Tuesday, 2015-12-01

*** jerrygb_ has joined #openstack-keystone00:04
*** jerrygb has quit IRC00:05
openstackgerritMerged openstack/python-keystoneclient: Add release notes for keystoneclient  https://review.openstack.org/25116000:06
openstackgerritMichael Krotscheck proposed openstack/keystone: Added CORS support to Keystone  https://review.openstack.org/24131700:10
*** belmoreira has quit IRC00:15
*** EinstCrazy has joined #openstack-keystone00:17
*** EinstCrazy has quit IRC00:23
*** roxanaghe has quit IRC00:23
*** openstackstatus has quit IRC00:24
*** openstackstatus has joined #openstack-keystone00:25
*** ChanServ sets mode: +v openstackstatus00:25
*** raildo is now known as raildo-afk00:30
*** aginwala_ has quit IRC00:40
*** aginwala has joined #openstack-keystone00:43
*** shaleh has quit IRC00:46
*** RichardRaseley has quit IRC00:56
*** EinstCrazy has joined #openstack-keystone00:59
*** richm has quit IRC01:16
*** openstackgerrit has quit IRC01:22
*** openstackgerrit has joined #openstack-keystone01:22
*** diegoadolfo has quit IRC01:29
*** diegoadolfo has joined #openstack-keystone01:29
*** aginwala has quit IRC01:30
*** jasonsb has quit IRC01:40
*** aginwala has joined #openstack-keystone01:43
*** markvoelker has quit IRC01:46
*** aginwala has quit IRC01:48
*** aginwala has joined #openstack-keystone01:49
*** jerrygb_ has quit IRC01:51
*** jerrygb has joined #openstack-keystone01:52
*** jerrygb has quit IRC01:55
*** spandhe has quit IRC02:06
openstackgerritMerged openstack/keystone: Needn't care about the sequence for cache validation  https://review.openstack.org/25106002:13
*** sripriya has quit IRC02:17
*** feifei has joined #openstack-keystone02:22
feifeihello02:25
*** davechen has joined #openstack-keystone02:26
jamielennoxstevemar: have you done much with shib?02:45
feifeino02:47
openstackgerritayoung proposed openstack/keystone: set `is_admin` on tokens for admin project  https://review.openstack.org/24071902:48
stevemarjamielennox: nope02:55
stevemari'm an oidc kinda guy02:55
*** fawadkhaliq has joined #openstack-keystone02:57
jamielennoxok, pros, it does lots of stuff, cons, it does lots of stuff02:58
*** breitz has quit IRC03:05
*** mserngawy_ has quit IRC03:18
*** aginwala has quit IRC03:22
*** aginwala has joined #openstack-keystone03:27
*** jasonsb has joined #openstack-keystone03:27
*** _zouyee has joined #openstack-keystone03:32
*** ayoung has quit IRC03:35
*** links has joined #openstack-keystone03:39
*** aginwala has quit IRC03:41
*** aginwala has joined #openstack-keystone03:42
*** fangxu has quit IRC03:44
*** aginwala has quit IRC03:46
*** csoukup_ has quit IRC03:56
*** davechen1 has joined #openstack-keystone04:02
*** davechen has quit IRC04:02
*** davechen1 has left #openstack-keystone04:03
*** spandhe has joined #openstack-keystone04:17
*** links has quit IRC04:17
*** spandhe_ has joined #openstack-keystone04:20
*** spandhe has quit IRC04:21
*** spandhe_ is now known as spandhe04:21
*** ninag has quit IRC04:22
*** roxanaghe has joined #openstack-keystone04:34
*** gyee has quit IRC04:52
openstackgerritOpenStack Proposal Bot proposed openstack/keystoneauth: Updated from global requirements  https://review.openstack.org/25163805:01
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/25163905:01
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/25164005:05
stevemardamn proposal bot, quit proposing white space changes05:05
*** jerrygb has joined #openstack-keystone05:35
*** links has joined #openstack-keystone05:35
*** fawadkhaliq has quit IRC05:36
openstackgerritFernando Diaz proposed openstack/keystone: Strengthen Mapping Validation in Federation Mappings  https://review.openstack.org/25016205:37
*** tyagiprince has joined #openstack-keystone05:40
openstackgerritMerged openstack/keystone: Reference environment close to use  https://review.openstack.org/25127605:43
*** gildub has joined #openstack-keystone05:46
*** jerrygb has quit IRC05:52
stevemarjamielennox: around?05:53
jamielennoxstevemar: mmm05:53
stevemarjamielennox: trust based auth plugin05:54
stevemarhow i do05:54
jamielennoxfrom user/pass or rescope?05:54
stevemari guess user/pass05:54
stevemarjust user/pass and trust id right?05:55
jamielennoxso it's just the same as normal, just use trust_id instead of project_id05:55
*** fawadkhaliq has joined #openstack-keystone05:58
*** fawadkhaliq has quit IRC05:58
*** fawadkhaliq has joined #openstack-keystone05:59
*** aginwala has joined #openstack-keystone06:04
openstackgerritOpenStack Proposal Bot proposed openstack/keystoneauth: Updated from global requirements  https://review.openstack.org/25163806:05
openstackgerritOpenStack Proposal Bot proposed openstack/keystoneauth-saml2: Updated from global requirements  https://review.openstack.org/24760406:05
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/25163906:05
jamielennoxstevemar: what's the point of scoping to a service provider?06:08
jamielennoxwhy do we do that step?06:09
openstackgerritOpenStack Proposal Bot proposed openstack/oslo.policy: Updated from global requirements  https://review.openstack.org/25166006:09
jamielennoxcontext, K2K06:09
*** dims has quit IRC06:09
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/25164006:09
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient-kerberos: Updated from global requirements  https://review.openstack.org/25166406:09
stevemarjamielennox: https://review.openstack.org/#/c/241986/06:13
stevemarjamielennox: to get the service providers catalog?06:13
*** dims has joined #openstack-keystone06:14
jamielennoxstevemar: what's that?06:14
jamielennox(service provider's catalog)06:14
jamielennoxthe service providers come in the regular catalog right?06:15
*** sripriya has joined #openstack-keystone06:16
*** sripriya_ has joined #openstack-keystone06:19
*** jaosorior has joined #openstack-keystone06:21
*** sripriya has quit IRC06:22
*** mhickey has joined #openstack-keystone06:25
*** aginwala has quit IRC06:28
*** aginwala has joined #openstack-keystone06:28
stevemarjamielennox: have a link for me to look at?06:30
*** lhcheng has joined #openstack-keystone06:30
*** ChanServ sets mode: +v lhcheng06:30
jamielennoxstevemar: umm, i haven't got full dumps06:31
*** lhcheng_ has joined #openstack-keystone06:32
stevemarjamielennox: alrighty06:32
jamielennoxstevemar: https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/identity/v3/k2k.py#L175-L17706:32
jamielennoxis the dump06:32
jamielennoxbah, not doing well with words today06:32
*** aginwala has quit IRC06:33
jamielennoxso that's the get sp urls and it seems to be coming from the standard token06:33
jamielennoxbut the response of posting06:33
jamielennoxhttps://github.com/openstack/keystoneauth/blob/master/keystoneauth1/identity/v3/k2k.py#L92-L10606:33
jamielennoxto /auth/OS-FEDERATION/saml2/ecp'06:33
jamielennoxis an ECP assertion06:34
jamielennoxok - so it's just a weird copy of the format rather than a scope06:34
jamielennoxseems like that could have been a get with your existing token06:34
*** lhcheng has quit IRC06:35
jamielennoxGET /OS-FEDERATION/service_providers/{sp_id}/assertion X-Auth-Token: {token}06:36
jamielennoxactually if you did it that way with the vaos header then that would have been the standard ECP flow - yay for standards06:38
*** yangweiwei has joined #openstack-keystone06:41
yangweiweihello, I want to ask some questions about policy.06:48
yangweiweiNow the policy rules of openstack in keystone and other projects are set in policy.json, in other words, the policy rules are equal06:49
yangweiweito each projects.06:49
yangweiweiAnd the common ways to enforce are in decorative function like protected(). And in keystone project, it manages the users, projects, roles and other resources. Now, some particular projects (tenants) may have their own enforce rules, not just like the policy.json, and in that way, could we update the usual decorative function of enforce to realize the authentication of projects? And now, the policy model appears in keystone project. Coul06:49
yangweiweid we use it to create association between projects and policy?06:49
*** aginwala has joined #openstack-keystone06:50
*** feifei has quit IRC06:51
yangweiweiIs anyone here?06:52
*** csoukup_ has joined #openstack-keystone06:52
*** amit213 has quit IRC06:55
*** amit213 has joined #openstack-keystone06:56
*** csoukup_ has quit IRC06:57
*** fangxu has joined #openstack-keystone06:59
stevemaryangweiwei: ask away07:03
stevemarbed time is coming up :(07:03
