Tuesday, 2015-10-13

openstackgerrit	Jamie Lennox proposed openstack/python-keystoneclient: Make tests run against original client and session https://review.openstack.org/117089	00:03
*** opal has joined #openstack-keystone		00:04
*** btully has quit IRC		00:07
*** geoffarnold has quit IRC		00:08
*** geoffarn_ has joined #openstack-keystone		00:08
*** hrou has joined #openstack-keystone		00:09
*** _hrou_ has quit IRC		00:11
*** dikonoor has joined #openstack-keystone		00:12
*** _hrou_ has joined #openstack-keystone		00:13
*** EinstCrazy has quit IRC		00:14
*** exploreshaifali has quit IRC		00:16
*** hrou has quit IRC		00:16
*** opal has left #openstack-keystone		00:18
*** wwwjfy has joined #openstack-keystone		00:19
*** shadower has quit IRC		00:23
*** shadower has joined #openstack-keystone		00:23
*** stevemar_ has quit IRC		00:25
*** geoffarn_ has quit IRC		00:28
*** geoffarnold has joined #openstack-keystone		00:29
*** stevemar_ has joined #openstack-keystone		00:29
*** ChanServ sets mode: +o stevemar_		00:29
*** gyee has quit IRC		00:31
*** omkarjoshi has joined #openstack-keystone		00:32
*** su_zhang has quit IRC		00:34
*** lhcheng has quit IRC		00:37
*** annasort has quit IRC		00:42
jamielennox	stevemar_: super simple: https://review.openstack.org/#/c/224407/	00:43
*** omkarjoshi has quit IRC		00:45
stevemar_	jamielennox: how did you know i'm on :O	00:46
jamielennox	stevemar_: experience	00:47
stevemar_	jamielennox: true that	00:48
*** tobe has joined #openstack-keystone		00:49
*** csoukup has joined #openstack-keystone		00:49
*** geoffarnold has quit IRC		00:50
*** geoffarnold has joined #openstack-keystone		00:50
*** pumaranikar has joined #openstack-keystone		00:51
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/233820	00:52
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystoneauth: Updated from global requirements https://review.openstack.org/233876	00:52
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements https://review.openstack.org/233821	00:53
*** gildub has quit IRC		00:53
*** csoukup has quit IRC		00:54
*** yuwen has joined #openstack-keystone		00:58
*** EinstCrazy has joined #openstack-keystone		00:59
*** btully has joined #openstack-keystone		01:01
openstackgerrit	OpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/233886	01:02
*** btully has quit IRC		01:05
*** woodster_ has quit IRC		01:09
*** browne has quit IRC		01:10
*** hrou has joined #openstack-keystone		01:10
*** wwwjfy_ has joined #openstack-keystone		01:10
*** wwwjfy has quit IRC		01:11
*** geoffarn_ has joined #openstack-keystone		01:11
*** geoffarnold has quit IRC		01:12
*** _hrou_ has quit IRC		01:13
*** gildub has joined #openstack-keystone		01:27
*** su_zhang has joined #openstack-keystone		01:32
*** geoffarn_ has quit IRC		01:33
*** geoffarnold has joined #openstack-keystone		01:33
yuwen	I config the keystone as IDP with idp_sso_endpoint=http://10.111.131.83:5000/v3/OS-FEDERATION/saml2/sso , but it returns {"error": {"message": "\u627e\u4e0d\u5230\u8be5\u8d44\u6e90\u3002", "code": 404, "title": "Not Found"}}	01:43
*** davechen has joined #openstack-keystone		01:45
*** omkarjoshi has joined #openstack-keystone		01:46
*** jasonsb_ has quit IRC		01:47
*** omkarjoshi has quit IRC		01:50
*** stevemar_ has quit IRC		01:53
*** john5223 is now known as zz_john5223		01:55
morgan	stevemar_: cause ptl things. That is how jamielennox knew	01:56
*** yuwen has quit IRC		01:56
*** wwwjfy_ has quit IRC		02:08
*** iurygregory has quit IRC		02:10
*** iurygregory has joined #openstack-keystone		02:10
*** yuwen has joined #openstack-keystone		02:15
*** geoffarnold has quit IRC		02:15
*** geoffarnold has joined #openstack-keystone		02:15
*** lhcheng has joined #openstack-keystone		02:22
*** ChanServ sets mode: +v lhcheng		02:22
davechen	lhcheng: hey, are you here?	02:22
lhcheng	davechen: hey	02:23
lhcheng	just pm'd you :)	02:23
*** browne has joined #openstack-keystone		02:26
*** links has joined #openstack-keystone		02:28
*** dims_ has quit IRC		02:28
*** ngupta has joined #openstack-keystone		02:30
*** geoffarnold has quit IRC		02:36
*** su_zhang has quit IRC		02:36
*** geoffarnold has joined #openstack-keystone		02:36
*** dims__ has joined #openstack-keystone		02:41
*** stevemar_ has joined #openstack-keystone		02:42
*** ChanServ sets mode: +o stevemar_		02:42
*** btully has joined #openstack-keystone		02:49
*** richm has quit IRC		02:50
*** btully has quit IRC		02:53
*** geoffarnold has quit IRC		02:57
*** geoffarnold has joined #openstack-keystone		02:58
*** dims__ has quit IRC		02:59
davechen	rodrigods: hey, are you here?	03:00
*** hrou has quit IRC		03:03
*** wwwjfy_ has joined #openstack-keystone		03:12
stevemar_	bknudson: still around?	03:26
openstackgerrit	Steve Martinelli proposed openstack/keystone: switch to oslo.cache https://review.openstack.org/195873	03:31
*** jasonsb_ has joined #openstack-keystone		03:31
stevemar_	jamielennox: payback! https://review.openstack.org/#/c/195873/	03:34
davechen	stevemar_, jamielennox: help me pls,	03:34
jamielennox	stevemar_: they are not equivalent!	03:34
stevemar_	davechen: whats up?	03:34
stevemar_	jamielennox: yeah :(	03:34
davechen	stevemar_, jamielennox: I am trying to enable k-k federation.	03:34
davechen	but i persistent encounter this exception "Could not find Identity Provider identifier in environment"	03:35
stevemar_	jamielennox: this one is a bit of a doozy, but it's just a lot of ripping things out	03:35
stevemar_	hmm	03:35
davechen	seem like it looks for "Shib-Identity-Provider::keystone-idp" in the assertion.	03:35
davechen	but Shib-Identity-Provider is missing in the assertion, how can i do the trouble shooting?	03:36
stevemar_	davechen: what value do you have under [federation] remote_id_attribute (in keystone.conf)	03:38
davechen	let me check	03:38
davechen	remote_id_attribute = Shib-Identity-Provider	03:38
stevemar_	and in your remote keystone, you created the identity provider and set remote-id = keystone-idp?	03:39
stevemar_	davechen: try adding something like this to your configs: https://gist.github.com/stevemart/585f932a5c526c375396#file-liberty_and_keystone-sh-L166	03:39
*** roxanaghe has quit IRC		03:39
davechen	http://paste.openstack.org/show/476080/	03:39
*** spandhe has quit IRC		03:39
*** lhcheng has quit IRC		03:40
davechen	stevemar_: i saw there might some issue in my shibboleth2.xml	03:40
stevemar_	but for you it would be osmething like `SetEnv Shib-Identity-Provider keystone-idp`	03:40
*** dikonoor has quit IRC		03:41
davechen	stevemar_: does this line in the shibboleth2.xml matter? "<ApplicationOverride id="keystone-idp" entityID="http://10.239.48.36/Shibboleth.sso/SAML2/ECP">"	03:43
davechen	not sure what the value i should give for entityID field here	03:43
davechen	do you have a workable shibboleth2.xml?	03:44
stevemar_	davechen: i dont think that value matters in shibboleth2.xml	03:47
stevemar_	davechen: not at the moment :(	03:47
stevemar_	davechen: try setting those env. vars. in apache config, i think that might get you a bit farther	03:48
*** ngupta has quit IRC		03:50
davechen	stevemar_: if i set entityID in apache config, how should i set it?	03:51
davechen	stevemar_: i am get a litter farther, the excetpion is " Incoming identity provider identifier not included among the accepted identifiers" :)	03:53
davechen	let me digging into this.	03:53
davechen	stevemar_: could you pls take a loot at this (http://paste.openstack.org/show/476081/)?	03:53
davechen	i just define my sp id as "keystone-sp", is it acceptable?	03:54
davechen	just got confused about so many id / entity id in the conf.	03:55
stevemar_	davechen: yeah, it's definitely not easy to track	03:55
stevemar_	davechen: that looks fine to me	03:55
davechen	somewhere it says it a url while other place it says it is a ID.	03:55
jamielennox	stevemar_: basic comment: https://review.openstack.org/#/c/195873/	03:55
stevemar_	jamielennox: maintain it because it was listed as a driver https://github.com/openstack/keystone/blob/master/etc/keystone.conf.sample#L326	03:58
*** links has quit IRC		03:58
*** dims__ has joined #openstack-keystone		03:59
stevemar_	jamielennox: ready for 3 more? hehe	04:00
stevemar_	sadly, none are easy breezy	04:01
jamielennox	stevemar_: oh, yea - i misread, thought common was from openstack.common	04:01
stevemar_	but all are non-contentious	04:01
jamielennox	th other was the point though, should create a keystone.common create_memoize thing	04:01
openstackgerrit	Merged openstack/keystonemiddleware: Updated from global requirements https://review.openstack.org/233821	04:01
stevemar_	jamielennox: yeah, i'll post it as a follow on soon when i have time again	04:02
jamielennox	stevemar_: is oslo cache going to be useful for auth_token?	04:02
stevemar_	jamielennox: i think so, the nova folks added some other bcakends	04:03
jamielennox	i'm mostly worried about the CONF tie in	04:03
*** su_zhang has joined #openstack-keystone		04:03
stevemar_	jamielennox: i think https://github.com/openstack/oslo.cache/blob/master/oslo_cache/backends/dictionary.py and https://github.com/openstack/keystonemiddleware/blob/aba3846d8cec3eeff03c7996e7afe81315f4a4d0/keystonemiddleware/openstack/common/memorycache.py are analogous	04:04
stevemar_	jamielennox: if you're brave enough: https://review.openstack.org/#/c/214775/ i followed your lead there	04:04
jamielennox	stevemar_: i am _not_ replacing memorycache, i'm killing it as fast as i can	04:04
stevemar_	hehe	04:05
davechen	It's "Could not map user while setting ephemeral user identity", anyway the previous issue has gone :-D	04:05
davechen	stevemar_, thanks a lot!	04:05
jamielennox	oh, nice	04:05
stevemar_	jamielennox: theres this last one too: https://review.openstack.org/#/c/231123/	04:05
*** dims__ has quit IRC		04:06
stevemar_	davechen: i'd ask you to review too, but you are deep in federation code :)	04:06
stevemar_	you might not ever emerge :O	04:06
davechen	will continue my investiagtion after lunch. stevemar_, jamielennox ^^	04:06
stevemar_	davechen: good luck! enjoy lunch :)	04:06
davechen	stevemar_: sure, i will read your code then.	04:07
davechen	must be fun and learn more from it.	04:07
stevemar_	davechen: take your time, mine is boring and just moving things around :P	04:07
davechen	stevemar_: nah, the reason behind it is not boring. :)	04:09
*** davechen is now known as davechen_afk		04:09
openstackgerrit	Merged openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/233886	04:09
openstackgerrit	Merged openstack/keystoneauth: Updated from global requirements https://review.openstack.org/233876	04:12
*** jaosorior has joined #openstack-keystone		04:15
*** opal has joined #openstack-keystone		04:18
*** jasonsb_ has quit IRC		04:19
jamielennox	stevemar_: you're missing migrations from the federation one	04:19
*** geoffarn_ has joined #openstack-keystone		04:23
*** geoffarnold has quit IRC		04:24
*** lhcheng has joined #openstack-keystone		04:27
*** ChanServ sets mode: +v lhcheng		04:27
*** dobson has quit IRC		04:30
stevemar_	jamielennox: was going to do that in another patch? isn't that how you did the endpoint policy one?	04:30
*** opal has left #openstack-keystone		04:30
jamielennox	stevemar_: yea i did i just didn't see it as a dep	04:31
openstackgerrit	Steve Martinelli proposed openstack/keystone: Remove bas64utils and tests https://review.openstack.org/233929	04:34
*** jaosorior has quit IRC		04:34
stevemar_	jamielennox: i can whip that up, didn't think it was a show stopper	04:34
stevemar_	jamielennox: i promise, an easy one this time: https://review.openstack.org/#/c/233929/	04:35
*** dobson has joined #openstack-keystone		04:36
jamielennox	stevemar_: i've been out of this code too long	04:37
jamielennox	wtf is an initiator	04:37
stevemar_	jamielennox: its all good, you can skip that one ;P	04:37
stevemar_	jamielennox: dstanek and lbragstad can handle it	04:38
stevemar_	hehe	04:38
*** btully has joined #openstack-keystone		04:38
*** urulama_ has joined #openstack-keystone		04:39
openstackgerrit	Steve Martinelli proposed openstack/keystone: Move federation extension into keystone core https://review.openstack.org/214775	04:40
*** urulama has quit IRC		04:41
stevemar_	gerrit is so slow today	04:41
*** jaosorior has joined #openstack-keystone		04:42
*** roxanaghe has joined #openstack-keystone		04:43
*** geoffarnold has joined #openstack-keystone		04:44
*** geoffarn_ has quit IRC		04:44
*** roxanaghe has quit IRC		04:56
*** links has joined #openstack-keystone		05:06
*** su_zhang has quit IRC		05:06
*** jaosorior has quit IRC		05:10
*** jaosorior has joined #openstack-keystone		05:10
*** su_zhang has joined #openstack-keystone		05:11
stevemar_	morgan: eventually i want your opinion on https://bugs.launchpad.net/keystone/+bug/1504686	05:14
openstack	Launchpad bug 1504686 in Keystone "Keystone errors on token requests for users in recreated tenants when using memcache" [Undecided,New]	05:14
