Friday, 2015-10-16

*** mancdaz has joined #openstack-keystone		00:05
*** brad[] has joined #openstack-keystone		00:05
*** BAKfr has joined #openstack-keystone		00:05
*** iurygregory has joined #openstack-keystone		00:05
*** jmccrory has joined #openstack-keystone		00:05
*** martinus__ has joined #openstack-keystone		00:05
*** evrardjp has joined #openstack-keystone		00:05
*** bradjones\|away has joined #openstack-keystone		00:05
*** aix has joined #openstack-keystone		00:05
*** baffle has joined #openstack-keystone		00:05
*** jbonjean has joined #openstack-keystone		00:05
*** dstanek has joined #openstack-keystone		00:05
*** tsufiev has joined #openstack-keystone		00:05
*** cameron.freenode.net sets mode: +v dstanek		00:05
*** hogepodge has joined #openstack-keystone		00:07
*** petertr7 has joined #openstack-keystone		00:07
*** jdennis has joined #openstack-keystone		00:07
*** jasonsb__ has joined #openstack-keystone		00:07
*** afazekas has joined #openstack-keystone		00:07
*** jasondotstar has joined #openstack-keystone		00:07
*** pgbridge has joined #openstack-keystone		00:07
*** dobson has joined #openstack-keystone		00:07
*** arunkant has joined #openstack-keystone		00:07
*** andreykurilin has joined #openstack-keystone		00:07
*** mordred has joined #openstack-keystone		00:07
*** njohnston has joined #openstack-keystone		00:07
*** haneef__ has joined #openstack-keystone		00:07
*** jamiec has joined #openstack-keystone		00:07
*** x58 has joined #openstack-keystone		00:07
*** trey has joined #openstack-keystone		00:07
*** ekarlso has joined #openstack-keystone		00:07
*** redrobot has joined #openstack-keystone		00:07
*** zeus has joined #openstack-keystone		00:07
*** Dave has joined #openstack-keystone		00:07
*** clayton has joined #openstack-keystone		00:07
*** med_ has joined #openstack-keystone		00:07
*** tellesnobrega has joined #openstack-keystone		00:07
*** jgriffith has joined #openstack-keystone		00:07
*** goodygum has joined #openstack-keystone		00:07
*** raginbajin has joined #openstack-keystone		00:07
*** rmstar has joined #openstack-keystone		00:07
*** mtreinish has joined #openstack-keystone		00:07
*** shadower has joined #openstack-keystone		00:07
*** toddnni has joined #openstack-keystone		00:07
*** daemontool_ has joined #openstack-keystone		00:07
*** pkarikh has joined #openstack-keystone		00:07
*** blogan has joined #openstack-keystone		00:07
*** HenryG has joined #openstack-keystone		00:07
*** d0ugal has joined #openstack-keystone		00:07
*** charz has joined #openstack-keystone		00:07
*** Madkiss has joined #openstack-keystone		00:07
*** zz_john5223 has joined #openstack-keystone		00:07
*** lars1 has joined #openstack-keystone		00:07
*** nonameentername has joined #openstack-keystone		00:07
*** Nakato has joined #openstack-keystone		00:08
*** zzzeek_ has joined #openstack-keystone		00:08
*** tjcocozz has joined #openstack-keystone		00:08
*** rm_work has joined #openstack-keystone		00:08
*** mjb has joined #openstack-keystone		00:08
*** errr has joined #openstack-keystone		00:08
*** odyssey4me has joined #openstack-keystone		00:08
*** mhu has joined #openstack-keystone		00:08
*** BrAsS_mO- has joined #openstack-keystone		00:08
*** timburke has joined #openstack-keystone		00:08
*** jvarlamova has joined #openstack-keystone		00:08
*** david8hu has joined #openstack-keystone		00:08
*** miguelgrinberg has joined #openstack-keystone		00:08
*** woodster_ has joined #openstack-keystone		00:08
*** akscram has joined #openstack-keystone		00:08
*** gsilvis has joined #openstack-keystone		00:08
*** sileht has joined #openstack-keystone		00:08
*** wolsen has joined #openstack-keystone		00:08
*** hideme_ has joined #openstack-keystone		00:08
*** telemonster has joined #openstack-keystone		00:08
*** breton has joined #openstack-keystone		00:08
*** flaper87 has joined #openstack-keystone		00:08
*** kragniz has joined #openstack-keystone		00:08
*** florianf\|away has joined #openstack-keystone		00:08
*** freerunner has joined #openstack-keystone		00:08
*** _fortis has joined #openstack-keystone		00:08
*** opilotte has joined #openstack-keystone		00:08
*** pc-pothole has joined #openstack-keystone		00:08
*** mkoderer has joined #openstack-keystone		00:08
*** urulama has joined #openstack-keystone		00:08
*** browne has joined #openstack-keystone		00:08
*** richm has joined #openstack-keystone		00:08
*** agireud has joined #openstack-keystone		00:08
*** rbowen has joined #openstack-keystone		00:08
*** kfjohnson_ has joined #openstack-keystone		00:08
*** bigjools has joined #openstack-keystone		00:08
*** alex_xu has joined #openstack-keystone		00:08
*** amakarov_away has joined #openstack-keystone		00:08
*** andreaf has joined #openstack-keystone		00:08
*** raildo-afk has joined #openstack-keystone		00:08
*** grantbow has joined #openstack-keystone		00:08
*** htruta has joined #openstack-keystone		00:08
*** hugokuo has joined #openstack-keystone		00:08
*** aix has quit IRC		00:11
*** david-lyle has joined #openstack-keystone		00:11
*** lbragstad has joined #openstack-keystone		00:11
*** edmondsw has joined #openstack-keystone		00:11
*** wasmum- has joined #openstack-keystone		00:11
*** btully has joined #openstack-keystone		00:11
*** zhiyan has joined #openstack-keystone		00:11
*** jraim has joined #openstack-keystone		00:11
*** nzeer has joined #openstack-keystone		00:11
*** morgan has joined #openstack-keystone		00:11
*** dgonzalez has joined #openstack-keystone		00:11
*** cameron.freenode.net sets mode: +v morgan		00:11
*** _cjones_ has joined #openstack-keystone		00:12
*** alejandrito has joined #openstack-keystone		00:12
*** openstackgerrit has joined #openstack-keystone		00:12
*** samueldmq has joined #openstack-keystone		00:12
*** rha has joined #openstack-keystone		00:12
*** rodrigods has joined #openstack-keystone		00:12
*** ctracey has joined #openstack-keystone		00:12
*** amit213 has joined #openstack-keystone		00:12
*** ericksonsantos has joined #openstack-keystone		00:12
*** dhellmann has joined #openstack-keystone		00:12
*** gerhardqux has joined #openstack-keystone		00:12
*** EmilienM has joined #openstack-keystone		00:12
*** notmyname has joined #openstack-keystone		00:12
*** bapalm has joined #openstack-keystone		00:12
*** j_king has joined #openstack-keystone		00:12
*** jimbaker has joined #openstack-keystone		00:12
*** bknudson has joined #openstack-keystone		00:12
*** jlk has joined #openstack-keystone		00:12
*** tristanC has joined #openstack-keystone		00:12
*** hughsaunders has joined #openstack-keystone		00:12
*** jlvillal has joined #openstack-keystone		00:12
*** anteaya has joined #openstack-keystone		00:12
*** cameron.freenode.net sets mode: +v bknudson		00:12
*** gildub has joined #openstack-keystone		00:13
*** harlowja has joined #openstack-keystone		00:13
*** gyee has joined #openstack-keystone		00:14
*** rvba has joined #openstack-keystone		00:14
*** josecastroleon has joined #openstack-keystone		00:14
*** briancurtin has joined #openstack-keystone		00:14
*** chmouel has joined #openstack-keystone		00:14
*** jrist has joined #openstack-keystone		00:14
*** crinkle has joined #openstack-keystone		00:14
*** ramishra has joined #openstack-keystone		00:14
*** cameron.freenode.net sets mode: +v gyee		00:14
*** wasmum- has quit IRC		00:14
*** david-lyle has quit IRC		00:14
*** alejandrito has quit IRC		00:15
*** wwwjfy has joined #openstack-keystone		00:16
*** doug-fish has joined #openstack-keystone		00:16
*** EinstCrazy has joined #openstack-keystone		00:16
*** svasheka has joined #openstack-keystone		00:16
*** nkinder has joined #openstack-keystone		00:16
*** Daviey has joined #openstack-keystone		00:16
*** esp has joined #openstack-keystone		00:16
*** sirushti has joined #openstack-keystone		00:16
*** wasmum has joined #openstack-keystone		00:17
*** wasmum has quit IRC		00:17
*** wasmum has joined #openstack-keystone		00:17
*** EinstCrazy has quit IRC		00:17
*** SpamapS has joined #openstack-keystone		00:17
*** cburgess has joined #openstack-keystone		00:17
*** darrenc has joined #openstack-keystone		00:17
*** dims_ has joined #openstack-keystone		00:17
*** ayoung has joined #openstack-keystone		00:17
*** lhcheng has joined #openstack-keystone		00:17
*** SamYaple has joined #openstack-keystone		00:17
*** serverascode has joined #openstack-keystone		00:17
*** krotscheck has joined #openstack-keystone		00:17
*** jamielennox has joined #openstack-keystone		00:17
*** boltR has joined #openstack-keystone		00:17
*** mitz_ has joined #openstack-keystone		00:17
*** mfisch has joined #openstack-keystone		00:17
*** cloudnull has joined #openstack-keystone		00:17
*** zigo has joined #openstack-keystone		00:17
*** tonyb has joined #openstack-keystone		00:17
*** rharwood has joined #openstack-keystone		00:17
*** gus has joined #openstack-keystone		00:17
*** sigmavirus24_awa has joined #openstack-keystone		00:17
*** eglute has joined #openstack-keystone		00:17
*** d34dh0r53 has joined #openstack-keystone		00:17
*** dolphm has joined #openstack-keystone		00:17
*** cameron.freenode.net sets mode: +vvvo ayoung lhcheng jamielennox dolphm		00:17
*** comstud has joined #openstack-keystone		00:17
*** hockeynut has joined #openstack-keystone		00:17
*** dtroyer has joined #openstack-keystone		00:17
*** mgagne has joined #openstack-keystone		00:17
*** sudorandom has joined #openstack-keystone		00:17
*** johnthetubaguy has joined #openstack-keystone		00:19
*** arif-ali has joined #openstack-keystone		00:19
*** marekd has joined #openstack-keystone		00:19
*** dims_ has quit IRC		00:20
*** shadower has quit IRC		00:23
*** shadower has joined #openstack-keystone		00:23
*** harlowja has quit IRC		00:24
*** dims_ has joined #openstack-keystone		00:26
*** dims_ has quit IRC		00:27
*** dims_ has joined #openstack-keystone		00:27
*** ChanServ has joined #openstack-keystone		00:30
*** cameron.freenode.net sets mode: +o ChanServ		00:30
*** jbonjean has quit IRC		00:30
*** jbonjean has joined #openstack-keystone		00:30
*** harlowja has joined #openstack-keystone		00:31
*** stevemar_ has joined #openstack-keystone		00:31
*** ChanServ sets mode: +o stevemar_		00:31
*** wwwjfy has quit IRC		00:32
*** wwwjfy has joined #openstack-keystone		00:32
*** wwwjfy has left #openstack-keystone		00:32
stevemar_	jamielennox: feel like +A'ing https://review.openstack.org/#/c/227655/ ? it's already got 2x+2	00:36
stevemar_	jamielennox: also, welcome aboard :)	00:36
*** wwwjfy has joined #openstack-keystone		00:36
jamielennox	stevemar_: done	00:37
stevemar_	\o/	00:37
jamielennox	stevemar_: and yay!	00:37
stevemar_	https://review.openstack.org/#/c/235581/ what about a 1 character change? :P	00:38
jamielennox	can i just A that	00:40
jamielennox	stevemar_: swap for https://review.openstack.org/#/c/235107/2	00:40
jamielennox	i said that earlier but i think it netsplit	00:40
stevemar_	jamielennox: up to you if you want to A it :P	00:41
stevemar_	i won't tattle	00:41
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/235646	00:42
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements https://review.openstack.org/235436	00:42
*** chlong has joined #openstack-keystone		00:43
jamielennox	stevemar_: so do you have plans on a ksa release?	00:44
jamielennox	i know ksc got one	00:44
jamielennox	ksm as well by the look of it	00:44
openstackgerrit	OpenStack Proposal Bot proposed openstack/python-keystoneclient-kerberos: Updated from global requirements https://review.openstack.org/235656	00:46
jamielennox	oh, we need to do a release of ^ too	00:46
*** browne has quit IRC		00:48
openstackgerrit	Merged openstack/oslo.policy: Add test for invalid JSON https://review.openstack.org/234297	00:55
*** wasmum has quit IRC		00:56
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/235646	00:56
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements https://review.openstack.org/235436	00:57
stevemar_	jamielennox: alright, just looking at all the bits that need to line up	00:57
*** EinstCrazy has joined #openstack-keystone		00:58
openstackgerrit	Lin Hua Cheng proposed openstack/keystoneauth: Minor fix for AccessInfo project_scoped accessor https://review.openstack.org/235616	00:58
jamielennox	stevemar_: shouldn't do it on a friday either but if we can get all the bits then can go early next week	00:58
stevemar_	jamielennox: agreed	00:59
*** mylu has joined #openstack-keystone		01:00
openstackgerrit	OpenStack Proposal Bot proposed openstack/oslo.policy: Updated from global requirements https://review.openstack.org/235683	01:00
openstackgerrit	OpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/235690	01:00
openstackgerrit	Merged openstack/python-keystoneclient-kerberos: Updated from global requirements https://review.openstack.org/235656	01:00
stevemar_	jamielennox: what aobut https://review.openstack.org/#/c/225453/6	01:01
