Thursday, 2015-08-20

jamielennox	how do we roll forward the existing federation CLI plugins?	00:00
ayoung	jamielennox, we have to deal with what we have for now.	00:00
*** mylu_ has quit IRC		00:00
ayoung	We'll do the two blocks, config the Keystone values before apache, and so on	00:00
*** dave-mccowan has quit IRC		00:00
ayoung	but let's do the websso thing outside of /v3	00:01
ayoung	client doesn't need to know about it	00:01
ayoung	just make sure that Federation without webssso has a place to live, too.	00:01
jamielennox	lbragstad: either way i think it should be /auth/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol}/websso rather than /auth/OS-FEDERATION/websso/...	00:01
*** mylu has joined #openstack-keystone		00:01
jamielennox	because otherwise your apache modules are going to step all over each other	00:02
ayoung	jamielennox, I could see telling the CLI that the AUTH URL is httpsd://hostname:5000/auth/idp/<>/protocols/ even	00:02
ayoung	jamielennox, ++	00:02
openstackgerrit	Lance Bragstad proposed openstack/keystone-specs: IDP specific websso https://review.openstack.org/199339	00:02
ayoung	I think we can frop OS-FEDERATION	00:02
lbragstad	jamielennox: ah, I think that makes sense?	00:02
ayoung	make sure token auth can work in there somehow too	00:03
ayoung	actually, that should be	00:03
lbragstad	because you'll have some apache directive that could be on /auth/OS-FEDERATION/websso/	00:03
ayoung	/auth/OS-FEDERATION/identity_providers/keystone/protocols/password	00:03
ayoung	er	00:03
ayoung	/auth/identity_providers/keystone/protocols/password	00:03
ayoung	or	00:03
ayoung	/auth/identity_providers/keystone/protocols/token ?	00:03
ayoung	jamielennox, what is done now for enumerating projects etc?	00:04
*** geoffarn_ has quit IRC		00:04
jamielennox	lbragstad: generally they'd probably be on /websso/{protocol} but still gets confusing	00:04
jamielennox	ayoung: latest is /auth/projects	00:04
ayoung	that is why we can't put /auth/idp ,right?	00:04
ayoung	so that should have been /auth/token/projects	00:05
jamielennox	i'm not sure how that fits into morgan_2549's auth split	00:05
ayoung	to avoid cluttering the namespace	00:05
ayoung	yeah, it should not be implicit	00:05
ayoung	it should be a minimal service catalog like you proposed	00:05
jamielennox	that exists /auth/catlog	00:05
*** geoffarnold has joined #openstack-keystone		00:06
jamielennox	my intent there was that /auth should be everything that can be performed without a service catalog	00:06
jamielennox	because putting a service catalog in the unscoped token got killed	00:06
jamielennox	or give me information relevant to my current authentication	00:06
ayoung	yep	00:07
jamielennox	i would have no issue with that being part of the auth split	00:07
ayoung	well, we are not going to solve this tonight, are we?	00:07
jamielennox	i would say it might even have to be	00:07
jamielennox	ayoung: it depends - i feel if we don't have something we're happy with for the idp specific websso by next meeting it won't make this cycle	00:07
ayoung	jamielennox, then for now, maybe just keep /auth/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol}/websso and allow /auth/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol} to work, too?	00:08
ayoung	/auth/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol} to work for CLI, too	00:08
jamielennox	ayoung: currently there is .../{protocol}/auth for CLI authentication	00:09
ayoung	jamielennox, ah...that will work	00:10
ayoung	so	00:10
ayoung	.../{protocol}/websso	00:10
*** geoffarnold has quit IRC		00:10
ayoung	and then the matching rule can be	00:10
jamielennox	ayoung: is there a reason to distinguish CLI and websso login here though?	00:10
ayoung	~ .../{protocol}/*	00:10
jamielennox	ayoung: how do you configure shib for the difference?	00:10
ayoung	yeah, webssso does the redirect	00:10
jamielennox	how do you configure mellon for the difference	00:10
jamielennox	ayoung: right but it's the apache module that does the redirect	00:11
jamielennox	if you present it with an ECP assertion up front it wouldn't right?	00:11
jamielennox	this is part of why i want to get this environment set up so i can see what the configuration differences are for ECP and websso	00:11
ayoung	jamielennox, http://httpd.apache.org/docs/2.4/mod/core.html#locationmatch	00:11
*** lhcheng has quit IRC		00:12
jamielennox	right	00:12
dstanek	morgan_2549: have you been paying attention to the interface discussion?	00:12
ayoung	jamielennox, I think we can move the keystone-sssd.yml before the keystone.yml, no?	00:12
jamielennox	ayoung: probably, i don't know, different discussion for different channel	00:13
ayoung	ah, not without breaking the HTTPS	00:13
jamielennox	but if you have ECP set up can we not simply run bot websso and ECP via /auth/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol}	00:13
jamielennox	is there a reason for the /websso and /auth distinguishers	00:14
*** dave-mccowan has joined #openstack-keystone		00:14
lbragstad	I think the federated_sso call returns a web form with the redirect back to the origin host (horizon)	00:14
lbragstad	straight federated cli auth doesn't do that I don't think	00:14
jamielennox	lbragstad: but is that only in the situation where you didn't come with an assertion already	00:14
jamielennox	because i don't see any configuration difference for ECP vs websso	00:14
jamielennox	i guess there is no harm to having seperate routes and it might help in future if we come across something that does need to be handled seperateyl	00:15
jamielennox	lbragstad: so i think we append /auth to that newest spec review	00:17
jamielennox	and we'll sort out CLI in the future	00:17
lbragstad	append to the end of the call?	00:18
lbragstad	and do OS-FEDERATION/identity_provider/ ?	00:18
jamielennox	ahh, prepend - i do that a lot	00:18
morgan_2549	dstanek: some of it	00:18
morgan_2549	dstanek: but not this week	00:18
jamielennox	/auth/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol}/websso	00:18
*** shoutm has quit IRC		00:18
jamielennox	maybe we can come up with some regexp or something that will then allow us to match both CLI and websso	00:19
jamielennox	but it should be /auth if we expect it to be part of the auth split which this definetly would be	00:19
lbragstad	ok	00:21
*** shoutm has joined #openstack-keystone		00:21
jamielennox	lbragstad: are you looking at a DOA that will let us test this?	00:21
lbragstad	I haven't started on that yet	00:22
*** shadower has quit IRC		00:23
*** shadower has joined #openstack-keystone		00:23
jamielennox	ok, i want to play with this patch anyway, i'll push something and email you if i start on it today	00:23
lbragstad	jamielennox: want me to push a new patch with the path changes?	00:23
*** mylu has quit IRC		00:24
lbragstad	jamielennox: I don't want to overwrite anything you're working on if we're both pushing patches	00:24
* lbragstad and dolphm had issues with that when we were working on the fernet stuff		00:24
jamielennox	lbragstad: if you're still around sure, if you're supposed to be home then i can push something as i get to it	00:25
*** mylu has joined #openstack-keystone		00:25
lbragstad	jamielennox: I worked from home today (does that count?)	00:25
jamielennox	lbragstad: it depends how much trouble you get in from working late whilst at home	00:26
lbragstad	jamielennox: and that depends on when the wife's mood starts to deteriorate	00:26
lbragstad	jamielennox: so, we're not going to be extending wsgi.V3ExtensionRouter anymore for this specific call, right?	00:28
jamielennox	completely understand	00:28
jamielennox	i don't think so	00:28
jamielennox	hmm	00:28
lbragstad	ok, because I think the '/v3/' part is tacked on there..	00:28
jamielennox	you may as well use whatever the current federation stuff uses	00:28
lbragstad	current federation paths look like they start with	00:29
jamielennox	no point trying to add all new modules for this	00:29
lbragstad	'auth'	00:29
*** mylu has quit IRC		00:29
jamielennox	lbragstad: the current patch looks good from a glance if you update the route	00:29
jamielennox	i think smallest possible change is good for this one with the SFE	00:30
lbragstad	jamielennox: ok	00:30
*** dims has joined #openstack-keystone		00:30
lbragstad	so /v3/auth/OS-FEDERATION/websso/identity_providers/{idp_id}/protocols/{protocol_id}/ will change to,	00:31
*** tiny-hands has joined #openstack-keystone		00:31
lbragstad	this /v3/auth/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/websso	00:31
lbragstad	jamielennox: is that what you mean by update the route?	00:31
jamielennox	yep	00:32
lbragstad	ok, I can respin that quick	00:32
*** gyee has quit IRC		00:33
*** dave-mccowan has quit IRC		00:37
*** piyanai has quit IRC		00:38
jamielennox	ergh, DOA might be uglier than anticipated	00:43
*** sigmavirus24 is now known as sigmavirus24_awa		00:46
openstackgerrit	Lance Bragstad proposed openstack/keystone: Add federated auth for idp specific websso https://review.openstack.org/214766	00:52
