Monday, 2015-08-17

« Sunday, 2015-08-16 Index Tuesday, 2015-08-18 »
*** markvoelker has quit IRC00:02
*** shoutm has quit IRC00:06
*** shadower has quit IRC00:23
*** shadower has joined #openstack-keystone00:23
*** browne has quit IRC00:31
*** piyanai has joined #openstack-keystone00:35
*** narengan has quit IRC00:45
*** narengan has joined #openstack-keystone00:46
*** narengan has quit IRC00:50
*** mestery has joined #openstack-keystone00:59
*** boris-42 has quit IRC01:10
*** ankita_wagh has joined #openstack-keystone01:11
*** vmbrasseur_GONE has quit IRC01:13
*** ngupta has joined #openstack-keystone01:15
*** davechen has joined #openstack-keystone01:20
*** vmbrasseur has joined #openstack-keystone01:21
openstackgerritBrant Knudson proposed openstack/keystone: Use wsgi_scripts to create admin and public httpd files  https://review.openstack.org/19444201:23
*** davechen1 has joined #openstack-keystone01:23
*** davechen has quit IRC01:25
*** piyanai has quit IRC01:36
*** mestery has quit IRC01:36
*** mestery has joined #openstack-keystone01:37
*** mestery has quit IRC01:37
*** boris-42 has joined #openstack-keystone01:38
*** ngupta has quit IRC01:39
*** ankita_wagh has quit IRC01:43
*** ankita_wagh has joined #openstack-keystone01:44
*** ankita_wagh has quit IRC01:48
*** rodrigod` has quit IRC01:53
*** rodrigod` has joined #openstack-keystone01:53
*** rodrigod` is now known as rodrigods01:57
*** markvoelker has joined #openstack-keystone01:58
*** markvoelker has quit IRC02:03
*** ankita_wagh has joined #openstack-keystone02:11
*** ngupta has joined #openstack-keystone02:20
*** markvoelker has joined #openstack-keystone02:31
*** ngupta has quit IRC02:42
*** hakimo_ has joined #openstack-keystone02:52
*** hakimo has quit IRC02:54
*** ankita_wagh has quit IRC03:06
*** ankita_wagh has joined #openstack-keystone03:06
*** ankita_wagh has quit IRC03:11
*** ankita_w_ has joined #openstack-keystone03:11
openstackgerritBrant Knudson proposed openstack/keystone: Log request ID  https://review.openstack.org/21359503:17
*** piyanai has joined #openstack-keystone03:29
openstackgerritBrant Knudson proposed openstack/keystone: Log request ID  https://review.openstack.org/21359503:39
*** piyanai has quit IRC03:39
*** flwang1 has joined #openstack-keystone03:49
*** ayoung has quit IRC03:52
*** flwang has quit IRC03:53
*** Ephur has joined #openstack-keystone04:02
*** hrou has quit IRC04:03
*** openstack has joined #openstack-keystone04:17
*** markvoelker has quit IRC04:31
*** geoffarnoldX is now known as geoffarnold04:49
*** geoffarnold is now known as geoffarnoldX04:50
*** geoffarnoldX is now known as geoffarnold05:15
*** topol has joined #openstack-keystone05:23
*** ChanServ sets mode: +v topol05:23
*** topol has quit IRC05:27
*** geoffarnold is now known as geoffarnoldX05:27
*** markvoelker has joined #openstack-keystone05:32
*** geoffarnoldX has quit IRC05:32
*** urulama has joined #openstack-keystone05:35
*** markvoelker has quit IRC05:36
*** topol has joined #openstack-keystone05:37
*** ChanServ sets mode: +v topol05:37
*** urulama has quit IRC06:01
*** urulama has joined #openstack-keystone06:01
*** afazekas has quit IRC06:10
*** lsmola has joined #openstack-keystone06:12
*** topol has quit IRC06:17
*** topol has joined #openstack-keystone06:18
*** ChanServ sets mode: +v topol06:18
*** Navid_ has joined #openstack-keystone06:18
*** gpanda has joined #openstack-keystone06:21
*** claudiub has joined #openstack-keystone06:21
*** ankita_w_ has quit IRC06:22
*** ankita_wagh has joined #openstack-keystone06:22
*** gpanda has quit IRC06:22
*** gpanda has joined #openstack-keystone06:23
*** topol has quit IRC06:24
*** ankita_wagh has quit IRC06:27
*** akscram has quit IRC06:32
*** akscram has joined #openstack-keystone06:33
*** sileht has quit IRC06:55
*** sileht has joined #openstack-keystone06:56
*** ankita_wagh has joined #openstack-keystone06:56
*** afazekas_ has joined #openstack-keystone07:01
*** shoutm has joined #openstack-keystone07:01
-openstackstatus- NOTICE: Gerrit is currently under very high load and may be unresponsive. infra are looking into the issue.07:06
*** Nirupama has joined #openstack-keystone07:07
*** gpanda has quit IRC07:26
*** gpanda has joined #openstack-keystone07:27
*** gpanda has quit IRC07:33
*** markvoelker has joined #openstack-keystone07:33
*** gpanda has joined #openstack-keystone07:33
*** markvoelker has quit IRC07:37
*** fhubik has joined #openstack-keystone07:39
*** vivekd has joined #openstack-keystone07:42
*** gpanda has quit IRC07:46
*** ankita_wagh has quit IRC07:46
*** gpanda has joined #openstack-keystone07:47
*** fhubik is now known as fhubik_brb07:49
*** gpanda has quit IRC07:56
*** gpanda has joined #openstack-keystone07:57
*** fhubik_brb is now known as fhubik08:08
*** henrynash has quit IRC08:08
*** afazekas_ is now known as afazkas08:12
*** fhubik is now known as fhubik_brb08:14
*** fhubik_brb is now known as fhubik08:16
*** gpanda has quit IRC08:16
*** gpanda has joined #openstack-keystone08:17
*** fhubik is now known as fhubik_brb08:18
*** gpanda has quit IRC08:18
*** gpanda has joined #openstack-keystone08:18
*** jistr has joined #openstack-keystone08:21
*** fhubik_brb is now known as fhubik08:21
*** vivekd has quit IRC08:23
*** fhubik is now known as fhubik_brb08:24
*** pnavarro has joined #openstack-keystone08:31
*** josecastroleon has joined #openstack-keystone08:35
*** gpanda has quit IRC08:36
*** fhubik_brb is now known as fhubik08:37
*** gpanda has joined #openstack-keystone08:37
*** fhubik is now known as fhubik_brb08:38
*** davechen1 has left #openstack-keystone08:46
*** gpanda has quit IRC08:46
*** gpanda has joined #openstack-keystone08:47
*** marekd_404 has quit IRC08:54
*** fhubik_brb is now known as fhubik08:58
*** urulama has quit IRC09:01
*** urulama has joined #openstack-keystone09:01
*** gpanda has quit IRC09:07
*** gpanda has joined #openstack-keystone09:07
*** gpanda has quit IRC09:14
openstackgerritPaweł Pamuła proposed openstack/keystone: IdP deletion triggers token revocation  https://review.openstack.org/21045609:19
*** pnavarro has quit IRC09:22
*** vivekd has joined #openstack-keystone09:23
*** pnavarro has joined #openstack-keystone09:24
*** markvoelker has joined #openstack-keystone09:33
*** markvoelker has quit IRC09:38
*** Guest47951 is now known as d0ugal09:49
*** d0ugal has quit IRC09:49
*** d0ugal has joined #openstack-keystone09:49
*** dims has joined #openstack-keystone10:17
*** fhubik has quit IRC10:18
*** fhubik has joined #openstack-keystone10:18
*** yottatsa has joined #openstack-keystone10:20
-openstackstatus- NOTICE: review.openstack.org (aka gerrit) is going down for an emergency restart10:21
