Monday, 2015-07-20

« Sunday, 2015-07-19 Index Tuesday, 2015-07-21 »
*** jecarey has joined #openstack-keystone00:05
*** dims_ has joined #openstack-keystone00:06
*** chlong has joined #openstack-keystone00:20
*** hrou has joined #openstack-keystone00:21
*** nkinder has quit IRC00:32
*** nkinder has joined #openstack-keystone00:35
*** piyanai has quit IRC00:35
*** piyanai has joined #openstack-keystone00:37
*** piyanai has quit IRC00:37
*** stevemar has quit IRC00:54
*** stevemar has joined #openstack-keystone00:54
*** ChanServ sets mode: +v stevemar00:54
*** jecarey has quit IRC00:55
*** stevemar has quit IRC00:58
openstackgerritliusheng proposed openstack/keystone: Remove the unused config_files parameter of service entry  https://review.openstack.org/20345601:05
*** jiaxi has joined #openstack-keystone01:12
jiaxiGood Morning,everyone.01:12
*** stevemar has joined #openstack-keystone01:21
*** ChanServ sets mode: +v stevemar01:21
*** davechen has joined #openstack-keystone01:28
*** davechen1 has joined #openstack-keystone01:31
*** davechen has quit IRC01:33
*** piyanai has joined #openstack-keystone01:36
*** davechen1 is now known as davechen01:38
*** davechen1 has joined #openstack-keystone01:40
*** davechen has quit IRC01:43
*** ankita_wagh has quit IRC01:46
openstackgerritDave Chen proposed openstack/keystone: Let `region` field be effective both in the testcase and API  https://review.openstack.org/16753401:53
*** Kennan2 has joined #openstack-keystone02:05
*** Kennan has quit IRC02:05
*** Kennan2 is now known as Kennan02:07
*** btully has quit IRC02:13
*** dims_ has quit IRC02:14
*** afazekas has quit IRC02:17
*** afazekas has joined #openstack-keystone02:18
*** dims_ has joined #openstack-keystone02:29
*** ankita_wagh has joined #openstack-keystone02:39
openstackgerritDave Chen proposed openstack/keystone: Move endpoint_filter migrations into keystone core  https://review.openstack.org/18698802:52
openstackgerritDave Chen proposed openstack/keystone: Move endpoint filter into keystone core  https://review.openstack.org/18337702:52
*** hakimo has joined #openstack-keystone02:52
*** hakimo_ has quit IRC02:55
*** stevemar has quit IRC02:55
openstackgerritHenrique Truta proposed openstack/keystone: Change project name constraint  https://review.openstack.org/15837202:55
*** stevemar has joined #openstack-keystone02:55
*** ChanServ sets mode: +v stevemar02:55
openstackgerritHenrique Truta proposed openstack/keystone: Change project name constraint  https://review.openstack.org/15837202:56
*** tobe has joined #openstack-keystone03:06
*** dims_ has quit IRC03:08
*** ankita_wagh has quit IRC03:25
*** ankita_wagh has joined #openstack-keystone03:41
*** ankita_wagh has joined #openstack-keystone03:42
*** stevemar has quit IRC03:54
*** stevemar has joined #openstack-keystone03:55
*** ChanServ sets mode: +v stevemar03:55
openstackgerritDave Chen proposed openstack/keystone: Move resource related testcase into their own module  https://review.openstack.org/19544903:57
*** tobe has quit IRC04:02
*** chenhong has joined #openstack-keystone04:04
*** tobe has joined #openstack-keystone04:05
*** dims_ has joined #openstack-keystone04:10
*** tobe has quit IRC04:13
openstackgerritHenrique Truta proposed openstack/keystone: Honor domain operations in project table  https://review.openstack.org/14376304:14
*** htruta has quit IRC04:15
*** dims_ has quit IRC04:15
*** tobe has joined #openstack-keystone04:16
*** darrenc is now known as darrenc_afk04:20
*** darrenc_afk is now known as darrenc04:35
*** tobe has quit IRC04:41
*** ankita_w_ has joined #openstack-keystone04:42
*** piyanai has quit IRC04:43
*** ankita_wagh has quit IRC04:46
openstackgerritHenrique Truta proposed openstack/keystone: List projects filtering by is_domain flag  https://review.openstack.org/15839804:54
*** briancurtin has quit IRC04:58
*** briancurtin has joined #openstack-keystone04:59
*** ctracey has quit IRC05:00
*** ctracey has joined #openstack-keystone05:03
*** topol has quit IRC05:06
*** btully has joined #openstack-keystone05:13
*** stevemar has quit IRC05:14
*** browne has joined #openstack-keystone05:18
*** chlong has quit IRC05:27
*** dims_ has joined #openstack-keystone05:31
*** Protux has quit IRC05:35
*** serverascode has quit IRC05:35
*** h00327910_ has quit IRC05:36
*** briancurtin has quit IRC05:36
*** ctracey has quit IRC05:36
*** dims_ has quit IRC05:36
*** chlong has joined #openstack-keystone05:40
*** serverascode has joined #openstack-keystone05:41
*** briancurtin has joined #openstack-keystone05:44
*** h00327910_ has joined #openstack-keystone05:48
*** Protux has joined #openstack-keystone05:48
*** ctracey has joined #openstack-keystone05:51
*** lhcheng has joined #openstack-keystone05:52
*** ChanServ sets mode: +v lhcheng05:52
*** ankita_w_ has quit IRC05:55
*** hrou has quit IRC06:03
*** ParsectiX has joined #openstack-keystone06:06
*** mflobo has joined #openstack-keystone06:10
*** lsmola has joined #openstack-keystone06:12
*** e0ne has joined #openstack-keystone06:13
*** tsymanczyk has quit IRC06:13
*** alexus is now known as alex_xu06:14
*** rdo has quit IRC06:16
*** rdo has joined #openstack-keystone06:17
*** e0ne has quit IRC06:17
*** tsymanczyk has joined #openstack-keystone06:18
*** chlong has quit IRC06:20
*** e0ne has joined #openstack-keystone06:21
*** e0ne has quit IRC06:29
*** e0ne has joined #openstack-keystone06:33
*** _afazekas has quit IRC06:33
*** chlong has joined #openstack-keystone06:36
*** boris-42 has joined #openstack-keystone06:38
*** pnavarro has joined #openstack-keystone06:41
*** tobe has joined #openstack-keystone06:42
*** ankita_wagh has joined #openstack-keystone06:44
marekdhttps://review.openstack.org/#/c/202282/ is it eligible for a single-core +A?06:45
openstackgerritMarek Denis proposed openstack/keystoneauth-saml2: Standardize federated auth token scoping  https://review.openstack.org/17722706:51
*** browne has quit IRC06:51
marekdlbragstad: hi :-) Do you mind pushing whatever you have on the https://review.openstack.org/#/c/202176 topic? :-)06:54
*** e0ne has quit IRC06:56
*** e0ne has joined #openstack-keystone07:00
*** ig0r_ has joined #openstack-keystone07:01
*** christx2 has joined #openstack-keystone07:08
*** afazekas_ has joined #openstack-keystone07:09
*** dims_ has joined #openstack-keystone07:19
*** e0ne has quit IRC07:22
*** josecastroleon has quit IRC07:23
*** dims_ has quit IRC07:25
*** e0ne has joined #openstack-keystone07:26
openstackgerritMarek Denis proposed openstack/keystone: Fernet payloads for federated scoped tokens.  https://review.openstack.org/20217607:27
openstackgerrithenry-nash proposed openstack/keystone-specs: Clarify project hierachy and parent usage within the API  https://review.openstack.org/20062407:27
*** e0ne has quit IRC07:29
*** e0ne has joined #openstack-keystone07:29
*** e0ne has quit IRC07:30
*** ctracey has quit IRC07:31
openstackgerrithenry-nash proposed openstack/keystone-specs: Clarify project hierachy and parent usage within the API  https://review.openstack.org/20062407:31
*** Protux has quit IRC07:31
*** zhiyan has quit IRC07:31
*** serverascode has quit IRC07:31
*** chlong has quit IRC07:34
*** belmoreira has joined #openstack-keystone07:36
*** ankita_wagh has quit IRC07:39
*** pcaruana has quit IRC07:42
*** zhiyan has joined #openstack-keystone07:48
*** btully has quit IRC07:49
*** jistr has joined #openstack-keystone07:54
openstackgerritMarek Denis proposed openstack/keystone-specs: IDP specific websso  https://review.openstack.org/19933907:54
*** ctracey has joined #openstack-keystone07:54
*** serverascode has joined #openstack-keystone07:59
*** Protux has joined #openstack-keystone08:02
*** fhubik has joined #openstack-keystone08:05
*** fhubik is now known as fhubik_afk08:05
openstackgerrithenry-nash proposed openstack/keystone-specs: Clarify project hierachy and parent usage within the API  https://review.openstack.org/20062408:10
*** amirosh has joined #openstack-keystone08:21
*** christx2 has quit IRC08:23
*** christx2 has joined #openstack-keystone08:23
*** fhubik_afk is now known as fhubik08:23
*** rletrocquer has quit IRC08:25
*** belmoreira has quit IRC08:30
*** lhcheng has quit IRC08:31
*** btully has joined #openstack-keystone08:40
openstackgerritMarek Denis proposed openstack/keystone: Refactor websso ``origin`` validation  https://review.openstack.org/20352508:41
*** pcaruana has joined #openstack-keystone08:43
*** btully has quit IRC08:45
*** e0ne has joined #openstack-keystone08:55
bretonfolks, should https://bugs.launchpad.net/keystone/+bug/1471289 be kilo-backport-potential?08:58
openstackLaunchpad bug 1471289 in Keystone "Fernet tokens and Federated Identities result in token scope failures" [High,In progress] - Assigned to Marek Denis (marek-denis)08:58
uvirtbotLaunchpad bug 1471289 in keystone "Fernet tokens and Federated Identities result in token scope failures" [High,In progress]08:58
bretonmarekd: lbragstad: ^08:58
breton(also, why do we have 2 bots?)08:58
*** dims_ has joined #openstack-keystone09:08
*** dims_ has quit IRC09:14
*** christx2 has quit IRC09:20
openstackgerritMerged openstack/keystone: Document use of wip up to developer  https://review.openstack.org/19533509:20
marekdbreton: think so.09:20
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/20228209:28
*** aix has quit IRC09:41
*** belmoreira has joined #openstack-keystone09:48
openstackgerritDave Chen proposed openstack/keystone: Avoid the hard coding of admin token  https://review.openstack.org/20354609:54