*** fangzhou has quit IRC		00:57
*** dave-mccowan has joined #openstack-keystone		00:59
*** browne has quit IRC		01:06
*** lhcheng has joined #openstack-keystone		01:17
*** ChanServ sets mode: +v lhcheng		01:17
*** dims has quit IRC		01:25
*** fangzhou has joined #openstack-keystone		01:25
*** mylu has joined #openstack-keystone		01:26
*** mylu has quit IRC		01:30
*** qiaowei has joined #openstack-keystone		01:37
*** mpmsimo has joined #openstack-keystone		01:43
*** ankita_wagh has joined #openstack-keystone		01:46
*** woodster_ has quit IRC		01:49
*** boris-42 has quit IRC		01:50
*** piyanai has joined #openstack-keystone		01:51
*** ankita_wagh has quit IRC		01:57
*** ankita_wagh has joined #openstack-keystone		01:57
*** dsirrine has quit IRC		02:01
*** ankita_wagh has quit IRC		02:01
*** _cjones_ has quit IRC		02:02
*** davechen has joined #openstack-keystone		02:04
*** fangzhou has quit IRC		02:12
*** mpmsimo has quit IRC		02:19
*** ankita_wagh has joined #openstack-keystone		02:20
*** mpmsimo has joined #openstack-keystone		02:21
*** dims has joined #openstack-keystone		02:21
*** lhcheng has quit IRC		02:26
*** mylu has joined #openstack-keystone		02:27
*** tiny-hands has quit IRC		02:29
*** dims has quit IRC		02:29
*** dims has joined #openstack-keystone		02:30
*** shoutm_ has joined #openstack-keystone		02:30
*** mylu has quit IRC		02:31
*** shoutm has quit IRC		02:31
*** lhcheng has joined #openstack-keystone		02:33
*** ChanServ sets mode: +v lhcheng		02:33
*** dims has quit IRC		02:34
*** tiny-hands has joined #openstack-keystone		02:35
*** markvoelker has quit IRC		02:46
*** lhcheng has quit IRC		02:46
*** hakimo has joined #openstack-keystone		02:52
*** piyanai has quit IRC		02:54
*** hakimo_ has quit IRC		02:54
*** nkinder has quit IRC		03:03
*** shoutm has joined #openstack-keystone		03:06
*** shoutm_ has quit IRC		03:07
*** browne has joined #openstack-keystone		03:10
*** lhcheng has joined #openstack-keystone		03:14
*** ChanServ sets mode: +v lhcheng		03:14
openstackgerrit	Merged openstack/keystone: Add is_domain field in Project Table https://review.openstack.org/213273	03:23
*** narengan has joined #openstack-keystone		03:26
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/214339	03:29
*** piyanai has joined #openstack-keystone		03:32
*** Kennan2 is now known as Kennan		03:36
*** tiny-hands has quit IRC		03:42
*** markvoelker has joined #openstack-keystone		03:46
*** markvoelker has quit IRC		03:51
*** mylu has joined #openstack-keystone		03:56
*** piyanai has quit IRC		03:58
*** shoutm_ has joined #openstack-keystone		04:00
*** shoutm has quit IRC		04:01
*** lhcheng has quit IRC		04:03
*** ankita_wagh has quit IRC		04:18
*** hrou has quit IRC		04:18
*** ayoung has quit IRC		04:20
*** dave-mccowan has quit IRC		04:22
*** ankita_wagh has joined #openstack-keystone		04:22
*** mflobo has quit IRC		04:24
*** mflobo has joined #openstack-keystone		04:36
*** ankita_wagh has quit IRC		04:43
*** ankita_wagh has joined #openstack-keystone		04:44
*** darrenc is now known as darrenc_afk		04:46
*** darrenc_afk is now known as darrenc		05:06
*** mylu has quit IRC		05:07
*** mylu has joined #openstack-keystone		05:08
*** hafe has joined #openstack-keystone		05:08
*** afazekas has joined #openstack-keystone		05:08
*** mylu has quit IRC		05:12
*** mylu has joined #openstack-keystone		05:12
*** afazekas has quit IRC		05:15
*** kiran-r has joined #openstack-keystone		05:18
*** hafe has quit IRC		05:33
*** geoffarnold has joined #openstack-keystone		05:39
*** geoffarnold has quit IRC		05:43
*** geoffarnold has joined #openstack-keystone		05:43
*** mylu has quit IRC		05:45
*** geoffarnold is now known as geoffarnoldX		05:45
*** mylu has joined #openstack-keystone		05:45
*** lhcheng has joined #openstack-keystone		05:52
*** ChanServ sets mode: +v lhcheng		05:52
*** shoutm_ has quit IRC		05:52
*** lhcheng has quit IRC		05:56
*** kiran-r has quit IRC		05:59
*** mpmsimo has quit IRC		06:01
*** topol has joined #openstack-keystone		06:05
*** ChanServ sets mode: +v topol		06:05
*** shoutm has joined #openstack-keystone		06:07
*** topol has quit IRC		06:09
*** narengan has quit IRC		06:13
*** narengan has joined #openstack-keystone		06:13
*** ajayaa has joined #openstack-keystone		06:14
*** mpmsimo has joined #openstack-keystone		06:15
*** narengan has quit IRC		06:18
*** afazekas has joined #openstack-keystone		06:21
*** mflobo has left #openstack-keystone		06:29
*** afazekas has quit IRC		06:37
*** ajayaa has quit IRC		06:37
*** urulama has quit IRC		06:39
*** mpmsimo has quit IRC		06:39
*** urulama has joined #openstack-keystone		06:39
*** mpmsimo has joined #openstack-keystone		06:40
*** mpmsimo has left #openstack-keystone		06:41
*** ajayaa has joined #openstack-keystone		06:50
*** henrynash has joined #openstack-keystone		06:59
*** ChanServ sets mode: +v henrynash		06:59
*** browne has quit IRC		06:59
*** mylu has quit IRC		07:00
*** mylu has joined #openstack-keystone		07:00
*** Nirupama has joined #openstack-keystone		07:03
*** mylu has quit IRC		07:05
*** marekd_404 is now known as marekd		07:08
*** mylu has joined #openstack-keystone		07:11
*** mflobo has joined #openstack-keystone		07:13
mflobo	Hi there, question for the community, Is possible to unset project metadata? How should be the CURL call?	07:14
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/214509	07:17
*** yottatsa has joined #openstack-keystone		07:18
*** ankita_w_ has joined #openstack-keystone		07:27
*** ankita_w_ has quit IRC		07:27
*** ankita_w_ has joined #openstack-keystone		07:28
*** ankita_wagh has quit IRC		07:28
*** ankita_wagh has joined #openstack-keystone		07:30
*** ankita_wagh has quit IRC		07:30
*** ankita_wagh has joined #openstack-keystone		07:30
*** yottatsa has quit IRC		07:31
*** ankita_wagh has quit IRC		07:32
*** ankita_w_ has quit IRC		07:33
*** ankita_wagh has joined #openstack-keystone		07:33
*** yottatsa has joined #openstack-keystone		07:34
*** fhubik has joined #openstack-keystone		07:40
*** lhcheng has joined #openstack-keystone		07:41
*** ChanServ sets mode: +v lhcheng		07:41
*** fhubik is now known as fhubik_brb		07:44
*** lhcheng has quit IRC		07:45
*** markvoelker has joined #openstack-keystone		07:48
*** markvoelker has quit IRC		07:53
*** fhubik_brb is now known as fhubik		07:59
*** fhubik is now known as fhubik_brb		08:00
*** lhinds has joined #openstack-keystone		08:01
*** fhubik_brb is now known as fhubik		08:02
mflobo	Here I can not see anything http://developer.openstack.org/api-ref-identity-v3.html about metadata	08:04
*** lhcheng has joined #openstack-keystone		08:05
*** ChanServ sets mode: +v lhcheng		08:05
*** lhcheng has quit IRC		08:10
*** hafe has joined #openstack-keystone		08:11
*** mylu has quit IRC		08:14
*** afazekas has joined #openstack-keystone		08:18
*** qiaowei has quit IRC		08:19
*** jistr has joined #openstack-keystone		08:28
openstackgerrit	Jamie Lennox proposed openstack/keystone: Add federated auth for idp specific websso https://review.openstack.org/214766	08:29
*** shoutm has quit IRC		08:29
*** fhubik is now known as fhubik_brb		08:29
*** hafe has left #openstack-keystone		08:29
*** fhubik_brb is now known as fhubik		08:33
*** pnavarro has joined #openstack-keystone		08:36
*** aix has joined #openstack-keystone		08:41
*** shoutm has joined #openstack-keystone		08:44
*** ankita_wagh has quit IRC		08:45
*** shoutm has quit IRC		08:54
*** shoutm has joined #openstack-keystone		08:55
*** jamie_h has joined #openstack-keystone		09:02
marekd	rodrigods: https://review.openstack.org/#/c/190361/28 so i am really looking forward to see code and capabilities of those puppet module. It's still full of inconsistencies...	09:08
marekd	rodrigods: they talk about supporting saml and oidc and then don't give a ** about oidc	09:08
marekd	and want to do this from one module?	09:08
*** tsubic has quit IRC		09:13
*** shoutm has quit IRC		09:15
*** jistr has quit IRC		09:19
*** jistr has joined #openstack-keystone		09:20
*** yottatsa has quit IRC		09:26
*** fhubik is now known as fhubik_brb		09:28
*** fhubik_brb is now known as fhubik		09:38
openstackgerrit	Dave Chen proposed openstack/keystone: WIP - Should return no result for unexpected query https://review.openstack.org/215041	09:38
davechen	marekd: hi,	09:38
*** yottatsa has joined #openstack-keystone		09:38
davechen	marekd, henrynash: hi, are you there?	09:39
marekd	davechen: hello i am here	09:40
davechen	marekd, henrynash: I am working on this bug #1479837, after some investigation, I think there should be some change in keystone and will modify the original design.	09:40
openstack	bug 1479837 in Keystone "improper handling non existing identity providers " [Medium,In progress] https://launchpad.net/bugs/1479837 - Assigned to Dave Chen (wei-d-chen)	09:40
davechen	marekd, hi, this bug is filed by you, I did some investigation today,	09:40
davechen	and propose a initial patch.	09:41
marekd	https://review.openstack.org/215041 ?	09:41
davechen	marekd: yes.	09:41
marekd	shouldnw we expand it to the whole project?	09:42
