Tuesday, 2016-02-02

ayoung	amakarov, I had made more earlier but they got dropped somehow	00:06
*** ninag has joined #openstack-keystone		00:07
amakarov	ayoung, I've noticed too: this form isn't very user-friendly	00:08
*** ninag has quit IRC		00:08
*** dims has quit IRC		00:10
*** fpatwa has joined #openstack-keystone		00:14
*** su_zhang has quit IRC		00:21
*** su_zhang has joined #openstack-keystone		00:21
notmorgan	omfg...	00:21
notmorgan	https://twitter.com/notmyname/status/694312115272724480	00:21
notmorgan	I ... just can't ...	00:21
* notmorgan falls out of chair.		00:21
*** samueldmq has joined #openstack-keystone		00:22
notmorgan	stevemar: ^ You will thank me.	00:23
notmorgan	topol: ^ you too.	00:24
notmorgan	(need a mac, don't see the cellos voice in espeak]	00:24
*** raildo-afk is now known as raildo		00:25
*** pushkaru has quit IRC		00:28
*** lolmaster has joined #openstack-keystone		00:30
*** lolmaster has left #openstack-keystone		00:31
*** gildub has quit IRC		00:37
shaleh	someone post a recording for us non-osx users	00:37
shaleh	I am trying to install and run gerrit-dash-creator. But all I get is whining from PBR about "Versioning for this project requires either an sdist"	00:38
shaleh	Exception: Versioning for this project requires either an sdist tarball, or access to an upstream git repository. Are you sure that git is installed?"	00:38
shaleh	what more do I need beyond running python setup.py sdist, pip install -r requirements.txt, pip install dist/*.tgz?	00:38
notmorgan	shaleh: it's reading in a vocoder-style-voice in the cello range the diff to the tune of some Edvard Grieg	00:38
notmorgan	shaleh: the composition you'd most likely know from Grieg.	00:39
notmorgan	ok maybe you'd know peer gynt but in the hall of the mountain king being the main one	00:39
shaleh	yeah, I wikipedia'ed it	00:40
shaleh	I am really bad with names	00:40
*** clenimar has joined #openstack-keystone		00:41
*** pushkaru has joined #openstack-keystone		00:42
notmorgan	shaleh: sometimes I forget people didn't get burnt out playing some of that stuff in highschool and college.	00:43
*** fpatwa has quit IRC		00:44
notmorgan	shaleh: so having it seared into your memory [kindof like i'm so over romeo and juliet as a play.. 15 times analysing it]....	00:44
shaleh	heh, I hear you on Romeo et Juliet	00:44
shaleh	400+ years over a weekend infatuation gone wrong	00:44
notmorgan	the worst was doing the dramaturgical analysis	00:44
notmorgan	and having to write up notes for a "production" to execute it	00:45
notmorgan	it's way more fun to design/build sets and/or lighting	00:45
notmorgan	or directing if you're so lucky	00:45
notmorgan	though I learned a lot when doing script analysis, especially "waiting for gadot"	00:46
notmorgan	but.. still not my bag really.	00:46
lbragstad	notmorgan i think we're finally getting to the good stuff - https://review.openstack.org/#/c/258650/16	00:48
lbragstad	notmorgan some of these look like timing issues with tests - http://logs.openstack.org/50/258650/16/check/gate-keystone-python27/7f1a7f6/testr_results.html.gz	00:48
notmorgan	lbragstad: aye	00:48
notmorgan	very much so	00:48
notmorgan	and likely easily resolvable	00:48
notmorgan	like 1 fix will prob, clear a bunch	00:48
notmorgan	dolphm: i'm sad it's called freezegun and not freezeray	00:49
notmorgan	import freezegun as freezeray	00:49
lbragstad	notmorgan fixed*	00:50
notmorgan	then... https://www.youtube.com/watch?v=duI-VImSH6o	00:50
notmorgan	lbragstad: yeah.	00:50
dolphm	notmorgan: lol	00:51
lbragstad	oh man..	00:51
notmorgan	dolphm: you know you want to do it now.	00:51
dolphm	notmorgan: can i copy the lyrics into a docstr?	00:52
* lbragstad can't get it out of his head		00:52
notmorgan	dolphm: i was going to recommend doing:	00:52
notmorgan	dolphm: import freezegun as freezeray # <snippet of lyrics>	00:52
notmorgan	on each import	00:52
notmorgan	or on each use above the use	00:52
lbragstad	I'd -2 that	00:52
lbragstad	;)	00:53
notmorgan	lbragstad: but... butttt....	00:53
*** jasonsb has joined #openstack-keystone		00:53
lbragstad	notmorgan it would no doubt be keystone's most glorious easter egg	00:53
lbragstad	next to assertCloseEnoughForGovernmentWork() method	00:53
notmorgan	lbragstad: i know someone who used to put ascii art as comments in his perl	00:53
lbragstad	notmorgan gross	00:54
notmorgan	isn't assertCloseEnoughForGovt part of testtools?	00:54
notmorgan	lbragstad: the worst part was it actually impacted running the perl...	00:54
notmorgan	lbragstad: cause the way perl parses to bytecode :P	00:54
lbragstad	notmorgan nope - that's in our testing framework	00:55
lbragstad	notmorgan you can thank dolphm	00:55
notmorgan	dolphm: Thank you. that makes me so happy	00:55
notmorgan	dolphm: ^_^	00:55
*** jamielennox\|away is now known as jamielennox		00:55
notmorgan	lbragstad: i wonder if i can manage to get a bunch of Dr. Horrible lyrics into the commit messages for keystone >.>	00:55
dolphm	lbragstad: if you go to the defcore sprint, would it be a one or two night stay for you?	00:55
dolphm	lbragstad: i'd probably make it a one night trip	00:56
notmorgan	dolphm: oh there is a defcore sprint?	00:56
lbragstad	dolphm what days does it fall on?	00:56
* notmorgan should keep better track of this stuff.		00:56
dolphm	notmorgan: in the same room as the keystone sprint at ibm XD	00:56
notmorgan	dolphm: ahaa nice	00:56
dolphm	notmorgan: lbragstad: March 8-9	00:56
dolphm	Tues-Wed	00:56
notmorgan	dolphm: hmm... let me see how i am post this trip to Seattle	00:56
notmorgan	maybe i'll swing down for more BBQ	00:56
notmorgan	cause #reasons	00:56
dolphm	notmorgan: you like planes way more than i can understand	00:57
notmorgan	dolphm: i'm driving to seattle	00:57
notmorgan	screw getting on a plane for that	00:57
dolphm	lol	00:57
notmorgan	also.. i have been on 4 planes total this year	00:57
lbragstad	dolphm you'd only stay on Tuesday night, and return Wednesday afterwords?	00:57
dolphm	notmorgan: it's barely february	00:57
notmorgan	i expect that to stay in the low double digits at worse	00:57
dolphm	lbragstad: yes	00:58
lbragstad	ok	00:58
dolphm	lbragstad: i'd leave by 6am, i hope	00:58
lbragstad	yeah - i'd probably shoot for the same?	00:58
dolphm	lbragstad: k	00:58
notmorgan	dolphm: i don't know if i count a layover as a big deal ewhen counting planes you've been on	00:58
notmorgan	it was 2 flights, pdx -> MSP -> aus, aus -> SLC -> pdx	00:58
*** shoutm_ has joined #openstack-keystone		00:59
notmorgan	dolphm: considering how much i flew in 2014 and 2015...	00:59
notmorgan	this is pretty low	00:59
*** samueldmq has quit IRC		00:59
notmorgan	and that i didnt fly anywhere in december either.	00:59
*** shoutm has quit IRC		01:00
notmorgan	dolphm: i think i am going to hold my talk for Barcelona vs. trying to talk about suburl, auth offload, cache acceleration, etc this summit	01:00
notmorgan	dolphm: i think	01:00
notmorgan	dolphm: i have a couple hours to still decide :P	01:00
* notmorgan isn't sure how close to "really working" things will be by austin summit.		01:01
* notmorgan glares... S3 extension... why do you hate me so.		01:02
dolphm	glares?	01:02
notmorgan	stupid s3 extension keeps getting called and claimes it doesn't have .add_routes	01:02
notmorgan	but it does	01:02
notmorgan	i'm trying to finish this ext -> core thing	01:02
notmorgan	so we get that 100% cleaned up all in O cycle	01:03
*** alexvictorchan has quit IRC		01:05
openstackgerrit	fengzhr proposed openstack/keystone: The name can be just white character except project and user https://review.openstack.org/272358	01:07
*** pushkaru has quit IRC		01:08
*** doug-fish has quit IRC		01:10
*** doug-fish has joined #openstack-keystone		01:10
*** doug-fis_ has joined #openstack-keystone		01:12
*** davechen has joined #openstack-keystone		01:14
*** doug-fi__ has joined #openstack-keystone		01:14
*** doug-fish has quit IRC		01:14
*** markvoelker has joined #openstack-keystone		01:15
*** doug-fi__ has quit IRC		01:15
*** doug-fish has joined #openstack-keystone		01:16
*** shaleh has quit IRC		01:16
*** doug-fish has quit IRC		01:16
*** doug-fis_ has quit IRC		01:16
*** markvoelker has quit IRC		01:20
*** _cjones_ has quit IRC		01:22
*** amakarov has quit IRC		01:23
*** jamielennox is now known as jamielennox\|away		01:23
*** bill_az has quit IRC		01:23
*** jbell8 has joined #openstack-keystone		01:25
davechen	looks like releasenote doesn't work anymore	01:30
davechen	notmorgan: this impact your patch as well, http://docs-draft.openstack.org/89/274489/1/check/gate-keystone-releasenotes/8681a37//releasenotes/build/html/unreleased.html	01:30
openstackgerrit	Merged openstack/keystone: replace tenant with project in cli.py https://review.openstack.org/273757	01:30
davechen	only a few items can be rendered correctly.	01:31
*** csoukup_ has joined #openstack-keystone		01:38
*** esp has quit IRC		01:38
*** marekd has quit IRC		01:40
*** marekd has joined #openstack-keystone		01:40
notmorgan	so we need to revert?	01:41
notmorgan	davechen: happy to push that through or a quick fix if you have that handy	01:41
davechen	notmorgan: no, but i will investigate this.	01:41
notmorgan	davechen: if you know what is causing it that is	01:42
notmorgan	davechen: ok	01:42
notmorgan	davechen: also check to make sure you don't have a stale venv	01:42
notmorgan	because i'm not having a lot of issues atm. but i am not checking everything to be fair	01:42
davechen	notmorgan: if we revert this one, it will rendered correctly,b425b9189420e9592acfe3e7f579caac85bf7bc5	01:42
davechen	notmorgan: but it's irrelevant.	01:42
notmorgan	wait... how does that?	01:43
notmorgan	that makes no sense	01:43
notmorgan	oh it's a merge commit	01:43
davechen	notmorgan: yep, it just fix some testcases.	01:43
notmorgan	yeah that doesn't make sense	01:43
notmorgan	blink	01:43
davechen	notmorgan: but only revert this one can make it work.	01:43
notmorgan	huh	01:43
davechen	notmorgan: so i need more time to investigate.	01:43
notmorgan	weiiird. ok	01:44
notmorgan	let me know if you want me to jump in	01:44
notmorgan	if not i'm gonna finish the last extension -> core move	01:44
davechen	notmorgan: cool.	01:44
davechen	notmorgan: i found this when i review your code.	01:44
notmorgan	and then revert a minor change from the ldap assignment removal.	01:44
notmorgan	annnnd thennnnnn	01:45
notmorgan	back to dogpile.	01:45
davechen	notmorgan: its weird indeed.	01:45
notmorgan	yeah def. check for a stale venv	01:45