jamielennox	stevemar_: +2	01:03
jamielennox	stevemar_: there's a previous +2 from bknudson as well so i think you can just tick that one off	01:04
stevemar_	yep, saw that	01:04
openstackgerrit	Merged openstack/oslo.policy: Fix a typo in policy.py https://review.openstack.org/234110	01:07
openstackgerrit	OpenStack Proposal Bot proposed openstack/oslo.policy: Updated from global requirements https://review.openstack.org/235683	01:07
*** lhcheng has quit IRC		01:08
openstackgerrit	Alexey Troshkov proposed openstack/python-keystoneclient: This is patch adds option is_domain to create the project. When using this option, the client creates a project as domain in keystone. https://review.openstack.org/235085	01:08
*** miyagishi_t has joined #openstack-keystone		01:09
openstackgerrit	Alexey Troshkov proposed openstack/python-keystoneclient: This is patch adds option is_domain to create the project. When using this option, the client creates a project as domain in keystone. https://review.openstack.org/235085	01:13
stevemar_	jamielennox: anything needed for ksc-kerb	01:16
openstackgerrit	Alexey Troshkov proposed openstack/python-keystoneclient: Add option is_domain https://review.openstack.org/235085	01:16
jamielennox	stevemar_: i have up https://review.openstack.org/#/c/233864/ which is somewhat of a revert of an earlier patch	01:17
stevemar_	y, i see that	01:17
stevemar_	i'm going to +2 dolphm's stuff	01:17
jamielennox	https://github.com/openstack/python-keystoneclient-kerberos/commit/a7c6a7c04c0b0c4c2da3ee77532439844ead52d3	01:17
stevemar_	same as the other repos	01:17
*** davechen1 has joined #openstack-keystone		01:18
jamielennox	i haven't seen that docstring one	01:18
jamielennox	but we did that in others as well?	01:18
jamielennox	the fixed flake8_docstrings==0.2.1.post1 is weird to me	01:19
stevemar_	jamielennox: i'm sure it'll be unfixed soon enough	01:19
stevemar_	the immutable __all__ can be merged now	01:20
jamielennox	yea, i +Aed that one - i don't really see the point, but whatever	01:20
*** david-lyle has joined #openstack-keystone		01:21
openstackgerrit	Merged openstack/python-keystoneclient-kerberos: Make __all__ immutable https://review.openstack.org/230045	01:21
*** davechen has joined #openstack-keystone		01:22
openstackgerrit	Steve Martinelli proposed openstack/python-keystoneclient-kerberos: Use stevedore.sphinxext to populate a new page listing all available drivers. https://review.openstack.org/221547	01:22
jamielennox	stevemar_: i haven't seen ^ at work yet	01:23
stevemar_	jamielennox: hmm?	01:24
*** jasonsb__ has quit IRC		01:24
stevemar_	i dont follow	01:24
jamielennox	the sphinext thing	01:24
jamielennox	that could be really useful	01:24
*** davechen1 has quit IRC		01:24
stevemar_	jamielennox: yes	01:25
stevemar_	i am hoping to try that with osc's plugins	01:25
stevemar_	should be "fun"	01:25
stevemar_	jamielennox: no docs page for ksc-kerb?	01:25
stevemar_	http://docs.openstack.org/developer/python-keystoneclient-kerberos	01:25
jamielennox	stevemar_: no idea	01:26
stevemar_	that's #nobueno	01:26
jamielennox	that's bad right?	01:27
stevemar_	whoa, no release since april?!	01:27
stevemar_	yes	01:27
*** jamielennox has left #openstack-keystone		01:27
*** jamielennox has joined #openstack-keystone		01:27
*** ChanServ sets mode: +v jamielennox		01:27
jamielennox	stevemar_: it's not a plugin that needs to change much	01:27
stevemar_	i suppose not	01:27
stevemar_	still, we should have docs	01:28
jamielennox	yup	01:28
stevemar_	is this something that will eventually get gobbled up by ksa?	01:28
jamielennox	depends on what the outcome of that extra dependencies is	01:28
stevemar_	i think we are good on that front	01:29
stevemar_	but i'd like to confirm in tokyo	01:29
jamielennox	the only reason it's seperate is because of the deps so if we merge that back then yes it'll got into ksa	01:29
stevemar_	yep requests-kerberos>=0.6;python_version=='2.7' or python_version=='2.6' # MIT	01:29
stevemar_	same with ksc-saml2	01:29
*** wwwjfy_ has joined #openstack-keystone		01:30
davechen	stevemar_, morgan, jamielennox: all of endpoint filter stuff should be merged with keystone.catalog, right?	01:32
davechen	I saw there is some disscussion about this in the channel.	01:32
stevemar_	davechen: yep, you can follow what i did with the federation and oauth bits	01:32
jamielennox	stevemar_: oh, yea at least previously requests-kerberos was py27 only, i think i saw something about py3 but haven't followed up	01:33
davechen	oaky, I will upadate it, stevemar_	01:33
davechen	i think this will be splited into two bits - https://review.openstack.org/#/c/167675/ and https://review.openstack.org/#/c/183377/.	01:34
*** wwwjfy has quit IRC		01:34
davechen	dstanek: ping? are you around?	01:34
stevemar_	davechen: oh wow, i had no idea there was a patch for it	01:35
*** wwwjfy_ has quit IRC		01:35
openstackgerrit	Merged openstack/python-keystoneclient: auto-generate release history https://review.openstack.org/227655	01:36
davechen	stevemar_: both of them are addressing endpoint filter, so I am going to just focus on this - https://review.openstack.org/#/c/183377/.	01:37
stevemar_	davechen: good call	01:37
stevemar_	davechen: yes, you've done good :) just merge it with catalog	01:38
stevemar_	and then i will add it to my super long chain of commits	01:39
stevemar_	then jamielennox will review them all :P	01:39
davechen	stevemar_: cool. :)	01:39
jamielennox	voluntold	01:39
davechen	stevemar_: should be easy for jamielennox to review, all of these start from his first commit. :)	01:40
*** edmondsw has quit IRC		01:40
*** mylu has quit IRC		01:43
*** spandhe has quit IRC		01:44
*** pumaranikar has joined #openstack-keystone		01:45
*** mylu has joined #openstack-keystone		01:45
*** hidekazu has joined #openstack-keystone		01:46
*** marzif has joined #openstack-keystone		01:47
openstackgerrit	Hidekazu Nakamura proposed openstack/keystone: Update development environment set up doc https://review.openstack.org/223020	01:50
openstackgerrit	Merged openstack/python-keystoneclient: Fix typo that says V3 token only works for v2 https://review.openstack.org/235581	01:51
*** mylu has quit IRC		01:52
stevemar_	davechen: jamielennox that is true :)	01:52
*** mylu has joined #openstack-keystone		01:52
jamielennox	whilst that first patch took a while you are both assuming i remember anything about why i did it that way	01:53
davechen	hehe, good response.	01:54
jamielennox	stevemar_: osc is python2 only?	01:55
stevemar_	jamielennox: good question	01:56
jamielennox	stevemar_: it failed to pip install on python3, but i'm running a seriously messed up environment	01:56
stevemar_	jamielennox: i could say that one of the libs we depend on probably isn't py3	01:57
stevemar_	but honestly, i just haven't bothered to try	01:57
jamielennox	tablib appears not	01:57
*** mylu has quit IRC		01:57
stevemar_	we removed that though	01:57
stevemar_	i wonder if swiftclient is	01:57
openstackgerrit	Merged openstack/keystoneauth: Add url as a deprecated alias for endpoint https://review.openstack.org/225453	01:58
openstackgerrit	Merged openstack/keystoneauth: Expose bind data via AccessInfo https://review.openstack.org/235107	01:59
*** richm has quit IRC		02:00
*** woodster_ has quit IRC		02:09
*** pumaranikar has quit IRC		02:10
*** mylu has joined #openstack-keystone		02:11
*** dims_ has quit IRC		02:14
*** dims_ has joined #openstack-keystone		02:14
*** mylu has quit IRC		02:15
*** mylu has joined #openstack-keystone		02:15
*** mylu has quit IRC		02:17
openstackgerrit	Merged openstack/python-keystoneclient-kerberos: Use optional authentication https://review.openstack.org/233864	02:18
ayoung	stevemar_, not that I don't trust you or jamielennox but technically https://review.openstack.org/#/c/225453/6 is a violation of the "don't railroad through a change all from one company" policy now.	02:21
*** mylu has joined #openstack-keystone		02:21
openstackgerrit	Steve Martinelli proposed openstack/keystone: Move revoke extension into core https://review.openstack.org/235704	02:22
stevemar_	ayoung: !!	02:22
ayoung	feel free to ping me for those...I am more than willing to +A things that are reasonable like that	02:22
stevemar_	ayoung: true, good point, i am not quite used to thinking of jamielennox as same company yet :)	02:23
ayoung	stevemar_, you think it is hard for you	02:23
stevemar_	hehe	02:23
*** mylu has quit IRC		02:24
ayoung	stevemar_, OTOH, morgan is now fair game again....	02:24
*** mylu has joined #openstack-keystone		02:24
stevemar_	ayoung: true	02:24
*** mylu has quit IRC		02:26
*** mylu has joined #openstack-keystone		02:27
openstackgerrit	Merged openstack/keystoneauth: Allow fetching oslo.config Opts from plugins https://review.openstack.org/227611	02:27
*** mylu has quit IRC		02:27
*** spandhe has joined #openstack-keystone		02:27
*** mylu has joined #openstack-keystone		02:28
ayoung	stevemar_, If what Matt says on https://review.openstack.org/#/c/233480/ is correct we have a problem: so many things expect admin unscoped to work, and he's claiming there are APIs that need Admin scoped to work...	02:28
*** hightall has joined #openstack-keystone		02:28
*** mylu has quit IRC		02:29
ayoung	stevemar_, here's the crux; if the resource is unscoped (like a hypervisor) what should we realistically scope it to?	02:29
ayoung	termie said way back when "the admin project"	02:30
*** lhcheng has joined #openstack-keystone		02:30
*** ChanServ sets mode: +v lhcheng		02:30
ayoung	so...lets say we have an admim project...how do we communicate that to the other services?	02:30
*** mylu has joined #openstack-keystone		02:32
jamielennox	ayoung, stevemar_: crap, that's going to be a pain	02:32
*** mylu has quit IRC		02:33
*** mylu has joined #openstack-keystone		02:34
ayoung	jamielennox, https://review.openstack.org/#/c/233480 ? he's got to be wrong	02:35
jamielennox	ayoung: that's a lot of comments	02:35
ayoung	jamielennox, Its like, no one wants to engage to solve the problem, just to say "No"	02:36
jamielennox	ayoung: i'll admit i don't really like the solution, i just havent come up with anything better yet	02:36
ayoung	I would really appreciate some +1 type suppor on that one. Or an alternative. A viable alternative	02:36
jamielennox	:)	02:37
*** mylu_ has joined #openstack-keystone		02:37
ayoung	jamielennox, the solution is to do this, then say "existing policy is scope check only" and make RBAC a separate check	02:37
jamielennox	does nova etc really just ignore project scope if they get admin/	02:37
ayoung	there are many APIs wehere there is no scope	02:37
ayoung	like add Hypervisor	02:37
ayoung	anything not scoped to a proejct...	02:38
*** mylu has quit IRC		02:38
*** mylu_ has quit IRC		02:38
ayoung	so this is implicitly communciation "this is the admin project" via the only mechanism we have	02:39
*** mylu has joined #openstack-keystone		02:39
*** mylu has quit IRC		02:40
*** hightall has quit IRC		02:40
*** mylu has joined #openstack-keystone		02:40
ayoung	jamielennox, part of the problem is that we have the v3 cloud sample file implying that editing the policy files is an acceptable thing to do, but we no way of communicating what is supposed to be in that file	02:41
ayoung	it should be jinja {{ admin_project_id }} or something	02:41
* ayoung thinking in yaml now		02:41
*** wwwjfy has joined #openstack-keystone		02:41
jamielennox	yea, this was the point about service scoped tokens right	02:41
jamielennox	to be able to do that sorta stuff	02:42
jamielennox	we can't even make it domain admin any more	02:42
jamielennox	ayoung: how do you seperate admin on project from admin on service then?	02:44
jamielennox	if you limit admin to only being allowed on an admin project	02:45
jamielennox	that rules out regular project admin tasks	02:45
*** browne has joined #openstack-keystone		02:45
morgan	.	02:45
morgan	test	02:45
jamielennox	morgan: roger	02:46
morgan	ok cool	02:46
*** hightall has joined #openstack-keystone		02:46
ayoung	heh..that was the most appropriate use of roger ever	02:46
ayoung	roger was the old phonetic alphabet for R	02:47
ayoung	R was sent in mosrse code for 'received'	02:47
ayoung	Of course, over the readio, it is no more suyllables to say 'received' than 'roger' but the Army is nothing if not in love with traditions	02:47
ayoung	jamielennox, the short answer is that we stop using admin for project scoped resources and use a differen role	02:48
*** dims_ has quit IRC		02:49
ayoung	lets call it manager and be done with it	02:49
jamielennox	ayoung: both problems then involve fixing policies	02:49
*** dims_ has joined #openstack-keystone		02:49
ayoung	jamielennox, m,ome causes less pain	02:49
ayoung	mine	02:49
ayoung	jamielennox, I have yet to find a policy that checks both scope and role=='admin'	02:50