*** btully has quit IRC07:04
*** Nirupama has joined #openstack-keystone07:07
stevemarjamielennox: i think that part is... after the user has authenticated with their local cloud, get the URL of the SP that they plan on using (via the SP's ID)07:07
*** yangweiwei has left #openstack-keystone07:10
*** yangweiwei has joined #openstack-keystone07:11
*** gildub has quit IRC07:13
yangweiweiNow the policy model has appeared, and it associates with the endpoint, could we use it with the project.07:15
*** tyagiprince has quit IRC07:17
*** roxanaghe has quit IRC07:20
*** tyagiprince has joined #openstack-keystone07:24
*** jaosorior has quit IRC07:25
*** jaosorior has joined #openstack-keystone07:26
*** spandhe has quit IRC07:30
*** fangxu has quit IRC07:36
openstackgerritJamie Lennox proposed openstack/keystoneauth: Get versioned url for K2K auth  https://review.openstack.org/25168607:41
openstackgerritJamie Lennox proposed openstack/keystoneauth: Cleanups to K2K plugin  https://review.openstack.org/25168707:41
openstackgerritIrina proposed openstack/keystone: Fix some inconsistency in docstrings  https://review.openstack.org/25021907:42
*** fawadkhaliq has quit IRC07:52
*** fawadkhaliq has joined #openstack-keystone07:53
*** fawadkhaliq has quit IRC07:53
*** fawadkhaliq has joined #openstack-keystone07:54
*** fawadkhaliq has quit IRC07:57
*** fawadkhaliq has joined #openstack-keystone07:57
*** fawadkhaliq has quit IRC07:57
*** fawadkhaliq has joined #openstack-keystone07:58
*** sripriya_ has quit IRC08:02
*** fawadkhaliq has quit IRC08:02
*** fawadkhaliq has joined #openstack-keystone08:03
*** fawadkhaliq has quit IRC08:03
*** fawadkhaliq has joined #openstack-keystone08:04
*** wangqun has joined #openstack-keystone08:05
*** aginwala has quit IRC08:06
*** aginwala has joined #openstack-keystone08:07
openstackgerritMerged openstack/keystone: force releasenotes warnings to be treated as errors  https://review.openstack.org/24998808:09
*** roxanaghe has joined #openstack-keystone08:20
*** spandhe has joined #openstack-keystone08:24
*** mhickey has quit IRC08:25
*** roxanaghe has quit IRC08:26
*** fhubik has joined #openstack-keystone08:32
*** rcernin has joined #openstack-keystone08:37
*** fhubik is now known as fhubik_brb08:37
*** fhubik_brb is now known as fhubik08:38
*** spandhe has quit IRC08:45
*** spandhe has joined #openstack-keystone08:47
*** josecastroleon1 has quit IRC08:50
*** jerrygb has joined #openstack-keystone08:52
*** spandhe has quit IRC08:53
*** spandhe has joined #openstack-keystone08:54
*** btully has joined #openstack-keystone08:57
*** fhubik is now known as fhubik_brb08:58
*** belmoreira has joined #openstack-keystone09:00
*** fawadkhaliq has quit IRC09:03
*** fawadkhaliq has joined #openstack-keystone09:03
*** xek has joined #openstack-keystone09:07
*** fhubik_brb is now known as fhubik09:13
*** NM has joined #openstack-keystone09:18
*** roxanaghe has joined #openstack-keystone09:23
*** btully has quit IRC09:25
*** roxanaghe has quit IRC09:28
*** miyagishi_t has quit IRC09:29
*** mhickey has joined #openstack-keystone09:41
*** tyagiprince has quit IRC09:42
*** tyagiprince has joined #openstack-keystone09:42
*** tyagiprince has quit IRC09:49
*** tyagiprince has joined #openstack-keystone09:49
*** josecastroleon has joined #openstack-keystone09:50
*** spandhe has quit IRC09:51
*** jistr has joined #openstack-keystone09:52
*** lhcheng has joined #openstack-keystone09:55
*** ChanServ sets mode: +v lhcheng09:55
*** lhcheng_ has quit IRC09:59
*** aix has joined #openstack-keystone10:05
*** wuhg has joined #openstack-keystone10:09
*** NM has quit IRC10:09
*** wuhg has left #openstack-keystone10:11
openstackgerritLin Hua Cheng proposed openstack/python-keystoneclient: Add include_subtree to role_list_assignments call  https://review.openstack.org/18818410:16
*** yangweiwei has quit IRC10:17
*** aginwala has quit IRC10:20
*** fmarco76 has joined #openstack-keystone10:21
*** kiran-r has joined #openstack-keystone10:22
*** fmarco76 has quit IRC10:23
*** _zouyee has quit IRC10:25
*** roxanaghe has joined #openstack-keystone10:25
*** roxanaghe has quit IRC10:30
*** jerrygb has quit IRC10:31
*** NM has joined #openstack-keystone10:36
*** e0ne has joined #openstack-keystone10:37
*** mdavidson has joined #openstack-keystone10:48
*** rvba has quit IRC10:48
*** e0ne has quit IRC10:51
*** rvba has joined #openstack-keystone10:52
*** rvba has quit IRC10:52
*** rvba has joined #openstack-keystone10:52
*** wangqun has quit IRC10:55
*** fhubik is now known as fhubik_brb11:00
*** fhubik_brb is now known as fhubik11:03
*** marekd has joined #openstack-keystone11:04
*** ChanServ sets mode: +v marekd11:04
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Fix some inconsistency in docstrings  https://review.openstack.org/25021911:05
*** aix has quit IRC11:06
samueldmqmorning keystoners11:06
samueldmqI hope you (who are based in US) had a great thanksgiving last week11:06
*** fhubik has quit IRC11:09
*** _zouyee has joined #openstack-keystone11:12
openstackgerritGrzegorz Grasza (xek) proposed openstack/keystone-specs: Online schema migration  https://review.openstack.org/24518611:13
*** jerrygb has joined #openstack-keystone11:16
*** aix has joined #openstack-keystone11:18
*** jerrygb has quit IRC11:19
*** roxanaghe has joined #openstack-keystone11:26
*** iurygregory_ is now known as iurygregory11:27
*** flaper87 has quit IRC11:30
*** flaper87 has joined #openstack-keystone11:30
*** roxanaghe has quit IRC11:30
*** chlong has quit IRC11:35
*** chlong has joined #openstack-keystone11:35
*** flaper87 has quit IRC11:39
*** fhubik has joined #openstack-keystone11:40
*** Nirupama has quit IRC11:41
*** svasheka has quit IRC11:43
*** flaper87 has joined #openstack-keystone11:47
*** flaper87 has quit IRC11:47
*** flaper87 has joined #openstack-keystone11:47
openstackgerritBoris Bobrov proposed openstack/python-keystoneclient: Support `truncated` flag returned by keystone  https://review.openstack.org/25047311:48
*** svasheka has joined #openstack-keystone11:49
*** ninag has joined #openstack-keystone11:56
*** ninag has quit IRC12:01
*** EinstCrazy has quit IRC12:01
*** EinstCrazy has joined #openstack-keystone12:02
*** diegoadolfo__ has quit IRC12:05
*** diegoadolfo_ has quit IRC12:05
*** diegoadolfo has quit IRC12:05
*** clayton has quit IRC12:06
*** EinstCrazy has quit IRC12:06
*** zao_ has joined #openstack-keystone12:07
*** zao has quit IRC12:08
*** zao_ is now known as zao12:08
*** fhubik is now known as fhubik_brb12:10
*** clayton has joined #openstack-keystone12:13
*** jerrygb has joined #openstack-keystone12:20
*** kiranr has joined #openstack-keystone12:20
*** kiran-r has quit IRC12:21
*** raildo-afk is now known as raildo12:21
*** tyagiprince has quit IRC12:23
*** e0ne has joined #openstack-keystone12:25
*** pauloewerton has joined #openstack-keystone12:26
*** jerrygb has quit IRC12:27
*** zao has quit IRC12:27
*** roxanaghe has joined #openstack-keystone12:27
*** zao has joined #openstack-keystone12:27
*** EinstCrazy has joined #openstack-keystone12:29
*** edmondsw has joined #openstack-keystone12:29
*** NM has quit IRC12:30
*** wangqun has joined #openstack-keystone12:31
*** roxanaghe has quit IRC12:32
*** lhcheng has quit IRC12:33
*** lhcheng has joined #openstack-keystone12:34
*** ChanServ sets mode: +v lhcheng12:34
*** e0ne has quit IRC12:34
openstackgerritRui Chen proposed openstack/python-keystoneclient: Fix Resource.__eq__ mismatch semantics of object equal  https://review.openstack.org/25184112:34
*** EinstCra_ has joined #openstack-keystone12:34
*** e0ne_ has joined #openstack-keystone12:37
*** EinstCrazy has quit IRC12:37
*** jaosorior has quit IRC12:42
*** jaosorior has joined #openstack-keystone12:43
*** sileht has joined #openstack-keystone12:47
*** jaosorior has quit IRC12:47
*** jaosorior has joined #openstack-keystone12:47
*** _zouyee has quit IRC12:54
*** fawadkhaliq has quit IRC13:00
*** jerrygb has joined #openstack-keystone13:01
*** fawadkhaliq has joined #openstack-keystone13:01
*** fawadkhaliq has quit IRC13:02
*** fawadkhaliq has joined #openstack-keystone13:03
*** fawadkhaliq has quit IRC13:03
*** fawadkhaliq has joined #openstack-keystone13:04
*** fhubik_brb is now known as fhubik13:06
*** ninag has joined #openstack-keystone13:08
openstackgerritGrzegorz Grasza (xek) proposed openstack/keystone: Remove eventlet support  https://review.openstack.org/24948613:09