*** ChanServ changes topic to "review.openstack.org (aka gerrit) is going down for an emergency restart"10:21
*** dims has quit IRC10:30
*** dims has joined #openstack-keystone10:31
*** dims_ has joined #openstack-keystone10:36
*** dims has quit IRC10:38
*** marekd has joined #openstack-keystone10:39
*** ChanServ sets mode: +v marekd10:39
*** marekd is now known as marekd_40410:40
*** josecastroleon has quit IRC10:40
*** piyanai has joined #openstack-keystone10:45
*** Navid_ has quit IRC10:46
*** dikonoo has joined #openstack-keystone10:47
*** dikonoor has joined #openstack-keystone10:47
*** ChanServ changes topic to "Review code, feature freeze is rapidly approaching."10:48
-openstackstatus- NOTICE: Gerrit restart has resolved the issue and systems are back up and functioning10:48
*** dims_ has quit IRC10:50
*** dims has joined #openstack-keystone10:51
*** fhubik is now known as fhubik_brb10:53
*** piyanai has quit IRC10:56
*** piyanai has joined #openstack-keystone10:56
*** dims has quit IRC10:59
*** dims has joined #openstack-keystone11:00
*** dims has quit IRC11:06
*** dims has joined #openstack-keystone11:08
*** boris-42 has quit IRC11:10
*** dims_ has joined #openstack-keystone11:12
*** dims has quit IRC11:12
*** dims_ has quit IRC11:17
*** henrynash has joined #openstack-keystone11:19
*** ChanServ sets mode: +v henrynash11:19
*** mflobo has joined #openstack-keystone11:19
*** piyanai has quit IRC11:20
*** dims has joined #openstack-keystone11:22
*** urulama has quit IRC11:24
*** urulama has joined #openstack-keystone11:24
*** dims has quit IRC11:27
*** dims has joined #openstack-keystone11:29
*** josecastroleon has joined #openstack-keystone11:31
*** markvoelker has joined #openstack-keystone11:34
*** dims_ has joined #openstack-keystone11:34
*** dims has quit IRC11:35
*** markvoelker has quit IRC11:39
*** dims_ has quit IRC11:39
*** mflobo has left #openstack-keystone11:40
*** dims has joined #openstack-keystone11:40
*** woodster_ has joined #openstack-keystone11:46
*** fhubik_brb is now known as fhubik11:48
*** dims has quit IRC11:49
*** dikonoo has quit IRC11:49
*** dims has joined #openstack-keystone11:53
*** dims_ has joined #openstack-keystone11:56
*** dims has quit IRC11:58
*** chlong has quit IRC11:59
openstackgerritTerry Howe proposed openstack/keystoneauth: Keep a consistent logger name for keystoneauth  https://review.openstack.org/21260212:00
*** dims_ has quit IRC12:04
*** dims has joined #openstack-keystone12:04
*** dims_ has joined #openstack-keystone12:08
*** yottatsa has quit IRC12:09
*** dims has quit IRC12:10
*** dims has joined #openstack-keystone12:12
*** dims_ has quit IRC12:14
*** dims_ has joined #openstack-keystone12:18
*** edmondsw has joined #openstack-keystone12:18
*** dims has quit IRC12:18
*** dims has joined #openstack-keystone12:19
*** dims_ has quit IRC12:23
*** dims_ has joined #openstack-keystone12:26
*** henrynash has quit IRC12:26
*** dims has quit IRC12:26
*** topol has joined #openstack-keystone12:27
*** ChanServ sets mode: +v topol12:27
*** tellesnobrega_af has quit IRC12:28
*** dims has joined #openstack-keystone12:30
*** tellesnobrega has joined #openstack-keystone12:30
*** pnavarro is now known as pnavarro|lunch12:30
*** yottatsa has joined #openstack-keystone12:31
openstackgerritMerged openstack/pycadf: Adding barbican specific base resources.  https://review.openstack.org/21002312:31
*** dims_ has quit IRC12:31
*** topol has quit IRC12:31
*** jianzj has joined #openstack-keystone12:31
*** yottatsa has quit IRC12:32
*** yottatsa_ has joined #openstack-keystone12:33
jianzjHi, I am a new member, who want to learn more in this Keystone Community, and hope if I could contribute to Keystone Service.12:33
*** hrou has joined #openstack-keystone12:33
jianzjMy name is Zhao Jian, English name is Eric. I am from China, I am glad to join this family, and if anything that I could do or I could help, please just let me know. Thanks very much!12:34
*** dims has quit IRC12:35
*** dims has joined #openstack-keystone12:35
*** dims_ has joined #openstack-keystone12:38
*** dims has quit IRC12:40
*** edmondsw_ has joined #openstack-keystone12:41
*** ekarlso has quit IRC12:44
*** ekarlso has joined #openstack-keystone12:44
*** dims has joined #openstack-keystone12:45
*** dims_ has quit IRC12:45
*** tjcocozz has joined #openstack-keystone12:48
*** edmondsw_ has quit IRC12:48
*** Nirupama has quit IRC12:49
*** topol has joined #openstack-keystone12:49
*** ChanServ sets mode: +v topol12:49
openstackgerritRodrigo Duarte proposed openstack/keystone: Add is_domain field in Project Table  https://review.openstack.org/21327312:50
*** piyanai has joined #openstack-keystone12:51
*** dims has quit IRC12:55
*** raildo-afk is now known as raildo12:57
*** shikel has joined #openstack-keystone12:58
*** dims has joined #openstack-keystone12:58
*** geoffarnold has joined #openstack-keystone13:01
*** lifeless has quit IRC13:05
*** dims has quit IRC13:06
*** dims has joined #openstack-keystone13:09
openstackgerritBrant Knudson proposed openstack/keystone: Build oslo.context RequestContext  https://review.openstack.org/21359513:11
*** dims has quit IRC13:14
*** dims has joined #openstack-keystone13:14
*** dims has quit IRC13:21
*** geoffarnold has quit IRC13:21
openstackgerritBrant Knudson proposed openstack/keystone: Build oslo.context RequestContext  https://review.openstack.org/21359513:25
*** dims has joined #openstack-keystone13:27
*** pnavarro|lunch is now known as pnavarro13:28
*** lifeless has joined #openstack-keystone13:28
*** jianzj has quit IRC13:31
*** narengan has joined #openstack-keystone13:35
*** fhubik is now known as fhubik_brb13:35
*** markvoelker has joined #openstack-keystone13:35
*** dims has quit IRC13:36
*** jecarey has joined #openstack-keystone13:38
*** zzzeek has joined #openstack-keystone13:38
*** markvoelker has quit IRC13:39
*** piyanai has quit IRC13:40
*** dims has joined #openstack-keystone13:42
*** fhubik_brb is now known as fhubik13:46
openstackgerritBrant Knudson proposed openstack/keystone: Build oslo.context RequestContext  https://review.openstack.org/21359513:47
