 min mark say 300s freshness	03:18
morganfainberg	samueldmq, ayoung: if it was 2.5 minutes through the window, we'd cache_control freshness for 150s	03:18
morganfainberg	the math is to slice into the windows for update, and then always ensure freshness expires at the same moment for a given policy file	03:19
*** tobe has quit IRC		03:26
*** mabrams has joined #openstack-keystone		03:28
morganfainberg	i think freshness is: (ttl_window - ((int(time.time() - upload_time) % ttl_window))))	03:30
morganfainberg	yep	03:30
morganfainberg	that looks right	03:30
morganfainberg	assuming upload_time is unix_epoch	03:31
morganfainberg	this could be done wiht date_time objects and deltas soo	03:31
morganfainberg	too*	03:31
*** stevemar has joined #openstack-keystone		03:31
morganfainberg	samueldmq, ayoung, ^ and that would ensure that all nodes for the given policy would refresh at the same time(well next request)	03:32
*** stevemar has quit IRC		03:32
morganfainberg	the last element to add is a fixed (seeded) RNG in to avoid thundering herd	03:33
morganfainberg	so only a given set of endpoints (URL) will refresh at that moment	03:33
ayoung	morganfainberg, won't that have a stampeding herd, unless we say to also fetch the new file	03:33
morganfainberg	ayoung: not if we box it to the url	03:33
morganfainberg	so RNG(seed=sha(URL)) and use that as the offset	03:34
morganfainberg	or something similar	03:34
ayoung	morganfainberg, we do freshness + an indicator to fetch the new policy file, too, and just stagger the machines	03:34
morganfainberg	ayoung: we'd use IMS	03:34
ayoung	so it holds the new policy file in readiness, but does not deploy it until the old one expires	03:34
morganfainberg	so what IMS does is it says "has this been modified" - yes? send the whole file, else NOT_MODIFIED(cache_control update)	03:34
morganfainberg	ayoung: we can do that as well	03:35
morganfainberg	ayoung: and have a "not_released_until" field, but that can be strictly inside keystone. - i don't think that needs to live at the endpoint	03:35
ayoung	morganfainberg, maybe we could do it as a multipart, with each policy file being a separate part	03:35
morganfainberg	ayoung: there are many ways to skin it.	03:36
morganfainberg	ayoung: i'm trying to avoid needing to store local metadata at the endpoint	03:36
*** richm has quit IRC		03:36
ayoung	morganfainberg, I can;t help but feel I am overdesigning	03:36
morganfainberg	just the policy file	03:36
morganfainberg	and if you don't have a TTL and fetch is enabled, you do a non-IMS fetch	03:36
morganfainberg	or an IMS fetch based on the m_time of the policy cache	03:37
ayoung	we going to use dogpile for the cache?	03:37
morganfainberg	ayoung: we could. we could also jsut use posix	03:37
ayoung	would be nice to be able to identify that multiple requests are coming in, and they should all just block until ojne fetch of policy is done, not have each make their own	03:38
morganfainberg	ayoung: i'm not picky how we store the cache at the endpoint. we can discuss best choices (dogpile has advantages and disadvantages)	03:38
morganfainberg	ayoung: dogpile can do async runners to help	03:38
morganfainberg	it's a lot of code, we could start with simple POSIX and atomic renames	03:38
ayoung	yeah, I think that might be a better approach than having ATM be involved	03:38
morganfainberg	and then move to dogpile after. the cache_control and IMS checks [with an offset] should be enough and fairly simple logic	03:38
*** tobe has joined #openstack-keystone		03:39
morganfainberg	and it does have the benefit of no extra metadata needs to be persisted to disk at the endpoint, just the policy cache	03:40
morganfainberg	s/disk/whatever cache store we use/	03:40
morganfainberg	ayoung: but leveraging dogpile can be done, we can even use the async runner and uhmm.. they call it... uhhh basically a window, so you can say "even though this is expired, you keep using it for X seconds while i fetch the new thing"	03:43
morganfainberg	ayoung: but it also would be easy to use the posix file-lock-method, all processes block while fetch occurs, fetch, rename, unblock IMS checks say NOT_MODIFIED	03:44
morganfainberg	or similar	03:44
ayoung	morganfainberg, so...I would prefer it if the fetch happend asyn, and not in the thread making the request	03:45
ayoung	it would avoid a slowdown everytime we expire policy	03:46
morganfainberg	ayoung: we'd need to spin off a process	03:46
morganfainberg	ayoung: because $GIL	03:46
morganfainberg	but doable	03:46
ayoung	yep	03:46
ayoung	ok...bedtime	03:46
*** ayoung is now known as ayoung-ZZZzzz__		03:46
lifeless	morganfainberg: wait what?	03:47
lifeless	morganfainberg: GIL is not the same as no concurrency, its just no concurrent bytecode	03:47
morganfainberg	lifeless: if we are doing I/O in a blocking manner - we can't guarantee we'd yeild back to the coroutines if eventlet	03:48
morganfainberg	lifeless: if single-process / worker models, we'd block more/less	03:48
lifeless	morganfainberg: I thought you ditced eventlet ?	03:48
morganfainberg	if the fetch occured in-thread of the request processer	03:48
morganfainberg	lifeless: this is something all endpoints would need to use	03:48
lifeless	ah	03:49
morganfainberg	lifeless: not just keystone	03:49
lifeless	so	03:49
lifeless	can you summarise the blocking IO you're planning?	03:49
morganfainberg	lifeless: it's a question of the best way to fetch a file from keystone w/o blocking everything	03:49
morganfainberg	lifeless: TTL of the policy cache is expired, we need to do an If modified since check	03:49
lifeless	thats network, it isn't blocking in eventlet	03:49
morganfainberg	and if modified, write the new file out to our cache and reload	03:50
morganfainberg	the write-out+reload would be blocking iirc	03:50
*** ankita_wagh has joined #openstack-keystone		03:50
morganfainberg	depending on the cache used	03:50
lifeless	disk IO reads and writes will release the GIL	03:50
morganfainberg	if we do posix, non-issue	03:50
morganfainberg	if we use other options it could be an issue if it's c-based bindings	03:50
lifeless	right	03:50
lifeless	anything C needs to be eventlet trampoline aware	03:51
lifeless	anything in CPython is fine I suspect	03:51
morganfainberg	lifeless: so i was just hedging the statement we might need to spin out a process for a true async	03:51
morganfainberg	but i didn't want to get too deep into it until we started writing code	03:51
lifeless	kk	03:51
morganfainberg	and evaluating how we wanted to fetch	03:51
lifeless	so sure	03:51
morganfainberg	not sure if dbm is trampoline aware	03:52
lifeless	is there a spec around this	03:52
morganfainberg	which is one of the options if we didn't do straight posix write to disk, but a dogpile-background	03:52
lifeless	because its sounding a lot more complex than anything I'd have imagined	03:52
morganfainberg	lifeless: there is, but they are being written up now based on our new liberty specific targets	03:52
lifeless	like	03:52
morganfainberg	lifeless: the three [4?] simple elevator pitch goals	03:53
lifeless	why an external cache at all	03:53
morganfainberg	in order	03:53
lifeless	and why synchronous expiry at all	03:53
morganfainberg	1: oslo.policy can merge base-line policy with overrides	03:53
morganfainberg	lifeless: if we centralize policy and you have multiple nova-apis (think HA/master-master) on separate nodes, you need the overrides to land at the same time	03:53
lifeless	morganfainberg: then you need a consensus protocol	03:54
morganfainberg	or you get the chance of requests being rejected / accepted inconsistently	03:54
lifeless	morganfainberg: or 'same time' is not rigorously defined	03:54
morganfainberg	lifeless: if we assume (and this is true) we'd fetch on "next request after TTL expires", we can use cache_control freshness to ensure we fetch at the same request interval	03:54
morganfainberg	lifeless: and IMS checks to see if we have an update in a light-weight manner	03:55
*** lhcheng has quit IRC		03:55
morganfainberg	multiple processes on a single node currently read from the same posix file. we could just rely on that	03:55
morganfainberg	it's the multi-node scenario we run into issues with	03:55
morganfainberg	this all stems from the fact that if we no longer use CMS to deploy a policy file (aka puppet), you don't have control over the windows (or as much) for when a file would be picked up	03:56