*** gordc has joined #openstack-keystone13:15
*** fawadkhaliq has quit IRC13:18
*** fawadkhaliq has joined #openstack-keystone13:19
*** kiranr has quit IRC13:19
*** lhinds has joined #openstack-keystone13:20
*** stevemar has quit IRC13:22
*** stevemar_znc has joined #openstack-keystone13:23
*** henrynash has joined #openstack-keystone13:29
*** ChanServ sets mode: +v henrynash13:29
henrynashlhcheng: I updated https://review.openstack.org/#/c/200624/ to remove the text on domain hierarchies…are you OK with this now?13:30
*** adelia has joined #openstack-keystone13:30
*** adelia has quit IRC13:33
*** adelia has joined #openstack-keystone13:34
*** adelia has quit IRC13:38
*** richm has joined #openstack-keystone13:44
*** links has quit IRC13:47
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation model  https://review.openstack.org/20848813:47
*** markvoelker_ has joined #openstack-keystone13:49
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation model  https://review.openstack.org/20848813:52
*** e0ne_ has quit IRC13:55
*** e0ne has joined #openstack-keystone13:55
lhchenghenrynash: checking..13:58
henrynashlhcheng: thx13:58
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation model  https://review.openstack.org/20848813:59
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation driver  https://review.openstack.org/20960014:01
*** adelia has joined #openstack-keystone14:02
*** fhubik is now known as fhubik_brb14:02
*** fhubik_brb is now known as fhubik14:03
*** silvio is now known as gissi14:03
*** ayoung has joined #openstack-keystone14:05
*** ChanServ sets mode: +v ayoung14:05
*** breitz has joined #openstack-keystone14:05
*** fhubik is now known as fhubik_brb14:05
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation migration  https://review.openstack.org/23704714:06
henrynashlhcheng: thx14:08
lhchenghenrynash: thanks for the updated patch, the doc looks great!14:08
lhchenghenrynash: got a quick question related to this bug: https://bugs.launchpad.net/keystone/+bug/146684614:12
openstackLaunchpad bug 1466846 in OpenStack Identity (keystone) "the function _config_to_list is not working well" [Medium,New]14:12
lhchenghenrynash: should the value from the config be injected in the whitelisted/sensitive list in here: https://github.com/openstack/keystone/blob/master/keystone/resource/core.py#L102414:14
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Deprecating API v2.0  https://review.openstack.org/25153014:14
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Deprecating API v2.0  https://review.openstack.org/25153014:16
*** btully has joined #openstack-keystone14:17
*** henrynash has quit IRC14:17
*** henrynash_ has joined #openstack-keystone14:17
*** ChanServ sets mode: +v henrynash_14:17
henrynash_lhcheng: hmm, that looks like bad Henry code to me!14:17
henrynash_lhcheng: assign me the bug!14:17
*** adelia has quit IRC14:17
*** adelia has joined #openstack-keystone14:18
*** csoukup has joined #openstack-keystone14:22
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation migration  https://review.openstack.org/23704714:23
lhchenghenrynash_: sure!14:23
lhchenghenrynash_: done!14:23
henrynash_lhcheng: your wish is my command (polishes lamp in corner)14:24
*** topol has joined #openstack-keystone14:24
*** ChanServ sets mode: +v topol14:24
*** Ctina has joined #openstack-keystone14:25
*** Ctina is now known as ctina14:25
*** jdennis1 has joined #openstack-keystone14:26
*** jdennis has quit IRC14:27
*** henrynash_ has quit IRC14:28
*** adelia has quit IRC14:28
*** topol has quit IRC14:29
*** roxanaghe has joined #openstack-keystone14:29
*** adelia has joined #openstack-keystone14:29
*** topol has joined #openstack-keystone14:29
*** ChanServ sets mode: +v topol14:29
*** jdennis1 has quit IRC14:30
*** adelia has quit IRC14:30
*** adelia has joined #openstack-keystone14:30
*** jdennis has joined #openstack-keystone14:30
*** btully has quit IRC14:32
*** btully has joined #openstack-keystone14:33
*** roxanaghe has quit IRC14:33
*** markvoelker has joined #openstack-keystone14:34
*** markvoelker_ has quit IRC14:35
*** adelia has quit IRC14:42
*** adelia has joined #openstack-keystone14:42
*** adelia has quit IRC14:47
*** btully has quit IRC14:51
*** petertr7_away is now known as petertr714:53
*** btully has joined #openstack-keystone14:55
*** wangqun has quit IRC15:00
*** NM has joined #openstack-keystone15:06
*** dims has quit IRC15:08
*** csoukup has quit IRC15:10
*** navid_ has joined #openstack-keystone15:12
*** csoukup has joined #openstack-keystone15:12
*** btully has quit IRC15:15
*** henrynash has joined #openstack-keystone15:16
*** ChanServ sets mode: +v henrynash15:16
*** btully has joined #openstack-keystone15:18
*** fawadkhaliq has quit IRC15:25
*** fawadkhaliq has joined #openstack-keystone15:26
*** markvoelker_ has joined #openstack-keystone15:28
*** e0ne has quit IRC15:29
*** roxanaghe has joined #openstack-keystone15:30
*** markvoelker has quit IRC15:32
*** markvoelker_ has quit IRC15:33
openstackgerritayoung proposed openstack/keystone: set `is_admin` on tokens for admin project  https://review.openstack.org/24071915:33
*** roxanaghe has quit IRC15:34
*** davechen has joined #openstack-keystone15:35
*** belmoreira has quit IRC15:35
*** ninag has quit IRC15:36
*** btully has quit IRC15:37
openstackgerritayoung proposed openstack/keystone: SQLAlchemy column type for storing string arrays as flat strings (materialized path)  https://review.openstack.org/25144515:38
*** btully has joined #openstack-keystone15:42
*** tyagiprince has joined #openstack-keystone15:44
openstackgerritGrzegorz Grasza (xek) proposed openstack/keystone: Remove eventlet support  https://review.openstack.org/24948615:44
*** tyagiprince has quit IRC15:46
*** e0ne has joined #openstack-keystone15:47
*** tyagiprince has joined #openstack-keystone15:49
*** EinstCra_ has quit IRC15:49
*** aix has quit IRC15:49
*** davechen1 has joined #openstack-keystone15:50
*** davechen has quit IRC15:52
*** dims has joined #openstack-keystone15:54
*** adelia has joined #openstack-keystone15:55
openstackgerritBoris Bobrov proposed openstack/python-keystoneclient: Support `truncated` flag returned by keystone  https://review.openstack.org/25047315:57
*** btully has quit IRC15:57
openstackgerritAlexander Makarov proposed openstack/keystone: Materialized path convenience wrapper  https://review.openstack.org/25145515:58
*** markvoelker has joined #openstack-keystone16:00
*** fhubik_brb is now known as fhubik16:02
*** petertr7 is now known as petertr7_away16:02
*** lhinds has quit IRC16:02
*** btully has joined #openstack-keystone16:03
*** rcernin has quit IRC16:04
*** dims_ has joined #openstack-keystone16:08
*** dims has quit IRC16:10
*** amakarov has quit IRC16:11
*** tsufiev has quit IRC16:11
*** pkarikh has quit IRC16:12
*** petertr7_away is now known as petertr716:13
*** btully has quit IRC16:17
*** amakarov has joined #openstack-keystone16:18
*** diazjf has joined #openstack-keystone16:19
*** sripriya has joined #openstack-keystone16:26
*** petertr7 is now known as petertr7_away16:26
*** btully has joined #openstack-keystone16:26
*** tsufiev has joined #openstack-keystone16:27
*** r-daneel has joined #openstack-keystone16:27
*** pkarikh has joined #openstack-keystone16:28
*** petertr7_away is now known as petertr716:29
*** dims has joined #openstack-keystone16:30
*** roxanaghe has joined #openstack-keystone16:30
*** dims_ has quit IRC16:33
*** roxanaghe has quit IRC16:35
*** slberger has joined #openstack-keystone16:37
*** btully has quit IRC16:39
*** deray_ has joined #openstack-keystone16:39
deray_hello all16:41
deray_I am facing an issue with keystone while stacking up using devstack16:41
*** btully has joined #openstack-keystone16:42
deray_the log shows as:16:43
deray_"ContextualVersionConflict: (oslo.middleware 2.11.0 (/usr/local/lib/python2.7/dist-packages), Requirement.parse('oslo.middleware>=3.0.0'), set(['keystone']))"16:43
deray_can anybody help me resolve this?16:44
*** EinstCrazy has joined #openstack-keystone16:50
*** fawadkhaliq has quit IRC16:50
*** woodster_ has joined #openstack-keystone16:51
*** fhubik is now known as fhubik_brb16:52
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation model  https://review.openstack.org/20848816:52
*** tyagiprince1 has joined #openstack-keystone16:53
*** tyagiprince has quit IRC16:54
*** tyagiprince1 is now known as tyagiprince16:54
*** EinstCrazy has quit IRC16:55
openstackgerritAlexander Makarov proposed openstack/keystone: SQLAlchemy column type for storing string arrays as flat strings (materialized path)  https://review.openstack.org/25144516:57