*** davechen1 has left #openstack-keystone09:54
*** dims_ has joined #openstack-keystone09:54
*** fhubik is now known as fhubik_afk10:01
*** fhubik_afk is now known as fhubik10:03
*** Mohammad has joined #openstack-keystone10:13
*** Mohammad is now known as Guest5029610:13
Guest50296Hi there, How can I config devstack , to use keystone version 3 apis?10:14
marekdGuest50296: you just need to configure client to use it - chane OS_AUTH_URL so the suffix is /v3 instead of v/2.0 and set OS_IDENTITY_API_VERSION=310:15
Guest50296<+marekd>: Thanks but what about horizon?10:16
marekdGuest50296: that i don't know from head.10:16
*** belmoreira has quit IRC10:16
*** hakimo has quit IRC10:17
Guest50296<+marekd>: Thanks, I find it. for horizon it can be changed from /openstack_dashboard/local/local_settings.py10:19
*** Guest50296 has quit IRC10:19
*** hakimo has joined #openstack-keystone10:20
marekdGuest52591: thanks10:20
*** ig0r_ has quit IRC10:24
openstackgerritMarek Denis proposed openstack/keystone: Fix docs in federation.routers  https://review.openstack.org/20357210:29
* marekd cleaning day10:32
bretonmarekd: {var} and $var are used inconsistently in the whole codebase10:37
*** tobe has quit IRC10:40
*** piyanai has joined #openstack-keystone10:41
*** jiaxi has quit IRC10:44
*** tobe has joined #openstack-keystone10:52
samueldmqmorning10:57
samueldmqayoung: hi, let me know when you are available to talk about the outcomes of the micycle meetup10:57
*** albertom has quit IRC11:04
*** topol has joined #openstack-keystone11:07
*** ChanServ sets mode: +v topol11:07
*** ig0r_ has joined #openstack-keystone11:08
*** chenhong has quit IRC11:09
*** albertom has joined #openstack-keystone11:11
*** topol has quit IRC11:12
*** boris-42 has quit IRC11:22
*** nllrte has joined #openstack-keystone11:24
*** davidckennedy has joined #openstack-keystone11:30
davidckennedyAnybody got time to take a look at my patch 'Move endpoint catalog filtering to default driver' at 167675 ?11:37
*** fhubik is now known as fhubik_afk11:42
*** piyanai has quit IRC11:43
*** piyanai has joined #openstack-keystone11:44
*** fhubik_afk is now known as fhubik11:45
marekdbreton: you mean everywhere or in federation.routers ?11:45
bretonmarekd: everywhere11:47
ayoungsamueldmq, about 1.5 hours.11:48
*** ayoung has quit IRC11:49
bretonmarekd: I think I'll propose my patch now11:49
marekdbreton: go ahead.11:52
*** fhubik is now known as fhubik_afk11:56
*** gordc has joined #openstack-keystone11:56
*** aix has joined #openstack-keystone12:00
*** woodster_ has joined #openstack-keystone12:00
*** piyanai has quit IRC12:04
bknudsonmarekd: proposal bot change like https://review.openstack.org/#/c/202282/ only needs one +212:05
bknudsonalthough there seems to be something wrong with the code since it's got 2 change-ids.12:05
*** ig0r_ has quit IRC12:05
openstackgerritBoris Bobrov proposed openstack/keystone: Fix docstrings in contrib  https://review.openstack.org/20360712:06
openstackgerritDave Chen proposed openstack/keystone: Avoid the hard coding of admin token  https://review.openstack.org/20354612:06
*** lhcheng has joined #openstack-keystone12:08
*** ChanServ sets mode: +v lhcheng12:08
*** raildo has joined #openstack-keystone12:10
*** lhcheng has quit IRC12:12
*** fhubik_afk is now known as fhubik12:15
*** markvoelker has joined #openstack-keystone12:16
*** gordc has quit IRC12:17
*** gordc has joined #openstack-keystone12:17
*** htruta has joined #openstack-keystone12:18
*** bknudson has quit IRC12:23
*** edmondsw has joined #openstack-keystone12:29
*** tobe has quit IRC12:34
*** chlong has joined #openstack-keystone12:35
*** hrou has joined #openstack-keystone12:36
*** edmondsw has quit IRC12:40
*** bknudson has joined #openstack-keystone12:45
*** ChanServ sets mode: +v bknudson12:45
lbragstaddolphm: yeah, I have a change to get all the fernet/core.py stuff consolidated, so we can use the BaseProvider for everything13:01
lbragstadmarekd: yep, I can push a new version13:01
lbragstadmarekd: I have changes locally13:01
*** topol has joined #openstack-keystone13:02
*** ChanServ sets mode: +v topol13:02
lbragstaddolphm: https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:consolidate-fernet-provider,n,z13:02
marekdlbragstad: ok, so beware cause i rebased it on top of master.13:03
lbragstadmarekd: yep, I'll repull the patch and apply whatever the delta is13:04
lbragstadmarekd: this is the diff of what I have locally (http://cdn.pasteraw.com/f5x9jsr5l48pzrd2yvcf8kc6kxkx3jr)13:04
*** rltrocquer has joined #openstack-keystone13:08
openstackgerritLance Bragstad proposed openstack/keystone: Fernet payloads for federated scoped tokens.  https://review.openstack.org/20217613:13
openstackgerritLance Bragstad proposed openstack/keystone: Refactor: rename Fernet's unscoped federated payload  https://review.openstack.org/20219013:16
dstanekbreton: two bots?13:17
*** edmondsw has joined #openstack-keystone13:18
*** zzzeek has joined #openstack-keystone13:24
*** boris-42 has joined #openstack-keystone13:28
*** dims_ has quit IRC13:35
*** jecarey has joined #openstack-keystone13:40
bretondstanek: https://bugs.launchpad.net/keystone/+bug/147128913:41
openstackLaunchpad bug 1471289 in Keystone "Fernet tokens and Federated Identities result in token scope failures" [High,In progress] - Assigned to Lance Bragstad (lbragstad)13:41
uvirtbotLaunchpad bug 1471289 in keystone "Fernet tokens and Federated Identities result in token scope failures" [High,In progress]13:41
bretondstanek: see?13:41
*** piyanai has joined #openstack-keystone13:41
dolphmlbragstad: looking13:41
*** jdandrea has joined #openstack-keystone13:42
dolphmdstanek: i assume we don't need uvirtbot anymore?13:42
dstanekbreton: haha, nice13:42
dstanekdolphm: looks like maybe not13:42
bknudsonuvirtbot: shutdown -h now13:43
uvirtbotbknudson: Error: "shutdown" is not a valid command.13:43
bknudsonuvirtbot: sudo shutdown -h now13:43
uvirtbotbknudson: Error: "sudo" is not a valid command.13:43
samueldmqhahah13:43
lbragstadbknudson: lol13:43
*** uvirtbot was kicked by dolphm (Your behavior is not conducive to the desired environment.)13:43
*** uvirtbot has joined #openstack-keystone13:43
samueldmqdolphm: lol13:43
lbragstadbah13:43
lbragstadpoor uvirtbot...13:43
samueldmqit's very insistent :)13:44
*** chenhong has joined #openstack-keystone13:44
bretonhttps://bugs.launchpad.net/keystone/+bug/147128913:44
openstackLaunchpad bug 1471289 in Keystone "Fernet tokens and Federated Identities result in token scope failures" [High,In progress] - Assigned to Lance Bragstad (lbragstad)13:44
uvirtbotLaunchpad bug 1471289 in keystone "Fernet tokens and Federated Identities result in token scope failures" [High,In progress]13:44
dolphmuvirtbot: don't make me ban you13:44
uvirtbotdolphm: Error: "don't" is not a valid command.13:44
samueldmqdolphm: it's kidding you :)13:45
lbragstaddolphm: the patch that consolidated the issue_v3_token() method already merged.13:45
dolphmlbragstad: have a link to it?13:45
lbragstaddolphm: https://review.openstack.org/#/c/196774/13:46
dolphmlbragstad: i had a patch to modify that method13:46
lbragstaddolphm: that was the start of my refactor13:46
lbragstaddolphm: my refactor to consolidate all the extended/duplicated methods in fernet/core.py to use BaseProvider()13:47
lbragstaddolphm: the next logical one would be https://review.openstack.org/#/c/196877/13:47
*** chenhong has quit IRC13:48
*** pnavarro has quit IRC13:51
*** TheIntern has joined #openstack-keystone13:51
*** jsavak has joined #openstack-keystone13:51
*** chenhong has joined #openstack-keystone13:53
*** browne has joined #openstack-keystone13:58
*** stevemar has joined #openstack-keystone14:00
*** ChanServ sets mode: +v stevemar14:00
*** stevemar has quit IRC14:03
*** jecarey has quit IRC14:03
*** ParsectiX has quit IRC14:04
morganfainbergYay consolidate fernet issue14:09
*** tjx has joined #openstack-keystone14:10
tjxHello,everyone.14:10
*** sigmavirus24_awa is now known as sigmavirus2414:16
tjxhttps://review.openstack.org/#/c/200512/14:18
*** ayoung has joined #openstack-keystone14:23
*** ChanServ sets mode: +v ayoung14:23
ayoungsamueldmq, https://bugs.launchpad.net/keystone/+bug/147626414:23
openstackLaunchpad bug 1476264 in Keystone "Cannot delete resources in remote services once project is deleted" [High,New] - Assigned to Adam Young (ayoung)14:23
uvirtbotLaunchpad bug 1476264 in keystone "Cannot delete resources in remote services once project is deleted" [High,New]14:23
*** jecarey has joined #openstack-keystone14:23
*** mylu has joined #openstack-keystone14:24
*** pgbridge has quit IRC14:25
*** dims_ has joined #openstack-keystone14:25
*** dims_ has quit IRC14:25
*** dims_ has joined #openstack-keystone14:26
*** _hrou_ has joined #openstack-keystone14:35
*** amirosh_ has joined #openstack-keystone14:35
*** ChanServ sets mode: +o morganfainberg14:37
*** browne1 has joined #openstack-keystone14:37
*** darrenc_ has joined #openstack-keystone14:38
*** ctracey_ has joined #openstack-keystone14:38
*** Nakato_ has joined #openstack-keystone14:39
*** amirosh has quit IRC14:39
*** kfox1111_ has joined #openstack-keystone14:39
*** telemons1er has joined #openstack-keystone14:40
*** cloudkiller has joined #openstack-keystone14:40
*** powerbsd has joined #openstack-keystone14:40
*** krotscheck_ has joined #openstack-keystone14:41
*** albertom has quit IRC14:42
*** ctracey has quit IRC14:42
*** powerbsd is now known as albertom14:42
*** krotscheck has quit IRC14:42
*** rm_work|away has quit IRC14:42
*** jamiec has quit IRC14:42
*** hogepodge has quit IRC14:42
*** wasmum- has quit IRC14:42
*** sudorandom has quit IRC14:42
*** browne has quit IRC14:42
*** flwang1 has quit IRC14:42
*** gabriel-bezerra has quit IRC14:42
*** jamielennox has quit IRC14:42
*** kfox1111 has quit IRC14:42
*** hrou has quit IRC14:42
*** telemonster has quit IRC14:42
*** cloudnull has quit IRC14:42
*** Nakato has quit IRC14:42
*** darrenc has quit IRC14:42
*** gus has quit IRC14:42
*** Tedster has quit IRC14:42
*** sudorandom has joined #openstack-keystone14:42
*** flwang has joined #openstack-keystone14:42
*** hogepodge has joined #openstack-keystone14:42
*** wasmum has joined #openstack-keystone14:42
*** cloudkiller is now known as cloudnull14:42
*** krotscheck_ is now known as krotscheck14:42
*** rm_work|away has joined #openstack-keystone14:42
dstaneklbragstad: my new goal in life is to be able to keep up with you for a full 5k14:42