morganfainberg	in the case someone used the CRUD interface	03:56
morganfainberg	and it produces very very very very bad things potentially when balancing requests between nodes	03:56
*** charlesw has quit IRC		04:01
*** dramakri has joined #openstack-keystone		04:04
*** vilobhmm has joined #openstack-keystone		04:14
*** stevemar has joined #openstack-keystone		04:14
*** mestery has quit IRC		04:19
*** mestery_ has joined #openstack-keystone		04:19
*** ncoghlan has joined #openstack-keystone		04:29
*** arunkant_ has joined #openstack-keystone		04:35
*** stevemar2 has joined #openstack-keystone		04:37
*** ChanServ sets mode: +v stevemar2		04:37
*** arunkant__ has joined #openstack-keystone		04:37
*** arunkant has quit IRC		04:38
*** arunkant_ has quit IRC		04:41
*** arunkant has joined #openstack-keystone		04:42
*** arunkant__ has quit IRC		04:44
*** csoukup has joined #openstack-keystone		04:45
*** c_soukup has joined #openstack-keystone		04:48
*** csoukup has quit IRC		04:50
*** c_soukup has quit IRC		04:59
*** csoukup has joined #openstack-keystone		04:59
*** spandhe has joined #openstack-keystone		05:04
*** dramakri has left #openstack-keystone		05:05
*** stevemar has quit IRC		05:06
*** stevemar has joined #openstack-keystone		05:07
*** mestery_ has quit IRC		05:09
*** smija has quit IRC		05:12
*** rm_work\|away is now known as rm_work		05:13
*** henrynash has joined #openstack-keystone		05:18
*** ChanServ sets mode: +v henrynash		05:18
*** stevemar has quit IRC		05:18
*** stevemar has joined #openstack-keystone		05:19
*** lhcheng has joined #openstack-keystone		05:26
*** ChanServ sets mode: +v lhcheng		05:26
*** vilobhmm has quit IRC		05:26
davechen	stevemar: I am going to update DB scripts for the other entities, update the FK contraint to replace the 'RESTRICT' with 'CASCADE'.	05:27
stevemar	davechen: which others are you thinking	05:28
davechen	stevemar: Have replied to your comments.	05:28
davechen	stevemar: a lot of.	05:28
davechen	stevemar: endpoint/service, endpoint/service	05:28
davechen	access_token/consumer...	05:28
davechen	yep, I am wondering whether there is a need to address them all.	05:29
stevemar	hmm	05:29
stevemar	i think the access tokens / consumers are cleaned up decently	05:29
davechen	stevemar: but as to your comments for that patch, I think it's covered since we use SQLITE by default.	05:29
stevemar	ahh	05:30
davechen	stevemar: I will check them later.	05:30
davechen	not covered, sorry.	05:30
davechen	just suppose one day, we will enable MYSQL, DB2 etc, then the testcase will be tested well.	05:31
mfisch	dolphm: lbragstad fernet is in prod	05:31
mfisch	automation worked like a champ	05:31
mfisch	16s downtime all due to upgrading the packages	05:31
davechen	stevemar: If there is not big mistake, or silly mistake in that patch, let me propose other patches for other entities.	05:32
stevemar	mfisch: thats insanely good	05:33
stevemar	davechen: sure, it couldn't hurt, thanks for working on this stuff	05:33
davechen	stevemar: your MAC is back to work? :)	05:33
stevemar	davechen: almost :\ still getting the hang of it	05:34
davechen	stevemar: dont say that, I must thank you for instruct me such things to do.	05:34
stevemar	its all good :)	05:35
davechen	stevemar: it must be a long day, for your valueable MAC book. :)	05:35
stevemar	davechen: trying to get our corporate mail all set up	05:36
stevemar	proving to be difficult...	05:36
davechen	outlook?	05:37
stevemar	davechen: worse, notes hehe	05:37
davechen	stevemar: take care, man!	05:37
*** markvoelker has quit IRC		05:43
*** browne has quit IRC		06:01
marekd	morganfainberg: hey, hopefully i will get to the point where i will start (finally!) implement functional tests for OS-FEDERATION.	06:01
marekd	morganfainberg: (re co your valid comment on https://review.openstack.org/#/c/188881/ )	06:01
*** raildo has quit IRC		06:04
*** samueldmq has quit IRC		06:04
*** iurygregory has quit IRC		06:05
*** tellesnobrega has quit IRC		06:05
*** ericksonsantos has quit IRC		06:05
*** pnavarro\|off has quit IRC		06:08
*** stevemar has quit IRC		06:09
*** tobe has quit IRC		06:14
*** arunkant_ has joined #openstack-keystone		06:17
*** arunkant__ has joined #openstack-keystone		06:18
*** csoukup has quit IRC		06:18
*** arunkant has quit IRC		06:20
marekd	stevemar2: good evening sir!	06:21
marekd	stevemar2: need your help on https://review.openstack.org/#/c/195132/ . I added bug reference so I hope i can count on a +2!	06:21
*** arunkant_ has quit IRC		06:22
*** tobe has joined #openstack-keystone		06:33
openstackgerrit	Dave Chen proposed openstack/keystone: Show friendly message when request body is empty https://review.openstack.org/195429	06:38
*** toddnni has quit IRC		06:41
*** toddnni_ has joined #openstack-keystone		06:41
*** jaosorior has joined #openstack-keystone		06:41
*** toddnni_ is now known as toddnni		06:41
*** ankita_wagh has quit IRC		06:42
*** markvoelker has joined #openstack-keystone		06:43
*** markvoelker has quit IRC		06:49
*** stevemar has joined #openstack-keystone		06:50
*** belmoreira has joined #openstack-keystone		06:53
*** stevemar has quit IRC		06:54
*** stevemar has joined #openstack-keystone		06:54
*** stevemar has quit IRC		06:56
*** aix has joined #openstack-keystone		06:56
*** spandhe has quit IRC		06:58
*** bradjones has quit IRC		07:02
*** bradjones has joined #openstack-keystone		07:04
*** bradjones has quit IRC		07:04
*** bradjones has joined #openstack-keystone		07:04
*** stevemar2 has quit IRC		07:13
*** rlt_ has joined #openstack-keystone		07:15
*** lsmola has joined #openstack-keystone		07:28
*** ankita_wagh has joined #openstack-keystone		07:36
*** tobe has quit IRC		07:48
*** tobe has joined #openstack-keystone		08:04
*** ankita_wagh has quit IRC		08:09
*** dguerri` is now known as dguerri		08:21
*** lhcheng has quit IRC		08:24
openstackgerrit	Dave Chen proposed openstack/keystone: Move resource(domain, project) testcase into their own module https://review.openstack.org/195449	08:27
*** e0ne has joined #openstack-keystone		08:32
openstackgerrit	Dave Chen proposed openstack/keystone: Move resource related testcase into their own module https://review.openstack.org/195449	08:32
*** markvoelker has joined #openstack-keystone		08:32
*** e0ne has quit IRC		08:37
*** markvoelker has quit IRC		08:37
openstackgerrit	Dave Chen proposed openstack/keystone: Move resource related testcase into their own module https://review.openstack.org/195449	08:50
openstackgerrit	Dave Chen proposed openstack/keystone: Move resource related testcase into their own module https://review.openstack.org/195449	08:52
*** henrynash has quit IRC		09:09
*** e0ne has joined #openstack-keystone		09:10
*** fhubik has joined #openstack-keystone		09:10
*** ncoghlan has quit IRC		09:13
*** e0ne is now known as e0ne_		09:16
*** e0ne_ has quit IRC		09:22
*** henrynash has joined #openstack-keystone		09:24
*** ChanServ sets mode: +v henrynash		09:24
*** henrynash has quit IRC		09:30
*** e0ne has joined #openstack-keystone		09:33
*** lufix has joined #openstack-keystone		09:37
*** henrynash has joined #openstack-keystone		09:38
*** ChanServ sets mode: +v henrynash		09:38
*** fhubik is now known as fhubik_afk		09:43
*** stevemar has joined #openstack-keystone		09:44
*** fhubik_afk is now known as fhubik		09:45
*** stevemar has quit IRC		09:45
*** davechen has left #openstack-keystone		09:51
*** amakarov_away is now known as amakarov		09:54
*** henrynash has quit IRC		10:00
*** nkinder has quit IRC		10:03
*** nkinder has joined #openstack-keystone		10:04
*** edmondsw has joined #openstack-keystone		10:06
*** edmondsw has quit IRC		10:06
*** edmondsw has joined #openstack-keystone		10:07
*** dims has joined #openstack-keystone		10:14
*** husanu3 has joined #openstack-keystone		10:19
*** markvoelker has joined #openstack-keystone		10:21
*** fhubik is now known as fhubik_afk		10:23
*** husanu3 has quit IRC		10:25
*** markvoelker has quit IRC		10:25
*** fhubik_afk is now known as fhubik		10:25
*** husanu1 has joined #openstack-keystone		10:26
*** nkinder has quit IRC		10:28
*** husanu1 has quit IRC		10:28
openstackgerrit	Marek Denis proposed openstack/keystone: OS-FEDERATION no longer extension in docs https://review.openstack.org/192671	10:29