davechen	marekd: I think the previous logic is implemented by henry.	09:42
marekd	davechen: what are hints for ?	09:42
davechen	marekd: yes, I think so.	09:42
davechen	marekd: hint is the query for the backend. such as name=...	09:43
davechen	and in that bug is id=donexist.	09:43
* marekd was 1 week away and when looks at a pile of reviews and fixes pending just wants to cry		09:43
davechen	:)	09:43
*** fhubik is now known as fhubik_brb		09:44
davechen	marekd: I think to address that bug I need to change a lot in keystone, so I am not quite sure.	09:44
davechen	marekd: can I add you to the review list, so when you get a chance you can take a look?	09:45
davechen	reviewer list.	09:45
*** lhinds has quit IRC		09:47
*** yottatsa has quit IRC		09:48
*** yottatsa has joined #openstack-keystone		09:49
*** markvoelker has joined #openstack-keystone		09:49
*** yottatsa has quit IRC		09:50
davechen	marekd: I need to take the shuttle, talk to you later. :)	09:50
marekd	davechen: thanks	09:51
marekd	i will review today	09:51
*** aix has quit IRC		09:51
davechen	marekd: anytime is okay, no need today.	09:53
davechen	marekd: just want to know if there is big mistake there.	09:54
*** markvoelker has quit IRC		09:54
davechen	marekd: talk to you later, have a good day!	09:54
*** davechen has left #openstack-keystone		09:54
marekd	thanks :-)	09:55
*** yottatsa has joined #openstack-keystone		09:55
*** dims has joined #openstack-keystone		09:56
*** lhcheng has joined #openstack-keystone		09:59
*** ChanServ sets mode: +v lhcheng		09:59
*** fhubik_brb is now known as fhubik		09:59
*** Kennan2 has joined #openstack-keystone		10:03
*** Kennan has quit IRC		10:04
*** tiny-hands has joined #openstack-keystone		10:06
*** tiny-hands has quit IRC		10:08
* marekd feels like Federation is destroying Fernet tokens		10:09
*** yottatsa has quit IRC		10:14
odyssey4me	marekd ?	10:16
marekd	odyssey4me: heh, so fernet was meant to be non persistent, yet small token and step after step we find use cases where someting is missing and need to stuff more and more into token payloads	10:17
marekd	which completely kills idea of fernet tokens.	10:17
*** henrynash has quit IRC		10:21
odyssey4me	marekd well, it's making them larger but the lack of persistence is still good - it cuts down the DB load dramatically and as long as the tokens are less onerous than PKI tokens this is still a win in my books. :)	10:25
marekd	odyssey4me: yeah, but there is a hardlimit - 255B	10:26
marekd	everything over that size will start making them not-to-cool	10:26
marekd	odyssey4me: besides...we still query db for projects users, domains, roles etc.	10:27
odyssey4me	marekd hmm, that hard limit may become a problem depending on how the mappings are done	10:30
odyssey4me	the db queries for persistent data like projects, users, domains, etc is ok in my mind - the token storage is a pita for ops	10:31
marekd	pita?	10:31
marekd	odyssey4me: well, ok i can imagine that querying project or user is much faster than 1000s of tokens	10:32
marekd	and this is what defends fernet tokens	10:32
odyssey4me	pita = pain in the ass :p	10:32
marekd	odyssey4me: oh	10:33
marekd	what is the other 'pita' reason rather than number of tokens?	10:33
marekd	or it's the only thing?	10:33
odyssey4me	the queries in large environments, the constant synchronisation - which is a pain when you're looking at a global cluster for keystone, the need for the background process to clean the database of expired tokens	10:34
odyssey4me	it makes keystone's db more write heavy than it needs to be	10:34
marekd	odyssey4me: right.	10:35
dstanek	should be an easy one to merge: https://review.openstack.org/#/c/201738/	10:37
marekd	dstanek: is admin_request appropriate there?	10:50
dstanek	marekd: which one?	10:52
marekd	dstanek: in test you pasted	10:52
dstanek	marekd: which admin_request? the one to get the token or the one to delete?	10:55
*** gpanda has joined #openstack-keystone		10:56
*** gpanda has quit IRC		10:56
dolphm	dstanek: why are you up so early	11:01
dstanek	dolphm: you're up earlier!	11:05
dolphm	oh right, timezones work in that direction	11:06
*** topol has joined #openstack-keystone		11:07
*** ChanServ sets mode: +v topol		11:07
hugokuo	https://youtu.be/duRBlm9RtCw watching Fernet Token.	11:07
*** henrynash has joined #openstack-keystone		11:09
*** ChanServ sets mode: +v henrynash		11:09
*** topol has quit IRC		11:11
*** urulama has quit IRC		11:12
*** lhcheng has quit IRC		11:13
*** urulama has joined #openstack-keystone		11:13
*** jamie_h has quit IRC		11:14
*** dims has quit IRC		11:15
*** dims has joined #openstack-keystone		11:16
*** henrynash has quit IRC		11:16
*** aix has joined #openstack-keystone		11:16
*** dims has quit IRC		11:20
openstackgerrit	Mehdi Abaakouk (sileht) proposed openstack/keystonemiddleware: Allow to use oslo.config without global CONF https://review.openstack.org/208965	11:21
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/214509	11:21
*** yottatsa has joined #openstack-keystone		11:21
openstackgerrit	Mehdi Abaakouk (sileht) proposed openstack/keystonemiddleware: Allow to use oslo.config without global CONF https://review.openstack.org/208965	11:22
*** yottatsa has quit IRC		11:22
*** yottatsa_ has joined #openstack-keystone		11:22
*** yottatsa_ has quit IRC		11:27
*** dims has joined #openstack-keystone		11:33
*** markvoelker has joined #openstack-keystone		11:35
*** yottatsa has joined #openstack-keystone		11:35
*** yottatsa has quit IRC		11:37
*** markvoelker has quit IRC		11:40
*** gordc has joined #openstack-keystone		11:45
*** samueldmq has joined #openstack-keystone		11:46
*** afazekas has quit IRC		11:46
*** woodster_ has joined #openstack-keystone		11:48
samueldmq	morning	12:01
*** piyanai has joined #openstack-keystone		12:10
*** topol has joined #openstack-keystone		12:15
*** ChanServ sets mode: +v topol		12:15
marekd	dstanek: https://review.openstack.org/#/c/201738/3/keystone/tests/unit/test_v3_auth.py the one from line 392	12:19
dstanek	marekd that's how we get a v2 token in most of these tests	12:21
*** doug-fish has joined #openstack-keystone		12:23
*** edmondsw has joined #openstack-keystone		12:23
*** topol has quit IRC		12:24
iurygregory	marekd, what do you mean by "full of inconsistencies"?	12:27
openstackgerrit	henry-nash proposed openstack/keystone: Support project hierarchies in data driver tests https://review.openstack.org/154485	12:31
iurygregory	marekd, what problems do you see in http://specs.openstack.org/openstack/puppet-openstack-specs/specs/liberty/enabling-federation.html ?	12:33
*** henrynash has joined #openstack-keystone		12:34
*** ChanServ sets mode: +v henrynash		12:34
marekd	iurygregory: for instance you seem to make references that you will be able to setup saml2 and oidc and later you mention only shibd and mellon modules.	12:36
marekd	iurygregory: but since the spec was approved you are good to go and implement modules :-)	12:37
iurygregory	we are going to support shib mellon and oidc	12:38
*** markvoelker has joined #openstack-keystone		12:39
iurygregory	i have only give examples with shib and mellon because I am familiar with they	12:39
marekd	iurygregory: line 60 - if available modules are shibboleth and mellon how are you going to support oidc then?	12:40
iurygregory	oidc is protocol like SAML	12:41
iurygregory	this are module available for SAML	12:41
iurygregory	=)	12:41
marekd	besides to me saying "OpenID Connect, Shibboleth and Mellon" is like saying "truck, Fiat and Porsche"	12:42
marekd	iurygregory: ok, so how are you going to support OpenID Connect if the only (acording to spec) modules are those capable of handling SAML2?	12:42
marekd	unless one of those started supporting oidc?	12:43
iurygregory	"protocol: The protocol used to provide Federation. There is support for two protocols: OpenID Connect and SAML"	12:43
iurygregory	you need to choose one	12:43
iurygregory	if you choose SAML you need to choose the module (shib/mellon)	12:43
marekd	iurygregory: ok, so what is going to happend if i choose "OIDC" as protocol and module set to mellon ?	12:44
iurygregory	the module will not allow	12:44
iurygregory	or just ignore the "module"	12:45
marekd	is the protocol going to be used to configure protocol via Keystone API ?	12:45
iurygregory	can you make it more clear?	12:45
*** chlong has joined #openstack-keystone		12:46
marekd	what is 'protocol' going to do in your puppet module?	12:46
marekd	where are you going to use this value?	12:46
iurygregory	will be used to verify and install the necessary packages	12:46
iurygregory	and set the configuration in keystone files	12:46
marekd	so it will not actually execute any API calls ?	12:47
marekd	iurygregory: next - line 40 - where do i specify those choices?	12:49
marekd	FWIW protocol can be only "OpenID Connect" or "SAML"	12:50
marekd	and module only 'shibboleth' and 'mellon'	12:50
*** dsirrine has joined #openstack-keystone		12:51
iurygregory	you can specify in your "site.pp" ^^	12:51
EmilienM	it's called Puppet parameters	12:52