*** xek_ has joined #openstack-keystone16:58
*** petertr7 is now known as petertr7_away16:58
*** petertr7_away is now known as petertr716:58
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation model  https://review.openstack.org/20848816:59
openstackgerritAlexander Makarov proposed openstack/keystone: SQLAlchemy column type for materialized path  https://review.openstack.org/25144516:59
openstackgerritAlexander Makarov proposed openstack/keystone: Use path hybrid property in query filtering  https://review.openstack.org/25151316:59
openstackgerritAlexander Makarov proposed openstack/keystone: Materialized path convenience wrapper  https://review.openstack.org/25145516:59
*** btully has quit IRC17:01
*** btully has joined #openstack-keystone17:02
*** links has joined #openstack-keystone17:08
openstackgerritTony Wang proposed openstack/keystone: Add `type' filter for list_credentials_for_user  https://review.openstack.org/23521417:09
*** fhubik_brb is now known as fhubik17:12
*** btully has quit IRC17:13
*** gyee has joined #openstack-keystone17:14
*** ChanServ sets mode: +v gyee17:14
*** tyagiprince has quit IRC17:15
*** btully has joined #openstack-keystone17:16
*** lhcheng_ has joined #openstack-keystone17:17
*** lhcheng has quit IRC17:20
*** fawadkhaliq has joined #openstack-keystone17:22
*** fhubik is now known as fhubik_brb17:25
*** doug-fish has joined #openstack-keystone17:25
*** stevemar_znc is now known as stevemar17:25
*** ChanServ sets mode: +o stevemar17:25
*** shaleh has joined #openstack-keystone17:26
*** ayoung has quit IRC17:28
*** btully has quit IRC17:28
*** lhcheng_ has quit IRC17:29
bretonit seems that nobody wants to discuss anything today :)17:29
*** lhcheng has joined #openstack-keystone17:29
*** ChanServ sets mode: +v lhcheng17:29
*** e0ne has quit IRC17:30
*** roxanaghe has joined #openstack-keystone17:31
*** btully has joined #openstack-keystone17:31
*** petertr7 is now known as petertr7_away17:31
*** roxanaghe has quit IRC17:35
*** deray_ has quit IRC17:39
gyeebreton, yeah, nothing on the agenda today17:40
shalehthe meeting is going to be about voting for specs17:40
shalehmostly for cores17:40
gyeefor everybody17:41
*** navid_ has quit IRC17:42
stevemarshaleh: everyone is allowed to comment17:45
stevemarshaleh: or throw tomatoes at the ptl17:46
stevemarwhatever is your jam17:46
*** lhcheng_ has joined #openstack-keystone17:46
shalehstevemar: :-) hmm, tomato jam....17:46
marekdstevemar: don't be so harsh on yourself, you are great17:46
stevemarmy use of cool urban slang backfired17:46
stevemarmarekd: <317:46
marekdstevemar: and i mean that....17:46
marekd:)17:47
stevemarmarekd: :P17:47
shalehstevemar: it is hard to be a hip, urban, white dude17:47
stevemarshaleh: drew carey makes it happen17:47
shalehstevemar: fake it til you make it17:47
gyeethrowing tomatoes to stevemar sounds fun17:48
*** spandhe has joined #openstack-keystone17:49
*** lhcheng has quit IRC17:49
stevemargyee: i'm gonna bug you for simple reviews since you are here17:49
stevemargyee: https://review.openstack.org/#/c/249469/17:49
gyeeyes sir17:49
stevemarhttps://review.openstack.org/#/c/249472/17:49
stevemargyee: https://review.openstack.org/#/c/249475/17:50
stevemarand last one: https://review.openstack.org/#/c/251222/17:50
notmorganstevemar: so ksm -> ksa use17:50
notmorganstevemar: approved17:50
* stevemar is selfishly trying to make keystone mitaka-1 ready by tomorrow, cause he's off thursday and friday17:50
stevemarnotmorgan: :O17:51
stevemarballer17:51
*** EinstCrazy has joined #openstack-keystone17:52
*** tqtran has joined #openstack-keystone17:53
*** jistr has quit IRC17:54
*** jasonsb has quit IRC17:56
*** EinstCrazy has quit IRC17:56
*** mhickey_ has joined #openstack-keystone17:56
stevemarnotmorgan: want me to update the SHA of my release request ?17:57
notmorganstevemar: if you don't mind once that lands.17:58
notmorganstevemar: but i'm not dying to have that fix in the release17:58
notmorganstevemar: the fixture and the KSA fixes are important17:58
stevemarnotmorgan: roger roger17:58
openstackgerritMerged openstack/keystone-specs: Create an attic for APIs we don't support  https://review.openstack.org/24882817:58
stevemarmeeting time!17:59
stevemarajayaa, amakarov, ayoung, breton, browne, davechen, david8hu, dolphm, dstanek, ericksonsantos, geoffarnold, gyee, henrynash, hogepodge, htruta, jamielennox, joesavak, lbragstad, lhcheng, marekd, morganfainberg, nkinder, raildo, rodrigods, roxanaghe, samueldmq, shaleh, stevemar, tsymanczyk, topol, vivekd, wanghong, claudiub, rderose, samleon, xek, MaxPC, tjcocozz17:59
*** spandhe has quit IRC17:59
stevemarcourtesy ping ^17:59
dolphmstevemar: wrong channel :P17:59
*** mhickey_ has quit IRC17:59
stevemardolphm: you and bknudson givin me grief18:00
* notmorgan debates showing up to the meeting18:00
shalehnotmorgan: no no no, you debate in the meeting18:00
*** ayoung has joined #openstack-keystone18:01
*** ChanServ sets mode: +v ayoung18:01
*** jaosorior has quit IRC18:02
*** ayoung_ has joined #openstack-keystone18:02
*** fhubik_brb is now known as fhubik18:02
*** sripriya has left #openstack-keystone18:03
*** ayoung has quit IRC18:03
*** ayoung_ is now known as ayoung18:03
*** lhcheng_ is now known as lhcheng18:12
*** ChanServ sets mode: +v lhcheng18:12
*** davechen1 is now known as davechen18:14
ayounghenrynash, ... putting this here for after the meeting.  I am assuming a domain specific role can be an implied role, right?  I can have one domain specific role imply another domain specific role which then implies a global role....18:22
henrynashyes18:23
*** jed56 has quit IRC18:23
*** diazjf has quit IRC18:24
*** links has quit IRC18:24
*** mancdaz has quit IRC18:26
*** fhubik has quit IRC18:26
*** mancdaz has joined #openstack-keystone18:27
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation migration  https://review.openstack.org/23704718:29
*** tqtran has quit IRC18:30
openstackgerritMarek Denis proposed openstack/keystone-specs: Expand endpoint filters to service providers  https://review.openstack.org/18853418:30
*** rha has quit IRC18:31
*** jbell8 has joined #openstack-keystone18:35
*** spandhe has joined #openstack-keystone18:36
*** rcernin has joined #openstack-keystone18:38
*** petertr7_away is now known as petertr718:40
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation driver  https://review.openstack.org/20960018:40
openstackgerritMerged openstack/oslo.policy: Updated from global requirements  https://review.openstack.org/25166018:41
openstackgerritBoris Bobrov proposed openstack/keystone: Explicitly check incorrect token input  https://review.openstack.org/20692118:43
*** alex_xu has quit IRC18:48
*** mhickey has quit IRC18:48
*** navid_ has joined #openstack-keystone18:50
*** alex_xu has joined #openstack-keystone18:52
*** fangxu has joined #openstack-keystone18:53
*** jasonsb has joined #openstack-keystone18:56
openstackgerritBoris Bobrov proposed openstack/keystone: Explicitly check incorrect token input  https://review.openstack.org/20692118:57
ayounghenrynash, OK, so when implementing domain specific roles, we need to make sure the inference rules do not add DSRs to the token, but we do need to make sure that the DSRs are expanded.19:00
ayoungthat is going to change this code....19:00
ayounghttps://review.openstack.org/#/c/242614/13/keystone/assignment/core.py,cm19:00
gyeeayoung, henrynash, sorry I have to run to another meeting19:01
gyeeI'll ping you guys after the meeting19:01
henrynashgyee: ok19:01
gyeesorry about that19:01
*** gyee has quit IRC19:02
henrynashayoung: I’ll be back on later too19:02
davechenlhcheng: so, you want a deprecation message on top of "identity_uri"?  - https://review.openstack.org/#/c/220545/19:03
stevemarnotmorgan: can you check out this pycadf review: https://review.openstack.org/#/c/240979/19:03
notmorganstevemar: no i cannot >.> ok i can19:04
stevemarnotmorgan: it'll need a major version bump too, and since we're already doing that cause of py26 support...19:04
notmorganwait what is going on here?19:04
stevemargordc: ^19:04
openstackgerritMerged openstack/keystonemiddleware: Use keystoneauth  https://review.openstack.org/23509019:04
stevemarnotmorgan: the bulk of the changes are in identifier.py19:05
stevemarwe're changing the type of ID that pycadf generates, so we're changing the data stream19:05
stevemarinstead of having it prefixed with "openstack-", it'll just be a UUID19:05
notmorganso this is going to break people who assumed openstack: before?19:05
notmorganor looked at that19:06
notmorgan?19:06
stevemarnotmorgan: ye19:06