*** urulama_ is now known as urulama		05:18
*** geoffarnold has quit IRC		05:19
*** geoffarnold has joined #openstack-keystone		05:19
morgan	Invalid	05:21
morgan	Recreated tenant = new id, all tokens are for the oldnid	05:21
morgan	Old id*	05:21
morgan	Deletion of a tenant should trigger a cache invalidate	05:22
morgan	But the memcache has to be shared	05:22
openstackgerrit	Steve Martinelli proposed openstack/keystone: add placeholder migrations for liberty https://review.openstack.org/233943	05:23
morgan	You can't have split cache and assume one keystone can invalidate another keystone's cache	05:23
*** davechen_afk is now known as davechen		05:23
stevemar_	morgan: ^	05:23
stevemar_	morgan: ahh	05:23
morgan	How does keystone "a" know how to invalidate keystone "b"'s independent memcache	05:24
stevemar_	i figured you knew the answer :)	05:24
morgan	Memcache is assumed to be a shared reaource. There are ways around it but it's going to be icccccky	05:24
stevemar_	morgan: are you going to write that in the bug, or want me to do it?	05:25
morgan	I am not going to tonight ;)	05:25
morgan	Feel free to paraphrase or remind me tomorrow	05:25
morgan	Either works for me	05:26
stevemar_	i'll paraphrase and include you on the report	05:26
morgan	Sounds good	05:26
*** su_zhang has quit IRC		05:26
*** Nirupama has joined #openstack-keystone		05:31
stevemar_	morgan: lol at jamielennox's last comment here: https://review.openstack.org/#/c/171916/13	05:32
*** lhcheng has quit IRC		05:33
morgan	I dont see a comment from jamielennox ?	05:34
morgan	Ah nvm	05:34
*** lhcheng has joined #openstack-keystone		05:34
*** ChanServ sets mode: +v lhcheng		05:34
morgan	Bad render	05:34
jamielennox	stevemar_: ugh	05:36
jamielennox	saving for mitaka was probably an ok strategy	05:37
jamielennox	although it looks like i wrote the first one not long after liberyu	05:37
stevemar_	jamielennox: we'll get them all in this time :P	05:38
stevemar_	jamielennox: https://review.openstack.org/233943 needs to go in first, then we can get your patch in	05:38
morgan	stevemar_: ooooooooooooh snaaaaaaaap. Migration placeholders	05:38
* morgan might be a little punchy		05:39
*** wwwjfy_ has quit IRC		05:39
* morgan also does the "i get a new bicycle tomorrow" dance		05:39
stevemar_	jamielennox: morgan for something that has >1 migration, like federation, do we just create one script to create the equivalent of 006 or 007 of the extension migration?	05:39
*** tobe has quit IRC		05:39
*** geoffarnold has quit IRC		05:40
stevemar_	morgan: i'll allow it	05:40
morgan	stevemar_: i think so	05:40
*** geoffarnold has joined #openstack-keystone		05:40
stevemar_	morgan: does this new bike cost as much as a down payment on a house again?	05:40
* stevemar_ jokes		05:41
jamielennox	stevemar_: approved	05:42
jamielennox	morgan: oo, bike	05:42
morgan	stevemar_: $2800 USD or so	05:42
morgan	Maybe it was $2500	05:43
morgan	It is a gravel/fire trail/light off road bike	05:43
morgan	(No suspension) vs a xc MTB	05:43
morgan	I'll get an xc/full suspension mtb next year sometime	05:44
morgan	But the trails I want to ride, less fun on an MTB (read: less adrenaline/boring)	05:45
stevemar_	jamielennox: morgan ty!	05:46
stevemar_	jamielennox: morgan d'oh our gate it still busted until we release ksc and ksm	05:46
*** pumaranikar has quit IRC		05:46
morgan	So release em tomorrow!	05:46
stevemar_	morgan: your biking frightens me, do not crash into things	05:46
stevemar_	morgan: patches are already in flight, just need approval! https://review.openstack.org/#/c/233761/ and https://review.openstack.org/#/c/233763/	05:47
morgan	Let slip the hogs... And to the races we go. Bet everything on snake eyes, and spin red	05:48
morgan	Or uh.. Maybe a car metaphor instead?	05:48
morgan	stevemar_: i got a cyclocross bike ;)	05:49
morgan	Now have a road bike, tri bike, cx. Just need a MTB and then a second road bike (for training duh) to have a complete stable :P	05:50
stevemar_	tri-bike?!	05:54
jamielennox	stevemar_: tricycle	05:54
morgan	https://usercontent.irccloud-cdn.com/file/TcjxTaVK/IMG_0550.JPG	05:56
morgan	stevemar_: ^ as an example	05:56
morgan	Triathlon bike	05:56
morgan	That one is way cooler than mine though.	05:56
morgan	Cause Felt > other bike makers.	05:56
stevemar_	morgan: jamielennox i'm glad it's not http://i.imgur.com/LqIySh4.jpg	06:00
stevemar_	apparently there are adult versions?!	06:01
stevemar_	i would avoid those too	06:02
stevemar_	my battery is about to die, so gn morgan and jamielennox	06:02
stevemar_	see you on the flip side tomorrow	06:02
*** stevemar_ has quit IRC		06:03
jamielennox	stevemar_: good night	06:03
*** dims__ has joined #openstack-keystone		06:03
*** jtomasek has joined #openstack-keystone		06:06
*** dims__ has quit IRC		06:09
*** links has quit IRC		06:20
*** wwwjfy_ has joined #openstack-keystone		06:20
*** openstack has joined #openstack-keystone		06:27
*** tsufiev has joined #openstack-keystone		06:29
*** StoneZhang has joined #openstack-keystone		06:29
*** ParsectiX has joined #openstack-keystone		06:42
*** geoffarnold has quit IRC		06:44
*** geoffarnold has joined #openstack-keystone		06:44
*** gildub has quit IRC		06:46
*** tsymancz4k has quit IRC		06:49
*** e0ne has joined #openstack-keystone		06:58
*** e0ne has quit IRC		06:59
*** wwwjfy_ has quit IRC		07:00
*** wwwjfy_ has joined #openstack-keystone		07:01
*** dims__ has joined #openstack-keystone		07:05
openstackgerrit	Merged openstack/keystonemiddleware: Remove unused group parameter from tests https://review.openstack.org/223679	07:09
*** omkarjoshi has joined #openstack-keystone		07:10
*** dims__ has quit IRC		07:10
*** exploreshaifali has joined #openstack-keystone		07:11
*** omkarjoshi has quit IRC		07:11
*** links has joined #openstack-keystone		07:13
*** e0ne has joined #openstack-keystone		07:16
*** btully has quit IRC		07:16
*** tsymanczyk has joined #openstack-keystone		07:18
*** tsymanczyk is now known as Guest4816		07:18
*** exploreshaifali has quit IRC		07:20
*** geoffarn_ has joined #openstack-keystone		07:27
*** geoffarnold has quit IRC		07:31
yuwen	does keystone support oauth2 ？	07:41
yuwen	I find the project https://github.com/ging/keystone-oauth2-extension.git	07:42
*** henrynash has quit IRC		07:43
*** e0ne has quit IRC		07:44
*** fhubik has joined #openstack-keystone		07:44
*** henrynash has joined #openstack-keystone		07:46
*** ChanServ sets mode: +v henrynash		07:46
yuwen	zzzz	07:47
*** henrynash has quit IRC		07:48
*** henrynash has joined #openstack-keystone		07:48
*** geoffarn_ has quit IRC		07:48
*** ChanServ sets mode: +v henrynash		07:48
*** geoffarnold has joined #openstack-keystone		07:48
*** henrynash has quit IRC		07:50
*** browne has quit IRC		07:50
*** jistr has joined #openstack-keystone		08:03
*** btully has joined #openstack-keystone		08:04
davechen	yuwen: no idea, just saw auth1 from code base, didn't notice something about auth2.	08:05
*** dims__ has joined #openstack-keystone		08:06
*** links has quit IRC		08:08
*** geoffarnold has quit IRC		08:09
*** btully has quit IRC		08:09
*** geoffarnold has joined #openstack-keystone		08:10
*** dims__ has quit IRC		08:11
*** lsmola_ has joined #openstack-keystone		08:11
*** links has joined #openstack-keystone		08:17
*** svasheka has joined #openstack-keystone		08:18
*** links has quit IRC		08:24
yuwen	davechen： do you try k2k federation with saml?	08:24
marekd	yuwen: k2k is only with saml2	08:24
yuwen	oh, yes, saml2	08:25
yuwen	but, i config the idp_sso_endpoint = http://10.111.131.83:5000/v3/OS-FEDERATION/saml2/sso ， when sp calls the url， it return 404	08:26
marekd	yuwen: k2k is not a fully fledged IdP	08:26
marekd	it's not a replacement for Shiboleth IdP or Microsoft ADFS	08:26
marekd	it's scope is somehow limited	08:26
yuwen	you mean we can't use keystone as a web sso IDP?	08:29
marekd	yuwen: for instance.	08:29
davechen	yuwen: i am still trying... sigh!	08:30
yuwen	I have a java sp, and i want to use keystone as IDP to LDAP, how to integrate the java SP to keystone IDP	08:31
davechen	marekd: hi, expert of federation	08:31
marekd	davechen: #FederationPTL :D	08:31
marekd	davechen: what's up?	08:31
davechen	marekd: totally agree!	08:31
davechen	:)	08:31
marekd	davechen: totally not true :-)	08:31
*** links has joined #openstack-keystone		08:31
davechen	marekd: i think i am a jurk	08:31
marekd	im too young to die in the oceans of PTLism.	08:32
marekd	davechen: what's wrong?	08:32
davechen	marked: still have some issue with enable k-k federation.	08:32
davechen	but i think i am quite close.	08:32
marekd	davechen: yes, where did you stuck ?	08:32
davechen	blocked by this, "Could not map user while setting ephemeral user identity"	08:33
davechen	i am followed by the guide, and seems the configuration is oaky now.	08:33
marekd	davechen: this is error from the SP, right?	08:33
davechen	yeah,	08:34
marekd	davechen: what are your mapping rules?	08:34
davechen	similar as this,	08:34
davechen	{	08:34
davechen	"mapping": {	08:34
davechen	"rules": [	08:34
davechen	{	08:34
*** davechen has quit IRC		08:34
*** openstack has joined #openstack-keystone		08:46
*** cameron.freenode.net sets mode: +ns		08:46
*** cameron.freenode.net sets mode: -o openstack		08:47
-cameron.freenode.net- *** Notice -- TS for #openstack-keystone changed from 1444725985 to 1377384024		08:47
*** cameron.freenode.net sets mode: +cgt-s		08:47
*** links has joined #openstack-keystone		08:47
*** hideme_ has joined #openstack-keystone		08:47
*** pumaranikar has joined #openstack-keystone		08:47
*** davechen has joined #openstack-keystone		08:47
*** svasheka has joined #openstack-keystone		08:47
*** lsmola_ has joined #openstack-keystone		08:47
*** geoffarnold has joined #openstack-keystone		08:47
*** jistr has joined #openstack-keystone		08:47
*** fhubik has joined #openstack-keystone		08:47
*** Guest4816 has joined #openstack-keystone		08:47
*** wwwjfy_ has joined #openstack-keystone		08:47
*** ParsectiX has joined #openstack-keystone		08:47
*** StoneZhang has joined #openstack-keystone		08:47
*** tsufiev has joined #openstack-keystone		08:47
*** urulama has joined #openstack-keystone		08:47
*** nkinder has joined #openstack-keystone		08:47
*** jimbaker has joined #openstack-keystone		08:47
*** telemonster has joined #openstack-keystone		08:47
*** alex_xu has joined #openstack-keystone		08:47
*** zzzeek has joined #openstack-keystone		08:47
*** daemontool_ has joined #openstack-keystone		08:47
*** jtomasek has joined #openstack-keystone		08:47
*** Nirupama has joined #openstack-keystone		08:47
*** jaosorior has joined #openstack-keystone		08:47
*** dobson has joined #openstack-keystone		08:47
*** yuwen has joined #openstack-keystone		08:47
*** iurygregory has joined #openstack-keystone		08:47
*** EinstCrazy has joined #openstack-keystone		08:47
*** shadower has joined #openstack-keystone		08:47
*** tsymancz2k has joined #openstack-keystone		08:47
*** david-lyle has joined #openstack-keystone		08:47
*** briancurtin has joined #openstack-keystone		08:47
*** zhiyan has joined #openstack-keystone		08:47
*** serverascode has joined #openstack-keystone		08:47
*** ctracey has joined #openstack-keystone		08:47
*** jraim has joined #openstack-keystone		08:47
*** nzeer has joined #openstack-keystone		08:47
*** harlowja has joined #openstack-keystone		08:47
*** arunkant has joined #openstack-keystone		08:47
*** chrisshattuck has joined #openstack-keystone		08:47
*** amit213 has joined #openstack-keystone		08:47
*** BAKfr has joined #openstack-keystone		08:47
*** breton has joined #openstack-keystone		08:47
*** krotscheck has joined #openstack-keystone		08:47
*** brad[] has joined #openstack-keystone		08:47
*** alexpro has joined #openstack-keystone		08:47
*** rha has joined #openstack-keystone		08:47
*** markvoelker has joined #openstack-keystone		08:47
*** Daviey has joined #openstack-keystone		08:47
*** andreykurilin has joined #openstack-keystone		08:47
*** chlong has joined #openstack-keystone		08:47
*** kurtrao has joined #openstack-keystone		08:47
*** rm_work has joined #openstack-keystone		08:47
*** mjb has joined #openstack-keystone		08:47
*** tsufiev_ has joined #openstack-keystone		08:47
*** amakarov_away has joined #openstack-keystone		08:47
*** ayoung has joined #openstack-keystone		08:47
*** afazekas has joined #openstack-keystone		08:47
*** mordred has joined #openstack-keystone		08:47
*** pkarikh has joined #openstack-keystone		08:47
*** lifeless has joined #openstack-keystone		08:47
*** akscram has joined #openstack-keystone		08:47
*** chmouel has joined #openstack-keystone		08:47
*** jdennis has joined #openstack-keystone		08:47
*** Kennan2 has joined #openstack-keystone		08:47
*** jamielennox has joined #openstack-keystone		08:47
*** hogepodge has joined #openstack-keystone		08:47
*** cburgess has joined #openstack-keystone		08:47
*** mancdaz has joined #openstack-keystone		08:47