marekd	iurygregory: but what parameter is it going to be?	12:52
marekd	protocol ?	12:52
marekd	module?	12:52
marekd	something that you didn't mention?	12:52
*** dave-mccowan has joined #openstack-keystone		12:52
marekd	anyways, go ahead and implement.	12:52
iurygregory	you can take a look at the example	12:53
EmilienM	I suggest iurygregory adding marekd as a reviewer when code is pushed	12:53
iurygregory	line 175	12:53
*** jistr is now known as jistr\|mtg		12:53
*** thiagop has joined #openstack-keystone		12:54
*** aix has quit IRC		12:54
marekd	iurygregory: ok, and which parameter should i choose to specify my preference from line 40?	12:54
marekd	i have three options	12:54
marekd	according to line 40	12:54
iurygregory	can you go to line 180 and 181?	12:56
*** henrynash has quit IRC		12:57
marekd	so there is protocol and module	12:58
marekd	so you flatten protocol and modules and make them list (OpenID Connect, Mellon and Shibbboleth) ?	12:58
*** fhubik has quit IRC		12:58
samueldmq	marekd, so basically you are asking for clarifying the difference in protocol and module, like saying if saml is used, there are two possible modules: shib and mellon ?	12:59
samueldmq	marekd, and if openidc is used, that's all (no module to specify)	12:59
*** aix has joined #openstack-keystone		13:00
*** chlong has quit IRC		13:00
rodrigods	marekd, hi, just arrived	13:00
marekd	samueldmq: i am basically asking why all those explanations must be posted here are they are not in the spec...	13:00
iurygregory	marek you really have only three coices	13:00
iurygregory	protocol = OpenID Connect module is ignored	13:01
iurygregory	protocol = SAML and module = Shib	13:01
iurygregory	protocol = SAML and module = mellon	13:01
*** richm has joined #openstack-keystone		13:02
*** fhubik has joined #openstack-keystone		13:04
*** chlong has joined #openstack-keystone		13:04
*** tiny-hands has joined #openstack-keystone		13:05
marekd	iurygregory: it's really not clear there. anyway, i am not going back to this.	13:06
marekd	lets now make it work	13:06
iurygregory	ok	13:06
iurygregory	It may have been a failure in the spec as you say, but the code will be ok. i don't think it's worth to send a change now for the spec.	13:08
*** jecarey has joined #openstack-keystone		13:08
*** fhubik has quit IRC		13:09
*** raildo-afk is now known as raildo		13:10
*** hrou has joined #openstack-keystone		13:14
*** ajayaa has quit IRC		13:18
marekd	i didnt say it's a failure	13:21
*** ayoung has joined #openstack-keystone		13:24
*** ChanServ sets mode: +v ayoung		13:24
iurygregory	i know you didn't say marek ^^	13:24
openstackgerrit	Lance Bragstad proposed openstack/keystone: Add federated auth for idp specific websso https://review.openstack.org/214766	13:28
*** jamielennox is now known as jamielennox\|away		13:30
*** henrynash has joined #openstack-keystone		13:32
*** ChanServ sets mode: +v henrynash		13:32
*** dims_ has joined #openstack-keystone		13:35
*** zzzeek has joined #openstack-keystone		13:36
*** davechen has joined #openstack-keystone		13:38
*** dims has quit IRC		13:39
openstackgerrit	henry-nash proposed openstack/keystone: Support project hierarchies in data driver tests https://review.openstack.org/154485	13:42
*** geoffarnoldX is now known as geoffarnold		13:42
*** dims_ has quit IRC		13:44
*** dims has joined #openstack-keystone		13:46
samueldmq	dstanek, in my policy code, I was using oslo timeutils and doing : timeutils.utcnow() - datetime.datetime.min to get the timestamp, instead of timeutils.utcnow_ts()	13:53
davechen	henrynash: ping?	13:53
*** piyanai has quit IRC		13:53
samueldmq	dstanek, when I converted it back to a datetiem object, my policy was valid until the year 3xxx :-)	13:53
henrynash	davechen: hi	13:53
samueldmq	dstanek, hehe	13:53
davechen	henrynash: want to ask a quesiton :)	13:54
davechen	https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L613-L614	13:54
henrynash	davechen: sure	13:54
davechen	pls take a look at this.	13:54
openstackgerrit	Lance Bragstad proposed openstack/keystone-specs: IDP specific websso https://review.openstack.org/199339	13:54
davechen	why we need ignore the key not in the query_dict?	13:54
davechen	henrynash: I saw some comment from you, so I assume this feature is implemented by you. :)	13:55
henrynash	davechen: (thinking…it was a long time ago!)	13:55
davechen	henrynash: yeah, i think so.	13:55
samueldmq	henrynash, the ibm wildduck, making impressive code since .. a long time ago	13:56
samueldmq	:-)	13:56
henrynash	davechen: well I think it was to ensure we only supported filtering on the items we state in the api spec	13:56
davechen	henrynash: this will lead the issue when the query key is not in query_dict will return the entire entries in the DB.	13:56
henrynash	davechen: yes, if you specify a query we don’t support, we ignore that filter	13:57
davechen	henrynash: I am currently work on the bug related with this, https://bugs.launchpad.net/python-openstackclient/+bug/1479837	13:57
openstack	Launchpad bug 1479837 in Keystone "improper handling non existing identity providers " [Medium,In progress] - Assigned to Dave Chen (wei-d-chen)	13:57
henrynash	davechen: I seem to remember us discussion that…i.e. do you show nothing or at least give the user something	13:57
*** Nirupama has quit IRC		13:58
davechen	henrynash: I propose an inital patch here (https://review.openstack.org/#/c/215041/) to change a little bit, but I am not sure if this is by design.	13:58
*** browne has joined #openstack-keystone		13:59
davechen	henrynash: so, the bug desc as what 'openstack identity provider show idontexist' returns is correct by this design?	13:59
davechen	and, when we specify a random key, then the API return all of the entries in the DB is correct?	14:00
henrynash	davechen: so what does the show command on opentsack do…is it meant to show by name, or ID or what?	14:00
*** narengan has joined #openstack-keystone		14:00
henrynash	show by name, I assume	14:01
davechen	henrynash: osc will try to use invoke get_ and then it will try again with list_ with the filter.	14:02
henrynash	davechen: ok, I see	14:02
davechen	the issue is name is not always an existing column	14:02
henrynash	davechen: yep	14:03
*** sigmavirus24_awa is now known as sigmavirus24		14:03
davechen	so, it will try to use list and filter by the filter, but when the 'name' is not a column, it will return all of them.	14:04
*** aix has quit IRC		14:04
henrynash	davechen: so neither the get or the list is going to work…so no sure what osc shoud do!	14:04
davechen	this is not limited to this, it's existing in any APIs rather than identity provider.	14:04
henrynash	davechen: well, it’s an entity that doesn’t have a name atribute (as far as an osc problem)	14:05
henrynash	(any entity…)	14:05
*** lhinds has joined #openstack-keystone		14:06
davechen	henrynash: If curl is used with an random key specified as the filter, then we will get all...	14:06
henrynash	davechecn: origionally we specified that entities had to have certain attributes as mandatory - I think id and name were the two everythig had to have	14:06
henrynash	davechen: yes, and that really was by design	14:06
henrynash	davechen: not saying the design is necessarily right, mind you (!)	14:07
*** afazekas has joined #openstack-keystone		14:07
henrynash	davechen: we can obviosly change it…but we would have to deprecate the old fucntionality	14:07
davechen	henrynash: can we relax it? not ignore the key not in the query_dict, then it will not return anything?	14:08
henrynash	davechen: I don’t think we can just change it without a deprecation preiod	14:08
*** jistr\|mtg is now known as jistr		14:08
davechen	henrynash: got you, I am thinking how to deprectate the old behaviour.	14:08
henrynash	davechen: and I’d want wider discussion in terms of what the best approach would be	14:08
*** yottatsa has joined #openstack-keystone		14:09
*** fhubik has joined #openstack-keystone		14:09
davechen	henrynash: maybe add a topic in our meeting. :)	14:09
*** aix has joined #openstack-keystone		14:09
henrynash	davechen: the actual problem here is that osc assumes that all entities conform to the origional standard (of everything having an id and a name) but IDP entities do not follow that standard	14:09
davechen	henrynash: not every entites in keystone both has ID and name, it's okay if we do some DB migration, but if we use the CURL, what's return is still make user confuse.	14:10
henrynash	davechen: it is a separate issue as to whether specifying a filter we do not support should return you nothing or teh filter shoudl be ignored	14:10
*** geoffarnold has quit IRC		14:10
henrynash	davechen: I really think they are two separate issues	14:11
*** yottatsa has quit IRC		14:11
henrynash	davechen: first class entities in keystone were MEANT to always have id and anme	14:11
henrynash	name	14:11
*** ajayaa has joined #openstack-keystone		14:11
*** yottatsa has joined #openstack-keystone		14:11
*** yottatsa has quit IRC		14:12
davechen	henrynash: yeah, osc seems okay since I cannot figure out a way to change it.	14:12