notmorgan	that would be my first place it just seems "odd"	01:45
davechen	no, it's not rendered correctly from the gate.	01:45
notmorgan	ah	01:45
davechen	http://docs-draft.openstack.org/89/274489/1/check/gate-keystone-releasenotes/8681a37//releasenotes/build/html/unreleased.html	01:46
notmorgan	super weird then	01:46
davechen	haha.	01:46
notmorgan	oh oh	01:46
notmorgan	i bet...	01:46
notmorgan	sec	01:46
notmorgan	ugh	01:47
notmorgan	nope	01:47
notmorgan	just touches tests	01:47
notmorgan	how does that impact reno?!	01:47
davechen	i thought you found something.	01:47
notmorgan	i thought i might have for a second	01:47
davechen	not really.	01:47
notmorgan	this is the merge commit's "merge" https://review.openstack.org/#/c/253219/1	01:47
notmorgan	what it merged in	01:47
notmorgan	so... i don't know how that affects it	01:47
*** clenimar has quit IRC		01:48
openstackgerrit	Merged openstack/python-keystoneclient: Bandit profile updates https://review.openstack.org/267810	01:48
davechen	i will revert these releasenote one by one and see if what's happened then.	01:49
*** jgriffith is now known as jgriffith_away		01:50
*** jgriffith_away is now known as jgriffith		01:53
stevemar	hai	01:54
*** lhcheng_ has joined #openstack-keystone		01:55
*** lhcheng has quit IRC		01:58
davechen	stevemar: you know how to fix this? or what cause this issue?	01:59
*** raildo is now known as raildo-afk		01:59
*** jgriffith is now known as jgriffith_away		02:04
*** jbell8 has quit IRC		02:05
*** jbell8 has joined #openstack-keystone		02:07
openstackgerrit	Steve Martinelli proposed openstack/keystone: Remove un-used test code https://review.openstack.org/274929	02:08
*** su_zhang has quit IRC		02:11
*** dims has joined #openstack-keystone		02:11
*** Nirupama has joined #openstack-keystone		02:15
*** markvoelker has joined #openstack-keystone		02:16
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/269479	02:16
*** markvoelker has quit IRC		02:20
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Move s3 Extension to core https://review.openstack.org/274973	02:21
notmorgan	stevemar: ^ boom, ec2 is left	02:21
stevemar	davechen: hmmm? what happened?	02:21
stevemar	davechen: oh the reno notes?	02:21
stevemar	davechen: i opened a bug against reno for that, let me share the links	02:21
stevemar	davechen: patch: https://review.openstack.org/#/c/272672/ bug: https://bugs.launchpad.net/reno/+bug/1537451	02:22
openstack	Launchpad bug 1537451 in reno "notes missing/overridden in latest version" [High,In progress] - Assigned to Doug Hellmann (doug-hellmann)	02:22
stevemar	i noticed it a week ago or so, i was definitely confused :)	02:22
*** erlarese has joined #openstack-keystone		02:23
stevemar	notmorgan: ^	02:23
*** shoutm_ has quit IRC		02:24
*** shoutm has joined #openstack-keystone		02:25
davechen	stevemar: cool!	02:26
davechen	the bug of reno, it's not our fault.	02:27
stevemar	davechen: no sir!	02:28
*** davechen1 has joined #openstack-keystone		02:31
notmorgan	stevemar: i think trace thing is close	02:31
notmorgan	stevemar: but ...it's spooky	02:31
notmorgan	stevemar: it needs another identifier saying it's the manager call trace	02:31
*** davechen1 has quit IRC		02:31
*** davechen1 has joined #openstack-keystone		02:32
notmorgan	stevemar: ok bets... wine that was "left" by the last tenant in my place...	02:32
notmorgan	stevemar: is it vinegar or "good"	02:32
notmorgan	stevemar: :P	02:32
*** davechen has quit IRC		02:33
openstackgerrit	Steve Martinelli proposed openstack/keystone: Correct docstrings https://review.openstack.org/274895	02:35
bigjools	if you want to see the kind of NIH Rally is doing, look no further: https://review.openstack.org/#/c/235360/9	02:36
bigjools	eyeroll	02:36
notmorgan	bigjools: this is my shocked face </saaaaaaarcaaaassssmm>	02:36
bigjools	hahaha	02:37
notmorgan	"	02:37
notmorgan	"It is dark... you have fallen into a saaaaar-chasm"	02:37
bigjools	one of the review comments: "It looks like keystoneclient sucks and we need to import versioned clients directly."	02:37
notmorgan	bigjools: they should use OCC and KSA	02:38
notmorgan	duh	02:38
notmorgan	oh wait... nih	02:38
bigjools	well I just submitted this, tell me if I did anything wrong and I'll fix it: https://review.openstack.org/#/c/274977/	02:38
* notmorgan just told a google recruiter the magic words that means they aren't interested. [I am not really looking to go to google ftr]		02:38
notmorgan	"I live in Portland OR and am not looking to move unless you pay 7-figures, and somehow I don't think I bring that much to the table"	02:39
notmorgan	she was like "yup, we don't have offices to hire you into in Portland, OR"	02:39
bigjools	I think I did the same sort of thing	02:39
bigjools	I like working from home kthxbye	02:40
notmorgan	i don't mind working from an office	02:40
notmorgan	i mind leaving pacific northwest	02:40
notmorgan	and i mind leaving portland (for now)	02:40
bigjools	I've only been up there the once and it was beautiful	02:40
notmorgan	uggghhhhhh	02:40
notmorgan	really: from keystoneclient.contrib.ec2 import utils as ec2_utils	02:40
notmorgan	this makes me a sad panda	02:40
notmorgan	like... super sad panda	02:41
notmorgan	stevemar: ^ nooooooooooooo	02:41
notmorgan	</vader>	02:41
stevemar	notmorgan: definitely vinegar	02:42
notmorgan	stevemar: remarkably tasty Pinot Noir	02:42
stevemar	notmorgan: was is the guy from google cloud?	02:43
notmorgan	stevemar: the Rose is going to be vinegar	02:43
stevemar	rosè	02:43
notmorgan	stevemar: maybe.. was some generic recruiter	02:43
stevemar	rosé actually..	02:43
notmorgan	wrong accent	02:43
notmorgan	yeah	02:43
notmorgan	haha	02:43
stevemar	my bad :)	02:43
notmorgan	i can't easily type that on linux off the top of my head	02:43
*** jamielennox\|away is now known as jamielennox		02:44
*** fpatwa has joined #openstack-keystone		02:44
*** davechen1 is now known as davechen		02:46
jamielennox	bigjools: awww, man. i kind of understand that they don't want to use the existing clients as they're inconsistent, however at least use the standard tools for like looking up service catalogs	02:48
*** fpatwa has quit IRC		02:48
bigjools	jamielennox: I know right...	02:48
jamielennox	maybe we can get them to at least use keystoneauth and plugins for that bit and they can do their own manager layer	02:48
notmorgan	jamielennox: also.. http://lists.openstack.org/pipermail/openstack-dev/2016-January/085392.html make sure you jump into the convo plx	02:49
*** gildub has joined #openstack-keystone		02:49
jamielennox	oh - they are creating keystoneclients, just wrapping stuff themselves	02:49
notmorgan	jamielennox: at least rally could use tempestlib for that... :(	02:49
jamielennox	notmorgan: wait, that's my spec	02:49
notmorgan	jamielennox: i know. i am a huge huge fan	02:50
bigjools	I never want to see or use tempest again	02:50
notmorgan	jamielennox: and i want to make sure you're keeping up w/ the changes :)	02:50
notmorgan	bigjools: tempestlib != tempest	02:50
bigjools	the lib is part of tempest though?	02:50
jamielennox	notmorgan: i got pinged earlier by thingee, apparently they want to discuss it tomorrow at the cross-project	02:50
jamielennox	notmorgan: i don't think i'll be able to make it (though i'll try)	02:51
jamielennox	notmorgan: dolphm had done a revision i was going to try and enlist him to go and advocate for it	02:51
openstackgerrit	Merged openstack/keystone: Fix nits in include names patch https://review.openstack.org/270884	02:51
dolphm	jamielennox: i should be available to attend the cross-project meeting	02:52
jamielennox	notmorgan: but i don't think he's going to be around. Can you go to the cross project tomorrow or let him know	02:52
jamielennox	or maybe dolphm is lurking....	02:52
dolphm	jamielennox: any points you wanted to make beyond what was in the spec?	02:52
dolphm	jamielennox: it's honestly not a spec i've thought much about between tokyo and last week	02:52
jamielennox	dolphm: i put a comment on the last revision you did, i'm not sure we want to as complex as the manager/resource specific roles	02:52
jamielennox	but otherwise i'm happy just to see it discussed, i think the idea is fairly clear	02:53
notmorgan	:)	02:53
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/269479	02:53
notmorgan	i plan to be there for catalog reasons.	02:53
notmorgan	sooo	02:53
jamielennox	notmorgan: catalog was approved - what do you want?	02:53
notmorgan	jamielennox: keeping aprised of the x-project work	02:54
dolphm	jamielennox: why not go as far as the manager/resource specific roles?	02:54
notmorgan	jamielennox: resource specific (aka "each api"?)	02:54
notmorgan	jamielennox: that is something i plan on encoding in oslo.policy	02:54
notmorgan	fwiw	02:54
jamielennox	dolphm: so i guess there are two parts to a spec like this, what do we add to policy files and what do we recommend something like devstack/puppet set up on a default install	02:54
notmorgan	a side effect of defining the entry in policy is a role can be defined to allow it	02:54
jamielennox	notmorgan: have a look at the last revision	02:55
dolphm	jamielennox: you mean, what roles actually exist in keystone?	02:55
notmorgan	jamielennox: i was there when dolph pushed it	02:55
jamielennox	dolphm: right - and we can't control that but we can specify a recommndation and i think would be almost universally adopted	02:55
dolphm	jamielennox: that's the part that doesn't matter at all, when you have a huge menu of roles defined in policy to choose from. just create and use whatever ones you need?	02:55
dolphm	jamielennox: agree	02:56
dolphm	jamielennox: so, i figured go as granular as anyone would logically go, with the exception of specialized roles that would not fit any convention	02:56
ayoung	dolphm, I really like your take on that spec. Nice work.	02:56
dolphm	ayoung: danke, sir!	02:56
jamielennox	dolphm: yea, ok, as said it doesn't matter if roles that don't exist in keystone are mentioned in the spec	02:57
ayoung	dolphm, I suspec that we will have to enumerate the roles for the core services, but then the *aaS project will all jump in to be relevant.	02:57
*** browne has quit IRC		02:58
dolphm	ayoung: and notmorgan had an idea to help automate some of that repetitive policy definition using oslo.policy	02:58
jamielennox	dolphm: ok, so i'm happy to leave them and get a discussion going about what a standard deployment is there	02:59
jamielennox	yea, it would be good to have an easier way to write these files rather than have to write out each of those type_manager roles in the file	02:59