ayoung	http://git.openstack.org/cgit/openstack/nova/tree/etc/nova/policy.json	02:50
ayoung	its all "rule:admin_or_owner",	02:50
ayoung	"admin_or_owner": "is_admin:True or project_id:%(project_id)s",	02:50
*** lifeless has joined #openstack-keystone		02:51
ayoung	"context_is_admin": "role:admin",	02:51
*** dims_ has quit IRC		02:51
*** topol has joined #openstack-keystone		02:51
*** ChanServ sets mode: +v topol		02:51
*** dims_ has joined #openstack-keystone		02:51
jamielennox	ayoung: policy shouldn't let you even pass without a scope	02:54
jamielennox	ouch, context_is_admin is just wrong	02:54
ayoung	jamielennox, and yet it does.	02:54
ayoung	jamielennox, remember, roles were origianlly global	02:54
ayoung	someone on Keystone changed that	02:54
ayoung	I was trying to figure out with git blame who it was	02:55
jamielennox	so why don't we just change context_is_admin to "role:admin and project_id in XXX,YYY,ZZZ"	02:55
jamielennox	(i don't know how to write that in policy)	02:55
*** dikonoor has joined #openstack-keystone		02:55
*** mylu has quit IRC		02:56
*** mylu has joined #openstack-keystone		03:02
*** mylu has quit IRC		03:05
openstackgerrit	OpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/235690	03:06
ayoung	jamielennox, look at this http://git.openstack.org/cgit/openstack/keystone/commit/?id=e8fb989b8b07f3209300ecba043bdf14c94d497f	03:06
ayoung	jamielennox, what would you put in the policuy file for XXX,YYY,ZZZ	03:07
jamielennox	wtf is that	03:07
ayoung	we could say "and project_name=admin" but now with multiple domains	03:07
jamielennox	how did that make it into an upstream produce	03:07
ayoung	jamielennox, heh I have no idea	03:07
ayoung	it was done a long long time ago	03:07
ayoung	2012-02-13	03:07
ayoung	change groups to roles...	03:07
jamielennox	ayoung: it feels like we are fighting the other services at this point	03:08
ayoung	jamielennox, actually, my change is the only way to do it without fighting them	03:08
ayoung	its ack of the status quo	03:08
ayoung	but, yes, we are fighting them	03:08
jamielennox	ayoung: i've been leaving the review because tokyo is just over a week away and i think we'll have this debate many times	03:09
ayoung	http://git.openstack.org/cgit/openstack/keystone/commit/?id=6c60d6c783656f35657b6cb462d93390fc689ac0	03:09
jamielennox	we being everyone not just you & me	03:09
*** tobe has joined #openstack-keystone		03:11
jamielennox	need lunch, back soon	03:11
*** mylu has joined #openstack-keystone		03:13
ayoung	it goes back to KSL https://github.com/termie/keystonelight/blob/master/keystone/identity/core.py#L120	03:15
*** gyee has quit IRC		03:15
openstackgerrit	Steve Martinelli proposed openstack/keystone: Move revoke sql migrations to common https://review.openstack.org/235712	03:27
openstackgerrit	Merged openstack/oslo.policy: Updated from global requirements https://review.openstack.org/235683	03:32
*** mylu has quit IRC		03:47
*** mylu has joined #openstack-keystone		03:49
*** jamielennox has quit IRC		03:51
*** jamielennox has joined #openstack-keystone		03:52
*** ChanServ sets mode: +v jamielennox		03:52
*** mylu has quit IRC		03:53
*** mylu has joined #openstack-keystone		03:53
*** mylu_ has joined #openstack-keystone		03:54
*** mylu has quit IRC		03:57
*** mylu has joined #openstack-keystone		03:59
*** mylu_ has quit IRC		03:59
*** dims_ has quit IRC		04:29
*** marzif has quit IRC		04:36
*** spandhe_ has joined #openstack-keystone		04:43
*** spandhe has quit IRC		04:44
*** spandhe_ is now known as spandhe		04:44
*** mylu has quit IRC		04:44
*** mylu has joined #openstack-keystone		04:45
*** mylu has quit IRC		04:49
*** roxanaghe has joined #openstack-keystone		04:51
*** roxanaghe has quit IRC		05:01
*** lhcheng has quit IRC		05:04
*** lhcheng has joined #openstack-keystone		05:21
*** ChanServ sets mode: +v lhcheng		05:21
openstackgerrit	Steve Martinelli proposed openstack/keystone: use extras for fernet token support https://review.openstack.org/235731	05:27
*** jamielennox is now known as jamielennox\|away		05:30
openstackgerrit	Lin Hua Cheng proposed openstack/keystoneauth: Refactored AccessInfo.project_scoped accessor https://review.openstack.org/235616	05:39
*** miyagishi_t has quit IRC		05:41
*** miyagishi_t_ has joined #openstack-keystone		05:44
*** pnavarro\|off has joined #openstack-keystone		05:47
stevemar_	lhcheng: if you're still up https://review.openstack.org/#/c/195873/	05:47
stevemar_	it would be great to get that one in before i have to rebase it again :)	05:48
lhcheng	stevemar_: oh yeah, I starred the patch last night.	05:51
*** roxanaghe has joined #openstack-keystone		05:51
lhcheng	going to take a look now	05:51
*** roxanaghe has quit IRC		05:52
stevemar_	lhcheng: ty sir!	05:54
stevemar_	you are a gentleman and a scholar	05:54
lhcheng	hah	05:54
lhcheng	anytime!	05:55
*** miyagishi_t_ has quit IRC		05:56
davechen	two night owls :)	05:57
stevemar_	davechen: who needs sleep anyway	06:00
*** browne1 has joined #openstack-keystone		06:00
*** pnavarro\|off has quit IRC		06:02
*** browne has quit IRC		06:02
lhcheng	davechen: we're staying late to keep you company	06:02
davechen	lhcheng: i am crying...	06:02
davechen	:)	06:03
lhcheng	lol	06:03
davechen	i am caculating how long are you need to sleep?	06:03
*** jbell8 has joined #openstack-keystone		06:04
davechen	role models !	06:04
lhcheng	I still get much, I go to work a bit later	06:05
*** exploreshaifali has joined #openstack-keystone		06:15
lhcheng	stevemar_: posted a question on the patch, let me know if that makes sense	06:15
*** chlong has quit IRC		06:15
stevemar_	lhcheng: eeeee yaaaa	06:19
stevemar_	lhcheng: i'll post a follow up patch to change those :P	06:20
lhcheng	stevemar_: cool	06:21
*** ParsectiX has joined #openstack-keystone		06:22
openstackgerrit	Steve Martinelli proposed openstack/keystone: fix deprecation warnings in cache backends https://review.openstack.org/235748	06:24
stevemar_	lhcheng: ^	06:24
stevemar_	i wanted to squeeze that one in over night, instead of waiting around for reviews on a friday	06:25
stevemar_	but good catch!	06:25
lhcheng	stevemar_: doing one more pass, checking again	06:25
stevemar_	lhcheng: ty sir!	06:26
*** dims_ has joined #openstack-keystone		06:26
*** dims_ has quit IRC		06:28
*** tobe has quit IRC		06:28
stevemar_	lhcheng: fwiw, this one is "interesting" https://review.openstack.org/#/c/235747/	06:28
lhcheng	oh yeah, I saw that popped up	06:29
lhcheng	curious to see the generated output	06:29
stevemar_	though it's easier to see the generated docs	06:29
stevemar_	yeah	06:29
stevemar_	it's not the best	06:29
stevemar_	but i'm surprised that it worked	06:29
lhcheng	it only generate the docs that has the entry point?	06:30
breton	o/	06:30
stevemar_	lhcheng: yep, you can put nonsense as the entrypoint, and if it doesn't find it, nada	06:35
stevemar_	lhcheng: bed time for me	06:35
*** spandhe has quit IRC		06:35
stevemar_	see you all in a few hours!	06:35
*** stevemar_ has quit IRC		06:35
lhcheng	stevemar_: alright, just finishing up the last pass	06:35
*** stevemar_ has joined #openstack-keystone		06:36
*** ChanServ sets mode: +o stevemar_		06:36
lhcheng	stevemar_: good night	06:36
*** EinstCrazy has quit IRC		06:37
davechen	sweat dream! lhcheng, stevemar_	06:37
*** spandhe has joined #openstack-keystone		06:37
*** EinstCrazy has joined #openstack-keystone		06:38
*** stevemar_ has quit IRC		06:38
*** tobe has joined #openstack-keystone		06:39
*** tyagiprince2010 has joined #openstack-keystone		06:42
*** gildub has quit IRC		06:48
*** spandhe has quit IRC		06:54
*** mylu has joined #openstack-keystone		06:56
*** mylu has quit IRC		07:01
*** tobe has quit IRC		07:01
*** EinstCra_ has joined #openstack-keystone		07:04
*** EinstCrazy has quit IRC		07:05
*** EinstCrazy has joined #openstack-keystone		07:05
*** EinstCr__ has joined #openstack-keystone		07:06
*** EinstCra_ has quit IRC		07:07
*** EinstCrazy has quit IRC		07:10
*** tobe has joined #openstack-keystone		07:18
*** lsmola_ has joined #openstack-keystone		07:21
*** exploreshaifali has quit IRC		07:21
*** e0ne has joined #openstack-keystone		07:27
*** dims_ has joined #openstack-keystone		07:28
*** browne1 has quit IRC		07:30
*** dims_ has quit IRC		07:33
*** ParsectiX has quit IRC		07:39
*** EinstCrazy has joined #openstack-keystone		07:46
*** jvarlamova has quit IRC		07:48
*** EinstCr__ has quit IRC		07:48
*** fhubik has joined #openstack-keystone		07:51
*** e0ne has quit IRC		07:54
*** pnavarro\|off has joined #openstack-keystone		07:56
*** belmoreira has joined #openstack-keystone		07:56
*** mylu has joined #openstack-keystone		07:57
*** ParsectiX has joined #openstack-keystone		07:59
*** mylu has quit IRC		08:01
*** jaosorior has joined #openstack-keystone		08:04
*** tyagiprince2010 has quit IRC		08:06
*** ParsectiX has quit IRC		08:07
*** jaosorior has quit IRC		08:10
*** jbell8 has quit IRC		08:13
*** jbell8 has joined #openstack-keystone		08:14
*** jistr has joined #openstack-keystone		08:24
*** ParsectiX has joined #openstack-keystone		08:28
*** dims_ has joined #openstack-keystone		08:29
*** dims_ has quit IRC		08:35
openstackgerrit	Dave Chen proposed openstack/keystone: Move endpoint filter into keystone core https://review.openstack.org/183377	08:39
*** e0ne has joined #openstack-keystone		08:39
*** ParsectiX has quit IRC		08:45
*** hidekazu has left #openstack-keystone		08:56
*** lhcheng has quit IRC		08:58
*** f13o has joined #openstack-keystone		09:05
openstackgerrit	Dave Chen proposed openstack/keystone: Move endpoint_filter migrations into keystone core https://review.openstack.org/186988	09:07
*** florianf\|away is now known as florianf		09:09
*** ParsectiX has joined #openstack-keystone		09:12
*** tyagiprince2010 has joined #openstack-keystone		09:14
*** hightall has quit IRC		09:29
*** dims_ has joined #openstack-keystone		09:31
*** dims_ has quit IRC		09:37
*** aix has joined #openstack-keystone		09:42
*** dims_ has joined #openstack-keystone		09:48
*** davechen has left #openstack-keystone		09:50
*** jaosorior has joined #openstack-keystone		09:56
*** mylu has joined #openstack-keystone		09:58
*** jaosorior has quit IRC		10:01
*** mylu has quit IRC		10:02
*** fhubik has quit IRC		10:13
openstackgerrit	Merged openstack/keystone: switch to oslo.cache https://review.openstack.org/195873	10:13
*** bradjones\|away is now known as bradjones		10:15
*** exploreshaifali has joined #openstack-keystone		10:16
*** pnavarro\|off has quit IRC		10:18
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/235608	10:19
*** pnavarro\|off has joined #openstack-keystone		10:29
*** pnavarro\|off has quit IRC		10:32
*** tyagiprince2010 has quit IRC		10:34
dstanek	bug day is here!	10:37
*** EinstCrazy has quit IRC		10:49
*** wwwjfy has quit IRC		10:52
*** njohnston is now known as nate_gone		10:54
*** lsmola_ has quit IRC		11:02
*** jaosorior has joined #openstack-keystone		11:10
*** fhubik has joined #openstack-keystone		11:19
*** jaosorior has quit IRC		11:25
*** stevemar_ has joined #openstack-keystone		11:52
*** ChanServ sets mode: +o stevemar_		11:53
*** wwwjfy has joined #openstack-keystone		11:54
*** EinstCrazy has joined #openstack-keystone		11:55
*** stevemar_ has quit IRC		11:55
*** kiranr has joined #openstack-keystone		12:02
ayoung	dstanek, good, put a +1 on this: https://review.openstack.org/#/c/233480/	12:10
*** jaosorior has joined #openstack-keystone		12:10
*** alejandrito has joined #openstack-keystone		12:13
*** exploreshaifali has quit IRC		12:15
*** jaosorior has quit IRC		12:20
dstanek	ayoung: oh, good. an easy one :-)	12:22
ayoung	dstanek, the corner the Nova folks have painted us in to is nice and tight.	12:23
ayoung	dstanek so effectively what he is saying is that in order to be able to set a quota on a project, you get the ability to do any other admin action that is unscoped, like add a hypervisor	12:23
*** raildo-afk is now known as raildo		12:25
*** gordc has joined #openstack-keystone		12:28
breton	why are all patches in merge conflict?	12:31
breton	the whole front page is in merge conflicts.	12:31
dstanek	breton: the ones i am looking at are not in merge conflict	12:32
*** ajaya has joined #openstack-keystone		12:34
breton	dstanek: you've filtered them by Verified+1, haven't you?	12:36
dstanek	breton: not that i know of	12:37
dstanek	ordered by 'updated' though	12:37
*** ayoung has quit IRC		12:38
*** jbell8 has quit IRC		12:41
*** jaosorior has joined #openstack-keystone		12:42
*** kiran-r has joined #openstack-keystone		12:43
breton	https://bugs.launchpad.net/keystone/+bug/1506594 -- should we implement the trimming in keystone? Or in ksc? Or mark as invalid?	12:44
openstack	Launchpad bug 1506594 in Keystone "Keystone endpoint can not resolve DNS" [Undecided,New]	12:44
openstackgerrit	Merged openstack/keystone: Correct typo in copyright https://review.openstack.org/232528	12:45