*** husanu4 has joined #openstack-keystone		10:30
*** husanu4 has quit IRC		10:31
openstackgerrit	Marek Denis proposed openstack/keystone: Update federation driver name in documentation https://review.openstack.org/192706	10:31
*** e0ne is now known as e0ne_		10:31
*** jasondot_ has joined #openstack-keystone		10:32
*** e0ne_ has quit IRC		10:36
*** jasondot_ is now known as jasondotstar		10:37
*** nkinder has joined #openstack-keystone		10:47
*** e0ne has joined #openstack-keystone		10:55
*** fhubik is now known as fhubik_afk		11:01
*** dims has quit IRC		11:02
*** dims has joined #openstack-keystone		11:05
*** evrardjp has quit IRC		11:07
*** dims_ has joined #openstack-keystone		11:10
*** dims has quit IRC		11:11
*** tobe has quit IRC		11:11
*** evrardjp has joined #openstack-keystone		11:11
*** e0ne is now known as e0ne_		11:15
*** dims_ has quit IRC		11:16
*** david-lyle has quit IRC		11:17
*** fhubik_afk is now known as fhubik		11:19
*** fhubik is now known as fhubik_afk		11:20
*** dims has joined #openstack-keystone		11:21
*** david-lyle has joined #openstack-keystone		11:21
*** e0ne_ has quit IRC		11:26
*** e0ne has joined #openstack-keystone		11:28
*** ericksonsantos has joined #openstack-keystone		11:33
*** tellesnobrega has joined #openstack-keystone		11:36
*** markvoelker has joined #openstack-keystone		11:37
*** samueldmq has joined #openstack-keystone		11:37
*** bradjones has quit IRC		11:38
*** EmilienM\|off is now known as EmilienM		11:38
*** bradjones has joined #openstack-keystone		11:41
*** bradjones has quit IRC		11:41
*** bradjones has joined #openstack-keystone		11:41
*** markvoelker has quit IRC		11:41
marekd	samueldmq: hello	11:49
marekd	samueldmq: i have a question - can you update me quickly on status of HMT and reseller in Keystone?	11:50
marekd	what's already landed and what will be landed in L ?	11:50
*** jasondotstar has quit IRC		11:50
samueldmq	marekd: I know the support for Hierarchical Projects was landed in K	11:54
samueldmq	marekd: Reseller itself (hierarchical domains) and the way we get tokens in that hierarchy is being addressed in L	11:55
marekd	samueldmq: but this only allows us to build hierarchy of the projects.	11:55
samueldmq	marekd: I can't tell you more details, the other guys here can tell you more	11:55
*** raildo has joined #openstack-keystone		11:56
samueldmq	marekd: they've been working on this subject as their primary priority	11:56
samueldmq	marekd: raildo! ^	11:56
marekd	aha, i thought you were too	11:56
marekd	rodrigods: raildo ^^	11:56
raildo	i need read the log... 1 min	11:56
samueldmq	raildo: marek wants a quick update on status of HMT and reseller in Keystone?	11:56
samueldmq	raildo: what's already landed and what will be landed in L ?	11:56
samueldmq	raildo: that's all :-)	11:57
raildo	ok :) thanks	11:57
samueldmq	marekd: I am focused on the dyanmic policies things, I know what is going on with reseller and stuff, but not in very details	11:57
raildo	we have the implementation ready, if you want to review: https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:bp/reseller,n,z	11:58
*** markvoelker has joined #openstack-keystone		11:58
raildo	and now, we are just waiting the henrynash's spec about add is_domain to tokens for projects acting as a domain be approved, to implement with this other patches.	11:58
raildo	marekd, ^	11:59
marekd	raildo: Thanks. OK, so HMT basically gives us only a projec hierarchy, right?	12:01
marekd	and all this project-domain thing is a Reseller stuff	12:01
raildo	HMT project hierarchy + inherited roles assignment for this hierarchy	12:02
marekd	is HMT somehow usable without Reseller ?	12:02
raildo	marekd, we see some use cases, like if you want to organize a departmental division for a company and distribute the resources in subprojects	12:03
marekd	let's say i have a big department in my company and i want to offload the governance of their resouces (squeezed in one domain) to them. HTM without reseller will let me do that?	12:04
raildo	or if you want to provide inherited role assignments for a group of projects, so you can assign a role in just in a part of the hierarchy	12:04
*** fhubik_afk is now known as fhubik		12:04
*** henrynash has joined #openstack-keystone		12:05
*** ChanServ sets mode: +v henrynash		12:05
raildo	hum... with only the HMT implementation, you need to create a different domain for this department	12:05
marekd	raildo: yeah, sure	12:06
marekd	say i have 4 big independent experiments at CERN	12:06
marekd	and i don't want to have to allsign quotas/add/rm users	12:07
marekd	i want to let them do this by themselves.	12:07
raildo	ok... only with HMT, you have to create a domain for each department and create a domain_admin . the problem is to control this domain, (if you want in a future, delete this resources) you must need to be domain_admin too.	12:09
raildo	or a cloud_admin	12:09
raildo	with reseller will be easier to control this, since you can create like a subdomain...	12:09
marekd	raildo: ok, takeaway message is projects will be domains	12:10
raildo	marekd, with reseller you will be able to create: domain -> subdomain -> subdomain -> project - subproject ...	12:12
raildo	marekd, when I say subdomain is project.is_domain=True :P	12:12
*** htruta has joined #openstack-keystone		12:12
raildo	so, you can isolate the users in each subdomain ( you can manage subdomains or not, but by default you can't manage)	12:13
marekd	https://review.openstack.org/#/c/195132/ -> already got 2x+2 from IBM. Can I get +A on this?	12:14
marekd	raildo: it's too complicated to mee :P	12:15
* raildo need to find a way to explain this in a easy way		12:16
samueldmq	morganfainberg: I'll be writing that policy fetch + cache approach in the spec today	12:17
samueldmq	morganfainberg: so I have things to discuss/confirm with you :-)	12:17
*** bknudson has joined #openstack-keystone		12:19
*** ChanServ sets mode: +v bknudson		12:19
samueldmq	morganfainberg: basically we have a TTL for a policy (aka freshness), and when this TTL expires, we do an IMS request to keystone	12:20
samueldmq	morganfainberg: however, this doesn't guarantee that TTL will be expiring at the same time in different processess	12:21
samueldmq	processes*	12:22
*** fhubik is now known as fhubik_afk		12:22
samueldmq	morganfainberg: because they'll time out at different times	12:23
*** fhubik_afk is now known as fhubik		12:26
*** btully has quit IRC		12:28
*** btully has joined #openstack-keystone		12:28
samueldmq	morganfainberg: unless, as Keystone, I know the policy was updated as 12:00 UTC, and I know TTL is 300 seconds, so I tell that policy cannot be used before 12:05 UTC	12:31
*** dims has quit IRC		12:31
*** dims has joined #openstack-keystone		12:31
*** david-ly_ has joined #openstack-keystone		12:35
*** david-lyle has quit IRC		12:39
*** jasondotstar has joined #openstack-keystone		12:46
*** iurygregory has joined #openstack-keystone		12:47
*** bradjones has quit IRC		12:47
*** bradjones has joined #openstack-keystone		12:50
*** bradjones has quit IRC		12:50
*** bradjones has joined #openstack-keystone		12:50
*** ajayaa has joined #openstack-keystone		12:50
*** husanu1 has joined #openstack-keystone		12:50
*** husanu1 has quit IRC		12:52
*** tellesnobrega_ has joined #openstack-keystone		12:55
*** Ctina has joined #openstack-keystone		12:56
*** husanu5 has joined #openstack-keystone		12:56
ajayaa	Hi guys. Can I use domain scoped tokens with Keystoneclient? I am passing username, user_domain_name and password argument to Client object.	12:59
ajayaa	When I try to list users, I get EndpointNotFound exception.	12:59
ajayaa	Am I doing something wrong?	13:00
*** husanu5 has quit IRC		13:00
lbragstad	mfisch congrats!	13:03
lbragstad	mfisch: any issues?	13:03
*** e0ne is now known as e0ne_		13:04
*** e0ne_ is now known as e0ne		13:04
*** belmoreira has quit IRC		13:05
*** afazekas has joined #openstack-keystone		13:08
*** radez is now known as radez_g0n3		13:08
*** pnavarro has joined #openstack-keystone		13:09
*** husanux1 has joined #openstack-keystone		13:13
*** husanux1 has quit IRC		13:13
*** husanux3 has joined #openstack-keystone		13:14
*** husanux3 has quit IRC		13:18
*** husanux6 has joined #openstack-keystone		13:20
ajayaa	lbragstad, any idea on the above question?	13:20
