lbragstad | rodrigods I have a question about the jsonschema related to the bug that you brought up in today's meeting | 00:00 |
---|---|---|
dstanek | i need to spend some time looking at all of the oslo.db changes we've made | 00:00 |
shaleh | morgan: the 100 line code is cute. What it looks like you really ought to do is make Fernet be a new BaseTokenProvider with a no-crypto TokenFormatter. Then the FernetProvider can implement one with the crypto code. | 00:02 |
morgan | shaleh: i would just move pack/unpack down | 00:03 |
shaleh | morgan: the fact that the UUIDMsgPack has no crypto because you override all of the pack/unpack which called crypto was easy to miss | 00:03 |
morgan | shaleh: and i would keep it isolated in fernet until the other code paths are dropped | 00:03 |
dstanek | i need to spend some time looking at all of the oslo.db changes we've made | 00:03 |
morgan | shaleh: so the provider would own "pack/unpack" and but the formatters continue to liver where they do | 00:04 |
morgan | live* | 00:04 |
shaleh | morgan: I agree that a refactoring to one core code path is good | 00:04 |
rodrigods | lbragstad, hi | 00:04 |
rodrigods | lbragstad, was afk | 00:04 |
lbragstad | rodrigods quick question | 00:04 |
morgan | shaleh: and once the other things are gone (after deprecation) we can shuffle fernet around a bit to be more generic. but i am trying to avoid 3 shuffles of code | 00:04 |
shaleh | morgan: so for Fernet that means crypto would move from the TokenFormatter to the Provider proper? | 00:04 |
morgan | yep | 00:04 |
lbragstad | rodrigods do you happen to know why we don't use two separate schemas for the federated protocol - https://github.com/openstack/keystone/blob/master/keystone/federation/schema.py#L107-L115 ? | 00:05 |
morgan | and the two diverging classes would be use crypto, or store in DB | 00:05 |
morgan | very simple inheritance | 00:05 |
morgan | instead of override | 00:05 |
shaleh | well, you could make that refactor now. Only fernet would use it. Then you could make your example UUIDMsgPack based on it | 00:05 |
rodrigods | lbragstad, good question | 00:05 |
rodrigods | have no idea :) | 00:05 |
morgan | shaleh: i have a comment in the code to that effect (you might need to refresh), this is a WIP as a proof of what it would take :) | 00:05 |
morgan | shaleh: there are a few other things needed such as implementing the db migration, flushing of tokens, etc | 00:06 |
shaleh | morgan: yes there is a comment about them moving but not about them being part of a refactor | 00:06 |
morgan | the refactor for where pack/unpack/creation_time would go along those. | 00:06 |
shaleh | morgan: +1 for planned direction | 00:07 |
morgan | :) | 00:07 |
morgan | aw craptastic | 00:07 |
morgan | comcast is implementing 250GB caps in my area. | 00:07 |
morgan | this month alone i'm at 322GB | 00:07 |
morgan | *sigh* | 00:07 |
shaleh | yuck | 00:07 |
shaleh | what is the overage typically? | 00:07 |
morgan | i am guessing i'm going to get forced onto "business" account | 00:08 |
lbragstad | rodrigods you're proposing that we require mapping on protocol creation right? | 00:08 |
morgan | shaleh: my overage, i'm guessing 250-300GB /mo | 00:08 |
*** mylu has quit IRC | 00:08 | |
shaleh | morgan: no, is it locked? fee? | 00:08 |
morgan | over the "not-enforced" cap | 00:08 |
morgan | oh iirc it's warn you twice and then shut off your internet | 00:08 |
morgan | i'd have to check | 00:08 |
morgan | but in general.. | 00:08 |
morgan | it doesn't matter which, it sucks. | 00:08 |
shaleh | agreed | 00:09 |
shaleh | that is only 8gb a day | 00:09 |
morgan | maybe i do need to reach out to my landlord and make sure she's ok if i have the fiber run. | 00:09 |
shaleh | easy to reach with some streaming, some dvd downloads, etc. | 00:09 |
*** mylu has joined #openstack-keystone | 00:10 | |
openstackgerrit | David Stanek proposed openstack/keystone: Bump the required tox version to 2.3.1 https://review.openstack.org/308086 | 00:10 |
shaleh | dstanek: what does the new tox version give us? | 00:11 |
rodrigods | lbragstad, a valid mapping -> existing mapping | 00:11 |
lbragstad | rodrigods wouldn't we be able to do something like this - http://cdn.pasteraw.com/3wb778rcxx89yl2nyl908rcuqw7x7gm | 00:11 |
lbragstad | oh... | 00:12 |
dstanek | shaleh: relief from some of the common issues people have when starting development. also newest tox and pip (not sure which one as the cause) fixes bug 1572202 | 00:12 |
openstack | bug 1572202 in OpenStack Identity (keystone) "testresources needs to be explicitly required for tests" [Undecided,In progress] https://launchpad.net/bugs/1572202 - Assigned to David Stanek (dstanek) | 00:12 |
lbragstad | rodrigods so - technically ^ that would still be required but you want to make it so the federation manager checks that the mapping that was passed into the protocol is in-fact a valid mapping | 00:12 |
rodrigods | lbragstad, exactly | 00:12 |
lbragstad | s/valid mapping/valid mapping id/ | 00:12 |
rodrigods | otherwise, it will fail upon authentication | 00:13 |
rodrigods | "mapping not found" | 00:13 |
lbragstad | rodrigods ah ha - ok that makes sense | 00:13 |
rodrigods | lbragstad, seems to break the API :( | 00:13 |
*** josecastroleon has quit IRC | 00:13 | |
*** timonwong has joined #openstack-keystone | 00:14 | |
rodrigods | but i really think that the correct way of handling is checking if the mapping exists, i can't create a domain after i create a project | 00:14 |
*** browne has quit IRC | 00:15 | |
lbragstad | rodrigods hmm - we should probably still separate the schema for the protocols though http://cdn.pasteraw.com/3wb778rcxx89yl2nyl908rcuqw7x7gm | 00:15 |
lbragstad | to follow convention with the rest of the jsonschema stuff in keystone | 00:15 |
*** stingaci_ has quit IRC | 00:15 | |
rodrigods | lbragstad, ++ | 00:16 |
rodrigods | i agree | 00:16 |
*** josecastroleon has joined #openstack-keystone | 00:16 | |
openstackgerrit | Lance Bragstad proposed openstack/keystone: Separate protocol schema https://review.openstack.org/308088 | 00:18 |
lbragstad | rodrigods ^ | 00:18 |
lbragstad | wip | 00:18 |
rodrigods | lbragstad, added myself there | 00:18 |
rodrigods | let's wait our huge zuul queue | 00:19 |
*** browne has joined #openstack-keystone | 00:19 | |
*** sdake has quit IRC | 00:21 | |
*** fawadkhaliq has joined #openstack-keystone | 00:25 | |
*** sdake has joined #openstack-keystone | 00:25 | |
*** alex_xu has quit IRC | 00:26 | |
*** alex_xu has joined #openstack-keystone | 00:27 | |
openstackgerrit | OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/305187 | 00:37 |
*** mylu has quit IRC | 00:38 | |
*** sdake has quit IRC | 00:38 | |
*** sdake has joined #openstack-keystone | 00:38 | |
*** tellesnobrega_af is now known as tellesnobrega | 00:44 | |
*** josecastroleon has quit IRC | 00:46 | |
*** doug-fish has quit IRC | 00:46 | |
*** maestro2 has quit IRC | 00:46 | |
*** alex_xu has quit IRC | 00:47 | |
*** tellesnobrega is now known as tellesnobrega_af | 00:48 | |
*** shaleh has quit IRC | 00:48 | |
*** stingaci has joined #openstack-keystone | 00:48 | |
*** doug-fish has joined #openstack-keystone | 00:49 | |
*** alex_xu has joined #openstack-keystone | 00:49 | |
*** tellesnobrega_af is now known as tellesnobrega | 00:50 | |
*** josecastroleon has joined #openstack-keystone | 00:51 | |
*** fawadkhaliq has quit IRC | 00:56 | |
*** fawadkhaliq has joined #openstack-keystone | 00:57 | |
lbragstad | mfisch dolphm just timed myself with the newly added slides - 21 minutes | 00:59 |
lbragstad | that's more talking than I do in a year | 01:00 |
mfisch | lbragstad: 21m just for you? | 01:00 |
lbragstad | mfisch yeah | 01:00 |
morgan | mfisch: rough to be second billing to lbragstad | 01:00 |
morgan | mfisch: :P | 01:01 |
mfisch | lbragstad: BTW I'm invited to the RAX VIP tent | 01:01 |
mfisch | but now the sales guy wants to meet with me | 01:01 |
* morgan doesn't get invited to VIP anything (and isn't really too upset about that) | 01:01 | |
mfisch | no free lunches at these things | 01:01 |
* morgan plans food and cocktails instead. | 01:02 | |
mfisch | I should tell the sales guy that if he wants to close the deal we need Lance and Dolph there | 01:02 |
morgan | mfisch: and dstanek | 01:02 |
lbragstad | mfisch ++ | 01:02 |
mfisch | is dstanek RAX? | 01:02 |
morgan | mfisch: (gotta toss dstanek under the bus) | 01:02 |
lbragstad | mfisch yup | 01:02 |
*** browne has quit IRC | 01:02 | |
morgan | mfisch: you should also demand claco be there | 01:02 |
mfisch | I'm going to send him a list of names for mirantis folks I want to meet and see what happens | 01:03 |
morgan | LOL | 01:03 |
lbragstad | haha | 01:03 |
mfisch | "Hey Nate can we outsource only keystone to Lance?" | 01:04 |
mfisch | I knew I'd met this guy before he was at Canonical! | 01:04 |
mfisch | he's a nice guy | 01:04 |
lbragstad | oh - I know him | 01:05 |
lbragstad | yeah - he's nice | 01:05 |
morgan | mfisch: you should also include random folks you want to meet from cisco | 01:06 |
morgan | mfisch: in that list | 01:06 |
mfisch | I have a guy at Cisco who'd do that for me | 01:06 |
mfisch | he probably bought a boat after we stood up openstack | 01:06 |
*** dave-mccowan has joined #openstack-keystone | 01:07 | |
bigjools | hey folks, is there any protection against someone doing a user list against a domain configured with the LDAP id provider? | 01:09 |
*** tellesnobrega is now known as tellesnobrega_af | 01:09 | |
*** ayoung has joined #openstack-keystone | 01:09 | |
*** ChanServ sets mode: +v ayoung | 01:09 | |
morgan | bigjools: was talking with cburgess about this earlier, -- i think the best bet is a filter for a specific group you add people to (not the entire DN) - and/or issue a 403 on "user-list" | 01:10 |
bigjools | Ah Chet beat me to it | 01:10 |
morgan | bigjools: ;) | 01:10 |
bigjools | :) | 01:11 |
bigjools | if only he'd spilled the beans...! | 01:11 |
morgan | bigjools: i'm still of the opinion user-list (list every single user?! are you nutty?!) is kind of an insane query to make regardless of the backend | 01:11 |
bigjools | I agree 100% | 01:12 |
morgan | bigjools: 403! use policy.json to prevent it! | 01:12 |
bigjools | apparently Horizon needs user lists somewhere? | 01:12 |
morgan | ;) | 01:12 |
bigjools | yeah | 01:12 |
* morgan looks around and whispers "fix horizon" :P | 01:12 | |
morgan | to not do that. | 01:12 |
bigjools | I also agree 100% with that :) | 01:12 |
morgan | bigjools: we are in the process of rewriting the ldap driver in pure python (using ldap3 lib instead of python-ldap) | 01:13 |
bigjools | oh nice | 01:13 |
bigjools | I might try to connect someone here with you then because he's making some changes on our old driver | 01:13 |
morgan | bigjools: roxanaghe and knikolla are leading that charge - so going to connect cburgess with them as well so it's possible to get things like better filtering support in for bad apis like user-list | 01:13 |
bigjools | perfect | 01:14 |
dstanek | morgan: keep me out of this | 01:14 |
morgan | both rodrigods and knikolla are fantasti! | 01:14 |
morgan | fantastic* | 01:14 |
morgan | and doing a good job on ldap3 things. | 01:14 |
morgan | dstanek: but you're RAX, here let me find a bus... ;) i hear it stretches out ones back to be tossed under the wheels for sales things with mfisch ;) | 01:15 |
dstanek | mfisch: just walk in and say "i'm looking to buy a cloud, what colors do you have in stock?" | 01:16 |
bigjools | snork :) | 01:16 |
lbragstad | "I would like one with extra fluff, please" | 01:16 |
lbragstad | "I would also like to make sure it fits in a carry-on" | 01:17 |
morgan | "I am looking to buy a cloud, and ship it to SoCal, I hear they need the rain" | 01:17 |
dstanek | and make sure you get a name brand. generics always taste like they are missing sugar. | 01:17 |
morgan | oh so dstanek don't buy a macbook 12 and try and put linux on it. | 01:18 |
morgan | dstanek: kernel can't work with the trackpad or keyboard | 01:18 |
lbragstad | dstanek looked at those x1 gen 4s... they're spendy | 01:18 |