*** gus has joined #openstack-keystone14:42
*** jamielennox has joined #openstack-keystone14:42
*** ChanServ sets mode: +v jamielennox14:42
*** rm_work|away is now known as rm_work14:42
*** rm_work has joined #openstack-keystone14:42
*** Tedster has joined #openstack-keystone14:43
*** ctracey_ is now known as ctracey14:43
*** jamiec has joined #openstack-keystone14:43
bknudsondstanek: shave the beard for better airflow14:43
dstanekbknudson: unfortunately that alone won't cut it14:44
lbragstaddstanek: keep the beard, it's like magic, it makes you faster despite wind resistance14:44
*** morganfainberg sets mode: +q uvirbot!*@*14:45
lbragstaddstanek: want me to check and see if there is a 5k here in August?14:45
morganfainberghttps://bugs.launchpad.net/keystone/+bug/147626414:45
openstackLaunchpad bug 1476264 in Keystone "Cannot delete resources in remote services once project is deleted" [High,New] - Assigned to Adam Young (ayoung)14:45
uvirtbotLaunchpad bug 1476264 in keystone "Cannot delete resources in remote services once project is deleted" [High,New]14:45
lbragstadmorganfainberg: your test failed ;)14:45
*** gabriel-bezerra has joined #openstack-keystone14:45
dstaneklbragstad: sure14:46
lbragstaddstanek: I did this one last year http://www.tap-tober5kbeerrun.com/14:46
*** morganfainberg sets mode: +q uvirtbot!*@*14:47
morganfainberghttps://bugs.launchpad.net/keystone/+bug/147626114:47
openstackLaunchpad bug 1476261 in OpenContrail "Scons fails when building in parallel" [Undecided,New]14:47
morganfainbergthere we go14:47
morganfainbergdolphm, ^ :)14:48
openstackgerritayoung proposed openstack/keystone: remove assignments when deleting a domain  https://review.openstack.org/12743314:48
dolphmmorganfainberg: much better14:49
anteayamorganfainberg: it worked!14:49
tjxHello.everyone. Who can help me to review my patch set ? https://review.openstack.org/#/c/200512/14:50
tjxThank you in advance14:50
* morganfainberg neeeeeeeeeds coooooofffffeeeeee14:50
morganfainbergand a bike ride... preferably sans migrane today14:50
ayoungrodrigods, can you follow up on https://review.openstack.org/#/c/184651/  as you were the last to review.  I added the service provider, and I think I'd like you to look again before this goes in14:55
ayoungtjx, I'll trade you review for review;14:55
tjxcoffee is not good14:55
ayounglook at https://review.openstack.org/#/c/184651/  and I will look at https://review.openstack.org/#/c/200512/14:55
ayoungdeal?14:55
tjxOk, good14:55
*** stevemar has joined #openstack-keystone14:56
*** ChanServ sets mode: +v stevemar14:56
jamielennoxstevemar: does OSC do something funny with SSL certs14:56
*** amakarov has joined #openstack-keystone14:59
*** henrynash has joined #openstack-keystone15:03
*** ChanServ sets mode: +v henrynash15:03
rodrigodsayoung, looking, thx15:10
*** fhubik is now known as fhubik_afk15:12
*** jistr is now known as jistr|mtg15:13
ayoungtjx, why do you explicitly list the endpoint   rtypes and andd them https://review.openstack.org/#/c/200512/16/keystone/catalog/controllers.py,cm15:13
ayoungjamielennox, did you forget to go to bed?15:15
jamielennoxayoung: i've been going to bed as soon as i figure out wtf is wrong with this SSL problem for like 4 hours15:15
tjxWhat't the time now in US15:15
tjxIt's 23:15 in China15:15
ayoungtjx he's in Australia15:16
lbragstadtjx: 10:15 Central (US)15:16
jamielennox1:15, for some reason i can make requests using keystone CLI, but not openstack cli15:18
dstanektjx: did you check to see if null is valid for URLs?15:18
jamielennoxbut if i put OSC in a venv it works15:18
jamielennoxwhich i can only assume means that RHEL has screwed up it's version of requests15:18
ayoungjamielennox, but keystoneclient is not in a venv?15:18
jamielennoxor not...15:18
jamielennoxon15:19
jamielennoxno15:19
dstanekjamielennox: what issue are you having?15:19
jamielennoxdstanek: ValueError: empty or no certificate15:19
jamielennoxsocket.getpeercert() is returning an empty dict15:19
*** gyee has joined #openstack-keystone15:19
*** ChanServ sets mode: +v gyee15:19
dstanekthat's strange...only in a venv or only outside of it?15:20
jamielennoxwhich apparently means it wasn't validated, but i don't see how15:20
ayoungjamielennox, sounds like a config error to me.  Maybe OSC is overwriting the cert path somehow15:20
*** dims_ has quit IRC15:20
jamielennoxdstanek: outside15:20
jamielennoxayoung: same options being provided to keystoneclient, also from rpms15:20
jamielennoxand i can make a request using requests directly and it works, i can make a request with keystoneclient and sesion and it's fine15:20
jamielennoxjust for some reason going through OSC is screwing up15:21
ayoungjamielennox, put a breakpoint in the session code and try.  See if maybe it is screwing up the path\15:21
ayoungwhen called from OSC15:22
jamielennoxayoung: i have, i don't see it different at all15:22
jamielennoxif i git checkout the same version of OSC it seems to work in a venv15:22
ayoungtjx, so long as you put my name at the start of a line, it will notify me15:22
tjxayoung  like this?15:23
ayoungjamielennox, maybe inside the venv it is reading from a cached file inside the venv, but outside it is getting the standard certs from /etc/pki etc15:23
ayoungtjx, yep15:23
jamielennoxayoung: i'm override with --os-cacert in both15:23
ayoungjamielennox, inside the venv, does that maybe map to a different file than outside?15:24
tjxayoung,     urls = []106  ayoung11:14 PM why is this necessary?15:24
*** jistr|mtg is now known as jistr15:24
*** diazjf has joined #openstack-keystone15:24
ayoungtjx, yeah15:24
tjxDo you want me to delete it ?15:24
jamielennoxayoung: that doesn't make sense for a venv15:24
ayoungtjx, the rest of the change makes sense, but why did you explicitly add in the 3 urls?15:24
ayoungtjx, it was not in the code before hand, so it seems strange to add it in here15:25
tjxI want to check the three urls.15:25
tjxin a for sentence15:25
ayoungtjx, ah...those are not returned...I see.15:25
*** richm has joined #openstack-keystone15:26
ayoungtjx, so there is no need to make a list and iterate, right?  code could reduct to15:26
ayoung if endpoint.get('publicurl'):15:26
tjxayoung,   So, it's right.   Right15:26
ayoung     if not clean.check_endpoint_url( endpoint['internalurl'] , core.WHITELISTED_PROPERTIES):15:27
ayoung                raise exception.ValidationURLError(url)15:27
tjxayoung,  then ?15:27
tjxayoung, what do you mean ?15:27
ayoungtjx, use the collection at the top of the file then15:27
ayoungtjx, line 3215:28
ayoungfor interface in INTERFACES .... :15:28
tjxayoung, only check endpoint['internalurl'] ? I need to check the three.15:29
lbragstaddolphm: one comment https://review.openstack.org/#/c/192739/15:29
tjxNeed a list.15:29
lbragstaddstanek: probably has a better answer for that than I do15:29
ayoungtjx, look at line 32 of that file15:30
*** jorge_munoz has quit IRC15:30
ayoungtjx, http://git.openstack.org/cgit/openstack/keystone/tree/keystone/catalog/controllers.py?id=d7e529911c496c71effa1d51e1ecf2399ef359f1#n3015:30
*** jorge_munoz has joined #openstack-keystone15:31
*** rdo has quit IRC15:32
tjxayoung, I got it.15:32
*** piyanai has quit IRC15:33
bretonayoung: reviewed https://review.openstack.org/#/c/184651/. You owe me a review now!15:34
openstackgerritDolph Mathews proposed openstack/keystone: Additional Fernet test coverage  https://review.openstack.org/19273915:34
dolphmlbragstad: updated to use @wip() ^15:34
*** dims_ has joined #openstack-keystone15:34
*** marzif has joined #openstack-keystone15:35
dolphmlbragstad: the benefit is that it runs @wip'd tests to ensure that they're failing15:36
dstanekdolphm: ++15:36
*** piyanai has joined #openstack-keystone15:37
*** dims__ has joined #openstack-keystone15:38
*** dims__ has quit IRC15:40
*** dims_ has quit IRC15:40
*** dims_ has joined #openstack-keystone15:41
*** amick has joined #openstack-keystone15:41
*** dims_ has quit IRC15:45
ayoungbreton, saw that.15:45
ayoungbreton, you have a preference for which?15:45
*** fhubik_afk is now known as fhubik15:46
bretonayoung: I'll save it for some other day :p15:46
*** browne1 has quit IRC15:47
*** tjx has quit IRC15:47
henrynashlooking for a bit of review time on: https://review.openstack.org/#/c/200624/ (trying to make how we use parent_id, domain_id and is_domain clearer in the identity spec)15:48
dstanekbreton: yeah, hold on to it until you get have a gnarly one that nobody else wants to review :-)15:49
*** mgarza_ has joined #openstack-keystone15:51
*** mylu has quit IRC15:53
*** mylu has joined #openstack-keystone15:54
*** amick is now known as help15:56
*** help is now known as Guest5695415:56
*** afazekas_ has quit IRC15:57
*** rdo has joined #openstack-keystone15:57
*** Guest56954 has left #openstack-keystone15:57
*** amickus has joined #openstack-keystone16:01
*** fhubik has quit IRC16:03
lbragstaddstanek: your federation devstack stuff is done on 14.04, right?16:03