openstackgerrit	Merged openstack/keystone: Enable subprocess_without_shell_equals_true Bandit test https://review.openstack.org/225692	12:46
*** amakarov_away is now known as amakarov		12:46
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/235608	12:47
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/235608	12:48
*** chlong has joined #openstack-keystone		12:48
breton	dstanek:	12:49
*** kiran-r has quit IRC		12:50
*** tobe has quit IRC		12:50
dstanek	breton: ?	12:51
breton	what do you think about bug 1506594?	12:51
openstack	bug 1506594 in Keystone "Keystone endpoint can not resolve DNS" [Undecided,New] https://launchpad.net/bugs/1506594	12:51
breton	> should we implement the trimming in keystone? Or in ksc? Or mark as invalid?	12:52
*** dikonoor has quit IRC		12:53
*** thiagop has joined #openstack-keystone		12:53
dstanek	breton: just commented on the bug. i don't think we should automatically strip anything	12:57
dstanek	i think a small amount of validation may be good though	12:57
dstanek	lbragstad: thoughts? ^	12:57
raildo	#BugDay \o/	12:58
*** ayoung has joined #openstack-keystone		12:59
*** ChanServ sets mode: +v ayoung		12:59
tjcocozz	\o/	13:00
ayoung	dstanek, http://venturebeat.com/2015/10/15/source-red-hat-is-buying-ansible-for-more-than-100m/	13:00
dstanek	ayoung: yeah, i saw that this morning. maybe you guys can fix their broken	13:00
*** davechen has joined #openstack-keystone		13:01
dstanek	raildo: grab a bug!	13:01
ayoung	dstanek, maybe this means we can get Puppet out of our installer.	13:01
raildo	dstanek: I will! Do you have any recommendation sir?	13:01
davechen	dstanek: here is a bug - https://bugs.launchpad.net/keystone/+bug/1429576 :)	13:03
openstack	Launchpad bug 1429576 in Keystone "region field in 'new_endpoint_ref' is never effective." [Low,In progress] - Assigned to Dave Chen (wei-d-chen)	13:03
dstanek	raildo: not in particular. i would say pick one that you can make some progress on today	13:03
davechen	dstanek: i think we need relax the validation to allow the empty request body.	13:03
raildo	dstanek: ok	13:04
davechen	dstanek: I didn't aware that region is allowed to be created with empty request body	13:05
davechen	dstanek: what do you think? sir	13:05
openstackgerrit	Boris Bobrov proposed openstack/keystone: Forbid non-stripped endpoint urls https://review.openstack.org/235906	13:05
*** ayoung has quit IRC		13:05
breton	^	13:05
davechen	dstanek: sorry, i posed the wrong link	13:06
davechen	dstanek: here it is - https://bugs.launchpad.net/keystone/+bug/1501740	13:06
openstack	Launchpad bug 1501740 in Keystone "Creating a region without request parameters failed." [Medium,Confirmed] - Assigned to Dave Chen (wei-d-chen)	13:06
*** wwwjfy has quit IRC		13:07
*** wwwjfy has joined #openstack-keystone		13:08
dstanek	davechen: good question, i'll take a look in a second	13:08
*** ayoung has joined #openstack-keystone		13:09
*** ChanServ sets mode: +v ayoung		13:09
*** jlk has quit IRC		13:09
davechen	dstanek: thanks!	13:09
openstackgerrit	Henrique Truta proposed openstack/keystone: Tests for projects acting as domains https://review.openstack.org/211219	13:10
openstackgerrit	Henrique Truta proposed openstack/keystone: Projects acting as domains https://review.openstack.org/231289	13:10
openstackgerrit	Henrique Truta proposed openstack/keystone: Removes project.domain_id FK https://review.openstack.org/233274	13:10
ayoung	htruta, deal with these if you want https://review.openstack.org/#/c/212819/1/keystoneclient/common/cms.py	13:10
*** jlk has joined #openstack-keystone		13:11
*** jlk has quit IRC		13:11
*** jlk has joined #openstack-keystone		13:11
htruta	ayoung: I can see it later... I'm going with this one for now: https://review.openstack.org/#/c/134095/3	13:11
dstanek	davechen: replied on the bug. does that make sense?	13:13
davechen	dstanek: good idea, this looks like a better approach.	13:15
*** su_zhang has joined #openstack-keystone		13:20
*** richm has joined #openstack-keystone		13:20
lbragstad	dstanek reading back	13:21
davechen	dstanek: may not finish this in the bug squashing day, but will fix it ASAP.	13:21
*** nate_gone is now known as njohnston		13:22
dstanek	davechen: np	13:22
dstanek	lbragstad: just the validation stuff	13:22
lbragstad	dstanek breton interesting...	13:22
lbragstad	is that always the case with whitespace in a url?	13:23
breton	lbragstad: I've proposed a fix https://review.openstack.org/235906	13:23
*** ajaya has quit IRC		13:23
lbragstad	breton awesome... reveiewing	13:23
breton	I wonder whether we need a migration for it.	13:23
breton	nah, we don't need. If anybody has such urls in his db, their openstack is broken.	13:25
lbragstad	breton well, if a deployment previously had whitespace in their urls everything would break	13:25
lbragstad	breton your change just makes getting to the broken place a little harder	13:25
*** richm has quit IRC		13:27
htruta	dstanek: for this case https://review.openstack.org/#/c/134095/3/keystone/tests/unit/test_v3_catalog.py does an exception.Conflict seem correct to you?	13:28
breton	if a deployment previously had whitespace in their urls they would not even start working	13:29
dstanek	lbragstad: yes, i'm pretty sure that's always the case	13:29
*** fhubik is now known as fhubik_brb		13:29
lbragstad	breton ++, i think that looks good	13:30
dstanek	htruta: i don't think so because i think a conflict is something specific, but let me take a look ...	13:30
*** richm has joined #openstack-keystone		13:31
*** davechen has quit IRC		13:31
*** jaosorior has quit IRC		13:32
dstanek	htruta: yeah, i don't think conflict is correct.	13:33
raildo	htruta: it's a DbduplicateEntry	13:34
raildo	i guess...	13:34
htruta	dstanek: I thought so, because of this one: https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_backend.py#L802	13:34
dstanek	htruta: hmm...yeah, i think that's incorrect and should probably be a validation error	13:35
dstanek	but who knows maybe that's an openstack thing	13:36
htruta	dstanek, raildo: yep... the sql backend raises oslo_db.exception.DBDuplicateEntry, which seems to be a 500 error	13:36
dstanek	hmm.. maybe dolphm, bknudson or morgan have something to say about that? (our use of 409)	13:37
dstanek	technically i think it's ok, but seems odd to me	13:37
htruta	dstanek: for me too. I thought of catching this exception and raising a ValidationError	13:38
dstanek	htruta: we should get some input here first	13:38
bknudson	validationerror means the client did something wrong on this request	13:38
*** jsavak has joined #openstack-keystone		13:38
htruta	dstanek: ++	13:38
breton	what do you think about bug 1503755 ? It has some comments from lbragstad and dolphm, but is still [undecided,new]	13:39
openstack	bug 1503755 in Keystone "Admin with project-scoped token unable to grant, check, list, revoke roles for domain group/user" [Undecided,New] https://launchpad.net/bugs/1503755	13:39
breton	I'd say it's invalid	13:39
htruta	bknudson: so, when a unique constraint fails, it seems like the client has done something wrong. validationerror, right?	13:39
ayoung	invalid	13:40
ayoung	project scoped tokens are not domain scoped tokens	13:40
bknudson	htruta: a 400 error is the correct response there	13:40
lbragstad	breton yeah, i guess given dolphm's comment it would be invalid	13:40
bknudson	I'm not going to say it's a validationerror, the exception should be specific to the problem.	13:40
*** fhubik_brb is now known as fhubik		13:42
*** edmondsw has joined #openstack-keystone		13:47
breton	could someone mark bug 1489260 as won't fix? It was discussed there why.	13:50
openstack	bug 1489260 in Keystone "trust details unavailable for admin token" [Medium,Triaged] https://launchpad.net/bugs/1489260	13:50
htruta	bknudson: thx	13:50
htruta	dstanek: so, I guess I'll treat the exception and raise a validationerror	13:51
dstanek	htruta: sounds good to me	13:51
bknudson	dstanek: is there an etherpad for the office hours tracking?	13:51
bknudson	never mind, found it: https://etherpad.openstack.org/p/keystone-office-hours	13:52
breton	https://etherpad.openstack.org/p/keystone-office-hours	13:52
*** njohnston is now known as nate_gone		13:53
*** pumaranikar has joined #openstack-keystone		13:55
*** davechen1 has joined #openstack-keystone		14:04
*** nzeer has left #openstack-keystone		14:06
*** ParsectiX has quit IRC		14:06
*** jsavak has quit IRC		14:06
*** jsavak has joined #openstack-keystone		14:07
* breton shrugs		14:07
breton	what else to fix?	14:07
davechen1	Anyone interesting in reviewing two pure doc changes in ksm? - https://review.openstack.org/#/c/219162/ and https://review.openstack.org/#/c/220545/	14:09
lbragstad	is anyone familiar with the parent_as_list/parent_as_ids calls?	14:09
davechen1	both of them are trying to close the bug tracked in the lp.	14:09
lbragstad	same with the subtree_as_list/subtree_as_ids calls	14:10
lbragstad	htruta samueldmq ^	14:10
breton	I marked bug 1480334 as invalid and then thought that maybe it should be marked some other way. Maybe keystone should be removed from the list of affected projects at all?	14:10
openstack	bug 1480334 in oslo.config "can't use "$" in password for ldap authentication" [Undecided,Won't fix] https://launchpad.net/bugs/1480334	14:10
htruta	lbragstad: I guess I can say I am	14:10
htruta	me and raildo	14:10
lbragstad	htruta awesome, quick question for you	14:10
lbragstad	htruta I was able to recreate this, Tim and I didn't do anything wrong did we? https://bugs.launchpad.net/keystone/+bug/1506653	14:11
openstack	Launchpad bug 1506653 in Keystone "Retrieving either a project's parents or subtree as_list does not work" [High,Confirmed]	14:11
dstanek	breton: there are lots of things to fix :-)	14:11
htruta	lbragstad: looking	14:12
*** kiranr has quit IRC		14:12
breton	dstanek: suggest one?	14:12
dstanek	breton: i say pick ones that interest you.	14:12
*** sigmavirus24_awa is now known as sigmavirus24		14:13
htruta	lbragstad: which role did your user have on project 3?	14:14
raildo	lbragstad: to return the projects in subtree_as_list you must need have role assignments in the subprojects	14:14
lbragstad	htruta i did all of this with the admin user	14:14
raildo	or use inherited roles...	14:14
lbragstad	hmm	14:15
htruta	the same that raildo said applies to parents_as_list	14:15
raildo	yeap	14:15
lbragstad	is subtree_as_list suppose to have the same response as subtree_as_ids?	14:15
htruta	lbragstad: in which case?	14:16
raildo	lbragstad: if you have role in every subproject, yes	14:16
breton	many bugs have fixes, but little reviews	14:16
breton	*but with little reviews	14:16
htruta	breton: an easy review for you... https://review.openstack.org/#/c/207218/ bknudson has already reviewed	14:17
lbragstad	htruta, as an admin, i can get the ids of the parents of the tree - http://cdn.pasteraw.com/abdd3la2924agvsl1ihbqmn6yxhhw6v	14:17
lbragstad	htruta as an admin, but i'm unable to get the same information using the parents_as_list - http://cdn.pasteraw.com/ajjc1owd5efcr6xwtsdbj7nqcq6cw6e	14:17
lbragstad	what i mean, is technically, it's the same information, right?	14:17
htruta	lbragstad: you shouldn't see this, because parents_as_list has much more information than parents_as_ids	14:18
openstackgerrit	Merged openstack/keystonemiddleware: Updated from global requirements https://review.openstack.org/235436	14:18
breton	htruta: > Restricts the update of a domain_id for a project, (even with the	14:18
breton	'domain_id_immutable' property set to False), allowing it only for	14:18
breton	root projects that have no children of its own	14:18
breton	why allow update of domain id?	14:18
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/235646	14:18
lbragstad	htruta but i can still see the ids of those projects with project_as_ids	14:19
breton	why can't we have it immutable for all projects?	14:19
htruta	breton: we allow it today in every way. We are restricting and deprecating it. It takes 2 cycles for it :/	14:19
lbragstad	htruta just trying to understand why ids aren't important from a security perspective	14:19
lbragstad	in this particular case	14:19
raildo	lbragstad: subtree_as_ids returns a dict of ids for every project in the hierarchy (even if you not have a role assignment in the projects)	14:19
raildo	lbragstad: subtree_as_list returns a list of projects that you have role assignments	14:20
lbragstad	raildo yeah, that makes sense	14:20
dstanek	breton: i'm trying to target reviews that have bugs listed :-) we need to make progress from all ends	14:20
breton	htruta: 2 cycles or 1? The patch says 1	14:21
lbragstad	raildo i get that subtree_as_list returns more information	14:21
*** petertr7 is now known as petertr7_away		14:21
htruta	breton: 1, sorry. 1 full cycle deprecated	14:21
*** nate_gone is now known as njohnston		14:21
htruta	lbragstad: I'm trying to find the discussion of this	14:21