stevemars19:06
notmorganthis looks like it's going to impact people who relied on this and/or break their correlation of events19:06
gordcnotmorgan: basically.19:06
stevemarwhich is why it'll be going into a major version bump19:07
gordcnotmorgan: main reason is that the 'openstack:' part is already breaking people when they try to define policies19:07
notmorgani mean.. i guess with a major version bump...19:07
notmorgangordc: ok.. sure19:07
notmorgani think we're just in a bad state in both cases19:07
gordcyep19:07
notmorgan+2, someone else +A19:08
stevemarnotmorgan: alrighty19:08
lbragstadstevemar small summary with only things that were voted yes - http://cdn.pasteraw.com/ivxkpn54ishq0eazrvjvkalg1xy9f3i19:09
gordcawesome! one more step to making uuid common place.19:09
stevemarlbragstad: thank you sir, you are a gentleman and a scholar19:09
stevemarlbragstad: easy review: https://review.openstack.org/#/c/251222/ !19:10
*** john5223 is now known as zz_john522319:20
dolphmmarekd: can you explain gyee's comment on L34? https://review.openstack.org/#/c/240595/4/specs/mitaka/shadow-users.rst,unified19:24
marekddolphm: you can configure your mapping engine in a way that an effective user will be a local user19:26
marekddolphm: dolphm let me find a spec19:26
marekddolphm: https://github.com/openstack/keystone-specs/blob/master/specs/kilo/federated-direct-user-mapping.rst19:27
shalehgyee is away for a bit or I would ping him to explain himself19:28
marekdif the targeted user is not a member of 'Federated' Domain it means keystone expects to find a user in a users table, effectively ditching dynamic groups membership and returning whatever local user has19:28
*** rderose has joined #openstack-keystone19:28
marekddolphm: if you happen to have same backend configured for keystone and your idp you may then use federated as an auth mean (and just that)19:29
shalehI am not certain if he is arguing for more language in the spec or if he has not considered other use cases19:29
marekddolphm: we use it for instance.19:29
lbragstadrderose ^19:32
lbragstadrderose https://github.com/openstack/keystone-specs/blob/master/specs/kilo/federated-direct-user-mapping.rst19:32
*** roxanaghe has joined #openstack-keystone19:32
*** roxanagh_ has joined #openstack-keystone19:33
*** roxanagh_ has quit IRC19:37
*** aginwala has joined #openstack-keystone19:46
*** diazjf has joined #openstack-keystone19:48
*** petertr7 is now known as petertr7_away19:51
*** jbell8 has quit IRC19:54
*** petertr7_away is now known as petertr719:57
*** jbell8 has joined #openstack-keystone20:01
dolphmmarekd: (thanks!)20:06
*** fawadkhaliq has quit IRC20:09
openstackgerritMerged openstack/pycadf: make generate_uuid return valid uuid  https://review.openstack.org/24097920:10
*** diazjf has quit IRC20:12
*** btully has quit IRC20:12
marekddolphm: no problem20:13
*** aginwala has quit IRC20:14
*** btully has joined #openstack-keystone20:14
*** aginwala has joined #openstack-keystone20:17
*** fangxu has quit IRC20:23
*** NM has quit IRC20:31
*** errr_ is now known as errr20:32
openstackgerritPriti Desai proposed openstack/keystone: Fix for listing role assignments by project admin  https://review.openstack.org/24889220:33
*** roxanagh_ has joined #openstack-keystone20:34
lbragstadmarekd what refactorization needs to be done in the mapping engine here (line 179) - https://review.openstack.org/#/c/240595/4/specs/mitaka/shadow-users.rst,unified20:37
marekdlbragstad: where would you specify what roles will be assigned to the shadow (federated) user?20:38
*** roxanagh_ has quit IRC20:38
marekdlbragstad: you must assume there is no such user in the database until somebody logs in for the first time20:38
marekdunless i misunderstood some concepts there.20:39
lbragstadmarekd the current mapping engine determines which roles a user gets based on the attributes in the SAML, right?20:41
*** EinstCrazy has joined #openstack-keystone20:41
marekdlbragstad: no, it determines membership of the groups you will be.20:42
marekdgroups is your link to roles.20:42
lbragstadmarekd ah, right20:42
lbragstadmarekd i was mixed up, I think we talked about being able to map directly to roles at the summit20:42
marekdperhaps :-)20:42
lbragstadmarekd so, the mapping engine will have to be refactored to be smart enough to handle mapping to groups *and* users20:43
marekdin a sense you just wrote i can answer "it is smart enough to do so today". But i think you meant "shadow users"...20:44
marekdright?20:44
marekdlbragstad:20:44
lbragstadmarekd yes20:44
marekdlbragstad: to be honest i am not sure how to solve it...20:44
lbragstadmarekd it will have to be refactored to be smart enough to handle groups, local users, and shadow users20:45
*** diazjf has joined #openstack-keystone20:45
marekddolphm: lbragstad shadow users change pretty much everything in terms of federation - i am not sure how to keep old mapping rules doing what they are doing today20:45
marekdwe can introduce new syntax, that's fine20:46
marekdlbragstad: do you know what i mena?20:47
marekdmean20:47
*** btully has quit IRC20:47
*** EinstCrazy has quit IRC20:47
lbragstadmarekd yeah, kind of20:47
lbragstadmarekd i need to familiarize myself with the mapping engine again20:47
lbragstadmarekd i'm leaving a comment on the spec now20:47
marekdlbragstad: i need to do that every time i am debugging those areas of code :P20:48
lbragstadmarekd line 179 - https://review.openstack.org/#/c/240595/4/specs/mitaka/shadow-users.rst20:48
*** btully has joined #openstack-keystone20:48
lbragstadmarekd does my response make sense?20:48
marekdyes20:51
*** rderose has quit IRC20:51
*** rderose has joined #openstack-keystone20:51
marekdafter rethinking it i reckon this spec is quite big chunk of work and it may take >1 cycles to implement and merge unless somebody makes it a primary task.20:53
openstackgerritMonty Taylor proposed openstack/python-keystoneclient: Accept v2 params to v3 service create  https://review.openstack.org/23310220:54
*** mnaser has quit IRC20:58
shaleh^^^ shouldn't we make a deprecation notice if they do that?21:01
*** raildo is now known as raildo-afk21:01
*** pauloewerton has quit IRC21:03
*** aginwala has quit IRC21:05
*** mnaser has joined #openstack-keystone21:06
*** aginwala has joined #openstack-keystone21:08
*** navid__ has joined #openstack-keystone21:10
*** navid_ has quit IRC21:10
openstackgerritMerged openstack/keystone: Remove RequestBodySizeLimiter from middleware  https://review.openstack.org/24946921:11
dolphmstevemar: fyi, lbragstad and rderose just went through the unified auth spec, left a few comments in response, but didn't have any need to submit a revision. so, it's sitting there with 2x+2 and a few -1's21:14
dolphmi think marekd is the only -1 that might be online ^21:15
*** navid__ has quit IRC21:15
openstackgerritayoung proposed openstack/keystone: Updated Cloudsample  https://review.openstack.org/24072021:16
stevemardolphm: i'm OK with +A'ing specs with the assumption that there is a bit of clean up to do21:16
stevemarbknudson, you working on friday?21:16
bknudsonstevemar: I'm on vaca friday21:16
stevemarlol21:16
stevemareveryone seems to be!21:16
dolphmstevemar: can we close the New Bug form down for friday?21:17
*** btully has quit IRC21:17
dolphm"Report a bug"21:17
openstackgerritayoung proposed openstack/keystone: Updated Cloudsample  https://review.openstack.org/24072021:17
openstackgerritMerged openstack/keystone: Remove check_role_for_trust  https://review.openstack.org/24947221:18
openstackgerritMerged openstack/keystone: Remove deprecated notification event_type  https://review.openstack.org/24947521:18
openstackgerritMerged openstack/keystone: Fix a typo in notifications function doc  https://review.openstack.org/25087621:18
dolphmstevemar: cleanup on what? the spec?21:20
*** btully has joined #openstack-keystone21:20
*** mhickey has joined #openstack-keystone21:21
marekddolphm: stevemar: if you feel my comments are invalid orrrr you know how to handle everything i mentioned feel free to +A.21:22
dolphmmarekd: they responded to your comments21:22
dolphmmarekd: lbragstad / rderose did21:22
*** ctina_ has joined #openstack-keystone21:22
dolphmmarekd: ah, they missed your newest comment :)21:24
marekddolphm: no, i also left comment for the review (not inlined)21:25
marekdwhen i first -1 it.21:25
marekd"I am unsure on where operator would assign roles to a shadow users. [...]"21:25
marekd"What about backwards compatibility especially wrt old mapping rules, dynamic group membership etc? [..]"21:25