henrynash	davechen: and just for clarity it is not true to say that if you specify a filter we do not suppor that we return everything…it is just that we ignore the filter (you may, for instance, be specifiy more than one filter)	14:13
davechen	henrynash: yep, only that filter is ignored, and return everything only in case there is just this one filter.	14:14
*** kiran-r has joined #openstack-keystone		14:14
henrynash	davechen: agreed	14:14
*** kiran-r has quit IRC		14:15
davechen	henrynash: whats' the best approach for this issue per your understanding?	14:15
*** doug-fish has quit IRC		14:16
davechen	henrynash: db migraiton for all of these table which don't have name column?	14:16
henrynash	davechen: even if we changed how we did filtering, osc would still be borken	14:16
*** doug-fish has joined #openstack-keystone		14:16
davechen	henrynash: or deprecate this old functionlity and return nothing.. or just keep it as it? :)	14:16
henrynash	davechen: either osc needs be more flexible in what attribute the show coammnd uses...	14:16
henrynash	davechen: or we have to name to teh IDP table	14:16
henrynash	davechen: iI still think the filtering is a separate issue - magine we did that…what would osc do if you said show?	14:17
henrynash	davechen: it still won’t get you enything	14:17
davechen	henrynash: osc dont know what's attribute in the table from each endpoing.	14:17
*** yottatsa has joined #openstack-keystone		14:18
henrynash	davechen: so osc is assume ‘name’ exists….so either we must chaneg that, or we chaneg our idp entitty	14:18
*** petertr7_away is now known as petertr7		14:19
henrynash	davechen: I woudl so first up is a discusion with dean/stevemar on what osc should and should not be assuming	14:19
davechen	henrynash: but if we not ignore the key not in the query_dict, osc will works well.	14:19
*** narengan has quit IRC		14:20
*** narengan has joined #openstack-keystone		14:20
henrynash	davechen: will it? the list will retunr nothing	14:20
*** lhinds_ has joined #openstack-keystone		14:21
henrynash	davechen: am I missign something?	14:21
davechen	henrynash: list call list_***, why return nothing? I didn't get it.	14:21
henrynash	davechen: well won’t osc issue a GET /idp?name=xyz ?	14:23
davechen	henrynash: this is for show not for list, I think.	14:24
*** narengan has quit IRC		14:24
henrynash	davechen: well won’t it try and list using the filter too? ie.. GET /idps?name=xyz	14:24
davechen	https://github.com/openstack/python-openstackclient/blob/master/openstackclient/common/utils.py#L66-L83	14:25
henrynash	davechen: soory need to go offline for a bit..wil be back	14:25
*** henrynash has quit IRC		14:25
davechen	henrynash: talk to you later, thanks for talking...	14:26
*** lhinds_ has quit IRC		14:29
*** vivekd has joined #openstack-keystone		14:29
*** albertom-afk is now known as albertom		14:31
*** davechen has left #openstack-keystone		14:31
*** doug-fish has quit IRC		14:33
*** doug-fish has joined #openstack-keystone		14:33
*** doug-fish has quit IRC		14:38
*** geoffarnold has joined #openstack-keystone		14:40
*** samueldmq has quit IRC		14:40
*** yottatsa has quit IRC		14:44
*** yottatsa has joined #openstack-keystone		14:47
*** csoukup has joined #openstack-keystone		14:47
*** piyanai has joined #openstack-keystone		14:49
*** raildo is now known as raildo-afk		14:51
*** yottatsa has quit IRC		14:51
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Some fixes in the is_domain field creation https://review.openstack.org/215167	14:52
*** dsirrine has quit IRC		14:52
rodrigods	bknudson, ayoung ^	14:53
*** narengan has joined #openstack-keystone		14:54
*** raildo-afk has quit IRC		14:55
*** raildo-afk has joined #openstack-keystone		14:56
*** raildo-afk has quit IRC		14:57
*** raildo-afk has joined #openstack-keystone		14:57
*** raildo-afk is now known as raildo		14:58
*** yottatsa has joined #openstack-keystone		14:59
*** yottatsa has quit IRC		14:59
*** fhubik has quit IRC		15:04
*** shoutm has joined #openstack-keystone		15:05
*** alejandrito has joined #openstack-keystone		15:08
*** yottatsa has joined #openstack-keystone		15:09
ayoung	rodrigods, bad commit title. What did you fix?	15:15
rodrigods	ayoung, in the approved review bknudson made some comments and gave a -1	15:15
rodrigods	have any suggestions to make the title clearer?	15:16
*** yottatsa has quit IRC		15:16
openstackgerrit	Mehdi Abaakouk (sileht) proposed openstack/keystonemiddleware: Allow to use oslo.config without global CONF https://review.openstack.org/208965	15:16
*** urulama has quit IRC		15:18
*** yottatsa has joined #openstack-keystone		15:18
*** urulama has joined #openstack-keystone		15:19
*** shoutm has quit IRC		15:20
*** stevemar has joined #openstack-keystone		15:21
*** ChanServ sets mode: +v stevemar		15:21
*** slberger has joined #openstack-keystone		15:21
*** browne has quit IRC		15:21
*** jistr is now known as jistr\|mtg		15:22
*** topol has joined #openstack-keystone		15:28
*** ChanServ sets mode: +v topol		15:28
*** samueldmq has joined #openstack-keystone		15:28
openstackgerrit	Merged openstack/python-keystoneclient: Deprecate ServiceCatalog(region_name) https://review.openstack.org/205809	15:31
*** piyanai has quit IRC		15:33
*** piyanai has joined #openstack-keystone		15:34
*** r-daneel has joined #openstack-keystone		15:36
*** arunkant_ has joined #openstack-keystone		15:39
*** pnavarro has quit IRC		15:39
slberger	@lbragstad @dolphm with this bug https://bugs.launchpad.net/keystone/+bug/1477600 is there potential to enter a loop of sorts for token requests, after we implemented fernet tokens people noticed a spike in keystone node usage and more than 50% of keystone token validation requests returned 401	15:40
openstack	Launchpad bug 1477600 in Keystone kilo "Token Validation API returns 401 not 404 on invalid fernet token" [Medium,Fix committed] - Assigned to Dolph Mathews (dolph)	15:40
*** geoffarnold has quit IRC		15:41
dstanek	vivekd: i gave the interface review a quick look this morngin	15:41
*** tjcocozz has joined #openstack-keystone		15:42
*** petertr7 is now known as petertr7_away		15:42
breton	slberger: afaik keystoneclient tries to authenticate only once after receiving 401	15:44
vivekd	thanks a lot for your review comments dstanek;	15:44
vivekd	helps a lot for beginner like me.	15:44
vivekd	i'm working on addressing all your comments.	15:45
vivekd	dstanek: will post an updated patch in a while.	15:45
dstanek	vivekd: i'm going to ask about this in the next meeting because this isn't what we discussed at the summit	15:45
dstanek	vivekd: i forgot to push up my hacky alternative...	15:46
vivekd	oh ok dstanek i'll participate in the next meeting	15:46
openstackgerrit	David Stanek proposed openstack/keystone: WIP: WIPier and most WIPs - stable ifc design alternative https://review.openstack.org/215202	15:46
dstanek	vivekd: ^	15:46
dstanek	vivekd: i'm just not sure how valuable doing only methods will be because we still won't have a stable interface	15:47
*** urulama has quit IRC		15:47
*** petertr7_away is now known as petertr7		15:48
*** belmoreira has joined #openstack-keystone		15:49
vivekd	dstanek: i submitted my patch based on my understanding of the spec @ specs.openstack.org/openstack/keystone-specs/specs/liberty/stable-driver-interfaces.html so i thought i was going inline with what was discussed in the summit	15:51
vivekd	dstanek: i'm happy to accept corrections from u if my 'doing only methods' approach is not inline with what was discussed in the summit	15:51
*** doug-fish has joined #openstack-keystone		15:52
dstanek	vivekd: the discussion was more about how to document and enforce the inputs/outputs like i mentioned yesterday	15:52
lbragstad	slberger: I think dolphm wrote about the keystone node usage part	15:52
*** hogepodge has quit IRC		15:53
stevemar	slberger: yay you found the keystone channel!	15:54
*** btully has joined #openstack-keystone		15:54
lbragstad	slberger: http://dolphm.com/benchmarking-openstack-keystone-token-formats/	15:54
stevemar	dolphm: lbragstad, this is slberger, he's trying to make fernet tokens work for us :)	15:54
lbragstad	slberger: o/	15:54
lbragstad	slberger: I have an item on my todo list to implement some sort of caching solution for rebuilding the catalog api	15:55
lbragstad	s/catalog api/catalog from the token api/	15:55
dolphm	slberger: o/	15:56
dolphm	lbragstad: that should be a one liner!	15:56
lbragstad	slberger: on every token request (auth or validate) the catalog is reconstructed	15:56
lbragstad	dolphm: ++ yeah it should	15:56
*** yottatsa has quit IRC		15:57
*** AlexeyElagin has joined #openstack-keystone		15:57
dstanek	dolphm: really? i would have though our methods weren't that fine grained	15:57
*** belmoreira has quit IRC		15:58
*** yottatsa has joined #openstack-keystone		15:58
*** btully has quit IRC		16:00
*** narengan has quit IRC		16:01
*** narengan has joined #openstack-keystone		16:02
lbragstad	dolphm: it looks like we MEMOIZE get_region, get_service, and get_endpoint already?	16:03