lbragstad	htruta cool, is it captured in the review?	14:21
*** davechen1 has left #openstack-keystone		14:21
lbragstad	htruta or in a review?	14:21
raildo	lbragstad: we have some explanation about this two behaviours here: https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3.rst#get-project	14:23
*** su_zhang has quit IRC		14:23
raildo	lbragstad: So I think that bug is invalid	14:23
bknudson	if you've got bug fixes you'd like reviewed, put them in https://etherpad.openstack.org/p/keystone-office-hours so they're easy to find.	14:23
lbragstad	raildo reading	14:23
*** su_zhang has joined #openstack-keystone		14:24
bknudson	also it will allow us to track what got done during the office hours	14:24
raildo	lbragstad: or maybe, we can explain better in the docs :)	14:25
lbragstad	raildo yeah, i think the bug is invalid, but i think we could improve the docs	14:25
lbragstad	raildo ++	14:25
lbragstad	raildo the docs don't say anything about a behavioral different around role assignments	14:25
raildo	lbragstad: ok, I'll do that today :)	14:25
*** ayoung has quit IRC		14:25
raildo	agreed	14:26
lbragstad	raildo perfect! if you want to propose it as "Related-Bug: 1506653"	14:26
openstack	bug 1506653 in Keystone "Retrieving either a project's parents or subtree as_list does not work" [High,Confirmed] https://launchpad.net/bugs/1506653	14:26
lbragstad	raildo I'm going to leave some comments on the bug and explain that a new patch is on the way	14:26
raildo	lbragstad: ++	14:26
lbragstad	raildo htruta thanks for the context/explanation!	14:26
raildo	lbragstad: no problem :)	14:27
*** petertr7_away is now known as petertr7		14:27
dstanek	also for bugs that already have reviews you could go ahead and review them!	14:27
htruta	lbragstad, raildo, ok	14:28
*** rderose has joined #openstack-keystone		14:28
*** tonytan4ever has joined #openstack-keystone		14:31
*** e0ne has quit IRC		14:31
*** r-daneel has joined #openstack-keystone		14:32
*** zz_john5223 is now known as john5223		14:33
*** phalmos has joined #openstack-keystone		14:35
*** fhubik has quit IRC		14:36
*** jsavak has quit IRC		14:37
*** jistr has quit IRC		14:37
*** jsavak has joined #openstack-keystone		14:38
*** slberger has joined #openstack-keystone		14:39
*** phalmos has quit IRC		14:39
*** jistr has joined #openstack-keystone		14:41
*** hightall has joined #openstack-keystone		14:45
openstackgerrit	Brant Knudson proposed openstack/keystone: AuthContextMiddleware admin token handling https://review.openstack.org/198931	14:49
*** lbragstad has quit IRC		14:51
*** lbragstad has joined #openstack-keystone		14:51
*** e0ne has joined #openstack-keystone		14:53
*** ajaya has joined #openstack-keystone		14:56
slberger	If token caching is enabled, are fernet tokens cached in anyway? like their validation	14:56
dolphm	slberger: good question -- i actually don't think so, but let me check	14:57
bknudson	the auth_token middleware treats fernet tokens same as uuid tokens	14:57
bknudson	it doesn't have any code to identity fernet tokens	14:57
dolphm	oh yeah, they're definitely cached in middleware	14:58
dolphm	i was thinking in keystone	14:58
dolphm	there are definitely MEMOIZE wrappers here: https://github.com/openstack/keystone/blob/master/keystone/token/provider.py#L247-L265	14:58
bknudson	is there token caching in keystone?	14:58
bknudson	ah, well that's not token format specific either	14:59
dolphm	bknudson: on requests with X-Auth-Token?	14:59
bknudson	dolphm: hopefully the same code is called for X-Auth-Token and X-Subject-Token.	15:00
bknudson	maybe that's too much to hope for.	15:01
dolphm	bknudson: lol it should be. those two are the only path into the token providers for validation IIRC	15:01
*** rderose has quit IRC		15:02
*** su_zhang has quit IRC		15:06
*** chlong has quit IRC		15:09
*** weihan has joined #openstack-keystone		15:09
*** su_zhang has joined #openstack-keystone		15:09
*** diazjf has joined #openstack-keystone		15:11
*** david-ly_ has joined #openstack-keystone		15:11
*** david-lyle has quit IRC		15:11
openstackgerrit	Lance Bragstad proposed openstack/keystone-specs: Improve get project query strings https://review.openstack.org/235971	15:12
lbragstad	it has been agreed that we are going to put things for review in the etherpad, right?	15:13
tjcocozz	lbragstad, yes but the section wasn't created last time I checked	15:14
lbragstad	tjcocozz cool, doing that now	15:15
tjcocozz	lbragstad, thanks	15:15
*** jistr is now known as jistr\|mtg		15:18
bknudson	lbragstad: could you move it to the top so it's easier to track?	15:18
*** roxanaghe has joined #openstack-keystone		15:18
bknudson	I don't care about the rest of the content on the page now	15:18
lbragstad	bknudson absolutely	15:18
*** stevemar_ has joined #openstack-keystone		15:18
*** ChanServ sets mode: +o stevemar_		15:18
*** stevemar_ has quit IRC		15:19
*** ayoung has joined #openstack-keystone		15:19
*** ChanServ sets mode: +v ayoung		15:19
*** stevemar_ has joined #openstack-keystone		15:19
*** ChanServ sets mode: +o stevemar_		15:19
*** urulama has quit IRC		15:19
*** josecastroleon has quit IRC		15:20
*** urulama has joined #openstack-keystone		15:20
*** roxanaghe has quit IRC		15:22
*** john5223 is now known as zz_john5223		15:24
*** timcline has joined #openstack-keystone		15:25
*** jbell8 has joined #openstack-keystone		15:26
*** jbell8 has quit IRC		15:28
*** jlk has quit IRC		15:30
openstackgerrit	Tom Cocozzello proposed openstack/keystonemiddleware: Configure filter factories for PasteDeploy https://review.openstack.org/233839	15:31
openstackgerrit	Merged openstack/keystone: fix deprecation warnings in cache backends https://review.openstack.org/235748	15:31
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/235608	15:33
*** e0ne has quit IRC		15:37
bknudson	#success keystone switched to oslo.cache	15:37
openstackstatus	bknudson: Added success to Success page	15:37
stevemar_	bknudson: \o/	15:37
*** diazjf has quit IRC		15:37
lbragstad	stevemar_ bknudson speaking of that, i just started rebasing https://review.openstack.org/#/c/215212/ :)	15:37
lbragstad	and i actually have a question	15:38
bknudson	hopefully it's minimal? just change section to group	15:38
*** diazjf has joined #openstack-keystone		15:38
*** e0ne has joined #openstack-keystone		15:38
bknudson	oh, you've got your own region	15:38
lbragstad	our keytone.common.cache module has a configure_cache method now	15:38
*** _cjones_ has quit IRC		15:39
lbragstad	so, do we move stuff like https://review.openstack.org/#/c/215212/13/keystone/server/backends.py to keystone.common.cache.core.py?	15:39
*** jistr\|mtg has quit IRC		15:39
bknudson	since we've got 2 of them now it's probably best to move it into keystone.common.cache	15:40
*** jistr has joined #openstack-keystone		15:40
lbragstad	bknudson ok, so cache.configure_cache_region(catalog.COMPUTED_CATALOG_REGION) will always be handled by our keystone.common.cache	15:40
bknudson	if it's only used in keystone.catalog.core then put it in there.	15:41
*** jbell8 has joined #openstack-keystone		15:42
*** browne has joined #openstack-keystone		15:45
openstackgerrit	Steve Martinelli proposed openstack/keystone: Move endpoint_policy migrations into keystone core https://review.openstack.org/171916	15:46
openstackgerrit	Steve Martinelli proposed openstack/keystone: Move federation extension into keystone core https://review.openstack.org/214775	15:47
openstackgerrit	Steve Martinelli proposed openstack/keystone: Move federation sql migrations to common https://review.openstack.org/234537	15:47
openstackgerrit	Brant Knudson proposed openstack/keystone: Update test modules passing on py34 https://review.openstack.org/231635	15:48
openstackgerrit	Brant Knudson proposed openstack/keystone: Handle fernet payload timestamp differences https://review.openstack.org/232711	15:48
openstackgerrit	Brant Knudson proposed openstack/keystone: Fix fernet key writing for python 3 https://review.openstack.org/231710	15:48
openstackgerrit	Brant Knudson proposed openstack/keystone: Fix fernet padding for python 3 https://review.openstack.org/231711	15:48
openstackgerrit	Steve Martinelli proposed openstack/keystone: Move oauth1 extension into core https://review.openstack.org/234598	15:48
openstackgerrit	Steve Martinelli proposed openstack/keystone: Move oauth1 sql migrations to common https://review.openstack.org/235121	15:48
openstackgerrit	Steve Martinelli proposed openstack/keystone: Move revoke extension into core https://review.openstack.org/235704	15:49
lbragstad	what about the make_region() stuff here - https://review.openstack.org/#/c/215212/13/keystone/catalog/core.py ?	15:49
openstackgerrit	Steve Martinelli proposed openstack/keystone: Move revoke sql migrations to common https://review.openstack.org/235712	15:49
lbragstad	bknudson ^	15:49
openstackgerrit	Steve Martinelli proposed openstack/keystone: Move endpoint filter into keystone core https://review.openstack.org/183377	15:49
bknudson	lbragstad: sure, if the region is only used in keystone.catalog.core, do it there.	15:50
lbragstad	bknudson ok	15:50
stevemar_	yay no more merge conflicts	15:50
stevemar_	!!	15:50
openstack	stevemar_: Error: "!" is not a valid command.	15:50
stevemar_	screw you openstack bot	15:50
stevemar_	i'll tell you what's an error or not	15:50
bknudson	getting closer getting test_fernet_provider passing on py3 with the change to oslo.cache.	15:51
lbragstad	awesome	15:51
stevemar_	bknudson: i'm glad oslo.cache is in :)	15:52
stevemar_	-2000 lines is good	15:52
bknudson	we should have a real chance at python3 support in M.	15:52
dstanek	breton: this one is ayoung's and i think that all is needed is some tests https://bugs.launchpad.net/keystone/+bug/1240163	15:53
openstack	Launchpad bug 1240163 in python-keystoneclient "Can't store a PKI token with a large catalog" [Medium,In progress] - Assigned to Adam Young (ayoung)	15:53
ayoung	dstanek, yep. Please!	15:53
dstanek	haneef__: yt?	15:54
slberger	More caching questions, So looking at the default config everything is cached by default when global caching is enabled? so if I want to cache something like tokens or revocations they are already taken care of when I enable global caching?	15:55
stevemar_	when i get back, i'll be squashing bugs!	15:55
*** su_zhang has quit IRC		15:56
*** diazjf has quit IRC		15:57
*** hightall has quit IRC		15:57
*** topol has quit IRC		15:58
*** e0ne has quit IRC		15:59
* tjcocozz squashes bugs like she squashes grapes http://i.imgur.com/XVP8bYS.gif		16:00
*** e0ne has joined #openstack-keystone		16:00
*** diazjf has joined #openstack-keystone		16:02
lbragstad	#fail	16:02
dstanek	lbragstad: i don't think they setup a failbot yet	16:03
*** gyee has joined #openstack-keystone		16:03
*** ChanServ sets mode: +v gyee		16:03
lbragstad	dstanek we should get on that	16:03
*** mylu has joined #openstack-keystone		16:04
*** _cjones_ has joined #openstack-keystone		16:04
morgan	slberger: yes. Caching is on for each subsystem when you turn global caching on. You can turn token caching for example, explicitly off if you want.	16:04
morgan	stevemar_: good luck bug squashing ;)	16:05
*** stevemar_ has quit IRC		16:10
*** belmoreira has quit IRC		16:11
*** stevemar_ has joined #openstack-keystone		16:11
*** ChanServ sets mode: +o stevemar_		16:11
*** ayoung has quit IRC		16:14
*** stevemar_ has quit IRC		16:16
*** roxanaghe has joined #openstack-keystone		16:18
*** roxanaghe has quit IRC		16:19
*** lhcheng has joined #openstack-keystone		16:19
*** ChanServ sets mode: +v lhcheng		16:19
*** roxanaghe has joined #openstack-keystone		16:19
*** e0ne has quit IRC		16:22
*** rvba has quit IRC		16:25
*** urulama has quit IRC		16:25
*** urulama has joined #openstack-keystone		16:25
*** bradjones has quit IRC		16:26
*** tonytan4ever has quit IRC		16:30
*** jistr has quit IRC		16:33
*** spandhe has joined #openstack-keystone		16:36
*** roxanaghe has quit IRC		16:37
*** spandhe_ has joined #openstack-keystone		16:37
*** jaosorior has joined #openstack-keystone		16:37
*** jaosorior has quit IRC		16:37
*** jaosorior has joined #openstack-keystone		16:37
*** roxanaghe has joined #openstack-keystone		16:38
*** wwwjfy has quit IRC		16:39
*** weihan has quit IRC		16:39
*** spandhe has quit IRC		16:40
*** spandhe_ is now known as spandhe		16:40
*** jaosorior has quit IRC		16:40
*** jaosorior has joined #openstack-keystone		16:41
*** weihan has joined #openstack-keystone		16:43
*** diazjf has quit IRC		16:43
*** mylu has quit IRC		16:44
*** phalmos has joined #openstack-keystone		16:46
*** browne has quit IRC		16:46
*** weihan has quit IRC		16:48
*** weihan has joined #openstack-keystone		16:48
*** diazjf has joined #openstack-keystone		16:48
*** spandhe has quit IRC		16:49
*** diazjf has quit IRC		16:51
dstanek	tjcocozz: let me know if that comment makes sense	16:52