lbragstaddstanek: I'm going to pull it down locally and run federated devstack16:03
dstaneklbragstad: i may have been using 15.0416:07
lbragstaddstanek: I'll try it and see if it breaks16:07
dstaneklbragstad: been trying to move everything over to fedora, but that's been lagging since osad doesn't work with it yet16:08
*** davidckennedy has quit IRC16:08
lbragstaddstanek: moving everything to fedora for the devstack + federation stuff?16:10
*** gyee has quit IRC16:11
*** mylu has quit IRC16:11
dstaneklbragstad: i've been trying to go to fedora for everything i do16:12
lbragstaddstanek: gotcha16:12
dstaneki wish ansible (or maybe the task it's performing) went faster. i hate sitting around and waiting16:14
lbragstaddstanek: a single task or the whole playbook?16:14
dstaneklbragstad: the playbooks16:14
lbragstaddstanek: are you able to use tags?16:15
lbragstador are the tasks just long running in general?16:15
*** gyee has joined #openstack-keystone16:15
*** ChanServ sets mode: +v gyee16:15
dstaneklbragstad: yes, i'm using tags and had to resort to 'start-at-task'16:15
lbragstadahhh, that's what I was going to suggest16:16
*** ajayaa has joined #openstack-keystone16:16
dstaneki think when i checks if a system package is installed it sends a carrier pigeon16:17
*** e0ne has quit IRC16:18
*** _cjones_ has joined #openstack-keystone16:22
lbragstaddstanek: for the changes you have in openstack/keystone, do they have to live in /opt/stack/keystone in order for devstack to pick them up?16:22
*** mylu has joined #openstack-keystone16:22
*** ankita_wagh has joined #openstack-keystone16:23
dstaneklbragstad: i typically do16:24
bretonlbragstad: I am reviewing https://review.openstack.org/#/c/197647/8/keystone/token/providers/fernet/core.py now. What's bind? Lines 49-52 do something about it16:24
*** jistr has quit IRC16:24
lbragstadbreton: bind is something that you can do to get a token, ayoung knows more about it16:25
dstanekalright i'm not feeling well today - going to grab a quick lunch16:25
lbragstadfeel better16:26
*** morganfainberg changes topic to "Welcome back from the meetup | MidCycle Etherpad: https://etherpad.openstack.org/p/keystone-liberty-midcycle-meetup"16:26
*** mylu has quit IRC16:28
bretonOK, I've found this -- https://review.openstack.org/#/c/36166/8/openstack-identity-api/v3/src/markdown/identity-api-v3.md16:28
bretondoes anybody use it?16:28
*** chenhong has quit IRC16:31
lbragstadbreton: I'm not sure16:31
bknudsonbreton: I think there's a bug in auth_token where it doesn't even work.16:32
lbragstadbreton: not that I'm aware of16:32
*** lhcheng has joined #openstack-keystone16:34
*** ChanServ sets mode: +v lhcheng16:34
ayoungbreton, token binding was to limit the token itslef to only communicating authorization information, but to still require using strict authentication (crypto) when talking to the endpoint.  It never caught on and I stopped pushing it16:34
*** afaranha has joined #openstack-keystone16:35
*** jsavak has quit IRC16:35
*** mylu has joined #openstack-keystone16:35
*** afaranha has left #openstack-keystone16:35
ayoungbreton, so if I used a Kerberos principal to get a token, I could say "require this same Kerberos principal to be used when handing the token over to  a services"16:35
bretonmaybe we should deprecate and drop it?16:35
*** browne has joined #openstack-keystone16:35
samueldmqayoung: o/16:36
ayounghey sam16:36
samueldmqayoung: hey, how are you ?16:36
ayoungbreton, not willing to, yet....we might go that way after all.16:37
samueldmqayoung: how was the meetup last week ?16:37
ayoungsamueldmq, exhausting, but ultimately successful16:37
ayoungI think I have a clear view of the next steps for policy, anyway16:37
samueldmqayoung: that's great news16:37
ayoungsamueldmq, BTW, the fact that we are starting with "endpoint ID" needs to be syncronized with t gyee 's team doing the endpoint binding of tokens16:38
samueldmqayoung: yeah, tell me what have been agreed there16:38
ayoungsamueldmq, I think it was more that people finally started to see the big picture16:38
samueldmqayoung: ok so the fetch is going to be by endpoint id16:38
samueldmqayoung: not by url nor policy id16:38
ayoungsamueldmq, I think we need the ability to kill "global admin" which means...I think, create project with a specified ID16:38
ayoungsamueldmq, yes fetch is going to be by endpoint_id16:39
samueldmqayoung: nice16:39
ayoungand then we will put more logic into the middleware to calculate endpoint_id from other known things16:39
samueldmqgyee: ping - I'll propose a patch that simply introduces endpoint_id as a config option, then my patch and yours can be based on that first one16:39
ayoungsamueldmq, so we probably need a spec for "caluclate endpoint_id from url"16:40
ayoungsamueldmq, I think someone else on his team is writing that...let me look16:40
samueldmqayoung: didn't that have known problems as pointed out by morgan ?16:40
samueldmqayoung: I mean the id from url16:40
ayoungsamueldmq, its imperfect, but "good enough"16:40
samueldmqayoung: like the URL could be rewriteen at some point .. eg the ssl termination16:40
ayoungURL can either be from request or in config file16:41
ayoungeither way, logic will still be to deduce from the catalog16:41
samueldmqayoung: then we document that, if you do URL re-write put it in the config16:41
ayoungyep16:41
samueldmqayoung: if you don't, we will discover that for you16:41
ayoungyep16:41
samueldmqlike .. magic16:41
samueldmq:)16:41
ayoungand if we can't...we asplode16:41
samueldmqayoung: asplode == self.explode ?16:42
ayoungstevemar, I like https://review.openstack.org/#/c/203262/  but would check with dstanek that it is not going to set back his Flask work16:42
ayoungsamueldmq, yep16:43
samueldmqayoung: k got it sir16:43
samueldmqayoung: and regarding the scope, we keep the dynamic distribution targeted to L, right ?16:43
ayoungsamueldmq, wanna take https://bugs.launchpad.net/keystone/+bug/147626416:43
openstackLaunchpad bug 1476264 in Keystone "Cannot delete resources in remote services once project is deleted" [High,New] - Assigned to Adam Young (ayoung)16:43
ayoungsamueldmq, ^^ probably needs to be both domain and project, but project is the important one16:44
ayoungI think we need that fixed in order to write policy to always require a scoped token16:44
ayoungwe also, probably, need endpoint scoped tokens, but still thinking through that.  I would rather reuse the project abstraction than create a new type of scope\16:45
samueldmqayoung: I can grab that later today, not now because I have to report/confirm dynmaic policies roadmap to my managers16:46
ayoungsamueldmq, this falls under dynamic policy16:46
ayoungso, want to know if you plan on grabbing it, or I can do it16:47
*** jasonsb has quit IRC16:47
samueldmqayoung: keep with it for now, if I am going to grab it later and you haven't start, I ping you16:47
samueldmqayoung: sounds good ?16:47
ayoungyep16:47
*** roxanaghe has joined #openstack-keystone16:48
samueldmqayoung: I thought a project's resources were deleted somehow if we delete the project in keystone side ..16:48
samueldmqayoung: but that seems to not be the case16:48
ayoungsamueldmq, not if they are not listening, etc.16:48
ayoungsamueldmq, it is one case where being able to re-create a project would be essential.  I think all other cases for global admin for project scoped resources are covered16:49
samueldmqayoung: and that's the case you reported16:49
ayoungneed to figure out what to do baout not-project-scoped, though16:49
samueldmqayoung: should a domain admin be able to manage resources within a project ?16:50
*** ankita_wagh has quit IRC16:50
ayoungsamueldmq, it should be "possible" to do so with HTM16:50
ayoungHMT16:50
samueldmqayoung: actually how the delete is done depends in the policy in place, right ?16:50
samueldmqayoung: so what you report is with the current default policies16:50
samueldmqayoung: and what makes me sad is this fact: https://github.com/openstack/glance/blob/master/etc/policy.json#L616:51
samueldmqayoung: so the project scope checking looks to be hard coded16:51
samueldmq:(16:51
ayoungsamueldmq, yep16:51
samueldmqayoung: the tricky part of fixing 968696 is that it isn't "simply" fixing our default policies16:53
samueldmqayoung: there are hardcoded things around that as well :(16:53
ayoungsamueldmq, I know,  it is removing the reasons that we have those default policies in the first place16:53
ayounglike this16:53
openstackgerritDolph Mathews proposed openstack/keystone: Refactor: clean up TokenAPITests  https://review.openstack.org/20325016:54
samueldmqayoung: yep16:54
ayoungsamueldmq, if there project is deisabled, we can enable it to delte16:54
ayoung the normal case will use HMT16:54
ayoungbut if the project is deleted, I don't know what else we can do but recreate it16:54
samueldmqayoung: in HMT .. I was thinking about something to be added in the code as well16:54
ayoungput it under some different, admin los-tand-found project and delete resources, then re-delete the project16:54
samueldmqayoung: look: galnce will need to know the project hierarchy to quota operations, for example, right ?16:55
samueldmqayoung: we could allow a policy operation like: project_id:%(any(project.parents)s16:56
samueldmqayoung: to allow, for example, an admin in any parent to set the quota to that children..16:57
*** lhcheng has quit IRC16:57
*** lhcheng has joined #openstack-keystone16:57
*** ChanServ sets mode: +v lhcheng16:57
samueldmqayoung: anyway that's just a thought I had, I know making the policy rules more powerful is in your plans16:57
ayoungsamueldmq, while we *(can* do stuff like that, I don't think we should16:58