ayoung	dolphm, So, I wonder if we can do this in a second policy file. I'd kindof like to leave the original policy files alone, especially the Nova one.	02:59
ayoung	Something like here is the RBAC one and here is the Scope one. Existing policy files will morph into "scope only" if they are not already	03:00
notmorgan	ayoung: i told you we should continue the convo once it's posted :)	03:00
notmorgan	ayoung: ^_^	03:00
dolphm	ayoung: i tried to leave ours backwards compatible, which should be possible (although i think i broke tests)	03:00
notmorgan	ayoung: i'm happy you like the direction	03:00
ayoung	dolphm, well, the default keystone poicy is hard to change without breaking things	03:00
dolphm	i have not looked at our test failures yet	03:00
ayoung	I couldn't even get is_admin_project in there cleanly	03:00
notmorgan	ayoung: that was kindof the idea of the changes, but it's something we can massage mostly	03:00
dolphm	ayoung: that's hard compared to this :P	03:00
ayoung	I think we should start with v3clkoudsample and just cut over at some point	03:00
dolphm	ayoung: i should only have been adding granularity, not changing existing role definitions or anything	03:01
dolphm	ayoung: i need to update that file too	03:01
jamielennox	ayoung: so the admin role specified in the spec should be the same as what admin does now	03:01
ayoung	dolphm, when I was tackling this before, I was going for a pattern like this:	03:01
notmorgan	query ayoung	03:01
ayoung	role_observer: role:observer or role:admin or role:member	03:01
* notmorgan finds a / and succeeds		03:02
ayoung	then you tag the API with the lowest level rule:role_observer	03:02
dolphm	ayoung: sounds kind of like what i was doing in the last patch or two on keystone	03:04
ayoung	dolphm, so you can keep the rules really simple. I don't think there is any need to have "or_admin" in every rule...its implied	03:04
dolphm	ayoung: i ended up with "identity:create_service_provider": "rule:identity_federation_manager_required or role:identity_create_service_provider"	03:05
ayoung	dolphm, so that was one reason why there is the kill switch in the implied roles API for expanding in the token.	03:06
dolphm	ayoung: which i think is exactly that -- admin is rolled up into the rule:identity_federation_manager_required	03:06
ayoung	we could, in theory, generate a fragment of the policy file from the implied rules	03:06
stevemar	dolphm: i didn't get a chance to talk to you about that, isn't there a lot of push back from deployers to not not modify the policy files?	03:06
dolphm	or for a read-only capability: "identity:get_service_provider": "rule:identity_federation_manager_required or rule:observer_required or role:identity_get_service_provider",	03:07
dolphm	stevemar: bluebox expressed the same (and only) concern i've heard before - merging their policy changes into policy is a pain	03:07
notmorgan	dolphm: and they did say it was thankfully minimal	03:07
ayoung	dolphm, I'd suggest dropping "required" and maybe say: all rules for actual apis will be the lowest level role name only	03:07
notmorgan	and likely covered	03:07
dolphm	stevemar: give deployers a tool to stack custom policy on top of upstream defaults, or perhaps this is granular enough that this will be the "last" time they'll have to merge in their own policy	03:08
notmorgan	dolphm: that was the other thing i wanted to add to oslo.policy the policy-merge code if it hadn't landed	03:08
dolphm	stevemar: i asked bluebox for an example of a custom role they used, and it was covered in this spec, so they'll just have to adapt to the new role name	03:08
notmorgan	dolphm: so we can do policy.d type things	03:08
dolphm	notmorgan: ++	03:08
dolphm	ayoung: there seemed to be a convention of using _required to distinguish rule: from role:, so i kept that	03:09
notmorgan	dolphm: ++	03:09
dolphm	rule:{role_name}_required or role:{role_name}	03:09
ayoung	dolphm, right...I was thinking just straight roles	03:09
notmorgan	also "rule" and "role" are hard to talk about fwiw	03:10
ayoung	I went for rule:role_{rolename}	03:10
dolphm	granted there are multiple roles in each rule	03:10
notmorgan	people seemed to confuse them in sound.	03:10
dolphm	notmorgan: easily	03:10
ayoung	and thne the inference rules were all in one stanza at the top.	03:10
ayoung	I might have an example...	03:10
notmorgan	yeah	03:10
ayoung	I know I had one in the presentation I gave.	03:11
stevemar	dolphm: why not create a 3rd policy file with all these bits in there?	03:12
stevemar	policy.granular.dolphinator.json	03:12
dolphm	stevemar: because we should be able to add granularity without breaking backwards compatibility, and make this the new default immediately	03:12
dolphm	(optional) granularity	03:12
*** links has joined #openstack-keystone		03:15
*** davechen1 has joined #openstack-keystone		03:16
ayoung	dolphm, can you think of a way that we could add is_admin_project in...conditionally?	03:17
ayoung	https://review.openstack.org/#/c/257636/	03:17
*** davechen has quit IRC		03:18
ayoung	If not (and I can't think how) how do we go about getting that set for people with the existing policy files as the default?	03:18
notmorgan	stevemar: about to post the EC2 move to core	03:21
notmorgan	stevemar: btw	03:21
*** spandhe has quit IRC		03:22
*** spandhe has joined #openstack-keystone		03:25
*** jgriffith_away is now known as jgriffith		03:26
*** ccard_ has joined #openstack-keystone		03:31
dolphm	ayoung: what do you mean by "conditionally"?	03:32
ayoung	dolphm, well, people won't have that config value set today	03:32
ayoung	so there will be no admin project ever, and that will break things	03:32
openstackgerrit	Steve Martinelli proposed openstack/keystone: WIP: migrate from python-ldap to pyldap https://review.openstack.org/274992	03:33
ayoung	in ordder for that value to be issued with a token, the conf file needs	03:33
ayoung	cfg.StrOpt('admin_project_domain_name', and cfg.StrOpt('admin_project_name',	03:34
*** ccard__ has quit IRC		03:34
ayoung	dolphm, that change will have to be made across every policy file, and I've been holding off on tackling that until implied roles merged	03:37
notmorgan	huh.. ok this is a wierd bug	03:37
stevemar	dolphm: i suppose deployers can choose if they want to use the new policy file after upgrade copmletes?	03:37
*** spandhe has quit IRC		03:37
dolphm	stevemar: depends on the deploy tool	03:38
dolphm	stevemar: some packagers refuse to overwrite existing policy, some refuse to let you set your own, we have every extreme	03:39
stevemar	dolphm: yeah, i recall for some apache plugins i was poking around in they just gave warnings	03:39
dolphm	stevemar: for the bigger deployers, they're going to have to do some work to adapt their custom policy changes into the new policy files. but word is, they've been doing that every release anyway	03:39
dolphm	stevemar: warning from apache about policy.json?	03:39
stevemar	dolphm: no, about config files i had	03:40
stevemar	different topic, but same principle?	03:40
notmorgan	w.t.f http://localhost/v2.0/users/7b190a15e87e423b9cc6e29b73d19cca/credentials/OS-EC2) = 404 when i make it a baseline extension (core)?!	03:40
stevemar	notmorgan: missing port?	03:41
dolphm	ayoung: so you need the role to exist in keystone automatically (ideally), and to assume the role definition to exist in policy?	03:41
notmorgan	stevemar: uhmm...	03:41
notmorgan	stevemar: this is how it falls out of our current test suite	03:41
ayoung	for is_admin_project, it is not a role, it is the project that needs to be there	03:41
*** esp has joined #openstack-keystone		03:42
*** csoukup_ has quit IRC		03:43
*** jrist has joined #openstack-keystone		03:43
jamielennox	stevemar: so you know as much about the devstack v3 conversion as anyone, but do you need me doing anything there?	03:44
jamielennox	stevemar: i'm a little annoyed about sean's -2, if we break that patch up there's a whole bunch of stuff in there that is safe	03:45
notmorgan	jamielennox: i mean...	03:47
notmorgan	annoyed i get it	03:47
jamielennox	notmorgan: i understand his frustrations	03:47
notmorgan	but he's right.	03:47
notmorgan	yeah	03:47
stevemar	notmorgan: i didn't get your comment "this is how it falls out of our current test suite"	03:49
stevemar	jamielennox: i think we just need to start fixing the issues i outlined in the etherpad	03:50
notmorgan	stevemar: this fails when i make it a baseline always included extension.. i don't know how though	03:50
notmorgan	stevemar: since... why would it fail if it's included?!	03:50
*** EinstCra_ has joined #openstack-keystone		03:51
jamielennox	stevemar: so changing the environment variables is a big problem	03:52
jamielennox	like outputting openrc files with a changed /v2.0 -> /v3 string is going to cause problems	03:52
*** dims has quit IRC		03:53
stevemar	jamielennox: we could probably re-propose the changes to the authtoken bits	03:53
jamielennox	stevemar: auth_token bits?	03:53
stevemar	notmorgan: oh.. make sure you're using the right base class	03:54
notmorgan	stevemar: RoutersBase for this	03:54
*** browne has joined #openstack-keystone		03:54
notmorgan	witha minor hack	03:54
notmorgan	but yes	03:54
notmorgan	also... austin we shall revisit the "Keystone tradition of drinking Uisce beatha"	03:54
notmorgan	cause... we skipped the last couple times	03:54
notmorgan	and i'm disappointed	03:55
*** EinstCrazy has quit IRC		03:55
stevemar	jamielennox: https://review.openstack.org/#/c/274703/ - i mean the changes to lib/glance lib/heat and lib/nova/ironic_plugins	03:55
stevemar	jamielennox: i think those are safe/fine	03:55
*** erlarese has quit IRC		03:56
jamielennox	stevemar: right that won't affect others	03:58
jamielennox	stevemar: and to be honest i'm not sure why those still exist	03:58
jamielennox	i thought we had that all fixed	03:58
jamielennox	stevemar: so related i have: https://review.openstack.org/#/c/271051/	03:58
jamielennox	https://review.openstack.org/#/c/271128/	03:59
jamielennox	and https://review.openstack.org/#/c/271127/	03:59
jamielennox	particularly the ec2token thing in heat - i think that will just fail	04:00
*** shoutm_ has joined #openstack-keystone		04:02
*** shoutm has quit IRC		04:03
*** su_zhang has joined #openstack-keystone		04:06
*** jamielennox is now known as jamielennox\|away		04:10
*** davechen has joined #openstack-keystone		04:10
notmorgan	steve you here?	04:11
notmorgan	stevemar: ^ c	04:11
notmorgan	cc	04:11