*** roxanaghe has quit IRC		16:52
*** diazjf has joined #openstack-keystone		16:53
openstackgerrit	Henrique Truta proposed openstack/keystone: Constraint to prevent duplicates endpoints https://review.openstack.org/134095	16:53
dstanek	tjcocozz: https://pythonhosted.org/setuptools/setuptools.html#dynamic-discovery-of-services-and-plugins	16:53
*** dims_ has quit IRC		16:54
*** dims_ has joined #openstack-keystone		16:55
*** diazjf has quit IRC		16:56
*** weihan has quit IRC		16:56
*** phalmos has quit IRC		16:57
openstackgerrit	Lance Bragstad proposed openstack/keystone-specs: Improve get project query strings https://review.openstack.org/235971	16:59
*** roxanaghe has joined #openstack-keystone		16:59
*** roxanaghe has quit IRC		16:59
htruta	breton: about your comment here: https://review.openstack.org/#/c/207218/21/keystone/identity/core.py	17:00
openstackgerrit	Lance Bragstad proposed openstack/keystone: Add caching to get_catalog https://review.openstack.org/215212	17:00
htruta	the method you've suggested to put the check has a not from henrynash: https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L684	17:00
htruta	I think it's better if we don't touch it, right?	17:00
*** jsavak has quit IRC		17:02
*** jsavak has joined #openstack-keystone		17:03
*** jaosorior has quit IRC		17:09
dstanek	any reason not to close this one? https://bugs.launchpad.net/keystone/+bug/1490497	17:10
openstack	Launchpad bug 1490497 in Keystone "pep8-incompliant filenames missing in gate console logs" [Undecided,Incomplete]	17:10
*** stevemar_ has joined #openstack-keystone		17:10
*** ChanServ sets mode: +o stevemar_		17:10
bknudson	dstanek: I've never seen that error.	17:12
openstackgerrit	Dolph Mathews proposed openstack/keystone: Test revocation race conditions https://review.openstack.org/227995	17:12
dstanek	bknudson: me either. i think it is a random infa thing	17:12
bknudson	we don't need the gate to tell us what files are involved pep8 fails. run it on your local system.	17:12
*** jasonsb has joined #openstack-keystone		17:13
openstackgerrit	Dolph Mathews proposed openstack/keystone: Fix D208: Docstring over indented. (PEP257) https://review.openstack.org/229837	17:13
openstackgerrit	Dolph Mathews proposed openstack/keystone: Fix D402: First line should not be the function's "signature" (PEP257) https://review.openstack.org/229839	17:13
openstackgerrit	Dolph Mathews proposed openstack/keystone: Fix D300: Use """triple double quotes""" (PEP257) https://review.openstack.org/229853	17:14
openstackgerrit	Dolph Mathews proposed openstack/keystone: Fix D210: No whitespaces allowed surrounding docstring text (PEP257) https://review.openstack.org/229857	17:14
openstackgerrit	Dolph Mathews proposed openstack/keystone: Fix D200: 1 line docstrings should fit with quotes (PEP257) https://review.openstack.org/229865	17:14
openstackgerrit	Dolph Mathews proposed openstack/keystone: Fix D202: No blank lines after function docstring (PEP257) https://review.openstack.org/229887	17:14
openstackgerrit	Dolph Mathews proposed openstack/keystone: Fix D204: blank line required after class docstring (PEP257) https://review.openstack.org/229898	17:14
openstackgerrit	Dolph Mathews proposed openstack/keystone: Promote an arbitrary string to be a docstring https://review.openstack.org/229916	17:14
stevemar_	dstanek: o/	17:16
stevemar_	dstanek: hows the squishing going?	17:16
dstanek	stevemar_: yo	17:16
lbragstad	dstanek do we know what the bug count was at when we started today?	17:17
dstanek	stevemar_: overall number of bugs is slightly down and we have several things in the gate (hopefully tied to bugs)	17:17
stevemar_	dstanek: nice	17:17
stevemar_	i'm gonna take a crack at it in a few minutes	17:18
*** phalmos has joined #openstack-keystone		17:18
openstackgerrit	Henrique Truta proposed openstack/keystone: Restricting domain_id update https://review.openstack.org/207218	17:18
dstanek	lbragstad: yes, i have a report here; it was something like 311 total and now down to 307	17:19
lbragstad	Awesome!	17:19
dstanek	after lunch i can get more deets	17:19
openstackgerrit	Merged openstack/keystone: Forbid non-stripped endpoint urls https://review.openstack.org/235906	17:19
lbragstad	dstanek sounds like a plan	17:20
openstackgerrit	Dolph Mathews proposed openstack/keystone: Promote an arbitrary string to be a docstring https://review.openstack.org/229916	17:21
openstackgerrit	Dolph Mathews proposed openstack/keystone: Add docstring validation https://review.openstack.org/229689	17:21
openstackgerrit	Dolph Mathews proposed openstack/keystone: Fix D204: blank line required after class docstring (PEP257) https://review.openstack.org/229898	17:21
openstackgerrit	Dolph Mathews proposed openstack/keystone: Fix D210: No whitespaces allowed surrounding docstring text (PEP257) https://review.openstack.org/229857	17:21
openstackgerrit	Dolph Mathews proposed openstack/keystone: Fix D202: No blank lines after function docstring (PEP257) https://review.openstack.org/229887	17:21
openstackgerrit	Dolph Mathews proposed openstack/keystone: Fix D300: Use """triple double quotes""" (PEP257) https://review.openstack.org/229853	17:21
openstackgerrit	Dolph Mathews proposed openstack/keystone: Fix D208: Docstring over indented. (PEP257) https://review.openstack.org/229837	17:21
openstackgerrit	Dolph Mathews proposed openstack/keystone: Fix D402: First line should not be the function's "signature" (PEP257) https://review.openstack.org/229839	17:21
openstackgerrit	Dolph Mathews proposed openstack/keystone: Fix D200: 1 line docstrings should fit with quotes (PEP257) https://review.openstack.org/229865	17:21
*** petertr7 is now known as petertr7_away		17:21
lbragstad	dolphm I take it those are ready for review new?	17:23
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/235608	17:23
stevemar_	dolphm: did the requirements change merge?	17:26
*** su_zhang has joined #openstack-keystone		17:27
*** kfox1111 has joined #openstack-keystone		17:28
kfox1111	question.. http://dolphm.com/benchmarking-openstack-keystone-token-formats/ implies you can have region specific keystone's that validate each other's tokens.	17:28
kfox1111	is that true or did I misunderstand something?	17:28
morgan	kfox1111: it's totally doable	17:29
openstackgerrit	Alexander Makarov proposed openstack/keystone-specs: Unified delegation spec https://review.openstack.org/189816	17:29
kfox1111	cool. does it work with horizon?	17:29
*** jsavak has quit IRC		17:29
*** jsavak has joined #openstack-keystone		17:30
morgan	kfox1111: uhm... sortof... but you still need to sync the identity backend/etc since the way fernet does the lookups	17:30
*** browne has joined #openstack-keystone		17:30
kfox1111	so, each region gets a keystone server, and you share gallera or something?	17:30
morgan	yah or similar	17:31
kfox1111	so, its basically one keystone cluster though.	17:31
morgan	yep	17:31
kfox1111	you wouldn't want to have different domains in different regions?	17:31
lhcheng	kfox1111: horizon should work with fernet, twc is already using it.	17:31
kfox1111	cool.	17:32
morgan	sure, but if you are building a cloud that meshes like that do you really want different domains?	17:32
kfox1111	was looking forward to just setup one keystone with ldap, and then federate to each region with a keystone, but horizon's just too far away for that for now.	17:32
*** wwwjfy has joined #openstack-keystone		17:32
kfox1111	morgan: probably not. just trying to figure out whats possible. :)	17:32
morgan	fwiw: ldap replicates better than sql	17:33
kfox1111	you never know when a subtile trick like that may pay off. :)	17:33
morgan	across WAN	17:33
kfox1111	... but I didn't think you could put projects/etc in ldap, just users/groups?	17:33
*** su_zhang has quit IRC		17:33
morgan	you can't	17:33
morgan	well you can but don't it's going away this cycle	17:33
kfox1111	yeah. thats what I've been telling others.	17:34
*** su_zhang has joined #openstack-keystone		17:34
kfox1111	ok. so, for multi region for now, its best to ldap -> keystone pool (one+ per region for performance) -> shared gallera.	17:35
kfox1111	+ farnet tokens.	17:35
lbragstad	kfox1111 that an interesting case, because if you have a global identity backend for all your keystone nodes, but each region has a different resource/catalog backend, then a user can validate a token across region keystone, but they won't be able to validate a project or domain scoped token across regions.	17:35
openstackgerrit	Henrique Truta proposed openstack/keystone: Constraint to prevent duplicates endpoints https://review.openstack.org/134095	17:36
kfox1111	I thought the shared mysql whould cover that case?	17:36
kfox1111	I guess I mean, ldap via the keystone domain plugin, not external authentication.	17:37
kfox1111	so keystone's basically just a single cluster, with closeish members to the region for quicker validation?	17:38
kfox1111	oh, but I guess that probably doesn't matter much with farnet tokens?	17:38
*** roxanaghe has joined #openstack-keystone		17:39
lbragstad	kfox1111 yep, if you have a shared backend it covers that case	17:39
kfox1111	k.	17:39
kfox1111	are farnet tokens compatible with v2, or alternately, does every openstack service now support v3 exclusively?	17:40
*** e0ne has joined #openstack-keystone		17:40
kfox1111	last I tried, too many services only worked with v2. :/	17:40
lbragstad	kfox1111 they are compatible with v2.0	17:40
kfox1111	ok. cool.	17:40
lbragstad	kfox1111 but the rules around domains and v2.0 still apply	17:41
kfox1111	I'd really like to get to v3 only. :/	17:41
kfox1111	yeah. I understand.	17:41
kfox1111	we set the ldap domain to be default for that reason.	17:41
lbragstad	kfox1111 makes sense	17:41
kfox1111	all the services that need a domain other then ldap knew enough to speak v3.	17:41
kfox1111	well, except it woudl be awesome to have all service accounts in a non default domain.	17:42
kfox1111	but that wasn't supported. :/	17:42
kfox1111	is the fernet token stuff backward/forwards compatable? kilo + liberty hybrid clouds?	17:42
lbragstad	kfox1111 we have some back-ports proposed to the stable/branches to make them backword and forward compatible	17:44
lbragstad	through a kilo -> liberty upgrade	17:44
kfox1111	k. so today it doesn't work though?	17:44
kfox1111	trying to share a keystone between regions and want to ensure the shared keystone stays stable if we have to upgrade one region, and not another for a while.	17:45
kfox1111	(different sla's)	17:45
lbragstad	without https://review.openstack.org/#/c/231057/ merging, there is a possibility liberty keystone won't recognize kilo keystone fernet tokens	17:45
kfox1111	ah.	17:46
htruta	dolphm: any thoughts on bug 1017606 ?	17:46
openstack	bug 1017606 in Keystone "Mixing references to 'Tenants' and 'Projects' is confusing" [Medium,Confirmed] https://launchpad.net/bugs/1017606	17:46
lbragstad	^ that patch makes it so that we can validate fernet tokens regardless of padding	17:46
kfox1111	thanks.	17:46
lbragstad	kfox1111 np	17:46
openstackgerrit	Brant Knudson proposed openstack/keystone: Allow the PBR_VERSION env to pass through tox https://review.openstack.org/224407	17:46
*** topol has joined #openstack-keystone		17:56
*** ChanServ sets mode: +v topol		17:56
stevemar_	anyone want to review a whole bunch of patches to move extensions? :D	17:56
stevemar_	https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:bp/replace-extensions,n,z	17:56
bknudson	stevemar_: you understand https://review.openstack.org/#/c/234531/ -- can you explain it to me?	17:57
amakarov	stevemar_, not "a whole" - Jenkins already reviewed half of them, so it's "half of a bunch" ;)	17:58
stevemar_	amakarov: good point!	17:58
stevemar_	bknudson: let me find the code in pysaml2, 1 sec	17:58
amakarov	stevemar_, isn't there a CR to move trusts into the core?	17:59
amakarov	stevemar_, sorry, that's an old memory - trust isn't in contrib already :)	18:01
bknudson	amakarov: trusts aren't part of the core api	18:02
*** phalmos has quit IRC		18:02
bknudson	http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-trust-ext.html	18:03
amakarov	bknudson, I'm curious: what are the criteria to consider some API to be "core" and other - not to be?	18:05
openstackgerrit	Lance Bragstad proposed openstack/keystone-specs: Improve get project query strings https://review.openstack.org/235971	18:05
bknudson	amakarov: core API are defined in http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3.html , the rest are not	18:05
stevemar_	bknudson: ah there we go, the file '/etc/keystone/ssl/certs/signing_cert.pem' isn't generated by default when you perform `keystone-manage ssl_setup`	18:05
stevemar_	so change it to something that exists by default	18:06
bknudson	people shouldn't be using that anyways	18:06