dolphm	dstanek: add a @MEMOIZE here https://github.com/openstack/keystone/blob/master/keystone/catalog/core.py#L273	16:03
dolphm	lbragstad: ^	16:03
openstackgerrit	Merged openstack/keystone: Updating sample configuration file https://review.openstack.org/214339	16:03
dolphm	lbragstad: i don't think we're caching authorization stuff, but the trick there is to refactor all calls into ones that don't have optional arguments	16:05
openstackgerrit	Lance Bragstad proposed openstack/keystone: Add caching to get_catalog https://review.openstack.org/215212	16:05
*** narengan has quit IRC		16:06
lbragstad	dolphm: optional arguments where? in get_service, get_endpoint, and get_region ?	16:06
slberger	dolphm: with your benchmarks did you do any testing with cpu load?	16:07
slberger	dolphm: when changing to fernet	16:07
dstanek	lbragstad: that's actually surprising. i would have thought that it depended on a context object	16:08
lbragstad	slberger: I'm not sure we saved metrics from CPU load, mostly based on response times	16:08
*** piyanai has quit IRC		16:09
dolphm	slberger: not specifically, but it should certainly increase	16:09
*** jistr\|mtg is now known as jistr		16:10
*** narengan has joined #openstack-keystone		16:10
dolphm	slberger: in each benchmark, CPU time was our bottleneck though	16:10
*** henrynash has joined #openstack-keystone		16:12
*** ChanServ sets mode: +v henrynash		16:12
*** lsmola has quit IRC		16:12
*** _cjones_ has joined #openstack-keystone		16:13
*** piyanai has joined #openstack-keystone		16:13
*** piyanai has quit IRC		16:18
openstackgerrit	Marek Denis proposed openstack/keystone: Ensure ephemeral user's user_id is url-safe https://review.openstack.org/215221	16:18
*** yottatsa has quit IRC		16:20
*** kiran-r has joined #openstack-keystone		16:20
*** david8hu has quit IRC		16:22
*** hogepodge has joined #openstack-keystone		16:23
*** vivekd has quit IRC		16:23
*** petertr7 is now known as petertr7_away		16:25
*** mylu has joined #openstack-keystone		16:27
*** geoffarnold has joined #openstack-keystone		16:27
*** roxanaghe has joined #openstack-keystone		16:29
*** piyanai has joined #openstack-keystone		16:29
*** _kiran_ has joined #openstack-keystone		16:30
*** kiran-r has quit IRC		16:31
*** browne has joined #openstack-keystone		16:33
*** doug-fish has quit IRC		16:33
*** doug-fish has joined #openstack-keystone		16:33
*** piyanai has quit IRC		16:34
lbragstad	mfisch: I'm curious if this will help your token validation problem https://review.openstack.org/#/c/215212/	16:34
lbragstad	problem = token response time	16:35
dolphm	lbragstad: i wonder if morgan_2549 knows why that @MEMOIZE wasn't there already? ^	16:35
lbragstad	dolphm: maybe he thought it was too edge case if we were already caching the service, regions, and endpoints?	16:35
morgan_2549	Uh. Because it was probably just missed	16:36
*** piyanai has joined #openstack-keystone		16:37
*** geoffarnold has quit IRC		16:37
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Calculate validity and control caching https://review.openstack.org/209695	16:40
arunkant_	gordc and stevemar: Barbican taxonomy change is merged in pycadf. I need a new version so I can use it in Barbican side. How do I request that?	16:41
gordc	arunkant_: i can create one for you.	16:42
gordc	it probably won't be released this week (we tend not to release late in week).	16:43
*** narengan_ has joined #openstack-keystone		16:44
*** jistr has quit IRC		16:46
*** narengan has quit IRC		16:47
*** vivekd has joined #openstack-keystone		16:48
*** lhinds has quit IRC		16:48
*** piyanai has quit IRC		16:49
arunkant_	gordc, thanks. Next week is fine.	16:49
*** Kennan2 has quit IRC		16:50
gordc	arunkant_: https://review.openstack.org/#/c/215232/	16:52
gordc	hmmm... spelled something wrong.	16:52
*** btully has joined #openstack-keystone		16:54
*** piyanai has joined #openstack-keystone		16:54
arunkant_	gordc, looks good now.	16:56
*** narengan has joined #openstack-keystone		16:56
*** piyanai has quit IRC		16:56
*** tjcocozz_ has joined #openstack-keystone		16:58
*** piyanai has joined #openstack-keystone		16:59
*** narengan_ has quit IRC		17:00
slberger	does keystone support oauth v2.0?	17:00
*** tjcocozz has quit IRC		17:02
*** afazekas has quit IRC		17:02
*** Kennan has joined #openstack-keystone		17:05
ayoung	slberger, define support?	17:06
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/214509	17:06
*** henrynash has quit IRC		17:06
openstackgerrit	OpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/213898	17:10
slberger	I guess is there any way to federate with an oauth v2.0 based backend	17:10
*** ankita_wagh has joined #openstack-keystone		17:13
*** piyanai has quit IRC		17:13
*** piyanai has joined #openstack-keystone		17:13
*** Kennan has quit IRC		17:14
stevemar	slberger: i think chris casey was working on trying to get that figured out	17:17
stevemar	it should, mod_auth_openidc should have oauthv2.0 support	17:17
*** Kennan has joined #openstack-keystone		17:20
*** csoukup has quit IRC		17:21
*** aix has quit IRC		17:22
*** geoffarnold has joined #openstack-keystone		17:22
*** mylu has quit IRC		17:22
*** mylu has joined #openstack-keystone		17:23
*** narengan has quit IRC		17:23
*** doug-fish has quit IRC		17:23
*** jeffDeville has joined #openstack-keystone		17:23
*** narengan has joined #openstack-keystone		17:24
*** doug-fish has joined #openstack-keystone		17:24
*** Kennan has quit IRC		17:24
*** narengan has quit IRC		17:28
*** david8hu has joined #openstack-keystone		17:29
*** piyanai has quit IRC		17:32
*** narengan has joined #openstack-keystone		17:33
*** narengan has quit IRC		17:34
*** narengan has joined #openstack-keystone		17:34
*** doug-fish has quit IRC		17:35
*** tsymanczyk has quit IRC		17:35
*** doug-fish has joined #openstack-keystone		17:35
*** geoffarnold has quit IRC		17:38
*** narengan has quit IRC		17:39
*** piyanai has joined #openstack-keystone		17:39
*** Kennan has joined #openstack-keystone		17:40
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Some fixes in the is_domain field creation https://review.openstack.org/215167	17:40
*** lhcheng has joined #openstack-keystone		17:41
*** ChanServ sets mode: +v lhcheng		17:41
*** piyanai has quit IRC		17:41
*** yottatsa has joined #openstack-keystone		17:43
*** stevemar has quit IRC		17:44
*** stevemar has joined #openstack-keystone		17:46
*** ChanServ sets mode: +v stevemar		17:46
lhcheng	stevemar: ping	17:50
stevemar	lhcheng: pong	17:50
lhcheng	stevemar: https://bugs.launchpad.net/keystone/+bug/1482772	17:50
openstack	Launchpad bug 1482772 in Keystone "Region filtering for endpoints does not work" [Medium,In progress] - Assigned to Lin Hua Cheng (lin-hua-cheng)	17:50
*** _kiran_ has quit IRC		17:50
lhcheng	we have the region filter in OSC and KSC, but it is passing region instead of region_id :(	17:51
stevemar	oh noes	17:51
stevemar	my bad, re-open them	17:51
lhcheng	do we make the API accept both region and region_id?	17:51
lhcheng	I am just about to add the filter, so I can still add it we want..	17:52
lhcheng	*if we want	17:52
stevemar	region & region_id seems pointless	17:53
*** petertr7_away is now known as petertr7		17:54
stevemar	i think the standard is just the ID	17:54
lhcheng	okay, sounds good to me.	17:54
*** tsymanczyk has joined #openstack-keystone		17:55
*** tsymanczyk is now known as Guest90767		17:55
lbragstad	dolphm: any suggestions on how we get these kinds of tests to pass with caching enabled on get_catalog? https://github.com/openstack/keystone/blob/a42db6085bde6bbbe5ba35fa8823a7b1ef5b3742/keystone/tests/unit/test_backend_templated.py#L69-L79	17:57
*** jasonsb has quit IRC		17:57
*** csoukup has joined #openstack-keystone		17:58
*** csoukup has quit IRC		17:58
openstackgerrit	David Stanek proposed openstack/keystone: Remove all traces of olso incubator https://review.openstack.org/199343	17:58
dstanek	how do people feel about https://blueprints.launchpad.net/keystone/+spec/remove-oslo-incubator ?	17:59
dstanek	lbragstad: do those tests fail?	17:59
*** gyee has joined #openstack-keystone		18:00
*** ChanServ sets mode: +v gyee		18:00
*** piyanai has joined #openstack-keystone		18:00
*** gyee has quit IRC		18:00
*** gyee has joined #openstack-keystone		18:03
*** ChanServ sets mode: +v gyee		18:03
lbragstad	dstanek: yeah, just the one	18:04
lbragstad	http://logs.openstack.org/12/215212/1/check/gate-keystone-python27/f224531/testr_results.html.gz	18:04
lbragstad	dstanek: I'm sure the update to the templated catalog works, but since it's caching, it doesn't pickup that change	18:05
dstanek	wow, that's odd that it would fail	18:05
lbragstad	dstanek: I think it's caching on arguments	18:05
*** mpmsimo has joined #openstack-keystone		18:06
lbragstad	dstanek: so, 'foo' and 'bar'	18:06
*** mpmsimo has quit IRC		18:06
openstackgerrit	Vivek Dhayaal proposed openstack/keystone: Stable Keystone Driver Interfaces https://review.openstack.org/209524	18:07