*** dims has quit IRC13:48
*** piyanai has joined #openstack-keystone13:49
*** mylu has joined #openstack-keystone13:50
openstackgerritBrant Knudson proposed openstack/keystone: Build oslo.context RequestContext  https://review.openstack.org/21359513:51
*** dims has joined #openstack-keystone13:54
*** petertr7_away is now known as petertr713:56
*** fhubik is now known as fhubik_brb13:57
*** narengan has quit IRC13:59
*** dims has quit IRC13:59
*** narengan has joined #openstack-keystone13:59
*** boris-42 has joined #openstack-keystone14:00
*** ngupta has joined #openstack-keystone14:01
*** mylu has quit IRC14:02
*** mylu has joined #openstack-keystone14:02
*** topol has quit IRC14:03
*** chlong has joined #openstack-keystone14:03
*** topol has joined #openstack-keystone14:03
*** ChanServ sets mode: +v topol14:03
*** fhubik_brb is now known as fhubik14:04
*** dims has joined #openstack-keystone14:04
*** narengan has quit IRC14:04
*** mylu has quit IRC14:04
*** mylu has joined #openstack-keystone14:08
*** doug-fish has joined #openstack-keystone14:09
*** mylu has quit IRC14:10
*** HT_sergio has joined #openstack-keystone14:10
*** mylu has joined #openstack-keystone14:11
*** dims has quit IRC14:11
*** shoutm has quit IRC14:12
*** sigmavirus24_awa is now known as sigmavirus2414:15
*** dims has joined #openstack-keystone14:16
*** ngupta has quit IRC14:18
*** samueldmq has joined #openstack-keystone14:20
*** piyanai_ has joined #openstack-keystone14:20
samueldmqmorning14:20
*** dims has quit IRC14:22
*** mylu has quit IRC14:22
*** mylu has joined #openstack-keystone14:22
*** piyanai has quit IRC14:22
*** piyanai_ is now known as piyanai14:22
*** samueldmq has quit IRC14:24
*** fhubik is now known as fhubik_brb14:24
*** doug-fish has quit IRC14:26
*** phalmos has joined #openstack-keystone14:26
*** samueldmq has joined #openstack-keystone14:26
*** dsirrine has quit IRC14:26
*** narengan has joined #openstack-keystone14:27
dstaneksamueldmq: morning14:28
*** piyanai_ has joined #openstack-keystone14:28
*** dsirrine has joined #openstack-keystone14:29
*** ngupta has joined #openstack-keystone14:29
*** doug-fish has joined #openstack-keystone14:30
*** piyanai has quit IRC14:30
*** piyanai_ is now known as piyanai14:30
*** afazkas has quit IRC14:31
*** mylu has quit IRC14:32
*** topol has quit IRC14:33
*** mylu has joined #openstack-keystone14:33
vivekddstanek: good morning14:34
vivekddstanek: i submitted a simple one line fix @ https://review.openstack.org/#/c/213342/ and dolphm has given a code-review+2 for it.14:34
vivekddstanek: would you be able to spare sometime to review it?14:34
dstanekvivekd: sure, what company do you work for?14:37
vivekddstanek: thank you! its reliance industries limited14:38
*** fhubik_brb is now known as fhubik14:38
vivekddstanek: how about u?14:38
dstanekvivekd: ok, cool. i couldn't tell by your email and if you were a Racker I couldn't +A the change14:38
vivekddstanek: racker means? and +A means approve?14:40
dstanekvivekd: Racker == work at Rackspace14:41
dstanekvivekd: yes, a +A is an approval14:41
*** narengan has quit IRC14:41
*** narengan has joined #openstack-keystone14:42
vivekdoh ok :-) dstanek . that implies u work for rackspace14:42
*** fhubik is now known as fhubik_brb14:44
*** ayoung has joined #openstack-keystone14:44
*** ChanServ sets mode: +v ayoung14:44
*** doug-fis_ has joined #openstack-keystone14:45
*** narengan has quit IRC14:46
*** doug-fish has quit IRC14:48
*** dims has joined #openstack-keystone14:48
*** phalmos has quit IRC14:49
lbragstadrandom question - this is liberty milestone 2, right? https://github.com/openstack/keystone/commits/8.0.0.0b214:49
*** markvoelker has joined #openstack-keystone14:51
*** samueldmq has quit IRC14:51
openstackgerritBrant Knudson proposed openstack/keystone: Build oslo.context RequestContext  https://review.openstack.org/21359514:53
openstackgerritBrant Knudson proposed openstack/keystone: Add user_has_domain property to KeystoneToken  https://review.openstack.org/21374214:53
ayoungrodrigods, so...let me bounce something off you about roles, policy and so forth....14:55
dstanekvivekd: correct14:55
*** markvoelker has quit IRC14:55
rodrigodsayoung, ok... :)14:55
*** gordc has joined #openstack-keystone14:56
ayoungrodrigods, OK,  so I was trying to implement one of the later stages of dyanmic policy:  let a user select which roles to have in a token14:56
ayoungand...fernet tokens make that really hard.14:56
ayoungtoday with fernet, the token does not have a role list.  It reproduces it from the user-project assignments14:56
rodrigodsyes... that's a problem if you are not hitting keystone14:57
*** dikonoor has quit IRC14:57
ayoungrodrigods, fernet hits Keystone, but it is s till a problem.  Actually, PKI would handle this fine, as would UUID14:57
ayoungboth keep a serialized blob that represents the token data14:58
ayoungUUID in the database, PKI in the body of the token14:58
rodrigodsayoung, ok... forget what I said14:58
ayoungrodrigods, its good to make it explicit...14:58
rodrigods(imagined you'd want to use the actual information in the token without hitting keystone)14:58
ayoungrodrigods, I would state the goal this way:  record as little explicit information as possible14:59
*** doug-fis_ has quit IRC14:59
rodrigodsayoung, ok... but why fernet is giving you problems?15:00
ayoungrodrigods, for instance, in fernet, they hold the userid, but not the username.  Projectid, but not roles..etc15:00
*** doug-fish has joined #openstack-keystone15:00
ayoungrodrigods, the fernet tokens are ephemeral...only store info neded to reproduce the whole token15:00
*** phalmos has joined #openstack-keystone15:00
ayoungso...arbitrary list of roles either needs to be stored in the token, or we need another database table15:00
ayoungbut wirth Fernet, we are trying to keep them small.15:01
rodrigodsayoung, yes... but why you listing role assignments doesn't work for your case?15:01
ayoungrodrigods, originally, I wanted to say that a token could have only one role in it....but that does not really work.15:01
ayoungrodrigods, OK...15:01
ayoungso,  lets say we want to make a token with only the info to do nova boot15:02
ayoungso, we have APIs like15:02
ayoungcompute:create storage:attach, network:port_attach and image:download15:02
ayounglets say we make all of those into explicit roles.15:02