lbragstad	lhcheng updated those docs that you commented on ^	18:06
lbragstad	lhcheng that was a good question, i had to go test it ut	18:06
lbragstad	out*	18:06
stevemar_	amakarov: trusts are enabled by default, and not in contrib	18:07
*** phalmos has joined #openstack-keystone		18:07
stevemar_	they are really part of core keystone, no idea why they were called extensions	18:07
lhcheng	lbragstad: great, thanks!	18:07
*** jsavak has quit IRC		18:07
*** jsavak has joined #openstack-keystone		18:08
*** jasonsb has quit IRC		18:09
*** jasonsb has joined #openstack-keystone		18:10
*** jasonsb has quit IRC		18:10
*** jasonsb has joined #openstack-keystone		18:12
*** fhubik has joined #openstack-keystone		18:14
*** stevemar_ has quit IRC		18:17
*** stevemar_ has joined #openstack-keystone		18:18
*** ChanServ sets mode: +o stevemar_		18:18
amakarov	stevemar_, bknudson thanks, I think I'll file a bp for that at least	18:19
bknudson	amakarov: we already have bp replace-extensions	18:19
bknudson	amakarov: actually it's move-extensions	18:20
amakarov	bknudson, just wanted to ask why it's "replace" )	18:21
amakarov	bknudson, so what about adding trusts there?	18:22
*** stevemar_ has quit IRC		18:22
bknudson	amakarov: that covers all of the extensions	18:22
openstackgerrit	Lance Bragstad proposed openstack/keystone: Add caching to role assignments https://review.openstack.org/215715	18:23
amakarov	bknudson, thank you for clarification!	18:23
*** stevemar_ has joined #openstack-keystone		18:25
*** ChanServ sets mode: +o stevemar_		18:25
*** amakarov is now known as amakarov_away		18:27
*** su_zhang has quit IRC		18:28
*** diazjf has joined #openstack-keystone		18:29
*** timcline has quit IRC		18:31
*** timcline has joined #openstack-keystone		18:32
lbragstad	dstanek ping	18:34
lbragstad	dstanek i have some questions on https://review.openstack.org/#/c/134095/ - but i'm not sure if i'm just thinking about it wrong	18:34
openstackgerrit	Henrique Truta proposed openstack/keystone: Constraint to prevent duplicates endpoints https://review.openstack.org/134095	18:36
lbragstad	dstanek let's say you have a compute service with service id c05f46 in some Region	18:36
lbragstad	^ that change would make it so that you can only have three endpoints for that service in that region, right? You'd have an admin endpoint, a public endpoint and an internal endpoint	18:38
htruta	lbragstad: yep	18:38
lbragstad	what if i want more endpoints than that?	18:38
lbragstad	say i have a lot of endpoints for my compute service	18:39
*** su_zhang has joined #openstack-keystone		18:39
lbragstad	if we made that constraint unique between service_id + region_id + interface + url, it wouldn't be as limiting	18:40
morgan	hm. redhat buying ansible	18:40
morgan	not really surprised there I guess	18:40
htruta	lbragstad: how would horizon handle that?	18:40
*** dims_ is now known as dimsum__		18:41
lbragstad	htruta is horizon only suppose to know about one?	18:42
*** roxanaghe has quit IRC		18:42
htruta	lbragstad: I don't know, I'm just wondering what problems it might cause	18:42
lbragstad	htruta i'm just thinking about it in the sense that I have more than three service endpoints in my deployment	18:43
*** roxanaghe has joined #openstack-keystone		18:44
lbragstad	and I go to upgrade the schema in my deployment	18:44
openstackgerrit	Dolph Mathews proposed openstack/keystone: Explain default domain in docs for other services https://review.openstack.org/232098	18:45
*** spandhe has joined #openstack-keystone		18:46
lbragstad	timcline https://bugs.launchpad.net/keystone/+bug/1376937	18:47
openstack	Launchpad bug 1376937 in Keystone "No way to prevent duplicates in endpoints" [Medium,In progress] - Assigned to Henrique Truta (henriquetruta)	18:47
htruta	lbragstad: is it okay to have two urls to the same service? if so, we must put url at the constraint too	18:47
lbragstad	htruta that was one of the suggestions that dolphm made in the bug report	18:48
htruta	lbragstad: makes sense.	18:49
*** urulama has quit IRC		18:49
*** urulama has joined #openstack-keystone		18:49
htruta	lbragstad: changing the focus a little bit, this shouldn't return true if we pass MII, right? https://review.openstack.org/#/c/212819/1/keystoneclient/common/cms.py L293	18:52
raildo	lbragstad: https://bugs.launchpad.net/keystone/+bug/1506986 makes sense?	18:52
openstack	Launchpad bug 1506986 in Keystone "documentation needs to be clarified about differences between subtree_as_ids and subtree_as_list" [Undecided,New]	18:52
openstackgerrit	Lance Bragstad proposed openstack/keystone-specs: Add even more clarity to scope docs https://review.openstack.org/229949	18:56
lbragstad	raildo looks good, we should probably just track that in the already opened bug. working a fix for it here, too - https://review.openstack.org/#/c/235971/3	18:57
raildo	lbragstad: sure	18:58
*** woodster_ has joined #openstack-keystone		19:00
raildo	lbragstad: so you can just update the commit message to close this bug :D	19:00
*** jsavak has quit IRC		19:01
lbragstad	raildo yep	19:01
*** jsavak has joined #openstack-keystone		19:02
openstackgerrit	Henrique Truta proposed openstack/python-keystoneclient: Shorten PKI Token Identifier to MI https://review.openstack.org/212819	19:02
*** gordc has quit IRC		19:02
lbragstad	bknudson responded - https://review.openstack.org/#/c/235971/3/api/v3/identity-api-v3.rst	19:03
*** david-ly_ has quit IRC		19:04
*** david-lyle has joined #openstack-keystone		19:05
openstackgerrit	Lance Bragstad proposed openstack/keystone-specs: Add even more clarity to scope docs https://review.openstack.org/229949	19:06
openstackgerrit	Dolph Mathews proposed openstack/keystone: Explain default domain in docs for other services https://review.openstack.org/232098	19:13
openstackgerrit	Merged openstack/keystonemiddleware: Straighten up exceptions imports https://review.openstack.org/235089	19:19
*** jdennis has quit IRC		19:19
*** ajaya has quit IRC		19:22
openstackgerrit	Lance Bragstad proposed openstack/keystone-specs: Improve get project query strings https://review.openstack.org/235971	19:24
openstackgerrit	Lance Bragstad proposed openstack/keystone-specs: Improve get project query strings https://review.openstack.org/235971	19:25
dstanek	lbragstad: back from lunch	19:27
lbragstad	dstanek how was it?	19:27
bknudson	lbragstad: must have been good because it took 3 1/2 hours.	19:28
lbragstad	bknudson and now it's almost coffee break time!	19:29
dstanek	lbragstad: not great. errand time :-(	19:29
dstanek	bknudson: :-)	19:29
*** weihan has joined #openstack-keystone		19:30
lbragstad	dstanek i had a couple questions i wanted to bounce off of you here - https://review.openstack.org/#/c/134095/	19:33
dstanek	shore	19:34
dstanek	lbragstad: dolphm's suggestion to include url is interesting	19:35
*** ayoung has joined #openstack-keystone		19:35
*** ChanServ sets mode: +v ayoung		19:35
lbragstad	dstanek yeah, it was originally suggested in the bug report	19:35
stevemar_	dstanek: combining errands with lunch is never fun :(	19:36
kfox1111	so, key rotation should be done on one node, and the results pushed to the other keystone members. what about compute nodes / service nodes? They need the public keys somehow?	19:39
lbragstad	kfox1111 nope, the keys should only be shared across the keystone nodes	19:40
dolphm	kfox1111: auth_token calls back to keystone to validate, fernet doesn't do offline/distributed validation like PKI	19:42
dolphm	kfox1111: we could but that, but fernet uses symmetric crypto, so there's a lot of risk involved	19:43
openstackgerrit	Lance Bragstad proposed openstack/keystone-specs: Improve get project query strings https://review.openstack.org/235971	19:45
*** timcline_ has joined #openstack-keystone		19:45
*** roxanaghe has quit IRC		19:45
*** timcline has quit IRC		19:46
*** roxanaghe has joined #openstack-keystone		19:46
dolphm	lbragstad: nice update on https://review.openstack.org/#/c/215212/	19:47
*** jbell8 has quit IRC		19:47
kfox1111	so wouldn't pki perform better multiregion then?	19:48
lbragstad	bknudson stable backport related to your comment - https://review.openstack.org/#/c/236071/	19:48
kfox1111	or does the services end up contacting keystone anyway even with pki?	19:48
bknudson	lbragstad: that one was clean?	19:48
lbragstad	bknudson yeah, no conflicts	19:48
bknudson	lbragstad: there's no cherry-picked-from line	19:48
*** jbell8 has joined #openstack-keystone		19:48
lbragstad	bknudson hmm, you're right. I used git review -x 215221	19:49
bknudson	use -X	19:49
bknudson	otherwise it doesn't add the line	19:49
dolphm	kfox1111: i can't recommend PKI at all right now	19:50
bknudson	kfox1111: the services talk to keystone for pki to get the certificates and to get the revocation list	19:50
lbragstad	bknudson done, thanks	19:50
*** dramakri has joined #openstack-keystone		19:51
*** e0ne has quit IRC		19:51
kfox1111	I thought they skipped talking to keystone for validate though, and that in theory all they needed was in the token. so they only had to talk to keystone occationally to get the revocation list.	19:51
kfox1111	which would make the traffic to keystone very infrequent.	19:51
dolphm	kfox1111: they need to verify the token's integrity & authenticity still	19:52
kfox1111	that could be done on the service by just validating the signature on the token with keystone's public key I think?	19:52
bknudson	on validate it'll only talk to keystone when the revocation list is past its expiration	19:52
kfox1111	wouldn't take a contact back to keystone.	19:52
dolphm	kfox1111: correct	19:53
bknudson	note that PKI tokens are also ~8K in size.	19:53
bknudson	so there's a definite tradeoff	19:53
dolphm	kfox1111: ^^ more generally, i'd strongly advise against considering PKI today for anything beyond academic purposes - there are simply one too many severe, unresolvable bugs. 18 months ago i believe i would have told you the exact opposite :-/	19:53
kfox1111	yeah. latency of connections vs fault tollerence.	19:53
lbragstad	they have the possibility to be greater than that depending on the size of your deployment	19:53
kfox1111	keystone in theory could go totally down with pki and existing stuff should still work.	19:53
kfox1111	at least until the revocation lists expire.	19:53
dolphm	kfox1111: correct	19:53
kfox1111	so might be preferable for cross country datacenters?	19:54
kfox1111	ah. ok.	19:54
kfox1111	bugs are a different matter entirely.	19:54
dolphm	kfox1111: if your fernet keys are globally distributed, you get some similar benefits	19:54
dolphm	kfox1111: don't get me wrong, there are outstanding bugs against fernet as well, but none that i'm aware of that would truly impede adoption in production (and there are several production deployments), just some caveats we're working to resolve	19:55
kfox1111	assuming the mysql backend is replicated locally.. yeah..	19:55
kfox1111	k.	19:56
dolphm	kfox1111: correct	19:56
dolphm	kfox1111: https://bugs.launchpad.net/keystone/+bugs?field.tag=fernet	19:56
dolphm	kfox1111: https://bugs.launchpad.net/keystone/+bugs?field.tag=pki	19:57
*** mylu has joined #openstack-keystone		19:57
kfox1111	hmm.. this one may be a show stopper... https://bugs.launchpad.net/keystone/+bug/1497461	19:57
openstack	Launchpad bug 1497461 in Keystone "Fernet tokens fail for some users with LDAP identity backend" [High,Fix committed] - Assigned to Eric Brown (ericwb)	19:58
lbragstad	kfox1111 that has been fixed in master	19:58
*** su_zhang has quit IRC		19:58
lbragstad	kfox1111 are you targeting a specific release?	19:58
kfox1111	but not liberty. so backporting at least...	19:58
dolphm	lbragstad: ooh, but i haven't seen a kilo backport	19:58
dolphm	kfox1111: backport for liberty is in review	19:58
lbragstad	dolphm yeah, that could use a backport to kilo (i have no idea if it would conflict?)	19:59
browne	kfox1111: kilo backport will be soon	19:59
dolphm	lbragstad: should not	19:59
lbragstad	speaking of kilo backports - https://review.openstack.org/#/c/236071/	19:59
dolphm	browne: thanks	19:59
browne	lbragstad: yeah there are conflicts and some other fernet related fixes that should also go back to kilo	20:00
dolphm	browne: are you proposing them, or do you have a list?	20:00
browne	dolphm: i haven't put them together yet. i'll make a list	20:01
lbragstad	browne that would be great, i haven't been doing a great job of tracking everything that has, or hasn't, gone all the way back to kilo	20:01
kfox1111	k. thanks.	20:01
browne	i think the float to int was one. but i don't know the commit	20:02
dolphm	browne: that one is not an end-user facing bug though, just a pain to cherry pick around :)	20:02
browne	oh ok	20:02
dolphm	browne: i would +2 a backport though, nonetheless, as a trivial refactor	20:03