dstanek	lbragstad: that reminds me that i have to fix a conflict in my review that decouples templated from kvs	18:07
*** jdennis has quit IRC		18:08
*** bapalm has quit IRC		18:11
*** urulama has joined #openstack-keystone		18:13
*** bapalm has joined #openstack-keystone		18:14
*** jdennis has joined #openstack-keystone		18:17
*** vivekd has quit IRC		18:21
*** ayoung has quit IRC		18:23
*** samleon has joined #openstack-keystone		18:23
*** yottatsa has quit IRC		18:27
*** geoffarnold has joined #openstack-keystone		18:28
*** kiran-r has joined #openstack-keystone		18:33
*** henrynash has joined #openstack-keystone		18:35
*** ChanServ sets mode: +v henrynash		18:35
*** dave-mcc_ has joined #openstack-keystone		18:36
*** jeffDeville has quit IRC		18:38
*** dave-mccowan has quit IRC		18:39
*** jeffDeville has joined #openstack-keystone		18:39
*** piyanai has quit IRC		18:46
*** kiran-r has quit IRC		18:53
*** thiagop is now known as thiagop_afk		18:54
*** afazekas has joined #openstack-keystone		18:55
*** piyanai has joined #openstack-keystone		18:56
*** geoffarnold has quit IRC		19:00
*** narengan has joined #openstack-keystone		19:01
*** afazekas has quit IRC		19:03
*** piyanai has quit IRC		19:06
openstackgerrit	Roxana Gherle proposed openstack/python-keystoneclient: Deprecate default admin endpoint type for v3 client https://review.openstack.org/185200	19:08
*** piyanai has joined #openstack-keystone		19:10
*** Guest90767 has quit IRC		19:15
*** btully has quit IRC		19:16
*** jasonsb has joined #openstack-keystone		19:18
*** urulama has quit IRC		19:18
*** urulama has joined #openstack-keystone		19:18
*** dims_ has joined #openstack-keystone		19:26
*** lhcheng_ has joined #openstack-keystone		19:27
*** Protux has quit IRC		19:27
*** tsymanczyk has joined #openstack-keystone		19:27
*** woodster_ has quit IRC		19:27
*** dolphm has quit IRC		19:27
*** jamielennox\|away has quit IRC		19:27
*** tsymanczyk is now known as Guest88498		19:28
*** dims has quit IRC		19:28
*** piyanai has quit IRC		19:28
*** lhcheng has quit IRC		19:28
*** r-daneel has quit IRC		19:28
*** serverascode has quit IRC		19:28
*** piyanai has joined #openstack-keystone		19:29
*** dave-mccowan has joined #openstack-keystone		19:30
gyee	henrynash, question for ya if you still awake	19:30
henrynash	gyee: yep!	19:30
gyee	yay!	19:30
gyee	so for per-domain config in sql	19:30
gyee	how do we handle custom certificates for LDAP servers?	19:30
gyee	meaning we have LDAP server certs that are not issued by a commercial CA	19:31
gyee	those we still have to go through CMS right?	19:31
*** woodster_ has joined #openstack-keystone		19:31
*** btully has joined #openstack-keystone		19:31
*** rm_work is now known as rm_work\|away		19:32
*** ankita_w_ has joined #openstack-keystone		19:32
gyee	right now we specify the cert location in the config	19:32
*** ayoung has joined #openstack-keystone		19:32
*** ChanServ sets mode: +v ayoung		19:32
*** dave-mcc_ has quit IRC		19:33
henrynash	so is cert config one ofteh ldap config options?	19:33
openstackgerrit	henry-nash proposed openstack/keystone: Enable listing of role assignments in a project hierarchy https://review.openstack.org/208152	19:33
gyee	henrynash, yes, it is an requirement for passing password to LDAP	19:33
gyee	most be done over TLS	19:34
henrynash	gyee: let me see it is in our white list	19:34
*** serverascode has joined #openstack-keystone		19:34
gyee	henrynash, how does out LDAP code handle that though? we have to write it out to a file first I would think	19:35
*** ankita_wagh has quit IRC		19:35
*** Protux has joined #openstack-keystone		19:35
gyee	let me see if it takes a file descriptor instead	19:36
*** dolphm has joined #openstack-keystone		19:36
henrynash	gyee: so tls_cretdiir and tls_certfile are certainly supported by out config on a domain by domain basis	19:36
gyee	right	19:36
gyee	but its still a combination of SQL and CMS	19:37
gyee	I was trying to see if we can avoid CMS	19:37
*** narengan_ has joined #openstack-keystone		19:37
henrynash	guee: yep, we don’t offer storing the actual cert in teh DB	19:37
henrynash	gyee: isn’t that barbican?	19:37
gyee	henrynash, blueprint time :)	19:37
gyee	henrynash, yes, ideally we want to be able to use URLs to pull the certs	19:38
gyee	file://...	19:38
gyee	https://...	19:38
gyee	instead of dir path	19:38
*** richm has quit IRC		19:38
henrynash	gyee: yep…or is barbican the “openstack cms” for this?	19:38
gyee	if we can load a cert from a URL, it can be barbican or any API server	19:39
henrynash	gyee: true	19:39
*** darrenc has quit IRC		19:39
gyee	henrynash, you want to start a blueprint or do you want me to start one?	19:40
henrynash	samueldmq, rodigods: see https://review.openstack.org/208152 for some heavy weight hierarchy testing!	19:40
gyee	we'll have to enhance the LDAP driver code as well	19:40
samueldmq	henrynash, nice!	19:40
*** narengan has quit IRC		19:40
henrynash	gyee: sounds liek you would be a good “customer” to write the bp…I’d be happy to take onteh work	19:40
*** darrenc has joined #openstack-keystone		19:40
samueldmq	henrynash, love those ascii art there :-)	19:41
gyee	henrynash, lemme write one then	19:41
*** Ephur_ has joined #openstack-keystone		19:41
henrynash	samueldmq: :-)	19:41
* gyee puts on his operator hat		19:41
henrynash	samueldmq: space bar…tap, tap , tap ,tap	19:41
samueldmq	henrynash, heheh very nice :)	19:42
samueldmq	henrynash, I am going to take a better look later (doing somehting right now), but definitely added here as high-priority todo	19:42
samueldmq	henrynash, I own you those reviews :)	19:42
*** Ephur has quit IRC		19:43
gyee	samueldmq, ascii art reminds me of the NNTP days :)	19:43
*** Ephur has joined #openstack-keystone		19:43
openstackgerrit	henry-nash proposed openstack/keystone: Enable listing of role assignments in a project hierarchy https://review.openstack.org/208152	19:43
*** r-daneel has joined #openstack-keystone		19:44
rodrigods	henrynash, haha nice!	19:44
samueldmq	henrynash, :) (had to google NNTP tbh haha)	19:45
*** slberger has left #openstack-keystone		19:45
gyee	in the old days, we got our 'ascii arts' via nntp	19:46
*** Ephur_ has quit IRC		19:46
*** alejandrito has quit IRC		19:47
*** jamielennox\|away has joined #openstack-keystone		19:47
*** jamielennox\|away is now known as jamielennox		19:47
*** ChanServ sets mode: +v jamielennox		19:47
openstackgerrit	henry-nash proposed openstack/keystone: Enable listing of role assignments in a project hierarchy https://review.openstack.org/208152	19:48
*** alejandrito has joined #openstack-keystone		19:49
*** dsirrine has joined #openstack-keystone		19:51
*** richm has joined #openstack-keystone		19:54
*** doug-fis_ has joined #openstack-keystone		19:56
*** topol has quit IRC		19:57
*** topol has joined #openstack-keystone		19:57
*** ChanServ sets mode: +v topol		19:57
*** doug-fish has quit IRC		19:59
*** doug-fish has joined #openstack-keystone		20:00
*** doug-fis_ has quit IRC		20:01
*** alejandrito has quit IRC		20:09
*** browne has quit IRC		20:11
*** pnavarro has joined #openstack-keystone		20:11
*** browne has joined #openstack-keystone		20:12
*** alejandrito has joined #openstack-keystone		20:13
openstackgerrit	henry-nash proposed openstack/keystone: Remove manager-driver assignment metadata construct https://review.openstack.org/148995	20:15
samueldmq	gyee, yes, 'N T T P' ftw	20:15
samueldmq	:)	20:15
openstackgerrit	David Stanek proposed openstack/keystone: Remove all traces of oslo incubator https://review.openstack.org/199343	20:16
*** ajayaa has quit IRC		20:19
openstackgerrit	henry-nash proposed openstack/keystone: Enable listing of role assignments in a project hierarchy https://review.openstack.org/208152	20:22
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Calculate validity and control caching https://review.openstack.org/209695	20:26
*** urulama has quit IRC		20:27
*** urulama has joined #openstack-keystone		20:27
*** e0ne has joined #openstack-keystone		20:31
dstanek	henrynash: you still around?	20:31
henrynash	dstanek: yep….on phone..will be free in bit	20:35
dstanek	henrynash: np... i was just wondering if there is anything we can/should do with https://review.openstack.org/#/c/153535	20:36
*** boris-42 has joined #openstack-keystone		20:41
*** ankita_wagh has joined #openstack-keystone		20:44
henrynash	dstanek: so I don’t think there is an real big deal on this one….it was just that I was working with a group experimenting with alternate assignment engines…and they could bolt it in for expermientation…with no changes…except these couple of fixes	20:45
henrynash	dstanek: I don’t thikn they are pressing anything now, so if we like this fine, if not, killing it is fine too!	20:45
*** geoffarnold has joined #openstack-keystone		20:47
*** ankita_w_ has quit IRC		20:47
dstanek	henrynash: i don't mind killing it! only because i don't want people coming in and thinking that we like drivers that don't implement the full driver api	20:48
henrynash	dstanek: consider it dead, sir! (like a parrot)	20:48