*** errr has joined #openstack-keystone		08:47
*** SamYaple has joined #openstack-keystone		08:47
*** bknudson has joined #openstack-keystone		08:47
*** blogan has joined #openstack-keystone		08:47
*** andreaf has joined #openstack-keystone		08:47
*** arif-ali has joined #openstack-keystone		08:47
*** HenryG has joined #openstack-keystone		08:47
*** boris-42 has joined #openstack-keystone		08:47
*** flaper87 has joined #openstack-keystone		08:47
*** d0ugal has joined #openstack-keystone		08:47
*** kragniz has joined #openstack-keystone		08:47
*** boltR has joined #openstack-keystone		08:47
*** marekd has joined #openstack-keystone		08:47
*** mitz_ has joined #openstack-keystone		08:47
*** david8hu has joined #openstack-keystone		08:47
*** miguelgrinberg has joined #openstack-keystone		08:47
*** mfisch has joined #openstack-keystone		08:47
*** thiagop has joined #openstack-keystone		08:47
*** florianf\|away has joined #openstack-keystone		08:47
*** jrist has joined #openstack-keystone		08:47
*** ericksonsantos has joined #openstack-keystone		08:47
*** cameron.freenode.net sets mode: +vvv ayoung jamielennox bknudson		08:47
*** jlk has joined #openstack-keystone		08:47
*** agireud has joined #openstack-keystone		08:47
*** njohnston has joined #openstack-keystone		08:47
*** mtreinish has joined #openstack-keystone		08:47
*** uiyice has joined #openstack-keystone		08:47
*** morgan has joined #openstack-keystone		08:47
*** tristanC has joined #openstack-keystone		08:47
*** haneef__ has joined #openstack-keystone		08:47
*** gsilvis has joined #openstack-keystone		08:47
*** freerunner has joined #openstack-keystone		08:47
*** openstackgerrit has joined #openstack-keystone		08:47
*** andrewbogott has joined #openstack-keystone		08:47
*** jamiec has joined #openstack-keystone		08:47
*** dhellmann has joined #openstack-keystone		08:47
*** x58 has joined #openstack-keystone		08:47
*** petertr7_away has joined #openstack-keystone		08:47
*** martinus__ has joined #openstack-keystone		08:47
*** jbonjean has joined #openstack-keystone		08:47
*** trey has joined #openstack-keystone		08:47
*** sudorandom has joined #openstack-keystone		08:47
*** mgagne has joined #openstack-keystone		08:47
*** dtroyer has joined #openstack-keystone		08:47
*** Guest68187 has joined #openstack-keystone		08:47
*** hockeynut has joined #openstack-keystone		08:47
*** jacorob has joined #openstack-keystone		08:47
*** comstud has joined #openstack-keystone		08:47
*** lbragstad has joined #openstack-keystone		08:47
*** dolphm has joined #openstack-keystone		08:47
*** d34dh0r53 has joined #openstack-keystone		08:47
*** eglute has joined #openstack-keystone		08:47
*** sigmavirus24_awa has joined #openstack-keystone		08:47
*** gus has joined #openstack-keystone		08:47
*** rharwood has joined #openstack-keystone		08:47
*** tonyb has joined #openstack-keystone		08:47
*** zigo has joined #openstack-keystone		08:47
*** cloudnull has joined #openstack-keystone		08:47
*** Nakato has joined #openstack-keystone		08:47
*** wolsen has joined #openstack-keystone		08:47
*** wasmum has joined #openstack-keystone		08:47
*** ekarlso has joined #openstack-keystone		08:47
*** _fortis has joined #openstack-keystone		08:47
*** charz has joined #openstack-keystone		08:47
*** redrobot has joined #openstack-keystone		08:47
*** baffle has joined #openstack-keystone		08:47
*** SpamapS has joined #openstack-keystone		08:47
*** cameron.freenode.net sets mode: +vo morgan dolphm		08:47
*** Madkiss has joined #openstack-keystone		08:47
*** jmccrory has joined #openstack-keystone		08:47
*** raildo-afk has joined #openstack-keystone		08:47
*** zeus has joined #openstack-keystone		08:47
*** dgonzalez has joined #openstack-keystone		08:47
*** Dave has joined #openstack-keystone		08:47
*** rdo has joined #openstack-keystone		08:47
*** clayton has joined #openstack-keystone		08:47
*** odyssey4me has joined #openstack-keystone		08:47
*** pgbridge has joined #openstack-keystone		08:47
*** ChanServ has joined #openstack-keystone		08:47
*** hughsaunders has joined #openstack-keystone		08:47
*** toddnni has joined #openstack-keystone		08:47
*** crinkle has joined #openstack-keystone		08:47
*** med_ has joined #openstack-keystone		08:47
*** tellesnobrega_af has joined #openstack-keystone		08:47
*** zz_john5223 has joined #openstack-keystone		08:47
*** jlvillal has joined #openstack-keystone		08:47
*** sileht has joined #openstack-keystone		08:47
*** grantbow has joined #openstack-keystone		08:47
*** esp has joined #openstack-keystone		08:47
*** tjcocozz has joined #openstack-keystone		08:47
*** htruta has joined #openstack-keystone		08:47
*** mhu has joined #openstack-keystone		08:47
*** bapalm has joined #openstack-keystone		08:47
*** BrAsS_mO- has joined #openstack-keystone		08:47
*** sirushti has joined #openstack-keystone		08:47
*** jgriffith has joined #openstack-keystone		08:47
*** rvba has joined #openstack-keystone		08:47
*** darrenc has joined #openstack-keystone		08:47
*** timburke has joined #openstack-keystone		08:47
*** samueldmq has joined #openstack-keystone		08:47
*** ramishra has joined #openstack-keystone		08:47
*** josecastroleon has joined #openstack-keystone		08:47
*** anteaya has joined #openstack-keystone		08:47
*** gerhardqux has joined #openstack-keystone		08:47
*** bigjools has joined #openstack-keystone		08:47
*** opilotte has joined #openstack-keystone		08:47
*** EmilienM has joined #openstack-keystone		08:47
*** goodygum has joined #openstack-keystone		08:47
*** notmyname has joined #openstack-keystone		08:47
*** raginbajin has joined #openstack-keystone		08:47
*** rmstar has joined #openstack-keystone		08:47
*** lars1 has joined #openstack-keystone		08:47
*** rodrigods has joined #openstack-keystone		08:47
*** cameron.freenode.net sets mode: +o ChanServ		08:47
*** hugokuo has joined #openstack-keystone		08:47
*** kfjohnson has joined #openstack-keystone		08:47
*** pc-pothole has joined #openstack-keystone		08:47
*** nonameentername has joined #openstack-keystone		08:47
*** jasondotstar has joined #openstack-keystone		08:47
*** mkoderer has joined #openstack-keystone		08:47
*** evrardjp has joined #openstack-keystone		08:47
*** dstanek has joined #openstack-keystone		08:47
*** cameron.freenode.net sets mode: +v dstanek		08:47
*** cameron.freenode.net sets mode: +b *!awrbgh@197.123.75.191		08:47
*** cameron.freenode.net sets mode: +qq uvirtbot!@ uvirbot!@		08:47
*** cameron.freenode.net changes topic to "Liberty RC2 is Out \| Mitaka Development Cycle Open \| Great Job Everyone"		08:47
*** kiran-r has joined #openstack-keystone		08:47
yuwen	davechen， do you success	08:47
samueldmq	davechen: :)	08:49
davechen	yuwen: close.	08:49
yuwen	：）	08:49
*** flaper87 has quit IRC		08:51
*** flaper87 has joined #openstack-keystone		08:51
*** geoffarn_ has joined #openstack-keystone		08:52
yuwen	davechen，whats your keystone IDP config steps？	08:53
yuwen	http://docs.openstack.org/developer/keystone/configure_federation.html#keystone-as-an-identity-provider-idp	08:53
yuwen	jus	08:53
yuwen	just follow this guide？	08:53
davechen	yeah,	08:54
*** hideme_ has quit IRC		08:54
*** hideme_ has joined #openstack-keystone		08:54
*** links has quit IRC		08:54
*** links has joined #openstack-keystone		08:54
davechen	you may refer to marekd's scripts.	08:54
davechen	but i am sorry to tell you, it's still fail in my side. :(	08:54
marekd	davechen: where eactly?	08:54
marekd	exactly	08:54
davechen	marekd: the same, just say "Could not map user while setting ephemeral user identity"	08:55
marekd	you sure you changed the correct mapping?	08:55
marekd	try debugging the code with rpdb	08:56
davechen	let me past for you.	08:56
yuwen	should we install Shiboleth module on the keystone IDP host，or keystone IDP need run in apache？	08:56
davechen	marekd: i have pdb it for a long time. :(	08:57
*** geoffarnold has quit IRC		08:57
davechen	marekd: if you don't mind, pls let me paste what i did somewhere, and take you couples of mins to have a look?	08:57
*** marzif has joined #openstack-keystone		08:57
davechen	marekd: i think there is something in my side but i missed it.	08:58
davechen	something wrong*	08:58
marekd	davechen: sure.	09:00
*** exploreshaifali has joined #openstack-keystone		09:03
*** dims__ has joined #openstack-keystone		09:08
*** dims__ has quit IRC		09:13
*** geoffarn_ has quit IRC		09:13
*** geoffarnold has joined #openstack-keystone		09:13
*** links has quit IRC		09:15
davechen	marekd: http://paste.openstack.org/show/476097/	09:16
davechen	some steps i am not quite sure.	09:16
davechen	other is okay.	09:16
*** fhubik has quit IRC		09:17
davechen	yuwen: i think Shiboleth should run on the SP host.	09:18
davechen	and keystone IDP need run in apache.	09:18
yuwen	davechen do your idp_sso_endpoint like this : http://your-keystone-ip:5000/v3/OS-FEDERATION/saml2/sso	09:22
*** pnavarro\|off has joined #openstack-keystone		09:23
davechen	yuwen: where you get this?	09:23
yuwen	and then， if you curl http://your-keystone-ip:5000/v3/OS-FEDERATION/saml2/sso in browser , it will return "error": {"message": "\u627e\u4e0d\u5230\u8be5\u8d44\u6e90\u3002", "code": 404, "title": "Not Found"}}	09:24
davechen	yuwen: i am not do it via brower :)	09:24
davechen	http://10.239.48.36/Shibboleth.sso/SAML2/ECP	09:24
* davechen need do more homework tonight		09:26
*** geoffarnold has quit IRC		09:34
*** geoffarnold has joined #openstack-keystone		09:35
*** EinstCrazy has quit IRC		09:35
*** openstackstatus has joined #openstack-keystone		09:38
*** ChanServ sets mode: +v openstackstatus		09:38
yuwen	davechen, if i integrate a java SP to keystone IDP, I need access via ECP, not via browser?	09:42
-openstackstatus- NOTICE: gerrit is undergoing an emergency restart to investigate load issues		09:42
*** ChanServ changes topic to "gerrit is undergoing an emergency restart to investigate load issues"		09:42
davechen	yuwen: i am just want to try this feature, so i think we have different purpose, pls don't follow me. :)	09:43
davechen	yuwen: i will let you know once i get it done.	09:43
yuwen	many thks	09:44
samueldmq	note: keystone master tests don't pass the gate because of requirements conflicts, I am investigating the issue	09:44
samueldmq	http://logs.openstack.org/43/233943/1/check/gate-keystone-python27/ad5279b/console.html#_2015-10-13_05_30_22_252	09:44
samueldmq	I reproduced the same issue locally	09:44
yuwen	but i have tried k2k some times, maybe you will get my issue , wish you success tonight	09:46
samueldmq	jamielennox: you around ?	09:48
*** dims__ has joined #openstack-keystone		09:49
*** marzif has quit IRC		09:50
*** marzif has joined #openstack-keystone		09:51
jamielennox	samueldmq: not really	09:55
jamielennox	sup?	09:55
openstackgerrit	Dave Chen proposed openstack/keystone: Fix some nits in `configure_federation.rst` https://review.openstack.org/234091	09:55
*** geoffarnold has quit IRC		09:56
*** davechen has left #openstack-keystone		09:56
*** geoffarnold has joined #openstack-keystone		09:56
samueldmq	jamielennox: so, our master is breaking in the gate	09:57
samueldmq	jamielennox: the reason is that our version of 'requests' from ksclient is imcompatible with the version keystone wants	09:58
jamielennox	samueldmq: something to do with requests 2.8	09:58
*** e0ne has joined #openstack-keystone		09:58
samueldmq	jamielennox: I don't know what to do to solve that, maybe a new release of ksclient ?	09:58
jamielennox	it's caused problems for a bunch of projects	09:59
samueldmq	jamielennox: yes, ksserver wnts >=2.5.2!=2.8.0	09:59
samueldmq	jamielennox: but we require ksclient 2.6, which in turn wants requests>=2.5.2 (without !=2.8.0)	09:59
samueldmq	jamielennox: 2.8.0 happens to be instlled from ksclient reqs, and break the world around it	10:00
jamielennox	samueldmq: https://review.openstack.org/#/c/232893/ is the fix for ksc reqs	10:00
jamielennox	samueldmq: there needs to be a ksc release to fix it, which i think was being planned for tomorrow	10:01
jamielennox	for now i'd just recommend blacklisting it	10:01
samueldmq	jamielennox: exactly, we need a new release + update requirements for other projs	10:01
*** openstackgerrit has quit IRC		10:01
*** aix has joined #openstack-keystone		10:01
*** openstackgerrit has joined #openstack-keystone		10:02
jamielennox	that's not something we control any more, it's gotta go via some release process	10:02
jamielennox	i'm leaving that up to stevemar, but it's a known issue and will be fixed soon	10:02
samueldmq	jamielennox: nice, wanted to confirm it was a known issue	10:03
samueldmq	jamielennox: did we release keystone already ? we will probably need to backport it in tht case, otherwise we could be breaking people who just update the server and no the client	10:04
samueldmq	jamielennox: anyway I can talk to stevemar later on this, thanks :)	10:04
jamielennox	samueldmq: we don't really need to release keystone server	10:05