morgan | dstanek: no SPI device support even in 4.6 | 01:18 |
morgan | lbragstad: dude my x1c gen 4 will be arriving while i'm at the summit (to PDX) =/ | 01:18 |
dstanek | morgan: planning on putting some flavor of linux on it? | 01:19 |
morgan | dstanek: tumbleweed or 16.04 on the x1c | 01:19 |
morgan | dstanek: i'd have it now except i was "smart" and ordered the NVMe drive | 01:20 |
morgan | =/ | 01:20 |
dstanek | morgan: cool. if it works ok for you i'll go ahead and pick one up for myself | 01:20 |
morgan | I *HAVE* a spare NVMe drive at home. | 01:20 |
morgan | dstanek: the 3rd gen worked perfectly before | 01:20 |
morgan | and i have it on good authority the 4th gen works very well | 01:20 |
dstanek | morgan: yeah, that's what i understand. i wanted to make sure it's the same for the 4th | 01:21 |
dstanek | the last thing i want is a brick while i wait for a driver update | 01:21 |
*** josecastroleon has quit IRC | 01:21 | |
morgan | i am going to put a Samsung 950 pro in it | 01:22 |
morgan | and see which benchmarks better | 01:22 |
morgan | my guess is the 950 will | 01:22 |
morgan | but then again, it *might* be a 950 in there already | 01:22 |
*** dan_nguyen has quit IRC | 01:25 | |
openstackgerrit | Tin Lam proposed openstack/python-keystoneclient: Updated example in README https://review.openstack.org/308103 | 01:25 |
*** EinstCrazy has joined #openstack-keystone | 01:26 | |
*** tellesnobrega_af is now known as tellesnobrega | 01:33 | |
*** lhcheng has quit IRC | 01:34 | |
*** mylu has joined #openstack-keystone | 01:35 | |
*** rderose has quit IRC | 01:36 | |
*** stingaci has quit IRC | 01:36 | |
*** josecastroleon has joined #openstack-keystone | 01:51 | |
*** mylu has quit IRC | 01:55 | |
*** mylu has joined #openstack-keystone | 01:58 | |
*** EinstCra_ has joined #openstack-keystone | 02:00 | |
openstackgerrit | Merged openstack/keystone: Remove support for generating ssl certs https://review.openstack.org/306795 | 02:01 |
openstackgerrit | Merged openstack/keystone: update deprecation warning for falling back to default domain https://review.openstack.org/294822 | 02:01 |
openstackgerrit | Merged openstack/keystone: add missing deprecation reason for eventlet option https://review.openstack.org/307814 | 02:02 |
*** EinstCrazy has quit IRC | 02:03 | |
openstackgerrit | OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/305187 | 02:04 |
morgan | stevemar: do you want to fix the proposal bot again? | 02:11 |
morgan | stevemar: so we can push that through? or let it sit for a bit? | 02:11 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/308111 | 02:12 |
dstanek | morgan: i didn't realize that it could get broken | 02:13 |
morgan | dstanek: the extras is broken | 02:14 |
morgan | dstanek: it strips them off the test-requirements.txt | 02:14 |
morgan | so every proposal to keystone is broken. | 02:14 |
morgan | jamielennox is/was working on a fix | 02:14 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/308111 | 02:14 |
dstanek | morgan: ah, i see what you mean | 02:15 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/308111 | 02:16 |
*** josecastroleon has quit IRC | 02:20 | |
*** sdake_ has joined #openstack-keystone | 02:20 | |
*** browne has joined #openstack-keystone | 02:23 | |
*** sdake has quit IRC | 02:23 | |
openstackgerrit | Ryosuke Mizuno proposed openstack/keystone: Add migration to make service type unique https://review.openstack.org/307593 | 02:24 |
*** gyee has quit IRC | 02:27 | |
openstackgerrit | Ryosuke Mizuno proposed openstack/keystone: Add migration to make service type unique https://review.openstack.org/307593 | 02:29 |
*** dave-mcc_ has joined #openstack-keystone | 02:31 | |
*** dave-mccowan has quit IRC | 02:32 | |
*** sdake_ has quit IRC | 02:36 | |
*** KarthikB has joined #openstack-keystone | 02:43 | |
*** sekrit is now known as CIA | 02:44 | |
*** KarthikB_ has joined #openstack-keystone | 02:44 | |
*** dave-mcc_ has quit IRC | 02:47 | |
*** KarthikB has quit IRC | 02:47 | |
*** sdake has joined #openstack-keystone | 02:48 | |
*** richm has quit IRC | 02:50 | |
*** fawadkhaliq has quit IRC | 02:53 | |
mfisch | lbragstad: dolphm: my intro is 1.5m later section 12.5m | 02:54 |
mfisch | that's 35m without dolph :( | 02:54 |
*** KarthikB_ has quit IRC | 02:55 | |
*** KarthikB has joined #openstack-keystone | 02:55 | |
stevemar | morgan: i think jamie's fix is merging/gating, wait for that to get fixed i guess | 02:56 |
*** lhcheng has joined #openstack-keystone | 03:02 | |
*** ChanServ sets mode: +v lhcheng | 03:02 | |
*** KarthikB has quit IRC | 03:09 | |
*** links has joined #openstack-keystone | 03:21 | |
*** mylu has quit IRC | 03:38 | |
*** ayoung has quit IRC | 03:40 | |
*** mylu has joined #openstack-keystone | 03:59 | |
*** mylu has quit IRC | 04:00 | |
*** doug-fish has quit IRC | 04:01 | |
*** stingaci has joined #openstack-keystone | 04:03 | |
*** ekarlso has quit IRC | 04:11 | |
*** andreaf has quit IRC | 04:11 | |
*** mylu has joined #openstack-keystone | 04:14 | |
*** stingaci has quit IRC | 04:18 | |
*** andreaf has joined #openstack-keystone | 04:21 | |
openstackgerrit | Merged openstack/keystoneauth: Fix H405, D105, D200, and D203 PEP257 https://review.openstack.org/308016 | 04:21 |
*** ekarlso has joined #openstack-keystone | 04:25 | |
*** timonwong has quit IRC | 04:28 | |
*** fawadkhaliq has joined #openstack-keystone | 04:28 | |
*** timonwong has joined #openstack-keystone | 04:33 | |
*** markvoelker has quit IRC | 04:34 | |
*** markvoelker has joined #openstack-keystone | 04:35 | |
*** sdake has quit IRC | 04:36 | |
*** markvoelker has quit IRC | 04:40 | |
morgan | stevemar: woo, almost have my home VPN server up and running | 04:44 |
stevemar | nice | 04:44 |
morgan | stevemar: debating on keeping it running on 443 or if 1194 is "ok" enough | 04:44 |
morgan | 1194 is probably "ok" | 04:45 |
*** maestro1 has joined #openstack-keystone | 04:45 | |
morgan | stevemar: ... i also *may* have it all running in a docker container ;) | 04:47 |
*** rderose has joined #openstack-keystone | 04:52 | |
*** rderose has quit IRC | 04:53 | |
*** stingaci has joined #openstack-keystone | 04:54 | |
*** mylu has quit IRC | 04:57 | |
*** dan_nguyen has joined #openstack-keystone | 04:59 | |
*** doug-fish has joined #openstack-keystone | 05:02 | |
*** stingaci has quit IRC | 05:04 | |
*** dan_nguyen has quit IRC | 05:05 | |
*** doug-fish has quit IRC | 05:07 | |
openstackgerrit | Steve Martinelli proposed openstack/keystone: Updated from global requirements https://review.openstack.org/305187 | 05:15 |
*** stingaci has joined #openstack-keystone | 05:17 | |
openstackgerrit | OpenStack Proposal Bot proposed openstack/python-keystoneclient-kerberos: Updated from global requirements https://review.openstack.org/307772 | 05:19 |
*** Nirupama has joined #openstack-keystone | 05:30 | |
stevemar | morgan: have an opinion on https://review.openstack.org/#/c/305347/ ? | 05:31 |
patchbot | stevemar: patch 305347 - keystone (stable/liberty) - Allow user list without specifying domain | 05:31 |
openstackgerrit | Merged openstack/python-keystoneclient-kerberos: Updated from global requirements https://review.openstack.org/307772 | 05:34 |
*** sdake_ has joined #openstack-keystone | 05:37 | |
*** chip_ has joined #openstack-keystone | 05:49 | |
*** murali has joined #openstack-keystone | 05:52 | |
*** chip_ has quit IRC | 05:52 | |
murali | Hello | 05:53 |
murali | Can anyone be able to check this | 05:53 |
murali | https://ask.openstack.org/en/question/91260/keystone-authentication-error-in-devstack/ | 05:53 |
*** chip_ has joined #openstack-keystone | 05:53 | |
*** stingaci has quit IRC | 06:01 | |
*** stingaci has joined #openstack-keystone | 06:02 | |
lhcheng | murali: are you logging in as new user? | 06:11 |
lhcheng | murali: maybe the new user doesn't have any roles assigned to any projects | 06:11 |
murali | No its preexisting user only | 06:12 |
murali | I can be able do openrc and get some other cli-clients working | 06:12 |
murali | but keystone is not working | 06:12 |
*** ericksonsantos has quit IRC | 06:13 | |
*** maestro2 has joined #openstack-keystone | 06:14 | |
*** clenimar has quit IRC | 06:14 | |
*** maestro1 has quit IRC | 06:14 | |
* stevemar waves at lhcheng :) | 06:14 | |
stevemar | gnite! | 06:15 |
* lhcheng waves back at stevemar | 06:15 | |
* lhcheng is still alive | 06:15 | |
lhcheng | lol | 06:15 |
lhcheng | gnite! | 06:15 |
*** chip_ has quit IRC | 06:16 | |
lhcheng | murali: are you using keystone v2 or v3 on cli-clients? | 06:19 |
*** rcernin has joined #openstack-keystone | 06:21 | |
*** raildo is now known as raildo-afk | 06:25 | |
lhcheng | murali: does your devstack have the latest code from master? | 06:27 |
murali | I am using liberty version | 06:27 |
murali | It was working fine before | 06:27 |
murali | http://paste.openstack.org/show/494730/ | 06:27 |
murali | See above link - I can get user details | 06:27 |
murali | But it gives error for tenant-list | 06:28 |
lhcheng | what's the error? | 06:28 |
lhcheng | horizon internally calls the list tenants, so that might be the same root cause | 06:29 |
murali | An unexpected error prevented the server from fulfilling your request: Expecting ',' delimiter: line 1 column 20 (char 19) (Disable debug mode to suppress these details.) (HTTP 500) (Request-ID: req-188a46e5-5463-4ca8-9485-e50c1e90ce25) | 06:29 |
murali | This is the error | 06:29 |
bigjools | morgan: policy block on list_users breaks anything that wants to use find() :( | 06:30 |
murali | Ohh | 06:31 |
lhcheng | murali: the error looks bad, has the data in db been updated manually? | 06:32 |
murali | No not at all | 06:32 |
lhcheng | murali: you found the problem? :) | 06:32 |
lhcheng | murali: from the log file, looks like it failed while trying to do a query on projects | 06:35 |
murali | Ok I will check Db once again | 06:35 |
murali | Thanks for your time everyone | 06:36 |
*** zqfan has joined #openstack-keystone | 06:37 | |
lhcheng | murali: I am guessing maybe the "extra" field has some invalid json blob. | 06:37 |
murali | Ok will check it | 06:38 |
*** e0ne has joined #openstack-keystone | 06:38 | |
murali | Yup right | 06:39 |
murali | there is invalid blob data | 06:40 |
murali | Now it's fine | 06:40 |
murali | Thanks everyone | 06:40 |
*** murali has quit IRC | 06:40 | |
*** e0ne has quit IRC | 06:43 | |
*** e0ne has joined #openstack-keystone | 06:44 | |
*** e0ne_ has joined #openstack-keystone | 06:45 | |
*** sheel has joined #openstack-keystone | 06:47 | |
*** tesseract has joined #openstack-keystone | 06:47 | |
*** e0ne has quit IRC | 06:48 | |
*** tesseract is now known as Guest67082 | 06:48 | |
*** lhcheng has quit IRC | 06:50 | |
*** e0ne_ has quit IRC | 06:50 | |
*** jaosorior has joined #openstack-keystone | 06:57 | |
*** permalac has joined #openstack-keystone | 07:00 | |
*** chmouel has joined #openstack-keystone | 07:15 | |
*** jlvillal has quit IRC | 07:22 | |
*** jlvillal has joined #openstack-keystone | 07:22 | |
*** kevinbenton has quit IRC | 07:23 | |
*** kevinbenton has joined #openstack-keystone | 07:26 | |
*** fhubik has joined #openstack-keystone | 07:28 | |
*** henrynash has quit IRC | 07:29 | |
openstackgerrit | Merged openstack/keystone: Updated from global requirements https://review.openstack.org/305187 | 07:35 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/308111 | 07:38 |
*** fawadkhaliq has quit IRC | 07:45 | |
*** fawadkhaliq has joined #openstack-keystone | 07:45 | |
*** stingaci has quit IRC | 07:54 | |
*** stingaci has joined #openstack-keystone | 07:55 | |
*** browne has quit IRC | 07:56 | |
*** pece has joined #openstack-keystone | 07:57 | |
*** zzzeek has quit IRC | 08:00 | |
*** stingaci has quit IRC | 08:00 | |
*** fawadkhaliq has quit IRC | 08:02 | |
*** jdennis has quit IRC | 08:03 | |
*** jdennis has joined #openstack-keystone | 08:03 | |
*** zzzeek has joined #openstack-keystone | 08:04 | |
*** maestro2 has quit IRC | 08:05 | |
openstackgerrit | Davanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c https://review.openstack.org/306848 | 08:10 |