openstackgerritayoung proposed openstack/keystone-specs: Make keystone fully fledged SAML2 Service Provider  https://review.openstack.org/24469421:26
*** dulek has quit IRC21:26
*** ctina has quit IRC21:26
marekddolphm: I think those are important topics.21:26
*** dulek has joined #openstack-keystone21:27
*** ctina_ has quit IRC21:27
*** harlowja has quit IRC21:27
*** harlowja has joined #openstack-keystone21:28
lbragstadmarekd wouldn't an operator just assign roles like they would to any other user?21:29
marekdlbragstad: for federated user?21:29
lbragstadyes21:30
lbragstadsince a federated user entity points to a shadow user21:30
rderoseagree21:30
marekdlbragstad: so, as an operator you will need to create shadow users for all people from CERN IT21:30
marekdbefore they even login.21:31
*** mancdaz has quit IRC21:31
lbragstadno, the shadow user is created after the saml assertion is validated21:31
lbragstadonce the identity is verified21:31
*** rcernin has quit IRC21:31
rderosemapping is created from token + saml21:31
marekdok, so i madenis login for the first time. My assertion is valid, but i will be blocked and wait for operator to assign me roles?21:32
marekdlbragstad: you just mentioned that operator would assign roles to a user.21:32
*** jerrygb has quit IRC21:32
marekdshadow user is created after my first login.21:32
marekdso it looks only then an operator can assign roles?21:32
*** mancdaz has joined #openstack-keystone21:32
*** navid_ has joined #openstack-keystone21:33
*** roxanagh_ has joined #openstack-keystone21:34
*** aginwala has quit IRC21:35
marekdlbragstad: rderose: looks like mapping engine will be responsible for that for the first time OR we need to add some new kickass feature which doesn't seem to be mentioned in the spec.21:36
lbragstadmarekd the operator assigns roles to the group the same way they do now21:36
lbragstadmarekd option A21:36
marekdlbragstad: so, it's still membership through groups?21:36
lbragstadyes21:36
marekdit wasn't stated clearly in the spec  :P21:36
lbragstadmarekd the mapping engine will create a shadow user and also make that user a member of the groups in the mapping21:37
shalehonce the shadow exists the op can specify a specific mapping for a specific user, right?21:37
marekdshaleh: the problem is shadow user doesn't exist until you login21:37
shalehmarekd: understood21:37
rderoseshaleh: you cannot do this today21:38
shalehayoung was talking about using a hash or the like so they could be precomputed21:38
shalehgetting around the login issue potentially21:38
ayoungshaleh, we do something like that with LDAP and multi backends21:38
shalehif I remember correctly21:38
ayoungsha256{domain_id, userid}21:39
marekdshaleh: (and dolphm lbragstad ) oh, precomputing hash is another thing21:39
*** roxanagh_ has quit IRC21:39
*** xek_ has quit IRC21:39
shalehayoung: thank you, I remembered the high level bits but not the detail21:40
ayoungshaleh, look for id_mapping in keystone/identity/ for the details21:40
*** fangxu has joined #openstack-keystone21:42
*** Guest55984 has quit IRC21:45
*** gildub has joined #openstack-keystone21:47
*** btully has quit IRC21:48
*** tsymanczyk has joined #openstack-keystone21:50
*** tsymanczyk is now known as Guest5648621:50
lbragstadayoung the precomputed part was just to ensure authentication from two different auth types is mapped to the same shadow user, right?21:50
ayounglbragstad, yes21:51
ayounglbragstad, needed to pre-populate roles even in the case where there is only a single IDP, too21:51
*** topol has quit IRC21:51
lbragstadayoung could you map roles to federated users without using groups, would that work?21:52
ayounglbragstad, I should say "prepopulate role assignments"  say you have not visited a cloud before....21:52
ayounglbragstad, I'm not certain how to parse that21:53
ayoungif by "map" you mean "use the federation mapping" then, in theory (and chadwick originally wanted that) but we can't allow other-than-admin to do that today21:53
lbragstadtoday federated users are mapped into groups, which have role assignments.21:53
marekdayoung: create assignments to a 'dangling user', entity which will exist one day, but doesn't NOW21:53
ayounglbragstad, in theory, yes.  In practice, there are no groups21:53
ayoungmarekd, sounds like the virtual org spec21:54
marekdayoung: perhaps21:54
*** btully has joined #openstack-keystone21:54
ayoungmarekd, I think we need a way to say "what will ayoung@redhat.com get as a userid when he hits my cloud."21:54
marekdayoung: i know that.21:55
ayoungthat was the a"diagnostist" thmessage I sent to the mailing list21:55
lbragstadayoung if you have no groups, how do you have role or role assignments?21:55
*** navid_ has quit IRC21:55
marekduh, it's late i need to run. will read that convo tomorrow.21:55
lbragstadmarekd o/21:56
openstackgerritSteve Martinelli proposed openstack/keystone: remove version from setup.cfg  https://review.openstack.org/25207821:57
stevemarkeystoners: dstanek marekd lbragstad dolphm notmorgan henrynash jamielennox lhcheng gyee ayoung bknudson -- anything else critical that you guys want to land in mitaka-1? i plan on just adding release notes for things we've done so far and then tagging21:59
ayounglbragstad, that is the conundrum, and why we need to be able to precompute userids22:00
bknudsonI don't think we have any critical bugs to fix now.22:00
ayounglbragstad, groups are kind of meaningless.  The fact that, say richm or nkinder and I are both in the IdM group at red hat does not show up in our SAML assertions produced by Red Hat's saml provider.  And even if they did, they would not mean that we should get the same permissions in an HP cloud used for hosting Keystone development on Openstack,  right?22:01
notmorganstevemar: all the things22:01
*** aginwala has joined #openstack-keystone22:02
ayoungreally, the only thing you would have to go on if you were setting this up is my user name22:02
lbragstadstevemar - https://review.openstack.org/#/c/240595/422:03
stevemarspecs are tomorrow22:04
stevemarthis is what is going to go into mitaka-1, the actual keystone code base22:04
stevemar(i assume not much)22:04
stevemarhow the hell do we have 118 blueprints22:05
stevemarwe need a blueprint squash day22:06
stevemarthere's gotta be a bunch of overlap there22:06
lbragstadstevemar blueprint were superseded by specs22:07
lbragstadblueprints*22:07
stevemarlbragstad: excellent, i will mark them all as obsolete22:07
lbragstadrm -rf /22:07
lbragstadi believe that is what you're looking for22:07
*** jbell8 has quit IRC22:08
ayoungstevemar, blueprints are needed for the launchpad side of things, but should be 1 to 1 with specs22:09
*** jbell8 has joined #openstack-keystone22:10
ayoungI'd kill any BP where the spec url is not a gerrit spec22:10
stevemarayoung: yargh22:10
stevemari agree22:10
stevemarthere are some decent ideas in there22:10
stevemarbut it's making it hard to track things22:11
*** davechen has left #openstack-keystone22:12
*** zz_john5223 has quit IRC22:13
*** dtroyer has quit IRC22:14
*** dtroyer has joined #openstack-keystone22:15
*** rderose has quit IRC22:15
*** diazjf has quit IRC22:16
*** zz_john5223 has joined #openstack-keystone22:16
bknudsonwe've got some bps that we said didn't need a spec22:17
bknudsonhopefully they're all implemented by now22:17
*** harlowja has quit IRC22:19
*** ayoung has quit IRC22:21
*** harlowja has joined #openstack-keystone22:21
*** gyee has joined #openstack-keystone22:22
*** ChanServ sets mode: +v gyee22:22
*** NM has joined #openstack-keystone22:23
*** gordc has quit IRC22:24
*** petertr7 is now known as petertr7_away22:26
openstackgerritSteve Martinelli proposed openstack/keystone: Add release notes for mitaka-1  https://review.openstack.org/24952322:27
stevemargyee: around?22:28
gyeestevemar, yes sir22:29
gyeejumping back to spec reviews22:29
stevemargyee: can you give me a one line description for x509 SSL cert auth support?22:29
stevemari need to make a release note for it, it was merged before the releasenotes stuff came along22:29
gyeeSupport tokenless client SSL x.509 certificate authentication and authorization22:30
stevemargyee: that's good enough for an operator?22:32
gyeeyeah, the setup is in the doc already22:32
*** jerrygb has joined #openstack-keystone22:32
gyeestevemar, I need to start writing blogs about keystone features22:33
stevemargyee: don't do it, it's a trick22:33
gyeehah22:33
stevemaryou just end up getting emails and questions22:33
gyeecharge them for it and make some $$ on the side :)22:34