jamielennox	umm, not sure what the policy on backporting requirements are	10:05
jamielennox	i think the requirements should be pinned already	10:06
samueldmq	jamielennox: https://github.com/openstack/keystone/blob/8.0.0.0rc2/requirements.txt#L19	10:06
*** wwwjfy_ has quit IRC		10:06
samueldmq	jamielennox: we need a way to update tht in our last rc once ksclient is released, you agree?	10:06
*** marzif has quit IRC		10:10
*** yuwen has quit IRC		10:11
*** marzif has joined #openstack-keystone		10:11
*** tyagiprince2010 has joined #openstack-keystone		10:13
tyagiprince2010	Hi I need some help with keystone.	10:13
openstackgerrit	Boris Bobrov proposed openstack/keystone: Make @truncated common for all backends https://review.openstack.org/233069	10:15
openstackgerrit	Boris Bobrov proposed openstack/keystone: Use @truncated in ldap https://review.openstack.org/233070	10:15
breton	tyagiprince2010: ask away	10:15
openstackgerrit	Daisuke Fujita proposed openstack/oslo.policy: Fix a typo in policy.py https://review.openstack.org/234110	10:16
tyagiprince2010	I need some info on how keystone is working on the backend. Could you just forward me a link to some page with as much info on keystone as possible.	10:16
tyagiprince2010	<breton>	10:17
*** geoffarn_ has joined #openstack-keystone		10:17
tyagiprince2010	<breton> and also what is keystone-federation.	10:18
*** dims__ is now known as dims		10:18
* tyagiprince2010 slaps breton around a bit with a large fishbot		10:19
tyagiprince2010	sorry for that breton. MISTAKE	10:19
breton	keystone federation: http://docs.openstack.org/developer/keystone/configure_federation.html	10:20
breton	keystone backends: http://docs.openstack.org/developer/keystone/architecture.html	10:20
tyagiprince2010	thanks for that breton.	10:21
*** geoffarnold has quit IRC		10:21
jamielennox	samueldmq: interesting, when it goes stable they generally have upper bounds - it shouldnt matter because the requirements will be managed by keystoneclient	10:25
*** urulama is now known as urulama\|afk		10:28
*** tyagiprince2010 has quit IRC		10:29
*** aix has quit IRC		10:30
samueldmq	jamielennox: sorry, not sure I follow .. you mean capping the requests requirement ? how would tht change anything ?	10:31
*** urulama\|afk is now known as urulama		10:32
jamielennox	samueldmq: i thought they capped everything in stable now and that keystone would just pick it up with everything else	10:36
jamielennox	samueldmq: i'm not exactly sure how we handle that in stable	10:36
*** geoffarn_ has quit IRC		10:38
*** geoffarnold has joined #openstack-keystone		10:38
samueldmq	jamielennox: kk I am not familiar with that too :(	10:39
samueldmq	jamielennox: will take a look later with stevemar, it might be late for you, and I don't want to disturb :)	10:39
*** aix has joined #openstack-keystone		10:42
*** kiran-r has quit IRC		10:43
*** jvarlamova has joined #openstack-keystone		10:50
*** wasmum has quit IRC		10:52
*** edmondsw has joined #openstack-keystone		10:52
*** edmondsw has quit IRC		10:52
*** geoffarnold has quit IRC		10:59
*** geoffarnold has joined #openstack-keystone		11:00
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/233820	11:00
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystoneauth: Updated from global requirements https://review.openstack.org/234130	11:00
*** StoneZhang has quit IRC		11:01
*** marzif has quit IRC		11:01
*** marzif has joined #openstack-keystone		11:02
openstackgerrit	OpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/234140	11:04
*** ChanServ changes topic to "Liberty RC2 is Out \| Mitaka Development Cycle Open \| Great Job Everyone"		11:17
-openstackstatus- NOTICE: Gerrit has been restarted and is responding to normal load again.		11:17
*** urulama has quit IRC		11:17
*** urulama has joined #openstack-keystone		11:18
*** wwwjfy_ has joined #openstack-keystone		11:18
*** geoffarnold has quit IRC		11:21
*** geoffarnold has joined #openstack-keystone		11:21
*** doug-fish has joined #openstack-keystone		11:22
*** marzif has quit IRC		11:29
*** exploreshaifali has quit IRC		11:32
*** jistr is now known as jistr\|biab		11:32
*** gordc has joined #openstack-keystone		11:36
*** geoffarnold has quit IRC		11:42
*** wwwjfy_ has quit IRC		11:43
*** geoffarnold has joined #openstack-keystone		11:43
*** dims has quit IRC		11:47
*** dims has joined #openstack-keystone		11:48
*** wwwjfy_ has joined #openstack-keystone		11:52
*** fhubik has joined #openstack-keystone		12:00
*** amakarov_away is now known as amakarov		12:00
*** e0ne has quit IRC		12:00
*** fhubik is now known as fhubik_brb		12:00
openstackgerrit	Sonali proposed openstack/keystone: Do not rebuild revoke_tree on each validate-token https://review.openstack.org/232715	12:01
*** geoffarnold has quit IRC		12:03
*** fhubik_brb is now known as fhubik		12:04
*** geoffarnold has joined #openstack-keystone		12:04
*** tyagiprince2010 has joined #openstack-keystone		12:05
tyagiprince2010	Hey i just started working with keystone. Please tell me where do I start. Also If I can use any middleware to check whats going on behind keystone.	12:06
tyagiprince2010	Keystone uses tokens for authorization and authentication. I need to use PKI for the same. How do I do that	12:07
tyagiprince2010	Please provide me some documentation on keystone which covers everything from basics.	12:07
*** su_zhang has joined #openstack-keystone		12:13
*** urulama has quit IRC		12:21
*** urulama has joined #openstack-keystone		12:22
*** raildo-afk is now known as raildo		12:24
tyagiprince2010	[17:36] <tyagiprince2010> Hey i just started working with keystone. Please tell me where do I start. Also If I can use any middleware to check whats going on behind keystone. [17:37] <tyagiprince2010> Keystone uses tokens for authorization and authentication. I need to use PKI for the same. How do I do that [17:37] <tyagiprince2010> Please provide me some documentation on keystone which covers everything from basic	12:24
tyagiprince2010	Anyone?	12:24
*** geoffarnold has quit IRC		12:24
tyagiprince2010	Please help me in exploring whole keystone. Atleast put me on the right track.	12:25
*** geoffarnold has joined #openstack-keystone		12:25
*** nicodemos has joined #openstack-keystone		12:31
*** edmondsw has joined #openstack-keystone		12:31
*** pauloewerton has joined #openstack-keystone		12:40
*** EinstCrazy has joined #openstack-keystone		12:40
*** e0ne has joined #openstack-keystone		12:46
*** geoffarnold has quit IRC		12:46
*** hrou has joined #openstack-keystone		12:46
*** geoffarnold has joined #openstack-keystone		12:46
*** Nirupama has quit IRC		12:50
*** jaosorior has quit IRC		12:51
*** jaosorior has joined #openstack-keystone		12:51
*** fhubik is now known as fhubik_brb		12:54
*** rvba has quit IRC		12:55
*** rvba has joined #openstack-keystone		12:58
*** rvba has quit IRC		12:58
*** rvba has joined #openstack-keystone		12:58
samueldmq	tyagiprince2010: hi	12:59
samueldmq	tyagiprince2010: http://docs.openstack.org/developer/keystone/ is the main entrypoint for the keystone documentation	12:59
samueldmq	tyagiprince2010: feel free to ask whatever questions you have here, people will reply as they are available	13:00
samueldmq	tyagiprince2010: as we have people with different timezones working all over the world, someone will eventually see your question and reply you	13:00
*** tyagiprince2010 has quit IRC		13:02
*** jistr\|biab is now known as jistr		13:03
*** tellesnobrega_af is now known as tellesnobrega		13:05
*** richm has joined #openstack-keystone		13:07
*** geoffarn_ has joined #openstack-keystone		13:08
*** geoffarnold has quit IRC		13:08
*** wwwjfy_ has quit IRC		13:08
*** alejandrito has joined #openstack-keystone		13:09
*** wwwjfy_ has joined #openstack-keystone		13:14
*** andrewbogott has left #openstack-keystone		13:15
*** stevemar_ has joined #openstack-keystone		13:20
*** ChanServ sets mode: +o stevemar_		13:20
*** wwwjfy_ has quit IRC		13:24
*** wwwjfy_ has joined #openstack-keystone		13:25
ayoung	Hey samueldmq did you see: https://review.openstack.org/#/c/233480/3	13:29
*** geoffarn_ has quit IRC		13:29
*** geoffarnold has joined #openstack-keystone		13:29
*** jsavak has joined #openstack-keystone		13:29
samueldmq	ayoung: hi, I took a glance .. looking better now	13:31
samueldmq	lbragstad: ping - you around ? I have a question about https://review.openstack.org/#/c/215715	13:33
ayoung	samueldmq, so, new thought on Dynamic policy based on that	13:33
ayoung	we leave the existing policy files as is	13:33
ayoung	those are the basis for the scope checks	13:33
ayoung	they should not be checking any role other than admin	13:34
ayoung	The various projects can clean up their policy files over time, to make the scope checks more accurate, but they will be no worse than things are now	13:34
ayoung	the dynamic policy part can be done in middleware, done based on a URL/URI and only check that the role matches	13:35
*** pumaranikar has quit IRC		13:38
*** ngupta has joined #openstack-keystone		13:39
*** jsavak has quit IRC		13:39
*** jsavak has joined #openstack-keystone		13:40
*** petertr7_away is now known as petertr7		13:43
*** yuwen has joined #openstack-keystone		13:44
*** zz_john5223 is now known as john5223		13:46
samueldmq	ayoung: so ... I was finishing up a review ..	13:50
*** geoffarnold has quit IRC		13:50
*** geoffarnold has joined #openstack-keystone		13:50
samueldmq	ayoung: so we leave the current policies as they are, and add the role check at middleware level ?	13:50
samueldmq	ayoung: that way we would be checking roles twice (at least for admin) ? and deployers would have to separate their existing policies, even without services having properly separated them ?	13:51
*** pumaranikar has joined #openstack-keystone		13:51
samueldmq	ayoung: that doesn't seem an easy adoption that way ... do you agree?	13:51
*** r-daneel has joined #openstack-keystone		13:55
*** phalmos has joined #openstack-keystone		13:55
stevemar_	reminder to add to the meeting agenda: https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting#Main_Agenda	14:00
openstackgerrit	Boris Bobrov proposed openstack/keystone: Use search_ext_s instead of search_s in ldap https://review.openstack.org/232995	14:01
openstackgerrit	Boris Bobrov proposed openstack/keystone: Make @truncated common for all backends https://review.openstack.org/233069	14:01
openstackgerrit	Boris Bobrov proposed openstack/keystone: Use @truncated in ldap https://review.openstack.org/233070	14:01
openstackgerrit	Boris Bobrov proposed openstack/keystone: Fix exposition of bug about limiting with ldap https://review.openstack.org/234226	14:01
dstanek	marekd: why would be not start reviewing and coding functional tests?	14:01
*** sigmavirus24_awa is now known as sigmavirus24		14:01
marekd	dstanek: sorry ?	14:02
marekd	dstanek: why not coding and reviewing functional tests?	14:02
dstanek	marekd: your topic for the meeting today	14:02
marekd	dstanek: erm, last time bknudson said it's generally wrong according to someone + he also said he doesn't really understand why adding functional tests while existing are not running. He didn't clarify what he'd meant.	14:03
stevemar_	dstanek: marekd it'll be nice to bring it up again as a general topic	14:04
marekd	dstanek: i don't feel adding a chain of patches, spend some time and get -1 saying "it's all wrong"	14:04
marekd	stevemar_: dstanek i am happy removing this from the agenda if you prmise to take a look at what i have now and at least assure that we are headed good direction :-)	14:05
marekd	https://review.openstack.org/#/c/203258/ and up	14:05
dstanek	we can talk about it at the meeting, but i don't think we are doing anything "wrong" i think some other group(s) feel that things should also be looked up directly in the database	14:05
marekd	dstanek: yes. but eventually we will ask for jenkins jobs and some "groups" may say "you are doing it wrong, you get nothing"	14:06
*** nicodemos has left #openstack-keystone		14:06
dstanek	imo, that's wrong. if it can't be checked in an API it isn't part of these tests	14:06
marekd	dstanek: i share your opinions	14:07
stevemar_	dstanek: marekd checking the backend is just one of the things we "need" to get in place to get functional tests up and running	14:07
dstanek	it would violate my entire premise of writing a single test that runs against any environment :-( and would make functional tests just as useless as v3 tests	14:08
stevemar_	the patches you've put up will still be needed, regardless of us checking backends	14:08
stevemar_	:(	14:08
dstanek	stevemar_: why?	14:08
*** btully has joined #openstack-keystone		14:08
marekd	stevemar_: ok then, i will carry on with what i have now. I will addd service providers which should be last part of the easy stuff. Authentication will be worse.	14:09
ayoung	samueldmq, look at the existing policies (cloud sample being the exception) no one does a role check	14:09