dolphm	pardon the ridiculous URL, but this is a query for fernet bugs tagged as potential kilo backports: https://bugs.launchpad.net/keystone/+bugs?field.searchtext=&orderby=-importance&field.status%3Alist=FIXCOMMITTED&field.status%3Alist=FIXRELEASED&assignee_option=any&field.assignee=&field.bug_reporter=&field.bug_commenter=&field.subscriber=&field.structural_subscriber=&field.tag=kilo-backport-potential+fernet+&field.tags_combin	20:03
dolphm	ator=ALL&field.has_cve.used=&field.omit_dupes.used=&field.omit_dupes=on&field.affects_me.used=&field.has_patch.used=&field.has_branches.used=&field.has_branches=on&field.has_no_branches.used=&field.has_no_branches=on&field.has_blueprints.used=&field.has_blueprints=on&field.has_no_blueprints.used=&field.has_no_blueprints=on&search=Search	20:03
morgan	browne: also +2 a backport (you have two stable keystone maintainers saying to backport for an easy +2 ;)	20:03
dolphm	shortened: http://bit.ly/1LeEDSU	20:04
morgan	dolphm: bit.ly!!	20:04
browne	cool, let me put those together	20:04
dolphm	morgan: i... did	20:04
morgan	dolphm: hehe	20:04
dolphm	morgan: i got yelled at in some openstack channel for using a bit.ly link recently, because it wasn't archive worthy	20:05
dolphm	so, have both!	20:05
lbragstad	browne here is the int -> float one - https://review.openstack.org/#/c/232010/2	20:05
browne	lbragstad: thanks	20:05
morgan	Oh dolphm have you tried http://www.stochasticity.com/beers/your-father-smelt-elderberries	20:05
lbragstad	browne I assume that one is going back to both liberty and kilo?	20:05
morgan	dolphm: i think we need an official openstack url shortener	20:05
dramakri	bknudson: can I bug you on a bug-related questions? ;-)	20:06
bknudson	dramakri: sure	20:06
browne	lbragstad: it would yes. o	20:06
bknudson	you can bug the whole channel	20:06
dramakri	bknudson: can you please take a look at this bug - https://bugs.launchpad.net/keystone/+bug/1434000 ? I have written my thoughts, let me know what you think?	20:06
openstack	Launchpad bug 1434000 in Keystone "user creation without domain using admin_token should fail nicer" [Low,In progress] - Assigned to Deepti Ramakrishna (dramakri)	20:06
lbragstad	browne ok, i'll propose them	20:06
browne	lbragstad: thx	20:06
*** roxanaghe has quit IRC		20:07
*** diazjf has quit IRC		20:09
*** tonytan4ever has joined #openstack-keystone		20:09
htruta	dstanek: bug 1473489 looks invalid, right?	20:10
openstack	bug 1473489 in Keystone "Identity API v3 does not accept more than one query parameter" [Medium,Incomplete] https://launchpad.net/bugs/1473489 - Assigned to Alexey Miroshkin (amirosh)	20:10
stevemar_	ouch	20:11
dstanek	htruta: i'm going to say yes :-)	20:12
dstanek	the example is clearly wrong	20:12
dstanek	i didn't notice that dolphm responded after me	20:12
lbragstad	browne stable/liberty - https://review.openstack.org/#/c/236078/	20:13
htruta	dstanek: cool. can you mark it as invalid?	20:13
browne	lbragstad: thanks!	20:15
lbragstad	browne that change conflicts a lot with kilo, might need to have some other stuff go before it	20:16
htruta	guys, we should not encourage anyone to use domain scoped tokens, right? I think bug 1378036 is invalid as well	20:16
openstack	bug 1378036 in Keystone "Keystone unit tests should use domain scoped token" [Low,Triaged] https://launchpad.net/bugs/1378036 - Assigned to Anh Huynh (anhx-huynh)	20:16
*** jsavak has quit IRC		20:17
htruta	it was triaged 1 year ago	20:17
dolphm	htruta: why not?	20:17
breton	domain-scoped tokens are the mainstream now	20:18
dolphm	it's a big refactor, but the assertion is correct. we should be dogfooding the new policy model in tests	20:18
htruta	dolphm: with reseller, we are replicating the domains operations to projects, and we'll be able to do it all with project scoped tokens	20:18
htruta	we have a bp for that	20:18
dstanek	htruta: but we have domain scoped tokens now and we support that right?	20:19
htruta	https://blueprints.launchpad.net/keystone/+spec/add-isdomain-to-token	20:19
dolphm	dstanek: ++	20:19
*** diazjf has joined #openstack-keystone		20:20
breton	htruta: I just don't want to have the code for this check to be spread in different places	20:20
htruta	dstanek, dolphm: yes, correct	20:21
htruta	although this is a long term change, I don't know if it's worth to spend much effort in that	20:22
breton	htruta: *the one we were talking about in https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L684	20:23
*** jsavak has joined #openstack-keystone		20:24
breton	maybe someome could review https://review.openstack.org/#/c/234849/ ? It's about a bug.	20:25
htruta	breton: I see... but I agree with henry that it makes more sense being at manager	20:26
lbragstad	browne stable/kilo - https://review.openstack.org/#/c/236083/	20:28
* lbragstad steps away to get coffee		20:30
openstackgerrit	Brant Knudson proposed openstack/keystone: Handle fernet payload timestamp differences https://review.openstack.org/232711	20:34
openstackgerrit	Brant Knudson proposed openstack/keystone: Fix fernet padding for python 3 https://review.openstack.org/231711	20:34
*** mylu has quit IRC		20:37
openstackgerrit	Deepti Ramakrishna proposed openstack/keystone: Reject user creation using admin token without explicitly passing the domain. https://review.openstack.org/196942	20:37
*** mylu has joined #openstack-keystone		20:37
openstackgerrit	Merged openstack/oslo.policy: Add test for raising default exception https://review.openstack.org/234309	20:42
*** mylu has quit IRC		20:45
dolphm	have a good weekend before our 3-week-work-week, everyone :)	20:45
openstackgerrit	Merged openstack/oslo.policy: Add test for enforce with rule doesn't exist https://review.openstack.org/234310	20:48
openstackgerrit	Merged openstack/oslo.policy: Use JSON generator https://review.openstack.org/234421	20:48
browne	lbragstad: I resolved the conflicts. doesn't look like the int-> float thing was necessary. https://review.openstack.org/#/c/236092/	20:50
kfox1111	does keystone need rabbit at all?	20:50
kfox1111	coming up with the bare minimum keystone cluster for multiregion.	20:51
kfox1111	haproxy/keystone/gallera?	20:51
*** ankurgupta has joined #openstack-keystone		20:56
openstackgerrit	Tom Cocozzello proposed openstack/keystonemiddleware: Define entry points for filter factories for Paste Deployment https://review.openstack.org/233839	20:56
openstackgerrit	Deepti Ramakrishna proposed openstack/keystone: Reject user creation using admin token without explicitly passing the domain. https://review.openstack.org/196942	20:57
*** ankurgupta has left #openstack-keystone		20:57
dramakri	dolphm: sorry about this patch - https://review.openstack.org/#/c/196942/ earlier. Now I have fixed the merge conflicts.	20:58
*** raildo is now known as raildo-afk		20:59
openstackgerrit	Brant Knudson proposed openstack/keystone: Handle fernet payload timestamp differences https://review.openstack.org/232711	20:59
openstackgerrit	Brant Knudson proposed openstack/keystone: Fix fernet padding for python 3 https://review.openstack.org/231711	20:59
openstackgerrit	Brant Knudson proposed openstack/keystone: Fix key_repository_signature method for python3 https://review.openstack.org/236096	20:59
*** su_zhang has joined #openstack-keystone		21:00
lbragstad	browne ok	21:02
*** roxanagh_ has joined #openstack-keystone		21:03
*** timcline_ has quit IRC		21:06
*** njohnston is now known as nate_gone		21:07
openstackgerrit	Henrique Truta proposed openstack/keystone: Improves domain name case sensitivity tests https://review.openstack.org/236103	21:09
stevemar_	bknudson: you got a clever way of how to do this? https://review.openstack.org/#/c/171916/18/keystone/tests/unit/test_sql_upgrade.py	21:11
*** jsavak has quit IRC		21:11
*** rbowen has quit IRC		21:16
*** jbell8 has quit IRC		21:23
dstanek	lbragstad: http://paste.openstack.org/show/476563/ with ~9 things gating right now	21:35
*** diegows has joined #openstack-keystone		21:38
*** dims_ has joined #openstack-keystone		21:38
*** jasonsb has quit IRC		21:38
dstanek	lbragstad: that's keystone only running a larger report now	21:39
openstackgerrit	Steve Martinelli proposed openstack/keystone: Move endpoint_policy migrations into keystone core https://review.openstack.org/171916	21:40
*** dimsum__ has quit IRC		21:40
*** phalmos has quit IRC		21:41
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/235608	21:43
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/235608	21:44
*** dims_ has quit IRC		21:45
*** david-ly_ has joined #openstack-keystone		21:50
*** david-lyle has quit IRC		21:50
*** tonytan4ever has quit IRC		21:51
*** jdennis has joined #openstack-keystone		21:52
*** diegows has quit IRC		21:53
stevemar_	#topic	21:56
stevemar_	whoopsy	21:56
*** stevemar_ changes topic to "Liberty is Out yay!! \o/ \| Etherpads for summit https://wiki.openstack.org/wiki/Design_Summit/Mitaka/Etherpads#Keystone"		21:57
stevemar_	etherpads ^^	21:57
gyee	yay, we got liberty	21:58
*** alejandrito has quit IRC		21:59
stevemar_	gyee: but no freedom :(	22:01
*** stevemar_ has quit IRC		22:01
*** sigmavirus24 is now known as sigmavirus24_awa		22:01
*** stevemar_ has joined #openstack-keystone		22:02
*** ChanServ sets mode: +o stevemar_		22:02
*** tonytan4ever has joined #openstack-keystone		22:04
*** roxanaghe has joined #openstack-keystone		22:05
*** su_zhang has quit IRC		22:06
*** stevemar_ has quit IRC		22:06
*** roxanagh_ has quit IRC		22:06
*** jbell8 has joined #openstack-keystone		22:07
*** stevemar_ has joined #openstack-keystone		22:07
*** ChanServ sets mode: +o stevemar_		22:07
*** dimsum__ has joined #openstack-keystone		22:08
openstackgerrit	Merged openstack/keystone: Updated from global requirements https://review.openstack.org/235646	22:10
*** pumaranikar has quit IRC		22:11
bknudson	stevemar_: move the original migration out to another file or something?	22:11
openstackgerrit	Merged openstack/keystone: Correct the filename https://review.openstack.org/234533	22:11
openstackgerrit	Merged openstack/keystone: Fix some nits in `configure_federation.rst` https://review.openstack.org/234091	22:11
*** gsilvis has quit IRC		22:11
*** stevemar_ has quit IRC		22:12
*** diazjf has quit IRC		22:15
*** dimsum__ has quit IRC		22:16
*** dimsum__ has joined #openstack-keystone		22:17
*** jbell8 has quit IRC		22:25
*** jbell8 has joined #openstack-keystone		22:27
openstackgerrit	Merged openstack/keystone: Allow the PBR_VERSION env to pass through tox https://review.openstack.org/224407	22:28
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/235608	22:29
openstackgerrit	Deepti Ramakrishna proposed openstack/keystone: Reject user creation using admin token without explicitly passing the domain. https://review.openstack.org/196942	22:30
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/235608	22:31
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/235608	22:32
*** martinus__ has quit IRC		22:32
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/235608	22:33
*** martinus__ has joined #openstack-keystone		22:33
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/235608	22:34
*** btully has quit IRC		22:36
*** tonytan4ever has quit IRC		22:36
*** btully has joined #openstack-keystone		22:38
*** slberger has left #openstack-keystone		22:46
openstackgerrit	Merged openstack/keystone: Update test modules passing on py34 https://review.openstack.org/231635	22:49
openstackgerrit	Merged openstack/keystone: Fix fernet key writing for python 3 https://review.openstack.org/231710	22:49
*** wwwjfy has quit IRC		22:50
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/235608	22:51
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/235608	22:52
*** dimsum__ has quit IRC		22:52
*** jbell8 has quit IRC		22:57
*** jbell8 has joined #openstack-keystone		22:58
*** jbell8 has quit IRC		23:03
*** pgbridge has quit IRC		23:07
*** marzif has joined #openstack-keystone		23:08
*** dimsum__ has joined #openstack-keystone		23:08
*** roxanaghe has quit IRC		23:17
*** roxanaghe has joined #openstack-keystone		23:22
*** marzif has quit IRC		23:24
*** lhcheng has quit IRC		23:25
*** lhcheng has joined #openstack-keystone		23:29
*** ChanServ sets mode: +v lhcheng		23:29
*** su_zhang has joined #openstack-keystone		23:37
*** su_zhang has quit IRC		23:37
*** su_zhang has joined #openstack-keystone		23:38
*** woodster_ has quit IRC		23:39
*** gsilvis has joined #openstack-keystone		23:43
*** su_zhang has quit IRC		23:52
*** gsilvis_ has joined #openstack-keystone		23:55
openstackgerrit	Deepti Ramakrishna proposed openstack/keystone: Reject user creation using admin token without explicitly passing the domain. https://review.openstack.org/196942	23:55
*** _cjones_ has quit IRC		23:56
*** _cjones_ has joined #openstack-keystone		23:56
*** gsilvis has quit IRC		23:56
*** browne has quit IRC		23:56

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!