*** jistr has joined #openstack-keystone | 08:18 | |
*** fhubik has quit IRC | 08:20 | |
*** pece has quit IRC | 08:21 | |
openstackgerrit | Merged openstack/python-keystoneclient: Updated example in README https://review.openstack.org/308103 | 08:21 |
openstackgerrit | Merged openstack/keystone: Use messaging notifications transport instead of default https://review.openstack.org/301193 | 08:22 |
*** maestro1 has joined #openstack-keystone | 08:24 | |
openstackgerrit | OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/308111 | 08:26 |
*** rdo_ has quit IRC | 08:34 | |
*** rdo has joined #openstack-keystone | 08:36 | |
*** mhickey has joined #openstack-keystone | 08:38 | |
*** david-lyle has quit IRC | 08:59 | |
*** david-lyle has joined #openstack-keystone | 09:00 | |
*** henrynash has joined #openstack-keystone | 09:08 | |
*** ChanServ sets mode: +v henrynash | 09:08 | |
openstackgerrit | OpenStack Proposal Bot proposed openstack/keystoneauth: Updated from global requirements https://review.openstack.org/308227 | 09:35 |
openstackgerrit | Davanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c https://review.openstack.org/306848 | 10:10 |
*** EinstCra_ has quit IRC | 10:13 | |
*** doug-fish has joined #openstack-keystone | 10:26 | |
*** doug-fish has quit IRC | 10:31 | |
breton | morning, keystone | 10:32 |
*** maestro1 has quit IRC | 10:39 | |
*** jaosorior has quit IRC | 10:52 | |
*** jaosorior has joined #openstack-keystone | 10:53 | |
*** tellesnobrega is now known as tellesnobrega_af | 10:54 | |
*** chaitu has joined #openstack-keystone | 10:55 | |
openstackgerrit | Rodrigo Duarte proposed openstack/keystone: Add identity providers integration tests https://review.openstack.org/302299 | 10:58 |
openstackgerrit | Rodrigo Duarte proposed openstack/keystone: Add protocols integration tests https://review.openstack.org/307508 | 10:58 |
openstackgerrit | Rodrigo Duarte proposed openstack/keystone: Add mapping rules integration tests https://review.openstack.org/305444 | 10:58 |
openstackgerrit | Rodrigo Duarte proposed openstack/keystone: Add service providers integration tests https://review.openstack.org/303502 | 10:58 |
*** LZ has joined #openstack-keystone | 10:59 | |
rodrigods | bknudson, ping... the functional tests job is failing because we don't have any | 11:06 |
chaitu | I'm following this blog "http://blog.rodrigods.com/it-is-time-to-play-with-keystone-to-keystone-federation-in-kilo" | 11:06 |
chaitu | We configured both IdP and SP. We are trying to "Get a unscoped token from the SP using a SAML assertion generated by the Keystone IdP" | 11:06 |
chaitu | We are getting an error after running python script . Here is the script here http://paste.openstack.org/show/494766/ | 11:06 |
chaitu | This is the issue we are facing "http://paste.openstack.org/show/494767/" | 11:06 |
chaitu | Please help us | 11:06 |
rodrigods | bknudson, should we try to add a sample one, or just wait to have a real one? | 11:06 |
rodrigods | chaitu, looking | 11:06 |
*** LZ has quit IRC | 11:07 | |
*** LZ has joined #openstack-keystone | 11:08 | |
chaitu | shibboleth logs in SP (var/log/shibboleth/sibd.log ) http://paste.openstack.org/show/494769/ | 11:08 |
rodrigods | chaitu, there is a problem with your mapping | 11:08 |
rodrigods | probably you created a protocol using the wrong mapping_id | 11:08 |
chaitu | rodrigods, This is my mapping file http://paste.openstack.org/show/494770/ | 11:10 |
*** doug-fish has joined #openstack-keystone | 11:11 | |
rodrigods | chaitu, your mapping_id is incorrect, seems that you haven't created a mapping with ID "idp_1_mapping" | 11:11 |
rodrigods | you can create it right now | 11:11 |
rodrigods | using the rules you just passed | 11:12 |
chaitu | This is my mapping list http://paste.openstack.org/show/494771/ | 11:14 |
rodrigods | chaitu, and your protocol list? | 11:15 |
*** samueldmq has joined #openstack-keystone | 11:17 | |
*** ChanServ sets mode: +v samueldmq | 11:17 | |
chaitu | rodrigods: here is protocol list http://paste.openstack.org/show/494772/ | 11:18 |
samueldmq | keystoners: good morning! | 11:19 |
chaitu | rodrigods: This is how we created mapping http://paste.openstack.org/show/494774/ | 11:20 |
rodrigods | chaitu, hmm looks that you don't have a group with ID "federated", can you list the groups | 11:20 |
*** josecastroleon has joined #openstack-keystone | 11:22 | |
chaitu | rodrigods: Here is the gropu list http://paste.openstack.org/show/494775/ | 11:22 |
chaitu | rodrigods: group** | 11:22 |
rodrigods | chaitu, so you need to provide the domain_id in the mapping | 11:23 |
rodrigods | like: | 11:23 |
rodrigods | http://paste.openstack.org/show/494777/ | 11:23 |
rodrigods | chaitu, not like that... because "federated" is the name | 11:25 |
*** trown|outtypewww is now known as trown | 11:25 | |
rodrigods | chaitu, http://paste.openstack.org/show/494778/ or http://paste.openstack.org/show/494779/ | 11:26 |
*** gordc has joined #openstack-keystone | 11:26 | |
*** TxGVNN has joined #openstack-keystone | 11:32 | |
chaitu | rodrigods: Is that fine with this http://paste.openstack.org/show/494780/ | 11:35 |
chaitu | rodrigods: I used above mapping rule I got this error http://paste.openstack.org/show/494781/ | 11:36 |
rodrigods | chaitu, probably you already have a user with the same name you are trying to map | 11:38 |
rodrigods | chaitu, do a test, create a user to be your mapped user - like "mapped_user", and change your mapping to: | 11:39 |
rodrigods | http://paste.openstack.org/show/494782/ | 11:39 |
*** gordc has quit IRC | 11:40 | |
*** gordc has joined #openstack-keystone | 11:41 | |
chaitu | rodrigods: This is how i created mapping http://paste.openstack.org/show/494783/ | 11:47 |
chaitu | rodrigods: here is my error when i used that mapping http://paste.openstack.org/show/494785/ | 11:49 |
*** daemontool has joined #openstack-keystone | 11:50 | |
rodrigods | chaitu, add mapped_user to federated group and add the entry in the local part of the mapping | 11:55 |
rodrigods | chaitu, http://paste.openstack.org/show/494786/ | 11:55 |
*** stacker has joined #openstack-keystone | 11:56 | |
chaitu | rodrigods: This works for us........ Thanks a lot | 12:00 |
rodrigods | chaitu, glad to help, sorry for the bunch of tentative - i just woke up | 12:02 |
*** raildo-afk is now known as raildo | 12:10 | |
chaitu | rodrigods: Oh I see ...It's ok | 12:14 |
breton | guys | 12:14 |
breton | could you please run `tox -e py27 keystone.tests.unit.test_cli.CliNoConfigTestCase.test_cli` locally on your computer? | 12:14 |
rodrigods | breton, running | 12:15 |
breton | with the latest master | 12:15 |
*** csoukup has joined #openstack-keystone | 12:17 | |
breton | tests from change I276c671a0da78e3d1d2aa7336e55f65be41d8cca don't pass | 12:18 |
*** markvoelker has joined #openstack-keystone | 12:18 | |
chaitu | rodrigods: I tried list the federated project list using this script http://paste.openstack.org/show/494791/ | 12:19 |
chaitu | rodrigods: I got an error http://paste.openstack.org/show/494790/ | 12:20 |
rodrigods | breton, i've run locally in a devstack, locally it worked in the devstack it didn't | 12:22 |
rodrigods | and in a devstack* | 12:22 |
*** samueldmq has quit IRC | 12:30 | |
*** samueldmq has joined #openstack-keystone | 12:32 | |
*** ChanServ sets mode: +v samueldmq | 12:32 | |
*** iurygregory has joined #openstack-keystone | 12:37 | |
*** links has quit IRC | 12:46 | |
*** dave-mccowan has joined #openstack-keystone | 12:46 | |
*** tellesnobrega_af is now known as tellesnobrega | 12:52 | |
*** pauloewerton has joined #openstack-keystone | 12:59 | |
*** trown is now known as trown|brb | 13:00 | |
* breton shrugs | 13:00 | |
*** aimeeU has joined #openstack-keystone | 13:02 | |
*** bj0rnar has joined #openstack-keystone | 13:03 | |
openstackgerrit | Ron De Rose proposed openstack/keystone: Move the assignment abstract base class out of core https://review.openstack.org/299635 | 13:03 |
openstackgerrit | Ron De Rose proposed openstack/keystone: WIP - Move the assignment abstract base class out of core https://review.openstack.org/299635 | 13:03 |
bj0rnar | When using keystonemiddleware and keystone_authtoken, how can I force services to use internal endpoint or auth_url .. they seem to be picking up public endpoint atm | 13:04 |
*** csoukup has quit IRC | 13:11 | |
*** richm has joined #openstack-keystone | 13:15 | |
*** timonwong_ has joined #openstack-keystone | 13:16 | |
*** pnavarro has joined #openstack-keystone | 13:17 | |
*** agireud has quit IRC | 13:17 | |
*** dansmith has quit IRC | 13:17 | |
*** trown|brb is now known as trown | 13:19 | |
*** timonwong has quit IRC | 13:19 | |
*** dansmith has joined #openstack-keystone | 13:20 | |
*** dansmith is now known as Guest64767 | 13:20 | |
samueldmq | stevemar: could you re approve patch 307409? | 13:20 |
patchbot | samueldmq: https://review.openstack.org/#/c/307409/ - keystone - Remove comments mentioning eventlet | 13:20 |
*** agireud has joined #openstack-keystone | 13:21 | |
bknudson | rodrigods: the functional test is a non-voting job, so not a big deal. It should work on a review to add functional tests. | 13:22 |
rodrigods | bknudson, cool | 13:22 |
bknudson | for some reason I thought we had added some functional tests already | 13:23 |
*** maestro1 has joined #openstack-keystone | 13:23 | |
rodrigods | bknudson, not yet... the first ones are https://review.openstack.org/#/c/302299 | 13:24 |
bknudson | rodrigods: that one's failing the functional test job, too. | 13:25 |
rodrigods | bknudson, yeah... fixing it right now | 13:25 |
rodrigods | actually, i've already fixed, now i'm rebasing everything | 13:25 |
dstanek | rodrigods: well, let's get those merged then :-) | 13:28 |
rodrigods | dstanek, o/ | 13:28 |
rodrigods | will submit new patches in a couple of minutes | 13:28 |
dstanek | rodrigods: is it safe for me to take a pass at that review or do you have changes coming? | 13:28 |
dstanek | rodrigods: k, let me know | 13:29 |
rodrigods | dstanek, ok | 13:29 |
dstanek | i just added myself to the review, but with the amount of review email i get i'll probably miss it | 13:29 |
bknudson | dstanek: star it | 13:29 |
rodrigods | dstanek, as soon as i submit a new patchset i'll ping you | 13:29 |
bknudson | then have a query to show your starred reviews: https://review.openstack.org/#/q/status:open+is:starred+label:Verified%253D1+-label:Workflow%253D-1+-label:Code-Review%253D2%252Cself,n,z | 13:30 |
dstanek | bknudson: already did. that's how it gets on my trello board. but that job won't run for another hour or so | 13:30 |
rodrigods | bknudson, dstanek, do you use gerrit or other tool for reviewing? | 13:31 |
rodrigods | like gerty | 13:31 |
bknudson | apparently there's also a flag for "reviewed" that doesn't show up in the gerrit ui anywhere, that might be handy. | 13:31 |
dstanek | once it gets there i'll move it to the top | 13:31 |
rodrigods | gertty* | 13:31 |
bknudson | still using gerrit. I haven't figured out gertty yet. | 13:31 |
dstanek | i use gertty sometimes, but mostly gerrit. i organized my work in trello though | 13:31 |
bknudson | every time I use it I'm wondering if it's downloading changes or what it's doing. | 13:31 |
rodrigods | gertty is useful for airplanes :P | 13:31 |
openstackgerrit | Rodrigo Duarte proposed openstack/keystone: Add identity providers integration tests https://review.openstack.org/302299 | 13:32 |
openstackgerrit | Rodrigo Duarte proposed openstack/keystone: Add protocols integration tests https://review.openstack.org/307508 | 13:32 |
openstackgerrit | Rodrigo Duarte proposed openstack/keystone: Add mapping rules integration tests https://review.openstack.org/305444 | 13:32 |
openstackgerrit | Rodrigo Duarte proposed openstack/keystone: Add service providers integration tests https://review.openstack.org/303502 | 13:32 |
rodrigods | bknudson, dstanek ^ done :) | 13:32 |
dstanek | only if you know ahead of time :-) i once tried to update an old gertty instance at the airport and i didn't have enough time to download before boarding | 13:32 |
dstanek | rodrigods: great thanks | 13:33 |