ayoung	except for Admin	14:09
*** ParsectiX has quit IRC		14:09
ayoung	so this is the easiest path to adoption	14:09
stevemar_	dstanek: why what?	14:09
dstanek	stevemar_: if we have to check the backend directly then these tests are no different than v3 tests	14:10
marekd	stevemar_: i think dstanek's point is if you explicitely check database you will not be able to easily switch backends.	14:10
stevemar_	ah	14:10
marekd	be back in 30 mins	14:11
dstanek	stevemar_: the whole point is REST API call to modify data and REST API call to check it - who cares how it is stored....	14:11
dstanek	marekd: exactly	14:11
*** geoffarnold has quit IRC		14:11
stevemar_	then let's chat about it today, we can ask mtreinish to attend	14:11
stevemar_	right, i agree	14:11
*** geoffarnold has joined #openstack-keystone		14:12
mtreinish	stevemar_: I see yellow, what's up?	14:12
stevemar_	ayoung: got a review request for ya: https://review.openstack.org/#/c/232715/3	14:12
stevemar_	mtreinish: we're talking about functional tests	14:13
stevemar_	mtreinish: i think it was you who chimed in last time, the need to check backends for a functional test?	14:13
mtreinish	stevemar_: I don't think I've said that before	14:14
ayoung	stevemar_, really? That was how it was origianlly designed.	14:14
mtreinish	stevemar_: my argument is in tree functional tests shouldn't require a full deployment and only black box test it	14:14
mtreinish	because that's what tempest does	14:15
mtreinish	in tree functional tests should be more tightly coupled to the project because you have the advantage of being able to keep up with code changes	14:15
stevemar_	mtreinish: full deployment meaning?	14:15
stevemar_	right	14:15
breton	full devstack deployment I guess	14:15
mtreinish	in some cases that might mean checking the backend, but it doesn't have to	14:15
mtreinish	breton: any deployment, I guess in the keystone case its just keystone	14:16
stevemar_	mtreinish: checking the http response should be sufficient?	14:16
stevemar_	mtreinish: gotcha regarding deployment, just keystone is probably enough for most of our functional tests	14:16
stevemar_	that would be a real quick devstack setup :)	14:17
*** dikonoor has joined #openstack-keystone		14:17
mtreinish	stevemar_: it can be, it's all about what you as a project want to verify. The example I always use is nova (which is probably where the backend idea came up) has api tests which test a negative request and ensure the db doesn't contain anything	14:17
dstanek	mtreinish: right now that's the intent of the keystone functional tests; only need keystone (and maybe other things Keystone depends on)	14:17
stevemar_	mtreinish: ahhh	14:18
mtreinish	stevemar_: and all those tests spin up are nova api and the db	14:18
stevemar_	that seems like slight overkill, and starts creeping onto unit test territory	14:18
dstanek	mtreinish: my goal is to have everything test through the API so that the same tests can run against any backend	14:18
mtreinish	which is done dynamically	14:18
samueldmq	ayoung: brb - lunch time, we can talk a bit more on policies this afternoon	14:18
stevemar_	dstanek: so i think mtreinish is saying that there is enough leeway in how to set things up that we as a project should decide what to verify	14:19
dstanek	yep, that's perfect	14:19
mtreinish	stevemar_: yes, it's a project level decision, I can provide some guidance and examples if you'd like	14:19
stevemar_	mtreinish: ++ on examples	14:19
stevemar_	and your input is always valued, it cleared up this issue in 2 minutes	14:20
mtreinish	like I think depending on an existing deployment and only doing black box api driven is a mistake, because that's what tempest does	14:20
bknudson	so we should put our black box tests in tempest instead	14:21
stevemar_	mtreinish: i think we're more interested in different configurations, rather than just dsvm-full	14:21
dstanek	i only want to do black box testing because we do other testing in our unit tests	14:21
mtreinish	bknudson: yes, that's what I'd recommend it also gives you the advantage of better "social coverage" (which is what I call defcore stuff and people running tests against real deployments)	14:22
mtreinish	stevemar_: sure, I'd recommend taking a look at neutron's full stack testing	14:22
dstanek	mtreinish: i thought the idea was tempest would only do the integration testing where the tests covered more than one project	14:23
dstanek	mtreinish: my general idea for functional testing is a single set of tests that run across any and all backends; and then some specialized tests (like federation) that require certain additional setup	14:24
*** pumaranikar has quit IRC		14:24
mtreinish	dstanek: that's the primary goal, but there is also a lot of functional api testing in tempest which gets used a ton of places because it's centralized and easy to point at a deployment	14:24
*** pumaranikar has joined #openstack-keystone		14:25
samueldmq	mtreinish: and then we would vary the configuration/backends/etc by adding new gates/checks ?	14:26
dstanek	mtreinish: so is keeping these tests in our repo the right thing?	14:26
*** timcline has joined #openstack-keystone		14:26
mtreinish	samueldmq, dstanek: so for in tree tests my recommendation would be for the tests to own the configuration/deployment to a certain degree you want the tests in tree to be deterministic and easy to setup for a dev	14:27
samueldmq	dstanek: ++	14:27
mtreinish	and not depend on having an existing deployment configured just right	14:27
dstanek	a sub-goal or side benefit would be the ability of a backend writer to run the tests against their backend to see if they are compiant	14:27
*** phalmos has quit IRC		14:28
*** Ephur has joined #openstack-keystone		14:28
*** slberger has joined #openstack-keystone		14:28
mtreinish	dstanek: for example from neutron: http://docs.openstack.org/developer/neutron/devref/fullstack_testing.html#full-stack-testing (which I don't have much experience with but the docs are kinda what I'm getting at)	14:28
dstanek	so it sounds like we're going down the right path in what we want to do	14:29
mtreinish	and let me show how nova's functional tests use fixtures to spin up nova services on demand	14:29
openstackgerrit	Henrique Truta proposed openstack/keystone: Tests for projects acting as domains https://review.openstack.org/211219	14:30
openstackgerrit	Henrique Truta proposed openstack/keystone: Manager support for projects acting as domains https://review.openstack.org/213448	14:30
openstackgerrit	Henrique Truta proposed openstack/keystone: Removes project.domain_id FK https://review.openstack.org/233274	14:30
openstackgerrit	Henrique Truta proposed openstack/keystone: Change project name constraints https://review.openstack.org/158372	14:30
openstackgerrit	Henrique Truta proposed openstack/keystone: Add is_domain parameter to get_project_by_name https://review.openstack.org/210600	14:30
dstanek	right now the plan it to have the functional tests depend on an environment already existing somewhere. we configure this using environment vars	14:30
dstanek	actually standing up an environment is out of the scope of the tests although we are working on a framework to build the environments using devstack	14:31
mtreinish	dstanek: so how does this differ from tempest? if it's api only and depends on a pre-existing environment that you configure the tests to run against?	14:31
dstanek	mtreinish: it doesn't all that much :-) other than we don't depend on any other projects	14:32
mtreinish	neither does tempest	14:32
mtreinish	you just tell it that keystone is the only available service	14:32
*** geoffarn_ has joined #openstack-keystone		14:33
mtreinish	well actually you just tell it that none of the other services are available, keystone is the only hard service dep	14:33
*** geoffarnold has quit IRC		14:33
mtreinish	nothing works without	14:33
mtreinish	it	14:33
dstanek	mtreinish: i keep hearing that we should move functional tests out of tempest, so i would expect what we are doing to look very similar to the tempest functional tests	14:33
dstanek	mtreinish: are you saying that functional tests should be in tempest?	14:33
*** pumaranikar has quit IRC		14:34
samueldmq	mtreinish: so should functional tests belong to tempest ? in that case our functional tests should be written there, is that right ?	14:34
ayoung	mtreinish, tempest is the wrong place. We've been here before, we've seen this room and we've walked this floor	14:34
samueldmq	dstanek: yes, that's the question	14:34
ayoung	It is a case of abuse. Only we really know how to abuse Keystone	14:34
*** jsavak has quit IRC		14:34
dstanek	mtreinish: also we're trying not to use the client for these tests	14:35
mtreinish	ayoung: honestly no one ever shows up to write tests so how can you say that?	14:35
mtreinish	dstanek: tempest has it's own clients	14:35
mtreinish	dstanek: it just feels like the gap you're trying to fill with what your calling functional tests is what already exists with tempest	14:35
mtreinish	dstanek: and other projects which have more tempest tests are trying to fill the middle ground between that and unit tests	14:36
bknudson	tempest doesn't have federation tests	14:36
*** jsavak has joined #openstack-keystone		14:36
bknudson	or tests for heirarchical multitenancy	14:36
mtreinish	bknudson: tempest barely has any keystone tests, but yes there aren't any	14:37
mtreinish	bknudson: but what is stopping you from adding them?	14:37
*** dsirrine has joined #openstack-keystone		14:37
bknudson	there's no devstack setup for it.	14:37
bknudson	is that required?	14:37
dstanek	mtreinish: so is the new plan to keep functional tests in tempest? and what the other projects are doing is something different?	14:38
bknudson	think we could get a gate job that only sets up keystone with federation?	14:38
mtreinish	bknudson: the tests need to run in a ci (either infra or 3rd party, periodic/experimental is fine too) to land	14:38
*** derosenet has joined #openstack-keystone		14:38
mtreinish	dstanek: I think the term functional is just overloaded here, which is leading to the confusion	14:38
mtreinish	dstanek: projects still contribute tests to tempest, but they also have in tree tests	14:39
mtreinish	there isn't a bright line between what belongs where	14:39
* marekd is back		14:39
dstanek	mtreinish: so it sounds like we should continue down our path so that we test keystone to our satisfaction and worry about moving stuff to tempest later if at all	14:40
bknudson	why don't we have a tempest-first mindset instead of tempest-maybe-later?	14:41
*** browne has joined #openstack-keystone		14:41
dstanek	mtreinish: i think this comment http://paste.openstack.org/show/476146/ from this post http://lists.openstack.org/pipermail/openstack-dev/2014-July/041057.html kicked off the discussions that this was based on	14:41
mtreinish	dstanek: I really don't think having a one off essentially duplicate tempest in tree is the right path, but like I said before you can set your own direction	14:41
bknudson	oh, so it can be landed along with the patch	14:42
dstanek	bknudson: yes, plus it gives us the control to get tests in faster without waiting for cores from another project to approve	14:43
mtreinish	dstanek: so there is context there, keystone doesn't really have any direct testing in tempest, that was a reaction to projects that were doing all of their testing in tempest instead of owning things in tree	14:43
mtreinish	dstanek: which is what I was saying before about how most projects are trying to fill that middle ground with functional testing	14:43
dstanek	mtreinish: exactly, so at least for right now there is not duplication :-)	14:43
yuwen	help： if I want to use java SP to integrate keystone IDP, should I need to implement it via ECP ,just like k2k, the keystone SP use shibboleth ECP	14:44
mtreinish	dstanek: but I'm saying that's a problem, because we need better coverage for keystone in tempest since keystone is a core component of any openstack cloud	14:44
mtreinish	there are defcore implications as well as deployment testing advantages with having good coverage in tempest	14:45
*** dsirrine_ has joined #openstack-keystone		14:45
*** jsavak has quit IRC		14:45
openstackgerrit	gordon chung proposed openstack/keystonemiddleware: drop use of norm_ns https://review.openstack.org/234265	14:46
*** jsavak has joined #openstack-keystone		14:46
*** geoffarn_ is now known as geoffarnoldX		14:47
*** timcline has quit IRC		14:47
*** derosenet has quit IRC		14:48
*** rderose has joined #openstack-keystone		14:49
marekd	yuwen: what is java SP?	14:50
marekd	java sevice provider?	14:50
yuwen	yes， a java application as service provider	14:51
dstanek	mtreinish: so i think what neutron is doing is very similar to what we'll be doing. the big difference is that i have separated the actual tests from the configuration setup	14:51