gyeestevemar, https://github.com/openstack/keystone/blob/master/doc/source/configure_tokenless_x509.rst22:34
gyeeif you prefer, we can use the Definitions section22:34
stevemarnah, thats good enough for now22:35
*** roxanagh_ has joined #openstack-keystone22:35
*** NM has quit IRC22:35
openstackgerritSteve Martinelli proposed openstack/keystone: Add release notes for mitaka-1  https://review.openstack.org/24952322:36
notmorganjamielennox: ping [you around?]22:36
*** NM has joined #openstack-keystone22:36
stevemarif i could get eyes on https://review.openstack.org/#/c/249523/ << this should be the last patch landing in mitaka22:36
gyeelooking22:37
*** jerrygb has quit IRC22:37
jamielennoxnotmorgan: listening in to a meeting but sure22:38
shalehstevemar: does that mean more stringent control on checkins for the next part of the cycle?22:38
stevemarshaleh: ?22:39
stevemarshaleh: does what mean that?22:39
shaleh"this should be the last patch landing in mitaka"22:39
stevemaroops22:39
stevemarmitaka-1!22:39
stevemarmitaka-2 should just be implementing all the features we agreed to in keystone-specs22:40
shalehstevemar: this is my first full cycle22:40
stevemari understand, that was my bad22:40
*** EinstCrazy has joined #openstack-keystone22:40
*** roxanagh_ has quit IRC22:40
stevemarmitaka-3 should be clean up, major bugs and stability22:40
stevemareach is about 6 weeks, so we have 6 hellish weeks to get all the functionality in :)22:40
shalehI see22:41
stevemarhappy holidays!22:41
shalehso the mid-cycle is a chance to check on the state of the code and plan out the cleanup/finish?22:41
stevemarshaleh: that's supposed to be the case22:41
gyeestevemar, I like your style, celebrate holidays by doing bug triage22:41
*** aginwala has quit IRC22:42
shalehgyee: it is like the world's worst Advent calendar :-)22:42
gyeehah22:42
stevemarshaleh: but i will understand if there is some spillage, and we should consider stretching out our deadline to land stuff by a week or so22:42
stevemarto take the midcycle into account22:42
bknudsonaccording to http://russellbryant.net/openstack-stats/keystone-openreviews.html we've already got 258 reviews to handle22:43
gyeeshaleh, I literally renamed my Keystone bug email rule to Steve, no kidding22:43
stevemarbknudson: what are you waiting for! review!22:44
stevemargyee: i feel honored22:44
gyeehe'll start with 258 -1s22:44
*** edmondsw has quit IRC22:44
*** EinstCrazy has quit IRC22:45
*** adelia_ has joined #openstack-keystone22:46
*** mhickey has quit IRC22:46
shalehbknudson: might be time to bless another core or two22:47
*** Guest56486 is now known as tsymanczyk22:48
*** adelia has quit IRC22:49
*** aginwala has joined #openstack-keystone22:50
*** adelia_ has quit IRC22:51
bknudsony, we do have some people doing lots of reviews... http://russellbryant.net/openstack-stats/keystone-reviewers-90.txt22:51
*** r-daneel has quit IRC22:52
*** chmouel has quit IRC22:55
shaleh 59    0   0  59   0   0   100.0% |    5 (  8.5%)22:56
*** chmouel has joined #openstack-keystone22:56
*** harlowja has quit IRC22:57
bknudsonit's hard to trust someone who only +1s. We'd have to check the reviews.22:57
gyeebknudson, the guys must have a very positive attitude :)22:58
stevemarvenkatamahesh is my hero22:58
stevemar|      venkatamahesh      |      84    0   1  83   0   0    98.8% |    4 (  4.8%)  |22:58
stevemarthere's a guy who only seems to +1 bot proposals22:58
stevemari forget who he is...22:58
gyeeno disagreement what so ever22:58
gyeeteam playa22:59
shalehthat is what happens when work places stupid quota checks on you23:00
shaleh"have you reviewed enough this week? No, sorry that will hurt your rankings during our yearly reviews"23:01
stevemargyee: haha http://stackalytics.com/?user_id=clint23:01
stevemarproposal bot guy!23:01
*** harlowja has joined #openstack-keystone23:01
gyeefrom HP?!23:02
bknudsonhe might be a bot23:02
* stevemar shrugs23:02
stevemarbknudson: HP is making sophisticated bots23:02
bknudsonproposal bot reviewer bot23:02
stevemarlol23:02
* gyee give shaleh a jingle23:02
bknudsonyou mean HPE23:02
gyeeNo!23:03
bknudsonHP just makes printers23:03
shalehbknudson: and laptops23:03
gyeeits Hewlett Packard Enterprise23:03
gyeeyou dig?23:03
stevemarbknudson: can you kick this through? https://review.openstack.org/#/c/249523/ so i can attach a SHA to the release request23:03
bknudsongyee drank the kool-aid23:03
gyeedamn straight23:03
bknudsonstevemar: I'll look at it tonight I have to take off.23:03
*** jdennis has quit IRC23:05
*** omkarjoshi has joined #openstack-keystone23:05
*** NM has quit IRC23:06
stevemarbknudson: alrighty23:07
stevemarbknudson: have fun bowling23:07
shalehhttps://review.openstack.org/#/c/23310223:09
shalehMonty proposed this one. It allows v2 args into v3 CRUD23:09
stevemarshaleh: it sure does23:09
shalehwouldn't we want to emit a deprecation warning?23:09
stevemarshaleh: yes we would23:10
stevemarshaleh: or just move "service_type" to be the last parameter23:10
shalehstevemar: will the user of that code see anything from keystone? Or does the warning need to be in the client library?23:10
stevemarusers would see the warning23:11
*** csoukup has quit IRC23:11
shalehstevemar: what does moving service_type to the end do?23:11
stevemarshaleh: if someone is using it like: create('myname', mytype, True, 'my description') << then they'll get wonky results if the 3rd argument is now service_type23:13
shalehstevemar: Monty wants this call to succeed. Moving service_type into the kwargs would cause it to fail.23:13
*** slberger has left #openstack-keystone23:14
shalehstevemar: yeah the implication is people only use kw style args23:14
stevemarshaleh: yep23:14
stevemarshaleh: either make it the last parameter, before kwargs, or check if `service_type` is in kwargs23:14
shalehstevemar: lots of keystone code is like that23:14
stevemarand then use it23:14
shalehstevemar: Monty's patch has service_type as last arg before kwargs23:15
shalehah but he is not consistent23:15
shalehI see your point23:15
stevemarmordred: ^23:16
shalehI personally use the inspect kwargs when I write this kind of code23:16
stevemarwe're chatting about you23:16
stevemarshaleh: that could work23:16
stevemarfeel free to propose a new patch23:16
stevemari have to go cook and setup a christmas tree23:16
stevemarso long folks!23:16
shalehcheers23:16
gyeemerry christmas23:20
shalehwhen i loaded it there were no comments. Weird. Oh well. Sorry stevemar.23:23
mordredwhat did I do?23:24
mordredI am not consistent23:24
shalehmordred: we were talking about your revire 23310223:25
shalehs/revire/review/23:25
mordredshaleh: my main goal is that I can make calls that are compatible regardless of whether I'm doing v2 or v323:25
*** david-lyle has quit IRC23:25
shalehmordred: I support that. I don't like confusing the function parameters. It makes it confusing for people trying to determine how to correctly call the function.23:26
shalehand as stevemar points out it breaks peopple no using kwargs23:26
mordredcool! happy to fix it then23:26
shalehhmm, keyboard and I are not geling23:26
shalehmordred: what about deprecations though? The user making v2 calls to a v3 interface should see a warning that they are not heading towards obsolescence.23:27
mordredwell....23:27
notmorganwait but it's using the V3 interface?23:28
mordredso the problem is with the person who wants to write code that works on his clouds23:28
mordredyes23:28
notmorganwhy would that raise a deprecation23:28
notmorgan?23:28
mordredbecause getting a v2 or a v3 object is different than making calls23:28
shalehv2 args to a v3 interface23:28
mordredbecause we're adding a v2 param name23:28
notmorganshaleh: but...23:28
mordredv3 changed "service_type" to "type"23:28
notmorgani don't see a reason that needs to be a "OMG DO SOMETHING ELSE"23:28
notmorganwarning23:28
notmorgani mean, it could?23:28
shalehallowing code to keep using the old args tends to lead to subtle bugs though23:29
mordredso a person who writes  "client.services.create(service_type='foo')" - may not know at that part of the code that it's a v2 or a v3 object23:29
shalehwe should alert them that they are heading down a less well lit path23:29
mordredhonestly, we should add type as an arg to the v2 path too23:29
notmorganunless the v2/v3 is hitting the same underlying code path23:29
mordredand we should label both as supported-until-the-end-of-time23:29
mordredotherwise end-users have to write this code:23:30