dstanek | rodrigods: did you have to rename the plugin? | 13:34 |
*** Nirupama has quit IRC | 13:34 | |
rodrigods | dstanek, rename how? to be keystone_tempest_plugin instead of tempest_plugin | 13:34 |
rodrigods | ? | 13:34 |
*** tellesnobrega is now known as tellesnobrega_af | 13:36 | |
dstanek | didn't you say something yesterday about keystone being in the name? | 13:36 |
rodrigods | dstanek, yeah... i tried to use just "tempest_plugin" | 13:36 |
rodrigods | but turns out that the "tox -e all-plugin" command matches the folder name | 13:37 |
dstanek | ah, i see so it *needs* to be keystone_tempest_plugin | 13:37 |
rodrigods | yeah | 13:37 |
*** mou1 has joined #openstack-keystone | 13:37 | |
rodrigods | we can try to fix that in tempest, but for now it works like that | 13:37 |
*** edmondsw has joined #openstack-keystone | 13:38 | |
*** sc68cal has joined #openstack-keystone | 13:39 | |
sc68cal | anyone around to chat about https://bugs.launchpad.net/python-keystoneclient/+bug/1571833 ? | 13:39 |
openstack | Launchpad bug 1571833 in python-keystoneclient "Usage example in the README does not work" [Low,Fix released] - Assigned to Tin Lam (tl3438) | 13:39 |
sc68cal | Fixing the README is one way to fix, but I think the issue is, what happened that broke such a basic example of using the python-keystoneclient API? | 13:39 |
sc68cal | because obviously any apps that did it using the old way in the README obviously were broken by whatever changed | 13:40 |
*** samueldmq has quit IRC | 13:41 | |
bknudson | v3 came out 2 years ago, so docs for v2 client are not a priority | 13:41 |
openstackgerrit | Ron De Rose proposed openstack/keystone: Move the assignment abstract base class out of core https://review.openstack.org/299635 | 13:41 |
bj0rnar | I am seeing a problem that for example glance (keystone middleware) tries to validate tokens against the endpoint it finds in /v3 .. problem is, when using keystone behind a proxy, I need to set public_endpoint ... Is there any fix for this? I mean.. auth_uri is set to public_endpoint and auth_url to internal .. it starts by going correctly to auth_url, but then (because of public_endpoint) continues to my public_endpoint that does not even exist at this stage (runs in openstack itself) | 13:41 |
*** samueldmq has joined #openstack-keystone | 13:41 | |
sc68cal | bknudson: is v2 API deprecated? | 13:42 |
bknudson | most of the v2 api is deprecated in keystone | 13:42 |
sc68cal | what release was the deprecation | 13:43 |
bknudson | mitaka | 13:43 |
*** samueldmq has quit IRC | 13:43 | |
sc68cal | That doesn't really cut it. Just because you deprecated it, this release, doesn't really absolve the main issue, that at some point in the past the API you give out to app developers was horribly broken | 13:44 |
bknudson | ok. but given I've got limited time to work on things, given the choice I'm going to work on something else. | 13:45 |
dstanek | sc68cal: who is saying that we don't have to deal with the bug? | 13:45 |
bknudson | luckily it's open source so others can work on it if they want to. | 13:45 |
sc68cal | dstanek: I reported the bug, really I guess I should have been more specific - the issue is that anyone who developed an application, and was directly using the python-keystoneclient API, they got some weird errors like I did | 13:46 |
sc68cal | fixing the README is fine and good, but it doesn't hit the core issue, which is that app developers were broken by some change in python-keystoneclient | 13:46 |
mou1 | Hello. Is anybody familiar with fernet token generation code? | 13:46 |
dstanek | sc68cal: do you know what is actually happening in your sample? | 13:48 |
sc68cal | dstanek: not really. I just followed the example for creating a keystone client object, then when trying to call any of the methods it just 404's out | 13:48 |
sc68cal | most likely due to some sort of issue where the old way that was published doesn't auth correctly? | 13:49 |
sc68cal | I provided a username, tenant, auth_url, etc... to the constructor | 13:49 |
dstanek | sc68cal: if you don't have time to look at it, i can probably look in the next day or two | 13:49 |
sc68cal | dstanek: thanks. I'm not familiar with the internals of keystoneclient | 13:50 |
*** ayoung has joined #openstack-keystone | 13:50 | |
*** ChanServ sets mode: +v ayoung | 13:50 | |
mrhillsman | morning | 13:51 |
*** links has joined #openstack-keystone | 13:52 | |
sc68cal | bknudson: I'd just like to say, yes it is open source, but breaking people in this fashion isn't really a good thing | 13:53 |
bknudson | I'm not convinced that we broke anything. The docs have always had problems. | 13:53 |
sc68cal | so then why does creating a keystone client object with the args I used not work? | 13:54 |
bknudson | I don't know. | 13:54 |
dstanek | sc68cal: i don't think anyone is saying that it is or that anything was done on purpose. it's just it's marked as low priority (because it's easy to fix your code to do it the keystoneauth way). | 13:54 |
dstanek | sc68cal: if we know that this wouldn't still be a bug :-) it would be either marked as invalid or fixed | 13:55 |
sc68cal | dstanek: ack. thanks. I'll be around if there's anything I can help with | 13:56 |
openstackgerrit | Ron De Rose proposed openstack/keystone: Move the assignment abstract base class out of core https://review.openstack.org/299635 | 13:58 |
*** samueldmq has joined #openstack-keystone | 13:59 | |
openstackgerrit | yolanda.robla proposed openstack/keystoneauth: Create custom serializer for keystoneauth and betamax https://review.openstack.org/305937 | 14:03 |
*** jaosorior has quit IRC | 14:09 | |
*** jaosorior has joined #openstack-keystone | 14:09 | |
*** ametts has joined #openstack-keystone | 14:11 | |
ayoung | sc68cal, you need to learn that when something goes wrong in Keystone to blame it on me. | 14:13 |
*** TxGVNN has quit IRC | 14:13 | |
*** TxGVNN has joined #openstack-keystone | 14:13 | |
*** sigmavirus24_awa is now known as sigmavirus24 | 14:15 | |
*** jaosorior has quit IRC | 14:16 | |
*** csoukup has joined #openstack-keystone | 14:18 | |
*** pnavarro has quit IRC | 14:20 | |
*** spzala has quit IRC | 14:22 | |
*** real56 has joined #openstack-keystone | 14:23 | |
*** spzala has joined #openstack-keystone | 14:23 | |
*** spzala has quit IRC | 14:27 | |
sc68cal | ayoung: heh. it's not about blame. This stuff is complex, and there's always little unintended side-effects | 14:28 |
*** tellesnobrega_af is now known as tellesnobrega | 14:29 | |
*** mylu has joined #openstack-keystone | 14:31 | |
*** pushkaru has joined #openstack-keystone | 14:31 | |
*** real56 has quit IRC | 14:32 | |
*** real56 has joined #openstack-keystone | 14:33 | |
*** slberger has joined #openstack-keystone | 14:33 | |
*** mou has joined #openstack-keystone | 14:34 | |
*** mou1 has quit IRC | 14:34 | |
openstackgerrit | ayoung proposed openstack/keystone-specs: Tokens with subsets of roles https://review.openstack.org/186979 | 14:35 |
morgan | stevemar: ping | 14:36 |
morgan | stevemar: actually. | 14:36 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/308371 | 14:37 |
*** slberger1 has joined #openstack-keystone | 14:37 | |
*** slberger has quit IRC | 14:38 | |
openstackgerrit | ayoung proposed openstack/keystone-specs: Tokens with subsets of roles https://review.openstack.org/186979 | 14:38 |
ayoung | morgan, def want to discuss https://review.openstack.org/#/c/186979/ ^^ at the summit. It should be relatively clear, now that we have implied roles, how to implement without breaking Fernet's size limits. | 14:39 |
patchbot | ayoung: patch 186979 - keystone-specs - Tokens with subsets of roles | 14:39 |
morgan | ayoung: sure. | 14:39 |
*** jaosorior has joined #openstack-keystone | 14:40 | |
*** real56 has quit IRC | 14:40 | |
*** mrhillsman has quit IRC | 14:41 | |
*** sdake_ has quit IRC | 14:42 | |
*** roxanagh_ has joined #openstack-keystone | 14:44 | |
raildo | ayoung: what do you think about splitting the fernet token as default provider patch into small patches? | 14:45 |
ayoung | raildo, oh yeah. | 14:45 |
ayoung | raildo, want to get it working to see what the scope of it is first | 14:45 |
*** sdake_ has joined #openstack-keystone | 14:45 | |
ayoung | we can, however, chip off pieces that are already identified if we want to drive on with them raildo | 14:45 |
raildo | ayoung: sure, I'm finishing the summit talks and after that I'll start to work on it :) | 14:46 |
bknudson | I finally need to learn some ansible. | 14:50 |
*** navidp has joined #openstack-keystone | 14:50 | |
morgan | bknudson: ansible is awesome | 14:50 |
bknudson | no complaints so far... I need to find the modules. | 14:50 |
bknudson | I'm reading "Ansible: Up and Running" safari book online. | 14:51 |
ayoung | bknudson, what are you trying to do? | 14:51 |
bknudson | ayoung: at this point just learning, I'm going to write a playbook for https://review.openstack.org/#/c/264398/10/doc/source/project-setup/python.rst (and then +2 when it works) | 14:51 |
patchbot | bknudson: patch 264398 - project-team-guide - Improve docs on setting up development environment | 14:51 |
*** roxanagh_ has quit IRC | 14:51 | |
*** phalmos has joined #openstack-keystone | 14:52 | |
bknudson | eventually I'm going to deploy a public cloud. | 14:52 |
ayoung | bknudson, so jamielennox and I spent a good deal of time in Ansible development for a Keystone based proof of concept last summer | 14:53 |
ayoung | https://github.com/admiyo/rippowam | 14:53 |
ayoung | but we didn't use ansible to do the Openstack calls to set up the cluster. | 14:53 |
ayoung | That was due to Ansible 1 not supporting Keystone v3, but Shade does that nicely now. | 14:53 |
dolphm | anyone have any idea why adding a tox environment to [tox] envlist would cause it to install dependencies differently? the tox documentation doesn't associate any behaviors with envlist beyond which environments are run when you run "tox" itself cc- dstanek | 14:54 |
ayoung | bknudson, so I'd recommend using ansible in a venv and running with ansible2, not stock ansible 1 which is what most distros have at the moment | 14:54 |
bknudson | y, I did pip install in a venv. | 14:54 |
bknudson | it's ansible 2.0.2.0 | 14:55 |
dstanek | dolphm: what is happening exactly? master (keystone) had a recent change that changes the way we install deps | 14:55 |
dolphm | dstanek: i don't *think* this is related to that, as i'm working on stable/liberty at the moment | 14:55 |
ayoung | bknudson, cool. The tripleo-quickstart is a decently organized example of a non-trivial Ansible setup | 14:56 |
dstanek | dolphm: are you getting the wrong deps? | 14:56 |
ayoung | https://github.com/redhat-openstack/tripleo-quickstart | 14:56 |
bknudson | ayoung: once I learn the basics hopefully this will make sense. | 14:56 |
dolphm | dstanek: sort of. i'm trying to fix the two broken jobs here: https://review.openstack.org/#/c/307318/ | 14:56 |
patchbot | dolphm: patch 307318 - keystone (stable/liberty) - Keystone jobs should honor upper-constraints.txt | 14:56 |
ayoung | bknudson, start with running ansible -m setup | 14:56 |
ayoung | bknudson, actually, start with creating an inventory file for your remote hosts, and then running | 14:57 |
ayoung | ansible -i <your file> <somehost> -m setup | 14:57 |
ayoung | that is like, Ansible hello world. | 14:57 |
dolphm | dstanek: tony breed's comment (anyone know his irc nick?) was helpful to get the releasenotes job working again, but to get cover working, this is my diff: http://cdn.pasteraw.com/7cnwh57rabhhtgr0qbydxmg32h4a28u | 14:57 |
ayoung | Gets the set of things that the remote system knows about | 14:57 |
*** henrynash has quit IRC | 14:58 | |
bknudson | dolphm: tonyb | 14:58 |
bknudson | ayoung: right, I need to figure out the inventory file. | 14:58 |
stevemar | morgan: o/ | 14:58 |
ayoung | bknudson, OK...so you have an ip address for the remote host? | 14:58 |
morgan | stevemar: see PM | 14:59 |
ayoung | bknudson, or even a hostname? | 14:59 |
bknudson | oh, hosts is the inventory file! | 14:59 |
ayoung | yep | 14:59 |