ayoungpolicy should not allow hierarchical operations.  Shooting to limit the exposure in a token, not widen it16:59
*** stevemar has quit IRC16:59
*** lhcheng has quit IRC16:59
openstackgerritMarek Denis proposed openstack/keystone: Fix docs in federation.routers  https://review.openstack.org/20357216:59
*** lhcheng has joined #openstack-keystone17:00
*** ChanServ sets mode: +v lhcheng17:00
*** dims_ has joined #openstack-keystone17:05
*** stevemar has joined #openstack-keystone17:08
*** ChanServ sets mode: +v stevemar17:08
*** amirosh_ has quit IRC17:10
samueldmqayoung: k17:10
samueldmqayoung: did you have a chance to take a look at Dynamic Policies Delivering Mechanism ?17:10
ayoungsamueldmq, I d8id, but you still had work to do on it, I thought17:11
samueldmqayoung: that's the missing part to have true policy delivery (behind policies, etc)17:11
*** amirosh has joined #openstack-keystone17:11
samueldmqayoung: I think I will implement it + policy by endpoint id to have a TRUE demo in ~3 weeks17:12
ayoungsamueldmq, there is a long way to get this to where it should be,  delivery is key, but not the whole story.17:12
samueldmqayoung: what do you think ?17:12
*** ankita_wagh has joined #openstack-keystone17:12
ayoungsamueldmq, just get the "by ID" working and posted.  THe url-to-id can happen second17:12
ayoungyou just had the field as policy_id, which you needed to change to endpoint_id, I think17:13
samueldmqayoung: yes, and the ksclient must support the get_policy_by_endpoint_id thing17:13
ayoungbut, yeah, the rest of it is important.  Drive on17:13
samueldmqayoung: what do I do in the case the URL match multiple endpoints ? keystone server returns all available ids right ?17:14
morganfainbergyou could unique constrain URL17:14
samueldmqmorganfainberg: how about migrations ?17:15
*** amirosh has quit IRC17:15
samueldmqmorganfainberg: and hey, you there listening .. :)17:15
*** e0ne has joined #openstack-keystone17:15
morganfainbergif multiple endpoints map to the same URL - you have other issues in the catalog17:15
morganfainbergyou could squash them - unless the bridge services -- and even then... I think your cloud is broken17:16
samueldmqmorganfainberg: maybe, but we must adopt an approach to decide what to do in the case we find that in the db17:16
*** openstackgerrit has quit IRC17:16
morganfainbergtrue - like i said, my guess is we could squash it -- unless it is across multiple serviceIDs. then something is really broken17:17
*** openstackgerrit has joined #openstack-keystone17:17
openstackgerritMarek Denis proposed openstack/keystone: Fix docs in federation.routers  https://review.openstack.org/20357217:17
samueldmqmorganfainberg: by squash you mean concatenate ? suppose I have (id1,url1) (id2,url1) (id3,url1), what shoudl htat look like at the end ?17:18
morganfainbergsamueldmq: those endpoints are likely the same thing.17:19
morganfainbergif the url is the *exact* same17:19
samueldmqmorganfainberg: yeah, but they have different interface types17:19
samueldmqmorganfainberg: what to do ? I think we should have a single ID even for different interface tyeps17:19
samueldmqtbh .. :)17:19
morganfainbergyou could also change the DB data normalization scheme17:20
morganfainbergsamueldmq: basically yes, same ID, just type is different17:20
morganfainberg(interface type(17:20
morganfainbergnot to be confused with... gah, I hate our data model sometime17:20
morganfainbergss17:20
samueldmqmorganfainberg: and the object is duplicated into db, or do we create another table for the association ?17:20
samueldmqhehe17:21
morganfainbergsamueldmq: basically we'd end up with a new table layout.17:21
morganfainbergsamueldmq: with a many->one type relationship17:21
morganfainbergvs. the one-to-one17:21
morganfainbergwe have today17:21
morganfainbergor mixed into a single table17:21
morganfainbergit would be a total restructure of the db schema for this bit.17:22
samueldmqmorganfainberg: yes, and the many side is (interface, url) ? as different interfaces can have different urls, but the same id though17:22
morganfainbergthe many side would be interface-type/interface17:22
morganfainbergthe URL would be the one, and then a many url -> one endpoint id17:23
*** diegoadolfo has joined #openstack-keystone17:23
morganfainbergit's a lot of moving things around17:23
morganfainbergmight not be worth the headache17:23
morganfainbergmight be easier to go with something a lot simpler17:23
samueldmqlike ?17:23
morganfainbergwhat you descibed17:24
morganfainbergreturn them all17:24
morganfainbergor something17:24
samueldmqand a fix for the endpoints datamodel could come later17:24
samueldmqin the history17:24
* morganfainberg shrugs17:24
morganfainbergsomething like that17:24
*** piyanai has quit IRC17:25
samueldmqmorganfainberg: I prefer to fix all that .. but time's short :) L is running17:25
morganfainbergyes17:25
morganfainbergi'd like to use consul for the catalog, but that might be out of scope for L as well17:25
morganfainberg:P)17:25
diegoadolfolbragstad,17:25
samueldmqmorganfainberg: how do deployers (CMS) associate policy to endpoint ?17:26
samueldmqmorganfainberg: do we keep associating the policy by enpoint ID ?17:26
morganfainbergsamueldmq: dump it on disk for the server17:26
morganfainberg:P17:27
samueldmqmorganfainberg: and yeah, I like consul, but it's a long road though17:27
morganfainbergoh in the future17:27
morganfainbergyeahhh17:27
samueldmqmorganfainberg: lol17:27
lbragstaddiegoadolfo: o/17:27
samueldmqmorganfainberg: and the bad UX comes here: in that case, what id do deployers use to associate the policy ?17:28
morganfainbergsamueldmq: go with ayoung's suggestion SHA25617:28
morganfainberg:P17:28
samueldmqmorganfainberg: the answer can be: any of them, as the middleware will know the list of endpoint-ids for that URL, it fetch the first valid policy17:28
morganfainbergi like the url model though17:28
morganfainbergbut if we can just use any url, doesn't matter17:29
ayoungmorganfainberg, reading up17:29
*** Ephur has joined #openstack-keystone17:29
morganfainbergdata model can be fixed later17:29
morganfainbergif it really has no impact17:29
samueldmqmorganfainberg: I don't think it has :)17:29
morganfainbergthen go for easiest17:29
morganfainbergbest ux for deployer17:29
ayoungmorganfainberg, so...it might be possible that both admin and public endpoints have the same URL.  There is only an issue if they have different policy files, and if that is the case, then, yes, there is a problem.  But, I think we can punt on that from the fetch side17:30
ayoungwe need to identify that on the assignment side17:30
samueldmqso .. when getting endpoints by URL, middleware can get a list of IDs, then it asks keystone for policies associated with those IDs, and stores the first valid one17:30
samueldmqif that makes sense17:30
*** tqtran has joined #openstack-keystone17:30
ayoungendpoint_policy should enforce: if two endpoints have the same URL, they must resolve to the same policy file17:31
samueldmqayoung: ^ yeah we just consider the first ID in the list which has a valid policy associated with17:31
ayoungsamueldmq, right.  and at the middleware layer, we will not know if they would resolve to different policy files17:31
ayoungso, lets file a bug against endpoint_poicy and then drive on with this approach in middleware17:31
ayoungmorganfainberg, make sense?17:32
samueldmqayoung: we don't care, if the deployer has different policies to the same endpoint (which is a process running a service), it's his bad deployment :p17:32
samueldmqayoung: fixing our endpoint model would result on fixing this as well, see above conversation17:33
ayoungsamueldmq, Yep, but we'll help to straighten out those issues over time, too.17:33
*** Ephur has quit IRC17:33
openstackgerritMarek Denis proposed openstack/keystone: Fix docstrings in contrib  https://review.openstack.org/20360717:34
*** ChanServ sets mode: +o stevemar17:34
openstackgerritMarek Denis proposed openstack/keystone: Fix docs in federation.routers  https://review.openstack.org/20357217:34
samueldmqayoung: where we have a single endpoint_id associated to multiple interfaces, instead of needing to have multiple endpoitn_ids for multiple interfaces17:34
samueldmqayoung: so that would fix the above issue as well17:34
samueldmqayoung: if that makes sense to you  :)17:35
*** btully has joined #openstack-keystone17:35
lbragstaddiegoadolfo: something simple to implemented?17:36
ayoungsamueldmq, yeah, it really is addressing the same issue, and addressing it at the core17:36
lbragstads/implemented/implement/17:37
samueldmqayoung: exactly sir !17:37
samueldmqayoung: you ok with that addressed later ? :)17:37
samueldmqayoung: and we do it the simplest way for now17:37
ayoungmorganfainberg, so..any problem with me fixing https://bugs.launchpad.net/keystone/+bug/1476264  via "specify ID when creating project"?17:38
openstackLaunchpad bug 1476264 in Keystone "Cannot delete resources in remote services once project is deleted" [High,New] - Assigned to Adam Young (ayoung)17:38
morganfainbergi don't really mind it being changed.17:38
samueldmqmorganfainberg: if we don't associate a policy by URL, we'll do it by endpoint_id, as we do today ... which is not known a priori17:40
ayoungmorganfainberg, cool17:40
samueldmqmorganfainberg: and doesn't fit your previous requirement .. are you ok with that ? i.e we fetch by URL, but associate by id ?17:41
morganfainbergayoung: make sure conflicts can't occur and make sure if not specified a id is generated, last thing - ids are immutable - no changing then after the fact17:41
samueldmq(fetch by URL means resolving the ID thoguth the UR)17:41