ayoungso we want a token with those 4 roles on it.   And only those four15:03
*** doug-fish has quit IRC15:03
ayoungso the size of the fernet token would expand by 4 UUIDs15:03
ayoungand...if we had an audit token, and it needed read_only access to say, 18 different APIs...15:04
ayoungyou see the pattern?15:04
rodrigodsayoung, right... not I get it15:04
rodrigodsnow*15:04
ayoungeither we use the roles as a nichname for the permissions, and then, we should only allow a single role.15:04
ayoungOr we allow an arbitrary set of permissions.15:04
ayoungI think I'm going to go with "if you request a specific role, you can only get one"15:05
ayoungand make people come up with new roles for grouping15:05
* morgan_503 waves from airport otw to ops midcycle thing.15:05
rodrigodsayoung, I agree... looks like the right first step to make15:06
*** csoukup has joined #openstack-keystone15:06
*** morgan_503 is now known as morgan_254915:06
bknudsonmorgan_2549: godspeed15:10
morgan_2549Hehe15:12
ayoungrodrigods, so...this might actually cover Henrynash's "domain scoped roles" and so forth15:13
*** mylu has quit IRC15:13
*** markvoelker has joined #openstack-keystone15:15
*** narengan has joined #openstack-keystone15:17
*** chlong has quit IRC15:18
openstackgerritBrant Knudson proposed openstack/keystone: Build oslo.context RequestContext  https://review.openstack.org/21359515:19
openstackgerritBrant Knudson proposed openstack/keystone: Fix docstring for common.authorization  https://review.openstack.org/21375215:19
*** mylu has joined #openstack-keystone15:20
*** tsubic has quit IRC15:20
openstackgerritMonty Taylor proposed openstack/keystoneauth: Finalize rename of token_endpoint to admin_token  https://review.openstack.org/21338515:23
openstackgerritMonty Taylor proposed openstack/keystoneauth: Port in the argument scrubbing from OCC  https://review.openstack.org/21347715:24
*** urulama has quit IRC15:26
*** urulama has joined #openstack-keystone15:26
*** e0ne has joined #openstack-keystone15:26
*** topol has joined #openstack-keystone15:27
*** ChanServ sets mode: +v topol15:27
*** doug-fish has joined #openstack-keystone15:27
*** vivekd has quit IRC15:28
*** chlong has joined #openstack-keystone15:32
*** chlong has quit IRC15:38
*** chlong has joined #openstack-keystone15:40
*** geoffarnold has joined #openstack-keystone15:42
*** geoffarnold is now known as geoffarnoldX15:42
*** _cjones_ has joined #openstack-keystone15:42
*** nkinder has joined #openstack-keystone15:42
*** fhubik_brb is now known as fhubik15:43
*** _cjones_ has quit IRC15:43
*** _cjones_ has joined #openstack-keystone15:44
*** Ephur has joined #openstack-keystone15:46
*** dguerri` is now known as dguerri15:46
*** mylu has quit IRC15:47
*** geoffarnoldX is now known as geoffarnold15:47
*** mylu has joined #openstack-keystone15:48
*** mylu has quit IRC15:52
*** mestery has joined #openstack-keystone15:53
*** gyee has joined #openstack-keystone15:56
*** ChanServ sets mode: +v gyee15:56
openstackgerritayoung proposed openstack/keystoneauth: Port in the argument scrubbing from OCC  https://review.openstack.org/21347715:57
*** zzzeek has quit IRC15:57
*** zzzeek has joined #openstack-keystone15:59
*** tsymanczyk has quit IRC16:02
*** samueldmq has joined #openstack-keystone16:08
*** e0ne has quit IRC16:09
openstackgerritDoug Fish proposed openstack/keystoneauth: Update k2k plugin with related code comments  https://review.openstack.org/20967116:13
*** david-ly_ is now known as david-lyle16:15
*** lhcheng has joined #openstack-keystone16:16
*** ChanServ sets mode: +v lhcheng16:16
*** jistr has quit IRC16:19
openstackgerritDoug Fish proposed openstack/python-keystoneclient: Add Keystone2Keystone auth plugin for K2K  https://review.openstack.org/20758516:23
*** stevemar has joined #openstack-keystone16:24
*** ChanServ sets mode: +v stevemar16:24
openstackgerritDoug Fish proposed openstack/python-keystoneclient: Add Keystone2Keystone auth plugin for K2K  https://review.openstack.org/20758516:28
*** fhubik is now known as fhubik_brb16:31
*** fhubik_brb is now known as fhubik16:31
ayoungdstanek, morgan_2549 bknudson so. we need to book hotel rooms through the night of the 30th to do the full Developers summit, right?16:32
*** henrynash has joined #openstack-keystone16:32
*** ChanServ sets mode: +v henrynash16:32
bknudsonayoung: design summit is tuesday - friday16:34
ayoungbknudson, and Friday is 30th.  But I guess if you can get a flight out the night of the 30th you are OK?16:34
dstanekayoung: i was not planning on staying the night of the 30th16:35
*** yottatsa_ has quit IRC16:35
*** yottatsa has joined #openstack-keystone16:36
*** tqtran-afk has joined #openstack-keystone16:38
*** tqtran-afk is now known as tqtran16:38
stevemardstanek: why not? when are you going to be back in tokyo? :)16:41
dstanekstevemar: ideally, never :-)  i'm not a fan of international travel16:42
*** tsymanczyk has joined #openstack-keystone16:43
openstackgerritTimothy Symanczyk proposed openstack/keystone: Simplify rule in sample v3 policy file  https://review.openstack.org/21333816:44
*** Navid_ has joined #openstack-keystone16:45
*** c_soukup has joined #openstack-keystone16:49
*** csoukup_ has joined #openstack-keystone16:50
openstackgerritMerged openstack/keystone: EndpointFilter driver doesnt inherit its interface  https://review.openstack.org/21334216:50
gyeebook a room or capsule?16:53
*** c_soukup has quit IRC16:53
*** csoukup has quit IRC16:54
stevemarroom :)16:54
stevemari doubt i'll fit in a capsule16:54
gyeehah16:54
morgan_2549ayoung: uhmm. Not sure16:54
ayoungstevemar, claustrophobia16:55
gyeemorgan_2549, you in Palo Alto today? its like 100 degrees here16:55
ayoungwhere'd people get rooms?16:55
morgan_2549Just landed at sjc16:55
morgan_2549Headed to Sunnyvale once I get car and such.16:56
*** fhubik has quit IRC16:56
*** jecarey has quit IRC16:57
*** henrynash has quit IRC16:58
*** pnavarro has quit IRC16:59
gyeemorgan_2549, stay indoors today, its going to be triple digits16:59
*** _cjones_ has quit IRC17:00
dolphmmorgan_2549: RFC 2549?17:00
morgan_2549gyee: it's been 100-108 the last 5 days in SoCal17:00
*** narengan has quit IRC17:00
morgan_2549dolphm: yeah :P17:00
dolphmmorgan_2549: Workflow+117:00