ayoung | bknudson, simplest one is something like this | 14:59 |
ayoung | [ipa] | 14:59 |
ayoung | ipa.ayoung.oslab.test | 14:59 |
ayoung | now ipa is the host group with one host in it, with the FQDN ipa.ayoung.oslab.test | 14:59 |
*** Guest64767 is now known as dansmith | 15:00 | |
*** henrynash has joined #openstack-keystone | 15:00 | |
*** ChanServ sets mode: +v henrynash | 15:00 | |
ayoung | so I have that in | 15:00 |
ayoung | ~/.ossipee/deployments/ayoung.oslab/inventory.ini | 15:00 |
*** wxy has quit IRC | 15:00 | |
ayoung | I can do | 15:00 |
bknudson | `ansible keystone-dev -m setup` -- worked | 15:00 |
*** henrynash has quit IRC | 15:01 | |
dolphm | bknudson: (thanks, pinged tonyb in #openstack-dev) cc- dstanek | 15:01 |
ayoung | well I could if the host were up... | 15:01 |
dstanek | dolphm: it looks like you are missing parts of the original patch | 15:01 |
dolphm | dstanek: right, this is my diff on top of the current patchset in gerrit | 15:01 |
bknudson | ayoung: now I need to create a directory "workspace" | 15:02 |
dolphm | dstanek: i can upload the whole thing, but i'd -1 it myself :P | 15:02 |
bknudson | as you can see I'm starting with the basics. | 15:02 |
dstanek | dolphm: did you have to remove the install_command lines for some reason? | 15:02 |
dolphm | dstanek: i did not remove any | 15:02 |
ayoung | bknudson, while you can always do a shell command... | 15:02 |
bknudson | we should switch devstack to ansible. | 15:02 |
bknudson | ayoung: there must be a module for it?? How do I find modules I want? | 15:03 |
ayoung | http://docs.ansible.com/ansible/list_of_files_modules.html | 15:03 |
dolphm | bknudson: but we're still trying to switch it to chef | 15:03 |
dstanek | dolphm: the original patch has install_command lines for cover and release notes https://review.openstack.org/#/c/306846/4/tox.ini | 15:03 |
patchbot | dstanek: patch 306846 - keystone - Keystone jobs should honor upper-constraints.txt (MERGED) | 15:03 |
dolphm | dstanek: the complete change https://review.openstack.org/#/c/307318/ | 15:03 |
openstackgerrit | Alexander Makarov proposed openstack/keystone: Closure table for HMT https://review.openstack.org/285521 | 15:03 |
patchbot | dolphm: patch 307318 - keystone (stable/liberty) - Keystone jobs should honor upper-constraints.txt | 15:03 |
stevemar | bknudson: the point of devstack was to be more user-friendly / self-documenting - and not pick a specific deployment tool over another | 15:03 |
ayoung | bknudson, you are then going to call virtualenv on it? | 15:03 |
bknudson | stevemar: the problem is it's not self-documenting anymore | 15:03 |
dolphm | dstanek: erm, i have no idea how i dropped those originally... | 15:04 |
bknudson | ayoung: I'm going to git clone keystone into it! | 15:04 |
ayoung | git? | 15:04 |
bknudson | then tox -e py27 | 15:04 |
dstanek | bknudson: make it a submodule of itself and see what happens :-) | 15:04 |
ayoung | http://docs.ansible.com/ansible/file_module.html | 15:05 |
ayoung | - file: path=/etc/some_directory state=directory mode=0755 | 15:05 |
bknudson | ayoung: ah, neat | 15:05 |
*** BjoernT has joined #openstack-keystone | 15:05 | |
ayoung | http://docs.ansible.com/ansible/git_module.html | 15:05 |
bknudson | ayoung: how'd you find that? You've got them all memorized? | 15:05 |
* dolphm is just going to start this backport over again | 15:05 | |
*** gagehugo has joined #openstack-keystone | 15:05 | |
*** amit213 has quit IRC | 15:06 | |
ayoung | bknudson, so I think google tracks what I query, but really it was just google searches for "ansible mkdir " and "ansible git" | 15:06 |
bknudson | ayoung: makes sense. thanks! | 15:06 |
ayoung | I knew that there were modules for both those, since I've worked with them in the past. Ansible documentation is pretty good | 15:07 |
*** jaugustine has joined #openstack-keystone | 15:07 | |
ayoung | bknudson, so you are going to want to organize this stuff into a playbook | 15:07 |
ayoung | it's a kind of deep directory structure, looks roughly like this: | 15:08 |
ayoung | projectname/playbooks/roles/ | 15:08 |
ayoung | and then under roles you would probably only have one to start, but build up a few over time | 15:08 |
ayoung | so for rippowam: | 15:08 |
*** amit213 has joined #openstack-keystone | 15:08 | |
ayoung | we did not have a playbooks top level directory, and things got messy. | 15:09 |
*** phalmos has quit IRC | 15:09 | |
ayoung | quickstart is a little cleaner | 15:09 |
bknudson | ok, makes sense. | 15:10 |
ayoung | bknudson, follow this guide http://docs.ansible.com/ansible/playbooks_best_practices.html | 15:10 |
*** mylu has quit IRC | 15:10 | |
*** mylu has joined #openstack-keystone | 15:11 | |
*** raddaoui has joined #openstack-keystone | 15:11 | |
*** phalmos has joined #openstack-keystone | 15:11 | |
bknudson | success, created a directory. | 15:12 |
*** pnavarro has joined #openstack-keystone | 15:13 | |
ayoung | bknudson, sounds like you are rolling. The ansible command line is rarely used, almost always it is ansible-playbook | 15:14 |
*** mylu has quit IRC | 15:14 | |
bknudson | I assume the goal is you can re-run the ansible playbook and it works if you ran before | 15:14 |
ayoung | bknudson, yes, and the modules are designed to not redo work if it is in the right state | 15:15 |
*** mylu has joined #openstack-keystone | 15:15 | |
ayoung | so if the dir exists, it will not recreate it | 15:15 |
rodrigods | dstanek, can you check the reply here: https://review.openstack.org/#/c/302299/9/keystone_tempest_plugin/services/identity/base_clients.py ? | 15:15 |
patchbot | rodrigods: patch 302299 - keystone - Add identity providers integration tests | 15:15 |
rodrigods | dstanek, (thanks for the review, btw) | 15:15 |
bknudson | y, but if i have to run a command it needs to work (e.g., mkdir -p) | 15:16 |
dstanek | rodrigods: sure | 15:16 |
*** stingaci has joined #openstack-keystone | 15:17 | |
*** e0ne has joined #openstack-keystone | 15:18 | |
stevemar | dolphm: lol @ "Apparently I'm terrible at backporting." | 15:19 |
*** gagehugo has quit IRC | 15:20 | |
openstackgerrit | Samuel de Medeiros Queiroz proposed openstack/keystone: Restructure endpoint policy abstract driver https://review.openstack.org/307373 | 15:21 |
openstackgerrit | ayoung proposed openstack/keystone: Make all fixture project_ids into uuids https://review.openstack.org/306681 | 15:21 |
*** stingaci has quit IRC | 15:21 | |
openstackgerrit | Samuel de Medeiros Queiroz proposed openstack/keystone: Create unit tests for endpoint policy drivers https://review.openstack.org/212006 | 15:21 |
*** mylu_ has joined #openstack-keystone | 15:22 | |
openstackgerrit | Cristian Sava proposed openstack/keystone: Customize config file location when run as wsgi app. https://review.openstack.org/288216 | 15:22 |
morgan | stevemar: ooooh | 15:23 |
*** mylu has quit IRC | 15:23 | |
stevemar | morgan: approved ^ | 15:24 |
morgan | stevemar: NICE | 15:24 |
ayoung | rodrigods, can't generate the uuids inline for the Proj_id patch | 15:25 |
morgan | stevemar: is that something we want to try and backport - it seems like a viable mitaka backport (border bug vs feature, but tending bug-ish) | 15:25 |
rodrigods | ayoung, the perf issue? | 15:25 |
ayoung | since they are global vars, each time the python module is imported, the import will regen | 15:25 |
ayoung | two different imports will have two different values | 15:25 |
rodrigods | yeah | 15:25 |
*** spzala has joined #openstack-keystone | 15:25 | |
rodrigods | got it | 15:25 |
ayoung | possibly not a problem now, but might be in the future... | 15:25 |
ayoung | going to roll back the change | 15:25 |
*** gagehugo has joined #openstack-keystone | 15:26 | |
openstackgerrit | ayoung proposed openstack/keystone: Make all fixture project_ids into uuids https://review.openstack.org/306681 | 15:26 |
openstackgerrit | Merged openstack/keystone: Updating sample configuration file https://review.openstack.org/308111 | 15:28 |
*** jaosorior has quit IRC | 15:29 | |
*** spzala has quit IRC | 15:30 | |
openstackgerrit | Samuel de Medeiros Queiroz proposed openstack/keystone: Create unit tests for endpoint policy drivers https://review.openstack.org/212006 | 15:30 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/308414 | 15:30 |
openstackgerrit | Rodrigo Duarte proposed openstack/keystone: Add identity providers integration tests https://review.openstack.org/302299 | 15:31 |
openstackgerrit | Rodrigo Duarte proposed openstack/keystone: Add protocols integration tests https://review.openstack.org/307508 | 15:31 |
openstackgerrit | Rodrigo Duarte proposed openstack/keystone: Add mapping rules integration tests https://review.openstack.org/305444 | 15:31 |
openstackgerrit | Rodrigo Duarte proposed openstack/keystone: Add service providers integration tests https://review.openstack.org/303502 | 15:31 |
*** links has quit IRC | 15:32 | |
*** browne has joined #openstack-keystone | 15:33 | |
openstackgerrit | Samuel de Medeiros Queiroz proposed openstack/keystone: Restructure policy abstract driver https://review.openstack.org/307379 | 15:34 |
openstackgerrit | Samuel de Medeiros Queiroz proposed openstack/keystone: Create unit tests for the policy drivers https://review.openstack.org/212957 | 15:36 |
*** josecastroleon has quit IRC | 15:36 | |
*** josecastroleon has joined #openstack-keystone | 15:37 | |
*** samueldmq has quit IRC | 15:40 | |
*** mylu_ has quit IRC | 15:44 | |
*** mylu has joined #openstack-keystone | 15:44 | |
*** pauloewerton has quit IRC | 15:45 | |
*** iurygregory has quit IRC | 15:45 | |
*** timcline has joined #openstack-keystone | 15:48 | |
*** mylu has quit IRC | 15:48 | |
ayoung | rodrigods, where do I start with reviews? | 15:51 |
*** rderose has joined #openstack-keystone | 15:51 | |
*** tellesnobrega is now known as tellesnobrega_af | 15:51 | |
morgan | ayoung: wait what with the global and import? | 15:51 |
morgan | oh | 15:51 |
morgan | i see | 15:51 |
morgan | ayoung: uhmm... | 15:51 |
morgan | ayoung: actually, wait what is the concern? | 15:52 |
*** stingaci has joined #openstack-keystone | 15:52 | |
ayoung | morgan, so if, say test_v3 and test_v3_auth both imported the file, the uuids generated would be different...I think? | 15:52 |
morgan | ayoung: import compile happens exactly 1 time in a program | 15:52 |
morgan | it's safe to do what you were doing | 15:53 |
*** mylu has joined #openstack-keystone | 15:53 | |
ayoung | morgan, it was on this version: https://review.openstack.org/#/c/306681/3/keystone/tests/unit/default_fixtures.py | 15:53 |
patchbot | ayoung: patch 306681 - keystone - Make all fixture project_ids into uuids | 15:53 |
*** tellesnobrega_af is now known as tellesnobrega | 15:53 | |
ayoung | morgan, but it's not a compile, is it. The code itself is run on each import, I think | 15:53 |
*** gyee has joined #openstack-keystone | 15:54 | |
*** ChanServ sets mode: +v gyee | 15:54 | |
morgan | ayoung: http://paste.openstack.org/show/494843/ | 15:54 |
*** spzala has joined #openstack-keystone | 15:54 | |
ayoung | morgan, I just feel more comfortable with making constants constant | 15:54 |
dstanek | ayoung: only if you do magic. the normal import only executes the code once | 15:54 |
morgan | ayoung: import time happens exactly once unless you do a lot of magic | 15:54 |
morgan | we do exactly what you were doing in a number of cases | 15:54 |
ayoung | morgan, dstanek, so, any preference which way to do it? | 15:54 |
morgan | ayoung: i prefer the global and have it random per test | 15:55 |
morgan | but that's me. | 15:55 |
*** iurygregory has joined #openstack-keystone | 15:55 | |
morgan | as long as it's a consistent format | 15:55 |
morgan | but i'm ok with it either way | 15:55 |
morgan | i wouldn't block either choice. | 15:55 |
*** spzala_ has joined #openstack-keystone | 15:55 | |
morgan | ayoung: the fact import executes once is also partly why mutable default args are so bad. | 15:56 |
*** raildo is now known as raildo-afk | 15:56 | |
*** mylu has quit IRC | 15:57 | |
dstanek | ayoung: i think i'm also OK with either version | 15:57 |
ayoung | rodrigods, ^^ | 15:58 |