morganfainbergayoung: if we're doing that change.17:41
ayoungmorganfainberg, basically, it is a change on the controller.  If the id is specified, do a sanity check on it, and then leave it in place.  id has a unique constraint in the database17:42
morganfainbergayoung: sure. and make sure update doens't let ids change17:42
morganfainbergit should already check that..but you know...17:42
morganfainbergworth 2x checking17:43
ayoungmorganfainberg, will do17:43
morganfainberglast bit - highly recommend constraining the id to hex/uuid format17:43
morganfainbergthis isn't so people can make a project id: "my nifty <utf-8-char-string> project thing"17:44
samueldmqmorganfainberg: what about LDAP resource backends ? I think we support that today17:44
morganfainbergsamueldmq: assume LDAP assignment is dead17:44
samueldmqmorganfainberg: I am talking about LDAP resource17:44
morganfainbergit is being removed next cycle17:44
*** topol has quit IRC17:44
morganfainbergsamueldmq: same thing17:44
morganfainbergdead next cycle17:44
samueldmqmorganfainberg: k they never existed to me anyway17:45
samueldmqo/17:45
morganfainberg:(17:45
morganfainberg:)17:45
morganfainbergeven17:45
lbragstaddiegoadolfo: maybe look at solving one of these? https://bugs.launchpad.net/keystone/+bugs?field.searchtext=&orderby=-importance&search=Search&field.status%3Alist=NEW&field.status%3Alist=CONFIRMED&field.status%3Alist=TRIAGED&field.status%3Alist=INPROGRESS&field.status%3Alist=FIXCOMMITTED&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&assignee_option=any&fiel17:45
lbragstadd.assignee=&field.bug_reporter=&field.bug_commenter=&field.subscriber=&field.structural_subscriber=&field.tag=low-hanging-fruit+&field.tags_combinator=ANY&field.has_cve.used=&field.omit_dupes.used=&field.omit_dupes=on&field.affects_me.used=&field.has_patch.used=&field.has_branches.used=&field.has_branches=on&field.has_no_branches.used=&field.has_no_branches=on&field.has_blueprints.used=&field.has_bluepr17:45
lbragstadints=on&field.has_no_blueprints.used=&field.has_no_blueprints=on17:45
lbragstadooo...17:45
samueldmqlbragstad: lol17:45
lbragstadsorry17:45
morganfainberglbragstad: tinyurl!17:45
morganfainberg:P17:45
lbragstaddiegoadolfo: https://goo.gl/CIeYO817:45
*** rltrocquer has quit IRC17:46
ayoungmorganfainberg, I was going with UUID, but going to be forgiving on length, up to 128 chars17:46
ayoungallow for SHA25617:46
samueldmqlbragstad: my mind is processing that URL in bash, will be back in ~1 hour17:46
lbragstadsamueldmq: lol17:46
ayoungsamueldmq, going to ignore ldap resources for this17:46
*** aix has quit IRC17:46
morganfainbergayoung: hm. i don't think projects are anything but uuid atm17:46
ayoungmorganfainberg, that is correct17:46
samueldmqayoung: yeah they'll die in M17:46
morganfainbergayoung: I'd rather over constrain the input and ease the constraint back later than too open right now17:47
ayoungmorganfainberg, I guess we can expand the length on both sides when we do17:47
ayoungcool.  I'll go with UUID length17:47
morganfainbergayoung: i wouldn't -1 or -2 a sha256 allowance, but UUID is probably better for today17:47
samueldmqmorganfainberg: ++17:47
samueldmqmorganfainberg: btw we didn't deprecate LDAP resource ...17:48
samueldmqmorganfainberg: just assignment17:48
morganfainbergsamueldmq: we deprecated ldap assignment17:48
morganfainbergit's the same thing17:48
morganfainbergwe did the split and resource lost the deprecation warning - but lets be clear, both are going away in M17:48
samueldmqmorganfainberg: ah yes, we deprecated that before the assignment/resource split17:48
morganfainbergsamueldmq: it's worth adding the warning to resouce fwiw17:48
*** piyanai has joined #openstack-keystone17:48
morganfainberg(If we could have rm -rf'd it for Liberty, I would have)17:49
samueldmqmorganfainberg: yes that's my concern, just to be clear, not against the removal at all :)17:49
morganfainbergsamueldmq: it's still being removed next cycle - just add the warning in a patchset17:49
samueldmqmorganfainberg: k17:49
ayoungmorganfainberg, this regex  "[0-9a-f]{32}"17:50
morganfainbergayoung: i think we have a uuid schema17:51
morganfainbergfor json schema you can use17:51
morganfainbergthis is a json schema thing not a controller matching thing [or should be]17:51
morganfainbergor... not17:52
morganfainbergah17:52
ayoungmorganfainberg, needs to be called from the controller.   We could do a json schema, too17:52
morganfainberghttps://github.com/openstack/keystone/blob/master/keystone/resource/schema.py#L2217:53
*** dims_ has quit IRC17:53
ayoungmorganfainberg, that is not quite strict enough.17:53
morganfainbergayoung: we should add a uuid-strict then17:53
*** jsavak has joined #openstack-keystone17:53
morganfainbergto https://github.com/openstack/keystone/blob/master/keystone/common/validation/parameter_types.py#L36-L4417:53
ayoungmorganfainberg, I'd like to keep this as saying "it must match an old UUID" for now17:54
ayoungeven though there is no way we can enforce it17:54
ayoungand the API can get more forgiving in the future without an API spec change17:54
morganfainberghow do you know the old uuid?17:54
ayoungyou don't.  Like most things, we jusrt lie17:54
morganfainbergi was thinking we just make it a schema validation above the controller and similarly then lie17:55
morganfainberg:P17:55
*** piyanai has quit IRC17:55
morganfainbergcontroller doesn't need any logic - if the json schema prevents anything non-uuid landing17:55
morganfainbergwe're pretty good.17:55
morganfainbergthen just loosen the controller "generate_an_id" line17:55
ayoungwe only guarantee it to work if it matches an old UUID17:56
ayoungif gyee wants to do soft deletes, he can use this to bring things back to life without an API change17:56
morganfainbergpushng this to json schema doesn't really change that.17:56
*** dims_ has joined #openstack-keystone17:56
morganfainberggyee's change would be in the driver in either case17:56
morganfainbergor a change in driver *and* controller in both cases17:57
morganfainbergsince today controller can't know if a uuid used to exist or not17:57
morganfainbergagain, I wont -2 or -1 either approach17:57
*** diegoadolfo_ has joined #openstack-keystone17:58
ayoungcool17:58
ayounglet me a get a WIP posted17:58
*** dims_ has quit IRC17:58
morganfainbergsounds good to me17:58
*** albertom has quit IRC17:58
*** ajayaa has quit IRC17:59
morganfainbergayoung: fwiw you're going to need to make some json schema validation changed in either case (to accept, optionally, the id)17:59
*** piyanai has joined #openstack-keystone18:00
*** pcaruana has quit IRC18:00
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Deprecates LDAP Resource  https://review.openstack.org/20374818:00
samueldmqmorganfainberg: ^18:00
morganfainbergsamueldmq: open a bug, don't attach to an old BP18:01
morganfainbergotherwise - yes.18:01
lbragstaddstanek: I'm running devstack with your change, it doesn't look like there is any thing config wise to enable federation?18:02
*** fangzhou has joined #openstack-keystone18:03
*** ParsectiX has joined #openstack-keystone18:04
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Deprecate LDAP Resource Backend  https://review.openstack.org/20374818:05
samueldmqmorganfainberg: ^ done18:05
samueldmqMitaka ftw18:06
stevemarlhcheng: you approved just before i could :(18:06
*** albertom has joined #openstack-keystone18:06
*** ParsectiX has quit IRC18:06
lhcheng I thought you just updated a patch on osc18:07
lhcheng we're  in sync on the sequence of patches being looked at18:07
lhchenglol18:07
*** TheIntern has quit IRC18:11
*** TheIntern has joined #openstack-keystone18:11
bretonI think it's weird to make a commit in L that is marking something as deprecated starting from K18:13
samueldmqayoung: i) fix middleware patch to fetch by endpoint_id18:14
samueldmqayoung: ii) resolve endpoint_id from URL18:14
samueldmqayoung: iii) implement keystone server cache logic to deal with that case where multiple service processes are behind a HAProxy18:14
*** arunkant has joined #openstack-keystone18:14
morganfainbergbreton: the deprecation warning was missed from the split18:15
stevemarbknudson: with create_region now in oslo.cache, how did you envision passing the region around to all the memoization decorators?18:15
bretonmorganfainberg: yeah, I understand18:15
morganfainbergbreton: the driver was already deprecated but assignment -> [assignment|resource] should have been maintained18:15
morganfainbergwe can backport the warning too18:15
bknudsonstevemar: you'll have to create_region statically18:15
morganfainberg[and probably should]18:15
bknudsonthen ref it from somewhere18:15
bretonit's just my... inner perfectionist riots18:15
bretonmorganfainberg: ++18:16
stevemarbknudson: ...18:16
samueldmqayoung: we then should have the same demo as we had last week, but much more robust18:16
stevemarbknudson: thats more work :P18:16
bknudsonstevemar: I mean, you'll have to reference the static region in all the decorators18:16
morganfainbergbreton: this case, your inner perfectionist will need to let it go ;)18:16
bretonmorganfainberg: he is ok with backporting to kilo18:16
bknudsonstevemar: the previous way it was done didn't make any sense.18:16
samueldmqmorganfainberg: actually the warning came after the split, however its true semantic was to apply for both of them (assignment,resource)18:16
morganfainbergsure sure18:17
stevemarbknudson: i gotta save the region in backends.py now and reference the global variable from there?18:27
bknudsonstevemar: that works.18:28
bknudsonI don't know where the best place is for it.18:29