*** afaranha has joined #openstack-keystone17:01
*** afaranha has left #openstack-keystone17:01
*** narengan has joined #openstack-keystone17:01
*** alex_xu has quit IRC17:01
*** tjcocozz has quit IRC17:03
*** alex_xu has joined #openstack-keystone17:03
morgan_2549ayoung: I've got a room at... Sheraton I think. About 1km from the venue17:05
*** narengan has quit IRC17:05
dolphmis there a trick to uploading rebases to gerrit that don't otherwise affect the rebased change? i don't know how to get around "No changes between prior commit ... and new commit... [remote rejected]"17:06
ayoungmorgan_2549, sheraton Miyako?17:06
dolphmmorgan_2549: i'm trying to take those two i18n patches out of the stable/kilo sequence, but can't upload the result ^17:06
morgan_2549dolphm: uhmmm. It should just work17:06
*** urulama has quit IRC17:06
morgan_2549No magic needed if you evict patches17:07
*** urulama has joined #openstack-keystone17:07
dolphmmorgan_2549: http://cdn.pasteraw.com/jvehh4bt33m1pvvau4wnwhvjvvfmdeg17:07
dolphmmorgan_2549: gerrit does not like17:07
morgan_2549If you just upload the first patch after them based on stable HEAD you can click debase button  for the rest?17:07
morgan_2549I can take a look / try when I get to the office.17:08
dolphmmorgan_2549: oh wait, *facepalm*, i kept those two patches somehow17:08
ayoungdolphm, does this sound like an appropriate compromise to you:  to keep Fernet tokens small, we will only allow a user to explicitly request a single role for a token if they don't want all roles to be enumerated?  So we would have a fernet format that would have an additional field, role_id?17:08
morgan_2549dolphm: hehe17:09
*** dguerri is now known as dguerri`17:09
ayoungdolphm, I'm thinking explicitly of the case where a user has both admin and member, and needs to do work through a third party type system, so they want as little exposure as possible.17:09
dolphmayoung: what does the number of roles matter? they're in the token body which has no size limit? also, you should already be able to accomplish that by creating and consuming a trust with yourself17:11
ayoungdolphm, nah, this would have to be in the signed portion;  if "all roles"  then you can implicitly get from the query, but if explicitly a subset, it needs to be recorded somehwo17:12
ayoungdolphm, and I don't want to have to create a new table17:12
ayoungyes, self trust would work17:12
ayoungdolphm, I'm trying to not force the creation of trusts if not necessary17:12
*** roxanaghe has joined #openstack-keystone17:14
*** piyanai has quit IRC17:14
*** mestery has quit IRC17:15
dolphmayoung: "have to be in the signed portion" what's the use case?17:15
ayoungdolphm, so,  think of how you work with a Linux box.  even though you own the whole thin, you log in as a limited power user, and only explicitly sudo for admin tasks17:16
ayoungsame kind of approach:  if you are both admin and member, you want to explicitly ask for admin to do that kind of work17:16
ayoungdolphm, and, if there are more roles in the future, there might be more fine grained reasons to hand out tokens with fewer roles.17:17
ayoungdolphm, the thing is, the roles could be completely server side constructs, like Henrynash was asking for.  When you expand the token in validation, you could convert a domain-speicif-role (id)  in to the explicit subordniate roles17:18
dolphmayoung: seems kind of pointless when you can just rescope a token for whatever you want, right?17:19
ayoungdolphm, so, rescoping can be turned off17:19
ayoungwe got that merged in Kilo17:19
*** kfjohnson_ is now known as kfjohnson17:21
*** jasonsb has quit IRC17:23
*** jasonsb has joined #openstack-keystone17:24
*** ankita_wagh has joined #openstack-keystone17:24
*** mestery has joined #openstack-keystone17:26
*** jasonsb has quit IRC17:28
*** lsmola has quit IRC17:31
openstackgerritBrant Knudson proposed openstack/keystone: Build oslo.context RequestContext  https://review.openstack.org/21359517:31
openstackgerritBrant Knudson proposed openstack/keystone: Add user_domain_id, project_domain_id to auth context  https://review.openstack.org/21379217:31
*** Navid_ has quit IRC17:31
*** _cjones_ has joined #openstack-keystone17:32
*** therve has left #openstack-keystone17:33
*** mestery has quit IRC17:34
openstackgerritHenrique Truta proposed openstack/keystone: Unit tests for is_domain field in project's table  https://review.openstack.org/21204517:34
*** piyanai has joined #openstack-keystone17:34
openstackgerritSean Perry proposed openstack/keystone: Prevent an exception from occurring for invalidly encoded parameters  https://review.openstack.org/21379617:41
*** piyanai has quit IRC17:41
openstackgerritBrant Knudson proposed openstack/keystone: Add user_domain_id, project_domain_id to auth context  https://review.openstack.org/21379217:42
openstackgerritBrant Knudson proposed openstack/keystone: Build oslo.context RequestContext  https://review.openstack.org/21359517:42
openstackgerritBrant Knudson proposed openstack/keystone: Add unit tests for token_to_auth_context  https://review.openstack.org/21379717:42
*** piyanai has joined #openstack-keystone17:42
openstackgerritSean Perry proposed openstack/keystone: Prevent exception from occurring for invalidly encoded parameters  https://review.openstack.org/21379617:44
openstackgerritBrant Knudson proposed openstack/keystone: Remove unnecessary load_backends from TestKeystoneTokenModel  https://review.openstack.org/21380117:47
*** afazkas has joined #openstack-keystone17:50
*** tjcocozz has joined #openstack-keystone17:50
*** browne has joined #openstack-keystone17:52
opilottehttps://review.openstack.org/#/c/210581/17:52
*** piyanai has quit IRC17:53
*** dims_ has joined #openstack-keystone17:53
*** urulama has quit IRC17:56
*** urulama has joined #openstack-keystone17:56
*** dims has quit IRC17:57
*** piyanai has joined #openstack-keystone17:58
*** piyanai has quit IRC17:59
openstackgerritMerged openstack/oslo.policy: Have the enforcer have its own file cache  https://review.openstack.org/20965617:59
*** afazkas has quit IRC18:01
*** piyanai has joined #openstack-keystone18:01
*** stevemar has quit IRC18:08
*** stevemar has joined #openstack-keystone18:10
*** ChanServ sets mode: +v stevemar18:10
*** jasonsb has joined #openstack-keystone18:11
*** Navid_ has joined #openstack-keystone18:13
openstackgerritHenrique Truta proposed openstack/keystone: Manager support for projects acting as domains  https://review.openstack.org/21344818:14