*** jeffDeville has quit IRC		20:49
dstanek	henrynash: is it dead or just resting :-)	20:50
henrynash	dstanek: now, that, is the question!	20:51
*** geoffarnold has quit IRC		20:52
*** e0ne has quit IRC		20:58
*** tjcocozz__ has joined #openstack-keystone		20:59
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Calculate validity and control caching https://review.openstack.org/209695	20:59
*** tomas_c has joined #openstack-keystone		21:00
*** geoffarnold has joined #openstack-keystone		21:00
*** lhcheng has joined #openstack-keystone		21:01
*** ChanServ sets mode: +v lhcheng		21:01
*** lhcheng_ has quit IRC		21:01
*** tjcocozz_ has quit IRC		21:02
tomas_c	Hey, can someone please explain me this error? http://pastebin.com/sAaAF16w It happens on ./stack in Devstack.	21:04
lbragstad	tomas_c: it looks like the user creation failed (in a previous command) and the value was never persisted to a variable/	21:05
lbragstad	tomas_c: you might find some more information around the ERROR: openstack Internal Server Error (HTTP 500) on the keystone screen (if you're running devstack)	21:05
*** urulama has quit IRC		21:08
tomas_c	lbragstad: thank you for responding. i'm not sure if you mean by keystone screen a web-interface, because unfortunatelly i can't access it. Do you think it would be sufficient to back-out commits at keystone project?	21:09
*** urulama has joined #openstack-keystone		21:09
lbragstad	tomas_c: oh sorry	21:09
lbragstad	tomas_c: what I means was the keystone-all process that is started in a screen session	21:09
lbragstad	meant*	21:10
lbragstad	tomas_c: you should be able to attach to that screen session and find the window that is running the keystone process.	21:10
lbragstad	tomas_c: that might give you some more information around the 500s	21:10
openstackgerrit	Davanum Srinivas (dims) proposed openstack/keystone: No more openstack.common https://review.openstack.org/215337	21:11
*** rm_work\|away is now known as rm_work		21:13
tomas_c	lbragstad: sounds good, i will try that. i'm wondering if you think that a commit merged in keystone should cause this?	21:14
tomas_c	* could	21:15
lbragstad	tomas_c: I would hope not, since it would hopefully be caught by the gate	21:15
lbragstad	and the gate uses devstack to stand up the environments that we use for testing	21:15
*** urulama has quit IRC		21:17
tomas_c	lbragstad: hm, i haven't known about that. at this time it looks to me more like there might be stgh wrong in my local.conf	21:17
*** tiny-hands has left #openstack-keystone		21:21
*** ankita_w_ has joined #openstack-keystone		21:24
lbragstad	do we have triggers in keystone somewhere that allow us to invalidate a cache if something specific happens?	21:25
*** Guest88498 is now known as tsymanczyk		21:25
lbragstad	like "i'm going to add a new endpoint, so call this trigger that invalidates the endpoint cache?"	21:25
*** ayoung has quit IRC		21:25
*** ankita_wagh has quit IRC		21:27
*** thiagop_afk has quit IRC		21:28
*** stevemar has quit IRC		21:28
dstanek	lbragstad: not really triggers	21:29
dstanek	lbragstad: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/resource/core.py#n224	21:30
lbragstad	dstanek: sorry, triggers probably isn't the right word, do we have a way of invoking an invalid cache if we change stuff?	21:30
*** dguerri` is now known as dguerri		21:30
lbragstad	ah... interesting	21:30
lbragstad	I was wondering what those were!	21:31
lbragstad	dstanek: and .invalidate() is a cache thing?	21:31
*** dguerri is now known as dguerri`		21:31
dstanek	lbragstad: i believe that dogpile adds that on there	21:31
*** pnavarro has quit IRC		21:31
dstanek	lbragstad: it talks about it here: http://dogpilecache.readthedocs.org/en/latest/api.html	21:32
lbragstad	dstanek: nice, thank you -- http://dogpilecache.readthedocs.org/en/latest/api.html#dogpile.cache.region.CacheRegion.invalidate	21:34
openstackgerrit	Merged openstack/keystone: Test v2 tokens being deleted by v3 https://review.openstack.org/201738	21:34
lbragstad	dstanek: makes sense, so the test that is failing for me isn't because of not invalidating the cache because it looks like we already do that, which is a good thing	21:36
lbragstad	https://github.com/openstack/keystone/blob/master/keystone/catalog/core.py#L250	21:37
dstanek	lbragstad: is the cache actually caching durign the tests?	21:37
lbragstad	dstanek: it must be	21:37
lbragstad	dstanek: i could skip that test if caching it enable d	21:37
lbragstad	dstanek: because I think that is related to the templated backend	21:37
*** sigmavirus24 is now known as sigmavirus24_awa		21:38
dstanek	lbragstad: hmmm... i thought during test we used a cache backend that didn't actually cache	21:41
lbragstad	dstanek: I'm not sure, but the failing assertion of the tests looks like its caching	21:41
dstanek	well that's a bummer :-(	21:41
lbragstad	dstanek: http://cdn.pasteraw.com/3asqlld0xqo3rat38t9g5w5qdifh6zn	21:42
*** doug-fish has quit IRC		21:42
*** doug-fish has joined #openstack-keystone		21:42
dstanek	lbragstad: i'll have to look into this more when i get home .. .going to be leaving for the Browns game in a bit	21:44
*** edmondsw has quit IRC		21:44
dstanek	lbragstad: i thought http://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/unit/ksfixtures/cache.py was to enable caching only for certain tests.	21:44
lbragstad	dstanek: no worries, it's not a really big deal, I was more or less curious	21:44
dstanek	maybe that got turned on somehow	21:44
*** tjcocozz__ has quit IRC		21:46
lbragstad	possibly	21:46
*** doug-fish has quit IRC		21:46
*** alejandrito has quit IRC		21:49
*** bapalm has quit IRC		21:49
*** bapalm has joined #openstack-keystone		21:52
*** alejandrito has joined #openstack-keystone		21:53
*** sigmavirus24_awa is now known as sigmavirus24		21:54
*** henrynash has quit IRC		21:55
openstackgerrit	Lance Bragstad proposed openstack/keystone: Add caching to get_catalog https://review.openstack.org/215212	21:55
*** topol has quit IRC		21:56
*** piyanai has quit IRC		21:56
*** bapalm has quit IRC		21:57
*** geoffarnold has quit IRC		22:01
*** geoffarnold has joined #openstack-keystone		22:02
*** bapalm has joined #openstack-keystone		22:03
*** petertr7 is now known as petertr7_away		22:06
*** bapalm has quit IRC		22:08
*** doug-fish has joined #openstack-keystone		22:14
*** bapalm has joined #openstack-keystone		22:14
*** narengan_ has quit IRC		22:16
*** doug-fish has quit IRC		22:18
*** bapalm has quit IRC		22:19
*** ayoung has joined #openstack-keystone		22:19
*** ChanServ sets mode: +v ayoung		22:19
*** chlong has quit IRC		22:25
*** jecarey has quit IRC		22:28
*** bapalm has joined #openstack-keystone		22:29
*** bapalm has quit IRC		22:34
*** bapalm has joined #openstack-keystone		22:35
*** flwang1 has quit IRC		22:39
*** tomas_c has quit IRC		22:39
roxanaghe	bknudson: for deprecating the admin default endpoint type is this the correct place you suggested to submit the patch? https://review.openstack.org/#/c/215261/	22:40
*** bapalm has quit IRC		22:43
*** bapalm has joined #openstack-keystone		22:43
*** bapalm has quit IRC		22:48
*** btully has quit IRC		22:49
*** bapalm has joined #openstack-keystone		22:51
*** hrou has quit IRC		23:00
*** rm_work is now known as rm_work\|away		23:01
*** jasonsb has quit IRC		23:02
*** jasonsb has joined #openstack-keystone		23:03
*** ayoung has quit IRC		23:03
*** alejandrito has quit IRC		23:06
*** jasonsb has quit IRC		23:07
*** tiny-hands has joined #openstack-keystone		23:07
*** arunkant_ has quit IRC		23:13
*** sigmavirus24 is now known as sigmavirus24_awa		23:18
*** dramakri has joined #openstack-keystone		23:19
*** samuel-dmq has joined #openstack-keystone		23:24
*** zzzeek has quit IRC		23:25
samuel-dmq	gyee, you around ?	23:26
*** r-daneel has quit IRC		23:27
samuel-dmq	dstanek ?	23:27
openstackgerrit	Terry Howe proposed openstack/keystoneauth: Keep a consistent logger name for keystoneauth https://review.openstack.org/212602	23:27
samuel-dmq	dstanek, I am tending to think a small inconsistency when policies get updated could be aceptable	23:28
*** flwang1 has joined #openstack-keystone		23:29
samuel-dmq	dstanek, just need to figure out if this would be really acceptable, wanted to check gyee and morgan's view on that	23:29
samuel-dmq	dstanek, if deployers think we should reduce this inconsistency to about 0 (even when updates occur), we know how to do it already	23:30
samuel-dmq	dstanek, maybe it's a matter of starting simpler, if simpler is acceptable	23:30
*** roxanaghe has quit IRC		23:36
*** ayoung has joined #openstack-keystone		23:37
*** ChanServ sets mode: +v ayoung		23:37
openstackgerrit	Lin Hua Cheng proposed openstack/keystone: Add region_id filter for List Endpoints API https://review.openstack.org/215378	23:43
*** geoffarnold has quit IRC		23:43
*** samuel-dmq has quit IRC		23:51
*** hrou has joined #openstack-keystone		23:55
*** topol has joined #openstack-keystone		23:56
*** ChanServ sets mode: +v topol		23:56

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!