*** e0ne is now known as e0ne_		13:20
lbragstad	ajayaa: what if you pass a project to scope to in the client instead/	13:21
ajayaa	unauthorized.	13:21
*** husanux6 has quit IRC		13:21
*** stevemar has joined #openstack-keystone		13:21
ajayaa	I concluded that project scoped token does not contain domain information.	13:21
lbragstad	ajayaa: can you confirm that the user has access to the project?	13:21
ajayaa	Yes.	13:21
ajayaa	I can see that in mysql.	13:21
*** e0ne_ is now known as e0ne		13:22
lbragstad	ajayaa: so you tried passing the id of the project you have an assignment on here?. https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/v3/client.py#L61	13:23
ajayaa	I passed project_name	13:23
lbragstad	ajayaa: I could be wrong, but if you pass project name you might have to pass in the domain id/name of that project too	13:23
lbragstad	ajayaa: try using the project id,	13:24
ajayaa	lbragstad, You are right.	13:24
lbragstad	since that is globally unique	13:24
lbragstad	(in a deployment)	13:24
*** stevemar has quit IRC		13:24
*** husanux0 has joined #openstack-keystone		13:25
ajayaa	You do have to pass that.	13:25
lbragstad	ajayaa: is everything created under your 'default' domain?	13:25
*** husanux0 has quit IRC		13:29
ajayaa	lbragstad, No.	13:29
ajayaa	There is an admin domain.	13:29
lbragstad	ok, and that is separate from the CONF.identity.default_domain_id that you have specified?	13:30
ajayaa	yes.	13:30
lbragstad	ok	13:30
lbragstad	and you have a project created under that domain?	13:30
ajayaa	When I pass a domain scoped token using curl, I can do a list user. I want to be able to do the same thing using python-keystoneclient. In stead I get Endpointnotfound exception. (Just to clarify my question.)	13:31
openstackgerrit	Sean Dague proposed openstack/keystone: WIP: Expose functions for wsgi_scripts support https://review.openstack.org/195575	13:31
ajayaa	lbragstad, Yes, I do have a project created under that domain.	13:31
lbragstad	ajayaa: hmmm interesting... let me see if I can recreate that locally.	13:32
ajayaa	lbragstad, Thanks. That will be helpful.	13:32
ajayaa	lbragstad, What I am trying to do is write some functional tests using keystoneclient since tempest tests are practically useless if you change the policies.	13:33
ajayaa	tempest identity tests*	13:33
*** liusheng has quit IRC		13:35
lbragstad	ajayaa: are you using the v3 or the v2 client?	13:38
*** fhubik is now known as fhubik_afk		13:38
ajayaa	lbragstad, v3.	13:39
lbragstad	ok	13:39
*** zzzeek has joined #openstack-keystone		13:39
ajayaa	v2 only works with default domain, I suppose.	13:39
ajayaa	I am planning to move our stuff to v3 completely.	13:39
*** henrynash has quit IRC		13:40
*** charlesw has joined #openstack-keystone		13:47
*** samueldmq has quit IRC		13:51
*** iurygregory has quit IRC		13:51
*** tellesnobrega has quit IRC		13:51
*** tellesnobrega_ has quit IRC		13:51
*** ericksonsantos has quit IRC		13:51
*** raildo has quit IRC		13:51
*** htruta has quit IRC		13:51
ajayaa	lbragstad, you there?	13:58
*** iamjarvo has joined #openstack-keystone		13:59
*** tellesnobrega has joined #openstack-keystone		14:01
*** stevemar has joined #openstack-keystone		14:06
*** ChanServ sets mode: +v stevemar		14:06
*** stevemar_ has joined #openstack-keystone		14:06
*** r-daneel has joined #openstack-keystone		14:09
lbragstad	ajayaa: yep, still trying to recreate	14:10
*** ajayaa has quit IRC		14:10
*** tellesnobrega has quit IRC		14:11
*** e0ne is now known as e0ne_		14:13
*** tellesnobrega has joined #openstack-keystone		14:14
*** tellesnobrega_ has joined #openstack-keystone		14:21
*** e0ne_ has quit IRC		14:23
*** tellesnobrega has quit IRC		14:24
*** richm has joined #openstack-keystone		14:24
*** raildo has joined #openstack-keystone		14:28
*** fhubik_afk is now known as fhubik		14:30
*** fhubik is now known as fhubik_afk		14:32
*** htruta has joined #openstack-keystone		14:33
*** vilobhmm has joined #openstack-keystone		14:33
*** samueldmq has joined #openstack-keystone		14:33
samueldmq	morganfainberg: I think I finally got it	14:34
samueldmq	morganfainberg: keystone knows cache_timeout for endpoints on url nova_url is 5 minutes	14:35
morganfainberg	samueldmq: spend less time on how we refresh cache. There are many ways to do it	14:35
morganfainberg	Just that we need to do it.	14:35
samueldmq	morganfainberg: yes, I just got it, just want to confirm :(	14:35
samueldmq	morganfainberg: I am going to update the spec with the solution	14:35
morganfainberg	Sort of. Let's just focus on the other stuff and at mid cycle hash this caching stuff out.	14:36
*** e0ne has joined #openstack-keystone		14:36
morganfainberg	It'll be easier to draw out.	14:36
samueldmq	morganfainberg: I will write it in the spec, so we can have a formal and clear definition of the solution (or at least one possibility)	14:37
samueldmq	morganfainberg: and if we kind of agree on that, I can implement in my 'fetch and cache policy from middleware' patch	14:38
samueldmq	morganfainberg: midcycle is ~1 month, I will ping you once I have something	14:38
morganfainberg	samueldmq: sure. But like I said the other bits are really important.	14:38
morganfainberg	Fetch and cache does nothing without the changes to Oslo.policy	14:39
samueldmq	morganfainberg: like associating the policy with an URL?	14:39
samueldmq	morganfainberg: oslo.policy doing the overlay	14:39
morganfainberg	Associating with a url likewise isn't useful without the overlay capability	14:39
morganfainberg	So..	14:39
morganfainberg	See what my priority is ? :)	14:39
samueldmq	morganfainberg: yes, what I just said above ^ :-)	14:39
morganfainberg	Yep	14:40
samueldmq	morganfainberg: sure, we need to have clear specs for all them though	14:40
samueldmq	morganfainberg: and the priority for implementation is the oslo.policy change, for sure	14:40
samueldmq	morganfainberg: I got what you say, thanks	14:40
*** woodster_ has joined #openstack-keystone		14:42
samueldmq	morganfainberg: when are you planning to talk to other folks with this scope we defined for L ? (sdague and nova guys, specifically)?	14:43
*** csoukup has joined #openstack-keystone		14:43
samueldmq	morganfainberg: I mean, once we have a consistent minimum of specs defined (well defined), that's easier to get it to them	14:43
samueldmq	I am going to start with the needed work on the specs today, then implemnetation of overlay in oslo.policy	14:44
samueldmq	ayoung-ZZZzzz__: cc ^	14:44
*** iurygregory has joined #openstack-keystone		14:46
morganfainberg	samueldmq: cool.	14:51
morganfainberg	samueldmq: just expect that some of this fetch stuff etc is all going to be hashed out at mid cycle.	14:52
morganfainberg	samueldmq: because we need to look at the design.	14:52
morganfainberg	And make sure we're not over/under designing it	14:52
*** stevemar has quit IRC		14:55
bknudson	morganfainberg: -infra asked that I also give somebody auth to merge the feature branch back to master -- https://review.openstack.org/#/c/195607/	14:55
*** fhubik_afk is now known as fhubik		14:55
*** mestery has joined #openstack-keystone		14:56
morganfainberg	bknudson: will +1 that shortly	14:57
*** browne has joined #openstack-keystone		14:59
*** mabrams has quit IRC		15:00
*** fifieldt has joined #openstack-keystone		15:00
*** david-ly_ is now known as david-lyle		15:01
*** fifieldt has quit IRC		15:01
*** thedodd has joined #openstack-keystone		15:01
*** fifieldt has joined #openstack-keystone		15:01
*** ajayaa has joined #openstack-keystone		15:02
*** charlesw_ has joined #openstack-keystone		15:03
*** ayoung-ZZZzzz__ is now known as ayoung		15:04
*** charlesw has quit IRC		15:05
*** charlesw_ is now known as charlesw		15:05
*** iamjarvo has quit IRC		15:10
*** jasondotstar has quit IRC		15:10
*** diazjf has joined #openstack-keystone		15:12
*** iamjarvo has joined #openstack-keystone		15:15
*** edmondsw has quit IRC		15:16
*** ayoung is now known as ayoung-afk		15:18
*** ajayaa has quit IRC		15:23
morganfainberg	bknudson: +1	15:25
*** edmondsw has joined #openstack-keystone		15:25
*** charlesw has quit IRC		15:28
*** henrynash has joined #openstack-keystone		15:30
*** ChanServ sets mode: +v henrynash		15:30
*** e0ne is now known as e0ne_		15:35
*** e0ne_ is now known as e0ne		15:37
openstackgerrit	Rodrigo Duarte proposed openstack/keystone-specs: Expand endpoint filters to service providers https://review.openstack.org/188534	15:44