stevemarbknudson: you stink, that means i gotta change a whole bunch of stuff now :P18:29
bknudsonthe code should have been written correctly to begin with18:29
bknudsonglobal variables are an abomination18:30
*** spandhe has joined #openstack-keystone18:30
*** piyanai has quit IRC18:30
*** jasonsb has joined #openstack-keystone18:30
stevemarbknudson: we should have some sort of get_region() for oslo.cache18:31
*** piyanai has joined #openstack-keystone18:32
dstaneklbragstad: what are you doing exactly?18:33
*** piyanai has quit IRC18:33
lbragstaddstanek: just trying to run devstack with the federation stuff you have up for review https://review.openstack.org/#/c/151311/918:33
lbragstadI have a VM with devstack and keystone + your patch18:34
*** mylu has quit IRC18:34
*** piyanai has joined #openstack-keystone18:34
dstaneklbragstad: ah, i see, i see. that will install keystone/apache/etc, but doesn't load the federation data18:35
lbragstaddstanek: yep, I stacked and that's what the result was18:35
dstanekto run that you'll need to make sure you have the right local.conf18:35
lbragstaddstanek: I figured i was missing the "enabled keystone-federation" part in my devstack config somewhere18:36
dstaneklbragstad: that's the review that i wanted to steal your stuff18:36
dstaneklbragstad: did it actually configure apache and shib for you?18:36
*** piyanai has quit IRC18:36
lbragstaddstanek: the ansible stuff?18:36
*** piyanai has joined #openstack-keystone18:37
dstaneklbragstad: this patch actually does the devstack configuration to use keystone-federation18:37
dstanekhttps://review.openstack.org/#/c/139137/18:37
dstaneklbragstad: yes18:37
*** piyanai has quit IRC18:37
*** mylu has joined #openstack-keystone18:37
dstaneklbragstad: specifically i need to get this working again: https://review.openstack.org/#/c/151311/9/dsvm/federation/devstack/files/key-federation-setup.py18:38
lbragstaddstanek: my federation ansible branch installs mod_shib and sets it up, but I think there are still issues,18:38
dolphmare you going to be at castle tomorrow?18:39
dolphmlbragstad: ^ whoops lol18:39
lbragstaddstanek: this is what you need? https://github.com/lbragstad/keystone-deploy/blob/federation/test_federation_exercises.py#L24-L3318:39
lbragstaddolphm: yep18:39
lbragstadI'll be out thursday and friday18:39
dstaneklbragstad: yep, exactly18:39
*** jsavak has quit IRC18:40
*** jsavak has joined #openstack-keystone18:40
lbragstaddstanek: so, if I checkout 139137 locally18:40
lbragstadI should be able to use the local.conf there18:41
lbragstadand restack18:41
*** topol has joined #openstack-keystone18:41
*** ChanServ sets mode: +v topol18:41
dstaneklbragstad: yes, i'm guessing that there will be some issues since it has been so long18:41
lbragstaddstanek: I'm about to find out18:42
dstaneki have my fingers crossed18:43
*** piyanai has joined #openstack-keystone18:44
samueldmqmorganfainberg: just to be clear, with the solution we were talking about earlier today, you're ok with the policy association by id18:45
*** ayoung has quit IRC18:45
samueldmqmorganfainberg: as it is today....18:45
samueldmqis that right ?18:45
*** topol has quit IRC18:45
samueldmqwell... at least for now18:46
lbragstaddstanek: ... ummm18:50
lbragstaddstanek: it worked?18:50
dstanekwoot?18:50
* lbragstad blinks blankly at devstack18:50
lbragstaddstanek: does your bootstrap stuff work to set up a user that the idp can valid?18:51
*** davi8784 has joined #openstack-keystone18:54
*** davi8784 has quit IRC18:55
dstaneklbragstad: right now i don't think any of the data is actually setup - the ipd is running, keystone is running, but they are not communicating yet18:55
dstaneki think the key exchange is done as well as the metadata exchange18:55
*** TheIntern has quit IRC18:56
*** geoffarnold has joined #openstack-keystone18:57
*** adam_g` is now known as adam_g19:01
*** adam_g has quit IRC19:01
*** adam_g has joined #openstack-keystone19:01
*** piyanai has quit IRC19:02
*** losingle has joined #openstack-keystone19:05
*** piyanai has joined #openstack-keystone19:06
*** tsymanczyk has quit IRC19:06
*** dims_ has joined #openstack-keystone19:10
*** topol has joined #openstack-keystone19:20
*** ChanServ sets mode: +v topol19:20
*** piyanai has quit IRC19:21
*** piyanai has joined #openstack-keystone19:24
openstackgerritIan Cordasco proposed openstack/keystoneauth: Fix test-requirements for python 2.6  https://review.openstack.org/20281619:24
*** tsymancz1k has joined #openstack-keystone19:25
gyeesamueldmq, ayoung, sure, support endpoint_id as a option would be great19:27
openstackgerritDolph Mathews proposed openstack/keystone: Add better user feedback when bind is not implemented  https://review.openstack.org/20378819:29
openstackgerritHenrique Truta proposed openstack/keystone: Add is_domain field in Project Table  https://review.openstack.org/15742719:31
*** nllrte has quit IRC19:32
*** piyanai has quit IRC19:33
openstackgerritDolph Mathews proposed openstack/keystone: Federated tokens do not require group IDs  https://review.openstack.org/20379119:34
stevemarlhcheng: can you quickly review an osc patch?19:35
*** miand has joined #openstack-keystone19:35
lhchengstevemar: sure, which one?19:35
stevemarlhcheng: https://review.openstack.org/#/c/203455/19:35
*** miand has quit IRC19:35
gyeestevemar, lhcheng, https://review.openstack.org/#/c/194733/19:37
gyeeeasy one :)19:37
samueldmqgyee: I was wondering if that should be endpoint_ids ... you know, multiple URLs (internal,public) -> multiple IDs19:41
samueldmqgyee: if you have public or internal or admin endpoint in your token, any of them should be valid (in your constraint enforcement)19:42
samueldmqgyee: so it should be a list of endpoint ids : endpoint_ids config option ..19:42
gyeesamueldmq, yes19:42
*** piyanai has joined #openstack-keystone19:43
gyeeI agree19:43
samueldmqgyee: if that makes sense to you19:43
gyeesamueldmq, yes, make sense19:43
samueldmqgyee: great sir, I will create a patch that introduces this as a config option, then you (and I) rebase the work on it19:43
gyeesamueldmq, thanks!19:43
samueldmqgyee: great, sounds like we have a plan :)19:44
gyeelets do this!19:44
samueldmq++19:45
samueldmqbknudson, dolphm : hi - are you ok with backporting this to kilo ? https://review.openstack.org/#/c/203748/19:48
bknudsonsamueldmq: no19:48
dolphmsamueldmq: no, we don't backport deprecations19:49
samueldmqbknudson: why ? is it just, it doesn't need to or ..19:49
samueldmqbknudson: dolphm got it, thanks19:49
samueldmqmorganfainberg: cc ^19:49
*** amakarov is now known as amakarov_away19:49
dolphmsamueldmq: it's not fair to end users, at all19:49
samueldmqdolphm: yes I see the point, but you're ok with that change in master right ? ^19:50
dolphmsamueldmq: no19:50
*** ayoung has joined #openstack-keystone19:51
*** ChanServ sets mode: +v ayoung19:51
dolphmsamueldmq: https://review.openstack.org/#/c/203748/2/keystone/resource/backends/ldap.py,unified cc- morganfainberg19:51
*** esp has left #openstack-keystone19:53
lhchengstevemar: comments added on the osc patch19:53
stevemarlhcheng: thx!19:56
samueldmqdolphm: I understand your point, even if we meant to do that, we didn't do .. :( let's see that together with morgan, thanks20:01
dolphmsamueldmq: that's unfortunate, i agree20:01
lbragstaddstanek: awesome, I'll see if I can create a script with the setup data20:01
samueldmqdolphm: btw, I was looking into that keystone-deploy stuff ... do you have an Ansible repo to deploy devstack and run a kind of test_exercises against the cloud ?20:03
samueldmqdolphm: I mean, to then use travis-ci :)20:03
dolphmsamueldmq: devstack deploys itself -- why do you need ansible?20:04
samueldmqdolphm: my usecase is to make demonstrations, like the one I did in the midcycle (hope you saw that one)20:05
samueldmqdolphm: so I could just run Ansible on travis-ci, then run my demo.sh and get the results on the travis-ci build, something like that20:05
samueldmqdolphm: if that makes sense ..20:05
dolphmsamueldmq: i did not - i was not at the midcycle20:06
lbragstaddstanek: after your devstack patch runs, should ssh be up and running?20:06
samueldmqdolphm: in the case you want to check that out20:07
samueldmqdolphm: https://drive.google.com/open?id=0B2vU1iAv61nDSEVaZGw3M0xlNXc20:07
dolphmsamueldmq: there's so many limitations to travis that i don't know if it's worth it to pursue that, honestly20:07
samueldmqdolphm: k then :(20:08
*** btully has quit IRC20:09
samueldmqdolphm: tbh I have a lot of work to be done in dynamic policy, I shouldn't be looking for more work :)20:09
*** mylu has quit IRC20:10
samueldmqdolphm: thanks20:10
dstaneklbragstad: as in system ssh?20:10
dstaneklbragstad: the plugin shouldn't do anything to that20:10
lbragstaddstanek: sorry s/ssh/ssl/20:11
samueldmqmorganfainberg: fyi, I've put 2 points in dynamic policies to the meeting tomorrow: SFE decision + request for spec reviews20:11
dstaneklbragstad: i don't know that i was running in SSL...let me see20:11
samueldmqmorganfainberg: let me know if that sounds sane20:11
lbragstaddstanek: I thought I saw something along those lines20:12
dstaneklbragstad: you probably did because i tend to run everything behind ssl20:12
dstaneklbragstad: actually i think i just attach on to what devstack is already doing20:14
lbragstaddstanek: makes sense20:14
lbragstaddstanek: I want to see if I can get my service provider ansible stuff to work with test shib...20:14