stevemar	notmorgan: hmm?	04:11
*** davechen1 has quit IRC		04:12
*** shoutm_ has quit IRC		04:15
*** ErwanJ has joined #openstack-keystone		04:16
*** woodster_ has quit IRC		04:16
*** markvoelker has joined #openstack-keystone		04:17
*** markvoelker has quit IRC		04:21
ErwanJ	Hi all, I've been trying to allow users in my liberty deployment to create their own projects. I started off by allowing all users in the /etc/keystone/policy.json and /etc/openstack-dashboard/keystone_policy.json files to create projects. This exposed the 'create project' icon in horizon. But then if I clicked it as a user it told me I was unauthorized. Enabled users access to all project related polclies and still	04:22
ErwanJ	I enabeld debug on keystone and the logs all show Authorization granted, I don't see anything about unauthorized or denied etc.	04:22
ErwanJ	Where can i go to find out what policy is being checked against that may be failing when a user tries to create a project?	04:23
*** shoutm has joined #openstack-keystone		04:23
*** spandhe has joined #openstack-keystone		04:34
notmorgan	ErwanJ: this is a tough one. so part of the issue is default policy sucks [badly], and if you just allow creation it's going to make all sorts of headaches	04:37
*** spandhe_ has joined #openstack-keystone		04:37
notmorgan	ErwanJ: the best bet is to resolve the issues in your deployment to use the cloudv3 policy and give a user a domian they can have any number of projects under	04:38
notmorgan	ErwanJ: then the domain is the entry point	04:38
notmorgan	this however, requires V3 auth support	04:38
notmorgan	as an FYI	04:38
ErwanJ	OK great thanks notmorgan, will look more into domains and v3 auth support	04:38
notmorgan	the v3policy.json is close to what you're looking for	04:38
notmorgan	ErwanJ: :)	04:39
notmorgan	happy to help	04:39
notmorgan	ErwanJ: for the record, it'll only get better as we drive towards mitaka and Newton releases.	04:39
*** spandhe has quit IRC		04:39
*** spandhe_ is now known as spandhe		04:39
notmorgan	because we're trying to get everything V3 auth/keystone enabled ASAP	04:39
notmorgan	[we're close]	04:39
*** jamielennox\|away is now known as jamielennox		04:39
notmorgan	and then this will be the default-ish mode	04:40
*** shoutm_ has joined #openstack-keystone		04:40
*** shoutm has quit IRC		04:41
ErwanJ	Ok good to hear!	04:44
notmorgan	it's been a really slow march, but we're getting there	04:44
*** fpatwa has joined #openstack-keystone		04:45
*** roxanagh_ has joined #openstack-keystone		04:49
*** fpatwa has quit IRC		04:50
*** esp has quit IRC		04:55
openstackgerrit	Merged openstack/keystone: Update mod_wsgi + cache config docs https://review.openstack.org/271311	04:58
openstackgerrit	Merged openstack/keystone: Remove un-used test code https://review.openstack.org/274929	04:59
openstackgerrit	Merged openstack/keystone: Correct docstrings https://review.openstack.org/274895	04:59
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/269479	05:00
*** topol has quit IRC		05:01
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/269479	05:01
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/269479	05:03
*** ErwanJ has quit IRC		05:03
*** topol_ has joined #openstack-keystone		05:05
*** jamielennox is now known as jamielennox\|away		05:13
*** Nirupama has quit IRC		05:32
*** gyee has quit IRC		05:32
*** sileht has quit IRC		05:44
*** Nirupama has joined #openstack-keystone		05:47
*** Guest51478 has quit IRC		05:48
*** shoutm has joined #openstack-keystone		05:50
*** shoutm_ has quit IRC		05:51
*** vivekd has joined #openstack-keystone		05:57
openstackgerrit	Steve Martinelli proposed openstack/keystone: WIP: migrate from python-ldap to pyldap https://review.openstack.org/274992	05:59
*** oomichi has joined #openstack-keystone		06:04
*** vgridnev has joined #openstack-keystone		06:06
*** lhcheng_ has quit IRC		06:07
*** fawadkhaliq has joined #openstack-keystone		06:11
*** gildub has quit IRC		06:11
*** fawadkhaliq has quit IRC		06:11
*** markvoelker has joined #openstack-keystone		06:18
openstackgerrit	Dave Chen proposed openstack/keystone: Add schema for OAuth1 consumer API https://review.openstack.org/266791	06:21
*** rcernin has joined #openstack-keystone		06:22
*** markvoelker has quit IRC		06:22
*** roxanagh_ has quit IRC		06:23
*** boris-42 has quit IRC		06:23
openstackgerrit	Steve Martinelli proposed openstack/keystone: WIP: migrate from python-ldap to pyldap https://review.openstack.org/274992	06:27
*** csoukup_ has joined #openstack-keystone		06:39
*** vgridnev has quit IRC		06:40
*** vgridnev has joined #openstack-keystone		06:41
*** vgridnev has quit IRC		06:41
*** csoukup_ has quit IRC		06:43
*** fpatwa has joined #openstack-keystone		06:46
*** rcernin has quit IRC		06:46
*** fpatwa has quit IRC		06:50
*** richm has joined #openstack-keystone		06:52
*** jbell8 has quit IRC		06:53
*** jbell8 has joined #openstack-keystone		06:54
stevemar	damn ldappool	06:55
*** richm has quit IRC		06:59
*** spandhe has quit IRC		07:12
*** spandhe has joined #openstack-keystone		07:13
*** jbell8 has quit IRC		07:19
*** jbell8 has joined #openstack-keystone		07:19
*** spandhe has quit IRC		07:22
*** spandhe has joined #openstack-keystone		07:23
*** sileht_ has joined #openstack-keystone		07:29
*** spandhe_ has joined #openstack-keystone		07:34
*** sileht_ is now known as sileht		07:35
*** spandhe has quit IRC		07:36
*** spandhe_ is now known as spandhe		07:36
stevemar	jamielennox\|away: around? or LCA'ing?	07:43
*** belmoreira has joined #openstack-keystone		07:44
*** spandhe has quit IRC		07:44
*** spandhe has joined #openstack-keystone		07:45
*** fhubik has joined #openstack-keystone		07:49
*** sileht has quit IRC		07:50
*** sileht has joined #openstack-keystone		07:51
*** su_zhang has quit IRC		07:52
*** lhcheng has joined #openstack-keystone		07:55
*** ChanServ sets mode: +v lhcheng		07:55
openstackgerrit	Steve Martinelli proposed openstack/keystone: Remove eventlet support https://review.openstack.org/249486	07:57
*** lhcheng has quit IRC		08:01
*** fhubik has quit IRC		08:05
*** spandhe_ has joined #openstack-keystone		08:08
*** spandhe has quit IRC		08:10
*** spandhe_ is now known as spandhe		08:10
*** agireud has quit IRC		08:10
*** jistr has joined #openstack-keystone		08:11
*** topol_ has quit IRC		08:12
*** agireud has joined #openstack-keystone		08:12
*** oomichi has quit IRC		08:12
*** oomichi has joined #openstack-keystone		08:13
*** topol_ has joined #openstack-keystone		08:13
*** jbell8 has quit IRC		08:16
*** vivekd has quit IRC		08:16
*** boris-42 has joined #openstack-keystone		08:17
*** markvoelker has joined #openstack-keystone		08:18
*** fhubik has joined #openstack-keystone		08:20
*** vivekd has joined #openstack-keystone		08:22
*** markvoelker has quit IRC		08:22
stevemar	davechen: an easy one: https://review.openstack.org/#/c/264937/5	08:23
*** spandhe has quit IRC		08:23
*** Nirupama has quit IRC		08:25
*** sinese has joined #openstack-keystone		08:25
*** tobe has joined #openstack-keystone		08:28
*** jbell8 has joined #openstack-keystone		08:31
*** jbell8 has quit IRC		08:33
*** jbell8 has joined #openstack-keystone		08:35
*** fhubik_real has joined #openstack-keystone		08:37
*** e0ne has joined #openstack-keystone		08:38
*** fhubik has quit IRC		08:40
*** Nirupama has joined #openstack-keystone		08:41
*** fhubik_real has quit IRC		08:42
*** vivekd has quit IRC		08:43
*** shoutm has quit IRC		08:46
*** browne has quit IRC		08:47
*** fpatwa has joined #openstack-keystone		08:47
*** vivekd has joined #openstack-keystone		08:48
*** marekd has quit IRC		08:50
*** fpatwa has quit IRC		08:51
*** marekd has joined #openstack-keystone		08:52
*** ChanServ sets mode: +v marekd		08:54
*** shoutm has joined #openstack-keystone		09:00
*** marekd has quit IRC		09:01
*** richm has joined #openstack-keystone		09:03
*** vgridnev has joined #openstack-keystone		09:10
*** marekd has joined #openstack-keystone		09:13
*** ChanServ sets mode: +v marekd		09:13
*** marekd has quit IRC		09:14
*** marekd has joined #openstack-keystone		09:15
*** ChanServ sets mode: +v marekd		09:15
openstackgerrit	Merged openstack/keystone: Enhance manager list_role_assignments to support group listing https://review.openstack.org/265650	09:16
*** tobe has quit IRC		09:16
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/269479	09:17
*** shoutm_ has joined #openstack-keystone		09:18
*** shoutm has quit IRC		09:20
*** mhickey_ has joined #openstack-keystone		09:26
*** EinstCra_ has quit IRC		09:28
*** EinstCrazy has joined #openstack-keystone		09:28
*** vivekd has quit IRC		09:33
*** vivekd_ has joined #openstack-keystone		09:33
*** vivekd_ is now known as vivekd		09:33
*** markd_ has joined #openstack-keystone		09:40
*** mdavidson has quit IRC		09:41
*** markd_ has quit IRC		09:41
*** mdavidson has joined #openstack-keystone		09:41
openstackgerrit	zhongshengping proposed openstack/keystone: Replace deprecated LOG.warn with warning https://review.openstack.org/275091	09:47
*** davechen has left #openstack-keystone		09:54
*** vivekd has quit IRC		10:03
*** mvk has joined #openstack-keystone		10:05
*** openstackgerrit has quit IRC		10:17
*** openstackgerrit has joined #openstack-keystone		10:17
*** markvoelker has joined #openstack-keystone		10:19
*** alexvictorchan has joined #openstack-keystone		10:22
*** markvoelker has quit IRC		10:23
*** vivekd has joined #openstack-keystone		10:33
*** jbell8 has quit IRC		10:35
*** EinstCrazy has quit IRC		10:41
*** EinstCrazy has joined #openstack-keystone		10:42
*** fpatwa has joined #openstack-keystone		10:48
*** EinstCrazy has quit IRC		10:50
*** fpatwa has quit IRC		10:52
*** EinstCrazy has joined #openstack-keystone		10:57
*** dims_ has joined #openstack-keystone		11:02
*** samueldmq has joined #openstack-keystone		11:16
*** jistr has quit IRC		11:22
*** agireud has quit IRC		11:27
*** amakarov has joined #openstack-keystone		11:28
*** rodrigods has quit IRC		11:29
*** agireud has joined #openstack-keystone		11:29
*** rodrigods has joined #openstack-keystone		11:29
*** thebloggu has joined #openstack-keystone		11:35
thebloggu	I'm using python-keystoneclient to try and get my service catalog but when I call service_catalog.get_data() I only get one of the two endpoints I've set for one of my services. can someone help me?	11:38