*** btully has quit IRC18:18
*** fangzhou has joined #openstack-keystone18:22
*** yottatsa_ has joined #openstack-keystone18:23
*** afazkas has joined #openstack-keystone18:24
*** yottatsa has quit IRC18:24
*** ngupta_ has joined #openstack-keystone18:24
*** ankita_w_ has joined #openstack-keystone18:25
*** piyanai has quit IRC18:27
*** ankita_wagh has quit IRC18:27
*** ngupta has quit IRC18:27
openstackgerritHenrique Truta proposed openstack/keystone: Change project name constraints  https://review.openstack.org/15837218:28
openstackgerritHenrique Truta proposed openstack/keystone: Add is_domain parameter to get_project_by_name  https://review.openstack.org/21060018:28
*** piyanai has joined #openstack-keystone18:29
*** afazkas has quit IRC18:30
openstackgerritHenrique Truta proposed openstack/keystone: Limit subtree and parents queries  https://review.openstack.org/20913218:30
openstackgerritHenrique Truta proposed openstack/keystone: Replicate domain info in projects table  https://review.openstack.org/21117018:30
openstackgerritHenrique Truta proposed openstack/keystone: Creating tests for projects acting as domains  https://review.openstack.org/21121918:30
openstackgerritSean Perry proposed openstack/keystone: Prevent exception from occurring for invalidly encoded parameters  https://review.openstack.org/21379618:31
morgan_2549dolphm: this should be an easy couple +A https://review.openstack.org/#/c/196475/ [starting here[18:36
morgan_2549needed fernet fixes18:36
*** ayoung has quit IRC18:38
*** narengan has joined #openstack-keystone18:40
*** e0ne has joined #openstack-keystone18:40
*** yottatsa_ has quit IRC18:41
*** d34dh0r53 is now known as VD18:42
*** VD is now known as Guest6944218:43
*** Guest69442 is now known as d34dh0r5318:47
*** henrynash has joined #openstack-keystone18:49
*** ChanServ sets mode: +v henrynash18:49
*** mylu has joined #openstack-keystone18:50
*** mylu has quit IRC18:51
*** mylu has joined #openstack-keystone18:52
*** piyanai has quit IRC18:52
openstackgerrithenry-nash proposed openstack/keystone: Rationalize unfiltered list role assignment test  https://review.openstack.org/21382018:56
*** mylu has quit IRC18:57
*** samueldmq has quit IRC18:58
*** e0ne has quit IRC19:03
*** topol has quit IRC19:04
*** topol has joined #openstack-keystone19:05
*** ChanServ sets mode: +v topol19:05
*** samueldmq has joined #openstack-keystone19:06
*** geoffarnold has quit IRC19:07
*** e0ne has joined #openstack-keystone19:09
*** topol has quit IRC19:09
morgan_2549lbragstad: ping19:11
morgan_2549lbragstad: any issues with https://review.openstack.org/#/c/209349/ still?19:11
*** geoffarnold has joined #openstack-keystone19:12
lbragstadmorgan_2549: nope, my one comment was address. looks like mordred had a comment similar to mine around the commit message?19:12
morgan_2549nod.19:13
lbragstad" I am curious as to why we want pluggable sessions."19:13
lbragstadmorgan_2549: I can remove my -1, but maybe a bit of detail in the commit message around the purpose would be helpful (though this is probably pretty nit picky)?19:13
openstackgerrithenry-nash proposed openstack/keystone: Add support for data-driven backend assignment testing  https://review.openstack.org/14917819:15
*** petertr7 is now known as petertr7_away19:24
*** Ephur has quit IRC19:28
*** petertr7_away is now known as petertr719:29
*** Ephur has joined #openstack-keystone19:40
*** Navid_ has quit IRC19:41
*** tjcocozz has quit IRC19:42
*** tjcocozz has joined #openstack-keystone19:42
*** e0ne has quit IRC19:45
*** e0ne has joined #openstack-keystone19:48
*** dims_ has quit IRC19:48
*** dims has joined #openstack-keystone19:48
*** annasort has joined #openstack-keystone19:53
*** ayoung has joined #openstack-keystone19:53
*** ChanServ sets mode: +v ayoung19:53
*** piyanai has joined #openstack-keystone19:59
openstackgerritSean Perry proposed openstack/keystone: Prevent exception from occurring for invalidly encoded parameters  https://review.openstack.org/21379620:05
*** doug-fish has quit IRC20:09
*** doug-fish has joined #openstack-keystone20:09
*** yottatsa has joined #openstack-keystone20:13
*** mylu has joined #openstack-keystone20:16
* stevemar just found out that hitting "enter" when you have a file selected in OSX, renames it! 20:22
* stevemar mind proceeds to blow20:22
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Model: Create policy cache table  https://review.openstack.org/21167920:24
openstackgerritMerged openstack/keystoneauth: Add required property to Opt class  https://review.openstack.org/21347620:25
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Driver: Provide function to cache policies  https://review.openstack.org/21295920:25
dstanekstevemar: yeah, that's given me several "oh, shit" moments in my time with OSX20:25
*** samueldmq has quit IRC20:28
*** mylu has quit IRC20:33
*** mylu has joined #openstack-keystone20:34
*** mylu_ has joined #openstack-keystone20:35
*** jasonsb has quit IRC20:35
*** mylu has quit IRC20:35
*** jasonsb_ has joined #openstack-keystone20:35
*** doug-fish has quit IRC20:35
*** doug-fish has joined #openstack-keystone20:35
*** ankita_w_ has quit IRC20:37
*** ankita_w_ has joined #openstack-keystone20:41
*** ajayaa has joined #openstack-keystone20:42
*** urulama has quit IRC20:42
*** urulama has joined #openstack-keystone20:43
*** claudiub has quit IRC20:48
*** raildo is now known as raildo-afk20:50
openstackgerrithenry-nash proposed openstack/keystone: Rationalize unfiltered list role assignment test  https://review.openstack.org/21382020:51
*** mylu_ has quit IRC20:52
openstackgerrithenry-nash proposed openstack/keystone: Add support for data-driven backend assignment testing  https://review.openstack.org/14917820:52
*** pnavarro has joined #openstack-keystone20:53
morgan_2549lbragstad: we should just get jaimie to post more to the commit20:56
morgan_2549lbragstad: but the long/short of it is not "pluggable" but "loadable"20:56
lbragstadmorgan_2549: yeah, that would be helpful20:56
morgan_2549so we can chain them together20:56
*** ajayaa has quit IRC20:56
morgan_2549jamielennox: ^ re session loading commit20:56
morgan_2549just needs a better commit/answer to why thisis useful20:57
morgan_2549dolphm, dstanek, stevemar, lbragstad: could one of you run the meeting tomorrow20:58
morgan_2549i should be there but at the ops midcycle thing20:58
morgan_2549so i'd rather not try and chair the meeting20:58