*** mylu has joined #openstack-keystone20:14
*** spandhe has quit IRC20:32
*** spandhe has joined #openstack-keystone20:32
*** ankita_w_ has joined #openstack-keystone20:39
*** ankita_wagh has quit IRC20:42
*** geoffarnold has quit IRC20:51
*** geoffarnold has joined #openstack-keystone20:52
*** jsavak has quit IRC20:55
*** diegoadolfo_ has quit IRC20:55
*** diegoadolfo has quit IRC20:55
*** raildo has quit IRC20:56
*** pnavarro has joined #openstack-keystone20:56
*** jsavak has joined #openstack-keystone20:57
lbragstaddoes this seems like a federation bug or is it just me? http://cdn.pasteraw.com/oavk5srm2kbunn8t28wjf8wyb14pt2421:01
lbragstadcc stevemar marekd ^21:01
_cjones_Hi guys. We're merging our code with upstream stable/kilo and I've run into this issue with devstack/keystone:21:03
_cjones_"2015-07-20 13:55:35.199175 ArgsAlreadyParsedError: arguments already parsed: cannot register CLI option"21:04
*** btully has joined #openstack-keystone21:04
lbragstadah nevermind, possibly a dependency issue http://cdn.pasteraw.com/txqrkhcuzgm6kdadi6h37quv4pex4w21:04
bknudson_cjones_: sounds similar to https://review.openstack.org/#/c/201352/ ?21:05
bknudsonoh, no, that's different... I haven't seen that error reported.21:05
_cjones_Via ayoung:s page: http://adam.younglogic.com/2012/04/keystone-httpd/comment-page-1/#comment-76048621:06
ayoungUh oh21:06
*** crinkle has quit IRC21:06
*** crinkle_ has joined #openstack-keystone21:07
_cjones_Sorry my gist isn't working, but essentially looks to be the same-ish error message.21:07
bknudsonit must be ayoung's fault since it's on his blog.21:07
ayoungOh, I saw this before, not long ago21:07
ayoungbknudson, everything is my fault.  I thought that was well established21:07
bknudsonactually, I think we were seeing that in the gate (during grenade run)21:08
ayoung_cjones_, I thought before that  it happens when you have multiple parts of the apache file refer to the same WSGI process, but now I think that it is a false error message21:08
ayoung I think it comes from improper parse of the config options21:08
*** btully has quit IRC21:08
_cjones_So, I may have missed a commit (from upstream) either in devstack (config issue) or something in keystone (code issue). Just wondering which to start digging at?21:09
bknudson_cjones_: https://bugs.launchpad.net/keystone/+bug/1466485 ?21:09
openstackLaunchpad bug 1466485 in grenade "keystone fails with: ArgsAlreadyParsedError: arguments already parsed: cannot register CLI option" [Undecided,In progress] - Assigned to Ihar Hrachyshka (ihar-hrachyshka)21:09
ayoung_cjones_, put a breakpoint in the config procesing code I think....21:09
ayoungI forget how I solved it,21:09
ayoung_cjones_, try just cranking up the logging in Keystone and restarting the server21:10
_cjones_ayoung: No problem. I'll look at the bug too.21:10
ayoungthere was a stack trace21:10
ayoungI think that the error ^^ you see after the real error21:10
marekdlbragstad: it's rather you21:12
marekdlbragstad: you seem to be touching keystone-idp stuff21:12
marekdand with testshib you don't want to do that...21:12
lbragstadmarekd: yep, I think it was a dep issue21:13
lbragstadhttps://github.com/openstack/keystone/blob/master/keystone/contrib/federation/idp.py21:13
lbragstadwrong link https://github.com/openstack/oslo.utils/commit/36d599f477b38be2899604304523e07d998bd0d621:13
lbragstadmarekd: I verified that my service provider is set up properly, I was able to test it against testshib21:13
lbragstadso that's cool!21:13
marekdlbragstad: GREAT!!!!!!!!!21:14
marekdgood to know!21:14
lbragstadand that's with the ansible playbooks21:14
lbragstadnow I'm trying to get the idp setup so I can have it all21:14
lbragstadin ansible21:14
marekdidp is much much easier.21:14
marekdwith sp done i consider job almost done (you can open that cold beer)21:15
* lbragstad wishes21:15
lbragstadmarekd: I'm getting http://cdn.pasteraw.com/2f4g667yzk8q6d28z6hy68xhnwrvlmm so I think we need to update the dependency for oslo.utils one stevemar's fix is released?21:15
lbragstadmarekd: but, when I fire up the python interpreter on the idp, I can confirm the following:21:16
*** crinkle_ is now known as crinkle21:17
lbragstadmarekd: http://cdn.pasteraw.com/izsij2xfc19bda04t4phgq57cwtu88921:17
*** mylu has quit IRC21:17
_cjones_ayoung: "2015-07-20 14:18:17.271517 LookupError: No section 'xml_body_v2' (prefixed by 'filter') found in config /etc/keystone/keystone-paste.ini"21:19
dstanek_cjones_: do you still have XML configured in you paste.ini?21:19
ayoung_cjones_, yeah, get rid of that21:20
_cjones_Okay.21:20
stevemarlbragstad: oslo_utils should have been bumped up in keystones reqs.txt21:20
*** dims_ has quit IRC21:22
*** losingle has quit IRC21:23
ankita_w_Hi gordc : I am trying to catch nova 500 errors using ceilometer. I see all 200s and 400s in ceilometer but when a 500 error is generated. The outcome says "unknown" . I have enabled the audit middleware21:25
ankita_w_Is this a known issue?21:25
*** topol has quit IRC21:27
*** pgbridge has joined #openstack-keystone21:29
_cjones_ayoung/dstanek: Good catch guys. I realize what my mistake was: Did a stack.sh with some variables pointing to our old branch. Realized my mistake: "rm -rf /opt/stack", fix branch variables, ./stack.sh (but this left old configuration in /etc/keystone).21:30
ayoung_cjones_, cool,  respond to blog post so the next person sees it, please21:30
bretonankita_w_: I'm not, but I can test that now21:30
*** fangzhou_ has joined #openstack-keystone21:31
bretonankita_w_: *it's not for me21:31
*** zzzeek has quit IRC21:31
*** fangzhou has quit IRC21:32
*** fangzhou_ is now known as fangzhou21:32
bretonankita_w_: ok, I can't, my env broke. I suggest to file a bugreport anyway21:36
ankita_w_Hi breton : I dont see any events at all21:37
ankita_w_The unknowns are a seperate issue21:37
openstackgerritBrant Knudson proposed openstack/keystone: Document policy target for operation  https://review.openstack.org/16852121:44
*** zzzeek has joined #openstack-keystone21:46
*** e0ne has quit IRC21:48
*** htruta_ has joined #openstack-keystone21:48
htruta_henrynash, ping21:48
*** e0ne has joined #openstack-keystone21:48
stevemarhtruta_: its midnight for mr nash :|21:51
dstanekstevemar: so what you are saying is he's probably at the pub?21:55
stevemardstanek: if he's working on keystone, probably21:56
stevemarworking on keystone promotes consuming keystone lite21:56
bretonoh gawd, why I didn't see https://review.openstack.org/#/c/168521/ before21:58
*** sigmavirus24 is now known as sigmavirus24_awa21:58
*** jsavak has quit IRC21:59
lbragstadstevemar: http://i.imgur.com/MvGmLie.jpg21:59
bretonoh, no, wait, it's not what I thought.21:59
*** jsavak has joined #openstack-keystone21:59
bretongood patch anyway.22:00
htruta_stevemar, ops... kind of forgot it... but he's just reviewed a patch... who knows?22:00
htruta_anyway, he's probably on keystone light :P22:02
*** pnavarro has quit IRC22:02
lbragstadhtruta_: that's Keith Stone22:03
bknudsonlbragstad: we need a t-shirt with keith stone22:06
bknudsonhe sounds tough22:06
lbragstadbknudson: ++, the next time we get jackets we should have Keith Stone as our mascot22:06
*** jecarey has quit IRC22:06
htruta_lbragstad, lol22:07
htruta_lbragstad, https://www.youtube.com/watch?v=hNz0kdGLX-E22:11
htruta_lbragstad, I don't have any words for keith stone lol22:11
*** mylu has joined #openstack-keystone22:17
*** edmondsw has quit IRC22:19
openstackgerritSteve Martinelli proposed openstack/keystone: switch to oslo.cache  https://review.openstack.org/19587322:21
*** e0ne has quit IRC22:25
*** topol has joined #openstack-keystone22:28
*** ChanServ sets mode: +v topol22:28
*** stevemar has quit IRC22:29
*** topol has quit IRC22:32
*** geoffarnold has quit IRC22:35
*** geoffarnold has joined #openstack-keystone22:36
*** fangzhou has quit IRC22:40
*** _hrou_ has quit IRC22:42
*** diazjf has left #openstack-keystone22:45
*** esp has joined #openstack-keystone22:48
*** fangzhou has joined #openstack-keystone22:52
*** btully has joined #openstack-keystone22:52
*** rm_work is now known as rm_work|away22:53
*** jsavak has quit IRC22:53
*** jsavak has joined #openstack-keystone22:54
*** gordc has quit IRC22:54
*** chlong has quit IRC22:54
openstackgerritayoung proposed openstack/keystone: Specify ID for Project or domain creation  https://review.openstack.org/20385222:57
*** btully has quit IRC22:57
*** jsavak has quit IRC22:57
ayoungsamueldmq, there you go.  Need to think about things like "cells and hypervisors" next22:57
openstackgerritBrant Knudson proposed openstack/keystone: test_base64utils works with py34  https://review.openstack.org/20385322:59
*** bknudson has quit IRC23:04
*** tqtran is now known as tqtran-afk23:08
*** hrou has joined #openstack-keystone23:11
*** sigmavirus24_awa is now known as sigmavirus2423:12
*** zzzeek has quit IRC23:14
*** mylu has quit IRC23:14
*** jsavak has joined #openstack-keystone23:15
*** jsavak has quit IRC23:18
*** bitblt has joined #openstack-keystone23:20
*** henriquetruta has joined #openstack-keystone23:24
*** htruta_ has quit IRC23:28
*** stevemar has joined #openstack-keystone23:30
*** ChanServ sets mode: +v stevemar23:30
*** roxanaghe has quit IRC23:31
*** stevemar has quit IRC23:33
*** mylu has joined #openstack-keystone23:37
*** geoffarnold has quit IRC23:37
*** geoffarnold has joined #openstack-keystone23:38
*** stevemar has joined #openstack-keystone23:44
*** ChanServ sets mode: +v stevemar23:44
*** mgarza_ has quit IRC23:47
openstackgerritSteve Martinelli proposed openstack/keystone: switch to oslo.cache  https://review.openstack.org/19587323:57
*** stevemar has quit IRC23:58
*** darrenc_ is now known as darrenc23:58
*** sigmavirus24 is now known as sigmavirus24_awa23:58
« Sunday, 2015-07-19 Index Tuesday, 2015-07-21 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!