*** jasondotstar has joined #openstack-keystone		15:45
*** ajayaa has joined #openstack-keystone		15:46
rodrigods	henrynash, https://review.openstack.org/#/c/193543/ should be approved today, right?	15:48
*** pballand has joined #openstack-keystone		15:49
rodrigods	s/should/must	15:49
diazjf	marekd, rodrigods, fixed up the mapping documentation. Can you take a look when you have a chance. https://review.openstack.org/#/c/192850/	15:50
diazjf	thanks :)	15:50
*** vilobhmm has quit IRC		15:51
rodrigods	diazjf, of course, thx	15:51
*** crc32 has joined #openstack-keystone		15:52
lbragstad	ajayaa: I ended up getting forbidden issues after I created a new domain that contained a new project	15:53
lbragstad	ajayaa: I assigned a new user a role on that domain and I was able to get a domain scoped token,	15:53
lbragstad	ajayaa: but when I passed it to the Client() as token, it returned forbidden when I did any sort of operation	15:53
ajayaa	Did you try a curl with the domain scoped token?	15:55
ajayaa	lbragstad ^^	15:55
lbragstad	ajayaa: curl as in validate via curl or get users via curl?	15:56
ajayaa	yes	15:56
lbragstad	no i didn't	15:56
*** e0ne is now known as e0ne_		15:56
lbragstad	I just tried passing it to the Client()	15:56
ajayaa	curl http://localhost:5000/v3/users -H "X-Auth-Token: $TOKEN"	15:57
ajayaa	I didn't pass it to client. Tried with curl and it worked.	15:57
lbragstad	ok, i feel like that'd be a question for jamielennox\|away	15:57
henrynash	rodigods: don’t see why not!	15:59
*** lufix has quit IRC		15:59
*** arunkant_ has joined #openstack-keystone		15:59
ajayaa	lbragstad, I passed token to the client now and tried 'users.list()'. It gave EndpointNotFound exception again.	16:00
ajayaa	I will ask him jamielennox when he comes online.	16:01
*** arunkant__ has quit IRC		16:03
*** e0ne_ has quit IRC		16:06
openstackgerrit	Dolph Mathews proposed openstack/keystone-specs: User groups in token bodies https://review.openstack.org/188564	16:08
*** e0ne has joined #openstack-keystone		16:11
*** samueldmq has quit IRC		16:12
*** iurygregory has quit IRC		16:12
*** htruta has quit IRC		16:12
*** tellesnobrega_ has quit IRC		16:12
*** raildo has quit IRC		16:12
crc32	Something in devstack is cloning keystone into /opt/stack/keystone but then inserts a bunch of changes into requirments.txt and test-requirments.txt . The changes break the install of devstack http://pastebin.com/TWdE6szX When I went to the git logs the changes appear to be made by me at the time I attempted to stack.sh so I'm guessing devstack just decided to stick a bunch of version changes into keystone. How do I prevent this since the	16:13
crc32	is_projects_in_txts function seems broken.	16:13
*** RichardRaseley has joined #openstack-keystone		16:17
*** geoffarnold has joined #openstack-keystone		16:19
*** fhubik is now known as fhubik_afk		16:20
*** tellesnobrega has joined #openstack-keystone		16:22
*** geoffarnold has quit IRC		16:23
*** afazekas has quit IRC		16:23
*** geoffarnold has joined #openstack-keystone		16:24
*** raildo has joined #openstack-keystone		16:27
*** diazjf has quit IRC		16:30
*** diazjf has joined #openstack-keystone		16:35
*** jaosorior has quit IRC		16:35
*** lufix has joined #openstack-keystone		16:37
*** radez_g0n3 is now known as radez		16:38
*** fhubik_afk is now known as fhubik		16:40
*** kiranr has joined #openstack-keystone		16:42
*** htruta has joined #openstack-keystone		16:43
*** kiranr has quit IRC		16:43
*** lufix has quit IRC		16:46
*** rwsu has joined #openstack-keystone		16:52
*** jasondotstar has quit IRC		16:55
*** _cjones_ has joined #openstack-keystone		16:58
*** roxanaghe has joined #openstack-keystone		17:00
*** stevemar_ has quit IRC		17:00
*** stevemar has joined #openstack-keystone		17:01
*** henrynash has quit IRC		17:01
*** henrynash has joined #openstack-keystone		17:03
*** ChanServ sets mode: +v henrynash		17:03
*** lhcheng has joined #openstack-keystone		17:03
*** ChanServ sets mode: +v lhcheng		17:03
*** htruta has quit IRC		17:04
*** raildo has quit IRC		17:05
*** jasondotstar has joined #openstack-keystone		17:08
*** e0ne has quit IRC		17:08
*** lhcheng has quit IRC		17:09
*** tellesnobrega has quit IRC		17:10
*** _cjones_ has quit IRC		17:17
*** _cjones_ has joined #openstack-keystone		17:17
dstanek	crc32: you're seeing something change the keystone code after it is cloned? or did you change the code?	17:19
crc32	+dstanek no not the code. Something is mangling the requirments.txt and test-requirments.txt after cloning so that pthon setup.py egg_info breaks. I think its devstack trying to "auto sync" requirments or something. case when I git diff the keystone directory it shows a bunch of uncommitted changes as If I had changed the files. This is in relation to https://bugs.launchpad.net/devstack/+bug/1468808	17:22
openstack	Launchpad bug 1468808 in devstack "stack.sh downgrades pbr" [Undecided,Confirmed]	17:22
dstanek	crc32: i've not seen that behavior, but i'll see if i can reproduce	17:26
*** bradjones has quit IRC		17:26
*** spandhe has joined #openstack-keystone		17:28
*** ankita_wagh has joined #openstack-keystone		17:28
*** bradjones has joined #openstack-keystone		17:28
*** bradjones has quit IRC		17:28
*** bradjones has joined #openstack-keystone		17:28
*** Ctina_ has joined #openstack-keystone		17:31
*** jasondotstar has quit IRC		17:34
*** Ctina has quit IRC		17:35
*** Ctina_ has quit IRC		17:36
*** jasondotstar has joined #openstack-keystone		17:39
*** fangzhou has joined #openstack-keystone		17:41
*** samueldmq has joined #openstack-keystone		17:41
*** dguerri is now known as dguerri`		17:43
*** pnavarro has quit IRC		17:43
*** dramakri has joined #openstack-keystone		17:49
*** afazekas has joined #openstack-keystone		17:49
*** fhubik has quit IRC		17:50
samueldmq	the set of specs we need for our current scope are : i) policy overlay at oslo.policy; ii) fetch and cache of policy by ksmiddleware , iii) granular CRUD of policy on keystone server, allowing changes in a single rule, if needed	17:51
samueldmq	iv) allow associoation of policy per endpoint_url (already started by ayoung-afk)	17:51
samueldmq	maybe iii) and iv) will be in a single spec	17:51
samueldmq	morganfainberg: ayoung-afk cc ^	17:51
*** ayoung-afk is now known as ayoung		17:53
ayoung	samueldmq, "granular CRUD of policy on keystone server, allowing changes in a single rule" won't be Liberty	17:54
*** boris-42 has joined #openstack-keystone		17:54
*** lhcheng has joined #openstack-keystone		17:54
*** ChanServ sets mode: +v lhcheng		17:54
samueldmq	ayoung: so we only allow handling a blob in Liberty ?	17:54
ayoung	samueldmq, yes	17:54
ayoung	samueldmq, long story there	17:54
samueldmq	ayoung: we could allow POST (the whole blob), PUT (add a new rule there), DELETE and UPDATE (both the whole or a single API)	17:55
*** afazekas has quit IRC		17:55
*** diazjf has quit IRC		17:55
*** rlt_ has quit IRC		17:56
ayoung	samueldmq, yes	17:56
*** tellesnobrega has joined #openstack-keystone		17:56
ayoung	samueldmq, need to continually make progress here	17:57
samueldmq	ayoung: what if I come wiht a spec for that ? to modify the current policy api to allow granular changes ?	17:57
ayoung	make it possible to fetch policy from Keystone, then make it easier to manage on the Keystone side	17:57
samueldmq	ayoung: do you thing that's too much effort, and really can't be addressed in l?	17:57
ayoung	samueldmq, you would be competing with specs that are there already. See the work that Iorem is working on	17:57
samueldmq	ayoung: sure, I agree, that spec is the last one in ths roadmap of 4 specs	17:57
ayoung	Once again, the breadth of what Dchadwick is proposing makes it a little hard to map to what we are doing in Keystone today, but their DB drive n tool is probably the right way to go, just need to close the gaps	17:58
samueldmq	ayoung: k so this point need to be discussed later	17:59
samueldmq	ayoung: however I think their tooling would be like a backend, we needed to expose that granular CRUD on keystone anyway	17:59
ayoung	samueldmq, so, I think what you and I can do is prepare something for the midcycle, stating the overall vision, the steps to take, and the timing for each of thos steps. I think we have the absolute basics fior Liberty sketched out	18:00