*** esp has joined #openstack-keystone		11:46
*** gus_ is now known as gus		11:47
*** esp has quit IRC		11:53
*** raildo-afk is now known as raildo		12:12
*** markvoelker has joined #openstack-keystone		12:20
*** amakarov has quit IRC		12:21
htruta	ayoung: have you seen this: https://review.openstack.org/#/c/243585/8 ?	12:22
*** markvoelker has quit IRC		12:24
*** pauloewerton has joined #openstack-keystone		12:26
*** gordc has joined #openstack-keystone		12:35
*** josecastroleon has joined #openstack-keystone		12:36
*** DuncanT has quit IRC		12:36
*** josecastroleon1 has quit IRC		12:36
*** alexvictorchan has quit IRC		12:36
*** ccard_ has quit IRC		12:36
*** links has quit IRC		12:36
*** ptoohill has quit IRC		12:36
*** DuncanT has joined #openstack-keystone		12:37
*** ptoohill has joined #openstack-keystone		12:38
*** ccard_ has joined #openstack-keystone		12:38
*** links has joined #openstack-keystone		12:39
*** shoutm_ has quit IRC		12:43
*** boris-42 has quit IRC		12:43
*** shoutm has joined #openstack-keystone		12:45
*** fpatwa has joined #openstack-keystone		12:49
*** esp has joined #openstack-keystone		12:50
*** fpatwa has quit IRC		12:53
*** shoutm has quit IRC		12:53
*** esp has quit IRC		12:57
*** anteaya has joined #openstack-keystone		12:59
*** shoutm has joined #openstack-keystone		13:04
*** oomichi has quit IRC		13:05
*** ayoung has quit IRC		13:05
*** anteaya has quit IRC		13:06
*** EinstCrazy has quit IRC		13:07
*** doug-fish has joined #openstack-keystone		13:07
*** shoutm has quit IRC		13:08
*** EinstCrazy has joined #openstack-keystone		13:11
*** markvoelker has joined #openstack-keystone		13:21
*** markvoelker has quit IRC		13:26
*** markvoelker_ has joined #openstack-keystone		13:26
*** vivekd has quit IRC		13:31
*** erlarese has joined #openstack-keystone		13:31
*** ChanServ sets mode: +v topol_		13:33
*** topol_ is now known as topol		13:33
*** vivekd has joined #openstack-keystone		13:33
*** samueldmq has quit IRC		13:33
*** samueldmq has joined #openstack-keystone		13:36
*** edmondsw has joined #openstack-keystone		13:37
*** bill_az has joined #openstack-keystone		13:41
*** su_zhang has joined #openstack-keystone		13:41
*** cdent has joined #openstack-keystone		13:49
cdent	bknudson: can you help me decide if my solution to this bug is correct/okay: https://bugs.launchpad.net/keystonemiddleware/+bug/1540022	13:49
openstack	Launchpad bug 1540022 in keystonemiddleware "The oslo_config_config conf option cannot be used because it gets clobbered" [Undecided,In progress] - Assigned to Chris Dent (cdent)	13:49
cdent	(or anyone else)	13:53
*** Nirupama has quit IRC		13:53
openstackgerrit	Marek Denis proposed openstack/keystone: Service Providers Group CRUD operations. https://review.openstack.org/273438	13:54
*** jgriffith is now known as jgriffith_away		13:58
bknudson	cdent: if you can write a test for it that can show that it's not working right then that would help	13:59
cdent	bknudson: yeah, that was kind of my plan, but interpreting the existing tests made my head swim at the time (it was about 2 in the morning) I thought I'd come crawling for some advice.	14:00
cdent	Now that I'm a bit more awake, might be able to make some headway on that.	14:01
*** woodster_ has joined #openstack-keystone		14:01
bknudson	take a look at it. You don't need to use the existing tests.	14:01
cdent	I'll locate some coffee and give it go	14:01
bknudson	there are a lot of issues with the tests... they've turned into mostly integration tests where component tests would be easier to work with	14:02
* cdent nods		14:02
cdent	thanks, bknudson, I'll push something up later today	14:03
*** cdent has quit IRC		14:04
*** amakarov has joined #openstack-keystone		14:07
*** petertr7_away is now known as petertr7		14:17
openstackgerrit	Raildo Mascena proposed openstack/keystone: API support for project cascade update https://review.openstack.org/243585	14:19
*** jsavak has joined #openstack-keystone		14:23
*** apetrov has joined #openstack-keystone		14:25
*** EinstCrazy has quit IRC		14:29
*** apetrov has quit IRC		14:29
*** jistr has joined #openstack-keystone		14:31
*** jsavak has quit IRC		14:33
*** apetrov has joined #openstack-keystone		14:34
erlarese	notmorgan jamielennox - this method: keystoneclient.service_catalog.ServiceCatalog.factory(dict) used to convert a catalog dictionary to object	14:34
erlarese	do you know what the equivalent method in keystoneauth1 is now?	14:34
erlarese	(or anyone else?)	14:34
*** ninag has joined #openstack-keystone		14:40
openstackgerrit	Raildo Mascena proposed openstack/keystone: API support for project cascade update https://review.openstack.org/243585	14:48
*** fpatwa has joined #openstack-keystone		14:49
*** jsavak has joined #openstack-keystone		14:51
*** fpatwa has quit IRC		14:54
*** mvk has quit IRC		14:56
*** mdavidson has quit IRC		14:59
*** jimbaker has quit IRC		15:00
*** pushkaru has joined #openstack-keystone		15:06
*** sigmavirus24_awa is now known as sigmavirus24		15:10
*** links has quit IRC		15:11
*** jbell8 has joined #openstack-keystone		15:13
*** jed56 has joined #openstack-keystone		15:14
*** slberger has joined #openstack-keystone		15:20
*** ayoung has joined #openstack-keystone		15:20
*** ChanServ sets mode: +v ayoung		15:20
*** jaosorior has joined #openstack-keystone		15:23
*** timcline has joined #openstack-keystone		15:26
*** csoukup_ has joined #openstack-keystone		15:28
*** EinstCrazy has joined #openstack-keystone		15:29
*** EinstCrazy has quit IRC		15:35
*** petertr7 is now known as petertr7_away		15:39
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Move EC2 extension to core https://review.openstack.org/275280	15:39
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Move EC2 extension to core https://review.openstack.org/275280	15:43
*** esp has joined #openstack-keystone		15:46
*** bill_az has quit IRC		15:47
*** esp has quit IRC		15:50
*** petertr7_away is now known as petertr7		15:51
*** bill_az has joined #openstack-keystone		15:52
*** jbell8 has quit IRC		15:53
*** dims has joined #openstack-keystone		15:54
*** dims_ has quit IRC		15:54
*** mgarza has joined #openstack-keystone		15:57
*** clenimar has joined #openstack-keystone		16:00
*** david-lyle has joined #openstack-keystone		16:02
*** jsavak has quit IRC		16:02
*** jsavak has joined #openstack-keystone		16:03
*** su_zhang has quit IRC		16:08
*** jbell8 has joined #openstack-keystone		16:08
*** su_zhang has joined #openstack-keystone		16:13
*** gokrokve has joined #openstack-keystone		16:13
*** sinese has quit IRC		16:13
*** vgridnev has quit IRC		16:14
*** diazjf has joined #openstack-keystone		16:16
*** diazjf has quit IRC		16:16
*** diazjf has joined #openstack-keystone		16:17
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Add in TRACE logging for the manager https://review.openstack.org/274085	16:20
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Add in TRACE logging for the manager https://review.openstack.org/274085	16:21
*** browne has joined #openstack-keystone		16:23
*** belmoreira has quit IRC		16:25
*** woodster_ has quit IRC		16:26
*** fesp has joined #openstack-keystone		16:29
openstackgerrit	Raildo Mascena proposed openstack/keystone: API support for project cascade update https://review.openstack.org/243585	16:29
*** agireud has quit IRC		16:36
*** cdcasey has joined #openstack-keystone		16:37
*** agireud has joined #openstack-keystone		16:37
breton	we have a problem in keystoneclient repo	16:38
breton	our latest tag is 2.1.1, right?	16:38
breton	breton@bbobrov-pc ~/src/openstack/python-keystoneclient (master*) $ git describe --abbrev=0	16:38
breton	2.1.0	16:38
breton	tag 2.1.1 points to d20b300, while it should probably point to f5fb643	16:40
samueldmq	ayoung: hi	16:40
samueldmq	ayoung: what about removing the scope checks from the policy file and put them in the code	16:40
ayoung	samueldmq, Good morning	16:40
samueldmq	ayoung: morning	16:40
samueldmq	ayoung: and only leave the role check in the policy	16:40
breton	stevemar: jamielennox\|away: ^	16:40
ayoung	samueldmq, yeah, I think that should be a possbility, but not the keystone team's responsibility, except for Keystone	16:41
samueldmq	ayoung: we could start for project operations	16:41
ayoung	or is that what you were suggesting?	16:41
samueldmq	ayoung: sure sir, I am suggesting for keystone	16:41
samueldmq	ayoung: I believe nova already does that	16:41
ayoung	samueldmq, yep, I think that would work. But it still doesn't give us a way to communicate this to the other services	16:41
samueldmq	ayoung: so easy, I may start with APIs that need a project scoped check	16:41
samueldmq	ayoung: and if global admin is needed, we now have the admin_project anyways	16:42
ayoung	but, I guess the other services could do it with a config flag, too	16:42
ayoung	samueldmq, OK, I think you are on track	16:42
samueldmq	ayoung: perfect	16:42
ayoung	we can discuss in the meeting	16:42
ayoung	not sure if we can do that in Mitaka, but we can shoot for Newton with it	16:42
*** fesp has quit IRC		16:42
samueldmq	ayoung: nice, I am adding a topic there	16:42
samueldmq	with our names	16:43
samueldmq	oh, you have a topic there that perhaps may include it ?	16:43
samueldmq	ayoung: ^	16:43
ayoung	samueldmq, yeah,. and feel free to add you name	16:43
breton	btw, how do we set tags to the repo? Via gerrit or somehow manually?	16:43
samueldmq	ayoung: "Can existing policy files should be limited to scope checks"	16:44
samueldmq	ayoung: I think you meant the opposite in that sentence right ?	16:44
samueldmq	ayoung: i.e "Should existing policy files be limited to ROLE checks"	16:44
dstanek	breton: does it matter?	16:46
dstanek	breton: git claims that dims was the tagger	16:46
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Add in TRACE logging for the manager https://review.openstack.org/274085	16:47
breton	dstanek: it does, our packagers suffer. I don't have the details though, I asked them to submit a bugreport.	16:47
*** dims_ has joined #openstack-keystone		16:47
samueldmq	notmorgan: about this TRACE change ^	16:48
notmorgan	samueldmq: yeah?	16:48
samueldmq	notmorgan: when logging is disabled, does the manager calls still enter the wrapper ? or does it bypass and goes to the manager code directly?	16:48
notmorgan	still enters the wrapper but it doesn't to the expensive work	16:48
*** jaosorior has quit IRC		16:49
notmorgan	that is part of the "if do_trace"	16:49
*** dims has quit IRC		16:49
samueldmq	notmorgan: so shouldn't add signficant overhead to manager calls	16:50
notmorgan	correct	16:50