*** spzala has quit IRC | 15:58 | |
ayoung | let's get that one in, then, as it will allow for full testing of Fernet | 15:58 |
*** mylu has joined #openstack-keystone | 15:58 | |
*** maestro1 has quit IRC | 16:00 | |
*** pushkaru has quit IRC | 16:01 | |
openstackgerrit | yolanda.robla proposed openstack/keystoneauth: Create custom serializer for keystoneauth and betamax https://review.openstack.org/305937 | 16:01 |
*** pushkaru has joined #openstack-keystone | 16:01 | |
*** lhcheng has joined #openstack-keystone | 16:02 | |
*** ChanServ sets mode: +v lhcheng | 16:02 | |
*** jaugustine has quit IRC | 16:06 | |
*** spzala_ has quit IRC | 16:07 | |
*** spzala has joined #openstack-keystone | 16:07 | |
*** josecastroleon has quit IRC | 16:07 | |
*** spzala_ has joined #openstack-keystone | 16:08 | |
*** dan_nguyen has joined #openstack-keystone | 16:10 | |
*** spzala_ has quit IRC | 16:11 | |
*** spzala_ has joined #openstack-keystone | 16:12 | |
*** spzala has quit IRC | 16:12 | |
*** josecastroleon has joined #openstack-keystone | 16:13 | |
*** pushkaru has quit IRC | 16:17 | |
*** pushkaru has joined #openstack-keystone | 16:17 | |
*** TxGVNN has quit IRC | 16:17 | |
*** pushkaru has quit IRC | 16:17 | |
arunkant | stevemar: Hi Steve..how can I get attention to this review: https://review.openstack.org/#/c/279828/ ? | 16:20 |
patchbot | arunkant: patch 279828 - keystonemiddleware - Adding audit middleware specific notification driv... | 16:20 |
*** jistr has quit IRC | 16:22 | |
*** haneef__ has quit IRC | 16:24 | |
*** rderose has quit IRC | 16:25 | |
*** spzala_ has quit IRC | 16:26 | |
*** pumaranikar has quit IRC | 16:31 | |
*** tellesnobrega is now known as tellesnobrega_af | 16:31 | |
openstackgerrit | Merged openstack/keystone: Remove comments mentioning eventlet https://review.openstack.org/307409 | 16:34 |
ayoung | sudo dnf install https://kojipkgs.fedoraproject.org//packages/python-tox/2.3.1/1.fc24/noarch/python-tox-2.3.1-1.fc24.noarch.rpm | 16:34 |
dstanek | arunkant: i think there is just a lot going on now | 16:35 |
ayoung | in case any of you were wondering how to run tox on Fedora for Keystone now that we've bumped the version | 16:35 |
dstanek | arunkant: i'll add it to my list | 16:35 |
arunkant | dstanek: thanks. | 16:36 |
*** nkinder has quit IRC | 16:37 | |
*** stingaci_ has joined #openstack-keystone | 16:37 | |
*** nkinder has joined #openstack-keystone | 16:37 | |
*** stingaci has quit IRC | 16:38 | |
*** spzala has joined #openstack-keystone | 16:39 | |
*** mylu has quit IRC | 16:40 | |
*** raildo-afk is now known as raildo | 16:41 | |
*** pumaranikar has joined #openstack-keystone | 16:41 | |
*** pauloewerton has joined #openstack-keystone | 16:42 | |
*** spzala has quit IRC | 16:43 | |
*** josecastroleon has quit IRC | 16:43 | |
*** stingaci_ has quit IRC | 16:44 | |
*** spzala has joined #openstack-keystone | 16:45 | |
*** david-nesher has joined #openstack-keystone | 16:45 | |
*** mhickey has quit IRC | 16:46 | |
*** Guest67082 has quit IRC | 16:46 | |
*** spzala has quit IRC | 16:49 | |
*** spzala has joined #openstack-keystone | 16:50 | |
sigmavirus24 | yolanda: did you see my message about https://github.com/sigmavirus24/betamax/pull/104 ? | 16:51 |
*** mylu has joined #openstack-keystone | 16:52 | |
*** roxanagh_ has joined #openstack-keystone | 16:53 | |
*** spzala has quit IRC | 16:55 | |
*** evrardjp has joined #openstack-keystone | 16:55 | |
*** jasonsb has joined #openstack-keystone | 16:56 | |
*** navidp has quit IRC | 17:00 | |
openstackgerrit | Brant Knudson proposed openstack/keystone: Add other-requirements.txt https://review.openstack.org/308477 | 17:01 |
openstackgerrit | Brant Knudson proposed openstack/keystone: Add other-requirements.txt https://review.openstack.org/308477 | 17:01 |
*** spzala has joined #openstack-keystone | 17:02 | |
morgan | sigmavirus24: i'm so happy we have someone working on leveraging the betamax fixture :) | 17:04 |
sigmavirus24 | morgan: me too. It's driving 3 year old feature requests in betamax | 17:04 |
morgan | hehehe | 17:04 |
morgan | ^_^ | 17:05 |
*** navidp has joined #openstack-keystone | 17:05 | |
sigmavirus24 | (granted, feature requests that I made to reach parity with Ruby's VCR but no one really needed until lately) | 17:05 |
*** stingaci has joined #openstack-keystone | 17:05 | |
sigmavirus24 | Not sure I'll get that pull request completed before this weekend though, so I didn't want yolanda rushing into using a custom serializer for the work in keystoneauth | 17:06 |
*** spzala has quit IRC | 17:07 | |
*** maestro1 has joined #openstack-keystone | 17:09 | |
mylu | rodrigods: hi I run into some weird issues do you have a second to help me look at it? | 17:11 |
*** navidp has quit IRC | 17:12 | |
evrardjp | hello guys | 17:14 |
evrardjp | I'm trying to setup my keystone with a self signed cert right now and I have some issues | 17:14 |
evrardjp | http://paste.openstack.org/show/494860/ | 17:14 |
evrardjp | It's more the fact I don't understand the process (yet) and I'd be happy to learn | 17:14 |
*** maestro1 has quit IRC | 17:15 | |
evrardjp | I wonder why I'm that often redirected to the admin interface | 17:16 |
evrardjp | is that normal? | 17:16 |
*** josecastroleon has joined #openstack-keystone | 17:19 | |
dstanek | arunkant: i did a quick first pass | 17:19 |
arunkant | dstanek: Thanks..will address the comments soon. | 17:20 |
*** clenimar has joined #openstack-keystone | 17:22 | |
*** trown is now known as trown|lunch | 17:27 | |
*** real56 has joined #openstack-keystone | 17:27 | |
*** BjoernT is now known as Bjoern_zZzZzZzZ | 17:29 | |
*** Bjoern_zZzZzZzZ is now known as BjoernT | 17:31 | |
*** maestro1 has joined #openstack-keystone | 17:32 | |
*** jasonsb has quit IRC | 17:32 | |
*** yarkot has joined #openstack-keystone | 17:32 | |
*** jasonsb has joined #openstack-keystone | 17:32 | |
odyssey4me | stevemar if you can help get the right person in contact with evrardjp I'd appreciate it - we need to understand whether keystone has a bug (unlikely), it's working as designed (possible), or whether we're configuring something badly (entirely possible) | 17:33 |
dstanek | odyssey4me: is there a bug report i can look at? | 17:34 |
evrardjp | more likely a configuration issue, because I can adapt it to make it work | 17:34 |
evrardjp | http://paste.openstack.org/show/494860/ | 17:34 |
odyssey4me | dstanek not at this stage - just trying to understand whether this is by design or now | 17:34 |
odyssey4me | *not | 17:34 |
evrardjp | not a bug | 17:34 |
gyee | evrardjp, that's the expected behavior | 17:34 |
gyee | it will pick the admin endpoint by default | 17:34 |
gyee | try setting the interface param to public | 17:35 |
gyee | client.Client(interface="public", ...) | 17:35 |
odyssey4me | gyee is that the same as using OS_ENDPOINT_TYPE=publicURL when using the CLI ? | 17:36 |
gyee | openstack --os_interface=public | 17:36 |
gyee | right | 17:36 |
odyssey4me | or does the client perhaps ignore the env var for a subset of commands? | 17:37 |
gyee | I don't think client uses env var | 17:37 |
*** jasonsb has quit IRC | 17:37 | |
gyee | just the CLI | 17:37 |
dstanek | odyssey4me: ksc doesn't use those vars at all | 17:37 |
*** pnavarro has quit IRC | 17:38 | |
dstanek | that's purely an osc thing iiuc | 17:38 |
lbragstad | dolphm mfisch down to 16:30 | 17:38 |
mfisch | lbragstad: like this? | 17:38 |
mfisch | https://www.youtube.com/watch?v=j2egGfd5j_k | 17:38 |
openstackgerrit | Merged openstack/keystone: Updated from global requirements https://review.openstack.org/308371 | 17:38 |
mfisch | you might be too young to remember that ^ | 17:38 |
evrardjp | I'll paste you something | 17:39 |
dstanek | mfisch: yesssssss! | 17:39 |
lbragstad | mfisch lol pretty much | 17:39 |
dstanek | mfisch: i used to have a huge collection | 17:39 |
evrardjp | http://paste.openstack.org/show/494863/ | 17:40 |
*** spzala has joined #openstack-keystone | 17:40 | |
odyssey4me | gyee ^ | 17:41 |
odyssey4me | hmm, so perhaps the ksc isn't receiving the right parameter (ie bug in OSC) | 17:41 |
*** tellesnobrega_af is now known as tellesnobrega | 17:41 | |
*** sdake__ has joined #openstack-keystone | 17:41 | |
evrardjp | however this works: http://paste.openstack.org/show/494864/ | 17:42 |
evrardjp | when querying internally | 17:42 |
gyee | I mean "openstack --os-interface public" | 17:42 |
gyee | not --os-interface=public | 17:42 |
gyee | sorry | 17:42 |
evrardjp | it doesn't change a thing | 17:43 |
*** sdake__ has quit IRC | 17:43 | |
*** sdake_ has quit IRC | 17:43 | |
*** sdake_ has joined #openstack-keystone | 17:45 | |
dolphm | mfisch: <3 micro machines | 17:45 |
stevemar | mfisch: well that was weird | 17:45 |
evrardjp | I do too TBH, it makes me hate that | 17:45 |
evrardjp | too many words per second | 17:45 |
evrardjp | we didn't get the budget for a 10 minute ad, so let's stick to 30 seconds... | 17:46 |
evrardjp | anyway | 17:46 |
dolphm | stevemar: do you know why the cover and releasenotes jobs don't respect constraints like the other jobs do? https://review.openstack.org/#/c/306846/4/tox.ini | 17:47 |
patchbot | dolphm: patch 306846 - keystone - Keystone jobs should honor upper-constraints.txt (MERGED) | 17:47 |
evrardjp | gyee it doesn't seem related to the os-interface at all | 17:47 |
evrardjp | it's an endpoint issue, that looks weird | 17:47 |
evrardjp | so we did something wrong in the configuration | 17:47 |
*** josecastroleon has quit IRC | 17:48 | |
stevemar | dolphm: let me see... | 17:49 |
*** josecastroleon has joined #openstack-keystone | 17:50 | |
gyee | evrardjp, try "openstack token issue --debug" to see if the service catalog is returned | 17:50 |
dstanek | dolphm: someone said it's an infra limitation. not implemented i think | 17:50 |
evrardjp | gyee with the os-interface set to public? | 17:50 |
gyee | evrardjp, doesn't matter for token issue | 17:51 |
evrardjp | internally/externally? | 17:51 |
evrardjp | ok | 17:51 |
gyee | token issue only cares about auth-url | 17:51 |
dolphm | dstanek: oh, so it'll work on my box with the constraints, but not in jenkins? | 17:51 |
stevemar | dolphm: yeah, what dstanek said... i think it's got to do with infra | 17:51 |
stevemar | dolphm: possible | 17:52 |
dolphm | that might explain some things | 17:52 |
dstanek | dolphm: i would guess that it'll execute the tests, but not do the enforcement | 17:52 |
dolphm | dstanek: but only in jenkins? | 17:52 |
evrardjp | http://paste.openstack.org/show/494868/ | 17:52 |
dstanek | dolphm: i don't think anything will evaluate that environment variable, but i'm not sure how the sausage is made | 17:53 |
*** sdake__ has joined #openstack-keystone | 17:53 | |
*** jed56 has quit IRC | 17:53 | |
*** daemontool has quit IRC | 17:53 | |
bknudson | in ansible, can I run some commands with sudo and some commands without? | 17:54 |
dolphm | dstanek: lol okay | 17:54 |
rodrigods | ayoung, hmm was afk | 17:54 |
evrardjp | bknudson yes | 17:54 |
bknudson | I should find an ansible forum. | 17:54 |
evrardjp | sudo: | 17:54 |
rodrigods | ayoung, so use uuid.uuid4().hex? | 17:54 |
dstanek | dolphm: https://specs.openstack.org/openstack/openstack-specs/specs/requirements-management.html | 17:54 |
evrardjp | it is now named become | 17:54 |
rodrigods | mylu, hi, was afk | 17:54 |
rodrigods | mylu, what issues are you facing? | 17:54 |
bknudson | I tried sticking become: root on the task and it doesn't seem to work. | 17:54 |
dstanek | bknudson: yep | 17:54 |
evrardjp | gyee so token doesn't seem to work externally | 17:54 |
mylu | rodrigods: no worries I actually just sent you an email to explain it | 17:55 |
bknudson | ohhh, it's become: yes , not root. | 17:55 |
dstanek | and become_user i think | 17:55 |
evrardjp | bknudson become: yes, become_user: root | 17:55 |
evrardjp | yes or True | 17:55 |
bknudson | right, thanks. | 17:55 |
evrardjp | yw | 17:55 |
mylu | rodrigods: in short the issue is i can get a unscoped token with curl command but not with tempest, even if they r requesting with the same headers and url | 17:55 |