ayoung	tying in to the Kent work is part of that	18:00
samueldmq	ayoung: k so the work on the granular policy api has to take into account their proposal, which somehting that brings some discussion	18:01
ayoung	++	18:01
samueldmq	ayoung: yes, so I agree the basic fetch/caching from keysotne is the core	18:02
samueldmq	ayoung: the UX can be improved later, as we go in the road	18:02
*** husanu91 has joined #openstack-keystone		18:02
samueldmq	ayoung: k got it, so ...	18:02
*** dontalton has joined #openstack-keystone		18:02
samueldmq	ayoung: i) policy overlay at oslo.policy; ii) fetch and cache of policy by ksmiddleware and iii) allow associoation of policy per endpoint_url	18:02
samueldmq	ayoung: those three we need for the core support ^, you agree ?	18:03
samueldmq	ayoung: ii and iii are already started, but need to be updated, i needs to be created	18:03
ayoung	++	18:03
ayoung	samueldmq, I is an oslo policy spec, not Keystone, btw	18:04
*** jasondotstar has quit IRC		18:05
samueldmq	ayoung: great, nice to know, I was plannig to submit it against keystone-specs	18:07
samueldmq	ayoung: thanks	18:07
samueldmq	ayoung: yep, we have oslo-specs repo	18:07
samueldmq	:)	18:07
*** husanu91 has quit IRC		18:14
*** lsmola has quit IRC		18:19
*** jasondotstar has joined #openstack-keystone		18:19
samueldmq	ayoung: can I grab/update those specs ?	18:23
samueldmq	ayoung: or are you planning to be updating them yourself ?	18:23
ayoung	samueldmq, take them	18:23
samueldmq	ayoung: I am asking to tell my managers what I will be doing	18:24
samueldmq	ayoung: great, thanks	18:24
ayoung	I'll let you know when I return to working on this stuff, and check to see what you have in flight samueldmq	18:24
*** diazjf has joined #openstack-keystone		18:24
david8hu	samueldmq, Let me know if you need any help. We can get something going quickly.	18:25
*** ducttape_ has joined #openstack-keystone		18:26
ducttape_	mfisch ping	18:26
morganfainberg	samueldmq: the oslo-spec should be really easy to land fwiw.	18:26
morganfainberg	it's not a crazy set of changes	18:26
mfisch	ducttape_: yo	18:26
samueldmq	morganfainberg: nice	18:26
* ducttape_ hopes mfisch shares a linky linky		18:26
mfisch	yeah 1s	18:26
*** med_ has joined #openstack-keystone		18:27
samueldmq	morganfainberg: so starting by that one may be the best approach	18:27
mfisch	Fernet tokens: the real story: https://goo.gl/photos/mLWSkEkMNZ2ZirjY6	18:27
samueldmq	morganfainberg: then update the others	18:27
morganfainberg	samueldmq: yep	18:27
samueldmq	ayoung: looks good!	18:27
ayoung	mfisch, you need to chase that down with some Keystone Light.	18:28
mfisch	+2	18:28
samueldmq	david8hu: sure! looking at https://wiki.openstack.org/wiki/DynamicPolicies and giving some feedback on how clear/ what we could add/remove from there would be very useful	18:28
ducttape_	when keystone light is the better drink available, it says some things about your decisions in life	18:28
morganfainberg	ducttape_: At least it isn't PBR	18:28
samueldmq	david8hu: we can also work together on the specs, making improvements to them	18:28
morganfainberg	ducttape_: you don't have to worry about being judged on both your taste in beer and how much of a hipster you are	18:29
samueldmq	david8hu: I'll start with the spec on oslo.policy, after that we can synchronize better	18:29
samueldmq	david8hu: if that makes sense to you :-)	18:29
david8hu	samueldmq, sounds good. It is always good to have something written so we can discuss it. You are already doing that. Thanks!	18:30
morganfainberg	mfisch: you.. actually drank Fernet	18:33
morganfainberg	mfisch... wow, i wouldn't wish that on anyone (it is "ok" when mixed sometimes)	18:33
mfisch	I consdiered mixing with coke but wanted to try the real thing, so thats off the list now	18:34
morganfainberg	mfisch: yeahhh shudder	18:34
mfisch	If it was Keystone Light I'd have special lined cans	18:35
ducttape_	it's really horrible. the taste won't leave my mouth	18:35
samueldmq	morganfainberg: mfisch I thought you were kidding .. but now, there is a real drink called Keystone Light :-)	18:35
ducttape_	the token switch was much less painful, compared to the drink	18:35
mfisch	samueldmq: a terrible cheap beer that I drank in college	18:36
mfisch	ducttape_: I went and rinsed my mouth out	18:36
bknudson	45 open reviews in keystone-specs	18:36
openstackgerrit	Rodrigo Duarte proposed openstack/keystone-specs: Project tree deletion https://review.openstack.org/148730	18:36
samueldmq	mfisch: hehe :-)	18:36
*** ericksonsantos has joined #openstack-keystone		18:37
*** ericksonsantos has quit IRC		18:37
samueldmq	bknudson: that's a lot!	18:37
bknudson	y, people are signing up for a lot of work	18:37
*** ericksonsantos has joined #openstack-keystone		18:38
samueldmq	bknudson: I suppose they need love (reviews)	18:38
morganfainberg	bknudson: a lot of those specs are targeted to backlog	18:38
*** timsim has joined #openstack-keystone		18:38
morganfainberg	bknudson: at least last i saw	18:38
*** samueldmq has quit IRC		18:43
*** ericksonsantos has quit IRC		18:43
*** ayoung has quit IRC		18:43
*** dontalton has quit IRC		18:44
*** jasondotstar has quit IRC		18:47
*** ROT26 has joined #openstack-keystone		18:52
*** lastops has joined #openstack-keystone		18:54
*** r-daneel has quit IRC		18:54
*** r-daneel has joined #openstack-keystone		18:55
*** dguerri` is now known as dguerri		18:55
morganfainberg	hmm. https://review.openstack.org/#/c/195348/ so close.	18:55
*** ericksonsantos has joined #openstack-keystone		18:56
bknudson	morganfainberg: somebody out there loves using keystone CLI!	18:57
bknudson	oh, it's our own functional tests	18:57
morganfainberg	bknudson: yep	18:57
morganfainberg	bknudson: this is good news imo	18:57
morganfainberg	proposing fixes for that now	18:57
*** RichardRaseley has quit IRC		18:58
bknudson	we're going to be short on functional tests	18:58
morganfainberg	lol	18:58
morganfainberg	and the merge from master needs to happen for bandit	18:59
bknudson	morganfainberg: I'M WORKING ON IT	18:59
morganfainberg	bknudson: hehe I know. ^_^	18:59
bknudson	for some reason the -infra change failed	19:00
morganfainberg	really?	19:00
morganfainberg	weird.	19:00
bknudson	and it appears to still be failing	19:00
openstackgerrit	Rodrigo Duarte proposed openstack/keystone-specs: Expand endpoint filters to service providers https://review.openstack.org/188534	19:00
morganfainberg	let me take a gander	19:00
bknudson	morganfainberg: https://jenkins02.openstack.org/job/gate-infra-puppet-apply-centos6/495/console	19:00
morganfainberg	http://logs.openstack.org/77/195577/2/check/gate-infra-puppet-apply-centos6/6417c99/console.html#_2015-06-25_16_00_12_798	19:01
morganfainberg	issues with the build taking too long	19:01
morganfainberg	not anything wrong with your change	19:01
morganfainberg	bknudson: or the get_httpd. it looks external to your change	19:02
morganfainberg	esp. since the dependant change passed	19:02
bknudson	it's taking an inordinate amount of time for that review to finish jenkins	19:02
bknudson	I was waiting for it but maybe it's not going to finish	19:03
morganfainberg	:(	19:03
*** ericksonsantos has quit IRC		19:03
bknudson	I've got the merge commit in my command window waiting to push it. (like salt n pepa)	19:04
morganfainberg	haah	19:04
*** Raildo has joined #openstack-keystone		19:04
morganfainberg	then we'll have some rebase hell	19:04
morganfainberg	and should be in a good place	19:04
bknudson	we'll need to merge every once in a while.	19:04
morganfainberg	need to finish the last couple ksa patches.	19:05
bknudson	maybe weekly	19:05
morganfainberg	bknudson: probably	19:05
morganfainberg	we should be close to releasing KSA now.	19:05
morganfainberg	need to poke jamielennox\|away though	19:05
*** ducttape_ has quit IRC		19:05
bknudson	morganfainberg: the merge conflict was with http://git.openstack.org/cgit/openstack/python-keystoneclient/commit/keystoneclient/exceptions.py?id=c57e562d2b941c47abdfea46fbe45e8f8cdf431b	19:05
morganfainberg	oh	19:06
morganfainberg	fun	19:06
morganfainberg	yeah	19:06
bknudson	and http://git.openstack.org/cgit/openstack/python-keystoneclient/commit/keystoneclient/exceptions.py?h=feature/keystoneauth_integration&id=849b205f2d0f88a638c4d5b48cd8641de7419b5b	19:06