notmorgan	unless you enable "TRACE" logging... which case it'll slow things down massively	16:50
notmorgan	expected	16:50
*** rderose has joined #openstack-keystone		16:50
*** fpatwa has joined #openstack-keystone		16:50
samueldmq	notmorgan: got it	16:50
samueldmq	notmorgan: starred, will "review -d" and test it later, thanks	16:51
*** su_zhang has quit IRC		16:52
*** jistr has quit IRC		16:53
*** mvk has joined #openstack-keystone		16:54
*** fpatwa has quit IRC		16:54
*** clenimar has quit IRC		16:55
*** e0ne has quit IRC		16:55
bknudson	breton: the tags are described in the releases repo: http://git.openstack.org/cgit/openstack/releases/tree/deliverables/mitaka/python-keystoneclient.yaml	16:59
*** vivekd has quit IRC		17:00
*** stevemar sets mode: +o samueldmq		17:01
*** ChanServ sets mode: -o samueldmq		17:01
breton	bknudson: thanks. So, to move the tag I need to propose a change for openstack/releases?	17:02
*** vivekd has joined #openstack-keystone		17:02
bknudson	I don't think tags can be changed. We'd have to do another release.	17:02
bknudson	anyone can propose changes to the repo to request a new release	17:03
*** cdent has joined #openstack-keystone		17:03
*** jsavak has quit IRC		17:04
*** jsavak has joined #openstack-keystone		17:04
*** clenimar has joined #openstack-keystone		17:04
*** timcline has quit IRC		17:05
*** stevemar sets mode: +v samueldmq		17:05
*** clenimar has quit IRC		17:09
*** esp has joined #openstack-keystone		17:10
*** fesp has joined #openstack-keystone		17:11
*** fesp has quit IRC		17:12
dolphm	marekd: i know you abandoned https://review.openstack.org/#/c/244694/ but IIRC from tokyo, we agreed it made sense to pursue a PoC first, then go back to the spec. any traction on that?	17:16
samueldmq	bknudson: does stevemar proposal make sense to you here https://review.openstack.org/#/c/208215 ?	17:17
*** sinese has joined #openstack-keystone		17:17
samueldmq	stevemar: are you going to propose a follow-on patch for this ? I may do it if you want	17:20
samueldmq	^	17:20
stevemar	samueldmq: go ahead and post a follow on patch, then maybe bknudson will +2 the original :)	17:20
samueldmq	stevemar: ++	17:20
openstackgerrit	Chris Dent proposed openstack/keystonemiddleware: Remove clobbering of passed oslo_config_config https://review.openstack.org/274396	17:21
cdent	bknudson: ^	17:21
cdent	(and anyone else)	17:21
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Add RENO update for simple_cert_extension deprecation https://review.openstack.org/275333	17:22
notmorgan	stevemar: full chain of extensions-to-core complete	17:23
notmorgan	stevemar: that will wind down all extensions. next step merging in the middlewares so someone can't "break" keystone	17:23
stevemar	notmorgan: yeah, whats your plan there for ec2 in ksm?	17:24
notmorgan	stevemar: ec2? support it	17:24
notmorgan	like we do today	17:24
notmorgan	add more testing around it shrug	17:25
notmorgan	the "middleware" i mean the keystone versions	17:25
notmorgan	not the KSM stuff	17:25
notmorgan	in the keystone paste-ini	17:25
stevemar	notmorgan: i find it funny that we have ec2 related stuff in keystone, ksm, ksc	17:26
notmorgan	well KSM makese sense	17:26
notmorgan	ksm needs to know how to auth the token things on the endpoints	17:27
notmorgan	in theory	17:27
notmorgan	in keystone it's the APIs to set it all up	17:27
notmorgan	in ksc... uhg common place some of the functions live	17:27
notmorgan	but at the very least "pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body service_v3" is looking better	17:27
stevemar	mmhmm	17:28
raildo	stevemar: ++ I discovered that we had ec2 stuffs on keystone in the v2.0 deprecation	17:28
notmorgan	stevemar: i also formalized the the S3 and EC2 things in keystone were "aws" compat	17:28
notmorgan	in tree structure	17:28
notmorgan	keystone.compat.aws	17:28
notmorgan	didn't really know where else to stick them.	17:28
notmorgan	keystone.ec2 and keystone.s3 felt "wrong"	17:29
stevemar	notmorgan: good call	17:29
stevemar	i'll pull them down today and play	17:29
stevemar	notmorgan: bknudson also has a patch for changing the pipeline around: https://review.openstack.org/#/c/198931/	17:29
*** mgarza has quit IRC		17:30
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Do not assign admin to service users https://review.openstack.org/275335	17:30
samueldmq	stevemar: ayoung: dstanek ^	17:31
*** jasonsb has quit IRC		17:32
*** openstackgerrit has quit IRC		17:32
*** openstackgerrit has joined #openstack-keystone		17:32
*** cdcasey has quit IRC		17:32
*** mgarza_ has joined #openstack-keystone		17:33
*** EinstCrazy has joined #openstack-keystone		17:33
notmorgan	stevemar: i am working on a patch to deprecate/remove auth_token_admin	17:36
notmorgan	erm.. you know the order of that	17:36
notmorgan	admin_token_auth	17:36
notmorgan	since bootstrap is a thing	17:36
*** EinstCrazy has quit IRC		17:38
stevemar	wow, 20 minutes til meeting, where did the time go	17:39
samueldmq	stevemar: :-)	17:41
samueldmq	stevemar: please tell me once you find it out hehe	17:41
*** sinese has quit IRC		17:44
*** sinese has joined #openstack-keystone		17:44
*** browne has quit IRC		17:46
*** _cjones_ has joined #openstack-keystone		17:50
*** rderose has quit IRC		17:50
*** _cjones_ has quit IRC		17:51
*** _cjones_ has joined #openstack-keystone		17:51
marekd	dolphm: i abandoned as I found another way of overcoming some problems that keystone-saml2 was going to solve. I also saw lots of "no"s from jamie or adam etc. I didnt focus on poc recently.	17:53
*** tsymanczyk has joined #openstack-keystone		17:53
*** rderose has joined #openstack-keystone		17:53
stevemar	marekd: what did you abandon?	17:54
marekd	stevemar: https://review.openstack.org/#/c/244694/	17:54
marekd	stevemar: nothing you wouldn't know :-)	17:54
stevemar	ah	17:54
stevemar	didn't get the notice in email yet, just got it now	17:54
stevemar	nvm	17:54
stevemar	i see whats going on	17:55
marekd	stevemar: not that i abandoned it (like formally abandon the spec), dolphm meant that there is no consensus and progress on it.	17:55
stevemar	ah	17:56
*** lhcheng has joined #openstack-keystone		17:56
*** ChanServ sets mode: +v lhcheng		17:56
ayoung	samueldmq, I don't know if we can avoid that yet	17:57
ayoung	there are other services that still need it, it is one of the things to clean up	17:57
samueldmq	ayoung: other services that need admin powers ?	17:57
*** drjones has joined #openstack-keystone		17:57
samueldmq	ayoung: could you give an example ?	17:57
*** _cjones_ has quit IRC		17:57
ayoung	samueldmq, yes	17:57
ayoung	samueldmq, it has to do with long lived callbacks	17:57
ayoung	when we did the proof of concept, you can ask jamielennox\|away if he remembers the details , buit one was Neutron calling back to Nova	17:58
ayoung	I think a volume attach also fell into that category	17:58
*** richm has quit IRC		17:59
stevemar	courtesy ping ajayaa, amakarov, ayoung, breton, browne, davechen, david8hu, dolphm, dstanek, ericksonsantos, geoffarnold, gyee, henrynash, hogepodge, htruta, jamielennox, joesavak, lbragstad, lhcheng, marekd, morganfainberg, nkinder, raildo, rodrigods, roxanaghe, samueldmq, shaleh, stevemar, tsymanczyk, topol, vivekd, wanghong, claudiub, rderose, samleon, xek, MaxPC, tjcocozz	17:59
stevemar	dolphm: that's right, i do it in both channels!	18:00
*** mhickey_ has quit IRC		18:00
dolphm	stevemar: but you don't even tell anyone what you're pinging about in this channel	18:00
stevemar	dolphm: good, keep everyone surprised	18:01
*** henrynash has joined #openstack-keystone		18:03
*** ChanServ sets mode: +v henrynash		18:03
*** sigmavirus24 is now known as sigmavirus24_awa		18:03
*** simondodsley has joined #openstack-keystone		18:03
*** petertr7 is now known as petertr7_away		18:04
*** timcline has joined #openstack-keystone		18:06
*** jsavak has quit IRC		18:09
*** jsavak has joined #openstack-keystone		18:10
*** timcline has quit IRC		18:11
*** anteaya has joined #openstack-keystone		18:14
*** c_soukup has joined #openstack-keystone		18:14
*** csoukup_ has quit IRC		18:18
*** su_zhang has joined #openstack-keystone		18:20
*** su_zhang has quit IRC		18:22
*** su_zhang has joined #openstack-keystone		18:22
*** clenimar has joined #openstack-keystone		18:24
*** jsavak has quit IRC		18:25
*** timcline has joined #openstack-keystone		18:26
*** vivekd has quit IRC		18:29
*** gokrokve has quit IRC		18:29
*** browne has joined #openstack-keystone		18:29
*** timcline has quit IRC		18:32
*** gyee has joined #openstack-keystone		18:37
*** ChanServ sets mode: +v gyee		18:37
*** jsavak has joined #openstack-keystone		18:41
*** jbell8 has quit IRC		18:43
*** fpatwa has joined #openstack-keystone		18:51
*** samueldmq has quit IRC		18:51
andrewbogott	How does /v2.0/tenants/{tenantId}/users relate to roles? Is a ‘user’ anyone that has /any/ role in the specified tenant?	18:53
*** petertr7_away is now known as petertr7		18:55
*** fpatwa has quit IRC		18:56
bknudson	andrewbogott: yes, any role and you're a user..	19:00
andrewbogott	ok, makes sense, thanks	19:00
*** jsavak has quit IRC		19:02
*** jsavak has joined #openstack-keystone		19:03
*** ThomasHsiao has joined #openstack-keystone		19:04
*** henrynash_ has joined #openstack-keystone		19:04
*** ChanServ sets mode: +v henrynash_		19:04
*** crinkle_ has joined #openstack-keystone		19:05
*** ThomasHsiao has quit IRC		19:05
* stevemar pokes dolphm and notmorgan		19:06
notmorgan	stevemar: ohai	19:06
*** crinkle has quit IRC		19:06
*** timcline has joined #openstack-keystone		19:07
*** crinkle_ is now known as crinkle		19:07
*** jbell8 has joined #openstack-keystone		19:08
rodrigods	htruta, ping	19:09
rodrigods	ayoung, ^	19:09
ayoung	rodrigods, c'mon, give him some context	19:10
*** petertr7_away has joined #openstack-keystone		19:10
rodrigods	ayoung, he knows :P	19:10