*** tjcocozz has quit IRC20:59
*** claudiub|2 has joined #openstack-keystone21:00
*** yottatsa has quit IRC21:01
dstanekmorgan_2549: sure21:02
lbragstadI get nervous in front of crowds ;)21:02
*** dave-mccowan has joined #openstack-keystone21:06
dave-mccowanayoung ping21:07
morgan_2549dstanek: since you're here21:08
morgan_2549https://review.openstack.org/#/c/196475/21:08
morgan_2549and the one following it21:08
morgan_2549important for the sake of shoring up fernet21:09
stevemarmorgan_2549: sure, dstanek or i will pick it up21:11
ayoungdave-mccowan, one sec21:12
*** ankita_w_ has quit IRC21:12
*** ankita_wagh has joined #openstack-keystone21:12
dstanekmorgan_2549: sure, i can hit up those reviews21:13
stevemarmorgan_2549: should that be backported21:14
*** mestery has joined #openstack-keystone21:15
*** topol has joined #openstack-keystone21:16
*** ChanServ sets mode: +v topol21:16
*** doug-fish has quit IRC21:18
*** mylu has joined #openstack-keystone21:20
*** ngupta_ has quit IRC21:21
stevemardstanek: i approved the first 2 patches in that chain21:22
dstanekstevemar: perfect, now i don't even have to look!21:22
*** mylu has quit IRC21:23
dstanekstevemar: are you looking at the third too?21:23
stevemari looked briefly21:23
stevemarsame concerns as gyee21:23
*** pnavarro has quit IRC21:23
*** pnavarro has joined #openstack-keystone21:36
gyeestevemar, dstanek, morgan_2549, you mean 196483?21:37
gyeeI though role_id is in the v2 token data21:37
gyeeno?21:37
morgan_2549right21:37
gyeehttps://review.openstack.org/#/c/196483/4/keystone/token/providers/common.py21:38
morgan_2549fernet was, i believe erronously removing it21:38
gyeeah, gotcha21:38
ayoungdave-mccowan, ok...I'm back21:39
gyeedo we need a bug on this?21:39
openstackgerrithenry-nash proposed openstack/keystone: Add support for effective & inherited mode in data driven tests  https://review.openstack.org/15162321:39
morgan_2549*shrug*21:39
dave-mccowanayoung hi adam.  i'm working on adding a barbican feature and someone recommended i ask for your advice.  we need to add a "super-admin" with certain cross-project permissions.  we want to do it in a standard oslo policy way.21:39
morgan_2549it didn't "break" anything until I started changing how this all worked21:40
morgan_2549but fernet didn't pass check/gate as the default21:40
morgan_2549fwiw21:40
gyeeotherwise, looks good to me!21:40
ayoungdave-mccowan, so...give me more context before I jump to too many conclusions.  What does this user need to do?21:40
* morgan_2549 put out the "jump to conclusions" mat for ayoung21:40
openstackgerrithenry-nash proposed openstack/keystone: Add support for group membership to data driven assignment tests  https://review.openstack.org/15196221:41
* ayoung jumps over the lazy sleeping dog21:41
dave-mccowanayound here's complete context:  https://review.openstack.org/21357021:41
dave-mccowanayoung i'm guessing using domain id to scope the admin role is the only/best way to go.  but want to make sure.21:41
ayoungdave-mccowan, looks like you are tracking.  Setting quotas is separate use case from managing secrets...21:42
gyeeayoung love "super-admin" topic :)21:42
ayoungdave-mccowan, service-admin is probably not the right name, though.  Barbican is the "secret" service, right?21:43
dave-mccowanayoung yes, Barbican is the key/secret manager.  quota support is our first cloud-admin type of api command.21:44
ayoungdave-mccowan, so call the role secret-agent21:44
* redrobot pokes head in21:45
ayoungOr 00  if you are feeling even more obscure21:45
redrobotbarbican is officially the "key-manager" service in governance21:45
openstackgerritMerged openstack/keystone-specs: Add region_id filter in List Endpoints API  https://review.openstack.org/21335621:46
dave-mccowanayoung :-)21:46
ayoungredrobot, that is not nearly as much fun21:46
ayoungdave-mccowan, actually, the key-manager role would be a decent name21:46
redrobotayoung agreed :)21:46
*** narengan has quit IRC21:47
ayoungI like using "manager" in place of admin for things that have limited power21:47
gyeemorgan_2549, check out the dependency on dolphm's patch https://review.openstack.org/#/c/213216/21:47
*** narengan has joined #openstack-keystone21:47
morgan_2549gyee: yeah21:47
morgan_2549gyee: stable backport21:47
gyeewow21:47
dave-mccowanayoung i found this example in a keystone sample file:  "cloud_admin": "rule:admin_required and domain_id:admin_domain_id"21:48
ayoungdave-mccowan, you need to set the admin_domain_id for that to work.  right henrynash ?21:48
morgan_2549gyee: already fixed in master21:48
*** csoukup_ has quit IRC21:49
dave-mccowanayoung.  i didn't think that just a new role would cover this.  i thought i'd need to scope it either with a service project or service domain.21:49
ayoungdave-mccowan, yep...you want what everyone wants.  THis is why I've been pushing dynamic policy21:50
ayounghttps://bugs.launchpad.net/keystone/+bug/96869621:50
openstackLaunchpad bug 968696 in Cinder ""admin"-ness not properly scoped" [Undecided,In progress] - Assigned to Brent Roskos (broskos)21:50
*** uvirtbot has quit IRC21:50
henrynashdave-mccowan: yes, that sample is meant to be edited with the id of a domain you have blessed as reprsenting cloud admins21:51
ayoungdave-mccowan, https://twitter.com/admiyoung/status/62729334257815552021:51
dave-mccowanso, in real life, it would be a UUID?21:51
ayounghenrynash, I have a cool idea for you21:51
ayoungdave-mccowan, yes, and it would be deployment specific21:51
*** narengan has quit IRC21:52
ayounghenrynash, so...private roles...I think are a good thing.21:52
ayoungdomain scoped roles...which then expand out to specific permission?21:52
henrynashayoung: ok....21:52
openstackgerrithenry-nash proposed openstack/keystone: Broaden domain-group testing of list_role_assignments  https://review.openstack.org/15430221:53
ayounghenrynash, what if...we made it such that certain roles get this "private" flag, and, it maps to one or more public roles21:53
dave-mccowani've seen your 968696 presentation at a summit. :-) i don't remember which one.21:54
ayoungthen...we allow a user to request a token with a specific role, and the token records the private role ID internally (thinking fernet)21:54
ayounghttp://openstacksummitmay2015vancouver.sched.org/event/14f4c5993e34b0f6a10c810510abbd73#.VdJYFZP-SV421:54
henrynashayoung: it records that it is private, not what it maps to, I assume you mean?21:55