bknudson	so exceptions was changed to use exceptions from keystoneauth	19:06
morganfainberg	right	19:06
bknudson	and also changed to add name parameter	19:06
*** jasondotstar has joined #openstack-keystone		19:07
dstanek	so many specs and so little time	19:07
bknudson	so after the merge merges somebody needs to take a look at that file	19:07
bknudson	I resolved the conflict the way I thought it needs to be	19:07
bknudson	and the tests passed for me.	19:07
bknudson	so assuming we have test coverage I did it right	19:07
morganfainberg	bknudson: we'll get jamielennox\|away to 2x check	19:07
morganfainberg	bu i think it should be fine if you're passing	19:08
bknudson	not my first time resolving merge conflicts	19:08
*** tellesnobrega has quit IRC		19:10
*** htruta has joined #openstack-keystone		19:13
morganfainberg	lol	19:17
openstackgerrit	Rodrigo Duarte proposed openstack/keystone-specs: Project tree deletion https://review.openstack.org/148730	19:17
*** ayoung has joined #openstack-keystone		19:22
*** ChanServ sets mode: +v ayoung		19:22
Raildo	henrynash, do you think that we can approve this https://review.openstack.org/#/c/193543/ until tomorrow or I send SPF excetion for it?	19:23
Raildo	morganfainberg, ^	19:23
*** Raildo is now known as raildo		19:23
morganfainberg	uhh wtf	19:24
morganfainberg	how did a keystoneclient directory end up in keystoneauth	19:24
morganfainberg	oh ust local	19:24
morganfainberg	or.. not	19:24
morganfainberg	wow	19:24
bknudson	http://git.openstack.org/cgit/openstack/keystoneauth/tree/	19:25
bknudson	there's 1 file	19:25
openstackgerrit	Morgan Fainberg proposed openstack/keystoneauth: Remove keystoneclient lingering files. https://review.openstack.org/195710	19:25
morganfainberg	bknudson: ^	19:25
openstackgerrit	Morgan Fainberg proposed openstack/keystoneauth: Remove catalog/translation targets from tox.ini https://review.openstack.org/195712	19:27
*** tellesnobrega has joined #openstack-keystone		19:29
*** rushiagr_away is now known as rushiagr		19:32
openstackgerrit	Morgan Fainberg proposed openstack/keystoneauth: Remove catalog/translation targets from tox.ini https://review.openstack.org/195712	19:34
*** tellesnobrega has quit IRC		19:35
openstackgerrit	Morgan Fainberg proposed openstack/keystoneauth: Move to the keystoneauth1 namespace https://review.openstack.org/191003	19:35
morganfainberg	jamielennox\|away: ^	19:36
morganfainberg	mordred: ^ CC on ksa patches	19:36
*** ajayaa has quit IRC		19:38
*** Ephur has joined #openstack-keystone		19:42
*** Ephur has quit IRC		19:47
marekd	diazjf: ok	19:49
bknudson	This is what's annoying about reviewing specs: https://review.openstack.org/#/c/169399/	19:51
bknudson	I spend time reading it and it turns out it's not even complete.	19:51
morganfainberg	bknudson: yeah i usually scroll to the bottom first now and see if everything is filled out at a glance	19:52
morganfainberg	bknudson: marked that one as WIP so other people can skip, sorry about the time waste	19:52
*** ayoung has quit IRC		19:55
morganfainberg	stevemar: o/	20:02
*** lhcheng has quit IRC		20:06
stevemar	morganfainberg: o/	20:07
morganfainberg	stevemar: i forgot what i was going to ask	20:07
morganfainberg	stevemar: darn it	20:07
* stevemar shrugs		20:07
*** gabriel-bezerra has quit IRC		20:17
*** gabriel-bezerra has joined #openstack-keystone		20:20
*** jasondotstar has quit IRC		20:39
*** afazekas has joined #openstack-keystone		20:41
*** slberger has joined #openstack-keystone		20:45
*** RichardRaseley has joined #openstack-keystone		20:55
*** ayoung has joined #openstack-keystone		20:56
*** ChanServ sets mode: +v ayoung		20:56
*** arunkant__ has joined #openstack-keystone		20:57
*** arunkant_ has quit IRC		21:01
*** rm_work is now known as rm_work\|away		21:02
*** ankita_wagh has quit IRC		21:03
*** stevemar has quit IRC		21:04
*** stevemar has joined #openstack-keystone		21:04
*** RichardRaseley has quit IRC		21:05
*** e0ne has joined #openstack-keystone		21:05
openstackgerrit	Fernando Diaz proposed openstack/keystone: Adding Documentation for Mapping Combinations https://review.openstack.org/192850	21:06
*** rm_work\|away is now known as rm_work		21:06
*** stevemar has quit IRC		21:07
*** pballand has quit IRC		21:12
openstackgerrit	Fernando Diaz proposed openstack/keystone: Adding Documentation for Mapping Combinations https://review.openstack.org/192850	21:12
*** pballand has joined #openstack-keystone		21:12
*** RichardRaseley has joined #openstack-keystone		21:15
*** ankita_wagh has joined #openstack-keystone		21:16
htruta	hey morganfainberg, henrynash will we need an SPF for is_domain project tokens? https://review.openstack.org/#/c/193543/	21:17
*** RichardRaseley has quit IRC		21:23
*** iamjarvo has quit IRC		21:25
*** dguerri is now known as dguerri`		21:28
*** hogepodge has quit IRC		21:38
*** e0ne is now known as e0ne_		21:39
*** e0ne_ is now known as e0ne		21:41
*** diazjf has left #openstack-keystone		21:56
*** slberger has quit IRC		21:58
*** rushiagr is now known as rushiagr_away		22:03
*** Rockyg has joined #openstack-keystone		22:04
*** zzzeek has quit IRC		22:07
*** david8hu has quit IRC		22:07
*** rm_work is now known as rm_work\|away		22:09
gyee	ayoung, left you a comment, http://adam.younglogic.com/2015/03/key-fed-lookup-redux/comment-page-1/#comment-844457	22:11
gyee	ayoung, I suppose there's no way to make mod_lookup_identity to convey the domain information?	22:12
gyee	nkinder, is mellon ready for prime time?	22:14
bigjools	does mellon have an IdP?	22:15
gyee	not sure	22:15
gyee	I am trying to make it work with the existing IdPs	22:15
bigjools	I am in the process of choosing an IdP, just wondered	22:16
gyee	IdP's that talk SAML2?	22:16
*** jdennis has quit IRC		22:20
bigjools	yep	22:21
*** iamjarvo has joined #openstack-keystone		22:22
openstackgerrit	Merged openstack/keystone-specs: Moved driver interface from backlog to liberty https://review.openstack.org/184896	22:23
dolphm	from #openstack-horizon: <ducttape_> https://goo.gl/photos/mLWSkEkMNZ2ZirjY6 - we've been drinking for some time. Enjoy fernet tokens!!!	22:24
*** e0ne has quit IRC		22:26
*** edmondsw has quit IRC		22:27
*** dims has quit IRC		22:30
*** dontalton has joined #openstack-keystone		22:32
*** jdennis has joined #openstack-keystone		22:32
bknudson	let's make fernet tokens the default for devstack	22:34
*** rm_work\|away is now known as rm_work		22:36
openstackgerrit	Brant Knudson proposed openstack/keystone: Document httpd for accept on /identity, /identity_admin https://review.openstack.org/195766	22:37
*** dims_ has joined #openstack-keystone		22:38
gyee	++! fernet da default!	22:40
bknudson	I'll take a look at it	22:41
bknudson	at least just supporting it	22:41
gyee	bknudson, btw, do you know of anybody have a driver that talk SCIM?	22:43
bknudson	gyee: I've never seen SCIM in action	22:45
gyee	k, I was just curious	22:45
bknudson	gyee: ask topol or stevemar	22:45
gyee	bknudson, we need a better default Keystone IdP	22:45
bknudson	gyee: better than what?	22:45
gyee	or don't have one at all	22:45
bknudson	there's a default Keystone IdP?	22:45
gyee	yes	22:45
gyee	keystone/identity sql driver	22:45
*** dontalton has quit IRC		22:45
bknudson	oh, sure	22:46
bknudson	we need to get rid of sql driver.	22:46
gyee	sure, we either going to have a decent one or we don't	22:46
bknudson	Looks like all I need to do for fernet in devstack is fernet_setup.	22:46
bknudson	oh, man, there must be something wrong since there are no tokens in my database.	22:48
bknudson	gAAAAABVjIVoNPzzEJNo7hThVdp2MjYLJISc9AwDirWkaYOedEoWXruS53Yzj-opll5ZKHxHYTzEpz8qFAHR_N5S3cJ1I61LgBN-Jopt3_dzux71Aq6H4sOotglTPEwLwglS55rd2S3RAaP3qnDHCARI9P3lEGUk2M2nemsUYdm_97bCBdrMIXY%3D	22:49
bknudson	gAAAA!	22:49
bknudson	it's always gAAAA	22:49
bknudson	should have called them gAAAA tokens	22:50
gyee	heh	22:50
*** rm_work is now known as rm_work\|away		22:52
*** iamjarvo has quit IRC		22:55
*** hogepodge has joined #openstack-keystone		22:58
bknudson	https://review.openstack.org/#/c/195779/1 -- try that if you want -- should set up your system with fernet	23:00
*** roxanaghe has quit IRC		23:06
breton	no, we should keep sql for service users	23:07
gyee	bknudson, where's the part you changed the default provider?	23:07