*** opilotte\| has joined #openstack-keystone		19:10
*** hrou_ has joined #openstack-keystone		19:10
*** lbragstad_ has joined #openstack-keystone		19:11
*** bknudson_ has joined #openstack-keystone		19:11
*** ChanServ sets mode: +v bknudson_		19:11
*** htruta` has joined #openstack-keystone		19:11
*** miguelgrinberg_ has joined #openstack-keystone		19:11
*** _nonameentername has joined #openstack-keystone		19:11
*** charz has joined #openstack-keystone		19:11
*** henrynash has quit IRC		19:12
*** Ephur has quit IRC		19:12
*** hogepodge has quit IRC		19:12
*** arunkant has quit IRC		19:12
*** mordred has quit IRC		19:12
*** bknudson has quit IRC		19:12
*** hrou has quit IRC		19:12
*** htruta has quit IRC		19:12
*** martinus__ has quit IRC		19:12
*** nonameentername has quit IRC		19:12
*** pkarikh has quit IRC		19:12
*** petertr7 has quit IRC		19:12
*** charz_ has quit IRC		19:12
*** lbragstad has quit IRC		19:12
*** opilotte- has quit IRC		19:12
*** miguelgrinberg has quit IRC		19:12
*** lbragstad_ is now known as lbragstad		19:12
*** miguelgrinberg_ is now known as miguelgrinberg		19:12
*** petertr7_away is now known as petertr7		19:12
*** henrynash_ is now known as henrynash		19:12
*** martinus__ has joined #openstack-keystone		19:12
*** pkarikh has joined #openstack-keystone		19:13
*** htruta` is now known as htruta		19:14
*** mordred has joined #openstack-keystone		19:15
ayoung	rodrigods, ah well. what did you want to discuss anyway?	19:16
*** spzala has joined #openstack-keystone		19:16
*** arunkant has joined #openstack-keystone		19:16
htruta	ayoung, rodrigods: hi	19:16
rodrigods	ayoung, htruta, do not use query parameter, but stay with /cascade in the URLs	19:16
htruta	looks like we have another plot twist in /cascade x ?cascade	19:16
ayoung	htruta, yeah... rodrigods had a point	19:17
htruta	ayoung: fyi, raildo implemented it with ?cascade=true and it is in gerrit	19:17
ayoung	I think I can work with it either way	19:18
htruta	but I've mentioned rodrigods point that filters only make sense in GET/HEAD	19:18
ayoung	my thinking was that cascade would be a reusable filter, for any hierarchy	19:18
* raildo want to use jokenpo to decide		19:18
ayoung	I think it makes sense for DELETE too, right?	19:19
*** boris-42 has joined #openstack-keystone		19:19
stevemar	notmorgan: we chatting?	19:19
ayoung	DELETE https://host/resource?cascade=True	19:19
raildo	ayoung: yes	19:19
rodrigods	nope	19:19
ayoung	why not?	19:19
rodrigods	since DELETE https://host/resource?cascade=false is the same of no query param	19:19
htruta	ayoung: I don't see as a filter, I see as another operation	19:19
edmondsw	notmorgan, did you see the question from erlarese earlier?	19:19
ayoung	htruta, it means for any operation that can be performed on a resource, we need a whole nother resource to specify that. The API increase will be, potentially, factorial i for each fileter like this	19:20
stevemar	edmondsw: you may have to repeat the question	19:21
edmondsw	yeah	19:21
edmondsw	this method: keystoneclient.service_catalog.ServiceCatalog.factory(dict) used to convert a catalog dictionary to object. do you know what the equivalent method in keystoneauth1 is now?	19:21
stevemar	edmondsw: ah	19:21
edmondsw	nova's got some code that is hardcoding to use ServiceCatalogV2... ugh	19:22
rodrigods	ayoung, yeah... but this is not the current situation	19:22
htruta	ayoung: partially agreed.	19:22
raildo	ayoung: do you see any similarity between cascade operation and inherited roles?	19:22
rodrigods	ayoung, if we ever reach that point, we would need to change the API	19:22
edmondsw	trying to fix that to not be version specific, and the factory seems to have been removed	19:22
htruta	the problem is that we have the CRUD and another type of update AND another type of delete	19:23
ayoung	edmondsw, do you have a suggested API replacement for implied roles?	19:23
raildo	ayoung: like... why we didn't made inherited roles like a query string?	19:23
*** rderose has quit IRC		19:23
edmondsw	ayoung, I had suggested a replacement in my initial commens. I haven't had a chance to throw up a proposed change on the spec as you were asking for	19:23
*** hogepodge has joined #openstack-keystone		19:24
ayoung	raildo, so...if I were to liken it to file system operations, we have rm -rf or rmdir	19:24
ayoung	rmdir is directory specific	19:24
ayoung	rm -rf is "kill it all die die die"	19:24
ayoung	rm was supposed to be file only	19:24
ayoung	but we use it for cascade operations	19:24
ayoung	if you don't have access to a subdir...you end up with it 1/2 completed	19:24
ayoung	all the directories before the failure are gone	19:25
ayoung	damn I love POSIX	19:25
ayoung	no I don't	19:25
htruta	ayoung: rm is awesome. but aren't rest apis a little bit different?	19:27
ayoung	htruta, so, as I said, i can work with it either way	19:27
ayoung	I think the filter is more correct	19:27
*** esp_ has joined #openstack-keystone		19:27
htruta	ayoung: I mean... this is a filter, not an argument	19:28
htruta	I'm ok with both too	19:28
rodrigods	ayoung, htruta use /cascade	19:28
htruta	ayoung: and I know that you'll be happy if we have the policy enforcement in each node (which we did)	19:28
rodrigods	let's not enter in a infinite discussion :)	19:28
ayoung	rodrigods, so, for a post, you don't usually have an instance	19:28
ayoung	for PUT, you do	19:28
rodrigods	ayoung, instance?	19:28
ayoung	and, if that PUT is the parent resource, /cascade does not make sense	19:28
notmorgan	oh i have an idea. lets make a FUSE driver that mounts the keystone backends as a POSIX filesystem then we can just do system operations	19:29
ayoung	rodrigods, users/ versus usreser/123FEEDBABECAF	19:29
ayoung	er	19:29
notmorgan	instead of needing APIs	19:29
ayoung	rodrigods, users/ versus users/123FEEDBABECAF	19:29
stevemar	notmorgan: i like it, screw these apis	19:29
rodrigods	ayoung, why doesn't make sense?	19:29
rodrigods	the /cascade	19:29
notmorgan	stevemar: EXACTLY	19:29
stevemar	notmorgan: i think dolphm got wrapped up in a meeting	19:29
stevemar	he isn't replying on any medium	19:30
notmorgan	he always is in a meeting	19:30
rodrigods	is just the semantics of what is going to happen	19:30
ayoung	rodrigods, you are using the URL to specify an operation	19:30
ayoung	well...not even	19:30
ayoung	its just weird	19:30
rodrigods	ayoung, yes... I agree	19:30
rodrigods	we don't have a meaningful HTTP method for this case...	19:31
rodrigods	but query params are filters	19:31
*** mgarza_ has quit IRC		19:31
rodrigods	:(	19:31
ayoung	so..is there any compelling reason to use /cascade? I mean, from a poilcy perspective, we should be using the policy on the individual objects	19:31
rodrigods	ayoung, first... it is not against REST	19:31
*** su_zhang has quit IRC		19:32
rodrigods	second, we would end with two URLs that means the same	19:32
*** su_zhang has joined #openstack-keystone		19:32
rodrigods	for example PUT /abc/123?cascade=false is equal to just PUT /abc/123	19:32
*** su_zhang has quit IRC		19:34
htruta	rodrigods: but we already have that in GET /projects?subtree, for example	19:34
*** esp_ has quit IRC		19:34
*** su_zhang has joined #openstack-keystone		19:34
rodrigods	htruta, GET is a GET	19:34
htruta	rodrigods: agreed	19:35
*** vgridnev has joined #openstack-keystone		19:36
htruta	rodrigods, ayoung: anyway, I think using /cascade is the safer option, once it is approved in the spec, making the policy enforcement in each node	19:38
rodrigods	htruta, can't it behave like hierarchical quotas?	19:38
rodrigods	policy enforcement happening only in the target node? with a different policy rule?	19:38
rodrigods	it is a branch operation	19:39
htruta	rodrigods: ayoung would be a great -2 on that. He believes we need to enforce it in all tree nodes, otherwise, no operation is made	19:40
rodrigods	where is the ownership behavior than? :(	19:40
openstackgerrit	werner mendizabal proposed openstack/keystone: Time-based One-time Password https://review.openstack.org/274901	19:42
*** su_zhang has quit IRC		19:43
*** EinstCrazy has joined #openstack-keystone		19:43
*** su_zhang has joined #openstack-keystone		19:43
*** timcline_ has joined #openstack-keystone		19:45
*** su_zhang has quit IRC		19:46
*** su_zhang has joined #openstack-keystone		19:47
*** EinstCrazy has quit IRC		19:48
*** mvk_ has joined #openstack-keystone		19:48
*** ccard__ has joined #openstack-keystone		19:48
*** simondodsley_ has joined #openstack-keystone		19:50
ayoung	htruta, rodrigods I don't really care that much	19:50
ayoung	just wanted to make sure Iunderstood, an provided my feedback	19:50
*** timcline has quit IRC		19:51
*** simondodsley has quit IRC		19:51
*** mvk has quit IRC		19:51
*** apetrov has quit IRC		19:51
*** ccard_ has quit IRC		19:51
*** simondodsley_ is now known as simondodsley		19:51
htruta	another plot twist here.	19:53
*** su_zhang has quit IRC		19:53
htruta	ayoung: does that mean you'd still be happy with a new policy rule?	19:53
*** su_zhang has joined #openstack-keystone		19:53
htruta	ayoung: if so, I suggest we just follow what was approved in the spec (which is /cascade + new rule)	19:55
*** gyee has quit IRC		19:57
ayoung	htruta, I have other fish to fry	19:59
*** thebloggu has quit IRC		20:05
*** su_zhang has quit IRC		20:06
*** jsavak has quit IRC		20:08
*** jsavak has joined #openstack-keystone		20:09
*** mhickey_ has joined #openstack-keystone		20:20
*** jgriffith_away is now known as jgriffith		20:21
*** jbell8_ has joined #openstack-keystone		20:22
*** jbell8 has quit IRC		20:22
*** petertr7 is now known as petertr7_away		20:22
stevemar	dstanek: can you comment/change status on https://blueprints.launchpad.net/keystone/+spec/more-code-style-automation	20:22
stevemar	it seems done	20:22
*** jbell8_ has quit IRC		20:23
dstanek	stevemar: sure	20:23
stevemar	dstanek: umm, also this one: https://blueprints.launchpad.net/keystone/+spec/restructuring-tests	20:23
*** jbell8 has joined #openstack-keystone		20:23
dstanek	stevemar: there are probably a few more too	20:23
stevemar	dstanek: if they are finished mark them as superseded, if they are no longer valid, then obsolete. this option is under 'definition'	20:24
stevemar	dolphm: not around?	20:27
dolphm	stevemar: in a meeting for another 1.5 hours :(	20:27
ryanpetrello	keeps track of them with self.workers	20:37
ryanpetrello	bah, wrong chatroom :o	20:38
*** simondodsley has quit IRC		20:38
*** spzala has quit IRC		20:44
*** spzala has joined #openstack-keystone		20:45
*** spzala_ has joined #openstack-keystone		20:47
*** timcline_ has quit IRC		20:49
*** spzala has quit IRC		20:49
*** fpatwa has joined #openstack-keystone		20:52
*** spzala_ has quit IRC		20:52
*** raildo is now known as raildo-afk		20:54
*** csoukup_ has joined #openstack-keystone		20:55
ayoung	stevemar, so...I'm working on killing Keystone Eventlet in Tripleo....where else are we stuck with it still?	20:55
stevemar	ayoung: no where else AFAIK	20:55
ayoung	stevemar, I had it working for non-HA...and I think I solved the next two problems with HA just now...we'll see what CI says	20:56