evrardjp | I'd be happy if you get an idea of how to fix that :D | 17:56 |
*** sdake_ has quit IRC | 17:57 | |
*** pumaranikar has quit IRC | 17:57 | |
*** pumaranikar has joined #openstack-keystone | 17:57 | |
rodrigods | mylu, replying to your email | 17:58 |
*** spzala has quit IRC | 17:59 | |
odyssey4me | gyee does 'token issue' get a scoped or unscoped token? from evrardjp's paste it looks like it's failing hard | 18:00 |
gyee | scoped, last paste is showing http instead of https endpoint? | 18:01 |
gyee | so http endpoint works but not https | 18:01 |
odyssey4me | gyee yeah, so the http endpoint is inside | 18:01 |
*** spzala has joined #openstack-keystone | 18:01 | |
odyssey4me | so the second paste is from an internal host, whereas the first is from an external host | 18:02 |
odyssey4me | evrardjp do the second one but make sure it uses the public endpoint, not internal | 18:03 |
evrardjp | I don't know what scoped or unscoped means, but yes, that's it | 18:03 |
mylu | rodrigods: awesome thanks! | 18:04 |
*** edtubill has joined #openstack-keystone | 18:04 | |
*** spzala has quit IRC | 18:06 | |
gyee | evrardjp, when using https endpoint for token issue, do you see the /auth/token call in /var/logs/apache2/keystone_access.log? | 18:09 |
evrardjp | I'll check that right away | 18:10 |
bknudson | I screwed up my vm by making it too small. Luckily I've got an ansible script so I don't have to enter all those commands again. | 18:12 |
*** spzala has joined #openstack-keystone | 18:13 | |
*** sdake__ has quit IRC | 18:14 | |
*** navidp has joined #openstack-keystone | 18:15 | |
*** spzala has quit IRC | 18:18 | |
*** mylu has quit IRC | 18:18 | |
*** browne has quit IRC | 18:19 | |
*** spzala has joined #openstack-keystone | 18:19 | |
*** josecastroleon has quit IRC | 18:19 | |
*** navidp has quit IRC | 18:20 | |
*** josecastroleon has joined #openstack-keystone | 18:21 | |
evrardjp | gyee I don't know if it helps: http://paste.openstack.org/show/494870/ | 18:21 |
gyee | doesn't appear your auth token call made it to the keystone app | 18:23 |
*** spzala has quit IRC | 18:24 | |
*** spzala has joined #openstack-keystone | 18:24 | |
gyee | evrardjp, can you check this? grep -i SSL /etc/apache2/sites-available/keystone | 18:25 |
gyee | and paste me the output? | 18:25 |
*** ayoung has quit IRC | 18:25 | |
gyee | make sure your SSLVerifyClient is set to optional | 18:25 |
evrardjp | it's not | 18:25 |
*** mylu has joined #openstack-keystone | 18:25 | |
evrardjp | SSLVerifyClient isn't there | 18:25 |
evrardjp | let me check | 18:26 |
evrardjp | just to be sure | 18:26 |
*** yolanda has quit IRC | 18:26 | |
evrardjp | yes it's not there | 18:26 |
evrardjp | I'll add it and come back to you | 18:27 |
*** yolanda has joined #openstack-keystone | 18:29 | |
evrardjp | wait I just thought before doing something stupid | 18:29 |
evrardjp | you mean I have to passthrough SSL to my server right? | 18:29 |
openstackgerrit | Merged openstack/keystone: Customize config file location when run as wsgi app. https://review.openstack.org/288216 | 18:30 |
*** real56 has quit IRC | 18:30 | |
*** mylu has quit IRC | 18:30 | |
evrardjp | because what we did is configure HTTP in the backend, and HTTPs termination on our load balancer | 18:30 |
evrardjp | if this isn't possible this is something we should be aware of | 18:31 |
*** real56 has joined #openstack-keystone | 18:32 | |
*** mylu has joined #openstack-keystone | 18:32 | |
bknudson | evrardjp: are you setting public_endpoint and admin_endpoint in keystone.conf? | 18:32 |
bknudson | that will cause keystone to return whatever you want it to when keystone returns the versions response. | 18:32 |
evrardjp | we have admin_endpoint in keystone.conf | 18:33 |
bknudson | there's also a setting for the header to use from the proxy (if you're not setting *_endpoint): http://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone.conf.sample#n83 | 18:34 |
gyee | evrardjp, no, if your keystone is listening on non-ssl, you need to terminate ssl at the LB and do non-ssl to keystone | 18:34 |
bknudson | what is admin_endpoint set to? | 18:34 |
evrardjp | bknudson the internal http address | 18:34 |
gyee | evrardjp, you using haproxy? | 18:35 |
bknudson | if you want people using the internal http address then that's correct. | 18:35 |
evrardjp | gyee yes | 18:35 |
*** mylu has quit IRC | 18:35 | |
evrardjp | bknudson my workaround was to use the public URL there | 18:35 |
evrardjp | which isn't I think the best practice | 18:35 |
gyee | so make sure the keystone url at the backend section is non-ssl | 18:35 |
*** daemontool has joined #openstack-keystone | 18:35 | |
bknudson | that sounds like the correct thing to do rather than a workaround? | 18:35 |
evrardjp | gyee that's ok | 18:35 |
bknudson | I don't know your network setup so I can't give good advice here anyways. | 18:36 |
gyee | bknudson, that's a typical production deployment, terminates SSL at the proxy/lb | 18:36 |
*** mylu has joined #openstack-keystone | 18:36 | |
gyee | and do non-ssl to the keystone instances | 18:36 |
evrardjp | yes we terminate at haproxy, and do no-ssl to keystone | 18:36 |
bknudson | he's saying he's got an internal http address, whatever that is? | 18:36 |
evrardjp | in haproxy the backend in http | 18:37 |
evrardjp | and we have http-request set-header X-Forwarded-Port %[dst_port] | 18:37 |
evrardjp | and the server in the backend is well in http | 18:37 |
bknudson | why wouldn't you set the admin_endpoint to HAProxy? | 18:37 |
evrardjp | so you mean expose the admin_endpoint to the public? | 18:38 |
gyee | evrardjp, what does your keystone backend look like in /etc/haproxy/haproxy.cfg? | 18:39 |
bknudson | if you want public to be able to create users and do other admin ops then that makes sense. | 18:39 |
*** woodster_ has joined #openstack-keystone | 18:39 | |
evrardjp | gyee which one? admin or public? | 18:39 |
bknudson | I guess I'm wondering why this is a problem if users aren't doing admin ops | 18:40 |
evrardjp | I'll paste them both | 18:40 |
gyee | "server keystone-public <ip>:5000 check" | 18:40 |
gyee | something like that? | 18:40 |
evrardjp | yes | 18:40 |
*** maestro1 has quit IRC | 18:40 | |
evrardjp | http://paste.openstack.org/show/494871/ | 18:41 |
gyee | what about frontend? | 18:41 |
evrardjp | I removed the checks | 18:41 |
evrardjp | for a cleaner log | 18:41 |
evrardjp | but I can put them back | 18:41 |
*** mylu has quit IRC | 18:41 | |
evrardjp | the haproxy nodes hold the vip for public and admin interface | 18:42 |
evrardjp | it binds to it and redirects to the appropriate server in http | 18:42 |
evrardjp | the admin is in an internal net on 172.29 range | 18:43 |
evrardjp | apparently here we also configured the admin on the public vip | 18:43 |
evrardjp | which is not great but that's another topic | 18:43 |
gyee | can you add "verify optional" to the bind line | 18:44 |
gyee | just in case | 18:44 |
evrardjp | for the public vip right | 18:44 |
evrardjp | ok | 18:44 |
gyee | bind 104.239.168.236:5000 ssl crt /etc/ssl/private/haproxy.pem ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS verify optional | 18:44 |
*** mylu has joined #openstack-keystone | 18:45 | |
evrardjp | I'm new to this self sign thingy | 18:45 |
evrardjp | I used to have certificates for free :p | 18:45 |
*** sigmavirus24 is now known as sigmavirus24_awa | 18:45 | |
gyee | certificates are never *free* | 18:46 |
evrardjp | true | 18:46 |
gyee | it may be zero CapEx, but definitely not zero OpEx | 18:46 |
bknudson | https://letsencrypt.org/ | 18:46 |
*** trown|lunch is now known as trown | 18:46 | |
evrardjp | gyee in our case it was shared opex | 18:46 |
gyee | still, not zero opex | 18:47 |
evrardjp | true | 18:47 |
evrardjp | verify optional doesn't work let me check the doc one sec | 18:47 |
*** doug-fish has quit IRC | 18:47 | |
bknudson | one thing I don't get about the ansible docs is the examples: http://docs.ansible.com/ansible/command_module.html#examples | 18:48 |
bknudson | that's not even valid yaml. | 18:48 |
bknudson | (the args: form) | 18:49 |
evrardjp | ok so | 18:50 |
evrardjp | I added verify none | 18:50 |
bknudson | oh, maybe I'm supposed to leave off the name:? | 18:50 |
*** josecastroleon has quit IRC | 18:50 | |
evrardjp | nope you can keep it | 18:50 |
evrardjp | show me I'll help you :D | 18:51 |
*** browne has joined #openstack-keystone | 18:51 | |
evrardjp | gyee so it's added, but it doesn't work better | 18:51 |
*** josecastroleon has joined #openstack-keystone | 18:51 | |
bknudson | here's the sample: https://etherpad.openstack.org/p/keystone-dev-ansible (see line 58) | 18:52 |
gyee | evrardjp, lets try curl | 18:52 |
gyee | curl -k https://ip:5000 | 18:53 |
evrardjp | gyee /v3 ? | 18:54 |
gyee | sure | 18:55 |
evrardjp | http://paste.openstack.org/show/494875/ | 18:55 |
*** e0ne has quit IRC | 18:55 | |
gyee | your configuration appears to be fine | 18:56 |
evrardjp | v3 : http://paste.openstack.org/show/494876/ | 18:56 |
*** sigmavirus24_awa is now known as sigmavirus24 | 18:56 | |
gyee | configuration appears to be correct | 18:57 |
evrardjp | and thanks for your time everyone already | 18:57 |
evrardjp | good news | 18:57 |
evrardjp | it's a good start for the users to do an openstack server list | 18:57 |
evrardjp | :D | 18:57 |
*** yolanda has quit IRC | 18:58 | |
*** tqtran has joined #openstack-keystone | 19:00 | |
gyee | can you try authenticate via curl? | 19:01 |
evrardjp | I have to learn that first | 19:02 |
gyee | http://docs.openstack.org/developer/keystone/api_curl_examples.html | 19:02 |
evrardjp | faster than my google | 19:02 |
gyee | hah | 19:02 |
evrardjp | user or admin? | 19:02 |
gyee | user | 19:03 |
evrardjp | let's try some user with _member_ role only | 19:03 |
*** woodburn has quit IRC | 19:03 | |
gyee | doesn't matter about the user | 19:03 |
gyee | just want to see the call get routed properly | 19:03 |
openstackgerrit | Arun Kant proposed openstack/keystonemiddleware: Adding audit middleware specific notification driver conf https://review.openstack.org/279828 | 19:04 |
evrardjp | ok I got everything | 19:04 |
evrardjp | want to see? | 19:05 |
*** rcernin has quit IRC | 19:05 | |
evrardjp | sorry for the rudimentary aspect of this paste | 19:06 |
evrardjp | if I had a beautifier... | 19:06 |
*** aimeeU has quit IRC | 19:06 | |
*** doug-fis_ has joined #openstack-keystone | 19:07 | |
evrardjp | solved now | 19:10 |
*** mylu has quit IRC | 19:10 | |
evrardjp | so the issue isn't keystone itself, it's the user? | 19:10 |
*** lhcheng has quit IRC | 19:11 | |
gyee | regardless, we have a usability bug in keystoneauth1 | 19:12 |
evrardjp | nah it should work | 19:12 |
evrardjp | I agree | 19:13 |
gyee | failed authentication is not the same as can't get endpoint | 19:13 |
bknudson | python -m json.tool | 19:13 |
evrardjp | but it's always a question of endpoint | 19:13 |
evrardjp | openstack server list needs to know the endpoint | 19:14 |
evrardjp | right? | 19:14 |
evrardjp | for user interactions I mean | 19:14 |
gyee | it only need the auth-url | 19:14 |
bknudson | openstack server list needs to know the nova endpoint and the auth endpoint | 19:14 |
gyee | everything else is discovered from service catalog | 19:14 |
bknudson | the admin endpoint doesn't matter | 19:14 |
*** sheel has quit IRC | 19:15 | |
evrardjp | bknudson I agree the admin endpoint shouldn't matter | 19:15 |
evrardjp | that's what I wrote in the first paste | 19:15 |
gyee | admin endpoint does matter if you perform keystone v3 operations | 19:16 |
gyee | it selects the admin endpoint by default | 19:16 |
evrardjp | ohoh | 19:16 |
evrardjp | that's it | 19:16 |
evrardjp | so I should use admin endpoint as a public thingy | 19:16 |
evrardjp | or not? | 19:16 |
gyee | we did try to make public endpoint as default, but not sure if that patch has landed yet | 19:17 |
bknudson | we probably tried to change it and it broke somebody so we had to undo it. | 19:18 |
bknudson | that's typically what happens whenever we try to do the right thing. | 19:18 |
evrardjp | so what's the best solution for my case? | 19:18 |