*** mestery has quit IRC		23:07
bknudson	gyee: I don't think we should make it the default in devstack	23:07
bknudson	devstack should use keystone's default	23:07
bknudson	for its default	23:08
gyee	oh, so its a two part change	23:08
gyee	i c	23:08
bknudson	the other change is just there to see if it works	23:08
gyee	gotcha	23:08
bknudson	if fernet works let's get a gate job running it.	23:08
bknudson	I think we've got one doing pki tokens?	23:09
gyee	not sure	23:09
*** csoukup has quit IRC		23:10
gyee	breton, I am sure you have fun rotating passwords for the service users? :)	23:10
bknudson	y, service users should use X.509	23:11
*** thedodd has quit IRC		23:16
*** raildo has quit IRC		23:20
*** markvoelker has quit IRC		23:24
morganfainberg	bknudson: i like the gAAAAAAAA tokens	23:32
morganfainberg	bknudson: and yes. fernet default in devstack	23:33
bknudson	morganfainberg: we should change the default in keystone then	23:33
bknudson	that would require another devstack change since it doesn't do fernet_setup	23:34
morganfainberg	bknudson: not sure about that one - my worry is that it can't work out of the box w/ just SQL then... but i guess that isn't the end of the world	23:34
morganfainberg	bknudson: yeah.	23:34
bknudson	we used to default to pki tokens	23:34
bknudson	which required pki_setup	23:34
bknudson	we've got too many token formats	23:35
morganfainberg	we could make the change to devstack all at once	23:35
morganfainberg	adn then fix our default down the line	23:35
bknudson	it doesn't hurt to run fernet_setup	23:35
morganfainberg	exactly	23:35
bknudson	we might be running pki_setup all the time still, unless token format was explicitly set it runs pki_setup	23:36
bknudson	that's the current devstack behavior	23:36
morganfainberg	i think that is only run w/ PKI tokens set	23:36
bknudson	http://git.openstack.org/cgit/openstack-dev/devstack/tree/lib/keystone#n479	23:36
bknudson	so if KEYSTONE_TOKEN_FORMAT == "" it's going to run pki_setup	23:37
morganfainberg	ugh	23:37
* morganfainberg wonders if we can deprecate PKI tokens next cycle.		23:37
morganfainberg	probably not	23:37
bknudson	we've got check-tempest-dsvm-full , check-tempest-dsvm-postgres-full , check-tempest-dsvm-neutron-full	23:38
bknudson	so we could put one of those on fernet?	23:38
morganfainberg	nah lets just default over to fernet	23:39
morganfainberg	switch one of those to UUID if we really want the coverage	23:39
bknudson	we still want a job on UUID?	23:39
bknudson	y, I think we need a job for UUID, PKIZ, and UUID	23:39
bknudson	and fernet	23:39
morganfainberg	i am not convinced we need PKIZ	23:39
morganfainberg	:P	23:39
* morganfainberg looks for more reasons to make it go away		23:39
bknudson	as long as we support it I think we'll need it	23:40
morganfainberg	i think we can move these to functional testing tbh	23:40
bknudson	especially if we're making changes to auth_token for fernet	23:40
bknudson	y, they should really be functional tests	23:40
morganfainberg	and we should make devstack default to the best option, fernet	23:40
bknudson	we've got a lot of perf #s in the tempest jobs	23:40
bknudson	would be interesting if we set check-tempest-dsvm-neutron-full to fernet and it's a lot faster	23:41
bknudson	since that's the slowest now	23:41
morganfainberg	bknudson: so lets switch the devstack default	23:41
morganfainberg	bknudson: and then look at either functional testing uuid and pkiz or converting the other test over	23:42
bknudson	morganfainberg: https://review.openstack.org/#/c/195780/	23:42
dstanek	will it be possible to eventually get rid of pki[z] completely?	23:42
morganfainberg	dstanek: i'd like to. not sure	23:42
bknudson	I'm not sure if the jobs set KEYSTONE_TOKEN_FORMAT explicitly	23:42
bknudson	have to check the logs	23:42
morganfainberg	dstanek: my worry is PKI(Z) is used by people to offload the work to the endpoints instead of on keystone	23:43
morganfainberg	dstanek: and i don't know how wide spread that is / if fernet solves their use-cases	23:43
morganfainberg	it should but people are weird sometimes	23:43
dstanek	that would be very unfortunate	23:43
bknudson	they can step up to support it then	23:43
bknudson	put it in stackforge	23:44
morganfainberg	dstanek, bknudson: lets make fernet the default everywhere	23:44
morganfainberg	then look at [once it's baked through liberty] removal of PKI (inc. user survey data, etc)	23:45
morganfainberg	if we can also ditch uuid, more better	23:45
* morganfainberg would love a migration: DROP TABLE TOKEN		23:45
bknudson	we've got a deployment now that's reporting issues due to the token table	23:46
bknudson	disabling a project takes forever	23:46
bknudson	because it's going through the tokens trying to disable tokens	23:46
morganfainberg	bknudson: i've had ~10+ deployments across 2 employers complaining about it	23:46
morganfainberg	bknudson: it is a real issue	23:47
bknudson	and there's no project_id column, so it has to go through all tokens	23:47
morganfainberg	bknudson: they on Kilo?	23:47
bknudson	this is icehouse still	23:47
morganfainberg	bknudson: ouch.	23:47
morganfainberg	bknudson: at least not grizzly	23:47
morganfainberg	:P	23:47
bknudson	they just upgraded	23:47
morganfainberg	bknudson: upgrade them to Kilo Keystone ;)	23:48
bknudson	it was grizzly for a while	23:48
*** lhcheng has joined #openstack-keystone		23:48
*** ChanServ sets mode: +v lhcheng		23:48
openstackgerrit	Morgan Fainberg proposed openstack/keystoneauth: Move to the keystoneauth1 namespace https://review.openstack.org/191003	23:49
bknudson	I still think clouds.yaml is the greatest thing since sliced bread -- https://review.openstack.org/#/c/195790/	23:49
morganfainberg	bknudson: there was talk of moving clouds.yaml over into keystoneauth's purview	23:51
morganfainberg	and yes clouds.yaml is awesome	23:51
dstanek	bknudson: i totally agree - and ansible's new os_server uses it for auth info	23:52
bknudson	I don't know if it belongs in keystoneauth or maybe in a hall of fame somewhere.	23:52
bknudson	in the next presidential election I will write in clouds.yaml.	23:53
dstanek	i use it in all my scripts now too	23:53
morganfainberg	dstanek: i'd like you to take a look at something and tell me what you think	23:54
*** stevemar has joined #openstack-keystone		23:54
morganfainberg	bknudson: you too - strictly from a "is this service a lot of overhead" perspective (put on your ops/would i want to work with this thing hat)	23:54
morganfainberg	dstanek, bknudson: https://consul.io	23:54
bknudson	morganfainberg: you're trying to put keystone out of business	23:55
morganfainberg	bknudson: is that a bad thing?	23:55
bknudson	morganfainberg: why doesn't keystone have a fancy web site?	23:56
dstanek	i've not looked at consul, but i've started a little prototype for using DSN to replace the catalog	23:56
morganfainberg	dstanek: thinking of using consul for that specific case	23:56
morganfainberg	dstanek: it also gives us a DNS interface (wheeeee) for free	23:56
bknudson	we should eventually be running everything in apache	23:56
bknudson	can we do that with consul?	23:57
morganfainberg	bknudson: mod_keystone	23:57
morganfainberg	bknudson: consul is like etcd or zookeeper	23:57
morganfainberg	so, no. it's standalone	23:57
*** stevemar has quit IRC		23:57
bknudson	I mean can consul give you endpoints under apache?	23:57
bknudson	or is it just ip addrs?	23:57
*** Rockyg has quit IRC		23:57
morganfainberg	bknudson: it also has a KVS - so you could map DNS info out to the key-value	23:58
dstanek	bknudson: if it's like what i'm dong it'll give you the endpoint	23:58
dstanek	there is an rfc for this	23:58
morganfainberg	bknudson: i haven't looked to see if you can get a SRV record out of it	23:58
morganfainberg	bknudson: but that would be the logical enhancement i'd be looking to contribute to them long term if it was missing it	23:58
morganfainberg	bknudson: SRV or other TXT based record	23:59
gyee	golang impl, fancy	23:59
gyee	I mean consul is in golang	23:59
morganfainberg	oooh	23:59
morganfainberg	"For standard services queries, both A and SRV records are supported. SRV records provide the port that a service is registered on, enabling clients to avoid relying on well-known ports. SRV records are only served if the client specifically requests them, like so:"	23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!