mordredhttps://github.com/openstack-infra/shade/blob/master/shade/operatorcloud.py#L762-L77223:30
*** spandhe has quit IRC23:30
mordredwhich makes bunnies sad23:30
mordredand nobody wants sad bunnies23:31
*** darrenc is now known as darrenc_afk23:31
shalehmordred: that code has to live somewhere.23:31
shalehif it HAS to live in keystone, I would rather you inspect kwargs as I suggest in my review23:31
notmorganugh23:31
mordredokie!23:31
shalehthis keeps the method/function interface appropriate for v3 but supports old usage23:32
notmorganbut.. i mean. no23:32
notmorgan**kwargs is terrible and shouldn't be used23:32
notmorganit makes bunnies cry too23:32
shalehnotmorgan: shush or really come back :-)23:32
notmorganshaleh: i still have -2 powers23:32
notmorgan:P23:32
notmorganshaleh: seriously, **kwargs is terrible23:32
shalehnotmorgan: nonsense23:32
notmorganwe should clearly state what we expect23:32
*** jdennis has joined #openstack-keystone23:33
notmorganin function defs.23:33
shalehwhen a user reads the code they should see how to use it. Advertising competing arguments in the function def is silly23:33
notmorgantaking a bundle of *random* from **kwargs is horrible23:33
notmorganshaleh: i will never agree to that statement23:33
notmorganbecause i also like C and proper polymorphism23:33
notmorganand C++23:33
shalehnotmorgan: that is what I am suggesting. The function def defines the actual, expected arguments. For compatibility we look for old ones in kwargs23:33
notmorganno23:33
notmorganyou didn't read what i said.23:33
notmorgani am saying we support both ways23:34
*** spandhe has joined #openstack-keystone23:34
shalehnotmorgan: which is boneheaded and leads to 100 parameters because we used one 5 releases ago and changed our minds23:34
notmorganit is fine to explicitly define them and in the docstring explaining args to say "these are the same thing"23:34
notmorganshaleh: we should stop changing our minds23:34
*** e0ne has joined #openstack-keystone23:34
shalehnotmorgan: I do not disagree, but since we have already lots take the bandaid off and move on23:35
notmorganshaleh: the fact that the arguments changed names even though it is the same thing is the issue23:35
notmorganit should *never* have changed names in the first place23:35
shalehnotmorgan: not disagreeing with you. but it happened23:35
notmorgani am monumentally against "oh just yank this out of kwargs"23:35
notmorganand always will be23:35
*** e0ne has quit IRC23:36
shalehwhy? As a new coder asked to use the method, how should they choose between type and service_type?23:36
notmorganif it is a supported arg, it is a supported arg. i would be happy if **kwargs was never used in something a user could consume23:36
*** roxanagh_ has joined #openstack-keystone23:36
notmorganand yes, i am ok with 10000000 args23:36
notmorganrather than magic from random keywords23:36
*** e0ne has joined #openstack-keystone23:36
notmorganalso because **kwargs means typos sneak through23:37
notmorganserviec_type would silently fall through23:37
shalehnotmorgan: which get caught as bogus args at some point23:37
notmorganagain, i am against the **kwargs inspection23:37
*** ayoung has joined #openstack-keystone23:37
*** ChanServ sets mode: +v ayoung23:37
notmorgannow if stevemar says "we do **kwargs inspection" i'll not block it23:37
notmorganbut i really do disagree with that approach23:38
notmorganheck i wont even block it based on this convo23:38
notmorgani will point out i very much disagree when the code is written23:38
shalehnotmorgan: I agree with all of your points for standard code practices. I disagree when handling backwards compat issues.23:39
*** e0ne_ has joined #openstack-keystone23:39
notmorganbut it's not worth a "force another review" and cycle of code for a point that is largely principle23:39
shaleheither way, mordred's patch as written breaks positional parameters so at least that needs to be fixed.23:39
notmorgan[as you may have noticed i rarely -1 things these days unless it's really simple]23:39
notmorganshaleh: and that much yes. that is fine23:40
notmorgandon't break positional23:40
notmorganannnnnnyway. i won't block your recommended change (or even -1 it)23:40
*** roxanagh_ has quit IRC23:41
shalehnotmorgan: disagreeing but not enforcing it is pretty useless. The point of these reviews is to achieve consensus through argument.23:41
*** e0ne has quit IRC23:41
notmorganshaleh: forcing another review and another cycle is not worth an argument on principle23:41
*** dstanek has quit IRC23:41
*** dstanek has joined #openstack-keystone23:41
*** ChanServ sets mode: +v dstanek23:41
shalehnotmorgan: if that were true then we are wasting our time on reviews23:42
notmorgani would argue if i -1 this recommended change you made, i am well into the bikeshed realm23:42
shalehstyle is just as important in coding as not writing bugs. In fact, style helps prevent bugs.23:42
notmorganso, i'm arguing the point in channel before the review23:43
shalehunless the group agrees that my proposed solution of parsing kwargs is boneheaded23:43
*** topol has joined #openstack-keystone23:43
*** ChanServ sets mode: +v topol23:43
notmorganif we disagree, great, i'm telling you my stance and i am willing to concede that this isn't important enough stylistically to force another review23:43
notmorganif it lands inspecting **kwargs23:43
notmorganvs. declared23:43
notmorganso, i defer to mordred's choice on approach23:44
notmorganas long as we aren't breaking positional args23:45
shalehmordred: marking "support old stuff" vs. expected should be considered in your future patches :-)23:45
* notmorgan goes back to other things.23:45
notmorganlike talking betamax with jamielennox in keystoneauth23:45
mordredshaleh: ++23:46
mordredmmm23:46
mordredbetamax23:46
notmorganmordred: to be fair... i almost did go digital medium format >.<23:46
notmorganmordred: they had a used one...23:46
notmorganmordred: you're a bad influence23:46
notmorgan^_^23:46
shalehnotmorgan: I have not been able to justify 10k on a camera23:46
notmorganshaleh: it was only going to be ~5k or so.23:46
notmorganbut still.23:47
shalehbut oooooh how I want one23:47
notmorganused.23:47
shalehnotmorgan: which setup?23:47
mordrednotmorgan: yes I am23:47
notmorgandon't remember off the top of my head, went w/ a Canon 6D, 50mm lens, 16-35MM, and 85MM23:47
shalehmordred: what do you shoot?23:47
notmorganmordred: but i also know if i had gone medium format... i would have had to get a film back too... cause $reasons23:48
*** lhcheng has quit IRC23:48
* shaleh recently bought a Fuji Xpro after years of Nikon shooting23:48
*** topol has quit IRC23:48
*** lhcheng has joined #openstack-keystone23:48
*** ChanServ sets mode: +v lhcheng23:48
mordredshaleh: Mamiya 645 Pro AFD23:48
shalehI gave up film when it became hard to find ilford paper. and dark rooms.23:48
shalehmordred: bastard :-) That is my lust.23:49
mordredit's SO GOOD23:49
*** e0ne has joined #openstack-keystone23:49
notmorganshaleh: what no silver plates? :P23:49
notmorganshaleh: and mordred has some nice photos from that camera23:49
shalehoh i bet23:49
mordred6x4.5 Velvia FTW23:50
mordrednow, it's only velvia 100 because FAIL - but still23:50
*** e0ne_ has quit IRC23:51
*** darrenc_afk is now known as darrenc23:52
shalehI need a 16mm and a 85mm for my Fuji. I really wanted both in Japan.23:52
*** e0ne_ has joined #openstack-keystone23:52
shalehThe normal lens I had on was nice but not enough23:52
*** tsymanczyk has quit IRC23:52
notmorganthe 50mm is my fav. lens to shoot with23:53
notmorgantbh23:54
notmorganwell i take that back23:54
notmorganthe 100mm Macro 1:123:54
notmorganthat is my fav.23:54
notmorganbut, that is not super useful for general purpose23:54
*** e0ne has quit IRC23:54
shalehnotmorgan: agree on both counts23:54
shalehbut landscape/building stuff you often want wider23:55
shalehI wanted to capture some neat spiders but I did not have a good macro like lens23:55
notmorganshaleh: this is the lens to get: http://www.bhphotovideo.com/c/product/801201815-USE/canon_2527a001_super_telephoto_1200mm_f_5_6l.html23:56
shalehheh23:57
shalehno Canon here23:57
shalehCanon cameras try to fall out of my hands23:57
notmorganat that price, you buy a camera to go with the lens!23:57
shalehI have never liked one23:57
shalehI like Nikon bodies. I really like the Fuji X series cameras though. The Xpro1 I bought a few months back gives all of the manual twiddles.23:58
openstackgerritMorgan Fainberg proposed openstack/keystone-specs: Domain Specific Roles  https://review.openstack.org/22666123:59