mtreinish	dstanek: which is an important distinction	14:52
*** ngupta has quit IRC		14:52
bknudson	maybe we need to learn more about how tempest works... e.g., demo it with a keystone-only setup.	14:52
mtreinish	dstanek: I also feel that you want any in-tree tests to just work for a dev and depending on an existing setup isn't really conducive for that	14:53
bknudson	and at least look into what it would take to get federation tests in there	14:53
dstanek	mtreinish: i haven't looked at how they implemented, but i' sure they are doing some separation too in order to run the same tests against different configuration	14:53
*** rderose has quit IRC		14:53
mtreinish	bknudson: yes, I think that's a good idea, I'd be willing to help you with that	14:53
*** iurygregory is now known as iury_gregory		14:54
*** iury_gregory is now known as iurygregory		14:54
dstanek	mtreinish: how would be do things like setup multiple keystones for k2k or sp/idps for federation using tempest?	14:54
*** derosenet has joined #openstack-keystone		14:55
*** jsavak has quit IRC		14:55
*** derosenet has quit IRC		14:55
bknudson	mtreinish: I've run tempest against keystone before but I think I only had it run specific tests since I couldn't figure out how to run the right ones... I didn't spend too much time looking at it. So maybe a short doc in keystone dev docs, which hopefully won't get too out of date.	14:56
*** jsavak has joined #openstack-keystone		14:56
mtreinish	dstanek: well tempest is only api driven so for multiple keystones we'll probably just need to add support and options for talking to a second keystone	14:56
*** rderose has joined #openstack-keystone		14:56
lbragstad	bknudson fwiw, i have a doc for standing up devstack and running tempest against fernet	14:57
mtreinish	dstanek: for the identity providers we'd have to leverage devstack or something else to set that all up	14:57
marekd	mtreinish: talking only ? For federation we need proper configuration of both keystone or even 3rd party software before we launch tests	14:57
mtreinish	marekd: tempest assumes there is a deployment already setup and you tell it how to talk to things	14:58
marekd	mtreinish: ok, so we still need some kind of work that will setup whole env.	14:58
mtreinish	bknudson: well to say only run keystone you would just set everything to false except for keystone in: http://docs.openstack.org/developer/tempest/configuration.html#configuring-available-services	14:59
mtreinish	(although there isn't actually a keystone flag in that config section because it's a hard dep for tempest)	14:59
bknudson	it will be interesting to see how many tests run in keystone-only	15:00
bknudson	can't do much	15:00
*** ngupta has joined #openstack-keystone		15:00
dstanek	mtreinish: when you get a sec take a look at http://specs.openstack.org/openstack/keystone-specs/specs/liberty/functional-testing.html and http://specs.openstack.org/openstack/keystone-specs/specs/backlog/functional-testing-setup.html	15:00
dstanek	mtreinish: those document how i think about functional testing	15:00
*** petertr7 is now known as petertr7_away		15:01
*** rderose has left #openstack-keystone		15:01
mtreinish	bknudson: it'll probably just be: http://paste.openstack.org/show/476148/	15:02
*** petertr7_away is now known as petertr7		15:02
ayoung	mtreinish, not true. We have a slew of "unit" tests in the Keystone tests dir that are more properly integration tests.	15:02
mtreinish	those are all the tests marked as talking directly to keystone for the test code itself	15:02
*** ankurgupta has joined #openstack-keystone		15:02
bknudson	that's not too bad... I was worried it would just be get a token and validate a token	15:03
dstanek	bknudson: wasn't there also talk of moving the existing keystone functional tests our of keystone and into tree?	15:03
bknudson	you can probably get rid of the "JSON".	15:03
ayoung	dstanek, we need to id the tests that can go from /unit to /functional	15:03
dstanek	ayoung: every v3 test	15:03
mtreinish	bknudson: heh, yeah that's a simple cleanup	15:03
bknudson	dstanek: well, we need to figure out how we want our "unit" tests to work.	15:03
bknudson	or be structured	15:04
ayoung	dstanek, yep...although be aware that there are many code paths only tested via those tests.	15:04
dstanek	they all use an in-process server, but if we are going to put tests into tempest we may want to keep those as-is	15:04
marekd	bknudson: everything that needs anything else than keystone itself should be functional, rest can stay as is today.	15:04
bknudson	I think we want our "unit" tests to only test a specific class/function. And then have a smallish number of "scenario" tests that test using the rest interface.	15:05
marekd	bknudson: federation needs idps, k2k needs two keystones -> go to functionals	15:05
ayoung	plus ça change, plus c'est la même chose	15:05
bknudson	we can have functional tests but they have to run on every change, and it has to be possible for developers to run them.	15:05
dstanek	marekd: not true, functional testing is black box testing. doesn't matter what the dependencies are	15:05
marekd	dstanek: so when i run today tox -epy27 i am not talking with keystone?	15:06
*** derosenet has joined #openstack-keystone		15:06
ayoung	dstanek, how much more black could the box be, you ask, and the answer is none. None more black	15:06
dstanek	marekd: the v3 tests do	15:06
*** derosenet has quit IRC		15:07
ayoung	dstanek, we need an IdP for true functional testing	15:07
bknudson	is there an open source idp?	15:08
dstanek	ayoung: for testing the federation bits yes	15:08
ayoung	FreeIPA	15:08
marekd	bknudson: shibboleth is opensource	15:08
*** rderose has joined #openstack-keystone		15:08
marekd	bknudson: but for now we will probably leverage on pysaml as it's python	15:08
ayoung	There are others, too	15:08
marekd	ayoung: ++	15:08
ayoung	I want to do FreeIPA + Ipsilon as it gets more than just SAML	15:09
bknudson	I assume devstack could set up freeipa or something	15:09
marekd	bknudson: dstanek has patches for that.	15:09
ayoung	It will get us Kerberos SSSD, X509, and SAML.	15:09
ayoung	OpenID in the future.	15:09
marekd	ayoung: cool	15:09
*** diazjf has joined #openstack-keystone		15:09
ayoung	bknudson, It should be possible. I'll have a demo with me,	15:09
ayoung	we have in ansibleized	15:09
*** rderose has quit IRC		15:09
dstanek	ayoung: i don't want to overcomplicate this yet. we can't even agree where stuff goes :-(	15:09
*** jsavak has quit IRC		15:10
* ayoung should try an Ubuntu VM with IPA...		15:10
*** jsavak has joined #openstack-keystone		15:10
ayoung	dstanek, going with IPA is the simpler path	15:10
ayoung	its the less "NIH" path	15:10
*** rderose has joined #openstack-keystone		15:10
dstanek	ayoung: why less "NIH"?	15:10
bknudson	H stands for RedHat	15:10
*** alex_xu has quit IRC		15:10
dstanek	i would think it's more if you work at redhat :-)	15:10
bknudson	he he	15:10
ayoung	dstanek, Because you have to configure a hell of a lot less	15:10
ayoung	bknudson, MIT Kerberos, BIND DNS	15:11
ayoung	LDAp is 389...was origianlly Netsacpe, but yeah, that is RH now	15:11
ayoung	as is Dogtag	15:11
ayoung	dstanek, show me a comparable other that gets us all the technololgies?	15:11
ayoung	Ever try to set up Kerberos by hand?	15:11
bknudson	as long as it talks the standard protocols should be good enough to validate.	15:12
dstanek	ayoung: right now we only have the drive for federation so i'd rather not complicate things until we have to	15:12
ayoung	dstanek, Tell you what...Let me spin up an Ubuntu VM on Dreamhost and see what it takes to get IPA on it	15:12
bknudson	I would like to see sssd / mapping used for ldap. then we can deprecate identity ldap, too.	15:13
dstanek	ayoung: i was unsuccessful :-( and once i moved to fedora nothing worked by default :-( :-(	15:13
*** tecn1z has joined #openstack-keystone		15:14
*** fhubik_brb is now known as fhubik		15:14
ayoung	mtreinish, dstanek, what is the target Distro for Gate? Ubuntu 12.04 or 14.04?	15:14
mtreinish	ayoung: ubuntu 14.04 is what's used now	15:15
*** geoffarnoldX has quit IRC		15:15
mtreinish	ayoung: it's always the latest lts release	15:15
*** geoffarnold has joined #openstack-keystone		15:15
*** ankurgupta has quit IRC		15:16
*** rderose has quit IRC		15:16
*** topol has joined #openstack-keystone		15:19
*** ChanServ sets mode: +v topol		15:19
openstackgerrit	Brant Knudson proposed openstack/oslo.policy: Add cover test requirement https://review.openstack.org/234289	15:21
*** wwwjfy_ has quit IRC		15:21
*** urulama has quit IRC		15:22
*** jsavak has quit IRC		15:23
*** urulama has joined #openstack-keystone		15:23
*** jsavak has joined #openstack-keystone		15:23
*** wwwjfy_ has joined #openstack-keystone		15:26
*** phalmos has joined #openstack-keystone		15:30
*** su_zhang has quit IRC		15:32
openstackgerrit	Brant Knudson proposed openstack/oslo.policy: Add test for invalid JSON https://review.openstack.org/234297	15:33
*** geoffarnold has quit IRC		15:36
*** geoffarnold has joined #openstack-keystone		15:37
openstackgerrit	Boris Bobrov proposed openstack/keystone: Refactor LimitTests https://review.openstack.org/234300	15:38
*** su_zhang has joined #openstack-keystone		15:38
*** su_zhang has quit IRC		15:46
openstackgerrit	Sean Dague proposed openstack/keystone: Correct typo in copyright https://review.openstack.org/232528	15:49
*** gyee has joined #openstack-keystone		15:55
*** ChanServ sets mode: +v gyee		15:55
*** e0ne has quit IRC		15:56
*** geoffarnold has quit IRC		15:57
*** fawadkhaliq has joined #openstack-keystone		15:57
*** geoffarnold has joined #openstack-keystone		15:58
*** jasonsb has joined #openstack-keystone		15:58
*** petertr7 is now known as petertr7_away		16:01
openstackgerrit	Brant Knudson proposed openstack/oslo.policy: Add test for raising default exception https://review.openstack.org/234309	16:03
openstackgerrit	Brant Knudson proposed openstack/oslo.policy: Add test for enforce with rule doesn't exist https://review.openstack.org/234310	16:03
openstackgerrit	Henrique Truta proposed openstack/keystone: Remove domain table references https://review.openstack.org/165936	16:04
openstackgerrit	Henrique Truta proposed openstack/keystone: Projects acting as domains https://review.openstack.org/231289	16:04
*** mriedem has joined #openstack-keystone		16:04
mriedem	bknudson: stevemar_: btw, https://review.openstack.org/#/c/233763/ breaks keystone right now,	16:04
mriedem	we are going to land https://review.openstack.org/#/c/233857/ and once that syncs to keystonemiddlware and is merged, we'll need to release 2.4.1	16:05
*** _cjones_ has joined #openstack-keystone		16:05
*** _cjones_ has quit IRC		16:05
bknudson	mriedem: keystone is already broken due to requests 2.8.0	16:05
*** _cjones_ has joined #openstack-keystone		16:05
bknudson	I haven't had a chance to see if webob change breaks keystone	16:06
mriedem	the webob thing is causing a conflict with uncapped keystone since https://review.openstack.org/#/c/233820/ isn't merged	16:06
mriedem	but the webob thing is temporary anyway, so once we revert that and sync to middleware we have to release that as 2.4.1	16:07
bknudson	mriedem: we can't merge that because keystone doesn't work with the requests in keystoneclient / keystonemiddleware	16:07
mriedem	that being the keystone g-r sync right?	16:08
mriedem	i saw the unit test failures	16:08
bknudson	mriedem: right, nothing can merge, including https://review.openstack.org/#/c/233820/	16:08
mriedem	cool, well, you can't cap requestes in g-r apparently	16:10
mriedem	so good luck!	16:10
*** phalmos_ has joined #openstack-keystone		16:10
*** chrisshattuck has quit IRC		16:10
bknudson	it will probably take a while to dig out from this one.	16:10
mriedem	bknudson: if this is just a unit test thing, you could hack around this in tox.ini for keystone	16:11
bknudson	hmm... maybe that's easier.	16:11
mriedem	but i don't fully understand what's going on with keystone and requests 2.8.0	16:11
bknudson	mriedem: actually, the failures in https://review.openstack.org/#/c/233820/ are because of the oslo.policy release and not requests... wonder how that changed.	16:12
*** phalmos has quit IRC		16:13
mriedem	bknudson: oslo did a mass release party yesterday	16:13
bknudson	the proposed change for that is https://review.openstack.org/#/c/233800/ ... maybe need to merge those 2 reviews	16:13
mriedem	yeah you probably need to squash the changes if they are co-dependent	16:14
*** tecn1z has quit IRC		16:14
dims	bknudson: found that last week for neutron - https://bugs.launchpad.net/neutron/+bug/1503890	16:14
openstack	Launchpad bug 1503890 in neutron "test_policy assumes oslo.policy internal implementationd details" [Medium,Fix committed] - Assigned to Kevin Benton (kevinbenton)	16:14
*** tecn1z has joined #openstack-keystone		16:15
dims	mriedem: bknudson: unit tests dependent on internal implementation details	16:15