*** real56 has quit IRC | 19:18 | |
gyee | evrardjp, that's the conversation you need to have with your security team | 19:18 |
gyee | which API to expose to the public | 19:18 |
bknudson | there's probably setup you could do in apache to reject all requests to /v2.0 if you want to make only v3 public. | 19:19 |
evrardjp | so v3 operations imposes the actions that I have to expose to the public if they want to make simple calls like openstack server list | 19:19 |
gyee | for openstack server list, you do not need keystone admin endpoint | 19:20 |
*** mylu has joined #openstack-keystone | 19:20 | |
bknudson | gyee: you think it's the keystoneclient lib that's doing this? | 19:20 |
bknudson | using the admin endpoint for auth? | 19:20 |
gyee | bknudson, don't think so | 19:20 |
bknudson | so, openstack CLI? | 19:21 |
*** edtubill has quit IRC | 19:21 | |
evrardjp | gyee apparently yes because it first needs to find the nova endpoint in the service catalog | 19:21 |
gyee | openstack CLI should be using Session from keystoneauth1 by now | 19:21 |
*** josecastroleon has quit IRC | 19:21 | |
evrardjp | and the service catalog is only accessed through admin? or am I wrong? | 19:21 |
gyee | no | 19:21 |
bknudson | ok, then keystoneauth is using admin for auth? | 19:21 |
gyee | you'll get the service catalog from token auth | 19:22 |
gyee | bknudson, no, it should use auth_url | 19:22 |
evrardjp | gyee which is fine because it worked with curl | 19:22 |
evrardjp | now i get it | 19:22 |
bknudson | y, that's weird. wonder why in this case it's hitting admin? | 19:22 |
bknudson | unless auth url is set to the admin endpoint? | 19:23 |
*** yolanda has joined #openstack-keystone | 19:23 | |
evrardjp | bknudson in my openstack client the auth url is set to public | 19:23 |
evrardjp | is set to the public ip | 19:23 |
bknudson | export OS_AUTH_URL=http://localhost:5000/v2.0 | 19:23 |
evrardjp | port 5000 | 19:23 |
bknudson | that's weird. I think we'll have to trace keystoneauth and see what it's doing. | 19:24 |
evrardjp | it's becoming a little late for me | 19:24 |
evrardjp | I'll stop for today and come back tomorrow | 19:24 |
*** lhcheng has joined #openstack-keystone | 19:25 | |
*** ChanServ sets mode: +v lhcheng | 19:25 | |
evrardjp | I really thank you for your time | 19:25 |
evrardjp | so we should check at what would be the cause of the pain in openstack cli I guess | 19:25 |
evrardjp | I can help you reproduce that I can deploy plenty of stuff :D | 19:25 |
*** roxanagh_ has quit IRC | 19:26 | |
evrardjp | a comma is missing in the last phrase, but I guess you understood | 19:26 |
evrardjp | anyway | 19:26 |
evrardjp | I'm off | 19:26 |
evrardjp | thanks! | 19:26 |
gyee | no problem | 19:26 |
gyee | bknudson, only thing I can think of would be if they have proxy set on the box where CLI is running | 19:27 |
gyee | evrardjp, check your http_proxy and http_proxy env var | 19:27 |
bknudson | anything's possible. | 19:27 |
bknudson | or maybe they're using an older version that has a bug | 19:28 |
odyssey4me | gyee hmm, nope - no proxy... but keystone does have an LB in front of it | 19:28 |
gyee | haproxy config seems fine | 19:28 |
odyssey4me | keystone.conf has secure_proxy_ssl_header set | 19:28 |
openstackgerrit | Alexander Makarov proposed openstack/keystone: Closure table for HMT https://review.openstack.org/285521 | 19:29 |
gyee | version discovery looks fine | 19:29 |
gyee | it correctly returns the https url in href | 19:29 |
openstackgerrit | Merged openstack/keystone: Updating sample configuration file https://review.openstack.org/308414 | 19:30 |
evrardjp | odyssey4me you take over this? | 19:30 |
evrardjp | I'm willing to come back home to continue this conversation | 19:31 |
odyssey4me | evrardjp have a good night - relax, we can continue tomorrow | 19:31 |
evrardjp | it's fine I can continue to get it working | 19:31 |
evrardjp | I just want to come back safe home, you know the neighborhood ;) | 19:31 |
*** rcernin has joined #openstack-keystone | 19:32 | |
odyssey4me | haha, for sure | 19:32 |
*** e0ne has joined #openstack-keystone | 19:33 | |
*** ametts has quit IRC | 19:33 | |
gyee | odyssey4me, bknudson, this is an opportunity for us to start a Keystone run book | 19:40 |
bknudson | Add run book to http://docs.openstack.org/developer/keystone/ | 19:41 |
gyee | like if something goes wrong, how to troubleshoot | 19:41 |
odyssey4me | gyee yeah, that would be very useful to all projects actually | 19:41 |
gyee | some of that stuff can even be automated | 19:41 |
gyee | like run_diagnostic or something | 19:42 |
gyee | we can start with the common scenario, like <client> -- https --> <proxy/lb cluster> -- http --> <Keystone instances> | 19:43 |
*** manjeets has left #openstack-keystone | 19:43 | |
*** woodburn has joined #openstack-keystone | 19:49 | |
bknudson | btw, here's the ansible script to set up to run keystone: https://gist.github.com/brantlk/e9ce45d6b709774ae8ac445437325608 | 19:50 |
bknudson | based on these docs: https://review.openstack.org/#/c/264398/10/doc/source/project-setup/python.rst | 19:50 |
patchbot | bknudson: patch 264398 - project-team-guide - Improve docs on setting up development environment | 19:50 |
evrardjp | hey again | 20:00 |
evrardjp | what did I miss ? | 20:00 |
*** edtubill has joined #openstack-keystone | 20:07 | |
*** csoukup has quit IRC | 20:12 | |
*** rderose has joined #openstack-keystone | 20:12 | |
*** comstud has quit IRC | 20:14 | |
*** stingaci has quit IRC | 20:15 | |
*** browne has quit IRC | 20:21 | |
*** timcline_ has joined #openstack-keystone | 20:22 | |
*** roxanagh_ has joined #openstack-keystone | 20:25 | |
*** lhcheng has quit IRC | 20:25 | |
*** browne has joined #openstack-keystone | 20:26 | |
*** stingaci has joined #openstack-keystone | 20:29 | |
*** doug-fish has joined #openstack-keystone | 20:30 | |
*** doug-fi__ has joined #openstack-keystone | 20:31 | |
*** doug-f___ has joined #openstack-keystone | 20:32 | |
*** mylu has quit IRC | 20:33 | |
*** doug-fis_ has quit IRC | 20:33 | |
*** doug-fish has quit IRC | 20:34 | |
*** doug-fish has joined #openstack-keystone | 20:35 | |
*** doug-fi__ has quit IRC | 20:35 | |
openstackgerrit | Ron De Rose proposed openstack/keystone: Move the assignment abstract base class out of core https://review.openstack.org/299635 | 20:35 |
*** doug-f___ has quit IRC | 20:37 | |
*** stacker has quit IRC | 20:40 | |
*** navidp has joined #openstack-keystone | 20:41 | |
*** pumaranikar has quit IRC | 20:45 | |
*** doug-fish has quit IRC | 20:50 | |
openstackgerrit | Arun Kant proposed openstack/keystonemiddleware: Adding audit middleware specific notification driver conf https://review.openstack.org/279828 | 20:51 |
*** doug-fis_ has joined #openstack-keystone | 20:52 | |
*** trown is now known as trown|outtypewww | 20:53 | |
*** spzala has quit IRC | 20:54 | |
*** mylu has joined #openstack-keystone | 20:55 | |
*** daemontool has quit IRC | 20:56 | |
*** mylu has quit IRC | 20:56 | |
*** navid_ has joined #openstack-keystone | 20:57 | |
*** mylu has joined #openstack-keystone | 20:59 | |
*** navidp has quit IRC | 21:01 | |
*** spzala has joined #openstack-keystone | 21:01 | |
*** mylu has quit IRC | 21:02 | |
*** navid_ has quit IRC | 21:05 | |
*** spzala has quit IRC | 21:06 | |
*** spzala has joined #openstack-keystone | 21:07 | |
*** lhcheng has joined #openstack-keystone | 21:08 | |
*** ChanServ sets mode: +v lhcheng | 21:08 | |
*** pauloewerton has quit IRC | 21:08 | |
*** navidp has joined #openstack-keystone | 21:10 | |
*** mylu has joined #openstack-keystone | 21:10 | |
dstanek | rderose: this is following the same pattern that you've been doing right? | 21:12 |
dstanek | rderose: https://review.openstack.org/#/c/307379/2 | 21:12 |
patchbot | dstanek: patch 307379 - keystone - Restructure policy abstract driver | 21:12 |
*** spzala has quit IRC | 21:12 | |
*** spzala has joined #openstack-keystone | 21:13 | |
rderose | dstanek: yes, exactly | 21:13 |
rderose | nice :) | 21:13 |
*** xek has quit IRC | 21:16 | |
*** spzala has quit IRC | 21:18 | |
*** spzala has joined #openstack-keystone | 21:19 | |
*** lhcheng has quit IRC | 21:20 | |
*** e0ne has quit IRC | 21:20 | |
*** spzala has quit IRC | 21:25 | |
*** spzala has joined #openstack-keystone | 21:26 | |
*** gagehugo has quit IRC | 21:26 | |
*** browne has quit IRC | 21:26 | |
*** sdake_ has joined #openstack-keystone | 21:28 | |
*** xek has joined #openstack-keystone | 21:29 | |
*** spzala has quit IRC | 21:30 | |
*** browne has joined #openstack-keystone | 21:32 | |
*** spzala has joined #openstack-keystone | 21:32 | |
*** spzala has quit IRC | 21:36 | |
*** spzala has joined #openstack-keystone | 21:38 | |
*** e0ne has joined #openstack-keystone | 21:41 | |
*** spzala has quit IRC | 21:43 | |
*** lhcheng has joined #openstack-keystone | 21:44 | |
*** ChanServ sets mode: +v lhcheng | 21:44 | |
*** spzala has joined #openstack-keystone | 21:45 | |
*** sdake_ has quit IRC | 21:45 | |
*** mylu has quit IRC | 21:46 | |
*** sdake_ has joined #openstack-keystone | 21:47 | |
*** e0ne has quit IRC | 21:51 | |
*** vgridnev_ has joined #openstack-keystone | 21:55 | |
*** roxanagh_ has quit IRC | 21:57 | |
*** spzala has quit IRC | 21:57 | |
*** henrynash has joined #openstack-keystone | 22:00 | |
*** ChanServ sets mode: +v henrynash | 22:00 | |
*** vgridnev_ has quit IRC | 22:00 | |
*** spzala has joined #openstack-keystone | 22:00 | |
*** navidp has quit IRC | 22:03 | |
openstackgerrit | Rodrigo Duarte proposed openstack/keystone: Add identity providers integration tests https://review.openstack.org/302299 | 22:04 |
openstackgerrit | Rodrigo Duarte proposed openstack/keystone: Add protocols integration tests https://review.openstack.org/307508 | 22:04 |
openstackgerrit | Rodrigo Duarte proposed openstack/keystone: Add mapping rules integration tests https://review.openstack.org/305444 | 22:04 |
openstackgerrit | Rodrigo Duarte proposed openstack/keystone: Add service providers integration tests https://review.openstack.org/303502 | 22:04 |
*** roxanagh_ has joined #openstack-keystone | 22:05 | |
openstackgerrit | Rodrigo Duarte proposed openstack/keystone: Add protocols integration tests https://review.openstack.org/307508 | 22:05 |
*** timcline_ has quit IRC | 22:13 | |
*** mylu has joined #openstack-keystone | 22:15 | |
*** sigmavirus24 is now known as sigmavirus24_awa | 22:15 | |
*** doug-fis_ has quit IRC | 22:17 | |
*** mylu has quit IRC | 22:17 | |
*** lhcheng has quit IRC | 22:18 | |
*** phalmos has quit IRC | 22:22 | |
*** gordc has quit IRC | 22:23 | |
*** mylu has joined #openstack-keystone | 22:24 | |
*** edmondsw has quit IRC | 22:24 | |
*** timcline_ has joined #openstack-keystone | 22:25 | |
*** dan_nguyen has quit IRC | 22:25 | |
*** gyee has quit IRC | 22:25 | |
*** lhcheng has joined #openstack-keystone | 22:27 | |
*** ChanServ sets mode: +v lhcheng | 22:27 | |
*** edtubill has quit IRC | 22:28 | |
*** dan_nguyen has joined #openstack-keystone | 22:29 | |
*** timcline_ has quit IRC | 22:30 | |
*** ayoung has joined #openstack-keystone | 22:33 | |
*** ChanServ sets mode: +v ayoung | 22:33 | |
*** spzala has quit IRC | 22:37 | |
*** slberger1 has left #openstack-keystone | 22:46 | |
*** krotscheck is now known as krotscheck_dcm | 22:57 | |
*** edtubill has joined #openstack-keystone | 22:58 | |
*** henrynash has quit IRC | 22:59 | |
*** stingaci has quit IRC | 23:08 | |
*** stingaci has joined #openstack-keystone | 23:13 | |
*** dan_nguyen has quit IRC | 23:15 | |
*** spzala has joined #openstack-keystone | 23:18 | |
*** dan_nguyen has joined #openstack-keystone | 23:19 | |
*** mylu has quit IRC | 23:20 | |
*** mylu has joined #openstack-keystone | 23:20 | |
*** stingaci has quit IRC | 23:21 | |
*** spzala has quit IRC | 23:23 | |
*** rderose has quit IRC | 23:27 | |
*** roxanagh_ has quit IRC | 23:30 | |
*** BjoernT has quit IRC | 23:31 | |
*** mylu has quit IRC | 23:38 | |
*** mylu has joined #openstack-keystone | 23:38 | |
*** jamielennox is now known as jamielennox|away | 23:51 | |
*** sdake__ has joined #openstack-keystone | 23:58 |