*** jgriffith is now known as jgriffith_away		20:56
*** fpatwa has quit IRC		20:57
*** timcline has joined #openstack-keystone		20:58
*** c_soukup has quit IRC		20:58
*** mhickey_ has quit IRC		20:59
*** mhickey_ has joined #openstack-keystone		21:00
*** petertr7_away is now known as petertr7		21:00
notmorgan	almost under 200 open bugs for keystone just by cleaning up backlog of clearly invalid/wont fixes	21:02
notmorgan	woo	21:02
notmorgan	dstanek, dolphm ^	21:02
cdent	ayoung, stevemar, notmorgan: If any of you have some comments on https://review.openstack.org/#/c/274396/ that would be awesome. The bug is going to block me sooner or later	21:03
*** jsavak has quit IRC		21:03
*** clenimar has quit IRC		21:03
*** vgridnev has quit IRC		21:04
*** jsavak has joined #openstack-keystone		21:04
ayoung	cdent, can you 'splain that to me using the ten hundred most common words?	21:04
notmorgan	ayoung: ++	21:05
cdent	ayoung: you can't pass olso_config_config in conf to AuthProtocol and expect it to work	21:05
notmorgan	cdent: what is the case that happens more to the point	21:05
ayoung	cdent, so what	21:05
* ayoung breaindead right now		21:05
notmorgan	cdent: i'm fine with a fix, but when do you pass that in?	21:05
notmorgan	since you can explain it fast rather than me digging	21:06
ayoung	cdent, yeah, where do you want to do this? What use case does the current behavior break?	21:06
notmorgan	but totally cool with fixing it for a real case :)	21:06
cdent	notmorgan: the goal is to be able to use the oslo conf I have already read, in a non-global fashion, in my service that is using the middleware and _not_ using paste	21:06
cdent	I don't want to pass the config file, I just want to pass the config	21:07
cdent	because why read it again? and because in some cases I don't really know where the file came from (if it was passed as an argument instead of coming from a default location)	21:07
notmorgan	ah also people souldn't be putting middleware opts in paste anyway	21:08
notmorgan	ayoung: ^ this sounds like a real use-case to me	21:09
cdent	the code appears to want this use case to work, but it was broken	21:09
ayoung	cdent, I think I like what you are saying	21:09
cdent	(I think because whoever wrote it had some confusion about ConfigOpts objects work)(	21:09
ayoung	cdent, but I am also a little wary. RIght now, we have a bug, reported by you, fixed by you, where you are the only responder, and I don't undertand the code.	21:11
ayoung	I want at least someone that knows this to chime in, and that means jamielennox\|away	21:12
cdent	ayoung: ulenderstandab	21:12
cdent	whoops	21:12
cdent	understandable	21:12
ayoung	I like that word	21:12
cdent	trackpad fail	21:12
ayoung	ulenderstandab is pro nounce ooo lender stan dab	21:12
ayoung	what does the call to self._local_oslo_config( actually do?	21:13
ayoung	link	21:13
cdent	the first thing it does is clear() the existing ConfigOpts and reset it to something new, by reading from either the default files or a named file, for a particular project	21:14
ayoung	no, where is the code it calls	21:15
ayoung	http://git.openstack.org/cgit/openstack/oslo.config/tree/oslo_config/cfg.py#n2118	21:15
cdent	yes, that	21:15
*** spzala has joined #openstack-keystone		21:16
cdent	(parsing what oslo_config gets up to is ... challenging)	21:16
ayoung	OK, so the first part of your change looks like it is just doing the same logic as before	21:16
ayoung	self._local_oslo_config = conf['oslo_config_config'] in the if, and the else is the	21:16
ayoung	self._local_oslo_config = cfg.ConfigOpts()	21:16
ayoung	so now you are defaulting	21:16
ayoung	self._local_oslo_config.project = conf['oslo_config_project'] but only in the first case	21:17
cdent	that gets set in the second case	21:17
ayoung	and skipping the rest of the __call__	21:17
ayoung	yeah, it gets set but inside the __call__	21:17
cdent	in the first case no _new_ ConfigOpts is created	21:17
cdent	in the second, one is, and it is set to values from the file passed in or the default file for that project	21:17
ayoung	so before if if conf.get('oslo_config_config') would return None, we do the _call_ but in this case we don't because your logic is that the _call_ clobbers what you are holding in memory?	21:19
ayoung	in cfg.ConfigOpts()	21:19
openstackgerrit	Ron De Rose proposed openstack/keystone: Shadow users: unified identity - Shadow federated users https://review.openstack.org/274761	21:19
cdent	the __call__ clobbers what came in	21:20
ayoung	cdent, so you are saying that if conf['oslo_config_config'] is set, we don't want to do the initilization code?	21:20
*** su_zhang has joined #openstack-keystone		21:20
cdent	correct	21:20
*** spzala has quit IRC		21:20
*** pauloewerton has quit IRC		21:21
*** spzala has joined #openstack-keystone		21:21
cdent	(because we've already got a config that is the one we want to use)	21:21
*** gyee has joined #openstack-keystone		21:22
*** ChanServ sets mode: +v gyee		21:22
*** gyee has quit IRC		21:22
*** ubuntu has joined #openstack-keystone		21:23
*** ubuntu is now known as Guest40848		21:23
*** jsavak has quit IRC		21:23
ayoung	cdent, yeah...sorry, I really need to defer to jamielennox\|away on this one. It just looks too much like “I know that you believe you understand what you think I said, but I'm not sure you realize that what you heard is not what I meant.”	21:24
cdent	:)	21:24
*** su_zhang has quit IRC		21:25
cdent	ayoung: It may be that my fix is wrong, but is definitely the case that the code on master is wrong.	21:25
cdent	as there is currently no way for oslo_config_config to get used	21:25
ayoung	anything named _config_config is suspect anyway	21:26
cdent	It's a super useful feature, if we can get it to work	21:26
*** jsavak has joined #openstack-keystone		21:27
*** jsavak has quit IRC		21:29
*** jsavak has joined #openstack-keystone		21:30
*** su_zhang has joined #openstack-keystone		21:32
bknudson_	cdent: did you see https://review.openstack.org/#/c/255661/ ?	21:36
bknudson_	it looks related	21:36
*** gyee has joined #openstack-keystone		21:37
*** ChanServ sets mode: +v gyee		21:37
cdent	bknudson_: is news to me	21:37
* cdent looks		21:37
cdent	that does look related, especially to my comment in the test, but not directly related	21:37
stevemar	notmorgan: morgan 'the-bug-smasher' fainberg	21:39
notmorgan	stevemar: heh	21:39
*** tsymanczyk has quit IRC		21:42
*** jbell8 has quit IRC		21:49
*** ayoung has quit IRC		21:51
*** ThomasHsiao has joined #openstack-keystone		21:53
notmorgan	bknudson_: i think we need to just do a new LDAP driver that is R/O and is ldap3 based	21:59
notmorgan	bknudson_: far easier than retrofitting everything	21:59
notmorgan	bknudson_: and it can be all isolated away from keystone.common	21:59
*** jsavak has quit IRC		22:04
*** edmondsw has quit IRC		22:05
openstackgerrit	werner mendizabal proposed openstack/keystone: Time-based One-time Password https://review.openstack.org/274901	22:07
openstackgerrit	Chris Dent proposed openstack/keystonemiddleware: Remove clobbering of passed oslo_config_config https://review.openstack.org/274396	22:08
cdent	bknudson_: ^ that might be better	22:09
*** jsavak has joined #openstack-keystone		22:11
*** erlarese has quit IRC		22:13
*** timcline has quit IRC		22:21
*** itlinux has quit IRC		22:22
*** petertr7 is now known as petertr7_away		22:23
*** itlinux has joined #openstack-keystone		22:24
*** mhickey_ has quit IRC		22:30
*** mhickey_ has joined #openstack-keystone		22:30
bknudson_	502 proxy error	22:30
*** e0ne has joined #openstack-keystone		22:31
*** jsavak has quit IRC		22:34
cdent	gerrit be slow	22:34
*** jamielennox\|away is now known as jamielennox		22:41
*** e0ne has quit IRC		22:43
*** itlinux_ has joined #openstack-keystone		22:44
*** itlinux has quit IRC		22:47
*** EinstCrazy has joined #openstack-keystone		22:48
*** drjones has quit IRC		22:49
*** _cjones_ has joined #openstack-keystone		22:51
*** EinstCrazy has quit IRC		22:52
*** fpatwa has joined #openstack-keystone		22:53
*** ayoung has joined #openstack-keystone		22:53
*** ChanServ sets mode: +v ayoung		22:53
*** itlinux_ has quit IRC		22:54
*** itlinux has joined #openstack-keystone		22:55
*** slberger has left #openstack-keystone		22:56
*** fpatwa has quit IRC		22:58
*** sinese has quit IRC		23:00
*** jamielennox is now known as jamielennox\|away		23:05
*** cdent has quit IRC		23:07
*** su_zhang has quit IRC		23:11
*** su_zhang has joined #openstack-keystone		23:12
*** mhickey_ has quit IRC		23:13
*** mhickey_ has joined #openstack-keystone		23:14
notmorgan	stevemar, bknudson_: about to push a patch to deprecate 'admin_token_auth'	23:15
notmorgan	:)	23:15
notmorgan	need to fix one test.	23:16
*** clenimar has joined #openstack-keystone		23:16
tjcocozz	does anyone know how long gerrit will be down?	23:17
tjcocozz	looks like just long enough for me to write out that question :-)	23:18
openstackgerrit	Tom Cocozzello proposed openstack/keystone: WIP Depricate Saml2 https://review.openstack.org/275438	23:18
notmorgan	lol	23:18
*** e0ne has joined #openstack-keystone		23:19
*** ThomasHsiao has quit IRC		23:21
*** pushkaru has quit IRC		23:27
*** e0ne has quit IRC		23:28
*** pumarani__ has joined #openstack-keystone		23:28
*** mhickey_ has quit IRC		23:29
*** pumarani__ has quit IRC		23:30
*** pushkaru has joined #openstack-keystone		23:30
*** pumarani__ has joined #openstack-keystone		23:32
*** gordc has quit IRC		23:33
*** pushkaru has quit IRC		23:33
*** clenimar has quit IRC		23:43
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Move EC2 extension to core https://review.openstack.org/275280	23:47
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Deprecate simple_cert extension https://review.openstack.org/274479	23:48
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Move user and admin crud to core https://review.openstack.org/274489	23:48
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Move s3 Extension to core https://review.openstack.org/274973	23:48
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Deprecate admin_token_auth https://review.openstack.org/275443	23:48
notmorgan	stevemar, bknudson_, dolphm, ^ move all the things to core, deprecate more things	23:49
notmorgan	SpamapS: ^ like that [re "things that need to just get "done""]	23:50
*** su_zhang has quit IRC		23:51
*** su_zhang has joined #openstack-keystone		23:51
*** boris-42 has quit IRC		23:53
*** gildub has joined #openstack-keystone		23:58
*** csoukup_ has quit IRC		23:58
*** pumarani__ has quit IRC		23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!