mriedem	those are always fun	16:15
mriedem	someone should report a bug against oslo.policy that they changed their internal impl	16:15
dims	mriedem: see bug above	16:16
dims	mriedem: y we should freeze oslo code and not release anything anymore :)	16:16
mriedem	just move it all back to oslo-incubator	16:16
mriedem	like i said	16:16
mriedem	c'mon	16:16
dims	haha +++	16:16
dims	mriedem: you are way ahead of me in thinking	16:17
openstackgerrit	Merged openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/234140	16:17
*** geoffarnold has quit IRC		16:18
*** geoffarnold has joined #openstack-keystone		16:19
*** wwwjfy_ has quit IRC		16:20
bknudson	pkg_resources.ContextualVersionConflict: (WebOb 1.5.0 (/opt/stack/keystone/.tox/py27/lib/python2.7/site-packages), Requirement.parse('WebOb<1.5.0,>=1.2.3'), set(['keystonemiddleware']))	16:20
bknudson	yep, keystone unit tests are broken	16:21
mriedem	yup	16:21
mriedem	not just keystone i don't think	16:21
*** ankurgupta has joined #openstack-keystone		16:21
bknudson	it wasn't failing that way yesterday	16:21
mriedem	b/c middleware had the webob g-r sync and released as 2.4.0 since yesterday	16:21
mriedem	that's why i was saying about reverting the webob thing and releasing as 2.4.1	16:22
bknudson	can we have ksm not match global-requirements? I thought that would fail a gate test	16:23
*** yuwen has quit IRC		16:25
openstackgerrit	Henrique Truta proposed openstack/keystone: Bye Bye Domain Table https://review.openstack.org/161854	16:25
*** wwwjfy_ has joined #openstack-keystone		16:26
*** phalmos_ has quit IRC		16:30
*** jistr has quit IRC		16:31
mriedem	bknudson: you can, you'd have to remove it from projects.txt in the requirements repo	16:34
*** jsavak has quit IRC		16:34
mriedem	but, probably not a great idea	16:34
mriedem	b/c if ksm caps or uncaps some dep and something depends on ksm with the opposite caps/uncaps, we get wedged	16:34
mriedem	b/c pip sucks	16:35
*** lhcheng has joined #openstack-keystone		16:35
*** ChanServ sets mode: +v lhcheng		16:35
*** jsavak has joined #openstack-keystone		16:37
*** wwwjfy_ has quit IRC		16:40
*** geoffarn_ has joined #openstack-keystone		16:40
*** geoffarnold has quit IRC		16:44
*** john5223 is now known as zz_john5223		16:48
dhellmann	bknudson: if you're working on things blocking master, can you coordinate with us in #openstack-relmgr-office and using https://etherpad.openstack.org/p/liberty-release-gate-race please?	16:48
*** petertr7_away is now known as petertr7		16:53
*** fhubik has quit IRC		16:54
*** henrynash has joined #openstack-keystone		16:57
*** ChanServ sets mode: +v henrynash		16:57
*** pnavarro\|off has quit IRC		16:59
*** shaleh has joined #openstack-keystone		17:04
*** doug-fis_ has joined #openstack-keystone		17:04
*** amakarov is now known as amakarov_away		17:04
*** doug-fis_ is now known as doug-fish_		17:05
*** doug-fish has quit IRC		17:07
*** petertr7 is now known as petertr7_away		17:08
*** jsavak has quit IRC		17:09
*** jsavak has joined #openstack-keystone		17:10
*** browne has quit IRC		17:11
*** diazjf has quit IRC		17:12
*** su_zhang has joined #openstack-keystone		17:12
*** gordc has quit IRC		17:14
*** urulama has quit IRC		17:15
*** roxanaghe has joined #openstack-keystone		17:15
*** urulama has joined #openstack-keystone		17:15
stevemar_	really bknudson "exemplar"	17:15
stevemar_	:)	17:15
*** geoffarn_ has quit IRC		17:16
*** geoffarnold has joined #openstack-keystone		17:18
openstackgerrit	Lin Hua Cheng proposed openstack/keystone: Validate user exist when assigning roles in V2 https://review.openstack.org/93982	17:21
*** aix has quit IRC		17:22
*** phalmos has joined #openstack-keystone		17:29
*** geoffarnold has quit IRC		17:39
*** geoffarnold has joined #openstack-keystone		17:39
*** petertr7_away is now known as petertr7		17:41
*** gordc has joined #openstack-keystone		17:41
*** Guest4816 is now known as tsymanczyk		17:47
bknudson	dhellmann: ok.	17:51
*** browne has joined #openstack-keystone		17:54
*** fawadkhaliq has quit IRC		17:58
*** mylu has joined #openstack-keystone		17:59
*** jbell8 has joined #openstack-keystone		17:59
*** geoffarnold has quit IRC		18:00
*** geoffarnold has joined #openstack-keystone		18:00
*** ankurgupta has left #openstack-keystone		18:01
*** rderose has joined #openstack-keystone		18:01
*** jdennis has quit IRC		18:02
*** mylu has quit IRC		18:02
*** dikonoor has quit IRC		18:03
*** mylu has joined #openstack-keystone		18:03
*** mylu has quit IRC		18:04
*** mylu has joined #openstack-keystone		18:04
*** diazjf has joined #openstack-keystone		18:05
*** Alexander has joined #openstack-keystone		18:06
*** fawadkhaliq has joined #openstack-keystone		18:07
*** jsavak has quit IRC		18:08
*** jsavak has joined #openstack-keystone		18:09
*** jdennis has joined #openstack-keystone		18:13
*** woodster_ has joined #openstack-keystone		18:13
openstackgerrit	Lin Hua Cheng proposed openstack/keystone: Validate user exist when assigning roles in V2 https://review.openstack.org/93982	18:14
*** henrynash has quit IRC		18:16
*** e0ne has joined #openstack-keystone		18:17
*** mriedem has quit IRC		18:18
*** csoukup has joined #openstack-keystone		18:19
*** fawadkhaliq has quit IRC		18:21
*** mriedem has joined #openstack-keystone		18:21
*** fawadkhaliq has joined #openstack-keystone		18:21
*** geoffarn_ has joined #openstack-keystone		18:22
*** fawadkhaliq has quit IRC		18:24
*** fawadkhaliq has joined #openstack-keystone		18:24
*** phalmos has quit IRC		18:25
*** geoffarnold has quit IRC		18:26
*** jaosorior has quit IRC		18:28
*** e0ne has quit IRC		18:30
openstackgerrit	gordon chung proposed openstack/keystonemiddleware: drop use of norm_ns https://review.openstack.org/234265	18:34
*** su_zhang_ has joined #openstack-keystone		18:38
*** su_zhang has quit IRC		18:39
*** jsavak has quit IRC		18:42
*** geoffarnold has joined #openstack-keystone		18:43
*** geoffarn_ has quit IRC		18:43
*** jdennis has quit IRC		18:43
*** jsavak has joined #openstack-keystone		18:44
*** wwwjfy_ has joined #openstack-keystone		18:45
*** wwwjfy_ has quit IRC		18:46
*** phalmos has joined #openstack-keystone		18:53
breton	I wonder	18:55
breton	marekd: dstanek: why can't we use the same keystone for k2k?	18:55
dstanek	breton: ?	18:56
*** jsavak has quit IRC		18:56
breton	use the same keystone instance as idp and sp at the same time	18:56
breton	we need to sp in idp and idp in sp anyway	18:56
dstanek	i'm not sure that it would work and even it if did i don't know that it would be a fair test	18:56
dstanek	since uses would be in the database already we could make things work on accident	18:57
marekd	breton: i said we should be able to use one keystone	18:57
marekd	breton: i just mentioned i have never tested such configuration	18:57
marekd	dstanek: ++	18:58
*** jsavak has joined #openstack-keystone		18:58
marekd	dstanek: breton IMHO we should build test environments that are similar to what will land one day in production	18:58
breton	oh, I see, it was discussed	18:58
*** su_zhang_ has quit IRC		18:58
breton	there is no cross-dependency in sp and idp code afaik	18:59
marekd	breton: there is not	18:59
*** amakarov has joined #openstack-keystone		19:00
edmondsw	opened https://bugs.launchpad.net/keystone/+bug/1505777 for the extras issue we were discussing	19:00
openstack	Launchpad bug 1505777 in Keystone "inconsistent support for optional dependencies" [Undecided,New]	19:00
ayoung	dstanek, it ensrues all the pieces work. so long as we don;'t special case it...why not?	19:00
*** tonytan4ever has joined #openstack-keystone		19:00
*** mriedem has left #openstack-keystone		19:01
gyee	marekd, you can put both SP and IDP on the same Keystone instance	19:01
gyee	just make sure the have different set of certs and keys	19:01
breton	somebody needs to try that	19:01
gyee	breton, did	19:01
breton	oh, cool.	19:02
ayoung	david8hu, so, tokenless authN is the future, but we will still need to do AuthZ	19:02
gyee	ayoung, how does Horizon query the admin project?	19:02
ayoung	and so X509 will just bypass the token piece, not the list-roles	19:02
ayoung	gyee, it does not need to	19:02
gyee	don't they want to lock it down as well?	19:03
ayoung	gyee, horizon will see that the user gets the admin role based on project selected	19:03
ayoung	Horizon should not have to change at all	19:03
dstanek	ayoung: i worry that things will accidentally work because we share the same database	19:03
gyee	ayoung, so whoever have role assignment perm can still assign the admin role to whatever, but they won't get it unless its admin project	19:03
*** mylu has quit IRC		19:04
ayoung	gyee, right	19:04
*** geoffarnold has quit IRC		19:04
*** geoffarnold has joined #openstack-keystone		19:04
ayoung	gyee, as a follow on check, we can prevent people from assigning admin on non-admin projects as we want for better UX	19:04
*** rderose has quit IRC		19:05
gyee	ayoung, sure	19:05
gyee	ayoung, I am fine with the idea, not a long term solution, but enough to get us by for now	19:05
gyee	ayoung, that would make the admin project immutable	19:06
gyee	plenty of doc as bknudson said	19:06
gyee	dstanek, btw, you have a good weekend :)	19:06
dstanek	gyee: do you have a long term solution in mind?	19:06
gyee	the freaking Browns beat up on the Ravens!!!!!!!!	19:07
dstanek	gyee: record breaking, in fact	19:07
gyee	8 years of frustration	19:07
gyee	dstanek, long term solution is proper authorization APIs	19:08
dstanek	who would have thought you could take a scrub QB, give him a bunch or shorty receivers and expect a win	19:08
ayoung	dstanek, it won't work accidentally. The test has to go through token to SAML and then SAML to token	19:08
*** jsheeren has joined #openstack-keystone		19:09
dstanek	ayoung: but can tokens get objects without SAML by hitting the IdP?	19:09
dstanek	ayoung: the edge cases are my concern	19:09
*** diazjf has quit IRC		19:09
ayoung	dstanek, If we go through the client code, we might fool ourselves, but if we make the API calls directly, we will not. I think	19:10
ayoung	dstanek, anyway, testing with a single server K2K is a good first step, and we can solve multi next	19:10
jsheeren	hi, i have a question about keystone and https	19:11
ayoung	jsheeren, fire away	19:11
jsheeren	i'm setting up a kilo environment, with haproxy as ssl endpoint	19:11
jsheeren	i configured everything and it is working up untill the creation of the credentials files	19:11
shaleh	why not just fire up two devstack instances and test it like it will actually run?	19:12
jsheeren	if I use the temporary token, i can do everythgin	19:12
jsheeren	if i source the credentials file; i get an http auth url in my response from keystone	19:12
jsheeren	so, auth_url = https - i do a request with --debug and it shows me an http auth url	19:13
shaleh	dstanek: why not just fire up two devstack instances and test it like it will actually run?	19:13
ayoung	jsheeren, but the service catalog endpoint is not the https one	19:13
jsheeren	as a result, no commands can be excecuted	19:13
ayoung	so you can;t make anuy other calls	19:13
jsheeren	when i created the endpoints for keystone, they were all https	19:14
jsheeren	is there somewhere else i need to define the auth url to be the https one?	19:14
ayoung	jsheeren, inside the database?	19:14
ayoung	You sure?	19:14
jsheeren	i haven't checked the database yet. i would like to not mess around in there :)	19:15
*** mylu has joined #openstack-keystone		19:15
dstanek	shaleh: infra has a new feature for doing just that	19:17
jsheeren	if i do this request: curl -g -i --insecure -X GET https://servername:35357/v3 -H "Accept: application/json" -H "User-Agent: python-keystoneclient" i get following href response: {"version": {"status": "stable", "updated": "2015-03-30T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.4", "links": [{"href": "http://servername:35357/v3/",	19:17
jsheeren	"rel": "self"}]}}	19:17
jsheeren	so, request to https, repsone gives back http	19:18
shaleh	dstanek: I have been doing my fed testing using devstack and ansible to coordinate the federation	19:18
shaleh	dstanek: since doing it within devstack was a little messy since each needs to talk to the other	19:18
jamielennox	jsheeren: i think you've got public_endpoint and admin_endpoint set in keystone.conf	19:18
ayoung	"http://servername:35357/v3	19:19
jamielennox	jsheeren: that or you've got a load balancer in front	19:19
*** e0ne has joined #openstack-keystone		19:19
ayoung	smirking gun	19:19
*** petertr7 is now known as petertr7_away		19:19
jsheeren	yeah i have an haproxy load balancer in front	19:19
ayoung	damn , I shoulhd have said smirking girn	19:19
jamielennox	jsheeren: ok, so what happens there is that keystone is filling in the url with the info it knows - which in this case is http	19:19
ayoung	jsheeren, you need those to be https. THat is from, the service catalog	19:19