ayounghenrynash, the id is a shortcut21:55
ayoungwhen you validate, you get the list of public roles21:55
ayoungnot the private one21:56
dave-mccowanayoung, so it wouldn't be worse than anything else, if i added a new role key-manager and ignore the missing scope.  this is just for a default policy file.  a customer can adjust the policy to his/her own liking.21:56
henrynashayoung: so validation causes a roudn trip to keystone, but at least our tokens stay small…21:56
ayoungdave-mccowan, yes, you will be cargo culting the bad behvaior but we have no better solution for you now21:57
ayounghenrynash, exactly21:57
ayounghenrynash, it also allow a user a way to specify a subset of roles for a token.  And, if roles really mean "policy targets..."21:57
henrynashayoung: so I think that is an interesting middle ground…21:58
ayounghenrynash, I could do "subset of roles in a token" with uuid or PKI tokens without it, but not fernet.21:59
henrynashayoung: understand….22:00
henrynashayoung: the other thing that might fall into this is the need for some kind of grouping that is “part of assignment” but different to users/grops (since the later are usually RO for keystone admins)22:00
*** petertr7 is now known as petertr7_away22:01
*** mestery has quit IRC22:01
ayounghenrynash, yeah....although, it might be possible to specify that a certain domain can get userids from outside.  idmapping table would make that work, too22:01
dave-mccowanayoung henrynash  thanks for the discussion.  just what i needed.  if you have a minute, please chime in on the CR I linked above.22:01
henrynashayoung: true, you can use idmapping for that....22:02
ayounghenrynash, considering that groups need to be actually written in the keystone backend for federation, I guess that they would just be more mapping rules...but mappings are so painful to manage, we really need that tool that dave chadwick is pushing to make it palatable.22:03
*** mestery has joined #openstack-keystone22:04
henrynashayoung: agreed….I do think we are getting to the point where we need to consider whether teh solution to some problems may not be a new API, but better tooling using the existing APIs22:04
*** hrou has quit IRC22:05
ayounghenrynash, what if we make every policy target into a role, and then policy enforcement is "you must have this role"22:05
ayoungwe could implement that in olso-policy as a global config option or something22:06
*** shoutm has joined #openstack-keystone22:06
*** pnavarro has quit IRC22:07
ayoungbut....we can't do that today.  The number of roles returned for _member_ would be too big22:07
henrynashayoung: that was the “in the limit” scenario I was pushing a while back….bascially each service would register its targets with keystone (which become the capabilities or base roles)….then role-groups (at least that’s what I called them) would be used to collect usefull buckets of those togetehr22:07
openstackgerritHaneef Ali proposed openstack/keystone: Return correct URL in /v3 version response  https://review.openstack.org/21337922:07
ayounghenrynash, I am so with you on that22:07
ayoungwe could do the role expansion as a cached query as opposed to dynamically generating the policy file22:08
openstackgerritHaneef Ali proposed openstack/keystone: Return correct URL in /v3 version response  https://review.openstack.org/21337922:08
*** mestery has quit IRC22:09
henrynashayoung: yes, agreed22:09
*** ngupta has joined #openstack-keystone22:09
openstackgerrithenry-nash proposed openstack/keystone: Test list_role_assignment in standard inheritance tests  https://review.openstack.org/15389722:10
*** HT_sergio has quit IRC22:10
*** ngupta has quit IRC22:11
*** ngupta has joined #openstack-keystone22:12
openstackgerrithenry-nash proposed openstack/keystone: Support project hierarchies in data driver tests  https://review.openstack.org/15448522:13
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/21389322:16
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/21389422:16
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/21389822:19
gyeemorgan_2549, I thought we don't backport tests? https://review.openstack.org/#/c/212944/22:20
gyeeunless this is needed somewhere in the chain22:20
gyeeI haven't look through the entire chain yet22:21
openstackgerritSean Perry proposed openstack/keystone: Prevent exception from occurring for invalidly encoded parameters  https://review.openstack.org/21379622:22
openstackgerritSean Perry proposed openstack/keystone: Prevent exception for invalidly encoded parameters  https://review.openstack.org/21379622:24
*** dims_ has joined #openstack-keystone22:25
*** edmondsw has quit IRC22:26
dolphmgyee: we have backported new tests, certainly. we usually don't backport refactors though. in this case, there's several test refactors in that sequence that would make it really hard to land the later patches that utilize those revised test structures22:26
dolphmgyee: and i wouldn't want to backport those changes without their tests22:27
*** dims has quit IRC22:28
openstackgerrithenry-nash proposed openstack/keystone: Remove manager-driver assignment metadata construct  https://review.openstack.org/14899522:29
*** gordc has quit IRC22:30
*** shoutm has quit IRC22:32
*** chlong has quit IRC22:34
*** shoutm has joined #openstack-keystone22:36
*** claudiub|2 has quit IRC22:39
*** e0ne has quit IRC22:41
gyeedolphm, k, make sense, just want to make sure22:43
*** Navid_ has joined #openstack-keystone22:43
*** dims_ has quit IRC22:47
*** Ephur has quit IRC22:47
*** dims has joined #openstack-keystone22:47
*** markvoelker has quit IRC22:51
*** dims has quit IRC22:51
*** hrou has joined #openstack-keystone23:07
*** mestery has joined #openstack-keystone23:13
*** piyanai has quit IRC23:15
*** ngupta has quit IRC23:18
*** tiny-hands has joined #openstack-keystone23:18
*** Navid_ has quit IRC23:20
*** zzzeek has quit IRC23:28
*** ngupta has joined #openstack-keystone23:30
*** ankita_w_ has joined #openstack-keystone23:33
*** markvoelker has joined #openstack-keystone23:35
*** ankita_wagh has quit IRC23:36
*** topol has quit IRC23:44
*** phalmos has quit IRC23:47
*** mestery has quit IRC23:55
*** Ctina_ has joined #openstack-keystone23:56
*** ctina has joined #openstack-keystone23:56
« Sunday, 2015-08-16 Index Tuesday, 2015-08-18 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!