*** alejandrito has quit IRC		19:20
jamielennox	jsheeren: the easy way to fix it is to set public_endpoint in keystone.conf to be the https url which will override keystone figuring it out itself	19:20
ayoung	Oh...wait, yeah, that is just the discovery page...taht comes from conf file	19:20
jsheeren	ok, i checked my keystone.conf and i have not set an explicit public/admin endpoint there	19:20
jsheeren	ok, so set the public endpoint explicit in the keystone to be https?	19:20
ayoung	jsheeren, do a catalog list and you would see it, but you probably can't	19:21
ayoung	because the endpoint is wrong in your catalog	19:21
jsheeren	i'll try that	19:21
ayoung	go look in your databnase	19:21
jsheeren	k	19:21
ayoung	the userid and password is in your keystone.conf file	19:21
jamielennox	jsheeren: there is another setting that will let you pass the protocol from a load balancer which is useful if you have multiple URLs that all point to the same keystone, but if you've only got one just set public_endpoint and admin_endpoint to the https address	19:21
*** petertr7_away is now known as petertr7		19:22
*** alejandrito has joined #openstack-keystone		19:22
ayoung	morgan, thinking multistropt is the least surprising for admin_project_id	19:22
jsheeren	jamielennox: i was setting up a public url on the public network and an internal and admin url for the internal network; do you mean that? or something else?	19:23
morgan	ayoung: sure	19:23
*** diazjf has joined #openstack-keystone		19:23
jamielennox	jsheeren: are they actually different URLs?	19:24
gyee	jamielennox, jsheeren, you need to do two things	19:24
jsheeren	jamielennox: yes, url on the public network is different than on internal network.	19:25
gyee	1) configure secure_proxy_ssl_header in HAProxy	19:25
jamielennox	jsheeren: so there is an option in keystone secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO	19:25
gyee	2) set in keystone.conf, see https://github.com/openstack/keystone/blob/master/keystone/common/wsgi.py#L211	19:25
gyee	otherwise, the hrefs in version discovery will not work	19:25
*** geoffarn_ has joined #openstack-keystone		19:26
jamielennox	jsheeren: i think HTTP_X_FORWARDED_PROTO is the standard for haproxy so it will use the value in there instead of http	19:26
gyee	version discovery is generally broken when deploying with proxies	19:26
jsheeren	ok, so i will set the secure_proxy_ssl_header in keystone and the other HTTP_X_FORWARDED_PROTO in haproxy	19:26
jsheeren	thanks for the tips!!	19:26
jamielennox	gyee: public/admin split is fine, internal is tricky	19:26
gyee	jamielennox, I had to write custom code to get around that	19:27
gyee	will push a patch upstream when I find the time	19:27
jamielennox	gyee: i said we should just always use relative links, people complained	19:28
jamielennox	gyee: granted i have no idea if that actually works today	19:28
gyee	jamielennox, relative links?	19:28
*** amakarov has quit IRC		19:28
jamielennox	gyee: well this is only a problem because you have the service trying to figure out its own hostname and protocol	19:29
jamielennox	gyee: we should just return the path and assume that it's relative to the current url	19:29
*** su_zhang has joined #openstack-keystone		19:29
*** jdennis has joined #openstack-keystone		19:29
gyee	oh I see	19:29
*** geoffarnold has quit IRC		19:29
gyee	jamielennox, I like the idea!	19:29
gyee	plus, we can't expose internal hosts/ports	19:30
jamielennox	i would have to see how keystoneclient/auth actually handled that	19:30
*** amakarov has joined #openstack-keystone		19:31
*** amakarov has quit IRC		19:31
*** alejandrito has quit IRC		19:32
jsheeren	jamielennox: gyee: just wanted to let you know, setting secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO in my keystone.conf fixed it. i alread had set reqadd X-Forwarded-Proto:\ https in my haproxy config	19:34
*** su_zhang has quit IRC		19:34
jsheeren	thanks!	19:34
gyee	jsheeren, excellent	19:35
*** petertr7 is now known as petertr7_away		19:36
*** gyee has quit IRC		19:37
*** marzif has joined #openstack-keystone		19:39
*** rderose has joined #openstack-keystone		19:41
*** e0ne has quit IRC		19:43
*** petertr7_away is now known as petertr7		19:43
*** jsheeren has quit IRC		19:44
*** su_zhang has joined #openstack-keystone		19:46
*** c_soukup has joined #openstack-keystone		19:46
*** geoffarn_ has quit IRC		19:47
*** csoukup has quit IRC		19:50
openstackgerrit	ayoung proposed openstack/keystone: Strip admin roles from non-admin projects and domains https://review.openstack.org/233480	19:51
*** mylu has quit IRC		19:53
*** mylu has joined #openstack-keystone		19:53
*** tyagiprince2010 has joined #openstack-keystone		19:54
*** mylu has quit IRC		19:54
*** rickyrem has joined #openstack-keystone		19:54
*** marzif has quit IRC		19:54
*** rickyrem has left #openstack-keystone		19:55
lbragstad	dolphm if we do version 0x81 of fernet, is that something you should be able to leverage via the api? from keystone for example?	19:57
*** jsavak has quit IRC		19:58
*** jsavak has joined #openstack-keystone		19:58
*** roxanaghe has quit IRC		19:59
*** diazjf has quit IRC		19:59
*** mylu has joined #openstack-keystone		20:00
*** mylu has quit IRC		20:00
*** geoffarnold has joined #openstack-keystone		20:02
*** diazjf has joined #openstack-keystone		20:02
*** rderose has quit IRC		20:05
*** roxanaghe has joined #openstack-keystone		20:05
*** geoffarnold has quit IRC		20:08
*** geoffarnold has joined #openstack-keystone		20:08
openstackgerrit	Brant Knudson proposed openstack/oslo.policy: Use JSON generator https://review.openstack.org/234421	20:08
*** csoukup_ has joined #openstack-keystone		20:10
*** mylu has joined #openstack-keystone		20:13
*** c_soukup has quit IRC		20:13
*** jmccrory has quit IRC		20:17
*** jmccrory has joined #openstack-keystone		20:19
browne	could someone please review https://review.openstack.org/#/c/226121/	20:20
browne	fix for a high priority bug	20:20
*** e0ne has joined #openstack-keystone		20:22
dolphm	lbragstad: morgan: ^	20:28
*** geoffarnold has quit IRC		20:29
*** geoffarnold has joined #openstack-keystone		20:30
*** marzif has joined #openstack-keystone		20:30
morgan	So if the userid is hex and 16 bytes we assume uuid. (I guess that is a safe assumption)	20:31
*** e0ne has quit IRC		20:35
*** mylu has quit IRC		20:38
openstackgerrit	Brant Knudson proposed openstack/keystone: More info in RequestContext https://review.openstack.org/213595	20:43
*** topol has quit IRC		20:45
*** _hrou_ has joined #openstack-keystone		20:48
*** hrou has quit IRC		20:49
*** geoffarnold has quit IRC		20:50
*** phalmos has quit IRC		20:51
*** geoffarnold has joined #openstack-keystone		20:51
*** exploreshaifali has joined #openstack-keystone		20:55
*** diazjf has quit IRC		20:56
*** thiagop has quit IRC		20:58
*** raildo is now known as raildo-afk		21:00
*** pushkaru has joined #openstack-keystone		21:01
*** pumaranikar has joined #openstack-keystone		21:01
*** diazjf has joined #openstack-keystone		21:02
*** petertr7 is now known as petertr7_away		21:04
*** tyagiprince2010 has quit IRC		21:07
*** jsavak has quit IRC		21:12
*** geoffarnold has quit IRC		21:12
*** geoffarnold has joined #openstack-keystone		21:12
*** gildub has joined #openstack-keystone		21:18
*** njohnston is now known as nate_gone		21:20
stevemar_	bknudson: why set tenant instead of project?	21:28
stevemar_	"request_context.tenant = auth_context.get('project_id')"	21:28
bknudson	stevemar_: that's what the field is in oslo_context RequestContext. :(	21:28
stevemar_	bknudson: sadness :(	21:28
bknudson	stevemar_: http://git.openstack.org/cgit/openstack/oslo.context/tree/oslo_context/context.py#n54	21:29
bknudson	I need to deprecate that old garbage!	21:29
stevemar_	bknudson: JFDI	21:29
stevemar_	bknudson: https://bugs.launchpad.net/oslo.context/+bug/1505827	21:31
openstack	Launchpad bug 1505827 in oslo.context "use project instead of tenant" [Undecided,New]	21:31
stevemar_	add project to args, self.tenant = tenant or project, if tenant: log.deprecation blah	21:32
*** _hrou_ has quit IRC		21:33
*** hrou has joined #openstack-keystone		21:33
*** geoffarn_ has joined #openstack-keystone		21:33
*** roxanaghe has quit IRC		21:33
*** geoffarnold has quit IRC		21:34
stevemar_	blah, all the other spots	21:34
stevemar_	hmmm	21:34
*** urulama has quit IRC		21:36
*** urulama has joined #openstack-keystone		21:36
*** hrou has quit IRC		21:37
*** hrou has joined #openstack-keystone		21:38
*** hrou has quit IRC		21:42
*** hrou has joined #openstack-keystone		21:42
*** pauloewerton has quit IRC		21:42
*** pgbridge has quit IRC		21:43
*** hrou has quit IRC		21:44
*** hrou has joined #openstack-keystone		21:44
lbragstad	dolphm thanks, looking	21:45
lbragstad	dolphm also, i added another comment here - √	21:46
lbragstad	s/√/ https://review.openstack.org/#/c/231191/ /	21:46
*** pumarani__ has joined #openstack-keystone		21:47
*** gordc has quit IRC		21:47
*** pumarani__ has quit IRC		21:47
stevemar_	lbragstad: √√√√	21:47
*** diazjf has left #openstack-keystone		21:51
*** geoffarn_ has quit IRC		21:54
*** geoffarnold has joined #openstack-keystone		21:55
*** pgbridge has joined #openstack-keystone		21:57
*** exploreshaifali has quit IRC		21:59
*** pumaranikar has quit IRC		22:03
*** pushkaru has quit IRC		22:04
*** mylu has joined #openstack-keystone		22:07
*** sigmavirus24 is now known as sigmavirus24_awa		22:08
*** jasonsb has quit IRC		22:08
*** jasonsb has joined #openstack-keystone		22:09
*** slberger has left #openstack-keystone		22:09
*** david-lyle has quit IRC		22:10
*** tecn1z has quit IRC		22:10
*** mylu has quit IRC		22:11
*** mylu has joined #openstack-keystone		22:11
*** david-lyle has joined #openstack-keystone		22:12
*** tonytan4ever has quit IRC		22:13
*** ngupta has quit IRC		22:15
*** geoffarnold has quit IRC		22:15
*** mylu has quit IRC		22:16
*** geoffarnold has joined #openstack-keystone		22:16
*** pgbridge has quit IRC		22:20
*** pgbridge has joined #openstack-keystone		22:21
*** hrou has quit IRC		22:23
openstackgerrit	Steve Martinelli proposed openstack/keystone: Move endpoint_policy migrations into keystone core https://review.openstack.org/171916	22:31
*** edmondsw has quit IRC		22:33
*** darrenc is now known as darrenc_afk		22:35
openstackgerrit	Steve Martinelli proposed openstack/keystone: Move endpoint_policy migrations into keystone core https://review.openstack.org/171916	22:36
openstackgerrit	Steve Martinelli proposed openstack/keystone: Move federation extension into keystone core https://review.openstack.org/214775	22:36
*** mylu has joined #openstack-keystone		22:36
*** geoffarnold has quit IRC		22:37
*** geoffarnold has joined #openstack-keystone		22:37
*** marzif has quit IRC		22:41
*** marzif has joined #openstack-keystone		22:41
*** jbell8 has quit IRC		22:41
*** wwwjfy_ has joined #openstack-keystone		22:47
*** mylu has quit IRC		22:48
*** mylu has joined #openstack-keystone		22:49
*** wwwjfy_ has quit IRC		22:49
*** mylu_ has joined #openstack-keystone		22:50
*** mylu has quit IRC		22:53
anteaya	stevemar_: you seen this? http://www.cbc.ca/news/politics/elections-canada-says-3-6-million-votes-cast-during-advance-polls-1.3269393	22:58
*** geoffarn_ has joined #openstack-keystone		22:59
*** chlong has quit IRC		22:59
*** geoffarnold has quit IRC		23:03
*** gyee has joined #openstack-keystone		23:07
*** ChanServ sets mode: +v gyee		23:07
*** lhcheng has quit IRC		23:11
*** lhcheng has joined #openstack-keystone		23:13
*** ChanServ sets mode: +v lhcheng		23:13
*** lhcheng_ has joined #openstack-keystone		23:17
*** geoffarn_ has quit IRC		23:18
*** lhcheng has quit IRC		23:19
*** geoffarnold has joined #openstack-keystone		23:20
*** stevemar_ has quit IRC		23:23
*** stevemar_ has joined #openstack-keystone		23:24
*** ChanServ sets mode: +o stevemar_		23:24
*** mylu_ has quit IRC		23:28
*** mylu has joined #openstack-keystone		23:29
openstackgerrit	Lin Hua Cheng proposed openstack/keystone: Validate user exist when assigning roles in V2 https://review.openstack.org/93982	23:30
*** mylu has quit IRC		23:34
stevemar_	anteaya: i have heard it was an insane number, that's huge	23:36
stevemar_	anteaya: i am waiting until until the actual day, since the polling station is in the building i live in :)	23:37
*** mylu has joined #openstack-keystone		23:40
shaleh	what is the expected turn out?	23:41
*** dims has quit IRC		23:41
*** dims has joined #openstack-keystone		23:42
*** r-daneel has quit IRC		23:43
stevemar_	shaleh: its up 70% from 2011	23:44
stevemar_	this is just advanced polling, the main day always has a big turn out	23:44
* shaleh waits for his country, the "Leader" of the free world to come to its senses and make voting that easy		23:45
stevemar_	shaleh: it's in case you are traveling or busy the day of :)	23:56
*** hrou has joined #openstack-keystone		23:57

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!